fix(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@types/node (source)	24.11.0 → 24.12.0			devDependencies	minor
@types/sanitize-html (source)	2.16.0 → 2.16.1			devDependencies	patch
@vitejs/plugin-react (source)	5.1.4 → 5.2.0			devDependencies	minor
agent-client-protocol	0.9 → 0.10			dependencies	minor
clap	4.5.60 → 4.6.0			dependencies	minor
github.com/modelcontextprotocol/go-sdk	v1.4.0 → v1.4.1			require	patch
github.com/yuin/goldmark	v1.7.16 → v1.7.17			require	patch
go	1.26.0 → 1.26.1				patch
just	1.46.0 → 1.47.1				minor
lefthook	2.1.2 → 2.1.4				patch
libc	0.2.182 → 0.2.183			dependencies	patch
marked (source)	17.0.3 → 17.0.4			dependencies	patch
mermaid	11.12.3 → 11.13.0			dependencies	minor
pnpm (source)	10.30.3 → 10.32.1			packageManager	minor
prettier-plugin-svelte	3.5.0 → 3.5.1			devDependencies	patch
rusqlite	0.38 → 0.39			dependencies	minor
rustup	1.28.2 → 1.29.0				minor
sanitize-html (source)	2.17.1 → 2.17.2			dependencies	patch
svelte (source)	5.53.6 → 5.54.0			devDependencies	minor
svelte-check	4.4.4 → 4.4.5			devDependencies	patch
tempfile (source)	3.26.0 → 3.27.0			dev-dependencies	minor
tokio (source)	1.49.0 → 1.50.0			dependencies	minor
uuid	1.21.0 → 1.22.0			dependencies	minor

---

Release Notes

vitejs/vite-plugin-react (@​vitejs/plugin-react)

v5.2.0

Compare Source

agentclientprotocol/rust-sdk (agent-client-protocol)

v0.10.2

Compare Source

Added

• (unstable) Add support for session/close methods (#​77)

v0.10.1

Compare Source

Added

• Stabilize session_list and session_info_update (#​74)

Fixed

• Make examples compile again (#​76)

v0.10.0

Compare Source

Added

• Add more unstable feature flags from schema (#​71)
• [breaking] Update to schema crate v0.11.0 (#​69)

v0.9.5

Compare Source

Fixed

• handle escaped forward slashes in JSON-RPC method names (#​65)

clap-rs/clap (clap)

v4.6.0

Compare Source

Compatibility

• Update MSRV to 1.85

v4.5.61

Compare Source

Internal

• Update dependencies

modelcontextprotocol/go-sdk (github.com/modelcontextprotocol/go-sdk)

v1.4.1

Compare Source

This release is a patch release for v1.4.0.

It contains cherry-picks for several security improvements. Security advisories will follow.

Fixes

Update of the segmentio/encoding module version

The JSON parsing library that was adopted to avoid attacks taking advantage of the Go's standard parser being case insensitive turned out to contain an issue itself. We have submitted the fix upstream and this release updates the dependency to the patched version.

Cross-origin requests protection

We have added additional protection against cross origin requests. From now on, we verify that Content-Type for JSON-RPC POST requests is set to application/json and use the new http.CrossOriginProtection functionality to verify the origin of the request. Usage of this functionality required increasing the required Go version to 1.25, which is in line with our Go version policy of supporting two newest Go versions. The behavior can be customized by passing a configured http.CrossOriginProtection object to StreamableHTTPOptions.

Since this is a behavior change, we introduced a compatibility parameter disablecrossoriginprotection that will allow to temporarily disable it. It will be removed in v1.6.0 version of the SDK. See here for more details about behavior changes and a history of compatibility parameters across SDK versions.

Allowing customization of http.Client for client-side OAuth

We have introduced an optional http.Client parameter to AuthorizationCodeHandlerConfig. This allows customization of the transport, for example implementing environment specific protection against Server-Side Request Forgery.

Pull requests

• internal: fix Unicode zero character handling by @​maciej-kisiel in #​841
• auth: allow passing custom http.Client to AuthorizationCodeHandler by @​maciej-kisiel in #​840
• mcp: verify 'Origin' and 'Content-Type' headers by @​maciej-kisiel in #​842

Full Changelog: modelcontextprotocol/go-sdk@v1.4.0...v1.4.1

yuin/goldmark (github.com/yuin/goldmark)

v1.7.17: release

Compare Source

Full Changelog: yuin/goldmark@v1.7.16...v1.7.17

golang/go (go)

v1.26.1

casey/just (just)

v1.47.1

Compare Source

Fixed

• Block on running parallel dependencies (#​3139 by casey)
• Fix setting-exported assignment visibility in child modules (#​3128 by casey)

Added

• Add eager keyword to force evaluation of unused assignments (#​3131 by casey)

Changed

• Only evaluate used variables in --evaluate and --command (#​3130 by casey)

Misc

• Make eager assignments unstable (#​3140 by casey)
• Include path to .env file in error messages (#​3135 by casey)
• Consolidate override checking (#​3127 by casey)
• Update readme version references (#​3126 by casey)

v1.47.0

Compare Source

Added

• Add lazy evaluation setting (#​3083 by casey)
• Add guard sigil ? (#​2547 by casey)
• Add --group flag to filter --list output by group (#​3117 by terror)
• Add attributes for DragonFly BSD, FreeBSD, and NetBSD (#​3115 by jakewilliami)
• Add [env(NAME, VALUE) recipe attribute (#​2957 by neunenak)

Changed

• Make --timestamp print timestamps unconditionally (#​3114 by casey)
• Print --timestamps with script recipes (#​3050 by casey)
• [private] modules are excluded from --list output (#​2889 by Scott-Guest)

Misc

• Fix readme typo (#​3122 by Rohan5commit)
• Move choose and run into match statement (#​3120 by casey)
• Add uv install instructions to readme (#​3062 by npikall)
• Suppress error when --choose is cancelled by user (#​3098 by cobyfrombrooklyn-bot)
• Test formatting justfile with undefined variable succeeds (#​3110 by casey)
• Format without compiling (#​3103 by terror)
• Fix Gentoo installation instructions (#​3085 by DarthGandalf)
• Deny unreachable pub (#​3080 by casey)
• Fix readme typo (#​3079 by pvinis)
• Include blank chapters in book (#​3076 by casey)
• Clean up build script (#​3078 by casey)
• Increase stack size on Windows (#​3077 by casey)
• Fix readme typo (#​3066 by kenden)
• Remove dependency on executable-path (#​3058 by casey)
• Fix typos (#​3056 by galenseilis)
• Avoid conditional compilation in integration tests (#​3055 by casey)
• Assert exit status last in Test builder (#​3054 by casey)
• Remove makedeb/MPR installation instructions (#​3053 by Chengings)
• Handle errors when checking for files (#​3051 by casey)

evilmartians/lefthook (lefthook)

v2.1.4

Compare Source

• pkg: fix scripts (#​1348) by @​mrexox
• fix: bring back {lefthook_job_name} template (#​1347) by @​mrexox
• pkg: refactor packaging (2) (#​1346) by @​mrexox
• fix: separate more commands' non-option args with -- (#​1339) by @​scop
• docs: change logo to point to landing page instead of itself (#​1343) by @​igas
• pkg: make it easier to read (#​1340) by @​mrexox
• pkg: refactor packaging scripts (#​1308) by @​mrexox

v2.1.3

Compare Source

• chore: switch artifact attestations gen to actions/attest v4 (#​1338) by @​scop
• chore: describe ENV variables usage in CLI help output (#​1337) by @​mrexox
• fix: support git debug versions (#​1334) by @​mrexox
• deps: March 2026 (#​1330) by @​mrexox
• feat: update minimum go version (#​1331) by @​mrexox

rust-lang/libc (libc)

v0.2.183

Compare Source

Added

• ESP-IDF: Add SOMAXCONN (#​4993)
• Linux: Add name_to_handle_at and open_by_handle_at (#​4988)
• NetBSD: Add kinfo_file, kinfo_pcb, and related constants (#​4985)
• OpenBSD: Add kinfo_file and related constants (#​4991)
• VxWorks: Add additional structs and defines (#​5003)
• Various: Implement Default for timeval and timespec (#​4976)

Fixed

• Hexagon musl: Enable unstable 64-bit time_t support and musl_v1_2_3 (#​4992)
• Nintendo Switch: Fix target support (#​4982)
• OpenBSD: Wrap an unused field in Padding (#​4997)
• Redox: Change sigaction.sa_flags to c_int (#​4986)
• Redox: Fix blkcnt_t type (#​4994)

markedjs/marked (marked)

v17.0.4

Compare Source

Bug Fixes

• prevent ReDoS in inline link regex title group (#​3902) (46fb9b8)

mermaid-js/mermaid (mermaid)

v11.13.0

Compare Source

Minor Changes

• #​7352 d6db0b0 Thanks @​remcohaszing! - feat: Export the AsyncIconLoader, SyncIconLoader, and IconLoader types.

• #​5932 cdacb0b Thanks @​exoego! - feat: Add venn-beta diagram

• #​6789 73e9849 Thanks @​omkarht! - feat: Add half-arrowheads (solid & stick) and central connection support

• #​7387 acce4db Thanks @​exoego! - feat: Add Ishikawa diagram (ishikawa-beta)

• #​6995 9745f32 Thanks @​darshanr0107! - feat: Deprecate flowchart.htmlLabels in favor of root-level htmlLabels in Mermaid config

• #​5814 2dd29be Thanks @​kairi003! - feat: allow to put notes in namespaces on classDiagram

Patch Changes

• #​7075 96a766d Thanks @​darshanr0107! - fix: Prevent HTML tags from being escaped in sandbox label rendering

• #​6843 32723b2 Thanks @​saurabhg772244! - fix: Support edge animation in hand drawn look

• #​7453 a60e615 Thanks @​darshanr0107! - fix: ER diagram edge label positioning

• #​6989 1a9d45a Thanks @​darshanr0107! - fix: Resolved parsing error where direction TD was not recognized within subgraphs

• #​7178 96ca7c0 Thanks @​omkarht! - fix(treemap): Fixed treemap classDef style application to properly apply user-defined styles

• #​7076 60f6331 Thanks @​darshanr0107! - fix: Correct viewBox casing and make SVGs responsive

• #​7055 fa15ce8 Thanks @​darshanr0107! - fix: Improve participant parsing and prevent recursive loops on invalid syntax

• #​7276 33c7c72 Thanks @​darshanr0107! - fix: respect markdownAutoWrap: false to prevent text auto-wrapping in flowchart markdown labels with htmlLabels enabled.

  Markdown labels with markdownAutoWrap: false, htmlLabels: false set doesn't work
  correctly.

• #​7416 3c069b5 Thanks @​Crafter-Y! - fix: architecture diagram lines should now have the correct length

• #​6995 9745f32 Thanks @​darshanr0107! - fix: Support the htmlLabels Mermaid config value whenever possible

• #​7293 a408b55 Thanks @​darshanr0107! - fix: Prevent browser hang when using multiline accDescr in XY charts

• #​6119 712c1ec Thanks @​NealGooch! - fix: correct block positioning when nested blocks span multiple columns

• #​7424 981a62e Thanks @​knsv! - fix: correct BT orientation arc sweep flags in gitGraph drawArrow()

  Swapped SVG arc sweep-flag values in the BT (bottom-to-top) orientation branches of drawArrow() so curves bend in the correct direction. Affects both rerouting and non-rerouting code paths for merge and non-merge arrows.

  Resolves #​6593

• #​7430 a4bb0b5 Thanks @​knsv! - fix: allow colons in stateDiagram-v2 transition and state description text

• #​7432 b0f9d5b Thanks @​knsv! - fix: derive taskTextDarkColor from doneTaskBkgColor in dark theme for readable done-task text

• #​7456 981fbb8 Thanks @​knsv-bot! - fix(gantt): restore readable outside-text color for done tasks in dark mode

• #​7139 93aa657 Thanks @​omkarht! - revert: restore original hexagon and roundedRect implementations

• #​7136 6bc6617 Thanks @​omkarht! - feat: add alias support for new participant syntax of sequence diagrams

• #​7375 9d0669a Thanks @​kaigritun! - fix(er): recognize '1' cardinality alias before relationship operators

• #​7275 7eed6a1 Thanks @​darshanr0107! - fix: change createLabel to call createText

  This adds support for KaTeX and FontAwesome icons loaded via iconpacks in some
  older labels. There are some small changes in formatting due to standardizing this code.

• #​7265 2000680 Thanks @​omkarht! - fix: prevent unintended opacity on SVG aws icons containing rect elements

• #​7139 b7c66a2 Thanks @​omkarht! - chore: restore original hexagon and roundedRect implementations

• #​7425 f16bfbb Thanks @​knsv! - fix: use rounded right-angle edges for ELK layout

  ELK layout edges now default to rounded curve (right-angle segments with rounded corners) instead of inheriting the global basis default. This fixes ELK edges that were curving instead of routing at right angles (#​7213). Non-ELK layouts are unaffected and keep their existing basis default.

• #​7296 aac86f7 Thanks @​darshanr0107! - fix: Ensure correct edge label rendering for ER and requirement diagrams when flowchart htmlLabels are false

• #​7019 ace0367 Thanks @​darshanr0107! - fix: Mindmap breaking in ELK layout

• #​6984 09b74f1 Thanks @​omkarht! - fix(er-diagram): prevent syntax error when using 'u', numbers, and decimals in node names

• #​7276 33c7c72 Thanks @​darshanr0107! - fix: Restore proper rendering of plain text flowchart labels without auto line-wrapping

  This fix restores backwards compatibility with Mermaid v10 by ensuring that plain text labels in flowcharts are rendered correctly. In Mermaid v11, all labels were incorrectly being treated as markdown by default, which caused issues with text wrapping, multiline breaks, and backwards compatibility.

  What changed:

  • Plain text labels in flowcharts (without markdown syntax) now render as regular text
    • For node labels and edge labels, these will line-wrap automatically. Although this isn't backwards compatible with v10, we think this is a minor change and it's worth keeping to avoid too many changes from diagrams created from v11 onwards.
    • Plain text labels in other diagrams will continue to not line wrap.
  • Plain text labels with \n characters now correctly create line breaks
  • Plain text that looks like markdown (e.g., "1.", "- x") is no longer misinterpreted

  If you want markdown formatting:
  You can still use markdown in your flowchart labels by using the proper markdown syntax. Wrap your markdown text with double quotes and backticks:
  node["`_markdown_ **text**`"]

  Example:

  ```mermaid
  flowchart TD
      plain["Plain text\nwith manual line break"]
      markdown["`This is a **markdown** _label_ that wraps and doesn't replace \n with newlines`"]
  ```

• #​7080 835de00 Thanks @​darshanr0107! - fix: Support ComponentQueue_Ext to prevent parsing error

• #​7310 a9e4c72 Thanks @​darshanr0107! - fix: Allow quoted string labels in architecture-beta diagrams

• #​7052 ff15e51 Thanks @​darshanr0107! - fix: Correct tooltip placement to appear near hovered element

• #​7197 8bfd477 Thanks @​omkarht! - fix: validate dates and tick interval to prevent UI freeze/crash in gantt diagramtype

• #​7099 b136acd Thanks @​darshanr0107! - fix: Mindmap rendering issue when the number of Level 2 nodes exceeds 11

• #​7217 e0317ac Thanks @​omkarht! - fix(gitgraph): pass gitGraphConfig to renderer functions for applying directives properly.

• Updated dependencies [fd3fc50]:

  • @​mermaid-js/parser@​1.0.1

pnpm/pnpm (pnpm)

v10.32.1: pnpm 10.32.1

Compare Source

Patch Changes

• Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #​10909.

Platinum Sponsors

Gold Sponsors

v10.32.0: pnpm 10.32

Compare Source

Minor Changes

• Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #​10136.

Patch Changes

• Reverted change related to setting explicitly the npm config file path, which caused regressions.
• Reverted fix related to lockfile-include-tarball-url. Fixes #​10915.

Platinum Sponsors

Gold Sponsors

v10.31.0

Compare Source

sveltejs/prettier-plugin-svelte (prettier-plugin-svelte)

v3.5.1

Compare Source

rusqlite/rusqlite (rusqlite)

v0.39.0: 0.39.0

Compare Source

What's Changed

• Fix constraints on VTab Aux data #​1778, #​1771
• Fix docs.rs generation #​1779
• Fix a small typo in rollback_hook docstring #​1780
• Fix some warnings from Intellij #​1781
• Minimal doc for features #​1783
• Clear hooks only for owning connections #​1785, #​1784
• Fix link to SQLite C Interface, Prepare Flags #​1787
• Comment functions which are not usable from a loadable extension #​1789
• Factorize code #​1792
• Update getrandom to 0.4 #​1798
• Update Cargo.toml #​1800
• Fix appveyor #​1807
• Add support to unix timestamp for chrono, jiff and time #​1808, #​1803
• fix(trace): check that the sql string pointer is not NULL #​1805
• Bump bundled SQLite version to 3.51.3 #​1818
• Use TryFrom for Value #​1819, #​1817
• Make possible to pass your own pointers #​1626, #​1602

Full Changelog: rusqlite/rusqlite@v0.38.0...v0.39.0

apostrophecms/apostrophe (sanitize-html)

v2.17.2

Compare Source

Changes

• Upgrade htmlparser2 from 8.x to 10.1.0. This improves security by correctly decoding zero-padded numeric character references (e.g., &#​0000001) that previously bypassed javascript: URL detection. Also fixes double-encoding of entities inside raw text elements like textarea and option.

sveltejs/svelte (svelte)

v5.54.0

Compare Source

Minor Changes

• feat: allow css, runes, customElement compiler options to be functions (#​17951)

Patch Changes

• fix: reinstate reactivity loss tracking (#​17801)

v5.53.13

Compare Source

Patch Changes

• fix: ensure $inspect after top level await doesn't break builds (#​17943)

• fix: resume inert effects when they come from offscreen (#​17942)

• fix: don't eagerly access not-yet-initialized functions in template (#​17938)

• fix: discard batches made obsolete by commit (#​17934)

• fix: ensure "is standalone child" is correctly reset (#​17944)

• fix: remove nodes in boundary when work is pending and HMR is active (#​17932)

v5.53.12

Compare Source

Patch Changes

• fix: update select.__value on change (#​17745)

• chore: add invariant helper for debugging (#​17929)

• fix: ensure deriveds values are correct across batches (#​17917)

• fix: handle async RHS in assignment_value_stale ([#​17925](https://redirect.github.com/sveltej

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: apps/staged/src-tauri/Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path apps/staged/src-tauri/Cargo.toml --workspace
    Updating crates.io index
error: failed to select a version for `libsqlite3-sys`.
    ... required by package `rusqlite v0.38.0`
    ... which satisfies dependency `rusqlite = "^0.38.0"` of package `rusqlite_migration v2.4.1`
    ... which satisfies dependency `rusqlite_migration = "^2.4.1"` of package `Staged v0.1.1 (/tmp/renovate/repos/github/block/builderbot/apps/staged/src-tauri)`
versions that meet the requirements `^0.36.0` are: 0.36.0

package `libsqlite3-sys` links to the native library `sqlite3`, but it conflicts with a previous package which links to `sqlite3` as well:
package `libsqlite3-sys v0.37.0`
    ... which satisfies dependency `libsqlite3-sys = "^0.37.0"` of package `rusqlite v0.39.0`
    ... which satisfies dependency `rusqlite = "^0.39"` of package `Staged v0.1.1 (/tmp/renovate/repos/github/block/builderbot/apps/staged/src-tauri)`
Only one package in the dependency graph may specify the same links value. This helps ensure that only one copy of a native library is linked in the final binary. Try to adjust your dependencies so that only one package uses the `links = "sqlite3"` value. For more information, see https://doc.rust-lang.org/cargo/reference/resolver.html#links.

failed to select a version for `libsqlite3-sys` which could resolve this conflict

File name: apps/penpal/frontend/package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ETIMEDOUT
npm error errno ETIMEDOUT
npm error network request to https://global.block-artifacts.com/artifactory/api/npm/square-npm/@tailwindcss/oxide-wasm32-wasi/-/oxide-wasm32-wasi-4.2.1.tgz failed, reason: 
npm error network This is a problem related to network connectivity.
npm error network In most cases you are behind a proxy or have bad network settings.
npm error network
npm error network If you are behind a proxy, please make sure that the
npm error network 'proxy' config is set properly.  See: 'npm help config'
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-03-19T08_01_27_965Z-debug-0.log