chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@antfu/eslint-config	^8.2.0 → ^8.3.0
@guiiai/logg	>= 1 → >= 1.2.11
@types/node (source)	^25.6.0 → ^25.9.1
bumpp	^11.0.1 → ^11.1.0
eslint (source)	^10.2.0 → ^10.4.0
eslint-plugin-oxlint	^1.60.0 → ^1.66.0
nanoid	>=5 → >=5.1.11
oxlint (source)	^1.60.0 → ^1.66.0
pnpm (source)	10.33.0 → 10.33.4
publint (source)	^0.3.18 → ^0.3.21
taze	^19.11.0 → ^19.14.1
tsdown (source)	^0.17.4 → ^0.22.0
typescript (source)	^6.0.2 → ^6.0.3
vite (source)	^8.0.8 → ^8.0.14
vitest (source)	^4.1.4 → ^4.1.7

---

Release Notes

antfu/eslint-config (@​antfu/eslint-config)

v8.3.0

Compare Source

   🚀 Features

• Make perfectionist configurable inside antfu()  -  by @​oliver139 in #​848 (ae1d6)
• stylistic: Allow easy setting brace style  -  by @​oliver139 in #​846 (bd784)
• svelte: Use recommended rules  -  by @​Jungzl in #​842 (6c839)

   🐞 Bug Fixes

• markdown: Scope user rule overrides away from md files  -  by @​antfu and Claude Opus 4.7 (1M context) in #​844 (8d25a)

    View changes on GitHub

guiiai/logg (@​guiiai/logg)

v1.2.11

Compare Source

   🚀 Features

• Hyperlink option  -  by @​Neko-233 in #​26 (226da)

    View changes on GitHub

v1.2.10

Compare Source

   🐞 Bug Fixes

• Export  -  by @​luoling8192 (3425f)

    View changes on GitHub

v1.2.9

Compare Source

   🚀 Features

• Context  -  by @​luoling8192 (a06d9)

    View changes on GitHub

v1.2.8

Compare Source

No significant changes

    View changes on GitHub

v1.2.7

Compare Source

v1.2.6

Compare Source

What's Changed

• fix: improve stack trace filtering in createLogger by @​luoling8192 in #​24

Full Changelog: guiiai/logg@v1.2.5...v1.2.6

v1.2.5

Compare Source

v1.2.4

Compare Source

v1.2.3

Compare Source

v1.2.2

Compare Source

Full Changelog: guiiai/logg@v1.2.1...v1.2.2

v1.2.1

Compare Source

v1.2.0

Compare Source

v1.1.0

Compare Source

What's Changed

• feat: enhance logging functionality with error stack parsing and hyperlink support by @​luoling8192 in #​16
• chore: bump deps, lint by @​luoling8192 in #​17

Full Changelog: guiiai/logg@v1.0.10...v1.1.0

v1.0.10

Compare Source

v1.0.9

Compare Source

v1.0.8

Compare Source

v1.0.7

Compare Source

v1.0.6

Compare Source

v1.0.5

Compare Source

v1.0.4

Compare Source

v1.0.3

Compare Source

v1.0.2

Compare Source

v1.0.1

Compare Source

antfu-collective/bumpp (bumpp)

v11.1.0

Compare Source

   🐞 Bug Fixes

• Inherit stdio for git push to support windows SSH passphrase  -  by @​awdr74100 in #​122 (a30af)
• cli: Prevent empty CLI files from overriding config-file files  -  by @​benny123tw in #​120 (4e42e)

    View changes on GitHub

eslint/eslint (eslint)

v10.4.0

Compare Source

v10.3.0

Compare Source

v10.2.1

Compare Source

oxc-project/eslint-plugin-oxlint (eslint-plugin-oxlint)

v1.66.0

Compare Source

No significant changes

    View changes on GitHub

v1.65.0

Compare Source

No significant changes

    View changes on GitHub

v1.64.0

Compare Source

No significant changes

    View changes on GitHub

v1.63.0

Compare Source

   🐞 Bug Fixes

• Ignore @​typescript-eslint/consistent-type-imports for vue, astro, and svelte files  -  by @​Sysix in #​710 (e9eb2)

    View changes on GitHub

v1.62.0

Compare Source

No significant changes

    View changes on GitHub

v1.61.0

Compare Source

No significant changes

    View changes on GitHub

ai/nanoid (nanoid)

v5.1.11

Compare Source

• Fixed breaking Nano ID by requesting big ID.

v5.1.10

Compare Source

• Fixed breaking Nano ID by requesting big ID (by @​alanzabihi).

v5.1.9

Compare Source

• Fixed npm package size regression.

v5.1.8

Compare Source

• Made cusatomAlphabet 75% faster (by @​saripovdenis).

v5.1.7

Compare Source

• Added --version to CLI (by @​mahmoodhamdi).
• Updated nanoid.js for CDN (by @​mahmoodhamdi).
• Fixed docs (by @​mahmoodhamdi).
• Fixed customRandom types (by @​oguimbal).

v5.1.6

Compare Source

• Fixed infinite loop on 0 size for customAlphabet.

v5.1.5

Compare Source

• Fixed latest version on npm after 3.x release.

v5.1.4

Compare Source

• Fixed latest version on npm after 3.x release.

v5.1.3

Compare Source

• Fixed React Native support (by @​steida).

v5.1.2

Compare Source

• Fixed module docs.

v5.1.1

Compare Source

• Fixed opaque types support for non-secure generator.
• Added JSR support.

v5.1.0

Compare Source

• Added opaque types support (by @​kossnocorp).

v5.0.9

Compare Source

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

v5.0.8

Compare Source

• Reduced customAlphabet size (by @​kirillgroshkov).

v5.0.7

Compare Source

• Fixed Parcel support (by @​WilhelmYakunin).

v5.0.6

Compare Source

• Fixed React Native support.

v5.0.5

Compare Source

• Make browser’s version faster by increasing size a little (by Samuel Elgozi).

v5.0.4

Compare Source

• Fixed CLI docs (by @​ilyaboka).

v5.0.3

Compare Source

• Fixed CLI docs (by Chris Schmich).

v5.0.2

Compare Source

• Fixed webcrypto import (by Divyansh Singh).

v5.0.1

Compare Source

• Fixed Node.js 18 support.

oxc-project/oxc (oxlint)

v1.66.0

Compare Source

🚀 Features

• 0440b0f linter/eslint: Implement id-match rule (#​22379) (Vladislav Sayapin)
• 65bf119 linter: Implement react no-object-type-as-default-prop (#​22481) (uhyo)
• 2a6ddce linter/eslint: Implement no-implied-eval rule (#​22391) (Vladislav Sayapin)
• 625758a linter/vitest: Implement padding-around-after-all-blocks rule (#​21788) (kapobajza)
• 37680b0 linter: Implement react no-unstable-nested-components (#​22248) (Jovi De Croock)
• d8d9c74 linter: Implement import/newline-after-import rule (#​19142) (Ryuya Yanagi)

v1.65.0

Compare Source

🚀 Features

• 5478fb5 linter/jsdoc: Implement require-throws-description rule (#​22386) (Mikhail Baev)
• c73225e linter/eslint: Implement prefer-arrow-callback rule (#​22312) (박천(Cheon Park))
• de82b59 linter: Add support for eslint-plugin-jsx-a11y-x (#​22356) (mehm8128)
• f44b6c8 linter: Fill schemas DummyRuleMap with built-in rules (#​22288) (Sysix)

v1.64.0

Compare Source

🚀 Features

• fbb8f22 linter: Support ignores in overrides (#​22148) (camc314)

🐛 Bug Fixes

• 25b7017 linter: Undocument override ignores option (#​22213) (camc314)

v1.63.0

Compare Source

📚 Documentation

• cacbc4a linter: Fix jest settings docs. (#​22127) (connorshea)

v1.62.0

Compare Source

🚀 Features

• 348f46c linter: Add respectEslintDisableDirectives option (#​21384) (Christian Vuerings)

🐛 Bug Fixes

• 8c425db linter: Allow string for jest version in config schema (#​21649) (camc314)

v1.61.1

Compare Source

v1.61.0

Compare Source

🚀 Features

• 38d8090 linter/jest: Implemented jest version settings in config file. (#​21522) (Said Atrahouch)

pnpm/pnpm (pnpm)

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

• Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

  A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

• Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Gold Sponsors

v10.33.3

Compare Source

v10.33.2

Compare Source

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes

• When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.

Platinum Sponsors

Gold Sponsors

publint/publint (publint)

v0.3.21

Compare Source

Patch Changes

• Suggest adding "sideEffects": false when bundler-oriented package fields or conditions are detected and the field is missing. (#​228)

v0.3.20

Compare Source

Patch Changes

• Suggest adding engines.node when it is missing from detected Node.js packages (#​226)

• Loosen "breaking change" wording in lint messages (7bb3f4f)

v0.3.19

Compare Source

Patch Changes

• Add NESTED_PACKAGE_JSON_FIELD_IGNORED to warn when published nested package.json files define "exports" or "imports", which Node.js ignores outside the package root. (#​224)

• Fix internal browser directory traversal logic (#​224)

antfu-collective/taze (taze)

v19.14.1

Compare Source

   🐞 Bug Fixes

• Complete empathic find migration  -  by @​lyzno1 in #​275 (13838)

    View changes on GitHub

v19.14.0

Compare Source

   🚀 Features

• Respect package manager maturity exclusions  -  by @​firatciftci in #​271 (2a6f9)

   🐞 Bug Fixes

• Keep version selector visible  -  by @​Perdolique and @​antfu in #​272 (91d23)

   🏎 Performance

• Reduce interactive flicker  -  by @​Perdolique in #​273 (61aa1)
• Replace find-up-simple w/ empathic  -  by @​SukkaW in #​258 (813a3)

    View changes on GitHub

v19.13.0

Compare Source

   🚀 Features

• Auto-infer maturityPeriod from pnpm/yarn workspace config  -  by @​antfu in #​268 (416c4)

   🐞 Bug Fixes

• Respect maturity period in interactive mode  -  by @​firatciftci in #​267 (d7ad4)

    View changes on GitHub

v19.12.0

Compare Source

   🚀 Features

• Add JSON schema for tazerc config  -  by @​sxzz (96e7a)
• Add stable version mode  -  by @​pnodet and @​antfu in #​266 (cc827)

   🐞 Bug Fixes

• Improve getMaxSatisfying logic to handle latest and next tags co…  -  by @​rubiin in #​264 (799e3)
• Ignoring nested bun workspaces and env support for .npmrc  -  by @​jinghaihan in #​253 (9c2f7)
• Updates locked version with a mature version  -  by @​daiyam in #​261 (a7e72)
• Don't use Array.fromAsync with tinyglobby glob  -  by @​userquin in #​255 (ddd7d)
• Guard pkgData access in packageManager integrity refresh  -  by @​thashepherd and Claude Opus 4.7 (1M context) in #​263 (53b80)

    View changes on GitHub

rolldown/tsdown (tsdown)

v0.22.0

Compare Source

   🚨 Breaking Changes

• Drop Node.js < 22.18.0 support, make unrun optional, add tsx config loader  -  by @​sxzz (a1042)
• dts: Auto-enable dts when tsconfig declaration is true  -  by @​sxzz in #​872 (085f0)
• publint: Use pkg from publint results, require publint v0.3.8+  -  by @​sxzz (413bb)

   🚀 Features

• Upgrade rolldown to 1.0.0-rc.18  -  by @​sxzz (66085)
• Upgrade rolldown to v1.0.0  -  by @​sxzz (fabba)
• exports: Auto-enable bin detection by default  -  by @​sxzz in #​873 (abda9)

   🐞 Bug Fixes

• Explicitly drop node 23 support  -  by @​sxzz (85e65)
• debug: Enhance debug logging for pack tarball  -  by @​sxzz and Copilot (5de04)
• exports: Detect types fields nested in conditional exports  -  by @​sxzz (82fa1)
• pkg: Fix duplicate configuration warning logic  -  by @​ho991217 and @​sxzz in #​935 (6a0d9)

🔄 Migration Guide

Node.js version

Upgrade to Node.js 22.18.0 or later. Bun and Deno remain supported (experimental).

unrun is no longer bundled

If your environment relies on the unrun config loader (i.e. you're on a Node version without native TypeScript support and use the default auto loader), install it manually:

npm i -D unrun

# or, alternatively, the new tsx loader:
npm i -D tsx

If you use Node.js 22.18.0+ with native TypeScript support, no change is needed — the auto loader will pick native.

dts auto-enabled from tsconfig

If your tsconfig.json has compilerOptions.declaration: true but you do not want tsdown to emit .d.ts files, opt out explicitly:

// tsdown.config.ts
export default defineConfig({
  dts: false,
})

exports.bin auto-detection

Any entry chunk containing a shebang (e.g. #!/usr/bin/env node) now causes tsdown to write a bin field in package.json automatically. The semantics differ slightly from explicit bin: true:

Value	Single shebang	Multiple shebangs	No shebangs
(unset)	Auto-set bin	Warn, skip	Silent
true	Auto-set bin	Throw	Warn
false	No bin	No bin	No bin

To opt out entirely:

export default defineConfig({
  exports: { bin: false },
})

Links

• tsdown Documentation
• v0.22.0-beta.1 Release
• v0.22.0-beta.2 Release
• v0.22.0-beta.3 Release
• Full diff from v0.21.10

v0.21.10

Compare Source

   🚀 Features

• Upgrade rolldown  -  by @​sxzz (8a449)

    View changes on GitHub

v0.21.9

Compare Source

   🚀 Features

• Upgrade rolldown  -  by @​sxzz (2d74e)
• config: Track transitive config dependencies for watch reload  -  by @​sxzz in #​919 (16e27)
• exports: Add bin to publishConfig when devExports is enabled  -  by @​sxzz in #​911 (60592)
• plugin: Add tsdownConfig and tsdownConfigResolved plugin hooks  -  by @​sxzz in #​918 (665e5)

   🐞 Bug Fixes

• Skip package.json writting when content is deeply equal  -  by @​ocavue and @​sxzz in #​913 (d8e1c)
• Skip Node.js version check in Bun  -  by @​sxzz (38afd)
• css: Detect css modules from full id for vue virtual sfc styles  -  by @​sxzz in #​917 (e6021)

    View changes on GitHub

v0.21.8

Compare Source

   🚀 Features

• Upgrade rolldown  -  by @​sxzz (7f887)
• attw: Improve ignoreRules type to autocomplete known values  -  by @​mrlubos in #​892 (c8f5c)
• create-tsdown: Add Vite Plus template option  -  by @​sxzz (daed0)
• exports: Add extensions option for subpath export keys  -  by @​SinhSinhAn and @​sxzz in #​899 (1bb7a)
• target: Add support for baseline-widely-available target  -  by @​sxzz in #​896 (d6a16)

   🐞 Bug Fixes

• Export type only for cjs dts re-export  -  by @​sxzz (25510)
• Exclude shim file from bundled dependency hint  -  by @​sxzz in #​909 (3f8de)
• dts: Skip cjs dts reexport for non-entry chunks  -  by @​sxzz (5fee2)

    View changes on GitHub

v0.21.7

Compare Source

   🚀 Features

• Add module option for attw and publint to allow passing imported modules directly  -  by @​sxzz (31e90)

   🐞 Bug Fixes

• deps: Add skipNodeModulesBundle dep subpath e2e tests and fix docs  -  by @​sxzz (deff7)

    View changes on GitHub

v0.21.6

Compare Source

   🚀 Features

• Upgrade rolldown to v1.0.0-rc.12  -  by @​sxzz (51292)
• config:
  • Pass root config to workspace config functions  -  by @​sxzz (76169)
  • Use mergeConfig for workspace config merging and support variadic overrides  -  by @​sxzz (148aa)
• dts:
  • Add cjsReexport option to eliminate dual module type hazard

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 17, reused 0, downloaded 0, added 0
Progress: resolved 18, reused 0, downloaded 0, added 0
Progress: resolved 28, reused 0, downloaded 0, added 0
 ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "tinyexec@1.2.2" (possible package takeover)

This error happened while installing the dependencies of bumpp@11.1.0

Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had trusted publisher, but this version has provenance attestation. A trust downgrade may indicate a supply chain incident.