fix(deps): update non-major dependencies #78

Merged
renovate-bot merged 1 commit from renovate/non-major-dependencies into main 2026-07-13 05:54:54 +00:00
Contributor

This PR contains the following updates:

Package Change Age Confidence
@xyflow/react (source) 12.11.112.11.2 age confidence
adm-zip ^0.5.16^0.6.0 age confidence
bullmq (source) 5.79.25.80.2 age confidence
dompurify 3.4.113.4.12 age confidence
helmet (source) 8.2.08.3.0 age confidence
marked (source) 18.0.518.0.6 age confidence
react-router (source) 8.1.08.2.0 age confidence
sanitize-html (source) 2.17.52.17.6 age confidence
tsx (source) 4.23.04.23.1 age confidence
vite (source) 8.1.38.1.4 age confidence

Release Notes

xyflow/xyflow (@​xyflow/react)

v12.11.2

Compare Source

Patch Changes
cthackers/adm-zip (adm-zip)

v0.6.0

Compare Source

==================

Security

  • Fixed CVE-2026-39244: a crafted archive declaring a huge uncompressed size could force an unbounded Buffer.alloc (memory exhaustion / DoS) before any validation. Allocation is now bounded by the data actually present — STORED output is sized from the real bytes, DEFLATED output is grown by the inflater and capped at the declared size (#​568)
  • Hardened the internal entry-name lookup table against object injection: entry names come from untrusted archives, and a name such as __proto__ previously resolved to Object.prototype, crashing addFile and hiding the entry from getEntry/readFile. The table is now prototype-less

Bug fixes

  • Fixed a regression (0.5.15) that rejected valid archives using a data descriptor (general-purpose bit 3). The payload is now validated against the authoritative central-directory CRC instead of requiring/parsing the trailing descriptor (#​548, #​533, #​554)
  • Fixed extractAllTo/extractAllToAsync not restoring directory permissions with keepOriginalPermission; directory modes are applied after their contents are written, deepest path first, and no longer lock the extractor out of a restrictive directory (#​530)
  • Fixed infinite recursion in addLocalFolder when a folder contains a symlink pointing back to an ancestor (e.g. workspace node_modules); the walk now tracks resolved real paths and skips already-visited directories (#​541)
  • Fixed an uncaught exception (ERR_INVALID_ARG_TYPE) that crashed the process when writeFileToAsync could not open the target file (bad permissions, invalid filename, exhausted file descriptors); write failures are now reported through the callback and write errors are no longer silently swallowed (#​470, #​459, #​402)
  • Fixed directory entries reporting an empty name (e.g. a/b/c/ now returns c) (#​466)
  • Fixed extractEntryTo flattening subdirectories when maintainEntryPath is false; the structure below the extracted directory is now preserved instead of collapsing (and overwriting) files by basename (#​306)
  • Fixed a failed utimes aborting extraction; setting the modification time is now best-effort and never fails extraction of already-written content (#​379)
  • Fixed test() always returning false for any archive containing a file (it indexed the entries array with an entry object instead of reading the entry); it now correctly verifies each entry's CRC

Performance

  • Faster entry sorting when writing archives with many entries: names are decoded once instead of on every comparison (about 6× faster sort for large archives)

Added

  • Bundled TypeScript type definitions (types.d.ts), so @types/adm-zip is no longer required

Notes

  • Behavior change: extractEntryTo(dir, target, /* maintainEntryPath */ false) now preserves subdirectories beneath the extracted directory rather than flattening them
  • Behavior change: extraction no longer fails when the modification time cannot be set
taskforcesh/bullmq (bullmq)

v5.80.2

Compare Source

Bug Fixes
  • job-scheduler: respect offset option in upsertJobScheduler (elixir) (rust) (#​3993) (78bbb25)

v5.80.1

Compare Source

Bug Fixes
  • job: enforce priority max of 2^21-1 to preserve FIFO at the boundary (#​4261) (418de1e)

v5.80.0

Compare Source

v5.79.4

Compare Source

Bug Fixes
  • job-scheduler: coerce string offset in Lua helper (#​4266) (python) (elixir) (5a88614)

v5.79.3

Compare Source

Bug Fixes
  • queue-events: correct delay event number type and documentation (#​3989) (6ffd88a)
cure53/DOMPurify (dompurify)

v3.4.12: DOMPurify 3.4.12

Compare Source

  • Fixed an issue where a hook would not get called for custom elements, thanks @​Rikuxx0
  • Hardened the handling of hooks removing elements, @​mkrause-bee360
  • Added support for a few new SVG attributes, thanks @​cbn-falias & @​Develop-KIM
  • Hardened the handling of declarative partial updates
  • Updated the documentation is several spots, README, wiki, etc.
  • Bumped several dependencies where possible
helmetjs/helmet (helmet)

v8.3.0

Compare Source

Changed
  • Content-Security-Policy: improved performance by ~7% when there are no dynamic directives
  • Content-Security-Policy: improved error handling for invalid directive names
Fixed
  • Content-Security-Policy: useDefaults: false with no directives is no longer valid, both at runtime and the type level
  • Content-Security-Policy: dynamically-computed directive values would throw, not call next, when invalid
  • Content-Security-Policy: dynamically-computed directive value entries would throw, not call next, when function threw
markedjs/marked (marked)

v18.0.6

Compare Source

Bug Fixes
  • Avoid O(n^2) backtracking in inline link href regex (#​4013) (a009808)
  • Fix ordered lists after blockquotes (#​4003) (33928d0)
  • keep trailing text on HTML block close line for PI, declarations, and CDATA (#​3991) (bbb84c8)
remix-run/react-router (react-router)

v8.2.0

Compare Source

Patch Changes
  • Fix href() to properly stringify and URL-encode param values, matching generatePath() (#​15277)
    • splat params preserve path separators while encoding each segment individually
  • Fix dynamic param extraction for routes with optional static segments (#​15200)
    • When a route path contains optional static segments (e.g. /school?/user/:id), the internal regex's incorrectly shifted parameter indices resulting in incorrect parameter extraction
    • Consecutive optional static segments (e.g. /one?/two?) were only partially handled
  • Preserve navigation blocker state through a revalidation (#​15246)
  • Fix route ranking for dynamic parameters with static extension suffixes (#​15273)
    • These were not being detected as dynamic param segments and instead got incorrectly scored higher as a static segment
    • This meant they could potentially tie truly static routes like /sitemap.xml and outrank them based on definition order
    • These are now correctly identified as dynamic parameter segments and scored correctly
  • Use ReactFormState types instead of unknown (#​15263)
privatenumber/tsx (tsx)

v4.23.1

Compare Source

Bug Fixes
  • support tsImport after global preload (8d4ffc2)
  • watch: avoid clearing piped output (95d0672)
  • watch: treat script and dependency paths literally (79fddde)
Performance Improvements
  • index transform cache lazily (e818ad6)
  • load esbuild lazily in CLI (d067938)
  • map Node TypeScript formats directly (cdcc623)
  • use sync module hooks on Node v22.22.3+ (f8992f1)

This release is also available on:

vitejs/vite (vite)

v8.1.4

Compare Source

Features
Bug Fixes
Documentation
Miscellaneous Chores
Code Refactoring
Tests
Build System

Configuration

📅 Schedule: (in timezone America/Chicago)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@xyflow/react](https://reactflow.dev) ([source](https://github.com/xyflow/xyflow/tree/HEAD/packages/react)) | [`12.11.1` → `12.11.2`](https://renovatebot.com/diffs/npm/@xyflow%2freact/12.11.1/12.11.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@xyflow%2freact/12.11.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@xyflow%2freact/12.11.1/12.11.2?slim=true) | | [adm-zip](https://github.com/cthackers/adm-zip) | [`^0.5.16` → `^0.6.0`](https://renovatebot.com/diffs/npm/adm-zip/0.5.18/0.6.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/adm-zip/0.6.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/adm-zip/0.5.18/0.6.0?slim=true) | | [bullmq](https://bullmq.io/) ([source](https://github.com/taskforcesh/bullmq)) | [`5.79.2` → `5.80.2`](https://renovatebot.com/diffs/npm/bullmq/5.79.2/5.80.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/bullmq/5.80.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/bullmq/5.79.2/5.80.2?slim=true) | | [dompurify](https://github.com/cure53/DOMPurify) | [`3.4.11` → `3.4.12`](https://renovatebot.com/diffs/npm/dompurify/3.4.11/3.4.12) | ![age](https://developer.mend.io/api/mc/badges/age/npm/dompurify/3.4.12?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/dompurify/3.4.11/3.4.12?slim=true) | | [helmet](https://helmet.js.org/) ([source](https://github.com/helmetjs/helmet)) | [`8.2.0` → `8.3.0`](https://renovatebot.com/diffs/npm/helmet/8.2.0/8.3.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/helmet/8.3.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/helmet/8.2.0/8.3.0?slim=true) | | [marked](https://marked.js.org) ([source](https://github.com/markedjs/marked)) | [`18.0.5` → `18.0.6`](https://renovatebot.com/diffs/npm/marked/18.0.5/18.0.6) | ![age](https://developer.mend.io/api/mc/badges/age/npm/marked/18.0.6?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/marked/18.0.5/18.0.6?slim=true) | | [react-router](https://github.com/remix-run/react-router) ([source](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router)) | [`8.1.0` → `8.2.0`](https://renovatebot.com/diffs/npm/react-router/8.1.0/8.2.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/react-router/8.2.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/react-router/8.1.0/8.2.0?slim=true) | | [sanitize-html](https://github.com/apostrophecms/apostrophe/tree/main/packages/sanitize-html#readme) ([source](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html)) | [`2.17.5` → `2.17.6`](https://renovatebot.com/diffs/npm/sanitize-html/2.17.5/2.17.6) | ![age](https://developer.mend.io/api/mc/badges/age/npm/sanitize-html/2.17.6?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/sanitize-html/2.17.5/2.17.6?slim=true) | | [tsx](https://tsx.hirok.io) ([source](https://github.com/privatenumber/tsx)) | [`4.23.0` → `4.23.1`](https://renovatebot.com/diffs/npm/tsx/4.23.0/4.23.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/tsx/4.23.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/tsx/4.23.0/4.23.1?slim=true) | | [vite](https://vite.dev) ([source](https://github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`8.1.3` → `8.1.4`](https://renovatebot.com/diffs/npm/vite/8.1.3/8.1.4) | ![age](https://developer.mend.io/api/mc/badges/age/npm/vite/8.1.4?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/8.1.3/8.1.4?slim=true) | --- ### Release Notes <details> <summary>xyflow/xyflow (@&#8203;xyflow/react)</summary> ### [`v12.11.2`](https://github.com/xyflow/xyflow/blob/HEAD/packages/react/CHANGELOG.md#12112) [Compare Source](https://github.com/xyflow/xyflow/compare/@xyflow/react@12.11.1...@xyflow/react@12.11.2) ##### Patch Changes - [#&#8203;5825](https://github.com/xyflow/xyflow/pull/5825) [`5072914`](https://github.com/xyflow/xyflow/commit/5072914791f89d99e4484f1d36c9b6781a0a2c36) - Only create an `XYDrag` instance for draggable nodes. - [#&#8203;5847](https://github.com/xyflow/xyflow/pull/5847) [`742860c`](https://github.com/xyflow/xyflow/commit/742860c2939f1b5cba2fced275487fdaeee8a091) - Stop the `MiniMap` from re-rendering on every store update. - [#&#8203;5846](https://github.com/xyflow/xyflow/pull/5846) [`17c64a1`](https://github.com/xyflow/xyflow/commit/17c64a158554b2a6172f6030e6c280b1dd12786c) - Apply the viewport pan/zoom transform imperatively so the `Viewport` component only renders once. - Updated dependencies \[[`c707267`](https://github.com/xyflow/xyflow/commit/c707267bc80bc954fdc69a08c9e00c98068dd613), [`0c0cebc`](https://github.com/xyflow/xyflow/commit/0c0cebc08cc34d2852d1ea429df638732b3edf68), [`56cf3b0`](https://github.com/xyflow/xyflow/commit/56cf3b00369a680a71743e4fb277db26e861d4b0), [`a01bb6b`](https://github.com/xyflow/xyflow/commit/a01bb6bf51e2de4eeee052187f3ce533c0e77754), [`9b3f390`](https://github.com/xyflow/xyflow/commit/9b3f390e21c1801832449389b069c4e5a13b4d7f), [`cdfcbeb`](https://github.com/xyflow/xyflow/commit/cdfcbeb9618437b2e7c35336db157e36a5a0731e)]: - [@&#8203;xyflow/system](https://github.com/xyflow/system)@&#8203;0.0.79 </details> <details> <summary>cthackers/adm-zip (adm-zip)</summary> ### [`v0.6.0`](https://github.com/cthackers/adm-zip/blob/HEAD/history.md#060--2026-07-10) [Compare Source](https://github.com/cthackers/adm-zip/compare/v0.5.18...v0.6.0) \================== Security - Fixed CVE-2026-39244: a crafted archive declaring a huge uncompressed size could force an unbounded `Buffer.alloc` (memory exhaustion / DoS) before any validation. Allocation is now bounded by the data actually present — STORED output is sized from the real bytes, DEFLATED output is grown by the inflater and capped at the declared size ([#&#8203;568](https://github.com/cthackers/adm-zip/issues/568)) - Hardened the internal entry-name lookup table against object injection: entry names come from untrusted archives, and a name such as `__proto__` previously resolved to `Object.prototype`, crashing `addFile` and hiding the entry from `getEntry`/`readFile`. The table is now prototype-less Bug fixes - Fixed a regression (0.5.15) that rejected valid archives using a data descriptor (general-purpose bit 3). The payload is now validated against the authoritative central-directory CRC instead of requiring/parsing the trailing descriptor ([#&#8203;548](https://github.com/cthackers/adm-zip/issues/548), [#&#8203;533](https://github.com/cthackers/adm-zip/issues/533), [#&#8203;554](https://github.com/cthackers/adm-zip/issues/554)) - Fixed `extractAllTo`/`extractAllToAsync` not restoring directory permissions with `keepOriginalPermission`; directory modes are applied after their contents are written, deepest path first, and no longer lock the extractor out of a restrictive directory ([#&#8203;530](https://github.com/cthackers/adm-zip/issues/530)) - Fixed infinite recursion in `addLocalFolder` when a folder contains a symlink pointing back to an ancestor (e.g. workspace `node_modules`); the walk now tracks resolved real paths and skips already-visited directories ([#&#8203;541](https://github.com/cthackers/adm-zip/issues/541)) - Fixed an uncaught exception (`ERR_INVALID_ARG_TYPE`) that crashed the process when `writeFileToAsync` could not open the target file (bad permissions, invalid filename, exhausted file descriptors); write failures are now reported through the callback and write errors are no longer silently swallowed ([#&#8203;470](https://github.com/cthackers/adm-zip/issues/470), [#&#8203;459](https://github.com/cthackers/adm-zip/issues/459), [#&#8203;402](https://github.com/cthackers/adm-zip/issues/402)) - Fixed directory entries reporting an empty `name` (e.g. `a/b/c/` now returns `c`) ([#&#8203;466](https://github.com/cthackers/adm-zip/issues/466)) - Fixed `extractEntryTo` flattening subdirectories when `maintainEntryPath` is false; the structure below the extracted directory is now preserved instead of collapsing (and overwriting) files by basename ([#&#8203;306](https://github.com/cthackers/adm-zip/issues/306)) - Fixed a failed `utimes` aborting extraction; setting the modification time is now best-effort and never fails extraction of already-written content ([#&#8203;379](https://github.com/cthackers/adm-zip/issues/379)) - Fixed `test()` always returning false for any archive containing a file (it indexed the entries array with an entry object instead of reading the entry); it now correctly verifies each entry's CRC Performance - Faster entry sorting when writing archives with many entries: names are decoded once instead of on every comparison (about 6× faster sort for large archives) Added - Bundled TypeScript type definitions (`types.d.ts`), so `@types/adm-zip` is no longer required Notes - Behavior change: `extractEntryTo(dir, target, /* maintainEntryPath */ false)` now preserves subdirectories beneath the extracted directory rather than flattening them - Behavior change: extraction no longer fails when the modification time cannot be set </details> <details> <summary>taskforcesh/bullmq (bullmq)</summary> ### [`v5.80.2`](https://github.com/taskforcesh/bullmq/releases/tag/v5.80.2) [Compare Source](https://github.com/taskforcesh/bullmq/compare/v5.80.1...v5.80.2) ##### Bug Fixes - **job-scheduler:** respect offset option in upsertJobScheduler (elixir) (rust) ([#&#8203;3993](https://github.com/taskforcesh/bullmq/issues/3993)) ([78bbb25](https://github.com/taskforcesh/bullmq/commit/78bbb253546b4c45f7e23ceccc31eb644651416c)) ### [`v5.80.1`](https://github.com/taskforcesh/bullmq/releases/tag/v5.80.1) [Compare Source](https://github.com/taskforcesh/bullmq/compare/v5.80.0...v5.80.1) ##### Bug Fixes - **job:** enforce priority max of 2^21-1 to preserve FIFO at the boundary ([#&#8203;4261](https://github.com/taskforcesh/bullmq/issues/4261)) ([418de1e](https://github.com/taskforcesh/bullmq/commit/418de1e51db09ffc8e95bac35015a1057d8a7271)) ### [`v5.80.0`](https://github.com/taskforcesh/bullmq/compare/v5.79.4...v5.80.0) [Compare Source](https://github.com/taskforcesh/bullmq/compare/v5.79.4...v5.80.0) ### [`v5.79.4`](https://github.com/taskforcesh/bullmq/releases/tag/v5.79.4) [Compare Source](https://github.com/taskforcesh/bullmq/compare/v5.79.3...v5.79.4) ##### Bug Fixes - **job-scheduler:** coerce string offset in Lua helper ([#&#8203;4266](https://github.com/taskforcesh/bullmq/issues/4266)) (python) (elixir) ([5a88614](https://github.com/taskforcesh/bullmq/commit/5a88614312243a12bb9e56b525c4deb60d76cf12)) ### [`v5.79.3`](https://github.com/taskforcesh/bullmq/releases/tag/v5.79.3) [Compare Source](https://github.com/taskforcesh/bullmq/compare/v5.79.2...v5.79.3) ##### Bug Fixes - **queue-events:** correct delay event number type and documentation ([#&#8203;3989](https://github.com/taskforcesh/bullmq/issues/3989)) ([6ffd88a](https://github.com/taskforcesh/bullmq/commit/6ffd88a0070b3ab84b77539dca7c35266716425e)) </details> <details> <summary>cure53/DOMPurify (dompurify)</summary> ### [`v3.4.12`](https://github.com/cure53/DOMPurify/releases/tag/3.4.12): DOMPurify 3.4.12 [Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.11...3.4.12) - Fixed an issue where a hook would not get called for custom elements, thanks [@&#8203;Rikuxx0](https://github.com/Rikuxx0) - Hardened the handling of hooks removing elements, [@&#8203;mkrause-bee360](https://github.com/mkrause-bee360) - Added support for a few new SVG attributes, thanks [@&#8203;cbn-falias](https://github.com/cbn-falias) & [@&#8203;Develop-KIM](https://github.com/Develop-KIM) - Hardened the handling of declarative partial updates - Updated the documentation is several spots, README, wiki, etc. - Bumped several dependencies where possible </details> <details> <summary>helmetjs/helmet (helmet)</summary> ### [`v8.3.0`](https://github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#830---2026-07-11) [Compare Source](https://github.com/helmetjs/helmet/compare/v8.2.0...v8.3.0) ##### Changed - `Content-Security-Policy`: improved performance by \~7% when there are no dynamic directives - `Content-Security-Policy`: improved error handling for invalid directive names ##### Fixed - `Content-Security-Policy`: `useDefaults: false` with no directives is no longer valid, both at runtime and the type level - `Content-Security-Policy`: dynamically-computed directive values would `throw`, not call `next`, when invalid - `Content-Security-Policy`: dynamically-computed directive value entries would `throw`, not call `next`, when function threw </details> <details> <summary>markedjs/marked (marked)</summary> ### [`v18.0.6`](https://github.com/markedjs/marked/releases/tag/v18.0.6) [Compare Source](https://github.com/markedjs/marked/compare/v18.0.5...v18.0.6) ##### Bug Fixes - Avoid O(n^2) backtracking in inline link href regex ([#&#8203;4013](https://github.com/markedjs/marked/issues/4013)) ([a009808](https://github.com/markedjs/marked/commit/a0098085f4ff80392cc5221ed803083d3b576904)) - Fix ordered lists after blockquotes ([#&#8203;4003](https://github.com/markedjs/marked/issues/4003)) ([33928d0](https://github.com/markedjs/marked/commit/33928d06634570d44c3426f4f48615f4c0a30b11)) - keep trailing text on HTML block close line for PI, declarations, and CDATA ([#&#8203;3991](https://github.com/markedjs/marked/issues/3991)) ([bbb84c8](https://github.com/markedjs/marked/commit/bbb84c88cf3a187c93fbc8966002164d229eba62)) </details> <details> <summary>remix-run/react-router (react-router)</summary> ### [`v8.2.0`](https://github.com/remix-run/react-router/blob/HEAD/packages/react-router/CHANGELOG.md#v820) [Compare Source](https://github.com/remix-run/react-router/compare/react-router@8.1.0...react-router@8.2.0) ##### Patch Changes - Fix `href()` to properly stringify and URL-encode param values, matching `generatePath()` ([#&#8203;15277](https://github.com/remix-run/react-router/pull/15277)) - splat params preserve path separators while encoding each segment individually - Fix dynamic param extraction for routes with optional static segments ([#&#8203;15200](https://github.com/remix-run/react-router/pull/15200)) - When a route path contains optional static segments (e.g. `/school?/user/:id`), the internal regex's incorrectly shifted parameter indices resulting in incorrect parameter extraction - Consecutive optional static segments (e.g. `/one?/two?`) were only partially handled - Preserve navigation blocker state through a revalidation ([#&#8203;15246](https://github.com/remix-run/react-router/pull/15246)) - Fix route ranking for dynamic parameters with static extension suffixes ([#&#8203;15273](https://github.com/remix-run/react-router/pull/15273)) - These were not being detected as dynamic param segments and instead got incorrectly scored higher as a static segment - This meant they could potentially tie truly static routes like `/sitemap.xml` and outrank them based on definition order - These are now correctly identified as dynamic parameter segments and scored correctly - Use ReactFormState types instead of unknown ([#&#8203;15263](https://github.com/remix-run/react-router/pull/15263)) </details> <details> <summary>privatenumber/tsx (tsx)</summary> ### [`v4.23.1`](https://github.com/privatenumber/tsx/releases/tag/v4.23.1) [Compare Source](https://github.com/privatenumber/tsx/compare/v4.23.0...v4.23.1) ##### Bug Fixes - support tsImport after global preload ([8d4ffc2](https://github.com/privatenumber/tsx/commit/8d4ffc24f37b396ca2fe3f251aa92c4919f2c1a4)) - **watch:** avoid clearing piped output ([95d0672](https://github.com/privatenumber/tsx/commit/95d0672e0247a829ae4469daa493212967ea768e)) - **watch:** treat script and dependency paths literally ([79fddde](https://github.com/privatenumber/tsx/commit/79fddde523d3bb7d0af66682ce1265f95113a073)) ##### Performance Improvements - index transform cache lazily ([e818ad6](https://github.com/privatenumber/tsx/commit/e818ad608159a6fb36fb8a0bd59327fec313323d)) - load esbuild lazily in CLI ([d067938](https://github.com/privatenumber/tsx/commit/d0679381b60a55a9b5863603a4022a81db5d13c8)) - map Node TypeScript formats directly ([cdcc623](https://github.com/privatenumber/tsx/commit/cdcc6232a3277fb3028b226958b66c49a6d86c17)) - use sync module hooks on Node v22.22.3+ ([f8992f1](https://github.com/privatenumber/tsx/commit/f8992f1a50213e11b7ef8ab5121c78e0d2f29384)) *** This release is also available on: - [npm package (@&#8203;latest dist-tag)](https://www.npmjs.com/package/tsx/v/4.23.1) </details> <details> <summary>vitejs/vite (vite)</summary> ### [`v8.1.4`](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-814-2026-07-09-small) [Compare Source](https://github.com/vitejs/vite/compare/v8.1.3...v8.1.4) ##### Features - **legacy:** prefer oxc as minifier (fix [#&#8203;21973](https://github.com/vitejs/vite/issues/21973)) ([#&#8203;22468](https://github.com/vitejs/vite/issues/22468)) ([ab5dafa](https://github.com/vitejs/vite/commit/ab5dafa8e66296ef201f615489fb57954bb740ce)) ##### Bug Fixes - **build:** add workaround for building on stackblitz ([#&#8203;22840](https://github.com/vitejs/vite/issues/22840)) ([575c32c](https://github.com/vitejs/vite/commit/575c32c29925c554f4ef4068738ab89c6878f615)) - **build:** keep `import.meta.url` in preload function as-is ([#&#8203;22839](https://github.com/vitejs/vite/issues/22839)) ([f1f90ed](https://github.com/vitejs/vite/commit/f1f90ed4742b3cf453428c7e581a6016a4d47321)) - **deps:** update all non-major dependencies ([#&#8203;22865](https://github.com/vitejs/vite/issues/22865)) ([d4295a9](https://github.com/vitejs/vite/commit/d4295a9ffce428c0e51892373e00c07fccc0498a)) - **deps:** update rolldown-related dependencies ([#&#8203;22866](https://github.com/vitejs/vite/issues/22866)) ([7cf07e4](https://github.com/vitejs/vite/commit/7cf07e4c5f7a6af276012e0c2ec06e08499e951e)) - **html:** avoid backtracking in import-only check ([#&#8203;22848](https://github.com/vitejs/vite/issues/22848)) ([b5868c0](https://github.com/vitejs/vite/commit/b5868c01a124d345664450aaebd677bfba964c05)) - **optimizer:** avoid optimizer run for transform request before init ([#&#8203;22852](https://github.com/vitejs/vite/issues/22852)) ([72a5e21](https://github.com/vitejs/vite/commit/72a5e2192506f51a5efd09c059815a5c43a9eacb)) - **ssr:** align named export function call stacktrace column with Node ([#&#8203;22829](https://github.com/vitejs/vite/issues/22829)) ([173a1b6](https://github.com/vitejs/vite/commit/173a1b648c321e0f836e5a94fc47c4fa9b081bfc)) - strip pure CSS chunk imports when chunkImportMap is enabled ([#&#8203;22841](https://github.com/vitejs/vite/issues/22841)) ([648bd04](https://github.com/vitejs/vite/commit/648bd04933093d0aac9565f21a49811437776886)) ##### Documentation - fix incorrect `@default` for `server.cors` ([#&#8203;22859](https://github.com/vitejs/vite/issues/22859)) ([70435b2](https://github.com/vitejs/vite/commit/70435b2551ee4fe3a0d55c8a3bb61b96f44d2763)) ##### Miscellaneous Chores - **deps:** update dependency postcss-modules to v9 ([#&#8203;22867](https://github.com/vitejs/vite/issues/22867)) ([a9539d6](https://github.com/vitejs/vite/commit/a9539d69efc7a4ccf988bbf5da31c2b416ba990e)) ##### Code Refactoring - eliminate ineffectiveDynamicImport warn ([#&#8203;22876](https://github.com/vitejs/vite/issues/22876)) ([ea22fb3](https://github.com/vitejs/vite/commit/ea22fb352aad9a42c0a9d08f39d8a0bae8c111a5)) ##### Tests - avoid warnings ([#&#8203;22851](https://github.com/vitejs/vite/issues/22851)) ([af21ab6](https://github.com/vitejs/vite/commit/af21ab68adac3380dc9a854d2fe3f776654301cd)) ##### Build System - remove the custom onLog function ([#&#8203;22878](https://github.com/vitejs/vite/issues/22878)) ([2c4a217](https://github.com/vitejs/vite/commit/2c4a217a63dc0a7fcb10bc710a988f32b173f481)) - replace deprecated `onwarn` with `onLog` ([#&#8203;22741](https://github.com/vitejs/vite/issues/22741)) ([c581b55](https://github.com/vitejs/vite/commit/c581b5588cb8e94603d17bce2ff9fec8e8e0a3bf)) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDkuNSIsInVwZGF0ZWRJblZlciI6IjQzLjI0OS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
fix(deps): update non-major dependencies
All checks were successful
CI / App — typecheck, test & build (push) Successful in 1m34s
CI / API — typecheck & tests (push) Successful in 2m42s
CI / App — typecheck, test & build (pull_request) Successful in 1m32s
CI / API — typecheck & tests (pull_request) Successful in 2m51s
eecaef12da
renovate-bot scheduled this pull request to auto merge when all checks succeed 2026-07-13 05:26:42 +00:00
renovate-bot deleted branch renovate/non-major-dependencies 2026-07-13 05:54:55 +00:00
Sign in to join this conversation.
No reviewers
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
rbrooks/TeaLeaves!78
No description provided.