Skip to content

chore(deps): (deps-dev): bump the development group across 1 directory with 9 updates#289

Merged
cb1kenobi merged 2 commits intomainfrom
dependabot/npm_and_yarn/development-fd9bc204d9
Apr 8, 2026
Merged

chore(deps): (deps-dev): bump the development group across 1 directory with 9 updates#289
cb1kenobi merged 2 commits intomainfrom
dependabot/npm_and_yarn/development-fd9bc204d9

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 8, 2026
edited
Loading

Bumps the development group with 9 updates in the / directory:

Package From To
@types/node 25.5.0 25.5.2
@vitest/coverage-v8 4.1.0 4.1.3
esbuild 0.27.4 0.28.0
lefthook 2.1.4 2.1.5
oxlint 1.56.0 1.59.0
rollup 4.59.0 4.60.1
rollup-plugin-dts 6.4.0 6.4.1
typescript 5.9.3 6.0.2
vitest 4.1.0 4.1.3

Updates @types/node from 25.5.0 to 25.5.2

Commits

Updates @vitest/coverage-v8 from 4.1.0 to 4.1.3

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.3

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub

v4.1.2

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (vitest-dev/vitest#9975).

   🐞 Bug Fixes

    View changes on GitHub

v4.1.1

   🚀 Features

   🐞 Bug Fixes

... (truncated)

Commits

Updates esbuild from 0.27.4 to 0.28.0

Release notes

Sourced from esbuild's releases.

v0.28.0

  • Add support for with { type: 'text' } imports (#4435)

    The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

    import string from './example.txt' with { type: 'text' }
console.log(string)

  • Add integrity checks to fallback download path (#4343)

    Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

    This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

  • Update the Go compiler from 1.25.7 to 1.26.1

    This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

    • It now uses the new garbage collector that comes with Go 1.26.
    • The Go compiler is now more aggressive with allocating memory on the stack.
    • The executable format that the Go linker uses has undergone several changes.
    • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

    You can read the Go 1.26 release notes for more information.

v0.27.7

  • Fix lowering of define semantics for TypeScript parameter properties (#4421)

    The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

    // Original code
class Foo {
  constructor(public x = 1) {}
  y = 2
}
// Old output (with --loader=ts --target=es2021)
class Foo {
constructor(x = 1) {
this.x = x;
__publicField(this, "y", 2);
}
x;
}
// New output (with --loader=ts --target=es2021)
class Foo {

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.28.0

  • Add support for with { type: 'text' } imports (#4435)

    The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

    import string from './example.txt' with { type: 'text' }
console.log(string)

  • Add integrity checks to fallback download path (#4343)

    Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

    This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

  • Update the Go compiler from 1.25.7 to 1.26.1

    This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

    • It now uses the new garbage collector that comes with Go 1.26.
    • The Go compiler is now more aggressive with allocating memory on the stack.
    • The executable format that the Go linker uses has undergone several changes.
    • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

    You can read the Go 1.26 release notes for more information.

0.27.7

  • Fix lowering of define semantics for TypeScript parameter properties (#4421)

    The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

    // Original code
class Foo {
  constructor(public x = 1) {}
  y = 2
}
// Old output (with --loader=ts --target=es2021)
class Foo {
constructor(x = 1) {
this.x = x;
__publicField(this, "y", 2);
}
x;
}

... (truncated)

Commits
  • 6a794df publish 0.28.0 to npm
  • 64ee0ea fix #4435: support with { type: text } imports
  • ef65aee fix sort order in snapshots_packagejson.txt
  • 1a26a8e try to fix test-old-ts, also shuffle CI tasks
  • 556ce6c use '' instead of null to omit build hashes
  • 8e675a8 ci: allow missing binary hashes for tests
  • 7067763 Reapply "update go 1.25.7 => 1.26.1"
  • 39473a9 fix #4343: integrity check for binary download
  • 2025c9f publish 0.27.7 to npm
  • c6b586e fix typo in Makefile for @esbuild/win32-x64
  • Additional commits viewable in compare view

Updates lefthook from 2.1.4 to 2.1.5

Release notes

Sourced from lefthook's releases.

v2.1.5

Changelog

  • afac466157f88b5a5f9d03eb28acc90b095a4b5d chore(golangci-lint): upgrade to 2.11.4 (#1362)
  • f8e73b947e2eefd6950d6a19c20bbde19070809d chore: fix golangci-lint version lookup
  • 4564da343b1497f73f8a82f6104e1b5903f8a081 chore: move golangci-lint version to .tool-versions (#1349)
  • 236a5bd07c650aaa882963d68ab5e5e654a47681 chore: small cleanup (#1370)
  • 5ddf2206dd23e826c5434392e034fa7db523cd3d deps: April 2026 (#1375)
  • e26c719f5a85e8ff35871e9724649714d6f05c13 fix: git repository merge issue (#1372)
  • 3503a3b102c2b41c298e1e7dc6549181508518a6 fix: prevent lefthook run from overwriting global hooks (#1371)
  • f3fc175f6c638fd54ab49b8d7c060898f936c934 fix: use pre-push stdin for push file detection (#1368)
Changelog

Sourced from lefthook's changelog.

2.1.5 (2026-04-06)

Commits

Updates oxlint from 1.56.0 to 1.59.0

Release notes

Sourced from oxlint's releases.

oxlint v1.27.0 && oxfmt v0.12.0

Oxlint v1.27.0

🚀 Features

  • 222a8f0 linter/plugins: Implement SourceCode#isSpaceBetween (#15498) (overlookmotel)
  • 2f9735d linter/plugins: Implement context.languageOptions (#15486) (overlookmotel)
  • bc731ff linter/plugins: Stub out all Context APIs (#15479) (overlookmotel)
  • 5822cb4 linter/plugins: Add extend method to FILE_CONTEXT (#15477) (overlookmotel)
  • 7b1e6f3 apps: Add pure rust binaries and release to github (#15469) (Boshen)
  • 2a89b43 linter: Introduce debug assertions after fixes to assert validity (#15389) (camc314)
  • ad3c45a editor: Add oxc.path.node option (#15040) (Sysix)

🐛 Bug Fixes

  • 6f3cd77 linter/no-var: Incorrect warning for blocks (#15504) (Hamir Mahal)
  • 6957fb9 linter/plugins: Do not allow access to Context#id in createOnce (#15489) (overlookmotel)
  • 7409630 linter/plugins: Allow access to cwd in createOnce in ESLint interop mode (#15488) (overlookmotel)
  • 732205e parser: Reject using / await using in a switch case / default clause (#15225) (sapphi-red)
  • a17ca32 linter/plugins: Replace Context class (#15448) (overlookmotel)
  • ecf2f7b language_server: Fail gracefully when tsgolint executable not found (#15436) (camc314)
  • 3c8d3a7 lang-server: Improve logging in failure case for tsgolint (#15299) (camc314)
  • ef71410 linter: Use jsx if source type is JS in fix debug assertion (#15434) (camc314)
  • e32bbf6 linter/no-var: Handle TypeScript declare keyword in fixer (#15426) (camc314)
  • 6565dbe linter/switch-case-braces: Skip comments when searching for : token (#15425) (camc314)
  • 85bd19a linter/prefer-class-fields: Insert value after type annotation in fixer (#15423) (camc314)
  • fde753e linter/plugins: Block access to context.settings in createOnce (#15394) (overlookmotel)
  • ddd9f9f linter/forward-ref-uses-ref: Dont suggest removing wrapper in invalid positions (#15388) (camc314)
  • dac2a9c linter/no-template-curly-in-string: Remove fixer (#15387) (camc314)
  • 989b8e3 linter/no-var: Only fix to const if the var has an initializer (#15385) (camc314)
  • cc403f5 linter/plugins: Return empty object for unimplemented parserServices (#15364) (magic-akari)

⚡ Performance

  • 25d577e language_server: Start tools in parallel (#15500) (Sysix)
  • 3c57291 linter/plugins: Optimize loops (#15449) (overlookmotel)
  • 3166233 linter/plugins: Remove Arcs (#15431) (overlookmotel)
  • 9de1322 linter/plugins: Lazily deserialize settings JSON (#15395) (overlookmotel)
  • 3049ec2 linter/plugins: Optimize deepFreezeSettings (#15392) (overlookmotel)
  • 444ebfd linter/plugins: Use single object for parserServices (#15378) (overlookmotel)

📚 Documentation

  • 97d2104 linter: Update comment in lint.rs about default value for tsconfig path (#15530) (Connor Shea)
  • 2c6bd9e linter: Always refer as "ES2015" instead of "ES6" (#15411) (sapphi-red)
  • a0c5203 linter/import/named: Update "ES7" comment in examples (#15410) (sapphi-red)
  • 3dc24b5 linter,minifier: Always refer as "ES Modules" instead of "ES6 Modules" (#15409) (sapphi-red)
  • 2ad77fb linter/no-this-before-super: Correct "Why is this bad?" section (#15408) (sapphi-red)
  • 57f0ce1 linter: Add backquotes where appropriate (#15407) (sapphi-red)

Oxfmt v0.12.0

... (truncated)

Changelog

Sourced from oxlint's changelog.

[1.59.0] - 2026-04-06

🐛 Bug Fixes

  • dd2df87 npm: Export package.json for oxlint and oxfmt (#20784) (kazuya kawaguchi)

[1.58.0] - 2026-03-30

🚀 Features

  • 16516de linter: Enhance types for DummyRule (#20751) (camc314)

📚 Documentation

  • be3dcc1 linter: Add note about node version + custom TS plugin (#19381) (camc314)

[1.55.0] - 2026-03-12

🐛 Bug Fixes

  • bc20217 oxlint,oxfmt: Omit useless | null for Option<T> field from schema (#20273) (leaysgur)

📚 Documentation

  • f339f10 linter/plugins: Promote JS plugins to alpha status (#20281) (overlookmotel)

[1.54.0] - 2026-03-12

📚 Documentation

  • 0c7da4f linter: Fix extra closing brace in example config. (#20253) (connorshea)

[1.52.0] - 2026-03-09

🚀 Features

  • 61bf388 linter: Add options.reportUnusedDisableDirectives to config file (#19799) (Peter Wagenet)
  • 2919313 linter: Introduce denyWarnings config options (#19926) (camc314)
  • a607119 linter: Introduce maxWarnings config option (#19777) (camc314)

📚 Documentation

  • 6c0e0b5 linter: Add oxlint.config.ts to the config docs. (#19941) (connorshea)
  • 160e423 linter: Add a note that the typeAware and typeCheck options require oxlint-tsgolint (#19940) (connorshea)

[1.51.0] - 2026-03-02

🚀 Features

  • f34f6fa linter: Introduce typeCheck config option (#19764) (camc314)

... (truncated)

Commits
  • a69e707 release(apps): oxlint v1.59.0 && oxfmt v0.44.0 (#21085)
  • dd2df87 fix(npm): export package.json for oxlint and oxfmt (#20784)
  • 0384f4b release(apps): oxlint v1.58.0 && oxfmt v0.43.0 (#20867)
  • 91f38fc chore(oxlint): bump min tsgolint version to 0.18.0 (#20800)
  • be3dcc1 docs(linter): add note about node version + custom TS plugin (#19381)
  • 16516de feat(linter): enhance types for DummyRule (#20751)
  • 8b0f61d release(apps): oxlint v1.57.0 && oxfmt v0.42.0 (#20680)
  • b33fbde Revert "release(apps): oxlint v1.57.0 && oxfmt v0.42.0 (#20680)"
  • 027ce4a release(apps): oxlint v1.57.0 && oxfmt v0.42.0 (#20680)
  • 180dd0f Revert "release(apps): oxlint v1.57.0 && oxfmt v0.42.0 (#20649)"
  • Additional commits viewable in compare view

Updates rollup from 4.59.0 to 4.60.1

Release notes

Sourced from rollup's releases.

v4.60.1

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

v4.60.0

4.60.0

2026-03-22

Features

  • Support source phase imports as long as they are external (#6279)

Pull Requests

v4.59.1

4.59.1

2026-03-21

Bug Fixes

  • Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

4.60.0

2026-03-22

Features

  • Support source phase imports as long as they are external (#6279)

Pull Requests

4.59.1

2026-03-21

Bug Fixes

  • Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

... (truncated)

Commits

Updates rollup-plugin-dts from 6.4.0 to 6.4.1

Changelog

Sourced from rollup-plugin-dts's changelog.

6.4.1

Fixes:

  • Fixed regression related to new SourceMap handling

Thank you:

Features, fixes and improvements in this release have been contributed by:

Commits

Updates typescript from 5.9.3 to 6.0.2

Release notes

Sourced from typescript's releases.

TypeScript 6.0

For release notes, check out the release announcement blog post.

Downloads are available on:

TypeScript 6.0 Beta

For release notes, check out the release announcement.

Downloads are available on:

Commits

Updates vitest from 4.1.0 to 4.1.3

Release notes

Sourced from vitest's releases.

v4.1.3

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub

v4.1.2

This release bumps Vitest's flatted ...

Description has been truncated

@socket-security
Copy link
Copy Markdown

socket-security bot commented Apr 8, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedesbuild@​0.27.4 ⏵ 0.28.091 +110073 +194100
Updatedvitest@​4.1.0 ⏵ 4.1.398 +210079 +198 -1100
Updated@​vitest/​coverage-v8@​4.1.0 ⏵ 4.1.3991007999 +2100
Updated@​types/​node@​25.5.0 ⏵ 25.5.2100 +110081 +196100
Updatedrollup-plugin-dts@​6.4.0 ⏵ 6.4.1971001008970
Updatedrollup@​4.59.0 ⏵ 4.60.18810010098100
Updatedtypescript@​5.9.3 ⏵ 6.0.2100 +110090 +1100 +290
Updatedoxlint@​1.56.0 ⏵ 1.59.09910091 +196 +1100
Updatedlefthook@​2.1.4 ⏵ 2.1.59210010096 +2100

View full report

@dependabot
chore(deps): (deps-dev): bump the development group across 1 director…
870ce05 
…y with 9 updates

Bumps the development group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.5.0` | `25.5.2` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.0` | `4.1.3` |
| [esbuild](https://github.com/evanw/esbuild) | `0.27.4` | `0.28.0` |
| [lefthook](https://github.com/evilmartians/lefthook) | `2.1.4` | `2.1.5` |
| [oxlint](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxlint) | `1.56.0` | `1.59.0` |
| [rollup](https://github.com/rollup/rollup) | `4.59.0` | `4.60.1` |
| [rollup-plugin-dts](https://github.com/Swatinem/rollup-plugin-dts) | `6.4.0` | `6.4.1` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.9.3` | `6.0.2` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.0` | `4.1.3` |



Updates `@types/node` from 25.5.0 to 25.5.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@vitest/coverage-v8` from 4.1.0 to 4.1.3
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.3/packages/coverage-v8)

Updates `esbuild` from 0.27.4 to 0.28.0
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.27.4...v0.28.0)

Updates `lefthook` from 2.1.4 to 2.1.5
- [Release notes](https://github.com/evilmartians/lefthook/releases)
- [Changelog](https://github.com/evilmartians/lefthook/blob/master/CHANGELOG.md)
- [Commits](evilmartians/lefthook@v2.1.4...v2.1.5)

Updates `oxlint` from 1.56.0 to 1.59.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxlint/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxlint_v1.59.0/npm/oxlint)

Updates `rollup` from 4.59.0 to 4.60.1
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.59.0...v4.60.1)

Updates `rollup-plugin-dts` from 6.4.0 to 6.4.1
- [Changelog](https://github.com/Swatinem/rollup-plugin-dts/blob/master/CHANGELOG.md)
- [Commits](Swatinem/rollup-plugin-dts@v6.4.0...v6.4.1)

Updates `typescript` from 5.9.3 to 6.0.2
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v5.9.3...v6.0.2)

Updates `vitest` from 4.1.0 to 4.1.3
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.3/packages/vitest)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.5.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development
- dependency-name: esbuild
  dependency-version: 0.28.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development
- dependency-name: lefthook
  dependency-version: 2.1.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development
- dependency-name: oxlint
  dependency-version: 1.59.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development
- dependency-name: rollup
  dependency-version: 4.60.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development
- dependency-name: rollup-plugin-dts
  dependency-version: 6.4.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development
- dependency-name: typescript
  dependency-version: 6.0.2
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: development
- dependency-name: vitest
  dependency-version: 4.1.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/development-fd9bc204d9 branch from a07c5c6 to 870ce05 Compare April 8, 2026 15:35
@cb1kenobi cb1kenobi merged commit 5d3a1d8 into main Apr 8, 2026
5 checks passed
@cb1kenobi cb1kenobi deleted the dependabot/npm_and_yarn/development-fd9bc204d9 branch April 8, 2026 21:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cb1kenobi