Skip to content

build: update all non-major dependencies (main)#33579

Open
angular-robot wants to merge 1 commit into
angular:mainfrom
angular-robot:ng-renovate/main-all-non-major-dependencies
Open

build: update all non-major dependencies (main)#33579
angular-robot wants to merge 1 commit into
angular:mainfrom
angular-robot:ng-renovate/main-all-non-major-dependencies

Conversation

@angular-robot

@angular-robot angular-robot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@eslint/eslintrc 3.3.53.3.6 age adoption passing confidence
@typescript-eslint/eslint-plugin (source) 8.63.08.64.0 age adoption passing confidence
@typescript-eslint/parser (source) 8.63.08.64.0 age adoption passing confidence
algoliasearch (source) 5.55.25.56.0 age adoption passing confidence
autoprefixer 10.5.210.5.3 age adoption passing confidence
beasties (source) 0.4.20.4.3 age adoption passing confidence
eslint (source) 10.6.010.7.0 age adoption passing confidence
postcss (source) 8.5.168.5.19 age adoption passing confidence
rolldown (source) 1.1.51.2.0 age adoption passing confidence
verdaccio (source) 6.7.46.8.0 age adoption passing confidence

  • If you want to rebase/retry this PR, check this box

Release Notes

eslint/eslintrc (@​eslint/eslintrc)

v3.3.6

Compare Source

Bug Fixes
  • update js-yaml to 4.3.0 to address security vulnerability (#​235) (0c5de74)
typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.64.0

Compare Source

🚀 Features
  • eslint-plugin: [no-loop-func] support using / await using declarations and deprecate the rule (#​12500)
  • typescript-estree: throw for invalid definite assignment in class properties (#​12543)
🩹 Fixes
  • eslint-plugin: [require-array-sort-compare] handle constrained arrays (#​12512)
❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.64.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

algolia/algoliasearch-client-javascript (algoliasearch)

v5.56.0

Compare Source

postcss/autoprefixer (autoprefixer)

v10.5.3

Compare Source

danielroe/beasties (beasties)

v0.4.3

Compare Source

v0.4.3 is the next minor release.

👉 Changelog

compare changes

🚀 Enhancements
  • beasties: support multiple beasties containers (#​334)
  • beasties: add data-beasties-skip attribute to skip individual stylesheets (#​335)
🩹 Fixes
  • preserve trailing semicolon on nested at-rule statements (#​323)
  • vite-plugin: remove css files from bundle when below inlineThreshold (#​299)
🏡 Chore
🤖 CI
  • pass packages glob to uppt release workflow (1131954)
  • migrate release workflow to uppt (6b71050)
  • add agent-scan workflow to flag bot-authored PRs (dc4a3db)
🎉 New Contributors
❤️ Contributors
eslint/eslint (eslint)

v10.7.0

Compare Source

Features

  • cf2a9bf feat: add errorClassNames option to preserve-caught-error rule (#​21032) (sethamus)
  • f8b873a feat: max-nested-callbacks option for constructor callbacks (#​21063) (fnx)
  • 557fde8 feat: support computed Number.parseInt member access in radix rule (#​21041) (Pixel)
  • 0b4a73b feat: add suggestions to no-compare-neg-zero (#​21034) (den$)
  • 96cdd42 feat: report invalid signed numeric radix values in radix rule (#​21030) (Pixel)

Bug Fixes

  • 3e7bf15 fix: apply ignoreClassesWithImplements to class expressions (#​21069) (Pixel)
  • 0d7d70c fix: insert cause outside wrapping parens in preserve-caught-error (#​21062) (Mahin Anowar)
  • 75ec753 fix: handle static template literals in eqeqeq rule (#​21058) (Pixel)
  • b717a22 fix: prevent eqeqeq null option from reporting non-equality operators (#​21057) (Pixel)
  • e35b05f fix: avoid no-invalid-regexp false positive for shadowed RegExp (#​21051) (Pixel)
  • a3172b6 fix: avoid no-control-regex false positive for shadowed RegExp (#​21050) (Pixel)
  • d1f637e fix: parenthesize sequence expression operands in no-implicit-coercion (#​21045) (spokodev)
  • 8859baf fix: avoid prefer-numeric-literals false positive for shadowed globals (#​21047) (한국)
  • a9e5961 fix: use-isnan false positive on shadowed NaN/Number (#​20958) (sethamus)
  • 8a240a7 fix: avoid false positives in radix rule for spread arguments (#​21044) (Pixel)

Documentation

  • c30d808 docs: Update README (GitHub Actions Bot)
  • 5139800 docs: document ESLint migration codemods in v9 and v10 guides (#​20980) (Alex Bit)
  • 04174cb docs: Update README (GitHub Actions Bot)
  • 026e130 docs: update semver policy for bug fixes (#​21048) (Milos Djermanovic)
  • 9d42fef docs: Update README (GitHub Actions Bot)
  • b230159 docs: Update README (GitHub Actions Bot)
  • 0129972 docs: correct **/.js glob to **/*.js in config files guide (#​21036) (EduardF1)

Chores

postcss/postcss (postcss)

v8.5.19

Compare Source

  • Fixed cleaning before for new nodes inserted to Root (by @​MahinAnowar).

v8.5.18

Compare Source

  • Restricted loading previous source maps file to the opts.from folder for security reasons (use unsafeMap: true to disable the check).

v8.5.17

Compare Source

  • Fixed Maximum call stack size exceeded error.
  • Fixed Prototype hijacking for postcss.fromJSON().
  • Fixed Input#origin() for unmapped end position (by @​chatman-media).
rolldown/rolldown (rolldown)

v1.2.0

Compare Source

🚀 Features
🐛 Bug Fixes
🚜 Refactor
📚 Documentation
⚡ Performance
  • sourcemap: owned merge in SourceJoiner::join (4005->5 allocs/chunk) (#​10250) by @​Boshen
  • avoid redundant sourcemap string copies in collapse and minify paths (#​10093) by @​Boshen
🧪 Testing
⚙️ Miscellaneous Tasks
❤️ New Contributors
verdaccio/verdaccio (verdaccio)

v6.8.0

Compare Source

Minor Changes
  • 962fba8: feat: add unpublish notification hooks

    Port of #​5920 (ref #​5328). The notify webhook now also fires when a package is unpublished entirely and when a single version (tarball) is removed, not only on publish. Notification templates can distinguish the event through the new {{ publishType }} (publish | unpublish) and {{ publishedPackage }} variables, and the {{ publisher }} object exposes only name, groups and real_groups, so the remote user auth token can never leak to the notification endpoint (via @verdaccio/hooks 8.0.4).

Patch Changes
  • f0684dc: fix: return 403 to client when uplink responds with 403 for tarball requests

    Previously, any non-200/404 response from an uplink (e.g. a security proxy blocking a package download) would result in a generic 500 error being returned to the client. This change propagates 403 responses from the uplink through to the client, including any error detail from the response body, so callers can distinguish authorization failures from other upstream errors.

  • 3a84578: chore: refactor eslint

  • b7a5db1: fix: rate limit and bound the npm search v1 endpoint

    The /-/v1/search endpoint now applies the userRateLimit rate limiting middleware (matching the login, token and profile endpoints), clamps the size (max 250, like the public npm registry) and from (max 10000) pagination parameters, and stops evaluating package access as soon as the requested page is filled instead of running an auth check over the entire result set. The clamped values are also what gets forwarded to uplink registries (the raw request URL is no longer passed through), so the bounds hold end-to-end. This prevents cheap anonymous requests from triggering unbounded full-catalog scans. As part of this, pagination is fixed: results were sliced with slice(from, size) instead of slice(from, from + size), so pages beyond the first were wrong.

    Search results for local packages also emit npm-search-compatible maintainers ({ username, email }) — npm 11 on Node 24 crashes rendering entries without username (The "str" argument must be of type string. Received undefined) — and the publisher field is now populated from _npmUser when the publishing client provided it, falling back to the first maintainer, so the npm CLI shows the publishing user instead of by ???.

  • 808d916: fix: pick the right uplink for tarballs and heal missing distfile records

    Uplink selection. With several uplinks configured for a package, tarball downloads used the last uplink whose package pattern matched, even when the tarball url belongs to a different one, which could make downloads fail against registries that require authentication. The uplink is now selected by matching the tarball url: the registry recorded on the distfile wins, then the uplink whose url serves the file; when none matches, an autogenerated uplink with default settings is used. Single-uplink setups keep the previous behavior for tarballs hosted on another host (a CDN).

    Missing distfile records. Storages written by other verdaccio versions can carry cached versions without their _distfiles records, which made those tarballs permanently return 404 no such file available. The tarball location is now resolved from the version's dist.tarball metadata when the record is missing, and the record is restored when the tarball is cached.

  • a2de1d5: Update verdaccio dependencies to the latest npm dist-tag (@verdaccio/ui-theme tracks next-9):

    • @verdaccio/ui-theme: 9.0.0-next-9.209.0.0-next-9.21

@angular-robot angular-robot added action: merge The PR is ready for merge by the caretaker area: build & ci Related the build and CI infrastructure of the project target: automation This PR is targeted to only merge into the branch defined in Github [bot use only] labels Jul 16, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates several dependency versions across multiple package.json files, including ESLint packages, verdaccio, beasties, postcss, and autoprefixer. There are no review comments, so I have no feedback to provide.

@angular-robot angular-robot force-pushed the ng-renovate/main-all-non-major-dependencies branch from d888874 to f10f869 Compare July 16, 2026 11:23
See associated pull request for more information.
@angular-robot angular-robot force-pushed the ng-renovate/main-all-non-major-dependencies branch from f10f869 to e259d9f Compare July 16, 2026 15:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

action: merge The PR is ready for merge by the caretaker area: build & ci Related the build and CI infrastructure of the project target: automation This PR is targeted to only merge into the branch defined in Github [bot use only]

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants