chore(deps): update all non-major dependencies by renovate[bot] · Pull Request #39 · unplugin/unplugin-lightningcss

renovate · 2025-12-29T02:10:12Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@typescript/native-preview (source)	`7.0.0-dev.20260122.3` → `7.0.0-dev.20260512.1`
pnpm (source)	`11.0.9` → `11.1.0`
tsdown (source)	`^0.20.0` → `^0.22.0`
tsdown-preset-sxzz	`^0.3.1` → `^0.6.0`

Release Notes

microsoft/typescript-go (@typescript/native-preview)

pnpm/pnpm (pnpm)

`v11.1.0`

Compare Source

Minor Changes

Added pnpm audit signatures to verify ECDSA registry signatures for installed packages against keys from /-/npm/v1/keys #7909. Scoped registries are respected, and registries without signing keys are skipped.
Added support for installing packages from the GitHub Packages npm registry via a built-in gh: prefix (e.g. pnpm add gh:@acme/private), and, more broadly, for arbitrary named registries in the style of vlt's named-registry aliases. Authentication is picked up from the existing per-URL .npmrc entries (e.g. //npm.pkg.github.com/:_authToken=...), so no separate auth mechanism is required.

Additional aliases — or an override for the built-in gh alias, for GitHub Enterprise Server — can be configured under namedRegistries in pnpm-workspace.yaml:
```
namedRegistries:
  gh: https://npm.pkg.github.example.com/
  work: https://npm.work.example.com/
```
With this, work:@corp/lib@^2.0.0 resolves against https://npm.work.example.com/. #8941.
Allow setting sbom spec version using --sbom-spec-version #11389.
Add --no-runtime flag (config: runtime=false) to skip installing runtime entries (e.g. Node.js downloaded via devEngines.runtime) without modifying the lockfile. The lockfile keeps the runtime entry so frozen-lockfile validation still passes; only the runtime fetch and .bin linking are skipped. Useful in CI matrices where the runtime is provisioned externally (e.g. via pnpm runtime -g set node <version>) before pnpm install runs.
Added the pnpm bugs command that opens a package's bug tracker URL in the browser. With no arguments, it reads the current project's package.json; with one or more package names, it fetches each package's metadata from the registry and opens its bug tracker. Falls back to <repository>/issues when the bugs field is missing #11279.
Added pnpm owner command to manage package owners on the registry.

Patch Changes

Added "published X ago by Y" information to the pnpm view command output, similar to npm view. This is useful when comparing against minimumReleaseAge.

For example, pnpm view pnpm now shows:
```
published 17 hours ago by GitHub Actions
```
pnpm publish now honors the configured HTTP/HTTPS proxy (including https_proxy/http_proxy/no_proxy environment variables) when polling the registry's doneUrl during the web-based authentication flow. Previously the poll bypassed the proxy, causing the registry to respond 403 from a different source IP and the login to never complete #11561.
pnpm add -g now installs each space-separated package into its own isolated directory by default. To bundle multiple packages into the same isolated install (so that they share dependencies and are removed together), pass them as a comma-separated list. For example:
- pnpm add -g foo bar installs foo and bar as two independent globals — removing one does not affect the other.
- pnpm add -g foo,bar qar bundles foo and bar into a single isolated install while qar is installed on its own.
Related: #11587.
pnpm runtime set <name> <version> no longer fails in the root of a multi-package workspace with the ADDING_TO_ROOT error. Installing the workspace root is a valid target for a runtime, so the command now bypasses that safety check.
Fix pnpm --version hanging for the lifetime of the worker pool after the version was printed. main.ts's --version short-circuit returned before reaching the command-handler finally that calls finishWorkers(), so the worker pool that switchCliVersion had spawned during integrity resolution stayed alive and held the Node event loop open. The CLI entry now runs finishWorkers() from its own finally, so every exit path tears the pool down.

Repro: pnpm --version in a workspace whose devEngines.packageManager version already matches the running pnpm + onFail: "download". switchCliVersion resolves the integrity (spawning workers), finds nothing to swap, returns. The version prints, then the process hangs.

rolldown/tsdown (tsdown)

`v0.22.0`

Compare Source

🚨 Breaking Changes

Drop Node.js < 22.18.0 support, make unrun optional, add tsx config loader - by @sxzz (a1042)
dts: Auto-enable dts when tsconfig declaration is true - by @sxzz in #872 (085f0)
publint: Use pkg from publint results, require publint v0.3.8+ - by @sxzz (413bb)

🚀 Features

Upgrade rolldown to 1.0.0-rc.18 - by @sxzz (66085)
Upgrade rolldown to v1.0.0 - by @sxzz (fabba)
exports: Auto-enable bin detection by default - by @sxzz in #873 (abda9)

🐞 Bug Fixes

Explicitly drop node 23 support - by @sxzz (85e65)
debug: Enhance debug logging for pack tarball - by @sxzz and Copilot (5de04)
exports: Detect types fields nested in conditional exports - by @sxzz (82fa1)
pkg: Fix duplicate configuration warning logic - by @ho991217 and @sxzz in #935 (6a0d9)

🔄 Migration Guide

Node.js version

Upgrade to Node.js 22.18.0 or later. Bun and Deno remain supported (experimental).

`unrun` is no longer bundled

If your environment relies on the unrun config loader (i.e. you're on a Node version without native TypeScript support and use the default auto loader), install it manually:

npm i -D unrun

# or, alternatively, the new tsx loader:
npm i -D tsx

If you use Node.js 22.18.0+ with native TypeScript support, no change is needed — the auto loader will pick native.

`dts` auto-enabled from tsconfig

If your tsconfig.json has compilerOptions.declaration: true but you do not want tsdown to emit .d.ts files, opt out explicitly:

// tsdown.config.ts
export default defineConfig({
  dts: false,
})

`exports.bin` auto-detection

Any entry chunk containing a shebang (e.g. #!/usr/bin/env node) now causes tsdown to write a bin field in package.json automatically. The semantics differ slightly from explicit bin: true:

Value	Single shebang	Multiple shebangs	No shebangs
(unset)	Auto-set bin	Warn, skip	Silent
`true`	Auto-set bin	Throw	Warn
`false`	No bin	No bin	No bin

To opt out entirely:

export default defineConfig({
  exports: { bin: false },
})

Links

`v0.21.10`

Compare Source

🚀 Features

Upgrade rolldown - by @sxzz (8a449)

View changes on GitHub

`v0.21.9`

Compare Source

🚀 Features

Upgrade rolldown - by @sxzz (2d74e)
config: Track transitive config dependencies for watch reload - by @sxzz in #919 (16e27)
exports: Add bin to publishConfig when devExports is enabled - by @sxzz in #911 (60592)
plugin: Add tsdownConfig and tsdownConfigResolved plugin hooks - by @sxzz in #918 (665e5)

🐞 Bug Fixes

Skip package.json writting when content is deeply equal - by @ocavue and @sxzz in #913 (d8e1c)
Skip Node.js version check in Bun - by @sxzz (38afd)
css: Detect css modules from full id for vue virtual sfc styles - by @sxzz in #917 (e6021)

View changes on GitHub

`v0.21.8`

Compare Source

🚀 Features

Upgrade rolldown - by @sxzz (7f887)
attw: Improve ignoreRules type to autocomplete known values - by @mrlubos in #892 (c8f5c)
create-tsdown: Add Vite Plus template option - by @sxzz (daed0)
exports: Add extensions option for subpath export keys - by @SinhSinhAn and @sxzz in #899 (1bb7a)
target: Add support for baseline-widely-available target - by @sxzz in #896 (d6a16)

🐞 Bug Fixes

Export type only for cjs dts re-export - by @sxzz (25510)
Exclude shim file from bundled dependency hint - by @sxzz in #909 (3f8de)
dts: Skip cjs dts reexport for non-entry chunks - by @sxzz (5fee2)

View changes on GitHub

`v0.21.7`

Compare Source

🚀 Features

Add module option for attw and publint to allow passing imported modules directly - by @sxzz (31e90)

🐞 Bug Fixes

deps: Add skipNodeModulesBundle dep subpath e2e tests and fix docs - by @sxzz (deff7)

View changes on GitHub

`v0.21.6`

Compare Source

🚀 Features

Upgrade rolldown to v1.0.0-rc.12 - by @sxzz (51292)
config:
- Pass root config to workspace config functions - by @sxzz (76169)
- Use mergeConfig for workspace config merging and support variadic overrides - by @sxzz (148aa)
dts:
- Add cjsReexport option to eliminate dual module type hazard - by @mandarini and @sxzz in #856 (875c1)
exports:
- Add bin option to auto-generate package.json bin field - by @sxzz in #869 (7ebd6)

🐞 Bug Fixes

css:
- Compile preprocessor langs in virtual CSS modules - by @sxzz in #865 (7b2e0)
- Strip .module from CSS output filenames - by @sxzz in #866 (03ade)
- Default splitting to true in unbundle mode for CSS inject - by @sxzz in [#867](https://redir

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

Branch creation
- Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

bolt-new-by-stackblitz · 2025-12-29T02:10:15Z

Run & review this pull request in StackBlitz Codeflow.

pkg-pr-new · 2025-12-29T02:10:42Z

Open in StackBlitz

npm i https://pkg.pr.new/unplugin-lightningcss@39

commit: 4546972

socket-security · 2026-01-08T09:55:41Z

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

socket-security · 2026-03-06T02:11:19Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Quality	Maintenance
tsdown-preset-sxzz@0.3.1 ⏵ 0.6.0	⁺¹	⁺¹	⁺¹
@typescript/native-preview@7.0.0-dev.20260122.3 ⏵ 7.0.0-dev.20260512.1	⁺¹	⁺¹¹
tsdown@0.20.0 ⏵ 0.22.0		^-4

View full report

renovate Bot added the dependencies label Dec 29, 2025

renovate Bot force-pushed the renovate/all-minor-patch branch 10 times, most recently from 9aea6eb to dac8bec Compare January 5, 2026 08:56

renovate Bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from c4e0483 to 558f461 Compare January 8, 2026 09:55

renovate Bot force-pushed the renovate/all-minor-patch branch 12 times, most recently from 1f5110d to f7e4fcd Compare January 13, 2026 17:03

renovate Bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from ecb4aca to 3c4b791 Compare January 22, 2026 16:44

renovate Bot changed the title ~~fix(deps): update all non-major dependencies~~ fix(deps): update all non-major dependencies - autoclosed Jan 22, 2026

renovate Bot closed this Jan 22, 2026

renovate Bot deleted the renovate/all-minor-patch branch January 22, 2026 17:44

renovate Bot changed the title ~~fix(deps): update all non-major dependencies - autoclosed~~ chore(deps): update all non-major dependencies Jan 26, 2026

renovate Bot reopened this Jan 26, 2026

renovate Bot force-pushed the renovate/all-minor-patch branch 13 times, most recently from 5855856 to fa38aa7 Compare February 1, 2026 21:32

renovate Bot force-pushed the renovate/all-minor-patch branch 6 times, most recently from 8224c6b to 8b74bc2 Compare February 5, 2026 08:57

chore(deps): update all non-major dependencies

4546972

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): update all non-major dependencies#39

chore(deps): update all non-major dependencies#39
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

renovate Bot commented Dec 29, 2025 •

edited

Loading

Uh oh!

bolt-new-by-stackblitz Bot commented Dec 29, 2025

Uh oh!

pkg-pr-new Bot commented Dec 29, 2025 •

edited

Loading

Uh oh!

socket-security Bot commented Jan 8, 2026 •

edited

Loading

Uh oh!

socket-security Bot commented Mar 6, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

renovate Bot commented Dec 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Minor Changes

Patch Changes

🚨 Breaking Changes

🚀 Features

🐞 Bug Fixes

🔄 Migration Guide

Node.js version

unrun is no longer bundled

dts auto-enabled from tsconfig

exports.bin auto-detection

Links

🚀 Features

🚀 Features

🐞 Bug Fixes

🚀 Features

🐞 Bug Fixes

🚀 Features

renovate Bot commented Dec 29, 2025 •

edited

Loading

`unrun` is no longer bundled

`dts` auto-enabled from tsconfig

`exports.bin` auto-detection