Skip to content

fix(deps): update all non-major dependencies#1282

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch
Open

fix(deps): update all non-major dependencies#1282
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence Type Update
@babel/core (source) 8.0.0-rc.68.0.1 age confidence devDependencies patch
@cloudflare/vite-plugin (source) ^1.40.2^1.44.0 age confidence devDependencies minor
@eslint/js (source) ^9.39.4^9.39.5 age confidence devDependencies patch
@playwright/test (source) ^1.61.0^1.61.1 age confidence devDependencies patch
@tailwindcss/vite (source) ^4.3.1^4.3.2 age confidence devDependencies patch
@types/node (source) ^24.13.2^24.13.3 age confidence devDependencies patch
@vitejs/release-scripts ^1.7.1^1.8.0 age confidence devDependencies minor
es-module-lexer ^2.1.0^2.3.1 age confidence dependencies minor
eslint (source) ^9.39.4^9.39.5 age confidence devDependencies patch
eslint-plugin-import-x ^4.16.2^4.17.1 age confidence devDependencies minor
eslint-plugin-regexp ^3.1.0^3.1.1 age confidence devDependencies patch
fs-extra ^11.3.5^11.3.6 age confidence devDependencies patch
globals ^17.6.0^17.7.0 age confidence devDependencies minor
oxfmt (source) ^0.55.0^0.58.0 age confidence devDependencies minor
playwright-chromium (source) ^1.61.0^1.61.1 age confidence devDependencies patch
pnpm (source) 10.34.310.34.5 age confidence packageManager patch
react-router (source) 7.17.07.18.1 age confidence dependencies minor
rolldown (source) ^1.1.1^1.1.5 age confidence devDependencies patch
srvx (source) ^0.11.16^0.11.22 age confidence dependencies patch
styled-components (source) ^6.4.2^6.4.3 age confidence dependencies patch
tailwindcss (source) ^4.3.1^4.3.2 age confidence devDependencies patch
tsdown (source) ^0.22.2^0.22.5 age confidence devDependencies patch
typescript-eslint (source) ^8.61.1^8.63.0 age confidence devDependencies minor
vite (source) ^8.0.16^8.1.4 age confidence devDependencies minor
vitest (source) ^4.1.9^4.1.10 age confidence devDependencies patch
wrangler (source) ^4.100.0^4.110.0 age confidence devDependencies minor
zizmorcore/zizmor-action v0.5.6v0.5.7 age confidence action patch

Release Notes

babel/babel (@​babel/core)

v8.0.1

Compare Source

💥 Breaking Change
  • babel-core, babel-plugin-transform-object-rest-spread, babel-plugin-transform-runtime, babel-preset-env, babel-standalone

v8.0.0

Compare Source

👓 Spec Compliance
💥 Breaking Change
  • babel-cli, babel-node, babel-plugin-proposal-decorators, babel-plugin-transform-classes, babel-plugin-transform-function-name, babel-plugin-transform-modules-commonjs, babel-plugin-transform-object-rest-spread, babel-plugin-transform-parameters, babel-plugin-transform-react-constant-elements, babel-plugin-transform-regenerator, babel-preset-env, babel-register
  • babel-plugin-transform-runtime, babel-runtime-corejs3, babel-runtime
  • babel-parser
🐛 Bug Fix
  • babel-generator
  • babel-plugin-transform-modules-systemjs
📝 Documentation
🏠 Internal
🏃‍♀️ Performance
cloudflare/workers-sdk (@​cloudflare/vite-plugin)

v1.44.0

Compare Source

Minor Changes
  • #​14535 1b965c5 Thanks @​Naapperas! - Support dynamic retry delays for Workflow steps in local dev

    A step's retries.delay can now be a function that computes the delay per failed attempt, in addition to a static duration. The function receives { ctx, error } and returns a delay (a number of milliseconds or a duration string like "30 seconds"), and its result is fed into the configured backoff.

    await step.do(
      "call flaky API",
      {
        retries: {
          limit: 5,
          backoff: "constant",
          delay: ({ ctx }) => ctx.attempt * 1000,
        },
      },
      async () => {
        /* ... */
      }
    );

    The function is invoked once per failed attempt with a 5 second timeout. If it throws, times out, or returns an invalid value, the step fails without further retries.

Patch Changes

v1.43.3

Compare Source

Patch Changes

v1.43.2

Compare Source

Patch Changes

v1.43.1

Compare Source

Patch Changes

v1.43.0

Compare Source

Minor Changes
  • #​14382 fd92d56 Thanks @​petebacondarwin! - Add support for declarative Durable Object exports

    wrangler deploy now accepts an exports map in wrangler.json as a declarative alternative to the legacy migrations array.

    Each entry in exports is keyed by Durable Object class name. type carries the export kind (currently always "durable-object"); the state field carries the lifecycle and defaults to "created" (live) when omitted:

    {
      "exports": {
        // Provision a new Durable Object class (`MyDO`)
        "MyDO": { "type": "durable-object", "storage": "sqlite" },
        // Delete Durable Object class (`OldGone`)
        "OldGone": { "type": "durable-object", "state": "deleted" },
        // Rename a Durable Object class (from `OldName` to `NewName`)
        "OldName": {
          "type": "durable-object",
          "state": "renamed",
          "renamed_to": "NewName"
        },
        "NewName": { "type": "durable-object", "storage": "sqlite" },
        // Transfer a Durable Object (`Outgoing`) to a new Worker (`target-worker`)
        "Outgoing": {
          "type": "durable-object",
          "state": "transferred",
          "transferred_to": "target-worker"
        },
        // Prepare to receive the transfer of a Durable Object (`Incoming`) from another Worker (`source-worker`)
        "Incoming": {
          "type": "durable-object",
          "state": "expecting-transfer",
          "storage": "sqlite",
          "transfer_from": "source-worker"
        }
      }
    }

    When a Worker declares Durable Object class bindings but no lifecycle for them (neither a migrations array nor an exports map), wrangler warns and now suggests a declarative exports entry for each class (previously it suggested a legacy migrations block).

    The deployment response now surfaces the server's reconciliation result — created namespaces, applied tombstones, structured per-scenario info entries, and a removable_entries hint for stale tombstones that are safe to delete from the config. Blocking errors return the structured per-class detail with scenario tags, suggested remediation, and any referencing-script context.

    wrangler versions upload also forwards exports. Declarative exports lifecycle changes are reconciled when the version is deployed (wrangler versions deploy or wrangler deploy), so a versions upload payload can declare new classes in exports without immediately provisioning them. An actor binding (durable_objects.bindings) to a class declared only in exports on the same versions upload is rejected with a clear error (code 100406) — the binding cannot be resolved until the namespace is provisioned. Either stage the new class via ctx.exports.X (no binding required) on versions upload and add the binding at deploy time, or use wrangler deploy to provision and bind in one step (the same constraint applies to the migrations flow).

    Multi-version deploys (wrangler versions deploy A@50% B@50%) where the selected versions disagree on declarative exports are rejected server-side with a clear message: deploy the version that changes exports at 100% first, then run the percentage-split deploy. This prevents traffic on one branch routing to code that references unprovisioned or just-deleted DO namespaces. Single-version (100%) deploys are unaffected.

    Local development (wrangler dev, vite dev and unstable_startWorker) reads Durable Object SQLite storage settings from the new exports field, so applications using the declarative flow get correct local-dev storage without needing to also declare a migrations block.

    @cloudflare/vitest-pool-workers also picks up Durable Object configuration from exports, so tests against an exports-only Worker run with the correct local SQLite storage and can reach unbound Durable Object classes via ctx.exports.X.

    wrangler types is also aware of exports. Live entries (including expecting-transfer, the receiving side of a two-phase transfer) are added to Cloudflare.GlobalProps.durableNamespaces, which types ctx.exports.X for unbound Durable Objects declared only via exports.

Patch Changes

v1.42.4

Compare Source

Patch Changes

v1.42.3

Compare Source

Patch Changes

v1.42.2

Compare Source

Patch Changes
  • #​14358 4ef872f Thanks @​gabivlj! - Fix container egress interception on arm64 Docker runtimes

    Both wrangler dev and the Cloudflare Vite plugin no longer force the proxy-everything sidecar image to pull as linux/amd64, allowing Docker to select the native image from the multi-platform manifest. Set MINIFLARE_CONTAINER_EGRESS_IMAGE_PLATFORM to force a specific platform when needed.

  • Updated dependencies [a085dec, 9a0de8f, fab565f, 3f02864, 4ef872f, 2a02858, e312dec]:

    • miniflare@​4.20260623.0
    • wrangler@​4.104.0

v1.42.1

Compare Source

Patch Changes
  • #​14366 c6579d3 Thanks @​jamesopstad! - Resolve relative cf-worker entrypoint imports relative to the importing module

    When loading the experimental cloudflare.config.ts, a relative entrypoint imported with import ... with { type: "cf-worker" } (e.g. ./src/index.ts) is now anchored to the module where the import is written, rather than being passed through verbatim and later resolved against the top-level config file. This fixes incorrect resolution when the import lives in a file other than the entry config — for example a config that re-exports from a nested file.

    Bare specifiers (such as @scope/pkg) and virtual modules (such as virtual:foo) are still left unresolved so that consumers can apply their own resolution.

  • Updated dependencies [c6579d3, 444b75e, b38823f, cfd6205, cfd6205]:

    • wrangler@​4.103.0
    • miniflare@​4.20260617.1

v1.42.0

Compare Source

Minor Changes
  • #​14339 aa49856 Thanks @​jamesopstad! - Add a build command to the experimental, internal cf-vite delegate binary

    cf-vite build runs Vite's full multi-environment app build (via the Builder API) and enables the experimental Build Output API by default, emitting a self-contained .cloudflare/output/v0/ directory. It forces experimental.newConfig and experimental.newConfig.cfBuildOutput on, so a cloudflare.config.ts is required at the project root.

Patch Changes
  • #​14346 e930bd4 Thanks @​haidargit! - Bump ws from 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4p

    GHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in ws@<8.21.0: a peer sending a high volume of tiny fragments and data chunks over modest network traffic can crash a ws server or client via OOM. The fix shipped in ws@8.21.0 (commit 2b2abd45, released 2026-05-22), which also introduces the maxBufferedChunks and maxFragments options. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

  • #​14351 6c7df19 Thanks @​jamesopstad! - Force the experimental new config on by default in the cf-vite dev delegate

  • #​14218 4eed569 Thanks @​matingathani! - Allow resolve.external containing only Node.js built-ins in Worker environments

    Vitest 4 automatically sets resolve.external to the full list of Node.js built-in modules for non-standard Vite environments via its internal runnerTransform plugin. Previously, the Cloudflare Vite plugin rejected any non-empty resolve.external array, throwing an incompatibility error on startup when used alongside Vitest 4.

    The validation check now allows resolve.external arrays that contain only Node.js built-in module names (both bare fs and node:fs forms). The error is only thrown when resolve.external is true or contains non-built-in package names that would prevent user code from being bundled into the Worker.

  • Updated dependencies [673b09e, e930bd4, f6e49dd, 5c3bb11, 296ad65, 594544d, a79b899, 5dfb788, ca61558, 36777db]:

    • miniflare@​4.20260617.0
    • wrangler@​4.102.0

v1.41.0

Compare Source

Minor Changes
  • #​14279 e6e4b07 Thanks @​jamesopstad! - Add experimental.newConfig.cfBuildOutput option to support future deployments via the cf CLI

    // vite.config.ts
    import { defineConfig } from "vite";
    import { cloudflare } from "@&#8203;cloudflare/vite-plugin";
    
    export default defineConfig({
      plugins: [
        cloudflare({
          experimental: {
            newConfig: {
              cfBuildOutput: true,
            },
          },
        }),
      ],
    });
Patch Changes
eslint/eslint (@​eslint/js)

v9.39.5

Compare Source

microsoft/playwright (@​playwright/test)

v1.61.1

Compare Source

tailwindlabs/tailwindcss (@​tailwindcss/vite)

v4.3.2

Compare Source

Fixed
  • Support bare spacing values for auto-rows-* and auto-cols-* utilities (e.g. auto-rows-12 and auto-cols-16) (#​20229)
  • Prevent @tailwindcss/cli in --watch mode from crashing on Windows when @source points to a directory that doesn't exist (#​20242)
  • Prevent @tailwindcss/vite from crashing in Deno v2.8.x when context.parentURL is not a valid URL (#​20245)
  • Ensure @tailwindcss/cli in --watch mode rebuilds when the input CSS file changes in an ignored directory (#​20246)
  • Allow @variant rules used in addBase(…) to use custom variants defined later (#​20247)
  • Prevent @tailwindcss/vite from crashing during HMR when scanned files or directories are deleted (#​20259)
  • Generate font-size instead of color declarations for text-[--spacing(…)] (#​20260)
  • Prevent @source patterns from scanning unrelated sibling files and folders (#​20263)
  • Extract class candidates adjacent to Template Toolkit delimiters like %]…[% in .tt, .tt2, and .tx files (#​20269)
  • Extract class candidates from conditional Maud syntax like p.text-black[condition] (#​20269)
  • Prevent @position-try rules from triggering unknown at-rule warnings when optimizing CSS (#​20277)
  • Support class suggestions for named opacity modifiers from --opacity theme values (#​20287)
  • Prevent type errors in @tailwindcss/postcss when used with newer PostCSS patch releases (#​20289)
vitejs/release-scripts (@​vitejs/release-scripts)

v1.8.0

Compare Source

guybedford/es-module-lexer (es-module-lexer)

v2.3.1

Compare Source

What's Changed

Full Changelog: guybedford/es-module-lexer@2.3.0...2.3.1

v2.3.0

Compare Source

v2.2.0

Compare Source

What's Changed

New Contributors

Full Changelog: guybedford/es-module-lexer@2.1.0...2.2.0

eslint/eslint (eslint)

v9.39.5

Compare Source

un-ts/eslint-plugin-import-x (eslint-plugin-import-x)

v4.17.1

Compare Source

Patch Changes
  • #​498 cf25a01 Thanks @​marcalexiei! - fix(extensions): don't require an extension for package subpaths that resolve to a .d.ts (e.g. vitest/config)

v4.17.0

Compare Source

Minor Changes
  • #​474 4b2c0c5 Thanks @​regseb! - Support RegExp in the import-x/ignore setting and the ignore option of the no-unresolved rule.
Patch Changes
  • #​494 1c84235 Thanks @​morgan-coded! - Fixed no-unresolved crashing when case-sensitive path checks encounter EACCES or EPERM on an ancestor directory.

  • #​481 3e13121 Thanks @​B4nan! - fix: memoize legacyNodeResolve resolver to avoid native memory leak

  • #​484 9a07009 Thanks @​sairus2k! - Make the extensions rule check Node.js subpath imports (specifiers starting with #, e.g. #utils/helper). Previously parsePath treated a leading # as a URL hash fragment, so the rule skipped extension validation for these imports.

    Note: single-segment subpath imports without a slash (e.g. #dep) are still skipped by the existing external-root-module classification; fixing that is deferred to avoid expanding scope.

  • #​468 240ed58 Thanks @​silverwind! - Make extensions handle .d.ts correctly

  • #​479 e3cc7e4 Thanks @​mrginglymus! - fix: strip querystrings and hash fragments when checking for file existence

  • #​476 fce29b1 Thanks @​nbouvrette! - fix(deps): replace @​package-json/types with an inline minimal type

ota-meshi/eslint-plugin-regexp (eslint-plugin-regexp)

v3.1.1

Compare Source

Patch Changes
  • Handle matchAll().toArray() capture usage (#​992)
jprichardson/node-fs-extra (fs-extra)

v11.3.6

Compare Source

sindresorhus/globals (globals)

v17.7.0

Compare Source

oxc-project/oxc (oxfmt)

v0.58.0

Compare Source

v0.57.0

Compare Source

v0.56.0

Compare Source

pnpm/pnpm (pnpm)

v10.34.5

Compare Source

v10.34.4: pnpm 10.34.4

Compare Source

Patch Changes
  • 352ae48: Security: validate config dependency names and versions before using them to build filesystem paths. A pnpm-workspace.yaml with a traversal-shaped configDependencies name (such as ../../PWNED) or version (such as ../../../PWNED) could previously cause pnpm install to create symlinks or write package files outside node_modules/.pnpm-config and the store. Names must now be valid npm package names and versions must be exact semver versions. See GHSA-qrv3-253h-g69c.

  • 352ae48: Reject path-traversal and reserved dependency aliases (such as ../../../escape, .bin, .pnpm, or node_modules) that come from a lockfile rather than a freshly resolved manifest. A crafted lockfile alias could otherwise be joined directly under a hoisted node_modules directory, letting package files be written outside the intended install root or overwrite pnpm-owned layout.

    The nodeLinker: hoisted graph builder now validates each alias at the directory sink (safeJoinModulesDir), matching the validation pnpm already performs when resolving aliases from manifests. See GHSA-fr4h-3cph-29xv.

  • 352ae48: Prevent pnpm patch-remove from removing files outside the configured patches directory.

  • 217fbe0: Hardened the warning printed when a project .npmrc uses environment variables in registry/auth settings: the suggested pnpm config set command is now only included for keys made up of shell-inert characters. Because the key comes from a repository-controlled .npmrc and a shell expands $(...), backticks, and $VAR even inside double quotes, a crafted key could otherwise have turned the suggested copy-paste command into command execution.

Platinum Sponsors
config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants