chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@types/node (source)	^20.19.23 → ^20.19.33
@unocss/eslint-plugin (source)	^66.5.4 → ^66.6.0
@unocss/preset-icons (source)	^66.5.4 → ^66.6.0
axios (source)	^1.12.2 → ^1.13.5
bumpp	^10.3.1 → ^10.4.1
eslint (source)	^9.38.0 → ^9.39.2
hoci	^0.8.1 → ^0.9.0
less (source)	^4.4.2 → ^4.5.1
lint-staged	^16.2.6 → ^16.2.7
pinia (source)	^3.0.3 → ^3.0.4
pnpm (source)	10.19.0 → 10.29.3
prettier (source)	^3.6.2 → ^3.8.1
rimraf	^6.0.1 → ^6.1.2
sass	^1.93.2 → ^1.97.3
taze	^19.8.1 → ^19.9.2
tslx	^0.1.1 → ^0.3.0
unocss (source)	^66.5.4 → ^66.6.0
vite-plugin-pwa	^1.1.0 → ^1.2.0
vue (source)	^3.5.22 → ^3.5.28
vue-router (source)	^4.6.3 → ^4.6.4
workbox-core (source)	^7.3.0 → ^7.4.0
workbox-expiration (source)	^7.3.0 → ^7.4.0
workbox-precaching (source)	^7.3.0 → ^7.4.0
workbox-routing (source)	^7.3.0 → ^7.4.0
workbox-strategies (source)	^7.3.0 → ^7.4.0
workbox-window (source)	^7.3.0 → ^7.4.0

---

Release Notes

unocss/unocss (@​unocss/eslint-plugin)

v66.6.0

Compare Source

   🚀 Features

• core:
  • Add allLayers option to output all layer names  -  by @​zyyv in #​5057 (b55b4)
• preset-mini, preset-wind4:
  • Add stretch keyword for width/height  -  by @​zyyv in #​5048 (126d1)
  • Optimize contain-intrinsic-size rule close #​5045  -  by @​zyyv in #​5045 (d5346)

   🐞 Bug Fixes

• build: Remove tsconfig paths mapping and adjust bundle config  -  by @​Jungzl and @​zyyv in #​5052 (55748)
• cli: Avoid clearing cache early to prevent race condition in watch mode  -  by @​zyyv in #​5054 (6bf89)
• svelte-scoped: Explicit export of types to prevent node error  -  by @​henrikvilhelmberglund in #​5067 (42670)
• vscode: Not use catalog version of @types/vscode  -  by @​Jungzl in #​5034 (54769)

    View changes on GitHub

v66.5.12

Compare Source

   🚀 Features

• Enhance style injection logic to support custom root elements  -  by @​octavio1243 in #​5027 (70f1b)

   🐞 Bug Fixes

• playground: Mock invalidate function in fakePluginContext  -  by @​zyyv (5e93d)
• preset-mini: Correct tsdown external configuration  -  by @​zyyv in #​5031 (0107e)
• preset-wind3, preset-wind4: Update column generate value from container  -  by @​zyyv in #​5030 (46860)
• transformer-attributify-jsx: Falls back to regular expression when babel parse error  -  by @​zyyv and Copilot in #​5032 (38cc8)

    View changes on GitHub

v66.5.11

Compare Source

   🚀 Features

• Support Vite 8  -  by @​sxzz in #​5011 (115ee)

   🐞 Bug Fixes

• inspector: Prevent blinking after toggling dark  -  by @​liangmiQwQ in #​5023 (c9651)
• preset-mini: Resolve nested theme colors with dashed keys  -  by @​nlemoine in #​5021 (8e7db)

    View changes on GitHub

v66.5.10

Compare Source

   🚀 Features

• core: Allow postprocessors to append or remove rules  -  by @​Menci and @​zyyv in #​5010 (298de)
• vite: Add virtualModulePrefix option to support for custom virtual module prefix  -  by @​zyyv and @​liujiayii in #​5008 (1819f)

   🐞 Bug Fixes

• config: Should merge inlineConfig when load config  -  by @​zyyv (37452)
• preset-wind4: Support special color key with alpha close #​4998  -  by @​zyyv in #​4998 (e43d0)
• rule-utils: Escape rule prefix close Group descendant selectors and prefixes Fixes #​5004  -  by @​zyyv in #​5004 (dba52)

    View changes on GitHub

v66.5.9

Compare Source

No significant changes

    View changes on GitHub

v66.5.7

Compare Source

   🚀 Features

• Add first-class support for Marko  -  by @​LuLaValva in #​4995 (ba06c)

   🐞 Bug Fixes

• preset-wind4: Cancel support for chained variables close #​4994  -  by @​zyyv in #​4994 (8a465)

   🏎 Performance

• preset-mini: Deprecate regex for search css variables  -  by @​zyyv (4f023)

    View changes on GitHub

v66.5.6

Compare Source

   🐞 Bug Fixes

• preset-wind4: Cancel colors shortcutsnomerge close #​4987  -  by @​zyyv in #​4987 (6b0f7)

    View changes on GitHub

v66.5.5

Compare Source

   🚨 Breaking Changes

• svelte-scoped: Simplify user facing setup  -  by @​fehnomenal and Henrik Berglund in #​4942 (7e52a)

   🚀 Features

• inspector:
  • Integrate Vite DevTools  -  by @​antfu (a95bd)
• preset-wind4:
  • Set the default spacing digits to 4  -  by @​zyyv in #​4983 (1d1ca)
  • Support theme function in bracket  -  by @​zyyv in #​4970 (caeb3)
• reset:
  • Tailwind v4 reset  -  by @​KTibow in #​4956 (8561a)

   🐞 Bug Fixes

• core: Don't use parentVariants for shortcutsNoMerge shortcut  -  by @​zyyv in #​4954 (71d4d)
• eslint-plugin: Enhance generator to support filename context for config loading  -  by @​Jungzl in #​4978 (942cd)
• postcss: Fix wind4 in @screen transformer close #​4973  -  by @​zyyv in #​4973 (49035)
• preset-wind4: Escape css variables close #​4957  -  by @​zyyv in #​4957 (d1e00)
• svelte-scoped: Correctly transform rules with only --at-apply  -  by @​fehnomenal and Henrik Berglund in #​4795 (9a7c3)

    View changes on GitHub

axios/axios (axios)

v1.13.5

Compare Source

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #​7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #​7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #​7369)

Fixes

• Fix/5657. (PR #​7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #​7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #​7326)
• Refactor: bump minor package versions. (PR #​7356)

Documentation

• Clarify object-check comment. (PR #​7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #​7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #​7355)
• CI: update workflow YAMLs. (PR #​7372)
• CI: fix run condition. (PR #​7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #​7360)
• Chore(release): prepare release 1.13.5. (PR #​7379)

New Contributors

• @​sachin11063 (first contribution — PR #​7323)
• @​asmitha-16 (first contribution — PR #​7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Compare Source

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#​7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release
  • Cleaned up interceptor test files
  • Improved workflow configurations

Infrastructure & CI/CD

• refactor: ci and build (#​7340) (8ff6c19)

  • Major refactoring of CI/CD workflows
  • Consolidated workflow files for better maintainability
  • Added mise configuration for the development environment
  • Improved sponsor block update automation
  • Enhanced issue and PR templates
  • Added automatic release notes generation
  • Implemented workflow cancellation for concurrent runs

• chore: codegen and some updates to workflows (76cf77b)

  • Code generation improvements
  • Workflow optimisations

Migration Notes

Breaking Changes

None in this release.

Deprecations

None in this release.

Contributors

Thank you to all contributors who made this release possible! Special thanks to:

• jasonsaayman - Release management and CI/CD improvements

v1.13.3

Compare Source

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#​7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#​6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#​5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#​5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#​7253) (#​7257) (7d19335)
• turn AxiosError into a native error (#​5394) (#​5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#​5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#​7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#​6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#​5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#​6053) (65a7584)
• add Node.js coverage script using c8 (closes #​7289) (#​7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#​6265) (860e033)
• enhance pipeFileToResponse with error handling (#​7169) (88d7884)
• types: Intellisense for string literals in a widened union (#​6134) (f73474d), closes /github.com/microsoft/TypeScript/issues/33471#issuecomment-1376364329

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#​7253) (#​7…" (#​7298) (a4230f5), closes #​7253 #​7 #​7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#​7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad
• JohnTitor
• rohit miryala
• Wilson Mun
• techcodie
• Ved Vadnere
• svihpinc
• SANDESH LENDVE
• Lubos
• Jarred Sumner
• Adam Hines
• Subhan Kumar Rai
• Joseph Frazier
• KT0803
• Albie
• Jake Hayes

v1.13.2

Compare Source

Bug Fixes

• http: fix 'socket hang up' bug for keep-alive requests when using timeouts; (#​7206) (8d37233)
• http: use default export for http2 module to support stubs; (#​7196) (0588880)

Performance Improvements

• http: fix early loop exit; (#​7202) (12c314b)

Contributors to this release

• Dmitriy Mozgovoy
• Kasper Isager Dalsgarð

v1.13.1

Compare Source

Bug Fixes

• http: fixed a regression that caused the data stream to be interrupted for responses with non-OK HTTP statuses; (#​7193) (bcd5581)

Contributors to this release

• Anchal Singh
• Dmitriy Mozgovoy

v1.13.0

Compare Source

Bug Fixes

• fetch: prevent TypeError when config.env is undefined (#​7155) (015faec)
• resolve issue #​7131 (added spacing in mergeConfig.js) (#​7133) (9b9ec98)

Features

• http: add HTTP2 support; (#​7150) (d676df7)

Contributors to this release

• Dmitriy Mozgovoy
• Noritaka Kobayashi
• Aviraj2929
• prasoon patel
• Samyak Dandge
• Anchal Singh
• Rahul Kumar
• Amit Verma
• Abhishek3880
• Dhvani Maktuporia
• Usama Ayoub
• ikuy1203
• Nikhil Simon Toppo
• Jane Wangari
• Supakorn Ieamgomol
• Kian-Meng Ang
• UTSUMI Keiji

1.12.2 (2025-09-14)

Bug Fixes

• fetch: use current global fetch instead of cached one when env fetch is not specified to keep MSW support; (#​7030) (cf78825)

Contributors to this release

• Dmitriy Mozgovoy
• Noritaka Kobayashi

1.12.1 (2025-09-12)

Bug Fixes

• types: fixed env config types; (#​7020) (b5f26b7)

Contributors to this release

• Dmitriy Mozgovoy

antfu-collective/bumpp (bumpp)

v10.4.1

Compare Source

   🚀 Features

• Add custom path to config  -  by @​OskarLebuda in #​107 (0f2e4)

    View changes on GitHub

v10.4.0

Compare Source

No significant changes

    View changes on GitHub

v10.3.2

Compare Source

   🐞 Bug Fixes

• Resolve the options in config file correctly  -  by @​liangmiQwQ in #​101 (f5887)

    View changes on GitHub

eslint/eslint (eslint)

v9.39.2

Compare Source

v9.39.1

Compare Source

v9.39.0

Compare Source

chizukicn/hoci (hoci)

v0.9.0

Compare Source

   🚀 Features

• Add file-upload component  -  by @​chizukicn in #​35 (2264e)
• Use elementRef instead of ref  -  by @​chizukicn in #​41 (ae0f1)
• Add virtual list  -  by @​chizukicn in #​58 (a8d54)

   🐞 Bug Fixes

• Unable to append files in multiple selection mode  -  by @​chizukicn in #​44 (31510)
• File upload cannot upload the same file continuously  -  by @​chizukicn in #​72 (f18ea)

    View changes on GitHub

less/less.js (less)

v4.5.1

Compare Source

lint-staged/lint-staged (lint-staged)

v16.2.7

Compare Source

Patch Changes

• #​1711 ef74c8d Thanks @​iiroj! - Do not display a "failed to spawn" error message when a task fails normally. This message is reserved for when the task didn't run because spawning it failed.

vuejs/pinia (pinia)

v3.0.4

Compare Source

Please refer to CHANGELOG.md for details.

pnpm/pnpm (pnpm)

v10.29.3

Compare Source

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

config help if that's undesired. If you want to rebase/retry this PR, check this box This PR was generated by Mend Renovate. View the repository job log.