chore(deps): update non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pnpm (source)	10.20.0 -> 10.26.2
tsdown (source)	^0.16.7 -> ^0.18.0

---

Release Notes

pnpm/pnpm (pnpm)

v10.26.2: pnpm 10.26.2

Compare Source

Patch Changes

• Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #​10307.

• Fix installation of Git dependencies using annotated tags #​10335.

  Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out commit hash didn't match the stored tag object hash.

• Binaries of runtime engines (Node.js, Deno, Bun) are written to node_modules/.bin before lifecycle scripts (install, postinstall, prepare) are executed #​10244.

• Try to avoid making network calls with preferOffline #​10334.

Platinum Sponsors

Gold Sponsors

v10.26.1: pnpm 10.26.1

Compare Source

Patch Changes

• Don't fail on pnpm add, when blockExoticSubdeps is set to true #​10324.
• Always resolve git references to full commits and ensure HEAD points to the commit after checkout #​10310.

Platinum Sponsors

Gold Sponsors

v10.26.0

Compare Source

v10.25.0

Compare Source

v10.24.0

Compare Source

v10.23.0: pnpm 10.23

Compare Source

Minor Changes

• Added --lockfile-only option to pnpm list #​10020.

Patch Changes

• pnpm self-update should download pnpm from the configured npm registry #​10205.
• pnpm self-update should always install the non-executable pnpm package (pnpm in the registry) and never the @pnpm/exe package, when installing v11 or newer. We currently cannot ship @pnpm/exe as pkg doesn't work with ESM #​10190.
• Node.js runtime is not added to "dependencies" on pnpm add, if there's a engines.runtime setting declared in package.json #​10209.
• The installation should fail if an optional dependency cannot be installed due to a trust policy check failure #​10208.
• pnpm list and pnpm why now display npm: protocol for aliased packages (e.g., foo npm:is-odd@3.0.1) #​8660.
• Don't add an extra slash to the Node.js mirror URL #​10204.
• pnpm store prune should not fail if the store contains Node.js packages #​10131.

Platinum Sponsors

Gold Sponsors

v10.22.0: pnpm 10.22

Compare Source

Minor Changes

• Added support for trustPolicyExclude #​10164.

  You can now list one or more specific packages or versions that pnpm should allow to install, even if those packages don't satisfy the trust policy requirement. For example:

  trustPolicy: no-downgrade
  trustPolicyExclude:
    - chokidar@4.0.3
    - webpack@4.47.0 || 5.102.1

• Allow to override the engines field on publish by the publishConfig.engines field.

Patch Changes

• Don't crash when two processes of pnpm are hardlinking the contents of a directory to the same destination simultaneously #​10179.

Platinum Sponsors

Gold Sponsors

v10.21.0

Compare Source

rolldown/tsdown (tsdown)

v0.18.3

Compare Source

   🚀 Features

• Upgrade rolldown to 1.0.0-beta.57  -  by @​sxzz (525c0)
• Add envFile & envPrefix option  -  by @​toto6038 and @​sxzz in #​664 (d5493)
• attw: Add ignoreRules option to filter specified rule  -  by @​zyyv and Copilot in #​665 (450b0)

   🐞 Bug Fixes

• Inline PackageJson type  -  by @​sxzz (dfc43)

    View changes on GitHub

v0.18.2

Compare Source

   🚀 Features

• Support globs for noExternal / inlineOnly / exports.exclude  -  by @​sxzz and @​TheAlexLichter (84b68)
• entry: Support glob negation patterns in object entry  -  by @​Doctor-wu and @​sxzz in #​662 (8ed1b)

   🐞 Bug Fixes

• Preserve import cache for node_modules  -  by @​sxzz (426ab)
• skipNodeModulesBundle for monorepo  -  by @​sxzz (9a34f)
• attw: Show full entrypoint  -  by @​sxzz (c89c4)
• clean: Remove dot files  -  by @​sxzz (0430b)

    View changes on GitHub

v0.18.1

Compare Source

   🚀 Features

• Support glob patterns in object entry  -  by @​sxzz (bcb7a)

export default defineConfig({
  entry: {
    '*': './src/*.ts',
    'data-loaders': './src/data-loaders/entries/index.ts',
    'data-loaders/*': './src/data-loaders/entries/!(index).ts',
    'volar/*': './src/volar/entries/*.ts',
  },
}

• Upgrade rolldown to 1.0.0-beta.55  -  by @​sxzz (5be3e)
• Mark exports option as a stable feature  -  by @​sxzz (ce9e0)

   🐞 Bug Fixes

• Keep banner / footer as-is  -  by @​sxzz (f67e0)

    View changes on GitHub

v0.18.0

Compare Source

   🚨 Breaking Changes

• copy: Rework, sync behavior of rollup-plugin-copy  -  by @​sxzz (e864b)

v0.17.4

Compare Source

   🚨 Breaking Changes

• copy: Sync behavior of rollup-plugin-copy  -  by @​sxzz (e864b)

   🚀 Features

• exports: Add exclude option  -  by @​TheAlexLichter and @​sxzz in #​340 (9e634)
• shortcuts: Case insensitive  -  by @​btea in #​649 (019af)

   🐞 Bug Fixes

• Resolve cwd from user config  -  by @​sxzz (bc066)

    View changes on GitHub

v0.17.3

Compare Source

   🚀 Features

• copy: Support glob in copy  -  by @​kricsleo and @​sxzz in #​637 (c1fd4)
  • This may be a breaking change, as the behavior has changed again in v0.17.4. Please upgrade to v0.17.4 and verify the issue.

   🐞 Bug Fixes

• Print error stack  -  by @​sxzz (1c5b6)
• Add config name to rebuilt message  -  by @​sxzz (bfdc6)
• Call hooks for each format  -  by @​sxzz (19bdd)
• Merge input & output options  -  by @​sxzz (14181)

    View changes on GitHub

v0.17.2

Compare Source

   🐞 Bug Fixes

• Empty clean array  -  by @​sxzz (eae7f)

    View changes on GitHub

v0.17.1

Compare Source

   🐞 Bug Fixes

• Respect clean on watch mode  -  by @​sxzz (bfbfb)

    View changes on GitHub

v0.17.0

Compare Source

   🚨 Breaking Changes

Notable features: https://bsky.app/profile/sxzz.dev/post/3m6xi7e7d5k2b

• Rolldown native watcher  -  by @​sxzz in #​329 (1c4f8)
• Enable failOnWarn by default in CI  -  by @​sxzz in #​617 (245e7)
• Remove unconfig from configLoader  -  by @​sxzz (9d6a7)
• Support exports, publint, attw for multi-configs  -  by @​sxzz (f889a)
• refactor!(attw): rename profile value from esmOnly to esm-only  -  by @​sxzz (85c10f3)

   🚀 Features

• Export WatchPlugin  -  by @​sxzz (4ccb2)
• Add write option  -  by @​sxzz (64fea)
• Add chunks on build:done hook  -  by @​sxzz (eb45c)
• Override options by format  -  by @​sxzz (482f6)
• Upgrade rolldown to 1.0.0-beta.53  -  by @​sxzz (a04f2)
• migrate:
  • Migrate optionalDependencies  -  by @​sxzz (22fd9)
  • Use ast-grep for config file  -  by @​Doctor-wu and @​sxzz in #​620 (b0b34)

   🐞 Bug Fixes

• Move require before import  -  by @​sxzz (85c0e)
• copy: Call function  -  by @​sxzz (e4197)
• exports: Merge multi-config outputs  -  by @​pyyupsk and @​sxzz in #​625 (73984)
• migrate: Build before publish  -  by @​sxzz (bf0f5)
• workspace: Cwd defaults to config dirname, support filter for all configs  -  by @​sxzz (24f27)

   🏎 Performance

• Reload config via import-without-cache  -  by @​sxzz (0b7e4)
• Use native loader for bun  -  by @​sxzz (36dbf)

    View changes on GitHub

v0.16.8

Compare Source

   🚀 Features

• Upgrade rolldown to 1.0.0-beta.52  -  by @​sxzz (1ff67)
• Add enabled option to feature options  -  by @​sxzz (0b244)

Deprecation

• Deprecate attw.profile = 'esmOnly', use esm-only instead.

    View changes on GitHub

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 0c6c2a2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!