chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sxzz/eslint-config	^7.5.1 → ^7.6.0
@sxzz/prettier-config	^2.2.6 → ^2.3.1
@types/node (source)	^25.0.10 → ^25.2.0
pnpm (source)	10.28.1 → 10.28.2
rolldown (source)	1.0.0-rc.1 → 1.0.0-rc.2
rollup (source)	^4.56.0 → ^4.57.1

---

Release Notes

sxzz/eslint-config (@​sxzz/eslint-config)

v7.6.0

Compare Source

   🚀 Features

• Add Astro support  -  by @​sxzz in #​154 (5aa3e)
• Add importWithError utility for optional plugin imports  -  by @​sxzz (4ce53)

    View changes on GitHub

sxzz/prettier-config (@​sxzz/prettier-config)

v2.3.1

Compare Source

   🐞 Bug Fixes

• Missing dist  -  by @​sxzz (e1152)

    View changes on GitHub

v2.3.0

Compare Source

No significant changes

    View changes on GitHub

v2.2.7

Compare Source

   🐞 Bug Fixes

• deps:
  • Update all non-major dependencies  -  in #​83 (4484b)
  • Update all non-major dependencies  -  in #​84 (1a098)

    View changes on GitHub

pnpm/pnpm (pnpm)

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

• Security fix: prevent path traversal in directories.bin field.

• When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

  This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

  Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

• Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Gold Sponsors

rolldown/rolldown (rolldown)

v1.0.0-rc.2

Compare Source

💥 BREAKING CHANGES

• expose \0rolldown/runtime in transform hook (#​8068) by @​hyf0
• rename rolldown:runtime to \0rolldown/runtime.js (#​8067) by @​hyf0

🚀 Features

• remove inlined constants in smart mode (#​8085) by @​sapphi-red
• allow more options for this.emitFile with type: 'prebuilt-chunk' (#​8062) by @​sapphi-red
• warn when both code and postBanner contain shebang (#​8039) by @​Copilot

🐛 Bug Fixes

• update the links to Rolldown docs in the error messages (#​8103) by @​sapphi-red
• handle tsconfig.json load errors (#​8105) by @​sapphi-red
• include inlined constants in namespace object (#​8099) by @​sapphi-red
• vite test ci (#​8084) by @​IWANABETHATGUY
• renamer: nested binding shadowing external module namespace in UMD/IIFE formats (#​8083) by @​Dunqing
• deduplicate ESM chunk imports by canonical symbol (#​8059) by @​IWANABETHATGUY
• refine side-effect detection for BigInt and RegExp (#​8060) by @​IWANABETHATGUY
• rust: use string literal span for new URL error diagnostic (#​8043) by @​valadaptive
• rust: use ModuleType::Asset for new URL imports (#​8035) by @​valadaptive
• CJS-ESM interop - property assignment on CJS module exports (#​8006) by @​IWANABETHATGUY
• eliminate the facade chunk if the dynamic entry module has been merged into common chunk (#​8046) by @​IWANABETHATGUY
• Inlining dynamic imports broken with multiple entry points (#​8037) by @​IWANABETHATGUY
• devtools: revert Chunk#id to Chunk#chunk_id (#​8040) by @​hyf0
• invert __exportAll parameter logic to reduce default output size (#​8036) by @​Copilot
• </script tag search should be case insensitive (#​8033) by @​IWANABETHATGUY
• use directory name as-is for the variable name even if the name contained . (#​8029) by @​Copilot
• dev/lazy: remove unnecessary rewrite from top level this to undefined (#​8020) by @​hyf0
• dev/lazy: should keep lazy entries imports for patch file (#​8019) by @​hyf0
• output.generatedCode.preset: 'es2015' was not set by default (#​8026) by @​sapphi-red
• node: align option validator to types (#​8023) by @​sapphi-red
• node: allow output.strictExecutionOrder by the option validator (#​8022) by @​sapphi-red
• types: return this from on / off methods of RolldownWatcher (#​8015) by @​sapphi-red

🚜 Refactor

• rolldown_plugin_vite_dynamic_import_vars: remove v1 implementation (#​8096) by @​shulaoda
• rolldown_plugin_vite_import_glob: remove v1 implementation (#​8095) by @​shulaoda
• lazy-barrel: restructure lazy barrel implementation (#​8070) by @​shulaoda
• remove use_built_ins and use_spread from internal JSX options (#​8079) by @​sapphi-red
• remove experimental.transformHiresSourcemap (#​8055) by @​Copilot
• rust: use is_data_url more consistently (#​8042) by @​valadaptive
• use FxIndexMap to store EntryPoint (#​8032) by @​IWANABETHATGUY
• node: add type checks that ensures validator schema is up to date with types (#​8024) by @​sapphi-red

📚 Documentation

• link to vite plugin registry (#​8086) by @​sapphi-red
• lazy-barrel: improve documentation and enable in sidebar (#​8072) by @​shulaoda
• add more examples and details (#​8054) by @​sapphi-red
• in-depth: add dead code elimination page (#​8007) by @​sapphi-red
• update status from beta to release candidate (#​8012) by @​shulaoda

⚡ Performance

• run inline-const pass for modules that are affected by inlining (#​8064) by @​sapphi-red

🧪 Testing

• lazy-barrel: use package.json sideEffects instead of plugin hook (#​8077) by @​shulaoda
• lazy-barrel: enable tests and add treeshake-behavior cases (#​8071) by @​shulaoda

⚙️ Miscellaneous Tasks

• deps: update crate-ci/typos action to v1.42.3 (#​8087) by @​renovate[bot]
• deps: update rollup submodule for tests to v4.56.0 (#​8073) by @​sapphi-red
• deps: update oxc to v0.111.0 (#​8063) by @​renovate[bot]
• deps: update dependency rolldown-plugin-dts to v0.21.6 (#​8076) by @​renovate[bot]
• deps: update test262 submodule for tests (#​8074) by @​sapphi-red
• deps: update crate-ci/typos action to v1.42.2 (#​8069) by @​renovate[bot]
• deps: update oxc apps (#​8066) by @​renovate[bot]
• remove {@​include ./foo.md} from d.ts files (#​8056) by @​sapphi-red
• deps: update dependency oxlint-tsgolint to v0.11.2 (#​8057) by @​renovate[bot]
• deps: update github-actions (#​8050) by @​renovate[bot]
• deps: update npm packages (#​8051) by @​renovate[bot]
• deps: update rust crates (#​8049) by @​renovate[bot]
• debug: add IdxExt debug trait for human-readable index debugging (#​8045) by @​IWANABETHATGUY
• deps: update dependency rolldown-plugin-dts to v0.21.5 (#​8034) by @​renovate[bot]
• deps: update oxc resolver to v11.16.4 (#​8031) by @​renovate[bot]
• deps: update dependency rolldown-plugin-dts to v0.21.4 (#​8030) by @​renovate[bot]
• deps: update dependency rust to v1.93.0 (#​8018) by @​renovate[bot]
• archive 2025 beta changelog (#​8014) by @​shulaoda
• update release workflow version pattern from beta to rc (#​8013) by @​shulaoda

❤️ New Contributors

• @​valadaptive made their first contribution in #​8043

rollup/rollup (rollup)

v4.57.1

Compare Source

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#​6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#​6254)

Pull Requests

• #​6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)
• #​6252: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #​6253: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #​6254: Fully include dynamic imports in a try-catch (@​lukastaegert)
• #​6255: chore(deps): lock file maintenance (@​renovate[bot])

v4.57.0

Compare Source

2026-01-27

Features

• Add import attributes to all plugin hooks that did not provide them yet (#​5700)
• Deprecate returning import attributes from load or transform hooks as that will no longer be supported with rollup 5 (#​5700)

Pull Requests

• #​5700: extend more hooks to include import attributes and add warnings (@​TrickyPi, @​lukastaegert)
• #​6243: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #​6244: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #​6245: chore(deps): lock file maintenance (@​renovate[bot])
• #​6246: Refactor to reduce Rollup 5 upgrade diff (@​lukastaegert)

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/unplugin-replace@78

commit: a9cff73

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​sxzz/​prettier-config@​2.2.6 ⏵ 2.3.1	-1		+1	+2
	rolldown@​1.0.0-rc.2
	@​types/​node@​25.0.10 ⏵ 25.2.0	+1		+1
	@​sxzz/​eslint-config@​7.5.1 ⏵ 7.6.0			+1	+1
	rollup@​4.56.0 ⏵ 4.57.1

View full report