fix(deps): update all dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
actions/dependency-review-action	action	minor	v4.7.3 -> v4.8.1
actions/setup-node	action	major	v5.0.0 -> v6.0.0
github.com/aperturerobotics/starpc	require	patch	v0.39.9 -> v0.39.10
github/codeql-action	action	major	v3.30.3 -> v4.31.0
go (source)	toolchain	patch	1.25.1 -> 1.25.3
golang.org/x/mod	require	minor	v0.28.0 -> v0.29.0
golang.org/x/tools	require	minor	v0.37.0 -> v0.38.0
mvdan.cc/gofumpt	require	patch	v0.9.1 -> v0.9.2
starpc	dependencies	patch	0.39.9 -> 0.39.10
typescript (source)	devDependencies	patch	5.9.2 -> 5.9.3
vitest (source)	devDependencies	major	^3.1.1 -> ^4.0.0

---

Release Notes

actions/dependency-review-action (actions/dependency-review-action)

v4.8.1: Dependency Review Action v4.8.1

Compare Source

What's Changed

• (bug) Fix spamming link test in deprecation warning (again) by @​ahpook in #​1000
• Bump version for 4.8.1 release by @​ahpook in #​1001

Full Changelog: actions/dependency-review-action@v4...v4.8.1

v4.8.0

Compare Source

What's Changed

• Make Ruby Code Scannable by @​ljones140 in #​978
• Batch some contributions for release by @​brrygrdn in #​986
  • Make license lists collapsable by @​jasperkamerling
  • feat: add large summary handling with artifact upload by @​MattMencel

New Contributors

• @​ljones140 made their first contribution in #​978
• @​jasperkamerling made their first contribution in #​986
• @​MattMencel made their first contribution in #​986

Full Changelog: actions/dependency-review-action@v4...v4.8.0

v4.7.4

Compare Source

actions/setup-node (actions/setup-node)

v6.0.0

Compare Source

What's Changed

Breaking Changes

• Limit automatic caching to npm, update workflows and documentation by @​priyagupta108 in #​1374

Dependency Upgrades

• Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by @​dependabot[bot] in #​1336
• Upgrade prettier from 2.8.8 to 3.6.2 by @​dependabot[bot] in #​1334
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot[bot] in #​1362

Full Changelog: actions/setup-node@v5...v6.0.0

aperturerobotics/starpc (github.com/aperturerobotics/starpc)

v0.39.10

Compare Source

github/codeql-action (github/codeql-action)

v4.31.0

Compare Source

v4.30.9

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.30.9 - 17 Oct 2025

• Update default CodeQL bundle version to 2.23.3. #​3205
• Experimental: A new setup-codeql action has been added which is similar to init, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. #​3204

See the full CHANGELOG.md for more information.

v4.30.8

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.30.8 - 10 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v4.30.7

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.30.7 - 06 Oct 2025

• [v4+ only] The CodeQL Action now runs on Node.js v24. #​3169

See the full CHANGELOG.md for more information.

v3.31.0

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.0 - 24 Oct 2025

• Bump minimum CodeQL bundle version to 2.17.6. #​3223
• When SARIF files are uploaded by the analyze or upload-sarif actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the upload-sarif action. For analyze, this may affect Advanced Setup for CodeQL users who specify a value other than always for the upload input. #​3222

See the full CHANGELOG.md for more information.

v3.30.9

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.9 - 17 Oct 2025

• Update default CodeQL bundle version to 2.23.3. #​3205
• Experimental: A new setup-codeql action has been added which is similar to init, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. #​3204

See the full CHANGELOG.md for more information.

v3.30.8

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.8 - 10 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.30.7

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.7 - 06 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.30.6

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.6 - 02 Oct 2025

• Update default CodeQL bundle version to 2.23.2. #​3168

See the full CHANGELOG.md for more information.

v3.30.5

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.5 - 26 Sep 2025

• We fixed a bug that was introduced in 3.30.4 with upload-sarif which resulted in files without a .sarif extension not getting uploaded. #​3160

See the full CHANGELOG.md for more information.

v3.30.4

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.4 - 25 Sep 2025

• We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the codeql-action/init step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the codeql-action/init step. #​3099 and #​3100
• We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. #​3107
• You can now run the latest CodeQL nightly bundle by passing tools: nightly to the init action. In general, the nightly bundle is unstable and we only recommend running it when directed by GitHub staff. #​3130
• Update default CodeQL bundle version to 2.23.1. #​3118

See the full CHANGELOG.md for more information.

golang/go (go)

v1.25.3

v1.25.2

mvdan/gofumpt (mvdan.cc/gofumpt)

v0.9.2

Compare Source

This release moves the "clothe naked returns" rule under gofumpt -extra, following the discussion in #​285.

Binaries built on go version go1.25.3 linux/amd64 with:

CGO_ENABLED=0 go build -trimpath -ldflags="-w -s"

Consider becoming a sponsor if you benefit from the work that went into this release!

microsoft/TypeScript (typescript)

v5.9.3: TypeScript 5.9.3

Compare Source

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

• fixed issues query for Typescript 5.9.0 (Beta).
• fixed issues query for Typescript 5.9.1 (RC).
• No specific changes for TypeScript 5.9.2 (Stable)
• fixed issues query for Typescript 5.9.3 (Stable).

Downloads are available on:

• npm

vitest-dev/vitest (vitest)

v4.0.4

Compare Source

   🐞 Bug Fixes

• browser:
  • Correct typo  -  by @​benmccann in #​8796 (ede1f)
  • Publish a missing context file for webdriverio  -  by @​sheremet-va in #​8824 (7c7b6)
• mocker:
  • Support mocking builtins without node: prefix  -  by @​sheremet-va in #​8829 (06208)
• pool:
  • Runner's error listener causing MaxListenersExceededWarning  -  by @​AriPerkkio in #​8820 (d1bff)
  • Capture workers stdio to logger  -  by @​AriPerkkio in #​8809 (fb95f)
• spy:
  • Allow classes in vi.mocked utility  -  by @​sheremet-va in #​8839 (f8756)
• worker:
  • Rpc listener leak when isolate: false  -  by @​AriPerkkio in #​8821 (573dc)

   🏎 Performance

• utils: Optimized reducer to avoid creating new objects  -  by @​Connormiha in #​8818 (d19ce)

    View changes on GitHub

v4.0.3

Compare Source

   🐞 Bug Fixes

• Preserve reporter options from config when CLI reporters override them  -  by @​Copilot and sheremet-va in #​8794 (15552)
• browser: More stable in-source testing validation  -  by @​sheremet-va in #​8793 (62297)
• happy-dom: Support fetch globals  -  by @​sheremet-va in #​8791 (0fb74)
• init: Use correct jsx/tsx extension  -  by @​sheremet-va in #​8792 (abc04)

    View changes on GitHub

v4.0.2

Compare Source

   🐞 Bug Fixes

• browser:
  • Don't print the deprecation notice in node_modules  -  by @​sheremet-va in #​8779 (588f7)
• pool:
  • Assign envs before running tests to keep in sync with process.env  -  by @​sheremet-va in #​8769 (26ce8)
• spy:
  • Properly inherit implementation's length  -  by @​sheremet-va in #​8778 (d4c2b)
  • Reset spies if both restoreMocks and mockReset is set in the config  -  by @​sheremet-va in #​8781 (2eedb)

    View changes on GitHub

v4.0.1

Compare Source

   🐞 Bug Fixes

• Move the getBuiltins check  -  by @​sheremet-va in #​8765 (81000)
• pool: Don't teardown the communication channel too soon if something is running after the test  -  by @​sheremet-va in #​8767 (3fae7)

    View changes on GitHub

v4.0.0

Compare Source

   🚨 Breaking Changes

• Remove 'basic' reporter  -  by @​AriPerkkio in #​7884 (82fcf)
• Simplify default exclude pattern  -  by @​sheremet-va in #​6287 (14c50)
• Remove deprecated getSourceMap  -  by @​sheremet-va in #​8194 (ff934)
• Replace deprecated ErrorWithDiff with TestError  -  by @​sheremet-va in #​8195 (da59e)
• Remove UserConfig type in favor of ViteUserConfig  -  by @​sheremet-va in #​8196 (22f7f)
• Remove deprecated coverage options in favor of vitest/node exports  -  by @​sheremet-va in #​8197 (dc848)
• Remove deprecated internal helpers and environment exports  -  by @​sheremet-va in #​8198 (4703c)
• Remove deprecated typecheck and runner types  -  by @​sheremet-va in #​8199 (89a1c)
• Remove Node types from the main entry point, use vitest/node instead  -  by @​sheremet-va in #​8200 (1e60c)
• Remove support for Vite 5  -  by @​sheremet-va in #​8202 (cb8b0)
• Remove deprecated types  -  by @​sheremet-va in #​8203 (66bee)
• Remove deprecated environmentMatchGlobs and poolMatchGlobs  -  by @​sheremet-va in #​8205 (be11d)
• Remove deprecated workspace option in favor of projects  -  by @​sheremet-va in #​8218 (76fb7)
• Ignore --standalone when CLI filename filter is used  -  by @​AriPerkkio in #​8262 (013bf)
• Use module-runner instead of vite-node  -  by @​sheremet-va and @​AriPerkkio in #​8208 (9be01)
• Rewrite spying implementation to make module mocking more intuitive  -  by @​sheremet-va in #​8363 (9e412)
• Remove deprecated APIs  -  by @​sheremet-va in #​8428 (a1cb9)
• Remove minWorkers and set it automatically to 0 in non watch mode  -  by @​sheremet-va in #​8454 (2c2d1)
• Verbose reporter prints tests in a list, introduce tree reporter  -  by @​sheremet-va and @​AriPerkkio in #​8500 (25fd3)
• Include shadow root contents in pretty-format output  -  by @​wkillerud in #​8545 (9e722)
• Remove deprecated order from test() API  -  by @​sheremet-va in #​8594 (4d419)
• Rewrite pools without tinypool  -  by @​AriPerkkio and @​sheremet-va in #​8705 (4822d)
• browser: Require a provider factory instead of a string  -  by @​sheremet-va in #​8445 (606cb)
• expect: Pass current equality testers to asymmetric matcher  -  by @​hi-ogawa in #​6825 (965ce)
• projects: Allow only files that have "vitest.config" or "vite.config" in the name  -  by @​sheremet-va in #​8542 (304bc)
• reporter: Remove deprecated APIs  -  by @​AriPerkkio and @​sheremet-va in #​8223 (149f8)
• runner: Set mode to todo if no function is passed down to test or describe  -  by @​sheremet-va in #​8346 (1a81c)
• snapshot: Fail test with obsolete snapshot on CI  -  by @​hi-ogawa in #​7963 (4d84f)
• spy: Support spying on classes  -  by @​sheremet-va in #​6160 (abc0d)

   🚀 Features

• Provide entity to onConsoleLog  -  by @​sheremet-va in #​8159 (437d4)
• Add onUnhandledError callback  -  by @​sheremet-va in #​8162 (924cb)
• Add spy option to vi.mockObject  -  by @​rChaoz in #​8285 (81d76)
• Don't use vite-node in coverage packages  -  by @​sheremet-va (ffdb4)
• Clickable dashboard numbers  -  by @​shairez in #​7406 (2344c)
• Display test "path" when filtering  -  by @​userquin in #​8547 (2e491)
• Introduce separate packages for browser mode providers  -  by @​sheremet-va in #​8629 (0dc93)
• Add hooks with type-safe extra context to TestAPI  -  by @​ysfaran in #​8623 (6b21c)
• Support expect.assert for type narrowing  -  by @​sheremet-va in #​8695 (fe589)
• Add displayAnnotations option to github-options  -  by @​sheremet-va in #​8706 (4a66d)
• Add schema validation matchers  -  by @​zirkelc in #​8527 (c0b25)
• Add a way to dump transformed content  -  by @​sheremet-va in #​8711 (931c0)
• api:
  • Expose experimental_parseSpecifications  -  by @​sheremet-va in #​8408 (fdeb2)
  • Expose Vitest watcher  -  by @​sheremet-va in #​8413 (aaa6e)
  • Add enableCoverage and disableCoverage methods  -  by @​sheremet-va and @​AriPerkkio in #​8412 (61eb7)
  • Add getGlobalTestNamePattern method  -  by @​sheremet-va in #​8438 (bdb70)
  • Add relativeModuleId to TestModule  -  by @​sheremet-va in #​8505 (3be09)
  • Add getSeed method  -  by @​sheremet-va in #​8592 (438c4)
• browser:
  • Support toBeInViewport utility method to assert element is in viewport or not  -  by @​Shinyaigeek in #​8234 (ceed5)
  • Add qwik to the vitest init cli command  -  by @​thejackshelton in #​8330 (1638b)
  • Introduce toMatchScreenshot for Visual Regression Testing  -  by @​macarie in #​8041 (d45f9)
  • Add trackUnhandledErrors option  -  by @​sheremet-va in #​8386 (c0ec0)
  • Support iframe locator with playwright provider  -  by @​sheremet-va in #​8016 (57b2c)
  • Add length property to locators, toHaveLength now accepts locators  -  by @​sheremet-va in #​8512 (2308c)
  • Support playwright tracing  -  by @​sheremet-va in #​8584 (1aac5)
  • Expose options on BrowserProviderOption  -  by @​sheremet-va in #​8609 (0d0e5)
  • Support --inspect option in webdriverio  -  by @​sheremet-va in #​8613 (38adc)
  • Support custom screenshot comparison algorithms  -  by @​macarie in #​8687 (e63b1)
• coverage:
  • autoUpdate to support percentage formatting  -  by @​Battjmo and @​AriPerkkio in #​8456 (99e01)
• expect:
  • Support toBeNullable expect function to check provided value is nullish  -  by @​Shinyaigeek and @​sheremet-va in #​8294 (eeec5)
• mocker:
  • Add automocker entry  -  by @​sheremet-va in #​8301 (e9c92)

   🐞 Bug Fixes

• Allow overriding globals in types  -  by @​sheremet-va in #​8215 (2248b)
• Remove unused dependencies  -  by @​AriPerkkio in #​8184 (feadc)
• Distribute test files to shards more evenly  -  by @​Shinyaigeek and @​AriPerkkio in #​8288 (7b489)
• Use suite's timeout when test.extend  -  by @​AriPerkkio in #​8278 (43977)
• Support snapshot with no object key sorting  -  by @​hi-ogawa and @​sheremet-va in #​8136 (e85e3)
• Annotation location always points to the test file  -  by @​sheremet-va in #​8315 (88071)
• Add --changed flag support to vitest list command  -  by @​haakonjackfloat in #​8270 and #​8272 (e71a5)
• Prevent rpc timeout on slow thread blocking synchronous methods  -  by @​AriPerkkio and @​sheremet-va in #​8297 (bea87)
• Forbid setting environment to browser  -  by @​sheremet-va in #​8334 (0417a)
• Invalidate modules in all module graphs when the file is changed  -  by @​sheremet-va in #​8352 (94ab3)
• Screenshot masks with Playwright provider  -  by @​macarie in #​8357 (459ef)
• Configure oxc instead of esbuild on rolldown-vite  -  by @​hi-ogawa in #​8378 (e922e)
• Make sure test errors always have stacks property in Node.js context  -  by @​sheremet-va in #​8392 (b825e)
• Support import.meta.resolve on Vite 7  -  by @​hi-ogawa in #​8493 (549d3)
• Show the assertion error first when expect.poll assertion fails  -  by @​sheremet-va in #​8483 (fb450)
• Override fake timers when useFakeTimers is called multiple times  -  by @​sheremet-va in #​8504 (ed7e3)
• Custom expect messages for expect.extend matchers  -  by @​lzl0304 in #​8520 (96945)
• Process sourcemaps for stack traces from globalSetup files  -  by @​sheremet-va in #​8534 (8978a)
• Resolve performance issue when throwing errors with stackTraceLimit = 0  -  by @​Copilot, sheremet-va and @​AriPerkkio in #​8531 (6d5b5)
• Avoid recursively applying $ and % formatting to test.for/each title  -  by @​hi-ogawa in #​8557 (ea6d7)
• Replace wildcard exports "./*" with specific files in vitest package  -  by @​hi-ogawa in #​8560 (ce746)
• Don't publish unused d.ts files  -  by @​sheremet-va in #​8562 (42dfd)
• Remove loupe dependencies from optimizeDeps.include for browser mode  -  by @​jake-danton in #​8570 (cdcf7)
• Update engines field to drop Node 18 support  -  by @​sheremet-va in #​8608 (9a0bf)
• Correctly inherit test options on extended tests  -  by @​sheremet-va in #​8618 (15c09)
• Update @​types/node peer deps  -  by @​sheremet-va (ee6b2)
• Re-export CDP Session directly from playwright  -  by @​mrginglymus in #​8702 (9553a)
• Disable trackUnhandledErrors if inspector is enabled  -  by @​sheremet-va in #​8732 (acac7)
• base option doesn't crash vitest  -  by @​sheremet-va in #​8760 (9f0ec)
• browser:
  • Run in-source tests only when the file itsels is a test file  -  by @​sheremet-va in #​8204 (bdd2e)
  • locator.element() return

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	golang/​golang.org/​x/​tools@​v0.38.0
	npm/​starpc@​0.39.9 ⏵ 0.39.10	+1		+1	+1
	npm/​typescript@​5.9.2 ⏵ 5.9.3			+1
	golang/​golang.org/​x/​mod@​v0.29.0
	golang/​mvdan.cc/​gofumpt@​v0.9.2
	golang/​github.com/​aperturerobotics/​starpc@​v0.39.10

View full report

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
golang.org/x/sys	v0.36.0 -> v0.37.0