- Update all non-major dependencies with digest and pinDigest

[blumilk-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@inertiajs/vue3 (source)	^2.0.17 -> ^2.3.18			dependencies	patch
@vue/compiler-sfc (source)	^3.5.26 -> ^3.5.31			dependencies	patch
actions/cache	v4.2.4 -> v4.3.0			action	minor
alpine	3.22.2 -> 3.22.3			stage	patch
appleboy/ssh-action	v1.2.4 -> v1.2.5			action	patch
autoprefixer	^10.4.23 -> ^10.4.27			dependencies	patch
axios (source)	^1.13.2 -> ^1.13.6			dependencies	patch
axllent/mailpit (source)	v1.27 -> v1.29				minor
azuyalabs/yasumi (source)	^2.9.0 -> ^2.10.0			require	patch	2.11.0
barryvdh/laravel-debugbar	^3.16.3 -> ^3.16.5			require-dev	patch
barryvdh/laravel-dompdf	^3.1.1 -> ^3.1.2			require	patch
composer	2.8.12 -> 2.9.5			stage	minor
composer/composer	2.8.12-bin -> 2.9.5-bin			stage	minor
docker/build-push-action	v6.18.0 -> v6.19.2			action	minor
docker/login-action	v3.6.0 -> v3.7.0			action	minor
dompdf/dompdf	^3.1.4 -> ^3.1.5			require	patch
eslint (source)	^9.30.1 -> ^9.39.4			dependencies	patch
inertiajs/inertia-laravel	^2.0.18 -> ^2.0.22			require	patch
laravel/dusk (source)	^8.3.4 -> ^8.3.6			require-dev	patch
laravel/framework (source)	^11.45.3 -> ^11.51.0			require	minor
laravel/sanctum	^4.1.2 -> ^4.3.1			require	patch
laravel/socialite (source)	^5.24.1 -> ^5.24.3			require	patch
laravel/telescope	^5.16.1 -> ^5.19.0			require	minor
laravel/tinker	^2.10.2 -> ^2.11.1			require	patch
lodash (source)	^4.17.21 -> ^4.17.23			dependencies	patch
maatwebsite/excel	^3.1.67 -> ^3.1.68			require	patch
node	22.17.1 -> 22.22.2			uses-with	minor
node	22.17.1-bullseye-slim -> 22.22.2-bullseye-slim			stage	minor
nunomaduro/collision	^8.8.3 -> ^8.9.1			require-dev	patch	8.9.2
php	8.4.16 -> 8.4.19				patch
php	8.4.11 -> 8.4.19				patch
php	-> aa9ca43			final	pinDigest
php	-> aa9ca43			stage	pinDigest
phpunit/phpunit (source)	^11.5.46 -> ^11.5.55			require-dev	patch
postcss (source)	^8.5.6 -> ^8.5.8			dependencies	patch
postgres	a7711af -> c635fa3			service	digest
postgres	a7711af -> c635fa3				digest
selenium/standalone-chrome	57bc98a -> aae9b44				digest
sentry/sentry-laravel (source)	^4.15.3 -> ^4.24.0			require	minor
shivammathur/setup-php	2.36.0 -> 2.37.0			action	minor
spatie/laravel-google-calendar	^3.8.4 -> ^3.8.5			require	patch
spatie/laravel-ignition (source)	^2.9.1 -> ^2.12.0			require-dev	minor
spatie/laravel-model-states	^2.11.3 -> ^2.13.1			require	minor
spatie/laravel-permission	^6.24.0 -> ^6.24.1			require	patch
spatie/laravel-slack-slash-command	^1.12.2 -> ^1.13.0			require	patch
vite (source)	^6.3.5 -> ^6.3.7			dependencies	patch
vue (source)	^3.5.26 -> ^3.5.31			dependencies	patch
xdebug/xdebug	3.4.7 -> 3.5.1				minor

---

Release Notes

inertiajs/inertia (@​inertiajs/vue3)

v2.3.18

Compare Source

What's Changed

• Bump @​sveltejs/kit from 2.53.2 to 2.53.3 by @​dependabot[bot] in #​2919
• Bump multer from 2.0.2 to 2.1.1 by @​dependabot[bot] in #​2923
• [2.x] Remove request from stream on network failure by @​pascalbaljet in #​2948
• Use SharedPageProps in GlobalEventsMap event types by @​hamedelasma in #​2946
• [2.x] fix: include SharedPageProps in createInertiaApp and onSuccess types by @​isaackaara in #​2931
• [2.x] Remove server-renderer dependency from Vue adapter type by @​pascalbaljet in #​2955
• [2.x] fix(types): module augmentation example by @​pascalbaljet in #​2954
• [2.x] fix: always fire flash event regardless of partial reload equality by @​pascalbaljet in #​2953
• fix: skip view transition when document visibility is hidden by @​mortenhauberg in #​2957

New Contributors

• @​hamedelasma made their first contribution in #​2946
• @​mortenhauberg made their first contribution in #​2957

Full Changelog: inertiajs/inertia@v2.3.17...v2.3.18

vuejs/core (@​vue/compiler-sfc)

v3.5.31

Compare Source

Bug Fixes

• compiler-sfc: allow Node.js subpath imports patterns in asset urls (#​13045) (95c3356), closes #​9919
• compiler-sfc: support template literal as defineModel name (#​14622) (bd7eef0), closes #​14621
• reactivity: normalize toRef property keys before dep lookup + improve types (#​14625) (1bb28d0), closes #​12427 #​12431
• runtime-core: invalidate detached v-for memo vnodes after unmount (#​14624) (560def4), closes #​12708 #​12710
• runtime-core: preserve nullish event handlers in mergeProps (#​14550) (5725222)
• runtime-core: prevent merging model listener when value is null or undefined (#​14629) (b39e032)
• runtime-dom: defer teleport mount/update until suspense resolves (#​8619) (88ed045), closes #​8603
• runtime-dom: handle activeElement check in Shadow DOM for v-model (#​14196) (959ded2)
• server-renderer: cleanup component effect scopes after SSR render (#​14548) (862f11e)
• suspense: avoid unmount activeBranch twice if wrapped in transition (#​9392) (908c6ad), closes #​7966
• suspense: update suspense vnode's el during branch self-update (#​12922) (a2c1700), closes #​12920
• transition: skip enter guard while hmr updating (#​14611) (be0a2f1), closes #​14608
• types: prevent shallowReactive marker from leaking into value unions (#​14493) (3b561db), closes #​14490

v3.5.30

Compare Source

Bug Fixes

• compat: add entities to @​vue/compat deps to fix CJS edge cases (#​12514) (e725a67), closes #​10609
• custom-element: ensure child component styles are injected in correct order before parent styles (#​13374) (1398bf8), closes #​13029
• custom-element: properly locate parent when slotted in shadow dom (#​12480) (f06c81a), closes #​12479
• custom-element: should properly patch as props for vue custom elements (#​12409) (740983e), closes #​12408
• reactivity: avoid duplicate raw/proxy entries in Set.add (#​14545) (d943612)
• reactivity: fix reduce on reactive arrays to preserve reactivity (#​12737) (16ef165), closes #​12735
• reactivity: handle Set with initial reactive values edge case (#​12393) (5dc27ca), closes #​8647
• runtime-core: warn about negative number in v-for (#​12308) (9438cc5)
• ssr: prevent watch from firing after async setup await (#​14547) (6cda71d), closes #​14546
• types: make generics with runtime props in defineComponent work (fix #​11374) (#​13119) (cea3cf7), closes #​13763
• types: narrow useAttrs class/style typing for TSX (#​14492) (bbb8977), closes #​14489

actions/cache (actions/cache)

v4.3.0

Compare Source

What's Changed

• Add note on runner versions by @​GhadimiR in #​1642
• Prepare v4.3.0 release by @​Link- in #​1655

New Contributors

• @​GhadimiR made their first contribution in #​1642

Full Changelog: actions/cache@v4...v4.3.0

appleboy/ssh-action (appleboy/ssh-action)

v1.2.5

Compare Source

Changelog

Refactor

• 0ff4204: refactor: streamline output handling for GITHUB_OUTPUT in workflows (#​404) (@​appleboy)

Documentation updates

• 23bd972: docs: update README and assets for new SSH agent workflow (@​appleboy)
• 8e460a2: docs: improve documentation table formatting for output descriptions (@​appleboy)

axllent/mailpit (axllent/mailpit)

v1.29

Security

• Add sandbox attribute to message iframe for extra later of security (already protected via CSP headers)

Feature

• Add option to disable auto-VACUUMing of the SQLite database (#​661)

Chore

• Update Go dependencies
• Update node dependencies

v1.28

Chore

• Increase allowed SMTP email address length to 1024 chars & return clearer SMTP responses for failures (#​620)
• Update Go dependencies
• Update node dependencies

Fix

• Ensure SMTP HELO/EHLO command is issued before MAIL FROM as per RFC 5321 (#​621)
• Prevent nested MAIL command during an active SMTP transaction (#​623)
• Avoid error on image type assertion in thumbnail generation

barryvdh/laravel-dompdf (barryvdh/laravel-dompdf)

v3.1.2

Compare Source

What's Changed

• Fix typo in dompdf.php comment by @​chengkangzai in #​1076
• PHP 8.5 tests by @​erikn69 in #​1079
• Laravel 13.x Compatibility by @​laravel-shift in #​1083

New Contributors

• @​chengkangzai made their first contribution in #​1076

Full Changelog: barryvdh/laravel-dompdf@v3.1.1...v3.1.2

docker/build-push-action (docker/build-push-action)

v6.19.2

Compare Source

• Preserve port in GIT_AUTH_TOKEN host by @​crazy-max in #​1458

Full Changelog: docker/build-push-action@v6.19.1...v6.19.2

v6.19.1

Compare Source

• Derive GIT_AUTH_TOKEN host from GitHub server URL by @​crazy-max in #​1456

Full Changelog: docker/build-push-action@v6.19.0...v6.19.1

v6.19.0

Compare Source

• Scope default git auth token to github.com by @​crazy-max in #​1451
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​1396
• Bump form-data from 2.5.1 to 2.5.5 in #​1391
• Bump js-yaml from 3.14.1 to 3.14.2 in #​1429
• Bump lodash from 4.17.21 to 4.17.23 in #​1446
• Bump tmp from 0.2.3 to 0.2.4 in #​1398
• Bump undici from 5.28.4 to 5.29.0 in #​1397

Full Changelog: docker/build-push-action@v6.18.0...v6.19.0

docker/login-action (docker/login-action)

v3.7.0

Compare Source

• Add scope input to set scopes for the authentication token by @​crazy-max in #​912
• Add support for AWS European Sovereign Cloud ECR by @​dphi in #​914
• Ensure passwords are redacted with registry-auth input by @​crazy-max in #​911
• build(deps): bump lodash from 4.17.21 to 4.17.23 in #​915

Full Changelog: docker/login-action@v3.6.0...v3.7.0

eslint/eslint (eslint)

v9.39.4

Compare Source

Bug Fixes

• f18f6c8 fix: update dependency minimatch to ^3.1.5 (#​20564) (Milos Djermanovic)
• a3c868f fix: update dependency @​eslint/eslintrc to ^3.3.4 (#​20554) (Milos Djermanovic)
• 234d005 fix: minimatch security vulnerability patch for v9.x (#​20549) (Andrej Beles)
• b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#​20538) (루밀LuMir)

Documentation

• 4675152 docs: add deprecation notice partial (#​20520) (Milos Djermanovic)

Chores

• b8b4eb1 chore: update dependencies for ESLint v9.39.4 (#​20596) (Francesco Trotta)
• 71b2f6b chore: package.json update for @​eslint/js release (Jenkins)
• 1d16c2f ci: pin Node.js 25.6.1 (#​20563) (Milos Djermanovic)

inertiajs/inertia-laravel (inertiajs/inertia-laravel)

v2.0.22

Compare Source

What's Changed

• [2.x] Prevent Boost conflict by @​pascalbaljet in #​838
• [2.x] Fix SSR shutdown URL construction by @​pascalbaljet in #​843

Full Changelog: inertiajs/inertia-laravel@v2.0.21...v2.0.22

laravel/framework (laravel/framework)

v11.51.0

Compare Source

• [11.x] schedule:list display expression in the correct timezone by @​xiCO2k in #​59340

v11.50.0

Compare Source

v11.49.0

Compare Source

• [11.x] Fix PHPUnit compatibility by @​crynobone in #​58735
• [11.x] Fix MySQL inRandomOrder default seed regression by @​laraib15 in #​58969
• [11.x] Deduplicate paths in view:cache by @​ganyicz in #​59146
• [11.x] Test Improvements by @​crynobone in #​59248

laravel/telescope (laravel/telescope)

v5.19.0

Compare Source

• Update Symfony console and var-dumper versions to support v8 by @​HichemTab-tech in #​1699
• Fix: Hardcoded config in Service Provider by @​webard in #​1702
• [5.x] Fix workflow YAML syntax and Laravel 13 CSRF test failures by @​JoshSalway in #​1703

SpartnerNL/Laravel-Excel (maatwebsite/excel)

v3.1.68

Compare Source

What's Changed

• Fix: correct Laravel version range from 11.x to 12.x in compatibility by @​ZakAmirou in #​4325
• chore: edited the Run tests badge by @​Olexandr88 in #​4321
• docs: edited the MIT license link by @​Olexandr88 in #​4327
• Add PHP 8.5 to test matrix in CI workflow by @​alexbowers in #​4332
• Fix TSV processing, queued export crashes, and interface parameter consistency by @​imhayatunnabi in #​4330
• feat: Update composer.json for Laravel 13 support by @​chinmaypurav in #​4348

New Contributors

• @​ZakAmirou made their first contribution in #​4325
• @​Olexandr88 made their first contribution in #​4321
• @​imhayatunnabi made their first contribution in #​4330
• @​chinmaypurav made their first contribution in #​4348

Full Changelog: SpartnerNL/Laravel-Excel@3.1.67...3.1.68

actions/node-versions (node)

v22.22.2: 22.22.2

Compare Source

Node.js 22.22.2

v22.22.1: 22.22.1

Compare Source

Node.js 22.22.1

v22.22.0: 22.22.0

Compare Source

Node.js 22.22.0

v22.21.1: 22.21.1

Compare Source

Node.js 22.21.1

v22.21.0: 22.21.0

Compare Source

Node.js 22.21.0

v22.20.0: 22.20.0

Compare Source

Node.js 22.20.0

v22.19.0: 22.19.0

Compare Source

Node.js 22.19.0

v22.18.0: 22.18.0

Compare Source

Node.js 22.18.0

nodejs/node (node)

v22.22.2: 2026-03-24, Version 22.22.2 'Jod' (LTS), @​RafaelGSS prepared by @​aduh95

Compare Source

This is a security release.

Notable Changes

• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) - Medium
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
• (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low

Commits

• [6f14ee5101] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#809
• [52a52ef619] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#822
• [30a3ab11e2] - (CVE-2026-21717) deps: V8: cherry-pick aac14dd (Joyee Cheung) nodejs-private/node-private#809
• [e3f4d6a42e] - (CVE-2026-21717) deps: V8: backport 1361b2a (Joyee Cheung) nodejs-private/node-private#809
• [7dc00fa5f4] - (CVE-2026-21717) deps: V8: backport 185f0fe (Joyee Cheung) nodejs-private/node-private#809
• [076acd052d] - (CVE-2026-21717) deps: V8: backport 0a8b1cd (snek) nodejs-private/node-private#809
• [963c60a951] - deps: V8: override depot_tools version (Richard Lau) #​62344
• [a688117d5d] - deps: upgrade npm to 10.9.7 (npm team) #​62330
• [859c8c761b] - deps: update undici to v6.24.1 (Matteo Collina) #​62285
• [d5ed384a2f] - deps: upgrade npm to 10.9.6 (npm team) #​62215
• [a2fe9fd81a] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [73deff77c1] - lib: backport _tls_common and _tls_wrap refactors (Dario Piotrowicz) #​57643
• [06fc3436f6] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795
• [db48d9c675] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794
• [2a6105a63b] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [91b970886f] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819

v22.22.1: 2026-03-05, Version 22.22.1 'Jod' (LTS)

Compare Source

Notable Changes

• [7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #​59983
• [6063d888fe] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #​60956
• [d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #​61419
• [4f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #​60741
• [b6ebf2cd53] - doc: add avivkeller to collaborators (Aviv Keller) #​61115
• [35854f424d] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #​61094
• [5c6a076e5d] - meta: add Renegade334 to collaborators (Renegade334) #​60714

Commits

• [5f773488c2] - assert: use a set instead of an array for faster lookup (Ruben Bridgewater) #​61076
• [feecbb0eab] - assert,util: fix deep comparison for sets and maps with mixed types (Ruben Bridgewater) #​61388
• [096095b127] - benchmark: add SQLite benchmarks (Guilherme Araújo) #​61401
• [b5fe481415] - benchmark: use boolean options in benchmark tests (SeokhunEom) #​60129
• [fa9faacacb] - benchmark: allow boolean option values (SeokhunEom) #​60129
• [ba8714ac21] - benchmark: fix incorrect base64 input in byteLength benchmark (semimikoh) #​60841
• [53596de876] - benchmark: use typescript for import cjs benchmark (Joyee Cheung) #​60663
• [e8930e9d7c] - benchmark: focus on import.meta intialization in import-meta benchmark (Joyee Cheung) #​60603
• [1155e412b1] - benchmark: add per-suite setup option (Joyee Cheung) #​60574
• [e01903d304] - benchmark: improve cpu.sh for safety

---

Configuration

📅 Schedule: Branch creation - On day 1 of the month, every 3 months ( * * 1 */3 * ) in timezone Europe/Warsaw, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[blumilk-renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: composer.lock

Command failed: composer update azuyalabs/yasumi:2.10.0 barryvdh/laravel-debugbar:3.16.5 barryvdh/laravel-dompdf:3.1.2 dompdf/dompdf:3.1.5 inertiajs/inertia-laravel:2.0.22 laravel/dusk:8.3.6 laravel/framework:11.51.0 laravel/sanctum:4.3.1 laravel/socialite:5.24.3 laravel/telescope:5.19.0 laravel/tinker:2.11.1 maatwebsite/excel:3.1.68 nunomaduro/collision:8.9.1 phpunit/phpunit:11.5.55 sentry/sentry-laravel:4.24.0 spatie/laravel-google-calendar:3.8.5 spatie/laravel-ignition:2.12.0 spatie/laravel-model-states:2.13.1 spatie/laravel-permission:6.24.1 spatie/laravel-slack-slash-command:1.13.0 --with-dependencies --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins --minimal-changes
Loading composer repositories with package information
Dependency guzzlehttp/guzzle is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Dependency mockery/mockery is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires spatie/laravel-model-states ^2.13.1 -> satisfiable by spatie/laravel-model-states[2.13.1].
    - spatie/laravel-model-states 2.13.1 requires illuminate/contracts ^12.0|^13.0 -> found illuminate/contracts[v12.0.0, ..., v12.56.0, v13.0.0, ..., v13.3.0] but these were not loaded, likely because it conflicts with another require.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.