⬆️ deps: Update dependencies (non-major)

[renovate]

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@types/node (source)	22.18.3 -> 22.18.6			devDependencies	patch
node (source)	24.7.0 -> 24.8.0				minor
pnpm (source)	10.16.1 -> 10.17.0			packageManager	minor
rolldown (source)	1.0.0-beta.37 -> 1.0.0-beta.38			devDependencies	patch

---

Release Notes

nodejs/node (node)

v24.8.0: 2025-09-10, Version 24.8.0 (Current), @​targos

Compare Source

Notable Changes

HTTP/2 Network Inspection Support in Node.js

Node.js now supports inspection of HTTP/2 network calls in Chrome DevTools for Node.js.

Usage

Write a test.js script that makes HTTP/2 requests.

const http2 = require('node:http2');

const client = http2.connect('https://nghttp2.org');

const req = client.request([
  ':path', '/',
  ':method', 'GET',
]);

Run it with these options:

node --inspect-wait --experimental-network-inspection test.js

Open about:inspect on Google Chrome and click on Open dedicated DevTools for Node.
The Network tab will let you track your HTTP/2 calls.

Contributed by Darshan Sen in #​59611.

Other Notable Changes

• [7a8e2c251d] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in node:crypto (Filip Skokan) #​59570
• [4b631be0b0] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in Web Cryptography (Filip Skokan) #​59570
• [3e4b1e732c] - (SEMVER-MINOR) crypto: add KMAC Web Cryptography algorithms (Filip Skokan) #​59647
• [b1d28785b2] - (SEMVER-MINOR) crypto: add Argon2 Web Cryptography algorithms (Filip Skokan) #​59544
• [430691d1af] - (SEMVER-MINOR) crypto: support SLH-DSA KeyObject, sign, and verify (Filip Skokan) #​59537
• [d6d05ba397] - (SEMVER-MINOR) worker: add cpu profile APIs for worker (theanarkh) #​59428

Commits

• [d913872369] - assert: cap input size in myersDiff to avoid Int32Array overflow (Haram Jeong) #​59578
• [7bbbcf6666] - benchmark: sqlite prevent create both tables on prepare selects (Bruno Rodrigues) #​59709
• [44d7b92271] - benchmark: calibrate config array-vs-concat (Rafael Gonzaga) #​59587
• [7f347fc551] - build: fix getting OpenSSL version on Windows (Michaël Zasso) #​59609
• [4a317150d5] - build: fix 'implicit-function-declaration' on OpenHarmony platform (hqzing) #​59547
• [bda32af587] - build: use windows-2025 runner (Michaël Zasso) #​59673
• [a4a8ed8f6e] - build: compile bundled uvwasi conditionally (Carlo Cabrera) #​59622
• [d944a87761] - crypto: refactor subtle methods to use synchronous import (Filip Skokan) #​59771
• [7a8e2c251d] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in node:crypto (Filip Skokan) #​59570
• [4b631be0b0] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in Web Cryptography (Filip Skokan) #​59570
• [3e4b1e732c] - (SEMVER-MINOR) crypto: add KMAC Web Cryptography algorithms (Filip Skokan) #​59647
• [b1d28785b2] - (SEMVER-MINOR) crypto: add Argon2 Web Cryptography algorithms (Filip Skokan) #​59544
• [430691d1af] - (SEMVER-MINOR) crypto: support SLH-DSA KeyObject, sign, and verify (Filip Skokan) #​59537
• [0d1e53d935] - deps: update uvwasi to 0.0.23 (Node.js GitHub Bot) #​59791
• [68732cf426] - deps: update histogram to 0.11.9 (Node.js GitHub Bot) #​59689
• [f12c1ad961] - deps: update googletest to eb2d85e (Node.js GitHub Bot) #​59335
• [45af6966ae] - deps: upgrade npm to 11.6.0 (npm team) #​59750
• [57617244a4] - deps: V8: cherry-pick 6b1b9bc (Xiao-Tao) #​59283
• [2e6225a747] - deps: update amaro to 1.1.2 (Node.js GitHub Bot) #​59616
• [1f7f6dfae6] - diagnostics_channel: revoke DEP0163 (René) #​59758
• [8671a6cdb3] - doc: stabilize --disable-sigusr1 (Rafael Gonzaga) #​59707
• [583b1b255d] - doc: update OpenSSL default security level to 2 (Jeetu Suthar) #​59723
• [9b5eb6eb50] - doc: fix missing links in the errors page (Nam Yooseong) #​59427
• [e7bf712c57] - doc: update "Type stripping in dependencies" section (Josh Kelley) #​59652
• [96db47f91e] - doc: add Miles Guicent as triager (Miles Guicent) #​59562
• [87f829bd0c] - doc: mark path.matchesGlob as stable (Aviv Keller) #​59572
• [062b2f705e] - doc: improve documentation for raw headers in HTTP/2 APIs (Tim Perry) #​59633
• [6ab9306370] - doc: update install_tools.bat free disk space (Stefan Stojanovic) #​59579
• [c8d6b60da6] - doc: fix quic session instance typo (jakecastelli) #​59642
• [61d0a2d1ba] - doc: fix filehandle.read typo (Ruy Adorno) #​59635
• [3276bfa0d0] - doc: update migration recomendations for util.is**() deprecations (Augustin Mauroy) #​59269
• [11de6c7ebb] - doc: fix missing link to the Error documentation in the http page (Alexander Makarenko) #​59080
• [f5b6829bba] - doc,crypto: add description to the KEM and supports() methods (Filip Skokan) #​59644
• [5bfdc7ee74] - doc,crypto: cleanup unlinked and self method references webcrypto.md (Filip Skokan) #​59608
• [010458d061] - esm: populate separate cache for require(esm) in imported CJS (Joyee Cheung) #​59679
• [dbe6e63baf] - esm: fix missed renaming in ModuleJob.runSync (Joyee Cheung) #​59724
• [8eb0d9d834] - fs: fix wrong order of file names in cpSync error message (Nicholas Paun) #​59775
• [e69be5611f] - fs: fix dereference: false on cpSync (Nicholas Paun) #​59681
• [2865d2ac20] - http: unbreak keepAliveTimeoutBuffer (Robert Nagy) #​59784
• [ade1175475] - http: use cached '1.1' http version string (Robert Nagy) #​59717
• [74a09482de] - inspector: undici as shared-library should pass tests (Aras Abbasi) #​59837
• [772f8f415a] - inspector: add http2 tracking support (Darshan Sen) #​59611
• [3d225572d7] - Revert "lib: optimize writable stream buffer clearing" (Yoo) #​59743
• [4fd213ce73] - lib: fix isReadable and isWritable return type value (Gabriel Quaresma) #​59089
• [39befddb87] - lib: prefer TypedArrayPrototype primordials (Filip Skokan) #​59766
• [0748160d2e] - lib: fix DOMException subclass support (Chengzhong Wu) #​59680
• [1a93df808c] - lib: revert to using default derived class constructors (René) #​59650
• [bb0755df37] - meta: bump codecov/codecov-action (dependabot[bot]) #​59726
• [45d148d9be] - meta: bump actions/download-artifact from 4.3.0 to 5.0.0 (dependabot[bot]) #​59729
• [01b66b122e] - meta: bump github/codeql-action from 3.29.2 to 3.30.0 (dependabot[bot]) #​59728
• [34f7ab5502] - meta: bump actions/cache from 4.2.3 to 4.2.4 (dependabot[bot]) #​59727
• [5806ea02af] - meta: bump actions/checkout from 4.2.2 to 5.0.0 (dependabot[bot]) #​59725
• [f667215583] - path: refactor path joining logic for clarity and performance (Lee Jiho) #​59781
• [0340fe92a6] - repl: do not cause side effects in tab completion (Anna Henningsen) #​59774
• [a414c1eb51] - repl: fix REPL completion under unary expressions (Kingsword) #​59744
• [c206f8dd87] - repl: add isValidParentheses check before wrap input (Xuguang Mei) #​59607
• [0bf9775ee2] - sea: implement sea.getAssetKeys() (Joyee Cheung) #​59661
• [bf26b478d8] - sea: allow using inspector command line flags with SEA (Joyee Cheung) #​59568
• [92128a8fe2] - src: use DictionaryTemplate for node_url_pattern (James M Snell) #​59802
• [bcb29fb84f] - src: correctly report memory changes to V8 (Yaksh Bariya) #​59623
• [44c24657d3] - src: fixup node_messaging error handling (James M Snell) #​59792
• [2cd6a3b7ec] - src: track async resources via pointers to stack-allocated handles (Anna Henningsen) #​59704
• [34d752586f] - src: fix build on NetBSD (Thomas Klausner) #​59718
• [15fa779ac5] - src: fix race on process exit and off thread CA loading (Chengzhong Wu) #​59632
• [15cbd3966a] - src: separate module.hasAsyncGraph and module.hasTopLevelAwait (Joyee Cheung) #​59675
• [88d1ca8990] - src: use non-deprecated Get/SetPrototype methods (Michaël Zasso) #​59671
• [56ac9a2d46] - src: migrate WriteOneByte to WriteOneByteV2 (Chengzhong Wu) #​59634
• [3d88aa9f2f] - src: remove duplicate code (theanarkh) #​59649
• [0718a70b2a] - src: add name for more threads (theanarkh) #​59601
• [0379a8b254] - src: remove JSONParser (Joyee Cheung) #​59619
• [90d0a1b2e9] - src,sqlite: refactor value conversion (Edy Silva) #​59659
• [5e025c7ca7] - stream: replace manual function validation with validateFunction (방진혁) #​59529
• [155a999bed] - test: skip tests failing when run under root (Livia Medeiros) #​59779
• [6313706c69] - test: update WPT for urlpattern to cff1ac1 (Node.js GitHub Bot) #​59602
• [41245ad4c7] - test: skip more sea tests on Linux ppc64le (Richard Lau) #​59755
• [df63d37ec4] - test: fix internet/test-dns (Michaël Zasso) #​59660
• [1f6c335e82] - test: mark test-inspector-network-fetch as flaky again (Joyee Cheung) #​59640
• [1798683df1] - test: skip test-fs-cp* tests that are constantly failing on Windows (Joyee Cheung) #​59637
• [4c48ec09e5] - test: deflake test-http-keep-alive-empty-line (Luigi Pinca) #​59595
• [dcdb259e85] - test_runner: fix todo inheritance (Moshe Atlow) #​59721
• [24177973a2] - test_runner: set mock timer's interval undefined (hotpineapple) #​59479
• [83d11f8a7a] - tools: print appropriate output when test aborted (hotpineapple) #​59794
• [1eca2cc548] - tools: use sparse checkout in build-tarball.yml (Antoine du Hamel) #​59788
• [89fa1a929d] - tools: remove unused actions from build-tarball.yml (Antoine du Hamel) #​59787
• [794ca3511d] - tools: do not attempt to compress tgz archive (Antoine du Hamel) #​59785
• [377bdb9b7e] - tools: add v8windbg target (Chengzhong Wu) #​59767
• [6696d1d6c9] - tools: improve error handling in node_mksnapshot (James M Snell) #​59437
• [8dbd0f13e8] - tools: add sccache to test-internet workflow (Antoine du Hamel) #​59720
• [6523c2d7d9] - tools: update gyp-next to 0.20.4 (Node.js GitHub Bot) #​59690
• [19d633f40c] - tools: add script to make reviewing backport PRs easier (Antoine du Hamel) #​59161
• [15e547b3a4] - typings: add typing for 'uv' (방진혁) #​59606
• [ad5cfcc901] - typings: add missing properties in ConfigBinding (Lee Jiho) #​59585
• [70d2d6d479] - url: add err.input to ERR_INVALID_FILE_URL_PATH (Joyee Cheung) #​59730
• [e476e43c17] - util: fix numericSeparator with negative fractional numbers (sangwook) #​59379
• [b2e8f40d15] - util: remove unnecessary template strings (btea) #​59201
• [6f79450ea2] - util: remove outdated TODO comment (haramjeong) #​59760
• [32731432ef] - util: use getOptionValue('--no-deprecation') in deprecated() (haramjeong) #​59760
• [65e4e68c90] - util: hide duplicated stack frames when using util.inspect (Ruben Bridgewater) #​59447
• [2086f3365f] - vm: sync-ify SourceTextModule linkage (Chengzhong Wu) #​59000
• [c16163511d] - wasi: fix clean target in test/wasi/Makefile (Antoine du Hamel) #​59576
• [2e54411cb6] - worker: optimize cpu profile implement (theanarkh) #​59683
• [d6d05ba397] - (SEMVER-MINOR) worker: add cpu profile APIs for worker (theanarkh) #​59428

pnpm/pnpm (pnpm)

v10.17.0

Compare Source

Minor Changes

• The minimumReleaseAgeExclude setting now supports patterns. For instance:

  minimumReleaseAge: 1440
  minimumReleaseAgeExclude:
    - "@​eslint/*"

  Related PR: #​9984.

Patch Changes

• Don't ignore the minimumReleaseAge check, when the package is requested by exact version and the packument is loaded from cache #​9978.
• When minimumReleaseAge is set and the active version under a dist-tag is not mature enough, do not downgrade to a prerelease version in case the original version wasn't a prerelease one #​9979.

rolldown/rolldown (rolldown)

v1.0.0-beta.38

Compare Source

💥 BREAKING CHANGES

• rolldown_plugin_oxc_runtime: embed helpers to support browser environment (#​6177) by @​shulaoda

🚀 Features

• rolldown: oxc v0.89.0 (#​6220) by @​Boshen
• rolldown_plugin_esm_external_require: add duplicate external detection (#​6202) by @​shulaoda
• cross module noop function optimization (#​6199) by @​IWANABETHATGUY
• support to specify scan_mode in bundler.scan (#​6204) by @​IWANABETHATGUY
• warn when transform options override tsconfig compiler options (#​6197) by @​shulaoda
• support false in resolve.alias to ignore resolution (#​6203) by @​shulaoda
• cli: remove getJsonSchema (#​6186) by @​shulaoda
• cli: add Node.js version warning for unsupported versions (#​6150) by @​Copilot
• rolldown_plugin_oxc_runtime: include version in virtual module paths (#​6179) by @​shulaoda
• add native react-refresh-wrapper plugin (#​6144) by @​sapphi-red
• rolldown_plugin_utils: add to_string_literal (#​6178) by @​sapphi-red
• improve error messages for builtin plugins (#​6175) by @​shulaoda
• indent module content in IIFE format (#​6174) by @​IWANABETHATGUY
• rolldown_error: improve N-API error handling logic (#​6171) by @​shulaoda
• rolldown_error: improve ByteLocator#byte_offset (#​6169) by @​shulaoda
• dev: skip writing to file (#​6148) by @​sapphi-red
• dev: add skip_write option (#​6151) by @​sapphi-red
• dev: ignore file metadata changes (#​6138) by @​sapphi-red
• dev: add PathsMut for debounced PollWatcher (#​6139) by @​sapphi-red
• dev: use PathsMut for debounced RecommendedWatcher (#​6137) by @​sapphi-red
• improve bundler initialization error handling (#​6132) by @​shulaoda

🐛 Bug Fixes

• rolldown_plugin_vite_resolve: correctly handle Windows drive paths with leading slash (#​6209) by @​shulaoda
• allow jsx.pragmaFrag instead of jsx.pragmaFlag (#​6200) by @​sapphi-red
• improve import-glob plugin error handling without panic (#​6106) by @​hikomoon
• Panic with "jsx": "preserve" when rewrite a memberExpression (#​6192) by @​IWANABETHATGUY
• rolldown_error: use byte_slice instead of slice for correct span handling (#​6185) by @​shulaoda
• generate valid identifier for export names with minifyInternalExports (#​6166) by @​sapphi-red
• useless __export helper usage (#​6160) by @​IWANABETHATGUY
• incremental watch modify entry module (#​6156) by @​IWANABETHATGUY
• register trace subscriber (#​6145) by @​sapphi-red
• json imports error with eval or arguments in strict mode (#​6140) by @​IWANABETHATGUY
• process is not defined in repl (#​6147) by @​IWANABETHATGUY

💼 Other

• rolldown: support to build rolldown with .wasm binding (#​6153) by @​hyf0
• rolldown: refactor build.ts to prepare to support build rolldown package with wasi binding (#​6152) by @​hyf0

🚜 Refactor

• share FlatOptions in whole build session (#​6211) by @​IWANABETHATGUY
• remove unnecessary comments in ScopeHoistingFinalizerContext (#​6205) by @​IWANABETHATGUY
• move external string/regex matching from JS to Rust (#​6201) by @​shulaoda
• rename cross_module_inline_const to cross_module_optimization (#​6193) by @​IWANABETHATGUY
• rename class and function visitor to class_decl, function_decl (#​6176) by @​IWANABETHATGUY
• rolldown_error: tweak code (#​6168) by @​shulaoda
• improve BuildDiagnostic (#​6165) by @​shulaoda
• improve RolldownBuild (#​6136) by @​shulaoda
• rolldown_error: remove unused EventKind::IoError (#​6134) by @​shulaoda
• rename CustomPathsMut to NotifyPathsMutAdapter and move to utils (#​6135) by @​hyf0

📚 Documentation

• contrib-guide: add profiling instructions for macOS (#​6183) by @​sapphi-red
• contrib-guide: update just commands (#​6181) by @​sapphi-red

⚡ Performance

• pre calculate side_effects_free_function_symbol_ref (#​6206) by @​IWANABETHATGUY
• parallel clone ast (#​6167) by @​IWANABETHATGUY
• reserve capacity for rendered modules in instantiate_chunk (#​6159) by @​sapphi-red

🧪 Testing

• hmr: ensure each test isolated to be able to be retryed (#​6142) by @​hyf0

⚙️ Miscellaneous Tasks

• deps: lock file maintenance npm packages (#​6219) by @​renovate[bot]
• deps: lock file maintenance rust crates (#​6217) by @​renovate[bot]
• deps: update github-actions (#​6213) by @​renovate[bot]
• deps: lock file maintenance npm packages (#​6215) by @​renovate[bot]
• deps: update github-actions (major) (#​6214) by @​renovate[bot]
• tweak wordings (#​6208) by @​iiio2
• fix unused import warnings (#​6196) by @​shulaoda
• correct deprecated JSDoc reference for jsx option (#​6195) by @​shulaoda
• add if: always() to wasi-test (#​6190) by @​sapphi-red
• skip @rolldown/browser build if no node related changes detected (#​6189) by @​sapphi-red
• extract wasi build to reusable workflow (#​6188) by @​sapphi-red
• deps: update dependency tsdown to v0.15.1 (#​6184) by @​renovate[bot]
• deps: update dependency rolldown-plugin-dts to v0.16.5 (#​6182) by @​renovate[bot]
• deps: update dependency rolldown-plugin-dts to v0.16.4 (#​6180) by @​renovate[bot]
• dev: implement Debug trait for DevOptions (#​6173) by @​sapphi-red
• deps: update dependency rolldown-plugin-dts to v0.16.3 (#​6172) by @​renovate[bot]
• update @​napi-rs/cli and js binding (#​6157) by @​Brooooooklyn
• ci: ensure @rolldown/browser build without errors (#​6155) by @​hyf0
• ci: ensure running wasi tests correctly (#​6154) by @​hyf0
• add more tracing instrumentation (#​6149) by @​sapphi-red
• extend timeout for rollup test (#​6143) by @​IWANABETHATGUY
• rolldown_error: remove unnecessary type_aliases.rs (#​6133) by @​shulaoda

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.