fix(deps): update all non-major dependencies#475
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
|
8e017ed to
81efeac
Compare
4e0f495 to
86c2467
Compare
8ad3859 to
3fa07c8
Compare
31731c1 to
0e33467
Compare
767e25a to
4cbb086
Compare
0b31c06 to
49ac7e9
Compare
49ac7e9 to
0d0a4ee
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.2.2→5.4.010.4.0→10.4.610.4.0→10.4.610.4.0→10.4.610.4.0→10.4.624.12.4→24.13.219.2.15→19.2.174.1.7→4.1.101.16.0→1.18.121.0.1→21.2.026.2.0→26.3.417.0.5→17.0.82.14.6→2.14.73.8.3→3.9.419.2.6→19.2.719.2.6→19.2.77.76.0→7.81.07.15.1→7.18.11.99.0→1.100.010.4.0→10.4.617.12.0→17.14.04.1.7→4.1.10Release Notes
react-hook-form/resolvers (@hookform/resolvers)
v5.4.0Compare Source
Features
Fixes
yupResolver(useForm context) (#835) (3d29924)storybookjs/storybook (@storybook/addon-a11y)
v10.4.6Compare Source
v10.4.5Compare Source
v10.4.4Compare Source
v10.4.3Compare Source
v10.4.2Compare Source
v10.4.1Compare Source
npx expo install --fixafter init for Expo projects - #34803, thanks @ndelangen!peerDependenciesin framework detection for component libraries - #34516, thanks @zhyd1997!vitest-dev/vitest (@vitest/coverage-v8)
v4.1.10Compare Source
🐞 Bug Fixes
View changes on GitHub
v4.1.9Compare Source
🐞 Bug Fixes
importOriginalwith optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in #10546 (a5180)View changes on GitHub
v4.1.8Compare Source
🐞 Bug Fixes
cdpAPI whenallowWrite/allowExec: false[backport to v4] - by @hi-ogawa and Codex in #10450 (e4067)View changes on GitHub
axios/axios (axios)
v1.18.1Compare Source
v1.18.1 — June 21, 2026
This release focuses on Node HTTP adapter fixes, safer AxiosError serialisation, runtime/type correctness fixes, documentation updates, and dependency maintenance.
🐛 Bug Fixes
encoder.call(this)receives theAxiosURLSearchParamsinstance correctly. (#11019)🔧 Maintenance & Chores
Documentation: Documented sensitive headers and status transition behaviour, prepared cleaned-up docs, added Deno install instructions, and clarified that request data is request-specific (#11007, #11010, #11023, #11025)
Dependencies: Bumped vite, rollup, form-data, js-yaml, and multer across the root project, docs, smoke tests, and module test workspaces. (#11011, #11012, #11013, #11014, #11015, #11016, #11017, #11026)
🌟 New Contributors
We are thrilled to welcome our new contributors. Thank you for helping improve axios:
Full Changelog
v1.18.0Compare Source
This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.
v1.17.0Compare Source
This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.
v1.16.1Compare Source
This release ships a defence-in-depth fix for prototype pollution in
formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.conventional-changelog/commitlint (commitlint)
v21.2.0Compare Source
Note: Version bump only for package commitlint
v21.1.0Compare Source
Note: Version bump only for package commitlint
21.0.2 (2026-05-29)
Note: Version bump only for package commitlint
21.0.1 (2026-05-12)
Note: Version bump only for package commitlint
v21.0.2Compare Source
Note: Version bump only for package commitlint
i18next/i18next (i18next)
v26.3.4Compare Source
deepExtend(used byaddResourceBundle(..., deep, overwrite)) no longer recurses into inherited properties. It checked key existence with theinoperator, which walks the prototype chain, so a source key matching an inherited built-in (e.g.hasOwnProperty,toString) caused recursion into the sharedObject.prototypefunction and, withoverwrite: true, could overwrite e.g.Object.prototype.hasOwnProperty.callwith a non-callable value — corrupting a shared built-in process-wide (DoS). Existence is now checked withObject.prototype.hasOwnProperty.call, so such keys are copied as plain own data instead. This complements the existing__proto__/constructorguard and is also strictly more correct for an own-property merge. Only affects applications that pass attacker-controlled data withdeep: trueandoverwrite: true; no standard backend/integration does this. Distinct from CVE-2026-48713 / CVE-2026-48714 (different packages,setPathmechanism). See advisory GHSA-6jcc-5g8w-32mx, CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H). Thanks to zx (Jace) @manus-use for the responsible disclosure.v26.3.3Compare Source
t($ => $.arr, { returnObjects: true, context })on a JSON array of heterogeneous objects now preserves each element's full shape (e.g.{ transKey1: string; transKey2: string }[]) instead of collapsing to a union of partial element types. Two type-level causes: (1)FilterKeysevaluated the whole array element type at once, sokeyof (A | B)only saw the keys common to every element — it now distributes over the object union and filters each element independently; (2) when TypeScript merges mismatched array element types it injects phantom optionalundefinedkeys (e.g.transKey1_withContext?: undefinedon elements that don't define it), which the context-detection helpers mistook for real context variants — they now skip keys typed asundefined. Also adds a dedicatedcontext+returnObjects: trueselector overload usingconst Fn+ReturnType<Fn>, soTargetis no longer collapsed tounknownviaApplyTarget. Resolves Problem 1 of #2398 (Problem 2 was already fixed on master). Thanks @sauravgupta-dotcom (#2438). Fixes #2398.v26.3.2Compare Source
join(separator: ', ')) now work at any position in the chain, not just first. Previously the comma-in-parens reassembly only repairedformats[0], so{{v, uppercase, join(separator: ', ')}}split thejoin(...)option on the inner comma and never rejoined it, producing corrupt output. Replaced the first-position-only repair with a position-independent pass that re-joins fragments until each open paren closes. Thanks @spokodev (#2437).v26.3.1Compare Source
t()with akeyPrefixno longer pollutes its return type with sibling keys' values. A regression in 26.3.0 — the[Res] extends [never]guards added toKeysBuilderWithReturnObjects/KeysBuilderWithoutReturnObjectsturned the builders into deferred conditional types, soKeyPrefix<Ns>stopped resolving to a literal union andkeyPrefixinference widened to the whole namespace. Symptom:useTranslation(ns, { keyPrefix: 'a.b' })thent('title')would resolve to'<a.b>.title' | '<other.path>.title' | ...instead of just the scoped value. Affected everyreact-i18nextuser usingkeyPrefix. Restored to the eager 26.2.0 form. The same-namespace conflict handling from #2434 still works via_DropConflictKeysat the merge layer (inoptions.d.ts). Thanks @aaronrosenthal (#2436).v26.3.0Compare Source
ResourceNamespaceMap— a separate mergeable augmentation surface for namespace resource types, designed for monorepos where multiple packages each want to contribute their own namespaces. Previously, every package had to coordinate on a singleCustomTypeOptions.resourcesdeclaration (or fall back to typing dependency namespaces asany) becauseresourcesis a single property of an interface and TypeScript reports TS2717 when two declarations of the same property disagree. The new interface merges naturally acrossdeclare module 'i18next'blocks, so each package can ship its owni18next.d.tsindependently. Per-property merge handles same-namespace contributions from multiple packages, and same-key/different-literal conflicts are silently dropped to avoid poisoningt()overload resolution. Fully backwards-compatible — existingCustomTypeOptions.resourcesaugmentations continue to work, and both surfaces can coexist. Scalar options (defaultNS,returnNull,enableSelector, etc.) still belong onCustomTypeOptions. Thanks @sh3xu (#2434). Fixes #2409.lint-staged/lint-staged (lint-staged)
v17.0.8Compare Source
Patch Changes
#1809
179b437- Fix lint-staged discarding the ongoing merge conflict status (.git/MERGE_HEAD) when using the--hide-unstagedor--hide-alloptions.#1811
3d0b2c0- Fix issues with Git commands that are successful but also emit warnings tostderr, by ignoring thestderroutput completely when the process exits with code 0. This was the behavior when usingnano-spawnandexeca, but when switching totinyexecin 16.3.0 bothstdoutandstderrwere used as interleaved output.v17.0.7Compare Source
Patch Changes
e692e58- Update dependencytinyexec@^1.2.4.v17.0.6Compare Source
Patch Changes
#1803
bdf2770- Run all tests with Deno, in addition to Node.js and Bun.#1796
7508272- Fix performance regression of lint-staged v17 by going back to usinggit addto stage task modifications. This was changed togit update-index --againin v17 for less manual work, but unfortunately theupdate-indexcommand gets slower in very large Git repos.#1797
7b2505a- This version of lint-staged uses the new staged publishing for npm packages feature. Releases are already published from GitHub Actions with trusted publishing, but now an additional approval with two-factor authentication is also required.#1802
321b0a9- Downgrade dependencytinyexec@1.2.2to avoid issues in version 1.2.3.mswjs/msw (msw)
v2.14.7Compare Source
v2.14.7 (2026-07-07)
Bug Fixes
5c0ae1c) @kettanaitoprettier/prettier (prettier)
v3.9.4Compare Source
v3.9.3Compare Source
v3.9.2Compare Source
v3.9.1Compare Source
v3.9.0Compare Source
diff
🔗 Release Notes
v3.8.5Compare Source
v3.8.4Compare Source
diff
Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (#17746 by @byplayer)
Prettier was removing blank lines between list items and their nested sub-lists, converting loose lists into tight lists and changing their semantic meaning.
facebook/react (react)
v19.2.7: 19.2.7 (June 1st, 2026)Compare Source
React Server Components
FormDataentries in Server Actions which regressed in 19.2.6(#36566 by @unstubbable)
react-hook-form/react-hook-form (react-hook-form)
v7.81.0Compare Source
v7.80.0: Version 7.80.0Compare Source
🧄 feat: disable useFieldArray fields (#13535)
🛺 perf: make rhf more performant (#13524)
🐞 fix(deepEqual): empty array and empty plain object should not be equal (#13533)
thanks to @JSap0914
v7.79.0Compare Source
Added
disabledoption touseFieldArrayFixed
ControlleronChangepromise return typedeepEqualfalse positives with shared object referencesshouldUseNativeValidationbehavior for radio groupscreateFormControlstability with fast refresh in dev modeStrictModevalue preservation during remountformState.errorsreactivity with React compilerv7.78.0Compare Source
Fixed
Controllerfields afterresetwithout rerender (RN issue #13455)useFormState().isDirtyrace with async resolver inonChangemodevaluesprop overdefaultValueswhenshouldUnregisteris truedeepEqualfor empty non-plain objectsTypes
dirtyFieldstyping for field arrays with undefined entriesv7.77.0Compare Source
Added
resetDefaultValuesAPIFixed
isDirtyinsubscribepayload afterreset(..., { keepValues: true })shouldUnregisterreset({})behavior requiring double-call to take effectFieldArrayerrors overriding nested fieldsSecurity
get()against prototype-path traversal (__proto__/constructor/prototype)Performance
v7.76.1Compare Source
Fixed
setValueupdatesNaNas empty whenvalueAsNumberistrueinvalidateFieldsetValuespassoptionsparameter through to enable validationsetValuesemit whole-form change without stalename/typePerformance
setValuesskip redundant per-field deep clonessetValuesthreadskipClonethroughsetFieldValueremix-run/react-router (react-router)
v7.18.1: v7.18.1Compare Source
See the changelog for release notes: https://github.com/remix-run/react-router/blob/v7/CHANGELOG.md#v7181
v7.18.0Compare Source
Patch Changes
ssr: falseandfuture.v8_trailingSlashAwareDataRequests: true. Avoids false positive "SPA Mode" detection when serving prerendered paths (#15173)ServerRouternonce for nonce-aware SSR components when they don't provide their own value so strict CSP pages can load them. (#15170)turbo-streamto serialize and deserialize Framework Mode hydration errors (#15175)v7.17.0Compare Source
Minor Changes
Ship a subset of the official documentation inside the
react-routerpackage (#15121)node_modules/react-router/docs, letting AI coding agents and the React Router agent skills read official docs locallyapi/),community/content, and tutorials (tutorials/)v7.16.0Compare Source
Minor Changes
future.unstable_trailingSlashAwareDataRequestsasfuture.v8_trailingSlashAwareDataRequests(#15098)Patch Changes
Disable manifest path when lazy route dicovery is disabled (#15068)
Fix browser URL creation to use the configured history window instead of the global window. (#15066)
createBrowserURLImplso custom window contexts keep the correct URL origin.Fix
useNavigation()return type to preserve discriminated union across navigation states (#15095)Widen
MetaDescriptorscript:ld+jsontype fromLdJsonObjecttoLdJsonObject | LdJsonObject[]to permit multiple JSON-LD schemas in a single<script type="application/ld+json">tag emitted by<Meta />(#15082)sass/embedded-host-node (sass-embedded)
v1.100.0Compare Source
Writing two compound selectors adjacent to one another without any whitespace
between them, such as
[class]a, is now deprecated. This was always an errorin CSS and Sass only supported it by mistake.
See the Sass website for
details.
stylelint/stylelint (stylelint)
v17.14.0Compare Source
It fixes 3 bugs, including a false negative one.
TIMINGonly on use (#9356) (@jeddy3).function-calc-no-unspaced-operatorfalse negatives for unspaced+and-operators following a*or/operator (#9357) (@sarathfrancis90).v17.13.0Compare Source
It fixes 3 bugs, including a false negative one.
declaration-block-no-duplicate-propertiesfalse negatives for interleaved non-consecutive duplicates withignore: ["consecutive-duplicates(-*)"](#9324) (@sarathfrancis90).selector-max-typefalse positives for nested selectors (#9319) (@romainmenke).selector-type-no-unknownfalse positives forinstall(#9308) (@Mouvedia).Configuration
📅 Schedule: (in timezone Europe/Istanbul)
* 7-9 * * 1)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.