chore(deps): update all-dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
alpine	final	digest	59855d3 → 4d889c1
go		patch	1.26.1 → 1.26.3
grafana/k6		minor	1.6.1 → 1.7.1
node (source)		minor	25.8.1 → 25.9.0
pinact		minor	3.8.0 → 3.10.1
pnpm (source)		minor	10.32.1 → 10.34.1
prom/prometheus		minor	v3.10.0 → v3.12.0
yq		minor	4.52.4 → 4.53.2

---

Release Notes

golang/go (go)

v1.26.3

Compare Source

v1.26.2

Compare Source

nodejs/node (node)

v25.9.0: 2026-04-01, Version 25.9.0 (Current), @​aduh95

Compare Source

Notable Changes

Test runner module mocking improvements

MockModuleOptions.defaultExport and MockModuleOptions.namedExports have been
consolidated into a single option MockModuleOptions.exports to align with user
expectations and other test runners.

A default property on MockModuleOptions.exports represents the default
export, and own enumerable properties are treated as named exports.

An automated migration is available to update user code:
https://github.com/nodejs/userland-migrations/tree/main/recipes/mock-module-exports

npx codemod @​nodejs/mock-module-exports

Contributed by sangwook in #​61727.

Other notable changes

• [312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #​61674
• [62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #​58708
• [d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #​62183
• [f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #​62188
• [67b854d407] - (SEMVER-MINOR) repl: remove dependency on node:domain (Matteo Collina) #​61227
• [966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #​62158
• [e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #​62066

Commits

• [312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #​61674
• [bfff8cb2ab] - (SEMVER-MINOR) benchmark: add benchmarks for experimental stream/iter (James M Snell) #​62066
• [c721d68502] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #​62084
• [e2f03c8e92] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #​61871
• [2fcd07f1ba] - build: support empty libname flags in configure.py (Antoine du Hamel) #​62477
• [b800c57fce] - build: fix timezone-update path references (Chengzhong Wu) #​62280
• [7dc5a1e9b4] - build: skip dockit on IBMi (SRAVANI GUNDEPALLI) #​62189
• [f0eea0f905] - build: fix --node-builtin-modules-path (Filip Skokan) #​62115
• [62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #​58708
• [ac4b485698] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #​62485
• [d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #​62183
• [3009980d9d] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #​62254
• [f5725ca81d] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #​62218
• [f69ed4bc3f] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #​61875
• [4d96e53570] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #​62169
• [93d77719e8] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #​62170
• [3d2e23a981] - deps: update ada to 3.4.4 (Node.js GitHub Bot) #​62414
• [176d6d2205] - deps: update timezone to 2026a (Node.js GitHub Bot) #​62164
• [95c7fc67ba] - deps: update googletest to 2461743 (Node.js GitHub Bot) #​62484
• [e5e9f2044a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #​62382
• [905b94266a] - deps: update ngtcp2 to 1.21.0 (Node.js GitHub Bot) #​62051
• [180c150122] - deps: V8: cherry-pick cf1bce4 (Richard Lau) #​62449
• [bc265aa003] - deps: upgrade npm to 11.12.1 (npm team) #​62448
• [f1b28612c4] - deps: V8: cherry-pick b25cd62 (Yagiz Nizipli) #​62354
• [757719d2af] - deps: disable rust icu compiled_data features (Chengzhong Wu) #​62284
• [3bdc955b63] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #​62256
• [a9703d194a] - deps: update googletest to 73a63ea (Node.js GitHub Bot) #​61927
• [85138935cb] - deps: update merve to 1.2.2 (Node.js GitHub Bot) #​62213
• [231521e75e] - diagnostics_channel: add diagnostics channels for web locks (Ilyas Shabi) #​62123
• [0093863664] - doc: deprecate module.register() (DEP0205) (Geoffrey Booth) #​62395
• [0b96ece6be] - doc: clarify that features cannot be both experimental and deprecated (Antoine du Hamel) #​62456
• [8d3ea975f5] - doc: fix 'transfered' typo in quic.md (lilianakatrina684-a11y) #​62492
• [08ff16e0ba] - doc: move sqlite type conversion section to correct level (René) #​62482
• [61cc747dd8] - doc: add Rafael to last security release steward (Rafael Gonzaga) #​62423
• [64cfa5a6fa] - doc: use npm-published version of doc-kit (Aviv Keller) #​62139
• [1020321fb0] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #​62206
• [9caa7855b2] - doc: fix guaranteed typo (lilianakatrina684-a11y) #​62374
• [e254f65306] - doc: enhance clarification about the main field (Mowafak Almahaini) #​62302
• [9e724b53f8] - doc: remove spawn with shell example from bat/cmd section (Kit Dallege) #​62243
• [7f37c17516] - doc: minor typo fix (Jeff Matson) #​62358
• [eb0ca98f01] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #​62355
• [198b6e0932] - doc: deprecate CryptoKey use in node:crypto (Filip Skokan) #​62321
• [17e5aee6c5] - doc: fix small environment_variables typo (chris) #​62279
• [193d629895] - doc: test and test-only targets do not run linter (Xavier Stouder) #​62120
• [4a1f20ec4a] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #​62208
• [f976c9214d] - doc: clarify that any truthy value of shell is part of DEP0190 (Antoine du Hamel) #​62249
• [4d83972681] - doc: remove outdated Chrome 66 and ndb references from debugger (Kit Dallege) #​62202
• [71f2eada5b] - doc: add throwIfNoEntry version history to fs.stat (kovan) #​62204
• [670c80893b] - doc: add note (and caveat) for mock.module about customization hooks (Jacob Smith) #​62075
• [2ff5cb13f5] - doc,test: clarify --eval syntax for leading '-' scripts (kovan) #​62244
• [6c6c9004c4] - esm: fix typo in worker loader hook comment (jakecastelli) #​62475
• [1cdd23c9f3] - esm: fix source phase identity bug in loadCache eviction (Guy Bedford) #​62415
• [4f4ff15794] - esm: fix path normalization in finalizeResolution (Antoine du Hamel) #​62080
• [088167d102] - events: avoid cloning listeners array on every emit (Gürgün Dayıoğlu) #​62261
• [0250b436ee] - fs: fix cpSync to handle non-ASCII characters (Stefan Stojanovic) #​61950
• [b67a8fb171] - inspector: add Target.getTargets and extract TargetManager (Kohei) #​62487
• [ffcc5a5722] - lib: make SubtleCrypto.supports enumerable (Filip Skokan) #​62307
• [92ef2ad8fa] - lib: prefer primordials in SubtleCrypto (Filip Skokan) #​62226
• [40a43ac4d0] - module: fix coverage of mocked CJS modules imported from ESM (Marco) #​62133
• [3ef0a5b90e] - quic: remove CryptoKey support from session keys option (Filip Skokan) #​62335
• [3c8dd8eb8e] - repl: use vm DONT_CONTEXTIFY context (Chengzhong Wu) #​62371
• [f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #​62188
• [e4c164e045] - repl: handle exceptions from async context after close (Anna Henningsen) #​62165
• [67b854d407] - (SEMVER-MINOR) repl: remove dependency on domain module (Matteo Collina) #​61227
• [966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #​62158
• [fe82baf970] - src: improve EC JWK import performance (Filip Skokan) #​62396
• [d490b171e0] - src: handle null backing store in ArrayBufferViewContents::Read (Mert Can Altin) #​62343
• [0e4af848bc] - src: convert context_frame field in AsyncWrap to internal field (Anna Henningsen) #​62103
• [02980b8c8f] - src: enable compilation/linking with OpenSSL 4.0 (Filip Skokan) #​62410
• [064f7c2fa6] - src: use stack allocation in indexOf latin1 path (Mert Can Altin) #​62268
• [ede52bc2dc] - src,sqlite: fix filterFunc dangling reference (Edy Silva) #​62281
• [e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #​62066
• [03839fb087] - stream: preserve error over AbortError in pipeline (Marco) #​62113
• [0000d2f011] - stream: replace bind with arrow function for onwrite callback (Ali Hassan) #​62087
• [3796a73719] - test: update WPT for WebCryptoAPI to 2cb332d (Node.js GitHub Bot) #​62483
• [ad8309415b] - test: update WPT for url to fc3e651 (Node.js GitHub Bot) #​62379
• [bed89b037e] - test: wait for reattach before initial break on restart (Yuya Inoue) #​62471
• [c9ffffcc55] - test: disable flaky WPT Blob test on AIX (James M Snell) #​62470
• [fd41ef31f6] - (SEMVER-MINOR) test: add tests for experimental stream/iter implementation (James M Snell) #​62066
• [1b9d8d3eec] - test: avoid flaky run wait in debugger restart test (Yuya Inoue) #​62112
• [cb08a29d51] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #​62238
• [abea0af8a9] - test: add WebCrypto Promise.prototype.then pollution regression tests (Filip Skokan) #​62226
• [47a2132269] - test: update WPT for WebCryptoAPI to 6a1c545 (Node.js GitHub Bot) #​62187
• [2c63d3006c] - test_runner: add exports option for module mocks (sangwook) #​61727
• [44ac0e1302] - test_runner: make it compatible with fake timers (Matteo Collina) #​59272
• [1865691275] - test_runner: set non-zero exit code when suite errors occur (Edy Silva) #​62282
• [0252b2bab8] - tools: bump picomatch from 4.0.3 to 4.0.4 in /tools/eslint (dependabot[bot]) #​62439
• [3368155267] - tools: bump yaml from 2.8.2 to 2.8.3 in /tools/doc (dependabot[bot]) #​62437
• [5e47c359f5] - tools: adopt the --check-for-duplicates NCU flag (Antoine du Hamel) #​62478
• [4a604e82d0] - tools: bump picomatch in /tools/doc (dependabot[bot]) #​62438
• [d1a98b4ddb] - tools: bump flatted from 3.4.1 to 3.4.2 in /tools/eslint (dependabot[bot]) #​62375
• [c32daa1ab4] - tools: bump eslint deps (Huáng Jùnliàng) #​62356
• [7a2fcc6d41] - tools: do not swallow error in lint-nix workflow (Antoine du Hamel) #​62292
• [c41a2871b5] - tools: add eslint-plugin-regexp (Huáng Jùnliàng) #​62093
• [56dfeb06df] - tools: fix timeout errors in lint-nix job (Antoine du Hamel) #​62265
• [22fc8078e8] - tools: bump flatted from 3.3.3 to 3.4.1 in /tools/eslint (dependabot[bot]) #​62255
• [409b0663bd] - tools: bump undici from 6.23.0 to 6.24.1 in /tools/doc (dependabot[bot]) #​62250
• [67c69750f4] - tools: validate all commits that are pushed to main (Antoine du Hamel) #​62246
• [7d9db8cd21] - tools: keep GN files when updating Merve (Antoine du Hamel) #​62167
• [6c8fa42ba2] - typings: rationalise TypedArray types (René) #​62174
• [531c64d04e] - url: enable simdutf for ada (Yagiz Nizipli) #​61477
• [2000caccde] - util: allow color aliases in styleText (sangwook) #​62180
• [0aed332ab4] - wasm: support js string constant esm import (Guy Bedford) #​62198
• [d3fd4a978b] - worker: heap profile optimizations (Ilyas Shabi) #​62201
• [e992a34a18] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #​62325

suzuki-shunsuke/pinact (pinact)

v3.10.1

Compare Source

🐛 Bug Fixes

#​1535 pin uses lines with multiple spaces after the YAML list dash

v3.10.0

Compare Source

Features

#​1530 Support pinning branches to latest stable tags by the --branch-to-tag option

The default behabiour isn't changed.
By default, pinact doesn't pin branches such as main or master.
If you want to pin specific branches, you can use the --branch-to-tag option.

e.g.

pinact run --branch-to-tag '^main$' --branch-to-tag '^release/.*$'

v3.9.2

Compare Source

Fixes

#​1493 Preserve original line endings when updating workflows

v3.9.1

Compare Source

v3.9.0

Compare Source

Features

#​1365 Make version separator configurable via configuration file @​ReenigneArcher
#​1372 Make version separator configurable via command line option and environment variable

🐛 Bug Fixes

#​1359 Fix a bug that -log-color doesn't work

Others

• docs: fix readme for ignore_actions[].ref by @​nasa9084 in #​1323
• docs: fix readme for correct GHES_API_URL by @​maruloop in #​1324
• docs(INSTALL): add mise alternate installation documentation by @​jylenhof in #​1331

pnpm/pnpm (pnpm)

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

• Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Gold Sponsors

v10.34.0

Compare Source

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

• Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

  A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

• Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Gold Sponsors

v10.33.3

Compare Source

v10.33.2

Compare Source

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes

• When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.

Platinum Sponsors

Gold Sponsors

v10.33.0

Compare Source

prometheus/prometheus (prom/prometheus)

v3.12.0: 3.12.0 / 2026-05-28

Compare Source

This release contains security fixes, new features (especially around PromQL and Service Discovery), performance improvements in TSDB, Start Timestamp improvements and numerous bug fixes.

Thanks to all contributors!

Key Highlights

• Security: Two security vulnerabilities have been addressed: a denial of service in remote-write (snappy decompression limit) and a secret exposure leak in STACKIT service discovery.
• PromQL & Metadata: Several features and bug fixes related to the experimental "start timestamps" support, including updates to rate(), irate(), increase(), and resets(). New experimental functions start(), end(), range(), and step() are introduced.
• TSDB Performance: Optimizations in head chunk lookup (constant time) and mmap operations to reduce CPU usage.
• Service Discovery: Added support for DigitalOcean Managed Databases and Outscale VM, along with improvements to AWS SD (IPv6 support for EC2, external ID support).
• UI: Added a web interface for deleting time series and cleaning tombstones.

Changelog

• [SECURITY] Remote: Reject snappy-compressed received requests via Remote Write whose declared decoded length exceeds the 32MB. Thanks to @​hibrian827 for reporting it. #​18642
• [SECURITY] STACKIT SD: Fix secrets being exposed in plaintext via /-/config endpoint. Thanks to @​August829 and @​Phaxma for reporting. GHSA-39j6-789q-qxvh #​18649
• [CHANGE] TSDB/Agent: Adds Start Timestamp field to all WAL Histogram samples in memory; used st-storage flag is enabled. #​18221
• [FEATURE] API: Add /api/v1/status/self_metrics endpoint returning the current state of the Prometheus server's own metrics about itself as JSON. #​18411
• [FEATURE] Discovery: Add DigitalOcean Managed Databases service discovery #​18287
• [FEATURE] Prometheus: Add support for the aix/ppc64 compilation target #​18321
• [FEATURE] Discovery: Add Outscale VM service discovery (outscale_sd_configs) for discovering scrape targets from the Outscale Cloud API. #​18139
• [FEATURE] PromQL: Emit a warning when sort, sort_by_label or sort_by_label_desc is used within range (matrix) queries, as these functions do not have effect in that context. #​18498
• [FEATURE] PromQL: Add start(), end(), range(), and step() experimental functions #​17877
• [FEATURE] PromQL: Update resets() function to consider start timestamp resets. Hidden behind use-start-timestamps feature flag. #​18627
• [FEATURE] Prometheus: Promote auto-reload-config as stable #​18620
• [FEATURE] TSDB/Agent: Add CheckpointFromInMemorySeries option to agent.DB that enables checkpoint based on in-memory series. #​17948
• [FEATURE] UI: Add a web interface for deleting time series and cleaning tombstones, accessible from the Status menu. #​18390
• [FEATURE] PromQL: Use start timestamps for rate(), irate(), and increase() calculations, behind a feature flag use-start-timestamps. Doesn't work together with extended range selectors anchored and smoothed. #​18344
• [FEATURE] Scrape: Added a feature flag st-synthesis which synthesizes unknown STs for scraped cumulative metrics. Useful when Remote Writing 2.0 with delta or Otel-based backends. #​18279
• [FEATURE] promqltest: support @st annotation in load blocks to specify per-sample start timestamps. #​18360
• [ENHANCEMENT] API: reject concurrent fgprof profiles. #​18651
• [ENHANCEMENT] AWS SD: Add optional external_id field to ECS/MSK/RDS/Elasticache. #​18579
• [ENHANCEMENT] AWS SD: Add optional external_id field. #​17171
• [ENHANCEMENT] Discovery: Propagate SD target updates faster by introducing dynamic backoff interval instead of static 5s interval for throttling. #​18187
• [ENHANCEMENT] Promtool: Add --header flag to query instant command, matching existing query range behaviour. #​18418
• [ENHANCEMENT]: AWS SD: Allows EC2 service discovery to discover IPv6 addresses to communicate with target endpoints. The private IPv4 address remains the default when both IPv4 and IPv6 addresses are present. #​16088
• [PERF] TSDB: Make head chunk lookup in range queries constant time instead of quadratic time #​18302
• [PERF] TSDB: Skip entire stripes in mmapHeadChunks when no series need mmapping, reducing CPU utilization significantly at production-relevant scales. #​18541
• [PERF] TSDB: Skip clean series during periodic head chunk mmap using cached head chunk count #​18272
• [PERF] PromQL: Address FloatHistogram.KahanAdd performance regression on Go 1.26. #​18568
• [BUGFIX] PromQL: Fix info() function incorrectly handling negated __name__ matchers #​17932
• [BUGFIX] API: Return duration expressions in /parse_ast. #​18624
• [BUGFIX] API: correctly document formats accepted for duration query request parameters (step, timeout and lookback delta) in OpenAPI spec #​18305
• [BUGFIX] Scrape: AppenderV2 now tracks staleness even when OOO/duplicate series errors happen similar to AppenderV1 #​18567
• [BUGFIX] Config: Validate remote_write queue_config fields at load time to prevent runtime panic and silent misconfiguration. #​18209
• [BUGFIX] Discovery/Consul: Add health_filter for Health API filtering, fixing breakage when using Catalog-only fields like ServiceTags in filter. #​18479 #​18499
• [BUGFIX] OTLP: limit decompressed body size for gzip-encoded OTLP write requests. [#​18408](https://redirect.github.com/prometh

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

• Branch creation
  • "on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.