chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@types/node (source)	^24.4.0 -> ^24.8.0
esbuild	^0.25.9 -> ^0.25.11
eslint (source)	^9.35.0 -> ^9.37.0
jiti	^2.5.1 -> ^2.6.1
nypm	^0.6.1 -> ^0.6.2
pnpm (source)	10.16.1 -> 10.18.3
typescript (source)	^5.9.2 -> ^5.9.3

---

Release Notes

evanw/esbuild (esbuild)

v0.25.11

Compare Source

• Add support for with { type: 'bytes' } imports (#​4292)

  The import bytes proposal has reached stage 2.7 in the TC39 process, which means that although it isn't quite recommended for implementation, it's generally approved and ready for validation. Furthermore it has already been implemented by Deno and Webpack. So with this release, esbuild will also add support for this. It behaves exactly the same as esbuild's existing binary loader. Here's an example:

  import data from './image.png' with { type: 'bytes' }
  const view = new DataView(data.buffer, 0, 24)
  const width = view.getInt32(16)
  const height = view.getInt32(20)
  console.log('size:', width + '\xD7' + height)

• Lower CSS media query range syntax (#​3748, #​4293)

  With this release, esbuild will now transform CSS media query range syntax into equivalent syntax using min-/max- prefixes for older browsers. For example, the following CSS:

  @&#8203;media (640px <= width <= 960px) {
    main {
      display: flex;
    }
  }

  will be transformed like this with a target such as --target=chrome100 (or more specifically with --supported:media-range=false if desired):

  @​media (min-width: 640px) and (max-width: 960px) {
    main {
      display: flex;
    }
  }

v0.25.10

Compare Source

• Fix a panic in a minification edge case (#​4287)

  This release fixes a panic due to a null pointer that could happen when esbuild inlines a doubly-nested identity function and the final result is empty. It was fixed by emitting the value undefined in this case, which avoids the panic. This case must be rare since it hasn't come up until now. Here is an example of code that previously triggered the panic (which only happened when minifying):

  function identity(x) { return x }
  identity({ y: identity(123) })

• Fix @supports nested inside pseudo-element (#​4265)

  When transforming nested CSS to non-nested CSS, esbuild is supposed to filter out pseudo-elements such as ::placeholder for correctness. The CSS nesting specification says the following:

  The nesting selector cannot represent pseudo-elements (identical to the behavior of the ':is()' pseudo-class). We’d like to relax this restriction, but need to do so simultaneously for both ':is()' and '&', since they’re intentionally built on the same underlying mechanisms.

  However, it seems like this behavior is different for nested at-rules such as @supports, which do work with pseudo-elements. So this release modifies esbuild's behavior to now take that into account:

  /* Original code */
  ::placeholder {
    color: red;
    body & { color: green }
    @​supports (color: blue) { color: blue }
  }
  
  /* Old output (with --supported:nesting=false) */
  ::placeholder {
    color: red;
  }
  body :is() {
    color: green;
  }
  @​supports (color: blue) {
     {
      color: blue;
    }
  }
  
  /* New output (with --supported:nesting=false) */
  ::placeholder {
    color: red;
  }
  body :is() {
    color: green;
  }
  @​supports (color: blue) {
    ::placeholder {
      color: blue;
    }
  }

eslint/eslint (eslint)

v9.37.0

Compare Source

v9.36.0

Compare Source

unjs/jiti (jiti)

v2.6.1

Compare Source

compare changes

🩹 Fixes

• interop: Only passthrough default if it is not a promise (#​408)

📦 Build

• Revert to terser-webpack-plugin (#​407)

🏡 Chore

• Update bench (037c646)
• Update deps (974ca40)
• Remove unused code (8b41497)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Kricsleo (@​kricsleo)

v2.6.0

Compare Source

compare changes

🔥 Performance

• Lazy load babel transform (#​405)

🩹 Fixes

• cjs-interop: Handle function default exports (#​396)
• Always use native for node: specifiers (#​392)

📦 Build

• Migrate to rspack (#​404)

🏡 Chore

• Update deps (5123334)

✅ Tests

• Update deno and bun native test ignores (df844f8)
• New bench script (6404427)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Volodymyr Kolesnykov (@​sjinks)
• Jungwoo LEE <jungwoo3490@​naver.com>

unjs/nypm (nypm)

v0.6.2

Compare Source

compare changes

🚀 Enhancements

• runScript: Support custom env (#​215)
• dlx and packages option for dlxCommand (#​218)

🏡 Chore

• Update deps (71dd2a2)
• Uopdate deps (539afd3)
• Update readme (3e9f5d3)

❤️ Contributors

• Rihan (@​RihanArfan)
• Pooya Parsa (@​pi0)
• Fedor Chubukov (@​Exeteres)

pnpm/pnpm (pnpm)

v10.18.3

Compare Source

Patch Changes

• Fix a bug where pnpm would infinitely recurse when using verifyDepsBeforeInstall: install and pre/post install scripts that called other pnpm scripts #​10060.
• Fixed scoped registry keys (e.g., @scope:registry) being parsed as property paths in pnpm config get when --location=project is used #​9362.
• Remove pnpm-specific CLI options before passing to npm publish to prevent "Unknown cli config" warnings #​9646.
• Fixed EISDIR error when bin field points to a directory #​9441.
• Preserve version and hasBin for variations packages #​10022.
• Fixed pnpm config set --location=project incorrectly handling keys with slashes (auth tokens, registry settings) #​9884.
• When both pnpm-workspace.yaml and .npmrc exist, pnpm config set --location=project now writes to pnpm-workspace.yaml (matching read priority) #​10072.
• Prevent a table width error in pnpm outdated --long #​10040.
• Sync bin links after injected dependencies are updated by build scripts. This ensures that binaries created during build processes are properly linked and accessible to consuming projects #​10057.

v10.18.2

Compare Source

Patch Changes

• pnpm outdated --long should work #​10040.
• Replace ndjson with split2. Reduce the bundle size of pnpm CLI #​10054.
• pnpm dlx should request the full metadata of packages, when minimumReleaseAge is set #​9963.
• pnpm version switching should work when the pnpm home directory is in a symlinked directory #​9715.
• Fix EPIPE errors when piping output to other commands #​10027.

v10.18.1

Compare Source

Patch Changes

• Don't print a warning, when --lockfile-only is used #​8320.
• pnpm setup creates a command shim to the pnpm executable. This is needed to be able to run pnpm self-update on Windows #​5700.
• When using pnpm catalogs and running a normal pnpm install, pnpm produced false positive warnings for "skip adding to the default catalog because it already exists". This warning now only prints when using pnpm add --save-catalog as originally intended.

v10.18.0

Compare Source

Minor Changes

• Added network performance monitoring to pnpm by implementing warnings for slow network requests, including both metadata fetches and tarball downloads.

  Added configuration options for warning thresholds: fetchWarnTimeoutMs and fetchMinSpeedKiBps.
  Warning messages are displayed when requests exceed time thresholds or fall below speed minimums

  Related PR: #​10025.

Patch Changes

• Retry filesystem operations on EAGAIN errors #​9959.
• Outdated command respects minimumReleaseAge configuration #​10030.
• Correctly apply the cleanupUnusedCatalogs configuration when removing dependent packages.
• Don't fail with a meaningless error when scriptShell is set to false #​8748.
• pnpm dlx should not fail when minimumReleaseAge is set #​10037.

v10.17.1

Compare Source

Patch Changes

• When a version specifier cannot be resolved because the versions don't satisfy the minimumReleaseAge setting, print this information out in the error message #​9974.
• Fix state.json creation path when executing pnpm patch in a workspace project #​9733.
• When minimumReleaseAge is set and the latest tag is not mature enough, prefer a non-deprecated version as the new latest #​9987.

v10.17.0

Compare Source

Minor Changes

• The minimumReleaseAgeExclude setting now supports patterns. For instance:

  minimumReleaseAge: 1440
  minimumReleaseAgeExclude:
    - "@​eslint/*"

  Related PR: #​9984.

Patch Changes

• Don't ignore the minimumReleaseAge check, when the package is requested by exact version and the packument is loaded from cache #​9978.
• When minimumReleaseAge is set and the active version under a dist-tag is not mature enough, do not downgrade to a prerelease version in case the original version wasn't a prerelease one #​9979.

microsoft/TypeScript (typescript)

v5.9.3

Compare Source

---

Configuration

📅 Schedule: Branch creation - "after 2am and before 3am" (UTC), Automerge - "after 1am and before 2am" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.