chore(deps): update devdependencies

[renovate]

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app being renamed to mend[bot].

This notice will be removed on 2025-10-07.

---

This PR contains the following updates:

Package	Change	Age	Confidence
@actions/cache (source)	4.0.3 -> 4.1.0
@babel/core (source)	7.28.0 -> 7.28.4
@octokit/core	7.0.2 -> 7.0.5
@octokit/plugin-paginate-rest	13.1.1 -> 13.2.0
@octokit/plugin-rest-endpoint-methods	16.0.0 -> 16.1.0
@swc/cli	0.7.7 -> 0.7.8
@swc/jest (source)	0.2.38 -> 0.2.39
@types/node (source)	22.17.2 -> 22.18.8
@types/semver (source)	7.7.0 -> 7.7.1
cspell (source)	9.1.3 -> 9.2.1
dprint	0.50.1 -> 0.50.2
fs-extra	11.3.0 -> 11.3.2
lefthook	1.11.16 -> 1.13.6
npm-check-updates	18.0.1 -> 18.3.1
rollup (source)	4.44.2 -> 4.52.3
tsx (source)	4.20.3 -> 4.20.6
turbo (source)	2.5.4 -> 2.5.8
typescript (source)	5.8.3 -> 5.9.3
vite (source)	6.3.5 -> 6.3.6
web-streams-polyfill	4.1.0 -> 4.2.0

---

Release Notes

actions/toolkit (@​actions/cache)

v4.1.0

• Remove client side 10GiB cache size limit check & update twirp client #​2118

v4.0.5

• Reintroduce @​protobuf-ts/runtime-rpc as a runtime dependency #​2113

v4.0.4

⚠️ Faulty patch release. Upgrade to 4.0.5 instead.

• Optimized cache dependencies by moving @protobuf-ts/plugin to dev dependencies #​2106
• Improved cache service availability determination for different cache service versions (v1 and v2) #​2100
• Enhanced server error handling: 5xx HTTP errors are now logged as errors instead of warnings #​2099
• Fixed cache hit logging to properly distinguish between exact key matches and restore key matches #​2101

babel/babel (@​babel/core)

v7.28.4

Compare Source

🏠 Internal

• babel-core, babel-helper-check-duplicate-nodes, babel-traverse, babel-types
  • #​17493 Update Jest to v30.1.1 (@​JLHwung)
• babel-plugin-transform-regenerator
  • #​17455 chore: Clean up transform-regenerator (@​liuxingbaoyu)
• babel-core
  • #​17474 Switch to @​jridgewell/remapping (@​mrginglymus)

v7.28.3

Compare Source

👓 Spec Compliance

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env
  • #​17443 [static blocks] Do not inject new static fields after static code (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-parser
  • #​17465 fix(parser/typescript): parse import("./a", {with:{},}) (@​easrng)
  • #​17478 fix(parser): stop subscript parsing on async arrow (@​JLHwung)

💅 Polish

• babel-plugin-transform-regenerator, babel-plugin-transform-runtime
  • #​17363 Do not save last yield in call in temp var (@​nicolo-ribaudo)

📝 Documentation

• #​17448 move eslint-{parser,plugin} docs to the website (@​JLHwung)

🏠 Internal

• #​17454 Enable type checking for scripts and babel-worker.cjs (@​JLHwung)

🔬 Output optimization

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions
  • #​17444 Optimize do expression output (@​JLHwung)

octokit/core.js (@​octokit/core)

v7.0.5

Compare Source

Bug Fixes

• deps: update octokit dependencies, and @​sinonjs/fake-timers (#​749) (14d23a1)

v7.0.4

Compare Source

Bug Fixes

• deps: update dependency @​octokit/types to v15 (#​748) (03b6c28)

v7.0.3

Compare Source

Bug Fixes

• add createLogger to ensure that pino does not break (#​744) (0896c50)

octokit/plugin-paginate-rest.js (@​octokit/plugin-paginate-rest)

v13.2.0

Compare Source

Features

• new Projects v2 endpoints, new code scanning dismissal endpoints, many other endpoints (#​690) (0e236cb)

octokit/plugin-rest-endpoint-methods.js (@​octokit/plugin-rest-endpoint-methods)

v16.1.0

Compare Source

Features

• new Projects v2 endpoints, new code scanning dismissal endpoints, many other endpoints (#​814) (0a8fdd9)

streetsidesoftware/cspell (cspell)

v9.2.1

Compare Source

Dictionary Updates

fix: Workflow Bot -- Update Dictionaries (main) (#​7795)

fix: Workflow Bot -- Update Dictionaries (main) (#​7795)

v9.2.0

Compare Source

refactor: Support url based cache entries (#​7639)

refactor: Support url based cache entries (#​7639)

---

Features

fix: Support remote dependencies in cache (#​7642)

fix: Support remote dependencies in cache (#​7642)

---

Fixes

fix: Remove `flat-cache` dependency (#​7636)

fix: Remove flat-cache dependency (#​7636)

flat-cache v6 is not compatible with the cspell cache. Since flat-cache was mostly a pass through to flatted, it was better to just replace it.

---

refactor: move towards caching URLs (#​7634)

refactor: move towards caching URLs (#​7634)

---

fix: Support async cache (#​7631)

fix: Support async cache (#​7631)

---

fix: Replace file-entry-cache (#​6579)

fix: Replace file-entry-cache (#​6579)

Deprecating the use of file-entry-cache.

v10 of file-entry-cache breaks the spell checker and bloats the cache size.

This PR is the first step in reducing the dependency upon file-entry-cache and its dependencies.

---

fix: Clean cspell-lib type exports (#​7615)

fix: Clean cspell-lib type exports (#​7615)

---

Dictionary Updates

fix: Workflow Bot -- Update Dictionaries (main) (#​7618)

fix: Workflow Bot -- Update Dictionaries (main) (#​7618)

v9.1.5

Compare Source

Fixes

fix: Compile before publish (#​7610)

fix: Compile before publish (#​7610)

---

dprint/dprint (dprint)

v0.50.2

Compare Source

Changes

• fix: upgrade wasmer to 6.1.0-rc.3 to fix build failure with Rust ≥ 1.89.0 (#​1021)
• fix: ignore empty proxy env (#​1014)

Install

Run dprint upgrade or see https://dprint.dev/install/

Checksums

Artifact	SHA-256 Checksum
dprint-x86_64-apple-darwin.zip	61becbf8d1b16540e364a4f00be704266ae322ee0ff3ba66a4a21033f66a8d55
dprint-aarch64-apple-darwin.zip	f534bcc054947ab2a42c069b5f6027914d252729bd15c1109812313b35a662a5
dprint-x86_64-pc-windows-msvc.zip	2dbdb57106818acd930a00bc0c2c33370bd4c7265f78a6cda000e3621f2d3c1c
dprint-x86_64-pc-windows-msvc-installer.exe	0b2dab815dd68501b7418831157a907a4db89b84b623a71c1deb486a08244b83
dprint-x86_64-unknown-linux-gnu.zip	95c7e633a67531ffc4990c152d59ed0802e1c0caf7e27e424e9cea9ef3d499d4
dprint-x86_64-unknown-linux-musl.zip	4b0e7911262049ccb8e1ac5968bf7a66dc490968fe1552a123bb2d6dadf2ad95
dprint-aarch64-unknown-linux-gnu.zip	039d4dca4360cb6622a2b56c3fc29ea71c356cd954e0b9566bff1a70e75beda8
dprint-aarch64-unknown-linux-musl.zip	a4982964a68aefc2720b4c79c51a57e49b32f8944c1641fd9e714503fcf01847
dprint-riscv64gc-unknown-linux-gnu.zip	6918c45b0070da1da137fa328c7ca82133c6ab0b49a651fa53513305611fe3a8

jprichardson/node-fs-extra (fs-extra)

v11.3.2

Compare Source

• Fix spurrious UnhandledPromiseRejectionWarning that could occur when calling .copy() in some cases (#​1056, #​1058)

v11.3.1

Compare Source

• Fix case where move/moveSync could incorrectly think files are identical on Windows (#​1050)

evilmartians/lefthook (lefthook)

v1.13.6

Compare Source

• fix: embed jsonschema into binary (#​1158) by @​mrexox

v1.13.5

Compare Source

• chore: a small cleanup by @​mrexox
• refactor: use semver to check versions (#​1152) by @​mrexox
• fix: add comprehensive tests for spinner name formatting (#​1145) @​technicalpickles
• docs: add LEFTHOOK_BIN environment variable to documentation (#​1151) @​technicalpickles
• chore: tests improvements (#​1148) by @​mrexox
• chore: fix naming for integration tests (#​1146) by @​mrexox
• docs: use codecov coverage badge by @​mrexox
• ci: codecov (#​1147) by @​mrexox
• docs: use actual latest version (#​1143) by @​mrexox
• docs: add exclude to hook-level settings by @​mrexox

v1.13.4

Compare Source

• fix: add exclude option to hook level (#​1141) by @​mrexox
• fix: allow skipping groups (#​1140) by @​mrexox

v1.13.3

Compare Source

• deps: September 2025 (#​1139) by @​mrexox
• fix: concurrent map access issue (#​1138) by @​mrexox

v1.13.2

Compare Source

• feat: inherit file_types from parent jobs (#​1135) by @​mrexox
• fix: move gen at root (#​1133) by @​mrexox
• refactor: better scope subpackages (#​1132) by @​mrexox

v1.13.1

Compare Source

• feat: add no stage fixed argument (#​1130) by @​mrexox
• refactor: reduce the amount of code in a single file (#​1131) by @​mrexox
• fix: re-evaluate status for changeset (#​1129) by @​mrexox
• refactor: reduce the amount of code in a single file (#​1118) by @​mrexox
• chore: update issue templates by @​mrexox
• docs: add fail_on_changes to configuration/README.md (#​1119) by @​7crabs
• docs: update go installation note (#​1117) by @​leakedmemory

v1.13.0

Compare Source

• fix: use batched cmd for calculating git hashes (#​1116) by @​mrexox
• fix: add mutex to prevent concurrent git adds (#​1115) by @​mrexox
• refactor: improve structuring (#​1103) by @​mrexox
• feat: fail on change (#​1095) by @​olivier-lacroix
• fix: set --force for git add command (#​1104) by @​michaelm
• feat: recursively log successful results in summary (#​1108) by @​siler
• fix: groups with successes and skips are successful (#​1107) by @​siler

v1.12.4

Compare Source

• deps: September 2025 (#​1102) by @​mrexox
• feat: add tags argument (#​1101) by @​mrexox
• chore: bump github.com/go-viper/mapstructure/v2 (#​1094)

v1.12.3

Compare Source

• feat: add MIME types to file_types filters (#​1092)
• fix: respect LEFTHOOK_CONFIG in lefthook install (#​1090) by @​TECHNOFAB11
• docs: update pnpm installation note (#​1089) by @​skoch13
• docs: improve wording of run, files, and files-global config descriptions, document that the sh shell is used (#​1086) by @​ItsHarper
• docs: 404 for local-config (#​1082) by @​rammanoj
• docs: fix typo (#​1079) by @​eai04191

v1.12.2

Compare Source

• feat: add implicit template lefthook_job_name (#​1074)
• docs: restructure documentation (#​1075) by @​mrexox
• feat: allow overriding config path using LEFTHOOK_CONFIG env (#​1072) by @​TECHNOFAB11

v1.12.1

Compare Source

• feat: add check-install command (#​1064) by @​mrexox
• chore: only check if local configs exist by @​mrexox
• feat: allow using local config only (#​1071) by @​sj26

v1.12.0

Compare Source

• feat: allow installing only specific hooks (#​1069)
• refactor: [breaking] restructure files and folders, remove deprecated options (#​1067)

raineorshine/npm-check-updates (npm-check-updates)

v18.3.1

Compare Source

v18.3.0

Compare Source

v18.2.1

Compare Source

v18.2.0

Compare Source

Thanks to community members for raising awareness and to @​SebastianSedzik for the implementation.

See: #​1547

Feature: --cooldown

Usage:

ncu --cooldown [n]
ncu -c [n]

The cooldown option helps protect against supply chain attacks by requiring package versions to be published at least the given number of days before considering them for upgrade.

Note that previous stable versions will not be suggested. The package will be completely ignored if its latest published version is within the cooldown period. This is due to a limitation of the npm registry, which does not provide a way to query previous stable versions.

Example:

Let's examine how cooldown works with a package that has these versions available:

1.0.0          Released 7 days ago    (initial version)
1.1.0          Released 6 days ago    (minor update)
1.1.1          Released 5 days ago    (patch update)
1.2.0          Released 5 days ago    (minor update)
2.0.0-beta.1   Released 5 days ago    (beta release)
1.2.1          Released 4 days ago    (patch update)
1.3.0          Released 4 days ago    (minor update) [latest]
2.0.0-beta.2   Released 3 days ago    (beta release)
2.0.0-beta.3   Released 2 days ago    (beta release) [beta]

With default target (latest):

$ ncu --cooldown 5

No update will be suggested because:

• Latest version (1.3.0) is only 4 days old.
• Cooldown requires versions to be at least 5 days old
• Use --cooldown 4 or lower to allow this update

With @beta/@tag target:

$ ncu --cooldown 3 --target @​beta

No update will be suggested because:

• Current beta (2.0.0-beta.3) is only 2 days old
• Cooldown requires versions to be at least 3 days old
• Use --cooldown 2 or lower to allow this update

With other targets:

$ ncu --cooldown 5 --target greatest|newest|minor|patch|semver

Each target will select the best version that is at least 5 days old:

greatest → 1.2.0        (highest version number outside cooldown)
newest   → 2.0.0-beta.1 (most recently published version outside cooldown)
minor    → 1.2.0        (highest minor version outside cooldown)
patch    → 1.1.1        (highest patch version outside cooldown)

Note for latest/tag targets:

⚠️ For packages that update frequently (e.g. daily releases), using a long cooldown period (7+ days) with the default --target latest or --target @​tag may prevent all updates since new versions will be published before older ones meet the cooldown requirement. Please consider this when setting your cooldown period.

v18.1.1

Compare Source

v18.1.0

Compare Source

v18.0.3

Compare Source

v18.0.2

Compare Source

rollup/rollup (rollup)

v4.52.3

Compare Source

2025-09-27

Bug Fixes

• Fix check in native loader for environments that do not support reports (#​6123)

Pull Requests

• #​6123: fix(native-loader): safely handle report.getReport() on Termux/Android (@​Jobians, @​lukastaegert)
• #​6124: chore(deps): pin msys2/setup-msys2 action to fb197b7 (@​renovate[bot])
• #​6125: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #​6126: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])

v4.52.2

Compare Source

2025-09-23

Bug Fixes

• Fix Android build crashing due to failed dlopen (#​6109)

Pull Requests

• #​6109: fix(rust): use prebuilt std when it is available (@​cyyynthia)

v4.52.1

Compare Source

2025-09-23

Bug Fixes

• Opt-out of dynamic import optimization when using top-level await to effectively prevent deadlocks (#​6121)

Pull Requests

• #​6121: Simplify top-level await deadlock prevention (@​lukastaegert)

v4.52.0

Compare Source

2025-09-19

Features

• Add option output.onlyExplicitManualChunks to turn off merging additional dependencies into manual chunks (#​6087)
• Add support for x86_64-pc-windows-gnu platform (#​6110)

Pull Requests

• #​6087: fix: manualChunks and non manualChunks shared dependencies are merged with the first manualChunk encountered alphabetically (@​maiieul)
• #​6110: Add support x86_64-pc-windows-gnu (@​lsq, @​lukastaegert)
• #​6118: Automatically remove REPL artefacts label from PRs (@​lukastaegert)

v4.51.0

Compare Source

2025-09-19

Features

• Support ROLLUP_FILE_URL_OBJ placeholder to inject file URLs into the generated code (#​6108)

Bug Fixes

• Improve OpenHarmony build to work in more situations (#​6115)

Pull Requests

• #​6108: feat: support ROLLUP_FILE_URL_OBJ for URL object instead of string (@​guybedford, @​lukastaegert)
• #​6112: Disable Cargo cache for Android (@​lukastaegert)
• #​6113: fix(deps): update rust crate swc_compiler_base to v35 (@​renovate[bot])
• #​6114: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #​6115: Disable local_dynamic_tls for OpenHarmony (@​hqzing)
• #​6116: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #​6117: chore(deps): lock file maintenance (@​renovate[bot])

v4.50.2

Compare Source

2025-09-15

Bug Fixes

• Resolve an issue where unused destructured array pattern declarations would conflict with included variables (#​6100)

Pull Requests

• #​6100: Tree-shake un-included elements in array pattern (@​TrickyPi)
• #​6102: chore(deps): update actions/setup-node action to v5 (@​renovate[bot])
• #​6103: chore(deps): update dependency eslint-plugin-unicorn to v61 (@​renovate[bot])
• #​6104: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #​6105: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #​6107: Improve CI stability (@​lukastaegert)

v4.50.1

Compare Source

2025-09-07

Bug Fixes

• Resolve a situation where a destructuring default value was removed (#​6090)

Pull Requests

• #​6088: feat(www): shorter repl shareables (@​cyyynthia, @​lukastaegert)
• #​6090: Call includeNode for self or children nodes in includeDestructuredIfNecessary (@​TrickyPi)
• #​6091: fix(deps): update rust crate swc_compiler_base to v33 (@​renovate[bot])
• #​6092: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #​6094: perf: replace startsWith with strict equality (@​btea)

v4.50.0

Compare Source

2025-08-31

Features

• Support openharmony-arm64 platform (#​6081)

Bug Fixes

• Fix loading of extensionless imports in config files (#​6084)

Pull Requests

• #​6081: Add support for openharmony-arm64 platform (@​hqzing, @​lukastaegert)
• #​6084: Return null to defer to the default resolution behavior (@​TrickyPi)

v4.49.0

Compare Source

2025-08-27

Features

• Allow config plugins to resolve imports first before deciding whether to treat them as external (#​6038)

Pull Requests

• #​6038: feat: Run external check in cli/run/loadConfigFile.ts as last in order to allow handling of e.g. workspace package imports in TS monorepos correctly (@​stazz, @​TrickyPi)
• #​6082: Improve build pipeline performance (@​lukastaegert)

v4.48.1

Compare Source

2025-08-25

Bug Fixes

• Correctly ignore white-space in JSX strings around line-breaks (#​6051)

Pull Requests

• #​6051: fix: handle whitespace according to JSX common practice (@​cyyynthia)
• #​6078: build: optimize pipeline take two (@​cyyynthia)

v4.48.0

Compare Source

2025-08-23

Features

• If configured, also keep unparseable import attributes of external dynamic imports in the output(#​6071)

Bug Fixes

• Ensure variables referenced in non-removed import attributes are included (#​6071)

Pull Requests

• #​6071: Keep attributes for external dynamic imports (@​TrickyPi)
• #​6079: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #​6080: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])

v4.47.1

Compare Source

2025-08-21

Bug Fixes

• Revert build process changes to investigate issues (#​6077)

Pull Requests

• #​6077: Revert "build: aggressively optimize wasm build, improve pipeline (#​6053)" (@​lukastaegert)

v4.47.0

Compare Source

2025-08-21

Features

• Aggressively reduce WASM build size (#​6053)

Bug Fixes

• Fix illegal instruction error on Android ARM platforms (#​6072)
• Allow to pass explicit undefined for optional fields in Rollup types (#​6061)

Pull Requests

• #​6053: build: aggressively optimize wasm build, improve pipeline (@​cyyynthia)
• #​6061: fix(types): add support for exactOptionalPropertyTypes (@​remcohaszing, @​lukastaegert)
• #​6072: build(rust): mimalloc-safe/no_opt_arch on aarch64 (@​cyyynthia)

v4.46.4

Compare Source

2025-08-20

Bug Fixes

• Do not omit synthetic namespaces when only accessed via in operator (#​6052)

Pull Requests

• #​6052: fix: don't optimize in with syntheticNamedExports (@​hi-ogawa)
• #​6074: Update transitive dependency to fix audit (@​lukastaegert)

v4.46.3

Compare Source

2025-08-18

Bug Fixes

• Resolve illegal instruction error on arm64 architectures (#​6055)
• Resolve sourcemap generation performance regression (#​6057)

Pull Requests

• #​6043: Avoid generated by comment diff on Windows (@​sapphi-red)
• #​6048: chore(deps): update dependency cross-env to v10 (@​renovate[bot], @​lukastaegert)
• #​6049: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #​6055: Fix illegal instruction error on arm64 by enabling no_opt_arch feature for mimalloc-safe (@​sapphi-red)
• #​6057: fix: tweak the fallback logic for tracing segment (@​TrickyPi, @​lukastaegert)
• #​6062: docs: update Rust toolchain instructions (@​situ2001, @​lukastaegert)
• #​6063: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #​6067: chore(deps): update actions/checkout action to v5 (@​renovate[bot], @​lukastaegert)
• #​6068: chore(deps): update actions/download-artifact action to v5 (@​renovate[bot])
• #​6069: fix(deps): update rust crate swc_compiler_base to v31 (@​renovate[bot], @​lukastaegert)

v4.46.2

Compare Source

2025-07-29

Bug Fixes

• Fix in-operator handling for external namespace and when the left side cannot be analyzed (#​6041)

Pull Requests

• #​6041: Correct the logic of include in BinaryExpression and don't optimize external references away (@​TrickyPi, @​cyyynthia, @​lukastaegert)

v4.46.1

Compare Source

2025-07-28

Bug Fixes

• Do not fail when using the in operator on external namespaces (#​6036)

Pull Requests

• #​6036: disables optimization for external namespace when using the in operator (@​TrickyPi)

v4.46.0

[Compare Source](https://redirect.github.com/ro

---

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.