fix(deps): update all non-major dependencies

[renovate-sh-app]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@cubejs-client/core (source)	1.6.43 → 1.6.55			devDependencies	patch	1.6.57 (+1)
@grafana/data (source)	13.0.1 → 13.0.2			dependencies	patch
@grafana/i18n (source)	13.0.1 → 13.0.2			dependencies	patch
@grafana/plugin-e2e (source)	3.7.0 → 3.9.0			devDependencies	minor
@grafana/plugin-ui	0.13.1 → 0.14.0			dependencies	minor
@grafana/runtime (source)	13.0.1 → 13.0.2			dependencies	patch
@grafana/schema (source)	13.0.1 → 13.0.2			dependencies	patch
@grafana/sign-plugin (source)	3.2.2 → 3.3.0			devDependencies	minor
@grafana/tsconfig (source)	2.1.0 → 2.2.0			devDependencies	minor
@grafana/ui (source)	13.0.1 → 13.0.2			dependencies	patch
@playwright/test (source)	1.59.1 → 1.60.0			devDependencies	minor
@swc/core (source)	1.15.33 → 1.15.40			devDependencies	patch	1.15.41
@swc/helpers (source)	0.5.21 → 0.5.23			devDependencies	patch
@tanstack/react-query (source)	5.100.9 → 5.101.0			dependencies	minor
@tanstack/react-query-devtools (source)	5.100.9 → 5.101.0			dependencies	minor
@types/node (source)	24.12.2 → 24.13.1			devDependencies	minor
@types/react (source)	18.3.28 → 18.3.31			devDependencies	patch
@typescript-eslint/eslint-plugin (source)	8.59.1 → 8.60.1			devDependencies	minor	8.61.0
@typescript-eslint/parser (source)	8.59.1 → 8.60.1			devDependencies	minor	8.61.0
actions/checkout (changelog)	de0fac2 → df4cb1c			action	digest
cubejs/cube	43412ba → 79890b1				digest
eslint-plugin-jsdoc	63.0.0 → 63.0.2			devDependencies	patch
github.com/grafana/grafana-plugin-sdk-go	v0.292.0 → v0.292.1			require	patch
grafana/grafana-enterprise	f7e79dc → c2dcc96			final	digest
jest (source)	30.3.0 → 30.4.2			devDependencies	minor
jest-environment-jsdom (source)	30.3.0 → 30.4.1			devDependencies	minor
node (source)	24.15.0 → 24.16.0				minor
node (source)	24.15.0 → 24.16.0			volta	minor
npm (source)	11.12.1 → 11.16.0			packageManager	minor
postgres	7848165 → 8ff36f3				digest
sass	1.99.0 → 1.100.0			devDependencies	minor
semver	7.7.4 → 7.8.2			devDependencies	minor	7.8.4 (+1)
terser-webpack-plugin	5.5.0 → 5.6.1			devDependencies	minor
webpack	5.106.2 → 5.107.2			devDependencies	minor
webpack-cli (source)	7.0.2 → 7.0.3			devDependencies	patch

---

Release Notes

cube-js/cube (@​cubejs-client/core)

v1.6.55

Compare Source

Note: Version bump only for package @​cubejs-client/core

v1.6.54

Compare Source

Note: Version bump only for package @​cubejs-client/core

v1.6.53

Compare Source

Note: Version bump only for package @​cubejs-client/core

v1.6.52

Compare Source

Note: Version bump only for package @​cubejs-client/core

v1.6.51

Compare Source

Note: Version bump only for package @​cubejs-client/core

v1.6.50

Compare Source

Note: Version bump only for package @​cubejs-client/core

v1.6.49

Compare Source

Note: Version bump only for package @​cubejs-client/core

v1.6.48

Compare Source

Note: Version bump only for package @​cubejs-client/core

v1.6.47

Compare Source

Note: Version bump only for package @​cubejs-client/core

v1.6.46

Compare Source

Note: Version bump only for package @​cubejs-client/core

v1.6.45

Compare Source

Note: Version bump only for package @​cubejs-client/core

v1.6.44

Compare Source

Note: Version bump only for package @​cubejs-client/core

grafana/grafana (@​grafana/data)

v13.0.2

Compare Source

grafana/grafana (@​grafana/i18n)

v13.0.2: 13.0.2

Compare Source

Download page
What's new highlights

Features and enhancements

• Dashboards: Show k8s format in provisioned save #​123045, @​stephaniehingtgen
• Docker: Bump Alpine-based images to 3.23.4 #​122938, @​Proximyst
• Go: Update version to 1.26.3 #​124454, @​macabu
• Homepage: Support v2 dashboards if defined by a file #​123029, @​stephaniehingtgen
• LibraryPanels: Return 403 instead of 500 for insufficient permissions #​123467, @​MissingRoberto
• Provisioning: Don't mark folders pending due to _folder.json metadata #​124139, @​MissingRoberto
• Provisioning: Honor ruleset bypass for write workflow validation #​124128, @​MissingRoberto
• Provisioning: Negotiate receive-pack capabilities for git pushes #​124130, @​MissingRoberto
• Provisioning: Per-verb fallback for the files subresource #​123900, @​MissingRoberto
• Provisioning: Scope repository uniqueness by (URL, branch, path) #​124121, @​ferruvich
• Provisioning: Surface folder uid-too-long and other validation 4xx as sync warnings #​123888, @​MissingRoberto
• Provisioning: add public_root_url instance setting for external URLs #​124258, @​MissingRoberto

Bug fixes

• DashboardDS: Fix Mixed panels not updating on time-range change with stale upstreams #​124894, @​ivanortegaalba
• Jaeger: Fix log event timestamp unit conversion in trace view #​123707, @​ktw4071
• K8s Dashboards: Fix folder permission check to use dashboards:create #​124942, @​mihai-turdean
• PostgreSQL: Allow sql_engine to return results for EXPLAIN queries #​123246, @​sdague
• Provisioning: Bump nanogit to v0.17.0 to fix pushes with repositories using git modules #​124140, @​MissingRoberto
• RBAC: Quick fix for global datasource permissions (Enterprise)
• Security: CVE-2026-9029
• Security: CVE-2026-33382
• Security: CVE-2026-42127
• Security: CVE-2026-42129
• Security: CVE-2026-10601
• Security: CVE-2026-8609
• Security: CVE-2026-8595

grafana/plugin-tools (@​grafana/plugin-e2e)

v3.9.0

Compare Source

🐛 Bug Fix

• Plugin E2E: Fix flaky alerting, TLS, and permissions tests on slow CI #​2675 (@​mckn)

Authors: 1

• Marcus Andersson (@​mckn)

---

v3.8.0

Compare Source

v3.7.2

Compare Source

🐛 Bug Fix

• Plugin E2E: Select MultiSelect options sequentially #​2626 (marcusandersson@Marcuss-MBP.lan)
• Update dependency @​grafana/e2e-selectors to v13.1.0-25644485979 #​2623 (@​renovate-sh-app[bot])

Authors: 2

• @​renovate-sh-app[bot]
• Marcus Andersson (@​mckn)

---

v3.7.1

Compare Source

🐛 Bug Fix

• Chore: Update slider selector #​2604 (@​ashharrison90)
• Plugin E2E: Fix addPanel timeout when dashboardNewLayouts is disabled #​2612 (@​sunker)

Authors: 2

• Ashley Harrison (@​ashharrison90)
• Erik Sundell (@​sunker)

---

grafana/plugin-ui (@​grafana/plugin-ui)

v0.14.0

Compare Source

• Added/Moved components from @grafana/async-query-data package from https://github.com/grafana/grafana-async-query-data-js

grafana/grafana (@​grafana/runtime)

v13.0.2

Compare Source

grafana/grafana (@​grafana/schema)

v13.0.2

Compare Source

grafana/plugin-tools (@​grafana/sign-plugin)

v3.3.0

Compare Source

grafana/plugin-tools (@​grafana/tsconfig)

v2.2.0

Compare Source

grafana/grafana (@​grafana/ui)

v13.0.2

Compare Source

microsoft/playwright (@​playwright/test)

v1.60.0

Compare Source

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});

await page.locator('#dropzone').drop({
  data: {
    'text/plain': 'hello world',
    'text/uri-list': 'https://example.com',
  },
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

• Event browser.on('context') — fired when a new context is created on the browser.
• BrowserContext now mirrors lifecycle events from its pages: browserContext.on('download'), browserContext.on('frameattached'), browserContext.on('framedetached'), browserContext.on('framenavigated'), browserContext.on('pageclose'), browserContext.on('pageload').

Locators and Assertions

• New option description in page.getByRole() / locator.getByRole() / frame.getByRole() / frameLocator.getByRole() for matching the accessible description.
• New option pseudo in expect(locator).toHaveCSS() reads computed styles from ::before or ::after.
• New option style in locator.highlight() applies extra inline CSS to the highlight overlay, plus new page.hideHighlight() to clear all highlights.

Network

• webSocketRoute.protocols() returns the WebSocket subprotocols requested by the page.
• New option noDefaults in browserType.connectOverCDP() disables Playwright's default overrides on the default context (download behavior, focus emulation, media emulation), so attaching to a user's daily-driver browser doesn't disturb its state.

Errors and Reporting

• New webError.location() mirrors consoleMessage.location().
• consoleMessage.location() now exposes line / column properties (lineNumber / columnNumber are deprecated).
• New testInfoError.errorContext surfaces additional diagnostic context, such as the aria snapshot of the receiver at the time of an expect(...) matcher failure.
• reporter.onError() now receives a workerInfo argument with details about the worker for fixture teardown errors.

Test runner

• New {testFileBaseName} token in testProject.snapshotPathTemplate — file name without extension.
• Test runner now errors when a config tries to override a non-option fixture, and rejects workers: 0 or negative values.

🛠️ Other improvements

• HTML reporter:
  • npx playwright show-report accepts .zip files directly — no need to unzip first.
  • Steps that contain attachments inside nested children show an indicator on the parent step.
  • The repeatEachIndex is shown in the test header when non-zero.
• Trace Viewer adds a pretty-print toggle for JSON / form request and response bodies in the network details panel.

Breaking Changes ⚠️

• Removed long-deprecated APIs:
  • Locator.ariaRef() — use the standard locator.ariaSnapshot() pipeline.
  • handle option on BrowserContext.exposeBinding and Page.exposeBinding.
  • logger option on BrowserType.connect and BrowserType.connectOverCDP — use tracing instead.
  • Context options videosPath / videoSize — use recordVideo instead.

Browser Versions

• Chromium 148.0.7778.96
• Mozilla Firefox 150.0.2
• WebKit 26.4

This version was also tested against the following stable channels:

• Google Chrome 147
• Microsoft Edge 147

swc-project/swc (@​swc/core)

v1.15.40

Compare Source

Bug Fixes

• (es/minifier) Preserve args for destructured callbacks (#​11830) (21873b0)

• (es/minifier) Avoid generating mangled property names that collide with existing properties (#​11839) (9b4fab5)

• (es/minifier) Respect ecma for iife temp vars (#​11873) (e481934)

• (es/minifier) Preserve default parameter object props (#​11884) (71ff84f)

• (es/parser) Reject object-rest assignment to array/object literal (#​11875) (7b57d1f)

• (es/parser) Reject object rest assignment to literals (#​11881) (4ec2eaf)

• (es/react) Exclude self-recursive hooks from refresh dependency array (#​11838) (9101c71)

• (ts/fast-dts) Strip definite assertions in dts (#​11858) (2ab1b8a)

• (ts/fast-strip) Reject unsafe assertion erasure in binary expressions (#​11828) (aa5b539)

• (typescript) Strip parameter binding defaults in dts (#​11857) (800bc17)

Documentation

• Update agent guidance (#​11842) (bf2d015)

• Add security policy (#​11876) (6c43c2d)

• Clarify security scope for npm packages (#​11877) (4662db8)

• Clarify untrusted input security model (#​11882) (5463777)

Features

• (es/minifier) Fine grained effect analysis of class (#​11814) (c9058ad)

• (swc_cli) Implement all features for swc_cli (#​11797) (9300ede)

Miscellaneous Tasks

• (es/minifier) Fix typo in debug log (#​11866) (3de0254)

• (html) Add webcontainer fallback for @swc/html (#​11860) (7692eed)

Performance

• (ecma) Reduce transformer compat overhead (#​11856) (d03cb71)

• (es/codegen) Speed up JsWriter position and srcmap tracking (#​11867) (dbceade)

• (es/codegen) Remove JsWriter last_srcmap cache (#​11869) (3bc1c2b)

• (es/minifier) Reduce minifier profiling hotspots (#​11853) (28c1091)

• Optimize es parser comment finalization (#​11852) (2959ddf)

Testing

• (es/minifier) Move issue_11835 fixture out of terser folder (#​11840) (3dd3431)

Ci

• Update corepack in publish docker jobs (#​11885) (9a7d954)

• Pass publish docker env explicitly (#​11888) (c5f7547)

• Lock issues closed by merged prs (#​11887) (6bd74e5)

• Provide aarch64 musl linker in publish job (#​11889) (20234fd)

• Fix publish musl linker and windows tests (#​11890) (a798a23)

• Make minifier test path explicit (#​11891) (e7cba97)

Security

• Save CI caches only on main (#​11848) (7582529)

• Update rkyv and Rust dependencies (#​11851) (20d92eb)

• Harden PR workflow permissions (#​11849) (e199564)

TanStack/query (@​tanstack/react-query)

v5.101.0

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.101.0

v5.100.14

Compare Source

Patch Changes

• fix(react-query): do not go into optimistic fetching state when not subscribed (#​10759)

• Updated dependencies []:

  • @​tanstack/query-core@​5.100.14

v5.100.13

Compare Source

Patch Changes

• Updated dependencies [d423168]:
  • @​tanstack/query-core@​5.100.13

v5.100.12

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.12

v5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.11

v5.100.10

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.10

TanStack/query (@​tanstack/react-query-devtools)

v5.101.0

Compare Source

Patch Changes

• Updated dependencies [3042860, e631dc3]:
  • @​tanstack/query-devtools@​5.101.0
  • @​tanstack/react-query@​5.101.0

v5.100.14

Compare Source

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14
  • @​tanstack/query-devtools@​5.100.14

v5.100.13

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.13
  • @​tanstack/react-query@​5.100.13

v5.100.12

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.12
  • @​tanstack/react-query@​5.100.12

v5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.11
  • @​tanstack/react-query@​5.100.11

v5.100.10

Patch Changes

• Updated dependencies [4d130b9]:
  • @​tanstack/query-devtools@​5.100.10
  • @​tanstack/react-query@​5.100.10

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.60.1

Compare Source

🩹 Fixes

• eslint-plugin: [no-shadow] correct rule to match ESLint v10 handling (#​12182)
• eslint-plugin: respect ECMAScript line terminators in ts-comment rules (#​12352)

❤️ Thank You

• lumir
• Nevette Bailey @​nevette-bailey

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.60.0

Compare Source

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.4

Compare Source

🩹 Fixes

• eslint-plugin: [no-floating-promises] stack overflow when using recursive types (#​12294)

❤️ Thank You

• Evyatar Daud @​StyleShit

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.3

Compare Source

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.2

Compare Source

🩹 Fixes

• eslint-plugin: [no-deprecated] object destructuring values should be treated as declarations (#​12292)
• eslint-plugin: [no-unsafe-type-assertion] handle crash on recursive template literal types (#​12150)

❤️ Thank You

• Dima Barabash
• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.60.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.60.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.4

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.3

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

[v8.59.2](https://re

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[renovate-sh-app]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 11 additional dependencies were updated

Details:

Package	Change
github.com/apache/arrow-go/v18	v18.5.2 -> v18.6.0
github.com/clipperhouse/uax29/v2	v2.6.0 -> v2.7.0
github.com/goccy/go-json	v0.10.5 -> v0.10.6
github.com/klauspost/compress	v1.18.4 -> v1.18.5
github.com/magefile/mage	v1.17.1 -> v1.17.2
github.com/mattn/go-runewidth	v0.0.19 -> v0.0.20
github.com/pierrec/lz4/v4	v4.1.25 -> v4.1.26
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	v0.67.0 -> v0.68.0
go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace	v0.67.0 -> v0.68.0
go.opentelemetry.io/contrib/propagators/jaeger	v1.42.0 -> v1.43.0
go.opentelemetry.io/contrib/samplers/jaegerremote	v0.36.0 -> v0.37.0