chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@types/node (source)	^22.18.8 → ^22.19.10
esbuild	^0.25.10 → ^0.27.3
eslint (source)	^9.37.0 → ^9.39.2
eslint-config-unjs	^0.5.0 → ^0.6.2
pnpm (source)	10.18.0 → 10.29.2
prettier (source)	^3.6.2 → ^3.8.1
zeptomatch	^2.0.2 → ^2.1.0

---

Release Notes

evanw/esbuild (esbuild)

v0.27.3

Compare Source

• Preserve URL fragments in data URLs (#​4370)

  Consider the following HTML, CSS, and SVG:

  • index.html:

    <!DOCTYPE html>
    <html>
      <head><link rel="stylesheet" href="icons.css"></head>
      <body><div class="triangle"></div></body>
    </html>

  • icons.css:

    .triangle {
      width: 10px;
      height: 10px;
      background: currentColor;
      clip-path: url(./triangle.svg#x);
    }

  • triangle.svg:

    <svg xmlns="http://www.w3.org/2000/svg">
      <defs>
        <clipPath id="x">
          <path d="M0 0H10V10Z"/>
        </clipPath>
      </defs>
    </svg>

  The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

  /* icons.css */
  .triangle {
    width: 10px;
    height: 10px;
    background: currentColor;
    clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
  }

• Parse and print CSS @scope rules (#​4322)

  This release includes dedicated support for parsing @scope rules in CSS. These rules include optional "start" and "end" selector lists. One important consequence of this is that the local/global status of names in selector lists is now respected, which improves the correctness of esbuild's support for CSS modules. Minification of selectors inside @scope rules has also improved slightly.

  Here's an example:

  /* Original code */
  @​scope (:global(.foo)) to (:local(.bar)) {
    .bar {
      color: red;
    }
  }
  
  /* Old output (with --loader=local-css --minify) */
  @​scope (:global(.foo)) to (:local(.bar)){.o{color:red}}
  
  /* New output (with --loader=local-css --minify) */
  @​scope(.foo)to (.o){.o{color:red}}

• Fix a minification bug with lowering of for await (#​4378, #​4385)

  This release fixes a bug where the minifier would incorrectly strip the variable in the automatically-generated catch clause of lowered for await loops. The code that generated the loop previously failed to mark the internal variable references as used.

• Update the Go compiler from v1.25.5 to v1.25.7 (#​4383, #​4388)

  This PR was contributed by @​MikeWillCook.

v0.27.2

Compare Source

• Allow import path specifiers starting with #/ (#​4361)

  Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

  This change was contributed by @​hybrist.

• Automatically add the -webkit-mask prefix (#​4357, #​4358)

  This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

  /* Original code */
  main {
    mask: url(x.png) center/5rem no-repeat
  }
  
  /* Old output (with --target=chrome110) */
  main {
    mask: url(x.png) center/5rem no-repeat;
  }
  
  /* New output (with --target=chrome110) */
  main {
    -webkit-mask: url(x.png) center/5rem no-repeat;
    mask: url(x.png) center/5rem no-repeat;
  }

  This change was contributed by @​BPJEnnova.

• Additional minification of switch statements (#​4176, #​4359)

  This release contains additional minification patterns for reducing switch statements. Here is an example:

  // Original code
  switch (x) {
    case 0:
      foo()
      break
    case 1:
    default:
      bar()
  }
  
  // Old output (with --minify)
  switch(x){case 0:foo();break;case 1:default:bar()}
  
  // New output (with --minify)
  x===0?foo():bar();

• Forbid using declarations inside switch clauses (#​4323)

  This is a rare change to remove something that was previously possible. The Explicit Resource Management proposal introduced using declarations. These were previously allowed inside case and default clauses in switch statements. This had well-defined semantics and was already widely implemented (by V8, SpiderMonkey, TypeScript, esbuild, and others). However, it was considered to be too confusing because of how scope works in switch statements, so it has been removed from the specification. This edge case will now be a syntax error. See tc39/proposal-explicit-resource-management#215 and rbuckton/ecma262#14 for details.

  Here is an example of code that is no longer allowed:

  switch (mode) {
    case 'read':
      using readLock = db.read()
      return readAll(readLock)
  
    case 'write':
      using writeLock = db.write()
      return writeAll(writeLock)
  }

  That code will now have to be modified to look like this instead (note the additional { and } block statements around each case body):

  switch (mode) {
    case 'read': {
      using readLock = db.read()
      return readAll(readLock)
    }
    case 'write': {
      using writeLock = db.write()
      return writeAll(writeLock)
    }
  }

  This is not being released in one of esbuild's breaking change releases since this feature hasn't been finalized yet, and esbuild always tracks the current state of the specification (so esbuild's previous behavior was arguably incorrect).

v0.27.1

Compare Source

• Fix bundler bug with var nested inside if (#​4348)

  This release fixes a bug with the bundler that happens when importing an ES module using require (which causes it to be wrapped) and there's a top-level var inside an if statement without being wrapped in a { ... } block (and a few other conditions). The bundling transform needed to hoist these var declarations outside of the lazy ES module wrapper for correctness. See the issue for details.

• Fix minifier bug with for inside try inside label (#​4351)

  This fixes an old regression from version v0.21.4. Some code was introduced to move the label inside the try statement to address a problem with transforming labeled for await loops to avoid the await (the transformation involves converting the for await loop into a for loop and wrapping it in a try statement). However, it introduces problems for cross-compiled JVM code that uses all three of these features heavily. This release restricts this transform to only apply to for loops that esbuild itself generates internally as part of the for await transform. Here is an example of some affected code:

  // Original code
  d: {
    e: {
      try {
        while (1) { break d }
      } catch { break e; }
    }
  }
  
  // Old output (with --minify)
  a:try{e:for(;;)break a}catch{break e}
  
  // New output (with --minify)
  a:e:try{for(;;)break a}catch{break e}

• Inline IIFEs containing a single expression (#​4354)

  Previously inlining of IIFEs (immediately-invoked function expressions) only worked if the body contained a single return statement. Now it should also work if the body contains a single expression statement instead:

  // Original code
  const foo = () => {
    const cb = () => {
      console.log(x())
    }
    return cb()
  }
  
  // Old output (with --minify)
  const foo=()=>(()=>{console.log(x())})();
  
  // New output (with --minify)
  const foo=()=>{console.log(x())};

• The minifier now strips empty finally clauses (#​4353)

  This improvement means that finally clauses containing dead code can potentially cause the associated try statement to be removed from the output entirely in minified builds:

  // Original code
  function foo(callback) {
    if (DEBUG) stack.push(callback.name);
    try {
      callback();
    } finally {
      if (DEBUG) stack.pop();
    }
  }
  
  // Old output (with --minify --define:DEBUG=false)
  function foo(a){try{a()}finally{}}
  
  // New output (with --minify --define:DEBUG=false)
  function foo(a){a()}

• Allow tree-shaking of the Symbol constructor

  With this release, calling Symbol is now considered to be side-effect free when the argument is known to be a primitive value. This means esbuild can now tree-shake module-level symbol variables:

  // Original code
  const a = Symbol('foo')
  const b = Symbol(bar)
  
  // Old output (with --tree-shaking=true)
  const a = Symbol("foo");
  const b = Symbol(bar);
  
  // New output (with --tree-shaking=true)
  const b = Symbol(bar);

v0.27.0

Compare Source

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.26.0 or ~0.26.0. See npm's documentation about semver for more information.

• Use Uint8Array.fromBase64 if available (#​4286)

  With this release, esbuild's binary loader will now use the new Uint8Array.fromBase64 function unless it's unavailable in the configured target environment. If it's unavailable, esbuild's previous code for this will be used as a fallback. Note that this means you may now need to specify target when using this feature with Node (for example --target=node22) unless you're using Node v25+.

• Update the Go compiler from v1.23.12 to v1.25.4 (#​4208, #​4311)

  This raises the operating system requirements for running esbuild:

  • Linux: now requires a kernel version of 3.2 or later
  • macOS: now requires macOS 12 (Monterey) or later

v0.26.0

Compare Source

• Enable trusted publishing (#​4281)

  GitHub and npm are recommending that maintainers for packages such as esbuild switch to trusted publishing. With this release, a VM on GitHub will now build and publish all of esbuild's packages to npm instead of me. In theory.

  Unfortunately there isn't really a way to test that this works other than to do it live. So this release is that live test. Hopefully this release is uneventful and is exactly the same as the previous one (well, except for the green provenance attestation checkmark on npm that happens with trusted publishing).

v0.25.12

Compare Source

• Fix a minification regression with CSS media queries (#​4315)

  The previous release introduced support for parsing media queries which unintentionally introduced a regression with the removal of duplicate media rules during minification. Specifically the grammar for @media <media-type> and <media-condition-without-or> { ... } was missing an equality check for the <media-condition-without-or> part, so rules with different suffix clauses in this position would incorrectly compare equal and be deduplicated. This release fixes the regression.

• Update the list of known JavaScript globals (#​4310)

  This release updates esbuild's internal list of known JavaScript globals. These are globals that are known to not have side-effects when the property is accessed. For example, accessing the global Array property is considered to be side-effect free but accessing the global scrollY property can trigger a layout, which is a side-effect. This is used by esbuild's tree-shaking to safely remove unused code that is known to be side-effect free. This update adds the following global properties:

  From ES2017:

  • Atomics
  • SharedArrayBuffer

  From ES2020:

  • BigInt64Array
  • BigUint64Array

  From ES2021:

  • FinalizationRegistry
  • WeakRef

  From ES2025:

  • Float16Array
  • Iterator

  Note that this does not indicate that constructing any of these objects is side-effect free, just that accessing the identifier is side-effect free. For example, this now allows esbuild to tree-shake classes that extend from Iterator:

  // This can now be tree-shaken by esbuild:
  class ExampleIterator extends Iterator {}

• Add support for the new @view-transition CSS rule (#​4313)

  With this release, esbuild now has improved support for pretty-printing and minifying the new @view-transition rule (which esbuild was previously unaware of):

  /* Original code */
  @​view-transition {
    navigation: auto;
    types: check;
  }
  
  /* Old output */
  @​view-transition { navigation: auto; types: check; }
  
  /* New output */
  @​view-transition {
    navigation: auto;
    types: check;
  }

  The new view transition feature provides a mechanism for creating animated transitions between documents in a multi-page app. You can read more about view transition rules here.

  This change was contributed by @​yisibl.

• Trim CSS rules that will never match

  The CSS minifier will now remove rules whose selectors contain :is() and :where() as those selectors will never match. These selectors can currently be automatically generated by esbuild when you give esbuild nonsensical input such as the following:

  /* Original code */
  div:before {
    color: green;
    &.foo {
      color: red;
    }
  }
  
  /* Old output (with --supported:nesting=false --minify) */
  div:before{color:green}:is().foo{color:red}
  
  /* New output (with --supported:nesting=false --minify) */
  div:before{color:green}

  This input is nonsensical because CSS nesting is (unfortunately) not supported inside of pseudo-elements such as :before. Currently esbuild generates a rule containing :is() in this case when you tell esbuild to transform nested CSS into non-nested CSS. I think it's reasonable to do that as it sort of helps explain what's going on (or at least indicates that something is wrong in the output). It shouldn't be present in minified code, however, so this release now strips it out.

v0.25.11

Compare Source

• Add support for with { type: 'bytes' } imports (#​4292)

  The import bytes proposal has reached stage 2.7 in the TC39 process, which means that although it isn't quite recommended for implementation, it's generally approved and ready for validation. Furthermore it has already been implemented by Deno and Webpack. So with this release, esbuild will also add support for this. It behaves exactly the same as esbuild's existing binary loader. Here's an example:

  import data from './image.png' with { type: 'bytes' }
  const view = new DataView(data.buffer, 0, 24)
  const width = view.getInt32(16)
  const height = view.getInt32(20)
  console.log('size:', width + '\xD7' + height)

• Lower CSS media query range syntax (#​3748, #​4293)

  With this release, esbuild will now transform CSS media query range syntax into equivalent syntax using min-/max- prefixes for older browsers. For example, the following CSS:

  @&#8203;media (640px <= width <= 960px) {
    main {
      display: flex;
    }
  }

  will be transformed like this with a target such as --target=chrome100 (or more specifically with --supported:media-range=false if desired):

  @​media (min-width: 640px) and (max-width: 960px) {
    main {
      display: flex;
    }
  }

eslint/eslint (eslint)

v9.39.2

Compare Source

v9.39.1

Compare Source

v9.39.0

Compare Source

v9.38.0

Compare Source

Features

• ce40f74 feat: update complexity rule to only highlight function header (#​20048) (Atul Nair)
• e37e590 feat: correct no-loss-of-precision false positives with e notation (#​20187) (Francesco Trotta)

Bug Fixes

• 50c3dfd fix: improve type support for isolated dependencies in pnpm (#​20201) (Francesco Trotta)
• a1f06a3 fix: correct SourceCode typings (#​20114) (Pixel998)

Documentation

• 462675a docs: improve web accessibility by hiding non-semantic character (#​20205) (루밀LuMir)
• c070e65 docs: correct formatting in no-irregular-whitespace rule documentation (#​20203) (루밀LuMir)
• b39e71a docs: Update README (GitHub Actions Bot)
• cd39983 docs: move custom-formatters type descriptions to nodejs-api (#​20190) (Percy Ma)

Chores

• d17c795 chore: upgrade @​eslint/js@​9.38.0 (#​20221) (Milos Djermanovic)
• 25d0e33 chore: package.json update for @​eslint/js release (Jenkins)
• c82b5ef refactor: Use types from @​eslint/core (#​20168) (Nicholas C. Zakas)
• ff31609 ci: add Node.js 25 to ci.yml (#​20220) (루밀LuMir)
• 004577e ci: bump github/codeql-action from 3 to 4 (#​20211) (dependabot[bot])
• eac71fb test: remove use of nodejsScope option of eslint-scope from tests (#​20206) (Milos Djermanovic)
• 4168a18 chore: fix typo in legacy-eslint.js (#​20202) (Sweta Tanwar)
• 205dbd2 chore: fix typos (#​20200) (ntnyq)
• dbb200e chore: use team member's username when name is not available in data (#​20194) (Milos Djermanovic)
• 8962089 chore: mark deprecated rules as available until v11.0.0 (#​20184) (Pixel998)

unjs/eslint-config (eslint-config-unjs)

v0.6.2

Compare Source

compare changes

🩹 Fixes

• Disable array immutation rules for now (3cde73a)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.6.1

Compare Source

compare changes

💅 Refactors

• Migrate to @eslint/markdown (2f92a53)
• Update default rules (84cdbad)

📦 Build

• Migrate to obuild (8f36bf1)

🏡 Chore

• Update deps (4347a4f)
• Update globals to v17 (4f168b4)
• Update unicorn to 62 (e737dd7)
• release: V0.6.0 (b683294)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.6.0

Compare Source

compare changes

💅 Refactors

• Migrate to @eslint/markdown (2f92a53)

📦 Build

• Migrate to obuild (8f36bf1)

🏡 Chore

• Update deps (4347a4f)
• Update globals to v17 (4f168b4)
• Update unicorn to 62 (e737dd7)

❤️ Contributors

• Pooya Parsa (@​pi0)

pnpm/pnpm (pnpm)

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

• Security fix: prevent path traversal in directories.bin field.

• When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

  This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

  Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

• Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Gold Sponsors

v10.28.1

Compare Source

v10.28.0

Compare Source

v10.27.0

Compare Source

v10.26.2: pnpm 10.26.2

Compare Source

Patch Changes

• Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #​10307.

• Fix installation of Git dependencies using annotated tags #​10335.

  Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out commit hash didn't match the stored tag object hash.

• Binaries of runtime engines (Node.js, Deno, Bun) are written to node_modules/.bin before lifecycle scripts (install, postinstall, prepare) are executed #​10244.

• Try to avoid making network calls with preferOffline #​10334.

Platinum Sponsors

Gold Sponsors

v10.26.1: pnpm 10.26.1

Compare Source

Patch Changes

• Don't fail on pnpm add, when blockExoticSubdeps is set to true #​10324.
• Always resolve git references to full commits and ensure HEAD points to the commit after checkout #​10310.

Platinum Sponsors

Gold Sponsors

v10.26.0

Compare Source

v10.25.0

Compare Source

v10.24.0

Compare Source

v10.23.0: pnpm 10.23

Compare Source

Minor Changes

• Added --lockfile-only option to pnpm list #​10020.

Patch Changes

• pnpm self-update should download pnpm from the configured npm registry #​10205.
• pnpm self-update should always install the non-executable pnpm package (pnpm in the registry) and never the @pnpm/exe package, when installing v11 or newer. We currently cannot ship @pnpm/exe as pkg doesn't work with ESM #​10190.
• Node.js runtime is not added to "dependencies" on pnpm add, if there's a engines.runtime setting declared in package.json #​10209.
• The installation should fail if an optional dependency cannot be installed due to a trust policy check failure #​10208.
• pnpm list and pnpm why now display npm: protocol for aliased packages (e.g., foo npm:is-odd@3.0.1) #​8660.
• Don't add an extra slash to the Node.js mirror URL #​10204.
• pnpm store prune should not fail if the store contains Node.js packages #​10131.

Platinum Sponsors

Gold Sponsors

v10.22.0: pnpm 10.22

Compare Source

Minor Changes

• Added support for trustPolicyExclude #​10164.

  You can now list one or more specific packages or versions that pnpm should allow to install, even if those packages don't satisfy the trust policy requirement. For example:

  trustPolicy: no-downgrade
  trustPolicyExclude:
    - chokidar@4.0.3
    - webpack@4.47.0 || 5.102.1

• Allow to override the engines field on publish by the publishConfig.engines field.

Patch Changes

• Don't crash when two processes of pnpm are hardlinking the contents of a directory to the same destination simultaneously #​10179.

Platinum Sponsors

Gold Sponsors

v10.21.0

Compare Source

v10.20.0

Compare Source

Minor Changes

• Support --all option in pnpm --help to list all commands #​8628.

Patch Changes

• When the latest version doesn't satisfy the maturity requirement configured by minimumReleaseAge, pick the highest version that is mature enough, even if it

---

Configuration

📅 Schedule: Branch creation - "after 2am and before 3am" (UTC), Automerge - "after 1am and before 2am" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.