chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@vitejs/plugin-react (source)	^6.0.1 → ^6.0.2			pnpm.catalog.default	patch
@vitejs/plugin-vue (source)	^6.0.6 → ^6.0.7			pnpm.catalog.default	patch
eslint (source)	^10.3.0 → ^10.4.0			pnpm.catalog.default	minor
nx (source)	22.7.1 → 22.7.2			pnpm.catalog.default	patch
pnpm (source)	11.1.1 → 11.1.2			packageManager	patch
pnpm/action-setup	v6.0.7 → v6.0.8			action	patch
publint (source)	^0.3.20 → ^0.3.21			pnpm.catalog.default	patch
vite (source)	^8.0.12 → ^8.0.13			pnpm.catalog.default	patch
zizmorcore/zizmor-action	v0.5.3 → v0.5.6			action	patch

---

Release Notes

vitejs/vite-plugin-react (@​vitejs/plugin-react)

v6.0.2

Compare Source

Allow all options in reactCompilerPreset (#​1189)

This is a type only change. Only compilationMode and target options were available for reactCompilerPreset.

vitejs/vite-plugin-vue (@​vitejs/plugin-vue)

v6.0.7

Features

• use carets for @rolldown/pluginutils version (#​776) (941b651)

Bug Fixes

• deps: update all non-major dependencies (#​762) (9e825b8)
• deps: update all non-major dependencies (#​774) (77dc8bc)

eslint/eslint (eslint)

v10.4.0

Compare Source

nrwl/nx (nx)

v22.7.2

Compare Source

22.7.2 (2026-05-14)

🚀 Features

• gradle: stream batch task results to nx as they finish (#​35487)
• nx-dev: track docs analytics for code copy, LLM prompt, YouTube (#​35526)
• testing: add migration for Jest 30 snapshot guide link (#​35629)

🩹 Fixes

• angular: disable vitest watch by default (#​35493)
• angular-rspack: keep root-scoped assets out of per-locale i18n emit (#​35621)
• bundling: include tsconfig solution input for rollup (#​35476)
• bundling: include tsconfig solution input for webpack (#​35477, #​35476)
• core: bump axios to 1.16.0 for all packages (#​35568)
• core: add provenance check in nx console status path (#​35485)
• core: remove access control header from graph app (#​35494)
• core: ensure verbose logs go to stderr and daemon logs are properly decorated (#​34358)
• core: show flaky-task count in run summary (#​35491)
• core: unique telemetry user_id; expose workspace_id dimension (#​35553)
• core: update minimatch to 10.2.5 (#​35569, #​34660)
• core: restore use-legacy-versioning shim for @​nx/js@​21 ensurePackage path (#​35574)
• core: isolate NX_PARALLEL env var in parallel-related specs (#​35579)
• core: skip handleimport miss path when nx key packages are absent (#​35596)
• core: use gethostuuid(3) instead of ioreg on macOS (#​35599)
• core: isolate cache env vars in splitArgs spec (#​35584)
• core: enable node's native v8 compile cache support (#​35415, #​20454)
• core: support skipped batch tasks end-to-end and fix TUI double logs (#​35617)
• core: keep TUI task selection on the in-progress section (#​35640)
• core: allow nx mcp to run outside of an Nx workspace (#​35655)
• core: cast perf entries to PerformanceMeasure for detail access (43c0c821ba)
• devkit: exclude dist from jest module path scan (#​35615)
• devkit: expand @​nx/devkit/internal re-exports for cherry-picked v23 deep-import migration (#​35541)
• dotnet: correct output paths for Web SDK and centralized dist setups (#​35398)
• gradle: exclude batch-runner from jest haste-map crawl (#​35501)
• gradle: exclude project-graph from jest module path scan (#​35609)
• gradle: support Windows file paths (#​35184, #​34987)
• js: strip glob from inferred outputs before resolving as path (#​35463, #​35452)
• js: reference vitest.config in eslint dep-checks for vitest libs (#​35460, #​33670, #​35450)
• js: include transitive workspace deps in pruned pnpm lockfile (#​35532, #​35347, #​34655)
• linter: prevent ENOENT crash in getRelativeImportPath for unresolvable paths (#​35007, #​13872, #​34066, #​30491, #​16716, #​35006, #​21889, #​32190)
• maven: skip attached artifacts that fail to materialize in batch record (#​35473)
• maven: serialize Maven 4 build state recording (#​35555)
• maven: widen runCLI timeout for --no-batch maven.test.ts cases (#​35589)
• nx-dev: document nested CLI subcommands beyond two levels (#​35519)
• nx-dev: short-circuit bot probes in framer rewrite edge function (#​35527)
• react: withSvgr migration preserves other properties (#​35484)
• repo: clear NX_INVOCATION_ROOT_PID in run-native-target to avoid recursion false-positive (443dee0b22)
• repo: revert deep-import rewrites that targeted v23-only @​nx/devkit/internal entry (ac8187963d)
• repo: unblock 22.7.x cargo tests and nx-build e2e (#​34285)
• repo: expand "..." spread token in graph typecheck inputs (#​34285, #​35458)
• testing: pin jest to ~30.3.0 to avoid jest-runtime 30.4 RN incompat (#​35618)
• testing: handle absolute cypress screenshotsFolder/videosFolder paths (#​35624)
• testing: exclude dist and out-tsc from default jest module path scan (#​35619)
• testing: update remaining snapshot guide links missed by migration (cd350c1140)

❤️ Thank You

• Adam Keenan @​adamk33n3r
• AgentEnder @​AgentEnder
• beeman
• Claude
• Craigory Coppola @​AgentEnder
• FrozenPandaz @​FrozenPandaz
• Jack Hsu @​jaysoo
• Jason Jean @​FrozenPandaz
• Leosvel Pérez Espinosa @​leosvelperez
• Max Kless
• MaxKless @​MaxKless
• Optischa @​Optischa
• Sharon Lougheed

pnpm/pnpm (pnpm)

v11.1.2

Compare Source

Patch Changes

• convertEnginesRuntimeToDependencies: switch the runtime-dependency write to Object.defineProperty so the CodeQL js/prototype-polluting-assignment rule treats the assignment as safe regardless of the property name (follow-up to #​11609).

• Address CodeQL static-analysis findings: guard manifest dependency writes against prototype-polluting keys (__proto__, constructor, prototype), and replace a potentially super-linear semver-detection regex in registry 404 hints with an O(n) parser.

• Strip sec-fetch-* headers from outgoing HTTP requests. These headers are automatically added by undici's fetch() implementation per the Fetch spec but cause Azure DevOps Artifacts to return HTTP 400 for uncached upstream packages, as ADO interprets them as browser requests #​11572.

• Fix minimumReleaseAge handling for cached abbreviated metadata.

  The version-spec cache fast path no longer rethrows ERR_PNPM_MISSING_TIME under strictPublishedByCheck; it now falls through to the registry-fetch path, consistent with the adjacent mtime-gated cache block.

  When the registry returns 304 Not Modified for a package whose cached metadata is abbreviated (no per-version time), pnpm now re-fetches with fullMetadata: true if minimumReleaseAge is active and the package was modified after the cutoff. The upgraded metadata is persisted to disk so subsequent installs don't repeat the fetch. Previously the abbreviated meta was used as-is and the maturity check fell back to its warn-and-skip path, silently bypassing the quarantine and emitting a misleading "metadata is missing the time field" warning.

  Closes #​11619.

• Fix pnpm upgrade --interactive --latest -r not respecting named catalog groups. Previously, upgrading a dependency using a named catalog (e.g. "catalog:foo") would incorrectly rewrite package.json to "catalog:" and place the updated version in the default catalog instead of the named one #​10115.

• Fixed optimisticRepeatInstall skipping pnpm-lock.yaml merge conflict resolution when the existing node_modules state appears up to date.

• Fix minimumReleaseAge / resolutionMode: time-based installs failing on lockfiles whose time: block is missing entries. The npm-resolver's peek-from-store fast path now surfaces publishedAt from the lockfile rather than discarding it, and falls through to a registry metadata fetch when the time-based cutoff can't be computed from the data on hand.

pnpm/action-setup (pnpm/action-setup)

v6.0.8

Compare Source

publint/publint (publint)

v0.3.21

Compare Source

Patch Changes

• Suggest adding "sideEffects": false when bundler-oriented package fields or conditions are detected and the field is missing. (#​228)

vitejs/vite (vite)

v8.0.13

Compare Source

Features

• bundled-dev: add lazy bundling support (#​21406) (4f0949f)
• optimizer: improve the esbuild plugin converter to pass some properties of build result to onEnd (#​22357) (47071ce)
• update rolldown to 1.0.1 (#​22444) (8c766a6)

Bug Fixes

• build: copy public directory after building same environment with write=false (#​22328) (158e8ae)
• css: await sass/less/styl worker disposal on teardown (fix #​22274) (#​22275) (b7edcb7)
• css: keep deprecated name/originalFileName in synthetic assetFileNames call (#​22439) (8e59c97)
• make isBundled per environment (#​22257) (a576326)
• ssr: avoid rewriting labels that collide with imports (#​22451) (d9b18e0)

Miscellaneous Chores

• remove irrelevant commits from changelog (#​22430) (6ea3838)
• update changelog (#​22413) (fcdc87c)

zizmorcore/zizmor-action (zizmorcore/zizmor-action)

v0.5.6

Compare Source

• 1.25.2 is now available via the action
• 1.25.2 is now the default version of zizmor used by the action

v0.5.5

Compare Source

This is a no-op release.

v0.5.4

Compare Source

• 1.25.0 is now available via the action
• 1.25.0 is now the default version of zizmor used by the action

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 84410c1c-7829-427e-bc5f-96580e804cdf

📥 Commits

Reviewing files that changed from the base of the PR and between 6ddd247 and 4644632.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (4)

• .github/setup/action.yml
• .github/workflows/zizmor.yml
• package.json
• pnpm-workspace.yaml

---

📝 Walkthrough

Walkthrough

This PR updates dependency and tool versions across configuration files: pnpm package manager is bumped to 11.1.2, GitHub Action tool pins are refreshed (pnpm/action-setup to v6.0.8 and zizmor-action to v0.5.6), and workspace dependency catalog entries in the pnpm configuration are updated to newer versions.

Changes

Dependency and Tool Version Updates

Layer / File(s)	Summary
GitHub Actions tool versions .github/setup/action.yml, .github/workflows/zizmor.yml	pnpm/action-setup is pinned to v6.0.8 (from v6.0.7), and zizmorcore/zizmor-action is pinned to v0.5.6 (from v0.5.3).
Project manager and workspace dependencies package.json, pnpm-workspace.yaml	Root pnpm packageManager version bumped to 11.1.2 (from 11.1.1); workspace catalog updated with @vitejs/plugin-react, @vitejs/plugin-vue, eslint, nx, publint, and vite version increments.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

• Dependency Dashboard #117: Dependency version bumps (pnpm, pnpm/action-setup, zizmorcore/zizmor-action, and workspace catalog) match Renovate Dependency Dashboard entries.
• Dependency Dashboard pacer#76: pnpm version bumps and zizmor-action pin align with suggested Renovate updates.

Possibly related PRs

• TanStack/config#376: Overlapping pnpm version and pnpm-workspace.yaml catalog updates.
• TanStack/config#367: Related updates to pnpm-workspace.yaml dependency catalog and .github/setup/action.yml action pins.
• TanStack/config#378: Concurrent pnpm-workspace.yaml dependency catalog version bumps for packages like vite and eslint.

Poem

🐰 The tools and toolbox both arise,
With pnpm and vite to modernize.
Version bumps dance, neat and light,
Config files glowing, oh what a sight! ✨
Small steps forward, building just right.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is largely incomplete; it lacks the required template sections including '🎯 Changes', '✅ Checklist', and '🚀 Release Impact' as specified in the repository template.	Add the required sections from the template: 'Changes' section describing the update rationale, 'Checklist' with the two checkboxes, and 'Release Impact' to clarify if a changeset is needed.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore(deps): update all non-major dependencies' accurately summarizes the main change—updating multiple dependencies to non-major versions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/all-minor-patch

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🚀 Changeset Version Preview

No changeset entries found. Merging this PR will not cause a version bump for any packages.

[nx-cloud]

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

_{To disable these notifications, a workspace admin can disable them in workspace settings.}

---

View your CI Pipeline Execution ↗ for commit 4644632

Command	Status	Duration	Result
nx affected --targets=test:sherif,test:docs,tes...	❌ Failed	26s	View ↗
nx run-many --target=build	✅ Succeeded	7s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-05-18 01:10:32 UTC

[pkg-pr-new]

npm i https://pkg.pr.new/@tanstack/eslint-config@390

npm i https://pkg.pr.new/@tanstack/publish-config@390

npm i https://pkg.pr.new/@tanstack/typedoc-config@390

npm i https://pkg.pr.new/@tanstack/vite-config@390

commit: 4644632

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	nx@​22.7.2
	publint@​0.3.21
	vite@​8.0.13
	eslint@​10.4.0
	@​vitejs/​plugin-react@​6.0.2
	@​vitejs/​plugin-vue@​6.0.7

View full report