fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@sxzz/eslint-config	^5.2.0 -> ^5.3.0
@sxzz/prettier-config	^2.2.0 -> ^2.2.1
@types/node (source)	^22.13.9 -> ^22.13.10
ast-kit	^1.4.0 -> ^1.4.2
esbuild	^0.25.0 -> ^0.25.1
eslint (source)	^9.21.0 -> ^9.22.0
pnpm (source)	10.5.2 -> 10.6.2
rollup (source)	^4.34.9 -> ^4.35.0
tsdown	^0.6.3 -> ^0.6.4
unplugin-oxc	^0.2.6 -> ^0.2.7
unplugin-replace	^0.5.0 -> ^0.5.1
vite (source)	^6.2.0 -> ^6.2.1
vitest (source)	^3.0.7 -> ^3.0.8

---

Release Notes

sxzz/eslint-config (@​sxzz/eslint-config)

v5.3.0

Compare Source

   🚀 Features

• Deprecate vue 2 support  -  by @​sxzz (e3906)
• Sort pnpm workspace  -  by @​sxzz (7da97)

    View changes on GitHub

evanw/esbuild (esbuild)

v0.25.1

Compare Source

• Fix incorrect paths in inline source maps (#​4070, #​4075, #​4105)

  This fixes a regression from version 0.25.0 where esbuild didn't correctly resolve relative paths contained within source maps in inline sourceMappingURL data URLs. The paths were incorrectly being passed through as-is instead of being resolved relative to the source file containing the sourceMappingURL comment, which was due to the data URL not being a file URL. This regression has been fixed, and this case now has test coverage.

• Fix invalid generated source maps (#​4080, #​4082, #​4104, #​4107)

  This release fixes a regression from version 0.24.1 that could cause esbuild to generate invalid source maps. Specifically under certain conditions, esbuild could generate a mapping with an out-of-bounds source index. It was introduced by code that attempted to improve esbuild's handling of "null" entries in source maps (i.e. mappings with a generated position but no original position). This regression has been fixed.

  This fix was contributed by @​jridgewell.

• Fix a regression with non-file source map paths (#​4078)

  The format of paths in source maps that aren't in the file namespace was unintentionally changed in version 0.25.0. Path namespaces is an esbuild-specific concept that is optionally available for plugins to use to distinguish paths from file paths and from paths meant for other plugins. Previously the namespace was prepended to the path joined with a : character, but version 0.25.0 unintentionally failed to prepend the namespace. The previous behavior has been restored.

• Fix a crash with switch optimization (#​4088)

  The new code in the previous release to optimize dead code in switch statements accidentally introduced a crash in the edge case where one or more switch case values include a function expression. This is because esbuild now visits the case values first to determine whether any cases are dead code, and then visits the case bodies once the dead code status is known. That triggered some internal asserts that guard against traversing the AST in an unexpected order. This crash has been fixed by changing esbuild to expect the new traversal ordering. Here's an example of affected code:

  switch (x) {
    case '':
      return y.map(z => z.value)
    case y.map(z => z.key).join(','):
      return []
  }

• Update Go from 1.23.5 to 1.23.7 (#​4076, #​4077)

  This should have no effect on existing code as this version change does not change Go's operating system support. It may remove certain reports from vulnerability scanners that detect which version of the Go compiler esbuild uses.

  This PR was contributed by @​MikeWillCook.

eslint/eslint (eslint)

v9.22.0

Compare Source

pnpm/pnpm (pnpm)

v10.6.2

Compare Source

Patch Changes

• pnpm self-update should always update the version in the packageManager field of package.json.
• Fix running pnpm CLI from pnpm CLI on Windows when the CLI is bundled to an executable #​8971.
• pnpm patch-commit will now use the same filesystem as the store directory to compare and create patch files.
• Don't show info output when --loglevel=error is used.
• peerDependencyRules should be set in pnpm-workspace.yaml to take effect.

v10.6.1

Compare Source

Patch Changes

• The pnpm CLI process should not stay hanging, when --silent reporting is used.
• When --loglevel is set to error, don't show installation summary, execution time, and big tarball download progress.
• Don't ignore pnpm.patchedDependencies from package.json #​9226.
• When executing the approve-builds command, if package.json contains onlyBuiltDependencies or ignoredBuiltDependencies, the selected dependency package will continue to be written into package.json.
• When a package version cannot be found in the package metadata, print the registry from which the package was fetched.

v10.6.0

Compare Source

Minor Changes

• pnpm-workspace.yaml can now hold all the settings that .npmrc accepts. The settings should use camelCase #​9211.

  pnpm-workspace.yaml example:

  verifyDepsBeforeRun: install
  optimisticRepeatInstall: true
  publicHoistPattern:
    - "*types*"
    - "!@​types/react"

• Projects using a file: dependency on a local tarball file (i.e. .tgz, .tar.gz, .tar) will see a performance improvement during installation. Previously, using a file: dependency on a tarball caused the lockfile resolution step to always run. The lockfile will now be considered up-to-date if the tarball is unchanged.

Patch Changes

• pnpm self-update should not leave a directory with a broken pnpm installation if the installation fails.
• fast-glob replace with tinyglobby to reduce the size of the pnpm CLI dependencies #​9169.
• pnpm deploy should not remove fields from the deployed package's package.json file #​9215.
• pnpm self-update should not read the pnpm settings from the package.json file in the current working directory.
• Fix pnpm deploy creating a package.json without the imports and license field #​9193.
• pnpm update -i should list only packages that have newer versions #​9206.
• Fix a bug causing entries in the catalogs section of the pnpm-lock.yaml file to be removed when dedupe-peer-dependents=false on a filtered install. #​9112

rollup/rollup (rollup)

v4.35.0

Compare Source

2025-03-08

Features

• Pass build errors to the closeBundle hook (#​5867)

Pull Requests

• #​5852: chore(deps): update dependency eslint-plugin-unicorn to v57 (@​renovate[bot], @​lukastaegert)
• #​5862: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #​5867: feat(5858): make closeBundle hook receive the last error (@​GauBen)
• #​5872: chore(deps): update dependency builtin-modules to v5 (@​renovate[bot])
• #​5873: chore(deps): update uraimo/run-on-arch-action action to v3 (@​renovate[bot])
• #​5874: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])

unplugin/unplugin-oxc (unplugin-oxc)

v0.2.7

Compare Source

   🚀 Features

• Upgrade oxc toolchains  -  by @​sxzz (568df)

    View changes on GitHub

unplugin/unplugin-replace (unplugin-replace)

v0.5.1

Compare Source

   🐞 Bug Fixes

• deps: Update all non-major dependencies  -  in https://github.com/unplugin/unplugin-replace/issues/37 (3efa3)

    View changes on GitHub

vitejs/vite (vite)

v6.2.1

Compare Source

• refactor: remove isBuild check from preAliasPlugin (#​19587) (c9e086d), closes #​19587
• refactor: restore endsWith usage (#​19554) (6113a96), closes #​19554
• refactor: use applyToEnvironment in internal plugins (#​19588) (f678442), closes #​19588
• fix(css): stabilize css module hashes with lightningcss in dev mode (#​19481) (92125b4), closes #​19481
• fix(deps): update all non-major dependencies (#​19555) (f612e0f), closes #​19555
• fix(reporter): fix incorrect bundle size calculation with non-ASCII characters (#​19561) (437c0ed), closes #​19561
• fix(sourcemap): combine sourcemaps with multiple sources without matched source (#​18971) (e3f6ae1), closes #​18971
• fix(ssr): named export should overwrite export all (#​19534) (2fd2fc1), closes #​19534
• feat: add *?url&no-inline type and warning for .json?inline / .json?no-inline (#​19566) (c0d3667), closes #​19566
• test: add glob import test case (#​19516) (aa1d807), closes #​19516
• test: convert config playground to unit tests (#​19568) (c0e68da), closes #​19568
• test: convert resolve-config playground to unit tests (#​19567) (db5fb48), closes #​19567
• perf: flush compile cache after 10s (#​19537) (6c8a5a2), closes #​19537
• chore(css): move environment destructuring after condition check (#​19492) (c9eda23), closes #​19492
• chore(html): remove unnecessary value check (#​19491) (797959f), closes #​19491

vitest-dev/vitest (vitest)

v3.0.8

Compare Source

   🐞 Bug Fixes

• Fix fetch cache multiple writes  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7546 (1a8b4)
• Use browser.isolate instead of config.isolate  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7560 (4b5ed)
• Remove vestigial spy stub, import directly from @vitest/spy  -  by @​mrginglymus in https://github.com/vitest-dev/vitest/issues/7575 (7f7ff)
• Correctly split the argv string  -  by @​btea in https://github.com/vitest-dev/vitest/issues/7533 (4325a)
• browser:
  • Remove @​testing-library/dom from dependencies  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7555 (5387a)
  • Improve source map handling for bundled files  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7534 (e2c57)
  • Print related test file and potential test in unhandled errors  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7564 (fee90)
• runner:
  • Fix beforeEach/All cleanup callback timeout  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7500 (0c292)
  • Fix and simplify Task.suite initialization  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7414 (ca9ff)
• snapshot:
  • Allow inline snapshot calls on same location with same snapshot  -  by @​jycouet and @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7464 (d5cb8)
• vite-node:
  • Fix buildStart on Vite 6  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7480 (c0f47)

    View changes on GitHub

---

Configuration

📅 Schedule: Branch creation - "* 0-3 * * 1" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[socket-security]

New and updated dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@sxzz/eslint-config@5.2.0 ➜ 5.3.0	environment Transitive: eval, filesystem, unsafe	+227	32 MB	sxzz
npm/@types/node@22.13.9 ➜ 22.13.10	None	+1	2.4 MB	types
npm/esbuild@0.25.0 ➜ 0.25.1	None	0	134 kB	esbuild, evanw
npm/eslint@9.21.0 ➜ 9.22.0	Transitive: eval, filesystem, shell, unsafe	+85	6.69 MB
npm/rollup@4.34.9 ➜ 4.35.0	None	+1	2.72 MB	eventualbuddha, lukastaegert, rich_harris, ...2 more
npm/unplugin-oxc@0.2.6 ➜ 0.2.7	Transitive: environment, shell	+3	78.2 kB	sxzz
npm/unplugin-replace@0.5.0 ➜ 0.5.1	None	0	18.5 kB	sxzz
npm/vite@6.2.0 ➜ 6.2.1	Transitive: environment, filesystem	+4	405 kB
npm/vitest@3.0.7 ➜ 3.0.8	Transitive: environment, filesystem, shell, unsafe	+31	2.95 MB	antfu, oreanno, patak, ...1 more

View full report↗︎