chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@eslint/compat (source)	^2.0.2 → ^2.0.3			devDependencies	patch
@eslint/eslintrc	^3.3.3 → ^3.3.5			devDependencies	patch
@types/node (source)	^20.19.25 → ^20.19.37			devDependencies	patch
@typescript-eslint/eslint-plugin (source)	^8.48.0 → ^8.58.0			devDependencies	patch
@typescript-eslint/parser (source)	^8.48.0 → ^8.58.0			devDependencies	patch
esbuild	^0.27.0 → ^0.27.5			devDependencies	patch
eslint-plugin-import-x	^4.16.1 → ^4.16.2			devDependencies	patch
node (source)	20.19.6 → 20.20.2				minor
pnpm (source)	10.24.0 → 10.33.0				minor
prettier (source)	3.7.3 → 3.8.1			devDependencies	minor
typescript-eslint (source)	^8.48.0 → ^8.58.0			devDependencies	patch

---

Release Notes

evanw/esbuild (esbuild)

v0.27.5

Compare Source

• Fix for an async generator edge case (#​4401, #​4417)

  Support for transforming async generators into the equivalent state machine was added in version 0.19.0. However, the generated state machine didn't work correctly when polling async generators concurrently, such as in the following code:

  async function* inner() { yield 1; yield 2 }
  async function* outer() { yield* inner() }
  let gen = outer()
  for await (let x of [gen.next(), gen.next()]) console.log(x)

  Previously esbuild's output of the above code behaved incorrectly when async generators were transformed (such as with --supported:async-generator=false). The transformation should be fixed starting with this release.

  This fix was contributed by @​2767mr.

• Fix a regression when metafile is enabled (#​4420, #​4418)

  This release fixes a regression introduced by the previous release. When metafile: true was enabled in esbuild's JavaScript API, builds with build errors were incorrectly throwing an error about an empty JSON string instead of an object containing the build errors.

• Use define semantics for TypeScript parameter properties (#​4421)

  Parameter properties are a TypeScript-specific code generation feature that converts constructor parameters into class fields when they are prefixed by certain keywords. When "useDefineForClassFields": true is present in tsconfig.json, the TypeScript compiler automatically generates class field declarations for parameter properties. Previously esbuild didn't do this, but esbuild will now do this starting with this release:

  // Original code
  class Foo {
    constructor(public x: number) {}
  }
  
  // Old output (with --loader=ts)
  class Foo {
    constructor(x) {
      this.x = x;
    }
  }
  
  // New output (with --loader=ts)
  class Foo {
    constructor(x) {
      this.x = x;
    }
    x;
  }

• Allow es2025 as a target in tsconfig.json (#​4432)

  TypeScript recently added es2025 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2025"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

nodejs/node (node)

v20.20.2: 2026-03-24, Version 20.20.2 'Iron' (LTS), @​marco-ippolito

Compare Source

This is a security release.

Notable Changes

• (CVE-2026-21717) fix array index hash collision (Joyee Cheung)
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan)
• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina)
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS)pull/795>
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS)
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS)
• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina)

Commits

• [cfb51fa9ce] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#831
• [f333d0be5f] - deps: V8: override depot_tools version (Richard Lau) #​62344
• [2acd5d1226] - deps: update undici to v6.24.1 (Matteo Collina) #​62285
• [af5c144ebc] - (CVE-2026-21717) deps,build,test: fix array index hash collision (Joyee Cheung) nodejs-private/node-private#834
• [00ad47a28e] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [0123309566] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#840
• [00830712bc] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#838
• [a0c73425da] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [cc3f294507] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#839

v20.20.1: 2026-03-05, Version 20.20.1 'Iron' (LTS), @​marco-ippolito

Compare Source

Notable Changes

• [91a66e671c] - build: test on Python 3.14 (Christian Clauss) #​59983
• [f66056054b] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #​61419
• [80feacaddb] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #​60741

Commits

• [6f580d5399] - assert: fix deepEqual always return true on URL (Xuguang Mei) #​50853
• [91a66e671c] - build: test on Python 3.14 (Christian Clauss) #​59983
• [cc4f7af6f3] - build: skip sscache action on non-main branches (Joyee Cheung) #​61790
• [f66056054b] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #​61419
• [80feacaddb] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #​60741
• [fa88cc07e2] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #​60662
• [88b2eec88a] - deps: update minimatch to 10.2.2 (Node.js GitHub Bot) #​61830
• [5c053264f1] - deps: V8: backport 6a0a25a (Vivian Wang) #​61687
• [4a398699d0] - deps: update googletest to 5a9c3f9 (Node.js GitHub Bot) #​61731
• [4fa43adf15] - deps: update googletest to 56efe39 (Node.js GitHub Bot) #​61605
• [1a855d490c] - deps: update googletest to 8508785 (Node.js GitHub Bot) #​61417
• [d8a9359826] - deps: update icu to 78.2 (Node.js GitHub Bot) #​60523
• [e79cd3a0bb] - deps: update acorn-walk to 8.3.5 (Node.js GitHub Bot) #​61928
• [0707ade464] - deps: update acorn to 8.16.0 (Node.js GitHub Bot) #​61925
• [dc5a3cddef] - deps: update llhttp to 9.3.1 (Node.js GitHub Bot) #​61827
• [46043b94c7] - deps: update zlib to 1.3.1-e00f703 (Node.js GitHub Bot) #​61135
• [6be15a596e] - deps: update cjs-module-lexer to 2.2.0 (Node.js GitHub Bot) #​61271
• [10881404cd] - deps: update timezone to 2025c (Node.js GitHub Bot) #​61138
• [1594a78c85] - deps: update googletest to 065127f (Node.js GitHub Bot) #​61055
• [7fa2ee1933] - deps: update zlib to 1.3.1-63d7e16 (Node.js GitHub Bot) #​60898
• [09259532ef] - deps: update googletest to 1b96fa1 (Node.js GitHub Bot) #​60739
• [aa8bdb6886] - deps: update cjs-module-lexer to 2.1.1 (Node.js GitHub Bot) #​60646
• [cc849fde27] - deps: update googletest to 279f847 (Node.js GitHub Bot) #​60219
• [a99ba553a2] - deps: update googletest to 50b8600 (Node.js GitHub Bot) #​59955
• [6349a79f5f] - deps: update googletest to 7e17b15 (Node.js GitHub Bot) #​59131
• [8ba759f1a0] - deps: update googletest to 35b75a2 (Node.js GitHub Bot) #​58710
• [927d906850] - deps: update googletest to e9092b1 (Node.js GitHub Bot) #​58565
• [bf8919f5c2] - deps: update googletest to 0bdccf4 (Node.js GitHub Bot) #​57380
• [ae6231dac0] - deps: update googletest to e235eb3 (Node.js GitHub Bot) #​56873
• [0561c62e85] - deps: update minimatch to 10.1.2 (Node.js GitHub Bot) #​61732
• [f0ef221b0d] - deps: update minimatch to 10.1.1 (Node.js GitHub Bot) #​60543
• [15bd0da404] - deps: update archs files for openssl (Antoine du Hamel) #​61912
• [04d439323f] - deps: upgrade openssl sources to openssl-3.0.19 (Antoine du Hamel) #​61912
• [2ea16d3bd6] - deps: update corepack to 0.34.6 (Node.js GitHub Bot) #​61510
• [622f973d1c] - deps: update corepack to 0.34.5 (Node.js GitHub Bot) #​60842
• [2cd265d8b9] - deps: update corepack to 0.34.4 (Node.js GitHub Bot) #​60643
• [65e839687b] - deps: update corepack to 0.34.2 (Node.js GitHub Bot) #​60550
• [2dc99d2771] - dns: fix Windows SRV ECONNREFUSED by adjusting c-ares fallback detection (notvivek12) #​61453
• [2c7b84b1d8] - doc: fix typo in http.md (Michael Solomon) #​59354
• [a84b42667c] - doc: fix grammar in global dispatcher usage (Eng Zer Jun) #​59344
• [ffd0ada45f] - doc: fix typo in test/common/README.md (Yoo) #​59180
• [b4d9d006e7] - doc: fix broken sentence in URL.parse (Superchupu) #​59164
• [45e9971d9c] - doc: fix typo in writing-test.md (SeokHun) #​59123
• [e9fd10b5d6] - doc: fix fetch subsections in globals.md (Antoine du Hamel) #​58933
• [3715dd1c2b] - doc: fix wrong RFC number in http2 (Deokjin Kim) #​58753
• [098c017eac] - doc: punctuation fix for Node-API versioning clarification (Jiacai Liu) #​58599
• [545bf434e1] - doc: fix typo of file http.md, outgoingMessage.setTimeout section (yusheng chen) #​58188
• [b3d6683e7b] - doc: support toolchain with Visual Studio 2019 & 2022 only (Mike McCready) #​61450
• [8fdde5d110] - doc: fix v20 changelog after security release (Marco Ippolito) #​61371
• [31d04599be] - http: fix keep-alive not timing out after post-request empty line (Shima Ryuhei) #​58178
• [5ec7d1eba0] - http2: validate initialWindowSize per HTTP/2 spec (Matteo Collina) #​61402
• [5c091d5a96] - meta: persist sccache daemon until end of build workflows (René) #​61639
• [183353aba0] - path,win: fix bug in resolve and normalize (Hüseyin Açacak) #​55623
• [dbe9e5091b] - src: fix flags argument offset in JSUdpWrap (Weixie Cui) #​61948
• [4106bfc775] - test: mark stringbytes-external-max flaky on AIX (Stewart X Addison) #​60995
• [de51937306] - test: mark stringbytes-external-exceed-max tests as flaky on AIX (Joyee Cheung) #​60565
• [368b221be3] - test: fix flaky test-performance-eventloopdelay (Matteo Collina) #​61629
• [e134912a33] - test: fix flaky test-worker-message-port-transfer-filehandle test (Alex Yang) #​59158
• [5630170d3e] - test: account for truthy signal in flaky async_hooks tests (Darshan Sen) #​58478
• [1e5363bb63] - test: mark test-http2-debug as flaky on LinuxONE (Richard Lau) #​58494
• [662998787a] - test: set test-fs-cp as flaky (Stefan Stojanovic) #​56799
• [0807127339] - test: mark test-esm-loader-hooks-inspect-wait flaky (Richard Lau) #​56803
• [6320cd0721] - test: skip strace test with shared openssl (Richard Lau) #​61987
• [83b9f8ee02] - tools: make nodedownload module compatible with Python 3.14 (Lumír 'Frenzy' Balhar) #​58752
• [6cf9b5786e] - tools: enforce removal of lts-watch-* labels on release proposals (Antoine du Hamel) #​61672
• [cd4161499c] - tools: use ubuntu-slim runner in meta GitHub Actions (Tierney Cyren) #​61663
• [6dc2a99a0d] - tools: validate release commit diff as part of lint-release-proposal (Antoine du Hamel) #​61440
• [5014f22332] - tools: add read permission to workflows that read contents (Antoine du Hamel) #​58255
• [6c3ad2a5a3] - tools: switch to ARM runners on GHA jobs (Antoine du Hamel) #​61903
• [1abada9c34] - tools: avoid building twice in coverage jobs (Antoine du Hamel) #​61899
• [f260e40127] - tools: use ubuntu-slim runner in GHA (Antoine du Hamel) #​61759
• [64beca5e01] - tools: use ubuntu-slim runner in GHA (Antoine du Hamel) #​61734

v20.20.0: 2026-01-13, Version 20.20.0 'Iron' (LTS), @​marco-ippolito

Compare Source

This is a security release.

Notable Changes

lib:

• (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#802
• (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
  lib,permission:
• (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
  src:
• (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
  src,lib:
• (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
  tls:
• (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

Commits

• [8f9ba3f623] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #​60997
• [97fc9b0eb7] - deps: update undici to 6.23.0 (Matteo Collina) nodejs-private/node-private#792
• [14fbbb510c] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#802
• [1febc48d5b] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• [494f62dc23] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• [d7a5c587c0] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
• [51f4de4b4a] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
• [85f73e7057] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

pnpm/pnpm (pnpm)

v10.33.0

Compare Source

v10.32.1: pnpm 10.32.1

Compare Source

Patch Changes

• Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #​10909.

Platinum Sponsors

Gold Sponsors

v10.32.0: pnpm 10.32

Compare Source

Minor Changes

• Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #​10136.

Patch Changes

• Reverted change related to setting explicitly the npm config file path, which caused regressions.
• Reverted fix related to lockfile-include-tarball-url. Fixes #​10915.

Platinum Sponsors

Gold Sponsors

v10.31.0

Compare Source

v10.30.3

Compare Source

v10.30.2

Compare Source

v10.30.1: pnpm 10.30.1

Compare Source

Patch Changes

• Use the /-/npm/v1/security/audits/quick endpoint as the primary audit endpoint, falling back to /-/npm/v1/security/audits when it fails #​10649.

Platinum Sponsors

Gold Sponsors

v10.30.0: pnpm 10.30

Compare Source

Minor Changes

• pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.

Patch Changes

• Revert pnpm why dependency pruning to prefer correctness over memory consumption. Reverted PR: #​7122.
• Optimize pnpm why and pnpm list performance in workspaces with many importers by sharing the dependency graph and materialization cache across all importers instead of rebuilding them independently for each one #​10596.

Platinum Sponsors

Gold Sponsors

v10.29.3

Compare Source

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) in timezone Pacific/Auckland, Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired. If you want to rebase/retry this PR, check this box This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.23%. Comparing base (3ac4a2f) to head (0437007).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #281   +/-   ##
=======================================
  Coverage   72.23%   72.23%           
=======================================
  Files           4        4           
  Lines         389      389           
  Branches       54       54           
=======================================
  Hits          281      281           
  Misses        108      108           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.