fix(deps): update all non-major dependencies - autoclosed

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@sxzz/eslint-config	^7.8.2 → ^7.8.3
@types/node (source)	^25.3.3 → ^25.5.0
@typescript/native-preview (source)	7.0.0-dev.20260302.1 → 7.0.0-dev.20260313.1
esbuild	^0.27.3 → ^0.27.4
eslint (source)	^10.0.2 → ^10.0.3
pnpm (source)	10.30.3 → 10.32.1
rolldown-string	^0.2.1 → ^0.3.0
tsdown (source)	^0.21.0-beta.2 → ^0.21.2
tsdown-preset-sxzz	^0.4.0 → ^0.4.2
unplugin-oxc	^0.5.7 → ^0.6.0
vitest (source)	^4.0.18 → ^4.1.0
webpack	^5.105.3 → ^5.105.4

---

Release Notes

sxzz/eslint-config (@​sxzz/eslint-config)

v7.8.3

Compare Source

   🚀 Features

• Add inlinedDependencies to sort order in package.json  -  by @​sxzz (3caa8)

    View changes on GitHub

microsoft/typescript-go (@​typescript/native-preview)

v7.0.0-dev.20260313.1

Compare Source

v7.0.0-dev.20260312.1

Compare Source

v7.0.0-dev.20260311.1

Compare Source

v7.0.0-dev.20260310.1

Compare Source

v7.0.0-dev.20260309.1

Compare Source

v7.0.0-dev.20260308.1

Compare Source

v7.0.0-dev.20260307.1

Compare Source

v7.0.0-dev.20260306.1

Compare Source

v7.0.0-dev.20260305.1

Compare Source

v7.0.0-dev.20260304.1

Compare Source

v7.0.0-dev.20260303.1

Compare Source

evanw/esbuild (esbuild)

v0.27.4

Compare Source

• Fix a regression with CSS media queries (#​4395, #​4405, #​4406)

  Version 0.25.11 of esbuild introduced support for parsing media queries. This unintentionally introduced a regression with printing media queries that use the <media-type> and <media-condition-without-or> grammar. Specifically, esbuild was failing to wrap an or clause with parentheses when inside <media-condition-without-or>. This release fixes the regression.

  Here is an example:

  /* Original code */
  @​media only screen and ((min-width: 10px) or (min-height: 10px)) {
    a { color: red }
  }
  
  /* Old output (incorrect) */
  @​media only screen and (min-width: 10px) or (min-height: 10px) {
    a {
      color: red;
    }
  }
  
  /* New output (correct) */
  @​media only screen and ((min-width: 10px) or (min-height: 10px)) {
    a {
      color: red;
    }
  }

• Fix an edge case with the inject feature (#​4407)

  This release fixes an edge case where esbuild's inject feature could not be used with arbitrary module namespace names exported using an export {} from statement with bundling disabled and a target environment where arbitrary module namespace names is unsupported.

  With the fix, the following inject file:

  import jquery from 'jquery';
  export { jquery as 'window.jQuery' };

  Can now always be rewritten as this without esbuild sometimes incorrectly generating an error:

  export { default as 'window.jQuery' } from 'jquery';

• Attempt to improve API handling of huge metafiles (#​4329, #​4415)

  This release contains a few changes that attempt to improve the behavior of esbuild's JavaScript API with huge metafiles (esbuild's name for the build metadata, formatted as a JSON object). The JavaScript API is designed to return the metafile JSON as a JavaScript object in memory, which makes it easy to access from within a JavaScript-based plugin. Multiple people have encountered issues where this API breaks down with a pathologically-large metafile.

  The primary issue is that V8 has an implementation-specific maximum string length, so using the JSON.parse API with large enough strings is impossible. This release will now attempt to use a fallback JavaScript-based JSON parser that operates directly on the UTF8-encoded JSON bytes instead of using JSON.parse when the JSON metafile is too big to fit in a JavaScript string. The new fallback path has not yet been heavily-tested. The metafile will also now be generated with whitespace removed if the bundle is significantly large, which will reduce the size of the metafile JSON slightly.

  However, hitting this case is potentially a sign that something else is wrong. Ideally you wouldn't be building something so enormous that the build metadata can't even fit inside a JavaScript string. You may want to consider optimizing your project, or breaking up your project into multiple parts that are built independently. Another option could potentially be to use esbuild's command-line API instead of its JavaScript API, which is more efficient (although of course then you can't use JavaScript plugins, so it may not be an option).

eslint/eslint (eslint)

v10.0.3

Compare Source

pnpm/pnpm (pnpm)

v10.32.1: pnpm 10.32.1

Compare Source

Patch Changes

• Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #​10909.

Platinum Sponsors

Gold Sponsors

v10.32.0: pnpm 10.32

Compare Source

Minor Changes

• Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #​10136.

Patch Changes

• Reverted change related to setting explicitly the npm config file path, which caused regressions.
• Reverted fix related to lockfile-include-tarball-url. Fixes #​10915.

Platinum Sponsors

Gold Sponsors

v10.31.0

Compare Source

sxzz/rolldown-string (rolldown-string)

v0.3.0

Compare Source

   🚀 Features

• Support rolldown v1.0.0-rc.9  -  by @​sxzz (feb65)

    View changes on GitHub

rolldown/tsdown (tsdown)

v0.21.2

Compare Source

   🚨 Breaking Changes

• exe: Add exe.outDir for separate executable output dir, defaults to build  -  by @​sxzz (d49ef)

Note: Executable is still an experimental feature and does not follow SemVer. Breaking changes may occur in any release.

   🚀 Features

• Add root option for controlling output directory structure  -  by @​sxzz (bad2d)
• deps: Rename onlyAllowBundle to onlyBundle  -  by @​peaklabs-dev and @​sxzz in #​819 (cbd7b)

   🐞 Bug Fixes

• css: Skip data URIs and external URLs in CSS url() rebasing  -  by @​sxzz (13907)

    View changes on GitHub

v0.21.1

Compare Source

   🚨 Breaking Changes

• css: Move all CSS support to @tsdown/css package  -  by @​sxzz in #​809 (1b1a1)

[!IMPORTANT]
If you are using CSS features (e.g., CSS imports), you now need to manually install the @tsdown/css package:

npm install @​tsdown/css -D
# or
pnpm add @​tsdown/css -D

Note: CSS support is still an experimental feature and does not follow SemVer. Breaking changes may occur in any release.

   🚀 Features

• css:
  • Add css.inject option to preserve CSS imports in JS output  -  by @​sxzz and Claude Haiku 4.5 in #​808 (ad745)
  • Support ?inline query for CSS imports  -  by @​sxzz in #​810 (b7379)
  • Support node_modules package resolution  -  by @​sxzz and Claude Haiku 4.5 in #​812 (b06b4)

   🐞 Bug Fixes

• Generate correct filename for sass files when dts is enabled  -  by @​ocavue in #​802 (848a7)
• css:
  • Handle virtual module IDs from framework plugins  -  by @​sxzz (c421f)
  • Ignore css imports with URL query  -  by @​ocavue and @​sxzz in #​806 (c1d23)

    View changes on GitHub

v0.21.0

Compare Source

v0.21.0 - Notable Changes

Breaking Changes

Dependency options renamed to deps namespace

The dependency-related options have been moved under a new deps namespace with clearer names:

• external -> deps.neverBundle
• noExternal -> deps.alwaysBundle
• inlineOnly -> deps.onlyAllowBundle
• skipNodeModulesBundle -> deps.skipNodeModulesBundle

Before:

export default defineConfig({
  external: ['vue'],
  noExternal: ['lodash'],
})

After:

export default defineConfig({
  deps: {
    neverBundle: ['vue'],
    alwaysBundle: ['lodash'],
  },
})

The old options still work but are deprecated and will emit warnings.

failOnWarn default changed from 'ci-only' to false

If you relied on the previous behavior where warnings would fail the build in CI environments, you now need to explicitly set failOnWarn: true or failOnWarn: 'ci-only' in your config.

Node.js < 22.18.0 deprecated

tsdown now emits a deprecation warning when running on Node.js versions below 22.18.0. Plan to upgrade your Node.js version accordingly.

New Features

Experimental Node.js SEA executable bundling (exe)

tsdown can now bundle your TypeScript project into a standalone executable using Node.js Single Executable Applications (SEA). A new @tsdown/exe package provides cross-platform executable building support. See the exe documentation for details.

export default defineConfig({
  exe: true, // or { useCodeCache: true, useSnapshot: true }
})

Full CSS pipeline with @tsdown/css

CSS handling has been reimplemented as a native Rolldown plugin and extracted into the @tsdown/css package, providing a complete CSS pipeline with Lightning CSS and PostCSS support via the css.transformer option. See the CSS documentation for details.

inlinedDependencies field in package.json

When using the exports feature, tsdown now auto-generates an inlinedDependencies field in your package.json, listing dependencies that are bundled into the output.

Object option for customExports

customExports now supports an object format for more fine-grained control over the generated exports field.

Migration Guide

1. Update dependency options: Rename external -> deps.neverBundle, noExternal -> deps.alwaysBundle, etc.
2. Check failOnWarn: If you need warnings to fail the build in CI, explicitly set failOnWarn: 'ci-only' or failOnWarn: true.
3. Upgrade Node.js: Ensure you're running Node.js >= 22.18.0 to avoid deprecation warnings.

Links

• tsdown Documentation
• v0.21.0-beta.1 Release
• v0.21.0-beta.2 Release
• v0.21.0-beta.3 Release
• v0.21.0-beta.4 Release
• v0.21.0-beta.5 Release
• Full diff from v0.20.3

---

   🚨 Breaking Changes

• Change failOnWarn default from 'ci-only' to false  -  by @​sxzz (ad8db)
• exe: Require Node >=25.7 and default format to esm  -  by @​sxzz in #​798 (0173c)

   🚀 Features

• Rename dependency options to deps namespace  -  by @​sxzz (7f509)
• Upgrade rolldown  -  by @​sxzz (7a528)
• Deprecate Node.js versions below 22.18.0  -  by @​sxzz (439f1)
• Support bundling .node files by default  -  by @​sxzz (944e9)
• css:
  • Implement full CSS pipeline as Rolldown plugin  -  by @​sxzz in #​787 (dbe3c)
  • Extract CSS pipeline into @tsdown/css package  -  by @​sxzz in #​790 (e4cbe)
  • Add PostCSS support with css.transformer option  -  by @​sxzz in #​791 (35bef)
  • Default css.transformer to lightningcss  -  by @​sxzz in #​797 (288a5)
• exe:
  • Add experimental Node.js SEA executable bundling  -  by @​sxzz in #​777 (418d5)
  • Add cross-platform executable building via @tsdown/exe  -  by @​sxzz in #​786 (b6833)
  • Support latest and latest-lts for nodeVersion  -  by @​sxzz (ce7ab)
• exports:
  • Support object option for customExports  -  by @​Joery-M and @​sxzz in #​769 (7fb72)
  • Add inlinedDependencies field to package.json  -  by @​sxzz in #​785 (5c71f)
• migrate:
  • Migrate external/noExternal to deps namespace  -  by @​sxzz (c59e7)

   🐞 Bug Fixes

• Apply failOnWarn to rolldown logs  -  by @​sxzz (149dc)
• Debounce onSuccess in watch mode to prevent duplicate execution  -  by @​sxzz (af748)
• Don't fail on PLUGIN_TIMINGS warnings when failOnWarn is enabled  -  by @​sxzz (9872a)
• Resolve css files in node_modules  -  by @​ocavue, @​sxzz and Rei in #​795 (d8a1f)
• config: Handle known Node.js bug in nativeImport error handling  -  by @​sxzz (e4230)
• copy: Don't warn if no files specified  -  by @​adamlohner, @​cursoragent and @​sxzz in #​780 (afaab)
• css: Remove empty js chunks  -  by @​ocavue and @​sxzz in #​799 (1183a)
• exe: Use runtime semver check for ESM SEA default format  -  by @​sxzz (5321c)
• exports: Include non-entry chunks in exports when all is true  -  by @​sxzz (79492)
• hooks: Set cwd for onSuccess  -  by @​sxzz (c114a)
• node-protocol: Respect alias and tsconfig paths when stripping node: prefix  -  by @​lazuee in #​773 (b1dd2)
• watch: Re-glob entry files on create/delete events  -  by @​sxzz (a1969)

    View changes on GitHub

v0.21.0-beta.5

Compare Source

v0.21.0-beta.5 - Notable Changes

Breaking Changes

Dependency options renamed to deps namespace

The dependency-related options have been moved under a new deps namespace with clearer names:

• external -> deps.neverBundle
• noExternal -> deps.alwaysBundle
• inlineOnly -> deps.onlyAllowBundle
• skipNodeModulesBundle -> deps.skipNodeModulesBundle

Before:

export default defineConfig({
  external: ['vue'],
  noExternal: ['lodash'],
})

After:

export default defineConfig({
  deps: {
    neverBundle: ['vue'],
    alwaysBundle: ['lodash'],
  },
})

The old options still work but are deprecated and will emit warnings.

failOnWarn default changed from 'ci-only' to false

If you relied on the previous behavior where warnings would fail the build in CI environments, you now need to explicitly set failOnWarn: true or failOnWarn: 'ci-only' in your config.

Node.js < 22.18.0 deprecated

tsdown now emits a deprecation warning when running on Node.js versions below 22.18.0. Plan to upgrade your Node.js version accordingly.

New Features

Experimental Node.js SEA executable bundling (exe)

tsdown can now bundle your TypeScript project into a standalone executable using Node.js Single Executable Applications (SEA). A new @tsdown/exe package provides cross-platform executable building support. See the exe documentation for details.

export default defineConfig({
  exe: true, // or { useCodeCache: true, useSnapshot: true }
})

Full CSS pipeline with @tsdown/css

CSS handling has been reimplemented as a native Rolldown plugin and extracted into the @tsdown/css package, providing a complete CSS pipeline with Lightning CSS and PostCSS support via the css.transformer option. See the CSS documentation for details.

inlinedDependencies field in package.json

When using the exports feature, tsdown now auto-generates an inlinedDependencies field in your package.json, listing dependencies that are bundled into the output.

Object option for customExports

customExports now supports an object format for more fine-grained control over the generated exports field.

Migration Guide

1. Update dependency options: Rename external -> deps.neverBundle, noExternal -> deps.alwaysBundle, etc.
2. Check failOnWarn: If you need warnings to fail the build in CI, explicitly set failOnWarn: 'ci-only' or failOnWarn: true.
3. Upgrade Node.js: Ensure you're running Node.js >= 22.18.0 to avoid deprecation warnings.

Links

• tsdown Documentation
• v0.21.0-beta.1 Release
• v0.21.0-beta.2 Release
• v0.21.0-beta.3 Release
• v0.21.0-beta.4 Release
• v0.21.0-beta.5 Release
• Full diff from v0.20.3

---

   🚨 Breaking Changes

• exe: Require Node >=25.7 and default format to esm  -  by @​sxzz in #​798 (0173c)

   🚀 Features

• css: Default css.transformer to lightningcss  -  by @​sxzz in #​797 (288a5)

   🐞 Bug Fixes

• Resolve css files in node_modules  -  by @​ocavue, @​sxzz and Rei in #​795 (d8a1f)

    View changes on GitHub

v0.21.0-beta.4

Compare Source

   🚀 Features

• css:
  • Extract CSS pipeline into @tsdown/css package  -  by @​sxzz in #​790 (e4cbe)
  • Add PostCSS support with css.transformer option  -  by @​sxzz in #​791 (35bef)

    View changes on GitHub

v0.21.0-beta.3

Compare Source

v0.21.0-beta.3 - Notable Changes

Breaking Changes

Dependency options renamed to deps namespace

The dependency-related options have been moved under a new deps namespace with clearer names:

• external -> deps.neverBundle
• noExternal -> deps.alwaysBundle
• inlineOnly -> deps.onlyAllowBundle
• skipNodeModulesBundle -> deps.skipNodeModulesBundle

Before:

export default defineConfig({
  external: ['vue'],
  noExternal: ['lodash'],
})

After:

export default defineConfig({
  deps: {
    neverBundle: ['vue'],
    alwaysBundle: ['lodash'],
  },
})

The old options still work but are deprecated and will emit warnings.

failOnWarn default changed from 'ci-only' to false

If you relied on the previous behavior where warnings would fail the build in CI environments, you now need to explicitly set failOnWarn: true or failOnWarn: 'ci-only' in your config.

Node.js < 22.18.0 deprecated

tsdown now emits a deprecation warning when running on Node.js versions below 22.18.0. Plan to upgrade your Node.js version accordingly.

New Features

Experimental Node.js SEA executable bundling (exe)

tsdown can now bundle your TypeScript project into a standalone executable using Node.js Single Executable Applications (SEA). A new @tsdown/exe package provides cross-platform executable building support. See the exe documentation for details.

export default defineConfig({
  exe: true, // or { useCodeCache: true, useSnapshot: true }
})

Full CSS pipeline as Rolldown plugin

CSS handling has been reimplemented as a native Rolldown plugin, providing a complete CSS pipeline with Lightning CSS integration for transforms, minification, and bundling. See the CSS documentation for details.

inlinedDependencies field in package.json

When using the exports feature, tsdown now auto-generates an inlinedDependencies field in your package.json, listing dependencies that are bundled into the output.

Object option for customExports

customExports now supports an object format for more fine-grained control over the generated exports field.

Migration Guide

1. Update dependency options: Rename external -> deps.neverBundle, noExternal -> deps.alwaysBundle, etc.
2. Check failOnWarn: If you need warnings to fail the build in CI, explicitly set failOnWarn: 'ci-only' or failOnWarn: true.
3. Upgrade Node.js: Ensure you're running Node.js >= 22.18.0 to avoid deprecation warnings.

Links

• tsdown beta Documentation
• v0.21.0-beta.1 Release
• v0.21.0-beta.2 Release
• v0.21.0-beta.3 Release
• Full diff from v0.20.3

---

   🚀 Features

• Upgrade rolldown  -  by @​sxzz (7a528)
• Deprecate Node.js versions below 22.18.0  -  by @​sxzz (439f1)
• css: Implement full CSS pipeline as Rolldown plugin  -  by @​sxzz in #​787 (dbe3c)
• exe: Add cross-platform executable building via @tsdown/exe  -  by @​sxzz in #​786 (b6833)
• exports: Add inlinedDependencies field to package.json  -  by @​sxzz in #​785 (5c71f)

   🐞 Bug Fixes

• Don't fail on PLUGIN_TIMINGS warnings when failOnWarn is enabled  -  by @​sxzz (9872a)
• hooks: Set cwd for onSuccess  -  by @​sxzz (c114a)
• watch: Re-glob entry files on create/delete events  -  by @​sxzz (a1969)

    View changes on GitHub

sxzz/tsdown-preset-sxzz (tsdown-preset-sxzz)

v0.4.2

Compare Source

   🚀 Features

• Support tsdown 0.21.2  -  by @​sxzz (f465f)

    View changes on GitHub

v0.4.1

Compare Source

No significant changes

    View changes on GitHub

unplugin/unplugin-oxc (unplugin-oxc)

v0.6.0

Compare Source

   🐞 Bug Fixes

• deps:
  • Update all non-major dependencies  -  in #​30 (722ca)
  • Update all non-major dependencies  -  in #​31 (8a9b5)
  • Update all non-major dependencies  -  in #​32 (7dce2)
  • Update all non-major dependencies  -  in #​33 (d8499)
  • Update all non-major dependencies  -  in #​34 (55514)
  • Update dependency unplugin to v3  -  in #​35 (33bac)

    View changes on GitHub

vitest-dev/vitest (vitest)

v4.1.0

Compare Source

Vitest 4.1 is out!

This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.

   🚀 Features

• Return a disposable from doMock()  -  by @​kirkwaiblinger in #​9332 (e3e65)
• Added chai style assertions  -  by @​ronnakamoto and @​sheremet-va in #​8842 (841df)
• Update to sinon/fake-timers v15 and add setTickMode to timer controls  -  by @​atscott and @​sheremet-va in #​8726 (4b480)
• Expose matcher types  -  by @​sheremet-va in #​9448 (3e4b9)
• Add toTestSpecification to reported tasks  -  by @​sheremet-va in #​9464 (1a470)
• Show a warning if vi.mock or vi.hoisted are declared outside of top level of the module  -  by @​sheremet-va in #​9387 (5db54)
• Track and display expectedly failed tests (.fails) in UI and CLI  -  by @​Copilot, sheremet-va and @​sheremet-va in #​9476 (77d75)
• Support tags  -  by @​sheremet-va in #​9478 (de7c8)
• Implement aroundEach and aroundAll hooks  -  by @​sheremet-va in #​9450 (2a8cb)
• Stabilize experimental features  -  by @​sheremet-va in #​9529 (b5fd2)
• Accept new or all in --update flag  -  by @​sheremet-va in #​9543 (a5acf)
• Support meta in test options  -  by @​sheremet-va in #​9535 (7d622)
• Support type inference with a new test.extend syntax  -  by @​sheremet-va in #​9550 (e5385)
• Support vite 8 beta, fix type issues in the config with different vite versions  -  by @​sheremet-va in #​9587 (99028)
• Add assertion helper to hide internal stack traces  -  by @​hi-ogawa and Claude Opus 4.6 in #​9594 (eeb0a)
• Store failure screenshots using artifacts API  -  by @​macarie in #​9588 (24603)
• Allow vitest list to statically collect tests instead of running files to collect them  -  by @​sheremet-va in [#​9630](https://redirect.git

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/unplugin-inline-enum@113

commit: fc2493c

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	tsdown-preset-sxzz@​0.4.0 ⏵ 0.4.2	+1		+1	+1
	@​typescript/​native-preview@​7.0.0-dev.20260302.1 ⏵ 7.0.0-dev.20260313.1
	esbuild@​0.27.3 ⏵ 0.27.4			+1
	vitest@​4.0.18 ⏵ 4.1.0			+1
	@​types/​node@​25.3.3 ⏵ 25.5.0	+1		+1
	unplugin-oxc@​0.5.7 ⏵ 0.6.0	+2		+1	-2
	rolldown-string@​0.3.0
	webpack@​5.105.3 ⏵ 5.105.4	+1		+1
	@​sxzz/​eslint-config@​7.8.2 ⏵ 7.8.3	+1
	tsdown@​0.21.0-beta.2 ⏵ 0.21.2			+1	+1
	eslint@​10.0.2 ⏵ 10.0.3	+1

View full report