deps: Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@notionhq/client (source)	^5.20.0 → ^5.21.0			devDependencies	minor
@types/node (source)	^22.19.18 → ^22.19.19			devDependencies	patch
@typescript-eslint/eslint-plugin (source)	^8.59.2 → ^8.59.3			devDependencies	patch
@typescript-eslint/parser (source)	^8.59.2 → ^8.59.3			devDependencies	patch
@vitest/coverage-v8 (source)	^4.1.5 → ^4.1.6			devDependencies	patch
katex (source)	^0.16.45 → ^0.16.46			dependencies	patch
node (source)	>=22.22.2 → >=22.22.3			engines	patch
node	22.22.2 → 22.22.3			uses-with	patch
pnpm (source)	11.1.0 → 11.1.2			packageManager	patch
tsx (source)	^4.21.0 → ^4.22.0			devDependencies	minor
turbo (source)	^2.9.10 → ^2.9.14			devDependencies	patch
vite (source)	^8.0.11 → ^8.0.13			devDependencies	patch
vitest (source)	^4.1.5 → ^4.1.6			devDependencies	patch

---

Release Notes

makenotion/notion-sdk-js (@​notionhq/client)

v5.21.0

Compare Source

What's Changed

• chore: sync generated api endpoints modules by @​haustle in #​714
• feat: add meeting notes query support with attendees property typing by @​haustle in #​680
• Add agent_id parent type for workflow-parented pages and blocks in #​715
• Bump version to v5.21.0 in #​718

Links

• Full Changelog: makenotion/notion-sdk-js@v5.20.0...v5.21.0
• NPM Package: https://www.npmjs.com/package/@​notionhq/client/v/5.21.0

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.59.3

Compare Source

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.59.3

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.6

Compare Source

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in #​10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in #​10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in #​10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in #​10276 (9f7b1)

    View changes on GitHub

KaTeX/KaTeX (katex)

v0.16.46

Compare Source

Bug Fixes

• preserve math font in some styling commands (#​4214) (e9ee046), closes #​4213

nodejs/node (node)

v22.22.3: 2026-05-13, Version 22.22.3 'Jod' (LTS), @​marco-ippolito

Compare Source

Commits

• [4f780905c5] - crypto: fix potential null pointer dereference when BIO_meth_new() fails (Nora Dossche) #​61788
• [4a09efb947] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #​62485
• [e4c0d99839] - deps: update timezone to 2026a (Node.js GitHub Bot) #​62164
• [0226c8dd7a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #​62382
• [e742ab748c] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #​62256
• [73cac0571a] - deps: update amaro to 1.1.8 (Node.js GitHub Bot) #​62151
• [ae5c162b93] - deps: update amaro to 1.1.7 (Node.js GitHub Bot) #​61730
• [b819cb9977] - deps: update amaro to 1.1.6 (Node.js GitHub Bot) #​61603
• [bbcce09dc7] - deps: update sqlite to 3.52.0 (Node.js GitHub Bot) #​62150
• [22ff2d81ce] - deps: update simdjson to 4.3.1 (Node.js GitHub Bot) #​61930
• [f49b51d75c] - deps: update acorn-walk to 8.3.5 (Node.js GitHub Bot) #​61928
• [1a5cec0d49] - deps: update acorn to 8.16.0 (Node.js GitHub Bot) #​61925
• [d339497688] - deps: update nbytes to 0.1.3 (Node.js GitHub Bot) #​61879
• [3ff8ffd459] - deps: remove stale OpenSSL arch configs (René) #​61834
• [b8ddbc1e9a] - deps: update llhttp to 9.3.1 (Node.js GitHub Bot) #​61827
• [ffda97afd4] - deps: update googletest to 2461743 (Node.js GitHub Bot) #​62484
• [79aa32cf4f] - deps: update googletest to 73a63ea (Node.js GitHub Bot) #​61927
• [b6957e13b6] - deps: update archs files for openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [3a27669063] - deps: upgrade openssl sources to openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [d568a1bb53] - deps: upgrade npm to 10.9.8 (npm team) #​62463
• [ec11f3c1d5] - deps: V8: backport 85b3900 (Thibaud Michaud) #​62783
• [08609712ed] - deps: V8: backport 1b27e46 (Thibaud Michaud) #​62783
• [dcc60d5ab2] - deps: V8: backport 9997fc0 (Thibaud Michaud) #​62783
• [1d1f4451fb] - deps: V8: cherry-pick b96e40d (Clemens Backes) #​62783
• [2268567237] - deps: V8: cherry-pick 7cb6188 (Thibaud Michaud) #​62783
• [92804cdbea] - deps: V8: cherry-pick e7ccf0a (Thibaud Michaud) #​62783
• [eae2c27a40] - deps: V8: cherry-pick 8e214ec (Thibaud Michaud) #​62783
• [a1799a49bb] - deps: V8: backport 63b8849 (Thibaud Michaud) #​62783
• [a2df2d8731] - deps: V8: backport 3239427 (Thibaud Michaud) #​62783
• [e3d65c7dca] - deps: V8: backport 89dc6ea (Thibaud Michaud) #​62783
• [5e7db133de] - deps: V8: backport 910cb91 (Jakob Kummerow) #​62783
• [d0c24a28af] - deps: V8: cherry-pick b8f91e5 (Thibaud Michaud) #​62783
• [d358687824] - deps: V8: cherry-pick cf03d55 (Thibaud Michaud) #​62783
• [67c8b2c349] - deps: V8: cherry-pick 692f3d5 (Sébastien Doeraene) #​62783
• [71e5a59ffd] - deps: V8: cherry-pick c734674 (Manos Koukoutos) #​62783
• [f0dbe81c7b] - deps: V8: cherry-pick b2f3aea (Thibaud Michaud) #​62783
• [d333f480c3] - deps: V8: cherry-pick 5f1342c (Matthias Liedtke) #​62783
• [db722725bb] - deps: use npm undici@​six tag in update-undici.sh (Matteo Collina) #​63012
• [9b57979d9c] - doc: add Rafael to last security release steward (Rafael Gonzaga) #​62423
• [d8075585bf] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #​62355
• [6ec9a70204] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #​62208
• [1fc86fcb6e] - doc: add note (and caveat) for mock.module about customization hooks (Jacob Smith) #​62075
• [491be80bd9] - doc: add efekrskl as triager (Efe) #​61876
• [18558293a3] - doc: fix module.stripTypeScriptTypes indentation (René) #​61992
• [8e20976522] - doc: explicitly mention Slack handle (Rafael Gonzaga) #​61986
• [70b8e6b4fb] - doc: rename invalid function parameter (René) #​61942
• [4045c76f6c] - doc: clarify status of feature request issues (Antoine du Hamel) #​61505
• [c54652f2aa] - doc: remove incorrect mention of module in typescript.md (Rob Palmer) #​61839
• [9fad6cedf5] - doc: clarify async caveats for events.once() (René) #​61572
• [2f1e5733fe] - doc: update Juan's security steward info (Juan José) #​61754
• [a64bdb5068] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #​62206
• [02797de923] - doc: fix small environment_variables typo (chris) #​62279
• [f22ebdc809] - doc: fix small logic error in DETECT_MODULE_SYNTAX (René) #​62025
• [9f4508062a] - doc: fix methods being documented as properties in process.md (Antoine du Hamel) #​61765
• [3ea39ff135] - doc: fix dropdown menu being obscured at <600px due to stacking context (Jeff) #​61735
• [c22445079b] - doc: fix spacing in process message event (Aviv Keller) #​61756
• [32831b5223] - doc: fix broken links of net.md (YuSheng Chen) #​61673
• [005508d509] - doc: remove obsolete Boxstarter automated install (Mike McCready) #​61785
• [37c2fd6f7d] - esm: fix path normalization in finalizeResolution (Antoine du Hamel) #​62080
• [1769d74613] - esm: populate separate cache for require(esm) in imported CJS (Joyee Cheung) #​59679
• [ee02966ffc] - http: fix keep-alive socket reuse race in requestOnFinish (Martin Slota) #​61710
• [2fdb5ce6cc] - http2: fix FileHandle leak in respondWithFile (sangwook) #​61707
• [aa2c1eca04] - lib: fix source map url parse in dynamic imports (Chengzhong Wu) #​61990
• [785b00cbeb] - meta: pass release version to release worker (flakey5) #​62777
• [447fb9a0b5] - meta: persist sccache daemon until end of build workflows (René) #​61639
• [5065a0acb3] - module: do not invoke resolve hooks twice for imported cjs (Joyee Cheung) #​61529
• [9a2e21305d] - module: do not wrap module._load when tracing is not enabled (Joyee Cheung) #​61479
• [b9240bc063] - module: fix sync resolve hooks for require with node: prefixes (Joyee Cheung) #​61088
• [2e91b28aaf] - module: handle null source from async loader hooks in sync hooks (Joyee Cheung) #​59929
• [39147c154e] - module: use sync cjs when importing cts (Marco Ippolito) #​60072
• [12a2462b2c] - module: only put directly require-d ESM into require.cache (Joyee Cheung) #​59874
• [cf39566277] - src: fix flags argument offset in JSUdpWrap (Weixie Cui) #​61948
• [578a9a9230] - src: clamp WriteUtf8 capacity to INT_MAX in EncodeInto (semimikoh) #​62621
• [57c3035fec] - stream: fix decoded fromList chunk boundary check (Thomas Watson) #​61884
• [57fb008bb8] - test: update tls junk data error expectations (Filip Skokan) #​62629
• [363f9a9d18] - test: skip test-url on --shared-ada builds (Antoine du Hamel) #​62019
• [daaead342b] - test: simplify encodeInto large buffer regression test (semimikoh) #​62621
• [ecfa766b41] - tools: fix auto-start-ci (Antoine du Hamel) #​61900
• [17c0a610af] - tools: fix parsing of commit trailers in lint-release-proposal GHA (Antoine du Hamel) #​62077
• [89ad7dc63b] - tools: enforce removal of lts-watch-* labels on release proposals (Antoine du Hamel) #​61672
• [5f9bb8ef0c] - tools: revert tools GHA workflow to ubuntu-latest (Richard Lau) #​62024
• [977ef80ac1] - url: process crash via malformed UNC hostname in pathToFileURL() (Nicola Del Gobbo) #​62574
• [ad8f518a81] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #​62325

actions/node-versions (node)

v22.22.3: 22.22.3

Compare Source

Node.js 22.22.3

pnpm/pnpm (pnpm)

v11.1.2

Compare Source

Patch Changes

• convertEnginesRuntimeToDependencies: switch the runtime-dependency write to Object.defineProperty so the CodeQL js/prototype-polluting-assignment rule treats the assignment as safe regardless of the property name (follow-up to #​11609).

• Address CodeQL static-analysis findings: guard manifest dependency writes against prototype-polluting keys (__proto__, constructor, prototype), and replace a potentially super-linear semver-detection regex in registry 404 hints with an O(n) parser.

• Strip sec-fetch-* headers from outgoing HTTP requests. These headers are automatically added by undici's fetch() implementation per the Fetch spec but cause Azure DevOps Artifacts to return HTTP 400 for uncached upstream packages, as ADO interprets them as browser requests #​11572.

• Fix minimumReleaseAge handling for cached abbreviated metadata.

  The version-spec cache fast path no longer rethrows ERR_PNPM_MISSING_TIME under strictPublishedByCheck; it now falls through to the registry-fetch path, consistent with the adjacent mtime-gated cache block.

  When the registry returns 304 Not Modified for a package whose cached metadata is abbreviated (no per-version time), pnpm now re-fetches with fullMetadata: true if minimumReleaseAge is active and the package was modified after the cutoff. The upgraded metadata is persisted to disk so subsequent installs don't repeat the fetch. Previously the abbreviated meta was used as-is and the maturity check fell back to its warn-and-skip path, silently bypassing the quarantine and emitting a misleading "metadata is missing the time field" warning.

  Closes #​11619.

• Fix pnpm upgrade --interactive --latest -r not respecting named catalog groups. Previously, upgrading a dependency using a named catalog (e.g. "catalog:foo") would incorrectly rewrite package.json to "catalog:" and place the updated version in the default catalog instead of the named one #​10115.

• Fixed optimisticRepeatInstall skipping pnpm-lock.yaml merge conflict resolution when the existing node_modules state appears up to date.

• Fix minimumReleaseAge / resolutionMode: time-based installs failing on lockfiles whose time: block is missing entries. The npm-resolver's peek-from-store fast path now surfaces publishedAt from the lockfile rather than discarding it, and falls through to a registry metadata fetch when the time-based cutoff can't be computed from the data on hand.

v11.1.1

Compare Source

Patch Changes

• Skip installability validation when scanning workspace projects in checkDepsStatus (run by verifyDepsBeforeRun). Previously the status check called findWorkspaceProjects, which validates each project's engines and os/cpu/libc and warns about useless fields in non-root manifests — work that the install pipeline already performs. With no nodeVersion threaded through, the engine check also fell back to the system Node from PATH and emitted spurious "Unsupported engine" warnings before scripts ran. Status-only callers now use findWorkspaceProjectsNoCheck; install paths continue to validate.
• Fixed pnpm add <alias>:@&#8203;scope/pkg for named registries. The local resolver was claiming any specifier containing / as a local directory, so pnpm add bit:@​teambit/bit (with bit configured under namedRegistries) installed a bogus link to bit:@​teambit/bit/ instead of resolving from the configured registry. The local resolver now runs after the named-registry resolver in the resolution chain.
• Updated @zkochan/cmd-shim to 9.0.3. The sh shim it writes for .cmd / .bat targets now escapes the /C switch as //C, so it survives the path translation Git Bash applies when launching cmd.exe. Without this, a bare /C was rewritten to C:\ before reaching cmd.exe — the switch was dropped, cmd started interactively, and the calling script saw the cmd banner instead of the wrapped command's output. Affects any cmd-shim-wrapped batch script invoked from Git Bash / MSYS / Cygwin on Windows. See pnpm/cmd-shim#55.

privatenumber/tsx (tsx)

v4.22.0

Compare Source

v4.21.1

Compare Source

Bug Fixes

• support Node 20.11/21.2 import.meta paths (acf3d8f)
• support Node.js 24.15.0 (c1d2d45)
• support Node.js 26.1.0 and 25.9.0 (1d7e528)

---

This release is also available on:

• npm package (@​latest dist-tag)

vercel/turborepo (turbo)

v2.9.14: Turborepo v2.9.14

Compare Source

What's Changed

Changelog

• release(turborepo): 2.9.12 by @​github-actions[bot] in #​12774
• fix: Restore docs mobile menu by @​anthonyshew in #​12782
• ci: Use pull_request for PR title linting by @​anthonyshew in #​12787
• ci: Scope GitHub Actions caches by branch by @​anthonyshew in #​12788
• test: Validate lockfiles without dependency downloads by @​anthonyshew in #​12789
• Removed unneeded import form hash creation script in docs by @​dancrumb in #​12799
• fix: Validate auth callback state by @​anthonyshew in #​12802
• fix: Harden VS Code extension command execution by @​anthonyshew in #​12800
• fix: Avoid project-local Yarn during detection by @​anthonyshew in #​12801
• chore: Release 2.9.13 by @​anthonyshew in #​12803

New Contributors

• @​dancrumb made their first contribution in #​12799

Full Changelog: vercel/turborepo@v2.9.12...v2.9.14

v2.9.12: Turborepo v2.9.12

Compare Source

What's Changed

Changelog

• release(turborepo): 2.9.11 by @​github-actions[bot] in #​12771
• fix: Allow transit nodes in LSP diagnostics by @​anthonyshew in #​12773

Full Changelog: vercel/turborepo@v2.9.11...v2.9.12

v2.9.11: Turborepo v2.9.11

Compare Source

What's Changed

Changelog

• release(turborepo): 2.9.10 by @​github-actions[bot] in #​12745
• ci: Publish VS Code extension on release by @​anthonyshew in #​12747
• fix: Start daemon for VSCode Extension from the extension itself by @​anthonyshew in #​12749
• release(turborepo): 2.9.11-canary.1 by @​github-actions[bot] in #​12748
• fix: Include file URIs in LSP lifecycle logs by @​anthonyshew in #​12751
• fix: Handle JSON decoration visitor depth by @​anthonyshew in #​12752
• fix: Resolve relative turbo path in VS Code extension by @​anthonyshew in #​12753
• fix: Preserve Bun nested dependencies during prune by @​anthonyshew in #​12754
• fix: Prefer installed Turbo for LSP by @​anthonyshew in #​12755
• release(turborepo): 2.9.11-canary.2 by @​github-actions[bot] in #​12750
• ci: Parallelize LSP release publishing by @​anthonyshew in #​12758
• fix: Reduce VS Code extension startup popups by @​anthonyshew in #​12759
• fix: Support turbo.jsonc in VS Code extension by @​anthonyshew in #​12760
• fix: Remove VS Code task key gradient by @​anthonyshew in #​12761
• release(turborepo): 2.9.11-canary.3 by @​github-actions[bot] in #​12756
• chore: Release v2.9.11-canary.4 by @​anthonyshew in #​12762
• ci: Stop VS Code publish from blocking release PR by @​anthonyshew in #​12763
• release(turborepo): 2.9.11-canary.5 by @​github-actions[bot] in #​12764
• fix: Publish VS Code extension from release tag by @​anthonyshew in #​12765
• fix: Support shimmed VS Code LSP probes by @​anthonyshew in #​12767
• release(turborepo): 2.9.11-canary.6 by @​github-actions[bot] in #​12766
• release(turborepo): 2.9.11-canary.7 by @​github-actions[bot] in #​12768
• fix: Allow $TURBO_EXTENDS$ in LSP diagnostics by @​anthonyshew in #​12770

Full Changelog: vercel/turborepo@v2.9.10...v2.9.11

vitejs/vite (vite)

v8.0.13

Compare Source

Features

• bundled-dev: add lazy bundling support (#​21406) (4f0949f)
• optimizer: improve the esbuild plugin converter to pass some properties of build result to onEnd (#​22357) (47071ce)
• update rolldown to 1.0.1 (#​22444) (8c766a6)

Bug Fixes

• build: copy public directory after building same environment with write=false (#​22328) (158e8ae)
• css: await sass/less/styl worker disposal on teardown (fix #​22274) (#​22275) (b7edcb7)
• css: keep deprecated name/originalFileName in synthetic assetFileNames call (#​22439) (8e59c97)
• make isBundled per environment (#​22257) (a576326)
• ssr: avoid rewriting labels that collide with imports (#​22451) (d9b18e0)

Miscellaneous Chores

• remove irrelevant commits from changelog (#​22430) (6ea3838)
• update changelog (#​22413) (fcdc87c)

v8.0.12

Compare Source

Features

• update rolldown to 1.0.0 (#​22401) (cf0ff41)

Bug Fixes

• create-vite: pass react framework to TanStack CLI (#​22397) (18f0f90)
• deps: update all non-major dependencies (#​22420) (2be6000)
• module-runner: prevent partial-exports race on concurrent imports of in-flight invalidated re-export chains (#​22369) (f5a22e6)
• refer to rolldownOptions instead of deprecated rollupOptions in messages (#​22400) (b675c7b)
• worker: apply build.target to worker bundle (#​22404) (3c93fde)
• worker: forward define to worker bundle transform (#​22408) (d4838a0)

Miscellaneous Chores

• deps: update dependency eslint-plugin-n to v18 (#​22423) (2fe7bd2)
• deps: update rolldown-related dependencies (#​22421) (66b9eb3)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "after 12pm on Friday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.