chore(deps): update all non-major dependencies#57
Conversation
|
Warning Review limit reached
More reviews will be available in 1 minute and 45 seconds. Learn how PR review limits work. To continue reviewing without waiting, enable usage-based billing in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (4)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
988c1bd to
e928323
Compare
This PR contains the following updates:
^2.0.7→^2.0.14^0.21.5→^0.22.1^24.12.4→^24.13.224.15.0→24.16.011.3.0→11.6.0^3.8.3→^3.8.4Release Notes
web-infra-dev/rsbuild (@rsbuild/core)
v2.0.14Compare Source
What's Changed
Performance 🚀
Other Changes
Full Changelog: web-infra-dev/rsbuild@v2.0.13...v2.0.14
v2.0.13Compare Source
What's Changed
New Features 🎉
Bug Fixes 🐞
Document 📖
Other Changes
Full Changelog: web-infra-dev/rsbuild@v2.0.12...v2.0.13
v2.0.12Compare Source
What's Changed
New Features 🎉
Performance 🚀
Bug Fixes 🐞
Refactor 🔨
Document 📖
Other Changes
Full Changelog: web-infra-dev/rsbuild@v2.0.11...v2.0.12
v2.0.11Compare Source
What's Changed
Bug Fixes 🐞
Document 📖
Other Changes
Full Changelog: web-infra-dev/rsbuild@v2.0.10...v2.0.11
v2.0.10Compare Source
What's Changed
New Features 🎉
Bug Fixes 🐞
Document 📖
Other Changes
Full Changelog: web-infra-dev/rsbuild@v2.0.9...v2.0.10
v2.0.9Compare Source
Highlights
Safer npm Staged Publishing
Rsbuild 2.0.9 updates the release workflow so all packages are now published through npm staged publishing, making package releases safer by staging them before final publication.
What's Changed
New Features 🎉
Bug Fixes 🐞
Document 📖
Other Changes
Full Changelog: web-infra-dev/rsbuild@v2.0.8...v2.0.9
v2.0.8Compare Source
Highlights
Tailwind CSS Plugin
Rsbuild 2.0.8 introduces
@rsbuild/plugin-tailwindcss, a first-party plugin for integrating Tailwind CSS v4 through @tailwindcss/webpack.Compared with the
@tailwindcss/postcsspackage, it avoids running Tailwind CSS transforms through PostCSS and provides better build performance.What's Changed
New Features 🎉
Bug Fixes 🐞
Refactor 🔨
Document 📖
Other Changes
Full Changelog: web-infra-dev/rsbuild@v2.0.7...v2.0.8
web-infra-dev/rslib (@rslib/core)
v0.22.1Compare Source
What's Changed
Bug Fixes 🐞
Document 📖
Other Changes
e853652by @renovate[bot] in #1684Full Changelog: web-infra-dev/rslib@v0.22.0...v0.22.1
v0.22.0Compare Source
Highlights
Isolated Declaration Generation
Rslib now supports generating declaration files with the experimental
dts.isolatedoption, powered by Rspack's built-in SWCfast_dtscapability.dts.isolatedemits declaration files directly during the build without running a full type check, making declaration generation significantly faster.This makes it a good fit for monorepo projects that use a separate high-performance type-checking workflow, such as rslint --type-check.
What's Changed
New Features 🎉
Performance 🚀
Bug Fixes 🐞
Document 📖
Other Changes
a3cd90cby @renovate[bot] in #1666Full Changelog: web-infra-dev/rslib@v0.21.5...v0.22.0
actions/node-versions (node)
v24.16.0: 24.16.0Compare Source
Node.js 24.16.0
pnpm/pnpm (pnpm)
v11.6.0Compare Source
Minor Changes
pnpm installcompletes without re-resolving whenpnpm-lock.yamlwas deleted butnode_modulesis intact: the up-to-date check now treats the current lockfile (node_modules/.pnpm/lock.yaml) — the record of what the previous install materialized — as the wanted lockfile, verifies the manifests still match it, restorespnpm-lock.yamlfrom it, and reports "Already up to date". Previously this scenario triggered a full resolution and a re-verification of every locked package against the registry.615c669: Added support for configuring URL-scoped registry settings throughnpm_config_//…andpnpm_config_//…environment variables, for example:This provides a file-free way to supply registry authentication. Because the registry a value applies to is encoded in the (trusted) environment variable name, it is host-scoped by construction and cannot be redirected to another registry by repository-controlled config. The environment value is treated as trusted config: it takes precedence over a project/workspace
.npmrcbut is still overridden by command-line options. When the same key is provided through both prefixes,pnpm_config_wins.Raised the default network concurrency from
min(64, max(cpuCores * 3, 16))tomin(96, max(cpuCores * 3, 64)). Package downloads are I/O-bound, not CPU-bound, so deriving the floor from the core count left machines with few cores (for example 4-vCPU CI runners) downloading only 16 tarballs at a time and unable to saturate a low-latency registry. ThenetworkConcurrencysetting still overrides the default.Patch Changes
.npmrcuses an environment variable in a registry/proxy URL or in registry credentials. The message now explains why the setting was ignored and how to migrate it to a trusted source — for example by moving the line to the user-level~/.npmrcor runningpnpm config set "<key>" <value>— with a link to https://pnpm.io/npmrc. Thepnpm config setexample is only suggested when the key has no${...}placeholder, so the snippet is always safe to copy-paste.os/cpu/libcfields are missing from the registry metadata or the lockfile. Some registries strip these fields from the package metadata, which made pnpm download and install the binaries of every platform regardless ofsupportedArchitectures. The missing platform fields of an optional dependency are now inferred from its name (e.g.@nx/nx-win32-arm64-msvc→os: win32,cpu: arm64), so foreign-platform binaries are skipped without even downloading them #11702.v11.5.3Compare Source
Patch Changes
Stopped expanding environment variables in repository-controlled registry/proxy request destinations and registry credential values from
.npmrc, and in workspace registry URLs frompnpm-workspace.yaml. Move dynamic registry URL and token configuration to trusted user, global, CLI, or environment config.Resolve package-manager bootstrap dependencies with trusted user or CLI registry and network config, and reject package-manager env-lockfile records that do not use registry package paths with integrity-only resolutions before auto-switch execution.
Avoid writing
packageManagerDependenciestopnpm-lock.yamlwhen package manager policy is set toonFail: ignoreorpmOnFail: ignore#12228.Avoid running dependency-status auto-install when the dependency status is unavailable without a project manifest.
Using the
$version reference syntax inoverrides(e.g."react": "$react") now prints a deprecation warning. The syntax still works, but catalogs are the recommended way to keep an overridden version in sync with the rest of the workspace. Reference a catalog entry with thecatalog:protocol instead.Fixed
pnpm config get globalconfigto return the globalconfig.yamlpath again pnpm/pnpm#11962.Fixed bare
--colorso it does not consume the following CLI flag, allowing command shorthands like--parallelto expand correctly and forms likepnpm --color with current <command>to dispatch the inner command instead of failing withMISSING_WITH_CURRENT_CMD.Fix
pnpm installignoringenableGlobalVirtualStoretoggle by including it in the workspace state settings check #12142.Security: pnpm now verifies the npm registry signature of a package-manager binary before spawning it, so a cloned repository cannot make pnpm download and execute an arbitrary native binary.
This covers two paths that select an executable from repository-controlled input:
pacquet(or@pnpm/pacquet) inconfigDependenciesopts in to pnpm's Rust install engine. pnpm now verifies that the installedpacquetshim and the host's@pacquet/<platform>-<arch>binary carry a valid npm registry signature for their exactname@version, and refuses to run pacquet (failing the command) if the signature does not verify or cannot be checked. The only graceful fallback to pnpm's own engine is when pacquet has no binary for the current platform.self-update— thepackageManager/devEngines.packageManagerfield makes pnpm download and run a specific pnpm version. pnpm now verifies the registry signature ofpnpm,@pnpm/exe, and the host platform binary before installing/spawning them, and refuses to run an engine whose signature does not match a published, signed release. The check runs only on an actual download (store cache miss), so it does not add a network round trip to every command.In both cases the signature is verified over the installed integrity, against npm's public signing keys that ship embedded in the pnpm CLI (like corepack), so bytes substituted via a tampered lockfile or a repository-controlled registry fail verification — and a registry the user did not vouch for cannot supply its own signing keys. The signed packument is fetched from the configured registry, so an npm mirror works transparently. Verification fails closed: if it cannot be completed (for example, the registry is unreachable), the command fails rather than running an unverified binary. The embedded keys are kept current by a release-time check against npm's signing-keys endpoint.
Made peer-dependent deduplication deterministic. When a peer-suf
Configuration
📅 Schedule: (in timezone Asia/Shanghai)
* 0-3 1,15 * *)🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.