chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@effect/cli (source)	0.75.0 → 0.75.1
@effect/language-service	^0.84.0 → ^0.86.0
@effect/platform (source)	^0.94.5 → ^0.94.5 || ^0.96.0
@effect/platform (source)	0.96.0 → 0.96.1
@tanstack/react-query (source)	5.96.2 → 5.100.10
@types/node (source)	22.19.17 → 22.19.19
ajv (source)	8.18.0 → 8.20.0
autoprefixer	10.4.27 → 10.5.0
effect (source)	3.21.0 → 3.21.2
fs-extra	11.3.4 → 11.3.5
nanoid	5.1.7 → 5.1.11
playwright (source)	1.59.1 → 1.60.0
pnpm (source)	10.33.0 → 10.33.4
postcss (source)	8.5.8 → 8.5.14
react-hook-form (source)	7.72.1 → 7.75.0
safe-regex2	5.1.0 → 5.1.1
turbo (source)	2.9.3 → 2.9.12
yaml (source)	2.8.3 → 2.9.0

---

Release Notes

Effect-TS/effect (@​effect/cli)

v0.75.1

Compare Source

Patch Changes

• #​6144 ec5c505 Thanks @​LikiosSedo! - Fix --log-level=value equals syntax incorrectly swallowing the next argument. Only skip the next arg when the previous arg is exactly --log-level (space-separated form).

• Updated dependencies [f99048e]:

  • effect@​3.21.1

Effect-TS/language-service (@​effect/language-service)

v0.86.1

Compare Source

Patch Changes

• #​732 0674371 Thanks @​mattiamanzati! - Update the Effect v4 test harness and language service development dependencies to Effect 4.0.0 beta 66, including fixture updates for the latest Context service API.

v0.86.0

Compare Source

Minor Changes

• #​728 a5b0e47 Thanks @​mattiamanzati! - Add the unsafeEffectTypeAssertion diagnostic to catch as Effect<...>, as Stream<...>, and as Layer<...> assertions that unsafely narrow the error or requirements channels.

  The rule skips channels whose original type is any and offers a quick fix that removes the assertion while preserving the original expression.

v0.85.1

Compare Source

Patch Changes

• #​726 fd4a8da Thanks @​mattiamanzati! - Update the Effect v4 beta examples and type parsing to match the renamed Context APIs in the latest 4.0.0-beta releases.

• #​724 14d5798 Thanks @​mattiamanzati! - Refactor Effect context tracking to use cached node context flags and direct generator lookups.

  This aligns the TypeScript implementation more closely with the TSGo version and simplifies diagnostics that need to detect whether code is inside an Effect generator.

v0.85.0

Compare Source

Minor Changes

• #​720 4229bb9 Thanks @​mattiamanzati! - Add the nestedEffectGenYield diagnostic to detect yield* Effect.gen(...) inside an existing Effect generator context.

  Example:

  Effect.gen(function* () {
    yield* Effect.gen(function* () {
      yield* Effect.succeed(1);
    });
  });

• #​723 da9cc4b Thanks @​mattiamanzati! - Add the effectMapFlatten style diagnostic for Effect.map(...) immediately followed by Effect.flatten in pipe flows.

  Example:

  import { Effect } from "effect";
  
  const program = Effect.succeed(1).pipe(
    Effect.map((n) => Effect.succeed(n + 1)),
    Effect.flatten
  );

• #​718 0af7c0f Thanks @​mattiamanzati! - Add the lazyPromiseInEffectSync diagnostic to catch Effect.sync(() => Promise...) patterns and suggest using Effect.promise or Effect.tryPromise for async work.

  Example:

  Effect.sync(() => Promise.resolve(1));

• #​714 32985b2 Thanks @​mattiamanzati! - Add processEnv and processEnvInEffect diagnostics to guide process.env.* reads toward Effect Config APIs.

  Examples:

  • process.env.PORT
  • process.env["API_KEY"]

• #​721 f05ae89 Thanks @​mattiamanzati! - Add the unnecessaryArrowBlock style diagnostic for arrow functions whose block body only returns an expression.

  Example:

  const trim = (value: string) => {
    return value.trim();
  };

• #​717 b77848a Thanks @​mattiamanzati! - Add newPromise and asyncFunction effect-native diagnostics to report manual Promise construction and async function declarations, with guidance toward Effect-based async control flow.

• #​722 6f19858 Thanks @​mattiamanzati! - Add the effectDoNotation style diagnostic for Effect.Do usage and suggest migrating to Effect.gen or Effect.fn.

  Example:

  import { pipe } from "effect/Function";
  import { Effect } from "effect";
  
  const program = pipe(
    Effect.Do,
    Effect.bind("a", () => Effect.succeed(1)),
    Effect.let("b", ({ a }) => a + 1)
  );

• #​716 c3f67b0 Thanks @​mattiamanzati! - Add cryptoRandomUUID and cryptoRandomUUIDInEffect diagnostics for Effect v4 to discourage crypto.randomUUID() in favor of the Effect Random module, which uses Effect-injected randomness instead of the global crypto implementation.

Patch Changes

• #​719 d23980a Thanks @​mattiamanzati! - Update the Effect v4 beta dependencies to 4.0.0-beta.43 for the language service and v4 harness packages.

Effect-TS/effect (@​effect/platform)

v0.96.1

Compare Source

Patch Changes

• #​6147 518d0e3 Thanks @​syhstanley! - Fix HttpLayerRouter.addHttpApi silently skipping API-level middleware.

• #​6191 c016642 Thanks @​IGassmann! - Update msgpackr to 1.11.10 to fix silent decode failures in environments that block new Function() at runtime (e.g. Cloudflare Workers). The new version wraps the JIT new Function() call in a try/catch, falling back to the interpreted path when dynamic code evaluation is blocked.

• Updated dependencies [74f3267]:

  • effect@​3.21.2

v0.96.0

Compare Source

Patch Changes

• Updated dependencies [f7bb09b, bd7552a, ad1a7eb, 0d32048, 0d32048]:
  • effect@​3.21.0

v0.95.0

Compare Source

Patch Changes

• Updated dependencies [fc82e81, 82996bc, 4d97a61, f6b0960, 8798a84]:
  • effect@​3.20.0

TanStack/query (@​tanstack/react-query)

v5.100.10

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.10

v5.100.9

Compare Source

Patch Changes

• Updated dependencies [fcee7bd]:
  • @​tanstack/query-core@​5.100.9

v5.100.8

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.8

v5.100.7

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.7

v5.100.6

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.6

v5.100.5

Compare Source

Patch Changes

• Updated dependencies [a53ef97]:
  • @​tanstack/query-core@​5.100.5

v5.100.4

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.4

v5.100.3

Compare Source

Patch Changes

• fix(suspense): skip calling combine when queries would suspend (#​10576)

• Updated dependencies [f85d825]:

  • @​tanstack/query-core@​5.100.3

v5.100.2

Patch Changes

• Updated dependencies [ea4497e, d6a7bf3, 645d5d1]:
  • @​tanstack/query-core@​5.100.2

v5.100.1

Patch Changes

• Updated dependencies [1bb0d23]:
  • @​tanstack/query-core@​5.100.1

v5.100.0

Compare Source

Patch Changes

• Updated dependencies [6540a41]:
  • @​tanstack/query-core@​5.100.0

v5.99.2

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.99.2

v5.99.1

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.99.1

v5.99.0

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.99.0

v5.98.0

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.98.0

v5.97.0

Compare Source

Patch Changes

• Updated dependencies [2bfb12c]:
  • @​tanstack/query-core@​5.97.0

ajv-validator/ajv (ajv)

v8.20.0

Compare Source

What's Changed

• fix: add support for node 22/24, drop node 16/21 by @​jasoniangreen in #​2580
• fix: add ES2022.RegExp for RegExpIndicesArray by @​SignpostMarv in #​2604

Full Changelog: ajv-validator/ajv@v8.19.0...v8.20.0

postcss/autoprefixer (autoprefixer)

v10.5.0

Compare Source

• Added mask-position-x and mask-position-y support (by @​toporek).

Effect-TS/effect (effect)

v3.21.2

Compare Source

Patch Changes

• #​6194 74f3267 Thanks @​mikearnaldi! - Fix TestClock.unsafeCurrentTimeNanos() to floor fractional millisecond instants before converting them to BigInt.

v3.21.1

Compare Source

Patch Changes

• #​6139 f99048e Thanks @​marbemac! - Fix batched request resolver defects causing consumer fibers to hang forever.

  When a RequestResolver.makeBatched resolver died with a defect, the request Deferreds were never completed because the cleanup logic in invokeWithInterrupt used flatMap (which only runs on success). Changed to ensuring so uncompleted request entries are always resolved regardless of exit type.

jprichardson/node-fs-extra (fs-extra)

v11.3.5

Compare Source

• Fix ensureLink*/ensureSymlink* identical file detection on Windows (#​1068)
• Fix error handling in timestamp preservation code (#​1065, #​1069)
• Fix potential file descriptor leak on error in synchronous timestamp preservation code (#​1066)

ai/nanoid (nanoid)

v5.1.11

Compare Source

• Fixed breaking Nano ID by requesting big ID.

v5.1.10

Compare Source

• Fixed breaking Nano ID by requesting big ID (by @​alanzabihi).

v5.1.9

Compare Source

• Fixed npm package size regression.

v5.1.8

Compare Source

• Made cusatomAlphabet 75% faster (by @​saripovdenis).

microsoft/playwright (playwright)

v1.60.0

Compare Source

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});

await page.locator('#dropzone').drop({
  data: {
    'text/plain': 'hello world',
    'text/uri-list': 'https://example.com',
  },
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

• Event browser.on('context') — fired when a new context is created on the browser.
• BrowserContext now mirrors lifecycle events from its pages: browserContext.on('download'), browserContext.on('frameattached'), browserContext.on('framedetached'), browserContext.on('framenavigated'), browserContext.on('pageclose'), browserContext.on('pageload').

Locators and Assertions

• New option description in page.getByRole() / locator.getByRole() / frame.getByRole() / frameLocator.getByRole() for matching the accessible description.
• New option pseudo in expect(locator).toHaveCSS() reads computed styles from ::before or ::after.
• New option style in locator.highlight() applies extra inline CSS to the highlight overlay, plus new page.hideHighlight() to clear all highlights.

Network

• webSocketRoute.protocols() returns the WebSocket subprotocols requested by the page.
• New option noDefaults in browserType.connectOverCDP() disables Playwright's default overrides on the default context (download behavior, focus emulation, media emulation), so attaching to a user's daily-driver browser doesn't disturb its state.

Errors and Reporting

• New webError.location() mirrors consoleMessage.location().
• consoleMessage.location() now exposes line / column properties (lineNumber / columnNumber are deprecated).
• New testInfoError.errorContext surfaces additional diagnostic context, such as the aria snapshot of the receiver at the time of an expect(...) matcher failure.
• reporter.onError() now receives a workerInfo argument with details about the worker for fixture teardown errors.

Test runner

• New {testFileBaseName} token in testProject.snapshotPathTemplate — file name without extension.
• Test runner now errors when a config tries to override a non-option fixture, and rejects workers: 0 or negative values.

🛠️ Other improvements

• HTML reporter:
  • npx playwright show-report accepts .zip files directly — no need to unzip first.
  • Steps that contain attachments inside nested children show an indicator on the parent step.
  • The repeatEachIndex is shown in the test header when non-zero.
• Trace Viewer adds a pretty-print toggle for JSON / form request and response bodies in the network details panel.

Breaking Changes ⚠️

• Removed long-deprecated APIs:
  • Locator.ariaRef() — use the standard locator.ariaSnapshot() pipeline.
  • handle option on BrowserContext.exposeBinding and Page.exposeBinding.
  • logger option on BrowserType.connect and BrowserType.connectOverCDP — use tracing instead.
  • Context options videosPath / videoSize — use recordVideo instead.

Browser Versions

• Chromium 148.0.7778.96
• Mozilla Firefox 150.0.2
• WebKit 26.4

This version was also tested against the following stable channels:

• Google Chrome 147
• Microsoft Edge 147

pnpm/pnpm (pnpm)

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

• Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

  A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

• Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Gold Sponsors

v10.33.3

Compare Source

v10.33.2

Compare Source

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes

• When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.

Platinum Sponsors

Gold Sponsors

postcss/postcss (postcss)

v8.5.14

Compare Source

• Fixed custom syntax regression (by @​43081j).

v8.5.13

Compare Source

• Fixed postcss-scss commend regression.

v8.5.12

Compare Source

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

v8.5.11

Compare Source

• Fixed nested brackets parsing performance (by @​offset).

v8.5.10

Compare Source

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

v8.5.9

Compare Source

• Speed up source map encoding paring in case of the error.

react-hook-form/react-hook-form (react-hook-form)

v7.75.0: Version 7.75.0

Compare Source

🦧 feat: improve get dirty fields prune empty fields (#​13363)

+ dirtyFields: { test: [{ data: false }] }
- dirtyFields: {} // removed the empty node with false value

🎹 typescript 6.0 (#​13330)
🌡️ chore: minor improvement on setValue & reset (#​13366)
🐞 fix #​13403: include setValues in FormProvider context value (#​13404)
🐞 fix: recompute isDirty after re-registering a previously unregistered field (#​13399)
🐞 fix: preserve watch updates on field array unmount fixes #​13375 (#​13385)
🐞 fix: prevent useWatch re-render when unrelated field validation is … (#​13398)

thanks to @​dfedoryshchev, @​cyky & @​gkarabelos

v7.74.0: Version 7.74.0

Compare Source

🪇 feat: setValues (#​13201)

setValues((data) => {
  return {
    ...data,
    name: 'test'
  }
})

setValues(formValues);

🐞 fix: preserve previous field value when useController name changes (#​13395)
🐞 fix: handle null parent when unregistering nested field (#​13396)
🐞 fix: treat NaN as empty when valueAsNumber is true in validateField (#​13388)
🪢 fix build to exclude test files (#​13387)

thanks to @​Yihao-G & @​mixelburg

v7.73.1

Compare Source

fastify/safe-regex2 (safe-regex2)

v5.1.1

Compare Source

What's Changed

• build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @​dependabot[bot] in #​72
• build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in #​74
• ci: add lock-threads workflow by @​Fdawgs in #​75
• fix: detect alternation inside REPETITION groups by @​deepview-autofix in #​76

New Contributors

• @​deepview-autofix made their first contribution in #​76

Full Changelog: fastify/safe-regex2@v5.1.0...v5.1.1

vercel/turborepo (turbo)

v2.9.12: Turborepo v2.9.12

Compare Source

What's Changed

Changelog

• release(turborepo): 2.9.11 by @​github-actions[bot] in #​12771
• fix: Allow transit nodes in LSP diagnostics by @​anthonyshew in #​12773

Full Changelog: vercel/turborepo@v2.9.11...v2.9.12

v2.9.11: Turborepo v2.9.11

Compare Source

What's Changed

Changelog

• release(turborepo): 2.9.10 by @​github-actions[bot] in #​12745
• ci: Publish VS Code extension on release by @​anthonyshew in [#​12747](https

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
sdk-harmony	Ready	Preview, Comment	May 12, 2026 4:12pm

[changeset-bot]

⚠️ No Changeset found

Latest commit: d9a91c5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	effect@​3.21.0 ⏵ 3.21.2
	nanoid@​5.1.7 ⏵ 5.1.11	+1
	playwright@​1.59.1 ⏵ 1.60.0				+1	-19
	@​types/​node@​22.19.17 ⏵ 22.19.19	+1		+1
	postcss@​8.5.14
	@​tanstack/​react-query@​5.96.2 ⏵ 5.100.10	+1		+1	+1
	autoprefixer@​10.4.27 ⏵ 10.5.0	+1
	ajv@​8.18.0 ⏵ 8.20.0	+1
	safe-regex2@​5.1.0 ⏵ 5.1.1	+1		+1
	fs-extra@​11.3.4 ⏵ 11.3.5	+1
	react-hook-form@​7.72.1 ⏵ 7.75.0	+1		+1
	@​effect/​language-service@​0.84.3 ⏵ 0.86.1			+1	+2
	@​effect/​platform@​0.96.0 ⏵ 0.96.1
	@​effect/​cli@​0.75.0 ⏵ 0.75.1				+2

View full report

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report