chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@nuxt/devtools (source)	3.2.3 → 3.2.4			devDependencies	patch
@nuxt/test-utils	4.0.0 → 4.0.3			devDependencies	patch
actions/setup-node	v6.3.0 → v6.4.0			action	minor
defu	^6.1.4 → ^6.1.7			dependencies	patch
pnpm (source)	10.32.1 → 10.33.4			packageManager	minor
vitest (source)	4.1.0 → 4.1.7			devDependencies	patch
vue-tsc (source)	3.2.5 → 3.3.2			devDependencies	minor

---

Release Notes

nuxt/devtools (@​nuxt/devtools)

v3.2.4

Compare Source

   🚀 Features

• Use ua-parser-modern  -  by @​antfu (114aa)

   🐞 Bug Fixes

• Nuxt devtools inspector style  -  by @​antfu (91f09)

    View changes on GitHub

nuxt/test-utils (@​nuxt/test-utils)

v4.0.3

Compare Source

4.0.3 is the next patch release.

👉 Changelog

compare changes

🩹 Fixes

• runtime-utils: Lazily import root-component in mount + render helpers (#​1665)
• runtime-utils: Insert compilerOptions conditionally (#​1659)
• config: Enable sourcemaps when vitest coverage is enabled (#​1674)
• module: Exclude test files from Nuxt plugin registration (#​1666)
• runtime-utils: Provide NuxtLink isActive slot props (#​1640)
• e2e: Wait for HTTP readiness before resolving startServer (#​1675)

🏡 Chore

• Fix typo (#​1663)
• Bump nitro and nuxt pins in nitro-v3 example (#​1678)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Martin Masevski (@​Archetipo95)
• Ryota Watanabe (@​wattanx)
• Jan Müller (@​DerYeger)
• Yoshihiro Yamaguchi (@​yamachi4416)
• Sai Asish Y (@​SAY-5)

v4.0.2

Compare Source

👉 Changelog

compare changes

🩹 Fixes

• config: Respect override dev value (#​1602)

🤖 CI

• Use pnpm publish to resolve workspace dependencies (#​1651)

❤️ Contributors

• Julien Huang (@​huang-julien)
• Vasily Kuzin (@​ExEr7um)

v4.0.1

Compare Source

👉 Changelog

compare changes

🩹 Fixes

• config: Rename deps.optimizer.web to client for vitest4 (#​1593)
• runtime-utils: Fix mockNuxtImport types when using string target (#​1592)
• config: Pass non-project options for non-nuxt simple setup (#​1582)
• config: Do not import defineConfig from vite (1aa5e8748)
• runtime: Handle ResourceLoader removal in jsdom v28 (#​1611)
• config,vitest-environment: Directly import peerDeps (#​1617)
• runtime-utils: Align mount options merge w/ vue-test-utils (#​1610)
• vitest-environment: Avoid vitest/environments import warning (#​1627)
• runtime: Avoid error when vue/test-utils is not installed (#​1646)
• config: Prefer project h3 version if present (#​1641)

🏡 Chore

• Bump vitest-environment-nuxt versions (f5ec72127)
• Use workspace dependency (14fb254a7)
• Example playwright config improve type annotation for devices (#​1581)
• pkg-pr-new prerelease vitest-environment-nuxt (#​1601)
• Allow explicit any (633c93c2a)
• Switch unit test target to dir and move type unit tests to test:types (#​1618)
• Update lockfile (8306abf00)

✅ Tests

• Add failing test for stubbed global provide (#​1314)
• Update assertions deprecated in vitest 4.1 (#​1629)
• Change example/workspace to use glob based projects setup (#​1585)

🤖 CI

• Pin github actions to full-length commit shas (2832fd6d5)
• Avoid checkout for reproduction comment (e4e67ab09)
• Rename workflow (99318b9fc)
• Correctly publish pkg-pr-new prerelease (#​1598)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Yoshihiro Yamaguchi (@​yamachi4416)
• Robin (@​OrbisK)
• Paul Melero (@​paulmelero)

actions/setup-node (actions/setup-node)

v6.4.0

Compare Source

unjs/defu (defu)

v6.1.7

Compare Source

compare changes

🩹 Fixes

• defu.d.cts: Export Defu types (#​157)

📦 Build

• Correct the types export entry (#​160)

❤️ Contributors

• Jakub Michálek (@​J-Michalek)
• Kricsleo (@​kricsleo)

v6.1.6

Compare Source

compare changes

📦 Build

• Fix mixed types (407b516)

❤️ Contributors

• Pooya Parsa (@​pi0)

v6.1.5

Compare Source

compare changes

🩹 Fixes

• Prevent prototype pollution via __proto__ in defaults (#​156)
• Ignore inherited enumerable properties (11ba022)

🏡 Chore

• Add tea.yaml (70cffe5)
• Update repo (23cc432)
• Fix typecheck (89df6bb)

✅ Tests

• Add more tests for plain objects (b65f603)

🤖 CI

• Bump node (9237d9c)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Kricsleo (@​kricsleo)

pnpm/pnpm (pnpm)

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

• Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

  A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

• Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Gold Sponsors

v10.33.3

Compare Source

v10.33.2

Compare Source

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes

• When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.

Platinum Sponsors

Gold Sponsors

v10.33.0

Compare Source

vitest-dev/vitest (vitest)

v4.1.7

Compare Source

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in #​10384 (4f0f2)

    View changes on GitHub

v4.1.6

Compare Source

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in #​10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in #​10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in #​10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in #​10276 (9f7b1)

    View changes on GitHub

v4.1.5

Compare Source

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in #​10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in #​10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in #​10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in #​10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in #​10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in #​8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in #​8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in #​10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in #​10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in #​10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in #​10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in #​9927 and #​10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in #​10154 (6abd5)

    View changes on GitHub

v4.1.4

Compare Source

   🚀 Features

• coverage:
  • Default to text reporter skipFull if agent detected  -  by @​hi-ogawa in #​10018 (53757)
• experimental:
  • Expose assertion as a public field  -  by @​sheremet-va in #​10095 (a120e)
  • Support aria snapshot  -  by @​hi-ogawa, Claude Opus 4.6 (1M context), @​AriPerkkio, Codex and @​sheremet-va in #​9668 (d4fbb)
• reporter:
  • Add filterMeta option to json reporter  -  by @​nami8824 and @​sheremet-va in #​10078 (b77de)

   🐞 Bug Fixes

• Use "black" foreground for labeled terminal message to ensure contrast  -  by @​hi-ogawa in #​10076 (203f0)
• Make expect(..., message) consistent as error message prefix  -  by @​hi-ogawa and Codex in #​10068 (a1b5f)
• Do not hoist imports whose names match class properties .  -  by @​SunsetFi in #​10093 and #​10094 (0fc4b)
• browser: Spread user server options into browser Vite server in project  -  by @​GoldStrikeArch in #​10049 (65c9d)

    View changes on GitHub

v4.1.3

Compare Source

   🚀 Experimental Features

• Add experimental.preParse flag  -  by @​sheremet-va in #​10070 (78273)
• Support browser.locators.exact option  -  by @​sheremet-va in #​10013 (48799)
• Add TestAttachment.bodyEncoding  -  by @​hi-ogawa in #​9969 (89ca0)
• Support custom snapshot matcher  -  by @​hi-ogawa, Claude Sonnet 4.6 and Codex in #​9973 (59b0e)

   🐞 Bug Fixes

• Advance fake timers with expect.poll interval  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10022 (3f5bf)
• Add @vitest/coverage-v8 and @vitest/coverage-istanbul as optional dependency  -  by @​alan-agius4 in #​10025 (146d4)
• Fix defineHelper for webkit async stack trace + update playwright 1.59.0  -  by @​hi-ogawa in #​10036 (5a5fa)
• Fix suite hook throwing errors for unused auto test-scoped fixture  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10035 (39865)
• expect:
  • Remove JestExtendError.context from verbose error reporting  -  by @​hi-ogawa in #​9983 (66751)
  • Don't leak "runner" types  -  by @​sheremet-va in #​10004 (ec204)
• snapshot:
  • Fix flagging obsolete snapshots for snapshot properties mismatch  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​9986 (6b869)
  • Export custom snapshot matcher helper from vitest  -  by @​hi-ogawa and Codex in #​10042 (691d3)
• ui:
  • Don't leak vite types  -  by @​sheremet-va in #​10005 (fdff1)
• vm:
  • Fix external module resolve error with deps optimizer query  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10024 (9dbf4)

    View changes on GitHub

v4.1.2

Compare Source

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (#​9975).

   🐞 Bug Fixes

• Don't resolve setupFiles from parent directory  -  by @​hi-ogawa in #​9960 (7aa93)
• Ensure sequential mock/unmock resolution  -  by @​hi-ogawa and Claude Opus 4.6 in #​9830 (7c065)
• browser: Take failure screenshot if toMatchScreenshot can't capture a stable screenshot  -  by @​macarie in #​9847 (faace)
• coverage: Correct coverageConfigDefaults values and types  -  by @​Arthie in #​9940 (b3c99)
• pretty-format: Fix output limit over counting  -  by @​hi-ogawa in #​9965 (d3b7a)
• Disable colors if agent is detected  -  by @​sheremet-va and @​AriPerkkio in #​9851 (6f97b)

    View changes on GitHub

v4.1.1

Compare Source

   🚀 Features

• experimental:
  • Expose matchesTagsFilter to test if the current filter matches tags  -  by @​sheremet-va in #​9913 (eec53)
  • Introduce experimental.vcsProvider  -  by @​sheremet-va in #​9928 (56115)

   🐞 Bug Fixes

• Mark TestProject.testFilesList internal properly  -  by @​sapphi-red in #​9867 (54f26)
• Detect fixture that returns without calling use  -  by @​oilater in #​9831 and #​9861 (633ae)
• Drop vite 8.beta support  -  by @​AriPerkkio in #​9862 (b78f5)
• Type regression in vi.mocked() static class methods  -  by @​purepear and @​hi-ogawa in #​9857 (90926)
• Properly re-evaluate actual modules of mocked external  -  by @​hi-ogawa in #​9898 (ae5ec)
• Preserve coverage report when html reporter overlaps  -  by @​hi-ogawa in #​9889 (2d81a)
• Provide vi.advanceTimers to the preview provider  -  by @​sheremet-va in #​9891 (1bc3e)
• Don't leak event listener in playwright provider  -  by @​sheremet-va in #​9910 (d9355)
• Open browser in --standalone mode without running tests  -  by @​sheremet-va in #​9911 (e78ad)
• Guard disposable and optional body  -  by @​sheremet-va in #​9912 (6fdb2)
• Resolve retry.condition RegExp serialization issue  -  by @​nstepien and @​hi-ogawa in #​9942 (7b605)
• collect:
  • Don't treat extra props on test return as tests  -  by @​sheremet-va in #​9871 (141e7)
• coverage:
  • Simplify provider types  -  by @​AriPerkkio in #​9931 (aaf9f)
  • Load built-in provider without module runner  -  by @​AriPerkkio in #​9939 (bf892)
• expect:
  • Soft assertions continue after .resolves/.rejects promise errors  -  by @​mixelburg, Maks Pikov, Claude Opus 4.6 (1M context) and @​hi-ogawa in #​9843 (6d74b)
  • Fix sinon-chai style API  -  by @​hi-ogawa in #​9943 (0f08d)
• pretty-format:
  • Limit output for large object  -  by @​hi-ogawa and Claude Opus 4.6 (1M context) in #​9949 (0d5f9)

    View changes on GitHub

vuejs/language-tools (vue-tsc)

v3.3.2

Compare Source

language-core

• feat: preserve literal types for inline v-for sources (#​6067) - Thanks to @​kkesidis!
• fix: align v-bind shorthand identifier skipping with interpolation - Thanks to @​KazariEX!

vscode

• feat: transform tsserver content (#​6062) - Thanks to @​KazariEX!
• fix: do not mark trailing slash in capitalized self-closing tags as invalid (#​6065) - Thanks to @​suisanka!

v3.3.1

Compare Source

language-core

• fix: avoid extraneous children error for conditional slots (#​6056) - Thanks to @​KazariEX!

language-service

• refactor: replace scanner-based missing props hints detection with AST traversal - Thanks to @​KazariEX!

typescript-plugin

• fix: get component prop details from symbols - Thanks to @​KazariEX!
• fix: skip unchecked JS identifiers in component props (#​6055) - Thanks to @​KazariEX!

vscode

• fix: resolve typescript plugin path from resolved server path (#​6058) - Thanks to @​KazariEX!

v3.3.0

Compare Source

language-core

• feat: check required fallthrough attributes (#​6049) - Thanks to @​KazariEX!
• fix: penetrate v-if branch fragments when collecting single root nodes - Thanks to @​KazariEX!
• refactor: rename Sfc APIs to IR - Thanks to @​KazariEX!

language-service

• fix: reuse ASTs for define assignment suggestions - Thanks to @​KazariEX!
• fix: re-support html.customData (#​5910) - Thanks to @​Bomberus!
• fix: strip ="" only for plain boolean props completion edits - Thanks to @​KazariEX!
• fix: reset to default data provider after running with vue data provider - Thanks to @​KazariEX!

typescript-plugin

• feat: refine props completion logic to follow TS behavior (#​5709) - Thanks to @​KazariEX!

vscode

• fix: include extraFileExtensions in tsserver configure request payload (#​6048) - Thanks to @​KazariEX!
• fix: write typescript plugins at build time (#​6050) - Thanks to @​KazariEX!
• fix: avoid infinite diagnostics on Vue files when project diagnostics is enabled (#​6051) - Thanks to @​KazariEX!

v3.2.9

Compare Source

language-core

• fix: do not process inline markdown syntax in semantic-aware segments (#​6038) - Thanks to @​KazariEX!
• perf: rewrite a subset of template node transforms (#​5769) - Thanks to @​KazariEX!

vscode

• fix: trigger file rename edits when moving folders with Vue files (#​6046) - Thanks to @​KazariEX!

workspace

• chore: bump volar services to 0.0.71 (#​6043) - Thanks to @​TRIS-H!

v3.2.8

Compare Source

language-core

• fix: replace inline code blocks after sfc blocks processing (#​6024) - Thanks to @​KazariEX!
• fix: support navigation for kebab-case declarations in GlobalComponents (#​6026) - Thanks to @​Gehbt!

language-service

• feat: support TS module resolution for SCSS @import navigation (#​6033) - Thanks to @​KazariEX!

typescript-plugin

• fix: replace language service per-method overrides with a proxy (#​6035) - Thanks to @​KazariEX!

vscode

• chore: upgrade reactive-vscode to v1.0.1 (#​6019) - Thanks to @​kermanx!

v3.2.7

Compare Source

component-meta

• fix: preserve non-ASCII characters in prop default values (#​6012) - Thanks to @​ef81sp!

workspace

• chore: bump typescript to 6.0.3 (#​6017) - Thanks to @​KazariEX!

v3.2.6

Compare Source

language-core

• fix: generate $slots type in template correctly with defineSlots (#​5984) - Thanks to @​KazariEX!
• fix: infer only readonly component of arrays in v-for (#​5987) - Thanks to @​ascott18!
• fix: avoid false positives for destructured props detection on binding property names (#​5994) - Thanks to @​KazariEX!

vscode

• fix: use regex for TS extension patching to support VS Code 1.110+ (#​5983) - Thanks to @​ebiryu!

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 15, reused 0, downloaded 0, added 0
 ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "tinyexec@1.2.2" (possible package takeover)

This error happened while installing the dependencies of @nuxt/test-utils@4.0.3

Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had trusted publisher, but this version has provenance attestation. A trust downgrade may indicate a supply chain incident.