chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@types/node (source)	^25.0.3 → ^25.0.6
pnpm (source)	10.27.0 → 10.28.0
rolldown (source)	1.0.0-beta.58 → 1.0.0-beta.59
rollup (source)	^4.54.0 → ^4.55.1
tsdown (source)	^0.18.4 → ^0.19.0
vite (source)	^7.3.0 → ^7.3.1

---

Release Notes

pnpm/pnpm (pnpm)

v10.28.0

Compare Source

rolldown/rolldown (rolldown)

v1.0.0-beta.59

Compare Source

🚀 Features

• plugin_timings: add 3s threshold and doc link to warning message (#​7741) by @​shulaoda
• improve treeshaking logic to handle empty parameter list in dynamic import .then() callbacks (#​7781) by @​Copilot
• dev/lazy: don't include already executed modules (#​7745) by @​hyf0
• dev/lazy: support dynamic import(..) (#​7726) by @​hyf0
• inline dynamic imports that imports statically imported modules (#​7742) by @​IWANABETHATGUY
• option: add experimental option to control chunk optimization (#​7738) by @​IWANABETHATGUY

🐛 Bug Fixes

• inline dynamic entry to user defined entry with esm wrap kind (#​7783) by @​IWANABETHATGUY
• use canonical namespace reference for property access (#​7777) by @​IWANABETHATGUY
• dynamic entry merged into common chunk with cjs and esm wrap kind (#​7771) by @​IWANABETHATGUY
• tla: should not await non-tla-related modules (#​7768) by @​hyf0
• dynamic entry captured by common chunk with CJS format (#​7757) by @​IWANABETHATGUY
• module_loader: mark emitted chunks as user-defined entry when already loaded (#​7765) by @​shulaoda
• normalize preserveModulesRoot path (#​7737) by @​IWANABETHATGUY
• linker: resolve race condition in side effects computation for export-star (#​7728) by @​camc314

🚜 Refactor

• plugin_timings: filter out plugins with duration < 1s from timing warnings (#​7785) by @​shulaoda
• module_loader: remove unnecessary collect before extend (#​7769) by @​shulaoda
• rename _id suffixes to _idx for oxc_index types (#​7767) by @​IWANABETHATGUY
• remove duplicate preserve_entry_signatures from AddEntryModuleMsg (#​7762) by @​shulaoda
• module_loader: pass user_defined_entries by reference (#​7756) by @​shulaoda
• dev/lazy: get proxy entry's ResolvedId correctly (#​7746) by @​hyf0
• simplify try_rewrite_import_expression control flow (#​7753) by @​IWANABETHATGUY
• module_loader: remove unnecessary dynamic import handling for runtime module (#​7754) by @​shulaoda
• inline __toDynamicImportESM (#​7747) by @​IWANABETHATGUY
• use From impl for ModuleLoaderOutput conversion (#​7732) by @​shulaoda
• remove duplicate fields from ModuleLoader (#​7731) by @​shulaoda
• tweak resolve_user_defined_entries (#​7727) by @​shulaoda

📚 Documentation

• add rolldown-string reference to native MagicString compatibility section (#​7778) by @​Copilot
• improve comments for export star side effects handling (#​7730) by @​IWANABETHATGUY

🧪 Testing

• use assertion instead of console.log for some testcase (#​7744) by @​IWANABETHATGUY

⚙️ Miscellaneous Tasks

• tweak some output.dynamicImportInCjs related rollup test results (#​7776) by @​sapphi-red
• mark esbuild/dce/dce_of_symbol_ctor_call as passed (#​7775) by @​sapphi-red
• deps: update oxc apps (#​7772) by @​renovate[bot]
• vite-tests: allow running on PRs with test: vite-tests label (#​7770) by @​shulaoda
• deps: update oxc apps (#​7760) by @​renovate[bot]
• deps: update rollup submodule for tests to v4.55.1 (#​7763) by @​sapphi-red
• deps: update test262 submodule for tests (#​7764) by @​sapphi-red
• deps: update oxc to v0.107.0 (#​7758) by @​camc314
• deps: update taiki-e/install-action action to v2.65.13 (#​7751) by @​renovate[bot]
• deps: update rust crates (#​7750) by @​renovate[bot]
• deps: update npm packages (#​7749) by @​renovate[bot]
• deps: update github-actions (#​7748) by @​renovate[bot]
• deps: update dependency oxlint-tsgolint to v0.10.1 (#​7729) by @​renovate[bot]
• deps: update crate-ci/typos action to v1.41.0 (#​7725) by @​renovate[bot]

rollup/rollup (rollup)

v4.55.1

Compare Source

2026-01-05

Bug Fixes

• Fix artifact reference for OpenBSD (#​6231)

Pull Requests

• #​6231: Fix OpenBSD artifacts and ensure OIDC is working (@​lukastaegert)

rolldown/tsdown (tsdown)

v0.19.0

Compare Source

   🚨 Breaking Changes

• Rename debugLogs to debug  -  by @​sxzz (bb4e7)
• Remove deprecated silent option  -  by @​sxzz (59015)
• devtools:
  • Rename debug to devtools, rename debug.devtools to devtools.ui  -  by @​sxzz (63e6f)
• exports:
  • Add legacy option, remove main & module fields if pure ESM  -  by @​sxzz (16841)
  • Exclude extension name for exports.exclude  -  by @​sxzz (53d38)
  • Only auto-fill types when exports.legacy  -  by @​lishaduck and @​sxzz in #​685 (7be6b)

   🚀 Features

• Add typeAssert util back  -  by @​sxzz (1d385)
• Generate CSS exports when css.splitting is disabled  -  by @​jinghaihan and @​sxzz in #​680 (b737c)
• Upgrade rolldown to 1.0.0-beta.58  -  by @​sxzz (48036)
• Expose enableDebug  -  by @​sxzz (2d922)
• Expose resolveUserConfig  -  by @​sxzz (c9acb)
• Upgrade rolldown to 1.0.0-beta.59  -  by @​sxzz (d564f)
• Clear console on rebuild start  -  by @​sxzz (78efd)
• migrate: Add monorepo support  -  by @​lauigi and @​sxzz in #​659 (efba2)

   🐞 Bug Fixes

• Print blank line only when the log level is info  -  by @​tomgao365 in #​689 (96d82)
• attw: Add --ignore-scripts to avoid lifecycle output  -  by @​Doctor-wu in #​661 (1c8b1)
• cjs: Update version check for require ESM support  -  by @​sxzz (beeff)

   🏎 Performance

• Optimize hot paths  -  by @​sxzz (7925d)

    View changes on GitHub

vitejs/vite (vite)

v7.3.1

Compare Source

Please refer to CHANGELOG.md for details.

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	rolldown@​1.0.0-beta.58 ⏵ 1.0.0-beta.59	+1		+1
	@​types/​node@​25.0.3 ⏵ 25.0.6	+1		+1
	vite@​7.3.0 ⏵ 7.3.1			+1
	rollup@​4.54.0 ⏵ 4.55.1
	tsdown@​0.18.4 ⏵ 0.19.0	+1		+1	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm unrun is 98.0% likely obfuscated Confidence: 0.98 Location: Package overview From: pnpm-lock.yaml → npm/tsdown@0.19.0 → npm/unrun@0.2.24 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/unrun@0.2.24. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/unplugin-replace@74

commit: fd4041a