chore(deps): update dependencies

[antfu]

Summary

Bumps every entry in the workspace catalogs to its latest version (8 majors, 38 minors, 23 patches) and pnpm to 11.4.0. Applies the migrations that those bumps required:

• @unhead/schema v2 → v3: the MetaFlatInput type was renamed to MetaFlat; updated the two client files that referenced it.
• nuxt@4.4.6 + satisfies Partial<ServerFunctions>: Nuxt's auto-generated modules.d.ts now declares unocss as required (O | false) on nuxt/schema.NuxtOptions, while nuxt.options still resolves to @nuxt/schema.NuxtOptions where it's optional. Added an explicit NuxtOptions return-type cast on getServerConfig() to bridge the two.
• @vueuse/core@14.3 now exports onKeyDown: renamed the colliding local handler in CommandPalette.vue to handleKeyDown so nuxt-eslint-auto-explicit-import@0.2 doesn't try to auto-import the composable into the template.
• @antfu/eslint-config@9 reordered the perfectionist/sort-imports groups so external modules now come before #imports/#app aliases — applied via eslint --fix across ~50 client files.

Created with the help of an agent.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​unhead/​schema@​3.1.1
	@​unocss/​preset-uno@​66.7.0
	@​unocss/​eslint-config@​66.7.0
	fast-npm-meta@​1.4.2 ⏵ 2.0.0	+1		+1
	@​vue/​devtools-applet@​8.1.2
	@​unocss/​nuxt@​66.7.0
	@​unocss/​preset-attributify@​66.7.0
	@​unocss/​preset-icons@​66.7.0
	@​unocss/​core@​66.7.0
	@​unocss/​reset@​66.7.0
	@​vue/​devtools-core@​8.1.2
	@​vitest/​ui@​4.1.7
	@​vue/​devtools-kit@​8.1.2
	@​vueuse/​core@​14.2.1 ⏵ 14.3.0	+1		+1
	@​iconify-json/​simple-icons@​1.2.84
	@​unocss/​preset-mini@​66.7.0
	@​unocss/​runtime@​66.7.0
	@​nuxt/​test-utils@​4.0.3
	@​iconify-json/​carbon@​1.2.22
	@​iconify-json/​tabler@​1.2.35
	@​types/​node@​25.9.1
	bumpp@​11.1.0
	@​vueuse/​nuxt@​14.2.1 ⏵ 14.3.0	+1		+1
	cypress@​15.16.0
	@​vueuse/​integrations@​14.3.0
	eslint-plugin-antfu@​3.2.3
	@​antfu/​ni@​30.1.0
	eslint-flat-config-utils@​3.2.0
	eslint@​10.4.0
	focus-trap@​8.2.1
	@​antfu/​eslint-config@​9.0.0
	@​nuxt/​schema@​4.4.2 ⏵ 4.4.6
	@​nuxt/​kit@​4.4.6
See 1 more rows in the dashboard

View full report

[cloudflare-workers-and-pages]

Deploying nuxt-devtools with    Cloudflare Pages

Latest commit:	7308210
Status:	✅  Deploy successful!
Preview URL:	https://c672d28a.nuxt-devtools.pages.dev
Branch Preview URL:	https://antfu-update-deps.nuxt-devtools.pages.dev

View logs

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9623d542-88eb-4eac-9e03-332a9485543e

📥 Commits

Reviewing files that changed from the base of the PR and between 8d1c4c9 and 7308210.

📒 Files selected for processing (1)

• playgrounds/tab-pinia/nuxt.config.ts

---

📝 Walkthrough

Walkthrough

This PR standardizes import ordering across the entire devtools client codebase (50+ files), updates type annotations from Unhead's deprecated MetaFlatInput to MetaFlat, adds explicit NuxtOptions type casting in the server RPC configuration, renames a keyboard event handler in CommandPalette, and updates pnpm and workspace dependencies. The changes enforce consistent import grouping patterns (external libraries → Vue/VueUse utilities → Nuxt composables) across components, composables, pages, and plugins. Workspace catalogs receive broad version bumps for Nuxt, Vite, UnoCSS, TypeScript, and related tooling libraries.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore(deps): update dependencies' clearly and directly summarizes the main change: a dependency version update across the workspace.
Description check	✅ Passed	The description provides comprehensive context about the dependency updates, migrations required, and specific changes made for different package versions, all directly relevant to the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch antfu/update-deps

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

playgrounds/tab-pinia/nuxt.config.ts

ESLint skipped: missing config or dependency (missing-dependency). The ESLint configuration references a package that is not available in the sandbox.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

packages/devtools/src/server-rpc/general.ts (1)

87-89: 💤 Low value

Document the intentional double cast.

nuxt.options as unknown as NuxtOptions fully bypasses type checking on the return value. Per the migration, this bridges the discrepancy between nuxt/schema.NuxtOptions (where unocss is required) and the @nuxt/schema.NuxtOptions that nuxt.options resolves to. A brief inline comment will prevent a future reader from "simplifying" this cast and reintroducing the type error.

📝 Suggested clarifying comment

-    getServerConfig(): NuxtOptions {
-      return nuxt.options as unknown as NuxtOptions
+    getServerConfig(): NuxtOptions {
+      // `nuxt.options` resolves to `@nuxt/schema.NuxtOptions` (unocss optional) while the
+      // return type uses nuxt/schema.NuxtOptions (unocss required); cast bridges the mismatch.
+      return nuxt.options as unknown as NuxtOptions
     },

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/devtools/src/server-rpc/general.ts` around lines 87 - 89, Add a
brief inline comment above the double-cast in getServerConfig() explaining why
the code uses "nuxt.options as unknown as NuxtOptions" intentionally: it bridges
the schema mismatch between nuxt/schema.NuxtOptions (which requires unocss) and
the `@nuxt/schema` type returned by nuxt.options, and prevents future maintainers
from removing the cast; keep the cast as-is and ensure the comment references
both schema types and "unocss" so the intent is clear.

packages/devtools/client/components/OpenGraphMissingTabs.vue (1)

2-2: 💤 Low value

Avoid deprecated @unhead/schema import

MetaFlat rename is correct, but @unhead/schema is deprecated and now only re-exports unhead/types, so update the import in packages/devtools/client/components/OpenGraphMissingTabs.vue (line 2) to avoid relying on the deprecated alias.

♻️ Suggested import update

-import type { MetaFlat } from '`@unhead/schema`'
+import type { MetaFlat } from 'unhead/types'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/devtools/client/components/OpenGraphMissingTabs.vue` at line 2, The
import uses the deprecated alias '`@unhead/schema`' for the MetaFlat type; update
the import in OpenGraphMissingTabs.vue to import the type directly from
'unhead/types' (replace "import type { MetaFlat } from '`@unhead/schema`'" with
"import type { MetaFlat } from 'unhead/types'"), then run typechecking/TS build
to ensure no other references need adjusting; target the MetaFlat type usage in
this component when applying the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/package.json`:
- Line 4: Update the package manager declaration and workspace configs to
account for pnpm@11.4.0 stricter rules: ensure the "packageManager" field
(packageManager) is intentional, regenerate or validate the lockfile and
integrity metadata so lockfile entries include integrity checksums, audit any
auth/registry settings so unscoped credentials aren't leaked, convert git
resolutions to include SHA commits, validate patch files and dependency aliases
for directory traversal, and confirm runtime settings/workspace config
(devEngines.runtime vs engines.runtime) are set appropriately to avoid
install/read-time failures under pnpm@11.4.0.

---

Nitpick comments:
In `@packages/devtools/client/components/OpenGraphMissingTabs.vue`:
- Line 2: The import uses the deprecated alias '`@unhead/schema`' for the MetaFlat
type; update the import in OpenGraphMissingTabs.vue to import the type directly
from 'unhead/types' (replace "import type { MetaFlat } from '`@unhead/schema`'"
with "import type { MetaFlat } from 'unhead/types'"), then run typechecking/TS
build to ensure no other references need adjusting; target the MetaFlat type
usage in this component when applying the change.

In `@packages/devtools/src/server-rpc/general.ts`:
- Around line 87-89: Add a brief inline comment above the double-cast in
getServerConfig() explaining why the code uses "nuxt.options as unknown as
NuxtOptions" intentionally: it bridges the schema mismatch between
nuxt/schema.NuxtOptions (which requires unocss) and the `@nuxt/schema` type
returned by nuxt.options, and prevents future maintainers from removing the
cast; keep the cast as-is and ensure the comment references both schema types
and "unocss" so the intent is clear.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6ea071a9-e6a2-4fe8-9055-7cd3ba3371bf

📥 Commits

Reviewing files that changed from the base of the PR and between b5afa5d and c670c3e.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (56)

• docs/package.json
• package.json
• packages/devtools-ui-kit/src/components/NButton.ts
• packages/devtools/client/app.vue
• packages/devtools/client/components/AssetDetails.vue
• packages/devtools/client/components/AssetDropZone.vue
• packages/devtools/client/components/BuildAnalyzeDetails.vue
• packages/devtools/client/components/CommandPalette.vue
• packages/devtools/client/components/NpmVersionCheck.vue
• packages/devtools/client/components/OpenGraphMissingTabs.vue
• packages/devtools/client/components/RestartDialogs.vue
• packages/devtools/client/components/ServerRouteDetails.vue
• packages/devtools/client/components/SideNavItem.vue
• packages/devtools/client/components/SplitScreen.vue
• packages/devtools/client/components/StorageDetails.vue
• packages/devtools/client/components/TerminalView.vue
• packages/devtools/client/components/docs/timeline.md
• packages/devtools/client/composables/client.ts
• packages/devtools/client/composables/dialog.ts
• packages/devtools/client/composables/editor.ts
• packages/devtools/client/composables/npm.ts
• packages/devtools/client/composables/state-commands.ts
• packages/devtools/client/composables/state-modules.ts
• packages/devtools/client/composables/state-tabs.ts
• packages/devtools/client/composables/state.ts
• packages/devtools/client/composables/utils.ts
• packages/devtools/client/data/open-graph.ts
• packages/devtools/client/pages/index.vue
• packages/devtools/client/pages/modules/analyze-build.vue
• packages/devtools/client/pages/modules/assets.vue
• packages/devtools/client/pages/modules/custom-[name].vue
• packages/devtools/client/pages/modules/error.vue
• packages/devtools/client/pages/modules/hooks.vue
• packages/devtools/client/pages/modules/imports.vue
• packages/devtools/client/pages/modules/modules.vue
• packages/devtools/client/pages/modules/open-graph.vue
• packages/devtools/client/pages/modules/overview.vue
• packages/devtools/client/pages/modules/pages.vue
• packages/devtools/client/pages/modules/payload.vue
• packages/devtools/client/pages/modules/pinia.vue
• packages/devtools/client/pages/modules/plugins.vue
• packages/devtools/client/pages/modules/render-tree.vue
• packages/devtools/client/pages/modules/runtime-configs.vue
• packages/devtools/client/pages/modules/server-discovery.vue
• packages/devtools/client/pages/modules/server-routes.vue
• packages/devtools/client/pages/modules/server-tasks.vue
• packages/devtools/client/pages/modules/timeline.vue
• packages/devtools/client/pages/modules/virtual-files.vue
• packages/devtools/client/pages/settings.vue
• packages/devtools/client/plugins/floating-vue.ts
• packages/devtools/client/plugins/global.ts
• packages/devtools/client/plugins/vue-devtools.ts
• packages/devtools/src/runtime/plugins/devtools.client.ts
• packages/devtools/src/runtime/plugins/view/client.ts
• packages/devtools/src/server-rpc/general.ts
• pnpm-workspace.yaml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Does pnpm version 11.4.0 exist and what are the breaking changes or notable updates in pnpm 11.4.0 compared to 11.1.3?

💡 Result:

Yes, pnpm version 11.4.0 exists and was released on May 27, 2026 [1][2]. Compared to version 11.1.3, pnpm 11.4.0 includes significant security enhancements and feature updates introduced in version 11.4 itself, as well as those accumulated since 11.1.3 (such as updates in 11.2.x and 11.3.x). Key updates and changes in 11.4.0 include: Security Enhancements: - Tarball-integrity mismatches: These are now a hard install failure by default, with a new --update-checksums flag available as a narrowly-scoped opt-in [2]. - Lockfile Integrity: pnpm now rejects lockfile entries that lack integrity metadata at read time [2]. - Credential Scoping: Unscoped credentials no longer leak across registries [2]. - Git Resolutions: The system now rejects non-SHA commit fields for git resolutions [2]. - Patch Files: Patch files attempting to write outside the package directory are now rejected [2]. - Dependency Aliases: Dependency aliases containing path-traversal segments are rejected [2]. Other Notable Updates: - Runtime configuration: The pnpm runtime set command now defaults to writing to devEngines.runtime instead of engines.runtime (use --save-prod or -P to save to engines.runtime) [2]. - Previous versions (11.2.x and 11.3.x): These introduced features such as staged publishing (pnpm stage), native implementations of pnpm pkg, pnpm repo, and pnpm set-script, a --skip-manifest-obfuscation flag for publishing, and a new trustLockfile setting to manage supply-chain verification [3]. For a complete history of changes, you can refer to the official pnpm release notes on GitHub [1][4].

Citations:

• 1: https://github.com/pnpm/pnpm/releases/tag/v11.4.0
• 2: https://pnpm.io/blog/releases/11.4
• 3: https://pnpm.io/blog/releases/11.3
• 4: https://github.com/pnpm/pnpm/releases

---

pnpm@11.4.0 exists; account for stricter integrity/security changes vs 11.1.3

pnpm@11.4.0 is a real release. Compared to 11.1.3, it introduces breaking/behavior changes that can affect installs and workspace config, including:

• Tarball integrity mismatches hard-fail by default (opt-in: --update-checksums)
• Lockfile entries missing integrity metadata are rejected at read time
• Unscoped credentials no longer leak across registries
• Git resolutions require SHA commit fields
• Patch files that write outside the package directory are rejected
• Dependency aliases containing path-traversal segments are rejected
• pnpm runtime set now defaults to devEngines.runtime (instead of engines.runtime)

Ensure the workspace lockfile/auth/patches/git resolutions are compatible with these stricter rules.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/package.json` at line 4, Update the package manager declaration and
workspace configs to account for pnpm@11.4.0 stricter rules: ensure the
"packageManager" field (packageManager) is intentional, regenerate or validate
the lockfile and integrity metadata so lockfile entries include integrity
checksums, audit any auth/registry settings so unscoped credentials aren't
leaked, convert git resolutions to include SHA commits, validate patch files and
dependency aliases for directory traversal, and confirm runtime
settings/workspace config (devEngines.runtime vs engines.runtime) are set
appropriately to avoid install/read-time failures under pnpm@11.4.0.