chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@types/node (source)	^25.0.3 → ^25.2.1
@vitest/coverage-v8 (source)	^4.0.16 → ^4.0.18
esbuild	^0.27.2 → ^0.27.3
eslint-config-unjs	^0.5.0 → ^0.6.2
obuild	^0.4.9 → ^0.4.24
pnpm (source)	10.26.0 → 10.28.2
prettier (source)	^3.7.4 → ^3.8.1
vite (source)	^7.3.0 → ^7.3.1
vitest (source)	^4.0.16 → ^4.0.18

---

Release Notes

vitest-dev/vitest (@​vitest/coverage-v8)

v4.0.18

Compare Source

   🚀 Experimental Features

• experimental: Add onModuleRunner hook to worker.init  -  by @​sheremet-va in #​9286 (ea837)

   🐞 Bug Fixes

• Use meta.url in createRequire  -  by @​sheremet-va in #​9441 (e0572)
• browser: Hide injected data-testid attributes  -  by @​sheremet-va in #​9503 (f8989)
• ui: Process artifact attachments when generating HTML reporter  -  by @​macarie in #​9472 (22543)

    View changes on GitHub

v4.0.17

Compare Source

   🚀 Experimental Features

• Support openTelemetry for browser mode  -  by @​hi-ogawa in #​9180 (1ec3a)
• Support TRACEPARENT and TRACESTATE environment variables for OpenTelemetry context propagation  -  by @​Copilot, hi-ogawa and @​hi-ogawa in #​9295 (876cb)

   🐞 Bug Fixes

• Improve asymmetric matcher diff readability by unwrapping container matchers  -  by @​Copilot, sheremet-va, hi-ogawa and @​hi-ogawa in #​9330 (b2ec7)
• Improve runner error when importing outside of test context  -  by @​sheremet-va in #​9335 (2dd3d)
• Replace crypto.randomUUID to allow insecure environments (fix #​9…  -  by @​plusgut in #​9339 and #​9 (e6a3f)
• Handle null options in addEventHandler #​9371  -  by @​ThibautMarechal in #​9372 and #​9371 (40841)
• Typo in browser.provider error  -  by @​deammer in #​9394 (4b67f)
• browser:
  • Fix process.env and import.meta.env defines in inline project  -  by @​hi-ogawa in #​9239 (b70c9)
  • Fix upload File instance  -  by @​hi-ogawa in #​9294 (b6778)
  • Fix invalid project token for artifacts assets  -  by @​hi-ogawa in #​9321 (caa7d)
  • Log ErrorEvent.message when unhandled ErrorEvent.error is null  -  by @​hi-ogawa in #​9322 (5d84e)
  • Support fileParallelism on an instance  -  by @​sheremet-va in #​9328 (15006)
• coverage:
  • Remove unnecessary istanbul-lib-source-maps usage  -  by @​AriPerkkio in #​9344 (b0940)
  • Apply patch from istanbuljs/istanbuljs#837  -  by @​AriPerkkio and sapphi-red in #​9413 and #​837 (e05ce)
• fsModuleCache:
  • Don't store importers in cache  -  by @​sheremet-va in #​9422 (75136)
  • Add importers alongside importedModules  -  by @​sheremet-va in #​9423 (59f92)
• mocker:
  • Fix mock transform with class  -  by @​hi-ogawa in #​9421 (d390e)
• pool:
  • Validate environment options when reusing the worker  -  by @​sheremet-va in #​9349 (a8a88)
  • Handle worker start failures gracefully  -  by @​AriPerkkio in #​9337 (200da)
• reporter:
  • Report test module if it failed to run  -  by @​sheremet-va in #​9272 (c7888)
• runner:
  • Respect nested test.only within describe.only  -  by @​Ujjwaljain16 in #​9021 and #​9213 (55d5d)
• typecheck:
  • Improve error message when tsc outputs help text  -  by @​Ujjwaljain16 in #​9214 (7b10a)
• ui:
  • Detect gzip by magic numbers instead of Content-Type header in html reporter  -  by @​Copilot, hi-ogawa and @​hi-ogawa in #​9278 (dd033)
• webdriverio:
  • Fall back to WebDriver Classic #​9244  -  by @​JustasMonkev in #​9373 and #​9244 (c23dd)

    View changes on GitHub

evanw/esbuild (esbuild)

v0.27.3

Compare Source

• Preserve URL fragments in data URLs (#​4370)

  Consider the following HTML, CSS, and SVG:

  • index.html:

    <!DOCTYPE html>
    <html>
      <head><link rel="stylesheet" href="icons.css"></head>
      <body><div class="triangle"></div></body>
    </html>

  • icons.css:

    .triangle {
      width: 10px;
      height: 10px;
      background: currentColor;
      clip-path: url(./triangle.svg#x);
    }

  • triangle.svg:

    <svg xmlns="http://www.w3.org/2000/svg">
      <defs>
        <clipPath id="x">
          <path d="M0 0H10V10Z"/>
        </clipPath>
      </defs>
    </svg>

  The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

  /* icons.css */
  .triangle {
    width: 10px;
    height: 10px;
    background: currentColor;
    clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
  }

• Parse and print CSS @scope rules (#​4322)

  This release includes dedicated support for parsing @scope rules in CSS. These rules include optional "start" and "end" selector lists. One important consequence of this is that the local/global status of names in selector lists is now respected, which improves the correctness of esbuild's support for CSS modules. Minification of selectors inside @scope rules has also improved slightly.

  Here's an example:

  /* Original code */
  @​scope (:global(.foo)) to (:local(.bar)) {
    .bar {
      color: red;
    }
  }
  
  /* Old output (with --loader=local-css --minify) */
  @​scope (:global(.foo)) to (:local(.bar)){.o{color:red}}
  
  /* New output (with --loader=local-css --minify) */
  @​scope(.foo)to (.o){.o{color:red}}

• Fix a minification bug with lowering of for await (#​4378, #​4385)

  This release fixes a bug where the minifier would incorrectly strip the variable in the automatically-generated catch clause of lowered for await loops. The code that generated the loop previously failed to mark the internal variable references as used.

• Update the Go compiler from v1.25.5 to v1.25.7 (#​4383, #​4388)

  This PR was contributed by @​MikeWillCook.

unjs/eslint-config (eslint-config-unjs)

v0.6.2

Compare Source

compare changes

🩹 Fixes

• Disable array immutation rules for now (3cde73a)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.6.1

Compare Source

compare changes

💅 Refactors

• Migrate to @eslint/markdown (2f92a53)
• Update default rules (84cdbad)

📦 Build

• Migrate to obuild (8f36bf1)

🏡 Chore

• Update deps (4347a4f)
• Update globals to v17 (4f168b4)
• Update unicorn to 62 (e737dd7)
• release: V0.6.0 (b683294)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.6.0

Compare Source

compare changes

💅 Refactors

• Migrate to @eslint/markdown (2f92a53)

📦 Build

• Migrate to obuild (8f36bf1)

🏡 Chore

• Update deps (4347a4f)
• Update globals to v17 (4f168b4)
• Update unicorn to 62 (e737dd7)

❤️ Contributors

• Pooya Parsa (@​pi0)

unjs/obuild (obuild)

v0.4.24

Compare Source

compare changes

🩹 Fixes

• Windows compatibility for reading package.json (#​71)

❤️ Contributors

• Yizack Rangel (@​Yizack)

v0.4.23

Compare Source

compare changes

🏡 Chore

• Update rolldown (825b757)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.22

Compare Source

compare changes

💅 Refactors

• Silent build logs from analyze step (2f7ec85)
• Silent EVAL warns (73668e4)

🏡 Chore

• Lint (7833a45)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.21

Compare Source

compare changes

🔥 Performance

• Default minify to dce-only (823f72f)

🏡 Chore

• Update deps (7f6ca84)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.20

Compare Source

compare changes

🩹 Fixes

• Avoid analyze in stub mode (c840ae9)

💅 Refactors

• Update inlineDynamicImports to codeSplitting (334eab9)
• Multi-column layout for transform items (8df3220)
• Improve cli formatting (e28cbd4)

🏡 Chore

• Update dev deps (f817bff)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.19

Compare Source

compare changes

🏡 Chore

• Update readme (1affa56)
• Update dependencies (f1e82d1)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.18

Compare Source

compare changes

🩹 Fixes

• Add .d suffix to type chunk groups (e55c9f4)

💅 Refactors

• Update rollup to latest (74786e4)

📦 Build

• Always use obuild bin (d92d40b)

🤖 CI

• Setup nightly releases (a74933a)
• Build before nightly release (2144b6e)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.17

Compare Source

compare changes

🩹 Fixes

• Rollback rolldown to 59 (345aadf)
• Rollback rolldown config (070a2f4)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.16

Compare Source

compare changes

💅 Refactors

• rolldown: Use new codeSplitting option (1c68bd9)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.15

Compare Source

compare changes

📦 Build

• Import oxc utils from rolldown/experimental (cf5f16e)

🏡 Chore

• Update oxc to 0.110 (bc7a8f8)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.14

Compare Source

compare changes

🏡 Chore

• Update rolldown to 1.0.0-beta.59 (51bd7d2)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.13

Compare Source

compare changes

🩹 Fixes

• rolldown: Revert includeDependenciesRecursively (7325ddd)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.12

Compare Source

compare changes

🩹 Fixes

• rolldown: Enable includeDependenciesRecursively (6974fb5)
• bundle: Avoid recursion on resolveDeps (2bba5b9)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.11

Compare Source

compare changes

🏡 Chore

• Update deps (34c8198)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.10

Compare Source

compare changes

🏡 Chore

• Update deps (b0d98b8)

pnpm/pnpm (pnpm)

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

• Security fix: prevent path traversal in directories.bin field.

• When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

  This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

  Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

• Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Gold Sponsors

v10.28.1

Compare Source

v10.28.0

Compare Source

v10.27.0

Compare Source

v10.26.2: pnpm 10.26.2

Compare Source

Patch Changes

• Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #​10307.

• Fix installation of Git dependencies using annotated tags #​10335.

  Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out commit hash didn't match the stored tag object hash.

• Binaries of runtime engines (Node.js, Deno, Bun) are written to node_modules/.bin before lifecycle scripts (install, postinstall, prepare) are executed #​10244.

• Try to avoid making network calls with preferOffline #​10334.

Platinum Sponsors

Gold Sponsors

v10.26.1: pnpm 10.26.1

Compare Source

Patch Changes

• Don't fail on pnpm add, when blockExoticSubdeps is set to true #​10324.
• Always resolve git references to full commits and ensure HEAD points to the commit after checkout #​10310.

Platinum Sponsors

Gold Sponsors

prettier/prettier (prettier)

v3.8.1

Compare Source

v3.8.0

Compare Source

diff

🔗 Release note

vitejs/vite (vite)

v7.3.1

Compare Source

Please refer to CHANGELOG.md for details.

---

Configuration

📅 Schedule: Branch creation - "after 2am and before 3am" (UTC), Automerge - "after 1am and before 2am" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.