chore(deps): update all minor dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@antfu/eslint-config	8.2.0 → 8.3.0
@eslint/markdown	8.0.1 → 8.0.2
@slidev/cli (source)	52.14.2 → 52.15.2
@slidev/types (source)	52.14.2 → 52.15.2
@typescript-eslint/eslint-plugin (source)	8.58.2 → 8.60.0
eslint (source)	10.2.1 → 10.4.1
eslint-plugin-vue (source)	10.8.0 → 10.9.1
globals	17.5.0 → 17.6.0
playwright-chromium (source)	1.59.1 → 1.60.0
pnpm (source)	10.33.0 → 10.34.1
typescript-eslint (source)	8.58.2 → 8.60.0

---

Release Notes

antfu/eslint-config (@​antfu/eslint-config)

v8.3.0

Compare Source

   🚀 Features

• Make perfectionist configurable inside antfu()  -  by @​oliver139 in #​848 (ae1d6)
• stylistic: Allow easy setting brace style  -  by @​oliver139 in #​846 (bd784)
• svelte: Use recommended rules  -  by @​Jungzl in #​842 (6c839)

   🐞 Bug Fixes

• markdown: Scope user rule overrides away from md files  -  by @​antfu and Claude Opus 4.7 (1M context) in #​844 (8d25a)

    View changes on GitHub

eslint/markdown (@​eslint/markdown)

v8.0.2

Compare Source

Bug Fixes

• allow InlineConfigComment node to be reported (#​652) (65aaadf)
• update eslint (#​642) (55dc070)
• update eslint (#​644) (d09ea4a)
• update TypeScript to v6 and tighten the return type of getParent (#​637) (2573a54)

slidevjs/slidev (@​slidev/cli)

v52.15.2

Compare Source

   🐞 Bug Fixes

• Remove unsafe exec() in resolver.ts  -  by @​orbisai0security, Claude Opus 4.7 (1M context) and Anthony Fu in #​2585 (cc677)
• Guard slide imports against fs.allow bypass  -  by @​kermanx (7ffc6)
• cli: Preserve output folder during md export  -  by @​cyphercodes, cyphercodes and Hermes Agent in #​2572 (439ba)
• parser: Ignore slide separators inside HTML comments  -  by @​pi-dal, Claude Opus 4.7 (1M context) and Anthony Fu in #​2561 (b31e4)

    View changes on GitHub

v52.15.1

Compare Source

   🐞 Bug Fixes

• Import error on recording.ts  -  by @​toreis-up in #​2574 (de8eb)
• Restore Windows virtual style globs  -  by @​cyphercodes and cyphercodes in #​2573 (ac6e5)
• client: Make drawing stroke-width control click-triggered  -  by @​enieuwy in #​2565 (9b93d)
• create-slidev: Only scaffold pnpm npmrc for pnpm  -  by @​hrithik18k in #​2564 (0e814)
• export: Pass timeout to frame.waitForLoadState()  -  by @​andreas-taranetz and Claude Sonnet 4.6 in #​2578 (36f8a)

    View changes on GitHub

v52.15.0

Compare Source

   🚀 Features

• Introduce named animation presets for v-click  -  by @​DEmmaRL, Diego Rivera and @​kermanx in #​2501 (a8700)
• Add bluesky embed component  -  by @​yuyinws (7abb6)
• Integrate markdown-it-github-alerts  -  by @​yuyinws in #​2547 (ec275)
• OnSlideEnter/Leave after mounted + pass idx  -  by @​maxkurze1 and @​kermanx in #​2540 (9c171)
• Add laser pointer feature  -  by @​hzb666, Claude Opus 4.7 (1M context), @​kermanx and @​antfu in #​2510 (57347)
• build: Add --router-mode flag for build command  -  by @​mvanhorn in #​2548 (df231)
• create-app: Automatically detect and substitute package manager  -  by @​hrithik18k, @​kermanx and @​maxkurze1 in #​2545 (56563)
• skills: Add native Claude Code plugin installation support  -  by @​MasonEgger and @​antfu in #​2523 (dcbd3)

   🐞 Bug Fixes

• No longer generate temporarily index.html on user root  -  by @​kermanx in #​2513 (768d5)
• Styles import order  -  by @​kermanx, Copilot and @​antfu in #​2512 (56ac8)
• Global context should be unrefed in Vue components  -  by @​kermanx (b7958)
• Improve css specificity  -  by @​kermanx (ef7d3)
• Merge themeConfig  -  by @​kermanx (6d828)
• Allow indented code blocks  -  by @​kermanx (55977)
• Katex block  -  by @​kermanx (55c06)
• Add duration metadata to recorded WebM files  -  by @​mvanhorn and Claude Opus 4.7 (1M context) (a60d6)
• Type errors  -  by @​antfu (d1fec)
• Missing import of vclick.css  -  by @​kermanx (eb79e)
• Plant-uml server prop format  -  by @​kermanx (e8f46)
• Vclick.css comment grammar  -  by @​kermanx (814c7)
• Glob base in Rolldown build mode  -  by @​kermanx in #​2538 (055ba)
• Apply scaling to export container  -  by @​maxkurze1 in #​2541 (dc24c)
• Glob import should relative to self id  -  by @​kermanx (29acd)
• Prevent Twoslash poppers from persisting between slides  -  by @​elecmonkey and @​kermanx in #​2292 (c2666)
• create-theme: Support background prop in cover and intro layouts  -  by @​hrithik18k in #​2553 (7002e)
• vscode: transition should not be required, fix #​2532  -  by @​kermanx in #​2532 (cb723)

    View changes on GitHub

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.60.0

Compare Source

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.4

Compare Source

🩹 Fixes

• eslint-plugin: [no-floating-promises] stack overflow when using recursive types (#​12294)

❤️ Thank You

• Evyatar Daud @​StyleShit

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.3

Compare Source

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.2

Compare Source

🩹 Fixes

• eslint-plugin: [no-deprecated] object destructuring values should be treated as declarations (#​12292)
• eslint-plugin: [no-unsafe-type-assertion] handle crash on recursive template literal types (#​12150)

❤️ Thank You

• Dima Barabash
• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.1

Compare Source

🩹 Fixes

• eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#​12241)
• eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#​12220)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#​12278)
• eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#​12269)
• eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#​12257)
• eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#​12246)

❤️ Thank You

• anasm266 @​anasm266
• Anshika Jain @​Anshikakalpana
• Ulrich Stark
• yugo innami @​nami8824

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.0

Compare Source

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#​11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

eslint/eslint (eslint)

v10.4.1

Compare Source

Bug Fixes

• e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#​20930) (Francesco Trotta)
• d4ce898 fix: propagate failures from delegated commands (#​20917) (Minh Vu)
• f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#​20916) (kuldeep kumar)
• c5bc78b fix: false positive for reference in finally block (#​20655) (Tanuj Kanti)
• 27538c0 fix: add missing CodePath and CodePathSegment types (#​20853) (Pixel998)

Documentation

• 61b0add docs: remove deprecated rule from related rules of max-params (#​20921) (Tanuj Kanti)
• 305d5b9 docs: remove deprecated rules from related rules section (#​20911) (Tanuj Kanti)
• 49b0202 docs: fix display: none of ad (#​20901) (Tanuj Kanti)
• 9067f94 docs: switch build to Node.js 24 (#​20893) (Milos Djermanovic)
• c91b041 docs: Update README (GitHub Actions Bot)
• e349265 docs: clarify semver strings in rule deprecation objects (#​20885) (Milos Djermanovic)

Chores

• b0e466b test: add data property to invalid tests cases for rules (#​20924) (Tanuj Kanti)
• f78838b test: add CodePath type coverage (#​20904) (Pixel998)
• 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#​20922) (Francesco Trotta)
• 002942c ci: declare contents:read on update-readme workflow (#​20919) (Arpit Jain)
• 64bca24 chore: update ecosystem plugins (#​20912) (ESLint Bot)
• 6d7c832 chore: ignore fflate updates in renovate (#​20908) (Pixel998)
• b2c8638 ci: bump pnpm/action-setup from 6.0.7 to 6.0.8 (#​20889) (dependabot[bot])
• a9b8d7f chore: increase maxBuffer for ecosystem tests (#​20881) (sethamus)
• b702ead chore: update ecosystem update PR settings (#​20884) (Pixel998)
• 507f60e chore: update ecosystem plugins (#​20882) (ESLint Bot)
• 92f5c5b test: add unit test for message-count (#​20878) (kuldeep kumar)
• df32108 chore: add @​eslint/markdown and typescript-eslint ecosystem tests (#​20837) (sethamus)
• 327f91d chore: use includeIgnoreFile internally (#​20876) (Kirk Waiblinger)
• f0dc4bd chore: pin fflate@​0.8.2 (#​20877) (Milos Djermanovic)
• 0f4bd25 ci: run Discord alert for ecosystem test failures (#​20873) (Copilot)

v10.4.0

Compare Source

v10.3.0

Compare Source

vuejs/eslint-plugin-vue (eslint-plugin-vue)

v10.9.1

Compare Source

Patch Changes

• Updated peer dependency version for vue-eslint-parser to fix parsing errors in Vue SFCs (#​3075)

v10.9.0

Compare Source

Minor Changes

• Added "inject" to groups option in vue/no-unused-properties rule (#​3052)

• Added new ignores option to vue/no-literals-in-template rule (#​3072)

• Added support for :single-line/:multi-line pseudo-classes in vue/padding-line-between-tags (#​3025)

• Added new vue/prefer-v-model rule (#​3062)

• Added new vue/prefer-single-event-payload rule (#​3058)

Patch Changes

• Added error end positions for vue/no-irregular-whitespace (#​3065)

• Updated resources: add Attrs and AllowedAttrs type definitions (#​3059)

• Improved error positions in vue/max-len (#​3066)

• Improve performance in vue/no-child-content rule (#​3068)

• Migrate configs to TypeScript (#​3002)

• Updated resources: geolocation HTML element and ClassValue and InputAutoCompleteAttribute Vue 3 export (#​3040)

sindresorhus/globals (globals)

v17.6.0

Compare Source

microsoft/playwright (playwright-chromium)

v1.60.0

Compare Source

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});

await page.locator('#dropzone').drop({
  data: {
    'text/plain': 'hello world',
    'text/uri-list': 'https://example.com',
  },
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

• Event browser.on('context') — fired when a new context is created on the browser.
• BrowserContext now mirrors lifecycle events from its pages: browserContext.on('download'), browserContext.on('frameattached'), browserContext.on('framedetached'), browserContext.on('framenavigated'), browserContext.on('pageclose'), browserContext.on('pageload').

Locators and Assertions

• New option description in page.getByRole() / locator.getByRole() / frame.getByRole() / frameLocator.getByRole() for matching the accessible description.
• New option pseudo in expect(locator).toHaveCSS() reads computed styles from ::before or ::after.
• New option style in locator.highlight() applies extra inline CSS to the highlight overlay, plus new page.hideHighlight() to clear all highlights.

Network

• webSocketRoute.protocols() returns the WebSocket subprotocols requested by the page.
• New option noDefaults in browserType.connectOverCDP() disables Playwright's default overrides on the default context (download behavior, focus emulation, media emulation), so attaching to a user's daily-driver browser doesn't disturb its state.

Errors and Reporting

• New webError.location() mirrors consoleMessage.location().
• consoleMessage.location() now exposes line / column properties (lineNumber / columnNumber are deprecated).
• New testInfoError.errorContext surfaces additional diagnostic context, such as the aria snapshot of the receiver at the time of an expect(...) matcher failure.
• reporter.onError() now receives a workerInfo argument with details about the worker for fixture teardown errors.

Test runner

• New {testFileBaseName} token in testProject.snapshotPathTemplate — file name without extension.
• Test runner now errors when a config tries to override a non-option fixture, and rejects workers: 0 or negative values.

🛠️ Other improvements

• HTML reporter:
  • npx playwright show-report accepts .zip files directly — no need to unzip first.
  • Steps that contain attachments inside nested children show an indicator on the parent step.
  • The repeatEachIndex is shown in the test header when non-zero.
• Trace Viewer adds a pretty-print toggle for JSON / form request and response bodies in the network details panel.

Breaking Changes ⚠️

• Removed long-deprecated APIs:
  • Locator.ariaRef() — use the standard locator.ariaSnapshot() pipeline.
  • handle option on BrowserContext.exposeBinding and Page.exposeBinding.
  • logger option on BrowserType.connect and BrowserType.connectOverCDP — use tracing instead.
  • Context options videosPath / videoSize — use recordVideo instead.

Browser Versions

• Chromium 148.0.7778.96
• Mozilla Firefox 150.0.2
• WebKit 26.4

This version was also tested against the following stable channels:

• Google Chrome 147
• Microsoft Edge 147

pnpm/pnpm (pnpm)

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

• Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Gold Sponsors

v10.34.0: pnpm 10.34

Compare Source

Minor Changes

• Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.

  pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.

  The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.

  --force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

Patch Changes

• Pin unscoped per-registry settings (_authToken, _auth, username/_password, tokenHelper, inline cert/key) to the registry declared in the same config source at load time, so a later layer overriding registry= (workspace .npmrc, pnpm-workspace.yaml, CLI --registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.
• Fixed minimumReleaseAge handling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-version time field) by default, which made the maturity check throw ERR_PNPM_MISSING_TIME whenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch when minimumReleaseAge is active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and lets ERR_PNPM_MISSING_TIME from the cache fast-path fall through to the network fetch even under strict mode.
• Reject git resolutions whose commit field is not a 40-character hexadecimal SHA before invoking git. A malicious lockfile could otherwise smuggle a value such as --upload-pack=<command> through git fetch / git checkout, which on SSH or local-file transports executes the supplied command.
• Reject patch files whose diff --git headers reference paths outside the patched package directory. Previously a malicious .patch file added via a pull request could write, delete, or rename arbitrary files reachable by the user running pnpm install.
• Fixed --prefix=<dir> not being honored when locating the workspace root. The --prefix → dir rename was applied after workspace detection, so workspace settings declared in <dir>/pnpm-workspace.yaml were not loaded when pnpm was invoked from outside <dir> #​11535.
• Reject dependency aliases that contain path-traversal segments (such as @x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them into node_modules. A malicious registry package could otherwise use a transitive dependency key to make pnpm install create symlinks at attacker-chosen paths outside the intended node_modules directory.

Platinum Sponsors

Gold Sponsors

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

• Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

  A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

• Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Gold Sponsors

✂ Note PR body was truncated to here. Configuration 📅 Schedule: (UTC) Branch creation At any time (no schedule defined) Automerge At any time (no schedule defined) 🚦 Automerge: Enabled. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired. If you want to rebase/retry this PR, check this box This PR was generated by Mend Renovate. View the repository job log.