chore(deps): update dependencies-non-major (patch)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@nx/devkit (source)	22.3.1 → 22.3.3			pnpm.catalog.default	patch
@nx/eslint-plugin (source)	22.3.1 → 22.3.3			pnpm.catalog.default	patch
@nx/jest (source)	22.3.1 → 22.3.3			pnpm.catalog.default	patch
@nx/js (source)	22.3.1 → 22.3.3			pnpm.catalog.default	patch
@nx/plugin (source)	22.3.1 → 22.3.3			pnpm.catalog.default	patch
@nx/react (source)	22.3.1 → 22.3.3			pnpm.catalog.default	patch
@nx/storybook (source)	22.3.1 → 22.3.3			pnpm.catalog.default	patch
@nx/vite (source)	22.3.1 → 22.3.3			pnpm.catalog.default	patch
@nx/web (source)	22.3.1 → 22.3.3			pnpm.catalog.default	patch
@nx/workspace (source)	22.3.1 → 22.3.3			pnpm.catalog.default	patch
@types/node (source)	20.9.0 → 20.9.5			pnpm.catalog.default	patch
node (source)	20.11.0 → 20.11.1				patch
nx (source)	22.3.1 → 22.3.3			pnpm.catalog.default	patch
pnpm (source)	10.26.0 → 10.26.2			packageManager	patch
pnpm (source)	8.10.2 → 8.10.5			uses-with	patch
pnpm/action-setup	v2.4.0 → v2.4.1			action	patch
ts-jest (source)	29.4.1 → 29.4.11			pnpm.catalog.default	patch

---

Release Notes

nrwl/nx (@​nx/devkit)

v22.3.3

Compare Source

22.3.3 (2025-12-19)

🩹 Fixes

• misc: remove CNW A/B testing flow branching (#​33967)

❤️ Thank You

• Jack Hsu @​jaysoo

v22.3.2

Compare Source

22.3.2 (2025-12-19)

🚀 Features

• angular: support ngrx v21 (#​33940)
• angular: support cypress component testing with zoneless projects (#​33941)

🩹 Fixes

• angular: support @angular/cli package update during nx migrate (#​33918)
• core: fix vitest test runner options for angular in cnw (#​33921)
• linter: honor setParserOptionsProject in flat config (#​33953, #​33944)
• module-federation: use localhost as default host #​33909 (#​33947, #​33909)
• module-federation: skip non-npm external dependencies in getDependencies (#​33951, #​32819)
• nx-dev: make sure only prod is indexed (#​33922)
• nx-dev: make sure canonical urls are always nx.dev (#​33932)
• react: set up module federation with webpack and ts soln correctly #​31029 (#​33920, #​31029)
• testing: ensure jest v30 migration is run (#​33916)

❤️ Thank You

• Caleb Ukle
• Colum Ferry @​Coly010
• Jack Hsu @​jaysoo
• Leosvel Pérez Espinosa @​leosvelperez
• leosvelperez @​leosvelperez

nodejs/node (node)

v20.11.1: 2024-02-14, Version 20.11.1 'Iron' (LTS), @​RafaelGSS prepared by @​marco-ippolito

Compare Source

Notable changes

This is a security release.

Notable changes

• CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
• CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
• CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High)
• CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High)
• CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
• CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
• CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
• CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
• undici version 5.28.3
• libuv version 1.48.0
• OpenSSL version 3.0.13+quic1

Commits

• [7079c062bb] - crypto: disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525
• [186a6e1ffb] - deps: fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) #​51737
• [686da19abb] - deps: disable io_uring support in libuv by default (Tobias Nießen) nodejs-private/node-private#529
• [f7b44bfbce] - deps: update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #​51614
• [7a30fecea2] - deps: upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) #​51614
• [480fc169a8] - fs: protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) nodejs-private/node-private#497
• [77ac7c3153] - http: add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#519
• [ed7d149675] - lib: use cache fs internals against path traversal (RafaelGSS) nodejs-private/node-private#516
• [89bd5fc38f] - lib: update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#539
• [d01dd4291d] - permission: fix wildcard when children > 1 (Rafael Gonzaga) #​51209
• [40ff37dfcc] - src: fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505
• [3f6addd590] - src,deps: disable setuid() etc if io_uring enabled (Tobias Nießen) nodejs-private/node-private#529
• [d6da413aa4] - test,doc: clarify wildcard usage (RafaelGSS) nodejs-private/node-private#517
• [c213910aea] - zlib: pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#541

pnpm/pnpm (pnpm)

v10.26.2: pnpm 10.26.2

Compare Source

Patch Changes

• Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #​10307.

• Fix installation of Git dependencies using annotated tags #​10335.

  Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out commit hash didn't match the stored tag object hash.

• Binaries of runtime engines (Node.js, Deno, Bun) are written to node_modules/.bin before lifecycle scripts (install, postinstall, prepare) are executed #​10244.

• Try to avoid making network calls with preferOffline #​10334.

Platinum Sponsors

Gold Sponsors

v10.26.1: pnpm 10.26.1

Compare Source

Patch Changes

• Don't fail on pnpm add, when blockExoticSubdeps is set to true #​10324.
• Always resolve git references to full commits and ensure HEAD points to the commit after checkout #​10310.

Platinum Sponsors

Gold Sponsors

pnpm/action-setup (pnpm/action-setup)

v2.4.1

Compare Source

Updated the bundled pnpm version to v7 to fix the ERR_INVALID_THIS error.

kulshekhar/ts-jest (ts-jest)

v29.4.11

Compare Source

Bug Fixes

• preserve Bundler on the CJS path under TypeScript >= 6 (3941818), closes #​4198

v29.4.10

Compare Source

Bug Fixes

• pass resolutionMode to ts.resolveModuleName for hybrid module support (b557a85)
• rebuild Program when consecutive compiles need different module kinds (a82a2b3), closes #​4774
• respect tsconfig moduleResolution instead of forcing Node10 (1bffffc)
• transformer: transpile mjs files from node_modules for CJS mode (96d025d)
• transformer: use a consistent comparator in hoist-jest sortStatements (8a8fd2f)

v29.4.9

Compare Source

v29.4.8

Compare Source

v29.4.7

Compare Source

Features

• support TypeScript v6 (eda517d)

v29.4.6

Compare Source

Bug Fixes

• log hybrid module as warning instead of failing tests (#​5144) (528d37c), closes #​5130

v29.4.5

Compare Source

Bug Fixes

• allow filtering modern module warning message with diagnostic code (c290d4d), , closes #​5013

v29.4.4

Compare Source

Bug Fixes

• revert 29.4.3 changes (25cb706), closes #​5049

v29.4.3

Compare Source

Bug Fixes

• revert 29.4.3 changes (25cb706), closes #​5049

v29.4.2

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[deepsource-io]

DeepSource Code Review

We reviewed changes in fb59a67...1ec1074 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade

Security   Reliability   Complexity   Hygiene

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
JavaScript		Jun 8, 2026 1:38a.m.	Review ↗
Shell		Jun 8, 2026 1:38a.m.	Review ↗

---

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​nx/​web@​22.3.3
	@​nx/​vite@​22.3.3
	@​nx/​js@​22.3.3
	@​nx/​eslint-plugin@​22.3.3
	@​nx/​storybook@​22.3.3
	@​nx/​react@​22.3.3
	@​nx/​workspace@​22.3.3
	@​nx/​devkit@​22.3.3
	@​nx/​plugin@​22.3.3

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @nx/workspace is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/@nx/workspace@22.3.3 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nx/workspace@22.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @nx/workspace is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/@nx/workspace@22.7.5 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nx/workspace@22.7.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report