chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@arethetypeswrong/core (source)	^0.18.3 → ^0.18.4			pnpm.catalog.default	patch
@tanstack/query-core (source)	^5.101.0 → ^5.101.1			pnpm.catalog.default	patch
@vitejs/plugin-react (source)	^6.0.2 → ^6.0.3			pnpm.catalog.default	patch
eslint-plugin-import-x	^4.16.2 → ^4.17.0			pnpm.catalog.default	minor
globals	^17.6.0 → ^17.7.0			pnpm.catalog.default	minor
nx (source)	23.0.0 → 23.0.1			pnpm.catalog.default	patch
pnpm (source)	11.8.0 → 11.9.0			packageManager	minor
pnpm (source)	>=11.0.0 → >=11.9.0			engines	minor
semver	^7.8.4 → ^7.8.5			pnpm.catalog.default	patch
sherif	^1.11.1 → ^1.12.0			pnpm.catalog.default	minor
typescript-eslint (source)	^8.61.1 → ^8.62.0			pnpm.catalog.default	minor
vite (source)	^8.0.16 → ^8.1.0			pnpm.catalog.default	minor
zizmorcore/zizmor-action	v0.5.6 → v0.5.7			action	patch

---

Release Notes

arethetypeswrong/arethetypeswrong.github.io (@​arethetypeswrong/core)

v0.18.4

Patch Changes

• 644fab1: Skip package export subpaths with no real target when discovering entrypoints.

TanStack/query (@​tanstack/query-core)

v5.101.1

Compare Source

Patch Changes

• #​10610 9eff92e - fix missing dataUpdatedAt for streamed queries that resolve before hydration

vitejs/vite-plugin-react (@​vitejs/plugin-react)

v6.0.3

Compare Source

un-ts/eslint-plugin-import-x (eslint-plugin-import-x)

v4.17.0

Compare Source

Minor Changes

• #​474 4b2c0c5 Thanks @​regseb! - Support RegExp in the import-x/ignore setting and the ignore option of the no-unresolved rule.

Patch Changes

• #​494 1c84235 Thanks @​morgan-coded! - Fixed no-unresolved crashing when case-sensitive path checks encounter EACCES or EPERM on an ancestor directory.

• #​481 3e13121 Thanks @​B4nan! - fix: memoize legacyNodeResolve resolver to avoid native memory leak

• #​484 9a07009 Thanks @​sairus2k! - Make the extensions rule check Node.js subpath imports (specifiers starting with #, e.g. #utils/helper). Previously parsePath treated a leading # as a URL hash fragment, so the rule skipped extension validation for these imports.

  Note: single-segment subpath imports without a slash (e.g. #dep) are still skipped by the existing external-root-module classification; fixing that is deferred to avoid expanding scope.

• #​468 240ed58 Thanks @​silverwind! - Make extensions handle .d.ts correctly

• #​479 e3cc7e4 Thanks @​mrginglymus! - fix: strip querystrings and hash fragments when checking for file existence

• #​476 fce29b1 Thanks @​nbouvrette! - fix(deps): replace @​package-json/types with an inline minimal type

sindresorhus/globals (globals)

v17.7.0

Compare Source

nrwl/nx (nx)

v23.0.1

Compare Source

23.0.1 (2026-06-23)

🚀 Features

• nx-cloud: add utm tracking to clickable cloud prompt links (#​36028)

🩹 Fixes

• angular: resolve esbuild option paths relative to the workspace root (#​36017, #​35936)
• angular-rspack: surface compilation failures as build errors and release resources on teardown (#​36018)
• bundling: restore preprocessor extensions in postcss normalizeOp… (#​36057, #​35854)
• core: avoid tsconfig path false positives for sibling project roots (#​35796, #​35795, #​35786)
• core: do not write minimumReleaseAgeExclude during nx migrate (#​36045)
• core: do not crash nx migrate on non-semver dependency specifiers (#​36051)
• core: format AI-edited files after agentic migrations (#​36064)
• misc: bump happy-dom, tmp, and form-data to patched versions (#​36013)
• nx-dev: keep mobile sidebar toggle clear of the conference banner (#​36047)
• nx-dev: run next-sitemap directly instead of via pnpm (#​36054)
• ⚠️ release: stop breaking change changelog entry from swallowing trailing PR body (#​36052, #​35910, #​33070)
• vitest: apply mode-based config consistently in the test executor (#​36041, #​35196)

❤️ Thank You

• Alex Croteau @​cw-alexcroteau
• Jack Hsu @​jaysoo
• Jason Jean @​FrozenPandaz
• Leosvel Pérez Espinosa @​leosvelperez
• Marwan Johnstone

pnpm/pnpm (pnpm)

v11.9.0

Compare Source

npm/node-semver (semver)

v7.8.5

Compare Source

Bug Fixes

• 9c8692a #​878 include prereleases in tilde range lower bound with includePrerelease (#​878) (@​chatman-media)

QuiiBz/sherif (sherif)

v1.12.0

Compare Source

What's Changed

• chore(ci): setup trusted publishing by @​QuiiBz in #​154
• feat: support devEngines for root-package-manager-field rule by @​MasterLambaster in #​156

New Contributors

• @​MasterLambaster made their first contribution in #​156

Full Changelog: QuiiBz/sherif@v1...v1.12.0

typescript-eslint/typescript-eslint (typescript-eslint)

v8.62.0

Compare Source

🚀 Features

• remove redundant package.json "files" (#​12444)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitejs/vite (vite)

v8.1.0

Compare Source

Features

• extend server.fs.deny list with common files (#​22707) (61ba8fd)
• update rolldown to 1.1.2 (#​22695) (4f008a6)
• use ~ for Rolldown (#​22693) (9928722)

Bug Fixes

• bundled-dev: errors should be kept when incremental build fails (#​22617) (9a0dd48)
• cache falsy values in perEnvironmentState (#​22715) (0e91e79)
• glob: respect caseSensitive option in hmr matcher (#​22711) (65f525e)
• html: omit nonce on import map when cspNonce is unset (#​22713) (8340bb5)
• optimizer: skip null-valued exports in expandGlobIds glob resolution (#​22611) (8b9f5cd)
• resolved build options should be kept as a getter (#​22691) (3527191)
• server: handle malformed URI in memory files middleware (#​22714) (df9e0a5)
• use literal envPrefix queries for Vite Task (#​22706) (da72733)
• warn on deprecated envFile (#​22555) (ed7b283)

Code Refactoring

• client: inline dev-id value in CSS selector (#​22736) (57f59bc)
• remove unused removeRawQuery util (#​22724) (403cc60)
• use rolldownOptions property for chunkImportMap (#​22692) (8e8816c)

zizmorcore/zizmor-action (zizmorcore/zizmor-action)

v0.5.7

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bb901038-7ddd-4262-a47f-8fa302e54541

📥 Commits

Reviewing files that changed from the base of the PR and between 99cb359 and 7131054.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (3)

• .github/workflows/zizmor.yml
• package.json
• pnpm-workspace.yaml

✅ Files skipped from review due to trivial changes (2)

• package.json
• pnpm-workspace.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/zizmor.yml

---

📝 Walkthrough

Walkthrough

Three non-major dependency version bumps: the zizmorcore/zizmor-action CI step is re-pinned to v0.5.7, pnpm is updated to 11.9.0 with engines.pnpm raised to >=11.9.0, and the workspace catalog updates ten development dependencies including @arethetypeswrong/core, @tanstack/query-core, @vitejs/plugin-react, eslint-plugin-import-x, globals, nx, semver, sherif, typescript-eslint, and vite.

Changes

Non-major dependency updates

Layer / File(s)	Summary
CI action and pnpm engine constraints .github/workflows/zizmor.yml, package.json	Re-pins zizmorcore/zizmor-action to v0.5.7 and updates pnpm to 11.9.0, raising engines.pnpm from >=11.0.0 to >=11.9.0.
Workspace catalog version updates pnpm-workspace.yaml	Bumps ten catalog dependencies including @arethetypeswrong/core, @tanstack/query-core, @vitejs/plugin-react, eslint-plugin-import-x, globals, nx, semver, sherif, typescript-eslint, and vite.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related issues

• TanStack/form-v2#3: Directly updates .github/workflows/zizmor.yml to use zizmorcore/zizmor-action@v0.5.7, matching the same dependency dashboard entry.
• Dependency Dashboard workflow#11: Implements the same family of dependency updates tracked in the Renovate dashboard for zizmor-action, pnpm, and catalog packages.

Possibly related PRs

• TanStack/config#390: Also modifies .github/workflows/zizmor.yml, package.json, and pnpm-workspace.yaml for coordinated dependency updates.
• TanStack/config#391: Also modifies package.json to enforce a pnpm engines constraint.

Poem

🐇 Hop, hop, versions leap and bound!
From v0.5.6 to v0.5.7 we've found,
pnpm now needs eleven-point-nine,
Ten catalog deps updated so fine.
A bunny keeps dependencies aligned! 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description includes a comprehensive table of updated packages with versions, links, and release notes, but omits required template sections like 'Changes' narrative and 'Release Impact' checkbox.	Add narrative description under '🎯 Changes' section and check the appropriate '🚀 Release Impact' checkbox to indicate whether this requires a changeset.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change—updating non-major dependencies across multiple packages as described in the PR objectives.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/all-minor-patch

---

_{Comment @coderabbitai help to get the list of available commands.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	nx@​23.0.1
	@​tanstack/​query-core@​5.101.1
	typescript-eslint@​8.62.0
	@​arethetypeswrong/​core@​0.18.4
	vite@​8.1.0
	globals@​17.7.0
	eslint-plugin-import-x@​4.17.0
	sherif@​1.12.0
	@​vitejs/​plugin-react@​6.0.3

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/tsdown@0.22.3 → npm/eslint-plugin-import-x@4.17.0 → npm/vite@8.1.0 → npm/nx@23.0.1 → npm/@emnapi/runtime@1.11.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/typescript-eslint@8.62.0 → npm/@typescript-eslint/eslint-plugin@8.62.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.62.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm nx is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/nx@23.0.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/nx@23.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report