chore(deps): update all by renovate[bot] · Pull Request #11 · LuminescentDev/ui

renovate · 2024-05-09T19:15:10Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Type	Update
@builder.io/qwik (source)	`1.18.0` → `1.20.0`	devDependencies	minor
@builder.io/qwik (source)	`1.19.1` → `1.20.0`	devDependencies	minor
@builder.io/qwik-city (source)	`1.18.0` → `1.20.0`	devDependencies	minor
@builder.io/qwik-city (source)	`1.19.1` → `1.20.0`	devDependencies	minor
@cloudflare/workers-types	`4.20260310.1` → `4.20260601.1`	devDependencies	minor
@types/node (source)	`25.0.3` → `25.9.1`	devDependencies	minor
@types/node (source)	`25.4.0` → `25.9.1`	devDependencies	minor
@vitejs/plugin-react (source)	`5.1.2` → `5.2.0`	devDependencies	minor
dotenv	`17.2.3` → `17.4.2`	devDependencies	minor
eslint-plugin-qwik (source)	`1.18.0` → `1.20.0`	devDependencies	minor
eslint-plugin-qwik (source)	`1.19.1` → `1.20.0`	devDependencies	minor
eslint-plugin-react-refresh	`^0.4.26` → `^0.5.0`	devDependencies	minor
globals	`17.4.0` → `17.6.0`	devDependencies	minor
node (source)	`23.11.0` → `23.11.1`		patch
pnpm (source)	`10.26.1` → `10.34.1`	packageManager	minor
pnpm (source)	`10.32.0` → `10.34.1`	packageManager	minor
prettier (source)	`3.7.4` → `3.8.3`	devDependencies	minor
prettier (source)	`3.8.1` → `3.8.3`	devDependencies	patch
prettier-plugin-tailwindcss	`^0.7.2` → `^0.8.0`	devDependencies	minor
tsx (source)	`4.21.0` → `4.22.4`	devDependencies	minor
undici (source)	`7.22.0` → `7.26.0`	devDependencies	minor
vite (source)	`7.3.0` → `7.3.3`	devDependencies	patch
vite (source)	`5.4.14` → `5.4.21`	devDependencies	patch
vite-tsconfig-paths	`6.0.3` → `6.1.1`	devDependencies	minor
wrangler (source)	`4.71.0` → `4.95.0`	devDependencies	minor

Release Notes

QwikDev/qwik (@builder.io/qwik)

`v1.20.0`

Compare Source

`v1.19.2`

Compare Source

Patch Changes

🐞🩹 type casts to bridge Rollup vs Rolldown type differences without changing runtime behavior (by @gioboa in #8405)

`v1.19.1`

Compare Source

Patch Changes

🐞🩹 support Deno as package manager for production builds. The Vite plugin now recognizes Deno as a Node-compatible runtime for manifest passing, and SSG delegates to the Node implementation instead of stubbing out. (by @ianlet in #8385)
🐞🩹 the optimizer was not using the binary builds (by @wmertens in #8360)
🐞🩹 resolve 404 error for virtual CSS modules during dev SSR (by @jantimon in #8351)

`v1.19.0`

Compare Source

Minor Changes

✨ untrack() now accepts signals and stores directly, as well as accepting arguments when you pass a function. This makes retrieving values without subscribing to them more efficient. (by @wmertens in #8247)

Patch Changes

🐞🩹 we now prevent merging useVisibleTask$ code together with other segments to prevent overpreloading when their entry contains a lot of transitive imports. (by @maiieul in #8275)
🐞🩹 duplicated preload bundles in SSR preload (by @chebanenko in #8248)
⚡️: the core.js and preloader.js references in q-manifest and bundle-graph are now filtered out for smaller outputs. (by @maiieul in #8278)

QwikDev/qwik (@builder.io/qwik-city)

`v1.20.0`

Compare Source

Minor Changes

🐞🩹 The server plugins were not actually sorted and were relying on directory traversal order. Now they are explicitly sorted by ascending name. (by @wmertens in #8568)

Patch Changes

🐞🩹 include route bundles when their matching origin is not the first manifest origin (by @Varixo in #8455)
🐞🩹 Bun and Deno request URL normalization to prevent protocol-relative paths from overriding the configured origin (by @Varixo in #8463)
✨ getRequestEvent() provides the current request event; used in the starter templates for providing better diagnostics in uncaught exceptions (by @wmertens in #8655)

`v1.19.2`

Compare Source

Patch Changes

🐞🩹 When a form POST is done, keys like "name.1" mean it's an array. However, later keys could be strings like "name.value". Now, we check if all the keys are numbers, otherwise we make an object instead of an array. This allows for more correct form data handling. (by @wmertens in #8424)
🐞🩹 handle special characters in dynamic route (by @gioboa in #8400)

`v1.19.1`

Compare Source

Patch Changes

🐞🩹 support Deno as package manager for production builds. The Vite plugin now recognizes Deno as a Node-compatible runtime for manifest passing, and SSG delegates to the Node implementation instead of stubbing out. (by @ianlet in #8385)
🐞🩹 Link hash change now properly updates location.url.hash (by @maiieul in #8305)

`v1.19.0`

Compare Source

Minor Changes

✨ allow mocking route loaders & actions in QwikCityMockProvider (by @alexismch in #8102)

Patch Changes

🐞🩹 qwik-city spa routeStateInternal and routeLocation url origins mismatch (by @maiieul in #8234)
feat(qwik-city): add getOrigin option to QwikCityBunOptions and QwikCityDenoOptions for improved URL handling (by @JerryWu1234 in #8251)
Make RequestEvents readonly instead of frozen (by @DustinJSilk in #8135)

cloudflare/workerd (@cloudflare/workers-types)

vitejs/vite-plugin-react (@vitejs/plugin-react)

`v5.2.0`

Compare Source

`v5.1.4`

Compare Source

Fix `canSkipBabel` not accounting for `babel.overrides` (#1098)

When configuring babel.overrides without top-level plugins or presets, Babel was incorrectly skipped. The canSkipBabel function now checks for overrides.length to ensure override configurations are processed.

`v5.1.3`

Compare Source

motdotla/dotenv (dotenv)

`v17.4.2`

Compare Source

`v17.4.1`

Compare Source

`v17.4.0`

Compare Source

`v17.3.1`

Compare Source

Changed

Fix as2 example command in README and update spanish README

`v17.3.0`

Compare Source

Added

Add a new README section on dotenv’s approach to the agentic future.

Changed

Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.

`v17.2.4`

Compare Source

Changed

Make DotenvPopulateInput accept NodeJS.ProcessEnv type (#915)

Give back to dotenv by checking out my newest project vestauth. It is auth for agents. Thank you for using my software.

QwikDev/qwik (eslint-plugin-qwik)

`v1.20.0`

Compare Source

`v1.19.2`

Compare Source

`v1.19.1`

Compare Source

Patch Changes

Support ESLint v10 (by @azat-io in #8395)

`v1.19.0`

Compare Source

ArnaudBarre/eslint-plugin-react-refresh (eslint-plugin-react-refresh)

`v0.5.2`

Compare Source

Support nested function calls for extraHOCs (actually fixes #104)

`v0.5.1`

Compare Source

Mark ESLint v10 as supported
Support false positives with TypeScript function overloading (fixes #105)
Support nested function calls for extraHOCs (fixes #104)

`v0.5.0`

Compare Source

Breaking changes

The package now ships as ESM and requires ESLint 9 + node 20. Because legacy config doesn't support ESM, this requires to use flat config
A new reactRefresh export is available and prefered over the default export. It's an object with two properties:
- plugin: The plugin object with the rules
- configs: An object containing configuration presets, each exposed as a function. These functions accept your custom options, merge them with sensible defaults for that config, and return the final config object.
customHOCs option was renamed to extraHOCs
Validation of HOCs calls is now more strict, you may need to add some HOCs to the extraHOCs option

Config example:

import { defineConfig } from "eslint/config";
import { reactRefresh } from "eslint-plugin-react-refresh";

export default defineConfig(
  /* Main config */
  reactRefresh.configs.vite({ extraHOCs: ["someLibHOC"] }),
);

Config example without config:

import { defineConfig } from "eslint/config";
import { reactRefresh } from "eslint-plugin-react-refresh";

export default defineConfig({
  files: ["**/*.ts", "**/*.tsx"],
  plugins: {
    // other plugins
    "react-refresh": reactRefresh.plugin,
  },
  rules: {
    // other rules
    "react-refresh/only-export-components": [
      "warn",
      { extraHOCs: ["someLibHOC"] },
    ],
  },
});

Why

This version follows a revamp of the internal logic to better make the difference between random call expressions like export const Enum = Object.keys(Record) and actual React HOC calls like export const MemoComponent = memo(Component). (fixes #93)

The rule now handles ternaries and patterns like export default customHOC(props)(Component) which makes it able to correctly support files like this one given this config:

{
  "react-refresh/only-export-components": [
    "warn",
    { "extraHOCs": ["createRootRouteWithContext"] }
  ]
}

[!NOTE]
Actually createRoute functions from TanStack Router are not React HOCs, they return route objects that fake to be a memoized component but are not. When only doing createRootRoute({ component: Foo }), HMR will work fine, but as soon as you add a prop to the options that is not a React component, HMR will not work. I would recommend to avoid adding any TanStack function to extraHOCs it you want to preserve good HMR in the long term. Bluesky thread.

Because I'm not 100% sure this new logic doesn't introduce any false positive, this is done in a major-like version. This also give me the occasion to remove the hardcoded connect from the rule. If you are using connect from react-redux, you should now add it to extraHOCs like this:

{
  "react-refresh/only-export-components": ["warn", { "extraHOCs": ["connect"] }]
}

sindresorhus/globals (globals)

`v17.6.0`

Compare Source

`v17.5.0`

Compare Source

nodejs/node (node)

`v23.11.1`: 2025-05-14, Version 23.11.1 (Current), @RafaelGSS

Compare Source

This is a security release.

Notable Changes

src:

(CVE-2025-23166) fix error handling on async crypto operation

Commits

[a271810ce2] - deps: update c-ares to v1.34.5 (Node.js GitHub Bot) #57792
[a12107f0dd] - (CVE-2025-23166) src: fix error handling on async crypto operations (RafaelGSS) nodejs-private/node-private#688

pnpm/pnpm (pnpm)

`v10.34.1`: pnpm 10.34.1

Compare Source

Patch Changes

Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Gold Sponsors

`v10.34.0`: pnpm 10.34

Compare Source

Minor Changes

Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.

pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.

The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.

--force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

Patch Changes

Pin unscoped per-registry settings (_authToken, _auth, username/_password, tokenHelper, inline cert/key) to the registry declared in the same config source at load time, so a later layer overriding registry= (workspace .npmrc, pnpm-workspace.yaml, CLI --registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.
Fixed minimumReleaseAge handling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-version time field) by default, which made the maturity check throw ERR_PNPM_MISSING_TIME whenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch when minimumReleaseAge is active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and lets ERR_PNPM_MISSING_TIME from the cache fast-path fall through to the network fetch even under strict mode.
Reject git resolutions whose commit field is not a 40-character hexadecimal SHA before invoking git. A malicious lockfile could otherwise

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

cloudflare-workers-and-pages · 2024-05-09T19:16:09Z

Deploying ui with Cloudflare Pages

Latest commit:	`0cd622d`
Status:	🚫 Build failed.

View logs

cloudflare-workers-and-pages · 2025-02-21T01:34:08Z

Deploying ui with Cloudflare Pages

Latest commit:	`117f928`
Status:	🚫 Build failed.

View logs

renovate Bot changed the title ~~Update dependency wrangler to v3.55.0~~ Update All May 10, 2024

renovate Bot force-pushed the renovate/all branch 4 times, most recently from 78adf2b to b3c5105 Compare May 17, 2024 14:46

renovate Bot force-pushed the renovate/all branch 5 times, most recently from a8dd0f0 to 8477199 Compare May 27, 2024 11:39

renovate Bot force-pushed the renovate/all branch 10 times, most recently from 36f842f to b307c97 Compare June 4, 2024 11:33

renovate Bot force-pushed the renovate/all branch 9 times, most recently from 934c82b to 12c69c6 Compare June 10, 2024 22:42

renovate Bot force-pushed the renovate/all branch 10 times, most recently from 3fd6417 to 1772174 Compare June 22, 2024 11:49

renovate Bot force-pushed the renovate/all branch 6 times, most recently from 99d58f0 to 6eb947a Compare June 29, 2024 19:12

renovate Bot force-pushed the renovate/all branch 12 times, most recently from 8353ffd to 6c49ee5 Compare July 9, 2024 22:51

chore(deps): update all

0cd622d

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update all#11

chore(deps): update all#11
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all

renovate Bot commented May 9, 2024 •

edited

Loading

Uh oh!

cloudflare-workers-and-pages Bot commented May 9, 2024 •

edited

Loading

Uh oh!

cloudflare-workers-and-pages Bot commented Feb 21, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented May 9, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Patch Changes

Patch Changes

Minor Changes

Patch Changes

Minor Changes

Patch Changes

Patch Changes

Patch Changes

Minor Changes

Patch Changes

Fix canSkipBabel not accounting for babel.overrides (#​1098)

Changed

Added

Changed

Changed

Patch Changes

Breaking changes

Why

v23.11.1: 2025-05-14, Version 23.11.1 (Current), @​RafaelGSS

Notable Changes

Commits

v10.34.1: pnpm 10.34.1

Patch Changes

Platinum Sponsors

Gold Sponsors

v10.34.0: pnpm 10.34

Minor Changes

Patch Changes

Configuration

Uh oh!

cloudflare-workers-and-pages Bot commented May 9, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Deploying ui with Cloudflare Pages

Uh oh!

cloudflare-workers-and-pages Bot commented Feb 21, 2025

Deploying ui with Cloudflare Pages

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented May 9, 2024 •

edited

Loading

Fix `canSkipBabel` not accounting for `babel.overrides` (#1098)

`v23.11.1`: 2025-05-14, Version 23.11.1 (Current), @RafaelGSS

`v10.34.1`: pnpm 10.34.1

`v10.34.0`: pnpm 10.34

cloudflare-workers-and-pages Bot commented May 9, 2024 •

edited

Loading