chore(deps): update all non-major dependencies #48

renovate · 2025-04-28T02:46:22Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@types/node (source)	`^22.14.1` -> `^22.15.3`
esbuild	`^0.25.2` -> `^0.25.3`
eslint (source)	`^9.25.0` -> `^9.25.1`
pnpm (source)	`10.8.1` -> `10.10.0`
rollup (source)	`^4.40.0` -> `^4.40.1`
tsdown	`^0.9.1` -> `^0.10.0`
vite (source)	`^6.3.2` -> `^6.3.3`
vitest (source)	`^3.1.1` -> `^3.1.2`
webpack	`^5.99.6` -> `^5.99.7`

Release Notes

evanw/esbuild (esbuild)

`v0.25.3`

Compare Source

Fix lowered async arrow functions before super() (#4141, #4142)

This change makes it possible to call an async arrow function in a constructor before calling super() when targeting environments without async support, as long as the function body doesn't reference this. Here's an example (notice the change from this to null):
```
// Original code
class Foo extends Object {
  constructor() {
    (async () => await foo())()
    super()
  }
}

// Old output (with --target=es2016)
class Foo extends Object {
  constructor() {
    (() => __async(this, null, function* () {
      return yield foo();
    }))();
    super();
  }
}

// New output (with --target=es2016)
class Foo extends Object {
  constructor() {
    (() => __async(null, null, function* () {
      return yield foo();
    }))();
    super();
  }
}
```
Some background: Arrow functions with the async keyword are transformed into generator functions for older language targets such as --target=es2016. Since arrow functions capture this, the generated code forwards this into the body of the generator function. However, JavaScript class syntax forbids using this in a constructor before calling super(), and this forwarding was problematic since previously happened even when the function body doesn't use this. Starting with this release, esbuild will now only forward this if it's used within the function body.

This fix was contributed by @magic-akari.
Fix memory leak with --watch=true (#4131, #4132)

This release fixes a memory leak with esbuild when --watch=true is used instead of --watch. Previously using --watch=true caused esbuild to continue to use more and more memory for every rebuild, but --watch=true should now behave like --watch and not leak memory.

This bug happened because esbuild disables the garbage collector when it's not run as a long-lived process for extra speed, but esbuild's checks for which arguments cause esbuild to be a long-lived process weren't updated for the new --watch=true style of boolean command-line flags. This has been an issue since this boolean flag syntax was added in version 0.14.24 in 2022. These checks are unfortunately separate from the regular argument parser because of how esbuild's internals are organized (the command-line interface is exposed as a separate Go API so you can build your own custom esbuild CLI).

This fix was contributed by @mxschmitt.
More concise output for repeated legal comments (#4139)

Some libraries have many files and also use the same legal comment text in all files. Previously esbuild would copy each legal comment to the output file. Starting with this release, legal comments duplicated across separate files will now be grouped in the output file by unique comment content.
Allow a custom host with the development server (#4110)

With this release, you can now use a custom non-IP host with esbuild's local development server (either with --serve= for the CLI or with the serve() call for the API). This was previously possible, but was intentionally broken in version 0.25.0 to fix a security issue. This change adds the functionality back except that it's now opt-in and only for a single domain name that you provide.

For example, if you add a mapping in your /etc/hosts file from local.example.com to 127.0.0.1 and then use esbuild --serve=local.example.com:8000, you will now be able to visit http://local.example.com:8000/ in your browser and successfully connect to esbuild's development server (doing that would previously have been blocked by the browser). This should also work with HTTPS if it's enabled (see esbuild's documentation for how to do that).
Add a limit to CSS nesting expansion (#4114)

With this release, esbuild will now fail with an error if there is too much CSS nesting expansion. This can happen when nested CSS is converted to CSS without nesting for older browsers as expanding CSS nesting is inherently exponential due to the resulting combinatorial explosion. The expansion limit is currently hard-coded and cannot be changed, but is extremely unlikely to trigger for real code. It exists to prevent esbuild from using too much time and/or memory. Here's an example:
```
a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{color:red}}}}}}}}}}}}}}}}}}}}
```
Previously, transforming this file with --target=safari1 took 5 seconds and generated 40mb of CSS. Trying to do that will now generate the following error instead:
```
✘ [ERROR] CSS nesting is causing too much expansion

    example.css:1:60:
      1 │ a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{color:red}}}}}}}}}}}}}}}}}}}}
        ╵                                                             ^

  CSS nesting expansion was terminated because a rule was generated with 65536 selectors. This limit
  exists to prevent esbuild from using too much time and/or memory. Please change your CSS to use
  fewer levels of nesting.
```
Fix path resolution edge case (#4144)

This fixes an edge case where esbuild's path resolution algorithm could deviate from node's path resolution algorithm. It involves a confusing situation where a directory shares the same file name as a file (but without the file extension). See the linked issue for specific details. This appears to be a case where esbuild is correctly following node's published resolution algorithm but where node itself is doing something different. Specifically the step LOAD_AS_FILE appears to be skipped when the input ends with ... This release changes esbuild's behavior for this edge case to match node's behavior.
Update Go from 1.23.7 to 1.23.8 (#4133, #4134)

This should have no effect on existing code as this version change does not change Go's operating system support. It may remove certain reports from vulnerability scanners that detect which version of the Go compiler esbuild uses, such as for CVE-2025-22871.

As a reminder, esbuild's development server is intended for development, not for production, so I do not consider most networking-related vulnerabilities in Go to be vulnerabilities in esbuild. Please do not use esbuild's development server in production.

eslint/eslint (eslint)

`v9.25.1`

Compare Source

pnpm/pnpm (pnpm)

`v10.10.0`

Compare Source

Minor Changes

Allow loading the preResolution, importPackage, and fetchers hooks from local pnpmfile.

Patch Changes

Fix cd command, when shellEmulator is true #7838.
Sort keys in pnpm-workspace.yaml #9453.
Pass the npm_package_json environment variable to the executed scripts #9452.
Fixed a mistake in the description of the --reporter=silent option.

`v10.9.0`

Compare Source

Minor Changes

Added support for installing JSR packages. You can now install JSR packages using the following syntax:
```
pnpm add jsr:<pkg_name>
```
or with a version range:
```
pnpm add jsr:<pkg_name>@&#8203;<range>
```
For example, running:
```
pnpm add jsr:@&#8203;foo/bar
```
will add the following entry to your package.json:
```
{
  "dependencies": {
    "@&#8203;foo/bar": "jsr:^0.1.2"
  }
}
```
When publishing, this entry will be transformed into a format compatible with npm, older versions of Yarn, and previous pnpm versions:
```
{
  "dependencies": {
    "@&#8203;foo/bar": "npm:@&#8203;jsr/foo__bar@^0.1.2"
  }
}
```
Related issue: #8941.

Note: The @jsr scope defaults to https://npm.jsr.io/ if the @jsr:registry setting is not defined.
Added a new setting, dangerouslyAllowAllBuilds, for automatically running any scripts of dependencies without the need to approve any builds. It was already possible to allow all builds by adding this to pnpm-workspace.yaml:
```
neverBuiltDependencies: []
```
dangerouslyAllowAllBuilds has the same effect but also allows to be set globally via:
```
pnpm config set dangerouslyAllowAllBuilds true
```
It can also be set when running a command:
```
pnpm install --dangerously-allow-all-builds
```

Patch Changes

Fix a false negative in verifyDepsBeforeRun when nodeLinker is hoisted and there is a workspace package without dependencies and node_modules directory #9424.
Explicitly drop verifyDepsBeforeRun support for nodeLinker: pnp. Combining verifyDepsBeforeRun and nodeLinker: pnp will now print a warning.

rollup/rollup (rollup)

`v4.40.1`

Compare Source

2025-04-28

Bug Fixes

Limit hash size for asset file names to the supported 21 (#5921)
Do not inline user-defined entry chunks or chunks with explicit file name (#5923)
Avoid top-level-await cycles when non-entry chunks use top-level await (#5930)
Expose package.json via exports (#5931)

Pull Requests

#5921: fix(assetFileNames): reduce max hash size to 21 (@shulaoda)
#5923: fix: generate the separate chunk for the entry module with explicated chunk filename or name (@TrickyPi)
#5926: fix(deps): update rust crate swc_compiler_base to v18 (@renovate[bot])
#5927: fix(deps): lock file maintenance minor/patch updates (@renovate[bot])
#5928: fix(deps): lock file maintenance minor/patch updates (@renovate[bot])
#5930: Avoid chunks TLA dynamic import circular when TLA dynamic import used in non-entry modules (@TrickyPi)
#5931: chore: add new ./package.json entry (@JounQin, @lukastaegert)
#5936: fix(deps): lock file maintenance minor/patch updates (@renovate[bot])

rolldown/tsdown (tsdown)

`v0.10.0`

Compare Source

🚨 Breaking Changes

Clean output dir by default - by @sxzz (cda6f)
Enable dts based on typings field in package.json - by @sxzz (c7109)

🚀 Features

Show migration guide link - by @sxzz (0ff39)

View changes on GitHub

`v0.9.9`

Compare Source

🚀 Features

Support declaration maps - by @sxzz (10565)
Support CSS syntax lowering - by @ocavue and @sxzz in https://github.com/rolldown/tsdown/issues/159 (8634d)

🏎 Performance

Disable report plugin when silent - by @sxzz (46051)

View changes on GitHub

`v0.9.8`

Compare Source

🚀 Features

Functional config - by @sxzz (2680c)

View changes on GitHub

🏎 Performance

Enable compiler cache via module.enableCompileCache() - by @btea in https://github.com/rolldown/tsdown/issues/153 (a60d9)
watch: Defer chokidar import - by @sxzz (516fa)

View changes on GitHub

`v0.9.6`

Compare Source

🐞 Bug Fixes

Resolve comma for format & target - by @sxzz (06700)
Add build start log - by @sxzz (8662d)
report: Disable brotli by default for performance - by @sxzz (4b95e)

View changes on GitHub

`v0.9.5`

Compare Source

🚀 Features

Hooks - by @sxzz (55a9c)

View changes on GitHub

`v0.9.4`

Compare Source

🚀 Features

Add external cli option - by @sxzz (87cf4)

View changes on GitHub

`v0.9.3`

Compare Source

🚀 Features

Output report - by @MatteoGabriele and @sxzz in https://github.com/rolldown/tsdown/issues/136 (6b9d5)
Report total file size - by @sxzz (3aea3)

🐞 Bug Fixes

Report dts for cjs - by @sxzz (294e2)

View changes on GitHub

`v0.9.2`

Compare Source

🐞 Bug Fixes

cwd for entry glob - by @sxzz (20d68)

View changes on GitHub

vitejs/vite (vite)

`v6.3.3`

Compare Source

fix: ignore malformed uris in tranform middleware (#19853) (e4d5201), closes #19853
fix(assets): ensure ?no-inline is not included in the asset url in the production environment (#1949 (16a73c0), closes #19496
fix(css): resolve relative imports in sass properly on Windows (#19920) (ffab442), closes #19920
fix(deps): update all non-major dependencies (#19899) (a4b500e), closes #19899
fix(ssr): fix execution order of re-export (#19841) (ed29dee), closes #19841
fix(ssr): fix live binding of default export declaration and hoist exports getter (#19842) (80a91ff), closes #19842
perf: skip sourcemap generation for renderChunk hook of import-analysis-build plugin (#19921) (55cfd04), closes #19921
test(ssr): test ssrTransform re-export deps and test stacktrace with first line (#19629) (9399cda), closes #19629

vitest-dev/vitest (vitest)

`v3.1.2`

Compare Source

🚀 Features

Draft implementation - by @sheremet-va (86010)
Draft implementation" - by @sheremet-va (ce2a0)

🐞 Bug Fixes

Add global chai variable in vitest/globals (fix: #7474) - by @Jay-Karia in https://github.com/vitest-dev/vitest/issues/7771 and https://github.com/vitest-dev/vitest/issues/7474 (d9297)
Prevent modifying test.exclude when same object passed in coverage.exclude - by @AriPerkkio in https://github.com/vitest-dev/vitest/issues/7774 (c3751)
Fix already hoisted mock - by @hi-ogawa in https://github.com/vitest-dev/vitest/issues/7815 (773b1)
Fix test.scoped inheritance - by @hi-ogawa in https://github.com/vitest-dev/vitest/issues/7814 (db6c3)
Remove pointer-events-none after resizing the left panel - by @alexprudhomme in https://github.com/vitest-dev/vitest/issues/7811 (a7e77)
Default to run mode when stdin is not a TTY - by @kentonv, @hi-ogawa and @sheremet-va in https://github.com/vitest-dev/vitest/issues/7673 (6358f)
Use happy-dom/jsdom types for envionmentOptions - by @hi-ogawa in https://github.com/vitest-dev/vitest/issues/7795 (67430)
browser:
- Fix transform error before browser server initialization - by @hi-ogawa in https://github.com/vitest-dev/vitest/issues/7783 (5f762)
- Fix mocking from outside of root - by @hi-ogawa in https://github.com/vitest-dev/vitest/issues/7789 (03f55)
- Scale iframe for non ui case - by @hi-ogawa in https://github.com/vitest-dev/vitest/issues/6512 (c3374)
coverage:
- await profiler calls - by @AriPerkkio in https://github.com/vitest-dev/vitest/issues/7763 (795a6)
- Expose profiling timers - by @AriPerkkio in https://github.com/vitest-dev/vitest/issues/7820 (5652b)
deps:
- Update all non-major dependencies - in https://github.com/vitest-dev/vitest/issues/7765 (7c3df)
- Update all non-major dependencies - in https://github.com/vitest-dev/vitest/issues/7831 (15701)
runner:
- Correctly call test hooks and teardown functions - by @sheremet-va in https://github.com/vitest-dev/vitest/issues/7775 (3c00c)
- Show stacktrace on test timeout error - by @hi-ogawa in https://github.com/vitest-dev/vitest/issues/7799 (df33b)
ui:
- Load panel sizes from storage on initial load - by @userquin in https://github.com/vitest-dev/vitest/issues/7265 (6555d)
vite-node:
- Named export should overwrite export all - by @hi-ogawa in https://github.com/vitest-dev/vitest/issues/7846 (5ba0d)
- Add ERR_MODULE_NOT_FOUND code error if module cannot be loaded - by @sheremet-va in https://github.com/vitest-dev/vitest/issues/7776 (f9eac)

🏎 Performance

browser: Improve browser parallelisation - by @sheremet-va in https://github.com/vitest-dev/vitest/issues/7665 (816a5)

View changes on GitHub

webpack/webpack (webpack)

`v5.99.7`

Compare Source

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

bolt-new-by-stackblitz · 2025-04-28T02:46:25Z

Run & review this pull request in StackBlitz Codeflow.

socket-security · 2025-04-28T02:47:38Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Quality	Maintenance
esbuild@0.25.2 ⏵ 0.25.3
rolldown@1.0.0-beta.7-commit.a684277 ⏵ 1.0.0-beta.8-commit.a98d94e	⁺⁶
vitest@3.1.1 ⏵ 3.1.2
@types/node@22.14.1 ⏵ 22.15.3	⁺¹	⁺¹
vite@6.3.2 ⏵ 6.3.3		⁺¹
tsdown@0.9.1 ⏵ 0.10.0	⁺⁷	⁺¹	⁺¹
eslint@9.25.0 ⏵ 9.25.1	⁺¹
webpack@5.99.6 ⏵ 5.99.7			⁺¹
rollup@4.40.0 ⏵ 4.40.1	⁺¹

View full report

renovate bot added the dependencies label Apr 28, 2025

chore(deps): update all non-major dependencies

37dca9b

renovate bot force-pushed the renovate/all-minor-patch branch from 12d9e93 to 37dca9b Compare April 28, 2025 08:55

renovate bot merged commit 4bac074 into main Apr 28, 2025
9 checks passed

renovate bot deleted the renovate/all-minor-patch branch April 28, 2025 17:01

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

chore(deps): update all non-major dependencies #48

chore(deps): update all non-major dependencies #48

Uh oh!

renovate bot commented Apr 28, 2025 •

edited

Loading

Uh oh!

bolt-new-by-stackblitz bot commented Apr 28, 2025

Uh oh!

socket-security bot commented Apr 28, 2025 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

chore(deps): update all non-major dependencies #48

chore(deps): update all non-major dependencies #48

Uh oh!

Conversation

renovate bot commented Apr 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Minor Changes

Patch Changes

Minor Changes

Patch Changes

Bug Fixes

Pull Requests

🚨 Breaking Changes

🚀 Features

🚀 Features

🏎 Performance

🚀 Features

🚀 Features

🐞 Bug Fixes

🏎 Performance

🐞 Bug Fixes

🚀 Features

🚀 Features

🚀 Features

🐞 Bug Fixes

🐞 Bug Fixes

🚀 Features

🐞 Bug Fixes

🏎 Performance

Configuration

Uh oh!

bolt-new-by-stackblitz bot commented Apr 28, 2025

Uh oh!

socket-security bot commented Apr 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

renovate bot commented Apr 28, 2025 •

edited

Loading

socket-security bot commented Apr 28, 2025 •

edited

Loading