chore(deps): update all non-major dependencies by renovate[bot] · Pull Request #132 · unjs/httpxy

renovate · 2026-04-25T02:53:16Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@fastify/http-proxy	`^11.4.2` → `^11.4.4`
@types/node (source)	`^25.6.0` → `^25.8.0`
@typescript/native-preview (source)	`^7.0.0-dev.20260421.1` → `^7.0.0-dev.20260515.1`
@vitest/coverage-v8 (source)	`^4.1.5` → `^4.1.6`
fastify (source)	`^5.8.4` → `^5.8.5`
obuild	`^0.4.33` → `^0.4.35`
oxfmt (source)	`^0.46.0` → `^0.50.0`
oxlint (source)	`^1.61.0` → `^1.65.0`
pnpm (source)	`10.33.0` → `10.33.4`
semver	`^7.7.4` → `^7.8.0`
undici (source)	`^8.1.0` → `^8.3.0`
vitest (source)	`^4.1.5` → `^4.1.6`
ws	`^8.20.0` → `^8.20.1`

Release Notes

fastify/fastify-http-proxy (@fastify/http-proxy)

`v11.4.4`

Compare Source

⚠️ Security Release

This fixes CVE CVE-2026-33805 GHSA-gwhp-pf74-vj37.

What's Changed

chore: remove fast-proxy dependency by @Tony133 in #453
build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @dependabot[bot] in #454
build(deps-dev): bump pino-test from 1.1.0 to 2.0.0 by @dependabot[bot] in #456
build(deps-dev): bump typescript from 5.9.3 to 6.0.2 by @dependabot[bot] in #455
build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @dependabot[bot] in #457
ci: add lock-threads workflow by @Fdawgs in #459

Full Changelog: fastify/fastify-http-proxy@v11.4.3...v11.4.4

`v11.4.3`

Compare Source

What's Changed

fix: Only replace the prefix at the beginning of the URL. by @ShogunPanda in #452

Full Changelog: fastify/fastify-http-proxy@v11.4.2...v11.4.3

microsoft/typescript-go (@typescript/native-preview)

vitest-dev/vitest (@vitest/coverage-v8)

`v4.1.6`

Compare Source

🐞 Bug Fixes

browser: Provide project reference in ToMatchScreenshotResolvePath - by @macarie and @sheremet-va in #10138 (31882)
Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options - by @hi-ogawa, Codex and @sheremet-va in #10196 (2847d)
browser: Simplify orchestrator otel carrier - by @hi-ogawa in #10285 (18af9)

🏎 Performance

Stringify diff objects only once - by @sheremet-va in #10276 (9f7b1)

View changes on GitHub

fastify/fastify (fastify)

`v5.8.5`

Compare Source

⚠️ Security Release

This fixes CVE CVE-2026-33806 GHSA-247c-9743-5963.

What's Changed

chore: Fix port parsing by @jsumners in #6603
chore: upgrade to typescript v6.0.2 by @Tony133 in #6605
fix: restore trustProxy function for number and string types, add null check for socketAddr by @mcollina in #6613
ci: reduce cron scheduled workflows from daily/weekly to monthly by @Fdawgs in #6623
chore: Bump pnpm/action-setup from 4.2.0 to 5.0.0 by @dependabot[bot] in #6629
chore: Bump markdownlint-cli2 from 0.21.0 to 0.22.0 by @dependabot[bot] in #6632
chore: Bump borp from 0.21.0 to 1.0.0 by @dependabot[bot] in #6633
chore: Bump actions/dependency-review-action from 4.8.3 to 4.9.0 by @dependabot[bot] in #6630
docs(ecosystem): add @pompelmi/fastify-plugin by @SonoTommy in #6610

New Contributors

@SonoTommy made their first contribution in #6610

Full Changelog: fastify/fastify@v5.8.4...v5.8.5

unjs/obuild (obuild)

`v0.4.35`

Compare Source

compare changes

🏡 Chore

Update deps (5047837)

❤️ Contributors

Pooya Parsa (@pi0)

`v0.4.34`

Compare Source

compare changes

🚀 Enhancements

Support license: { gzip: true } (488f9e3)

🩹 Fixes

transform: Fall back to declaration-less emit on isolatedDeclarations errors (#83)
license: Dedup by name@version and only scan modules in emitted chunks (98f1fda)

💅 Refactors

Replace rollup-plugin-license with native Rolldown plugin (#81)
Inline pretty-bytes impl (dc1606c)

🏡 Chore

Update deps (90f0a3f)

❤️ Contributors

Pooya Parsa (@pi0)
ナイトウコウスケ (@naitokosuke)
Wind (@productdevbook)

oxc-project/oxc (oxfmt)

`v0.50.0`

Compare Source

🐛 Bug Fixes

43b9978 formatter/sort_imports: Treat subpath imports as internal (#22440) (leaysgur)

`v0.49.0`

Compare Source

🚀 Features

6e8e818 oxfmt: Experimental .svelte support (#21700) (leaysgur)

`v0.48.0`

Compare Source

`v0.47.0`

Compare Source

oxc-project/oxc (oxlint)

`v1.65.0`

Compare Source

🚀 Features

5478fb5 linter/jsdoc: Implement require-throws-description rule (#22386) (Mikhail Baev)
c73225e linter/eslint: Implement prefer-arrow-callback rule (#22312) (박천(Cheon Park))
de82b59 linter: Add support for eslint-plugin-jsx-a11y-x (#22356) (mehm8128)
f44b6c8 linter: Fill schemas DummyRuleMap with built-in rules (#22288) (Sysix)

`v1.64.0`

Compare Source

🚀 Features

fbb8f22 linter: Support ignores in overrides (#22148) (camc314)

🐛 Bug Fixes

25b7017 linter: Undocument override ignores option (#22213) (camc314)

`v1.63.0`

Compare Source

📚 Documentation

cacbc4a linter: Fix jest settings docs. (#22127) (connorshea)

`v1.62.0`

Compare Source

🚀 Features

348f46c linter: Add respectEslintDisableDirectives option (#21384) (Christian Vuerings)

🐛 Bug Fixes

8c425db linter: Allow string for jest version in config schema (#21649) (camc314)

`v1.61.1`

Compare Source

pnpm/pnpm (pnpm)

`v10.33.4`: pnpm 10.33.4

Compare Source

Patch Changes

Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.
Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #11341.

Platinum Sponsors

Gold Sponsors

`v10.33.3`

Compare Source

`v10.33.2`

Compare Source

`v10.33.1`: pnpm 10.33.1

Compare Source

Patch Changes

When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #11328.

Platinum Sponsors

Gold Sponsors

npm/node-semver (semver)

`v7.8.0`

Compare Source

Features

0d0a0a2 #855 Add truncate function (#855) (@pjohnmeyer, @owlstronaut)

Bug Fixes

3905343 #859 Warn when defaulting to --inc=patch in CLI (@pjohnmeyer)

Documentation

c368af6 #853 fix typos in documentation (#853) (@ankitkumar572005)
37776c3 #846 fix BNF grammar to distinguish prerelease from build identifiers (#846) (@abhu85, @claude)

Chores

9542e09 #860 template-oss-apply (@owlstronaut)
937bc2c #860 template-oss-apply@5.0.0 (@owlstronaut)
6946fef #852 bump @npmcli/template-oss from 4.29.0 to 4.30.0 (#852) (@dependabot[bot], @npm-cli-bot)

nodejs/undici (undici)

`v8.3.0`

Compare Source

What's Changed

fix: preserve pool capacity after removing stale client by @trivikr in #5151
build(deps): bump actions/github-script from 8.0.0 to 9.0.0 by @dependabot[bot] in #5157
build(deps): bump actions/upload-artifact from 5.0.0 to 7.0.1 by @dependabot[bot] in #5162
build(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 by @dependabot[bot] in #5156
chore(http2): collapse duplicate request stream setup by @trivikr in #5140
perf(client): cache HTTP/2 authority by @trivikr in #5141
build(deps-dev): bump borp from 0.20.2 to 1.0.0 by @dependabot[bot] in #4819
types: add TOpaque to client connect options by @samuel871211 in #4928
build(deps): bump tinybench from 5.1.0 to 6.0.1 in /benchmarks by @dependabot[bot] in #4688
build(deps): bump codecov/codecov-action from 5.5.1 to 6.0.0 by @dependabot[bot] in #4950
build(deps): bump actions/dependency-review-action from 4.8.1 to 4.9.0 by @dependabot[bot] in #4951
test(fetch): add userinfo coverage for issue-4897 URLs by @mcollina in #4901
perf: avoid duplicate pool dispatcher selection on backpressure by @trivikr in #5149
build(deps): bump actions/setup-node from 6.2.0 to 6.4.0 by @dependabot[bot] in #5163
build(deps): bump step-security/harden-runner from 2.14.1 to 2.19.1 by @dependabot[bot] in #5160
build(deps): bump cronometro from 5.3.0 to 6.0.3 in /benchmarks by @dependabot[bot] in #4687
build(deps): bump github/codeql-action from 4.35.1 to 4.35.3 by @dependabot[bot] in #5161
build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @dependabot[bot] in #4853
build(deps): bump hendrikmuhs/ccache-action from 1.2.22 to 1.2.23 by @dependabot[bot] in #5158
build(deps): bump fastify/github-action-merge-dependabot from 3.11.2 to 3.12.0 by @dependabot[bot] in #5159
build(deps-dev): bump c8 from 10.1.3 to 11.0.0 by @dependabot[bot] in #4854
build(deps): bump uWebSockets.js from v20.64.0 to v20.66.0 in /benchmarks by @dependabot[bot] in #5130
docs: mention install() also installs WebSocket globals by @mcollina in #5174
types: stop interfering with @types/node by @Renegade334 in #5173
fix: align h2 empty body content-length methods with h1 by @trivikr in #5172
build(deps-dev): bump fast-check from 4.6.0 to 4.7.0 by @dependabot[bot] in #5192
build(deps-dev): bump typescript from 6.0.2 to 6.0.3 by @dependabot[bot] in #5191
test: move cleanup from finally to after hooks by @trivikr in #5194
test: resolve flaky timeout in issue-3356 by @trivikr in #5188
SnapshotAgent: Add normalizeBody and normalizeQuery by @GeoffreyBooth in #5121
fix(socks5): use configured connector in Socks5ProxyAgent by @trivikr in #5168
perf(http2): avoid isArray checks for common headers by @trivikr in #5170
fix(test): make deduplicate body-streaming test non-flaky by @mcollina in #5196
test(retry): add regression test for RetryAgent + HTTP/2 stream timeout (#5137) by @mcollina in #5176
fix(socks5): preserve dispatch backpressure return value by @trivikr in #5166
perf(http2): end zero-length request bodies with headers by @trivikr in #5169
fix(test): make issue-2898-comment.js assertion robust against flakiness by @mcollina in #5208
test: disable timeouts in h2 high concurrency regression by @trivikr in #5205
test: deflake stream compat coverage by @mcollina in #5209
fix(dispatcher): remove unreachable assert in writeBlob by @SAY-5 in #5231
fix: clean up benchmark resources before worker exit by @trivikr in #5225
test: avoid per-chunk assertions in diagnostics get by @trivikr in #5224
test: capture cache test worker stderr and preserve failures by @trivikr in #5206
chore: gitignore benchmarks/package-lock.json by @trivikr in #5228
perf(proxy-agent): avoid extra header allocations in auth guard by @trivikr in #5164
test(wpt): retry WPT server startup on port conflicts or timeout by @trivikr in #5215
test: make websocket diagnostics ping-pong ordering deterministic by @trivikr in #5222
test(websocket): fix flaky send test by @mcollina in #5232
fix: prevent node-fetch test server close from hanging on Windows by @mcollina in #5246
test: wait for cache test server to listen by @trivikr in #5242
fix: accept unknown-size Content-Range values by @trivikr in #5120
test: avoid global dispatcher state in mock client tests by @trivikr in #5258
test: fix flaky permessage-deflate limit timeout by @mcollina in #5229
test: drain request bodies in request tests by @trivikr in #5247
test: reduce retry-after invalid date timing flake by @trivikr in #5250
test: drive request timeout ticks after connect by @trivikr in #5251
test: only fail max-listener checks on max-listener warnings by @trivikr in #5253
test: avoid double-closing server in client-request test by @trivikr in #5255
fix(retry-handler): validate response body length against Content-Range by @mcollina in #4975
test: wait for inflight-and-close body cleanup by @trivikr in #5261
fix(test): make http2-pseudo-headers test order-independent by @mcollina in #5234
fix: preserve fetch multipart body on MockAgent fallback by @mcollina in #5269
ci: build Node FFI fixtures for shared-builtin tests by @trivikr in #5275
test: deflake issue-5137 stream count assertion by @trivikr in #5243
fix: replace finished() with writable lifecycle tracking by @trivikr in #5001
perf(client-h2): reuse request stream handlers by @trivikr in #5280
fix: prevent pipeline body replay on redirect by @mcollina in #5274
fix(types): remove throwOnError from Dispatcher.RequestOptions by @Zelys-DFKH in #5279
fix: validate EOF for chunked h1 responses by @mcollina in #5273
test: deflake parser-issues teardown by @mcollina in #5278
test: make http2-alpn control requests explicit by @trivikr in #5252
test: include cache-test worker metadata on failure by @trivikr in #5276
test: include after in parser-issues by @trivikr in #5284
cache formdata boundary by @KhafraDev in #5292
build(deps-dev): bump fast-check from 4.7.0 to 4.8.0 by @dependabot[bot] in #5298
test: retry crashed cache-test workers once by @trivikr in #5294
Add Node 26 to the matrix by @mcollina in #5271
perf(client-h2): reuse request upgrade stream handlers by @trivikr in #5293
build(deps-dev): bump jest from 30.3.0 to 30.4.2 by @dependabot[bot] in #5297
build(deps): bump uWebSockets.js from v20.66.0 to v20.67.0 in /benchmarks by @dependabot[bot] in #5299
test: fix flaky http2-dispatcher WebSocket upgrade tests by @mcollina in #5304

New Contributors

@Zelys-DFKH made their first contribution in #5279

Full Changelog: nodejs/undici@v8.2.0...v8.3.0

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

Branch creation
- "after 2am and before 3am"
Automerge
- "after 1am and before 2am"

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

codecov · 2026-04-25T02:59:54Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.91%. Comparing base (9dc2425) to head (5656c32).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #132   +/-   ##
=======================================
  Coverage   94.91%   94.91%           
=======================================
  Files           8        8           
  Lines         786      786           
  Branches      320      320           
=======================================
  Hits          746      746           
  Misses         35       35           
  Partials        5        5

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

renovate Bot force-pushed the renovate/all-minor-patch branch 9 times, most recently from 9ea05b7 to 7139641 Compare May 1, 2026 23:25

renovate Bot force-pushed the renovate/all-minor-patch branch 12 times, most recently from 35d1022 to 8bda383 Compare May 8, 2026 22:41

renovate Bot force-pushed the renovate/all-minor-patch branch 8 times, most recently from b54d53e to 3bb6d44 Compare May 12, 2026 19:46

renovate Bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from af33f3b to 50ab5ce Compare May 15, 2026 10:26

chore(deps): update all non-major dependencies

5656c32

renovate Bot force-pushed the renovate/all-minor-patch branch from 50ab5ce to 5656c32 Compare May 15, 2026 18:35

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update all non-major dependencies#132

chore(deps): update all non-major dependencies#132
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

renovate Bot commented Apr 25, 2026 •

edited

Loading

Uh oh!

codecov Bot commented Apr 25, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Apr 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

⚠️ Security Release

What's Changed

What's Changed

🐞 Bug Fixes

🏎 Performance

⚠️ Security Release

What's Changed

New Contributors

🏡 Chore

❤️ Contributors

🚀 Enhancements

🩹 Fixes

💅 Refactors

🏡 Chore

❤️ Contributors

🐛 Bug Fixes

🚀 Features

🚀 Features

🚀 Features

🐛 Bug Fixes

📚 Documentation

🚀 Features

🐛 Bug Fixes

v10.33.4: pnpm 10.33.4

Patch Changes

Platinum Sponsors

Gold Sponsors

v10.33.1: pnpm 10.33.1

Patch Changes

Platinum Sponsors

Gold Sponsors

Features

Bug Fixes

Documentation

Chores

What's Changed

New Contributors

Configuration

Uh oh!

codecov Bot commented Apr 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Apr 25, 2026 •

edited

Loading

`v10.33.4`: pnpm 10.33.4

`v10.33.1`: pnpm 10.33.1

codecov Bot commented Apr 25, 2026 •

edited

Loading