chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@actions/cache (source)	6.0.0 → 6.0.1
@commitlint/cli (source)	21.0.1 → 21.0.2
@commitlint/config-conventional (source)	21.0.1 → 21.0.2
@vitest/coverage-v8 (source)	4.1.7 → 4.1.8
eslint (source)	10.4.0 → 10.4.1
knip (source)	6.14.1 → 6.15.0
lefthook	2.1.8 → 2.1.9
semver	7.8.0 → 7.8.1
tsx (source)	4.22.3 → 4.22.4
vitest (source)	4.1.7 → 4.1.8

---

Release Notes

actions/toolkit (@​actions/cache)

v6.0.1

• Bump dependency versions (#​2393):
  • @actions/core to ^3.0.1
  • @actions/http-client to ^4.0.1
  • @actions/io to ^3.0.2
  • @azure/core-rest-pipeline to ^1.23.0
  • @azure/storage-blob to ^12.31.0
  • semver to ^7.7.4

conventional-changelog/commitlint (@​commitlint/cli)

v21.0.2

Compare Source

Bug Fixes

• disallow same commit hash for --from and --to (#​4773) (121005e)

conventional-changelog/commitlint (@​commitlint/config-conventional)

v21.0.2

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.8

Compare Source

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in #​10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in #​10474 (675b4)

    View changes on GitHub

eslint/eslint (eslint)

v10.4.1

Compare Source

Bug Fixes

• e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#​20930) (Francesco Trotta)
• d4ce898 fix: propagate failures from delegated commands (#​20917) (Minh Vu)
• f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#​20916) (kuldeep kumar)
• c5bc78b fix: false positive for reference in finally block (#​20655) (Tanuj Kanti)
• 27538c0 fix: add missing CodePath and CodePathSegment types (#​20853) (Pixel998)

Documentation

• 61b0add docs: remove deprecated rule from related rules of max-params (#​20921) (Tanuj Kanti)
• 305d5b9 docs: remove deprecated rules from related rules section (#​20911) (Tanuj Kanti)
• 49b0202 docs: fix display: none of ad (#​20901) (Tanuj Kanti)
• 9067f94 docs: switch build to Node.js 24 (#​20893) (Milos Djermanovic)
• c91b041 docs: Update README (GitHub Actions Bot)
• e349265 docs: clarify semver strings in rule deprecation objects (#​20885) (Milos Djermanovic)

Chores

• b0e466b test: add data property to invalid tests cases for rules (#​20924) (Tanuj Kanti)
• f78838b test: add CodePath type coverage (#​20904) (Pixel998)
• 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#​20922) (Francesco Trotta)
• 002942c ci: declare contents:read on update-readme workflow (#​20919) (Arpit Jain)
• 64bca24 chore: update ecosystem plugins (#​20912) (ESLint Bot)
• 6d7c832 chore: ignore fflate updates in renovate (#​20908) (Pixel998)
• b2c8638 ci: bump pnpm/action-setup from 6.0.7 to 6.0.8 (#​20889) (dependabot[bot])
• a9b8d7f chore: increase maxBuffer for ecosystem tests (#​20881) (sethamus)
• b702ead chore: update ecosystem update PR settings (#​20884) (Pixel998)
• 507f60e chore: update ecosystem plugins (#​20882) (ESLint Bot)
• 92f5c5b test: add unit test for message-count (#​20878) (kuldeep kumar)
• df32108 chore: add @​eslint/markdown and typescript-eslint ecosystem tests (#​20837) (sethamus)
• 327f91d chore: use includeIgnoreFile internally (#​20876) (Kirk Waiblinger)
• f0dc4bd chore: pin fflate@​0.8.2 (#​20877) (Milos Djermanovic)
• 0f4bd25 ci: run Discord alert for ecosystem test failures (#​20873) (Copilot)

webpro-nl/knip (knip)

v6.15.0: Release 6.15.0

Compare Source

• Report exported type used only in inferred-return function body (resolve #​1765) (2413408)
• Work that EXPORTS.md again (7e13451)
• Update npmx ecosystem snapshot (dfc4011)
• Link dependencies key with notes (closes #​1764) (e3e66ce)
• Resolve tsconfig paths when loading plugin configs (#​1762) (0177c74) - thanks @​jakeleventhal!
• Avoid caching failed plugin config loads (#​1768) (5e201cd) - thanks @​jakeleventhal!
• Resolve extensionless .sass imports in SCSS compiler (#​1770) (30c2283) - thanks @​sebacardello!
• fix(vite): detect inline module script entry points in index.html (#​1772) (51f4edd) - thanks @​lucas-spin!
• Harden vite inline module script import detection (b8abcfd)
• Use RecordableHistogram for timerified function stats (d575c69)
• Add orval plugin (resolves #​1751) (4c82aa8)
• Add treatTagHintsAsErrors and --no-tag-hints (resolves #​1767) (4b6a573)
• Add nano-spawn plugin (resolves #​1769) (b2cad06)
• Simplify glob cache validation and ignore-list assembly (df1a960)
• Dedupe ignore-pattern collection and dependency fixing (d49b626)
• Simplify installed-binaries collection in manifest metadata (5514394)
• Flatten control flow in ConfigurationChief (010d570)
• Inline trivial installed-binaries and types-included accessors (b5afb9f)
• Format (eb4b178)
• Replace @​wdio/types dev dep with inline types (a3747d6)
• Bump dependencies (822ab39)
• Work AGENTS.md, etcetera (361bd48)
• Remove rootDirs workaround resolved by oxc-resolver 11.20.0 (e190a9f)
• Add nuxt no-root-tsconfig fixture guarding alias resolution (e3e5bc9)
• Allow extra args for release-it (f9c5995)
• Add @​vercel as platinum sponsor (c4c06a9)
• Overhaul & improve --trace functionailty (60df0b0)
• Re-gen plugins.md (0f9d044)

v6.14.2: Release 6.14.2

Compare Source

• Fix vscode-knip build: pin native oxc bindings to bundled JS version (1b45a41)
• Release vscode-knip@​2.1.5 (328892e)
• Fix Astro plugin to support both possible middleware entry points (#​1749) (33e0cc1) - thanks @​schmalz-dmi!
• Fix LICENSE link (#​1760) (829620f) - thanks @​vortispy!
• Fix GraphQL Codegen script config dependencies (#​1756) (e841c63) - thanks @​jakeleventhal!
• Set pnpm config via env vars, disable verify-deps in ecosystem tests (53c1224)
• Update slonik ecosystem snapshot (f18410b)
• Fix Serverless TypeScript plugin dependencies (#​1757) (ebde7f8) - thanks @​jakeleventhal!
• Fix extended tsconfig type dependency attribution (#​1758) (f600b09) - thanks @​jakeleventhal!
• Fix Bun binary dependency tracking (#​1759) (1b28923) - thanks @​jakeleventhal!
• Detect Babel plugins/presets in Vite plugin options (resolve #​1761) (2753d69)

evilmartians/lefthook (lefthook)

v2.1.9

Compare Source

• fix: update hooks path after resetting (#​1431) by @​mrexox
• deps: May 2026 (#​1415) by @​mrexox

npm/node-semver (semver)

v7.8.1

Compare Source

Bug Fixes

• 17aa702 #​869 strip build metadata before comparator trimming (#​869) (@​owlstronaut)
• 5f3ca13 #​867 handle prerelease bounds in subset (#​867) (@​puneetdixit200, Puneet Dixit)

privatenumber/tsx (tsx)

v4.22.4

Compare Source

Bug Fixes

• resolve CommonJS directory requires inside dependencies (#​803) (1ce8463)

---

This release is also available on:

• npm package (@​latest dist-tag)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​commitlint/​cli@​21.0.2
	vitest@​4.1.8
	@​vitest/​coverage-v8@​4.1.8
	tsx@​4.22.4
	@​actions/​cache@​6.0.1
	lefthook@​2.1.9
	knip@​6.15.0
	eslint@​10.4.1
	@​commitlint/​config-conventional@​21.0.2
	semver@​7.8.1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm js-yaml is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → npm/js-yaml@4.2.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.21%. Comparing base (4f0273f) to head (711f444).
⚠️ Report is 1 commits behind head on trunk.

Additional details and impacted files

@@           Coverage Diff           @@
##            trunk     #126   +/-   ##
=======================================
  Coverage   67.21%   67.21%           
=======================================
  Files           2        2           
  Lines         122      122           
  Branches       32       32           
=======================================
  Hits           82       82           
  Misses         36       36           
  Partials        4        4           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.