Skip to content

deps: all non-major dependencies#684

Merged
dejanvasic85 merged 1 commit into
mainfrom
renovate/all-minor-patch
Jun 26, 2026
Merged

deps: all non-major dependencies#684
dejanvasic85 merged 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@dejanvasic85

@dejanvasic85 dejanvasic85 commented Jun 24, 2026

Copy link
Copy Markdown
Owner

This PR contains the following updates:

Package Type Update Change Pending
@aws-sdk/client-ses (source) dependencies minor 3.1074.03.1075.0
@sanity/vision (source) dependencies minor 6.1.06.2.0
@sentry/nextjs (source) dependencies minor 10.59.010.61.0 10.62.0
@tanstack/react-query (source) dependencies patch 5.101.05.101.1
@tanstack/react-query-devtools (source) dependencies patch 5.101.05.101.1
playwright-core (source) devDependencies patch 1.61.01.61.1
pnpm (source) packageManager minor 11.8.011.9.0
pnpm (source) uses-with minor 11.8.011.9.0
sanity (source) dependencies minor 6.1.06.2.0
styled-components (source) dependencies patch 6.4.26.4.3

Release Notes

aws/aws-sdk-js-v3 (@​aws-sdk/client-ses)

v3.1075.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-ses

sanity-io/sanity (@​sanity/vision)

v6.2.0

Compare Source

Bug Fixes
getsentry/sentry-javascript (@​sentry/nextjs)

v10.61.0

Compare Source

Important Changes
  • feat(core): Enable streamGenAiSpans by default (#​21732)

    The SDK now extracts all gen_ai spans out of a transaction and sends them as v2 envelope items by default. This prevents gen_ai spans from being dropped when the transaction payload exceeds size limits. Because they are no longer constrained by transaction size limits, AI message data is also no longer truncated by default. Set enableTruncation: true on the respective AI integration to re-enable truncation. To keep the previous behavior, set streamGenAiSpans: false.

    Self-hosted Sentry users should opt out with streamGenAiSpans: false, since streamed gen_ai spans may not be ingested by their Sentry instance.

Other Changes
  • feat(cloudflare): Add batch, exec, and withSession D1 instrumentation (#​21292)
  • feat(cloudflare): Instrument SQL API in sqlite durable objects (#​21656)
  • feat(core): Add db.query.summary functionality (#​21670)
  • feat(core): Add top-level Sentry.setAttribute(s) APIs (#​21705)
  • fix(hono): Name transactions after the matched route handler (#​21700)
  • fix(react-router): Bump peerDependencies for react-router 8 (#​21762)
  • fix(replays): Record replay trace_ids with span streaming (#​21714)
Internal Changes
  • build: add rollup plugin for compile-time ESM/CJS code branching (#​21715)
  • chore: Fix version bump for bundler plugin fixtures (#​21707)
  • chore(node-integration-tests): Improve node test runner naming (#​21685)
  • docs: Update contributing guide for E2E tests (#​21763)
  • feat: Adopt bindTracingChannelToSpan across runtimes (#​21642)
  • feat: Remove Otel from fsIntegration (#​21654)
  • feat(deps): Bump http-proxy-middleware from 2.0.9 to 2.0.10 (#​21709)
  • feat(server-utils): Add tracingChannel-to-span binding (#​21641)
  • fix(tests): Add dedicated route for Hono query_string tests (#​21731)
  • ref: Export SPAN_KIND from core and drop OTel SpanKind imports (#​21668)
  • test: Make bundler plugins tests work after release
  • test: Remove duplicated test (#​21699)
  • test: retry npm install on network hiccups (#​21689)
  • test(cloudflare): Increase node count for memory tests (#​21719)
  • test(e2e): Add sentry-sdk-init measure and marks (#​21687)
  • test(e2e): Add more lighthouse react e2e test SDK init modes (#​21711)
  • test(node): Add esm/cjs specific test runner utils (#​21729)
  • test(node): Increase cron integration test timeout to 60s (#​21704)
  • test(node): Streamline amqplib tests (#​21723)
  • test(node): Update mysql tests for better coverage and correctness (#​21684)
  • test(node): Use different ports for redis tests (#​21727)

v10.60.0

Compare Source

Other Changes
  • feat(cloudflare): Add R2 bucket auto-instrumentation (#​21327)
  • feat(core): Add bindScopeToEmitter to bind a scope to an event emitter (#​21594)
  • feat(deps): Bump @​hapi/wreck from 18.1.0 to 18.1.2 (#​21178)
  • fix(browser): Ensure url.full and http.url attributes have the same values on http.client spans (#​21660)
  • fix(server-utils): Avoid directly importing tracingChannel for Node v18 compatibility (#​21662)
  • fix(server-utils): Remove optional vite peer dependency (#​21677)
Internal Changes
  • chore: Add bundler-plugins to craft (#​21701)
  • chore: Cleanup unused imports of @opentelemetry/core (#​21679)
  • fix(bundler-plugins): Integration with monorepo build (#​21479)
  • ref(core): Gate updateName() custom source on an OTel inference brand (#​21649)
  • ref(core/opentelemetry): Move OTel span data inference from captureSpan to SentrySpanProcessor (#​21648)
  • ref(node): Remove unused sql-common helper and @opentelemetry/core dep (#​21688)
  • ref(node): Streamline kafkajs instrumentation (#​21647)
  • ref(node): Streamline undici (node-fetch) instrumentation (#​21650)
  • ref(vercel-edge): Drop unused @opentelemetry/semantic-conventions dependency (#​21691)
  • ref(vercel-edge): Remove @opentelemetry/resources dependency (#​21690)
TanStack/query (@​tanstack/react-query)

v5.101.1

Compare Source

Patch Changes
TanStack/query (@​tanstack/react-query-devtools)

v5.101.1

Compare Source

Patch Changes
microsoft/playwright (playwright-core)

v1.61.1

Compare Source

Bug Fixes
  • #​41365 [Bug]: Expect.Extend matcher with same name as default matcher in same expect instance overrides default matchers implementation to custom matcher
  • #​41351 [Bug]: Playwright UI mode: apiRequestContext._wrapApiCall reports unexpected number of bytes (same test passes in headed mode)
  • #​41360 [Bug]: Trace viewer: message times in websockets are downscaled by 1000
  • #​41311 [Bug]: [Regression]: Sync loader throws "context.conditions?.includes is not a function" on Node 22.15
  • #​41371 [Regression]: Sync ESM loader (registerHooks) fails to resolve extensionless .ts subpath imports across pnpm workspace symlinks
pnpm/pnpm (pnpm)

v11.9.0: pnpm 11.9

Compare Source

Minor Changes
  • bae694f: Some registries generate tarballs on-demand and cannot provide an integrity checksum in their package metadata. In that case pnpm now computes the integrity from the downloaded tarball and stores it in the lockfile, so the entry is verifiable on subsequent installs instead of being written without an integrity (which would fail the next install). This also applies to --lockfile-only: the tarball is downloaded so its integrity can be computed. A lockfile entry that is still missing its integrity is rejected as a ERR_PNPM_MISSING_TARBALL_INTEGRITY lockfile verification violation (the install fails closed) rather than being silently re-fetched.
  • 6c35a43: Added --exclude-peers to pnpm sbom. With auto-install-peers (the default), peer dependencies resolve into the lockfile and are otherwise indistinguishable from the package's own dependencies. The flag drops peer dependencies (and any transitive subtree reachable only through them) from the SBOM. CycloneDX 1.7 has no scope or relationship that expresses "consumer-provided peer", so omission is the only spec-clean handling. The flag name matches pnpm list --exclude-peers; note the SBOM flag prunes a peer's exclusive subtree, which is stricter than pnpm list (which only hides leaf peers).
Patch Changes
  • 25a829e: pnpm audit --fix now writes a single combined minimumReleaseAgeExclude entry per package (e.g. axios@0.18.1 || 0.21.1) instead of one entry per version, matching the format documented for the setting. Existing per-version entries in pnpm-workspace.yaml are merged into the combined form rather than left as duplicates. Installs that auto-collect immature versions into minimumReleaseAgeExclude now report the same combined entries, so the "Added N entries" message matches what is written to the manifest #​12534.

  • 1cbb5f2: Fixed non-deterministic peer resolution that could add or remove an optional transitive peer — for example @babel/core, reached through styled-jsx — from a package's peer-dependency suffix across otherwise identical installs, churning the lockfile and causing intermittent pnpm dedupe --check failures in CI. When a package's children are resolved by one occurrence (the "owner") and reused by a deeper consumer, whether that consumer inherited the owner's missing peers depended on whether the owner's resolution had finished yet — a race under concurrent resolution. The decision is now a function of the dependency graph's structure rather than resolution-completion order.

  • d577eea: Fixed a Windows flakiness in pnpm dlx where a failed install could surface a spurious EBUSY: resource busy or locked error. The cleanup of a partially-populated dlx cache is now best-effort with retries and no longer masks the original error.

  • ec7cf70: Shortened the pnpm dlx cache path so deep dependency trees no longer overflow Windows' MAX_PATH, which could make a dependency's lifecycle script fail with spawn cmd.exe ENOENT.

  • 05b95ab: Fixed pnpm hanging (and crashing with an unhandled promise rejection) when a non-retryable network error such as SELF_SIGNED_CERT_IN_CHAIN occurs while fetching from a registry. The error is now rejected through the returned promise instead of being thrown inside the detached retry callback.

  • d3f68e2: Fix a pnpm audit performance regression on lockfiles that contain dependency cycles. The reachable-vulnerability pruning added in pnpm 11.5.1 only memoized acyclic subtrees, so any node whose subtree touched a cycle — together with all of its ancestors — was recomputed on every query, making the path walk quadratic. Reachability is now computed once per node using Tarjan's strongly-connected-components algorithm, so cyclic graphs are handled in linear time #​12212.

    The audit path walk also no longer recurses, so a deeply nested dependency graph can no longer overflow the call stack, and the install path to each finding is tracked without per-node copying, keeping memory linear in the graph depth.

  • 322f88f: Fix failed optional dependency updates so they don't rewrite unrelated dependency specs #​11267.

  • 1488db1: When enableGlobalVirtualStore is toggled on for a project that was previously installed without it, stale hoisted symlinks under node_modules/.pnpm/node_modules are now replaced instead of being left pointing at the old per-project virtual store location #​9739.

  • 6545793: Fixed pnpm install --ignore-workspace overwriting the allowBuilds map in pnpm-workspace.yaml. The ignored builds of a package with a build script were auto-populated into allowBuilds even though --ignore-workspace was passed, clobbering committed true/false values with the set this to true or false placeholder #​12469.

  • fbdc0eb: Fixed minimumReleaseAgeExclude and trustPolicyExclude so multiple exact-version entries for the same package behave the same as a single || disjunction entry. Previously only the first matching rule's versions were honored, so a config like [form-data@4.0.6, form-data@2.5.6] could still flag form-data@2.5.6 as violating minimumReleaseAge, while [form-data@4.0.6 || 2.5.6] worked as expected #​12463.

  • fa7004b: The in-memory package metadata cache is now populated on the exact-version disk fast path, so repeated resolutions of the same package within one install no longer re-read and re-parse the on-disk metadata. In large monorepos this brings the time for adding a new package down from minutes to seconds. The in-memory cache key now also includes the registry, so a package of the same name served by two different registries in a single install can no longer share a cache slot and resolve the wrong tarball.

  • 0a154b1: Fixed pnpm patch dropping the package name (and leaking internal option fields) when the patched dependency resolves to a single git-hosted version.

  • 4d3fe4b: The pnpr resolver endpoints moved under the reserved /-/pnpr namespace: POST /v1/resolve is now POST /-/pnpr/v0/resolve and POST /v1/verify-lockfile is now POST /-/pnpr/v0/verify-lockfile. The capability handshake at GET /-/pnpr advertises protocol version 0 to match. This keeps every pnpr-proprietary route in npm's reserved namespace, so it can never collide with a package path.

  • 0ec878d: Removing a runtime dependency now removes the matching devEngines.runtime or engines.runtime entry that was materialized from it. Blank runtime selectors are normalized to latest.

  • 17e7f2c: pnpm sbom now emits a CycloneDX issue-tracker external reference for components (and the root) whose package.json declares a bugs URL. Email-only bugs entries are skipped, since the reference requires a URL.

  • a84d2a1: Add @pnpm/resolving.tarball-url, which builds and recognizes the canonical npm tarball URL of a package. It vendors getNpmTarballUrl (previously the external get-npm-tarball-url package) and adds isCanonicalRegistryTarballUrl, the predicate the lockfile writer uses to decide whether a tarball URL is derivable from name+version+registry (and can therefore be omitted from pnpm-lock.yaml).

    Exposing isCanonicalRegistryTarballUrl lets a custom resolver (pnpmfile resolvers) fronting a proxy that serves tarballs on a non-canonical path (e.g. an ephemeral localhost:<port>) rewrite the resolved tarball to the canonical form, so nothing host-specific is persisted to the lockfile. Previously this logic was private to @pnpm/lockfile.utils.

    Two correctness fixes are included while consolidating the logic: the scoped-package unescape now handles uppercase %2F as well as %2f (percent-encoding is case-insensitive), and protocol-insensitive comparison strips only a leading http(s):// scheme instead of splitting on the first :// (which could truncate URLs containing a later ://).

  • 852d537: Lockfile verification no longer reports a registry metadata fetch failure (for example a 403/401 on a private registry, or a network error) as ERR_PNPM_TARBALL_URL_MISMATCH. When the registry can't be reached to verify an entry, the install now aborts with the registry's own fetch error (such as ERR_PNPM_FETCH_403, which already explains the authentication situation) instead of mislabeling a transport failure as lockfile tampering. Registry fetch errors no longer leak basic-auth credentials embedded in the registry URL (https://user:pass@host/) into their message.

Platinum Sponsors
Bit
OpenAI
Gold Sponsors
Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx
sanity-io/sanity (sanity)

v6.2.0

Compare Source

Features
Bug Fixes
Performance Improvements
  • core: lazy-load default plugin and asset source UI components (#​13088) (9fd25d9)
styled-components/styled-components (styled-components)

v6.4.3

Compare Source

Patch Changes
  • f692ec2: Fix a TypeScript error when wrapping a component whose props can't be statically read, such as Mantine v7's polymorphic-factory components (Button, Card, Menu.Item, and similar). These styled components no longer reject every prop, including children; arbitrary props are accepted again at the JSX call site and via .attrs(), while components with readable prop types stay fully type-checked.
  • f692ec2: Keep TypeScript attribute autocomplete working while you type props on a polymorphic styled component. When a component renders a different element through as (for example as="video"), beginning to type a new prop name could make the whole suggestion list vanish; the rendered element's props now keep autocompleting as you go.

Configuration

📅 Schedule: (in timezone Australia/Melbourne)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@dejanvasic85 dejanvasic85 enabled auto-merge (squash) June 24, 2026 20:39
@vercel

vercel Bot commented Jun 24, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
williamstownsc Ready Ready Preview, Comment Jun 26, 2026 8:37pm

Request Review

@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The PR bumps Node.js versions in the CI, crawl, and deploy-sanity workflows from 11.8.0 to 11.9.0. It also updates packageManager and several package versions in package.json, including AWS SDK, Sanity, Sentry, TanStack Query, styled-components, and Playwright.

Changes

Workflow and package version bumps

Layer / File(s) Summary
Workflow runtime bumps
.github/workflows/ci.yml, .github/workflows/crawl.yml, .github/workflows/deploy-sanity.yml
mise-action inputs and workflow runtime versions move from 11.8.0 to 11.9.0 across the CI, crawl, and deploy-sanity jobs.
Package manifest bumps
package.json
packageManager moves to pnpm@11.9.0, and the AWS SDK, Sanity, Sentry, TanStack Query, styled-components, and Playwright versions are bumped.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

  • dejanvasic85/williamstownsc issue 646 — tracks the same pnpm and workflow version bumps reflected here.
  • dejanvasic85/portfolio issue 221 — overlaps on package.json and CI workflow version updates, including pnpm and @aws-sdk/client-ses.
  • dejanvasic85/ses-next issue 563 — matches the pnpm, Playwright, and Sanity dependency bumps in this PR.
  • dejanvasic85/orderflow issue 107 — overlaps on pnpm, TanStack Query, and Playwright version updates.
  • dejanvasic85/jlc-carpentry issue 593 — covers the same workflow and package.json version bump pattern.
  • dejanvasic85/notes issue 717 — also concerns package.json and CI workflow version bumps.

Possibly related PRs

Poem

Hop, hop, the versions took a tiny leap,
From 11.8.0 to 11.9.0, neat and neat.
pnpm, Sanity, and Playwright joined the spring,
And the bunny CI bells went ding-ding-ding. 🐰
Carrot crumbs of updates, bright and fine!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the PR’s dependency bump focus and accurately summarizes the non-major updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renovate/all-minor-patch

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@dejanvasic85 dejanvasic85 force-pushed the renovate/all-minor-patch branch from 3920aad to 5eaa600 Compare June 26, 2026 20:35
@dejanvasic85 dejanvasic85 merged commit e49bb2a into main Jun 26, 2026
6 checks passed
@dejanvasic85 dejanvasic85 deleted the renovate/all-minor-patch branch June 26, 2026 20:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant