- Update all non-major dependencies with digest and pinDigest

[blumilk-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@tailwindcss/forms	^0.5.2 -> ^0.5.11			devDependencies	patch
@tailwindcss/vite (source)	^4.1.18 -> ^4.2.2			devDependencies	patch
@typescript-eslint/eslint-plugin (source)	^8.46.4 -> ^8.57.2			devDependencies	minor	8.58.0
actions/setup-node	v6.1.0 -> v6.3.0			action	minor
alpinejs (source)	^3.4.2 -> ^3.15.9			devDependencies	patch
alpinejs (source)	^3.15.5 -> ^3.15.9			dependencies	patch
axios (source)	^1.13.5 -> ^1.13.6			dependencies	patch
axllent/mailpit (source)	v1.29.1 -> v1.29.5				patch
composer	-> 743aebe			stage	pinDigest
eslint (source)	^9.39.2 -> ^9.39.4			devDependencies	patch
ghcr.io/php/pie	1.3.8-bin -> 1.3.10-bin			stage	patch
larastan/larastan	^3.9.2 -> ^3.9.3			require-dev	patch
laravel-vite-plugin	^2.0.1 -> ^2.1.0			dependencies	patch
laravel/breeze	^2.3.8 -> ^2.4.1			require-dev	minor
laravel/framework (source)	^12.52.0 -> ^12.56.0			require	minor
nginx/nginx	1.29.5 -> 1.29.7				patch
node (source)	24.13.1 -> 24.14.1				minor
node	24.13.1-trixie-slim -> 24.14.1-trixie-slim			stage	minor
php	8.5.3 -> 8.5.4				patch
php	8.5.3-fpm-trixie -> 8.5.4-fpm-trixie			final	patch
redis	8.6.0-trixie -> 8.6.2-trixie				patch
shivammathur/setup-php	2.36.0 -> 2.37.0			action	minor
spatie/laravel-ignition (source)	^2.10.0 -> ^2.12.0			require-dev	minor
tailwindcss (source)	^4.1.18 -> ^4.2.2			devDependencies	patch
vite (source)	^7.0.8 -> ^7.3.1			devDependencies	patch

---

Release Notes

tailwindlabs/tailwindcss (@​tailwindcss/vite)

v4.2.2

Compare Source

Fixed

• Don't crash when candidates contain prototype properties like row-constructor (#​19725)
• Canonicalize calc(var(--spacing)*…) expressions into --spacing(…) (#​19769)
• Fix crash in canonicalization step when handling utilities containing @property at-rules (e.g. shadow-sm border) (#​19727)
• Skip full reload for server only modules scanned by client CSS when using @tailwindcss/vite (#​19745)
• Add support for Vite 8 in @tailwindcss/vite (#​19790)
• Improve canonicalization for bare values exceeding default spacing scale suggestions (e.g. w-1234 h-1234 → size-1234) (#​19809)
• Fix canonicalization resulting in empty list (e.g. w-5 h-5 size-5 → '' instead of size-5) (#​19812)
• Resolve tsconfig paths to allow for @import '@​/path/to/file'; when using @tailwindcss/vite (#​19803)

v4.2.1

Compare Source

Fixed

• Allow trailing dash in functional utility names for backwards compatibility (#​19696)
• Properly detect classes containing . characters within curly braces in MDX files (#​19711)

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.57.2

Compare Source

🩹 Fixes

• eslint-plugin: [prefer-readonly-parameter-types] preserve type alias infomation (#​11954)
• eslint-plugin: [no-useless-default-assignment] skip reporting false positives for unresolved type parameters (#​12127)
• eslint-plugin: [no-unsafe-return] false positive on unwrapping generic (#​12125)
• eslint-plugin: [no-restricted-types] flag banned generics in extends or implements (#​12120)
• eslint-plugin: [array-type] ignore Array and ReadonlyArray without type arguments (#​11971)
• eslint-plugin: [prefer-optional-chain] remove dangling closing parenthesis (#​11865)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger
• Konv Suu
• mdm317
• Newton Yuan @​NewtonYuan
• SungHyun627 @​SungHyun627
• Tamashoo @​Tamashoo

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.57.1

Compare Source

🩹 Fixes

• eslint-plugin: [prefer-optional-chain] no report for property on intersection type (#​12126)

❤️ Thank You

• Newton Yuan @​NewtonYuan

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.57.0

Compare Source

🚀 Features

• eslint-plugin: [no-unnecessary-condition] allow literal loop conditions in for/do loops (#​12080)

🩹 Fixes

• eslint-plugin: [no-base-to-string] fix false positive for toString with overloads (#​12089)
• eslint-plugin: [prefer-promise-reject-errors] add allow TypeOrValueSpecifier to prefer-promise-reject-errors (#​12094)
• typescript-estree: if the template literal is tagged and the text has an invalid escape, cooked will be null (#​11355)
• eslint-plugin: guard against negative paramIndex in no-useless-default-assignment (#​12077)
• eslint-plugin: handle statically analyzable computed keys in prefer-readonly (#​12079)
• eslint-plugin: [strict-void-return] false positives with overloads (#​12055)

❤️ Thank You

• Brad Zacher @​bradzacher
• Brian Schlenker @​bschlenk
• Evyatar Daud @​StyleShit
• James Henry @​JamesHenry
• Josh Goldberg
• Kirk Waiblinger @​kirkwaiblinger
• Moses Odutusin @​thebolarin
• Newton Yuan @​NewtonYuan
• SungHyun627 @​SungHyun627
• Younsang Na @​nayounsang

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.56.1

Compare Source

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

actions/setup-node (actions/setup-node)

v6.3.0

Compare Source

What's Changed

Enhancements:

• Support parsing devEngines field by @​susnux in #​1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

• Fix npm audit issues by @​gowridurgad in #​1491
• Replace uuid with crypto.randomUUID() by @​trivikr in #​1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​1498

Bug fixes:

• Remove hardcoded bearer for mirror-url @​marco-ippolito in #​1467
• Scope test lockfiles by package manager and update cache tests by @​gowridurgad in #​1495

New Contributors

• @​susnux made their first contribution in #​1283

Full Changelog: actions/setup-node@v6...v6.3.0

v6.2.0

Compare Source

What's Changed

Documentation

• Documentation update related to absence of Lockfile by @​mahabaleshwars in #​1454
• Correct mirror option typos by @​MikeMcC399 in #​1442
• Readme update on checkout version v6 by @​deining in #​1446
• Readme typo fixes @​munyari in #​1226
• Advanced document update on checkout version v6 by @​aparnajyothi-y in #​1468

Dependency updates:

• Upgrade @​actions/cache to v5.0.1 by @​salmanmkc in #​1449

New Contributors

• @​mahabaleshwars made their first contribution in #​1454
• @​MikeMcC399 made their first contribution in #​1442
• @​deining made their first contribution in #​1446
• @​munyari made their first contribution in #​1226

Full Changelog: actions/setup-node@v6...v6.2.0

alpinejs/alpine (alpinejs)

v3.15.9

Compare Source

What's Changed

• fix(morph): close dialogs properly when removing open attribute by @​calebporzio in #​4739
• Update tabbable and focus-trap dependencies in focus plugin by @​joshhanley in #​4737
• feat(x-anchor): allow dynamic reference to be used with x-anchor by @​maximbelyayev in #​4735
• Handle all types of whitespace in class lists, not just spaces by @​calebporzio in #​4743
• docs: clearer variable name in x-bind example by @​calebporzio in #​4742
• Fix x-model.parent when inside of x-teleport by @​willrowe in #​4676
• feat: x-on.passive.false modifier by @​hirasso in #​4610
• Add support for Set objects in x-for loop function by @​alfanzain in #​4672
• Add support for custom options and cancelable $dispatch by @​nicolagianelli in #​4608
• Fix how x-html handles undefined by @​willrowe in #​4555
• move dependencies from monorepo root to correct packages by @​Igloczek in #​4550
• Don't assign the normalEvaluator per default by @​JeroenBoersma in #​4548
• Fix class setters invocation on nested x-data by @​helio3197 in #​4528
• 🐛 Masks model updates by @​ekwoka in #​4175
• Allow debouncing/throttling x-model when using x-modelable by @​Spitfire972 in #​4186
• UI x-radio: fix keyboard navigation when value of first/last radio option is null by @​gdebrauwer in #​4308
• Improve handling of autocomplete values in X-Mask by @​robertmarney in #​4260
• ⚡ Improves x-for performance by @​ekwoka in #​4361
• Fix x-ref crash during child-element morph by @​calebporzio in #​4748
• Fix $watch oldValue for objects by @​calebporzio in #​4749
• Escape attribute values in morph setAttribute patch by @​joshhanley in #​4770
• Fix x-model setting .value instead of .checked on checkboxes by @​ganyicz in #​4779
• Fix x-model.blur crash when input is removed from a form by @​joshhanley in #​4783

New Contributors

• @​maximbelyayev made their first contribution in #​4735
• @​hirasso made their first contribution in #​4610
• @​alfanzain made their first contribution in #​4672
• @​nicolagianelli made their first contribution in #​4608
• @​Igloczek made their first contribution in #​4550
• @​JeroenBoersma made their first contribution in #​4548
• @​helio3197 made their first contribution in #​4528
• @​Spitfire972 made their first contribution in #​4186
• @​robertmarney made their first contribution in #​4260

Full Changelog: alpinejs/alpine@v3.15.8...v3.15.9

axios/axios (axios)

v1.13.6

Compare Source

This release focuses on platform compatibility, error handling improvements, and code quality maintenance.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: Users targeting React Native should verify their integration, particularly if relying on specific Blob or FormData behaviours, as improvements have been made to support these objects.

🚀 New Features

• React Native Blob Support: Axios now includes support for React Native Blob objects. Thanks to @​moh3n9595 for the initial implementation. (#​5764)
• Code Quality: Implemented prettier across the codebase and resolved associated formatting issues. (#​7385)

🐛 Bug Fixes

• Environment Compatibility:

  • Fixed module exports for React Native and Browserify environments. (#​7386)
  • Added safe FormData detection for the WeChat Mini Program environment. (#​7324)

• Error Handling:

  • AxiosError.message is now correctly enumerable. (#​7392)
  • AxiosError.from now correctly copies the status property from the source error, ensuring better error propagation. (#​7403)

🔧 Maintenance & Chores

• Dependencies: Updated the development_dependencies group (5 updates). (#​7432)
• Infrastructure: Migrated @​rollup/plugin-babel from v5.3.1 to v6.1.0. (#​7424)
• Documentation: Added missing JSDoc comments to utilities. (#​7427)

🌟 New Contributors

We are thrilled to welcome our new contributors! Thank you for helping improve the project:

• @​Gudahtt (#​7386)
• @​ybbus (#​7392)
• @​Shiwaangee (#​7324)
• @​skrtheboss (#​7403)
• @​Janaka66 (#​7427)
• @​moh3n9595 (#​5764)
• @​digital-wizard48 (#​7424)

Full Changelog: v1.13.5...v1.13.6

axllent/mailpit (axllent/mailpit)

v1.29.5

Compare Source

Security

• Add sandbox attribute to message iframe for extra later of security (already protected via CSP headers)

Feature

• Add option to disable auto-VACUUMing of the SQLite database (#​661)

Chore

• Update Go dependencies
• Update node dependencies

v1.29.4

Compare Source

Feature

• Add filter functionality to message headers tab

Chore

• Update Go dependencies
• Update node dependencies

Fix

• Refactor webhook delay & rate limit logic to ignore endpoint response times & prevent hardcoded 1000 message limit when set to 0 (#​656)

v1.29.3

Compare Source

Security

• Enhance CORS origin handling to respect host:port distinctions
• Limit proxy requests to 50MB to prevent OOM attacks
• Enhance HTML sanitization in message view
• Enhance HTML sanitization in screenshot generation
• Escape ContentID in HTML replacement to prevent regex injection

Chore

• Use last release + git hash in Docker edge versions
• Bump minimatch from 10.2.2 to 10.2.4
• Refactor code with go fix
• Switch to math/rand/v2
• Refactor API send authentication logic
• Refactor events websocket middleware
• Set timeout for HTTP client in webhook Send function
• Use local hostname for EHLO/HELO in SMTP communication
• Simplify HTML decoding function in screenshot generation using DOMParser
• Set margin & padding to HTML screenshot to prevent transparent top/left border
• Replace localStorage retrieval with a dedicated function for default release addresses
• Limit subject length to 100 characters in browser notifications
• Improve transaction handling in pruneMessages and fix loop continuation in InitDB
• Update Content-Disposition header to use inline display and escape filename
• Refactor timezone handling in searchQueryBuilder
• Update Go dependencies
• Update node dependencies

Fix

• Update SQL query to use tenant when using is:tagged filter

v1.29.2

Compare Source

Security

• Prevent Server-Side Request Forgery (SSRF) via Link Check API (GHSA-mpf7-p9x7-96r3)

Chore

• Upgrade eslint JavaScript linting
• Update Go dependencies
• Update node dependencies
• Update caniemail test database

Fix

• Update install instructions when setting INSTALL_PATH
• Include 8BITMIME in SMTPD EHLO response (#​648)

eslint/eslint (eslint)

v9.39.4

Compare Source

Bug Fixes

• f18f6c8 fix: update dependency minimatch to ^3.1.5 (#​20564) (Milos Djermanovic)
• a3c868f fix: update dependency @​eslint/eslintrc to ^3.3.4 (#​20554) (Milos Djermanovic)
• 234d005 fix: minimatch security vulnerability patch for v9.x (#​20549) (Andrej Beles)
• b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#​20538) (루밀LuMir)

Documentation

• 4675152 docs: add deprecation notice partial (#​20520) (Milos Djermanovic)

Chores

• b8b4eb1 chore: update dependencies for ESLint v9.39.4 (#​20596) (Francesco Trotta)
• 71b2f6b chore: package.json update for @​eslint/js release (Jenkins)
• 1d16c2f ci: pin Node.js 25.6.1 (#​20563) (Milos Djermanovic)

v9.39.3

Compare Source

Bug Fixes

• 791bf8d fix: restore TypeScript 4.0 compatibility in types (#​20504) (sethamus)

Chores

• 8594a43 chore: upgrade @​eslint/js@​9.39.3 (#​20529) (Milos Djermanovic)
• 9ceef92 chore: package.json update for @​eslint/js release (Jenkins)
• af498c6 chore: ignore /docs/v9.x in link checker (#​20453) (Milos Djermanovic)

larastan/larastan (larastan/larastan)

v3.9.3: 3.9.3

Compare Source

What's Changed

• feat: allow Laravel 13 by @​canvural in #​2446
• Improve config type inference to respect @​return docblocks by @​haratake22 in #​2445

New Contributors

• @​haratake22 made their first contribution in #​2445

Full Changelog: larastan/larastan@v3.9.2...v3.9.3

laravel/breeze (laravel/breeze)

v2.4.1

Compare Source

• [2.x] Makes imports consistent by @​nunomaduro in #​481

v2.4.0

Compare Source

• [2.x] Bump plugin-vue to ^6.0.0 by @​gyaaniguy in #​475
• Update README.md to include mention of Laravel 12 by @​JohnnyWalkerDigital in #​478
• Reversion: Update README.md by @​JohnnyWalkerDigital in #​479
• Laravel 13.x Compatibility by @​laravel-shift in #​480

laravel/framework (laravel/framework)

v12.56.0

Compare Source

• [12.x] schedule:list display expression in the correct timezone by @​xiCO2k in #​59307
• [12.x] Fix validation wildcard array message type error by @​sadique-cws in #​59339
• Preserve class type of mocked classes by @​AJenbo in #​59353

v12.55.1

Compare Source

• [12.x] Correct truncate exceptions at by @​bretto36 in #​59239
• [12.x] Fix float pluralization in trans_choice() by @​JulianGlueck in #​59268
• [12.x] Fix tests on PHP 8.5 by @​SanderMuller in #​59251

v12.55.0

Compare Source

• Add depth parameter to Arr::dot() by @​faytekin in #​59150
• [12.x] Add strict integer validation to Numeric validation rule by @​riesjart in #​59156
• [12.x] Add *OrFail transaction methods to BelongsToMany by @​SanderMuller in #​59153
• Bump tar from 7.5.9 to 7.5.11 in /src/Illuminate/Foundation/resources/exceptions/renderer by @​dependabot[bot] in #​59164
• [12.x] Add missing *OrFail transaction methods to BelongsToMany by @​erhanurgun in #​59168
• [12.x] Add inOrderOf() method to query builder by @​faytekin in #​59162
• [12.x] Add tcp_keepalive option to PhpRedis connector by @​heikokrebs in #​59158
• [12.x] untap PendingRequest by @​cosmastech in #​59188
• [12.x] Fix float to int deprecation in trans_choice() for certain locales by @​hamedelasma in #​59174
• [12.x] Allow touch() to accept multiple columns by @​devajmeireles in #​59175
• Revert "Add composite index to jobs table migration for improved queue polling" by @​taylorotwell in #​59202
• [12.x] Add fluent string validation rule builder by @​SanderMuller in #​59201
• Update Command::withProgressBar phpdoc to account for arrow functions and non-void return types by @​billypoke in #​58766
• [12.x] Lazily evaluate value for constraints in HasOneOrManyThrough by @​Jacobs63 in #​59231
• Add string helper to get initials from a string by @​denjaland in #​59230
• fix: Strip gzip-compressed output from concurrent process response by @​NikhiltGhalme in #​59224
• [12.x] Fix failing tests introduced by #​59201 by @​SanderMuller in #​59207
• [12.x] Avoid redundant Util::getParameterClassName() call in container resolution by @​SanderMuller in #​59220
• [12.x] Add missing conditional validation rule builders by @​SanderMuller in #​59209
• [12.x] Skip placeholder replacements when message does not contain them by @​SanderMuller in #​59211
• [12.x] Use array_push with spread operator in MessageBag::all() by @​SanderMuller in #​59217
• [12.x] Cache Route instances in CompiledRouteCollection::getByName() by @​SanderMuller in #​59221
• [12.x] Accept CarbonInterval for retry sleep duration by @​riesjart in #​59232
• [12.x] Fix failing phpstan by @​GrahamCampbell in #​59245
• [12.x] Update comments for PlanetScale MySQL and PostgreSQL by @​GrahamCampbell in #​59244
• [12.x] Use big integers for database cache expiration column by @​tanerkay in #​59243
• [12.x] Display file path and line number for closure routes in route:list by @​devajmeireles in #​59237
• [12.x] Add wantsMarkdown() and acceptsMarkdown() request methods by @​joetannenbaum in #​59238

v12.54.1

Compare Source

• [12.x] Makes imports consistent by @​nunomaduro in #​59149

v12.54.0

Compare Source

• [12.x] Fix division by zero error in repeatEvery() method by @​amirhshokri in #​58987
• [12.x] Allow app.editor.base_path to be an empty string by @​kminek in #​58991
• [12.x] Add missing, remove unused parameters to docblocks by @​mrvipchien in #​58989
• Fix URL validation for punycode subdomains by @​mpa12 in #​58982
• [12.x] Prevent queue deadlock when reserving a job throws an exception (e.g., attempts overflow) by @​sadique-cws in #​58978
• [12.x] bug: throttle with redis ignores after callback by @​RobertBoes in #​58990
• Update brick/math version constraint to include 0.15 by @​julien-boudry in #​59005
• Revert "Update brick/math version constraint to include 0.15" by @​GrahamCampbell in #​59009
• Bump rollup from 4.46.3 to 4.59.0 in /src/Illuminate/Foundation/resources/exceptions/renderer by @​dependabot[bot] in #​59013
• [12.x] Fix TwoColumnDetail stripping trailing punctuation from second column values by @​theritvars in #​59010
• [12.x] Add support for assertions on BinaryFileResponse by @​axlon in #​59018
• [12.x] fix: array offset deprecation warning by @​calebdw in #​59019
• [12.x] Add tsvector column type for PostgreSQL by @​milroyfraser in #​59004
• Memory Limit passed as string when run from supervisor by @​turbo124 in #​59049
• [12.x] Fix facade cache file permissions by @​nkoestinger in #​59059
• [12.x] Display oldest pending job in queue:monitor output by @​jackbayliss in #​59073
• Fix type() method return type in Illuminate\Filesystem\Filesystem by @​GNfsys in #​59071
• [12.x] Test Improvements by @​crynobone in #​59068
• [12.x] Wrap flags in int-mask-of annotation by @​shaedrich in #​59082
• Fix after-commit observers breaking -ing event cancellation by @​eyupcanakman in #​59058
• [12.x] Fix migrate:fresh failing when database does not exist by @​MElkmeshi in #​59113
• [12.x] Add interval() method to InteractsWithData by @​SanderMuller in #​59114
• [12.x] Hash displayName() in cache lock keys by @​A5hleyRich in #​59141
• [12.x] Improved html test helpers by @​jnoordsij in #​59140
• [12.x] Add Model::withoutRelation() for selective relation unloading by @​SanderMuller in #​59137
• [12.x] Include request context in HTTP client Response::dump() by @​SanderMuller in #​59136
• Fix enum handling in ModelNotFoundException error message by @​isaackaara in #​59132
• [12.x] Update composer.json to enforce commonmark version without DisallowedRawHtmlRenderer exploit by @​Smoggert in #​59131
• [12.x] Suppress chmod errors in Filesystem::replace() for non-POSIX filesystems by @​eyupcanakman in #​59126
• Add composite index to jobs table migration for improved queue polling by @​firecow in [#​59111](https://redirect.github.co

---

Configuration

📅 Schedule: Branch creation - On day 1 of the month, every 3 months ( * * 1 */3 * ) in timezone Europe/Warsaw, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.