fix(deps): update all major dependencies (major)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@types/archiver (source)	^6.0.3 → ^8.0.0			devDependencies	major
@types/node (source)	^22.18.7 → ^24.0.0			devDependencies	major
@types/node (source)	^22.19.17 → ^24.0.0			devDependencies	major
@types/react (source)	^18.3.24 → ^19.0.0			devDependencies	major
actions/checkout	v4 → v7			action	major
actions/github-script	v7 → v9			action	major
actions/setup-node	v4 → v6			action	major
archiver	^7.0.1 → ^8.0.0			dependencies	major
dotenv	^16.6.1 → ^17.0.0			devDependencies	major
glob	^11.1.0 → ^13.0.0			devDependencies	major
globals	^16.5.0 → ^17.0.0			devDependencies	major
lucide-react (source)	^0.577.0 → ^1.0.0			dependencies	major
node (source)	22.22.2 → 24.17.0				major
open	^10.2.0 → ^11.0.0			dependencies	major
p-limit	^6.2.0 → ^7.0.0			dependencies	major
pnpm (source)	10.33.0 → 11.8.0			packageManager	major
pnpm/action-setup	v4 → v6			action	major
react (source)	^18.3.1 → ^19.0.0			devDependencies	major
react-day-picker (source)	^9.11.1 → ^10.0.0			dependencies	major
react-dom (source)	^18.3.1 → ^19.0.0			devDependencies	major
typescript (source)	^5.9.3 → ^6.0.0			pnpm.catalog.default	major
typescript (source)	^5.0.0 → ^5.0.0 || ^6.0.0			peerDependencies	major

---

Release Notes

actions/checkout (actions/checkout)

v7.0.0

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

v7

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

• Add worktree support for persist-credentials includeIf by @​ericsciple in #​2327

v6.0.0

Compare Source

• Persist creds to a separate file by @​ericsciple in #​2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in #​2248

v6

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

v5.0.1

Compare Source

• Port v6 cleanup to v5 by @​ericsciple in #​2301

v5.0.0

Compare Source

• Update actions checkout to use node 24 by @​salmanmkc in #​2226

v5

Compare Source

• Port v6 cleanup to v5 by @​ericsciple in #​2301

actions/github-script (actions/github-script)

v9.0.0

Compare Source

New features:

• getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
• Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

• require('@​actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@​actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@​actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
• getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
• If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

• Add ACTIONS_ORCHESTRATION_ID to user-agent string by @​Copilot in #​695
• ci: use deployment: false for integration test environments by @​salmanmkc in #​712
• feat!: add getOctokit to script context, upgrade @​actions/github v9, @​octokit/core v7, and related packages by @​salmanmkc in #​700

New Contributors

• @​Copilot made their first contribution in #​695

Full Changelog: actions/github-script@v8.0.0...v9.0.0

v9

Compare Source

v8.0.0

Compare Source

v8: .0.0

Compare Source

What's Changed

• Update Node.js version support to 24.x by @​salmanmkc in #​637
• README for updating actions/github-script from v7 to v8 by @​sneha-krip in #​653

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

New Contributors

• @​salmanmkc made their first contribution in #​637
• @​sneha-krip made their first contribution in #​653

Full Changelog: actions/github-script@v7.1.0...v8.0.0

actions/setup-node (actions/setup-node)

v6.4.0

Compare Source

What's Changed

Dependency updates:

• Upgrade @​actions dependencies by @​Copilot in #​1525
• Update Node.js versions in versions.yml and bump package to v6.4.0 by @​priya-kinthali in #​1533

New Contributors

• @​Copilot made their first contribution in #​1525

Full Changelog: actions/setup-node@v6...v6.4.0

v6.3.0

Compare Source

What's Changed

Enhancements:

• Support parsing devEngines field by @​susnux in #​1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

• Fix npm audit issues by @​gowridurgad in #​1491
• Replace uuid with crypto.randomUUID() by @​trivikr in #​1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​1498

Bug fixes:

• Remove hardcoded bearer for mirror-url @​marco-ippolito in #​1467
• Scope test lockfiles by package manager and update cache tests by @​gowridurgad in #​1495

New Contributors

• @​susnux made their first contribution in #​1283

Full Changelog: actions/setup-node@v6...v6.3.0

v6.2.0

Compare Source

What's Changed

Documentation

• Documentation update related to absence of Lockfile by @​mahabaleshwars in #​1454
• Correct mirror option typos by @​MikeMcC399 in #​1442
• Readme update on checkout version v6 by @​deining in #​1446
• Readme typo fixes @​munyari in #​1226
• Advanced document update on checkout version v6 by @​aparnajyothi-y in #​1468

Dependency updates:

• Upgrade @​actions/cache to v5.0.1 by @​salmanmkc in #​1449

New Contributors

• @​mahabaleshwars made their first contribution in #​1454
• @​MikeMcC399 made their first contribution in #​1442
• @​deining made their first contribution in #​1446
• @​munyari made their first contribution in #​1226

Full Changelog: actions/setup-node@v6...v6.2.0

v6.1.0

Compare Source

What's Changed

Enhancement:

• Remove always-auth configuration handling by @​priyagupta108 in #​1436

Dependency updates:

• Upgrade @​actions/cache from 4.0.3 to 4.1.0 by @​dependabot[bot] in #​1384
• Upgrade actions/checkout from 5 to 6 by @​dependabot[bot] in #​1439
• Upgrade js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in #​1435

Documentation update:

• Add example for restore-only cache in documentation by @​aparnajyothi-y in #​1419

Full Changelog: actions/setup-node@v6...v6.1.0

v6.0.0

Compare Source

What's Changed

Breaking Changes

• Limit automatic caching to npm, update workflows and documentation by @​priyagupta108 in #​1374

Dependency Upgrades

• Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by @​dependabot[bot] in #​1336
• Upgrade prettier from 2.8.8 to 3.6.2 by @​dependabot[bot] in #​1334
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot[bot] in #​1362

Full Changelog: actions/setup-node@v5...v6.0.0

v6

Compare Source

v5.0.0

Compare Source

What's Changed

Breaking Changes

• Enhance caching in setup-node with automatic package manager detection by @​priya-kinthali in #​1348

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless.
To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

• Upgrade action to use node24 by @​salmanmkc in #​1325

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

• Upgrade @​octokit/request-error and @​actions/github by @​dependabot[bot] in #​1227
• Upgrade uuid from 9.0.1 to 11.1.0 by @​dependabot[bot] in #​1273
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in #​1295
• Upgrade form-data to bring in fix for critical vulnerability by @​gowridurgad in #​1332
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in #​1345

New Contributors

• @​priya-kinthali made their first contribution in #​1348
• @​salmanmkc made their first contribution in #​1325

Full Changelog: actions/setup-node@v4...v5.0.0

v5

Compare Source

archiverjs/node-archiver (archiver)

v8.0.0

Compare Source

What’s changed

Breaking changes

• esm: node v18+ required @​ctalkington (#​790)

Maintenance

• Update actions/checkout action to v4.1.6 @​renovate[bot] (#​758)
• Update actions/checkout action to v4.1.7 @​renovate[bot] (#​767)
• Update actions/setup-node action to v4.0.3 @​renovate[bot] (#​775)
• Update actions/checkout action to v4.2.1 @​renovate[bot] (#​786)
• Update actions/setup-node action to v4.0.4 @​renovate[bot] (#​784)
• Update actions/setup-node action to v4.2.0 @​renovate[bot] (#​797)
• Update actions/checkout action to v4.2.2 @​renovate[bot] (#​796)
• Update release-drafter/release-drafter action to v6.1.0 @​renovate[bot] (#​805)
• Update actions/setup-node action to v4.4.0 @​renovate[bot] (#​811)
• Update release-drafter/release-drafter action to v6.4.0 @​renovate[bot] (#​825)
• Update actions/checkout action to v4.3.1 @​renovate[bot] (#​826)
• Update actions/setup-node action to v6 @​renovate[bot] (#​827)
• Update actions/checkout action to v6 @​renovate[bot] (#​833)
• Update release-drafter/release-drafter action to v7 @​renovate[bot] (#​836)

Documentation

• Add glob method's options.cwd to API docs @​PixievoltNo1 (#​756)
• release 8.0.0 @​ctalkington (#​832)

Dependency updates

• Update actions/checkout action to v4.1.6 @​renovate[bot] (#​758)
• Lock file maintenance @​renovate[bot] (#​752)
• Update dependency readdir-glob to v2 @​renovate[bot] (#​755)
• Update dependency yauzl to v3.1.3 @​renovate[bot] (#​757)
• Update dependency jsdoc to v4.0.3 @​renovate[bot] (#​761)
• Update dependency mocha to v10.4.0 @​renovate[bot] (#​750)
• Update dependency tar to v6.2.1 @​renovate[bot] (#​749)
• Update actions/checkout action to v4.1.7 @​renovate[bot] (#​767)
• Update actions/setup-node action to v4.0.3 @​renovate[bot] (#​775)
• Lock file maintenance @​renovate[bot] (#​771)
• Update actions/checkout action to v4.2.1 @​renovate[bot] (#​786)
• Update dependency mocha to v10.7.3 @​renovate[bot] (#​769)
• Lock file maintenance @​renovate[bot] (#​789)
• Update actions/setup-node action to v4.0.4 @​renovate[bot] (#​784)
• Update dependency chai to v4.5.0 @​renovate[bot] (#​779)
• Update dependency rimraf to v5.0.10 @​renovate[bot] (#​766)
• Update docusaurus monorepo to v3.5.2 @​renovate[bot] (#​751)
• Lock file maintenance @​renovate[bot] (#​795)
• Update actions/setup-node action to v4.2.0 @​renovate[bot] (#​797)
• Update actions/checkout action to v4.2.2 @​renovate[bot] (#​796)
• Update dependency jsdoc to v4.0.4 @​renovate[bot] (#​794)
• Update dependency mocha to v10.8.2 @​renovate[bot] (#​798)
• Update dependency is-stream to v4 @​renovate[bot] (#​792)
• Update release-drafter/release-drafter action to v6.1.0 @​renovate[bot] (#​805)
• Update actions/setup-node action to v4.4.0 @​renovate[bot] (#​811)
• Update dependency yauzl to v3.2.0 @​renovate[bot] (#​803)
• Update dependency prettier to v3.5.3 @​renovate[bot] (#​801)
• Lock file maintenance @​renovate[bot] (#​814)
• Update dependency prettier to v3.8.3 @​renovate[bot] (#​813)
• Migrate Renovate config @​renovate[bot] (#​824)
• Update release-drafter/release-drafter action to v6.4.0 @​renovate[bot] (#​825)
• Update dependency readdir-glob to v3 @​renovate[bot] (#​823)
• Update dependency yauzl to v3.2.1 [SECURITY] @​renovate[bot] (#​821)
• Update actions/checkout action to v4.3.1 @​renovate[bot] (#​826)
• Update actions/setup-node action to v6 @​renovate[bot] (#​827)
• Update dependency jsdoc to v4.0.5 @​renovate[bot] (#​829)
• Update dependency yauzl to v3.3.0 @​renovate[bot] (#​831)
• Update actions/checkout action to v6 @​renovate[bot] (#​833)
• Update dependency zip-stream to v7.0.4 @​renovate[bot] (#​830)
• Update dependency chai to v6 @​renovate[bot] (#​834)
• Update dependency rimraf to v6 @​renovate[bot] (#​774)
• Update docusaurus monorepo to v3.10.1 @​renovate[bot] (#​804)
• Update dependency mocha to v11 @​renovate[bot] (#​806)
• Update release-drafter/release-drafter action to v7 @​renovate[bot] (#​836)
• Update dependency zip-stream to v7.0.5 @​renovate[bot] (#​837)

motdotla/dotenv (dotenv)

v17.4.2

Compare Source

Changed

• Improved skill files - tightened up details (#​1009)

v17.4.1

Compare Source

Changed

• Change text injecting to injected (#​1005)

v17.4.0

Compare Source

Added

• Add skills/ folder with focused agent skills: skills/dotenv/SKILL.md (core usage) and skills/dotenvx/SKILL.md (encryption, multiple environments, variable expansion) for AI coding agent discovery via the skills.sh ecosystem (npx skills add motdotla/dotenv)

Changed

• Tighten up logs: ◇ injecting env (14) from .env (#​1003)

v17.3.1

Compare Source

Changed

• Fix as2 example command in README and update spanish README

v17.3.0

Compare Source

Added

• Add a new README section on dotenv’s approach to the agentic future.

Changed

• Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.

v17.2.4

Compare Source

Changed

• Make DotenvPopulateInput accept NodeJS.ProcessEnv type (#​915)

• Give back to dotenv by checking out my newest project vestauth. It is auth for agents. Thank you for using my software.

v17.2.3

Compare Source

Changed

• Fixed typescript error definition (#​912)

v17.2.2

Compare Source

Added

• 🙏 A big thank you to new sponsor Tuple.app - the premier screen sharing app for developers on macOS and Windows. Go check them out. It's wonderful and generous of them to give back to open source by sponsoring dotenv. Give them some love back.

v17.2.1

Compare Source

Changed

• Fix clickable tip links by removing parentheses (#​897)

v17.2.0

Compare Source

Added

• Optionally specify DOTENV_CONFIG_QUIET=true in your environment or .env file to quiet the runtime log (#​889)
• Just like dotenv any DOTENV_CONFIG_ environment variables take precedence over any code set options like ({quiet: false})

# .env
DOTENV_CONFIG_QUIET=true
HELLO="World"

// index.js
require('dotenv').config()
console.log(`Hello ${process.env.HELLO}`)

$ node index.js
Hello World

or

$ DOTENV_CONFIG_QUIET=true node index.js

v17.1.0

Compare Source

Added

• Add additional security and configuration tips to the runtime log (#​884)
• Dim the tips text from the main injection information text

const TIPS = [
  '🔐 encrypt with dotenvx: https://dotenvx.com',
  '🔐 prevent committing .env to code: https://dotenvx.com/precommit',
  '🔐 prevent building .env in docker: https://dotenvx.com/prebuild',
  '🛠️  run anywhere with `dotenvx run -- yourcommand`',
  '⚙️  specify custom .env file path with { path: \'/custom/path/.env\' }',
  '⚙️  enable debug logging with { debug: true }',
  '⚙️  override existing env vars with { override: true }',
  '⚙️  suppress all logs with { quiet: true }',
  '⚙️  write to custom object with { processEnv: myObject }',
  '⚙️  load multiple .env files with { path: [\'.env.local\', \'.env\'] }'
]

v17.0.1

Compare Source

Changed

• Patched injected log to count only populated/set keys to process.env (#​879)

v17.0.0

Compare Source

Changed

• Default quiet to false - informational (file and keys count) runtime log message shows by default (#​875)

isaacs/node-glob (glob)

v13.0.6

Compare Source

v13.0.5

Compare Source

v13.0.4

Compare Source

v13.0.3

Compare Source

v13.0.2

Compare Source

v13.0.1

Compare Source

v13.0.0

Compare Source

v12.0.0

Compare Source

sindresorhus/globals (globals)

v17.7.0

Compare Source

v17.6.0

Compare Source

• Update globals (2026-05-01) (#​343) 00a4dd9

---

v17.5.0

Compare Source

• Update globals (2026-04-12) (#​342) 5d84602

---

v17.4.0

Compare Source

• Update globals (2026-03-01) (#​338) d43a051

---

v17.3.0

Compare Source

• Update globals (2026-02-01) (#​336) 295fba9

---

v17.2.0

Compare Source

• jasmine: Add throwUnless and throwUnlessAsync globals (#​335) 97f23a7

---

v17.1.0

Compare Source

• Add webpack and rspack globals (#​333) 65cae73

---

v17.0.0

Compare Source

Breaking

• Split audioWorklet environment from browser (#​320) 7bc293e

Improvements

• Update globals (#​329) ebe1063
• Get all browser globals from both chrome and firefox (#​321) 59ceff8
• Add bunBuiltin environment (#​324) 1bc6e3b
• Add denoBuiltin environment (#​324) 1bc6e3b
• Add paintWorklet environment (#​323) 4b78f56
• Add sharedWorker environment (#​322) 4a02a85

---

lucide-icons/lucide (lucide-react)

v1.21.0: Version 1.21.0

Compare Source

What's Changed

• ci(release.yml): Remove new-version in release flow by @​ericfennis in #​4478
• ci(release.yml): Fix workflow and remove version scripts in package scripts by @​ericfennis in #​4479
• fix(docs): rename navigation category label by @​Hsiii in #​4483
• feat(icons): added broken-bone icon by @​Patolord in #​4131

New Contributors

• @​Hsiii made their first contribution in #​4483
• @​Patolord made their first contribution in #​4131

Full Changelog: lucide-icons/lucide@1.20.0...1.21.0

v1.20.0: Version 1.20.0

Compare Source

What's Changed

• fix(icons): decreased size of arrows inside square-arrow-* icons by @​jguddas in #​3926
• chore(tags): Add tags to search- icons by @​jamiemlaw in #​4099
• feat(icons): added save-check icon by @​Konixy in

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
sdk-harmony	Error		Jun 22, 2026 12:04am

[changeset-bot]

⚠️ No Changeset found

Latest commit: 5a6a045

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​types/​archiver@​8.0.0
	@​types/​react@​19.2.17
	lucide-react@​1.21.0
	@​types/​node@​24.13.2
	open@​11.0.0
	archiver@​7.0.1 ⏵ 8.0.0
	p-limit@​7.3.0
	react@​18.3.1 ⏵ 19.2.7	+1
	globals@​17.6.0
	dotenv@​17.4.2
	typescript@​6.0.3
	react-day-picker@​10.0.1
	react-dom@​18.3.1 ⏵ 19.2.7	+1		+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm powershell-utils is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/open@11.0.0 → npm/powershell-utils@0.1.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/powershell-utils@0.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report