chore(deps): update all non-major dependencies #446

Open
renovate[bot] wants to merge 1 commit into main from renovate/all-minor-patch

renovate Bot commented Apr 5, 2025

This PR contains the following updates:

| Package | Change | Type | Update | Pending |
| --- | --- | --- | --- | --- |
| @paypal/paypal-js | ^10.0.1 -> ^10.0.2 | pnpm.catalog.default | patch | |
| @types/google.maps | ^3.58.1 -> ^3.65.2 | peerDependencies | minor | |
| @types/youtube | ^0.1.0 -> ^0.3.0 | peerDependencies | minor | |
| Hebilicious/reproduire | v0.0.9-mp -> v0.0.9 | action | patch | |
| actions/checkout | v6.0.1 -> v6.0.3 | action | patch | |
| actions/stale | v10.0.0 -> v10.3.0 | action | minor | |
| oxc-parser | ^0.137.0 -> ^0.138.0 | pnpm.catalog.default | minor | |
| posthog-js | ^1.396.2 -> ^1.396.3 | pnpm.catalog.default | patch | 1.396.4 |
| posthog-js | ^1.0.0 -> ^1.396.3 | peerDependencies | minor | 1.396.4 |
| unhead-v3-fixture>@unhead/vue | ^3.0.0 -> ^3.1.7 | pnpm-workspace.overrides | minor | |
| vue-tsc | ^3.3.5 -> ^3.3.6 | pnpm.catalog.default | patch | |

Release Notes

paypal/paypal-js (@paypal/paypal-js)

v10.0.2

Patch Changes
  • cfcb985: Add a default export condition to the ./sdk-v6 subpath so bundlers/tracers (e.g. @vercel/nft) resolve it correctly and don't fall back to the v5 entry.

Hebilicious/reproduire (Hebilicious/reproduire)

v0.0.9

actions/checkout (actions/checkout)

v6.0.3

v6.0.2

actions/stale (actions/stale)

v10.3.0

What's Changed

Bug Fix
Dependency Updates

New Contributors

Full Changelog: actions/stale@v10...v10.3.0

v10.2.0

What's Changed

Bug Fix
Dependency Updates

New Contributors

Full Changelog: actions/stale@v10...v10.2.0

v10.1.1

What's Changed

Bug Fix
Improvement
Dependency Upgrades

New Contributors

Full Changelog: actions/stale@v10...v10.1.1

v10.1.0

What's Changed

New Contributors

Full Changelog: actions/stale@v10...v10.1.0

oxc-project/oxc (oxc-parser)

v0.138.0

🛡️ Security

PostHog/posthog-js (posthog-js)

v1.396.3

unjs/unhead (unhead-v3-fixture>@unhead/vue)

v3.1.7

🐞 Bug Fixes
🏎 Performance

v3.1.6

🏎 Performance

v3.1.5

🐞 Bug Fixes
🏎 Performance

v3.1.4

🐞 Bug Fixes
🏎 Performance

v3.1.3

🐞 Bug Fixes

v3.1.2

🐞 Bug Fixes

v3.1.1

🐞 Bug Fixes

v3.1.0

🛠️ Unhead CLI

To assist with migrations and overall DX a CLI has been introduced: @unhead/cli.

npx -y @unhead/cli

It lets you do the following:

          audit    Lint your codebase for unhead misuse, type-narrowing issues, and SEO/perf foot-guns.
        migrate    Apply autofixes for v2-to-v3 migration: rewrite deprecated props and wrap tag literals in defineX helpers.
  validate-html    Run the runtime ValidatePlugin over prerendered HTML files (e.g. dist/, .output/, build/).
   validate-url    Fetch a rendered URL and run unhead's SEO/perf validation rules over its <head>.

For example, try running audit on your own project for hints on how to improve your SEO.

✔️ Unhead ESLint

Knowing that your useHead() and useSeoMeta() code is right while you're coding is important. While type-narrowing solves many broken cases, we introduce an ESLint plugin to help catch anything that the typechecker can't catch.

These rules are shared from the runtime ValidatePlugin.

```bash
# flat-config ESLint plugin with v2→v3 migration autofixes
npm i -D @unhead/eslint-plugin
```

```ts [eslint.config.ts]
import { configs } from '@unhead/eslint-plugin'

export default [
  configs.recommended,
]
```

🌊 Streaming SSR non-Vite support

The streaming plugin lived only at unhead/stream/vite previously, leaving non-Vite users with no way to wire the bootstrap. The plugin is now a bundler-agnostic unplugin factory with first-class webpack and Vite entries, and the framework packages compose it behind Unhead({ streaming: true }).

```ts [vite.config.ts]
import vue from '@vitejs/plugin-vue'
import { Unhead } from '@unhead/vue/vite'

export default { plugins: [vue(), Unhead({ streaming: true })] }
```

```ts [webpack.config.ts]
import { Unhead } from '@unhead/vue/bundler'

export default { plugins: [...Unhead({ streaming: true }).webpack()] }
```

Streaming also gains a nonce option (forwarded on every injected <script> for CSP support), a fixed async mode for production Vite builds (the IIFE is now emitted via this.emitFile() so the script src references a real hashed asset), a dev-mode warning when the client IIFE runs against an empty server queue, and a shared StreamingGlobal type so the server bootstrap, client, and injected IIFE agree on the shape of window.__unhead__. Default mode changed from async to inline for smaller TTFB.

Changelog

🚀 Features
🐞 Bug Fixes

v3.0.5

🐞 Bug Fixes

v3.0.4

🐞 Bug Fixes

v3.0.3

🐞 Bug Fixes

v3.0.2

🐞 Bug Fixes

v3.0.1

🐞 Bug Fixes

vuejs/language-tools (vue-tsc)

v3.3.6

language-core
  • fix: make generic component internal context inference type-safe across .d.ts boundary (#6104) - Thanks to @Holiden!
  • fix: do not treat non-trivial property accesses as compound - Thanks to @KazariEX!
  • fix: treat semicolon-terminated expressions as compound - Thanks to @KazariEX!
  • fix: preserve return types for compound event handlers - Thanks to @KazariEX!
  • fix: use WeakMap to cache inline TS ASTs - Thanks to @KazariEX!
  • fix: match upstream CSS v-bind parsing behavior - Thanks to @KazariEX!
  • fix: include setup bindings as potential component names (#6111) - Thanks to @KazariEX!
  • perf: reduce boundary code feature allocations - Thanks to @KazariEX!
  • refactor: centralize code features and deprecate allCodeFeatures - Thanks to @KazariEX!

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "on Monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

vercel Bot commented Apr 5, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| scripts-docs | Error | | Jul 2, 2026 8:03am |
| scripts-playground | Ready | Preview, Comment | Jul 2, 2026 8:03am |

renovate Bot changed the title from "chore(deps): update resolutions typescript to v5.8.3" to "chore(deps): update all non-major dependencies" on Apr 6, 2025

pkg-pr-new Bot commented Jul 16, 2025

npm i https://pkg.pr.new/@nuxt/scripts@446

commit: 38ebeaf

Comment thread pnpm-lock.yaml Outdated
Comment thread docs/package.json Outdated
"@nuxt/image": "^1.11.0",
"@nuxt/scripts": "workspace:*",
"@nuxt/ui": "4.0.0",
"@nuxt/ui": "4.2.1",

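Review bot: The `@nuxt/ui` entry is the only one in this hunk with no range operator (`4.0.0`, now `4.2.1`), next to `^1.11.0` and `workspace:*`. If the exact pin is deliberate, state the reason in the PR so the next automated bump is not read as drift; if it is not, `^4.2.1` matches the neighbouring entries, and pnpm-lock.yaml still fixes the version that actually gets installed.
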
Suggested change
"@nuxt/ui": "4.2.1",
"@nuxt/ui": "^4.2.1",

The @nuxt/ui dependency is pinned to 4.2.1 without a caret, which is inconsistent with all other dependencies in this file that use flexible versioning with the ^ prefix.

Analysis

Inconsistent version pinning for @nuxt/ui dependency

What fails: docs/package.json line 20 specifies @nuxt/ui as pinned version 4.2.1 (without caret prefix), while all 13 other dependencies use caret versioning (^) for flexible version constraints within the major version.

How to reproduce:

cat docs/package.json | grep -A 15 '"dependencies"'

Result: Shows "@nuxt/ui": "4.2.1" (pinned) while all surrounding dependencies have caret prefix:

  • "@nuxt/content": "^3.8.2"
  • "@nuxt/fonts": "^0.12.1"
  • "@nuxthq/studio": "^2.2.1"
  • All other 10 dependencies also use ^ prefix

Expected behavior: According to npm semantic versioning, caret versioning allows compatible updates (minor/patch versions) within a major version. The project consistently uses this pattern for all other dependencies, so @nuxt/ui should be ^4.2.1 to match the established convention and allow patch/minor updates like other dependencies.

Root cause: Automated dependency update (Renovate bot commit 0b37709) preserved the previous pinned format when bumping the version from 4.0.0 to 4.2.1, rather than applying the project's standard caret versioning pattern used throughout the file.

Comment thread package.json Outdated
"posthog-js": "^1.0.0"
"@types/youtube": "^0.1.2",
"@unhead/vue": "^2.1.2",
"posthog-js": "^1.321.2"

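Review bot: The last line raises the floor of the `posthog-js` range from `^1.0.0` to `^1.321.2` inside an update titled "non-major". If this entry sits under peerDependencies, that narrows what consumers may already have installed, which is a compatibility change rather than routine maintenance; keep `^1.0.0` unless the code needs something introduced in 1.321.2, and if it does, make that change in its own PR with the reason stated.
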
Suggested change
"posthog-js": "^1.321.2"
"posthog-js": "^1.0.0"

The posthog-js peer dependency constraint changed from ^1.0.0 to ^1.321.2, which is unusually restrictive and appears unintentional given the patch version bump in devDependencies (1.321.1 → 1.321.2).

Analysis

Overly restrictive posthog-js peer dependency breaks backward compatibility

What fails: The posthog-js peer dependency constraint in package.json was changed from ^1.0.0 to ^1.321.2 (commit 1536ad2), restricting supported versions to 1.321.2+ and rejecting all prior versions (1.0.0-1.321.1) that would previously install.

How to reproduce:

# User has posthog-js 1.200.0 installed (legitimate version under old ^1.0.0 constraint)
npm install @nuxt/scripts
# After update, npm now rejects this version because 1.200.0 does not satisfy ^1.321.2

Result: npm/pnpm install fails with: "posthog-js@1.200.0 not satisfied by ^1.321.2"

Expected: The peer dependency should remain at ^1.0.0 (or similar permissive constraint) since:

  • Code only uses posthog.init() and basic config options (api_host, capture_pageview, disable_session_recording) available since 1.0.0
  • The devDependency update was only a patch bump (1.222.0 → 1.321.2), not a major version requiring API changes
  • Peer dependencies should be permissive to maximize compatibility
  • Semantic versioning guidance indicates patch/minor version updates within the same major version should be backward compatible

This change appears to be an error from automated dependency update tooling (Renovate) that applied the same pinpoint version to both devDependencies and peerDependencies.
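
The range narrowing that both review comments above turn on, as an added example (not code from this repository, Renovate or npm): a small checker for exact and caret ranges that lists which installed versions a range change stops accepting. The function names and the installed-version lists are constructed for illustration, and only plain MAJOR.MINOR.PATCH versions are handled (no pre-release tags or compound ranges).

```javascript
// Added example, not project code. Handles only "X.Y.Z" and "^X.Y.Z".
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) throw new Error(`unsupported version: ${version}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Caret keeps the left-most non-zero component fixed:
// ^1.2.3 -> <2.0.0, ^0.1.0 -> <0.2.0, ^0.0.3 -> <0.0.4
function bounds(range) {
  if (!range.startsWith('^')) {
    const v = parse(range);
    return { lo: v, hi: v, exact: true };
  }
  const lo = parse(range.slice(1));
  let idx = lo.findIndex((n) => n !== 0);
  if (idx === -1) idx = 2; // ^0.0.0 only admits 0.0.0
  const hi = lo.map((n, k) => (k < idx ? n : k === idx ? n + 1 : 0));
  return { lo, hi, exact: false };
}

function satisfies(version, range) {
  const v = parse(version);
  const { lo, hi, exact } = bounds(range);
  if (exact) return compare(v, lo) === 0;
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Versions accepted by the old range that the new range rejects.
function dropped(oldRange, newRange, installed) {
  return installed.filter((v) => satisfies(v, oldRange) && !satisfies(v, newRange));
}

// Ranges appear on this page; the installed versions are constructed samples.
const changes = [
  ['posthog-js', '^1.0.0', '^1.321.2', ['1.200.0', '1.321.2', '1.396.3']],
  ['@types/youtube', '^0.1.0', '^0.3.0', ['0.1.2', '0.3.0']],
  ['@nuxt/ui', '^4.2.1', '4.2.1', ['4.2.1', '4.3.0']],
];
for (const [name, from, to, installed] of changes) {
  console.log(name, from, '->', to, 'drops', dropped(from, to, installed));
}
```

The `@types/youtube` row shows why a "minor" bump of a 0.x peer range is not additive: `^0.1.0` and `^0.3.0` share no versions at all.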

socket-security Bot commented Apr 29, 2026

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

socket-security Bot commented Jun 30, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

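| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Updated | posthog-js@1.396.4 ⏵ 1.396.3 | 66 -17 | 100 | 81 | 100 | 100 |
| Updated | oxc-parser@0.126.0 ⏵ 0.138.0 | 90 | 100 | 100 +1 | 95 | 100 |
| Added | vue-tsc@3.3.6 | 100 | 100 | 92 | 96 | 100 |
| Added | @paypal/paypal-js@10.0.2 | 100 | 100 | 100 | 99 | 100 |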
