chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sxzz/eslint-config	^7.2.8 -> ^7.3.0
@sxzz/prettier-config	^2.2.4 -> ^2.2.5
@types/node (source)	^24.10.0 -> ^24.10.1
pnpm (source)	10.20.0 -> 10.23.0
rollup (source)	^4.53.0 -> ^4.53.3
tsdown (source)	^0.16.1 -> ^0.16.6
vite (source)	^7.2.2 -> ^7.2.4
vitest (source)	^4.0.8 -> ^4.0.13

---

Release Notes

sxzz/eslint-config (@​sxzz/eslint-config)

v7.3.0

Compare Source

   🚀 Features

• Add baseline plugin  -  by @​sxzz (e9e51)

    View changes on GitHub

v7.2.10

Compare Source

   🚀 Features

• Sort overrides  -  by @​sxzz (6a452)

    View changes on GitHub

v7.2.9

Compare Source

   🐞 Bug Fixes

• Sort all pnpm workspace fields  -  by @​sxzz (4fed2)

    View changes on GitHub

sxzz/prettier-config (@​sxzz/prettier-config)

v2.2.5

Compare Source

No significant changes

    View changes on GitHub

pnpm/pnpm (pnpm)

v10.23.0: pnpm 10.23

Compare Source

Minor Changes

• Added --lockfile-only option to pnpm list #​10020.

Patch Changes

• pnpm self-update should download pnpm from the configured npm registry #​10205.
• pnpm self-update should always install the non-executable pnpm package (pnpm in the registry) and never the @pnpm/exe package, when installing v11 or newer. We currently cannot ship @pnpm/exe as pkg doesn't work with ESM #​10190.
• Node.js runtime is not added to "dependencies" on pnpm add, if there's a engines.runtime setting declared in package.json #​10209.
• The installation should fail if an optional dependency cannot be installed due to a trust policy check failure #​10208.
• pnpm list and pnpm why now display npm: protocol for aliased packages (e.g., foo npm:[email protected]) #​8660.
• Don't add an extra slash to the Node.js mirror URL #​10204.
• pnpm store prune should not fail if the store contains Node.js packages #​10131.

Platinum Sponsors

Gold Sponsors

v10.22.0: pnpm 10.22

Compare Source

Minor Changes

• Added support for trustPolicyExclude #​10164.

  You can now list one or more specific packages or versions that pnpm should allow to install, even if those packages don't satisfy the trust policy requirement. For example:

  trustPolicy: no-downgrade
  trustPolicyExclude:
    - [email protected]
    - [email protected] || 5.102.1

• Allow to override the engines field on publish by the publishConfig.engines field.

Patch Changes

• Don't crash when two processes of pnpm are hardlinking the contents of a directory to the same destination simultaneously #​10179.

Platinum Sponsors

Gold Sponsors

v10.21.0

Compare Source

rollup/rollup (rollup)

v4.53.3

Compare Source

2025-11-19

Bug Fixes

• Fix an error where too many modules where flagged for having an unused external import (#​6182)
• Fix an error where an assignment was wrongly tree-shaken when mutating it (#​6183)

Pull Requests

• #​6171: Add test-install CI job to test packaging, installation and importing of rollup package (@​antoninkriz, @​lukastaegert)
• #​6174: Re-enable TypeScript test (@​lukastaegert)
• #​6180: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #​6182: Tracing the importers chain for exported variables in external module (@​TrickyPi, @​lukastaegert)
• #​6183: Check if left side is included when checking if assigning to an assignment has side effects (@​lukastaegert)

v4.53.2

Compare Source

2025-11-10

Bug Fixes

• Do not throw when using invalid escape sequences in template literals (#​6177)

Pull Requests

• #​6177: handle TemplateElement with null cooked value (@​TrickyPi)

v4.53.1

Compare Source

2025-11-07

Bug Fixes

• Fix install script (#​6172)

Pull Requests

• #​6172: fix: move patch-package from postinstall to prepare script (@​mshima)

rolldown/tsdown (tsdown)

v0.16.6

Compare Source

   🚀 Features

• Upgrade rolldown to beta 51  -  by @​sxzz (f502b)

    View changes on GitHub

v0.16.5

Compare Source

   🚀 Features

• create-tsdown: Add react-compiler template  -  by @​elecmonkey and @​sxzz in #​604 (45229)

   🐞 Bug Fixes

• exports: Use correct indentation for output  -  by @​msigwart and @​sxzz in #​599 (4de70)

    View changes on GitHub

v0.16.4

Compare Source

   🚀 Features

• Upgrade rolldown to 1.0.0-beta.50  -  by @​sxzz (597d9)

    View changes on GitHub

v0.16.3

Compare Source

   🏎 Performance

• Replace debug with obug  -  by @​sxzz (222e9)

    View changes on GitHub

v0.16.2

Compare Source

   🚀 Features

• Upgrade rolldown to v1.0.0-beta.49  -  by @​sxzz (48181)
• entry: Auto enable glob, support infer entry extension  -  by @​sxzz and jinghaihan (2c525)

    View changes on GitHub

vitejs/vite (vite)

v7.2.4

Compare Source

Bug Fixes

• revert "perf(deps): replace debug with obug (#​21107)" (2d66b7b)

v7.2.3

Compare Source

Bug Fixes

• allow multiple bindCLIShortcuts calls with shortcut merging (#​21103) (5909efd)
• deps: update all non-major dependencies (#​21096) (6a34ac3)
• deps: update all non-major dependencies (#​21128) (4f8171e)

Performance Improvements

• deps: replace debug with obug (#​21107) (acfe939)

Miscellaneous Chores

• deps: update dependency @​rollup/plugin-commonjs to v29 (#​21099) (02ceaec)
• deps: update rolldown-related dependencies (#​21095) (39a0a15)
• deps: update rolldown-related dependencies (#​21127) (5029720)

vitest-dev/vitest (vitest)

v4.0.13

   🐞 Bug Fixes

• types:
  • Don't use type from Vite 7.1  -  by @​sheremet-va in #​9071 (6356b)
  • Don't import node.js dependent types in vitest/browser  -  by @​sheremet-va in #​9068 (332af)

   🏎 Performance

• Avoid fetchModule roundtrip if the module is cached  -  by @​sheremet-va in #​9075 (b27e0)
• experimental: If fsCacheModule is enabled, read from the memory when possible  -  by @​sheremet-va in #​9076 (6b9a1)

    View changes on GitHub

v4.0.12

Compare Source

   🐞 Bug Fixes

• Inherit fsModuleCachePath by default  -  by @​sheremet-va in #​9063 (9a8bc)
• Don't import from @opentelemetry/api in public types  -  by @​sheremet-va in #​9066 (e944a)

    View changes on GitHub

v4.0.11

Compare Source

   🚀 Experimental Features

• api: Add extensible test artifact API  -  by @​macarie in #​8987 (77292)
  • See more at https://vitest.dev/api/advanced/artifacts
• expect: Provide task in MatchState  -  by @​macarie in #​9022 (afd1f)
• experimental: Support OpenTelemetry traces  -  by @​sheremet-va in #​8994 (d6d33)
  • See more at https://vitest.dev/guide/open-telemetry

   🏎 Performance

• experimental: Add file system cache  -  by @​sheremet-va in #​9026 (1b147)
  • See more at https://vitest.dev/config/experimental#experimental-fsmodulecache

    View changes on GitHub

v4.0.10

Compare Source

   🐞 Bug Fixes

• Remove onCancel when worker is terminated  -  by @​sheremet-va in #​9033 (6d7f0)
• browser:
  • Don't scale the iframe if UI is disabled  -  by @​sheremet-va in #​9018 (5406e)
  • Handle dependency stack traces with external source maps. Resolves: #​9003  -  by @​iclectic in #​9016 and #​9003 (57ae5)
• bun:
  • Parsing of stack trace for bun runtime  -  by @​nazarhussain in #​9032 (f3ec6)
• core:
  • Prevent starting new run when cancelling  -  by @​AriPerkkio in #​8991 (eb98d)
• pool:
  • Prevent writing to closed worker  -  by @​AriPerkkio and @​sheremet-va in #​9023 (042c6)
• reporters:
  • Report correct test run duration at the end  -  by @​sheremet-va in #​8969 (bc3a6)
• ui:
  • Use execution time from ws reporter (onFinished)  -  by @​userquin in #​8975 (f56dc)

    View changes on GitHub

v4.0.9

Compare Source

   🚀 Experimental Features

• expect: Add Set support to toBeOneOf  -  by @​tim-we and @​sheremet-va in #​8906 (a415d)

   🐞 Bug Fixes

• browser: Add favicon icons to the browser mode ui  -  by @​userquin in #​8972 (353ee)
• forks: Increase worker start timeout  -  by @​AriPerkkio in #​9027 (5e750)
• jsdom: Cloned request is an instance of Request  -  by @​sheremet-va in #​8985 (506a9)
• ui: Collect file/suite/test duration correctly  -  by @​userquin in #​8976 (8016d)

    View changes on GitHub

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​sxzz/​prettier-config@​2.2.4 ⏵ 2.2.5	+13		+2	+1
	vitest@​4.0.8 ⏵ 4.0.13	-2		-21	-1
	@​types/​node@​24.10.0 ⏵ 24.10.1			+1
	@​sxzz/​eslint-config@​7.2.8 ⏵ 7.3.0	-1			+1
	vite@​7.2.2 ⏵ 7.2.4	+1		+1	+2
	tsdown@​0.16.1 ⏵ 0.16.6	-2		-8	-4
	rollup@​4.53.0 ⏵ 4.53.3	-3			-1

View full report

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/unplugin-ast@107

commit: d2643e3