chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@nuxt/cli (source)	^3.32.0 → ^3.33.1			peerDependencies	minor
@nuxt/cli (source)	^3.32.0 → ^3.33.1			devDependencies	minor
@nuxt/eslint-config (source)	^1.12.1 → ^1.15.1			devDependencies	minor
@types/node (source)	^24.10.9 → ^24.10.13			devDependencies	patch
@vitest/coverage-v8 (source)	^4.0.17 → ^4.0.18			devDependencies	patch
actions/checkout	v6.0.1 → v6.0.2			action	patch
citty	^0.1.6 → ^0.2.1			dependencies	minor
knip (source)	^5.82.1 → ^5.83.1			devDependencies	minor
pkg-pr-new (source)	^0.0.62 → ^0.0.63			devDependencies	patch
pnpm (source)	10.28.1 → 10.29.3			packageManager	minor
publint (source)	^0.3.16 → ^0.3.17			devDependencies	patch
semver	^7.7.3 → ^7.7.4			devDependencies	patch
vitest (source)	^4.0.17 → ^4.0.18			devDependencies	patch
vue (source)	^3.5.27 → ^3.5.28			resolutions	patch
vue (source)	^3.5.27 → ^3.5.28			devDependencies	patch
vue-tsc (source)	^3.2.2 → ^3.2.4			resolutions	patch
vue-tsc (source)	^3.2.2 → ^3.2.4			devDependencies	patch

---

Release Notes

nuxt/cli (@​nuxt/cli)

v3.33.1

Compare Source

3.33.1 is the next patch release.

👉 Changelog

compare changes

🩹 Fixes

• Convert more errors to strings (3cef4f3)

🏡 Chore

• Migrate Renovate config (#​1215)
• Unpin @clack/prompts now that it's stable (d3cf87c)

❤️ Contributors

• Daniel Roe (@​danielroe)

v3.33.0

Compare Source

3.33.0 is the next minor release.

👉 Changelog

compare changes

🚀 Enhancements

• init: Add fuzzy search for module selection (#​1180)

🩹 Fixes

• nuxi: Pass --dotenv argument to showVersions in build command (#​1189)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Max (@​onmax)
• Florian Heuberger (@​Flo0806)

nuxt/eslint (@​nuxt/eslint-config)

v1.15.1

Compare Source

   🐞 Bug Fixes

• Downgrade @eslint/js, fix #​647  -  by @​antfu in #​647 (2c1c1)

    View changes on GitHub

v1.15.0

Compare Source

   🚀 Features

• Relax peer deps range to support ESLint v10, fix #​642  -  by @​antfu in #​642 (305a9)

    View changes on GitHub

v1.14.0

Compare Source

   🚀 Features

• eslint-config: Add no-page-meta-runtime-values  -  by @​danielroe in #​641 (b74a0)

    View changes on GitHub

v1.13.0

Compare Source

   🚀 Features

• Upgrade eslint-flat-config-utils eslint-plugin-import-lite and eslint-plugin-jsdoc  -  by @​antfu (10bf9)

    View changes on GitHub

vitest-dev/vitest (@​vitest/coverage-v8)

v4.0.18

Compare Source

   🚀 Experimental Features

• experimental: Add onModuleRunner hook to worker.init  -  by @​sheremet-va in #​9286 (ea837)

   🐞 Bug Fixes

• Use meta.url in createRequire  -  by @​sheremet-va in #​9441 (e0572)
• browser: Hide injected data-testid attributes  -  by @​sheremet-va in #​9503 (f8989)
• ui: Process artifact attachments when generating HTML reporter  -  by @​macarie in #​9472 (22543)

    View changes on GitHub

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

unjs/citty (citty)

v0.2.1

Compare Source

compare changes

🩹 Fixes

• Propagate --no- negation to aliases and main option (#​225)

🏡 Chore

• Fix readme formatting (#​223)
• Use oxlint and oxfmt (f1d05f4)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Kai Gritun kaigritun@gmail.com
• Jimmy Guzman (@​jimmy-guzman)

v0.2.0

Compare Source

compare changes

🚀 Enhancements

• Support hidden meta to hide command (#​111)
• Support enum arg type (#​83)
• Support number arg type (#​73)
• Support negativeDescription for args (#​40)
• ⚠️ Parsed optionals and enum type safety (#​174)

🩹 Fixes

• ⚠️ Conditionally print negative boolean argument usage (#​177)
• types: Value type of NumberArgDef should be number (#​183)
• Show cli error message (#​186)
• Allow number arg to be optional (#​194)

💅 Refactors

• Show error once (#​167)
• More strict types (f597897)
• ⚠️ Use node:util.parseArgs for arg parsing (#​218)
• Use simple console formatting (#​219)

📦 Build

• ⚠️ Esm-only dist (42b57b0)

🏡 Chore

• Use automd for badges (b8371c4)
• Apply automated lint fixes (34c52a2)
• Fix typos (#​143)
• Update repo (d1ed3b4)
• Fix ci script (e13cb1e)
• Apply automated updates (3838771)
• Add vitest.config (eb5c799)
• Update dependencies (5d0a84e)
• Remove extra file (b90a84a)

✅ Tests

• Add unit tests for internal utils (#​77)
• Add test for args (#​160)
• Add test for runMain (#​162)
• Add test for usage (#​161)
• Add test for parser (#​192)
• Add test for subcommand (#​191)

⚠️ Breaking Changes

• ⚠️ Parsed optionals and enum type safety (#​174)
• ⚠️ Conditionally print negative boolean argument usage (#​177)
• ⚠️ Use node:util.parseArgs for arg parsing (#​218)
• ⚠️ Esm-only dist (42b57b0)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Kricsleo (@​kricsleo)
• Kanon (@​ysknsid25)
• Bobbie Goede bobbiegoede@gmail.com
• Estéban (@​Barbapapazes)
• IWANABETHATGUY <974153916@​qq.com>
• Kentaro Suzuki mail@sushichan.live
• Xjccc (@​xjccc)
• Zuixinwang (@​zuixinwang)
• K-Sato <satokatsuki0130@​gmail.com>
• Lsh (@​peterroe)

webpro-nl/knip (knip)

v5.83.1: Release 5.83.1

Compare Source

• Fix package.json import (f8c14c8)
• Organize imports (5d716ba)
• Update a bunch of dependencies (78bf644)
• Add minimal test suite to vscode-knip (b639508)
• Add support for monorepo when installing dependency (close #​1501) (5782b07)
• Fix unused file output in table (0f3dbb4)
• Restore slonik in ecosystem tests (35d9185)
• Fix type in exported value case (resolve #​1508) (d6dda74)
• Organize imports (fcdd33b)
• Remove unused export (c777bae)
• Don't flag exports (including used as type) in protected or consumed exports (a01bec1)
• Add npmx.dev to ecosystem tests (8f82052)
• fix: fix vitest setupFiles resolution (#​1511) (273b940) - thanks @​tmair!
• Improve & extend vitest args handling (6c49e5c)
• Detect Bun differently to avoid TS complaint (c1499d3)
• A temporary workaround until they catch up 🤫 (028b972)
• feat(vite): detect module entry from index.html (#​1487) (a76ab85) - thanks @​WooWan!
• Auto-format (69150bf)
• Add double-dash handling and add tests (close #​1404) (4c1de75)
• Revert most of previous commit 4c1de75 (0cd91ae)
• Auto-format (cf3d8ff)

v5.83.0: Release 5.83.0

Compare Source

• fix: skip empty string entries in package.json exports (#​1477) (6b64ac5) - thanks @​SBoudrias!
• add LS version to serverInfo (#​1468) (2c28cb8) - thanks @​niklas-wortmann!
• Avoid highlighting path-like specifiers (#​1488) (c8fec09) - thanks @​azat-io!
• Update avatar URLs (#​1489) (d612ac2) - thanks @​azat-io!
• Copy fix-fixtures to tmp dir (bd1519c)
• Don't add excluded issue types (resolve #​1486) (4eeeec6)
• Minor refactor (767b2c5)
• Edit docs (78111c9)
• feat: add plugin for expressive-code (#​1493) (fbf958a) - thanks @​cylewaitforit!
• Truncate file path left-side (resolves #​1494) (235949c)
• Revert fix-fixture format test (fails in outside cwd) (8e96125)
• Skip empty manifest entries (resolve #​1497) (d314ce4)
• Filter out empty issue objects in compact reporter (resolve #​1482) (7df0b4d)
• Lint/group import statements (61e7a24)
• Update AGENTS.md & docs (7537f8a)
• Optimize relative path helper (ac8a454)
• Move postinstall script to non-production (360110b)
• Ignore simple-git-hooks in production (like husky etc) (bbab35b)
• Move & add testimonials (5ab1813)
• Update sponsors page (4534a55)
• Edit docs, add config hints page (1a73a05)
• Rename reporter to match project style (58f8c4e)
• Auto-format (854124f)
• Refactor fs helper to match project style (f22e7e9)

stackblitz-labs/pkg.pr.new (pkg-pr-new)

v0.0.63

Compare Source

pnpm/pnpm (pnpm)

v10.29.3

Compare Source

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

• Security fix: prevent path traversal in directories.bin field.

• When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

  This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

  Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

• Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Gold Sponsors

publint/publint (publint)

v0.3.17

Compare Source

Patch Changes

• Fix packing packages with pnpm when publishConfig.directory is set (#​216)

• Updated dependencies [2dcb107]:

  • @​publint/pack@​0.1.3

npm/node-semver (semver)

v7.7.4

Compare Source

Bug Fixes

• a29faa5 #​835 cli: pass options to semver.valid() for loose version validation (#​835) (@​mldangelo)

Documentation

• 1d28d5e #​836 fix typos and update -n CLI option documentation (#​836) (@​mldangelo)

Dependencies

• 120968b #​840 @npmcli/template-oss@4.29.0 (#​840)

Chores

• 44d7130 #​824 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#​824) (@​dependabot[bot])
• 7073576 #​820 reorder parameters in invalid-versions.js test (#​820) (@​reggi)
• 5816d4c #​829 bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#​829) (@​dependabot[bot], @​npm-cli-bot)

vuejs/core (vue)

v3.5.28

Compare Source

Bug Fixes

• transition: avoid unexpected cancelled parameter in transition done callback (#​14391) (6798853)
• compiler-sfc: add resolution trying for .mts/.cts files (#​14402) (c09d41f), closes vuejs/router#2611
• compiler-sfc: no params were generated when using withDefaults (#​12823) (b0a1f05), closes #​12822
• reactivity: add __v_skip flag to EffectScope to prevent reactive conversion (#​14359) (48b7552), closes #​14357
• runtime-core: avoid retaining el on cached text vnodes during static traversal (#​14419) (4ace79a), closes #​14134
• runtime-core: prevent child component updates when style remains unchanged (#​12825) (57866b5), closes #​12826
• runtime-core: properly handle async component update before resolve (#​11619) (e71c26c), closes #​11617
• runtime-dom: handle null/undefined handler in withModifiers (#​14362) (261de54), closes #​14361
• teleport: properly handling disabled teleport target anchor (#​14417) (d7bcd85), closes #​14412
• transition-group: correct move translation under scale via element rect (#​14360) (0243a79), closes #​14356
• useTemplateRef: don't update setup ref for useTemplateRef key (#​12756) (fc40ca0), closes #​12749

vuejs/language-tools (vue-tsc)

v3.2.4

Compare Source

language-core

• feat: place plugin configs under ctx.config and support type annotation via generics (#​5944) - Thanks to @​KazariEX!

workspace

• chore: publish to npm with OIDC (#​5912) - Thanks to @​ghiscoding!

v3.2.3

Compare Source

language-core

• feat: support configuration for language plugins (#​5678) - Thanks to @​KazariEX!
• fix: avoid defineModel breaking ast in lang="js" (#​5935) - Thanks to @​KazariEX!
• fix: infer object keys as string if it does not extend string (#​5933) - Thanks to @​serkodev!

typescript-plugin

• feat: correct rename behavior on same name shorthands in template (#​5907) - Thanks to @​KazariEX!
• fix: only forward quick info for original results without tags (#​5938) - Thanks to @​KazariEX!

vscode

• fix: correct indent for <style> and <script> tags (#​5925) - Thanks to @​serkodev!

---

Configuration

📅 Schedule: Branch creation - "on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@nuxt/module-builder@712

commit: ce1ba9d