fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
oxfmt (source)	^0.46.0 → ^0.48.0
pnpm (source)	10.33.0 → 10.33.4
publint (source)	^0.3.18 → ^0.3.19
rolldown (source)	^1.0.0-rc.16 → ^1.0.0
tinyexec	^1.1.1 → ^1.1.2

---

Release Notes

oxc-project/oxc (oxfmt)

v0.48.0

Compare Source

v0.47.0

Compare Source

pnpm/pnpm (pnpm)

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

• Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

  A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

• Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Gold Sponsors

v10.33.3

Compare Source

v10.33.2

Compare Source

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes

• When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.

Platinum Sponsors

Gold Sponsors

publint/publint (publint)

v0.3.19

Compare Source

Patch Changes

• Add NESTED_PACKAGE_JSON_FIELD_IGNORED to warn when published nested package.json files define "exports" or "imports", which Node.js ignores outside the package root. (#​224)

• Fix internal browser directory traversal logic (#​224)

rolldown/rolldown (rolldown)

v1.0.0

Compare Source

🐛 Bug Fixes

• dev/lazy: lazily compiled modules should be watched (#​9301) by @​h-a-n-a
• implement dynamic dominator merge logic (#​9270) by @​TheAlexLichter
• dev: apply __toCommonJS interop when CJS requires ESM in HMR finalizer (#​9261) by @​h-a-n-a

🚜 Refactor

• ecma_ast: tighten allocator access to enforce Sync invariant (#​9278) by @​IWANABETHATGUY
• scan_stage: remove stmt_infos field from EcmaView (#​9276) by @​IWANABETHATGUY
• link_stage: detach stmt_infos from EcmaView (#​9274) by @​IWANABETHATGUY
• link_stage: detach depended_runtime_helper from EcmaView to remove unsafe (#​9265) by @​IWANABETHATGUY
• link_stage: remove unsafe in determine_module_exports_kind (#​9253) by @​IWANABETHATGUY

📚 Documentation

• getting-started: remove RC warning for 1.0.0 release (#​9310) by @​shulaoda
• getting-started: update version references for 1.0.0 release (#​9309) by @​shulaoda
• add Vite+ tab to getting-started snippets (#​9285) by @​shulaoda
• lazy-barrel: clarify own-exports behavior for import-then-export records (#​9298) by @​shulaoda
• restructure top navigation around Learn vs Reference (#​9284) by @​shulaoda
• builtin-plugins: add bundle analyzer plugin docs (#​9292) by @​shulaoda
• design doc for reference_needed_symbols (#​9264) by @​IWANABETHATGUY

⚡ Performance

• devtools: write logs on a background thread (#​9219) by @​IWANABETHATGUY

⚙️ Miscellaneous Tasks

• mark esbuild/ts/parameter_props_use_define_for_class_fields_true as passed (#​9308) by @​sapphi-red
• deps: upgrade oxc to 0.129.0 (#​9297) by @​shulaoda
• deps: update rollup submodule for tests to v4.60.3 (#​9294) by @​sapphi-red
• deps: update test262 submodule for tests (#​9295) by @​sapphi-red
• ai: add rolldown REPL decode skill (#​9245) by @​Dunqing

v1.0.0-rc.18

Compare Source

💥 BREAKING CHANGES

• optimization: default unspecified inlineConst.mode to smart (#​9248) by @​IWANABETHATGUY

🐛 Bug Fixes

• rolldown_plugin_vite_import_glob: return error instead of panicking when virtual module uses a relative glob (#​9241) by @​shulaoda
• binding: treat empty inlineConst object as omitted (#​9247) by @​IWANABETHATGUY
• rolldown: keep enum declaration for optional-chain access (#​9229) by @​Dunqing
• link_stage: restore inline let-else in exports-kind filter (#​9237) by @​IWANABETHATGUY
• dev/lazy: avoid module reinitialization in lazy compilation patches (#​9179) by @​h-a-n-a
• dev: visit identifier references for runtime rewrites in HMR finalizer (#​9191) by @​h-a-n-a
• chunk-optimizer: pick dominator for runtime placement to avoid cycles (#​9164) by @​IWANABETHATGUY
• make this.emitFile chunk path synchronous to avoid deadlock (#​9031) by @​lazarv
• use sentinel id for browser: false ignored modules (#​9192) by @​shulaoda
• prevent chunk optimizer from creating import cycles (#​9228) by @​IWANABETHATGUY

🚜 Refactor

• replace tokio::sync::Mutex with std::sync::Mutex for non-IO data (#​9176) by @​shulaoda
• rolldown_plugin_vite_import_glob: do not rewrite import path for absolute base (#​9195) by @​shulaoda
• runtime_helper: wrap DependedRuntimeHelperMap in a struct (#​9215) by @​IWANABETHATGUY
• drop redundant clear() in determine_safely_merge_cjs_ns (#​9206) by @​IWANABETHATGUY
• clean up generate_lazy_export (#​9208) by @​IWANABETHATGUY
• bitset: return bool from set_bit to fuse guard-and-set (#​9207) by @​IWANABETHATGUY
• link_stage: simplify exports-kind filter and clarify safety comments (#​9205) by @​IWANABETHATGUY

📚 Documentation

• determine_module_exports_kind (#​9252) by @​IWANABETHATGUY
• fix dead link to esbuild ESM/CJS interop tests (#​9230) by @​Copilot
• remove CSS bundling references (#​9234) by @​shulaoda
• correct IncrementalFullBuild row in BundleMode table (#​9214) by @​IWANABETHATGUY
• design: add bundler data lifecycle design doc (#​9212) by @​hyf0
• remove minifier alpha status notices (#​9202) by @​sapphi-red

⚙️ Miscellaneous Tasks

• upgrade oxc to 0.128.0 (#​9260) by @​shulaoda
• deps: bump rolldown-ariadne to 0.6.0 (#​9254) by @​IWANABETHATGUY
• deps: update github actions (#​9259) by @​renovate[bot]
• deps: update github actions (#​9258) by @​renovate[bot]
• remove renovate overrides (#​9257) by @​Boshen
• use ubuntu-latest for security workflow (#​9256) by @​Boshen
• notify Discord around release publish (#​9251) by @​Boshen
• add release environment to npm publish workflow (#​9250) by @​Boshen
• justfile: drop the -- separator before forwarded args in vp run (#​9246) by @​shulaoda
• deps: update test262 submodule for tests (#​9243) by @​sapphi-red
• add more tracing instrumentations (#​9220) by @​sapphi-red
• rolldown_plugin_vite_import_glob: remove outdated sourcemap doc comment (#​9213) by @​shulaoda
• update security workflow (#​9201) by @​Boshen

❤️ New Contributors

• @​lazarv made their first contribution in #​9031

v1.0.0-rc.17

Compare Source

🐛 Bug Fixes

• link: error on missing export between TS modules (#​9197) by @​IWANABETHATGUY
• rolldown_plugin_vite_import_glob: import path should not be affected by absolute base option (#​9145) by @​kermanx
• this.resolve() returns null for bare relative paths without importer (#​9142) by @​Copilot
• collect destructured bindings in HMR module exports (#​9146) by @​h-a-n-a
• esbuild-tests: handle 0.28.0 test cases (#​9149) by @​sapphi-red
• plugin/copy-module: honor external resolutions from other plugins (#​9139) by @​TheAlexLichter
• allow undefined in sourcesContent type (#​9136) by @​jurijzahn8019
• reduce false positives in chunk optimizer circular dependency detection (#​9049) by @​AlonMiz

🚜 Refactor

• chunk-optimizer: extract runtime-module placement into rehome_runtime_module (#​9163) by @​IWANABETHATGUY

📚 Documentation

• add design doc for sort_modules execution ordering (#​9169) by @​IWANABETHATGUY
• add document for RenderedModule (#​9147) by @​sapphi-red

⚡ Performance

• rolldown_plugin_vite_import_glob: skip self-import earlier using raw path comparison (#​9193) by @​shulaoda

🧪 Testing

• lazy: add playground/lazy-compilation (#​7974) by @​hyf0

⚙️ Miscellaneous Tasks

• use app token for release PR (#​9198) by @​Boshen
• upgrade oxc to 0.127.0 (#​9194) by @​Dunqing
• use oxc security action (#​9196) by @​Boshen
• esbuild-tests: remove some tests from ignored list as enum inline is now supported (#​9184) by @​sapphi-red
• deps: update dependency vite-plus to v0.1.19 (#​9183) by @​renovate[bot]
• use vp instead of pnpm in check-wasi-binding-deps (#​9182) by @​shulaoda
• verify wasm32-wasi binding deps match @​rolldown/browser before publish (#​9162) by @​shulaoda
• deps: update esbuild for tests to 0.28.0 (#​9172) by @​sapphi-red
• deps: update rollup submodule for tests to v4.60.2 (#​9173) by @​sapphi-red
• deps: update test262 submodule for tests (#​9174) by @​sapphi-red
• sort_modules: fix stale async-entry sort key comment (#​9170) by @​IWANABETHATGUY
• deps: update npm packages (#​9157) by @​renovate[bot]
• deps: update dependency diff to v9 (#​9158) by @​renovate[bot]
• deps: update rust crates (#​9156) by @​renovate[bot]
• run Windows CI on PRs labeled with ci: windows (#​9153) by @​hyf0
• update-test-dependencies: run setup-rust before file changes (#​9151) by @​sapphi-red
• deps: update dependency rust to v1.95.0 (#​9140) by @​renovate[bot]

❤️ New Contributors

• @​jurijzahn8019 made their first contribution in #​9136
• @​AlonMiz made their first contribution in #​9049

tinylibs/tinyexec (tinyexec)

v1.1.2

Compare Source

What's Changed

• feat: accept readonly string[] for args parameters by @​tatzyr in #​112
• chore(deps-dev): bump the development-dependencies group with 7 updates by @​dependabot[bot] in #​113
• fix: Fix typo in README by @​porada in #​114
• chore(deps-dev): bump the development-dependencies group with 5 updates by @​dependabot[bot] in #​116
• chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0 in the github-actions group by @​dependabot[bot] in #​115
• chore(deps-dev): bump the development-dependencies group with 4 updates by @​dependabot[bot] in #​117
• fix: remove normalisation of commands by @​43081j in #​118

New Contributors

• @​tatzyr made their first contribution in #​112

Full Changelog: tinylibs/tinyexec@1.1.1...1.1.2

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.