chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@eslint-community/eslint-plugin-eslint-comments	^4.7.1 → ^4.7.2			devDependencies	patch
@types/node (source)	^24.12.2 → ^24.12.4			devDependencies	patch
docker/dockerfile	1.23 → 1.24			syntax	minor
oxfmt (source)	^0.47.0 → ^0.52.0			devDependencies	minor
oxlint (source)	^1.62.0 → ^1.67.0			devDependencies	minor
pnpm (source)	10.33.3 → 10.34.1			packageManager	minor
pnpm/action-setup	v6.0.5 → v6.0.8			action	patch
taze	^19.11.0 → ^19.14.1			devDependencies	minor
tsdown (source)	^0.21.10 → ^0.22.0			devDependencies	minor

---

Release Notes

eslint-community/eslint-plugin-eslint-comments (@​eslint-community/eslint-plugin-eslint-comments)

v4.7.2

Compare Source

Bug Fixes

• deps: pin modern-monaco version to 0.4.0 (#​320) (62a2c3a)
• docs: use modern-monaco instead of monaco-editor (#​311) (42919d0)

oxc-project/oxc (oxfmt)

v0.52.0

Compare Source

🚀 Features

• 16b8058 oxfmt: Support vite-plus/resolveConfig for vite.config.ts (#​22454) (leaysgur)

v0.51.0

Compare Source

v0.50.0

Compare Source

🐛 Bug Fixes

• 43b9978 formatter/sort_imports: Treat subpath imports as internal (#​22440) (leaysgur)

v0.49.0

Compare Source

🚀 Features

• 6e8e818 oxfmt: Experimental .svelte support (#​21700) (leaysgur)

v0.48.0

Compare Source

oxc-project/oxc (oxlint)

v1.67.0

Compare Source

🚀 Features

• b84941e linter/vue: Implement no-expose-after-await rule (#​22675) (bab)
• 98b98c1 linter/vue: Implement no-computed-properties-in-data rule (#​22674) (bab)
• 2d4c919 oxlint: Support vite-plus/resolveConfig for vite.config.ts (#​22456) (leaysgur)
• 2a60012 linter/vue: Implement require-render-return rule (#​22613) (bab)
• 9f227fd linter/vue: Implement no-deprecated-props-default-this rule (#​21892) (bab)
• 87f065e linter/vue: Implement return-in-emits-validator rule (#​21935) (bab)
• ea0380c linter/unicorn: Implement import-style rule (#​22173) (Hao Chen)
• dde40fe linter/vue: Implement no-watch-after-await rule (#​22006) (bab)
• a735eb0 linter/vue: Implement valid-next-tick rule (#​22531) (bab)
• 6dc615d linter/vue: Implement no-shared-component-data rule (#​21842) (bab)
• a656418 linter/vue: Implement valid-define-options rule (#​22107) (bab)
• bb6f1b2 linter/vue: Implement require-slots-as-functions rule (#​22244) (bab)
• 5fa4774 linter/n: Implement callback-return rule (#​22470) (Mikhail Baev)

v1.66.0

Compare Source

🚀 Features

• 0440b0f linter/eslint: Implement id-match rule (#​22379) (Vladislav Sayapin)
• 65bf119 linter: Implement react no-object-type-as-default-prop (#​22481) (uhyo)
• 2a6ddce linter/eslint: Implement no-implied-eval rule (#​22391) (Vladislav Sayapin)
• 625758a linter/vitest: Implement padding-around-after-all-blocks rule (#​21788) (kapobajza)
• 37680b0 linter: Implement react no-unstable-nested-components (#​22248) (Jovi De Croock)
• d8d9c74 linter: Implement import/newline-after-import rule (#​19142) (Ryuya Yanagi)

v1.65.0

Compare Source

🚀 Features

• 5478fb5 linter/jsdoc: Implement require-throws-description rule (#​22386) (Mikhail Baev)
• c73225e linter/eslint: Implement prefer-arrow-callback rule (#​22312) (박천(Cheon Park))
• de82b59 linter: Add support for eslint-plugin-jsx-a11y-x (#​22356) (mehm8128)
• f44b6c8 linter: Fill schemas DummyRuleMap with built-in rules (#​22288) (Sysix)

v1.64.0

Compare Source

🚀 Features

• fbb8f22 linter: Support ignores in overrides (#​22148) (camc314)

🐛 Bug Fixes

• 25b7017 linter: Undocument override ignores option (#​22213) (camc314)

v1.63.0

Compare Source

📚 Documentation

• cacbc4a linter: Fix jest settings docs. (#​22127) (connorshea)

pnpm/pnpm (pnpm)

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

• Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Gold Sponsors

v10.34.0

Compare Source

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

• Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

  A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

• Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Gold Sponsors

pnpm/action-setup (pnpm/action-setup)

v6.0.8

Compare Source

v6.0.7

Compare Source

v6.0.6

Compare Source

What's Changed

• fix: bin_dest output points to self-updated pnpm, not bootstrap by @​zkochan in #​249

Full Changelog: pnpm/action-setup@v6.0.5...v6.0.6

antfu-collective/taze (taze)

v19.14.1

Compare Source

   🐞 Bug Fixes

• Complete empathic find migration  -  by @​lyzno1 in #​275 (13838)

    View changes on GitHub

v19.14.0

Compare Source

   🚀 Features

• Respect package manager maturity exclusions  -  by @​firatciftci in #​271 (2a6f9)

   🐞 Bug Fixes

• Keep version selector visible  -  by @​Perdolique and @​antfu in #​272 (91d23)

   🏎 Performance

• Reduce interactive flicker  -  by @​Perdolique in #​273 (61aa1)
• Replace find-up-simple w/ empathic  -  by @​SukkaW in #​258 (813a3)

    View changes on GitHub

v19.13.0

Compare Source

   🚀 Features

• Auto-infer maturityPeriod from pnpm/yarn workspace config  -  by @​antfu in #​268 (416c4)

   🐞 Bug Fixes

• Respect maturity period in interactive mode  -  by @​firatciftci in #​267 (d7ad4)

    View changes on GitHub

v19.12.0

Compare Source

   🚀 Features

• Add JSON schema for tazerc config  -  by @​sxzz (96e7a)
• Add stable version mode  -  by @​pnodet and @​antfu in #​266 (cc827)

   🐞 Bug Fixes

• Improve getMaxSatisfying logic to handle latest and next tags co…  -  by @​rubiin in #​264 (799e3)
• Ignoring nested bun workspaces and env support for .npmrc  -  by @​jinghaihan in #​253 (9c2f7)
• Updates locked version with a mature version  -  by @​daiyam in #​261 (a7e72)
• Don't use Array.fromAsync with tinyglobby glob  -  by @​userquin in #​255 (ddd7d)
• Guard pkgData access in packageManager integrity refresh  -  by @​thashepherd and Claude Opus 4.7 (1M context) in #​263 (53b80)

    View changes on GitHub

rolldown/tsdown (tsdown)

v0.22.0

Compare Source

   🚨 Breaking Changes

• Drop Node.js < 22.18.0 support, make unrun optional, add tsx config loader  -  by @​sxzz (a1042)
• dts: Auto-enable dts when tsconfig declaration is true  -  by @​sxzz in #​872 (085f0)
• publint: Use pkg from publint results, require publint v0.3.8+  -  by @​sxzz (413bb)

   🚀 Features

• Upgrade rolldown to 1.0.0-rc.18  -  by @​sxzz (66085)
• Upgrade rolldown to v1.0.0  -  by @​sxzz (fabba)
• exports: Auto-enable bin detection by default  -  by @​sxzz in #​873 (abda9)

   🐞 Bug Fixes

• Explicitly drop node 23 support  -  by @​sxzz (85e65)
• debug: Enhance debug logging for pack tarball  -  by @​sxzz and Copilot (5de04)
• exports: Detect types fields nested in conditional exports  -  by @​sxzz (82fa1)
• pkg: Fix duplicate configuration warning logic  -  by @​ho991217 and @​sxzz in #​935 (6a0d9)

🔄 Migration Guide

Node.js version

Upgrade to Node.js 22.18.0 or later. Bun and Deno remain supported (experimental).

unrun is no longer bundled

If your environment relies on the unrun config loader (i.e. you're on a Node version without native TypeScript support and use the default auto loader), install it manually:

npm i -D unrun

# or, alternatively, the new tsx loader:
npm i -D tsx

If you use Node.js 22.18.0+ with native TypeScript support, no change is needed — the auto loader will pick native.

dts auto-enabled from tsconfig

If your tsconfig.json has compilerOptions.declaration: true but you do not want tsdown to emit .d.ts files, opt out explicitly:

// tsdown.config.ts
export default defineConfig({
  dts: false,
})

exports.bin auto-detection

Any entry chunk containing a shebang (e.g. #!/usr/bin/env node) now causes tsdown to write a bin field in package.json automatically. The semantics differ slightly from explicit bin: true:

Value	Single shebang	Multiple shebangs	No shebangs
(unset)	Auto-set bin	Warn, skip	Silent
true	Auto-set bin	Throw	Warn
false	No bin	No bin	No bin

To opt out entirely:

export default defineConfig({
  exports: { bin: false },
})

Links

• tsdown Documentation
• v0.22.0-beta.1 Release
• v0.22.0-beta.2 Release
• v0.22.0-beta.3 Release
• Full diff from v0.21.10

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "before 12pm on Sunday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.