chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@sxzz/eslint-config	^7.4.4 → ^7.8.2
@sxzz/prettier-config	^2.2.6 → ^2.3.1
@types/node (source)	^25.0.3 → ^25.3.2
bumpp	^10.3.2 → ^10.4.1
esbuild	^0.27.2 → ^0.27.3
pnpm (source)	10.27.0 → 10.30.3
prettier (source)	^3.7.4 → ^3.8.1
rolldown (source)	^1.0.0-beta.58 → ^1.0.0-rc.6
rollup (source)	^4.54.0 → ^4.59.0
tsdown (source)	^0.19.0-beta.2 → ^0.20.3
tsdown-preset-sxzz	^0.2.0 → ^0.4.0
vite (source)	^7.3.0 → ^7.3.1
vitest (source)	^4.0.16 → ^4.0.18

---

Release Notes

sxzz/eslint-config (@​sxzz/eslint-config)

v7.8.2

Compare Source

   🐞 Bug Fixes

• Exclude .context directory  -  by @​sxzz (e815c)
• Disable baseline-js/use-baseline for cli scripts  -  by @​sxzz (057f8)

    View changes on GitHub

v7.8.1

Compare Source

   🚀 Features

• Upgrade jsonc plugin  -  by @​sxzz (7aef3)

    View changes on GitHub

v7.8.0

Compare Source

   🚀 Features

• Add eslint 10 support  -  by @​sxzz (e3608)

    View changes on GitHub

v7.7.2

Compare Source

   🐞 Bug Fixes

• Downgrade eslint and @​eslint/js to v9  -  by @​sxzz (46002)

    View changes on GitHub

v7.7.1

Compare Source

   🐞 Bug Fixes

• Disable no-useless-assignment for vue, remove reactivity transform support  -  by @​sxzz (beb15)

    View changes on GitHub

v7.7.0

Compare Source

   🚀 Features

• Support ESLint v10  -  by @​sxzz (e2a57) Not fully supported.

    View changes on GitHub

v7.6.1

Compare Source

No significant changes

    View changes on GitHub

v7.6.0

Compare Source

   🚀 Features

• Add Astro support  -  by @​sxzz in #​154 (5aa3e)
• Add importWithError utility for optional plugin imports  -  by @​sxzz (4ce53)

    View changes on GitHub

v7.5.1

Compare Source

   🐞 Bug Fixes

• Move import condition before require  -  by @​sxzz (c3ca1)

    View changes on GitHub

v7.5.0

Compare Source

   🚀 Features

• Upgrade yaml plugin  -  by @​sxzz (5516e)

    View changes on GitHub

v7.4.5

Compare Source

No significant changes

    View changes on GitHub

sxzz/prettier-config (@​sxzz/prettier-config)

v2.3.1

Compare Source

   🐞 Bug Fixes

• Missing dist  -  by @​sxzz (e1152)

    View changes on GitHub

v2.3.0

Compare Source

No significant changes

    View changes on GitHub

v2.2.7

Compare Source

   🐞 Bug Fixes

• deps:
  • Update all non-major dependencies  -  in #​83 (4484b)
  • Update all non-major dependencies  -  in #​84 (1a098)

    View changes on GitHub

antfu-collective/bumpp (bumpp)

v10.4.1

Compare Source

   🚀 Features

• Add custom path to config  -  by @​OskarLebuda in #​107 (0f2e4)

    View changes on GitHub

v10.4.0

Compare Source

No significant changes

    View changes on GitHub

evanw/esbuild (esbuild)

v0.27.3

Compare Source

• Preserve URL fragments in data URLs (#​4370)

  Consider the following HTML, CSS, and SVG:

  • index.html:

    <!DOCTYPE html>
    <html>
      <head><link rel="stylesheet" href="icons.css"></head>
      <body><div class="triangle"></div></body>
    </html>

  • icons.css:

    .triangle {
      width: 10px;
      height: 10px;
      background: currentColor;
      clip-path: url(./triangle.svg#x);
    }

  • triangle.svg:

    <svg xmlns="http://www.w3.org/2000/svg">
      <defs>
        <clipPath id="x">
          <path d="M0 0H10V10Z"/>
        </clipPath>
      </defs>
    </svg>

  The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

  /* icons.css */
  .triangle {
    width: 10px;
    height: 10px;
    background: currentColor;
    clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
  }

• Parse and print CSS @scope rules (#​4322)

  This release includes dedicated support for parsing @scope rules in CSS. These rules include optional "start" and "end" selector lists. One important consequence of this is that the local/global status of names in selector lists is now respected, which improves the correctness of esbuild's support for CSS modules. Minification of selectors inside @scope rules has also improved slightly.

  Here's an example:

  /* Original code */
  @​scope (:global(.foo)) to (:local(.bar)) {
    .bar {
      color: red;
    }
  }
  
  /* Old output (with --loader=local-css --minify) */
  @​scope (:global(.foo)) to (:local(.bar)){.o{color:red}}
  
  /* New output (with --loader=local-css --minify) */
  @​scope(.foo)to (.o){.o{color:red}}

• Fix a minification bug with lowering of for await (#​4378, #​4385)

  This release fixes a bug where the minifier would incorrectly strip the variable in the automatically-generated catch clause of lowered for await loops. The code that generated the loop previously failed to mark the internal variable references as used.

• Update the Go compiler from v1.25.5 to v1.25.7 (#​4383, #​4388)

  This PR was contributed by @​MikeWillCook.

pnpm/pnpm (pnpm)

v10.30.3

Compare Source

v10.30.2

Compare Source

v10.30.1: pnpm 10.30.1

Compare Source

Patch Changes

• Use the /-/npm/v1/security/audits/quick endpoint as the primary audit endpoint, falling back to /-/npm/v1/security/audits when it fails #​10649.

Platinum Sponsors

Gold Sponsors

v10.30.0: pnpm 10.30

Compare Source

Minor Changes

• pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.

Patch Changes

• Revert pnpm why dependency pruning to prefer correctness over memory consumption. Reverted PR: #​7122.
• Optimize pnpm why and pnpm list performance in workspaces with many importers by sharing the dependency graph and materialization cache across all importers instead of rebuilding them independently for each one #​10596.

Platinum Sponsors

Gold Sponsors

v10.29.3

Compare Source

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

• Security fix: prevent path traversal in directories.bin field.

• When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

  This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

  Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

• Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Gold Sponsors

v10.28.1

Compare Source

v10.28.0

Compare Source

prettier/prettier (prettier)

v3.8.1

Compare Source

v3.8.0

Compare Source

diff

🔗 Release note

rolldown/rolldown (rolldown)

v1.0.0-rc.6

Compare Source

💥 BREAKING CHANGES

• css: remove css_entry_filenames , css_chunk_filenames and related code (#​8402) by @​hyf0
• css: drop builtin CSS bundling to explore alternative solutions (#​8399) by @​hyf0

🚀 Features

• rust/data-url: use hash as id for data url modules to prevent long string overhead (#​8420) by @​hyf0
• validate bundle stays within output dir (#​8441) by @​sapphi-red
• rust: support PluginOrder::PinPost (#​8417) by @​hyf0
• support ModuleType:Copy (#​8407) by @​hyf0
• expose ESTree types from rolldown/utils (#​8400) by @​sapphi-red

🐛 Bug Fixes

• incorrect sourcemap when postBanner/postFooter is used with shebang (#​8459) by @​Copilot
• resolver: disable node_path option to align ESM resolver behavior (#​8472) by @​sapphi-red
• parse .js within "type": "commonjs" as ESM for now (#​8470) by @​sapphi-red
• case-insensitive filename conflict detection for chunk deduplication (#​8458) by @​Copilot
• prevent inlining CJS exports that are mutated by importers (#​8456) by @​IWANABETHATGUY
• parse .cjs / .cts / .js within "type": "commonjs" as CommonJS (#​8455) by @​sapphi-red
• plugin/copy-module: correct hooks' priority (#​8423) by @​hyf0
• plugin/chunk-import-map: ensure render_chunk_meta run after users plugin (#​8422) by @​hyf0
• rust: correct hooks order of DataUriPlugin (#​8418) by @​hyf0
• jsx.preserve should also considering tsconfig json preserve (#​8324) by @​IWANABETHATGUY
• deferred_scan_data.rs "Should have resolved id: NotFound" error (#​8379) by @​sapphi-red
• cli: require value for --dir/-d and --file/-o (#​8378) by @​Copilot
• dev: avoid mutex deadlock caused by inconsistent lock order (#​8370) by @​sapphi-red

🚜 Refactor

• watch: rename TaskStart/TaskEnd to BundleStart/BundleEnd (#​8463) by @​hyf0
• rust: rename rolldown_plugin_data_uri to rolldown_plugin_data_url (#​8421) by @​hyf0
• bindingify-build-hook: extract helper for PluginContextImpl (#​8438) by @​ShroXd
• give source loading a proper name (#​8436) by @​IWANABETHATGUY
• ban holding DashMap refs across awaits (#​8362) by @​sapphi-red

📚 Documentation

• add glob pattern usage example to input option (#​8469) by @​IWANABETHATGUY
• remove https://rolldown.rs from links in reference docs (#​8454) by @​sapphi-red
• mention execution order issue in output.codeSplitting docs (#​8452) by @​sapphi-red
• clarify output.comments behavior a bit (#​8451) by @​sapphi-red
• replace npmjs package links with npmx.dev (#​8439) by @​Boshen
• reference: add Exported from for values / types exported from subpath exports (#​8394) by @​sapphi-red
• add JSDocs for APIs exposed from subpath exports (#​8393) by @​sapphi-red
• reference: generate reference pages for APIs exposed from subpath exports (#​8392) by @​sapphi-red
• avoid pipe character in codeSplitting example to fix broken rendering (#​8391) by @​IWANABETHATGUY

⚡ Performance

• avoid redundant PathBuf allocations in resolve paths (#​8435) by @​Brooooooklyn
• bump to sugar_path@2 (#​8432) by @​hyf0
• use flag-based convergence detection in include_statements (#​8412) by @​Brooooooklyn

🧪 Testing

• execute _test.mjs even if executeOutput is false (#​8398) by @​sapphi-red
• add retry to tree-shake/module-side-effects-proxy4 as it is flaky (#​8397) by @​sapphi-red
• avoid expect.assertions() as it is not concurrent test friendly (#​8383) by @​sapphi-red
• disable mockReset option (#​8382) by @​sapphi-red
• fix flaky failure caused by concurrent resolveId calls (#​8381) by @​sapphi-red

⚙️ Miscellaneous Tasks

• deps: update dependency rollup to v4.59.0 [security] (#​8471) by @​renovate[bot]
• ai/design: add design doc about watch mode (#​8453) by @​hyf0
• deps: update oxc resolver to v11.19.0 (#​8461) by @​renovate[bot]
• ai: introduce progressive spec-driven development pattern (#​8446) by @​hyf0
• deprecate output.legalComments (#​8450) by @​sapphi-red
• deps: update dependency oxlint-tsgolint to v0.15.0 (#​8448) by @​renovate[bot]
• ai: make CLAUDE.md a symlink of AGENTS.md (#​8445) by @​hyf0
• deps: update rollup submodule for tests to v4.59.0 (#​8433) by @​sapphi-red
• deps: update test262 submodule for tests (#​8434) by @​sapphi-red
• deps: update oxc to v0.115.0 (#​8430) by @​renovate[bot]
• deps: update oxc apps (#​8429) by @​renovate[bot]
• deps: update npm packages (#​8426) by @​renovate[bot]
• deps: update rust crate owo-colors to v4.3.0 (#​8428) by @​renovate[bot]
• deps: update github-actions (#​8424) by @​renovate[bot]
• deps: update rust crates (#​8425) by @​renovate[bot]
• deps: update oxc resolver to v11.18.0 (#​8406) by @​renovate[bot]
• deps: update dependency oxlint-tsgolint to v0.14.2 (#​8405) by @​renovate[bot]
• ban expect.assertions in all fixture tests (#​8395) by @​sapphi-red
• deps: update oxc apps (#​8389) by @​renovate[bot]
• ban expect.assertions in fixture tests (#​8387) by @​sapphi-red
• enable lint for _config.ts files (#​8386) by @​sapphi-red
• deps: update dependency oxlint-tsgolint to v0.14.1 (#​8385) by @​renovate[bot]

v1.0.0-rc.5

Compare Source

🚀 Features

• add Visitor to rolldown/utils (#​8373) by @​sapphi-red
• module-info: add inputFormat property to ModuleInfo (#​8329) by @​shulaoda
• default treeshake.invalid_import_side_effects to false (#​8357) by @​sapphi-red
• rolldown_utils: add IndexBitSet (#​8343) by @​sapphi-red
• rolldown_utils: add more methods and trait impls to BitSet (#​8342) by @​sapphi-red
• rolldown_plugin_vite_build_import_analysis: add support for await import().then((m) => m.prop) (#​8328) by @​sapphi-red
• rolldown_plugin_vite_reporter: support custom logger for build infos (#​7652) by @​shulaoda
• rust/mcs: support entriesAwareMergeThreshold (#​8312) by @​hyf0
• mcs: maxSize will split the oversized chunk with taking file relevance into account (#​8277) by @​hyf0
• rolldown_plugin_vite_import_glob: support template literal in glob import patterns (#​8298) by @​shulaoda
• rolldown_plugin_chunk_import_map: output importmap without spaces (#​8297) by @​sapphi-red
• add INEFFECTIVE_DYNAMIC_IMPORT warning in core (#​8284) by @​shulaoda
• mcs: generate more readable name for entriesAware chunks (#​8275) by @​hyf0
• mcs: support entriesAware (#​8274) by @​hyf0

🐛 Bug Fixes

• improve circular dependency detection in chunk optimizer (#​8371) by @​IWANABETHATGUY
• align minify.compress: true and minify.mangle: true with minify: true (#​8367) by @​sapphi-red
• rolldown_plugin_esm_external_require: apply conversion to UMD and IIFE outputs (#​8359) by @​sapphi-red
• cjs: bailout treeshaking on cjs modules that have multiple re-exports (#​8348) by @​hyf0
• handle member expression and this expression in JSX element name rewriting (#​8323) by @​IWANABETHATGUY
• pad encode_hash_with_base output to fixed length to prevent slice panics (#​8320) by @​shulaoda
• xxhash_with_base skips hashing when input is exactly 16 bytes (#​8319) by @​shulaoda
• complete ImportKind::try_from with missing variants and correct url-import to url-token (#​8310) by @​shulaoda
• mark Node.js builtin modules as side-effect-free when resolved via external config (#​8304) by @​IWANABETHATGUY
• mcs: maxSize should split chunks correctly based on sizes (#​8289) by @​hyf0

🚜 Refactor

• introduce RawMangleOptions and RawCompressOptions (#​8366) by @​sapphi-red
• mcs: refactor apply_manual_code_splitting into ManualSplitter (#​8346) by @​hyf0
• rolldown_plugin_vite_reporter: simplify hook registration and remove redundant state (#​8322) by @​shulaoda
• use set to store user defined entry modules (#​8315) by @​IWANABETHATGUY
• rust/mcs: collect groups into map at first for having clean and performant operations (#​8313) by @​hyf0
• mcs: introduce newtype ModuleGroupOrigin and ModuleGroupId (#​8311) by [@​hyf0](https://redirect.github

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/unplugin-raw@25

commit: 53d163b

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	tsdown-preset-sxzz@​0.2.0 ⏵ 0.4.0	+2			+5
	esbuild@​0.27.2 ⏵ 0.27.3
	@​sxzz/​prettier-config@​2.2.6 ⏵ 2.3.1	-1		+1	+2
	rolldown@​1.0.0-beta.58 ⏵ 1.0.0-rc.6	+4		+1	+2
	vitest@​4.0.16 ⏵ 4.0.18			+1	+2
	@​types/​node@​25.0.3 ⏵ 25.3.2	+1		+1	+1
	bumpp@​10.3.2 ⏵ 10.4.1				+2
	vite@​7.3.0 ⏵ 7.3.1	+1		+1	+1
	@​sxzz/​eslint-config@​7.4.4 ⏵ 7.8.2	+1		+1	+1
	rollup@​4.54.0 ⏵ 4.59.0		+16
	tsdown@​0.19.0-beta.2 ⏵ 0.20.3	+1		-4
	prettier@​3.7.4 ⏵ 3.8.1			+1	-1

View full report