Bump the major group across 1 directory with 12 updates

[dependabot]

Bumps the major group with 12 updates in the / directory:

Package	From	To
i18next	25.8.14	26.2.0
i18next-http-backend	3.0.5	4.0.0
@aaroon/workbox-rspack-plugin	0.3.3	1.0.1
@eslint-react/eslint-plugin	3.0.0	5.8.4
@rspack/cli	1.7.7	2.0.4
@rspack/core	1.7.7	2.0.4
@rspack/plugin-react-refresh	1.6.1	2.0.0
jest-junit	16.0.0	17.0.0
lint-staged	16.3.2	17.0.5
marked	17.0.4	18.0.4
sass-loader	16.0.7	17.0.0
svgo-loader	4.0.0	5.0.0

Updates i18next from 25.8.14 to 26.2.0

Release notes

Sourced from i18next's releases.

v26.2.0

• feat(types): new parseInterpolation TypeOption (default true). When set to false in CustomTypeOptions, the type-level extractor stops parsing translation strings for {{variable}} patterns. Required by i18next-icu users — the default extractor mistakes ICU MessageFormat nested-brace plurals like {count, plural, one {{count} row} other {{count} rows}} for an interpolation block and demands a phantom variable name. The flag is type-only; runtime interpolation is governed by InterpolationOptions and is unaffected. Fixes i18next-icu#85.
• fix(types): expose enableSelector on InitOptions so i18next.init({ enableSelector: 'strict' }) typechecks without a module augmentation. The runtime already reads opts?.enableSelector from init options; this lands the matching type declaration next to the other selector-resolution knobs. Accepts false | true | 'optimize' | 'strict'. Thanks @​Faithfinder (#2431)

v26.1.0

• feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

v26.0.10

• feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

v26.0.9

• fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

v26.0.8

• fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

v26.0.7

• fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
• chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
• chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

v26.0.6

Security release — all issues found via an internal audit. GHSA advisory filed after release.

• security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security docs for mitigation guidance (GHSA-TBD)
• security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
• security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
• chore: ignore .env* and *.pem/*.key files in .gitignore

v26.0.5

• fix: cloneInstance().changeLanguage() no longer fails to update language state when the target language is not yet loaded — a race between init()'s deferred load() and the user's changeLanguage() could overwrite isLanguageChangingTo, causing setLngProps to be skipped 2422

v26.0.4

• fix(types): inline formatting options like {{price, currency(EUR)}} are now correctly resolved to their base format type (e.g. number for currency) instead of falling back to string 2378

v26.0.3

• fix(types): addResourceBundle now accepts an optional 6th options parameter ({ silent?: boolean; skipCopy?: boolean }) matching the runtime API 2419

v26.0.2

• fix(types): t("key", {} as TOptions) no longer produces a type error — the context constraint now bypasses strict checking when context is unknown (e.g. from TOptions) 2418

v26.0.1

• fix: Formatter no longer crashes when alwaysFormat is true and no format specifier is present (format is undefined)
• fix: Formatter now returns undefined/null values as-is instead of producing NaN when the value is missing

v26.0.0

This is a major breaking release:

Breaking Changes

... (truncated)

Changelog

Sourced from i18next's changelog.

26.2.0

• feat(types): new parseInterpolation TypeOption (default true). When set to false in CustomTypeOptions, the type-level extractor stops parsing translation strings for {{variable}} patterns. Required by i18next-icu users — the default extractor mistakes ICU MessageFormat nested-brace plurals like {count, plural, one {{count} row} other {{count} rows}} for an interpolation block and demands a phantom variable name. The flag is type-only; runtime interpolation is governed by InterpolationOptions and is unaffected. Fixes i18next-icu#85.
• fix(types): expose enableSelector on InitOptions so i18next.init({ enableSelector: 'strict' }) typechecks without a module augmentation. The runtime already reads opts?.enableSelector from init options; this lands the matching type declaration next to the other selector-resolution knobs. Accepts false | true | 'optimize' | 'strict'. Thanks @​Faithfinder (#2431)

26.1.0

• feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

26.0.10

• feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

26.0.9

• fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

26.0.8

• fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

26.0.7

• fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
• chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
• chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

26.0.6

Security release — all issues found via an internal audit.

• security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security note in the Nesting docs for the full pattern and mitigations
• security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
• security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
• chore: ignore .env* and *.pem/*.key files in .gitignore

26.0.5

• fix: cloneInstance().changeLanguage() no longer fails to update language state when the target language is not yet loaded — a race between init()'s deferred load() and the user's changeLanguage() could overwrite isLanguageChangingTo, causing setLngProps to be skipped 2422

26.0.4

• fix(types): inline formatting options like {{price, currency(EUR)}} are now correctly resolved to their base format type (e.g. number for currency) instead of falling back to string 2378

26.0.3

• fix(types): addResourceBundle now accepts an optional 6th options parameter ({ silent?: boolean; skipCopy?: boolean }) matching the runtime API 2419

26.0.2

... (truncated)

Commits

• 22fb6ad 26.2.0
• b640ac4 feat(types): parseInterpolation flag for ICU-friendly t() typing (i18next-icu...
• 0b9debd changelog: 26.1.1 entry for #2431
• 50509e4 fix(types): expose enableSelector on InitOptions (#2431)
• 80b5402 Enhance Pro Tip in README with i18next-locize-backend plugin link
• 5af0475 26.1.0
• 85c0951 feat: enableSelector: 'strict' — explicit-ns selector mode, no flattened prim...
• 8fec684 docs(types): clarify ExistsFunction note re: narrowing through wrappers
• 61eaf5b 26.0.10
• 47fd92f feat: getFixedT 4th-arg scopeNs decouples selector ns-detection from resoluti...
• Additional commits viewable in compare view

Updates i18next-http-backend from 3.0.5 to 4.0.0

Changelog

Sourced from i18next-http-backend's changelog.

4.0.0

• BREAKING: drop cross-fetch dependency. i18next-http-backend now requires a host-provided fetch. This is available in Node ≥ 18 (stable since Node 21), all modern browsers, Deno, and Bun. For runtimes without native fetch, install a ponyfill yourself and inject it via options.alternateFetch, or stay on v3.x.
• BREAKING: minimum Node version is now 18 (engines.node = ">=18").
• chore: simplified environment detection in lib/request.js — uses globalThis (with global / window fallbacks for legacy embedded runtimes) instead of separate global.* / window.* branches per API. XHR / ActiveXObject are still picked up if the host provides them, but no longer polyfilled.
• chore: declared "sideEffects": false for better tree-shaking by downstream bundlers.
• build: replaced babel + browserify + uglify-js with tsdown (rolldown + oxc). One config produces ESM, CJS, and the IIFE browser bundles. Drops @babel/cli, @babel/core, @babel/preset-env, babel-plugin-add-module-exports, browserify, uglify-js, the fixcjs rewrite hack, and the --ignore cross-fetch browserify flag. Side benefit: minified browser bundle shrinks from ~13 KB to ~6.8 KB (oxc minifier + no babel runtime helpers).
• build: ESM and CJS outputs are now bundled into a single index.js per format (previously one file per lib/*.js module). The package's exports map is unchanged, so this is invisible to consumers using documented entry points.
• lint: replaced eslint-config-standard (+ five plugins) with neostandard and migrated to ESLint 9 flat config (eslint.config.mjs). Removed deprecated tslint and dtslint — test:typescript now runs tsc --noEmit plus tsd.
• chore: tightened .npmignore — published tarball no longer includes the source lib/, the build configs (tsdown.config.ts, eslint.config.mjs, tsconfig.json), or the root index.js re-export shim. Drops from 21.3 KB → ~17 KB packed.
• docs: alternateFetch is now documented in the README options block as the supported escape hatch for fetch ponyfills, test mocking, and request interception. v4 migration note added to "Getting started".

3.0.6

• fix: allow forward slashes in ns values so nested namespace names (mapping to URL layouts such as /locales/en/a/b.json) fetch correctly again. 3.0.5's security fix applied the same strict URL-segment check to both lng and ns, which was correct for lng (no BCP-47 shape contains /) but over-strict for ns — nested namespaces containing / were never officially supported, but the behaviour fell out of the implicit string-substitution semantics of loadPath and is common enough in the wild to be worth accommodating. isSafeUrlSegment is now split into isSafeLangUrlSegment (strict — still rejects /) and isSafeNsUrlSegment (loose — allows / but still rejects .., \, URL-structure characters, control chars, prototype keys, and oversized inputs). isSafeUrlSegment is kept as a backwards-compatible alias for the strict check. The 3.0.5 security fix remains in force for every concrete attack pattern from the original advisory.

Commits

• a4d4a83 4.0.0
• fdf4f98 feat!: v4 — drop cross-fetch, switch build to tsdown, lint to neostandard
• d8dafd8 docs: clarify that nested-ns with slashes was never officially supported
• e534a62 build
• ddf1048 3.0.6
• d73cfdc fix: allow forward slashes in ns values
• 9abbdee Bump i18next-http-backend from 1.4.0 to 3.0.5 in /example/i18next-vue (#184)
• b4ca8bb Bump i18next-http-backend from 3.0.1 to 3.0.5 in /example/fallback (#183)
• dffddd4 Bump i18next-http-backend from 3.0.2 to 3.0.5 in /example/next (#182)
• fd29b40 Bump i18next-http-backend from 1.3.2 to 3.0.5 in /example/vue (#181)
• Additional commits viewable in compare view

Updates @aaroon/workbox-rspack-plugin from 0.3.3 to 1.0.1

Changelog

Sourced from @​aaroon/workbox-rspack-plugin's changelog.

1.0.1 (2026-05-23)

Bug Fixes

• fix CJS config loading regressions (16a6f181)
• add stripAnsi utility for error message formatting in tests (0c28760c)

1.0.0 (2026-05-15)

Features

• support rspack v2 and refresh compatibility tests (856c47b1)

Chores

• update rspack to v2, update all devDependencies, and update eslint config (0df48059)

  BREAKING CHANGE

  • Dropped support for rspack v0.x. Please update to rspack v1 or later.
  • Dropped support for Node.js v16. Please update to Node.js v18 or later.

• use OIDC in GitHub Actions workflow for package publishing (6c861510)

Commits

• See full diff in compare view

Updates @eslint-react/eslint-plugin from 3.0.0 to 5.8.4

Release notes

Sourced from @​eslint-react/eslint-plugin's releases.

v5.8.4 (2026-05-22)

What's Changed

📝 Documentation

• Website: Restructured the FAQ page from an accordion layout to standard headings for better SEO, accessibility, and direct anchor linking.
• Website: Replaced the homepage Hint popover with a direct link to the FAQ anchor explaining the project's human/LLM collaboration policy.
• Added a new "What does 90% human-written mean?" section to the FAQ.
• Updated documentation for isClassComponent and JsxConfig.
• Removed outdated documentation files.

🏗️ Internal

• core: Simplified isClassComponent by removing the context parameter and replacing isClassComponentLoose with the simplified function.
• eslint-plugin-react-x: Removed unnecessary optional chaining across multiple rules (immutability, no-unused-state, purity, refs, set-state-in-effect, static-components, use-memo, etc.) and expanded test coverage for edge cases (#1792).
• Added automated GitHub Release workflow and fixed actions/setup-node cache parameter error.
• Added null-safety boundary tests for rules affected by PR #1792 (#1794).
• Bumped dependencies across workspace packages: @takumi-rs/image-response to 1.2.1, fumadocs-mdx to 15.0.6, import-integrity-lint to 1.1.1, preact to 10.29.2, tsx to 4.22.1, @typescript-eslint to ^8.59.4, @types/node to ^25.9.0, dompurify to ^3.4.5, pnpm to 11.1.3, textlint to 15.7.1, and dprint TypeScript plugin to 0.96.1.
• Cleaned up stray empty string in tsl.config.ts.
• Cleaned up type and lint errors across the workspace (#1793).
• Downgraded TypeScript override in pnpm-workspace.yaml from ^6.0.3 to 5.9.3.
• Fixed zizmor security audit findings in release workflow and moved ignore comments inline, removing .github/zizmor.yml.
• Removed scripts/verify-lockfile.ts, scripts/verify-devtools.ts, and all references to them.
• Reordered handler functions in react-jsx/no-children-prop (no logic change).
• Updated baseline metrics and compacted tsconfig.

Full Changelog: Rel1cx/eslint-react@v5.8.3...v5.8.4

Attestation

https://github.com/Rel1cx/eslint-react/attestations/28384702

v5.8.4-beta.5 (2026-05-22)

What's Changed

🏗️ Internal

• Bumped @typescript-eslint packages from ^8.59.3 to ^8.59.4.
• Bumped @types/node from ^25.8.0 to ^25.9.0.
• Bumped dompurify from ^3.4.3 to ^3.4.5.
• Bumped pnpm from 11.1.2 to 11.1.3.
• Removed scripts/verify-lockfile.ts and all references to it.

Full Changelog: Rel1cx/eslint-react@v5.8.4-beta.4...v5.8.4-beta.5

Attestation

... (truncated)

Changelog

Sourced from @​eslint-react/eslint-plugin's changelog.

v5.8.4 (2026-05-22)

📝 Documentation

• Website: Restructured the FAQ page from an accordion layout to standard headings for better SEO, accessibility, and direct anchor linking.
• Website: Replaced the homepage Hint popover with a direct link to the FAQ anchor explaining the project's human/LLM collaboration policy.
• Added a new "What does 90% human-written mean?" section to the FAQ.
• Updated documentation for isClassComponent and JsxConfig.
• Removed outdated documentation files.

🏗️ Internal

• core: Simplified isClassComponent by removing the context parameter and replacing isClassComponentLoose with the simplified function.
• eslint-plugin-react-x: Removed unnecessary optional chaining across multiple rules (immutability, no-unused-state, purity, refs, set-state-in-effect, static-components, use-memo, etc.) and expanded test coverage for edge cases (#1792).
• Added automated GitHub Release workflow and fixed actions/setup-node cache parameter error.
• Added null-safety boundary tests for rules affected by PR #1792 (#1794).
• Bumped dependencies across workspace packages: @takumi-rs/image-response to 1.2.1, fumadocs-mdx to 15.0.6, import-integrity-lint to 1.1.1, preact to 10.29.2, tsx to 4.22.1, @typescript-eslint to ^8.59.4, @types/node to ^25.9.0, dompurify to ^3.4.5, pnpm to 11.1.3, textlint to 15.7.1, and dprint TypeScript plugin to 0.96.1.
• Cleaned up stray empty string in tsl.config.ts.
• Cleaned up type and lint errors across the workspace (#1793).
• Downgraded TypeScript override in pnpm-workspace.yaml from ^6.0.3 to 5.9.3.
• Fixed zizmor security audit findings in release workflow and moved ignore comments inline, removing .github/zizmor.yml.
• Removed scripts/verify-lockfile.ts, scripts/verify-devtools.ts, and all references to them.
• Reordered handler functions in react-jsx/no-children-prop (no logic change).
• Updated baseline metrics and compacted tsconfig.

Full Changelog: Rel1cx/eslint-react@v5.8.3...v5.8.4

v5.8.3 (2026-05-20)

🐞 Fixes

• react-dom/no-unknown-property: Added React 19 precedence and blocking attributes to the known property allowlist with version-gated tag checks, preventing false positives on <style>, <link>, and <script> elements (#1789, #1790).

Full Changelog: Rel1cx/eslint-react@v5.8.2...v5.8.3

v5.8.2 (2026-05-20)

📝 Documentation

• Added React 19 use hook guidance to error-boundaries, rules-of-hooks, and no-use-context docs.
• Added migration examples and corrected rule descriptions for class-component-related rules.
• Improved eslint-plugin-react-x rule documentation with scenario-based examples, Troubleshooting sections, and Further Reading links across 48 rule docs (#1786).
• Removed inline ESLint error annotations (^^^) from documentation examples for better readability (#1785).
• Updated migration guide for eslint-plugin-react with additional details.

🏗️ Internal

• Set up textlint and fixed inappropriate wording in documentation (#1787).
• Bumped dependencies across workspace packages (#1788).
• Updated pnpm-lock.yaml: bumped nx to 22.7.2 and brace-expansion to 5.0.5.

... (truncated)

Commits

• 39f2a0f release: 5.8.4
• f7fa04e release: 5.8.4-beta.5
• dbbd329 release: 5.8.4-beta.4
• e3d9585 release: 5.8.4-beta.3
• 1bae3a5 Link 90% human-written claim to FAQ
• 4b70b17 release: 5.8.4-beta.2
• 1d1fa4b release: 5.8.4-next.2
• ad39513 release: 5.8.4-beta.1
• b60987f release: 5.8.4-next.1
• 203f9c2 refactor: cleanup type and lint errors (#1793)
• Additional commits viewable in compare view

Updates @rspack/cli from 1.7.7 to 2.0.4

Release notes

Sourced from @​rspack/cli's releases.

v2.0.4

Highlights 💡

• Inline const with module declarations (#14032): Previously, Rspack only inlined constant exports from leaf modules in the module graph. Now constant exports from any module can be inlined, even when that module also imports or re-exports other modules. In rare circular-reference cases this can make a TDZ error disappear, but we do not expect real projects to rely on TDZ errors, so Rspack prioritizes the optimization.

  // constants.js
  import './setup';
  export const ENABLE_EXPERIMENT = false;
  // entry.js
  import { ENABLE_EXPERIMENT } from './constants';
  if (ENABLE_EXPERIMENT) {
  runExperiment();
  }
  // Before: constants.js is not a leaf module, so the branch could keep
  // reading the imported binding.
  if (ENABLE_EXPERIMENT) {
  runExperiment();
  }
  // Now: the constant can still be inlined, so dead branches are easier
  // to remove.
  if (false) {
  runExperiment();
  }

• Tree shake namespace default reexport (#13980): Previously, the import * as a from './a'; export default a; pattern did not tree-shake a through the default export. Now Rspack further analyzes the default-exported namespace object and can remove unused exports from the original namespace module.

  // a.js
  export function used() {}
  export function unused() {}
  // bridge.js
  import * as a from './a';
  export default a;
  // app.js
  import a from './bridge';
  a.used();
  // Before: both used and unused could be kept in the bundle.
  // Now: unused can be tree-shaken.

... (truncated)

Commits

• 744af1e chore: release v2.0.4
• c9e86b8 perf(cli): lazy load json stream helpers (#14079)
• c0db17f docs(cli): update cli option descriptions (#14071)
• 361ecde fix(cli): remove process title startup overhead (#14061)
• 9a2ef24 chore(deps): update patch npm dependencies (#14055)
• 3c6700c fix(cli): write logger trace output to file by default (#14022)
• dfcccd6 chore: release version 2.0.3 (#14015)
• ed2742a chore: enable tsgo for dts generation (#13952)
• 3998196 chore(deps): update patch npm dependencies (#13959)
• 45e3a8a chore: enable Rslint for more packages and fix lint issues (#13934)
• Additional commits viewable in compare view

Updates @rspack/core from 1.7.7 to 2.0.4

Release notes

Sourced from @​rspack/core's releases.

v2.0.4

Highlights 💡

• Inline const with module declarations (#14032): Previously, Rspack only inlined constant exports from leaf modules in the module graph. Now constant exports from any module can be inlined, even when that module also imports or re-exports other modules. In rare circular-reference cases this can make a TDZ error disappear, but we do not expect real projects to rely on TDZ errors, so Rspack prioritizes the optimization.

  // constants.js
  import './setup';
  export const ENABLE_EXPERIMENT = false;
  // entry.js
  import { ENABLE_EXPERIMENT } from './constants';
  if (ENABLE_EXPERIMENT) {
  runExperiment();
  }
  // Before: constants.js is not a leaf module, so the branch could keep
  // reading the imported binding.
  if (ENABLE_EXPERIMENT) {
  runExperiment();
  }
  // Now: the constant can still be inlined, so dead branches are easier
  // to remove.
  if (false) {
  runExperiment();
  }

• Tree shake namespace default reexport (#13980): Previously, the import * as a from './a'; export default a; pattern did not tree-shake a through the default export. Now Rspack further analyzes the default-exported namespace object and can remove unused exports from the original namespace module.

  // a.js
  export function used() {}
  export function unused() {}
  // bridge.js
  import * as a from './a';
  export default a;
  // app.js
  import a from './bridge';
  a.used();
  // Before: both used and unused could be kept in the bundle.
  // Now: unused can be tree-shaken.

... (truncated)

Commits

• 744af1e chore: release v2.0.4
• eb7ba47 fix: keep buildHttp imports bundled for node target (#14086)
• 9ceba09 feat: circular modules info plugin (#14031)
• c7353bc feat(css): support CSS module local ident options (#14009)
• 9a2ef24 chore(deps): update patch npm dependencies (#14055)
• f5cdf19 feat(css): add support for css/global module type (#13988)
• 3c6700c fix(cli): write logger trace output to file by default (#14022)
• dfcccd6 chore: release version 2.0.3 (#14015)
• 625d729 feat: support import.meta.rspackRsc (#13840)
• eae2abd feat(externals): add modern-module externals type (#13861)
• Additional commits viewable in compare view

Updates @rspack/plugin-react-refresh from 1.6.1 to 2.0.0

Release notes

Sourced from @​rspack/plugin-react-refresh's releases.

v2.0.0

Upgrade Guide

Pure ESM package

@rspack/plugin-react-refresh is now pure ESM (the same as Rspack 2.0).

Default export removed

The plugin now provides a named export only.

- import ReactRefreshRspackPlugin from '@rspack/plugin-react-refresh';
+ import { ReactRefreshRspackPlugin } from '@rspack/plugin-react-refresh';

overlay option removed

The overlay option has been removed. Rspack dev server and Rsbuild dev server already provide built-in error overlays, so this package no longer ships its own overlay integration.

Default option changes

The default extension filter has moved from include to test.

Before:

• test: undefined
• include: /\.([cm]js|[jt]sx?|flow)$/i

Now:

• test: /\.(?:js|jsx|mjs|cjs|ts|tsx|mts|cts)$/
• include: undefined

This makes custom include safer: when include points to a directory, the plugin still only applies to supported JS/TS module extensions by default.

What's Changed

Breaking Changes

• feat!: remove overlay support by @​chenjiahan in rstackjs/rspack-plugin-react-refresh#89
• feat!: update default include regex by @​chenjiahan in rstackjs/rspack-plugin-react-refresh#99
• refactor!: remove CommonJS and default export entrypoints by @​chenjiahan in rstackjs/rspack-plugin-react-refresh#90
• fix!: preserve default extension filter when include is customized by @​chenjiahan in rstackjs/rspack-plugin-react-refresh#100

Others

• refactor: migrate package runtime to ESM by @​chenjiahan in rstackjs/rspack-plugin-react-refresh#91

... (truncated)

Commits

• dd69f3d release: v2.0.0 (#104)
• 9a4036e Revert "fix: restore @​rspack/core ^1.0.0 peer range (#102)" (#103)
• 3289eec fix: restore @​rspack/core ^1.0.0 peer range (#102)
• 53020b5 release: 2.0.0-beta.0 (#101)
• 3802d58 fix!: preserve default extension filter when include is customized (#100)
• 1f5a44a feat!: update default include regex (#99)
• f088f5c refactor: modernize react refresh runtime helpers (#98)
• 6815c62 chore: update references from webpack to Rspack (#97)
• c22c6f3 feat: add optional peer dependency for @​rspack/core (#96)
• 35286d0 fix: remove deprecated static method for runtime paths (#95)
• Additional commits viewable in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates jest-junit from 16.0.0 to 17.0.0

Release notes

Sourced from jest-junit's releases.

v17.0.0

Upgrade uuid package to latest - jest-community/jest-junit#284

Commits

• 20d8f14 v17.0.0
• c91dd20 Merge pull request #284 from palmerj3/upgrade-uuid-14
• 8ff39ee Upgrade uuid to 14.0.0
• e866b5f Add CODEOWNERS
• 33a5a8b Merge pull request #278 from jest-community/update-ci-versions
• f33e1f2 Update to Jest 30.2.0 and regenerate snapshots
• 81c9775 NPM audit fix
• 50e2666 Convert from yarn to npm
• b4a7e14 Add snapshot update command to CLAUDE.md
• b56a503 Simplify CI to test only Jest 30.x
• Additional commits viewable in compare view

Updates lint-staged from 16.3.2 to 17.0.5

Release notes

Sourced from lint-staged's releases.

v17.0.5

Patch Changes

• #1792 1f67271 - Correctly set the --max-arg-length default value based on the running platform. This controls how very long lists of staged files are split into multiple chunks.

v17.0.4

Patch Changes

• #1788 f95c1f8 - Another fix for making sure lint-staged adds task modifications correctly to the commit in the following cases:

  • after editing <file> it is staged with git add <file>, and then committed with git commit
  • after editing <file> it is committed with git commit --all without explicit git add
  • after editing <file> it is committed with git commit <pathspec> without explicit git add

  There's new test cases which actually setup the Git pre_commit hook to run lint-staged and verify them. These issues started in v17.0.0 when trying to improve support for committig without having explicitly staged files.

v17.0.3

Patch Changes

• #1782 06813f9 Thanks @​iiroj! - Fix lint-staged behavior when implicitly committing files without using git add by either:
  • git commit -am "my commit message" where -a (--all) means to automatically stage all tracked modified and deleted files
  • git commit -m "my commit message" . where . is an example of a pathspec where matching files will be staged

v17.0.2

Patch Changes

• #1779 88670ca Thanks @​iiroj! - Enable immutable GitHub releases

v17.0.1

Patch Changes

• #1776 4a5664b Thanks @​iiroj! - Adjust GitHub Actions workflow so that automatic publishing works with signed commits.

v17.0.0

Major Changes

• #1745 e244adf Thanks @​iiroj! - Node.js v20 is no longer supported, and the oldest supported version is now 22.22.1, which is an active LTS version at ...

  Description has been truncated