chore(deps): update all dependencies by renovate[bot] · Pull Request #124 · vadimpiven/node_reqwest

renovate · 2026-03-21T01:57:25Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Type	Update	Pending
@codspeed/vitest-plugin (source)	`5.4.0` → `5.5.0`	pnpm.catalog.default	minor	`5.6.0`
@types/node (source)	`25.9.1` → `25.9.3`	pnpm.catalog.default	patch
@vitest/coverage-istanbul (source)	`4.1.7` → `4.1.8`	pnpm.catalog.default	patch	`4.1.9`
CodSpeedHQ/action	`v4.15.1` → `v4.17.5`	action	minor	`v4.17.6`
actions/checkout	`v6.0.2` → `v6.0.3`	action	patch
aqua:anchore/syft	`1.44.0` → `1.45.1`		minor
aqua:aquasecurity/trivy	`0.70.0` → `0.71.0`		minor	`0.71.1`
aqua:astral-sh/uv	`0.11.16` → `0.11.21`		patch	`0.11.22`
aqua:cargo-bins/cargo-binstall	`1.19.1` → `1.20.0`		minor
aqua:cli/cli	`2.92.0` → `2.94.0`		minor	`2.95.0`
aqua:crate-ci/typos	`1.46.3` → `1.47.2`		minor
codecov/codecov-action	`v6.0.1` → `v6.0.2`	action	patch
electron	`42.2.0` → `42.4.0`	pnpm.catalog.default	minor	`42.4.1`
github/codeql-action	`v4.36.0` → `v4.36.2`	action	patch
github:EmbarkStudios/cargo-deny	`0.19.7` → `0.19.8`		patch	`0.19.9`
github:mikefarah/yq	`4.53.2` → `v4.53.3`		patch
github:nextest-rs/nextest	`0.9.136` → `0.9.137`		patch
jdx/mise	`v2026.5.15` → `v2026.6.3`		minor	`v2026.6.11` (+7)
jdx/mise-action	`v4.0.1` → `v4.1.0`	action	minor	`v4.2.0`
node (source)	`24.15.0` → `24.16.0`		minor	`v24.17.0`
npm:pnpm (source)	`11.2.2` → `11.6.0`		minor	`11.8.0` (+1)
oxfmt (source)	`0.51.0` → `0.54.0`	pnpm.catalog.default	minor	`0.55.0`
oxlint (source)	`1.66.0` → `1.69.0`	pnpm.catalog.default	minor	`1.70.0`
pnpm (source)	`11.2.2+sha512.36e6621fad506178936455e70247b8808ef4ec25797a9f437a93281a020484e2607f6a469a22e982987c3dbb8866e3071514ab10a4a1749e06edcd1ec118436f` → `11.6.0`	packageManager	minor	`11.8.0` (+1)
quay.io/pypa/manylinux_2_28	`65f13b3` → `8ee7337`	final	digest
regex	`1.12.3` → `1.12.4`	workspace.dependencies	patch
ruff (source, changelog)	`==0.15.14` → `==0.15.17`	dependency-groups	patch	`0.15.18`
rust (source, changelog)	`nightly-2026-05-24` → `nightly-2026-06-12`	toolchain	patch	`nightly-2026-06-19` (+6)
rustlang/rust	`nightly-2026-05-24` → `nightly-2026-06-11`		minor	`nightly-2026-06-18` (+6)
tsx (source)	`4.22.3` → `4.22.4`	pnpm.catalog.default	patch
undici (source)	`8.3.0` → `8.4.1`		minor	`8.5.0`
undici (source)	`8.3.0` → `8.4.1`	pnpm.catalog.default	minor	`8.5.0`
vite (source)	`8.0.14` → `8.0.16`	pnpm.catalog.default	patch
vite-plugin-dts (source)	`5.0.1` → `5.0.2`	pnpm.catalog.default	patch
vitest (source)	`4.1.7` → `4.1.8`	pnpm.catalog.default	patch	`4.1.9`

Release Notes

CodSpeedHQ/codspeed-node (@codspeed/vitest-plugin)

`v5.5.0`

Compare Source

Highlights

We are introducing @codspeed/playwright, for walltime benchmarking and profiling of end to end browser applications through playwright.

Here's an example usage, but head to the docs for more information

import { bench, type Page } from "@&#8203;codspeed/playwright-plugin";
import electronExecutable from "electron";
import path from "node:path";
import { fileURLToPath } from "node:url";

const __dirname = path.dirname(fileURLToPath(import.meta.url));
const appRoot = path.resolve(__dirname, "..");

async function waitUntilSettled(page: Page): Promise<void> {
  await page.waitForFunction(() => {
    const main = document.getElementById("main");
    return !!main && !main.classList.contains("loading");
  });
}

await bench(
  "inbox-search-archive-threads",
  async ({ page }) => {
    await page.fill("#search", "update");
    await waitUntilSettled(page);

    await page.click("#select-visible-btn");
    await page.click("#archive-btn");
    await waitUntilSettled(page);

    await page.click('#sidebar nav button[data-view="threads"]');
    await waitUntilSettled(page);
  },
  {
    target: {
      kind: "electron",
      appPath: path.join(appRoot, "out/main/index.js"),
      cwd: appRoot,
    },
    beforeRound: async ({ page }) => {
      page.setDefaultTimeout(180_000);
      await page.waitForSelector("#main");
      await waitUntilSettled(page);
    },
  },
);

Note: this plugin is only compatible with the walltime instrument.

What's Changed

Add playwright profiling package by @GuillaumeLagrange in #80

Full Changelog: CodSpeedHQ/codspeed-node@v5.4.0...v5.5.0

vitest-dev/vitest (@vitest/coverage-istanbul)

`v4.1.8`

Compare Source

🐞 Bug Fixes

browser:
- Disable client cdp API when allowWrite/allowExec: false [backport to v4] - by @hi-ogawa and Codex in #10450 (e4067)
- Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4] - by @toxik and @Zelys-DFKH in #10474 (675b4)

View changes on GitHub

CodSpeedHQ/action (CodSpeedHQ/action)

`v4.17.5`

Compare Source

Release Notes

This release bundles all runner changes from 4.17.1 through 4.17.5.

🚀 Features

Add optional mode arg to target setup by @fargito in #397
Restore DYLD_INSERT_LIBRARIES from SAMPLY_ alias by @not-matthias
Bump valgrind-codspeed to 3.26.0-0codspeed3 by @adriencaccia

🐛 Bug Fixes

Purge inherited mappings on execve to fix unknown symbols (#392) by @GuillaumeLagrange in #392
Use %p in log file path to avoid multi-process overwrite by @not-matthias in #381
Compare codspeed iteration of installed valgrind by @not-matthias

💼 Other

Enable set -u to match go.sh by @not-matthias in #389

🏗️ Refactor

Parse codspeed iteration from version string by @not-matthias

⚙️ Internals

Bump samply by @not-matthias
Bump samply to fix sigkill by @not-matthias in #386
Log detected valgrind version by @not-matthias in #390
Bump samply-codspeed to disable jit classification and add fp-anchoring to unwinding (#382) by @GuillaumeLagrange in #382

Install codspeed-runner 4.17.5

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CodSpeedHQ/codspeed/releases/download/v4.17.5/codspeed-runner-installer.sh | sh

Download codspeed-runner 4.17.5

File	Platform	Checksum
codspeed-runner-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
codspeed-runner-aarch64-unknown-linux-musl.tar.gz	ARM64 MUSL Linux	checksum
codspeed-runner-x86_64-unknown-linux-musl.tar.gz	x64 MUSL Linux	checksum

Full Runner Changelog: https://github.com/CodSpeedHQ/codspeed/blob/main/CHANGELOG.md

Full Changelog: CodSpeedHQ/action@v4.17.0...v4.17.5

`v4.17.0`

Compare Source

Release Notes

🚀 Features

Configure samply symbol resolution env vars by @not-matthias
Add CODSPEED_WALLTIME_PROFILER override by @not-matthias
Make benchmark isolation profiler-driven by @not-matthias
Add profile-based auth configuration (#366) by @art049 in #366
Bump instrument-hooks to not use stubs on macos (#373) by @GuillaumeLagrange in #373
Pin codspeed-go-runner installer downloads with sha256 verification by @art049 in #362
Pin downloaded binaries with sha256 verification by @art049
Search NixOS debug info path by @not-matthias in #354
Inherit process mapping on forks by @GuillaumeLagrange
Bundle samply via library crate by @not-matthias
Add samply profiler for macOS by @not-matthias
Rename CODSPEED_PERF_ENABLED to CODSPEED_PROFILER_ENABLED by @not-matthias
Add Profiler trait abstraction by @not-matthias
Restore cursor on ctrl c by @GuillaumeLagrange in #341
Validate tokens and repository access up front by @GuillaumeLagrange

🐛 Bug Fixes

Use introspected env for memory executor by @GuillaumeLagrange
Misleading DCE advice in setup-harness (#350) by @SuperMuel in #350
Flush rolling buffer when executor errors by @not-matthias in #352
Use brew-installed bash for samply on macOS by @not-matthias in #347
Keep old name aliases to for deserialization purposes by @GuillaumeLagrange in #345
Handle malformed token from backend better by @GuillaumeLagrange
Disable PYTHON_PERF_JIT_SUPPORT on macOS by @not-matthias
Use mach_absolute_time for FIFO timestamps on macOS by @not-matthias
Use O_RDWR to open FIFOs on all Unix platforms by @not-matthias

💼 Other

Select profiler via typed CLI arg by @GuillaumeLagrange in #379
Bump workspace dependencies (#370) by @art049 in #370
Make api_client the single source of truth for the auth token by @GuillaumeLagrange
Bump gql_client to partial-data fork by @GuillaumeLagrange

🏗️ Refactor

Centralize internal re-exec via InternalCommands::get_command_builder by @not-matthias in #338
Rename Benchmark FIFO commands/markers to Profiler/Round by @not-matthias
Rename Profiler::wrap to wrap_command by @not-matthias
Share Linux profiler sysctl setup by @not-matthias
Port PerfRunner to Profiler trait by @not-matthias
Rename PerfMetadata to WalltimeMetadata by @not-matthias
Move perf module under profiler/ by @not-matthias
Rename FifoCommand::PingPerf to PingProfiler by @not-matthias
Rename IntegrationMode::Perf to Walltime by @not-matthias

🧪 Testing

Update valgrind snapshot tests by @adriencaccia

⚙️ Internals

Add taplo config file by @GuillaumeLagrange in #363
Bump samply fork to use framehop-codspeed by @not-matthias
Add retry to sha256 tests to prevent transient failures by @GuillaumeLagrange in #375
Update setarch command arguments to use long options (#304) by @xtqqczze in #304
Bump valgrind-codspeed to 3.26.0-0codspeed2
Fix macOS rustup cache corruption in install-rust action by @GuillaumeLagrange in #357
Give each bpf-tests shard its own cache key by @not-matthias in #358
Shard bpf-tests by integration test binary by @not-matthias
Use rustup show instead of toolchain install by @GuillaumeLagrange in #349
Disable profiler in macos-basic-run-test by @not-matthias
Upload the basic run to validate auth of integration test by @GuillaumeLagrange
Move samply fork from AvalancheHQ to CodSpeedHQ by @not-matthias
Remove the cursor hiding by @GuillaumeLagrange

Install codspeed-runner 4.17.0

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CodSpeedHQ/codspeed/releases/download/v4.17.0/codspeed-runner-installer.sh | sh

Download codspeed-runner 4.17.0

File	Platform	Checksum
codspeed-runner-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
codspeed-runner-aarch64-unknown-linux-musl.tar.gz	ARM64 MUSL Linux	checksum
codspeed-runner-x86_64-unknown-linux-musl.tar.gz	x64 MUSL Linux	checksum

Full Runner Changelog: https://github.com/CodSpeedHQ/codspeed/blob/main/CHANGELOG.md

Full Changelog: CodSpeedHQ/action@v4.15.1...v4.17.0

actions/checkout (actions/checkout)

`v6.0.3`

Compare Source

Fix checkout init for SHA-256 repositories by @yaananth in #2439
fix: expand merge commit SHA regex and add SHA-256 test cases by @yaananth in #2414

anchore/syft (aqua:anchore/syft)

`v1.45.1`

Compare Source

Bug Fixes

bump stereoscope to pull in fix for registry client hanging [#4934 @anchore-oss-update-bot]

(Full Changelog)

`v1.45.0`

Compare Source

Added Features

Add support for ZapAddOns as jar files [#4654 #4932 @douglasclarke]
MySQL binary classifier should distinguish between MySQL Cluster (ndb) and MySQL [#3297 #4907 @witchcraze]
Catalog ingress-nginx binary [#4818 #4857 @witchcraze]

Bug Fixes

Support helm binary various versions [#4820 #4922 @witchcraze]
Support julia binary various versions [#4867 #4945 @witchcraze]
Support deno binary old versions [#4865 #4939 @witchcraze]
Compressed kernel modules are not scanned by the linux-kernel-cataloger [#4721 #4740 @will-bates11]
Yarn Berry lockfile parser incorrectly deduplicates packages with multiple resolutions [#4691 #4838 @calumleslie]
Possible misdetection of AWS-LC as OpenSSL 1.1.1 [#4539 #4882 @witchcraze]
Support elixir binary rc versions [#4819 #4851 @ChrisJr404]
Exclude path ending with a slash are discarded [#4839 #4892 @ChrisJr404]
Incorrect CPE for .NET Runtime [#4738 #4743 @PGrayCS]
fix parsing of debian/copyright files [#4708 #4754 @Bahtya]
Grype ignores python requirements in arbitrary equality (===) format [#4834 #4835 @cyphercodes]
valkey is detected as both of valkey and redis [#4591 #4619 @witchcraze]
TypeByName missing "nuget" case causes UnknownPkg when reading SPDX SBOMs [#4837 #4848 @ChrisJr404]

Additional Changes

hoist name normalization regexp to package level [#4926 @matiasinsaurralde]
bump the actions-minor-patch group across 1 directory with 6 updates [#4946 @dependabot]
bump the actions-minor-patch group across 2 directories with 2 updates [#4936 @dependabot]
bump the actions-minor-patch group across 1 directory with 4 updates [#4927 @dependabot]
bump the actions-minor-patch group across 1 directory with 2 updates [#4920 @dependabot]
bump the actions-minor-patch group across 1 directory with 2 updates [#4897 @dependabot]
update CPE dictionary index [#4831 @anchore-oss-update-bot]

(Full Changelog)

aquasecurity/trivy (aqua:aquasecurity/trivy)

astral-sh/uv (aqua:astral-sh/uv)

`v0.11.21`

Compare Source

Released on 2026-06-11.

Python

Add CPython 3.13.14 and 3.14.6 (#19787)

Preview features

Add environment.root to uv workspace metadata --sync (#19760)
Allow uv upgrade to update a single dependency constraint (#19738)
Compute and pass uv workspace metadata payload in ty check (#19763)
Make packaged applications the default for uv init (#17841)

Performance

Add parallel discovery of Python versions for uv python list (#18684)
Avoid normalizing source distribution names twice (#19784)

Bug fixes

Improve cache robustness and pruning behavior
- Allow CI cache pruning without an sdist bucket (#19802)
- Avoid overflow when reading malformed cache entries (#19799)
- Preserve cached Python downloads during cache pruning (#19795)
- Reject running inside the cache (#19659)
Fix Python discovery and version request edge cases
- Avoid panics for Unicode Python version requests (#19797)
- Fix handling of non-critical errors in uv python list with path requests (#19774)
- Fix stop-discovery-at regression (#19769)
Harden parsing and validation for package metadata, requirements, markers, URLs, and conflict sets
- Allow trailing commas in version specifiers (#19806)
- Avoid panics for invalid UTF-8 URL credentials (#19800)
- Avoid panics for malformed source distribution filenames (#19776)
- Avoid panics for trailing extra separators (#19779)
- Avoid stack overflow for recursive requirements path aliases (#19777)
- Ignore reversed string compatible-release markers (#19782)
- Reject duplicate entries in conflict sets (#19801)
- Reject malformed hash options in requirements files (#19783)
- Reject source distribution filenames without a separator (#19803)
- Use UTF-8 lengths for requirement errors (#19781)
- Use UTF-8 lengths for trailing marker errors (#19796)
- Use byte offsets when peeking over requirements (#19780)
- Validate GraalPy ABI suffixes (#19805)
Improve wheel entry-point error handling and virtual environment activation quoting
- Propagate errors when reading wheel entry points (#19794)
- Quote virtual environment activation paths with shell metacharacters (#19798)

`v0.11.20`

Compare Source

Released on 2026-06-10.

Enhancements

Add --emit-index-url and --emit-find-links to uv export (#18370)
Add --find-links support for uv pip list (#16103)
Group executable install errors during uv python install (#19691)
Use ICF in macOS release builds to reduce binary sizes (#19615)

Preview features

Add initial hidden uv upgrade command (#19678)
Reject Git revisions in uv upgrade (#19742)

Configuration

Recognize UV_NO_INSTALL_PROJECT, UV_NO_INSTALL_WORKSPACE, UV_NO_INSTALL_LOCAL (#19323)

Performance

Speed up discovery of large workspaces (#18311)

Bug fixes

Allow unknown preview flags with a warning again (#19669)
Apply dependency exclusions to direct requirements (#19699)
Avoid following external symlinks during cache clean (#19682)
Avoid following symlinks during cache prune (#19543)
Fix Git cache keys for worktrees and packed refs (#19706)
Make resolver error handling iterative to avoid stack overflows (#19695)
Pass VIRTUAL_ENV through cygpath inside fish on Windows (#19703)
Rebuild explicit local directory tool installs (#19591)
Validate egg top-level entries as identifiers (#19679)

Documentation

Document --find-links caching behavior (#19585)
Add a small section for malware checks (#19680)

`v0.11.19`

Compare Source

Released on 2026-06-03.

Python

Add CPython 3.15.0b2 (#19531)

Enhancements

Always compute SHA256 for remote distributions (#19662)
Add PyEmscripten platform (PEP 783) (#19629)
Add Pyodide 2025 target triple (#19653)

Preview features

Make preview features for commands have names that aren't ambiguous with the command (#19645)
Respect --isolated in uv check (#19666)

Bug fixes

Continue tool uninstall after dangling receipts (#19623)
Skip Unix-specific installation steps when cross-installing Windows Python distributions (#19424)

`v0.11.18`

Compare Source

Released on 2026-06-01.

Performance

Fix performance regression in unzip of local wheels (#19637)

Preview

Add uv check to run ty from uv (#19605)

Bug fixes

Update activation scripts with upstream fixes (#19628)

Other changes

Bump MSRV to 1.94 (#19600)

`v0.11.17`

Compare Source

Released on 2026-05-28.

Enhancements

Add a diagnostic for uv add with standard library modules (#19572)
Expose uv workspace and its list subcommand in help output (#19533)
Improve the "403 forbidden" hint to suggest ignore-error-codes when applicable (#19521)
Skip direct URL lock freshness checks while offline (#19596)
Add import-names and import-namespaces support to uv-build (PEP 794) (#19380)
Add a --no-editable-package flag to various commands (#19584)
Infer Python version requests from source trees in uv tool invocations (#19577)

Preview features

Add module owners to uv workspace metadata (#19122)
Do not allow uv venv --clear to remove non-virtual environments (#19595)

Bug fixes

Improve the performance of large entries in tool.uv.conflicts (#19538)
Avoid modifying the parent process' env with --env-file in uv run (#19567)
Fix script environment creation for scripts with long filenames (#19539)
Fix transitive Git archive dependencies in lockfiles (#19589)
Preserve Git repository URLs in direct URL metadata (#19590)
Support redirects in --check-url (#19594)
Accept case-insensitive HTML tags in --find-links parsing (#19537)
Reject duplicate script metadata blocks (#19544)
Ban names like "python3" as script entry points (#19535, #19536)
Validate Git LFS artifacts for Git archives (#19592)
Use a relative path when creating symlinks in cache to improve relocatability (#19033)

Documentation

Fix malformed positional anchors in the CLI reference (#19575)

cargo-bins/cargo-binstall (aqua:cargo-bins/cargo-binstall)

`v1.20.0`

Compare Source

Binstall is a tool to fetch and install Rust-based executables as binaries. It aims to be a drop-in replacement for cargo install in most cases. Install it today with cargo install cargo-binstall, from the binaries below, or if you already have it, upgrade with cargo binstall cargo-binstall.

In this release:

Fix IPv6 DNS issue for macOS (#2574 #2567 #2579)
Add os-name template variable for pkg-url and bin-dir (#2328 #2570)
Remove quad9 dns fallback (#2572)

Other changes:

Upgrade dependencies

cli/cli (aqua:cli/cli)

`v2.94.0`: GitHub CLI 2.94.0

Compare Source

Issue types, sub-issues, and relationships in `gh issue`

This release brings GitHub's advanced issue features to gh issue create, edit, view, and list. You can set and view an issue's type, organize work with sub-issues, and track blocked-by and blocking relationships without leaving the command line:

# Set an issue's type
gh issue create --type Bug
gh issue edit 123 --type Bug

# Organize work with sub-issues
gh issue create --parent 100
gh issue edit 100 --add-sub-issue 123

# Track blocked-by and blocking relationships
gh issue create --blocked-by 200
gh issue edit 123 --add-blocking 300

Issue types and sub-issues are available on GitHub.com and GHES 3.17+; relationships require GHES 3.19+.

Manage discussions with `gh discussion`

This release introduces the discussion command set for working with GitHub Discussions in gh:

# List discussions
gh discussion list

# View a discussion, its comments, or replies to a comment
gh discussion view 123 --comments

# Create a discussion
gh discussion create

# Edit a discussion
gh discussion edit 123

# Comment on a discussion
gh discussion comment 123

# Reply to a comment using its URL
gh discussion comment <url>

Run gh discussion --help for more information.

[!NOTE]
The discussion command set is in preview and is subject to change without notice.

Equip your agents with new `gh` features

Teach your agents how to leverage new GitHub CLI features on release day by installing the gh skill:

# Install
gh skill install cli/cli gh --scope user

# Or update
gh skill update gh

What's Changed

✨ Features

Add gh discussion command set (list, view, create, edit) as a preview by @babakks and @maxbeizer in #13541
Add gh discussion comment to comment on and reply to discussions by @babakks in #13620
Add Issues 2.0 support: issue types, sub-issues, and relationships by @BagToad in #13057
Add gh skill list to inventory installed agent skills by @tommaso-moro in #13418
Add --all flag to gh skill install to install every skill in a repository by @tommaso-moro in #13471
Skip skills without metadata when running gh skill update --all by @tommaso-moro in #13469
Alias gh extension uninstall to gh extension remove by @BagToad in #13599
Auto-install official extensions in CI by @BagToad in #13581

🐛 Fixes

fix(skill): support skill discovery in nested directories by @tommaso-moro in #13459

📚 Docs & Chores

Bump Go to 1.26.4 by @github-actions[bot] in #13578
Clean up deferred issue update helper by @BagToad in #13584
Add terminal-mockup canvas extension for marketing screenshots by @BagToad in #13612
Add gh discussion and Issues 2.0 reference to the gh skill, plus a README note by @BagToad in #13631

Dependencies

chore(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 by @dependabot in #13521
chore(deps): bump github.com/gdamore/tcell/v2 from 2.13.9 to 2.13.10 by @dependabot in #13520
chore(deps): bump github.com/mattn/go-colorable from 0.1.14 to 0.1.15 by @dependabot in #13572
chore(deps): bump charm.land/bubbletea/v2 from 2.0.6 to 2.0.7 by @dependabot in #13595
chore(deps): bump git

✂ Note

PR body was truncated to here.

renovate · 2026-03-21T01:57:28Z

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package.json

Command failed: corepack use pnpm@11.6.0

greptile-apps · 2026-03-21T01:59:49Z

Greptile Summary

This is a routine automated dependency update PR from Renovate Bot, bumping a wide range of dependencies across the stack: GitHub Actions (setup-node v6.3.0, mise-action v3.6.3, zizmor-action v0.5.2, codeql-action v4.32.6), Node.js packages (pnpm 10.32.1, vitest/vite 4.1.0/8.0.0 stable releases from beta, oxfmt, oxlint, undici, electron, node-addon-slsa), Rust crates (tempfile 3.27.0), Python tools (ruff, semgrep, pyrefly, zizmor), and various aqua-managed CLI tools (uv, gh, gitleaks, shfmt, nextest). All GitHub Action references continue to be pinned by full commit SHA, which is good practice for this repository.

Most changes are straightforward version bumps with no behavioral impact on the codebase itself.
Several beta versions (vitest, vite) graduate to stable releases — a positive change.
The packageManager field in package.json was updated to pnpm@10.32.1 but the SHA512 integrity hash that was present in the old value was dropped, removing Corepack's ability to verify the pnpm binary on download.

Confidence Score: 4/5

This PR is safe to merge; the only notable finding is a non-critical omission of the Corepack integrity hash for pnpm.
All changes are automated dependency bumps. GitHub Actions remain SHA-pinned, Dockerfile images are digest-pinned, and lock files are fully regenerated. The one notable point is the missing SHA512 hash in the packageManager field, which is a best-practice/supply-chain hygiene issue rather than an active vulnerability. Everything else is routine.
package.json — missing SHA512 hash in the packageManager field.

Important Files Changed

Filename	Overview
package.json	Updated pnpm to 10.32.1 but dropped the SHA512 integrity hash from the packageManager field, removing Corepack's ability to verify the binary's integrity on download.
Dockerfile	Updated docker/dockerfile syntax to 1.22 and manylinux_2_28 base image to a new digest. Both references are pinned by SHA256. No issues found.
Cargo.lock	Updated tempfile from 3.26.0 to 3.27.0 which pulls in getrandom 0.3.4 instead of 0.4.2, and resolves different windows-sys versions for various crates. Standard lock file update.
mise.toml	Updated gitleaks, uv, gh CLI, nextest, and mvdan/sh (shfmt) to newer patch/minor versions. No issues found.
pyproject.toml	Updated pyrefly, ruff, semgrep, and zizmor to newer versions. No issues found.
pnpm-workspace.yaml	Updated catalog versions for @vitest/coverage-istanbul, electron, oxfmt, oxlint, undici, vite, and vitest from beta/older versions to stable releases. No issues found.

Comments Outside Diff (1)

package.json, line 202 (link)

Missing Corepack integrity hash for pnpm

The previous packageManager value included a +sha512 integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.

You can restore supply-chain integrity by running:

corepack use pnpm@10.32.1

This will update package.json with the correct hash for 10.32.1, e.g.:

Consider asking Renovate to preserve the hash when bumping the packageManager field (the pinDigests option may help, or a custom packageRules entry targeting packageManager).

Prompt To Fix With AI

This is a comment left during a code review.
Path: package.json
Line: 202

Comment:
**Missing Corepack integrity hash for pnpm**

The previous `packageManager` value included a `+sha512` integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.

You can restore supply-chain integrity by running:

```bash
corepack use pnpm@10.32.1
```

This will update `package.json` with the correct hash for 10.32.1, e.g.:



Consider asking Renovate to preserve the hash when bumping the `packageManager` field (the [`pinDigests`](https://docs.renovatebot.com/configuration-options/#pindigests) option may help, or a custom `packageRules` entry targeting `packageManager`).

How can I resolve this? If you propose a fix, please make it concise.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: package.json
Line: 202

Comment:
**Missing Corepack integrity hash for pnpm**

The previous `packageManager` value included a `+sha512` integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.

You can restore supply-chain integrity by running:

```bash
corepack use pnpm@10.32.1
```

This will update `package.json` with the correct hash for 10.32.1, e.g.:

```suggestion
  "packageManager": "pnpm@10.32.1+sha512.<hash-for-10.32.1>",
```

Consider asking Renovate to preserve the hash when bumping the `packageManager` field (the [`pinDigests`](https://docs.renovatebot.com/configuration-options/#pindigests) option may help, or a custom `packageRules` entry targeting `packageManager`).

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: "Update all dependenc..."}

codecov · 2026-04-20T21:27:48Z

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

codspeed-hq · 2026-05-18T07:49:49Z

Merging this PR will not alter performance

✅ 15 untouched benchmarks

_{Comparing renovate/all-dependencies (a483481) with main (32fd41a)}

socket-security · 2026-06-07T09:05:42Z

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

socket-security · 2026-06-13T02:06:53Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/undici@8.4.1
	npm/vitest@4.1.8
	npm/@types/node@25.9.3
	npm/tsx@4.22.4
	npm/@vitest/coverage-istanbul@4.1.8
	npm/vite@8.0.16
	npm/vite-plugin-dts@5.0.2
	npm/oxfmt@0.54.0
	npm/oxlint@1.69.0
	npm/@codspeed/vitest-plugin@5.5.0
	npm/electron@42.4.0
	pypi/ruff@0.15.14 ⏵ 0.15.17

View full report

renovate Bot force-pushed the renovate/all-dependencies branch 4 times, most recently from 1c2d5e5 to 40653e4 Compare March 22, 2026 02:03

github-advanced-security AI found potential problems Mar 22, 2026

View reviewed changes