fix(deps): update all non-major dependencies

[renovate]

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Change	Age	Confidence
@builder.io/qwik (source)	^1.16.0 -> ^1.16.1
@rolldown/pluginutils (source)	^1.0.0-beta.39 -> ^1.0.0-beta.41
@sveltejs/vite-plugin-svelte (source)	^6.2.0 -> ^6.2.1
@types/node (source)	^24.5.2 -> ^24.6.0
@types/node (source)	^22.18.6 -> ^22.18.7
@types/react (source)	^19.1.13 -> ^19.1.16
@vitejs/plugin-react (source)	^5.0.3 -> ^5.0.4
@vue/shared (source)	^3.5.21 -> ^3.5.22
baseline-browser-mapping	^2.8.6 -> ^2.8.9
dotenv	^17.2.2 -> ^17.2.3
eslint-plugin-react-refresh	^0.4.20 -> ^0.4.22
http-proxy-3	^1.21.0 -> ^1.21.1
lightningcss	^1.30.1 -> ^1.30.2
lint-staged	^16.1.6 -> ^16.2.3
miniflare (source)	^4.20250917.0 -> ^4.20250924.0
nanoid	^5.1.5 -> ^5.1.6
playwright-chromium (source)	^1.55.0 -> ^1.55.1
pnpm (source)	10.17.0 -> 10.17.1
rolldown-vite (source)	7.1.12 -> 7.1.14
sass	^1.93.0 -> ^1.93.2
sass-embedded	^1.93.0 -> ^1.93.2
strip-literal	^3.0.0 -> ^3.1.0
svelte (source)	^5.39.4 -> ^5.39.6
svelte-check	^4.3.1 -> ^4.3.2
tsx (source)	^4.20.5 -> ^4.20.6
typescript-eslint (source)	^8.44.0 -> ^8.45.0
vue (source)	^3.5.21 -> ^3.5.22
vue-tsc (source)	^3.0.7 -> ^3.1.0

---

Release Notes

QwikDev/qwik (@​builder.io/qwik)

v1.16.1

Compare Source

Patch Changes

• 🐞🩹 The entry.ssr renderToStream preloader.preloadProbability option is now deprecated because this could cause performance issues with bundles fetched on click instead of being preloaded ahead of time. (The preloader still relies on probabilities to know preload the most likely bundles first) (by @​maiieul in #​7847)

• 🐞🩹 Link prefetch now always preloads Link prefetch bundles on monorepos (by @​maiieul in #​7835)

• 🐞🩹 Rollup's hoistTranstiveImports is now set to false because the hoisting added unnecessary bundles to be preloaded to the bundle-graph static imports graph. This could lead to a suboptimal preloading experience. (by @​maiieul in #​7850)

• 🛠 Add check-client command to verify bundle freshness (by @​JerryWu1234 in #​7517)

• ✨ All qwik packages are now marked as side effect free in their package.json. This should remove a few unecessary empty imports added by rollup and then not tree-shaken like import "./preloader.js". (by @​maiieul in #​7908)

• 🐞🩹 unmount qwikify react root alongside with qwik component (by @​sashkashishka in #​7864)

• 🐞🩹 preloader now preloads bundles as long as they are part of the current viewport's bundles graph, even if their probability is very small (by @​maiieul in #​7836)

• ✨ maxIdlePreloads is now constant over time so you know for sure how many bundles will be preloaded concurrently during idle. (by @​maiieul in #​7846)

• 🛠 use patched domino instead of qwik-dom (by @​gioboa in #​7842)

• 🐞🩹 Qwik is now smarter at bundling non QRL source files and qwik libraries modules (e.g. helpers, enums, inline components, etc.) together. (by @​maiieul in #​7888)

rolldown/rolldown (@​rolldown/pluginutils)

v1.0.0-beta.41

Compare Source

🚀 Features

• support output.generatedCode.symbols (#​6335) by @​IWANABETHATGUY
• rolldown: oxc v0.93.0 (#​6364) by @​Boshen
• rolldown_plugin_vite_html: finish script tag logic (#​6355) by @​shulaoda
• rolldown_plugin_vite_html: support inline html proxy (#​6353) by @​shulaoda
• rolldown_plugin_vite_html: transform script tag into js import (#​6351) by @​shulaoda
• rolldown_plugin_vite_html: overwrite script src url (#​6349) by @​shulaoda
• rolldown_plugin_vite_html: remove vite-ignore attribute (#​6348) by @​shulaoda
• rolldown_plugin_vite_html: use html5ever and markup5ever_rcdom (#​6327) by @​shulaoda
• rust/dev: support on_output callback (#​6330) by @​hyf0
• rust/dev: support disable_watcher (#​6329) by @​hyf0
• dev: introduce client/session concept into dev engine (#​6297) by @​hyf0

🐛 Bug Fixes

• 'asset' module type and CJS format produces warnings and wrong output (#​6369) by @​IWANABETHATGUY
• inlining constants in CJS by optimization.inlineConst incorrectly inlines non-constant values if the value is assigned more than once (#​6328) by @​IWANABETHATGUY
• dev: add hasLatestBuildOutput instead of scheduleBuildIfStale and add edit-reload test (#​6321) by @​sapphi-red

🚜 Refactor

• rust/dev: rename HmrManager to HmrState and tweak namings (#​6358) by @​hyf0
• rust/dev: use Bundler to expose hmr related methods (#​6356) by @​hyf0
• rolldown_plugin_vite_html: use html5gum instead (#​6343) by @​shulaoda
• dev: remove deprecated new field from HMR options and related configurations (#​6337) by @​hyf0
• dev: remove unused hmr API (#​6336) by @​hyf0
• make cjs_ast_analyzer immutable for better reuse (#​6326) by @​IWANABETHATGUY
• simplify logic for determining entry is_lived (#​6325) by @​IWANABETHATGUY

⚡ Performance

• dev: compute depended data incrementally (#​6357) by @​hyf0

🧪 Testing

• rust/hmr: use dev engine to test hmr (#​6334) by @​hyf0

⚙️ Miscellaneous Tasks

• deps: update notify (#​6368) by @​sapphi-red
• deps: lock file maintenance npm packages (#​6366) by @​renovate[bot]
• deps: update github-actions (#​6365) by @​renovate[bot]
• deps: update dependency rolldown-plugin-dts to v0.16.9 (#​6354) by @​renovate[bot]
• deps: update dependency tsdown to v0.15.5 (#​6350) by @​renovate[bot]
• node: use catalog: to unify version of all dependencies (#​6339) by @​hyf0
• ci: unify node installation via oxc-project/setup-node (#​6338) by @​Boshen
• deps: update crate-ci/typos action to v1.36.3 (#​6341) by @​renovate[bot]
• remove unused snapshots (#​6331) by @​IWANABETHATGUY

v1.0.0-beta.40

Compare Source

🚀 Features

• rolldown: oxc v0.92.0 (#​6322) by @​Boshen
• adding partial MagicString binding (#​6289) by @​IWANABETHATGUY
• rolldown_plugin_vite_html: initialize (#​6292) by @​shulaoda

🐛 Bug Fixes

• rolldown_plugin_react_refresh_wrapper: avoid using cwd to allow using as a callable plugin (#​6318) by @​sapphi-red
• rolldown_plugin_transform: resolve tsconfig from absolute path (#​6311) by @​shulaoda

🚜 Refactor

• Construct MagicString with Cow<str> instead of &str (#​6288) by @​IWANABETHATGUY
• throw error if generating oxc runtime helper fails (#​6291) by @​shulaoda

📚 Documentation

• add more description about sourcemapIgnoreList (#​6314) by @​IWANABETHATGUY

⚡ Performance

• reduce sourcemap_ignore_list js function call (#​6313) by @​IWANABETHATGUY
• string_wizard: use memchr to find patterns in replace (#​6312) by @​IWANABETHATGUY
• simplify sourcemap token processing in collapse_sourcemaps (#​6310) by @​IWANABETHATGUY
• rolldown: some minor perf optimization (#​6306) by @​Brooooooklyn
• rolldown: fine-tuning the tokio scheduler (#​6272) by @​Brooooooklyn

⚙️ Miscellaneous Tasks

• deps: lock file maintenance rust crates (#​6302) by @​renovate[bot]
• deps: lock file maintenance npm packages (#​6301) by @​renovate[bot]
• use lto: thin in profile mode for better profiling experience. (#​6320) by @​IWANABETHATGUY
• adjust the tokio runtime config in bench (#​6305) by @​Brooooooklyn
• deps: update dependency rolldown-plugin-dts to v0.16.8 (#​6307) by @​renovate[bot]

sveltejs/vite-plugin-svelte (@​sveltejs/vite-plugin-svelte)

v6.2.1

Compare Source

Patch Changes

• fix: remove unscopable global styles warning (#​1223)

• Remove automatic configuration for rolldownOptions.optimization.inlineConst because latest version of rolldown-vite has it enabled by default. (#​1225)

vitejs/vite-plugin-react (@​vitejs/plugin-react)

v5.0.4

Compare Source

Perf: use native refresh wrapper plugin in rolldown-vite (#​881)

vuejs/core (@​vue/shared)

v3.5.22

Compare Source

Bug Fixes

• compiler-core: identifiers in switch-case should not be inferred as references (#​13923) (5953c9f)
• compiler-dom: nodes with v-once shouldn't be stringified (#​13878) (95c1975)
• compiler-sfc: add support for @vue-ignore in runtime type resolution (#​13906) (ba7f7f9)
• compiler-sfc: enhance inferRuntimeType to support TSMappedType with indexed access (#​13848) (e388f1a), closes #​13847
• compiler-sfc: ensure css custom properties do not start with a digit (#​13870) (9c27951)
• compiler-sfc: ensure props bindings register before compiling template (#​13922) (abd5638), closes #​13920
• compiler-ssr: ensure v-show has a higher priority in SSR (#​12171) (836b829), closes #​12162
• custom-element: properly mount multiple Teleports in custom element component w/ shadowRoot false (#​13900) (5e1e791), closes #​13899
• custom-element: set prop runs pending mutations before disconnect (#​13897) (c4a88cd), closes #​13315
• custom-element: use PatchFlags.BAIL for slot when props are present (#​13907) (5358bca), closes #​13904
• reactivity: respect readonly during ref unwrapping (#​13905) (aba7fed), closes #​13903
• reactivity: update iterator to check for completion instead of value presence (#​13761) (2078f8b)
• runtime-core: simplify block-tracking disabling in h helper (#​13841) (75220c7)
• transition-group: run forceReflow on the correct document (fix #​13849) (#​13853) (1be5ddf)
• types: more precise types for Events and added missing definitions (#​9675) (8bb8fb2)
• types: set dom stub type to never instead of {} (#​13915) (8620a61), closes #​11564
• types: widen directive arg type from string to any (#​13758) (4b71706), closes #​13757

Features

• custom-element: allow specifying additional options for shadowRoot in custom elements (#​12965) (47e628d), closes #​12964

Reverts

• Revert "fix(hmr): prevent VUE_HMR_RUNTIME from being overwritten by vue runtime in 3rd-party libraries" (#​13925) (6b68f72), closes #​13925

web-platform-dx/baseline-browser-mapping (baseline-browser-mapping)

v2.8.9

Compare Source

v2.8.8

Compare Source

v2.8.7

Compare Source

motdotla/dotenv (dotenv)

v17.2.3

Compare Source

Changed

• Fixed typescript error definition (#​912)

ArnaudBarre/eslint-plugin-react-refresh (eslint-plugin-react-refresh)

v0.4.22

Compare Source

• Add "viewport" to allowExportNames in Next config (#​89)

v0.4.21

Compare Source

• Add Next config (fixes #​85)

This allows exports like fetchCache and revalidate which are used in Page or Layout components and don't trigger a full page reload.

import reactRefresh from "eslint-plugin-react-refresh";

export default [
  /* Main config */
  reactRefresh.configs.next,
];

parcel-bundler/lightningcss (lightningcss)

v1.30.2

Compare Source

Fixes

• Fix installing on android
• Don't warn on ::grammar-error and ::spelling-error selectors
• Update browser compat data

Rust crate changes

• Bump browserslist-rs to 0.19.0
• migrate to maintained library instead of deprecated paste
• Use serde-content instead of private serde types

lint-staged/lint-staged (lint-staged)

v16.2.3

Compare Source

Patch Changes

• #​1669 27cd541 Thanks @​iiroj! - When using --fail-on-changes, automatically hidden (partially) unstaged changes are no longer counted to make lint-staged fail.

v16.2.2

Compare Source

Patch Changes

• #​1667 699f95d Thanks @​iiroj! - The backup stash will not be dropped when using --fail-on-changes and there are errors. When reverting to original state is disabled (via --no-revert or --fail-on-changes), hidden (partially) unstaged changes are still restored automatically so that it's easier to resolve the situation manually.

  Additionally, the example for using the backup stash manually now uses the correct backup hash, if available:

  % npx lint-staged --fail-on-changes
  ✔ Backed up original state in git stash (c18d55a3)
  ✔ Running tasks for staged files...
  ✖ Tasks modified files and --fail-on-changes was used!
  ↓ Cleaning up temporary files...
  
  ✖ lint-staged failed because `--fail-on-changes` was used.
  
  Any lost modifications can be restored from a git stash:
  
    > git stash list --format="%h %s"
    c18d55a3 On main: lint-staged automatic backup
    > git apply --index c18d55a3

v16.2.1

Compare Source

Patch Changes

• #​1664 8277b3b Thanks @​iiroj! - The built-in TypeScript types have been updated to more closely match the implementation. Notably, the list of staged files supplied to task functions is readonly string[] and can't be mutated. Thanks @​outslept!

  export default {
  ---  "*": (files: string[]) => void console.log('staged files', files)
  +++  "*": (files: readonly string[]) => void console.log('staged files', files)
  }

• #​1654 70b9af3 Thanks @​iiroj! - This version has been published from GitHub Actions using Trusted Publishing for npm packages.

• #​1659 4996817 Thanks @​iiroj! - Fix searching configuration files when the working directory is a subdirectory of a git repository, and there are package.json files in the working directory. This situation might happen when running lint-staged for a single package in a monorepo.

• #​1654 7021f0a Thanks @​iiroj! - Return the caret semver range (^) to direct dependencies so that future patch and minor versions are allowed. This enables projects to better maintain and deduplicate their own transitive dependencies while not requiring direct updates to lint-staged. This was changed in 16.2.0 after the vulnerability issues with chalk and debug, which were also removed in the same version.

  Given the recent vulnerabilities in the npm ecosystem, it's best to be very careful when updating dependencies.

v16.2.0

Compare Source

Minor Changes

• #​1615 99eb742 Thanks @​iiroj! - Added a new option --fail-on-changes to make lint-staged exit with code 1 when tasks modify any files, making the precommit hook fail. This is similar to the git diff --exit-code option. Using this flag also implies the --no-revert flag which means any changes made my tasks will be left in the working tree after failing, so that they can be manually staged and the commit tried again.

• #​1611 cd05fd3 Thanks @​rlorenzo! - Added a new option --continue-on-error so that lint-staged will run all tasks to completion even if some of them fail. By default, lint-staded will exit early on the first failure.

• #​1637 82fcc07 Thanks @​iiroj! - Internal lint-staged errors are now thrown and visible in the console output. Previously they were caught with the process exit code set to 1, but not logged. This happens when, for example, there's a syntax error in the lint-staged configuration file.

• #​1647 a5ecc06 Thanks @​iiroj! - Remove debug as a dependency due to recent malware issue; read more at debug-js/debug#1005. Because of this, the DEBUG environment variable is no longer supported — use the --debug to enable debugging

• #​1636 8db2717 Thanks @​iiroj! - Added a new option --hide-unstaged so that lint-staged will hide all unstaged changes to tracked files before running tasks. The changes will be applied back after running the tasks. Note that the combination of flags --hide-unstaged --no-hide-partially-staged isn't meaningful and behaves the same as just --hide-unstaged.

  Thanks to @​ItsNickBarry for the idea and initial implementation in #​1552.

• #​1648 7900b3b Thanks @​iiroj! - Remove lilconfig to reduce reliance on third-party dependencies. It was used to find possible config files outside of those tracked in Git, including from the parent directories. This behavior has been moved directly into lint-staged and should work about the same.

Patch Changes

• #​1633 7f9e485 Thanks @​dependabot! - Bumps listr2 from 9.0.3 to 9.0.4.

• #​1626 99d5a9b Thanks @​iiroj! - Due to recent phishing attacks, for example [email protected] was released with malware. To avoid lint-staged's users being at risk the direct dependencies are pinned to exact versions, instead of allowing future patch versions with the caret (^) range.

• #​1588 035bbf2 Thanks @​outslept! - Increase performance by listing staged files and searching for configuration concurrently.

• #​1645 deba3ad Thanks @​iiroj! - Remove chalk as a dependency due to recent malware issue; read more at chalk/chalk#656.

  If you are having trouble with ANSI color codes when using lint-staged, you can try setting either FORCE_COLOR=true or NO_COLOR=true env variables.

cloudflare/workers-sdk (miniflare)

v4.20250924.0

Compare Source

Patch Changes

• #​10745 06e9a48 Thanks @​dependabot! - chore: update dependencies of "miniflare" package

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20250923.0	1.20250924.0

v4.20250923.0

Compare Source

Minor Changes

• #​10647 555a6da Thanks @​efalcao! - VPC service binding support

Patch Changes

• #​10692 262393a Thanks @​dependabot! - chore: update dependencies of "miniflare" package

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20250917.0	1.20250918.0

• #​10705 3ec1f65 Thanks @​dependabot! - chore: update dependencies of "miniflare" package

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20250918.0	1.20250919.0

• #​10718 a434352 Thanks @​dependabot! - chore: update dependencies of "miniflare" package

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20250919.0	1.20250922.0

• #​10729 328e687 Thanks @​dependabot! - chore: update dependencies of "miniflare" package

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20250922.0	1.20250923.0

• #​10724 b4a4311 Thanks @​penalosa! - Use Cap'n Web in workers-sdk

ai/nanoid (nanoid)

v5.1.6

Compare Source

• Fixed infinite loop on 0 size for customAlphabet.

microsoft/playwright (playwright-chromium)

v1.55.1

Compare Source

Highlights

#​37479 - [Bug]: Upgrade Chromium to 140.0.7339.186.
#​37147 - [Regression]: Internal error: step id not found.
#​37146 - [Regression]: HTML reporter displays a broken chip link when there are no projects.
#​37137 - Revert "fix(a11y): track inert elements as hidden".

Browser Versions

• Chromium 140.0.7339.186
• Mozilla Firefox 141.0
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 139
• Microsoft Edge 139

pnpm/pnpm (pnpm)

v10.17.1

Compare Source

Patch Changes

• When a version specifier cannot be resolved because the versions don't satisfy the minimumReleaseAge setting, print this information out in the error message #​9974.
• Fix state.json creation path when executing pnpm patch in a workspace project #​9733.
• When minimumReleaseAge is set and the latest tag is not mature enough, prefer a non-deprecated version as the new latest #​9987.

vitejs/rolldown-vite (rolldown-vite)

v7.1.14

Compare Source

Features

• set generatedCode: 'es2015' (4cfe8e1)
• update rolldown (bac2c1b)

Bug Fixes

• use readFileSync to avoid "too many open files" (7c7ffdc)

Performance Improvements

• use single regex for isEntirelyImport (ac1ceaf)

Documentation

• create-vite: provide deno example (#​20747) (fdb758a)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20810) (ea68a88)

v7.1.13

Compare Source

Features

• hmr: skip self-imports for import.meta.hot.invalidate ([ebd134f](https://github.com/vitejs/rolldown

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.