chore(deps): update all non-major dependencies#446
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
9c4e39b to
5bfebea
Compare
5bfebea to
7804f68
Compare
7804f68 to
2d975ff
Compare
2d975ff to
0104ff1
Compare
0104ff1 to
8120e32
Compare
8120e32 to
5ec9f5e
Compare
5ec9f5e to
efcb3b7
Compare
efcb3b7 to
1a61aec
Compare
1a61aec to
cf8e7f8
Compare
cf8e7f8 to
2b13cf8
Compare
6132302 to
360e116
Compare
360e116 to
aa97a8b
Compare
aa97a8b to
714cf9d
Compare
714cf9d to
bdbb60c
Compare
bdbb60c to
9343bf3
Compare
9343bf3 to
fb7fea7
Compare
fb7fea7 to
556aaae
Compare
commit: |
| "@nuxt/image": "^1.11.0", | ||
| "@nuxt/scripts": "workspace:*", | ||
| "@nuxt/ui": "4.0.0", | ||
| "@nuxt/ui": "4.2.1", |
There was a problem hiding this comment.
| "@nuxt/ui": "4.2.1", | |
| "@nuxt/ui": "^4.2.1", |
The @nuxt/ui dependency is pinned to 4.2.1 without a caret, which is inconsistent with all other dependencies in this file that use flexible versioning with the ^ prefix.
View Details
Analysis
Inconsistent version pinning for @nuxt/ui dependency
What fails: docs/package.json line 20 specifies @nuxt/ui as pinned version 4.2.1 (without caret prefix), while all 13 other dependencies use caret versioning (^) for flexible version constraints within the major version.
How to reproduce:
cat docs/package.json | grep -A 15 '"dependencies"'Result: Shows "@nuxt/ui": "4.2.1" (pinned) while all surrounding dependencies have caret prefix:
"@nuxt/content": "^3.8.2""@nuxt/fonts": "^0.12.1""@nuxthq/studio": "^2.2.1"- All other 10 dependencies also use
^prefix
Expected behavior: According to npm semantic versioning, caret versioning allows compatible updates (minor/patch versions) within a major version. The project consistently uses this pattern for all other dependencies, so @nuxt/ui should be ^4.2.1 to match the established convention and allow patch/minor updates like other dependencies.
Root cause: Automated dependency update (Renovate bot commit 0b37709) preserved the previous pinned format when bumping the version from 4.0.0 to 4.2.1, rather than applying the project's standard caret versioning pattern used throughout the file.
| "posthog-js": "^1.0.0" | ||
| "@types/youtube": "^0.1.2", | ||
| "@unhead/vue": "^2.1.2", | ||
| "posthog-js": "^1.321.2" |
There was a problem hiding this comment.
| "posthog-js": "^1.321.2" | |
| "posthog-js": "^1.0.0" |
The posthog-js peer dependency constraint changed from ^1.0.0 to ^1.321.2, which is unusually restrictive and appears unintentional given the patch version bump in devDependencies (1.321.1 → 1.321.2).
View Details
Analysis
Overly restrictive posthog-js peer dependency breaks backward compatibility
What fails: The posthog-js peer dependency constraint in package.json was changed from ^1.0.0 to ^1.321.2 (commit 1536ad2), restricting supported versions to 1.321.2+ and rejecting all prior versions (1.0.0-1.321.1) that would previously install.
How to reproduce:
# User has posthog-js 1.200.0 installed (legitimate version under old ^1.0.0 constraint)
npm install @nuxt/scripts
# After update, npm now rejects this version because 1.200.0 does not satisfy ^1.321.2Result: npm/pnpm install fails with: "posthog-js@1.200.0 not satisfied by ^1.321.2"
Expected: The peer dependency should remain at ^1.0.0 (or similar permissive constraint) since:
- Code only uses
posthog.init()and basic config options (api_host,capture_pageview,disable_session_recording) available since 1.0.0 - The devDependency update was only a patch bump (1.222.0 → 1.321.2), not a major version requiring API changes
- Peer dependencies should be permissive to maximize compatibility
- Semantic versioning guidance indicates patch/minor version updates within the same major version should be backward compatible
This change appears to be an error from automated dependency update tooling (Renovate) that applied the same pinpoint version to both devDependencies and peerDependencies.
|
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
This PR contains the following updates:
^10.0.1→^10.0.3^4.3.0→^4.3.1^4.3.0→^4.3.1^3.58.1→^3.65.2^26.0.1→^26.1.1^0.1.0→^0.3.0v0.0.9-mp→v0.0.9v6.0.1→v6.0.3v10.0.0→v10.4.0^10.6.0→^10.7.0^0.137.0→^0.139.011.9.0→11.12.011.13.0^1.396.2→^1.399.21.399.5(+2)^1.0.0→^1.399.21.399.5(+2)^4.3.0→^4.3.1^4.1.0→^4.2.0^1.6.0→^1.7.0^3.0.0→^3.1.8^4.1.9→^4.1.10^3.3.5→^3.3.7Release Notes
paypal/paypal-js (@paypal/paypal-js)
v10.0.3Compare Source
Patch Changes
4619c74: Adding v6 types for Venmo vault-without-payment (SavePayment)v10.0.2Compare Source
Patch Changes
cfcb985: Add adefaultexport condition to the./sdk-v6subpath so bundlers/tracers (e.g. @vercel/nft) resolve it correctly and don't fall back to the v5 entry.shikijs/shiki (@shikijs/langs)
v4.3.1Compare Source
🚀 Features
typefield forThemedToken- by @ije in #1293 (585b5)View changes on GitHub
Hebilicious/reproduire (Hebilicious/reproduire)
v0.0.9Compare Source
compare changes
actions/checkout (actions/checkout)
v6.0.3Compare Source
v6.0.2Compare Source
actions/stale (actions/stale)
v10.4.0Compare Source
What's Changed
Bug Fix
only-issue-typesvalidation by @trueberryless in #1338Dependency Updates
New Contributors
Full Changelog: actions/stale@v10.3.0...v10.4.0
v10.3.0Compare Source
What's Changed
Bug Fix
Dependency Updates
New Contributors
Full Changelog: actions/stale@v10...v10.3.0
v10.2.0Compare Source
What's Changed
Bug Fix
Dependency Updates
New Contributors
Full Changelog: actions/stale@v10...v10.2.0
v10.1.1Compare Source
What's Changed
Bug Fix
only-issue-typesby @Bibo-Joshi in #1298Improvement
Dependency Upgrades
New Contributors
Full Changelog: actions/stale@v10...v10.1.1
v10.1.0Compare Source
What's Changed
only-issue-typesoption to filter issues by type by @Bibo-Joshi in #1255New Contributors
Full Changelog: actions/stale@v10...v10.1.0
eslint/eslint (eslint)
v10.7.0Compare Source
Features
cf2a9bffeat: add errorClassNames option to preserve-caught-error rule (#21032) (sethamus)f8b873afeat: max-nested-callbacks option for constructor callbacks (#21063) (fnx)557fde8feat: support computedNumber.parseIntmember access inradixrule (#21041) (Pixel)0b4a73bfeat: add suggestions to no-compare-neg-zero (#21034) (den$)96cdd42feat: report invalid signed numeric radix values inradixrule (#21030) (Pixel)Bug Fixes
3e7bf15fix: applyignoreClassesWithImplementsto class expressions (#21069) (Pixel)0d7d70cfix: insert cause outside wrapping parens in preserve-caught-error (#21062) (Mahin Anowar)75ec753fix: handle static template literals ineqeqeqrule (#21058) (Pixel)b717a22fix: preventeqeqeqnull option from reporting non-equality operators (#21057) (Pixel)e35b05ffix: avoidno-invalid-regexpfalse positive for shadowed RegExp (#21051) (Pixel)a3172b6fix: avoidno-control-regexfalse positive for shadowed RegExp (#21050) (Pixel)d1f637efix: parenthesize sequence expression operands in no-implicit-coercion (#21045) (spokodev)8859baffix: avoid prefer-numeric-literals false positive for shadowed globals (#21047) (한국)a9e5961fix: use-isnan false positive on shadowed NaN/Number (#20958) (sethamus)8a240a7fix: avoid false positives inradixrule for spread arguments (#21044) (Pixel)Documentation
c30d808docs: Update README (GitHub Actions Bot)5139800docs: document ESLint migration codemods in v9 and v10 guides (#20980) (Alex Bit)04174cbdocs: Update README (GitHub Actions Bot)026e130docs: update semver policy for bug fixes (#21048) (Milos Djermanovic)9d42fefdocs: Update README (GitHub Actions Bot)b230159docs: Update README (GitHub Actions Bot)0129972docs: correct**/.jsglob to**/*.jsin config files guide (#21036) (EduardF1)Chores
9489379chore: update dependency @eslint/eslintrc to ^3.3.6 (#21076) (renovate[bot])81a4774chore: updates for v9.39.5 release (Jenkins)9835414chore: enable$ExpectTypeannotations in all TypeScript files (#21071) (Francesco Trotta)72adf6bchore: restrictmarkdownlint-cli2updates in renovate (#21067) (lumir)833ec10chore: update dependency prettier to v3.9.4 (#21061) (renovate[bot])7ea106dchore: update ecosystem plugins (#21059) (ESLint Bot)8fb550echore: add prettier update commit to.git-blame-ignore-revs(#21056) (lumir)e4e1166chore: update dependency prettier to v3.9.1 (#21055) (renovate[bot])0493f53chore: update prettier to v3.9.0 (#21054) (Pixel)1056a99chore: update dependency prettier to v3.8.5 (#21049) (renovate[bot])4d4155dci: run ecosystem tests on pull requests (#21027) (sethamus)993539fchore: update dependency @eslint/json to ^2.0.1 (#21042) (renovate[bot])53f8b69test: add error locations tono-constant-binary-expression(#21039) (lumir)5ab71d5refactor: clean up radix rule internals (#21015) (Pixel)a80a9a4chore: update ecosystem plugins (#21035) (ESLint Bot)7c9a029ci: add Node.js 26 to CI (#20847) (lumir)oxc-project/oxc (oxc-parser)
v0.138.0🛡️ Security
3cdd18fdeps: Update npm packages (#23690) (renovate[bot])pnpm/pnpm (pnpm)
v11.12.0Compare Source
Minor Changes
a897ef7: Custom fetchers exported from a pnpmfile can now delegate by returning a{ delegate: <resolution> }envelope: pnpm rewrites the package's resolution to the delegated shape and runs the built-in fetcher on it. This is the portable delegation form that also works in pacquet, wherecafsandfetcherscannot be passed to the hook. Related to pnpm/pnpm#11685.Patch Changes
2b02764: The changed-packages filter (--filter "...[<since>]") no longer allows an option-like<since>value (such as--output=<path>) to be interpreted as a git option — git now rejects it as a bad revision. The repository root is also resolved to the nearest.gitentry, so the filter works in a git worktree checked out inside another repository's tree.43711ce:pnpm outdatedno longer checks the registry for dependencies that are resolved from locallink:,file:, orworkspace:references in the lockfile #12827.3c6718b: Fixed a deadlock in peer dependency resolution:pnpm installhung forever when a peer dependency cycle spanned a project's own dependencies and auto-installed peer providers, for example when installingelectron-builder@26.15.3#12921.252f15e: Fixed peer dependency auto-install picking a version the peer range rejects. In a workspace with several projects, a package declaring a peer dependency with a semver range (for example^1.0.0) could get the highest version found anywhere in the workspace (for example a2.0.0resolved for another project) instead of a version that satisfies the range. Peers are now deduplicated onto the highest preferred version that satisfies the declared range, and when none does, the range is resolved from the registry.Also fixed re-resolving with an existing lockfile hoisting a different peer version than a fresh install of the same manifest: root dependencies reused from the lockfile were invisible to peer hoisting, so a peer that a root dependency provides could be bound to another version.
a38adda:pnpm self-update <version>now installs the requested pnpm version when it matches the currently running version but is missing from the global self-update directory.6a85968:pnpm stage listnow stops paginating after a fail-safe cap of 1000 pages, so a misbehaving registry cannot keep the command looping forever.eee7c9a:verify-deps-before-runno longer spawns apnpm installwhen pnpm is executed in a directory that has nopackage.json. A mistyped command run outside a project (for examplepnpm witch 10 login) used to crash with a confusing error from the spawned install; now it fails with the regular "no package.json found" error.v11.11.0Compare Source
Minor Changes
508b8c2: Added thepnpm accesscommand for managing package access and visibility on the registry, supporting listing packages and collaborators, getting and setting package status and MFA requirements, and granting or revoking team access.Patch Changes
c70e33e: AllowallowBuildsentries for git-hosted packages to match by repository URL without pinning the resolved commit hash. This lets trusted git repositories keep running their build scripts after branch updates without approving each new commit, while package-name-only rules still do not approve git-hosted artifacts.3067e4f: Reduced peak memory usage during cold-cache dependency resolution. The metadata fetch is memoized for the whole resolution phase, and it was retaining each package's raw registry response body (used only to mirror the response to disk) for that entire time. The memoized cache now holds a body-less copy, so the raw body only lives as long as the call that writes the disk mirror. On large graphs that fetch full metadata (e.g. withminimumReleaseAgeortrustPolicyenabled) this cuts peak RSS by roughly 30%, back in line with pnpm 10. The resolved lockfile is unchanged.51300fd: Prevent a craftedpnpm-lock.yamlfrom writing package content outside the virtual store. A dependency path key whose name reconstructs to a path-traversal sequence (e.g.../../../tmp/x@1.0.0) is now rejected by the isolated (virtual-store) linker and the Plug'n'Play resolver map, matching the containment already applied to the hoisted linker. Under the global virtual store, a traversal in the version-derived path segment (e.g. a snapshotversion: "../../x") is now rejected atformatGlobalVirtualStorePath, the single point every global-virtual-store slot path funnels through — closing the same escape in the isolated linker, the resolver's dependency-graph builder, and the config-dependency installer.f8058eb: Reject symlinkedpnpm-lock.yamlfiles when reading or writing the env lockfile document.9318a11: AllowregistriesandnamedRegistriesto be configured in the globalconfig.yamlfile.51300fd: Fixed a path traversal vulnerability where a dependency whose manifestnamewas a scoped path traversal (e.g.@x/../../../<path>) could be written outsidenode_modulesto an attacker-controlled location duringpnpm install, even with--ignore-scripts. The isolated linker now validates the package name before using it as a directory name, matching the existing protection in the hoisted linker.14332f0: Fail instead of silently removing an optional dependency's locked entries frompnpm-lock.yamlwhen the registry cannot resolve it. Previously, when registry metadata lacked a version that the lockfile already pinned (for example, a mirror that had not synced a recent release yet),pnpm installandpnpm dedupesilently dropped the optional dependency's entries — emptying maps such as the platform binaries of@napi-rs/canvas— so the lockfile differed between machines and frozen installs on other hosts had nothing to link #12853.fecfe83: Fixed peer dependency resolution withautoInstallPeerswhen a workspace package depends on a version of a package that a transitive dependency's self-contained closure also provides for itself. The peer providers that are attached to the root project for reuse are no longer peer-resolved a second time in the root context, so packages inside such a closure no longer get their peers bound to the root project's incompatible version #4993.5a4daec:${...}environment-variable placeholders in thehttpProxy,httpsProxy,noProxy,proxy, andnoproxysettings are no longer expanded when these settings come from a project'spnpm-workspace.yaml. They now receive the same protection already applied toregistry,namedRegistries, andpnprServer.d1da02e:pnpm publishno longer prints credentials when the target registry is configured with inlineuser:pass@credentials (e.g.registry=https://user:pass@example.com/). They are now redacted both from the "publishing to registry" line and from the OIDC (trusted publishing) failure messages.dcfc611:pnpm self-updatenow honorstrustPolicy=no-downgrade. It resolves the target pnpm version against full registry metadata, so it refuses to switch to a version whose supply-chain trust evidence is weaker than an earlier-published one, the same way a regular install does.a8ad82d: Register thepnalias in generated shell completion scripts.25bd5c3: Fixed standalone installer downgrades from pnpm v12 to v11.23996e9:pnpm runtime set <name> <version>now validates its arguments: the name must benode,deno, orbun, and the version must not contain a comma. Previously these were interpolated straight into apnpm addselector, where an unsupported name or a comma (e.g.node 22,is-positive) could be misread as a list of packages or a local directory and install unintended packages or bins.v11.10.0Compare Source
Minor Changes
e2e3c81: Added theissuescommand as an alias ofbugs, sopnpm issuesopens the package's bug tracker URL in the browser.8491f8e: Added theprefixcommand which prints the current package prefix directory (or global prefix directory if-g/--globalis used).3425e80: Added an_authsetting for configuring registry authentication as a single structured (URL-keyed) value. It can be set in the global pnpm config (config.yaml) or, for CI, via thepnpm_config__authenvironment variable. The env form sidesteps the GitHub Actions / bash / zsh limitation that broke the existingpnpm_config_//host/:_authToken=…form (env var names containing/,:, or.are silently dropped). Closes #12314.The value is keyed by registry URL so each secret is explicitly bound to the host that may receive it. Registry URL keys must use
httporhttpsand must not include credentials, query strings, or fragments:The equivalent in the global
config.yaml:Within each registry URL,
@means registry-wide/default credentials and package scopes like@orgbind credentials to that scope on the same host. The only supported credential field isauthToken(maps to_authToken/ bearer auth); the deprecatedbasicAuth/username+passwordforms are intentionally not accepted here.Each entry also infers a trusted registry route:
@routes the default registry (andpnpm add <pkg>resolves there), and@orgroutes that scope. Because the credential and destination host arrive in one trusted value, repo-controlledpnpm-workspace.yamlor project.npmrccannot redirect the token to a different host._authis honored only from the env var and the global config — it is ignored in a projectpnpm-workspace.yaml/.npmrc, so repo-controlled config can never supply registry auth. Precedence: CLI flags (--registry,--@​scope:registry) >pnpm_config__auth> globalconfig.yaml_auth>pnpm-workspace.yaml.Both
pnpm_config__auth(lowercase, documented form) andPNPM_CONFIG__AUTH(all-caps, the shell convention some CI runners apply) are honored. If both are set, lowercase wins unless it is empty, in which case uppercase is used. The env var wins over the globalconfig.yaml_authon a conflicting key.tokenHelperis not supported in_auth. Parsing is strict: a malformed value (bad JSON, wrong shape, invalid registry URL or scope, an unsupported credential field) fails fast with an error rather than being silently dropped.Pacquet parity note: the pacquet (Rust) port supports the same single credential field as the TS CLI:
authToken.a33eeec:pnpm self-updateandpackageManagerversion-switching can now install and link pnpm v12 (the Rust port), published with equal content under both thepnpmand@pnpm/exenames on thenext-12dist-tag. Its native binaries ship as@pnpm/exe.<platform>-<arch>packages, which pnpm's built-in installer links directly — no Node.js launcher, so the command pays no Node startup cost. v12 is initialized exactly like@pnpm/exe, including per-platform global-virtual-store hashing. From v12 onward the install converges on the unscopedpnpmpackage (the Rust exe) — even when updating from the SEA@pnpm/exebuild.1dd12bd: When resolving through a pnpr install-accelerator server, pnpm no longer forwards its own upstream registry credentials in the resolve request. Only theAuthorizationheader identifying the caller to pnpr is sent. The pnpr server now selects upstream credentials from its own route policy (operator-configured upstream credential aliases), so private dependencies resolve through a pnpr-managed alias the caller is authorized to use, rather than by sending the client's registry tokens to the server.1e81761: Expose web authenticationauthUrlanddoneUrlin JSON error output when OTP is required in a non-interactive terminal #12724.Patch Changes
2f389d6: Added the Node.js release team's new signing key (Stewart X Addison,655F3B5C1FB3FA8D1A0CA6BDE4A7D232B936D2FD) to the embedded Node.js release keys, so runtimes whoseSHASUMS256.txtis signed by the new releaser verify successfully.acbdb94: Fixed shell tab completion not suggesting workspaces after the-Falias for--filteroption.dcabb78: Fixedpnpm up -r <pkg>bumping unrelated packages that have open semver ranges. Previously, any update mutation nullified the lockfile-derivedpreferredVersionsglobally, so packages with^x.y.zranges could re-resolve to newer compatible versions even though the user only asked to update a specific package. The install layer now always seedspreferredVersionsfrom the lockfile, and caller-supplied preferred versions (such as the vulnerability penalties ofpnpm audit --fix) layer on top of the seed instead of replacing it. The targeted package still bumps: the per-resolveupdateRequestedflag makes the resolver ignore the target's own lockfile pins.Closes #10662.
d539172: Fixed pnpm pack and pnpm publish failing when prepack generates files that are included in the package and postpack cleans them up.be6505a: Hardened global package management:node.exeflavor of a bin, so a stalenode.exeno longer survives onPATHafter uninstall, and a new global install no longer silently overwrites an existingnode.exe.pnpm add -g pnpm@<version>(and@pnpm/exe@<version>) is now rejected like the barepnpmform, pointing topnpm self-update.node_modulespaths, preventing a tampered manifest from escaping the install directory.25c7388: pnpm now rejectsjsr:specifiers whose package name is not a valid npm package name — an empty scope or name (e.g.jsr:@​scope/), path separators inside the name, or any other shapevalidate-npm-package-namerejects — withERR_PNPM_INVALID_JSR_PACKAGE_NAMEinstead of silently converting them into a malformed@jsr/...npm package name.25c7388: pnpm now rejects named-registry specifiers (e.g.gh:) whose package name is not a valid npm package name — an empty scope (e.g.gh:@​/bar), path separators inside the name (e.g.gh:@​scope/../name), or any other shapevalidate-npm-package-namerejects — withERR_PNPM_INVALID_NAMED_REGISTRY_PACKAGE_NAMEinstead of passing the name through to registry URLs and metadata cache file paths.96da7c5: node-gyp'sgyp_main.pyandgypentrypoints are now packed with the executable bit in thepnpmand@pnpm/exetarballs. Without it, building native addons from source could fail with a permission error.99982b9: Sped up resolution and reduced memory use against registries that ignore npm's abbreviated metadata format and always return the full package document (for example, Azure DevOps Artifacts). pnpm now strips such documents down to the abbreviated field set before caching them. Resolution output is unchanged, and registries that honor the abbreviated format (such as the npm registry) pay no extra cost.11a7fdd: Sped up offline and--prefer-offlineresolution on large workspaces (e.g.pnpm dedupe --offline,pnpm install --offline). Package metadata loaded from the local cache is now kept in memory, so each package's metadata is parsed once per command instead of once per dependent that references it.2c7369d:pnpm pack-appnow rejects--entry/pnpm.app.entryand--output-dir/pnpm.app.outputDirvalues that are absolute paths or escape the project directory via..(or a symlink that resolves outside it), and refuses to write the produced executable when its target path already exists as a symlink (or other non-regular file). This prevents a repository-controlledpackage.jsonfrom embedding host files (such as an SSH key) into the produced executable, writing build artifacts outside the project, or overwriting an arbitrary file through a committed symlink. The new error codes areERR_PNPM_PACK_APP_ENTRY_OUTSIDE_PROJECT,ERR_PNPM_PACK_APP_OUTPUT_DIR_OUTSIDE_PROJECT, andERR_PNPM_PACK_APP_OUTPUT_FILE_NOT_REGULAR.When ad-hoc signing macOS targets,
pnpm pack-appnow runs the systemcodesignby absolute path and resolvesldidto a location outside the project, so a repository-controllednode_modules/.binonPATHcannot hijack the signer.ce5d5a5: Relative paths inpatchedDependenciesare now resolved against the lockfile directory when computing patch file hashes, so runningpnpm installfrom a subdirectory no longer fails withENOENTlooking for the patch file in the wrong location #12762.ebb4096:pnpm peersno longer reports a conflict for a missing peer dependency that is ignored viapnpm.peerDependencyRules.ignoreMissing.dcabb78: Fixed a prototype-pollution hazard when seeding preferred versions: a dependency named__proto__in a manifest or inpnpm-lock.yamlcould write throughObject.prototype(or crash the install) while the preferred-versions map was being built. The maps are now null-prototype objects, so crafted package names land as plain keys.f38e696: Hardenedpnpm deploy --forceso it refuses unsafe deploy targets such as workspace roots, parent directories, out-of-workspace paths, and symlinked target parents.806c3ec: pnpm no longer warns about ignored project-level auth settings whenPNPM_CONFIG_NPMRC_AUTH_FILEpoints at the project.npmrc— setting it to that file is an explicit opt-in to trusting it, so auth env variables in it are expanded pnpm/pnpm#12480.991405e: Restore differential rendering (ansi-diff) to fix duplicated output lines introduced by #12351.c121235: Fixed the topological order of--filtered commands (pnpm run,pnpm exec,pnpm publish,pnpm pack,pnpm rebuild) when the selected projects depend on each other only transitively through projects that were not selected. Previously such selected projects could run concurrently or in the wrong order; now a project always runs after the selected projects it transitively depends on, while projects without a real dependency relationship still run concurrently. This now also holds for prod-only filters (--filter-prod), which resolve order through the production dependency graph so transitive production dependencies are respected without pulling back the dev dependencies the filter drops, and for selections that mix--filterwith--filter-prod#8335.d539172:pnpm packandpnpm publishno longer follow a symlinked workspaceLICENSEfile when injecting it into a package that has no license of its own. Following the symlink could pack bytes from outside the workspace into the published tarball.dcabb78: Fixedpnpm up <pkg>producing a different result than a fresh install of the same manifests would. The resolver now distinguishesupdateRequested(true only for packages that match the user's update target) from the broaderupdateflag, and for the targeted package ignores only its own lockfile-derived preferred-version pins — so the target re-resolves exactly as if its lockfile entries were deleted andpnpm installran. Preferred versions a fresh install applies (manifest pins, versions propagated down the dependency chain, and the vulnerability-avoidance penalties ofpnpm audit --fix) stay in effect, so an update never installs duplicate versions that a reinstall from scratch would not reproduce. When a preferred version holds the update target below the newest version its range admits, pnpm now prints a warning explaining that reaching the newer version everywhere requires an override.dcabb78:pnpm update <dep>@​<version>now prints a warning when<dep>is only present as a transitive dependency: the requested version cannot be applied there (updates resolve the target the way a fresh install would), and the warning recommends adding the version topnpm.overridesinstead, which is the mechanism that does pin transitive dependencies. Closes #12744.a6c4d5f: When a dependency cannot be found in the registry (404) or the registry has no matching version, and a workspace project with the same name exists only at non-matching versions, the error now reports the available workspace versions (ERR_PNPM_NO_MATCHING_VERSION_INSIDE_WORKSPACE) instead of the raw registry failure pnpm/pnpm#1379. Other registry failures (authorization, network, server errors) still propagate unchanged. The pacquet (Rust) resolver applies the same behavior.PostHog/posthog-js (posthog-js)
v1.399.2Compare Source
1.399.2
Patch Changes
f630394Thanks @posthog! - Fix aRangeError: Maximum call stack size exceededoriginating from the shared rrwebpatch()helper. It patches shared globals such asElement.prototype.attachShadow(shadow-dom-manager) and the DOM/canvas observers, so multiple recorder instances or repeated start/stop cycles wrap the same global more than once. Previously an out-of-order restore silently no-op'd, leaving the wrapper in the call path; repeated cycles grew the wrapper chain without bound until a real call walked a chain deep enough to overflow the stack. Wrappers now delegate through a mutable per-layer link so any layer can be torn down even when newer wrappers sit on top of it, keeping the chain bounded. Recording behavior is unchanged. This applies the same fix as #4063 (fetch/XHR) to the shared helper so every rrweb-record caller inherits the bounded-chain behavior.(2026-07-10)
v1.399.1Compare Source
v1.399.0Compare Source
1.399.0
Minor Changes
#4115
86bb3a5Thanks @DanielVisca! - add the posthog.metrics API (count, gauge, histogram) — alphaA statsd-style pre-aggregating metrics client for the PostHog Metrics product (alpha). Samples are folded into per-series aggregates in memory (counts sum, gauges keep the last value, histograms accumulate buckets) and flushed periodically as OTLP/JSON to
/i/v1/metrics— one data point per series per flush window, no matter how many calls. No OpenTelemetry SDK setup required:Configure via
metrics: { serviceName, environment, flushIntervalMs, maxSeriesPerFlush, beforeSend, ... }. (2026-07-08)Patch Changes
86bb3a5]:v1.398.7Compare Source
1.398.7
Patch Changes
#4113
45f17eeThanks @TueHaulund! - fix session replay leaking a shadow-root observer when a same-origin iframe is removedFollow-up to the shadow-observer iframe-teardown fix:
takeFullSnapshot'sonSerializeregisters every shadow root with the top-level document, so a root nested in a same-origin iframe was keyed to the wrong document and its observer/buffer were not disconnected when that iframe was removed (they lingered until the next full snapshot).addShadowRootnow derives the owning document from the host element, so per-document tConfiguration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.