chore(deps): update all non-major dependencies by renovate[bot] · Pull Request #164 · TanStack/intent

renovate · 2026-06-15T03:24:07Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Type	Update
@changesets/cli (source)	`^2.29.8` → `^2.31.0`	devDependencies	minor
@codspeed/vitest-plugin (source)	`^5.0.1` → `^5.5.0`	devDependencies	minor
@faker-js/faker (source)	`^10.2.0` → `^10.4.0`	devDependencies	minor
CodSpeedHQ/action	`v4.15.1` → `v4.17.5`	action	minor
actions/checkout	`v6.0.2` → `v6.0.3`	action	patch
autofix-ci/action	`v1.3.2` → `v1.3.4`	action	patch
changesets/action	`v1.8.0` → `v1.9.0`	action	minor
eslint (source)	`^9.39.2` → `^9.39.4`	devDependencies	patch
eslint-plugin-unused-imports	`^4.3.0` → `^4.4.1`	devDependencies	minor
happy-dom	`^20.1.0` → `^20.10.4`	devDependencies	minor
knip (source)	`^5.80.2` → `^5.88.1`	devDependencies	minor
nx (source)	`^22.3.3` → `^22.7.5`	devDependencies	minor
pnpm (source)	`11.1.1` → `11.7.0`	packageManager	minor
pnpm (source)	`>=11.0.0` → `>=11.7.0`	engines	minor
prettier (source)	`^3.7.4` → `^3.8.4`	devDependencies	patch
prettier-plugin-svelte	`^3.4.1` → `^3.5.2`	devDependencies	minor
semver	`^7.7.4` → `^7.8.4`	dependencies	minor
sherif	`^1.9.0` → `^1.11.1`	devDependencies	minor
tinyglobby (source)	`^0.2.15` → `^0.2.17`	devDependencies	patch
tsdown (source)	`^0.19.0` → `^0.22.2`	devDependencies	minor
verdaccio (source)	`^6.3.2` → `^6.7.2`	devDependencies	minor
vitest (source)	`^4.0.17` → `^4.1.9`	devDependencies	minor
yaml (source)	`2.8.3` → `2.9.0`	dependencies	minor
yaml (source)	`2.8.3` → `2.9.0`	devDependencies	minor
zizmorcore/zizmor-action	`v0.5.3` → `v0.5.6`	action	patch

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

changesets/changesets (@changesets/cli)

`v2.31.0`

Compare Source

Minor Changes

#1889 96ca062 Thanks @mixelburg! - Error on unsupported flags for individual CLI commands and print the matching command usage to make mistakes easier to spot.
#1873 42943b7 Thanks @mixelburg! - Respond to --help on all subcommands. Previously, --help was only handled when it was the sole argument; passing it alongside a subcommand (e.g. changeset version --help) would silently execute the command instead. Now --help always exits early and prints per-command usage when a known subcommand is provided, or the general help text otherwise.

Patch Changes

d2121dc Thanks @Andarist! - Fix npm auth for path-based registries during publish by preserving configured registry URLs instead of normalizing them.
#1888 036fdd4 Thanks @mixelburg! - Fix several changeset version issues with workspace protocol dependencies. Valid explicit workspace: ranges and aliases are no longer rewritten unnecessarily, and workspace path references are handled correctly during versioning.
#1903 5c4731f Thanks @Andarist! - Gracefully handle stale npm info data leading to duplicate publish attempts.
#1867 f61e716 Thanks @Andarist! - Improved detection for published state of prerelease-only packages without latest dist-tag on GitHub Packages registry.
Updated dependencies [036fdd4, 036fdd4, 036fdd4]:
- @changesets/assemble-release-plan@6.0.10
- @changesets/get-dependents-graph@2.1.4
- @changesets/apply-release-plan@7.1.1
- @changesets/get-release-plan@4.0.16
- @changesets/config@3.1.4

`v2.30.0`

Compare Source

CodSpeedHQ/codspeed-node (@codspeed/vitest-plugin)

`v5.5.0`

Compare Source

Highlights

We are introducing @codspeed/playwright, for walltime benchmarking and profiling of end to end browser applications through playwright.

Here's an example usage, but head to the docs for more information

import { bench, type Page } from "@&#8203;codspeed/playwright-plugin";
import electronExecutable from "electron";
import path from "node:path";
import { fileURLToPath } from "node:url";

const __dirname = path.dirname(fileURLToPath(import.meta.url));
const appRoot = path.resolve(__dirname, "..");

async function waitUntilSettled(page: Page): Promise<void> {
  await page.waitForFunction(() => {
    const main = document.getElementById("main");
    return !!main && !main.classList.contains("loading");
  });
}

await bench(
  "inbox-search-archive-threads",
  async ({ page }) => {
    await page.fill("#search", "update");
    await waitUntilSettled(page);

    await page.click("#select-visible-btn");
    await page.click("#archive-btn");
    await waitUntilSettled(page);

    await page.click('#sidebar nav button[data-view="threads"]');
    await waitUntilSettled(page);
  },
  {
    target: {
      kind: "electron",
      appPath: path.join(appRoot, "out/main/index.js"),
      cwd: appRoot,
    },
    beforeRound: async ({ page }) => {
      page.setDefaultTimeout(180_000);
      await page.waitForSelector("#main");
      await waitUntilSettled(page);
    },
  },
);

Note: this plugin is only compatible with the walltime instrument.

What's Changed

Add playwright profiling package by @GuillaumeLagrange in #80

Full Changelog: CodSpeedHQ/codspeed-node@v5.4.0...v5.5.0

`v5.4.0`

Compare Source

What's Changed

This release adds first support for macOS walltime.

Please note that profiling and other instruments are not yet available on macOS and will come in a later update.

Support macos walltime without profiling in codspeed-node by @GuillaumeLagrange in #79

Full Changelog: CodSpeedHQ/codspeed-node@v5.3.0...v5.4.0

`v5.3.0`

Compare Source

What's Changed

We now collect buildtime and runtime environment data to warn users about differences in their runtime environment when comparing two runs against one another.

This data includes toolchain metadata like version and build options, as well as a list of dynamically loaded linked libraries.

feat(fi): add memory profiling by @not-matthias in #73
feat: dump node process information when running by @GuillaumeLagrange in #77
chore: bump instrument-hooks to dump linked libraries by @GuillaumeLagrange in #78

Full Changelog: CodSpeedHQ/codspeed-node@v5.2.0...v5.3.0

faker-js/faker (@faker-js/faker)

`v10.4.0`

Compare Source

New Locales

locale: add Japanese bear definitions (#3720) (2a4b15c)
locale: add Japanese bird definitions (#3719) (dc31ff8)
locale: add Japanese cat breed definitions (#3716) (54af8a8)
locale: add Japanese cattle breed definitions (#3717) (c2c7342)
locale: add Japanese fish definitions (#3721) (15fc361)
locale: add Japanese horse breed definitions (#3718) (e02536e)
locale: add Norwegian (nb_NO) country definition (#3714) (614b4e9)

Features

fi locale phone numbers (#3747) (7afa8b5)
food: add plant-based dish variety (#3745) (41edf49)

Changed Locales

locale: filter and cleanup PersonEntryDefintions data (#3266) (67defc8)

Bug Fixes

locales: correct typos and capitalization in es_MX street names (#3737) (2b32c28)

`v10.3.0`

Compare Source

New Locales

locale: add Japanese dog definition (#3715) (76c9df1)
locale: add Japanese color definitions (#3707) (bbbb215)
locale: add Japanese food module (#3706) (71d55c0)
locale: add Japanese internet definitions (#3708) (184a709)
locale: add Japanese job definitions for person module (#3705) (e7f3ccd)
locale: add Japanese suffix definitions for person module (#3704) (45ad7d8)
locale: add Norwegian (nb_NO) continent definitions (#3712) (c0f0f23)
locale: add Norwegian (nb_NO) direction definition (#3713) (43b18fa)
locale: add Norwegian (nb_NO) sex definitions (#3710) (76063f2)
locale: add Norwegian (nb_NO) vehicle definition (#3732) (d1c32b0)

Features

locales: add Norwegian (nb_NO) zodiac sign definitions (#3711) (e306542)
person: sexType can return 'generic' (#3259) (0e099a1)
string: support uuid v7 (#3701) (87c2753)

Changed Locales

locale: normalize system locale data (#3702) (ba91653)

Bug Fixes

locale: remove empty string from Hebrew lorem words (#3698) (81a896c)
location: state name to 'Trøndelag' for nb_NO (#3691) (eaef389)

CodSpeedHQ/action (CodSpeedHQ/action)

`v4.17.5`

Compare Source

Release Notes

This release bundles all runner changes from 4.17.1 through 4.17.5.

🚀 Features

Add optional mode arg to target setup by @fargito in #397
Restore DYLD_INSERT_LIBRARIES from SAMPLY_ alias by @not-matthias
Bump valgrind-codspeed to 3.26.0-0codspeed3 by @adriencaccia

🐛 Bug Fixes

Purge inherited mappings on execve to fix unknown symbols (#392) by @GuillaumeLagrange in #392
Use %p in log file path to avoid multi-process overwrite by @not-matthias in #381
Compare codspeed iteration of installed valgrind by @not-matthias

💼 Other

Enable set -u to match go.sh by @not-matthias in #389

🏗️ Refactor

Parse codspeed iteration from version string by @not-matthias

⚙️ Internals

Bump samply by @not-matthias
Bump samply to fix sigkill by @not-matthias in #386
Log detected valgrind version by @not-matthias in #390
Bump samply-codspeed to disable jit classification and add fp-anchoring to unwinding (#382) by @GuillaumeLagrange in #382

Install codspeed-runner 4.17.5

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CodSpeedHQ/codspeed/releases/download/v4.17.5/codspeed-runner-installer.sh | sh

Download codspeed-runner 4.17.5

File	Platform	Checksum
codspeed-runner-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
codspeed-runner-aarch64-unknown-linux-musl.tar.gz	ARM64 MUSL Linux	checksum
codspeed-runner-x86_64-unknown-linux-musl.tar.gz	x64 MUSL Linux	checksum

Full Runner Changelog: https://github.com/CodSpeedHQ/codspeed/blob/main/CHANGELOG.md

Full Changelog: CodSpeedHQ/action@v4.17.0...v4.17.5

`v4.17.0`

Compare Source

Release Notes

🚀 Features

Configure samply symbol resolution env vars by @not-matthias
Add CODSPEED_WALLTIME_PROFILER override by @not-matthias
Make benchmark isolation profiler-driven by @not-matthias
Add profile-based auth configuration (#366) by @art049 in #366
Bump instrument-hooks to not use stubs on macos (#373) by @GuillaumeLagrange in #373
Pin codspeed-go-runner installer downloads with sha256 verification by @art049 in #362
Pin downloaded binaries with sha256 verification by @art049
Search NixOS debug info path by @not-matthias in #354
Inherit process mapping on forks by @GuillaumeLagrange
Bundle samply via library crate by @not-matthias
Add samply profiler for macOS by @not-matthias
Rename CODSPEED_PERF_ENABLED to CODSPEED_PROFILER_ENABLED by @not-matthias
Add Profiler trait abstraction by @not-matthias
Restore cursor on ctrl c by @GuillaumeLagrange in #341
Validate tokens and repository access up front by @GuillaumeLagrange

🐛 Bug Fixes

Use introspected env for memory executor by @GuillaumeLagrange
Misleading DCE advice in setup-harness (#350) by @SuperMuel in #350
Flush rolling buffer when executor errors by @not-matthias in #352
Use brew-installed bash for samply on macOS by @not-matthias in #347
Keep old name aliases to for deserialization purposes by @GuillaumeLagrange in #345
Handle malformed token from backend better by @GuillaumeLagrange
Disable PYTHON_PERF_JIT_SUPPORT on macOS by @not-matthias
Use mach_absolute_time for FIFO timestamps on macOS by @not-matthias
Use O_RDWR to open FIFOs on all Unix platforms by @not-matthias

💼 Other

Select profiler via typed CLI arg by @GuillaumeLagrange in #379
Bump workspace dependencies (#370) by @art049 in #370
Make api_client the single source of truth for the auth token by @GuillaumeLagrange
Bump gql_client to partial-data fork by @GuillaumeLagrange

🏗️ Refactor

Centralize internal re-exec via InternalCommands::get_command_builder by @not-matthias in #338
Rename Benchmark FIFO commands/markers to Profiler/Round by @not-matthias
Rename Profiler::wrap to wrap_command by @not-matthias
Share Linux profiler sysctl setup by @not-matthias
Port PerfRunner to Profiler trait by @not-matthias
Rename PerfMetadata to WalltimeMetadata by @not-matthias
Move perf module under profiler/ by @not-matthias
Rename FifoCommand::PingPerf to PingProfiler by @not-matthias
Rename IntegrationMode::Perf to Walltime by @not-matthias

🧪 Testing

Update valgrind snapshot tests by @adriencaccia

⚙️ Internals

Add taplo config file by @GuillaumeLagrange in #363
Bump samply fork to use framehop-codspeed by @not-matthias
Add retry to sha256 tests to prevent transient failures by @GuillaumeLagrange in #375
Update setarch command arguments to use long options (#304) by @xtqqczze in #304
Bump valgrind-codspeed to 3.26.0-0codspeed2
Fix macOS rustup cache corruption in install-rust action by @GuillaumeLagrange in #357
Give each bpf-tests shard its own cache key by @not-matthias in #358
Shard bpf-tests by integration test binary by @not-matthias
Use rustup show instead of toolchain install by @GuillaumeLagrange in #349
Disable profiler in macos-basic-run-test by @not-matthias
Upload the basic run to validate auth of integration test by @GuillaumeLagrange
Move samply fork from AvalancheHQ to CodSpeedHQ by @not-matthias
Remove the cursor hiding by @GuillaumeLagrange

Install codspeed-runner 4.17.0

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CodSpeedHQ/codspeed/releases/download/v4.17.0/codspeed-runner-installer.sh | sh

Download codspeed-runner 4.17.0

File	Platform	Checksum
codspeed-runner-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
codspeed-runner-aarch64-unknown-linux-musl.tar.gz	ARM64 MUSL Linux	checksum
codspeed-runner-x86_64-unknown-linux-musl.tar.gz	x64 MUSL Linux	checksum

Full Runner Changelog: https://github.com/CodSpeedHQ/codspeed/blob/main/CHANGELOG.md

Full Changelog: CodSpeedHQ/action@v4.15.1...v4.17.0

actions/checkout (actions/checkout)

`v6.0.3`

Compare Source

Fix checkout init for SHA-256 repositories by @yaananth in #2439
fix: expand merge commit SHA regex and add SHA-256 test cases by @yaananth in #2414

autofix-ci/action (autofix-ci/action)

`v1.3.4`: autofix-ci/action 1.3.4

Compare Source

What's Changed

Update action to use Node 24

Full Changelog: autofix-ci/action@v1...v1.3.4

`v1.3.3`: autofix-ci/action 1.3.3

Compare Source

What's Changed

Move Autofix API from .ci to .com TLD.
This aims to improve overall reliability (#32). api.autofix.ci will remain available as an alias for the time being.

Full Changelog: autofix-ci/action@v1.3.2...v1.3.3

changesets/action (changesets/action)

`v1.9.0`

Compare Source

Minor Changes

#636 b072bcc Thanks @bluwy! - Add a new @changesets/action/pr-comment sub-action to comment on PRs
#625 8795eee Thanks @bluwy! - Add a new @changesets/action/pr-status sub-action to generate the changeset status comment for PRs as an alternative to the Changesets Bot.

Patch Changes

#535 34f64f6 Thanks @Andarist! - Fixed an issue with GitHub releases not being created for successfully published packages when some packages failed to be published to the registry.
#632 1d54b9e Thanks @bluwy! - Simplify internal implementation to get changelog entries for a package version
#629 e0c90aa Thanks @bluwy! - Fix custom version and publish command argument parsing
#645 f9585d9 Thanks @Andarist! - Improved force-push handling when using commitMode: "github-api" so updating an existing branch no longer temporarily resets the target branch to the base commit, avoiding cases where GitHub closes open pull requests during the update. This should remove a possibility of a GitHub state race that caused the force-pushed PRs not being reopened.

sweepline/eslint-plugin-unused-imports (eslint-plugin-unused-imports)

`v4.4.1`

Compare Source

No significant changes

View changes on GitHub

capricorn86/happy-dom (happy-dom)

👷‍♂️ Patch fixes

Updates external dependencies - By @capricorn86 in task #2163

`v20.10.1`

Compare Source

`v20.10.0`

Compare Source

`v20.9.0`

Compare Source

🎨 Features

Adds support for event listener properties on Window (e.g. Window.onkeydown) - By @capricorn86 in task #2131

`v20.8.9`

Compare Source

👷‍♂️ Patch fixes

Fixes issue where cookies from the current origin was being forwarded to the target origin in fetch requests - By @capricorn86 in task #2117
- A security advisory (GHSA-w4gp-fjgq-3q4g) was reported for this security vulnerability. Big thanks to @r74tech for reporting this!

`v20.8.8`

Compare Source

👷‍♂️ Patch fixes

Fixes issue where export names can be interpolated as executable code in ESM - By @capricorn86 in task #2113
- A security advisory (GHSA-6q6h-j7hj-3r64) has been reported that shows a security vulnerability where it may be possible to escape the VM context and get access to process level functionality in unsafe environments using CommonJS. Big thanks to @tndud042713 for reporting this!

`v20.8.7`

Compare Source

👷‍♂️ Patch fixes

Replace implementing Node.js Console with common IConsole interface to support latest version of Bun - By @YevheniiKotyrlo in task #1845

`v20.8.6`

Compare Source

👷‍♂️ Patch fixes

Request.formData() should honor "Content-Type" header - By @brianhelba in task #2106

`v20.8.5`

Compare Source

👷‍♂️ Patch fixes

Fixes error thrown when modifying DOM structure in connectedCallback() - By @capricorn86 in task #2110

`v20.8.4`

Compare Source

`v20.8.3`

Compare Source

👷‍♂️ Patch fixes

Throw error if event is not of type Event in dispatchEvent - By @capricorn86 in task #2054

`v20.8.2`

Compare Source

👷‍♂️ Patch fixes

Resets Event.cancelBubble and Event.defaultPrevented when calling Event.initEvent() - By @capricorn86 in task #2090

`v20.8.1`

Compare Source

👷‍♂️ Patch fixes

Make "inert" attribute block focus interactions - By @coffeeandwork in task #1422

`v20.8.0`

Compare Source

`v20.7.2`

Compare Source

👷‍♂️ Patch fixes

Properly decode CSS escape sequences in attribute selector values - By @silverwind

`v20.7.1`

Compare Source

`v20.7.0`

Compare Source

🎨 Features

Adds support for Window.getScreenDetails() - By @TrevorBurnham in task #1923
Extends Screen from EventTarget - By @TrevorBurnham in task #1923

`v20.6.5`

Compare Source

👷‍♂️ Patch fixes

Add clearImmediate to Jest environment global scope - By @TrevorBurnham in task #1927

`v20.6.4`

Compare Source

👷‍♂️ Patch fixes

Normalize invalid input type attribute to "text" per HTML spec - By @atzzCokeK in task #2053

`v20.6.3`

Compare Source

👷‍♂️ Patch fixes

Refactors query selector parser to be able to handle complex rules - By @capricorn86 in task #1910
Fixes issue related to using query selector for attribute in XML document - By @capricorn86 in task #1912
Fixes issue with using quotes within quotes for attribute query selector (e.g. [data-value="it's a test"]) - By @capricorn86 in task #2034

`v20.6.2`

Compare Source

👷‍♂️ Patch fixes

Update entities package version to resolve missing export for vue and vue-compat v3.5 - By @acollins1991 in task #2066

`v20.6.1`

Compare Source

`v20.6.0`

Compare Source

`v20.5.5`

Compare Source

`v20.5.4`

Compare Source

👷‍♂️ Patch fixes

Implement Text.wholeText property - By @aki05162525 in task #1959

`v20.5.3`

Compare Source

`v20.5.2`

Compare Source

`v20.5.1`

Compare Source

`v20.5.0`

Compare Source

`v20.4.0`

Compare Source

🎨 Features

Adds support for caching the compiled code of EcmaScript modules - By @capricorn86 in task #2049
Improves the way nodes are

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

Branch creation
- Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Summary by CodeRabbit

Chores
- Updated GitHub Actions workflow dependencies across multiple workflow files.
- Bumped development and runtime package dependencies to newer versions.
- Updated package manager version constraint and configuration overrides.
- Removed deprecated Prettier plugin configuration.
Refactor
- Simplified internal type definitions and reduced public API surface.

renovate · 2026-06-15T03:24:10Z

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 3 workspace projects
? Verifying lockfile against supply-chain policies (965 entries)...
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 12, reused 0, downloaded 0, added 0
Progress: resolved 18, reused 0, downloaded 0, added 0
Progress: resolved 19, reused 0, downloaded 0, added 0
Progress: resolved 20, reused 0, downloaded 0, added 0
Progress: resolved 22, reused 0, downloaded 0, added 0
Progress: resolved 24, reused 0, downloaded 0, added 0
[WARN] Request took 10967ms: https://registry.npmjs.org/@typescript-eslint%2Ftypes
[WARN] Request took 11420ms: https://registry.npmjs.org/@typescript-eslint%2Fvisitor-keys
[WARN] Request took 11882ms: https://registry.npmjs.org/@typescript-eslint%2Fscope-manager
[WARN] Request took 13454ms: https://registry.npmjs.org/@typescript-eslint%2Fparser
[WARN] Request took 17558ms: https://registry.npmjs.org/@types%2Fnode
Progress: resolved 25, reused 0, downloaded 0, added 0
[WARN] Request took 14060ms: https://registry.npmjs.org/@typescript-eslint%2Ftypescript-estree
[WARN] Request took 14349ms: https://registry.npmjs.org/@typescript-eslint%2Feslint-plugin
[WARN] Request took 18563ms: https://registry.npmjs.org/nx
Progress: resolved 26, reused 0, downloaded 0, added 0
[WARN] Request took 11668ms: https://registry.npmjs.org/@types%2Fnode
[WARN] Request took 20374ms: https://registry.npmjs.org/typescript
Progress: resolved 27, reused 0, downloaded 0, added 0
Progress: resolved 112, reused 0, downloaded 0, added 0
Progress: resolved 240, reused 0, downloaded 0, added 0
Progress: resolved 286, reused 0, downloaded 0, added 0
[WARN] Request took 11398ms: https://registry.npmjs.org/@typescript-eslint%2Futils
Progress: resolved 298, reused 0, downloaded 0, added 0
Progress: resolved 305, reused 0, downloaded 0, added 0
[WARN] Request took 11373ms: https://registry.npmjs.org/@typescript-eslint%2Fvisitor-keys
Progress: resolved 353, reused 0, downloaded 1, added 0
[WARN] Request took 12441ms: https://registry.npmjs.org/@typescript-eslint%2Ftypes
Progress: resolved 384, reused 0, downloaded 1, added 0
Progress: resolved 506, reused 0, downloaded 1, added 0
[WARN] Request took 13544ms: https://registry.npmjs.org/@typescript-eslint%2Fscope-manager
Progress: resolved 531, reused 0, downloaded 1, added 0
Progress: resolved 545, reused 0, downloaded 1, added 0
[WARN] Request took 13270ms: https://registry.npmjs.org/nx
Progress: resolved 546, reused 0, downloaded 1, added 0
[WARN] Request took 15640ms: https://registry.npmjs.org/@typescript-eslint%2Fparser
[WARN] Request took 15926ms: https://registry.npmjs.org/@typescript-eslint%2Ftypescript-estree
[WARN] Request took 16324ms: https://registry.npmjs.org/@typescript-eslint%2Feslint-plugin
Progress: resolved 547, reused 0, downloaded 1, added 0
Progress: resolved 549, reused 0, downloaded 1, added 0
[WARN] Request took 10243ms: https://registry.npmjs.org/@typescript-eslint%2Feslint-plugin
Progress: resolved 565, reused 0, downloaded 1, added 0
Progress: resolved 744, reused 0, downloaded 2, added 0
Progress: resolved 757, reused 0, downloaded 2, added 0
Progress: resolved 761, reused 0, downloaded 2, added 0
[WARN] Request took 23505ms: https://registry.npmjs.org/vite
✗ Lockfile failed supply-chain policy check (965 entries in 41s)
[ERR_PNPM_TRUST_DOWNGRADE] 2 lockfile entries failed verification:
  pino@9.14.0 High-risk trust downgrade for "pino@9.14.0" (possible package takeover)
  undici-types@6.21.0 High-risk trust downgrade for "undici-types@6.21.0" (possible package takeover)

The lockfile contains entries that the active policies reject. This can mean the lockfile is stale, or that someone committed a lockfile that bypassed the policy locally — inspect recent changes to pnpm-lock.yaml before trusting it. If the changes look expected, run "pnpm clean --lockfile" and then "pnpm install" to rebuild from a fresh resolution. Alternatively, relax the policy that flagged them.

coderabbitai · 2026-06-15T03:24:20Z

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

📝 Walkthrough

Walkthrough

Routine dependency maintenance across the monorepo: pinned GitHub Actions action versions are bumped, pnpm is updated to v11.7.0, and numerous root and package-level npm dependencies are updated or removed. Svelte-related tooling is dropped. Three internal TypeScript types (SkillSource, IntentFsCacheStats, IntentScanDebugStats) are removed from the public API surface. Workspace overrides pin pino and undici-types.

Changes

Dependency and tooling version updates

Layer / File(s)	Summary
GitHub Actions workflow pin updates `.github/workflows/autofix.yml`, `.github/workflows/benchmarks.yml`, `.github/workflows/pr.yml`, `.github/workflows/release.yml`, `.github/workflows/zizmor.yml`	`actions/checkout` bumped v6.0.2→v6.0.3 in all five workflows; `autofix-ci/action` v1.3.2→v1.3.4; `CodSpeedHQ/action` v4.15.1→v4.17.5; `changesets/action` v1.8.0→v1.9.0; `zizmorcore/zizmor-action` v0.5.3→v0.5.6.
npm package and pnpm version updates `package.json`, `benchmarks/intent/package.json`, `packages/intent/package.json`	`packageManager` and `engines.pnpm` raised to `11.7.0`; root `devDependencies` bumped for eslint, knip, nx, prettier, typescript, vitest, yaml and others; `@faker-js/faker`, `happy-dom`, `prettier-plugin-svelte` removed; clean scripts guarded with `agents` directory existence check; intent and benchmark package deps updated.
Workspace configuration and Svelte tooling removal `pnpm-workspace.yaml`, `prettier.config.js`, `knip.json`	Workspace overrides added for `pino@10.3.1` and `undici-types@8.4.1`; Svelte plugin and parser override removed from Prettier config; knip ignores updated to remove `@faker-js/faker`, `tsx`, `@verdaccio/node-api` and add `verdaccio`.

Type API surface simplification

Layer / File(s)	Summary
Type visibility and consolidation changes `packages/intent/src/core/skill-sources.ts`, `packages/intent/src/fs-cache.ts`, `packages/intent/src/core/types.ts`	`SkillSource` and `IntentFsCacheStats` de-exported to module-local types; `IntentScanDebugStats` interface removed and both `IntentSkillListDebug.scan` and `LoadedIntentSkillDebug.scan` now use `ScanStats` directly.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

Dependency Dashboard #132: This PR implements the exact dependency and action version updates tracked in that Dependency Dashboard issue, including actions/checkout v6.0.3, autofix-ci/action v1.3.4, pnpm v11.7.0, and removal of prettier-plugin-svelte.

Possibly related PRs

TanStack/intent#139: Both PRs modify package.json's engines.pnpm constraint; the prior PR set it to >=11.0.0 and this PR raises it to >=11.7.0.

Suggested reviewers

tannerlinsley

🐇 Bumping versions, one by one,
Old Svelte plugins? Their time is done.
Types made private, clean and neat,
Pnpm hops to a newer beat.
Dependency dashboard? Check! ✅
The rabbit keeps the monorepo in spec!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description is mostly complete with detailed dependency update information, but is missing the required checklist items and release impact assessment from the template.	Complete the required sections: confirm testing with 'pnpm run test:pr' and indicate whether a changeset was generated for any code changes affecting published packages.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main purpose of the PR - updating non-major dependencies across the entire project.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch renovate/all-minor-patch

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

nx-cloud · 2026-06-16T04:25:16Z

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

_{To disable these notifications, a workspace admin can disable them in workspace settings.}

View your CI Pipeline Execution ↗ for commit adbc086

Command	Status	Duration	Result
`nx affected --targets=test:eslint,test:sherif,t...`	❌ Failed	24s	View ↗
`nx run-many --targets=build --exclude=examples/**`	✅ Succeeded	<1s	View ↗

☁️ Nx Cloud last updated this comment at 2026-06-16 05:18:08 UTC

nx-cloud · 2026-06-16T04:25:17Z

View your CI Pipeline Execution ↗ for commit 151885e

Command	Status	Duration	Result
`nx run-many --targets=build --exclude=examples/**`	✅ Succeeded	<1s	View ↗

☁️ Nx Cloud last updated this comment at 2026-06-16 04:36:43 UTC

pkg-pr-new · 2026-06-16T04:25:23Z

Open in StackBlitz

npm i https://pkg.pr.new/TanStack/intent/@tanstack/intent@164

commit: 5df7a01

socket-security · 2026-06-16T04:25:34Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Quality
nx@22.7.5
tinyglobby@0.2.17
vitest@4.1.8
eslint-plugin-unused-imports@4.4.1
yaml@2.9.0
tsdown@0.22.2
typescript@5.9.3 ⏵ 6.0.3	⁺¹	⁺¹
sherif@1.11.1
@changesets/cli@2.31.0
knip@6.16.1
semver@7.8.4
prettier@3.8.4
@codspeed/vitest-plugin@5.5.0
verdaccio@6.7.2

View full report

socket-security · 2026-06-16T04:25:37Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Obfuscated code: npm `@verdaccio/ui-theme` is 95.0% likely obfuscated Confidence: 0.95 Location: Package overview From: pnpm-lock.yaml → `npm/verdaccio@6.7.2` → `npm/@verdaccio/ui-theme@9.0.0-next-9.14` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@verdaccio/ui-theme@9.0.0-next-9.14`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `nx` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → `npm/nx@22.7.5` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/nx@22.7.5`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm `tmp`: Type-confusion bypass of _assertPath allows path traversal via non-string prefix/postfix/template CVE: GHSA-7c78-jf6q-g5cm tmp: Type-confusion bypass of _assertPath allows path traversal via non-string prefix/postfix/template (HIGH) Affected versions: >= 0.2.6 < 0.2.7 Patched version: 0.2.7 From: pnpm-lock.yaml → `npm/nx@22.7.5` → `npm/tmp@0.2.6` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/tmp@0.2.6`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

renovate · 2026-06-16T04:26:56Z

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

codspeed-hq · 2026-06-16T04:28:31Z

Merging this PR will not alter performance

✅ 6 untouched benchmarks

_{Comparing renovate/all-minor-patch (5df7a01) with main (2676302)}

coderabbitai

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@knip.json`:
- Around line 2-3: The $schema field in knip.json references knip@5 but the
installed knip version is 6.16.1. Update the schema URL on line 2 by changing
the version from `@5` to `@6` in the $schema value so that IDE validation and
tooling use the correct configuration schema for the installed version.

In `@package.json`:
- Around line 20-21: The clean and clean:node_modules scripts are checking for
the existence of an agents directory but the actual repository structure uses
packages/agents. Update both scripts to check for the correct directory path.
Change the conditional check from [ -d agents ] to [ -d packages ] and update
the find commands to search within packages/agents (or packages/*) instead of
agents to ensure the cleanup scripts actually execute when the correct directory
structure exists.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5ecc7202-28eb-4c1b-af58-989bc7372ac7

📥 Commits

Reviewing files that changed from the base of the PR and between 5c39ba8 and 151885e.

⛔ Files ignored due to path filters (1)

pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (11)

benchmarks/intent/package.json
knip.json
nx.json
package.json
packages/intent/package.json
packages/intent/src/core/skill-sources.ts
packages/intent/src/core/types.ts
packages/intent/src/fs-cache.ts
pnpm-workspace.yaml
prettier.config.js
terminalOutput

💤 Files with no reviewable changes (3)

terminalOutput
prettier.config.js
packages/intent/package.json

renovate Bot added the dependencies label Jun 15, 2026

renovate Bot requested a review from a team as a code owner June 15, 2026 03:24

renovate Bot added the dependencies label Jun 15, 2026

renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 9d66960 to 5c39ba8 Compare June 16, 2026 02:48

coderabbitai Bot reviewed Jun 16, 2026

View reviewed changes

Comment thread knip.json Outdated

Comment thread package.json Outdated

LadyBluenotes force-pushed the renovate/all-minor-patch branch 2 times, most recently from adbc086 to 4ae842a Compare June 16, 2026 05:08

renovate Bot and others added 3 commits June 15, 2026 22:10

chore(deps): update all non-major dependencies

ed042dc

fix errors

890209b

fix

ab96d69

LadyBluenotes force-pushed the renovate/all-minor-patch branch from 4ae842a to ab96d69 Compare June 16, 2026 05:10

fix

5df7a01

Uh oh!

Conversation

renovate Bot commented Jun 15, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Minor Changes

Patch Changes

Highlights

What's Changed

What's Changed

What's Changed

New Locales

Features

Changed Locales

Bug Fixes

New Locales

Features

Changed Locales

Bug Fixes

Release Notes

🚀 Features

🐛 Bug Fixes

💼 Other

🏗️ Refactor

⚙️ Internals

Install codspeed-runner 4.17.5

Install prebuilt binaries via shell script

Download codspeed-runner 4.17.5

Release Notes

🚀 Features

🐛 Bug Fixes

💼 Other

🏗️ Refactor

🧪 Testing

⚙️ Internals

Install codspeed-runner 4.17.0

Install prebuilt binaries via shell script

Download codspeed-runner 4.17.0

v1.3.4: autofix-ci/action 1.3.4

What's Changed

v1.3.3: autofix-ci/action 1.3.3

What's Changed

Minor Changes

Patch Changes

👷‍♂️ Patch fixes

🎨 Features

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

🎨 Features

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

🎨 Features

Configuration

Summary by CodeRabbit

Uh oh!

renovate Bot commented Jun 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠️ Artifact update problem

File name: pnpm-lock.yaml

Uh oh!

coderabbitai Bot commented Jun 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reviews paused

Walkthrough

Changes

Estimated code review effort

Possibly related issues

Possibly related PRs

Suggested reviewers

❌ Failed checks (1 inconclusive)

renovate Bot commented Jun 15, 2026 •

edited by coderabbitai Bot

Loading

`v1.3.4`: autofix-ci/action 1.3.4

`v1.3.3`: autofix-ci/action 1.3.3

renovate Bot commented Jun 15, 2026 •

edited

Loading

coderabbitai Bot commented Jun 15, 2026 •

edited

Loading

nx-cloud Bot commented Jun 16, 2026 •

edited

Loading

nx-cloud Bot commented Jun 16, 2026 •

edited

Loading

pkg-pr-new Bot commented Jun 16, 2026 •

edited

Loading

socket-security Bot commented Jun 16, 2026 •

edited

Loading

socket-security Bot commented Jun 16, 2026 •

edited

Loading