fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/vite-plugin (source)	^1.25.2 → ^1.25.6
@rolldown/pluginutils (source)	1.0.0-rc.5 → 1.0.0-rc.6
@types/node (source)	^24.10.13 → ^24.11.0
globals	^17.3.0 → ^17.4.0
lint-staged	^16.2.7 → ^16.3.1
oxfmt (source)	^0.34.0 → ^0.36.0
pnpm (source)	10.30.1 → 10.30.3
react-router (source)	7.13.0 → 7.13.1
rolldown (source)	1.0.0-rc.5 → 1.0.0-rc.6
srvx (source)	^0.11.7 → ^0.11.8
turbo-stream	^3.1.0 → ^3.2.0
typescript-eslint (source)	^8.56.0 → ^8.56.1
vitefu	^1.1.1 → ^1.1.2
wrangler (source)	^4.67.0 → ^4.69.0

---

Release Notes

cloudflare/workers-sdk (@​cloudflare/vite-plugin)

v1.25.6

Compare Source

Patch Changes

• #​12673 a04f6f1 Thanks @​jamesopstad! - Move proxy shared secret to a constant that is reused across restarts.

• #​12684 53025f9 Thanks @​jamesopstad! - Fix Miniflare being incorrectly disposed during rapid dev server restarts

• Updated dependencies [99037e3, 295297a, f765244, c0e9e08]:

  • miniflare@​4.20260305.0
  • wrangler@​4.69.0

v1.25.5

Compare Source

Patch Changes

• #​12628 494ee7b Thanks @​Master-Hash! - Append Cloudflare defaults to existing .assetsignore files during build output

  When a project includes a PUBLIC_DIR/.assetsignore, the plugin now preserves those rules and appends the required wrangler.json and .dev.vars entries instead of replacing the file content.

• Updated dependencies [3d6e421, 294297e]:

  • wrangler@​4.68.1
  • miniflare@​4.20260302.0

rolldown/rolldown (@​rolldown/pluginutils)

v1.0.0-rc.6

Compare Source

💥 BREAKING CHANGES

• css: remove css_entry_filenames , css_chunk_filenames and related code (#​8402) by @​hyf0
• css: drop builtin CSS bundling to explore alternative solutions (#​8399) by @​hyf0

🚀 Features

• rust/data-url: use hash as id for data url modules to prevent long string overhead (#​8420) by @​hyf0
• validate bundle stays within output dir (#​8441) by @​sapphi-red
• rust: support PluginOrder::PinPost (#​8417) by @​hyf0
• support ModuleType:Copy (#​8407) by @​hyf0
• expose ESTree types from rolldown/utils (#​8400) by @​sapphi-red

🐛 Bug Fixes

• incorrect sourcemap when postBanner/postFooter is used with shebang (#​8459) by @​Copilot
• resolver: disable node_path option to align ESM resolver behavior (#​8472) by @​sapphi-red
• parse .js within "type": "commonjs" as ESM for now (#​8470) by @​sapphi-red
• case-insensitive filename conflict detection for chunk deduplication (#​8458) by @​Copilot
• prevent inlining CJS exports that are mutated by importers (#​8456) by @​IWANABETHATGUY
• parse .cjs / .cts / .js within "type": "commonjs" as CommonJS (#​8455) by @​sapphi-red
• plugin/copy-module: correct hooks' priority (#​8423) by @​hyf0
• plugin/chunk-import-map: ensure render_chunk_meta run after users plugin (#​8422) by @​hyf0
• rust: correct hooks order of DataUriPlugin (#​8418) by @​hyf0
• jsx.preserve should also considering tsconfig json preserve (#​8324) by @​IWANABETHATGUY
• deferred_scan_data.rs "Should have resolved id: NotFound" error (#​8379) by @​sapphi-red
• cli: require value for --dir/-d and --file/-o (#​8378) by @​Copilot
• dev: avoid mutex deadlock caused by inconsistent lock order (#​8370) by @​sapphi-red

🚜 Refactor

• watch: rename TaskStart/TaskEnd to BundleStart/BundleEnd (#​8463) by @​hyf0
• rust: rename rolldown_plugin_data_uri to rolldown_plugin_data_url (#​8421) by @​hyf0
• bindingify-build-hook: extract helper for PluginContextImpl (#​8438) by @​ShroXd
• give source loading a proper name (#​8436) by @​IWANABETHATGUY
• ban holding DashMap refs across awaits (#​8362) by @​sapphi-red

📚 Documentation

• add glob pattern usage example to input option (#​8469) by @​IWANABETHATGUY
• remove https://rolldown.rs from links in reference docs (#​8454) by @​sapphi-red
• mention execution order issue in output.codeSplitting docs (#​8452) by @​sapphi-red
• clarify output.comments behavior a bit (#​8451) by @​sapphi-red
• replace npmjs package links with npmx.dev (#​8439) by @​Boshen
• reference: add Exported from for values / types exported from subpath exports (#​8394) by @​sapphi-red
• add JSDocs for APIs exposed from subpath exports (#​8393) by @​sapphi-red
• reference: generate reference pages for APIs exposed from subpath exports (#​8392) by @​sapphi-red
• avoid pipe character in codeSplitting example to fix broken rendering (#​8391) by @​IWANABETHATGUY

⚡ Performance

• avoid redundant PathBuf allocations in resolve paths (#​8435) by @​Brooooooklyn
• bump to sugar_path@2 (#​8432) by @​hyf0
• use flag-based convergence detection in include_statements (#​8412) by @​Brooooooklyn

🧪 Testing

• execute _test.mjs even if executeOutput is false (#​8398) by @​sapphi-red
• add retry to tree-shake/module-side-effects-proxy4 as it is flaky (#​8397) by @​sapphi-red
• avoid expect.assertions() as it is not concurrent test friendly (#​8383) by @​sapphi-red
• disable mockReset option (#​8382) by @​sapphi-red
• fix flaky failure caused by concurrent resolveId calls (#​8381) by @​sapphi-red

⚙️ Miscellaneous Tasks

• deps: update dependency rollup to v4.59.0 [security] (#​8471) by @​renovate[bot]
• ai/design: add design doc about watch mode (#​8453) by @​hyf0
• deps: update oxc resolver to v11.19.0 (#​8461) by @​renovate[bot]
• ai: introduce progressive spec-driven development pattern (#​8446) by @​hyf0
• deprecate output.legalComments (#​8450) by @​sapphi-red
• deps: update dependency oxlint-tsgolint to v0.15.0 (#​8448) by @​renovate[bot]
• ai: make CLAUDE.md a symlink of AGENTS.md (#​8445) by @​hyf0
• deps: update rollup submodule for tests to v4.59.0 (#​8433) by @​sapphi-red
• deps: update test262 submodule for tests (#​8434) by @​sapphi-red
• deps: update oxc to v0.115.0 (#​8430) by @​renovate[bot]
• deps: update oxc apps (#​8429) by @​renovate[bot]
• deps: update npm packages (#​8426) by @​renovate[bot]
• deps: update rust crate owo-colors to v4.3.0 (#​8428) by @​renovate[bot]
• deps: update github-actions (#​8424) by @​renovate[bot]
• deps: update rust crates (#​8425) by @​renovate[bot]
• deps: update oxc resolver to v11.18.0 (#​8406) by @​renovate[bot]
• deps: update dependency oxlint-tsgolint to v0.14.2 (#​8405) by @​renovate[bot]
• ban expect.assertions in all fixture tests (#​8395) by @​sapphi-red
• deps: update oxc apps (#​8389) by @​renovate[bot]
• ban expect.assertions in fixture tests (#​8387) by @​sapphi-red
• enable lint for _config.ts files (#​8386) by @​sapphi-red
• deps: update dependency oxlint-tsgolint to v0.14.1 (#​8385) by @​renovate[bot]

sindresorhus/globals (globals)

v17.4.0

Compare Source

lint-staged/lint-staged (lint-staged)

v16.3.1

Compare Source

Patch Changes

• #​1729 cd5d762 Thanks @​iiroj! - Remove nano-spawn as a dependency from package.json as it was replaced with tinyexec and is no longer used.

v16.3.0

Compare Source

Minor Changes

• #​1698 feda37a Thanks @​iiroj! - Run external processes with tinyexec instead of nano-spawn. nano-spawn replaced execa in lint-staged version 16 to limit the amount of npm dependencies required, but caused some unknown issues related to spawning tasks. Let's hope tinyexec improves the situation.

• #​1699 1346d16 Thanks @​iiroj! - Remove pidtree as a dependency. When a task fails, its sub-processes are killed more efficiently via the process group on Unix systems, and the taskkill command on Windows.

Patch Changes

• #​1726 87467aa Thanks @​iiroj! - Incorrect brace expansions like *.{js} (nothing to expand) are detected exhaustively, instead of just a single pass.

oxc-project/oxc (oxfmt)

v0.36.0

Compare Source

🐛 Bug Fixes

• 04e6223 npm: Add preferUnplugged for Yarn PnP compatibility (#​19829) (Boshen)

📚 Documentation

• 2fa936f README.md: Map npm package links to npmx.dev (#​19666) (Boshen)

v0.35.0

Compare Source

🚀 Features

• 984dc07 oxfmt: Strip "experimental"SortXxx prefix (#​19567) (leaysgur)

pnpm/pnpm (pnpm)

v10.30.3

Compare Source

v10.30.2

Compare Source

remix-run/react-router (react-router)

v7.13.1

Compare Source

Patch Changes

• fix null reference exception in bad codepath leading to invalid route tree comparisons (#​14780)

• fix: clear timeout when turbo-stream encoding completes (#​14810)

• Improve error message when Origin header is invalid (#​14743)

• Fix matchPath optional params matching without a "/" separator. (#​14689)

  • matchPath("/users/:id?", "/usersblah") now returns null.
  • matchPath("/test_route/:part?", "/test_route_more") now returns null.

• add RSC unstable_getRequest (#​14758)

• Fix HydrateFallback rendering during initial lazy route discovery with matching splat route (#​14740)

• [UNSTABLE] Add support for <Link unstable_mask> in Data Mode which allows users to navigate to a URL in the router but "mask" the URL displayed in the browser. This is useful for contextual routing usages such as displaying an image in a model on top of a gallery, but displaying a browser URL directly to the image that can be shared and loaded without the contextual gallery in the background. (#​14716)

  // routes/gallery.tsx
  export function clientLoader({ request }: Route.LoaderArgs) {
    let sp = new URL(request.url).searchParams;
    return {
      images: getImages(),
      // When the router location has the image param, load the modal data
      modalImage: sp.has("image") ? getImage(sp.get("image")!) : null,
    };
  }
  
  export default function Gallery({ loaderData }: Route.ComponentProps) {
    return (
      <>
        <GalleryGrid>
          {loaderData.images.map((image) => (
            <Link
              key={image.id}
              {/* Navigate the router to /galley?image=N */}}
              to={`/gallery?image=${image.id}`}
              {/* But display /images/N in the URL bar */}}
              unstable_mask={`/images/${image.id}`}
            >
              <img src={image.url} alt={image.alt} />
            </Link>
          ))}
        </GalleryGrid>
  
        {/* When the modal data exists, display the modal */}
        {data.modalImage ? (
          <dialog open>
            <img src={data.modalImage.url} alt={data.modalImage.alt} />
          </dialog>
        ) : null}
      </>
    );
  }

  Notes:

  • The masked location, if present, will be available on useLocation().unstable_mask so you can detect whether you are currently masked or not.
  • Masked URLs only work for SPA use cases, and will be removed from history.state during SSR.
  • This provides a first-class API to mask URLs in Data Mode to achieve the same behavior you could do in Declarative Mode via manual backgroundLocation management.

• RSC: Update failed origin checks to return a 400 status and appropriate UI instead of a generic 500 (#​14755)

• Preserve query parameters and hash on manifest version mismatch reload (#​14813)

h3js/srvx (srvx)

v0.11.8

Compare Source

compare changes

🩹 Fixes

• node: Validate host header (7c8c962)

🏡 Chore

• Update deps (b6738bd)

❤️ Contributors

• Pooya Parsa (@​pi0)

jacob-ebey/turbo-stream (turbo-stream)

v3.2.0

Compare Source

Features

• handle large chunks via highWaterMark (#​82) (2f22ca8)

Bug Fixes

• handle large chunks (2f22ca8)
• handle large chunks (#​79) (cf0f429)

svitejs/vitefu (vitefu)

v1.1.2

Compare Source

• Allow Vite 8 peer dependency (#​28)

cloudflare/workers-sdk (wrangler)

v4.69.0

Compare Source

Minor Changes

• #​12625 c0e9e08 Thanks @​WillTaylorDev! - Add cache configuration option for enabling worker cache (experimental)

  You can now enable cache before worker execution using the new cache configuration:

  {
  	"cache": {
  		"enabled": true,
  	},
  }

  This setting is environment-inheritable and opt-in. When enabled, cache behavior is applied before your worker runs.

  Note: This feature is experimental. The runtime API is not yet generally available.

Patch Changes

• #​12661 99037e3 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260302.0	1.20260303.0

• #​12680 295297a Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260303.0	1.20260305.0

• #​12671 f765244 Thanks @​MattieTK! - fix: Only redact account names in CI environments, not all non-interactive contexts

  The multi-account selection error in getAccountId now only redacts account names
  when running in a CI environment (detected via ci-info). Non-interactive terminals
  such as coding agents and piped commands can now see account names, which they need
  to identify which account to configure. CI logs remain protected.

• Updated dependencies [99037e3, 295297a]:

  • miniflare@​4.20260305.0

v4.68.1

Compare Source

Patch Changes

• #​12648 3d6e421 Thanks @​petebacondarwin! - Fix Angular scaffolding to allow localhost SSR in development mode

  Recent versions of Angular's AngularAppEngine block serving SSR on localhost by default. This caused wrangler dev / wrangler pages dev to fail with URL with hostname "localhost" is not allowed.

  The fix passes allowedHosts: ["localhost"] to the AngularAppEngine constructor in server.ts, which is safe to do even in production since Cloudflare will already restrict which host is allowed.

• #​12657 294297e Thanks @​dario-piotrowicz! - Update Waku autoconfig logic

  As of 1.0.0-alpha.4, Waku projects can be built on top of the Cloudflare Vite plugin, and the changes here allow Wrangler autoconfig to support this. Running autoconfig on older versions of Waku will result in an error.

• Updated dependencies []:

  • miniflare@​4.20260302.0

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.