chore(deps): update all non-major dependencies by renovate[bot] · Pull Request #2270 · nuxt/nuxt.com

renovate · 2026-06-08T03:39:36Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@ai-sdk/anthropic (source)	`^3.0.81` → `^3.0.84`
@ai-sdk/mcp (source)	`^1.0.45` → `^1.0.50`
@ai-sdk/vue (source)	`^3.0.193` → `^3.0.204`
@comark/nuxt (source)	`^0.3.1` → `^0.4.0`
@iconify-json/lucide	`^1.2.111` → `^1.2.112`
@iconify-json/octicon	`^1.2.26` → `^1.2.28`
@iconify-json/simple-icons	`^1.2.84` → `^1.2.86`
@iconify-json/vscode-icons	`^1.2.53` → `^1.2.57`
@nuxt/eslint (source)	`^1.15.2` → `^1.16.0`
@nuxt/hints	`^1.1.2` → `^1.1.3`
@nuxt/scripts (source)	`^1.1.1` → `^1.2.1`
@nuxt/ui (source)	`^4.8.1` → `^4.8.2`
@takumi-rs/core (source)	`^1.6.0` → `^1.8.5`
@types/youtube (source)	`^0.2.0` → `^0.3.0`
@vercel/functions (source)	`^3.6.1` → `^3.7.1`
@vue/compiler-sfc (source)	`^3.5.35` → `^3.5.38`
@vue/test-utils	`^2.4.10` → `^2.4.11`
ai (source)	`^6.0.193` → `^6.0.204`
better-sqlite3	`^12.10.0` → `^12.10.1`
eslint (source)	`^10.4.1` → `^10.5.0`
evlog (source)	`^2.18.1` → `^2.19.1`
happy-dom	`^20.9.0` → `^20.10.3`
motion-v	`^2.2.1` → `^2.3.0`
nuxt-og-image (source)	`^6.5.1` → `^6.6.0`
nuxt-schema-org (source)	`^6.0.4` → `^6.2.1`
pnpm (source)	`11.5.0` → `11.6.0`
shaders	`^2.5.128` → `^2.5.130`
shiki (source)	`^4.1.0` → `^4.2.0`
vitest (source)	`^4.1.7` → `^4.1.8`
vue (source)	`^3.5.35` → `^3.5.38`
vue-tsc (source)	`^3.3.3` → `^3.3.5`

Release Notes

vercel/ai (@ai-sdk/anthropic)

`v3.0.84`

Patch Changes

Updated dependencies [bfa5864]
Updated dependencies [f42aa79]
- @ai-sdk/provider-utils@4.0.29

`v3.0.82`

Compare Source

Patch Changes

2a91a17: feat(provider/anthropic): add support for claude-fable-5 and the fallbacks API parameter

vercel/ai (@ai-sdk/mcp)

`v1.0.49`

Patch Changes

3e8d9ba: fix(mcp): lock first sse endpoint received via event
4fa7354: fix(mcp): prevent prototype-named tools from bypassing the schemas allowlist

When using client.tools({ schemas }) to expose only an explicitly allowed
subset of an MCP server's tools, the allowlist check used the in operator,
which also matches inherited Object.prototype properties. A server-advertised
tool named constructor, toString, __proto__, etc. would pass the check
even though the developer never defined it in schemas, and was then exposed to
the model and executable. The check now uses Object.hasOwn, so only
explicitly defined tools are returned.
Updated dependencies [bfa5864]
Updated dependencies [f42aa79]
- @ai-sdk/provider-utils@4.0.29

`v1.0.47`

Compare Source

Patch Changes

bf1d6bd: fix(mcp): prevent mcp oauth credential exfiltration during rediscovery

`v1.0.46`

Compare Source

Patch Changes

1f817db: fix(mcp): await addClientAuthentication in token exchange and refresh

vercel/ai (@ai-sdk/vue)

`v3.0.203`

Patch Changes

Updated dependencies [bfa5864]
Updated dependencies [f42aa79]
Updated dependencies [5291f7e]
Updated dependencies [b4b575a]
- @ai-sdk/provider-utils@4.0.29
- ai@6.0.203

`v3.0.201`

Compare Source

Patch Changes

Updated dependencies [0c8c0ed]
- ai@6.0.201

`v3.0.200`

Compare Source

Patch Changes

Updated dependencies [14098e7]
Updated dependencies [2cabe9c]
- ai@6.0.200

`v3.0.199`

Compare Source

Patch Changes

Updated dependencies [49d9364]
- ai@6.0.199

`v3.0.198`

Compare Source

Patch Changes

ai@6.0.198

`v3.0.197`

Compare Source

Patch Changes

ai@6.0.197

`v3.0.196`

Compare Source

Patch Changes

ai@6.0.196

`v3.0.195`

Compare Source

Patch Changes

ai@6.0.195

`v3.0.194`

Compare Source

Patch Changes

ai@6.0.194

comarkdown/comark (@comark/nuxt)

`v0.4.0`: @comark/svelte v0.4.0

Compare Source

Bug Fixes

support Svelte named snippets (#206) (660747e)
svelte: add missing components-manifest prop (#183) (c78885c)
svelte: avoid runtime snippet casts for slots (#209) (8ec994d)

nuxt/eslint (@nuxt/eslint)

`v1.16.0`

Compare Source

🚀 Features

Update deps - by @antfu (008ad)

View changes on GitHub

nuxt/hints (@nuxt/hints)

`v1.1.3`

Compare Source

🩹 Fixes

Ignore style serialization-only hydration diffs (#352)

❤️ Contributors

Matthias Amon (@Mat4m0)

nuxt/scripts (@nuxt/scripts)

`v1.2.1`

Compare Source

🐞 Bug Fixes

Provide SpeedCurve snippet fallback - by @sjh9714 in #811 (c1322)

View changes on GitHub

`v1.2.0`

Compare Source

🚀 Features

SpeedCurve LUX - by @zizzfizzix and @harlan-zw in #782 (82696)
globals: Runtime disable + scripts:globals hook - by @harlan-zw in #808 (62b04)

🐞 Bug Fixes

deps: Add support for unhead v3 - by @danielroe and @harlan-zw in #795 (fefd9)
google-maps: Deprecate heatmap component - by @harlan-zw in #809 (c92ac)
google-maps,gravatar: A11y misc fixes - by @harlan-zw in #802 (bb42b)
instagram-embed: Use facebookexternalhit UA & don't cache empty shells - by @harlan-zw in #806 (87b13)
proxy: Strip hop-by-hop request headers (RFC 7230) - by @harlan-zw in #804 (da57b)
speedcurve: Vendor LUX snippet and group schema options - by @harlan-zw in #805 (ac0ad)
stripe: Allow selecting Stripe.js SDK version - by @harlan-zw in #799 (ae8d2)
vimeo: A11y keyboard and video placeholder alt text - by @harlan-zw in #803 (33a11)
youtube-player: A11y keyboard-accessible - by @harlan-zw in #798 (8b4e9)

View changes on GitHub

nuxt/ui (@nuxt/ui)

`v4.8.2`

Compare Source

Bug Fixes

Form: support setting the name attribute (#6539) (f8186e2)
InputMenu/SelectMenu: re-highlight first item when items change (#6538) (0414dd0)
InputNumber/InputDate/InputTime/Calendar: restore locale prop (#6546) (ed2f955)
module: merge custom variants into AppConfig type (#6531) (f0571c3)

kane50613/takumi (@takumi-rs/core)

Patch Changes

bfc6e55: Join rayon's worker threads on N-API teardown to fix a Windows crash (0xC0000005) when Node exits after rendering (#763)
- @takumi-rs/helpers@1.8.3

`v1.8.2`

Compare Source

Patch Changes

@takumi-rs/helpers@1.8.2

`v1.8.1`

Compare Source

Patch Changes

@takumi-rs/helpers@1.8.1

`v1.8.0`

Compare Source

Minor Changes

ae2c9aa: Built with nightly Rust toolchain with panic=immediate-abort to reduce binary size

Patch Changes

@takumi-rs/helpers@1.8.0

`v1.7.0`

Compare Source

Patch Changes

Updated dependencies [b908a4d]
Updated dependencies [4748c22]
Updated dependencies [42d0d03]
Updated dependencies [80e29da]
- @takumi-rs/helpers@1.7.0

vercel/vercel (@vercel/functions)

`v3.7.1`

Compare Source

Patch Changes

a7f1f7c: Make ws an optional peer dependency

`v3.7.0`

Compare Source

Minor Changes

3f3ef14: Add experimental_upgradeWebSocket() API

`v3.6.3`

Compare Source

Patch Changes

Updated dependencies [01cf6c2]
- @vercel/oidc@3.6.1

`v3.6.2`

Compare Source

Patch Changes

Updated dependencies [fddeb55]
- @vercel/oidc@3.6.0

vuejs/core (@vue/compiler-sfc)

`v3.5.38`

Compare Source

`v3.5.37`

Compare Source

`v3.5.36`

Compare Source

Bug Fixes

compiler-core: avoid crash on CDATA at the document root (#14916) (0ea17e2)
compiler-core: prefix dynamic keys on v-memo elements (#14922) (68e978e), closes #14920
compiler-sfc: handle vue-ignore on leading intersection/union type (#14950) (0dcd225), closes #12254
compiler-sfc: respect var hoisting in props destructure (48ad452)
reactivity: preserve watch callback return value when wrapped for once: true (#14902) (450a8a8)
runtime-core: add dev warning for silent catch in compat mode and fix test description typo (#14891) (db3e117)
runtime-core: force model update when reverted before sync (#14897) (7f76378), closes #13524
runtime-core: skip async component callbacks after unmount (#14911) (5300ead)
transition: avoid move transition for hidden v-show group children (#14895) (c11f6ee), closes #14894
watch: trigger immediate callback for empty sources (#14914) (1f2ca7e), closes #14898

vuejs/test-utils (@vue/test-utils)

`v2.4.11`

Compare Source

compare changes

🩹 Fixes

Drop legacy Mutation Event listener entries (#2844)
Handle setData() correctly for components using both setup() and data() (#2846)
Export GlobalMountOptions type (#2851)
Set spec-compliant event.code on keydown/keyup (#2850)

❤️ Contributors

Cédric Exbrayat (@cexbrayat)
Renato de Leão (@renatodeleao)
Matt Van Horn (@mvanhorn)
Carsten Brachem (@cbrachem)
Ahmad Hanan (@AhmadHannan037)
Paul Cochrane (@paultcochrane)
Arpit Jain (@arpitjain099)

vercel/ai (ai)

`v6.0.204`

Compare Source

`v6.0.203`

Compare Source

Patch Changes

f42aa79: fix: harden download URL SSRF guard against hostname and redirect bypasses

validateDownloadUrl and the file download helpers (downloadBlob, download) could be bypassed in several ways when handling untrusted URLs:
- A fully-qualified hostname with a trailing dot (e.g. localhost., myhost.local.) skipped the localhost/.local blocklist.
- IPv6 addresses that embed an IPv4 address in their last 32 bits — IPv4-compatible (::127.0.0.1), IPv4-translated (::ffff:0:127.0.0.1), and NAT64 (64:ff9b::127.0.0.1, including the 64:ff9b:1::/48 local-use prefix) — were not decoded and checked against the private IPv4 ranges.
- Redirects were validated only after fetch had already followed them, so the request to a redirect target (e.g. an internal/metadata address) had already been issued before the check ran.
- Several reserved/internal address ranges were not blocked: CGNAT (100.64.0.0/10, used by some cloud providers for internal traffic), benchmarking (198.18.0.0/15), IETF protocol assignments (192.0.0.0/24), the reserved 240.0.0.0/4 block (including the 255.255.255.255 broadcast address), and IPv6 site-local (fec0::/10) and multicast (ff00::/8).
The validator now strips trailing dots before the hostname checks and fully expands IPv6 addresses to detect embedded private IPv4 targets. The download helpers now follow redirects manually (redirect: 'manual'), re-validating each hop before requesting it, so an unsafe redirect target is never fetched. When a redirect cannot be inspected because the runtime returns an opaque response, the helpers fail closed (reject the redirect) on the server; only in a real browser — where SSRF is not reachable (fetch is constrained by CORS and cannot reach a server's internal network or cloud-metadata endpoints) — is the redirect followed natively so legitimate redirected downloads keep working.
5291f7e: Harden stream text processing and middleware against prototype pollution from stream part IDs.
b4b575a: fix: redact server error details from UI message streams by default

streamText(...).toUIMessageStream() and createUIMessageStream defaulted their onError callback to getErrorMessage, which serializes the raw error (error.toString() / JSON.stringify(error)) into the client-facing { type: 'error', errorText } chunk — and also into tool-output-error parts. The documented default was () => 'An error occurred.', so applications relying on the documented behavior were unknowingly streaming server exception details (internal hostnames, paths, provider request data, validation inputs) to end users.

The default onError now returns the documented generic 'An error occurred.'. Raw error details are only emitted when the developer explicitly supplies an onError handler. This also redacts tool-output-error and invalid-tool-input error text by default; pass an onError to surface richer messages.
Updated dependencies [bfa5864]
Updated dependencies [f42aa79]
- @ai-sdk/provider-utils@4.0.29
- @ai-sdk/gateway@3.0.129

`v6.0.202`

Compare Source

Patch Changes

942f2f8: fix(security): re-validate tool approvals from client message history before execution

The approval-replay path in generateText/streamText reconstructed approved tool calls from the client-supplied messages array and executed them without re-validating input against the tool's schema or re-checking that the tool actually requires approval. A client could forge an assistant message with a pre-approved tool-call part and have the server execute a tool with attacker-chosen arguments.

The replay path now verifies the HMAC signature (when experimental_toolApprovalSecret is configured), re-validates tool-call input against the tool's input schema, and re-resolves whether the tool requires approval before execution.
Updated dependencies [942f2f8]
- @ai-sdk/provider-utils@4.0.28
- @ai-sdk/gateway@3.0.128

`v6.0.201`

Compare Source

Patch Changes

0c8c0ed: fix(ai): return schema-transformed elements in array output mode

Previously final array output validation checked each element against the schema but returned the raw model output. Array output now returns the validated values so Zod transforms, coercions, defaults, and pipes are applied consistently with object output.

`v6.0.200`

Compare Source

Patch Changes

14098e7: fix(ai): reject streamText result promises with NoOutputGeneratedError when the model stream ends without producing any output. Previously such streams resolved with an empty step. Incomplete streams with partial output still resolve with the partial result.
2cabe9c: Harden UI message stream processing against prototype pollution from chunk IDs.

`v6.0.199`

Compare Source

Patch Changes

49d9364: fix(ai): add approval guard for denied tool outputs
Updated dependencies [3851e29]
Updated dependencies [2a91a17]
- @ai-sdk/gateway@3.0.127

`v6.0.198`

Compare Source

Patch Changes

Updated dependencies [ff16d3b]
- @ai-sdk/gateway@3.0.126

`v6.0.197`

Compare Source

`v6.0.196`

Compare Source

Patch Changes

Updated dependencies [286b7a2]
- @ai-sdk/gateway@3.0.124

`v6.0.195`

Compare Source

`v6.0.194`

Compare Source

WiseLibs/better-sqlite3 (better-sqlite3)

`v12.10.1`

Compare Source

What's Changed

Bump the github-actions group across 1 directory with 4 updates by @dependabot[bot] in #1451
Fix V8 external API usage for Electron 42 by @tstone-1 in #1475

Full Changelog: WiseLibs/better-sqlite3@v12.10.0...v12.10.1

eslint/eslint (eslint)

`v10.5.0`

Compare Source

HugoRCD/evlog (evlog)

`v2.19.1`

Compare Source

What's Changed

Bug Fixes 🐞

fix(next): dedupe Next captureOutput logs and map dev stacks to source by @HugoRCD in #381
fix(core): show canonical env var names in adapter messages by @HugoRCD in #379
fix(nitro): stop the v3 path importing the optional h3 peer by @jmcgoldrick in #373
fix(next): split instrumentation gate and quiet edge dev warnings by @HugoRCD in #380
fix(nitro): flush v2 error responses by @HugoRCD in #375

Dependency Updates 📦

chore: repo-wide hardening and performance improvements by @HugoRCD in #376

New Contributors

@jmcgoldrick made their first contribution in #373

Full Changelog: https://github.com/HugoRCD/evlog/compare/evlog@2.19.0...evlog@2.19.1

`v2.19.0`

Compare Source

What's Changed

Features 🚀

feat: improve dev terminal error output by @HugoRCD in #370
feat(core): add recursive key-based redaction by @HugoRCD in #371
feat: improve audit mocks, types, and catalog metadata by @HugoRCD in #356

Bug Fixes 🐞

fix(elysia): evlog plugin initialize onRequest (#358) by @abhishekg999 in #359
fix(core): preserve source values during redaction by @HugoRCD in #365
fix(nuxt): bake evlog config into nitro replace for silent mode by @HugoRCD in #369
fix: defer wide-event emit for streaming AI responses by @HugoRCD in #367

Continuous Integration 🔄

ci: remove bundle size PR comment workflow by @HugoRCD in #366

New Contributors

@abhishekg999 made their first contribution in #359

Full Changelog: https://github.com/HugoRCD/evlog/compare/evlog@2.18.1...evlog@2.19.0

capricorn86/happy-dom (happy-dom)

`v20.10.3`

Compare Source

`v20.10.2`

Compare Source

👷‍♂️ Patch fixes

Updates external dependencies - By @capricorn86 in task #2163

`v20.10.1`

Compare Source

`v20.10.0`

Compare Source

motiondivision/motion-vue (motion-v)

`v2.3.0`

Compare Source

🚀 Features

arc: arc() for motion along an arc - by @rick-hup in #256 (db73e)

🐞 Bug Fixes

useAnimate: Respect MotionConfig skipAnimations - by @rick-hup in #255 (27ce4)

View changes on GitHub

nuxt-modules/og-image (nuxt-og-image)

`v6.6.0`

Compare Source

🚀 Features

devtools: Ship devtools as a layer - by @harlan-zw in #630 (d1a9b)

🐞 Bug Fixes

Scope WebP warning to satori renderer only - by @canstand in #631 (5622e)
devtools: Exclude dist + devOnly debug + ^5.2.4 - by @harlan-zw in #632 (25e64)

View changes on GitHub

`v6.5.3`

Compare Source

🐞 Bug Fixes

Escape " when inlining <style> rules into style attr - by @danielroe in #629 (c6cd3)
Use sfc parser to find outer <template> bounds - by @danielroe in #628 (607fd)

View changes on GitHub

`v6.5.2`

Compare Source

🐞 Bug Fixes

Block embedded-IPv4 IPv6 bypasses - by @harlan-zw in #624 (984df)
Resolve #og-image alias when no subpath is given - by @harlan-zw in #615 and #617 (ba5df)
Skip renderer prompt in non-interactive environments - by @harlan-zw in #623 (45222)
Degrade gracefully when cache backend is unreachable - by @harlan-zw in #613 and #619 (a4154)
Skip runtime buffer cache during prerender - by @harlan-zw in #613 and #626 (f5ae4)
content: Declare zod as optional peer dependency - by @harlan-zw in #622 and #625 (75bbb)

View changes on GitHub

harlan-zw/nuxt-schema-org (nuxt-schema-org)

`v6.2.1`

Compare Source

No significant changes

View changes on GitHub

`v6.2.0`

Compare Source

🚀 Features

devtools: Ship devtools as a layer - by @harlan-zw in #123 (5f314)

🐞 Bug Fixes

Inline v2 schema-org copy to survive prod dependency trace - by @harlan-zw in #122 (e9267)
Vendor @unhead/schema-org majors, drop npm-alias dep - by @harlan-zw in #126 (9c376)

View changes on GitHub

`v6.1.3`

[Compare Source](https://r

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

Branch creation
- "on Monday"
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

vercel · 2026-06-08T03:39:42Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nuxt	Ready	Preview, Comment	Jun 15, 2026 8:41am

socket-security · 2026-06-08T03:40:18Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Quality	Maintenance
happy-dom@20.9.0 ⏵ 20.10.3		⁺¹
@vercel/functions@3.6.1 ⏵ 3.7.1		⁺¹	⁺¹
@nuxt/scripts@1.1.1 ⏵ 1.2.1		⁺¹
@iconify-json/simple-icons@1.2.84 ⏵ 1.2.86
shiki@4.1.0 ⏵ 4.2.0
evlog@2.18.1 ⏵ 2.19.1	⁺¹		⁺³
@nuxt/eslint@1.15.2 ⏵ 1.16.0			⁺⁵
@iconify-json/octicon@1.2.26 ⏵ 1.2.28	⁺¹	⁺¹	⁺¹
@takumi-rs/core@1.6.0 ⏵ 1.8.5	⁺¹	⁺¹	⁺²
vitest@4.1.7 ⏵ 4.1.8
@ai-sdk/anthropic@3.0.81 ⏵ 3.0.84	⁺¹	⁺¹	⁺¹
@iconify-json/lucide@1.2.111 ⏵ 1.2.112	⁺¹	⁺¹	⁺²
shaders@2.5.128 ⏵ 2.5.130	⁺¹	⁺¹
@iconify-json/vscode-icons@1.2.53 ⏵ 1.2.57	⁺¹	⁺¹	⁺¹
better-sqlite3@12.10.0 ⏵ 12.10.1
@vue/test-utils@2.4.10 ⏵ 2.4.11	⁺¹		^-1
vue-tsc@3.3.3 ⏵ 3.3.5			⁺¹
motion-v@2.2.1 ⏵ 2.3.0	⁺¹
nuxt-schema-org@6.0.4 ⏵ 6.2.1	⁺¹	⁺¹	⁺¹⁰
@nuxt/hints@1.1.2 ⏵ 1.1.3	⁺¹
@vue/compiler-sfc@3.5.35 ⏵ 3.5.38	⁺¹	⁺¹	⁺¹
nuxt-og-image@6.5.1 ⏵ 6.6.0	⁺¹		⁺²
eslint@10.4.1 ⏵ 10.5.0
@nuxt/ui@4.8.1 ⏵ 4.8.2	⁺¹		⁺¹

View full report

socket-security · 2026-06-10T20:40:44Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Obfuscated code: npm `@typescript-eslint/eslint-plugin` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → `npm/@nuxt/eslint@1.16.0` → `npm/@typescript-eslint/eslint-plugin@8.61.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.61.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `better-sqlite3` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → `npm/better-sqlite3@12.10.1` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/better-sqlite3@12.10.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `eslint-plugin-jsdoc` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → `npm/@nuxt/eslint@1.16.0` → `npm/eslint-plugin-jsdoc@63.0.2` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/eslint-plugin-jsdoc@63.0.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `happy-dom` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → `npm/happy-dom@20.10.3` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/happy-dom@20.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

renovate · 2026-06-15T08:12:16Z

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

renovate Bot requested a review from atinux as a code owner June 8, 2026 03:39

vercel Bot deployed to Preview June 8, 2026 04:14 View deployment

renovate Bot force-pushed the renovate/all-minor-patch branch from 4d6a0f5 to e1386fd Compare June 9, 2026 07:54

vercel Bot deployed to Preview June 9, 2026 08:23 View deployment

renovate Bot force-pushed the renovate/all-minor-patch branch from e1386fd to 41c64a9 Compare June 9, 2026 14:58

vercel Bot deployed to Preview June 9, 2026 15:23 View deployment

renovate Bot force-pushed the renovate/all-minor-patch branch from 41c64a9 to f2c50da Compare June 9, 2026 21:48

vercel Bot deployed to Preview June 9, 2026 22:13 View deployment

renovate Bot force-pushed the renovate/all-minor-patch branch from f2c50da to 967b104 Compare June 10, 2026 08:20

vercel Bot deployed to Preview June 10, 2026 08:44 View deployment

renovate Bot force-pushed the renovate/all-minor-patch branch from 967b104 to 0040817 Compare June 10, 2026 20:39

vercel Bot deployed to Preview June 10, 2026 21:08 View deployment

renovate Bot force-pushed the renovate/all-minor-patch branch from 0040817 to 8a4c09d Compare June 11, 2026 03:48

vercel Bot deployed to Preview June 11, 2026 04:11 View deployment

renovate Bot force-pushed the renovate/all-minor-patch branch from 8a4c09d to 6ef1f01 Compare June 11, 2026 08:10

vercel Bot had a problem deploying to Preview June 11, 2026 08:29 Failure

renovate Bot force-pushed the renovate/all-minor-patch branch from 6ef1f01 to 5dde234 Compare June 11, 2026 22:14

vercel Bot deployed to Preview June 11, 2026 22:37 View deployment

renovate Bot force-pushed the renovate/all-minor-patch branch from 5dde234 to 96a205f Compare June 12, 2026 03:52

vercel Bot deployed to Preview June 12, 2026 04:16 View deployment

renovate Bot force-pushed the renovate/all-minor-patch branch from 96a205f to 3dcfa2a Compare June 12, 2026 07:40

vercel Bot deployed to Preview June 12, 2026 08:05 View deployment

renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 86ef0a6 to 18c268a Compare June 12, 2026 20:54

vercel Bot had a problem deploying to Preview June 12, 2026 21:15 Failure

renovate Bot force-pushed the renovate/all-minor-patch branch from 18c268a to 7f08945 Compare June 13, 2026 02:57

vercel Bot deployed to Preview June 13, 2026 03:19 View deployment

renovate Bot force-pushed the renovate/all-minor-patch branch from 7f08945 to dfe60ec Compare June 13, 2026 06:39

vercel Bot had a problem deploying to Preview June 13, 2026 06:58 Failure

renovate Bot force-pushed the renovate/all-minor-patch branch from dfe60ec to 3bfb98d Compare June 13, 2026 11:36

vercel Bot deployed to Preview June 13, 2026 11:59 View deployment

renovate Bot force-pushed the renovate/all-minor-patch branch from 3bfb98d to 56500bb Compare June 13, 2026 19:47

vercel Bot deployed to Preview June 13, 2026 20:10 View deployment

renovate Bot force-pushed the renovate/all-minor-patch branch from 56500bb to 2c57c45 Compare June 13, 2026 23:40

vercel Bot deployed to Preview June 14, 2026 00:05 View deployment

renovate Bot force-pushed the renovate/all-minor-patch branch from 2c57c45 to 76696ea Compare June 14, 2026 03:29

vercel Bot deployed to Preview June 14, 2026 03:53 View deployment

renovate Bot force-pushed the renovate/all-minor-patch branch from 76696ea to a731d38 Compare June 14, 2026 06:43

vercel Bot deployed to Preview June 14, 2026 07:08 View deployment

renovate Bot force-pushed the renovate/all-minor-patch branch from a731d38 to aaa32fe Compare June 14, 2026 10:46

vercel Bot deployed to Preview June 14, 2026 11:08 View deployment

chore(deps): update all non-major dependencies

05024bf

renovate Bot force-pushed the renovate/all-minor-patch branch from aaa32fe to 05024bf Compare June 14, 2026 22:42

vercel Bot deployed to Preview June 14, 2026 23:04 View deployment

fix(sponsors): lint

61d98f6

vercel Bot deployed to Preview June 15, 2026 08:14 View deployment

benjamincanac merged commit fa50e85 into main Jun 15, 2026
17 of 18 checks passed

benjamincanac deleted the renovate/all-minor-patch branch June 15, 2026 09:12

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update all non-major dependencies#2270

chore(deps): update all non-major dependencies#2270
benjamincanac merged 2 commits into
mainfrom
renovate/all-minor-patch

renovate Bot commented Jun 8, 2026 •

edited

Loading

Uh oh!

vercel Bot commented Jun 8, 2026 •

edited

Loading

Uh oh!

socket-security Bot commented Jun 8, 2026 •

edited

Loading

Uh oh!

socket-security Bot commented Jun 10, 2026 •

edited

Loading

Uh oh!

renovate Bot commented Jun 15, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

renovate Bot commented Jun 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

v0.4.0: @​comark/svelte v0.4.0

Bug Fixes

🚀 Features

🩹 Fixes

❤️ Contributors

🐞 Bug Fixes

🚀 Features

🐞 Bug Fixes

Bug Fixes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Minor Changes

Patch Changes

Patch Changes

Patch Changes

Minor Changes

Patch Changes

Patch Changes

Bug Fixes

🩹 Fixes

❤️ Contributors

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

What's Changed

What's Changed

Bug Fixes 🐞

Dependency Updates 📦

New Contributors

What's Changed

Features 🚀

Bug Fixes 🐞

Continuous Integration 🔄

New Contributors

👷‍♂️ Patch fixes

🚀 Features

🐞 Bug Fixes

🚀 Features

🐞 Bug Fixes

🐞 Bug Fixes

🐞 Bug Fixes

🚀 Features

🐞 Bug Fixes

Configuration

Uh oh!

vercel Bot commented Jun 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security Bot commented Jun 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

renovate Bot commented Jun 8, 2026 •

edited

Loading

`v0.4.0`: @comark/svelte v0.4.0

vercel Bot commented Jun 8, 2026 •

edited

Loading

socket-security Bot commented Jun 8, 2026 •

edited

Loading