Skip to content

Update npm dependencies#783

Merged
renovate[bot] merged 1 commit into
react-rewritefrom
renovate/npm-dependencies
Jun 8, 2026
Merged

Update npm dependencies#783
renovate[bot] merged 1 commit into
react-rewritefrom
renovate/npm-dependencies

Conversation

@renovate

@renovate renovate Bot commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@tanstack/eslint-plugin-query (source) 5.100.145.101.0 age confidence
@tanstack/react-query (source) 5.100.145.101.0 age confidence
@tanstack/react-router (source) 1.170.101.170.15 age confidence
@tanstack/router-plugin (source) 1.168.131.168.18 age confidence
@types/node (source) 25.9.125.9.2 age confidence
@types/react (source) 19.2.1519.2.17 age confidence
axios (source) 1.16.11.17.0 age confidence
eslint-plugin-oxlint 1.67.01.68.0 age confidence
eslint-plugin-react-dom (source) 5.8.75.8.13 age confidence
eslint-plugin-react-jsx (source) 5.8.75.8.13 age confidence
eslint-plugin-react-naming-convention (source) 5.8.75.8.13 age confidence
eslint-plugin-react-x (source) 5.8.75.8.13 age confidence
oxfmt (source) ^0.52.0^0.53.0 age confidence
oxlint (source) 1.67.01.68.0 age confidence
pnpm (source) 11.5.011.5.2 age confidence
react (source) 19.2.619.2.7 age confidence
react-dom (source) 19.2.619.2.7 age confidence
shadcn (source) 4.8.34.10.0 age confidence
typescript-eslint (source) 8.60.08.60.1 age confidence
vite (source) 8.0.148.0.16 age confidence

Release Notes

TanStack/query (@​tanstack/eslint-plugin-query)

v5.101.0

Compare Source

Minor Changes
  • #​10775 dc54932 - no-rest-destructuring now also flags rest destructuring on custom hooks that return a TanStack Query result. Detection uses the TypeScript type checker and runs only when typed linting is enabled, so untyped projects are unaffected. Closes #​8951.
TanStack/query (@​tanstack/react-query)

v5.101.0

Compare Source

Patch Changes
TanStack/router (@​tanstack/react-router)

v1.170.15

Compare Source

Patch Changes

v1.170.14

Compare Source

Patch Changes

v1.170.13

Compare Source

Patch Changes

v1.170.12

Compare Source

Patch Changes

v1.170.11

Compare Source

Patch Changes
TanStack/router (@​tanstack/router-plugin)

v1.168.18

Compare Source

Patch Changes

v1.168.17

Compare Source

Patch Changes

v1.168.16

Compare Source

Patch Changes

v1.168.15

Compare Source

Patch Changes

v1.168.14

Compare Source

Patch Changes
axios/axios (axios)

v1.17.0

Compare Source

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#​10901, #​10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#​10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#​6792, #​10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#​10929, #​10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#​10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#​10898)
  • Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#​10875)
  • Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#​10812)
  • Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#​10891)
  • Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#​10956, #​10952)
  • Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#​10931)

🔧 Maintenance & Chores

  • HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#​10861)
  • Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#​10939)
  • CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#​10907, #​10911, #​10916, #​10927, #​10935, #​10983)
  • Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#​10925, #​10914, #​10958)
  • Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#​10890, #​10889, #​10921, #​10945, #​10905, #​10933, #​10915, #​10887, #​10955)
  • Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#​10871, #​10879, #​10918, #​10919, #​10934, #​10947, #​10954, #​10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

oxc-project/eslint-plugin-oxlint (eslint-plugin-oxlint)

v1.68.0

Compare Source

No significant changes

    View changes on GitHub
Rel1cx/eslint-react (eslint-plugin-react-dom)

v5.8.13

Compare Source

📝 Documentation
  • Added GoogleCloudPlatform/gke-mcp and removed archived antfu/shiki-stream from community projects on the website.
  • Improved RSC Directives wording in documentation.
  • Removed the no-multiple-children-in-title recipe from the website.
  • Removed the kit beta banner from the website (#​1846).
🏗️ Internal
  • Added RuleListener return type to all rule create functions (#​1845).
  • Added boundary and edge case tests for react-dom rules, JSX rules, and naming-convention rules (context-name, id-name, ref-name).
  • Added identifier resolution tests for react-x/no-leaked-conditional-rendering (#​1844).
  • Bumped pnpm and updated lockfile.
  • Bumped tsdown to 0.22.2 and updated dependencies.
  • Removed redundant single-argument merge() calls in rules (#​1843).
  • Switched GitHub workflows to ubuntu-latest.
  • Updated website brand assets and icons.

Full Changelog: Rel1cx/eslint-react@v5.8.12...v5.8.13

v5.8.12

Compare Source

🪄 Improvements
  • jsx: Aligned getChildren with Babel's buildChildren and cleanJSXElementLiteralChild patterns, improving whitespace handling accuracy in react-jsx/no-useless-fragment and react-jsx/no-children-prop rules. Migrated child text cleanup to @eslint-react/jsx utilities and removed local lib.ts helpers. (#​1836)
  • jsx: Removed isPaddingWhitespace API and added whitespace boundary tests for react-jsx/no-useless-fragment and react-dom/no-dangerously-set-innerhtml-with-children rules. (#​1837)
  • jsx: Renamed cleanJSXTextValue to collapseMultilineText in the public API and updated react-jsx/no-useless-fragment to use the new name. (#​1838)
📝 Documentation
  • Website: Expanded the Brand Assets page with an icons section and formatted file names as inline code. (#​1834)
🏗️ Internal
  • Added scripts/generate-website-icons.py for automated icon generation and refined logo geometry across all website assets. (#​1833)
  • Bumped import-integrity-lint and enhanced-resolve.
  • Bumped axios to ^1.17.0 and shiki to 4.2.0.
  • Updated pnpm lockfiles for dompurify and rolldown.
  • Updated rule-level changelogs for no-useless-fragment, no-children-prop, and no-dangerously-set-innerhtml-with-children. (#​1836, #​1837, #​1838)

Full Changelog: Rel1cx/eslint-react@v5.8.11...v5.8.12

v5.8.11

Compare Source

📝 Documentation
  • Added a new Brand Assets page and updated Meta legal name (#​1832).
🏗️ Internal
  • Updated default React fallback version to 19.2.7 (#​1827).
  • Recreated logo with an open-source workflow, removing reliance on SVG assets exported by Amadine (#​1831).
  • Removed @fontsource/iosevka-aile and switched to system font fallbacks.
  • Bumped TypeScript to 6.0.3 (#​1828).
  • Patch bumped @typescript-eslint/* to 8.60.1, react / react-dom to 19.2.7, next to 16.2.7, and @types/react to 19.2.16.

Full Changelog: Rel1cx/eslint-react@v5.8.10...v5.8.11

v5.8.10

Compare Source

🐞 Fixes
  • react-dom/no-unused-class-component-members: Aligned preset details in rule documentation (#​1825).
  • react-dom/no-unsafe-iframe-sandbox, react-x/context-name, react-x/id-name, react-x/ref-name, react-x/no-unnecessary-use-prefix, react-x/no-string-style-prop: Fixed missing or incorrect presets in rule documentation (#​1826).
📝 Documentation
  • naming-convention: Expanded examples and annotated Ok cases for context-name, id-name, and ref-name rules (#​1819).
  • Refactored MyComponent examples to Button component in custom rules of props and function component definition recipes (#​1823).
  • Added azat-io eslint-config to the community presets list.
🏗️ Internal
  • jsx: Consolidated whitespace child predicates and added isEmptyStringExpression to the public API (#​1820).
  • Added preset verification to verify-docs.ts (#​1822).
  • Added AGENTS.md guide for AI coding agents (#​1824).
  • Normalized local package metadata in .pkgs/*.
  • Bumped vite to ^8.0.15 and ansis to ^4.3.1 across workspace packages.
New Contributors

Full Changelog: Rel1cx/eslint-react@v5.8.9...v5.8.10

v5.8.9

Compare Source

🐞 Fixes
  • react-x/no-direct-mutation-state: Detect nested state mutations and member expressions in assignment expressions (#​1818).
📝 Documentation
  • Updated contributing guide and monorepo structure documentation.
🏗️ Internal
  • Removed .vscode directories from all examples, added missing engines.node to Preact examples, cleaned up redundant .config/*.ts from tsconfig.node.json, and updated .gitignore.
  • Cleaned up configs and docs.
  • Patch bumped eslint, tinyglobby, and tsdown across workspace packages; added @fontsource/iosevka-aile to the website; reordered CSS imports in layout.tsx.
  • Updated .sentrux baseline timestamp.

Full Changelog: Rel1cx/eslint-react@v5.8.8...v5.8.9

v5.8.8

Compare Source

📝 Documentation
  • kit: Added is.APICall callout to the Kit documentation (#​1813).
  • jsx: Updated getChildren and hasChildren API documentation to reflect empty string children behavior.
  • Reworked status emoji indicators across docs and examples (#​1816).
  • Added ℞ prefix to recipe titles and cleaned up See Also sections.
  • Removed the custom-rules-of-children recipe and cross-linked the remaining recipes.
  • Added redirects for moved rule documentation.
  • Cleaned up the "Community Maintained Presets that use ESLint React" documentation page.
🏗️ Internal
  • react-x/no-misused-capture-owner-stack: Added edge-case tests for captureOwnerStack (#​1813).
  • Updated fonts and dropped the data-theme attribute.
  • Updated theme configuration (#​1815).
  • Aligned the tsdown version in @local/configs.
  • Enabled trustPolicy: "no-downgrade" and added minimumReleaseAge: 1440 (1 day).
  • Bumped eslint to 10.4.1 across workspace packages.
  • Bumped pnpm to 11.5.0 and refreshed the lockfile.
  • Bumped fumadocs packages and tinyexec.
  • Bumped eslint-plugin-package-json to 1.2.0.
  • Updated dprint plugins and reformatted font families in example projects.
  • Updated Sentrux baseline metrics.
  • Updated .gitignore.

Full Changelog: Rel1cx/eslint-react@v5.8.7...v5.8.8

oxc-project/oxc (oxfmt)

v0.53.0

Compare Source

oxc-project/oxc (oxlint)

v1.68.0

Compare Source

🚀 Features
  • e4b1f46 linter/typescript: Implement method-signature-style rule (#​22679) (Mikhail Baev)
  • bc462ca linter/vue: Implement no-reserved-component-names rule (#​22741) (bab)
  • ef9e751 linter/vue: Implement component-definition-name-casing rule (#​22818) (bab)
  • d67f51a linter/vue: Implement require-prop-type-constructor rule (#​22708) (bab)
  • 8422e8b linter/jsdoc: Implement require-yields-description rule (#​22805) (Mikhail Baev)
  • fe93f97 linter/eslint: Implement prefer-named-capture-group rule (#​22759) (Sebastian Poxhofer)
pnpm/pnpm (pnpm)

v11.5.2

Compare Source

Patch Changes

  • Peer dependency resolution now reuses the peer contexts already recorded in the lockfile when those providers are still present in the dependency graph and still satisfy the peer ranges. This avoids unnecessary peer-context rewrites during lockfile regeneration. Current manifest choices remain authoritative: a newly added, explicitly updated, or aliased direct provider, a changed nested provider, or a locked version that no longer satisfies the range still takes precedence.

  • The lockfile verifier now checks that a registry entry pinning an explicit tarball URL points at the artifact the registry's own metadata lists for that name@version. Previously a tampered lockfile could pair a trusted name@version with an attacker-chosen tarball URL (and a matching integrity for those bytes), so the install fetched the attacker's bytes. A mismatch — or any entry that can't be confirmed against the registry — is rejected with ERR_PNPM_TARBALL_URL_MISMATCH. Non-registry resolutions (file:, git-hosted, etc.) and registry entries without an explicit tarball URL (the URL is reconstructed from name+version+registry, so it is inherently bound) are unaffected; non-standard registry tarball URLs (npm Enterprise, GitHub Packages) still pass because they match the metadata.

  • Fix pnpm update --recursive --lockfile-only <pkg>@&#8203;<version> crashing with Invalid Version when the catalog entry for <pkg> is a version range (e.g. ^21.2.10) and catalogMode is strict or prefer. The catalog–version comparison now skips the equality check when either side is a range rather than passing a range to semver.eq(), so range specifiers fall through to the existing mismatch handling instead of throwing #​11570.

  • Avoided a Node.js crash when pnpm exits after network requests on Windows.

  • Fixed packages being materialized into the virtual store without their root-level files (package.json, LICENSE, README, root entrypoints) when multiple pnpm install processes ran against the same store/workspace concurrently. The fast import path used to destructively empty the shared target directory, so a concurrent importer could wipe files another importer had already written; if the surviving files included the package.json completion marker, every later install treated the broken directory as complete and never repaired it. The fast path now imports directly only when it can create the target directory exclusively, and otherwise builds the package in a private temp directory and atomically renames it into place #​12197.

  • Fix dependency build scripts not running under the global virtual store (enableGlobalVirtualStore).

    In a workspace install, dependency build scripts are deferred to a single rebuild pass (buildProjects). That pass resolved each package's location from the classic node_modules/.pnpm/<depPathToFilename> layout, which does not exist under the global virtual store — so native dependencies (e.g. packages using node-gyp / prebuild-install) were never built and failed to load at runtime (Cannot find module .../build/Release/*.node).

    buildProjects now resolves the global-virtual-store projection directory (<storeDir>/links/<hash>, computed with the same graph hash the installer uses) when enableGlobalVirtualStore is set, and serializes concurrent builds of the same shared projection so parallel workspace projects don't race on the same directory.

  • Don't promote a runtime: dependency (such as the Node.js version from devEngines.runtime or pnpm runtime set) into a catalog when catalogMode is strict or prefer. A runtime: dependency round-trips to devEngines.runtime, which only recognizes the runtime: protocol; cataloging it rewrote the manifest entry to catalog:, which broke that round-trip, stranded it in devDependencies, and left devEngines.runtime untouched.

  • Skip lockfile minimumReleaseAge/trustPolicy verification for non-registry tarball protocols (for example file:), so local tarball dependencies are not incorrectly checked against npm registry metadata.

v11.5.1

Compare Source

Patch Changes
  • Improve pnpm audit performance by pruning non-vulnerable lockfile subtrees and stopping path enumeration once vulnerable findings reach the path cap.
  • Avoid crashing when the workspace state cache is partially written or malformed.
  • Set npm_config_user_agent for root lifecycle scripts during headless installs.
  • Preserve the integrity field of a remote (non-registry) tarball dependency when its lockfile entry is rebuilt. Re-resolving such a dependency without re-fetching it (for example via pnpm update, or when another dependency changes) produced a resolution with no integrity — URL/tarball resolvers only learn the integrity after the tarball is downloaded — so the previously recorded integrity was dropped, making later installs fail with ERR_PNPM_MISSING_TARBALL_INTEGRITY #​12067.
  • Normalize a string repository field into the { type, url } object form when creating the publish manifest, matching npm's behavior. Some registries (e.g. Gitea/Codeberg) reject a string repository with a 500 Internal Server Error during pnpm publish #​12099.
  • Preserve compatible optional peer versions already present in the lockfile when resolving dependencies.
  • Fixed inconsistent resolution of a peer dependency that is shared through a diamond. When a package peer-depends on both another package and one of that package's own peer dependencies (for example @typescript-eslint/eslint-plugin peer-depends on both @typescript-eslint/parser and typescript, and @typescript-eslint/parser peer-depends on typescript), pnpm no longer reuses a hoisted instance of the shared peer that was resolved against a different version #​12079.
facebook/react (react)

v19.2.7

Compare Source

facebook/react (react-dom)

v19.2.7

Compare Source

shadcn-ui/ui (shadcn)

v4.10.0

Compare Source

Minor Changes

v4.9.0

Compare Source

Minor Changes
typescript-eslint/typescript-eslint (typescript-eslint)

v8.60.1

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitejs/vite (vite)

v8.0.16

Compare Source

Bug Fixes

v8.0.15

Compare Source

Features
Bug Fixes
  • capitalize error messages and remove spurious space in parse error (#​22488) (85a0eff)
  • deps: update all non-major dependencies (#​22511) (2686d7d)
  • dev: fix html-proxy cache key mismatch for /@​fs/ HTML paths (#​21762) (47c4213)
  • glob: error on relative glob in virtual module when no files match (#​22497) (5c8e98f)
  • optimizer: close the rolldown bundle when write() rejects (#​22528) (e3cfb9d)
  • resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#​22509) (40985f1)
Miscellaneous Chores
Code Refactoring

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot enabled auto-merge (squash) June 8, 2026 01:00
@netlify

netlify Bot commented Jun 8, 2026
edited
Loading

Copy link
Copy Markdown

Deploy Preview for ucmacm ready!

Name Link
🔨 Latest commit 0b8a655
🔍 Latest deploy log https://app.netlify.com/projects/ucmacm/deploys/6a26142823aa6c0008cad479
😎 Deploy Preview https://deploy-preview-783--ucmacm.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
Lighthouse
Lighthouse		 1 paths audited
Performance: 83
Accessibility: 97
Best Practices: 92
SEO: 83
PWA: 80
View the detailed breakdown and full score reports

To edit notification comments on pull requests, go to your Netlify project configuration.

@renovate renovate Bot merged commit 00d950c into react-rewrite Jun 8, 2026
7 of 8 checks passed
@renovate renovate Bot deleted the renovate/npm-dependencies branch June 8, 2026 01:00
@sonarqubecloud

sonarqubecloud Bot commented Jun 8, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants