chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@arethetypeswrong/core (source)	^0.18.3 → ^0.18.4			pnpm.catalog.default	patch
@tanstack/query-core (source)	^5.101.0 → ^5.101.2			pnpm.catalog.default	patch
@vitejs/plugin-react (source)	^6.0.2 → ^6.0.3			pnpm.catalog.default	patch
eslint (source)	^10.5.0 → ^10.6.0			pnpm.catalog.default	minor
eslint-plugin-import-x	^4.16.2 → ^4.17.1			pnpm.catalog.default	minor
globals	^17.6.0 → ^17.7.0			pnpm.catalog.default	minor
nx (source)	23.0.0 → 23.0.1			pnpm.catalog.default	patch
pnpm (source)	11.8.0 → 11.9.0			packageManager	minor
pnpm (source)	>=11.0.0 → >=11.9.0			engines	minor
prettier (source)	^3.8.4 → ^3.9.1			pnpm.catalog.default	minor
semver	^7.8.4 → ^7.8.5			pnpm.catalog.default	patch
sherif	^1.11.1 → ^1.12.0			pnpm.catalog.default	minor
typescript-eslint (source)	^8.61.1 → ^8.62.0			pnpm.catalog.default	minor
vite (source)	^8.0.16 → ^8.1.0			pnpm.catalog.default	minor
vue (source)	^3.5.38 → ^3.5.39			pnpm.catalog.default	patch
zizmorcore/zizmor-action	v0.5.6 → v0.5.7			action	patch

---

Release Notes

arethetypeswrong/arethetypeswrong.github.io (@​arethetypeswrong/core)

v0.18.4

Patch Changes

• 644fab1: Skip package export subpaths with no real target when discovering entrypoints.

TanStack/query (@​tanstack/query-core)

v5.101.2

Compare Source

v5.101.1

Compare Source

Patch Changes

• #​10610 9eff92e - fix missing dataUpdatedAt for streamed queries that resolve before hydration

vitejs/vite-plugin-react (@​vitejs/plugin-react)

v6.0.3

Compare Source

eslint/eslint (eslint)

v10.6.0

Compare Source

Features

• b1f9106 feat: detect Symbol() and BigInt() in no-constant-binary-expression (#​20981) (Taejin Kim)
• f291007 feat: add checkRelationalComparisons to no-constant-binary-expression (#​20948) (sethamus)

Bug Fixes

• 6b05784 fix: prefer-exponentiation-operator invalid autofix at statement start (#​20997) (Milos Djermanovic)
• bb9eb2a fix: account for shadowed Boolean in no-extra-boolean-cast (#​21013) (den$)
• 8fd8741 fix: don't report shadowed undefined in radix rule (#​21011) (Pixel)
• 5784980 fix: don't report shadowed undefined in no-throw-literal (#​21010) (Pixel)
• 9cd1e6d fix: suppress invalid class suggestion in no-promise-executor-return (#​21008) (Pixel)
• d4eb2dc fix: don't report shadowed undefined in prefer-promise-reject-errors (#​21006) (Pixel)
• 2360464 fix: prefer-promise-reject-errors false positives for shadowed Promise (#​21003) (den$)
• 63d52d2 fix: restore max-classes-per-file report range (#​21002) (Pixel)
• 7feaff0 fix: callback detection logic for IIFEs in max-nested-callbacks (#​20979) (fnx)
• 399a2ec fix: don't report inner non-callbacks in max-nested-callbacks (#​20995) (Milos Djermanovic)

Documentation

• a83683d docs: Update README (GitHub Actions Bot)
• f5449f9 docs: document userland patterns for global assertionOptions in RuleT… (#​20986) (playgirl)
• bea49f7 docs: Update README (GitHub Actions Bot)
• e5f70f9 docs: update code-path diagrams (#​20984) (Tanuj Kanti)
• 8890c2d docs: add TypeScript config guidance for MCP server (#​20796) (Pierluigi Lenoci)
• 3eb3d9b docs: Update README (GitHub Actions Bot)
• c5bb59c docs: Update README (GitHub Actions Bot)
• eb3c97c docs: fix grammar in prefer-const rule description (#​20983) (lumir)

Chores

• 6a42034 ci: run ecosystem tests on main branch (#​20891) (sethamus)
• 3dbacdb ci: bump actions/checkout from 6 to 7 (#​21014) (dependabot[bot])
• c3abfca chore: correct JSDoc param types in html formatter (#​21018) (Minseon Kim)
• a832320 ci: split ecosystem tests into separate jobs (#​21001) (xbinaryx)
• 27166e7 chore: update ecosystem plugins (#​21005) (ESLint Bot)
• 865d76e ci: bump pnpm/action-setup from 6.0.8 to 6.0.9 (#​20989) (dependabot[bot])
• 27a88c9 chore: update dependency markdown-it to v14 in root (#​20994) (Milos Djermanovic)
• 970cea6 chore: update dependency markdown-it to v14 (#​20993) (Milos Djermanovic)
• b482120 chore: update dependency prettier to v3.8.4 (#​20990) (renovate[bot])
• 6993fb3 chore: update ecosystem plugins (#​20985) (ESLint Bot)

un-ts/eslint-plugin-import-x (eslint-plugin-import-x)

v4.17.1

Compare Source

Patch Changes

• #​498 cf25a01 Thanks @​marcalexiei! - fix(extensions): don't require an extension for package subpaths that resolve to a .d.ts (e.g. vitest/config)

v4.17.0

Compare Source

Minor Changes

• #​474 4b2c0c5 Thanks @​regseb! - Support RegExp in the import-x/ignore setting and the ignore option of the no-unresolved rule.

Patch Changes

• #​494 1c84235 Thanks @​morgan-coded! - Fixed no-unresolved crashing when case-sensitive path checks encounter EACCES or EPERM on an ancestor directory.

• #​481 3e13121 Thanks @​B4nan! - fix: memoize legacyNodeResolve resolver to avoid native memory leak

• #​484 9a07009 Thanks @​sairus2k! - Make the extensions rule check Node.js subpath imports (specifiers starting with #, e.g. #utils/helper). Previously parsePath treated a leading # as a URL hash fragment, so the rule skipped extension validation for these imports.

  Note: single-segment subpath imports without a slash (e.g. #dep) are still skipped by the existing external-root-module classification; fixing that is deferred to avoid expanding scope.

• #​468 240ed58 Thanks @​silverwind! - Make extensions handle .d.ts correctly

• #​479 e3cc7e4 Thanks @​mrginglymus! - fix: strip querystrings and hash fragments when checking for file existence

• #​476 fce29b1 Thanks @​nbouvrette! - fix(deps): replace @​package-json/types with an inline minimal type

sindresorhus/globals (globals)

v17.7.0

Compare Source

nrwl/nx (nx)

v23.0.1

Compare Source

23.0.1 (2026-06-23)

🚀 Features

• nx-cloud: add utm tracking to clickable cloud prompt links (#​36028)

🩹 Fixes

• angular: resolve esbuild option paths relative to the workspace root (#​36017, #​35936)
• angular-rspack: surface compilation failures as build errors and release resources on teardown (#​36018)
• bundling: restore preprocessor extensions in postcss normalizeOp… (#​36057, #​35854)
• core: avoid tsconfig path false positives for sibling project roots (#​35796, #​35795, #​35786)
• core: do not write minimumReleaseAgeExclude during nx migrate (#​36045)
• core: do not crash nx migrate on non-semver dependency specifiers (#​36051)
• core: format AI-edited files after agentic migrations (#​36064)
• misc: bump happy-dom, tmp, and form-data to patched versions (#​36013)
• nx-dev: keep mobile sidebar toggle clear of the conference banner (#​36047)
• nx-dev: run next-sitemap directly instead of via pnpm (#​36054)
• ⚠️ release: stop breaking change changelog entry from swallowing trailing PR body (#​36052, #​35910, #​33070)
• vitest: apply mode-based config consistently in the test executor (#​36041, #​35196)

❤️ Thank You

• Alex Croteau @​cw-alexcroteau
• Jack Hsu @​jaysoo
• Jason Jean @​FrozenPandaz
• Leosvel Pérez Espinosa @​leosvelperez
• Marwan Johnstone

pnpm/pnpm (pnpm)

v11.9.0

Compare Source

prettier/prettier (prettier)

v3.9.1

Compare Source

v3.9.0

Compare Source

diff

🔗 Release Notes

v3.8.5

Compare Source

npm/node-semver (semver)

v7.8.5

Compare Source

Bug Fixes

• 9c8692a #​878 include prereleases in tilde range lower bound with includePrerelease (#​878) (@​chatman-media)

QuiiBz/sherif (sherif)

v1.12.0

Compare Source

What's Changed

• chore(ci): setup trusted publishing by @​QuiiBz in #​154
• feat: support devEngines for root-package-manager-field rule by @​MasterLambaster in #​156

New Contributors

• @​MasterLambaster made their first contribution in #​156

Full Changelog: QuiiBz/sherif@v1...v1.12.0

typescript-eslint/typescript-eslint (typescript-eslint)

v8.62.0

Compare Source

🚀 Features

• remove redundant package.json "files" (#​12444)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitejs/vite (vite)

v8.1.0

Compare Source

Features

• extend server.fs.deny list with common files (#​22707) (61ba8fd)
• update rolldown to 1.1.2 (#​22695) (4f008a6)
• use ~ for Rolldown (#​22693) (9928722)

Bug Fixes

• bundled-dev: errors should be kept when incremental build fails (#​22617) (9a0dd48)
• cache falsy values in perEnvironmentState (#​22715) (0e91e79)
• glob: respect caseSensitive option in hmr matcher (#​22711) (65f525e)
• html: omit nonce on import map when cspNonce is unset (#​22713) (8340bb5)
• optimizer: skip null-valued exports in expandGlobIds glob resolution (#​22611) (8b9f5cd)
• resolved build options should be kept as a getter (#​22691) (3527191)
• server: handle malformed URI in memory files middleware (#​22714) (df9e0a5)
• use literal envPrefix queries for Vite Task (#​22706) (da72733)
• warn on deprecated envFile (#​22555) (ed7b283)

Code Refactoring

• client: inline dev-id value in CSS selector (#​22736) (57f59bc)
• remove unused removeRawQuery util (#​22724) (403cc60)
• use rolldownOptions property for chunkImportMap (#​22692) (8e8816c)

vuejs/core (vue)

v3.5.39

Compare Source

Bug Fixes

• compiler-core: correct filter rewrite recursion (#​14959) (be7ce31)
• hydration: force patch dynamic props when hydrating (#​9083) (024cf06), closes #​9033
• hydration: respect data-allow-mismatch on conditional branches (#​12801) (164af63), closes #​12782
• reactivity: avoid triggering effects when set fails (#​14964) (e450973)
• runtime-core: handle non-isomorphic block element update (#​15002) (932ddd0), closes #​6385
• runtime-core: normalize function children for elements and Teleport (#​9108) (2f374cd), closes #​9107
• runtime-core: pause tracking when invoking function refs (#​14985) (3ac052b)
• runtime-core: preserve once event listener name (#​8341) (87b73b6), closes #​8342
• runtime-dom: preserve option modifier event names (#​8338) (4b659e6), closes #​8334
• ssr: dedupe inherited scope ids during vnode rendering (#​15005) (027da6b), closes #​12159 #​12175
• ssr: resolve nested async teleport content (#​9431) (31d0f23), closes #​6207
• teleport: handle teleport unmount edge case (#​12705) (671997a), closes #​12702
• types: support named tuple emits (#​12676) (232f402), closes #​12673
• types: validate defineModel defaults (#​14968) (747f57e), closes #​14966

zizmorcore/zizmor-action (zizmorcore/zizmor-action)

v0.5.7

Compare Source

1.26.1 is now available via the action
1.26.1 is now the default version of zizmor used by the action

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Three non-major dependency updates: the zizmorcore/zizmor-action CI step is re-pinned to v0.5.7, pnpm is updated to 11.9.0 with engines.pnpm raised to >=11.9.0, and the workspace catalog updates multiple development dependencies including @arethetypeswrong/core, @tanstack/query-core, @vitejs/plugin-react, eslint-plugin-import-x, globals, nx, semver, sherif, typescript-eslint, vite, and vue.

Changes

Non-major dependency updates

Layer / File(s)	Summary
CI action and pnpm engine constraints .github/workflows/zizmor.yml, package.json	Re-pins zizmorcore/zizmor-action to v0.5.7 and updates pnpm to 11.9.0, raising engines.pnpm from >=11.0.0 to >=11.9.0.
Workspace catalog version updates pnpm-workspace.yaml	Bumps multiple catalog dependencies including @arethetypeswrong/core, @tanstack/query-core, @vitejs/plugin-react, eslint-plugin-import-x, globals, nx, semver, sherif, typescript-eslint, vite, and vue.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related issues

• Dependency Dashboard workflow#11: Matches the same family of dependency dashboard updates, including zizmorcore/zizmor-action and pnpm.
• Dependency Dashboard persist#3: Covers overlapping package.json and pnpm-workspace.yaml version bumps for pnpm and workspace tooling.
• TanStack/form-v2#3: Includes the same zizmorcore/zizmor-action and catalog dependency bump pattern.
• Dependency Dashboard #117: Tracks the same pnpm, zizmor, and workspace catalog dependency updates.
• TanStack/state#1: Shares the pnpm and tooling version bump pattern from the dependency dashboard.
• Dependency Dashboard template#3: Matches the workspace tooling and pnpm-related catalog updates.

Possibly related PRs

• TanStack/config#367: Overlaps on pnpm-workspace.yaml catalog version constraint updates for shared tooling dependencies.
• TanStack/config#376: Also updates overlapping pnpm-workspace.yaml catalog entries such as nx, typescript-eslint, vite, and vue.
• TanStack/config#390: Also modifies pnpm-workspace.yaml and .github/workflows/zizmor.yml for coordinated dependency bumps.

Poem

🐇 Hop, hop, the versions glide,
Zizmor and pnpm side by side.
Catalog blooms with shiny new seeds,
Little bunny cheers these tidy updates indeed.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is Renovate-generated and lacks the required Changes, Checklist, and Release Impact sections from the repository template.	Rewrite it using the template and add a brief change summary plus checklist and release-impact selections.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title matches the PR's main purpose: a dependency refresh across non-major updates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/all-minor-patch

---

_{Comment @coderabbitai help to get the list of available commands.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	nx@​23.0.1
	@​tanstack/​query-core@​5.101.2
	typescript-eslint@​8.62.0
	@​arethetypeswrong/​core@​0.18.4
	vite@​8.1.0
	globals@​17.7.0
	eslint-plugin-import-x@​4.17.1
	sherif@​1.12.0
	vue@​3.5.39
	@​vitejs/​plugin-react@​6.0.3
	prettier@​3.9.1
	eslint@​10.6.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/tsdown@0.22.3 → npm/vite@8.1.0 → npm/nx@23.0.1 → npm/eslint-plugin-import-x@4.17.1 → npm/@emnapi/runtime@1.11.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/typescript-eslint@8.62.0 → npm/@typescript-eslint/eslint-plugin@8.62.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.62.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm nx is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/nx@23.0.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/nx@23.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report