fix(deps): update all non-major dependencies#2592
Open
renovate-bot wants to merge 1 commit into
Open
Conversation
forking-renovate
Bot
added
📦 dependencies
renovate-bot
added
📦 dependencies
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #2592 +/- ##
=======================================
Coverage 100.0% 100.0%
=======================================
Files 199 199
Lines 25168 25168
Branches 8908 8908
=======================================
Hits 25168 25168
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
angular-slickgrid
aurelia-slickgrid
slickgrid-react
slickgrid-vue
@slickgrid-universal/angular-row-detail-plugin
@slickgrid-universal/aurelia-row-detail-plugin
@slickgrid-universal/react-row-detail-plugin
@slickgrid-universal/vue-row-detail-plugin
@slickgrid-universal/binding
@slickgrid-universal/common
@slickgrid-universal/composite-editor-component
@slickgrid-universal/custom-footer-component
@slickgrid-universal/custom-tooltip-plugin
@slickgrid-universal/empty-warning-component
@slickgrid-universal/event-pub-sub
@slickgrid-universal/excel-export
@slickgrid-universal/graphql
@slickgrid-universal/odata
@slickgrid-universal/pagination-component
@slickgrid-universal/pdf-export
@slickgrid-universal/row-detail-view-plugin
@slickgrid-universal/rxjs-observable
@slickgrid-universal/sql
@slickgrid-universal/text-export
@slickgrid-universal/utils
@slickgrid-universal/vanilla-bundle
@slickgrid-universal/vanilla-force-bundle
commit: |
renovate-bot
force-pushed
the
renovate/all-minor-patch
branch
from
38d0f54 to
f114847
Compare
renovate-bot
changed the title
renovate-bot
force-pushed
the
renovate/all-minor-patch
branch
12 times, most recently
from
70e84aa to
d01099d
Compare
renovate-bot
force-pushed
the
renovate/all-minor-patch
branch
9 times, most recently
from
69336cf to
c7c3050
Compare
renovate-bot
force-pushed
the
renovate/all-minor-patch
branch
from
c7c3050 to
32bfb02
Compare
renovate-bot
force-pushed
the
renovate/all-minor-patch
branch
from
32bfb02 to
5aff612
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^7.29.0→^7.29.7^5.0.0→^5.0.1^9.73.8→^9.74.1^2.0.326→^2.0.328^2.0.2→^2.0.4^5.2.1→^5.2.2^5.2.1→^5.2.2^5.2.1→^5.2.2^19.2.14→^19.2.15^6.0.1→^6.0.2^6.0.6→^6.0.7^5.0.0-beta.2→^5.0.0-beta.3^5.0.0-beta.2→^5.0.0-beta.3^3.2.9→^3.3.3^15.15.0→^15.16.0^3.4.3→^3.4.7^5.0.0→^5.0.1^2.76.0→^2.85.0^0.8.2→^0.8.3^4.12.18→^4.12.23^1.65.0→^1.67.0^8.5.14→^8.5.15^7.15.1→^7.16.0^1.99.0→^1.100.0^8.0.13→^8.0.14^5.0.0→^5.0.1^5.0.0-beta.2→^5.0.0-beta.3^3.5.34→^3.5.35^5.0.7→^5.1.0^3.2.9→^3.3.3Release Notes
babel/babel (@babel/plugin-proposal-decorators)
v7.29.7Compare Source
v7.29.7 (2026-05-25)
Re-release all packages with npm provenance attestations
ghiscoding/excel-builder-vanilla (@excel-builder-vanilla/types)
v5.0.1Compare Source
Bug Fixes
microsoft/fluentui (@fluentui/react-components)
v9.74.1Compare Source
v9.74.0: @fluentui/react-components v9.74.0Compare Source
Minor changes
Patches
microsoft/fluentui-system-icons (@fluentui/react-icons)
v2.0.328Compare Source
v2.0.327Compare Source
honojs/node-server (@hono/node-server)
v2.0.4Compare Source
What's Changed
Full Changelog: honojs/node-server@v2.0.3...v2.0.4
v2.0.3Compare Source
What's Changed
ServeStaticOptionscomment with the current spec by @kakkokari-gtyih in #356New Contributors
Full Changelog: honojs/node-server@v2.0.2...v2.0.3
lerna-lite/lerna-lite (@lerna-lite/cli)
v5.2.2Compare Source
Note: Version bump only for package @lerna-lite/cli
lerna-lite/lerna-lite (@lerna-lite/publish)
v5.2.2Compare Source
Bug Fixes
columnifywith native implementation (#1330) (1887f43) - by @ghiscodinglerna-lite/lerna-lite (@lerna-lite/watch)
v5.2.2Compare Source
Note: Version bump only for package @lerna-lite/watch
vitejs/vite-plugin-react (@vitejs/plugin-react)
v6.0.2Compare Source
Allow all options in reactCompilerPreset (#1189)
This is a type only change. Only
compilationModeandtargetoptions were available forreactCompilerPreset.vitejs/vite-plugin-vue (@vitejs/plugin-vue)
v6.0.7Features
@rolldown/pluginutilsversion (#776) (941b651)Bug Fixes
vitest-dev/vitest (@vitest/coverage-v8)
v5.0.0-beta.3Compare Source
🚨 Breaking Changes
expect.pollwhen function didn't resolve in time - by @hi-ogawa and Codex in #10233 (4df04)🚀 Features
kindinpage.mark- by @AriPerkkio in #10302 (053e8)context.markfor custom command tracing - by @AriPerkkio in #10329 (aa514)🐞 Bug Fixes
attachmentsDirroot only config - by @hi-ogawa and Codex in #10334 (fab1b)__esModule- by @hi-ogawa in #10363 (2b135)wrapDynamicImporttransform on ssr environment - by @hi-ogawa in #10355 (d3c96)FORCE_COLORover agent detection - by @dokson in #10272 (7e66b)excludeto not inherit negation globs fromtest.include- by @AriPerkkio in #10299 (28685)toNotFake- by @BPScott, @hi-ogawa and Codex in #10043 (bbf2f)summaryto intercept logger's streams even when they are notprocess.std*streams - by @AriPerkkio in #10340 (f79e7)testModulesinonTestRunEndwhen merging blobs from different root directory test runs - by @hi-ogawa and Codex in #10348 (745b3)🏎 Performance
View changes on GitHub
vuejs/language-tools (@vue/language-core)
v3.3.3Compare Source
vscode
workspace
auto-versionworkflow to prevent injection (#6074) - Thanks to @arpitjain099!v3.3.2Compare Source
language-core
v-forsources (#6067) - Thanks to @kkesidis!v-bindshorthand identifier skipping with interpolation - Thanks to @KazariEX!vscode
v3.3.1Compare Source
language-core
language-service
typescript-plugin
vscode
v3.3.0Compare Source
language-core
v-ifbranch fragments when collecting single root nodes - Thanks to @KazariEX!SfcAPIs toIR- Thanks to @KazariEX!language-service
html.customData(#5910) - Thanks to @Bomberus!=""only for plain boolean props completion edits - Thanks to @KazariEX!typescript-plugin
vscode
extraFileExtensionsin tsserverconfigurerequest payload (#6048) - Thanks to @KazariEX!cypress-io/cypress (cypress)
v15.16.0Compare Source
Changelog: https://docs.cypress.io/app/references/changelog#15-16-0
cure53/DOMPurify (dompurify)
v3.4.7: DOMPurify 3.4.7Compare Source
IN_PLACE, thanks @GameZoneHackerv3.4.6: DOMPurify 3.4.6Compare Source
IN_PLACEmode, thanks @offset & @BankdeIN_PLACEand Shadow DOM sanitization, thanks @offset & @BankdeIN_PLACEand general DOM Clobbering attacksv3.4.5Compare Source
v3.4.4: DOMPurify 3.4.4Compare Source
selectedcontentelement to default allow-list, thanks @lukewarlowcommandandcommandforattributes to default allowed-list, thanks @lukewarlowIN_PLACEoperations, thanks @DEMON1Aghiscoding/excel-builder-vanilla (excel-builder-vanilla)
v5.0.1Compare Source
Note: Version bump only for package excel-builder-vanilla
fallow-rs/fallow (fallow)
v2.85.0Compare Source
Added
fallow coverage upload-source-mapsnow uploads each map's repo-relative path, so the source-evidence viewer can resolve monorepo sub-package source. A bundled map under a sub-package (e.g.dashboard/dist/assets/X.js.map) lists its sources relative to the map file (../../src/components/X.tsx); the cloud previously had only the basename and collapsed that tosrc/components/X.tsx, which never matched the package-prefixed runtime pathdashboard/src/components/X.tsx, so the viewer reported "source not in maps" even though the file was in an uploaded map. The CLI now sends the map's path relative to the repo root alongside the existingfileName, letting the cloud resolve each source against the map's directory and recoverdashboard/src/components/X.tsx. The field is omitted when a map is not under the repo root (an absolute--diroutside it), in which case the cloud falls back to its previous behavior. Runupload-source-mapsfrom the repo root so the prefix is correct. No change for single-package projects. (Closes #260.)fallow flagsnow surfaces the configuration surface when it finds nothing. The empty-result line (No feature flags detected) is no longer byte-identical whether a project truly has no flags or just uses an SDK fallow does not recognize. On full defaults, the human output now lists the built-in env-var prefixes and SDK providers it scanned for, then points atflags.sdkPatterns,flags.configObjectHeuristics, and the configuration docs, so you can tell a true negative from a missing detector and add your own SDK (PostHog, in-house, anything not listed). Projects that already configured customflags.*patterns get a single terse line acknowledging their config instead of the discovery block. The enumerated detectors are derived from fallow's built-in tables, so the hint stays in sync as defaults grow. JSON, SARIF, compact, markdown, and CodeClimate output are unchanged, and--quietsuppresses the hint. (Closes #562.)fallow impactreports what fallow has done for you, opt-in and local-only. A newfallow impactcommand shows how many issues fallow is currently surfacing, the trend since the previous recorded run, and how many commits its pre-commit gate blocked then cleared. Enable it withfallow impact enable(withdisableandstatussiblings); once enabled, eachfallow auditrun appends a small record to a single rolling.fallow/impact.json(gitignored, never uploaded). The generatedfallow init --hookspre-commit hook now tags gate runs so a blocked-then-fixed commit is recorded as contained. Writes are best-effort and never change a command's exit code or output. Human,--format json, and--format markdownoutput are available, and the JSON shape ships in the published output schema.fallow impactnow also credits per-finding resolutions: when a finding you previously saw goes away because you fixed the code, it counts as resolved, and when it goes away because you added afallow-ignore, it is reported separately as intentionally managed and never counted as a win. It distinguishes the two by capturing which suppressions are present each run, and it ignores findings that merely moved rather than being removed (within a file, or relocated to another file, including across separate commits). Resolution attribution covers dead code, complexity, and duplication, accrues from your local runs (it is a local-developer signal, not a CI metric, since it lives in.fallow/impact.json), and addsresolved_total,suppressed_total, and a recent-resolutions list to all three output formats and the published schema.fallow impactnow tracks a whole-project view and credits cleanups you make outside a changed-file audit. Previously every recorded run came fromfallow audit, which is scoped to the files changed against your base, so a duplication or whole-repo cleanup you verified withfallow dupes(or any fullfallowrun) was never credited. Now a fullfallowrun (dead code + duplication + complexity, with no--changed-since/--workspace/--diff/--productionnarrowing) records a separate whole-project entry, and its resolution pass credits any finding that has gone away anywhere in the repo, including a clone group you removed without touching it in the current commit. The report gains an understated whole-project section (project_surfacingandproject_trendin--format json) kept separate from the changed-file trend so the two scopes never mix into one misleading number; it advances only on your local fullfallowruns, not in CI, and the report says so. A clone that is merely reshaped (one of several identical copies removed while the rest still duplicate) is not counted as resolved. The report's JSON shape stays at schema version 1 (the new fields are additive and optional).The Fallow Impact value report is now available over MCP. A new read-only
impactMCP tool wrapsfallow impact --format json, so AI agents can read the local report (current surfacing, trend since the last recorded run, pre-commit gate containment, and, on impact v1.5+, resolved/suppressed attribution) the same way they callcheck_healthoraudit. It runs no analysis, so it takes only aroot; the mutatingenable/disablelifecycle is intentionally not exposed, and on a never-enabled project it returns a populated{"enabled": false, ...}report (never{}) so an agent can tell "not set up" from "set up, no history yet" and recommendfallow impact enablerather than toggling it. Because impact is a local-developer signal, the tool surfaces an empty report in ephemeral CI runners and should not be used as a CI metric.Opt-in product telemetry for improving agent, CI, MCP, and editor workflows, off by default.
fallow telemetry status|enable|disable|inspectmanages it, andFALLOW_TELEMETRY=inspect fallow <command>prints the exact payload a real run would send without sending it. When enabled, Fallow sends one small, allowlisted, workflow-level event per run (which workflow ran, the integration surface, the invocation context, output format, OS and architecture, and coarse duration and exit-code buckets) and never repository names, file paths, package or dependency names, source code, config values, environment variable names or values, raw command lines, or errors.DO_NOT_TRACKandFALLOW_TELEMETRY_DISABLEDare honored as top-precedence kill switches, and CI stays off unless telemetry is explicitly enabled in that environment. Agents and wrappers can declare their integration with an allowlistedFALLOW_AGENT_SOURCE(codex,claude_code,cursor,copilot,opencode,aider,roo,windsurf,gemini,cline,continue,zed,goose); setting it never enables telemetry and uploads no codebase content. The upload is best-effort on a background thread and never blocks the command or changes its output or exit code. Seedocs/telemetry.md.fallow healthnow emits acoverage_intelligenceverdict when coverage, runtime, complexity, and change-scope evidence combine into an actionable recommendation. The additive JSON block carries its own schema version, headline verdict, summary counts, stablefallow:coverage-intel:<hash>finding IDs, ordered signals, compact evidence, related runtime IDs, and agent-ready actions. It currently surfaces risky changed hot paths, high-confidence delete candidates, owner-review-required cold code, and hot covered code that still needs careful refactoring. Human, markdown, compact, SARIF, and CodeClimate output render actionable findings; audit receives the block through its nested health payload without changing the default audit verdict or exit behavior. (Closes #507.)Clone groups now have a stable fingerprint, and
fallow dupes --tracecan deep-dive one by id. Every clone group infallow dupesnow carries a content-derived fingerprint, usuallydup:<8hex>and widened only on rare report collisions, shown beside each group in the human listing and emitted on everyclone_groups[]entry (plus nestedclone_families[].groups[]and the per-bucket--group-byoutput) in--format json.fallow dupes --tracenow accepts that fingerprint (fallow dupes --trace dup:7f3a2c1e) in addition to the existingFILE:LINEform, so you can deep-dive a specific group without hunting for one of its line numbers. The trace output now also shows, per group, an extract-function suggestion with estimated line savings, a best-effort proposed function name (derived from the dominant identifier; omitted when it would be generic), and a docs link. The fingerprint is derived from the group's source content, so it is stable across runs and editing one clone group never changes another's id; collision handling is report-scoped, so a short collision widens only the colliding groups and ambiguous short ids do not resolve to the wrong group. The MCPtrace_clonetool gained an optionalfingerprintparameter (file/lineare now optional, exactly one addressing form required), so an AI agent can read a fingerprint fromfind_dupesand deep-dive that group in a single follow-up call. (Closes #759.)fallow's static analysis is now guaranteed, at compile time, never to execute the analyzed project's code. The analysis crates (
fallow-core,fallow-extract,fallow-graph) ban raw process spawning with a clippy lint (std::process::Command::newis denied at each crate root); the only external program the analysis path can run isgit(for--changed-since, churn history, and repository-state queries), routed through a singlefallow_core::spawn::gitwrapper. Apackage.jsonlifecycle script such aspostinstallis read as data and never run, now backed by a regression test that asserts a sentinel-writing script never fires during analysis. On the build-time supply-chain surface (Cargobuild.rsand proc-macros, which run arbitrary code while compiling fallow),deny.tomlnow also rejects yanked crates (yanked = "deny"), andSECURITY.mddocuments the build-time trust boundary alongside the existing runtime one. No user-facing behavior change.Changed
vite-plugin-*,prettier-plugin-*) are now reported as unused devDependencies. Fallow carried a hardcoded list of known dev tooling that exempted a package from the unused-dependency report by exact name. Several entries on that list were framework plugins (vite-plugin-svgr,vite-plugin-eslint,prettier-plugin-tailwindcss,prettier-plugin-organize-imports,@ianvs/prettier-plugin-sort-imports), which meant a plugin you listed indevDependenciesbut never wired into yourvite.config.*or prettier config was silently treated as used. Those entries are gone: such a plugin is now credited only when it actually appears in the config (vite plugins through the import graph that already reads your config file, prettier plugins through the Prettier config parser, which now also reads thepluginsarray from.prettierrc.{yml,yaml,toml}), so a genuinely-unused one correctly surfaces. If a plugin you do use is flagged, fallow could not see it referenced in a config it parses; add it toignoreDependenciesand please open an issue with the config form. (Closes #462.)crates/core/data/tooling.toml. Adding a tool is a one-line entry with no code change and no regeneration step; see [CONTRIBUTIConfiguration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.