chore(deps): update all non-major dependencies

[renovate]

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Change	Age	Confidence
@envelop/core (source)	5.3.1 -> 5.3.2
@graphql-yoga/plugin-defer-stream (source)	3.15.2 -> 3.16.0
@types/node (source)	24.5.1 -> 24.5.2
esbuild	0.25.9 -> 0.25.10
eslint (source)	9.35.0 -> 9.36.0
eslint-plugin-n	17.23.0 -> 17.23.1
graphql-yoga (source)	5.15.2 -> 5.16.0
puppeteer (source)	24.21.0 -> 24.22.0
svelte (source)	5.38.10 -> 5.39.2
ts-jest (source)	29.4.2 -> 29.4.4
wrangler (source)	4.37.1 -> 4.38.0

---

Release Notes

graphql-hive/envelop (@​envelop/core)

v5.3.2

Compare Source

Patch Changes

• #​2665
  92948d8
  Thanks @​EmrysMyrddin! - Fix getters and setters being stripped
  away. The value was copied at plugin creation instead of copying the getter and setter (if any).

graphql-hive/graphql-yoga (@​graphql-yoga/plugin-defer-stream)

v3.16.0

Compare Source

evanw/esbuild (esbuild)

v0.25.10

Compare Source

• Fix a panic in a minification edge case (#​4287)

  This release fixes a panic due to a null pointer that could happen when esbuild inlines a doubly-nested identity function and the final result is empty. It was fixed by emitting the value undefined in this case, which avoids the panic. This case must be rare since it hasn't come up until now. Here is an example of code that previously triggered the panic (which only happened when minifying):

  function identity(x) { return x }
  identity({ y: identity(123) })

• Fix @supports nested inside pseudo-element (#​4265)

  When transforming nested CSS to non-nested CSS, esbuild is supposed to filter out pseudo-elements such as ::placeholder for correctness. The CSS nesting specification says the following:

  The nesting selector cannot represent pseudo-elements (identical to the behavior of the ':is()' pseudo-class). We’d like to relax this restriction, but need to do so simultaneously for both ':is()' and '&', since they’re intentionally built on the same underlying mechanisms.

  However, it seems like this behavior is different for nested at-rules such as @supports, which do work with pseudo-elements. So this release modifies esbuild's behavior to now take that into account:

  /* Original code */
  ::placeholder {
    color: red;
    body & { color: green }
    @​supports (color: blue) { color: blue }
  }
  
  /* Old output (with --supported:nesting=false) */
  ::placeholder {
    color: red;
  }
  body :is() {
    color: green;
  }
  @​supports (color: blue) {
     {
      color: blue;
    }
  }
  
  /* New output (with --supported:nesting=false) */
  ::placeholder {
    color: red;
  }
  body :is() {
    color: green;
  }
  @​supports (color: blue) {
    ::placeholder {
      color: blue;
    }
  }

eslint/eslint (eslint)

v9.36.0

Compare Source

eslint-community/eslint-plugin-n (eslint-plugin-n)

v17.23.1

Compare Source

🩹 Fixes

• node-builtins-modules/tls.js: Update minimal version (#​484) (fe94432)

📚 Documentation

• improve clarity of no-missing-import and no-missing-require (#​455) (92ea876)

graphql-hive/graphql-yoga (graphql-yoga)

v5.16.0

Compare Source

Minor Changes

• #​3188
  a4e1c5f
  Thanks @​EmrysMyrddin! - Add allowedHeaders option to allow
  filtering Response and Request headers

Patch Changes

• #​4191
  0a7a635
  Thanks @​ardatan! - Fix workers' loading in online GraphiQL mode, so
  that Monaco features like autocomplete can work properly

puppeteer/puppeteer (puppeteer)

v24.22.0

Compare Source

Miscellaneous Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • puppeteer-core bumped from 24.21.0 to 24.22.0

Features

• roll to Firefox 143.0 (#​14219) (ddab735)

Bug Fixes

• a11y: handle leaf nodes without heuristics that rely on name (#​14221) (076cc2e)

sveltejs/svelte (svelte)

v5.39.2

Compare Source

Patch Changes

• fix: preserve SSR context when block expressions contain await (#​16791)

• chore: bump some devDependencies (#​16787)

v5.39.1

Compare Source

Patch Changes

• fix: issue state_proxy_unmount warning when unmounting a state proxy (#​16747)

• fix: add then to class component render output (#​16783)

v5.39.0

Compare Source

Minor Changes

• feat: experimental async SSR (#​16748)

Patch Changes

• fix: correctly SSR hidden="until-found" (#​16773)

kulshekhar/ts-jest (ts-jest)

v29.4.4

Compare Source

Bug Fixes

• revert 29.4.3 changes (25cb706), closes #​5049

v29.4.3

Compare Source

Bug Fixes

• introduce transpilation option to replace isolatedModules option (#​5044) (5868761), closes #​5013 #​4859

cloudflare/workers-sdk (wrangler)

v4.38.0

Compare Source

Minor Changes

• #​10654 a4e2439 Thanks @​laplab! - Switch to WRANGLER_R2_SQL_AUTH_TOKEN env variable for R2 SQL secret. Update the response format for R2 SQL

• #​10676 f76da43 Thanks @​penalosa! - Support ctx.exports in wrangler types

• #​10651 6caf938 Thanks @​edevil! - Added new attribute "allowed_sender_addresses" to send email binding.

Patch Changes

• #​10674 1cc258e Thanks @​penalosa! - Fix remote/local display for KV/D1/R2 & Browser bindings

• #​10678 b30263e Thanks @​penalosa! - Remove dummy auth from SDK setup

• #​10678 b30263e Thanks @​penalosa! - Add WRANGLER_TRACE_ID environment variable to support internal testing

• #​10561 769ffb1 Thanks @​danielrs! - Do not show subdomain status mismatch warnings on first deploy.

• Updated dependencies [b59e3e1, e9b0c66, 6caf938, 88132bc]:

  • miniflare@​4.20250917.0
  • @​cloudflare/unenv-preset@​2.7.4

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 202b8ca

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

💻 Website Preview

The latest changes are available as preview in: https://pr-7497.graphql-tools.pages.dev