fix(deps): update all non-major dependencies (minor)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@shikijs/transformers (source)	3.21.0 → 3.23.0
@types/node (source)	25.0.10 → 25.3.2
@vercel/functions (source)	3.3.6 → 3.4.3
dotenv	17.2.3 → 17.3.1
jotai	2.16.2 → 2.18.0
motion	12.29.2 → 12.34.3
pnpm (source)	10.27.0 → 10.30.3
postcss-js	5.0.3 → 5.1.0
shiki (source)	3.21.0 → 3.23.0
tailwind-merge	3.4.0 → 3.5.0
tailwindcss (source)	4.1.18 → 4.2.1
tsdown (source)	0.14.0 → 0.14.2

---

Release Notes

shikijs/shiki (@​shikijs/transformers)

v3.23.0

Compare Source

   🚀 Features

• Update grammar and themes  -  by @​antfu (9b4ca)
• cli:
  • Add stdin support and list commands  -  by @​Divyapahuja31 and DIVYA PAHUJA in #​1241 (213f1)
• transformers:
  • Add 'leading' position to transformerRenderWhitespace  -  by @​Divyapahuja31 and DIVYA PAHUJA in #​1236 (49cbb)
  • Add support for [!code info] notation  -  by @​Divyapahuja31 and DIVYA PAHUJA in #​1237 (cd2a6)

   🐞 Bug Fixes

• Add declare modifier to top level declarations in .d.ts  -  by @​KazariEX in #​1242 (142d5)
• cli: Normalize language/extension casing for CLI inputs  -  by @​Nandann018-ux and @​antfu in #​1245 (4bea1)

    View changes on GitHub

v3.22.0

Compare Source

   🚀 Features

• Update grammar and themes  -  by @​antfu (40676)

    View changes on GitHub

vercel/vercel (@​vercel/functions)

v3.4.3

Compare Source

Patch Changes

• [functions] Revert "[functions] URL encode cache tags" (#​15213)

v3.4.2

Compare Source

Patch Changes

• Updated dependencies [3760ea1e97fdc45dae36c64138023e1b1a075467]:
  • @​vercel/oidc@​3.2.0

v3.4.1

Compare Source

Patch Changes

• Fix InMemoryCache to use JSON serialization for consistency with RuntimeCache (#​14751)

  InMemoryCache now serializes values with JSON.stringify() on set and deserializes with JSON.parse() on get, matching the behavior of RuntimeCache. This ensures consistent behavior when switching between cache implementations (e.g., in-memory for development, remote for production), particularly for types that don't survive JSON round-trips like Date, Map, Set, and undefined.

v3.4.0

Compare Source

Minor Changes

• Fix cache tags to be URL encoded before being sent to the cache API. Tags containing special characters (spaces, commas, ampersands, etc.) are now properly encoded using encodeURIComponent. This (#​14749)
  ensures tags like "my tag" or "category,item" are correctly handled when setting cache entries or expiring tags.

motdotla/dotenv (dotenv)

v17.3.1

Compare Source

Changed

• Fix as2 example command in README and update spanish README

v17.3.0

Compare Source

Added

• Add a new README section on dotenv’s approach to the agentic future.

Changed

• Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.

v17.2.4

Compare Source

Changed

• Make DotenvPopulateInput accept NodeJS.ProcessEnv type (#​915)

• Give back to dotenv by checking out my newest project vestauth. It is auth for agents. Thank you for using my software.

pmndrs/jotai (jotai)

v2.18.0

Compare Source

We moved jotai/babel to jotai-babel.

Migration Guide

If you use the preset:

  {
-   "presets": ["jotai/babel/preset"]
+   "presets": ["jotai-babel/preset"]
  }

If you use a plugin:

  {
-   "plugins": ["jotai/babel/plugin-debug-label"]
+   "plugins": ["jotai-babel/plugin-debug-label"]
  }

What's Changed

• refactor(internals): simplify promise handing by @​dai-shi in #​3232
• feat: deprecate jotai/babel in favor of jotai-babel by @​dai-shi in #​3236
• fix: keep reactivity if get is called in a different atom by @​dai-shi in #​3241

New Contributors

• @​pavan-sh made their first contribution in #​3238

Full Changelog: pmndrs/jotai@v2.17.1...v2.18.0

v2.17.1

Compare Source

Small typing improvements. If you are using v2.16 or earlier, we recommend upgrading to the latest version.

What's Changed

• fix(core/types): Wrong variance on the WritableAtom Result type parameter by @​atomanyih in #​3135
• chore: leftover with #​3219 by @​dai-shi in #​3231

New Contributors

• @​atomanyih made their first contribution in #​3135

Full Changelog: pmndrs/jotai@v2.17.0...v2.17.1

v2.17.0

Compare Source

This release deprecates some features, which will be dropped in v3.

What's Changed

• deprecate loadable util by @​dai-shi in #​3217
• breaking: remove unstable_onInit by @​dai-shi in #​3219
• deprecate setSelf in the atom read function by @​dai-shi in #​3220

Full Changelog: pmndrs/jotai@v2.16.2...v2.17.0

motiondivision/motion (motion)

v12.34.3

Compare Source

Fixed

• Ensure velocity is never transferred to a time-derived spring.

v12.34.2

Compare Source

Fixed

• Layout animations: Reset motion value velocity when starting a new layout animation.

v12.34.1

Compare Source

Fixed

• useScroll: Ensure animations aren't hardware accelerated when target is set.
• Improve animatable "none" generation for mask values.

v12.34.0

Compare Source

Fixed

• useScroll: Hardware accelerated animations.

v12.33.2

Compare Source

Fixed

• Improve detection of detached elements with vanilla layout animations.

v12.33.0

Compare Source

Added

• <motion />: New propagate.tap prop prevents tap gestures from propagating to parents.

v12.32.0

Compare Source

Added

• transition.inherit: When true, inherit transition values from less-specific transitions.

v12.31.3

Compare Source

Fixed

• <motion />: Ensure animation state is reset after being re-suspended.
• Prevent stale values when mixing transitionEnd and transition.type: false.
• Drag: Fix "sticky" throw velocity on initial interaciton.
• Drag: Ensure catching a thrown element kills its velocity.

v12.31.2

Compare Source

Fixed

• onHoverStart and onHoverEnd first argument now correctly typed as PointerEvent.
• whileHover: No longer persists after drag end.
• AnimatePresence: Allow changing mode prop.

v12.31.1

Compare Source

Added

• Drag constraints updated even when draggable or constraints resize outside of React renders.

v12.31.0

Compare Source

Added

• animate: Support for bi-directional callbacks within animation sequences.

Fixed

• Ensure onPan never fires before onPanStart.

v12.30.1

Compare Source

Fixed

• Allow drag to be initiated by child a and button elements.

v12.30.0

Compare Source

Added

• MotionConfig: Add skipAnimations option.

Fixed

• animate: Prevent error when calling stop() on removed elements.
• animateLayout: Fixing shared element animations when animate called before animateLayout.

v12.29.3

Compare Source

Fixed

• Reorder: Fixed viewport autoscroll.

pnpm/pnpm (pnpm)

v10.30.3

Compare Source

v10.30.2

Compare Source

v10.30.1: pnpm 10.30.1

Compare Source

Patch Changes

• Use the /-/npm/v1/security/audits/quick endpoint as the primary audit endpoint, falling back to /-/npm/v1/security/audits when it fails #​10649.

Platinum Sponsors

Gold Sponsors

v10.30.0: pnpm 10.30

Compare Source

Minor Changes

• pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.

Patch Changes

• Revert pnpm why dependency pruning to prefer correctness over memory consumption. Reverted PR: #​7122.
• Optimize pnpm why and pnpm list performance in workspaces with many importers by sharing the dependency graph and materialization cache across all importers instead of rebuilding them independently for each one #​10596.

Platinum Sponsors

Gold Sponsors

v10.29.3

Compare Source

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

• Security fix: prevent path traversal in directories.bin field.

• When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

  This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

  Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

• Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Gold Sponsors

v10.28.1

Compare Source

v10.28.0

Compare Source

postcss/postcss-js (postcss-js)

v5.1.0

Compare Source

• Added types (by @​hyperz111 and @​MysteryBlokHed).

dcastil/tailwind-merge (tailwind-merge)

v3.5.0

Compare Source

New Features

• Add support for Tailwind CSS v4.2 by @​dcastil in #​651

Full Changelog: dcastil/tailwind-merge@v3.4.1...v3.5.0

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph and more via @​thnxdev for sponsoring tailwind-merge! ❤️

v3.4.1

Compare Source

Bug Fixes

• Prevent arbitrary font-family and font-weight from merging by @​roneymoon in #​635

Full Changelog: dcastil/tailwind-merge@v3.4.0...v3.4.1

Thanks to @​brandonmcconnell, @​manavm1990, @​langy, @​roboflow, @​syntaxfm, @​getsentry, @​codecov, a private sponsor, @​block, @​openclaw, @​sourcegraph and more via @​thnxdev for sponsoring tailwind-merge! ❤️

tailwindlabs/tailwindcss (tailwindcss)

v4.2.1

Compare Source

Fixed

• Allow trailing dash in functional utility names for backwards compatibility (#​19696)
• Properly detect classes containing . characters within curly braces in MDX files (#​19711)

v4.2.0

Compare Source

Added

• Add mauve, olive, mist, and taupe color palettes to the default theme (#​19627)
• Add @tailwindcss/webpack package to run Tailwind CSS as a webpack plugin (#​19610)
• Add pbs-* and pbe-* utilities for padding-block-start and padding-block-end (#​19601)
• Add mbs-* and mbe-* utilities for margin-block-start and margin-block-end (#​19601)
• Add scroll-pbs-* and scroll-pbe-* utilities for scroll-padding-block-start and scroll-padding-block-end (#​19601)
• Add scroll-mbs-* and scroll-mbe-* utilities for scroll-margin-block-start and scroll-margin-block-end (#​19601)
• Add border-bs-* and border-be-* utilities for border-block-start and border-block-end (#​19601)
• Add inline-*, min-inline-*, max-inline-* utilities for inline-size, min-inline-size, and max-inline-size (#​19612)
• Add block-*, min-block-*, max-block-* utilities for block-size, min-block-size, and max-block-size (#​19612)
• Add inset-s-*, inset-e-*, inset-bs-*, inset-be-* utilities for inset-inline-start, inset-inline-end, inset-block-start, and inset-block-end (#​19613)
• Add font-features-* utility for font-feature-settings (#​19623)

Fixed

• Prevent double @supports wrapper for color-mix values (#​19450)
• Allow whitespace around @source inline() argument (#​19461)
• Emit comment when source maps are saved to files when using @tailwindcss/cli (#​19447)
• Detect utilities containing capital letters followed by numbers (#​19465)
• Fix class extraction for Rails' strict locals (#​19525)
• Align @utility name validation with Oxide scanner rules (#​19524)
• Fix infinite loop when using @variant inside @custom-variant (#​19633)
• Allow multiples of .25 in aspect-* fractions (e.g. aspect-8.5/11) (#​19688)
• Ensure changes to external files listed via @source trigger a full page reload when using @tailwindcss/vite (#​19670)
• Improve performance of Oxide scanner in bigger projects by reducing file system walks (#​19632)
• Ensure import aliases in Astro v5 work without crashing when using @tailwindcss/vite (#​19677)
• Allow escape characters in @utility names to improve support with formatters such as Biome (#​19626)
• Fix incorrect canonicalization results when canonicalizing multiple times (#​19675)
• Add .jj to default ignored content directories (#​19687)

Deprecated

• Deprecate start-* and end-* utilities in favor of inset-s-* and inset-e-* utilities (#​19613)

rolldown/tsdown (tsdown)

v0.14.2

Compare Source

   🚀 Features

• Enable dts if exports.types exists  -  by @​ronantakizawa and @​sxzz in #​440 (98eb1)
• Support rolldown 1.0.0-beta.34  -  by @​9romise and @​sxzz in #​458 (a25d7)
• migrate: Detect indentation of package.json  -  by @​Cherry in #​438 (d40e9)

    View changes on GitHub

v0.14.1

Compare Source

   🐞 Bug Fixes

• Remove expandDirectories  -  by @​Debbl in #​427 (fb2d1)

    View changes on GitHub

v0.14.0

Compare Source

   🚨 Breaking Changes

• Disable expandDirectories for matching fast-glob's behavior  -  by @​sxzz (8171b)

    View changes on GitHub

v0.13.5

Compare Source

   🐞 Bug Fixes

• Use latest rolldown  -  by @​sxzz (8ae72)

    View changes on GitHub

v0.13.4

Compare Source

   🚀 Features

• Add failOnWarn option  -  by @​Gugustinette in #​411 (d7d49)
• Add cjsDefault option  -  by @​sxzz (f503f)

   🐞 Bug Fixes

• Suppress mixed export warnings if cjsDefault is enabled  -  by @​sxzz (3ffa9)

    View changes on GitHub

v0.13.3

Compare Source

   🚨 Minor Breaking Changes

• dts.build option should be enable manually for tsc -b  -  by @​sxzz (13146)

   🚀 Features

• Add logLevel & customLogger option  -  by @​sxzz (724d1)
• Add warnOnce to logger  -  by @​sxzz (eb4fb)
• Allow regex for ignoreWatch  -  by @​sxzz (91f9f)
• Warn user if config includes cjs format  -  by @​Gugustinette and @​sxzz in #​403 (bd42e)

   🐞 Bug Fixes

• Resolve ignoreWatch  -  by @​sxzz (d0e31)

    View changes on GitHub

v0.13.2

Compare Source

   🚨 Upstream Breaking Changes

• Rename dts.isolatedDeclarations to dts.oxc  -  by @​sxzz (5bdb9)

   🚀 Features

• Support silent as programmatic usage  -  by @​Gugustinette and @​sxzz in #​404 (6d4b4)

   🐞 Bug Fixes

• Invalidate tsc before rebuild  -  by @​sxzz (0c7ab)
• Silent for resolved options  -  by @​sxzz [(4566c)](https://redirect.github.c

---

Configuration

📅 Schedule: Branch creation - "after 9pm,before 9am" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
shiro	Error		Mar 1, 2026 9:53pm