chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@types/node (source)	^25.0.3 → ^25.2.0
@vitest/coverage-v8 (source)	^4.0.16 → ^4.0.18
eslint-config-unjs	^0.5.0 → ^0.6.2
obuild	^0.4.9 → ^0.4.22
pnpm (source)	10.26.0 → 10.28.2
prettier (source)	^3.7.4 → ^3.8.1
vite (source)	^7.3.0 → ^7.3.1
vitest (source)	^4.0.16 → ^4.0.18

---

Release Notes

vitest-dev/vitest (@​vitest/coverage-v8)

v4.0.18

Compare Source

   🚀 Experimental Features

• experimental: Add onModuleRunner hook to worker.init  -  by @​sheremet-va in #​9286 (ea837)

   🐞 Bug Fixes

• Use meta.url in createRequire  -  by @​sheremet-va in #​9441 (e0572)
• browser: Hide injected data-testid attributes  -  by @​sheremet-va in #​9503 (f8989)
• ui: Process artifact attachments when generating HTML reporter  -  by @​macarie in #​9472 (22543)

    View changes on GitHub

v4.0.17

Compare Source

   🚀 Experimental Features

• Support openTelemetry for browser mode  -  by @​hi-ogawa in #​9180 (1ec3a)
• Support TRACEPARENT and TRACESTATE environment variables for OpenTelemetry context propagation  -  by @​Copilot, hi-ogawa and @​hi-ogawa in #​9295 (876cb)

   🐞 Bug Fixes

• Improve asymmetric matcher diff readability by unwrapping container matchers  -  by @​Copilot, sheremet-va, hi-ogawa and @​hi-ogawa in #​9330 (b2ec7)
• Improve runner error when importing outside of test context  -  by @​sheremet-va in #​9335 (2dd3d)
• Replace crypto.randomUUID to allow insecure environments (fix #​9…  -  by @​plusgut in #​9339 and #​9 (e6a3f)
• Handle null options in addEventHandler #​9371  -  by @​ThibautMarechal in #​9372 and #​9371 (40841)
• Typo in browser.provider error  -  by @​deammer in #​9394 (4b67f)
• browser:
  • Fix process.env and import.meta.env defines in inline project  -  by @​hi-ogawa in #​9239 (b70c9)
  • Fix upload File instance  -  by @​hi-ogawa in #​9294 (b6778)
  • Fix invalid project token for artifacts assets  -  by @​hi-ogawa in #​9321 (caa7d)
  • Log ErrorEvent.message when unhandled ErrorEvent.error is null  -  by @​hi-ogawa in #​9322 (5d84e)
  • Support fileParallelism on an instance  -  by @​sheremet-va in #​9328 (15006)
• coverage:
  • Remove unnecessary istanbul-lib-source-maps usage  -  by @​AriPerkkio in #​9344 (b0940)
  • Apply patch from istanbuljs/istanbuljs#837  -  by @​AriPerkkio and sapphi-red in #​9413 and #​837 (e05ce)
• fsModuleCache:
  • Don't store importers in cache  -  by @​sheremet-va in #​9422 (75136)
  • Add importers alongside importedModules  -  by @​sheremet-va in #​9423 (59f92)
• mocker:
  • Fix mock transform with class  -  by @​hi-ogawa in #​9421 (d390e)
• pool:
  • Validate environment options when reusing the worker  -  by @​sheremet-va in #​9349 (a8a88)
  • Handle worker start failures gracefully  -  by @​AriPerkkio in #​9337 (200da)
• reporter:
  • Report test module if it failed to run  -  by @​sheremet-va in #​9272 (c7888)
• runner:
  • Respect nested test.only within describe.only  -  by @​Ujjwaljain16 in #​9021 and #​9213 (55d5d)
• typecheck:
  • Improve error message when tsc outputs help text  -  by @​Ujjwaljain16 in #​9214 (7b10a)
• ui:
  • Detect gzip by magic numbers instead of Content-Type header in html reporter  -  by @​Copilot, hi-ogawa and @​hi-ogawa in #​9278 (dd033)
• webdriverio:
  • Fall back to WebDriver Classic #​9244  -  by @​JustasMonkev in #​9373 and #​9244 (c23dd)

    View changes on GitHub

unjs/eslint-config (eslint-config-unjs)

v0.6.2

Compare Source

compare changes

🩹 Fixes

• Disable array immutation rules for now (3cde73a)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.6.1

Compare Source

compare changes

💅 Refactors

• Migrate to @eslint/markdown (2f92a53)
• Update default rules (84cdbad)

📦 Build

• Migrate to obuild (8f36bf1)

🏡 Chore

• Update deps (4347a4f)
• Update globals to v17 (4f168b4)
• Update unicorn to 62 (e737dd7)
• release: V0.6.0 (b683294)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.6.0

Compare Source

compare changes

💅 Refactors

• Migrate to @eslint/markdown (2f92a53)

📦 Build

• Migrate to obuild (8f36bf1)

🏡 Chore

• Update deps (4347a4f)
• Update globals to v17 (4f168b4)
• Update unicorn to 62 (e737dd7)

❤️ Contributors

• Pooya Parsa (@​pi0)

unjs/obuild (obuild)

v0.4.22

Compare Source

compare changes

💅 Refactors

• Silent build logs from analyze step (2f7ec85)
• Silent EVAL warns (73668e4)

🏡 Chore

• Lint (7833a45)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.21

Compare Source

compare changes

🔥 Performance

• Default minify to dce-only (823f72f)

🏡 Chore

• Update deps (7f6ca84)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.20

Compare Source

compare changes

🩹 Fixes

• Avoid analyze in stub mode (c840ae9)

💅 Refactors

• Update inlineDynamicImports to codeSplitting (334eab9)
• Multi-column layout for transform items (8df3220)
• Improve cli formatting (e28cbd4)

🏡 Chore

• Update dev deps (f817bff)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.19

Compare Source

compare changes

🏡 Chore

• Update readme (1affa56)
• Update dependencies (f1e82d1)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.18

Compare Source

compare changes

🩹 Fixes

• Add .d suffix to type chunk groups (e55c9f4)

💅 Refactors

• Update rollup to latest (74786e4)

📦 Build

• Always use obuild bin (d92d40b)

🤖 CI

• Setup nightly releases (a74933a)
• Build before nightly release (2144b6e)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.17

Compare Source

compare changes

🩹 Fixes

• Rollback rolldown to 59 (345aadf)
• Rollback rolldown config (070a2f4)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.16

Compare Source

compare changes

💅 Refactors

• rolldown: Use new codeSplitting option (1c68bd9)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.15

Compare Source

compare changes

📦 Build

• Import oxc utils from rolldown/experimental (cf5f16e)

🏡 Chore

• Update oxc to 0.110 (bc7a8f8)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.14

Compare Source

compare changes

🏡 Chore

• Update rolldown to 1.0.0-beta.59 (51bd7d2)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.13

Compare Source

compare changes

🩹 Fixes

• rolldown: Revert includeDependenciesRecursively (7325ddd)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.12

Compare Source

compare changes

🩹 Fixes

• rolldown: Enable includeDependenciesRecursively (6974fb5)
• bundle: Avoid recursion on resolveDeps (2bba5b9)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.11

Compare Source

compare changes

🏡 Chore

• Update deps (34c8198)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.10

Compare Source

compare changes

🏡 Chore

• Update deps (b0d98b8)

pnpm/pnpm (pnpm)

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

• Security fix: prevent path traversal in directories.bin field.

• When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

  This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

  Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

• Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Gold Sponsors

v10.28.1

Compare Source

v10.28.0

Compare Source

v10.27.0

Compare Source

v10.26.2: pnpm 10.26.2

Compare Source

Patch Changes

• Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #​10307.

• Fix installation of Git dependencies using annotated tags #​10335.

  Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out commit hash didn't match the stored tag object hash.

• Binaries of runtime engines (Node.js, Deno, Bun) are written to node_modules/.bin before lifecycle scripts (install, postinstall, prepare) are executed #​10244.

• Try to avoid making network calls with preferOffline #​10334.

Platinum Sponsors

Gold Sponsors

v10.26.1: pnpm 10.26.1

Compare Source

Patch Changes

• Don't fail on pnpm add, when blockExoticSubdeps is set to true #​10324.
• Always resolve git references to full commits and ensure HEAD points to the commit after checkout #​10310.

Platinum Sponsors

Gold Sponsors

prettier/prettier (prettier)

v3.8.1

Compare Source

v3.8.0

Compare Source

diff

🔗 Release note

vitejs/vite (vite)

v7.3.1

Compare Source

Please refer to CHANGELOG.md for details.

---

Configuration

📅 Schedule: Branch creation - "after 2am and before 3am" (UTC), Automerge - "after 1am and before 2am" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.