chore(deps): update all dependencies by renovate[bot] · Pull Request #124 · vadimpiven/node_reqwest

renovate · 2026-03-21T01:57:25Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Type	Update	Pending
@codspeed/vitest-plugin (source)	`5.4.0` → `5.5.0`	pnpm.catalog.default	minor
CodSpeedHQ/action	`v4.15.1` → `v4.17.0`	action	minor
aqua:astral-sh/uv	`0.11.16` → `0.11.17`		patch	`0.11.19` (+1)
aqua:cli/cli	`2.92.0` → `2.93.0`		minor
aqua:crate-ci/typos	`1.46.3` → `1.47.0`		minor	`1.47.2` (+1)
electron	`42.2.0` → `42.3.0`	pnpm.catalog.default	minor	`42.3.3`
github:EmbarkStudios/cargo-deny	`0.19.7` → `0.19.8`		patch
github:nextest-rs/nextest	`0.9.136` → `0.9.137`		patch
jdx/mise	`v2026.5.15` → `v2026.5.16`		patch	`v2026.6.0` (+2)
node (source)	`24.15.0` → `24.16.0`		minor
npm:pnpm (source)	`11.2.2` → `11.5.0`		minor	`11.5.2` (+1)
oxfmt (source)	`0.51.0` → `0.52.0`	pnpm.catalog.default	minor	`0.53.0`
oxlint (source)	`1.66.0` → `1.67.0`	pnpm.catalog.default	minor	`1.68.0`
pnpm (source)	`11.2.2+sha512.36e6621fad506178936455e70247b8808ef4ec25797a9f437a93281a020484e2607f6a469a22e982987c3dbb8866e3071514ab10a4a1749e06edcd1ec118436f` → `11.5.0`	packageManager	minor	`11.5.2` (+1)
quay.io/pypa/manylinux_2_28	`65f13b3` → `102e1ad`	final	digest
ruff (source, changelog)	`==0.15.14` → `==0.15.15`	dependency-groups	patch	`0.15.16`
rust (source, changelog)	`nightly-2026-05-24` → `nightly-2026-05-30`	toolchain	patch	`nightly-2026-06-06` (+6)
rustlang/rust	`nightly-2026-05-24` → `nightly-2026-05-30`		patch	`nightly-2026-06-06` (+6)

Release Notes

CodSpeedHQ/codspeed-node (@codspeed/vitest-plugin)

`v5.5.0`

Compare Source

Highlights

We are introducing @codspeed/playwright, for walltime benchmarking and profiling of end to end browser applications through playwright.

Here's an example usage, but head to the docs for more information

import { bench, type Page } from "@&#8203;codspeed/playwright-plugin";
import electronExecutable from "electron";
import path from "node:path";
import { fileURLToPath } from "node:url";

const __dirname = path.dirname(fileURLToPath(import.meta.url));
const appRoot = path.resolve(__dirname, "..");

async function waitUntilSettled(page: Page): Promise<void> {
  await page.waitForFunction(() => {
    const main = document.getElementById("main");
    return !!main && !main.classList.contains("loading");
  });
}

await bench(
  "inbox-search-archive-threads",
  async ({ page }) => {
    await page.fill("#search", "update");
    await waitUntilSettled(page);

    await page.click("#select-visible-btn");
    await page.click("#archive-btn");
    await waitUntilSettled(page);

    await page.click('#sidebar nav button[data-view="threads"]');
    await waitUntilSettled(page);
  },
  {
    target: {
      kind: "electron",
      appPath: path.join(appRoot, "out/main/index.js"),
      cwd: appRoot,
    },
    beforeRound: async ({ page }) => {
      page.setDefaultTimeout(180_000);
      await page.waitForSelector("#main");
      await waitUntilSettled(page);
    },
  },
);

Note: this plugin is only compatible with the walltime instrument.

What's Changed

Add playwright profiling package by @GuillaumeLagrange in #80

Full Changelog: CodSpeedHQ/codspeed-node@v5.4.0...v5.5.0

CodSpeedHQ/action (CodSpeedHQ/action)

`v4.17.0`

Compare Source

Release Notes

🚀 Features

Configure samply symbol resolution env vars by @not-matthias
Add CODSPEED_WALLTIME_PROFILER override by @not-matthias
Make benchmark isolation profiler-driven by @not-matthias
Add profile-based auth configuration (#366) by @art049 in #366
Bump instrument-hooks to not use stubs on macos (#373) by @GuillaumeLagrange in #373
Pin codspeed-go-runner installer downloads with sha256 verification by @art049 in #362
Pin downloaded binaries with sha256 verification by @art049
Search NixOS debug info path by @not-matthias in #354
Inherit process mapping on forks by @GuillaumeLagrange
Bundle samply via library crate by @not-matthias
Add samply profiler for macOS by @not-matthias
Rename CODSPEED_PERF_ENABLED to CODSPEED_PROFILER_ENABLED by @not-matthias
Add Profiler trait abstraction by @not-matthias
Restore cursor on ctrl c by @GuillaumeLagrange in #341
Validate tokens and repository access up front by @GuillaumeLagrange

🐛 Bug Fixes

Use introspected env for memory executor by @GuillaumeLagrange
Misleading DCE advice in setup-harness (#350) by @SuperMuel in #350
Flush rolling buffer when executor errors by @not-matthias in #352
Use brew-installed bash for samply on macOS by @not-matthias in #347
Keep old name aliases to for deserialization purposes by @GuillaumeLagrange in #345
Handle malformed token from backend better by @GuillaumeLagrange
Disable PYTHON_PERF_JIT_SUPPORT on macOS by @not-matthias
Use mach_absolute_time for FIFO timestamps on macOS by @not-matthias
Use O_RDWR to open FIFOs on all Unix platforms by @not-matthias

💼 Other

Select profiler via typed CLI arg by @GuillaumeLagrange in #379
Bump workspace dependencies (#370) by @art049 in #370
Make api_client the single source of truth for the auth token by @GuillaumeLagrange
Bump gql_client to partial-data fork by @GuillaumeLagrange

🏗️ Refactor

Centralize internal re-exec via InternalCommands::get_command_builder by @not-matthias in #338
Rename Benchmark FIFO commands/markers to Profiler/Round by @not-matthias
Rename Profiler::wrap to wrap_command by @not-matthias
Share Linux profiler sysctl setup by @not-matthias
Port PerfRunner to Profiler trait by @not-matthias
Rename PerfMetadata to WalltimeMetadata by @not-matthias
Move perf module under profiler/ by @not-matthias
Rename FifoCommand::PingPerf to PingProfiler by @not-matthias
Rename IntegrationMode::Perf to Walltime by @not-matthias

🧪 Testing

Update valgrind snapshot tests by @adriencaccia

⚙️ Internals

Add taplo config file by @GuillaumeLagrange in #363
Bump samply fork to use framehop-codspeed by @not-matthias
Add retry to sha256 tests to prevent transient failures by @GuillaumeLagrange in #375
Update setarch command arguments to use long options (#304) by @xtqqczze in #304
Bump valgrind-codspeed to 3.26.0-0codspeed2
Fix macOS rustup cache corruption in install-rust action by @GuillaumeLagrange in #357
Give each bpf-tests shard its own cache key by @not-matthias in #358
Shard bpf-tests by integration test binary by @not-matthias
Use rustup show instead of toolchain install by @GuillaumeLagrange in #349
Disable profiler in macos-basic-run-test by @not-matthias
Upload the basic run to validate auth of integration test by @GuillaumeLagrange
Move samply fork from AvalancheHQ to CodSpeedHQ by @not-matthias
Remove the cursor hiding by @GuillaumeLagrange

Install codspeed-runner 4.17.0

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CodSpeedHQ/codspeed/releases/download/v4.17.0/codspeed-runner-installer.sh | sh

Download codspeed-runner 4.17.0

File	Platform	Checksum
codspeed-runner-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
codspeed-runner-aarch64-unknown-linux-musl.tar.gz	ARM64 MUSL Linux	checksum
codspeed-runner-x86_64-unknown-linux-musl.tar.gz	x64 MUSL Linux	checksum

Full Runner Changelog: https://github.com/CodSpeedHQ/codspeed/blob/main/CHANGELOG.md

Full Changelog: CodSpeedHQ/action@v4.15.1...v4.17.0

astral-sh/uv (aqua:astral-sh/uv)

`v0.11.17`

Compare Source

Released on 2026-05-28.

Enhancements

Add a diagnostic for uv add with standard library modules (#19572)
Expose uv workspace and its list subcommand in help output (#19533)
Improve the "403 forbidden" hint to suggest ignore-error-codes when applicable (#19521)
Skip direct URL lock freshness checks while offline (#19596)
Add import-names and import-namespaces support to uv-build (PEP 794) (#19380)
Add a --no-editable-package flag to various commands (#19584)
Infer Python version requests from source trees in uv tool invocations (#19577)

Preview features

Add module owners to uv workspace metadata (#19122)
Do not allow uv venv --clear to remove non-virtual environments (#19595)

Bug fixes

Improve the performance of large entries in tool.uv.conflicts (#19538)
Avoid modifying the parent process' env with --env-file in uv run (#19567)
Fix script environment creation for scripts with long filenames (#19539)
Fix transitive Git archive dependencies in lockfiles (#19589)
Preserve Git repository URLs in direct URL metadata (#19590)
Support redirects in --check-url (#19594)
Accept case-insensitive HTML tags in --find-links parsing (#19537)
Reject duplicate script metadata blocks (#19544)
Ban names like "python3" as script entry points (#19535, #19536)
Validate Git LFS artifacts for Git archives (#19592)
Use a relative path when creating symlinks in cache to improve relocatability (#19033)

Documentation

Fix malformed positional anchors in the CLI reference (#19575)

cli/cli (aqua:cli/cli)

`v2.93.0`: GitHub CLI 2.93.0

Compare Source

Security

A security vulnerability has been identified, and fixed, that would incorrectly include authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands.

Users are advised to update gh to version v2.93.0 as soon as possible.

For more information see: GHSA-8xvp-7hj6-mcj9

Support agents in `gh secret` command set

The gh secret command set can now set agent secrets. For more information, see "Configuring secrets and variables for Copilot cloud agent".

What's Changed

✨ Features

Allow agents as application for secrets by @tenjaa in #13421

🐛 Fixes

fix(pr): remove numberFieldOnly optimization that skips API validation by @williammartin in #13327
Print gh auth refresh for 401 returns by @333fred in #13068
Derive digest algorithm from ref length in release verify commands by @bdehamer in #13430

📚 Docs & Chores

Add missing //go:build integration tag to verify_integration_test.go by @pdostal in #13303
Fix flaky accessible prompter Password test timeout by @pdostal in #13304
Enable extended PR screening for external PRs by @tidy-dev in #13312
Grammar fixes by @scop in #13326
Bump gh copilot telemetry sampling to 100% by @williammartin in #13362
Record accessibility feature state in telemetry by @williammartin in #13363
Poll TTY echo mode instead of sleeping in password tests by @pdostal in #13305
Switch from actions/attest-build-provenance to actions/attest by @scop in #13325
Fix skills acceptance tests by @williammartin in #13365
Bump Go toolchain to 1.26.3 by @Copilot in #13367
Trigger triage check-requirements on ready_for_review by @BagToad in #13383
fix(copilot): hint to run copilot directly when exec fails by @babakks in #13393
Update installation commands for GitHub CLI by @sassdawe in #13126
Update CODEOWNERS for skills directory ownership by @williammartin in #13416
fix(telemetry): prevent tzutil console flash on Windows by @adehad in #13353
Fix bump-go.sh to tolerate missing toolchain directive by @Copilot in #12581
docs: drop --repo gh-cli from dnf install lines by @c-tonneslan in #13444
Remove third-party license debris by @williammartin in #13470
Remove dependency on persistent token by @williammartin in #13474
Remove discussion workflow by @williammartin in #13476
Stop bumping homebrew on release by @williammartin in #13479
build: update golang.org/x/crypto by @tommaso-moro in #13486
Add 3 day dependabot cooldown period by @williammartin in #13488
Run govulncheck daily instead of weekly by @williammartin in #13487
SHA pin first-party GitHub Actions by @williammartin in #13491
Link to Accessibility category for community discussions instead of ACR by @mxie in #13481
docs: fix duplicated "of" in release-process-deep-dive by @vip892766gma in #13425
chore(deps): bump golang.org/x/net from 0.54.0 to 0.55.0 by @BagToad in #13510
docs: note immutable releases starting v2.93.0 by @BagToad in #13518
fix CI attestation integration tests after rename by @BagToad in #13536

Dependencies

chore(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.2.1 by @dependabot[bot] in #13297
chore(deps): bump github.com/klauspost/compress from 1.18.5 to 1.18.6 by @dependabot[bot] in #13328
chore(deps): bump golang.org/x/sys from 0.43.0 to 0.44.0 by @dependabot[bot] in #13381
chore(deps): bump golang.org/x/term from 0.42.0 to 0.43.0 by @dependabot[bot] in #13396
chore(deps): bump google.golang.org/grpc from 1.80.0 to 1.81.0 by @dependabot[bot] in #13346
chore(deps): bump golang.org/x/text from 0.36.0 to 0.37.0 by @dependabot[bot] in #13397
chore(deps): bump golang.org/x/crypto from 0.50.0 to 0.51.0 by @dependabot[bot] in #13420
chore(deps): bump google.golang.org/grpc from 1.81.0 to 1.81.1 by @dependabot[bot] in #13436
chore(deps): bump goreleaser/goreleaser-action from 7.2.1 to 7.2.2 by @dependabot[bot] in #13461
chore(deps): bump github/codeql-action from 4 to 4.35.5 by @dependabot[bot] in #13489
chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.4.1 to 2.4.2 by @dependabot[bot] in #13462
chore(deps): bump github.com/google/go-containerregistry from 0.21.5 to 0.21.6 by @dependabot[bot] in #13457

New Contributors

@pdostal made their first contribution in #13303
@333fred made their first contribution in #13068
@scop made their first contribution in #13326
@sassdawe made their first contribution in #13126
@adehad made their first contribution in #13353
@c-tonneslan made their first contribution in #13444
@tenjaa made their first contribution in #13421
@mxie made their first contribution in #13481
@vip892766gma made their first contribution in #13425

Full Changelog: cli/cli@v2.92.0...v2.93.0

crate-ci/typos (aqua:crate-ci/typos)

`v1.47.0`

Compare Source

Features

Updated the dictionary with the May 2026 changes

electron/electron (electron)

`v42.3.0`: electron v42.3.0

Compare Source

Release Notes for v42.3.0

Features

Added Linux support for app.getApplicationInfoForProtocol(). #51680
Added Notification.remove(), removeAll(), and removeGroup() static methods for macOS. #51691 ^{(Also in 43)}
Added session support to net module requests from utility process. #51698

Fixes

Fixed an issue where process and other Node globals were undefined in ESM preload scripts when contextIsolation was disabled. #51726 ^{(Also in 43)}
Fixed native addon compilation failure with undefined msvc intrinsic from v8 headers. #51706 ^{(Also in 43)}

Other Changes

Updated Chromium to 148.0.7778.180. #51600

EmbarkStudios/cargo-deny (github:EmbarkStudios/cargo-deny)

`v0.19.8`

Compare Source

Fixed

PR#864 fixed matching of ^ and ~ with on prerelease versions for when checking if a crate is affected by an advisory. As of the time of the PR, this literally affected none of published versions of any crate with an advisory, but this just ensures such a case will be handled in the future.

nextest-rs/nextest (github:nextest-rs/nextest)

`v0.9.137`: cargo-nextest 0.9.137

Compare Source

Changed

CLI --help descriptions, configuration-reference docs, and JSON schema descriptions now use consistent language and voice. (#3366)

Fixed

Filterset expressions like not(test(foo)), all()and(test(foo)), and all()or(test(foo)), where not, and, or or is immediately followed by an opening parenthesis, now parse correctly. Previously, a separating space was required. (#3367)

jdx/mise (jdx/mise)

`v2026.5.16`: : versions-host metadata, fork-bomb fixes, and friendlier upgrades

Compare Source

Added

(github) Use the shared mise-versions host for release metadata and artifact attestations before falling back to api.github.com, dramatically cutting anonymous GitHub API usage in CI/Docker (#10127 by @jdx).
(node) New node.npm_shim setting (MISE_NODE_NPM_SHIM) to opt out of the bundled npm wrapper, letting corepack manage bin/npm cleanly (#10082 by @jjb).
(npm) New allow_builds tool option for npm-backend installs that expands to --allow-build=<pkg> for aube and pnpm, accepting a string, array, or true for all builds (#10116 by @jdx).

Fixed

(backend) Strip the system shims dir from dependency_env PATH to prevent npm/go shim re-entry fork-bombs in devcontainer/Docker setups using mise install --system (#10019 by @andrewjamesbrown).
(backend) Improve libc detection on musl distros so installing gcompat on Alpine no longer flips mise to glibc binaries (#10020 by @thespags).
(aqua) Skip in-place link creation when src and dst alias the same inode (fixes godot install on macOS/APFS) (#10012 by @tvararu).
(aqua) Lock github_content packages using raw GitHub content URLs instead of archive URLs (#10102 by @risu729).
(toolset) hook-env and other prefer-offline flows no longer fetch remote versions to resolve concrete/latest/prefix:* specs, speeding up shells with many fuzzy tools (#10098 by @jdx).
(upgrade) Preserve installed versions still pinned by other tracked project lockfiles during upgrade cleanup (#10114 by @jdx).
(upgrade) Improve current version detection so prefix requests like go = "1.25" show the best matching installed version in summaries (#9973 by @jdx).
(lock) Allow mise lock and mise upgrade to refresh mise.lock even when locked = true is set (#10111 by @jdx).
(install) Reject install requests whose resolved backend is in disable_backends, including explicit syntax like ubi:owner/repo (#9905 by @risu729).
(use) Reject tool version strings that start with - (e.g. mise use dummy@--version) (#10113 by @jdx).
(en) Preserve MISE_ENV / -E profile when an activated subshell sources mise activate (#10124 by @jdx).
(unset) Respect MISE_GLOBAL_CONFIG_FILE when running mise unset from $HOME, matching mise set/use (#10105 by @jdx).
(task) Set config_root on tasks loaded from global config so {{config_root}} renders correctly (#10106 by @jdx).
(task) Render templates and expand ~/ in sandbox allow_read / allow_write paths (#10112 by @jdx).
(shim) Skip dot-prefixed (hidden) executables when generating shims (#10123 by @jdx).
(pipx) Combine --pip-args=VALUE into a single argv element so pipx's argparse accepts values starting with -- (#10120 by @iloveitaly).
(security) Apply url_replacements to the GitHub attestations API base URL (#9971 by @SlaterByte).
Show the mise version in friendly error output (#10109 by @jdx).
(copr) Increase build timeout (#10071 by @jdx).

Performance

Cache repeated successful path canonicalization across hot PATH/shim/activation lookups (#10068 by @jdx).

Changed

Registry: use the npm backend for npm on Windows (aqua's standalone npm/cli tarball is broken on Windows) (#10101 by @risu729).
Registry: allow narrow dependency builds for npm-primary tools (wrangler, gemini-cli, vercel, codebuff, jules, orval, serverless), and drop npm fallbacks for ast-grep, lefthook, claude, code (#9916 by @risu729).
Registry: add modem-dev/hunk (#10051 by @naoki-mizuno), wacli (#10043 by @dovocoder), liquibase via the github backend (#10052 by @benberryallwood), longbridge-terminal (#10073 by @hogan-yuan), and make aube more resilient (#10092 by @bgeron, #10110).

Documentation

Fix Scoop installation section (#10059 by @ofek).
Clarify untrusted config behavior (#10097 by @jdx).
Remove outdated terraform main.tf reference (#10099 by @risu729).
Remove broken "How I Use mise" link (#10081 by @HYP3R00T).

💚 Sponsor mise

mise is built by @jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

nodejs/node (node)

`v24.16.0`: 2026-05-21, Version 24.16.0 'Krypton' (LTS), @aduh95

Compare Source

Notable Changes

[b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #62553
[ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #62713
[9705f628d9] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #57775
[40ccfdecf9] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #62277
[d7188af5c9] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #63082
[aa1d8a9afc] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #62541
[6f37f7e240] - (SEMVER-MINOR) stream: propagate destruction in duplexPair (Ahmed Elhor) #61098
[d14029be7f] - (SEMVER-MINOR) test_runner: support test order randomization (Pietro Marchini) #61747
[d142c584cd] - (SEMVER-MINOR) test_runner: align mock timeout api (sangwook) #62820
[01a9552585] - (SEMVER-MINOR) test_runner: add mock-timers support for AbortSignal.timeout (DeveloperViraj) #60751
[00705a459a] - (SEMVER-MINOR) util: colorize text with hex colors (Guilherme Araújo) #61556

Commits

[dd72df060d] - assert,util: fix stale nested cycle memo entries (Ruben Bridgewater) #62509
[add94f4bc3] - build: track PDL files as inputs in inspector GN build (Robo) #62888
[1b1eb9e334] - build: remove redundant -fuse-linker-plugin from GCC LTO flags (Daniel Lando) #62667
[8752b604ec] - crypto: deduplicate and canonicalize CryptoKey usages (Filip Skokan) #62902
[341947e7fd] - crypto: reject unintended raw key format string input (Filip Skokan) #62974
[28a78747fc] - crypto: remove Argon2 KDF derivation from its job setup (Filip Skokan) #62863
[16e8c2b54d] - crypto: fix unsigned conversion of 4-byte RSA publicExponent (DeepView Autofix) #62839
[eeae754a87] - crypto: reject inherited key type names (Jonathan Lopes) #62875
[9dd5540325] - crypto: add memory tracking for secureContext openssl objects (Mert Can Altin) #59051
[b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #62553
[7597d204c1] - crypto: add support for Ed25519 context parameter (Filip Skokan) #62474
[4bf85845da] - debugger: move ProbeInspectorSession and helpers to separate files (Joyee Cheung) #63013
[ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #62713
[83e98f77b7] - deps: update corepack to 0.35.0 (Node.js GitHub Bot) #63375
[ec8c6b939a] - deps: V8: cherry-pick 657d8de (Guy Bedford) #62784
[722c0c3274] - deps: update nghttp3 to 1.14.0 (Node.js GitHub Bot) #61187
[5304db93d3] - deps: update nghttp3 to 1.13.1 (Node.js GitHub Bot) #60046
[e073b3811d] - deps: update nghttp3 to 1.11.0 (James M Snell) #59249
[1d00313fb2] - deps: update ngtcp2 to 1.14.0 (James M Snell) #59249
[8b3a4fc18f] - deps: update amaro to 1.1.9 (Node.js GitHub Bot) #63090
[62fe0cfcd1] - deps: update llhttp to 9.4.1 (Node.js GitHub Bot) #63045
[137e09c8e9] - deps: update corepack to 0.34.7 (Node.js GitHub Bot) #62810
[14a4cb8fbc] - deps: update timezone to 2026b (Node.js GitHub Bot) #62962
[3e1036583a] - deps: upgrade npm to 11.13.0 (npm team) #62898
[01dfe5961c] - deps: cherry-pick libuv/libuv@439a54b (skooch) #62881
[6cd368b10c] - deps: update sqlite to 3.53.0 (Node.js GitHub Bot) #62699
[f218a4f553] - deps: update nbytes to 0.1.4 (Node.js GitHub Bot) #62698
[b47688524a] - deps: update archs files for openssl-3.5.6 (Node.js GitHub Bot) #62629
[d202e2d343] - deps: upgrade openssl sources to openssl-3.5.6 (Node.js GitHub Bot) #62629
[2faba66341] - deps: update minimatch to 10.2.5 (Node.js GitHub Bot) #62594
[fa46c90c5d] - deps: update googletest to d72f9c8 (Node.js GitHub Bot) #62593
[099ded5713] - deps: update simdjson to 4.6.1 (Node.js GitHub Bot) #62592
[7ce95afe96] - deps: libuv: cherry-pick aabb765 (Santiago Gimeno) #62561
[57ef845623] - deps: update icu to 78.3 (Node.js GitHub Bot) #62324
[493ac40e12] - deps: update libuv to 1.52.1 (Node.js GitHub Bot) #61829
[b39508b368] - deps: update undici to 7.25.0 (Node.js GitHub Bot) #63011
[cb67a925e9] - deps: use npm undici@seven tag in update-undici.sh (Matteo Collina) #62739
[aa1e0bc28b] - doc: fix typos and inconsistencies in crypto.md and webcrypto.md (Filip Skokan) #62828
[f2a1735ed9] - doc: fix duplicate word "to to" in util.styleText (Daijiro Wachi) #62917
[[b6378e215c](https://redirect.github.com/nodejs/

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (in timezone UTC)

Branch creation
- "every weekend"
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate · 2026-03-21T01:57:28Z

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package.json

Command failed: corepack use pnpm@11.5.0

File name: mise.lock


mise ERROR error parsing config file: /tmp/renovate/repos/github/vadimpiven/node_reqwest/mise.toml
mise ERROR Config files in /tmp/renovate/repos/github/vadimpiven/node_reqwest/mise.toml are not trusted.
Trust them with `mise trust`. See https://mise.en.dev/cli/trust.html for more information.
mise ERROR Version: 2026.6.0 linux-x64 (2026-06-03)
mise ERROR Run with --verbose or MISE_VERBOSE=1 for more information

Command failed: mise lock aqua:astral-sh/uv aqua:cli/cli aqua:crate-ci/typos github:EmbarkStudios/cargo-deny github:EmbarkStudios/cargo-deny github:nextest-rs/nextest node npm:pnpm rustlang/rust
mise ERROR error parsing config file: /tmp/renovate/repos/github/vadimpiven/node_reqwest/mise.toml
mise ERROR Config files in /tmp/renovate/repos/github/vadimpiven/node_reqwest/mise.toml are not trusted.
Trust them with `mise trust`. See https://mise.en.dev/cli/trust.html for more information.
mise ERROR Version: 2026.6.0 linux-x64 (2026-06-03)
mise ERROR Run with --verbose or MISE_VERBOSE=1 for more information

greptile-apps · 2026-03-21T01:59:49Z

Greptile Summary

This is a routine automated dependency update PR from Renovate Bot, bumping a wide range of dependencies across the stack: GitHub Actions (setup-node v6.3.0, mise-action v3.6.3, zizmor-action v0.5.2, codeql-action v4.32.6), Node.js packages (pnpm 10.32.1, vitest/vite 4.1.0/8.0.0 stable releases from beta, oxfmt, oxlint, undici, electron, node-addon-slsa), Rust crates (tempfile 3.27.0), Python tools (ruff, semgrep, pyrefly, zizmor), and various aqua-managed CLI tools (uv, gh, gitleaks, shfmt, nextest). All GitHub Action references continue to be pinned by full commit SHA, which is good practice for this repository.

Most changes are straightforward version bumps with no behavioral impact on the codebase itself.
Several beta versions (vitest, vite) graduate to stable releases — a positive change.
The packageManager field in package.json was updated to pnpm@10.32.1 but the SHA512 integrity hash that was present in the old value was dropped, removing Corepack's ability to verify the pnpm binary on download.

Confidence Score: 4/5

This PR is safe to merge; the only notable finding is a non-critical omission of the Corepack integrity hash for pnpm.
All changes are automated dependency bumps. GitHub Actions remain SHA-pinned, Dockerfile images are digest-pinned, and lock files are fully regenerated. The one notable point is the missing SHA512 hash in the packageManager field, which is a best-practice/supply-chain hygiene issue rather than an active vulnerability. Everything else is routine.
package.json — missing SHA512 hash in the packageManager field.

Important Files Changed

Filename	Overview
package.json	Updated pnpm to 10.32.1 but dropped the SHA512 integrity hash from the packageManager field, removing Corepack's ability to verify the binary's integrity on download.
Dockerfile	Updated docker/dockerfile syntax to 1.22 and manylinux_2_28 base image to a new digest. Both references are pinned by SHA256. No issues found.
Cargo.lock	Updated tempfile from 3.26.0 to 3.27.0 which pulls in getrandom 0.3.4 instead of 0.4.2, and resolves different windows-sys versions for various crates. Standard lock file update.
mise.toml	Updated gitleaks, uv, gh CLI, nextest, and mvdan/sh (shfmt) to newer patch/minor versions. No issues found.
pyproject.toml	Updated pyrefly, ruff, semgrep, and zizmor to newer versions. No issues found.
pnpm-workspace.yaml	Updated catalog versions for @vitest/coverage-istanbul, electron, oxfmt, oxlint, undici, vite, and vitest from beta/older versions to stable releases. No issues found.

Comments Outside Diff (1)

package.json, line 202 (link)

Missing Corepack integrity hash for pnpm

The previous packageManager value included a +sha512 integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.

You can restore supply-chain integrity by running:

corepack use pnpm@10.32.1

This will update package.json with the correct hash for 10.32.1, e.g.:

Consider asking Renovate to preserve the hash when bumping the packageManager field (the pinDigests option may help, or a custom packageRules entry targeting packageManager).

Prompt To Fix With AI

This is a comment left during a code review.
Path: package.json
Line: 202

Comment:
**Missing Corepack integrity hash for pnpm**

The previous `packageManager` value included a `+sha512` integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.

You can restore supply-chain integrity by running:

```bash
corepack use pnpm@10.32.1
```

This will update `package.json` with the correct hash for 10.32.1, e.g.:



Consider asking Renovate to preserve the hash when bumping the `packageManager` field (the [`pinDigests`](https://docs.renovatebot.com/configuration-options/#pindigests) option may help, or a custom `packageRules` entry targeting `packageManager`).

How can I resolve this? If you propose a fix, please make it concise.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: package.json
Line: 202

Comment:
**Missing Corepack integrity hash for pnpm**

The previous `packageManager` value included a `+sha512` integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.

You can restore supply-chain integrity by running:

```bash
corepack use pnpm@10.32.1
```

This will update `package.json` with the correct hash for 10.32.1, e.g.:

```suggestion
  "packageManager": "pnpm@10.32.1+sha512.<hash-for-10.32.1>",
```

Consider asking Renovate to preserve the hash when bumping the `packageManager` field (the [`pinDigests`](https://docs.renovatebot.com/configuration-options/#pindigests) option may help, or a custom `packageRules` entry targeting `packageManager`).

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: "Update all dependenc..."}

codecov · 2026-04-20T21:27:48Z

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

codspeed-hq · 2026-05-18T07:49:49Z

Merging this PR will not alter performance

✅ 15 untouched benchmarks

_{Comparing renovate/all-dependencies (4ff023f) with main (32fd41a)}

socket-security · 2026-06-05T18:24:57Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/oxfmt@0.52.0
	npm/oxlint@1.67.0
	npm/@codspeed/vitest-plugin@5.5.0
	npm/electron@42.3.0

View full report

renovate Bot force-pushed the renovate/all-dependencies branch 4 times, most recently from 1c2d5e5 to 40653e4 Compare March 22, 2026 02:03

github-advanced-security AI found potential problems Mar 22, 2026

View reviewed changes