Skip to content

Update npm dependencies#769

Merged
renovate[bot] merged 1 commit into
react-rewritefrom
renovate/npm-dependencies
May 16, 2026
Merged

Update npm dependencies#769
renovate[bot] merged 1 commit into
react-rewritefrom
renovate/npm-dependencies

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 16, 2026

This PR contains the following updates:

Package Change Age Confidence
@tanstack/eslint-plugin-query (source) 5.100.95.100.10 age confidence
@tanstack/eslint-plugin-router (source) 1.161.61.162.0 age confidence
@tanstack/react-query (source) 5.100.95.100.10 age confidence
@tanstack/react-router (source) 1.169.21.170.1 age confidence
@tanstack/router-plugin (source) 1.167.351.168.1 age confidence
@types/node (source) 25.6.225.8.0 age confidence
@vitejs/plugin-react (source) 6.0.16.0.2 age confidence
axios (source) 1.16.01.16.1 age confidence
eslint (source) 10.3.010.4.0 age confidence
eslint-plugin-oxlint 1.63.01.65.0 age confidence
eslint-plugin-react-dom (source) 5.7.55.7.9 age confidence
eslint-plugin-react-jsx (source) 5.7.55.7.9 age confidence
eslint-plugin-react-naming-convention (source) 5.7.55.7.9 age confidence
eslint-plugin-react-x (source) 5.7.55.7.9 age confidence
lucide-react (source) 1.14.01.16.0 age confidence
oxfmt (source) ^0.48.0^0.50.0 age confidence
oxlint (source) 1.63.01.65.0 age confidence
pnpm (source) 11.0.911.1.2 age confidence
tailwind-merge 3.5.03.6.0 age confidence
typescript-eslint (source) 8.59.28.59.3 age confidence
vite (source) 8.0.118.0.13 age confidence

Release Notes

TanStack/query (@​tanstack/eslint-plugin-query)

v5.100.10

TanStack/router (@​tanstack/eslint-plugin-router)

v1.162.0

Compare Source

Minor Changes
  • Clean minor bump, fresh start (#​7395)
TanStack/query (@​tanstack/react-query)

v5.100.10

Patch Changes
TanStack/router (@​tanstack/react-router)

v1.170.1

Compare Source

Patch Changes

v1.170.0

Compare Source

Minor Changes
  • Clean minor bump, fresh start (#​7395)
Patch Changes
TanStack/router (@​tanstack/router-plugin)

v1.168.1

Compare Source

Patch Changes

v1.168.0

Compare Source

Minor Changes
  • Clean minor bump, fresh start (#​7395)
Patch Changes
vitejs/vite-plugin-react (@​vitejs/plugin-react)

v6.0.2

Compare Source

Allow all options in reactCompilerPreset (#​1189)

This is a type only change. Only compilationMode and target options were available for reactCompilerPreset.

axios/axios (axios)

v1.16.1

Compare Source

eslint/eslint (eslint)

v10.4.0

Compare Source

oxc-project/eslint-plugin-oxlint (eslint-plugin-oxlint)

v1.65.0

Compare Source

No significant changes

    View changes on GitHub

v1.64.0

Compare Source

No significant changes

    View changes on GitHub
Rel1cx/eslint-react (eslint-plugin-react-dom)

v5.7.9

Compare Source

🐞 Fixes
  • react-x/no-leaked-conditional-rendering, react-x/set-state-in-effect: Added cycle detection to prevent stack overflow in recursive function analysis (#​1769).
📝 Documentation
  • Added third-party-plugins.mdx documentation page.
  • Added spec diff and compiler test fixtures for react-x/globals rule.
  • Updated ESLint Stylistic link to rules anchor.
  • Updated community projects (added Obsidian Copilot).
  • Added redirects and simplified removed docs page.
🏗️ Internal
  • react-x/error-boundaries: Simplified getEnclosingTryBlock implementation.
  • Added minimumReleaseAge and minimumReleaseAgeExclude entries to pnpm-workspace.yaml.
  • Bumped fumadocs-core and fumadocs-ui to 16.8.11.
  • Marked .repos as linguist-vendored to exclude from GitHub language stats.
  • Pinned pnpm to v11 in CI and adjusted install hooks.
  • Vendored facebook/react as git subtree under .repos.

Full Changelog: Rel1cx/eslint-react@v5.7.8...v5.7.9

v5.7.8

Compare Source

🐞 Fixes
  • react-x/no-missing-key: Fixed the rule not detecting ConditionalExpression/LogicalExpression returned from block-bodied .map/Array.from callbacks. The rule now reports both branches when both lack a key, instead of only the first (#​1767, #​1766).
📝 Documentation
  • Added [NEEDS VERIFICATION] markers to spec diffs for React Compiler aligned rules.
  • Added Issue Labels Design Doc and migration scripts.
  • Added a Hint component to the website and used it on the home page.
🏗️ Internal
  • Bumped @effect/language-service to 0.86.0.
  • Bumped dompurify to 3.4.3.
  • Bumped fumadocs-mdx to 15.0.4 and related dependencies.
  • Bumped pnpm from 11.1.0 to 11.1.1.
  • Enabled caching for Nx targets.
  • Removed experimental.useFlatConfig from Zed settings.
  • Removed two dprint plugins from dprint.json.
  • Updated Sentrux baseline metrics.

v5.7.7

Compare Source

🐞 Fixes
  • Fixed the rule documentation URLs returned by eslint-plugin-react-jsx and eslint-plugin-react-rsc to include the jsx- / rsc- prefixes so editor Open documentation links resolve correctly (#​1757) — by @​kasmacioma.
🏗️ Internal
  • Bumped @types/node from 25.6.2 to 25.7.0.
  • Bumped pnpm from 11.0.9 to 11.1.0.
  • Bumped mermaid from 11.14.0 to 11.15.0 and pinned it via pnpm-workspace.yaml overrides, dropping the transitive chevrotain@12.0.0 chain in favor of @chevrotain/types@11.1.2.
  • Enabled trustPolicy: "no-downgrade" in pnpm-workspace.yaml.

v5.7.6

Compare Source

📝 Documentation
  • Migrated the website to the fumadocs solar theme; removed the WIP Frutiger Aero variant and consolidated theme overrides.
  • Each rule documentation page now lists prior versions in a Versions accordion sourced from per-rule CHANGELOG.md.
  • Added the mikoto project to the community showcase.
  • Updated README badges to use @eslint-react/core.
🏗️ Internal
  • Bumped @typescript-eslint packages from 8.59.2 to 8.59.3.
  • Bumped fumadocs-core and fumadocs-ui from 16.8.7 to 16.8.10.
  • Bumped fumadocs-mdx from 14.3.2 to 15.0.3.
  • Bumped tailwindcss and @tailwindcss/postcss from 4.2.4 to 4.3.0.
  • Bumped tailwind-merge from 3.5.0 to 3.6.0.
  • Bumped vitest from 4.1.5 to 4.1.6.
  • Bumped ansis from 4.2.0 to 4.3.0.
  • Bumped semver from 7.7.4 to 7.8.0.
  • Bumped pnpm from 11.0.8 to 11.0.9.
  • Upgraded dprint biome plugin from 0.12.10 to 0.12.11.
  • Reverted nx from a 23.0.0 canary back to 22.7.1 stable.
  • Renamed the verify:rule-docs script to verify:docs.
  • Removed unused assets/logo.html and assets/react-icon.html (#​1755, #​1756).
  • Updated Sentrux baseline metrics.

Full Changelog: Rel1cx/eslint-react@v5.7.5...v5.7.6

lucide-icons/lucide (lucide-react)

v1.16.0: Version 1.16.0

Compare Source

What's Changed

Full Changelog: lucide-icons/lucide@1.15.0...1.16.0

v1.15.0

Compare Source

oxc-project/oxc (oxfmt)

v0.50.0

Compare Source

🐛 Bug Fixes
  • 43b9978 formatter/sort_imports: Treat subpath imports as internal (#​22440) (leaysgur)

v0.49.0

Compare Source

🚀 Features
oxc-project/oxc (oxlint)

v1.65.0

Compare Source

🚀 Features
  • 5478fb5 linter/jsdoc: Implement require-throws-description rule (#​22386) (Mikhail Baev)
  • c73225e linter/eslint: Implement prefer-arrow-callback rule (#​22312) (박천(Cheon Park))
  • de82b59 linter: Add support for eslint-plugin-jsx-a11y-x (#​22356) (mehm8128)
  • f44b6c8 linter: Fill schemas DummyRuleMap with built-in rules (#​22288) (Sysix)

v1.64.0

Compare Source

🚀 Features
🐛 Bug Fixes
pnpm/pnpm (pnpm)

v11.1.2

Compare Source

Patch Changes

  • convertEnginesRuntimeToDependencies: switch the runtime-dependency write to Object.defineProperty so the CodeQL js/prototype-polluting-assignment rule treats the assignment as safe regardless of the property name (follow-up to #​11609).

  • Address CodeQL static-analysis findings: guard manifest dependency writes against prototype-polluting keys (__proto__, constructor, prototype), and replace a potentially super-linear semver-detection regex in registry 404 hints with an O(n) parser.

  • Strip sec-fetch-* headers from outgoing HTTP requests. These headers are automatically added by undici's fetch() implementation per the Fetch spec but cause Azure DevOps Artifacts to return HTTP 400 for uncached upstream packages, as ADO interprets them as browser requests #​11572.

  • Fix minimumReleaseAge handling for cached abbreviated metadata.

    The version-spec cache fast path no longer rethrows ERR_PNPM_MISSING_TIME under strictPublishedByCheck; it now falls through to the registry-fetch path, consistent with the adjacent mtime-gated cache block.

    When the registry returns 304 Not Modified for a package whose cached metadata is abbreviated (no per-version time), pnpm now re-fetches with fullMetadata: true if minimumReleaseAge is active and the package was modified after the cutoff. The upgraded metadata is persisted to disk so subsequent installs don't repeat the fetch. Previously the abbreviated meta was used as-is and the maturity check fell back to its warn-and-skip path, silently bypassing the quarantine and emitting a misleading "metadata is missing the time field" warning.

    Closes #​11619.

  • Fix pnpm upgrade --interactive --latest -r not respecting named catalog groups. Previously, upgrading a dependency using a named catalog (e.g. "catalog:foo") would incorrectly rewrite package.json to "catalog:" and place the updated version in the default catalog instead of the named one #​10115.

  • Fixed optimisticRepeatInstall skipping pnpm-lock.yaml merge conflict resolution when the existing node_modules state appears up to date.

  • Fix minimumReleaseAge / resolutionMode: time-based installs failing on lockfiles whose time: block is missing entries. The npm-resolver's peek-from-store fast path now surfaces publishedAt from the lockfile rather than discarding it, and falls through to a registry metadata fetch when the time-based cutoff can't be computed from the data on hand.

v11.1.1

Compare Source

Patch Changes
  • Skip installability validation when scanning workspace projects in checkDepsStatus (run by verifyDepsBeforeRun). Previously the status check called findWorkspaceProjects, which validates each project's engines and os/cpu/libc and warns about useless fields in non-root manifests — work that the install pipeline already performs. With no nodeVersion threaded through, the engine check also fell back to the system Node from PATH and emitted spurious "Unsupported engine" warnings before scripts ran. Status-only callers now use findWorkspaceProjectsNoCheck; install paths continue to validate.
  • Fixed pnpm add <alias>:@&#8203;scope/pkg for named registries. The local resolver was claiming any specifier containing / as a local directory, so pnpm add bit:@&#8203;teambit/bit (with bit configured under namedRegistries) installed a bogus link to bit:@&#8203;teambit/bit/ instead of resolving from the configured registry. The local resolver now runs after the named-registry resolver in the resolution chain.
  • Updated @zkochan/cmd-shim to 9.0.3. The sh shim it writes for .cmd / .bat targets now escapes the /C switch as //C, so it survives the path translation Git Bash applies when launching cmd.exe. Without this, a bare /C was rewritten to C:\ before reaching cmd.exe — the switch was dropped, cmd started interactively, and the calling script saw the cmd banner instead of the wrapped command's output. Affects any cmd-shim-wrapped batch script invoked from Git Bash / MSYS / Cygwin on Windows. See pnpm/cmd-shim#55.

v11.1.0

Compare Source

Minor Changes

  • Added pnpm audit signatures to verify ECDSA registry signatures for installed packages against keys from /-/npm/v1/keys #​7909. Scoped registries are respected, and registries without signing keys are skipped.

  • Added support for installing packages from the GitHub Packages npm registry via a built-in gh: prefix (e.g. pnpm add gh:@&#8203;acme/private), and, more broadly, for arbitrary named registries in the style of vlt's named-registry aliases. Authentication is picked up from the existing per-URL .npmrc entries (e.g. //npm.pkg.github.com/:_authToken=...), so no separate auth mechanism is required.

    Additional aliases — or an override for the built-in gh alias, for GitHub Enterprise Server — can be configured under namedRegistries in pnpm-workspace.yaml:

    namedRegistries:
  gh: https://npm.pkg.github.example.com/
  work: https://npm.work.example.com/

    With this, work:@&#8203;corp/lib@^2.0.0 resolves against https://npm.work.example.com/. #​8941.

  • Allow setting sbom spec version using --sbom-spec-version #​11389.

  • Add --no-runtime flag (config: runtime=false) to skip installing runtime entries (e.g. Node.js downloaded via devEngines.runtime) without modifying the lockfile. The lockfile keeps the runtime entry so frozen-lockfile validation still passes; only the runtime fetch and .bin linking are skipped. Useful in CI matrices where the runtime is provisioned externally (e.g. via pnpm runtime -g set node <version>) before pnpm install runs.

  • Added the pnpm bugs command that opens a package's bug tracker URL in the browser. With no arguments, it reads the current project's package.json; with one or more package names, it fetches each package's metadata from the registry and opens its bug tracker. Falls back to <repository>/issues when the bugs field is missing #​11279.

  • Added pnpm owner command to manage package owners on the registry.

Patch Changes

  • Added "published X ago by Y" information to the pnpm view command output, similar to npm view. This is useful when comparing against minimumReleaseAge.

    For example, pnpm view pnpm now shows:

    published 17 hours ago by GitHub Actions

  • pnpm publish now honors the configured HTTP/HTTPS proxy (including https_proxy/http_proxy/no_proxy environment variables) when polling the registry's doneUrl during the web-based authentication flow. Previously the poll bypassed the proxy, causing the registry to respond 403 from a different source IP and the login to never complete #​11561.

  • pnpm add -g now installs each space-separated package into its own isolated directory by default. To bundle multiple packages into the same isolated install (so that they share dependencies and are removed together), pass them as a comma-separated list. For example:

    • pnpm add -g foo bar installs foo and bar as two independent globals — removing one does not affect the other.
    • pnpm add -g foo,bar qar bundles foo and bar into a single isolated install while qar is installed on its own.

    Related: #​11587.

  • pnpm runtime set <name> <version> no longer fails in the root of a multi-package workspace with the ADDING_TO_ROOT error. Installing the workspace root is a valid target for a runtime, so the command now bypasses that safety check.

  • Fix pnpm --version hanging for the lifetime of the worker pool after the version was printed. main.ts's --version short-circuit returned before reaching the command-handler finally that calls finishWorkers(), so the worker pool that switchCliVersion had spawned during integrity resolution stayed alive and held the Node event loop open. The CLI entry now runs finishWorkers() from its own finally, so every exit path tears the pool down.

    Repro: pnpm --version in a workspace whose devEngines.packageManager version already matches the running pnpm + onFail: "download". switchCliVersion resolves the integrity (spawning workers), finds nothing to swap, returns. The version prints, then the process hangs.

dcastil/tailwind-merge (tailwind-merge)

v3.6.0

Compare Source

typescript-eslint/typescript-eslint (typescript-eslint)

v8.59.3

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitejs/vite (vite)

v8.0.13

Compare Source

Features
Bug Fixes
Miscellaneous Chores

v8.0.12

Compare Source

Features
Bug Fixes
  • create-vite: pass react framework to TanStack CLI (#​22397) (18f0f90)
  • deps: update all non-major dependencies (#​22420) (2be6000)
  • module-runner: prevent partial-exports race on concurrent imports of in-flight invalidated re-export chains (#​22369) (f5a22e6)
  • refer to rolldownOptions instead of deprecated rollupOptions in messages (#​22400) (b675c7b)
  • worker: apply build.target to worker bundle (#​22404) (3c93fde)
  • worker: forward define to worker bundle transform (#​22408) (d4838a0)
Miscellaneous Chores

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot enabled auto-merge (squash) May 16, 2026 04:10
@netlify
Copy link
Copy Markdown

netlify Bot commented May 16, 2026
edited
Loading

Deploy Preview for ucmacm ready!

Name Link
🔨 Latest commit 1bf4661
🔍 Latest deploy log https://app.netlify.com/projects/ucmacm/deploys/6a07ef18fc7c6d0008bb9efc
😎 Deploy Preview https://deploy-preview-769--ucmacm.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
Lighthouse
Lighthouse		 1 paths audited
Performance: 91
Accessibility: 97
Best Practices: 92
SEO: 83
PWA: 80
View the detailed breakdown and full score reports

To edit notification comments on pull requests, go to your Netlify project configuration.

@renovate renovate Bot force-pushed the renovate/npm-dependencies branch from 6432435 to 1bf4661 Compare May 16, 2026 04:14
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 16, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@renovate renovate Bot merged commit a1d9c56 into react-rewrite May 16, 2026
9 checks passed
@renovate renovate Bot deleted the renovate/npm-dependencies branch May 16, 2026 04:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants