chore(deps): update all non-major dependencies with stable version (minor) - autoclosed

[renovate]

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@commitlint/cli (source)	^19.6.1 -> ^19.8.1			devDependencies	minor
@commitlint/config-conventional (source)	^19.6.0 -> ^19.8.1			devDependencies	minor
@evilmartians/lefthook	^1.10.1 -> ^1.13.0			devDependencies	minor	1.13.4 (+3)
node (source)	22.12.0 -> 22.19.0				minor	v22.20.0
node (source)	22.12.0 -> 22.19.0			volta	minor	v22.20.0
node (source)	>=22.12.0 -> >=22.19.0			engines	minor	v22.20.0
typescript (source)	^5.7.2 -> ^5.9.2			devDependencies	minor
unbuild	^3.2.0 -> ^3.6.1			devDependencies	minor

---

Release Notes

conventional-changelog/commitlint (@​commitlint/cli)

v19.8.1

Compare Source

Bug Fixes

• update dependency tinyexec to v1 (#​4332) (e49449f)

v19.8.0

Compare Source

Performance Improvements

• use node: prefix to bypass require.cache call for builtins (#​4302) (0cd8f41)

19.7.1 (2025-02-02)

Note: Version bump only for package @​commitlint/cli

19.6.1 (2024-12-15)

Note: Version bump only for package @​commitlint/cli

v19.7.1

Compare Source

Note: Version bump only for package @​commitlint/cli

conventional-changelog/commitlint (@​commitlint/config-conventional)

v19.8.1

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

v19.8.0

Compare Source

Performance Improvements

• use node: prefix to bypass require.cache call for builtins (#​4302) (0cd8f41)

19.7.1 (2025-02-02)

Note: Version bump only for package @​commitlint/config-conventional

v19.7.1

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

evilmartians/lefthook (@​evilmartians/lefthook)

v1.13.0

Compare Source

• fix: use batched cmd for calculating git hashes (#​1116) by @​mrexox
• fix: add mutex to prevent concurrent git adds (#​1115) by @​mrexox
• refactor: improve structuring (#​1103) by @​mrexox
• feat: fail on change (#​1095) by @​olivier-lacroix
• fix: set --force for git add command (#​1104) by @​michaelm
• feat: recursively log successful results in summary (#​1108) by @​siler
• fix: groups with successes and skips are successful (#​1107) by @​siler

v1.12.4

Compare Source

• deps: September 2025 (#​1102) by @​mrexox
• feat: add tags argument (#​1101) by @​mrexox
• chore: bump github.com/go-viper/mapstructure/v2 (#​1094)

v1.12.3

Compare Source

• feat: add MIME types to file_types filters (#​1092)
• fix: respect LEFTHOOK_CONFIG in lefthook install (#​1090) by @​TECHNOFAB11
• docs: update pnpm installation note (#​1089) by @​skoch13
• docs: improve wording of run, files, and files-global config descriptions, document that the sh shell is used (#​1086) by @​ItsHarper
• docs: 404 for local-config (#​1082) by @​rammanoj
• docs: fix typo (#​1079) by @​eai04191

v1.12.2

Compare Source

• feat: add implicit template lefthook_job_name (#​1074)
• docs: restructure documentation (#​1075) by @​mrexox
• feat: allow overriding config path using LEFTHOOK_CONFIG env (#​1072) by @​TECHNOFAB11

v1.12.1

Compare Source

• feat: add check-install command (#​1064) by @​mrexox
• chore: only check if local configs exist by @​mrexox
• feat: allow using local config only (#​1071) by @​sj26

v1.12.0

Compare Source

• feat: allow installing only specific hooks (#​1069)
• refactor: [breaking] restructure files and folders, remove deprecated options (#​1067)

v1.11.16

Compare Source

• fix: race condition on repo state (#​1066)

v1.11.15

Compare Source

• feat: add exclude arg (#​1063)
• feat: inherit group envs (#​1061)
• fix: apply implicit staged files filter to all files when all files arg given (#​1062)
• deps: bump github.com/kaptinlin/jsonschema to 0.4.5
• deps: bump github.com/knadh/koanf/parsers/yaml to 1.1.0
• deps: bump github.com/knadh/koanf/v2 to 2.2.1 (#​1043)
• fix: friendlier updater error message
• fix: bump goreleaser

v1.11.14

Compare Source

• feat: show time for jobs (#​1044) by @​adeebshihadeh
• ci: update GoReleaser configurations (#​1040) by @​emmanuel-ferdman
• feat: support devbox (#​1031) by @​misogihagi
• chore: regexp use improvements (#​1034) by @​scop
• chore: upgrade golangci-lint to v2, address findings (#​1027) by @​scop

v1.11.13

Compare Source

• deps: May 2025 (#​1024) by @​mrexox
• fix: load scripts from .config too (#​1018) by @​mrexox
• chore: change "existed" to "existing" (#​1022) by @​assyrus-favolo
• docs: fix grammatical error in Local config section (#​1019) by @​dev-kas

v1.11.12

Compare Source

• feat: load from .config dir (#​1017) by @​mrexox
• feat: complete all job names, recursively (#​1015) by @​scop
• docs: update links to mise by @​mrexox

v1.11.11

Compare Source

• deps: koanf and jsonschema (#​1013) by @​mrexox
• feat: add support for mise (#​1007) by @​shahar-py

v1.11.10

Compare Source

• deps: bump github.com/pelletier/go-toml/v2 from 2.2.3 to 2.2.4 (#​1005) (#​1006) by @​mrexox
• feat: add support for uv (#​1004) by @​toshok

v1.11.9

Compare Source

• fix: better logging (#​1003) by @​mrexox
• feat: allow installing hooks in CI (#​1001) by @​caugner
• deps: Dependencies upgrade @​mrexox

v1.11.8

Compare Source

• fix: sh lookup on Windows (#​997) by @​mrexox
• fix: fix command execution error on Windows #​989 (#​992) by @​atsushifx

v1.11.7

Compare Source

• fix: avoid error logging when determining pre push files (#​995) by @​mrexox
• docs: allow duplicate files in SUMMARY (#​988) by @​mrexox
• fix: unquote paths to valid UTF-8 (#​987) by @​mrexox
• packaging: aur fixes (#​985) by @​mrexox

v1.11.6

Compare Source

• fix: print git errors (#​984) by @​mrexox
• packaging: maintain lefthook-bin AUR package (#​982) by @​mrexox
• chore: fancier logging (#​983) by @​mrexox
• docs: remove a note about the difference for unix-like and windows by @​mrexox

v1.11.5

Compare Source

• fix: windows scripts issues (#​979) by @​mrexox

v1.11.4

Compare Source

• feat: support lefthook as go tool (#​976) by @​nmoniz
• fix: use dedicated build path for swift plugin (#​978) by @​csjones
• deps: March 2025 (#​977) by @​mrexox
• docs: update pnpm install command in the installation guide (#​974) by @​hoosierhuy

v1.11.3

Compare Source

• fix: remote cloning issues (#​969) by @​mrexox

v1.11.2

Compare Source

• fix: do not inherit envs in remote Git commands (#​963) by @​mrexox

v1.11.1

Compare Source

• fix: race condition on repo state (#​1066)

v1.11.0

Compare Source

• perf: speed up git commands (#​956) by @​judofyr

v1.10.11

Compare Source

• deps: bump github.com/spf13/cobra from 1.8.1 to 1.9.1 (#​952) (#​958) by @​mrexox
• fix: add $schema property (#​942) by @​mst-mkt
• deps: bump github.com/briandowns/spinner from 1.23.1 to 1.23.2 (#​935) (#​940) by @​mrexox

v1.10.10

Compare Source

• feat: allow providing a list of globs (#​937) by @​mrexox
• fix: properly inherit exclude options when not overwritten (#​936) by @​mrexox

v1.10.9

Compare Source

• fix: make uninstall --remove-configs description more accurate (#​934) by @​scop

v1.10.8

Compare Source

• feat: add custom plain templates (#​930) by @​mrexox
• fix: unique names for nested operations (#​931) by @​mrexox

v1.10.7

Compare Source

• fix: use lefthook option in ghost hook too (#​929) by @​mrexox
• feat: add schema.json to npm packages (#​928) by @​mrexox
• fix: increase timeout for self-update to 2 mins by @​mrexox

v1.10.6

Compare Source

Changelog

• 3d0f05d chore: cleanup dotfiles
• 9873cee chore: remove .lefthook.toml
• 6d6977f feat: add schema.json to npm packages (#​928)
• 6621921 fix: increase timeout for self-update to 2 mins
• e8bf594 fix: typo
• ce2058d fix: use lefthook option in ghost hook too (#​929)

v1.10.5

Compare Source

• feat: add lefthook option for custom path or command (#​927) by @​mrexox
• chore: update config template with new jobs by @​mrexox

v1.10.4

Compare Source

• fix: avoid skipping pre commit when deleted files staged (#​925) by @​mrexox
• fix: use roots from jobs for possible npm package location (#​924) by @​mrexox
• deps: January 2025 (#​926) by @​mrexox

v1.10.3

Compare Source

• fix: replace cmd in jobs (#​918) by @​mrexox

v1.10.2

Compare Source

nodejs/node (node)

v22.19.0

Compare Source

v22.18.0

Compare Source

v22.17.1

Compare Source

v22.17.0: 2025-06-24, Version 22.17.0 'Jod' (LTS), @​aduh95

Compare Source

Notable Changes

⚠️ Deprecations

Instantiating node:http classes without new

Constructing classes like IncomingMessage or ServerResponse without the new
keyword is now discouraged. This clarifies API expectations and aligns with standard
JavaScript behavior. It may warn or error in future versions.

Contributed by Yagiz Nizipli in #​58518.

options.shell = "" in node:child_process

Using an empty string for shell previously had undefined behavior. This change
encourages explicit choices (e.g., shell: true or a shell path) and avoids
relying on implementation quirks.

Contributed by Antoine du Hamel and Renegade334 #​58564.

HTTP/2 priority signaling

The HTTP/2 prioritization API (e.g., stream.priority) is now deprecated due to
poor real-world support. Applications should avoid using priority hints and expect future removal.

Contributed by Matteo Collina and Antoine du Hamel #​58313.

✅ Features graduated to stable

assert.partialDeepStrictEqual()

This method compares only a subset of properties in deep object comparisons,
useful for flexible test assertions. Its stabilization means it's now safe for
general use and won't change unexpectedly in future releases.

Contributed by Ruben Bridgewater in #​57370.

Miscellaneous

• dirent.parentPath
• filehandle.readableWebStream()
• fs.glob()
• fs.openAsBlob()
• node:readline/promises
• port.hasRef()
• readable.compose()
• readable.iterator()
• readable.readableAborted
• readable.readableDidRead
• Duplex.fromWeb()
• Duplex.toWeb()
• Readable.fromWeb()
• Readable.isDisturbed()
• Readable.toWeb()
• stream.isErrored()
• stream.isReadable()
• URL.createObjectURL()
• URL.revokeObjectURL()
• v8.setHeapSnapshotNearHeapLimit()
• Writable.fromWeb()
• Writable.toWeb()
• writable.writableAborted
• Startup Snapshot API
• ERR_INPUT_TYPE_NOT_ALLOWED
• ERR_UNKNOWN_FILE_EXTENSION
• ERR_UNKNOWN_MODULE_FORMAT
• ERR_USE_AFTER_CLOSE

Contributed by James M Snell in
#​57513 and
#​58541.

Semver-minor features

🔧 fs.FileHandle.readableWebStream gets autoClose option

This gives developers explicit control over whether the file descriptor should
be closed when the stream ends. Helps avoid subtle resource leaks.

Contributed by James M Snell in #​58548.

🔧 fs.Dir now supports explicit resource management

This improves ergonomics around async iteration of directories. Developers can
now manually control when a directory is closed using .close() or with Symbol.asyncDispose.

Contributed by Antoine du Hamel in #​58206.

📊 http2 gains diagnostics channel: http2.server.stream.finish

Adds observability support for when a stream finishes. Useful for logging,
monitoring, and debugging HTTP/2 behavior without patching internals.

Contributed by Darshan Sen in #​58560.

🔐 Permissions: implicit allow-fs-read to entrypoint

Node.js permissions model now allows read access to the entry file by default.
It makes running permission-restricted apps smoother while preserving security.

Contributed by Rafael Gonzaga in #​58579.

🎨 util.styleText() adds 'none' style

This lets developers remove styling cleanly without hacks. Useful for overriding
inherited terminal styles when composing styled strings.

Contributed by James M Snell in #​58437.

🧑‍💻 Community updates

• [0105c13556] - doc: add Filip Skokan to TSC (Rafael Gonzaga) #​58499
• [3b857735ef] - doc: add JonasBa to collaborators (Jonas Badalic) #​58355
• [fdf7612735] - doc: add puskin to collaborators (Giovanni Bucci) #​58308

Commits

• [ffe7e1ace0] - (SEMVER-MINOR) assert: mark partialDeepStrictEqual() as stable (Ruben Bridgewater) #​57370
• [269931f289] - async_hooks: ensure AsyncLocalStore instances work isolated (Gerhard Stöbich) #​58149
• [9e0746a4ff] - benchmark: fix broken fs.cpSync benchmark (Dario Piotrowicz) #​58472
• [dee8cb5bcb] - benchmark: add more options to cp-sync (Sonny) #​58278
• [e840fd5b85] - benchmark: fix typo in method name for error-stack (Miguel Marcondes Filho) #​58128
• [b9a16e97e0] - buffer: give names to Buffer.prototype.*Write() functions (Livia Medeiros) #​58258
• [d56a5e40af] - buffer: use constexpr where possible (Yagiz Nizipli) #​58141
• [215587feca] - build: add support for OpenHarmony operating system (hqzing) #​58350
• [9bcef6821c] - build: fix uvwasi pkgname (Antoine du Hamel) #​58270
• [7c3883c2ae] - build: search for libnode.so in multiple places (Jan Staněk) #​58213
• [3f954accb3] - build: fix pointer compression builds (Joyee Cheung) #​58171
• [04c8f59f84] - build: use FILE_OFFSET_BITS=64 esp. on 32-bit arch (RafaelGSS) #​58090
• [8c2cf3a372] - build: use //third_party/simdutf by default in GN (Shelley Vohr) #​58115
• [cff8006792] - child_process: give names to ChildProcess functions (Livia Medeiros) #​58370
• [6816d779b6] - child_process: give names to promisified exec() and execFile() (LiviaMedeiros) #​57916
• [5572cecca4] - crypto: expose crypto.constants.OPENSSL_IS_BORINGSSL (Shelley Vohr) #​58387
• [d6aa02889c] - deps: use proper C standard when building libuv (Yaksh Bariya) #​58587
• [375a6413d5] - deps: update simdjson to 3.12.3 (Node.js GitHub Bot) #​57682
• [e0cd138e52] - deps: update googletest to e9092b1 (Node.js GitHub Bot) #​58565
• [31e592631f] - deps: update corepack to 0.33.0 (Node.js GitHub Bot) #​58566
• [386c24260b] - deps: update sqlite to 3.50.0 (Node.js GitHub Bot) #​58272
• [f84998d40b] - deps: update OpenSSL gen container to Ubuntu 22.04 (Michaël Zasso) #​58432
• [d49fd29859] - deps: update llhttp to 9.3.0 (Fedor Indutny) #​58144
• [e397980a1a] - deps: update libuv to 1.51.0 (Node.js GitHub Bot) #​58124
• [a28c33645c] - dns: fix dns query cache implementation (Ethan Arrowood) #​58404
• [6939b0c624] - doc: fix the order of process.md sections (Allon Murienik) #​58403
• [1ca253c363] - doc: add support link for panva (Filip Skokan) #​58591
• [8319edbcf6] - doc: update metadata for _transformState deprecation (James M Snell) #​58530
• [697d258136] - doc: deprecate passing an empty string to options.shell (Antoine du Hamel) #​58564
• [132fc804e8] - doc: correct formatting of example definitions for --test-shard (Jacob Smith) #​58571
• [7d0df646f6] - doc: clarify DEP0194 scope (Antoine du Hamel) #​58504
• [1e6d7da0ce] - doc: deprecate HTTP/2 priority signaling (Matteo Collina) #​58313
• [5a917bc1d0] - doc: explain child_process code and signal null values everywhere (Darshan Sen) #​58479
• [0105c13556] - doc: add Filip Skokan to TSC (Rafael Gonzaga) #​58499
• [2bdc87cd64] - doc: update git node release example (Antoine du Hamel) #​58475
• [28f9b43186] - doc: add missing options.info for ZstdOptions (Jimmy Leung) #​58360
• [e19496dfc1] - doc: add missing options.info for BrotliOptions (Jimmy Leung) #​58359
• [7f905863db] - doc: clarify x509.checkIssued only checks metadata (Filip Skokan) #​58457
• [5cc97df637] - doc: add links to parent class for node:zlib classes (Antoine du Hamel) #​58433
• [36e0d5539b] - doc: remove remaining uses of @@​wellknown syntax (René) #​58413
• [2f36f8e863] - doc: clarify behavior of --watch-path and --watch flags (Juan Ignacio Benito) #​58136
• [3b857735ef] - doc: add JonasBa to collaborators (Jonas Badalic) #​58355
• [9d5e969bb6] - doc: add latest security release steward (Rafael Gonzaga) #​58339
• [b22bb03167] - doc: fix CryptoKey.algorithm type and other interfaces in webcrypto.md (Filip Skokan) #​58294
• [670f31060b] - doc: mark the callback argument of crypto.generatePrime as mandatory (Allon Murienik) #​58299
• [39d9a61239] - doc: remove comma delimiter mention on permissions doc (Rafael Gonzaga) #​58297
• [573b0b7bfe] - doc: make Stability labels not sticky in Stability index (Livia Medeiros) #​58291
• [a5a686a3ae] - doc: update commit-queue documentation (Dario Piotrowicz) #​58275
• [fdf7612735] - doc: add puskin to collaborators (Giovanni Bucci) #​58308
• [be492a1708] - doc: update stability status for diagnostics_channel to experimental (Idan Goshen) #​58261
• [7d00fc2206] - doc: clarify napi_get_value_string_* for bufsize 0 (Tobias Nießen) #​58158
• [c8500a2c4a] - doc: fix typo of file http.md, outgoingMessage.setTimeout section (yusheng chen) #​58188
• [34a9b856c3] - doc: update return types for eventNames method in EventEmitter (Yukihiro Hasegawa) #​58083
• [faedee59d2] - doc: fix typo in benchmark script path (Miguel Marcondes Filho) #​58129
• [570d8d3f10] - doc: clarify future Corepack removal in v25+ (Trivikram Kamat) #​57825
• [a71b9fc2ff] - doc: mark multiple APIs stable (James M Snell) #​57513
• [73a97d47f3] - doc,lib: update source map links to ECMA426 (Chengzhong Wu) #​58597
• [8b41429499] - doc,src,test: fix typos (Noritaka Kobayashi) #​58477
• [0cea14ec7f] - errors: show url of unsupported attributes in the error message (Aditi) #​58303
• [b9586bf898] - (SEMVER-MINOR) fs: add autoClose option to FileHandle readableWebStream (James M Snell) #​58548
• [72a1b061f3] - fs: unexpose internal constants (Chengzhong Wu) #​58327
• [5c36510dec] - fs: add support for URL for fs.glob's cwd option (Antoine du Hamel) #​58182
• [3642b0d944] - fs: improve cpSync no-filter copyDir performance (Dario Piotrowicz) #​58461
• [24865bc7e8] - fs: improve cpSync dest overriding performance (Dario Piotrowicz) #​58160
• [1b3847694d] - (SEMVER-MINOR) fs: add to Dir support for explicit resource management (Antoine du Hamel) #​58206
• [cff62e3265] - fs: ensure dir.read() does not throw synchronously (Antoine du Hamel) #​58228
• [cb39e4ca1f] - fs: glob is stable, so should not emit experimental warnings (Théo LUDWIG) #​58236
• [597bfefbe1] - http: deprecate instantiating classes without new (Yagiz Nizipli) #​58518
• [5298da0102] - http: remove unused functions and add todos (Yagiz Nizipli) #​58143
• [cff440e0fa] - http,https: give names to anonymous or misnamed functions (Livia Medeiros) #​58180
• [43bf1f619a] - http2: add raw header array support to h2Session.request() (Tim Perry) #​57917
• [e8a0f5b063] - http2: add lenient flag for RFC-9113 (Carlos Fuentes) #​58116
• [49cb90d4a5] - (SEMVER-MINOR) http2: add diagnostics channel 'http2.server.stream.finish' (Darshan Sen) #​58560
• [6a56c68728] - http2: add diagnostics channel 'http2.server.stream.error' (Darshan Sen) #​58512
• [59806b41d3] - http2: add diagnostics channel 'http2.server.stream.start' (Darshan Sen) #​58449
• [d3d662ae47] - http2: remove no longer userful options.selectPadding (Jimmy Leung) #​58373
• [dec6c9af8c] - http2: add diagnostics channel 'http2.server.stream.created' (Darshan Sen) #​58390
• [9e98899986] - http2: add diagnostics channel 'http2.client.stream.close' (Darshan Sen) #​58329
• [86610389d8] - http2: add diagnostics channel 'http2.client.stream.finish' (Darshan Sen) #​58317
• [2d3071671e] - http2: add diagnostics channel 'http2.client.stream.error' (Darshan Sen) #​58306
• [6c3e426d6f] - http2: add diagnostics channel 'http2.client.stream.start' (Darshan Sen) #​58292
• [b99d131a61] - http2: add diagnostics channel 'http2.client.stream.created' (Darshan Sen) #​58246
• [b0644330f5] - http2: give name to promisified connect() (LiviaMedeiros) #​57916
• [4092d3611a] - inspector: add mimeType and charset support to Network.Response (Shima Ryuhei) #​58192
• [d7d8599f7c] - inspector: add protocol method Network.dataReceived (Chengzhong Wu) #​58001
• [aabafbc28f] - inspector: support for worker inspection in chrome devtools (Shima Ryuhei) #​56759
• [20d978de9a] - lib: make ERM functions into wrappers returning undefined (Livia Medeiros) #​58400
• [13567eac5f] - (SEMVER-MINOR) lib: graduate error codes that have been around for years (James M Snell) #​58541
• [342b5a0d7a] - lib: remove no-mixed-operators eslint rule (Ruben Bridgewater) #​58375
• [af7baef75a] - lib: fix sourcemaps with ts module mocking (Marco Ippolito) #​58193
• [8f73f42d4e] - meta: bump github/codeql-action from 3.28.16 to 3.28.18 (dependabot[bot]) #​58552
• [5dfedbeb86] - meta: bump codecov/codecov-action from 5.4.2 to 5.4.3 (dependabot[bot]) #​58551
• [53c50f66f5] - meta: bump step-security/harden-runner from 2.11.0 to 2.12.0 (dependabot[bot]) #​58109
• [a1a7024831] - meta: bump ossf/scorecard-action from 2.4.1 to 2.4.2 (dependabot[bot]) #​58550
• [a379988ef6] - meta: bump rtCamp/action-slack-notify from 2.3.2 to 2.3.3 (dependabot[bot]) #​58108
• [f6a46c87f2] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #​58456
• [98b6aa0dcd] - meta: bump github/codeql-action from 3.28.11 to 3.28.16 (dependabot[bot]) #​58112
• [[5202b262e3](https://redirect.github.com/nodejs/

---

Configuration

📅 Schedule: Branch creation - "before 5am every weekday" in timezone America/New_York, Automerge - "every weekday" in timezone America/New_York.

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.