Dependency Update October 2025

[renovate]

Performs the following changes:

• Updates npm dependencies, except:
  • Known don't upgrades: angular v20 (and ng-packagr and zone.js), ni eslint v9 packages, tiptap v3, react v19, typescript >v5.4.5
  • @vitejs/plugin-react-swc upgrading caused type and build errors I did not investigate
  • yargs major update requires source changes, didn't look into it
  • newly pinned peer flatbuffers. TypeScript 5.7 changed the definitions of Int32Array to include a generic. The flatbuffers library used by apache-arrow updated to a newer version of typescript and now emits types that rely on Int32 being generic. Because we do full type lib checks this causes an issue and TypeScript fails with Error TS2315: Type 'Int32Array' is not generic. messages. Added a peer dep on the older flatbuffers version to avoid the issue. When the Angular upgrade is done and corresponding TypeScript update we can remove that pinned per flatbuffers dep.
• Updates nuget deps, except:
  • Known don't upgrades: dotnet v9
  • Following the Manual Recurring update task on playwright I tried to find the latest playwright version is 1.55.0 which has a DriverVersion / node dependency version on [email protected]. This seems intentional right now so I instead went with the last release of [email protected] and [email protected]
• This update ends up pulling in the stylistic update in the ni eslint packages and applies formatting changes for it.
  • Updates template.ts files to opt-out of prettier linting altogether (33 of 62 files already manually were) and the @stylistic/indent eslint rule.
• Known workflow issues: With the latest Visual Studio installed and with the dotnet-sdk v8 version we specify in the globals.json file it is not possible to run npm run -w packages\blazor-workspace update-lock-files reliably. It will lock to assembly versions that are not part of the sdk installation, see dotnet issue. The best workaround I have so far is to sync the changes in WSL, nuke any existing dotnet installs in WSL, download the x64 sdk, manually install it, and then update lock files to push to the branch.
• Updates renovate.json to opt-out of package-lock.json updates and npm @ni package updates as separate workflows. Getting the notification for general package.json updates periodically is good enough as updates are a very manual process right now.

Renovate Blazor Update Details

> [!NOTE] > Mend has cancelled [the proposed renaming](https://github.com/renovatebot/renovate/discussions/37842) of the Renovate GitHub app being renamed to `mend[bot]`. > > This notice will be removed on 2025-10-07.

---

This PR contains the following updates:

Package	Change	Age	Confidence
Microsoft.AspNetCore.Components.Web (source)	8.0.19 -> 8.0.20
Microsoft.AspNetCore.Components.WebAssembly.DevServer (source)	8.0.19 -> 8.0.20
Microsoft.AspNetCore.Components.WebAssembly.Server (source)	8.0.19 -> 8.0.20
Microsoft.AspNetCore.Components.WebView (source)	8.0.19 -> 8.0.20
Microsoft.AspNetCore.Mvc.Testing (source)	8.0.19 -> 8.0.20
xunit.runner.visualstudio	3.1.3 -> 3.1.5

---

[!WARNING]
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

dotnet/aspnetcore (Microsoft.AspNetCore.Components.Web)

v8.0.20: .NET 8.0.20

Release

What's Changed

• Update branding to 8.0.20 by @​vseanreesermsft in #​63106
• [release/8.0] (deps): Bump src/submodules/googletest from c67de11 to 373af2e by @​dependabot[bot] in #​63038
• [release/8.0] Dispose the certificate chain elements with the chain by @​MackinnonBuck in #​62994
• [release/8.0] Update SignalR Redis tests to use internal Docker Hub mirror by @​github-actions[bot] in #​63117
• [release/8.0] [SignalR] Don't throw for message headers in Java client by @​github-actions[bot] in #​62784
• Merging internal commits for release/8.0 by @​vseanreesermsft in #​63152
• [release/8.0] Update dependencies from dotnet/extensions by @​dotnet-maestro[bot] in #​63188
• [release/8.0] Update dependencies from dotnet/arcade by @​dotnet-maestro[bot] in #​63189

Full Changelog: dotnet/aspnetcore@v8.0.19...v8.0.20

xunit/visualstudio.xunit (xunit.runner.visualstudio)

v3.1.5

Compare Source

v3.1.4

Compare Source

---

Configuration

📅 Schedule: Branch creation - "monthly" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[github-actions]

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 12 package(s) with unknown licenses.
• ⚠️ 6 packages with OpenSSF Scorecard issues.

View full job summary

[rajsite]

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 12 package(s) with unknown licenses.
• ⚠️ 6 packages with OpenSSF Scorecard issues.

View full job summary

Not sure why this is coming up now. It's complaining about [email protected] which has had a moderate-severity issue since february and was already a dependency in nimble for a long-time.

[jattasNI]

Thanks for handling this!