chore(deps): update ⬆️ mise-packages

[renovate]

This PR contains the following updates:

Package	Update	Change	Pending	Age	Adoption	Passing	Confidence
aqua:ast-grep/ast-grep	minor	0.42.3 → 0.43.0
aqua:dagger/dagger	minor	0.20.8 → 0.21.0	0.21.3 (+2)
aqua:editorconfig-checker/editorconfig-checker	minor	3.6.1 → 3.7.0
aqua:junegunn/fzf	patch	0.73.0 → 0.73.1
aqua:siderolabs/talos	patch	1.13.2 → 1.13.3
github:agavra/tuicr	patch	v0.16.0 → v0.16.1
github:always-further/nono	minor	v0.57.0 → v0.58.0	v0.59.0
github:janosmiko/lfk	patch	v0.12.4 → v0.12.6	v0.13.0 (+3)
github:modem-dev/hunk	minor	v0.13.2 → v0.14.0
github:thiagokokada/gh-gfm-preview	patch	v1.2.0 → v1.2.1
npm:pyright (source)	patch	1.1.409 → 1.1.410
npm:socket	patch	1.1.102 → 1.1.105	1.1.112 (+5)

---

Release Notes

ast-grep/ast-grep (aqua:ast-grep/ast-grep)

v0.43.0

Compare Source

• chore(deps): update dependency @​types/node to v24.12.4 #2636
• chore(deps): update rust crate assert_cmd to v2.2.2 #2632
• chore(deps): update rust crate similar to v3.1.1 #2662
• fix(lsp): initialize tracing subscriber to surface tower-lsp errors #2639
• fix(deps): update rust-wasm-bindgen monorepo #2660
• chore(deps): update rust crate tree-sitter to v0.26.9 #2656
• chore(deps): update rust crate serde_json to v1.0.150 #2659
• chore(deps): update rust crate clap_complete to v4.6.5 #2634
• chore(deps): update dependency @​ast-grep/napi to v0.42.3 #2653
• chore(deps): update dependency oxlint to v1.66.0 #2651
• chore(deps): update dependency web-tree-sitter to v0.26.9 #2654
• fix: strip trailing comment artifact in comment suppression #2644
• feat: support ESQuery style selector in run command #2663
• feat: add --follow arg for sg test #2657
• test: add test for run --kind d0d0b30
• feat: add markdown support beacc9e
• fix: use Rule instead of pattern in run 2759fda

dagger/dagger (aqua:dagger/dagger)

v0.21.0

Compare Source

Added

• Automatically expose a check for each generate function by @​eunomie in #​12923
  Each generated check has the same name as its generate function, so dagger check can report whether generated files are out of date.
  Use dagger check --no-generate to list or run only functions explicitly marked as checks, without the generated ones.
  Toolchains can set ignoreChecks to skip creating checks for specific generate functions.
• Add workspace lockfiles for selected lookups such as container.from and Git refs by @​shykes + @​alexcb + @​grouville + @​tiborvass + @​eunomie in #​12046 #​13094
  Locking is opt-in with --lock live, --lock pinned, or --lock frozen: live mode resolves and records live values, pinned mode prefers recorded pins while resolving the rest live, and frozen mode only resolves from .dagger/lock.
  Use dagger lock update to refresh entries already recorded in .dagger/lock; it now creates the file when missing.
  This also fixes remote Git tree cache keys so cache reuse follows the actual checkout inputs.
• Add an interactive tests view to the TUI, plus compact test summaries for pretty, plain, logs, dots, and report progress modes by @​vito in #​13073
• Add experimental --x-release=<ref> and DAGGER_X_RELEASE=<ref> support for running a command against an unreleased Dagger build from a GitHub ref, fixing #​12996 by @​tiborvass in #​13156
• Add a configurable Kubernetes Service to the Helm chart by @​pierreyves-lebrun + @​grouville in #​11993
• Add EngineCacheEntry.dagqlCall and EngineCacheEntry.recordTypes so cache entries expose the producing DagQL call and all represented storage record types for inspection and GC filtering by @​sipsma in #​13207
• Show the Dagger Cloud trace URL when using the logs frontend by @​marcosnils in #​13105
• Dang SDK: add support for local types that shadow Dagger core types, early return, self-calls, order-independent declarations, and stricter nullability/type checking by @​vito in #​13184

Changed

• Migrate caching to DagQL and remove the BuildKit solver backend, making DagQL responsible for cache lookups, persistence, and pruning by @​sipsma in #​11856
• Improve engine performance and memory use by reducing bbolt/containerd metadata overhead, lazily creating containerd operation leases, reusing pooled CNI namespaces for default execs, and batching long withDirectory chains instead of materializing them quadratically by @​sipsma in #​13117 #​13123 #​13144 #​13124
• Deduplicate equivalent in-flight DagQL calls across clients in the same session and fall back to same-session secret/socket attachables when the original client binding is gone by @​sipsma in #​13118

Fixed

• Fix enum argument defaults so they appear correctly in schema output and CLI help by @​kpenfound in #​13068
• Fix module loading and type generation failures caused by stale handle-form module IDs and nested client session races, replacing session ... not found failures with the intended behavior or original error by @​sipsma in #​13108 #​13119
• Fix bound service failures so dependent execs and container-backed services see the service exit as the cause while interactive terminals stay open by @​vito in #​13099
• Fix remote Git checkout behavior so cached trees can be reused after cache pruning by @​sipsma in #​13141
• Fix Changeset merge cleanup flakiness by disabling Git auto-maintenance in Dagger's temporary merge repositories by @​sipsma in #​13121
• Fix WithSecretVariable so later calls override earlier values, fixing #​13147 by @​matipan in #​13159
• Fix user-default secret and env handling so empty plaintext secrets resolve correctly, .env values are not double-expanded through namespaces, and plaintext Secret defaults are scrubbed in console output; fixes #​12855 and closes #​12014 by @​sipsma + @​marcosnils + @​tiborvass in #​13163 #​13160 #​13177
• Fix telemetry and replay output so dagger check log telemetry is not dropped, Python module logs are not duplicated, and dagger trace honors frontend flags by @​vito + @​sipsma in #​13114 #​13153
• Fix dagger generate --scale-out returning unusable remote Changeset objects by always running generation locally; dagger check --scale-out remains supported by @​eunomie in #​13190
• Fix toolchain customizations so they propagate when toolchain functions are called through another module function by @​suprjinx in #​13176
• Dang SDK: fix panics, initialization-race typechecking failures, and ID argument handling by @​tiborvass + @​vito in #​13098 #​13103 #​13150
• Java SDK: fix version updates so mvn versions:set no longer performs unnecessary dependency/plugin resolution, preventing Maven Central 429 failures; fixes #​13174 by @​dagger-codex[bot] + @​tiborvass in #​13198
• Python SDK: fix static module analysis regressions from the AST analyzer cutover, including inherited functions, aliased decorators and fields, @staticmethod, type aliases, constants/defaults, Annotated, Optional, Union, and relative imports; fixes #​13097 and #​13089 by @​eunomie in #​13095
• Python SDK: fix more AST analyzer cases for TypeAlias inside X | None, quoted and aliased annotations, and absolute self-package imports by @​marcosnils + @​grouville + @​eunomie in #​13149 #​13162 #​13171
• Python SDK: exclude the broken yarl 1.24.1 release from the dependency range by @​tiborvass in #​13189
• Rust SDK: fix list-of-object fields so generated clients load each object by ID instead of returning an incorrect single wrapped selection by @​wingyplus in #​13000

What to do next?

• Read the documentation
• Join our Discord server
• Follow us on Twitter

editorconfig-checker/editorconfig-checker (aqua:editorconfig-checker/editorconfig-checker)

v3.7.0

Compare Source

Features

• files: expand glob patterns in passed-file args (#​190) (#​558) (4c0f326)

Bug Fixes

• cli: auto-enable no-color when output format is github-actions (#​557) (9f4014c)
• detect binary files before decoding to prevent false text (#​550) (f47b30c)

junegunn/fzf (aqua:junegunn/fzf)

v0.73.1

Compare Source

• Bug fixes
  • Skip $FZF_CURRENT_ITEM export when the item contains a NUL byte; exec(2) rejects the env, breaking preview and other child commands (#​4806)
  • Fixed O(n^2) HTTP body accumulation in --listen; a single ~390 KB request could block the single-threaded server for ~8 s (Michal Majchrowicz, Marcin Wyczechowski, AFINE Team)

siderolabs/talos (aqua:siderolabs/talos)

v1.13.3

Compare Source

Talos 1.13.3 (2026-05-26)

Welcome to the v1.13.3 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.33
Kubernetes: 1.36.1
containerd: 2.2.4

Talos is built with Go 1.26.3.

Contributors

• Andrey Smirnov
• Noel Georgi
• Lukasz Raczylo
• Maja Bojarska
• Mateusz Urbanek
• Utku Ozdemir

Changes

19 commits

• @​befeda7 release(v1.13.3): prepare release
• @​f4d4510 feat(ci): rotate credentials
• @​01b4348 fix: guard apply config API call
• @​a42c37f feat(machined): support instance tags on Akamai
• @​d62d54c fix: memorymodules resource reporting
• @​b673b4b fix: bump Go golang.org/x modules
• @​19755ad feat: add bnxt_re module to the rootfs
• @​532bc6b fix: relax hostname config validation
• @​3bbd3ed fix: bump Kubernetes to 1.36.1 in one more place
• @​472b9d9 feat: update default Kubernetes version to 1.36.1
• @​6d53ce0 chore(ci): fix cloud image upload job name
• @​5633c77 fix: rework how scheduler config is marshaled
• @​52f0560 fix: restore some shared (and some lower tier slave) mount propagation
• @​9de3c12 fix: image verification issue with registry.k8s.io
• @​7dc716d feat: redact more machine config secrets and audit redactors
• @​d5448c6 chore(ci): try fixing homebrew action
• @​ef9f0bf docs: drop controlplane endpoint examples
• @​7ee3e78 feat: update Linux to 6.18.33
• @​e99744b fix: update containerd to 2.2.4

Changes from siderolabs/go-smbios

1 commit

• siderolabs/go-smbios@063f5dc chore: rekres + new testdata

Changes from siderolabs/pkgs

12 commits

• siderolabs/pkgs@8c18616 feat: pre-generate drbd patches using spatch out of tree
• siderolabs/pkgs@82e70a0 feat: update Linux to 6.18.33
• siderolabs/pkgs@993d4a6 feat: enable PPP and INFINIBAND_BNXT_RE
• siderolabs/pkgs@12d5337 feat: enable more options for CRI-U checkpoint/restore
• siderolabs/pkgs@c2e43aa feat: preserve System.map on kernel builds
• siderolabs/pkgs@230b4bc chore: update deps
• siderolabs/pkgs@847a37e feat: bump kernel 6.18.32
• siderolabs/pkgs@d7ae843 feat: update Linux to 6.18.31
• siderolabs/pkgs@a26d3c0 feat: update ZFS & NVIDIA LTS
• siderolabs/pkgs@94d28c5 feat: update Linux to 6.18.30
• siderolabs/pkgs@b3dd525 fix: macb silent TX stall on BCM2712/RP1 (v2 patches from netdev)
• siderolabs/pkgs@8bdd5e0 feat: update containerd to 2.2.4

Dependency Changes

• github.com/containerd/containerd/v2 v2.2.2 -> v2.2.4
• github.com/siderolabs/go-smbios v0.3.3 -> v0.3.4
• github.com/siderolabs/pkgs v1.13.0-11-g969f61c -> v1.13.0-23-g8c18616
• github.com/siderolabs/talos/pkg/machinery v1.13.2 -> v1.13.3
• golang.org/x/net v0.53.0 -> v0.55.0
• golang.org/x/sys v0.43.0 -> v0.45.0
• golang.org/x/term v0.42.0 -> v0.43.0
• golang.org/x/text v0.36.0 -> v0.37.0
• google.golang.org/grpc v1.79.3 -> v1.81.0
• k8s.io/api v0.36.0 -> v0.36.1
• k8s.io/apiextensions-apiserver v0.36.0 -> v0.36.1
• k8s.io/apimachinery v0.36.0 -> v0.36.1
• k8s.io/apiserver v0.36.0 -> v0.36.1
• k8s.io/client-go v0.36.0 -> v0.36.1
• k8s.io/component-base v0.36.0 -> v0.36.1
• k8s.io/kube-scheduler v0.36.0 -> v0.36.1
• k8s.io/kubectl v0.36.0 -> v0.36.1
• k8s.io/kubelet v0.36.0 -> v0.36.1
• k8s.io/pod-security-admission v0.36.0 -> v0.36.1

Previous release can be found at v1.13.2

Images

ghcr.io/siderolabs/flannel:v0.28.4
registry.k8s.io/coredns/coredns:v1.14.2
registry.k8s.io/etcd:v3.6.11
registry.k8s.io/pause:3.10.1
registry.k8s.io/kube-apiserver:v1.36.1
registry.k8s.io/kube-controller-manager:v1.36.1
registry.k8s.io/kube-scheduler:v1.36.1
registry.k8s.io/kube-proxy:v1.36.1
ghcr.io/siderolabs/kubelet:v1.36.1
registry.k8s.io/networking/kube-network-policies:v1.0.0
ghcr.io/siderolabs/installer:v1.13.3
ghcr.io/siderolabs/installer-base:v1.13.3
ghcr.io/siderolabs/imager:v1.13.3
ghcr.io/siderolabs/talos:v1.13.3
ghcr.io/siderolabs/talosctl-all:v1.13.3
ghcr.io/siderolabs/overlays:v1.13.3
ghcr.io/siderolabs/extensions:v1.13.3

agavra/tuicr (github:agavra/tuicr)

v0.16.1

Compare Source

What's Changed

• feat: deterministic slug-addressed sessions for agent discovery by @​agavra in #​339
• [forge] document forge-specific config settings by @​natebrennand in #​345
• perf(startup): verify change status via cheap path probe by @​agavra in #​346
• feat(forge): resolve canonical (fork-parent) repo for PR ops by @​agavra in #​347
• refactor(cli): migrate argument parsing to clap by @​agavra in #​349
• Add support for local TOML themes and custom .tmTheme syntax themes by @​jackokerman in #​341
• Expose review session library API by @​agavra in #​351
• Add review CLI subcommand by @​agavra in #​352
• Improve collaborative review sessions by @​agavra in #​354
• Add comment navigator pane by @​agavra in #​355
• add zellij support to existing claude skill #​344 by @​nguyenquannnn in #​357
• Attribute comment authorship and surface it in the UI by @​agavra in #​356
• Surface PR review bodies + fix navigator author for remote threads by @​agavra in #​360
• fix(vcs): detect reftable repos and fall back to CLI backend by @​saleemdjima in #​366
• perf(ui): skip span allocation for off-screen diff lines by @​r-vdp in #​365
• fix: use macos-15-intel runner for x86_64-apple-darwin builds by @​Johngeorgesample in #​362
• Update tuicr skill for review CLI workflow by @​agavra in #​369
• feat: mouse horizontal scrolling in the file diff view by @​N4M3Z in #​367
• feat: clicking anywhere on a panel sets focus by @​N4M3Z in #​371
• fix: clipboard copy silently drops content on Linux by @​ryandielhenn in #​372
• fix: replace deprecated flake output attributes by @​broady in #​374
• fix: include HEAD SHA in live diff source slugs by @​agavra in #​380
• release: v0.16.1 by @​github-actions[bot] in #​381

New Contributors

• @​jackokerman made their first contribution in #​341
• @​nguyenquannnn made their first contribution in #​357
• @​Johngeorgesample made their first contribution in #​362
• @​ryandielhenn made their first contribution in #​372
• @​broady made their first contribution in #​374

Full Changelog: agavra/tuicr@v0.16.0...v0.16.1

always-further/nono (github:always-further/nono)

v0.58.0

Compare Source

What's Changed

• feat(profile): add JSONC support for profile files by @​SequeI in #​974
• fix(macos): emit platform rules after user write allows by @​kipz in #​971
• docs(readme): refine project description and quick start by @​lukehinds in #​988
• feat(profile): allow profiles to specify a target binary by @​SequeI in #​975
• ci(pr-summary): add pull request summary workflow by @​lukehinds in #​980
• chore(deps): update sigstore crates to 0.8.0 by @​lukehinds in #​992
• feat: add Bitwarden credential source (bw:// URI scheme) by @​caiocdcs in #​990
• ci(release): enable github attesations workflow for releases (current and future) by @​lukehinds in #​1006
• chore(deps): bump similar from 3.1.0 to 3.1.1 by @​dependabot[bot] in #​1013
• chore(deps): bump docker/build-push-action from 7.1.0 to 7.2.0 by @​dependabot[bot] in #​1009
• chore(deps): bump actions/attest-build-provenance from 96b4a1e to e8998f9 by @​dependabot[bot] in #​1010
• chore(deps): bump docker/login-action from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​1011
• chore(deps): bump docker/setup-buildx-action from 4.0.0 to 4.1.0 by @​dependabot[bot] in #​1012
• chore(deps): bump serde_json from 1.0.149 to 1.0.150 by @​dependabot[bot] in #​1015
• chore(deps): bump landlock from 0.4.4 to 0.4.5 by @​dependabot[bot] in #​1014
• feat(policy): add java_runtime group and java-dev profile by @​panga in #​995
• chore(deps): bump rcgen from 0.13.2 to 0.14.8 by @​dependabot[bot] in #​900
• feat: session lifecycle hooks (#​954) by @​caiocdcs in #​976
• refactor(pack-hints): refresh in detached process to avoid threads by @​lukehinds in #​1005
• fix(sandbox): preserve symlink path when adding CWD capability on macOS by @​advaithsujith in #​680
• fix(proxy): return 502 with audit entry on upstream connect failure by @​attila in #​1000
• fix: replace fd-based IPC with named socket for URL open helpers by @​panga in #​1007

New Contributors

• @​attila made their first contribution in #​1000

Full Changelog: always-further/nono@v0.57.0...v0.58.0

janosmiko/lfk (github:janosmiko/lfk)

v0.12.6

Compare Source

Bug Fixes

• views: apply GVR-keyed view columns and hide unlisted builtins (#​277) (a2df863), closes #​262

v0.12.5

Compare Source

Features

• columns + views: REV, kubectl-parity audit, k9s-style views config (#​271) (837961c)

modem-dev/hunk (github:modem-dev/hunk)

v0.14.0

Compare Source

What's Changed

Features

• Added inline expansion for collapsed unchanged context, so you can reveal surrounding source without leaving the review. Expand rows by clicking ▾ N unchanged lines or pressing z on the selected hunk. Includes source-load limits and coverage for edge cases. (#​303, #​367, #​372)
• Added mouse-drag text selection in diff views with clipboard copy via OSC 52, plus safer copied text handling. (#​306, #​371)
• Added custom theme support, letting users define their own Hunk palette in config. (#​226)
• Added Catppuccin Latte and Catppuccin Mocha as built-in themes, and made them work correctly as custom theme base themes and in static pager output. (#​305, #​352, #​354, #​365)
• Surfaced agent author names in inline notes and matching popovers, making multi-agent reviews easier to follow. (#​293)

Fixes

• Fixed split diff alignment for wide CJK and emoji characters, and stabilized wrapped-row hover backgrounds so add-note affordances do not shift layout. (#​353, #​376)
• Fixed inline note shortcuts: Ctrl-S works in tmux CSI-u input, and copy chords such as Ctrl-C / Ctrl-Shift-C no longer trigger note actions. (#​350, #​375)
• Fixed editor launch behavior when Hunk is started from a repository subdirectory. (#​347, #​360)
• Fixed VCS auto-detection so Git repositories nested under parent Jujutsu workspaces still use Git by default. (#​342)
• Hardened pager execution and fallback behavior: pager commands no longer evaluate shell metacharacters, and captured/dumb-terminal non-diff pager content passes through instead of spawning less. (#​358, #​362)
• Restricted session reloads so daemon commands cannot read files outside the initial Hunk session root. (#​349)
• Hardened terminal rendering against control-sequence injection from diffs, file paths, notes, expanded context, copied selections, and pager fallback output. (#​371)

Tests and maintenance

• Added broader PTY coverage for add-note keyboard actions, stack/deletion/context rows, note focus, multiple drafts, editor launch paths, and flaky terminal interactions. (#​336, #​348, #​351, #​356, #​357, #​360, #​361)
• Centralized diff section row planning to keep rendering, navigation, scrolling, and note placement aligned. (#​359)
• Added issue templates and skipped expensive CI jobs for docs-only changes. (#​368, #​369)
• Added coverage for actionable security gaps around non-script terminal content. (#​372)

New contributors

Thanks to first-time contributors in this release:

• @​raulk (#​306)
• @​TaltonFiggins (#​344)
• @​adit-chandra (#​303)
• @​sgruendel (#​226)
• @​mfkd (#​305)
• @​sdougbrown (#​293)

Full Changelog: modem-dev/hunk@v0.13.1...v0.14.0

thiagokokada/gh-gfm-preview (github:thiagokokada/gh-gfm-preview)

v1.2.1

Compare Source

What's Changed

• Bump dependencies by @​thiagokokada in #​104
• Add .github/dependabot.yml by @​thiagokokada in #​105
• Fix .github/dependabot.yml by @​thiagokokada in #​106
• Be complaint with NO_COLOR spec by @​thiagokokada in #​107
• Auto-detect TTY to enable colors by @​thiagokokada in #​108

Full Changelog: thiagokokada/gh-gfm-preview@v1.2.0...v1.2.1

Microsoft/pyright (npm:pyright)

v1.1.410: Published 1.1.410

Compare Source

Changes:

• 2dfeabc Published 1.1.410
• 79cc195 Update NODE_VERSION to '22.x' in workflow files for consistency with vscode (#​11460)
• 505a9bc Update typeshed to 483fd73 (#​11416)
• f06cf49 Fix hang in constraint solver for cyclic TypeVar lower bounds (#​11413) (#​11415)
• 3619ecd Faster tokenizer (#​11392)
• 34c556b Push pylance changes to pyright (#​11396)

This list of changes was auto generated.

SocketDev/socket-cli (npm:socket)

v1.1.105

Compare Source

v1.1.104

Compare Source

v1.1.103

Compare Source

---

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

• Branch creation
  • Between 03:00 AM and 05:59 AM (* 3-5 * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: mise/mise.lock

mise ERROR error parsing config file: /tmp/renovate/repos/github/scottames/dots/mise/config.toml
mise ERROR Config files in /tmp/renovate/repos/github/scottames/dots/mise/config.toml are not trusted.
Trust them with `mise trust`. See https://mise.en.dev/cli/trust.html for more information.
mise ERROR Version: 2026.5.16 linux-x64 (2026-05-28)
mise ERROR Run with --verbose or MISE_VERBOSE=1 for more information

Command failed: mise lock aqua:ast-grep/ast-grep aqua:dagger/dagger aqua:editorconfig-checker/editorconfig-checker aqua:junegunn/fzf aqua:siderolabs/talos github:agavra/tuicr github:always-further/nono github:janosmiko/lfk github:modem-dev/hunk github:thiagokokada/gh-gfm-preview npm:pyright
mise ERROR error parsing config file: /tmp/renovate/repos/github/scottames/dots/mise/config.toml
mise ERROR Config files in /tmp/renovate/repos/github/scottames/dots/mise/config.toml are not trusted.
Trust them with `mise trust`. See https://mise.en.dev/cli/trust.html for more information.
mise ERROR Version: 2026.5.16 linux-x64 (2026-05-28)
mise ERROR Run with --verbose or MISE_VERBOSE=1 for more information