fix(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/vite-plugin (source)	^1.30.0 → ^1.30.2
@rolldown/pluginutils (source)	1.0.0-rc.10 → 1.0.0-rc.12
oxfmt (source)	^0.41.0 → ^0.42.0
pnpm (source)	10.32.1 → 10.33.0
react-router (source)	7.13.1 → 7.13.2
rolldown (source)	1.0.0-rc.10 → 1.0.0-rc.12
srvx (source)	^0.11.12 → ^0.11.13
tsdown (source)	^0.21.4 → ^0.21.7
typescript-eslint (source)	^8.57.1 → ^8.58.0
vite (source)	^8.0.1 → ^8.0.3
vitest (source)	^4.1.0 → ^4.1.2
wrangler (source)	^4.76.0 → ^4.78.0

---

Release Notes

cloudflare/workers-sdk (@​cloudflare/vite-plugin)

v1.30.2

Compare Source

Patch Changes

• #​12953 80b093e Thanks @​jamesopstad! - Fix Cannot perform I/O on behalf of a different request errors for deferred dynamic imports

  Concurrent requests that loaded the same dynamic import were previously sharing the same promise to resolve it in a Worker context. We now ensure that all imports execute within a Durable Object's IoContext before the result is returned to the Worker.

• Updated dependencies [eeaa473, 9fcdfca, bc24ec8, 1faff35, 0b4c21a, 535582d, 992f9a3, f4ea4ac, 91b7f73, f6cdab2, 53ed15a, ce65246, 7a5be20, 6b50bfa, 0386553, 9c5ebf5, 53ed15a, 53ed15a]:

  • wrangler@​4.78.0
  • miniflare@​4.20260317.3

v1.30.1

Compare Source

Patch Changes

• #​12851 86a40f0 Thanks @​jamesopstad! - Fix a bug that prevented using subpath imports for additional module types

  You can now use subpath imports for additional module types (.html, .txt, .sql, .bin, .wasm) by defining them in your package.json imports field:

  // package.json
  {
    "imports": {
      "#templates/page": "./src/templates/page.html"
    }
  }

  import page from "#templates/page";
  
  export default {
    fetch() {
      return new Response(page, {
        headers: { "Content-Type": "text/html" },
      });
    },
  } satisfies ExportedHandler;

• Updated dependencies [593c4db, b8f3309, 451dae3, 5aaaab2, 5aaaab2, f8516dd, 9c9fe30, 379f2a2, c2e9163, 6a6449e, 9a1cf29, 875da60]:

  • wrangler@​4.77.0
  • miniflare@​4.20260317.2

rolldown/rolldown (@​rolldown/pluginutils)

v1.0.0-rc.12

Compare Source

🚀 Features

• chunk-optimizer: skip circular dependency check when strict execution order is enabled (#​8886) by @​hyf0

🐛 Bug Fixes

• emit build warnings during watch mode rebuilds (#​8897) by @​IWANABETHATGUY
• lazy-barrel: load import-then-export specifiers when barrel has local exports (#​8895) by @​shulaoda
• correct execution order of transferred CJS init calls (#​8877) by @​IWANABETHATGUY
• mcs: entriesAware should calculate sizes without duplication (#​8887) by @​hyf0
• non-deterministic chunk generation (#​8882) by @​sapphi-red
• is_top_level incorrectly treats strict-mode scopes as top-level (#​8878) by @​Dunqing

🚜 Refactor

• treeshake: migrate SideEffectDetector to Oxc's MayHaveSideEffects trait (#​8624) by @​Dunqing

🧪 Testing

• make dev server tests deterministic by replacing fixed sleeps with event-driven polling (#​8561) by @​Boshen

⚙️ Miscellaneous Tasks

• deps: update dependency vite-plus to v0.1.14 (#​8902) by @​camc314
• deps: update dependency oxfmt to ^0.42.0 (#​8891) by @​renovate[bot]
• deps: update rust crate oxc_sourcemap to v6.1.1 (#​8890) by @​renovate[bot]
• remove Rolldown MF plan (#​8883) by @​shulaoda
• deps: update rollup submodule for tests to v4.60.0 (#​8881) by @​sapphi-red
• deps: update test262 submodule for tests (#​8880) by @​sapphi-red
• deps: upgrade oxc crates to 0.122.0 (#​8879) by @​shulaoda

v1.0.0-rc.11

Compare Source

🚀 Features

• magicString replace with regex (#​8802) by @​IWANABETHATGUY
• support output.sourcemapExcludeSources option (#​8828) by @​sapphi-red
• support getIndentString in MagicString (#​8775) by @​IWANABETHATGUY
• MagicString ignoreList support (#​8773) by @​IWANABETHATGUY

🐛 Bug Fixes

• forward test filters through vp run (#​8870) by @​younggglcy
• types: remove pluginName from MinimalPluginContext (#​8864) by @​sapphi-red
• do not report eval?.() as direct eval (#​8860) by @​IWANABETHATGUY
• handle negative indices, overlapping ranges, and moved content in MagicString remove (#​8829) by @​IWANABETHATGUY
• enable arbitrary_precision for serde_json to fix JSON float parsing (#​8848) by @​elderapo
• resolve TypeScript lint errors (#​8841) by @​Boshen
• avoid panic on multi-byte UTF-8 chars in hash placeholder iterator (#​8790) by @​shulaoda
• ci: skip failing vite build watch raw query test (#​8840) by @​Boshen
• ci: use step-level env override to unset VITE_PLUS_CLI_BIN in vite tests (#​8838) by @​Boshen
• ci: move vite tests into CI workflow by @​Boshen
• ci: unset all VITE_PLUS_* env vars in vite-tests workflow (#​8837) by @​Boshen
• test: skip watch CLI tests on Windows (#​8830) by @​Boshen
• ci: unset VITE_PLUS_CLI_BIN in vite-tests workflow (#​8832) by @​Boshen
• remove redundant bare side-effect imports in entry/facade chunks (#​8804) by @​h-a-n-a
• magicString prepend issues (#​8797) by @​IWANABETHATGUY
• ci: use vpx instead of vp exec for pkg-pr-new (#​8827) by @​Boshen
• set order for callable plugins (#​8815) by @​sapphi-red
• handle reversed slice ranges with moved content (#​8750) by @​IWANABETHATGUY
• update emnapi to latest to avoid version mismatch (#​8781) by @​sapphi-red
• external.md on Windows OS (#​8780) by @​bddjr
• align MagicString length/isEmpty with reference magic-string (#​8776) by @​IWANABETHATGUY

🚜 Refactor

• extract canonical_ref_resolving_namespace helper (#​8836) by @​Boshen

📚 Documentation

• improve external examples for cross-platform correctness (#​8786) by @​hyf0-agent
• update reference to transform function in plugin API documentation (#​8778) by @​zOadT

⚡ Performance

• reduce timing of dervie_entries_aware_chunk_name (#​8847) by @​AliceLanniste
• bench: remove redundant sourcemap benchmark cases (#​8825) by @​Boshen
• reduce intermediate allocations in collapse_sourcemaps (#​8821) by @​Boshen
• enable parallel AST cloning on macOS (#​8814) by @​Boshen

🧪 Testing

• watch: use polling watcher and retry for watch error test (#​8772) by @​sapphi-red

⚙️ Miscellaneous Tasks

• deps: update dependency @​oxc-project/types to v0.122.0 (#​8873) by @​renovate[bot]
• publish-to-npm: use correct vp pm publish (#​8871) by @​shulaoda
• justfile: skip setup-vite-plus if vp is already installed (#​8862) by @​Boshen
• add expectWarning option to test config (#​8861) by @​IWANABETHATGUY
• justfile: support windows for just setup (#​8846) by @​AliceLanniste
• deps: update rust crates (#​8852) by @​renovate[bot]
• deps: update endbug/version-check action to v3 (#​8855) by @​renovate[bot]
• deps: update github-actions (#​8853) by @​renovate[bot]
• deps: update dependency vitepress to v2.0.0-alpha.17 (#​8854) by @​renovate[bot]
• deps: update npm packages (#​8851) by @​renovate[bot]
• bench: use mimalloc as global allocator in bench crate (#​8844) by @​IWANABETHATGUY
• reuse native build artifact in node-validation job (#​8826) by @​Boshen
• speed up CodSpeed benchmark build by disabling LTO (#​8824) by @​Boshen
• remove redundant critcmp benchmark job (#​8823) by @​Boshen
• deps: update rust crate oxc_sourcemap to v6.1.0 (#​8785) by @​renovate[bot]
• node: migrate oxlint and oxfmt to Vite+ (#​8813) by @​Boshen
• revert namespace runners for release build jobs (#​8820) by @​Boshen
• migrate runners to namespace (#​8819) by @​Boshen
• test: relax test utils path assertion to support git worktrees (#​8816) by @​younggglcy
• rename examples/lazy to examples/lazy-compilation (#​8789) by @​shulaoda
• improve "needs reproduction" wording by @​Boshen
• deps: update dependency oxlint-tsgolint to v0.17.1 (#​8807) by @​renovate[bot]
• enable 7 previously-skipped MagicString tests (#​8771) by @​IWANABETHATGUY
• upgrade oxc to 0.121.0 (#​8784) by @​shulaoda
• increase Windows dev drive size from 12GB to 20GB (#​8779) by @​Copilot

❤️ New Contributors

• @​younggglcy made their first contribution in #​8870
• @​elderapo made their first contribution in #​8848
• @​bddjr made their first contribution in #​8780
• @​zOadT made their first contribution in #​8778

oxc-project/oxc (oxfmt)

v0.42.0

Compare Source

🚀 Features

• 416865a formatter,oxfmt: Add doc comments for JsdocConfig (#​20644) (leaysgur)
• 4fec907 formatter: Add JSDoc comment formatting support (#​19828) (Dunqing)

pnpm/pnpm (pnpm)

v10.33.0

Compare Source

remix-run/react-router (react-router)

v7.13.2

Compare Source

Patch Changes

• Fix clientLoader.hydrate when an ancestor route is also hydrating a clientLoader (#​14835)

• Fix type error when passing Framework Mode route components using Route.ComponentProps to createRoutesStub (#​14892)

• Fix percent encoding in relative path navigation (#​14786)

• Add future.unstable_passThroughRequests flag (#​14775)

  By default, React Router normalizes the request.url passed to your loader, action, and middleware functions by removing React Router's internal implementation details (.data suffixes, index + _routes query params).

  Enabling this flag removes that normalization and passes the raw HTTP request instance to your handlers. This provides a few benefits:

  • Reduces server-side overhead by eliminating multiple new Request() calls on the critical path
  • Allows you to distinguish document from data requests in your handlers base don the presence of a .data suffix (useful for observability purposes)

  If you were previously relying on the normalization of request.url, you can switch to use the new sibling unstable_url parameter which contains a URL instance representing the normalized location:

  // ❌ Before: you could assume there was no `.data` suffix in `request.url`
  export async function loader({ request }: Route.LoaderArgs) {
    let url = new URL(request.url);
    if (url.pathname === "/path") {
      // This check will fail with the flag enabled because the `.data` suffix will
      // exist on data requests
    }
  }
  
  // ✅ After: use `unstable_url` for normalized routing logic and `request.url`
  // for raw routing logic
  export async function loader({ request, unstable_url }: Route.LoaderArgs) {
    if (unstable_url.pathname === "/path") {
      // This will always have the `.data` suffix stripped
    }
  
    // And now you can distinguish between document versus data requests
    let isDataRequest = new URL(request.url).pathname.endsWith(".data");
  }

• Internal refactor to consolidate framework-agnostic/React-specific route type layers - no public API changes (#​14765)

• Sync protocol validation to rsc flows (#​14882)

• Add a new unstable_url: URL parameter to route handler methods (loader, action, middleware, etc.) representing the normalized URL the application is navigating to or fetching, with React Router implementation details removed (.datasuffix, index/_routes query params) (#​14775)

  This is being added alongside the new future.unstable_passthroughRequests future flag so that users still have a way to access the normalized URL when that flag is enabled and non-normalized request's are being passed to your handlers. When adopting this flag, you will only need to start leveraging this new parameter if you are relying on the normalization of request.url in your application code.

  If you don't have the flag enabled, then unstable_url will match request.url.

rolldown/tsdown (tsdown)

v0.21.7

Compare Source

   🚀 Features

• Add module option for attw and publint to allow passing imported modules directly  -  by @​sxzz (31e90)

   🐞 Bug Fixes

• deps: Add skipNodeModulesBundle dep subpath e2e tests and fix docs  -  by @​sxzz (deff7)

    View changes on GitHub

v0.21.6

Compare Source

   🚀 Features

• Upgrade rolldown to v1.0.0-rc.12  -  by @​sxzz (51292)
• config:
  • Pass root config to workspace config functions  -  by @​sxzz (76169)
  • Use mergeConfig for workspace config merging and support variadic overrides  -  by @​sxzz (148aa)
• dts:
  • Add cjsReexport option to eliminate dual module type hazard  -  by @​mandarini and @​sxzz in #​856 (875c1)
• exports:
  • Add bin option to auto-generate package.json bin field  -  by @​sxzz in #​869 (7ebd6)

   🐞 Bug Fixes

• css:
  • Compile preprocessor langs in virtual CSS modules  -  by @​sxzz in #​865 (7b2e0)
  • Strip .module from CSS output filenames  -  by @​sxzz in #​866 (03ade)
  • Default splitting to true in unbundle mode for CSS inject  -  by @​sxzz in #​867 (a4da6)
  • Split CSS plugin into pre/post phases for scoped CSS support  -  by @​sxzz in #​870 (ff0c4)
• entry:
  • Correctly output relative paths in logger output  -  by @​sxzz (00050)

    View changes on GitHub

v0.21.5

Compare Source

   🚀 Features

• Update rolldown to 1.0.0-rc.10  -  by @​wChenonly in #​845 (41411)
• Support typescript v6  -  by @​ocavue in #​858 (bffc4)

   🐞 Bug Fixes

• css:
  • Run final minification on merged CSS output  -  by @​sxzz in #​853 (475df)
  • Don't override internal importer  -  by @​Laupetin in #​860 (af40e)
  • Use aliased exports for CSS module keys  -  by @​wChenonly and @​sxzz in #​840 (bb6de)
• deps:
  • External optionalDependencies by default  -  by @​sxzz (cd24d)
  • Resolve subpath extensions for packages without exports field  -  by @​sxzz in #​863 (c5150)
  • Correctly resolve root @types packages for dts deep imports  -  by @​brc-dd and @​sxzz in #​852 (0b276)

    View changes on GitHub

typescript-eslint/typescript-eslint (typescript-eslint)

v8.58.0

Compare Source

🚀 Features

• support TypeScript 6 (#​12124)

❤️ Thank You

• Evyatar Daud @​StyleShit

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.57.2

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitejs/vite (vite)

v8.0.3

Compare Source

Features

• update rolldown to 1.0.0-rc.12 (#​22024) (84164ef)

Bug Fixes

• html: cache unfiltered CSS list to prevent missing styles across entries (#​22017) (5464190)
• module-runner: handle non-ascii characters in base64 sourcemaps (#​21985) (77c95bf)
• module-runner: skip re-import if the runner is closed (#​22020) (ee2c2cd)
• optimizer: scan is not resolving sub path import if used in a glob import (#​22018) (ddfe20d)
• ssr: ssrTransform incorrectly rewrites meta identifier inside import.meta when a binding named meta exists (#​22019) (cff5f0c)

Miscellaneous Chores

• deps: bump picomatch from 4.0.3 to 4.0.4 (#​22027) (7e56003)

Tests

• html: add tests for getCssFilesForChunk (#​22016) (43fbbf9)

v8.0.2

Compare Source

Features

• update rolldown to 1.0.0-rc.11 (#​21998) (ff91c31)

Bug Fixes

• deps: update all non-major dependencies (#​21988) (9b7d150)

Miscellaneous Chores

• deps: update dependency @​vitejs/devtools to ^0.1.5 (#​21992) (b2dd65b)

vitest-dev/vitest (vitest)

v4.1.2

Compare Source

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (#​9975).

   🐞 Bug Fixes

• Don't resolve setupFiles from parent directory  -  by @​hi-ogawa in #​9960 (7aa93)
• Ensure sequential mock/unmock resolution  -  by @​hi-ogawa and Claude Opus 4.6 in #​9830 (7c065)
• browser: Take failure screenshot if toMatchScreenshot can't capture a stable screenshot  -  by @​macarie in #​9847 (faace)
• coverage: Correct coverageConfigDefaults values and types  -  by @​Arthie in #​9940 (b3c99)
• pretty-format: Fix output limit over counting  -  by @​hi-ogawa in #​9965 (d3b7a)
• Disable colors if agent is detected  -  by @​sheremet-va and @​AriPerkkio in #​9851 (6f97b)

    View changes on GitHub

v4.1.1

Compare Source

   🚀 Features

• experimental:
  • Expose matchesTagsFilter to test if the current filter matches tags  -  by @​sheremet-va in #​9913 (eec53)
  • Introduce experimental.vcsProvider  -  by @​sheremet-va in #​9928 (56115)

   🐞 Bug Fixes

• Mark TestProject.testFilesList internal properly  -  by @​sapphi-red in #​9867 (54f26)
• Detect fixture that returns without calling use  -  by @​oilater in #​9831 and #​9861 (633ae)
• Drop vite 8.beta support  -  by @​AriPerkkio in #​9862 (b78f5)
• Type regression in vi.mocked() static class methods  -  by @​purepear and @​hi-ogawa in #​9857 (90926)
• Properly re-evaluate actual modules of mocked external  -  by @​hi-ogawa in #​9898 (ae5ec)
• Preserve coverage report when html reporter overlaps  -  by @​hi-ogawa in #​9889 (2d81a)
• Provide vi.advanceTimers to the preview provider  -  by @​sheremet-va in #​9891 (1bc3e)
• Don't leak event listener in playwright provider  -  by @​sheremet-va in #​9910 (d9355)
• Open browser in --standalone mode without running tests  -  by @​sheremet-va in #​9911 (e78ad)
• Guard disposable and optional body  -  by @​sheremet-va in #​9912 (6fdb2)
• Resolve retry.condition RegExp serialization issue  -  by @​nstepien and @​hi-ogawa in #​9942 (7b605)
• collect:
  • Don't treat extra props on test return as tests  -  by @​sheremet-va in #​9871 (141e7)
• coverage:
  • Simplify provider types  -  by @​AriPerkkio in #​9931 (aaf9f)
  • Load built-in provider without module runner  -  by @​AriPerkkio in #​9939 (bf892)
• expect:
  • Soft assertions continue after .resolves/.rejects promise errors  -  by @​mixelburg, Maks Pikov, Claude Opus 4.6 (1M context) and @​hi-ogawa in #​9843 (6d74b)
  • Fix sinon-chai style API  -  by @​hi-ogawa in #​9943 (0f08d)
• pretty-format:
  • Limit output for large object  -  by @​hi-ogawa and Claude Opus 4.6 (1M context) in #​9949 (0d5f9)

    View changes on GitHub

cloudflare/workers-sdk (wrangler)

v4.78.0

Compare Source

Minor Changes

• #​13031 eeaa473 Thanks @​WalshyDev! - Add support for Cloudflare Access Service Token authentication via environment variables

  When running wrangler dev with remote bindings behind a Cloudflare Access-protected domain, Wrangler previously required cloudflared access login which opens a browser for interactive authentication. This does not work in CI/CD environments.

  You can now set the CLOUDFLARE_ACCESS_CLIENT_ID and CLOUDFLARE_ACCESS_CLIENT_SECRET environment variables to authenticate using an Access Service Token instead:

  export CLOUDFLARE_ACCESS_CLIENT_ID="<your-client-id>.access"
  export CLOUDFLARE_ACCESS_CLIENT_SECRET="<your-client-secret>"
  wrangler dev

  Additionally, when running in a non-interactive environment (CI) without these credentials, Wrangler now throws a clear, actionable error instead of hanging on cloudflared access login.

• #​13027 9fcdfca Thanks @​G4brym! - feat: Add ai_search_namespaces and ai_search binding types

  Two new binding types for AI Search:

  • ai_search_namespaces: Namespace binding — namespace is required and auto-provisioned at deploy time if it doesn't exist (like R2 buckets)
  • ai_search: Single instance binding bound directly to a pre-existing instance in the default namespace

  Both are remote-only in local dev.

• #​12874 53ed15a Thanks @​xortive! - Add Workers VPC service support for Hyperdrive origins

  Hyperdrive configs can now connect to databases through Workers VPC services using the --service-id option:

  wrangler hyperdrive create my-config --service-id <vpc-service-uuid> --database mydb --user myuser --password mypassword

  This enables Hyperdrive to connect to databases hosted in private networks that are accessible through Workers VPC TCP services.

• #​12852 6b50bfa Thanks @​Carolx715! - Add interactive data catalog validation to R2 object and lifecycle commands.

  When performing R2 operations that could affect data catalog state (object put, object delete, lifecycle add, lifecycle set), Wrangler now validates with the API and prompts users for confirmation if a conflict is detected. For bulk put operations, Wrangler prompts upfront before starting the batch. Users can bypass prompts with --force (-y). In non-interactive/CI environments, the operation proceeds automatically.

• #​13030 0386553 Thanks @​natewong1313! - Add local mode support for Stream bindings

  Miniflare and wrangler dev now support using Cloudflare Stream bindings locally.

  Supported operations:

  • upload() — upload video via URL
  • video(id).details(), .update(), .delete(), .generateToken()
  • videos.list()
  • captions.generate(), .list(), .delete()
  • downloads.generate(), .get(), .delete()
  • watermarks.generate(), .list(), .get(), .delete()

  The following are not yet supported in local mode and will throw:

  • createDirectUpload()
  • Caption upload via File
  • Watermark generation via File

  Data is persisted across restarts by default. You must set streamPersist: false in Miniflare options to disable persistence.

• #​12874 53ed15a Thanks @​xortive! - Add --cert-verification-mode option to wrangler vpc service create and wrangler vpc service update

  You can now configure the TLS certificate verification mode when creating or updating a VPC connectivity service. This controls how the connection to the origin server verifies TLS certificates.

  Available modes:

  • verify_full (default) -- verify certificate chain and hostname
  • verify_ca -- verify certificate chain only, skip hostname check
  • disabled -- do not verify the server certificate at all

  wrangler vpc service create my-service --type tcp --tcp-port 5432 --ipv4 10.0.0.1 --tunnel-id <tunnel-uuid> --cert-verification-mode verify_ca

  This applies to both TCP and HTTP VPC service types. When omitted, the default verify_full behavior is used.

• #​12874 53ed15a Thanks @​xortive! - Add TCP service type support for Workers VPC

  You can now create TCP services in Workers VPC using the --type tcp option:

  wrangler vpc service create my-db --type tcp --tcp-port 5432 --ipv4 10.0.0.1 --tunnel-id <tunnel-uuid>

  This enables exposing TCP-based services like PostgreSQL, MySQL, and other database servers through Workers VPC.

Patch Changes

• #​13039 bc24ec8 Thanks [@&Expand "@vitejs/plugin-react-refresh" to allow class components and non-component exports #8

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.