Update patch-updates

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@types/node (source)	20.19.37 → 20.19.41
bun (source)	1.3.11 → 1.3.14
matplotlib	3.10.8 → 3.10.9
matplotlib	==3.10.8 → ==3.10.9
orjson (changelog)	==3.11.7 → ==3.11.9
spacy (source, changelog)	==3.8.11 → ==3.8.14
tornado (source)	==6.5.5 → ==6.5.6
vitest (source)	4.1.0 → 4.1.8

---

Release Notes

oven-sh/bun (bun)

v1.3.14: Bun v1.3.14

Compare Source

To install Bun v1.3.14

curl -fsSL https://bun.sh/install | bash

# or you can use npm
# npm install -g bun

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

To upgrade to Bun v1.3.14:

bun upgrade

Read Bun v1.3.14's release notes on Bun's blog

Thanks to 11 contributors!

• @​190n
• @​alii
• @​carlsmedstad
• @​cirospaciari
• @​coleleavitt
• @​djs5008
• @​dylan-conway
• @​ig-ant
• @​Jarred-Sumner
• @​robobun
• @​sosukesuzuki

v1.3.13: Bun v1.3.13

Compare Source

To install Bun v1.3.13

curl -fsSL https://bun.sh/install | bash

# or you can use npm
# npm install -g bun

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

To upgrade to Bun v1.3.13:

bun upgrade

Read Bun v1.3.13's release notes on Bun's blog

Thanks to 8 contributors!

• @​alii
• @​ant-kurt
• @​chrislloyd
• @​cirospaciari
• @​dylan-conway
• @​jarred-sumner
• @​robobun
• @​sosukesuzuki

v1.3.12: Bun v1.3.12

Compare Source

To install Bun v1.3.12

curl -fsSL https://bun.sh/install | bash

# or you can use npm
# npm install -g bun

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

To upgrade to Bun v1.3.12:

bun upgrade

Read Bun v1.3.12's release notes on Bun's blog

Thanks to 8 contributors!

• @​alii
• @​ant-kurt
• @​cirospaciari
• @​dylan-conway
• @​gameroman
• @​jarred-sumner
• @​robobun
• @​sosukesuzuki

matplotlib/matplotlib (matplotlib)

v3.10.9

Compare Source

This is a micro release of the v3.10.x series.
Highlights of this release include:

• Various minor bug and doc fixes
• Security hardening validation of cyclers - Removing eval usage
• Security hardening in Latex and PS calls - Removing shell escapes

ijl/orjson (orjson)

v3.11.9

Compare Source

Changed

• Build now depends on Rust 1.95 or later instead of 1.89.

Fixed

• Fix building on Rust 1.95.

v3.11.8

Compare Source

Changed

• Build and compatibility improvements.

explosion/spaCy (spacy)

v3.8.14

Compare Source

v3.8.13

Compare Source

v3.8.12

Compare Source

tornadoweb/tornado (tornado)

v6.5.6

Compare Source

vitest-dev/vitest (vitest)

v4.1.8

Compare Source

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in #​10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in #​10474 (675b4)

    View changes on GitHub

v4.1.7

Compare Source

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in #​10384 (4f0f2)

    View changes on GitHub

v4.1.6

Compare Source

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in #​10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in #​10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in #​10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in #​10276 (9f7b1)

    View changes on GitHub

v4.1.5

Compare Source

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in #​10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in #​10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in #​10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in #​10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in #​10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in #​8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in #​8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in #​10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in #​10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in #​10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in #​10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in #​9927 and #​10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in #​10154 (6abd5)

    View changes on GitHub

v4.1.4

Compare Source

   🚀 Features

• coverage:
  • Default to text reporter skipFull if agent detected  -  by @​hi-ogawa in #​10018 (53757)
• experimental:
  • Expose assertion as a public field  -  by @​sheremet-va in #​10095 (a120e)
  • Support aria snapshot  -  by @​hi-ogawa, Claude Opus 4.6 (1M context), @​AriPerkkio, Codex and @​sheremet-va in #​9668 (d4fbb)
• reporter:
  • Add filterMeta option to json reporter  -  by @​nami8824 and @​sheremet-va in #​10078 (b77de)

   🐞 Bug Fixes

• Use "black" foreground for labeled terminal message to ensure contrast  -  by @​hi-ogawa in #​10076 (203f0)
• Make expect(..., message) consistent as error message prefix  -  by @​hi-ogawa and Codex in #​10068 (a1b5f)
• Do not hoist imports whose names match class properties .  -  by @​SunsetFi in #​10093 and #​10094 (0fc4b)
• browser: Spread user server options into browser Vite server in project  -  by @​GoldStrikeArch in #​10049 (65c9d)

    View changes on GitHub

v4.1.3

Compare Source

   🚀 Experimental Features

• Add experimental.preParse flag  -  by @​sheremet-va in #​10070 (78273)
• Support browser.locators.exact option  -  by @​sheremet-va in #​10013 (48799)
• Add TestAttachment.bodyEncoding  -  by @​hi-ogawa in #​9969 (89ca0)
• Support custom snapshot matcher  -  by @​hi-ogawa, Claude Sonnet 4.6 and Codex in #​9973 (59b0e)

   🐞 Bug Fixes

• Advance fake timers with expect.poll interval  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10022 (3f5bf)
• Add @vitest/coverage-v8 and @vitest/coverage-istanbul as optional dependency  -  by @​alan-agius4 in #​10025 (146d4)
• Fix defineHelper for webkit async stack trace + update playwright 1.59.0  -  by @​hi-ogawa in #​10036 (5a5fa)
• Fix suite hook throwing errors for unused auto test-scoped fixture  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10035 (39865)
• expect:
  • Remove JestExtendError.context from verbose error reporting  -  by @​hi-ogawa in #​9983 (66751)
  • Don't leak "runner" types  -  by @​sheremet-va in #​10004 (ec204)
• snapshot:
  • Fix flagging obsolete snapshots for snapshot properties mismatch  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​9986 (6b869)
  • Export custom snapshot matcher helper from vitest  -  by @​hi-ogawa and Codex in #​10042 (691d3)
• ui:
  • Don't leak vite types  -  by @​sheremet-va in #​10005 (fdff1)
• vm:
  • Fix external module resolve error with deps optimizer query  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10024 (9dbf4)

    View changes on GitHub

v4.1.2

Compare Source

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (#​9975).

   🐞 Bug Fixes

• Don't resolve setupFiles from parent directory  -  by @​hi-ogawa in #​9960 (7aa93)
• Ensure sequential mock/unmock resolution  -  by @​hi-ogawa and Claude Opus 4.6 in #​9830 (7c065)
• browser: Take failure screenshot if toMatchScreenshot can't capture a stable screenshot  -  by @​macarie in #​9847 (faace)
• coverage: Correct coverageConfigDefaults values and types  -  by @​Arthie in #​9940 (b3c99)
• pretty-format: Fix output limit over counting  -  by @​hi-ogawa in #​9965 (d3b7a)
• Disable colors if agent is detected  -  by @​sheremet-va and @​AriPerkkio in #​9851 (6f97b)

    View changes on GitHub

v4.1.1

Compare Source

   🚀 Features

• experimental:
  • Expose matchesTagsFilter to test if the current filter matches tags  -  by @​sheremet-va in #​9913 (eec53)
  • Introduce experimental.vcsProvider  -  by @​sheremet-va in #​9928 (56115)

   🐞 Bug Fixes

• Mark TestProject.testFilesList internal properly  -  by @​sapphi-red in #​9867 (54f26)
• Detect fixture that returns without calling use  -  by @​oilater in #​9831 and #​9861 (633ae)
• Drop vite 8.beta support  -  by @​AriPerkkio in #​9862 (b78f5)
• Type regression in vi.mocked() static class methods  -  by @​purepear and @​hi-ogawa in #​9857 (90926)
• Properly re-evaluate actual modules of mocked external  -  by @​hi-ogawa in #​9898 (ae5ec)
• Preserve coverage report when html reporter overlaps  -  by @​hi-ogawa in #​9889 (2d81a)
• Provide vi.advanceTimers to the preview provider  -  by @​sheremet-va in #​9891 (1bc3e)
• Don't leak event listener in playwright provider  -  by @​sheremet-va in #​9910 (d9355)
• Open browser in --standalone mode without running tests  -  by @​sheremet-va in #​9911 (e78ad)
• Guard disposable and optional body  -  by @​sheremet-va in #​9912 (6fdb2)
• Resolve retry.condition RegExp serialization issue  -  by @​nstepien and @​hi-ogawa in #​9942 (7b605)
• collect:
  • Don't treat extra props on test return as tests  -  by @​sheremet-va in #​9871 (141e7)
• coverage:
  • Simplify provider types  -  by @​AriPerkkio in #​9931 (aaf9f)
  • Load built-in provider without module runner  -  by @​AriPerkkio in #​9939 (bf892)
• expect:
  • Soft assertions continue after .resolves/.rejects promise errors  -  by @​mixelburg, Maks Pikov, Claude Opus 4.6 (1M context) and @​hi-ogawa in #​9843 (6d74b)
  • Fix sinon-chai style API  -  by @​hi-ogawa in #​9943 (0f08d)
• pretty-format:
  • Limit output for large object  -  by @​hi-ogawa and Claude Opus 4.6 (1M context) in #​9949 (0d5f9)

    View changes on GitHub

---

Configuration

📅 Schedule: (in timezone UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[claude]

LGTM, routine Renovate patch-version bumps for bun, @types/node, vitest, and Python deps (aiohttp, matplotlib, orjson, spacy, tornado).

Extended reasoning...

Overview

This is a Renovate-generated PR bumping patch versions across four files: .github/workflows/js_tests.yml (bun 1.3.11→1.3.14), chart_data_extractor/poetry.lock and template/requirements.txt (matplotlib 3.10.8→3.10.9, aiohttp 3.13.4→3.13.5, orjson 3.11.7→3.11.9, spacy 3.8.11→3.8.14, tornado 6.5.5→6.5.6), and pnpm-lock.yaml (@types/node 20.19.37→20.19.41, vitest 4.1.0→4.1.8). No source code or logic changes.

Security risks

None introduced. Several of the bumps are themselves security/hardening fixes (matplotlib 3.10.9 removes eval/shell-escape usage; aiohttp 3.13.5 tightens header parsing; vitest 4.1.8 disables a browser CDP API under restrictive flags). All updates are within the same minor version line.

Level of scrutiny

Low. These are mechanical patch-version bumps generated by Renovate, automerge is enabled per the PR description, no API contracts change, and the bug-hunting system found nothing. The template/requirements.txt change runs inside the sandbox, not on production infrastructure.

Other factors

No prior reviews or unresolved comments on the PR timeline. Patterns match prior accepted patch-update PRs in this repo (e.g., commit 83c14be on main is also titled "Update patch-updates"). CI will validate the JS test workflow against the new bun version.