chore(deps): bump the npm_and_yarn group across 4 directories with 16 updates

[dependabot]

Bumps the npm_and_yarn group with 14 updates in the / directory:

Package	From	To
@babel/plugin-transform-modules-systemjs	7.25.9	7.29.7
@tootallnate/once	2.0.0	2.0.1
brace-expansion	1.1.11	1.1.15
dompurify	2.5.8	2.5.9
fast-uri	3.0.5	3.1.2
follow-redirects	1.15.9	1.16.0
handlebars	4.7.8	4.7.9
immutable	4.3.7	4.3.8
picomatch	2.3.1	2.3.2
protobufjs	6.11.4	6.11.6
socket.io-parser	3.3.4	3.3.5
undici	5.28.5	5.29.0
velocityjs	2.0.6	2.1.6
yaml	1.10.2	1.10.3

Bumps the npm_and_yarn group with 1 update in the /dynamic-script directory: vite.
Bumps the npm_and_yarn group with 1 update in the /evidence-display directory: vite.
Bumps the npm_and_yarn group with 1 update in the /sdk directory: vitest.

Updates @babel/plugin-transform-modules-systemjs from 7.25.9 to 7.29.7

Release notes

Sourced from @​babel/plugin-transform-modules-systemjs's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18014 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #18001 [7.x packport]Improve input source map handling (@​JLHwung)
• babel-core, babel-generator
  • #17998 Preserve original identifier names from input sourcemaps (#17992) (@​Andarist)

Committers: 3

• Huáng Jùnliàng (@​JLHwung)
• Mateusz Burzyński (@​Andarist)
• Nicolò Ribaudo (@​nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

• babel-preset-env
  • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser

... (truncated)

Commits

• 4fba754 v7.29.7
• a458f66 v7.29.4
• 32ebd5a [7.x backport]fix(systemjs): improve module string name support (#17974)
• aa8394e v7.29.0
• 0053db6 Update polyfill packages (#17727)
• 61647ae v7.28.5
• a177d55 [Babel 8] Use t.traverseFast to replace some path.traverse (#17518)
• eebd3a0 v7.27.1
• 317e332 Enforce node protocol import (#17207)
• fdc0fb5 [Babel 8] Bump nodejs requirements to ^20.19.0 || >= 22.12.0 (#17204)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​babel/plugin-transform-modules-systemjs since your current version.

Updates @tootallnate/once from 2.0.0 to 2.0.1

Release notes

Sourced from @​tootallnate/once's releases.

v2.0.1

Patch Changes

• a1e5e2d: Fix promise hang when AbortSignal is aborted

Changelog

Sourced from @​tootallnate/once's changelog.

2.0.1

Patch Changes

• a1e5e2d: Fix promise hang when AbortSignal is aborted

Commits

• bcbb21d ci: fix OIDC publishing — Node 24, npm latest, provenance
• dc24387 Version Packages (2.x) (#12)
• b8a6f80 CI: test all Node versions on Linux only
• dabcc0f ci: drop EOL Node.js 14.x/16.x, add 22.x
• b464efc Update CI: modern Node versions, fix macOS ARM64 compat
• a1e5e2d Fix promise hang when AbortSignal is aborted
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tootallnate/once since your current version.

Updates brace-expansion from 1.1.11 to 1.1.15

Release notes

Sourced from brace-expansion's releases.

v1.1.15

• Backport v5.0.6 change to v1 (#111) 0b09384

---

juliangruber/brace-expansion@v1.1.14...v1.1.15

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 2203f4f 1.1.15
• 0b09384 Backport v5.0.6 change to v1 (#111)
• 10c05fc 1.1.14
• 1afa1b2 Add opt-in { max } mitigation to v1 legacy line (#103)
• 2fbb6a2 Revert "Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)" (#102)
• 0d7652e Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)
• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• Additional commits viewable in compare view

Updates dompurify from 2.5.8 to 2.5.9

Release notes

Sourced from dompurify's releases.

DOMPurify 2.5.9

• Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing

Commits

• 0951ca4 chore: Updated minor version on demo website
• 1049002 Getting 2.x branch ready for 2.5.9 release
• ca136fa Merge branch '2.x' of github.com:cure53/DOMPurify into 2.x
• d59bfe7 fix: Added fixes for the jsdom parser issue in 2.x
• d13358d Update README.md
• 25b59f6 Update README.md
• d5a8731 Update README.md
• 58a799f Update README.md
• 184e548 Update README.md
• cfce1dd Update README.md
• Additional commits viewable in compare view

Updates fast-uri from 3.0.5 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

• Fix for GHSA-v39h-62p7-jpjc

What's Changed

• Handle malformed fragment decoding as a parse error by @​mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

• Fix for GHSA-q3j6-qgpj-74h6

What's Changed

• build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @​dependabot[bot] in fastify/fast-uri#148
• build(deps): bump actions/checkout from 4 to 5 by @​dependabot[bot] in fastify/fast-uri#149
• chore(.npmrc): ignore scripts by @​Fdawgs in fastify/fast-uri#150
• build(deps-dev): remove @​fastify/pre-commit by @​Fdawgs in fastify/fast-uri#151
• build(deps): bump actions/setup-node from 4 to 5 by @​dependabot[bot] in fastify/fast-uri#152
• ci(ci): add concurrency config by @​Fdawgs in fastify/fast-uri#153
• build(deps): bump actions/setup-node from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#154
• build(deps): bump actions/checkout from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#156
• chore(license): standardise license notice by @​Fdawgs in fastify/fast-uri#159
• style: remove trailing whitespace by @​Fdawgs in fastify/fast-uri#161
• ci: remove unused github files by @​Tony133 in fastify/fast-uri#162
• chore: update readme by @​Tony133 in fastify/fast-uri#164
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#165
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#166
• build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in fastify/fast-uri#167
• ci: add lock-threads workflow by @​Fdawgs in fastify/fast-uri#169

New Contributors

• @​Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

v3.1.0

What's Changed

• ci: remove master branch support by @​Fdawgs in fastify/fast-uri#126
• chore(test) remove .gitkeep by @​Fdawgs in fastify/fast-uri#128
• ci(ci): set job permissions by @​Fdawgs in fastify/fast-uri#129
• ci: set permissions at workflow level by @​Fdawgs in fastify/fast-uri#131
• ci: set workflow permissions to read-only by default by @​Fdawgs in fastify/fast-uri#132
• ci(ci): restore job level permissions by @​Fdawgs in fastify/fast-uri#133
• build(deps-dev): bump tsd from 0.31.2 to 0.32.0 by @​dependabot[bot] in fastify/fast-uri#134
• ci(ci): pin actions to commit-hash by @​Fdawgs in fastify/fast-uri#135
• ci: add node 24 to test matrix by @​Fdawgs in fastify/fast-uri#136

... (truncated)

Commits

• 919dd8e Bumped v3.1.2
• c65ba57 fixup: linting
• 6c86c17 Merge commit from fork
• a95158a Handle malformed fragment decoding without throwing (#171)
• cea547c Bumped v3.1.1
• 876ce79 Merge commit from fork
• dcdf690 ci: add lock-threads workflow (#169)
• c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
• 9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
• 85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
• Additional commits viewable in compare view

Updates follow-redirects from 1.15.9 to 1.16.0

Commits

• 0c23a22 Release version 1.16.0 of the npm package.
• 844c4d3 Add sensitiveHeaders option.
• 5e8b8d0 ci: add Node.js 24.x to the CI matrix
• 7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
• 86dc1f8 Sanitizing input.
• 21ef28a Release version 1.15.11 of the npm package.
• 7c88135 Roll back tree shaking.
• 6e389ba Release version 1.15.10 of the npm package.
• 5bc496e Shake me up before you go-go.
• 694d6b4 Bump minimist from 1.2.5 to 1.2.8
• See full diff in compare view

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5
  • GHSA-2w6w-674q-4c4q
  • GHSA-3mfm-83xf-c92r
  • GHSA-xhpv-hc6g-r9c6
  • GHSA-xjpj-3mr7-gcpf
  • GHSA-9cx6-37pm-9jff
  • GHSA-2qvq-rjwj-gvw9
  • GHSA-7rx3-28cr-v5wh
  • GHSA-442j-39wm-28r2

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5

Commits

Commits

• dce542c v4.7.9
• 8a41389 Update release notes
• 68d8df5 Fix security issues
• b2a0831 Fix browser tests
• 9f98c16 Fix release script
• 45443b4 Revert "Improve partial indenting performance"
• 8841a5f Fix CI errors with linting
• e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
• e914d60 Improve rendering performance
• 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
• Additional commits viewable in compare view

Updates immutable from 4.3.7 to 4.3.8

Release notes

Sourced from immutable's releases.

v4.3.8

Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

Changelog

Sourced from immutable's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning. Dates are formatted as YYYY-MM-DD.

Unreleased

• fix(IndexedCollection): has(index) on a lazy Seq of unknown size now checks index existence instead of searching for a value equal to the index

5.1.6

• fix(reverseFactory): read reversedSequence.size in __iterator instead of this #2196

5.1.5

• Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

5.1.4

• Migrate some files to TS by @​jdeniau in immutable-js/immutable-js#2125
  • Iterator.ts
  • PairSorting.ts
  • toJS.ts
  • Math.ts
  • Hash.ts
• Extract CollectionHelperMethods and convert to TS by @​jdeniau in immutable-js/immutable-js#2131
• Use npm trusted publishing only to avoid token stealing.

Documentation

• Fix/a11y issues by @​lyannel in immutable-js/immutable-js#2136
• Doc add Map.get signature update by @​borracciaBlu in immutable-js/immutable-js#2138
• fix(doc):minor-issues#2132 by @​JayMeDotDot in immutable-js/immutable-js#2133
• Fix algolia search by @​jdeniau in immutable-js/immutable-js#2135
• Typo in OrderedMap by @​jdeniau in immutable-js/immutable-js#2144

Internal

• chore: Sort all imports and activate eslint import rule by @​jdeniau in immutable-js/immutable-js#2119

5.1.3

TypeScript

• fix: allow readonly map entry constructor by @​septs in immutable-js/immutable-js#2123

Documentation

... (truncated)

Commits

• 485cbe0 4.3.8
• 6ed4eb6 Merge commit from fork
• 94bcd3c fix new proto key injection
• faeb58b fix Prototype Pollution in mergeDeep, toJS, etc.
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for immutable since your current version.

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates protobufjs from 6.11.4 to 6.11.6

Commits

• 869caf6 chore: rebuild and release 6.11.6
• 086916b fix: filter invalid characters from the type name (#2127) (#2221)
• 70544ee fix: rebuild and release 6.11.5
• See full diff in compare view

Maintainer changes

This version was pushed to npm by fenster, a new releaser for protobufjs since your current version.

Updates socket.io-parser from 3.3.4 to 3.3.5

Release notes

Sourced from socket.io-parser's releases.

socket.io-parser@3.3.5

This release includes a fix for CVE-2026-33151. Please upgrade as soon as possible.

Bug Fixes

• add a limit to the number of binary attachments (9d39f1f)

Changelog

Sourced from socket.io-parser's changelog.

3.3.5 (2026-03-17)

Bug Fixes

• add a limit to the number of binary attachments (9d39f1f)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for socket.io-parser since your current version.

Updates undici from 5.28.5 to 5.29.0

Release notes

Sourced from undici's releases.

v5.29.0

What's Changed

• Fix tests in v5.x for Node 20 by @​mcollina in nodejs/undici#4104
• Removed clients with unrecoverable errors from the Pool nodejs/undici#4088

Full Changelog: nodejs/undici@v5.28.5...v5.29.0

Commits

• 9528f68 Bumped v5.29.0
• f1d75a4 increase timeout for redirect test
• 2d31ed6 remove fuzzing tests
• 6b36d49 fix redirect test in Node v16
• 648dd8f more fix for the wpt runner on Windows
• a0516ba don't use internal header state for cookies (#3295)
• 87ce4af fix test/client for node 20
• c2c8fd5 fix: accept v20 SSL specific error for alpn selection in http/2
• 82200bd [v6.x] fix wpts on windows (#4093)
• 47546fa test: fix windows wpt (#4050)
• Additional commits viewable in compare view

Updates velocityjs from 2.0.6 to 2.1.6

Changelog

Sourced from velocityjs's changelog.

v2.1.6

• fix: guard #set paths against prototype pollution [#188](https://github.com/shepherdwind/velocity.js/issues/188)
• chore(deps): bump postcss from 8.5.3 to 8.5.14 [#187](https://github.com/shepherdwind/velocity.js/issues/187)
• chore(deps-dev): bump picomatch from 2.3.1 to 2.3.2 [#182](https://github.com/shepherdwind/velocity.js/issues/182)
• chore(deps-dev): bump handlebars from 4.7.8 to 4.7.9 [#183](https://github.com/shepherdwind/velocity.js/issues/183)
• chore(deps-dev): bump vite from 6.4.1 to 6.4.2 [#184](https://github.com/shepherdwind/velocity.js/issues/184)
• chore(deps): bump lodash and @​microsoft/api-extractor [#185](https://github.com/shepherdwind/velocity.js/issues/185)
• chore(deps): bump minimatch and @​microsoft/api-extractor [#180](https://github.com/shepherdwind/velocity.js/issues/180)
• chore(deps): bump rollup from 4.40.0 to 4.59.0 [#179](https://github.com/shepherdwind/velocity.js/issues/179)
• chore(deps-dev): bump vite from 6.3.6 to 6.4.1 [#175](https://github.com/shepherdwind/velocity.js/issues/175)
• chore(deps-dev): bump lodash from 4.17.21 to 4.17.23 [#177](https://github.com/shepherdwind/velocity.js/issues/177)
• Chore: Update github action node versions [#178](https://github.com/shepherdwind/velocity.js/issues/178)
• chore(deps-dev): bump js-yaml from 3.14.1 to 3.14.2 [#176](https://github.com/shepherdwind/velocity.js/issues/176)
• chore(deps-dev): bump vite from 6.3.4 to 6.3.6 [#174](https://github.com/shepherdwind/velocity.js/issues/174)
• chore(deps-dev): bump vite from 6.2.6 to 6.3.4 [#173](https://github.com/shepherdwind/velocity.js/issues/173)
• fix: guard set paths against prototype pollution b9a030d
• fix: preserve set assignments after rhs side effects 6c7e6f0
• docs: explain set path prototype guards 221d197

v2.1.5

23 April 2025

• chore: update type definitions path in package.json to point to src directory 52c651a

v2.1.4

23 April 2025

• chore: update type definitions path in package.json and remove install script from package-lock.json 6b44cbb

v2.1.3

14 April 2025

• feat: add default export for velocity object [#169](https://github.com/shepherdwind/velocity.js/issues/169)
• chore: remove Chinese README and update English documentation dcc646e

v2.1.2

14 April 2025

• chore: update package-lock.json to use npm registry cbeaab3
• chore: update dependencies in package.json and package-lock.json 456e6d2
• chore: modify publish script in package.json 0f7fa8f

v2.1.1

13 April 2025

... (truncated)

Commits

• b6c39bf chore(deps): update flatted
• fdd33ae chore: update history.md
• 55afa89 Merge pull request #188 from shepherdwind/fix/set-prototype-pollution-safe-paths
• 221d197 docs: explain set path prototype guards
• 6c7e6f0 fix: preserve set assignments after rhs side effects
• b9a030d fix: guard set paths against prototype pollution
• 1ec0192 Merge pull request #187 from shepherdwind/dependabot/npm_and_yarn/postcss-8.5.14
• 3492408 chore(deps): bump postcss from 8.5.3 to 8.5.14
• 55b5c8c Merge pull request #182 from shepherdwind/dependabot/npm_and_yarn/picomatch-2...
• 384f594 Merge pull request #183 from shepherdwind/dependabot/npm_and_yarn/handlebars-...
• Additional commits viewable in compare view

Updates yaml from 1.10.2 to 1.10.3

Commits

• cfe8f04 1.10.3
• 7abcf45 fix: Catch stack overflow during CST composition
• a0252f8 chore: Add rules avoiding processing of tests/json-test-suite
• a5e83b0 style: Apply updates Prettier rules
• b8ddca0 chore: Refresh lockfile
• 395f892 ci: Use a different (working) submodule checkout
• 6fd2720 test-events: Add {} and [] indicators to flow maps & sequences
• See full diff in compare view

Updates vite from 5.4.21 to 8.0.16

Release notes

Sourced from vite's releases.

v8.0.16

Please refer to CHANGELOG.md for details.

v8.0.15

Please refer to CHANGELOG.md for details.

v8.0.14

Please refer to CHANGELOG.md for details.

v8.0.13

Please refer to CHANGELOG.md for details.

v8.0.12

Please refer to CHANGELOG.md for details.

v8.0.11

Please refer to CHANGELOG.md for details.

v8.0.10

Please refer to CHANGELOG.md for details.

v8.0.9

Please refer to CHANGELOG.md for details.

v8.0.8

Please refer to CHANGELOG.md for details.

v8.0.7

Please refer to CHANGELOG.md for details.

v8.0.6

Please refer to CHANGELOG.md for details.

v8.0.5

Please refer to CHANGELOG.md for details.

v8.0.4

Please refer to CHANGELOG.md for details.

create-vite@8.0.3

Please refer to CHANGELOG.md for details.

v8.0.3

Please refer to CHANGELOG.md for details.

create-vite@8.0.2

Please refer to CHANGELOG.md for details.

v8.0.2

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

8.0.16 (2026-06-01)

Bug Fixes

• deps: reject UNC paths for launch-editor-middleware (#22571) (50b9512)
• reject windows alternate paths (#22572) (dc245c7)

8.0.15 (2026-06-01)

Features

• send 408 on request timeout (#22476) (c85c9ee)
• update rolldown to 1.0.3 (#22538) (646dbed)

Bug Fixes

• capitalize error messages and remove spurious space in parse error (#22488) (85a0eff)
• deps: update all non-major dependencies (#22511) (2686d7d)
• dev: fix html-proxy cache key mismatch for /@fs/ HTML paths (#21762) (47c4213)
• glob: error on relative glob in virtual module when no files match (#22497) (5c8e98f)
• optimizer: close the rolldown bundle when write() rejects (#22528) (e3cfb9d)
• resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#22509) (40985f1)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22566) (3052a67)

Code Refactoring

• correct logic in collectAllModules function (#22562) (6978a9c)

8.0.14 (2026-05-21)

Features

• update rolldown to 1.0.2 (#22484) (96efc88)

Bug Fixes

• deps: update all non-major dependencies (#22471) (98b8163)
• dev: handle errors when sending messages to vite server (#22450) (e8e9a34)
• html: handle trailing slash paths in transformIndexHtml (#22480) (5d94d1b)
• optimizer: pass oxc jsx options to transformSync in dependency scan (#22342) (