Skip to content

fix(deps): update non-major#99

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/non-major
Open

fix(deps): update non-major#99
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/non-major

Conversation

@renovate

@renovate renovate Bot commented Apr 1, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@isaacs/ttlcache ^2.1.4^2.1.5 age confidence
@sanity/client (source) ^7.22.0^7.23.0 age confidence
@sanity/pkg-utils (source) ^10.5.4^10.8.2 age confidence
@sanity/uuid (source) ^3.0.2^3.0.3 age confidence
@shikijs/vitepress-twoslash (source) ^4.0.2^4.3.0 age confidence
@typescript-eslint/parser (source) ^8.59.2^8.62.0 age confidence
@vitest/coverage-v8 (source) ^4.1.5^4.1.9 age confidence
@vitest/ui (source) ^4.1.5^4.1.9 age confidence
eslint (source) ^10.3.0^10.6.0 age confidence
eslint-plugin-prettier ^5.5.5^5.5.6 age confidence
lefthook ^2.1.6^2.1.9 age confidence
nanoid ^5.1.11^5.1.16 age confidence
prettier (source) ^3.8.3^3.9.1 age confidence
tsx (source) ^4.21.0^4.22.4 age confidence
typescript-eslint (source) ^8.59.2^8.62.0 age confidence
vitest (source) ^4.1.5^4.1.9 age confidence
vue (source) ^3.5.34^3.5.39 age confidence
xstate (source) ^5.19.0^5.32.2 age confidence

Release Notes

isaacs/ttlcache (@​isaacs/ttlcache)

v2.1.5

Compare Source

sanity-io/client (@​sanity/client)

v7.23.0

Compare Source

Features

v7.22.1

Compare Source

Bug Fixes
  • live: verify CORS via /check/cors (credentials-aware) before reporting CorsOriginError (#​1219) (566e1b5)
sanity-io/pkg-utils (@​sanity/pkg-utils)

v10.8.2

Compare Source

Patch Changes
  • #​2934 d6cfe32 Thanks @​stipsan! - fix: preserve side-effect-only imports of external packages

    Tree-shaking no longer sets the equivalent of moduleSideEffects: 'no-external' and instead relies on the bundler's default (moduleSideEffects: true). Previously, binding-less side-effect imports of external package subpaths — e.g. import 'react-time-ago/locale/en' — were stripped from the output, breaking consumers that depended on those side effects. package.json sideEffects fields are still honored for bundled modules, so dead-code elimination is unaffected.

v10.8.1

Compare Source

Patch Changes

v10.8.0

Compare Source

Minor Changes
  • #​2888 59fdc02 Thanks @​stipsan! - feat: add strict dependency placement checks for well-known packages

    When running with --strict, package.json is now validated to ensure these packages are declared in the correct dependency fields:

    • react-is and @sanity/ui should not be in peerDependencies (use dependencies or devDependencies).
    • sanity, styled-components, react, and react-dom should not be in dependencies (use devDependencies and/or peerDependencies).
    • @types/react, @types/react-dom, and @types/node should not be in dependencies (use devDependencies and/or peerDependencies), and when listed in peerDependencies the version range should be *.
    • rxjs and @sanity/client should not be in peerDependencies (use dependencies or devDependencies).

    Each check is enabled by default at the error level and can be downgraded to warn or disabled via strictOptions in package.config.ts, e.g.:

    import {defineConfig} from '@​sanity/pkg-utils'
    
    export default defineConfig({
      strictOptions: {
        noReactDependency: 'warn',
        noSanityClientPeerDependency: 'off',
      },
    })
Patch Changes
  • #​2903 296482a Thanks @​stipsan! - feat: disallow @sanity/icons in peerDependencies

    When running with --strict, package.json is now validated to ensure @sanity/icons is not declared in peerDependencies (use dependencies or devDependencies instead). The check defaults to error and can be configured via noSanityIconsPeerDependency in strictOptions.

v10.7.2

Compare Source

Patch Changes
  • #​2897 de87bc9 Thanks @​stipsan! - fix: mirror the auto-added bundle.css export into publishConfig.exports

    In vanilla-extract compat mode, pkg-utils auto-writes the conditional "./bundle.css" export to package.json. It only updated the top-level exports, so packages that also declare publishConfig.exports ended up out of sync, and the next strict --check failed with publishConfig.exports: missing export path "./bundle.css" that exists in exports.

    The conditional CSS export is now mirrored into publishConfig.exports as well (when that field exists), keeping the two in sync. The entry is identical in both places since the CSS export has no source/development/monorepo conditions to strip. publishConfig.exports is never created when it is absent.

  • #​2899 97cbc33 Thanks @​stipsan! - Emit a <css>.d.ts declaration alongside the vanilla-extract compat-mode CSS shim, so dts export checkers that resolve a .d.ts for every export target don't crash on a missing declaration file.

v10.7.1

Compare Source

Patch Changes
  • #​2895 ba964f1 Thanks @​stipsan! - Revert the upgrade of @babel/core and @babel/preset-typescript to v8, pinning them back to v7

v10.7.0

Compare Source

Minor Changes
  • #​2890 c219497 Thanks @​stipsan! - feat: auto-wire the conditional bundle.css export for vanilla-extract

    When rollup.vanillaExtract is enabled, pkg-utils now (by default) bakes in the conditional CSS export pattern so userland no longer needs a manual rollup.output.intro + shim plugin + package.json export. This new "compat mode" (rollup.vanillaExtract.extract.compatMode, defaults to true):

    • injects the self-referential import "<pkg-name>/<name>" into each entry chunk,
    • emits a no-op <name>.js shim for runtimes that cannot import .css files, and
    • writes the conditional "./<name>" export to package.json (browser/style → the real CSS, node/default → the shim).

    The emitted CSS file name is configurable via rollup.vanillaExtract.extract.name (default "bundle.css"), and the vanillaExtract option is now fully typed (PkgVanillaExtractOptions) with its real defaults documented. Set extract.compatMode: false to opt out and wire these up yourself.

Patch Changes

v10.6.0

Compare Source

Minor Changes
  • #​2887 a6adaa1 Thanks @​stipsan! - feat: support conditional exports for CSS files

    CSS subpath exports may now be declared as a conditional object (a flat map of condition name to path) instead of only a plain string. This enables re-adding a import "<pkg>/bundle.css" statement that resolves to the real CSS file in bundler/browser environments, while resolving to a no-op JS shim in runtimes (like Node) that cannot import .css files directly:

    {
      "exports": {
        "./bundle.css": {
          "browser": "./dist/bundle.css",
          "style": "./dist/bundle.css",
          "node": "./dist/bundle.css.js",
          "default": "./dist/bundle.css.js"
        }
      }
    }
Patch Changes

v10.5.8

Compare Source

Patch Changes

v10.5.7

Compare Source

Patch Changes

v10.5.6

Compare Source

Patch Changes

v10.5.5

Compare Source

Patch Changes
sanity-io/uuid (@​sanity/uuid)

v3.0.3

Compare Source

shikijs/shiki (@​shikijs/vitepress-twoslash)

v4.3.0

Compare Source

   🚀 Features
    View changes on GitHub

v4.2.0

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v4.1.0

Compare Source

   🐞 Bug Fixes
    View changes on GitHub
typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.62.0

Compare Source

🚀 Features
  • remove redundant package.json "files" (#​12444)
❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.61.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.61.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.60.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.60.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.4

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.3

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.9

Compare Source

🐞 Bug Fixes
  • Fix importOriginal with optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in #​10546 (a5180)
  • browser:
    • Wait for orchestrator readiness before resolving browser sessions [backport to v4] - by Vladimir and Séamus O'Connor in #​10555 (7fb29)
    • Wait for iframe tester readiness before preparing [backport to v4] - by Vladimir and Séamus O'Connor in #​10497 and #​10556 (fbc62)
  • mocker:
    • Hoist vi.mock() for vite-plus/test imports [backport to v4] - by Hiroshi Ogawa, LongYinan, Claude Opus 4.8 and Vladimir in #​10548 (2c955)
  • pool:
    • Prevent test run hang on worker crash [backport to v4] - by Ari Perkkiö and Jattioui Ismail in #​10543 and #​10564 (934b0)
View changes on GitHub

v4.1.8

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v4.1.7

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v4.1.6

Compare Source

   🐞 Bug Fixes
   🏎 Performance
    View changes on GitHub
vitest-dev/vitest (@​vitest/ui)

v4.1.9

Compare Source

v4.1.8

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v4.1.7

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v4.1.6

Compare Source

   🐞 Bug Fixes
   🏎 Performance
    View changes on GitHub
eslint/eslint (eslint)

v10.6.0

Compare Source

Features

  • b1f9106 feat: detect Symbol() and BigInt() in no-constant-binary-expression (#​20981) (Taejin Kim)
  • f291007 feat: add checkRelationalComparisons to no-constant-binary-expression (#​20948) (sethamus)

Bug Fixes

  • 6b05784 fix: prefer-exponentiation-operator invalid autofix at statement start (#​20997) (Milos Djermanovic)
  • bb9eb2a fix: account for shadowed Boolean in no-extra-boolean-cast (#​21013) (den$)
  • 8fd8741 fix: don't report shadowed undefined in radix rule (#​21011) (Pixel)
  • 5784980 fix: don't report shadowed undefined in no-throw-literal (#​21010) (Pixel)
  • 9cd1e6d fix: suppress invalid class suggestion in no-promise-executor-return (#​21008) (Pixel)
  • d4eb2dc fix: don't report shadowed undefined in prefer-promise-reject-errors (#​21006) (Pixel)
  • 2360464 fix: prefer-promise-reject-errors false positives for shadowed Promise (#​21003) (den$)
  • 63d52d2 fix: restore max-classes-per-file report range (#​21002) (Pixel)
  • 7feaff0 fix: callback detection logic for IIFEs in max-nested-callbacks (#​20979) (fnx)
  • 399a2ec fix: don't report inner non-callbacks in max-nested-callbacks (#​20995) (Milos Djermanovic)

Documentation

  • a83683d docs: Update README (GitHub Actions Bot)
  • f5449f9 docs: document userland patterns for global assertionOptions in RuleT… (#​20986) (playgirl)
  • bea49f7 docs: Update README (GitHub Actions Bot)
  • e5f70f9 docs: update code-path diagrams (#​20984) (Tanuj Kanti)
  • 8890c2d docs: add TypeScript config guidance for MCP server (#​20796) (Pierluigi Lenoci)
  • 3eb3d9b docs: Update README (GitHub Actions Bot)
  • c5bb59c docs: Update README (GitHub Actions Bot)
  • eb3c97c docs: fix grammar in prefer-const rule description (#​20983) (lumir)

Chores

v10.5.0

Compare Source

Features

  • 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#​20973) (Pixel998)
  • b565783 feat: report no-with violations at the with keyword (#​20971) (Pixel998)
  • 2ce032f feat: report max-lines-per-function violations at function head (#​20966) (Pixel998)
  • 732cb3e feat: report max-nested-callbacks violations at function head (#​20967) (Pixel998)
  • f9c138a feat: report max-depth violations on keywords (#​20943) (Pixel998)
  • bdb496c feat: correct max-depth handling for else-if chains (#​20944) (Pixel998)
  • c296873 feat: update error loc in max-statements to function header (#​20907) (Taejin Kim)

Documentation

  • 8ae1b5b docs: Update README (GitHub Actions Bot)
  • ca7eb90 docs: update Node.js prerequisites to include ICU support (#​20962) (Francesco Trotta)
  • f99b47a docs: Update README (GitHub Actions Bot)
  • acf03d4 docs: clarify precedence of parserOptions over languageOptions (#​20926) (sethamus)

Chores

v10.4.1

Compare Source

Bug Fixes

  • e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#​20930) (Francesco Trotta)
  • d4ce898 fix: propagate failures from delegated commands (#​20917) (Minh Vu)
  • f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#​20916) (kuldeep kumar)
  • c5bc78b fix: false positive for reference in finally block (#​20655) (Tanuj Kanti)
  • 27538c0 fix: add missing CodePath and CodePathSegment types (#​20853) (Pixel998)

Documentation

  • 61b0add docs: remove deprecated rule from related rules of max-params (#​20921) (Tanuj Kanti)
  • 305d5b9 docs: remove deprecated rules from related rules section (#​20911) (Tanuj Kanti)
  • 49b0202 docs: fix display: none of ad (#​20901) (Tanuj Kanti)
  • 9067f94 docs: switch build to Node.js 24 (#​20893) (Milos Djermanovic)
  • c91b041 docs: Update README (GitHub Actions Bot)
  • e349265 docs: clarify semver strings in rule deprecation objects (#​20885) (Milos Djermanovic)

Chores

  • b0e466b test: add data property to invalid tests cases for rules (#​20924) (Tanuj Kanti)
  • f78838b test: add CodePath type coverage (#​20904) (Pixel998)
  • 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#​20922) (Francesco Trotta)
  • 002942c ci: declare contents:read on update-readme workflow (#​20919) (Arpit Jain)
  • 64bca24 chore: update ecosystem plugins (#​20912) (ESLint Bot)
  • 6d7c832 chore: ignore fflate updates in renovate (#​20908) (Pixel998)
  • b2c8638 ci: bump pnpm/action-setup from 6.0.7 to 6.0.8 (#​20889) (dependabot[bot])
  • a9b8d7f chore: increase maxBuffer for ecosystem tests (#​20881) (sethamus)
  • b702ead chore: update ecosystem

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 3am on Monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a curated preset maintained by Sanity. View repository job log here

@vercel

vercel Bot commented Apr 1, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
mutate-docs Ready Ready Preview, Comment Jul 2, 2026 12:39am
mutate-example-visual-editing Ready Ready Preview, Comment Jul 2, 2026 12:39am
mutate-example-web Ready Ready Preview, Comment Jul 2, 2026 12:39am

Request Review

@renovate renovate Bot force-pushed the renovate/non-major branch from e8f5305 to cb7e31f Compare April 2, 2026 19:58
@renovate renovate Bot force-pushed the renovate/non-major branch from cb7e31f to c5fc7cd Compare April 4, 2026 22:38
@renovate renovate Bot force-pushed the renovate/non-major branch from c5fc7cd to 96f5169 Compare April 8, 2026 16:00
@renovate renovate Bot force-pushed the renovate/non-major branch from 96f5169 to d7433f5 Compare April 10, 2026 07:07
@renovate renovate Bot force-pushed the renovate/non-major branch from d7433f5 to 32ebc29 Compare April 10, 2026 11:33
@renovate renovate Bot force-pushed the renovate/non-major branch from 32ebc29 to 3f93e29 Compare April 11, 2026 02:47
@renovate renovate Bot force-pushed the renovate/non-major branch from 3f93e29 to 8419b54 Compare April 12, 2026 10:42
@renovate renovate Bot force-pushed the renovate/non-major branch from 8419b54 to 3b0c096 Compare April 13, 2026 03:02
@renovate renovate Bot force-pushed the renovate/non-major branch from 3b0c096 to 9db52b0 Compare April 13, 2026 11:50
@renovate renovate Bot force-pushed the renovate/non-major branch from d60026a to 2fb4cf5 Compare April 18, 2026 15:12
@renovate renovate Bot force-pushed the renovate/non-major branch from 2fb4cf5 to 8a8b84b Compare April 20, 2026 18:14
@renovate renovate Bot force-pushed the renovate/non-major branch from 8a8b84b to b2fdeff Compare April 21, 2026 11:59
@renovate renovate Bot force-pushed the renovate/non-major branch from b2fdeff to 2bd470e Compare April 23, 2026 18:17
@renovate renovate Bot force-pushed the renovate/non-major branch from 2bd470e to c78a0e2 Compare April 24, 2026 13:16
@renovate renovate Bot force-pushed the renovate/non-major branch from c78a0e2 to eca4e3c Compare April 27, 2026 13:01
@renovate renovate Bot force-pushed the renovate/non-major branch from eca4e3c to 1d37813 Compare April 27, 2026 16:35
@renovate renovate Bot force-pushed the renovate/non-major branch from 1d37813 to 34d32c1 Compare April 28, 2026 00:10
@renovate renovate Bot force-pushed the renovate/non-major branch from 34d32c1 to c886cf4 Compare April 29, 2026 20:04
@socket-security

socket-security Bot commented May 12, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/@rolldown/plugin-babel@0.2.3npm/@sanity/pkg-utils@10.8.2npm/@emnapi/runtime@1.11.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Install-time scripts: npm lefthook during postinstall

Install script: postinstall

Source: node postinstall.js

From: package.jsonnpm/lefthook@2.1.9

ℹ Read more on: This package | This alert | What is an install script?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lefthook@2.1.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants