Skip to content

chore(deps): update all non-major dependencies#25

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/all-minor-patch
Open

chore(deps): update all non-major dependencies#25
renovate[bot] wants to merge 1 commit intomainfrom
renovate/all-minor-patch

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Oct 6, 2025
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@sxzz/eslint-config ^7.4.4^7.8.3 age confidence
@sxzz/prettier-config ^2.2.6^2.3.1 age confidence
@types/node (source) ^25.0.3^25.5.0 age confidence
bumpp ^10.3.2^10.4.1 age confidence
esbuild ^0.27.2^0.27.4 age confidence
eslint (source) ^9.39.2^9.39.4 age confidence
pnpm (source) 10.27.010.32.1 age confidence
prettier (source) ^3.7.4^3.8.1 age confidence
rolldown (source) ^1.0.0-beta.58^1.0.0-rc.9 age confidence
rollup (source) ^4.54.0^4.59.0 age confidence
tsdown (source) ^0.19.0-beta.2^0.21.2 age confidence
tsdown-preset-sxzz ^0.2.0^0.4.2 age confidence
vite (source) ^7.3.0^7.3.1 age confidence
vitest (source) ^4.0.16^4.1.0 age confidence

Release Notes

sxzz/eslint-config (@​sxzz/eslint-config)

v7.8.3

Compare Source

   🚀 Features
  • Add inlinedDependencies to sort order in package.json  -  by @​sxzz (3caa8)
    View changes on GitHub

v7.8.2

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v7.8.1

Compare Source

   🚀 Features
    View changes on GitHub

v7.8.0

Compare Source

   🚀 Features
    View changes on GitHub

v7.7.2

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v7.7.1

Compare Source

   🐞 Bug Fixes
  • Disable no-useless-assignment for vue, remove reactivity transform support  -  by @​sxzz (beb15)
    View changes on GitHub

v7.7.0

Compare Source

   🚀 Features
    View changes on GitHub

v7.6.1

Compare Source

No significant changes

    View changes on GitHub

v7.6.0

Compare Source

   🚀 Features
    View changes on GitHub

v7.5.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v7.5.0

Compare Source

   🚀 Features
    View changes on GitHub

v7.4.5

Compare Source

No significant changes

    View changes on GitHub
sxzz/prettier-config (@​sxzz/prettier-config)

v2.3.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v2.3.0

Compare Source

No significant changes

    View changes on GitHub

v2.2.7

Compare Source

   🐞 Bug Fixes
    View changes on GitHub
antfu-collective/bumpp (bumpp)

v10.4.1

Compare Source

   🚀 Features
    View changes on GitHub

v10.4.0

Compare Source

No significant changes

    View changes on GitHub
evanw/esbuild (esbuild)

v0.27.4

Compare Source

  • Fix a regression with CSS media queries (#​4395, #​4405, #​4406)

    Version 0.25.11 of esbuild introduced support for parsing media queries. This unintentionally introduced a regression with printing media queries that use the <media-type> and <media-condition-without-or> grammar. Specifically, esbuild was failing to wrap an or clause with parentheses when inside <media-condition-without-or>. This release fixes the regression.

    Here is an example:

    /* Original code */
@&#8203;media only screen and ((min-width: 10px) or (min-height: 10px)) {
  a { color: red }
}

/* Old output (incorrect) */
@&#8203;media only screen and (min-width: 10px) or (min-height: 10px) {
  a {
    color: red;
  }
}

/* New output (correct) */
@&#8203;media only screen and ((min-width: 10px) or (min-height: 10px)) {
  a {
    color: red;
  }
}

  • Fix an edge case with the inject feature (#​4407)

    This release fixes an edge case where esbuild's inject feature could not be used with arbitrary module namespace names exported using an export {} from statement with bundling disabled and a target environment where arbitrary module namespace names is unsupported.

    With the fix, the following inject file:

    import jquery from 'jquery';
export { jquery as 'window.jQuery' };

    Can now always be rewritten as this without esbuild sometimes incorrectly generating an error:

    export { default as 'window.jQuery' } from 'jquery';

  • Attempt to improve API handling of huge metafiles (#​4329, #​4415)

    This release contains a few changes that attempt to improve the behavior of esbuild's JavaScript API with huge metafiles (esbuild's name for the build metadata, formatted as a JSON object). The JavaScript API is designed to return the metafile JSON as a JavaScript object in memory, which makes it easy to access from within a JavaScript-based plugin. Multiple people have encountered issues where this API breaks down with a pathologically-large metafile.

    The primary issue is that V8 has an implementation-specific maximum string length, so using the JSON.parse API with large enough strings is impossible. This release will now attempt to use a fallback JavaScript-based JSON parser that operates directly on the UTF8-encoded JSON bytes instead of using JSON.parse when the JSON metafile is too big to fit in a JavaScript string. The new fallback path has not yet been heavily-tested. The metafile will also now be generated with whitespace removed if the bundle is significantly large, which will reduce the size of the metafile JSON slightly.

    However, hitting this case is potentially a sign that something else is wrong. Ideally you wouldn't be building something so enormous that the build metadata can't even fit inside a JavaScript string. You may want to consider optimizing your project, or breaking up your project into multiple parts that are built independently. Another option could potentially be to use esbuild's command-line API instead of its JavaScript API, which is more efficient (although of course then you can't use JavaScript plugins, so it may not be an option).

v0.27.3

Compare Source

  • Preserve URL fragments in data URLs (#​4370)

    Consider the following HTML, CSS, and SVG:

    • index.html:

      <!DOCTYPE html>
<html>
  <head><link rel="stylesheet" href="icons.css"></head>
  <body><div class="triangle"></div></body>
</html>

    • icons.css:

      .triangle {
  width: 10px;
  height: 10px;
  background: currentColor;
  clip-path: url(./triangle.svg#x);
}

    • triangle.svg:

      <svg xmlns="http://www.w3.org/2000/svg">
  <defs>
    <clipPath id="x">
      <path d="M0 0H10V10Z"/>
    </clipPath>
  </defs>
</svg>

    The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

    /* icons.css */
.triangle {
  width: 10px;
  height: 10px;
  background: currentColor;
  clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
}

  • Parse and print CSS @scope rules (#​4322)

    This release includes dedicated support for parsing @scope rules in CSS. These rules include optional "start" and "end" selector lists. One important consequence of this is that the local/global status of names in selector lists is now respected, which improves the correctness of esbuild's support for CSS modules. Minification of selectors inside @scope rules has also improved slightly.

    Here's an example:

    /* Original code */
@&#8203;scope (:global(.foo)) to (:local(.bar)) {
  .bar {
    color: red;
  }
}

/* Old output (with --loader=local-css --minify) */
@&#8203;scope (:global(.foo)) to (:local(.bar)){.o{color:red}}

/* New output (with --loader=local-css --minify) */
@&#8203;scope(.foo)to (.o){.o{color:red}}

  • Fix a minification bug with lowering of for await (#​4378, #​4385)

    This release fixes a bug where the minifier would incorrectly strip the variable in the automatically-generated catch clause of lowered for await loops. The code that generated the loop previously failed to mark the internal variable references as used.

  • Update the Go compiler from v1.25.5 to v1.25.7 (#​4383, #​4388)

    This PR was contributed by @​MikeWillCook.

eslint/eslint (eslint)

v9.39.4

Compare Source

Bug Fixes

Documentation

Chores

v9.39.3

Compare Source

Bug Fixes

  • 791bf8d fix: restore TypeScript 4.0 compatibility in types (#​20504) (sethamus)

Chores

pnpm/pnpm (pnpm)

v10.32.1: pnpm 10.32.1

Compare Source

Patch Changes

  • Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #​10909.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.32.0: pnpm 10.32

Compare Source

Minor Changes

  • Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #​10136.

Patch Changes

  • Reverted change related to setting explicitly the npm config file path, which caused regressions.
  • Reverted fix related to lockfile-include-tarball-url. Fixes #​10915.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.31.0

Compare Source

v10.30.3

Compare Source

v10.30.2

Compare Source

v10.30.1: pnpm 10.30.1

Compare Source

Patch Changes

  • Use the /-/npm/v1/security/audits/quick endpoint as the primary audit endpoint, falling back to /-/npm/v1/security/audits when it fails #​10649.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Workleap
Stackblitz Nx

v10.30.0: pnpm 10.30

Compare Source

Minor Changes

  • pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.

Patch Changes

  • Revert pnpm why dependency pruning to prefer correctness over memory consumption. Reverted PR: #​7122.
  • Optimize pnpm why and pnpm list performance in workspaces with many importers by sharing the dependency graph and materialization cache across all importers instead of rebuilding them independently for each one #​10596.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Workleap
Stackblitz Nx

v10.29.3

Compare Source

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

  • The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
  • Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
  • Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

  • Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

  • Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

  • Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

  • Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

  • Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

  • Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

  • Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

  • update tar to version 7.5.7 to fix security issue

    Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

  • Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

  • Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

  • pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

  • Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

  • Security fix: prevent path traversal in directories.bin field.

  • When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

    This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

    Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

  • Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Bit

Gold Sponsors

Discord CodeRabbit Workleap
Stackblitz Vite

v10.28.1

Compare Source

v10.28.0

Compare Source

prettier/prettier (prettier)

v3.8.1

Compare Source

v3.8.0

Compare Source

diff

🔗 Release note

rolldown/rolldown (rolldown)

v1.0.0-rc.9

Compare Source

💥 BREAKING CHANGES
🚀 Features
🐛 Bug Fixes

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies label Oct 6, 2025
@bolt-new-by-stackblitz
Copy link

bolt-new-by-stackblitz bot commented Oct 6, 2025

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

@pkg-pr-new
Copy link

pkg-pr-new bot commented Oct 6, 2025
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/unplugin-raw@25

commit: 7b434d6

@socket-security
Copy link

socket-security bot commented Oct 6, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedtsdown-preset-sxzz@​0.2.0 ⏵ 0.4.268 +21007593 +5100
Updatedesbuild@​0.27.2 ⏵ 0.27.49110073 +192 +5100
Updated@​sxzz/​prettier-config@​2.2.6 ⏵ 2.3.176 -110078 +193 +2100
Updatedrolldown@​1.0.0-beta.58 ⏵ 1.0.0-rc.99510078 +199 +1100
Updatedvitest@​4.0.16 ⏵ 4.1.098 +210079 +198100
Updated@​types/​node@​25.0.3 ⏵ 25.5.0100 +110081 +196100
Updatedbumpp@​10.3.2 ⏵ 10.4.1961008290 +2100
Updatedvite@​7.3.0 ⏵ 7.3.196 +110082 +199 +1100
Updated@​sxzz/​eslint-config@​7.4.4 ⏵ 7.8.383 +1100100 +196 +1100
Updatedrollup@​4.54.0 ⏵ 4.59.088100 +1610098100
Updatedtsdown@​0.19.0-beta.2 ⏵ 0.21.29810088 -496100
Updatedeslint@​9.39.2 ⏵ 9.39.489 +110010097100
Updatedprettier@​3.7.4 ⏵ 3.8.19010097 +193100

View full report

@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 7eb1898 to 9392b2b Compare October 6, 2025 17:14
@renovate renovate bot changed the title chore(deps): update all non-major dependencies fix(deps): update all non-major dependencies Oct 6, 2025
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 6 times, most recently from 75a18c6 to edc3802 Compare October 14, 2025 02:00
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 13 times, most recently from 5f996b3 to 7d2e330 Compare October 21, 2025 02:13
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from fb1df5a to 0d32c79 Compare October 23, 2025 08:38
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 13 times, most recently from 3e93018 to 9d9d267 Compare November 12, 2025 21:45
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 848b216 to 2a3de0f Compare November 18, 2025 02:13
@renovate renovate bot changed the title fix(deps): update all non-major dependencies fix(deps): update all non-major dependencies - autoclosed Nov 18, 2025
@renovate renovate bot closed this Nov 18, 2025
@renovate renovate bot deleted the renovate/all-minor-patch branch November 18, 2025 17:58
@renovate renovate bot changed the title fix(deps): update all non-major dependencies - autoclosed fix(deps): update all non-major dependencies Nov 24, 2025
@renovate renovate bot reopened this Nov 24, 2025
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 8 times, most recently from 1592dd8 to 9c8e00b Compare November 27, 2025 21:06
@socket-security
Copy link

socket-security bot commented Dec 17, 2025
edited
Loading

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants