Skip to content

fix(deps): update all non-major dependencies#1369

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch
Open

fix(deps): update all non-major dependencies#1369
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
oxfmt (source) ^0.58.0^0.59.0 age confidence
oxlint (source) ^1.73.0^1.74.0 age confidence
tar ^7.5.19^7.5.20 age confidence
verdaccio (source) ^6.7.4^6.8.0 age confidence

Release Notes

oxc-project/oxc (oxfmt)

v0.59.0

Compare Source

🐛 Bug Fixes
  • 415fe1e oxfmt: Error on ignorePatterns that cannot match files outside the config directory (#​24286) (leaysgur)
oxc-project/oxc (oxlint)

v1.74.0

Compare Source

🚀 Features
  • 0433a83 linter/eslint/no-inner-declarations: Add namespaces option (#​24044) (Boshen)
🐛 Bug Fixes
  • 8337835 linter: Error on ignorePatterns that cannot match files aoutside the config directory (#​24341) (leaysgur)
  • 2ce5a33 linter: Resolve ignorePatterns relative to the config dir (#​24339) (leaysgur)
⚡ Performance
  • 7f80cac linter/vue/prop-name-casing: Precompile ignoreProps regex pattern (#​24413) (connorshea)
  • 6272051 linter/typescript/no-require-imports: Compile allow patterns once (#​24417) (connorshea)
  • 33805b9 linter/jsdoc/require-param: Compile checkTypesPattern regex once (#​24420) (connorshea)
isaacs/node-tar (tar)

v7.5.20

Compare Source

verdaccio/verdaccio (verdaccio)

v6.8.0

Compare Source

Minor Changes
  • 962fba8: feat: add unpublish notification hooks

    Port of #​5920 (ref #​5328). The notify webhook now also fires when a package is unpublished entirely and when a single version (tarball) is removed, not only on publish. Notification templates can distinguish the event through the new {{ publishType }} (publish | unpublish) and {{ publishedPackage }} variables, and the {{ publisher }} object exposes only name, groups and real_groups, so the remote user auth token can never leak to the notification endpoint (via @verdaccio/hooks 8.0.4).

Patch Changes
  • f0684dc: fix: return 403 to client when uplink responds with 403 for tarball requests

    Previously, any non-200/404 response from an uplink (e.g. a security proxy blocking a package download) would result in a generic 500 error being returned to the client. This change propagates 403 responses from the uplink through to the client, including any error detail from the response body, so callers can distinguish authorization failures from other upstream errors.

  • 3a84578: chore: refactor eslint

  • b7a5db1: fix: rate limit and bound the npm search v1 endpoint

    The /-/v1/search endpoint now applies the userRateLimit rate limiting middleware (matching the login, token and profile endpoints), clamps the size (max 250, like the public npm registry) and from (max 10000) pagination parameters, and stops evaluating package access as soon as the requested page is filled instead of running an auth check over the entire result set. The clamped values are also what gets forwarded to uplink registries (the raw request URL is no longer passed through), so the bounds hold end-to-end. This prevents cheap anonymous requests from triggering unbounded full-catalog scans. As part of this, pagination is fixed: results were sliced with slice(from, size) instead of slice(from, from + size), so pages beyond the first were wrong.

    Search results for local packages also emit npm-search-compatible maintainers ({ username, email }) — npm 11 on Node 24 crashes rendering entries without username (The "str" argument must be of type string. Received undefined) — and the publisher field is now populated from _npmUser when the publishing client provided it, falling back to the first maintainer, so the npm CLI shows the publishing user instead of by ???.

  • 808d916: fix: pick the right uplink for tarballs and heal missing distfile records

    Uplink selection. With several uplinks configured for a package, tarball downloads used the last uplink whose package pattern matched, even when the tarball url belongs to a different one, which could make downloads fail against registries that require authentication. The uplink is now selected by matching the tarball url: the registry recorded on the distfile wins, then the uplink whose url serves the file; when none matches, an autogenerated uplink with default settings is used. Single-uplink setups keep the previous behavior for tarballs hosted on another host (a CDN).

    Missing distfile records. Storages written by other verdaccio versions can carry cached versions without their _distfiles records, which made those tarballs permanently return 404 no such file available. The tarball location is now resolved from the version's dist.tarball metadata when the record is missing, and the record is restored when the tarball is cached.

  • a2de1d5: Update verdaccio dependencies to the latest npm dist-tag (@verdaccio/ui-theme tracks next-9):

    • @verdaccio/ui-theme: 9.0.0-next-9.209.0.0-next-9.21

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "every 2 months on Thursday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added 📦 dependencies Pull requests that update a dependency file 🤖 bot labels Jul 16, 2026
@pkg-pr-new

pkg-pr-new Bot commented Jul 16, 2026

Copy link
Copy Markdown
@lerna-lite/changed

npm i https://pkg.pr.new/@lerna-lite/changed@1369

@lerna-lite/cli

npm i https://pkg.pr.new/@lerna-lite/cli@1369

@lerna-lite/core

npm i https://pkg.pr.new/@lerna-lite/core@1369

@lerna-lite/diff

npm i https://pkg.pr.new/@lerna-lite/diff@1369

@lerna-lite/exec

npm i https://pkg.pr.new/@lerna-lite/exec@1369

@lerna-lite/init

npm i https://pkg.pr.new/@lerna-lite/init@1369

@lerna-lite/list

npm i https://pkg.pr.new/@lerna-lite/list@1369

@lerna-lite/listable

npm i https://pkg.pr.new/@lerna-lite/listable@1369

@lerna-lite/npmlog

npm i https://pkg.pr.new/@lerna-lite/npmlog@1369

@lerna-lite/profiler

npm i https://pkg.pr.new/@lerna-lite/profiler@1369

@lerna-lite/publish

npm i https://pkg.pr.new/@lerna-lite/publish@1369

@lerna-lite/run

npm i https://pkg.pr.new/@lerna-lite/run@1369

@lerna-lite/version

npm i https://pkg.pr.new/@lerna-lite/version@1369

@lerna-lite/watch

npm i https://pkg.pr.new/@lerna-lite/watch@1369

commit: 19edd2b

@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch from 37571a1 to 58cebee Compare July 16, 2026 10:50
@codecov

codecov Bot commented Jul 16, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (edaa6ed) to head (19edd2b).

Additional details and impacted files
@@            Coverage Diff            @@
##              main     #1369   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files          168       168           
  Lines         5896      5896           
  Branches      1520      1520           
=========================================
  Hits          5896      5896           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@renovate
renovate Bot force-pushed the renovate/all-minor-patch branch from 58cebee to 19edd2b Compare July 16, 2026 19:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

🤖 bot 📦 dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants