fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sxzz/eslint-config	^7.2.8 -> ^7.3.2
@sxzz/prettier-config	^2.2.4 -> ^2.2.5
@sxzz/test-utils	^0.5.12 -> ^0.5.13
@types/node (source)	^24.10.0 -> ^24.10.1
pnpm (source)	10.21.0 -> 10.23.0
rollup (source)	^4.53.1 -> ^4.53.3
tsdown (source)	^0.16.1 -> ^0.16.7
unplugin (source)	^2.3.10 -> ^2.3.11
vite (source)	^7.2.2 -> ^7.2.4
vitest (source)	^4.0.8 -> ^4.0.14
webpack	^5.102.1 -> ^5.103.0

---

Release Notes

sxzz/eslint-config (@​sxzz/eslint-config)

v7.3.2

Compare Source

   🐞 Bug Fixes

• Baseline order  -  by @​sxzz (2fd87)

    View changes on GitHub

v7.3.1

Compare Source

   🐞 Bug Fixes

• Disable baseline in markdown  -  by @​sxzz (e4899)

    View changes on GitHub

v7.3.0

Compare Source

   🚀 Features

• Add baseline plugin  -  by @​sxzz (e9e51)

    View changes on GitHub

v7.2.10

Compare Source

   🚀 Features

• Sort overrides  -  by @​sxzz (6a452)

    View changes on GitHub

v7.2.9

Compare Source

   🐞 Bug Fixes

• Sort all pnpm workspace fields  -  by @​sxzz (4fed2)

    View changes on GitHub

sxzz/prettier-config (@​sxzz/prettier-config)

v2.2.5

Compare Source

No significant changes

    View changes on GitHub

sxzz/test-utils (@​sxzz/test-utils)

v0.5.13

Compare Source

   🚀 Features

• Add createVueProgram  -  by @​sxzz (c6554)

    View changes on GitHub

pnpm/pnpm (pnpm)

v10.23.0: pnpm 10.23

Compare Source

Minor Changes

• Added --lockfile-only option to pnpm list #​10020.

Patch Changes

• pnpm self-update should download pnpm from the configured npm registry #​10205.
• pnpm self-update should always install the non-executable pnpm package (pnpm in the registry) and never the @pnpm/exe package, when installing v11 or newer. We currently cannot ship @pnpm/exe as pkg doesn't work with ESM #​10190.
• Node.js runtime is not added to "dependencies" on pnpm add, if there's a engines.runtime setting declared in package.json #​10209.
• The installation should fail if an optional dependency cannot be installed due to a trust policy check failure #​10208.
• pnpm list and pnpm why now display npm: protocol for aliased packages (e.g., foo npm:[email protected]) #​8660.
• Don't add an extra slash to the Node.js mirror URL #​10204.
• pnpm store prune should not fail if the store contains Node.js packages #​10131.

Platinum Sponsors

Gold Sponsors

v10.22.0: pnpm 10.22

Compare Source

Minor Changes

• Added support for trustPolicyExclude #​10164.

  You can now list one or more specific packages or versions that pnpm should allow to install, even if those packages don't satisfy the trust policy requirement. For example:

  trustPolicy: no-downgrade
  trustPolicyExclude:
    - [email protected]
    - [email protected] || 5.102.1

• Allow to override the engines field on publish by the publishConfig.engines field.

Patch Changes

• Don't crash when two processes of pnpm are hardlinking the contents of a directory to the same destination simultaneously #​10179.

Platinum Sponsors

Gold Sponsors

rollup/rollup (rollup)

v4.53.3

Compare Source

2025-11-19

Bug Fixes

• Fix an error where too many modules where flagged for having an unused external import (#​6182)
• Fix an error where an assignment was wrongly tree-shaken when mutating it (#​6183)

Pull Requests

• #​6171: Add test-install CI job to test packaging, installation and importing of rollup package (@​antoninkriz, @​lukastaegert)
• #​6174: Re-enable TypeScript test (@​lukastaegert)
• #​6180: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #​6182: Tracing the importers chain for exported variables in external module (@​TrickyPi, @​lukastaegert)
• #​6183: Check if left side is included when checking if assigning to an assignment has side effects (@​lukastaegert)

v4.53.2

Compare Source

2025-11-10

Bug Fixes

• Do not throw when using invalid escape sequences in template literals (#​6177)

Pull Requests

• #​6177: handle TemplateElement with null cooked value (@​TrickyPi)

rolldown/tsdown (tsdown)

v0.16.7

Compare Source

   🚀 Features

• Support ci-only / local-only on addon features  -  by @​sxzz (8bbf0)

    View changes on GitHub

v0.16.6

Compare Source

   🚀 Features

• Upgrade rolldown to beta 51  -  by @​sxzz (f502b)

    View changes on GitHub

v0.16.5

Compare Source

   🚀 Features

• create-tsdown: Add react-compiler template  -  by @​elecmonkey and @​sxzz in #​604 (45229)

   🐞 Bug Fixes

• exports: Use correct indentation for output  -  by @​msigwart and @​sxzz in #​599 (4de70)

    View changes on GitHub

v0.16.4

Compare Source

   🚀 Features

• Upgrade rolldown to 1.0.0-beta.50  -  by @​sxzz (597d9)

    View changes on GitHub

v0.16.3

Compare Source

   🏎 Performance

• Replace debug with obug  -  by @​sxzz (222e9)

    View changes on GitHub

v0.16.2

Compare Source

   🚀 Features

• Upgrade rolldown to v1.0.0-beta.49  -  by @​sxzz (48181)
• entry: Auto enable glob, support infer entry extension  -  by @​sxzz and jinghaihan (2c525)

    View changes on GitHub

unjs/unplugin (unplugin)

v2.3.11

Compare Source

   🚀 Features

• Expose input source map for webpack-like bundlers  -  by @​sethfowler-datadog in #​565 (60ad4)

    View changes on GitHub

vitejs/vite (vite)

v7.2.4

Compare Source

Bug Fixes

• revert "perf(deps): replace debug with obug (#​21107)" (2d66b7b)

v7.2.3

Compare Source

Bug Fixes

• allow multiple bindCLIShortcuts calls with shortcut merging (#​21103) (5909efd)
• deps: update all non-major dependencies (#​21096) (6a34ac3)
• deps: update all non-major dependencies (#​21128) (4f8171e)

Performance Improvements

• deps: replace debug with obug (#​21107) (acfe939)

Miscellaneous Chores

• deps: update dependency @​rollup/plugin-commonjs to v29 (#​21099) (02ceaec)
• deps: update rolldown-related dependencies (#​21095) (39a0a15)
• deps: update rolldown-related dependencies (#​21127) (5029720)

vitest-dev/vitest (vitest)

v4.0.14

Compare Source

   🚀 Experimental Features

• browser: Expose utils.configurePrettyDOM  -  by @​sheremet-va in #​9103 (2cc34)
• runner: Add full names to tasks  -  by @​macarie in #​9087 (821aa)
• ui: Add tabbed failure view for toMatchScreenshot with comparison slider  -  by @​macarie in #​8813 (c37c2)

   🐞 Bug Fixes

• Externalize before caching  -  by @​sheremet-va in #​9077 (e1b2e)
• Collect the duration of external imports  -  by @​sheremet-va in #​9097 (3326c)
• Rename collect to import, remove prepare  -  by @​sheremet-va in #​9091 (1256b)
• browser:
  • Unsubscribe onCancel on rpc destroy  -  by @​AriPerkkio in #​9088 (f5b72)
  • Revert the viewport scaling in non-ui mode #​9018  -  by @​sheremet-va in #​9072 and #​9018 (64502)
• coverage:
  • Invalidate circular modules correctly on rerun with coverage  -  by @​aicest in #​9096 (6f22c)
• expect:
  • Allow function as standard schema  -  by @​hi-ogawa in #​9099 (ed8a2)
• jsdom:
  • Reuse abort signals if possible  -  by @​sheremet-va in #​9090 (2c468)
• pool:
  • Init VITEST_POOL_ID + VITEST_WORKER_ID before environment setup  -  by @​AriPerkkio in #​9085 (37918)
• web-worker:
  • postMessage to send ports to workers  -  by @​whitphx and @​AriPerkkio in #​9078 (9d176)

   🏎 Performance

• Replace debug with obug  -  by @​sxzz and @​AriPerkkio in #​9057 (acc51)

    View changes on GitHub

v4.0.13

Compare Source

   🐞 Bug Fixes

• types:
  • Don't use type from Vite 7.1  -  by @​sheremet-va in #​9071 (6356b)
  • Don't import node.js dependent types in vitest/browser  -  by @​sheremet-va in #​9068 (332af)

   🏎 Performance

• Avoid fetchModule roundtrip if the module is cached  -  by @​sheremet-va in #​9075 (b27e0)
• experimental: If fsCacheModule is enabled, read from the memory when possible  -  by @​sheremet-va in #​9076 (6b9a1)

    View changes on GitHub

v4.0.12

Compare Source

   🐞 Bug Fixes

• Inherit fsModuleCachePath by default  -  by @​sheremet-va in #​9063 (9a8bc)
• Don't import from @opentelemetry/api in public types  -  by @​sheremet-va in #​9066 (e944a)

    View changes on GitHub

v4.0.11

Compare Source

   🚀 Experimental Features

• api: Add extensible test artifact API  -  by @​macarie in #​8987 (77292)
  • See more at https://vitest.dev/api/advanced/artifacts
• expect: Provide task in MatchState  -  by @​macarie in #​9022 (afd1f)
• experimental: Support OpenTelemetry traces  -  by @​sheremet-va in #​8994 (d6d33)
  • See more at https://vitest.dev/guide/open-telemetry

   🏎 Performance

• experimental: Add file system cache  -  by @​sheremet-va in #​9026 (1b147)
  • See more at https://vitest.dev/config/experimental#experimental-fsmodulecache

    View changes on GitHub

v4.0.10

Compare Source

   🐞 Bug Fixes

• Remove onCancel when worker is terminated  -  by @​sheremet-va in #​9033 (6d7f0)
• browser:
  • Don't scale the iframe if UI is disabled  -  by @​sheremet-va in #​9018 (5406e)
  • Handle dependency stack traces with external source maps. Resolves: #​9003  -  by @​iclectic in #​9016 and #​9003 (57ae5)
• bun:
  • Parsing of stack trace for bun runtime  -  by @​nazarhussain in #​9032 (f3ec6)
• core:
  • Prevent starting new run when cancelling  -  by @​AriPerkkio in #​8991 (eb98d)
• pool:
  • Prevent writing to closed worker  -  by @​AriPerkkio and @​sheremet-va in #​9023 (042c6)
• reporters:
  • Report correct test run duration at the end  -  by @​sheremet-va in #​8969 (bc3a6)
• ui:
  • Use execution time from ws reporter (onFinished)  -  by @​userquin in #​8975 (f56dc)

    View changes on GitHub

v4.0.9

Compare Source

   🚀 Experimental Features

• expect: Add Set support to toBeOneOf  -  by @​tim-we and @​sheremet-va in #​8906 (a415d)

   🐞 Bug Fixes

• browser: Add favicon icons to the browser mode ui  -  by @​userquin in #​8972 (353ee)
• forks: Increase worker start timeout  -  by @​AriPerkkio in #​9027 (5e750)
• jsdom: Cloned request is an instance of Request  -  by @​sheremet-va in #​8985 (506a9)
• ui: Collect file/suite/test duration correctly  -  by @​userquin in #​8976 (8016d)

    View changes on GitHub

webpack/webpack (webpack)

v5.103.0

Compare Source

Features

• Added DotenvPlugin and top level dotenv option to enable this plugin
• Added WebpackManifestPlugin
• Added support the ignoreList option in devtool plugins
• Allow to use custom javascript parse function
• Added import.meta.env support for environment variables
• Added support for import.meta.dirname and import.meta.filename
• Added support import.defer() for statistical path
• Handle import.meta.main
• Added suport to setup named exports for JSON modules and disable usage named export for import file from "./file.json" with { type: "json" }
• Added support __dirname/__filename/import.meta.dirname/import.meta.filename for universal target
• [CSS] Added the exportType option with link (by default), "text" and css-style-sheet values
• [CSS] Added support for composes properties

Fixes

• The dependOn chunk must be loaded before the common chunk
• Return to namespace import when the external request includes a specific export
• No runtime extra runtime code for module libraries
• Delay HMR accept dependencies to preserve import attributes
• Properly handle external presets for universal target
• Fixed incorrect identifier of import binding for module externals
• Fixed when defer import and dynamic default export mixed
• Reduce generated output when globalThis supported
• Fixed loading async modules in defer import
• Reexport module for default import when no used exports for systemjs library
• Rename HarmonyExportDependencyParserPlugin exported id to CompatibilityPlugin tagged id
• Handle __dirname and __filename for ES modules
• Rename single nested __webpack_export__ and __webpack_require__ in already bundled code
• [Types] webpack function type
• [Types] NormalModule type
• [Types] Multi compiler configuration type
• [Types] Fixed regression in custom hashDigest type
• [CSS] No extra runtime for initial chunk
• [CSS] Fixed a lot of CSS modules bugs

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​sxzz/​test-utils@​0.5.12 ⏵ 0.5.13				+1
	@​sxzz/​prettier-config@​2.2.4 ⏵ 2.2.5	+13		+2	+1
	@​types/​node@​24.10.0 ⏵ 24.10.1			+1
	@​sxzz/​eslint-config@​7.2.8 ⏵ 7.3.2	-1			+1
	vite@​7.2.2 ⏵ 7.2.4	+1		+1
	unplugin@​2.3.10 ⏵ 2.3.11
	tsdown@​0.16.1 ⏵ 0.16.7	-2		-8	-4
	webpack@​5.102.1 ⏵ 5.103.0				-1
	rollup@​4.53.1 ⏵ 4.53.3
	vitest@​4.0.8 ⏵ 4.0.14	+3		+22	+2

View full report

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/unplugin-replace@71

commit: f68ff04