@renovate renovate bot commented Dec 25, 2025

This PR contains the following updates:

Package Change
@navikt/aksel-icons (source) 7.35.2 -> 7.36.0
@percy/cli (source) 1.31.5 -> 1.31.7
@tanstack/react-query (source) 5.90.12 -> 5.90.16
@tanstack/react-query-devtools (source) 5.91.1 -> 5.91.2
@testing-library/react 16.3.0 -> 16.3.1
@typescript-eslint/eslint-plugin (source) 8.49.0 -> 8.51.0
@typescript-eslint/parser (source) 8.49.0 -> 8.51.0
caniuse-lite 1.0.30001760 -> 1.0.30001762
cypress (source) 15.7.1 -> 15.8.1
esbuild-loader 4.4.0 -> 4.4.2
eslint-plugin-testing-library 7.14.0 -> 7.15.4
html-react-parser 5.2.10 -> 5.2.11
immer 11.0.1 -> 11.1.3
react-day-picker (source) 9.12.0 -> 9.13.0
typescript-eslint (source) 8.49.0 -> 8.51.0
webpack 5.103.0 -> 5.104.1
zod (source) 4.2.0 -> 4.3.4

Release Notes

navikt/aksel (@​navikt/aksel-icons)

v7.36.0

Compare Source

Patch Changes
  • Icons: Removed 'updated_at'-field from AkselIcon-type. (#​4399)

v7.35.3

Compare Source

percy/cli (@​percy/cli)

v1.31.7

Compare Source

What's Changed

✨ Enhancements

Full Changelog: percy/cli@v1.31.6...v1.31.7

v1.31.6

Compare Source

What's Changed

✨ Enhancements
🐛 Bug Fixes
🏗 Maintenance

Full Changelog: percy/cli@v1.31.5...v1.31.6

TanStack/query (@​tanstack/react-query)

v5.90.16

Compare Source

Patch Changes

v5.90.15

Compare Source

Patch Changes

v5.90.14

Patch Changes

v5.90.13

Patch Changes

TanStack/query (@​tanstack/react-query-devtools)

v5.91.2

Compare Source

Patch Changes

testing-library/react-testing-library (@​testing-library/react)

v16.3.1

Compare Source

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.51.0

Compare Source

🚀 Features
  • eslint-plugin: add namespace to plugin meta (#​11885)
  • eslint-plugin: [no-useless-default-assignment] fix some cases to optional syntax (#​11871)
🩹 Fixes
  • eslint-plugin: [prefer-optional-chain] handle MemberExpression in final chain position (#​11835)
  • eslint-plugin: bump ts-api-utils to 2.2.0 (#​11881)
  • eslint-plugin: remove fixable from no-dynamic-delete rule (#​11876)
  • eslint-plugin: fix crash and false positives in no-useless-default-assignment (#​11845)
❤️ Thank You

You can read about our versioning strategy and releases on our website.

v8.50.1

Compare Source

🩹 Fixes
  • eslint-plugin: [no-unnecessary-type-assertion] correct handling of undefined vs. void (#​11826)
  • eslint-plugin: [method-signature-style] ignore methods that return this (#​11813)
❤️ Thank You

You can read about our versioning strategy and releases on our website.

v8.50.0

Compare Source

🚀 Features
  • eslint-plugin: [no-useless-default-assignment] add rule (#​11720)
❤️ Thank You
  • Josh Goldberg ✨
  • Ulrich Stark

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.51.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

v8.50.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

v8.50.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

browserslist/caniuse-lite (caniuse-lite)

v1.0.30001762

Compare Source

v1.0.30001761

Compare Source

cypress-io/cypress (cypress)

v15.8.1

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-8-1

v15.8.0

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-8-0

privatenumber/esbuild-loader (esbuild-loader)

v4.4.2

Compare Source

Bug Fixes
  • warn when define is used with eval-based devtools (dfec00d)

v4.4.1

Compare Source

Bug Fixes

testing-library/eslint-plugin-testing-library (eslint-plugin-testing-library)

v7.15.4

Compare Source

Bug Fixes

v7.15.3

Compare Source

Bug Fixes

v7.15.2

Compare Source

Bug Fixes

v7.15.1

Compare Source

Bug Fixes

v7.15.0

Compare Source

Features

remarkablemark/html-react-parser (html-react-parser)

v5.2.11

Compare Source

Continuous Integration
  • github: remove npm token and publish with OIDC (ba9692d)

immerjs/immer (immer)

v11.1.3

Compare Source

Bug Fixes

v11.1.2

Compare Source

Bug Fixes
  • bogus commit to retest release (c329ddb)

v11.1.0

Compare Source

This feature release adds a new optional "array method overrides" plugin that significantly speeds up array methods when accessing drafts.

Changelog

Performance Improvements

As part of the recent performance optimization work, our benchmarks showed that all Proxy-based immutable update libraries were drastically slower than vanilla JS when calling both mutating and non-mutating array methods. After investigation, it turns out that an array method like arr.filter() causes the Proxy's get trap to trigger for every single item in the array. This in turn forces creation of a new Proxy and internal Immer metadata for every item, even though this was just a read operation and no items were being updated.

This release adds a new enableArrayMethods plugin that will override draft array methods to bypass the draft and directly operate on the underlying wrapped array instance. This significantly speeds up array operations.

When enabled, the plugin overrides these array methods:

  • Mutating: push, pop, shift, unshift, splice, reverse, sort
  • Non-mutating: filter, slice, concat, flat, find, findIndex, findLast, findLastIndex, some, every, indexOf, lastIndexOf, includes, join, toString, toLocaleString

Our benchmarks show that the overridden methods (plus the other perf changes in Immer 10.2 and 11.0) are 50-80% faster than the baseline behavior of Immer 10.1.

The plugin adds about 1.5-2K minified to Immer's bundle size.

It's important to note that the plugin does change the "safe to mutate a draft" semantics of Immer. Any of these methods that receives an array item as a callback argument will not automatically wrap that item in a Proxy! That means that if you try to mutate an argument in a method such as filter, it will actually mutate the real underlying object, which will cause bugs in your app. This is an intentional design tradeoff. Semantically, all of these methods imply read-only access to array values, so if your code tries to mutate an array item in a callback, that is a bug in your code.

Note that this does not override map, flatMap, forEach, or reduce / reduceRight. Those methods do imply either side effects and potential mutations, or returning arbitrary values. Given that, we determined it was both safest and simplest to keep their behavior as-is.

See the Array Methods Plugin docs page for further details on the behavior of the overridden methods.

What's Changed

gpbl/react-day-picker (react-day-picker)

v9.13.0

Compare Source

This release introduces an experimental noonSafe prop to help deal with historical time zones with second offsets. See https://daypicker.dev/localization/setting-time-zone#noonsafe for more details.

What's Changed
  • feat: add experimental noonSafe prop for timezone offsets by @​gpbl in #​2879

Full Changelog: gpbl/react-day-picker@v9.12.0...v9.13.0

typescript-eslint/typescript-eslint (typescript-eslint)

v8.51.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

v8.50.1

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

v8.50.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

webpack/webpack (webpack)

v5.104.1

Compare Source

Patch Changes
  • 2efd21b: Reexports runtime calculation should not access WEBPACK_IMPORT_KEY decl with var.
  • c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

v5.104.0

Compare Source

Minor Changes
  • d3dd841: Use method shorthand to render module content in __webpack_modules__ object.
  • d3dd841: Enhance import.meta.env to support object access.
  • 4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.
  • 04cd530: Handle more at-rules for CSS modules.
  • cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.
  • d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.
  • 5983843: Provide a stable runtime function variable __webpack_global__.
  • d3dd841: Improved localIdentName hashing for CSS.
Patch Changes
  • 22c48fb: Added module existence check for informative error message in development mode.
  • 50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.
  • d3dd841: Support universal lazy compilation.
  • d3dd841: Fixed module library export definitions when multiple runtimes.
  • d3dd841: Fixed CSS nesting and CSS custom properties parsing.
  • d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.
  • aab1da9: Fixed bugs for css/global type.
  • d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.
  • d3dd841: Handle nested __webpack_require__.
  • 728ddb7: The speed of identifier parsing has been improved.
  • 0f8b31b: Improve types.
  • d3dd841: Don't corrupt debugId injection when hidden-source-map is used.
  • 2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.
  • d3dd841: Serialize HookWebpackError.
  • d3dd841: Added ability to use built-in properties in dotenv and define plugin.
  • 3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.
  • d3dd841: Reduce collision for local indent name in CSS.
  • d3dd841: Remove CSS link tags when CSS imports are removed.

colinhacks/zod (zod)

v4.3.4

Compare Source

Commits:

v4.3.3

Compare Source

v4.3.2

Compare Source

v4.3.1

Compare Source

Commits:

  • 0fe8840 allow non-overwriting extends with refinements. 4.3.1

v4.3.0

Compare Source

This is Zod's biggest release since 4.0. It addresses several of Zod's longest-standing feature requests.

z.fromJSONSchema()

Convert JSON Schema to Zod (#​5534, #​5586)

You can now convert JSON Schema definitions directly into Zod schemas. This function supports JSON Schema "draft-2020-12", "draft-7", "draft-4", and OpenAPI 3.0.

import * as z from "zod";

const schema = z.fromJSONSchema({
  type: "object",
  properties: {
    name: { type: "string", minLength: 1 },
    age: { type: "integer", minimum: 0 },
  },
  required: ["name"],
});

schema.parse({ name: "Alice", age: 30 }); // ✅

The API should be considered experimental. There are no guarantees of 1:1 "round-trip soundness": MySchema > z.toJSONSchema() > z.fromJSONSchema(). There are several features of Zod that don't exist in JSON Schema and vice versa, which makes this virtually impossible.

Features supported:

  • All primitive types (string, number, integer, boolean, null, object, array)
  • String formats (email, uri, uuid, date-time, date, time, ipv4, ipv6, and more)
  • Composition (anyOf, oneOf, allOf)
  • Object constraints (additionalProperties, patternProperties, propertyNames)
  • Array constraints (prefixItems, items, minItems, maxItems)
  • $ref for local references and circular schemas
  • Custom metadata is preserved

z.xor() — exclusive union (#​5534)

A new exclusive union type that requires exactly one option to match. Unlike z.union() which passes if any option matches, z.xor() fails if zero or more than one option matches.

const schema = z.xor([z.string(), z.number()]);

schema.parse("hello"); // ✅
schema.parse(42);      // ✅
schema.parse(true);    // ❌ zero matches

When converted to JSON Schema, z.xor() produces oneOf instead of anyOf.

z.looseRecord() — partial record validation (#​5534)

A new record variant that only validates keys matching the key schema, passing through non-matching keys unchanged. This is used to represent patternProperties in JSON Schema.

const schema = z.looseRecord(z.string().regex(/^S_/), z.string());

schema.parse({ S_name: "John", other: 123 });
// ✅ { S_name: "John", other: 123 }
// only S_name is validated, "other" passes through

.exactOptional() — strict optional properties (#​5589)

A new wrapper that makes a property key-optional (can be omitted) but does not accept undefined as an explicit value.

const schema = z.object({
  a: z.string().optional(),      // accepts `undefined`
  b: z.string().exactOptional(), // does not accept `undefined`
});

schema.parse({});                  // ✅
schema.parse({ a: undefined });    // ✅
schema.parse({ b: undefined });    // ❌

This makes it possible to accurately represent the full spectrum of optionality expressible using exactOptionalPropertyTypes.

.apply()

A utility method for applying arbitrary transformations to a schema, enabling cleaner schema composition. (#​5463)

const setCommonChecks = <T extends z.ZodNumber>(schema: T) => {
  return schema.min(0).max(100);
};

const schema = z.number().apply(setCommonChecks).nullable();

.brand() cardinality

The .brand() method now accepts a second argument to control whether the brand applies to input, output, or both. Closes #​4764, #​4836.

// output only (default)
z.string().brand<"UserId">();           // output is branded (default)
z.string().brand<"UserId", "out">();    // output is branded
z.string().brand<"UserId", "in">();     // input is branded
z.string().brand<"UserId", "inout">();  // both are branded

Type predicates on .refine() (#​5575)

The .refine() method now supports type predicates to narrow the output type:

const schema = z.string().refine((s): s is "a" => s === "a");

type Input = z.input<typeof schema>;   // string
type Output = z.output<typeof schema>; // "a"

ZodMap methods: min, max, nonempty, size (#​5316)

ZodMap now has parity with ZodSet and ZodArray:

const schema = z.map(z.string(), z.number())
  .min(1)
  .max(10)
  .nonempty();

schema.size; // access the size constraint

.with() alias for .check() (359c0db)

A new .with() method has been added as a more readable alias for .check(). Over time, more APIs have been added that don't qualify as "checks". The new method provides a readable alternative that doesn't muddy semantics.

z.string().with(
  z.minLength(5),
  z.toLowerCase()
);

// equivalent to:
z.string().check(
  z.minLength(5),
  z.toLowerCase()
);

z.slugify() transform

Transform strings into URL-friendly slugs. Works great with .with():

// Zod
z.string().slugify().parse("Hello World");           // "hello-world"

// Zod Mini
// using .with() for explicit check composition
z.string().with(z.slugify()).parse("Hello World");   // "hello-world"

z.meta() and z.describe() in Zod Mini (947b4eb)

Zod Mini now exports z.meta() and z.describe() as top-level functions for adding metadata to schemas:

import * as z from "zod/mini";

// add description
const schema = z.string().with(
  z.describe("A user's name"),
);

// add arbitrary metadata
const schema2 = z.number().with(
  z.meta({ deprecated: true })
);

New locales

import * as z from "zod";
import { uz } from "zod/locales";

z.config(uz());






Bug fixes

All of these changes fix soundness issues in Zod. As with any bug fix there's some chance of breakage if you were intentionally or unintentionally relying on this unsound behavior.

⚠️ .pick() and .omit() disallowed on object schemas containing refinements (#​5317)

Using .pick() or .omit() on object schemas with refinements now throws an error. Previously, this would silently drop the refinements, leading to unexpected behavior.

const schema = z.object({
  password: z.string(),
  confirmPassword: z.string(),
}).refine(data => data.password === data.confirmPassword);

schema.pick({ password: true });
// 4.2: refinement silently dropped ⚠️
// 4.3: throws error ❌

Migration: The easiest way to migrate is to create a new schema using the shape of the old one.

const newSchema = z.object(schema.shape).pick({ ... })

⚠️ .extend() disallowed on refined schemas (#​5317)

Similarly, .extend() now throws on schemas with refinements. Use .safeExtend() if you need to extend refined schemas.

const schema = z.object({ a: z.string() }).refine(/* ... */);

// 4.2: refinement silently dropped ⚠️
// 4.3: throws error ✅
schema.extend({ b: z.number() });
// error: object schemas containing refinements cannot be extended. use `.safeExtend()` instead.

⚠️ Stricter object masking methods (#​5581)

Object masking methods (.pick(), .omit()) now validate that the keys provided actually exist in the schema:

const schema = z.object({ a: z.string() });

// 4.3: throws error for unrecognized keys
schema.pick({ nonexistent: true });
// error: unrecognized key: "nonexistent"

Additional changes

  • Fixed JSON Schema generation for z.iso.time with minute precision (#​5557)
  • Fixed error details for tuples with extraneous elements (#​5555)
  • Fixed includes method params typing to accept string | $ZodCheckIncludesParams (#​5556)
  • Fixed numeric formats error messages to be inclusive (#​5485)
  • Fixed implementAsync inferred type to always be a promise (#​5476)
  • Tightened E.164 regex to require a non-zero leading digit and 7–15 digits total (#​5524)
  • Fixed Dutch (nl) error strings (#​5529)
  • Convert Date instances to numbers in minimum/maximum checks (#​5351)
  • Improved numeric keys handling in z.record() (#​5585)
  • Lazy initialization of ~standard schema property (#​5363)
  • Functions marked as @__NO_SIDE_EFFECTS__ for better tree-shaking (#​5475)
  • Improved metadata tracking across child-parent relationships (#​5578)
  • Improved locale translation approach (#​5584)
  • Dropped id uniqueness enforcement at registry level (#​5574)

v4.2.1

Compare Source


Configuration

📅 Schedule: Branch creation - "before 07:00 on Thursday" in timezone Europe/Oslo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
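
Added example, not part of this pull request and not webpack's HttpUriPlugin code: the webpack notes above (c510070, 2179fdb) describe rejecting a user-information bypass, re-validating each redirect against allowedUris, restricting to http(s) and capping redirects. The names `isAllowed`, `resolveWithPolicy`, `MAX_REDIRECTS`, the origin-plus-path-prefix matching and the `.example` hosts are assumptions made for illustration.

```javascript
// Added illustration, not webpack's HttpUriPlugin source. isAllowed,
// resolveWithPolicy and MAX_REDIRECTS are hypothetical names.
const MAX_REDIRECTS = 5; // assumed value; the release note only says "conservative"

// Policy check for a single URL. Compares parsed components, because a raw
// string-prefix test against "https://cdn.example" would also accept
// "https://cdn.example@other.example/", whose host is other.example.
function isAllowed(rawUrl, allowedUris) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input never passes
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.username || url.password) return false; // no userinfo component
  return allowedUris.some((entry) => {
    const allowed = new URL(entry);
    return url.origin === allowed.origin && url.pathname.startsWith(allowed.pathname);
  });
}

// Follows redirects, re-running the policy on every hop before it is requested.
// `respond` stands in for the HTTP client so the example runs offline.
function resolveWithPolicy(startUrl, allowedUris, respond) {
  const chain = [];
  let current = startUrl;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    if (!isAllowed(current, allowedUris)) {
      return { ok: false, reason: "blocked-by-policy", url: current, chain };
    }
    chain.push(current);
    const res = respond(current);
    if (res.status >= 300 && res.status < 400 && res.location) {
      // Relative Location values resolve against the URL that issued them.
      current = new URL(res.location, current).href;
      continue;
    }
    const ok = res.status === 200;
    return { ok, reason: ok ? "ok" : `http-${res.status}`, url: current, chain };
  }
  return { ok: false, reason: "too-many-redirects", url: current, chain };
}

// Constructed sample data: one allowlist entry and canned responses.
const ALLOWED = ["https://cdn.example/modules/"];
const RESPONSES = {
  "https://cdn.example/modules/a.js": { status: 302, location: "/modules/v2/a.js" },
  "https://cdn.example/modules/v2/a.js": { status: 200 },
  "https://cdn.example/modules/b.js": { status: 302, location: "http://intranet.example/status" },
  "https://cdn.example/modules/c.js": { status: 301, location: "ftp://cdn.example/modules/c.js" },
  "https://cdn.example/modules/loop.js": { status: 302, location: "/modules/loop.js" },
};
const respond = (url) => RESPONSES[url] || { status: 404 };

for (const name of ["a.js", "b.js", "c.js", "loop.js"]) {
  const r = resolveWithPolicy(ALLOWED[0] + name, ALLOWED, respond);
  console.log(name, r.reason, r.url);
}
```

A caller would write to its cache or lockfile only when `ok` is true, so a hop that fails policy leaves no persisted entry.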

@renovate renovate bot added the backport-ignore (This PR is a new feature and should not be cherry-picked onto release branches) and kind/dependencies (Pull requests that update a dependency file) labels Dec 25, 2025

coderabbitai bot commented Dec 25, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@renovate renovate bot force-pushed the renovate/npm-minor-patch branch 5 times, most recently from 29a4628 to 68bf7ab Compare December 31, 2025 17:55
@renovate renovate bot force-pushed the renovate/npm-minor-patch branch 8 times, most recently from e738b28 to cc5bafc Compare January 3, 2026 22:47
@renovate renovate bot force-pushed the renovate/npm-minor-patch branch from cc5bafc to 0adf539 Compare January 4, 2026 02:48
sonarqubecloud bot commented Jan 4, 2026
