fix(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@types/leaflet (source)	1.9.20 → 1.9.21			devDependencies	patch
@types/node (source)	22.18.8 → 22.19.8			devDependencies	minor	22.19.9
actions/checkout	v5.0.0 → v5.0.1			action	patch
eslint (source)	9.37.0 → 9.39.2			devDependencies	minor
eslint-plugin-format	1.0.2 → 1.3.1			devDependencies	minor	1.4.0
lightningcss	1.30.2 → 1.31.1			dependencies	minor
lint-staged	16.2.3 → 16.2.7			devDependencies	patch
pnpm (source)	10.18.0 → 10.28.2			packageManager	minor
pnpm/action-setup	v4.1.0 → v4.2.0			action	minor
reka-ui	2.5.1 → 2.8.0			dependencies	minor
unplugin-icons	22.4.2 → 22.5.0			dependencies	minor
unplugin-vue-components	29.1.0 → 29.2.0			dependencies	minor
vitepress (source)	2.0.0-alpha.12 → 2.0.0-alpha.16			dependencies	patch
vue (source)	3.5.22 → 3.5.27			dependencies	patch
vue-tsc (source)	3.1.0 → 3.2.4			devDependencies	minor

---

Release Notes

actions/checkout (actions/checkout)

v5.0.1

Compare Source

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in #​2301

Full Changelog: actions/checkout@v5...v5.0.1

eslint/eslint (eslint)

v9.39.2

Compare Source

v9.39.1

Compare Source

v9.39.0

Compare Source

v9.38.0

Compare Source

Features

• ce40f74 feat: update complexity rule to only highlight function header (#​20048) (Atul Nair)
• e37e590 feat: correct no-loss-of-precision false positives with e notation (#​20187) (Francesco Trotta)

Bug Fixes

• 50c3dfd fix: improve type support for isolated dependencies in pnpm (#​20201) (Francesco Trotta)
• a1f06a3 fix: correct SourceCode typings (#​20114) (Pixel998)

Documentation

• 462675a docs: improve web accessibility by hiding non-semantic character (#​20205) (루밀LuMir)
• c070e65 docs: correct formatting in no-irregular-whitespace rule documentation (#​20203) (루밀LuMir)
• b39e71a docs: Update README (GitHub Actions Bot)
• cd39983 docs: move custom-formatters type descriptions to nodejs-api (#​20190) (Percy Ma)

Chores

• d17c795 chore: upgrade @​eslint/js@​9.38.0 (#​20221) (Milos Djermanovic)
• 25d0e33 chore: package.json update for @​eslint/js release (Jenkins)
• c82b5ef refactor: Use types from @​eslint/core (#​20168) (Nicholas C. Zakas)
• ff31609 ci: add Node.js 25 to ci.yml (#​20220) (루밀LuMir)
• 004577e ci: bump github/codeql-action from 3 to 4 (#​20211) (dependabot[bot])
• eac71fb test: remove use of nodejsScope option of eslint-scope from tests (#​20206) (Milos Djermanovic)
• 4168a18 chore: fix typo in legacy-eslint.js (#​20202) (Sweta Tanwar)
• 205dbd2 chore: fix typos (#​20200) (ntnyq)
• dbb200e chore: use team member's username when name is not available in data (#​20194) (Milos Djermanovic)
• 8962089 chore: mark deprecated rules as available until v11.0.0 (#​20184) (Pixel998)

antfu/eslint-plugin-format (eslint-plugin-format)

v1.3.1

Compare Source

   🚀 Features

• Cache the dprint context  -  by @​bitbloxhub in #​14 (1a53f)

    View changes on GitHub

v1.3.0

Compare Source

   🚀 Features

• Add support for multiple dprint plugins  -  by @​bitbloxhub in #​13 (3eaeb)

    View changes on GitHub

v1.2.0

Compare Source

   🚀 Features

• Support dprint v4  -  by @​bitbloxhub in #​12 (d12e1)

    View changes on GitHub

v1.1.0

Compare Source

   🚀 Features

• Update deps  -  by @​antfu (3b016)

    View changes on GitHub

parcel-bundler/lightningcss (lightningcss)

v1.31.1

Compare Source

v1.31.0

Compare Source

Features

• Implement scroll-state container queries
• Allow @​property to be nested inside at-rules
• Support print-color-adjust property
• Support <string> in @​property syntax
• Add :state() pseudo-class support
• Reduce min(), max() and clamp() with number arguments
• Support name-only @​container queries

Fixes

• Ensure compiled range media queries are correctly parenthesised
• Add quotes to font-families with multiple consecutive spaces
• Do not remove whitespace in token lists
• Fix whitespace handling in view transition pseudos
• Ensure interleave nested declarations have a semicolon when needed
• Fix casing for camel-cased svg values
• Improve grid-template-areas handling and grid shorthand
• Fix background-position minification and handling for various cases
• Update browser compat data

lint-staged/lint-staged (lint-staged)

v16.2.7

Compare Source

Patch Changes

• #​1711 ef74c8d Thanks @​iiroj! - Do not display a "failed to spawn" error message when a task fails normally. This message is reserved for when the task didn't run because spawning it failed.

v16.2.6

Compare Source

Patch Changes

• #​1693 33d4502 Thanks @​Adrian-Baran-GY! - Fix problems with --continue-on-error option, where tasks might have still been killed (SIGINT) when one of them failed.

v16.2.5

Compare Source

Patch Changes

• #​1687 9e02d9d Thanks @​iiroj! - Fix unhandled promise rejection when spawning tasks (instead of the tasks themselves failing). Previously when a task failed to spawn, lint-staged also failed and the backup stash might not have been automatically restored.

v16.2.4

Compare Source

Patch Changes

• #​1682 0176038 Thanks @​iiroj! - Update dependencies, including nano-spawn@2.0.0 with bug fixes.

• #​1671 581a54e Thanks @​iiroj! - Speed up execution by only importing the yaml depedency if using YAML configuration files.

pnpm/pnpm (pnpm)

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

• Security fix: prevent path traversal in directories.bin field.

• When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

  This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

  Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

• Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Gold Sponsors

v10.28.1

Compare Source

v10.28.0

Compare Source

v10.27.0

Compare Source

v10.26.2: pnpm 10.26.2

Compare Source

Patch Changes

• Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #​10307.

• Fix installation of Git dependencies using annotated tags #​10335.

  Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out commit hash didn't match the stored tag object hash.

• Binaries of runtime engines (Node.js, Deno, Bun) are written to node_modules/.bin before lifecycle scripts (install, postinstall, prepare) are executed #​10244.

• Try to avoid making network calls with preferOffline #​10334.

Platinum Sponsors

Gold Sponsors

v10.26.1: pnpm 10.26.1

Compare Source

Patch Changes

• Don't fail on pnpm add, when blockExoticSubdeps is set to true #​10324.
• Always resolve git references to full commits and ensure HEAD points to the commit after checkout #​10310.

Platinum Sponsors

Gold Sponsors

v10.26.0

Compare Source

v10.25.0

Compare Source

v10.24.0

Compare Source

v10.23.0: pnpm 10.23

Compare Source

Minor Changes

• Added --lockfile-only option to pnpm list #​10020.

Patch Changes

• pnpm self-update should download pnpm from the configured npm registry #​10205.
• pnpm self-update should always install the non-executable pnpm package (pnpm in the registry) and never the @pnpm/exe package, when installing v11 or newer. We currently cannot ship @pnpm/exe as pkg doesn't work with ESM #​10190.
• Node.js runtime is not added to "dependencies" on pnpm add, if there's a engines.runtime setting declared in package.json #​10209.
• The installation should fail if an optional dependency cannot be installed due to a trust policy check failure #​10208.
• pnpm list and pnpm why now display npm: protocol for aliased packages (e.g., foo npm:is-odd@3.0.1) #​8660.
• Don't add an extra slash to the Node.js mirror URL #​10204.
• pnpm store prune should not fail if the store contains Node.js packages #​10131.

Platinum Sponsors

Gold Sponsors

v10.22.0: pnpm 10.22

Compare Source

Minor Changes

• Added support for trustPolicyExclude #​10164.

  You can now list one or more specific packages or versions that pnpm should allow to install, even if those packages don't satisfy the trust policy requirement. For example:

  trustPolicy: no-downgrade
  trustPolicyExclude:
    - chokidar@4.0.3
    - webpack@4.47.0 || 5.102.1

• Allow to override the engines field on publish by the publishConfig.engines field.

Patch Changes

• Don't crash when two processes of pnpm are hardlinking the contents of a directory to the same destination simultaneously #​10179.

Platinum Sponsors

Gold Sponsors

v10.21.0

Compare Source

v10.20.0

Compare Source

Minor Changes

• Support --all option in pnpm --help to list all commands #​8628.

Patch Changes

• When the latest version doesn't satisfy the maturity requirement configured by minimumReleaseAge, pick the highest version that is mature enough, even if it has a different major version #​10100.
• create command should not verify patch info.
• Set managePackageManagerVersions to false, when switching to a different version of pnpm CLI, in order to avoid subsequent switches #​10063.

v10.19.0

Compare Source

Minor Changes

• You can now allow specific versions of dependencies to run postinstall scripts. onlyBuiltDependencies now accepts package names with lists of trusted versions. For example:

  onlyBuiltDependencies:
    - nx@21.6.4 || 21.6.5
    - esbuild@0.25.1

  Related PR: #​10104.

• Added support for exact versions in minimumReleaseAgeExclude #​9985.

  You can now list one or more specific versions that pnpm should allow to install, even if those versions don’t satisfy the maturity requirement set by minimumReleaseAge. For example:

  minimumReleaseAge: 1440
  minimumReleaseAgeExclude:
    - nx@21.6.5
    - webpack@4.47.0 || 5.102.1

v10.18.3

Compare Source

Patch Changes

• Fix a bug where pnpm would infinitely recurse when using verifyDepsBeforeInstall: install and pre/post install scripts that called other pnpm scripts #​10060.
• Fixed scoped registry keys (e.g., @scope:registry) being parsed as property paths in pnpm config get when --location=project is used #​9362.
• Remove pnpm-specific CLI options before passing to npm publish to prevent "Unknown cli config" warnings #​9646.
• Fixed EISDIR error when bin field points to a directory #​9441.
• Preserve version and hasBin for variations packages #​10022.
• Fixed pnpm config set --location=project incorrectly handling keys with slashes (auth tokens, registry settings) #​9884.
• When both pnpm-workspace.yaml and .npmrc exist, pnpm config set --location=project now writes to pnpm-workspace.yaml (matching read priority) #​10072.
• Prevent a table width error in pnpm outdated --long #​10040.
• Sync bin links after injected dependencies are updated by build scripts. This ensures that binaries created during build processes are properly linked and accessible to consuming projects #​10057.

v10.18.2

Compare Source

Patch Changes

• pnpm outdated --long should work #​10040.
• Replace ndjson with split2. Reduce the bundle size of pnpm CLI #​10054.
• pnpm dlx should request the full metadata of packages, when minimumReleaseAge is set #​9963.
• pnpm version switching should work when the pnpm home directory is in a symlinked directory #​9715.
• Fix EPIPE errors when piping output to other commands #​10027.

v10.18.1

Compare Source

Patch Changes

• Don't print a warning, when --lockfile-only is used #​8320.
• pnpm setup creates a command shim to the pnpm executable. This is needed to be able to run pnpm self-update on Windows #​5700.
• When using pnpm catalogs and running a normal pnpm install, pnpm produced false positive warnings for "skip adding to the default catalog because it already exists". This warning now only prints when using pnpm add --save-catalog as originally intended.

pnpm/action-setup (pnpm/action-setup)

v4.2.0

Compare Source

When there's a .npmrc file at the root of the repository, pnpm will be fetched from the registry that is specified in that .npmrc file #​179

unovue/reka-ui (reka-ui)

v2.8.0

Compare Source

   🚨 Breaking Changes

• DatePicker/DateRangePicker/Calendar/RangeCalendar: Make weekStartsOn locale-independent  -  by @​kricsleo in #​2359 (623df)

   🚀 Features

• Menu: Allow more value types  -  by @​LeBenLeBen in #​2321 (cd7fc)
• NumberField: Add focusOnChange prop  -  by @​ShayanTheNerd in #​2316 (f06e1)
• PinInput: Enforce sequential inputs in OTP  -  by @​kricsleo in #​2360 (91422)
• PopperContent: Add hideShiftedArrow prop to control arrow visibility  -  by @​kricsleo in #​2373 (b710d)
• Rating: Add new Rating component  -  by @​J-Michalek in #​1968 (40221)
• ScrollArea: Add glimpse scrollbar mode  -  by @​badmike in #​2361 (58117)
• TimeField: Support stepSnapping  -  by @​kricsleo in #​2421 (4ced4)

   🐞 Bug Fixes

• DayPeriod returning incorrect value due to missmatched format  -  by @​javangriff in #​2382 (1827e)
• Avatar:
  • Properly set referrerpolicy and crossorigin  -  by @​toofishes in #​2391 (edb07)
• Combobox:
  • Allow input focus when used inside Dialog  -  by @​kricsleo in #​2393 (07c5d)
• DatePicker:
  • Add exports for DatePicker missing types and export…  -  by @​rastuhacode in #​2413 (d88a8)
• DatePicker, DateRangePicker:
  • Integrate locale handling with useLocale hook  -  by @​rastuhacode and Claude Sonnet 4.5 in #​2417 (d8227)
• DatePicker/DateRangePicker:
  • Replaced type extendance from emits to type  -  by @​rastuhacode in #​2419 (806d5)
• DateRangePicker:
  • Add exports for missing component types and include TimeValue type in exports  -  by @​rastuhacode in #​2379 (3ba58)
• Editable:
  • Prevent submission during IME composition  -  by @​nzws in #​2387 (fa471)
• HoverCard:
  • Reduce padding GraceArea  -  by @​Yves852 and @​zernonia in #​2217 (aa49a)
• NavigationMenu:
  • Allow aria-label override by fixing CollectionSlot attrs forwarding  -  by @​benjamincanac in #​2386 (089cb)
  • Close menu when clicking top-level link  -  by @​kricsleo in #​2392 (c048a)
• PinInput:
  • Handle more edge cases for the placeholder  -  by @​kricsleo in #​2377 (df69d)
• Tabs:
  • Only render aria-controls when TabsContent exists  -  by @​benjamincanac in #​2390 (d9d58)
• TimeField:
  • Correct hour display in 12-hour format  -  by @​al1maher and Claude Sonnet 4.5 in #​2354 (8f454)
  • Call to updateHour to handle 12 hour time  -  by @​ChrisSmartGP and Claude Sonnet 4.5 in #​2254 (bc5e0)
• TimeField/DateField/DateRangeField:
  • Filter redundant brackets with hideTimeZone  -  by @​kricsleo in #​2357 (03480)

    View changes on GitHub

v2.7.0

Compare Source

   🚀 Features

• Listbox/Tree: Handle estimateSize as function for Virtualizer  -  by @​benjamincanac in #​2288 (9cb81)
• Select: Add disableOutsidePointerEvents prop to Content  -  by @​benjamincanac in #​2287 (b1e4a)

   🐞 Bug Fixes

• Combobox:
  • Restore body pointer-event style  -  by @​kricsleo in #​2334 (238e0)
  • Don't focus the trigger element after closing  -  by @​kricsleo in #​2317 (7f231)
• ComboboxCancel:
  • Reset model value on clear without requiring input element  -  by @​benjamincanac in #​2332 (b6e34)
• DateRangePicker/DatePicker:
  • Root has invalid as,asChild props  -  by @​zernonia in #​2351 (d830a)
• RangeCalendar:
  • A11y aria attribute in CellTrigger  -  by @​wolandec in #​2265 (87b72)
  • Ensure update:validModelValue always emits latest value  -  by @​kricsleo in #​2349 (8fc39)
• Select:
  • Always show select arrow and leave display to the select content  -  by @​pmairoldi in #​2348 (760b9)
• Tabs:
  • Update indicator style when element size changes  -  by @​markjaniczak in #​2238 (82fea)
• Tooltip:
  • Empty ariaLabel for nested components in Content  -  by [@&fix(deps): update dependency marked to v16 - autoclosed #82

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) in timezone Asia/Taipei, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
2025	Error		Feb 6, 2026 9:27am