chore(deps): update all non-major dependencies (main) by renovate[bot] · Pull Request #4268 · AmadeusITGroup/otter

renovate · 2026-06-13T17:10:45Z

This PR contains the following updates:

Package	Change	Type	Update	Pending
@crxjs/vite-plugin (source)	`~2.4.0` → `~2.7.0`	dependencies	minor
@jsverse/transloco (source)	`~8.3.0` → `~8.4.0`	devDependencies	minor
@jsverse/transloco (source)	`~8.3.0` → `~8.4.0`	dependencies	minor
@jsverse/transloco-messageformat (source)	`~8.3.0` → `~8.4.0`	devDependencies	minor
@jsverse/transloco-messageformat (source)	`~8.3.0` → `~8.4.0`	dependencies	minor
@openapitools/openapi-generator-cli	`~2.34.0` → `~2.38.0`	devDependencies	minor	`2.39.0`
@openapitools/openapi-generator-cli	`~2.34.0` → `~2.38.0`	dependencies	minor	`2.39.0`
@redocly/openapi-core	`~2.31.0` → `~2.34.0`	devDependencies	minor
@types/vscode (source)	`~1.120.0` → `~1.125.0`	devDependencies	minor
@vercel/ncc	`~0.38.0` → `~0.44.0`	devDependencies	minor
actions/setup-java	`v5.2.0` → `v5.3.0`	action	minor
lighthouse	`~13.3.0` → `~13.4.0`	dependencies	minor
lighthouse	`~13.3.0` → `~13.4.0`	devDependencies	minor
node (source)	`24.16` → `24.17`		minor
node	`24.16` → `24.17`	uses-with	minor
sass	`~1.100.0` → `~1.101.0`	devDependencies	minor
sass	`~1.100.0` → `~1.101.0`	dependencies	minor

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

crxjs/chrome-extension-tools (@crxjs/vite-plugin)

`v2.7.0`

Minor Changes

9f00943: Add dev HMR support for manifest-declared MAIN world content scripts.

Patch Changes

a9cc89a: Remove unused vite-plugin dependencies and update selected dependency
versions.

`v2.6.1`

Patch Changes

2b88621: Coalesce file writer readiness waits so large dev-server graph
updates do not repeatedly recompute the same dependency traversal. This also
fixes late HMR readiness waits that could miss the shared ready event and
delay content script updates.

`v2.6.0`

Minor Changes

4f5d2ec: feat: add IIFE content script bundling

Content scripts named with .iife.ts extension are automatically bundled as
self-contained IIFE files with all dependencies inlined. This is useful for
MAIN world content scripts used with chrome.scripting.executeScript or
chrome.scripting.registerContentScripts.

Patch Changes

5316e9c: Allow chrome-extension:// and moz-extension:// origins in Vite
dev-server CORS automatically. This keeps extension pages able to fetch
dev-server files on Vite releases with the stricter localhost-only CORS
default, including Vite 4.5.6, 5.4.12, and 6.0.9+, without requiring
projects to configure server.cors.origin manually.
1aee9ad: fix: dynamic content scripts failing in build --watch mode
2f8bab5: Fix the dev-mode loading page so it waits for the requested extension
HTML file, preserves the page URL query string, allows extension-origin
readiness polling, and throttles automatic reloads to avoid rapid flicker.
1681511: Expand vite-plugin CI to run e2e tests against supported Vite
versions and fix compatibility issues exposed by the matrix.
0593d58: fix: publish ESM declarations for the Vite plugin entrypoint

`v2.5.0`

Minor Changes

4756baf: feat: add HMR support for CSS declared in manifest content_scripts
4756baf: add: browser_specific_settings.gecko properties
4756baf: Fix "TypeError: plugins is not iterable" error when using
rolldown-vite (Vite 7).

In rolldown-vite, the buildStart hook doesn't receive options.plugins. This
fix uses the configResolved hook to get plugins from the resolved config, with
buildStart kept as a fallback for older Vite versions.
4756baf: Fixed
#852, the plugin
now emits a correct URL in service-worker-loader.js when the Vite option
server.https is enabled.
4756baf: fix: resolve TypeScript types correctly for ESM and CJS consumers
4756baf: feat: add Vite 8 beta support

Patch Changes

4756baf: ci: migrate release workflow to npm trusted publishers
570312a: fix: sanitize colons from output filenames on Windows
4756baf: fix: copy CSS files declared in manifest content_scripts to output
4756baf: Replace cheerio with node-html-parser to fix npm deprecation warning
for whatwg-encoding.

Also adds explicit vite peerDependency declaration (^3.0.0 through ^7.0.0) to
enable proper version resolution when used with different vite versions.
4756baf: ci: run compat tests against stable Vite 8, make the vite8 available
as a peer dependency
4756baf: fix: UnoCSS/TailwindCSS HMR issues with virtual CSS modules
8a99b4f: made data_collection_permissions optional
4756baf: fix: respect user's build.manifest setting in Vite 4+

When users set build.manifest: false in their Vite config, the Vite manifest
file (.vite/manifest.json in Vite 5+, or manifest.json in older versions)
is now properly removed from the output bundle.

CRXJS internally requires the Vite manifest to derive content script resources
during build, so it forces build.manifest: true. Previously, this meant the
Vite manifest was always included in the output even if the user explicitly
disabled it. Now, CRXJS removes the manifest from the bundle after processing
if the user didn't want it.

Closes #1077
d364bd8: chore: upgrade chokidar to 5.0.0
4756baf: feat(client): Update the style and content of the development mode
loading page

jsverse/transloco (@jsverse/transloco)

`v8.4.0`

Compare Source

🚀 Features

transloco: transpile function arguments in FunctionalTranspiler

🩹 Fixes

translateSignal utility missing injector for toSignal
transloco-scoped-libs: multi-scope i18n with join strategy

❤️ Thank You

Dafnik
f-aubert
Ilshat Khamitov

OpenAPITools/openapi-generator-cli (@openapitools/openapi-generator-cli)

`v2.38.0`

Compare Source

Features

release: trigger a release after upgrading concurrently to newer versions (#1225) (a265046)

`v2.37.0`

Compare Source

Features

release: trigger a release after upgrading deps to newer versions (#1223) (899c037)

`v2.36.0`

Compare Source

Features

release: trigger a release after upgrading to node 22.x (#1217) (8f69e5a)

`v2.35.0`

Compare Source

Features

release: v7.23.0 release (#1214) (47787b9)

Redocly/redocly-cli (@redocly/openapi-core)

`v2.34.0`

Compare Source

Minor Changes

Improved CLI install speed by bundling the CLI into a dependency-free package.

Warning: The published package no longer ships runtime dependencies in node_modules.
Plugins that relied on importing packages hoisted from the CLI (such as @redocly/openapi-core) must now declare those packages as their own dependencies.

`v2.33.2`

Compare Source

Patch Changes

Fixed a path traversal in the split command that might have written files outside the chosen --outDir.
Updated @redocly/openapi-core to v2.33.2.

Minor Changes

Added the --component-names-strategy option to the bundle command.
This option allows a choice of how inline Schema components are named: basename (default) or title (from each schema's title field).

Patch Changes

Updated @redocly/openapi-core to v2.33.0.

`v2.32.2`

Compare Source

Patch Changes

Updated @redocly/respect-core to v2.32.2.

`v2.32.1`

Compare Source

Patch Changes

Updated @redocly/openapi-core to v2.32.1.

`v2.32.0`

Compare Source

Minor Changes

Added support for junit output in the lint command.

Patch Changes

Updated @redocly/openapi-core to v2.32.0.

vercel/ncc (@vercel/ncc)

`v0.44.0`

Compare Source

Features

read permissions pr.yml (#1323) (5ea625e)

`v0.43.0`

Compare Source

Changes

BREAKING CHANGE: add Node 24 and 26 support, remove 20 (#1318) (#1305)
switch npm releases to trusted publishing (OIDC) (#1325) (#1327) (#1328) (#1329) (#1330) (#1331) (#1332)
switch package management to pnpm (#1321)
fix predictable global cache directory in /tmp enables symlink/hijack risks (#1314)
reorder extension resolution to prioritise TypeScript over JSON (#1315)
support TypeScript 6 transpile builds (#1316)

actions/setup-java (actions/setup-java)

`v5.3.0`

Compare Source

What's Changed

chore: update Java version to 25 in setup examples by @alaahong in #969
Bump minimatch from 3.1.2 to 3.1.5 by @dependabot[bot] in #984
Refactor error handling and improve test logging for installers by @chiranjib-swain in #989
chore: upgrade dependencies (@actions/core, cache, glob, http-client, tool-cache, xmlbuilder2) by @Copilot in #999
Add Oracle JDK 17 licensing limitation note by @mahabaleshwars in #1001
Update readme for ubuntu sudo java_home behavior by @mahabaleshwars in #1013
temurin: add support for Alpine Linux by @gdams in #674
fix: resolve npm audit vulnerabilities in fast-xml-builder and fast-xml-parser by @gdams in #1015
Bump @typescript-eslint/eslint-plugin from 8.35.1 to 8.48.0 by @dependabot[bot] in #952
Bump eslint-config-prettier from 8.10.0 to 10.1.8 by @dependabot[bot] in #881
Bump picomatch, @types/jest, jest, jest-circus and ts-jest by @dependabot[bot] in #1016
Bump @types/node from 24.1.0 to 25.9.3 by @dependabot[bot] in #950
Implement pagination with link headers for Adoptium based apis by @johnoliver in #1014
Make the Adoptopenjdk package type look at the Temurin repo first for latest assets by @johnoliver in #522
Bump @vercel/ncc from 0.38.1 to 0.44.0 by @dependabot[bot] in #1018

New Contributors

@alaahong made their first contribution in #969
@Copilot made their first contribution in #999
@johnoliver made their first contribution in #1014

Full Changelog: actions/setup-java@v5...v5.3.0

GoogleChrome/lighthouse (lighthouse)

`v13.4.0`

Compare Source

Full Changelog

We expect this release to ship in the DevTools of Chrome 151, and to PageSpeed Insights within 2 weeks.

New contributors

Thanks to our new contributors 👽🐷🐰🐯🐻!

Thomas Steiner @tomayac
KS Nithin @Nithin0620
Emanuele @emazack
Kirtikumar Anandrao Ramchandani @KirtiRamchandani
Rin @RinZ27
Michael Hablich @natorion

Core

canonical: improve validation for invalid URLs (#16765)
llms-txt: allow leading whitespace for header check (#17057)
geolocation-on-start: mention geolocation element (#16835)
add public Lighthouse types entrypoint (#17028)
match scripts to network requests using frameId (#16774)
config: import LH types (#17048)
driver: add ExecutionContext.evaluateOnObject (#17050)
driver: check if usage data exists before using (#17033)

Report

fix performance gauge label, improve load animation (#17045)
decouple link creation from link details rendering (#17049)
viewer: persist dark mode when when changing langauge (#17063)

Deps

upgrade deps (#17070)
upgrade typescript to 6.0.3 (#17060)
upgrade terser to 5.48.0 (#17059)
upgrade esbuild to 0.28.0 (#17058)
upgrade trace_engine to 0.0.65 (#17046)
upgrade puppeteer to 25.0.2 (#17019)

Clients

viewer: prevent toast showing on load (#17069)
viewer: clear github auth token on 401 error (#17064)
viewer: disable agentic-browsing in PSI api call (#17041)

I18n

import (#17071)

Docs

add agentic web issue template (#17020)

Tests

exclude origin-isolation-coop-present smoke test (#17072)
remove accidental .only (#17042)
remove unused c8 (#16845)
llms-txt: add coverage for network failure and heading edge cases (#17040)
viewer: update psi key (#17037)

Misc

migrate typescript moduleResolution to bundler (#17061)
build: generate subset of web-features data (#17047)
ci: add Node 26 to unit matrix (#17062)
ci: bump actions/upload-artifact from 4 to 7 (#16938)

nodejs/node (node)

`v24.17.0`: 2026-06-18, Version 24.17.0 'Krypton' (LTS), @aduh95

Compare Source

This is a security release.

Notable Changes

(CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
(CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
(CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
(CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
(CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
(CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
(CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
(CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
(CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
(CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
(CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low

Commits

[9e4dfc7bba] - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) nodejs-private/node-private#878
[cb2aed980c] - deps: update llhttp to 9.4.2 (Antoine du Hamel) nodejs-private/node-private#890
[a8a0d12875] - (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 (Tim Perry) #62891
[66e6203c1c] - (SEMVER-MAJOR) deps: update nghttp2 to 1.69.0 (Node.js GitHub Bot) #62891
[dd627ced27] - deps: update archs files for openssl-3.5.7 (Node.js GitHub Bot) #63820
[684bae568f] - deps: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) #63820
[3a631e7f83] - deps: fix aix implicit declaration in OpenSSL (Abdirahim Musse) #62656
[cf44df3996] - deps: update undici to 7.28.0 (Node.js GitHub Bot) #63703
[138c70294b] - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) nodejs-private/node-private#868
[be7e719c3f] - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) nodejs-private/node-private#846
[cc7c11b4d1] - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) nodejs-private/node-private#855
[9224427b92] - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) nodejs-private/node-private#867
[cf85d54839] - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) nodejs-private/node-private#873
[a1bbc24f96] - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) nodejs-private/node-private#870
[e3723ff2d6] - test: add session reuse host verification regressions (Matteo Collina) nodejs-private/node-private#854
[a77af4867b] - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) nodejs-private/node-private#854
[31beb4f707] - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) nodejs-private/node-private#857
[8e75c73f91] - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) nodejs-private/node-private#869

actions/node-versions (node)

`v24.17.0`: 24.17.0

Compare Source

Node.js 24.17.0

sass/dart-sass (sass)

`v1.101.0`

Compare Source

Potentially breaking bug fix: The Node package importer now properly
supports resolving import-only variants of Sass files declared in the
exports, sass, and style fields of package.json. Previously, these
files were ignored even when loaded via @import, so any code relying on
loading module-system-only files this way may break.

Configuration

📅 Schedule: (in timezone Europe/Paris)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

nx-cloud · 2026-06-13T17:13:51Z

View your CI Pipeline Execution ↗ for commit 0dddee3

Command	Status	Duration	Result
`nx run-many --target=build,build-jar`	❌ Failed	4m 48s	View ↗
`nx affected --target=lint --configuration ci`	✅ Succeeded	5m 14s	View ↗
`nx run-many --target=documentation`	✅ Succeeded	17s	View ↗
`nx affected --target=test --coverage --configur...`	✅ Succeeded	48s	View ↗
`nx run-many --tui=false --target=build --projec...`	✅ Succeeded	2m	View ↗
`nx affected --target=package-github-action`	✅ Succeeded	3s	View ↗

💡 Dealing with memory or CPU issues? See memory and CPU details with the resource usage add-on ↗.

☁️ Nx Cloud last updated this comment at 2026-06-23 20:01:55 UTC

codecov · 2026-06-13T17:20:49Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.80%. Comparing base (25814f5) to head (0dddee3).
✅ All tests successful. No failed tests found.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

nx-cloud

Nx Cloud is proposing a fix for your failed CI:

We added an ambient module declaration for picomatch to fix TS7016 errors in both chrome-devtools:build-panel and chrome-devtools:build-components. The dependency updates in this PR transitively introduced fdir@6.5.0, whose type definitions import picomatch@4.0.4, which no longer ships TypeScript types. Adding declare module 'picomatch'; in src/picomatch.d.ts satisfies the TypeScript compiler without changing any runtime behaviour.

Tip

✅ We verified this fix by re-running chrome-devtools:build-panel.

diff --git a/apps/chrome-devtools/src/picomatch.d.ts b/apps/chrome-devtools/src/picomatch.d.ts
new file mode 100644
index 000000000..26eba8841
--- /dev/null
+++ b/apps/chrome-devtools/src/picomatch.d.ts
@@ -0,0 +1 @@
+declare module 'picomatch';

Or Apply changes locally with:

npx nx-cloud apply-locally jDMY-q4NV

Apply fix locally with your editor ↗ View interactive diff ↗

_{🎓 Learn more about Self-Healing CI on nx.dev}

renovate Bot requested a review from a team as a code owner June 13, 2026 17:10

renovate Bot added the dependencies Pull requests that update a dependency file label Jun 13, 2026

github-actions Bot added project:@ama-sdk/schematics project:@ama-sdk/create project:@ama-styling/figma-sdk project:@o3r-training/showcase-sdk project:@o3r-training/training-sdk project:@o3r/chrome-devtools labels Jun 13, 2026