chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
@cwcss/crosswind	^0.1.3 → ^0.1.6					dependencies	patch
@types/bun (source)	^1.3.9 → ^1.3.11					devDependencies	patch
@vscode/vsce (source)	^3.7.2-9 → ^3.7.2-10					devDependencies	patch
actions/cache	v5.0.3 → v5.0.4					action	patch
happy-dom	^20.8.4 → ^20.8.8					dependencies	patch
isomorphic-dompurify	^3.5.1 → ^3.7.1					dependencies	minor
liquidjs	^10.25.0 → ^10.25.2					dependencies	patch
marked (source)	^17.0.4 → ^17.0.5					dependencies	patch
oven-sh/setup-bun	v2.1.2 → v2.2.0					action	minor
shivammathur/setup-php	2.36.0 → 2.37.0					action	minor
ws	^8.19.0 → ^8.20.0					dependencies	minor

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

cwcss/crosswind (@​cwcss/crosswind)

v0.1.6

Compare Source

v0.1.5

Compare Source

Full Changelog: cwcss/crosswind@v0.1.4...v0.1.5

Microsoft/vsce (@​vscode/vsce)

v3.7.2-10

Compare Source

Changes:

• #​1252: Bump yauzl from 2.10.0 to 3.2.1

This list of changes was auto generated.

actions/cache (actions/cache)

v5.0.4

Compare Source

capricorn86/happy-dom (happy-dom)

v20.8.8

Compare Source

👷‍♂️ Patch fixes

• Fixes issue where export names can be interpolated as executable code in ESM - By @​capricorn86 in task #​2113
  • A security advisory (GHSA-6q6h-j7hj-3r64) has been reported that shows a security vulnerability where it's possible to escape the VM context and get access to process level functionality. Big thanks to @​tndud042713 for reporting this!

v20.8.7

Compare Source

v20.8.6

Compare Source

v20.8.5

Compare Source

kkomelin/isomorphic-dompurify (isomorphic-dompurify)

v3.7.1

Compare Source

Bug Fix

• Fixed missing browser type declarations — browser.d.ts and browser.d.mts were not included in the 3.7.0 published package due to a race condition in the build process. This caused TS7016: Could not find a declaration file for module 'isomorphic-dompurify' errors in tsgo and TypeScript 6 when resolving through the default (browser) exports condition. (#​411)

Thanks to @​asterikx and @​ElPrudi for their help with the issue.

v3.7.0: : TypeScript 6 compatibility

Compare Source

TypeScript 6 compatibility fixes:

• Add explicit type annotation for sanitize to satisfy TS6
• Silence baseUrl deprecation warning from tsup dts build in TS6

Dependency updates:

• bump typescript from 5.9.3 to 6.0.2
• bump vitest from 4.1.0 to 4.1.1

v3.6.0: : Updated dependencies

Compare Source

Dependency updates:

• bump jsdom from 29.0.0 to 29.0.1
• bump @​types/jsdom from 28.0.0 to 28.0.1
• bump @​biomejs/biome from 2.4.7 to 2.4.8

harttle/liquidjs (liquidjs)

v10.25.2

Compare Source

Bug Fixes

• handle undefined replacement argument in replace filter (#​864) (0ad2b11)

v10.25.1

Compare Source

Bug Fixes

• mem limiter for invalid ranges (95ddefc)
• treat args for replace_first as literal (35d5230)

markedjs/marked (marked)

v17.0.5

Compare Source

Bug Fixes

• Fix catastrophic backtracking (ReDoS) in link/reflink label regex (#​3918) (4625980)
• prevent quadratic complexity in emStrongLDelim regex (#​3906) (c732dd2)
• prevent single-tilde strikethrough false positives (#​3910) (5e03369)
• re-assign tokenizer.lexer and renderer.parser at start of each parse call (#​3907) (f3a3ec0)
• trim trailing whitespace from lheading text (#​3920) (3ea7e88)

oven-sh/setup-bun (oven-sh/setup-bun)

v2.2.0

Compare Source

oven-sh/setup-bun is the github action for setting up Bun.

What's Changed

• build: update action runtime to Node.js 24 by @​adam0white in #​176
• ci: use actions/checkout@v6.0.2 in the test workflow by @​tcely in #​173
• ci: update actions for the autofix.ci workflow by @​tcely in #​174
• ci: update actions for the Release new action version workflow by @​tcely in #​175
• release: v2.2.0 by @​xhyrom in #​177

New Contributors

• @​adam0white made their first contribution in #​176
• @​tcely made their first contribution in #​173

Full Changelog: oven-sh/setup-bun@v2...v2.2.0

v2.1.3

Compare Source

oven-sh/setup-bun is the github action for setting up Bun.

What's Changed

• perf: avoid unnecessary api calls by @​xhyrom in #​161
• feat: add bun- prefix to cache keys by @​maschwenk in #​160
• fix: use native Windows ARM64 binary for Bun >= 1.3.10 by @​oddrationale in #​165
• feat: add AVX2 support detection for x64 Linux systems by @​GoForceX in #​167
• fix: validate cached binary version matches requested version (#​146) by @​wyMinLwin in #​169
• release: v2.1.3 by @​xhyrom in #​170

New Contributors

• @​oddrationale made their first contribution in #​165
• @​GoForceX made their first contribution in #​167
• @​wyMinLwin made their first contribution in #​169

Full Changelog: oven-sh/setup-bun@v2...v2.1.3

shivammathur/setup-php (shivammathur/setup-php)

v2.37.0

Compare Source

Changelog

• Updated the action to use Node.js 24. (#​1049)

• Added support for master in the php-version input. It should now set up a nightly build from the master branch of php-src.

• Added support to install ioncube and zephir_parser extensions on PHP 8.5.

• Expanded support for installing extensions using Homebrew on macOS from the shivammathur/homebrew-extensions tap. This includes pdo_firebird, sqlsrv, pdo_sqlsrv, pecl_http, swow, xhprof, and several other supported extensions.

• Improved switching PHP versions on Linux. Missing alternatives should now be registered automatically before switching versions. #​1067

• Improved support for Homebrew on macOS. It should now retry stuck brew commands with an inactivity watchdog.

• Improved support for adding tools. It should now correctly use the latest release download URL when a version is not specified. (#​1064)

• Improved tool setup and caching on self-hosted runners.

• Improved support for sqlsrv and pdo_sqlsrv on PHP 8.1 and 8.2.

• Fixed installing pecl_http on Windows. Switched to downloads.php.net for fixing ICU version post install.

• Fixed cached couchbase installs on macOS using the shivammathur/cache-extensions action.

• Replaced @actions/core with local functions to reduce bundle size.

• Refactored to use ES2024+ features for Node 24.

• Updated actions used in examples to their latest versions.

• Updated Node.js dependencies.

Thanks @​theluckystrike for the contribution 🎉

Thanks @​code-kudu, @​ssddanbrown, @​RoundingWell, and @​ntzrbtr for the sponsorship ❤️

For the complete list of changes, please refer to the Full Changelog

Follow for updates

websockets/ws (ws)

v8.20.0

Compare Source

Features

• Added exports for the PerMessageDeflate class and utilities for the
  Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1).

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

❌ Deploy Preview for stacks-stx failed. Why did it fail? →

Name	Link
🔨 Latest commit	d0294b8
🔍 Latest deploy log	https://app.netlify.com/projects/stacks-stx/deploys/69c41c3163d66b000805f345

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/bun-plugin-stx@1648

npm i https://pkg.pr.new/@stacksjs/components@1648

npm i https://pkg.pr.new/@stacksjs/stx@1648

commit: 6b0b67b