chore(deps): update all non-major dependencies with stable versions (minor)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@stylistic/stylelint-plugin	^5.0.1 → ^5.1.0			devDependencies	minor
@vueuse/core (source)	^14.2.1 → ^14.3.0			devDependencies	minor
autoprefixer	^10.4.27 → ^10.5.0			devDependencies	minor
axios@>=1.0.0 <1.12.0 (source)	[>=1.15.2 → >=1.16.0](https://renovatebot.com/diffs/npm/axios@>=1.0.0 <1.12.0/1.15.2/1.16.0)			pnpm.overrides	minor	1.16.1
brace-expansion@>=2.0.0 <=2.0.1	[>=2.0.3 → >=2.1.0](https://renovatebot.com/diffs/npm/brace-expansion@>=2.0.0 <=2.0.1/2.0.3/2.1.0)			pnpm.overrides	minor
node (source)	24.14.0 → 24.15.0				minor
node (source)	24.14.0 → 24.15.0			volta	minor
sass	^1.98.0 → ^1.99.0			devDependencies	minor
undici@<7.24.0 (source)	>=7.24.0 → >=7.25.0			pnpm.overrides	minor

---

Release Notes

stylelint-stylistic/stylelint-stylistic (@​stylistic/stylelint-plugin)

v5.1.0

Compare Source

Added

• The no-multiple-whitespaces rule, which disallows multiple whitespaces between property values and function arguments.

Fixed

• The dependencies have now been updated to versions that include security fixes.

vueuse/vueuse (@​vueuse/core)

v14.3.0

Compare Source

   🚀 Features

• Expose pointer event onLongPress  -  by @​mrcwbr in #​5295 (b1688)
• createInjectionState: Non-undefined return when default specified  -  by @​Laupetin in #​5306 (b0c51)
• createReusableTemplate: Add support for specifying component names  -  by @​wbolster in #​5300 (ea29d)
• nuxt: Add composable variants to auto imports  -  by @​OrbisK in #​5285 (ac2ef)
• useElementVisibility: Add controls option  -  by @​kricsleo in #​5191 (0cb03)
• useTextareaAutosize: Add optional maxHeight to limit autosize growth  -  by @​palamarchukser, @​antfu and @​9romise in #​5324 (1a3e5)

   🐞 Bug Fixes

• Add explicit ./package.json export to all packages  -  by @​babu-ch and @​OrbisK in #​5343 (0d989)
• core: Always return ssrValue in useCssSupports before mounted  -  by @​danielroe in #​5290 (76b0b)
• directive: Create disposable directive func cleanup of side effects unmounted  -  by @​kalu5, @​43081j, Raman Paulau and @​OrbisK in #​5244 (52d68)
• docs: Typos in useManualRefHistory, useFocusWithin, useStorageAsync, useIntersectionObserver  -  by @​blowsie, Sam Blowes and @​OrbisK in #​5329 (1d9c4)
• docs: Add ignoreDeprecations for twoslash TS 6.0 compat  -  by @​antfu and Claude Opus 4.6 (1M context) in #​5367 (9d1eb)
• metadata: Cleanup removed function resolveRef  -  by @​ntnyq in #​5307 (49da8)
• onClickOutside: Detect iframe inside shadow DOM with detectIframe option  -  by @​babu-ch and @​OrbisK in #​5336 (1a77b)
• shared: Align overloads order of watch functions with original version  -  by @​KazariEX in #​5288 (f1d32)
• useAxios: Handle optional response data safely  -  by @​jahnli in #​5318 (51198)
• useCached: Update comparator type and improve documentation  -  by @​IceMooncake in #​5376 (d886c)
• useClipboard: Prevents fail in Safari for async operation  -  by @​MatteoGabriele in #​5369 (5ec56)
• useSortable: Re-query DOM on every start() for string selectors  -  by @​Mini-ghost in #​5374 (3341f)
• useVirtualList: React to changes made in mutable arrays properly  -  by @​dcherman in #​5267 (7069e)
• useWakeLock: Auto-release wake lock on component unmount  -  by @​ProgrammingWithSid and @​OrbisK in #​5271 (43937)
• useWebSocket: Race condition caused by onopen/onclose events.  -  by @​DanCardin, @​antfu and @​9romise in #​5175 (6661c)
• whenever: Improve old value types  -  by @​VChet in #​5096 (979c6)

   🏎 Performance

• Replace deepRef with shallowRef where appropriate  -  by @​9romise in #​5293 (80004)

    View changes on GitHub

postcss/autoprefixer (autoprefixer)

v10.5.0

Compare Source

• Added mask-position-x and mask-position-y support (by @​toporek).

axios/axios (axios@>=1.0.0 <1.12.0)

v1.16.0

Compare Source

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#​10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#​10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#​10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#​10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#​7378)
• transformRequest input typing change was reverted. The typing change introduced in #​10745 was reverted in #​10810 after follow-up review — net behavior is unchanged from 1.15.2. (#​10745, #​10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#​10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #​6485). (#​10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#​6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#​10794, #​10800, #​6241, #​10822, #​10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#​10708, #​10819, #​7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#​10795, #​10772, #​10806, #​7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#​10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#​10724, #​7276, #​10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#​7414, #​6389, #​6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#​7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#​10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#​10588, #​7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#​10820, #​10791, #​10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#​10821, #​10782, #​10759, #​10804)
• Reverted: Reverted the transformRequest input typing change from #​10745 after follow-up review. (#​10745, #​10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#​10785, #​10813, #​10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#​10790, #​10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#​10588)
• @​cuiweixie (#​7419)
• @​iruizsalinas (#​10787)
• @​MarcosNocetti (#​10680)
• @​deepview-autofix (#​10729)
• @​atharvasingh7007 (#​10745)
• @​OfekDanny (#​10772)
• @​mnahkies (#​7414)
• @​tboyila (#​10759)
• @​Kingo64 (#​6897)
• @​ramram1048 (#​6389)
• @​FLNacif (#​6460)
• @​zozo123 (#​10806)
• @​pierluigilenoci (#​10802)
• @​afurm (#​10708)
• @​karan-lrn (#​7378)
• @​ebeigarts (#​7149)
• @​Raymondo97 (#​10782)
• @​mixelburg (#​10821)
• @​ashishkr96 (#​10822)
• @​cyphercodes (#​10819)
• @​Jye10032 (#​7260)
• @​VeerShah41 (#​7276)

Full Changelog

juliangruber/brace-expansion (brace-expansion@>=2.0.0 <=2.0.1)

v2.1.0

Compare Source

nodejs/node (node)

v24.15.0

Compare Source

v24.14.1

Compare Source

sass/dart-sass (sass)

v1.99.0

Compare Source

• Add support for parent selectors (&) at the root of the document. These are
  emitted as-is in the CSS output, where they're interpreted as the scoping
  root.

• User-defined functions named calc or clamp are no longer forbidden. If
  such a function exists without a namespace in the current module, it will be
  used instead of the built-in calc() or clamp() function.

• User-defined functions whose names begin with - and end with -expression,
  -url, -and, -or, or -not are no longer forbidden. These were
  originally intended to match vendor prefixes, but in practice no vendor
  prefixes for these functions ever existed in real browsers.

• User-defined functions named EXPRESSION, URL, and ELEMENT, those that
  begin with - and end with -ELEMENT, as well as the same names with some
  lowercase letters are now deprecated, These are names conflict with plain CSS
  functions that have special syntax.

  See the Sass website for details.

• In a future release, calls to functions whose names begin with - and end
  with -expression and -url will no longer have special parsing. For now,
  these calls are deprecated if their behavior will change in the future.

  See the Sass website for details.

• Calls to functions whose names begin with - and end with -progid:... are
  deprecated.

  See the Sass website for details.

nodejs/undici (undici@<7.24.0)

v7.25.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v7.24.8...v7.25.0

v7.24.8

Compare Source

What's Changed

• fix: backport 401 stream-backed body fix to v7.x by @​mcollina in #​5006

Full Changelog: nodejs/undici@v7.24.7...v7.24.8

v7.24.7

Compare Source

What's Changed

• docs: update broken links in file "Dispatcher.md" by @​samuel871211 in #​4924
• doc: remove unused parameter redirectionLimitReached by @​samuel871211 in #​4933
• test: skip flaky macOS Node 20 cookie fetch cases by @​mcollina in #​4932
• fix(types): align Response with DOM fetch types by @​theamodhshetty in #​4867
• fix(types): Fix clone method type declaration to be an instance method rather than instance property by @​mistval in #​4925
• test: skip IPv6 tests when IPv6 is not available by @​mcollina in #​4939
• fix: correctly handle multi-value rawHeaders in fetch by @​mcollina in #​4938
• ignore AGENTS.md by @​mcollina in #​4942

New Contributors

• @​samuel871211 made their first contribution in #​4924
• @​mistval made their first contribution in #​4925

Full Changelog: nodejs/undici@v7.24.6...v7.24.7

v7.24.6

Compare Source

What's Changed

• fix(test): client wasm compatible with clang 22 by @​rozzilla in #​4909
• fix(mock): improve error message when intercepts are exhausted by @​travisbreaks in #​4912
• fix(websocket): support open diagnostics over h2 by @​mcollina in #​4921
• fix: assume http/https scheme for scheme-less proxy env vars by @​travisbreaks in #​4914
• fix(cache): check Authorization on request headers per RFC 9111 §3.5 by @​metalix2 in #​4911
• fix: wrap kConnector call in try/catch to prevent client hang by @​veeceey in #​4834
• docs: clarify fetch and FormData pairing by @​mcollina in #​4922
• fix: support Connection header with connection-specific header names per RFC 7230 by @​mcollina in #​4775
• fix: avoid prototype collisions in parseHeaders by @​mcollina in #​4923
• build(deps-dev): bump typescript from 5.9.3 to 6.0.2 by @​dependabot[bot] in #​4926
• test: auto-init WPT submodule by @​mcollina in #​4930

New Contributors

• @​rozzilla made their first contribution in #​4909
• @​veeceey made their first contribution in #​4834

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

v7.24.5

Compare Source

What's Changed

• Formdata tests by @​KhafraDev in #​4902
• test: add unexpected disconnect guards to more client test files by @​samayer12 in #​4844
• fix(cache): only apply 1-year deleteAt for immutable responses by @​metalix2 in #​4913

New Contributors

• @​metalix2 made their first contribution in #​4913

Full Changelog: nodejs/undici@v7.24.4...v7.24.5

v7.24.4

Compare Source

What's Changed

• fix(fetch): handle URL credentials in dispatch path extraction by @​mcollina in #​4892

Full Changelog: nodejs/undici@v7.24.3...v7.24.4

v7.24.3

Compare Source

What's Changed

• fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by @​hxinhan in #​4881

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.2

Compare Source

What's Changed

• fix fetch path logic by @​KhafraDev in #​4890
• remove maxDecompressedMessageSize by @​KhafraDev in #​4891

Full Changelog: nodejs/undici@v7.24.1...v7.24.2

v7.24.1

Compare Source

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
• Automerge
  • Monday through Friday (* * * * 1-5)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 48, reused 0, downloaded 0, added 0
Progress: resolved 69, reused 0, downloaded 0, added 0
Progress: resolved 71, reused 0, downloaded 0, added 0
 ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "chokidar@4.0.3" (possible package takeover)

This error happened while installing the dependencies of sass@1.99.0

Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had provenance attestation, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.

[netlify]

❌ Deploy Preview for kongponents-sandbox failed.

Name	Link
🔨 Latest commit	e033beb
🔍 Latest deploy log	https://app.netlify.com/projects/kongponents-sandbox/deploys/6a080b3fb72ee800084b0b04