fix(deps): update all non-major dependencies

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/vite-plugin (source)	^1.15.3 -> ^1.17.0
@rolldown/pluginutils (source)	1.0.0-beta.52 -> 1.0.0-beta.53
react-router (source)	7.9.6 -> 7.10.1
rolldown (source)	1.0.0-beta.52 -> 1.0.0-beta.53
tsdown (source)	^0.16.8 -> ^0.17.1
typescript-eslint (source)	^8.48.0 -> ^8.48.1
vite (source)	^7.2.8 -> ^7.2.10
vite (source)	^7.2.4 -> ^7.2.7
vitest (source)	^4.0.14 -> ^4.0.15
wrangler (source)	^4.51.0 -> ^4.53.0

---

Release Notes

cloudflare/workers-sdk (@​cloudflare/vite-plugin)

v1.17.0

Compare Source

Minor Changes

• #​11506 79d30d4 Thanks @​vicb! - Set the target JS version to ES2024

Patch Changes

• #​11466 4f15699 Thanks @​ascorbic! - Throw a more helpful error message when a Worker's entry module can't be resolved

• Updated dependencies [819e287, af54c63, 9988cc9, ce295bf, 45480b1, 9514c9a, 94c67e8, ac861f8, 79d30d4, 56e78c8, 0aa959a, f550b62]:

  • @​cloudflare/unenv-preset@​2.7.13
  • wrangler@​4.53.0
  • miniflare@​4.20251202.1

v1.16.1

Compare Source

Patch Changes

• Updated dependencies [59534ba, 7e80340]:
  • miniflare@​4.20251202.0
  • wrangler@​4.52.1

v1.16.0

Compare Source

Minor Changes

• #​11445 c8e22c3 Thanks @​ascorbic! - Allow Worker config to be customized in the plugin config

  The Vite plugin can now be used to generate a Worker configuration instead of needing a Wrangler config file, or to customize an existing user-provided configuration.

  This is done via a new config option on the plugin, which accepts either a partial Worker configuration object, or a function that receives the current configuration and returns a partial config object, or modifies the current config in place.

  import cloudflare from "@​cloudflare/vite-plugin";
  import { defineConfig } from "vite";
  
  // Define a partial config object
  
  export default defineConfig({
  	plugins: [
  		cloudflare({
  			config: {
  				compatibility_date: "2025-01-01",
  			},
  		}),
  	],
  });
  
  // Return a partial config from a function, conditional on some logic
  
  export default defineConfig({
  	plugins: [
  		cloudflare({
  			config: (workerConfig) => {
  				if (workerConfig.name === "my-worker") {
  					return {
  						compatibility_flags: ["nodejs_compat"],
  					};
  				}
  			},
  		}),
  	],
  });
  
  // Modify the config in place
  
  export default defineConfig({
  	plugins: [
  		cloudflare({
  			config: (workerConfig) => {
  				workerConfig.compatibility_date = "2025-01-01";
  			},
  		}),
  	],
  });

• #​11360 6b38532 Thanks @​emily-shen! - Containers: Allow users to directly authenticate external image registries in local dev

  Previously, we always queried the API for stored registry credentials and used those to pull images. This means that if you are using an external registry (ECR, dockerhub) then you have to configure registry credentials remotely before running local dev.

  Now you can directly authenticate with your external registry provider (using docker login etc.), and Wrangler or Vite will be able to pull the image specified in the containers.image field in your config file.

  The Cloudflare-managed registry (registry.cloudflare.com) currently still does not work with the Vite plugin.

• #​11408 f29e699 Thanks @​ascorbic! - Support zero-config operation

  If the Vite plugin is used in a project without an existing Wrangler config file, it should be able to operate in "zero-config" mode by generating a default Wrangler configuration for an assets-only worker.

• #​11417 2ca70b1 Thanks @​jamesopstad! - Register named entrypoints with the dev registry.

  This enables binding to named entrypoints defined in a vite dev session from another vite dev or wrangler dev session running locally.

Patch Changes

• #​11383 1d685cb Thanks @​dario-piotrowicz! - Fix: Ensure that vite dev and vite preview hard error with an appropriate error message when a remote proxy session is required but if the connection with it fails to be established

  When using remote bindings, either with vite dev or vite preview, the remote proxy session necessary to connect to the remote resources can fail to be created. This might happen if for example you try to set a binding with some invalid values such as:

  MY_R2: {
  	type: "r2_bucket",
  	bucket_name: "non-existent", // No bucket called "non-existent" exists
  	remote: true,
  },

  Before, this could go undetected and cause unwanted behaviors such as requests handling hanging indefinitely. Now, a hard error will be thrown instead causing the vite process to crash, clearly indicating that something went wrong during the remote session's creation.

• #​11009 e4ddbc2 Thanks @​dario-piotrowicz! - Make sure that the account_id present in the user's config file is used for remote bindings

• Updated dependencies [2b4813b, abe49d8, b154de2, f29e699, 5ee3780, 6e63b57, 71ab562, 76f0540, 2342d2f, 5e937c1, 9a1de61, 6b38532, e4ddbc2, 2aec2b4, 695fa25, 504e258, 5a873bb, d25f7e2, 1cfae2d, e7b690b, 1d685cb, edf896d, 2b4813b, c47ad11, a977701, 9eaa9e2]:

  • miniflare@​4.20251128.0
  • wrangler@​4.52.0
  • @​cloudflare/unenv-preset@​2.7.12

rolldown/rolldown (@​rolldown/pluginutils)

v1.0.0-beta.53

Compare Source

💥 BREAKING CHANGES

• drop i686-pc-windows-msvc target support (#​7230) by @​sapphi-red

🚀 Features

• rolldown_plugin_vite_manifest: pass normalized options to isLegacy callback (#​7321) by @​shulaoda
• plugin/vite-resolve: add disableCache option (#​6763) by @​sapphi-red
• rolldown: export createTokioRuntime for tsdown (#​7264) by @​shulaoda
• rolldown_plugin_vite_html: sync moduleSideEffects for already loaded modules (#​7254) by @​shulaoda
• rolldown_plugin_vite_html: load module scripts with side effects to prevent tree-shaking (#​7244) by @​shulaoda
• rolldown_plugin_vite_css_post: implement cssScopeTo for scoped CSS tree-shaking (#​7240) by @​shulaoda

🐛 Bug Fixes

• export default class decl __name runtime insertion (#​7316) by @​IWANABETHATGUY
• chunk side effects calculation (#​7273) by @​IWANABETHATGUY
• node: output.generateCode.preset: 'es2015' should set output.generateCode.symbols: true by default (#​7314) by @​sapphi-red
• skip name helper for classes with static name property (#​7312) by @​IWANABETHATGUY
• preserve chunk imports relationship after chunk merging (#​7303) by @​shulaoda
• dev: make register_modules async (#​7289) by @​hyf0
• preserve computed property in object destructuring (#​7288) by @​IWANABETHATGUY
• support dynamic imports with shared dependencies (#​7261) by @​IWANABETHATGUY
• call defer_sync_scan_data in non-incremental build mode (#​7255) by @​shulaoda
• optimize chunk merging for shared entry points (#​7194) by @​IWANABETHATGUY
• add indentation for UMD format output (#​7263) by @​IWANABETHATGUY
• rolldown_plugin_vite_css_post: pass options to isLegacy callback for proper legacy detection (#​7260) by @​shulaoda
• rolldown_plugin_vite_css_post: also detect ?inline=true query for inlined CSS (#​7245) by @​shulaoda
• rolldown_plugin_vite_css_post: distinguish empty CSS from no CSS (#​7241) by @​shulaoda
• add Windows support for t-run command (#​7242) by @​IWANABETHATGUY
• cjs: prevent duplicate require declarations for external modules with preserveModules (#​7234) by @​logaretm
• rolldown_plugin_vite_resolve: resolve from root for virtual modules (#​7236) by @​sapphi-red
• include entry level external modules in chunk exports (#​7218) by @​IWANABETHATGUY

🚜 Refactor

• dev: make removeClient async (#​7313) by @​hyf0
• move chunk merging code out of code_splitting.rs (#​7285) by @​IWANABETHATGUY
• extract common function util for chunk merging (#​7271) by @​IWANABETHATGUY
• use iterative method to merge chunks (#​7256) by @​IWANABETHATGUY
• use concat_string! instead of string replace for generating chunk level exports (#​7247) by @​IWANABETHATGUY

📚 Documentation

• add warning to experimental.resolveNewUrlToAsset about JS/TS files (#​7300) by @​Copilot
• add sequential hook execution difference in plugin-api.md (#​7308) by @​Copilot
• add migration example from onwarn to onLog (#​7299) by @​Copilot
• add migration example for manualChunks to advancedChunks (#​7298) by @​Copilot
• deps: bump vitepress to fix build (#​7307) by @​sapphi-red
• examples & text for experimental.resolveNewUrlToAsset (#​7259) by @​TheAlexLichter

⚡ Performance

• rolldown_plugin_vite_css_post: lazily load cssScopeTo from JS module options (#​7253) by @​shulaoda
• rolldown_plugin_vite_css_post: avoid unnecessary string clones in resolve_asset_urls_in_css (#​7250) by @​shulaoda

🧪 Testing

• generate relative path like name in advanced chunks (#​7267) by @​IWANABETHATGUY
• add test case for preserveEntrySignatures with re-exports (#​7279) by @​IWANABETHATGUY
• add test262 integration tests (#​7196) by @​sapphi-red

⚙️ Miscellaneous Tasks

• deps: update dependency rolldown-plugin-dts to v0.18.1 (#​7304) by @​renovate[bot]
• enable tracing feature for napi (#​7322) by @​sapphi-red
• deps: update napi (#​7320) by @​renovate[bot]
• deps: update oxc (#​7318) by @​renovate[bot]
• deps: update napi (#​7317) by @​renovate[bot]
• deps: update oxc to v0.100.0 (#​7301) by @​renovate[bot]
• deps: downgrade pnpm to 10.23.0 to fix Netlify build (#​7306) by @​shulaoda
• add trustPolicyExclude for chokidar and semver (#​7302) by @​sapphi-red
• update pnpm lockfile (#​7291) by @​IWANABETHATGUY
• deps: update npm packages (#​7272) by @​renovate[bot]
• deps: update rust crates (#​7270) by @​renovate[bot]
• deps: update oxc (#​7262) by @​renovate[bot]
• deps: update github-actions (#​7269) by @​renovate[bot]
• deps: update dependency dprint-typescript to v0.95.13 (#​7268) by @​renovate[bot]
• deps: update html5gum to 0.8.1 (#​7265) by @​shulaoda
• rolldown: remove unused getModuleOptions from PluginContext (#​7266) by @​shulaoda
• remove unnecessary justfile ignore (#​7243) by @​IWANABETHATGUY
• deps: update oxc apps (#​7238) by @​renovate[bot]
• add nul to workaround https://github.com/anthropics/claude-c… (#​7237) by @​IWANABETHATGUY
• deps: update dependency valibot to v1.2.0 [security] (#​7231) by @​renovate[bot]
• deps: update crate-ci/typos action to v1.40.0 (#​7232) by @​renovate[bot]

❤️ New Contributors

• @​logaretm made their first contribution in #​7234

remix-run/react-router (react-router)

v7.10.1

Compare Source

Patch Changes

• Update the useOptimistic stub we provide for React 18 users to use a stable setter function to avoid potential useEffect loops - specifically when using <Link viewTransition> (#​14628)

v7.10.0

Compare Source

Minor Changes

• Stabilize fetcher.reset() (#​14545)

  • ⚠️ This is a breaking change if you have begun using fetcher.unstable_reset()

• Stabilize the dataStrategy match.shouldRevalidateArgs/match.shouldCallHandler() APIs. (#​14592)

  • The match.shouldLoad API is now marked deprecated in favor of these more powerful alternatives

  • If you're using this API in a custom dataStrategy today, you can swap to the new API at your convenience:

    // Before
    const matchesToLoad = matches.filter((m) => m.shouldLoad);
    
    // After
    const matchesToLoad = matches.filter((m) => m.shouldCallHandler());

  • match.shouldRevalidateArgs is the argument that will be passed to the route shouldRevaliate function

  • Combined with the parameter accepted by match.shouldCallHandler, you can define a custom revalidation behavior for your dataStrategy:

  const matchesToLoad = matches.filter((m) => {
    const defaultShouldRevalidate = customRevalidationBehavior(
      match.shouldRevalidateArgs,
    );
    return m.shouldCallHandler(defaultShouldRevalidate);
    // The argument here will override the internal `defaultShouldRevalidate` value
  });

Patch Changes

• Fix a Framework Mode bug where the defaultShouldRevalidate parameter to shouldRevalidate would not be correct after action returned a 4xx/5xx response (true when it should have been false) (#​14592)

  • If your shouldRevalidate function relied on that parameter, you may have seen unintended revalidations

• Fix fetcher.submit failing with plain objects containing a tagName property (#​14534)

• [UNSTABLE] Add unstable_pattern to the parameters for client side unstable_onError, refactor how it's called by RouterProvider to avoid potential strict mode issues (#​14573)

• Add new unstable_useTransitions flag to routers to give users control over the usage of React.startTransition and React.useOptimistic. (#​14524)

  • Framework Mode + Data Mode:
    • <HydratedRouter unstable_transition>/<RouterProvider unstable_transition>
    • When left unset (current default behavior)
      • Router state updates are wrapped in React.startTransition
      • ⚠️ This can lead to buggy behaviors if you are wrapping your own navigations/fetchers in React.startTransition
      • You should set the flag to true if you run into this scenario to get the enhanced useOptimistic behavior (requires React 19)
    • When set to true
      • Router state updates remain wrapped in React.startTransition (as they are without the flag)
      • Link/Form navigations will be wrapped in React.startTransition
      • A subset of router state info will be surfaced to the UI during navigations via React.useOptimistic (i.e., useNavigation(), useFetchers(), etc.)
        • ⚠️ This is a React 19 API so you must also be React 19 to opt into this flag for Framework/Data Mode
    • When set to false
      • The router will not leverage React.startTransition or React.useOptimistic on any navigations or state changes
  • Declarative Mode
    • <BrowserRouter unstable_useTransitions>
    • When left unset
      • Router state updates are wrapped in React.startTransition
    • When set to true
      • Router state updates remain wrapped in React.startTransition (as they are without the flag)
      • Link/Form navigations will be wrapped in React.startTransition
    • When set to false
      • the router will not leverage React.startTransition on any navigations or state changes

• Fix the promise returned from useNavigate in Framework/Data Mode so that it properly tracks the duration of popstate navigations (i.e., navigate(-1)) (#​14524)

• Fix internal type error in useRoute types that surfaces when skipLibCheck is disabled (#​14577)

• Preserve statusText on the ErrorResponse instance when throwing data() from a route handler (#​14555)

• Optimize href() to avoid backtracking regex on splat (#​14329)

rolldown/tsdown (tsdown)

v0.17.1

Compare Source

   🐞 Bug Fixes

• Respect clean on watch mode  -  by @​sxzz (bfbfb)

    View changes on GitHub

v0.17.0

Compare Source

   🚨 Breaking Changes

Notable features: https://bsky.app/profile/sxzz.dev/post/3m6xi7e7d5k2b

• Rolldown native watcher  -  by @​sxzz in #​329 (1c4f8)
• Enable failOnWarn by default in CI  -  by @​sxzz in #​617 (245e7)
• Remove unconfig from configLoader  -  by @​sxzz (9d6a7)
• Support exports, publint, attw for multi-configs  -  by @​sxzz (f889a)
• refactor!(attw): rename profile value from esmOnly to esm-only  -  by @​sxzz (85c10f3)

   🚀 Features

• Export WatchPlugin  -  by @​sxzz (4ccb2)
• Add write option  -  by @​sxzz (64fea)
• Add chunks on build:done hook  -  by @​sxzz (eb45c)
• Override options by format  -  by @​sxzz (482f6)
• Upgrade rolldown to 1.0.0-beta.53  -  by @​sxzz (a04f2)
• migrate:
  • Migrate optionalDependencies  -  by @​sxzz (22fd9)
  • Use ast-grep for config file  -  by @​Doctor-wu and @​sxzz in #​620 (b0b34)

   🐞 Bug Fixes

• Move require before import  -  by @​sxzz (85c0e)
• copy: Call function  -  by @​sxzz (e4197)
• exports: Merge multi-config outputs  -  by @​pyyupsk and @​sxzz in #​625 (73984)
• migrate: Build before publish  -  by @​sxzz (bf0f5)
• workspace: Cwd defaults to config dirname, support filter for all configs  -  by @​sxzz (24f27)

   🏎 Performance

• Reload config via import-without-cache  -  by @​sxzz (0b7e4)
• Use native loader for bun  -  by @​sxzz (36dbf)

    View changes on GitHub

typescript-eslint/typescript-eslint (typescript-eslint)

v8.48.1

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

vitejs/rolldown-vite (vite)

v7.2.10

Compare Source

Features

• deprecate build.commonjsOptions (#​530) (9cb6db9)
• update rolldown to 1.0.0-beta.53 (#​537) (d488ed4)

Bug Fixes

• disable resolver cache when watcher is disabled (#​471) (7d8436c)

Documentation

• update content for beta (#​529) (0e6179b)

Tests

• remove failure expected cases (#​536) (308fcf6)

v7.2.9

Compare Source

Bug Fixes

• config: handle shebang properly (#​21158) (df5a30d)
• deps: update all non-major dependencies (#​21175) (72e398a)
• fix external: true merging (#​21164) (5ef557a)
• shortcuts not rebound after server restart (#​21166) (3765f7b)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​21174) (74559c9)

vitejs/vite (vite)

v7.2.7

Compare Source

v7.2.6

Compare Source

7.2.6 (2025-12-01)

vitest-dev/vitest (vitest)

v4.0.15

Compare Source

   🚀 Experimental Features

• cache: Add opt-out on a plugin level, fix internal root cache  -  by @​sheremet-va in #​9154 (a68f7)
• reporters: Print import duration breakdown  -  by @​sheremet-va in #​9105 (122ff)

   🐞 Bug Fixes

• Keep built-in id as is in bun and deno  -  by @​sheremet-va in #​9117 (075ab)
• Use optimizeDeps.rolldownOptions to fix depreated warning + fix ssr.external: true  -  by @​hi-ogawa in #​9121 (fd8bd)
• Fix external behavior with deps.optimizer  -  by @​hi-ogawa in #​9125 (4c754)
• Very minor typo in "Chrome DevTools Protocol"  -  by @​HowToTestFrontend in #​9146 (20997)
• browser: Run toMatchScreenshot only once when used with expect.element  -  by @​macarie in #​9132 (0d2e7)
• coverage: Istanbul provider to not break source maps  -  by @​AriPerkkio in #​9040 (e4ca9)
• deps: Update dependency tinyexec to v1  -  in #​9122 (fd786)
• docs: Remove --browser.provider from docs  -  by @​sheremet-va in #​9115 (120b3)
• expect: Preserve currentTestName in extended matchers  -  by @​macarie in #​9106 (e4345)
• pool: Terminate workers on CTRL+c forceful exits  -  by @​AriPerkkio in #​9140 (d57d8)
• reporters: Show project in github reporter  -  by @​sheremet-va in #​9138 (bb65e)
• spy: Do not mock overriden method, if parent was automocked  -  by @​sheremet-va in #​9116 (1a246)
• web-worker: MessagePort objects passed to Worker.postMessage work when clone === "native"  -  by @​whitphx in #​9118 (deee8)

    View changes on GitHub

cloudflare/workers-sdk (wrangler)

v4.53.0

Compare Source

Minor Changes

• #​11500 af54c63 Thanks @​dario-piotrowicz! - Add new autoconfig_summary field to the deploy output entry

  This change augments wrangler deploy output being printed to WRANGLER_OUTPUT_FILE_DIRECTORY or WRANGLER_OUTPUT_FILE_PATH to also include a new autoconfig_summary field containing the possible summary details for the autoconfig process (the field is undefined if autoconfig didn't run).

  Note: the field is experimental and could change while autoconfig is not GA

• #​11477 9988cc9 Thanks @​ascorbic! - Support Nuxt in autoconfig

• #​11472 ce295bf Thanks @​dario-piotrowicz! - Support Qwik projects in autoconfig

• #​10937 9514c9a Thanks @​ReppCodes! - Add support for "targeted" placement mode with region, host, and hostname fields

  This change adds a new mode to placement configuration. You can specify one of the following fields to target specific external resources for Worker placement:

  • region: Specify a region identifier (e.g., "aws:us-east-1") to target a region from another cloud service provider
  • host: Specify a host with (required) port (e.g., "example.com:8123") to target a TCP service
  • hostname: Specify a hostname (e.g., "example.com") to target an HTTP resource

  These fields are mutually exclusive - only one can be specified at a time.

  Example configuration:

  [placement]
  host = "example.com:8123"

• #​11498 ac861f8 Thanks @​penalosa! - Add React Router support in autoconfig

• #​11506 79d30d4 Thanks @​vicb! - Set the target JS version to ES2024

Patch Changes

• #​11393 45480b1 Thanks @​alsuren! - improved --help text for wrangler d1 subcommands

• #​11523 94c67e8 Thanks @​jamesopstad! - fix: types from @​cloudflare/workers-utils not being exported correctly from Wrangler

• #​11483 f550b62 Thanks @​edmundhung! - stop running npm install with --legacy-peer-deps flag when setting up a project

• Updated dependencies [819e287, 56e78c8, 0aa959a]:

  • @​cloudflare/unenv-preset@​2.7.13
  • miniflare@​4.20251202.1

v4.52.1

Compare Source

Patch Changes

• #​11504 7e80340 Thanks @​dario-piotrowicz! - Fix wrangler deploy failing for new workers containing environment variables or bindings

• Updated dependencies [59534ba]:

  • miniflare@​4.20251202.0

v4.52.0

Compare Source

Minor Changes

• #​11416 abe49d8 Thanks @​dario-piotrowicz! - Remove the wrangler deploy's --x-remote-diff-check experimental flag

  The remote diffing feature has been enabled by default for a while and its functionality is stable, as a result the experimental flag (only available for option-out of the feature right now) has been removed.

• #​11408 f29e699 Thanks @​ascorbic! - Export unstable helpers useful for generating wrangler config

• #​11389 2342d2f Thanks @​dario-piotrowicz! - Improve the wrangler deploy flow to also check for potential overrides of secrets.

  Now when you run wrangler deploy Wrangler will check the remote secrets for your workers for conflicts with the names of the bindings you're about to deploy. If there are conflicts, Wrangler will warn you and ask you for your permission before proceeding.

• #​11375 9a1de61 Thanks @​penalosa! - Support TanStack Start in autoconfig

• #​11360 6b38532 Thanks @​emily-shen! - Containers: Allow users to directly authenticate external image registries in local dev

  Previously, we always queried the API for stored registry credentials and used those to pull images. This means that if you are using an external registry (ECR, dockerhub) then you have to configure registry credentials remotely before running local dev.

  Now you can directly authenticate with your external registry provider (using docker login etc.), and Wrangler or Vite will be able to pull the image specified in the containers.image field in your

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.