fix(deps): update all non-major dependencies

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@hono/node-server	^1.19.6 → ^1.19.7			devDependencies	patch
@react-router/dev (source)	^7.10.0 → ^7.12.0			devDependencies	minor
@react-router/express (source)	^7.10.0 → ^7.12.0			devDependencies	minor
@react-router/express (source)	^7.10.0 → ^7.12.0			dependencies	minor
@react-router/fs-routes (source)	^7.10.0 → ^7.12.0			dependencies	minor
@react-router/node (source)	^7.10.0 → ^7.12.0			dependencies	minor
@react-router/serve (source)	^7.10.0 → ^7.12.0			dependencies	minor
@types/node (source)	^24.10.1 → ^24.10.4			devDependencies	patch
@vitest/ui (source)	^4.0.15 → ^4.0.16			devDependencies	patch
esbuild	^0.27.1 → ^0.27.2			devDependencies	patch
hono (source)	^4.10.7 → ^4.11.3			devDependencies	minor
jsdom	^27.2.0 → ^27.4.0			devDependencies	minor
lucide-react (source)	^0.555.0 → ^0.562.0			dependencies	minor
node	24.11.1 → 24.12.0			uses-with	minor
oxfmt (source)	^0.16.0 → ^0.23.0			devDependencies	minor
oxlint (source)	^1.31.0 → ^1.38.0			devDependencies	minor
oxlint-tsgolint	^0.8.3 → ^0.10.1			devDependencies	minor
pnpm (source)	10.24.0 → 10.27.0			packageManager	minor
react-router (source)	^7.10.0 → ^7.12.0			dependencies	minor
socket.io (source)	^4.8.1 → ^4.8.3			dependencies	patch
socket.io-client (source)	^4.8.1 → ^4.8.3			devDependencies	patch
socket.io-client (source)	^4.8.1 → ^4.8.3			dependencies	patch
turbo (source)	^2.6.2 → ^2.7.3			devDependencies	minor
vite (source)	^7.2.6 → ^7.3.1			devDependencies	minor
vite (source)	8.0.0-beta.0 → 8.0.0-beta.7			pnpm.overrides	patch
vitest (source)	^4.0.15 → ^4.0.16			devDependencies	patch

---

Release Notes

honojs/node-server (@​hono/node-server)

v1.19.7

Compare Source

What's Changed

• fix: Fix for hono issue 4563 - incorrect content-length after following symlink by @​tshmieldev in #​290
• chore: add configVersion to bun.lock by @​yusukebe in #​291

New Contributors

• @​tshmieldev made their first contribution in #​290

Full Changelog: honojs/node-server@v1.19.6...v1.19.7

remix-run/react-router (@​react-router/dev)

v7.12.0

Compare Source

Minor Changes

• Add additional layer of CSRF protection by rejecting submissions to UI routes from external origins. If you need to permit access to specific external origins, you can specify them in the react-router.config.ts config allowedActionOrigins field. (#​14708)

Patch Changes

• Fix Maximum call stack size exceeded errors when HMR is triggered against code with cyclic imports (#​14522)

• fix(vite): Skip SSR middleware in preview server for SPA mode (#​14673)

• [UNSTABLE] Add a new future.unstable_trailingSlashAwareDataRequests flag to provide consistent behavior of request.pathname inside middleware, loader, and action functions on document and data requests when a trailing slash is present in the browser URL. (#​14644)

  Currently, your HTTP and request pathnames would be as follows for /a/b/c and /a/b/c/

  URL /a/b/c	HTTP pathname	request pathname`
  Document	/a/b/c	/a/b/c ✅
  Data	/a/b/c.data	/a/b/c ✅

  URL /a/b/c/	HTTP pathname	request pathname`
  Document	/a/b/c/	/a/b/c/ ✅
  Data	/a/b/c.data	/a/b/c ⚠️

  With this flag enabled, these pathnames will be made consistent though a new _.data format for client-side .data requests:

  URL /a/b/c	HTTP pathname	request pathname`
  Document	/a/b/c	/a/b/c ✅
  Data	/a/b/c.data	/a/b/c ✅

  URL /a/b/c/	HTTP pathname	request pathname`
  Document	/a/b/c/	/a/b/c/ ✅
  Data	/a/b/c/_.data ⬅️	/a/b/c/ ✅

  This a bug fix but we are putting it behind an opt-in flag because it has the potential to be a "breaking bug fix" if you are relying on the URL format for any other application or caching logic.

  Enabling this flag also changes the format of client side .data requests from /_root.data to /_.data when navigating to / to align with the new format. This does not impact the request pathname which is still / in all cases.

• Updated dependencies:

  • react-router@7.12.0
  • @react-router/node@7.12.0
  • @react-router/serve@7.12.0

v7.11.0

Compare Source

Minor Changes

• feat: add vite preview support (#​14507)

Patch Changes

• rsc framework mode manual chunking for react and react-router deps (#​14655)
• add support for throwing redirect Response's at RSC render time (#​14596)
• support custom entrypoints for RSC framework mode (#​14643)
• routeRSCServerRequest replace fetchServer with serverResponse (#​14597)
• rsc framewlrk mode - optimize react-server-dom-webpack if in project package.json (#​14656)
• Updated dependencies:
  • react-router@7.11.0
  • @react-router/serve@7.11.0
  • @react-router/node@7.11.0

v7.10.1

Compare Source

Patch Changes

• Import ESM package pkg-types with a dynamic import() to fix issues on Node 20.18 (#​14624)
• Update valibot dependency to ^1.2.0 to address GHSA-vqpr-j7v3-hqw9 (#​14608)
• Updated dependencies:
  • react-router@7.10.1
  • @react-router/node@7.10.1
  • @react-router/serve@7.10.1

remix-run/react-router (@​react-router/express)

v7.12.0

Compare Source

Patch Changes

• Updated dependencies:
  • react-router@7.12.0
  • @react-router/node@7.12.0

v7.11.0

Compare Source

Patch Changes

• Updated dependencies:
  • react-router@7.11.0
  • @react-router/node@7.11.0

v7.10.1

Compare Source

Patch Changes

• Updated dependencies:
  • react-router@7.10.1
  • @react-router/node@7.10.1

remix-run/react-router (@​react-router/fs-routes)

v7.12.0

Compare Source

Patch Changes

• Updated dependencies:
  • @react-router/dev@7.12.0

v7.11.0

Compare Source

Patch Changes

• Updated dependencies:
  • @react-router/dev@7.11.0

v7.10.1

Compare Source

Patch Changes

• Updated dependencies:
  • @react-router/dev@7.10.1

remix-run/react-router (@​react-router/node)

v7.12.0

Compare Source

Patch Changes

• Updated dependencies:
  • react-router@7.12.0

v7.11.0

Compare Source

Patch Changes

• Updated dependencies:
  • react-router@7.11.0

v7.10.1

Compare Source

Patch Changes

• Updated dependencies:
  • react-router@7.10.1

remix-run/react-router (@​react-router/serve)

v7.12.0

Compare Source

Patch Changes

• Updated dependencies:
  • react-router@7.12.0
  • @react-router/node@7.12.0
  • @react-router/express@7.12.0

v7.11.0

Compare Source

Patch Changes

• support custom entrypoints for RSC framework mode (#​14643)
• Update compression and morgan dependencies to address on-headers CVE: GHSA-76c9-3jph-rj3q (#​14652)
• Updated dependencies:
  • react-router@7.11.0
  • @react-router/node@7.11.0
  • @react-router/express@7.11.0

v7.10.1

Compare Source

Patch Changes

• Updated dependencies:
  • react-router@7.10.1
  • @react-router/node@7.10.1
  • @react-router/express@7.10.1

vitest-dev/vitest (@​vitest/ui)

v4.0.16

Compare Source

   🐞 Bug Fixes

• Fix browser mode default testTimeout back to 15 seconds  -  by @​hi-ogawa in #​9167 (da0ad)
• Avoid crashing on process.versions stub  -  by @​AriPerkkio in #​9174 (78cfb)
• Reject calling suite function inside test  -  by @​hi-ogawa in #​9198 (1a259)
• Allow inlining fully dynamic import  -  by @​hi-ogawa in #​9137 (56851)
• Fix module graph UI on html reporter with headless browser mode  -  by @​hi-ogawa in #​9219 (60642)
• Log deprecated test.poolOptions if it's set  -  by @​sheremet-va in #​9226 (f7f6a)
• browser:
  • Import recordArtifact from the vitest package  -  by @​macarie in #​9186 (01c56)
  • Fix import.meta.env define  -  by @​hi-ogawa in #​9205 (01a9a)
  • String formatting bug when including placeholders in console.log  -  by @​michael-debs and @​hi-ogawa in #​9030 and #​9131 (84a30)
• coverage:
  • Istanbul untested files source maps are off  -  by @​AriPerkkio in #​9208 (372e8)
• experimental:
  • Export setupEnvironment for custom pools  -  by @​AriPerkkio in #​9187 (5d26b)

    View changes on GitHub

evanw/esbuild (esbuild)

v0.27.2

Compare Source

• Allow import path specifiers starting with #/ (#​4361)

  Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

  This change was contributed by @​hybrist.

• Automatically add the -webkit-mask prefix (#​4357, #​4358)

  This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

  /* Original code */
  main {
    mask: url(x.png) center/5rem no-repeat
  }
  
  /* Old output (with --target=chrome110) */
  main {
    mask: url(x.png) center/5rem no-repeat;
  }
  
  /* New output (with --target=chrome110) */
  main {
    -webkit-mask: url(x.png) center/5rem no-repeat;
    mask: url(x.png) center/5rem no-repeat;
  }

  This change was contributed by @​BPJEnnova.

• Additional minification of switch statements (#​4176, #​4359)

  This release contains additional minification patterns for reducing switch statements. Here is an example:

  // Original code
  switch (x) {
    case 0:
      foo()
      break
    case 1:
    default:
      bar()
  }
  
  // Old output (with --minify)
  switch(x){case 0:foo();break;case 1:default:bar()}
  
  // New output (with --minify)
  x===0?foo():bar();

• Forbid using declarations inside switch clauses (#​4323)

  This is a rare change to remove something that was previously possible. The Explicit Resource Management proposal introduced using declarations. These were previously allowed inside case and default clauses in switch statements. This had well-defined semantics and was already widely implemented (by V8, SpiderMonkey, TypeScript, esbuild, and others). However, it was considered to be too confusing because of how scope works in switch statements, so it has been removed from the specification. This edge case will now be a syntax error. See tc39/proposal-explicit-resource-management#215 and rbuckton/ecma262#14 for details.

  Here is an example of code that is no longer allowed:

  switch (mode) {
    case 'read':
      using readLock = db.read()
      return readAll(readLock)
  
    case 'write':
      using writeLock = db.write()
      return writeAll(writeLock)
  }

  That code will now have to be modified to look like this instead (note the additional { and } block statements around each case body):

  switch (mode) {
    case 'read': {
      using readLock = db.read()
      return readAll(readLock)
    }
    case 'write': {
      using writeLock = db.write()
      return writeAll(writeLock)
    }
  }

  This is not being released in one of esbuild's breaking change releases since this feature hasn't been finalized yet, and esbuild always tracks the current state of the specification (so esbuild's previous behavior was arguably incorrect).

honojs/hono (hono)

v4.11.3

Compare Source

What's Changed

• fix(types): fix middleware union type merging in MergeMiddlewareResponse by @​yusukebe in #​4602

Full Changelog: honojs/hono@v4.11.2...v4.11.3

v4.11.2

Compare Source

What's Changed

• docs: improve grammar in contributing documentation by @​Ishiezz in #​4581
• fix(validator): preserve literal union types in input type inference by @​yusukebe in #​4583
• chore: bump typescript-go preview for accurate benchmarking by @​sushichan044 in #​4586
• refactor(hono-base): add type annotations by @​yusukebe in #​4591
• refactor(client): refactor HonoURL types by @​yusukebe in #​4592
• perf(types): reduce Simplify in ToSchema by @​yusukebe in #​4597
• perf(types): optimize MergeMiddlewareResponse type by @​yusukebe in #​4598

New Contributors

• @​Ishiezz made their first contribution in #​4581

Full Changelog: honojs/hono@v4.11.1...v4.11.2

v4.11.1

Compare Source

What's Changed

• fix(types): fix app.on method array type inference by @​kosei28 in #​4578

Full Changelog: honojs/hono@v4.11.0...v4.11.1

v4.11.0

Compare Source

Release Notes

Hono v4.11.0 is now available!

This release includes new features for the Hono client, middleware improvements, and an important type system fix.

Type System Fix for Middleware

We've fixed a bug in the type system for middleware. Previously, app did not have the correct type with pathless handlers:

const app = new Hono()
  .use(async (c, next) => {
    await next()
  })
  .get('/a', async (c, next) => {
    await next()
  })
  .get((c) => {
    return c.text('Hello')
  })

// app's type was incorrect

This has now been fixed.

Thanks @​kosei28!

Typed URL for Hono Client

You can now pass the base URL as the second type parameter to hc to get more precise URL types:

const client = hc<typeof app, 'http://localhost:8787'>(
  'http://localhost:8787/'
)

const url = client.api.posts.$url()
// url is TypedURL with precise type information
// including protocol, host, and path

This is useful when you want to use the URL as a type-safe key for libraries like SWR.

Thanks @​miyaji255!

Custom NotFoundResponse Type

You can now customize the NotFoundResponse type using module augmentation. This allows c.notFound() to return a typed response:

import { Hono, TypedResponse } from 'hono'

declare module 'hono' {
  interface NotFoundResponse
    extends Response,
      TypedResponse<{ error: string }, 404, 'json'> {}
}

const app = new Hono()
  .get('/posts/:id', async (c) => {
    const post = await getPost(c.req.param('id'))
    if (!post) {
      return c.notFound()
    }
    return c.json({ post }, 200)
  })
  .notFound((c) => c.json({ error: 'not found' }, 404))

Now the client can correctly infer the 404 response type.

Thanks @​miyaji255!

tryGetContext Helper

The new tryGetContext() helper in the Context Storage middleware returns undefined instead of throwing an error when the context is not available:

import { tryGetContext } from 'hono/context-storage'

const context = tryGetContext<Env>()
if (context) {
  // Context is available
  console.log(context.var.message)
}

Thanks @​AyushCoder9!

Custom Query Serializer

You can now customize how query parameters are serialized using the buildSearchParams option:

const client = hc<AppType>('http://localhost', {
  buildSearchParams: (query) => {
    const searchParams = new URLSearchParams()
    for (const [k, v] of Object.entries(query)) {
      if (v === undefined) continue
      if (Array.isArray(v)) {
        v.forEach((item) => searchParams.append(`${k}[]`, item))
      } else {
        searchParams.set(k, v)
      }
    }
    return searchParams
  },
})

Thanks @​bolasblack!

New features

• feat(types): make Hono client's $url return the exact URL type #​4502
• feat(types): enhance NotFoundHandler to support custom NotFoundResponse type #​4518
• feat(timing): add wrapTime to simplify usage #​4519
• feat(pretty-json): support force option #​4531
• feat(client): add buildSearchParams option to customize query serialization #​4535
• feat(context-storage): add optional tryGetContext helper #​4539
• feat(secure-headers): add CSP report-to and report-uri directive support #​4555
• fix(types): replace schema-based path tracking with CurrentPath parameter #​4552

All changes

• chore: update esbuild to version 0.27.1 by @​kosei28 in #​4571
• fix(hono/jsx): display blank when children is nullish by @​techfish-11 in #​4573
• feat(types): make Hono client's $url return the exact URL type by @​miyaji255 in #​4502
• feat(types): enhance NotFoundHandler to support custom NotFoundResponse type by @​miyaji255 in #​4518
• feat(timing): add wrapTime to simplify usage by @​PassiDel in #​4519
• feat(pretty-json): support force option by @​missinglink in #​4531
• feat(context-storage): Add optional tryGetContext helper to context-storage middleware by @​AyushCoder9 in #​4539
• feat(client): add buildSearchParams option to customize query serialization by @​bolasblack in #​4535
• feat(secure-headers): Add CSP report-to and report-uri directive support by @​cruzz77 in #​4555
• fix(types): replace schema-based path tracking with CurrentPath parameter by @​kosei28 in #​4552
• Next by @​yusukebe in #​4574

New Contributors

• @​missinglink made their first contribution in #​4531
• @​bolasblack made their first contribution in #​4535
• @​cruzz77 made their first contribution in #​4555

Full Changelog: honojs/hono@v4.10.8...v4.11.0

v4.10.8

Compare Source

What's Changed

• chore: bump linter and formatter by @​ryuapp in #​4568
• chore: bump github actions by @​ryuapp in #​4569
• fix(linear-router): incorrect path matching by @​cromery in #​4567
• docs(cookie): update outdated RFC links by @​AyushCoder9 in #​4557
• feat(csrf): Support async IsAllowedOriginHandler by @​baseballyama in #​4558
• feat(csrf): Support async IsAllowedSecFetchSiteHandler by @​baseballyama in #​4559

New Contributors

• @​cromery made their first contribution in #​4567
• @​AyushCoder9 made their first contribution in #​4557
• @​baseballyama made their first contribution in #​4558

Full Changelog: honojs/hono@v4.10.7...v4.10.8

jsdom/jsdom (jsdom)

v27.4.0

Compare Source

• Added TextEncoder and TextDecoder.
• Improved decoding of HTML bytes by using the new @exodus/bytes package; it is now much more correct. (ChALkeR)
• Improved decoding of XML bytes to use UTF-8 more often, instead of sniffing for <meta charset> or using the parent frame's encoding.
• Fixed a memory leak when Ranges were used and then the elements referred to by those ranges were removed.

v27.3.0

Compare Source

• Improved CSS parsing and CSSOM object APIs via updates to @acemir/cssom. (acemir)

lucide-icons/lucide (lucide-react)

v0.562.0

Compare Source

v0.561.0: Version 0.561.0

Compare Source

What's Changed

• fix(site): Small adjustments color picker and add clear button search bar by @​ericfennis in #​3851
• feat(icons): added stone icon by @​Alportan in #​3850

Full Changelog: lucide-icons/lucide@0.560.0...0.561.0

v0.560.0: Version 0.560.0

Compare Source

What's Changed

• feat(icons): added cannabis-off icon by @​NickVeles in #​3748

New Contributors

• @​NickVeles made their first contribution in #​3748

Full Changelog: lucide-icons/lucide@0.559.0...0.560.0

v0.559.0: Version 0.559.0

Compare Source

What's Changed

• feat(icons): added fishing-hook icon by @​7ender in #​3837

New Contributors

• @​7ender made their first contribution in #​3837

Full Changelog: lucide-icons/lucide@0.558.0...0.559.0

v0.558.0: Version 0.558.0

Compare Source

What's Changed

• feat(icons): added hd icon by @​jamiemlaw in #​2958

Full Changelog: lucide-icons/lucide@0.557.0...0.558.0

v0.557.0: Version 0.557.0

Compare Source

What's Changed

• fix(github/workflows/ci): fixes linting issues by @​karsa-mistmere in #​3858
• fix(icons): changed memory-stick icon by @​karsa-mistmere in #​3017
• fix(icons): changed microchip icon by @​karsa-mistmere in #​3018
• chore(repo): Update Node version and overal cleanup by @​ericfennis in #​3861
• fix(icons): changed paint-bucket icon by @​jguddas in #​3865
• fix(icons): changed brush-cleaning icon by @​jguddas in #​3863
• fix(icons): Swap thumbs-up thumbs-down paths to fix fill issue by @​theianjones in #​3873
• fix(icons): changed tickets icon by @​karsa-mistmere in #​3859
• feat(icons): added layers-plus icon by @​juanisidoro in #​3367
• docs(dev): Fix code sample for vanilla JS by @​wavebeem in #​3836
• feat(icons): add search-error icon by @​Veatec22 in #​3292
• feat(icons): Add cloud-sync and cloud-backup by @​ericfennis in #​3466
• feat(icons): added circle-pile icon by @​nathan-de-pachtere in #​3681
• feat(icons): added balloon icon by @​peteruithoven in #​2519

New Contributors

• @​theianjones made their first contribution in #​3873
• @​juanisidoro made their first contribution in #​3367
• @​wavebeem made their first contribution in #​3836
• @​Veatec22 made their first contribution in #​3292

Full Changelog: lucide-icons/lucide@0.556.0...0.557.0

v0.556.0: Version 0.556.0

Compare Source

What's Changed

• feat(icon): add book-search icon (#​3573) by @​Muhammad-Aqib-Bashir in #​3580
• chore(dependencies): Update dependencies by @​ericfennis in #​3809
• ci(workflows): Enable trusted publishing in release by @​ericfennis in #​3808
• feat(icons): added scooter icon by @​Ahmed-Dghaies in #​3818
• fix(icons): changed plug icon by @​jamiemlaw in #​3841
• fix(icons): changed thermometer-sun icon by @​jguddas in #​3773
• fix(icons): Shrink square-scissors icons to match optical volume by @​eden881 in #​3603
• feat(preview-comment): add symmetry preview by @​jguddas in #​3823
• feat(icons): added estimated-weight icon by @​nathan-de-pachtere in #​3822
• fix(icons): changed flashlight icons by @​jamiemlaw in #​3843
• fix(icons): changed bubbles icon by @​jguddas in #​3774
• feat(site): add brand stop words to icon search by @​karsa-mistmere in #​3824
• feat(icons): added van icon by @​Ahmed-Dghaies in #​3821

New Contributors

• @​Muhammad-Aqib-Bashir made their first contribution in #​3580
• @​Ahmed-Dghaies made their first contribution in #​3818
• @​eden881 made their first contribution in #​3603
• @​nathan-de-pachtere made their first contribution in #​3822

Full Changelog: lucide-icons/lucide@0.555.0...0.556.0

actions/node-versions (node)

v24.12.0: 24.12.0

Compare Source

Node.js 24.12.0

oxc-project/oxc (oxfmt)

v0.23.0

Compare Source

v0.22.0

Compare Source

💥 BREAKING CHANGES

• f7da875 oxlint: [BREAKING] Remove oxc_language_server binary (#​17457) (Boshen)

🚀 Features

• 8fd4ea9 oxfmt: options.embeddedLanguageFormatting is now "auto" by default (#​17649) (leaysgur)

v0.21.0

Compare Source

🐛 Bug Fixes

• 0a39cba oxfmt: Update wrong doc comment (#​17288) (leaysgur)

v0.20.0

Compare Source

🚀 Features

• 97a02d1 oxfmt: Add insertFinalNewline option (#​17251) (leaysgur)

v0.19.0

Compare Source

v0.18.0

Compare Source

🚀 Features

• afd6c44 oxfmt: Support quoteProps: consistent in Oxfmtrc (#​16721) (leaysgur)
• 28e0682 oxfmt: Enable experimental package.json sorting by default (#​16593) (leaysgur)

⚡ Performance

• 6f3aaba oxfmt: Use worker_threads by tinypool for prettier formatting (#​16618) (leaysgur)

📚 Documentation

• 8babdf9 oxfmt: Improve docs for .oxfmtrc.jsonc config fields and add markdownDescription fields to JSON Schema (#​16587) (connorshea)

v0.17.0

[Compare Source](https://

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.