chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@sxzz/eslint-config	^6.1.0 -> ^6.1.1
@sxzz/test-utils	^0.5.2 -> ^0.5.4
@types/node (source)	^22.13.13 -> ^22.13.17
esbuild	^0.25.1 -> ^0.25.2
pnpm (source)	10.6.5 -> 10.7.1
rollup (source)	^4.37.0 -> ^4.38.0
tsdown	^0.6.9 -> ^0.6.10
vite (source)	^6.2.3 -> ^6.2.4
vitest (source)	^3.0.9 -> ^3.1.1

---

Release Notes

sxzz/eslint-config (@​sxzz/eslint-config)

v6.1.1

Compare Source

No significant changes

    View changes on GitHub

sxzz/test-utils (@​sxzz/test-utils)

v0.5.4

Compare Source

   🏎 Performance

• Import vitest on-demand  -  by @​sxzz (924f7)

    View changes on GitHub

v0.5.3

Compare Source

   🚀 Features

• Disable snapshot  -  by @​sxzz (3a533)

    View changes on GitHub

evanw/esbuild (esbuild)

v0.25.2

Compare Source

• Support flags in regular expressions for the API (#​4121)

  The JavaScript plugin API for esbuild takes JavaScript regular expression objects for the filter option. Internally these are translated into Go regular expressions. However, this translation previously ignored the flags property of the regular expression. With this release, esbuild will now translate JavaScript regular expression flags into Go regular expression flags. Specifically the JavaScript regular expression /\.[jt]sx?$/i is turned into the Go regular expression `(?i)\.[jt]sx?$` internally inside of esbuild's API. This should make it possible to use JavaScript regular expressions with the i flag. Note that JavaScript and Go don't support all of the same regular expression features, so this mapping is only approximate.

• Fix node-specific annotations for string literal export names (#​4100)

  When node instantiates a CommonJS module, it scans the AST to look for names to expose via ESM named exports. This is a heuristic that looks for certain patterns such as exports.NAME = ... or module.exports = { ... }. This behavior is used by esbuild to "annotate" CommonJS code that was converted from ESM with the original ESM export names. For example, when converting the file export let foo, bar from ESM to CommonJS, esbuild appends this to the end of the file:

  // Annotate the CommonJS export names for ESM import in node:
  0 && (module.exports = {
    bar,
    foo
  });

  However, this feature previously didn't work correctly for export names that are not valid identifiers, which can be constructed using string literal export names. The generated code contained a syntax error. That problem is fixed in this release:

  // Original code
  let foo
  export { foo as "foo!" }
  
  // Old output (with --format=cjs --platform=node)
  ...
  0 && (module.exports = {
    "foo!"
  });
  
  // New output (with --format=cjs --platform=node)
  ...
  0 && (module.exports = {
    "foo!": null
  });

• Basic support for index source maps (#​3439, #​4109)

  The source map specification has an optional mode called index source maps that makes it easier for tools to create an aggregate JavaScript file by concatenating many smaller JavaScript files with source maps, and then generate an aggregate source map by simply providing the original source maps along with some offset information. My understanding is that this is rarely used in practice. I'm only aware of two uses of it in the wild: ClojureScript and Turbopack.

  This release provides basic support for indexed source maps. However, the implementation has not been tested on a real app (just on very simple test input). If you are using index source maps in a real app, please try this out and report back if anything isn't working for you.

  Note that this is also not a complete implementation. For example, index source maps technically allows nesting source maps to an arbitrary depth, while esbuild's implementation in this release only supports a single level of nesting. It's unclear whether supporting more than one level of nesting is important or not given the lack of available test cases.

  This feature was contributed by @​clyfish.

pnpm/pnpm (pnpm)

v10.7.1: pnpm 10.7.1

Compare Source

Patch Changes

• pnpm config set should convert the settings to their correct type before adding them to pnpm-workspace.yaml #​9355.
• pnpm config get should read auth related settings via npm CLI #​9345.
• Replace leading ~/ in a path in .npmrc with the home directory #​9217.

Platinum Sponsors

Gold Sponsors

v10.7.0

Compare Source

Minor Changes

• pnpm config get and list also show settings set in pnpm-workspace.yaml files #​9316.

• It should be possible to use env variables in pnpm-workspace.yaml setting names and value.

• Add an ability to patch dependencies by version ranges. Exact versions override version ranges, which in turn override name-only patches. Version range * is the same as name-only, except that patch application failure will not be ignored.

  For example:

  patchedDependencies:
    foo: patches/foo-1.patch
    foo@^2.0.0: patches/foo-2.patch
    [email protected]: patches/foo-3.patch

  The above configuration would apply patches/foo-3.patch to [email protected], patches/foo-2.patch to all foo versions which satisfy ^2.0.0 except 2.1.0, and patches/foo-1.patch to the remaining foo versions.

  [!WARNING]
  The version ranges should not overlap. If you want to specialize a sub range, make sure to exclude it from the other keys. For example:

  # pnpm-workspace.yaml
  patchedDependencies:
    # the specialized sub range
    '[email protected]': patches/foo.2.2.0-2.8.0.patch
    # the more general patch, excluding the sub range above
    'foo@>=2.0.0 <2.2.0 || >2.8.0': 'patches/foo.gte2.patch

  In most cases, however, it's sufficient to just define an exact version to override the range.

• pnpm config set --location=project saves the setting to a pnpm-workspace.yaml file if no .npmrc file is present in the directory #​9316.

• Rename pnpm.allowNonAppliedPatches to pnpm.allowUnusedPatches. The old name is still supported but it would print a deprecation warning message.

• Add pnpm.ignorePatchFailures to manage whether pnpm would ignore patch application failures.

  If ignorePatchFailures is not set, pnpm would throw an error when patches with exact versions or version ranges fail to apply, and it would ignore failures from name-only patches.

  If ignorePatchFailures is explicitly set to false, pnpm would throw an error when any type of patch fails to apply.

  If ignorePatchFailures is explicitly set to true, pnpm would print a warning when any type of patch fails to apply.

Patch Changes

• Remove dependency paths from audit output to prevent out-of-memory errors #​9280.

rollup/rollup (rollup)

v4.38.0

Compare Source

2025-03-29

Features

• Support .filter option in resolveId, load and transform hooks (#​5882)

Pull Requests

• #​5882: Add support for hook filters (@​sapphi-red)
• #​5894: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #​5895: chore(deps): update dependency eslint-plugin-unicorn to v58 (@​renovate[bot])

sxzz/tsdown (tsdown)

v0.6.10

Compare Source

No significant changes

    View changes on GitHub

vitejs/vite (vite)

v6.2.4

Compare Source

Please refer to CHANGELOG.md for details.

vitest-dev/vitest (vitest)

v3.1.1

Compare Source

   🐞 Bug Fixes

• reporter:
  • Report tests in correct order  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7752 (b166e)
  • Print test only once in the verbose mode  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7738 (69ca4)

    View changes on GitHub

v3.1.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - "* 0-3 * * 1" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@sxzz/[email protected] ➜ 6.1.1	environment Transitive: filesystem, shell, unsafe	+232	29.4 MB	sxzz
npm/@sxzz/[email protected] ➜ 0.5.4	Transitive: filesystem	+3	142 kB	sxzz
npm/@types/[email protected] ➜ 22.13.17	None	+1	83.3 kB
npm/[email protected] ➜ 0.25.2	None	0	134 kB	evanw
npm/[email protected], 1.0.0-beta.6-commit.a250548 ➜ 1.0.0-beta.7-commit.139c54d	None	+3	2.42 MB	rolldownbot
npm/[email protected] ➜ 4.38.0	None	+1	2.75 MB	eventualbuddha, lukastaegert, rich_harris, ...2 more
npm/[email protected] ➜ 0.6.10	Transitive: filesystem, shell	+26	4.61 MB	sxzz
npm/[email protected] ➜ 6.2.4	None	+4	405 kB
npm/[email protected] ➜ 3.1.1	Transitive: environment, filesystem, shell, unsafe	+31	1.16 MB

View full report↗︎