chore(deps): update all-minor-updates #9
This PR contains the following updates:
25.5.0 → 25.6.2
10.4.27 → 10.5.0
1.14.0 → 1.16.0
10.1.0 → 10.3.0
16.2.1 → 16.2.6
16.2.1 → 16.2.6
25.8.2 → 25.9.0
10.33.0 → 10.33.4
8.5.8 → 8.5.14
19.2.4 → 19.2.6
19.2.4 → 19.2.6
4.1.2 → 4.1.5
4.13.0 → 4.14.1
Release Notes
postcss/autoprefixer (autoprefixer)
v10.5.0
mask-position-x and mask-position-y support (by @toporek).
axios/axios (axios)
v1.16.0
This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.
v1.15.2
This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.
v1.15.1
This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.
v1.15.0
Bug Fixes
Features
Contributors to this release
PRs
1.2.6 (2023-01-28)
Bug Fixes
CommonRequestHeadersList & CommonResponseHeadersList types to be private in commonJS; (#5503) (5a3d0a3)
Contributors to this release
PRs
1.2.5 (2023-01-26)
Bug Fixes
Contributors to this release
PRs
1.2.4 (2023-01-22)
Bug Fixes
RawAxiosRequestConfig back to AxiosRequestConfig; (#5486) (2a71f49)
AxiosRequestConfig generic; (#5478) (9bce81b)
Contributors to this release
PRs
1.2.3 (2023-01-10)
Bug Fixes
Contributors to this release
PRs
[1.2.2] - 2022-12-29
Fixed
Chores
Contributors to this release
[1.2.1] - 2022-12-05
Changed
Fixed
Refactors
Chores
Contributors to this release
PRs
[1.2.0] - 2022-11-10
Changed
Fixed
Refactors
Chores
Contributors to this release
PRs
[1.1.3] - 2022-10-15
Added
Fixed
Chores
Contributors to this release
PRs
[1.1.2] - 2022-10-07
Fixed
Contributors to this release
PRs
[1.1.1] - 2022-10-07
Fixed
Contributors to this release
PRs
[1.1.0] - 2022-10-06
Fixed
Contributors to this release
PRs
[1.0.0] - 2022-10-04
Added
Changed
Deprecated
Removed
Fixed
Chores
Security
Contributors to this release
Bertrand Marron
Dmitriy Mozgovoy
Dan Mooney
Michael Li
aong
Des Preston
Ted Robertson
zhoulixiang
Arthur Fiorette
Kumar Shanu
JALAL
Jingyi Lin
Philipp Loose
Alexander Shchukin
Dave Cardwell
Cat Scarlet
Luca Pizzini
Kai
Maxime Bargiel
Brian Helba
reslear
Jamie Slome
Landro3
rafw87
Afzal Sayed
Koki Oyatsu
Dave
暴走老七
Spencer
Adrian Wieprzkowicz
Jamie Telin
毛呆
Kirill Shakirov
Rraji Abdelbari
Jelle Schutter
Tom Ceuppens
Johann Cooper
Dimitris Halatsis
chenjigeng
João Gabriel Quaresma
Victor Augusto
neilnaveen
Pavlos
Kiryl Valkovich
Naveen
wenzheng
hcwhan
Bassel Rachid
Grégoire Pineau
felipedamin
Karl Horky
Yue JIN
Usman Ali Siddiqui
WD
Günther Foidl
Stephen Jennings
C.T.Lin
mia-z
Parth Banathia
parth0105pluang
Marco Weber
Luca Pizzini
Willian Agostini
Huyen Nguyen
eslint/eslint (eslint)
v10.3.0
Features
379571a feat: add suggestions for no-unused-private-class-members (#20773) (sethamus)
Bug Fixes
b6ae5cf fix: handle unavailable require cache (#20812) (Simon Podlipsky)
6fb3685 fix: rule suggestions cause continuation in class body (#20787) (Milos Djermanovic)
Documentation
32cc7ab docs: fix typos in docs and comments (#20809) (Tanuj Kanti)
7f47937 docs: Update README (GitHub Actions Bot)
Chores
d32235e ci: use pnpm in eslint-flat-config-utils type integration test (#20826) (Francesco Trotta)
3ffb14e chore: clean up typos in comments and JSDoc (#20821) (Pixel998)
22eb58a chore: add missing continue-on-error to ecosystem-tests.yml (#20818) (Josh Goldberg ✨)
88bf002 ci: bump pnpm/action-setup from 6.0.1 to 6.0.3 (#20815) (dependabot[bot])
97c8c33 chore: update ilshidur/action-discord action to v0.4.0 (#20811) (renovate[bot])
2f58136 chore: pin peter-evans/create-pull-request action to 5f6978f (#20810) (renovate[bot])
77add7f chore: add initial ecosystem plugin tests workflow (#19643) (Josh Goldberg ✨)
4023b55 test: Add unit tests for SuppressionsService.prune() (#20797) (kuldeep kumar)
54080da test: add unit tests for ForkContext (#20778) (kuldeep kumar)
f0e2bcc test: add unit tests for SuppressionsService.suppress() method (#20765) (kuldeep kumar)
a7f0b94 chore: update dependency prettier to v3.8.3 (#20782) (renovate[bot])
7bf93d9 chore: update TypeScript to v6 (#20677) (sethamus)
b42dd72 ci: bump pnpm/action-setup from 6.0.0 to 6.0.1 (#20781) (dependabot[bot])
2b252be test: add unit tests for IdGenerator (#20775) (kuldeep kumar)
v10.2.1
Bug Fixes
14be92b fix: model generator yield resumption paths in code path analysis (#20665) (sethamus)
84a19d2 fix: no-async-promise-executor false positives for shadowed Promise (#20740) (xbinaryx)
af764af fix: clarify language and processor validation errors (#20729) (Pixel998)
e251b89 fix: update eslint (#20715) (renovate[bot])
Documentation
ca92ca0 docs: reuse markdown-it instance for markdown filter (#20768) (Amaresh S M)
57d2ee2 docs: Enable Eleventy incremental mode for watch (#20767) (Amaresh S M)
c1621b9 docs: fix typos in code-path-analyzer.js (#20700) (Ayush Shukla)
1418d52 docs: Update README (GitHub Actions Bot)
39771e6 docs: Update README (GitHub Actions Bot)
71e0469 docs: fix incomplete JSDoc param description in no-shadow rule (#20728) (kuldeep kumar)
22119ce docs: clarify scope of for-direction rule with dead code examples (#20723) (Amaresh S M)
8f3fb77 docs: document meta.docs.dialects (#20718) (Pixel998)
Chores
7ddfea9 chore: update dependency prettier to v3.8.2 (#20770) (renovate[bot])
fac40e1 ci: bump pnpm/action-setup from 5.0.0 to 6.0.0 (#20763) (dependabot[bot])
7246f92 test: add tests for SuppressionsService.load() error handling (#20734) (kuldeep kumar)
4f34b1e chore: update pnpm/action-setup action to v5 (#20762) (renovate[bot])
51080eb test: processor service (#20731) (kuldeep kumar)
e7e1889 chore: remove stale babel-eslint10 fixture and test (#20727) (kuldeep kumar)
4e1a87c test: remove redundant async/await in flat config array tests (#20722) (Pixel998)
066eabb test: add rule metadata coverage for languages and docs.dialects (#20717) (Pixel998)
v10.2.0
Features
586ec2f feat: Add meta.languages support to rules (#20571) (Copilot)
14207de feat: add Temporal to no-obj-calls (#20675) (Pixel998)
bbb2c93 feat: add Temporal to ES2026 globals (#20672) (Pixel998)
Bug Fixes
542cb3e fix: update first-party dependencies (#20714) (Francesco Trotta)
Documentation
a2af743 docs: add language to configuration objects (#20712) (Francesco Trotta)
845f23f docs: Update README (GitHub Actions Bot)
5fbcf59 docs: remove sourceType from ts playground link (#20477) (Tanuj Kanti)
8702a47 docs: Update README (GitHub Actions Bot)
ddeaded docs: Update README (GitHub Actions Bot)
2b44966 docs: add Major Releases section to Manage Releases (#20269) (Milos Djermanovic)
eab65c7 docs: update eslint versions in examples (#20664) (루밀LuMir)
3e4a299 docs: update ESM Dependencies policies with note for own-usage packages (#20660) (Milos Djermanovic)
Chores
8120e30 refactor: extract no unmodified loop condition (#20679) (kuldeep kumar)
46e8469 chore: update dependency markdownlint-cli2 to ^0.22.0 (#20697) (renovate[bot])
01ed3aa test: add unit tests for unicode utilities (#20622) (Manish chaudhary)
811f493 ci: remove --legacy-peer-deps from types integration tests (#20667) (Milos Djermanovic)
6b86fcf chore: update dependency npm-run-all2 to v8 (#20663) (renovate[bot])
632c4f8 chore: add prettier update commit to .git-blame-ignore-revs (#20662) (루밀LuMir)
b0b0f21 chore: update dependency eslint-plugin-regexp to ^3.1.0 (#20659) (Milos Djermanovic)
228a2dd chore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 (#20661) (Milos Djermanovic)
3ab4d7e test: Add tests for eslintrc-style keys (#20645) (kuldeep kumar)
vercel/next.js (eslint-config-next)
v16.2.6
This release contains security fixes for the following advisories:
High:
Moderate:
Low:
v16.2.5
This release contains security fixes for the following advisories:
High:
Moderate:
Low:
v16.2.4
Core Changes
Credits
Huge thanks to @Badbird5907, @lukesandberg, @andrewimm, @sokra, and @mischnic for helping!
v16.2.3
Core Changes
Credits
Huge thanks to @icyJoseph, @sokra, @wbinnssmith, @eps1lon and @ztanner for helping!
v16.2.2
Core Changes
Credits
Huge thanks to @nextjs-bot, @icyJoseph, @ijjk, @gaojude, @wbinnssmith, @lukesandberg, and @bgw for helping!
nodejs/node (node)
v25.9.0: 2026-04-01, Version 25.9.0 (Current), @aduh95
Notable Changes
Test runner module mocking improvements
MockModuleOptions.defaultExport and MockModuleOptions.namedExports have been consolidated into a single option MockModuleOptions.exports to align with user expectations and other test runners.
A default property on MockModuleOptions.exports represents the default export, and own enumerable properties are treated as named exports.
An automated migration is available to update user code:
https://github.com/nodejs/userland-migrations/tree/main/recipes/mock-module-exports
Contributed by sangwook in #61727.
Other notable changes
[312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #61674
[62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708
[d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #62183
[f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #62188
[67b854d407] - (SEMVER-MINOR) repl: remove dependency on node:domain (Matteo Collina) #61227
[966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #62158
[e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #62066
Commits
[312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #61674
[bfff8cb2ab] - (SEMVER-MINOR) benchmark: add benchmarks for experimental stream/iter (James M Snell) #62066
[c721d68502] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #62084
[e2f03c8e92] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #61871
[2fcd07f1ba] - build: support empty libname flags in configure.py (Antoine du Hamel) #62477
[b800c57fce] - build: fix timezone-update path references (Chengzhong Wu) #62280
[7dc5a1e9b4] - build: skip dockit on IBMi (SRAVANI GUNDEPALLI) #62189
[f0eea0f905] - build: fix --node-builtin-modules-path (Filip Skokan) #62115
[62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708
[ac4b485698] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #62485
[d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #62183
[3009980d9d] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #62254
[f5725ca81d] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #62218
[f69ed4bc3f] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #61875
[4d96e53570] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #62169
[93d77719e8] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #62170
[3d2e23a981] - deps: update ada to 3.4.4 (Node.js GitHub Bot) #62414
[176d6d2205] - deps: update timezone to 2026a (Node.js GitHub Bot) #62164
[95c7fc67ba] - deps: update googletest to 2461743 (Node.js GitHub Bot) #62484
[e5e9f2044a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #62382
[905b94266a] - deps: update ngtcp2 to 1.21.0 (Node.js GitHub Bot) #62051
[180c150122] - deps: V8: cherry-pick cf1bce4 (Richard Lau) #62449
[bc265aa003] - deps: upgrade npm to 11.12.1 (npm team) #62448
[f1b28612c4] - deps: V8: cherry-pick b25cd62 (Yagiz Nizipli) #62354
[757719d2af] - deps: disable rust icu compiled_data features (Chengzhong Wu) #62284
[3bdc955b63] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #62256
[a9703d194a] - deps: update googletest to 73a63ea (Node.js GitHub Bot) #61927
[85138935cb] - deps: update merve to 1.2.2 (Node.js GitHub Bot) #62213
[231521e75e] - diagnostics_channel: add diagnostics channels for web locks (Ilyas Shabi) #62123
[0093863664] - doc: deprecate module.register() (DEP0205) (Geoffrey Booth) #62395
[0b96ece6be] - doc: clarify that features cannot be both experimental and deprecated (Antoine du Hamel) #62456
[8d3ea975f5] - doc: fix 'transfered' typo in quic.md (lilianakatrina684-a11y) #62492
[08ff16e0ba] - doc: move sqlite type conversion section to correct level (René) #62482
[61cc747dd8] - doc: add Rafael to last security release steward (Rafael Gonzaga) #62423
[64cfa5a6fa] - doc: use npm-published version of doc-kit (Aviv Keller) #62139
[1020321fb0] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #62206
[9caa7855b2] - doc: fix guaranteed typo (lilianakatrina684-a11y) #62374
[e254f65306] - doc: enhance clarification about the main field (Mowafak Almahaini) #62302
[9e724b53f8] - doc: remove spawn with shell example from bat/cmd section (Kit Dallege) #62243
[7f37c17516] - doc: minor typo fix (Jeff Matson) #62358
[eb0ca98f01] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #62355
[198b6e0932] - doc: deprecate CryptoKey use in node:crypto (Filip Skokan) #62321
[17e5aee6c5] - doc: fix small environment_variables typo (chris) #62279
[193d629895] - doc: test and test-only targets do not run linter (Xavier Stouder) #62120
[4a1f20ec4a] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #62208
[f976c9214d] - doc: clarify that any truthy value of shell is part of DEP0190 (Antoine du Hamel) #62249
[4d83972681] - doc: remove outdated Chrome 66 and ndb references from debugger (Kit Dallege) #62202
[71f2eada5b] - doc: add throwIfNoEntry version history to fs.stat (kovan) #62204
[670c80893b] - doc: add note (and caveat) for mock.module about customization hooks (Jacob Smith) #62075
[2ff5cb13f5] - doc,test: clarify --eval syntax for leading '-' scripts (kovan) #62244
[6c6c9004c4] - esm: fix typo in worker loader hook comment (jakecastelli) #62475
[1cdd23c9f3] - esm: fix source phase identity bug in loadCache eviction (Guy Bedford) #62415
[4f4ff15794] - esm: fix path normalization in finalizeResolution (Antoine du Hamel) #62080
[088167d102] - events: avoid cloning listeners array on every emit (Gürgün Dayıoğlu) #62261
[0250b436ee] - fs: fix cpSync to handle non-ASCII characters (Stefan Stojanovic) #61950
[b67a8fb171] - inspector: add Target.getTargets and extract TargetManager (Kohei) #62487
[ffcc5a5722] - lib: make SubtleCrypto.supports enumerable (Filip Skokan) #62307
[92ef2ad8fa] - lib: prefer primordials in SubtleCrypto (Filip Skokan) #62226
[40a43ac4d0] - module: fix coverage of mocked CJS modules imported from ESM (Marco) #62133
[3ef0a5b90e] - quic: remove CryptoKey support from session keys option (Filip Skokan) #62335
[3c8dd8eb8e] - repl: use vm DONT_CONTEXTIFY context (Chengzhong Wu) #62371
[f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #62188
[e4c164e045] - repl: handle exceptions from async context after close (Anna Henningsen) #62165
[67b854d407] - (SEMVER-MINOR) repl: remove dependency on domain module (Matteo Collina) #61227
[966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #62158
[fe82baf970] - src: improve EC JWK import performance (Filip Skokan) #62396
[d490b171e0] - src: handle null backing store in ArrayBufferViewContents::Read (Mert Can Altin) #62343
[0e4af848bc] - src: convert context_frame field in AsyncWrap to internal field (Anna Henningsen) #62103
[02980b8c8f] - src: enable compilation/linking with OpenSSL 4.0 (Filip Skokan) #62410
[064f7c2fa6] - src: use stack allocation in indexOf latin1 path (Mert Can Altin) #62268
[ede52bc2dc] - src,sqlite: fix filterFunc dangling reference (Edy Silva) #62281
[e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #62066
[03839fb087] - stream: preserve error over AbortError in pipeline (Marco) #62113
[0000d2f011] - stream: replace bind with arrow function for onwrite callback (Ali Hassan) #62087
[3796a73719] - test: update WPT for WebCryptoAPI to 2cb332d (Node.js GitHub Bot) #62483
[ad8309415b] - test: update WPT for url to fc3e651 (Node.js GitHub Bot) #62379
[bed89b037e] - test: wait for reattach before initial break on restart (Yuya Inoue) #62471
[c9ffffcc55] - test: disable flaky WPT Blob test on AIX (James M Snell) #62470
[fd41ef31f6] - (SEMVER-MINOR) test: add tests for experimental stream/iter implementation (James M Snell) #62066
[1b9d8d3eec] - test: avoid flaky run wait in debugger restart test (Yuya Inoue) #62112
[cb08a29d51] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #62238
[abea0af8a9] - test: add WebCrypto Promise.prototype.then pollution regression tests (Filip Skokan) #62226
[47a2132269] - test: update WPT for WebCryptoAPI to 6a1c545 (Node.js GitHub Bot) #62187
[2c63d3006c] - test_runner: add exports option for module mocks (sangwook) #61727
[44ac0e1302] - test_runner: make it compatible with fake timers (Matteo Collina) #59272
[1865691275] - test_runner: set non-zero exit code when suite errors occur (Edy Silva) #62282
[0252b2bab8] - tools: bump picomatch from 4.0.3 to 4.0.4 in /tools/eslint (dependabot[bot]) #62439
[3368155267] - tools: bump yaml from 2.8.2 to 2.8.3 in /tools/doc (dependabot[bot]) #62437
[5e47c359f5] - tools: adopt the --check-for-duplicates NCU flag (Antoine du Hamel) #62478
[4a604e82d0] - tools: bump picomatch in /tools/doc (dependabot[bot]) #62438
[d1a98b4ddb] - tools: bump flatted from 3.4.1 to 3.4.2 in /tools/eslint (dependabot[bot]) #62375
[c32daa1ab4] - tools: bump eslint deps (Huáng Jùnliàng) #62356
[7a2fcc6d41] - tools: do not swallow error in lint-nix workflow (Antoine du Hamel) #62292
[c41a2871b5] - tools: add eslint-plugin-regexp (Huáng Jùnliàng) #62093
[56dfeb06df] - tools: fix timeout errors in lint-nix job (Antoine du Hamel) #62265
[22fc8078e8] - tools: bump flatted from 3.3.3 to 3.4.1 in /tools/eslint (dependabot[bot]) #62255
[409b0663bd] - tools: bump undici from 6.23.0 to 6.24.1 in /tools/doc (dependabot[bot]) #62250
[67c69750f4] - tools: validate all commits that are pushed to main (Antoine du Hamel) #62246
[7d9db8cd21] - tools: keep GN files when updating Merve (Antoine du Hamel) #62167
[6c8fa42ba2] - typings: rationalise TypedArray types (René) #62174
[531c64d04e] - url: enable simdutf for ada (Yagiz Nizipli) #61477
[2000caccde] - util: allow color aliases in styleText (sangwook) #62180
[0aed332ab4] - wasm: support js string constant esm import (Guy Bedford) #62198
[d3fd4a978b] - worker: heap profile optimizations (Ilyas Shabi) #62201
[e992a34a18] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #62325
pnpm/pnpm (pnpm)
v10.33.4: pnpm 10.33.4
Patch Changes
Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.
A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.
Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #11341.
Platinum Sponsors
Gold Sponsors
v10.33.3: pnpm 10.33.3
Patch Changes
@pnpm/exe to v11+ on Intel macOS (darwin-x64), pnpm self-update now transparently switches to the JS-only pnpm package on npm instead of installing @pnpm/exe@v11+ (which doesn't ship a working binary for Intel Macs because of an upstream Node.js SEA bug — see #11423 and nodejs/node#62893). Without this, the self-update would silently leave the user with no working pnpm binary. The new install requires Node.js to be available on PATH; a warning is printed when the swap happens. All other host/version combinations are unchanged.
pnpm self-update (with no version argument) no longer downgrades pnpm when the registry's latest dist-tag points to an older release than the currently active version. Run pnpm self-update latest to force a downgrade #11418.
Platinum Sponsors
Gold Sponsors
v10.33.2: pnpm 10.33.2
Patch Changes
Globally-installed bins no longer fail with ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND when pnpm was installed via the standalone @pnpm/exe binary (e.g. curl -fsSL https://get.pnpm.io/install.sh | sh -) on a system without a separate Node.js installation. Previously, when which('node') failed during pnpm add --global, pnpm fell back to process.execPath, which in @pnpm/exe is the pnpm binary itself — and that path was baked into the generated bin shim, causing the shim to invoke pnpm instead of Node #11291, #4645.
Fix an infinite fork-bomb that could happen when pnpm was installed with one version (e.g. npm install -g pnpm@A) and run inside a project whose package.json selected a different pnpm version via the packageManager field (e.g. pnpm@B), while a pnpm-workspace.yaml also existed at the project root.
The child's environment is now forced to manage-package-manager-versions=false (v10) and pm-on-fail=ignore (v11+), which disables the package-manager-version handling in whichever pnpm runs as the child.
Fixes #11337.
Platinum Sponsors
Gold Sponsors
v10.33.1: pnpm 10.33.1
Patch Changes
packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #11328.
Platinum Sponsors
Gold Sponsors
postcss/postcss (postcss)
v8.5.14
v8.5.13
postcss-scss commend regression.
v8.5.12
opts.unsafeMap to disable checks.
v8.5.11
v8.5.10
</style> in non-bundler cases (by @TharVid).
v8.5.9
facebook/react (react)
v19.2.6: 19.2.6 (May 6th, 2026)
React Server Components
(#36425 by @eps1lon and @unstubbable)
v19.2.5: 19.2.5 (April 8th, 2026)
React Server Components
vitest-dev/vitest (vitest)
v4.1.5
🚀 Experimental Features
instrumenter option - by @BartWaardenburg and @AriPerkkio in #10119 (0e0ff)
🐞 Bug Fixes
vi.defineHelper called as object method - by @hi-ogawa in #10163 (122c2)
agent reporter to minimal - by @sheremet-va in #10157 (663b9)
v4.1.4
🚀 Experimental Features
skipFull if agent detected - by @hi-ogawa in #10018 (53757)
assertion as a public field - by @sheremet-va in #10095 (a120e)
🐞 Bug Fixes
expect(..., message) consistent as error message prefix - by @hi-ogawa and Codex in #10068 (a1b5f)
v4.1.3
🚀 Experimental Features
experimental.preParse flag - by @sheremet-va in #10070 (78273)
browser.locators.exact option - by @sheremet-va in #10013 (48799)
TestAttachment.bodyEncoding - by @hi-ogawa in #9969 (89ca0)
🐞 Bug Fixes
expect.poll interval - by @hi-ogawa and Claude Sonnet 4.6 in #10022 (3f5bf)
@vitest/coverage-v8 and @vitest/coverage-istanbul as optional dependency - by @alan-agius4 in #10025 (146d4)
defineHelper for webkit async stack trace + update playwright 1.59.0 - by @hi-ogawa in #10036 (5a5fa)
JestExtendError.context from verbose error reporting - by @hi-ogawa in #9983 (66751)
vitest - by @hi-ogawa and Codex in #10042 (691d3)
yarnpkg/berry (yarn)
v4.14.1
v4.14.0
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate.