fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@clack/prompts (source)	^1.1.0 → ^1.2.0
@types/node (source)	^24.12.0 → ^24.12.2
@types/picomatch (source)	^4.0.2 → ^4.0.3
@vitejs/devtools (source)	^0.1.11 → ^0.1.13
@vue/shared (source)	^3.5.31 → ^3.5.32
artichokie	^0.4.2 → ^0.4.3
baseline-browser-mapping	^2.10.12 → ^2.10.15
browserslist	^4.28.1 → ^4.28.2
esbuild	^0.27.4 → ^0.28.0
host-validation-middleware	^0.1.2 → ^0.1.4
lodash (source)	^4.17.23 → ^4.18.1
lodash-es (source)	^4.17.23 → ^4.18.1
miniflare (source)	^4.20260317.3 → ^4.20260401.0
playwright-chromium (source)	^1.58.2 → ^1.59.1
preact (source)	^10.29.0 → ^10.29.1
sass	^1.98.0 → ^1.99.0
sass-embedded	^1.98.0 → ^1.99.0
svelte-check	^4.4.5 → ^4.4.6
typescript-eslint (source)	^8.57.2 → ^8.58.0
vite-plugin-solid	^2.11.11 → ^2.11.12
vue (source)	^3.5.31 → ^3.5.32

---

Release Notes

bombshell-dev/clack (@​clack/prompts)

v1.2.0

Compare Source

Minor Changes

• 9786226: Externalize fast-string-width and fast-wrap-ansi to avoid double dependencies
• 090902c: Adds date prompt with format support (YMD, MDY, DMY)

Patch Changes

• 134a1a1: Fix the path prompt so directory: true correctly enforces directory-only selection while still allowing directory navigation, and add regression tests for both directory and default file selection behavior.
• bdf89a5: Adds placeholder option to autocomplete. When the placeholder is set and the input is empty, pressing tab will set the value to placeholder.
• 336495a: Apply guide to wrapped multi-line messages in confirm prompt.
• 9fe8de6: Respect withGuide: false in autocomplete and multiselect prompts.
• 29a50cb: Fix path directory mode so pressing Enter with an existing directory initialValue submits that current directory instead of the first child option, and add regression coverage for immediate submit and child-directory navigation.
• Updated dependencies [9786226]
• Updated dependencies [bdf89a5]
• Updated dependencies [417b451]
• Updated dependencies [090902c]
  • @​clack/core@​1.2.0

vitejs/devtools (@​vitejs/devtools)

v0.1.13

Compare Source

No significant changes

    View changes on GitHub

vuejs/core (@​vue/shared)

v3.5.32

Compare Source

Bug Fixes

• runtime-core: prevent currentInstance leak into sibling render during async setup re-entry (#​14668) (f166353), closes #​14667
• teleport: handle updates before deferred mount (#​14642) (32b44f1), closes #​14640
• types: allow customRef to have different getter/setter types (#​14639) (e20ddb0)
• types: use private branding for shallowReactive (#​14641) (302c47a), closes #​14638 #​14493

Reverts

• Revert "fix(server-renderer): cleanup component effect scopes after SSR render" (#​14674) (219d83b), closes #​14674 #​14669

sapphi-red/artichokie (artichokie)

v0.4.3

Compare Source

web-platform-dx/baseline-browser-mapping (baseline-browser-mapping)

v2.10.15

Compare Source

v2.10.14

Compare Source

v2.10.13

Compare Source

browserslist/browserslist (browserslist)

v4.28.2

Compare Source

• Fix prototype pollution (by @​chluo1997).

evanw/esbuild (esbuild)

v0.28.0

Compare Source

• Add support for with { type: 'text' } imports (#​4435)

  The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

  import string from './example.txt' with { type: 'text' }
  console.log(string)

• Add integrity checks to fallback download path (#​4343)

  Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

  This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

• Update the Go compiler from 1.25.7 to 1.26.1

  This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

  • It now uses the new garbage collector that comes with Go 1.26.
  • The Go compiler is now more aggressive with allocating memory on the stack.
  • The executable format that the Go linker uses has undergone several changes.
  • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

  You can read the Go 1.26 release notes for more information.

v0.27.7

Compare Source

• Fix lowering of define semantics for TypeScript parameter properties (#​4421)

  The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

  // Original code
  class Foo {
    constructor(public x = 1) {}
    y = 2
  }
  
  // Old output (with --loader=ts --target=es2021)
  class Foo {
    constructor(x = 1) {
      this.x = x;
      __publicField(this, "y", 2);
    }
    x;
  }
  
  // New output (with --loader=ts --target=es2021)
  class Foo {
    constructor(x = 1) {
      __publicField(this, "x", x);
      __publicField(this, "y", 2);
    }
  }

v0.27.5

Compare Source

• Fix for an async generator edge case (#​4401, #​4417)

  Support for transforming async generators into the equivalent state machine was added in version 0.19.0. However, the generated state machine didn't work correctly when polling async generators concurrently, such as in the following code:

  async function* inner() { yield 1; yield 2 }
  async function* outer() { yield* inner() }
  let gen = outer()
  for await (let x of [gen.next(), gen.next()]) console.log(x)

  Previously esbuild's output of the above code behaved incorrectly when async generators were transformed (such as with --supported:async-generator=false). The transformation should be fixed starting with this release.

  This fix was contributed by @​2767mr.

• Fix a regression when metafile is enabled (#​4420, #​4418)

  This release fixes a regression introduced by the previous release. When metafile: true was enabled in esbuild's JavaScript API, builds with build errors were incorrectly throwing an error about an empty JSON string instead of an object containing the build errors.

• Use define semantics for TypeScript parameter properties (#​4421)

  Parameter properties are a TypeScript-specific code generation feature that converts constructor parameters into class fields when they are prefixed by certain keywords. When "useDefineForClassFields": true is present in tsconfig.json, the TypeScript compiler automatically generates class field declarations for parameter properties. Previously esbuild didn't do this, but esbuild will now do this starting with this release:

  // Original code
  class Foo {
    constructor(public x: number) {}
  }
  
  // Old output (with --loader=ts)
  class Foo {
    constructor(x) {
      this.x = x;
    }
  }
  
  // New output (with --loader=ts)
  class Foo {
    constructor(x) {
      this.x = x;
    }
    x;
  }

• Allow es2025 as a target in tsconfig.json (#​4432)

  TypeScript recently added es2025 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2025"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

sapphi-red/host-validation-middleware (host-validation-middleware)

v0.1.4

Compare Source

Patch Changes

• 588362d Thanks @​sapphi-red! - Correct script build output path so that exports field points to a correct file

v0.1.3

Compare Source

Patch Changes

• 11ee57e Thanks @​sapphi-red! - Maintenance release

cloudflare/workers-sdk (miniflare)

v4.20260401.0

Compare Source

Minor Changes

• #​13051 d5bffde Thanks @​dario-piotrowicz! - Deprecate supportedCompatibilityDate export

  The supportedCompatibilityDate export is now deprecated. Instead of relying on the workerd-derived compatibility date, callers should just use today's date directly, e.g. new Date().toISOString().slice(0, 10).

• #​13011 b9b7e9d Thanks @​ruifigueira! - Add experimental headful browser rendering support for local development

  Experimental: This feature may be removed or changed without notice.

  When developing locally with the Browser Rendering API, you can enable headful (visible) mode via the X_BROWSER_HEADFUL environment variable to see the browser while debugging:

  X_BROWSER_HEADFUL=true wrangler dev
  X_BROWSER_HEADFUL=true vite dev

  Note: when using @cloudflare/playwright, two Chrome windows may appear — the initial blank page and the one created by browser.newPage(). This is expected behavior due to how Playwright handles browser contexts via CDP.

• #​12992 48d83ca Thanks @​RiscadoA! - Add vpc_networks binding support for routing Worker traffic through a Cloudflare Tunnel or network.

  {
    "vpc_networks": [
      // Route through a specific Cloudflare Tunnel
      { "binding": "MY_FIRST_VPC", "tunnel_id": "<tunnel-id>" },
      // Route through the Cloudflare One mesh network
      { "binding": "MY_SECOND_VPC", "network_id": "cf1:network" }
    ]
  }

Patch Changes

• #​13155 5d29055 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260329.1	1.20260331.1

• #​13162 fb67a18 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260331.1	1.20260401.1

• #​13238 b2f53ea Thanks @​guybedford! - Fix source phase imports parsing in Miniflare

  Miniflare now uses the acorn-import-phases plugin to parse import source syntax when analyzing module dependencies. This fixes ERR_MODULE_PARSE errors when running Workers that use source phase imports for WebAssembly modules in local development.

v4.20260329.0

Compare Source

Minor Changes

• #​13025 9eff028 Thanks @​ruifigueira! - Add missing devtools endpoints to browser rendering local binding.

  The local browser rendering binding now implements the full set of devtools endpoints, matching the remote Browser Rendering API:

  • GET /v1/limits — returns local concurrency defaults
  • GET /v1/history — returns empty array (no persistence in local dev)
  • GET /v1/devtools/session - list and inspect active sessions
  • GET /v1/devtools/session/:id — list and inspect active session
  • GET /v1/devtools/browser/:id/json/version — Browser version metadata, includes webSocketDebuggerUrl
  • GET /v1/devtools/browser/:id/json/list — A list of all available websocket targets
  • GET /v1/devtools/browser/:id/json — Alias for GET /v1/devtools/browser/:id/json
  • GET /v1/devtools/browser/:id/json/protocol — The current devtools protocol, as JSON. Includes webSocketDebuggerUrl and devtoolsFrontendUrl
  • PUT /v1/devtools/browser/:id/json/new — Opens a new tab. Responds with the websocket target data for the new tab
  • GET /v1/devtools/browser/:id/json/activate/:target — Brings a page into the foreground (activate a tab)
  • GET /v1/devtools/browser/:id/json/close/:target — Closes the target page identified by targetId
  • GET /v1/devtools/browser/:id/page/:target — WebSocket connection to a page target
  • GET /v1/devtools/browser/:id — WebSocket connection to a previously acquired browser session
  • DELETE /v1/devtools/browser/:id — Closes a browser session
  • POST /v1/devtools/browser — Acquires a new session
  • GET /v1/devtools/browser — Acquire a new session and connect via WebSocket in one step, returning cf-browser-session-id header

• #​13086 d4c6158 Thanks @​pombosilva! - Add Workflows support to the local explorer UI.

  The local explorer (/cdn-cgi/explorer/) now includes a full Workflows dashboard for viewing and managing workflow instances during local development.

  UI features:

  • Workflow instance list with status badges, creation time, action buttons, and pagination
  • Status summary bar with instance counts per status
  • Status filter dropdown and search
  • Instance detail page with step history, params/output cards, error display, and expandable step details
  • Create instance dialog with optional ID and JSON params

Patch Changes

• #​13111 f214760 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260317.1	1.20260329.1

• #​13078 9282493 Thanks @​penalosa! - Fix noisy EBUSY errors on Windows when disposing Miniflare instances

  On Windows, workerd may not release file handles immediately after disposal, causing EBUSY errors when Miniflare tries to remove its temporary directory during dispose(). Previously, this error propagated to the caller (e.g. vitest-pool-workers), producing repeated noisy error messages in test output. The cleanup is now best-effort — matching the existing exit hook behaviour — since the temporary directory lives in os.tmpdir() and will be cleaned up by the OS.

• #​13090 a532eea Thanks @​edmundhung! - Remove LOCAL_EXPLORER_BASE_PATH and LOCAL_EXPLORER_API_PATH constants in favor of CorePaths.EXPLORER

  These were redundant aliases introduced before CorePaths was centralized. All internal consumers now use CorePaths.EXPLORER directly.

microsoft/playwright (playwright-chromium)

v1.59.1

Compare Source

v1.59.0

Compare Source

preactjs/preact (preact)

v10.29.1

Compare Source

Fixes

• Create a unique event-clock for each Preact instance on a page. (#​5068, thanks @​JoviDeCroock)
• Fix incorrect DOM order with conditional ContextProvider and inner keys (#​5067, thanks @​JoviDeCroock)

Maintenance

• fix: Remove postinstall script for playwright setup (#​5063, thanks @​rschristian)
• chore: speed up tests by using playwright instead of webdriverio (#​5060, thanks @​marvinhagemeister)
• chore: migrate remaining .js -> .jsx files (#​5059, thanks @​marvinhagemeister)
• chore: rename .test.js -> .test.jsx when JSX is used (#​5058, thanks @​marvinhagemeister)
• Migrate from biome to oxfmt (#​5033, thanks @​JoviDeCroock)

sass/dart-sass (sass)

v1.99.0

Compare Source

• Add support for parent selectors (&) at the root of the document. These are
  emitted as-is in the CSS output, where they're interpreted as the scoping
  root.

• User-defined functions named calc or clamp are no longer forbidden. If
  such a function exists without a namespace in the current module, it will be
  used instead of the built-in calc() or clamp() function.

• User-defined functions whose names begin with - and end with -expression,
  -url, -and, -or, or -not are no longer forbidden. These were
  originally intended to match vendor prefixes, but in practice no vendor
  prefixes for these functions ever existed in real browsers.

• User-defined functions named EXPRESSION, URL, and ELEMENT, those that
  begin with - and end with -ELEMENT, as well as the same names with some
  lowercase letters are now deprecated, These are names conflict with plain CSS
  functions that have special syntax.

  See the Sass website for details.

• In a future release, calls to functions whose names begin with - and end
  with -expression and -url will no longer have special parsing. For now,
  these calls are deprecated if their behavior will change in the future.

  See the Sass website for details.

• Calls to functions whose names begin with - and end with -progid:... are
  deprecated.

  See the Sass website for details.

sass/embedded-host-node (sass-embedded)

v1.99.0

Compare Source

• Add support for parent selectors (&) at the root of the document. These are
  emitted as-is in the CSS output, where they're interpreted as the scoping
  root.

• User-defined functions named calc or clamp are no longer forbidden. If
  such a function exists without a namespace in the current module, it will be
  used instead of the built-in calc() or clamp() function.

• User-defined functions whose names begin with - and end with -expression,
  -url, -and, -or, or -not are no longer forbidden. These were
  originally intended to match vendor prefixes, but in practice no vendor
  prefixes for these functions ever existed in real browsers.

• User-defined functions named EXPRESSION, URL, and ELEMENT, those that
  begin with - and end with -ELEMENT, as well as the same names with some
  lowercase letters are now deprecated, These are names conflict with plain CSS
  functions that have special syntax.

  See the Sass website for details.

• In a future release, calls to functions whose names begin with - and end
  with -expression and -url will no longer have special parsing. For now,
  these calls are deprecated if their behavior will change in the future.

  See the Sass website for details.

• Calls to functions whose names begin with - and end with -progid:... are
  deprecated.

  See the Sass website for details.

sveltejs/language-tools (svelte-check)

v4.4.6

Compare Source

Patch Changes

• fix: prevent config loading message in svelte-check --incremental (#​2974)

• fix: resolve svelte files with NodeNext in --incremental/tsgo (#​2990)

• perf: various optimization with ast walk (#​2969)

• fix: prevent error with escape sequence in attribute (#​2968)

• fix: typescript 6.0 compatibility (#​2988)

typescript-eslint/typescript-eslint (typescript-eslint)

v8.58.0

Compare Source

🚀 Features

• support TypeScript 6 (#​12124)

❤️ Thank You

• Evyatar Daud @​StyleShit

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

solidjs/vite-plugin-solid (vite-plugin-solid)

v2.11.12

Compare Source

Patch Changes

• 9e46d91: fix: preserve jsx for rolldown dep scan

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.