chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@apollo/server (source)	5.3.0 → 5.4.0			devDependencies	minor
@apollo/server-integration-testsuite (source)	5.3.0 → 5.4.0			devDependencies	minor
@changesets/changelog-github (source)	0.5.2 → 0.6.0			devDependencies	minor
@changesets/cli (source)	2.29.8 → 2.30.0			devDependencies	minor
@types/node (source)	20.19.30 → 20.19.37			devDependencies	patch
@typescript-eslint/eslint-plugin (source)	8.53.1 → 8.56.1			devDependencies	minor
@typescript-eslint/parser (source)	8.53.1 → 8.56.1			devDependencies	minor
cspell (source)	9.6.0 → 9.7.0			devDependencies	minor
eslint (source)	9.39.2 → 9.39.4			devDependencies	patch
node (source)	22.22.0 → 22.22.1			volta	patch
npm (source)	11.8.0 → 11.11.0			volta	minor

---

Release Notes

apollographql/apollo-server (@​apollo/server)

v5.4.0

Compare Source

Minor Changes

• d25a5bd Thanks @​phryneas! - ⚠️ SECURITY @apollo/server/standalone:

  The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

  In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE).
  Any other character set will be rejected with a 415 Unsupported Media Type error.
  Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8.
  Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now.
  In a future major release, we may tighten this restriction further to only allow UTF-8.

  If you were not using startStandaloneServer, you were not affected by this vulnerability.

  Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server.
  For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

apollographql/apollo-server (@​apollo/server-integration-testsuite)

v5.4.0

Compare Source

Patch Changes

• Updated dependencies [d25a5bd]:
  • @​apollo/server@​5.4.0

changesets/changesets (@​changesets/changelog-github)

v0.6.0

Compare Source

Minor Changes

• #​1850 fd0bc2e Thanks @​mixelburg! - Linkify issue references in changelog entries.

Patch Changes

• #​1810 27fd8f4 Thanks @​hirasso! - Replace deprecated String.prototype.trimRight with String.prototype.trimEnd

• Updated dependencies [d4b8ad8, e462d89]:

  • @​changesets/get-github-info@​0.8.0

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.56.1

Compare Source

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.56.0

Compare Source

🚀 Features

• support ESLint v10 (#​12057)

🩹 Fixes

• use parser options from context.languageOptions (#​12043)

❤️ Thank You

• Brad Zacher @​bradzacher
• fnx @​DMartens
• Joshua Chen

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.55.0

Compare Source

🚀 Features

• utils: deprecate defaultOptions in favor of meta.defaultOptions (#​11992)

🩹 Fixes

• eslint-plugin: [no-useless-default-assignment] reduce param index to ts this handling (#​11949)
• eslint-plugin: [no-useless-default-assignment] report unnecessary defaults in ternary expressions (#​11984)
• eslint-plugin: [no-useless-default-assignment] require strictNullChecks (#​11966, #​12000)
• eslint-plugin: [no-unused-vars] remove trailing newline when removing entire import (#​11990)

❤️ Thank You

• Christian Rose @​chrros95
• Josh Goldberg
• Maria Solano @​MariaSolOs
• Minyeong Kim @​minyeong981
• SungHyun627 @​SungHyun627
• Yukihiro Hasegawa @​y-hsgw

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.54.0

Compare Source

🚀 Features

• eslint-plugin-internal: add prefer-tsutils-methods rule (#​11974, #​11625)
• typescript-estree: add shortcut methods to ParserServicesWithTypeInformation (#​11965, #​11955)

🩹 Fixes

• eslint-plugin: [no-unnecessary-type-assertion] check both base constraint and actual type for non-null assertions (#​11967, #​11559)
• deps: update dependency prettier to v3.8.0 (#​11991)
• scope-manager: fix catch clause scopes def.name (#​11982)
• eslint-plugin: [no-unused-private-class-members] private destructured class member is defined but used (#​11785)

❤️ Thank You

• Brad Zacher @​bradzacher
• Josh Goldberg
• MinJae @​Ju-MINJAE
• Minyeong Kim @​minyeong981
• overlookmotel
• Yuya Yoshioka @​YuyaYoshioka
• 김현수 @​Kimsoo0119

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.56.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.56.0

Compare Source

🚀 Features

• support ESLint v10 (#​12057)

❤️ Thank You

• Brad Zacher @​bradzacher
• Joshua Chen

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.55.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.54.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

streetsidesoftware/cspell (cspell)

v9.7.0

Compare Source

Features

feat: Substitution Part 4 - enable substitutions during document check (#​8630)

feat: Substitution Part 4 - enable substitutions during document check (#​8630)

v9.6.4

Compare Source

Fixes

fix: add --no-dictionary option to lint command (#​8514)

fix: add --no-dictionary option to lint command (#​8514)

v9.6.3

Compare Source

Fixes

fix: Add `engines` setting (#​8491)

fix: Add engines setting (#​8491)

v9.6.2

Compare Source

Fixes

fix: Conditionally compress and build bTrie (#​8437)

fix: Conditionally compress and build bTrie (#​8437)

v9.6.1

Compare Source

Fixes

fix: Move performance monitoring into its own package (#​8431)

fix: Move performance monitoring into its own package (#​8431)

eslint/eslint (eslint)

v9.39.4

Compare Source

Bug Fixes

• f18f6c8 fix: update dependency minimatch to ^3.1.5 (#​20564) (Milos Djermanovic)
• a3c868f fix: update dependency @​eslint/eslintrc to ^3.3.4 (#​20554) (Milos Djermanovic)
• 234d005 fix: minimatch security vulnerability patch for v9.x (#​20549) (Andrej Beles)
• b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#​20538) (루밀LuMir)

Documentation

• 4675152 docs: add deprecation notice partial (#​20520) (Milos Djermanovic)

Chores

• b8b4eb1 chore: update dependencies for ESLint v9.39.4 (#​20596) (Francesco Trotta)
• 71b2f6b chore: package.json update for @​eslint/js release (Jenkins)
• 1d16c2f ci: pin Node.js 25.6.1 (#​20563) (Milos Djermanovic)

v9.39.3

Compare Source

Bug Fixes

• 791bf8d fix: restore TypeScript 4.0 compatibility in types (#​20504) (sethamus)

Chores

• 8594a43 chore: upgrade @​eslint/js@​9.39.3 (#​20529) (Milos Djermanovic)
• 9ceef92 chore: package.json update for @​eslint/js release (Jenkins)
• af498c6 chore: ignore /docs/v9.x in link checker (#​20453) (Milos Djermanovic)

nodejs/node (node)

v22.22.1: 2026-03-05, Version 22.22.1 'Jod' (LTS)

Compare Source

Notable Changes

• [7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #​59983
• [6063d888fe] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #​60956
• [d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #​61419
• [4f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #​60741
• [b6ebf2cd53] - doc: add avivkeller to collaborators (Aviv Keller) #​61115
• [35854f424d] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #​61094
• [5c6a076e5d] - meta: add Renegade334 to collaborators (Renegade334) #​60714

Commits

• [5f773488c2] - assert: use a set instead of an array for faster lookup (Ruben Bridgewater) #​61076
• [feecbb0eab] - assert,util: fix deep comparison for sets and maps with mixed types (Ruben Bridgewater) #​61388
• [096095b127] - benchmark: add SQLite benchmarks (Guilherme Araújo) #​61401
• [b5fe481415] - benchmark: use boolean options in benchmark tests (SeokhunEom) #​60129
• [fa9faacacb] - benchmark: allow boolean option values (SeokhunEom) #​60129
• [ba8714ac21] - benchmark: fix incorrect base64 input in byteLength benchmark (semimikoh) #​60841
• [53596de876] - benchmark: use typescript for import cjs benchmark (Joyee Cheung) #​60663
• [e8930e9d7c] - benchmark: focus on import.meta intialization in import-meta benchmark (Joyee Cheung) #​60603
• [1155e412b1] - benchmark: add per-suite setup option (Joyee Cheung) #​60574
• [e01903d304] - benchmark: improve cpu.sh for safety and usability (Nam Yooseong) #​60162
• [623a405747] - benchmark: add benchmark for leaf source text modules (Joyee Cheung) #​60205
• [7f5e7b9f7f] - benchmark: add microbench on isInsideNodeModules (Chengzhong Wu) #​60991
• [db132b85a8] - bootstrap: initialize http proxy after user module loader setup (Joyee Cheung) #​58938
• [66aab9f987] - buffer: let Buffer.of use heap (Сковорода Никита Андреевич) #​60503
• [c3cf00c671] - buffer: speed up concat via TypedArray#set (Gürgün Dayıoğlu) #​60399
• [f6fad231e9] - build: skip sscache action on non-main branches (Joyee Cheung) #​61790
• [2145f91f6b] - build: update android-patches/trap-handler.h.patch (Mo Luo) #​60369
• [5b49759dd8] - build: update devcontainer.json to use paired nix env (Joyee Cheung) #​61414
• [24724cde40] - build: fix misplaced comma in ldflags (hqzing) #​61294
• [c57a19934e] - build: fix crate vendor file checksums on windows (Chengzhong Wu) #​61329
• [8659d7cd07] - build: fix inconsistent quoting in Makefile (Antoine du Hamel) #​60511
• [44f339b315] - build: remove temporal updater (Chengzhong Wu) #​61151
• [d60a6cebd5] - build: update test-wpt-report to use NODE instead of OUT_NODE (Filip Skokan) #​61024
• [34ccf187f5] - build: skip build-ci on actions with a separate test step (Chengzhong Wu) #​61073
• [7b19e101a2] - build: run embedtest with node_g when BUILDTYPE=Debug (Chengzhong Wu) #​60850
• [9408c4459f] - build: upgrade Python linter ruff, add rules ASYNC,PERF (Christian Clauss) #​59984
• [2166ec7f0f] - build: use call command when calling python configure (Jacob Nichols) #​60098
• [73ef70145d] - build: remove V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE defs (Joyee Cheung) #​60296
• [7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #​59983
• [508ce6ec6c] - build, src: fix include paths for vtune files (Rahul) #​59999
• [c89d3cd570] - build,tools: fix addon build deadlock on errors (Vladimir Morozov) #​61321
• [40904a0591] - build,win: update WinGet configurations to Python 3.14 (Mike McCready) #​61431
• [6d6742e7db] - child_process: treat ipc length header as unsigned uint32 (Ryuhei Shima) #​61344
• [6063d888fe] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #​60956
• [3d324a0f88] - cluster: fix port reuse between cluster (Ryuhei Shima) #​60141
• [40a58709b4] - console: optimize single-string logging (Gürgün Dayıoğlu) #​60422
• [d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #​61419
• [4f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #​60741
• [a87499ae25] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #​60662
• [8c65cc11e2] - crypto: update root certificates to NSS 3.116 (Node.js GitHub Bot) #​59956
• [91dc00a2c1] - debugger: fix event listener leak in the run command (Joyee Cheung) #​60464
• [0781bd3764] - deps: V8: backport 6a0a25a (Vivian Wang) #​61688
• [0cf1f9c3e9] - deps: update googletest to 8508785 (Node.js GitHub Bot) #​61417
• [521b4b1f07] - deps: update sqlite to 3.51.2 (Node.js GitHub Bot) #​61339
• [58b9d219a3] - deps: update icu to 78.2 (Node.js GitHub Bot) #​60523
• [cbc1e4306d] - deps: update zlib to 1.3.1-e00f703 (Node.js GitHub Bot) #​61135
• [db59c35ed8] - deps: update cjs-module-lexer to 2.2.0 (Node.js GitHub Bot) #​61271
• [c18518ee3c] - deps: update nbytes to 0.1.2 (Node.js GitHub Bot) #​61270
• [376df62d63] - deps: update timezone to 2025c (Node.js GitHub Bot) #​61138
• [993e905302] - deps: update simdjson to 4.2.4 (Node.js GitHub Bot) #​61056
• [b72fd2a5d3] - deps: update googletest to 065127f (Node.js GitHub Bot) #​61055
• [d765147405] - deps: update sqlite to 3.51.1 (Node.js GitHub Bot) #​60899
• [37abe2a7d2] - deps: update zlib to 1.3.1-63d7e16 (Node.js GitHub Bot) #​60898
• [97241fcb86] - deps: update sqlite to 3.51.0 (Node.js GitHub Bot) #​60614
• [3669c7b4f4] - deps: update simdjson to 4.2.2 (Node.js GitHub Bot) #​60740
• [9a056ec89c] - deps: update googletest to 1b96fa1 (Node.js GitHub Bot) #​60739
• [b5803b3ea0] - deps: update minimatch to 10.1.1 (Node.js GitHub Bot) #​60543
• [5bf99f3d46] - deps: update cjs-module-lexer to 2.1.1 (Node.js GitHub Bot) #​60646
• [801f187357] - deps: update simdjson to 4.2.1 (Node.js GitHub Bot) #​60644
• [03c16e5a4c] - deps: update simdjson to 4.1.0 (Node.js GitHub Bot) #​60542
• [2ebfc2ca56] - deps: update amaro to 1.1.5 (Node.js GitHub Bot) #​60541
• [d24ba4fed6] - deps: update simdjson to 4.0.7 (Node.js GitHub Bot) #​59883
• [9480a139bf] - deps: update googletest to 279f847 (Node.js GitHub Bot) #​60219
• [635e67379e] - deps: update archs files for openssl-3.5.5 (Node.js GitHub Bot) #​61547
• [c7b774047d] - deps: upgrade openssl sources to openssl-3.5.5 (Node.js GitHub Bot) #​61547
• [5b324d7d7f] - deps: update corepack to 0.34.6 (Node.js GitHub Bot) #​61510
• [eef8ba0667] - deps: update corepack to 0.34.5 (Node.js GitHub Bot) #​60842
• [490f7c7fb1] - deps: update corepack to 0.34.4 (Node.js GitHub Bot) #​60643
• [66903ea3b3] - deps: update corepack to 0.34.2 (Node.js GitHub Bot) #​60550
• [a2f0b69282] - deps: update corepack to 0.34.1 (Node.js GitHub Bot) #​60314
• [c8044a48a6] - deps: V8: backport 2e4c5cf (Michaël Zasso) #​60654
• [642f518198] - doc: supported toolchain with Visual Studio 2022 only (Mike McCready) #​61451
• [625f674487] - doc: move Security-Team from TSC to SECURITY (Rafael Gonzaga) #​61495
• [029e32f8ba] - doc: added requestOCSP option to tls.connect (ikeyan) #​61064
• [68e33dfa89] - doc: restore @​ChALkeR to collaborators (Сковорода Никита Андреевич) #​61553
• [e016770d62] - doc: update IBM/Red Hat volunteers with dedicated project time (Beth Griggs) #​61588
• [ec63954657] - doc: mention constructor comparison in assert.deepStrictEqual (Hamza Kargin) #​60253
• [c8e1563a98] - doc: add CVE delay mention (Rafael Gonzaga) #​61465
• [4b00cf2b54] - doc: include OpenJSF handle for security stewards (Rafael Gonzaga) #​61454
• [4b73bf5bc8] - doc: clarify process.argv[1] behavior for -e/--eval (Jeevankumar S) #​61366
• [d3151df4b3] - doc: remove Windows Dev Home instructions from BUILDING (Mike McCready) #​61434
• [2323462e35] - doc: clarify TypedArray properties on Buffer (Roman Reiss) #​61355
• [6c5478c8b2] - doc: note resume build should not be done on node-test-commit (Stewart X Addison) #​61373
• [ba4a043103] - doc: refine WebAssembly error documentation (sangwook) #​61382
• [cd315ea589] - doc: add deprecation history for url.parse (Eng Zer Jun) #​61389
• [42db0c392d] - doc: add marco and rafael in last sec release (Marco Ippolito) #​61383
• [4c3b680fc7] - doc: packages: example of private import switch to internal (coderaiser) #​61343
• [684d15e421] - doc: add esm and cjs examples to node:v8 (Alfredo González) #​61328
• [c3f9c7a7d9] - doc: added 'secure' event to tls.TLSSocket (ikeyan) #​61066
• [aa9acad5ca] - doc: restore @​watilde to collaborators (Daijiro Wachi) #​61350
• [9cafec084e] - doc: run license-builder (github-actions[bot]) #​61348
• [cdb12ccbc6] - doc: document ALPNCallback option for TLSSocket constructor (ikeyan) #​61331
• [461c5e65c5] - doc: update MDN links (Livia Medeiros) #​61062
• [dde45baeab] - doc: add documentation for process.traceProcessWarnings (Alireza Ebrahimkhani) #​53641
• [59a7aeec92] - doc: fix filename typo (Hardanish Singh) #​61297
• [9a0a40d1ed] - doc: fix typos and grammar in BUILDING.md & onboarding.md (Hardanish Singh) #​61267
• [dca7005f9d] - doc: mention --newVersion release script (Rafael Gonzaga) #​61255
• [c0dc8ddf85] - doc: correct typo in api contributing doc (Mike McCready) #​61260
• [066af38fe1] - doc: add PR-URL requirement for security backports (Rafael Gonzaga) #​61256
• [71dd46bd0c] - doc: add reusePort error behavior to net module (mag123c) #​61250
• [f6abe3ba33] - doc: note corepack package removal in distribution doc (Mike McCready) #​61207
• [9059d49d8c] - doc: fix tls.connect() timeout documentation (Azad Gupta) #​61079
• [e7b34b76b0] - doc: missing passed, error and passed properties on TestContext (Xavier Stouder) #​61185
• [9ae2dcfbb6] - doc: clarify threat model for application-level API exposure (Rafael Gonzaga) #​61184
• [9902331a7c] - doc: correct options for net.Socket class and socket.connect (Xavier Stouder) #​61179
• [a80122d2fe] - doc: document error event on readline InterfaceConstructor (Xavier Stouder) #​61170
• [38d73c9cfa] - doc: add a smooth scrolling effect to the sidebar (btea) #​59007
• [95c51fa984] - doc: correct invalid collaborator profile (JJ) #​61091
• [f5a044763c] - doc: exclude compile-time flag features from security policy (Matteo Collina) #​61109
• [b6ebf2cd53] - doc: add @​avivkeller to collaborators (Aviv Keller) #​61115
• [35854f424d] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #​61094
• [4932322c29] - doc: add File modes cross-references in fs methods (Mohit Raj Saxena) #​60286
• [c84904e047] - doc: add missing zstd to mjs example of zlib (Deokjin Kim) #​60915
• [e615b9e2f2] - doc: clarify fileURLToPath security considerations (Rafael Gonzaga) #​60887
• [99e384e6d4] - doc: replace column with columnNumber in example of util.getCallSites (Deokjin Kim) #​60881
• [9351bb4d02] - doc: correct spelling in BUILDING.md (Rich Trott) #​60875
• [e1f6e7fc4d] - doc: update debuglog examples to use 'foo-bar' instead of 'foo' (xiaoyao) #​60867
• [ccbb2d7300] - doc: fix typos in changelogs (Rich Trott) #​60855
• [1cb2fe8b35] - doc: mark module.register as active development (Chengzhong Wu) #​60849
• [ceeb4968a6] - doc: add fullName property to SuiteContext (PaulyBearCoding) #​60762
• [56155909dd] - doc: keep sidebar module visible when navigating docs (Botato) #​60410
• [6b637763d5] - doc: correct concurrency wording in test() documentation (Azad Gupta) #​60773
• [7183e8ffa1] - doc: clarify that CQ only picks up PRs targeting main (René) #​60731
• [d5d94303be] - doc: clarify license section and add contributor note (KaleruMadhu) #​60590
• [e0210c8f53] - doc: correct tls ALPNProtocols types (René) #​60143
• [eff87b498a] - doc: remove mention of SMS 2FA (Antoine du Hamel) #​60707
• [e77ef94a51] - doc: domain.add() does not accept timer objects (René) #​60675
• [4fe19c95ea] - doc: update Collaborators list to reflect hybrist handle change (Antoine du Hamel) #​60650
• [eece59b6ce] - doc: fix linter issues (Antoine du Hamel) #​60636
• [6e17e596e4] - doc: correct values/references for buffer.kMaxLength (René) #​60305
• [ac327ae9a7] - doc: recommend events.once to manage 'close' event (Dan Fabulich) #​60017
• [d9b149ea42] - doc: highlight module loading difference between import and require (Ajay A) #​59815
• [f6d62cb22c] - doc: fix typo in process.unref documentation (우혁) #​59698
• [6d5078b196] - doc: add some entries to glossary.md (Mohataseem Khan) #​59277
• [b0a5820dea] - doc: improve agent.createConnection docs for http and https agents (JaeHo Jang) #​58205
• [b5db02fe67] - doc: fix pseudo code in modules.md (chirsz) #​57677
• [e9b912d481] - doc: add missing variable in code snippet (Koushil Mankali) #​55478
• [44c06c7812] - doc: add missing word in single-executable-applications.md (Konstantin Tsabolov) #​53864
• [482b43f160] - doc: fix typo in http.md (Michael Solomon) #​59354
• [cd323bc718] - doc: update devcontainer.json and add documentation (Joyee Cheung) #​60472
• [[c7c70f3a16](https://redirect.github.com/n

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 7c4ddba

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR