chore(deps): bump unhead from 1.11.20 to 3.1.0 (via audit fix)

[dependabot]

Bumps unhead from 1.11.20 to 3.1.0.

Release notes

Sourced from unhead's releases.

v3.1.0

🛠️ Unhead CLI

To assist with migrations and overall DX a CLI has been introduced: @unhead/cli.

npx -y @unhead/cli 

It lets you do the following:

          audit    Lint your codebase for unhead misuse, type-narrowing issues, and SEO/perf foot-guns.                      
        migrate    Apply autofixes for v2-to-v3 migration: rewrite deprecated props and wrap tag literals in defineX helpers.
  validate-html    Run the runtime ValidatePlugin over prerendered HTML files (e.g. dist/, .output/, build/).                
   validate-url    Fetch a rendered URL and run unhead\'s SEO/perf validation rules over its <head>.         

For example, try running audit on your own project for hints on how to improve your SEO.

✔️ Unhead ESLint

Knowing that your useHead() and useSeoMeta() code is right while your coding is important. While type-narrowing solves many broken cases, we introduce an ESLint plugin to help catch anything that the typechecker can't catch.

These rules are shared from the runtime ValidatePlugin

# flat-config ESLint plugin with v2→v3 migration autofixes
npm i -D @unhead/eslint-plugin

```ts [eslint.config.ts]
import { configs } from '@unhead/eslint-plugin'
export default [
configs.recommended,
]

🌊 Streaming SSR non-Vite support

The streaming plugin lived only at unhead/stream/vite previously, leaving non-Vite users with no way to wire the bootstrap. The plugin is now a bundler-agnostic unplugin factory with first-class webpack and Vite entries, and the framework packages compose it behind Unhead({ streaming: true }).

// vite.config.ts
import { Unhead } from '@unhead/vue/vite'
export default { plugins: [vue(), Unhead({ streaming: true })] }
</tr></table>

... (truncated)

Commits

• 914d05e chore: release v3.1.0
• 35100fe refactor: extract shared predicates, swap CLI to oxc-walker (#757)
• 9e30013 feat(cli,eslint-plugin): add @​unhead/cli and @​unhead/eslint-plugin (#755)
• 5257d27 refactor(bundler): unify per-bundler entries into bundler factory (#754)
• 3ed063c feat(stream): webpack plugin + bundler-agnostic factory (#751)
• 40f777b fix(vue): batch streamed head updates via self-deleting inline scripts (#752)
• ea54e36 chore: release v3.0.5
• afdf925 chore: remove unused dependencies and exports (#746)
• af54923 fix(types): export new link rel types from #744 (#745)
• be43a70 chore: release v3.0.4
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for unhead since your current version.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	hash-sum@​2.0.0
	installed-check@​10.0.1
	jiti@​2.7.0
	hookable@​5.5.3

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm ioredis is 96.0% likely obfuscated Confidence: 0.96 Location: Package overview From: pnpm-lock.yaml → npm/ioredis@5.10.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ioredis@5.10.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report