Skip to content

chore(deps): update all non-major dependencies#402

Merged
lachlancollins merged 1 commit into
mainfrom
renovate/all-minor-patch
Jul 14, 2026
Merged

chore(deps): update all non-major dependencies#402
lachlancollins merged 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@arethetypeswrong/core (source) ^0.18.4^0.18.5 age confidence
eslint (source) ^10.6.0^10.7.0 age confidence
nx (source) 23.0.123.0.2 age confidence
pnpm (source) 11.10.011.11.0 age confidence
pnpm (source) >=11.10.0>=11.11.0 age confidence
prettier (source) ^3.9.4^3.9.5 age confidence
tsdown (source) ^0.22.3^0.22.4 age confidence
typescript-eslint (source) ^8.62.1^8.63.0 age confidence
vite (source) ^8.1.3^8.1.4 age confidence
vitest (source) ^4.1.9^4.1.10 age confidence

Release Notes

arethetypeswrong/arethetypeswrong.github.io (@​arethetypeswrong/core)

v0.18.5

Patch Changes
  • c4be7e8: Detect default exports in webpack-bundled CommonJS libraries.
eslint/eslint (eslint)

v10.7.0

Compare Source

Features

  • cf2a9bf feat: add errorClassNames option to preserve-caught-error rule (#​21032) (sethamus)
  • f8b873a feat: max-nested-callbacks option for constructor callbacks (#​21063) (fnx)
  • 557fde8 feat: support computed Number.parseInt member access in radix rule (#​21041) (Pixel)
  • 0b4a73b feat: add suggestions to no-compare-neg-zero (#​21034) (den$)
  • 96cdd42 feat: report invalid signed numeric radix values in radix rule (#​21030) (Pixel)

Bug Fixes

  • 3e7bf15 fix: apply ignoreClassesWithImplements to class expressions (#​21069) (Pixel)
  • 0d7d70c fix: insert cause outside wrapping parens in preserve-caught-error (#​21062) (Mahin Anowar)
  • 75ec753 fix: handle static template literals in eqeqeq rule (#​21058) (Pixel)
  • b717a22 fix: prevent eqeqeq null option from reporting non-equality operators (#​21057) (Pixel)
  • e35b05f fix: avoid no-invalid-regexp false positive for shadowed RegExp (#​21051) (Pixel)
  • a3172b6 fix: avoid no-control-regex false positive for shadowed RegExp (#​21050) (Pixel)
  • d1f637e fix: parenthesize sequence expression operands in no-implicit-coercion (#​21045) (spokodev)
  • 8859baf fix: avoid prefer-numeric-literals false positive for shadowed globals (#​21047) (한국)
  • a9e5961 fix: use-isnan false positive on shadowed NaN/Number (#​20958) (sethamus)
  • 8a240a7 fix: avoid false positives in radix rule for spread arguments (#​21044) (Pixel)

Documentation

  • c30d808 docs: Update README (GitHub Actions Bot)
  • 5139800 docs: document ESLint migration codemods in v9 and v10 guides (#​20980) (Alex Bit)
  • 04174cb docs: Update README (GitHub Actions Bot)
  • 026e130 docs: update semver policy for bug fixes (#​21048) (Milos Djermanovic)
  • 9d42fef docs: Update README (GitHub Actions Bot)
  • b230159 docs: Update README (GitHub Actions Bot)
  • 0129972 docs: correct **/.js glob to **/*.js in config files guide (#​21036) (EduardF1)

Chores

nrwl/nx (nx)

v23.0.2

Compare Source

23.0.2 (2026-07-10)

🚀 Features
  • core: re-add isCacheableTask helper (#​36177)
🩹 Fixes
  • bundling: prevent TS6059 when an app imports a workspace lib from source (#​36217, #​35017)
  • core: prefer module.registerHooks to avoid DEP0205 deprecation warning (#​36081)
  • core: prevent nx migrate crash when include=optional filters out the target package (#​36087)
  • core: make nx migrate honor preapproved packages and emit a valid temp workspace (#​36086)
  • core: skip daemon project-graph recompute on no-op file rewrites (#​36082)
  • core: prevent the TUI from auto-selecting a completed task when a batch finishes (#​35833)
  • core: deregister pseudo-terminal exit handlers when tasks finish (#​36115)
  • core: prevent path traversal / zip-slip in self-hosted remote cache (#​36116)
  • core: respect explicit --nxCloud=skip for AI agents in create-nx-workspace (#​36131)
  • core: warn when the self-hosted remote cache disables TLS verification (NXC-4593) (#​36132, #​36116)
  • core: throw actionable error when pnpm .modules.yaml is missing (#​35666, #​35635)
  • core: support ${configDir} in tsconfig path alias resolution (#​36037, #​35804)
  • core: prevent non-npm devEngines pin from breaking npm registry lookups (#​36020, #​35815)
  • core: clarify nx sync remediation messaging and surface spinner output in non-tty (#​35747)
  • core: exclude direct-dependency overrides from generated package.json (#​36040, #​35675)
  • core: apply target defaults when project.json overrides an inferred run-commands target with different commands (#​36142, #​36067)
  • core: run the nx.bat wrapper for dot-nx setup on windows (#​36048)
  • core: speed up bun lockfile parsing (#​36198)
  • core: set NX_CLI_SET in batch worker processes (#​36214, #​36210)
  • core: preserve comments in catalog YAML updates (#​35733)
  • core: box JsonFileSet payload to keep HashInstruction small (#​36247, #​35248, #​36244, #​36152)
  • core: share workspace fileset hash results instead of deep-cloning per task (#​36244, #​34971, #​34942)
  • core: replace per-input visited clones with undo-log scoping in hash planner (#​36248, #​35071, #​36152, #​34971, #​36244, #​35248, #​36247)
  • core: intern hash instructions in a pool and plan with id lists (#​36249, #​35071, #​36152, #​36248)
  • core: detect Codex sandbox on Linux to disable daemon and plugin isolation (#​36273)
  • devkit: restore prettier v2 support in formatFiles (#​36193)
  • graph: prevent project details web view top from being clipped (#​36154)
  • js: prevent doubled output paths in buildable library path mappings (#​36138, #​36079)
  • js: scope incremental type-check .tsbuildinfo per project (#​36137, #​36113)
  • js: preserve npm allowScripts allowlist in pruned package.json (#​36016, #​35931)
  • js: resolve catalog references in pruned package.json output (#​35805, #​35419)
  • js: avoid import locator unicode position panic (#​36133, #​36128)
  • js: prevent Windows TS6059 rootDir errors in tsc builds (#​36184, #​35696)
  • js: wait for process tree exit when stopping node executor tasks (#​36230)
  • linter: update terminal cli regex for local-dist build (#​36201, #​36199)
  • maven: de-flake maven e2e by dropping -X debug forks and widening timeout (#​36091)
  • misc: bump axios to 1.16.1 (#​36120)
  • misc: use default import for chalk in @​nx/workspace output.ts (#​35523, #​35521, #​34111, #​21201, #​26667)
  • misc: remove duplicate nx init cloud-prompt telemetry event (#​36145)
  • nx-cloud: use standard utm params on cloud prompt links (#​36227, #​36226)
  • nx-dev: remove empty SaaS and Mobile template filters (#​36085)
  • react: reserve ports in rspack e2e test to avoid default port collisions (#​36090)
  • react: stop pinning eslint-plugin-react in generated projects (#​36168, #​36161)
  • release: widen release e2e timeouts to absorb pre-version dlx install (#​36092)
  • repo: trust wix/brew tap so macOS detox CI can install applesimutils (#​36146)
  • rspack: use contenthash for chunkFilename to prevent stale chunks (#​36136, #​2292, #​36014)
  • rspack: stop mocking non-existent is-serve-mode util in apply-base-config test (fea2cabbcc)
  • vite: widen vite ts-solution e2e build timeouts for cold multi-lib build (#​36093)
  • vite: detect @​vitejs/plugin-vue2 (vite:vue2) for vue-tsc typecheck (#​36125, #​36094)
  • vite: update deprecation docs link (#​36070, #​36053)
  • vitest: support passing mode through to vitest (#​35069)
  • web: run executor/plugin/generator commands with the workspace package manager (#​36021, #​35950)
  • webpack: prevent TS6059 when a tsc build bundles a workspace lib (#​36188, #​35017)
❤️ Thank You
pnpm/pnpm (pnpm)

v11.11.0

Compare Source

Minor Changes
  • 508b8c2: Added the pnpm access command for managing package access and visibility on the registry, supporting listing packages and collaborators, getting and setting package status and MFA requirements, and granting or revoking team access.
Patch Changes
  • c70e33e: Allow allowBuilds entries for git-hosted packages to match by repository URL without pinning the resolved commit hash. This lets trusted git repositories keep running their build scripts after branch updates without approving each new commit, while package-name-only rules still do not approve git-hosted artifacts.
  • 3067e4f: Reduced peak memory usage during cold-cache dependency resolution. The metadata fetch is memoized for the whole resolution phase, and it was retaining each package's raw registry response body (used only to mirror the response to disk) for that entire time. The memoized cache now holds a body-less copy, so the raw body only lives as long as the call that writes the disk mirror. On large graphs that fetch full metadata (e.g. with minimumReleaseAge or trustPolicy enabled) this cuts peak RSS by roughly 30%, back in line with pnpm 10. The resolved lockfile is unchanged.
  • 51300fd: Prevent a crafted pnpm-lock.yaml from writing package content outside the virtual store. A dependency path key whose name reconstructs to a path-traversal sequence (e.g. ../../../tmp/x@1.0.0) is now rejected by the isolated (virtual-store) linker and the Plug'n'Play resolver map, matching the containment already applied to the hoisted linker. Under the global virtual store, a traversal in the version-derived path segment (e.g. a snapshot version: "../../x") is now rejected at formatGlobalVirtualStorePath, the single point every global-virtual-store slot path funnels through — closing the same escape in the isolated linker, the resolver's dependency-graph builder, and the config-dependency installer.
  • f8058eb: Reject symlinked pnpm-lock.yaml files when reading or writing the env lockfile document.
  • 9318a11: Allow registries and namedRegistries to be configured in the global config.yaml file.
  • 51300fd: Fixed a path traversal vulnerability where a dependency whose manifest name was a scoped path traversal (e.g. @x/../../../<path>) could be written outside node_modules to an attacker-controlled location during pnpm install, even with --ignore-scripts. The isolated linker now validates the package name before using it as a directory name, matching the existing protection in the hoisted linker.
  • 14332f0: Fail instead of silently removing an optional dependency's locked entries from pnpm-lock.yaml when the registry cannot resolve it. Previously, when registry metadata lacked a version that the lockfile already pinned (for example, a mirror that had not synced a recent release yet), pnpm install and pnpm dedupe silently dropped the optional dependency's entries — emptying maps such as the platform binaries of @napi-rs/canvas — so the lockfile differed between machines and frozen installs on other hosts had nothing to link #​12853.
  • fecfe83: Fixed peer dependency resolution with autoInstallPeers when a workspace package depends on a version of a package that a transitive dependency's self-contained closure also provides for itself. The peer providers that are attached to the root project for reuse are no longer peer-resolved a second time in the root context, so packages inside such a closure no longer get their peers bound to the root project's incompatible version #​4993.
  • 5a4daec: ${...} environment-variable placeholders in the httpProxy, httpsProxy, noProxy, proxy, and noproxy settings are no longer expanded when these settings come from a project's pnpm-workspace.yaml. They now receive the same protection already applied to registry, namedRegistries, and pnprServer.
  • d1da02e: pnpm publish no longer prints credentials when the target registry is configured with inline user:pass@ credentials (e.g. registry=https://user:pass@example.com/). They are now redacted both from the "publishing to registry" line and from the OIDC (trusted publishing) failure messages.
  • dcfc611: pnpm self-update now honors trustPolicy=no-downgrade. It resolves the target pnpm version against full registry metadata, so it refuses to switch to a version whose supply-chain trust evidence is weaker than an earlier-published one, the same way a regular install does.
  • a8ad82d: Register the pn alias in generated shell completion scripts.
  • 25bd5c3: Fixed standalone installer downgrades from pnpm v12 to v11.
  • 23996e9: pnpm runtime set <name> <version> now validates its arguments: the name must be node, deno, or bun, and the version must not contain a comma. Previously these were interpolated straight into a pnpm add selector, where an unsupported name or a comma (e.g. node 22,is-positive) could be misread as a list of packages or a local directory and install unintended packages or bins.
prettier/prettier (prettier)

v3.9.5

Compare Source

diff

Markdown: Cap ordered list mark at 999,999,999 (#​19351 by @​tats-u)

CommonMark parsers only support ordered list item numbers up to 999,999,999.

With this change, Prettier now caps the ordered list item number at 999,999,999 to ensure that the output is correctly parsed as an ordered list by CommonMark parsers. Numbers larger than 999,999,999 are not parsed as list item numbers and are left unchanged in the output:

<!-- Input -->
999999998. text
999999998. text
999999998. text
999999998. text

1234567890123456789012) text

<!-- Prettier 3.9.4 -->
999999998. text
999999999. text
1000000000. text
1000000001. text

1234567890123456789012) text

<!-- Prettier 3.9.5 -->
999999998. text
999999999. text
999999999. text
999999999. text

1234567890123456789012) text
Markdown: Avoid corrupting empty link with title (#​19487 by @​andersk)

Do not remove <> from an inline link or image with an empty URL and a title, as this removal would change its interpretation.

<!-- Input -->
[link](<> "title")

<!-- Prettier 3.9.4 -->
[link]( "title")

<!-- Prettier 3.9.5 -->
[link](<> "title")
Less: Remove extra spaces after [ in map lookups (#​19503 by @​kovsu)
// Input
.foo {
  color: #theme[ primary];
  color: #theme[@&#8203;name];
  color: #theme[@&#8203;@&#8203;name];
}

// Prettier 3.9.4
.foo {
  color: #theme[ primary];
  color: #theme[ @&#8203;name];
  color: #theme[ @&#8203;@&#8203;name];
}

// Prettier 3.9.5
.foo {
  color: #theme[primary];
  color: #theme[@&#8203;name];
  color: #theme[@&#8203;@&#8203;name];
}
CSS: Prevent addition space in type() with + (#​19516 by @​bigandy)

This fixes the addition space before + in CSS type() declaration. For example type(<number>+) was being converted into type(<number> +) which is invalid CSS and does not work.

/* Input */
div {
  border-radius: attr(br type(<length>+));
}

/* Prettier 3.9.4 */
div {
  border-radius: attr(br type(<length> +));
}

/* Prettier 3.9.5 */
div {
  border-radius: attr(br type(<length>+));
}
Less: Remove spaces between merge markers and colons (#​19517 by @​kovsu)
// Input
a {
  box-shadow  +  : 0 0 1px #&#8203;000;
}

// Prettier 3.9.4
a {
  box-shadow+  : 0 0 1px #&#8203;000;
}

// Prettier 3.9.5
a {
  box-shadow+: 0 0 1px #&#8203;000;
}
Markdown: Preserve wiki links with aliases (#​19527 by @​kovsu)
<!-- Input -->
[[Foo:Bar]]

<!-- Prettier 3.9.4 -->
[[Foo]]

<!-- Prettier 3.9.5 -->
[[Foo:Bar]]
TypeScript: Fix comments being dropped on shorthand type import/export specifiers (#​19565 by @​kirkwaiblinger)
// Input
export { type /* comment */ T } from "foo";
import { type /* comment */ T } from "foo";

// Prettier 3.9.4
Error: Comment "comment" was not printed. Please report this error!

// Prettier 3.9.5
export { type /* comment */ T } from "foo";
import { type /* comment */ T } from "foo";
Miscellaneous: Preserving comments' placement property (#​19567 by @​Janther)

Prettier@​3.9.0 deleted an undocumented property on comments, which was already used by plugins, comment.placement is now available again after comment attach.

Flow: Stop enforcing empty module declaration to break (#​19568 by @​fisker)
// Input
declare module "foo" {}

// Prettier 3.9.4
declare module "foo" {
}

// Prettier 3.9.5
declare module "foo" {}
Angular: Support expression for exhaustive typechecking (#​19571 by @​fisker)
<!-- Input -->
@&#8203;switch (state.mode) {
  @&#8203;default never(state);
}

<!-- Prettier 3.9.4 -->
@&#8203;switch (state.mode) {
  @&#8203;default never;
}

<!-- Prettier 3.9.5 -->
@&#8203;switch (state.mode) {
  @&#8203;default never(state);
}
TypeScript: Ignore comments inside mapped type when checking type parameter comments (#​19572 by @​fisker)
// Input
foo<{
  // comment
  [key in keyof Foo]: number
}>();

// Prettier 3.9.4
foo<
  {
    // comment
    [key in keyof Foo]: number;
  }
>();

// Prettier 3.9.5
foo<{
  // comment
  [key in keyof Foo]: number;
}>();
Less: Fix adjacent block comments being corrupted (#​19574 by @​kovsu)
// Input
/* a *//* b */
/* a */* {
  color: red;
}

// Prettier 3.9.4
/* a */
/* b */
/* a * {
  color: red;
}

// Prettier 3.9.5
/* a */ /* b */
/* a */
* {
  color: red;
}
JavaScript: Handle dangling comments in SwitchStatement (#​19581 by @​fisker)
// Input
switch (foo) {
 // comment
}

// Prettier 3.9.4
switch (
  foo
  // comment
) {
}

// Prettier 3.9.5
switch (foo) {
  // comment
}
TypeScript: Remove space in comment-only object type (#​19583 by @​fisker)
// Input
var foo = {
  /* comment */
};
type Foo = {
  /* comment */
};

// Prettier 3.9.4
var foo = {/* comment */};
type Foo = { /* comment */ };

// Prettier 3.9.5
var foo = {/* comment */};
type Foo = {/* comment */};
rolldown/tsdown (tsdown)

v0.22.4

Compare Source

   🚀 Features
   🐞 Bug Fixes
   🏎 Performance
    View changes on GitHub
typescript-eslint/typescript-eslint (typescript-eslint)

v8.63.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitejs/vite (vite)

v8.1.4

Compare Source

Features
Bug Fixes
Documentation
Miscellaneous Chores
Code Refactoring
Tests
Build System
vitest-dev/vitest (vitest)

v4.1.10

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Summary by CodeRabbit

  • Chores
    • Updated the project’s required package manager to pnpm 11.11.0 (and pnpm engines to 11.11.0 or later).
    • Refreshed workspace tooling and utilities to the latest patch versions, including linting, formatting, type analysis, build tooling, and testing (e.g., ESLint, Nx, Prettier, tsdown, TypeScript ESLint, Vite, Vitest).

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jul 13, 2026
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The repository now requires pnpm 11.11.0, and several workspace catalog tooling dependencies have updated version constraints.

Changes

Tooling version alignment

Layer / File(s) Summary
Package manager and catalog version updates
package.json, pnpm-workspace.yaml
The declared and minimum pnpm version is raised to 11.11.0, while @arethetypeswrong/core, ESLint, Nx, Prettier, tsdown, typescript-eslint, Vite, and Vitest catalog constraints are updated.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is detailed, but it does not follow the required template sections for Changes, Checklist, and Release Impact. Reformat the PR body to include the template headings, fill in the checklist items, and state whether this is release-impacting or docs/CI/dev-only.
✅ Passed checks (4 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title matches the PR’s main change: a non-major dependency update across several packages.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renovate/all-minor-patch

Comment @coderabbitai help to get the list of available commands.

@github-actions

Copy link
Copy Markdown
Contributor

🚀 Changeset Version Preview

No changeset entries found. Merging this PR will not cause a version bump for any packages.

@nx-cloud

nx-cloud Bot commented Jul 13, 2026

Copy link
Copy Markdown

View your CI Pipeline Execution ↗ for commit 1b0d737

Command Status Duration Result
nx affected --targets=test:sherif,test:docs,tes... ✅ Succeeded 26s View ↗
nx run-many --target=build ✅ Succeeded 7s View ↗

☁️ Nx Cloud last updated this comment at 2026-07-13 23:35:33 UTC

@pkg-pr-new

pkg-pr-new Bot commented Jul 13, 2026

Copy link
Copy Markdown
npm i https://pkg.pr.new/@tanstack/eslint-config@402
npm i https://pkg.pr.new/@tanstack/publish-config@402
npm i https://pkg.pr.new/@tanstack/typedoc-config@402
npm i https://pkg.pr.new/@tanstack/vite-config@402

commit: 1b0d737

@socket-security

socket-security Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addednx@​23.0.25810093100100
Addedtypescript-eslint@​8.63.01001007498100
Added@​arethetypeswrong/​core@​0.18.51001007590100
Addedvitest@​4.1.10981007998100
Addedvite@​8.1.4991008298100
Addedtsdown@​0.22.5981008897100
Addedprettier@​3.9.5961009498100
Addedeslint@​10.7.09810010097100

View full report

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Around line 8-10: Update the pnpm version guidance in CONTRIBUTING.md to
require pnpm >=11.11.0, matching the packageManager and engines declarations in
package.json; replace the outdated pnpm v9 references without changing unrelated
contributor instructions.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ca91aabb-091a-4edc-9750-e48d90dd5f6f

📥 Commits

Reviewing files that changed from the base of the PR and between e6ab763 and d812b05.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • package.json
  • pnpm-workspace.yaml

Comment thread package.json
Comment on lines +8 to +10
"packageManager": "pnpm@11.11.0",
"engines": {
"pnpm": ">=11.10.0"
"pnpm": ">=11.11.0"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Keep contributor documentation aligned with the pnpm requirement.

CONTRIBUTING.md:26-30 still says the repository uses pnpm v9, while this change requires pnpm >=11.11.0. Update the guide so contributors do not install an incompatible version.

Suggested documentation update
- We use [pnpm](...) v9 for package management.
+ We use [pnpm](...) v11.11.0 for package management.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` around lines 8 - 10, Update the pnpm version guidance in
CONTRIBUTING.md to require pnpm >=11.11.0, matching the packageManager and
engines declarations in package.json; replace the outdated pnpm v9 references
without changing unrelated contributor instructions.

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from d812b05 to 6fd6ca6 Compare July 13, 2026 19:06
@socket-security

socket-security Bot commented Jul 13, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm nx is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.jsonnpm/nx@23.0.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/nx@23.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 6fd6ca6 to 1b0d737 Compare July 13, 2026 23:34
@lachlancollins lachlancollins merged commit 10ece5e into main Jul 14, 2026
11 checks passed
@lachlancollins lachlancollins deleted the renovate/all-minor-patch branch July 14, 2026 00:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant