fix(deps): update all non-major dependencies

[renovate]

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/vite-plugin (source)	^1.12.3 -> ^1.13.3
@remix-run/node-fetch-server (source)	^0.8.0 -> ^0.9.0
@rolldown/pluginutils (source)	1.0.0-beta.35 -> 1.0.0-beta.38
@types/node (source)	^22.18.1 -> ^22.18.6
@types/react (source)	^19.1.12 -> ^19.1.13
eslint-plugin-n	^17.21.3 -> ^17.23.1
fs-extra	^11.3.1 -> ^11.3.2
globals	^16.3.0 -> ^16.4.0
magic-string	^0.30.18 -> ^0.30.19
pnpm (source)	10.15.1 -> 10.17.0
react-router (source)	7.8.2 -> 7.9.1
rolldown (source)	1.0.0-beta.35 -> 1.0.0-beta.38
tsdown	^0.14.2 -> ^0.15.2
typescript-eslint (source)	^8.42.0 -> ^8.44.0
vite (source)	^7.1.6 -> ^7.1.11
vite (source)	^7.1.4 -> ^7.1.6
vite (source)	^7.1.5 -> ^7.1.6
wrangler (source)	^4.34.0 -> ^4.38.0

---

Release Notes

cloudflare/workers-sdk (@​cloudflare/vite-plugin)

v1.13.3

Compare Source

Patch Changes

• #​10664 924fdde Thanks @​jamesopstad! - Avoid mutating the Worker config during build.

• Updated dependencies [b59e3e1, a4e2439, 1cc258e, f76da43, b30263e, b30263e, 769ffb1, e9b0c66, 6caf938, 88132bc]:

  • miniflare@​4.20250917.0
  • wrangler@​4.38.0
  • @​cloudflare/unenv-preset@​2.7.4

v1.13.2

Compare Source

Patch Changes

• #​10632 60631d5 Thanks @​jamesopstad! - Ensure that correct error messages and stack traces are displayed.

• Updated dependencies [3029b9a, 783afeb, 31ec996]:

  • wrangler@​4.37.1
  • miniflare@​4.20250913.0

v1.13.1

Compare Source

Patch Changes

• Updated dependencies [d53a0bc, 735785e, 15c34e2]:
  • wrangler@​4.37.0
  • miniflare@​4.20250906.2

v1.13.0

Compare Source

Minor Changes

• #​10212 0837a8d Thanks @​jamesopstad! - Support packages and virtual modules in the main field of the Worker config. The primary use case is to enable users to directly provide a file exported by a framework as the Worker entry module.

• #​10604 135e066 Thanks @​penalosa! - Enable Remote Bindings without the need for the experimental: { remoteBindings: true } property

Patch Changes

• Updated dependencies [0837a8d, da24079, ffa2600, 135e066, e2b838f, 30f558e, d8860ac, 336a75d, 51553ef]:
  • wrangler@​4.36.0
  • miniflare@​4.20250906.1

v1.12.4

Compare Source

Patch Changes

• #​10534 dceb550 Thanks @​dario-piotrowicz! - Ensure that preview config values are used for remote bindings

  Ensure that if in some remote binding configuration provides a preview value (e.g. preview_database_id for D1 bindings) such value gets used instead of the standard ones

• #​10552 3b78839 Thanks @​vicb! - Bump unenv to 2.0.0-rc.21

• Updated dependencies [dac302c, 4e49d3e, dceb550, 3b78839, 5cb806f]:

  • miniflare@​4.20250906.0
  • wrangler@​4.35.0
  • @​cloudflare/unenv-preset@​2.7.3

remix-run/remix (@​remix-run/node-fetch-server)

v0.9.0

Compare Source

• Support statusText in HTTP/1 responses (#​10745)

v0.8.1

Compare Source

• Only abort request.signal when the connection closes before the response completes (see #​10726)

rolldown/rolldown (@​rolldown/pluginutils)

v1.0.0-beta.38

Compare Source

💥 BREAKING CHANGES

• rolldown_plugin_oxc_runtime: embed helpers to support browser environment (#​6177) by @​shulaoda

🚀 Features

• rolldown: oxc v0.89.0 (#​6220) by @​Boshen
• rolldown_plugin_esm_external_require: add duplicate external detection (#​6202) by @​shulaoda
• cross module noop function optimization (#​6199) by @​IWANABETHATGUY
• support to specify scan_mode in bundler.scan (#​6204) by @​IWANABETHATGUY
• warn when transform options override tsconfig compiler options (#​6197) by @​shulaoda
• support false in resolve.alias to ignore resolution (#​6203) by @​shulaoda
• cli: remove getJsonSchema (#​6186) by @​shulaoda
• cli: add Node.js version warning for unsupported versions (#​6150) by @​Copilot
• rolldown_plugin_oxc_runtime: include version in virtual module paths (#​6179) by @​shulaoda
• add native react-refresh-wrapper plugin (#​6144) by @​sapphi-red
• rolldown_plugin_utils: add to_string_literal (#​6178) by @​sapphi-red
• improve error messages for builtin plugins (#​6175) by @​shulaoda
• indent module content in IIFE format (#​6174) by @​IWANABETHATGUY
• rolldown_error: improve N-API error handling logic (#​6171) by @​shulaoda
• rolldown_error: improve ByteLocator#byte_offset (#​6169) by @​shulaoda
• dev: skip writing to file (#​6148) by @​sapphi-red
• dev: add skip_write option (#​6151) by @​sapphi-red
• dev: ignore file metadata changes (#​6138) by @​sapphi-red
• dev: add PathsMut for debounced PollWatcher (#​6139) by @​sapphi-red
• dev: use PathsMut for debounced RecommendedWatcher (#​6137) by @​sapphi-red
• improve bundler initialization error handling (#​6132) by @​shulaoda

🐛 Bug Fixes

• rolldown_plugin_vite_resolve: correctly handle Windows drive paths with leading slash (#​6209) by @​shulaoda
• allow jsx.pragmaFrag instead of jsx.pragmaFlag (#​6200) by @​sapphi-red
• improve import-glob plugin error handling without panic (#​6106) by @​hikomoon
• Panic with "jsx": "preserve" when rewrite a memberExpression (#​6192) by @​IWANABETHATGUY
• rolldown_error: use byte_slice instead of slice for correct span handling (#​6185) by @​shulaoda
• generate valid identifier for export names with minifyInternalExports (#​6166) by @​sapphi-red
• useless __export helper usage (#​6160) by @​IWANABETHATGUY
• incremental watch modify entry module (#​6156) by @​IWANABETHATGUY
• register trace subscriber (#​6145) by @​sapphi-red
• json imports error with eval or arguments in strict mode (#​6140) by @​IWANABETHATGUY
• process is not defined in repl (#​6147) by @​IWANABETHATGUY

💼 Other

• rolldown: support to build rolldown with .wasm binding (#​6153) by @​hyf0
• rolldown: refactor build.ts to prepare to support build rolldown package with wasi binding (#​6152) by @​hyf0

🚜 Refactor

• share FlatOptions in whole build session (#​6211) by @​IWANABETHATGUY
• remove unnecessary comments in ScopeHoistingFinalizerContext (#​6205) by @​IWANABETHATGUY
• move external string/regex matching from JS to Rust (#​6201) by @​shulaoda
• rename cross_module_inline_const to cross_module_optimization (#​6193) by @​IWANABETHATGUY
• rename class and function visitor to class_decl, function_decl (#​6176) by @​IWANABETHATGUY
• rolldown_error: tweak code (#​6168) by @​shulaoda
• improve BuildDiagnostic (#​6165) by @​shulaoda
• improve RolldownBuild (#​6136) by @​shulaoda
• rolldown_error: remove unused EventKind::IoError (#​6134) by @​shulaoda
• rename CustomPathsMut to NotifyPathsMutAdapter and move to utils (#​6135) by @​hyf0

📚 Documentation

• contrib-guide: add profiling instructions for macOS (#​6183) by @​sapphi-red
• contrib-guide: update just commands (#​6181) by @​sapphi-red

⚡ Performance

• pre calculate side_effects_free_function_symbol_ref (#​6206) by @​IWANABETHATGUY
• parallel clone ast (#​6167) by @​IWANABETHATGUY
• reserve capacity for rendered modules in instantiate_chunk (#​6159) by @​sapphi-red

🧪 Testing

• hmr: ensure each test isolated to be able to be retryed (#​6142) by @​hyf0

⚙️ Miscellaneous Tasks

• deps: lock file maintenance npm packages (#​6219) by @​renovate[bot]
• deps: lock file maintenance rust crates (#​6217) by @​renovate[bot]
• deps: update github-actions (#​6213) by @​renovate[bot]
• deps: lock file maintenance npm packages (#​6215) by @​renovate[bot]
• deps: update github-actions (major) (#​6214) by @​renovate[bot]
• tweak wordings (#​6208) by @​iiio2
• fix unused import warnings (#​6196) by @​shulaoda
• correct deprecated JSDoc reference for jsx option (#​6195) by @​shulaoda
• add if: always() to wasi-test (#​6190) by @​sapphi-red
• skip @rolldown/browser build if no node related changes detected (#​6189) by @​sapphi-red
• extract wasi build to reusable workflow (#​6188) by @​sapphi-red
• deps: update dependency tsdown to v0.15.1 (#​6184) by @​renovate[bot]
• deps: update dependency rolldown-plugin-dts to v0.16.5 (#​6182) by @​renovate[bot]
• deps: update dependency rolldown-plugin-dts to v0.16.4 (#​6180) by @​renovate[bot]
• dev: implement Debug trait for DevOptions (#​6173) by @​sapphi-red
• deps: update dependency rolldown-plugin-dts to v0.16.3 (#​6172) by @​renovate[bot]
• update @​napi-rs/cli and js binding (#​6157) by @​Brooooooklyn
• ci: ensure @rolldown/browser build without errors (#​6155) by @​hyf0
• ci: ensure running wasi tests correctly (#​6154) by @​hyf0
• add more tracing instrumentation (#​6149) by @​sapphi-red
• extend timeout for rollup test (#​6143) by @​IWANABETHATGUY
• rolldown_error: remove unnecessary type_aliases.rs (#​6133) by @​shulaoda

v1.0.0-beta.37

Compare Source

🚀 Features

• partial align with const inline strategy with oxc in smart mode (#​6126) by @​IWANABETHATGUY
• dev: use PathsMut for non-debounced RecommendedWatcher (#​6120) by @​sapphi-red
• dev: return whether the build is already scheduled from scheduleBuildIfStale method (#​6116) by @​sapphi-red
• handle errors from BundlerBuilder#build (#​6104) by @​shulaoda
• add debounceTickRate option for debounced watchers (#​6113) by @​hyf0
• support full build in incrementalBuild mode (#​6098) by @​IWANABETHATGUY
• add compare_contents_for_polling option to dev watcher (#​6108) by @​hyf0
• dev: add scheduleBuildIfStale method to DevEngine (#​6087) by @​sapphi-red
• dev: return changed files in onHmrUpdates callback (#​6086) by @​sapphi-red
• support function config with custom CLI arguments (#​6076) by @​IWANABETHATGUY
• improve MISSING_EXPORT warning to suggest type modifier (#​6085) by @​sapphi-red
• crates/rolldown_watcher: introduce PathsMut to batch watch/unwatch behaviors (#​6075) by @​hyf0
• enable treeshake.commonjs by default (#​6072) by @​IWANABETHATGUY
• dev: add debounce control and PollWatcher support to DevWatchOptions (#​6070) by @​hyf0

🐛 Bug Fixes

• use kqueue for file watch on mac (#​6124) by @​sapphi-red
• use patched notify for better file change event debouncing (#​6125) by @​sapphi-red
• support passing all js primitive value for alias plugin (#​6123) by @​IWANABETHATGUY
• track spans in member expression properties for accurate sourcemaps (#​6100) by @​IWANABETHATGUY
• correctly handle inlined CommonJS exports in member expressions (#​6090) by @​IWANABETHATGUY
• dev: ensure patch file names to be unique (#​6096) by @​sapphi-red
• dev: normalize slash on Windows before comparing paths (#​6095) by @​sapphi-red
• dev/watch: debounce duration should default to 10 (#​6078) by @​hyf0

🚜 Refactor

• simplify __export runtime helper to create target object internally (#​6114) by @​IWANABETHATGUY
• simplify module_namespace construction second try (#​6118) by @​IWANABETHATGUY
• simplify module_namespace construction (#​5939) by @​IWANABETHATGUY
• optimize member expression creation in AstSnippet (#​6091) by @​IWANABETHATGUY
• test-dev-server: sensible watcher configuration for CI env (#​6077) by @​hyf0

🧪 Testing

• dev: apply HMR edits on Windows (#​6094) by @​sapphi-red

⚙️ Miscellaneous Tasks

• Revert "chore: adjust breaking change template of cliff (#​6069)" (#​6130) by @​IWANABETHATGUY
• test-dev-server: improve hmr test configuration (#​6115) by @​hyf0
• deps: update dependency rolldown-plugin-dts to v0.16.2 (#​6128) by @​renovate[bot]
• Revert "refactor: simplify module_namespace construction (#​5939)" (#​6117) by @​IWANABETHATGUY
• test-dev-server: optimize test log output (#​6107) by @​hyf0
• enable compare_contents_for_polling and update poll interval for CI test-dev-server (#​6110) by @​hyf0
• deps: update dependency vite to v7.1.5 [security] (#​6111) by @​renovate[bot]
• fix warnings reported by just lint (#​6105) by @​shulaoda
• deps: update dependency tsdown to v0.15.0 (#​6102) by @​renovate[bot]
• use debug builds for browser tests in CI (#​6092) by @​hyf0
• test-dev-server: update polling interval and add retry logic for CI tests (#​6088) by @​hyf0
• adjust breaking change template of cliff (#​6069) by @​IWANABETHATGUY

◀️ Revert

• "fix: replace_plugin does not work as expected with .ts config (#​5920)" (#​6074) by @​IWANABETHATGUY

v1.0.0-beta.36

Compare Source

💥 BREAKING CHANGES

• drop CJS format, increase minimum required node (#​6025) by @​sxzz

🚀 Features

• rolldown_plugin_reporter: statically imported dynamic import warning (#​6065) by @​shulaoda
• rolldown_plugin_reporter: warn large chunks (#​6063) by @​shulaoda
• rolldown: oxc v0.87.0 (#​5975) by @​Boshen

🐛 Bug Fixes

• allow keeping whitespace while enabling minify (#​5893) by @​sapphi-red
• dev/watch: build connection between file in this.addWatchFile and currently transformed module during transform hook (#​6048) by @​hyf0
• validator of output.minify (#​6062) by @​IWANABETHATGUY
• codspeed rust benchmark ci (#​6052) by @​IWANABETHATGUY
• just command in ci (#​6045) by @​IWANABETHATGUY
• watch: only consider files read from disk are able to watch (#​6037) by @​hyf0

🚜 Refactor

• dev: introduce DevWatchOptions for enhanced file watching configuration (#​6057) by @​hyf0
• unify to use is_in_node_modules from rolldown_plugin_utils (#​6066) by @​shulaoda

🧪 Testing

• rust: ensure unused pure function call got treeshaked (#​4524) by @​hyf0
• hmr: tweak improper test (#​6034) by @​hyf0
• hmr: add test of editing multiple files in the same timeframe (#​6029) by @​hyf0
• hmr: support to edit multiple files in the same timeframe (#​6014) by @​hyf0

⚙️ Miscellaneous Tasks

• deps: lock file maintenance rust crates (#​6003) by @​renovate[bot]
• deps: lock file maintenance npm packages (#​5995) by @​renovate[bot]
• add auto-assign PR workflow for organization members (#​6058) by @​IWANABETHATGUY
• fix benchmark-node workflow (#​6060) by @​IWANABETHATGUY
• adding test-node-rolldown-only just command (#​6055) by @​IWANABETHATGUY
• just commands in ci (#​6056) by @​IWANABETHATGUY
• run test ci when justfile is changed (#​6049) by @​IWANABETHATGUY
• remove unused warning for conditional compiledSimplifyMinifyOptions (#​6047) by @​IWANABETHATGUY
• remove auto approval ci (#​6051) by @​IWANABETHATGUY
• adding rustfmt components for repo-validation (#​6053) by @​IWANABETHATGUY
• repo: check format/style in just lint-rust (#​6050) by @​hyf0
• repo/ai: refine justfile (#​6038) by @​hyf0
• repo/ai: add AGENTS.md and CLAUDE.md (#​6039) by @​hyf0
• deps: update github-actions (major) (#​6041) by @​renovate[bot]
• deps: update github-actions (#​6040) by @​renovate[bot]
• deps: update dependency rolldown-plugin-dts to v0.16.1 (#​6035) by @​renovate[bot]

eslint-community/eslint-plugin-n (eslint-plugin-n)

v17.23.1

Compare Source

🩹 Fixes

• node-builtins-modules/tls.js: Update minimal version (#​484) (fe94432)

📚 Documentation

• improve clarity of no-missing-import and no-missing-require (#​455) (92ea876)

v17.23.0

Compare Source

🌟 Features

• Support latest node v23.x ✨ (#​478) (6516414)

v17.22.0

Compare Source

🌟 Features

• Add missing features from node 20.19.0 (#​473) (fd0c192)
• support latest node 22 (#​474) (0ab562b)

🩹 Fixes

• ci: bump markdowncli-lint version (#​468) (91a56d0)
• no-unsupported: URL.createObjectURL, URL.revokeObjectURL are supported (#​471) (844155c)

jprichardson/node-fs-extra (fs-extra)

v11.3.2

Compare Source

• Fix spurrious UnhandledPromiseRejectionWarning that could occur when calling .copy() in some cases (#​1056, #​1058)

sindresorhus/globals (globals)

v16.4.0

Compare Source

• Update globals (#​309) 8b8a2d6

---

rich-harris/magic-string (magic-string)

v0.30.19

Compare Source

Bug Fixes

• this.outro need to be mapped (#​300) (8852c8d)

Features

• replace(All) support replacement for functions when the first parameter is a string (#​304) (fd1d887)

pnpm/pnpm (pnpm)

v10.17.0

Compare Source

Minor Changes

• The minimumReleaseAgeExclude setting now supports patterns. For instance:

  minimumReleaseAge: 1440
  minimumReleaseAgeExclude:
    - "@​eslint/*"

  Related PR: #​9984.

Patch Changes

• Don't ignore the minimumReleaseAge check, when the package is requested by exact version and the packument is loaded from cache #​9978.
• When minimumReleaseAge is set and the active version under a dist-tag is not mature enough, do not downgrade to a prerelease version in case the original version wasn't a prerelease one #​9979.

v10.16.1

Compare Source

Patch Changes

• The full metadata cache should be stored not at the same location as the abbreviated metadata. This fixes a bug where pnpm was loading the abbreviated metadata from cache and couldn't find the "time" field as a result #​9963.
• Forcibly disable ANSI color codes when generating patch diff #​9914.

v10.16.0

Compare Source

Minor Changes

• There have been several incidents recently where popular packages were successfully attacked. To reduce the risk of installing a compromised version, we are introducing a new setting that delays the installation of newly released dependencies. In most cases, such attacks are discovered quickly and the malicious versions are removed from the registry within an hour.

  The new setting is called minimumReleaseAge. It specifies the number of minutes that must pass after a version is published before pnpm will install it. For example, setting minimumReleaseAge: 1440 ensures that only packages released at least one day ago can be installed.

  If you set minimumReleaseAge but need to disable this restriction for certain dependencies, you can list them under the minimumReleaseAgeExclude setting. For instance, with the following configuration pnpm will always install the latest version of webpack, regardless of its release time:

  minimumReleaseAgeExclude:
    - webpack

  Related issue: #​9921.

• Added support for finders #​9946.

  In the past, pnpm list and pnpm why could only search for dependencies by name (and optionally version). For example:

  pnpm why minimist
  

  prints the chain of dependencies to any installed instance of minimist:

  verdaccio 5.20.1
  ├─┬ handlebars 4.7.7
  │ └── minimist 1.2.8
  └─┬ mv 2.1.1
    └─┬ mkdirp 0.5.6
      └── minimist 1.2.8
  

  What if we want to search by other properties of a dependency, not just its name? For instance, find all packages that have react@17 in their peer dependencies?

  This is now possible with "finder functions". Finder functions can be declared in .pnpmfile.cjs and invoked with the --find-by=<function name> flag when running pnpm list or pnpm why.

  Let's say we want to find any dependencies that have React 17 in peer dependencies. We can add this finder to our .pnpmfile.cjs:

  module.exports = {
    finders: {
      react17: (ctx) => {
        return ctx.readManifest().peerDependencies?.react === "^17.0.0";
      },
    },
  };

  Now we can use this finder function by running:

  pnpm why --find-by=react17
  

  pnpm will find all dependencies that have this React in peer dependencies and print their exact locations in the dependency graph.

  @​apollo/client 4.0.4
  ├── @​graphql-typed-document-node/core 3.2.0
  └── graphql-tag 2.12.6
  

  It is also possible to print out some additional information in the output by returning a string from the finder. For example, with the following finder:

  module.exports = {
    finders: {
      react17: (ctx) => {
        const manifest = ctx.readManifest();
        if (manifest.peerDependencies?.react === "^17.0.0") {
          r

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[hi-ogawa]

Reported an issue for @cloudflare/vite-plugin in cloudflare/workers-sdk#10650