chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sxzz/eslint-config	^7.4.0 -> ^7.4.3
@types/node (source)	^24.10.1 -> ^24.10.4
eslint (source)	^9.39.1 -> ^9.39.2
pnpm (source)	10.24.0 -> 10.26.0
prettier (source)	^3.7.3 -> ^3.7.4
rolldown-plugin-require-cjs	^0.3.2 -> ^0.3.3
tsdown (source)	^0.16.8 -> ^0.18.1
vite (source)	^7.2.6 -> ^7.3.0
vitest (source)	^4.0.14 -> ^4.0.16
vue (source)	^3.5.25 -> ^3.5.26

---

Release Notes

sxzz/eslint-config (@​sxzz/eslint-config)

v7.4.3

Compare Source

No significant changes

    View changes on GitHub

v7.4.2

Compare Source

No significant changes

    View changes on GitHub

v7.4.1

Compare Source

   🐞 Bug Fixes

• Re-sort package.json  -  by @​sxzz (29b46)
• Re-sort tsconfig.json  -  by @​sxzz (d640c)
• Sort exports  -  by @​sxzz (0569f)

    View changes on GitHub

eslint/eslint (eslint)

v9.39.2

Compare Source

pnpm/pnpm (pnpm)

v10.26.0

Compare Source

v10.25.0

Compare Source

prettier/prettier (prettier)

v3.7.4

Compare Source

diff

LWC: Avoid quote around interpolations (#​18383 by @​kovsu)

<!-- Input -->
<div foo={bar}>   </div>

<!-- Prettier 3.7.3 (--embedded-language-formatting off) -->
<div foo="{bar}"></div>

<!-- Prettier 3.7.4 (--embedded-language-formatting off) -->
<div foo={bar}></div>

TypeScript: Fix comment inside union type gets duplicated (#​18393 by @​fisker)

// Input
type Foo = (/** comment */ a | b) | c;

// Prettier 3.7.3
type Foo = /** comment */ (/** comment */ a | b) | c;

// Prettier 3.7.4
type Foo = /** comment */ (a | b) | c;

TypeScript: Fix unstable comment print in union type comments (#​18395 by @​fisker)

// Input
type X = (A | B) & (
  // comment
  A | B
);

// Prettier 3.7.3 (first format)
type X = (A | B) &
  (// comment
  A | B);

// Prettier 3.7.3 (second format)
type X = (
  | A
  | B // comment
) &
  (A | B);

// Prettier 3.7.4
type X = (A | B) &
  // comment
  (A | B);

sxzz/rolldown-plugin-require-cjs (rolldown-plugin-require-cjs)

v0.3.3

Compare Source

No significant changes

    View changes on GitHub

rolldown/tsdown (tsdown)

v0.18.1

Compare Source

   🚀 Features

• Support glob patterns in object entry  -  by @​sxzz (bcb7a)

export default defineConfig({
  entry: {
    '*': './src/*.ts',
    'data-loaders': './src/data-loaders/entries/index.ts',
    'data-loaders/*': './src/data-loaders/entries/!(index).ts',
    'volar/*': './src/volar/entries/*.ts',
  },
}

• Upgrade rolldown to 1.0.0-beta.55  -  by @​sxzz (5be3e)
• Mark exports option as a stable feature  -  by @​sxzz (ce9e0)

   🐞 Bug Fixes

• Keep banner / footer as-is  -  by @​sxzz (f67e0)

    View changes on GitHub

v0.18.0

Compare Source

   🚨 Breaking Changes

• copy: Rework, sync behavior of rollup-plugin-copy  -  by @​sxzz (e864b)

v0.17.4

Compare Source

   🚨 Breaking Changes

• copy: Sync behavior of rollup-plugin-copy  -  by @​sxzz (e864b)

   🚀 Features

• exports: Add exclude option  -  by @​TheAlexLichter and @​sxzz in #​340 (9e634)
• shortcuts: Case insensitive  -  by @​btea in #​649 (019af)

   🐞 Bug Fixes

• Resolve cwd from user config  -  by @​sxzz (bc066)

    View changes on GitHub

v0.17.3

Compare Source

   🚀 Features

• copy: Support glob in copy  -  by @​kricsleo and @​sxzz in #​637 (c1fd4)
  • This may be a breaking change, as the behavior has changed again in v0.17.4. Please upgrade to v0.17.4 and verify the issue.

   🐞 Bug Fixes

• Print error stack  -  by @​sxzz (1c5b6)
• Add config name to rebuilt message  -  by @​sxzz (bfdc6)
• Call hooks for each format  -  by @​sxzz (19bdd)
• Merge input & output options  -  by @​sxzz (14181)

    View changes on GitHub

v0.17.2

Compare Source

   🐞 Bug Fixes

• Empty clean array  -  by @​sxzz (eae7f)

    View changes on GitHub

v0.17.1

Compare Source

   🐞 Bug Fixes

• Respect clean on watch mode  -  by @​sxzz (bfbfb)

    View changes on GitHub

v0.17.0

Compare Source

   🚨 Breaking Changes

Notable features: https://bsky.app/profile/sxzz.dev/post/3m6xi7e7d5k2b

• Rolldown native watcher  -  by @​sxzz in #​329 (1c4f8)
• Enable failOnWarn by default in CI  -  by @​sxzz in #​617 (245e7)
• Remove unconfig from configLoader  -  by @​sxzz (9d6a7)
• Support exports, publint, attw for multi-configs  -  by @​sxzz (f889a)
• refactor!(attw): rename profile value from esmOnly to esm-only  -  by @​sxzz (85c10f3)

   🚀 Features

• Export WatchPlugin  -  by @​sxzz (4ccb2)
• Add write option  -  by @​sxzz (64fea)
• Add chunks on build:done hook  -  by @​sxzz (eb45c)
• Override options by format  -  by @​sxzz (482f6)
• Upgrade rolldown to 1.0.0-beta.53  -  by @​sxzz (a04f2)
• migrate:
  • Migrate optionalDependencies  -  by @​sxzz (22fd9)
  • Use ast-grep for config file  -  by @​Doctor-wu and @​sxzz in #​620 (b0b34)

   🐞 Bug Fixes

• Move require before import  -  by @​sxzz (85c0e)
• copy: Call function  -  by @​sxzz (e4197)
• exports: Merge multi-config outputs  -  by @​pyyupsk and @​sxzz in #​625 (73984)
• migrate: Build before publish  -  by @​sxzz (bf0f5)
• workspace: Cwd defaults to config dirname, support filter for all configs  -  by @​sxzz (24f27)

   🏎 Performance

• Reload config via import-without-cache  -  by @​sxzz (0b7e4)
• Use native loader for bun  -  by @​sxzz (36dbf)

    View changes on GitHub

vitejs/vite (vite)

v7.3.0

Compare Source

Please refer to CHANGELOG.md for details.

v7.2.7

Compare Source

vitest-dev/vitest (vitest)

v4.0.16

Compare Source

   🐞 Bug Fixes

• Fix browser mode default testTimeout back to 15 seconds  -  by @​hi-ogawa in #​9167 (da0ad)
• Avoid crashing on process.versions stub  -  by @​AriPerkkio in #​9174 (78cfb)
• Reject calling suite function inside test  -  by @​hi-ogawa in #​9198 (1a259)
• Allow inlining fully dynamic import  -  by @​hi-ogawa in #​9137 (56851)
• Fix module graph UI on html reporter with headless browser mode  -  by @​hi-ogawa in #​9219 (60642)
• Log deprecated test.poolOptions if it's set  -  by @​sheremet-va in #​9226 (f7f6a)
• browser:
  • Import recordArtifact from the vitest package  -  by @​macarie in #​9186 (01c56)
  • Fix import.meta.env define  -  by @​hi-ogawa in #​9205 (01a9a)
  • String formatting bug when including placeholders in console.log  -  by @​michael-debs and @​hi-ogawa in #​9030 and #​9131 (84a30)
• coverage:
  • Istanbul untested files source maps are off  -  by @​AriPerkkio in #​9208 (372e8)
• experimental:
  • Export setupEnvironment for custom pools  -  by @​AriPerkkio in #​9187 (5d26b)

    View changes on GitHub

v4.0.15

Compare Source

   🚀 Experimental Features

• cache: Add opt-out on a plugin level, fix internal root cache  -  by @​sheremet-va in #​9154 (a68f7)
• reporters: Print import duration breakdown  -  by @​sheremet-va in #​9105 (122ff)

   🐞 Bug Fixes

• Keep built-in id as is in bun and deno  -  by @​sheremet-va in #​9117 (075ab)
• Use optimizeDeps.rolldownOptions to fix depreated warning + fix ssr.external: true  -  by @​hi-ogawa in #​9121 (fd8bd)
• Fix external behavior with deps.optimizer  -  by @​hi-ogawa in #​9125 (4c754)
• Very minor typo in "Chrome DevTools Protocol"  -  by @​HowToTestFrontend in #​9146 (20997)
• browser: Run toMatchScreenshot only once when used with expect.element  -  by @​macarie in #​9132 (0d2e7)
• coverage: Istanbul provider to not break source maps  -  by @​AriPerkkio in #​9040 (e4ca9)
• deps: Update dependency tinyexec to v1  -  in #​9122 (fd786)
• docs: Remove --browser.provider from docs  -  by @​sheremet-va in #​9115 (120b3)
• expect: Preserve currentTestName in extended matchers  -  by @​macarie in #​9106 (e4345)
• pool: Terminate workers on CTRL+c forceful exits  -  by @​AriPerkkio in #​9140 (d57d8)
• reporters: Show project in github reporter  -  by @​sheremet-va in #​9138 (bb65e)
• spy: Do not mock overriden method, if parent was automocked  -  by @​sheremet-va in #​9116 (1a246)
• web-worker: MessagePort objects passed to Worker.postMessage work when clone === "native"  -  by @​whitphx in #​9118 (deee8)

    View changes on GitHub

vuejs/core (vue)

v3.5.26

Compare Source

Bug Fixes

• compat: fix compat handler of draggable (#​12445) (ed85953), closes #​12444
• compat: handle v-model deprecation warning with missing appContext (#​14203) (945a543), closes #​14202
• compiler-sfc: demote const reactive bindings used in v-model (#​14214) (e24ff7d), closes #​11265 #​11275
• compiler-ssr: handle ssr attr fallthrough when preserve whitespace (#​12304) (4783118), closes #​8072
• hmr: handle cached text node update (#​14134) (69ce3c7), closes #​14127
• keep-alive: use resolved component name for async components in cache pruning (#​14212) (dfe667c), closes #​14210
• runtime-core: ensure correct anchor el for deeper unresolved async components (#​14182) (f5b3bf2), closes #​14173
• runtime-core: handle patch stable fragment edge case (#​12411) (94aeb64), closes #​12410
• runtime-core: pass component instance to flushPreFlushCbs on unmount (#​14221) (e857e12), closes #​14215

Performance Improvements

• compiler-core: use binary-search to get line and column (#​14222) (1904053)

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/unplugin-vue-jsx@102

commit: ae6ac84

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	rolldown-plugin-require-cjs@​0.3.2 ⏵ 0.3.3	+1		+1	+2
	vitest@​4.0.14 ⏵ 4.0.16	-1		+1
	@​types/​node@​24.10.1 ⏵ 24.10.4			+1
	@​sxzz/​eslint-config@​7.4.0 ⏵ 7.4.3	+1		+1
	vite@​7.2.6 ⏵ 7.3.0	-4		+1	+1
	prettier@​3.7.3 ⏵ 3.7.4	+1			-1
	vue@​3.5.25 ⏵ 3.5.26	+1			+1
	tsdown@​0.16.8 ⏵ 0.18.1			+1	+1
	eslint@​9.39.1 ⏵ 9.39.2	-3

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm vite is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: package.json → npm/[email protected] ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report