chore(deps): update npm

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@eslint/eslintrc	3.3.1 → 3.3.3
@remix-run/dev (source)	2.17.1 → 2.17.2
@remix-run/eslint-config (source)	2.17.1 → 2.17.2
@remix-run/fs-routes (source)	2.17.1 → 2.17.2
@remix-run/route-config (source)	2.17.1 → 2.17.2
@remix-run/serve (source)	2.17.1 → 2.17.2
@shopify/api-codegen-preset (source)	1.2.0 → 1.2.1
@shopify/app-bridge-react (source)	4.2.3 → 4.2.8
@tailwindcss/postcss (source)	4.1.13 → 4.1.18
@trustedshops-public/cot-integration-library	1.10.13 → 1.11.0
@types/cookie-parser (source)	1.4.9 → 1.4.10
@types/express (source)	4.17.23 → 4.17.25
@types/node (source)	22.18.6 → 22.19.3
@types/react (source)	19.1.13 → 19.2.7
@types/react (source)	18.3.24 → 18.3.27
@types/react-dom (source)	19.1.9 → 19.2.3
@vitejs/plugin-react (source)	5.0.3 → 5.1.2
dotenv	17.2.2 → 17.2.3
eslint (source)	9.36.0 → 9.39.2
eslint-config-next (source)	15.5.3 → 15.5.9
express (source)	4.21.2 → 4.22.1
isbot (source)	5.1.30 → 5.1.32
jose	6.1.0 → 6.1.3
prettier (source)	3.6.2 → 3.7.4
react (source)	19.1.1 → 19.2.3
react-dom (source)	19.1.1 → 19.2.3
tailwindcss (source)	4.1.13 → 4.1.18
tsx (source)	4.20.5 → 4.21.0
typescript (source)	5.9.2 → 5.9.3
vite-plugin-static-copy	3.1.2 → 3.1.4
winston	3.17.0 → 3.19.0

---

Release Notes

eslint/eslintrc (@​eslint/eslintrc)

v3.3.3

Compare Source

Bug Fixes

• release v3.3.3 because publishing v3.3.2 failed (#​211) (8aa555a)

Shopify/shopify-app-js (@​shopify/api-codegen-preset)

v1.2.1

Patch Changes

• 62394e5: Fixed TypeScript module resolution error by including file extensions (.d.ts or .ts) in generated import paths to support Node16/NodeNext module resolution strategies.

tailwindlabs/tailwindcss (@​tailwindcss/postcss)

v4.1.18

Compare Source

Fixed

• Ensure validation of source(…) happens relative to the file it is in (#​19274)
• Include filename and line numbers in CSS parse errors (#​19282)
• Skip comments in Ruby files when checking for class names (#​19243)
• Skip over arbitrary property utilities with a top-level ! in the value (#​19243)
• Support environment API in @tailwindcss/vite (#​18970)
• Preserve case of theme keys from JS configs and plugins (#​19337)
• Write source maps correctly on the CLI when using --watch (#​19373)
• Handle special defaults (like ringColor.DEFAULT) in JS configs (#​19348)
• Improve backwards compatibility for content theme key from JS configs (#​19381)
• Upgrade: Handle future and experimental config keys (#​19344)
• Try to canonicalize any arbitrary utility to a bare value (#​19379)
• Validate candidates similarly to Oxide (#​19397)
• Canonicalization: combine text-* and leading-* classes (#​19396)
• Correctly handle duplicate CLI arguments (#​19416)
• Don’t emit color-mix fallback rules inside @keyframes (#​19419)
• CLI: Don't hang when output is /dev/stdout (#​19421)

v4.1.17

Compare Source

Fixed

• Substitute @variant inside legacy JS APIs (#​19263)
• Prevent occasional crash on Windows when loaded into a worker thread (#​19242)

v4.1.16

Compare Source

Fixed

• Discard candidates with an empty data type (#​19172)
• Fix canonicalization of arbitrary variants with attribute selectors (#​19176)
• Fix invalid colors due to nested & (#​19184)
• Improve canonicalization for & > :pseudo and & :pseudo arbitrary variants (#​19178)

v4.1.15

Compare Source

Fixed

• Fix Safari devtools rendering issue due to color-mix fallback (#​19069)
• Suppress Lightning CSS warnings about :deep, :slotted, and :global (#​19094)
• Fix resolving theme keys when starting with the name of another theme key in JS configs and plugins (#​19097)
• Allow named groups in combination with not-*, has-*, and in-* (#​19100)
• Prevent important utilities from affecting other utilities (#​19110)
• Don’t index into strings with the theme(…) function (#​19111)
• Fix parsing issue when \t is used in at-rules (#​19130)
• Upgrade: Canonicalize utilities containing 0 values (#​19095)
• Upgrade: Migrate deprecated break-words to wrap-break-word (#​19157)

Changed

• Remove the postinstall script from oxide ([#​19149])(#​19149)

v4.1.14

Compare Source

Fixed

• Handle ' syntax in ClojureScript when extracting classes (#​18888)
• Handle @variant inside @custom-variant (#​18885)
• Merge suggestions when using @utility (#​18900)
• Ensure that file system watchers created when using the CLI are always cleaned up (#​18905)
• Do not generate grid-column utilities when configuring grid-column-start or grid-column-end (#​18907)
• Do not generate grid-row utilities when configuring grid-row-start or grid-row-end (#​18907)
• Prevent duplicate CSS when overwriting a static utility with a theme key (#​18056)
• Show Lightning CSS warnings (if any) when optimizing/minifying (#​18918)
• Use default export condition for @tailwindcss/vite (#​18948)
• Re-throw errors from PostCSS nodes (#​18373)
• Detect classes in markdown inline directives (#​18967)
• Ensure files with only @theme produce no output when built (#​18979)
• Support Maud templates when extracting classes (#​18988)
• Upgrade: Do not migrate variant = 'outline' during upgrades (#​18922)
• Upgrade: Show version mismatch (if any) when running upgrade tool (#​19028)
• Upgrade: Ensure first class inside className is migrated (#​19031)
• Upgrade: Migrate classes inside *ClassName and *Class attributes (#​19031)

trustedshops-public/cot-js-integration-library (@​trustedshops-public/cot-integration-library)

v1.11.0

Compare Source

Features

• create constructor without tsid (#​73) (c757452)
• SW-758: Replace trstd-switch with trstd-login across all usage and references. (#​76) (c3aef6a)

1.10.14 (2025-09-22)

Bug Fixes

• deps: update npm (#​60) (8ea4968)

1.10.13 (2025-09-03)

Bug Fixes

• deps: update npm (#​58) (ba9141e)

1.10.12 (2025-09-03)

Bug Fixes

• deps: update dependency next to v15.4.7 [security] (#​59) (7390d09)

1.10.11 (2025-08-19)

Bug Fixes

• deps: update npm (#​56) (fe33162)

1.10.10 (2025-08-11)

Bug Fixes

• deps: update npm (#​54) (c5f3a52)

1.10.9 (2025-08-04)

Bug Fixes

• deps: update npm (#​53) (c31f7f3)

1.10.8 (2025-08-01)

Bug Fixes

• deps: update npm (#​49) (2427896)

1.10.7 (2025-07-23)

Bug Fixes

• deps: update npm (#​48) (10a2a28)

1.10.6 (2025-07-18)

Bug Fixes

• deps: update dependency @​shopify/polaris to v13 (#​20) (14e064e)

1.10.5 (2025-07-18)

Bug Fixes

• deps: update npm (#​47) (30362ca)

1.10.4 (2025-07-10)

Bug Fixes

• deps: update npm (#​45) (27f2ff0)

1.10.3 (2025-07-02)

Bug Fixes

• use sub in AuthStorageInterface and implementations as primary key (44e3847)

1.10.2 (2025-07-02)

Bug Fixes

• add missing strategy attribute to Script component in CotSwitch (78d118a)

1.10.1 (2025-06-30)

Bug Fixes

• deps: update npm (#​41) (6395c5c)

v1.10.14

Compare Source

Bug Fixes

• deps: update npm (#​60) (8ea4968)

vitejs/vite-plugin-react (@​vitejs/plugin-react)

v5.1.2

Compare Source

v5.1.1

Compare Source

Update code to support newer rolldown-vite (#​976)

rolldown-vite will remove optimizeDeps.rollupOptions in favor of optimizeDeps.rolldownOptions soon. This plugin now uses optimizeDeps.rolldownOptions to support newer rolldown-vite. Please update rolldown-vite to the latest version if you are using an older version.

v5.1.0

Compare Source

Add @vitejs/plugin-react/preamble virtual module for SSR HMR (#​890)

SSR applications can now initialize HMR runtime by importing @vitejs/plugin-react/preamble at the top of their client entry instead of manually calling transformIndexHtml. This simplifies SSR setup for applications that don't use the transformIndexHtml API.

Fix raw Rolldown support for Rolldown 1.0.0-beta.44+ (#​930)

Rolldown 1.0.0-beta.44+ removed the top-level jsx option in favor of transform.jsx. This plugin now uses the transform.jsx option to support Rolldown 1.0.0-beta.44+.

v5.0.4

Compare Source

Perf: use native refresh wrapper plugin in rolldown-vite (#​881)

motdotla/dotenv (dotenv)

v17.2.3

Compare Source

Changed

• Fixed typescript error definition (#​912)

eslint/eslint (eslint)

v9.39.2

Compare Source

v9.39.1

Compare Source

v9.39.0

Compare Source

v9.38.0

Compare Source

Features

• ce40f74 feat: update complexity rule to only highlight function header (#​20048) (Atul Nair)
• e37e590 feat: correct no-loss-of-precision false positives with e notation (#​20187) (Francesco Trotta)

Bug Fixes

• 50c3dfd fix: improve type support for isolated dependencies in pnpm (#​20201) (Francesco Trotta)
• a1f06a3 fix: correct SourceCode typings (#​20114) (Pixel998)

Documentation

• 462675a docs: improve web accessibility by hiding non-semantic character (#​20205) (루밀LuMir)
• c070e65 docs: correct formatting in no-irregular-whitespace rule documentation (#​20203) (루밀LuMir)
• b39e71a docs: Update README (GitHub Actions Bot)
• cd39983 docs: move custom-formatters type descriptions to nodejs-api (#​20190) (Percy Ma)

Chores

• d17c795 chore: upgrade @​eslint/js@​9.38.0 (#​20221) (Milos Djermanovic)
• 25d0e33 chore: package.json update for @​eslint/js release (Jenkins)
• c82b5ef refactor: Use types from @​eslint/core (#​20168) (Nicholas C. Zakas)
• ff31609 ci: add Node.js 25 to ci.yml (#​20220) (루밀LuMir)
• 004577e ci: bump github/codeql-action from 3 to 4 (#​20211) (dependabot[bot])
• eac71fb test: remove use of nodejsScope option of eslint-scope from tests (#​20206) (Milos Djermanovic)
• 4168a18 chore: fix typo in legacy-eslint.js (#​20202) (Sweta Tanwar)
• 205dbd2 chore: fix typos (#​20200) (ntnyq)
• dbb200e chore: use team member's username when name is not available in data (#​20194) (Milos Djermanovic)
• 8962089 chore: mark deprecated rules as available until v11.0.0 (#​20184) (Pixel998)

v9.37.0

Compare Source

Features

• 39f7fb4 feat: preserve-caught-error should recognize all static "cause" keys (#​20163) (Pixel998)
• f81eabc feat: support TS syntax in no-restricted-imports (#​19562) (Nitin Kumar)

Bug Fixes

• a129cce fix: correct no-loss-of-precision false positives for leading zeros (#​20164) (Francesco Trotta)
• 09e04fc fix: add missing AST token types (#​20172) (Pixel998)
• 861c6da fix: correct ESLint typings (#​20122) (Pixel998)

Documentation

• b950359 docs: fix typos across the docs (#​20182) (루밀LuMir)
• 42498a2 docs: improve ToC accessibility by hiding non-semantic character (#​20181) (Percy Ma)
• 29ea092 docs: Update README (GitHub Actions Bot)
• 5c97a04 docs: show availableUntil in deprecated rule banner (#​20170) (Pixel998)
• 90a71bf docs: update README files to add badge and instructions (#​20115) (루밀LuMir)
• 1603ae1 docs: update references from master to main (#​20153) (루밀LuMir)

Chores

• afe8a13 chore: update @eslint/js dependency to version 9.37.0 (#​20183) (Francesco Trotta)
• abee4ca chore: package.json update for @​eslint/js release (Jenkins)
• fc9381f chore: fix typos in comments (#​20175) (overlookmotel)
• e1574a2 chore: unpin jiti (#​20173) (renovate[bot])
• e1ac05e refactor: mark ESLint.findConfigFile() as async, add missing docs (#​20157) (Pixel998)
• 347906d chore: update eslint (#​20149) (renovate[bot])
• 0cb5897 test: remove tmp dir created for circular fixes in multithread mode test (#​20146) (Milos Djermanovic)
• bb99566 ci: pin jiti to version 2.5.1 (#​20151) (Pixel998)
• 177f669 perf: improve worker count calculation for "auto" concurrency (#​20067) (Francesco Trotta)
• 448b57b chore: Mark deprecated formatting rules as available until v11.0.0 (#​20144) (Milos Djermanovic)

vercel/next.js (eslint-config-next)

v15.5.9

Compare Source

v15.5.8

Compare Source

v15.5.7

Compare Source

v15.5.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Turbopack: don't define process.cwd() in node_modules #​83452

Credits

Huge thanks to @​mischnic for helping!

v15.5.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Split code-frame into separate compiled package (#​84238)
• Add deprecation warning to Runtime config (#​84650)
• fix: unstable_cache should perform blocking revalidation during ISR revalidation (#​84716)
• feat: experimental.middlewareClientMaxBodySize body cloning limit (#​84722)
• fix: missing next/link types with typedRoutes (#​84779)

Misc Changes

• docs: early October improvements and fixes (#​84334)

Credits

Huge thanks to @​devjiwonchoi, @​ztanner, and @​icyJoseph for helping!

v15.5.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: ensure onRequestError is invoked when otel enabled (#​83343)
• fix: devtools initial position should be from next config (#​83571)
• [devtool] fix overlay styles are missing (#​83721)
• Turbopack: don't match dynamic pattern for node_modules packages (#​83176)
• Turbopack: don't treat metadata routes as RSC (#​82911)
• [turbopack] Improve handling of symlink resolution errors in track_glob and read_glob (#​83357)
• Turbopack: throw large static metadata error earlier (#​82939)
• fix: error overlay not closing when backdrop clicked (#​83981)
• Turbopack: flush Node.js worker IPC on error (#​84077)

Misc Changes

• [CNA] use linter preference (#​83194)
• CI: use KV for test timing data (#​83745)
• docs: september improvements and fixes (#​83997)

Credits

Huge thanks to @​yiminghe, @​huozhi, @​devjiwonchoi, @​mischnic, @​lukesandberg, @​ztanner, @​icyJoseph, @​leerob, @​fufuShih, @​dwrth, @​aymericzip, @​obendev, @​molebox, @​OoMNoO, @​pontasan, @​styfle, @​HondaYt, @​ryuapp, @​lpalmes, and @​ijjk for helping!

expressjs/express (express)

v4.22.1

Compare Source

v4.22.0

Compare Source

omrilotan/isbot (isbot)

v5.1.32

Compare Source

• [Pattern] Pattern updates

[v5.1.31](https://redirect.github.com/omrilotan/isbot/

---

Configuration

📅 Schedule: Branch creation - "on monday before 8am" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: examples/shopify-integration/package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm warn Unknown project config "auto-install-peers". This will stop working in the next major version of npm.
npm warn Unknown project config "shamefully-hoist". This will stop working in the next major version of npm.
npm warn Unknown project config "enable-pre-post-scripts". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @remix-run/dev@2.17.2
npm error Found: vite@7.1.7
npm error node_modules/vite
npm error   peerOptional vite@"*" from vite-tsconfig-paths@5.1.4
npm error   node_modules/vite-tsconfig-paths
npm error     vite-tsconfig-paths@"^5.0.1" from the root project
npm error   dev vite@"^7.0.0" from the root project
npm error
npm error Could not resolve dependency:
npm error peerOptional vite@"^5.1.0 || ^6.0.0" from @remix-run/dev@2.17.2
npm error node_modules/@remix-run/dev
npm error   @remix-run/dev@"2.17.2" from the root project
npm error   peer @remix-run/dev@"^2.17.0" from @remix-run/fs-routes@2.17.2
npm error   node_modules/@remix-run/fs-routes
npm error     @remix-run/fs-routes@"2.17.2" from the root project
npm error   1 more (@remix-run/route-config)
npm error
npm error Conflicting peer dependency: vite@6.4.1
npm error node_modules/vite
npm error   peerOptional vite@"^5.1.0 || ^6.0.0" from @remix-run/dev@2.17.2
npm error   node_modules/@remix-run/dev
npm error     @remix-run/dev@"2.17.2" from the root project
npm error     peer @remix-run/dev@"^2.17.0" from @remix-run/fs-routes@2.17.2
npm error     node_modules/@remix-run/fs-routes
npm error       @remix-run/fs-routes@"2.17.2" from the root project
npm error     1 more (@remix-run/route-config)
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-01-08T23_05_42_708Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-01-08T23_05_42_708Z-debug-0.log