fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@vercel/functions (source)	3.6.0 → 3.6.1
next-intl (source)	4.12.0 → 4.13.0
pnpm (source)	10.33.4 → 10.34.1
react-hook-form (source)	7.76.0 → 7.76.1
remeda (source)	2.34.1 → 2.37.0

---

Release Notes

vercel/vercel (@​vercel/functions)

v3.6.1

Compare Source

Patch Changes

• Updated dependencies [5a700dc]
  • @​vercel/oidc@​3.5.0

amannn/next-intl (next-intl)

v4.13.0

Compare Source

Features

• Use URL-safe base64 for auto-generated message keys of useExtracted (#​2330) (a003d3a) – by @​spokodev

pnpm/pnpm (pnpm)

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

• Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Gold Sponsors

v10.34.0: pnpm 10.34

Compare Source

Minor Changes

• Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.

  pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.

  The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.

  --force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

Patch Changes

• Pin unscoped per-registry settings (_authToken, _auth, username/_password, tokenHelper, inline cert/key) to the registry declared in the same config source at load time, so a later layer overriding registry= (workspace .npmrc, pnpm-workspace.yaml, CLI --registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.
• Fixed minimumReleaseAge handling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-version time field) by default, which made the maturity check throw ERR_PNPM_MISSING_TIME whenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch when minimumReleaseAge is active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and lets ERR_PNPM_MISSING_TIME from the cache fast-path fall through to the network fetch even under strict mode.
• Reject git resolutions whose commit field is not a 40-character hexadecimal SHA before invoking git. A malicious lockfile could otherwise smuggle a value such as --upload-pack=<command> through git fetch / git checkout, which on SSH or local-file transports executes the supplied command.
• Reject patch files whose diff --git headers reference paths outside the patched package directory. Previously a malicious .patch file added via a pull request could write, delete, or rename arbitrary files reachable by the user running pnpm install.
• Fixed --prefix=<dir> not being honored when locating the workspace root. The --prefix → dir rename was applied after workspace detection, so workspace settings declared in <dir>/pnpm-workspace.yaml were not loaded when pnpm was invoked from outside <dir> #​11535.
• Reject dependency aliases that contain path-traversal segments (such as @x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them into node_modules. A malicious registry package could otherwise use a transitive dependency key to make pnpm install create symlinks at attacker-chosen paths outside the intended node_modules directory.

Platinum Sponsors

Gold Sponsors

react-hook-form/react-hook-form (react-hook-form)

v7.76.1: Version 7.76.1

Compare Source

🐞 fix: pass options parameter through setValues to enable validation (#​13457)
🐞 fix(setValues): emit whole-form change without stale name/type (#​13450)
🚗 perf(setValues): thread skipClone through setFieldValue (#​13448)
🚗 perf(setValues): skip redundant per-field deep clones (#​13445)
Revert "🐞 fix: treat NaN as empty when valueAsNumber is true in validateField (#​13388)"

thanks to @​philibea & @​maxkostow

remeda/remeda (remeda)

v2.37.0

Compare Source

Bug Fixes

• splice: move data-last inference to curried data param (#​1358) (16338d8)

v2.36.0

Compare Source

Bug Fixes

• sample: typechecking perf issue with large literal tuples (#​1355) (542185d)

v2.35.0

Compare Source

Bug Fixes

• only: typing issue with union types (#​1354) (ee955e7), closes #​1353

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

<--- Last few GCs --->

[1022:0x25af2000]    70999 ms: Scavenge (interleaved) 1485.1 (1498.8) -> 1481.9 (1498.0) MB, pooled: 0 MB, 13.68 / 0.00 ms  (average mu = 0.316, current mu = 0.296) task; 
[1022:0x25af2000]    72206 ms: Mark-Compact (reduce) 1487.4 (1500.2) -> 1483.1 (1493.1) MB, pooled: 0 MB, 42.36 / 0.20 ms  (+ 1022.6 ms in 132 steps since start of marking, biggest step 20.2 ms, walltime since start of marking 1204 ms) (average mu = 0.320
FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory
----- Native stack trace -----

 1: 0x744ae8 node::OOMErrorHandler(char const*, v8::OOMDetails const&) [/opt/containerbase/tools/node/24.16.0/bin/node]
 2: 0xc1a4b0  [/opt/containerbase/tools/node/24.16.0/bin/node]
 3: 0xc1a59f  [/opt/containerbase/tools/node/24.16.0/bin/node]
 4: 0xebdda5  [/opt/containerbase/tools/node/24.16.0/bin/node]
 5: 0xebddd2  [/opt/containerbase/tools/node/24.16.0/bin/node]
 6: 0xebe0ca  [/opt/containerbase/tools/node/24.16.0/bin/node]
 7: 0xecedca  [/opt/containerbase/tools/node/24.16.0/bin/node]
 8: 0xed3170  [/opt/containerbase/tools/node/24.16.0/bin/node]
 9: 0x19655d1  [/opt/containerbase/tools/node/24.16.0/bin/node]
/usr/local/bin/node: line 18:  1022 Aborted                 /opt/containerbase/tools/node/24.16.0/bin/node "$@"