chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@types/google.maps (source)	^3.58.1 → ^3.64.1			peerDependencies	minor
@types/youtube (source)	^0.1.0 → ^0.2.0			peerDependencies	minor
@unhead/vue (source)	^2.0.3 → ^2.1.15			peerDependencies	minor
Hebilicious/reproduire	v0.0.9-mp → v0.0.9			action	patch
actions/checkout	v6.0.1 → v6.0.2			action	patch
actions/stale	v10.0.0 → v10.2.0			action	minor	v10.3.0
posthog-js (source)	^1.0.0 → ^1.374.2			peerDependencies	minor	1.374.3

---

Release Notes

unjs/unhead (@​unhead/vue)

v2.1.15

Compare Source

No significant changes

    View changes on GitHub

v2.1.13

Compare Source

   🐞 Bug Fixes

• schema-org: Normalize target to array before merging potentialAction  -  by @​harlan-zw and Claude Opus 4.6 (1M context) in #​709 (22ac9)

    View changes on GitHub

v2.1.12

Compare Source

   🐞 Bug Fixes

• Harden prototype pollution  -  by @​harlan-zw (a6ed9)
• Case insensitive attr dedupe  -  by @​harlan-zw (3146b)

    View changes on GitHub

v2.1.11

Compare Source

    ⚠️ Security

• Fixed XSS bypass in useHeadSafe via attribute name injection (GHSA-g5xx-pwrp-g3fv). Users handling untrusted input with useHeadSafe should upgrade immediately.

   🐞 Bug Fixes

• addons,schema-org: Permissive peer dependencies  -  by @​harlan-zw (4c5d1)

    View changes on GitHub

v2.1.10

Compare Source

   🐞 Bug Fixes

• solid-js: Correct peerDependency version  -  by @​tyeporter in #​671 (64e17)

    View changes on GitHub

v2.1.9

Compare Source

   🐞 Bug Fixes

• schema-org: Nuxt test utils compat bug  -  by @​harlan-zw (ef838)

    View changes on GitHub

v2.1.8

Compare Source

   🐞 Bug Fixes

• schema-org: Avoid crashing from 3+ duplicate nodes  -  by @​harlan-zw (4baf9)

    View changes on GitHub

v2.1.7

Compare Source

   🐞 Bug Fixes

• unhead:
  • deduplicate matching tags inside same render cycle  -  by @​harlan-zw in #​668 (5c0b2)

    View changes on GitHub

v2.1.6

Compare Source

   🐞 Bug Fixes

• react: Ssr regression  -  by @​harlan-zw (6adff)

    View changes on GitHub

v2.1.5

Compare Source

   🐞 Bug Fixes

• react: Dispose head entries on unmount in React 18 StrictMode  -  by @​harlan-zw in #​664 (50ffe)
• scripts: Prevent scope disposal from aborting unrelated trigger in useScript  -  by @​cernymatej in #​660 (e8f5b)
• unhead: Dedupe link rel without hreflang or type  -  by @​danielroe in #​658 (1487d)

    View changes on GitHub

v2.1.4

Compare Source

   🐞 Bug Fixes

• schema-org: Remove unimplemented SchemaOrgDebug  -  by @​onmax in #​649 (642dc)
• unhead: Dedupe <link rel="alternate"> by hreflang/type only, drop href from key  -  by @​harlan-zw in #​656 (86175)

    View changes on GitHub

v2.1.3

Compare Source

   🐞 Bug Fixes

• unhead:
  • Dedupe <link rel="alternate">  -  by @​danielroe and onmax in #​655 (fdabe)
• vue:
  • Support computed getter trigger  -  by @​harlan-zw in #​638 (fd63a)
  • Guard s._statusRef  -  by @​danielroe in #​642 (4ef03)

   🏎 Performance

• vue: Avoid duplicating error message in the bundle  -  by @​panstromek in #​652 (194e5)

    View changes on GitHub

v2.1.2

Compare Source

   🐞 Bug Fixes

• Broken cjs environment  -  by @​harlan-zw (ce989)

    View changes on GitHub

v2.1.1

Compare Source

No significant changes

    View changes on GitHub

v2.1.0

Compare Source

   🚀 Features

• schema-org: 12 new nodes  -  by @​harlan-zw in #​612 (1a9b8)

   🐞 Bug Fixes

• react:
  • Recursive function resolves broken  -  by @​harlan-zw (4e0c7)
• schema-org:
  • Correct month off-by-one  -  by @​harlan-zw in #​603 (a3e70)
  • Missing schema.org properties  -  by @​harlan-zw in #​614 (54e05)
• unhead:
  • Enforce boolean string meta contents  -  by @​kfreezen in #​594 (0b8e7)
  • Capo module scripts ordering  -  by @​Barbapapazes in #​600 (3c661)
  • Capo inline scripts ordering  -  by @​Barbapapazes in #​596 (7be75)
  • Normalize script type  -  by @​harlan-zw (e51b6)
  • Safer handling of input  -  by @​harlan-zw (b4b6c)

   🏎 Performance

• schema-org:
  • Remove ohash and defu dependencies  -  by @​harlan-zw in #​605 (0d508)
  • Rework graph resolution  -  by @​harlan-zw in #​616 (b79e4)

    View changes on GitHub

v2.0.19

Compare Source

   🐞 Bug Fixes

• vue: Tree shaking breaking some reactivity  -  by @​harlan-zw (7abb5)

    View changes on GitHub

v2.0.18

Compare Source

   🏎 Performance

• unhead: Avoid server side effects  -  by @​harlan-zw in #​585 (3fd09)

    View changes on GitHub

v2.0.17

Compare Source

No significant changes

    View changes on GitHub

v2.0.14

Compare Source

   🐞 Bug Fixes

• unhead: Multiword attributes in template  -  by @​NikSimonov in #​568 (f635b)

    View changes on GitHub

v2.0.13

Compare Source

   🐞 Bug Fixes

• unhead:
  • Canonical plugin modifying non-url properties  -  by @​paraboul (ee8fd)
  • Avoid normalizing template param input  -  by @​harlan-zw (1d205)
  • Safer removal of leading / trailing separators  -  by @​harlan-zw (d4501)

    View changes on GitHub

v2.0.12

Compare Source

   🐞 Bug Fixes

• react: Force invalidation on entry disposal  -  by @​harlan-zw in #​559 (4ee5e)

    View changes on GitHub

v2.0.11

Compare Source

   🐞 Bug Fixes

• Allow non-standard meta tags to be intentionally duped  -  by @​harlan-zw (9a899)

    View changes on GitHub

v2.0.10

Compare Source

   🐞 Bug Fixes

• Safer meta array deduping  -  by @​harlan-zw (32486)

    View changes on GitHub

v2.0.9

Compare Source

   🏎 Performance

• unhead: Normalize canonicalHost only once in canonical plugin  -  by @​negezor in #​550 (92713)

    View changes on GitHub

v2.0.8

Compare Source

No significant changes

    View changes on GitHub

v2.0.7

Compare Source

   🐞 Bug Fixes

• schema-org: unhead hoisting issue  -  by @​harlan-zw (bb0e4)

    View changes on GitHub

v2.0.6

Compare Source

   🐞 Bug Fixes

• ssr: Less aggressive encoding of non-title tags  -  by @​harlan-zw (f4d4f)

    View changes on GitHub

v2.0.5

Compare Source

   🐞 Bug Fixes

• vue: Use setTimeout as render's debounced delayer  -  by @​kricsleo in #​540 (8f7c5)

    View changes on GitHub

v2.0.4

Compare Source

   🐞 Bug Fixes

• InferSeoMetaPlugin: Template param replacement broken  -  by @​harlan-zw (4e1c8)

    View changes on GitHub

Hebilicious/reproduire (Hebilicious/reproduire)

v0.0.9

Compare Source

compare changes

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

actions/stale (actions/stale)

v10.2.0

Compare Source

v10.1.1

Compare Source

What's Changed

Bug Fix

• Add Missing Input Reading for only-issue-types by @​Bibo-Joshi in #​1298

Improvement

• Improves error handling when rate limiting is disabled on GHES. by @​chiranjib-swain in #​1300

Dependency Upgrades

• Upgrade eslint-config-prettier from 8.10.0 to 10.1.8 by @​dependabot in #​1276
• Upgrade @​types/node from 20.10.3 to 24.2.0 and document breaking changes in v10 by @​dependabot in #​1280
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot in #​1291
• Upgrade actions/checkout from 4 to 6 by @​dependabot in #​1306

New Contributors

• @​chiranjib-swain made their first contribution in #​1300

Full Changelog: actions/stale@v10...v10.1.1

v10.1.0

Compare Source

What's Changed

• Add only-issue-types option to filter issues by type by @​Bibo-Joshi in #​1255

New Contributors

• @​Bibo-Joshi made their first contribution in #​1255

Full Changelog: actions/stale@v10...v10.1.0

PostHog/posthog-js (posthog-js)

v1.374.2

Compare Source

1.374.2

Patch Changes

• #​3550 df91995 Thanks @​TueHaulund! - Preserve session-recording remote config across posthog.reset().

  posthog.reset() was clearing the entire persistence store, which wiped
  $session_recording_remote_config along with user state. On the next session
  rotation triggered by the reset, start('session_id_changed') would early-return
  because the remote config was missing — leaving rrweb torn down and the new
  session opening with no Meta + FullSnapshot until the next periodic 5-minute
  checkout.

  This affected any flow where an app calls posthog.reset() mid-session
  (e.g. on sign-out / sign-in) and was particularly visible on Flutter Web
  recordings that depend on a fresh FullSnapshot to anchor the CanvasKit DOM. (2026-05-18)

• Updated dependencies []:

  • @​posthog/types@​1.374.2
  • @​posthog/core@​1.29.5

v1.374.1

Compare Source

v1.374.0

Compare Source

1.374.0

Minor Changes

• #​3620 594ea11 Thanks @​pauldambra! - Dead clicks: add a .ph-no-deadclick CSS class (and capture_dead_clicks.css_selector_ignorelist config option) to exclude specific elements from dead-click detection without affecting autocapture, session replay, or heatmaps. Mirrors the existing .ph-no-rageclick pattern.
  (2026-05-18)

Patch Changes

• #​3621 3c0a09f Thanks @​pauldambra! - Dead clicks: a click on an <a> (or any element inside an <a>, including across shadow DOM) is no longer flagged as a dead click — the browser navigates / downloads / opens a new window and we can't observe that. Reuses autocapture's existing DOM walker for the ancestor walk. Direct clicks on <button>, <input>, <select>, <textarea>, <label>, and <form> (previously all skipped) are now eligible for dead-click detection: if their JS handler ran, the existing mutation / scroll / selection observers see the effect; if it didn't, dead-click correctly surfaces the bug. A broken <button> with no handler, or an <svg> icon inside one, will now flag — which is exactly the dead-click case we want to catch.
  (2026-05-18)
• Updated dependencies [594ea11]:
  • @​posthog/types@​1.374.0
  • @​posthog/core@​1.29.3

v1.373.5

Compare Source

1.373.5

Patch Changes

• #​3613 221973e Thanks @​lucasheriques! - Surveys: submit open text questions with Cmd/Ctrl+Enter. The textarea still inserts a newline on plain Enter (native behaviour), matching the convention used by Slack, GitHub, Discord, and ChatGPT for multi-line inputs. Single-line "Other:" inputs continue to submit on plain Enter as before.
  (2026-05-15)
• Updated dependencies []:
  • @​posthog/types@​1.373.5
  • @​posthog/core@​1.29.2

v1.373.4

Compare Source

1.373.4

Patch Changes

• #​3602 4b895bf Thanks @​marandaneto! - Validate gzip request bodies at the browser send boundary and fall back to JSON if the outgoing body is not gzip data.
  (2026-05-12)
• Updated dependencies [4b895bf]:
  • @​posthog/core@​1.29.1
  • @​posthog/types@​1.373.4

v1.373.3

Compare Source

1.373.3

Patch Changes

• Updated dependencies [ad60818]:
  • @​posthog/core@​1.29.0
  • @​posthog/types@​1.373.3

v1.373.2

Compare Source

1.373.2

Patch Changes

• #​3568 223d925 Thanks @​marandaneto! - Validate native gzip output before sending requests and fall back when CompressionStream returns malformed data.
  (2026-05-11)
• Updated dependencies [223d925]:
  • @​posthog/core@​1.28.7
  • @​posthog/types@​1.373.2

v1.373.1

Compare Source

1.373.1

Patch Changes

• #​3566 7d027bc Thanks @​dustinbyrne! - Prevent browser log capture from throwing when console arguments contain unreadable properties.
  (2026-05-11)
• Updated dependencies []:
  • @​posthog/types@​1.373.1
  • @​posthog/core@​1.28.6

v1.373.0

Compare Source

1.373.0

Minor Changes

• #​3547 4c0c7d9 Thanks @​williamchong! - capture() now accepts an optional uuid on CaptureOptions.
  (2026-05-11)

Patch Changes

• #​3561 3511848 Thanks @​marandaneto! - Handle invalid persisted session replay config JSON gracefully
  (2026-05-11)

• #​3559 0a835fa Thanks @​marandaneto! - Skip remote config background refreshes when no document is available.
  (2026-05-11)

• Updated dependencies [4c0c7d9, 0a835fa]:

  • @​posthog/types@​1.373.0
  • @​posthog/core@​1.28.5

v1.372.10

Compare Source

1.372.10

Patch Changes

• #​3544 d120042 Thanks @​ksvat! - fix: stop session recording before destroying sessionManager in opt_out_capturing() with cookieless_mode: "on_reject". Previously, queued/throttled rrweb events (e.g. mousemove) could fire after the sessionManager was set to undefined and throw [SessionRecording] must be started with a valid sessionManager. Also adds a defensive early-return in onRRwebEmit so any remaining late events bail out instead of throwing.
  (2026-05-07)

• #​3542 94a5ba0 Thanks @​TueHaulund! - Preserve <style> textContent when the browser's CSSOM serialization would
  emit empty longhands from var() inside a shorthand. When a stylesheet has
  e.g. padding: var(--p); padding-bottom: var(--pb);, browsers store the
  shorthand's longhands with empty token lists per the CSS Custom Properties
  spec, and CSSStyleRule.cssText re-emits them as padding-top: ; padding-right: ; padding-left: ;. The previous behavior replaced the
  <style> text with that corrupted output, silently dropping layout rules
  on replay. We now detect the empty-longhand pattern and keep the original
  textContent in that case. Affects users of any CSS-in-JS framework that
  combines var() with shorthands (Chakra UI v3, Panda CSS, Emotion, etc.).
  Same class of bug as rrweb-io/rrweb#1667. (2026-05-07)

• Updated dependencies []:

  • @​posthog/types@​1.372.10
  • @​posthog/core@​1.28.4

v1.372.9

Compare Source

1.372.9

Patch Changes

• #​3537 026e09d Thanks @​TueHaulund! - Pull in the canvas-manager fix from @posthog/rrweb 0.0.61: skip canvas
  snapshots while the WebGL context is lost so transparent bitmaps don't
  poison the worker's fingerprint dedup map and silently kill canvas
  recording for the rest of the session. Also wraps getCanvas() in
  try/catch so DOM/shadow-root traversal errors can't cancel the rAF
  loop. See PR #​3527 for context. (2026-05-05)
• Updated dependencies []:
  • @​posthog/types@​1.372.9
  • @​posthog/core@​1.28.3

v1.372.8

Compare Source

1.372.8

Patch Changes

• #​3515 255b273 Thanks @​marandaneto! - Gate survey translation logs behind SDK debug logging to avoid production console spam.
  (2026-05-04)
• Updated dependencies [220cd61, 255b273]:
  • @​posthog/core@​1.28.2
  • @​posthog/types@​1.372.8

v1.372.7

Compare Source

1.372.7

Patch Changes

• Updated dependencies [8aee3d5]:
  • @​posthog/core@​1.28.1
  • @​posthog/types@​1.372.7

v1.372.6

Compare Source

1.372.6

Patch Changes

• #​3492 cf56753 Thanks @​lucasheriques! - Add translated survey rendering support in React Native and share survey translation logic through @posthog/core.
  (2026-05-01)
• Updated dependencies [cf56753, 04db756]:
  • @​posthog/core@​1.28.0
  • @​posthog/types@​1.372.6

v1.372.5

Compare Source

1.372.5

Patch Changes

• #​3448 c726aae Thanks @​posthog! - fix(exceptions): avoid cross-origin property access when calling the previous window.onunhandledrejection handler
  (2026-04-29)
• Updated dependencies []:
  • @​posthog/types@​1.372.5
  • @​posthog/core@​1.27.9

v1.372.4

Compare Source

1.372.4

Patch Changes

• #​3495 5a6b2a5 Thanks @​posthog! - Fix copy autocapture when copying or cutting text from Shadow DOM or document fragment contexts.
  (2026-04-29)
• Updated dependencies []:
  • @​posthog/types@​1.372.4
  • @​posthog/core@​1.27.8

v1.372.3

Compare Source

1.372.3

Patch Changes

• #​3488 5b8efc3 Thanks @​lucasheriques! - Add browser survey translation rendering and language tracking.
  (2026-04-27)
• Updated dependencies []:
  • @​posthog/types@​1.372.3
  • @​posthog/core@​1.27.7

v1.372.2

Compare Source

1.372.2

Patch Changes

• #​3484 cba2570 Thanks @​veryayskiy! - Fix autofocus
  (2026-04-27)
• Updated dependencies []:
  • @​posthog/types@​1.372.2
  • @​posthog/core@​1.27.6

v1.372.1

Compare Source

1.372.1

Patch Changes

• #​3464 70508df Thanks @​dustinbyrne! - Avoid using Blob.stream() for native async gzip compression to prevent Safari NotReadableError stream failures.
  (2026-04-24)
• Updated dependencies [70508df]:
  • @​posthog/core@​1.27.5
  • @​posthog/types@​1.372.1

v1.372.0

Compare Source

1.372.0

Minor Changes

• #​3470 eaa1322 Thanks @​veryayskiy! - You cannot write to a resolve ticket. Start a new one.
  (2026-04-24)

Patch Changes

• Updated dependencies []:
  • @​posthog/types@​1.372.0
  • @​posthog/core@​1.27.4

v1.371.4

Compare Source

1.371.4

Patch Changes

• #​3469 3c4fc1e Thanks @​fasyy612! - bump rrweb to 0.0.60
  (2026-04-24)
• Updated dependencies []:
  • @​posthog/types@​1.371.4
  • @​posthog/core@​1.27.3

v1.371.3

Compare Source

1.371.3

Patch Changes

• #​3445 61cf83e Thanks @​dustinbyrne! - Fix session recording in the full no-external browser bundles
  (2026-04-24)
• Updated dependencies [daf028d]:
  • @​posthog/core@​1.27.2
  • @​posthog/types@​1.371.3

v1.371.2

Compare Source

1.371.2

Patch Changes

• #​3453 96f19b7 Thanks @​turnipdabeets! - Lift OTLP log serialization helpers from posthog-js into @​posthog/core so the
  upcoming React Native logs feature consumes the same builders. Browser gains
  two fixes as a side effect: NaN and ±Infinity attribute values no longer get
  silently dropped during JSON encoding, and the scope.version OTLP field is
  now populated with the SDK version (changes the server's instrumentation_scope
  column from "posthog-js@" to "posthog-js@"). (2026-04-23)
• Updated dependencies [96f19b7]:
  • @​posthog/types@​1.371.2
  • @​posthog/core@​1.27.1

v1.371.1

Compare Source

1.371.1

Patch Changes

• #​3425 2da17e8 Thanks @​marandaneto! - Classify SDK-owned persistence keys with an explicit event exposure policy so new internal persistence state must be intentionally marked as event-visible, hidden, or derived.
  (2026-04-23)
• Updated dependencies []:
  • @​posthog/types@​1.371.1

v1.371.0

Compare Source

1.371.0

Patch Changes

• #​3432 1a8b727 Thanks @​richardsolomou! - refactor: rename __add_tracing_headers to addTracingHeaders. The __ prefix signalled an internal/experimental option, but the config is a public API (documented for linking LLM traces to session replays). __add_tracing_headers continues to work as a deprecated alias on the browser SDK.

  Also exposes patchFetchForTracingHeaders from @posthog/core so non-browser SDKs can reuse the implementation. (2026-04-23)

• Updated dependencies [1a8b727]:

  • @​posthog/core@​1.27.0
  • @​posthog/types@​1.371.0

v1.370.1

Compare Source

1.370.1

Patch Changes

• #​3442 6f19ce8 Thanks @​marandaneto! - fix(surveys): guard survey seen localStorage access
  (2026-04-22)
• Updated dependencies []:
  • @​posthog/types@​1.370.1

v1.370.0

Compare Source

1.370.0

Minor Changes

• #​3389 922a1c1 Thanks @​hpouillot! - Add exception steps to error tracking (aka breadcrumbs)
  (2026-04-22)

Patch Changes

• Updated dependencies [922a1c1]:
  • @​posthog/types@​1.370.0
  • @​posthog/core@​1.26.0

v1.369.5

Compare Source

1.369.5

Patch Changes

• Updated dependencies [1a0b58d]:
  • @​posthog/core@​1.25.3
  • @​posthog/types@​1.369.5

v1.369.4

Compare Source

1.369.4

Patch Changes

• #​3362 d61bce1 Thanks @​sampennington! - fix(cookieless): start in cookieless mode when opt_out_capturing_by_default is set
  (2026-04-21)
• Updated dependencies []:
  • @​posthog/types@​1.369.4

v1.369.3

Compare Source

1.369.3

Patch Changes

• #​3419 ea08727 Thanks @​haacked! - Reinstate $feature_flag_payloads and $surveys_activated in captured event properties.
  (2026-04-18)

• #​3416 3d8b2e2 Thanks @​feliperalmeida! - Updated dependencies: - protobufjs@​7.5.5
  (2026-04-18)

• Updated dependencies []:

  • @​posthog/types@​1.369.3

v1.369.2

Compare Source

1.369.2

Patch Changes

• #​3386 4a65604 Thanks @​dustinbyrne! - Add a preview flag for versioned browser lazy bundle asset paths.
  (2026-04-16)
• Updated dependencies [4a65604]:
  • @​posthog/types@​1.369.2

v1.369.1

Compare Source

1.369.1

Patch Changes

• #​3393 85ae4d9 Thanks @​haacked! - Exclude active feature flag payloads from event properties
  (2026-04-16)

• #​3392 00cd1ce Thanks [@​haacked](https://redirect.g

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
scripts-docs	Error		May 21, 2026 1:26am
scripts-playground	Error		May 21, 2026 1:26am

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@nuxt/scripts@446

commit: 7690d61

[vercel]

Suggested change

	"@nuxt/ui": "4.2.1",
	"@nuxt/ui": "^4.2.1",

The @nuxt/ui dependency is pinned to 4.2.1 without a caret, which is inconsistent with all other dependencies in this file that use flexible versioning with the ^ prefix.

View Details

Analysis

Inconsistent version pinning for @nuxt/ui dependency

What fails: docs/package.json line 20 specifies @nuxt/ui as pinned version 4.2.1 (without caret prefix), while all 13 other dependencies use caret versioning (^) for flexible version constraints within the major version.

How to reproduce:

cat docs/package.json | grep -A 15 '"dependencies"'

Result: Shows "@nuxt/ui": "4.2.1" (pinned) while all surrounding dependencies have caret prefix:

• "@nuxt/content": "^3.8.2"
• "@nuxt/fonts": "^0.12.1"
• "@nuxthq/studio": "^2.2.1"
• All other 10 dependencies also use ^ prefix

Expected behavior: According to npm semantic versioning, caret versioning allows compatible updates (minor/patch versions) within a major version. The project consistently uses this pattern for all other dependencies, so @nuxt/ui should be ^4.2.1 to match the established convention and allow patch/minor updates like other dependencies.

Root cause: Automated dependency update (Renovate bot commit 0b37709) preserved the previous pinned format when bumping the version from 4.0.0 to 4.2.1, rather than applying the project's standard caret versioning pattern used throughout the file.

[vercel]

Suggested change

	"posthog-js": "^1.321.2"
	"posthog-js": "^1.0.0"

The posthog-js peer dependency constraint changed from ^1.0.0 to ^1.321.2, which is unusually restrictive and appears unintentional given the patch version bump in devDependencies (1.321.1 → 1.321.2).

View Details

Analysis

Overly restrictive posthog-js peer dependency breaks backward compatibility

What fails: The posthog-js peer dependency constraint in package.json was changed from ^1.0.0 to ^1.321.2 (commit 1536ad2), restricting supported versions to 1.321.2+ and rejecting all prior versions (1.0.0-1.321.1) that would previously install.

How to reproduce:

# User has posthog-js 1.200.0 installed (legitimate version under old ^1.0.0 constraint)
npm install @nuxt/scripts
# After update, npm now rejects this version because 1.200.0 does not satisfy ^1.321.2

Result: npm/pnpm install fails with: "posthog-js@1.200.0 not satisfied by ^1.321.2"

Expected: The peer dependency should remain at ^1.0.0 (or similar permissive constraint) since:

• Code only uses posthog.init() and basic config options (api_host, capture_pageview, disable_session_recording) available since 1.0.0
• The devDependency update was only a patch bump (1.222.0 → 1.321.2), not a major version requiring API changes
• Peer dependencies should be permissive to maximize compatibility
• Semantic versioning guidance indicates patch/minor version updates within the same major version should be backward compatible

This change appears to be an error from automated dependency update tooling (Renovate) that applied the same pinpoint version to both devDependencies and peerDependencies.

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

<--- Last few GCs --->

[930:0x2ad4f000]    93805 ms: Mark-Compact (reduce) 1498.4 (1503.9) -> 1497.6 (1501.6) MB, pooled: 0 MB, 2189.99 / 0.01 ms  (+ 445.7 ms in 23 steps since start of marking, biggest step 19.7 ms, walltime since start of marking 2678 ms) (average mu = 0.242,
FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory
----- Native stack trace -----

 1: 0x73f8c4 node::OOMErrorHandler(char const*, v8::OOMDetails const&) [/opt/containerbase/tools/node/24.15.0/bin/node]
 2: 0xc06f90  [/opt/containerbase/tools/node/24.15.0/bin/node]
 3: 0xc0707f  [/opt/containerbase/tools/node/24.15.0/bin/node]
 4: 0xeaa885  [/opt/containerbase/tools/node/24.15.0/bin/node]
 5: 0xeaa8b2  [/opt/containerbase/tools/node/24.15.0/bin/node]
 6: 0xeaabaa  [/opt/containerbase/tools/node/24.15.0/bin/node]
 7: 0xebb8aa  [/opt/containerbase/tools/node/24.15.0/bin/node]
 8: 0xebfc50  [/opt/containerbase/tools/node/24.15.0/bin/node]
 9: 0x1953f71  [/opt/containerbase/tools/node/24.15.0/bin/node]
/usr/local/bin/node: line 18:   930 Aborted                 /opt/containerbase/tools/node/24.15.0/bin/node "$@"

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​nuxt/​ui@​4.7.1

View full report