Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
node (source)		minor	24.16.0 → 24.17.0
node (source)	engines	minor	>=24.16.0 → >=24.17.0
oxc-minify (source)	devDependencies	minor	^0.135.0 → ^0.137.0
pnpm (source)	packageManager	patch	10.34.2 → 10.34.4

---

Release Notes

nodejs/node (node)

v24.17.0: 2026-06-18, Version 24.17.0 'Krypton' (LTS), @​aduh95

Compare Source

This is a security release.

Notable Changes

• (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
• (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
• (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
• (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
• (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
• (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
• (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
• (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
• (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
• (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
• (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low

Commits

• [9e4dfc7bba] - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) nodejs-private/node-private#878
• [cb2aed980c] - deps: update llhttp to 9.4.2 (Antoine du Hamel) nodejs-private/node-private#890
• [a8a0d12875] - (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 (Tim Perry) #​62891
• [66e6203c1c] - (SEMVER-MAJOR) deps: update nghttp2 to 1.69.0 (Node.js GitHub Bot) #​62891
• [dd627ced27] - deps: update archs files for openssl-3.5.7 (Node.js GitHub Bot) #​63820
• [684bae568f] - deps: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) #​63820
• [3a631e7f83] - deps: fix aix implicit declaration in OpenSSL (Abdirahim Musse) #​62656
• [cf44df3996] - deps: update undici to 7.28.0 (Node.js GitHub Bot) #​63703
• [138c70294b] - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) nodejs-private/node-private#868
• [be7e719c3f] - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) nodejs-private/node-private#846
• [cc7c11b4d1] - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) nodejs-private/node-private#855
• [9224427b92] - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) nodejs-private/node-private#867
• [cf85d54839] - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) nodejs-private/node-private#873
• [a1bbc24f96] - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) nodejs-private/node-private#870
• [e3723ff2d6] - test: add session reuse host verification regressions (Matteo Collina) nodejs-private/node-private#854
• [a77af4867b] - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) nodejs-private/node-private#854
• [31beb4f707] - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) nodejs-private/node-private#857
• [8e75c73f91] - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) nodejs-private/node-private#869

pnpm/pnpm (pnpm)

v10.34.4

Compare Source

v10.34.3

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

❌ Deploy Preview for sklauncher-docs failed.

Name	Link
🔨 Latest commit	95cc473
🔍 Latest deploy log	https://app.netlify.com/projects/sklauncher-docs/deploys/6a3478152ebfd700080a4f0a

[socket-security]

No dependency changes detected. Learn more about Socket for GitHub.

👍 No dependency changes detected in pull request

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

 ERR_PNPM_NO_MATURE_MATCHING_VERSION  Version 0.137.0 (released 13 hours ago) of oxc-minify does not meet the minimumReleaseAge constraint

This error happened while installing a direct dependency of /tmp/renovate/repos/github/sklauncher/docs

The latest release of oxc-minify is "0.137.0". Published at 6/18/2026 9:43:51 AM

If you need the full list of all 112 published versions run "pnpm view oxc-minify versions".

If you want to install the matched version ignoring the time it was published, you can add the package name to the minimumReleaseAgeExclude setting. Read more about it: https://pnpm.io/settings#minimumreleaseageexclude