chore(deps): update npm minor/patch

[losol-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@opentelemetry/api-logs (source)	^0.217.0 → ^0.218.0
@opentelemetry/exporter-logs-otlp-http (source)	^0.217.0 → ^0.218.0
@opentelemetry/instrumentation-pino (source)	^0.63.0 → ^0.64.0
@opentelemetry/sdk-logs (source)	^0.217.0 → ^0.218.0
@sentry/nextjs (source)	10.52.0 → 10.53.1
i18next (source)	26.0.10 → 26.1.0
lucide-react (source)	1.14.0 → 1.16.0
playwright (source)	1.59.1 → 1.60.0
pnpm (source)	11.0.9 → 11.1.2
tsx (source)	4.21.0 → 4.21.1
xstate (source)	5.31.0 → 5.31.1

---

Release Notes

open-telemetry/opentelemetry-js (@​opentelemetry/api-logs)

v0.218.0

Compare Source

open-telemetry/opentelemetry-js-contrib (@​opentelemetry/instrumentation-pino)

v0.64.0

Compare Source

Features

• deps: update deps matching '@​opentelemetry/*' (#​3523) (e26a90a)

Dependencies

• The following workspace dependencies were updated
  • devDependencies
    • @​opentelemetry/contrib-test-utils bumped from ^0.64.0 to ^0.65.0

getsentry/sentry-javascript (@​sentry/nextjs)

v10.53.1

Compare Source

• fix(core): Don't gate user data for streamed spans at scope read time (#​20827)
• fix(core): Include subpath type shims in published package (#​20835)
• ref(hono): Consolidate route patching and add clarification comments (#​20829)

Internal Changes

• chore(deps): Bump next from 15.5.15 to 15.5.18 in /dev-packages/e2e-tests/test-applications/nextjs-15-intl (#​20821)

v10.53.0

Compare Source

Important Changes

• feat(core): Add streamGenAiSpans options to stream gen_ai spans (#​20785)

  Adds a new streamGenAiSpans option that controls how gen_ai spans are
  sent to Sentry. When set, the SDK extracts all gen_ai spans out of a
  transaction and sends them as v2 envelope items.

  Enable this option if gen_ai spans are being dropped because the transaction payload exceeds size limits.

  Sentry.init({
    dsn: 'https://examplePublicKey@o0.ingest.sentry.io/0',
    streamGenAiSpans: true,
  });

Other Changes

• feat(browser): Migrate browser profiling thread data to span attributes (#​20800)
• feat(core): Add addConsoleInstrumentationFilter utility (#​20790)
• feat(core): Add applicationKey to BuildTimeOptionsBase (#​20789)
• feat(core): split exports by browser/server for bundle size (#​20435)
• feat(nextjs): Add top-level applicationKey option (#​20794)
• feat(node): Support Node 26 (#​20710)
• feat(profiling-node): Bump @sentry-internal/node-cpu-profiler to 2.4.0 (#​20720)
• fix(cloudflare): avoid flush lock self-wait (#​20719)
• fix(hono): Capture transaction name on request for correct culprit (#​20801)
• fix(mcp): retroactively wrap handlers registered before wrapMcpServerWithSentry (#​20699)
• fix(node-core): Guard against undefined util.getSystemErrorMap (#​20660)
• fix(replay): Capture aborted/errored fetch requests in replay network tab (#​20722)

Internal Changes

• chore: bump replay dependencies (#​20746)
• chore: Typo intergation -> integration (#​20799)
• chore(deps): Bump @​babel/plugin-transform-modules-systemjs from 7.24.1 to 7.29.4 (#​20773)
• chore(deps): Bump next from 15.5.15 to 15.5.18 in /dev-packages/e2e-tests/test-applications/nextjs-15 (#​20818)
• chore(deps): Bump next from 16.2.4 to 16.2.6 in /dev-packages/e2e-tests/test-applications/nextjs-16-streaming (#​20811)
• chore(deps): Bump rollup from 4.59.0 to 4.60.3 (#​20716)
• ci: Ensure PR reminder workflow considers new sub teams (#​20814)
• ci: Remove codecov reporting (#​20803)
• feat(deps): Bump bundler plugins to 5.3.0 (#​20820)
• feat(deps): Bump fast-uri from 3.0.6 to 3.1.2 (#​20774)
• feat(deps): Bump hono from 4.12.16 to 4.12.18 (#​20777)
• test(cloudflare-hono): fix 'occured' -> 'occurred' typo in error log (#​20783)
• test(deps): Bump hono from 4.12.14 to 4.12.16 (#​20712)
• test(deps): Bump hono from 4.12.14 to 4.12.18 in /dev-packages/e2e-tests/test-applications/cloudflare-hono (#​20776)
• test(e2e): Pin astro version in astro-6 test app (#​20709)

Work in this release was contributed by @​dmmulroy and @​SAY-5. Thank you for your contributions!

i18next/i18next (i18next)

v26.1.0

Compare Source

• feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #​2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #​2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

lucide-icons/lucide (lucide-react)

v1.16.0: Version 1.16.0

Compare Source

What's Changed

• feat(icons): added blender icon by @​rrod497 in #​3884

Full Changelog: lucide-icons/lucide@1.15.0...1.16.0

v1.15.0: Version 1.15.0

Compare Source

What's Changed

• fix: remove 'less' from brand stopwords by @​jguddas in #​4331
• fix(@​lucide/vue): Clone slots before passing to icon by @​axtho in #​4339
• fix(icons): changed text-cursor icon by @​jamiemlaw in #​4340
• fix(icons): changed landmark icon by @​jamiemlaw in #​4334
• chore(deps-dev): bump nitropack from 2.13.1 to 2.13.4 by @​dependabot[bot] in #​4352
• chore(deps-dev): bump simple-git from 3.33.0 to 3.36.0 by @​dependabot[bot] in #​4349
• fix(icons): changed candy-cane icon by @​jguddas in #​4148
• fix(icons): changed volleyball icon by @​jamiemlaw in #​4338
• fix(icons): changed chart-no-axes-combined icon by @​jguddas in #​3567
• feat(icon): added broccoli icon by @​swastik7805 in #​4263
• chore(site): Updates to site and updated carbon ads by @​ericfennis in #​4359
• feat(icons): added sticky note variants by @​Barakudum in #​4348
• chore(deps-dev): bump astro from 6.1.6 to 6.1.10 by @​dependabot[bot] in #​4361

New Contributors

• @​axtho made their first contribution in #​4339
• @​Barakudum made their first contribution in #​4348

Full Changelog: lucide-icons/lucide@1.14.0...1.15.0

microsoft/playwright (playwright)

v1.60.0

Compare Source

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});

await page.locator('#dropzone').drop({
  data: {
    'text/plain': 'hello world',
    'text/uri-list': 'https://example.com',
  },
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

• Event browser.on('context') — fired when a new context is created on the browser.
• BrowserContext now mirrors lifecycle events from its pages: browserContext.on('download'), browserContext.on('frameattached'), browserContext.on('framedetached'), browserContext.on('framenavigated'), browserContext.on('pageclose'), browserContext.on('pageload').

Locators and Assertions

• New option description in page.getByRole() / locator.getByRole() / frame.getByRole() / frameLocator.getByRole() for matching the accessible description.
• New option pseudo in expect(locator).toHaveCSS() reads computed styles from ::before or ::after.
• New option style in locator.highlight() applies extra inline CSS to the highlight overlay, plus new page.hideHighlight() to clear all highlights.

Network

• webSocketRoute.protocols() returns the WebSocket subprotocols requested by the page.
• New option noDefaults in browserType.connectOverCDP() disables Playwright's default overrides on the default context (download behavior, focus emulation, media emulation), so attaching to a user's daily-driver browser doesn't disturb its state.

Errors and Reporting

• New webError.location() mirrors consoleMessage.location().
• consoleMessage.location() now exposes line / column properties (lineNumber / columnNumber are deprecated).
• New testInfoError.errorContext surfaces additional diagnostic context, such as the aria snapshot of the receiver at the time of an expect(...) matcher failure.
• reporter.onError() now receives a workerInfo argument with details about the worker for fixture teardown errors.

Test runner

• New {testFileBaseName} token in testProject.snapshotPathTemplate — file name without extension.
• Test runner now errors when a config tries to override a non-option fixture, and rejects workers: 0 or negative values.

🛠️ Other improvements

• HTML reporter:
  • npx playwright show-report accepts .zip files directly — no need to unzip first.
  • Steps that contain attachments inside nested children show an indicator on the parent step.
  • The repeatEachIndex is shown in the test header when non-zero.
• Trace Viewer adds a pretty-print toggle for JSON / form request and response bodies in the network details panel.

Breaking Changes ⚠️

• Removed long-deprecated APIs:
  • Locator.ariaRef() — use the standard locator.ariaSnapshot() pipeline.
  • handle option on BrowserContext.exposeBinding and Page.exposeBinding.
  • logger option on BrowserType.connect and BrowserType.connectOverCDP — use tracing instead.
  • Context options videosPath / videoSize — use recordVideo instead.

Browser Versions

• Chromium 148.0.7778.96
• Mozilla Firefox 150.0.2
• WebKit 26.4

This version was also tested against the following stable channels:

• Google Chrome 147
• Microsoft Edge 147

pnpm/pnpm (pnpm)

v11.1.2

Compare Source

Patch Changes

• convertEnginesRuntimeToDependencies: switch the runtime-dependency write to Object.defineProperty so the CodeQL js/prototype-polluting-assignment rule treats the assignment as safe regardless of the property name (follow-up to #​11609).

• Address CodeQL static-analysis findings: guard manifest dependency writes against prototype-polluting keys (__proto__, constructor, prototype), and replace a potentially super-linear semver-detection regex in registry 404 hints with an O(n) parser.

• Strip sec-fetch-* headers from outgoing HTTP requests. These headers are automatically added by undici's fetch() implementation per the Fetch spec but cause Azure DevOps Artifacts to return HTTP 400 for uncached upstream packages, as ADO interprets them as browser requests #​11572.

• Fix minimumReleaseAge handling for cached abbreviated metadata.

  The version-spec cache fast path no longer rethrows ERR_PNPM_MISSING_TIME under strictPublishedByCheck; it now falls through to the registry-fetch path, consistent with the adjacent mtime-gated cache block.

  When the registry returns 304 Not Modified for a package whose cached metadata is abbreviated (no per-version time), pnpm now re-fetches with fullMetadata: true if minimumReleaseAge is active and the package was modified after the cutoff. The upgraded metadata is persisted to disk so subsequent installs don't repeat the fetch. Previously the abbreviated meta was used as-is and the maturity check fell back to its warn-and-skip path, silently bypassing the quarantine and emitting a misleading "metadata is missing the time field" warning.

  Closes #​11619.

• Fix pnpm upgrade --interactive --latest -r not respecting named catalog groups. Previously, upgrading a dependency using a named catalog (e.g. "catalog:foo") would incorrectly rewrite package.json to "catalog:" and place the updated version in the default catalog instead of the named one #​10115.

• Fixed optimisticRepeatInstall skipping pnpm-lock.yaml merge conflict resolution when the existing node_modules state appears up to date.

• Fix minimumReleaseAge / resolutionMode: time-based installs failing on lockfiles whose time: block is missing entries. The npm-resolver's peek-from-store fast path now surfaces publishedAt from the lockfile rather than discarding it, and falls through to a registry metadata fetch when the time-based cutoff can't be computed from the data on hand.

v11.1.1

Compare Source

Patch Changes

• Skip installability validation when scanning workspace projects in checkDepsStatus (run by verifyDepsBeforeRun). Previously the status check called findWorkspaceProjects, which validates each project's engines and os/cpu/libc and warns about useless fields in non-root manifests — work that the install pipeline already performs. With no nodeVersion threaded through, the engine check also fell back to the system Node from PATH and emitted spurious "Unsupported engine" warnings before scripts ran. Status-only callers now use findWorkspaceProjectsNoCheck; install paths continue to validate.
• Fixed pnpm add <alias>:@&#8203;scope/pkg for named registries. The local resolver was claiming any specifier containing / as a local directory, so pnpm add bit:@​teambit/bit (with bit configured under namedRegistries) installed a bogus link to bit:@​teambit/bit/ instead of resolving from the configured registry. The local resolver now runs after the named-registry resolver in the resolution chain.
• Updated @zkochan/cmd-shim to 9.0.3. The sh shim it writes for .cmd / .bat targets now escapes the /C switch as //C, so it survives the path translation Git Bash applies when launching cmd.exe. Without this, a bare /C was rewritten to C:\ before reaching cmd.exe — the switch was dropped, cmd started interactively, and the calling script saw the cmd banner instead of the wrapped command's output. Affects any cmd-shim-wrapped batch script invoked from Git Bash / MSYS / Cygwin on Windows. See pnpm/cmd-shim#55.

v11.1.0

Compare Source

Minor Changes

• Added pnpm audit signatures to verify ECDSA registry signatures for installed packages against keys from /-/npm/v1/keys #​7909. Scoped registries are respected, and registries without signing keys are skipped.

• Added support for installing packages from the GitHub Packages npm registry via a built-in gh: prefix (e.g. pnpm add gh:@​acme/private), and, more broadly, for arbitrary named registries in the style of vlt's named-registry aliases. Authentication is picked up from the existing per-URL .npmrc entries (e.g. //npm.pkg.github.com/:_authToken=...), so no separate auth mechanism is required.

  Additional aliases — or an override for the built-in gh alias, for GitHub Enterprise Server — can be configured under namedRegistries in pnpm-workspace.yaml:

  namedRegistries:
    gh: https://npm.pkg.github.example.com/
    work: https://npm.work.example.com/

  With this, work:@​corp/lib@^2.0.0 resolves against https://npm.work.example.com/. #​11324.

• Allow setting sbom spec version using --sbom-spec-version #​11389.

• Add --no-runtime flag (config: runtime=false) to skip installing runtime entries (e.g. Node.js downloaded via devEngines.runtime) without modifying the lockfile. The lockfile keeps the runtime entry so frozen-lockfile validation still passes; only the runtime fetch and .bin linking are skipped. Useful in CI matrices where the runtime is provisioned externally (e.g. via pnpm runtime -g set node <version>) before pnpm install runs.

• Added the pnpm bugs command that opens a package's bug tracker URL in the browser. With no arguments, it reads the current project's package.json; with one or more package names, it fetches each package's metadata from the registry and opens its bug tracker. Falls back to <repository>/issues when the bugs field is missing #​11279.

• Added pnpm owner command to manage package owners on the registry.

Patch Changes

• Added "published X ago by Y" information to the pnpm view command output, similar to npm view. This is useful when comparing against minimumReleaseAge.

  For example, pnpm view pnpm now shows:

  published 17 hours ago by GitHub Actions
  

• pnpm publish now honors the configured HTTP/HTTPS proxy (including https_proxy/http_proxy/no_proxy environment variables) when polling the registry's doneUrl during the web-based authentication flow. Previously the poll bypassed the proxy, causing the registry to respond 403 from a different source IP and the login to never complete #​11561.

• pnpm add -g now installs each space-separated package into its own isolated directory by default. To bundle multiple packages into the same isolated install (so that they share dependencies and are removed together), pass them as a comma-separated list. For example:

  • pnpm add -g foo bar installs foo and bar as two independent globals — removing one does not affect the other.
  • pnpm add -g foo,bar qar bundles foo and bar into a single isolated install while qar is installed on its own.

  Related: #​11587.

• pnpm runtime set <name> <version> no longer fails in the root of a multi-package workspace with the ADDING_TO_ROOT error. Installing the workspace root is a valid target for a runtime, so the command now bypasses that safety check.

• Fix pnpm --version hanging for the lifetime of the worker pool after the version was printed. main.ts's --version short-circuit returned before reaching the command-handler finally that calls finishWorkers(), so the worker pool that switchCliVersion had spawned during integrity resolution stayed alive and held the Node event loop open. The CLI entry now runs finishWorkers() from its own finally, so every exit path tears the pool down.

  Repro: pnpm --version in a workspace whose devEngines.packageManager version already matches the running pnpm + onFail: "download". switchCliVersion resolves the integrity (spawning workers), finds nothing to swap, returns. The version prints, then the process hangs.

privatenumber/tsx (tsx)

v4.21.1

Compare Source

Bug Fixes

• support Node 20.11/21.2 import.meta paths (acf3d8f)
• support Node.js 24.15.0 (c1d2d45)
• support Node.js 26.1.0 and 25.9.0 (1d7e528)

---

This release is also available on:

• npm package (@​latest dist-tag)

statelyai/xstate (xstate)

v5.31.1

Compare Source

Patch Changes

• #​5525 f79ea13 Thanks @​davidkpiano! - Fixed route transition guards so named guards registered with setup({ guards }) are resolved for route.guard.

  const machine = setup({
    guards: {
      isReady: ({ context }) => context.ready
    }
  }).createMachine({
    states: {
      review: {
        id: 'review',
        route: {
          guard: 'isReady'
        }
      }
    }
  });

---

Configuration

📅 Schedule: (in timezone Europe/Oslo)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[github-actions]

No changeset found. Consider running pnpm changeset or pnpm changeset:suggest locally.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud