Skip to content

chore: bump up all non-major dependencies#293

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch
Open

chore: bump up all non-major dependencies#293
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence Type Update
@types/node (source) 24.13.224.13.3 age confidence dependencies patch
next (source) 16.2.916.2.10 age confidence dependencies patch
node (source) 24.16.024.18.0 age confidence minor
oxfmt (source) ^0.54.0^0.58.0 age confidence devDependencies minor
pnpm (source) 10.34.310.34.5 age confidence packageManager patch
pnpm/action-setup v6.0.8v6.0.9 age confidence action patch

Release Notes

vercel/next.js (next)

v16.2.10

Compare Source

nodejs/node (node)

v24.18.0: 2026-06-23, Version 24.18.0 'Krypton' (LTS), @​richardlau prepared by @​sxa

Compare Source

Notable Changes
  • [e07e7a31e1] - crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #​63527
  • [44c8ebcbd6] - http: avoid stream listeners on idle agent sockets (Matteo Collina) #​64004
  • [d3ef4122ee] - (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) #​63597
  • [bb2857b85a] - (SEMVER-MINOR) crypto: align key argument names in docs and error messages (Filip Skokan) #​62527
  • [b9d5e87880] - (SEMVER-MINOR) crypto: accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #​62527
  • [ccd756d61e] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #​62183
  • [4c9251fc09] - (SEMVER-MINOR) http: add writeInformation to send arbitrary 1xx status codes (Tim Perry) #​63155
  • [8c989ec4a3] - (SEMVER-MINOR) inspector: expose precise coverage start to JS runtime (sangwook) #​63079
  • [3f54c8ba32] - Revert "stream: noop pause/resume on destroyed streams" (Stewart X Addison) #​63834
Commits

v24.17.0: 2026-06-18, Version 24.17.0 'Krypton' (LTS), @​aduh95

Compare Source

This is a security release.

Notable Changes
  • (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
  • (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
  • (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
  • (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
  • (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
  • (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
  • (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
  • (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
  • (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
  • (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
  • (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low
Commits
oxc-project/oxc (oxfmt)

v0.58.0

Compare Source

v0.57.0

Compare Source

v0.56.0

Compare Source

v0.55.0

Compare Source

🚀 Features
  • 9a2788b linter/unicorn: Implement prefer-export-from rule (#​22935) (AliceLanniste)
pnpm/pnpm (pnpm)

v10.34.5

Compare Source

v10.34.4: pnpm 10.34.4

Compare Source

Patch Changes
  • 352ae48: Security: validate config dependency names and versions before using them to build filesystem paths. A pnpm-workspace.yaml with a traversal-shaped configDependencies name (such as ../../PWNED) or version (such as ../../../PWNED) could previously cause pnpm install to create symlinks or write package files outside node_modules/.pnpm-config and the store. Names must now be valid npm package names and versions must be exact semver versions. See GHSA-qrv3-253h-g69c.

  • 352ae48: Reject path-traversal and reserved dependency aliases (such as ../../../escape, .bin, .pnpm, or node_modules) that come from a lockfile rather than a freshly resolved manifest. A crafted lockfile alias could otherwise be joined directly under a hoisted node_modules directory, letting package files be written outside the intended install root or overwrite pnpm-owned layout.

    The nodeLinker: hoisted graph builder now validates each alias at the directory sink (safeJoinModulesDir), matching the validation pnpm already performs when resolving aliases from manifests. See GHSA-fr4h-3cph-29xv.

  • 352ae48: Prevent pnpm patch-remove from removing files outside the configured patches directory.

  • 217fbe0: Hardened the warning printed when a project .npmrc uses environment variables in registry/auth settings: the suggested pnpm config set command is now only included for keys made up of shell-inert characters. Because the key comes from a repository-controlled .npmrc and a shell expands $(...), backticks, and $VAR even inside double quotes, a crafted key could otherwise have turned the suggested copy-paste command into command execution.

Platinum Sponsors
Bit
Gold Sponsors
Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx
pnpm/action-setup (pnpm/action-setup)

v6.0.9

Compare Source

What's Changed

Full Changelog: pnpm/action-setup@v6...v6.0.9


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@vercel

vercel Bot commented Jun 15, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
milkdown Ready Ready Preview, Comment Jul 10, 2026 6:04pm

Request Review

@changeset-bot

changeset-bot Bot commented Jun 15, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: fbbf3e8

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 489da0a to d033eaf Compare June 18, 2026 06:10
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from d033eaf to eb94377 Compare June 19, 2026 01:37
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from eb94377 to 02b7e7e Compare June 22, 2026 17:43
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 02b7e7e to 38d2883 Compare June 24, 2026 01:38
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 38d2883 to a7e6c63 Compare June 30, 2026 02:00
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from a7e6c63 to b74a76d Compare July 1, 2026 23:04
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from b74a76d to dc15ce6 Compare July 7, 2026 05:35
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from dc15ce6 to 59975aa Compare July 8, 2026 08:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants