chore(deps): update all non-major dependencies #1203

Merged
dawsontoth merged 1 commit into stage from renovate/all-minor-patch
May 18, 2026

@renovate renovate Bot commented May 18, 2026

This PR contains the following updates:

| Package | Change | Type | Update | Pending |
|---|---|---|---|---|
| @ai-sdk/react (source) | 3.0.179 → 3.0.184 | dependencies | patch | 3.0.186 (+1) |
| @datadog/browser-rum (source) | 7.0.0 → 7.1.0 | dependencies | minor | |
| @datadog/browser-rum-react (source) | 7.0.0 → 7.1.0 | dependencies | minor | |
| @harperfast/skills (source) | 1.4.2 → 1.4.3 | dependencies | patch | |
| @stripe/stripe-js (source) | 9.4.0 → 9.5.0 | dependencies | minor | |
| @tanstack/react-query (source) | 5.100.9 → 5.100.10 | dependencies | patch | |
| @tanstack/react-query-devtools (source) | 5.100.9 → 5.100.10 | dependencies | patch | |
| @types/node (source) | 24.12.3 → 24.12.4 | dependencies | patch | |
| @vitejs/plugin-react (source) | 6.0.1 → 6.0.2 | devDependencies | patch | |
| @vitest/coverage-v8 (source) | 4.1.5 → 4.1.6 | devDependencies | patch | |
| ai (source) | 6.0.177 → 6.0.182 | dependencies | patch | 6.0.184 (+1) |
| axios (source) | 1.16.0 → 1.16.1 | dependencies | patch | |
| harper (source) | 5.0.11 → 5.0.15 | devDependencies | patch | 5.0.17 |
| lucide-react (source) | 1.14.0 → 1.16.0 | dependencies | minor | |
| oxlint (source) | 1.63.0 → 1.64.0 | devDependencies | minor | 1.65.0 |
| pnpm (source) | 11.0.9 → 11.1.2 | packageManager | minor | |
| pnpm/action-setup | v6.0.6 → v6.0.8 | action | patch | |
| swagger-ui-react | 5.32.5 → 5.32.6 | dependencies | patch | |
| vite (source) | 8.0.11 → 8.0.13 | devDependencies | patch | |
| vitest (source) | 4.1.5 → 4.1.6 | devDependencies | patch | |

Release Notes

vercel/ai (@​ai-sdk/react)

v3.0.184

Compare Source

Patch Changes
  • Updated dependencies [e76a29a]
    • ai@​6.0.182

v3.0.182

Compare Source

Patch Changes
  • Updated dependencies [253bd5a]
  • Updated dependencies [57ec10f]
    • ai@​6.0.180

v3.0.180

Compare Source

Patch Changes
  • Updated dependencies [ac6f27e]
    • ai@​6.0.178
DataDog/browser-sdk (@​datadog/browser-rum)

v7.1.0

Compare Source

Public Changes:

  • ✨ [RUM-16070] GA trackResourceHeaders (#​4542) [LOGS] [RUM] [RUM-ANGULAR] [RUM-NEXTJS] [RUM-NUXT] [RUM-SLIM] [RUM-VUE] [WORKER]
  • 🐛 make sure we don't postpone batch indefinitely when upserting a view (#​4583) [LOGS] [RUM] [RUM-ANGULAR] [RUM-NEXTJS] [RUM-NUXT] [RUM-SLIM] [RUM-VUE] [WORKER]
  • 🐛 align trace sampling fallback with non-bridge path [RUM] [RUM-ANGULAR] [RUM-NEXTJS] [RUM-NUXT] [RUM-SLIM] [RUM-VUE]
  • 🐛 tolerate Cypress.env throwing under allowCypressEnv: false (#​4550) [RUM] [RUM-ANGULAR] [RUM-NEXTJS] [RUM-NUXT] [RUM-SLIM] [RUM-VUE]
  • 🐛 [Browser Profiler] use profiling start time to look up session id (#​4545) [RUM]
  • 📝 export public API option types for typedoc (#​4575) [RUM] [RUM-ANGULAR] [RUM-NEXTJS] [RUM-NUXT] [RUM-SLIM] [RUM-VUE]
  • 📝 Add DO NOT MODIFY IT BY HAND comment to CHANGELOG.md (#​4526)
  • 📝 update CDN URLs to v7 and clear NEXT_MAJOR_BRANCH (#​4551)

Internal Changes:

  • 👷 Update all non-major dependencies (#​4596) [RUM-ANGULAR] [RUM-NEXTJS] [RUM-VUE]
  • 👷 Auto-cancel interruptible jobs on new commits (#​4571)
  • 👷 Update all non-major dependencies (#​4501) [LOGS] [RUM] [RUM-ANGULAR] [RUM-NEXTJS] [RUM-NUXT] [RUM-SLIM] [RUM-VUE] [WORKER]
  • 👷 Renovate: pin angular-app to its current Angular version (#​4565)
  • 👷 check @​datadog/browser-* in test app devDependencies (#​4564)
  • 👷 add dd-octo-sts[bot] to CLA allowlist (#​4562)
  • 👷 Bump chrome to 148.0.7778.96-1 (#​4559)
  • 👷 Lock file maintenance (#​4504)
  • 👷 Update dependency typescript to v6 (#​4553)
  • 👷 Update dependency next to v16.1.7 [SECURITY] (#​4375)
  • 👷 [PANA-7214] Use only new serialization code in mutation tracker tests (#​4538) [RUM]
  • 👷 Bump chrome to 147.0.7727.55-1 (#​4452)
  • 👷 RUM-15702 Add trace sampling decision to DatadogEventBridge (#​4516) [LOGS] [RUM] [RUM-ANGULAR] [RUM-NEXTJS] [RUM-NUXT] [RUM-SLIM] [RUM-VUE] [WORKER]
  • ♻️ remove unnecessary type assertions [LOGS] [RUM] [RUM-ANGULAR] [RUM-NEXTJS] [RUM-NUXT] [RUM-SLIM] [RUM-VUE] [WORKER]
  • 🔥 [PANA-7724] Remove the old session replay serialization algorithm (#​4547) [RUM]
HarperFast/skills (@​harperfast/skills)

v1.4.3

Compare Source

stripe/stripe-js (@​stripe/stripe-js)

v9.5.0

Compare Source

Changed
  • Add types for new PE and ECE availablepaymentmethodschange event (#​924)
TanStack/query (@​tanstack/react-query)

v5.100.10

Patch Changes
TanStack/query (@​tanstack/react-query-devtools)

v5.100.10

Patch Changes
vitejs/vite-plugin-react (@​vitejs/plugin-react)

v6.0.2

Compare Source

Allow all options in reactCompilerPreset (#​1189)

This is a type only change. Only compilationMode and target options were available for reactCompilerPreset.

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.6

Compare Source

   🐞 Bug Fixes
   🏎 Performance
    View changes on GitHub
axios/axios (axios)

v1.16.1

Compare Source

harperfast/harper (harper)

v5.0.15

Compare Source

What's Changed

  • Fix invalid 'this' reference
  • fix: resolve unresolved merge markers in run.js from PR 520 cherry-pick
  • Merge pull request #​520 from HarperFast/cherry-pick/v5.0/pr-516
  • test: pin Date.now in temp-path regression test
  • fix: make atomicWriteFile temp path unique across worker threads
  • fix: Lookup hostname in logs properly
  • Fix release notes step failing when grep filters out all commits

Full Changelog: HarperFast/harper@v5.0.14...v5.0.15

v5.0.14

Compare Source

What's Changed

  • Update rocksdb-js@​1.2.0
  • Fix system database handling in copyDb and add system database verification test

Full Changelog: HarperFast/harper@v5.0.13...v5.0.14

v5.0.12

Compare Source

What's Changed

  • 5.0.12
  • Fix shallow clone breaking git log release notes
  • Merge pull request #​499 from HarperFast/fix/config-update-comparison-typecast

Full Changelog: HarperFast/harper@v5.0.11...v5.0.12

lucide-icons/lucide (lucide-react)

v1.16.0: Version 1.16.0

Compare Source

What's Changed

Full Changelog: lucide-icons/lucide@1.15.0...1.16.0

v1.15.0

Compare Source

oxc-project/oxc (oxlint)

v1.64.0

Compare Source

🚀 Features
🐛 Bug Fixes
pnpm/pnpm (pnpm)

v11.1.2

Compare Source

Patch Changes
  • convertEnginesRuntimeToDependencies: switch the runtime-dependency write to Object.defineProperty so the CodeQL js/prototype-polluting-assignment rule treats the assignment as safe regardless of the property name (follow-up to #​11609).

  • Address CodeQL static-analysis findings: guard manifest dependency writes against prototype-polluting keys (__proto__, constructor, prototype), and replace a potentially super-linear semver-detection regex in registry 404 hints with an O(n) parser.

  • Strip sec-fetch-* headers from outgoing HTTP requests. These headers are automatically added by undici's fetch() implementation per the Fetch spec but cause Azure DevOps Artifacts to return HTTP 400 for uncached upstream packages, as ADO interprets them as browser requests #​11572.

  • Fix minimumReleaseAge handling for cached abbreviated metadata.

    The version-spec cache fast path no longer rethrows ERR_PNPM_MISSING_TIME under strictPublishedByCheck; it now falls through to the registry-fetch path, consistent with the adjacent mtime-gated cache block.

    When the registry returns 304 Not Modified for a package whose cached metadata is abbreviated (no per-version time), pnpm now re-fetches with fullMetadata: true if minimumReleaseAge is active and the package was modified after the cutoff. The upgraded metadata is persisted to disk so subsequent installs don't repeat the fetch. Previously the abbreviated meta was used as-is and the maturity check fell back to its warn-and-skip path, silently bypassing the quarantine and emitting a misleading "metadata is missing the time field" warning.

    Closes #​11619.

  • Fix pnpm upgrade --interactive --latest -r not respecting named catalog groups. Previously, upgrading a dependency using a named catalog (e.g. "catalog:foo") would incorrectly rewrite package.json to "catalog:" and place the updated version in the default catalog instead of the named one #​10115.

  • Fixed optimisticRepeatInstall skipping pnpm-lock.yaml merge conflict resolution when the existing node_modules state appears up to date.

  • Fix minimumReleaseAge / resolutionMode: time-based installs failing on lockfiles whose time: block is missing entries. The npm-resolver's peek-from-store fast path now surfaces publishedAt from the lockfile rather than discarding it, and falls through to a registry metadata fetch when the time-based cutoff can't be computed from the data on hand.

v11.1.1

Compare Source

Patch Changes
  • Skip installability validation when scanning workspace projects in checkDepsStatus (run by verifyDepsBeforeRun). Previously the status check called findWorkspaceProjects, which validates each project's engines and os/cpu/libc and warns about useless fields in non-root manifests — work that the install pipeline already performs. With no nodeVersion threaded through, the engine check also fell back to the system Node from PATH and emitted spurious "Unsupported engine" warnings before scripts ran. Status-only callers now use findWorkspaceProjectsNoCheck; install paths continue to validate.
  • Fixed pnpm add <alias>:@scope/pkg for named registries. The local resolver was claiming any specifier containing / as a local directory, so pnpm add bit:@teambit/bit (with bit configured under namedRegistries) installed a bogus link to bit:@teambit/bit/ instead of resolving from the configured registry. The local resolver now runs after the named-registry resolver in the resolution chain.
  • Updated @zkochan/cmd-shim to 9.0.3. The sh shim it writes for .cmd / .bat targets now escapes the /C switch as //C, so it survives the path translation Git Bash applies when launching cmd.exe. Without this, a bare /C was rewritten to C:\ before reaching cmd.exe — the switch was dropped, cmd started interactively, and the calling script saw the cmd banner instead of the wrapped command's output. Affects any cmd-shim-wrapped batch script invoked from Git Bash / MSYS / Cygwin on Windows. See pnpm/cmd-shim#55.

v11.1.0

Compare Source

Minor Changes
  • Added pnpm audit signatures to verify ECDSA registry signatures for installed packages against keys from /-/npm/v1/keys #​7909. Scoped registries are respected, and registries without signing keys are skipped.

  • Added support for installing packages from the GitHub Packages npm registry via a built-in gh: prefix (e.g. pnpm add gh:@acme/private), and, more broadly, for arbitrary named registries in the style of vlt's named-registry aliases. Authentication is picked up from the existing per-URL .npmrc entries (e.g. //npm.pkg.github.com/:_authToken=...), so no separate auth mechanism is required.

    Additional aliases — or an override for the built-in gh alias, for GitHub Enterprise Server — can be configured under namedRegistries in pnpm-workspace.yaml:

    namedRegistries:
      gh: https://npm.pkg.github.example.com/
      work: https://npm.work.example.com/

    With this, work:@corp/lib@^2.0.0 resolves against https://npm.work.example.com/. #8941.

  • Allow setting sbom spec version using --sbom-spec-version #​11389.

  • Add --no-runtime flag (config: runtime=false) to skip installing runtime entries (e.g. Node.js downloaded via devEngines.runtime) without modifying the lockfile. The lockfile keeps the runtime entry so frozen-lockfile validation still passes; only the runtime fetch and .bin linking are skipped. Useful in CI matrices where the runtime is provisioned externally (e.g. via pnpm runtime -g set node <version>) before pnpm install runs.

  • Added the pnpm bugs command that opens a package's bug tracker URL in the browser. With no arguments, it reads the current project's package.json; with one or more package names, it fetches each package's metadata from the registry and opens its bug tracker. Falls back to <repository>/issues when the bugs field is missing #​11279.

  • Added pnpm owner command to manage package owners on the registry.

Patch Changes
  • Added "published X ago by Y" information to the pnpm view command output, similar to npm view. This is useful when comparing against minimumReleaseAge.

    For example, pnpm view pnpm now shows:

    published 17 hours ago by GitHub Actions
    
  • pnpm publish now honors the configured HTTP/HTTPS proxy (including https_proxy/http_proxy/no_proxy environment variables) when polling the registry's doneUrl during the web-based authentication flow. Previously the poll bypassed the proxy, causing the registry to respond 403 from a different source IP and the login to never complete #​11561.

  • pnpm add -g now installs each space-separated package into its own isolated directory by default. To bundle multiple packages into the same isolated install (so that they share dependencies and are removed together), pass them as a comma-separated list. For example:

    • pnpm add -g foo bar installs foo and bar as two independent globals — removing one does not affect the other.
    • pnpm add -g foo,bar qar bundles foo and bar into a single isolated install while qar is installed on its own.

    Related: #​11587.

  • pnpm runtime set <name> <version> no longer fails in the root of a multi-package workspace with the ADDING_TO_ROOT error. Installing the workspace root is a valid target for a runtime, so the command now bypasses that safety check.

  • Fix pnpm --version hanging for the lifetime of the worker pool after the version was printed. main.ts's --version short-circuit returned before reaching the command-handler finally that calls finishWorkers(), so the worker pool that switchCliVersion had spawned during integrity resolution stayed alive and held the Node event loop open. The CLI entry now runs finishWorkers() from its own finally, so every exit path tears the pool down.

    Repro: pnpm --version in a workspace whose devEngines.packageManager version already matches the running pnpm + onFail: "download". switchCliVersion resolves the integrity (spawning workers), finds nothing to swap, returns. The version prints, then the process hangs.

pnpm/action-setup (pnpm/action-setup)

v6.0.8

Compare Source

v6.0.7

Compare Source

swagger-api/swagger-ui (swagger-ui-react)

v5.32.6

Compare Source

Bug Fixes
vitejs/vite (vite)

v8.0.13

Compare Source

Features
Bug Fixes
Miscellaneous Chores

v8.0.12

Compare Source

Features
Bug Fixes
  • create-vite: pass react framework to TanStack CLI (#​22397) (18f0f90)
  • deps: update all non-major dependencies (#​22420) (2be6000)
  • module-runner: prevent partial-exports race on concurrent imports of in-flight invalidated re-export chains (#​22369) (f5a22e6)
  • refer to rolldownOptions instead of deprecated rollupOptions in messages (#​22400) (b675c7b)
  • worker: apply build.target to worker bundle (#​22404) (3c93fde)
  • worker: forward define to worker bundle transform (#​22408) (d4838a0)
Miscellaneous Chores

Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • "before 9am on Monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
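
The two pnpm v11.1.2 notes on prototype-polluting keys, shown as an added example that is not part of the Renovate comment and is not pnpm's code. The function names (`unsafeWrite`, `defineOnly`, `safeWrite`, `applyRuntimes`) and the sample manifest entries are hypothetical and constructed for illustration.

```javascript
// Added example, not pnpm's implementation; all names here are hypothetical.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype'])

// Plain assignment with an untrusted key. When name is "__proto__" and the
// value is an object, this runs the inherited __proto__ setter and swaps the
// prototype of `target` instead of recording an entry.
function unsafeWrite(target, name, value) {
  target[name] = value
  return target
}

// Object.defineProperty always creates an own data property, whatever the name,
// so the prototype chain of `target` is left untouched.
function defineOnly(target, name, value) {
  Object.defineProperty(target, name, {
    value, writable: true, enumerable: true, configurable: true,
  })
  return target
}

// Guard first (the keys named in the release note), then define.
function safeWrite(target, name, value) {
  if (typeof name !== 'string' || POLLUTING_KEYS.has(name)) {
    throw new TypeError(`refusing dependency name ${JSON.stringify(name)}`)
  }
  return defineOnly(target, name, value)
}

// Constructed input standing in for entries read from an untrusted manifest.
// JSON.parse stores "__proto__" as an own property, so it survives parsing.
const UNTRUSTED = JSON.parse('{"node": "24.0.0", "__proto__": {"injected": "yes"}}')

// Copy every entry into a fresh dependencies object using the given writer,
// collecting the names the writer refused.
function applyRuntimes(write, entries) {
  const deps = {}
  const rejected = []
  for (const [name, spec] of Object.entries(entries)) {
    try { write(deps, name, spec) } catch (err) { rejected.push(name) }
  }
  return { deps, rejected }
}
```

With `unsafeWrite` the resulting object inherits `injected` from the attacker-supplied prototype although it is not among its own keys; `defineOnly` keeps the prototype intact, and `safeWrite` additionally drops the entry.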

@renovate renovate Bot requested a review from a team as a code owner May 18, 2026 05:02
@renovate renovate Bot requested a review from dawsontoth May 18, 2026 05:02
@dawsontoth dawsontoth added this pull request to the merge queue May 18, 2026
Merged via the queue into stage with commit daef456 May 18, 2026
3 checks passed
@dawsontoth dawsontoth deleted the renovate/all-minor-patch branch May 18, 2026 15:21