Skip to content

Comments

fix(deps): update all non-major dependencies#189

Open
clavery wants to merge 1 commit intomainfrom
renovate/all-non-major-dependencies
Open

fix(deps): update all non-major dependencies#189
clavery wants to merge 1 commit intomainfrom
renovate/all-non-major-dependencies

Conversation

@clavery
Copy link
Collaborator

@clavery clavery commented Feb 23, 2026

This PR contains the following updates:

Package Type Update Change
@inquirer/prompts (source) dependencies minor 8.2.0 -> 8.3.0
@modelcontextprotocol/inspector devDependencies minor ^0.18.0 -> ^0.20.0
@oclif/core pnpm.catalog.default patch 4.8.0 -> 4.8.1
@oclif/core peerDependencies minor ^4 -> ^4.8.1
@oclif/plugin-autocomplete dependencies patch 3.2.39 -> 3.2.40
@oclif/plugin-help dependencies patch 6.2.35 -> 6.2.37
@oclif/plugin-not-found dependencies patch 3.2.72 -> 3.2.74
@oclif/plugin-plugins dependencies patch 5.4.53 -> 5.4.56
@oclif/plugin-warn-if-update-available dependencies patch 3.1.52 -> 3.1.55
@oclif/test pnpm.catalog.default patch ^4 -> ^4.1.16
@salesforce/telemetry dependencies minor 6.4.6 -> 6.6.7
changesets/action action minor v1.5.3 -> v1.7.0
dorny/test-reporter action minor v2.3.0 -> v2.5.0
esbuild devDependencies minor ^0.24.0 -> ^0.27.3
glob pnpm.catalog.default patch 13.0.0 -> 13.0.6
i18next (source) dependencies minor 25.7.4 -> 25.8.13
minimatch dependencies minor 10.1.1 -> 10.2.2
node (source) engines minor >=22.16.0 -> >=22.22.0
node uses-with minor 22.x -> 22.22.0
node uses-with minor 24 -> 24.13.1
oclif pnpm.catalog.default patch ^4 -> ^4.22.81
openapi-fetch (source) dependencies minor 0.15.0 -> 0.17.0
openapi-typescript (source) devDependencies minor ^7.10.1 -> ^7.13.0
pino (source) dependencies minor 10.1.0 -> 10.3.1
pino-pretty dependencies patch 13.1.2 -> 13.1.3
pnpm (source) packageManager minor 10.17.1 -> 10.30.1
prettier (source) pnpm.catalog.default minor ^3.6.2 -> ^3.8.1
renovatebot/github-action action patch v41.0.21 -> v41.0.22
shx pnpm.catalog.default minor ^0.3.3 -> ^0.4.0
tsx (source) pnpm.catalog.default minor ^4 -> ^4.21.0
typedoc (source) devDependencies patch ^0.28.14 -> ^0.28.17
typedoc-plugin-markdown (source) devDependencies minor ^4.9.0 -> ^4.10.0
undici (source) dependencies minor 7.19.2 -> 7.22.0
vscode engines minor ^1.105.1 -> ^1.109.5
yaml (source) dependencies patch 2.8.1 -> 2.8.2

Release Notes

SBoudrias/Inquirer.js (@​inquirer/prompts)

v8.3.0

Compare Source

  • Fix: Keypresses happening before a prompt is rendered are now ignored.
  • Fix (checkbox): Element who're both checked and disabled are now always included in the returned array.
  • Feat (select/checkbox): Cursor will now hover disabled options of the list; but they still cannot be interacted with. This prevents the cursor jumping ahead in ways that can be confusing.
  • Feat: various new theme options to make all prompts content localizable.

Finally, see our new @inquirer/i18n package!

v8.2.1

Compare Source

  • chore: Switch wrap-ansi with fast-wrap-ansi
oclif/core (@​oclif/core)

v4.8.1

Compare Source

Bug Fixes
  • deps: bump minimatch from 9.0.5 to 10.2.1 (2815e37)
oclif/plugin-autocomplete (@​oclif/plugin-autocomplete)

v3.2.40

Compare Source

Bug Fixes
oclif/plugin-help (@​oclif/plugin-help)

v6.2.37

Compare Source

Bug Fixes

v6.2.36

Compare Source

Bug Fixes
oclif/plugin-not-found (@​oclif/plugin-not-found)

v3.2.74

Compare Source

Bug Fixes

v3.2.73

Compare Source

Bug Fixes
oclif/plugin-plugins (@​oclif/plugin-plugins)

v5.4.56

Compare Source

Bug Fixes

v5.4.55

Compare Source

Bug Fixes

v5.4.54

Compare Source

Bug Fixes
oclif/plugin-warn-if-update-available (@​oclif/plugin-warn-if-update-available)

v3.1.55

Compare Source

Bug Fixes

v3.1.54

Compare Source

Bug Fixes
  • deps: bump registry-auth-token from 5.1.0 to 5.1.1 (#​974) (aeb3361)

v3.1.53

Compare Source

Bug Fixes
oclif/test (@​oclif/test)

v4.1.16

Compare Source

Bug Fixes
  • deps: bump lodash from 4.17.21 to 4.17.23 (dab8924)

v4.1.15

Compare Source

Bug Fixes
  • deps: bump js-yaml from 4.1.0 to 4.1.1 (f6eb102)
forcedotcom/telemetry (@​salesforce/telemetry)

v6.6.7

Compare Source

Bug Fixes
  • deps: bump o11y_schema from 260.44.0 to 260.46.0 (35395de)

v6.6.6

Compare Source

Bug Fixes

v6.6.5

Compare Source

Bug Fixes

v6.6.4

Compare Source

Bug Fixes
  • deps: bump o11y_schema from 260.41.0 to 260.44.0 (b42b18e)

v6.6.3

Compare Source

Bug Fixes

v6.6.2

Compare Source

Bug Fixes

v6.6.1

Compare Source

Bug Fixes

v6.6.0

Compare Source

Bug Fixes
Features
  • updates for sending pdpEvents (6ed1a2f)

6.5.2 (2026-02-07)

Bug Fixes

6.5.1 (2026-02-07)

Bug Fixes

v6.5.2

Compare Source

Bug Fixes

v6.5.1

Compare Source

Bug Fixes

v6.5.0

Compare Source

Features

6.4.8 (2026-01-24)

Bug Fixes

6.4.7 (2026-01-22)

Bug Fixes
  • deps: bump lodash from 4.17.21 to 4.17.23 (579fdd3)

6.4.6 (2026-01-17)

Bug Fixes

6.4.5 (2026-01-06)

Bug Fixes

6.4.4 (2026-01-05)

Bug Fixes

6.4.3 (2025-12-06)

Bug Fixes

6.4.2 (2025-12-05)

Bug Fixes
  • deps: bump jws from 3.2.2 to 3.2.3 (4b51dab)

6.4.1 (2025-12-02)

Bug Fixes
  • deps: bump mdast-util-to-hast from 13.2.0 to 13.2.1 (537863c)

v6.4.8

Compare Source

Bug Fixes

v6.4.7

Compare Source

Bug Fixes
  • deps: bump lodash from 4.17.21 to 4.17.23 (579fdd3)
changesets/action (changesets/action)

v1.7.0

Compare Source

Minor Changes
  • #​564 935fe87 Thanks @​Andarist! - Automatically use the GitHub-provided token to allow most users to avoid explicit GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} configuration.
Patch Changes

  • #​545 54220dd Thanks @​ryanbas21! - The .npmrc generation now intelligently handles both traditional NPM token authentication and trusted publishing scenarios by only appending the auth token when NPM_TOKEN is defined. This prevents 'undefined' from being written to the registry configuration when using OIDC tokens from GitHub Actions trusted publishing.

  • #​563 6af4a7e Thanks @​Andarist! - Don't error on already committed symlinks and executables that stay untouched

v1.6.0

Compare Source

Minor Changes
dorny/test-reporter (dorny/test-reporter)

v2.5.0

Compare Source

What's Changed
Features
Project maintanance

Full Changelog: dorny/test-reporter@v2.4.0...v2.5.0

v2.4.0

Compare Source

What's Changed
New Contributors

Full Changelog: dorny/test-reporter@v2.3.0...v2.4.0

evanw/esbuild (esbuild)

v0.27.3

Compare Source

  • Preserve URL fragments in data URLs (#​4370)

    Consider the following HTML, CSS, and SVG:

    • index.html:

      <!DOCTYPE html>
<html>
  <head><link rel="stylesheet" href="icons.css"></head>
  <body><div class="triangle"></div></body>
</html>

    • icons.css:

      .triangle {
  width: 10px;
  height: 10px;
  background: currentColor;
  clip-path: url(./triangle.svg#x);
}

    • triangle.svg:

      <svg xmlns="http://www.w3.org/2000/svg">
  <defs>
    <clipPath id="x">
      <path d="M0 0H10V10Z"/>
    </clipPath>
  </defs>
</svg>

    The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

    /* icons.css */
.triangle {
  width: 10px;
  height: 10px;
  background: currentColor;
  clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
}

  • Parse and print CSS @scope rules (#​4322)

    This release includes dedicated support for parsing @scope rules in CSS. These rules include optional "start" and "end" selector lists. One important consequence of this is that the local/global status of names in selector lists is now respected, which improves the correctness of esbuild's support for CSS modules. Minification of selectors inside @scope rules has also improved slightly.

    Here's an example:

    /* Original code */
@&#8203;scope (:global(.foo)) to (:local(.bar)) {
  .bar {
    color: red;
  }
}

/* Old output (with --loader=local-css --minify) */
@&#8203;scope (:global(.foo)) to (:local(.bar)){.o{color:red}}

/* New output (with --loader=local-css --minify) */
@&#8203;scope(.foo)to (.o){.o{color:red}}

  • Fix a minification bug with lowering of for await (#​4378, #​4385)

    This release fixes a bug where the minifier would incorrectly strip the variable in the automatically-generated catch clause of lowered for await loops. The code that generated the loop previously failed to mark the internal variable references as used.

  • Update the Go compiler from v1.25.5 to v1.25.7 (#​4383, #​4388)

    This PR was contributed by @​MikeWillCook.

v0.27.2

Compare Source

  • Allow import path specifiers starting with #/ (#​4361)

    Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

    This change was contributed by @​hybrist.

  • Automatically add the -webkit-mask prefix (#​4357, #​4358)

    This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

    /* Original code */
main {
  mask: url(x.png) center/5rem no-repeat
}

/* Old output (with --target=chrome110) */
main {
  mask: url(x.png) center/5rem no-repeat;
}

/* New output (with --target=chrome110) */
main {
  -webkit-mask: url(x.png) center/5rem no-repeat;
  mask: url(x.png) center/5rem no-repeat;
}

    This change was contributed by @​BPJEnnova.

  • Additional minification of switch statements (#​4176, #​4359)

    This release contains additional minification patterns for reducing switch statements. Here is an example:

    // Original code
switch (x) {
  case 0:
    foo()
    break
  case 1:
  default:
    bar()
}

// Old output (with --minify)
switch(x){case 0:foo();break;case 1:default:bar()}

// New output (with --minify)
x===0?foo():bar();

  • Forbid using declarations inside switch clauses (#​4323)

    This is a rare change to remove something that was previously possible. The Explicit Resource Management proposal introduced using declarations. These were previously allowed inside case and default clauses in switch statements. This had well-defined semantics and was already widely implemented (by V8, SpiderMonkey, TypeScript, esbuild, and others). However, it was considered to be too confusing because of how scope works in switch statements, so it has been removed from the specification. This edge case will now be a syntax error. See tc39/proposal-explicit-resource-management#215 and rbuckton/ecma262#14 for details.

    Here is an example of code that is no longer allowed:

    switch (mode) {
  case 'read':
    using readLock = db.read()
    return readAll(readLock)

  case 'write':
    using writeLock = db.write()
    return writeAll(writeLock)
}

    That code will now have to be modified to look like this instead (note the additional { and } block statements around each case body):

    switch (mode) {
  case 'read': {
    using readLock = db.read()
    return readAll(readLock)
  }
  case 'write': {
    using writeLock = db.write()
    return writeAll(writeLock)
  }
}

    This is not being released in one of esbuild's breaking change releases since this feature hasn't been finalized yet, and esbuild always tracks the current state of the specification (so esbuild's previous behavior was arguably incorrect).

v0.27.1

Compare Source

  • Fix bundler bug with var nested inside if (#​4348)

    This release fixes a bug with the bundler that happens when importing an ES module using require (which causes it to be wrapped) and there's a top-level var inside an if statement without being wrapped in a { ... } block (and a few other conditions). The bundling transform needed to hoist these var declarations outside of the lazy ES module wrapper for correctness. See the issue for details.

  • Fix minifier bug with for inside try inside label (#​4351)

    This fixes an old regression from version v0.21.4. Some code was introduced to move the label inside the try statement to address a problem with transforming labeled for await loops to avoid the await (the transformation involves converting the for await loop into a for loop and wrapping it in a try statement). However, it introduces problems for cross-compiled JVM code that uses all three of these features heavily. This release restricts this transform to only apply to for loops that esbuild itself generates internally as part of the for await transform. Here is an example of some affected code:

    // Original code
d: {
  e: {
    try {
      while (1) { break d }
    } catch { break e; }
  }
}

// Old output (with --minify)
a:try{e:for(;;)break a}catch{break e}

// New output (with --minify)
a:e:try{for(;;)break a}catch{break e}

  • Inline IIFEs containing a single expression (#​4354)

    Previously inlining of IIFEs (immediately-invoked function expressions) only worked if the body contained a single return statement. Now it should also work if the body contains a single expression statement instead:

    // Original code
const foo = () => {
  const cb = () => {
    console.log(x())
  }
  return cb()
}

// Old output (with --minify)
const foo=()=>(()=>{console.log(x())})();

// New output (with --minify)
const foo=()=>{console.log(x())};

  • The minifier now strips empty finally clauses (#​4353)

    This improvement means that finally clauses containing dead code can potentially cause the associated try statement to be removed from the output entirely in minified builds:

    // Original code
function foo(callback) {
  if (DEBUG) stack.push(callback.name);
  try {
    callback();
  } finally {
    if (DEBUG) stack.pop();
  }
}

// Old output (with --minify --define:DEBUG=false)
function foo(a){try{a()}finally{}}

// New output (with --minify --define:DEBUG=false)
function foo(a){a()}

  • Allow tree-shaking of the Symbol constructor

    With this release, calling Symbol is now considered to be side-effect free when the argument is known to be a primitive value. This means esbuild can now tree-shake module-level symbol variables:

    // Original code
const a = Symbol('foo')
const b = Symbol(bar)

// Old output (with --tree-shaking=true)
const a = Symbol("foo");
const b = Symbol(bar);

// New output (with --tree-shaking=true)
const b = Symbol(bar);

v0.27.0

Compare Source

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.26.0 or ~0.26.0. See npm's documentation about semver for more information.

  • Use Uint8Array.fromBase64 if available (#​4286)

    With this release, esbuild's binary loader will now use the new Uint8Array.fromBase64 function unless it's unavailable in the configured target environment. If it's unavailable, esbuild's previous code for this will be used as a fallback. Note that this means you may now need to specify target when using this feature with Node (for example --target=node22) unless you're using Node v25+.

  • Update the Go compiler from v1.23.12 to v1.25.4 (#​4208, #​4311)

    This raises the operating system requirements for running esbuild:

    • Linux: now requires a kernel version of 3.2 or later
    • macOS: now requires macOS 12 (Monterey) or later

v0.26.0

Compare Source

  • Enable trusted publishing (#​4281)

    GitHub and npm are recommending that maintainers for packages such as esbuild switch to trusted publishing. With this release, a VM on GitHub will now build and publish all of esbuild's packages to npm instead of me. In theory.

    Unfortunately there isn't really a way to test that this works other than to do it live. So this release is that live test. Hopefully this release is uneventful and is exactly the same as the previous one (well, except for the green provenance attestation checkmark on npm that happens with trusted publishing).

isaacs/node-glob (glob)

v13.0.6

Compare Source

v13.0.5

Compare Source

v13.0.4

Compare Source

v13.0.3

Compare Source

v13.0.2

Compare Source

v13.0.1

Compare Source

i18next/i18next (i18next)

v25.8.13

Compare Source

  • improve support notice shown logic

v25.8.12

Compare Source

  • improve support notice shown logic

v25.8.11

Compare Source

  • revert fix: compatibility with moduleResolution bundler (issue 2380) 2381

v25.8.10

Compare Source

  • fix(interpolator): guard null matchedDoubleQuotes in nesting option parsing 2395

v25.8.9

Compare Source

  • fix(interpolator): escape nestingOptionsSeparator in nesting option parsing 2394

v25.8.8

Compare Source

  • types(i18n): add missing toJSON() declaration 2393

v25.8.7

Compare Source

  • avoid crash due to ReferenceError without Intl API 2391

v25.8.6

Compare Source

  • ts: address incomplete type definition for getFixedT() return value 2318

v25.8.5

Compare Source

  • fix: compatibility with moduleResolution bundler (issue 2380) 2381

v25.8.4

Compare Source

  • fix: crashes when backend in backends array has no name property 2386

v25.8.3

Compare Source

  • ts: document option to suppress the support message 2385

v25.8.2

Compare Source

  • option to suppress the support message 2385

v25.8.1

Compare Source

  • improve support notice shown logic

v25.8.0

Compare Source

  • fix: TFunctionReturn fallback 2360
isaacs/minimatch (minimatch)

v10.2.2

Compare Source

v10.2.1

Compare Source

v10.2.0

Compare Source

v10.1.3

Compare Source

v10.1.2

Compare Source

nodejs/node (node)

v22.22.0: 2026-01-13, Version 22.22.0 'Jod' (LTS), @​marco-ippolito

Compare Source

This is a security release.

Notable Changes

lib:

  • (CVE-2025-59465) add TLSSocket default error handler
  • (CVE-2025-55132) disable futimes when permission model is enabled
    lib,permission:
  • (CVE-2025-55130) require full read and write to symlink APIs
    src:
  • (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks
    src,lib:
  • (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle
    tls:
  • (CVE-2026-21637) route callback exceptions through error handlers
Commits

v22.21.1: 2025-10-28, Version 22.21.1 'Jod' (LTS), @​aduh95

Compare Source

Commits

Configuration

📅 Schedule: Branch creation - "before 6am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@clavery clavery requested a review from wei-liu-sf as a code owner February 23, 2026 01:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wei-liu-sf wei-liu-sf Awaiting requested review from wei-liu-sf wei-liu-sf is a code owner

@yhsieh1 yhsieh1 Awaiting requested review from yhsieh1 yhsieh1 is a code owner

@patricksullivansf patricksullivansf Awaiting requested review from patricksullivansf patricksullivansf is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@clavery