deps: Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@types/node (source)	^22.19.9 → ^22.19.11
@types/react (source)	^19.2.13 → ^19.2.14
@typescript-eslint/eslint-plugin (source)	^8.54.0 → ^8.55.0
@typescript-eslint/parser (source)	^8.54.0 → ^8.55.0
dotenv	^17.2.4 → ^17.3.1
pnpm (source)	10.28.2 → 10.29.3
turbo (source)	^2.8.3 → ^2.8.7

---

Release Notes

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.55.0

Compare Source

🚀 Features

• utils: deprecate defaultOptions in favor of meta.defaultOptions (#​11992)

🩹 Fixes

• eslint-plugin: [no-useless-default-assignment] reduce param index to ts this handling (#​11949)
• eslint-plugin: [no-useless-default-assignment] report unnecessary defaults in ternary expressions (#​11984)
• eslint-plugin: [no-useless-default-assignment] require strictNullChecks (#​11966, #​12000)
• eslint-plugin: [no-unused-vars] remove trailing newline when removing entire import (#​11990)

❤️ Thank You

• Christian Rose @​chrros95
• Josh Goldberg
• Maria Solano @​MariaSolOs
• Minyeong Kim @​minyeong981
• SungHyun627 @​SungHyun627
• Yukihiro Hasegawa @​y-hsgw

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.55.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

motdotla/dotenv (dotenv)

v17.3.1

Compare Source

Changed

• Fix as2 example command in README and update spanish README

v17.3.0

Compare Source

Added

• Add a new README section on dotenv’s approach to the agentic future.

Changed

• Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.

pnpm/pnpm (pnpm)

v10.29.3

Compare Source

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

vercel/turborepo (turbo)

v2.8.7: Turborepo v2.8.7

Compare Source

What's Changed

Changelog

• fix: Keep stdin alive for persistent tasks in stream mode by @​anthonyshew in #​11793
• feat: Add internal agents app for repo automation by @​anthonyshew in #​11799
• chore: Add env vars by @​anthonyshew in #​11800
• fix: Handle subpath package imports in turbo boundaries by @​anthonyshew in #​11798
• feat: Add dashboard with run tracking and live logs for agent sandboxes by @​anthonyshew in #​11802
• fix: Normalize bare LF to CRLF in TUI output to prevent garbled logs by @​anthonyshew in #​11804

Full Changelog: vercel/turborepo@v2.8.6...v2.8.7

v2.8.6: Turborepo v2.8.6

Compare Source

What's Changed

Changelog

• chore: Add internal agents app for repo automation by @​anthonyshew in #​11781
• feat: Add internal agents app for repo automation by @​anthonyshew in #​11783
• chore: Manual audits by @​anthonyshew in #​11785
• chore: Fixing audit agent by @​anthonyshew in #​11786
• chore: Still iterating on sec audit fixer by @​anthonyshew in #​11787
• fix: Emit space for empty vt100 cells to fix TUI repaint on task switch by @​anthonyshew in #​11789

Full Changelog: vercel/turborepo@v2.8.5...v2.8.6

v2.8.5: Turborepo v2.8.5

Compare Source

What's Changed

@​turbo/codemod

• fix: Upgrade tsdown to fix valibot and diff vulnerabilities by @​anthonyshew in #​11766
• fix: Upgrade semver to fix ReDoS vulnerability by @​anthonyshew in #​11765

@​turbo/repository

• fix: Rename cli workspace package to avoid false audit match by @​anthonyshew in #​11767

Changelog

• fix: Add Vary: Accept header to docs markdown endpoint by @​molebox in #​11759
• chore: Agentic workflows app by @​anthonyshew in #​11773
• chore: Add internal agents app for repo automation by @​anthonyshew in #​11776
• chore: Update reproduction request message by @​anthonyshew in #​11778
• Revert "fix: Upgrade node-plop to 0.32.3" by @​anthonyshew in #​11780

Full Changelog: vercel/turborepo@v2.8.4...v2.8.5

v2.8.4: Turborepo v2.8.4

Compare Source

What's Changed

create-turbo

• fix: Upgrade semver to fix ReDoS vulnerability by @​anthonyshew in #​11683
• fix: Upgrade inquirer to remove lodash dependency by @​anthonyshew in #​11709
• fix: Upgrade tsdown in create-turbo to resolve valibot ReDoS vulnerability by @​anthonyshew in #​11702
• fix: Upgrade jest to v30 to resolve brace-expansion ReDoS vulnerability by @​anthonyshew in #​11706

eslint

• fix: Upgrade Next.js to 16.1.5 to fix DoS vulnerabilities by @​anthonyshew in #​11681
• fix: Upgrade eslint to v10 to resolve @​eslint/plugin-kit ReDoS vulnerability by @​anthonyshew in #​11705

Examples

• examples: Update NODE_VERSION to 24.13.1 in Dockerfile by @​i5d6 in #​11679

Changelog

• fix: Upgrade tar to 7.5.7 to address security vulnerabilities by @​anthonyshew in #​11680
• fix: Upgrade ts-json-schema-generator to fix glob command injection vulnerability by @​anthonyshew in #​11684
• fix: Upgrade fumadocs and shiki in docs to resolve mdast-util-to-hast vulnerability by @​anthonyshew in #​11704
• fix: Replace ts-node with tsx to resolve diff DoS vulnerability by @​anthonyshew in #​11708
• fix: Upgrade bytes to >=1.11.1 to fix RUSTSEC-2026-0007 by @​anthonyshew in #​11715
• chore: Update ratatui dependencies (paste blocked upstream) by @​anthonyshew in #​11717
• Revert "chore: Update ratatui dependencies (paste blocked upstream)" by @​anthonyshew in #​11722
• fix: Upgrade ratatui to 0.30.0 to drop unmaintained paste crate by @​anthonyshew in #​11723
• chore: Upgrade reqwest toward addressing RUSTSEC-2025-0134 by @​anthonyshew in #​11718
• fix(docs): Fix code syntax highlighting by using correct Shiki CSS variable names by @​anthonyshew in #​11726
• fix: Upgrade async-io to 2.x to drop unmaintained instant crate by @​anthonyshew in #​11719
• fix: Migrate from unmaintained serde_yaml to serde_yml by @​anthonyshew in #​11720
• fix: Upgrade test-case and merge to drop unmaintained proc-macro-error by @​anthonyshew in #​11721
• fix: Upgrade indicatif to 0.18.3 to drop unmaintained number_prefix by @​anthonyshew in #​11716
• refactor: Centralize configuration resolution funnel by @​anthonyshew in #​11727
• fix: Upgrade rustls chain to resolve RUSTSEC-2025-0134 by @​anthonyshew in #​11739
• fix: Upgrade test-case to resolve transitive proc-macro-error by @​anthonyshew in #​11737
• fix: Upgrade pest/pest_derive to resolve yanked version by @​anthonyshew in #​11734
• fix: Upgrade git2 to fix RUSTSEC-2026-0008 by @​anthonyshew in #​11729
• fix: Upgrade pprof to fix RUSTSEC-2024-0408 by @​anthonyshew in #​11730
• fix: Upgrade portable-pty to resolve RUSTSEC-2017-0008 by @​anthonyshew in #​11732
• fix: Upgrade oxc_resolver to resolve yanked papaya dependency by @​anthonyshew in #​11733
• fix: Upgrade futures/futures-util to resolve yanked futures-util 0.3.30 by @​anthonyshew in #​11735
• fix: Replace unic-segment with unicode-segmentation in globwatch by @​anthonyshew in #​11736
• fix: Replace serde_yml with serde_yaml_ng to fix RUSTSEC-2025-0067/0068 by @​anthonyshew in #​11755
• fix: Replace oxc_resolver with unrs_resolver to fix yanked papaya dependency by @​anthonyshew in #​11754
• fix: Upgrade node-plop to 0.32.3 by @​anthonyshew in #​11756
• docs: Capitalizaiton in update github-actions.mdx by @​anthonyshew in #​11762

Full Changelog: vercel/turborepo@v2.8.3...v2.8.4

---

Configuration

📅 Schedule: Branch creation - "after 12pm on Friday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview