chore(deps): update ⬆️ mise-packages

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change	Pending	Age	Adoption	Passing	Confidence
aqua:anthropics/claude-code	patch	2.1.145 → 2.1.148	2.1.150 (+1)
aqua:astral-sh/ruff	patch	0.15.13 → 0.15.14
aqua:astral-sh/uv	patch	0.11.15 → 0.11.16
aqua:snyk/cli	minor	1.1304.3 → 1.1305.0
aqua:sst/opencode	patch	1.15.5 → 1.15.7	1.15.10 (+1)
github:agavra/tuicr	minor	v0.15.0 → v0.16.0
github:always-further/nono	minor	v0.56.0 → v0.57.0	v0.58.0
github:janosmiko/lfk	patch	v0.12.1 → v0.12.2	v0.12.6 (+3)
github:modem-dev/hunk	patch	0.13.1 → v0.13.2
node (source)	minor	24.15.0 → 24.16.0
npm:socket	patch	1.1.99 → 1.1.102

---

Release Notes

anthropics/claude-code (aqua:anthropics/claude-code)

v2.1.148

Compare Source

• Fixed the Bash tool returning exit code 127 on every command for some users (a regression introduced in 2.1.147)

v2.1.147

Compare Source

• Pinned background sessions (Ctrl+T in claude agents) now stay alive when idle, are restarted in place to apply Claude Code updates, and are shed under memory pressure only after non-pinned sessions
• Renamed /simplify to /code-review. It now reports correctness bugs at a chosen effort level (e.g., /code-review high); pass --comment to post findings as inline GitHub PR comments. The old cleanup-and-fix behavior has been removed
• Improved auto-updater: retries transient network failures, reports specific error categories and OS error codes on failure, and shows the current version when an update fails
• Improved diff rendering performance for large file edits
• Prompt history no longer records consecutive duplicate entries — recalling a prompt with arrow-up and submitting it again won't add another copy
• Fixed enterprise login restrictions (forceLoginOrgUUID and forceLoginMethod managed-settings) not being enforced against third-party-provider and API-key sessions
• Fixed & in ! command output displaying as &, which broke copy-pasting URLs from commands like gcloud auth login on headless machines
• Fixed unknown slash commands silently doing nothing in headless/SDK mode — they now show an error message
• Fixed /help rendering a broken tab header and showing only one command per page on small terminals when not in fullscreen mode
• Fixed shell snapshot dropping user functions whose names start with a single underscore, which broke aliases referencing them
• Fixed plugin agents that declare multiple Agent(...) types in tools: frontmatter dropping all but the last entry
• Fixed hook if conditions like PowerShell(git push*) never matching — only PowerShell(*) worked
• Fixed PowerShell tool dropping output for commands that rely on the default formatter
• Fixed: on Windows, "Yes, and don't ask again" for a PowerShell script invocation now writes a rule that actually matches on subsequent runs
• Fixed PowerShell tool failing on Windows with exit code 1 when pwsh is installed via winget or the Microsoft Store
• Fixed /effort opening with the slider on the wrong level — it now starts at your current effort
• Fixed paginating MCP servers dropping resources, templates, and prompts past page 1
• Fixed full-screen strobing in attached background sessions on Windows Terminal while Claude is streaming
• Fixed: on Windows, removing a background-job worktree no longer follows NTFS junctions into the main repo
• Fixed /background refusing sessions whose only typed input was a skill or custom slash command
• Fixed auto mode suppressing AskUserQuestion when the user or a skill explicitly relies on it; the auto-mode classifier now sees the user's answers as intent signal
• Fixed /theme "New custom theme" and color editor dialogs not responding to Esc
• Fixed an uncaught exception at the end of streaming sessions when running via the Agent SDK
• Fixed a rare hang when waiting for scroll to settle on Windows
• Fixed stale and doubled rows in the agent view list on Windows when background session results contain wide (CJK) characters
• Fixed pasted text being delivered to agents as an unreadable [Pasted text #N] placeholder instead of the actual content
• Fixed plugin component counts in claude plugin details and /plugin being doubled when a plugin's manifest listed paths overlapping its default directories
• Fixed backgrounded sessions re-prompting for tool permissions you already granted with "don't ask again"
• Fixed GNOME Terminal right-click and middle-click paste not inserting text
• Fixed CLAUDE_CODE_SUBAGENT_MODEL not applying to teammate processes spawned by agent teams
• Fixed slash commands followed by a tab or newline being treated as an unknown command
• Fixed several spacing and layout glitches in the /plugin, /status, /mobile, /sandbox, and /permissions menus
• Fixed stripped images prompting the model to repeatedly re-read media that was no longer present

v2.1.146

Compare Source

What's changed

• Renamed /simplify to /code-review with an optional effort level (e.g. /code-review high)
• Auto mode no longer suppresses AskUserQuestion when the user or a skill explicitly relies on it
• Fixed Windows PowerShell tool failing with "command line is invalid" when pwsh is installed via winget or the Microsoft Store (regression in v2.1.124)
• Fixed MCP resources/list, resources/templates/list, and prompts/list dropping items past page 1 on paginating servers
• Fixed full-screen strobing in attached background sessions on Windows Terminal while Claude is streaming
• Fixed the auto-updater status line not showing your current version when an update fails
• Fixed on Windows, removing a background-job worktree no longer follows NTFS junctions into the main repo
• Fixed /background refusing sessions whose only typed input was a skill or custom slash command
• Fixed backgrounded sessions re-prompting for tool permissions you already granted with "don't ask again"
• Fixed /theme color editor and "New custom theme" dialogs not responding to Esc
• Fixed an uncaught exception at the end of streaming sessions when running via the Agent SDK
• Fixed forceLoginOrgUUID and forceLoginMethod managed-settings policies not being enforced against third-party-provider and API-key sessions
• Fixed GNOME Terminal right-click and middle-click paste not inserting text
• Fixed CLAUDE_CODE_SUBAGENT_MODEL not being forwarded to child processes in multi-agent sessions
• Improved auto-updater reliability: native version checks and downloads now retry transient network failures instead of failing immediately
• Improved diff rendering performance for large file edits

astral-sh/ruff (aqua:astral-sh/ruff)

v0.15.14

Compare Source

Released on 2026-05-21.

Preview features

• [airflow] Implement airflow-task-implicit-multiple-outputs (AIR202) (#​25152)
• [flake8-use-pathlib] Mark PTH101 fix as unsafe when first argument is a class attribute annotated as int (#​25086)
• [pylint] Implement too-many-try-statements (W0717) (#​23970)
• [ruff] Add incorrect-decorator-order (RUF074) (#​23461)
• [ruff] Add fallible-context-manager (RUF075) (#​22844)

Bug fixes

• Fix lambda formatting in interpolated string expressions (#​25144)
• Treat generic frozenset annotations as immutable (#​25251)
• [flake8-type-checking] Avoid strict behavior when future-annotations are enabled (TC001, TC002, TC003) (#​25035)
• [pylint] Avoid false positives in else clause (PLR1733) (#​25177)

Rule changes

• [flake8-comprehensions] Skip C417 for lambdas with positional-only parameters (#​25272)
• [flake8-simplify] Preserve f-string source verbatim in SIM101 fix (#​25061)

Performance

• Avoid unnecessary parser lookahead for operators (#​25290)

Documentation

• Update code example setting Neovim LSP log level (#​25284)

Other changes

• Add full PEP 798 support (#​25104)
• Add a parser recursion limit (#​24810)
• Update various ruff_python_stdlib APIs (#​25273)

Contributors

• @​ocaballeror
• @​lerebear
• @​samuelcolvin
• @​baltasarblanco
• @​aconal-com
• @​anishgirianish
• @​JelleZijlstra
• @​AlexWaygood
• @​ntBre
• @​adityasingh2400
• @​charliermarsh
• @​Dev-iL
• @​neutrinoceros
• @​shivamtiwari3
• @​Dev-X25874

astral-sh/uv (aqua:astral-sh/uv)

v0.11.16

Compare Source

Released on 2026-05-21.

Enhancements

• Add support for direct archive dependencies in Git (#​10072)
• Adjust hint rendering (#​18090)

Preview features

• uv audit: specialize malformed OSV error (#​19515)
• Reject locked malware installations (#​18936)

Configuration

• Allow disabling reading the system config with UV_NO_SYSTEM_CONFIG (#​19476)

Bug fixes

• Allow environment variables that take a list to be empty (#​19503)
• Ensure that incompatible wheel hints do not leak secrets (#​19504)
• Reject unsafe entry points in uv-build (#​19495)
• Restrict delimiters in entry point parsing (#​19471)
• uv-netrc: fix multi-word no-space comment lines causing parse errors (#​19494)

Documentation

• Document and test relative exclude-newer support for uv pip (#​19475)

snyk/cli (aqua:snyk/cli)

v1.1305.0

Compare Source

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Features

• sbom: Introduces the --allow-incomplete-sbom flag for snyk sbom, allowing the SBOM to be generated even when individual projects fail to resolve. Failed projects are surfaced as per-project errors alongside the successful results. (29ba128)
• container: Speed up snyk container monitor by sending dependency requests in parallel, configurable via the SNYK_REQUEST_CONCURRENCY environment variable. (186c5fb, 6764f65)
• general: Linux ARM64 and AMD64 binaries are now statically linked by default. (f02b850)
• mcp: Adds an experimental breakability evaluation tool to the Snyk MCP Server. (69806f5)

Bug Fixes

• test: Fixes resolution of aliased npm packages so the alias from the lockfile is used instead of the target package name. (9b0e4d9)
• test: Fixes parsing of Python .whl files when scanning projects with --all-projects. (12ac0db)
• deps: Updates dependencies to fix vulnerabilities:
  • CVE-2026-34165 (1eec8f8)
  • CVE-2026-33762 (1eec8f8)
  • CVE-2025-62718 (0c4bdcc)
  • CVE-2026-6321 (2670813)
  • CVE-2026-6322 (2670813)

sst/opencode (aqua:sst/opencode)

v1.15.7

Compare Source

Core

Improvements

• Added Grok OAuth sign-in, including device-code login. (@​Jaaneek)

Bugfixes

• V2 session APIs now return safe UnknownError responses with log reference IDs when stored messages are corrupt.
• Generic API 500s no longer expose config details from server errors.
• Unknown API errors now include reference IDs so you can match responses to server logs.
• V2 session APIs now return 503 ServiceUnavailableError for mutations that are not available yet.
• V2 session APIs now return SessionNotFoundError for missing sessions.
• Deduped concurrent Codex OAuth refreshes to avoid repeated refresh failures. (@​cooper-oai)
• Restored native OpenAI OAuth requests.
• Tool schema failures now surface as friendly tool errors.
• Added PDF attachment support for Grok.
• Restored OpenAI reasoning streams.

TUI

Bugfixes

• Collapsed thinking labels now use clearer punctuation.
• New sessions now default to the local project.
• Single-select question checkmarks no longer run into option labels.

Desktop

Improvements

• Added a pinch zoom setting for the desktop app.
• Added a new desktop home view, session entry flow, and titlebar.
• Refined the new desktop UI and moved app update actions into the titlebar.
• Added desktop log export.

SDK

Bugfixes

• V2 global event streams now include account add, remove, and switch events.

Thank you to 3 community contributors:

• @​cooper-oai:
  • fix(opencode): dedupe concurrent Codex OAuth refreshes (#​28236)
• @​Jaaneek:
  • feat(opencode): add xAI Grok OAuth (SuperGrok) + device-code login (#​28557)
• @​kagura-agent:
  • fix(ui): preserve target attribute in DOMPurify config for markdown links (#​28598)

v1.15.6

Compare Source

Core

Improvements

• Added a diff viewer in the TUI for reviewing changes.
• Collapsed single-child directories in the diff viewer file tree.
• Added shell mode to the run prompt.
• Replaced subagent tabs with an on-demand picker in run.
• Plugin file load errors no longer break the rest of plugin loading.
• Anthropic API-key models now use the native runtime.
• The v2 HTTP API now exposes structured public error schemas.

Bugfixes

• Zed editor context now only activates inside Zed terminals.
• The v2 HTTP API now exposes catalog errors.
• The v2 HTTP API now exposes request errors.
• The v2 OpenAPI spec now preserves endpoint error responses.
• opencode login now defaults to https://console.opencode.ai.
• Agent and command names now resolve correctly from relative config paths.
• Invalid OPENCODE_PERMISSION JSON no longer crashes startup.
• Plugin tools with missing args no longer break tool loading.
• Restored legacy PgUp and PgDn TUI keybind aliases.
• Native runtime now prefers the console provider token for OpenCode models.

TUI

Improvements

• The diff viewer now focuses the first file automatically.

Bugfixes

• Imported sessions now refresh their directory and relative path fields correctly. (@​OpeOginni)

Desktop

Improvements

• Added initial desktop tabs support.
• Added a native app menu on Windows.
• Added Ukrainian locale support. (@​MYMDO)

Bugfixes

• Custom providers now appear immediately after config updates. (@​tianxiaoliang)

SDK

• Updated opentui dependencies to 0.2.15.

Thank you to 4 community contributors:

• @​MYMDO:
  • feat(i18n): add Ukrainian (uk) locale support (#​28061)
• @​StarpTech:
  • chore(team): add starptech to the team members list (#​28320)
  • chore(docs): remove beta zen go (#​28317)
  • chore(triage): add 'starptech' to core and inference teams (#​28376)
• @​tianxiaoliang:
  • fix(app): invalidate provider queries after config update to show custom providers immediately (#​28313)
• @​OpeOginni:
  • fix(opencode): Update directory and path fields of imported session (#​27516)
  • fix(enterprise): message nav hovercard and active state (#​23964)

agavra/tuicr (github:agavra/tuicr)

v0.16.0

Compare Source

What's Changed

• fix(forge): clear submitted comments from local session on success by @​agavra in #​332
• fix split diff gutter sizing in 10k+ line files by @​natebrennand in #​335
• feat(forge): remove the "Reviewed with tuicr" review-body footer by @​agavra in #​334
• fix(forge): count remote-thread rows in file_render_height by @​agavra in #​336
• feat(theme): add tokyo-night-day light theme by @​apurvam in #​340
• feat: add single-file view with file-walking navigation by @​N4M3Z in #​342
• release: v0.16.0 by @​github-actions[bot] in #​343

Full Changelog: agavra/tuicr@v0.15.0...v0.16.0

always-further/nono (github:always-further/nono)

v0.57.0

Compare Source

What's Changed

• feat(profiles): expand shadowing checks to include pack profiles by @​lukehinds in #​961
• chore(deps): bump aws-lc-rs from 1.16.3 to 1.17.0 by @​dependabot[bot] in #​962

Full Changelog: always-further/nono@v0.56.0...v0.57.0

janosmiko/lfk (github:janosmiko/lfk)

v0.12.2

Compare Source

Bug Fixes

• bulk: clear stale bulk-action snapshot on dispatch and cancel (#​257) (16a4c60)
• stop node metrics column-order flicker (and prevent the whole class) (#​259) (7f5c695)

modem-dev/hunk (github:modem-dev/hunk)

v0.13.2

Compare Source

What's Changed

• Fixed VCS auto-detection so a Git repository nested under a parent Jujutsu workspace uses the nearest Git checkout by default. This keeps hunk diff/hunk show in Git mode for nested Git repos instead of incorrectly inheriting the parent JJ workspace. by @​benvinegar in #​342

Full Changelog: modem-dev/hunk@v0.13.1...v0.13.2

nodejs/node (node)

v24.16.0: 2026-05-21, Version 24.16.0 'Krypton' (LTS), @​aduh95

Compare Source

Notable Changes

• [b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #​62553
• [ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #​62713
• [9705f628d9] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #​57775
• [40ccfdecf9] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #​62277
• [d7188af5c9] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #​63082
• [aa1d8a9afc] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #​62541
• [6f37f7e240] - (SEMVER-MINOR) stream: propagate destruction in duplexPair (Ahmed Elhor) #​61098
• [d14029be7f] - (SEMVER-MINOR) test_runner: support test order randomization (Pietro Marchini) #​61747
• [d142c584cd] - (SEMVER-MINOR) test_runner: align mock timeout api (sangwook) #​62820
• [01a9552585] - (SEMVER-MINOR) test_runner: add mock-timers support for AbortSignal.timeout (DeveloperViraj) #​60751
• [00705a459a] - (SEMVER-MINOR) util: colorize text with hex colors (Guilherme Araújo) #​61556

Commits

• [dd72df060d] - assert,util: fix stale nested cycle memo entries (Ruben Bridgewater) #​62509
• [add94f4bc3] - build: track PDL files as inputs in inspector GN build (Robo) #​62888
• [1b1eb9e334] - build: remove redundant -fuse-linker-plugin from GCC LTO flags (Daniel Lando) #​62667
• [8752b604ec] - crypto: deduplicate and canonicalize CryptoKey usages (Filip Skokan) #​62902
• [341947e7fd] - crypto: reject unintended raw key format string input (Filip Skokan) #​62974
• [28a78747fc] - crypto: remove Argon2 KDF derivation from its job setup (Filip Skokan) #​62863
• [16e8c2b54d] - crypto: fix unsigned conversion of 4-byte RSA publicExponent (DeepView Autofix) #​62839
• [eeae754a87] - crypto: reject inherited key type names (Jonathan Lopes) #​62875
• [9dd5540325] - crypto: add memory tracking for secureContext openssl objects (Mert Can Altin) #​59051
• [b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #​62553
• [7597d204c1] - crypto: add support for Ed25519 context parameter (Filip Skokan) #​62474
• [4bf85845da] - debugger: move ProbeInspectorSession and helpers to separate files (Joyee Cheung) #​63013
• [ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #​62713
• [83e98f77b7] - deps: update corepack to 0.35.0 (Node.js GitHub Bot) #​63375
• [ec8c6b939a] - deps: V8: cherry-pick 657d8de (Guy Bedford) #​62784
• [722c0c3274] - deps: update nghttp3 to 1.14.0 (Node.js GitHub Bot) #​61187
• [5304db93d3] - deps: update nghttp3 to 1.13.1 (Node.js GitHub Bot) #​60046
• [e073b3811d] - deps: update nghttp3 to 1.11.0 (James M Snell) #​59249
• [1d00313fb2] - deps: update ngtcp2 to 1.14.0 (James M Snell) #​59249
• [8b3a4fc18f] - deps: update amaro to 1.1.9 (Node.js GitHub Bot) #​63090
• [62fe0cfcd1] - deps: update llhttp to 9.4.1 (Node.js GitHub Bot) #​63045
• [137e09c8e9] - deps: update corepack to 0.34.7 (Node.js GitHub Bot) #​62810
• [14a4cb8fbc] - deps: update timezone to 2026b (Node.js GitHub Bot) #​62962
• [3e1036583a] - deps: upgrade npm to 11.13.0 (npm team) #​62898
• [01dfe5961c] - deps: cherry-pick libuv/libuv@439a54b (skooch) #​62881
• [6cd368b10c] - deps: update sqlite to 3.53.0 (Node.js GitHub Bot) #​62699
• [f218a4f553] - deps: update nbytes to 0.1.4 (Node.js GitHub Bot) #​62698
• [b47688524a] - deps: update archs files for openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [d202e2d343] - deps: upgrade openssl sources to openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [2faba66341] - deps: update minimatch to 10.2.5 (Node.js GitHub Bot) #​62594
• [fa46c90c5d] - deps: update googletest to d72f9c8 (Node.js GitHub Bot) #​62593
• [099ded5713] - deps: update simdjson to 4.6.1 (Node.js GitHub Bot) #​62592
• [7ce95afe96] - deps: libuv: cherry-pick aabb765 (Santiago Gimeno) #​62561
• [57ef845623] - deps: update icu to 78.3 (Node.js GitHub Bot) #​62324
• [493ac40e12] - deps: update libuv to 1.52.1 (Node.js GitHub Bot) #​61829
• [b39508b368] - deps: update undici to 7.25.0 (Node.js GitHub Bot) #​63011
• [cb67a925e9] - deps: use npm undici@​seven tag in update-undici.sh (Matteo Collina) #​62739
• [aa1e0bc28b] - doc: fix typos and inconsistencies in crypto.md and webcrypto.md (Filip Skokan) #​62828
• [f2a1735ed9] - doc: fix duplicate word "to to" in util.styleText (Daijiro Wachi) #​62917
• [b6378e215c] - doc: fix node-config-schema (Сковорода Никита Андреевич) #​61596
• [233894a9ce] - doc: fix the TypeScript Execute (tsx) project link (David Thornton) #​63093
• [5d97919f8f] - doc: correct diagnostics_channel built-in channel names (Bryan English) #​62995
• [2a9ccc927e] - doc: use mjs/cjs blocks for callbackify null reason example (Daijiro Wachi) #​62884
• [ef413b5358] - doc: fix typo in test.md (Rich Trott) #​62960
• [76f21c5070] - doc: correct typo in PR contribution instructions (Mike McCready) #​62738
• [ca02af1f7d] - doc: fix duplicate word "of of" in postMessageToThread (Daijiro Wachi) #​62917
• [46c99ed526] - doc: fix duplicate word "for for" in compile cache (Daijiro Wachi) #​62917
• [1a60851734] - doc: fix typo in dns.lookup options description (Daijiro Wachi) #​62882
• [169b5ea2ed] - doc: fix Argon2 parameter bounds (Tobias Nießen) #​62868
• [9a3a190f4e] - doc: clarify diffieHellman.generateKeys recomputes same key (Kit Dallege) #​62205
• [0fba9e87d6] - doc: remove Ayase-252 and meixg from triagger team (Antoine du Hamel) #​62841
• [9c700f3446] - doc: clarify dns.lookup() callback signature when all is true (eungi) #​62800
• [6b7280bc17] - doc: add experimental modules lifetime policy (Paolo Insogna) #​62753
• [ce47ea31c9] - doc: clarify process._debugProcess() in Permission Model (Fahad Khan) #​62537
• [ba01633757] - doc: fix typo in devcontainer guide (Rohan Santhosh Kumar) #​62687
• [70b4d5839b] - doc: clarify Backport-PR-URL metadata added automatically (Mike McCready) #​62668
• [8126d1c3eb] - doc: update WPT test runner README.md (Filip Skokan) #​62680
• [978afea4b5] - doc: fix spelling in release announcement guidance (Rohan Santhosh Kumar) #​62663
• [1684ab8ff8] - doc: note non-monotonic clock in crypto.randomUUIDv7 (nabeel378) #​62600
• [86d4f07930] - doc: update bug bounty program (Rafael Gonzaga) #​62590
• [736ed8a08f] - doc: document TransformStream transformer.cancel option (Tom Pereira) #​62566
• [938af9be01] - doc: mention test runner retry attemp is zero based (Moshe Atlow) #​62504
• [94433e450f] - doc,src,test: fix dead inspector help URL (semimikoh) #​62745
• [ddf1f01659] - esm: add ERR_REQUIRE_ESM_RACE_CONDITION (Antoine du Hamel) #​62462
• [4a506acd16] - fs: add followSymlinks option to glob (Matteo Collina) #​62695
• [f4ea495f9b] - fs: restore fs patchability in ESM loader (Joyee Cheung) #​62835
• [63c111cd60] - fs: validate position argument before length === 0 early return (Edy Silva) #​62674
• [9705f628d9] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #​57775
• [40ccfdecf9] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #​62277
• [717476a24e] - http: emit 'drain' on OutgoingMessage only after buffers drain (Robert Nagy) #​62936
• [d7188af5c9] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #​63082
• [64f15c274a] - http: fix leaked error listener on sync HTTP req create + destroy (Tim Perry) #​62872
• [5c4798d799] - http: fix no_proxy leading-dot suffix matching (Daijiro Wachi) #​62333
• [9f3bc70ae5] - http: cleanup pipeline queue (Robert Nagy) #​62534
• [aa1d8a9afc] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #​62541
• [900dc758ff] - http2: expose writable stream state on compat response (T) #​63003
• [b3bfe35912] - inspector: coerce key and value to string in webstorage events (Ali Hassan) #​62616
• [3dc3fb6ad8] - inspector: return errors when CDP protocol event emission fails (Ryuhei Shima) #​62162
• [4f3f21bd7c] - inspector: auto collect webstorage data (Ryuhei Shima) #​62145
• [36cc04189d] - inspector: initial support storage inspection (Ryuhei Shima) #​61139
• [1718bc3b9b] - inspector: fix absolute URLs in network http (bugyaluwang) #​62955
• [97e32c7a74] - lib: avoid quadratic shift() in startup snapshot callback (Daijiro Wachi) #​62914
• [25d2e999de] - lib: harden kKeyOps lookup with null prototype (Filip Skokan) #​62877
• [37d3913c8f] - lib: short-circuit WebIDL BufferSource SAB check (Filip Skokan) #​62833
• [430c69d25f] - lib: use js-only implementation of isDataView() (René) #​62780
• [3ba0add6a0] - lib: fix lint in internal/webstreams/util.js (Filip Skokan) #​62806
• [9b95c41398] - lib: fix sequence argument handling in Blob constructor (Ms2ger) #​62179
• [314dacdbee] - lib: improve Web Cryptography key validation ordering (Filip Skokan) #​62749
• [3d18162430] - lib: reject SharedArrayBuffer in web APIs per spec (Ali Hassan) #​62632
• [ada3ce879d] - lib: defer AbortSignal.any() following (sangwook) #​62367
• [b2981ec7eb] - meta: bump actions/download-artifact from 8.0.0 to 8.0.1 (dependabot[bot]) #​62549
• [7cd20667b5] - meta: bump github/codeql-action from 4.35.1 to 4.35.3 (dependabot[bot]) #​63074
• [91a07cfe9f] - meta: bump Mozilla-Actions/sccache-action from 0.0.9 to 0.0.10 (dependabot[bot]) #​63073
• [09e17fe47c] - meta: add automation policy (Chengzhong Wu) #​62871
• [59e7fb7986] - meta: move VoltrexKeyva to emeritus (Matteo Collina) #​62895
• [1e2915cfa6] - meta: bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (dependabot[bot]) #​62845
• [0253c6e2be] - meta: bump step-security/harden-runner from 2.16.1 to 2.19.0 (dependabot[bot]) #​62844
• [f503675b86] - meta: bump actions/setup-node from 6.3.0 to 6.4.0 (dependabot[bot]) #​62842
• [5e14e4d26e] - meta: broaden stale bot (Aviv Keller) #​62658
• [795db76f87] - meta: pass release version to release worker (flakey5) #​62777
• [ef384fe39f] - meta: add QUIC to CODEOWNERS (Tim Perry) #​62652
• [67e0ac568d] - meta: move Michael to emeritus (Michael Dawson) #​62536
• [5dad616393] - meta: populate apt list for slim runner in update-openssl workflow (René) #​62628
• [a869d25d8a] - meta: bump step-security/harden-runner from 2.15.0 to 2.16.1 (dependabot[bot]) #​62550
• [769efc0403] - meta: bump actions/setup-node from 6.2.0 to 6.3.0 (dependabot[bot]) #​62548
• [73fcc2b055] - meta: bump github/codeql-action from 4.32.4 to 4.35.1 (dependabot[bot]) #​62547
• [6c001246fe] - meta: bump codecov/codecov-action from 5.5.2 to 6.0.0 (dependabot[bot]) #​62545
• [5ee40d6a03] - meta: bump actions/cache from 5.0.3 to 5.0.4 (dependabot[bot])

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

• Branch creation
  • Between 03:00 AM and 05:59 AM (* 3-5 * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: mise/mise.lock

mise ERROR mise lock is disabled in --locked mode
hint: Remove --locked or unset MISE_LOCKED=1
mise ERROR Run with --verbose or MISE_VERBOSE=1 for more information

Command failed: mise lock aqua:anthropics/claude-code aqua:astral-sh/ruff aqua:astral-sh/uv aqua:snyk/cli aqua:sst/opencode github:agavra/tuicr github:always-further/nono github:janosmiko/lfk github:modem-dev/hunk node
mise ERROR mise lock is disabled in --locked mode
hint: Remove --locked or unset MISE_LOCKED=1
mise ERROR Run with --verbose or MISE_VERBOSE=1 for more information