chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/workers-types	^4.20260206.0 → ^4.20260207.0
@scalar/api-reference (source)	^1.44.14 → ^1.44.15
@typescript/native-preview (source)	7.0.0-dev.20260206.1 → 7.0.0-dev.20260207.1
deno (source)	2.6.6 → 2.6.8
pnpm (source)	10.28.2 → 10.29.1
rollup (source)	^4.57.0 → ^4.57.1

---

Release Notes

cloudflare/workerd (@​cloudflare/workers-types)

v4.20260207.0

Compare Source

scalar/scalar (@​scalar/api-reference)

v1.44.15

Patch Changes

Updated Dependencies

• @​scalar/workspace-store@​0.30.0

  • #​8077: feat: support team workspaces

• @​scalar/api-client@​2.25.0

  • #​8077: feat: support team workspaces

• @​scalar/components@​0.18.0

  • #​8077: feat: support team workspaces

• @​scalar/agent-chat@​0.5.6

• @​scalar/oas-utils@​0.6.37

• @​scalar/sidebar@​0.7.30

microsoft/typescript-go (@​typescript/native-preview)

v7.0.0-dev.20260207.1

Compare Source

denoland/deno (deno)

v2.6.8

Compare Source

• feat(npm): support jsr: scheme in package.json (#​31938)
• feat: Windows on ARM builds (#​31917)
• fix(ext/node): enable defensive option on DatabaseSync (#​32004)
• fix(ext/node): error formatting compatibility (#​31970)
• fix(ext/node): implement sqlite' SQLTagStore (#​31945)
• fix(ext/node): use primordials in _fs_fchown.ts (#​32007)
• fix(flags): correct zsh completions for script arg (#​31994)
• fix(install): clean up associated config and lock files during uninstall
  (#​31984)
• fix(types): correct types for Worker events (#​31981)
• fix: Reload the CronHandlerImpl if necessary when the control socket
  receives new envs (#​31996)
• fix: upgrade deno_core to 0.383.0 (#​32014)

v2.6.7

Compare Source

• feat(ext/node): implement mock API for node:test module (#​31954)
• feat(node): implement FileHandle.readv() method (#​31943)
• feat(npm): use JSR for @jsr scope (#​31925)
• feat: External Socket-Based Cron Implementation (#​31952)
• feat: V8 14.5 (#​31873)
• feat: add --inspect-publish-uid flag for VSCode debugging (#​31927)
• fix(ext/http): use serve address override only once (#​31935)
• fix(ext/net): remove socket file when dropping unix listener (#​31947)
• fix(ext/node): sqlite's StatementSync compatibility (#​31941)
• fix(ext/node): align assert throws/rejects signatures (#​31934)
• fix(ext/node): fix usage of new V8 string APIs (#​31963)
• fix(ext/node): implement sqlite's missing options (#​31919)
• fix(ext/node): pass test-child-process-bad-stdio node compat test (#​31851)
• fix(ext/node): read NODE_OPTIONS for --require and --inspect-publish-uid
  (#​31949)
• fix(ext/node): retry stale keepAlive connections in http client (#​31932)
• fix(ext/node): support setImmediate promisify.custom (#​31920)
• fix(ext/node): use primordials in _fs_ftruncate.ts (#​31944)
• fix(ext/node): use primordials in ext/node/polyfills/tls.ts (#​31816)
• fix(ext/web): support object in DOMException second argument for Node.js
  compat (#​31939)
• fix(node): throw ERR_INVALID_ARG_TYPE for invalid fs.readFile path (#​31918)
• fix(unstable): lint ast comments from first file showing in others (#​31956)
• fix(x): use local npm package even if npm specifier is used, forward unstable
  flags (#​31942)
• fix: allow reading /dev/tty without requiring --allow-all (#​31105)
• fix: enable edns for Deno.resolveDns (#​31951)
• fix: graceful server shutdown with open, un-upgraded connections (#​31959)
• fix: use locked-tripwire to prevent unlocked cargo installs (#​31973)

pnpm/pnpm (pnpm)

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

rollup/rollup (rollup)

v4.57.1

Compare Source

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#​6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#​6254)

Pull Requests

• #​6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)
• #​6252: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #​6253: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #​6254: Fully include dynamic imports in a try-catch (@​lukastaegert)
• #​6255: chore(deps): lock file maintenance (@​renovate[bot])

---

Configuration

📅 Schedule: Branch creation - "after 2am and before 3am" (UTC), Automerge - "after 1am and before 2am" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nitro.build	Ready	Preview, Comment	Feb 7, 2026 9:02pm