380 Commits

Author	SHA1	Message	Date
Giteabot	326db5c932	chore(deps): update dependency @stylistic/stylelint-plugin to v5.2.0 (#37852) ... This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@stylistic/stylelint-plugin](https://redirect.github.com/stylelint-stylistic/stylelint-stylistic) | [`5.1.0` → `5.2.0`](https://renovatebot.com/diffs/npm/@stylistic%2fstylelint-plugin/5.1.0/5.2.0) |  |  | --- ### Release Notes <details> <summary>stylelint-stylistic/stylelint-stylistic (@&#8203;stylistic/stylelint-plugin)</summary> ### [`v5.2.0`](https://redirect.github.com/stylelint-stylistic/stylelint-stylistic/blob/HEAD/CHANGELOG.md#520--20260520) [Compare Source](https://redirect.github.com/stylelint-stylistic/stylelint-stylistic/compare/v5.1.0...v5.2.0) ##### Added - The `declaration-block-semicolon-newline-before` rule is now autofixable. ##### Fixed - An exception for an empty custom property value has been added to the `declaration-block-semicolon-newline-before` and `declaration-colon-space-after` rules: the `--custom-prop: ;` and `--custom-prop:;` variants are now considered valid (see [#&#8203;50](https://redirect.github.com/stylelint-stylistic/stylelint-stylistic/issues/50)). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->	2026-05-26 02:57:12 +02:00
Giteabot	1c130d2eb6	chore(deps): update npm dependencies (#37848) ... This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.1.3` → `11.2.1`](https://renovatebot.com/diffs/npm/pnpm/11.1.3/11.2.1) |  |  | | [stylelint](https://stylelint.io) ([source](https://redirect.github.com/stylelint/stylelint)) | [`17.11.1` → `17.12.0`](https://renovatebot.com/diffs/npm/stylelint/17.11.1/17.12.0) |  |  | --- ### Release Notes <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.2.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1121) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.2.0...v11.2.1) ##### Patch Changes - Mark optional subdependency snapshots of config dependencies with `optional: true` in the env lockfile, matching how optional dependencies are recorded elsewhere in `pnpm-lock.yaml`. Previously, snapshots for the platform-specific subdeps pulled in via a config dep's `optionalDependencies` were written as empty objects, which was inconsistent with the rest of the lockfile and made it look like those non-host platform variants were required. - Fix `pickRegistryForPackage` returning the wrong registry for an unscoped `npm:` alias under a scoped local name. A manifest entry like `"@&#8203;private/foo": "npm:lodash@^1"` was routing the `lodash` fetch through `registries["@&#8203;private"]`, even though `lodash` is unscoped and doesn't live on that registry. The npm-alias branch now returns the alias target's own scope (or `null` for an unscoped target, falling through to `registries.default`) instead of leaking into the local key's scope. - Don't print "Installing config dependencies..." when config dependencies are already installed and nothing needs to be fetched, re-linked, or removed. ### [`v11.2.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1120) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.1.3...v11.2.0) ##### Minor Changes - **Experimental:** Adding [`@pnpm/pacquet`](https://npmx.dev/package/@&#8203;pnpm/pacquet) (the Rust port of pnpm) to `configDependencies` in `pnpm-workspace.yaml` now delegates the materialization phase of `pnpm install` to the pacquet binary. pnpm still owns dependency resolution; pacquet only fetches and imports from the freshly-written lockfile. This is an opt-in preview of the Rust install engine [#&#8203;11723](https://redirect.github.com/pnpm/pnpm/issues/11723). To configure pacquet in a project, run: ``` pnpm add @&#8203;pnpm/pacquet --config ``` You'll see changes in `pnpm-workspace.yaml` and `pnpm-lock.yaml` that should be committed. If you experience any issues with pacquet, please let us know by mentioning this in the GitHub issue you create. - `configDependencies` now resolve and install one level of `optionalDependencies` declared by the config dependency, with `os`/`cpu`/`libc` platform filtering applied at install time. This unlocks the esbuild/swc-style pattern where a package ships platform-specific binaries via `optionalDependencies` — a config dependency can now do the same and have the matching binary symlinked next to it in the global virtual store, so `require('pkg-platform-arch')` from inside the config dependency resolves correctly. The env lockfile records all platform variants regardless of host platform, so it remains portable across machines. Each entry in a config dependency's `optionalDependencies` must declare an exact version — ranges and tags are rejected to keep installs reproducible. - Implement the documented `pnpm login --scope <scope>` flag. The scope is normalized (a leading `@` is added if missing; blank values are ignored) and an `@<scope>:registry=<registry>` mapping is written to the pnpm auth file alongside the auth token. Subsequent installs of `@<scope>/*` packages then route to the chosen registry. Previously `pnpm login --scope foo` errored with `Unknown option: 'scope'` despite the flag being listed in the online documentation [#&#8203;11716](https://redirect.github.com/pnpm/pnpm/issues/11716). - `pnpm outdated` and `pnpm update --interactive` now report Node.js, Deno, and Bun runtimes installed as project dependencies (`runtime:` specifiers). Previously these were silently skipped. ##### Patch Changes - Fix `cafile=<relative-path>` in `.npmrc` being read from the wrong directory when pnpm is invoked from a different cwd (e.g. `pnpm --dir <project> install` from a CI wrapper or monorepo script). The path is now resolved against the directory of the `.npmrc` that declared it, not `process.cwd()`. Before this fix the CA file silently failed to load — the install proceeded without the configured CA and the user only saw TLS errors against a private registry, with no log line tying back to the wrongly resolved path [#&#8203;11624](https://redirect.github.com/pnpm/pnpm/issues/11624). - Fix `config.registry` getting a trailing slash appended when `registry` is set in `.npmrc` and no `registries.default` is provided by `pnpm-workspace.yaml`. The sync from `registries.default` to `config.registry` introduced in [#&#8203;11744](https://redirect.github.com/pnpm/pnpm/issues/11744) now only fires when the workspace manifest actually contributes a different default. - Fix global add/update to handle minimumReleaseAge policy violations instead of surfacing an internal resolver guardrail error. - Fix two crashes with `injectWorkspacePackages: true` when the lockfile has been pruned (e.g. by `turbo prune --docker`): - `Cannot use 'in' operator to search for 'directory' in undefined`: a peer-dependency-variant injected snapshot inherits its `resolution` from the base `packages:` entry; when a pruner drops that base entry the readers crash. `convertToLockfileObject` now reconstructs the directory resolution from the `file:` depPath at load time — a single normalization point, so every reader sees a fully-formed snapshot. - `ERR_PNPM_ENOENT` on `node_modules/.bin/<tool>`: after `prepare`/`postinstall`, `runLifecycleHooksConcurrently` re-imported each injected workspace package; the `scanDir`-into-`filesMap` workaround fed target-internal paths to the importer, which the `makeEmptyDir` fast path ([#&#8203;11088](https://redirect.github.com/pnpm/pnpm/issues/11088)) then wiped. Drop the workaround and pass `keepModulesDir: true` so the importer preserves the target's existing `node_modules` (bin links + transitive deps) and source files keep their hardlinks. - Fixed `pnpm login` and `pnpm logout` ignoring `registries.default` from `pnpm-workspace.yaml` [#&#8203;10099](https://redirect.github.com/pnpm/pnpm/issues/10099). - Fix the `minimumReleaseAge` (publishedBy) maturity shortcut to be inclusive at the cutoff. Previously, abbreviated metadata whose `modified` field equalled the cutoff fell off the fast path and triggered a full-metadata re-fetch (or a `MISSING_TIME` error when full metadata wasn't permitted). Since `modified` is an upper bound on every version's publish time, `modified == publishedBy` already implies every version passes the per-version `<=` filter in `filterPkgMetadataByPublishDate`, so the shortcut now accepts the boundary case directly. Strictly `>` (was `>=`) at the rejection branch. - Honor `publishConfig.access` when publishing packages. </details> <details> <summary>stylelint/stylelint (stylelint)</summary> ### [`v17.12.0`](https://redirect.github.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#17120---2026-05-20) [Compare Source](https://redirect.github.com/stylelint/stylelint/compare/17.11.1...17.12.0) It fixes 3 bugs, including a false negative one. - Fixed: `block-no-empty` reported range when using comments ([#&#8203;9294](https://redirect.github.com/stylelint/stylelint/pull/9294)) ([@&#8203;romainmenke](https://redirect.github.com/romainmenke)). - Fixed: `declaration-property-value-no-unknown` false negatives for custom properties defined in reference files ([#&#8203;9292](https://redirect.github.com/stylelint/stylelint/pull/9292)) ([@&#8203;romainmenke](https://redirect.github.com/romainmenke)). - Fixed: `value-keyword-layout-mappings` false positives for `caption-side` ([#&#8203;9293](https://redirect.github.com/stylelint/stylelint/pull/9293)) ([@&#8203;romainmenke](https://redirect.github.com/romainmenke)). </details> --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->	2026-05-25 11:07:48 -07:00
Giteabot	953090fda4	fix(deps): update npm dependencies (#37844) ... This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @&#8203;codemirror/legacy-modes | [`6.5.2` → `6.5.3`](https://renovatebot.com/diffs/npm/@codemirror%2flegacy-modes/6.5.2/6.5.3) |  |  | | @&#8203;codemirror/view | [`6.42.1` → `6.43.0`](https://renovatebot.com/diffs/npm/@codemirror%2fview/6.42.1/6.43.0) |  |  | | [@primer/octicons](https://primer.style/octicons) ([source](https://redirect.github.com/primer/octicons)) | [`19.25.0` → `19.26.0`](https://renovatebot.com/diffs/npm/@primer%2focticons/19.25.0/19.26.0) |  |  | | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`25.7.0` → `25.9.1`](https://renovatebot.com/diffs/npm/@types%2fnode/25.7.0/25.9.1) |  |  | | [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | [`8.59.3` → `8.59.4`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.59.3/8.59.4) |  |  | | [@vitejs/plugin-vue](https://redirect.github.com/vitejs/vite-plugin-vue/tree/main/packages/plugin-vue#readme) ([source](https://redirect.github.com/vitejs/vite-plugin-vue/tree/HEAD/packages/plugin-vue)) | [`6.0.6` → `6.0.7`](https://renovatebot.com/diffs/npm/@vitejs%2fplugin-vue/6.0.6/6.0.7) |  |  | | [clippie](https://redirect.github.com/silverwind/clippie) | [`4.1.15` → `4.2.0`](https://renovatebot.com/diffs/npm/clippie/4.1.15/4.2.0) |  |  | | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.3.0` → `10.4.0`](https://renovatebot.com/diffs/npm/eslint/10.3.0/10.4.0) |  |  | | [eslint-plugin-playwright](https://redirect.github.com/mskelton/eslint-plugin-playwright) | [`2.10.2` → `2.10.4`](https://renovatebot.com/diffs/npm/eslint-plugin-playwright/2.10.2/2.10.4) |  |  | | [katex](https://katex.org) ([source](https://redirect.github.com/KaTeX/KaTeX)) | [`0.16.46` → `0.16.47`](https://renovatebot.com/diffs/npm/katex/0.16.46/0.16.47) |  |  | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.1.1` → `11.1.3`](https://renovatebot.com/diffs/npm/pnpm/11.1.1/11.1.3) |  |  | | [postcss](https://postcss.org/) ([source](https://redirect.github.com/postcss/postcss)) | [`8.5.14` → `8.5.15`](https://renovatebot.com/diffs/npm/postcss/8.5.14/8.5.15) |  |  | | [rolldown-license-plugin](https://redirect.github.com/silverwind/rolldown-license-plugin) | [`3.0.5` → `3.0.7`](https://renovatebot.com/diffs/npm/rolldown-license-plugin/3.0.5/3.0.7) |  |  | | [stylelint](https://stylelint.io) ([source](https://redirect.github.com/stylelint/stylelint)) | [`17.11.0` → `17.11.1`](https://renovatebot.com/diffs/npm/stylelint/17.11.0/17.11.1) |  |  | | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.59.3` → `8.59.4`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.3/8.59.4) |  |  | | [updates](https://redirect.github.com/silverwind/updates) | [`17.16.11` → `17.16.13`](https://renovatebot.com/diffs/npm/updates/17.16.11/17.16.13) |  |  | | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`8.0.12` → `8.0.13`](https://renovatebot.com/diffs/npm/vite/8.0.12/8.0.13) |  |  | | [vitest](https://vitest.dev) ([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/vitest)) | [`4.1.6` → `4.1.7`](https://renovatebot.com/diffs/npm/vitest/4.1.6/4.1.7) |  |  | | [vue-tsc](https://redirect.github.com/vuejs/language-tools) ([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc)) | [`3.2.9` → `3.3.1`](https://renovatebot.com/diffs/npm/vue-tsc/3.2.9/3.3.1) |  |  | --- ### Release Notes <details> <summary>primer/octicons (@&#8203;primer/octicons)</summary> ### [`v19.26.0`](https://redirect.github.com/primer/octicons/blob/HEAD/CHANGELOG.md#19260) [Compare Source](https://redirect.github.com/primer/octicons/compare/v19.25.0...v19.26.0) ##### Minor Changes - [#&#8203;1197](https://redirect.github.com/primer/octicons/pull/1197) [`b45f1d35`](https://redirect.github.com/primer/octicons/commit/b45f1d35477402da4df64ae3a38dae8e95477dc4) Thanks [@&#8203;lukasoppermann](https://redirect.github.com/lukasoppermann)! - Add repo-forked-locked icon ##### Patch Changes - [#&#8203;1209](https://redirect.github.com/primer/octicons/pull/1209) [`9a7e2146`](https://redirect.github.com/primer/octicons/commit/9a7e2146907d2b0bf06d2dd65d2d17d4c3959108) Thanks [@&#8203;siddharthkp](https://redirect.github.com/siddharthkp)! - fix: remove hardcoded fill from sandbox icon </details> <details> <summary>typescript-eslint/typescript-eslint (@&#8203;typescript-eslint/parser)</summary> ### [`v8.59.4`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8594-2026-05-18) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.3...v8.59.4) This was a version bump only for parser to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.4) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>vitejs/vite-plugin-vue (@&#8203;vitejs/plugin-vue)</summary> ### [`v6.0.7`](https://redirect.github.com/vitejs/vite-plugin-vue/blob/HEAD/packages/plugin-vue/CHANGELOG.md#small-607-2026-05-15-small) ##### Features - use carets for `@rolldown/pluginutils` version ([#&#8203;776](https://redirect.github.com/vitejs/vite-plugin-vue/issues/776)) ([941b651](https://redirect.github.com/vitejs/vite-plugin-vue/commit/941b651d8329559fce9231aad4e178f54cccb013)) ##### Bug Fixes - **deps:** update all non-major dependencies ([#&#8203;762](https://redirect.github.com/vitejs/vite-plugin-vue/issues/762)) ([9e825b8](https://redirect.github.com/vitejs/vite-plugin-vue/commit/9e825b85ebe9b6006dc5927aaa8aabc0bcc7eceb)) - **deps:** update all non-major dependencies ([#&#8203;774](https://redirect.github.com/vitejs/vite-plugin-vue/issues/774)) ([77dc8bc](https://redirect.github.com/vitejs/vite-plugin-vue/commit/77dc8bc935216bb7ed13f1c2653a80ffdc99fd45)) </details> <details> <summary>silverwind/clippie (clippie)</summary> ### [`v4.2.0`](https://redirect.github.com/silverwind/clippie/releases/tag/4.2.0) [Compare Source](https://redirect.github.com/silverwind/clippie/compare/4.1.15...4.2.0) - tests: make fallback block concurrent-safe (silverwind) - add ClippieCopyable type (silverwind) - fallback: use el.value.length for setSelectionRange end (silverwind) - update deps, replace describe.sequential with concurrent: false (silverwind) - Update vitest-config-silverwind to 11.3.3, add Node 26 to CI (silverwind) - update deps (silverwind) - simplify and fix minor issues (silverwind) </details> <details> <summary>eslint/eslint (eslint)</summary> ### [`v10.4.0`](https://redirect.github.com/eslint/eslint/releases/tag/v10.4.0) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.3.0...v10.4.0) #### Features - [`1a45ec5`](https://redirect.github.com/eslint/eslint/commit/1a45ec596af1dd5f880e6874cb8f24dafb6a7ecf) feat: check sequence expressions in `for-direction` ([#&#8203;20701](https://redirect.github.com/eslint/eslint/issues/20701)) (kuldeep kumar) - [`450040b`](https://redirect.github.com/eslint/eslint/commit/450040bd89b989b3531824c6be45feb5fe3d936b) feat: add `includeIgnoreFile()` to `eslint/config` ([#&#8203;20735](https://redirect.github.com/eslint/eslint/issues/20735)) (Kirk Waiblinger) #### Bug Fixes - [`544c0c3`](https://redirect.github.com/eslint/eslint/commit/544c0c3da589166ad8e5d634f35d3d06701c57be) fix: escape code path DOT labels in debug output ([#&#8203;20866](https://redirect.github.com/eslint/eslint/issues/20866)) (Pixel998) - [`6799431`](https://redirect.github.com/eslint/eslint/commit/6799431203f2579632d0870f98ba132067f4040c) fix: update dependency [@&#8203;eslint/config-helpers](https://redirect.github.com/eslint/config-helpers) to ^0.6.0 ([#&#8203;20850](https://redirect.github.com/eslint/eslint/issues/20850)) (renovate\[bot]) - [`f078fef`](https://redirect.github.com/eslint/eslint/commit/f078fef5005dceb14fc162aab7c7200e027688dd) fix: handle non-array deprecated rule replacements ([#&#8203;20825](https://redirect.github.com/eslint/eslint/issues/20825)) (xbinaryx) #### Documentation - [`7e52a71`](https://redirect.github.com/eslint/eslint/commit/7e52a7151fb92eec0e0f67fe4e5ddbd1ccce796f) docs: add mention of `@eslint-react/eslint-plugin` ([#&#8203;20869](https://redirect.github.com/eslint/eslint/issues/20869)) (Pavel) - [`db3468b`](https://redirect.github.com/eslint/eslint/commit/db3468ba746407d7f286f18f7ea9db6df0e3bc08) docs: tweak wording around ambiguous CJS-vs-ESM config ([#&#8203;20865](https://redirect.github.com/eslint/eslint/issues/20865)) (Kirk Waiblinger) - [`9084664`](https://redirect.github.com/eslint/eslint/commit/90846643ec6e97d447ae0d831fabe6d17b0a998a) docs: Update README (GitHub Actions Bot) - [`9cc7387`](https://redirect.github.com/eslint/eslint/commit/9cc73875046e3c4b8313644cbb1e99e26b36bd3f) docs: Update README (GitHub Actions Bot) - [`3d7b548`](https://redirect.github.com/eslint/eslint/commit/3d7b5484407403817aa9071a394d336d8ea96eb5) docs: Update README (GitHub Actions Bot) - [`191ec3c`](https://redirect.github.com/eslint/eslint/commit/191ec3c0a3f94ce0f110df761f0b2b8949011ccb) docs: Update README (GitHub Actions Bot) #### Chores - [`6616856`](https://redirect.github.com/eslint/eslint/commit/6616856f28fa514a30f87b5539fc100d739a94bf) chore: upgrade knip to v6 ([#&#8203;20875](https://redirect.github.com/eslint/eslint/issues/20875)) (Pixel998) - [`d13b084`](https://redirect.github.com/eslint/eslint/commit/d13b084a3ad02f926e9addaa35fc383759ea5554) ci: ensure auto-created PRs run CI ([#&#8203;20860](https://redirect.github.com/eslint/eslint/issues/20860)) (lumir) - [`e71c7af`](https://redirect.github.com/eslint/eslint/commit/e71c7af86dce9acc1d18cb12d2184309f6841594) ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 ([#&#8203;20862](https://redirect.github.com/eslint/eslint/issues/20862)) (dependabot\[bot]) - [`d84393d`](https://redirect.github.com/eslint/eslint/commit/d84393dea170f54191fd20c8268b52c81c0ccd99) test: add unit tests for SuppressionsService.applySuppressions() ([#&#8203;20863](https://redirect.github.com/eslint/eslint/issues/20863)) (kuldeep kumar) - [`24db8cb`](https://redirect.github.com/eslint/eslint/commit/24db8cb8e6f07fba667121777a15b1785486be94) test: add tests for SuppressionsService.save() ([#&#8203;20802](https://redirect.github.com/eslint/eslint/issues/20802)) (kuldeep kumar) - [`2ef0549`](https://redirect.github.com/eslint/eslint/commit/2ef0549cac4a9537e4c3a26b9f3edd4c99476bf6) chore: update ecosystem plugins ([#&#8203;20857](https://redirect.github.com/eslint/eslint/issues/20857)) (github-actions\[bot]) - [`a429791`](https://redirect.github.com/eslint/eslint/commit/a4297918d264d229a06cd96051ef9b91c7b86732) ci: remove `eslint-webpack-plugin` types integration test ([#&#8203;20668](https://redirect.github.com/eslint/eslint/issues/20668)) (Milos Djermanovic) - [`9e37386`](https://redirect.github.com/eslint/eslint/commit/9e37386aa7f2ce220b2ef74a6afbac5f6b3527c5) chore: replace `recast` with range approach in code-sample-minimizer ([#&#8203;20682](https://redirect.github.com/eslint/eslint/issues/20682)) (Copilot) - [`0dd1f9f`](https://redirect.github.com/eslint/eslint/commit/0dd1f9ffc9a07704d46e2a4c8d4ccc0d0908b0c0) test: disable warning for `vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER` ([#&#8203;20845](https://redirect.github.com/eslint/eslint/issues/20845)) (Francesco Trotta) - [`9da3c7b`](https://redirect.github.com/eslint/eslint/commit/9da3c7bc92d9579f8db19ecb56e718538d09db2b) refactor: remove deprecated `meta.language` and migrate `meta.dialects` ([#&#8203;20716](https://redirect.github.com/eslint/eslint/issues/20716)) (Pixel998) - [`2099ed1`](https://redirect.github.com/eslint/eslint/commit/2099ed12a0a74c3d7f0808514362af2499b4fe2b) refactor: add `meta.defaultOptions` to more rules, enable linting ([#&#8203;20800](https://redirect.github.com/eslint/eslint/issues/20800)) (xbinaryx) - [`f1dfbc9`](https://redirect.github.com/eslint/eslint/commit/f1dfbc9ca57196de7092e1888cc99427bd6fe06e) chore: update ecosystem plugins ([#&#8203;20836](https://redirect.github.com/eslint/eslint/issues/20836)) (github-actions\[bot]) - [`c759413`](https://redirect.github.com/eslint/eslint/commit/c75941390c14728806cd4baef4f6072f6de78318) ci: bump pnpm/action-setup from 6.0.3 to 6.0.5 ([#&#8203;20843](https://redirect.github.com/eslint/eslint/issues/20843)) (dependabot\[bot]) - [`5b817d6`](https://redirect.github.com/eslint/eslint/commit/5b817d6fdc9ae2c35b528dc662b2eca8f40f64aa) test: add unit tests for lib/shared/ast-utils ([#&#8203;20838](https://redirect.github.com/eslint/eslint/issues/20838)) (kuldeep kumar) - [`1c13ae3`](https://redirect.github.com/eslint/eslint/commit/1c13ae3934c198c494e5958fa3a68b33244ff06a) test: add unit tests for lib/shared/severity ([#&#8203;20835](https://redirect.github.com/eslint/eslint/issues/20835)) (kuldeep kumar) </details> <details> <summary>mskelton/eslint-plugin-playwright (eslint-plugin-playwright)</summary> ### [`v2.10.4`](https://redirect.github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.10.4) [Compare Source](https://redirect.github.com/mskelton/eslint-plugin-playwright/compare/v2.10.3...v2.10.4) ##### Bug Fixes - **valid-title:** Skip title checks for anonymous describe blocks ([894c0ec](https://redirect.github.com/mskelton/eslint-plugin-playwright/commit/894c0ec261763bb1e073b276c70bbf88b4ebad39)) ### [`v2.10.3`](https://redirect.github.com/mskelton/eslint-plugin-playwright/releases/tag/v2.10.3) [Compare Source](https://redirect.github.com/mskelton/eslint-plugin-playwright/compare/v2.10.2...v2.10.3) ##### Bug Fixes - **missing-playwright-await:** Fix false positive when not assigning awaited variable ([#&#8203;464](https://redirect.github.com/mskelton/eslint-plugin-playwright/issues/464)) ([801f01a](https://redirect.github.com/mskelton/eslint-plugin-playwright/commit/801f01aa8a5e279b65939e06d63f7e0d2b638f93)) </details> <details> <summary>KaTeX/KaTeX (katex)</summary> ### [`v0.16.47`](https://redirect.github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01647-2026-05-16) [Compare Source](https://redirect.github.com/KaTeX/KaTeX/compare/v0.16.46...v0.16.47) ##### Bug Fixes - correct size of `[` big delimiter ([#&#8203;4217](https://redirect.github.com/KaTeX/KaTeX/issues/4217)) ([7ba0027](https://redirect.github.com/KaTeX/KaTeX/commit/7ba0027d2f04abddd3b215362f867ab8260b09d7)), closes [#&#8203;4215](https://redirect.github.com/KaTeX/KaTeX/issues/4215) </details> <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.1.3`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1113) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.1.2...v11.1.3) ##### Patch Changes - `pnpm install` now re-validates `pnpm-lock.yaml` entries against the active `minimumReleaseAge` and `trustPolicy: 'no-downgrade'` policies before any tarball is fetched. Lockfiles resolved elsewhere (committed to the repo, restored from a CI cache, produced by an older pnpm) under a weaker or absent policy can no longer install a freshly-published or trust-downgraded version silently. Violating entries abort the install with `ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION`, `ERR_PNPM_TRUST_DOWNGRADE`, or the generic `ERR_PNPM_LOCKFILE_RESOLUTION_VERIFICATION` when both policies trip in the same batch; `minimumReleaseAgeExclude` and `trustPolicyExclude` are honored. Verification results are cached so repeat installs against an unchanged lockfile take a fast path, and pnpm shows a transient progress line while the registry round-trip runs. When fresh resolution picks an immature version, the behavior depends on `minimumReleaseAgeStrict`: - **Loose mode** — the default, in effect whenever `minimumReleaseAge` keeps its built-in 24-hour value — auto-adds the immature picks to `minimumReleaseAgeExclude` in `pnpm-workspace.yaml` and lets the install proceed. A single info message lists what was persisted. - **Strict mode** in an interactive terminal collects every immature direct AND transitive pick in one pass and prompts once with the full list. Approving adds them to `minimumReleaseAgeExclude` and the install continues; declining aborts before the lockfile, `package.json`, or `node_modules` is touched. - **Strict mode** in CI (or any non-TTY context) aborts with `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing every offending entry, instead of failing on the first one the resolver hit. `minimumReleaseAgeStrict` auto-enables whenever the user explicitly sets `minimumReleaseAge` (CLI flag, env var, global `config.yaml`, or `pnpm-workspace.yaml`); set `minimumReleaseAgeStrict: false` to keep loose-mode auto-collect even with an explicit `minimumReleaseAge` value. Closes [#&#8203;10438](https://redirect.github.com/pnpm/pnpm/issues/10438), [#&#8203;10488](https://redirect.github.com/pnpm/pnpm/issues/10488), [#&#8203;11687](https://redirect.github.com/pnpm/pnpm/issues/11687). - Allow redundant trailing base64 padding in `.npmrc` auth values and report invalid auth base64 with a pnpm error. - Make `pnpm self-update` respect `minimumReleaseAge` (and `minimumReleaseAgeExclude`) when resolving which pnpm version to install. When the `latest` dist-tag points to a version newer than the configured age threshold, `self-update` now selects the newest mature version instead unless excluded by `minimumReleaseAgeExclude`. Also makes `dlx` and `outdated` surface invalid `minimumReleaseAgeExclude` patterns under the same `ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE` error code already used by `install`, instead of leaking the internal `ERR_PNPM_INVALID_VERSION_UNION` / `ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION` codes. - Global installs respect global config build policy (e.g., `dangerouslyAllowAllBuilds` from config.yaml) when GVS is enabled [#&#8203;9249](https://redirect.github.com/pnpm/pnpm/issues/9249). The global virtual-store (GVS) default `allowBuilds = {}` was applied before workspace manifest settings were read and before global config values (stripped by `extractAndRemoveDependencyBuildOptions`) were re-applied via `globalDepsBuildConfig`. This caused `hasDependencyBuildOptions` to return `true` (because `{}` is not null), blocking restoration of global config values like `dangerouslyAllowAllBuilds`. As a result, global installs skipped all build scripts even when the config explicitly allowed them. This fix moves the GVS default to **after** workspace manifest reading and `globalDepsBuildConfig` re-application, so that: 1. Workspace manifest `allowBuilds` takes precedence (if present) 2. Global config `dangerouslyAllowAllBuilds` is properly restored (if set and no workspace policy exists) 3. Empty `{}` is only applied as a last resort when no policy is configured anywhere - Honor `--silent` when `verifyDepsBeforeRun: install` auto-installs dependencies before `pnpm run` or `pnpm exec`, preventing install output from being written to stdout [#&#8203;11636](https://redirect.github.com/pnpm/pnpm/issues/11636). - Fix lockfile parsing failures when `pnpm-lock.yaml` contains CRLF line endings and multiple YAML documents [#&#8203;11612](https://redirect.github.com/pnpm/pnpm/issues/11612). - Anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime. `ENGINE_NAME` (the `<platform>;<arch>;node<major>` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations: 1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`. 2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node. Three changes: - `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`. - `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:<version>` entry and returns its bare version string. `calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up. - Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through. On upgrade, two one-time GVS slot churns are possible: - **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce. - **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on. In both cases the old slots become prune-eligible. - Resolve the GVS hash's engine portion per-snapshot when a dependency declares its own `engines.runtime`, instead of using an install-wide value. Pnpm's resolver desugars a dep's `engines.runtime` into `dependencies.node: 'runtime:<version>'`, and the bin linker spawns that dep's lifecycle scripts through the pinned Node downloaded into `<pkgDir>/node_modules/node/`. The GVS hash and the side-effects-cache key prefix were still anchored to the install-wide runtime — so a pinning snapshot's slot encoded the wrong Node major, and a reinstall on the same host could read the cached side-effects under a key whose `<platform>;<arch>;node<major>` triple disagreed with the Node the build actually ran on. Per-snapshot resolution now matches what `bins/linker` already does on a per-package basis: - `@pnpm/deps.graph-hasher` adds `readSnapshotRuntimePin(children)` — reads the `node` entry from one snapshot's graph children and extracts the version from a `node@runtime:` value. Pairs with the existing `findRuntimeNodeVersion(snapshotKeys)` install-wide fallback (also now exported from `@pnpm/deps.graph-hasher` rather than `@pnpm/engine.runtime.system-node-version`, where it was a poor fit — `system-node-version` is about probing the host Node, not parsing lockfile-derived strings). - `calcDepState` and `calcGraphNodeHash` consult `readSnapshotRuntimePin(graph[depPath].children)` first and only fall back to the install-wide `nodeVersion` parameter when the snapshot doesn't pin its own Node. Pacquet mirrors the same precedence at the `calc_graph_node_hash` call site in `package-manager/src/virtual_store_layout.rs` — a new `find_own_runtime_node_major(snapshot)` helper reads each snapshot's `dependencies` for a `node` entry with `Prefix::Runtime` and overrides the install-wide engine when present. On upgrade, snapshots of dependencies that declare their own `engines.runtime` re-hash under that dep's pinned Node instead of the install-wide value. The old slots become prune-eligible. Closes [#&#8203;11690](https://redirect.github.com/pnpm/pnpm/issues/11690). - Fixed `pnpm publish` failing with a 404 when authentication relied on OIDC trusted publishing alongside an `.npmrc` written by `actions/setup-node` (`_authToken=${NODE_AUTH_TOKEN}`) without `NODE_AUTH_TOKEN` being set. Unresolved `${VAR}` placeholders in auth values are now treated as empty rather than passed through verbatim, so the literal placeholder no longer surfaces as a bearer token when OIDC fallback is the intended auth source [#&#8203;11513](https://redirect.github.com/pnpm/pnpm/issues/11513). - Fix `devEngines.packageManager` (singular form, without `onFail`) defaulting to `onFail: "error"` instead of the documented `pmOnFail: "download"`. As a result, a project that pinned a different pnpm version via `devEngines.packageManager` and ran `pnpm install` from a mismatched pnpm version failed with a hard error, even though the migration table from `managePackageManagerVersions: true` to `pmOnFail: download (default)` promises the install would auto-download the wanted version [#&#8203;11676](https://redirect.github.com/pnpm/pnpm/issues/11676). The array form of `devEngines.packageManager` keeps its existing per-element defaults (`error` for the last entry, `ignore` for the rest), since those reflect explicit prioritization by the user. Explicit `onFail` values continue to win. - Fix `devEngines.packageManager` not writing `packageManagerDependencies` to `pnpm-lock.yaml` when the lockfile lacks an env-doc entry. Previously the lockfile sync skipped resolution unless an existing `packageManagerDependencies.pnpm` entry needed refreshing, so a fresh install without `onFail: "download"` left the resolved pnpm version unrecorded — contradicting the documented behavior that the resolved version is stored in `pnpm-lock.yaml` [#&#8203;11674](https://redirect.github.com/pnpm/pnpm/issues/11674). - Warn when `package.json` contains a legacy `pnpm` field with settings pnpm no longer reads from `package.json` (e.g. `pnpm.overrides`, `pnpm.patchedDependencies`). Previously these were silently ignored after the upgrade from v10, leaving users unaware that their overrides/patched dependencies had stopped taking effect [#&#8203;11677](https://redirect.github.com/pnpm/pnpm/issues/11677). ### [`v11.1.2`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1112) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.1.1...v11.1.2) ##### Patch Changes - `convertEnginesRuntimeToDependencies`: switch the runtime-dependency write to `Object.defineProperty` so the CodeQL `js/prototype-polluting-assignment` rule treats the assignment as safe regardless of the property name (follow-up to [#&#8203;11609](https://redirect.github.com/pnpm/pnpm/pull/11609)). - Address CodeQL static-analysis findings: guard manifest dependency writes against prototype-polluting keys (`__proto__`, `constructor`, `prototype`), and replace a potentially super-linear semver-detection regex in registry 404 hints with an O(n) parser. - Strip `sec-fetch-*` headers from outgoing HTTP requests. These headers are automatically added by undici's `fetch()` implementation per the Fetch spec but cause Azure DevOps Artifacts to return HTTP 400 for uncached upstream packages, as ADO interprets them as browser requests [#&#8203;11572](https://redirect.github.com/pnpm/pnpm/issues/11572). - Fix `minimumReleaseAge` handling for cached abbreviated metadata. The version-spec cache fast path no longer rethrows `ERR_PNPM_MISSING_TIME` under `strictPublishedByCheck`; it now falls through to the registry-fetch path, consistent with the adjacent mtime-gated cache block. When the registry returns 304 Not Modified for a package whose cached metadata is abbreviated (no per-version `time`), pnpm now re-fetches with `fullMetadata: true` if `minimumReleaseAge` is active and the package was modified after the cutoff. The upgraded metadata is persisted to disk so subsequent installs don't repeat the fetch. Previously the abbreviated meta was used as-is and the maturity check fell back to its warn-and-skip path, silently bypassing the quarantine and emitting a misleading "metadata is missing the time field" warning. Closes [#&#8203;11619](https://redirect.github.com/pnpm/pnpm/issues/11619). - Fix `pnpm upgrade --interactive --latest -r` not respecting named catalog groups. Previously, upgrading a dependency using a named catalog (e.g. `"catalog:foo"`) would incorrectly rewrite `package.json` to `"catalog:"` and place the updated version in the default catalog instead of the named one [#&#8203;10115](https://redirect.github.com/pnpm/pnpm/issues/10115). - Fixed `optimisticRepeatInstall` skipping `pnpm-lock.yaml` merge conflict resolution when the existing `node_modules` state appears up to date. - Fix `minimumReleaseAge` / `resolutionMode: time-based` installs failing on lockfiles whose `time:` block is missing entries. The npm-resolver's peek-from-store fast path now surfaces `publishedAt` from the lockfile rather than discarding it, and falls through to a registry metadata fetch when the time-based cutoff can't be computed from the data on hand. </details> <details> <summary>postcss/postcss (postcss)</summary> ### [`v8.5.15`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8515) [Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.14...8.5.15) - Fixed declaration parsing performance (by [@&#8203;homanp](https://redirect.github.com/homanp)). </details> <details> <summary>silverwind/rolldown-license-plugin (rolldown-license-plugin)</summary> ### [`v3.0.7`](https://redirect.github.com/silverwind/rolldown-license-plugin/releases/tag/3.0.7) [Compare Source](https://redirect.github.com/silverwind/rolldown-license-plugin/compare/3.0.6...3.0.7) - update deps (silverwind) - skip readdir when package has a "LICENSE" file (silverwind) - clarify dedup comment: package.json reads are not deduped, only readdir/readFile (silverwind) - skip readdir/readFile for duplicate package paths (silverwind) ### [`v3.0.6`](https://redirect.github.com/silverwind/rolldown-license-plugin/releases/tag/3.0.6) [Compare Source](https://redirect.github.com/silverwind/rolldown-license-plugin/compare/3.0.5...3.0.6) - update deps (silverwind) - skip duplicate license reads, preserve wrap indentation (silverwind) - batch generateBundle IO into two phases for \~11% speedup (silverwind) </details> <details> <summary>stylelint/stylelint (stylelint)</summary> ### [`v17.11.1`](https://redirect.github.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#17111---2026-05-14) [Compare Source](https://redirect.github.com/stylelint/stylelint/compare/17.11.0...17.11.1) It fixes 2 bugs. - Fixed: `node_modules` ignore for `codeFilename` paths containing a dot-prefixed directory ([#&#8203;9282](https://redirect.github.com/stylelint/stylelint/pull/9282)) ([@&#8203;tuhtah](https://redirect.github.com/tuhtah)). - Fixed: `declaration-block-no-redundant-longhand-properties` range for contiguous redundant longhand properties ([#&#8203;9273](https://redirect.github.com/stylelint/stylelint/pull/9273)) ([@&#8203;pamelalozano16](https://redirect.github.com/pamelalozano16)). </details> <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.59.4`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8594-2026-05-18) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.3...v8.59.4) ##### 🩹 Fixes - **typescript-eslint:** export Compatible\* types from typescript-eslint to resolve pnpm TS error ([#&#8203;12340](https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12340)) ##### ❤️ Thank You - Kirk Waiblinger [@&#8203;kirkwaiblinger](https://redirect.github.com/kirkwaiblinger) See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.4) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>silverwind/updates (updates)</summary> ### [`v17.16.13`](https://redirect.github.com/silverwind/updates/releases/tag/17.16.13) [Compare Source](https://redirect.github.com/silverwind/updates/compare/17.16.12...17.16.13) - Speed up findVersion hot loop (silverwind) - Minor simplifications (silverwind) - Fix Go pseudo-version write corruption and selectTag tag ordering (silverwind) - Fix parser/replace edge cases across modes (silverwind) ### [`v17.16.12`](https://redirect.github.com/silverwind/updates/releases/tag/17.16.12) [Compare Source](https://redirect.github.com/silverwind/updates/compare/17.16.11...17.16.12) - Fix several parser/URL edge cases across modes (silverwind) - bump vitest-config-silverwind to 11.3.5 (silverwind) - speed up tests (silverwind) - perf: reduce redundant work in hot paths (silverwind) </details> <details> <summary>vitejs/vite (vite)</summary> ### [`v8.0.13`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8013-2026-05-14-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v8.0.12...v8.0.13) ##### Features - **bundled-dev:** add lazy bundling support ([#&#8203;21406](https://redirect.github.com/vitejs/vite/issues/21406)) ([4f0949f](https://redirect.github.com/vitejs/vite/commit/4f0949f3f13e4b2b34d32bf7b2b4de5f26bea192)) - **optimizer:** improve the esbuild plugin converter to pass some properties of build result to `onEnd` ([#&#8203;22357](https://redirect.github.com/vitejs/vite/issues/22357)) ([47071ce](https://redirect.github.com/vitejs/vite/commit/47071ce53f21726cf39e999c4407c4828ecbe957)) - update rolldown to 1.0.1 ([#&#8203;22444](https://redirect.github.com/vitejs/vite/issues/22444)) ([8c766a6](https://redirect.github.com/vitejs/vite/commit/8c766a6c5ee014969c4e32f29cc265e8e2c96e18)) ##### Bug Fixes - **build:** copy public directory after building same environment with `write=false` ([#&#8203;22328](https://redirect.github.com/vitejs/vite/issues/22328)) ([158e8ae](https://redirect.github.com/vitejs/vite/commit/158e8ae8efdf7075ab295727e36b5ff68da3243e)) - **css:** await sass/less/styl worker disposal on teardown (fix [#&#8203;22274](https://redirect.github.com/vitejs/vite/issues/22274)) ([#&#8203;22275](https://redirect.github.com/vitejs/vite/issues/22275)) ([b7edcb7](https://redirect.github.com/vitejs/vite/commit/b7edcb7d0dd17ddfeef4ace78d610c099216dade)) - **css:** keep deprecated `name`/`originalFileName` in synthetic `assetFileNames` call ([#&#8203;22439](https://redirect.github.com/vitejs/vite/issues/22439)) ([8e59c97](https://redirect.github.com/vitejs/vite/commit/8e59c97a44d923c4c06f67287a793c9aa5a4ebaa)) - make `isBundled` per environment ([#&#8203;22257](https://redirect.github.com/vitejs/vite/issues/22257)) ([a576326](https://redirect.github.com/vitejs/vite/commit/a5763266170f8606836da5c6f987b4b2fd6ddc55)) - **ssr:** avoid rewriting labels that collide with imports ([#&#8203;22451](https://redirect.github.com/vitejs/vite/issues/22451)) ([d9b18e0](https://redirect.github.com/vitejs/vite/commit/d9b18e0387a253628d3d834288e79c5f7e85d566)) ##### Miscellaneous Chores - remove irrelevant commits from changelog ([#&#8203;22430](https://redirect.github.com/vitejs/vite/issues/22430)) ([6ea3838](https://redirect.github.com/vitejs/vite/commit/6ea383859aaf0ef8e673b458f164e84aeb6ff51d)) - update changelog ([#&#8203;22413](https://redirect.github.com/vitejs/vite/issues/22413)) ([fcdc87c](https://redirect.github.com/vitejs/vite/commit/fcdc87cc6799857e2bab0f44f333a681694fff74)) </details> <details> <summary>vitest-dev/vitest (vitest)</summary> ### [`v4.1.7`](https://redirect.github.com/vitest-dev/vitest/releases/tag/v4.1.7) [Compare Source](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.6...v4.1.7) #####    🐞 Bug Fixes - **runner**: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by [@&#8203;hi-ogawa](https://redirect.github.com/hi-ogawa) in [#&#8203;10384](https://redirect.github.com/vitest-dev/vitest/issues/10384) [<samp>(4f0f2)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/4f0f2a1ee) #####     [View changes on GitHub](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.6...v4.1.7) </details> <details> <summary>vuejs/language-tools (vue-tsc)</summary> ### [`v3.3.1`](https://redirect.github.com/vuejs/language-tools/blob/HEAD/CHANGELOG.md#331-2026-05-19) [Compare Source](https://redirect.github.com/vuejs/language-tools/compare/v3.3.0...v3.3.1) ##### language-core - **fix:** avoid extraneous children error for conditional slots ([#&#8203;6056](https://redirect.github.com/vuejs/language-tools/issues/6056)) - Thanks to [@&#8203;KazariEX](https://redirect.github.com/KazariEX)! ##### language-service - **refactor:** replace scanner-based missing props hints detection with AST traversal - Thanks to [@&#8203;KazariEX](https://redirect.github.com/KazariEX)! ##### typescript-plugin - **fix:** get component prop details from symbols - Thanks to [@&#8203;KazariEX](https://redirect.github.com/KazariEX)! - **fix:** skip unchecked JS identifiers in component props ([#&#8203;6055](https://redirect.github.com/vuejs/language-tools/issues/6055)) - Thanks to [@&#8203;KazariEX](https://redirect.github.com/KazariEX)! ##### vscode - **fix:** resolve typescript plugin path from resolved server path ([#&#8203;6058](https://redirect.github.com/vuejs/language-tools/issues/6058)) - Thanks to [@&#8203;KazariEX](https://redirect.github.com/KazariEX)! ### [`v3.3.0`](https://redirect.github.com/vuejs/language-tools/blob/HEAD/CHANGELOG.md#330-2026-05-18) [Compare Source](https://redirect.github.com/vuejs/language-tools/compare/v3.2.9...v3.3.0) ##### language-core - **feat:** check required fallthrough attributes ([#&#8203;6049](https://redirect.github.com/vuejs/language-tools/issues/6049)) - Thanks to [@&#8203;KazariEX](https://redirect.github.com/KazariEX)! - **fix:** penetrate `v-if` branch fragments when collecting single root nodes - Thanks to [@&#8203;KazariEX](https://redirect.github.com/KazariEX)! - **refactor:** rename `Sfc` APIs to `IR` - Thanks to [@&#8203;KazariEX](https://redirect.github.com/KazariEX)! ##### language-service - **fix:** reuse ASTs for define assignment suggestions - Thanks to [@&#8203;KazariEX](https://redirect.github.com/KazariEX)! - **fix:** re-support `html.customData` ([#&#8203;5910](https://redirect.github.com/vuejs/language-tools/issues/5910)) - Thanks to [@&#8203;Bomberus](https://redirect.github.com/Bomberus)! - **fix:** strip `=""` only for plain boolean props completion edits - Thanks to [@&#8203;KazariEX](https://redirect.github.com/KazariEX)! - **fix:** reset to default data provider after running with vue data provider - Thanks to [@&#8203;KazariEX](https://redirect.github.com/KazariEX)! ##### typescript-plugin - **feat:** refine props completion logic to follow TS behavior ([#&#8203;5709](https://redirect.github.com/vuejs/language-tools/issues/5709)) - Thanks to [@&#8203;KazariEX](https://redirect.github.com/KazariEX)! ##### vscode - **fix:** include `extraFileExtensions` in tsserver `configure` request payload ([#&#8203;6048](https://redirect.github.com/vuejs/language-tools/issues/6048)) - Thanks to [@&#8203;KazariEX](https://redirect.github.com/KazariEX)! - **fix:** write typescript plugins at build time ([#&#8203;6050](https://redirect.github.com/vuejs/language-tools/issues/6050)) - Thanks to [@&#8203;KazariEX](https://redirect.github.com/KazariEX)! - **fix:** avoid infinite diagnostics on Vue files when project diagnostics is enabled ([#&#8203;6051](https://redirect.github.com/vuejs/language-tools/issues/6051)) - Thanks to [@&#8203;KazariEX](https://redirect.github.com/KazariEX)! </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->	2026-05-25 10:08:25 +00:00
Giteabot	343eaa8940	fix(deps): update npm dependencies (#37768) ... This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [katex](https://katex.org) ([source](https://redirect.github.com/KaTeX/KaTeX)) | [`0.16.45` → `0.16.46`](https://renovatebot.com/diffs/npm/katex/0.16.45/0.16.46) |  |  | | [vue-tsc](https://redirect.github.com/vuejs/language-tools) ([source](https://redirect.github.com/vuejs/language-tools/tree/HEAD/packages/tsc)) | [`3.2.8` → `3.2.9`](https://renovatebot.com/diffs/npm/vue-tsc/3.2.8/3.2.9) |  |  |	2026-05-19 06:28:06 +00:00
Giteabot	aecb2585f0	fix(deps): update npm dependencies (#37753) ... This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @&#8203;codemirror/view | [`6.42.0` → `6.42.1`](https://renovatebot.com/diffs/npm/@codemirror%2fview/6.42.0/6.42.1) |  |  | | [@playwright/test](https://playwright.dev) ([source](https://redirect.github.com/microsoft/playwright)) | [`1.59.1` → `1.60.0`](https://renovatebot.com/diffs/npm/@playwright%2ftest/1.59.1/1.60.0) |  |  | | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`25.6.0` → `25.7.0`](https://renovatebot.com/diffs/npm/@types%2fnode/25.6.0/25.7.0) |  |  | | [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | [`8.59.2` → `8.59.3`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.59.2/8.59.3) |  |  | | [@vitest/eslint-plugin](https://redirect.github.com/vitest-dev/eslint-plugin-vitest) | [`1.6.16` → `1.6.17`](https://renovatebot.com/diffs/npm/@vitest%2feslint-plugin/1.6.16/1.6.17) |  |  | | [eslint-plugin-de-morgan](https://redirect.github.com/azat-io/eslint-plugin-de-morgan) | [`2.1.1` → `2.1.2`](https://renovatebot.com/diffs/npm/eslint-plugin-de-morgan/2.1.1/2.1.2) |  |  | | [eslint-plugin-vue-scoped-css](https://future-architect.github.io/eslint-plugin-vue-scoped-css/) ([source](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css)) | [`3.0.0` → `3.1.0`](https://renovatebot.com/diffs/npm/eslint-plugin-vue-scoped-css/3.0.0/3.1.0) |  |  | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | [`11.0.8` → `11.1.1`](https://renovatebot.com/diffs/npm/pnpm/11.0.8/11.1.1) |  |  | | [rolldown-license-plugin](https://redirect.github.com/silverwind/rolldown-license-plugin) | [`3.0.4` → `3.0.5`](https://renovatebot.com/diffs/npm/rolldown-license-plugin/3.0.4/3.0.5) |  |  | | [swagger-ui-dist](https://redirect.github.com/swagger-api/swagger-ui) | [`5.32.5` → `5.32.6`](https://renovatebot.com/diffs/npm/swagger-ui-dist/5.32.5/5.32.6) |  |  | | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.59.2` → `8.59.3`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.2/8.59.3) |  |  | | [updates](https://redirect.github.com/silverwind/updates) | [`17.16.9` → `17.16.11`](https://renovatebot.com/diffs/npm/updates/17.16.9/17.16.11) |  |  | | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`8.0.10` → `8.0.12`](https://renovatebot.com/diffs/npm/vite/8.0.10/8.0.12) |  |  | | [vitest](https://vitest.dev) ([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/vitest)) | [`4.1.5` → `4.1.6`](https://renovatebot.com/diffs/npm/vitest/4.1.5/4.1.6) |  |  | --- ### Release Notes <details> <summary>microsoft/playwright (@&#8203;playwright/test)</summary> ### [`v1.60.0`](https://redirect.github.com/microsoft/playwright/releases/tag/v1.60.0) [Compare Source](https://redirect.github.com/microsoft/playwright/compare/v1.59.1...v1.60.0) #### 🌐 HAR recording on Tracing [tracing.startHar()](https://playwright.dev/docs/api/class-tracing#tracing-start-har) / [tracing.stopHar()](https://playwright.dev/docs/api/class-tracing#tracing-stop-har) expose HAR recording as a first-class tracing API, with the same `content`, `mode` and `urlFilter` options as `recordHar`. The returned [Disposable](https://playwright.dev/docs/api/class-disposable) makes it easy to scope a recording with `await using`: ```js await using har = await context.tracing.startHar('trace.har'); const page = await context.newPage(); await page.goto('https://playwright.dev'); // HAR is finalized when `har` goes out of scope. ``` #### 🪝 Drop API New [locator.drop()](https://playwright.dev/docs/api/class-locator#locator-drop) simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches `dragenter`, `dragover`, and `drop` with a synthetic \[DataTransfer] in the page context — works cross-browser and is great for testing upload zones: ```js await page.locator('#dropzone').drop({ files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') }, }); await page.locator('#dropzone').drop({ data: { 'text/plain': 'hello world', 'text/uri-list': 'https://example.com', }, }); ``` #### 🎯 Aria snapshots - [expect(page).toMatchAriaSnapshot()](https://playwright.dev/docs/api/class-pageassertions#page-assertions-to-match-aria-snapshot) now works on a [Page](https://playwright.dev/docs/api/class-page), in addition to a [Locator](https://playwright.dev/docs/api/class-locator) — equivalent to asserting against `page.locator('body')`. - New `boxes` option on [locator.ariaSnapshot()](https://playwright.dev/docs/api/class-locator#locator-aria-snapshot) / [page.ariaSnapshot()](https://playwright.dev/docs/api/class-page#page-aria-snapshot) appends each element's bounding box as `[box=x,y,width,height]`, useful for AI consumption. #### 🛑 test.abort() New [test.abort()](https://playwright.dev/docs/api/class-test#test-abort) aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away: ```js test('does not publish to the shared page', async ({ page }) => { await page.route('**/publish', route => { test.abort('Tests must not publish to the shared page. Use the `clone` option.'); return route.abort(); }); // ... }); ``` #### New APIs ##### Browser, Context and Page - Event [browser.on('context')](https://playwright.dev/docs/api/class-browser#browser-event-context) — fired when a new context is created on the browser. - [BrowserContext](https://playwright.dev/docs/api/class-browsercontext) now mirrors lifecycle events from its pages: [browserContext.on('download')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-download), [browserContext.on('frameattached')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-frame-attached), [browserContext.on('framedetached')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-frame-detached), [browserContext.on('framenavigated')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-frame-navigated), [browserContext.on('pageclose')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-page-close), [browserContext.on('pageload')](https://playwright.dev/docs/api/class-browsercontext#browser-context-event-page-load). ##### Locators and Assertions - New option `description` in [page.getByRole()](https://playwright.dev/docs/api/class-page#page-get-by-role) / [locator.getByRole()](https://playwright.dev/docs/api/class-locator#locator-get-by-role) / [frame.getByRole()](https://playwright.dev/docs/api/class-frame#frame-get-by-role) / [frameLocator.getByRole()](https://playwright.dev/docs/api/class-framelocator#frame-locator-get-by-role) for matching the [accessible description](https://www.w3.org/TR/wai-aria-1.2/#dfn-accessible-description). - New option `pseudo` in [expect(locator).toHaveCSS()](https://playwright.dev/docs/api/class-locatorassertions#locator-assertions-to-have-css) reads computed styles from `::before` or `::after`. - New option `style` in [locator.highlight()](https://playwright.dev/docs/api/class-locator#locator-highlight) applies extra inline CSS to the highlight overlay, plus new [page.hideHighlight()](https://playwright.dev/docs/api/class-page#page-hide-highlight) to clear all highlights. ##### Network - [webSocketRoute.protocols()](https://playwright.dev/docs/api/class-websocketroute#web-socket-route-protocols) returns the WebSocket subprotocols requested by the page. - New option `noDefaults` in [browserType.connectOverCDP()](https://playwright.dev/docs/api/class-browsertype#browser-type-connect-over-cdp) disables Playwright's default overrides on the default context (download behavior, focus emulation, media emulation), so attaching to a user's daily-driver browser doesn't disturb its state. ##### Errors and Reporting - New [webError.location()](https://playwright.dev/docs/api/class-weberror#web-error-location) mirrors [consoleMessage.location()](https://playwright.dev/docs/api/class-consolemessage#console-message-location). - [consoleMessage.location()](https://playwright.dev/docs/api/class-consolemessage#console-message-location) now exposes `line` / `column` properties (`lineNumber` / `columnNumber` are deprecated). - New [testInfoError.errorContext](https://playwright.dev/docs/api/class-testinfoerror#test-info-error-error-context) surfaces additional diagnostic context, such as the aria snapshot of the receiver at the time of an `expect(...)` matcher failure. - [reporter.onError()](https://playwright.dev/docs/api/class-reporter#reporter-on-error) now receives a `workerInfo` argument with details about the worker for fixture teardown errors. ##### Test runner - New `{testFileBaseName}` token in [testProject.snapshotPathTemplate](https://playwright.dev/docs/api/class-testproject#test-project-snapshot-path-template) — file name without extension. - Test runner now errors when a config tries to override a non-option fixture, and rejects `workers: 0` or negative values. #### 🛠️ Other improvements - HTML reporter: - `npx playwright show-report` accepts `.zip` files directly — no need to unzip first. - Steps that contain attachments inside nested children show an indicator on the parent step. - The `repeatEachIndex` is shown in the test header when non-zero. - Trace Viewer adds a pretty-print toggle for JSON / form request and response bodies in the network details panel. #### Breaking Changes ⚠️ - Removed long-deprecated APIs: - `Locator.ariaRef()` — use the standard [locator.ariaSnapshot()](https://playwright.dev/docs/api/class-locator#locator-aria-snapshot) pipeline. - `handle` option on `BrowserContext.exposeBinding` and `Page.exposeBinding`. - `logger` option on `BrowserType.connect` and `BrowserType.connectOverCDP` — use [tracing](https://playwright.dev/docs/trace-viewer) instead. - Context options `videosPath` / `videoSize` — use `recordVideo` instead. #### Browser Versions - Chromium 148.0.7778.96 - Mozilla Firefox 150.0.2 - WebKit 26.4 This version was also tested against the following stable channels: - Google Chrome 147 - Microsoft Edge 147 </details> <details> <summary>typescript-eslint/typescript-eslint (@&#8203;typescript-eslint/parser)</summary> ### [`v8.59.3`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8593-2026-05-11) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.2...v8.59.3) This was a version bump only for parser to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.3) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>vitest-dev/eslint-plugin-vitest (@&#8203;vitest/eslint-plugin)</summary> ### [`v1.6.17`](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/releases/tag/v1.6.17) [Compare Source](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.16...v1.6.17) #####    🐞 Bug Fixes - Recommend `toBeTypeOf` instead of `expectTypeOf` in `prefer-expect-type-of`  -  by [@&#8203;sheremet-va](https://redirect.github.com/sheremet-va) in [#&#8203;896](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/896) [<samp>(a4bcd)</samp>](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/commit/a4bcdf5) - **no-standalone-expect**: Allow expect inside vi.defineHelper callbacks  -  by [@&#8203;nami8824](https://redirect.github.com/nami8824) in [#&#8203;894](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/issues/894) [<samp>(fd8eb)</samp>](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/commit/fd8eb3c) #####     [View changes on GitHub](https://redirect.github.com/vitest-dev/eslint-plugin-vitest/compare/v1.6.16...v1.6.17) </details> <details> <summary>azat-io/eslint-plugin-de-morgan (eslint-plugin-de-morgan)</summary> ### [`v2.1.2`](https://redirect.github.com/azat-io/eslint-plugin-de-morgan/blob/HEAD/changelog.md#v212) [Compare Source](https://redirect.github.com/azat-io/eslint-plugin-de-morgan/compare/v2.1.1...v2.1.2) [compare changes](https://redirect.github.com/azat-io/eslint-plugin-de-morgan/compare/v2.1.1...v2.1.2) ##### 🐞 Bug Fixes - Avoid invalid autofixes for grouped boolean expressions ([1173aaa](https://redirect.github.com/azat-io/eslint-plugin-de-morgan/commit/1173aaa)) ##### ❤️ Contributors - Azat S. ([@&#8203;azat-io](https://redirect.github.com/azat-io)) </details> <details> <summary>future-architect/eslint-plugin-vue-scoped-css (eslint-plugin-vue-scoped-css)</summary> ### [`v3.1.0`](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/blob/HEAD/CHANGELOG.md#310) [Compare Source](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/compare/v3.0.0...v3.1.0) ##### Minor Changes - refactor: replace lodash with es-toolkit and vanilla js ([#&#8203;492](https://redirect.github.com/future-architect/eslint-plugin-vue-scoped-css/pull/492)) </details> <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v11.1.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1111) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.1.0...v11.1.1) ##### Patch Changes - Skip installability validation when scanning workspace projects in `checkDepsStatus` (run by `verifyDepsBeforeRun`). Previously the status check called `findWorkspaceProjects`, which validates each project's `engines` and `os`/`cpu`/`libc` and warns about useless fields in non-root manifests — work that the install pipeline already performs. With no `nodeVersion` threaded through, the engine check also fell back to the system Node from `PATH` and emitted spurious "Unsupported engine" warnings before scripts ran. Status-only callers now use `findWorkspaceProjectsNoCheck`; install paths continue to validate. - Fixed `pnpm add <alias>:@&#8203;scope/pkg` for [named registries](https://redirect.github.com/pnpm/pnpm/pull/11324). The local resolver was claiming any specifier containing `/` as a local directory, so `pnpm add bit:@&#8203;teambit/bit` (with `bit` configured under `namedRegistries`) installed a bogus link to `bit:@&#8203;teambit/bit/` instead of resolving from the configured registry. The local resolver now runs after the named-registry resolver in the resolution chain. - Updated `@zkochan/cmd-shim` to 9.0.3. The sh shim it writes for `.cmd` / `.bat` targets now escapes the `/C` switch as `//C`, so it survives the path translation Git Bash applies when launching `cmd.exe`. Without this, a bare `/C` was rewritten to `C:\` before reaching cmd.exe — the switch was dropped, cmd started interactively, and the calling script saw the cmd banner instead of the wrapped command's output. Affects any cmd-shim-wrapped batch script invoked from Git Bash / MSYS / Cygwin on Windows. See [pnpm/cmd-shim#55](https://redirect.github.com/pnpm/cmd-shim/pull/55). ### [`v11.1.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1110) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.0.9...v11.1.0) ##### Minor Changes - Added `pnpm audit signatures` to verify ECDSA registry signatures for installed packages against keys from `/-/npm/v1/keys` [#&#8203;7909](https://redirect.github.com/pnpm/pnpm/issues/7909). Scoped registries are respected, and registries without signing keys are skipped. - Added support for installing packages from the [GitHub Packages npm registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry) via a built-in `gh:` prefix (e.g. `pnpm add gh:@&#8203;acme/private`), and, more broadly, for arbitrary named registries in the style of [vlt's named-registry aliases](https://docs.vlt.sh/cli/registries). Authentication is picked up from the existing per-URL `.npmrc` entries (e.g. `//npm.pkg.github.com/:_authToken=...`), so no separate auth mechanism is required. Additional aliases — or an override for the built-in `gh` alias, for GitHub Enterprise Server — can be configured under `namedRegistries` in `pnpm-workspace.yaml`: ```yaml namedRegistries: gh: https://npm.pkg.github.example.com/ work: https://npm.work.example.com/ ``` With this, `work:@&#8203;corp/lib@^2.0.0` resolves against `https://npm.work.example.com/`. [#&#8203;11324](https://redirect.github.com/pnpm/pnpm/issues/11324). - Allow setting sbom spec version using `--sbom-spec-version` [#&#8203;11389](https://redirect.github.com/pnpm/pnpm/pull/11389). - Add `--no-runtime` flag (config: `runtime=false`) to skip installing runtime entries (e.g. Node.js downloaded via `devEngines.runtime`) without modifying the lockfile. The lockfile keeps the runtime entry so frozen-lockfile validation still passes; only the runtime fetch and `.bin` linking are skipped. Useful in CI matrices where the runtime is provisioned externally (e.g. via `pnpm runtime -g set node <version>`) before `pnpm install` runs. - Added the `pnpm bugs` command that opens a package's bug tracker URL in the browser. With no arguments, it reads the current project's `package.json`; with one or more package names, it fetches each package's metadata from the registry and opens its bug tracker. Falls back to `<repository>/issues` when the `bugs` field is missing [#&#8203;11279](https://redirect.github.com/pnpm/pnpm/pull/11279). - Added `pnpm owner` command to manage package owners on the registry. ##### Patch Changes - Added "published X ago by Y" information to the `pnpm view` command output, similar to `npm view`. This is useful when comparing against `minimumReleaseAge`. For example, `pnpm view pnpm` now shows: ``` published 17 hours ago by GitHub Actions ``` - `pnpm publish` now honors the configured HTTP/HTTPS proxy (including `https_proxy`/`http_proxy`/`no_proxy` environment variables) when polling the registry's `doneUrl` during the web-based authentication flow. Previously the poll bypassed the proxy, causing the registry to respond `403` from a different source IP and the login to never complete [#&#8203;11561](https://redirect.github.com/pnpm/pnpm/issues/11561). - `pnpm add -g` now installs each space-separated package into its own isolated directory by default. To bundle multiple packages into the same isolated install (so that they share dependencies and are removed together), pass them as a comma-separated list. For example: - `pnpm add -g foo bar` installs `foo` and `bar` as two independent globals — removing one does not affect the other. - `pnpm add -g foo,bar qar` bundles `foo` and `bar` into a single isolated install while `qar` is installed on its own. Related: [#&#8203;11587](https://redirect.github.com/pnpm/pnpm/issues/11587). - `pnpm runtime set <name> <version>` no longer fails in the root of a multi-package workspace with the `ADDING_TO_ROOT` error. Installing the workspace root is a valid target for a runtime, so the command now bypasses that safety check. - Fix `pnpm --version` hanging for the lifetime of the worker pool after the version was printed. `main.ts`'s `--version` short-circuit returned before reaching the command-handler `finally` that calls `finishWorkers()`, so the worker pool that `switchCliVersion` had spawned during integrity resolution stayed alive and held the Node event loop open. The CLI entry now runs `finishWorkers()` from its own `finally`, so every exit path tears the pool down. Repro: `pnpm --version` in a workspace whose `devEngines.packageManager` version already matches the running pnpm + `onFail: "download"`. `switchCliVersion` resolves the integrity (spawning workers), finds nothing to swap, returns. The version prints, then the process hangs. ### [`v11.0.9`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1109) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v11.0.8...v11.0.9) ##### Patch Changes - Fixed installation of GitLab-hosted dependencies. pnpm now downloads the tarball from `https://gitlab.com/<user>/<project>/-/archive/<sha>/<project>-<sha>.tar.gz` instead of the GitLab API endpoint that contained an encoded slash (`%2F`) between user and project. The encoded slash both triggered `406 Not Acceptable` responses from GitLab and produced virtual store directory names that Node refused to import (`ERR_INVALID_MODULE_SPECIFIER`) [#&#8203;11533](https://redirect.github.com/pnpm/pnpm/issues/11533). - Honor `NPM_CONFIG_USERCONFIG` (and its lowercase `npm_config_userconfig` form) as a low-priority fallback when locating the user-level `.npmrc`. This restores compatibility with environments that point npm at a custom auth file via that env var — most notably `actions/setup-node`, which writes registry credentials to `${runner.temp}/.npmrc` and exports `NPM_CONFIG_USERCONFIG` to reference it. Without this, GitHub Actions workflows using `actions/setup-node` to authenticate to private registries broke after upgrading to pnpm v11. PNPM-prefixed env vars and `npmrcAuthFile` from the global `config.yaml` continue to take precedence [#&#8203;11539](https://redirect.github.com/pnpm/pnpm/issues/11539). - Fix `pnpm pack` not bundling dependencies listed in `bundleDependencies` (or `bundledDependencies`). The npm-packlist upgrade in pnpm 11 changed its API to require the caller to pre-populate the dependency tree, which the wrapper was not doing — `bundleDependencies` were silently dropped from the tarball [#&#8203;11519](https://redirect.github.com/pnpm/pnpm/issues/11519). - Fixed the pnpm CLI crashing with a confusing `SyntaxError: Invalid regular expression flags` instead of printing a clear "requires Node.js v22.13" error when launched on an unsupported Node.js version. The Node.js version check in `bin/pnpm.mjs` was effectively dead code because the static `import` of the bundled `dist/pnpm.mjs` was hoisted by the ES module loader and parsed before the check could run [#&#8203;11546](https://redirect.github.com/pnpm/pnpm/issues/11546). - Fixed `pnpm --prefix=<dir> install` overwriting the existing `pnpm-workspace.yaml` in `<dir>` with `set this to true or false` placeholders. The renamed `--prefix` option (which maps to `dir`) was not honored when locating the workspace root, so the workspace manifest's `allowBuilds` settings were not loaded into config and got clobbered when ignored builds were auto-populated [#&#8203;11535](https://redirect.github.com/pnpm/pnpm/issues/11535). - Fixed `pnpm publish --provenance` failing with a 422 from the registry when the package version contained semver build metadata (e.g. `1.0.0-canary.0+abc1234`). The `+<build>` segment is now stripped before packing so that the version embedded in the tarball, the metadata sent to the registry, and the sigstore provenance subject all agree [#&#8203;11518](https://redirect.github.com/pnpm/pnpm/issues/11518). </details> <details> <summary>silverwind/rolldown-license-plugin (rolldown-license-plugin)</summary> ### [`v3.0.5`](https://redirect.github.com/silverwind/rolldown-license-plugin/releases/tag/3.0.5) [Compare Source](https://redirect.github.com/silverwind/rolldown-license-plugin/compare/3.0.4...3.0.5) - update deps, bump rolldown to 1.0.0 (silverwind) - Update vitest-config-silverwind to 11.3.3, add Node 26 to CI (silverwind) - update deps (silverwind) </details> <details> <summary>swagger-api/swagger-ui (swagger-ui-dist)</summary> ### [`v5.32.6`](https://redirect.github.com/swagger-api/swagger-ui/releases/tag/v5.32.6) [Compare Source](https://redirect.github.com/swagger-api/swagger-ui/compare/v5.32.5...v5.32.6) ##### Bug Fixes - **deps-dev:** address undici vulnerability ([#&#8203;10870](https://redirect.github.com/swagger-api/swagger-ui/issues/10870)) ([35f5a6a](https://redirect.github.com/swagger-api/swagger-ui/commit/35f5a6a84a9b4681809e8d70d32b9de69c779691)) - **docker:** address CVE-2026-27135 nghttp2-libs vulnerability ([#&#8203;10879](https://redirect.github.com/swagger-api/swagger-ui/issues/10879)) ([0a63415](https://redirect.github.com/swagger-api/swagger-ui/commit/0a63415dfbaa491f5741d9025407e30a8ebf9592)) </details> <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.59.3`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8593-2026-05-11) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.2...v8.59.3) This was a version bump only for typescript-eslint to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.3) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>silverwind/updates (updates)</summary> ### [`v17.16.11`](https://redirect.github.com/silverwind/updates/releases/tag/17.16.11) [Compare Source](https://redirect.github.com/silverwind/updates/compare/17.16.10...17.16.11) - update deps (silverwind) - Generalize action discovery (silverwind) - Fix composite-action tests on Windows (silverwind) - ci: force bun runtime for tsdown on bun jobs (silverwind) - Discover composite actions anywhere under .github (silverwind) ### [`v17.16.10`](https://redirect.github.com/silverwind/updates/releases/tag/17.16.10) [Compare Source](https://redirect.github.com/silverwind/updates/compare/17.16.9...17.16.10) - update deps (silverwind) - Revert "Drop `process.exit()` to let Node shut down naturally ([#&#8203;137](https://redirect.github.com/silverwind/updates/issues/137))" (silverwind) - Drop `process.exit()` to let Node shut down naturally ([#&#8203;137](https://redirect.github.com/silverwind/updates/issues/137)) (silverwind) - Exclude Node 26 on windows-latest (silverwind) - Update vitest-config-silverwind to 11.3.3, add Node 26 to CI (silverwind) - update deps (silverwind) - Minor perf and simplification cleanups (silverwind) </details> <details> <summary>vitejs/vite (vite)</summary> ### [`v8.0.12`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8012-2026-05-11-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v8.0.11...v8.0.12) ##### Features - update rolldown to 1.0.0 ([#&#8203;22401](https://redirect.github.com/vitejs/vite/issues/22401)) ([cf0ff41](https://redirect.github.com/vitejs/vite/commit/cf0ff4154b26cffbf18541ade1a50818842731d3)) ##### Bug Fixes - **deps:** update all non-major dependencies ([#&#8203;22420](https://redirect.github.com/vitejs/vite/issues/22420)) ([2be6000](https://redirect.github.com/vitejs/vite/commit/2be6000130e3ae2160acc301baa4f7913fbc1f6e)) - **module-runner:** prevent partial-exports race on concurrent imports of in-flight invalidated re-export chains ([#&#8203;22369](https://redirect.github.com/vitejs/vite/issues/22369)) ([f5a22e6](https://redirect.github.com/vitejs/vite/commit/f5a22e62ada75286138b7ceb3825e43958ef00e1)) - refer to `rolldownOptions` instead of deprecated `rollupOptions` in messages ([#&#8203;22400](https://redirect.github.com/vitejs/vite/issues/22400)) ([b675c7b](https://redirect.github.com/vitejs/vite/commit/b675c7b6697423275ad9dd521d3ce7c8679761a0)) - **worker:** apply `build.target` to worker bundle ([#&#8203;22404](https://redirect.github.com/vitejs/vite/issues/22404)) ([3c93fde](https://redirect.github.com/vitejs/vite/commit/3c93fde21f07d44db7669ca7484f4e7a8767afe5)) - **worker:** forward define to worker bundle transform ([#&#8203;22408](https://redirect.github.com/vitejs/vite/issues/22408)) ([d4838a0](https://redirect.github.com/vitejs/vite/commit/d4838a0358d9f04a980d4d2ac7263f21a6b28ee2)) ##### Miscellaneous Chores - **deps:** update dependency eslint-plugin-n to v18 ([#&#8203;22423](https://redirect.github.com/vitejs/vite/issues/22423)) ([2fe7bd2](https://redirect.github.com/vitejs/vite/commit/2fe7bd2d73beb697a3d149e943ac74b768c9d27f)) - **deps:** update rolldown-related dependencies ([#&#8203;22421](https://redirect.github.com/vitejs/vite/issues/22421)) ([66b9eb3](https://redirect.github.com/vitejs/vite/commit/66b9eb35188007e0e9a1bd03b4be820016cad60b)) ### [`v8.0.11`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8011-2026-05-07-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v8.0.10...v8.0.11) ##### Features - update rolldown to 1.0.0-rc.18 ([#&#8203;22360](https://redirect.github.com/vitejs/vite/issues/22360)) ([3f80524](https://redirect.github.com/vitejs/vite/commit/3f80524aa1fa40bfa831f1a1bf2641c3979ba396)) ##### Bug Fixes - **deps:** update all non-major dependencies ([#&#8203;22334](https://redirect.github.com/vitejs/vite/issues/22334)) ([672c962](https://redirect.github.com/vitejs/vite/commit/672c96288fd5440bbecddc65551e713edeb8d403)) - **deps:** update all non-major dependencies ([#&#8203;22382](https://redirect.github.com/vitejs/vite/issues/22382)) ([5c0cfcb](https://redirect.github.com/vitejs/vite/commit/5c0cfcb83dde2c6e25b6c3215dd622956bf29631)) - **glob:** align hmr matcher options with glob enumeration ([#&#8203;22306](https://redirect.github.com/vitejs/vite/issues/22306)) ([30028f9](https://redirect.github.com/vitejs/vite/commit/30028f94516fa06dd0212567373169b3b3f6e393)) - make separate object instance for each environment ([#&#8203;22276](https://redirect.github.com/vitejs/vite/issues/22276)) ([7c2aa3b](https://redirect.github.com/vitejs/vite/commit/7c2aa3b40ba00ce1299e4f31932c7929f179a80a)) ##### Documentation - **create-vite:** list react-compiler templates in README ([#&#8203;22347](https://redirect.github.com/vitejs/vite/issues/22347)) ([7c3a61f](https://redirect.github.com/vitejs/vite/commit/7c3a61f42da6445904e93f0e29e9a2a838fa684a)) - explain mergeConfig skips null/undefined ([#&#8203;22325](https://redirect.github.com/vitejs/vite/issues/22325)) ([2151f70](https://redirect.github.com/vitejs/vite/commit/2151f701dc98270c905c540b209fb6d23d53d3ad)) - mention native config loader in CLI options ([#&#8203;22348](https://redirect.github.com/vitejs/vite/issues/22348)) ([0420c5d](https://redirect.github.com/vitejs/vite/commit/0420c5d37b6049476b6e6c16662be372575dd683)) - update evan's x handle ([640202a](https://redirect.github.com/vitejs/vite/commit/640202a2167b0c19b94e4d3b8ff87309ae1f44d0)) ##### Miscellaneous Chores - **deps:** update dependency tsdown to ^0.21.10 ([#&#8203;22333](https://redirect.github.com/vitejs/vite/issues/22333)) ([3b51e05](https://redirect.github.com/vitejs/vite/commit/3b51e050214c5a817c163838ab8643fe34c7d0c3)) - **deps:** update rolldown-related dependencies ([#&#8203;22383](https://redirect.github.com/vitejs/vite/issues/22383)) ([555ff36](https://redirect.github.com/vitejs/vite/commit/555ff36de70a43b3b3dc22f958bf78fe75e11d67)) - **deps:** update transitive packages to fix npm audit alerts ([#&#8203;22316](https://redirect.github.com/vitejs/vite/issues/22316)) ([86aee62](https://redirect.github.com/vitejs/vite/commit/86aee6268aa879d74f68a890392c1dee973ebf05)) ##### Code Refactoring - devtools integration ([#&#8203;22312](https://redirect.github.com/vitejs/vite/issues/22312)) ([3c8bf06](https://redirect.github.com/vitejs/vite/commit/3c8bf064ec76e311f2d8be3a37dcfdcdd4e4253c)) - remove unnecessary async ([#&#8203;22296](https://redirect.github.com/vitejs/vite/issues/22296)) ([b31fd35](https://redirect.github.com/vitejs/vite/commit/b31fd355d93eb166573362bd09c07745b9f76755)) - show direct path type in bad character warning ([#&#8203;22339](https://redirect.github.com/vitejs/vite/issues/22339)) ([0c162e9](https://redirect.github.com/vitejs/vite/commit/0c162e96a6545c93808e7338b9adeca2636596fa)) ##### Tests - **create-vite:** use short help alias ([#&#8203;22389](https://redirect.github.com/vitejs/vite/issues/22389)) ([994ab66](https://redirect.github.com/vitejs/vite/commit/994ab66bc4dc872278d8353d710ffc4bbd881f8d)) </details> <details> <summary>vitest-dev/vitest (vitest)</summary> ### [`v4.1.6`](https://redirect.github.com/vitest-dev/vitest/releases/tag/v4.1.6) [Compare Source](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.5...v4.1.6) #####    🐞 Bug Fixes - **browser**: Provide project reference in `ToMatchScreenshotResolvePath`  -  by [@&#8203;macarie](https://redirect.github.com/macarie) and [@&#8203;sheremet-va](https://redirect.github.com/sheremet-va) in [#&#8203;10138](https://redirect.github.com/vitest-dev/vitest/issues/10138) [<samp>(31882)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/31882607c) - Global `sequence.concurrent: true` with top-level `test(..., { concurrent: false })` + depreacte `sequential` test API and options  -  by [@&#8203;hi-ogawa](https://redirect.github.com/hi-ogawa), **Codex** and [@&#8203;sheremet-va](https://redirect.github.com/sheremet-va) in [#&#8203;10196](https://redirect.github.com/vitest-dev/vitest/issues/10196) [<samp>(2847d)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/2847dfa2a) - **browser**: Simplify orchestrator otel carrier  -  by [@&#8203;hi-ogawa](https://redirect.github.com/hi-ogawa) in [#&#8203;10285](https://redirect.github.com/vitest-dev/vitest/issues/10285) [<samp>(18af9)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/18af98cee) #####    🏎 Performance - Stringify diff objects only once  -  by [@&#8203;sheremet-va](https://redirect.github.com/sheremet-va) in [#&#8203;10276](https://redirect.github.com/vitest-dev/vitest/issues/10276) [<samp>(9f7b1)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/9f7b1528c) #####     [View changes on GitHub](https://redirect.github.com/vitest-dev/vitest/compare/v4.1.5...v4.1.6) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->	2026-05-18 05:06:04 +00:00
Giteabot	6a27066269	fix(deps): update dependency mermaid to v11.15.0 [security], add e2e test (#37662) ... This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [mermaid](https://redirect.github.com/mermaid-js/mermaid) | [`11.14.0` → `11.15.0`](https://renovatebot.com/diffs/npm/mermaid/11.14.0/11.15.0) |  |  | --- ### Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection [CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148) / [GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) <details> <summary>More information</summary> #### Details ##### Details The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex: ```jison // packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83 <CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' } ``` The value passes unsanitized through `addStyleClass()` -> `createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page. ##### PoC ``` stateDiagram-v2 classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")} ``` Live demo: <https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU> ##### Patches This has been patched in: - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102)) ##### Workarounds Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ##### Impact Enables page defacement, user tracking via `url()` callbacks, and DOM attribute exfiltration via CSS `:has()` selectors. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r) - [https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102) - [https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) - [https://github.com/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection [CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149) / [GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) <details> <summary>More information</summary> #### Details ##### Impact Under the default configuration, Mermaid state diagram's `classDef` allow DOM injection that escapes the SVG, although `<script>` tags are removed, preventing XSS. ##### Proof-of-concept ``` stateDiagram-v2 classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b [*] --> A:::xss ``` ##### Patches - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3)) ##### Workarounds If you can not update to a patched version, setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ##### Credits Thanks to @&#8203;zsxsoft from @&#8203;KeenSecurityLab for reporting this vulnerability. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr) - [https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056) - [https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) - [https://github.com/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of configuration leads to CSS injection [CVE-2026-41159](https://nvd.nist.gov/vuln/detail/CVE-2026-41159) / [GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) <details> <summary>More information</summary> #### Details ##### Impact Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options. Live demo: [mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg) Example code: ``` %%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%% flowchart LR A --> B ``` The injected CSS exploits stylis's `&` (scope reference) handling. `:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles to all page elements. Global at-rules (`@font-face`, `@keyframes`, `@counter-style`) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS `:has()` selectors. ##### Patches - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76)) ##### Workarounds If you can't upgrade mermaid, you can set the [`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure) config value in the mermaid config to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`. Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will also prevent this. ##### Credits Reported by @&#8203;zsxsoft on behalf of @&#8203;KeenSecurityLab #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p) - [https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa) - [https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://github.com/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS [CVE-2026-41150](https://nvd.nist.gov/vuln/detail/CVE-2026-41150) / [GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) <details> <summary>More information</summary> #### Details ##### Impact Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the [`excludes` attribute](https://mermaid.js.org/syntax/gantt.html?#excludes) to exclude all dates. Example: ``` gantt excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday DoS :2025-01-01, 1d ``` `mermaid.parse` is unaffected, unless you then call the `ganttDb.getTasks()` (which is called when rendering a diagram). ##### Patches This has been patched in: - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6)) ##### Workarounds There are no workarounds available without updating to a newer version of mermaid. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh) - [https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6) - [https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://github.com/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS [CVE-2026-41150](https://nvd.nist.gov/vuln/detail/CVE-2026-41150) / [GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) <details> <summary>More information</summary> #### Details ##### Impact Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the [`excludes` attribute](https://mermaid.js.org/syntax/gantt.html?#excludes) to exclude all dates. Example: ``` gantt excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday DoS :2025-01-01, 1d ``` `mermaid.parse` is unaffected, unless you then call the `ganttDb.getTasks()` (which is called when rendering a diagram). ##### Patches This has been patched in: - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6)) ##### Workarounds There are no workarounds available without updating to a newer version of mermaid. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh) - [https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6) - [https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e) - [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6m6c-36f7-fhxh) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of configuration leads to CSS injection [CVE-2026-41159](https://nvd.nist.gov/vuln/detail/CVE-2026-41159) / [GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) <details> <summary>More information</summary> #### Details ##### Impact Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options. Live demo: [mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg) Example code: ``` %%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%% flowchart LR A --> B ``` The injected CSS exploits stylis's `&` (scope reference) handling. `:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles to all page elements. Global at-rules (`@font-face`, `@keyframes`, `@counter-style`) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS `:has()` selectors. ##### Patches - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76)) ##### Workarounds If you can't upgrade mermaid, you can set the [`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure) config value in the mermaid config to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`. Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will also prevent this. ##### Credits Reported by @&#8203;zsxsoft on behalf of @&#8203;KeenSecurityLab #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p) - [https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa) - [https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76) - [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-87f9-hvmw-gh4p) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection [CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149) / [GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) <details> <summary>More information</summary> #### Details ##### Impact Under the default configuration, Mermaid state diagram's `classDef` allow DOM injection that escapes the SVG, although `<script>` tags are removed, preventing XSS. ##### Proof-of-concept ``` stateDiagram-v2 classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b [*] --> A:::xss ``` ##### Patches - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3)) ##### Workarounds If you can not update to a patched version, setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ##### Credits Thanks to @&#8203;zsxsoft from @&#8203;KeenSecurityLab for reporting this vulnerability. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr) - [https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056) - [https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3) - [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-ghcm-xqfw-q4vr) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection [CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148) / [GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) <details> <summary>More information</summary> #### Details ##### Details The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex: ```jison // packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83 <CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' } ``` The value passes unsanitized through `addStyleClass()` -> `createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page. ##### PoC ``` stateDiagram-v2 classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")} ``` Live demo: <https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU> ##### Patches This has been patched in: - [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f)) - [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102)) ##### Workarounds Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ##### Impact Enables page defacement, user tracking via `url()` callbacks, and DOM attribute exfiltration via CSS `:has()` selectors. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L` #### References - [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r) - [https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102) - [https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f) - [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid) - [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) - [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) - [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-xcj9-5m2h-648r) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>mermaid-js/mermaid (mermaid)</summary> ### [`v11.15.0`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) [Compare Source](https://redirect.github.com/mermaid-js/mermaid/compare/mermaid@11.14.0...mermaid@11.15.0) ##### Minor Changes - [#&#8203;7174](https://redirect.github.com/mermaid-js/mermaid/pull/7174) [`0aca217`](https://redirect.github.com/mermaid-js/mermaid/commit/0aca21739c0d1fcaaa206e04a6cd574ebc415483) Thanks [@&#8203;milesspencer35](https://redirect.github.com/milesspencer35)! - feat(sequence): Add support for decimal start and increment values in the `autonumber` directive - [#&#8203;7512](https://redirect.github.com/mermaid-js/mermaid/pull/7512) [`8e17492`](https://redirect.github.com/mermaid-js/mermaid/commit/8e17492f7365ba50896382feb69a23efd9d8a22d) Thanks [@&#8203;aruncveli](https://redirect.github.com/aruncveli)! - feat(flowchart): add datastore shape In Data flow diagrams, a datastore/warehouse/file/database is used to represent data persistence. It is denoted by a rectangle with only top and bottom borders, and can be used in flowcharts with `A@{ shape: datastore, label: "Datastore" }`. - [#&#8203;6440](https://redirect.github.com/mermaid-js/mermaid/pull/6440) [`9ad8dde`](https://redirect.github.com/mermaid-js/mermaid/commit/9ad8dde6d049adde85d8ed2d476c09b5820f3f4b) Thanks [@&#8203;yordis](https://redirect.github.com/yordis), [@&#8203;lgazo](https://redirect.github.com/lgazo)! - feat: add Event Modeling diagram - [#&#8203;7707](https://redirect.github.com/mermaid-js/mermaid/pull/7707) [`27db774`](https://redirect.github.com/mermaid-js/mermaid/commit/27db774627be1cee881961dfd0d2cb21cd01b79d) Thanks [@&#8203;txmxthy](https://redirect.github.com/txmxthy)! - feat(architecture): expose four fcose layout knobs for `architecture-beta` diagrams (`nodeSeparation`, `idealEdgeLengthMultiplier`, `edgeElasticity`, `numIter`) so authors can tune layout density and spread overlapping siblings without changing diagram source - [#&#8203;7604](https://redirect.github.com/mermaid-js/mermaid/pull/7604) [`bf9502f`](https://redirect.github.com/mermaid-js/mermaid/commit/bf9502fb6012a4b724679b401ac928f5ee55161c) Thanks [@&#8203;M-a-c](https://redirect.github.com/M-a-c)! - feat(class): add nested namespace support for class diagrams via dot notation and syntactic nesting If you have namespaces in class diagrams that use `.`s already and want to render them without nesting (≤v11.14.0 behaviour), you can use set `class.hierarchicalNamespaces=false` in your mermaid config: ```yaml config: class: hierarchicalNamespaces: false ``` - [#&#8203;7272](https://redirect.github.com/mermaid-js/mermaid/pull/7272) [`88cdd3d`](https://redirect.github.com/mermaid-js/mermaid/commit/88cdd3dc0aab9577174561b04e14760c565a232b) Thanks [@&#8203;xinbenlv](https://redirect.github.com/xinbenlv)! - feat(sankey): add outlined label style, configurable nodeWidth/nodePadding, and custom node colors ##### Patch Changes - [#&#8203;7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`e9b0f34`](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f) Thanks [@&#8203;ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: prevent unbalanced CSS styles in classDefs - [#&#8203;7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`37ff937`](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056) Thanks [@&#8203;ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: create CSS styles using the CSSOM This removes some invalid CSS and normalizes some CSS formatting. - [#&#8203;7508](https://redirect.github.com/mermaid-js/mermaid/pull/7508) [`bfe60cc`](https://redirect.github.com/mermaid-js/mermaid/commit/bfe60cc67b9a6dec64f9161f58e4d24a06c42b65) Thanks [@&#8203;biiab](https://redirect.github.com/biiab)! - fix(stateDiagram): `end note` now only closes a note when used on a new line - [#&#8203;7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`faafb5d`](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e) Thanks [@&#8203;ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix(gantt): add iteration limit for `excludes` field - [#&#8203;7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`65f8be2`](https://redirect.github.com/mermaid-js/mermaid/commit/65f8be2a42faf869b811469571983cba7eeeca99) Thanks [@&#8203;ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: disallow some CSS at-rules in custom CSS - [#&#8203;7726](https://redirect.github.com/mermaid-js/mermaid/pull/7726) [`1502f32`](https://redirect.github.com/mermaid-js/mermaid/commit/1502f32f3c5fb944925b0c527fbbde3c4f041824) Thanks [@&#8203;aloisklink](https://redirect.github.com/aloisklink)! - fix(wardley): fix unnecessary sanitization of text - [#&#8203;7578](https://redirect.github.com/mermaid-js/mermaid/pull/7578) [`1f98db8`](https://redirect.github.com/mermaid-js/mermaid/commit/1f98db8e326299ac97a2fa60abfd509d8f5f16e2) Thanks [@&#8203;Gaston202](https://redirect.github.com/Gaston202)! - fix(class): self-referential class multiplicity labels no longer rendered multiple times Fixes [#&#8203;7560](https://redirect.github.com/mermaid-js/mermaid/issues/7560). Resolves an issue where cardinality labels on self-referential class relationships were rendered three times due to edge splitting in the dagre layout. The fix ensures that each sub-edge only carries its relevant label positions. - [#&#8203;7592](https://redirect.github.com/mermaid-js/mermaid/pull/7592) [`2343e38`](https://redirect.github.com/mermaid-js/mermaid/commit/2343e38498a3b31f8ce5e79f1f009e0b56fbe086) Thanks [@&#8203;knsv-bot](https://redirect.github.com/knsv-bot)! - fix(sequence): add background box behind alt/else section title labels in sequence diagrams - [#&#8203;7589](https://redirect.github.com/mermaid-js/mermaid/pull/7589) [`7fb9509`](https://redirect.github.com/mermaid-js/mermaid/commit/7fb9509b8b5cb1dc48519dc60cf6cdc6afba0462) Thanks [@&#8203;NYCU-Chung](https://redirect.github.com/NYCU-Chung)! - fix(block): prevent column widths from shrinking when mixing different column spans - [#&#8203;7632](https://redirect.github.com/mermaid-js/mermaid/pull/7632) [`3f9e0f1`](https://redirect.github.com/mermaid-js/mermaid/commit/3f9e0f15bedc1e2c71ddb6b34192d1a21124cfc2) Thanks [@&#8203;ekiauhce](https://redirect.github.com/ekiauhce)! - fix(sequence): correct messageAlign label position for right-to-left arrows in sequence diagrams - [#&#8203;7642](https://redirect.github.com/mermaid-js/mermaid/pull/7642) [`7a8fb85`](https://redirect.github.com/mermaid-js/mermaid/commit/7a8fb8532c57ecc55b3711454ab0e505a4291445) Thanks [@&#8203;tractorjuice](https://redirect.github.com/tractorjuice)! - fix(wardley): allow hyphens in unquoted component names Multi-word names containing hyphens — e.g. `real-time processing`, `end-user`, `on-call engineer` — now parse without quoting, bringing the grammar in line with the OnlineWardleyMaps (OWM) convention. `A->B` (no-space arrow) still tokenises correctly. - [#&#8203;7523](https://redirect.github.com/mermaid-js/mermaid/pull/7523) [`5144ed4`](https://redirect.github.com/mermaid-js/mermaid/commit/5144ed4b138ae0f4836bab4c163c575e0a767dd3) Thanks [@&#8203;darshanr0107](https://redirect.github.com/darshanr0107)! - fix(block): Arrow blocks in block-beta diagrams not spanning the specified number of columns when using `:n` syntax. - [#&#8203;7262](https://redirect.github.com/mermaid-js/mermaid/pull/7262) [`13d9bfa`](https://redirect.github.com/mermaid-js/mermaid/commit/13d9bfa4748e845a9eec7d6265ba496d2278f26e) Thanks [@&#8203;darshanr0107](https://redirect.github.com/darshanr0107)! - fix(block): Ensure block diagram hexagon blocks respect column spanning syntax - [#&#8203;7684](https://redirect.github.com/mermaid-js/mermaid/pull/7684) [`e14bb88`](https://redirect.github.com/mermaid-js/mermaid/commit/e14bb88bdb940124cdb0a107025653bf93745c99) Thanks [@&#8203;aloisklink](https://redirect.github.com/aloisklink)! - fix: loosen `uuid` dependency range to allow v14 Mermaid does not use any of the vulnerable code in CVE-2026-41907, but this allows users to silence any `npm audit` alerts on it. - [#&#8203;7633](https://redirect.github.com/mermaid-js/mermaid/pull/7633) [`9217c0d`](https://redirect.github.com/mermaid-js/mermaid/commit/9217c0d8b221b423af80e420b7adae901acf6c8c) Thanks [@&#8203;Felix-Garci](https://redirect.github.com/Felix-Garci)! - fix(block): add support for all arrow types in block diagrams - [#&#8203;7587](https://redirect.github.com/mermaid-js/mermaid/pull/7587) [`5e7eb62`](https://redirect.github.com/mermaid-js/mermaid/commit/5e7eb62e3aba6b5df559f5c839a868e5b7f40e72) Thanks [@&#8203;MaddyGuthridge](https://redirect.github.com/MaddyGuthridge)! - chore: drop lodash-es in favour of es-toolkit - [#&#8203;7693](https://redirect.github.com/mermaid-js/mermaid/pull/7693) [`afaf306`](https://redirect.github.com/mermaid-js/mermaid/commit/afaf3062381d115d66744413151b642f124dd9ba) Thanks [@&#8203;dull-bird](https://redirect.github.com/dull-bird)! - fix(quadrant-chart): allow CJK, emoji, Latin-1 accented characters, and other non-ASCII text in unquoted axis/quadrant/point labels. Previously the lexer only matched ASCII `[A-Za-z]+` for text tokens, even though the grammar referenced `UNICODE_TEXT`. Bare Chinese, Japanese, Korean, emoji, and accented Latin characters in labels caused a parse error. Added a `[^\x00-\x7F]+` lexer rule to emit `UNICODE_TEXT` and included it in the `alphaNumToken` grammar rule. Fixes [#&#8203;7120](https://redirect.github.com/mermaid-js/mermaid/issues/7120). - [#&#8203;7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`4755553`](https://redirect.github.com/mermaid-js/mermaid/commit/4755553d5fb6d1217809e43ffb8fc54d6a73e482) Thanks [@&#8203;ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: improve D3 types for mermaidAPI funcs - [#&#8203;7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`6476973`](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa) Thanks [@&#8203;ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: handle `&` when namespacing CSS rules - [#&#8203;7520](https://redirect.github.com/mermaid-js/mermaid/pull/7520) [`8c1a0c1`](https://redirect.github.com/mermaid-js/mermaid/commit/8c1a0c1fd19587c6772d6966fe9d217e5cd1356c) Thanks [@&#8203;RodrigojndSantos](https://redirect.github.com/RodrigojndSantos)! - fix(stateDiagram): comments starting with one `%` are no longer treated as comments Switch to using two `%%` if you want to write a comment. - Updated dependencies \[[`7a8fb85`](https://redirect.github.com/mermaid-js/mermaid/commit/7a8fb8532c57ecc55b3711454ab0e505a4291445), [`675a64c`](https://redirect.github.com/mermaid-js/mermaid/commit/675a64ca0e3cde8728ca715991623c3fc055ce88)]: - [@&#8203;mermaid-js/parser](https://redirect.github.com/mermaid-js/parser)@&#8203;1.1.1 </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>	2026-05-12 01:34:49 +02:00
Giteabot	8cd8291ed0	fix(deps): update npm dependencies (#37647) ... This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | @&#8203;codemirror/autocomplete | [`6.20.1` → `6.20.2`](https://renovatebot.com/diffs/npm/@codemirror%2fautocomplete/6.20.1/6.20.2) |  |  | | @&#8203;codemirror/lint | [`6.9.5` → `6.9.6`](https://renovatebot.com/diffs/npm/@codemirror%2flint/6.9.5/6.9.6) |  |  | | @&#8203;codemirror/view | [`6.41.1` → `6.42.0`](https://renovatebot.com/diffs/npm/@codemirror%2fview/6.41.1/6.42.0) |  |  | | [vue](https://vuejs.org/) ([source](https://redirect.github.com/vuejs/core)) | [`3.5.33` → `3.5.34`](https://renovatebot.com/diffs/npm/vue/3.5.33/3.5.34) |  |  | --- ### Release Notes <details> <summary>vuejs/core (vue)</summary> ### [`v3.5.34`](https://redirect.github.com/vuejs/core/blob/HEAD/CHANGELOG.md#3534-2026-05-06) [Compare Source](https://redirect.github.com/vuejs/core/compare/v3.5.33...v3.5.34) ##### Bug Fixes - **compiler-sfc:** infer Vue ref wrapper types when source is unresolvable ([#&#8203;14758](https://redirect.github.com/vuejs/core/issues/14758)) ([7f46fd4](https://redirect.github.com/vuejs/core/commit/7f46fd411b4e3f75ca755ee1318ea8e9aff43f56)), closes [#&#8203;14729](https://redirect.github.com/vuejs/core/issues/14729) - **compiler-sfc:** preserve hash hrefs on `<image>` elements ([#&#8203;14756](https://redirect.github.com/vuejs/core/issues/14756)) ([090b2e3](https://redirect.github.com/vuejs/core/commit/090b2e3a5149ec951c5313b270e5400a1fc870ce)) - **compiler-sfc:** resolve type re-exports inside declare global ([#&#8203;14766](https://redirect.github.com/vuejs/core/issues/14766)) ([acfffe3](https://redirect.github.com/vuejs/core/commit/acfffe34e7724a84c21bb8e51e8a5bc0da35f350)) - **reactivity:** prevent orphan effect when created in a stopped scope ([#&#8203;14778](https://redirect.github.com/vuejs/core/issues/14778)) ([c8e2d4a](https://redirect.github.com/vuejs/core/commit/c8e2d4adc9112d2529de0434acc1188dfc399bf4)), closes [#&#8203;14777](https://redirect.github.com/vuejs/core/issues/14777) - **runtime-core:** avoid symbol coercion during props validation ([#&#8203;8539](https://redirect.github.com/vuejs/core/issues/8539)) ([23d4fb5](https://redirect.github.com/vuejs/core/commit/23d4fb5a6a070df3d2d4a043f0f62c141e376095)), closes [#&#8203;8487](https://redirect.github.com/vuejs/core/issues/8487) - **suspense:** avoid DOM leak with out-in transition in v-if fragment ([#&#8203;14762](https://redirect.github.com/vuejs/core/issues/14762)) ([9667e0d](https://redirect.github.com/vuejs/core/commit/9667e0d498ab39273614682986a666c3e73024d9)), closes [#&#8203;14761](https://redirect.github.com/vuejs/core/issues/14761) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>	2026-05-11 16:03:11 +00:00
Giteabot	a603f89fce	fix(deps): update npm dependencies (#37636) ... This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | [`8.59.1` → `8.59.2`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.59.1/8.59.2) |  |  | | [eslint-plugin-vue](https://eslint.vuejs.org) ([source](https://redirect.github.com/vuejs/eslint-plugin-vue)) | [`10.9.0` → `10.9.1`](https://renovatebot.com/diffs/npm/eslint-plugin-vue/10.9.0/10.9.1) |  |  | | [jiti](https://redirect.github.com/unjs/jiti) | [`2.6.1` → `2.7.0`](https://renovatebot.com/diffs/npm/jiti/2.6.1/2.7.0) |  |  | | [postcss](https://postcss.org/) ([source](https://redirect.github.com/postcss/postcss)) | [`8.5.13` → `8.5.14`](https://renovatebot.com/diffs/npm/postcss/8.5.13/8.5.14) |  |  | | [stylelint](https://stylelint.io) ([source](https://redirect.github.com/stylelint/stylelint)) | [`17.10.0` → `17.11.0`](https://renovatebot.com/diffs/npm/stylelint/17.10.0/17.11.0) |  |  | | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.59.1` → `8.59.2`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.1/8.59.2) |  |  | | [updates](https://redirect.github.com/silverwind/updates) | [`17.16.8` → `17.16.9`](https://renovatebot.com/diffs/npm/updates/17.16.8/17.16.9) |  |  | --- ### Release Notes <details> <summary>typescript-eslint/typescript-eslint (@&#8203;typescript-eslint/parser)</summary> ### [`v8.59.2`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8592-2026-05-04) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.1...v8.59.2) This was a version bump only for parser to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.2) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>vuejs/eslint-plugin-vue (eslint-plugin-vue)</summary> ### [`v10.9.1`](https://redirect.github.com/vuejs/eslint-plugin-vue/blob/HEAD/CHANGELOG.md#1091) [Compare Source](https://redirect.github.com/vuejs/eslint-plugin-vue/compare/v10.9.0...v10.9.1) ##### Patch Changes - Updated peer dependency version for [`vue-eslint-parser`](https://redirect.github.com/vuejs/vue-eslint-parser) to fix parsing errors in Vue SFCs ([#&#8203;3075](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3075)) </details> <details> <summary>unjs/jiti (jiti)</summary> ### [`v2.7.0`](https://redirect.github.com/unjs/jiti/blob/HEAD/CHANGELOG.md#v270) [Compare Source](https://redirect.github.com/unjs/jiti/compare/v2.6.1...v2.7.0) [compare changes](https://redirect.github.com/unjs/jiti/compare/v2.6.1...v2.7.0) ##### 🚀 Enhancements - Add explicit resource management (using/await using) support ([#&#8203;422](https://redirect.github.com/unjs/jiti/pull/422)) - Support opt-in `tsconfigPaths` ([#&#8203;427](https://redirect.github.com/unjs/jiti/pull/427)) - Support virtual modules option ([#&#8203;428](https://redirect.github.com/unjs/jiti/pull/428)) - Add `jiti/static` export ([#&#8203;430](https://redirect.github.com/unjs/jiti/pull/430)) ##### 🔥 Performance - **interopDefault:** Add caching to reduce proxy overhead by \~2x ([#&#8203;421](https://redirect.github.com/unjs/jiti/pull/421)) ##### 🩹 Fixes - **require:** Passthrough resolve options ([#&#8203;412](https://redirect.github.com/unjs/jiti/pull/412)) - **ci:** Skip `--coverage` flag for node 18 ([fe264b4](https://redirect.github.com/unjs/jiti/commit/fe264b4)) - **require:** Fallback to transpilation when `tryNative` fails ([#&#8203;413](https://redirect.github.com/unjs/jiti/pull/413)) - Fallback for `ENAMETOOLONG` when evaluating esm ([#&#8203;429](https://redirect.github.com/unjs/jiti/pull/429)) ##### 📦 Build - Upgrade rspack ([55194fb](https://redirect.github.com/unjs/jiti/commit/55194fb)) - Experimental rolldown config ([8c0243f](https://redirect.github.com/unjs/jiti/commit/8c0243f)) ##### 🏡 Chore - Fix lint issues ([4045c7a](https://redirect.github.com/unjs/jiti/commit/4045c7a)) - Update deps ([e88ac44](https://redirect.github.com/unjs/jiti/commit/e88ac44)) - Update deps ([498e8d7](https://redirect.github.com/unjs/jiti/commit/498e8d7)) - Add missing prettier dep ([650bc48](https://redirect.github.com/unjs/jiti/commit/650bc48)) - Lint ([058d91a](https://redirect.github.com/unjs/jiti/commit/058d91a)) - Init agents.md ([c49c54e](https://redirect.github.com/unjs/jiti/commit/c49c54e)) - Update agents.md ([4deba16](https://redirect.github.com/unjs/jiti/commit/4deba16)) - Update deps ([08fc868](https://redirect.github.com/unjs/jiti/commit/08fc868)) - Update tsconfig ([8c7822e](https://redirect.github.com/unjs/jiti/commit/8c7822e)) - Update release script ([27fe3f2](https://redirect.github.com/unjs/jiti/commit/27fe3f2)) ##### ✅ Tests - Ignore jsx test for bun/cjs ([3a744ca](https://redirect.github.com/unjs/jiti/commit/3a744ca)) - Update ([9ee314f](https://redirect.github.com/unjs/jiti/commit/9ee314f)) ##### 🤖 CI - Update node test matrix ([0abda72](https://redirect.github.com/unjs/jiti/commit/0abda72)) ##### ❤️ Contributors - Pooya Parsa ([@&#8203;pi0](https://redirect.github.com/pi0)) - Kricsleo ([@&#8203;kricsleo](https://redirect.github.com/kricsleo)) - Espen Hovlandsdal ([@&#8203;rexxars](https://redirect.github.com/rexxars)) - Rintaro Itokawa ([@&#8203;re-taro](https://redirect.github.com/re-taro)) - Matteo Collina ([@&#8203;mcollina](https://redirect.github.com/mcollina)) </details> <details> <summary>postcss/postcss (postcss)</summary> ### [`v8.5.14`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8514) [Compare Source](https://redirect.github.com/postcss/postcss/compare/8.5.13...8.5.14) - Fixed custom syntax regression (by [@&#8203;43081j](https://redirect.github.com/43081j)). </details> <details> <summary>stylelint/stylelint (stylelint)</summary> ### [`v17.11.0`](https://redirect.github.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#17110---2026-05-05) [Compare Source](https://redirect.github.com/stylelint/stylelint/compare/17.10.0...17.11.0) It adds 2 features, including a `loader` property to `referenceFiles: {}` for when the order of appearance in the reference styles matters. - Added: `loader` to experimental `referenceFiles: {}` ([#&#8203;9251](https://redirect.github.com/stylelint/stylelint/pull/9251)) ([@&#8203;romainmenke](https://redirect.github.com/romainmenke)). - Added: `autofixed` to the result object ([#&#8203;8771](https://redirect.github.com/stylelint/stylelint/pull/8771)) ([@&#8203;Rob--W](https://redirect.github.com/Rob--W)). </details> <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.59.2`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8592-2026-05-04) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.1...v8.59.2) This was a version bump only for typescript-eslint to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.2) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> <details> <summary>silverwind/updates (updates)</summary> ### [`v17.16.9`](https://redirect.github.com/silverwind/updates/releases/tag/17.16.9) [Compare Source](https://redirect.github.com/silverwind/updates/compare/17.16.8...17.16.9) - update deps (silverwind) - Resolve config per-file when `-f` is used ([#&#8203;136](https://redirect.github.com/silverwind/updates/issues/136)) (silverwind) - Honor config pin in docker mode (silverwind) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Only on Monday (`* * * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>	2026-05-11 05:01:34 +00:00
silverwind	b4085c7e3c	build: update pnpm to v11 (#37591) ... Update to https://github.com/pnpm/pnpm/releases/tag/v11.0.0 - move all pnpm settings to `pnpm-workspace.yaml`, pnpm v11 only reads that file - drop redundant or no-op settings - disable `strictDepBuilds` to avoid having to manually specify deps with build scripts, this is equivalent to v10 where it will not execute and warn. - add workarounds for https://github.com/SukkaW/nolyfill/issues/119 - remove dead eslintrc entry --- This PR was written with the help of Claude Opus 4.7 --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-05-08 04:17:20 +00:00
Sebastian Ertz	89a49de0fd	Update go js py dependencies (#37525) ... | go | from | to | | --- | --- | --- | | connectrpc.com/connect | `1.19.1 ` | `1.19.2` | | github.com/Azure/go-ntlmssp | `0.1.0` | `0.1.1` | | github.com/alecthomas/chroma/v2 | `2.23.1` | `2.24.1` | | github.com/aws/aws-sdk-go-v2/credentials | `1.19.15` | `1.19.16` | | github.com/aws/aws-sdk-go-v2/service/codecommit | `1.33.13` | `1.33.14` | | github.com/blevesearch/bleve/v2 | `2.5.7` | `2.6.0` | | github.com/caddyserver/certmagic | `0.25.2` | `0.25.3` | | github.com/fsnotify/fsnotify | `1.9.0` | `1.10.1` | | github.com/getkin/kin-openapi | `0.134.0` | `0.137.0` | | github.com/go-co-op/gocron/v2 | `2.21.0` | `2.21.1` | | github.com/go-sql-driver/mysql | `1.9.3` | `1.10.0` | | github.com/go-webauthn/webauthn | `0.16.5` | `0.17.2` | | github.com/klauspost/compress | `1.18.5` | `1.18.6` | | github.com/mattn/go-isatty | `0.0.21` | `0.0.22` | | github.com/mattn/go-sqlite3 | `1.14.42` | `1.14.44` | | github.com/minio/minio-go/v7 | `7.0.100` | `7.1.0` | | github.com/redis/go-redis/v9 | `9.18.0` | `9.19.0` | | google.golang.org/grpc | `1.80.0` | `1.81.0` | | gopkg.in/ini.v1 | `1.67.1` | `1.67.2` | | js | from | to | | --- | --- | --- | | @codemirror/search | `6.6.0` | `6.7.0` | | @primer/octicons | `19.24.1` | `19.25.0` | | clippie | `4.1.14` | `4.1.15` | | easymde | `2.20.0` | `2.21.0` | | postcss | `8.5.10` | `8.5.13` | | rolldown-license-plugin | `3.0.1` | `3.0.4` | | swagger-ui-dist | `5.32.4` | `5.32.5` | | vite | `8.0.9` | `8.0.10` | | vite-string-plugin | `2.0.2` | `2.0.4` | | vue | `3.5.32` | `3.5.33` | | @typescript-eslint/parser | `8.59.0` | `8.59.1` | | eslint | `10.2.1` | `10.3.0` | | eslint-plugin-vue | `10.8.0` | `10.9.0` | | globals | `17.5.0` | `17.6.0` | | material-icon-theme | `5.33.1` | `5.34.0` | | spectral-cli-bundle | `1.0.7` | `1.0.8` | | stylelint | `17.8.0` | `17.10.0` | | typescript-eslint | `8.59.0` | `8.59.1` | | updates | `17.16.3` | `17.16.8` | | vitest | `4.1.4` | `4.1.5` | | vue-tsc | `3.2.7` | `3.2.8` | | pnpm | `10.33.0` | `10.33.2` | | py | from | to | | --- | --- | --- | | click | `8.3.2` | `8.3.3` | | pathspec | `1.0.4` | `1.1.1` | --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>	2026-05-04 19:27:47 +00:00
rootful	3d838ef96a	Fix mCaptcha broken after Vite migration (#37492) ... After the Webpack-to-Vite migration (#37002), mCaptcha stopped working entirely on the registration page, throwing an error: `TypeError: setting getter-only property "INPUT_NAME"` This fix stops trying to mutate the read-only INPUT_NAME export. Instead it probes for the Widget constructor at module.default (direct) or module.default.default (CJS-wrapped), constructs the widget, and then renames the hidden input element it creates to m-captcha-response which is the field name Gitea's backend reads from the submitted form. Generative AI was used to help with making this PR. --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io>	2026-05-02 17:21:56 +02:00
silverwind	99cd4f6b22	Integrate renovate bot for all dependency updates (#37050) ... Replaces Dependabot with Renovate. The new setup: - One PR per ecosystem (GitHub Actions, Go modules + Makefile go-tool pins, npm, Python via uv, Nix flake), opened weekly on Mondays with a 5-day release-age cooldown. Vulnerability PRs ship next-day via daily cron + Renovate's `vulnerabilityAlerts` schedule bypass. - All `uses:` action refs SHA-pinned with patch-level version comments (same format as #36971, which this supersedes); `helpers:pinGitHubActionDigests` keeps future bumps in that format. - `renovatebot/github-action` runtime image pinned via the upstream-recommended `RENOVATE_VERSION` env + magic comment + `customManagers:githubActionsVersions` preset, so Renovate keeps the pin updated. - Custom regex manager tracks the `*_PACKAGE ?= <import-path>@<version>` lines in `Makefile` (golangci-lint, swagger, actionlint, etc.) and groups them into the same Go PR via `matchDatasources: ["go"]`. - Post-upgrade tasks regenerate `assets/go-licenses.json` (`make tidy`) and the SVG sprite (`make svg`), gated by an env-level command allowlist. - Replaces the standalone `cron-flake-updater` workflow — Renovate's nix manager tracks `flake.nix` inputs and produces the same `flake.lock` bump PRs on the regular weekly schedule. - npm and gomod-replace pins live in `renovate.json5` only; `updates@17.16.3` reads them from there too, so the standalone `updates.config.ts` is gone and one source of truth covers both tools. Fixes: https://github.com/go-gitea/gitea/issues/33386 Signed-off-by: silverwind <me@silverwind.io> Signed-off-by: TheFox0x7 <thefox0x7@gmail.com> Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: Giteabot <teabot@gitea.io>	2026-04-26 14:25:22 +00:00
Sebastian Ertz	3f3bebda0d	Update go js dependencies (#37312) ... | go | from | to | | --- | --- | --- | | github.com/aws/aws-sdk-go-v2/credentials | `1.19.14` | `1.19.15` | | github.com/aws/aws-sdk-go-v2/service/codecommit | `1.33.12` | `1.33.13` | | github.com/dlclark/regexp2 | `1.11.5` | `1.12.0` | | github.com/go-co-op/gocron/v2 | `2.20.0` | `2.21.0` | | github.com/go-webauthn/webauthn | `0.16.4` | `0.16.5` | | js | from | to | | --- | --- | --- | | @codemirror/view | `6.41.0` | `6.41.1` | | @primer/octicons | `19.24.0` | `19.24.1` | | clippie | `4.1.10` | `4.1.14` | | postcss | `8.5.9` | `8.5.10` | | rolldown-license-plugin | `2.2.5` | `3.0.1` | | swagger-ui-dist | `5.32.2` | `5.32.4` | | vite | `8.0.8` | `8.0.9` | | @typescript-eslint/parser | `8.58.2` | `8.59.0` | | @vitest/eslint-plugin | `1.6.15` | `1.6.16` | | eslint | `10.2.0` | `10.2.1` | | eslint-plugin-playwright | `2.10.1` | `2.10.2` | | eslint-plugin-sonarjs | `4.0.2` | `4.0.3` | | happy-dom | `20.8.9` | `20.9.0` | | stylelint | `17.7.0` | `17.8.0` | | typescript | `6.0.2` | `6.0.3` | | typescript-eslint | `8.58.2` | `8.59.0` | | updates | `17.15.3` | `17.15.5` | | vue-tsc | `3.2.6` | `3.2.7` | Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: silverwind <silv3rwind@gmail.com> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>	2026-04-20 22:32:45 +00:00
silverwind	1d25bb22f4	Move heatmap to first-party code (#37262) ... Replaces `@silverwind/vue3-calendar-heatmap` with an inlined SVG implementation. Renders pixel-identically to `main`, drops the `onMounted` legend viewBox workaround, and uses tippy's `createSingleton` for the hover tooltip. Adds an e2e test for tooltip display. This is a prereq for migrating tippy.js to [floating-ui](https://github.com/floating-ui/floating-ui) to avoid having two tooltip libs active. <img width="861" height="168" alt="image" src="https://github.com/user-attachments/assets/99343cf6-6e09-42c7-a80d-63dbf33cf56a" /> --- This PR was written with the help of Claude Opus 4.7 --------- Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com>	2026-04-20 20:15:45 +02:00
PineBale	2bfaa33347	Replace dropzone with @deltablot/dropzone (#37237) ... Fix #37228. Using NicolasCARPi/dropzone as short-term solution	2026-04-17 08:16:42 +00:00
wxiaoguang	2644bb8490	Remove htmx (#37224) ... Close #35059 Slightly improved the "fetch action" framework and started adding tests for it. --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: silverwind <me@silverwind.io>	2026-04-15 17:26:26 +00:00
Sebastian Ertz	b55528b1a2	Update go js py dependencies (#37204) ... | go | from | to | | --- | --- | --- | | github.com/go-webauthn/webauthn | `0.16.3` | `0.16.4` | | github.com/meilisearch/meilisearch-go | `0.36.1` | `0.36.2` | | golang.org/x/crypto | `0.49.0` | `0.50.0` | | golang.org/x/image | `0.38.0` | `0.39.0` | | golang.org/x/net | `0.52.0` | `0.53.0` | | golang.org/x/text | `0.35.0` | `0.36.0` | | js | from | to | | --- | --- | --- | | @primer/octicons | `19.23.1` | `19.24.0` | | @vitejs/plugin-vue | `6.0.5` | `6.0.6` | | rolldown-license-plugin | `2.2.0` | `2.2.5` | | vite | `8.0.7` | `8.0.8` | | @types/node | `25.5.2` | `25.6.0` | | @typescript-eslint/parser | `8.58.1` | `8.58.2` | | @vitest/eslint-plugin | `1.6.14` | `1.6.15` | | globals | `17.4.0` | `17.5.0` | | stylelint | `17.6.0` | `17.7.0` | | typescript-eslint | `8.58.1` | `8.58.2` | | updates | `17.13.5` | `17.15.3` | | vitest | `4.1.3` | `4.1.4` | | py | from | to | | --- | --- | --- | | click | `8.3.1` | `8.3.2` | | json5 | `0.13.0` | `0.14.0` | | regex | `2026.2.19` | `2026.4.4` | | tomli | `2.4.0` | `2.4.1` |	2026-04-14 12:45:54 +02:00
silverwind	04fb6f1c0b	Replace rollup-plugin-license with rolldown-license-plugin (#37130) ... Replace `rollup-plugin-license` and `wrap-ansi` with [`rolldown-license-plugin`](https://github.com/silverwind/rolldown-license-plugin), a zero-dependency plugin with async parallel I/O and built-in word wrapping. - Removes `rollup-plugin-license` (pulls in `lodash`, `moment`) and `wrap-ansi` from the dependency tree - License build time reduced by ~40% (370ms vs 640ms) - Added e2e test for `licenses.txt` Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>	2026-04-09 09:31:05 +00:00
Sebastian Ertz	714f4207d9	Update javascript dependencies (#37142) ... --- | | from | to | | --- | ---- | --- | | esbuild | `0.27.4` | `0.28.0` | | katex | `0.16.44` | `0.16.45` | | postcss | `8.5.8` | `8.5.9` | | swagger-ui-dist | `5.32.1` | `5.32.2` | | vite | `8.0.5` | `8.0.7` | | vue | `3.5.31` | `3.5.32` |	2026-04-08 16:45:02 +00:00
Lunny Xiao	290edc1614	upgrade vite (#37126)	2026-04-07 09:16:22 +00:00
silverwind	3a9cab034b	Update JS dependencies and misc tweaks (#37064) ... - Update all JS deps - Regenerate SVGs - Add new eslint rules from unicorn - Update typescript config for 6.0, remove deprecated options in favor of `strict` with disablements, remove implicit dom libs. - Set vite log level during `watch-frontend` to `warn` to avoid confusing URLs or HMR spam from the dev server to keep the log concise. Overridable via `FRONTEND_DEV_LOG_LEVEL`. Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>	2026-04-01 20:15:02 +02:00
silverwind	e2e8509239	Replace Monaco with CodeMirror (#36764) ... - Replace monaco-editor with CodeMirror 6 - Add `--color-syntax-*` CSS variables for all syntax token types, shared by CodeMirror, Chroma and EasyMDE - Consolidate chroma CSS into a single theme-independent file (`modules/chroma.css`) - Syntax colors in the code editor now match the code view and light/dark themes - Code editor is now 12px instead of 14px font size to match code view and GitHub - Use a global style for kbd elements - When editing existing files, focus will be on codemirror instead of filename input. - Keyboard shortcuts are roughtly the same as VSCode - Add a "Find" button, useful for mobile - Add context menu similar to Monaco - Add a command palette (Ctrl/Cmd+Shift+P or F1) or via button - Add clickable URLs via Ctrl/Cmd+click - Add e2e test for the code editor - Remove `window.codeEditors` global - The main missing Monaco features are hover types and semantic rename but these were not fully working because monaco operated only on single files and only for JS/TS/HTML/CSS/JSON. | | Monaco (main) | CodeMirror (cm) | Delta | |---|---|---|---| | **Build time** | 7.8s | 5.3s | **-32%** | | **JS output** | 25 MB | 14 MB | **-44%** | | **CSS output** | 1.2 MB | 1012 KB | **-17%** | | **Total (no maps)** | 23.3 MB | 12.1 MB | **-48%** | Fixes: #36311 Fixes: #14776 Fixes: #12171 <img width="1333" height="555" alt="image" src="https://github.com/user-attachments/assets/f0fe3a28-1ed9-4f22-bf25-2b161501d7ce" /> --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>	2026-03-31 21:50:45 +00:00
silverwind	e15219d810	Raise minimum Node.js version to 22.18.0 (#37058) ... Remove the experimental strip types check and `NODE_VARS` mechanism from the Makefile, as Node.js 22.18.0+ has native TypeScript type stripping support. https://nodejs.org/en/blog/release/v22.18.0 was released 8 months ago and has now trickled into all major Linux distros like Alpine 3.23+. --- This PR was written with the help of Claude Opus 4.6 Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>	2026-03-31 16:50:51 +00:00
silverwind	0ec66b5380	Migrate from webpack to vite (#37002) ... Replace webpack with Vite 8 as the frontend bundler. Frontend build is around 3-4 times faster than before. Will work on all platforms including riscv64 (via wasm). `iife.js` is a classic render-blocking script in `<head>` (handles web components/early DOM setup). `index.js` is loaded as a `type="module"` script in the footer. All other JS chunks are also module scripts (supported in all browsers since 2018). Entry filenames are content-hashed (e.g. `index.C6Z2MRVQ.js`) and resolved at runtime via the Vite manifest, eliminating the `?v=` cache busting (which was unreliable in some scenarios like vscode dev build). Replaces: https://github.com/go-gitea/gitea/pull/36896 Fixes: https://github.com/go-gitea/gitea/issues/17793 Signed-off-by: silverwind <me@silverwind.io> Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>	2026-03-29 10:24:30 +00:00
silverwind	b3c6917463	Update JS dependencies (#37001) ... - Update all JS dependencies via `make update-js` - `webpack-cli` 6 to 7: remove `--disable-interpret` from Makefile - Fix lint: remove unnecessary type args, `toThrowError` to `toThrow` - Fix duplicate CSS selector detected by `stylelint` 17.6.0 - Change `updates.config.ts` to use `pin`, needed for `tailwindcss` - Pin `typescript` pending typescript-eslint/typescript-eslint#12123 --------- Co-authored-by: Claude (claude-opus-4-6) <noreply@anthropic.com> Co-authored-by: Giteabot <teabot@gitea.io>	2026-03-27 04:39:24 +01:00
silverwind	ae0bc0222a	Update to eslint 10 (#36925) ... - Enable a few more rules, fix issues. The 2 `value` issues are false-positives. - Add exact types for `window.pageData` and `window.notificationSettings`. - peerDependencyRules for eslint-plugin-github unrestricted, the plugin works in v10, but does not declare compatibility, pending https://github.com/github/eslint-plugin-github/issues/680. - Added [eslint-plugin-de-morgan](https://github.com/azat-io/eslint-plugin-de-morgan), no violations. --------- Signed-off-by: silverwind <me@silverwind.io> Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>	2026-03-23 07:49:25 +00:00
silverwind	28e09ffc67	Vendor relative-time-element as local web component (#36853) ... Replace the `@github/relative-time-element` npm dependency with a vendored, simplified implementation. - Support 24h format rendering [PR 329](https://github.com/github/relative-time-element/pull/329) - Enable `::selection` styling in Firefox [PR 341](https://github.com/github/relative-time-element/pull/341) - Remove timezone from tooltips (It's always local timezone) - Clean up previous `title` workaround in tippy - Remove unused features - Use native `Intl.DurationFormat` with fallback for older browsers, remove dead polyfill - Add MIT license header to vendored file - Add unit tests - Add dedicated devtest page for all component variants --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude claude-opus-4-6 20250630 <noreply@anthropic.com>	2026-03-13 10:43:17 +00:00
silverwind	6e7bc1e635	Update JS deps (#36850) ... Gets rid of all open vulns except https://github.com/microsoft/monaco-editor/issues/5248. Cursorly tested, works. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io>	2026-03-08 07:29:27 +01:00
Lunny Xiao	9c2c9c5a00	upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (#36837)	2026-03-05 13:42:47 -08:00
Théo LUDWIG	9fe5b70e3e	build(deps): update material-icon-theme v5.32.0 (#36832) ... Updated https://github.com/material-extensions/vscode-material-icon-theme to v5.32.0 and ran `make svg && git add --all`	2026-03-05 11:51:26 -08:00
silverwind	fed2d81e88	Update JS and PY deps (#36708) ... `colord` reordered in package.json, otherwise just maintenance updates.	2026-02-22 19:56:45 +00:00
silverwind	91dc737a35	Replace tinycolor2 with colord (#36673) ... [`colord`](https://github.com/omgovich/colord) is significantly smaller than [`tinycolor2`](https://github.com/bgrins/TinyColor) (~4KB vs ~29KB minified) and ships its own TypeScript types, removing the need for `@types/tinycolor2`. Behaviour is exactly the same for our use cases. By using `.alpha(1)` we force the function to always output 6-digit hex format (it would output 8-digit for non-opaque colors). --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-20 15:43:01 +00:00
silverwind	5e9b9b33d1	Clean up Makefile, tests and legacy code (#36638) ... This simplifies the Makefile by removing the whole-file wrapping that creates a tempdir introduced by https://github.com/go-gitea/gitea/pull/11126. REPO_TEST_DIR is removed as well. Also clean up a lot of legacy code: unnecessary XSS test, incorrect test env init, unused "_old_uid" hack, etc Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>	2026-02-19 01:23:32 +00:00
silverwind	ddacefa5d6	Update JS deps (#36656) ... Fixes a [security issue in mermaid](https://github.com/mermaid-js/mermaid/issues/7345), tested mermaid and asciinema.	2026-02-17 19:35:37 +01:00
silverwind	2d70d37bff	Update JS and PY deps (#36576) ... eslint v10 is excluded from updates because the plugins are not compatible yet.	2026-02-10 15:39:17 +00:00
silverwind	49e6d5f6d6	Add elk layout support to mermaid (#36486) ... Fixes: https://github.com/go-gitea/gitea/issues/34769 This allows the user to opt-in to using `elk` layouts using either YAML frontmatter or `%%{ init` directives inside the markup code block. The default layout is not changed. --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>	2026-02-07 02:22:57 +00:00
silverwind	7292ae1ed5	Update JS deps, remove knip, misc tweaks (#36499) ... - Update all JS deps - Enable a few more stylelint stylistic rules and fix issues - Remove knip, it raised another false-positive, this tool is not worth it when you have to babysit it like that - Exclude @eslint/json from updating as it requires unreleased eslint 10 ([ref](https://github.com/eslint/json/issues/207)) - Update labeler config for new eslint filenames - Adjust `make help` output - Add type checking in `stylelint.config.ts`	2026-01-31 20:58:23 +08:00
wxiaoguang	4c8f6dfa4e	Support rendering OpenAPI spec (#36449) ... Fix #20852	2026-01-26 10:34:38 +08:00
silverwind	12a81d38c1	Add knip linter (#36442) ... This adds [knip](https://github.com/webpro-nl/knip), a tool to find unused files, dependencies and exports in JS. Fixed all discovered issues. 1. knip apparently has some issue resolving imports from `d.ts` to `.ts` so I worked around it by moving the two affected types to where they are used. 2. I don't know why `modules/fomantic/dropdown.ts` had a new typescript error, but I fixed it. 3. Use named export for `EsbuildPlugin`, I think this was added recently.	2026-01-24 12:52:13 +00:00
silverwind	5925433fe6	Update JS dependencies, adjust webpack config, misc fixes (#36431) ... 1. Upgrade to [jQuery 4.0](https://blog.jquery.com/2026/01/17/jquery-4-0-0/). Two of the removed APIs are in use by fomantic, but there are [polyfills present](https://github.com/go-gitea/gitea/blob/a3a3e581aa387969ce6410ab54c4775e9023ec40/web_src/fomantic/build/components/dropdown.js#L15-L17) so it continues to work. 2. Remove manual naming of webpack chunks. I was running into below webpack error and I see no reason for this manual chunk naming which is prone to naming collisions. Also, the webpack build now shows all output assets. This change will result in longer asset filenames, but webpack should now be able to guarentee that the names are without collisions. ```` ERROR in SplitChunksPlugin Cache group "defaultVendors" conflicts with existing chunk. Both have the same name "--------" and existing chunk is not a parent of the selected modules. Use a different name for the cache group or make sure that the existing chunk is a parent (e. g. via dependOn). HINT: You can omit "name" to automatically create a name. BREAKING CHANGE: webpack < 5 used to allow to use an entrypoint as splitChunk. This is no longer allowed when the entrypoint is not a parent of the selected modules. Remove this entrypoint and add modules to cache group's 'test' instead. If you need modules to be evaluated on startup, add them to the existing entrypoints (make them arrays). See migration guide of more info. 3. Fix test issue related to `p > div` which is invalid as per HTML spec because `div` is not [phrasing content](https://html.spec.whatwg.org/multipage/dom.html#phrasing-content-2) and therefor can not be a descendant of `p`. This is related to https://github.com/capricorn86/happy-dom/pull/2007. 4. Add webpack globals 5. Remove obsolete docs glob 6. fix security issue for `seroval` package 7. disable [vitest isolate](https://vitest.dev/config/isolate.html) for 30% faster JS tests, which are all pure.	2026-01-24 07:35:46 +00:00
Bart van der Braak	2f377e8552	Update material-icon-theme to v5.31.0 (#36427)	2026-01-22 00:25:14 +01:00
silverwind	49edbbbc2e	Update JS and PY deps (#36383) ... - Update JS and PY dependencies - Workaround https://github.com/stylelint/stylelint/issues/8893 by moving the stylint config file to JS - Regenerate SVGs - Bump to python 3.14 in devcontainer and actions - Verified `@github/text-expander-element` - Removed obsolete type stub	2026-01-16 11:00:16 +00:00
silverwind	2859b0602a	Update JS deps (#36354) ... - Update all JS deps - Regenerate SVGs - Enable new lint rules and fix issues - Tested affected dependencies	2026-01-13 04:06:58 +00:00
silverwind	16aa0fcc98	Add date to "No Contributions" tooltip (#36190) ... Fixes https://github.com/go-gitea/gitea/issues/36188 via https://github.com/silverwind/vue3-calendar-heatmap/commit/52bbfd7a15bb3ebbedcaae4d1f792dc3e4acc221. Before: <img width="183" height="92" alt="Screenshot 2025-12-18 at 16 50 18" src="https://github.com/user-attachments/assets/f06ca7d6-a141-499f-b6da-e46064a44846" /> After: <img width="292" height="78" alt="Screenshot 2025-12-18 at 17 08 36" src="https://github.com/user-attachments/assets/b80f7391-7960-44ad-8184-ffab4c9a4ea7" /> If there will be more changes in the future, we should vendor this module. Co-authored-by: Giteabot <teabot@gitea.io>	2025-12-19 09:48:53 +01:00
silverwind	b915e6908c	Add JSON linting (#36192) ... Uses https://github.com/eslint/json to lint all JSON and JSONC files in the repo.	2025-12-19 06:27:21 +00:00
silverwind	ad49b7bf31	Update JS deps and eslint enhancements (#36147) ... - Update all JS deps - Tested affected `dependencies` - Replace eslint `unstable_native_nodejs_ts_config` with optional `jiti` dependency. This will be more compatible with editor integrations that may not pass this flag. - Enable additional eslint rules, no new issues - Move `typescript` to `devDependencies` because `make frontend` works without it	2025-12-17 17:35:33 +00:00
Dawid Góra	0e916c67cc	Automatic generation of release notes (#35977) ... Similar to GitHub, release notes can now be generated automatically. The generator is server-side and gathers the merged PRs and contributors and returns the corresponding Markdown text. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>	2025-12-17 02:01:19 +00:00
silverwind	ca8c4ebecd	Update JS deps (#36091) ... Result of `make update-js svg && git add --all`. Tested Mermaid. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>	2025-12-05 06:30:59 +01:00
silverwind	9668913d76	Update JS deps, fix deprecations (#36040) ... - Update JS deps - Regenerate SVGs - Fix air `bin` deprecation - Fix `monaco.languages.typescript` deprecation - Remove `eslint-plugin-no-use-extend-native`, it's unnecessary with typescript - Enable new `@typescript-eslint` rules - Disable `@typescript-eslint/no-redundant-type-constituents`, this rule has bugs when not running under `strictNullChecks` (pending in https://github.com/go-gitea/gitea/pull/35843).	2025-11-27 23:58:10 +00:00
silverwind	1baca49870	Update JS deps (#35978) ... Update JS deps, regenerate SVGs, fixed lint issues and did cursory testing of UI.	2025-11-20 21:53:44 +00:00