chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@types/google.maps (source)	^3.58.1 → ^3.64.0			peerDependencies	minor
@types/youtube (source)	^0.1.0 → ^0.2.0			peerDependencies	minor
@unhead/vue (source)	^2.0.3 → ^2.1.13			peerDependencies	minor
Hebilicious/reproduire	v0.0.9-mp → v0.0.9			action	patch
actions/checkout	v6.0.1 → v6.0.2			action	patch
actions/stale	v10.0.0 → v10.2.0			action	minor
oxc-parser (source)	^0.128.0 → ^0.129.0			pnpm.catalog.default	minor
pnpm (source)	10.33.2 → 10.33.4			packageManager	patch
posthog-js (source)	^1.372.6 → ^1.372.9			pnpm.catalog.default	patch
posthog-js (source)	^1.0.0 → ^1.372.9			peerDependencies	minor
valibot (source)	^1.3.1 → ^1.4.0			pnpm.catalog.default	minor
vue (source)	^3.5.33 → ^3.5.34			pnpm.catalog.default	patch
vue-tsc (source)	^3.2.7 → ^3.2.8			pnpm.catalog.default	patch

---

Release Notes

unjs/unhead (@​unhead/vue)

v2.1.13

Compare Source

   🐞 Bug Fixes

• schema-org: Normalize target to array before merging potentialAction  -  by @​harlan-zw and Claude Opus 4.6 (1M context) in #​709 (22ac9)

    View changes on GitHub

v2.1.12

Compare Source

   🐞 Bug Fixes

• Harden prototype pollution  -  by @​harlan-zw (a6ed9)
• Case insensitive attr dedupe  -  by @​harlan-zw (3146b)

    View changes on GitHub

v2.1.11

Compare Source

    ⚠️ Security

• Fixed XSS bypass in useHeadSafe via attribute name injection (GHSA-g5xx-pwrp-g3fv). Users handling untrusted input with useHeadSafe should upgrade immediately.

   🐞 Bug Fixes

• addons,schema-org: Permissive peer dependencies  -  by @​harlan-zw (4c5d1)

    View changes on GitHub

v2.1.10

Compare Source

   🐞 Bug Fixes

• solid-js: Correct peerDependency version  -  by @​tyeporter in #​671 (64e17)

    View changes on GitHub

v2.1.9

Compare Source

   🐞 Bug Fixes

• schema-org: Nuxt test utils compat bug  -  by @​harlan-zw (ef838)

    View changes on GitHub

v2.1.8

Compare Source

   🐞 Bug Fixes

• schema-org: Avoid crashing from 3+ duplicate nodes  -  by @​harlan-zw (4baf9)

    View changes on GitHub

v2.1.7

Compare Source

   🐞 Bug Fixes

• unhead:
  • deduplicate matching tags inside same render cycle  -  by @​harlan-zw in #​668 (5c0b2)

    View changes on GitHub

v2.1.6

Compare Source

   🐞 Bug Fixes

• react: Ssr regression  -  by @​harlan-zw (6adff)

    View changes on GitHub

v2.1.5

Compare Source

   🐞 Bug Fixes

• react: Dispose head entries on unmount in React 18 StrictMode  -  by @​harlan-zw in #​664 (50ffe)
• scripts: Prevent scope disposal from aborting unrelated trigger in useScript  -  by @​cernymatej in #​660 (e8f5b)
• unhead: Dedupe link rel without hreflang or type  -  by @​danielroe in #​658 (1487d)

    View changes on GitHub

v2.1.4

Compare Source

   🐞 Bug Fixes

• schema-org: Remove unimplemented SchemaOrgDebug  -  by @​onmax in #​649 (642dc)
• unhead: Dedupe <link rel="alternate"> by hreflang/type only, drop href from key  -  by @​harlan-zw in #​656 (86175)

    View changes on GitHub

v2.1.3

Compare Source

   🐞 Bug Fixes

• unhead:
  • Dedupe <link rel="alternate">  -  by @​danielroe and onmax in #​655 (fdabe)
• vue:
  • Support computed getter trigger  -  by @​harlan-zw in #​638 (fd63a)
  • Guard s._statusRef  -  by @​danielroe in #​642 (4ef03)

   🏎 Performance

• vue: Avoid duplicating error message in the bundle  -  by @​panstromek in #​652 (194e5)

    View changes on GitHub

v2.1.2

Compare Source

   🐞 Bug Fixes

• Broken cjs environment  -  by @​harlan-zw (ce989)

    View changes on GitHub

v2.1.1

Compare Source

No significant changes

    View changes on GitHub

v2.1.0

Compare Source

   🚀 Features

• schema-org: 12 new nodes  -  by @​harlan-zw in #​612 (1a9b8)

   🐞 Bug Fixes

• react:
  • Recursive function resolves broken  -  by @​harlan-zw (4e0c7)
• schema-org:
  • Correct month off-by-one  -  by @​harlan-zw in #​603 (a3e70)
  • Missing schema.org properties  -  by @​harlan-zw in #​614 (54e05)
• unhead:
  • Enforce boolean string meta contents  -  by @​kfreezen in #​594 (0b8e7)
  • Capo module scripts ordering  -  by @​Barbapapazes in #​600 (3c661)
  • Capo inline scripts ordering  -  by @​Barbapapazes in #​596 (7be75)
  • Normalize script type  -  by @​harlan-zw (e51b6)
  • Safer handling of input  -  by @​harlan-zw (b4b6c)

   🏎 Performance

• schema-org:
  • Remove ohash and defu dependencies  -  by @​harlan-zw in #​605 (0d508)
  • Rework graph resolution  -  by @​harlan-zw in #​616 (b79e4)

    View changes on GitHub

v2.0.19

Compare Source

   🐞 Bug Fixes

• vue: Tree shaking breaking some reactivity  -  by @​harlan-zw (7abb5)

    View changes on GitHub

v2.0.18

Compare Source

   🏎 Performance

• unhead: Avoid server side effects  -  by @​harlan-zw in #​585 (3fd09)

    View changes on GitHub

v2.0.17

Compare Source

No significant changes

    View changes on GitHub

v2.0.14

Compare Source

   🐞 Bug Fixes

• unhead: Multiword attributes in template  -  by @​NikSimonov in #​568 (f635b)

    View changes on GitHub

v2.0.13

Compare Source

   🐞 Bug Fixes

• unhead:
  • Canonical plugin modifying non-url properties  -  by @​paraboul (ee8fd)
  • Avoid normalizing template param input  -  by @​harlan-zw (1d205)
  • Safer removal of leading / trailing separators  -  by @​harlan-zw (d4501)

    View changes on GitHub

v2.0.12

Compare Source

   🐞 Bug Fixes

• react: Force invalidation on entry disposal  -  by @​harlan-zw in #​559 (4ee5e)

    View changes on GitHub

v2.0.11

Compare Source

   🐞 Bug Fixes

• Allow non-standard meta tags to be intentionally duped  -  by @​harlan-zw (9a899)

    View changes on GitHub

v2.0.10

Compare Source

   🐞 Bug Fixes

• Safer meta array deduping  -  by @​harlan-zw (32486)

    View changes on GitHub

v2.0.9

Compare Source

   🏎 Performance

• unhead: Normalize canonicalHost only once in canonical plugin  -  by @​negezor in #​550 (92713)

    View changes on GitHub

v2.0.8

Compare Source

No significant changes

    View changes on GitHub

v2.0.7

Compare Source

   🐞 Bug Fixes

• schema-org: unhead hoisting issue  -  by @​harlan-zw (bb0e4)

    View changes on GitHub

v2.0.6

Compare Source

   🐞 Bug Fixes

• ssr: Less aggressive encoding of non-title tags  -  by @​harlan-zw (f4d4f)

    View changes on GitHub

v2.0.5

Compare Source

   🐞 Bug Fixes

• vue: Use setTimeout as render's debounced delayer  -  by @​kricsleo in #​540 (8f7c5)

    View changes on GitHub

v2.0.4

Compare Source

   🐞 Bug Fixes

• InferSeoMetaPlugin: Template param replacement broken  -  by @​harlan-zw (4e1c8)

    View changes on GitHub

Hebilicious/reproduire (Hebilicious/reproduire)

v0.0.9

Compare Source

compare changes

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

actions/stale (actions/stale)

v10.2.0

Compare Source

v10.1.1

Compare Source

What's Changed

Bug Fix

• Add Missing Input Reading for only-issue-types by @​Bibo-Joshi in #​1298

Improvement

• Improves error handling when rate limiting is disabled on GHES. by @​chiranjib-swain in #​1300

Dependency Upgrades

• Upgrade eslint-config-prettier from 8.10.0 to 10.1.8 by @​dependabot in #​1276
• Upgrade @​types/node from 20.10.3 to 24.2.0 and document breaking changes in v10 by @​dependabot in #​1280
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot in #​1291
• Upgrade actions/checkout from 4 to 6 by @​dependabot in #​1306

New Contributors

• @​chiranjib-swain made their first contribution in #​1300

Full Changelog: actions/stale@v10...v10.1.1

v10.1.0

Compare Source

What's Changed

• Add only-issue-types option to filter issues by type by @​Bibo-Joshi in #​1255

New Contributors

• @​Bibo-Joshi made their first contribution in #​1255

Full Changelog: actions/stale@v10...v10.1.0

oxc-project/oxc (oxc-parser)

v0.129.0

🐛 Bug Fixes

• 429deac napi/parser: Export visitorKeys from wasm entrypoint (#​21996) (NullVoxPopuli)

pnpm/pnpm (pnpm)

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

• Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

  A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

• Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Gold Sponsors

v10.33.3

Compare Source

PostHog/posthog-js (posthog-js)

v1.372.9

Compare Source

1.372.9

Patch Changes

• #​3537 026e09d Thanks @​TueHaulund! - Pull in the canvas-manager fix from @posthog/rrweb 0.0.61: skip canvas
  snapshots while the WebGL context is lost so transparent bitmaps don't
  poison the worker's fingerprint dedup map and silently kill canvas
  recording for the rest of the session. Also wraps getCanvas() in
  try/catch so DOM/shadow-root traversal errors can't cancel the rAF
  loop. See PR #​3527 for context. (2026-05-05)
• Updated dependencies []:
  • @​posthog/types@​1.372.9
  • @​posthog/core@​1.28.3

v1.372.8

Compare Source

1.372.8

Patch Changes

• #​3515 255b273 Thanks @​marandaneto! - Gate survey translation logs behind SDK debug logging to avoid production console spam.
  (2026-05-04)
• Updated dependencies [220cd61, 255b273]:
  • @​posthog/core@​1.28.2
  • @​posthog/types@​1.372.8

v1.372.7

Compare Source

1.372.7

Patch Changes

• Updated dependencies [8aee3d5]:
  • @​posthog/core@​1.28.1
  • @​posthog/types@​1.372.7

open-circle/valibot (valibot)

v1.4.0

Compare Source

Many thanks to @​ksaurav24, @​heiwen, @​compulim, @​ysknsid25, @​alaycock-stripe, @​IlyaSemenov, @​wszgrcy, @​LMGO, @​yslpn, @​EltonLobo07 and @​Eronmmer for contributing to this release.

Read the release notes on our website for a quick overview of the most exciting new features in this release.

• Add isoDateTimeSecond validation action to validate ISO date times with seconds (pull request #​1418)
• Add toCamelCase, toKebabCase, toPascalCase and toSnakeCase transformation actions to convert strings between common naming conventions (pull request #​1457)
• Change internal ReadonlyOutputKeys and OutputWithReadonly types of object schemas and WithReadonly type of record schemas to improve TypeScript type performance (pull request #​1442)
• Change hot paths to reduce object allocations and improve runtime performance (pull request #​1437)
• Change build target to ES2020 so distributed output stays compatible with environments that lack support for newer syntax (pull request #​1455)
• Change internal _LruCache to use a TypeScript private method instead of a #private class field to avoid runtime helpers in the transpiled output (pull request #​1455)
• Change internal _isValidObjectKey to use Object.prototype.hasOwnProperty.call instead of Object.hasOwn so the distributed output stays compatible with runtimes that lack the ES2022 Object.hasOwn builtin (pull request #​1421)
• Change flatten method to accept readonly issue arrays (pull request #​1269)
• Fix potential RangeError caused by spreading large issue arrays (pull request #​1437)
• Fix creditCard validation action to reject Mastercard numbers with invalid lengths (pull request #​1462)
• Fix intersect schema to no longer mutate input values, allowing frozen objects and arrays to be merged (pull request #​1463)

vuejs/core (vue)

v3.5.34

Compare Source

Bug Fixes

• compiler-sfc: infer Vue ref wrapper types when source is unresolvable (#​14758) (7f46fd4), closes #​14729
• compiler-sfc: preserve hash hrefs on <image> elements (#​14756) (090b2e3)
• compiler-sfc: resolve type re-exports inside declare global (#​14766) (acfffe3)
• reactivity: prevent orphan effect when created in a stopped scope (#​14778) (c8e2d4a), closes #​14777
• runtime-core: avoid symbol coercion during props validation (#​8539) (23d4fb5), closes #​8487
• suspense: avoid DOM leak with out-in transition in v-if fragment (#​14762) (9667e0d), closes #​14761

vuejs/language-tools (vue-tsc)

v3.2.8

Compare Source

language-core

• fix: replace inline code blocks after sfc blocks processing (#​6024) - Thanks to @​KazariEX!
• fix: support navigation for kebab-case declarations in GlobalComponents (#​6026) - Thanks to @​Gehbt!

language-service

• feat: support TS module resolution for SCSS @import navigation (#​6033) - Thanks to @​KazariEX!

typescript-plugin

• fix: replace language service per-method overrides with a proxy (#​6035) - Thanks to @​KazariEX!

vscode

• chore: upgrade reactive-vscode to v1.0.1 (#​6019) - Thanks to @​kermanx!

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
scripts-docs	Error		May 6, 2026 3:14pm
scripts-playground	Ready	Preview, Comment	May 6, 2026 3:14pm

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@nuxt/scripts@446

commit: 32817cc

[vercel]

Suggested change

	"@nuxt/ui": "4.2.1",
	"@nuxt/ui": "^4.2.1",

The @nuxt/ui dependency is pinned to 4.2.1 without a caret, which is inconsistent with all other dependencies in this file that use flexible versioning with the ^ prefix.

View Details

Analysis

Inconsistent version pinning for @nuxt/ui dependency

What fails: docs/package.json line 20 specifies @nuxt/ui as pinned version 4.2.1 (without caret prefix), while all 13 other dependencies use caret versioning (^) for flexible version constraints within the major version.

How to reproduce:

cat docs/package.json | grep -A 15 '"dependencies"'

Result: Shows "@nuxt/ui": "4.2.1" (pinned) while all surrounding dependencies have caret prefix:

• "@nuxt/content": "^3.8.2"
• "@nuxt/fonts": "^0.12.1"
• "@nuxthq/studio": "^2.2.1"
• All other 10 dependencies also use ^ prefix

Expected behavior: According to npm semantic versioning, caret versioning allows compatible updates (minor/patch versions) within a major version. The project consistently uses this pattern for all other dependencies, so @nuxt/ui should be ^4.2.1 to match the established convention and allow patch/minor updates like other dependencies.

Root cause: Automated dependency update (Renovate bot commit 0b37709) preserved the previous pinned format when bumping the version from 4.0.0 to 4.2.1, rather than applying the project's standard caret versioning pattern used throughout the file.

[vercel]

Suggested change

	"posthog-js": "^1.321.2"
	"posthog-js": "^1.0.0"

The posthog-js peer dependency constraint changed from ^1.0.0 to ^1.321.2, which is unusually restrictive and appears unintentional given the patch version bump in devDependencies (1.321.1 → 1.321.2).

View Details

Analysis

Overly restrictive posthog-js peer dependency breaks backward compatibility

What fails: The posthog-js peer dependency constraint in package.json was changed from ^1.0.0 to ^1.321.2 (commit 1536ad2), restricting supported versions to 1.321.2+ and rejecting all prior versions (1.0.0-1.321.1) that would previously install.

How to reproduce:

# User has posthog-js 1.200.0 installed (legitimate version under old ^1.0.0 constraint)
npm install @nuxt/scripts
# After update, npm now rejects this version because 1.200.0 does not satisfy ^1.321.2

Result: npm/pnpm install fails with: "posthog-js@1.200.0 not satisfied by ^1.321.2"

Expected: The peer dependency should remain at ^1.0.0 (or similar permissive constraint) since:

• Code only uses posthog.init() and basic config options (api_host, capture_pageview, disable_session_recording) available since 1.0.0
• The devDependency update was only a patch bump (1.222.0 → 1.321.2), not a major version requiring API changes
• Peer dependencies should be permissive to maximize compatibility
• Semantic versioning guidance indicates patch/minor version updates within the same major version should be backward compatible

This change appears to be an error from automated dependency update tooling (Renovate) that applied the same pinpoint version to both devDependencies and peerDependencies.

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report