chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@shikijs/transformers (source)	^4.0.2 → ^4.1.0
devalue	^5.8.0 → ^5.8.1
eslint (source)	^10.3.0 → ^10.4.1
oxc-parser (source)	^0.130.0 → ^0.133.0
pkg-pr-new (source)	0.0.72 → 0.0.75
pnpm (source)	10.33.4+sha512.1c67b3b359b2d408119ba1ed289f34b8fc3c6873412bec6fd264fbdc82489e510fcbecb9ce9d22dae7f3b76269d8441046014bdca53b9979cd7a561ad631b800 → 10.34.1
sass-embedded	^1.99.0 → ^1.100.0
shiki (source)	^4.0.2 → ^4.1.0
valibot (source)	^1.4.0 → ^1.4.1
vitest (source)	^4.1.6 → ^4.1.7
web-vitals	^5.2.0 → ^5.3.0

---

Release Notes

shikijs/shiki (@​shikijs/transformers)

v4.1.0

Compare Source

   🐞 Bug Fixes

• twoslash: Forward tsModule to createTwoslasher  -  by @​arthurfiorette in #​1271 (be89a)

    View changes on GitHub

eslint/eslint (eslint)

v10.4.1

Compare Source

v10.4.0

Compare Source

oxc-project/oxc (oxc-parser)

v0.132.0

v0.131.0

stackblitz-labs/pkg.pr.new (pkg-pr-new)

v0.0.75

Compare Source

v0.0.74

Compare Source

v0.0.73

Compare Source

pnpm/pnpm (pnpm)

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

• Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Gold Sponsors

v10.34.0

Compare Source

sass/embedded-host-node (sass-embedded)

v1.100.0

Compare Source

• Writing two compound selectors adjacent to one another without any whitespace
  between them, such as [class]a, is now deprecated. This was always an error
  in CSS and Sass only supported it by mistake.

  See the Sass website for
  details.

open-circle/valibot (valibot)

v1.4.1

Compare Source

• Fix intersect schema to infer correct input and output types for non-tuple array options instead of never (pull request #​1478)

vitest-dev/vitest (vitest)

v4.1.7

Compare Source

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in #​10384 (4f0f2)

    View changes on GitHub

GoogleChrome/web-vitals (web-vitals)

v5.3.0

Compare Source

• Remove getFirstHiddenTimePolyfill
  (#​729)
• Fixed issue where the same configuration object to multiple metric functions can result in errors
  (#​731)
• Add more robust interactionTarget setting for INP
  (#​744)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	pkg-pr-new@​0.0.75
	@​shikijs/​transformers@​4.1.0
	eslint@​10.4.1
	oxc-parser@​0.133.0

View full report

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@nuxt/hints@346

commit: d2076bf