chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@vue/reactivity (source)	^3.5.32 → ^3.5.33
enhanced-resolve	^5.20.1 → ^5.21.0
eslint-plugin-vue (source)	^10.8.0 → ^10.9.0
knip (source)	6.6.0 → 6.9.0
nitropack	^2.13.3 → ^2.13.4
nypm	^0.6.5 → ^0.6.6
pkg-types	^2.3.0 → ^2.3.1
pnpm (source)	10.33.0 → 10.33.2
terser (source)	^5.46.1 → ^5.46.2
typescript-eslint (source)	^8.59.0 → ^8.59.1
ufo	^1.6.3 → ^1.6.4
unimport	^6.1.0 → ^6.2.0

---

Release Notes

vuejs/core (@​vue/reactivity)

v3.5.33

Compare Source

Bug Fixes

• compiler-sfc: handle nested :deep in selector pseudos (#​14725) (bb9d265), closes #​14724
• reactivity: unlink effect scopes on out-of-order off (#​14734) (e7659be), closes #​14733
• runtime-dom: preserve textarea resize dimensions (#​14747) (11fb2fd), closes #​14741
• teleport: don't move teleport children if not mounted (#​14702) (6a61f44), closes #​14701
• transition: preserve placeholder for conditional explicit default slots (#​14748) (45990ce), closes #​14727

webpack/enhanced-resolve (enhanced-resolve)

v5.21.0

Compare Source

Minor Changes

• Added promise API and support to resolve without context and resolveContext. (by @​alexander-akait in #​520)

• Add extensionAliasForExports option. When true, extensionAlias also applies to paths resolved through the package.json exports field. Off by default to match Node.js; opt in for full TypeScript-resolver parity with packages that ship .ts sources alongside the compiled .js they declare in exports. (by @​alexander-akait in #​554)

Patch Changes

• Properly handle DOS device paths (\\?\… and \\.\…). (by @​alexander-akait in #​551)

• Prevent fallback to parent node_modules when the exports field target file is not found. (by @​xiaoxiaojx in #​495)

• Imports field spec deviation: non-relative targets (e.g. "#a": "#b") no longer re-enter imports resolution, aligning with the Node.js ESM spec where PACKAGE_IMPORTS_RESOLVE does not recursively resolve # specifiers. (by @​xiaoxiaojx in #​503)

  Previously { "#a": "#b", "#b": "./the.js" } would chain-resolve #a to ./the.js; now it correctly fails, matching Node.js behavior.

• Move cachedJoin/cachedDirname/createCachedBasename caches from module-level globals to per-Resolver instances. This prevents unbounded memory growth in long-running processes — when a Resolver is garbage collected, its join/dirname/basename caches are released with it. (by @​xiaoxiaojx in #​507)

• Fixed when tsconfig: true is used (default config file) and no tsconfig.json exists. (by @​xiaoxiaojx in #​502)

• Apply the extensionAlias option to the imports field to be align with typescript resolution. (by @​alexander-akait in #​549)

• Improved performance of the many plugins. (by @​alexander-akait in #​529)

• Replace the Set<string>-based resolver stack with a singly-linked StackEntry class that exposes a Set-compatible API. (by @​xiaoxiaojx in #​526)

  Each doResolve call now prepends a single linked-list node instead of cloning the entire Set, making stack push O(1) in time and memory. Recursion detection walks the linked list (O(n)), but because the stack is typically shallow this is much cheaper than cloning a Set per call.

• Cache the result of stripJsonComments + JSON.parse in readJson using a WeakMap keyed by the raw file buffer. This avoids redundant comment-stripping and JSON parsing on every resolve call that reads tsconfig.json files (via stripComments: true), improving TsconfigPathsPlugin warm performance by ~20-35% depending on the depth of the extends chain. (by @​xiaoxiaojx in #​524)

• Avoid OOM in CachedInputFileSystem when duration is Infinity. (by @​alexander-akait in #​527)

vuejs/eslint-plugin-vue (eslint-plugin-vue)

v10.9.0

Compare Source

Minor Changes

• Added "inject" to groups option in vue/no-unused-properties rule (#​3052)

• Added new ignores option to vue/no-literals-in-template rule (#​3072)

• Added support for :single-line/:multi-line pseudo-classes in vue/padding-line-between-tags (#​3025)

• Added new vue/prefer-v-model rule (#​3062)

• Added new vue/prefer-single-event-payload rule (#​3058)

Patch Changes

• Added error end positions for vue/no-irregular-whitespace (#​3065)

• Updated resources: add Attrs and AllowedAttrs type definitions (#​3059)

• Improved error positions in vue/max-len (#​3066)

• Improve performance in vue/no-child-content rule (#​3068)

• Migrate configs to TypeScript (#​3002)

• Updated resources: geolocation HTML element and ClassValue and InputAutoCompleteAttribute Vue 3 export (#​3040)

webpro-nl/knip (knip)

v6.9.0: Release 6.9.0

Compare Source

• Expose types for JSON reporter (961b734)

v6.8.0: Release 6.8.0

Compare Source

• feat: add WXT plugin (#​1703) (9167557) - thanks @​sebastianbreguel!
• Add support for pnpm@​11 new commands (#​1706) (c937697) - thanks @​PatrykWalach!
• Fix case of spread export → other exports used (resolve #​1705) (0f94d2d)
• Add more pnpm commands + tests (f2819b3)
• Bump oxc-parser (5c21d27)

v6.7.0: Release 6.7.0

Compare Source

• Fix markdown reporter column width (resolve #​1700) (4713108)
• Handle Vitest agent and minimal reporters (#​1701) (a71ead1) - thanks @​dskwrite!
• Add e2e tests w/ tsgo defs + lib consumption (98113e6)
• Fix pkg name inconsistencies (544c3e6)
• Add export {} to maintain module shape (27d8a02)
• Strip leading UTF-8 BOM before parsing package.json (47e4029)
• Skip workspace with invalid JSON manifest (bfb4867)
• Preserve out-of-bound writes to stdout/err (95faad8)
• Consistent prefix in logError/logWarning (2c6d8a0)
• Don't exit on config file load error (0914bd3)
• Fix tsgo resolution in e2e tests (a689501)

v6.6.3: Release 6.6.3

Compare Source

• Use venz chart svg directly from CDN (ba7e907)
• Bump that plugin counter (abae75b)
• Fix plugin title (f2b8fcf)
• Work Table util class: fix bugs, tighten API, water-fill widths (2eb4045)
• Questionable.. (970a0db)
• Fmt (14538ec)
• Ensure output is flushed on exit (#​1699) (9533365) - thanks @​joshkel!
• Use currentColor to support light/dark themes (7ea055a)
• Tighten type-chain alignment + gate via ignoreExportsUsedInFile (resolve #​1698) (0910b33)
• Eating our own dog food ↻ (d5aa1f6)

v6.6.2: Release 6.6.2

Compare Source

• Don't track typeof value refs at top of exported type alias (resolve #​1697) (1a99048)
• Treat Props as used when Astro.props is referenced (resolve #​1629) (46cb338)
• Update dependencies (dcf5315)

v6.6.1: Release 6.6.1

Compare Source

• Fix website papercuts (#​1696) (c6d9c43) - thanks @​skoeva!
• fix(rslib): resolve entry points from rslib config (#​1695) (af83d68) - thanks @​rpereira-anchor!
• Update react-email plugin for react-email@​6 (#​1694) (200db55) - thanks @​krystofspiller!
• Introduce Manifest wrapper with scriptNames + getMajor helpers (6fded2f)

nitrojs/nitro (nitropack)

v2.13.4

Compare Source

compare changes

[!IMPORTANT]
This release patches two medium-severity vulnerabilities in proxy and redirect route rules. Users relying on either are strongly encouraged to upgrade. See GHSA-5w89-w975-hf9q and GHSA-9phm-9p8f-hw5m for details.

🚀 Enhancements

• Add version meta (#​4194)

🩹 Fixes

• route-rules: Reject out-of-scope requests (#​4223)
• route-rules: Prevent open redirect via protocol-relative url bypass (8d6bfb0b)

🏡 Chore

❤️ Contributors

• Pooya Parsa (@​pi0)
• Rihan Arfan (@​RihanArfan)

unjs/nypm (nypm)

v0.6.6

Compare Source

compare changes

🩹 Fixes

• Do not try to require /package.json (#​230)
• Handle resolving package.json from pure esm packages (#​234)

🏡 Chore

• Migrate to oxlint and oxfmt (dcf0a77)
• release: V0.6.5 (dd09ffa)
• Update deps (634f1a9)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Pooya Parsa (@​pi0)

unjs/pkg-types (pkg-types)

v2.3.1

Compare Source

compare changes

🩹 Fixes

• Use untransformed typescript type exports (#​261)

📖 Documentation

• Improve documentation and fix typos across the project (#​246)
• Fix incorrect imports and add missing function docs (#​248)

📦 Build

• Migrate to obuild (29e54be)

🏡 Chore

• Migrate to oxlint and oxfmt (67fedc4)
• Update deps (78e9de1)
• Update ci (e21a456)
• Update test scripts (d8d7e68)
• Add missing tsgo dep (d05a063)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Pooya Parsa (@​pi0)
• Eugene (@​outslept)

pnpm/pnpm (pnpm)

v10.33.2

Compare Source

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes

• When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.

Platinum Sponsors

Gold Sponsors

terser/terser (terser)

v5.46.2

Compare Source

• unused option: delete computed keys of concise methods and getters/setters.
• Error.cause added to DOM properties list
• Don't consider foo.bar and foo["bar"] to be equivalent when property mangler is enabled with keep_quoted=strict option.

typescript-eslint/typescript-eslint (typescript-eslint)

v8.59.1

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

unjs/ufo (ufo)

v1.6.4

Compare Source

compare changes

🩹 Fixes

• withoutBase: Collapse leading slashes (#​335)

🏡 Chore

• Update deps (7807010)

❤️ Contributors

• Pooya Parsa (@​pi0)

unjs/unimport (unimport)

v6.2.0

Compare Source

   🚀 Features

• Introduce oxc as parser  -  by @​KazariEX and Claude Opus 4.7 (1M context) in #​503 (1c9ee)

    View changes on GitHub

v6.1.2

Compare Source

   🐞 Bug Fixes

• toExports: Dedupe duplicate identifiers for class/enum declarations  -  by @​MukundaKatta in #​529 (28486)

    View changes on GitHub

v6.1.1

Compare Source

   🐞 Bug Fixes

• dedupeImports: Respect negative and zero import priorities  -  by @​8ctavio in #​527 (4f462)

    View changes on GitHub

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​vue/​reactivity@​3.5.32 ⏵ 3.5.33	+1		+1	+2
	eslint-plugin-vue@​10.8.0 ⏵ 10.9.0	+1			-1
	enhanced-resolve@​5.20.1 ⏵ 5.21.0

View full report

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@nuxt/bridge@1798

npm i https://pkg.pr.new/@nuxt/bridge-schema@1798

commit: ad3f431