chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@iconify-json/lucide	^1.2.85 → ^1.2.89
@nuxt/eslint-config (source)	^1.12.1 → ^1.14.0
@nuxt/ui (source)	^4.3.0 → ^4.4.0
@​nuxtlabs/monarch-mdc	^0.8.1 → ^0.9.0
@shikijs/core (source)	^3.21.0 → ^3.22.0
@shikijs/langs (source)	^3.21.0 → ^3.22.0
@shikijs/themes (source)	^3.21.0 → ^3.22.0
@shikijs/transformers (source)	^3.21.0 → ^3.22.0
@types/node (source)	^25.0.8 → ^25.2.2
@vue/compiler-core (source)	^3.5.26 → ^3.5.27
mkdist	2.3.0 → 2.4.1
pnpm (source)	10.28.0 → 10.29.1
release-it	^19.2.3 → ^19.2.4
shiki (source)	^3.21.0 → ^3.22.0
unist-util-visit	^5.0.0 → ^5.1.0
vitest (source)	^4.0.17 → ^4.0.18
vue-tsc (source)	^3.2.2 → ^3.2.4

---

Release Notes

nuxt/eslint (@​nuxt/eslint-config)

v1.14.0

Compare Source

   🚀 Features

• eslint-config: Add no-page-meta-runtime-values  -  by @​danielroe in #​641 (b74a0)

    View changes on GitHub

v1.13.0

Compare Source

   🚀 Features

• Upgrade eslint-flat-config-utils eslint-plugin-import-lite and eslint-plugin-jsdoc  -  by @​antfu (10bf9)

    View changes on GitHub

nuxt/ui (@​nuxt/ui)

v4.4.0

Compare Source

Features

• Calendar: add weekNumbers prop (#​4555) (7a1a71b)
• ChangelogVersions: handle scroll options in indicator prop (#​5257) (6a925cd)
• CommandPalette/InputMenu/SelectMenu/Tree: handle virtualizer estimateSize as function (#​5748) (d51b424)
• CommandPalette: add input prop (#​5736) (12052e8)
• CommandPalette: add size prop (#​5878) (3ae04c6)
• components: add by prop (#​5906) (36cd5e5)
• components: add valueKey prop (#​5905) (55646ea)
• Editor: add placeholder.mode prop (d90acb3), closes #​5785
• Editor: add size prop in menus (#​5889) (571d50d)
• Editor: add taskList handler (#​5837) (db04197)
• Editor: add support for code inside links (2ed2d5d)
• Editor: handle boolean in image and mention props (b6fa83a), closes #​5820
• EditorMentionMenu: handle async search with ignoreFilter prop (#​5880) (f8d1883)
• InputMenu/Select/SelectMenu: expose viewportRef for infinite scroll (#​5836) (f4a945c)
• InputMenu/SelectMenu: add clear prop (#​5643) (ec6b8ec)
• Link: support custom navigate function in vue (#​5860) (f51e58a)
• ProseTd/ProseTh: handle align prop (859390e), closes #​5795
• Timeline/Stepper: add wrapper slot and fix dynamic slot conditions (#​5868) (8610d4d)
• Timeline: add select event (#​5826) (8e431be)

Bug Fixes

• Banner: isolate banner visibility using per-instance CSS variables (#​5751) (c7332eb)
• Banner: prevent XSS via id prop injection (4e334a0)
• CommandPalette/ContextMenu/DropdownMenu: keyboard selection on link items (3f5bdb3)
• CommandPalette: prevent XSS in search highlight (e12ceb6)
• ContentSurround: align next link to right on tablet without prev (#​5833) (b3adccc)
• defineShortcuts: check shift modifier for special character shortcuts (bd344d7), closes #​5911
• Editor: set contentType when updating value (c37d6f7), closes #​5709
• Editor: support all heading levels by default (3046c3e)
• EditorToolbar: prevent onClick from being called twice on items (cbed0cc), closes #​5784
• EditorToolbar: prevent disabled dropdown when items have no kind (d473f63)
• Error/Main: render as main instead of div (6ccb1f5)
• FileUpload: emit null when clearing file (#​5892) (1d9a2fd)
• FileUpload: keep input visible when preview is disabled with multiple files (597ac29), closes #​5875
• locale: improve cs and sk terminology for correct inflection (#​5789) (af6f288)
• module: only override primary color and md size default variants (f422de8)
• ProseCodeTree: prevent infinite update loop with expandAll prop (c79cb77), closes #​5828
• useOverlay: refine close event argument extraction (#​5775) (182af20)

shikijs/shiki (@​shikijs/core)

v3.22.0

Compare Source

   🚀 Features

• Update grammar and themes  -  by @​antfu (40676)

    View changes on GitHub

vuejs/core (@​vue/compiler-core)

v3.5.27

Compare Source

Bug Fixes

• compile-sfc: correctly handle variable shadowing in for loop for defineProps destructuring. (#​14296) (6a1bb50), closes #​14294
• compiler-sfc: handle indexed access types in declare global blocks (#​14260) (e4091fe), closes #​14236
• compiler-sfc: use correct scope when resolving indexed access types from external files (#​14297) (f0f0a21), closes #​14292
• reactivity: collection iteration should inherit iterator instance methods (#​12644) (3c8b2fc), closes #​12615
• runtime-core: skip patching reserved props for custom elements (#​14275) (19cc7e2), closes #​14274
• server-renderer: use ssrRenderClass helper for className attribute (#​14327) (a4708f3)
• ssr: handle v-bind modifiers during render attrs (#​14263) (c2f5964), closes #​14262

unjs/mkdist (mkdist)

v2.4.1

Compare Source

compare changes

🩹 Fixes

• Consider extension when deduping outputs (f4424fe)

❤️ Contributors

• Daniel Roe (@​danielroe)

v2.4.0

Compare Source

compare changes

🚀 Enhancements

• dts: Emit .d.vue.ts as type declaration of .vue files (#​301)

🤖 CI

• Test against previous lts verison (946852b)
• Remove install of corepack (73894e6)
• Bump setup/checkout action versions (8a909da)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Teages (@​Teages)

pnpm/pnpm (pnpm)

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

• Security fix: prevent path traversal in directories.bin field.

• When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

  This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

  Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

• Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Gold Sponsors

v10.28.1

Compare Source

release-it/release-it (release-it)

v19.2.4

Compare Source

• chore: update dependencies to resolve security vulnerabilities (#​1273) (b45dd1a) - thanks @​Yeom-JinHo!
• Update a few dev deps (cd8acdc)

syntax-tree/unist-util-visit (unist-util-visit)

v5.1.0

Compare Source

Types

• 8607d64 Refactor to use @imports
• efbed8a Add declaration maps
• 639c0e5 Fix type support for readonly arrays
  by @​JounQin in #​40

Full Changelog: syntax-tree/unist-util-visit@5.0.0...5.1.0

vitest-dev/vitest (vitest)

v4.0.18

Compare Source

   🚀 Experimental Features

• experimental: Add onModuleRunner hook to worker.init  -  by @​sheremet-va in #​9286 (ea837)

   🐞 Bug Fixes

• Use meta.url in createRequire  -  by @​sheremet-va in #​9441 (e0572)
• browser: Hide injected data-testid attributes  -  by @​sheremet-va in #​9503 (f8989)
• ui: Process artifact attachments when generating HTML reporter  -  by @​macarie in #​9472 (22543)

    View changes on GitHub

vuejs/language-tools (vue-tsc)

v3.2.4

Compare Source

language-core

• feat: place plugin configs under ctx.config and support type annotation via generics (#​5944) - Thanks to @​KazariEX!

workspace

• chore: publish to npm with OIDC (#​5912) - Thanks to @​ghiscoding!

v3.2.3

Compare Source

language-core

• feat: support configuration for language plugins (#​5678) - Thanks to @​KazariEX!
• fix: avoid defineModel breaking ast in lang="js" (#​5935) - Thanks to @​KazariEX!
• fix: infer object keys as string if it does not extend string (#​5933) - Thanks to @​serkodev!

typescript-plugin

• feat: correct rename behavior on same name shorthands in template (#​5907) - Thanks to @​KazariEX!
• fix: only forward quick info for original results without tags (#​5938) - Thanks to @​KazariEX!

vscode

• fix: correct indent for <style> and <script> tags (#​5925) - Thanks to @​serkodev!

---

Configuration

📅 Schedule: Branch creation - "on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[nuxthub-admin]

✅ Deployed mdc

Deployed mdc 54ec0f8 to preview

🔗	renovate-all-minor-patch.mdc-btm.pages.dev
📌	9fffff52.mdc-btm.pages.dev
📱	View QR Code

📋 View deployment logs

[pkg-pr-new]

npm i https://pkg.pr.new/@nuxtjs/mdc@369

commit: e364b9e