Update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@tsconfig/node22 (source)	22.0.2 → 22.0.5
@tsconfig/strictest (source)	2.0.7 → 2.0.8
@types/node (source)	22.18.13 → 22.19.7
nano-staged	0.8.0 → 0.9.0
pnpm (source)	10.20.0 → 10.28.2
prettier (source)	3.6.2 → 3.8.1
tinyexec	1.0.1 → 1.0.2
tsdown (source)	0.15.12 → 0.20.1
unplugin (source)	2.3.10 → 2.3.11

---

Release Notes

tsconfig/bases (@​tsconfig/node22)

v22.0.5

Compare Source

v22.0.4

Compare Source

v22.0.3

Compare Source

pnpm/pnpm (pnpm)

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

• Security fix: prevent path traversal in directories.bin field.

• When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

  This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

  Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

• Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Gold Sponsors

v10.28.1

Compare Source

v10.28.0

Compare Source

v10.27.0

Compare Source

v10.26.2: pnpm 10.26.2

Compare Source

Patch Changes

• Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #​10307.

• Fix installation of Git dependencies using annotated tags #​10335.

  Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out commit hash didn't match the stored tag object hash.

• Binaries of runtime engines (Node.js, Deno, Bun) are written to node_modules/.bin before lifecycle scripts (install, postinstall, prepare) are executed #​10244.

• Try to avoid making network calls with preferOffline #​10334.

Platinum Sponsors

Gold Sponsors

v10.26.1: pnpm 10.26.1

Compare Source

Patch Changes

• Don't fail on pnpm add, when blockExoticSubdeps is set to true #​10324.
• Always resolve git references to full commits and ensure HEAD points to the commit after checkout #​10310.

Platinum Sponsors

Gold Sponsors

v10.26.0

Compare Source

v10.25.0

Compare Source

v10.24.0

Compare Source

v10.23.0: pnpm 10.23

Compare Source

Minor Changes

• Added --lockfile-only option to pnpm list #​10020.

Patch Changes

• pnpm self-update should download pnpm from the configured npm registry #​10205.
• pnpm self-update should always install the non-executable pnpm package (pnpm in the registry) and never the @pnpm/exe package, when installing v11 or newer. We currently cannot ship @pnpm/exe as pkg doesn't work with ESM #​10190.
• Node.js runtime is not added to "dependencies" on pnpm add, if there's a engines.runtime setting declared in package.json #​10209.
• The installation should fail if an optional dependency cannot be installed due to a trust policy check failure #​10208.
• pnpm list and pnpm why now display npm: protocol for aliased packages (e.g., foo npm:[email protected]) #​8660.
• Don't add an extra slash to the Node.js mirror URL #​10204.
• pnpm store prune should not fail if the store contains Node.js packages #​10131.

Platinum Sponsors

Gold Sponsors

v10.22.0: pnpm 10.22

Compare Source

Minor Changes

• Added support for trustPolicyExclude #​10164.

  You can now list one or more specific packages or versions that pnpm should allow to install, even if those packages don't satisfy the trust policy requirement. For example:

  trustPolicy: no-downgrade
  trustPolicyExclude:
    - [email protected]
    - [email protected] || 5.102.1

• Allow to override the engines field on publish by the publishConfig.engines field.

Patch Changes

• Don't crash when two processes of pnpm are hardlinking the contents of a directory to the same destination simultaneously #​10179.

Platinum Sponsors

Gold Sponsors

v10.21.0

Compare Source

prettier/prettier (prettier)

v3.8.1

Compare Source

v3.8.0

Compare Source

diff

🔗 Release note

v3.7.4

Compare Source

diff

LWC: Avoid quote around interpolations (#​18383 by @​kovsu)

<!-- Input -->
<div foo={bar}>   </div>

<!-- Prettier 3.7.3 (--embedded-language-formatting off) -->
<div foo="{bar}"></div>

<!-- Prettier 3.7.4 (--embedded-language-formatting off) -->
<div foo={bar}></div>

TypeScript: Fix comment inside union type gets duplicated (#​18393 by @​fisker)

// Input
type Foo = (/** comment */ a | b) | c;

// Prettier 3.7.3
type Foo = /** comment */ (/** comment */ a | b) | c;

// Prettier 3.7.4
type Foo = /** comment */ (a | b) | c;

TypeScript: Fix unstable comment print in union type comments (#​18395 by @​fisker)

// Input
type X = (A | B) & (
  // comment
  A | B
);

// Prettier 3.7.3 (first format)
type X = (A | B) &
  (// comment
  A | B);

// Prettier 3.7.3 (second format)
type X = (
  | A
  | B // comment
) &
  (A | B);

// Prettier 3.7.4
type X = (A | B) &
  // comment
  (A | B);

v3.7.3

Compare Source

diff

API: Fix prettier.getFileInfo() change that breaks VSCode extension (#​18375 by @​fisker)

An internal refactor accidentally broke the VSCode extension plugin loading.

v3.7.2

Compare Source

diff

JavaScript: Fix string print when switching quotes (#​18351 by @​fisker)

// Input
console.log("A descriptor\\'s .kind must be \"method\" or \"field\".")

// Prettier 3.7.1
console.log('A descriptor\\'s .kind must be "method" or "field".');

// Prettier 3.7.2
console.log('A descriptor\\\'s .kind must be "method" or "field".');

JavaScript: Preserve quote for embedded HTML attribute values (#​18352 by @​kovsu)

// Input
const html = /* HTML */ ` <div class="${styles.banner}"></div> `;

// Prettier 3.7.1
const html = /* HTML */ ` <div class=${styles.banner}></div> `;

// Prettier 3.7.2
const html = /* HTML */ ` <div class="${styles.banner}"></div> `;

TypeScript: Fix comment in empty type literal (#​18364 by @​fisker)

// Input
export type XXX = {
  // tbd
};

// Prettier 3.7.1
export type XXX = { // tbd };

// Prettier 3.7.2
export type XXX = {
  // tbd
};

v3.7.1

Compare Source

diff

API: Fix performance regression in doc printer (#​18342 by @​fisker)

Prettier 3.7.1 can be very slow when formatting big files, the regression has been fixed.

v3.7.0

Compare Source

diff

🔗 Release Notes

tinylibs/tinyexec (tinyexec)

v1.0.2

Compare Source

What's Changed

• refactor: migrate to tsdown by @​sxzz in #​50
• feat: OIDC publish by @​outslept in #​52
• docs: clarify documentation by @​outslept in #​54
• chore: set engine constraint by @​43081j in #​56
• test: migrate to vitest by @​43081j in #​58
• fix: read stdout/stderr in parallel by @​43081j in #​59

New Contributors

• @​sxzz made their first contribution in #​50
• @​outslept made their first contribution in #​52

Full Changelog: tinylibs/tinyexec@1.0.1...1.0.2

rolldown/tsdown (tsdown)

v0.20.1

Compare Source

   🚀 Features

• inline-only: Show warnings if bundled deps  -  by @​sxzz (1e0e7)

    View changes on GitHub

v0.20.0

Compare Source

   🚨 Breaking Changes

• Upgrade dts plugin, remove dts.resolve option  -  by @​sxzz (16655)

   🚀 Features

• Add option to disable legacy CJS warning  -  by @​sxzz (9fada)
• Apply inlineOnly option for dts files  -  by @​sxzz (7d89d)
• Upgrade rolldown to 1.0.0-beta.60  -  by @​sxzz (bb3ee)
• Upgrade rolldown to rc 1  -  by @​sxzz (1959f)
• entry: Support mixed array and object entries  -  by @​sxzz (a8083)

   🐞 Bug Fixes

• Optional parseEnv  -  by @​sxzz (be1b6)
• Reload config on restart  -  by @​sxzz (1756b)
• Config extensions typo  -  by @​aryaemami59 in #​722 (d2bb7)
• windows: Normalize path separators in build output  -  by @​ryuapp in #​719 (c4525)

   🏎 Performance

• Native filter for external plugin  -  by @​sxzz (8764e)

    View changes on GitHub

v0.19.0

Compare Source

   🚨 Breaking Changes

• Rename debugLogs to debug  -  by @​sxzz (bb4e7)
• Remove deprecated silent option  -  by @​sxzz (59015)
• devtools:
  • Rename debug to devtools, rename debug.devtools to devtools.ui  -  by @​sxzz (63e6f)
• exports:
  • Add legacy option, remove main & module fields if pure ESM  -  by @​sxzz (16841)
  • Exclude extension name for exports.exclude  -  by @​sxzz (53d38)
  • Only auto-fill types when exports.legacy  -  by @​lishaduck and @​sxzz in #​685 (7be6b)

   🚀 Features

• Add typeAssert util back  -  by @​sxzz (1d385)
• Generate CSS exports when css.splitting is disabled  -  by @​jinghaihan and @​sxzz in #​680 (b737c)
• Upgrade rolldown to 1.0.0-beta.58  -  by @​sxzz (48036)
• Expose enableDebug  -  by @​sxzz (2d922)
• Expose resolveUserConfig  -  by @​sxzz (c9acb)
• Upgrade rolldown to 1.0.0-beta.59  -  by @​sxzz (d564f)
• Clear console on rebuild start  -  by @​sxzz (78efd)
• migrate: Add monorepo support  -  by @​lauigi and @​sxzz in #​659 (efba2)

   🐞 Bug Fixes

• Print blank line only when the log level is info  -  by @​tomgao365 in #​689 (96d82)
• attw: Add --ignore-scripts to avoid lifecycle output  -  by @​Doctor-wu in #​661 (1c8b1)
• cjs: Update version check for require ESM support  -  by @​sxzz (beeff)

   🏎 Performance

• Optimize hot paths  -  by @​sxzz (7925d)

    View changes on GitHub

v0.18.4

Compare Source

   🚀 Features

• Export mergeConfig  -  by @​sxzz (ccd17)
• Warn deprecated removeNodeProtocol  -  by @​sxzz (90cd6)
• css: Add CSS code splitting support  -  by @​jinghaihan and @​sxzz in #​654 (0525f)
• entry: Support multiple patterns with same base  -  by @​sxzz (cee1b)
• exports: Add packageJson option  -  by @​sxzz (6d220)

    View changes on GitHub

v0.18.3

Compare Source

   🚀 Features

• Upgrade rolldown to 1.0.0-beta.57  -  by @​sxzz (525c0)
• Add envFile & envPrefix option  -  by @​toto6038 and @​sxzz in #​664 (d5493)
• attw: Add ignoreRules option to filter specified rule  -  by @​zyyv and Copilot in #​665 (450b0)

   🐞 Bug Fixes

• Inline PackageJson type  -  by @​sxzz (dfc43)

    View changes on GitHub

v0.18.2

Compare Source

   🚀 Features

• Support globs for noExternal / inlineOnly / exports.exclude  -  by @​sxzz and @​TheAlexLichter (84b68)
• entry: Support glob negation patterns in object entry  -  by @​Doctor-wu and @​sxzz in #​662 (8ed1b)

   🐞 Bug Fixes

• Preserve import cache for node_modules  -  by @​sxzz (426ab)
• skipNodeModulesBundle for monorepo  -  by @​sxzz (9a34f)
• attw: Show full entrypoint  -  by @​sxzz (c89c4)
• clean: Remove dot files  -  by @​sxzz (0430b)

    View changes on GitHub

v0.18.1

Compare Source

   🚀 Features

• Support glob patterns in object entry  -  by @​sxzz (bcb7a)

export default defineConfig({
  entry: {
    '*': './src/*.ts',
    'data-loaders': './src/data-loaders/entries/index.ts',
    'data-loaders/*': './src/data-loaders/entries/!(index).ts',
    'volar/*': './src/volar/entries/*.ts',
  },
}

• Upgrade rolldown to 1.0.0-beta.55  -  by @​sxzz (5be3e)
• Mark exports option as a stable feature  -  by @​sxzz (ce9e0)

   🐞 Bug Fixes

• Keep banner / footer as-is  -  by @​sxzz (f67e0)

    View changes on GitHub

v0.18.0

Compare Source

   🚨 Breaking Changes

• copy: Rework, sync behavior of rollup-plugin-copy  -  by @​sxzz (e864b)

v0.17.4

Compare Source

   🚨 Breaking Changes

• copy: Sync behavior of rollup-plugin-copy  -  by @​sxzz (e864b)

   🚀 Features

• exports: Add exclude option  -  by @​TheAlexLichter and @​sxzz in #​340 (9e634)
• shortcuts: Case insensitive  -  by @​btea in #​649 (019af)

   🐞 Bug Fixes

• Resolve cwd from user config  -  by @​sxzz (bc066)

    View changes on GitHub

v0.17.3

Compare Source

   🚀 Features

• copy: Support glob in copy  -  by @​kricsleo and @​sxzz in #​637 (c1fd4)
  • This may be a breaking change, as the behavior has changed again in v0.17.4. Please upgrade to v0.17.4 and verify the issue.

   🐞 Bug Fixes

• Print error stack  -  by @​sxzz (1c5b6)
• Add config name to rebuilt message  -  by @​sxzz (bfdc6)
• Call hooks for each format  -  by @​sxzz (19bdd)
• Merge input & output options  -  by @​sxzz (14181)

    View changes on GitHub

v0.17.2

Compare Source

   🐞 Bug Fixes

• Empty clean array  -  by @​sxzz (eae7f)

    View changes on GitHub

v0.17.1

Compare Source

   🐞 Bug Fixes

• Respect clean on watch mode  -  by @​sxzz (bfbfb)

    View changes on GitHub

v0.17.0

Compare Source

   🚨 Breaking Changes

Notable features: https://bsky.app/profile/sxzz.dev/post/3m6xi7e7d5k2b

• Rolldown native watcher  -  by @​sxzz in #​329 (1c4f8)
• Enable failOnWarn by default in CI  -  by @​sxzz in #​617 (245e7)
• Remove unconfig from configLoader  -  by @​sxzz (9d6a7)
• Support exports, publint, attw for multi-configs  -  by @​sxzz (f889a)
• refactor!(attw): rename profile value from esmOnly to esm-only  -  by @​sxzz (85c10f3)

   🚀 Features

• Export WatchPlugin  -  by @​sxzz (4ccb2)
• Add write option  -  by @​sxzz (64fea)
• Add chunks on build:done hook  -  by @​sxzz (eb45c)
• Override options by format  -  by @​sxzz (482f6)
• Upgrade rolldown to 1.0.0-beta.53  -  by @​sxzz (a04f2)
• migrate:
  • Migrate optionalDependencies  -  by @​sxzz (22fd9)
  • Use ast-grep for config file  -  by @​Doctor-wu and @​sxzz in #​620 (b0b34)

   🐞 Bug Fixes

• Move require before import  -  by @​sxzz (85c0e)
• copy: Call function  -  by @​sxzz (e4197)
• exports: Merge multi-config outputs  -  by @​pyyupsk and @​sxzz in #​625 (73984)
• migrate: Build before publish  -  by @​sxzz (bf0f5)
• workspace: Cwd defaults to config dirname, support filter for all configs  -  by @​sxzz (24f27)

   🏎 Performance

• Reload config via import-without-cache  -  by @​sxzz (0b7e4)
• Use native loader for bun  -  by @​sxzz (36dbf)

    View changes on GitHub

v0.16.8

Compare Source

   🚀 Features

• Upgrade rolldown to 1.0.0-beta.52  -  by @​sxzz (1ff67)
• Add enabled option to feature options  -  by @​sxzz (0b244)

Deprecation

• Deprecate attw.profile = 'esmOnly', use esm-only instead.

    View changes on GitHub

v0.16.7

Compare Source

   🚀 Features

• Support ci-only / local-only on addon features  -  by @​sxzz (8bbf0)

    View changes on GitHub

v0.16.6

Compare Source

   🚀 Features

• Upgrade rolldown to beta 51  -  by @​sxzz (f502b)

    View changes on GitHub

v0.16.5

Compare Source

   🚀 Features

• create-tsdown: Add react-compiler template  -  by @​elecmonkey and @​sxzz in #​604 (45229)

   🐞 Bug Fixes

• exports: Use correct indentation for output  -  by @​msigwart and @​sxzz in #​599 (4de70)

    View changes on GitHub

v0.16.4

Compare Source

   🚀 Features

• Upgrade rolldown to 1.0.0-beta.50  -  by @​sxzz (597d9)

    View changes on GitHub

v0.16.3

Compare Source

   🏎 Performance

• Replace debug with obug  -  by @​sxzz (222e9)

    View changes on GitHub

v0.16.2

Compare Source

   🚀 Features

• Upgrade rolldown to v1.0.0-beta.49  -  by @​sxzz (48181)

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.