chore(deps): update all non-major dependencies #42

renovate · 2025-12-01T02:03:30Z

This PR contains the following updates:

Package	Change	Age	Confidence
@eslint/js (source)	`^9.39.1` → `^9.39.2`
@types/node (source)	`^22.19.0` → `^22.19.8`
cookie@<0.7.0	`>=1.0.2` → `>=1.1.1`
eslint (source)	`^9.39.1` → `^9.39.2`
eslint-plugin-n	`^17.23.1` → `^17.23.2`
execa	`^9.6.0` → `^9.6.1`
lint-staged	`^16.2.6` → `^16.2.7`
pnpm (source)	`10.20.0` → `10.28.2`
pnpm (source)	`^10.20.0` → `^10.28.2`
rimraf	`^6.1.0` → `^6.1.2`
tsx (source)	`^4.20.6` → `^4.21.0`
typescript-eslint (source)	`^8.46.3` → `^8.54.0`
validator@<13.15.22	`>=13.15.22` → `>=13.15.26`
verdaccio (source)	`^6.2.1` → `^6.2.5`
yaml (source)	`^2.8.1` → `^2.8.2`

Release Notes

eslint/eslint (@eslint/js)

`v9.39.2`

Compare Source

jshttp/cookie (cookie@<0.7.0)

`v1.1.1`

Compare Source

Fixed

Overwrite value in passed in options (#253) c66147c
- When value was provided in serialize(key, value, { value }) the value in options was used instead of the value passed as an argument

`v1.1.0`

Compare Source

eslint/eslint (eslint)

`v9.39.2`

Compare Source

eslint-community/eslint-plugin-n (eslint-plugin-n)

`v17.23.2`

Compare Source

🩹 Fixes

avoid any type for no-top-level-await listener node (build issue) (#498) (f071703)
file-extension-in-import: handle directory index imports (#499) (754a1a6)
file-extension-in-import: handle files with dots in basename (#506) (600f3f2)
no-sync: resolve full typed names for ignores (#501) (047301a)

📚 Documentation

safely disable no-unpublished-bin npm v10+ (#487) (8af9c86)

🧹 Chores

no-missing-import: align fixture message with latest resolver output (#500) (a3719d2)

sindresorhus/execa (execa)

`v9.6.1`

Compare Source

Fix VerboseOption type not being properly exported (#1215) 7891c39

lint-staged/lint-staged (lint-staged)

`v16.2.7`

Compare Source

Patch Changes

#1711 ef74c8d Thanks @iiroj! - Do not display a "failed to spawn" error message when a task fails normally. This message is reserved for when the task didn't run because spawning it failed.

pnpm/pnpm (pnpm)

`v10.28.2`: pnpm 10.28.2

Compare Source

Patch Changes

Security fix: prevent path traversal in directories.bin field.
When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.
Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #9950.

Platinum Sponsors

Gold Sponsors

Patch Changes

Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #10307.
Fix installation of Git dependencies using annotated tags #10335.

Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out commit hash didn't match the stored tag object hash.
Binaries of runtime engines (Node.js, Deno, Bun) are written to node_modules/.bin before lifecycle scripts (install, postinstall, prepare) are executed #10244.
Try to avoid making network calls with preferOffline #10334.

Platinum Sponsors

Gold Sponsors

`v10.26.1`: pnpm 10.26.1

Compare Source

Patch Changes

Don't fail on pnpm add, when blockExoticSubdeps is set to true #10324.
Always resolve git references to full commits and ensure HEAD points to the commit after checkout #10310.

Platinum Sponsors

Gold Sponsors

`v10.26.0`

Compare Source

`v10.25.0`

Compare Source

`v10.24.0`

Compare Source

`v10.23.0`: pnpm 10.23

Compare Source

Minor Changes

Added --lockfile-only option to pnpm list #10020.

Patch Changes

pnpm self-update should download pnpm from the configured npm registry #10205.
pnpm self-update should always install the non-executable pnpm package (pnpm in the registry) and never the @pnpm/exe package, when installing v11 or newer. We currently cannot ship @pnpm/exe as pkg doesn't work with ESM #10190.
Node.js runtime is not added to "dependencies" on pnpm add, if there's a engines.runtime setting declared in package.json #10209.
The installation should fail if an optional dependency cannot be installed due to a trust policy check failure #10208.
pnpm list and pnpm why now display npm: protocol for aliased packages (e.g., foo npm:is-odd@3.0.1) #8660.
Don't add an extra slash to the Node.js mirror URL #10204.
pnpm store prune should not fail if the store contains Node.js packages #10131.

Platinum Sponsors

Gold Sponsors

`v10.22.0`: pnpm 10.22

Compare Source

Minor Changes

Added support for trustPolicyExclude #10164.

You can now list one or more specific packages or versions that pnpm should allow to install, even if those packages don't satisfy the trust policy requirement. For example:
```
trustPolicy: no-downgrade
trustPolicyExclude:
  - chokidar@4.0.3
  - webpack@4.47.0 || 5.102.1
```
Allow to override the engines field on publish by the publishConfig.engines field.

Patch Changes

Don't crash when two processes of pnpm are hardlinking the contents of a directory to the same destination simultaneously #10179.

Platinum Sponsors

Gold Sponsors

`v10.21.0`

Compare Source

isaacs/rimraf (rimraf)

`v6.1.2`

Compare Source

`v6.1.1`

Compare Source

privatenumber/tsx (tsx)

`v4.21.0`

Compare Source

typescript-eslint/typescript-eslint (typescript-eslint)