fix(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@keyv/compress-brotli	1.1.4 → 1.1.6			devDependencies	patch
@keyv/sqlite	3.6.5 → 3.6.7			devDependencies	patch
@keyv/test-suite	1.9.2 → 1.9.5			devDependencies	patch
@metamask/eth-sig-util	7.0.1 → 7.0.3			devDependencies	patch
@types/debug (source)	4.1.8 → 4.1.13			devDependencies	patch
@types/eslint (source)	8.56.12 → 9.6.1			devDependencies	patch
@types/events (source)	3.0.0 → 3.0.3			devDependencies	patch
@types/express (source)	4.17.17 → 4.17.25			devDependencies	patch
@types/express (source)	4.17.21 → 4.17.25			devDependencies	patch
@types/inquirer (source)	9.0.3 → 9.0.9			devDependencies	patch
@types/inquirer-autocomplete-prompt (source)	3.0.0 → 3.0.3			devDependencies	patch
@types/jest (source)	29.5.12 → 29.5.14			devDependencies	patch
@types/json-buffer (source)	3.0.0 → 3.0.2			devDependencies	patch
@types/passport (source)	1.0.12 → 1.0.17			devDependencies	patch
@types/passport-http-bearer (source)	1.0.37 → 1.0.42			devDependencies	patch
@types/qrcode-terminal (source)	0.12.0 → 0.12.2			devDependencies	patch
@types/react (source)	18.3.12 → 18.3.29			devDependencies	patch
@types/react (source)	19.0.8 → 19.2.15			resolutions	minor
@types/react-dom (source)	18.3.1 → 18.3.7			devDependencies	patch
@types/url-parse (source)	1.4.8 → 1.4.11			devDependencies	patch
@​types/uuid	9.0.2 → 9.0.8			devDependencies	patch
actions/cache	v5.0.1 → v5.0.5			action	patch
actions/checkout	v6.0.1 → v6.0.2			action	patch
actions/setup-node	v6.2.0 → v6.4.0			action	minor
caip	1.1.0 → 1.1.1			devDependencies	patch
codecov/codecov-action	v5.5.2 → v5.5.4			action	patch
github/codeql-action	v4.31.10 → v4.35.5			action	minor
keyv	4.5.3 → 4.5.4			devDependencies	patch
nock	14.0.10 → 14.0.15			devDependencies	patch
passport (source)	^0.6.0 → ^0.7.0			dependencies	minor
pnpm/action-setup	v4.2.0 → v4.4.0			action	minor
postgres	16.0 → 16.14			service	minor
react (source)	19.0.0 → 19.2.6			dependencies	minor
react-dom (source)	19.0.0 → 19.2.6			dependencies	minor
rimraf	5.0.5 → 5.0.10			devDependencies	patch
ts-jest (source)	29.4.1 → 29.4.10			devDependencies	patch
ts-json-schema-generator	1.5.0 → 1.5.1			devDependencies	patch
typeorm (source)	0.3.20 → 0.3.30			devDependencies	patch
uint8arrays	5.1.0 → 5.1.1			devDependencies	patch

---

Release Notes

MetaMask/eth-sig-util (@​metamask/eth-sig-util)

v7.0.3

Compare Source

Changed

• Bump @metamask/abi-utils to ^2.0.4 (#​381)
• Bump @metamask/utils from ^9.0.0 (#​381)

v7.0.2

Compare Source

Fixed

• Replace dependency tweetnacl-util with @scure/base (#​358)

actions/cache (actions/cache)

v5.0.5

Compare Source

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in #​1747

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

Compare Source

v5.0.3

Compare Source

What's Changed

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

Full Changelog: actions/cache@v5...v5.0.3

v5.0.2

Compare Source

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

actions/setup-node (actions/setup-node)

v6.4.0

Compare Source

v6.3.0

Compare Source

What's Changed

Enhancements:

• Support parsing devEngines field by @​susnux in #​1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

• Fix npm audit issues by @​gowridurgad in #​1491
• Replace uuid with crypto.randomUUID() by @​trivikr in #​1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​1498

Bug fixes:

• Remove hardcoded bearer for mirror-url @​marco-ippolito in #​1467
• Scope test lockfiles by package manager and update cache tests by @​gowridurgad in #​1495

New Contributors

• @​susnux made their first contribution in #​1283

Full Changelog: actions/setup-node@v6...v6.3.0

pedrouid/caip-js (caip)

v1.1.1

Compare Source

codecov/codecov-action (codecov/codecov-action)

v5.5.4

Compare Source

This is a mirror of v5.5.2. v6 will be released which requires node24

What's Changed

• Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0" by @​thomasrockhu-codecov in #​1926
• chore(release): 5.5.4 by @​thomasrockhu-codecov in #​1927

Full Changelog: codecov/codecov-action@v5.5.3...v5.5.4

v5.5.3

Compare Source

What's Changed

• build(deps): bump actions/github-script from 7.0.1 to 8.0.0 by @​dependabot[bot] in #​1874
• chore(release): bump to 5.5.3 by @​thomasrockhu-codecov in #​1922

Full Changelog: codecov/codecov-action@v5.5.2...v5.5.3

github/codeql-action (github/codeql-action)

v4.35.5

Compare Source

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #​3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #​3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #​3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #​3880

v4.35.4

Compare Source

• Update default CodeQL bundle version to 2.25.4. #​3881

v4.35.3

Compare Source

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #​3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #​3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #​3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #​3852
• Update default CodeQL bundle version to 2.25.3. #​3865

v4.35.2

Compare Source

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #​3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #​3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #​3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #​3807
• Update default CodeQL bundle version to 2.25.2. #​3823

v4.35.1

Compare Source

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #​3781

v4.35.0

Compare Source

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #​3767
• Update default CodeQL bundle version to 2.25.1. #​3773

v4.34.1

Compare Source

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #​3762

v4.34.0

Compare Source

• Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #​3569
• We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #​3584
• Update default CodeQL bundle version to 2.25.0. #​3585

v4.33.0

Compare Source

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #​3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #​3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #​3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #​3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #​3564

• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #​3570

v4.32.6

Compare Source

• Update default CodeQL bundle version to 2.24.3. #​3548

v4.32.5

Compare Source

• Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #​3507
• Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #​3487
• The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #​3515
• Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #​3516
• Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #​3498
• Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #​3512
• The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #​3503, #​3504

v4.32.4

Compare Source

• Update default CodeQL bundle version to 2.24.2. #​3493
• Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #​3473
• When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #​3486
• Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #​3485
• Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #​3484

v4.32.3

Compare Source

• Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #​3466

v4.32.2

Compare Source

v4.32.1

Compare Source

• A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #​3422
• Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #​3421

v4.32.0

Compare Source

• Update default CodeQL bundle version to 2.24.0. #​3425

v4.31.11

Compare Source

• When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #​3409
• Improved error handling throughout the CodeQL Action. #​3415
• Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #​3318
• The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #​3403

nock/nock (nock)

v14.0.15

Compare Source

Bug Fixes

• Revert "fix(backport): apply body delay before the response end" (#​2973) (de5450c), closes #​2969

v14.0.14

Compare Source

Bug Fixes

• backport: apply body delay before the response end (#​2969) (215cd2a)

v14.0.13

Compare Source

v14.0.12

Compare Source

Bug Fixes

• prevent crash when query params have conflicting dot-notation keys (#​2958) (7ea9933)

v14.0.11

Compare Source

Bug Fixes

• migrate to npm OIDC (#​2940) (113dcac)
• restore github actions write permissions (#​2941) (a4cb6b8)
• update @mswjs/interceptors to fix a memory leak (#​2938) (025db76)
• upgrade semantic-release (#​2943) (db0b280)

jaredhanson/passport (passport)

v0.7.0

Compare Source

Changed

• Set req.authInfo by default when using the assignProperty option to
  authenticate() middleware. This makes the behavior the same as when not using
  the option, and can be disabled by setting authInfo option to false.

pnpm/action-setup (pnpm/action-setup)

v4.4.0

Compare Source

Updated the action to use Node.js 24.

v4.3.0

Compare Source

What's Changed

• docs: fix the run_install example in the Readme by @​dreyks in #​175
• chore: remove unused @types/node-fetch dependency by @​silverwind in #​186
• Clarify that package_json_file is relative to GITHUB_WORKSPACE by @​chris-martin in #​184
• feat: store caching by @​jrmajor in #​188
• refactor: remove star imports by @​KSXGitHub in #​196
• fix(ci): exclude macos by @​KSXGitHub in #​197

New Contributors

• @​dreyks made their first contribution in #​175
• @​silverwind made their first contribution in #​186
• @​chris-martin made their first contribution in #​184
• @​jrmajor made their first contribution in #​188
• @​Boosted-Bonobo made their first contribution in #​199

Full Changelog: pnpm/action-setup@v4.2.0...v4.3.0

facebook/react (react)

v19.2.6: 19.2.6 (May 6th, 2026)

Compare Source

React Server Components

• Type hardening and performance improvements
  (by @​eps1lon and @​unstubbable)

v19.2.5: 19.2.5 (April 8th, 2026)

Compare Source

React Server Components

• Add more cycle protections (#​36236 by @​eps1lon and @​unstubbable)

v19.2.4: 19.2.4 (January 26th, 2026)

Compare Source

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#​35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

v19.2.3: 19.2.3 (December 11th, 2025)

Compare Source

React Server Components

• Add extra loop protection to React Server Functions (@​sebmarkbage #​35351)

v19.2.2: 19.2.2 (December 11th, 2025)

Compare Source

React Server Components

• Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@​eps1lon #​35290)
• Patch Promise cycles and toString on Server Functions (@​sebmarkbage, @​unstubbable #​35289)

v19.2.1: 19.2.1 (December 3rd, 2025)

Compare Source

React Server Components

• Bring React Server Component fixes to Server Actions (@​sebmarkbage #​35277)

v19.2.0

Compare Source

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

• Added resume APIs for partial pre-rendering with Web Streams:
  • resume: to resume a prerender to a stream.
  • resumeAndPrerender: to resume a prerender to HTML.
• Added resume APIs for partial pre-rendering with Node Streams:
  • resumeToPipeableStream: to resume a prerender to a stream.
  • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
• Use underscore instead of : IDs generated by useId

All Changes

React

• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #​33507)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #​34198)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #​32821)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #​34376)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #​33055)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #​32900)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #​34145)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #​33629, [#&Adding daf-react-native-libsodium #82

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

packages/credential-ld                   | [WARN] The field "resolutions" was found in /tmp/renovate/repos/github/decentralized-identity/veramo/packages/credential-ld/package.json. This will not take effect. You should configure "resolutions" at the root of the workspace instead.
packages/did-provider-key                | [WARN] The field "resolutions" was found in /tmp/renovate/repos/github/decentralized-identity/veramo/packages/did-provider-key/package.json. This will not take effect. You should configure "resolutions" at the root of the workspace instead.
packages/did-provider-peer               | [WARN] The field "resolutions" was found in /tmp/renovate/repos/github/decentralized-identity/veramo/packages/did-provider-peer/package.json. This will not take effect. You should configure "resolutions" at the root of the workspace instead.
Scope: all 36 workspace projects
? Verifying lockfile against supply-chain policies (2563 entries)...
✓ Lockfile passes supply-chain policies (2563 entries in 23.7s)
Progress: resolved 1, reused 0, downloaded 0, added 0
.                                        | [WARN] deprecated uuid@9.0.1
packages/cli                             | [WARN] deprecated @types/node-fetch@3.0.3
Progress: resolved 89, reused 0, downloaded 0, added 0
Packages are hard linked from the content-addressable store to the virtual store.
  Content-addressable store is at: /runner/cache/others/pnpm/store/v11
  Virtual store is at:             node_modules/.pnpm
[WARN] The git-hosted package fetched from "https://codeload.github.com/uport-project/EcdsaSecp256k1RecoverySignature2020/tar.gz/ab0db52de6f4e6663ef271a48009ba26e688ef9b" has to be built but the build scripts were ignored.
packages/data-store-json                 | [WARN] deprecated @ungap/structured-clone@1.3.0
Progress: resolved 104, reused 0, downloaded 1, added 0
Progress: resolved 109, reused 0, downloaded 1, added 0
packages/kv-store                        | [WARN] deprecated eslint@8.57.1
Progress: resolved 120, reused 0, downloaded 1, added 0
Progress: resolved 134, reused 0, downloaded 1, added 0
Progress: resolved 152, reused 0, downloaded 1, added 0
Progress: resolved 154, reused 0, downloaded 1, added 0
Progress: resolved 403, reused 0, downloaded 1, added 0
Progress: resolved 514, reused 0, downloaded 1, added 0
Progress: resolved 697, reused 0, downloaded 1, added 0
[WARN] The git-hosted package fetched from "https://codeload.github.com/digitalcredentials/jsonld.js/tar.gz/14357f7a1181ae769ecc50fee9303468f17665ff" has to be built but the build scripts were ignored.
/tmp/renovate/repos/github/decentralized-identity/veramo/packages/credential-ld:
[ERR_PNPM_EXOTIC_SUBDEP] Exotic dependency "jsonld" (resolved via git-repository) is not allowed in subdependencies when blockExoticSubdeps is enabled

This error happened while installing the dependencies of @digitalcredentials/vc@7.0.0