chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@supabase/supabase-js (source)	^2.106.0 → ^2.106.1
@types/node (source)	^25.9.0 → ^25.9.1
pnpm (source)	11.1.3 → 11.2.1
pnpm (source)	11.1.1 → 11.2.1
typescript (source)	5.6.3 → 5.9.3
vitest (source)	^4.1.6 → ^4.1.7
vue-tsc (source)	^3.3.0 → ^3.3.1

---

Release Notes

supabase/supabase-js (@​supabase/supabase-js)

v2.106.1

Compare Source

🩹 Fixes

• misc: hide dynamic import from hermesc (#​2381)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

pnpm/pnpm (pnpm)

v11.2.1

Compare Source

Patch Changes

• Mark optional subdependency snapshots of config dependencies with optional: true in the env lockfile, matching how optional dependencies are recorded elsewhere in pnpm-lock.yaml. Previously, snapshots for the platform-specific subdeps pulled in via a config dep's optionalDependencies were written as empty objects, which was inconsistent with the rest of the lockfile and made it look like those non-host platform variants were required.
• Fix pickRegistryForPackage returning the wrong registry for an unscoped npm: alias under a scoped local name. A manifest entry like "@​private/foo": "npm:lodash@^1" was routing the lodash fetch through registries["@​private"], even though lodash is unscoped and doesn't live on that registry. The npm-alias branch now returns the alias target's own scope (or null for an unscoped target, falling through to registries.default) instead of leaking into the local key's scope.
• Don't print "Installing config dependencies..." when config dependencies are already installed and nothing needs to be fetched, re-linked, or removed.

v11.2.0

Compare Source

Minor Changes

• Experimental: Adding @pnpm/pacquet (the Rust port of pnpm) to configDependencies in pnpm-workspace.yaml now delegates the materialization phase of pnpm install to the pacquet binary. pnpm still owns dependency resolution; pacquet only fetches and imports from the freshly-written lockfile. This is an opt-in preview of the Rust install engine #​11723.

  To configure pacquet in a project, run:

  pnpm add @​pnpm/pacquet --config
  

  You'll see changes in pnpm-workspace.yaml and pnpm-lock.yaml that should be committed. If you experience any issues with pacquet, please let us know by mentioning this in the GitHub issue you create.

• configDependencies now resolve and install one level of optionalDependencies declared by the config dependency, with os/cpu/libc platform filtering applied at install time. This unlocks the esbuild/swc-style pattern where a package ships platform-specific binaries via optionalDependencies — a config dependency can now do the same and have the matching binary symlinked next to it in the global virtual store, so require('pkg-platform-arch') from inside the config dependency resolves correctly.

  The env lockfile records all platform variants regardless of host platform, so it remains portable across machines. Each entry in a config dependency's optionalDependencies must declare an exact version — ranges and tags are rejected to keep installs reproducible.

• Implement the documented pnpm login --scope <scope> flag. The scope is normalized (a leading @ is added if missing; blank values are ignored) and an @<scope>:registry=<registry> mapping is written to the pnpm auth file alongside the auth token. Subsequent installs of @<scope>/* packages then route to the chosen registry. Previously pnpm login --scope foo errored with Unknown option: 'scope' despite the flag being listed in the online documentation #​11716.

• pnpm outdated and pnpm update --interactive now report Node.js, Deno, and Bun runtimes installed as project dependencies (runtime: specifiers). Previously these were silently skipped.

Patch Changes

• Fix cafile=<relative-path> in .npmrc being read from the wrong directory when pnpm is invoked from a different cwd (e.g. pnpm --dir <project> install from a CI wrapper or monorepo script). The path is now resolved against the directory of the .npmrc that declared it, not process.cwd(). Before this fix the CA file silently failed to load — the install proceeded without the configured CA and the user only saw TLS errors against a private registry, with no log line tying back to the wrongly resolved path #​11624.

• Fix config.registry getting a trailing slash appended when registry is set in .npmrc and no registries.default is provided by pnpm-workspace.yaml. The sync from registries.default to config.registry introduced in #​11744 now only fires when the workspace manifest actually contributes a different default.

• Fix global add/update to handle minimumReleaseAge policy violations instead of surfacing an internal resolver guardrail error.

• Fix two crashes with injectWorkspacePackages: true when the lockfile has been pruned (e.g. by turbo prune --docker):

  • Cannot use 'in' operator to search for 'directory' in undefined: a peer-dependency-variant injected snapshot inherits its resolution from the base packages: entry; when a pruner drops that base entry the readers crash. convertToLockfileObject now reconstructs the directory resolution from the file: depPath at load time — a single normalization point, so every reader sees a fully-formed snapshot.
  • ERR_PNPM_ENOENT on node_modules/.bin/<tool>: after prepare/postinstall, runLifecycleHooksConcurrently re-imported each injected workspace package; the scanDir-into-filesMap workaround fed target-internal paths to the importer, which the makeEmptyDir fast path (#​11088) then wiped. Drop the workaround and pass keepModulesDir: true so the importer preserves the target's existing node_modules (bin links + transitive deps) and source files keep their hardlinks.

• Fixed pnpm login and pnpm logout ignoring registries.default from pnpm-workspace.yaml #​10099.

• Fix the minimumReleaseAge (publishedBy) maturity shortcut to be inclusive at the cutoff. Previously, abbreviated metadata whose modified field equalled the cutoff fell off the fast path and triggered a full-metadata re-fetch (or a MISSING_TIME error when full metadata wasn't permitted). Since modified is an upper bound on every version's publish time, modified == publishedBy already implies every version passes the per-version <= filter in filterPkgMetadataByPublishDate, so the shortcut now accepts the boundary case directly. Strictly > (was >=) at the rejection branch.

• Honor publishConfig.access when publishing packages.

microsoft/TypeScript (typescript)

v5.9.3: TypeScript 5.9.3

Compare Source

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

• fixed issues query for Typescript 5.9.0 (Beta).
• fixed issues query for Typescript 5.9.1 (RC).
• No specific changes for TypeScript 5.9.2 (Stable)
• fixed issues query for Typescript 5.9.3 (Stable).

Downloads are available on:

• npm

v5.9.2: TypeScript 5.9

Compare Source

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

• fixed issues query for Typescript 5.9.0 (Beta).
• fixed issues query for Typescript 5.9.1 (RC).
• No specific changes for TypeScript 5.9.2 (Stable)

Downloads are available on:

• npm

v5.8.3: TypeScript 5.8.3

Compare Source

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement.

• fixed issues query for Typescript 5.8.0 (Beta).
• fixed issues query for Typescript 5.8.1 (RC).
• fixed issues query for Typescript 5.8.2 (Stable).
• fixed issues query for Typescript 5.8.3 (Stable).

Downloads are available on:

• npm

v5.8.2: TypeScript 5.8

Compare Source

For release notes, check out the release announcement.

• fixed issues query for Typescript 5.8.0 (Beta).
• fixed issues query for Typescript 5.8.1 (RC).
• fixed issues query for Typescript 5.8.2 (Stable).

Downloads are available on:

• npm

v5.7.3: TypeScript 5.7.3

Compare Source

For release notes, check out the release announcement.

• fixed issues query for Typescript 5.7.0 (Beta).
• fixed issues query for Typescript 5.7.1 (RC).
• fixed issues query for Typescript 5.7.2 (Stable).
• fixed issues query for Typescript 5.7.3 (Stable).

Downloads are available on npm

v5.7.2: TypeScript 5.7

Compare Source

For release notes, check out the release announcement.

• fixed issues query for Typescript 5.7.0 (Beta).
• fixed issues query for Typescript 5.7.1 (RC).
• fixed issues query for Typescript 5.7.2 (Stable).

Downloads are available on:

• npm

vitest-dev/vitest (vitest)

v4.1.7

Compare Source

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in #​10384 (4f0f2)

    View changes on GitHub

vuejs/language-tools (vue-tsc)

v3.3.1

Compare Source

language-core

• fix: avoid extraneous children error for conditional slots (#​6056) - Thanks to @​KazariEX!

language-service

• refactor: replace scanner-based missing props hints detection with AST traversal - Thanks to @​KazariEX!

typescript-plugin

• fix: get component prop details from symbols - Thanks to @​KazariEX!
• fix: skip unchecked JS identifiers in component props (#​6055) - Thanks to @​KazariEX!

vscode

• fix: resolve typescript plugin path from resolved server path (#​6058) - Thanks to @​KazariEX!

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
supabase	Error		May 21, 2026 7:47pm
supabase-demo	Error		May 21, 2026 7:47pm

[pkg-pr-new]

npm i https://pkg.pr.new/@nuxtjs/supabase@613

commit: bc78626

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 3 workspace projects
? Verifying lockfile against supply-chain policies (1754 entries)...

   ╭─────────────────────────────────────────╮
   │                                         │
   │   Update available! 11.2.1 → 11.2.2.    │
   │   Changelog: https://pnpm.io/v/11.2.2   │
   │    To update, run: pnpm add -g pnpm     │
   │                                         │
   ╰─────────────────────────────────────────╯

✓ Lockfile passes supply-chain policies (1754 entries in 11.2s)
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 24, reused 0, downloaded 0, added 0
Progress: resolved 26, reused 0, downloaded 0, added 0
Progress: resolved 199, reused 0, downloaded 0, added 0
Progress: resolved 284, reused 0, downloaded 0, added 0
Progress: resolved 438, reused 0, downloaded 0, added 0
Progress: resolved 559, reused 0, downloaded 0, added 0
Progress: resolved 591, reused 0, downloaded 0, added 0
Progress: resolved 760, reused 0, downloaded 0, added 0
Progress: resolved 873, reused 0, downloaded 0, added 0
Progress: resolved 981, reused 0, downloaded 0, added 0
Progress: resolved 1072, reused 0, downloaded 0, added 0
Progress: resolved 1194, reused 0, downloaded 1, added 0
Progress: resolved 1522, reused 0, downloaded 1, added 0
Progress: resolved 1603, reused 0, downloaded 1, added 0
Progress: resolved 1641, reused 0, downloaded 1, added 0
Progress: resolved 1752, reused 0, downloaded 2, added 0
[ERR_PNPM_NO_MATURE_MATCHING_VERSION] 21 versions do not meet the minimumReleaseAge constraint:
  @supabase/auth-js@2.106.1 was published at 2026-05-20T12:31:34.128Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @supabase/functions-js@2.106.1 was published at 2026-05-20T12:31:25.405Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @supabase/postgrest-js@2.106.1 was published at 2026-05-20T12:31:25.549Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @supabase/realtime-js@2.106.1 was published at 2026-05-20T12:31:24.931Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @supabase/storage-js@2.106.1 was published at 2026-05-20T12:31:30.823Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @supabase/supabase-js@2.106.1 was published at 2026-05-20T12:31:40.004Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @vitest/expect@4.1.7 was published at 2026-05-20T07:19:30.353Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @vitest/mocker@4.1.7 was published at 2026-05-20T07:19:19.670Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @vitest/pretty-format@4.1.7 was published at 2026-05-20T07:19:07.386Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @vitest/pretty-format@4.1.7 was published at 2026-05-20T07:19:07.386Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @vitest/pretty-format@4.1.7 was published at 2026-05-20T07:19:07.386Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @vitest/runner@4.1.7 was published at 2026-05-20T07:19:23.373Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @vitest/snapshot@4.1.7 was published at 2026-05-20T07:19:26.917Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @vitest/spy@4.1.7 was published at 2026-05-20T07:19:11.425Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @vitest/spy@4.1.7 was published at 2026-05-20T07:19:11.425Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @vitest/spy@4.1.7 was published at 2026-05-20T07:19:11.425Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @vitest/utils@4.1.7 was published at 2026-05-20T07:19:15.696Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @vitest/utils@4.1.7 was published at 2026-05-20T07:19:15.696Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @vitest/utils@4.1.7 was published at 2026-05-20T07:19:15.696Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  @vitest/utils@4.1.7 was published at 2026-05-20T07:19:15.696Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)
  vitest@4.1.7 was published at 2026-05-20T07:19:42.142Z, within the minimumReleaseAge cutoff (2026-05-19T19:46:43.333Z)