chore(deps): update all-dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
go		minor	1.25.7 → 1.26.0
golang	stage	minor	1.25-alpine → 1.26-alpine
grafana/grafana		digest	5c1eb28 → 62a54c7
grafana/k6		digest	9e00f7d → 921615e
node (source)		patch	25.6.0 → 25.6.1
pnpm (source)		minor	10.28.2 → 10.29.3
yq		patch	4.52.2 → 4.52.4

---

Release Notes

golang/go (go)

v1.26.0

Compare Source

nodejs/node (node)

v25.6.1: 2026-02-10, Version 25.6.1 (Current), @​aduh95

Compare Source

Notable Changes

• [47df4328d7] - build,deps: replace cjs-module-lexer with merve (Yagiz Nizipli) #​61456

Commits

• [47df4328d7] - build,deps: replace cjs-module-lexer with merve (Yagiz Nizipli) #​61456
• [a727054503] - deps: upgrade npm to 11.9.0 (npm team) #​61685
• [c78c49ed6b] - deps: update amaro to 1.1.7 (Node.js GitHub Bot) #​61730
• [4790816d9b] - deps: update minimatch to 10.1.2 (Node.js GitHub Bot) #​61732
• [8c71740e8a] - deps: update undici to 7.21.0 (Node.js GitHub Bot) #​61683
• [e559ef6ab1] - deps: update googletest to 56efe39 (Node.js GitHub Bot) #​61605
• [300de2bb5a] - deps: update amaro to 1.1.6 (Node.js GitHub Bot) #​61603
• [e71e9505ef] - dns: fix Windows SRV ECONNREFUSED by adjusting c-ares fallback detection (notvivek12) #​61453
• [439b816bc7] - doc: clarify EventEmitter error handling in threat model (Matteo Collina) #​61701
• [c1c6641f23] - doc: mention default option for test runner env (Steven) #​61659
• [41ec451f98] - doc: fix --inspect security warning section (Tim Perry) #​61675
• [bb90ef2356] - doc: document url.format(urlString) as deprecated under DEP0169 (René) #​61644
• [513df82e6f] - doc: update to Visual Studio 2026 manual install (Mike McCready) #​61655
• [9409d30736] - doc: deprecation add more codemod (Augustin Mauroy) #​61642
• [75a7a67151] - doc: fix grammatical error in README.md (ayj8201) #​61653
• [821e59e884] - doc: correct tools README Boxstarter link (Mike McCready) #​61638
• [4998f539a0] - doc: update server.dropMaxConnection link (YuSheng Chen) #​61584
• [9383ac4ab7] - http: implement slab allocation for HTTP header parsing (Mert Can Altin) #​61375
• [e90eb1d561] - meta: persist sccache daemon until end of build workflows (René) #​61639
• [ade36ac367] - meta: bump github/codeql-action from 4.31.9 to 4.32.0 (dependabot[bot]) #​61622
• [26638bd67f] - meta: bump step-security/harden-runner from 2.14.0 to 2.14.1 (dependabot[bot]) #​61621
• [eaa9a96cb6] - meta: bump actions/setup-python from 6.1.0 to 6.2.0 (dependabot[bot]) #​61627
• [fd98187828] - meta: bump cachix/cachix-action (dependabot[bot]) #​61626
• [820c1d021c] - meta: bump actions/setup-node from 6.1.0 to 6.2.0 (dependabot[bot]) #​61625
• [72a4136bd5] - meta: bump actions/cache from 5.0.1 to 5.0.3 (dependabot[bot]) #​61624
• [e3ef6cb3bc] - meta: bump peter-evans/create-pull-request from 8.0.0 to 8.1.0 (dependabot[bot]) #​61623
• [020a836202] - meta: bump actions/stale from 10.1.0 to 10.1.1 (dependabot[bot]) #​61620
• [0df72f07c8] - meta: bump actions/checkout from 6.0.1 to 6.0.2 (dependabot[bot]) #​61619
• [d147c08b83] - module: do not invoke resolve hooks twice for imported cjs (Joyee Cheung) #​61529
• [a2843f8556] - net: defer synchronous destroy calls in internalConnect (RajeshKumar11) #​61658
• [7fb7030781] - repl: fix flaky test-repl-programmatic-history (Matteo Collina) #​61614
• [d4c9b5cf5b] - sqlite: avoid extra copy for large text binds (Ali Hassan) #​61580
• [aa1b3661d9] - sqlite: use DictionaryTemplate for run() result (Mert Can Altin) #​61432
• [9c8ad7e881] - src: elide heap allocation in structured clone implementation (Anna Henningsen) #​61703
• [c4ecfef93d] - src: use simdutf for one-byte string UTF-8 write in stringBytes (Mert Can Altin) #​61696
• [28905b9734] - src: consolidate C++ ReadFileSync/WriteFileSync utilities (Joyee Cheung) #​61662
• [e90cec2f69] - test: restraint version replacement pattern in snapshots (Chengzhong Wu) #​61748
• [adce20c0a1] - test: print stack immediately avoiding GC interleaving (Chengzhong Wu) #​61699
• [7643bc8999] - test: fix case-insensitive path matching on Windows (Matteo Collina) #​61682
• [23d1ecf66f] - test: fix flaky test-performance-eventloopdelay (Matteo Collina) #​61629
• [99012a88ed] - test: remove duplicate wpt tests (Filip Skokan) #​61617
• [a8b32b8ce1] - test: fix race condition in watch mode tests (Matteo Collina) #​61615
• [086a5a5a25] - test: update WPT for url to e3c46fd (Node.js GitHub Bot) #​61602
• [f0574fd419] - test: use the skipIfNoWatch() utility function (Luigi Pinca) #​61531
• [b064ddc221] - test: unify assertSnapshot common patterns (Chengzhong Wu) #​61590
• [17122e521b] - test_runner: fix test enqueue when test file has syntax error (Edy Silva) #​61573
• [bad3f02dd9] - tools: enforce removal of lts-watch-* labels on release proposals (Antoine du Hamel) #​61672
• [a8f33fd6bd] - tools: use ubuntu-slim runner in meta GitHub Actions (Tierney Cyren) #​61663
• [c843e447ca] - tools: test --shared-merve in test-shared workflow (Antoine du Hamel) #​61649
• [2fedc03f96] - tools: update OpenSSL to 3.5.5 in test-shared (Antoine du Hamel) #​61551
• [1c1db94670] - tools,win: upgrade install additional tools to Visual Studio 2026 (Mike McCready) #​61562

pnpm/pnpm (pnpm)

v10.29.3

Compare Source

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

mikefarah/yq (yq)

v4.52.4

Compare Source

• Dropping windows/arm - no longer supported in cross-compile
  • Fixing comments in TOML arrays (#​2592)
  • Bumped dependencies

---

Configuration

📅 Schedule: Branch creation - "on monday" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.