fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/workers-types	4.20251106.1 -> 4.20251111.0
@graphql-codegen/cli (source)	6.0.1 -> 6.0.2
@graphql-tools/url-loader (source)	9.0.2 -> 9.0.4
@graphql-tools/utils (source)	10.10.1 -> 10.10.3
@pulumi/aws (source)	7.11.0 -> 7.11.1
@pulumi/pulumi (source)	3.206.0 -> 3.207.0
@types/aws-lambda (source)	8.10.157 -> 8.10.158
@types/node (source)	24.10.0 -> 24.10.1
@types/react (source)	19.2.2 -> 19.2.4
@types/react-dom (source)	19.2.2 -> 19.2.3
@vitejs/plugin-react (source)	5.1.0 -> 5.1.1
autoprefixer	10.4.21 -> 10.4.22
aws-cdk-lib (source)	2.222.0 -> 2.223.0
esbuild	0.25.12 -> 0.27.0
fastify (source)	5.6.1 -> 5.6.2
pnpm (source)	10.20.0 -> 10.22.0
svelte (source)	5.43.4 -> 5.43.6
svelte-check	4.3.3 -> 4.3.4
wrangler (source)	4.46.0 -> 4.48.0

---

Release Notes

cloudflare/workerd (@​cloudflare/workers-types)

v4.20251111.0

Compare Source

v4.20251109.0

Compare Source

v4.20251107.0

Compare Source

dotansimha/graphql-code-generator (@​graphql-codegen/cli)

v6.0.2

Compare Source

Patch Changes

• #​10430 aad7f03 Thanks @​renovate! - dependencies updates:
  • Updated dependency @graphql-tools/github-loader@^9.0.0 ↗︎ (from ^8.0.0, in dependencies)
  • Updated dependency @graphql-tools/url-loader@^9.0.0 ↗︎ (from ^8.0.0, in dependencies)
• Updated dependencies []:
  • @​graphql-codegen/client-preset@​5.1.2

ardatan/graphql-tools (@​graphql-tools/url-loader)

v9.0.4

Compare Source

Patch Changes

• Updated dependencies
  [2fe123a]:
  • @​graphql-tools/utils@​10.10.3
  • @​graphql-tools/executor-legacy-ws@​1.1.23

v9.0.3

Compare Source

Patch Changes

• Updated dependencies
  [dddc5f6]:
  • @​graphql-tools/utils@​10.10.2
  • @​graphql-tools/executor-legacy-ws@​1.1.22

ardatan/graphql-tools (@​graphql-tools/utils)

v10.10.3

Compare Source

Patch Changes

• #​7683
  2fe123a
  Thanks @​ardatan! - Revert
  #​7683 which can cause unexpected breaking changes so
  as before the schema extension node will always be converted to a schema definition node

v10.10.2

Compare Source

Patch Changes

• #​7679
  dddc5f6
  Thanks @​ardatan! - Support "federation/subgraph style" schemas in
  astFromSchema and printSchemaWithDirectives

  If a GraphQLSchema doesn't have any defined operation types, we should print the schema
  definition as an extension rather than omitting it entirely. They are not a valid schema on their
  own, but they are valid subgraph schemas in a federation setup, and it is possible to build such
  schemas with assumeValid options.

  // A schema without defined root types
  buildSchema(
    /* GraphQL */ `
      extend schema @​link(url: "https://specs.apollo.dev/federation/v2.0", import: ["@​key"])
  
      type User @​key(fields: "id") {
        id: ID!
        username: String
      }
    `,
    { assumeValid: true, assumeValidSDL: true }
  )

pulumi/pulumi-aws (@​pulumi/aws)

v7.11.1

Compare Source

Does the PR have any schema changes?

Looking good! No breaking changes found.
No new resources/functions.

What's Changed

• fix: ordered list should start at 1 by @​stooj in #​5940
• Update GitHub Actions workflows. by @​pulumi-bot in #​5949

Full Changelog: pulumi/pulumi-aws@v7.11.0...v7.11.1

pulumi/pulumi (@​pulumi/pulumi)

v3.207.0

Compare Source

3.207.0 (2025-11-12)

Features

• [cli] Log gRPC requests before invoking them in gRPC debug interceptor
  #​20817

• [engine] Add ReplaceWith resource option to allow one resource's replace operations to trigger another's
  #​20693

• [sdkgen/python] Allow all PEP440 version specifiers to be used

Bug Fixes

• [cli/import] Return errors when an import fails
  #​20904

• [engine] Fix parenting of resources in some cases in refresh --run-program
  #​20894

• [engine] Fix StackReference secrets performance
  #​20908

• [programgen] Do not panic when re-writing type-invalid PCL
  #​20770

• [sdk/go] Fix import path in instructions when linking a package in Go
  #​20888

• [sdk/nodejs] Fix closure serialization on Node.js v25.2.0
  #​20913

• [sdk/{nodejs,python}] Avoid cancellations due to do slow processing of requests

• [sdk/python] Avoid cancellations due to do slow processing of requests in the callbacks server
  #​20917

Miscellaneous

• [engine] Stop sending ConfigPropertyMap as part of RunRequest
  #​20887

vitejs/vite-plugin-react (@​vitejs/plugin-react)

v5.1.1

Compare Source

Update code to support newer rolldown-vite (#​976)

rolldown-vite will remove optimizeDeps.rollupOptions in favor of optimizeDeps.rolldownOptions soon. This plugin now uses optimizeDeps.rolldownOptions to support newer rolldown-vite. Please update rolldown-vite to the latest version if you are using an older version.

postcss/autoprefixer (autoprefixer)

v10.4.22

Compare Source

• Fixed stretch prefixes on new Can I Use database.
• Updated fraction.js.

aws/aws-cdk (aws-cdk-lib)

v2.223.0

Compare Source

⚠ BREAKING CHANGES

L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

• aws-dynamodb: AWS::DynamoDB::GlobalTable: GlobalTableSettingsReplicationMode property removed.
• aws-dynamodb: AWS::DynamoDB::GlobalTable: GlobalTableSourceArn property removed.
• aws-dynamodb: AWS::DynamoDB::Table: GlobalTableSettingsReplicationMode property removed.
• aws-events: AWS::Events::EventBusPolicy: Id attribute removed.

Features

• update L1 CloudFormation resource definitions (#​35926) (3f4d585)
• ec2: support for Cloud Wan Core Network routes (#​35008) (fba027b)
• s3-deployment: support securityGroups in BucketDeploymentProps (#​33233) (f2a3166), closes #​33229

Bug Fixes

• stepfunctions: DistributedMap ResultWriter correct query language selection (#​35834) (75b8ead), closes #​35403
• onEvent function to pass all the options to rule resource (#​35829) (3d7023d)

---

Alpha modules (2.223.0-alpha.0)

evanw/esbuild (esbuild)

v0.27.0

Compare Source

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.26.0 or ~0.26.0. See npm's documentation about semver for more information.

• Use Uint8Array.fromBase64 if available (#​4286)

  With this release, esbuild's binary loader will now use the new Uint8Array.fromBase64 function unless it's unavailable in the configured target environment. If it's unavailable, esbuild's previous code for this will be used as a fallback. Note that this means you may now need to specify target when using this feature with Node (for example --target=node22) unless you're using Node v25+.

• Update the Go compiler from v1.23.12 to v1.25.4 (#​4208, #​4311)

  This raises the operating system requirements for running esbuild:

  • Linux: now requires a kernel version of 3.2 or later
  • macOS: now requires macOS 12 (Monterey) or later

v0.26.0

Compare Source

• Enable trusted publishing (#​4281)

  GitHub and npm are recommending that maintainers for packages such as esbuild switch to trusted publishing. With this release, a VM on GitHub will now build and publish all of esbuild's packages to npm instead of me. In theory.

  Unfortunately there isn't really a way to test that this works other than to do it live. So this release is that live test. Hopefully this release is uneventful and is exactly the same as the previous one (well, except for the green provenance attestation checkmark on npm that happens with trusted publishing).

fastify/fastify (fastify)

v5.6.2

Compare Source

pnpm/pnpm (pnpm)

v10.22.0

Compare Source

v10.21.0

Compare Source

sveltejs/svelte (svelte)

v5.43.6

Compare Source

Patch Changes

• fix: don't deactivate other batches (#​17132)

v5.43.5

Compare Source

Patch Changes

• fix: ensure async static props/attributes are awaited (#​17120)

• fix: wait on dependencies of async bindings (#​17120)

• fix: await dependencies of style directives (#​17120)

sveltejs/language-tools (svelte-check)

v4.3.4

Compare Source

Patch Changes

• chore: use machine format when run by Claude Code (#​2870)

cloudflare/workers-sdk (wrangler)

v4.48.0

Minor Changes

• #​11212 3908162 Thanks @​dario-piotrowicz! - Add autoconfig changes summary for wrangler deploy --x-autoconfig with the option for users to cancel the operation

• #​11229 14d79f2 Thanks @​dario-piotrowicz! - Enables experimental-deploy-remote-diff-check flag by default (the flag is still present for now so that users can turn it off if needed) and improves the remote config diffing logic (to include less noise in the diff presented to the user)

• #​11245 dfc6513 Thanks @​vicb! - Change how Wrangler selects default ports for dev sessions.

  If no port is specified, Wrangler now probes the default port and the 10 consecutive ports after it before falling back to a random port.
  This will help getting a stable port number across dev sessions.
  Both the http server and inspector ports are affected.

Patch Changes

• #​11177 43fe9f3 Thanks @​MattieTK! - Added bun detection to package manager analytics

• Updated dependencies [305ffb3, 46ccf0e]:

  • miniflare@​4.20251109.1

v4.47.0

Compare Source

Minor Changes

• #​11201 5286309 Thanks @​avenceslau! - Add wrangler workflows instances restart command

• #​11214 5cf8a39 Thanks @​penalosa! - Add the experimental wrangler setup command to run autoconfig outside of the deploy flow.

• #​11187 8abc789 Thanks @​dario-piotrowicz! - Add possibility for users to edit their project settings during autoconfig

  When running wrangler deploy --experimental-autoconfig, after the automatic project settings detection Wrangler will now present users the opportunity to customize the auto-detected project's settings

Patch Changes

• #​11143 2d16610 Thanks @​FlorentCollin! - Improve the formatting of the D1 execute command to always show the duration in milliseconds with two decimal places.

• #​11178 63defa2 Thanks @​ascorbic! - Log a more helpful error when attempting to "r2 object put" a non-existent file

• #​11199 70d3d4a Thanks @​penalosa! - Add telemetry to autoconfig

• #​11186 38396ed Thanks @​hoodmane! - Removed warning when deploying a Python worker

• #​11024 cdcecfc Thanks @​devin-ai-integration! - Use the native node:trace_events module when available

  It is enabled when the enable_nodejs_trace_events_module compatibility flag is set.

• #​11195 e85f965 Thanks @​ascorbic! - Ignores .dev.vars if --env-file has been explicitly passed

  Previously, .dev.vars would always be read first, and then any file passed with --env-file would override variables in .dev.vars. This meant there was no way to ignore .dev.vars if you wanted to use a different env file. Now, if --env-file is passed, .dev.vars will be ignored entirely.

• #​11181 88aa707 Thanks @​petebacondarwin! - add more logging around Wrangler authentication to help diagnose issues

• Updated dependencies [dd7d584, 4259256, cdcecfc]:

  • miniflare@​4.20251109.0
  • @​cloudflare/unenv-preset@​2.7.10

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[github-actions]

🚀 Snapshot Release (alpha)

The latest changes of this PR are available as alpha on npm (based on the declared changesets):

Package	Version	Info
@graphql-yoga/graphiql	4.4.4-alpha-20251113122836-28ca0bfb85d875e1f7e673f0c32d0303cc7235a3	npm ↗︎ unpkg ↗︎

[github-actions]

Apollo Federation Subgraph Compatibility Results

Federation 1 Support	Federation 2 Support
_service 🟢 @key (single) 🟢 @key (multi) 🟢 @key (composite) 🟢 repeatable @key 🟢 @requires 🟢 @provides 🟢 federated tracing 🟢	@link 🟢 @shareable 🟢 @tag 🟢 @override 🟢 @inaccessible 🟢 @composeDirective 🟢 @interfaceObject 🟢

Learn more:

• Apollo Federation Subgraph Specification
• Compatibility Tests

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[github-actions]

💻 Website Preview

The latest changes are available as preview in: https://pr-4286.graphql-yoga.pages.dev

[github-actions]

✅ Benchmark Results

     ✓ no_errors{mode:graphql}
     ✓ expected_result{mode:graphql}
     ✓ no_errors{mode:graphql-jit}
     ✓ expected_result{mode:graphql-jit}
     ✓ no_errors{mode:graphql-response-cache}
     ✓ expected_result{mode:graphql-response-cache}
     ✓ no_errors{mode:graphql-no-parse-validate-cache}
     ✓ expected_result{mode:graphql-no-parse-validate-cache}
     ✓ no_errors{mode:uws}
     ✓ expected_result{mode:uws}

     checks.......................................: 100.00% ✓ 530436      ✗ 0     
     data_received................................: 2.1 GB  14 MB/s
     data_sent....................................: 107 MB  711 kB/s
     http_req_blocked.............................: avg=1.39µs   min=794ns    med=1.24µs   max=282.1µs  p(90)=1.81µs   p(95)=2.09µs  
     http_req_connecting..........................: avg=2ns      min=0s       med=0s       max=136.18µs p(90)=0s       p(95)=0s      
     http_req_duration............................: avg=355.28µs min=195.19µs med=321.47µs max=16.92ms  p(90)=478.03µs p(95)=508.45µs
       { expected_response:true }.................: avg=355.28µs min=195.19µs med=321.47µs max=16.92ms  p(90)=478.03µs p(95)=508.45µs
     ✓ { mode:graphql-jit }.......................: avg=274.86µs min=195.19µs med=252.8µs  max=16.92ms  p(90)=293.3µs  p(95)=311.9µs 
     ✓ { mode:graphql-no-parse-validate-cache }...: avg=507.59µs min=410.27µs med=481.85µs max=6.57ms   p(90)=535µs    p(95)=557.72µs
     ✓ { mode:graphql-response-cache }............: avg=327.23µs min=241.06µs med=308.15µs max=13.04ms  p(90)=348.18µs p(95)=363.52µs
     ✓ { mode:graphql }...........................: avg=363.08µs min=270.04µs med=334.42µs max=13.77ms  p(90)=388.23µs p(95)=438.66µs
     ✓ { mode:uws }...............................: avg=351.15µs min=269.11µs med=330.5µs  max=6.92ms   p(90)=370.05µs p(95)=388µs   
     http_req_failed..............................: 0.00%   ✓ 0           ✗ 265218
     http_req_receiving...........................: avg=30.2µs   min=12.08µs  med=28.86µs  max=2.83ms   p(90)=39.54µs  p(95)=43.39µs 
     http_req_sending.............................: avg=7.43µs   min=4.53µs   med=6.59µs   max=1.05ms   p(90)=10.19µs  p(95)=11.88µs 
     http_req_tls_handshaking.....................: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting.............................: avg=317.64µs min=172.06µs med=285.74µs max=16.79ms  p(90)=439.72µs p(95)=465.42µs
     http_reqs....................................: 265218  1768.106525/s
     iteration_duration...........................: avg=561.02µs min=358.17µs med=522.17µs max=17.55ms  p(90)=686.07µs p(95)=727.23µs
     iterations...................................: 265218  1768.106525/s
     vus..........................................: 1       min=1         max=1   
     vus_max......................................: 2       min=2         max=2