chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@antfu/eslint-config	^7.4.3 → ^7.7.3			pnpm.catalog.dev	minor
@commitlint/cli (source)	^20.4.1 → ^20.5.3			pnpm.catalog.dev	minor
@commitlint/config-conventional (source)	^20.4.1 → ^20.5.3			pnpm.catalog.dev	minor
@vitest/browser-playwright (source)	^4.0.18 → ^4.1.7			pnpm.catalog.test	minor
@vitest/coverage-v8 (source)	^4.0.18 → ^4.1.7			pnpm.catalog.test	minor
eslint (source)	^9.39.2 → ^9.39.4			pnpm.catalog.dev	patch
lint-staged	^16.2.7 → ^16.4.0			pnpm.catalog.dev	minor
node (source)	>=24.13.1 → >=24.16.0			engines	minor
playwright (source)	^1.58.2 → ^1.60.0			pnpm.catalog.test	minor
pnpm (source)	10.29.3 → 10.34.1			packageManager	minor
pnpm (source)	>=10.29.3 → >=10.34.1			engines	minor
vitest (source)	^4.0.18 → ^4.1.7			pnpm.catalog.test	minor

---

Release Notes

antfu/eslint-config (@​antfu/eslint-config)

v7.7.3

Compare Source

   🐞 Bug Fixes

• Disable some e18e rules  -  by @​antfu (7edec)

    View changes on GitHub

v7.7.2

Compare Source

   🐞 Bug Fixes

• Exclude the zed terminal from editor detection  -  by @​mattmess1221 in #​834 (9484a)
• Enable typescript when tsgo installed  -  by @​9romise in #​833 (4665e)
• e18e: moduleReplacements should only enable in lib  -  by @​antfu (61658)

    View changes on GitHub

v7.7.0

Compare Source

   🚀 Features

• Zed support  -  by @​hyoban in #​827 (30fcb)
• Integrate @​e18e/eslint-plugin  -  by @​9romise in #​830 (ebd46)

   🐞 Bug Fixes

• markdown: Disable 'markdown/fenced-code-language' rule  -  by @​jinghaihan in #​831 (0c44d)

    View changes on GitHub

v7.6.1

Compare Source

   🐞 Bug Fixes

• Separate node plugins setup and rules, fix #​817  -  by @​antfu in #​817 (fa3b0)

    View changes on GitHub

v7.6.0

Compare Source

   🚀 Features

• jsonc: Use jsonc/x language  -  by @​hyoban in #​824 (a9b7a)

   🐞 Bug Fixes

• jsdoc: Separate setup  -  by @​hyoban in #​825 (6742d)

    View changes on GitHub

v7.5.0

Compare Source

   🚀 Features

• markdown: Use markdown language  -  by @​hyoban and @​antfu in #​818 (93063)

    View changes on GitHub

conventional-changelog/commitlint (@​commitlint/cli)

v20.5.3

Compare Source

Note: Version bump only for package @​commitlint/cli

v20.5.2

Compare Source

Note: Version bump only for package @​commitlint/cli

v20.5.0

Compare Source

Bug Fixes

• cli: validate that --cwd directory exists before execution (#​4658) (cf80f75), closes #​4595

20.4.4 (2026-03-12)

Note: Version bump only for package @​commitlint/cli

20.4.3 (2026-03-03)

Bug Fixes

• footer parser does not escape special chars for regex #​4560 (#​4634) (8ff7c7f)

20.4.2 (2026-02-19)

Note: Version bump only for package @​commitlint/cli

20.4.1 (2026-02-02)

Note: Version bump only for package @​commitlint/cli

v20.4.4

Compare Source

Note: Version bump only for package @​commitlint/cli

v20.4.3

Compare Source

Bug Fixes

• footer parser does not escape special chars for regex #​4560 (#​4634) (8ff7c7f)

v20.4.2

Compare Source

Note: Version bump only for package @​commitlint/cli

conventional-changelog/commitlint (@​commitlint/config-conventional)

v20.5.3

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

v20.5.0

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

20.4.4 (2026-03-12)

Note: Version bump only for package @​commitlint/config-conventional

20.4.3 (2026-03-03)

Bug Fixes

• footer parser does not escape special chars for regex #​4560 (#​4634) (8ff7c7f)

20.4.2 (2026-02-19)

Note: Version bump only for package @​commitlint/config-conventional

20.4.1 (2026-02-02)

Note: Version bump only for package @​commitlint/config-conventional

v20.4.4

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

v20.4.3

Compare Source

Bug Fixes

• footer parser does not escape special chars for regex #​4560 (#​4634) (8ff7c7f)

v20.4.2

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

vitest-dev/vitest (@​vitest/browser-playwright)

v4.1.7

Compare Source

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in #​10384 (4f0f2)

    View changes on GitHub

v4.1.6

Compare Source

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in #​10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in #​10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in #​10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in #​10276 (9f7b1)

    View changes on GitHub

v4.1.5

Compare Source

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in #​10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in #​10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in #​10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in #​10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in #​10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in #​8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in #​8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in #​10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in #​10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in #​10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in #​10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in #​9927 and #​10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in #​10154 (6abd5)

    View changes on GitHub

v4.1.4

Compare Source

   🚀 Experimental Features

• coverage:
  • Default to text reporter skipFull if agent detected  -  by @​hi-ogawa in #​10018 (53757)
• experimental:
  • Expose assertion as a public field  -  by @​sheremet-va in #​10095 (a120e)
  • Support aria snapshot  -  by @​hi-ogawa, Claude Opus 4.6 (1M context), @​AriPerkkio, Codex and @​sheremet-va in #​9668 (d4fbb)
• reporter:
  • Add filterMeta option to json reporter  -  by @​nami8824 and @​sheremet-va in #​10078 (b77de)

   🐞 Bug Fixes

• Use "black" foreground for labeled terminal message to ensure contrast  -  by @​hi-ogawa in #​10076 (203f0)
• Make expect(..., message) consistent as error message prefix  -  by @​hi-ogawa and Codex in #​10068 (a1b5f)
• Do not hoist imports whose names match class properties .  -  by @​SunsetFi in #​10093 and #​10094 (0fc4b)
• browser: Spread user server options into browser Vite server in project  -  by @​GoldStrikeArch in #​10049 (65c9d)

    View changes on GitHub

v4.1.3

Compare Source

   🚀 Experimental Features

• Add experimental.preParse flag  -  by @​sheremet-va in #​10070 (78273)
• Support browser.locators.exact option  -  by @​sheremet-va in #​10013 (48799)
• Add TestAttachment.bodyEncoding  -  by @​hi-ogawa in #​9969 (89ca0)
• Support custom snapshot matcher  -  by @​hi-ogawa, Claude Sonnet 4.6 and Codex in #​9973 (59b0e)

   🐞 Bug Fixes

• Advance fake timers with expect.poll interval  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10022 (3f5bf)
• Add @vitest/coverage-v8 and @vitest/coverage-istanbul as optional dependency  -  by @​alan-agius4 in #​10025 (146d4)
• Fix defineHelper for webkit async stack trace + update playwright 1.59.0  -  by @​hi-ogawa in #​10036 (5a5fa)
• Fix suite hook throwing errors for unused auto test-scoped fixture  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10035 (39865)
• expect:
  • Remove JestExtendError.context from verbose error reporting  -  by @​hi-ogawa in #​9983 (66751)
  • Don't leak "runner" types  -  by @​sheremet-va in #​10004 (ec204)
• snapshot:
  • Fix flagging obsolete snapshots for snapshot properties mismatch  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​9986 (6b869)
  • Export custom snapshot matcher helper from vitest  -  by @​hi-ogawa and Codex in #​10042 (691d3)
• ui:
  • Don't leak vite types  -  by @​sheremet-va in #​10005 (fdff1)
• vm:
  • Fix external module resolve error with deps optimizer query  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10024 (9dbf4)

    View changes on GitHub

v4.1.2

Compare Source

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (#​9975).

   🐞 Bug Fixes

• Don't resolve setupFiles from parent directory  -  by @​hi-ogawa in #​9960 (7aa93)
• Ensure sequential mock/unmock resolution  -  by @​hi-ogawa and Claude Opus 4.6 in #​9830 (7c065)
• browser: Take failure screenshot if toMatchScreenshot can't capture a stable screenshot  -  by @​macarie in #​9847 (faace)
• coverage: Correct coverageConfigDefaults values and types  -  by @​Arthie in #​9940 (b3c99)
• pretty-format: Fix output limit over counting  -  by @​hi-ogawa in #​9965 (d3b7a)
• Disable colors if agent is detected  -  by @​sheremet-va and @​AriPerkkio in #​9851 (6f97b)

    View changes on GitHub

v4.1.1

Compare Source

   🚀 Features

• experimental:
  • Expose matchesTags to test if the current filter matches tags  -  by @​sheremet-va in #​9913 (eec53)
  • Introduce experimental.vcsProvider  -  by @​sheremet-va in #​9928 (56115)

   🐞 Bug Fixes

• Mark TestProject.testFilesList internal properly  -  by @​sapphi-red in #​9867 (54f26)
• Detect fixture that returns without calling use  -  by @​oilater in #​9831 and #​9861 (633ae)
• Drop vite 8.beta support  -  by @​AriPerkkio in #​9862 (b78f5)
• Type regression in vi.mocked() static class methods  -  by @​purepear and @​hi-ogawa in #​9857 (90926)
• Properly re-evaluate actual modules of mocked external  -  by @​hi-ogawa in #​9898 (ae5ec)
• Preserve coverage report when html reporter overlaps  -  by @​hi-ogawa in #​9889 (2d81a)
• Provide vi.advanceTimers to the preview provider  -  by @​sheremet-va in #​9891 (1bc3e)
• Don't leak event listener in playwright provider  -  by @​sheremet-va in #​9910 (d9355)
• Open browser in --standalone mode without running tests  -  by @​sheremet-va in #​9911 (e78ad)
• Guard disposable and optional body  -  by @​sheremet-va in #​9912 (6fdb2)
• Resolve retry.condition RegExp serialization issue  -  by @​nstepien and @​hi-ogawa in #​9942 (7b605)
• collect:
  • Don't treat extra props on test return as tests  -  by @​sheremet-va in #​9871 (141e7)
• coverage:
  • Simplify provider types  -  by @​AriPerkkio in #​9931 (aaf9f)
  • Load built-in provider without module runner  -  by @​AriPerkkio in #​9939 (bf892)
• expect:
  • Soft assertions continue after .resolves/.rejects promise errors  -  by @​mixelburg, Maks Pikov, Claude Opus 4.6 (1M context) and @​hi-ogawa in #​9843 (6d74b)
  • Fix sinon-chai style API  -  by @​hi-ogawa in #​9943 (0f08d)
• pretty-format:
  • Limit output for large object  -  by @​hi-ogawa and Claude Opus 4.6 (1M context) in #​9949 (0d5f9)

    View changes on GitHub

v4.1.0

Compare Source

Vitest 4.1 is out!

This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.

   🚀 Features

• Return a disposable from doMock()  -  by @​kirkwaiblinger in #​9332 (e3e65)
• Added chai style assertions  -  by @​ronnakamoto and @​sheremet-va in #​8842 (841df)
• Update to sinon/fake-timers v15 and add setTickMode to timer controls  -  by @​atscott and @​sheremet-va in #​8726 (4b480)
• Expose matcher types  -  by @​sheremet-va in #​9448 (3e4b9)
• Add toTestSpecification to reported tasks  -  by @​sheremet-va in #​9464 (1a470)
• Show a warning if vi.mock or vi.hoisted are declared outside of top level of the module  -  by @​sheremet-va in #​9387 (5db54)
• Track and display expectedly failed tests (.fails) in UI and CLI  -  by @​Copilot, sheremet-va and @​sheremet-va in #​9476 (77d75)
• Support tags  -  by @​sheremet-va in #​9478 (de7c8)
• Implement aroundEach and aroundAll hooks  -  by @​sheremet-va in #​9450 (2a8cb)
• Stabilize experimental features  -  by @​sheremet-va in #​9529 (b5fd2)
• Accept new or all in --update flag  -  by @​sheremet-va in #​9543 (a5acf)
• Support meta in test options  -  by @​sheremet-va in #​9535 (7d622)
• Support type inference with a new test.extend syntax  -  by @​sheremet-va in #​9550 (e5385)
• Support vite 8 beta, fix type issues in the config with different vite versions  -  by @​sheremet-va in #​9587 (99028)
• Add assertion helper to hide internal stack traces  -  by @​hi-ogawa and Claude Opus 4.6 in #​9594 (eeb0a)
• Store failure screenshots using artifacts API  -  by @​macarie in #​9588 (24603)
• Allow vitest list to statically collect tests instead of running files to collect them  -  by @​sheremet-va in #​9630 (7a8e7)
• Add --detect-async-leaks  -  by @​AriPerkkio in #​9528 (c594d)
• Implement mockThrow and mockThrowOnce  -  by @​thor-juhasz and @​sheremet-va in #​9512 (61917)
• Support update: "none" and add docs about snapshots behavior on CI  -  by @​hi-ogawa in #​9700 (05f18)
• Support playwright launchOptions with connectOptions  -  by @​hi-ogawa in #​9702 (f0ff1)
• Add page/locator.mark API to enhance playwright trace  -  by @​hi-ogawa in #​9652 (d0ee5)
• api:
  • Support tests starting or ending with test in experimental_parseSpecification  -  by @​jgillick and Jeremy Gillick in #​9235 (2f367)
  • Add filters to createSpecification  -  by @​sheremet-va in #​9336 (c8e6c)
  • Expose runTestFiles as alternative to runTestSpecifications  -  by @​sheremet-va in #​9443 (43d76)
  • Add allowWrite and allowExec options to api  -  by @​sheremet-va in #​9350 (20e00)
  • Allow passing down test cases to toTestSpecification  -  by @​sheremet-va in #​9627 (6f17d)
• browser:
  • Add userEvent.wheel API  -  by @​macarie in #​9188 (66080)
  • Add filterNode option to prettyDOM for filtering browser assertion error output  -  by @​Copilot, sheremet-va and @​sheremet-va in #​9475 (d3220)
  • Support playwright persistent context  -  by @​hi-ogawa, Claude Opus 4.6 and @​sheremet-va in #​9229 (f865d)
  • Added detailsPanelPosition option and button  -  by @​shairez in #​9525 (c8a31)
  • Use BlazeDiff instead of pixelmatch  -  by @​macarie in #​9514 (30936)
  • Add findElement and enable strict mode in webdriverio and preview  -  by @​sheremet-va in #​9677 (c3f37)
• cli:
  • Add @​bomb.sh/tab completions  -  by @​AmirSa12 and @​sheremet-va in #​8639 (200f3)
• coverage:
  • Support ignore start/stop ignore hints  -  by @​AriPerkkio in #​9204 (e59c9)
  • Add coverage.changed option to report only changed files  -  by @​kykim00 and @​AriPerkkio in #​9521 (1d939)
• experimental:
  • Add onModuleRunner hook to worker.init  -  by @​sheremet-va in #​9286 (e977f)
  • Option to disable the module runner  -  by @​sheremet-va and @​AriPerkkio in #​9210 (9be61)
  • Add importDurations: { limit, print } options  -  by @​hi-ogawa, Claude Opus 4.6 and @​sheremet-va in #​9401 (7e10f)
  • Add print and fail thresholds for importDurations  -  by @​hi-ogawa and Claude Opus 4.6 in #​9533 (3f7a5)
• fixtures:
  • Pass down file context to beforeAll/afterAll  -  by @​sheremet-va in #​9572 (c8339)
• reporters:
  • Add agent reporter to reduce ai agent token usage  -  by @​cpojer in #​9779 (3e9e0)
• runner:
  • Enhance retry options  -  by @​MazenSamehR, Matan Shavit, @​AriPerkkio and @​sheremet-va in #​9370 (9e4cf)
• ui:
  • Allow run individual test/suites  -  by @​userquin in #​9465 (73b10)
  • Add project filter/sort support  -  by @​userquin in #​8689 (0c7ea)
  • Add duration sorting to explorer  -  by @​julianhahn and @​cursoragent in #​9603 (209b1)
  • Implement filter for slow tests  -  by @​DerYeger and @​userquin in #​9705 (8880c)
• vitest:
  • Add run summary in GitHub Actions Reporter  -  by @​macarie and jhnance in #​9579 (96bfc)

   🐞 Bug Fixes

• Deprecate several vitest/* entry points  -  by @​sheremet-va in #​9347 (fd459)
• Use meta.url in createRequire  -  by @​sheremet-va in #​9441 (e3422)
• Preact browser mode init example of render function not async  -  by @​WuMingDao in #​9375 (2bea5)
• Deprecate unused types in matcher context  -  by @​sheremet-va in [#​9449](https://redirect.github.com/vitest-dev/vitest/issues/9

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "after 2am and before 3am"
• Automerge
  • "after 1am and before 2am"

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cubic-dev-ai]

No issues found across 3 files

[socket-security]

No dependency changes detected. Learn more about Socket for GitHub.

👍 No dependency changes detected in pull request

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 2 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 14, reused 0, downloaded 0, added 0
 ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "ast-v8-to-istanbul@1.0.2" (possible package takeover)

This error happened while installing the dependencies of @vitest/coverage-v8@4.1.7

Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had trusted publisher, but this version has provenance attestation. A trust downgrade may indicate a supply chain incident.