Update all dependencies by renovate[bot] · Pull Request #124 · vadimpiven/node_reqwest

renovate · 2026-03-21T01:57:25Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	Pending
aqua:cli/cli		minor	`2.88.1` → `2.90.0`	`2.91.0`
mitmproxy/mitmproxy		digest	`743b6cd` → `f4f0f41`
pnpm (source)	packageManager	minor	`10.28.2+sha512.41872f037ad22f7348e3b1debbaf7e867cfd448f2726d9cf74c08f19507c31d2c8e7a11525b983febc2df640b5438dee6023ebb1f84ed43cc2d654d2bc326264` → `10.33.0`	`10.33.2` (+1)
python		patch	`3.14.2` → `3.14.3`	`3.14.4`
quay.io/pypa/manylinux_2_28	final	digest	`55cfe5b` → `f78a9d7`
semgrep (changelog)	dependency-groups	minor	`==1.151.0` → `==1.159.0`	`1.161.0` (+1)

Release Notes

cli/cli (aqua:cli/cli)

`v2.90.0`: GitHub CLI 2.90.0

Compare Source

Manage agent skills with `gh skill` (Public Preview)

Agent skills are portable sets of instructions, scripts, and resources that teach AI coding agents how to perform specific tasks. The new gh skill command makes it easy to discover, install, manage, and publish agent skills from GitHub repositories - right from the CLI.


# Discover skills
gh skill search copilot

# Preview a skill without installing
gh skill preview github/awesome-copilot documentation-writer

# Install a skill
gh skill install github/awesome-copilot documentation-writer

# Pin to a specific version
gh skill install github/awesome-copilot documentation-writer --pin v1.2.0

# Check installed skills for updates
gh skill update --all

# Validate and publish your own skills
gh skill publish --dry-run

Skills are automatically installed to the correct directory for your agent host. gh skill supports GitHub Copilot, Claude Code, Cursor, Codex, Gemini CLI, and Antigravity. Target a specific agent and scope with --agent and --scope flags.

gh skill publish validates skills against the Agent Skills specification and checks remote settings like tag protection and immutable releases to improve supply chain security.

Read the full announcement on the GitHub Blog.

gh skill is launching in public preview and is subject to change without notice.

Official extension suggestions

When you run a command that matches a known official extension that isn't installed (e.g. gh stack), the CLI now offers to install it instead of showing a generic "unknown command" error.

This feature is available for github/gh-aw and github/gh-stack.

When possible, you'll be prompted to install immediately. When prompting isn't possible, the CLI prints the gh extension install command to run.

`gh extension install` no longer requires authentication

gh extension install previously required a valid auth token even though it only needs to download a public release asset. The auth check has been removed, so you can install extensions without being logged in.

What's Changed

✨ Features

Add gh skill command group: install, preview, search, update, publish by @SamMorrowDrums in #13165
Suggest and install official extensions for unknown commands by @BagToad in #13175
gh skill publish: auto-push unpushed commits before publish by @SamMorrowDrums in #13171
Disable auth check for gh extension install by @BagToad in #13176

🐛 Fixes

Fix infinite loop in gh release list --limit 0 by @Bahtya in #13097
Ensure api and auth commands record agentic invocations by @williammartin in #13046
Disable auth check for local-only skill flags by @SamMorrowDrums in #13173
URL-encode parentPath in skills discovery API call by @SamMorrowDrums in #13172
Fix: use target directory remotes in skills publish by @SamMorrowDrums in #13169
Fix: preserve namespace in skills search deduplication by @SamMorrowDrums in #13170

📚 Docs & Chores

docs: include PGP key fingerprints by @babakks in #13112
docs: add sha/md5 checksums of keyring files by @babakks in #13150
docs: fix SHA512 checksum for GPG key by @timsu92 in #13157
docs(skill): polish skill commandset docs by @babakks in #13183
Document dependency CVE policy in SECURITY.md by @BagToad in #13119
Replace github.com/golang/snappy with klauspost/compress/snappy by @thaJeztah in #13048
chore: bump to go1.26.2 by @babakks in #13116
chore: delete experimental script/debian-devel by @babakks in #13127
Suggest first party extensions by @williammartin in #13182
Add cli/skill-reviewers as CODEOWNERS for skills packages by @BagToad in #13189
Add @cli/code-reviewers to all CODEOWNERS rules by @BagToad in #13190
Address post-merge review feedback for skills commands by @SamMorrowDrums in #13185
Fix skills-publish-dry-run acceptance test error message mismatch by @SamMorrowDrums in #13187
Skills: replace real git in publish tests with CommandStubber by @SamMorrowDrums in #13188
Remove redundant nil-client fallback in skills publish by @SamMorrowDrums in #13168
Publish: use shared discovery logic instead of requiring skills/ directory by @SamMorrowDrums in #13167

Dependencies

chore(deps): bump github.com/klauspost/compress from 1.18.4 to 1.18.5 by @dependabot[bot] in #13071
chore(deps): bump github.com/yuin/goldmark from 1.7.16 to 1.8.2 by @dependabot[bot] in #13045
chore(deps): bump charm.land/bubbles/v2 from 2.0.0 to 2.1.0 by @dependabot[bot] in #13051
chore(deps): bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6 by @dependabot[bot] in #13152
chore(deps): bump github.com/google/go-containerregistry from 0.21.3 to 0.21.4 by @dependabot[bot] in #13129
chore(deps): bump github.com/sigstore/protobuf-specs from 0.5.0 to 0.5.1 by @dependabot[bot] in #13128
chore(deps): bump github.com/in-toto/attestation from 1.1.2 to 1.2.0 by @dependabot[bot] in #13044
chore(deps): bump advanced-security/filter-sarif from 1.0.1 to 1.1 by @dependabot[bot] in #12918
chore(deps): bump google.golang.org/grpc from 1.79.3 to 1.80.0 by @dependabot[bot] in #13076
chore(deps): bump github.com/hashicorp/go-version from 1.8.0 to 1.9.0 by @dependabot[bot] in #13065

New Contributors

@thaJeztah made their first contribution in #13048
@Bahtya made their first contribution in #13097
@timsu92 made their first contribution in #13157
@SamMorrowDrums made their first contribution in #13173

Full Changelog: cli/cli@v2.89.0...v2.90.0

`v2.89.0`: GitHub CLI 2.89.0

Compare Source

`gh agent-task` now works on ghe.com tenancies

gh agent-task commands previously failed with 401 Unauthorized for users on ghe.com tenancy hosts because the Copilot API URL was hardcoded. The URL is now resolved dynamically per host, so gh agent-task works correctly regardless of your GitHub hosting environment.

Experimental new prompter

A new TUI-based prompter powered by charmbracelet/huh is available behind the GH_EXPERIMENTAL_PROMPTER environment variable. This is an early preview — try it out and share feedback!

export GH_EXPERIMENTAL_PROMPTER=1

`gh issue create` and `gh issue transfer` no longer require extra token scopes

gh issue create and gh issue transfer previously fetched repository fields they didn't need, which could require additional token scopes. These commands now fetch only the minimal fields necessary for issue operations.

What's Changed

✨ Features

gh pr create, gh issue create, gh issue edit: search-based assignee selection and login-based mutation on github.com by @BagToad in #13009
Add experimental huh-only prompter gated by GH_EXPERIMENTAL_PROMPTER by @BagToad in #12859

🐛 Fixes

fix(agent-task): resolve Copilot API URL dynamically for ghe.com tenancies by @BagToad in #12956
fix(issue): avoid fetching unnecessary fields in issue create and issue transfer by @babakks in #12884
fix: resolve data race in codespaces port forwarder by @Lslightly in #13033

📚 Docs & Chores

Record agentic invocations in User-Agent header by @williammartin in #13023
docs: clarify that gh pr edit --add-reviewer can re-request reviews by @joshjohanning in #13021
Add AGENTS.md by @williammartin in #13024
Fix typo: remove extra space in README.md link by @realMelTuc in #12725
Align triage.md with current triage process by @tidy-dev in #13030
Remove auto-labels from issue templates by @tidy-dev in #12972
Consolidate actor-mode signals into ApiActorsSupported by @BagToad in #13025
Fix acceptance test failures: git identity, headRepository JSON, obsolete traversal test by @BagToad in #13037

Dependencies

chore(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3 by @dependabot[bot] in #12963
chore(deps): bump github.com/google/go-containerregistry from 0.20.7 to 0.21.3 by @dependabot[bot] in #12962
chore(deps): bump github.com/zalando/go-keyring from 0.2.6 to 0.2.8 by @dependabot[bot] in #13031
chore(deps): bump microsoft/setup-msbuild from 2.0.0 to 3.0.0 by @dependabot[bot] in #13005
chore(deps): bump mislav/bump-homebrew-formula-action from 3.6 to 4.1 by @dependabot[bot] in #13004
chore(deps): bump azure/login from 2.3.0 to 3.0.0 by @dependabot[bot] in #12951

New Contributors

@joshjohanning made their first contribution in #13021
@realMelTuc made their first contribution in #12725
@Lslightly made their first contribution in #13033

Full Changelog: v2.88.1...v2.89.0

pnpm/pnpm (pnpm)

`v10.33.0`

Compare Source

`v10.32.1`: pnpm 10.32.1

Compare Source

Patch Changes

Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #10909.

Platinum Sponsors

Gold Sponsors

`v10.32.0`: pnpm 10.32

Compare Source

Minor Changes

Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #10136.

Patch Changes

Reverted change related to setting explicitly the npm config file path, which caused regressions.
Reverted fix related to lockfile-include-tarball-url. Fixes #10915.

Platinum Sponsors

Gold Sponsors

Patch Changes

Use the /-/npm/v1/security/audits/quick endpoint as the primary audit endpoint, falling back to /-/npm/v1/security/audits when it fails #10649.

Platinum Sponsors

Gold Sponsors

`v10.30.0`: pnpm 10.30

Compare Source

Minor Changes

pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.

Patch Changes

Revert pnpm why dependency pruning to prefer correctness over memory consumption. Reverted PR: #7122.
Optimize pnpm why and pnpm list performance in workspaces with many importers by sharing the dependency graph and materialization cache across all importers instead of rebuilding them independently for each one #10596.

Platinum Sponsors

Gold Sponsors

`v10.29.3`

Compare Source

`v10.29.2`

Compare Source

`v10.29.1`: pnpm 10.29.1

Compare Source

Minor Changes

The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
Support configuring auditLevel in the pnpm-workspace.yaml file #10540.
Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #10436.

Patch Changes

Fixed pnpm list --json returning incorrect paths when using global virtual store #10187.
Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #10290.
Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #10497.
Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #10176.
Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #10281.
Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #10460.
Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #10540.
update tar to version 7.5.7 to fix security issue

Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842
Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #10325.
Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #10271.
pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #10561.
Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #10457.

Platinum Sponsors

Gold Sponsors

semgrep/semgrep (semgrep)

`v1.159.0`

Compare Source

### Fixed

Semgrep now reports an error instead of silently returning zero findings when target file discovery fails (e.g., due to a git ls-files failure). (ENGINE-2626)

`v1.158.0`

Compare Source

### Added

Added support for a supply chain hook for the Semgrep Plugin (supply-chain-hook)
Computing taint configs, ~1/4-1/2 of the semgrep-core time in interfile scans, is now done in parallel according to the number of jobs (ENGINE-2649)
Semgrep Pro interfile engine (--pro) taint analysis has been redesigned, significantly improving performance (estimated 20-40% improvement). This improvement introduces a slight change in how findings are generated, that may result in more true positives, or less false positives. To revert to previous behavior, pass --no-x-run-taint-once as a flag. (engine-2468)

### Changed

semgrep-core macOS binaries are now dynamically linked to the system's libraries. (macos-binary-build)
semgrep-core manylinux binaries are now dynamically linked to the system's glibc on glibc systems. This introduces a minimum glibc version requirement of >=2.35, which is satisfied in Ubuntu >=22.04, Debian >=12, RHEL >=10, and other glibc distributions with at least glibc 2.35. Linux systems running an older glibc will need to upgrade their OS. (manylinux-binary-build)
The manylinux wheel is now tagged as manylinux_2_35_, reflecting a minimum
requirement of glibc version 2.35. (manylinux-wheel-tag)
semgrep-core musllinux binaries are now dynamically linked to the system's musl libc on musl systems. (musllinux-binary-build)
The musllinux PyPI wheel is now tagged as musllinux_1_2_, reflecting a requirement
of musl libc version 1.2. (musllinux-wheel-tag)
The LSP and MCP servers now use the v2 config download endpoint by default when fetching rules from Semgrep AppSec Platform. Set SEMGREP_DISABLE_CONFIG_DOWNLOAD_V2=1 to fall back to the legacy endpoint. (SMS-2284)

### Fixed

Fixed IDE login issues where network errors during token verification were incorrectly clearing the saved token. The LSP now distinguishes 401 Unauthorized (invalid token) from other errors (e.g. network failures), surfacing appropriate messages instead. (ide-login)
Fixed SARIF taint trace output: step locations now use the correct file URI, and the full taint sink call trace is included in codeFlows. (engine-2570)
The --x-mem-policy flag now propagates to the RPC subprocess, fixing memory tuning for dependency resolution and other RPC-based operations. (pylon-20772)

`v1.157.0`

Compare Source

### Added

pro: Improved taint tracking through lambda calls. (LANG-268)
It is now possible to match a class name like in $C.getInstance(...), and then
use metavariable-type on $C to check its type. (LANG-271)
pro: Improve cross-file taint tracking for globals. (LANG-275)

### Changed

Pro: Reduces redundant recomputation during inter-file taint analysis by serializing intermediate results to disk. (ENGINE-2582)
pro: Improved golang module resolution. (code-9225)
Supply Chain Analysis of npm package lock files now uses a proprietary OCaml-based parser, replacing the old Python version. The supply-chain functionality for these files is now available only to Semgrep Pro users. (gh-5658)

### Fixed

Fix Rust parsing of "&raw" where "raw" is an identifier. (rust-parser-updated)
Errors during target file discovery (e.g., permission errors, git failures) are now surfaced as warnings instead of being silently ignored. (ENGINE-2627)
kotlin: Fixed bug parsing FQNs in metavariable-type. (LANG-271)
Fixed requirements.txt parser silently dropping pinned dependencies that followed unpinned package names. (SC-3379)
Prevented certain deeply nested aliengrep matches from segfaulting semgrep-core. (engine-2628)
Fix Python parsing for files that contains empty strings (or quotes in docstrings) along with match statements. (gh-11287)
Fix rule paths.include/paths.exclude filtering when a single file is passed as a scan target. Previously, path patterns like '/src/test//*.java' would not match because only the filename was used for filtering instead of the full project-relative path. (gh-11560)
Pro: Improved type resolution in Scala (lang-79)
Pro: Improved call resolution in Scala for parameterless methods (lang-80)

`v1.156.0`

Compare Source

### Changed

The Kotlin tree-sitter parser has been updated to the latest available grammar significantly improving Kotlin support in Semgrep. (kotlin-parser)

### Fixed

Pro: Experimental interfile tainting for Ruby now disambiguates between variable accesses and zero-argument method calls. (engine-2556)
Pro: Memoize tsconfig.json parsing to avoid redundant re-parsing across a project hierarchy. (engine-2596)
Fixed a crash in semgrep ci when run in a git repo with no remote origin set (gh-11342)

`v1.155.0`

Compare Source

### Added

Added support for (agentic) hooks in Windsurf. (windsurf-hooks)
scala: Improved support for Scala 3's optional braces. (LANG-218)
Added PowerShell language support (beta) with parsing and pattern matching (lang-233)

### Changed

Removed the experimental and undocumented command semgrep install-ci. (osemgrep-install-ci)
Migrate from publishing a single Linux wheel with the platform tag musllinux_1_0_<arch>.manylinux2014_<arch> to publishing two separate wheels:
- A wheel with the platform tag musllinux_1_0_
- A wheel with the platform tag manylinux2014_
(pypi-linux-tag)

### Fixed

When performing parallel operations over a small number of input items, the
engine no longer spawns more OCaml domains than we have items to process. This
assists with resource utilisation. (engine-2588)
Fixed: Prevent SessionStart hook crash when inject-secure-defaults receives empty stdin (JSONDecodeError). (engine-2592)
Semgrep secret validation now times out after 30 seconds instead of 15 minutes. Additionally this timeout is configurable via the --secrets-timeout flag. (engine-2593)
Fixed permission errors during lockfileless Java (Gradle) dependency resolution by invoking gradlew via sh when the executable bit is not set (gh-5747)

`v1.154.0`

### Fixed

Fix crash on Windows when running semgrep ci with --debug and no blocking findings. The Windows subprocess path incorrectly raised an exception for all pysemgrep exit codes (including 0), which was silently swallowed in normal mode but propagated as a fatal error when --debug was active. (ENGINE-2491)
Changed default memory policy from "eager" to "balanced". Scan times should
noticably improve; however, scans may use 5-10% additional memory. If running
in a resource-constrained environment, consider setting the memory policy back
to "aggressive". (engine-2055)
When Semgrep decides which files to scan (targeting), it can take a long time (over 5 minutes) on very large repos (> 10k files). Semgrep will now parallelize this work according to the number of jobs passed (-j) (engine-2512)
Fixed a performance issues where passing many scannign roots on the command
line (e.g. semgrep scan $(git ls-files '*.py')) caused one semgrep-core
subprocess to be spawned per file. Roots that are not directories are now
handled directly in Python without any subprocess overhead. (gh-11404)
Scala: Restored parse rate after mistaken bug introduced by implicit block parsing fix (lang-215)

`v1.153.0`

Compare Source

### Added

Semgrep core is now optimized with flambda (flambda)
Scala: Support for for-yield (LANG-193)

### Fixed

Scala: Fixed a parsing bug where subsequent calls in an implicit block would not
be considered at the same scope, e.g.
```
def f (a: t) =
  foo()
  bar()
``` (lang-194)
```

1.152.0 - 2026-02-17

### Added

Hooks (for both Claude Code and Cursor) now pull custom rules from the registry (custom-rules-hooks)
Turned on DNS rebinding protection for the MCP server (dns-check)
Environment variables can now be passed to third-party package managers invoked as part of --allow-local-builds dependency resolution via the environment variable SEMGREP_LOCAL_BUILD_ENV, which accepts a JSON object with string keys and string values. (SC-3163)
Memory management policies

A memory policy defines how OCaml's garbage collector should be configured for
a scan. There are two initial policies: "aggressive", the current behaviour,
which trades longer scan times for lower memory use, and "balanced", which
finds a middle ground between reclaiming heap memory in short order while
limiting how often the garbage collector runs. The policy can be configured
via the --x-mem-policy CLI flag for the pro engine; this flag is unused in
the OSS engine. (engine-2055)
Added experimental support for the OpenFGA authorization language. Thanks to Alex Useche (@hex0punk) for the contribution! (gh-11347)

Allows case insensitive string comparisons using lower() and upper() like this:

- metavariable-comparison:
    metavariable: $VALUE
    comparison: upper(str($VALUE)) == "SEMGREP"

(gh-11502)

Blocking findings that are outputted in the CI output are now labelled as such. (#4394)

### Changed

pro: There should be fewer FNs when the max number of fields to track per object
is reached. (code-9224)
Remove legacy combined symbol analysis computation and upload in favor of per-subproject symbol analysis (sc-3153)

### Fixed

pro: Improved accuracy of taint tracking through assignments, this will help
reduce FPs in some cases. (code-9220)
When receiving a 429 or 5xx from the Semgrep app, the CLI will wait for a
longer period of time before retrying the request, to spread out requests
during periods of app instability. (engine-2550)

1.151.0 - 2026-02-04

Added

Added progress indicators for symbol analysis calculation and upload during CI scans (sc-3103)

Fixed

bumped glom to at least version 23.3, which includes a fix to a SyntaxWarning
warning log. (gh-11460)
Semgrep no longer prints info log lines from semgrep-core RPC calls when --trace is passed and --debug isn't (loglines)
Fixed the README not appearing in built wheels. (wheelreadme)

[1.1

Configuration

📅 Schedule: (in timezone UTC)

Branch creation
- "every weekend"
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate · 2026-03-21T01:57:28Z

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package.json

Command failed: corepack use pnpm@10.33.0

greptile-apps · 2026-03-21T01:59:49Z

Greptile Summary

This is a routine automated dependency update PR from Renovate Bot, bumping a wide range of dependencies across the stack: GitHub Actions (setup-node v6.3.0, mise-action v3.6.3, zizmor-action v0.5.2, codeql-action v4.32.6), Node.js packages (pnpm 10.32.1, vitest/vite 4.1.0/8.0.0 stable releases from beta, oxfmt, oxlint, undici, electron, node-addon-slsa), Rust crates (tempfile 3.27.0), Python tools (ruff, semgrep, pyrefly, zizmor), and various aqua-managed CLI tools (uv, gh, gitleaks, shfmt, nextest). All GitHub Action references continue to be pinned by full commit SHA, which is good practice for this repository.

Most changes are straightforward version bumps with no behavioral impact on the codebase itself.
Several beta versions (vitest, vite) graduate to stable releases — a positive change.
The packageManager field in package.json was updated to pnpm@10.32.1 but the SHA512 integrity hash that was present in the old value was dropped, removing Corepack's ability to verify the pnpm binary on download.

Confidence Score: 4/5

This PR is safe to merge; the only notable finding is a non-critical omission of the Corepack integrity hash for pnpm.
All changes are automated dependency bumps. GitHub Actions remain SHA-pinned, Dockerfile images are digest-pinned, and lock files are fully regenerated. The one notable point is the missing SHA512 hash in the packageManager field, which is a best-practice/supply-chain hygiene issue rather than an active vulnerability. Everything else is routine.
package.json — missing SHA512 hash in the packageManager field.

Important Files Changed

Filename	Overview
package.json	Updated pnpm to 10.32.1 but dropped the SHA512 integrity hash from the packageManager field, removing Corepack's ability to verify the binary's integrity on download.
Dockerfile	Updated docker/dockerfile syntax to 1.22 and manylinux_2_28 base image to a new digest. Both references are pinned by SHA256. No issues found.
Cargo.lock	Updated tempfile from 3.26.0 to 3.27.0 which pulls in getrandom 0.3.4 instead of 0.4.2, and resolves different windows-sys versions for various crates. Standard lock file update.
mise.toml	Updated gitleaks, uv, gh CLI, nextest, and mvdan/sh (shfmt) to newer patch/minor versions. No issues found.
pyproject.toml	Updated pyrefly, ruff, semgrep, and zizmor to newer versions. No issues found.
pnpm-workspace.yaml	Updated catalog versions for @vitest/coverage-istanbul, electron, oxfmt, oxlint, undici, vite, and vitest from beta/older versions to stable releases. No issues found.

Comments Outside Diff (1)

package.json, line 202 (link)

Missing Corepack integrity hash for pnpm

The previous packageManager value included a +sha512 integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.

You can restore supply-chain integrity by running:

corepack use pnpm@10.32.1

This will update package.json with the correct hash for 10.32.1, e.g.:

Consider asking Renovate to preserve the hash when bumping the packageManager field (the pinDigests option may help, or a custom packageRules entry targeting packageManager).

Prompt To Fix With AI

This is a comment left during a code review.
Path: package.json
Line: 202

Comment:
**Missing Corepack integrity hash for pnpm**

The previous `packageManager` value included a `+sha512` integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.

You can restore supply-chain integrity by running:

```bash
corepack use pnpm@10.32.1
```

This will update `package.json` with the correct hash for 10.32.1, e.g.:



Consider asking Renovate to preserve the hash when bumping the `packageManager` field (the [`pinDigests`](https://docs.renovatebot.com/configuration-options/#pindigests) option may help, or a custom `packageRules` entry targeting `packageManager`).

How can I resolve this? If you propose a fix, please make it concise.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: package.json
Line: 202

Comment:
**Missing Corepack integrity hash for pnpm**

The previous `packageManager` value included a `+sha512` integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.

You can restore supply-chain integrity by running:

```bash
corepack use pnpm@10.32.1
```

This will update `package.json` with the correct hash for 10.32.1, e.g.:

```suggestion
  "packageManager": "pnpm@10.32.1+sha512.<hash-for-10.32.1>",
```

Consider asking Renovate to preserve the hash when bumping the `packageManager` field (the [`pinDigests`](https://docs.renovatebot.com/configuration-options/#pindigests) option may help, or a custom `packageRules` entry targeting `packageManager`).

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: "Update all dependenc..."}

codecov · 2026-04-20T21:27:48Z

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

renovate Bot force-pushed the renovate/all-dependencies branch 4 times, most recently from 1c2d5e5 to 40653e4 Compare March 22, 2026 02:03

github-advanced-security AI found potential problems Mar 22, 2026

View reviewed changes