chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@nuxtjs/seo (source)	5.0.2 → 5.1.0
@takumi-rs/core	1.0.0-beta.20 → 1.0.0-rc.9
@takumi-rs/wasm	1.0.0-beta.20 → 1.0.0-rc.9
discord-api-types (source)	^0.38.41 → ^0.38.42
nuxt-og-image (source)	6.2.6 → 6.3.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

harlan-zw/nuxt-seo (@​nuxtjs/seo)

v5.1.0

Compare Source

   🚀 Features

• Skew protection + ai ready standalone  -  by @​harlan-zw (d0fc2)

    View changes on GitHub

kane50613/takumi (@​takumi-rs/core)

v1.0.0-rc.9

Compare Source

Patch Changes

• @​takumi-rs/helpers@​1.0.0-rc.9

v1.0.0-rc.8

Compare Source

Patch Changes

• @​takumi-rs/helpers@​1.0.0-rc.8

v1.0.0-rc.7

Compare Source

Patch Changes

• @​takumi-rs/helpers@​1.0.0-rc.7

v1.0.0-rc.6

Compare Source

Patch Changes

• @​takumi-rs/helpers@​1.0.0-rc.6

v1.0.0-rc.5

Compare Source

Patch Changes

• @​takumi-rs/helpers@​1.0.0-rc.5

v1.0.0-rc.4

Compare Source

Patch Changes

• Updated dependencies [7ff886b]
• Updated dependencies [7ff886b]
  • @​takumi-rs/helpers@​1.0.0-rc.4

v1.0.0-rc.3

Compare Source

Patch Changes

• 532bc96: Fix bun compile fails to resolve native module #​606
  • @​takumi-rs/helpers@​1.0.0-rc.3

v1.0.0-rc.2

Compare Source

Patch Changes

• 26b5557: Fix dist folder not included
  • @​takumi-rs/helpers@​1.0.0-rc.2

v1.0.0-rc.1

Compare Source

Patch Changes

• @​takumi-rs/helpers@​1.0.0-rc.1

v1.0.0-rc.0

Compare Source

discordjs/discord-api-types (discord-api-types)

v0.38.43

Compare Source

Bug Fixes

• Channel: correct PATCH channel field nullability (#​1575) (a4aa724)
• Gateway: invite create timestamp type, zstd-stream (#​1569) (38b9467)
• Guild: correct optionality and nullability (#​1574) (cf6476d)
• guildScheduledEvent: entity_type required, channel_id nullable (#​1573) (bf12195)
• poll: mark expiry as nullable (#​1576) (dea22dc)
• role colors optionality, color deprecation, and stale annotations (#​1566) (0000e9a)
• send soundboard result type (#​1568) (f1a3cb7)
• split grouped gateway dispatch types (#​1563) (f76c2fa)
• Voice, AuditLog: voice state channel_id, audit log application_id (#​1580) (811314a)
• webhook: correct nullability for guild_id and channel_id (#​1567) (25778ae)

Features

• Application: add activity instance types and endpoint (#​1578) (b985362)
• Application: add webhook event fields to PATCH (#​1570) (e1ff008)
• BaseThemeType: add Unset base theme type (#​1577) (e65e02f)
• guild messages search (#​1583) (a99c8c0)
• Guild: add collectibles to guild member (#​1572) (c8ef2fe)
• Guild: add flags to modify guild member (#​1571) (46b8cbd)
• mark new modal components as stable (#​1556) (818b899)
• message: shared client themes (#​1565) (c3b331d)
• Rest: add missing JSON error codes (#​1579) (ba01bac)
• RESTJSONErrorCodes: add error code 50278 (#​1587) (662cb0c)

nuxt-modules/og-image (nuxt-og-image)

v6.3.1

Compare Source

   🐞 Bug Fixes

• Prefer runtime config for secret  -  by @​harlan-zw (65196)

    View changes on GitHub

v6.3.0

Compare Source

   🚀 Features

• security: Add URL signing to prevent parameter tampering  -  by @​harlan-zw in #​546 (87a25)

   🐞 Bug Fixes

• security: Strict mode, deprecate html  -  by @​harlan-zw in #​545 (25c05)

    View changes on GitHub

---

Configuration

📅 Schedule: Branch creation - "on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for wolfstar-rocks-et34281 ready!

Name	Link
🔨 Latest commit	4da615c
🔍 Latest deploy log	https://app.netlify.com/projects/wolfstar-rocks-et34281/deploys/69d51b3e4039b600087c1681
😎 Deploy Preview	https://deploy-preview-98.wolfstar.rocks
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
Lighthouse	1 paths audited Performance: 82 (no change from production) Accessibility: 100 (no change from production) Best Practices: 92 (no change from production) SEO: 94 (no change from production) PWA: 90 (no change from production) View the detailed breakdown and full score reports

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[sentry]

⚠️ JUnit XML file not found

The CLI was unable to find any JUnit XML files to upload.
For more help, visit our troubleshooting guide.

[codspeed-hq]

Merging this PR will not alter performance

✅ 44 untouched benchmarks

---

_{Comparing renovate/all-minor-patch (d076f96) with main (e9f0471)}

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[lorypelli]

LGTM!

[Copilot]

Pull request overview

This PR updates non-major npm dependencies (Nuxt SEO + OG image related packages, Takumi, Discord API types) and refreshes the locally vendored skilld reference docs under .claude/skills/ to match the new upstream versions.

Changes:

• Bumped runtime/dev dependencies in package.json (notably nuxt-og-image, @takumi-rs/*, discord-api-types) and updated pnpm-lock.yaml.
• Refreshed skilld lock + skill metadata for @nuxtjs/seo@5.1.0 and nuxt-og-image@6.3.1.
• Updated/added multiple skilld reference docs (migration guides + guides) for the updated Nuxt SEO / OG Image versions.

Reviewed changes

Copilot reviewed 26 out of 27 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
pnpm-lock.yaml	Lockfile updates reflecting bumped dependencies (including new transitive deps like React via Takumi).
package.json	Updates version pins for nuxt-og-image, @takumi-rs/*, and discord-api-types.
.claude/skills/skilld-lock.yaml	Updates skilld sync metadata and versions for Nuxt SEO / OG Image skills.
.claude/skills/nuxtjs-seo-skilld/SKILL.md	Updates skill header/version for @nuxtjs/seo@5.1.0.
.claude/skills/nuxtjs-seo-skilld/references/docs/content/6.migration-guide/5.v4-to-v5.md	Expands migration documentation for Nuxt SEO v4 → v5 (Nuxt Content v3 collections + sitemap changes).
.claude/skills/nuxtjs-seo-skilld/references/docs/content/6.migration-guide/3.nuxt-seo-kit.md	Adds/adjusts migration notes (key takeaways + clarified breaking changes).
.claude/skills/nuxtjs-seo-skilld/references/docs/content/6.migration-guide/1.beta-to-rc.md	Small wording tweak in migration guide.
.claude/skills/nuxtjs-seo-skilld/references/docs/content/6.migration-guide/0.rc-to-stable.md	Adds key takeaways + warnings and clarifies guidance.
.claude/skills/nuxtjs-seo-skilld/references/docs/content/2.guides/7.updating-modules.md	New guide content about updating Nuxt SEO modules.
.claude/skills/nuxtjs-seo-skilld/references/docs/content/2.guides/6.debugging-modules.md	New guide content for disabling modules + reproductions.
.claude/skills/nuxtjs-seo-skilld/references/docs/content/2.guides/5.site-config.md	New guide explaining Site Config usage.
.claude/skills/nuxtjs-seo-skilld/references/docs/content/2.guides/4.llms-txt.md	New guide documenting llms.txt routes and usage in AI tools.
.claude/skills/nuxtjs-seo-skilld/references/docs/content/2.guides/3.mcp.md	New guide documenting Nuxt SEO MCP server setup + tool list.
.claude/skills/nuxtjs-seo-skilld/references/docs/content/2.guides/0.using-the-modules.md	Updates module overview copy and adds related links.
.claude/skills/nuxtjs-seo-skilld/references/docs/content/1.getting-started/3.troubleshooting.md	Updates troubleshooting content structure and adds new sections/warnings.
.claude/skills/nuxtjs-seo-skilld/references/docs/content/1.getting-started/1.installation.md	Updates installation doc (standalone modules section + related pages).
.claude/skills/nuxtjs-seo-skilld/references/docs/content/1.getting-started/0.introduction.md	Major rewrite of Nuxt SEO introduction content and module dependency examples.
.claude/skills/nuxtjs-seo-skilld/references/docs/_INDEX.md	Regenerated docs index for Nuxt SEO references (currently has incorrect titles/labels).
.claude/skills/nuxtjs-seo-skilld/PROMPT_best-practices.md	Updates prompt to v5.1.0 (currently contains a malformed markdown link).
.claude/skills/nuxtjs-seo-skilld/PROMPT_api-changes.md	Updates prompt to v5.1.0 (currently contains a malformed markdown link).
.claude/skills/nuxt-og-image-skilld/SKILL.md	Updates skill header/version for nuxt-og-image@6.3.1.
.claude/skills/nuxt-og-image-skilld/references/docs/content/4.api/3.config.md	Adds docs for URL signing/strict mode config and env var usage.
.claude/skills/nuxt-og-image-skilld/references/docs/content/4.api/0.define-og-image.md	Adds docs for new options (url, cacheKey, takumi) and deprecations (html).
.claude/skills/nuxt-og-image-skilld/references/docs/content/3.guides/13.security.md	Expanded security guidance (URL signing + strict mode + DoS concerns).
.claude/skills/nuxt-og-image-skilld/references/docs/_INDEX.md	Updates OG Image docs index summaries.
.claude/skills/nuxt-og-image-skilld/PROMPT_best-practices.md	Updates prompt to v6.3.1 (currently contains a malformed markdown link).
.claude/skills/nuxt-og-image-skilld/PROMPT_api-changes.md	Updates prompt to v6.3.1 (currently contains a malformed markdown link).

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

[github-actions]

✅ Contribution guidelines check passed.

This automated dependency update PR meets all contribution requirements:

• Title follows Conventional Commits format: chore(deps): <description> ✅
• Description clearly lists all updated packages with version changes and release notes ✅
• No screenshots required (no UI changes) ✅

The contribution-ready label has been added.

Generated by Contribution Guidelines Checker for issue #98 · ◷

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/contribution-guidelines-checker.md@1f672aef974f4246124860fc532f82fe8a93a57e

[github-actions]

Dependency update review

This is a clean Renovate batch update. Here's a summary of what changed and what's worth knowing.

CI status

Check	Status
🔠 Lint	✅ Passed
🧪 Unit tests	✅ Passed
🧪 Component tests	✅ Passed
🧹 Unused code	✅ Passed
🛡️ GitGuardian	✅ Passed
🖥️ Browser tests	⏳ In progress
♿ Accessibility (light/dark)	⏳ In progress
⚡ Benchmarks	⏳ In progress

Core quality gates are green; the remaining checks were still running at review time.

---

Notable changes

nuxt-og-image 6.2.6 → 6.3.1 — security opportunity

6.3.0 introduced URL signing to prevent unauthenticated callers from crafting arbitrary image generation requests to /_og/d/ and exhausting server CPU/memory. The existing config (maxQueryParamSize: 2048) is still valid, but the new opt-in hardening is worth considering:

// nuxt.config.ts
ogImage: {
  security: {
    strict: true, // requires NUXT_OG_IMAGE_SECRET to be set
  }
}

Generate a secret with npx nuxt-og-image generate-secret and add NUXT_OG_IMAGE_SECRET=<value> to your production environment. This isn't a breaking change — everything works as-is — but it would close the DoS vector on the runtime OG endpoint if you're not prerendering all OG images.

@takumi-rs/* beta.20 → rc.9 — new react transitive dependency

The rc channel now lists react@19.2.4 as a runtime dep of @takumi-rs/helpers (used server-side for OG template rendering). This is reflected in pnpm-lock.yaml — react is now present in the install. This appears intentional (React is used as the server-side rendering engine for Takumi OG templates), but it does add a new runtime package to the graph. No action needed, just worth being aware of.

@nuxtjs/seo 5.0.2 → 5.1.0

Minor feature bump (skew protection, AI-ready standalone). No config changes needed.

discord-api-types ^0.38.41 → ^0.38.42

Resolves to 0.38.43 in the lock file; contains nullability corrections and new fields. No breaking changes expected.

---

No blocking issues found. Merge once the remaining CI checks complete.

Generated by WolfStar Code Quality Reviewer for issue #98

[github-actions]

CI is failing — blocking issue found

All CI jobs are red due to a single root cause introduced by this PR.

🚨 Root cause: nuxt-og-image v6.3.0 breaking change

The upgrade of nuxt-og-image from v6.2.6 → v6.3.1 introduced security.strict mode. This PR correctly updates nuxt.config.ts to enable strict: true, but strict mode requires a signing secret (NUXT_OG_IMAGE_SECRET). Without it, nuxt prepare throws a fatal error during the postinstall hook, causing every job that runs vp install to fail:

[error] [nuxt-og-image] `security.strict` requires a signing secret.
Generate one with: npx nuxt-og-image generate-secret

✅ Fix checklist

• Run npx nuxt-og-image generate-secret and store the output as a repository/environment secret named NUXT_OG_IMAGE_SECRET
• Add NUXT_OG_IMAGE_SECRET to CI secrets (used by nuxt prepare during install)
• Add NUXT_OG_IMAGE_SECRET to production deployment environment

CI summary

Check	Status
🔠 Lint	✅ Passed
🛡️ GitGuardian	✅ Passed
🧪 Unit tests	❌ Failed (install error)
🧪 Component tests	❌ Failed (install error)
🖥️ Browser tests	❌ Failed (install error)
⚡ Benchmarks	❌ Failed (install error)
♿ Accessibility (light/dark)	❌ Failed (install error)
🧹 Unused code	❌ Failed (install error)
Netlify deploy	❌ Failed (build error)

Once NUXT_OG_IMAGE_SECRET is in place, all jobs should recover. The dependency updates themselves (discord-api-types, @nuxtjs/seo, @takumi-rs) and the skill doc updates look fine.

Generated by WolfStar Code Quality Reviewer for issue #98

[github-actions]

🚨 Blocking: strict: true requires a signing secret

nuxt-og-image v6.3.0 introduced security.strict mode. When strict: true, the module requires a signing secret to be configured, and will throw a fatal error during nuxt prepare if it is missing:

[error] [nuxt-og-image] `security.strict` requires a signing secret.
Generate one with: npx nuxt-og-image generate-secret

This is exactly why all CI jobs are failing — the postinstall step runs nuxt prepare, which aborts with this error.

To fix, you need to:

1. Generate a secret:

   npx nuxt-og-image generate-secret

2. Add NUXT_OG_IMAGE_SECRET to your environment (CI secrets + production deployment).

Alternatively, if strict mode is not yet intended here, revert to the previous explicit options:

ogImage: {
  security: {
    maxQueryParamSize: 2048,
    restrictRuntimeImagesToOrigin: true,
  },
},

Note: the new strict: true flag is a good security improvement (URL signing, SSRF protection), so enabling it with the proper secret is the recommended path going forward.

[github-actions]

Review: Dependency updates look good — one blocking CI issue

The package upgrades are straightforward and the Renovate confidence ratings are reasonable. The intentional config change (nuxt-og-image strict mode) is a positive security improvement, but it has introduced a missing runtime-environment requirement that breaks CI.

✅ What's good

• All five packages are minor/patch upgrades.
• Enabling security.strict: true (URL-parameter signing) is a correct and desirable response to the new nuxt-og-image 6.3.0 security feature.
• .env.example is correctly updated with NUXT_OG_IMAGE_SECRET=.
• Skill reference docs in .claude/skills/ are in sync with the new versions.
• 🔠 Lint project passes.

❌ Blocking issue

All CI jobs fail at install time because nuxt prepare (run during postinstall) throws:

[nuxt-og-image] `security.strict` requires a signing secret.

NUXT_OG_IMAGE_SECRET must be available in the environment when vp install runs. It is not currently set in any CI job or in the Netlify deploy environment.

Required before merge

• Generate a secret: npx nuxt-og-image generate-secret
• Add it as a repository secret (NUXT_OG_IMAGE_SECRET)
• Expose it in .github/workflows/continuous-integration.yml (e.g., top-level env: NUXT_OG_IMAGE_SECRET: $\{\{ secrets.NUXT_OG_IMAGE_SECRET }})
• Add the same secret to the Netlify project environment variables

See the inline comment on nuxt.config.ts:375 for details.

Generated by WolfStar Code Quality Reviewer for issue #98

[github-actions]

CI is fully broken — 6 of 7 jobs fail 🔴

All jobs except 🔠 Lint are failing. The root cause is the nuxt-og-image 6.2.6 → 6.3.1 bump: v6.3.0 introduced security.strict mode which throws a hard error if NUXT_OG_IMAGE_SECRET is not present during nuxt prepare (i.e. at install/postinstall time, not just at runtime).

[nuxt-og-image] `security.strict` requires a signing secret.
Generate one with: npx nuxt-og-image generate-secret

The PR correctly adds NUXT_OG_IMAGE_SECRET to build and test steps — but setup-vp (with cache: true) internally runs vp install, which triggers the postinstall script (nuxt prepare), before those steps ever execute. Lint passes only because it uses run-install: false.

What must be fixed

• Add NUXT_OG_IMAGE_SECRET: ci-test-og-image-secret-at-least-32-characters-long as a job-level env (or to the setup-vp step's env) in every job that uses setup-vp with cache: true:
  • unit (env var currently absent from the entire job)
  • test / component tests (env var currently absent)
  • browser (env var present on build/test steps only — not install)
  • benchmark (env var currently absent)
  • a11y (env var present on build/test steps only — not install)
  • knip (env var currently absent)

See the inline comment for a concrete example.

---

Everything else looks correct ✅

• Enabling security.strict: true in nuxt.config.ts is the right upgrade path from maxQueryParamSize.
• NUXT_OG_IMAGE_SECRET= added to .env.example is correct.
• discord-api-types ^0.38.42 bump is a patch/minor with bug-fix nullability corrections — low risk.
• @nuxtjs/seo 5.0.2 → 5.1.0 adds skew-protection features — no breaking changes.
• @takumi-rs/core and @takumi-rs/wasm jump from beta.20 → rc.9 is notable, but these are dev/OG-image deps; once CI is green the build will validate them.

Once the install-step env vars are in place, this PR should merge cleanly.

Generated by WolfStar Code Quality Reviewer for issue #98

[github-actions]

Root cause of all CI failures is here (and in the other missing jobs below).

nuxt-og-image 6.3.0 added security.strict mode which validates the signing secret during nuxt prepare, not just at runtime. nuxt prepare runs as part of the postinstall script (stale-dep -u && nuxt prepare && vp config), which is triggered by vp install inside the setup-vp action (when cache: true).

NUXT_OG_IMAGE_SECRET is correctly added to the build and test steps here, but those steps run after installation has already failed.

Affected jobs that need the fix:

• browser — needs NUXT_OG_IMAGE_SECRET on the setup-vp step (or as a job-level env)
• unit — env var is absent entirely from this job
• test (component tests) — env var is absent entirely from this job
• benchmark — env var is absent entirely from this job
• knip — env var is absent entirely from this job
• a11y — needs NUXT_OG_IMAGE_SECRET on the setup-vp step (or as job-level env)

The cleanest fix is to add a job-level env block to each affected job, e.g.:

  unit:
    name: 🧪 Unit tests
    runs-on: ubuntu-24.04-arm
    env:
      NUXT_OG_IMAGE_SECRET: ci-test-og-image-secret-at-least-32-characters-long

This ensures the secret is available for every step including setup-vp → vp install → postinstall → nuxt prepare.