chore(deps): update all non-major dependencies - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@ntnyq/utils	^0.13.1 → ^0.13.2
@types/node (source)	^25.6.0 → ^25.7.0
@typescript/native-preview (source)	^7.0.0-dev.20260420.1 → ^7.0.0-dev.20260513.1
bumpp	^11.0.1 → ^11.1.0
jsdom	^29.0.2 → ^29.1.1
oxfmt (source)	^0.45.0 → ^0.49.0
oxlint (source)	^1.60.0 → ^1.64.0
pnpm (source)	10.33.0 → 10.33.4
tsdown (source)	^0.21.9 → ^0.22.0
vitest (source)	^4.1.4 → ^4.1.6

---

Release Notes

microsoft/typescript-go (@​typescript/native-preview)

v7.0.0-dev.20260513.1

Compare Source

v7.0.0-dev.20260512.1

Compare Source

v7.0.0-dev.20260511.1

Compare Source

v7.0.0-dev.20260510.1

Compare Source

v7.0.0-dev.20260509.2

Compare Source

v7.0.0-dev.20260508.1

Compare Source

v7.0.0-dev.20260507.1

Compare Source

v7.0.0-dev.20260506.1

Compare Source

v7.0.0-dev.20260505.1

Compare Source

v7.0.0-dev.20260504.1

Compare Source

v7.0.0-dev.20260503.1

Compare Source

v7.0.0-dev.20260502.1

Compare Source

v7.0.0-dev.20260501.1

Compare Source

v7.0.0-dev.20260430.1

Compare Source

v7.0.0-dev.20260429.1

Compare Source

v7.0.0-dev.20260428.1

Compare Source

v7.0.0-dev.20260427.1

Compare Source

v7.0.0-dev.20260426.1

Compare Source

v7.0.0-dev.20260425.1

Compare Source

v7.0.0-dev.20260424.2

Compare Source

v7.0.0-dev.20260424.1

Compare Source

v7.0.0-dev.20260423.1

Compare Source

v7.0.0-dev.20260422.1

Compare Source

v7.0.0-dev.20260421.2

Compare Source

v7.0.0-dev.20260421.1

Compare Source

antfu-collective/bumpp (bumpp)

v11.1.0

Compare Source

   🐞 Bug Fixes

• Inherit stdio for git push to support windows SSH passphrase  -  by @​awdr74100 in #​122 (a30af)
• cli: Prevent empty CLI files from overriding config-file files  -  by @​benny123tw in #​120 (4e42e)

    View changes on GitHub

jsdom/jsdom (jsdom)

v29.1.1

Compare Source

v29.1.0

Compare Source

oxc-project/oxc (oxfmt)

v0.49.0

Compare Source

🚀 Features

• 6e8e818 oxfmt: Experimental .svelte support (#​21700) (leaysgur)

v0.48.0

Compare Source

v0.47.0

Compare Source

v0.46.0

Compare Source

oxc-project/oxc (oxlint)

v1.64.0

Compare Source

🚀 Features

• fbb8f22 linter: Support ignores in overrides (#​22148) (camc314)

🐛 Bug Fixes

• 25b7017 linter: Undocument override ignores option (#​22213) (camc314)

v1.63.0

Compare Source

📚 Documentation

• cacbc4a linter: Fix jest settings docs. (#​22127) (connorshea)

v1.62.0

Compare Source

🚀 Features

• 348f46c linter: Add respectEslintDisableDirectives option (#​21384) (Christian Vuerings)

🐛 Bug Fixes

• 8c425db linter: Allow string for jest version in config schema (#​21649) (camc314)

v1.61.1

Compare Source

v1.61.0

Compare Source

🚀 Features

• 38d8090 linter/jest: Implemented jest version settings in config file. (#​21522) (Said Atrahouch)

pnpm/pnpm (pnpm)

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

• Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

  A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

• Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Gold Sponsors

v10.33.3

Compare Source

v10.33.2

Compare Source

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes

• When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.

Platinum Sponsors

Gold Sponsors

rolldown/tsdown (tsdown)

v0.22.0

Compare Source

   🚨 Breaking Changes

• Drop Node.js < 22.18.0 support, make unrun optional, add tsx config loader  -  by @​sxzz (a1042)
• dts: Auto-enable dts when tsconfig declaration is true  -  by @​sxzz in #​872 (085f0)
• publint: Use pkg from publint results, require publint v0.3.8+  -  by @​sxzz (413bb)

   🚀 Features

• Upgrade rolldown to 1.0.0-rc.18  -  by @​sxzz (66085)
• Upgrade rolldown to v1.0.0  -  by @​sxzz (fabba)
• exports: Auto-enable bin detection by default  -  by @​sxzz in #​873 (abda9)

   🐞 Bug Fixes

• Explicitly drop node 23 support  -  by @​sxzz (85e65)
• debug: Enhance debug logging for pack tarball  -  by @​sxzz and Copilot (5de04)
• exports: Detect types fields nested in conditional exports  -  by @​sxzz (82fa1)
• pkg: Fix duplicate configuration warning logic  -  by @​ho991217 and @​sxzz in #​935 (6a0d9)

🔄 Migration Guide

Node.js version

Upgrade to Node.js 22.18.0 or later. Bun and Deno remain supported (experimental).

unrun is no longer bundled

If your environment relies on the unrun config loader (i.e. you're on a Node version without native TypeScript support and use the default auto loader), install it manually:

npm i -D unrun

# or, alternatively, the new tsx loader:
npm i -D tsx

If you use Node.js 22.18.0+ with native TypeScript support, no change is needed — the auto loader will pick native.

dts auto-enabled from tsconfig

If your tsconfig.json has compilerOptions.declaration: true but you do not want tsdown to emit .d.ts files, opt out explicitly:

// tsdown.config.ts
export default defineConfig({
  dts: false,
})

exports.bin auto-detection

Any entry chunk containing a shebang (e.g. #!/usr/bin/env node) now causes tsdown to write a bin field in package.json automatically. The semantics differ slightly from explicit bin: true:

Value	Single shebang	Multiple shebangs	No shebangs
(unset)	Auto-set bin	Warn, skip	Silent
true	Auto-set bin	Throw	Warn
false	No bin	No bin	No bin

To opt out entirely:

export default defineConfig({
  exports: { bin: false },
})

Links

• tsdown Documentation
• v0.22.0-beta.1 Release
• v0.22.0-beta.2 Release
• v0.22.0-beta.3 Release
• Full diff from v0.21.10

v0.21.10

Compare Source

   🚀 Features

• Upgrade rolldown  -  by @​sxzz (8a449)

    View changes on GitHub

vitest-dev/vitest (vitest)

v4.1.6

Compare Source

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in #​10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in #​10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in #​10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in #​10276 (9f7b1)

    View changes on GitHub

v4.1.5

Compare Source

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in #​10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in #​10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in #​10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in #​10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in #​10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in #​8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in #​8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in #​10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in #​10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in #​10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in #​10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in #​9927 and #​10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in #​10154 (6abd5)

    View changes on GitHub

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.