chore(deps): update npm dependencies #45

Merged
renovate-bot merged 1 commit from renovate/npm-dependencies into main 2025-12-15 17:08:32 +00:00

This PR contains the following updates:

| Package | Change |
|---|---|
| @types/node | 24.10.3 -> 24.10.4 |
| pnpm | 10.25.0 -> 10.26.0 |
| rollup | 4.53.3 -> 4.53.4 |
| vite | 7.2.7 -> 7.3.0 |

Release Notes

pnpm/pnpm (pnpm)

v10.26.0: pnpm 10.26

Compare Source

Minor Changes

  • Semi-breaking. Block git-hosted dependencies from running prepare scripts unless explicitly allowed in onlyBuiltDependencies #​10288.

  • Semi-breaking. Compute integrity hash for HTTP tarball dependencies when fetching, storing it in the lockfile to prevent servers from serving altered content on subsequent installs #​10287.

  • Added a new setting blockExoticSubdeps that prevents the resolution of exotic protocols in transitive dependencies.

    When set to true, direct dependencies (those listed in your root package.json) may still use exotic sources, but all transitive dependencies must be resolved from a trusted source. Trusted sources include the configured registry, local file paths, workspace links, trusted GitHub repositories (node, bun, deno), and custom resolvers.

    This helps to secure the dependency supply chain. Packages from trusted sources are considered safer, as they are typically subject to more reliable verification and scanning for malware and vulnerabilities.

    Exotic sources are dependency locations that bypass the usual trusted resolution process. These protocols are specifically targeted and blocked: Git repositories (git+ssh://...) and direct URL links to tarballs (https://.../package.tgz).

    Related PR: #​10265.

  • Added support for allowBuilds, which is a new field that can be used instead of onlyBuiltDependencies and ignoredBuiltDependencies. The new allowBuilds field in your pnpm-workspace.yaml uses a map of package matchers to explicitly allow (true) or disallow (false) script execution. This allows for a single, easy-to-manage source of truth for your build permissions.

    Example Usage. To explicitly allow all versions of esbuild to run scripts and prevent core-js from running them:

    allowBuilds:
      esbuild: true
      core-js: false
    

    The example above achieves the same result as the previous configuration:

    onlyBuiltDependencies:
      - esbuild
    ignoredBuiltDependencies:
      - core-js
    

    Related PR: #​10311

  • Added support for --dry-run to the pack command #​10301.

Patch Changes

  • Show deprecation in table/list formats when latest version is deprecated #​8658.
  • Remove the injectWorkspacePackages setting from the lockfile on the deploy command #​10294.
  • Normalize the tarball URLs before saving them to the lockfile. URLs should not contain default ports, like :80 for http and :443 for https #​10273.
  • When a dependency is installed via a direct URL that redirects to another URL and is immutable, the original URL is normalized and saved to package.json #​10197.

rollup/rollup (rollup)

v4.53.4

Compare Source

2025-12-15

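Bug Fixes

  • Ensure Symbol.dispose and Symbol.asyncDispose properties are never removed with (await) using declarations. (#6209)

Pull Requests

  • #6185: chore(deps): update dependency @inquirer/prompts to v8 (@renovate[bot], @lukastaegert)
  • #6186: fix(deps): lock file maintenance minor/patch updates (@renovate[bot])
  • #6187: chore(deps): lock file maintenance (@renovate[bot])
  • #6188: chore(deps): lock file maintenance minor/patch updates (@renovate[bot])
  • #6190: Fix syntax error in manualChunks example (@jonnyeom)
  • #6194: chore(deps): update actions/checkout action to v6 (@renovate[bot])
  • #6195: fix(deps): lock file maintenance minor/patch updates (@renovate[bot], @lukastaegert)
  • #6202: fix(deps): update swc monorepo (major) (@renovate[bot])
  • #6203: fix(deps): lock file maintenance minor/patch updates (@renovate[bot], @lukastaegert)
  • #6209: Do not tree-shake handlers for "using" (@lukastaegert)

vitejs/vite (vite)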

v7.3.0

Compare Source

Please refer to CHANGELOG.md for details.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR has been generated by Renovate Bot.
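
The blockExoticSubdeps rule from the pnpm 10.26 release notes above, modelled as an added example (not part of this PR and not pnpm's own code): direct dependencies may use exotic sources, transitive ones may not. The tree shape, package names and hosts are constructed, and the specifier patterns approximate the forms the notes name (git repositories and direct tarball URLs), with the `github:` shorthand added as an assumption.

```javascript
// Added example: models the rule as worded in the release notes.
// Not pnpm's resolver; the input tree is a constructed format.

// Classify a dependency specifier by where it would be fetched from.
function classifySpecifier(spec) {
  if (/^(git(\+[a-z]+)?:\/\/|github:)/i.test(spec)) return 'git';
  if (/^https?:\/\//i.test(spec)) return 'tarball-url';
  if (/^(file|link|workspace):/i.test(spec)) return 'local';
  return 'registry'; // semver range, dist-tag or npm: alias
}

const EXOTIC = new Set(['git', 'tarball-url']);

// Walk the tree. Depth 1 is a direct dependency of the root package.json
// and may be exotic; anything deeper is transitive and must not be.
function findExoticSubdeps(project) {
  const violations = [];
  const seen = new WeakSet(); // guard against cyclic graphs
  const walk = (node, depth, path) => {
    if (seen.has(node)) return;
    seen.add(node);
    for (const dep of node.dependencies || []) {
      const here = [...path, dep.name];
      const kind = classifySpecifier(dep.spec);
      if (depth > 1 && EXOTIC.has(kind)) {
        violations.push({ path: here.join(' > '), spec: dep.spec, kind });
      }
      walk(dep, depth + 1, here);
    }
  };
  walk(project, 1, []);
  return violations;
}

// Constructed sample: one exotic direct dependency (allowed) and two
// exotic transitive dependencies (flagged).
const SAMPLE_PROJECT = {
  name: 'app',
  dependencies: [
    { name: 'ui-kit', spec: 'git+ssh://git@git.example.test/acme/ui-kit.git', dependencies: [
      { name: 'util-a', spec: '^1.3.0' },
      { name: 'theme', spec: 'https://cdn.example.test/theme/package.tgz' },
    ] },
    { name: 'build-tool', spec: '7.3.0', dependencies: [
      { name: 'patched-lib', spec: 'git+ssh://git@git.example.test/x/patched-lib.git' },
      { name: 'shared', spec: 'workspace:*' },
    ] },
  ],
};

console.log(findExoticSubdeps(SAMPLE_PROJECT));
```
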

chore(deps): update npm dependencies
Some checks are pending
renovate/stability-days Updates have not met minimum release age requirement
ci/woodpecker/pr/checks Pipeline was successful
8a0dfd5989
renovate-bot scheduled this pull request to auto merge when all checks succeed 2025-12-15 13:33:19 +00:00
Athemis changed target branch from v13-appv2 to main 2025-12-15 17:06:10 +00:00
renovate-bot force-pushed renovate/npm-dependencies from 8a0dfd5989 to 0358db64c3 2025-12-15 17:07:55 +00:00
renovate-bot deleted branch renovate/npm-dependencies 2025-12-15 17:08:32 +00:00
Athemis self-assigned this 2025-12-15 17:08:44 +00:00
Reference
Athemis/ds4!45