chore(deps): update all non-major dependencies with stable versions (minor)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@shikijs/monaco (source)	^3.15.0 → ^3.21.0			devDependencies	minor	3.22.0
dompurify@<3.2.4	>=3.2.7 → >=3.3.1			pnpm.overrides	minor
happy-dom	^20.0.11 → ^20.4.0			devDependencies	minor
node (source)	24.12.0 → 24.13.0			volta	minor
sass-embedded	^1.93.3 → ^1.97.3			devDependencies	minor
shiki (source)	^3.15.0 → ^3.21.0			devDependencies	minor	3.22.0
vue@>=2.0.0-alpha.1 <3.0.0-alpha.0 (source)	[>=3.0.11 → >=3.5.27](https://renovatebot.com/diffs/npm/vue@&gt;&#x3D;2.0.0-alpha.1 <3.0.0-alpha.0/3.0.11/3.5.27)			pnpm.overrides	minor

---

Release Notes

shikijs/shiki (@​shikijs/monaco)

v3.21.0

Compare Source

   🚀 Features

• Update grammar  -  by @​antfu (6d109)
• core: Preserve HAST data and properties in codeToHast  -  by @​AmanCrafts in #​1204 (747ea)

   🐞 Bug Fixes

• vitepress-twoslash: Fix scroll blocking on mobile viewports  -  by @​dahlia in #​1235 (8e931)

    View changes on GitHub

v3.20.0

Compare Source

   🚀 Features

• cli: Add --format option for html output  -  by @​Divyapahuja31 in #​1211 (28dd0)

   🐞 Bug Fixes

• rehype: Handle promise rejections in lazy language loading  -  by @​ambujvashistha in #​1221 (99654)
• vitepress-twoslash: Fix popper positions being recomputed too early within vitepress code groups  -  by @​Dschungelabenteuer, charles.gruenais and @​antfu in #​1116 (19ea5)

   🏎 Performance

• core: Eliminate redundant tokenization call in tokenizeWithTheme  -  by @​ShivanshBhargava and @​NssGourav in #​1216 (c78b1)

    View changes on GitHub

v3.19.0

Compare Source

   🚀 Features

• Support rootStyle: false option  -  by @​khushthecoder and @​antfu in #​1184 (baf9a)
• transformers:
  • Add classActiveCode option to notation transformers  -  by @​GreenHacker420 in #​1171 (a6a44)
  • Add transformerRemoveComments  -  by @​Bitshifter-9, Copilot, @​crazylogic03 and @​antfu in #​1144 (f2ee3)
• twoslash:
  • Add context parameter to filter option  -  by @​siddu-09 in #​1173 (ac7f5)

   🐞 Bug Fixes

• Add typesVersions for legacy resolution support  -  by @​khushthecoder in #​1179 (100b7)
• core: Check embeddedLanguages in registry dependency check  -  by @​vamsi2246 in #​1178 (6ad16)
• monaco: Correctly handle sparse color map updates  -  by @​wcr-karan in #​1169 (38c7f)

    View changes on GitHub

v3.18.0

Compare Source

   🚀 Features

• transformers: Support zeroIndexed option to transformerMetaHighlight  -  by @​manak-sharma20 in #​1149 (c39ff)

   🐞 Bug Fixes

• core:
  • Correct offset calculation in mergeWhitespaceTokens  -  by @​Karthikeya1500 in #​1162 (15e73)
  • Allow langAlias to special languages, close #​1164  -  by @​antfu in #​1164 (45ab1)

    View changes on GitHub

v3.17.1

Compare Source

   🚀 Features

• core: Enhance string utils with robust edge case handling  -  by @​shekhar-narayan-mishra in #​1154 (a2b68)

   🐞 Bug Fixes

• core: Correctly parse 4-digit hex colors in dimColor  -  by @​shalini-saloni in #​1151 (fcdd3)
• monaco: Ensure correct color map update when switching themes  -  by @​shivank-1011 in #​1155 (d2e94)

    View changes on GitHub

v3.17.0

Compare Source

   🚀 Features

• cli: Support passing remote file url  -  by @​o-az in #​1139 (fb05a)
• core: Support embeddedLanguages alias for backwards compatibility  -  by @​Ipshita29 in #​1044 and #​1145 (3a367)
• monaco: Normalize theme tokenScopes and tighten monaco type import  -  by @​Simon-He95 in #​1140 (dc792)

   🐞 Bug Fixes

• monaco: Preserve Markdown font styles  -  by @​prempyla and @​antfu in #​1107 (e4dec)
• shiki: Rename createdBundledHighlighter to createBundledHighlighter  -  by @​tushar73-jet, Tushar and @​antfu in #​1135 (e6d21)
• transformers: Handle multi-token comments in rose-pine theme  -  by @​ish1416 and @​antfu in #​1118 (3e1bd)
• twoslash: Fix typo in twoslash-query-persisted, close #​1130, close #​981  -  by @​antfu in #​1130 and #​981 (55a17)
• types: Add 'plain' to PlainTextLanguage type  -  by @​kevinkucharczyk in #​1133 (156c5)

    View changes on GitHub

v3.16.0

Compare Source

   🚀 Features

• Update grammars  -  by @​antfu (02dab)

   🐞 Bug Fixes

• Enable decorations for structure: inline  -  by @​Aashish-Jha-11 and Aashish_Jha_1107 in #​1103 (8806b)
• Resolve vitest alias for wasm-inlined  -  by @​sahilsharda (2d7b3)
• transformers: Support comment-prefixed [code . highlight] markers in v3 notation matcher  -  by @​Hariksh in #​1102 (5068b)

    View changes on GitHub

cure53/DOMPurify (dompurify@<3.2.4)

v3.3.1: DOMPurify 3.3.1

Compare Source

• Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
• Updated the ESM import syntax to be more correct, thanks @​binhpv

v3.3.0: DOMPurify 3.3.0

Compare Source

• Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
• Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
• Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

capricorn86/happy-dom (happy-dom)

v20.4.0

Compare Source

🎨 Features

• Adds support for caching the compiled code of EcmaScript modules - By @​capricorn86 in task #​2049

v20.3.9

Compare Source

v20.3.8

Compare Source

v20.3.7

Compare Source

👷‍♂️ Patch fixes

• Updates README.md for the "@​happy-dom/server-renderer" package - By @​capricorn86 in task #​2035

v20.3.6

Compare Source

👷‍♂️ Patch fixes

• Fixes issue where it wasn't possible to toggle the "open" attribute of <details> by clicking on a child of the <summary> element - By @​Nxooah in task #​1928

v20.3.5

Compare Source

👷‍♂️ Patch fixes

• Use internal property for "location" in BrowserFrameURL to avoid mock interference - By @​marchaos in task #​1964
• Add optional chaining to the "hostname" and pathname" properties to check if they are undefined in CookieURLUtility - By @​marchaos in task #​1968

v20.3.4

Compare Source

v20.3.3

Compare Source

v20.3.2

Compare Source

v20.3.1

Compare Source

👷‍♂️ Patch fixes

• Normalizes the "format" parameter according to the HTML specification in DataTransfer.getData() - By @​marchaos in task #​1965
• Handle partial responses in XMLHttpRequest - By @​rexxars in task #​1890

v20.3.0

Compare Source

🎨 Features

• Use RegExp to convert ASCII character casing to improve performance - By @​TrevorBurnham in task #​1886

v20.2.0

Compare Source

🎨 Features

• Use Element.classList.contains() instead of splitting className in query selectors to improve performance as it's cached - By @​TrevorBurnham in task #​1884

v20.1.1

Compare Source

👷‍♂️ Patch fixes

• Fixes caching in querySelector() - By @​TrevorBurnham in task #​1882
• Avoid sort in querySelector() to improve performance - By @​TrevorBurnham in task #​1882

v20.1.0

Compare Source

🎨 Features

• Adds support for BrowserPage.evaluateModule() and BrowserFrame.evaluateModule() - By @​capricorn86 in task #​1944
• Adds support for module to the browser settings - By @​capricorn86 in task #​1944
  • This makes it possible to add a custom resolver or a node module resolver
• Adds support for dynamic import() to JavaScript evaluation - By @​capricorn86 in task #​1944
  • It was previously only supported when using type="module" on script elements
• Adds support for WebSocket - By @​capricorn86 in task #​1944
• Adds support for CloseEvent - By @​capricorn86 in task #​1944
• Adds support for render.setupScript and render.mode to the configuration in @​happy-dom/server-renderer - By @​capricorn86 in task #​1944
• Changes name from urls to renderItems in the configuration in @​happy-dom/server-renderer - By @​capricorn86 in task #​1944
• Adds support for rendering strings in @​happy-dom/server-renderer - By @​capricorn86 in task #​1944
• Makes JavaScript evaluation disabled by default in @​happy-dom/server-renderer - By @​capricorn86 in task #​1944

👷‍♂️ Patch fixes

• Several fixed to the EcmaScript module compiler (esm) - By @​capricorn86 in task #​1944
• Fixes issue where rendering using Worker's didn't work in @​happy-dom/server-renderer - By @​capricorn86 in task #​1944

nodejs/node (node)

v24.13.0: 2026-01-13, Version 24.13.0 'Krypton' (LTS), @​marco-ippolito

Compare Source

This is a security release.

Notable Changes

lib:

• (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
  lib,permission:
• (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
  src:
• (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
  src,lib:
• (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
  tls:
• (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

Commits

• [2092785d01] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #​60997
• [3e58b7f2af] - deps: update undici to 7.18.2 (Node.js GitHub Bot) #​61283
• [4ba536a5a6] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• [89adaa21fd] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
• [7302b4dae1] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• [ac030753c4] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
• [20075692fe] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
• [20591b0618] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

sass/embedded-host-node (sass-embedded)

v1.97.3

Compare Source

• Fix a bug where nesting an at-rule within multiple style rules in plain CSS
  could cause outer style rules to be omitted.

v1.97.2

Compare Source

• Additional fixes for implicit configuration when nested imports are involved.

v1.97.1

Compare Source

• Fix a bug with the new CSS-style if() syntax where values would be evaluated
  even if their conditions didn't match.

v1.97.0

Compare Source

• Add support for the display-p3-linear color space.

v1.96.0

Compare Source

• Allow numbers with complex units (more than one numerator unit or more than
  zero denominator units) to be emitted to CSS. These are now emitted as
  calc() expressions, which now support complex units in plain CSS.

v1.95.1

Compare Source

• No user-visible changes.

vuejs/core (vue@>=2.0.0-alpha.1 <3.0.0-alpha.0)

v3.5.27

Compare Source

Bug Fixes

• compile-sfc: correctly handle variable shadowing in for loop for defineProps destructuring. (#​14296) (6a1bb50), closes #​14294
• compiler-sfc: handle indexed access types in declare global blocks (#​14260) (e4091fe), closes #​14236
• compiler-sfc: use correct scope when resolving indexed access types from external files (#​14297) (f0f0a21), closes #​14292
• reactivity: collection iteration should inherit iterator instance methods (#​12644) (3c8b2fc), closes #​12615
• runtime-core: skip patching reserved props for custom elements (#​14275) (19cc7e2), closes #​14274
• server-renderer: use ssrRenderClass helper for className attribute (#​14327) (a4708f3)
• ssr: handle v-bind modifiers during render attrs (#​14263) (c2f5964), closes #​14262

v3.5.26

Compare Source

Bug Fixes

• compat: fix compat handler of draggable (#​12445) (ed85953), closes #​12444
• compat: handle v-model deprecation warning with missing appContext (#​14203) (945a543), closes #​14202
• compiler-sfc: demote const reactive bindings used in v-model (#​14214) (e24ff7d), closes #​11265 #​11275
• compiler-ssr: handle ssr attr fallthrough when preserve whitespace (#​12304) (4783118), closes #​8072
• hmr: handle cached text node update (#​14134) (69ce3c7), closes #​14127
• keep-alive: use resolved component name for async components in cache pruning (#​14212) (dfe667c), closes #​14210
• runtime-core: ensure correct anchor el for deeper unresolved async components (#​14182) (f5b3bf2), closes #​14173
• runtime-core: handle patch stable fragment edge case (#​12411) (94aeb64), closes #​12410
• runtime-core: pass component instance to flushPreFlushCbs on unmount (#​14221) (e857e12), closes #​14215

Performance Improvements

• compiler-core: use binary-search to get line and column (#​14222) (1904053)

v3.5.25

Compare Source

Bug Fixes

• compiler: share logic for comments and whitespace (#​13550) (2214f7a)
• provide: warn when using provide after mounting (#​13954) (247b2c2), closes #​13921 #​13924
• reactivity: correctly wrap iterated array items to preserve their readonly status (#​14120) (301020b)
• reactivity: toRef edge cases for ref unwrapping (#​12420) (0d2357e)
• runtime-core: keep options API typing intact when expose is used (#​14118) (8f82f23), closes #​14117 vuejs/language-tools#5069
• suspense: defer clearing fallback vnode el in case it has dirs (#​14080) (c0f63dd), closes #​14078

v3.5.24

Compare Source

Reverts

• Revert "fix(compiler-core): correctly handle ts type assertions in expression…" (#​14062) (11ec51a), closes #​14062 #​14060

v3.5.23

Compare Source

Bug Fixes

• compiler-core: correctly handle ts type assertions in expressions (#​13397) (e6544ac), closes #​13395
• compiler-core: fix v-bind shorthand handling for in-DOM templates (#​13933) (b3cca26), closes #​13930
• compiler-sfc: resolve numeric literals and template literals without expressions as static property key (#​13998) (75d44c7)
• compiler-ssr: textarea with v-text directive SSR (#​13975) (006a0c1)
• compiler: using guard instead of non-nullish assertion (#​13982) (dcc6f36)
• custom-element: batch custom element prop patching (#​13478) (c13e674), closes #​12619
• custom-element: optimize slot retrieval to avoid duplicates (#​13961) (84ca349), closes #​13955
• hydration: avoid mismatch during hydrate text with newlines in interpolation (#​9232) (6cbdf78), closes #​9229
• runtime-core: pass props and children to loadingComponent (#​13997) (40c4b2a)
• runtime-dom: ensure iframe sandbox is handled as an attribute to prevent unintended behavior (#​13950) (5689884), closes #​13946
• suspense: clear placeholder and fallback el after resolve to enable GC (#​13928) (f411c66)
• transition-group: use offsetLeft and offsetTop instead of getBoundingClientRect to avoid transform scale affect animation (#​6108) (dc4dd59), closes #​6105
• v-model: handle number modifier on change (#​13959) (8fbe48f), closes #​13958

v3.5.22

Compare Source

Bug Fixes

• compiler-core: identifiers in switch-case should not be inferred as references (#​13923) (5953c9f)
• compiler-dom: nodes with v-once shouldn't be stringified (#​13878) (95c1975)
• compiler-sfc: add support for @vue-ignore in runtime type resolution (#​13906) (ba7f7f9)
• compiler-sfc: enhance inferRuntimeType to support TSMappedType with indexed access (#​13848) (e388f1a), closes #​13847
• compiler-sfc: ensure css custom properties do not start with a digit (#​13870) (9c27951)
• compiler-sfc: ensure props bindings register before compiling template (#​13922) (abd5638), closes #​13920
• compiler-ssr: ensure v-show has a higher priority in SSR (#​12171) (836b829), closes #​12162
• custom-element: properly mount multiple Teleports in custom element component w/ shadowRoot false (#​13900) (5e1e791), closes #​13899
• custom-element: set prop runs pending mutations before disconnect (#​13897) (c4a88cd), closes #​13315
• custom-element: use PatchFlags.BAIL for slot when props are present (#​13907) (5358bca), closes #​13904
• reactivity: respect readonly during ref unwrapping (#​13905) (aba7fed), closes #​13903
• reactivity: update iterator to check for completion instead of value presence (#​13761) (2078f8b)
• runtime-core: simplify block-tracking disabling in h helper (#​13841) (75220c7)
• transition-group: run forceReflow on the correct document (fix #​13849) (#​13853) (1be5ddf)
• types: more precise types for Events and added missing definitions (#​9675) (8bb8fb2)
• types: set dom stub type to never instead of {} (#​13915) (8620a61), closes #​11564
• types: widen directive arg type from string to any (#​13758) (4b71706), closes #​13757

Features

• custom-element: allow specifying additional options for shadowRoot in custom elements (#​12965) (47e628d), closes #​12964

Reverts

• Revert "fix(hmr): prevent VUE_HMR_RUNTIME from being overwritten by vue runtime in 3rd-party libraries" (#​13925) (6b68f72), closes #​13925

v3.5.21

Compare Source

Bug Fixes

• compiler-core: force dynamic slots when slot referencing scope vars (#​9427) (99d54b2), closes #​9380
• compiler-sfc: check lang before attempt to compile script (#​13508) (55922ff), closes #​8368
• compiler-sfc: support ${configDir} in paths for TypeScript 5.5+ (#​13491) (8696e34), closes #​13484
• compiler-sfc: support global augments with named exports (#​13789) (35da3c6)
• custom-element: prevent defineCustomElement from mutating the options object (#​13791) (e322436)
• hmr: prevent __VUE_HMR_RUNTIME__ from being overwritten by vue runtime in 3rd-party libraries (#​13817) (1392734), closes vitejs/vite-plugin-vue#644
• hmr: prevent update unmounting component during HMR reload (#​13815) (ef20b86), closes vitejs/vite-plugin-vue#599
• runtime-core: disable tracking block in h function (#​8213) (8f6b505), closes #​6913
• runtime-core: use separate emits caches for components and mixins (#​11661) (15fc75f)
• Suspence: handle Suspense + KeepAlive HMR updating edge case (#​13076) (5d75a17), closes #​13075
• Teleport: hydrate disabled Teleport with undefined target (#​11235) (00978f7), closes #​11230
• templateRef: prevent unnecessary set ref on dynamic ref change or component unmount (#​12642) (93ba107), closes #​12639
• watch: use maximum depth for duplicates (#​13434) (f2699a5)

Performance Improvements

• improve regexp performance with non-capturing groups (#​13567) (1e8b65a)

v3.5.20

Compare Source

Bug Fixes

• runtime-dom: add name to vShow for prop mismatch check (#​13806) (1031e8d), closes #​13805 re-fix #​13744 revert #​13777

v3.5.19

Compare Source

Bug Fixes

• compiler-core: adjacent v-else should cause a compiler error (#​13699) (911e670), closes #​13698
• compiler-core: prevent cached array children from retaining detached dom nodes (#​13691) (7f60ef8), closes element-plus/element-plus#21408 #​13211
• compiler-sfc: improve type inference for generic type aliases types (#​12876) (d9dd628), closes #​12872
• compiler-sfc: throw mismatched script langs error before invoking babel (#​13194) (0562548), closes #​13193
• compiler-ssr: disable v-memo transform in ssr vdom fallback branch (#​13725) (0a202d8), closes #​13724
• devtools: clear performance measures (#​13701) (c875019), closes #​13700
• hmr: prevent updating unmounting component during HMR rerender (#​13775) (6e5143d), closes #​13771 [#&chore: codeowners #82

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) in timezone America/New_York, Automerge - Monday through Friday ( * * * * 1-5 ) in timezone America/New_York.

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for kong-spec-editor ready!

Name	Link
🔨 Latest commit	75e0b6e
🔍 Latest deploy log	https://app.netlify.com/projects/kong-spec-editor/deploys/697d9c6825f3af0009e5e8e0
😎 Deploy Preview	https://deploy-preview-171--kong-spec-editor.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.