chore: update minor-updates

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@trivago/prettier-plugin-sort-imports	6.0.0 → 6.0.2
pnpm (source)	10.24.0 → 10.30.0
prettier (source)	3.7.1 → 3.8.1
prettier-plugin-sort-json	4.1.1 → 4.2.0
sass	1.94.2 → 1.97.3

---

Release Notes

trivago/prettier-plugin-sort-imports (@​trivago/prettier-plugin-sort-imports)

v6.0.2

Compare Source

Bug fixes

• Fix recognising mandatory prefix built-in imports #​389 by @​TomFryersMidsummer - Fixed detection of Node.js built-in modules that are only accessible with the node: prefix (like node:test, node:sqlite) to be correctly recognized when using <BUILTIN_MODULES> placeholder

v6.0.1

Compare Source

Bug fixes

• Fix Svelte export snippet parsing #​390 - Fixed by adding support for new Svelte snippet syntax

pnpm/pnpm (pnpm)

v10.30.0

Compare Source

v10.29.3

Compare Source

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

• Security fix: prevent path traversal in directories.bin field.

• When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

  This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

  Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

• Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Gold Sponsors

v10.28.1

Compare Source

v10.28.0

Compare Source

v10.27.0

Compare Source

v10.26.2: pnpm 10.26.2

Compare Source

Patch Changes

• Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #​10307.

• Fix installation of Git dependencies using annotated tags #​10335.

  Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out commit hash didn't match the stored tag object hash.

• Binaries of runtime engines (Node.js, Deno, Bun) are written to node_modules/.bin before lifecycle scripts (install, postinstall, prepare) are executed #​10244.

• Try to avoid making network calls with preferOffline #​10334.

Platinum Sponsors

Gold Sponsors

v10.26.1: pnpm 10.26.1

Compare Source

Patch Changes

• Don't fail on pnpm add, when blockExoticSubdeps is set to true #​10324.
• Always resolve git references to full commits and ensure HEAD points to the commit after checkout #​10310.

Platinum Sponsors

Gold Sponsors

v10.26.0

Compare Source

v10.25.0

Compare Source

prettier/prettier (prettier)

v3.8.1

Compare Source

v3.8.0

Compare Source

diff

🔗 Release note

v3.7.4

Compare Source

diff

LWC: Avoid quote around interpolations (#​18383 by @​kovsu)

<!-- Input -->
<div foo={bar}>   </div>

<!-- Prettier 3.7.3 (--embedded-language-formatting off) -->
<div foo="{bar}"></div>

<!-- Prettier 3.7.4 (--embedded-language-formatting off) -->
<div foo={bar}></div>

TypeScript: Fix comment inside union type gets duplicated (#​18393 by @​fisker)

// Input
type Foo = (/** comment */ a | b) | c;

// Prettier 3.7.3
type Foo = /** comment */ (/** comment */ a | b) | c;

// Prettier 3.7.4
type Foo = /** comment */ (a | b) | c;

TypeScript: Fix unstable comment print in union type comments (#​18395 by @​fisker)

// Input
type X = (A | B) & (
  // comment
  A | B
);

// Prettier 3.7.3 (first format)
type X = (A | B) &
  (// comment
  A | B);

// Prettier 3.7.3 (second format)
type X = (
  | A
  | B // comment
) &
  (A | B);

// Prettier 3.7.4
type X = (A | B) &
  // comment
  (A | B);

v3.7.3

Compare Source

diff

API: Fix prettier.getFileInfo() change that breaks VSCode extension (#​18375 by @​fisker)

An internal refactor accidentally broke the VSCode extension plugin loading.

v3.7.2

Compare Source

diff

JavaScript: Fix string print when switching quotes (#​18351 by @​fisker)

// Input
console.log("A descriptor\\'s .kind must be \"method\" or \"field\".")

// Prettier 3.7.1
console.log('A descriptor\\'s .kind must be "method" or "field".');

// Prettier 3.7.2
console.log('A descriptor\\\'s .kind must be "method" or "field".');

JavaScript: Preserve quote for embedded HTML attribute values (#​18352 by @​kovsu)

// Input
const html = /* HTML */ ` <div class="${styles.banner}"></div> `;

// Prettier 3.7.1
const html = /* HTML */ ` <div class=${styles.banner}></div> `;

// Prettier 3.7.2
const html = /* HTML */ ` <div class="${styles.banner}"></div> `;

TypeScript: Fix comment in empty type literal (#​18364 by @​fisker)

// Input
export type XXX = {
  // tbd
};

// Prettier 3.7.1
export type XXX = { // tbd };

// Prettier 3.7.2
export type XXX = {
  // tbd
};

Gudahtt/prettier-plugin-sort-json (prettier-plugin-sort-json)

v4.2.0

Compare Source

Added

• Extend Prettier’s Options interface with plugin options (#​292)
  • This provides autocomplete when editing a local prettier.config.ts

Fixed

• Fix sorting of negative numbers (#​291)
  • The numeric sort option was not recognizing negative numbers as numbers

sass/dart-sass (sass)

v1.97.3

Compare Source

• Fix a bug where nesting an at-rule within multiple style rules in plain CSS
  could cause outer style rules to be omitted.

v1.97.2

Compare Source

• Additional fixes for implicit configuration when nested imports are involved.

v1.97.1

Compare Source

v1.97.0

Compare Source

• Add support for the display-p3-linear color space.

v1.96.0

Compare Source

• Allow numbers with complex units (more than one numerator unit or more than
  zero denominator units) to be emitted to CSS. These are now emitted as
  calc() expressions, which now support complex units in plain CSS.

v1.95.1

Compare Source

• No user-visible changes.

v1.95.0

Compare Source

• Add support for the CSS-style if() function. In addition to supporting the
  plain CSS syntax, this also supports a sass() query that takes a Sass
  expression that evaluates to true or false at preprocessing time depending
  on whether the Sass value is truthy. If there are no plain-CSS queries, the
  function will return the first value whose query returns true during
  preprocessing. For example, if(sass(false): 1; sass(true): 2; else: 3)
  returns 2.

• The old Sass if() syntax is now deprecated. Users are encouraged to migrate
  to the new CSS syntax. if($condition, $if-true, $if-false) can be changed to
  if(sass($condition): $if-true; else: $if-false).

  See the Sass website for details.

• Plain-CSS if() functions are now considered "special numbers", meaning that
  they can be used in place of arguments to CSS color functions.

• Plain-CSS if() functions and attr() functions are now considered "special
  variable strings" (like var()), meaning they can now be used in place of
  multiple arguments or syntax fragments in various CSS functions.

v1.94.3

Compare Source

• Fix the span reported for standalone % expressions followed by whitespace.

---

Configuration

📅 Schedule: Branch creation - "after 11:00pm on the 1 day of the month,before 4am on the 2 day of the month,after 11:00pm on the 15 day of the month,before 4am on the 16 day of the month" in timezone Europe/Vienna, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.