Skip to content

fix(deps): update all minor dependency bump#288

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/all-minor
Open

fix(deps): update all minor dependency bump#288
renovate[bot] wants to merge 1 commit intomainfrom
renovate/all-minor

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Nov 24, 2025
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@frsource/eslint-config (source) 1.66.01.75.0 age confidence
@frsource/prettier-config (source) 1.38.01.42.0 age confidence
@types/node (source) 24.10.1324.12.0 age confidence
beasties (source) ^0.3.0^0.4.0 age confidence
focus-trap 7.6.67.8.0 age confidence
globals 17.0.017.4.0 age confidence
lodash-es (source) 4.17.234.18.1 age confidence
pnpm (source) 10.30.310.33.0 age confidence
prettier (source) 3.6.23.8.1 age confidence
sass 1.93.31.99.0 age confidence
type-fest 5.2.05.5.0 age confidence
unplugin-auto-import 20.2.020.3.0 age confidence
vite (source) 7.2.77.3.1 age confidence
vite-plugin-pwa 1.1.01.2.0 age confidence
vue-i18n (source) 11.1.1211.3.0 age confidence

Release Notes

FRSOURCE/toolkit (@​frsource/eslint-config)

v1.75.0

Compare Source

Bug Fixes

v1.74.0

Compare Source

Bug Fixes

v1.73.0

Compare Source

Bug Fixes

v1.72.0

Compare Source

v1.71.0

Compare Source

v1.70.0

Compare Source

Bug Fixes

v1.69.0

Compare Source

Bug Fixes

v1.68.0

Compare Source

Bug Fixes

v1.67.0

Compare Source

Bug Fixes
FRSOURCE/toolkit (@​frsource/prettier-config)

v1.42.0

Compare Source

Bug Fixes

v1.41.0

Compare Source

Bug Fixes

v1.40.0

Compare Source

v1.39.0

Compare Source

Bug Fixes
danielroe/beasties (beasties)

v0.4.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v0.4.0

Compare Source

   🚨 Breaking Changes
   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub
focus-trap/focus-trap (focus-trap)

v7.8.0

Compare Source

Minor Changes
  • c214581: Adds aria-hidden support to isolateSubtrees config option
Patch Changes
  • bb36e15: Fix undefined method _setSubtreeIsolation crash when using trapStack in DOM with older versions of Focus-trap (#​1729)

v7.7.1

Compare Source

Patch Changes
  • a386578: Bump tabbable dependency for improved inert handling

v7.7.0

Compare Source

Minor Changes
  • 14b9155: Adds a new feature "isolateSubtrees", allowing focus-trap to prevent screen readers from reading content outside the trap. (#​1575)
sindresorhus/globals (globals)

v17.4.0

Compare Source

v17.3.0

Compare Source

v17.2.0

Compare Source

  • jasmine: Add throwUnless and throwUnlessAsync globals (#​335) 97f23a7

v17.1.0

Compare Source

lodash/lodash (lodash-es)

v4.18.1

Compare Source

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See #​6167 (comment)

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

v4.18.0

Compare Source

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs
  • Add security notice for _.template in threat model and API docs (#​6099)
  • Document lower > upper behavior in _.random (#​6115)
  • Fix quotes in _.compact jsdoc (#​6090)
lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

pnpm/pnpm (pnpm)

v10.33.0

Compare Source

v10.32.1: pnpm 10.32.1

Compare Source

Patch Changes

  • Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #​10909.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.32.0: pnpm 10.32

Compare Source

Minor Changes

  • Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #​10136.

Patch Changes

  • Reverted change related to setting explicitly the npm config file path, which caused regressions.
  • Reverted fix related to lockfile-include-tarball-url. Fixes #​10915.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.31.0

Compare Source

prettier/prettier (prettier)

v3.8.1

Compare Source

v3.8.0

Compare Source

diff

🔗 Release note

v3.7.4

Compare Source

diff

LWC: Avoid quote around interpolations (#​18383 by @​kovsu)
<!-- Input -->
<div foo={bar}>   </div>

<!-- Prettier 3.7.3 (--embedded-language-formatting off) -->
<div foo="{bar}"></div>

<!-- Prettier 3.7.4 (--embedded-language-formatting off) -->
<div foo={bar}></div>
TypeScript: Fix comment inside union type gets duplicated (#​18393 by @​fisker)
// Input
type Foo = (/** comment */ a | b) | c;

// Prettier 3.7.3
type Foo = /** comment */ (/** comment */ a | b) | c;

// Prettier 3.7.4
type Foo = /** comment */ (a | b) | c;
TypeScript: Fix unstable comment print in union type comments (#​18395 by @​fisker)
// Input
type X = (A | B) & (
  // comment
  A | B
);

// Prettier 3.7.3 (first format)
type X = (A | B) &
  (// comment
  A | B);

// Prettier 3.7.3 (second format)
type X = (
  | A
  | B // comment
) &
  (A | B);

// Prettier 3.7.4
type X = (A | B) &
  // comment
  (A | B);

v3.7.3

Compare Source

diff

API: Fix prettier.getFileInfo() change that breaks VSCode extension (#​18375 by @​fisker)

An internal refactor accidentally broke the VSCode extension plugin loading.

v3.7.2

Compare Source

diff

JavaScript: Fix string print when switching quotes (#​18351 by @​fisker)
// Input
console.log("A descriptor\\'s .kind must be \"method\" or \"field\".")

// Prettier 3.7.1
console.log('A descriptor\\'s .kind must be "method" or "field".');

// Prettier 3.7.2
console.log('A descriptor\\\'s .kind must be "method" or "field".');
JavaScript: Preserve quote for embedded HTML attribute values (#​18352 by @​kovsu)
// Input
const html = /* HTML */ ` <div class="${styles.banner}"></div> `;

// Prettier 3.7.1
const html = /* HTML */ ` <div class=${styles.banner}></div> `;

// Prettier 3.7.2
const html = /* HTML */ ` <div class="${styles.banner}"></div> `;
TypeScript: Fix comment in empty type literal (#​18364 by @​fisker)
// Input
export type XXX = {
  // tbd
};

// Prettier 3.7.1
export type XXX = { // tbd };

// Prettier 3.7.2
export type XXX = {
  // tbd
};

v3.7.1

Compare Source

diff

API: Fix performance regression in doc printer (#​18342 by @​fisker)

Prettier 3.7.1 can be very slow when formatting big files, the regression has been fixed.

v3.7.0

Compare Source

diff

🔗 Release Notes

sass/dart-sass (sass)

v1.99.0

Compare Source

  • Add support for parent selectors (&) at the root of the document. These are
    emitted as-is in the CSS output, where they're interpreted as the scoping
    root    .

  • User-defined functions named calc or clamp are no longer forbidden. If
    such a function exists without a namespace in the current module, it will be
    used instead of the built-in calc() or clamp() function.

  • User-defined functions whose names begin with - and end with -expression,
    -url, -and, -or, or -not are no longer forbidden. These were
    originally intended to match vendor prefixes, but in practice no vendor
    prefixes for these functions ever existed in real browsers.

  • User-defined functions named EXPRESSION, URL, and ELEMENT, those that
    begin with - and end with -ELEMENT, as well as the same names with some
    lowercase letters are now deprecated, These are names conflict with plain CSS
    functions that have special syntax.

    See the Sass website for details.

  • In a future release, calls to functions whose names begin with - and end
    with -expression and -url will no longer have special parsing. For now,
    these calls are deprecated if their behavior will change in the future.

    See the Sass website for details.

  • Calls to functions whose names begin with - and end with -progid:... are
    deprecated.

    See the Sass website for details.

v1.98.0

Compare Source

Command-Line Interface
  • Gracefully handle dependency loops in --watch mode.
Dart API
  • Add a const Logger.defaultLogger field. This provides a logger that emits to
    standard error or the browser console, but automatically chooses whether to
    use terminal colors.
JavaScript API

  • Fix a crash when manually constructing a SassCalculation for 'calc' with
    an argument that can't be simplified.

  • Properly emit deprecation warnings as text rather than StringBuffer objects
    when running in a browser.

  • Emit colored warnings and other messages on the console when running in a
    browser.

v1.97.3

Compare Source

  • Fix a bug where nesting an at-rule within multiple style rules in plain CSS
    could cause outer style rules to be omitted.

v1.97.2

Compare Source

  • Additional fixes for implicit configuration when nested imports are involved.

v1.97.1

Compare Source

v1.97.0

Compare Source

  • Add support for the display-p3-linear color space.

v1.96.0

Compare Source

  • Allow numbers with complex units (more than one numerator unit or more than
    zero denominator units) to be emitted to CSS. These are now emitted as
    calc() expressions, which now support complex units in plain CSS.

v1.95.1

Compare Source

  • No user-visible changes.

v1.95.0

Compare Source

  • Add support for the CSS-style if() function. In addition to supporting the
    plain CSS syntax, this also supports a sass() query that takes a Sass
    expression that evaluates to true or false at preprocessing time depending
    on whether the Sass value is truthy. If there are no plain-CSS queries, the
    function will return the first value whose query returns true during
    preprocessing. For example, if(sass(false): 1; sass(true): 2; else: 3)
    returns 2.

  • The old Sass if() syntax is now deprecated. Users are encouraged to migrate
    to the new CSS syntax. if($condition, $if-true, $if-false) can be changed to
    if(sass($condition): $if-true; else: $if-false).

    See the Sass website for details.

  • Plain-CSS if() functions are now considered "special numbers", meaning that
    they can be used in place of arguments to CSS color functions.

  • Plain-CSS if() functions and attr() functions are now considered "special
    variable strings" (like var()), meaning they can now be used in place of
    multiple arguments or syntax fragments in various CSS functions.

v1.94.3

Compare Source

  • Fix the span reported for standalone % expressions followed by whitespace.

v1.94.2

Compare Source

Command-Line Interface
  • Using --fatal-deprecation <version> no longer emits warnings about
    deprecations that are obsolete.
Dart API
  • Deprecation.forVersion now excludes obsolete deprecations from the set it
    returns.
JS API
  • Excludes obsolete deprecations from fatalDeprecations when a Version is
    passed.
Node.js Embedded Host
  • Fix a bug where a variable could be used before it was initialized during
    async compilation.

v1.94.1

Compare Source

  • No user-visible changes.

v1.94.0

Compare Source

  • Potentially breaking compatibility fix: @function rules whose names
    begin with -- are now parsed as unknown at-rules to support the plain CSS
    @function rule. Within this rule, the result property is parsed as raw
    CSS just like custom properties.

  • Potentially breaking compatibility fix: @mixin rules whose names begin
    with -- are now errors. These are not yet parsed as unknown at-rules because
    no browser currently supports CSS mixins.

sindresorhus/type-fest (type-fest)

v5.5.0

Compare Source

New types
Improvements
  • Add function parameter constraint examples to numeric comparison types (#​1357) 24be93d
  • UnionToTuple: Fix behavior when a union member is a supertype of another (#​1349) 0f923d0
  • ConditionalPickDeep: Fix returning {} instead of never when no keys match (#​1360) 6af847a
  • ConditionalPick: Fix returning {} instead of never when no keys match (#​1359) 3995003
  • GreaterThan / LessThan / GreaterThanOrEqual / LessThanOrEqual: Fix behavior with the number type (#​1363) cfea505

v5.4.4

Compare Source

  • PackageJson: Use LiteralUnion for engines field (#​1354) fc9e2bb
  • IsUnion: Fix behavior when the entire union extends all individual members (#​1353) b0321a5
  • Paths: Fix leavesOnly behavior with never leaves (#​1350) 2c34128
  • Paths: Fix behavior with WeakMaps / WeakSets (#​1348) ac3b50e
  • Paths: Fix behavior with tuples containing optional elements with a rest element (#​1346) 7c82a21

v5.4.3

Compare Source

v5.4.2

Compare Source

v5.4.1

Compare Source

  • MergeDeep: Remove extra undefined from optional properties (#​1319) a6af489

v5.4.0

Compare Source

New types

v5.3.1

Compare Source

v5.3.0

Compare Source

Improvements
Fixes
unplugin/unplugin-auto-import (unplugin-auto-import)

v20.3.0

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub
vitejs/vite (vite)

v7.3.1

Compare Source

Please refer to CHANGELOG.md for details.

v7.3.0

Compare Source

Please refer to CHANGELOG.md for details.

vite-pwa/vite-plugin-pwa (vite-plugin-pwa)

v1.2.0

[Compare Source](https://redirect.github.com/vite-pwa/vite-p

Configuration

📅 Schedule: Branch creation - "before 5am on Monday" in timezone Europe/Warsaw, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/all-minor branch 8 times, most recently from f4f53ff to 21c51d7 Compare November 29, 2025 22:37
@renovate renovate bot force-pushed the renovate/all-minor branch 7 times, most recently from 387386c to d414b91 Compare December 8, 2025 20:01
@renovate renovate bot force-pushed the renovate/all-minor branch 6 times, most recently from eb62c0c to 7bd6b63 Compare December 16, 2025 09:32
@renovate renovate bot force-pushed the renovate/all-minor branch 4 times, most recently from 1a927e7 to 7cb4303 Compare December 22, 2025 04:41
@renovate renovate bot force-pushed the renovate/all-minor branch 4 times, most recently from b062db6 to 6b92299 Compare January 7, 2026 10:10
@renovate renovate bot force-pushed the renovate/all-minor branch from 6b92299 to 76e880e Compare January 8, 2026 17:25
@renovate renovate bot force-pushed the renovate/all-minor branch 3 times, most recently from a39f72c to 9c84de4 Compare January 27, 2026 19:15
@renovate renovate bot force-pushed the renovate/all-minor branch 4 times, most recently from 6890e77 to 8e7d90d Compare February 2, 2026 18:15
@renovate renovate bot force-pushed the renovate/all-minor branch 3 times, most recently from d634a69 to 29fceeb Compare February 12, 2026 13:43
@renovate renovate bot force-pushed the renovate/all-minor branch 3 times, most recently from b822bc1 to cd6044d Compare February 23, 2026 04:36
@renovate renovate bot force-pushed the renovate/all-minor branch 9 times, most recently from 9016bcc to f94a0b0 Compare March 2, 2026 13:58
@renovate renovate bot force-pushed the renovate/all-minor branch 7 times, most recently from e4acd2d to 91243e7 Compare March 9, 2026 05:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants