chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@types/node (source)	^25.2.1 → ^25.2.3
@typescript/native-preview (source)	^7.0.0-dev.20260205.1 → ^7.0.0-dev.20260214.1
citty	^0.2.0 → ^0.2.1
obuild	^0.4.22 → ^0.4.27
oxfmt (source)	^0.28.0 → ^0.32.0
oxlint (source)	^1.43.0 → ^1.47.0
pnpm (source)	10.28.2 → 10.29.3
rolldown (source)	^1.0.0-rc.3 → ^1.0.0-rc.4

---

Release Notes

microsoft/typescript-go (@​typescript/native-preview)

v7.0.0-dev.20260214.1

Compare Source

v7.0.0-dev.20260213.1

Compare Source

v7.0.0-dev.20260212.1

Compare Source

v7.0.0-dev.20260211.1

Compare Source

v7.0.0-dev.20260210.1

Compare Source

v7.0.0-dev.20260209.1

Compare Source

v7.0.0-dev.20260208.1

Compare Source

v7.0.0-dev.20260207.1

Compare Source

v7.0.0-dev.20260206.1

Compare Source

unjs/citty (citty)

v0.2.1

Compare Source

compare changes

🩹 Fixes

• Propagate --no- negation to aliases and main option (#​225)

🏡 Chore

• Fix readme formatting (#​223)
• Use oxlint and oxfmt (f1d05f4)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Kai Gritun kaigritun@gmail.com
• Jimmy Guzman (@​jimmy-guzman)

unjs/obuild (obuild)

v0.4.27

Compare Source

compare changes

🩹 Fixes

• Append licenses with multi entries (e504807)

🏡 Chore

• Migrate to oxlint and oxfmt (a989953)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.26

Compare Source

compare changes

🩹 Fixes

• Prefer module over main for bundling (57f42b6)

🏡 Chore

• Lint (cb1a3c8)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.25

Compare Source

compare changes

🚀 Enhancements

• Generate dist/THIRD-PARTY-LICENSES.md (#​72)

🩹 Fixes

• Windows compatibility for reading package.json (#​71)

🏡 Chore

• release: V0.4.24 (c2af661)
• Apply automated updates (c6ba2f1)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Yizack Rangel (@​Yizack)

v0.4.24

Compare Source

compare changes

🩹 Fixes

• Windows compatibility for reading package.json (#​71)

❤️ Contributors

• Yizack Rangel (@​Yizack)

v0.4.23

Compare Source

compare changes

🏡 Chore

• Update rolldown (825b757)

❤️ Contributors

• Pooya Parsa (@​pi0)

oxc-project/oxc (oxfmt)

v0.32.0

Compare Source

v0.30.0

🐛 Bug Fixes

• 1b2f354 ci: Add missing riscv64/s390x napi targets for oxfmt and oxlint (#​19217) (Cameron)

oxc-project/oxc (oxlint)

v1.47.0

Compare Source

v1.45.0

🐛 Bug Fixes

• 1b2f354 ci: Add missing riscv64/s390x napi targets for oxfmt and oxlint (#​19217) (Cameron)

pnpm/pnpm (pnpm)

v10.29.3

Compare Source

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

rolldown/rolldown (rolldown)

v1.0.0-rc.4

Compare Source

🚀 Features

• rename error name to RolldownError from RollupError (#​8262) by @​sapphi-red
• add hidden resolve_tsconfig function for Vite (#​8257) by @​sapphi-red
• rust: introduce rolldown_watcher (#​8161) by @​hyf0
• unify comments and legalComments into a single granular comments option (#​8229) by @​IWANABETHATGUY
• add builtin plugin for visualizing chunk graph (#​8162) by @​IWANABETHATGUY
• show import declaration location in AssignToImport errors (#​8222) by @​Copilot
• show import declaration span in CannotCallNamespace error (#​8223) by @​Copilot
• emit error when plugin accidentally removes runtime module symbols (#​8203) by @​IWANABETHATGUY
• support tsconfig loading & inputMap for transform (#​8180) by @​sapphi-red
• rolldown_plugin_vite_reporter: update warning message to link to Rolldown docs (#​8205) by @​sapphi-red

🐛 Bug Fixes

• avoid panic on untranspiled JSX syntax by reporting a diagnostic error (#​8226) by @​IWANABETHATGUY
• rolldown_plugin_vite_import_glob: relax absolute path check and improve invalid glob warning (#​8219) by @​shulaoda
• merge chunks after detect circular reference (#​8154) by @​IWANABETHATGUY
• rust: detect runtime module side effects based on its content (#​8209) by @​hyf0

🚜 Refactor

• rename other to jsdoc in comments options (#​8256) by @​IWANABETHATGUY
• rename chunk-visualize plugin with bundle-analyzer plugin (#​8255) by @​IWANABETHATGUY
• remove EXPORT_UNDEFINED_VARIABLE error (#​8228) by @​Copilot
• consolidate missing runtime symbol errors into a single diagnostic (#​8220) by @​IWANABETHATGUY
• stabilize parse and parseSync (#​8215) by @​sapphi-red
• return errors instead of panicking on builtin plugin conversion failure (#​8217) by @​shulaoda
• expose parse / minify / transform from rolldown/utils (#​8214) by @​sapphi-red
• prepare defer chunk merging (#​8153) by @​IWANABETHATGUY

📚 Documentation

• remove <script> escape behavior difference note from platform option (#​8253) by @​sapphi-red
• TypeScript & JSX support by plugins (#​8183) by @​sapphi-red

🧪 Testing

• ensure runtime module is preserved even if it's not used but has side effects (#​8213) by @​hyf0

⚙️ Miscellaneous Tasks

• deps: update oxc to v0.113.0 (#​8267) by @​renovate[bot]
• deps: update dependency oxlint-tsgolint to v0.12.0 (#​8272) by @​renovate[bot]
• deps: update oxc apps (#​8269) by @​renovate[bot]
• deps: update test262 submodule for tests (#​8261) by @​sapphi-red
• deps: update crate-ci/typos action to v1.43.4 (#​8260) by @​renovate[bot]
• deps: update dependency esbuild to v0.27.3 (#​8250) by @​renovate[bot]
• deps: update rust crates (#​8244) by @​renovate[bot]
• deps: update dependency semver to v7.7.4 (#​8247) by @​renovate[bot]
• deps: update github-actions (#​8243) by @​renovate[bot]
• deps: update npm packages (#​8245) by @​renovate[bot]
• deps: update oxc resolver to v11.17.1 (#​8240) by @​renovate[bot]
• deps: update rust crate oxc_sourcemap to v6.0.2 (#​8241) by @​renovate[bot]
• rust: handle ignored RUSTSEC-2025-0141 cargo check error (#​8235) by @​hyf0
• deps: update dependency oxlint-tsgolint to v0.11.5 (#​8233) by @​renovate[bot]
• deps: update dependency rolldown-plugin-dts to ^0.22.0 (#​8232) by @​renovate[bot]
• deps: update crate-ci/typos action to v1.43.3 (#​8225) by @​renovate[bot]
• deps: update dependency rolldown-plugin-dts to v0.21.9 (#​8224) by @​renovate[bot]
• deps: update crate-ci/typos action to v1.43.2 (#​8212) by @​renovate[bot]
• remove rolldown_plugin_vite_wasm_helper (#​8207) by @​shulaoda
• build docs for production (#​8206) by @​sapphi-red

---

Configuration

📅 Schedule: Branch creation - "after 2am and before 3am" (UTC), Automerge - "after 1am and before 2am" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.