chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@ai-sdk/vue (source)	^3.0.154 → ^3.0.168
@changesets/cli (source)	^2.30.0 → ^2.31.0
@codspeed/vitest-plugin (source)	^5.2.0 → ^5.3.0
@comark/nuxt (source)	^0.2.1 → ^0.3.1
@libsql/client (source)	^0.17.2 → ^0.17.3
@nestjs/common (source)	>=11.1.18 → >=11.1.19
@nestjs/common (source)	^11.1.18 → ^11.1.19
@noble/hashes (source)	^1.7.2 → ^1.8.0
@nuxt/content (source)	^3.12.0 → ^3.13.0
@nuxt/test-utils	^4.0.2 → ^4.0.3
@nuxt/ui (source)	^4.6.1 → ^4.7.0
@nuxtjs/sitemap	^8.0.12 → ^8.0.14
@tanstack/start-client-core (source)	^1.167.9 → ^1.167.20
ai (source)	>=6.0.154 → >=6.0.168
ai (source)	^6.0.154 → ^6.0.168
better-auth (source)	>=1.2.0 → >=1.6.9
better-auth (source)	^1.6.2 → ^1.6.9
better-sqlite3	^12.8.0 → ^12.9.0
bun (source)	1.2.22 → 1.3.13
evlog (source)	^2.11.0 → ^2.14.0
fastify (source)	>=5.8.4 → >=5.8.5
fastify (source)	^5.8.4 → ^5.8.5
happy-dom	^20.8.9 → ^20.9.0
motion-v	^2.2.0 → ^2.2.1
next (source)	>=16.2.3 → >=16.2.4
next (source)	^16.2.3 → ^16.2.4
nuxt-studio	^1.6.0 → ^1.6.1
react-router (source)	>=7.14.0 → >=7.14.2
react-router (source)	^7.14.0 → ^7.14.2
shaders	^2.5.92 → ^2.5.109
tailwindcss (source)	^4.2.2 → ^4.2.4
tsdown (source)	^0.21.7 → ^0.21.10
turbo (source)	^2.9.5 → ^2.9.6
typescript (source)	^6.0.2 → ^6.0.3
vite (source)	^8.0.8 → ^8.0.10
vitest (source)	^4.1.4 → ^4.1.5
vue (source)	3.5.32 → 3.5.33
vue-tsc (source)	^3.2.6 → ^3.2.7

---

Release Notes

vercel/ai (@​ai-sdk/vue)

v3.0.168

Compare Source

Patch Changes

• Updated dependencies [b8d28f4]
  • ai@​6.0.166

v3.0.167

Compare Source

Patch Changes

• ai@​6.0.165

v3.0.166

Compare Source

Patch Changes

• ai@​6.0.164

v3.0.165

Compare Source

Patch Changes

• ai@​6.0.163

v3.0.164

Compare Source

Patch Changes

• ai@​6.0.162

v3.0.163

Compare Source

Patch Changes

• ai@​6.0.161

v3.0.162

Compare Source

Patch Changes

• ai@​6.0.160

v3.0.161

Compare Source

Patch Changes

• ai@​6.0.159

v3.0.160

Compare Source

Patch Changes

• Updated dependencies [295beba]
  • ai@​6.0.158

v3.0.159

Compare Source

Patch Changes

• Updated dependencies [ff11aee]
  • ai@​6.0.157

v3.0.158

Compare Source

Patch Changes

• ai@​6.0.156

v3.0.157

Compare Source

Patch Changes

• Updated dependencies [06764c5]
  • ai@​6.0.155

v3.0.156

Compare Source

Patch Changes

• ai@​6.0.154

v3.0.155

Compare Source

Patch Changes

• Updated dependencies [f152133]
  • ai@​6.0.153

changesets/changesets (@​changesets/cli)

v2.31.0

Compare Source

Minor Changes

• #​1889 96ca062 Thanks @​mixelburg! - Error on unsupported flags for individual CLI commands and print the matching command usage to make mistakes easier to spot.

• #​1873 42943b7 Thanks @​mixelburg! - Respond to --help on all subcommands. Previously, --help was only handled when it was the sole argument; passing it alongside a subcommand (e.g. changeset version --help) would silently execute the command instead. Now --help always exits early and prints per-command usage when a known subcommand is provided, or the general help text otherwise.

Patch Changes

• d2121dc Thanks @​Andarist! - Fix npm auth for path-based registries during publish by preserving configured registry URLs instead of normalizing them.

• #​1888 036fdd4 Thanks @​mixelburg! - Fix several changeset version issues with workspace protocol dependencies. Valid explicit workspace: ranges and aliases are no longer rewritten unnecessarily, and workspace path references are handled correctly during versioning.

• #​1903 5c4731f Thanks @​Andarist! - Gracefully handle stale npm info data leading to duplicate publish attempts.

• #​1867 f61e716 Thanks @​Andarist! - Improved detection for published state of prerelease-only packages without latest dist-tag on GitHub Packages registry.

• Updated dependencies [036fdd4, 036fdd4, 036fdd4]:

  • @​changesets/assemble-release-plan@​6.0.10
  • @​changesets/get-dependents-graph@​2.1.4
  • @​changesets/apply-release-plan@​7.1.1
  • @​changesets/get-release-plan@​4.0.16
  • @​changesets/config@​3.1.4

CodSpeedHQ/codspeed-node (@​codspeed/vitest-plugin)

v5.3.0

Compare Source

What's Changed

We now collect buildtime and runtime environment data to warn users about differences in their runtime environment when comparing two runs against one another.

This data includes toolchain metadata like version and build options, as well as a list of dynamically loaded linked libraries.

• feat(fi): add memory profiling by @​not-matthias in #​73
• feat: dump node process information when running by @​GuillaumeLagrange in #​77
• chore: bump instrument-hooks to dump linked libraries by @​GuillaumeLagrange in #​78

Full Changelog: CodSpeedHQ/codspeed-node@v5.2.0...v5.3.0

comarkdown/comark (@​comark/nuxt)

v0.3.1: @​comark/nuxt v0.3.1

Compare Source

Features

• comark: add breaks plugin (#​149) (90dca0d)
• comark: add footnotes plugin with parsing and rendering support (#​104) (3d74274)
• comark: add punctuation plugin (#​123) (9b76e11)
• data binding in components (#​143) (feedcd7)
• docs: enhance Playground with plugin management and parse options (#​107) (1dcb21b)
• new/default block attributes syntax (#​125) (5222cf9)
• punctuation: enhance punctuation plugin with normalization and locale-aware quotes (#​144) (62d996f)
• render: conditional handlers to match nodes based on attributes or children or ... (#​130) (25e45cc)
• rendering: expose dump options for frontmatter serialization (#​101) (d294b0d)
• specs: autolink support (#​112) (1f8442f)
• use parent heading id as prefix for child headings (#​126) (e83d889)

Bug Fixes

• auto-close: ensure underscore syntax does not joined with a word (#​131) (dd3fc00)
• auto-close: ignore contents inside attributes fence (9eefd87)
• auto-close: skip full link content and url part (7e378be)
• auto-close: support ignore char in math syntax \$ (b1641ce)
• deps: deduplicate vue runtime to single version (#​133) (669ea89)
• examples: add tailwindcss to dependencies (#​109) (d17259b)
• force extension for relative imports (#​152) (515c4dd)
• img: default alt to empty string to prevent 'undefined' in output (#​148) (5ba5507)
• mermaid: set default height to auto (#​119) (fb5b909)
• parser: return previous output on parse error while streaming (#​132) (7cf2c17)
• render: correct list indentation and block content in list items (#​120) (aad5516)
• specs: preserve indentation of nested components in named slots (#​106) (9ebddfd)
• vue: typo in slot unwrap prop name (#​127) (1517e95)

tursodatabase/libsql-client-ts (@​libsql/client)

v0.17.3

Compare Source

nestjs/nest (@​nestjs/common)

v11.1.19

Compare Source

v11.1.19 (2026-04-13)

Bug fixes

• microservices
  • #​16762 fix(microservices): use backing field for consumer CRASH event listener (@​burhanharoon)
  • #​16764 fix(microservices): prevent stack overflow in jsonsocket.handledata() (@​kamilmysliwiec)

Committers: 2

• Burhan Haroon⚡ (@​burhanharoon)
• Kamil Mysliwiec (@​kamilmysliwiec)

paulmillr/noble-hashes (@​noble/hashes)

v1.8.0

Compare Source

Preparation for v2

The release contains bugfixes and a few improvements which pave the way for upcoming v2.0.

• Modules are now available with .js extension
  • Old: @noble/hashes/sha2
  • New: @noble/hashes/sha2.js
  • Old path is still available
  • This simplifies working in browsers natively without transpilers
• Refactor core functionality, remove duplicate code
• Decrease package size

Deprecations

In v2, some modules will be removed. For example, sha256 will become sha2. In v1.8, the old names still exist, but are marked as deprecated, to simplify upgrade path.

One of the reasons for moving those was the fact sha384 resided in sha512, sha224 in sha256 - which was confusing. New naming scheme simplifies reasoning and decreases amount of modules.

• sha256 became sha2 (which already existed for several releases)
• sha512 became sha2
• _assert became utils
• blake2b became blake2
• blake2s became blake2
• ripemd160 became legacy (to signify its low security level 2^80)
• sha1 became legacy

Full Changelog: paulmillr/noble-hashes@1.7.2...1.8.0

nuxt/content (@​nuxt/content)

v3.13.0

Compare Source

Bug Fixes

• get mdc configs by calling mdc:configSources hook (#​3736) (57f5552)
• preview: move formatDate/formatDateTime into runtime subtree (#​3749) (4a76b2a)

nuxt/test-utils (@​nuxt/test-utils)

v4.0.3

Compare Source

4.0.3 is the next patch release.

👉 Changelog

compare changes

🩹 Fixes

• runtime-utils: Lazily import root-component in mount + render helpers (#​1665)
• runtime-utils: Insert compilerOptions conditionally (#​1659)
• config: Enable sourcemaps when vitest coverage is enabled (#​1674)
• module: Exclude test files from Nuxt plugin registration (#​1666)
• runtime-utils: Provide NuxtLink isActive slot props (#​1640)
• e2e: Wait for HTTP readiness before resolving startServer (#​1675)

🏡 Chore

• Fix typo (#​1663)
• Bump nitro and nuxt pins in nitro-v3 example (#​1678)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Martin Masevski (@​Archetipo95)
• Ryota Watanabe (@​wattanx)
• Jan Müller (@​DerYeger)
• Yoshihiro Yamaguchi (@​yamachi4416)
• Sai Asish Y (@​SAY-5)

nuxt/ui (@​nuxt/ui)

v4.7.0

Compare Source

Features

• AuthForm: add separator slot (#​6305) (81c7ddb)
• Card: add title and description props (3cf7d75), closes #​6001
• CommandPalette: add group-label slot (#​6329) (7fc773c)
• CommandPalette: add searchDelay prop (7d2af05)
• EditorSuggestionMenu: expose suggestion matching options (#​6234) (4427824)
• Link: auto-localize internal links when @nuxtjs/i18n is installed (#​5537) (92cfda0)
• Listbox: new component (#​6307) (00c1651)
• ProsePrompt: new component (#​6362) (2451ac6)
• Table: support sticky header/footer in virtualized mode (#​6217) (15d32ce)
• Textarea: expose autoResize method (#​6120) (9c5c0df)

Bug Fixes

• Accordion/Tabs: use item value as stable key to avoid remounts (#​6380) (3cee610)
• Avatar: remove leading-none from fallback (#​6383) (77ce09a)
• ChatMessage/ChatMessages: preserve generic message type in slot scope (#​6391) (20f66db)
• ChatMessages: prevent layout shift caused by indicator during streaming (#​6297) (b7160e2)
• ChatMessages: use MutationObserver for auto-scroll during streaming (#​6357) (47bf3cb)
• ChatPromptSubmit: ignore disabled prop when status is not ready (600a2ca)
• components: resolve defaultVariants in template logic (#​6361) (75b37d0)
• ContentSearch/DashboardSearch: pick shared props from CommandPalette (cdcf2e5)
• ContentSearch: speed up navigation mapping (0faf2c2)
• ContentToc: use links for scrollspy instead of hardcoded h2/h3 (#​6282) (6aba2ea)
• FieldGroup: prevent context from leaking into portals (#​6313) (5155e27)
• FileUpload: use form field color and highlight instead of raw props (bb5a9ed)
• Header/DashboardSidebar/Sidebar: allow auto focus in menu for proper focus trapping (#​6266) (9b91ee4)
• InputDate/InputTime: increase segments width (#​6339) (4ebdb2f)
• InputTags: add missing field group variant (#​6326) (aae5378)
• Link: ensure single-root rendering for v-show and $el resolution (#​6310) (2c4ff35)
• Modal/Slideover: drop empty header wrapper when empty (#​6381) (1082960)
• module: use relative tagPriority for inline style tags (#​6299) (ae693d0)
• PricingTable: align header elements vertically (#​6111) (0daacb0)
• PricingTable: handle RTL mode (#​6382) (ab203db)
• ProseCodeCollapse: match background on overscroll (28c89fe)
• ProseImg: respect markdown width attribute (#​6350) (d4e4ea1)
• ProsePre: get code from DOM if code prop is missing (#​6333) (b808ce4)
• Select: support item-aligned position mode (#​6358) (255807a)

nuxt-modules/sitemap (@​nuxtjs/sitemap)

v8.0.14

Compare Source

   🐞 Bug Fixes

• Escape all user-provided XML fields  -  by @​harlan-zw in #​610 (33398)

   🏎 Performance

• Split static sitemap config into virtual module  -  by @​harlan-zw in #​608 (9ef0a)
• Lazy load fast-xml-parser in parseSitemapIndex  -  by @​harlan-zw in #​609 (a3ee4)

    View changes on GitHub

v8.0.13

Compare Source

   🐞 Bug Fixes

• Skip cache during prerender to prevent empty sitemap  -  by @​harlan-zw in #​604 (b4570)

    View changes on GitHub

TanStack/router (@​tanstack/start-client-core)

v1.167.20

Compare Source

Patch Changes

• Updated dependencies [493148b]:
  • @​tanstack/router-core@​1.168.17
  • @​tanstack/start-storage-context@​1.166.31

v1.167.19

Compare Source

Patch Changes

• refactor(start-client-core): use a more explicit typing to CustomFetch type (#​7258)

v1.167.18

Compare Source

Patch Changes

• Updated dependencies [4d864ee]:
  • @​tanstack/router-core@​1.168.16
  • @​tanstack/start-storage-context@​1.166.30

v1.167.17

Compare Source

Patch Changes

• Updated dependencies [16f6892]:
  • @​tanstack/router-core@​1.168.15
  • @​tanstack/start-storage-context@​1.166.29

v1.167.16

Compare Source

Patch Changes

• Updated dependencies [0e2c900]:
  • @​tanstack/router-core@​1.168.14
  • @​tanstack/start-storage-context@​1.166.28

v1.167.15

Compare Source

Patch Changes

• Updated dependencies [812792f]:
  • @​tanstack/router-core@​1.168.13
  • @​tanstack/start-storage-context@​1.166.27

v1.167.14

Compare Source

Patch Changes

• Updated dependencies [8ec9ca9]:
  • @​tanstack/router-core@​1.168.12
  • @​tanstack/start-storage-context@​1.166.26

v1.167.13

Compare Source

Patch Changes

• Updated dependencies [6355bb7]:
  • @​tanstack/router-core@​1.168.11
  • @​tanstack/start-storage-context@​1.166.25

v1.167.12

Compare Source

Patch Changes

• migrate createStore > createAtom for simpler API (#​7150)

• Updated dependencies [459057c]:

  • @​tanstack/router-core@​1.168.10
  • @​tanstack/start-storage-context@​1.166.24

v1.167.11

Compare Source

Patch Changes

• fix publishing (f8ac427)

v1.167.10

Compare Source

Patch Changes

• Ensure request middleware context wins over colliding client-provided context in server function execution paths, including SSR, GET, and FormData requests. (#​7135)

better-auth/better-auth (better-auth)

v1.6.9

Compare Source

Patch Changes

• Updated dependencies [815ecf6]:
  • @​better-auth/core@​1.6.9
  • @​better-auth/drizzle-adapter@​1.6.9
  • @​better-auth/kysely-adapter@​1.6.9
  • @​better-auth/memory-adapter@​1.6.9
  • @​better-auth/mongo-adapter@​1.6.9
  • @​better-auth/prisma-adapter@​1.6.9
  • @​better-auth/telemetry@​1.6.9

v1.6.8

Compare Source

Patch Changes

• #​9253 856ab24 Thanks @​baptisteArno! - fix(organization): allow passing id through beforeCreateTeam and beforeCreateInvitation

  Mirrors #​4765 for teams and invitations: adapter.createTeam and adapter.createInvitation now pass forceAllowId: true, so ids returned from the respective hooks survive the DB insert.

• #​9331 9aa8e63 Thanks @​gustavovalverde! - fix(oauth): support mapProfileToUser fallback for providers that may omit email

  Social sign-in with OAuth providers that may return no email address (Discord phone-only accounts, Apple subsequent sign-ins, GitHub private emails, Facebook, LinkedIn, and Microsoft Entra ID managed users) can now be unblocked by synthesizing an email inside mapProfileToUser. Rejection logger messages now point at this workaround and at the new "Handling Providers Without Email" docs section.

  Provider profile types now reflect where email can be null or absent:

  • DiscordProfile.email is string | null and optional (absent when the email scope is not granted)
  • AppleProfile.email is optional
  • GithubProfile.email is string | null
  • FacebookProfile.email is optional
  • FacebookProfile.email_verified is optional (Meta's Graph API does not include this field)
  • LinkedInProfile.email is optional
  • LinkedInProfile.email_verified is optional
  • MicrosoftEntraIDProfile.email is optional

  TypeScript consumers who previously dereferenced profile.email directly inside mapProfileToUser will see a compile error that matches the runtime reality; use a nullish-coalescing fallback (profile.email ?? ...) or null-check the field.

  Sign-in still rejects with error=email_not_found (social callback) or error=email_is_missing (Generic OAuth plugin) when neither the provider nor mapProfileToUser produces an email. First-class support for users without an email, keyed on (providerId, accountId) per OpenID Connect Core §5.7, is tracked in #​9124.

• Updated dependencies [9aa8e63]:

  • @​better-auth/core@​1.6.8
  • @​better-auth/drizzle-adapter@​1.6.8
  • @​better-auth/kysely-adapter@​1.6.8
  • @​better-auth/memory-adapter@​1.6.8
  • @​better-auth/mongo-adapter@​1.6.8
  • @​better-auth/prisma-adapter@​1.6.8
  • @​better-auth/telemetry@​1.6.8

v1.6.7

Compare Source

Patch Changes

• #​9211 307196a Thanks @​stewartjarod! - Preserve Set-Cookie headers accumulated on ctx.responseHeaders when an endpoint throws APIError. Cookie side-effects from deleteSessionCookie (and any ctx.setCookie / ctx.setHeader calls before the throw) are no longer silently discarded on the error path.

• #​9292 4f373ee Thanks [@​gustavova

---

Configuration

📅 Schedule: (in timezone UTC)

• Branch creation
  • "before 3am on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

Deployment failed with the following error:

There is no GitHub account connected to this Vercel account.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
evlog-docs	Ready	Preview, Comment, Open in v0	Apr 27, 2026 8:45pm

[autofix-troubleshooter]

Hi! I'm the autofix.ci troubleshooter bot.

It looks like you correctly set up a CI job that uses the autofix.ci GitHub Action, but the autofix.ci GitHub App has not been installed for this repository. This means that autofix.ci unfortunately does not have the permissions to fix this pull request. If you are the repository owner, please install the app and then restart the CI workflow! 😃

[github-actions]

Thank you for following the naming conventions! 🙏

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.