chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@atproto/api (source)	0.19.0 → 0.19.3			dependencies	patch
@atproto/lex (source)	0.0.19 → 0.0.20			dependencies	patch
@atproto/lex-password-session (source)	0.0.7 → 0.0.8			dependencies	patch
@clack/prompts (source)	1.0.1 → 1.1.0			dependencies	minor
@floating-ui/vue (source)	1.1.10 → 1.1.11			dependencies	patch
@iconify-json/lucide	1.2.95 → 1.2.96			dependencies	patch
@intlify/core-base (source)	11.2.8 → 11.3.0			devDependencies	minor
@intlify/shared (source)	11.2.8 → 11.3.0			dependencies	minor
@napi-rs/canvas	0.1.95 → 0.1.96			dependencies	patch
@nuxtjs/mdc	0.20.1 → 0.20.2			dependencies	patch
@shikijs/langs (source)	4.0.1 → 4.0.2			dependencies	patch
@shikijs/markdown-exit (source)	4.0.1 → 4.0.2			dependencies	patch
@shikijs/themes (source)	4.0.1 → 4.0.2			dependencies	patch
@storybook/addon-a11y (source)	10.2.14 → 10.2.16			pnpm.catalog.storybook	patch
@storybook/addon-docs (source)	10.2.14 → 10.2.16			pnpm.catalog.storybook	patch
@storybook/addon-themes (source)	10.2.14 → 10.2.16			pnpm.catalog.storybook	patch
@types/node (source)	24.11.0 → 24.12.0			devDependencies	minor
@types/sanitize-html (source)	2.16.0 → 2.16.1			devDependencies	patch
@unocss/nuxt (source)	66.6.2 → 66.6.6			dependencies	patch
@unocss/preset-wind4 (source)	66.6.3 → 66.6.6			dependencies	patch
@upstash/redis (source)	1.36.3 → 1.36.4			dependencies	patch
@​voidzero-dev/vite-plus-core	0.0.0-gd42e0ca6.20260225-0619 → 0.1.2			dependencies	minor
actions/setup-node	v6.2.0 → v6.3.0			action	minor
fast-check (source)	4.5.3 → 4.6.0			devDependencies	minor
fast-npm-meta	1.3.0 → 1.4.2			dependencies	minor
h3 (source)	1.15.5 → 1.15.6			devDependencies	patch
h3-next (source)	2.0.1-rc.14 → 2.0.1-rc.16			devDependencies	patch
marked (source)	17.0.3 → 17.0.4			dependencies	patch
pnpm (source)	10.30.3 → 10.31.0			packageManager	minor
shiki (source)	4.0.1 → 4.0.2			dependencies	patch
srvx (source)	0.11.8 → 0.11.9			dependencies	patch
tsdown (source)	0.20.3 → 0.21.1			devDependencies	minor
unocss (source)	66.6.2 → 66.6.6			dependencies	patch
vitest	0.0.0-gd42e0ca6.20260225-0619 → 0.1.2			devDependencies	minor

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

bluesky-social/atproto (@​atproto/api)

v0.19.3

Compare Source

Patch Changes

• #​4717 76ab6ea Thanks @​estrattonbailey! - Trust status returned from refreshSession and do not fall back to a potentially stale value from this.session.

v0.19.2

Compare Source

Patch Changes

• #​4683 6634140 Thanks @​ds-boyce! - Introduce recIdStr field

• #​4713 0e5df95 Thanks @​matthieusieben! - Make sure to always trigger a refreshSession when resumeSession() is called

v0.19.1

Compare Source

Patch Changes

• #​4704 137065b Thanks @​ds-boyce! - Add feed to sendInteractions input

• Updated dependencies [f7c2610, f7c2610, f7c2610, f7c2610, f7c2610, f7c2610, f7c2610, 52834ab, f7c2610]:

  • @​atproto/syntax@​0.5.0
  • @​atproto/common-web@​0.4.18
  • @​atproto/lexicon@​0.6.2

bluesky-social/atproto (@​atproto/lex)

v0.0.20

Compare Source

Patch Changes

• #​4689 f7c2610 Thanks @​matthieusieben! - Update readme

• Updated dependencies [52834ab, f7c2610, 52834ab, 52834ab, 52834ab, 52834ab, 52834ab, 52834ab, 52834ab, 52834ab]:

  • @​atproto/lex-schema@​0.0.14
  • @​atproto/lex-data@​0.0.13
  • @​atproto/lex-client@​0.0.15
  • @​atproto/lex-installer@​0.0.20
  • @​atproto/lex-builder@​0.0.17
  • @​atproto/lex-json@​0.0.13

bluesky-social/atproto (@​atproto/lex-password-session)

v0.0.8

Compare Source

Patch Changes

• Updated dependencies [52834ab, f7c2610, 52834ab, 52834ab, 52834ab, 52834ab, 52834ab, 52834ab]:
  • @​atproto/lex-schema@​0.0.14
  • @​atproto/lex-client@​0.0.15

bombshell-dev/clack (@​clack/prompts)

v1.1.0

Compare Source

Minor Changes

• e3333fb: Replaces picocolors with Node.js built-in styleText.

Patch Changes

• c3666e2: destruct limitOption param for better code readability, tweak types definitions
• ba3df8e: Fixes withGuide support in intro, outro, and cancel messages.
• Updated dependencies [e3333fb]
  • @​clack/core@​1.1.0

floating-ui/floating-ui (@​floating-ui/vue)

v1.1.11

Patch Changes

• Update dependencies: @floating-ui/dom@1.7.6, @floating-ui/utils@0.2.11

intlify/vue-i18n (@​intlify/core-base)

v11.3.0

Compare Source

What's Changed

🌟 Features

• feat: support escape sequence by @​kazupon in #​2437

🐛 Bug Fixes

• fix: wrong @intlify/devtools-types dependencies by @​kazupon in #​2411
• fix: v-t directive does not rerender when locale switches by @​kazupon in #​2415
• fix: te returns false if the key contains a do by @​kazupon in #​2430
• fix: modifiers skip missing translation keys by @​kazupon in #​2432
• fix: wrong $d type by @​kazupon in #​2435
• fix: resolve correctly key path by @​kazupon in #​2436

⚡ Improvement Features

• fix: Usage of n() and $n() with undefined should not throw errors by @​kazupon in #​2429
• fix: display message commpiler error strictly by @​kazupon in #​2431
• fix: Suppressing automatic locale fallback with ! breaks n/$n and d/$d formatting by @​kazupon in #​2434

📈 Performance Fixes

• perf: use shallowRef server-side for datetimeFormats by @​kazupon in #​2428

📝️ Documentations

• docs: fix wrong plural usage by @​kazupon in #​2438
• docs: improve petite-vue-i18n resource key handling by @​kazupon in #​2439

👕 Refactoring

• refactor: reduce variable assignments and function calls by @​kazupon in #​2426

Full Changelog: intlify/vue-i18n@v11.2.8...v11.3.0

Brooooooklyn/canvas (@​napi-rs/canvas)

v0.1.96

Compare Source

Bug Fixes

• prevent memory leak when drawing canvas onto another via drawImage() (#​1222) (85ef08b)

nuxt-content/mdc (@​nuxtjs/mdc)

v0.20.2

Compare Source

compare changes

shikijs/shiki (@​shikijs/langs)

v4.0.2

Compare Source

   🐞 Bug Fixes

• Support ANSI language with multiple themes  -  by @​dan-lee in #​1259 (2a232)

    View changes on GitHub

storybookjs/storybook (@​storybook/addon-a11y)

v10.2.16

Compare Source

• CSF-Factories: Fix ConfigFile parser false warning on definePreview({...}).type<T>() export default - #​33885, thanks @​copilot-swe-agent!
• Core: Add host/origin validation to requests and websocket connections - #​33835, thanks @​ghengeveld!
• Core: Add vike metadata frameworks - #​33965, thanks @​yannbf!
• Core: Resolve builder preset path correctly in pnpm strict mode - #​34032, thanks @​braedenfoster!
• Core: Update default allowed hosts in host validation middleware - #​34045, thanks @​ghengeveld!

v10.2.15

Compare Source

• Core: Storybook failed to load iframe.html when publishing - #​33896, thanks @​danielalanbates!
• Manager-API: Update refs sequentially in experimental_setFilter - #​33958, thanks @​ia319!
• React: Handle render identifier in manifest snippet generation - #​33940, thanks @​kasperpeulen!

unocss/unocss (@​unocss/nuxt)

v66.6.6

Compare Source

   🐞 Bug Fixes

• svelte-scoped: Generate in buildEnd() to make presetWind4 on-dem…  -  by @​henrikvilhelmberglund in #​5133 (06d7c)

    View changes on GitHub

v66.6.5

Compare Source

   🐞 Bug Fixes

• config: Enhance loadConfig to track user custom config presence  -  by @​zyyv in #​5132 (76f65)

    View changes on GitHub

v66.6.4

Compare Source

   🚀 Features

• core: Add noScope key determines whether to wrap the selector  -  by @​zyyv and Copilot in #​5130 (5b67c)

    View changes on GitHub

upstash/redis-js (@​upstash/redis)

v1.36.4

Compare Source

actions/setup-node (actions/setup-node)

v6.3.0

Compare Source

What's Changed

Enhancements:

• Support parsing devEngines field by @​susnux in #​1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

• Fix npm audit issues by @​gowridurgad in #​1491
• Replace uuid with crypto.randomUUID() by @​trivikr in #​1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​1498

Bug fixes:

• Remove hardcoded bearer for mirror-url @​marco-ippolito in #​1467
• Scope test lockfiles by package manager and update cache tests by @​gowridurgad in #​1495

New Contributors

• @​susnux made their first contribution in #​1283

Full Changelog: actions/setup-node@v6...v6.3.0

dubzzz/fast-check (fast-check)

v4.6.0

Compare Source

Better stringMatching with maxLength
[Code][Diff]

Features

• (PR#6599) Add basic maxLength support to stringMatching
• (PR#6600) Better clamp on regexes when maxLength on stringMatching
• (PR#6687) Deprecate Random::next(n) and Random::nextInt()

Fixes

• (PR#6502) Bug: Bad d.ts import in BuildInversedRelationsMapping
• (PR#6578) Bug: Don't crash when stringifying detached ArrayBuffers
• (PR#6700) Bug: Fix object unmapper and depth computation for special keys
• (PR#6432) CI: Move all dependencies to dev on examples/
• (PR#6443) CI: Migrate to Docusaurus v4 configuration format
• (PR#6456) CI: Enable persist-credentials in add-contributor workflow
• (PR#6501) CI: Bump module in tsconfig to node18
• (PR#6548) CI: Fix zizmor ignore config line numbers
• (PR#6554) CI: Drop tests against Node 20
• (PR#6563) CI: Fix check_publish status to be success on no error
• (PR#6565) CI: Add create release workflow
• (PR#6610) CI: Rework pnpm configuration
• (PR#6619) CI: Add PR template enforcement workflow
• (PR#6622) CI: Skip Netlify doc publish on PRs
• (PR#6625) CI: Run PR template check without approval
• (PR#6623) CI: Skip PR template check for Renovate bot
• (PR#6638) CI: Bundle fast-check using rolldown
• (PR#6662) CI: Rework configuration of examples
• (PR#6683) CI: Add Claude Code GitHub Action workflow
• (PR#6684) CI: Add configuration for pre and post tool Claude hooks
• (PR#6690) CI: Refine GH Action triggering CLAUDE
• (PR#6693) CI: Configure another Claude model
• (PR#6703) CI: Add top-level permissions: {} to workflows missing it
• (PR#6704) CI: Refactor Claude workflow custom instructions configuration
• (PR#6705) CI: Add SessionStart hook to ensure dependencies are installed
• (PR#6597) Clean: Drop runkit file
• (PR#6640) Clean: Drop unused "tsd" in package.json
• (PR#6441) Doc: Release note for 4.5.0
• (PR#6442) Doc: Replace generic blog tags with feature-specific taxonomy
• (PR#6458) Doc: Add adamni21 as doc contributor
• (PR#6496) Doc: Refine npm keywords
• (PR#6514) Doc: Skill for JavaScript testing expert
• (PR#6516) Doc: Add note to avoid overusing filter and fc.pre
• (PR#6517) Doc: Update testing skill to recommend mimicking existing test structure
• (PR#6523) Doc: Add PR template requirement to Copilot instructions
• (PR#6522) Doc: Add note on complementary testing approaches
• (PR#6524) Doc: Add snapshot vs screenshot guidance
• (PR#6527) Doc: Push to install missing tooling
• (PR#6530) Doc: Clearer guidelines for constraints of arbs in skill
• (PR#6526) Doc: Add AI-powered testing documentation
• (PR#6529) Doc: Add testing-library and browser testing part in skill
• (PR#6528) Doc: Add bigint type preference for integer computations in skill
• (PR#6531) Doc: Add TDD fashion thinking in skill
• (PR#6553) Doc: Add josephjunker as doc contributor
• (PR#6561) Doc: Add page on "What is property-based testing" and modify "Why property-based testing"
• (PR#6605) Doc: Drop Snyk link on Readme
• (PR#6603) Doc: Update CONTRIBUTING.md for AI
• (PR#6572) Doc: Rework issue templates
• (PR#6613) Doc: Update PR template
• (PR#6634) Doc: Rework bug-report template
• (PR#6635) Doc: Rework regression-report template
• (PR#6652) Doc: Update Readme to point to npmx
• (PR#6659) Doc: Update home to link to npmx
• (PR#6696) Doc: Add rushelex as code contributor
• (PR#6448) Performance: Optimize RunDetailsFormatter array allocations
• (PR#5718) Performance: Import less from pure-rand
• (PR#6679) Performance: Bump pure-rand to v8
• (PR#6446) Performance: Replace loose equality by strict one
• (PR#6444) Performance: Slightly faster code for RunExecution
• (PR#6437) Refactor: Replace fileURLToPath patterns with import.meta.*
• (PR#6567) Refactor: Remove ErrorWithCause, use Error directly
• (PR#6621) Refactor: Replace glob package with native Node.js fs.glob
• (PR#6675) Refactor: Drop @​rollup/plugin-replace for rolldown builtin
• (PR#6550) Security: Fix zizmor template-injection findings
• (PR#6472) Test: Provide cause when doc generation fails
• (PR#6381) Test: Migrate test-types to vitest
• (PR#6507) Test: Filter ESM-only packages from CommonJS mode checks
• (PR#6453) Typo: Fix typo for dictionary arbitrary constraint maxKeys
• (PR#6552) Typo: Replace flatMap with chain in error message

---

antfu/fast-npm-meta (fast-npm-meta)

v1.4.2

Compare Source

   🐞 Bug Fixes

• Batch syntax with plus restored  -  by @​alex-key in #​34 (d123b)

    View changes on GitHub

v1.4.1

Compare Source

   🐞 Bug Fixes

• Avoid decode + incorrectly  -  by @​antfu (dcd57)

    View changes on GitHub

v1.4.0

Compare Source

   🐞 Bug Fixes

• Range semver in url properly handled, remove space-plus replacement  -  by @​alex-key in #​32 (ecae7)
• skill: Add missing fields  -  by @​9romise in #​30 (b944d)

    View changes on GitHub

h3js/h3 (h3)

v1.15.6

Compare Source

compare changes

🩹 Fixes

• sse: Sanitize newlines in event stream fields to prevent SSE injection (840ac5c)
• static: Prevent path traversal via percent-encoded dot segments (6465e1b)

markedjs/marked (marked)

v17.0.4

Compare Source

Bug Fixes

• prevent ReDoS in inline link regex title group (#​3902) (46fb9b8)

pnpm/pnpm (pnpm)

v10.31.0

Compare Source

h3js/srvx (srvx)

v0.11.9

Compare Source

compare changes

🩹 Fixes

• static: Use path separator instead of hardcoded slash (#​190)
• fasturl, node: Normalize pathname if necessary (bd8c0d3)

🏡 Chore

• Update deps (cb8c4ed)
• Update tsconfig (fc1a711)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Joël Charles (@​magne4000)

rolldown/tsdown (tsdown)

v0.21.1

Compare Source

   🚨 Breaking Changes

• css: Move all CSS support to @tsdown/css package  -  by @​sxzz in #​809 (1b1a1)

[!IMPORTANT]
If you are using CSS features (e.g., CSS imports), you now need to manually install the @tsdown/css package:

npm install @​tsdown/css -D
# or
pnpm add @​tsdown/css -D

Note: CSS support is still an experimental feature and does not follow SemVer. Breaking changes may occur in any release.

   🚀 Features

• css:
  • Add css.inject option to preserve CSS imports in JS output  -  by @​sxzz and Claude Haiku 4.5 in #​808 (ad745)
  • Support ?inline query for CSS imports  -  by @​sxzz in #​810 (b7379)
  • Support node_modules package resolution  -  by @​sxzz and Claude Haiku 4.5 in #​812 (b06b4)

   🐞 Bug Fixes

• Generate correct filename for sass files when dts is enabled  -  by @​ocavue in #​802 (848a7)
• css:
  • Handle virtual module IDs from framework plugins  -  by @​sxzz (c421f)
  • Ignore css imports with URL query  -  by @​ocavue and @​sxzz in #​806 (c1d23)

    View changes on GitHub

v0.21.0

Compare Source

v0.21.0 - Notable Changes

Breaking Changes

Dependency options renamed to deps namespace

The dependency-related options have been moved under a new deps namespace with clearer names:

• external -> deps.neverBundle
• noExternal -> deps.alwaysBundle
• inlineOnly -> deps.onlyAllowBundle
• skipNodeModulesBundle -> deps.skipNodeModulesBundle

Before:

export default defineConfig({
  external: ['vue'],
  noExternal: ['lodash'],
})

After:

export default defineConfig({
  deps: {
    neverBundle: ['vue'],
    alwaysBundle: ['lodash'],
  },
})

The old options still work but are deprecated and will emit warnings.

failOnWarn default changed from 'ci-only' to false

If you relied on the previous behavior where warnings would fail the build in CI environments, you now need to explicitly set failOnWarn: true or failOnWarn: 'ci-only' in your config.

Node.js < 22.18.0 deprecated

tsdown now emits a deprecation warning when running on Node.js versions below 22.18.0. Plan to upgrade your Node.js version accordingly.

New Features

Experimental Node.js SEA executable bundling (exe)

tsdown can now bundle your TypeScript project into a standalone executable using Node.js Single Executable Applications (SEA). A new @tsdown/exe package provides cross-platform executable building support. See the exe documentation for details.

export default defineConfig({
  exe: true, // or { useCodeCache: true, useSnapshot: true }
})

Full CSS pipeline with @tsdown/css

CSS handling has been reimplemented as a native Rolldown plugin and extracted into the @tsdown/css package, providing a complete CSS pipeline with Lightning CSS and PostCSS support via the css.transformer option. See the CSS documentation for details.

inlinedDependencies field in package.json

When using the exports feature, tsdown now auto-generates an inlinedDependencies field in your package.json, listing dependencies that are bundled into the output.

Object option for customExports

customExports now supports an object format for more fine-grained control over the generated exports field.

Migration Guide

1. Update dependency options: Rename external -> deps.neverBundle, noExternal -> deps.alwaysBundle, etc.
2. Check failOnWarn: If you need warnings to fail the build in CI, explicitly set failOnWarn: 'ci-only' or failOnWarn: true.
3. Upgrade Node.js: Ensure you're running Node.js >= 22.18.0 to avoid deprecation warnings.

Links

• tsdown Documentation
• v0.21.0-beta.1 Release
• v0.21.0-beta.2 Release
• v0.21.0-beta.3 Release
• v0.21.0-beta.4 Release
• v0.21.0-beta.5 Release
• Full diff from v0.20.3

---

   🚨 Breaking Changes

• Change failOnWarn default from 'ci-only' to false  -  by @​sxzz (ad8db)
• exe: Require Node >=25.7 and default format to esm  -  by @​sxzz in #​798 (0173c)

   🚀 Features

• Rename dependency options to deps namespace  -  by @​sxzz (7f509)
• Upgrade rolldown  -  by @​sxzz (7a528)
• Deprecate Node.js versions below 22.18.0  -  by @​sxzz (439f1)
• Support bundling .node files by default  -  by @​sxzz (944e9)
• css:
  • Implement full CSS pipeline as Rolldown plugin  -  by @​sxzz in #​787 (dbe3c)
  • Extract CSS pipeline into @tsdown/css package  -  by @​sxzz in #​790 (e4cbe)
  • Add PostCSS support with css.transformer option  -  by @​sxzz in #​791 (35bef)
  • Default css.transformer to lightningcss  -  by @​sxzz in #​797 (288a5)
• exe:
  • Add experimental Node.js SEA executable bundling  -  by @​sxzz in #​777 [(418d5)](https://redirect.github.co

---

Configuration

📅 Schedule: Branch creation - "on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs.npmx.dev	Error		Mar 9, 2026 3:32pm
npmx.dev	Error		Mar 9, 2026 3:32pm

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
npmx-lunaria	Ignored		Mar 9, 2026 3:32pm

[codecov]

⚠️ JUnit XML file not found

The CLI was unable to find any JUnit XML files to upload.
For more help, visit our troubleshooting guide.