chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@sxzz/eslint-config	^3.8.7 -> ^3.9.0
@types/node (source)	^20.12.2 -> ^20.12.6
magic-string	^0.30.8 -> ^0.30.9
pnpm (source)	8.15.5 -> 8.15.6
rolldown (source)	0.10.0 -> 0.10.1
rollup (source)	^4.13.2 -> ^4.14.1
tsx	^4.7.1 -> ^4.7.2
typescript (source)	^5.4.3 -> ^5.4.4
vite (source)	^5.2.7 -> ^5.2.8

---

Release Notes

sxzz/eslint-config (@​sxzz/eslint-config)

v3.9.0

Compare Source

Minor Changes

• Replace eslint-plugin-i with eslint-plugin-import-x for supporting ESLint v9.

---

   🚀 Features

• unicorn: Enable promise lint  -  by @​sxzz (46458)

   🐞 Bug Fixes

• deps:
  • Update dependency globals to v15  -  by @​renovate[bot] inhttps://github.com/sxzz/eslint-config/issues/700 (6f282)
  • Update dependency eslint-plugin-unicorn to v52  -  by @​renovate[bot] inhttps://github.com/sxzz/eslint-config/issues/722 (66574)

    View changes on GitHub

rich-harris/magic-string (magic-string)

v0.30.9

Compare Source

Performance Improvements

• avoid create uncessary overrides for replace (a1b857c)

pnpm/pnpm (pnpm)

v8.15.6

Compare Source

Patch Changes

• The exit code of the child process should be preserved on pnpm run #​7817.
• When sorting packages in a workspace, take into account workspace dependencies specified as peerDependencies #​7813.
• Add --ignore-scripts argument to prune command #​7836.

Platinum Sponsors

Gold Sponsors

Silver Sponsors

rolldown/rolldown (rolldown)

v0.10.1

Compare Source

Bug Fixes

• rolldown node api should create graph (#​302) (c7749ba)
• A Symbol should only be declared in one chunk (#​338) (340cd27)
• add identifier for export default function without identifer (#​81) (e84cde7)
• add stmt info declare symbol for resolution found symbol (#​91) (50e191a)
• align with rollup, change output.format: 'esm' to output.format: 'es' (#​625) (70b6cfd)
• allow cjs to be both entry and dependency (#​336) (d53155b)
• async_scope_block_on (#​210) (51f1be1)
• bench/ci: use correctly github repo token (049566e)
• binding: only panic in the main thread (#​507) (d844125)
• build script pkgName parsing error (#​546) (0d6582f)
• bump to [email protected] (1af4b86)
• ci release (#​428) (483e533)
• ci: don't forget to checkout (fc231b8)
• ci: fix release-canary.yml (6fc0430)
• ci: fix testing in release.yml (#​651) (6e68b1a)
• ci: need to checkout for using local actions (bb87f9a)
• clean up render exports from external module (#​394) (e51a69a)
• cli: Make the CLI output color correctly (#​645) (c19c8dc)
• cli: normalize provided config path to satisfy esm-loader in windows (#​658) (be0540d)
• clippy (#​4) (f028cff)
• conflict between imported and local binding (#​356) (7387e35), closes #​355
• correct id in transform hook (#​473) (7af0262)
• correct the TS type of the banner ts-binding (#​689) (a072a00)
• deconflict export named declartion (#​386) (21aaa36)
• deconflict for duplicate canonical names (#​365) (eebea46), closes #​364
• defonflict export default function (#​385) (518aa5f)
• determine call expression result is used to render require call (#​144) (85224ea)
• don't rename symbols that show many times. Fixes #​419 (f985755)
• duplicate dynamic entries (#​380) (6067e74)
• dynamic import as entry (#​366) (8d33829)
• dynamic import chunk is_entry should be false (#​361) (6f2b75a)
• ensure valid output for import the same cjs twice (#​323) (87b5000)
• expect msg (#​456) (11e5598)
• export rolldown compat types (#​337) (3efa4fd)
• fix typo in README.md (#​443) (8ad8174)
• generate local symbol for esm import cjs instead of reference cjs namespace symbol (#​141) (5c53415)
• hoist statements. Fixes #​418 (276bbae)
• hoisted import declaration (#​80) (569409d)
• hoisted top level scope declartion for wrapped esm (#​387) (ec20c03)
• invalid output for conflict global and local name (#​359) (d464eee)
• keep the context of function call while deconflict symbols (7401a05)
• make sure namespace name is valid identifier (#​107) (d3c81aa)
• module execute order (#​148) (7ef1c20)
• more meaningful chunk filename (#​381) (47b4b6d), closes #​49
• node-bench: apply @rollup/plugin-commonjs on rollup (#​523) (181422a)
• node/types: resolve.alias should be optional (ee10a4f)
• only import needed runtime symbols (#​324) (51db31f), closes /github.com/rolldown-rs/rolldown/pull/319#discussion_r1398069930
• only pull out __export() when it's needed (670dbb6)
• packages/core: allow empty OutputOptions.format (#​224) (0a79036)
• packages/core: make outputOptions optional (#​223) (b2439b1)
• playground panic (#​263) (f97bea0)
• reexport star from local named export (#​290) (77c77ec)
• release: make prepare-publish-node folder (14d2cd5)
• release: remove build steps for android platform (161ef5f)
• rename in SimpleAssignmentTarget (1d24efc)
• rewrite AssignmentTargetProperty (5605fc2)
• rewrite object shorthand property reference (#​384) (9f3332b)
• rewrite unresolved symbol reference callee to indirect call (#​94) (6284028)
• rolldown example root is empty in debug mode (#​582) (88f61e8)
• runtime module should always be the first to be executed (#​116) (883168f)
• rust: fix bench for react by removing a lot of unsafe (#​522) (71da395)
• rust: remove RUNTIME_PATH (#​274) (c93a2fb)
• rust: should not hard code output.dir (37ded97)
• shoud accept args for just bump packages (778ae11)
• should correctly render export default xxx (#​377) (7fa642f)
• should rewrite export default import(...) correctly (#​220) (cd8ad5e)
• stable generated exports (#​313) (526a04b)
• support browser filed false value (#​395) (c3a82a4)
• top level await fix compile error (#​226) (ac60fdf)
• treeshaking: spreading an expression is consider having side effect (#​509) (d094d56)
• typo in README.md (#​458) (24a4018)
• use the same Resolver everywhere (#​253) (cbcee58)
• using vec to keep input options order (#​217) (4e4f20a)
• warpped require module (#​79) (ee9a682)
• wrong rolldown test config priority (#​642) (9490e31)

Features

• add (#​124) (ca07f3e)
• add ChunkRenderReturn struct to make code clear (87f02c2)
• add ExportsKind::None (#​315) (efdd252)
• add generateBundle hook (#​403) (21fe501)
• add OutputChunk is_entry and facade_module_id (#​230) (8fcfda3)
• add PluginContext#resolve (#​670) (43f5173)
• add referenced_symbols to StmtInfo (#​75) (465e6e7)
• add Renamer (#​123) (7709cd4)
• add resolve option (#​392) (cd52449)
• add RuntimeNormalModuleTask (#​40) (2401386)
• add banner output option (#​634) (60331fb)
• add basic renderChunk hook (#​401) (b7ea28b)
• add buildStart buildEnd hook (#​208) (e878c3b)
• add external option (#​259) (a80db39)
• add footer output option (#​693) (ca51a6b)
• add indentor for inserted code (#​159) (eaebf11)
• add native plugin example (#​262) (246693f)
• add node binding (#​50) (9391f16)
• add output chunk isDynamicEntry (#​373) (7f0e987)
• add OutputAsset (#​231) (42420d7)
• add OutputChunk exports (#​241) (46fe0bf)
• add OutputChunk map and sourcemapFileName (#​626) (3135778)
• add OutputChunk modules (#​240) (ccf06fe)
• add plugin adapter (#​53) (6438255)
• add PluginDriver (#​198) (526f896)
• add PluginDriver resolve_id (#​204) (1f0b4f2)
• add resolve_id hook options, include kind and is_entry (#​218) (763dedb)
• add rolldown_fs crate (#​173) (583c858)
• add side effect detection for most of the statements (#​555) (ec43f04)
• add sourcemap (#​420) (d6a0efd)
• add sourcemap option (#​424) (2f7c61b)
• add ViteScannerPlugin (#​261) (3d8aff7)
• add writeBundle hook (#​405) (683416a)
• allow custom require (#​170) (d792da2)
• allow to get current StmtInfo in visiting ast (#​370) (d962268)
• allow to use node module specifier as the bundle input (#​211) (51da74c)
• ast-based manipulation (#​410) (6f4bfed)
• basic code splitting (#​23) (74a7ccf)
• basic code splitting (#​97) (395abb8)
• basic commonjs support (#​38) (d40c919)
• basic error mechanism (#​150) (0c9ab02)
• basic support for generateBundle and writeBundle (#​708) (343cfb9)
• basic support for importing external module (#​168) (6d7e891)
• basic treeshaking (#​372) (b240923), closes #​16
• basic warning mechanism (#​332) (84697ce), closes #​331
• better display for errors and warnings (#​679) (8864a39)
• call PluginDriver load to get source content (#​199) (01b3563)
• call PluginDriver transform (#​202) (42cdd61)
• ci: add release-semver.yml (bb27d40)
• ci: add release workflow (#​409) (85c1b9e)
• cli: user-friendly console output of chunk information (#​727) (4b461cf)
• code splitting rely on tree shaking. Closes #​390 (5e7491e)
• code spltting for dynamic import (#​27) (6cd5c8e)
• collect errors from NormalModuleTask (#​298) (4d7d595)
• compat node module commonjs interop (#​56) (58c2786)
• compute cross chunk links in parallel. Closes #​354 (5844943)
• concat sourcemap (#​423) (f10dac8)
• correct indent for generated code (#​160) (21a70c2)
• correct indent for wrapped cjs module (#​161) (58dff4e)
• crates/rolldown: expose build api (#​266) (4430a89)
• create cross-chunk links for runtime module and facade symbols (#​114) (0c1e164)
• deconflict symbols in nested scopes in parallel (b3c5e01)
• deconflicting for symbols of nested scopes (#​188) (42a2421)
• detect side effects in ConditionalExpression (#​552) (4ec29f7)
• don't render empty module. Closes #​440, #​162 (b310a9a)
• emit warning for const assign code (#​538) (f7ec1b5)
• empty module should have ExportsKind::None (#​317) (b15ff14)
• enable bare import by default (#​284) (833dfc6)
• enable tree shaking in rust by default (#​501) (ee08ea8)
• exclude modules in code splitting (#​383) (ec60aca)
• expose cwd in input options (#​692) (ba42b29)
• extract html scripts at vite scanner plugin (#​268) (1045b0b)
• finish bench use @​rolldown/core (#​234) (aa7982b)
• follow virtual module convention (#​39) (a264b4a)
• generate cross chunk imports by usages (d9ccdb7)
• generate default export for cjs entry (#​219) (699fc5d)
• generate module namespace binding on demand (#​126) (e09002f)
• generate namespace decl (62768fe)
• generate sourcemap (#​425) (da9db71)
• generate the namespace variable on demand (44d5aa8)
• hoist exported function declaration (#​73) (f530305)
• impl Extend for BatchedErrors (e22acce)
• improve SideEffectDetector (#​497) (04a1e3c)
• improve side effect detection (#​534) (f38e7a0)
• improve side-effect detection of MemberExpression (#​374) (abbc8aa)
• introduce ChunkGraph (#​90) (0f7c82c)
• introduce rolldown_rstr (a97e444), closes #​427
• introduce trait BuildErrorLike (#​327) (158b11d)
• introduce helper method visit_top_level_stmt while visiting ast (#​371) (7bc5f92)
• make BuildError newtype (#​326) (475907e)
• make sure chunks are evaluated for their side effects (db6ac0a)
• migrate from yarn to pnpm (#​567) (fbe32d2)
• node/plugin: improve compatibility with rollup-plugin-esbuild (#​711) (73f4c5e)
• node: add scan api (#​340) (ba5257a)
• node: export some types (#​283) (aea91ab)
• only split runtime module into runtime chunk in rust test (#​117) (7d56461)
• only start including modules with entry point in tree shaking (f5b920d)
• output code block should be readonly (#​267) (629fd35)
• parsing with correct SourceType (#​179) (aeaf38b)
• plugin: basic support for buildStart,resolveId,buildEnd,load,transform,renderChunk hook (#​680) (3dd1d7c)
• prepare supporting runtime (#​37) (cd4899f)
• print fancy messages for errors (#​329) (8751ee4)
• reexport commonjs (#​87) (20271ad)
• refactor Symbols and remove a lot of ReferenceId (#​93) (5b980d5)
• rely on the standalone copy of rollup types. Closes #​439 (e231e14)
• remove build api (65b9bd6)
• remove VirtualStmtInfo (#​99) (344be1a)
• remove special tree shaking logic for entry point (ba046e6)
• rename vitest.config.ts to avoid warning; add empty caseConfig … (#​561) (da06dde)
• render chunk hook binding (#​402) (25fca9d)
• replace SymbolId with SymbolRef (#​95) (9c90067)
• resolve: more sensible default resolve options (#​606) (7ae8435)
• restrict typings and refactor RenderedModule (#​503) (1cc0fbe)
• rolldown cli first implementation (#​610) (c82e59d)
• runtime symbol deconflict (#​54) (0fc1d3a), closes #​59
• rust-plugin: pass PluginContext to JS (#​628) (e4d33fd)
• rust: add OutputFormat::Cjs (#​358) (44c6331), closes #​45
• rust: add print in OxcCompiler (#​281) (ad962af)
• rust: don't generate sourcemap for virtual modules (#​733) (b546e8f)
• rust: rendering runtime module in snapshot testing (#​375) (3cb39a2)
• rust: return errors from NormalModuleTask#resolve_dependencies (#​270) (fdbf290)
• rust: should create bundler with InputOptions and OutputOptions together (#​596) (d2c63d7)
• Setup nightly releases (#​579) (14797aa)
• setup rolldown node test (#​307) (7638193)
• should rewrite symbols in complex patterns correctly (#​193) (e267018)
• store source in BuildError (#​328) (c34d3cd)
• support enabling tracing (#​291) (8310a17), closes /github.com/rolldown-rs/rolldown/blob/6601e8863d8934f18f7b1aa9b44867aba854b6f4/crates/rolldown_tracing/src/lib.rs#L1-L6
• support export star commonjs (#​85) (07b8c03)
• support generating source map (#​607) (f2dcda2)
• support mix cjs and esm (#​76) (22794c3)
• support tree shaking (6e32999)
• suppport load hook return map ([#

---

Configuration

📅 Schedule: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@sxzz/[email protected]	environment Transitive: eval, filesystem, shell, unsafe	+189	29.8 MB	sxzz
npm/[email protected]	None	+1	498 kB	antfu
npm/[email protected]	environment, filesystem	+1	2.29 MB	lukastaegert
npm/[email protected]	Transitive: environment, filesystem, network, shell, unsafe	+3	641 kB	hirokiosame
npm/[email protected]	None	0	32.4 MB	typescript-bot
npm/[email protected]	environment, eval, filesystem, network, shell, unsafe	+4	3.93 MB	vitebot

🚮 Removed packages: npm/@sxzz/[email protected], npm/@types/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Potential typo squat	npm/[email protected]	Did you mean: eslint-plugin-import~~-x~~ (900 times more downloads)	package.json pnpm-lock.yaml

View full report↗︎

Next steps

What is a typosquat?

Package name is similar to other popular packages and may not be the package you want.

Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/[email protected]

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.