chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@codspeed/vitest-plugin (source)	^5.5.0 → ^5.7.1			devDependencies	minor
@tanstack/react-table (source)	9.0.0-beta.16 → 9.0.0-beta.19			dependencies	patch
CodSpeedHQ/action	v4.17.5 → v4.18.1			action	minor
knip (source)	^6.16.1 → ^6.20.0			devDependencies	minor
nx (source)	^22.7.5 → ^22.7.6			devDependencies	patch
react (source)	19.2.0 → 19.2.7			dependencies	patch
react-dom (source)	19.2.0 → 19.2.7			dependencies	patch
semver	^7.8.4 → ^7.8.5			dependencies	patch
sherif	^1.11.1 → ^1.12.0			devDependencies	minor
tsdown (source)	^0.22.2 → ^0.22.3			devDependencies	patch
undici-types (source)	8.4.1 → 8.5.0			pnpm-workspace.overrides	minor
verdaccio (source)	^6.7.2 → ^6.7.4			devDependencies	patch
vitest (source)	4.1.8 → 4.1.9			devDependencies	patch
vitest-evals (source)	^0.13.1 → ^0.14.0			devDependencies	minor
zizmorcore/zizmor-action	v0.5.6 → v0.5.7			action	patch

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

CodSpeedHQ/codspeed-node (@​codspeed/vitest-plugin)

v5.7.1

Compare Source

What's Changed

• fix: emit perf maps when not parsing the full inlining logs from V8 by @​GuillaumeLagrange in #​85

Full Changelog: CodSpeedHQ/codspeed-node@v5.7.0...v5.7.1

v5.7.0

Compare Source

Highlights

• Dump full inlining information for higher optimization tiers in walltime so we can show more functions on the profiler. To test it out, set CODSPEED_WALLTIME_PROFILER=samply env variable in the codspeed action.
• Added support for tinybench v5 and v6 in @​codspeed/tinybench-plugin

What's Changed

• Add necessary flags to dump optimized inlining info and fix walltime marker placement by @​GuillaumeLagrange in #​83

Full Changelog: CodSpeedHQ/codspeed-node@v5.6.0...v5.7.0

v5.6.0

Compare Source

What's Changed

• feat: add MacOS support by @​not-matthias in #​81

Full Changelog: CodSpeedHQ/codspeed-node@v5.5.0...v5.6.0

TanStack/table (@​tanstack/react-table)

v9.0.0-beta.19

Compare Source

Version 9.0.0-beta.19 - 6/25/26, 4:08 AM

Changes

Fix

• improve row selection api performance (#​6344) (f077ae7) by Kevin Van Cott

Docs

• fix link (51298bb) by Kevin Van Cott
• helpers guide, fix some example tsc errors (a7aae8b) by Kevin Van Cott
• improve composable table guides (a471632) by Kevin Van Cott
• rearrange docs sidebar some (4e8a35d) by Kevin Van Cott

Examples

• standardize stress tests and remove re-render buttons (d1c84eb) by Kevin Van Cott

Packages

• @​tanstack/table-core@​9.0.0-beta.19
• @​tanstack/angular-table@​9.0.0-beta.19
• @​tanstack/lit-table@​9.0.0-beta.19
• @​tanstack/table-devtools@​9.0.0-beta.19
• @​tanstack/angular-table-devtools@​9.0.0-beta.19
• @​tanstack/preact-table@​9.0.0-beta.19
• @​tanstack/preact-table-devtools@​9.0.0-beta.19
• @​tanstack/react-table@​9.0.0-beta.19
• @​tanstack/react-table-devtools@​9.0.0-beta.19
• @​tanstack/solid-table@​9.0.0-beta.19
• @​tanstack/solid-table-devtools@​9.0.0-beta.19
• @​tanstack/svelte-table@​9.0.0-beta.19
• @​tanstack/vue-table@​9.0.0-beta.19
• @​tanstack/vue-table-devtools@​9.0.0-beta.19

v9.0.0-beta.18

Compare Source

Version 9.0.0-beta.18 - 6/24/26, 1:07 PM

Changes

Fix

• expanding and paginated row model memo (#​6342) (de74706) by Kevin Van Cott

Chore

• update pnpm to 11.9.0 (#​6341) (5c58673) by @​Sheraff

Docs

• update feature setup sections (17b84c3) by Kevin Van Cott

Packages

• @​tanstack/table-core@​9.0.0-beta.18
• @​tanstack/table-devtools@​9.0.0-beta.18
• @​tanstack/angular-table@​9.0.0-beta.18
• @​tanstack/angular-table-devtools@​9.0.0-beta.18
• @​tanstack/lit-table@​9.0.0-beta.18
• @​tanstack/preact-table@​9.0.0-beta.18
• @​tanstack/preact-table-devtools@​9.0.0-beta.18
• @​tanstack/react-table@​9.0.0-beta.18
• @​tanstack/react-table-devtools@​9.0.0-beta.18
• @​tanstack/solid-table@​9.0.0-beta.18
• @​tanstack/solid-table-devtools@​9.0.0-beta.18
• @​tanstack/svelte-table@​9.0.0-beta.18
• @​tanstack/vue-table@​9.0.0-beta.18
• @​tanstack/vue-table-devtools@​9.0.0-beta.18

v9.0.0-beta.17

Compare Source

Version 9.0.0-beta.17 - 6/20/26, 8:27 PM

Changes

Fix

• add checks to dictionaries for ssr (#​6338) (f237e20) by Kevin Van Cott

Chore

• modify some typescript script generation (dde8248) by Kevin Van Cott

Packages

• @​tanstack/table-core@​9.0.0-beta.17
• @​tanstack/table-devtools@​9.0.0-beta.17
• @​tanstack/angular-table@​9.0.0-beta.17
• @​tanstack/angular-table-devtools@​9.0.0-beta.17
• @​tanstack/lit-table@​9.0.0-beta.17
• @​tanstack/preact-table@​9.0.0-beta.17
• @​tanstack/preact-table-devtools@​9.0.0-beta.17
• @​tanstack/react-table@​9.0.0-beta.17
• @​tanstack/react-table-devtools@​9.0.0-beta.17
• @​tanstack/solid-table@​9.0.0-beta.17
• @​tanstack/solid-table-devtools@​9.0.0-beta.17
• @​tanstack/svelte-table@​9.0.0-beta.17
• @​tanstack/vue-table@​9.0.0-beta.17
• @​tanstack/vue-table-devtools@​9.0.0-beta.17

CodSpeedHQ/action (CodSpeedHQ/action)

v4.18.1

Compare Source

Release Notes

🚀 Features

• Bump go-runner to 1.2.1 by @​adriencaccia in #​421

Install codspeed-runner 4.18.1

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CodSpeedHQ/codspeed/releases/download/v4.18.1/codspeed-runner-installer.sh | sh

Download codspeed-runner 4.18.1

File	Platform	Checksum
codspeed-runner-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
codspeed-runner-aarch64-unknown-linux-musl.tar.gz	ARM64 MUSL Linux	checksum
codspeed-runner-x86_64-unknown-linux-musl.tar.gz	x64 MUSL Linux	checksum

Full Runner Changelog: https://github.com/CodSpeedHQ/codspeed/blob/main/CHANGELOG.md

v4.18.0

Compare Source

Release Notes

🚀 Features

• Bump valgrind-codspeed to 3.26.0-0codspeed4
• Bump samply by @​GuillaumeLagrange in #​415
• Set env var to have node dump inlining information by @​GuillaumeLagrange
• Change isolation logic to include samply and non root fallback by @​GuillaumeLagrange
• Add experimental --cycle-estimation flag by @​not-matthias in #​412
• Make samply-codspeed a submodule rather than git rev with cargo by @​GuillaumeLagrange in #​416

🐛 Bug Fixes

• Honor locally-installed valgrind on non-apt systems by @​not-matthias in #​414

Install codspeed-runner 4.18.0

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CodSpeedHQ/codspeed/releases/download/v4.18.0/codspeed-runner-installer.sh | sh

Download codspeed-runner 4.18.0

File	Platform	Checksum
codspeed-runner-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
codspeed-runner-aarch64-unknown-linux-musl.tar.gz	ARM64 MUSL Linux	checksum
codspeed-runner-x86_64-unknown-linux-musl.tar.gz	x64 MUSL Linux	checksum

Full Runner Changelog: https://github.com/CodSpeedHQ/codspeed/blob/main/CHANGELOG.md

v4.17.6

Compare Source

Release Notes

🚀 Features

• feat: skip hash check error when installing pre-release by @​GuillaumeLagrange in #​215
• Show memtrack capability status in setup status by @​not-matthias
• Run memtrack sudo-less via file capabilities by @​not-matthias
• Use extra events when using samply on linux by @​GuillaumeLagrange in #​404
• Update PerfEvent to also support samply format by @​GuillaumeLagrange
• Use isolation for with samply by @​GuillaumeLagrange
• Make eh_frame_hdr optional in unwind data (V4) by @​not-matthias

🐛 Bug Fixes

• Keep rolling buffer off during executor setup by @​not-matthias in #​411
• Gate memory executor behind Linux target by @​not-matthias
• Enable tracking when running without IPC by @​not-matthias
• Tolerate RLIMIT_MEMLOCK EPERM on modern kernels by @​not-matthias
• Install libc6-dbg during valgrind setup by @​not-matthias in #​394
• Skip rustup-wrapped proxy in trace-children by @​not-matthias in #​405
• Retry streamed uploads on transient failures by @​not-matthias in #​399
• Extract unwind data for binaries without eh_frame_hdr by @​not-matthias

💼 Other

• Drop OpenSSL, move TLS stack to rustls (#​406) by @​art049 in #​406

🏗️ Refactor

• Split executor privilege granting into grant_privileges by @​not-matthias

📚 Documentation

• Add unwind data version changelog by @​not-matthias in #​393

⚙️ Internals

• chore: bump runner version to 4.17.6 by @​github-actions[bot] in #​216
• Grant memtrack file capabilities before memory tests by @​not-matthias in #​407
• Bump samply to support additional events by @​GuillaumeLagrange
• Add helper script to use local versions of samply and framehop easily by @​GuillaumeLagrange

Install codspeed-runner 4.17.6

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CodSpeedHQ/codspeed/releases/download/v4.17.6/codspeed-runner-installer.sh | sh

Download codspeed-runner 4.17.6

File	Platform	Checksum
codspeed-runner-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
codspeed-runner-aarch64-unknown-linux-musl.tar.gz	ARM64 MUSL Linux	checksum
codspeed-runner-x86_64-unknown-linux-musl.tar.gz	x64 MUSL Linux	checksum

Full Runner Changelog: https://github.com/CodSpeedHQ/codspeed/blob/main/CHANGELOG.md

Full Changelog: CodSpeedHQ/action@v4.17.5...v4.17.6

webpro-nl/knip (knip)

v6.20.0: Release 6.20.0

Compare Source

• Add raw transfer opt-out (resolve #​1813) (6f08c68)
• Fix cached plugin config cycles (resolve #​1811) (2bc2f24)

v6.19.0: Release 6.19.0

Compare Source

• feat: support new optional sveltekit config pattern via vite config (#​1810) (3fee8bf) - thanks @​fubits1!
• Optimize hot path string scanning (e30cfe7)
• Update astro snapshot (71e71a7)

v6.18.0: Release 6.18.0

Compare Source

• Update dependencies (pin oxc-resolver) (7dda4ec)
• Resolve tsconfig paths for non-TS importers independent of oxc ownership (3b71565)
• Format (64865f8)
• Fix false positive for Vitest mocks (#​1802) (ec93e20) - thanks @​remcohaszing!
• Mark npx-run binaries optional unless --no-install (resolve #​1803) (203c31e)
• Ignore pnpm [WARN] lines in ecosystem snapshots (392835a)
• Update slonik snapshot (62d802b)
• Update Jest entry patterns for Jest 30 (#​1808) (d2caedd) - thanks @​gwagjiug!
• Report stale workspaces configuration keys as configuration hints (#​1807) (9083c16) - thanks @​WooWan!

v6.17.2: Release 6.17.2

Compare Source

• Fix up jest plugin (63dbd65)
• Detect coverage provider from bare vitest --coverage flag (#​1800) (dc11d9f) - thanks @​WooWan!
• Don't disable configuration hints in workspace-scoped runs (#​1791) (8ce1ec8) - thanks @​WooWan!
• Detect react-email v6 packages from non-numeric version ranges (resolve #​1798) (27a1cae)
• Discover workspaces included after a negated pattern (resolve #​1797) (630e152)

v6.17.1: Release 6.17.1

Compare Source

• Remove ignoreBinaries w/ tar (b13d0ca)
• Wrap up docs/refs (29f3e46)
• Update dependencies (7b2f345)
• Fix up vscode-languageclient imports (820c233)

v6.17.0: Release 6.17.0

Compare Source

• chore(mcp): add package metadata links (#​1783) (e3d93b9) - thanks @​sh962214-hub!
• fix(capacitor): detect iOS platform with Swift Package Manager (#​1787) (e6cc533) - thanks @​jthrilly!
• Support ignoreIssues per workspace (resolve #​1782) (15a329a)
• Add commitlint.config.mts (resolve #​1784) (fa8eb6d)
• Treat scoped and tilde SCSS imports as packages (resolve #​1786) (98aa962)
• Add followCursor setting for Imports/Exports views (resolve #​1788) (67a0be8)
• Flag undeclared sibling imports in published workspaces (resolve #​1792) (aeabff7)
• Fix type-check errors in vscode-knip (12f266e)
• Note Markdown formatting with pnpm remark (bdffeec)
• Bump some doc-related dependencies (3334193)
• Update vscode-knip tool descriptions (be34178)
• Overhaul docs (55e3f3b)
• Improve mcp guidance (67483f0)
• Fix repeated --fix-type arg (9bb0512)
• Resolve module paths from selected tsconfig (resolve #​1794) (1c2f398)
• Update sanity snapshot (4ebce9c)
• Add tar to globally ignored binaries (resolve #​1796) (8c028e5)

nrwl/nx (nx)

v22.7.6

Compare Source

22.7.6 (2026-06-23)

🩹 Fixes

• misc: bump happy-dom, tmp, and form-data to patched versions (#​36013)

❤️ Thank You

• Jack Hsu @​jaysoo

facebook/react (react)

v19.2.7: 19.2.7 (June 1st, 2026)

Compare Source

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6
  (#​36566 by @​unstubbable)

v19.2.6: 19.2.6 (May 6th, 2026)

Compare Source

React Server Components

• Type hardening and performance improvements
  (by @​eps1lon and @​unstubbable)

v19.2.5: 19.2.5 (April 8th, 2026)

Compare Source

React Server Components

• Add more cycle protections (#​36236 by @​eps1lon and @​unstubbable)

v19.2.4: 19.2.4 (January 26th, 2026)

Compare Source

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#​35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

v19.2.3: 19.2.3 (December 11th, 2025)

Compare Source

React Server Components

• Add extra loop protection to React Server Functions (@​sebmarkbage #​35351)

v19.2.2: 19.2.2 (December 11th, 2025)

Compare Source

React Server Components

• Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@​eps1lon #​35290)
• Patch Promise cycles and toString on Server Functions (@​sebmarkbage, @​unstubbable #​35289)

v19.2.1: 19.2.1 (December 3rd, 2025)

Compare Source

React Server Components

• Bring React Server Component fixes to Server Actions (@​sebmarkbage #​35277)

npm/node-semver (semver)

v7.8.5

Compare Source

Bug Fixes

• 9c8692a #​878 include prereleases in tilde range lower bound with includePrerelease (#​878) (@​chatman-media)

QuiiBz/sherif (sherif)

v1.12.0

Compare Source

What's Changed

• chore(ci): setup trusted publishing by @​QuiiBz in #​154
• feat: support devEngines for root-package-manager-field rule by @​MasterLambaster in #​156

New Contributors

• @​MasterLambaster made their first contribution in #​156

Full Changelog: QuiiBz/sherif@v1...v1.12.0

rolldown/tsdown (tsdown)

v0.22.3

Compare Source

   🚨 Breaking Changes

• Drop node 24.0 - 24.10 support  -  by @​sxzz (a2eac)

   🐞 Bug Fixes

• Inline CI detection  -  by @​sxzz (bfc64)

   🏎 Performance

• css: Skip renderChunk when no CSS has been collected  -  by @​ShMcK in #​967 (9f051)

    View changes on GitHub

nodejs/undici (undici-types)

v8.5.0

Compare Source

⚠️ Security Release

This release line addresses 8 security advisories. Most are fixed in
v8.5.0; the SOCKS5 pool-reuse issue was fixed earlier in v8.2.0.

Action required: Upgrade to undici 8.5.0 or later.

npm install undici@^8.5.0

Summary

Advisory	CVE	Severity (CVSS)	Fixed in	Fix commit
GHSA-vxpw-j846-p89q	CVE-2026-12151	High (7.5)	8.5.0	32dbf0b3
GHSA-38rv-x7px-6hhq	CVE-2026-9675	High (7.5)	8.5.0	b4c287b3
GHSA-vmh5-mc38-953g	CVE-2026-9697	High (7.4)	8.5.0	42d49559
GHSA-hm92-r4w5-c3mj	CVE-2026-6734	High (7.5)	8.2.0	a516f870
GHSA-pr7r-676h-xcf6	CVE-2026-9678	Moderate (5.9)	8.5.0	cb105d7c
GHSA-p88m-4jfj-68fv	CVE-2026-9679	Moderate (5.9)	8.5.0	5655ea43
GHSA-g8m3-5g58-fq7m	CVE-2026-11525	Low (3.7)	8.5.0	5655ea43
GHSA-35p6-xmwp-9g52	CVE-2026-6733	Low (3.7)	8.5.0	6ea54ef8

---

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770
Fix: 32dbf0b3 websocket: limit the number of fragments in a message (also c5ed7875 handle empty fragments and stream limits)

A malicious WebSocket server can stream a large number of small or empty
continuation frames. Undici enforced a limit on cumulative payload size but did
not limit the number of fragments per message, leading to unbounded memory
growth and denial of service.

• Affected: applications using new WebSocket(...) or WebSocketStream
  against untrusted endpoints.
• Workaround: none — upgrade is required.

WebSocket DoS via cumulative fragment bypass — CVE-2026-9675

GHSA-38rv-x7px-6hhq · CWE-400, CWE-770
Fix: b4c287b3 fix(websocket): enforce max payload size across fragments

Undici validated the size of individual frames but did not track cumulative size
across a fragmented message. An attacker could send many small fragments that
each pass per-frame validation but collectively exceed the configured limit,
causing memory exhaustion. This is a regression introduced in 8.1.0 (the
6.x and 7.x lines are not affected).

• Workaround: none — upgrade is required.

TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697

GHSA-vmh5-mc38-953g · CWE-295
Fix: 42d49559 fix: honor requestTls when proxy is SOCKS5

The ProxyAgent silently discarded the requestTls option when configured with
a SOCKS5 proxy. TLS connections through the SOCKS5 tunnel ignored user-configured
parameters such as ca, cert, key, rejectUnauthorized, and servername,
falling back to the default Mozilla CA bundle. Applications relying on
certificate pinning to an internal CA were exposed to man-in-the-middle attacks.

• Affected: ProxyAgent / Socks5ProxyAgent over SOCKS5 that rely on
  requestTls.
• Workaround: route traffic through an HTTP-proxy ProxyAgent, where
  requestTls functions correctly.

Cross-origin request routing via SOCKS5 proxy pool reuse — CVE-2026-6734

GHSA-hm92-r4w5-c3mj · CWE-346 · Fixed in 8.2.0
Fix: a516f870 fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing (#​5041)

Socks5ProxyAgent reused a single connection pool across different origins
without verifying the pool's origin matched the requested origin. This could
route credentials and request data to unintended destinations, cause responses
from the wrong origin to be trusted, and enable HTTPS→HTTP downgrade.

• Affected: applications using Socks5ProxyAgent across multiple origins
  (introduced via #​4385).
• Workaround: use a separate agent instance per origin.

---

Moderate severity

Cross-user information disclosure via shared cache whitespace bypass — CVE-2026-9678

GHSA-pr7r-676h-xcf6 · CWE-524
Fix: cb105d7c fix(cache): trim qualified field names

The cache interceptor mishandled responses with whitespace-padded
Cache-Control directives such as private=" authorization". In shared-cache
mode this could cause authenticated data to be cached and served to other users.

• Affected: apps using the cache interceptor in shared mode that forward
  Authorization upstream and receive non-canonical qualified directives.
• Workaround: disable shared-cache mode for authenticated traffic, avoid
  caching authenticated responses, or add Vary: Authorization upstream.

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

GHSA-p88m-4jfj-68fv · CWE-93
Fix: 5655ea43 fix(cookies): preserve values and parse SameSite strictly

parseSetCookie applied percent-decoding to cookie values, turning encoded
sequences like %0D%0A and %00 into literal bytes, contrary to RFC 6265 §5.4
and browser behavior. Applications forwarding parsed Set-Cookie values into
response headers were exposed to header injection, enabling session fixation,
open redirects, and cache poisoning. Introduced in 7.0.0 via
#​3789.

• Workaround: sanitize values before forwarding — strip or reject CR, LF,
  NUL, ;, and =.

---

Low severity

Set-Cookie SameSite attribute downgrade — CVE-2026-11525

GHSA-g8m3-5g58-fq7m · CWE-183
Fix: 5655ea43 fix(cookies): preserve values and parse SameSite strictly

The cookie parser accepted SameSite values containing Strict, Lax, or
None as substrings rather than requiring exact matches per RFC 6265. Values
like SameSite=NoneOfYourBusiness parsed as None, and SameSite=StrictLax
parsed as Lax, silently weakening cookie security policies for apps that
forward parsed attributes.

HTTP response queue poisoning via keep-alive socket reuse — CVE-2026-6733

GHSA-35p6-xmwp-9g52 · CWE-367 (TOCTOU race condition)
Fix: 6ea54ef8 fix: guard idle socket validation to skip fresh sockets, hardened by c9fbe9d2 keep idle validation on native timers (#​5397) and ac5394b8 keep idle validation on global timers (#​5407)

An attacker controlling an upstream HTTP/1.1 server could inject unsolicited
responses onto idle keep-alive sockets. On socket reuse, the injected response
was associated with a new request, delivering responses to the wrong requests.

• Requirements: attacker-controlled/compromised upstream and active
  keep-alive reuse.
• Workaround: disable keep-alive reuse with keepAliveTimeout: 0 on the
  Client or Pool.

---

Also in v8.5.0 (non-security)

v8.5.0 shipped the security fixes above alongside the following changes. These
are not security fixes — they are listed for completeness of the release. (The
two queue-poisoning hardening PRs, #​5397
and #​5407, are covered under
CVE-2026-6733 above and are not repeated here.)

• HTTP/2: #5408 don't rewind kPendingIdx past in-flight requests · #5391 allow h2 POST request multiplexing · #5406 reap idle HTTP/2 sessions · #5410 preserve h2 queue on out-of-order completion
• Features: #5416 add bodyMixin.textStream() · #5418 align EventSource with spec
• Docs / CI / tests: #5413 document request header validation · #5383 absorb h2 stream timeout resets (test) · #5420 remove stale repro + lint · #5426 extend Windows CI timeout · #5427 detect available python in WPT runner

Full changelog: v8.4.1...v8.5.0.

---

Credits

Per-advisory credits (as recorded in each GHSA):

• CVE-2026-12151 — reported by @​lpinca & @​Nadav0077; reviewed by @​UlisesGascon.
• CVE-2026-9675 — reported by @​mauriceng98 & @​Str1ckl4nd; fixed by @​mcollina & @​KhafraDev; reviewed by @​UlisesGascon.
• CVE-2026-9697 — reported by @​tonghuaroot; reviewed by @​UlisesGascon.
• CVE-2026-6734 — reported by @​ChALkeR; reviewed by @​mcollina; verified by @​UlisesGascon.
• CVE-2026-9678 — fixed by @​mcollina; reviewed by @​UlisesGascon.
• CVE-2026-9679 — reported by @​tndud042713; fixed by @​mcollina; reviewed by @​KhafraDev & @​UlisesGascon.
• CVE-2026-11525 — fixed by @​mcollina; reviewed by @​UlisesGascon.
• CVE-2026-6733 — fixed by @​mcollina; verified by @​UlisesGascon.

verdaccio/verdaccio (verdaccio)

v6.7.4

Compare Source

Patch Changes

• 0205c78: fix: run jwt middleware before middleware plugins

  Register the JWT mid

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Routine dependency and tooling version bumps across the monorepo: GitHub Actions pins for CodSpeed and zizmor are updated, pnpm is upgraded to 11.8.0, vitest to 4.1.9, and several package dependencies (semver, tsdown, verdaccio, sherif, undici-types, react, react-dom, @tanstack/react-table) are bumped to newer versions.

Changes

Dependency and Tooling Version Bumps

Layer / File(s)	Summary
GitHub Actions pinned version bumps .github/workflows/benchmarks.yml, .github/workflows/zizmor.yml	CodSpeedHQ/action bumped from v4.17.5 to v4.17.6; zizmorcore/zizmor-action bumped from v0.5.6 to v0.5.7.
Root package.json and workspace toolchain bumps package.json, pnpm-workspace.yaml	pnpm bumped from 11.7.0 to 11.8.0 in packageManager and engines; sherif bumped to ^1.12.0, vitest to 4.1.9; undici-types workspace override updated to 8.5.0.
Package and benchmark dependency bumps packages/intent/package.json, benchmarks/intent/package.json	semver bumped to ^7.8.5, tsdown to ^0.22.3, verdaccio to ^6.7.4; @codspeed/vitest-plugin bumped to ^5.6.0, vitest to 4.1.9.
Eval fixture dependency bumps evals/intent-discovery/fixtures/router-basic/package.json, evals/intent-discovery/fixtures/start-basic/package.json, evals/intent-discovery/fixtures/table-v9-basic/package.json	react and react-dom bumped from 19.2.0 to 19.2.7 in all three fixtures; @tanstack/react-table bumped from 9.0.0-beta.16 to 9.0.0-beta.17 in table-v9-basic.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

• TanStack/intent#132: The main issue tracking dependency updates that are applied directly in this PR, covering all the same version bumps for toolchain and packages.

Possibly related PRs

• TanStack/intent#164: Bumps the same CodSpeedHQ/action and zizmorcore/zizmor-action pinned revisions in the same workflow files.

Suggested reviewers

• KevinVandy

Poem

🐇 A rabbit hops through the monorepo,
Sprinkling version bumps far and low,
pnpm, vitest, react so bright,
Semver, zizmor—all shiny and right!
Dependencies fresh, the lockfiles sing,
Hop hop hooray for each little thing! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR body is Renovate-generated and does not follow the required template sections for Changes, Checklist, or Release Impact.	Rewrite the PR description using the repository template and fill in the changes, testing checklist, and release impact sections.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main purpose of the PR: updating non-major dependencies across the project.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/all-minor-patch

---

_{Comment @coderabbitai help to get the list of available commands.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	react@​19.2.0 ⏵ 19.2.7
	react-dom@​19.2.0 ⏵ 19.2.7
	@​tanstack/​react-table@​9.0.0-beta.16 ⏵ 9.0.0-beta.19	+1			-1

View full report

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

[nx-cloud]

View your CI Pipeline Execution ↗ for commit d0da768

Command	Status	Duration	Result
nx affected --targets=test:eslint,test:sherif,t...	✅ Succeeded	8s	View ↗
nx run-many --targets=build --exclude=examples/**	✅ Succeeded	2s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-06-24 12:53:02 UTC

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/TanStack/intent/@tanstack/intent@179

commit: d0da768

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 3 workspace projects
? Verifying lockfile against supply-chain policies (881 entries)...
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 13, reused 0, downloaded 0, added 0
Progress: resolved 18, reused 0, downloaded 0, added 0
Progress: resolved 19, reused 0, downloaded 0, added 0
Progress: resolved 21, reused 0, downloaded 0, added 0
Progress: resolved 22, reused 0, downloaded 0, added 0
[WARN] Request took 11753ms: https://registry.npmjs.org/@types%2Fnode
Progress: resolved 23, reused 0, downloaded 0, added 0
[WARN] Request took 12495ms: https://registry.npmjs.org/nx
Progress: resolved 24, reused 0, downloaded 0, added 0
[WARN] Request took 13313ms: https://registry.npmjs.org/typescript
Progress: resolved 30, reused 0, downloaded 0, added 0
Progress: resolved 132, reused 0, downloaded 0, added 0
Progress: resolved 243, reused 0, downloaded 0, added 0
Progress: resolved 280, reused 0, downloaded 0, added 0
Progress: resolved 291, reused 0, downloaded 0, added 0
Progress: resolved 407, reused 0, downloaded 4, added 0
Progress: resolved 495, reused 0, downloaded 4, added 0
[WARN] Request took 10120ms: https://registry.npmjs.org/@typescript-eslint%2Fscope-manager
Progress: resolved 523, reused 0, downloaded 4, added 0
Progress: resolved 524, reused 0, downloaded 4, added 0
[WARN] Request took 11107ms: https://registry.npmjs.org/@typescript-eslint%2Fparser
[WARN] Request took 11391ms: https://registry.npmjs.org/@typescript-eslint%2Ftypescript-estree
Progress: resolved 525, reused 0, downloaded 4, added 0
[WARN] Request took 11835ms: https://registry.npmjs.org/@typescript-eslint%2Feslint-plugin
Progress: resolved 527, reused 0, downloaded 4, added 0
Progress: resolved 536, reused 0, downloaded 4, added 0
Progress: resolved 690, reused 0, downloaded 4, added 0
[WARN] Request took 17755ms: https://registry.npmjs.org/vite
✓ Lockfile passes supply-chain policies (881 entries in 29.6s)
Progress: resolved 691, reused 0, downloaded 4, added 0
Progress: resolved 706, reused 0, downloaded 4, added 0
Progress: resolved 794, reused 0, downloaded 7, added 0
Progress: resolved 795, reused 0, downloaded 7, added 0
Progress: resolved 835, reused 0, downloaded 7, added 0
[ERR_PNPM_NO_MATURE_MATCHING_VERSION] 3 versions do not meet the minimumReleaseAge constraint:
  @codspeed/core@5.7.1 was published at 2026-06-24T09:51:32.420Z, within the minimumReleaseAge cutoff (2026-06-24T05:45:31.954Z)
  @codspeed/vitest-plugin@5.7.1 was published at 2026-06-24T09:51:44.549Z, within the minimumReleaseAge cutoff (2026-06-24T05:45:31.954Z)
  knip@6.20.0 was published at 2026-06-24T13:53:40.969Z, within the minimumReleaseAge cutoff (2026-06-24T05:45:31.954Z)