chore(deps-dev): bump tsdown from 0.20.3 to 0.21.0

[dependabot]

Bumps tsdown from 0.20.3 to 0.21.0.

Release notes

Sourced from tsdown's releases.

v0.21.0 - Notable Changes

Breaking Changes

Dependency options renamed to deps namespace

The dependency-related options have been moved under a new deps namespace with clearer names:

• external -> deps.neverBundle
• noExternal -> deps.alwaysBundle
• inlineOnly -> deps.onlyAllowBundle
• skipNodeModulesBundle -> deps.skipNodeModulesBundle

Before:

export default defineConfig({
  external: ['vue'],
  noExternal: ['lodash'],
})

After:

export default defineConfig({
  deps: {
    neverBundle: ['vue'],
    alwaysBundle: ['lodash'],
  },
})

The old options still work but are deprecated and will emit warnings.

failOnWarn default changed from 'ci-only' to false

If you relied on the previous behavior where warnings would fail the build in CI environments, you now need to explicitly set failOnWarn: true or failOnWarn: 'ci-only' in your config.

Node.js < 22.18.0 deprecated

tsdown now emits a deprecation warning when running on Node.js versions below 22.18.0. Plan to upgrade your Node.js version accordingly.

New Features

Experimental Node.js SEA executable bundling (exe)

tsdown can now bundle your TypeScript project into a standalone executable using Node.js Single Executable Applications (SEA). A new @tsdown/exe package provides cross-platform executable building support. See the exe documentation for details.

export default defineConfig({
  exe: true, // or { useCodeCache: true, useSnapshot: true }
</tr></table> 

... (truncated)

Commits

• 5145496 chore: release v0.21.0
• c5db6dc refactor(exe): improve nodeVersion type
• ce7abe9 feat(exe): support latest and latest-lts for nodeVersion
• 944e92a feat: support bundling .node files by default
• 1183ad3 fix(css): remove empty js chunks (#799)
• 0aae946 chore: upgrade rolldown
• 9440739 chore: release v0.21.0-beta.5
• d8a1f5c fix: resolve css files in node_modules (#795)
• 0173c6e feat(exe)!: require Node >=25.7 and default format to esm (#798)
• 288a5f0 feat(css): default css.transformer to lightningcss (#797)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	tsdown@​0.20.3 ⏵ 0.21.0			+1	+1

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Potential code anomaly (AI signal): npm @rolldown/binding-wasm32-wasi is 90.0% likely to have a medium risk anomaly Notes: The file itself does not contain overt malicious code (no network calls, no obfuscated payloads, no hardcoded credentials). However, it deliberately exposes powerful capabilities to loaded WASM modules and local scripts: it passes all environment variables into WASI and preopens the filesystem root, and it implements importScripts by reading and eval-ing local files. These choices make the environment capable of data theft or system access if untrusted wasm or scripts are executed. Treat wasm modules and files loaded via importScripts as fully trusted/native — do not run untrusted modules with this loader. Recommend restricting WASI preopens to a minimal directory and avoid passing full process.env, and avoid eval-based importScripts when possible. Confidence: 0.90 Severity: 0.60 From: ? → npm/tsdown@0.21.0 → npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm rolldown URLs: https://github.com/npm/cli/issues/4828, https://github.com/streamich/memfs, https://rolldown.rs/., output.name, https://rollupjs.org/plugin-development/#generatebundle:~:text=DANGER,this.emitFile., Function.prototype.name, Class.prototype.name, https://github.com/webpack/enhanced-resolve#resolver-options, https://webpack.js.org/configuration/resolve/, https://github.com/defunctzombie/package-browser-field-spec, https://github.com/webpack/enhanced-resolve/pull/285, https://webpack.js.org/configuration/module/#resolvefullyspecified, https://nodejs.org/api/module.html#modulebuiltinmodules, https://github.com/vitejs/vite/pull/20252, https://github.com/nodejs/node/issues/58827, https://nodejs.org/docs/latest/api/esm.html#resolution-algorithm-specification, https://github.com/dividab/tsconfig-paths-webpack-plugin#options, https://www.typescriptlang.org/tsconfig/#experimentalDecorators, https://www.typescriptlang.org/tsconfig/#emitDecoratorMetadata, https://www.typescriptlang.org/tsconfig/#stripInternal, https://oxc.rs/docs/guide/usage/transformer/jsx, https://github.com/facebook/react/tree/v18.3.1/packages/react-refresh, https://oxc.rs/docs/guide/usage/transformer/plugins#styled-components, https://oxc.rs/docs/guide/usage/transformer/typescript, https://oxc.rs/docs/guide/usage/transformer/lowering#target, https://oxc.rs/docs/guide/usage/transformer/global-variable-replacement#define, https://oxc.rs/docs/guide/usage/transformer/global-variable-replacement#inject, https://oxc.rs/docs/guide/usage/transformer/plugins, https://www.typescriptlang.org/docs/handbook/release-notes/typescript-5-5.html#isolated-declarations, https://www.typescriptlang.org/tsconfig/#declaration, https://developer.mozilla.org/en-US/docs/Glossary/IIFE, https://github.com/umdjs/umd, https://github.com/tc39/ecma426/blob/main/proposals/debug-id.md, https://cdn.jsdelivr.net/npm/d3@7, comments.legal, https://rolldown.rs/in-depth/directives, https://rolldown.rs/guide/troubleshooting#avoiding-direct-eval, https://rolldown.rs/reference/OutputOptions.globals, https://rolldown.rs/reference/OutputOptions.name, https://rolldown.rs/reference/OutputOptions.exports, https://rolldown.rs/in-depth/non-esm-output-formats#import-meta, https://rolldown.rs/reference/OutputOptions.cleanDir, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Property_accessors, https://oxc.rs/docs/guide/usage/transformer/global-variable-replacement.html#inject, https://rolldown.rs/apis/plugin-api/hook-filters, https://rolldown.rs/apis/plugin-api/inter-plugin-communication#custom-resolver-options, https://oxc.rs/docs/guide/usage/minifier/dead-code-elimination#define-pure-functions, https://oxc.rs/docs/guide/usage/minifier/dead-code-elimination#ignoring-global-variable-access-side-effects, https://oxc.rs/docs/guide/usage/minifier/dead-code-elimination#ignoring-invalid-import-statement-side-effects, exports.property, https://rolldown.rs/apis/plugin-api, https://api.example.com, https://github.com/rolldown/rolldown/issues/3615, https://rolldown.rs/in-depth/dead-code-elimination, https://github.com/rolldown/rolldown/tree/main/examples/chunk-import-map, https://github.com/rich-harris/magic-string Location: Package overview From: ? → npm/tsdown@0.21.0 → npm/rolldown@1.0.0-rc.7 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rolldown@1.0.0-rc.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm tsdown URLs: https://nodejs.org/en/learn/modules/publishing-a-package#how-did-we-get-here, 127.0.0.1, https://nodejs.org/api/single-executable-applications.html#generating-single-executable-applications-with---build-sea, https://nodejs.org/docs/latest-v14.x/api/esm.html#esm_package_json_type_field, https://nodejs.org/docs/latest-v14.x/api/esm.html#esm_exports_sugar, https://nodejs.org/api/packages.html#imports, https://classic.yarnpkg.com/blog/2018/02/15/nohoist/, https://nodejs.org/api/packages.html#packagemanager, https://docs.npmjs.com/cli/v11/using-npm/scripts#pre--post-scripts, https://docs.npmjs.com/cli/v11/using-npm/scripts#life-cycle-operation-order, https://pnpm.io/scripts#lifecycle-scripts, publishConfig.directory, https://tsdown.dev/options/target#supported-targets, https://rolldown.rs/options/treeshake, https://www.typescriptlang.org/tsconfig/#declarationMap Location: Package overview From: package.json → npm/tsdown@0.21.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tsdown@0.21.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[dependabot]

Superseded by #14.