Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@swc/core (source)	1.15.40 → 1.15.41			devDependencies	patch
@types/node (source)	22.19.19 → 22.19.21			devDependencies	patch	22.20.0
@vitest/coverage-v8 (source)	3.2.4 → 3.2.6			devDependencies	patch
codecov/codecov-action	v5.5.4 → v5.5.5			action	patch
node (source)	24.16.0 → 24.17.0			volta	minor
npm (source)	11.16.0 → 11.17.0			packageManager	minor
npm (source)	11.16.0 → 11.17.0			volta	minor

---

Release Notes

swc-project/swc (@​swc/core)

v1.15.41

Compare Source

Bug Fixes

• (bindings/node) Preserve source context for AST transforms (#​11920) (b6dfa74)

• (es/codegen) Emit export as namespace correctly (#​11923) (4e1f832)

• (es/codegen) Emit export as namespace minified correctly (#​11924) (7157499)

• (es/compat) Rewrite this in destructuring defaults (#​11909) (68af779)

• (es/decorators) Delay 2022 decorator initializers after private fields (#​11847) (3f1a4f5)

• (es/decorators) Handle import types in decorator metadata (#​11916) (f411429)

• (es/fixer) Preserve new tagged template callee parens (#​11922) (242a03a)

• (es/minifier) Handle unknown member props (#​11927) (e59ba68)

• (es/parser) Handle Flow async generic arrows (#​11926) (b9b8993)

• (es/renamer) Avoid duplicate mangled names across eval scope boundaries (#​11913) (4a1af84)

• (plugin) Avoid importing __free from env (#​11908) (4584296)

• (swc) Preserve plugin error context (#​11904) (4e2e9fc)

• (swc_common) Fix sourcemap panic for multibyte mapping positions (#​11918) (40c1601)

Documentation

• Fix architecture fixer link (#​11911) (51cbc8c)

Performance

• Lazily compute source file hashes (#​11879) (a3cfbd7)

• Optimize Atom equality (#​11902) (c6f8cb0)

Revert

• (es/decorators) Revert decorator initializer ordering (#​11901) (a3f23b1)

• (swc_common) Revert sourcemap multibyte mapping clamp (#​11919) (08b4200)

vitest-dev/vitest (@​vitest/coverage-v8)

v3.2.6

Compare Source

v3.2.5

Compare Source

codecov/codecov-action (codecov/codecov-action)

v5.5.5

Compare Source

This release only contains the keybase.io change as described here.

Full Changelog: codecov/codecov-action@v5.5.4...v5.5.5

nodejs/node (node)

v24.17.0: 2026-06-18, Version 24.17.0 'Krypton' (LTS), @​aduh95

Compare Source

This is a security release.

Notable Changes

• (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
• (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
• (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
• (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
• (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
• (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
• (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
• (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
• (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
• (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
• (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low

Commits

• [9e4dfc7bba] - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) nodejs-private/node-private#878
• [cb2aed980c] - deps: update llhttp to 9.4.2 (Antoine du Hamel) nodejs-private/node-private#890
• [a8a0d12875] - (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 (Tim Perry) #​62891
• [66e6203c1c] - (SEMVER-MAJOR) deps: update nghttp2 to 1.69.0 (Node.js GitHub Bot) #​62891
• [dd627ced27] - deps: update archs files for openssl-3.5.7 (Node.js GitHub Bot) #​63820
• [684bae568f] - deps: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) #​63820
• [3a631e7f83] - deps: fix aix implicit declaration in OpenSSL (Abdirahim Musse) #​62656
• [cf44df3996] - deps: update undici to 7.28.0 (Node.js GitHub Bot) #​63703
• [138c70294b] - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) nodejs-private/node-private#868
• [be7e719c3f] - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) nodejs-private/node-private#846
• [cc7c11b4d1] - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) nodejs-private/node-private#855
• [9224427b92] - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) nodejs-private/node-private#867
• [cf85d54839] - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) nodejs-private/node-private#873
• [a1bbc24f96] - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) nodejs-private/node-private#870
• [e3723ff2d6] - test: add session reuse host verification regressions (Matteo Collina) nodejs-private/node-private#854
• [a77af4867b] - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) nodejs-private/node-private#854
• [31beb4f707] - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) nodejs-private/node-private#857
• [8e75c73f91] - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) nodejs-private/node-private#869

npm/cli (npm)

v11.17.0

Compare Source

Features

• ae8ac4e #​9534 add min-release-age-exclude config (@​JamieMagee, @​caseyjhol)
• 8ff3e48 #​9483 allowScripts tooling and inBundle hardening (#​9483) (@​github-actions[bot], @​JamieMagee)

Bug Fixes

• 847cdf8 #​9541 match dotted and versioned args in approve-scripts/deny-scripts (@​owlstronaut)
• d99f7cb #​9535 emit valid JSON from approve-scripts/deny-scripts --json (@​owlstronaut)
• 351a309 #​9499 pass script-shell to publish lifecycle hooks (#​9499) (@​github-actions[bot])
• 4fa81df #​9497 recognize allowScripts for local link targets (#​9497) (@​github-actions[bot], @​cyphercodes, @​cyphercodes)
• 95cf2e9 #​9489 validate registry path for allow-remote tarballs (@​Abhinav-143x)
• 9dd219b #​9462 respect allowScripts policy in prune, dedupe, uninstall, audit, and link (#​9462) (@​github-actions[bot], @​JamieMagee)
• cd8d18a #​9482 list pending scripts in approve-scripts when ignore-scripts is set (#​9482) (@​github-actions[bot], @​JamieMagee)
• c14e87c #​9481 suggest --allow-scripts for global installs in unreviewed-scripts warnings (#​9481) (@​github-actions[bot], @​JamieMagee)
• 7ade52e #​9465 invalid issue template YAML indentation (#​9465) (@​github-actions[bot], @​fallintoplace)
• c069622 #​9464 show full parent command path in subcommand usage errors (#​9464) (@​owlstronaut)
• 1bb62bb #​9454 config: clarify --all help so it's accurate for approve-scripts and deny-scripts (@​JamieMagee)
• 84eeb5f #​9431 audit: don't apply min-release-age before filter when verifying installed signatures (@​JamieMagee)
• 3bd3377 #​9426 block forbidden keys in Queryable setter to prevent prototype pollution (@​12122J, @​claude)

Documentation

• a86a7a9 #​9522 approve-scripts only throws EGLOBAL when run with -g (@​JamieMagee)
• 693bb3d #​9508 clarify package.json override value specs (#​9508) (@​github-actions[bot], @​ded-furby)
• ccffe4a #​9501 use the latest version for global update and outdated's wanted (#​9501) (@​github-actions[bot], @​liangmiQwQ)
• 66e97c2 #​9478 update minimum npm required for npm trust (@​meeech)

Dependencies

• bd09b87 #​9542 postcss-selector-parser@7.1.4
• 95bfc4c #​9542 tinyglobby@0.2.17
• 8c0d5fd #​9542 tar@7.5.16
• 967d377 #​9542 semver@7.8.4
• cdaac1b #​9542 pacote@21.5.1
• 25c8a9e #​9542 node-gyp@12.4.0

Chores

• 2922fa4 #​9542 dev dependency updates (@​owlstronaut)
• workspace: @npmcli/arborist@9.8.0
• workspace: @npmcli/config@10.11.0
• workspace: libnpmdiff@8.1.10
• workspace: libnpmexec@10.3.0
• workspace: libnpmfund@7.0.24
• workspace: libnpmpack@9.1.10

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.41%. Comparing base (17a7e68) to head (246fe55).

Additional details and impacted files

@@           Coverage Diff           @@
##           master      #12   +/-   ##
=======================================
  Coverage   86.41%   86.41%           
=======================================
  Files           4        4           
  Lines         449      449           
  Branches      139      139           
=======================================
  Hits          388      388           
  Misses         61       61           

Flag	Coverage Δ
unit	86.41% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: @2bad/micrograd@1.0.0
npm error Found: vitest@3.2.4
npm error node_modules/vitest
npm error   dev vitest@"3.2.4" from the root project
npm error   peer vitest@"3.2.4" from @vitest/ui@3.2.4
npm error   node_modules/@vitest/ui
npm error     peerOptional @vitest/ui@"3.2.4" from vitest@3.2.4
npm error
npm error Could not resolve dependency:
npm error peer vitest@"3.2.6" from @vitest/coverage-v8@3.2.6
npm error node_modules/@vitest/coverage-v8
npm error   dev @vitest/coverage-v8@"3.2.6" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-06-18T18_09_00_220Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-06-18T18_09_00_220Z-debug-0.log