Skip to content

chore(deps): update all non-major dependencies#164

Open
renovate[bot] wants to merge 4 commits into
mainfrom
renovate/all-minor-patch
Open

chore(deps): update all non-major dependencies#164
renovate[bot] wants to merge 4 commits into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Jun 15, 2026
edited by coderabbitai Bot
Loading

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence Type Update
@changesets/cli (source) ^2.29.8^2.31.0 age confidence devDependencies minor
@codspeed/vitest-plugin (source) ^5.0.1^5.5.0 age confidence devDependencies minor
@faker-js/faker (source) ^10.2.0^10.4.0 age confidence devDependencies minor
CodSpeedHQ/action v4.15.1v4.17.5 age confidence action minor
actions/checkout v6.0.2v6.0.3 age confidence action patch
autofix-ci/action v1.3.2v1.3.4 age confidence action patch
changesets/action v1.8.0v1.9.0 age confidence action minor
eslint (source) ^9.39.2^9.39.4 age confidence devDependencies patch
eslint-plugin-unused-imports ^4.3.0^4.4.1 age confidence devDependencies minor
happy-dom ^20.1.0^20.10.4 age confidence devDependencies minor
knip (source) ^5.80.2^5.88.1 age confidence devDependencies minor
nx (source) ^22.3.3^22.7.5 age confidence devDependencies minor
pnpm (source) 11.1.111.7.0 age confidence packageManager minor
pnpm (source) >=11.0.0>=11.7.0 age confidence engines minor
prettier (source) ^3.7.4^3.8.4 age confidence devDependencies patch
prettier-plugin-svelte ^3.4.1^3.5.2 age confidence devDependencies minor
semver ^7.7.4^7.8.4 age confidence dependencies minor
sherif ^1.9.0^1.11.1 age confidence devDependencies minor
tinyglobby (source) ^0.2.15^0.2.17 age confidence devDependencies patch
tsdown (source) ^0.19.0^0.22.2 age confidence devDependencies minor
verdaccio (source) ^6.3.2^6.7.2 age confidence devDependencies minor
vitest (source) ^4.0.17^4.1.9 age confidence devDependencies minor
yaml (source) 2.8.32.9.0 age confidence dependencies minor
yaml (source) 2.8.32.9.0 age confidence devDependencies minor
zizmorcore/zizmor-action v0.5.3v0.5.6 age confidence action patch

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

changesets/changesets (@​changesets/cli)

v2.31.0

Compare Source

Minor Changes

  • #​1889 96ca062 Thanks @​mixelburg! - Error on unsupported flags for individual CLI commands and print the matching command usage to make mistakes easier to spot.

  • #​1873 42943b7 Thanks @​mixelburg! - Respond to --help on all subcommands. Previously, --help was only handled when it was the sole argument; passing it alongside a subcommand (e.g. changeset version --help) would silently execute the command instead. Now --help always exits early and prints per-command usage when a known subcommand is provided, or the general help text otherwise.

Patch Changes

v2.30.0

Compare Source

CodSpeedHQ/codspeed-node (@​codspeed/vitest-plugin)

v5.5.0

Compare Source

Highlights

We are introducing @codspeed/playwright, for walltime benchmarking and profiling of end to end browser applications through playwright.

Here's an example usage, but head to the docs for more information

import { bench, type Page } from "@​codspeed/playwright-plugin";
import electronExecutable from "electron";
import path from "node:path";
import { fileURLToPath } from "node:url";

const __dirname = path.dirname(fileURLToPath(import.meta.url));
const appRoot = path.resolve(__dirname, "..");

async function waitUntilSettled(page: Page): Promise<void> {
  await page.waitForFunction(() => {
    const main = document.getElementById("main");
    return !!main && !main.classList.contains("loading");
  });
}

await bench(
  "inbox-search-archive-threads",
  async ({ page }) => {
    await page.fill("#search", "update");
    await waitUntilSettled(page);

    await page.click("#select-visible-btn");
    await page.click("#archive-btn");
    await waitUntilSettled(page);

    await page.click('#sidebar nav button[data-view="threads"]');
    await waitUntilSettled(page);
  },
  {
    target: {
      kind: "electron",
      appPath: path.join(appRoot, "out/main/index.js"),
      cwd: appRoot,
    },
    beforeRound: async ({ page }) => {
      page.setDefaultTimeout(180_000);
      await page.waitForSelector("#main");
      await waitUntilSettled(page);
    },
  },
);

Note: this plugin is only compatible with the walltime instrument.

What's Changed

Full Changelog: CodSpeedHQ/codspeed-node@v5.4.0...v5.5.0

v5.4.0

Compare Source

What's Changed

This release adds first support for macOS walltime.

Please note that profiling and other instruments are not yet available on macOS and will come in a later update.

Full Changelog: CodSpeedHQ/codspeed-node@v5.3.0...v5.4.0

v5.3.0

Compare Source

What's Changed

We now collect buildtime and runtime environment data to warn users about differences in their runtime environment when comparing two runs against one another.

This data includes toolchain metadata like version and build options, as well as a list of dynamically loaded linked libraries.

Full Changelog: CodSpeedHQ/codspeed-node@v5.2.0...v5.3.0

faker-js/faker (@​faker-js/faker)

v10.4.0

Compare Source

New Locales
Features
Changed Locales
  • locale: filter and cleanup PersonEntryDefintions data (#​3266) (67defc8)
Bug Fixes
  • locales: correct typos and capitalization in es_MX street names (#​3737) (2b32c28)

v10.3.0

Compare Source

New Locales
Features
Changed Locales
Bug Fixes
CodSpeedHQ/action (CodSpeedHQ/action)

v4.17.5

Compare Source

Release Notes

This release bundles all runner changes from 4.17.1 through 4.17.5.

🚀 Features
🐛 Bug Fixes
💼 Other
🏗️ Refactor
⚙️ Internals

Install codspeed-runner 4.17.5

Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CodSpeedHQ/codspeed/releases/download/v4.17.5/codspeed-runner-installer.sh | sh

Download codspeed-runner 4.17.5

File Platform Checksum
codspeed-runner-aarch64-apple-darwin.tar.gz Apple Silicon macOS checksum
codspeed-runner-aarch64-unknown-linux-musl.tar.gz ARM64 MUSL Linux checksum
codspeed-runner-x86_64-unknown-linux-musl.tar.gz x64 MUSL Linux checksum

Full Runner Changelog: https://github.com/CodSpeedHQ/codspeed/blob/main/CHANGELOG.md

Full Changelog: CodSpeedHQ/action@v4.17.0...v4.17.5

v4.17.0

Compare Source

Release Notes

🚀 Features
🐛 Bug Fixes
💼 Other
🏗️ Refactor
🧪 Testing
⚙️ Internals

Install codspeed-runner 4.17.0

Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CodSpeedHQ/codspeed/releases/download/v4.17.0/codspeed-runner-installer.sh | sh

Download codspeed-runner 4.17.0

File Platform Checksum
codspeed-runner-aarch64-apple-darwin.tar.gz Apple Silicon macOS checksum
codspeed-runner-aarch64-unknown-linux-musl.tar.gz ARM64 MUSL Linux checksum
codspeed-runner-x86_64-unknown-linux-musl.tar.gz x64 MUSL Linux checksum

Full Runner Changelog: https://github.com/CodSpeedHQ/codspeed/blob/main/CHANGELOG.md

Full Changelog: CodSpeedHQ/action@v4.15.1...v4.17.0

actions/checkout (actions/checkout)

v6.0.3

Compare Source

autofix-ci/action (autofix-ci/action)

v1.3.4: autofix-ci/action 1.3.4

Compare Source

What's Changed

  • Update action to use Node 24

Full Changelog: autofix-ci/action@v1...v1.3.4

v1.3.3: autofix-ci/action 1.3.3

Compare Source

What's Changed

  • Move Autofix API from .ci to .com TLD.
    This aims to improve overall reliability (#​32). api.autofix.ci will remain available as an alias for the time being.

Full Changelog: autofix-ci/action@v1.3.2...v1.3.3

changesets/action (changesets/action)

v1.9.0

Compare Source

Minor Changes
Patch Changes

  • #​535 34f64f6 Thanks @​Andarist! - Fixed an issue with GitHub releases not being created for successfully published packages when some packages failed to be published to the registry.

  • #​632 1d54b9e Thanks @​bluwy! - Simplify internal implementation to get changelog entries for a package version

  • #​629 e0c90aa Thanks @​bluwy! - Fix custom version and publish command argument parsing

  • #​645 f9585d9 Thanks @​Andarist! - Improved force-push handling when using commitMode: "github-api" so updating an existing branch no longer temporarily resets the target branch to the base commit, avoiding cases where GitHub closes open pull requests during the update. This should remove a possibility of a GitHub state race that caused the force-pushed PRs not being reopened.

sweepline/eslint-plugin-unused-imports (eslint-plugin-unused-imports)

v4.4.1

Compare Source

No significant changes

    View changes on GitHub
capricorn86/happy-dom (happy-dom)

v20.10.4

Compare Source

v20.10.3

Compare Source

v20.10.2

Compare Source

👷‍♂️ Patch fixes

v20.10.1

Compare Source

v20.10.0

Compare Source

v20.9.0

Compare Source

🎨 Features
  • Adds support for event listener properties on Window (e.g. Window.onkeydown) - By @​capricorn86 in task #​2131

v20.8.9

Compare Source

👷‍♂️ Patch fixes
  • Fixes issue where cookies from the current origin was being forwarded to the target origin in fetch requests - By @​capricorn86 in task #​2117

v20.8.8

Compare Source

👷‍♂️ Patch fixes
  • Fixes issue where export names can be interpolated as executable code in ESM - By @​capricorn86 in task #​2113
    • A security advisory (GHSA-6q6h-j7hj-3r64) has been reported that shows a security vulnerability where it may be possible to escape the VM context and get access to process level functionality in unsafe environments using CommonJS. Big thanks to @​tndud042713 for reporting this!

v20.8.7

Compare Source

👷‍♂️ Patch fixes
  • Replace implementing Node.js Console with common IConsole interface to support latest version of Bun - By @​YevheniiKotyrlo in task #​1845

v20.8.6

Compare Source

👷‍♂️ Patch fixes

v20.8.5

Compare Source

👷‍♂️ Patch fixes

v20.8.4

Compare Source

v20.8.3

Compare Source

👷‍♂️ Patch fixes

v20.8.2

Compare Source

👷‍♂️ Patch fixes
  • Resets Event.cancelBubble and Event.defaultPrevented when calling Event.initEvent() - By @​capricorn86 in task #​2090

v20.8.1

Compare Source

👷‍♂️ Patch fixes

v20.8.0

Compare Source

v20.7.2

Compare Source

👷‍♂️ Patch fixes
  • Properly decode CSS escape sequences in attribute selector values - By @​silverwind

v20.7.1

Compare Source

v20.7.0

Compare Source

🎨 Features

v20.6.5

Compare Source

👷‍♂️ Patch fixes

v20.6.4

Compare Source

👷‍♂️ Patch fixes

v20.6.3

Compare Source

👷‍♂️ Patch fixes
  • Refactors query selector parser to be able to handle complex rules - By @​capricorn86 in task #​1910
  • Fixes issue related to using query selector for attribute in XML document - By @​capricorn86 in task #​1912
  • Fixes issue with using quotes within quotes for attribute query selector (e.g. [data-value="it's a test"]) - By @​capricorn86 in task #​2034

v20.6.2

Compare Source

👷‍♂️ Patch fixes
  • Update entities package version to resolve missing export for vue and vue-compat v3.5 - By @​acollins1991 in task #​2066

v20.6.1

Compare Source

v20.6.0

Compare Source

v20.5.5

Compare Source

v20.5.4

Compare Source

👷‍♂️ Patch fixes

v20.5.3

Compare Source

v20.5.2

Compare Source

v20.5.1

Compare Source

v20.5.0

Compare Source

v20.4.0

Compare Source

🎨 Features
  • Adds support for caching the compiled code of EcmaScript modules - By @​capricorn86 in task #​2049
  • Improves the way nodes are

Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Summary by CodeRabbit

  • Chores

    • Updated GitHub Actions workflow dependencies across multiple workflow files.
    • Bumped development and runtime package dependencies to newer versions.
    • Updated package manager version constraint and configuration overrides.
    • Removed deprecated Prettier plugin configuration.

  • Refactor

    • Simplified internal type definitions and reduced public API surface.

@renovate renovate Bot requested a review from a team as a code owner June 15, 2026 03:24
@renovate

renovate Bot commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
Scope: all 3 workspace projects
? Verifying lockfile against supply-chain policies (965 entries)...
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 12, reused 0, downloaded 0, added 0
Progress: resolved 18, reused 0, downloaded 0, added 0
Progress: resolved 19, reused 0, downloaded 0, added 0
Progress: resolved 20, reused 0, downloaded 0, added 0
Progress: resolved 22, reused 0, downloaded 0, added 0
Progress: resolved 24, reused 0, downloaded 0, added 0
[WARN] Request took 10967ms: https://registry.npmjs.org/@typescript-eslint%2Ftypes
[WARN] Request took 11420ms: https://registry.npmjs.org/@typescript-eslint%2Fvisitor-keys
[WARN] Request took 11882ms: https://registry.npmjs.org/@typescript-eslint%2Fscope-manager
[WARN] Request took 13454ms: https://registry.npmjs.org/@typescript-eslint%2Fparser
[WARN] Request took 17558ms: https://registry.npmjs.org/@types%2Fnode
Progress: resolved 25, reused 0, downloaded 0, added 0
[WARN] Request took 14060ms: https://registry.npmjs.org/@typescript-eslint%2Ftypescript-estree
[WARN] Request took 14349ms: https://registry.npmjs.org/@typescript-eslint%2Feslint-plugin
[WARN] Request took 18563ms: https://registry.npmjs.org/nx
Progress: resolved 26, reused 0, downloaded 0, added 0
[WARN] Request took 11668ms: https://registry.npmjs.org/@types%2Fnode
[WARN] Request took 20374ms: https://registry.npmjs.org/typescript
Progress: resolved 27, reused 0, downloaded 0, added 0
Progress: resolved 112, reused 0, downloaded 0, added 0
Progress: resolved 240, reused 0, downloaded 0, added 0
Progress: resolved 286, reused 0, downloaded 0, added 0
[WARN] Request took 11398ms: https://registry.npmjs.org/@typescript-eslint%2Futils
Progress: resolved 298, reused 0, downloaded 0, added 0
Progress: resolved 305, reused 0, downloaded 0, added 0
[WARN] Request took 11373ms: https://registry.npmjs.org/@typescript-eslint%2Fvisitor-keys
Progress: resolved 353, reused 0, downloaded 1, added 0
[WARN] Request took 12441ms: https://registry.npmjs.org/@typescript-eslint%2Ftypes
Progress: resolved 384, reused 0, downloaded 1, added 0
Progress: resolved 506, reused 0, downloaded 1, added 0
[WARN] Request took 13544ms: https://registry.npmjs.org/@typescript-eslint%2Fscope-manager
Progress: resolved 531, reused 0, downloaded 1, added 0
Progress: resolved 545, reused 0, downloaded 1, added 0
[WARN] Request took 13270ms: https://registry.npmjs.org/nx
Progress: resolved 546, reused 0, downloaded 1, added 0
[WARN] Request took 15640ms: https://registry.npmjs.org/@typescript-eslint%2Fparser
[WARN] Request took 15926ms: https://registry.npmjs.org/@typescript-eslint%2Ftypescript-estree
[WARN] Request took 16324ms: https://registry.npmjs.org/@typescript-eslint%2Feslint-plugin
Progress: resolved 547, reused 0, downloaded 1, added 0
Progress: resolved 549, reused 0, downloaded 1, added 0
[WARN] Request took 10243ms: https://registry.npmjs.org/@typescript-eslint%2Feslint-plugin
Progress: resolved 565, reused 0, downloaded 1, added 0
Progress: resolved 744, reused 0, downloaded 2, added 0
Progress: resolved 757, reused 0, downloaded 2, added 0
Progress: resolved 761, reused 0, downloaded 2, added 0
[WARN] Request took 23505ms: https://registry.npmjs.org/vite
✗ Lockfile failed supply-chain policy check (965 entries in 41s)
[ERR_PNPM_TRUST_DOWNGRADE] 2 lockfile entries failed verification:
  pino@9.14.0 High-risk trust downgrade for "pino@9.14.0" (possible package takeover)
  undici-types@6.21.0 High-risk trust downgrade for "undici-types@6.21.0" (possible package takeover)

The lockfile contains entries that the active policies reject. This can mean the lockfile is stale, or that someone committed a lockfile that bypassed the policy locally — inspect recent changes to pnpm-lock.yaml before trusting it. If the changes look expected, run "pnpm clean --lockfile" and then "pnpm install" to rebuild from a fresh resolution. Alternatively, relax the policy that flagged them.

@coderabbitai

coderabbitai Bot commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Routine dependency maintenance across the monorepo: pinned GitHub Actions action versions are bumped, pnpm is updated to v11.7.0, and numerous root and package-level npm dependencies are updated or removed. Svelte-related tooling is dropped. Three internal TypeScript types (SkillSource, IntentFsCacheStats, IntentScanDebugStats) are removed from the public API surface. Workspace overrides pin pino and undici-types.

Changes

Dependency and tooling version updates

Layer / File(s) Summary
GitHub Actions workflow pin updates
.github/workflows/autofix.yml, .github/workflows/benchmarks.yml, .github/workflows/pr.yml, .github/workflows/release.yml, .github/workflows/zizmor.yml		 actions/checkout bumped v6.0.2→v6.0.3 in all five workflows; autofix-ci/action v1.3.2→v1.3.4; CodSpeedHQ/action v4.15.1→v4.17.5; changesets/action v1.8.0→v1.9.0; zizmorcore/zizmor-action v0.5.3→v0.5.6.
npm package and pnpm version updates
package.json, benchmarks/intent/package.json, packages/intent/package.json		 packageManager and engines.pnpm raised to 11.7.0; root devDependencies bumped for eslint, knip, nx, prettier, typescript, vitest, yaml and others; @faker-js/faker, happy-dom, prettier-plugin-svelte removed; clean scripts guarded with agents directory existence check; intent and benchmark package deps updated.
Workspace configuration and Svelte tooling removal
pnpm-workspace.yaml, prettier.config.js, knip.json		 Workspace overrides added for pino@10.3.1 and undici-types@8.4.1; Svelte plugin and parser override removed from Prettier config; knip ignores updated to remove @faker-js/faker, tsx, @verdaccio/node-api and add verdaccio.

Type API surface simplification

Layer / File(s) Summary
Type visibility and consolidation changes
packages/intent/src/core/skill-sources.ts, packages/intent/src/fs-cache.ts, packages/intent/src/core/types.ts		 SkillSource and IntentFsCacheStats de-exported to module-local types; IntentScanDebugStats interface removed and both IntentSkillListDebug.scan and LoadedIntentSkillDebug.scan now use ScanStats directly.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

  • Dependency Dashboard #132: This PR implements the exact dependency and action version updates tracked in that Dependency Dashboard issue, including actions/checkout v6.0.3, autofix-ci/action v1.3.4, pnpm v11.7.0, and removal of prettier-plugin-svelte.

Possibly related PRs

  • TanStack/intent#139: Both PRs modify package.json's engines.pnpm constraint; the prior PR set it to >=11.0.0 and this PR raises it to >=11.7.0.

Suggested reviewers

  • tannerlinsley

🐇 Bumping versions, one by one,
Old Svelte plugins? Their time is done.
Types made private, clean and neat,
Pnpm hops to a newer beat.
Dependency dashboard? Check! ✅
The rabbit keeps the monorepo in spec!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Description check ❓ Inconclusive The PR description is mostly complete with detailed dependency update information, but is missing the required checklist items and release impact assessment from the template. Complete the required sections: confirm testing with 'pnpm run test:pr' and indicate whether a changeset was generated for any code changes affecting published packages.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main purpose of the PR - updating non-major dependencies across the entire project.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renovate/all-minor-patch

Comment @coderabbitai help to get the list of available commands and usage tips.

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 9d66960 to 5c39ba8 Compare June 16, 2026 02:48
@nx-cloud

nx-cloud Bot commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

To disable these notifications, a workspace admin can disable them in workspace settings.

View your CI Pipeline Execution ↗ for commit adbc086

Command Status Duration Result
nx affected --targets=test:eslint,test:sherif,t... ❌ Failed 24s View ↗
nx run-many --targets=build --exclude=examples/** ✅ Succeeded <1s View ↗

☁️ Nx Cloud last updated this comment at 2026-06-16 05:18:08 UTC

@nx-cloud

nx-cloud Bot commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown

View your CI Pipeline Execution ↗ for commit 151885e

Command Status Duration Result
nx run-many --targets=build --exclude=examples/** ✅ Succeeded <1s View ↗

☁️ Nx Cloud last updated this comment at 2026-06-16 04:36:43 UTC

@pkg-pr-new

pkg-pr-new Bot commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/TanStack/intent/@tanstack/intent@164

commit: 5df7a01

@socket-security

socket-security Bot commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednx@​22.7.55910093100100
Addedtinyglobby@​0.2.171001007786100
Addedvitest@​4.1.8981007999100
Addedeslint-plugin-unused-imports@​4.4.11001009084100
Addedyaml@​2.9.010010010088100
Addedtsdown@​0.22.2981008896100
Updatedtypescript@​5.9.3 ⏵ 6.0.3100 +110090 +19590
Addedsherif@​1.11.19910010091100
Added@​changesets/​cli@​2.31.09710010093100
Addedknip@​6.16.1991009596100
Addedsemver@​7.8.410010010095100
Addedprettier@​3.8.4981009795100
Added@​codspeed/​vitest-plugin@​5.5.0971009896100
Addedverdaccio@​6.7.29710010097100

View full report

@socket-security

socket-security Bot commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @verdaccio/ui-theme is 95.0% likely obfuscated

Confidence: 0.95

Location: Package overview

From: pnpm-lock.yamlnpm/verdaccio@6.7.2npm/@verdaccio/ui-theme@9.0.0-next-9.14

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@verdaccio/ui-theme@9.0.0-next-9.14. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm nx is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.jsonnpm/nx@22.7.5

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/nx@22.7.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: npm tmp: Type-confusion bypass of _assertPath allows path traversal via non-string prefix/postfix/template

CVE: GHSA-7c78-jf6q-g5cm tmp: Type-confusion bypass of _assertPath allows path traversal via non-string prefix/postfix/template (HIGH)

Affected versions: >= 0.2.6 < 0.2.7

Patched version: 0.2.7

From: pnpm-lock.yamlnpm/nx@22.7.5npm/tmp@0.2.6

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tmp@0.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@renovate

renovate Bot commented Jun 16, 2026

Copy link
Copy Markdown
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@codspeed-hq

codspeed-hq Bot commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown

Merging this PR will not alter performance

✅ 6 untouched benchmarks

Comparing renovate/all-minor-patch (5df7a01) with main (2676302)

Open in CodSpeed

coderabbitai[bot]
coderabbitai Bot reviewed Jun 16, 2026
View reviewed changes

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@knip.json`:
- Around line 2-3: The $schema field in knip.json references knip@5 but the
installed knip version is 6.16.1. Update the schema URL on line 2 by changing
the version from `@5` to `@6` in the $schema value so that IDE validation and
tooling use the correct configuration schema for the installed version.

In `@package.json`:
- Around line 20-21: The clean and clean:node_modules scripts are checking for
the existence of an agents directory but the actual repository structure uses
packages/agents. Update both scripts to check for the correct directory path.
Change the conditional check from [ -d agents ] to [ -d packages ] and update
the find commands to search within packages/agents (or packages/*) instead of
agents to ensure the cleanup scripts actually execute when the correct directory
structure exists.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5ecc7202-28eb-4c1b-af58-989bc7372ac7

📥 Commits

Reviewing files that changed from the base of the PR and between 5c39ba8 and 151885e.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (11)
  • benchmarks/intent/package.json
  • knip.json
  • nx.json
  • package.json
  • packages/intent/package.json
  • packages/intent/src/core/skill-sources.ts
  • packages/intent/src/core/types.ts
  • packages/intent/src/fs-cache.ts
  • pnpm-workspace.yaml
  • prettier.config.js
  • terminalOutput
💤 Files with no reviewable changes (3)
  • terminalOutput
  • prettier.config.js
  • packages/intent/package.json

Comment thread knip.json Outdated
Comment thread package.json Outdated
@LadyBluenotes LadyBluenotes force-pushed the renovate/all-minor-patch branch 2 times, most recently from adbc086 to 4ae842a Compare June 16, 2026 05:08
@LadyBluenotes LadyBluenotes force-pushed the renovate/all-minor-patch branch from 4ae842a to ab96d69 Compare June 16, 2026 05:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

At least 0 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@LadyBluenotes