fix(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@commitlint/cli (source)	^9.1.1 → ^9.1.2			devDependencies	patch
@commitlint/config-conventional (source)	^9.1.1 → ^9.1.2			devDependencies	patch
@ecomplus/application-sdk	^22.0.0-firestore.1.13.1 → ^22.0.0-firestore.1.15.7			dependencies	patch
@google-cloud/firestore	^7.11.0 → ^7.11.6			dependencies	patch
dotenv	^8.2.0 → ^8.6.0			dependencies	minor
eslint-plugin-promise	^4.2.1 → ^4.3.1			devDependencies	minor
firebase-functions-test	^0.2.1 → ^0.3.3			devDependencies	minor
firebase-tools	^13.29.2 → ^13.35.1			dependencies	minor
husky	^4.2.5 → ^4.3.8			devDependencies	minor
node (source)	20 → 20.20.0				minor
node (source)	20 → 20.20.0			engines	minor
node	12.x → 12.22.12			uses-with	minor
node	20.x → 20.20.0			uses-with	minor
uglify-js	^3.10.0 → ^3.19.3			dependencies	minor

---

Release Notes

conventional-changelog/commitlint (@​commitlint/cli)

v9.1.2

Compare Source

Note: Version bump only for package @​commitlint/cli

conventional-changelog/commitlint (@​commitlint/config-conventional)

v9.1.2

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

ecomplus/application-sdk (@​ecomplus/application-sdk)

v22.0.0-firestore.1.15.7

Compare Source

v22.0.0-firestore.1.15.6

Compare Source

v22.0.0-firestore.1.15.5

Compare Source

v22.0.0-firestore.1.15.4

Compare Source

v22.0.0-firestore.1.15.3

Compare Source

v22.0.0-firestore.1.15.2

Compare Source

v22.0.0-firestore.1.15.1

Compare Source

v22.0.0-firestore.1.15.0

Compare Source

v22.0.0-firestore.1.14.11

Compare Source

v22.0.0-firestore.1.14.10

Compare Source

v22.0.0-firestore.1.14.9

Compare Source

v22.0.0-firestore.1.14.8

Compare Source

v22.0.0-firestore.1.14.7

Compare Source

v22.0.0-firestore.1.14.6

Compare Source

v22.0.0-firestore.1.14.5

Compare Source

v22.0.0-firestore.1.14.4

Compare Source

v22.0.0-firestore.1.14.3

Compare Source

v22.0.0-firestore.1.14.2

Compare Source

v22.0.0-firestore.1.14.1

Compare Source

v22.0.0-firestore.1.14.0

Compare Source

googleapis/nodejs-firestore (@​google-cloud/firestore)

v7.11.6

Compare Source

Bug Fixes

• Pool.ts: add even more logging (c508d1b)

v7.11.5

Compare Source

Bug Fixes

• Pool.ts: add more detailed logging for client garbage collection (#​2420) (1bbca46)

v7.11.4

Compare Source

Bug Fixes

• Improve debug logging for the internal client pool. Added client IDs to debug log statements for client management. (99918f1)

v7.11.3

Compare Source

Bug Fixes

• Improve performance of the UTF-8 string comparison logic (#​2380) (bc6a03e)

v7.11.2

Compare Source

Bug Fixes

• Firestore Client caching stub in bad state issue (#​2365) (04ad0a4)

v7.11.1

Compare Source

Bug Fixes

• Aggregate query readtime bug (#​2331) (9ac0394)
• Bump default deadline on CreateDatabase and RestoreDatabase to 2 minutes (#​2274) (d559080)
• Close default BulkWriter upon terminate. (#​2276) (1e714a8)
• Correctly escape field paths with multiple backslashes or backticks (#​2259) (#​2261) (7056ba7)
• Do not send page size with auto-paginate. Fixes warnings in listCollections and listDocuments. (#​2336) (844b4ca)
• Finalize fixing typings for headers in generator (#​2287) (c6c85b6)
• Prevent crashes if an inactive stream receives an error. (#​2283) (f58fe79)
• Remove unused "long" dependency from firestore proto (#​2324) (5937b93)
• Sort document reference by long type id (#​2257) (3fd0de9)
• Sort strings in UTF-8 encoded byte order (#​2275) (a2950e0)
• Use lazy encoding for utf-8 encoded string comparison (#​2299) (e8777e1)

motdotla/dotenv (dotenv)

v8.6.0

Compare Source

Added

• define package.json in exports

v8.5.1

Compare Source

Changed

• updated dev dependencies via npm audit

v8.5.0

Compare Source

Added

• allow for import "dotenv/config"

v8.4.0

Compare Source

Changed

• point to exact types file to work with VS Code

v8.3.0

Compare Source

Changed

• Breaking: drop support for Node v8 (mistake to be released as minor bump. later bumped to 9.0.0. see above.)

eslint-community/eslint-plugin-promise (eslint-plugin-promise)

v4.3.1

Compare Source

• Updated and applied prettier

v4.3.0

Compare Source

• #​202
• Updated jest

firebase/firebase-functions-test (firebase-functions-test)

v0.3.3

Compare Source

• Allow setting context.app in wrapped callable functions (#​123).

v0.3.2

Compare Source

• Fix problem with missing import in the firebase-functions SDK

v0.3.1

Compare Source

• Add support for GeoPoints in Firestore tests
• Improve error message for unsupported types in Firestore tests

v0.3.0

Compare Source

• Remove support for crashlytics (#​98)

v0.2.3

Compare Source

• Fixes a bug where functions.config() would return old config values if process.env.CLOUD_RUNTIME_CONFIG was changed after the first call to functions.config().

v0.2.2

Compare Source

• Adds clearFirestoreData to clear all Firestore data in the Firestore emulator (#​71).
• Adds ability to create DataSnapshots for multiple RTDB instances (#​72).

firebase/firebase-tools (firebase-tools)

v13.35.1

Compare Source

• Fix bug where functions:artifacts:setpolicy command's --none option didn't work as expected (#​8330)

v13.35.0

Compare Source

• Added support for generated Angular SDKs for Data Connect
• App Hosting emulator can now load secret env vars. (#​8305)
• Fixed webframeworks deployments when using multiple hosting sites in firebase.json. (#​8314)
• Added a new command to setup a cleanup policy for functions artifacts. (#​8268)
• Added support for 3rd party builders for Angular. (#​7557)
• Fixed GCF V2 artifact cleanup by correctly encoding artifact names to match GCF V2's format. (#​8318)
• Increase emulator UI body parser limit to match Storage emulator maximum. (#​8329)
• Fixed Data Connect setup issues for fresh databases due to IAM user not being created. (#​8335)
• Fixed an issue where ext:install used POSIX file seperators on Windows machines. (#​8326)
• Updated the Firebase Data Connect local toolkit to v1.9.2, which adds support for generated Angular SDKs and updates Dart SDK fields to follow best practices. (#​8347)
• Fixed an issue where credentials from firebase login would not be correctly provided to the Data Connect emulator.
• Fixed misleading comments in firebase init dataconnect connector.yaml template.
• Improved Data Connect SQL permissions to better handle tables owned by IAM roles. (#​8339)
• Fixed an issue where the Data Connect emulator would crash after some SQL errors.

v13.34.0

Compare Source

• Fix webframeworks deployments when using site in firebase.json. (#​8295)
• Add support for brownfield project onboard dataconnect:sql:setup. (#​8150)
• Update the Firebase Data Connect local toolkit to v1.8.5, which includes the following changes: (#​8310)
  • Fix the Int and Int64 scalars to correctly validate the int32 and int64 ranges, respectively.
  • Fix the generated web SDK so that pnpm properly uses the link functionality.

v13.33.0

Compare Source

• Fixed issue where apps:init fails to detect the output directory when it was run in a directory where app was the only module.
• Set LOG_EXECUTION_ID=true by default for Cloud Functions (2nd gen) to improve debugging by displaying execution IDs in logs. (#​8276)
• Fix bug where function deployment no-oped for functions in bad state. (#​8289)
• Updated the Firebase Data Connect local toolkit to v1.8.4 which includes the following changes: (#​8290)
  • React hooks for mutations without args no longer require undefined to be passed when calling mutate.
  • Fixed import resolution when moduleResolution is set to bundler.
  • React code generation will now generate a README explaining how to use generated query and mutation hook functions.
  • Fixed an issue where React developers have to pass in an empty object even when all fields are optional.
  • Fixed an issue where FirebaseError wasn't being passed into UseMutationOptions.

v13.32.0

Compare Source

• Replaced VSCODE_CWD check to address issues running in VSCode environments. (#​7471)
• Added initial delay when loading python functions (#​8239)
• Enforced webframeworks enablement only on webframeworks sites (#​8168)
• Fixed issue where apps:init throws an error upon app creation.
• Reenabled prompts for unused service deletion in deploy --only.
• Update Firebase Data Connect local toolkit to v1.8.3, which includes the following changes: (#​8263)
  • Adds a _metadata.distance field to vector similarity search results
  • Fixes auth and request.auth when the request is unauthenticated
  • Fixes an issue with hanging commas in import statements in the generated Web SDK
  • Fixes an issue where the additional union type { __angular?: true } breaks type inference in the generated Web SDK

v13.31.2

Compare Source

• Fixed an issue where --import path was incorrectly resolved for the Data Connect emulator. (#​8219)
• Updated the Firebase Data Connect local toolkit to v1.8.2 which fixes an issue with a missing FirebaseError import. (#​8232)

v13.31.1

Compare Source

• Fixed issue where firebase init dataconnect would crash on React-based web apps.
• Updated the Firebase Data Connect local toolkit to v.1.8.1, which:
  • Fixed issue where users who are using a version lower than 11.3.0 of firebase get a "missing import" error.

v13.31.0

Compare Source

• Switched Data Connect from v1beta API to v1 API.
• Added code generation of React hooks for Data Connect
• Genkit init improvements around gcloud login and flow input values.
• Added new command apps:init under experimental flag (appsinit) that automatically detects what SDK to download and places the file in the corresponding place.
• Removed dependencies on some packages and methods that caused deprecation warnings on Node 22.
• Fixes symbol generation when uploading Unity 6 symbols to Crashlytics. (#​7867)
• Fixed SSR issues in Angular 19 by adding support for default and reqHandler exports. (#​8145)
• Added Angular 19 as supported version. (#​8145)
• Fixed appdistribution:testers:list raising an error when a tester is not part of any group. (#​8191)
• Updated the Firebase Data Connect local toolkit to v1.8.0, which includes several changes: (#​8210)
  • Adds support for the v1 Data Connect API in the emulator
  • Adds support for generated React SDKs
  • Fixes @check to also be evaluated for admin auth
  • Fixes CEL expressions to be able to access @redact fields

v13.30.0

Compare Source

• Fixed issue where Extensions deployment fails due to *.firebasestorage.app not being recognized as a valid Storage bucket name. (#​8152)
• Fixes issue with custom 404 pages not being returned in Next.js in the emulator (#​8035).
• Annotate onCallGenkit functions to allow for future Firebase Console annotations (#​8135)
• Adds genkit 1.0.0 template (#​8144)

v13.29.3

Compare Source

• Fixed a Data Connect emulator issue where prepared statements would be persisted after terminated connections.
• Added a warning when deploying a Genkit function without a secret as this is likely a bug (#​8138)
• Fixed .env.* files for web frameworks in Windows (#​8086)
• Updated the Firebase Data Connect local toolkit to v1.7.7, which includes fixes in Dart code generation around required argument typing, and changes the emulator to always serve local connector sources and surface errors if they're invalid or schema migration fails. (#​8153)

typicode/husky (husky)

v4.3.8

Compare Source

• Fix Cannot read property 'toString' of null
• Improve error messages

v4.3.7

Compare Source

• Fix: upgrade find-versions to 4.0.0 #​837

v4.3.6

Compare Source

• Fix prepare-commit-msg on windows #​737

v4.3.5

Compare Source

• Rollback and do not throw error if husky install fails

v4.3.4

Compare Source

• Throw error if husky install fails
• Add workaround for npm 7 currently missing INIT_CWD environment variable

v4.3.3

Compare Source

v4.3.2

Compare Source

v4.3.1

Compare Source

v4.3.0

Compare Source

• Add .cjs config file support #​754

nodejs/node (node)

v20.20.0: 2026-01-13, Version 20.20.0 'Iron' (LTS), @​marco-ippolito

Compare Source

This is a security release.

Notable Changes

lib:

• (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#802
• (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
  lib,permission:
• (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
  src:
• (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
  src,lib:
• (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
  tls:
• (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

Commits

• [8f9ba3f623] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #​60997
• [97fc9b0eb7] - deps: update undici to 6.23.0 (Matteo Collina) nodejs-private/node-private#792
• [14fbbb510c] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#802
• [1febc48d5b] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• [494f62dc23] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• [d7a5c587c0] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
• [51f4de4b4a] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
• [85f73e7057] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

v20.19.6: 2025-11-25, Version 20.19.6 'Iron' (LTS), @​marco-ippolito

Compare Source

Notable Changes

• [6277910a15] - crypto: update root certificates to NSS 3.114 (Node.js GitHub Bot) #​59571
• [082e50d4a2] - doc: update the instruction on how to verify releases (Antoine du Hamel) #​59113
• [db68cec4cb] - doc: deprecate HTTP/2 priority signaling (Matteo Collina) #​58313

Commits

• [0f644df42e] - build: fix 'implicit-function-declaration' on OpenHarmony platform (hqzing) #​59547
• [fba0025b9c] - build: use windows-2025 runner (Michaël Zasso) #​59673
• [3456ec946d] - crypto: update root certificates to NSS 3.116 (Node.js GitHub Bot) #​59956
• [6277910a15] - crypto: update root certificates to NSS 3.114 (Node.js GitHub Bot) #​59571
• [1788fb5f3d] - deps: update undici to 6.22.0 (Matteo Collina) #​60112
• [5d61b55f24] - deps: update uvwasi to 0.0.23 (Node.js GitHub Bot) #​59791
• [9f1e5e4637] - deps: update histogram to 0.11.9 (Node.js GitHub Bot) #​59689
• [d0edb01d25] - deps: update googletest to eb2d85e (Node.js GitHub Bot) #​59335
• [576242ff39] - deps: V8: cherry-pick a0d0d4f (Ho Cheung) #​60716
• [a07a277020] - deps: update corepack to 0.34.1 (Node.js GitHub Bot) #​60314
• [fa5c5af8ce] - deps: update archs files for openssl-3.0.17 (Node.js GitHub Bot) #​59134
• [556113e2fc] - deps: upgrade openssl sources to openssl-3.0.17 (Node.js GitHub Bot) #​59134
• [cd1536ca90] - deps: update corepack to 0.34.0 (Node.js GitHub Bot) #​59133
• [acec79989e] - deps: V8: cherry-pick 6b1b9bc (zhoumingtao) #​59283
• [e65b930aa7] - deps: V8: backport 2e4c5cf (Michaël Zasso) #​60654
• [1b75a601f7] - doc: fix typo on child_process.md (Angelo Gazzola) #​60114
• [a2bcb217c6] - doc: fix typo in section on microtask order (Tobias Nießen) #​59932
• [2426d3f3ff] - doc: add security escalation policy (Ulises Gascón) #​59806
• [e7f6f04758] - doc: add Miles Guicent as triager (Miles Guicent) #​59562
• [e51ef3f48b] - doc: update install_tools.bat free disk space (Stefan Stojanovic) #​59579
• [8a504d900a] - doc: fix missing link to the Error documentation in the http page (Alexander Makarenko) #​59080
• [8c5c8aa71d] - doc: clarify experimental platform vulnerability policy (Matteo Collina) #​59591
• [109c4bff77] - doc: add security incident reponse plan (Rafael Gonzaga) #​59470
• [4f004efdf3] - doc: add RafaelGSS as performance strategic lead (Rafael Gonzaga) #​59445
• [caa2db4bac] - doc: fix links in test.md (Vas Sudanagunta) #​58876
• [082e50d4a2] - doc: update the instruction on how to verify releases (Antoine du Hamel) #​59113
• [19a66365d9] - doc: clarify DEP0194 scope (Antoine du Hamel) #​58504
• [db68cec4cb] - doc: deprecate HTTP/2 priority signaling (Matteo Collina) #​58313
• [3b2368774f] - doc: make Stability labels not sticky in Stability index (Livia Medeiros) #​58291
• [960d05ad7d] - doc: add history entries to --input-type section (Antoine du Hamel) #​58175
• [20616f1750] - http2: do not crash on mismatched ping buffer length (René) #​60135
• [9eb94232c8] - lib: handle superscript variants on windows device (Rafael Gonzaga) #​59261
• [dc58b4e35f] - meta: move Michael to emeritus (Michael Dawson) #​60070
• [d943cfb260] - meta: bump actions/setup-node from 4.4.0 to 5.0.0 (dependabot[bot]) #​60093
• [de9a3aaf0f] - meta: bump step-security/harden-runner from 2.12.2 to 2.13.1 (dependabot[bot]) #​60094
• [b4b5d4a4d7] - meta: bump ossf/scorecard-action from 2.4.2 to 2.4.3 (dependabot[bot]) #​60096
• [e5b4eee901] - meta: bump actions/setup-python from 5.6.0 to 6.0.0 (dependabot[bot]) #​60090
• [7cb032c2c1] - meta: update devcontainer to the latest schema (Aviv Keller) #​54347
• [bb108191aa] - meta: call create-release-post.yml post release (Aviv Keller) #​60366
• [2a11d50526] - module: correctly detect top-level await in ambiguous contexts (Shima Ryuhei) #​58646
• [144233b71a] - process: fix wrong asyncContext under unhandled-rejections=strict (Shima Ryuhei) #​60103
• [409cb773a4] - repl: fix cpu overhead pasting big strings to the REPL (Ruben Bridgewater) #​59857
• [d1c9d80cac] - repl: add isValidParentheses check before wrap input (Xuguang Mei) #​59607
• [b8d145db2c] - src: fix order of CHECK_NOT_NULL/dereference (Tobias Nießen) #​59487
• [2c8a73f95f] - src: remove duplicate assignment of O_EXCL in node_constants.cc (Daniel Osvaldo R) #​59049
• [b1da374503] - test: fix typo of test-benchmark-readline.js (Deokjin Kim) #​59993
• [4b4e38f497] - test: mark sea tests flaky on macOS x64 (Richard Lau) #​60068
• [cbf4fc34c3] - test: skip more sea tests on Linux ppc64le (Richard Lau) #​59755
• [9543facad7] - test: mark test-inspector-network-fetch as flaky again (Joyee Cheung) #​59640
• [4f858d22ac] - test: skip test-fs-cp* tests that are constantly failing on Windows (Joyee Cheung) #​59637
• [3ec534dbe8] - test: skip sea tests on Linux ppc64le (Richard Lau) #​59563
• [a7a109f926] - test: fix typos (Lee Jiho) #​59330
• [fd9d43da46] - test: skip failing test on macOS 15.7+ (Antoine du Hamel) #​60419
• [bc3ffbd713] - test_runner: fix isSkipped check in junit (Sungwon) #​59414
• [0cace96472] - test_runner: correct "already mocked" error punctuation placement (Jacob Smith) #​58840
• [76001f9480] - tools: remove unused actions from build-tarball.yml (Antoine du Hamel) #​59787
• [69904844bb] - tools: do not attempt to compress tgz archive (Antoine du Hamel) #​59785
• [a6e7adb173] - tools: fix return value of try_check_compiler (theanarkh) #​59434
• [6443ad2da5] - tools: drop deprecated macos-13 runner (Richard Lau) #​60679
• [45ec702ef7] - tools: fix tools/make-v8.sh for clang (Richard Lau) #​59893
• [393ff7226e] - util: fix numericSeparator with negative fractional numbers (sangwook) #​59379
• [9e8beff0f4] - util: fix error's namespaced node_modules highlighting using inspect (Ruben Bridgewater) #​59446

v20.19.5: 2025-09-03, Version 20.19.5 'Iron' (LTS), @​marco-ippolito

Compare Source

Notable Changes

• [f5b293ad48] - doc: add JonasBa to collaborators (Jonas Badalic) #​58355
• [4e6ae787c6] - doc: add puskin to collaborators (Giovanni Bucci) #​58308
• [d06db658fc] - doc: add Filip Skokan to TSC (Rafael Gonzaga) #​58499
• [3c6206cac9] - doc: add @​geeksilva97 to collaborators (Edy Silva) #​57241

Commits

• [ea20403467] - build: fix uvwasi pkgname (Antoine du Hamel) #​58270
• [c647aa4b30] - build: fix pointer compression builds (Joyee Cheung) #​58171
• [d2c5e609ae] - build: disable v8_enable_pointer_compression_shared_cage on non-64bit (Shelley Vohr) #​58867
• [84d5c4d244] - build: search for libnode.so in multiple places (Jan Staněk) #​58213
• [068c439552] - crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 (Filip Skokan) [#​58942](htt

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.