Skip to content

chore(deps): update all non-major dependencies#149

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/all-minor-patch
May 11, 2026
Merged

chore(deps): update all non-major dependencies#149
renovate[bot] merged 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 11, 2026

This PR contains the following updates:

Package Change Age Confidence
@typescript/native-preview (source) 7.0.0-dev.20260503.17.0.0-dev.20260510.1 age confidence
pnpm (source) 10.33.210.33.4 age confidence
tsdown (source) ^0.21.10^0.22.0 age confidence
tsdown-preset-sxzz ^0.5.0^0.6.0 age confidence

Release Notes

microsoft/typescript-go (@​typescript/native-preview)

v7.0.0-dev.20260510.1

Compare Source

v7.0.0-dev.20260509.2

Compare Source

v7.0.0-dev.20260508.1

Compare Source

v7.0.0-dev.20260507.1

Compare Source

v7.0.0-dev.20260506.1

Compare Source

v7.0.0-dev.20260505.1

Compare Source

v7.0.0-dev.20260504.1

Compare Source

pnpm/pnpm (pnpm)

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

  • Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

    A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

  • Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.33.3

Compare Source

rolldown/tsdown (tsdown)

v0.22.0

Compare Source

   🚨 Breaking Changes
  • Drop Node.js < 22.18.0 support, make unrun optional, add tsx config loader  -  by @​sxzz (a1042)
  • dts: Auto-enable dts when tsconfig declaration is true  -  by @​sxzz in #​872 (085f0)
  • publint: Use pkg from publint results, require publint v0.3.8+  -  by @​sxzz (413bb)
   🚀 Features
   🐞 Bug Fixes

🔄 Migration Guide

Node.js version

Upgrade to Node.js 22.18.0 or later. Bun and Deno remain supported (experimental).

unrun is no longer bundled

If your environment relies on the unrun config loader (i.e. you're on a Node version without native TypeScript support and use the default auto loader), install it manually:

npm i -D unrun

# or, alternatively, the new tsx loader:
npm i -D tsx

If you use Node.js 22.18.0+ with native TypeScript support, no change is needed — the auto loader will pick native.

dts auto-enabled from tsconfig

If your tsconfig.json has compilerOptions.declaration: true but you do not want tsdown to emit .d.ts files, opt out explicitly:

// tsdown.config.ts
export default defineConfig({
  dts: false,
})
exports.bin auto-detection

Any entry chunk containing a shebang (e.g. #!/usr/bin/env node) now causes tsdown to write a bin field in package.json automatically. The semantics differ slightly from explicit bin: true:

Value Single shebang Multiple shebangs No shebangs
(unset) Auto-set bin Warn, skip Silent
true Auto-set bin Throw Warn
false No bin No bin No bin

To opt out entirely:

export default defineConfig({
  exports: { bin: false },
})
Links
sxzz/tsdown-preset-sxzz (tsdown-preset-sxzz)

v0.6.0

Compare Source

   🚨 Breaking Changes
    View changes on GitHub

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@bolt-new-by-stackblitz
Copy link
Copy Markdown

bolt-new-by-stackblitz Bot commented May 11, 2026

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new Bot commented May 11, 2026
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/unplugin-macros@149

commit: 94932fe

@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 11, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedtsdown-preset-sxzz@​0.5.0 ⏵ 0.6.0681007692 +4100
Updated@​typescript/​native-preview@​7.0.0-dev.20260503.1 ⏵ 7.0.0-dev.20260510.110010082100100
Updatedtsdown@​0.21.10 ⏵ 0.22.09810088 +196 +1100

View full report

@renovate renovate Bot merged commit 301f074 into main May 11, 2026
12 checks passed
@renovate renovate Bot deleted the renovate/all-minor-patch branch May 11, 2026 04:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants