fix(deps): update all non-major dependencies - autoclosed #39

renovate · 2025-12-29T02:10:12Z

This PR contains the following updates:

Package	Change	Age	Confidence
@sxzz/eslint-config	`^7.4.3` → `^7.5.0`
@types/node (source)	`^25.0.3` → `^25.0.10`
@typescript/native-preview (source)	`7.0.0-dev.20251221.1` → `7.0.0-dev.20260122.3`
bumpp	`^10.3.2` → `^10.4.0`
lightningcss	`^1.30.2` → `^1.31.1`
pnpm (source)	`10.26.1` → `10.28.1`
prettier (source)	`^3.7.4` → `^3.8.1`
rollup (source)	`^4.54.0` → `^4.56.0`
tsdown (source)	`^0.18.2` → `^0.20.0`
vite (source)	`^7.3.0` → `^7.3.1`
vitest (source)	`^4.0.16` → `^4.0.17`
vue (source)	`^3.5.26` → `^3.5.27`

Release Notes

sxzz/eslint-config (@sxzz/eslint-config)

`v7.5.0`

Compare Source

🚀 Features

Upgrade yaml plugin - by @sxzz (5516e)

View changes on GitHub

`v7.4.5`

Compare Source

No significant changes

View changes on GitHub

`v7.4.4`

Compare Source

No significant changes

View changes on GitHub

microsoft/typescript-go (@typescript/native-preview)

antfu-collective/bumpp (bumpp)

`v10.4.0`

Compare Source

No significant changes

View changes on GitHub

parcel-bundler/lightningcss (lightningcss)

`v1.31.1`

Compare Source

`v1.31.0`

Compare Source

Features

Fixes

pnpm/pnpm (pnpm)

`v10.28.1`

Compare Source

`v10.28.0`

Compare Source

`v10.27.0`

Compare Source

`v10.26.2`: pnpm 10.26.2

Compare Source

Patch Changes

Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #10307.
Fix installation of Git dependencies using annotated tags #10335.

Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out commit hash didn't match the stored tag object hash.
Binaries of runtime engines (Node.js, Deno, Bun) are written to node_modules/.bin before lifecycle scripts (install, postinstall, prepare) are executed #10244.
Try to avoid making network calls with preferOffline #10334.

Platinum Sponsors

Gold Sponsors

prettier/prettier (prettier)

`v3.8.1`

Compare Source

`v3.8.0`

Compare Source

diff

🔗 Release note

rollup/rollup (rollup)

`v4.56.0`

Compare Source

2026-01-22

Features

Track object property inclusions of dynamic namespace members (#6230)

Bug Fixes

Handle methods that access dynamically imported namespace members via this (#6230)

Pull Requests

#6230: Refine namespace handling (@lukastaegert)

`v4.55.3`

Compare Source

2026-01-21

Bug Fixes

Fix JSX semicolon insert position in variable declarations (#6241)

Pull Requests

#6241: Fix JSX semicolon insertion (@lukastaegert)

`v4.55.2`

Compare Source

2026-01-19

Bug Fixes

Sort manual chunks by execution order to reduce circular dependency issues (#6240)

Pull Requests

#6234: chore(deps): pin cross-platform-actions/action action to 492b0c8 (@renovate[bot])
#6235: chore(deps): update dependency globals to v17 (@renovate[bot], @lukastaegert)
#6236: fix(deps): lock file maintenance minor/patch updates (@renovate[bot])
#6237: chore(deps): lock file maintenance (@renovate[bot])
#6239: fix(deps): lock file maintenance minor/patch updates (@renovate[bot], @lukastaegert)
#6240: Sort manual chunks by module execution order (@TrickyPi)

`v4.55.1`

Compare Source

2026-01-05

Bug Fixes

Fix artifact reference for OpenBSD (#6231)

Pull Requests

#6231: Fix OpenBSD artifacts and ensure OIDC is working (@lukastaegert)

rolldown/tsdown (tsdown)

`v0.20.0`

🚨 Breaking Changes

Upgrade dts plugin, remove dts.resolve option - by @sxzz (16655)

🚀 Features

Add option to disable legacy CJS warning - by @sxzz (9fada)
Apply inlineOnly option for dts files - by @sxzz (7d89d)
Upgrade rolldown to 1.0.0-beta.60 - by @sxzz (bb3ee)
Upgrade rolldown to rc 1 - by @sxzz (1959f)
entry: Support mixed array and object entries - by @sxzz (a8083)

🐞 Bug Fixes

Optional parseEnv - by @sxzz (be1b6)
Reload config on restart - by @sxzz (1756b)
Config extensions typo - by @aryaemami59 in #722 (d2bb7)
windows: Normalize path separators in build output - by @ryuapp in #719 (c4525)

🏎 Performance

Native filter for external plugin - by @sxzz (8764e)

View changes on GitHub

`v0.19.0`

Compare Source

🚨 Breaking Changes

Rename debugLogs to debug - by @sxzz (bb4e7)
Remove deprecated silent option - by @sxzz (59015)
devtools:
- Rename debug to devtools, rename debug.devtools to devtools.ui - by @sxzz (63e6f)
exports:
- Add legacy option, remove main & module fields if pure ESM - by @sxzz (16841)
- Exclude extension name for exports.exclude - by @sxzz (53d38)
- Only auto-fill types when exports.legacy - by @lishaduck and @sxzz in #685 (7be6b)

🚀 Features

Add typeAssert util back - by @sxzz (1d385)
Generate CSS exports when css.splitting is disabled - by @jinghaihan and @sxzz in #680 (b737c)
Upgrade rolldown to 1.0.0-beta.58 - by @sxzz (48036)
Expose enableDebug - by @sxzz (2d922)
Expose resolveUserConfig - by @sxzz (c9acb)
Upgrade rolldown to 1.0.0-beta.59 - by @sxzz (d564f)
Clear console on rebuild start - by @sxzz (78efd)
migrate: Add monorepo support - by @lauigi and @sxzz in #659 (efba2)

🐞 Bug Fixes

Print blank line only when the log level is info - by @tomgao365 in #689 (96d82)
attw: Add --ignore-scripts to avoid lifecycle output - by @Doctor-wu in #661 (1c8b1)
cjs: Update version check for require ESM support - by @sxzz (beeff)

🏎 Performance

Optimize hot paths - by @sxzz (7925d)

View changes on GitHub

`v0.18.4`

Compare Source

🚀 Features

Export mergeConfig - by @sxzz (ccd17)
Warn deprecated removeNodeProtocol - by @sxzz (90cd6)
css: Add CSS code splitting support - by @jinghaihan and @sxzz in #654 (0525f)
entry: Support multiple patterns with same base - by @sxzz (cee1b)
exports: Add packageJson option - by @sxzz (6d220)

View changes on GitHub

`v0.18.3`

Compare Source

🚀 Features

Upgrade rolldown to 1.0.0-beta.57 - by @sxzz (525c0)
Add envFile & envPrefix option - by @toto6038 and @sxzz in #664 (d5493)
attw: Add ignoreRules option to filter specified rule - by @zyyv and Copilot in #665 (450b0)

🐞 Bug Fixes

Inline PackageJson type - by @sxzz (dfc43)

View changes on GitHub

vitejs/vite (vite)

`v7.3.1`

Compare Source

Please refer to CHANGELOG.md for details.

vitest-dev/vitest (vitest)

`v4.0.17`

Compare Source

🚀 Features

Support openTelemetry for browser mode - by @hi-ogawa in #9180 (1ec3a)
Support TRACEPARENT and TRACESTATE environment variables for OpenTelemetry context propagation - by @Copilot, hi-ogawa and @hi-ogawa in #9295 (876cb)

🐞 Bug Fixes

Improve asymmetric matcher diff readability by unwrapping container matchers - by @Copilot, sheremet-va, hi-ogawa and @hi-ogawa in #9330 (b2ec7)
Improve runner error when importing outside of test context - by @sheremet-va in #9335 (2dd3d)
Replace crypto.randomUUID to allow insecure environments (fix #9… - by @plusgut in #9339 and #9 (e6a3f)
Handle null options in addEventHandler #9371 - by @ThibautMarechal in #9372 and #9371 (40841)
Typo in browser.provider error - by @deammer in #9394 (4b67f)
browser:
- Fix process.env and import.meta.env defines in inline project - by @hi-ogawa in #9239 (b70c9)
- Fix upload File instance - by @hi-ogawa in #9294 (b6778)
- Fix invalid project token for artifacts assets - by @hi-ogawa in #9321 (caa7d)
- Log ErrorEvent.message when unhandled ErrorEvent.error is null - by @hi-ogawa in #9322 (5d84e)
- Support fileParallelism on an instance - by @sheremet-va in #9328 (15006)
coverage:
- Remove unnecessary istanbul-lib-source-maps usage - by @AriPerkkio in #9344 (b0940)
- Apply patch from istanbuljs/istanbuljs#837 - by @AriPerkkio and sapphi-red in #9413 and #837 (e05ce)
fsModuleCache:
- Don't store importers in cache - by @sheremet-va in #9422 (75136)
- Add importers alongside importedModules - by @sheremet-va in #9423 (59f92)
mocker:
- Fix mock transform with class - by @hi-ogawa in #9421 (d390e)
pool:
- Validate environment options when reusing the worker - by @sheremet-va in #9349 (a8a88)
- Handle worker start failures gracefully - by @AriPerkkio in #9337 (200da)
reporter:
- Report test module if it failed to run - by @sheremet-va in #9272 (c7888)
runner:
- Respect nested test.only within describe.only - by @Ujjwaljain16 in #9021 and #9213 (55d5d)
typecheck:
- Improve error message when tsc outputs help text - by @Ujjwaljain16 in #9214 (7b10a)
ui:
- Detect gzip by magic numbers instead of Content-Type header in html reporter - by @Copilot, hi-ogawa and @hi-ogawa in #9278 (dd033)
webdriverio:
- Fall back to WebDriver Classic #9244 - by @JustasMonkev in #9373 and #9244 (c23dd)

View changes on GitHub

vuejs/core (vue)

`v3.5.27`

Compare Source

Bug Fixes

compile-sfc: correctly handle variable shadowing in for loop for defineProps destructuring. (#14296) (6a1bb50), closes #14294
compiler-sfc: handle indexed access types in declare global blocks (#14260) (e4091fe), closes #14236
compiler-sfc: use correct scope when resolving indexed access types from external files (#14297) (f0f0a21), closes #14292
reactivity: collection iteration should inherit iterator instance methods (#12644) (3c8b2fc), closes #12615
runtime-core: skip patching reserved props for custom elements (#14275) (19cc7e2), closes #14274
server-renderer: use ssrRenderClass helper for className attribute (#14327) (a4708f3)
ssr: handle v-bind modifiers during render attrs (#14263) (c2f5964), closes #14262

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

bolt-new-by-stackblitz · 2025-12-29T02:10:15Z

Run & review this pull request in StackBlitz Codeflow.

pkg-pr-new · 2025-12-29T02:10:42Z

Open in StackBlitz

npm i https://pkg.pr.new/unplugin-lightningcss@39

commit: 3c4b791

socket-security · 2026-01-03T09:11:32Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Quality	Maintenance
@typescript/native-preview@7.0.0-dev.20251221.1 ⏵ 7.0.0-dev.20260122.3	⁺¹	⁺¹
vitest@4.0.16 ⏵ 4.0.17		⁺¹	⁺²
@types/node@25.0.3 ⏵ 25.0.10	⁺¹	⁺¹
bumpp@10.3.2 ⏵ 10.4.0	⁺¹		⁺³
vite@7.3.0 ⏵ 7.3.1		⁺¹	^-1
@sxzz/eslint-config@7.4.3 ⏵ 7.5.0	⁺¹
lightningcss@1.30.2 ⏵ 1.31.1	⁺¹	⁺¹
rollup@4.54.0 ⏵ 4.56.0			⁺¹
prettier@3.7.4 ⏵ 3.8.1		⁺¹	⁺¹
vue@3.5.26 ⏵ 3.5.27	⁺¹	⁺¹
tsdown@0.18.2 ⏵ 0.20.0	⁺¹	⁺¹	⁺¹

View full report

socket-security · 2026-01-08T09:55:41Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Obfuscated code: npm `unrun` is 98.0% likely obfuscated Confidence: 0.98 Location: Package overview From: pnpm-lock.yaml → `npm/tsdown@0.20.0` → `npm/unrun@0.2.26` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/unrun@0.2.26`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

renovate bot added the dependencies label Dec 29, 2025

renovate bot force-pushed the renovate/all-minor-patch branch 8 times, most recently from c9dc9b2 to 7e1bbb8 Compare January 3, 2026 09:11

renovate bot force-pushed the renovate/all-minor-patch branch 6 times, most recently from c4e0483 to 558f461 Compare January 8, 2026 09:55

renovate bot force-pushed the renovate/all-minor-patch branch 11 times, most recently from dbc3f9c to 1f5110d Compare January 13, 2026 12:07

renovate bot force-pushed the renovate/all-minor-patch branch 11 times, most recently from 0ca9260 to 3f0ab13 Compare January 20, 2026 05:52

renovate bot changed the title ~~chore(deps): update all non-major dependencies~~ fix(deps): update all non-major dependencies Jan 20, 2026

renovate bot force-pushed the renovate/all-minor-patch branch 7 times, most recently from aca3672 to ecb4aca Compare January 22, 2026 09:24

fix(deps): update all non-major dependencies

3c4b791

renovate bot force-pushed the renovate/all-minor-patch branch from ecb4aca to 3c4b791 Compare January 22, 2026 16:44

renovate bot changed the title ~~fix(deps): update all non-major dependencies~~ fix(deps): update all non-major dependencies - autoclosed Jan 22, 2026

renovate bot closed this Jan 22, 2026

renovate bot deleted the renovate/all-minor-patch branch January 22, 2026 17:44

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(deps): update all non-major dependencies - autoclosed #39

fix(deps): update all non-major dependencies - autoclosed #39

Uh oh!

renovate bot commented Dec 29, 2025 •

edited

Loading

Uh oh!

bolt-new-by-stackblitz bot commented Dec 29, 2025

Uh oh!

pkg-pr-new bot commented Dec 29, 2025 •

edited

Loading

Uh oh!

socket-security bot commented Jan 3, 2026 •

edited

Loading

Uh oh!

socket-security bot commented Jan 8, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

fix(deps): update all non-major dependencies - autoclosed #39

fix(deps): update all non-major dependencies - autoclosed #39

Uh oh!

Conversation

renovate bot commented Dec 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

🚀 Features

Features

Fixes

v10.26.2: pnpm 10.26.2

Patch Changes

Platinum Sponsors

Gold Sponsors

Features

Bug Fixes

Pull Requests

Bug Fixes

Pull Requests

Bug Fixes

Pull Requests

Bug Fixes

Pull Requests

🚨 Breaking Changes

🚀 Features

🐞 Bug Fixes

🏎 Performance

🚨 Breaking Changes

🚀 Features

🐞 Bug Fixes

🏎 Performance

🚀 Features

🚀 Features

🐞 Bug Fixes

🚀 Features

🐞 Bug Fixes

Bug Fixes

Configuration

Uh oh!

bolt-new-by-stackblitz bot commented Dec 29, 2025

Uh oh!

pkg-pr-new bot commented Dec 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security bot commented Jan 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security bot commented Jan 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

renovate bot commented Dec 29, 2025 •

edited

Loading

`v10.26.2`: pnpm 10.26.2

pkg-pr-new bot commented Dec 29, 2025 •

edited

Loading

socket-security bot commented Jan 3, 2026 •

edited

Loading

socket-security bot commented Jan 8, 2026 •

edited

Loading