fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@codemirror/view	^6.40.0 → ^6.41.0			dependencies	minor
@playwright/test (source)	^1.58.2 → ^1.59.1			devDependencies	minor
@types/node (source)	^25.5.0 → ^25.5.2			devDependencies	patch
@vue/compiler-sfc (source)	^3.5.31 → ^3.5.32			devDependencies	patch
docker/login-action	v4.0.0 → v4.1.0			action	minor
fuse.js (source)	^7.1.0 → ^7.2.0			dependencies	minor
github.com/andybalholm/brotli	v1.2.0 → v1.2.1			require	patch
google.golang.org/grpc	v1.79.3 → v1.80.0			require	minor
mcr.microsoft.com/playwright	v1.58.2-jammy → v1.59.1-jammy				minor
node	25.8.2-alpine → 25.9.0-alpine			stage	minor
vue (source)	^3.5.31 → ^3.5.32			dependencies	patch

---

Release Notes

codemirror/view (@​codemirror/view)

v6.41.0

Compare Source

Bug fixes

Fix an issue where EditorView.posAtCoords could incorrectly return a position near a higher element on the line, in mixed-font-size lines.

Expand the workaround for the Webkit bug that causes nonexistent selections to stay visible to be active on non-Safari Webkit browsers.

New features

The new EditorView.cursorScrollMargin facet can now be used to configure the extra space used when scrolling the cursor into view.

microsoft/playwright (@​playwright/test)

v1.59.1

Compare Source

v1.59.0

Compare Source

vuejs/core (@​vue/compiler-sfc)

v3.5.32

Compare Source

Bug Fixes

• runtime-core: prevent currentInstance leak into sibling render during async setup re-entry (#​14668) (f166353), closes #​14667
• teleport: handle updates before deferred mount (#​14642) (32b44f1), closes #​14640
• types: allow customRef to have different getter/setter types (#​14639) (e20ddb0)
• types: use private branding for shallowReactive (#​14641) (302c47a), closes #​14638 #​14493

Reverts

• Revert "fix(server-renderer): cleanup component effect scopes after SSR render" (#​14674) (219d83b), closes #​14674 #​14669

docker/login-action (docker/login-action)

v4.1.0

Compare Source

• Fix scoped Docker Hub cleanup path when registry is omitted by @​crazy-max in #​945
• Bump @​aws-sdk/client-ecr and @​aws-sdk/client-ecr-public to 3.1020.0 in #​930
• Bump @​docker/actions-toolkit from 0.77.0 to 0.86.0 in #​932 #​936
• Bump brace-expansion from 1.1.12 to 1.1.13 in #​952
• Bump fast-xml-parser from 5.3.4 to 5.3.6 in #​942
• Bump flatted from 3.3.3 to 3.4.2 in #​944
• Bump glob from 10.3.12 to 10.5.0 in #​940
• Bump handlebars from 4.7.8 to 4.7.9 in #​949
• Bump http-proxy-agent and https-proxy-agent to 8.0.0 in #​937
• Bump lodash from 4.17.23 to 4.18.1 in #​958
• Bump minimatch from 3.1.2 to 3.1.5 in #​941
• Bump picomatch from 4.0.3 to 4.0.4 in #​948
• Bump undici from 6.23.0 to 6.24.1 in #​938

Full Changelog: docker/login-action@v4.0.0...v4.1.0

krisk/Fuse (fuse.js)

v7.2.0

Compare Source

Features

• add Fuse.use() for runtime plugin registration (8546a9b)

Performance

• inline Bitap score computation to reduce object allocation in hot loops (8546a9b)
• batch removeAll for O(n) bulk removes instead of O(n*k) (8546a9b)
• heap-based top-k selection when limit is set (8546a9b)
• cache compiled searcher for repeated queries (8546a9b)

Bug Fixes

• search: deduplicate and merge overlapping match indices (60c393a), closes #​735
• search: preserve original array indices in nested path traversal (a1451be), closes #​786
• types: correct key type in FuseSortFunctionMatch (fecee16), closes #​811
• types: correct keys type in parseIndex parameter (58c7c73), closes #​794

andybalholm/brotli (github.com/andybalholm/brotli)

v1.2.1

Compare Source

grpc/grpc-go (google.golang.org/grpc)

v1.80.0: Release 1.80.0

Compare Source

Behavior Changes

• balancer: log a warning if a balancer is registered with uppercase letters, as balancer names should be lowercase. In a future release, balancer names will be treated as case-insensitive; see #​5288 for details. (#​8837)
• xds: update resource error handling and re-resolution logic (#​8907)
  • Re-resolve all LOGICAL_DNS clusters simultaneously when re-resolution is requested.
  • Fail all in-flight RPCs immediately upon receipt of listener or route resource errors, instead of allowing them to complete.

Bug Fixes

• xds: support the LB policy configured in LOGICAL_DNS cluster resources instead of defaulting to pick_first. (#​8733)
• credentials/tls: perform per-RPC authority validation against the leaf certificate instead of the entire peer certificate chain. (#​8831)
• xds: enabling A76 ring hash endpoint keys no longer causes EDS resources with invalid proxy metadata to be NACKed when HTTP CONNECT (gRFC A86) is disabled. (#​8875)
• xds: validate that the sum of endpoint weights in a locality does not exceed the maximum uint32 value. (#​8899)
  • Special Thanks: @​RAVEYUS
• xds: fix incorrect proto field access in the weighted round robin (WRR) configuration where blackout_period was used instead of weight_expiration_period. (#​8915)
  • Special Thanks: @​gregbarasch
• xds/rbac: handle addresses with ports in IP matchers. (#​8990)

New Features

• ringhash: enable gRFC A76 (endpoint hash keys and request hash headers) by default. (#​8922)

Performance Improvements

• credentials/alts: pool write buffers to reduce memory allocations and usage. (#​8919)
• grpc: enable the use of pooled write buffers for buffering HTTP/2 frame writes by default. This reduces memory usage when connections are idle. Use the WithSharedWriteBuffer dial option or the SharedWriteBuffer server option to disable this feature. (#​8957)
• xds/priority: stop caching child LB policies removed from the configuration. This will help reduce memory and cpu usage when localities are constantly switching between priorities. (#​8997)
• mem: add a faster tiered buffer pool; use the experimental mem.NewBinaryTieredBufferPool function to create such pools. (#​8775)

nodejs/node (node)

v25.9.0: 2026-04-01, Version 25.9.0 (Current), @​aduh95

Compare Source

Notable Changes

Test runner module mocking improvements

MockModuleOptions.defaultExport and MockModuleOptions.namedExports have been
consolidated into a single option MockModuleOptions.exports to align with user
expectations and other test runners.

A default property on MockModuleOptions.exports represents the default
export, and own enumerable properties are treated as named exports.

An automated migration is available to update user code:
https://github.com/nodejs/userland-migrations/tree/main/recipes/mock-module-exports

npx codemod @​nodejs/mock-module-exports

Contributed by sangwook in #​61727.

Other notable changes

• [312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #​61674
• [62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #​58708
• [d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #​62183
• [f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #​62188
• [67b854d407] - (SEMVER-MINOR) repl: remove dependency on node:domain (Matteo Collina) #​61227
• [966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #​62158
• [e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #​62066

Commits

• [312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #​61674
• [bfff8cb2ab] - (SEMVER-MINOR) benchmark: add benchmarks for experimental stream/iter (James M Snell) #​62066
• [c721d68502] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #​62084
• [e2f03c8e92] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #​61871
• [2fcd07f1ba] - build: support empty libname flags in configure.py (Antoine du Hamel) #​62477
• [b800c57fce] - build: fix timezone-update path references (Chengzhong Wu) #​62280
• [7dc5a1e9b4] - build: skip dockit on IBMi (SRAVANI GUNDEPALLI) #​62189
• [f0eea0f905] - build: fix --node-builtin-modules-path (Filip Skokan) #​62115
• [62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #​58708
• [ac4b485698] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #​62485
• [d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #​62183
• [3009980d9d] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #​62254
• [f5725ca81d] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #​62218
• [f69ed4bc3f] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #​61875
• [4d96e53570] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #​62169
• [93d77719e8] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #​62170
• [3d2e23a981] - deps: update ada to 3.4.4 (Node.js GitHub Bot) #​62414
• [176d6d2205] - deps: update timezone to 2026a (Node.js GitHub Bot) #​62164
• [95c7fc67ba] - deps: update googletest to 2461743 (Node.js GitHub Bot) #​62484
• [e5e9f2044a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #​62382
• [905b94266a] - deps: update ngtcp2 to 1.21.0 (Node.js GitHub Bot) #​62051
• [180c150122] - deps: V8: cherry-pick cf1bce4 (Richard Lau) #​62449
• [bc265aa003] - deps: upgrade npm to 11.12.1 (npm team) #​62448
• [f1b28612c4] - deps: V8: cherry-pick b25cd62 (Yagiz Nizipli) #​62354
• [757719d2af] - deps: disable rust icu compiled_data features (Chengzhong Wu) #​62284
• [3bdc955b63] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #​62256
• [a9703d194a] - deps: update googletest to 73a63ea (Node.js GitHub Bot) #​61927
• [85138935cb] - deps: update merve to 1.2.2 (Node.js GitHub Bot) #​62213
• [231521e75e] - diagnostics_channel: add diagnostics channels for web locks (Ilyas Shabi) #​62123
• [0093863664] - doc: deprecate module.register() (DEP0205) (Geoffrey Booth) #​62395
• [0b96ece6be] - doc: clarify that features cannot be both experimental and deprecated (Antoine du Hamel) #​62456
• [8d3ea975f5] - doc: fix 'transfered' typo in quic.md (lilianakatrina684-a11y) #​62492
• [08ff16e0ba] - doc: move sqlite type conversion section to correct level (René) #​62482
• [61cc747dd8] - doc: add Rafael to last security release steward (Rafael Gonzaga) #​62423
• [64cfa5a6fa] - doc: use npm-published version of doc-kit (Aviv Keller) #​62139
• [1020321fb0] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #​62206
• [9caa7855b2] - doc: fix guaranteed typo (lilianakatrina684-a11y) #​62374
• [e254f65306] - doc: enhance clarification about the main field (Mowafak Almahaini) #​62302
• [9e724b53f8] - doc: remove spawn with shell example from bat/cmd section (Kit Dallege) #​62243
• [7f37c17516] - doc: minor typo fix (Jeff Matson) #​62358
• [eb0ca98f01] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #​62355
• [198b6e0932] - doc: deprecate CryptoKey use in node:crypto (Filip Skokan) #​62321
• [17e5aee6c5] - doc: fix small environment_variables typo (chris) #​62279
• [193d629895] - doc: test and test-only targets do not run linter (Xavier Stouder) #​62120
• [4a1f20ec4a] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #​62208
• [f976c9214d] - doc: clarify that any truthy value of shell is part of DEP0190 (Antoine du Hamel) #​62249
• [4d83972681] - doc: remove outdated Chrome 66 and ndb references from debugger (Kit Dallege) #​62202
• [71f2eada5b] - doc: add throwIfNoEntry version history to fs.stat (kovan) #​62204
• [670c80893b] - doc: add note (and caveat) for mock.module about customization hooks (Jacob Smith) #​62075
• [2ff5cb13f5] - doc,test: clarify --eval syntax for leading '-' scripts (kovan) #​62244
• [6c6c9004c4] - esm: fix typo in worker loader hook comment (jakecastelli) #​62475
• [1cdd23c9f3] - esm: fix source phase identity bug in loadCache eviction (Guy Bedford) #​62415
• [4f4ff15794] - esm: fix path normalization in finalizeResolution (Antoine du Hamel) #​62080
• [088167d102] - events: avoid cloning listeners array on every emit (Gürgün Dayıoğlu) #​62261
• [0250b436ee] - fs: fix cpSync to handle non-ASCII characters (Stefan Stojanovic) #​61950
• [b67a8fb171] - inspector: add Target.getTargets and extract TargetManager (Kohei) #​62487
• [ffcc5a5722] - lib: make SubtleCrypto.supports enumerable (Filip Skokan) #​62307
• [92ef2ad8fa] - lib: prefer primordials in SubtleCrypto (Filip Skokan) #​62226
• [40a43ac4d0] - module: fix coverage of mocked CJS modules imported from ESM (Marco) #​62133
• [3ef0a5b90e] - quic: remove CryptoKey support from session keys option (Filip Skokan) #​62335
• [3c8dd8eb8e] - repl: use vm DONT_CONTEXTIFY context (Chengzhong Wu) #​62371
• [f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #​62188
• [e4c164e045] - repl: handle exceptions from async context after close (Anna Henningsen) #​62165
• [67b854d407] - (SEMVER-MINOR) repl: remove dependency on domain module (Matteo Collina) #​61227
• [966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #​62158
• [fe82baf970] - src: improve EC JWK import performance (Filip Skokan) #​62396
• [d490b171e0] - src: handle null backing store in ArrayBufferViewContents::Read (Mert Can Altin) #​62343
• [0e4af848bc] - src: convert context_frame field in AsyncWrap to internal field (Anna Henningsen) #​62103
• [02980b8c8f] - src: enable compilation/linking with OpenSSL 4.0 (Filip Skokan) #​62410
• [064f7c2fa6] - src: use stack allocation in indexOf latin1 path (Mert Can Altin) #​62268
• [ede52bc2dc] - src,sqlite: fix filterFunc dangling reference (Edy Silva) #​62281
• [e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #​62066
• [03839fb087] - stream: preserve error over AbortError in pipeline (Marco) #​62113
• [0000d2f011] - stream: replace bind with arrow function for onwrite callback (Ali Hassan) #​62087
• [3796a73719] - test: update WPT for WebCryptoAPI to 2cb332d (Node.js GitHub Bot) #​62483
• [ad8309415b] - test: update WPT for url to fc3e651 (Node.js GitHub Bot) #​62379
• [bed89b037e] - test: wait for reattach before initial break on restart (Yuya Inoue) #​62471
• [c9ffffcc55] - test: disable flaky WPT Blob test on AIX (James M Snell) #​62470
• [fd41ef31f6] - (SEMVER-MINOR) test: add tests for experimental stream/iter implementation (James M Snell) #​62066
• [1b9d8d3eec] - test: avoid flaky run wait in debugger restart test (Yuya Inoue) #​62112
• [cb08a29d51] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #​62238
• [abea0af8a9] - test: add WebCrypto Promise.prototype.then pollution regression tests (Filip Skokan) #​62226
• [47a2132269] - test: update WPT for WebCryptoAPI to 6a1c545 (Node.js GitHub Bot) #​62187
• [2c63d3006c] - test_runner: add exports option for module mocks (sangwook) #​61727
• [44ac0e1302] - test_runner: make it compatible with fake timers (Matteo Collina) #​59272
• [1865691275] - test_runner: set non-zero exit code when suite errors occur (Edy Silva) #​62282
• [0252b2bab8] - tools: bump picomatch from 4.0.3 to 4.0.4 in /tools/eslint (dependabot[bot]) #​62439
• [3368155267] - tools: bump yaml from 2.8.2 to 2.8.3 in /tools/doc (dependabot[bot]) #​62437
• [5e47c359f5] - tools: adopt the --check-for-duplicates NCU flag (Antoine du Hamel) #​62478
• [4a604e82d0] - tools: bump picomatch in /tools/doc (dependabot[bot]) #​62438
• [d1a98b4ddb] - tools: bump flatted from 3.4.1 to 3.4.2 in /tools/eslint (dependabot[bot]) #​62375
• [c32daa1ab4] - tools: bump eslint deps (Huáng Jùnliàng) #​62356
• [7a2fcc6d41] - tools: do not swallow error in lint-nix workflow (Antoine du Hamel) #​62292
• [c41a2871b5] - tools: add eslint-plugin-regexp (Huáng Jùnliàng) #​62093
• [56dfeb06df] - tools: fix timeout errors in lint-nix job (Antoine du Hamel) #​62265
• [22fc8078e8] - tools: bump flatted from 3.3.3 to 3.4.1 in /tools/eslint (dependabot[bot]) #​62255
• [409b0663bd] - tools: bump undici from 6.23.0 to 6.24.1 in /tools/doc (dependabot[bot]) #​62250
• [67c69750f4] - tools: validate all commits that are pushed to main (Antoine du Hamel) #​62246
• [7d9db8cd21] - tools: keep GN files when updating Merve (Antoine du Hamel) #​62167
• [6c8fa42ba2] - typings: rationalise TypedArray types (René) #​62174
• [531c64d04e] - url: enable simdutf for ada (Yagiz Nizipli) #​61477
• [2000caccde] - util: allow color aliases in styleText (sangwook) #​62180
• [0aed332ab4] - wasm: support js string constant esm import (Guy Bedford) #​62198
• [d3fd4a978b] - worker: heap profile optimizations (Ilyas Shabi) #​62201
• [e992a34a18] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #​62325

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
google.golang.org/genproto/googleapis/rpc	v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20260120221211-b8f7ae30c516