Update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@types/node (source)	24.10.4 → 24.12.2			devDependencies	minor
autoprefixer	10.4.23 → 10.5.0			devDependencies	minor
babel-loader	10.0.0 → 10.1.1			devDependencies	minor
better-sqlite3	12.5.0 → 12.9.0			devDependencies	minor
canvas	3.2.0 → 3.2.3			devDependencies	patch
css-loader	7.1.2 → 7.1.4			devDependencies	patch
html-webpack-plugin	5.6.5 → 5.6.6			devDependencies	patch	5.6.7
iconv-lite	0.7.1 → 0.7.2			devDependencies	patch
jimp	1.6.0 → 1.6.1			devDependencies	patch
jotai	2.16.1 → 2.19.1			devDependencies	minor
mini-css-extract-plugin	2.9.4 → 2.10.2			devDependencies	minor
modern-screenshot	4.6.7 → 4.7.0			devDependencies	minor
nanoid	5.1.6 → 5.1.9			devDependencies	patch
node (source)	24.12 → 24.15				minor
p-queue	9.0.1 → 9.1.2			devDependencies	minor
postcss (source)	8.5.6 → 8.5.10			devDependencies	patch
postcss-loader	8.2.0 → 8.2.1			devDependencies	patch
react (source)	19.2.3 → 19.2.5			devDependencies	patch
react-dom (source)	19.2.3 → 19.2.5			devDependencies	patch
react-error-boundary (source)	6.0.1 → 6.1.1			devDependencies	minor
react-intl (source)	8.0.9 → 8.1.4			devDependencies	minor
sanitize-filename	1.6.3 → 1.6.4			devDependencies	patch
undici (source)	7.24.0 → 7.25.0			devDependencies	minor
webpack	5.104.1 → 5.106.2			devDependencies	minor
webpack-dev-server	5.2.2 → 5.2.3			devDependencies	patch
webpack-sources	3.3.3 → 3.3.4			devDependencies	patch
yarn (source)	4.12.0 → 4.14.0			packageManager	minor	4.14.1
zustand	5.0.9 → 5.0.12			devDependencies	patch

---

Release Notes

postcss/autoprefixer (autoprefixer)

v10.5.0

Compare Source

• Added mask-position-x and mask-position-y support (by @​toporek).

v10.4.27

Compare Source

• Removed development key from package.json.

v10.4.26

Compare Source

• Reduced package size.

v10.4.25

Compare Source

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

v10.4.24

Compare Source

• Made Autoprefixer a little faster (by @​Cherry).

babel/babel-loader (babel-loader)

v10.1.1

Compare Source

v10.1.0

Compare Source

What's Changed

• refactor: use module.findPackageJSON API by @​JLHwung in #​1055
• Enable type checking and support Babel 8 by @​JLHwung in #​1056
• Bump js-yaml from 4.1.0 to 4.1.1 by @​dependabot[bot] in #​1059
• fix: mark webpack as optional peer dependency by @​chenjiahan in #​1061
• Bump webpack from 5.101.0 to 5.104.1 by @​dependabot[bot] in #​1062
• Bump glob from 10.4.5 to 10.5.0 by @​dependabot[bot] in #​1060
• Bump minimatch from 3.1.2 to 3.1.5 by @​dependabot[bot] in #​1063
• Pin Node.js on CI by @​nicolo-ribaudo in #​1064

New Contributors

• @​chenjiahan made their first contribution in #​1061

Full Changelog: babel/babel-loader@v10.0.0...v10.1.0

WiseLibs/better-sqlite3 (better-sqlite3)

v12.9.0

Compare Source

What's Changed

• Update SQLite to version 3.53.0 in #​1464

Full Changelog: WiseLibs/better-sqlite3@v12.8.0...v12.9.0

v12.8.0

Compare Source

What's Changed

• Readme: requires Node.js v20 or later by @​Prinzhorn in #​1443
• Update SQLite to version 3.51.3 in #​1460
• fix: use HolderV2() for PropertyCallbackInfo on V8 >= 12.5 by @​tstone-1 in #​1459

New Contributors

• @​tstone-1 made their first contribution in #​1459

Why SQLite v3.51.3 instead of v3.52.0

From the SQLite team:

Some important issues have been found with version 3.52.0. In order to give us time to deal with those issues, we plan to withdraw the 3.52.0 release. In its place, we will put up a new 3.51.3 patch release that includes a fix for the recently discovered WAL-reset bug as well as other patches. This will happen probably within about the next twelve hours.

Hence, if you were planning to upgrade to 3.52.0 tomorrow (Friday, 2026-03-14), perhaps it would be better to wait a day or so for 3.51.3.

At some point we will do version 3.52.1 which will hopefully resolve the issues that have arisen with the 3.52.0 release.

Full Changelog: WiseLibs/better-sqlite3@v12.7.1...v12.8.0

v12.6.2

Compare Source

What's Changed

• fix build: update node-abi version in package.json to ^4.25.0 by @​mceachen in #​1439

Full Changelog: WiseLibs/better-sqlite3@v12.6.1...v12.6.2

v12.6.0

Compare Source

What's Changed

• Update SQLite to version 3.51.2 in #​1436

Full Changelog: WiseLibs/better-sqlite3@v12.5.0...v12.6.0

Automattic/node-canvas (canvas)

v3.2.3

Compare Source

==================

Fixed

• Fix building with gcc (#​2559)

v3.2.2

Compare Source

==================

Fixed

• Fix dangling env pointer in image MIME data cleanup (#​2550)
• Fix ctx.direction not affected by ctx.save and ctx.restore
• Preserve rest of PDF pages when changing width and height (#​2538)
• Several security fixes for untrusted inputs to getImageData and putImageData. Thanks to Ethan Kim for the report.

v3.2.1

Compare Source

==================

• Fix error message HTTP response status code in image src setter
• roundRect() shape incorrect when radii were large relative to rectangle size (#​2400)
• Reject loadImage when src is null or invalid (#​2304)
• Fix compilation on GCC 15 by including (#​2545)

webpack/css-loader (css-loader)

v7.1.4

Compare Source

v7.1.3

Compare Source

jantimon/html-webpack-plugin (html-webpack-plugin)

v5.6.6

Compare Source

pillarjs/iconv-lite (iconv-lite)

v0.7.2

Compare Source

🐞 Bug fixes

• Correction of CommonJS exports in TypeScript definitions - by @​plbstl in #​366

  Fixed the TypeScript definitions to correctly represent the CommonJS exports of the library.
  This resolves issues where consumers using TypeScript would encounter errors due to incorrect
  type definitions that did not align with the actual module exports.

jimp-dev/jimp (jimp)

v1.6.1

Compare Source

🎉 This release contains work from new contributors! 🎉

Thanks for all your work!

❤️ Denys Kashkovskyi (@​Kashkovsky)

❤️ Viki (@​vikiboss)

🐛 Bug Fix

• fix docs imports (@​hipstersmoothie)
• @jimp/core, @jimp/plugin-quantize, @jimp/wasm-avif, @jimp/wasm-jpeg, @jimp/wasm-png, @jimp/wasm-webp
  • Update file-type from ^16 to ^21.3.3 in @​jimp/core #​1400 (@​Kashkovsky @​hipstersmoothie)

⚠️ Pushed to main

• @jimp/core
  • Doc updates (closes #​1342) (@​hipstersmoothie)

📝 Documentation

• docs: correct GitHub repo link #​1340 (@​vikiboss)

Authors: 3

• Andrew Lisowski (@​hipstersmoothie)
• Denys Kashkovskyi (@​Kashkovsky)
• Viki (@​vikiboss)

pmndrs/jotai (jotai)

v2.19.1

Compare Source

This release includes several small refactors to improve performance.

What's Changed

• fix(vanilla/utils/atomWithObservable): use symbol index signature to avoid 'Symbol.observable' type reference by @​sukvvon in #​3274
• refactor(internals): replace nextDeps with prevDeps by @​dmaskasky in #​3278
• refactor(internals): reduce recomputeInvalidatedAtoms overhead (performance) by @​dmaskasky in #​3284
• refactor(internals): reduce flushPending overhead (performance) by @​dmaskasky in #​3285
• fix(internals): check if atom has dependencies before doing mountDependencies work (performance) by @​dmaskasky in #​3290
• fix(internals): check if atom has onMount property before queueing processOnMount callback (performance) by @​dmaskasky in #​3291
• refactor(types): prefer no-any by @​dai-shi in #​3304

New Contributors

• @​aio39 made their first contribution in #​3277

Full Changelog: pmndrs/jotai@v2.19.0...v2.19.1

v2.19.0

Compare Source

We improved the core to enable atom caching for performance for some cases.

What's Changed

• fix(react): deprecate delay option by @​dai-shi in #​3264
• feat: improve store.get performance when atoms are not mutated by @​dmaskasky in #​3265 thanks to @​edkimmel

New Contributors

• @​composite made their first contribution in #​3268

Full Changelog: pmndrs/jotai@v2.18.1...v2.19.0

v2.18.1

Compare Source

This release fixes a regression introduced in v2.12.1, which affects an uncommon edge case.

What's Changed

• fix(vanilla): subscriber not notified when derived read calls store.set by @​dmaskasky in #​3245
• fix(vanilla/utils/atomWithObservable): add 'Symbol.observable' type support to 'ObservableLike' by @​sukvvon in #​3253
• refactor(vanilla/utils/atomWithStorage): use optional chaining for 'storage.subscribe' by @​sukvvon in #​3260

Full Changelog: pmndrs/jotai@v2.18.0...v2.18.1

v2.18.0

Compare Source

We moved jotai/babel to jotai-babel.

Migration Guide

If you use the preset:

  {
-   "presets": ["jotai/babel/preset"]
+   "presets": ["jotai-babel/preset"]
  }

If you use a plugin:

  {
-   "plugins": ["jotai/babel/plugin-debug-label"]
+   "plugins": ["jotai-babel/plugin-debug-label"]
  }

What's Changed

• refactor(internals): simplify promise handing by @​dai-shi in #​3232
• feat: deprecate jotai/babel in favor of jotai-babel by @​dai-shi in #​3236
• fix: keep reactivity if get is called in a different atom by @​dai-shi in #​3241

New Contributors

• @​pavan-sh made their first contribution in #​3238

Full Changelog: pmndrs/jotai@v2.17.1...v2.18.0

v2.17.1

Compare Source

Small typing improvements. If you are using v2.16 or earlier, we recommend upgrading to the latest version.

What's Changed

• fix(core/types): Wrong variance on the WritableAtom Result type parameter by @​atomanyih in #​3135
• chore: leftover with #​3219 by @​dai-shi in #​3231

New Contributors

• @​atomanyih made their first contribution in #​3135

Full Changelog: pmndrs/jotai@v2.17.0...v2.17.1

v2.17.0

Compare Source

This release deprecates some features, which will be dropped in v3.

What's Changed

• deprecate loadable util by @​dai-shi in #​3217
• breaking: remove unstable_onInit by @​dai-shi in #​3219
• deprecate setSelf in the atom read function by @​dai-shi in #​3220

Full Changelog: pmndrs/jotai@v2.16.2...v2.17.0

v2.16.2

Compare Source

Fixes unwrap and loadable, resolving a regression introduced in v2.15.2.

What's Changed

• fix(utils): unwrap should not violate the store mutation rule by @​dai-shi in #​3213

New Contributors

• @​dev-itsheng made their first contribution in #​3206

Full Changelog: pmndrs/jotai@v2.16.1...v2.16.2

webpack/mini-css-extract-plugin (mini-css-extract-plugin)

v2.10.2

Compare Source

v2.10.1

Compare Source

v2.10.0

Compare Source

Features

• respect output.cssFilename and output.cssChunkFilename (#​1151) (54f775d)

Bug Fixes

• prevent generation of a contentHash for a chunk when the set of css modules is of size 0 (#​1154) (4e4a95d)

2.9.4 (2025-08-11)

Bug Fixes

• hmr crash in some situations (#​1140) (f67c05a)

2.9.3 (2025-08-04)

Bug Fixes

• should update initial chunks correctly with filename (dab023f)

2.9.2 (2024-11-01)

Bug Fixes

• prefetch and preload runtime generation (#​1116) (58c6b74)

2.9.1 (2024-08-19)

Bug Fixes

• add export default {} when CSS modules enabled and a file is empty for the defaultExport option (8f77e19)

qq15725/modern-screenshot (modern-screenshot)

v4.7.0

Compare Source

Bug Fixes

• clone documentElement instead of body for same-origin iframes (0c3871a)
• delete position when copy root element styles (328379d)
• use detached document for @​import rule processing (719fb4e)

4.6.8 (2026-01-26)

Features

• add support for fonts in @​layers (e4624bb)

4.6.7 (2025-11-18)

Bug Fixes

• ensure WebKit scrollbar pseudo-classes are cloned correctly (1d10f48)

4.6.6 (2025-08-19)

4.6.5 (2025-07-05)

Features

• Add the onCloneEachNode callback to execute when each node is cloned. (f9fe0db)

4.6.4 (2025-06-12)

Bug Fixes

• use HTMLIFrameElement.srcdoc replace HTMLIFrameElement.contentWindow.document.write remove browser warning (closes #​136) (ea2ddf4)

4.6.3 (2025-06-12)

Bug Fixes

• rollback previous commit. fix SVG use in shadowDOM (closes #​140) (9be4f5e)

4.6.2 (2025-06-09)

Bug Fixes

• skip copying styles for SVG Defs and their children (c043f34)
• skip copying styles for SVG Defs and their children (824ab63)

4.6.1 (2025-06-09)

Bug Fixes

• skip copying styles for SVG Defs and their children (14fc8b3)

v4.6.8

Compare Source

Features

• add support for fonts in @​layers (e4624bb)

ai/nanoid (nanoid)

v5.1.9

Compare Source

• Fixed npm package size regression.

v5.1.8

Compare Source

• Made cusatomAlphabet 75% faster (by @​saripovdenis).

v5.1.7

Compare Source

• Added --version to CLI (by @​mahmoodhamdi).
• Updated nanoid.js for CDN (by @​mahmoodhamdi).
• Fixed docs (by @​mahmoodhamdi).
• Fixed customRandom types (by @​oguimbal).

nodejs/node (node)

v24.15.0

Compare Source

v24.14.1

Compare Source

v24.14.0

Compare Source

v24.13.1

Compare Source

v24.13.0: 2026-01-13, Version 24.13.0 'Krypton' (LTS), @​marco-ippolito

Compare Source

This is a security release.

Notable Changes

lib:

• (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
  lib,permission:
• (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
  src:
• (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
  src,lib:
• (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
  tls:
• (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

Commits

• [2092785d01] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #​60997
• [3e58b7f2af] - deps: update undici to 7.18.2 (Node.js GitHub Bot) #​61283
• [4ba536a5a6] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• [89adaa21fd] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
• [7302b4dae1] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• [ac030753c4] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
• [20075692fe] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
• [20591b0618] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

sindresorhus/p-queue (p-queue)

v9.1.2

Compare Source

• Fix: Export PriorityQueue type (#​242) a20e1f3

---

v9.1.1

Compare Source

• Fix signal option not rejecting when task is aborted while queued a64b316
  • If you use a custom queue class, you will have to add a remove() method. See the built-in class.

---

v9.1.0

Compare Source

• Add strict option for sliding window rate limiting 03b8156

---

postcss/postcss (postcss)

v8.5.10

Compare Source

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

v8.5.9

Compare Source

• Speed up source map encoding paring in case of the error.

v8.5.8

Compare Source

• Fixed Processor#version.

v8.5.7

Compare Source

• Improved source map annotation cleaning performance (by CodeAnt AI).

webpack/postcss-loader (postcss-loader)

v8.2.1

Compare Source

facebook/react (react)

v19.2.5: 19.2.5 (April 8th, 2026)

Compare Source

React Server Components

• Add more cycle protections (#​36236 by @​eps1lon and @​unstubbable)

v19.2.4: 19.2.4 (January 26th, 2026)

Compare Source

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#​35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

bvaughn/react-error-boundary (react-error-boundary)

v6.1.1

Compare Source

v6.1.0

Compare Source

• #​235: Fix error type (Error -> unknown)
• Export getErrorMessage helper method

v6.0.3

Compare Source

• Removed react-dom from peer dependencies list; it was accidentally added during a previous internal refactor

v6.0.2

Compare Source

Updated README and generated TS docs

formatjs/formatjs (react-intl)

v8.1.4

Compare Source

v8.1.3

Compare Source

8.1.3 (2026-02-03)

Bug Fixes

• react-intl: update react/react-dom dep versions to 19 (#​6015) (70e7ad3), closes #​6014 - by @​longlho

v8.1.2

Compare Source

v8.1.1

Compare Source

v8.1.0

Compare Source

8.1.0 (2026-01-15)

Features

• @​formatjs/intl-segmenter: improve Unicode 17.0 Format/Extend transparency and upgrade deps (#​5862) (effeb9c), closes #​29 - by @​longlho

v8.0.11

Compare Source

v8.0.10

Compare Source

parshap/node-sanitize-filename (sanitize-filename)

v1.6.4

Compare Source

nodejs/undici (undici)

v7.25.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v7.24.8...v7.25.0

v7.24.8

Compare Source

What's Changed

• fix: backport 401 stream-backed body fix to v7.x by @​mcollina in #​5006

Full Changelog: nodejs/undici@v7.24.7...v7.24.8

v7.24.7

Compare Source

What's Changed

• docs: update broken links in file "Dispatcher.md" by @​samuel871211 in #​4924
• doc: remove unused parameter redirectionLimitReached by @​samuel871211 in #​4933
• test: skip flaky macOS Node 20 cookie fetch cases by @​mcollina in #​4932
• fix(types): align Response with DOM fetch types by @​theamodhshetty in #​4867
• fix(types): Fix clone method type declaration to be an instance method rather than instance property by @​mistval in #​4925
• test: skip IPv6 tests when IPv6 is not available by @​mcollina in #​4939
• fix: correctly handle multi-value rawHeaders in fetch by @​mcollina in #​4938
• ignore AGENTS.md by @​mcollina in #​4942

New Contributors

• @​samuel871211 made their first contribution in #​4924
• @​mistval made their first contribution in #​4925

Full Changelog: nodejs/undici@v7.24.6...v7.24.7

v7.24.6

Compare Source

What's Changed

• fix(test): client wasm compatible with clang 22 by @​rozzilla in #​4909
• fix(mock): improve error message when intercepts are exhausted by @​travisbreaks in #​4912
• fix(websocket): support open diagnostics over h2 by @​mcollina in #​4921
• fix: assume http/https scheme for scheme-less proxy env vars by @​travisbreaks in #​4914
• fix(cache): check Authorization on request headers per RFC 9111 §3.5 by @​metalix2 in #​4911
• fix: wrap kConnector call in try/catch to prevent client hang by @​veeceey in #​4834
• docs: clarify fetch and FormData pairing by @​mcollina in #​4922
• fix: support Connection header with connection-specific header names per RFC 7230 by @​mcollina in #​4775
• fix: avoid prototype collisions in parseHeaders by @​mcollina in #​4923
• build(deps-dev): bump typescript from 5.9.3 to 6.0.2 by @​dependabot[bot] in #​4926
• test: auto-init WPT submodule by @​mcollina in #​4930

New Contributors

• @​rozzilla made their first contribution in #​4909
• @​veeceey made their first contribution in #​4834

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

v7.24.5

Compare Source

What's Changed

• Formdata tests by @​KhafraDev in #​4902
• test: add unexpected disconnect guards to more client test files by @​samayer12 in #​4844
• fix(cache): only apply 1-year deleteAt fo

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
ddr-tools	Ready	Preview	Apr 19, 2026 4:34pm