chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sxzz/eslint-config	^7.8.2 → ^7.8.3
@types/node (source)	^25.3.3 → ^25.3.5
eslint (source)	^9.39.2 → ^9.39.4
pnpm (source)	10.30.3 → 10.31.0
tsdown (source)	^0.20.3 → ^0.21.0

---

Release Notes

sxzz/eslint-config (@​sxzz/eslint-config)

v7.8.3

Compare Source

   🚀 Features

• Add inlinedDependencies to sort order in package.json  -  by @​sxzz (3caa8)

    View changes on GitHub

eslint/eslint (eslint)

v9.39.4

Compare Source

Bug Fixes

• f18f6c8 fix: update dependency minimatch to ^3.1.5 (#​20564) (Milos Djermanovic)
• a3c868f fix: update dependency @​eslint/eslintrc to ^3.3.4 (#​20554) (Milos Djermanovic)
• 234d005 fix: minimatch security vulnerability patch for v9.x (#​20549) (Andrej Beles)
• b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#​20538) (루밀LuMir)

Documentation

• 4675152 docs: add deprecation notice partial (#​20520) (Milos Djermanovic)

Chores

• b8b4eb1 chore: update dependencies for ESLint v9.39.4 (#​20596) (Francesco Trotta)
• 71b2f6b chore: package.json update for @​eslint/js release (Jenkins)
• 1d16c2f ci: pin Node.js 25.6.1 (#​20563) (Milos Djermanovic)

v9.39.3

Compare Source

Bug Fixes

• 791bf8d fix: restore TypeScript 4.0 compatibility in types (#​20504) (sethamus)

Chores

• 8594a43 chore: upgrade @​eslint/js@​9.39.3 (#​20529) (Milos Djermanovic)
• 9ceef92 chore: package.json update for @​eslint/js release (Jenkins)
• af498c6 chore: ignore /docs/v9.x in link checker (#​20453) (Milos Djermanovic)

pnpm/pnpm (pnpm)

v10.31.0

Compare Source

rolldown/tsdown (tsdown)

v0.21.0

Compare Source

v0.21.0 - Notable Changes

Breaking Changes

Dependency options renamed to deps namespace

The dependency-related options have been moved under a new deps namespace with clearer names:

• external -> deps.neverBundle
• noExternal -> deps.alwaysBundle
• inlineOnly -> deps.onlyAllowBundle
• skipNodeModulesBundle -> deps.skipNodeModulesBundle

Before:

export default defineConfig({
  external: ['vue'],
  noExternal: ['lodash'],
})

After:

export default defineConfig({
  deps: {
    neverBundle: ['vue'],
    alwaysBundle: ['lodash'],
  },
})

The old options still work but are deprecated and will emit warnings.

failOnWarn default changed from 'ci-only' to false

If you relied on the previous behavior where warnings would fail the build in CI environments, you now need to explicitly set failOnWarn: true or failOnWarn: 'ci-only' in your config.

Node.js < 22.18.0 deprecated

tsdown now emits a deprecation warning when running on Node.js versions below 22.18.0. Plan to upgrade your Node.js version accordingly.

New Features

Experimental Node.js SEA executable bundling (exe)

tsdown can now bundle your TypeScript project into a standalone executable using Node.js Single Executable Applications (SEA). A new @tsdown/exe package provides cross-platform executable building support. See the exe documentation for details.

export default defineConfig({
  exe: true, // or { useCodeCache: true, useSnapshot: true }
})

Full CSS pipeline with @tsdown/css

CSS handling has been reimplemented as a native Rolldown plugin and extracted into the @tsdown/css package, providing a complete CSS pipeline with Lightning CSS and PostCSS support via the css.transformer option. See the CSS documentation for details.

inlinedDependencies field in package.json

When using the exports feature, tsdown now auto-generates an inlinedDependencies field in your package.json, listing dependencies that are bundled into the output.

Object option for customExports

customExports now supports an object format for more fine-grained control over the generated exports field.

Migration Guide

1. Update dependency options: Rename external -> deps.neverBundle, noExternal -> deps.alwaysBundle, etc.
2. Check failOnWarn: If you need warnings to fail the build in CI, explicitly set failOnWarn: 'ci-only' or failOnWarn: true.
3. Upgrade Node.js: Ensure you're running Node.js >= 22.18.0 to avoid deprecation warnings.

Links

• tsdown Documentation
• v0.21.0-beta.1 Release
• v0.21.0-beta.2 Release
• v0.21.0-beta.3 Release
• v0.21.0-beta.4 Release
• v0.21.0-beta.5 Release
• Full diff from v0.20.3

---

   🚨 Breaking Changes

• Change failOnWarn default from 'ci-only' to false  -  by @​sxzz (ad8db)
• exe: Require Node >=25.7 and default format to esm  -  by @​sxzz in #​798 (0173c)

   🚀 Features

• Rename dependency options to deps namespace  -  by @​sxzz (7f509)
• Upgrade rolldown  -  by @​sxzz (7a528)
• Deprecate Node.js versions below 22.18.0  -  by @​sxzz (439f1)
• Support bundling .node files by default  -  by @​sxzz (944e9)
• css:
  • Implement full CSS pipeline as Rolldown plugin  -  by @​sxzz in #​787 (dbe3c)
  • Extract CSS pipeline into @tsdown/css package  -  by @​sxzz in #​790 (e4cbe)
  • Add PostCSS support with css.transformer option  -  by @​sxzz in #​791 (35bef)
  • Default css.transformer to lightningcss  -  by @​sxzz in #​797 (288a5)
• exe:
  • Add experimental Node.js SEA executable bundling  -  by @​sxzz in #​777 (418d5)
  • Add cross-platform executable building via @tsdown/exe  -  by @​sxzz in #​786 (b6833)
  • Support latest and latest-lts for nodeVersion  -  by @​sxzz (ce7ab)
• exports:
  • Support object option for customExports  -  by @​Joery-M and @​sxzz in #​769 (7fb72)
  • Add inlinedDependencies field to package.json  -  by @​sxzz in #​785 (5c71f)
• migrate:
  • Migrate external/noExternal to deps namespace  -  by @​sxzz (c59e7)

   🐞 Bug Fixes

• Apply failOnWarn to rolldown logs  -  by @​sxzz (149dc)
• Debounce onSuccess in watch mode to prevent duplicate execution  -  by @​sxzz (af748)
• Don't fail on PLUGIN_TIMINGS warnings when failOnWarn is enabled  -  by @​sxzz (9872a)
• Resolve css files in node_modules  -  by @​ocavue, @​sxzz and Rei in #​795 (d8a1f)
• config: Handle known Node.js bug in nativeImport error handling  -  by @​sxzz (e4230)
• copy: Don't warn if no files specified  -  by @​adamlohner, @​cursoragent and @​sxzz in #​780 (afaab)
• css: Remove empty js chunks  -  by @​ocavue and @​sxzz in #​799 (1183a)
• exe: Use runtime semver check for ESM SEA default format  -  by @​sxzz (5321c)
• exports: Include non-entry chunks in exports when all is true  -  by @​sxzz (79492)
• hooks: Set cwd for onSuccess  -  by @​sxzz (c114a)
• node-protocol: Respect alias and tsconfig paths when stripping node: prefix  -  by @​lazuee in #​773 (b1dd2)
• watch: Re-glob entry files on create/delete events  -  by @​sxzz (a1969)

    View changes on GitHub

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/unplugin-starter@197

commit: 4ea8103

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​types/​node@​25.3.3 ⏵ 25.3.5	+1		+1
	@​sxzz/​eslint-config@​7.8.2 ⏵ 7.8.3	+1
	tsdown@​0.20.3 ⏵ 0.21.0			+1	+1
	eslint@​9.39.2 ⏵ 9.39.4	+1

View full report