chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@intlify/unplugin-vue-i18n (source)	11.0.7 → 11.1.2
@typescript-eslint/eslint-plugin (source)	8.58.2 → 8.59.1
dompurify	3.4.0 → 3.4.1
eslint-plugin-vue (source)	10.8.0 → 10.9.0
filesize (source)	11.0.15 → 11.0.17
github.com/asticode/go-astisub	v0.39.0 → v0.40.0
pnpm (source)	10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319 → 10.33.2
postcss (source)	8.5.10 → 8.5.12
qrcode.vue (source)	3.8.1 → 3.9.0
terser (source)	5.46.1 → 5.46.2
vite (source)	8.0.8 → 8.0.10
vitest (source)	4.1.4 → 4.1.5
vue (source)	3.5.32 → 3.5.33
vue-i18n (source)	11.3.2 → 11.4.0
vue-router (source)	5.0.4 → 5.0.6
vue-tsc (source)	3.2.6 → 3.2.7

---

Release Notes

intlify/bundle-tools (@​intlify/unplugin-vue-i18n)

v11.1.2

Compare Source

What's Changed

🐛 Bug Fixes

• fix(unplugin-vue-i18n): preserve vite:json ObjectHook shape for Vite 8 compatibility by @​kazupon in #​554

Full Changelog: intlify/bundle-tools@v11.1.1...v11.1.2

v11.1.1

Compare Source

What's Changed

🐛 Bug Fixes

• fix(unplugin-vue-i18n): support JS/TS lang in SFC i18n custom blocks by @​kazupon in #​549

Full Changelog: intlify/bundle-tools@v11.1.0...v11.1.1

v11.1.0

Compare Source

What's Changed

🌟 Features

• feat(unplugin-vue-i18n): support locale mesasges tree-shaking by @​kazupon in #​542

Full Changelog: intlify/bundle-tools@v11.0.7...v11.1.0

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.59.1

Compare Source

🩹 Fixes

• eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#​12241)
• eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#​12220)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#​12278)
• eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#​12269)
• eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#​12257)
• eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#​12246)

❤️ Thank You

• anasm266 @​anasm266
• Anshika Jain @​Anshikakalpana
• Ulrich Stark
• yugo innami @​nami8824

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.0

Compare Source

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#​11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

cure53/DOMPurify (dompurify)

v3.4.1: DOMPurify 3.4.1

Compare Source

• Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
• Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
• Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
• Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
• Removed a duplicate slot entry from the default HTML attribute allow-list
• Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
• Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
• Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

vuejs/eslint-plugin-vue (eslint-plugin-vue)

v10.9.0

Compare Source

Minor Changes

• Added "inject" to groups option in vue/no-unused-properties rule (#​3052)

• Added new ignores option to vue/no-literals-in-template rule (#​3072)

• Added support for :single-line/:multi-line pseudo-classes in vue/padding-line-between-tags (#​3025)

• Added new vue/prefer-v-model rule (#​3062)

• Added new vue/prefer-single-event-payload rule (#​3058)

Patch Changes

• Added error end positions for vue/no-irregular-whitespace (#​3065)

• Updated resources: add Attrs and AllowedAttrs type definitions (#​3059)

• Improved error positions in vue/max-len (#​3066)

• Improve performance in vue/no-child-content rule (#​3068)

• Migrate configs to TypeScript (#​3002)

• Updated resources: geolocation HTML element and ClassValue and InputAutoCompleteAttribute Vue 3 export (#​3040)

avoidwork/filesize.js (filesize)

v11.0.17

Compare Source

• docs: update browser CDN URL to v11.0.16 #262
• Bump oxfmt from 0.45.0 to 0.46.0 #260
• Bump oxlint from 1.60.0 to 1.61.0 #259
• Bump rollup from 4.60.1 to 4.60.2 #258
• Version bump 43320d8
• docs: remove Browser Usage section from README 99136ff

v11.0.16

Compare Source

• refactor: extract delegate functions from filesize for better SRP #257
• Bump oxlint from 1.59.0 to 1.60.0 #256
• Bump oxfmt from 0.44.0 to 0.45.0 #255
• Bump oxfmt from 0.43.0 to 0.44.0 #254
• Bump oxlint from 1.58.0 to 1.59.0 #253
• Bump oxlint from 1.57.0 to 1.58.0 #252
• Bump oxfmt from 0.42.0 to 0.43.0 #251
• Bump rollup from 4.60.0 to 4.60.1 #250
• Version bump bf3df96
• Updating CHANGELOG.md be4ffbb

asticode/go-astisub (github.com/asticode/go-astisub)

v0.40.0

Compare Source

pnpm/pnpm (pnpm)

v10.33.2

Compare Source

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes

• When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.

Platinum Sponsors

Gold Sponsors

postcss/postcss (postcss)

v8.5.12

Compare Source

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

v8.5.11

Compare Source

• Fixed nested brackets parsing performance (by @​offset).

scopewu/qrcode.vue (qrcode.vue)

v3.9.0

Compare Source

Feature

• Support radius prop for QRCode module corner rounding. The rounding is context-aware, keeping inner corners sharp while rounding outer corners. Supports both SVG and Canvas rendering modes.

terser/terser (terser)

v5.46.2

Compare Source

• unused option: delete computed keys of concise methods and getters/setters.
• Error.cause added to DOM properties list
• Don't consider foo.bar and foo["bar"] to be equivalent when property mangler is enabled with keep_quoted=strict option.

vitejs/vite (vite)

v8.0.10

Compare Source

Features

• update rolldown to 1.0.0-rc.17 (#​22299) (a4d06d9)

Bug Fixes

• hmrClient.logger.debug and hmrClient.logger.error looked different from other HMR logs (#​22147) (a4d828f)
• css: show filename in CSS minification warnings for .css?inline (#​22292) (83f0a78)
• optimizer: allow user transform.target to override default in optimizeDeps (#​22273) (5c7cec6)
• remove format sniffing module resolution from JS resolver (#​22297) (b8a21cc)

Code Refactoring

• enable some typecheck rules (#​22278) (9437518)
• typecheck client directory (#​22284) (40a0847)

v8.0.9

Compare Source

Features

• update rolldown to 1.0.0-rc.16 (#​22248) (2947edd)

Bug Fixes

• allow binding when strictPort is set but wildcard port is in use (#​22150) (dfc8aa5)
• build: emptyOutDir should happen for watch rebuilds (#​22207) (ee52267)
• bundled-dev: reject requests to HMR patch files in non potentially trustworthy origins (#​22269) (868f141)
• css: use unique key for cssEntriesMap to prevent same-basename collision (#​22039) (374bb5d)
• deps: update all non-major dependencies (#​22219) (4cd0d67)
• deps: update all non-major dependencies (#​22268) (c28e9c1)
• detect Deno workspace root (fix #​22237) (#​22238) (1b793c0)
• dev: handle errors in watchChange hook (#​22188) (fc08bda)
• optimizer: handle more chars that will be sanitized (#​22208) (3f24533)
• skip fallback sourcemap generation for ?raw imports (#​22148) (3ec9cda)

Documentation

• align the descriptions in READMEs (#​22231) (44c42b9)
• fix reuses wording in dev environment comment (#​22173) (9163412)
• fix wording in sass error comment (#​22214) (bc5c6a7)
• update build CLI defaults (#​22261) (605bb97)

Miscellaneous Chores

• deps: update dependency dotenv-expand to v13 (#​22271) (0a3887d)

vitest-dev/vitest (vitest)

v4.1.5

Compare Source

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in #​10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in #​10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in #​10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in #​10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in #​10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in #​8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in #​8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in #​10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in #​10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in #​10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in #​10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in #​9927 and #​10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in #​10154 (6abd5)

    View changes on GitHub

vuejs/core (vue)

v3.5.33

Compare Source

Bug Fixes

• compiler-sfc: handle nested :deep in selector pseudos (#​14725) (bb9d265), closes #​14724
• reactivity: unlink effect scopes on out-of-order off (#​14734) (e7659be), closes #​14733
• runtime-dom: preserve textarea resize dimensions (#​14747) (11fb2fd), closes #​14741
• teleport: don't move teleport children if not mounted (#​14702) (6a61f44), closes #​14701
• transition: preserve placeholder for conditional explicit default slots (#​14748) (45990ce), closes #​14727

intlify/vue-i18n (vue-i18n)

v11.4.0

Compare Source

What's Changed

🌟 Features

• feat: support isolated scope by @​kazupon in #​2468

Full Changelog: intlify/vue-i18n@v11.3.2...v11.4.0

vuejs/router (vue-router)

v5.0.6

Compare Source

   🐞 Bug Fixes

• Missing closing quote in generated import  -  by @​zjy040525 and @​posva in #​2688 (32f78)

    View changes on GitHub

v5.0.5

Compare Source

   🚀 Features

• Enable standard schema param parsers  -  by @​posva (ea8e3)
• Normalize param parsers once  -  by @​posva (48087)

   🐞 Bug Fixes

• Track definePage imports per-file to fix named view race condition  -  by @​posva (11191)
• Avoid double decoding hash on string location  -  by @​posva (1578c)

    View changes on GitHub

vuejs/language-tools (vue-tsc)

v3.2.7

Compare Source

component-meta

• fix: preserve non-ASCII characters in prop default values (#​6012) - Thanks to @​ef81sp!

workspace

• chore: bump typescript to 6.0.3 (#​6017) - Thanks to @​KazariEX!

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.