chore(deps): update all-dependencies (major)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
actions/checkout	action	major	v4 → v6
actions/setup-node	action	major	v4 → v6
lint-staged	dependencies	major	16.2.7 → 17.0.7
node	uses-with	major	22 → 24
node	final	major	23.11.1-slim → 26.3.0-slim
node	final	major	23.11.1-alpine → 26.3.0-alpine
node	stage	major	23.11.1-slim → 26.3.0-slim
pnpm (source)	packageManager	major	10.26.1 → 11.7.0
postgres		major	16-alpine → 18-alpine

---

Release Notes

actions/checkout (actions/checkout)

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

v6.0.0

Compare Source

v6

Compare Source

v5.0.1

Compare Source

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in #​2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

Compare Source

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in #​2226
• Prepare v5.0.0 release by @​salmanmkc in #​2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v5

Compare Source

actions/setup-node (actions/setup-node)

v6.4.0

Compare Source

v6.3.0

Compare Source

What's Changed

Enhancements:

• Support parsing devEngines field by @​susnux in #​1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

• Fix npm audit issues by @​gowridurgad in #​1491
• Replace uuid with crypto.randomUUID() by @​trivikr in #​1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​1498

Bug fixes:

• Remove hardcoded bearer for mirror-url @​marco-ippolito in #​1467
• Scope test lockfiles by package manager and update cache tests by @​gowridurgad in #​1495

New Contributors

• @​susnux made their first contribution in #​1283

Full Changelog: actions/setup-node@v6...v6.3.0

v6.2.0

Compare Source

v6.1.0

Compare Source

What's Changed

Enhancement:

• Remove always-auth configuration handling by @​priyagupta108 in #​1436

Dependency updates:

• Upgrade @​actions/cache from 4.0.3 to 4.1.0 by @​dependabot[bot] in #​1384
• Upgrade actions/checkout from 5 to 6 by @​dependabot[bot] in #​1439
• Upgrade js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in #​1435

Documentation update:

• Add example for restore-only cache in documentation by @​aparnajyothi-y in #​1419

Full Changelog: actions/setup-node@v6...v6.1.0

v6.0.0

Compare Source

What's Changed

Breaking Changes

• Limit automatic caching to npm, update workflows and documentation by @​priyagupta108 in #​1374

Dependency Upgrades

• Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by @​dependabot[bot] in #​1336
• Upgrade prettier from 2.8.8 to 3.6.2 by @​dependabot[bot] in #​1334
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot[bot] in #​1362

Full Changelog: actions/setup-node@v5...v6.0.0

v6

Compare Source

v5.0.0

Compare Source

What's Changed

Breaking Changes

• Enhance caching in setup-node with automatic package manager detection by @​priya-kinthali in #​1348

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless.
To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

• Upgrade action to use node24 by @​salmanmkc in #​1325

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

• Upgrade @​octokit/request-error and @​actions/github by @​dependabot[bot] in #​1227
• Upgrade uuid from 9.0.1 to 11.1.0 by @​dependabot[bot] in #​1273
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in #​1295
• Upgrade form-data to bring in fix for critical vulnerability by @​gowridurgad in #​1332
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in #​1345

New Contributors

• @​priya-kinthali made their first contribution in #​1348
• @​salmanmkc made their first contribution in #​1325

Full Changelog: actions/setup-node@v4...v5.0.0

v5

Compare Source

lint-staged/lint-staged (lint-staged)

v17.0.7

Compare Source

Patch Changes

• #​1806 e692e58 - Update dependency tinyexec@^1.2.4.

v17.0.6

Compare Source

Patch Changes

• #​1803 bdf2770 - Run all tests with Deno, in addition to Node.js and Bun.

• #​1796 7508272 - Fix performance regression of lint-staged v17 by going back to using git add to stage task modifications. This was changed to git update-index --again in v17 for less manual work, but unfortunately the update-index command gets slower in very large Git repos.

• #​1797 7b2505a - This version of lint-staged uses the new staged publishing for npm packages feature. Releases are already published from GitHub Actions with trusted publishing, but now an additional approval with two-factor authentication is also required.

• #​1802 321b0a9 - Downgrade dependency tinyexec@1.2.2 to avoid issues in version 1.2.3.

v17.0.5

Compare Source

Patch Changes

• #​1792 1f67271 - Correctly set the --max-arg-length default value based on the running platform. This controls how very long lists of staged files are split into multiple chunks.

v17.0.4

Compare Source

Patch Changes

• #​1788 f95c1f8 - Another fix for making sure lint-staged adds task modifications correctly to the commit in the following cases:

  • after editing <file> it is staged with git add <file>, and then committed with git commit
  • after editing <file> it is committed with git commit --all without explicit git add
  • after editing <file> it is committed with git commit <pathspec> without explicit git add

  There's new test cases which actually setup the Git pre_commit hook to run lint-staged and verify them. These issues started in v17.0.0 when trying to improve support for committig without having explicitly staged files.

v17.0.3

Compare Source

Patch Changes

• #​1782 06813f9 Thanks @​iiroj! - Fix lint-staged behavior when implicitly committing files without using git add by either:
  • git commit -am "my commit message" where -a (--all) means to automatically stage all tracked modified and deleted files
  • git commit -m "my commit message" . where . is an example of a pathspec where matching files will be staged

v17.0.2

Compare Source

Patch Changes

• #​1779 88670ca Thanks @​iiroj! - Enable immutable GitHub releases

v17.0.1

Compare Source

Patch Changes

• #​1776 4a5664b Thanks @​iiroj! - Adjust GitHub Actions workflow so that automatic publishing works with signed commits.

v17.0.0

Compare Source

Major Changes

• #​1745 e244adf Thanks @​iiroj! - Node.js v20 is no longer supported, and the oldest supported version is now 22.22.1, which is an active LTS version at the time of this release. Node.js 20 will be EOL after April 2026. Please upgrade your Node.js version!

• #​1676 0584e0b Thanks @​outslept! - Lint-staged now tries to verify the installed Git version is at least 2.32.0, released in 2021. If you're using an even older Git version, you need to upgrade it before running lint-staged!

• #​1745 2dcc40a Thanks @​iiroj! - The dependency yaml is now marked as optional and probably won't be installed by default. If you're using a YAML configuration file you should install the package separately:

  npm install --development yaml

  If you're using .lintstagedrc as the config file name (without a file extension), it will be treated as a YAML file. If the content is JSON, consider renaming it to .lintstagedrc.json to avoid needing to install yaml.

Minor Changes

• #​1748 809d5ef Thanks @​iiroj! - Add new option --hide-all for hiding all unstaged changes and untracked files, before running tasks. This makes it easier to run tools like Knip which check for unused code. Untracked files are included in the backup stash and restored automatically after running.

• #​1759 f13045a Thanks @​iiroj! - Update dependencies, including tinyexec@1.1.1 to fix the following issues:

  • When using a Node.js version manager with multiple versions installed (nvm, n, for example), scripts with the #!/usr/bin/env node shebang (Prettier, ESLint, for example) were previously spawned using the default Node.js version configured by the version manager (the one which node points to) on POSIX systems. Now, they will be spawned with the same version that lint-staged itself was started with.
    • For example, if your default Node.js version is 24.14.1 but lint-staged is run with the latest version 25.9.0, the tasks spawned by lint-staged will now also use version 25.9.0. Previously they were spawned using 24.14.1.
  • When installing Node.js from the Ubuntu App Center (Snap store), the node executable available in PATH is a symlink pointing to Snap itself. The sandboxing features of Snap prevented lint-staged from spawning scripts with the #!/usr/bin/env node shebang, because it meant lint-staged tried to spawn Snap via the symlink. This resulted in an ENOENT error when trying to run prettier, for example. Now, since the real node executable's directory is available in the PATH, lint-staged will instead spawn the script with the real node binary succesfully.

• #​1761 d3251b1 Thanks @​iiroj! - Lint-staged now runs git update-index --again after running tasks, instead of git add <originally staged files>. This should improve compatibility when using non-default indexes, for example when committing with a pathspec git commit -m "message" . instead of adding files to the index.

• #​1745 a9585ac Thanks @​iiroj! - Remove commander as a dependency and use the built-in parseArgs from node:util to parse CLI flags.

Patch Changes

• #​1755 c82d30b Thanks @​iiroj! - All tests now pass on the Bun runtime (latest).

• #​1750 a401818 Thanks @​iiroj! - Remove manual handling for git stash --keep-index resurrecting deleted files, because the issue was fixed in Git 2.23.0 and lint-staged requires at least Git 2.32.0.

• #​1771 c4b8936 Thanks @​iiroj! - Fix documentation about multiple config files and the --cwd option. When using it, all tasks will be run in the specified directory. For example, to run everything in the actual process.cwd(), use lint-staged --cwd=".".

v16.4.0

Compare Source

Minor Changes

• #​1739 687fc90 Thanks @​hyperz111! - Replace micromatch with picomatch to reduce dependencies.

v16.3.4

Compare Source

Patch Changes

• #​1742 9d6e827 Thanks @​iiroj! - Update dependencies, including tinyexec@1.0.4 to make sure local node_modules/.bin are preferred to global locations (released in tinyexec@1.0.3).

v16.3.3

Compare Source

Patch Changes

• #​1740 0109e8d Thanks @​iiroj! - Make sure Git's warning about CRLF line-endings doesn't interfere with creating initial backup stash.

v16.3.2

Compare Source

Patch Changes

• #​1735 2adaf6c Thanks @​iiroj! - Hide the extra cmd window on Windows by spawning tasks without the detached option.

v16.3.1

Compare Source

Patch Changes

• #​1729 cd5d762 Thanks @​iiroj! - Remove nano-spawn as a dependency from package.json as it was replaced with tinyexec and is no longer used.

v16.3.0

Compare Source

Minor Changes

• #​1698 feda37a Thanks @​iiroj! - Run external processes with tinyexec instead of nano-spawn. nano-spawn replaced execa in lint-staged version 16 to limit the amount of npm dependencies required, but caused some unknown issues related to spawning tasks. Let's hope tinyexec improves the situation.

• #​1699 1346d16 Thanks @​iiroj! - Remove pidtree as a dependency. When a task fails, its sub-processes are killed more efficiently via the process group on Unix systems, and the taskkill command on Windows.

Patch Changes

• #​1726 87467aa Thanks @​iiroj! - Incorrect brace expansions like *.{js} (nothing to expand) are detected exhaustively, instead of just a single pass.

actions/node-versions (node)

v24.16.0: 24.16.0

Compare Source

Node.js 24.16.0

v24.15.0: 24.15.0

Compare Source

Node.js 24.15.0

v24.14.1: 24.14.1

Compare Source

Node.js 24.14.1

v24.14.0: 24.14.0

Compare Source

Node.js 24.14.0

v24.13.1: 24.13.1

Compare Source

Node.js 24.13.1

v24.13.0: 24.13.0

Compare Source

Node.js 24.13.0

v24.12.0: 24.12.0

Compare Source

Node.js 24.12.0

v24.11.1: 24.11.1

Compare Source

Node.js 24.11.1

v24.11.0: 24.11.0

Compare Source

Node.js 24.11.0

v24.10.0: 24.10.0

Compare Source

Node.js 24.10.0

v24.9.0: 24.9.0

Compare Source

Node.js 24.9.0

v24.8.0: 24.8.0

Compare Source

Node.js 24.8.0

v24.7.0: 24.7.0

Compare Source

Node.js 24.7.0

v24.6.0: 24.6.0

Compare Source

Node.js 24.6.0

v24.5.0: 24.5.0

Compare Source

Node.js 24.5.0

v24.4.1: 24.4.1

Compare Source

Node.js 24.4.1

v24.4.0: 24.4.0

Compare Source

Node.js 24.4.0

v24.3.0: 24.3.0

Compare Source

Node.js 24.3.0

v24.2.0: 24.2.0

Compare Source

Node.js 24.2.0

v24.1.0: 24.1.0

Compare Source

Node.js 24.1.0

v24.0.2: 24.0.2

Compare Source

Node.js 24.0.2

v24.0.1: 24.0.1

Compare Source

Node.js 24.0.1

v24.0.0: 24.0.0

Compare Source

Node.js 24.0.0

nodejs/node (node)

v26.3.0: 2026-06-01, Version 26.3.0 (Current), @​aduh95

Compare Source

Notable Changes

Potential changes to macOS Universal Binary availability

With Apple and its ecosystem progressively dropping support for Intel-based
architectures, it has become apparent that the Node.js project may not be able
to maintain the universal binaries we currently distribute for the full lifetime
of Node.js 26. This change serves to communicate that risk. At present, our
intention remains to continue shipping universal binaries supporting both Apple
Silicon and Intel-based Macs for as long as practical.

Contributed by Antoine du Hamel in #​63055.

Other notable changes

• [a2a4b33dd8] - (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) #​63597
• [051a2152f7] - crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #​63527
• [49462eca37] - (SEMVER-MINOR) http: add httpValidation option to configure header value validation (RajeshKumar11) #​61597
• [97b7ab19bd] - (SEMVER-MINOR) inspector: expose precise coverage start to JS runtime (sangwook) #​63079
• [cfb80a2103] - (SEMVER-MINOR) lib,permission: add permission.drop (Rafael Gonzaga) #​62672

Commits

• [a2a4b33dd8] - (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) #​63597
• [0eff3e23b9] - build: def NODE_USE_NODE_CODE_CACHE only used in node_mksnapshot (Chengzhong Wu) #​63588
• [447ab2d252] - build,win: fix VS2022 arm64 PGO build (Stefan Stojanovic) #​63413
• [86032758e4] - build,win: replace LTCG with Thin LTO for releases (Stefan Stojanovic) #​63114
• [5f4d794052] - build,win: add Rust toolchain automated configuration Windows (Mike McCready) #​63381
• [051a2152f7] - crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #​63527
• [d0f65e3579] - crypto: coerce -0 keylen to +0 in pbkdf2 and scrypt (Jordan Harband) #​63531
• [e3ddb326c9] - crypto: harden WebCrypto against prototype pollution (Filip Skokan) #​63363
• [e04cd17dc0] - crypto: pass CryptoKey handles to KDF jobs (Filip Skokan) #​63363
• [64ba74d847] - crypto: remove async from WebCrypto methods (Filip Skokan) #​63363
• [bd230418b4] - crypto: add WebCrypto CryptoJob mode (Filip Skokan) #​63363
• [1a4090a83d] - debugger: surface inspector failures in probe mode (Joyee Cheung) #​63437
• [dbc78ff825] - debugger,test: deflake resume failure test and add debug logs (Joyee Cheung) #​63524
• [4da442f432] - deps: upgrade npm to 11.16.0 (npm team) #​63602
• [63372cfa87] - deps: SQLite: cherry-pick b869ed6 (Junsu Han) #​63525
• [e286fa170d] - deps: upgrade npm to 11.15.0 (npm team) #​63463
• [de996437a5] - doc: downgrade macOS x64 to Tier 2 (Antoine du Hamel) #​63055
• [22ac78750c] - doc: remove duplicated sentences in large-pull-requests.md (Joyee Cheung) #​63650
• [532f7f2085] - doc: update git node land instructions for security releases (Antoine du Hamel) #​63586
• [c61f90dfb9] - doc: drop --experimental from --permission (Rafael Gonzaga) #​63583
• [fd69d7b16a] - doc: improve fs.StatFs properties descriptions (aymanxdev) #​62578
• [693257782c] - doc: generate llms.txt (Guilherme Araújo) #​62027
• [55a57beb26] - doc: explicitly ask for reproducible in JS (Rafael Gonzaga) #​63479
• [4895c2babc] - doc: fix URL postMessage example in worker_threads (Kit Dallege) #​62203
• [0355c36e37] - doc: clarify filter option of sqlite.database.applyChangeset (Antoine du Hamel) #​63515
• [c85ee22df6] - doc: fix double spaces in ERR_TLS_INVALID_PROTOCOL_METHOD (Daijiro Wachi) #​63511
• [62947192f6] - doc: move hyperlinks outside of text blocks (Aviv Keller) #​63493
• [9849690a1d] - doc: edit Rust toolchain general install instructions (Antoine du Hamel) #​63488
• [885d2462e9] - doc: fix double space in modules.md (Daijiro Wachi) #​63512
• [42fbb48bc6] - doc: fix "options" to "option" in tls.createServer (Daijiro Wachi) #​63453
• [05a7b0a301] - doc: add Rust toolchain general install instructions (Mike McCready) #​63426
• [e13dfd7ed0] - doc: update toolchain for official releases (Richard Lau) #​63441
• [82306881cc] - doc: fix typo in deprecations (Daijiro Wachi) #​63434
• [eeb77d217c] - doc,lib: align WebCrypto names with spec (Filip Skokan) #​63518
• [679e13c57f] - errors: handle V8 warnings in DisallowJavascriptExecutionScope (Divyanshu Sharma) #​63491
• [7f41f5d803] - ffi: validate 'void' as parameter type in getFunction and getFunctions (Anshika Jain) #​63504
• [972cd227cb] - ffi: remove function signature property aliases (René) #​63482
• [5d7805e433] - ffi: move DynamicLibrary disposer to native layer (René) #​63459
• [5a0b32dc24] - gyp: update deps gypfiles (Nad Alaba) #​63117
• [49462eca37] - (SEMVER-MINOR) http: add httpValidation option to configure header value validation (RajeshKumar11) #​61597
• [e3c6629ee3] - http2: emit session close before stream close (Matteo Collina) #​63414
• [97b7ab19bd] - (SEMVER-MINOR) inspector: expose precise coverage start to JS runtime (sangwook) #​63079
• [6bef10e7b7] - lib: cleanup stateless diffiehellman key handling (Filip Skokan) #​62645
• [fdc0b3d49c] - lib: define kEnumerableProperty atomically (Antoine du Hamel) #​63609
• [99baf27aeb] - lib: fix typos in esm loader comments (RonGamzu) #​63465
• [cfb80a2103] - (SEMVER-MINOR) lib,permission: add permission.drop (Rafael Gonzaga) #​62672
• [8e75efb9bc] - meta: flip mcollina emails in .mailmap (Matteo Collina) #​63621
• [a4ae97045f] - meta: label "source maps" PRs (Chengzhong Wu) #​63591
• [3455a48ae1] - meta: add vfs subsystem label (René) #​62331
• [01bfcdfc20] - meta: skip scheduled workflows on forks (Jamie Magee) #​63565
• [bc4c457eae] - meta: add additional gitignore entries (James M Snell) #​63267
• [e1d65d9509] - module: load ESM helpers eagerly in the snapshot (Joyee Cheung) #​63550
• [6a97b0932a] - quic: add proper error codes & messages for QUIC failures (Tim Perry) #​63198
• [5989f4a6e1] - quic: support hostname verification (James M Snell) #​63483
• [b4d30e7a78] - quic: add stream idle timeout (James M Snell) #​63483
• [8a1017f774] - quic: add block list support for endpoints (James M Snell) #​63483
• [5a3ab93c49] - quic: improve peer cert verification (James M Snell) #​63483
• [9701a82a78] - quic: handle h3 max header size option (James M Snell) #​63483
• [71788a2048] - quic: add rate limiting docs (James M Snell) #​63483
• [309bd49906] - quic: cache timestamp for address lru cache (James M Snell) #​63483
• [2ce5588d51] - quic: add session creation rate limiting (James M Snell) #​63483
• [98808baed1] - quic: refine rate limiting (James M Snell) #​63483
• [75a4176b32] - quic: flip preferred address policy default to 'ignore' (James M Snell) #​63483
• [8b6b03d60c] - quic: add doc note about certificate size limitations (James M Snell) #​63483
• [30eff873e0] - quic: add applicationOptions to session (James M Snell) #​63267
• [4303daa43c] - quic: add getters for local and remote transport parameters (James M Snell) #​63267
• [e1b1bb5465] - quic: improve recv coalescing test sizes (James M Snell) #​63267
• [25a416f457] - quic: add initial RTT option to session options (James M Snell) #​63267
• [22e91c357f] - quic: enable recvmmsg batching in Endpoint (James M Snell) #​63267
• [c96d8a9d9b] - quic: improve stream header collection performance (James M Snell) #​63267
• [409460f2ce] - quic: add reusePort option to QuicEndpoint (James M Snell) #​63267
• [9a2afffec9] - quic: coalesce received data into fewer buffers (James M Snell) #​63267
• [f9a6a2f558] - quic: apply multiple additional minor improvements (James M Snell) #​63267
• [ea5f3724ee] - quic: fix tests that are missing serverEndpoint close (James M Snell) #​63267
• [6cffc931fc] - quic: fixup some v8:: qualifiers (James M Snell) #​63267
• [9bc875e522] - quic: fix premature unref of endpoint when listening (James M Snell) [#​63267](https://redirect.github.com/no

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
express_boilerplate	Ready	Preview, Comment	Jun 15, 2026 12:39pm
express-boilerplate	Ready	Preview, Comment	Jun 15, 2026 12:39pm
express-v5-typescript-boilerplate	Ready	Preview, Comment	Jun 15, 2026 12:39pm