chore(deps): update all-dependencies#36
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
renovate
Bot
force-pushed
the
renovate/all-dependencies
branch
3 times, most recently
from
0fa4fa5 to
e042f37
Compare
renovate
Bot
force-pushed
the
renovate/all-dependencies
branch
5 times, most recently
from
87fd0be to
facab4e
Compare
renovate
Bot
force-pushed
the
renovate/all-dependencies
branch
3 times, most recently
from
282b4f7 to
e5208a9
Compare
renovate
Bot
force-pushed
the
renovate/all-dependencies
branch
3 times, most recently
from
14b638a to
53c8296
Compare
renovate
Bot
force-pushed
the
renovate/all-dependencies
branch
5 times, most recently
from
adc448c to
62746ed
Compare
renovate
Bot
force-pushed
the
renovate/all-dependencies
branch
2 times, most recently
from
7e8d4aa to
3cbe820
Compare
renovate
Bot
force-pushed
the
renovate/all-dependencies
branch
2 times, most recently
from
c3264b4 to
2d5d698
Compare
renovate
Bot
force-pushed
the
renovate/all-dependencies
branch
from
2d5d698 to
f437385
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
59855d3→4d889c11.26.1→1.26.31.26.41.6.1→1.7.125.8.1→25.9.03.8.0→3.10.110.32.1→10.34.1v3.10.0→v3.12.04.52.4→4.53.2Release Notes
golang/go (go)
v1.26.3Compare Source
v1.26.2Compare Source
nodejs/node (node)
v25.9.0: 2026-04-01, Version 25.9.0 (Current), @aduh95Compare Source
Notable Changes
Test runner module mocking improvements
MockModuleOptions.defaultExportandMockModuleOptions.namedExportshave beenconsolidated into a single option
MockModuleOptions.exportsto align with userexpectations and other test runners.
A
defaultproperty onMockModuleOptions.exportsrepresents the defaultexport, and own enumerable properties are treated as named exports.
An automated migration is available to update user code:
https://github.com/nodejs/userland-migrations/tree/main/recipes/mock-module-exports
Contributed by sangwook in #61727.
Other notable changes
312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes toAsyncLocalStorage(Stephen Belanger) #6167462d2cd473b] - (SEMVER-MINOR) cli: add--max-heap-sizeoption (tannal) #58708d0ebf0e44b] - (SEMVER-MINOR) crypto: addTurboSHAKEandKangarooTwelveWeb Cryptography algorithms (Filip Skokan) #62183f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #6218867b854d407] - (SEMVER-MINOR) repl: remove dependency onnode:domain(Matteo Collina) #61227966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #62158e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #62066Commits
312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #61674bfff8cb2ab] - (SEMVER-MINOR) benchmark: add benchmarks for experimental stream/iter (James M Snell) #62066c721d68502] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #62084e2f03c8e92] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #618712fcd07f1ba] - build: support empty libname flags inconfigure.py(Antoine du Hamel) #62477b800c57fce] - build: fix timezone-update path references (Chengzhong Wu) #622807dc5a1e9b4] - build: skip dockit on IBMi (SRAVANI GUNDEPALLI) #62189f0eea0f905] - build: fix --node-builtin-modules-path (Filip Skokan) #6211562d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708ac4b485698] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #62485d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #621833009980d9d] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #62254f5725ca81d] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #62218f69ed4bc3f] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #618754d96e53570] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #6216993d77719e8] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #621703d2e23a981] - deps: update ada to 3.4.4 (Node.js GitHub Bot) #62414176d6d2205] - deps: update timezone to 2026a (Node.js GitHub Bot) #6216495c7fc67ba] - deps: update googletest to2461743(Node.js GitHub Bot) #62484e5e9f2044a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #62382905b94266a] - deps: update ngtcp2 to 1.21.0 (Node.js GitHub Bot) #62051180c150122] - deps: V8: cherry-pickcf1bce4(Richard Lau) #62449bc265aa003] - deps: upgrade npm to 11.12.1 (npm team) #62448f1b28612c4] - deps: V8: cherry-pickb25cd62(Yagiz Nizipli) #62354757719d2af] - deps: disable rust icu compiled_data features (Chengzhong Wu) #622843bdc955b63] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #62256a9703d194a] - deps: update googletest to73a63ea(Node.js GitHub Bot) #6192785138935cb] - deps: update merve to 1.2.2 (Node.js GitHub Bot) #62213231521e75e] - diagnostics_channel: add diagnostics channels for web locks (Ilyas Shabi) #621230093863664] - doc: deprecatemodule.register()(DEP0205) (Geoffrey Booth) #623950b96ece6be] - doc: clarify that features cannot be both experimental and deprecated (Antoine du Hamel) #624568d3ea975f5] - doc: fix 'transfered' typo in quic.md (lilianakatrina684-a11y) #6249208ff16e0ba] - doc: move sqlite type conversion section to correct level (René) #6248261cc747dd8] - doc: add Rafael to last security release steward (Rafael Gonzaga) #6242364cfa5a6fa] - doc: use npm-published version of doc-kit (Aviv Keller) #621391020321fb0] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #622069caa7855b2] - doc: fix guaranteed typo (lilianakatrina684-a11y) #62374e254f65306] - doc: enhance clarification about the main field (Mowafak Almahaini) #623029e724b53f8] - doc: remove spawn with shell example from bat/cmd section (Kit Dallege) #622437f37c17516] - doc: minor typo fix (Jeff Matson) #62358eb0ca98f01] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #62355198b6e0932] - doc: deprecate CryptoKey use in node:crypto (Filip Skokan) #6232117e5aee6c5] - doc: fix small environment_variables typo (chris) #62279193d629895] - doc: test and test-only targets do not run linter (Xavier Stouder) #621204a1f20ec4a] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #62208f976c9214d] - doc: clarify that any truthy value ofshellis part of DEP0190 (Antoine du Hamel) #622494d83972681] - doc: remove outdated Chrome 66 and ndb references from debugger (Kit Dallege) #6220271f2eada5b] - doc: add throwIfNoEntry version history to fs.stat (kovan) #62204670c80893b] - doc: add note (and caveat) formock.moduleabout customization hooks (Jacob Smith) #620752ff5cb13f5] - doc,test: clarify --eval syntax for leading '-' scripts (kovan) #622446c6c9004c4] - esm: fix typo in worker loader hook comment (jakecastelli) #624751cdd23c9f3] - esm: fix source phase identity bug in loadCache eviction (Guy Bedford) #624154f4ff15794] - esm: fix path normalization infinalizeResolution(Antoine du Hamel) #62080088167d102] - events: avoid cloning listeners array on every emit (Gürgün Dayıoğlu) #622610250b436ee] - fs: fix cpSync to handle non-ASCII characters (Stefan Stojanovic) #61950b67a8fb171] - inspector: add Target.getTargets and extract TargetManager (Kohei) #62487ffcc5a5722] - lib: make SubtleCrypto.supports enumerable (Filip Skokan) #6230792ef2ad8fa] - lib: prefer primordials in SubtleCrypto (Filip Skokan) #6222640a43ac4d0] - module: fix coverage of mocked CJS modules imported from ESM (Marco) #621333ef0a5b90e] - quic: remove CryptoKey support from session keys option (Filip Skokan) #623353c8dd8eb8e] - repl: use vm DONT_CONTEXTIFY context (Chengzhong Wu) #62371f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #62188e4c164e045] - repl: handle exceptions from async context after close (Anna Henningsen) #6216567b854d407] - (SEMVER-MINOR) repl: remove dependency on domain module (Matteo Collina) #61227966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #62158fe82baf970] - src: improve EC JWK import performance (Filip Skokan) #62396d490b171e0] - src: handle null backing store in ArrayBufferViewContents::Read (Mert Can Altin) #623430e4af848bc] - src: convert context_frame field in AsyncWrap to internal field (Anna Henningsen) #6210302980b8c8f] - src: enable compilation/linking with OpenSSL 4.0 (Filip Skokan) #62410064f7c2fa6] - src: use stack allocation in indexOf latin1 path (Mert Can Altin) #62268ede52bc2dc] - src,sqlite: fix filterFunc dangling reference (Edy Silva) #62281e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #6206603839fb087] - stream: preserve error over AbortError in pipeline (Marco) #621130000d2f011] - stream: replace bind with arrow function for onwrite callback (Ali Hassan) #620873796a73719] - test: update WPT for WebCryptoAPI to2cb332d(Node.js GitHub Bot) #62483ad8309415b] - test: update WPT for url tofc3e651(Node.js GitHub Bot) #62379bed89b037e] - test: wait for reattach before initial break on restart (Yuya Inoue) #62471c9ffffcc55] - test: disable flaky WPT Blob test on AIX (James M Snell) #62470fd41ef31f6] - (SEMVER-MINOR) test: add tests for experimental stream/iter implementation (James M Snell) #620661b9d8d3eec] - test: avoid flaky run wait in debugger restart test (Yuya Inoue) #62112cb08a29d51] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #62238abea0af8a9] - test: add WebCrypto Promise.prototype.then pollution regression tests (Filip Skokan) #6222647a2132269] - test: update WPT for WebCryptoAPI to6a1c545(Node.js GitHub Bot) #621872c63d3006c] - test_runner: add exports option for module mocks (sangwook) #6172744ac0e1302] - test_runner: make it compatible with fake timers (Matteo Collina) #592721865691275] - test_runner: set non-zero exit code when suite errors occur (Edy Silva) #622820252b2bab8] - tools: bump picomatch from 4.0.3 to 4.0.4 in /tools/eslint (dependabot[bot]) #624393368155267] - tools: bump yaml from 2.8.2 to 2.8.3 in /tools/doc (dependabot[bot]) #624375e47c359f5] - tools: adopt the--check-for-duplicatesNCU flag (Antoine du Hamel) #624784a604e82d0] - tools: bump picomatch in /tools/doc (dependabot[bot]) #62438d1a98b4ddb] - tools: bump flatted from 3.4.1 to 3.4.2 in /tools/eslint (dependabot[bot]) #62375c32daa1ab4] - tools: bump eslint deps (Huáng Jùnliàng) #623567a2fcc6d41] - tools: do not swallow error inlint-nixworkflow (Antoine du Hamel) #62292c41a2871b5] - tools: add eslint-plugin-regexp (Huáng Jùnliàng) #6209356dfeb06df] - tools: fix timeout errors inlint-nixjob (Antoine du Hamel) #6226522fc8078e8] - tools: bump flatted from 3.3.3 to 3.4.1 in /tools/eslint (dependabot[bot]) #62255409b0663bd] - tools: bump undici from 6.23.0 to 6.24.1 in /tools/doc (dependabot[bot]) #6225067c69750f4] - tools: validate all commits that are pushed tomain(Antoine du Hamel) #622467d9db8cd21] - tools: keep GN files when updating Merve (Antoine du Hamel) #621676c8fa42ba2] - typings: rationalise TypedArray types (René) #62174531c64d04e] - url: enable simdutf for ada (Yagiz Nizipli) #614772000caccde] - util: allow color aliases in styleText (sangwook) #621800aed332ab4] - wasm: support js string constant esm import (Guy Bedford) #62198d3fd4a978b] - worker: heap profile optimizations (Ilyas Shabi) #62201e992a34a18] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #62325suzuki-shunsuke/pinact (pinact)
v3.10.1Compare Source
🐛 Bug Fixes
#1535 pin uses lines with multiple spaces after the YAML list dash
v3.10.0Compare Source
Features
#1530 Support pinning branches to latest stable tags by the
--branch-to-tagoptionThe default behabiour isn't changed.
By default, pinact doesn't pin branches such as main or master.
If you want to pin specific branches, you can use the --branch-to-tag option.
e.g.
v3.9.2Compare Source
Fixes
#1493 Preserve original line endings when updating workflows
v3.9.1Compare Source
v3.9.0Compare Source
Features
#1365 Make version separator configurable via configuration file @ReenigneArcher
#1372 Make version separator configurable via command line option and environment variable
🐛 Bug Fixes
#1359 Fix a bug that
-log-colordoesn't workOthers
pnpm/pnpm (pnpm)
v10.34.1: pnpm 10.34.1Compare Source
Patch Changes
pnpm-lock.yamlentries whose remote tarballresolution:block is missing theintegrityfield. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that stripsintegrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under--frozen-lockfile. pnpm now fails closed at lockfile-read time withERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: trueor a URL on codeload.github.com / bitbucket.org / gitlab.com) andfile:tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.Platinum Sponsors
Gold Sponsors
v10.34.0: pnpm 10.34Compare Source
Minor Changes
Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously,
pnpm install(non-frozen) would logERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.pnpm installnow exits withERR_PNPM_TARBALL_INTEGRITYand a hint pointing at the new opt-in flag.The only opt-in is
pnpm install --update-checksums— narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.--forceandpnpm updatedeliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide.--frozen-lockfilebehavior is unchanged.--fix-lockfilekeeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.Patch Changes
_authToken,_auth,username/_password,tokenHelper, inlinecert/key) to the registry declared in the same config source at load time, so a later layer overridingregistry=(workspace.npmrc,pnpm-workspace.yaml, CLI--registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.minimumReleaseAgehandling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-versiontimefield) by default, which made the maturity check throwERR_PNPM_MISSING_TIMEwhenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch whenminimumReleaseAgeis active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and letsERR_PNPM_MISSING_TIMEfrom the cache fast-path fall through to the network fetch even under strict mode.commitfield is not a 40-character hexadecimal SHA before invokinggit. A malicious lockfile could otherwise smuggle a value such as--upload-pack=<command>throughgit fetch/git checkout, which on SSH or local-file transports executes the supplied command.diff --githeaders reference paths outside the patched package directory. Previously a malicious.patchfile added via a pull request could write, delete, or rename arbitrary files reachable by the user runningpnpm install.--prefix=<dir>not being honored when locating the workspace root. The--prefix → dirrename was applied after workspace detection, so workspace settings declared in<dir>/pnpm-workspace.yamlwere not loaded when pnpm was invoked from outside<dir>#11535.@x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them intonode_modules. A malicious registry package could otherwise use a transitive dependency key to makepnpm installcreate symlinks at attacker-chosen paths outside the intendednode_modulesdirectory.Platinum Sponsors
Gold Sponsors
v10.33.4: pnpm 10.33.4Compare Source
Patch Changes
Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.
A new
gitHosted: truefield is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.Fix a regression where
pnpm --recursive --filter '!<pkg>' run/exec/test/addwould include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative--filterarguments are provided, matching the documented behavior. To include the root, pass--include-workspace-root#11341.Platinum Sponsors
Gold Sponsors
v10.33.3Compare Source
v10.33.2Compare Source
v10.33.1: pnpm 10.33.1Compare Source
Patch Changes
packageManagerfield selects pnpm v11 or newer, commands that v10 would have passed through to npm (version,login,logout,publish,unpublish,deprecate,dist-tag,docs,ping,search,star,stars,unstar,whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example,pnpm version --helpprint npm's help on a project withpackageManager: pnpm@11.0.0-rc.3#11328.Platinum Sponsors
Gold Sponsors
v10.33.0Compare Source
prometheus/prometheus (prom/prometheus)
v3.12.0: 3.12.0 / 2026-05-28[Compare Sour
Configuration
📅 Schedule: (in timezone Asia/Tokyo)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.