Update dependency upgrades - non-major

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
eslint (source)	9.24.0 -> 9.25.1
pnpm (source)	10.8.1 -> 10.9.0
sass	1.86.3 -> 1.87.0
stylelint (source)	16.18.0 -> 16.19.0

---

Release Notes

eslint/eslint (eslint)

v9.25.1

Compare Source

v9.25.0

Compare Source

pnpm/pnpm (pnpm)

v10.9.0

Compare Source

Minor Changes

• Added support for installing JSR packages. You can now install JSR packages using the following syntax:

  pnpm add jsr:<pkg_name>
  

  or with a version range:

  pnpm add jsr:<pkg_name>@&#8203;<range>
  

  For example, running:

  pnpm add jsr:@​foo/bar
  

  will add the following entry to your package.json:

  {
    "dependencies": {
      "@​foo/bar": "jsr:^0.1.2"
    }
  }

  When publishing, this entry will be transformed into a format compatible with npm, older versions of Yarn, and previous pnpm versions:

  {
    "dependencies": {
      "@​foo/bar": "npm:@​jsr/foo__bar@^0.1.2"
    }
  }

  Related issue: #​8941.

  Note: The @jsr scope defaults to https://npm.jsr.io/ if the @jsr:registry setting is not defined.

• Added a new setting, dangerouslyAllowAllBuilds, for automatically running any scripts of dependencies without the need to approve any builds. It was already possible to allow all builds by adding this to pnpm-workspace.yaml:

  neverBuiltDependencies: []

  dangerouslyAllowAllBuilds has the same effect but also allows to be set globally via:

  pnpm config set dangerouslyAllowAllBuilds true
  

  It can also be set when running a command:

  pnpm install --dangerously-allow-all-builds
  

Patch Changes

• Fix a false negative in verifyDepsBeforeRun when nodeLinker is hoisted and there is a workspace package without dependencies and node_modules directory #​9424.
• Explicitly drop verifyDepsBeforeRun support for nodeLinker: pnp. Combining verifyDepsBeforeRun and nodeLinker: pnp will now print a warning.

sass/dart-sass (sass)

v1.87.0

Compare Source

• Potentially breaking bug fix: When a plain CSS file with a top-level
  nesting selector & is loaded into a nested Sass context via
  meta.load-css() or @import, Sass now emits plain CSS nesting rather than
  incorrectly combining it with the parent selector using a descendant
  combinator.

stylelint/stylelint (stylelint)

v16.19.0

Compare Source

It adds 2 options to 2 rules and fixes 3 bugs.

• Added: exceptWithoutPropertyFallback: [] to function-allowed-list (#​8488) (@​ryo-manba).
• Added: ignore: ["four-into-three-edge-values"] to shorthand-property-no-redundant-values (#​8527) (@​ryo-manba).
• Fixed: compact formatter with pnpm to newline the exit code (#​8534) (@​konomae).
• Fixed: declaration-property-value-no-unknown range and message for invalid syntax within known functions (#​8528) (@​ryo-manba).
• Fixed: no-empty-source false positives for --report-needless-disables (#​8536) (@​romainmenke).

---

Configuration

📅 Schedule: Branch creation - "after 4pm on thursday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	eslint@​9.24.0 ⏵ 9.25.1	+1
	stylelint@​16.18.0 ⏵ 16.19.0	+1
	sass@​1.86.3 ⏵ 1.87.0

View full report