fix(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@antfu/eslint-config	^7.2.0 → ^7.4.3
@eslint/js (source)	^9.39.1 → ^9.39.2
@types/node (source)	^24.10.1 → ^24.10.13
bumpp	^10.3.2 → ^10.4.1
chai (source)	^6.2.1 → ^6.2.2
eslint (source)	^9.39.1 → ^9.39.2
eslint-plugin-format	^1.0.2 → ^1.4.0
pnpm (source)	10.24.0 → 10.29.3
prettier (source)	^3.7.3 → ^3.8.1
tsdown (source)	^0.16.8 → ^0.20.3
typescript-eslint (source)	^8.48.0 → ^8.56.0

---

Release Notes

antfu/eslint-config (@​antfu/eslint-config)

v7.4.3

Compare Source

   🐞 Bug Fixes

• Formating regression  -  by @​antfu (2ef8a)

    View changes on GitHub

v7.4.2

Compare Source

   🐞 Bug Fixes

• Relax eslint peer deps range  -  by @​antfu (b5f53)

    View changes on GitHub

v7.4.1

Compare Source

   🐞 Bug Fixes

• Ignore typescript files when typescript is off  -  by @​antfu (bda75)

    View changes on GitHub

v7.4.0

Compare Source

   🚀 Features

• Angular support  -  by @​St2r and @​antfu in #​804 (67b1b)

   🐞 Bug Fixes

• Update peer dependency requirement for eslint-plugin-react-refresh  -  by @​hyoban in #​813 (19a43)

    View changes on GitHub

v7.3.0

Compare Source

   🚀 Features

• Upgrade eslint-plugin-react-refresh, eslint-plugin-regexp  -  by @​antfu (610e7)
• react: Sync recommend rules  -  by @​hyoban in #​810 (1b870)

   🐞 Bug Fixes

• Use ConfigWithExtends instead of Linter.Config  -  by @​hyoban in #​809 (ad4e5)

    View changes on GitHub

eslint/eslint (@​eslint/js)

v9.39.2

Compare Source

antfu-collective/bumpp (bumpp)

v10.4.1

Compare Source

   🚀 Features

• Add custom path to config  -  by @​OskarLebuda in #​107 (0f2e4)

    View changes on GitHub

v10.4.0

Compare Source

No significant changes

    View changes on GitHub

chaijs/chai (chai)

v6.2.2

Compare Source

What's Changed

• build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 by @​dependabot[bot] in #​1745
• chore(deps): update dependency eslint-plugin-jsdoc to v61.2.1 by @​renovate[bot] in #​1746
• build(deps): bump glob from 10.4.5 to 10.5.0 by @​dependabot[bot] in #​1747
• chore(deps): update actions/checkout action to v6 by @​renovate[bot] in #​1749
• fix: avoid BigInt literal in closeTo for runtime compat by @​bheemreddy-samsara in #​1748
• chore(deps): update dependency eslint-plugin-jsdoc to v61.4.1 by @​renovate[bot] in #​1751
• chore(deps): update dependency prettier to v3.7.3 by @​renovate[bot] in #​1754
• chore(deps): update dependencies by @​renovate[bot] in #​1755
• chore(deps): update dependencies to v9.39.2 by @​renovate[bot] in #​1757
• chore: add --legal-comments=none option by @​hyperz111 in #​1756
• chore(deps): update dependency esbuild to v0.27.2 by @​renovate[bot] in #​1759

New Contributors

• @​bheemreddy-samsara made their first contribution in #​1748
• @​hyperz111 made their first contribution in #​1756

Full Changelog: chaijs/chai@v6.2.1...v6.2.2

eslint/eslint (eslint)

v9.39.2

Compare Source

antfu/eslint-plugin-format (eslint-plugin-format)

v1.4.0

Compare Source

   🐞 Bug Fixes

• Prefer context.sourceCode.ast.type  -  by @​hyoban in #​16 (d31ed)

    View changes on GitHub

v1.3.1

Compare Source

   🚀 Features

• Cache the dprint context  -  by @​bitbloxhub in #​14 (1a53f)

    View changes on GitHub

v1.3.0

Compare Source

   🚀 Features

• Add support for multiple dprint plugins  -  by @​bitbloxhub in #​13 (3eaeb)

    View changes on GitHub

v1.2.0

Compare Source

   🚀 Features

• Support dprint v4  -  by @​bitbloxhub in #​12 (d12e1)

    View changes on GitHub

v1.1.0

Compare Source

   🚀 Features

• Update deps  -  by @​antfu (3b016)

    View changes on GitHub

pnpm/pnpm (pnpm)

v10.29.3

Compare Source

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

• Security fix: prevent path traversal in directories.bin field.

• When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

  This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

  Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

• Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Gold Sponsors

v10.28.1

Compare Source

v10.28.0

Compare Source

v10.27.0

Compare Source

v10.26.2: pnpm 10.26.2

Compare Source

Patch Changes

• Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #​10307.

• Fix installation of Git dependencies using annotated tags #​10335.

  Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out commit hash didn't match the stored tag object hash.

• Binaries of runtime engines (Node.js, Deno, Bun) are written to node_modules/.bin before lifecycle scripts (install, postinstall, prepare) are executed #​10244.

• Try to avoid making network calls with preferOffline #​10334.

Platinum Sponsors

Gold Sponsors

v10.26.1: pnpm 10.26.1

Compare Source

Patch Changes

• Don't fail on pnpm add, when blockExoticSubdeps is set to true #​10324.
• Always resolve git references to full commits and ensure HEAD points to the commit after checkout #​10310.

Platinum Sponsors

Gold Sponsors

v10.26.0

Compare Source

v10.25.0

Compare Source

prettier/prettier (prettier)

v3.8.1

Compare Source

v3.8.0

Compare Source

diff

🔗 Release note

v3.7.4

Compare Source

diff

LWC: Avoid quote around interpolations (#​18383 by @​kovsu)

<!-- Input -->
<div foo={bar}>   </div>

<!-- Prettier 3.7.3 (--embedded-language-formatting off) -->
<div foo="{bar}"></div>

<!-- Prettier 3.7.4 (--embedded-language-formatting off) -->
<div foo={bar}></div>

TypeScript: Fix comment inside union type gets duplicated (#​18393 by @​fisker)

// Input
type Foo = (/** comment */ a | b) | c;

// Prettier 3.7.3
type Foo = /** comment */ (/** comment */ a | b) | c;

// Prettier 3.7.4
type Foo = /** comment */ (a | b) | c;

TypeScript: Fix unstable comment print in union type comments (#​18395 by @​fisker)

// Input
type X = (A | B) & (
  // comment
  A | B
);

// Prettier 3.7.3 (first format)
type X = (A | B) &
  (// comment
  A | B);

// Prettier 3.7.3 (second format)
type X = (
  | A
  | B // comment
) &
  (A | B);

// Prettier 3.7.4
type X = (A | B) &
  // comment
  (A | B);

rolldown/tsdown (tsdown)

v0.20.3

Compare Source

   🐞 Bug Fixes

• package: Ignore scripts when packing  -  by @​sxzz (0b10b)

    View changes on GitHub

v0.20.2

Compare Source

   🚀 Features

• Upgrade rolldown to 1.0.0-rc.3  -  by @​sxzz (0beea)
• dep: Keep inlineOnly clean with hint message on unused  -  by @​jycouet and @​sxzz in #​725 (13f1c)
• pkg: Optimize attw and publint packing  -  by @​sxzz in #​736 (375cf)

   🐞 Bug Fixes

• Throw error when skipNodeModulesBundle and noExternal are used together  -  by @​sxzz in #​746 (656d5)
• External type only packages @types/*  -  by @​kalvenschraut (0be7c)
• exports: Move import before require  -  by @​sxzz (3027a)

    View changes on GitHub

v0.20.1

Compare Source

   🚀 Features

• inline-only: Show warnings if bundled deps  -  by @​sxzz (1e0e7)

    View changes on GitHub

v0.20.0

Compare Source

   🚨 Breaking Changes

• Upgrade dts plugin, remove dts.resolve option  -  by @​sxzz (16655)

   🚀 Features

• Add option to disable legacy CJS warning  -  by @​sxzz (9fada)
• Apply inlineOnly option for dts files  -  by @​sxzz (7d89d)
• Upgrade rolldown to 1.0.0-beta.60  -  by @​sxzz (bb3ee)
• Upgrade rolldown to rc 1  -  by @​sxzz (1959f)
• entry: Support mixed array and object entries  -  by @​sxzz (a8083)

   🐞 Bug Fixes

• Optional parseEnv  -  by @​sxzz (be1b6)
• Reload config on restart  -  by @​sxzz (1756b)
• Config extensions typo  -  by @​aryaemami59 in #​722 (d2bb7)
• windows: Normalize path separators in build output  -  by @​ryuapp in #​719 (c4525)

   🏎 Performance

• Native filter for external plugin  -  by @​sxzz (8764e)

    View changes on GitHub

v0.19.0

Compare Source

   🚨 Breaking Changes

• Rename debugLogs to debug  -  by @​sxzz (bb4e7)
• Remove deprecated silent option  -  by @​sxzz (59015)
• devtools:
  • Rename debug to devtools, rename debug.devtools to devtools.ui  -  by @​sxzz (63e6f)
• exports:
  • Add legacy option, remove main & module fields if pure ESM  -  by @​sxzz (16841)
  • Exclude extension name for exports.exclude  -  by @​sxzz (53d38)
  • Only auto-fill types when exports.legacy  -  by @​lishaduck and @​sxzz in #​685 (7be6b)

   🚀 Features

• Add typeAssert util back  -  by @​sxzz (1d385)
• Generate CSS exports when css.splitting is disabled  -  by @​jinghaihan and @​sxzz in #​680 (b737c)
• Upgrade rolldown to 1.0.0-beta.58  -  by @​sxzz (48036)
• Expose enableDebug  -  by @​sxzz (2d922)
• Expose resolveUserConfig  -  by @​sxzz (c9acb)
• Upgrade rolldown to 1.0.0-beta.59  -  by @​sxzz (d564f)
• Clear console on rebuild start  -  by @​sxzz (78efd)
• migrate: Add monorepo support  -  by @​lauigi and @​sxzz in #​659 (efba2)

   🐞 Bug Fixes

• Print blank line only when the log level is info  -  by @​tomgao365 in #​689 (96d82)
• attw: Add --ignore-scripts to avoid lifecycle output  -  by @​Doctor-wu in #​661 (1c8b1)
• cjs: Update version check for require ESM support  -  by @​sxzz (beeff)

   🏎 Performance

• Optimize hot paths  -  by @​sxzz (7925d)

    View changes on GitHub

v0.18.4

Compare Source

   🚀 Features

• Export mergeConfig  -  by @​sxzz (ccd17)
• Warn deprecated removeNodeProtocol  -  by @​sxzz (90cd6)
• css: Add CSS code splitting support  -  by @​jinghaihan and @​sxzz in #​654 (0525f)
• entry: Support multiple patterns with same base  -  by @​sxzz (cee1b)
• exports: Add packageJson option  -  by @​sxzz (6d220)

    View changes on GitHub

v0.18.3

Compare Source

   🚀 Features

• Upgrade rolldown to 1.0.0-beta.57  -  by @​sxzz (525c0)
• Add envFile & envPrefix option  -  by @​toto6038 and @​sxzz in #​664 (d5493)
• attw: Add ignoreRules option to filter specified rule  -  by @​zyyv and Copilot in #​665 (450b0)

   🐞 Bug Fixes

• Inline PackageJson type  -  by @​sxzz (dfc43)

    View changes on GitHub

v0.18.2

Compare Source

   🚀 Features

• Support globs for noExternal / inlineOnly / exports.exclude  -  by @​sxzz and @​TheAlexLichter (84b68)
• entry: Support glob negation patterns in object entry  -  by @​Doctor-wu and @​sxzz in #​662 (8ed1b)

   🐞 Bug Fixes

• Preserve import cache for node_modules  -  by @​sxzz (426ab)
• skipNodeModulesBundle for monorepo  -  by @​sxzz (9a34f)
• attw: Show full entrypoint  -  by @​sxzz (c89c4)
• clean: Remove dot files  -  by @​sxzz (0430b)

    View changes on GitHub

v0.18.1

Compare Source

   🚀 Features

• Support glob patterns in object entry  -  by @​sxzz (bcb7a)

export default defineConfig({
  entry: {
    '*': './src/*.ts',
    'data-loaders': './src/data-loaders/entries/index.ts',
    'data-loaders/*': './src/data-loaders/entries/!(index).ts',
    'volar/*': './src/volar/entries/*.ts',
  },
}

• Upgrade rolldown to 1.0.0-beta.55  -  by @​sxzz (5be3e)
• Mark exports option as a stable feature  -  by @​sxzz (ce9e0)

   🐞 Bug Fixes

• Keep banner / footer as-is  -  by @​sxzz (f67e0)

    View changes on GitHub

v0.18.0

Compare Source

   🚨 Breaking Changes

• copy: Rework, sync behavior of rollup-plugin-copy  -  by @​sxzz (e864b)

v0.17.4

Compare Source

   🚨 Breaking Changes

• copy: Sync behavior of rollup-plugin-copy  -  by @​sxzz (e864b)

   🚀 Features

• exports: Add exclude option  -  by @​TheAlexLichter and @​sxzz in #​340 (9e634)
• shortcuts: Case insensitive  -  by @​btea in #​649 (019af)

   🐞 Bug Fixes

• Resolve cwd from user config  -  by @​sxzz (bc066)

    View changes on GitHub

v0.17.3

Compare Source

   🚀 Features

• copy: Support glob in copy  -  by @​kricsleo and @​sxzz in #​637 (c1fd4)
  • This may be a breaking change, as the behavior has changed again in v0.17.4. Please upgrade to v0.17.4 and verify the issue.

   🐞 Bug Fixes

• Print error stack  -  by @​sxzz (1c5b6)
• Add config name to rebuilt message  -  by @​sxzz (bfdc6)
• Call hooks for each format  -  by @​sxzz (19bdd)
• Merge input & output options  -  by @​sxzz (14181)

    View changes on GitHub

v0.17.2

Compare Source

   🐞 Bug Fixes

• Empty clean array  -  by @​sxzz (eae7f)

    View changes on GitHub

v0.17.1

Compare Source

   🐞 Bug Fixes

• Respect clean on watch mode  -  by @​sxzz (bfbfb)

    View changes on GitHub

v0.17.0

Compare Source

   🚨 Breaking Changes

Notable features: https://bsky.app/profile/sxzz.dev/post/3m6xi7e7d5k2b

• Rolldown native watcher  -  by @​sxzz in #​329 (1c4f8)
• Enable failOnWarn by default in CI  -  by @​sxzz in #​617 (245e7)
• Remove unconfig from configLoader  -  by @​sxzz (9d6a7)
• Support exports, publint, attw for multi-configs  -  by @​sxzz (f889a)
• refactor!(attw): rename profile value from esmOnly to esm-only  -  by @​sxzz (85c10f3)

   🚀 Features

• Export WatchPlugin  -  by @​sxzz (4ccb2)
• Add write option  -  by @​sxzz (64fea)
• Add chunks on build:done hook  -  by @​sxzz (eb45c)
• Override options by fo

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[pkg-pr-new]

npm i https://pkg.pr.new/@zotero-plugin/eslint-config@17

commit: ba70bf2

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 2 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 21, reused 0, downloaded 0, added 0
Progress: resolved 66, reused 0, downloaded 0, added 0
 ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "chokidar@4.0.3" (possible package takeover)

This error happened while installing the dependencies of @eslint/config-inspector@1.4.2

Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had provenance attestation, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.