chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@azure/cosmos (source)	^4.9.1 → ^4.9.3
@azure/identity (source)	^4.13.0 → ^4.13.1
@azure/keyvault-secrets (source)	^4.10.0 → ^4.11.2
@planetscale/database	^1.19.0 → ^1.20.1
@typescript/native-preview (source)	^7.0.0-dev.20260505.1 → ^7.0.0-dev
@upstash/redis (source)	^1.36.2 → ^1.38.0
@vercel/blob (source)	^2.3.3 → ^2.4.0
h3 (source)	^2.0.1-rc.21 → ^2.0.1-rc
idb-keyval	^6.2.2 → ^6.2.4
ioredis	^5.9.3 → ^5.11.0
ioredis	^5.10.1 → ^5.11.0
lru-cache	^11.2.6 → ^11.5.1
lru-cache	^11.3.6 → ^11.5.1
oxfmt (source)	^0.48.0 → ^0.52.0
pnpm (source)	10.33.3 → 10.34.1
pnpm (source)	10.30.2 → 10.34.1

---

Release Notes

Azure/azure-sdk-for-js (@​azure/cosmos)

v4.9.3

Compare Source

v4.9.2

Compare Source

Azure/azure-sdk-for-js (@​azure/keyvault-secrets)

v4.11.2

Compare Source

Bugs Fixed

• Fixed an issue where contentType passed to setSecret() and updateSecretProperties() was not forwarded to the service request body. #​38301

v4.11.1

Compare Source

Bugs Fixed

• Fix dependency issue.

v4.11.0

Features Added

• Added support for service API version 2025-07-01 which is now the default. #​37785
• Added outContentType option to getSecret() allowing callers to request PEM-format output for certificate-backed secrets (e.g., outContentType: KnownContentType.PEM). #​37785
• Added previousVersion readonly property to SecretProperties which returns the identifier of the previous certificate version. #​37785

planetscale/database-js (@​planetscale/database)

v1.20.1

Compare Source

What's Changed

• Add npm trusted publisher workflow by @​mattrobenolt in #​197
• Detect Cloudflare errors in UnknownError messaging by @​mattrobenolt in #​198

Full Changelog: planetscale/database-js@v1.20.0...v1.20.1

v1.20.0

Compare Source

What's Changed

• README: remove extra docs by @​nickvanw in #​184
• Update README by @​iheanyi in #​189
• Add link to postgres documentation by @​SimeonGriggs in #​194
• Add UnknownError with full response context for non-JSON API errors by @​mattrobenolt in #​196

New Contributors

• @​SimeonGriggs made their first contribution in #​194

Full Changelog: planetscale/database-js@v1.19.0...v1.20.0

microsoft/typescript-go (@​typescript/native-preview)

v7.0.0-dev.20260527.2

Compare Source

v7.0.0-dev.20260527.1

Compare Source

v7.0.0-dev.20260526.1

Compare Source

v7.0.0-dev.20260525.1

Compare Source

v7.0.0-dev.20260524.1

Compare Source

v7.0.0-dev.20260523.1

Compare Source

v7.0.0-dev.20260522.1

Compare Source

v7.0.0-dev.20260521.1

Compare Source

v7.0.0-dev.20260519.1

Compare Source

v7.0.0-dev.20260518.1

Compare Source

v7.0.0-dev.20260517.1

Compare Source

v7.0.0-dev.20260516.1

Compare Source

v7.0.0-dev.20260515.1

Compare Source

v7.0.0-dev.20260514.1

Compare Source

v7.0.0-dev.20260513.1

Compare Source

v7.0.0-dev.20260512.1

Compare Source

v7.0.0-dev.20260511.1

Compare Source

v7.0.0-dev.20260510.1

Compare Source

v7.0.0-dev.20260509.2

Compare Source

v7.0.0-dev.20260508.1

Compare Source

v7.0.0-dev.20260507.1

Compare Source

v7.0.0-dev.20260506.1

Compare Source

upstash/redis-js (@​upstash/redis)

v1.38.0

Compare Source

Minor Changes

• c71f581: Separate read/write commands into separate pipelines in auto pipeline. As a
  result, mixed read/write Promise.all batches may now be split across multiple
  pipeline HTTP requests instead of a single request, and read-after-write
  ordering may no longer be preserved within those mixed batches.

v1.37.0

Compare Source

Minor Changes

• 6f2a831: Release redis search

Patch Changes

• 3980b45: Add monorepo structure

v1.36.4

Compare Source

What's Changed

• fix: prevent more than one script init running at once by @​myandrienko in #​1411
• DX-2479: strip v prefix from version in release workflow by @​CahidArda in #​1417

New Contributors

• @​myandrienko made their first contribution in #​1411

Full Changelog: upstash/redis-js@v1.36.3...v1.36.4

v1.36.3

Compare Source

What's Changed

• DX-2278: use npm OIDC by @​CahidArda in #​1408
• DX-2446: expose TData generic on xrange and xrevrange by @​CahidArda in #​1414
• DX-2439: add sintercard by @​CahidArda in #​1413

Full Changelog: upstash/redis-js@v1.36.2...v1.36.3

vercel/storage (@​vercel/blob)

v2.4.0

Compare Source

Minor Changes

• 20eeaff: Add Vercel OIDC auth and presigned URLs

h3js/h3 (h3)

v2.0.1-rc.22

Compare Source

compare changes

🚀 Enhancements

• tracing: Export wrapHandlerWithTracing for manual handler wrapping (#​1369)

🩹 Fixes

• toEventHandler: Validate h3 subapp instance to pick .handler (a94b7fb)

💅 Refactors

• Split plugin definition (40bddff)

📦 Build

• Simplify chunk names (07c118d)

🏡 Chore

• Update deps (a7a0460)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Abdelrahman Awad abdelrahman.awad@sentry.io

jakearchibald/idb-keyval (idb-keyval)

v6.2.4

Compare Source

v6.2.3

Compare Source

luin/ioredis (ioredis)

v5.11.0

Compare Source

Bug Fixes

• prevent RangeError from string accumulation in pipeline (#​2088) (defc077)
• replace deprecated url.parse() with WHATWG URL API (#​2081) (0021a45), closes redis/ioredis#1747

Features

• add array commands, typings and tests (#​2114) (baf68d6)
• add increx command (#​2115) (37d0695)
• add Redis MSETEX support (#​2111) (04a4615)
• add typed GCRA command support and functional tests (#​2094) (468a802)
• add vector set command support (#​2116) (b7b3def)
• Add xnack command (#​2103) (187d29b)
• Add zinter zunion count (#​2104) (0d510bb)
• Implement TracingChannel support (#​2089) (4760e0a)

5.10.1 (2026-03-19)

Bug Fixes

• cluster: lazily start sharded subscribers (#​2090) (4f167bb)

v5.10.1

Compare Source

Bug Fixes

• cluster: lazily start sharded subscribers (#​2090) (4f167bb)

v5.10.0

Compare Source

Features

• add hash field expiration commands and tests (5219f9f)
• add hexpireat & hexpiretime (#​2082) (b38124f)

5.9.3 (2026-02-12)

Bug Fixes

• autopipelining to route writes to masters with scaleReads (#​2072) (8adb1ae)
• fix issue with moved command for replicas (#​2064) (de4eed4)
• types: optional properties on RedisOptions allow explicit undefined (#​2066) (0a1a898)

5.9.3 (2026-02-12)

Bug Fixes

• autopipelining to route writes to masters with scaleReads (#​2072) (8adb1ae)
• fix issue with moved command for replicas (#​2064) (de4eed4)
• types: optional properties on RedisOptions allow explicit undefined (#​2066) (0a1a898)

5.9.2 (2026-01-15)

Bug Fixes

• cluster: Cluster reconnect sharded subscribers (#​2060) (def9804)
• preserve replica slots on MOVED in pipelines (#​2059) (a1c3e9d)

Reverts

• Revert "fix: preserve replica slots on MOVED in pipelines (#​2059)" (#​2062) (517b932), closes #​2059 #​2062

5.9.1 (2026-01-08)

Bug Fixes

• make client-side blocking timeouts opt-in (#​2058) (07ed493)

isaacs/node-lru-cache (lru-cache)

v11.5.1

Compare Source

v11.5.0

Compare Source

v11.4.0

Compare Source

v11.3.6

Compare Source

v11.3.5

Compare Source

v11.3.4

Compare Source

v11.3.3

Compare Source

v11.3.2

Compare Source

v11.3.1

Compare Source

v11.3.0

Compare Source

v11.2.7

Compare Source

oxc-project/oxc (oxfmt)

v0.52.0

Compare Source

🚀 Features

• 16b8058 oxfmt: Support vite-plus/resolveConfig for vite.config.ts (#​22454) (leaysgur)

v0.51.0

Compare Source

v0.50.0

Compare Source

🐛 Bug Fixes

• 43b9978 formatter/sort_imports: Treat subpath imports as internal (#​22440) (leaysgur)

v0.49.0

Compare Source

🚀 Features

• 6e8e818 oxfmt: Experimental .svelte support (#​21700) (leaysgur)

pnpm/pnpm (pnpm)

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

• Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Gold Sponsors

v10.34.0

Compare Source

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

• Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

  A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

• Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Gold Sponsors

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "after 1am and before 5am"
• Automerge
  • "after 2am and before 5am"

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.87%. Comparing base (2727956) to head (ecdf1ae).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #773   +/-   ##
=======================================
  Coverage   64.87%   64.87%           
=======================================
  Files          43       43           
  Lines        2238     2238           
  Branches      524      523    -1     
=======================================
  Hits         1452     1452           
  Misses        678      678           
  Partials      108      108           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.