Update ui deps sync

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@openzeppelin/confidential-contracts (source)	^0.3.1 → ^0.4.0
@rollup/plugin-commonjs (source)	^28.0.8 → ^28.0.9
@rollup/plugin-replace (source)	^6.0.2 → ^6.0.3
@rollup/plugin-typescript (source)	^12.1.4 → ^12.3.0
@types/node (source)	^20.19.21 → ^20.19.39
@upstash/redis (source)	1.35.6 → 1.37.0
@upstash/redis (source)	1.35.6 → 1.37.0
autoprefixer	^10.4.21 → ^10.5.0
jszip	3.6.0 → 3.10.1
postcss (source)	^8.5.6 → ^8.5.10
semver	^7.7.3 → ^7.7.4
tailwindcss (source)	^3.4.18 → ^3.4.19

---

Release Notes

OpenZeppelin/openzeppelin-confidential-contracts (@​openzeppelin/confidential-contracts)

v0.4.0

Compare Source

• Migrate @fhevm/solidity dependency to 0.11.1 (#​311)
• Upgrade openzeppelin/contracts and openzeppelin/contracts-upgradeable to v5.6.1 (#​314)

Token

• ERC7984ERC20Wrapper: use a bytes32 unwrap request identifier instead of identifying batches by the euint64 unwrap amount. (#​326)
• ERC7984ERC20Wrapper: Support ERC-165 interface detection on ERC7984ERC20Wrapper. (#​267)
• ERC7984ERC20Wrapper: return the amount of wrapped token sent on wrap calls. (#​307)
• ERC7984ERC20Wrapper: return unwrapped amount on unwrap calls (#​288)
• ERC7984ERC20Wrapper: revert on wrap if there is a chance of total supply overflow. (#​268)
• ERC7984Restricted, ERC7984Rwa: Rename isUserAllowed to canTransact (#​291)

Finance

• BatcherConfidential: A batching primitive that enables routing between two ERC7984ERC20Wrapper contracts via a non-confidential route. (#​293)

Utils

• HandleAccessManager: change _validateHandleAllowance to return a boolean and validate it. (#​303)

rollup/plugins (@​rollup/plugin-commonjs)

v28.0.9

2025-10-24

Bugfixes

• fix: handle node: builtins with strictRequires: auto (#​1930)

rollup/plugins (@​rollup/plugin-replace)

v6.0.3

2025-10-29

Bugfixes

• fix: update delimiters to respect valid js identifier chars (#​1938)

rollup/plugins (@​rollup/plugin-typescript)

v12.3.0

2025-10-23

Features

• feat: expose latest Program to transformers in watch mode (#​1923)

v12.2.0

2025-10-22

Features

• feat: process .js when allowJs is enabled (#​1920)

upstash/redis-js (@​upstash/redis)

v1.37.0

Compare Source

Minor Changes

• 6f2a831: Release redis search

Patch Changes

• 3980b45: Add monorepo structure

v1.36.4

Compare Source

What's Changed

• fix: prevent more than one script init running at once by @​myandrienko in #​1411
• DX-2479: strip v prefix from version in release workflow by @​CahidArda in #​1417

New Contributors

• @​myandrienko made their first contribution in #​1411

Full Changelog: upstash/redis-js@v1.36.3...v1.36.4

v1.36.3

Compare Source

What's Changed

• DX-2278: use npm OIDC by @​CahidArda in #​1408
• DX-2446: expose TData generic on xrange and xrevrange by @​CahidArda in #​1414
• DX-2439: add sintercard by @​CahidArda in #​1413

Full Changelog: upstash/redis-js@v1.36.2...v1.36.3

v1.36.2

Compare Source

What's Changed

• DX-2363: add redis-js skills by @​CahidArda in #​1406
• Dx 2353: Add commands HGETDEL, HGETEX, HSETEX, XDELEX, XACKDEL, CLIENT SETINFO and add new options to BITOP and XADD by @​alitariksahin in #​1407

Full Changelog: upstash/redis-js@v1.36.1...v1.36.2

v1.36.1

Compare Source

What's Changed

• feat: support chunked messages by @​joschan21 in #​1404

Full Changelog: upstash/redis-js@v1.36.0...v1.36.1

v1.36.0

Compare Source

What's Changed

• feat: add redis functions support by @​ytkimirti in #​1401

Full Changelog: upstash/redis-js@v1.35.8...v1.36.0

v1.35.8

Compare Source

What's Changed

• DX-2280: Remove large-group runners by @​CahidArda in #​1398
• fix: bump next by @​CahidArda in #​1400
• fix: improve env variable access by @​ytkimirti in #​1399

Full Changelog: upstash/redis-js@v1.35.7...v1.35.8

v1.35.7

Compare Source

What's Changed

• DX-2204: document telemetry configuration option by @​CahidArda in #​1393
• DX-2265: add Requester type declaration by @​CahidArda in #​1397
• Fix: zremrangebyscore should accept string | number for min/max scores by @​mvonschledorn in #​1396

New Contributors

• @​mvonschledorn made their first contribution in #​1396

Full Changelog: upstash/redis-js@v1.35.6...v1.35.7

postcss/autoprefixer (autoprefixer)

v10.5.0

Compare Source

• Added mask-position-x and mask-position-y support (by @​toporek).

v10.4.27

Compare Source

• Removed development key from package.json.

v10.4.26

Compare Source

• Reduced package size.

v10.4.25

Compare Source

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

v10.4.24

Compare Source

• Made Autoprefixer a little faster (by @​Cherry).

v10.4.23

Compare Source

• Reduced dependencies (by @​hyperz111).

v10.4.22

Compare Source

• Fixed stretch prefixes on new Can I Use database.
• Updated fraction.js.

Stuk/jszip (jszip)

v3.10.1

Compare Source

• Add sponsorship files.
  • If you appreciate the time spent maintaining JSZip then I would really appreciate your sponsorship.
• Consolidate metadata types and expose OnUpdateCallback #​851 and #​852
• use const instead var in example from README.markdown #​828
• Switch manual download link to HTTPS #​839

Internals:

• Replace jshint with eslint #​842
• Add performance tests #​834

v3.10.0

Compare Source

• Change setimmediate dependency to more efficient one. Fixes #​617 (see #​829)
• Update types of currentFile metadata to include null (see #​826)

v3.9.1

Compare Source

• Fix recursive definition of InputFileFormat introduced in 3.9.0.

v3.9.0

Compare Source

• Update types JSZip#loadAsync to accept a promise for data, and remove arguments from new JSZip() (see #​752)
• Update types for compressionOptions to JSZipFileOptions and JSZipGeneratorOptions (see #​722)
• Add types for generateInternalStream (see #​774)

v3.8.0

Compare Source

• Santize filenames when files are loaded with loadAsync, to avoid "zip slip" attacks. The original filename is available on each zip entry as unsafeOriginalName. See the documentation. Many thanks to McCaulay Hudson for reporting.

v3.7.1

Compare Source

• Fix build of dist files.
  • Note: this version ensures the changes from 3.7.0 are actually included in the dist files. Thanks to Evan W for reporting.

v3.7.0

Compare Source

• Fix: Use a null prototype object for this.files (see #​766)
  • This change might break existing code if it uses prototype methods on the .files property of a zip object, for example zip.files.toString(). This approach is taken to prevent files in the zip overriding object methods that would exist on a normal object.

postcss/postcss (postcss)

v8.5.10

Compare Source

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

v8.5.9

Compare Source

• Speed up source map encoding paring in case of the error.

v8.5.8

Compare Source

• Fixed Processor#version.

v8.5.7

Compare Source

• Improved source map annotation cleaning performance (by CodeAnt AI).

npm/node-semver (semver)

v7.7.4

Compare Source

Bug Fixes

• a29faa5 #​835 cli: pass options to semver.valid() for loose version validation (#​835) (@​mldangelo)

Documentation

• 1d28d5e #​836 fix typos and update -n CLI option documentation (#​836) (@​mldangelo)

Dependencies

• 120968b #​840 @npmcli/template-oss@4.29.0 (#​840)

Chores

• 44d7130 #​824 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#​824) (@​dependabot[bot])
• 7073576 #​820 reorder parameters in invalid-versions.js test (#​820) (@​reggi)
• 5816d4c #​829 bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#​829) (@​dependabot[bot], @​npm-cli-bot)

tailwindlabs/tailwindcss (tailwindcss)

v3.4.19

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code implements a standard AJV-like dynamic parser generator for JTD schemas. There are no explicit malware indicators in this fragment. The primary security concern is the dynamic code generation and execution from external schemas, which introduces a medium risk if schemas are untrusted. With trusted schemas and proper schema management, the risk is typically acceptable within this pattern. Confidence: 1.00 Severity: 0.60 From: ? → npm/ajv@8.18.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: This module generates JavaScript code at runtime via standaloneCode(...) and then immediately executes it with require-from-string. Because the generated code can incorporate user-supplied schemas or custom keywords without sanitization or sandboxing, an attacker who controls those inputs could inject arbitrary code and achieve remote code execution in the Node process. Users should audit and lock down the standaloneCode output or replace dynamic evaluation with a safer, static bundling approach. Confidence: 1.00 Severity: 0.60 From: ? → npm/ajv@8.18.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code implements standard timestamp validation with clear logic for normal and leap years and leap seconds. There is no network, file, or execution of external code within this isolated fragment. The only anomalous aspect is assigning a string to validTimestamp.code, which could enable external tooling to inject behavior in certain environments, but this does not constitute active malicious behavior in this isolated snippet. Overall, low to moderate security risk in typical usage; no malware detected within the shown code. Confidence: 1.00 Severity: 0.60 From: ? → npm/ajv@8.18.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ignore is 100.0% likely to have a medium risk anomaly Notes: The code fragment represents a conventional, well-structured path-ignore utility with caching and recursive parent-directory evaluation. Windows path normalization is present for compatibility but does not indicate malicious intent. No indicators of data leakage, external communication, or covert backdoors were found. Security impact primarily revolves around correct ignore semantics rather than intrinsic vulnerabilities. The component remains appropriate for use in a broader security-conscious pipeline if used with careful awareness of what is being ignored. Confidence: 1.00 Severity: 0.60 From: ? → npm/ignore@7.0.5 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ignore@7.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm prettier is 100.0% likely to have a medium risk anomaly Notes: No definitive malware detected in this fragment. The main security concern is supply-chain risk from dynamically loading plugins from potentially untrusted sources. To mitigate, enforce strict plugin provenance, disable remote plugin loading, verify plugin integrity, and apply least-privilege execution for plugins. Confidence: 1.00 Severity: 0.60 From: package.json → npm/prettier@3.6.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/prettier@3.6.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[coderabbitai]

Walkthrough

Package.json devDependencies updated: @types/node from ^20.19.21 to ^20.19.22 and rollup from ^4.52.4 to ^4.52.5. These are patch version updates with no runtime behavior changes.

Changes

Cohort / File(s)	Summary
DevDependency version updates packages/ui/package.json	@types/node: ^20.19.21 → ^20.19.22; rollup: ^4.52.4 → ^4.52.5

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• Renovate update import and package #674: Also modifies packages/ui/package.json for dependency management through Renovate rules.

Suggested reviewers

• ericglau
• collins-w

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title "Update ui deps sync" is directly related to the changeset, which updates dependencies in the packages/ui/package.json file (@types/node and rollup versions). The title accurately indicates the primary change involves updating UI package dependencies, and a teammate scanning the commit history would understand this is about dependency updates for the UI package. While the term "sync" is somewhat informal and could be more explicit about which dependencies are affected, the title is sufficiently clear and specific to describe the main change.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.
Description check	✅ Passed	The PR description provides a detailed table of dependency updates with version changes and release notes for each package, which directly relates to the changeset of updating dependencies in package.json.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/ui-deps-sync

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​changesets/​changelog-github@​0.5.1
	typescript-eslint@​8.39.1
	@​types/​semver@​7.7.1
	@​openzeppelin/​confidential-contracts@​0.3.1
	@​types/​node@​20.19.39
	postcss@​8.5.10
	concurrently@​9.2.0
	semver@​7.7.4
	eslint-config-prettier@​10.1.8
	prettier-plugin-svelte@​3.4.0
	eslint@​9.33.0
	eslint-plugin-unicorn@​61.0.2
	typescript@​5.9.3
	prettier@​3.6.2
	eslint-plugin-prettier@​5.5.4
	@​eslint/​js@​9.33.0
	@​openzeppelin/​contracts@​5.4.0
	@​changesets/​cli@​2.29.5
	@​openzeppelin/​community-contracts@​0.0.1

View full report