chore(deps): update non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@datadog/browser-rum (source)	7.2.0 → 7.3.0			dependencies	minor
@dotenvx/dotenvx	1.71.0 → 1.72.0			dependencies	minor
@github/clipboard-copy-element	1.3.0 → 1.3.1			dependencies	patch
@kong/kongponents (source)	9.57.0 → 9.59.0			dependencies	minor
@tailwindcss/typography	0.5.19 → 0.5.20			devDependencies	patch
algoliasearch (source)	5.53.0 → 5.54.1			dependencies	minor
axios (source)	1.17.0 → 1.18.0			dependencies	minor
axios (source)	1.17.0 → 1.18.0			resolutions	minor
liquid-c (source)	4.0.1 → 4.2.0				minor
playwright (source)	1.60.0 → 1.61.0			dependencies	minor
ruby (source)	3.4.4 → 3.4.9				patch
semver	7.8.2 → 7.8.4			dependencies	patch
undici (source)	7.27.2 → 7.28.0			dependencies	minor
vue (source)	3.5.35 → 3.5.38			dependencies	patch
vue-instantsearch	4.26.7 → 4.26.8			dependencies	patch
yarn (source)	4.16.0 → 4.17.0			packageManager	minor

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

DataDog/browser-sdk (@​datadog/browser-rum)

v7.3.0

Compare Source

Public Changes:

• ✨ Add browser debugger Capture Expressions (#​4731)
• ✨ Add Browser RUM Salesforce support (#​4726)
• ✨ RUM-16635 Add wildcard host pattern matching to WebView event bridge (#​4703)
• ✨ Introduce @​datadog/js-core, a runtime-agnostic core package with independent versioning (#​4727)
• ✨ Release feature operation vital APIs publicly (#​4684)
• 🐛 Harden debugger error formatting for hostile values (#​4740)
• 🐛 fix wrong framework name in angular router warning (#​4762)
• 🐛 remove unused getValidTagName (#​4752)
• 🐛 Restore sanitize toJSON hooks after failures (#​4750)
• 🐛 Omit global this from debugger snapshots (#​4732)
• 🐛 stop browser source leaking into Node-only scripts typecheck (#​4729)
• 🐛 Use Debugger SDK prefix for debugger logs (#​4722)
• 🐛 Ignore unsupported debugger probes (#​4723)
• 🐛 Forward initial loader errors to RouterProvider's onError (#​4660)
• 🐛 Preserve in-flight debugger probe entries on removal (#​4688)
• 🐛 [RUM-11848] Guard window/location access for non-browser environments (#​4674)
• 🐛 [PANA-7563] Fix maximum call stack exceeded error when processing mutations (#​4694)
• 🐛 Skip debugger probes with invalid conditions (#​4686)
• 🐛 Report debugger condition evaluation errors (#​4685)
• 📝 add code review guide for agents (#​4706)
• 📝 remove package tags from changelog entries (#​4689)
• ⚗️ Add instrumentConstructor utility (#​4714)
• ⚗️ Partial view updates (experimental) (#​4201)

Internal Changes:

• 👷 remove dead puppeteer-core ws resolution (#​4771)
• 👷 Update dependency eslint-plugin-unicorn to v65 (#​4745)
• 👷 Unfreeze canary deployment (#​4765)
• 👷 Update angular monorepo to v22 (#​4725)
• 👷 Lock file maintenance (#​4713)
• 👷 Add 'dependencies' label to bump-chrome-version PRs (#​4710)
• 👷 Update dependency next to v16.2.6 [SECURITY] (#​4552)
• 👷 Update Node.js to v26 (#​4698)
• 👷 Update all non-major dependencies to v7.3.5 (#​4744)
• 👷 Allow bcaudan/json-schema-to-typescript git dependency in Yarn hardened mode (#​4743)
• 👷 Freeze canary deployment by commenting out deploy-prod-canary CI job (#​4742)
• 👷 Update all non-major dependencies (#​4724)
• 👷 Update playwright monorepo to v1.60.0 (#​4719)
• 👷 Update dependency typescript to v6 (#​4700)
• 👷 Update all non-major dependencies (#​4701)
• 👷 Bump chrome to 149.0.7827.53-1 (#​4709)
• 👷 Update dependency @​playwright/test to v1.59.1 (#​4502)
• 👷 Add help message when publish fail (#​4690)
• 👷 add CI check for unreplaced BUILD_ENV placeholders (#​4693)
• 👷 Update BS Mobile Chrome Device (#​4692)
• 👷 Add debugger bundle to deploy scripts (#​4682)
• 👷 Allow version bump titles in PR (#​4681)
• ♻️ Tighten debugger capture return types (#​4755)
• ♻️ remove allowUntrustedEvents from internal configuration (#​4769)
• ♻️ more flexible Hook API (#​4749)
• ♻️ Rename E2E intake server to Datadog HTTP API (#​4737)
• ♻️ Align CODEOWNERS entries (#​4739)
• ♻️ Move time utilities from browser-core to @​datadog/js-core (#​4748)
• ♻️ Simplify debugger template evaluation (#​4730)
• ♻️ Make react-router-app the latest version app (#​4728)
• ♻️ rename packages/* folders with browser- prefix (#​4712)
• ♻️ Rename scripts/performance to scripts/bundle-size and remove deploy step from CI job (#​4707)
• ♻️ build intake endpoints lazily instead of storing them on the configuration (#​4699)
• ♻️ ESLint maintenance (#​4697)
• ♻️ improve globalObject definition and usage (#​4695)
• ♻️ unify endpoint URL building with buildEndpointUrl (#​4683)
• ♻️ [PANA-7375] Eliminate unnecessary conditional node serialization (#​4629)
• ♻️ refactor modifiable field paths in rum assembly (#​4687)
• ♻️ Update debugger generated code target to ES2020 (#​4680)
• 🎨 Gate view_update events behind datadogMode in developer extension (#​4622)
• 🎨 [PANA-7353] Clean up naming in recording code (#​4628)
• ✅ Test probe error handling when addProbe fails (#​4754)
• ✅ fail unit tests when unexpected console logs are detected in CI (#​4770)
• ✅ Simplify debugger API spec call sites (#​4741)
• ✅ Add debugger E2E coverage for delivery lifecycle (#​4738)
• ✅ Make tanstack router use basePluginRouterTests (#​4746)
• ✅ Fix React router test state leak (#​4751)
• ✅ Simplify debugger probe test fixtures (#​4736)
• ✅ Add e2e test for Vue Router v5 (#​4711)
• ✅ fix flaky test (#​4708)
• ✅ debugger: complete entry-snapshot capture-decision tests (#​4670)
• 🔧 Add .DS_Store files to .gitignore (#​4721)
• 🔥 remove WeakSet fallback in mergeInto (#​4763)
• 🔥 remove unused types (#​4753)
• 🚨 enable prefer-optional-chain (#​4705)
• 🧹 telemetry maintenance: drop unused instrumentation, bump expirations (#​4702)
• 🔇 Discard expected navigator.locks errors from page teardown (#​4691)

dotenvx/dotenvx (@​dotenvx/dotenvx)

v1.72.0

Compare Source

Added

• Move armor login command to first class dotenvx login command. (#​836)
• dotenvx remains local-first: login is optional and only needed when you want Armor features like moving keys off-device, team sharing, and audit access.
• Patch 2 high severity dependencies (#​837)

v1.71.3

Compare Source

Changed

• Forward command to Dotenvx Armor Key Guard approvals (#​835)

v1.71.2

Compare Source

Changed

• touch up get, set, and decrypt when armor installed (#​834)

v1.71.1

Compare Source

Changed

• stderr changed to inherit for dotenvx-armor integration (#​833)

github/clipboard-copy-element (@​github/clipboard-copy-element)

v1.3.1

Compare Source

What's Changed

• Bump follow-redirects from 1.14.9 to 1.15.4 by @​dependabot[bot] in #​72
• Bump ip from 1.1.8 to 1.1.9 by @​dependabot[bot] in #​73
• Bump follow-redirects from 1.15.4 to 1.15.6 by @​dependabot[bot] in #​74
• Bump braces from 3.0.2 to 3.0.3 by @​dependabot[bot] in #​75
• Bump the npm_and_yarn group with 7 updates by @​dependabot[bot] in #​76
• Bump the npm_and_yarn group with 2 updates by @​dependabot[bot] in #​77
• Bump the npm_and_yarn group with 4 updates by @​dependabot[bot] in #​79
• Bump the npm_and_yarn group with 2 updates by @​dependabot[bot] in #​80
• Bump the npm_and_yarn group across 1 directory with 2 updates by @​dependabot[bot] in #​81
• Bump the npm_and_yarn group across 1 directory with 2 updates by @​dependabot[bot] in #​82
• Potential fixes for 2 code scanning alerts by @​cinderellasecure in #​85
• Modify publish workflow to include id-token permission by @​gracepark in #​86
• Normalize non-breaking spaces when copying to clipboard by @​Copilot in #​87

New Contributors

• @​cinderellasecure made their first contribution in #​85
• @​gracepark made their first contribution in #​86
• @​Copilot made their first contribution in #​87

Full Changelog: github/clipboard-copy-element@v1.3.0...v1.3.1

Kong/kongponents (@​kong/kongponents)

v9.59.0

Compare Source

Features

• add a readonly prop to filters (#​3229) (32ae70b)

v9.58.0

Compare Source

Features

• enable filter select item searching (#​3228) (76e878f)

tailwindlabs/tailwindcss-typography (@​tailwindcss/typography)

v0.5.20

Compare Source

Fixed

• Support installing with stable versions of Tailwind CSS v4 (#​424)

algolia/algoliasearch-client-javascript (algoliasearch)

v5.54.1

Compare Source

• 3a0bad1d01 fix(javascript): use proper null check instead of truthiness for required params (#​6498) by @​Fluf22

v5.54.0

Compare Source

• e6753bc802 chore(deps): dependencies 2026-06-01 (#​6476) by @​algolia-bot
• 7f2ce8cd3a feat(clients): Agent Studio v1 (#​6097) by @​Fluf22

axios/axios (axios)

v1.18.0

Compare Source

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

• Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#​10892)

• URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#​11000)

🐛 Bug Fixes

• Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#​10899)

🔧 Maintenance & Chores

• Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#​10984, #​10988, #​10992, #​10995)

• Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#​10989, #​10996, #​10997)

• Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#​11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​drori12 (#​10984)
• @​eyupcanakman (#​10899)
• @​Adi-Beker (#​10995)

Full Changelog

microsoft/playwright (playwright)

v1.61.0

Compare Source

🔑 WebAuthn passkeys

New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:

const context = await browser.newContext();

// Seed a passkey your backend provisioned for a test user.
await context.credentials.create('example.com', {
  id: credentialId,
  userHandle,
  privateKey,
  publicKey,
});
await context.credentials.install();

const page = await context.newPage();
await page.goto('https://example.com/login');
// The page's navigator.credentials.get() is answered with the seeded passkey.

You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.

🗃️ Web Storage

New WebStorage API, available via page.localStorage and page.sessionStorage, reads and writes the page's storage for the current origin:

await page.localStorage.setItem('token', 'abc');
const token = await page.localStorage.getItem('token');
const items = await page.sessionStorage.items();

New APIs

Network

• apiResponse.securityDetails() and apiResponse.serverAddr() mirror the browser-side response.securityDetails() and response.serverAddr().

Browser and Screencast

• New option artifactsDir in browserType.connectOverCDP() controls where artifacts such as traces and downloads are stored when attached to an existing browser.
• New option cursor in screencast.showActions() controls the cursor decoration rendered for pointer actions.
• The onFrame callback in screencast.start() now receives a timestamp of when the frame was presented by the browser.

Test runner

• The testOptions.video option now supports the same set of modes as trace: new 'on-all-retries', 'retain-on-first-failure' and 'retain-on-failure-and-retries' values. See the video modes table for which runs are recorded and kept in each mode.
• Supported expect.soft.poll(...).
• New fullConfig.argv — a snapshot of process.argv from the runner process, handy for reading custom arguments passed after the -- separator.
• New fullConfig.failOnFlakyTests mirrors the config option, so reporters can explain why a flaky run failed.
• testInfo.errors now lists each sub-error of an AggregateError as a separate entry.
• New -G command line shorthand for --grep-invert.

🛠️ Other improvements

• Playwright now supports Ubuntu 26.04.
• HAR and trace recordings now include WebSocket requests.

Browser Versions

• Chromium 149.0.7827.55
• Mozilla Firefox 151.0
• WebKit 26.5

This version was also tested against the following stable channels:

• Google Chrome 149
• Microsoft Edge 149

npm/node-semver (semver)

v7.8.4

Compare Source

Bug Fixes

• e583226 #​874 reject numeric segments after x-ranges (@​pupuking723)

v7.8.3

Compare Source

Bug Fixes

• 046da7f #​872 align caret includePrerelease lower bounds (#​872) (@​wayyoungboy)

Chores

• 3485dda #​866 bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#​866) (@​dependabot[bot])

nodejs/undici (undici)

v7.28.0

Compare Source

vuejs/core (vue)

v3.5.38

Compare Source

v3.5.37

Compare Source

v3.5.36

Compare Source

Bug Fixes

• compiler-core: avoid crash on CDATA at the document root (#​14916) (0ea17e2)
• compiler-core: prefix dynamic keys on v-memo elements (#​14922) (68e978e), closes #​14920
• compiler-sfc: handle vue-ignore on leading intersection/union type (#​14950) (0dcd225), closes #​12254
• compiler-sfc: respect var hoisting in props destructure (48ad452)
• reactivity: preserve watch callback return value when wrapped for once: true (#​14902) (450a8a8)
• runtime-core: add dev warning for silent catch in compat mode and fix test description typo (#​14891) (db3e117)
• runtime-core: force model update when reverted before sync (#​14897) (7f76378), closes #​13524
• runtime-core: skip async component callbacks after unmount (#​14911) (5300ead)
• transition: avoid move transition for hidden v-show group children (#​14895) (c11f6ee), closes #​14894
• watch: trigger immediate callback for empty sources (#​14914) (1f2ca7e), closes #​14898

algolia/instantsearch (vue-instantsearch)

v4.26.8

Compare Source

Note: Version bump only for package vue-instantsearch

yarnpkg/berry (yarn)

v4.17.0: v4.17.0

Compare Source

What's Changed

• Adds support for package map generation by @​arcanis in #​7184
• fix: add catalog settings to yarnrc schema by @​cyphercodes in #​7179
• docs: clarify background job exit codes by @​StantonMatt in #​7167
• fix: explain peer-default dependencies in why by @​StantonMatt in #​7168
• Docs: fix npmMinimalAgeGate default by @​clemyan in #​7181
• feat(plugin-npm): allow npmMinimalAgeGate per npmScope by @​erlandasz in #​7156

New Contributors

• @​cyphercodes made their first contribution in #​7179
• @​StantonMatt made their first contribution in #​7167
• @​erlandasz made their first contribution in #​7156

Full Changelog: https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.16.0...@​yarnpkg/cli/4.17.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "every weekend"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for kongdeveloper ready!

Name	Link
🔨 Latest commit	00cea73
🔍 Latest deploy log	https://app.netlify.com/projects/kongdeveloper/deploys/6a30ee0764478d00085214c8
😎 Deploy Preview	https://deploy-preview-5573--kongdeveloper.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.