chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@anthropic-ai/sdk	^0.71.0 → ^0.78.0			pnpm.catalog.ai	minor
@modelcontextprotocol/inspector	^0.19.0 → ^0.21.0			pnpm.catalog.ai	minor
@tmcp/transport-in-memory (source)	^0.0.5 → ^0.0.6			pnpm.catalog.tmcp	patch
actions/setup-node	v6.2.0 → v6.3.0			action	minor
changesets/action	v1.6.0 → v1.7.0			action	minor
pnpm (source)	10.28.2 → 10.32.0			packageManager	minor
pnpm (source)	10.28.2 → 10.32.0			uses-with	minor
tsdown (source)	^0.20.0 → ^0.21.0			pnpm.catalog.tooling	minor

---

Release Notes

anthropics/anthropic-sdk-typescript (@​anthropic-ai/sdk)

v0.78.0

Full Changelog: sdk-v0.77.0...sdk-v0.78.0

Features

• api: Add top-level cache control (automatic caching) (1e2f83d)

Bug Fixes

• bedrock: eliminate race condition in AWS credential resolution (#​901) (e5a101d)
• client: format batches test file (821e9bf)
• tests: fix issue in batches test (5f4ccf8)

Chores

• update mock server docs (25d337f)

v0.77.0

Full Changelog: sdk-v0.76.0...sdk-v0.77.0

Features

• api: fix shared UserLocation and error code types (c84038f)

Bug Fixes

• add backward-compat namespace re-exports for UserLocation (#​706) (b88834f)

v0.76.0

Full Changelog: sdk-v0.75.0...sdk-v0.76.0

Features

• api: manual updates (25fe41c)

v0.75.0

Full Changelog: sdk-v0.74.0...sdk-v0.75.0

Features

• api: Releasing claude-sonnet-4-6 (d75e1c0)

Bug Fixes

• api: fix spec errors (aa99e46)
• tests: fix erroneous speed tests (#​699) (fcac1ca)

Chores

• internal/client: fix form-urlencoded requests (cba82b4)
• internal: avoid type checking errors with ts-reset (c723296)
• readme: change badge color to blue (3f7e788)

v0.74.0

Full Changelog: sdk-v0.73.0...sdk-v0.74.0

Features

• api: enabling fast-mode in claude-opus-4-6 (e337981)

v0.73.0

Full Changelog: sdk-v0.72.1...sdk-v0.73.0

Features

• api: Release Claude Opus 4.6, adaptive thinking, and other features (f741f92)

Bug Fixes

• client: avoid memory leak in abort signal listener (#​895) (3bdd153)
• client: avoid memory leak with abort signals (53e47df)
• client: avoid removing abort listener too early (cd6e832)

Chores

• client: do not parse responses with empty content-length (2be2df9)
• client: restructure abort controller binding (0eeacb6)
• internal: fix pagination internals not accepting option promises (7c23a3f)
• remove claude-code-review workflow (#​644) (ad09c76)

v0.72.1

Full Changelog: sdk-v0.72.0...sdk-v0.72.1

Bug Fixes

• client: remove OutputFormat exports from index.ts (bf2cf08)

v0.72.0

Full Changelog: sdk-v0.71.2...sdk-v0.72.0

Features

• api: add support for Structured Outputs in the Messages API (eeb7fab)
• api: migrate sending message format in output_config rather than output_format (99f4066)
• ci: add breaking change detection workflow (b181568)
• client: migrate structured output format (#​625) (abcdddc)
• helpers: add MCP SDK helper functions (#​610) (b6c3963)

Bug Fixes

• mcp: correct code tool API endpoint (4bd6ad6)
• mcp: return correct lines on typescript errors (c425959)

Chores

• break long lines in snippets into multiline (2c44e2d)
• ci: Add Claude Code GitHub Workflow (#​612) (28a9a00)
• ci: fix multi package publishing (b9e3ab9)
• ci: upgrade actions/github-script (ff9dd44)
• internal: codegen related update (754de58)
• internal: codegen related update (cb411e4)
• internal: update actions/checkout version (c0057be)
• internal: upgrade babel, qs, js-yaml (494d9ed)
• internal: version bump (24ecc83)
• tests: remove extraneous header test (076a87c)

Documentation

• tool use documentation link (#​873) (664cdd6)
• update import paths for beta helpers (#​834) (d08fd40)
• update README with Claude branding (#​611) (2a9a5f7)

paoloricciuti/tmcp (@​tmcp/transport-in-memory)

v0.0.6

Compare Source

Patch Changes

• 475a408: fix: initialize ctx.sessionInfo with info from request on initialize

actions/setup-node (actions/setup-node)

v6.3.0

Compare Source

What's Changed

Enhancements:

• Support parsing devEngines field by @​susnux in #​1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

• Fix npm audit issues by @​gowridurgad in #​1491
• Replace uuid with crypto.randomUUID() by @​trivikr in #​1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​1498

Bug fixes:

• Remove hardcoded bearer for mirror-url @​marco-ippolito in #​1467
• Scope test lockfiles by package manager and update cache tests by @​gowridurgad in #​1495

New Contributors

• @​susnux made their first contribution in #​1283

Full Changelog: actions/setup-node@v6...v6.3.0

changesets/action (changesets/action)

v1.7.0

Compare Source

Minor Changes

• #​564 935fe87 Thanks @​Andarist! - Automatically use the GitHub-provided token to allow most users to avoid explicit GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} configuration.

Patch Changes

• #​545 54220dd Thanks @​ryanbas21! - The .npmrc generation now intelligently handles both traditional NPM token authentication and trusted publishing scenarios by only appending the auth token when NPM_TOKEN is defined. This prevents 'undefined' from being written to the registry configuration when using OIDC tokens from GitHub Actions trusted publishing.

• #​563 6af4a7e Thanks @​Andarist! - Don't error on already committed symlinks and executables that stay untouched

pnpm/pnpm (pnpm)

v10.32.0: pnpm 10.32

Compare Source

Minor Changes

• Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #​10136.

Patch Changes

• Reverted change related to setting explicitly the npm config file path, which caused regressions.
• Reverted fix related to lockfile-include-tarball-url. Fixes #​10915.

Platinum Sponsors

Gold Sponsors

v10.31.0

Compare Source

v10.30.3

Compare Source

v10.30.2

Compare Source

v10.30.1: pnpm 10.30.1

Compare Source

Patch Changes

• Use the /-/npm/v1/security/audits/quick endpoint as the primary audit endpoint, falling back to /-/npm/v1/security/audits when it fails #​10649.

Platinum Sponsors

Gold Sponsors

v10.30.0: pnpm 10.30

Compare Source

Minor Changes

• pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.

Patch Changes

• Revert pnpm why dependency pruning to prefer correctness over memory consumption. Reverted PR: #​7122.
• Optimize pnpm why and pnpm list performance in workspaces with many importers by sharing the dependency graph and materialization cache across all importers instead of rebuilding them independently for each one #​10596.

Platinum Sponsors

Gold Sponsors

v10.29.3

Compare Source

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

rolldown/tsdown (tsdown)

v0.21.1

Compare Source

   🚨 Breaking Changes

• css: Move all CSS support to @tsdown/css package  -  by @​sxzz in #​809 (1b1a1)

[!IMPORTANT]
If you are using CSS features (e.g., CSS imports), you now need to manually install the @tsdown/css package:

npm install @​tsdown/css -D
# or
pnpm add @​tsdown/css -D

Note: CSS support is still an experimental feature and does not follow SemVer. Breaking changes may occur in any release.

   🚀 Features

• css:
  • Add css.inject option to preserve CSS imports in JS output  -  by @​sxzz and Claude Haiku 4.5 in #​808 (ad745)
  • Support ?inline query for CSS imports  -  by @​sxzz in #​810 (b7379)
  • Support node_modules package resolution  -  by @​sxzz and Claude Haiku 4.5 in #​812 (b06b4)

   🐞 Bug Fixes

• Generate correct filename for sass files when dts is enabled  -  by @​ocavue in #​802 (848a7)
• css:
  • Handle virtual module IDs from framework plugins  -  by @​sxzz (c421f)
  • Ignore css imports with URL query  -  by @​ocavue and @​sxzz in #​806 (c1d23)

    View changes on GitHub

v0.21.0

Compare Source

v0.21.0 - Notable Changes

Breaking Changes

Dependency options renamed to deps namespace

The dependency-related options have been moved under a new deps namespace with clearer names:

• external -> deps.neverBundle
• noExternal -> deps.alwaysBundle
• inlineOnly -> deps.onlyAllowBundle
• skipNodeModulesBundle -> deps.skipNodeModulesBundle

Before:

export default defineConfig({
  external: ['vue'],
  noExternal: ['lodash'],
})

After:

export default defineConfig({
  deps: {
    neverBundle: ['vue'],
    alwaysBundle: ['lodash'],
  },
})

The old options still work but are deprecated and will emit warnings.

failOnWarn default changed from 'ci-only' to false

If you relied on the previous behavior where warnings would fail the build in CI environments, you now need to explicitly set failOnWarn: true or failOnWarn: 'ci-only' in your config.

Node.js < 22.18.0 deprecated

tsdown now emits a deprecation warning when running on Node.js versions below 22.18.0. Plan to upgrade your Node.js version accordingly.

New Features

Experimental Node.js SEA executable bundling (exe)

tsdown can now bundle your TypeScript project into a standalone executable using Node.js Single Executable Applications (SEA). A new @tsdown/exe package provides cross-platform executable building support. See the exe documentation for details.

export default defineConfig({
  exe: true, // or { useCodeCache: true, useSnapshot: true }
})

Full CSS pipeline with @tsdown/css

CSS handling has been reimplemented as a native Rolldown plugin and extracted into the @tsdown/css package, providing a complete CSS pipeline with Lightning CSS and PostCSS support via the css.transformer option. See the CSS documentation for details.

inlinedDependencies field in package.json

When using the exports feature, tsdown now auto-generates an inlinedDependencies field in your package.json, listing dependencies that are bundled into the output.

Object option for customExports

customExports now supports an object format for more fine-grained control over the generated exports field.

Migration Guide

1. Update dependency options: Rename external -> deps.neverBundle, noExternal -> deps.alwaysBundle, etc.
2. Check failOnWarn: If you need warnings to fail the build in CI, explicitly set failOnWarn: 'ci-only' or failOnWarn: true.
3. Upgrade Node.js: Ensure you're running Node.js >= 22.18.0 to avoid deprecation warnings.

Links

• tsdown Documentation
• v0.21.0-beta.1 Release
• v0.21.0-beta.2 Release
• v0.21.0-beta.3 Release
• v0.21.0-beta.4 Release
• v0.21.0-beta.5 Release
• Full diff from v0.20.3

---

   🚨 Breaking Changes

• Change failOnWarn default from 'ci-only' to false  -  by @​sxzz (ad8db)
• exe: Require Node >=25.7 and default format to esm  -  by @​sxzz in #​798 (0173c)

   🚀 Features

• Rename dependency options to deps namespace  -  by @​sxzz (7f509)
• Upgrade rolldown  -  by @​sxzz (7a528)
• Deprecate Node.js versions below 22.18.0  -  by @​sxzz (439f1)
• Support bundling .node files by default  -  by @​sxzz (944e9)
• css:
  • Implement full CSS pipeline as Rolldown plugin  -  by @​sxzz in #​787 (dbe3c)
  • Extract CSS pipeline into @tsdown/css package  -  by @​sxzz in #​790 (e4cbe)
  • Add PostCSS support with css.transformer option  -  by @​sxzz in #​791 (35bef)
  • Default css.transformer to lightningcss  -  by @​sxzz in #​797 (288a5)
• exe:
  • Add experimental Node.js SEA executable bundling  -  by @​sxzz in #​777 (418d5)
  • Add cross-platform executable building via @tsdown/exe  -  by @​sxzz in #​786 (b6833)
  • Support latest and latest-lts for nodeVersion  -  by @​sxzz (ce7ab)
• exports:
  • Support object option for customExports  -  by @​Joery-M and @​sxzz in #​769 (7fb72)
  • Add inlinedDependencies field to package.json  -  by @​sxzz in #​785 (5c71f)
• migrate:
  • Migrate external/noExternal to deps namespace  -  by @​sxzz (c59e7)

   🐞 Bug Fixes

• Apply failOnWarn to rolldown logs  -  by @​sxzz (149dc)
• Debounce onSuccess in watch mode to prevent duplicate execution  -  by @​sxzz (af748)
• Don't fail on PLUGIN_TIMINGS warnings when failOnWarn is enabled  -  by @​sxzz (9872a)
• Resolve css files in node_modules  -  by @​ocavue, @​sxzz and Rei in #​795 (d8a1f)
• config: Handle known Node.js bug in nativeImport error handling  -  by @​sxzz (e4230)
• copy: Don't warn if no files specified  -  by @​adamlohner, @​cursoragent and @​sxzz in #​780 (afaab)
• css: Remove empty js chunks  -  by @​ocavue and @​sxzz in #​799 (1183a)
• exe: Use runtime semver check for ESM SEA default format  -  by @​sxzz (5321c)
• exports: Include non-entry chunks in exports when all is true  -  by @​sxzz (79492)
• hooks: Set cwd for onSuccess  -  by @​sxzz (c114a)
• node-protocol: Respect alias and tsconfig paths when stripping node: prefix  -  by @​lazuee in #​773 (b1dd2)
• watch: Re-glob entry files on create/delete events  -  by @​sxzz (a1969)

    View changes on GitHub

v0.20.3

Compare Source

   🐞 Bug Fixes

• package: Ignore scripts when packing  -  by @​sxzz (0b10b)

    View changes on GitHub

v0.20.2

Compare Source

   🚀 Features

• Upgrade rolldown to 1.0.0-rc.3  -  by @​sxzz (0beea)
• dep: Keep inlineOnly clean with hint message on unused  -  by @​jycouet and @​sxzz in #​725 (13f1c)
• pkg: Optimize attw and publint packing  -  by @​sxzz in #​736 (375cf)

   🐞 Bug Fixes

• Throw error when skipNodeModulesBundle and noExternal are used together  -  by @​sxzz in #​746 (656d5)
• External type only packages @types/*  -  by @​kalvenschraut (0be7c)
• exports: Move import before require  -  by @​sxzz (3027a)

    View changes on GitHub

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
mcp	Ready	Preview, Comment	Mar 9, 2026 10:05pm

[changeset-bot]

⚠️ No Changeset found

Latest commit: f5a9fd6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@sveltejs/mcp@150

npm i https://pkg.pr.new/@sveltejs/opencode@150

commit: 33215d3