Update all non-major dependencies (master) #1518

Open
renovate[bot] wants to merge 1 commit into master from renovate/master-all-minor-patch
@renovate renovate Bot commented Apr 25, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence | Type | Update | Pending |
|---|---|---|---|---|---|---|
| @lerna-lite/cli (source) | 5.0.0 → 5.1.0 | age | confidence | devDependencies | minor | 5.2.0 |
| @lerna-lite/publish (source) | 5.0.0 → 5.1.0 | age | confidence | devDependencies | minor | 5.2.0 |
| @lerna-lite/version (source) | 5.0.0 → 5.1.0 | age | confidence | devDependencies | minor | 5.2.0 |
| @tanstack/react-query (source) | 5.99.0 → 5.99.2 | age | confidence | dependencies | patch | 5.100.5 (+5) |
| @tanstack/react-query-devtools (source) | 5.99.0 → 5.99.2 | age | confidence | dependencies | patch | 5.100.5 (+5) |
| @tanstack/react-virtual (source) | 3.13.23 → 3.13.24 | age | confidence | dependencies | patch | |
| dompurify | 3.4.0 → 3.4.1 | age | confidence | dependencies | patch | |
| i18next (source) | 26.0.5 → 26.0.6 | age | confidence | dependencies | patch | 26.0.8 (+1) |
| i18next-cli | 1.53.2 → 1.56.4 | age | confidence | devDependencies | minor | 1.56.7 (+2) |
| marked (source) | 18.0.1 → 18.0.2 | age | confidence | dependencies | patch | |
| maven | 3.9.14-eclipse-temurin-25 → 3.9.15-eclipse-temurin-25 | age | confidence | final | patch | |
| pnpm (source) | 10.33.0 → 10.33.1 | age | confidence | | patch | 10.33.2 |
| vite (source) | 8.0.8 → 8.0.9 | age | confidence | devDependencies | patch | 8.0.10 |
| vitest (source) | 4.1.4 → 4.1.5 | age | confidence | devDependencies | patch | |

Release Notes

lerna-lite/lerna-lite (@​lerna-lite/cli)

v5.1.0

Compare Source

Features

lerna-lite/lerna-lite (@​lerna-lite/publish)

v5.1.0

Compare Source

Note: Version bump only for package @​lerna-lite/publish

lerna-lite/lerna-lite (@​lerna-lite/version)

v5.1.0

Compare Source

Bug Fixes

TanStack/query (@​tanstack/react-query)

v5.99.2

Compare Source

Patch Changes

v5.99.1

Compare Source

Patch Changes

TanStack/query (@​tanstack/react-query-devtools)

v5.99.2

Compare Source

Patch Changes

v5.99.1

Compare Source

Patch Changes

TanStack/virtual (@​tanstack/react-virtual)

v3.13.24

Compare Source

Patch Changes

cure53/DOMPurify (dompurify)

v3.4.1: DOMPurify 3.4.1

Compare Source

  • Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
  • Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
  • Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
  • Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
  • Removed a duplicate slot entry from the default HTML attribute allow-list
  • Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
  • Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
  • Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

i18next/i18next (i18next)

v26.0.6

Compare Source

Security release — all issues found via an internal audit.

  • security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security note in the Nesting docs for the full pattern and mitigations
  • security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
  • security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
  • chore: ignore .env* and *.pem/*.key files in .gitignore

i18next/i18next-cli (i18next-cli)

v1.56.4

Compare Source

  • The <Trans> bare-identifier diagnostic added in 1.56.3 now uses
    logger.error and is prefixed with Error:, matching the convention
    established in
    #​200 so build
    tooling that watches for errors (or grep for Error:) can treat it
    as fatal. Behaviour and message are otherwise unchanged.
    Follow-up to #​246.

v1.56.3

Compare Source

  • extract now resolves constant identifiers passed as the namespace or
    keyPrefix argument to i18next.getFixedT(...). Previously, only string
    literals were recognised, so
    const NS = "my-ns"; const t = i18next.getFixedT("en", NS, "prefix")
    silently fell back to the default namespace, while the equivalent
    useTranslation(NS) form worked correctly. The getFixedT handlers
    now reuse the same resolution logic as useTranslation (local/shared
    string constants via Identifier, constant-object property access via
    MemberExpression, interpolation-free TemplateLiteral, and TS
    wrappers like as const / satisfies), so both forms behave
    consistently. Fixes #​245.
  • extract now warns when a <Trans> component contains a bare
    identifier JSX child such as <Trans>Hello <b>{cat}</b></Trans>.
    react-i18next inlines the value at runtime (producing a key like
    "Hello <1>meow</1>"), but the extractor serialises the identifier
    name as "Hello <1>{{cat}}</1>" — the two never match, and even with
    an explicit i18nKey the placeholder cannot be interpolated without a
    values={{ cat }} prop, so it renders literally. The warning points
    users at the correct {{cat}} double-brace form with a values prop.
    Extraction output is unchanged so existing projects that paired the
    {{cat}} output with a matching values prop keep working.
    Addresses #​246.

v1.56.2

Compare Source

  • lint now detects hardcoded strings wrapped in JSX expression
    containers. Previously, string literals like <div>{"Hello"}</div> or
    braced attribute values like <img alt={"Logo"} /> were silently
    skipped because the walker only inspected StringLiteral nodes whose
    direct parent was a JSXAttribute. The linter now also recognises
    StringLiteral nodes whose parent is a JSXExpressionContainer,
    treating them as JSX child text or attribute values depending on the
    grandparent, and applying the same acceptedTags / acceptedAttributes
    / ignoredTags / i18next-instrument-ignore rules as raw text.
    Fixes #​244.

v1.56.1

Compare Source

  • status now detects keys reachable only through $t(...) nested
    references in the primary translation file. Previously, keys like
    boys_one/boys_other — referenced only from
    "girlsAndBoys": "$t(boys, {\"count\": ...})" — were preserved by
    extract but never included in the status check, so empty values in
    secondary locales were silently ignored. Status now scans primary
    translation values for $t(...) references and includes the referenced
    keys (plus their per-locale plural and context variants) in the report,
    so translation gaps surface correctly.
    Follow-up to #​241.

v1.56.0

Compare Source

  • Preserve keys that are only referenced through $t(...) nested references
    inside existing translation values. Previously, when removeUnusedKeys was
    enabled, keys like boys_one/boys_other referenced only from
    "girlsAndBoys": "$t(boys, {\"count\": {{boys}} })" were deleted because
    the AST-based extractor never sees them. The extractor now also scans
    existing translation values, treats referenced keys (and their
    plural / context variants) as used, and — for secondary locales — expands
    them into the correct per-locale CLDR plural skeleton on first extract.
    Fixes #​241.
  • Propagate context variants from the primary locale to secondary locales
    when preserveContextVariants is enabled. Previously, dynamic context
    usage like t('exportType', { context: type }) preserved the variants
    (exportType_gas, exportType_water) only in the primary language file;
    secondary languages never received them. They are now copied to every
    locale with empty placeholders so translators and sync see the same key
    skeleton everywhere. Existing secondary values are left untouched.
    Fixes #​242.
  • status now detects context variants when source code uses a dynamic
    context value. Previously, t('key', { context: type }) registered only
    the base key and tagged it as accepting context, so status had no way to
    count the actual variants (key_a, key_b) — empty values in secondary
    locales were silently ignored. Status now scans the primary translation
    file for context variants of each accepting-context base key and includes
    them in the per-locale translation report.
    Fixes #​243.

v1.55.0

Compare Source

  • Infer function return types from the body when no explicit return-type
    annotation is present, so t(fn()) and t(`...${x}...`) with
    const x = fn() expand to all statically-resolvable return values. Works
    across files via a shared cross-file table populated during the pre-scan
    pass (alongside enums), so imported functions resolve just like in-file
    ones. Explicit annotations remain authoritative: : string still returns
    no keys rather than falling back to body inference.
  • Print a per-file diff (added / removed / changed keys) when extract --ci
    fails because files would be updated. Makes CI failures actionable without
    needing to reproduce locally.
    Thanks to @​LudvigHz for both changes
    (#​240).

v1.54.2

Compare Source

  • Propagate defaultNs and keyPrefix from a custom translation hook to
    inner t() calls accessed via a member expression (e.g.
    const obj = useMyHook('auth'); obj.t('key')). Previously the scope was
    stored on the outer variable but the call-site lookup used the full
    obj.t name and missed it, causing keys to fall back to the default
    namespace. The lookup now also tries the object part(s) of the member
    expression.
    Fixes #​239.

v1.54.1

Compare Source

  • Fix --sync-all unexpectedly clearing secondary locale translations for
    keys with explicit defaults (e.g. t('my-key', 'my message')) when the
    code-provided default still matches the primary locale value. Secondary
    translations are now only reset when the primary value has actually
    diverged from the code default, matching the behavior already in place
    for trusted derived defaults.
    Fixes #​235.

v1.54.0

Compare Source

  • Emit the generated Resources interface as a single combined
    export default interface Resources { ... } declaration, and import it in
    the generated i18next module augmentation file using import type. This
    makes the generated type files compatible with TypeScript's
    verbatimModuleSyntax compiler option. The interface's type identity is
    unchanged, so consumers importing Resources from the resources file
    continue to work without modification.
    Fixes #​238.
  • Bump i18next-resources-for-ts to 2.1.0 for the new interface output
    format.

markedjs/marked (marked)

v18.0.2

Compare Source

Bug Fixes

pnpm/pnpm (pnpm)

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes
  • When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.
vitejs/vite (vite)

v8.0.9

Compare Source

Features
Bug Fixes
Documentation
Miscellaneous Chores

vitest-dev/vitest (vitest)

v4.1.5

Compare Source

   🚀 Experimental Features
   🐞 Bug Fixes
    View changes on GitHub

Configuration

📅 Schedule: (in timezone Europe/Zurich)

  • Branch creation
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
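
An added example, not part of the Renovate comment and not i18next's own code: a small audit that walks translation resources and reports strings matching the pattern the i18next 26.0.6 note warns about, a `{{var}}` placed inside a quoted JSON string of a `$t(key, { ... })` options block. The names `quotedVariables`, `auditResources` and `SAMPLE` are hypothetical, the sample resources are constructed, and i18next's default nesting and interpolation delimiters are assumed.

```javascript
// Added example, not i18next code. Assumes the default delimiters:
// "$t(" ... ")" for nesting and "{{" ... "}}" for interpolation.
const NESTING = /\$t\(([^,)]+),([^)]*)\)/g;

// Variables that sit inside a quoted JSON string of one options literal,
// e.g. {"who": "{{user}}", "count": {{n}} } -> ["user"].
function quotedVariables(optionsLiteral) {
  const found = [];
  let inString = false;
  for (let i = 0; i < optionsLiteral.length; i++) {
    const ch = optionsLiteral[i];
    if (ch === '\\') { i++; continue; }            // skip the escaped character
    if (ch === '"') { inString = !inString; continue; }
    if (inString && optionsLiteral.startsWith('{{', i)) {
      const end = optionsLiteral.indexOf('}}', i);
      if (end === -1) break;                        // unterminated placeholder
      // Drop the "-" unescape prefix and any ", format" suffix.
      const name = optionsLiteral.slice(i + 2, end).replace(/^\s*-/, '');
      found.push(name.split(',')[0].trim());
      i = end + 1;
    }
  }
  return found;
}

// Walk a (possibly nested) resource object and report every string whose
// nesting-options block interpolates a variable inside a quoted value.
function auditResources(resources, path = []) {
  const findings = [];
  for (const [key, value] of Object.entries(resources)) {
    const here = [...path, key];
    if (value && typeof value === 'object') {
      findings.push(...auditResources(value, here));
    } else if (typeof value === 'string') {
      for (const m of value.matchAll(NESTING)) {
        const variables = quotedVariables(m[2]);
        if (variables.length) findings.push({ key: here.join('.'), nested: m[1].trim(), variables });
      }
    }
  }
  return findings;
}

// Constructed sample resources (not from any real project).
const SAMPLE = { common: {
  girlsAndBoys: '$t(boys, {"count": {{boys}} }) and girls',
  welcome: 'Hi! $t(profile.title, {"who": "{{user}}", "count": {{n}} })',
} };
console.log(auditResources(SAMPLE));
```

The strings it reports are the ones to review in a project that sets escapeValue: false; the release note states that the default escapeValue: true configuration is unaffected.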

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Apr 25, 2026
@renovate renovate Bot requested a review from ivy-lli as a code owner April 25, 2026 02:20
@renovate renovate Bot force-pushed the renovate/master-all-minor-patch branch 2 times, most recently from 918d0a7 to c249b22 Compare April 25, 2026 13:26
@renovate renovate Bot force-pushed the renovate/master-all-minor-patch branch from c249b22 to b730b5f Compare April 25, 2026 21:11