fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@babel/core (source)	^7.28.6 → ^7.29.0
@babel/parser (source)	^7.28.6 → ^7.29.0
@babel/plugin-transform-modules-systemjs (source)	^7.28.5 → ^7.29.0
@babel/preset-env (source)	^7.28.6 → ^7.29.0
@builder.io/qwik (source)	^1.18.0 → ^1.19.0
@clack/prompts (source)	^1.0.0-alpha.9 → ^1.0.0
@preact/preset-vite	^2.10.2 → ^2.10.3
@shikijs/vitepress-twoslash (source)	^3.21.0 → ^3.22.0
@types/react (source)	^19.2.9 → ^19.2.10
@​voidzero-dev/vitepress-theme	^4.3.0 → ^4.4.1
autoprefixer	^10.4.23 → ^10.4.24
baseline-browser-mapping	^2.9.18 → ^2.9.19
eslint-plugin-react-refresh	^0.4.25 → ^0.5.0
globals	^17.1.0 → ^17.3.0
miniflare (source)	^4.20260120.0 → ^4.20260128.0
playwright-chromium (source)	^1.58.0 → ^1.58.1
pnpm (source)	10.28.1 → 10.28.2
preact (source)	^10.28.2 → ^10.28.3
react (source)	^19.2.3 → ^19.2.4
react (source)	19.2.3 → 19.2.4
react-dom (source)	^19.2.3 → ^19.2.4
react-fake-client (source)	^19.2.3 → ^19.2.4
react-fake-server (source)	^19.2.3 → ^19.2.4
svelte (source)	^5.48.2 → ^5.49.1
svelte-check	^4.3.5 → ^4.3.6
typescript-eslint (source)	^8.53.1 → ^8.54.0
vitepress (source)	^2.0.0-alpha.15 → ^2.0.0-alpha.16

---

Release Notes

babel/babel (@​babel/core)

v7.29.0

Compare Source

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature

• babel-types
  • #​17750 [7.x backport] Add attributes import declaration builder (@​JLHwung)
• babel-standalone
  • #​17663 [7.x backport] feat(standalone): export async transform (@​JLHwung)
  • #​17725 [7.x backport] feat: read standalone targets from data-targets (@​JLHwung)

🐛 Bug Fix

• babel-parser
  • #​17765 fix(parser): correctly parse type assertions in extends clause (@​nicolo-ribaudo)
  • #​17723 [7.x backport] fix(parser): improve super type argument parsing (@​JLHwung)
• babel-traverse
  • #​17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
• babel-plugin-transform-block-scoping, babel-traverse
  • #​17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)

🏃‍♀️ Performance

• babel-generator, babel-runtime-corejs3
  • #​17642 [Babel 7] Improve generator performance (@​liuxingbaoyu)

Committers: 6

• David (@​simbahax)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu
• @​magic-akari

QwikDev/qwik (@​builder.io/qwik)

v1.19.0

Compare Source

Minor Changes

• ✨ untrack() now accepts signals and stores directly, as well as accepting arguments when you pass a function. This makes retrieving values without subscribing to them more efficient. (by @​wmertens in #​8247)

Patch Changes

• 🐞🩹 we now prevent merging useVisibleTask$ code together with other segments to prevent overpreloading when their entry contains a lot of transitive imports. (by @​maiieul in #​8275)

• 🐞🩹 duplicated preload bundles in SSR preload (by @​chebanenko in #​8248)

• ⚡️: the core.js and preloader.js references in q-manifest and bundle-graph are now filtered out for smaller outputs. (by @​maiieul in #​8278)

bombshell-dev/clack (@​clack/prompts)

v1.0.0

Compare Source

Major Changes

• c713fd5: The package is now distributed as ESM-only. In v0 releases, the package was dual-published as CJS and ESM.

  For existing CJS projects using Node v20+, please see Node's guide on Loading ECMAScript modules using require().

Minor Changes

• 415410b: This adds a custom filter function to autocompleteMultiselect. It could be used, for example, to support fuzzy searching logic.

• 7bc3301: Prompts now have a userInput stored separately from their value.

• 8409f2c: feat: add styleFrame option for spinner

• 2837845: Adds suggestion and path prompts

• 99c3530: Adds format option to the note prompt to allow formatting of individual lines

• 0aaee4c: Added new taskLog prompt for log output which is cleared on success

• 729bbb6: Add support for customizable spinner cancel and error messages. Users can now customize these messages either per spinner instance or globally via the updateSettings function to support multilingual CLIs.

  This update also improves the architecture by exposing the core settings to the prompts package, enabling more consistent default message handling across the codebase.

  // Per-instance customization
  const spinner = prompts.spinner({
    cancelMessage: "Operación cancelada", // "Operation cancelled" in Spanish
    errorMessage: "Se produjo un error", // "An error occurred" in Spanish
  });
  
  // Global customization via updateSettings
  prompts.updateSettings({
    messages: {
      cancel: "Operación cancelada", // "Operation cancelled" in Spanish
      error: "Se produjo un error", // "An error occurred" in Spanish
    },
  });
  
  // Settings can now be accessed directly
  console.log(prompts.settings.messages.cancel); // "Operación cancelada"
  
  // Direct options take priority over global settings
  const spinner = prompts.spinner({
    cancelMessage: "Cancelled", // This will be used instead of the global setting
  });

• 44df9af: Adds a new groupSpacing option to grouped multi-select prompts. If set to an integer greater than 0, it will add that number of new lines between each group.

• 55645c2: Support wrapping autocomplete and select prompts.

• 9e5bc6c: Add support for signals in prompts, allowing them to be aborted.

• f2c2b89: Adds AutocompletePrompt to core with comprehensive tests and implement both autocomplete and autocomplete-multiselect components in prompts package.

• 38019c7: Updates the API for stopping spinners and progress bars to be clearer

  Previously, both the spinner and progress bar components used a single stop method that accepted a code to indicate success, cancellation, or error. This update separates these into distinct methods: stop(), cancel(), and error():

  const spinner = prompts.spinner();
  spinner.start();
  
  // Cancelling a spinner
  - spinner.stop(undefined, 1);
  + spinner.cancel();
  
  // Stopping with an error
  - spinner.stop(undefined, 2);
  + spinner.error();

  As before, you can pass a message to each method to customize the output displayed:

  spinner.cancel("Operation cancelled by user");
  progressBar.error("An error occurred during processing");

• c45b9fb: Adds support for detecting spinner cancellation via CTRL+C. This allows for graceful handling of user interruptions during long-running operations.

• f10071e: Using the group method, task logs can now have groups which themselves can have scrolling windows of logs.

• df4eea1: Remove suggestion prompt and change path prompt to be an autocomplete prompt.

• 76fd17f: Added new box prompt for rendering boxed text, similar a note.

• 9a09318: Adds new progress prompt to display a progess-bar

• 1604f97: Add clearOnError option to password prompt to automatically clear input when validation fails

• 9bd8072: Add a required option to autocomplete multiselect.

• 19558b9: Added support for custom frames in spinner prompt

Patch Changes

• 46dc0a4: Fixes multiselect only shows hints on the first item in the options list. Now correctly shows hints for all selected options with hint property.
• aea4573: Clamp scrolling windows to 5 rows.
• bfe0dd3: Prevents placeholder from being used as input value in text prompts
• 55eb280: Fix placeholder rendering when using autocomplete.
• 4d1d83b: Fixes rendering of multi-line messages and options in select prompt.
• 6176ced: Add withGuide support to note prompt
• 7b009df: Fix spinner clearing too many lines upwards when non-wrapping.
• 43aed55: Change styling of disabled multi-select options to have strikethrough.
• 17342d2: Exposes a new SpinnerResult type to describe the return type of spinner
• 282b39e: Wrap spinner output to allow for multi-line/wrapped messages.
• 2feaebb: Fix duplicated logs when scrolling through options with multiline messages by calculating rowPadding dynamically based on actual rendered lines instead of using a hardcoded value.
• 69681ea: Strip destructive ANSI codes from task log messages.
• b0fa7d8: Add support for wrapped messages in multi line prompts
• 9999adf: fix note component overflow bug
• 6868c1c: Adds a new selectableGroups boolean to the group multi-select prompt. Using selectableGroups: false will disable the ability to select a top-level group, but still allow every child to be selected individually.
• 7df841d: Removed all trailing space in prompt output and fixed various padding rendering bugs.
• 2839c66: fix(note): hard wrap text to column limit
• 7a556ad: Updates all prompts to accept a custom output and input stream
• 17d3650: Use a default import for picocolors to avoid run time errors in some environments.
• 7cc8a55: Messages passed to the stop method of a spinner no longer have dots stripped.
• b103ad3: Allow disabled options in multi-select and select prompts.
• 71b5029: Add missing nullish checks around values.
• 1a45f93: Switched from wrap-ansi to fast-wrap-ansi
• f952592: Fixes missing guide when rendering empty log lines.
• 372b526: Add clear method to spinner for stopping and clearing.
• d25f6d0: fix(note, box): handle CJK correctly
• 94fee2a: Changes placeholder to be a visual hint rather than a tabbable value.
• 7530af0: Fixes wrapping of cancelled and success messages of select prompt
• 4c89dd7: chore: use more accurate type to replace any in group select
• 0b852e1: Handle stop calls on spinners which have not yet been started.
• 42adff8: fix: add missing guide line in autocomplete-multiselect
• 8e2e30a: fix: fix autocomplete bar color when validate
• 2048eb1: Fix spinner's dots behavior with custom frames
• acc4c3a: Add a new withGuide option to all prompts to disable the default clack border
• 9b92161: Show symbol when withGuide is true for log messages
• 68dbf9b: select-key: Fixed wrapping and added new caseSensitive option
• 09e596c: refactor(progress): remove unnecessary return statement in start function
• 2310b43: Allow custom writables as output stream.
• ae84dd0: Update key binding text to show tab/space when navigating, and tab otherwise.
• Updated dependency on @clack/core to 1.0.0

v1.0.0-alpha.10

Compare Source

Minor Changes

• 415410b: This adds a custom filter function to autocompleteMultiselect. It could be used, for example, to support fuzzy searching logic.

Patch Changes

• 55eb280: Fix placeholder rendering when using autocomplete.
• 68dbf9b: select-key: Fixed wrapping and added new caseSensitive option
• Updated dependencies [68dbf9b]
  • @​clack/core@​1.0.0-alpha.8

preactjs/preset-vite (@​preact/preset-vite)

v2.10.3

Compare Source

What's Changed

• fix: Add jsx-runtime to aliases by @​rschristian in #​171
• Add support for mts/cts by @​JoviDeCroock in #​172
• chore: Bump deps by @​rschristian in #​175
• chore: Bump Node version by @​rschristian in #​177
• Upgrade @​rollup/pluginutils by @​andrewiggins in #​181

Full Changelog: preactjs/preset-vite@2.10.2...2.10.3

shikijs/shiki (@​shikijs/vitepress-twoslash)

v3.22.0

Compare Source

   🚀 Features

• Update grammar and themes  -  by @​antfu (40676)

    View changes on GitHub

postcss/autoprefixer (autoprefixer)

v10.4.24

Compare Source

• Made Autoprefixer a little faster (by @​Cherry).

web-platform-dx/baseline-browser-mapping (baseline-browser-mapping)

v2.9.19

Compare Source

ArnaudBarre/eslint-plugin-react-refresh (eslint-plugin-react-refresh)

v0.5.0

Compare Source

Breaking changes

• The package now ships as ESM and requires ESLint 9 + node 20. Because legacy config doesn't support ESM, this requires to use flat config
• A new reactRefresh export is available and prefered over the default export. It's an object with two properties:
  • plugin: The plugin object with the rules
  • configs: An object containing configuration presets, each exposed as a function. These functions accept your custom options, merge them with sensible defaults for that config, and return the final config object.
• customHOCs option was renamed to extraHOCs
• Validation of HOCs calls is now more strict, you may need to add some HOCs to the extraHOCs option

Config example:

import { defineConfig } from "eslint/config";
import { reactRefresh } from "eslint-plugin-react-refresh";

export default defineConfig(
  /* Main config */
  reactRefresh.configs.vite({ extraHOCs: ["someLibHOC"] }),
);

Config example without config:

import { defineConfig } from "eslint/config";
import { reactRefresh } from "eslint-plugin-react-refresh";

export default defineConfig({
  files: ["**/*.ts", "**/*.tsx"],
  plugins: {
    // other plugins
    "react-refresh": reactRefresh.plugin,
  },
  rules: {
    // other rules
    "react-refresh/only-export-components": [
      "warn",
      { extraHOCs: ["someLibHOC"] },
    ],
  },
});

Why

This version follows a revamp of the internal logic to better make the difference between random call expressions like export const Enum = Object.keys(Record) and actual React HOC calls like export const MemoComponent = memo(Component). (fixes #​93)

The rule now handles ternaries and patterns like export default customHOC(props)(Component) which makes it able to correctly support files like this one given this config:

{
  "react-refresh/only-export-components": [
    "warn",
    { "extraHOCs": ["createRootRouteWithContext"] }
  ]
}

[!NOTE]
Actually createRoute functions from TanStack Router are not React HOCs, they return route objects that fake to be a memoized component but are not. When only doing createRootRoute({ component: Foo }), HMR will work fine, but as soon as you add a prop to the options that is not a React component, HMR will not work. I would recommend to avoid adding any TanStack function to extraHOCs it you want to preserve good HMR in the long term. Bluesky thread.

Because I'm not 100% sure this new logic doesn't introduce any false positive, this is done in a major-like version. This also give me the occasion to remove the hardcoded connect from the rule. If you are using connect from react-redux, you should now add it to extraHOCs like this:

{
  "react-refresh/only-export-components": ["warn", { "extraHOCs": ["connect"] }]
}

sindresorhus/globals (globals)

v17.3.0

Compare Source

• Update globals (2026-02-01) (#​336) 295fba9

---

v17.2.0

Compare Source

• jasmine: Add throwUnless and throwUnlessAsync globals (#​335) 97f23a7

---

cloudflare/workers-sdk (miniflare)

v4.20260128.0

Compare Source

Minor Changes

• #​12152 8a210af Thanks @​emily-shen! - Implement local KV API for experimental/WIP local resource explorer

  The following APIs have been (mostly) implemented:
  GET /storage/kv/namespaces - List namespaces
  GET /storage/kv/namespaces/:id/keys - List keys
  GET /storage/kv/namespaces/:id/values/:key - Get value
  PUT /storage/kv/namespaces/:id/values/:key - Write value
  DELETE /storage/kv/namespaces/:id/values/:key - Delete key
  POST /storage/kv/namespaces/:id/bulk/get - Bulk get values

Patch Changes

• #​12183 17961bb Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260124.0	1.20260127.0

• #​12196 52fdfe7 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260127.0	1.20260128.0

v4.20260124.0

Compare Source

Minor Changes

• #​12008 e414f05 Thanks @​penalosa! - Add support for customising the inspector IP address

  Adds a new --inspector-ip CLI flag and dev.inspector_ip configuration option to allow customising the IP address that the inspector server listens on. Previously, the inspector was hardcoded to listen only on 127.0.0.1.

  Example usage:

  # CLI flag
  wrangler dev --inspector-ip 0.0.0.0

  // wrangler.json
  {
  	"dev": {
  		"inspector_ip": "0.0.0.0",
  	},
  }

• #​12034 05714f8 Thanks @​emily-shen! - Add a no-op local explorer worker, which is gated by the experimental flag X_LOCAL_EXPLORER.

Patch Changes

• #​11853 014e7aa Thanks @​43081j! - Use built-in stripVTControlCharacters utility rather than the strip-ansi package.

• #​12040 77e82d2 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260120.0	1.20260122.0

• #​12061 f08ef21 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260122.0	1.20260123.0

• #​12088 0641e6c Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260123.0	1.20260124.0

• #​11897 bbd8a5e Thanks @​dario-piotrowicz! - Bundle the zod dependency to reduce supply chain attack surface

  In order to prevent possible npm vulnerability attacks, the team's policy is to bundle
  dependencies in our packages where possible. This helps ensure that only trusted code
  runs on the user's system, even if compromised packages are later published to npm.

  This change bundles zod (a pure JavaScript validation library with no native dependencies)
  into miniflare and @​cloudflare/vitest-pool-workers.

  Other dependencies remain external for technical reasons:

  • sharp: Native binary with platform-specific builds
  • undici: Dynamically required at runtime in worker threads
  • ws: Has optional native bindings for performance
  • workerd: Native binary (Cloudflare's JavaScript runtime)
  • @cspotcode/source-map-support: Uses require.cache manipulation at runtime
  • youch: Dynamically required for lazy loading

microsoft/playwright (playwright-chromium)

v1.58.1

Compare Source

Highlights

#​39036 fix(msedge): fix local network permissions
#​39037 chore: update cft download location
#​38995 chore(webkit): disable frame sessions on fronzen builds

Browser Versions

• Chromium 145.0.7632.6
• Mozilla Firefox 146.0.1
• WebKit 26.0

pnpm/pnpm (pnpm)

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

• Security fix: prevent path traversal in directories.bin field.

• When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

  This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

  Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

• Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Gold Sponsors

preactjs/preact (preact)

v10.28.3

Compare Source

Fixes

• Avoid scheduling suspense state udpates (#​5006, thanks @​JoviDeCroock)
• Resolve some suspense crashes (#​4999, thanks @​JoviDeCroock)
• Support inheriting namespace through portals (#​4993, thanks @​JoviDeCroock)

Maintenance

• Update test with addition of _original (#​4989, thanks @​JoviDeCroock)

facebook/react (react)

v19.2.4: 19.2.4 (January 26th, 2026)

Compare Source

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#​35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

sveltejs/svelte (svelte)

v5.49.1

Compare Source

Patch Changes

• fix: merge consecutive large text nodes (#​17587)

• fix: only create async functions in SSR output when necessary (#​17593)

• fix: properly separate multiline html blocks from each other in print() (#​17319)

• fix: prevent unhandled exceptions arising from dangling promises in <script> (#​17591)

v5.49.0

Compare Source

Minor Changes

• feat: allow passing ShadowRootInit object to custom element shadow option (#​17088)

Patch Changes

• fix: throw for unset createContext get on the server (#​17580)

• fix: reset effects inside skipped branches (#​17581)

• fix: preserve old dependencies when updating reaction inside fork (#​17579)

• fix: more conservative assignment_value_stale warnings (#​17574)

• fix: disregard popover elements when determining whether an element has content (#​17367)

• fix: fire introstart/outrostart events after delay, if specified (#​17567)

• fix: increment signal versions when discarding forks (#​17577)

v5.48.5

Compare Source

Patch Changes

• fix: run boundary onerror callbacks in a microtask, in case they result in the boundary's destruction (#​17561)

• fix: prevent unintended exports from namespaces (#​17562)

• fix: each block breaking with effects interspersed among items (#​17550)

v5.48.4

Compare Source

Patch Changes

• fix: avoid duplicating escaped characters in CSS AST (#​17554)

v5.48.3

Compare Source

Patch Changes

• fix: hydration failing with settled async blocks (#​17539)

• fix: add pointer and touch events to a11y_no_static_element_interactions warning (#​17551)

• fix: handle false dynamic components in SSR (#​17542)

• fix: avoid unnecessary block effect re-runs after async work completes (#​17535)

• fix: avoid using dev-mode array.includes wrapper on internal array checks (#​17536)

sveltejs/language-tools (svelte-check)

v4.3.6

Compare Source

Patch Changes

• fix: don't hoist type/snippet referencing $store (#​2926)

typescript-eslint/typescript-eslint (typescript-eslint)

v8.54.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

vuejs/vitepress (vitepress)

v2.0.0-alpha.16

Compare Source

Bug Fixes

• always log error when failed to fetch page (66cf64e)
• theme: add fallback for heroImageSlotExists (#​5076) (f119b18)
• theme: align badges in h1 and h2 (#​5087) (closes #​5063) (b200865)
• theme: highlight active link in mobile nav menu (#​5086) (closes #​5068, closes #​5074) (923aa90)
• theme: overflow clip is buggy on safari (8ed6ea0), closes #​5050 #​5039 #​5027
• theme: remove margin between code groups and blocks in markdown containers (a28e171), closes #​5099

Features

• theme: upgrade DocSearch to 4.5 with sidepanel (#​5092) (0d646a6)
• theme: use @layer __vitepress_base to wrap the styles in base.css (#​4905) (f8d8c0d)

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[sapphi-red]

Downgraded vitepress as it requires some change on the theme side