Skip to content

fix(deps): update all non-major dependencies#475

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch
Open

fix(deps): update all non-major dependencies#475
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented May 22, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@hookform/resolvers (source) 5.2.25.4.0 age confidence
@storybook/addon-a11y (source) 10.4.010.4.6 age confidence
@storybook/addon-docs (source) 10.4.010.4.6 age confidence
@storybook/addon-links (source) 10.4.010.4.6 age confidence
@storybook/react-vite (source) 10.4.010.4.6 age confidence
@types/node (source) 24.12.424.13.2 age confidence
@types/react (source) 19.2.1519.2.17 age confidence
@vitest/coverage-v8 (source) 4.1.74.1.10 age confidence
axios (source) 1.16.01.18.1 age confidence
commitlint (source) 21.0.121.2.0 age confidence
i18next (source) 26.2.026.3.4 age confidence
lint-staged 17.0.517.0.8 age confidence
msw (source) 2.14.62.14.7 age confidence
prettier (source) 3.8.33.9.4 age confidence
react (source) 19.2.619.2.7 age confidence
react-dom (source) 19.2.619.2.7 age confidence
react-hook-form (source) 7.76.07.81.0 age confidence
react-router (source) 7.15.17.18.1 age confidence
sass-embedded 1.99.01.100.0 age confidence
storybook (source) 10.4.010.4.6 age confidence
stylelint (source) 17.12.017.14.0 age confidence
vitest (source) 4.1.74.1.10 age confidence

Release Notes

react-hook-form/resolvers (@​hookform/resolvers)

v5.4.0

Compare Source

Features
  • feat: add ata-validator resolver (#​845)
Fixes
  • fix issue with toNestErrors.ts (#​848)
  • add guidance on passing context to yupResolver (useForm context) (#​835) (3d29924)
storybookjs/storybook (@​storybook/addon-a11y)

v10.4.6

Compare Source

v10.4.5

Compare Source

v10.4.4

Compare Source

  • Telemetry: Add timeout to event-log POST to prevent build hang - #​35085, thanks @​badams!

v10.4.3

Compare Source

v10.4.2

Compare Source

v10.4.1

Compare Source

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.10

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v4.1.9

Compare Source

🐞 Bug Fixes
  • Fix importOriginal with optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in #​10546 (a5180)
  • browser:
    • Wait for orchestrator readiness before resolving browser sessions [backport to v4] - by Vladimir and Séamus O'Connor in #​10555 (7fb29)
    • Wait for iframe tester readiness before preparing [backport to v4] - by Vladimir and Séamus O'Connor in #​10497 and #​10556 (fbc62)
  • mocker:
    • Hoist vi.mock() for vite-plus/test imports [backport to v4] - by Hiroshi Ogawa, LongYinan, Claude Opus 4.8 and Vladimir in #​10548 (2c955)
  • pool:
    • Prevent test run hang on worker crash [backport to v4] - by Ari Perkkiö and Jattioui Ismail in #​10543 and #​10564 (934b0)
View changes on GitHub

v4.1.8

Compare Source

   🐞 Bug Fixes
    View changes on GitHub
axios/axios (axios)

v1.18.1

Compare Source

v1.18.1 — June 21, 2026

This release focuses on Node HTTP adapter fixes, safer AxiosError serialisation, runtime/type correctness fixes, documentation updates, and dependency maintenance.

🐛 Bug Fixes

  • AxiosError Serialisation: Made AxiosError#cause non-enumerable to prevent circular JSON serialisation failures when errors include nested causes. (#​10913)
  • Node HTTP Adapter: Guarded socket.setKeepAlive for proxy agent streams, accepted path-only URLs when socketPath is configured, deferred environment proxy handling to Node, and explicitly passed maxBodyLength through to follow-redirects. (#​10917, #​10930, #​10942, #​10993)
  • Runtime and Type Correctness: Fixed several runtime crashes, type definition mismatches, and incorrect error handling paths. (#​10959, #​11021)
  • AxiosURLSearchParams: Switched the encoder callback to an arrow function so encoder.call(this) receives the AxiosURLSearchParams instance correctly. (#​11019)

🔧 Maintenance & Chores

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.18.0

Compare Source

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

v1.17.0

Compare Source

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

v1.16.1

Compare Source

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

conventional-changelog/commitlint (commitlint)

v21.2.0

Compare Source

Note: Version bump only for package commitlint

v21.1.0

Compare Source

Note: Version bump only for package commitlint

21.0.2 (2026-05-29)

Note: Version bump only for package commitlint

21.0.1 (2026-05-12)

Note: Version bump only for package commitlint

v21.0.2

Compare Source

Note: Version bump only for package commitlint

i18next/i18next (i18next)

v26.3.4

Compare Source

  • fix(security): deepExtend (used by addResourceBundle(..., deep, overwrite)) no longer recurses into inherited properties. It checked key existence with the in operator, which walks the prototype chain, so a source key matching an inherited built-in (e.g. hasOwnProperty, toString) caused recursion into the shared Object.prototype function and, with overwrite: true, could overwrite e.g. Object.prototype.hasOwnProperty.call with a non-callable value — corrupting a shared built-in process-wide (DoS). Existence is now checked with Object.prototype.hasOwnProperty.call, so such keys are copied as plain own data instead. This complements the existing __proto__/constructor guard and is also strictly more correct for an own-property merge. Only affects applications that pass attacker-controlled data with deep: true and overwrite: true; no standard backend/integration does this. Distinct from CVE-2026-48713 / CVE-2026-48714 (different packages, setPath mechanism). See advisory GHSA-6jcc-5g8w-32mx, CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H). Thanks to zx (Jace) @​manus-use for the responsible disclosure.

v26.3.3

Compare Source

  • fix(types): selector t($ => $.arr, { returnObjects: true, context }) on a JSON array of heterogeneous objects now preserves each element's full shape (e.g. { transKey1: string; transKey2: string }[]) instead of collapsing to a union of partial element types. Two type-level causes: (1) FilterKeys evaluated the whole array element type at once, so keyof (A | B) only saw the keys common to every element — it now distributes over the object union and filters each element independently; (2) when TypeScript merges mismatched array element types it injects phantom optional undefined keys (e.g. transKey1_withContext?: undefined on elements that don't define it), which the context-detection helpers mistook for real context variants — they now skip keys typed as undefined. Also adds a dedicated context + returnObjects: true selector overload using const Fn + ReturnType<Fn>, so Target is no longer collapsed to unknown via ApplyTarget. Resolves Problem 1 of #​2398 (Problem 2 was already fixed on master). Thanks @​sauravgupta-dotcom (#​2438). Fixes #​2398.

v26.3.2

Compare Source

  • fix: chained formatters with a parenthesised option that contains the format separator (e.g. join(separator: ', ')) now work at any position in the chain, not just first. Previously the comma-in-parens reassembly only repaired formats[0], so {{v, uppercase, join(separator: ', ')}} split the join(...) option on the inner comma and never rejoined it, producing corrupt output. Replaced the first-position-only repair with a position-independent pass that re-joins fragments until each open paren closes. Thanks @​spokodev (#​2437).

v26.3.1

Compare Source

  • fix(types): t() with a keyPrefix no longer pollutes its return type with sibling keys' values. A regression in 26.3.0 — the [Res] extends [never] guards added to KeysBuilderWithReturnObjects / KeysBuilderWithoutReturnObjects turned the builders into deferred conditional types, so KeyPrefix<Ns> stopped resolving to a literal union and keyPrefix inference widened to the whole namespace. Symptom: useTranslation(ns, { keyPrefix: 'a.b' }) then t('title') would resolve to '<a.b>.title' | '<other.path>.title' | ... instead of just the scoped value. Affected every react-i18next user using keyPrefix. Restored to the eager 26.2.0 form. The same-namespace conflict handling from #​2434 still works via _DropConflictKeys at the merge layer (in options.d.ts). Thanks @​aaronrosenthal (#​2436).

v26.3.0

Compare Source

  • feat(types): introduce ResourceNamespaceMap — a separate mergeable augmentation surface for namespace resource types, designed for monorepos where multiple packages each want to contribute their own namespaces. Previously, every package had to coordinate on a single CustomTypeOptions.resources declaration (or fall back to typing dependency namespaces as any) because resources is a single property of an interface and TypeScript reports TS2717 when two declarations of the same property disagree. The new interface merges naturally across declare module 'i18next' blocks, so each package can ship its own i18next.d.ts independently. Per-property merge handles same-namespace contributions from multiple packages, and same-key/different-literal conflicts are silently dropped to avoid poisoning t() overload resolution. Fully backwards-compatible — existing CustomTypeOptions.resources augmentations continue to work, and both surfaces can coexist. Scalar options (defaultNS, returnNull, enableSelector, etc.) still belong on CustomTypeOptions. Thanks @​sh3xu (#​2434). Fixes #​2409.
lint-staged/lint-staged (lint-staged)

v17.0.8

Compare Source

Patch Changes
  • #​1809 179b437 - Fix lint-staged discarding the ongoing merge conflict status (.git/MERGE_HEAD) when using the --hide-unstaged or --hide-all options.

  • #​1811 3d0b2c0 - Fix issues with Git commands that are successful but also emit warnings to stderr, by ignoring the stderr output completely when the process exits with code 0. This was the behavior when using nano-spawn and execa, but when switching to tinyexec in 16.3.0 both stdout and stderr were used as interleaved output.

v17.0.7

Compare Source

Patch Changes

v17.0.6

Compare Source

Patch Changes
  • #​1803 bdf2770 - Run all tests with Deno, in addition to Node.js and Bun.

  • #​1796 7508272 - Fix performance regression of lint-staged v17 by going back to using git add to stage task modifications. This was changed to git update-index --again in v17 for less manual work, but unfortunately the update-index command gets slower in very large Git repos.

  • #​1797 7b2505a - This version of lint-staged uses the new staged publishing for npm packages feature. Releases are already published from GitHub Actions with trusted publishing, but now an additional approval with two-factor authentication is also required.

  • #​1802 321b0a9 - Downgrade dependency tinyexec@1.2.2 to avoid issues in version 1.2.3.

mswjs/msw (msw)

v2.14.7

Compare Source

v2.14.7 (2026-07-07)

Bug Fixes
prettier/prettier (prettier)

v3.9.4

Compare Source

v3.9.3

Compare Source

v3.9.2

Compare Source

v3.9.1

Compare Source

v3.9.0

Compare Source

diff

🔗 Release Notes

v3.8.5

Compare Source

v3.8.4

Compare Source

diff

Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (#​17746 by @​byplayer)

Prettier was removing blank lines between list items and their nested sub-lists, converting loose lists into tight lists and changing their semantic meaning.

<!-- Input -->
- a

  - b

- c

  - d

<!-- Prettier 3.8.3 -->
- a
  - b
- c
  - d

<!-- Prettier 3.8.4 -->
- a

  - b

- c

  - d
facebook/react (react)

v19.2.7: 19.2.7 (June 1st, 2026)

Compare Source

React Server Components
react-hook-form/react-hook-form (react-hook-form)

v7.81.0

Compare Source

v7.80.0: Version 7.80.0

Compare Source

🧄 feat: disable useFieldArray fields (#​13535)

const { fields } = useFieldArray({ disabled: true });
fields[0].disabled; // contains disabled props

🛺 perf: make rhf more performant (#​13524)
🐞 fix(deepEqual): empty array and empty plain object should not be equal (#​13533)

thanks to @​JSap0914

v7.79.0

Compare Source

Added
  • disabled option to useFieldArray
Fixed
  • Controller onChange promise return type
  • deepEqual false positives with shared object references
  • shouldUseNativeValidation behavior for radio groups
  • createFormControl stability with fast refresh in dev mode
  • StrictMode value preservation during remount
  • formState.errors reactivity with React compiler

v7.78.0

Compare Source

Fixed
  • Recover Controller fields after reset without rerender (RN issue #​13455)
  • useFormState().isDirty race with async resolver in onChange mode
  • Use reactive values prop over defaultValues when shouldUnregister is true
  • deepEqual for empty non-plain objects
Types
  • Update dirtyFields typing for field arrays with undefined entries

v7.77.0

Compare Source

Added
  • resetDefaultValues API
Fixed
  • Stale isDirty in subscribe payload after reset(..., { keepValues: true })
  • Preserve values with shouldUnregister
  • Inconsistent reset({}) behavior requiring double-call to take effect
  • FieldArray errors overriding nested fields
Security
  • Harden get() against prototype-path traversal (__proto__ / constructor / prototype)
Performance
  • Bundle size reduction

v7.76.1

Compare Source

Fixed
  • Revert notify all matching field-array roots on nested setValue updates
  • Revert treat NaN as empty when valueAsNumber is true in validateField
  • setValues pass options parameter through to enable validation
  • setValues emit whole-form change without stale name/type
Performance
  • setValues skip redundant per-field deep clones
  • setValues thread skipClone through setFieldValue
remix-run/react-router (react-router)

v7.18.1: v7.18.1

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/v7/CHANGELOG.md#v7181

v7.18.0

Compare Source

Patch Changes
  • Fix server handler prerender responses when using ssr: false and future.v8_trailingSlashAwareDataRequests: true. Avoids false positive "SPA Mode" detection when serving prerendered paths (#​15173)
  • Use the ServerRouter nonce for nonce-aware SSR components when they don't provide their own value so strict CSP pages can load them. (#​15170)
  • Use turbo-stream to serialize and deserialize Framework Mode hydration errors (#​15175)
  • Precompute route branch matchers to avoid recompiling route path regexes during matching (#​15186)
  • Use the constructed request URL host when validating action request origins. (#​15185)
  • Remove the un-documented custom error serialization logic from Data Mode SSR built-in hydration flows (#​15175)
  • Validate protocols in RSC render redirects (#​15177)
  • Consolidate url normalization logic and better handle mixed slashes (#​15176)

v7.17.0

Compare Source

Minor Changes
  • Ship a subset of the official documentation inside the react-router package (#​15121)

    • Markdown docs are now available in node_modules/react-router/docs, letting AI coding agents and the React Router agent skills read official docs locally
    • Excludes auto-generated API docs (api/), community/ content, and tutorials (tutorials/)

v7.16.0

Compare Source

Minor Changes
  • Stabilize future.unstable_trailingSlashAwareDataRequests as future.v8_trailingSlashAwareDataRequests (#​15098)
Patch Changes
  • Disable manifest path when lazy route dicovery is disabled (#​15068)

  • Fix browser URL creation to use the configured history window instead of the global window. (#​15066)

    • Pass the history/router window through to createBrowserURLImpl so custom window contexts keep the correct URL origin.
  • Fix useNavigation() return type to preserve discriminated union across navigation states (#​15095)

  • Widen MetaDescriptor script:ld+json type from LdJsonObject to LdJsonObject | LdJsonObject[] to permit multiple JSON-LD schemas in a single <script type="application/ld+json"> tag emitted by <Meta /> (#​15082)

sass/embedded-host-node (sass-embedded)

v1.100.0

Compare Source

  • Writing two compound selectors adjacent to one another without any whitespace
    between them, such as [class]a, is now deprecated. This was always an error
    in CSS and Sass only supported it by mistake.

    See the Sass website for
    details.

stylelint/stylelint (stylelint)

v17.14.0

Compare Source

It fixes 3 bugs, including a false negative one.

v17.13.0

Compare Source

It fixes 3 bugs, including a false negative one.

  • Fixed: declaration-block-no-duplicate-properties false negatives for interleaved non-consecutive duplicates with ignore: ["consecutive-duplicates(-*)"] (#​9324) (@​sarathfrancis90).
  • Fixed: selector-max-type false positives for nested selectors (#​9319) (@​romainmenke).
  • Fixed: selector-type-no-unknown false positives for install (#​9308) (@​Mouvedia).

Configuration

📅 Schedule: (in timezone Europe/Istanbul)

  • Branch creation
    • Between 07:00 AM and 09:59 AM, only on Monday (* 7-9 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner May 22, 2026 11:13
@changeset-bot

changeset-bot Bot commented May 22, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 0d0a4ee

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 8e017ed to 81efeac Compare May 29, 2026 10:37
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 4e0f495 to 86c2467 Compare May 31, 2026 13:53
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 6 times, most recently from 8ad3859 to 3fa07c8 Compare June 13, 2026 04:51
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from 31731c1 to 0e33467 Compare June 20, 2026 22:26
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 11 times, most recently from 767e25a to 4cbb086 Compare June 30, 2026 12:02
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 0b31c06 to 49ac7e9 Compare July 6, 2026 08:45
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 49ac7e9 to 0d0a4ee Compare July 7, 2026 19:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants