chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@rollup/plugin-commonjs (source)	^28.0.6 -> ^28.0.7
@rollup/plugin-node-resolve (source)	^16.0.1 -> ^16.0.3
@types/node (source)	^22.18.8 -> ^22.18.10
@types/react (source)	^19.1.16 -> ^19.2.2
@types/react-dom (source)	^19.1.9 -> ^19.2.2
bumpp	^10.2.3 -> ^10.3.1
eslint (source)	^9.36.0 -> ^9.37.0
eslint-plugin-react-refresh	^0.4.22 -> ^0.4.23
pnpm (source)	10.17.1 -> 10.18.3
rollup (source)	^4.52.3 -> ^4.52.4

---

Release Notes

rollup/plugins (@​rollup/plugin-commonjs)

v28.0.7

2025-10-14

Bugfixes

• fix: avoid hoisting dynamically required node: builtins under strictRequires (#​1909)

rollup/plugins (@​rollup/plugin-node-resolve)

v16.0.3

2025-10-13

Bugfixes

• fix: resolve bare targets of package "imports" using export maps; avoid fileURLToPath(null) (#​1908)

v16.0.2

2025-10-04

Bugfixes

• fix: error thrown with empty entry (#​1893)

antfu-collective/bumpp (bumpp)

v10.3.1

Compare Source

No significant changes

    View changes on GitHub

v10.3.0

Compare Source

   🚀 Features

• Support --release for release type  -  by @​luoling8192 in #​97 (5af7b)

    View changes on GitHub

eslint/eslint (eslint)

v9.37.0

Compare Source

ArnaudBarre/eslint-plugin-react-refresh (eslint-plugin-react-refresh)

v0.4.23

Compare Source

• Add "metadata", "generateMetadata" & "generateViewport" to allowExportNames in Next config

pnpm/pnpm (pnpm)

v10.18.3

Compare Source

Patch Changes

• Fix a bug where pnpm would infinitely recurse when using verifyDepsBeforeInstall: install and pre/post install scripts that called other pnpm scripts #​10060.
• Fixed scoped registry keys (e.g., @scope:registry) being parsed as property paths in pnpm config get when --location=project is used #​9362.
• Remove pnpm-specific CLI options before passing to npm publish to prevent "Unknown cli config" warnings #​9646.
• Fixed EISDIR error when bin field points to a directory #​9441.
• Preserve version and hasBin for variations packages #​10022.
• Fixed pnpm config set --location=project incorrectly handling keys with slashes (auth tokens, registry settings) #​9884.
• When both pnpm-workspace.yaml and .npmrc exist, pnpm config set --location=project now writes to pnpm-workspace.yaml (matching read priority) #​10072.
• Prevent a table width error in pnpm outdated --long #​10040.
• Sync bin links after injected dependencies are updated by build scripts. This ensures that binaries created during build processes are properly linked and accessible to consuming projects #​10057.

v10.18.2

Compare Source

Patch Changes

• pnpm outdated --long should work #​10040.
• Replace ndjson with split2. Reduce the bundle size of pnpm CLI #​10054.
• pnpm dlx should request the full metadata of packages, when minimumReleaseAge is set #​9963.
• pnpm version switching should work when the pnpm home directory is in a symlinked directory #​9715.
• Fix EPIPE errors when piping output to other commands #​10027.

v10.18.1

Compare Source

Patch Changes

• Don't print a warning, when --lockfile-only is used #​8320.
• pnpm setup creates a command shim to the pnpm executable. This is needed to be able to run pnpm self-update on Windows #​5700.
• When using pnpm catalogs and running a normal pnpm install, pnpm produced false positive warnings for "skip adding to the default catalog because it already exists". This warning now only prints when using pnpm add --save-catalog as originally intended.

v10.18.0

Compare Source

Minor Changes

• Added network performance monitoring to pnpm by implementing warnings for slow network requests, including both metadata fetches and tarball downloads.

  Added configuration options for warning thresholds: fetchWarnTimeoutMs and fetchMinSpeedKiBps.
  Warning messages are displayed when requests exceed time thresholds or fall below speed minimums

  Related PR: #​10025.

Patch Changes

• Retry filesystem operations on EAGAIN errors #​9959.
• Outdated command respects minimumReleaseAge configuration #​10030.
• Correctly apply the cleanupUnusedCatalogs configuration when removing dependent packages.
• Don't fail with a meaningless error when scriptShell is set to false #​8748.
• pnpm dlx should not fail when minimumReleaseAge is set #​10037.

rollup/rollup (rollup)

v4.52.4

Compare Source

2025-10-03

Bug Fixes

• Fix an issue where the wrong branch of nullish coalescing was picked (#​6133)

Pull Requests

• #​6128: Enable npm OIDC publishing (@​lukastaegert)
• #​6133: Correct nullish coalescing branch resolution for symbol left value (@​TrickyPi)
• #​6134: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)

---

Configuration

📅 Schedule: Branch creation - Only on Sunday and Saturday ( * * * * 0,6 ) in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}