Skip to content

chore(deps): update npm packages (major)#1782

Open
renovate[bot] wants to merge 2 commits into
mainfrom
renovate/major-npm-packages
Open

chore(deps): update npm packages (major)#1782
renovate[bot] wants to merge 2 commits into
mainfrom
renovate/major-npm-packages

Conversation

@renovate

@renovate renovate Bot commented Jun 7, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@babel/core (source) ^7.24.7^8.0.0 age adoption passing confidence
@babel/generator (source) ^7.28.5^8.0.0 age adoption passing confidence
@babel/parser (source) ^7.28.5^8.0.0 age adoption passing confidence
@babel/preset-env (source) ^7.24.7^8.0.0 age adoption passing confidence
@babel/preset-typescript (source) ^7.24.7^8.0.0 age adoption passing confidence
@babel/types (source) ^7.28.5^8.0.0 age adoption passing confidence
@vitejs/plugin-react (source) ^5.1.2^6.0.0 age adoption passing confidence
es-module-lexer ^1.7.0^2.0.0 age adoption passing confidence
fast-string-width ^1.1.0^3.0.0 age adoption passing confidence
is-unicode-supported ^1.3.0^2.0.0 age adoption passing confidence
lint-staged ^16.2.6^17.0.0 age adoption passing confidence
next (source) ^15.4.3^16.0.0 age adoption passing confidence
typescript (source) ^5^6.0.0 age adoption passing confidence
validate-npm-package-name ^7.0.2^8.0.0 age adoption passing confidence
zod (source) ^3.25.76^4.0.0 age adoption passing confidence

Release Notes

babel/babel (@​babel/core)

v8.0.1

Compare Source

💥 Breaking Change
  • babel-core, babel-plugin-transform-object-rest-spread, babel-plugin-transform-runtime, babel-preset-env, babel-standalone

v8.0.0

Compare Source

👓 Spec Compliance
💥 Breaking Change
  • babel-cli, babel-node, babel-plugin-proposal-decorators, babel-plugin-transform-classes, babel-plugin-transform-function-name, babel-plugin-transform-modules-commonjs, babel-plugin-transform-object-rest-spread, babel-plugin-transform-parameters, babel-plugin-transform-react-constant-elements, babel-plugin-transform-regenerator, babel-preset-env, babel-register
  • babel-plugin-transform-runtime, babel-runtime-corejs3, babel-runtime
  • babel-parser
🐛 Bug Fix
  • babel-generator
  • babel-plugin-transform-modules-systemjs
📝 Documentation
🏠 Internal
🏃‍♀️ Performance
babel/babel (@​babel/parser)

v8.0.0

Compare Source

v8.0.0 (2026-06-16)

NOTE: The changelog below is relative to v8.0.0-rc.6. You can find a summary of all the breaking changes shipped in the Babel 8 release line in the migration guide for users and migration guide for plugin developers.

Read the release blog post at http://babeljs.io/blog/2026/06/16/8.0.0!

👓 Spec Compliance
💥 Breaking Change
  • babel-cli, babel-node, babel-plugin-proposal-decorators, babel-plugin-transform-classes, babel-plugin-transform-function-name, babel-plugin-transform-modules-commonjs, babel-plugin-transform-object-rest-spread, babel-plugin-transform-parameters, babel-plugin-transform-react-constant-elements, babel-plugin-transform-regenerator, babel-preset-env, babel-register
  • babel-plugin-transform-runtime, babel-runtime-corejs3, babel-runtime
  • babel-parser
🐛 Bug Fix
  • babel-generator
  • babel-plugin-transform-modules-systemjs
📝 Documentation
🏠 Internal
🏃‍♀️ Performance
Committers: 6
vitejs/vite-plugin-react (@​vitejs/plugin-react)

v6.0.2

Compare Source

Allow all options in reactCompilerPreset (#​1189)

This is a type only change. Only compilationMode and target options were available for reactCompilerPreset.

v6.0.1

Compare Source

Expand @rolldown/plugin-babel peer dep range (#​1146)

Expanded @rolldown/plugin-babel peer dep range to include ^0.2.0.

v6.0.0

Compare Source

guybedford/es-module-lexer (es-module-lexer)

v2.1.0

Compare Source

What's Changed
New Contributors

Full Changelog: guybedford/es-module-lexer@2.0.0...2.1.0

v2.0.0

Compare Source

What's Changed

Full Changelog: guybedford/es-module-lexer@1.7.0...2.0.0

fabiospampinato/fast-string-width (fast-string-width)

v3.0.2

Compare Source

v3.0.1

Compare Source

v3.0.0

Compare Source

v2.0.0

Compare Source

sindresorhus/is-unicode-supported (is-unicode-supported)

v2.1.0

Compare Source

v2.0.0

Compare Source

Breaking
Fixes
  • Don’t assume CI on Windows supports Unicode 0c24cc6
lint-staged/lint-staged (lint-staged)

v17.0.7

Compare Source

Patch Changes

v17.0.6

Compare Source

Patch Changes

  • #​1803 bdf2770 - Run all tests with Deno, in addition to Node.js and Bun.

  • #​1796 7508272 - Fix performance regression of lint-staged v17 by going back to using git add to stage task modifications. This was changed to git update-index --again in v17 for less manual work, but unfortunately the update-index command gets slower in very large Git repos.

  • #​1797 7b2505a - This version of lint-staged uses the new staged publishing for npm packages feature. Releases are already published from GitHub Actions with trusted publishing, but now an additional approval with two-factor authentication is also required.

  • #​1802 321b0a9 - Downgrade dependency tinyexec@1.2.2 to avoid issues in version 1.2.3.

v17.0.5

Compare Source

Patch Changes
  • #​1792 1f67271 - Correctly set the --max-arg-length default value based on the running platform. This controls how very long lists of staged files are split into multiple chunks.

v17.0.4

Compare Source

Patch Changes

  • #​1788 f95c1f8 - Another fix for making sure lint-staged adds task modifications correctly to the commit in the following cases:

    • after editing <file> it is staged with git add <file>, and then committed with git commit
    • after editing <file> it is committed with git commit --all without explicit git add
    • after editing <file> it is committed with git commit <pathspec> without explicit git add

    There's new test cases which actually setup the Git pre_commit hook to run lint-staged and verify them. These issues started in v17.0.0 when trying to improve support for committig without having explicitly staged files.

v17.0.3

Compare Source

Patch Changes
  • #​1782 06813f9 Thanks @​iiroj! - Fix lint-staged behavior when implicitly committing files without using git add by either:
    • git commit -am "my commit message" where -a (--all) means to automatically stage all tracked modified and deleted files
    • git commit -m "my commit message" . where . is an example of a pathspec where matching files will be staged

v17.0.2

Compare Source

Patch Changes

v17.0.1

Compare Source

Patch Changes
  • #​1776 4a5664b Thanks @​iiroj! - Adjust GitHub Actions workflow so that automatic publishing works with signed commits.

v17.0.0

Compare Source

Major Changes

  • #​1745 e244adf Thanks @​iiroj! - Node.js v20 is no longer supported, and the oldest supported version is now 22.22.1, which is an active LTS version at the time of this release. Node.js 20 will be EOL after April 2026. Please upgrade your Node.js version!

  • #​1676 0584e0b Thanks @​outslept! - Lint-staged now tries to verify the installed Git version is at least 2.32.0, released in 2021. If you're using an even older Git version, you need to upgrade it before running lint-staged!

  • #​1745 2dcc40a Thanks @​iiroj! - The dependency yaml is now marked as optional and probably won't be installed by default. If you're using a YAML configuration file you should install the package separately:

    npm install --development yaml

    If you're using .lintstagedrc as the config file name (without a file extension), it will be treated as a YAML file. If the content is JSON, consider renaming it to .lintstagedrc.json to avoid needing to install yaml.

Minor Changes

  • #​1748 809d5ef Thanks @​iiroj! - Add new option --hide-all for hiding all unstaged changes and untracked files, before running tasks. This makes it easier to run tools like Knip which check for unused code. Untracked files are included in the backup stash and restored automatically after running.

  • #​1759 f13045a Thanks @​iiroj! - Update dependencies, including tinyexec@1.1.1 to fix the following issues:

    • When using a Node.js version manager with multiple versions installed (nvm, n, for example), scripts with the #!/usr/bin/env node shebang (Prettier, ESLint, for example) were previously spawned using the default Node.js version configured by the version manager (the one which node points to) on POSIX systems. Now, they will be spawned with the same version that lint-staged itself was started with.
      • For example, if your default Node.js version is 24.14.1 but lint-staged is run with the latest version 25.9.0, the tasks spawned by lint-staged will now also use version 25.9.0. Previously they were spawned using 24.14.1.
    • When installing Node.js from the Ubuntu App Center (Snap store), the node executable available in PATH is a symlink pointing to Snap itself. The sandboxing features of Snap prevented lint-staged from spawning scripts with the #!/usr/bin/env node shebang, because it meant lint-staged tried to spawn Snap via the symlink. This resulted in an ENOENT error when trying to run prettier, for example. Now, since the real node executable's directory is available in the PATH, lint-staged will instead spawn the script with the real node binary succesfully.

  • #​1761 d3251b1 Thanks @​iiroj! - Lint-staged now runs git update-index --again after running tasks, instead of git add <originally staged files>. This should improve compatibility when using non-default indexes, for example when committing with a pathspec git commit -m "message" . instead of adding files to the index.

  • #​1745 a9585ac Thanks @​iiroj! - Remove commander as a dependency and use the built-in parseArgs from node:util to parse CLI flags.

Patch Changes

  • #​1755 c82d30b Thanks @​iiroj! - All tests now pass on the Bun runtime (latest).

  • #​1750 a401818 Thanks @​iiroj! - Remove manual handling for git stash --keep-index resurrecting deleted files, because the issue was fixed in Git 2.23.0 and lint-staged requires at least Git 2.32.0.

  • #​1771 c4b8936 Thanks @​iiroj! - Fix documentation about multiple config files and the --cwd option. When using it, all tasks will be run in the specified directory. For example, to run everything in the actual process.cwd(), use lint-staged --cwd=".".

vercel/next.js (next)

v16.2.9

Compare Source

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Compare Source

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Backport documentation fixes for v16.2 (#​93804)
  • [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#​93920)
  • [backport] Fix dev mode hydration failure when page is served from HTTP cache (#​93492)
  • [backport] Fix catch-all router.query corruption with basePath + rewrites (#​93917)
  • [backport] Encode non-ASCII characters in cache tags at construction (#​93918)
  • [backport] Fix server action forwarding loop with middleware rewrites (#​93919)
  • [backport] Turbopack: switch from base40 to base38 hash encoding (#​93932)
  • [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#​94164)
  • [backport] Fix "type: module" in project dir when using standalone or adapters (#​94050)
  • [backport] Propagate adapter preferred regions (#​94200)
  • [16.2.x] Don't drop FormData entries (#​94240)
  • [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#​94284)
Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

v16.2.6

Compare Source

[!NOTE]
This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

Moderate:

Low:

Core Changes
  • fix: preserve HTTP access fallbacks during prerender recovery (#​92231)
  • Fix fallback route params case in app-page handler (#​91737)
  • Fix invalid HTML response for route-level RSC requests in deployment adapter (#​91541)
  • Patch setHeader for direct route handlers (#​93101)
  • Include deployment id in cacheHandlers keys (#​93453)
  • Fix double-encoding of URL pathname parts in client param parsing (#​93491)

v16.2.5

Compare Source

[!NOTE]
This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

Moderate:

Low:

Core Changes
  • fix: preserve HTTP access fallbacks during prerender recovery (#​92231)
  • Fix fallback route params case in app-page handler (#​91737)
  • Fix invalid HTML response for route-level RSC requests in deployment adapter (#​91541)
  • Patch setHeader for direct route handlers (#​93101)
  • Include deployment id in cacheHandlers keys (#​93453)
  • Fix double-encoding of URL pathname parts in client param parsing (#​93491)

v16.2.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#​92713)
  • Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (#​92631)
  • Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#​92580)
  • Compiler: Support boolean and number primtives in next.config defines (#​92731)
  • turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (#​92725)
  • Turbopack: shorter error for ChunkGroupInfo::get_index_of (#​92814)
  • Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#​92828)
  • Adding more system info to the 'initialize project' trace (#​92427)
Credits

Huge thanks to @​Badbird5907, @​lukesandberg, @​andrewimm, @​sokra, and @​mischnic for helping!

v16.2.3

Compare Source

[!NOTE]
This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes
  • Ensure app-page reports stale ISR revalidation errors via onRequestError (#​92282)
  • Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#​91981 through #​92273)
  • Deduplicate output assets and detect content conflicts on emit (#​92292)
  • Fix styled-jsx race condition: styles lost due to concurrent rendering (#​92459)
  • turbo-tasks-backend: stability fixes for task cancellation and error handling (#​92254)
Credits

Huge thanks to @​icyJoseph, @​sokra, @​wbinnssmith, @​eps1lon and @​ztanner for helping!

v16.2.2

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • backport: Move expanded adapters docs to API reference (#​92115) (#​92129)
  • Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#​92130)
  • [create-next-app] Skip interactive prompts when CLI flags are provided (#​91840)
  • next.config.js: Accept an option for serverFastRefresh (#​91968)
  • Turbopack: enable server HMR for app route handlers (#​91466)
  • Turbopack: exclude metadata routes from server HMR (#​92034)
  • Fix CI for glibc linux builds
  • Backport: disable bmi2 in qfilter #​92177
  • [backport] Fix CSS HMR on Safari (#​92174)
Credits

Huge thanks to @​nextjs-bot, @​icyJoseph, @​ijjk, @​gaojude, @​wbinnssmith, @​lukesandberg, and @​bgw for helping!

v16.2.1

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • docs: post release amends (#​91715)
  • docs: fix broken Activity Patterns demo link in preserving UI state guide (#​91698)
  • Fix adapter outputs for dynamic metadata routes (#​91680)
  • Turbopack: fix webpack loader runner layer (#​91727)
  • Fix server actions in standalone mode with cacheComponents (#​91711)
  • turbo-persistence: remove Unmergeable mmap advice (#​91713)
  • Fix layout segment optimization: move app-page imports to server-utility transition (#​91701)
  • Turbopack: lazy require metadata and handle TLA (#​91705)
  • [turbopack] Respect {eval:true} in worker_threads constructors (#​91666)
Credits

Huge thanks to @​icyJoseph, @​abhishekmardiya, @​ijjk, @​mischnic, @​unstubbable, @​sokra, and @​lukesandberg for helping!

v16.2.0

Compare Source

[!TIP]
Check out our Next v16.2 Blog Post to learn more about this release.

Core Changes
  • Upgrade React from f93b9fd4-20251217 to 65eec428-20251218: #​87323
  • Turbopack: Create junction points instead of symlinks on Windows: #​87606
  • Turbopack: Symlink handling follow-up: #​87637
  • Add experimental routing package for resolving adapter routes: #​86404
  • Ensure outputs are correct with cache components in deployment adapters: #​87018
  • Move off of deprecated url.parse: #​87257
  • [strict-route-types] Add experimental.strictRouteTypes config: #​87378
  • misc: fix type check log for CI envs: #​87838
  • fix: revalidateTag with profile should not trigger client cache invalidation: #​88069
  • chore: warn when running tests against stale build: #​88001
  • Redesign default error pages with cleaner, more user-friendly UI: #​87988
  • dx: avoid next-env.d.ts change in dev: #​88103
  • prevent browser cache from using stale RSC responses from previous builds: #​86554
  • [strict-route-types] Typecheck App Router page props: #​87386
  • [strict-route-types] Enforce common React Component return types in App Router: #​87389
  • [strict-route-types] Switch to satisfies when validating page and route modules: #​87398
  • [strict-route-types] Don't reject number in config.api.bodyParser.sizeLimit when validating route: #​87633
  • Revert "dx: avoid next-env.d.ts change in dev": #​88153
  • [strict-route-types] Typecheck pages router routes in absence of App Router: #​87628
  • [strict-route-types] Ensure cache profiles and routes are type-checked even if .next is excluded: #​87768
  • add compilation error for taint when not enabled: #​88173
  • feat(next/image)!: add images.maximumResponseBody config: #​88183
  • Add maximum size limit for postponed body parsing: #​88175
  • metadata: use fixed segment in dynamic routes with static metadata files: #​88113
  • feat: add --experimental-cpu-prof flag for dev, build, and start: #​87946
  • Add experimental option to use no-cache instead of no-store in dev: #​88182
  • fix overlay frames cannot be opened sometimes: #​88210
  • Handle pnpm-workspace.yaml while searching for monorepo root: #​74818
  • Add more debug logs to 'use cache' wrapper: #​88219
  • Omit unused arguments from 'use cache' function calls: #​86920
  • Only log pending revalidates... debug log if applicable: #​88221
  • fix(next/image): bump sharp@​0.34.5: #​88238
  • Disallow javascript urls in router methods and redirects: #​88185
  • Fix relative same host redirects in node middleware: #​88253
  • Remove loadConfig from main development process, pass value from child process: #​88230
  • Update deploy adapters outputs and handler interfaces for node and edge: #​88247
  • Move Ready in time before handler initialization: #​88235
  • next/image: support custom cache handlers: #​88248
  • feat: add Claude Code plugin marketplace with Cache Components skill: #​87993
  • refactor: consolidate PPR in

Note

PR body was truncated to here.

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

  • Branch creation
    • "before 10am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Jun 7, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
Scope: all 6 workspace projects
 ENOENT  ENOENT: no such file or directory, open '/tmp/renovate/repos/github/voidzero-dev/vite-plus/vite/patches/sirv@3.0.2.patch'

pnpm: ENOENT: no such file or directory, open '/tmp/renovate/repos/github/voidzero-dev/vite-plus/vite/patches/sirv@3.0.2.patch'
    at async open (node:internal/fs/promises:639:25)
    at async Object.readFile (node:internal/fs/promises:1243:14)
    at async readNormalizedFile (/opt/containerbase/tools/pnpm/10.33.2/22.18.0/node_modules/pnpm/dist/pnpm.cjs:51185:23)
    at async createHexHashFromFile (/opt/containerbase/tools/pnpm/10.33.2/22.18.0/node_modules/pnpm/dist/pnpm.cjs:51182:28)
    at async /opt/containerbase/tools/pnpm/10.33.2/22.18.0/node_modules/pnpm/dist/pnpm.cjs:140925:17
    at async /opt/containerbase/tools/pnpm/10.33.2/22.18.0/node_modules/pnpm/dist/pnpm.cjs:140902:24
    at async Promise.all (index 0)
    at async pMapValue (/opt/containerbase/tools/pnpm/10.33.2/22.18.0/node_modules/pnpm/dist/pnpm.cjs:140901:7)
    at async _install (/opt/containerbase/tools/pnpm/10.33.2/22.18.0/node_modules/pnpm/dist/pnpm.cjs:163490:134)
    at async mutateModules (/opt/containerbase/tools/pnpm/10.33.2/22.18.0/node_modules/pnpm/dist/pnpm.cjs:163438:23)

@netlify

netlify Bot commented Jun 7, 2026
edited
Loading

Copy link
Copy Markdown

Deploy Preview for viteplus-preview canceled.

Name Link
🔨 Latest commit 8919a2d
🔍 Latest deploy log https://app.netlify.com/projects/viteplus-preview/deploys/6a381f0116dd8c000859c541

@renovate renovate Bot force-pushed the renovate/major-npm-packages branch 2 times, most recently from e72e6b4 to 6f274d0 Compare June 14, 2026 17:38
@renovate renovate Bot force-pushed the renovate/major-npm-packages branch from 36698e1 to 09a1f14 Compare June 21, 2026 17:26
@socket-security

socket-security Bot commented Jun 21, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednpm/​@​babel/​preset-typescript@​8.0.11001007397100
Addednpm/​@​babel/​core@​8.0.1991007998100
Addednpm/​@​babel/​preset-env@​8.0.2971008098100
Addednpm/​validate-npm-package-name@​8.0.010010010090100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants