fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@swc/core (source)	^1.15.33 → ^1.15.40
@tanstack/react-query (source)	^5.100.11 → ^5.100.14
@utoo/pack-cli (source)	^1.4.7 → ^1.4.8
date-fns	^4.2.1 → ^4.3.0
framer-motion	^12.39.0 → ^12.40.0
pnpm (source)	11.2.1 → 11.2.2
postcss-url	^10.1.3 → ^10.1.4
react-hook-form (source)	^7.76.0 → ^7.76.1
vite (source)	^8.0.13 → ^8.0.14
webpack	^5.107.0 → ^5.107.1

---

Release Notes

swc-project/swc (@​swc/core)

v1.15.40

Compare Source

Bug Fixes

• (es/minifier) Preserve args for destructured callbacks (#​11830) (21873b0)

• (es/minifier) Avoid generating mangled property names that collide with existing properties (#​11839) (9b4fab5)

• (es/minifier) Respect ecma for iife temp vars (#​11873) (e481934)

• (es/minifier) Preserve default parameter object props (#​11884) (71ff84f)

• (es/parser) Reject object-rest assignment to array/object literal (#​11875) (7b57d1f)

• (es/parser) Reject object rest assignment to literals (#​11881) (4ec2eaf)

• (es/react) Exclude self-recursive hooks from refresh dependency array (#​11838) (9101c71)

• (ts/fast-dts) Strip definite assertions in dts (#​11858) (2ab1b8a)

• (ts/fast-strip) Reject unsafe assertion erasure in binary expressions (#​11828) (aa5b539)

• (typescript) Strip parameter binding defaults in dts (#​11857) (800bc17)

Documentation

• Update agent guidance (#​11842) (bf2d015)

• Add security policy (#​11876) (6c43c2d)

• Clarify security scope for npm packages (#​11877) (4662db8)

• Clarify untrusted input security model (#​11882) (5463777)

Features

• (es/minifier) Fine grained effect analysis of class (#​11814) (c9058ad)

• (swc_cli) Implement all features for swc_cli (#​11797) (9300ede)

Miscellaneous Tasks

• (es/minifier) Fix typo in debug log (#​11866) (3de0254)

• (html) Add webcontainer fallback for @swc/html (#​11860) (7692eed)

Performance

• (ecma) Reduce transformer compat overhead (#​11856) (d03cb71)

• (es/codegen) Speed up JsWriter position and srcmap tracking (#​11867) (dbceade)

• (es/codegen) Remove JsWriter last_srcmap cache (#​11869) (3bc1c2b)

• (es/minifier) Reduce minifier profiling hotspots (#​11853) (28c1091)

• Optimize es parser comment finalization (#​11852) (2959ddf)

Testing

• (es/minifier) Move issue_11835 fixture out of terser folder (#​11840) (3dd3431)

Ci

• Update corepack in publish docker jobs (#​11885) (9a7d954)

• Pass publish docker env explicitly (#​11888) (c5f7547)

• Lock issues closed by merged prs (#​11887) (6bd74e5)

• Provide aarch64 musl linker in publish job (#​11889) (20234fd)

• Fix publish musl linker and windows tests (#​11890) (a798a23)

• Make minifier test path explicit (#​11891) (e7cba97)

Security

• Save CI caches only on main (#​11848) (7582529)

• Update rkyv and Rust dependencies (#​11851) (20d92eb)

• Harden PR workflow permissions (#​11849) (e199564)

TanStack/query (@​tanstack/react-query)

v5.100.14

Compare Source

Patch Changes

• fix(react-query): do not go into optimistic fetching state when not subscribed (#​10759)

• Updated dependencies []:

  • @​tanstack/query-core@​5.100.14

v5.100.13

Compare Source

Patch Changes

• Updated dependencies [d423168]:
  • @​tanstack/query-core@​5.100.13

v5.100.12

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.12

utooland/utoo (@​utoo/pack-cli)

v1.4.8

Compare Source

date-fns/date-fns (date-fns)

v4.3.0

Compare Source

Kudos to @​ImRodry and @​puneetdixit200 for their contributions.

Fixed

• Fixed missing modularized optimization fallback (for Next.js and others). See #​4193.

• Fixed pt locale first day of week to be Sunday. See #​4195 by @​ImRodry.

• Fixed zh-CN, zh-HK, and zh-TW locale month parsing for October, November, and December. See #​4194 by @​puneetdixit200.

motiondivision/motion (framer-motion)

v12.40.0

Compare Source

Added

• path option to transition.
• arc() for motion along an arc.

pnpm/pnpm (pnpm)

v11.2.2

Compare Source

Patch Changes

• When the install engine is delegated to pacquet via configDependencies, the user's CLI flags passed to pnpm install (e.g. --no-runtime, --prod, --dev, --no-optional, --node-linker, --cpu/--os/--libc, --offline, --prefer-offline) are now forwarded to pacquet's install subcommand verbatim. Previously pacquet was invoked with a fixed argument list, so flags like --no-runtime were silently dropped. Flag forwarding is gated on the command being install/i; add, update, and dedupe still don't forward (their flag surface doesn't line up with pacquet's install).
• Fixed pnpm up (and pnpm add / pnpm remove) failing with pacquet_package_manager::outdated_lockfile when pacquet is declared in configDependencies. pnpm now passes --ignore-manifest-check to pacquet so its --frozen-lockfile check doesn't fire against the (pre-mutation) package.json pnpm hasn't written yet #​11797. Requires a pacquet release that supports the flag — bump PACQUET_VERSION in the e2e tests once it ships.

postcss/postcss-url (postcss-url)

v10.1.4

Compare Source

Fixed: update minimatch dependency to address CVEs https://nvd.nist.gov/vuln/detail/CVE-2026-27903 https://nvd.nist.gov/vuln/detail/CVE-2026-27904 https://nvd.nist.gov/vuln/detail/CVE-2026-26996 by @​diegocr

react-hook-form/react-hook-form (react-hook-form)

v7.76.1: Version 7.76.1

Compare Source

🐞 fix: pass options parameter through setValues to enable validation (#​13457)
🐞 fix(setValues): emit whole-form change without stale name/type (#​13450)
🚗 perf(setValues): thread skipClone through setFieldValue (#​13448)
🚗 perf(setValues): skip redundant per-field deep clones (#​13445)
Revert "🐞 fix: treat NaN as empty when valueAsNumber is true in validateField (#​13388)"

thanks to @​philibea & @​maxkostow

vitejs/vite (vite)

v8.0.14

Compare Source

Features

• update rolldown to 1.0.2 (#​22484) (96efc88)

Bug Fixes

• deps: update all non-major dependencies (#​22471) (98b8163)
• dev: handle errors when sending messages to vite server (#​22450) (e8e9a34)
• html: handle trailing slash paths in transformIndexHtml (#​22480) (5d94d1b)
• optimizer: pass oxc jsx options to transformSync in dependency scan (#​22342) (b3132da)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​22470) (7cb728e)
• remove irrelevant commits from changelog (2c69495)

Code Refactoring

• glob: do not rewrite import path for absolute base (#​22310) (0ae2844)

Tests

• css: sass does not use main field (#​22449) (ebf39a0)

webpack/webpack (webpack)

v5.107.1

Compare Source

Patch Changes

• Align the experimental HTML tokenizer with the WHATWG spec: fix offset-range bugs in the script-data, content-mode end-tag, attribute-value, and EOF states; surface tokenizer parse errors to consumers via a new parseError callback ("warning" when the tokenizer recovers and the emitted token is still well-formed, "error" when the offset range is incomplete — e.g. eof-in-tag); and add the full WHATWG named character references table so decodeHtmlEntities handles all named entities (including legacy bare forms like &AMP and multi-code-point entities like ≂̸) with proper longest-prefix backtracking. (by @​alexander-akait in #​21000)

• Tree-shake CommonJS modules imported through a const NAME = require(LITERAL) binding when only static members of NAME are read. Previously webpack treated every export of such modules as referenced (because the bare require() dependency reports EXPORTS_OBJECT_REFERENCED), so unused exports.x = ... assignments remained in the bundle even with usedExports enabled. The parser now forwards NAME.x / NAME.x() / NAME["x"] accesses to the underlying CommonJsRequireDependency as referenced exports, falling back to the full exports object the moment NAME is read in any other context (passed by value, destructured later, accessed with a dynamic key, …). This brings the binding form to parity with the existing destructuring form (const { x } = require(...)). (by @​alexander-akait in #​21003)

• Fix RangeError: Maximum call stack size exceeded thrown from HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState on long linear chains of side-effect-free imports. NormalModule.getSideEffectsConnectionState previously descended through HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState recursively, adding two stack frames per module, which overflowed V8's stack at a few thousand modules deep. The traversal is now iterative. (by @​alexander-akait in #​20993)

• Fix NormalModuleFactory parser/generator types: (by @​alexander-akait in #​20999)

  • module.generator.html now uses HtmlGeneratorOptions instead of EmptyGeneratorOptions (the extract option was hidden from the createGenerator / generator hook types).
  • WebAssembly (webassembly/async, webassembly/sync) generator hooks now use EmptyGeneratorOptions instead of EmptyParserOptions.
  • NormalModuleFactory#getParser / createParser / getGenerator / createGenerator are now generic over the module-type string, returning the specific parser/generator class for known types (e.g. JavascriptParser for "javascript/auto", CssGenerator for "css", etc.) instead of always returning the base Parser / Generator.
  • NormalModuleCreateData is now generic over the module type so parser, parserOptions, generator, and generatorOptions are narrowed to the specific class / options for the given type.

• Link import bindings used inside define(...) callbacks in ES modules. Previously, HarmonyDetectionParserPlugin skipped walking the arguments of define calls in harmony modules, so references to imported bindings inside an inline AMD define factory (e.g. define(function () { console.log(foo); })) were not rewritten to their imported references and could cause ReferenceError at runtime. Inner graph usage analysis is also fixed for the related pattern const fn = function () { foo; }; define(fn);. (by @​alexander-akait in #​20990)

• HTML-entry pipeline (experiments.html + experiments.css): emit <link rel="stylesheet"> tags for CSS chunks reachable from a <script src> entry. Previously when the bundled JS imported CSS, the resulting .css file was emitted to disk but never referenced from the extracted HTML (no <link> tag), and when splitChunks extracted CSS into sibling chunks the HTML cloned the originating <script> for each one — producing <script src="style.js"> pointing at non-existent JS filenames instead of <link rel="stylesheet" href="style.css">. CSS chunks are now sorted by the entrypoint's module post-order index so the <link> tags also appear in source import order, fixing the cascade ordering issue documented in html-webpack-plugin#1838 and webpack/mini-css-extract-plugin#959 for HTML-entry builds. nonce/crossorigin/referrerpolicy are copied from the originating tag onto the emitted <link>. (by @​alexander-akait in #​21002)

• Allow devtool and SourceMapDevToolPlugin (or multiple SourceMapDevToolPlugin instances) to coexist on the same asset. Previously the second instance would silently skip any asset whose info.related.sourceMap had already been set by an earlier instance, and even when it ran the asset had been rewrapped as a RawSource so no source map could be recovered — producing an empty .map file. The plugin now keeps a per-compilation stash of pristine source maps, namespaces its persistent cache entries by the options that affect output, and appends additional related.sourceMap entries instead of overwriting them. The classic workaround of pairing devtool: 'hidden-source-map' with a new webpack.SourceMapDevToolPlugin({ filename: '[file].secondary.map', noSources: true }) now produces both maps in a single build. (by @​alexander-akait in #​21001)

• Narrow TemplatePathFn callback types by context. pathData.chunk is now non-optional for chunk filename callbacks (output.filename, chunkFilename, cssFilename, cssChunkFilename, htmlFilename, htmlChunkFilename, optimization.splitChunks.cacheGroups[*].filename), and pathData.module is non-optional for module filename callbacks (output.assetModuleFilename, per-module generator.filename / generator.outputPath, module.parser.css.localIdentName). (by @​alexander-akait in #​20987)

• Tighten the CreateData typedef in NormalModuleFactory. CreateData now represents the fully-populated value passed to the createModule, module, and createModuleClass hooks (NormalModuleCreateData & { settings: ModuleSettings }), while ResolveData.createData is typed as Partial<CreateData> to reflect the empty initial state. Plugins tapping those hooks no longer need to cast individual fields away from optional. (by @​alexander-akait in #​20992)

• Stop webpackPrefetch / webpackPreload magic comments from leaking across import() call sites that share a webpackChunkName. When two imports targeted the same named chunk and only one of them set webpackPrefetch: true, the prefetch directive was applied from every parent chunk that referenced the named chunk. Prefetch and preload orders are now resolved per import() call site instead of from the shared chunk group's accumulated options. (by @​alexander-akait in #​20994)

• Fix [fullhash:N] and [hash:N] (with length suffix) in output.publicPath not being interpolated at runtime. The detection regex in RuntimePlugin only matched [fullhash] / [hash] without a length suffix, so the PublicPathRuntimeModule was not flagged as a full-hash module and __webpack_require__.p was emitted with the placeholder XXXX left in place (e.g. out/XXXX/) instead of the real hash truncated to the requested length. (by @​alexander-akait in #​21004)

• Re-export ModuleNotFoundError from webpack/lib/ModuleNotFoundError for backward compatibility with old plugins that import it from that path. This re-export will be removed in webpack 6. (by @​alexander-akait in #​20988)

---

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.