chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@rspack/core (source)	^1.1.6 -> ^1.1.8
@types/node (source)	^22.10.2 -> ^22.10.5
bumpp	^9.9.0 -> ^9.9.2
esbuild	^0.24.0 -> ^0.24.2
eslint (source)	^9.16.0 -> ^9.17.0
fast-glob	^3.3.2 -> ^3.3.3
pnpm (source)	9.9.0 -> 9.15.3
rollup (source)	^4.28.1 -> ^4.30.0
vite (source)	^6.0.3 -> ^6.0.7

---

Release Notes

web-infra-dev/rspack (@​rspack/core)

v1.1.8

Security Vulnerability Report

Overview

This is a re-release version of v1.1.6

On 12/19/2024, 02:01 (UTC), we discovered that our npm packages @rspack/core and @rspack/cli were maliciously attacked. The attacker released v1.1.7 using a compromised npm token, which contained malicious code. We took immediate action upon discovering the issue.

Impact

• Affected versions: @rspack/core and @rspack/cli v1.1.7
• Duration: 12/19/2024, 02:01 (UTC), lasting approximately 1 hour
• Malicious code impact: After npm install, the postinstall script in package.json runs malicious code in dist/util/support.js. See Malicious code analysis for more details.

Actions Taken

Upon discovery, we immediately deprecated the affected v1.1.7, redirected the npm latest tag to v1.1.6, and reset all related tokens.
Subsequently, we released a secure new version v1.1.8.

Recommended Actions

If you installed v1.1.7 during the affected period, please:

1. Update to the latest safe version immediately: @rspack/core and @rspack/cli to >= 1.1.8
2. Check your system for any unusual activity

Apology and Commitment

We deeply apologize for the risks caused by this incident. To prevent similar incidents from happening again, we will implement stricter token management protocols and enhance our security review processes.

If you have any questions or discover any suspicious activity, please create an issue or send an email to: web-infra-security@bytedance.com

We will continue to follow and respond to community feedback.

antfu/bumpp (bumpp)

v9.9.2

Compare Source

No significant changes

    View changes on GitHub

v9.9.1

Compare Source

   🐞 Bug Fixes

• --exec ENOENT tinyexec args, close #​62  -  by @​YunYouJun and @​antfu in https://github.com/antfu-collective/bumpp/issues/63 and https://github.com/antfu-collective/bumpp/issues/62 (1eda3)

    View changes on GitHub

evanw/esbuild (esbuild)

v0.24.2

Compare Source

• Fix regression with --define and import.meta (#​4010, #​4012, #​4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

v0.24.1

Compare Source

• Allow es2024 as a target in tsconfig.json (#​4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#​4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

  // The following code now transforms to "return true;\n"
  console.log(esbuild.transformSync(
    `return process.env['SOME-TEST-VAR']`,
    { define: { 'process.env["SOME-TEST-VAR"]': 'true' } },
  ))

  Note that if you're passing values like this on the command line using esbuild's --define flag, then you'll need to know how to escape quote characters for your shell. You may find esbuild's JavaScript API more ergonomic and portable than writing shell code.

• Minify empty try/catch/finally blocks (#​4003)

  With this release, esbuild will now attempt to minify empty try blocks:

  // Original code
  try {} catch { foo() } finally { bar() }
  
  // Old output (with --minify)
  try{}catch{foo()}finally{bar()}
  
  // New output (with --minify)
  bar();

  This can sometimes expose additional minification opportunities.

• Include entryPoint metadata for the copy loader (#​3985)

  Almost all entry points already include a entryPoint field in the outputs map in esbuild's build metadata. However, this wasn't the case for the copy loader as that loader is a special-case that doesn't behave like other loaders. This release adds the entryPoint field in this case.

• Source mappings may now contain null entries (#​3310, #​3878)

  With this change, sources that result in an empty source map may now emit a null source mapping (i.e. one with a generated position but without a source index or original position). This change improves source map accuracy by fixing a problem where minified code from a source without any source mappings could potentially still be associated with a mapping from another source file earlier in the generated output on the same minified line. It manifests as nonsensical files in source mapped stack traces. Now the null mapping "resets" the source map so that any lookups into the minified code without any mappings resolves to null (which appears as the output file in stack traces) instead of the incorrect source file.

  This change shouldn't affect anything in most situations. I'm only mentioning it in the release notes in case it introduces a bug with source mapping. It's part of a work-in-progress future feature that will let you omit certain unimportant files from the generated source map to reduce source map size.

• Avoid using the parent directory name for determinism (#​3998)

  To make generated code more readable, esbuild includes the name of the source file when generating certain variable names within the file. Specifically bundling a CommonJS file generates a variable to store the lazily-evaluated module initializer. However, if a file is named index.js (or with a different extension), esbuild will use the name of the parent directory instead for a better name (since many packages have files all named index.js but have unique directory names).

  This is problematic when the bundle entry point is named index.js and the parent directory name is non-deterministic (e.g. a temporary directory created by a build script). To avoid non-determinism in esbuild's output, esbuild will now use index instead of the parent directory in this case. Specifically this will happen if the parent directory is equal to esbuild's outbase API option, which defaults to the lowest common ancestor of all user-specified entry point paths.

• Experimental support for esbuild on NetBSD (#​3974)

  With this release, esbuild now has a published binary executable for NetBSD in the @esbuild/netbsd-arm64 npm package, and esbuild's installer has been modified to attempt to use it when on NetBSD. Hopefully this makes installing esbuild via npm work on NetBSD. This change was contributed by @​bsiegert.

  ⚠️ Note: NetBSD is not one of Node's supported platforms, so installing esbuild may or may not work on NetBSD depending on how Node has been patched. This is not a problem with esbuild. ⚠️

eslint/eslint (eslint)

v9.17.0

Compare Source

mrmlnc/fast-glob (fast-glob)

v3.3.3

Compare Source

pnpm/pnpm (pnpm)

v9.15.3

Compare Source

v9.15.2: pnpm 9.15.2

Compare Source

Patch Changes

• Fixed publish/pack error with workspace dependencies with relative paths #​8904. It was broken in v9.4.0 (398472c).
• Use double quotes in the command suggestion by pnpm patch on Windows #​7546.
• Do not fall back to SSH, when resolving a git-hosted package if git ls-remote works via HTTPS #​8906.
• Improve how packages with blocked lifecycle scripts are reported during installation. Always print the list of ignored scripts at the end of the output. Include a hint about how to allow the execution of those packages.

Platinum Sponsors

Gold Sponsors

v9.15.1

Compare Source

v9.15.0

Compare Source

v9.14.4

Compare Source

v9.14.3

Compare Source

v9.14.2

Compare Source

Patch Changes

• pnpm publish --json should work #​8788.

Platinum Sponsors

Gold Sponsors

v9.14.1

Compare Source

Minor Changes

• Added support for pnpm pack --json to print packed tarball and contents in JSON format #​8765.

Patch Changes

• pnpm exec should print a meaningful error message when no command is provided #​8752.
• pnpm setup should remove the CLI from the target location before moving the new binary #​8173.
• Fix ERR_PNPM_TARBALL_EXTRACT error while installing a dependency from GitHub having a slash in branch name #​7697.
• Don't crash if the use-node-version setting is used and the system has no Node.js installed #​8769.
• Convert settings in local .npmrc files to their correct types. For instance, child-concurrency should be a number, not a string #​5075.
• pnpm should fail if a project requires a different package manager even if manage-package-manager-versions is set to true.
• pnpm init should respect the --dir option #​8768.

Platinum Sponsors

Gold Sponsors

v9.14.0

Compare Source

v9.13.2: pnpm 9.13.2

Compare Source

Patch Changes

• Detection of circular peer dependencies should not crash with aliased dependencies #​8759. Fixes a regression introduced in the previous version.
• Fix race condition of symlink creations caused by multiple parallel dlx processes.

Platinum Sponsors

Gold Sponsors

Silver Sponsors

v9.13.1: pnpm 9.13.1

Compare Source

Patch Changes

• Fixed some edge cases where resolving circular peer dependencies caused a dead lock #​8720.

Platinum Sponsors

Gold Sponsors

Silver Sponsors

v9.13.0: pnpm 9.13

Compare Source

Minor Changes

• The self-update now accepts a version specifier to install a specific version of pnpm. E.g.:

  pnpm self-update 9.5.0
  

  or

  pnpm self-update next-10
  

Patch Changes

• Fix Cannot read properties of undefined (reading 'name') that is printed while trying to render the missing peer dependencies warning message #​8538.

Platinum Sponsors

Gold Sponsors

Silver Sponsors

	config help if that's undesired. If you want to rebase/retry this PR, check this box This PR was generated by Mend Renovate. View the repository job log.

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@rspack/core@1.1.8	environment, eval, filesystem, network, shell, unsafe	+7	4.78 MB	hardfist
npm/@types/node@22.10.5	None	+1	2.37 MB	types
npm/bumpp@9.9.2	Transitive: environment, filesystem, network, shell	+59	7.24 MB	antfu
npm/esbuild@0.24.2	None	0	134 kB	esbuild, evanw
npm/eslint@9.17.0	environment Transitive: eval, filesystem, shell, unsafe	+84	10.7 MB	eslintbot
npm/fast-glob@3.3.3	filesystem	+17	506 kB	mrmlnc
npm/rolldown@1.0.0-beta.1-commit.c170008	environment, shell	+3	2.39 MB	rolldownbot
npm/rollup@4.30.0	None	+1	2.64 MB	eventualbuddha, lukastaegert, rich_harris, ...2 more
npm/vite@6.0.7	Transitive: environment, filesystem	+4	3.22 MB	antfu, patak, soda, ...2 more

🚮 Removed packages: npm/@rspack/core@1.1.6, npm/@types/node@22.10.2, npm/bumpp@9.9.0, npm/esbuild@0.24.0, npm/eslint@9.16.0, npm/fast-glob@3.3.2, npm/rolldown@0.15.0-snapshot-3cea4f5-20241211003613, npm/rollup@4.28.1, npm/vite@6.0.3

View full report↗︎