chore(deps): update all non-major dependencies (4.x)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@playwright/test (source)	1.59.1 → 1.60.0			devDependencies	minor
@typescript-eslint/parser (source)	8.59.2 → 8.59.3			devDependencies	patch
@vitest/coverage-v8 (source)	4.1.5 → 4.1.6			devDependencies	patch
oxc-minify (source)	^0.129.0 → ^0.130.0			dependencies	minor
oxc-parser (source)	^0.129.0 → ^0.130.0			dependencies	minor
oxc-transform (source)	0.129.0 → 0.130.0			devDependencies	minor
oxc-transform (source)	^0.129.0 → ^0.130.0			dependencies	minor
playwright-core (source)	1.59.1 → 1.60.0			devDependencies	minor
pnpm/action-setup	v6.0.6 → v6.0.7			action	patch
vitest (source)	4.1.5 → 4.1.6			devDependencies	patch

---

Release Notes

microsoft/playwright (@​playwright/test)

v1.60.0

Compare Source

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});

await page.locator('#dropzone').drop({
  data: {
    'text/plain': 'hello world',
    'text/uri-list': 'https://example.com',
  },
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

• Event browser.on('context') — fired when a new context is created on the browser.
• BrowserContext now mirrors lifecycle events from its pages: browserContext.on('download'), browserContext.on('frameattached'), browserContext.on('framedetached'), browserContext.on('framenavigated'), browserContext.on('pageclose'), browserContext.on('pageload').

Locators and Assertions

• New option description in page.getByRole() / locator.getByRole() / frame.getByRole() / frameLocator.getByRole() for matching the accessible description.
• New option pseudo in expect(locator).toHaveCSS() reads computed styles from ::before or ::after.
• New option style in locator.highlight() applies extra inline CSS to the highlight overlay, plus new page.hideHighlight() to clear all highlights.

Network

• webSocketRoute.protocols() returns the WebSocket subprotocols requested by the page.
• New option noDefaults in browserType.connectOverCDP() disables Playwright's default overrides on the default context (download behavior, focus emulation, media emulation), so attaching to a user's daily-driver browser doesn't disturb its state.

Errors and Reporting

• New webError.location() mirrors consoleMessage.location().
• consoleMessage.location() now exposes line / column properties (lineNumber / columnNumber are deprecated).
• New testInfoError.errorContext surfaces additional diagnostic context, such as the aria snapshot of the receiver at the time of an expect(...) matcher failure.
• reporter.onError() now receives a workerInfo argument with details about the worker for fixture teardown errors.

Test runner

• New {testFileBaseName} token in testProject.snapshotPathTemplate — file name without extension.
• Test runner now errors when a config tries to override a non-option fixture, and rejects workers: 0 or negative values.

🛠️ Other improvements

• HTML reporter:
  • npx playwright show-report accepts .zip files directly — no need to unzip first.
  • Steps that contain attachments inside nested children show an indicator on the parent step.
  • The repeatEachIndex is shown in the test header when non-zero.
• Trace Viewer adds a pretty-print toggle for JSON / form request and response bodies in the network details panel.

Breaking Changes ⚠️

• Removed long-deprecated APIs:
  • Locator.ariaRef() — use the standard locator.ariaSnapshot() pipeline.
  • handle option on BrowserContext.exposeBinding and Page.exposeBinding.
  • logger option on BrowserType.connect and BrowserType.connectOverCDP — use tracing instead.
  • Context options videosPath / videoSize — use recordVideo instead.

Browser Versions

• Chromium 148.0.7778.96
• Mozilla Firefox 150.0.2
• WebKit 26.4

This version was also tested against the following stable channels:

• Google Chrome 147
• Microsoft Edge 147

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.59.3

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.6

Compare Source

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in #​10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in #​10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in #​10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in #​10276 (9f7b1)

    View changes on GitHub

oxc-project/oxc (oxc-minify)

v0.130.0

oxc-project/oxc (oxc-parser)

v0.130.0

📚 Documentation

• a4a6892 napi/parser: Correct code comment (#​22278) (overlookmotel)

oxc-project/oxc (oxc-transform)

v0.130.0

pnpm/action-setup (pnpm/action-setup)

v6.0.7

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[pkg-pr-new]

Open in StackBlitz

@nuxt/kit

npm i https://pkg.pr.new/@nuxt/kit@35046

@nuxt/nitro-server

npm i https://pkg.pr.new/@nuxt/nitro-server@35046

nuxt

npm i https://pkg.pr.new/nuxt@35046

@nuxt/rspack-builder

npm i https://pkg.pr.new/@nuxt/rspack-builder@35046

@nuxt/schema

npm i https://pkg.pr.new/@nuxt/schema@35046

@nuxt/vite-builder

npm i https://pkg.pr.new/@nuxt/vite-builder@35046

@nuxt/webpack-builder

npm i https://pkg.pr.new/@nuxt/webpack-builder@35046

commit: 347c812

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

 ERR_PNPM_ABORTED_REMOVE_MODULES_DIR_NO_TTY  Aborted removal of modules directory due to no TTY

If you are running pnpm in CI, set the CI environment variable to "true", or set "confirmModulesPurge" to "false".

[codspeed-hq]

Merging this PR will not alter performance

✅ 20 untouched benchmarks
⏩ 3 skipped benchmarks¹

---

_{Comparing renovate/4.x-all-non-major (347c812) with 4.x (8286e5f)}

Footnotes

1. 3 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	happy-dom@​20.9.0
	cssnano@​7.1.9
	escape-string-regexp@​5.0.0
	@​typescript-eslint/​parser@​8.59.2 ⏵ 8.59.3				+1
	esbuild@​0.28.0
	file-loader@​6.2.0
	@​vitest/​coverage-v8@​4.1.5 ⏵ 4.1.6
	errx@​0.1.0
	compatx@​0.2.0
	destr@​2.0.5
	estree-walker@​3.0.3
	case-police@​2.2.1
	fork-ts-checker-webpack-plugin@​9.1.0
	h3@​2.0.1-rc.22
	get-port-please@​3.2.0
	changelogen@​0.6.2
	chokidar@​5.0.0
	exsolve@​1.0.8
	eslint-typegen@​2.3.1
	acorn@​8.16.0
	css-loader@​7.1.4
	esbuild-loader@​4.4.3
	eslint-plugin-no-only-tests@​3.4.0
	defu@​6.1.7
	beasties@​0.4.2
	css-minimizer-webpack-plugin@​8.0.0
	cookie-es@​3.1.1
	h3@​1.15.11
	autoprefixer@​10.5.0
	eslint-plugin-import-x@​4.16.2
	eslint@​10.3.0
	eslint-plugin-perfectionist@​5.9.0
	c12@​3.3.4
See 2 more rows in the dashboard

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm commander is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/@arethetypeswrong/cli@0.18.2 → npm/commander@10.0.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/commander@10.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm css-minimizer-webpack-plugin is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: packages/schema/package.json → npm/css-minimizer-webpack-plugin@8.0.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/css-minimizer-webpack-plugin@8.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm css-tree is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/css-tree@3.2.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/css-tree@3.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm eslint-plugin-jsdoc is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/@nuxt/eslint-config@1.15.2 → npm/eslint-plugin-jsdoc@62.9.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eslint-plugin-jsdoc@62.9.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm formatly is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/formatly@0.3.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/formatly@0.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm happy-dom is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/happy-dom@20.9.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/happy-dom@20.9.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.