fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
oxfmt (source)	^0.51.0 → ^0.53.0			devDependencies	minor
pnpm (source)	10.33.4 → 10.34.1			packageManager	minor
rolldown (source)	^1.0.1 → ^1.0.3			devDependencies	patch
semver	^7.8.0 → ^7.8.1			dependencies	patch
tinyexec	^1.1.2 → ^1.2.4			dependencies	minor
vitest (source)	^4.1.7 → ^4.1.8			devDependencies	patch
zizmorcore/zizmor-action	v0.5.3 → v0.5.6			action	patch

---

Release Notes

oxc-project/oxc (oxfmt)

v0.53.0

Compare Source

v0.52.0

Compare Source

🚀 Features

• 16b8058 oxfmt: Support vite-plus/resolveConfig for vite.config.ts (#​22454) (leaysgur)

pnpm/pnpm (pnpm)

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

• Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Gold Sponsors

v10.34.0: pnpm 10.34

Compare Source

Minor Changes

• Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.

  pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.

  The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.

  --force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

Patch Changes

• Pin unscoped per-registry settings (_authToken, _auth, username/_password, tokenHelper, inline cert/key) to the registry declared in the same config source at load time, so a later layer overriding registry= (workspace .npmrc, pnpm-workspace.yaml, CLI --registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.
• Fixed minimumReleaseAge handling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-version time field) by default, which made the maturity check throw ERR_PNPM_MISSING_TIME whenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch when minimumReleaseAge is active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and lets ERR_PNPM_MISSING_TIME from the cache fast-path fall through to the network fetch even under strict mode.
• Reject git resolutions whose commit field is not a 40-character hexadecimal SHA before invoking git. A malicious lockfile could otherwise smuggle a value such as --upload-pack=<command> through git fetch / git checkout, which on SSH or local-file transports executes the supplied command.
• Reject patch files whose diff --git headers reference paths outside the patched package directory. Previously a malicious .patch file added via a pull request could write, delete, or rename arbitrary files reachable by the user running pnpm install.
• Fixed --prefix=<dir> not being honored when locating the workspace root. The --prefix → dir rename was applied after workspace detection, so workspace settings declared in <dir>/pnpm-workspace.yaml were not loaded when pnpm was invoked from outside <dir> #​11535.
• Reject dependency aliases that contain path-traversal segments (such as @x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them into node_modules. A malicious registry package could otherwise use a transitive dependency key to make pnpm install create symlinks at attacker-chosen paths outside the intended node_modules directory.

Platinum Sponsors

Gold Sponsors

rolldown/rolldown (rolldown)

v1.0.3

Compare Source

🚀 Features

• transform: respect decorator strictNullChecks option (#​9580) by @​kylecannon
• drop defer keyword (#​9503) by @​TheAlexLichter

🐛 Bug Fixes

• ci: create target dir before cargo release-oxc update (#​9584) by @​shulaoda
• ci: reorder prepare-release steps to avoid dirty git check failure (#​9583) by @​shulaoda
• testing: canonicalize temp dir early and use platform-specific separator in test262 (#​9582) by @​shulaoda
• testing: resolve symlinked temp dir in test262 snapshot normalization (#​9581) by @​shulaoda
• testing: canonicalize temp dir path in test262 snapshot normalization (#​9579) by @​shulaoda
• dev: onOutput called twice when initial build fails (#​9552) by @​hyf0
• dev: make ensureCurrentBuildFinish not returning error when engine closes (#​9564) by @​h-a-n-a
• oxc-runtime: route require() to CJS helper variant (#​9263) (#​9526) by @​IWANABETHATGUY
• generator: use exporter chunk's export mode for CJS default re-exports (#​9299) (#​9529) by @​IWANABETHATGUY
• rolldown: always run reduced-atom static cycle check (#​9441) (#​9514) by @​IWANABETHATGUY
• apply transform.dropLabels before scanning (#​9521) (#​9522) by @​IWANABETHATGUY
• rolldown_watcher: take rolldown dep through the workspace (#​9510) by @​Boshen
• cache: keep the scan-stage cache consistent when a build fails (#​9495) by @​h-a-n-a
• skip JSON default-import namespace optimization for write targets (#​9484) (#​9489) by @​IWANABETHATGUY
• deps: skip pnpm frozen-lockfile on Netlify to dodge catalog mismatch bug (#​9471) by @​Boshen

🚜 Refactor

• oxc-runtime: use Cow for helper path construction (#​9538) by @​IWANABETHATGUY
• fold import defer phase drop into PreProcessor (#​9524) by @​IWANABETHATGUY
• distinguish map: null vs map: undefined in transform hook output (#​9497) by @​sapphi-red

📚 Documentation

• explain the policy for Rust crates (#​9547) by @​sapphi-red
• cache: add design doc for cache (#​9544) by @​h-a-n-a
• guide/troubleshooting: add TDZ error section (#​9537) by @​sapphi-red
• dev-engine: add design doc for dev-engine (#​9479) by @​h-a-n-a
• lazy-barrel: tweak some words (#​9483) by @​shulaoda
• lazy-barrel: expand reasoning behind LARGE_BARREL_MODULES advice (#​9477) by @​shulaoda

⚡ Performance

• generate: thread ast_table by value into codegen consumer (#​9555) by @​Boshen
• finalizers: replace _reExport construction with a direct call to avoid calling clone_in (#​9501) by @​Dunqing
• reorder hot-path boolean checks to short-circuit on cheap predicates first (#​9523) by @​Boshen

🧪 Testing

• rolldown: regression fixture for #​9401 (#​9418) by @​IWANABETHATGUY
• failing test for #​9441 (#​9504) by @​TheAlexLichter

⚙️ Miscellaneous Tasks

• deps: upgrade oxc to 0.133.0 (#​9563) by @​Dunqing
• deps: update crate-ci/typos action to v1.46.3 (#​9576) by @​renovate[bot]
• deps: update mimalloc-safe to 0.1.62 (#​9577) by @​shulaoda
• mimalloc-safe: update to a bug-fix branch for verification (#​9569) by @​shulaoda
• deps: update test262 submodule for tests (#​9551) by @​rolldown-guard[bot]
• point published crates' readme to root README.md (#​9553) by @​Boshen
• replace actions-cool/issues-helper with gh CLI (#​9543) by @​Boshen
• deps: update cargo-shear to 1.12.4 (#​9541) by @​Boshen
• deps: update taiki-e/install-action action to v2.79.4 (#​9535) by @​renovate[bot]
• deps: update github actions (#​9532) by @​renovate[bot]
• deps: update rust crates (#​9534) by @​renovate[bot]
• deps: update npm packages (#​9533) by @​renovate[bot]
• gate experimental/testing-only items to silence dead_code in publish builds (#​9517) by @​Boshen
• docs: deploy to Void (#​9509) by @​Boshen
• release: set up cargo-release-oxc for publishing crates (#​9476) by @​Boshen
• rolldown_plugin_lazy_compilation: add missing description (#​9507) by @​Boshen
• mimalloc-safe: update to a bug-fix branch for verification (#​9506) by @​shulaoda
• deps: update crate-ci/typos action to v1.46.2 (#​9468) by @​renovate[bot]

❤️ New Contributors

• @​kylecannon made their first contribution in #​9580

v1.0.2

Compare Source

🚀 Features

• devtools: emit package size in PackageGraphReady (#​9434) by @​IWANABETHATGUY
• devtools: classify package dependency types (#​9427) by @​IWANABETHATGUY
• devtools: map packages to modules and chunks (#​9426) by @​IWANABETHATGUY
• devtools: mark used packages (#​9423) by @​IWANABETHATGUY
• devtools: make duplicate packages discoverable (#​9422) by @​IWANABETHATGUY
• devtools: emit package metadata (#​9421) by @​IWANABETHATGUY
• update oxc to 0.132.0 (#​9449) by @​shulaoda
• update oxc to 0.131.0 (#​9424) by @​shulaoda
• allow checks.* to escalate emissions to hard errors (#​9388) by @​IWANABETHATGUY
• dev: support watcher options include and exclude (#​9395) by @​h-a-n-a
• emit warnings for invalid pure annotations (#​9381) by @​Kyujenius

🐛 Bug Fixes

• hash: keep chunk file names stable when an unrelated entry is added (#​9444) by @​hyf0
• call codeSplitting.groups[].name in deterministic order (#​9457) by @​sapphi-red
• dev/lazy: make resolve_id idempotent when the resolved id is already a lazy entry (#​9439) by @​h-a-n-a
• chunk-optimization: publish absorbed dynamic-entry namespace cross-chunk (#​9448) by @​IWANABETHATGUY
• treeshake: propagate pure annotation through compound exprs (#​9431) by @​Dunqing
• finalizer: skip redundant init call when barrel executes in same chunk (#​9354) by @​IWANABETHATGUY
• linking: initialize wrapped ESM re-export owners (#​9353) by @​IWANABETHATGUY
• do not inherit __toESM across chunks for named-only external imports (#​9333) (#​9415) by @​IWANABETHATGUY
• watcher: don't write output or emit events after close() (#​9328) by @​situ2001
• chunk-optimization: avoid unsafe dynamic-only merges (#​9398) by @​IWANABETHATGUY
• cjs: rename CJS-wrapped locals that would shadow chunk-scope names (#​9392) by @​hyf0
• dev/lazy: watch lazy modules added in rebuilds (#​9391) by @​h-a-n-a

🚜 Refactor

• rolldown_dev: move dev example to break publish cycle (#​9465) by @​Boshen
• binding: drop unsafe napi string helper, hoist transform ArcStr (#​9456) by @​hyf0
• ecmascript_utils: split rewrite_ident_reference off JsxExt trait (#​9417) by @​IWANABETHATGUY
• use ThreadsafeFunction::call_async_catch (#​9390) by @​sapphi-red

📚 Documentation

• devtools: document @​rolldown/debug usage and package graph consumption (#​9435) by @​IWANABETHATGUY
• replace Inter with system font stack in OG template SVG (#​9240) by @​yvbopeng
• remove output.comments warning as all issues have been resolved (#​9393) by @​sapphi-red
• in-depth: clarify @​PURE scope and document positions (#​9389) by @​Kyujenius
• readme: remove release candidate notice (#​9387) by @​shulaoda

⚡ Performance

• vite-resolve: cache importer existence checks (#​9443) by @​Brooooooklyn
• binding: reduce plugin string clones (#​9436) by @​Brooooooklyn

🧪 Testing

• enable legal_comments_inline test (#​9394) by @​sapphi-red

⚙️ Miscellaneous Tasks

• bump pnpm to v11.1.2 (#​9447) by @​Boshen
• deps: update rust crates (#​9461) by @​renovate[bot]
• deps: update rollup submodule for tests to v4.60.4 (#​9453) by @​rolldown-guard[bot]
• deps: update test262 submodule for tests (#​9454) by @​rolldown-guard[bot]
• deps: update npm packages (#​9430) by @​renovate[bot]
• deps: update github actions (#​9429) by @​renovate[bot]
• deps: update dependency rolldown-plugin-dts to v0.25.1 (#​9452) by @​renovate[bot]
• deps: update rust crates (#​9428) by @​renovate[bot]
• revert allow checks.* to escalate emissions to hard errors (#​9388) (#​9438) by @​IWANABETHATGUY
• update mimalloc-safe to 0.1.61 (#​9413) by @​shulaoda
• deny todo, unimplemented, and print_stderr clippy lints (#​9412) by @​Boshen
• deps: update mimalloc-safe to 0.1.60 (#​9410) by @​shulaoda
• remove pip install setuptools workaround for node-gyp on macOS (#​9370) by @​sapphi-red
• renovate: disable automerge to require manual approval (#​9386) by @​shulaoda
• deps: update napi (#​9385) by @​renovate[bot]

❤️ New Contributors

• @​yvbopeng made their first contribution in #​9240

npm/node-semver (semver)

v7.8.1

Compare Source

Bug Fixes

• 17aa702 #​869 strip build metadata before comparator trimming (#​869) (@​owlstronaut)
• 5f3ca13 #​867 handle prerelease bounds in subset (#​867) (@​puneetdixit200, Puneet Dixit)

tinylibs/tinyexec (tinyexec)

v1.2.4

Compare Source

What's Changed

• fix: revert grandchild fix for now by @​43081j in #​140

Full Changelog: tinylibs/tinyexec@1.2.3...1.2.4

v1.2.3

Compare Source

What's Changed

• chore(deps-dev): bump the development-dependencies group with 4 updates by @​dependabot[bot] in #​135
• fix: destroy piped streams on child exit to prevent grandchild deadlock by @​Mearman in #​137

New Contributors

• @​Mearman made their first contribution in #​137

Full Changelog: tinylibs/tinyexec@1.2.2...1.2.3

v1.2.2

Compare Source

What's Changed

• fix: correct shebang regex by @​43081j in #​134

Full Changelog: tinylibs/tinyexec@1.2.1...1.2.2

v1.2.1

Compare Source

What's Changed

• test: add async throw tests by @​43081j in #​133

Full Changelog: tinylibs/tinyexec@1.2.0...1.2.1

v1.2.0

Compare Source

What's Changed

• refactor: inline parse by @​hyperz111 in #​100
• chore: check types on lint by @​43081j in #​119
• test: add more normalize tests by @​43081j in #​120
• build: update tsdown config and dependencies by @​hyperz111 in #​121
• chore(deps-dev): bump the development-dependencies group with 2 updates by @​dependabot[bot] in #​122
• chore(deps-dev): bump the development-dependencies group with 6 updates by @​dependabot[bot] in #​123
• chore: set workflow permissions by @​43081j in #​124
• feat: add nodePath flag by @​43081j in #​125
• test: tidy up env tests by @​43081j in #​126
• chore(deps-dev): bump the development-dependencies group with 4 updates by @​dependabot[bot] in #​128
• chore(deps): bump the github-actions group with 2 updates by @​dependabot[bot] in #​127
• chore: setup funding / publish env by @​43081j in #​129
• chore: enable staged publishes by @​43081j in #​130

New Contributors

• @​hyperz111 made their first contribution in #​100

Full Changelog: tinylibs/tinyexec@1.1.2...1.2.0

vitest-dev/vitest (vitest)

v4.1.8

Compare Source

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in #​10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in #​10474 (675b4)

    View changes on GitHub

zizmorcore/zizmor-action (zizmorcore/zizmor-action)

v0.5.6

Compare Source

• 1.25.2 is now available via the action
• 1.25.2 is now the default version of zizmor used by the action

v0.5.5

Compare Source

This is a no-op release.

v0.5.4

Compare Source

• 1.25.0 is now available via the action
• 1.25.0 is now the default version of zizmor used by the action

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.