chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
crate-ci/typos	action	patch	v1.42.1 → v1.42.3
pnpm (source)	packageManager	patch	10.28.1 → 10.28.2

---

Release Notes

crate-ci/typos (crate-ci/typos)

v1.42.3

Compare Source

Bug Fixes

• Ignore numbers as identifiers (a00831c8)
• Improve the organization of --help (a48a457c)

Features

• Dump files, identifiers, and words (ce365ae1, closes #​41)
• Give control over allowed identifier characters for leading vs rest (107308a6)

Performance

• Use standard identifier rules to avoid doing umber checks (107308a6)
• Only do hex check if digits are in identifiers (68cd36d0)

v1.42.2

Compare Source

Bug Fixes

• Ignore numbers as identifiers (a00831c8)
• Improve the organization of --help (a48a457c)

Features

• Dump files, identifiers, and words (ce365ae1, closes #​41)
• Give control over allowed identifier characters for leading vs rest (107308a6)

Performance

• Use standard identifier rules to avoid doing umber checks (107308a6)
• Only do hex check if digits are in identifiers (68cd36d0)

pnpm/pnpm (pnpm)

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

• Security fix: prevent path traversal in directories.bin field.

• When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

  This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

  Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

• Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Gold Sponsors

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 3 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 53, reused 0, downloaded 0, added 0
/tmp/renovate/repos/github/TDesignOteam/workflows/packages/close-release-issue:
 ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "@octokit/plugin-paginate-rest@9.2.2" (possible package takeover)

This error happened while installing the dependencies of @actions/github@7.0.0

Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had provenance attestation, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.