fix(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/vite-plugin (source)	^1.30.0 → ^1.30.3
@playwright/test (source)	^1.58.2 → ^1.59.0
@rolldown/pluginutils (source)	1.0.0-rc.10 → 1.0.0-rc.12
oxfmt (source)	^0.41.0 → ^0.43.0
playwright-chromium (source)	^1.58.2 → ^1.59.0
pnpm (source)	10.32.1 → 10.33.0
react-router (source)	7.13.1 → 7.13.2
rolldown (source)	1.0.0-rc.10 → 1.0.0-rc.12
srvx (source)	^0.11.12 → ^0.11.13
tsdown (source)	^0.21.4 → ^0.21.7
typescript-eslint (source)	^8.57.1 → ^8.58.0
vite (source)	^8.0.1 → ^8.0.3
vitest (source)	^4.1.0 → ^4.1.2
wrangler (source)	^4.76.0 → ^4.79.0

---

Release Notes

cloudflare/workers-sdk (@​cloudflare/vite-plugin)

v1.30.3

Compare Source

Patch Changes

• #​13111 f214760 Thanks @​dependabot! - Add missing connect key to WorkerEntrypoint and DurableObject key lists in the runner worker

  The connect method was added to the WorkerEntrypoint and DurableObject types in workerd 1.20260329.1 but was missing from the WORKER_ENTRYPOINT_KEYS and DURABLE_OBJECT_KEYS arrays used for RPC property access in the Vite plugin runner worker. This caused the compile-time exhaustiveness check to fail with the updated workers-types.

• Updated dependencies [ffbc268, 9eff028, ed20a9b, f214760, 746858a, 9aad27f, 1fc5518, b539dc7, 9282493, a532eea, cd0e971, d4c6158, 2565b1d]:

  • wrangler@​4.79.0
  • miniflare@​4.20260329.0

v1.30.2

Compare Source

Patch Changes

• #​12953 80b093e Thanks @​jamesopstad! - Fix Cannot perform I/O on behalf of a different request errors for deferred dynamic imports

  Concurrent requests that loaded the same dynamic import were previously sharing the same promise to resolve it in a Worker context. We now ensure that all imports execute within a Durable Object's IoContext before the result is returned to the Worker.

• Updated dependencies [eeaa473, 9fcdfca, bc24ec8, 1faff35, 0b4c21a, 535582d, 992f9a3, f4ea4ac, 91b7f73, f6cdab2, 53ed15a, ce65246, 7a5be20, 6b50bfa, 0386553, 9c5ebf5, 53ed15a, 53ed15a]:

  • wrangler@​4.78.0
  • miniflare@​4.20260317.3

v1.30.1

Compare Source

Patch Changes

• #​12851 86a40f0 Thanks @​jamesopstad! - Fix a bug that prevented using subpath imports for additional module types

  You can now use subpath imports for additional module types (.html, .txt, .sql, .bin, .wasm) by defining them in your package.json imports field:

  // package.json
  {
    "imports": {
      "#templates/page": "./src/templates/page.html"
    }
  }

  import page from "#templates/page";
  
  export default {
    fetch() {
      return new Response(page, {
        headers: { "Content-Type": "text/html" },
      });
    },
  } satisfies ExportedHandler;

• Updated dependencies [593c4db, b8f3309, 451dae3, 5aaaab2, 5aaaab2, f8516dd, 9c9fe30, 379f2a2, c2e9163, 6a6449e, 9a1cf29, 875da60]:

  • wrangler@​4.77.0
  • miniflare@​4.20260317.2

microsoft/playwright (@​playwright/test)

v1.59.0

Compare Source

rolldown/rolldown (@​rolldown/pluginutils)

v1.0.0-rc.12

Compare Source

🚀 Features

• chunk-optimizer: skip circular dependency check when strict execution order is enabled (#​8886) by @​hyf0

🐛 Bug Fixes

• emit build warnings during watch mode rebuilds (#​8897) by @​IWANABETHATGUY
• lazy-barrel: load import-then-export specifiers when barrel has local exports (#​8895) by @​shulaoda
• correct execution order of transferred CJS init calls (#​8877) by @​IWANABETHATGUY
• mcs: entriesAware should calculate sizes without duplication (#​8887) by @​hyf0
• non-deterministic chunk generation (#​8882) by @​sapphi-red
• is_top_level incorrectly treats strict-mode scopes as top-level (#​8878) by @​Dunqing

🚜 Refactor

• treeshake: migrate SideEffectDetector to Oxc's MayHaveSideEffects trait (#​8624) by @​Dunqing

🧪 Testing

• make dev server tests deterministic by replacing fixed sleeps with event-driven polling (#​8561) by @​Boshen

⚙️ Miscellaneous Tasks

• deps: update dependency vite-plus to v0.1.14 (#​8902) by @​camc314
• deps: update dependency oxfmt to ^0.42.0 (#​8891) by @​renovate[bot]
• deps: update rust crate oxc_sourcemap to v6.1.1 (#​8890) by @​renovate[bot]
• remove Rolldown MF plan (#​8883) by @​shulaoda
• deps: update rollup submodule for tests to v4.60.0 (#​8881) by @​sapphi-red
• deps: update test262 submodule for tests (#​8880) by @​sapphi-red
• deps: upgrade oxc crates to 0.122.0 (#​8879) by @​shulaoda

v1.0.0-rc.11

Compare Source

🚀 Features

• magicString replace with regex (#​8802) by @​IWANABETHATGUY
• support output.sourcemapExcludeSources option (#​8828) by @​sapphi-red
• support getIndentString in MagicString (#​8775) by @​IWANABETHATGUY
• MagicString ignoreList support (#​8773) by @​IWANABETHATGUY

🐛 Bug Fixes

• forward test filters through vp run (#​8870) by @​younggglcy
• types: remove pluginName from MinimalPluginContext (#​8864) by @​sapphi-red
• do not report eval?.() as direct eval (#​8860) by @​IWANABETHATGUY
• handle negative indices, overlapping ranges, and moved content in MagicString remove (#​8829) by @​IWANABETHATGUY
• enable arbitrary_precision for serde_json to fix JSON float parsing (#​8848) by @​elderapo
• resolve TypeScript lint errors (#​8841) by @​Boshen
• avoid panic on multi-byte UTF-8 chars in hash placeholder iterator (#​8790) by @​shulaoda
• ci: skip failing vite build watch raw query test (#​8840) by @​Boshen
• ci: use step-level env override to unset VITE_PLUS_CLI_BIN in vite tests (#​8838) by @​Boshen
• ci: move vite tests into CI workflow by @​Boshen
• ci: unset all VITE_PLUS_* env vars in vite-tests workflow (#​8837) by @​Boshen
• test: skip watch CLI tests on Windows (#​8830) by @​Boshen
• ci: unset VITE_PLUS_CLI_BIN in vite-tests workflow (#​8832) by @​Boshen
• remove redundant bare side-effect imports in entry/facade chunks (#​8804) by @​h-a-n-a
• magicString prepend issues (#​8797) by @​IWANABETHATGUY
• ci: use vpx instead of vp exec for pkg-pr-new (#​8827) by @​Boshen
• set order for callable plugins (#​8815) by @​sapphi-red
• handle reversed slice ranges with moved content (#​8750) by @​IWANABETHATGUY
• update emnapi to latest to avoid version mismatch (#​8781) by @​sapphi-red
• external.md on Windows OS (#​8780) by @​bddjr
• align MagicString length/isEmpty with reference magic-string (#​8776) by @​IWANABETHATGUY

🚜 Refactor

• extract canonical_ref_resolving_namespace helper (#​8836) by @​Boshen

📚 Documentation

• improve external examples for cross-platform correctness (#​8786) by @​hyf0-agent
• update reference to transform function in plugin API documentation (#​8778) by @​zOadT

⚡ Performance

• reduce timing of dervie_entries_aware_chunk_name (#​8847) by @​AliceLanniste
• bench: remove redundant sourcemap benchmark cases (#​8825) by @​Boshen
• reduce intermediate allocations in collapse_sourcemaps (#​8821) by @​Boshen
• enable parallel AST cloning on macOS (#​8814) by @​Boshen

🧪 Testing

• watch: use polling watcher and retry for watch error test (#​8772) by @​sapphi-red

⚙️ Miscellaneous Tasks

• deps: update dependency @​oxc-project/types to v0.122.0 (#​8873) by @​renovate[bot]
• publish-to-npm: use correct vp pm publish (#​8871) by @​shulaoda
• justfile: skip setup-vite-plus if vp is already installed (#​8862) by @​Boshen
• add expectWarning option to test config (#​8861) by @​IWANABETHATGUY
• justfile: support windows for just setup (#​8846) by @​AliceLanniste
• deps: update rust crates (#​8852) by @​renovate[bot]
• deps: update endbug/version-check action to v3 (#​8855) by @​renovate[bot]
• deps: update github-actions (#​8853) by @​renovate[bot]
• deps: update dependency vitepress to v2.0.0-alpha.17 (#​8854) by @​renovate[bot]
• deps: update npm packages (#​8851) by @​renovate[bot]
• bench: use mimalloc as global allocator in bench crate (#​8844) by @​IWANABETHATGUY
• reuse native build artifact in node-validation job (#​8826) by @​Boshen
• speed up CodSpeed benchmark build by disabling LTO (#​8824) by @​Boshen
• remove redundant critcmp benchmark job (#​8823) by @​Boshen
• deps: update rust crate oxc_sourcemap to v6.1.0 (#​8785) by @​renovate[bot]
• node: migrate oxlint and oxfmt to Vite+ (#​8813) by @​Boshen
• revert namespace runners for release build jobs (#​8820) by @​Boshen
• migrate runners to namespace (#​8819) by @​Boshen
• test: relax test utils path assertion to support git worktrees (#​8816) by @​younggglcy
• rename examples/lazy to examples/lazy-compilation (#​8789) by @​shulaoda
• improve "needs reproduction" wording by @​Boshen
• deps: update dependency oxlint-tsgolint to v0.17.1 (#​8807) by @​renovate[bot]
• enable 7 previously-skipped MagicString tests (#​8771) by @​IWANABETHATGUY
• upgrade oxc to 0.121.0 (#​8784) by @​shulaoda
• increase Windows dev drive size from 12GB to 20GB (#​8779) by @​Copilot

❤️ New Contributors

• @​younggglcy made their first contribution in #​8870
• @​elderapo made their first contribution in #​8848
• @​bddjr made their first contribution in #​8780
• @​zOadT made their first contribution in #​8778

oxc-project/oxc (oxfmt)

v0.43.0

Compare Source

🚀 Features

• 6ef440a oxfmt: Support bool for object style options (#​20853) (leaysgur)

v0.42.0

Compare Source

🚀 Features

• 416865a formatter,oxfmt: Add doc comments for JsdocConfig (#​20644) (leaysgur)
• 4fec907 formatter: Add JSDoc comment formatting support (#​19828) (Dunqing)

pnpm/pnpm (pnpm)

v10.33.0

Compare Source

remix-run/react-router (react-router)

v7.13.2

Compare Source

Patch Changes

• Fix clientLoader.hydrate when an ancestor route is also hydrating a clientLoader (#​14835)

• Fix type error when passing Framework Mode route components using Route.ComponentProps to createRoutesStub (#​14892)

• Fix percent encoding in relative path navigation (#​14786)

• Add future.unstable_passThroughRequests flag (#​14775)

  By default, React Router normalizes the request.url passed to your loader, action, and middleware functions by removing React Router's internal implementation details (.data suffixes, index + _routes query params).

  Enabling this flag removes that normalization and passes the raw HTTP request instance to your handlers. This provides a few benefits:

  • Reduces server-side overhead by eliminating multiple new Request() calls on the critical path
  • Allows you to distinguish document from data requests in your handlers base don the presence of a .data suffix (useful for observability purposes)

  If you were previously relying on the normalization of request.url, you can switch to use the new sibling unstable_url parameter which contains a URL instance representing the normalized location:

  // ❌ Before: you could assume there was no `.data` suffix in `request.url`
  export async function loader({ request }: Route.LoaderArgs) {
    let url = new URL(request.url);
    if (url.pathname === "/path") {
      // This check will fail with the flag enabled because the `.data` suffix will
      // exist on data requests
    }
  }
  
  // ✅ After: use `unstable_url` for normalized routing logic and `request.url`
  // for raw routing logic
  export async function loader({ request, unstable_url }: Route.LoaderArgs) {
    if (unstable_url.pathname === "/path") {
      // This will always have the `.data` suffix stripped
    }
  
    // And now you can distinguish between document versus data requests
    let isDataRequest = new URL(request.url).pathname.endsWith(".data");
  }

• Internal refactor to consolidate framework-agnostic/React-specific route type layers - no public API changes (#​14765)

• Sync protocol validation to rsc flows (#​14882)

• Add a new unstable_url: URL parameter to route handler methods (loader, action, middleware, etc.) representing the normalized URL the application is navigating to or fetching, with React Router implementation details removed (.datasuffix, index/_routes query params) (#​14775)

  This is being added alongside the new future.unstable_passthroughRequests future flag so that users still have a way to access the normalized URL when that flag is enabled and non-normalized request's are being passed to your handlers. When adopting this flag, you will only need to start leveraging this new parameter if you are relying on the normalization of request.url in your application code.

  If you don't have the flag enabled, then unstable_url will match request.url.

rolldown/tsdown (tsdown)

v0.21.7

Compare Source

   🚀 Features

• Add module option for attw and publint to allow passing imported modules directly  -  by @​sxzz (31e90)

   🐞 Bug Fixes

• deps: Add skipNodeModulesBundle dep subpath e2e tests and fix docs  -  by @​sxzz (deff7)

    View changes on GitHub

v0.21.6

Compare Source

   🚀 Features

• Upgrade rolldown to v1.0.0-rc.12  -  by @​sxzz (51292)
• config:
  • Pass root config to workspace config functions  -  by @​sxzz (76169)
  • Use mergeConfig for workspace config merging and support variadic overrides  -  by @​sxzz (148aa)
• dts:
  • Add cjsReexport option to eliminate dual module type hazard  -  by @​mandarini and @​sxzz in #​856 (875c1)
• exports:
  • Add bin option to auto-generate package.json bin field  -  by @​sxzz in #​869 (7ebd6)

   🐞 Bug Fixes

• css:
  • Compile preprocessor langs in virtual CSS modules  -  by @​sxzz in #​865 (7b2e0)
  • Strip .module from CSS output filenames  -  by @​sxzz in #​866 (03ade)
  • Default splitting to true in unbundle mode for CSS inject  -  by @​sxzz in #​867 (a4da6)
  • Split CSS plugin into pre/post phases for scoped CSS support  -  by @​sxzz in #​870 (ff0c4)
• entry:
  • Correctly output relative paths in logger output  -  by @​sxzz (00050)

    View changes on GitHub

v0.21.5

Compare Source

   🚀 Features

• Update rolldown to 1.0.0-rc.10  -  by @​wChenonly in #​845 (41411)
• Support typescript v6  -  by @​ocavue in #​858 (bffc4)

   🐞 Bug Fixes

• css:
  • Run final minification on merged CSS output  -  by @​sxzz in #​853 (475df)
  • Don't override internal importer  -  by @​Laupetin in #​860 (af40e)
  • Use aliased exports for CSS module keys  -  by @​wChenonly and @​sxzz in #​840 (bb6de)
• deps:
  • External optionalDependencies by default  -  by @​sxzz (cd24d)
  • Resolve subpath extensions for packages without exports field  -  by @​sxzz in #​863 (c5150)
  • Correctly resolve root @types packages for dts deep imports  -  by @​brc-dd and @​sxzz in #​852 (0b276)

    View changes on GitHub

typescript-eslint/typescript-eslint (typescript-eslint)

v8.58.0

Compare Source

🚀 Features

• support TypeScript 6 (#​12124)

❤️ Thank You

• Evyatar Daud @​StyleShit

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.57.2

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitejs/vite (vite)

v8.0.3

Compare Source

Features

• update rolldown to 1.0.0-rc.12 (#​22024) (84164ef)

Bug Fixes

• html: cache unfiltered CSS list to prevent missing styles across entries (#​22017) (5464190)
• module-runner: handle non-ascii characters in base64 sourcemaps (#​21985) (77c95bf)
• module-runner: skip re-import if the runner is closed (#​22020) (ee2c2cd)
• optimizer: scan is not resolving sub path import if used in a glob import (#​22018) (ddfe20d)
• ssr: ssrTransform incorrectly rewrites meta identifier inside import.meta when a binding named meta exists (#​22019) (cff5f0c)

Miscellaneous Chores

• deps: bump picomatch from 4.0.3 to 4.0.4 (#​22027) (7e56003)

Tests

• html: add tests for getCssFilesForChunk (#​22016) (43fbbf9)

v8.0.2

Compare Source

Features

• update rolldown to 1.0.0-rc.11 (#​21998) (ff91c31)

Bug Fixes

• deps: update all non-major dependencies (#​21988) (9b7d150)

Miscellaneous Chores

• deps: update dependency @​vitejs/devtools to ^0.1.5 (#​21992) (b2dd65b)

vitest-dev/vitest (vitest)

v4.1.2

Compare Source

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (#​9975).

   🐞 Bug Fixes

• Don't resolve setupFiles from parent directory  -  by @​hi-ogawa in #​9960 (7aa93)
• Ensure sequential mock/unmock resolution  -  by @​hi-ogawa and Claude Opus 4.6 in #​9830 (7c065)
• browser: Take failure screenshot if toMatchScreenshot can't capture a stable screenshot  -  by @​macarie in #​9847 (faace)
• coverage: Correct coverageConfigDefaults values and types  -  by @​Arthie in #​9940 (b3c99)
• pretty-format: Fix output limit over counting  -  by @​hi-ogawa in #​9965 (d3b7a)
• Disable colors if agent is detected  -  by @​sheremet-va and @​AriPerkkio in #​9851 (6f97b)

    View changes on GitHub

v4.1.1

Compare Source

   🚀 Features

• experimental:
  • Expose matchesTagsFilter to test if the current filter matches tags  -  by @​sheremet-va in #​9913 (eec53)
  • Introduce experimental.vcsProvider  -  by @​sheremet-va in #​9928 (56115)

   🐞 Bug Fixes

• Mark TestProject.testFilesList internal properly  -  by @​sapphi-red in #​9867 (54f26)
• Detect fixture that returns without calling use  -  by @​oilater in #​9831 and #​9861 (633ae)
• Drop vite 8.beta support  -  by @​AriPerkkio in #​9862 (b78f5)
• Type regression in vi.mocked() static class methods  -  by @​purepear and @​hi-ogawa in #​9857 (90926)
• Properly re-evaluate actual modules of mocked external  -  by @​hi-ogawa in #​9898 (ae5ec)
• Preserve coverage report when html reporter overlaps  -  by @​hi-ogawa in #​9889 (2d81a)
• Provide vi.advanceTimers to the preview provider  -  by @​sheremet-va in #​9891 (1bc3e)
• Don't leak event listener in playwright provider  -  by @​sheremet-va in #​9910 (d9355)
• Open browser in --standalone mode without running tests  -  by @​sheremet-va in #​9911 (e78ad)
• Guard disposable and optional body  -  by @​sheremet-va in #​9912 (6fdb2)
• Resolve retry.condition RegExp serialization issue  -  by @​nstepien and @​hi-ogawa in #​9942 (7b605)
• collect:
  • Don't treat extra props on test return as tests  -  by @​sheremet-va in #​9871 (141e7)
• coverage:
  • Simplify provider types  -  by @​AriPerkkio in #​9931 (aaf9f)
  • Load built-in provider without module runner  -  by @​AriPerkkio in #​9939 (bf892)
• expect:
  • Soft assertions continue after .resolves/.rejects promise errors  -  by @​mixelburg, Maks Pikov, Claude Opus 4.6 (1M context) and @​hi-ogawa in #​9843 (6d74b)
  • Fix sinon-chai style API  -  by @​hi-ogawa in #​9943 (0f08d)
• pretty-format:
  • Limit output for large object  -  by @​hi-ogawa and Claude Opus 4.6 (1M context) in #​9949 (0d5f9)

    View changes on GitHub

cloudflare/workers-sdk (wrangler)

v4.79.0

Compare Source

Minor Changes

• #​12868 ffbc268 Thanks @​danielgek! - Add wrangler ai-search command namespace for managing Cloudflare AI Search instances

  Introduces a CLI surface for the Cloudflare AI Search API (open beta), including:

  • Instance management: ai-search list, create, get, update, delete
  • Semantic search: ai-search search with repeatable --filter key=value flags
  • Instance stats: ai-search stats

  The create command uses an interactive wizard to guide configuration. All commands require authentication via wrangler login.

• #​13097 cd0e971 Thanks @​pombosilva! - Add --local flag to Workflows commands for interacting with local dev

  All Workflows CLI commands now support a --local flag that targets a running wrangler dev session instead of the Cloudflare production API. This uses the /cdn-cgi/explorer/api/workflows endpoints served by the local dev server.

  wrangler workflows list --local
  wrangler workflows trigger my-workflow '{"key":"value"}' --local
  wrangler workflows instances describe my-workflow latest --local
  wrangler workflows instances pause my-workflow <id> --local --port 9000
  

  By default, commands continue to hit remote (production). Pass --local to opt in, and optionally --port to specify a custom dev server port (defaults to 8787).

Patch Changes

• #​13050 ed20a9b Thanks [@​dario-piotrowicz](https:/

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.