chore(deps): update support-deps

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@commitlint/cli (source)	21.0.1 → 21.0.2			devDependencies	patch
@commitlint/config-conventional (source)	21.0.1 → 21.0.2			devDependencies	patch
@vitest/coverage-v8 (source)	4.1.6 → 4.1.7			devDependencies	patch	4.1.8
actions/checkout (changelog)	de0fac2 → df4cb1c			action	digest
astral-sh/uv	0.11.15 → 0.11.17				patch	0.11.19 (+1)
astral-sh/uv	0.11.15 → 0.11.17			uses-with	patch	0.11.19 (+1)
defenseunicorns/uds-cli	v0.31.0 → v0.32.0				minor
defenseunicorns/uds-common	v1.24.11 → v1.24.12				patch
ghcr.io/zarf-dev/packages/init	v0.76.0 → v0.77.0				minor
github/codeql-action	v4.35.5 → v4.36.0			action	minor	v4.36.1
likec4 (source)	1.56.0 → 1.57.0			devDependencies	minor
redis	8.6.3 → 8.8.0				minor
semver	7.8.0 → 7.8.1			dependencies	patch
vitest (source)	4.1.6 → 4.1.7			devDependencies	patch	4.1.8
zarf-dev/zarf	v0.76.0 → v0.77.0				minor

---

Release Notes

conventional-changelog/commitlint (@​commitlint/cli)

v21.0.2

Compare Source

Bug Fixes

• disallow same commit hash for --from and --to (#​4773) (121005e)

conventional-changelog/commitlint (@​commitlint/config-conventional)

v21.0.2

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.7

Compare Source

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in #​10384 (4f0f2)

    View changes on GitHub

astral-sh/uv (astral-sh/uv)

v0.11.17

Compare Source

Released on 2026-05-28.

Enhancements

• Add a diagnostic for uv add with standard library modules (#​19572)
• Expose uv workspace and its list subcommand in help output (#​19533)
• Improve the "403 forbidden" hint to suggest ignore-error-codes when applicable (#​19521)
• Skip direct URL lock freshness checks while offline (#​19596)
• Add import-names and import-namespaces support to uv-build (PEP 794) (#​19380)
• Add a --no-editable-package flag to various commands (#​19584)
• Infer Python version requests from source trees in uv tool invocations (#​19577)

Preview features

• Add module owners to uv workspace metadata (#​19122)
• Do not allow uv venv --clear to remove non-virtual environments (#​19595)

Bug fixes

• Improve the performance of large entries in tool.uv.conflicts (#​19538)
• Avoid modifying the parent process' env with --env-file in uv run (#​19567)
• Fix script environment creation for scripts with long filenames (#​19539)
• Fix transitive Git archive dependencies in lockfiles (#​19589)
• Preserve Git repository URLs in direct URL metadata (#​19590)
• Support redirects in --check-url (#​19594)
• Accept case-insensitive HTML tags in --find-links parsing (#​19537)
• Reject duplicate script metadata blocks (#​19544)
• Ban names like "python3" as script entry points (#​19535, #​19536)
• Validate Git LFS artifacts for Git archives (#​19592)
• Use a relative path when creating symlinks in cache to improve relocatability (#​19033)

Documentation

• Fix malformed positional anchors in the CLI reference (#​19575)

v0.11.16

Compare Source

Released on 2026-05-21.

Enhancements

• Add support for direct archive dependencies in Git (#​10072)
• Adjust hint rendering (#​18090)

Preview features

• uv audit: specialize malformed OSV error (#​19515)
• Reject locked malware installations (#​18936)

Configuration

• Allow disabling reading the system config with UV_NO_SYSTEM_CONFIG (#​19476)

Bug fixes

• Allow environment variables that take a list to be empty (#​19503)
• Ensure that incompatible wheel hints do not leak secrets (#​19504)
• Reject unsafe entry points in uv-build (#​19495)
• Restrict delimiters in entry point parsing (#​19471)
• uv-netrc: fix multi-word no-space comment lines causing parse errors (#​19494)

Documentation

• Document and test relative exclude-newer support for uv pip (#​19475)

defenseunicorns/uds-cli (defenseunicorns/uds-cli)

v0.32.0

Compare Source

What's Changed

• chore: add SECURITY.md with vulnerability reporting policy by @​daveworth in #​1390
• feat: add keyless signature verification for Zarf packages by @​emoskito in #​1393
• chore(deps): update test-dependencies to v6.12.0 by @​renovate[bot] in #​1389
• chore(deps): update github-actions and golangci-lint by @​emoskito in #​1396

New Contributors

• @​daveworth made their first contribution in #​1390

Full Changelog: defenseunicorns/uds-cli@v0.31.0...v0.32.0

defenseunicorns/uds-common (defenseunicorns/uds-common)

v1.24.12

Compare Source

Miscellaneous

• deps: update uds common foundation dependencies to v1.5.0 (#​684) (69baa44)
• deps: update uds common support dependencies (#​678) (fc11b2c)
• remove verify badge (#​683) (5d26c78)
• swap from oras setup task to shell (#​680) (df4991b)

github/codeql-action (github/codeql-action)

v4.36.0

Compare Source

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #​3894
• Add support for SHA-256 Git object IDs. #​3893
• Update default CodeQL bundle version to 2.25.5. #​3926

likec4/likec4 (likec4)

v1.57.0

Compare Source

Minor Changes

• #​2968 590864d Thanks @​farhan523! - Add --public option (alias --public-dir) to likec4 build and likec4 start for specifying a directory that Vite serves and copies as-is into the output (Vite's publicDir). Files in this directory are preserved in the build output, including when --output-single-file is used. Resolves #​1941.

• #​2935 35ba3f6 Thanks @​Kiiv! - feat: add includeAncestors property to deployment views to include all ancestors of visible nodes. Fix #​1483

Patch Changes

• #​2971 3e0d071 Thanks @​farhan523! - Add --allowed-host option to likec4 start (serve / dev) for scoping which hostnames are allowed to access the dev server (Vite's server.allowedHosts). Can be repeated. When omitted, all hosts are allowed (current behaviour). Resolves #​1650.

• #​2950 dcbf674 Thanks @​ckeller42! - Add --description to PNG and JPEG exports to include the view title and Markdown description in generated images.

• #​2950 dcbf674 Thanks @​ckeller42! - Add --notation to PNG and JPEG exports to include non-overlapping view notation in generated images.

• #​2952 0a1b751 Thanks @​kieronlanning! - Fix single-project overview page always showing the CLI --title value instead of the title from likec4.config.json

• #​2969 116f482 Thanks @​ckeller42! - Fixes #​2962 by showing relationship popovers in static embedded views generated with likec4 build.

• 1540465 Thanks @​davydkov! - Fix css bundling for react/webcomponents (when rendered in shadow root)

• #​2976 783155b Thanks @​davydkov! - Drop the react-shadow dependency and inline shadow-root rendering directly. Mark use-sync-external-store as external to avoid duplicate React internals.

• #​2947 3726863 Thanks @​kieronlanning! - Add --hmr-port option to the start CLI command for specifying the HMR WebSocket port.

  The port can also be set via the HMR_PORT environment variable. If neither is provided, a free port is auto-discovered in the range 24678–24690.

• 2e41ccf Thanks @​davydkov! - Fix validation of browser property in webcomponent (accepts string values "true"/"false"/"yes"/"no")

  Closes #​2936

• #​2976 783155b Thanks @​davydkov! - Chore (contributors): upgrade to pnpm 11.

  packageManager is now pnpm@11.2.2 and .tool-versions was bumped accordingly. Workspace overrides, allowBuilds, and patchedDependencies were moved from the root package.json into pnpm-workspace.yaml (pnpm 11 layout).

• Updated dependencies [311b93d, 35ba3f6]:

  • @​likec4/core@​1.57.0
  • @​likec4/icons@​1.46.4

npm/node-semver (semver)

v7.8.1

Compare Source

Bug Fixes

• 17aa702 #​869 strip build metadata before comparator trimming (#​869) (@​owlstronaut)
• 5f3ca13 #​867 handle prerelease bounds in subset (#​867) (@​puneetdixit200, Puneet Dixit)

zarf-dev/zarf (zarf-dev/zarf)

v0.77.0

Compare Source

⚠ BREAKING CHANGES

• signing: resolve auth flow for CI environments (#​4939)
• allow pulling images by index sha (#​4879)

Features

• allow pulling images by index sha (#​4879) (945a26d)
• find-images: 4509 include archives in find image (#​4551) (058754e)
• init: prefer injector image without imagePullSecrets (#​4935) (e46fa25)
• release: signed init packages (#​4934) (158acbc)
• sign: support for keyless signing and offline verification (#​4891) (d0b8665)

Bug Fixes

• signing: resolve auth flow for CI environments (#​4939) (bc60685)

Full Changelog: zarf-dev/zarf@v0.77.0-rc1...v0.77.0

Verifying Init Packages

The init packages in this release are signed with keyless Sigstore signing. Verify with:

amd64:

zarf package verify zarf-init-amd64-v0.77.0.tar.zst \
  --certificate-identity "https://github.com/zarf-dev/zarf/.github/workflows/release.yml@refs/tags/v0.77.0" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

arm64:

zarf package verify zarf-init-arm64-v0.77.0.tar.zst \
  --certificate-identity "https://github.com/zarf-dev/zarf/.github/workflows/release.yml@refs/tags/v0.77.0" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

See RELEASES.md for details.

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.