fix(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@cloudflare/vite-plugin (source)	^1.26.1 → ^1.28.0			devDependencies	minor
@rolldown/plugin-babel (source)	^0.2.0 → ^0.2.1			devDependencies	patch
@rolldown/pluginutils (source)	1.0.0-rc.7 → 1.0.0-rc.9			dependencies	patch
eslint-plugin-import-x	^4.16.1 → ^4.16.2			devDependencies	patch
eslint-plugin-regexp	^3.0.0 → ^3.1.0			devDependencies	minor
lint-staged	^16.3.2 → ^16.4.0			devDependencies	minor
oxfmt (source)	^0.36.0 → ^0.40.0			devDependencies	minor
pnpm (source)	10.31.0 → 10.32.1			packageManager	minor
pnpm/action-setup	v4.2.0 → v4.4.0			action	minor
rolldown (source)	1.0.0-rc.7 → 1.0.0-rc.9			devDependencies	patch
srvx (source)	^0.11.8 → ^0.11.12			dependencies	patch
tinyexec	^1.0.2 → ^1.0.4			devDependencies	patch
tsdown (source)	^0.21.0 → ^0.21.3			devDependencies	patch
typescript-eslint (source)	^8.56.1 → ^8.57.0			devDependencies	minor
vite (source)	^8.0.0-beta.16 → ^8.0.0			devDependencies	patch
vitest (source)	^4.0.18 → ^4.1.0			devDependencies	minor
wrangler (source)	^4.71.0 → ^4.73.0			devDependencies	minor

---

Release Notes

cloudflare/workers-sdk (@​cloudflare/vite-plugin)

v1.28.0

Compare Source

Minor Changes

• #​12855 c2b76bc Thanks @​jamesopstad! - Support local explorer /cdn-cgi/ routes

  The local explorer UI can now be accessed at /cdn-cgi/explorer.

Patch Changes

• #​12834 64edac7 Thanks @​jamesopstad! - Warn when the assets field is provided for auxiliary Workers

  Auxiliary Workers do not support static assets. Previously, the assets field was silently ignored but we now warn if it is used.

• #​12794 b980af6 Thanks @​aron-cf! - Fix Sandbox SDK preview URL WebSocket routing

  When using Sandbox SDK preview URLs, WebSocket requests using the vite-hmr protocol could be dropped before they reached the worker, causing HMR to fail. The plugin now forwards Sandbox WebSocket traffic and preserves the original request origin/host so worker proxy logic receives the correct URL.

• Updated dependencies [f7de0fd, ff543e3, 8e89e85, e63539d, 8d1e130, 6ee18e1, ecc7f79, 1dda1c8, 4bb61b9]:

  • miniflare@​4.20260312.0
  • wrangler@​4.73.0

v1.27.0

Compare Source

Minor Changes

• #​12826 de65c58 Thanks @​gabivlj! - Enable container egress interception in local dev without the experimental compatibility flag

  Container local development now always prepares the egress interceptor sidecar image needed for interceptOutboundHttp(). This makes container-to-Worker interception available by default in Wrangler, Miniflare, and the Cloudflare Vite plugin.

Patch Changes

• Updated dependencies [5451a7f, 5451a7f, 82cc2a8, 3c67c2a, d645594, 211d75d, 6ed249b, 9f93b54, de65c58, cb14820, a7c87d1, b8c33f5, e4d9510]:
  • miniflare@​4.20260310.0
  • wrangler@​4.72.0

rolldown/plugins (@​rolldown/plugin-babel)

v0.2.1

Bug Fixes

• babel: ignore queries when applying ts / jsx parsers (#​11) (0ce3d49)

rolldown/rolldown (@​rolldown/pluginutils)

v1.0.0-rc.9

Compare Source

💥 BREAKING CHANGES

• rename exported BindingMagicString to RolldownMagicString (#​8626) by @​IWANABETHATGUY

🚀 Features

• rolldown: add isRolldownMagicString property for reliable native detection (#​8614) by @​IWANABETHATGUY
• cli: align object type with rollup (#​8598) by @​h-a-n-a

🐛 Bug Fixes

• rust: circular inter-chunk imports when external dynamic imports exist (#​8596) by @​Dunqing
• update minify default docs from false to 'dce-only' (#​8620) by @​shulaoda

💼 Other

• fix early exit in script build-node (#​8617) by @​h-a-n-a

🚜 Refactor

• binding: remove outdated TODO comment in MagicString to_string() (#​8613) by @​IWANABETHATGUY

📚 Documentation

• add viteplus alpha announcement banner (#​8615) by @​mdong1909
• update VitePress theme to 4.8.2 for narrow-screen layout regression (#​8612) by @​Copilot

⚡ Performance

• merge 4 integration test binaries into 1 (#​8610) by @​Boshen

🧪 Testing

• replace heavy filename_with_hash test with targeted hash fixtures (#​8597) by @​Boshen

⚙️ Miscellaneous Tasks

• ci: remove redundant --no-run build step from cargo-test (#​8623) by @​Boshen
• rust: use cargo-shear to toggle Cargo.toml [lib] test = bool (#​8622) by @​Boshen
• deps: update test262 submodule for tests (#​8611) by @​sapphi-red
• skip macOS CI jobs on pull requests (#​8608) by @​Copilot
• add rust cache to repo validation job (#​8607) by @​Boshen
• skip running empty bin test targets (#​8605) by @​Boshen
• skip building examples in cargo-test to reduce build time (#​8603) by @​Boshen
• switch plain workflow checkouts to taiki-e action (#​8601) by @​Boshen
• skip Windows CI jobs on PRs (#​8600) by @​Boshen
• remove unused asset module (#​8594) by @​shulaoda

◀️ Revert

• "docs: add viteplus alpha announcement banner (#​8615)" (#​8616) by @​shulaoda

v1.0.0-rc.8

Compare Source

🚀 Features

• watch: enable full functional fs watcher in wasm (#​8575) by @​hyf0
• watch: expose debounce related options (#​8572) by @​hyf0

🐛 Bug Fixes

• detect new URL(…, import.meta.url) with no-sub template literal (#​8565) by @​char
• devtools: trace dynamic imports in devtools (#​8581) by @​cal-gooo
• watch: rebuild when a previously missing file is created (#​8562) by @​hyf0-agent
• watch: filter out Access events to prevent infinite rebuild loop on Linux (#​8557) by @​hyf0-agent

🚜 Refactor

• watch: remove auto watch for fail imports (#​8585) by @​hyf0
• fs_watcher: unify the way of constructing watcher (#​8571) by @​hyf0
• cli: migrate CLI to CAC (#​8551) by @​h-a-n-a
• switch asset module support from hard-code to builtin plugin (#​8546) by @​hyf0

📚 Documentation

• fix subject-verb agreement in why-bundlers.md (#​8591) by @​brandonzylstra
• maintenance: align release and canary workflow guide (#​8538) by @​minsoo-web
• add format option to directives example config (#​8590) by @​shulaoda
• fix: change twitter to x logo in team (#​8552) by @​mdong1909
• correct composable filter support explanation (#​8550) by @​sapphi-red

⚡ Performance

• testing: share tokio runtime across fixture tests (#​8567) by @​Boshen

🧪 Testing

• hmr: fix infinite loop in dev server test retry logic (#​8576) by @​hyf0-agent
• cli: add more cli-e2e test cases (#​8548) by @​h-a-n-a

⚙️ Miscellaneous Tasks

• docs: update in-depth/directives for output.strict option (#​8535) by @​minsoo-web
• add PNPM_HOME Dev Drive mapping to Windows CI workflows (#​8589) by @​Boshen
• deps: update github-actions (#​8588) by @​renovate[bot]
• move Windows cargo target dir to Dev Drive (#​8586) by @​Boshen
• optimize cache keys to fix race conditions and reduce usage (#​8578) by @​Boshen
• remove WASI build & test pipeline (#​8580) by @​Boshen
• remove unnecessary submodule checkouts (#​8577) by @​Boshen
• use Dev Drive for Windows CI jobs (#​8574) by @​Boshen
• skip redundant native binding build for browser and remove standalone job (#​8573) by @​Boshen
• parallelize Node tests on ubuntu, single Node 24 on macOS/windows (#​8570) by @​Boshen
• docs: bump @​voidzero-dev/vitepress-theme to 4.8.0 (#​8558) by @​crusty-voidzero
• dedupe type-check from dev server workflow (#​8554) by @​Boshen

❤️ New Contributors

• @​brandonzylstra made their first contribution in #​8591
• @​char made their first contribution in #​8565
• @​cal-gooo made their first contribution in #​8581
• @​hyf0-agent made their first contribution in #​8562
• @​h-a-n-a made their first contribution in #​8551

un-ts/eslint-plugin-import-x (eslint-plugin-import-x)

v4.16.2

Compare Source

Patch Changes

• #​457 1da4043 Thanks @​SukkaW! - Make the no-unused-modules rule no-op on ESLint 10 or later for now before we can implement an alternative. A warning message about this behavior is added, and can be suppressed with the new suppressMissingFileEnumeratorAPIWarning rule option (import-x/no-unused-modules: ['error', { suppressMissingFileEnumeratorAPIWarning: true }]).

• #​450 a51be0f Thanks @​andrewgaun! - fix(deps): Bumping minimatch 10 version to avoid dependency with a critical vulnerability

  Updating the minimum minimatch 10 version to 10.1.2 which updates a dependency (@​isaacs/brace-expansion) with a critical vulnerability. See GHSA-7h2j-956f-4vf2

• #​466 b669aca Thanks @​SukkaW! - Make eslint-plugin-import-x compatible with ESLint's defineConfig

• #​434 a3aae61 Thanks @​stepankuzmin! - fix(deps): replace type-fest with @​package-json/types

  PackageJson types are imported in published declaration files (lib/rules/no-extraneous-dependencies.d.ts and lib/utils/read-pkg-up.d.ts), which causes TypeScript compilation errors for consumers who don't have skipLibCheck enabled. Replacing type-fest with the smaller @​package-json/types package ensures the types are available to all consumers while reducing bundle size.

• #​458 60312ee Thanks @​SukkaW! - Bump peer deps version range to include ESLint 10 support

• #​443 b416a8a Thanks @​baevm! - consistent-type-specifier-style: Add exception for TS resolution-mode import attributes

• #​454 d3f8d67 Thanks @​SukkaW! - First step toward ESLint 10 support:

  • sourceType determination now prefers context.languageOptions when possible
  • Ensure context.parserOptions no longer results in crashes with ESLint 10
  • Merge getParser and getParserPath implementations into one getParserOrPath

• #​406 d0a7816 Thanks @​marcalexiei! - fix(package): remove config and rules exports pointing to empty files

ota-meshi/eslint-plugin-regexp (eslint-plugin-regexp)

v3.1.0

Compare Source

Minor Changes

• refactor: Name the default export 'regexp' (#​952)

lint-staged/lint-staged (lint-staged)

v16.4.0

Compare Source

Minor Changes

• #​1739 687fc90 Thanks @​hyperz111! - Replace micromatch with picomatch to reduce dependencies.

v16.3.4

Compare Source

Patch Changes

• #​1742 9d6e827 Thanks @​iiroj! - Update dependencies, including tinyexec@1.0.4 to make sure local node_modules/.bin are preferred to global locations (released in tinyexec@1.0.3).

v16.3.3

Compare Source

Patch Changes

• #​1740 0109e8d Thanks @​iiroj! - Make sure Git's warning about CRLF line-endings doesn't interfere with creating initial backup stash.

oxc-project/oxc (oxfmt)

v0.40.0

Compare Source

🐛 Bug Fixes

• bc20217 oxlint,oxfmt: Omit useless | null for Option<T> field from schema (#​20273) (leaysgur)

v0.39.0

Compare Source

v0.38.0

Compare Source

v0.37.0

Compare Source

pnpm/pnpm (pnpm)

v10.32.1: pnpm 10.32.1

Compare Source

Patch Changes

• Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #​10909.

Platinum Sponsors

Gold Sponsors

v10.32.0: pnpm 10.32

Compare Source

Minor Changes

• Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #​10136.

Patch Changes

• Reverted change related to setting explicitly the npm config file path, which caused regressions.
• Reverted fix related to lockfile-include-tarball-url. Fixes #​10915.

Platinum Sponsors

Gold Sponsors

pnpm/action-setup (pnpm/action-setup)

v4.4.0

Compare Source

Updated the action to use Node.js 24.

v4.3.0

Compare Source

What's Changed

• docs: fix the run_install example in the Readme by @​dreyks in #​175
• chore: remove unused @types/node-fetch dependency by @​silverwind in #​186
• Clarify that package_json_file is relative to GITHUB_WORKSPACE by @​chris-martin in #​184
• feat: store caching by @​jrmajor in #​188
• refactor: remove star imports by @​KSXGitHub in #​196
• fix(ci): exclude macos by @​KSXGitHub in #​197

New Contributors

• @​dreyks made their first contribution in #​175
• @​silverwind made their first contribution in #​186
• @​chris-martin made their first contribution in #​184
• @​jrmajor made their first contribution in #​188
• @​Boosted-Bonobo made their first contribution in #​199

Full Changelog: pnpm/action-setup@v4.2.0...v4.3.0

h3js/srvx (srvx)

v0.11.12

Compare Source

compare changes

🩹 Fixes

• node: Improve pipeBody stability and performance (4051f22)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.11.11

Compare Source

compare changes

🩹 Fixes

• node: Handle duck-typed pipe objects in pipeBody (5e731ef)

✅ Tests

• node: Add duck-typed pipe object test for pipeBody (f746e79)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.11.10

Compare Source

compare changes

🩹 Fixes

• node: Handle error and abort propagation for piped Node.js streams (77f879b)
• node: Fallback to socket address on invalid Host header (#​192)
• node: Combine duplicate headers in entries() iterator (4ed7453)

🏡 Chore

• Apply automated updates (9b00c0c)
• Update deps (aa84077)
• Apply automated updates (91a5c14)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Marc marc@plastikpalme.de

v0.11.9

Compare Source

compare changes

🩹 Fixes

• static: Use path separator instead of hardcoded slash (#​190)
• fasturl, node: Normalize pathname if necessary (bd8c0d3)

🏡 Chore

• Update deps (cb8c4ed)
• Update tsconfig (fc1a711)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Joël Charles (@​magne4000)

tinylibs/tinyexec (tinyexec)

v1.0.4

Compare Source

What's Changed

• fix: package.json exports by @​mbwhite in #​91

New Contributors

• @​mbwhite made their first contribution in #​91

Full Changelog: tinylibs/tinyexec@1.0.3...1.0.4

v1.0.3

Compare Source

What's Changed

• chore: enable dependabot, bump actions by @​43081j in #​60
• chore: upgrade dependencies by @​43081j in #​62
• chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 in the github-actions group by @​dependabot[bot] in #​66
• chore: add licenses to distributed code temporarily by @​43081j in #​69
• chore(deps): bump actions/checkout from 5.0.1 to 6.0.0 in the github-actions group by @​dependabot[bot] in #​70
• chore(deps): bump the github-actions group with 2 updates by @​dependabot[bot] in #​72
• chore: bump node in CI by @​43081j in #​75
• chore(deps-dev): bump the development-dependencies group across 1 directory with 8 updates by @​dependabot[bot] in #​74
• chore(deps-dev): bump the development-dependencies group with 3 updates by @​dependabot[bot] in #​77
• chore(deps): bump actions/setup-node from 6.1.0 to 6.2.0 in the github-actions group by @​dependabot[bot] in #​76
• chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 in the github-actions group by @​dependabot[bot] in #​79
• chore(deps-dev): bump the development-dependencies group with 6 updates by @​dependabot[bot] in #​80
• chore(deps-dev): bump @​types/node from 25.0.10 to 25.2.0 in the development-dependencies group by @​dependabot[bot] in #​81
• chore(deps-dev): bump the development-dependencies group across 1 directory with 6 updates by @​dependabot[bot] in #​83
• chore(deps-dev): bump the development-dependencies group with 3 updates by @​dependabot[bot] in #​84
• chore(deps-dev): bump @​types/node from 25.3.0 to 25.3.3 in the development-dependencies group by @​dependabot[bot] in #​85
• fix: prefer local node_modules/.bin executables to globally installed ones by @​iiroj in #​87
• chore(deps): bump actions/setup-node from 6.2.0 to 6.3.0 in the github-actions group by @​dependabot[bot] in #​88
• chore(deps-dev): bump the development-dependencies group with 4 updates by @​dependabot[bot] in #​89

New Contributors

• @​dependabot[bot] made their first contribution in #​66
• @​iiroj made their first contribution in #​87

Full Changelog: tinylibs/tinyexec@1.0.2...1.0.3

rolldown/tsdown (tsdown)

v0.21.3

Compare Source

   🚀 Features

• copy: Add support for watching copy source files  -  by @​schplitt in #​721 (7c23a)

   🐞 Bug Fixes

• css: Watch inline CSS files in watch mode  -  by @​sxzz (2051a)
• exports: Sort inlined dependencies by package name  -  by @​sxzz (0ec71)
• publint: Support Yarn v1  -  by @​sxzz (4a291)
• unbundle: Root should be lowest common ancestor of entry files  -  by @​sxzz (f1823)

    View changes on GitHub

v0.21.2

Compare Source

   🚨 Breaking Changes

• exe: Add exe.outDir for separate executable output dir, defaults to build  -  by @​sxzz (d49ef)

Note: Executable is still an experimental feature and does not follow SemVer. Breaking changes may occur in any release.

   🚀 Features

• Add root option for controlling output directory structure  -  by @​sxzz (bad2d)
• deps: Rename onlyAllowBundle to onlyBundle  -  by @​peaklabs-dev and @​sxzz in #​819 (cbd7b)

   🐞 Bug Fixes

• css: Skip data URIs and external URLs in CSS url() rebasing  -  by @​sxzz (13907)

    View changes on GitHub

v0.21.1

Compare Source

   🚨 Breaking Changes

• css: Move all CSS support to @tsdown/css package  -  by @​sxzz in #​809 [(1b1a1)](https:/

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[hi-ogawa]

This wasn't undocumented feature and Vitest 4.1 intentionally broke it in vitest-dev/vitest#9786