chore(deps): lock file maintenance

[renovate]

This PR contains the following updates:

Update	Change
lockFileMaintenance	All locks refreshed

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 007c40b5-4617-49d0-947c-6621f42a0e0c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/lock-file-maintenance

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

_{To disable these notifications, a workspace admin can disable them in workspace settings.}

---

View your CI Pipeline Execution ↗ for commit 260877a

Command	Status	Duration	Result
nx affected --targets=test:sherif,test:knip,tes...	❌ Failed	4m 43s	View ↗
nx run-many --target=build --exclude=examples/*...	❌ Failed	1m 25s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-05-14 06:21:11 UTC

[github-actions]

🚀 Changeset Version Preview

2 package(s) bumped directly, 23 bumped as dependents.

🟩 Patch bumps

Package	Version	Reason
@tanstack/vue-query	5.100.10 → 5.100.11	Changeset
@tanstack/vue-query-devtools	6.1.29 → 6.1.30	Changeset
@tanstack/angular-query-experimental	5.100.10 → 5.100.11	Dependent
@tanstack/angular-query-persist-client	5.100.10 → 5.100.11	Dependent
@tanstack/eslint-plugin-query	5.100.10 → 5.100.11	Dependent
@tanstack/lit-query	0.2.1 → 0.2.2	Dependent
@tanstack/preact-query	5.100.10 → 5.100.11	Dependent
@tanstack/preact-query-devtools	5.100.10 → 5.100.11	Dependent
@tanstack/preact-query-persist-client	5.100.10 → 5.100.11	Dependent
@tanstack/query-async-storage-persister	5.100.10 → 5.100.11	Dependent
@tanstack/query-broadcast-client-experimental	5.100.10 → 5.100.11	Dependent
@tanstack/query-core	5.100.10 → 5.100.11	Dependent
@tanstack/query-devtools	5.100.10 → 5.100.11	Dependent
@tanstack/query-persist-client-core	5.100.10 → 5.100.11	Dependent
@tanstack/query-sync-storage-persister	5.100.10 → 5.100.11	Dependent
@tanstack/react-query	5.100.10 → 5.100.11	Dependent
@tanstack/react-query-devtools	5.100.10 → 5.100.11	Dependent
@tanstack/react-query-next-experimental	5.100.10 → 5.100.11	Dependent
@tanstack/react-query-persist-client	5.100.10 → 5.100.11	Dependent
@tanstack/solid-query	5.100.10 → 5.100.11	Dependent
@tanstack/solid-query-devtools	5.100.10 → 5.100.11	Dependent
@tanstack/solid-query-persist-client	5.100.10 → 5.100.11	Dependent
@tanstack/svelte-query	6.1.29 → 6.1.30	Dependent
@tanstack/svelte-query-devtools	6.1.29 → 6.1.30	Dependent
@tanstack/svelte-query-persist-client	6.1.29 → 6.1.30	Dependent

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​size-limit/​preset-small-lib@​12.1.0
	@​angular/​router@​20.3.21
	@​angular/​cli@​20.3.26
	@​angular/​platform-browser@​20.3.21
	@​angular/​animations@​20.3.21
	@​angular/​compiler-cli@​20.3.21
	@​angular/​forms@​20.3.21
	@​babel/​preset-env@​7.29.5
	@​angular/​build@​20.3.26
	react-native-gesture-handler@​2.31.2
	@​angular/​core@​20.3.21
	@​angular/​compiler@​20.3.21
	vitest@​4.1.6
	@​angular/​common@​20.3.21
	@​astrojs/​check@​0.9.9
	size-limit@​12.1.0
	publint@​0.3.21
	goober@​2.1.19
	tailwindcss@​4.3.0
	globals@​17.6.0
	svelte@​5.55.5
	@​tailwindcss/​vite@​4.3.0
	prettier@​3.8.3
	html-webpack-plugin@​5.6.7
	eslint-plugin-vue@​10.9.1
	prettier-plugin-svelte@​3.5.2
	lit@​3.3.3
	preact@​10.29.1
	msw@​2.14.6
	@​cspell/​eslint-plugin@​9.8.0
	svelte-check@​4.4.8
	knip@​6.13.1
	@​changesets/​cli@​2.31.0
See 5 more rows in the dashboard

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		High CVE: Axios: Header Injection via Prototype Pollution CVE: GHSA-6chq-wfr3-2hj9 Axios: Header Injection via Prototype Pollution (HIGH) Affected versions: >= 1.0.0 < 1.15.1; < 0.31.1 Patched version: 1.15.1 From: pnpm-lock.yaml → npm/nx@22.1.3 → npm/axios@1.15.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking CVE: GHSA-pf86-5x62-jrwf Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking (HIGH) Affected versions: >= 1.0.0 < 1.15.1; < 0.31.1 Patched version: 1.15.1 From: pnpm-lock.yaml → npm/nx@22.1.3 → npm/axios@1.15.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 CVE: GHSA-pmwg-cvhr-8vh7 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 (HIGH) Affected versions: >= 1.0.0 < 1.15.1; < 0.31.1 Patched version: 1.15.1 From: pnpm-lock.yaml → npm/nx@22.1.3 → npm/axios@1.15.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking CVE: GHSA-q8qp-cvcw-x6jj Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking (HIGH) Affected versions: >= 1.0.0 < 1.15.2 Patched version: 1.15.2 From: pnpm-lock.yaml → npm/nx@22.1.3 → npm/axios@1.15.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm svelte is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: examples/svelte/auto-refetching/package.json → npm/svelte@5.55.5 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/svelte@5.55.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report