chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@azure/cosmos (source)	^4.9.1 → ^4.9.2
@azure/identity (source)	^4.13.0 → ^4.13.1
@electric-sql/pglite (source)	^0.4.0 → ^0.4.2
@libsql/client (source)	^0.17.0 → ^0.17.2
@planetscale/database	^1.19.0 → ^1.20.1
@types/jsdom (source)	^28.0.0 → ^28.0.1
@typescript/native-preview (source)	^7.0.0-dev.20260319.1 → ^7.0.0-dev.20260325.1
@upstash/redis (source)	^1.36.2 → ^1.37.0
@vitest/coverage-v8 (source)	^4.1.0 → ^4.1.1
ioredis	^5.9.3 → ^5.10.1
ioredis	^5.10.0 → ^5.10.1
jsdom	^29.0.0 → ^29.0.1
lru-cache	^11.2.6 → ^11.2.7
mlly	^1.8.1 → ^1.8.2
mongodb	^7.1.0 → ^7.1.1
oxfmt (source)	^0.41.0 → ^0.42.0
oxlint (source)	^1.56.0 → ^1.57.0
pnpm (source)	10.32.1 → 10.33.0
pnpm (source)	10.30.2 → 10.33.0
srvx (source)	^0.11.12 → ^0.11.13
vite (source)	^8.0.1 → ^8.0.3
vitest (source)	^4.1.0 → ^4.1.1
wrangler (source)	^4.75.0 → ^4.77.0

---

Release Notes

Azure/azure-sdk-for-js (@​azure/cosmos)

v4.9.2

Compare Source

electric-sql/pglite (@​electric-sql/pglite)

v0.4.2

Compare Source

Patch Changes

• 41632c4: Allow passing initdb.wasm asset for bundlers that need it.

v0.4.1

Patch Changes

• 37fb39e: clear timers on exit; remove pglite-socket dependency on pglite-postgis

tursodatabase/libsql-client-ts (@​libsql/client)

v0.17.2

Compare Source

v0.17.1

Compare Source

planetscale/database-js (@​planetscale/database)

v1.20.1

Compare Source

What's Changed

• Add npm trusted publisher workflow by @​mattrobenolt in #​197
• Detect Cloudflare errors in UnknownError messaging by @​mattrobenolt in #​198

Full Changelog: planetscale/database-js@v1.20.0...v1.20.1

v1.20.0

Compare Source

What's Changed

• README: remove extra docs by @​nickvanw in #​184
• Update README by @​iheanyi in #​189
• Add link to postgres documentation by @​SimeonGriggs in #​194
• Add UnknownError with full response context for non-JSON API errors by @​mattrobenolt in #​196

New Contributors

• @​SimeonGriggs made their first contribution in #​194

Full Changelog: planetscale/database-js@v1.19.0...v1.20.0

microsoft/typescript-go (@​typescript/native-preview)

v7.0.0-dev.20260325.1

Compare Source

v7.0.0-dev.20260324.1

Compare Source

v7.0.0-dev.20260323.1

Compare Source

v7.0.0-dev.20260322.1

Compare Source

v7.0.0-dev.20260321.1

Compare Source

v7.0.0-dev.20260320.1

Compare Source

upstash/redis-js (@​upstash/redis)

v1.37.0

Compare Source

Minor Changes

• 6f2a831: Release redis search

Patch Changes

• 3980b45: Add monorepo structure

v1.36.4

Compare Source

What's Changed

• fix: prevent more than one script init running at once by @​myandrienko in #​1411
• DX-2479: strip v prefix from version in release workflow by @​CahidArda in #​1417

New Contributors

• @​myandrienko made their first contribution in #​1411

Full Changelog: upstash/redis-js@v1.36.3...v1.36.4

v1.36.3

Compare Source

What's Changed

• DX-2278: use npm OIDC by @​CahidArda in #​1408
• DX-2446: expose TData generic on xrange and xrevrange by @​CahidArda in #​1414
• DX-2439: add sintercard by @​CahidArda in #​1413

Full Changelog: upstash/redis-js@v1.36.2...v1.36.3

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.1

Compare Source

   🚀 Features

• experimental:
  • Expose matchesTagsFilter to test if the current filter matches tags  -  by @​sheremet-va in #​9913 (eec53)
  • Introduce experimental.vcsProvider  -  by @​sheremet-va in #​9928 (56115)

   🐞 Bug Fixes

• Mark TestProject.testFilesList internal properly  -  by @​sapphi-red in #​9867 (54f26)
• Detect fixture that returns without calling use  -  by @​oilater in #​9831 and #​9861 (633ae)
• Drop vite 8.beta support  -  by @​AriPerkkio in #​9862 (b78f5)
• Type regression in vi.mocked() static class methods  -  by @​purepear and @​hi-ogawa in #​9857 (90926)
• Properly re-evaluate actual modules of mocked external  -  by @​hi-ogawa in #​9898 (ae5ec)
• Preserve coverage report when html reporter overlaps  -  by @​hi-ogawa in #​9889 (2d81a)
• Provide vi.advanceTimers to the preview provider  -  by @​sheremet-va in #​9891 (1bc3e)
• Don't leak event listener in playwright provider  -  by @​sheremet-va in #​9910 (d9355)
• Open browser in --standalone mode without running tests  -  by @​sheremet-va in #​9911 (e78ad)
• Guard disposable and optional body  -  by @​sheremet-va in #​9912 (6fdb2)
• Resolve retry.condition RegExp serialization issue  -  by @​nstepien and @​hi-ogawa in #​9942 (7b605)
• collect:
  • Don't treat extra props on test return as tests  -  by @​sheremet-va in #​9871 (141e7)
• coverage:
  • Simplify provider types  -  by @​AriPerkkio in #​9931 (aaf9f)
  • Load built-in provider without module runner  -  by @​AriPerkkio in #​9939 (bf892)
• expect:
  • Soft assertions continue after .resolves/.rejects promise errors  -  by @​mixelburg, Maks Pikov, Claude Opus 4.6 (1M context) and @​hi-ogawa in #​9843 (6d74b)
  • Fix sinon-chai style API  -  by @​hi-ogawa in #​9943 (0f08d)
• pretty-format:
  • Limit output for large object  -  by @​hi-ogawa and Claude Opus 4.6 (1M context) in #​9949 (0d5f9)

    View changes on GitHub

luin/ioredis (ioredis)

v5.10.1

Compare Source

Bug Fixes

• cluster: lazily start sharded subscribers (#​2090) (4f167bb)

v5.10.0

Compare Source

Features

• add hash field expiration commands and tests (5219f9f)
• add hexpireat & hexpiretime (#​2082) (b38124f)

5.9.3 (2026-02-12)

Bug Fixes

• autopipelining to route writes to masters with scaleReads (#​2072) (8adb1ae)
• fix issue with moved command for replicas (#​2064) (de4eed4)
• types: optional properties on RedisOptions allow explicit undefined (#​2066) (0a1a898)

5.9.3 (2026-02-12)

Bug Fixes

• autopipelining to route writes to masters with scaleReads (#​2072) (8adb1ae)
• fix issue with moved command for replicas (#​2064) (de4eed4)
• types: optional properties on RedisOptions allow explicit undefined (#​2066) (0a1a898)

5.9.2 (2026-01-15)

Bug Fixes

• cluster: Cluster reconnect sharded subscribers (#​2060) (def9804)
• preserve replica slots on MOVED in pipelines (#​2059) (a1c3e9d)

Reverts

• Revert "fix: preserve replica slots on MOVED in pipelines (#​2059)" (#​2062) (517b932), closes #​2059 #​2062

5.9.1 (2026-01-08)

Bug Fixes

• make client-side blocking timeouts opt-in (#​2058) (07ed493)

jsdom/jsdom (jsdom)

v29.0.1

Compare Source

isaacs/node-lru-cache (lru-cache)

v11.2.7

Compare Source

unjs/mlly (mlly)

v1.8.2

Compare Source

compare changes

🩹 Fixes

• Extract variable names ignoring function calls (#​336)
• Generic angle bracket parsing (#​341)

📖 Documentation

• Fix typo (#​333)

🏡 Chore

• Update deps (12913db)
• Lint (33495f9)
• release: V1.8.1 (ed17783)
• Update deps (1b09363)

❤️ Contributors

• Florian Heuberger (@​Flo0806)
• Pooya Parsa (@​pi0)
• AngelHdz <angel.hernandez.12@​live.com>
• Daniel Roe (@​danielroe)

mongodb/node-mongodb-native (mongodb)

v7.1.1

Compare Source

The MongoDB Node.js team is pleased to announce version 7.1.1 of the mongodb package!

Release Notes

Tighten OIDC ALLOWED_HOSTS wildcard matching

The OIDC ALLOWED_HOSTS wildcard handling has been fixed to require full subdomain/path matches for *. and */ entries, preventing partial suffix matches from being incorrectly accepted.

Fixed TCP keep-alive and no-delay settings not being applied on TLS connections

Due to a Node.js bug, tls.connect() silently ignores keepAlive, keepAliveInitialDelay, and noDelay options passed through its constructor. This could cause idle connections - particularly through cloud load balancers like Azure (240s idle timeout) or AWS PrivateLink/NLB - to be dropped unexpectedly due to missing TCP keep-alive probes.

The driver now explicitly calls setKeepAlive() and setNoDelay() on the socket after creation, ensuring these settings are always applied regardless of whether TLS is used.

Bug Fixes

• NODE-7477: OIDC host allowlist fix (#​4896) (237c9ab)
• NODE-7482: explicitly call setKeepAlive and setNoDelay on socket (#​4900) (b14ba21)

Documentation

• Reference
• API
• Changelog

We invite you to try the mongodb library immediately, and report any issues to the NODE project.

oxc-project/oxc (oxfmt)

v0.42.0

Compare Source

🚀 Features

• 416865a formatter,oxfmt: Add doc comments for JsdocConfig (#​20644) (leaysgur)
• 4fec907 formatter: Add JSDoc comment formatting support (#​19828) (Dunqing)

oxc-project/oxc (oxlint)

v1.57.0

Compare Source

pnpm/pnpm (pnpm)

v10.33.0

Compare Source

h3js/srvx (srvx)

v0.11.13

Compare Source

compare changes

🩹 Fixes

• url: Deopt absolute URIs in FastURL (de0d699)

🏡 Chore

• Update deps (4e6ace6)
• Update deps (6a72a00)
• Fix type issue (ed8cc2b)
• Apply automated updates (7375fed)
• Update deps (8f4bc4f)

❤️ Contributors

• Pooya Parsa (@​pi0)

vitejs/vite (vite)

v8.0.3

Features

• update rolldown to 1.0.0-rc.12 (#​22024) (84164ef)

Bug Fixes

• html: cache unfiltered CSS list to prevent missing styles across entries (#​22017) (5464190)
• module-runner: handle non-ascii characters in base64 sourcemaps (#​21985) (77c95bf)
• module-runner: skip re-import if the runner is closed (#​22020) (ee2c2cd)
• optimizer: scan is not resolving sub path import if used in a glob import (#​22018) (ddfe20d)
• ssr: ssrTransform incorrectly rewrites meta identifier inside import.meta when a binding named meta exists (#​22019) (cff5f0c)

Miscellaneous Chores

• deps: bump picomatch from 4.0.3 to 4.0.4 (#​22027) (7e56003)

Tests

• html: add tests for getCssFilesForChunk (#​22016) (43fbbf9)

v8.0.2

Compare Source

Features

• update rolldown to 1.0.0-rc.11 (#​21998) (ff91c31)

Bug Fixes

• deps: update all non-major dependencies (#​21988) (9b7d150)

Miscellaneous Chores

• deps: update dependency @​vitejs/devtools to ^0.1.5 (#​21992) (b2dd65b)

cloudflare/workers-sdk (wrangler)

v4.77.0

Compare Source

Minor Changes

• #​13023 593c4db Thanks @​jamesopstad! - Add wrangler versions upload support for the experimental secrets configuration property

  When the new secrets property is defined, wrangler versions upload now validates that all secrets declared in secrets.required are configured on the Worker before the upload succeeds. If any required secrets are missing, the upload fails with a clear error listing which secrets need to be set.

  When secrets is not defined, the existing behavior is unchanged.

  // wrangler.jsonc
  {
    "secrets": {
      "required": ["API_KEY", "DB_PASSWORD"]
    }
  }

• #​12732 c2e9163 Thanks @​jamesopstad! - Add deploy support for the experimental secrets configuration property

  When the new secrets property is defined, wrangler deploy now validates that all secrets declared in secrets.required are configured on the Worker before the deploy succeeds. If any required secrets are missing, the deploy fails with a clear error listing which secrets need to be set.

  When secrets is not defined, the existing behavior is unchanged.

  // wrangler.jsonc
  {
    "secrets": {
      "required": ["API_KEY", "DB_PASSWORD"]
    }
  }

Patch Changes

• #​12896 451dae3 Thanks @​petebacondarwin! - fix: Add retry and timeout protection to remote preview API calls

  Remote preview sessions (wrangler dev --remote) now automatically retry transient 5xx API errors (up to 3 attempts with linear backoff) and enforce a 30-second per-request timeout. Previously, a single hung or failed API response during session creation or worker upload could block the dev session reload indefinitely.

• #​12569 379f2a2 Thanks @​MattieTK! - Use qwik add cloudflare-workers instead of qwik add cloudflare-pages for Workers targets

  Both the wrangler autoconfig and C3 Workers template for Qwik were running qwik add cloudflare-pages even when targeting Cloudflare Workers. This caused the wrong adapter directory structure to be scaffolded (adapters/cloudflare-pages/ instead of adapters/cloudflare-workers/), and required post-hoc cleanup of Pages-specific files like _routes.json.

  Qwik now provides a dedicated cloudflare-workers adapter that generates the correct Workers configuration, including wrangler.jsonc with main and assets fields, a public/.assetsignore file, and the correct adapters/cloudflare-workers/vite.config.ts.

  Also adds --skipConfirmation=true to all qwik add invocations so the interactive prompt is skipped in automated contexts.

• #​11899 9a1cf29 Thanks @​hoodmane! - Remove cf-requirements support for Python workers. It hasn't worked with the runtime for a while now.

• #​11800 875da60 Thanks @​southpolesteve! - Add upgrade hint to unexpected configuration field warnings when an update is available

  When Wrangler encounters unexpected fields in the configuration file and a newer version of Wrangler is available, it now displays a message suggesting to update. This helps users who may be using configuration options that were added in a newer version of Wrangler.

• Updated dependencies [b8f3309, 5aaaab2, 5aaaab2, f8516dd, 9c9fe30, 6a6449e]:

  • miniflare@​4.20260317.2

v4.76.0

Compare Source

Minor Changes

• #​12893 782df44 Thanks @​gpanders! - Rewrite wrangler containers list to use the paginated Dash API endpoint

  wrangler containers list now fetches from the /dash/applications endpoint instead of /applications, displaying results in a paginated table with columns for ID, Name, State, Live Instances, and Last Modified. Container state is derived from health instance counters (active, degraded, provisioning, ready).

  The command supports --per-page (default 25) for interactive pagination with Enter to load more and q/Esc to quit, and --json for machine-readable output. Non-interactive environments load all results in a single request.

• #​12957 62545c9 Thanks @​natewong1313! - Add Stream binding support to Wrangler and workers-utils

  Wrangler and workers-utils now recognize the stream binding in configuration, deployment metadata, and generated worker types. This enables projects to declare Stream bindings in wrangler.json and have the binding represented consistently across validation, metadata mapping, and type generation.

• #​12848 ce48b77 Thanks @​emily-shen! - Enable local explorer by default

  This ungates the local explorer, a UI that lets you inspect the state of D1, DO and KV resources locally by visiting /cdn-cgi/explorer during local development.

  Note: this feature is still experimental, and can be disabled by setting the env var X_LOCAL_EXPLORER=false.

Patch Changes

• #​12938 71ab981 Thanks @​dario-piotrowicz! - Add backward-compatible autoconfig support for Astro v5 and v4 projects

  The astro add cloudflare command in older Astro versions installs the latest adapter version, which causes compatibility issues. This change adds manual configuration logic for projects using Astro versions before 6.0.0:

  • Astro 6.0.0+: Uses the native astro add cloudflare command (unchanged behavior)
  • Astro 5.x: Installs @astrojs/cloudflare@12 and manually configures the adapter
  • Astro 4.x: Installs @astrojs/cloudflare@11 and manually configures the adapter
  • Astro < 4.0.0: Returns an error prompting the user to upgrade

• #​11892 7c3c6c6 Thanks @​staticpayload! - Handle registry ports when matching container image digests

  Wrangler now strips tags without breaking registry ports when comparing local images to remote digests. This prevents unnecessary pushes for tags like localhost:5000/app:tag.

• Updated dependencies [3c988e2, d028ffb, cb71403, 3a1c149, ce48b77, 8729f3d]:

  • miniflare@​4.20260317.1
  • @​cloudflare/unenv-preset@​2.16.0

---

Configuration

📅 Schedule: Branch creation - "after 2am and before 3am" (UTC), Automerge - "after 1am and before 2am" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.87%. Comparing base (b5b0449) to head (cb2cad1).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #761      +/-   ##
==========================================
+ Coverage   64.81%   64.87%   +0.06%     
==========================================
  Files          43       43              
  Lines        2234     2238       +4     
  Branches      522      524       +2     
==========================================
+ Hits         1448     1452       +4     
  Misses        678      678              
  Partials      108      108              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.