fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@types/node (source)	^24.12.4 → ^24.13.2
@vitest/coverage-v8 (source)	^4.1.7 → ^4.1.8
js-yaml	^4.1.1 → ^4.2.0
prettier (source)	^3.8.3 → ^3.8.4
turbo (source)	^2.9.16 → ^2.9.18
vitest (source)	^4.1.7 → ^4.1.8
yarn (source)	4.15.0 → 4.16.0

---

Release Notes

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.8

Compare Source

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in #​10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in #​10474 (675b4)

    View changes on GitHub

nodeca/js-yaml (js-yaml)

v4.2.0

Compare Source

Added

• Added docs/safety.md with notes about processing untrusted YAML.
• Added maxDepth (100) loader option. Not a problem, but gives a better
  exception instead of RangeError on stack overflow.
• Added maxMergeSeqLength (20) loader option. Not a problem after merge fix,
  but an additional restriction for safety.
• Added sourcemaps to dist/ builds.

Changed

• Stop resolving numbers with underscores as numeric scalars, #​627.
• Switched dev toolchains to Vite / neostandard.
• Updated demo.
• Reorganized tests.
• dist/ files are no longer kept in the repository.

Fixed

• Fix parsing of properties on the first implicit block mapping key, #​62.
• Fix trailing whitespace handling when folding flow scalar lines, #​307.
• Reject top-level block scalars without content indentation, #​280.
• Ensure numbers survive round-trip, #​737.
• Fix test coverage for issue #​221.
• Fix flow scalar trailing whitespace folding, #​307.
• Fix digits in YAML named tag handles.

Security

• Fix potential DoS via quadratic complexity in merge - deduplicate repeated
  elements (makes sense for malformed files > 10K).

prettier/prettier (prettier)

v3.8.4

Compare Source

vercel/turborepo (turbo)

v2.9.18: Turborepo v2.9.18

Compare Source

What's Changed

Changelog

• release(turborepo): 2.9.17 by @​github-actions[bot] in #​13047
• ci: Fetch version.txt via API in docs alias failure notification by @​anthonyshew in #​13050
• fix: Harden cache archive symlink restore by @​anthonyshew in #​13051
• chore: Remove web UI mode by @​anthonyshew in #​13052
• fix: Harden query server file access by @​anthonyshew in #​13053
• fix: Confine prune patch paths by @​anthonyshew in #​13054
• fix: Prevent git argument injection in SCM refs by @​anthonyshew in #​13055
• fix: Strip special mode bits from cache restore by @​anthonyshew in #​13056
• fix: Contain incremental cache outputs by @​anthonyshew in #​13057
• fix(turborepo): Normalize Windows daemon path hash by @​Balance8 in #​13020
• fix: Preserve vt100 cell byte counts by @​anthonyshew in #​13058
• fix: Separate artifact signature fields by @​anthonyshew in #​13059
• fix: Validate OidHash hex buffers by @​anthonyshew in #​13060
• fix: Block self-hosted login URLs from attempting to use Vercel's SSO by @​anthonyshew in #​13061

New Contributors

• @​Balance8 made their first contribution in #​13020

Full Changelog: vercel/turborepo@v2.9.17...v2.9.18

v2.9.17: Turborepo v2.9.17

Compare Source

What's Changed

Changelog

• fix: Keep non-PTY stdin alive for persistent tasks by @​anthonyshew in #​12972
• release(turborepo): 2.9.16 by @​github-actions[bot] in #​12970
• release(turborepo): 2.9.17-canary.1 by @​github-actions[bot] in #​12973
• fix: Add auth HTTP timeouts by @​anthonyshew in #​12976
• fix: Detect affected root tasks in query by @​anthonyshew in #​12977
• fix: Wait for Windows graceful shutdown by @​anthonyshew in #​12979
• release(turborepo): 2.9.17-canary.2 by @​github-actions[bot] in #​12980
• test: Skip installs for JSON output fixtures by @​anthonyshew in #​12981
• feat: Add Rsbuild examples by @​Nsttt in #​12942
• test: Skip installs for single package dry runs by @​anthonyshew in #​12982
• test: Skip Corepack setup without installs by @​anthonyshew in #​12983
• test: Skip installs for metadata-only Rust tests by @​anthonyshew in #​12985
• test: Skip remaining unnecessary fixture installs by @​anthonyshew in #​12986
• test: Add final hash contract snapshots by @​anthonyshew in #​12984
• test: Trim run logging integration matrix by @​anthonyshew in #​12987
• test: Trim affected query integration matrix by @​anthonyshew in #​12988
• test: Narrow Windows integration test group by @​anthonyshew in #​12989
• test: Trim task dependency integration coverage by @​anthonyshew in #​12990
• test: Trim affected integration coverage by @​anthonyshew in #​12991
• test: Collapse integration test matrices by @​anthonyshew in #​12992
• test: Collapse non-watch integration matrices by @​anthonyshew in #​12993
• test: Collapse summary and caching test setup by @​anthonyshew in #​12994
• test: Trim lockfile-aware caching integration matrix by @​anthonyshew in #​12995
• test: Move inference, env, and otel coverage lower by @​anthonyshew in #​12996
• test: Trim turborepo-scm subprocess tests by @​anthonyshew in #​12998
• test: Remove Windows nextest thread cap by @​anthonyshew in #​12999
• test: Trim workspace config integration tests by @​anthonyshew in #​13000
• test: Trim run logging integration coverage by @​anthonyshew in #​13001
• test: Trim summary inference and single package tests by @​anthonyshew in #​13002
• test: Trim continue and persistent integration tests by @​anthonyshew in #​13004
• test: Trim force and workspace inheritance tests by @​anthonyshew in #​13005
• test: Trim SCM regression matrix by @​anthonyshew in #​13006
• test: Trim miscellaneous integration tests by @​anthonyshew in #​13007
• test: Trim affected and cache integration coverage by @​anthonyshew in #​13008
• refactor: Split engine builder modules by @​anthonyshew in #​13009
• refactor: Split process child module by @​anthonyshew in #​13014
• refactor: Split CLI module by @​anthonyshew in #​13013
• refactor: Split Bun lockfile module by @​anthonyshew in #​13012
• Fix typo in .gitignore comment by @​saiteja-madha in #​13010
• fix: Preserve Bun nested dependency versions by @​anthonyshew in #​13016
• docs: Exclude Next.js dev server output from cache examples by @​anthonyshew in #​13019
• release(turborepo): 2.9.17-canary.3 by @​github-actions[bot] in #​13017
• fix: Highlight active docs sidebar item by @​anthonyshew in #​13023
• fix: Ignore peer dependencies in package graph by @​kitten in #​13025
• release(turborepo): 2.9.17-canary.4 by @​github-actions[bot] in #​13032
• fix: Preserve pnpm override-resolved prune deps by @​anthonyshew in #​13031
• fix: Keep PTY stdin open for tasks by @​anthonyshew in #​13033
• fix: Add TUI pane padding before logs by @​anthonyshew in #​13034
• fix(api-client): Support P-521 ECDSA certificate chains over rustls by @​anthonyshew in #​13036
• chore: Restore aarch64 musl release builds by @​anthonyshew in #​13037
• release(turborepo): 2.9.17-canary.5 by @​github-actions[bot] in #​13038
• docs: Remove ESM warning from gen page by @​anthonyshew in #​13039
• fix: Bypass npm command shim on Windows by @​anthonyshew in #​13040
• feat: Add JIT task input hashing by @​anthonyshew in #​13043
• fix: Defer hashes for JIT task dependents by @​anthonyshew in #​13045
• release(turborepo): 2.9.17-canary.6 by @​github-actions[bot] in #​13044
• release(turborepo): 2.9.17-canary.7 by @​github-actions[bot] in #​13046
• fix: Send Ctrl+C to Windows PTY tasks by @​anthonyshew in #​13041

New Contributors

• @​Nsttt made their first contribution in #​12942
• @​saiteja-madha made their first contribution in #​13010
• @​kitten made their first contribution in #​13025

Full Changelog: vercel/turborepo@v2.9.16...v2.9.17

yarnpkg/berry (yarn)

v4.16.0: v4.16.0

Compare Source

What's Changed

• PnP: Include Node 22.22.3 in fstat workaround by @​junjuny0227 in #​7141
• Implements yarn npm stage by @​arcanis in #​7147
• fix: Stop using EBADF workaround for Node 24.16.0+ by @​MJDSys in #​7152
• Bumps eslint-plugin-arca by @​arcanis in #​7163
• Enables staged publishing by @​arcanis in #​7164
• feat: Add editor SDK support for oxc (oxfmt & oxlint) by @​slainless in #​7078
• docs: fix npmMinimalAgeGate default value. by @​ryanfox1985 in #​7125

New Contributors

• @​junjuny0227 made their first contribution in #​7141
• @​MJDSys made their first contribution in #​7152
• @​slainless made their first contribution in #​7078
• @​ryanfox1985 made their first contribution in #​7125

Full Changelog: https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.15.0...@​yarnpkg/cli/4.16.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "before 12pm on Sunday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

➤ YN0000: · Yarn 4.16.0
➤ YN0000: ┌ Resolution step
➤ YN0016: │ prettier@npm:^3.8.4: All versions satisfying "^3.8.4" are quarantined
➤ YN0000: └ Completed in 1s 677ms
➤ YN0000: · Failed with errors in 1s 715ms