Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update all non-major dependencies #170

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Dec 2, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@babel/types (source) ^7.26.0 -> ^7.26.3 age adoption passing confidence
@jridgewell/gen-mapping ^0.3.5 -> ^0.3.8 age adoption passing confidence
@rspack/cli (source) 1.1.4 -> 1.1.8 age adoption passing confidence
@rspack/core (source) 1.1.4 -> 1.1.8 age adoption passing confidence
@swc/core (source) ^1.9.3 -> ^1.10.1 age adoption passing confidence
@sxzz/eslint-config ^4.5.0 -> ^4.5.1 age adoption passing confidence
@sxzz/test-utils ^0.3.7 -> ^0.3.11 age adoption passing confidence
@types/node (source) ^22.10.0 -> ^22.10.2 age adoption passing confidence
@vitest/ui (source) 2.1.6 -> 2.1.8 age adoption passing confidence
bumpp ^9.8.1 -> ^9.9.1 age adoption passing confidence
debug ^4.3.7 -> ^4.4.0 age adoption passing confidence
esbuild 0.24.0 -> 0.24.1 age adoption passing confidence
esbuild ^0.24.0 -> ^0.24.1 age adoption passing confidence
eslint (source) ^9.15.0 -> ^9.17.0 age adoption passing confidence
pnpm (source) 9.14.2 -> 9.15.1 age adoption passing confidence
rolldown (source) ^0.14.0 -> ^0.15.1 age adoption passing confidence
rollup (source) ^4.27.4 -> ^4.28.1 age adoption passing confidence
sass ^1.81.0 -> ^1.83.0 age adoption passing confidence
vite (source) ^6.0.0 -> ^6.0.5 age adoption passing confidence
vite-plugin-inspect ^0.8.8 -> ^0.10.4 age adoption passing confidence
vitest (source) 2.1.6 -> 2.1.8 age adoption passing confidence
webpack ^5.96.1 -> ^5.97.1 age adoption passing confidence
webpack-dev-server ^5.1.0 -> ^5.2.0 age adoption passing confidence

Release Notes

babel/babel (@​babel/types)

v7.26.3

Compare Source

🐛 Bug Fix
🏠 Internal
  • babel-helper-builder-binary-assignment-operator-visitor, babel-plugin-transform-exponentiation-operator
🏃‍♀️ Performance
jridgewell/gen-mapping (@​jridgewell/gen-mapping)

v0.3.8

Compare Source

v0.3.7

Compare Source

v0.3.6

Compare Source

web-infra-dev/rspack (@​rspack/cli)

v1.1.8

Security Vulnerability Report
Overview

This is a re-release version of v1.1.6

On 12/19/2024, 02:01 (UTC), we discovered that our npm packages @rspack/core and @rspack/cli were maliciously attacked. The attacker released v1.1.7 using a compromised npm token, which contained malicious code. We took immediate action upon discovering the issue.

Impact
  • Affected versions: @rspack/core and @rspack/cli v1.1.7
  • Duration: 12/19/2024, 02:01 (UTC), lasting approximately 1 hour
  • Malicious code impact: After npm install, the postinstall script in package.json runs malicious code in dist/util/support.js. See Malicious code analysis for more details.
Actions Taken

Upon discovery, we immediately deprecated the affected v1.1.7, redirected the npm latest tag to v1.1.6, and reset all related tokens.
Subsequently, we released a secure new version v1.1.8.

Recommended Actions

If you installed v1.1.7 during the affected period, please:

  1. Update to the latest safe version immediately: @rspack/core and @rspack/cli to >= 1.1.8
  2. Check your system for any unusual activity
Apology and Commitment

We deeply apologize for the risks caused by this incident. To prevent similar incidents from happening again, we will implement stricter token management protocols and enhance our security review processes.

If you have any questions or discover any suspicious activity, please create an issue or send an email to: [email protected]

We will continue to follow and respond to community feedback.

v1.1.6

Compare Source

What's Changed

Highlights 💡

Reduced memory usage

Rspack's memory usage in large projects has been significantly reduced since v1.1.6:

Related PRs:

Performance Improvements ⚡
Exciting New Features 🎉
Bug Fixes 🐞
Document Updates 📖
Other Changes

New Contributors

Full Changelog: web-infra-dev/rspack@v1.1.5...v1.1.6

v1.1.5

Compare Source

What's Changed

Highlights 💡

refactor css loading

Since #​7306, we have aligned with webpack's CSS loading strategy, which assumed that CSS finished loading before executing JavaScript, which is not true. Both Rspack and webpack have changed the CSS loading strategy to address this issue.

For more specific details on the original problem, please refer to this link.
Webpack fixed this in https://github.com/webpack/webpack/pull/19021
Rspack fixed this in #​8534

Performance Improvements ⚡
Exciting New Features 🎉
Bug Fixes 🐞
Document Updates 📖
Other Changes

Full Changelog: web-infra-dev/rspack@v1.1.4...v1.1.5

swc-project/swc (@​swc/core)

v1.10.1

Compare Source

Bug Fixes
  • (es/resolver) Fix wrong syntax context of vars with the same names as catch params (#​9786) (5a44c6b)
Features

v1.10.0

Compare Source

Bug Fixes
Features
Miscellaneous Tasks
Refactor
sxzz/eslint-config (@​sxzz/eslint-config)

v4.5.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub
sxzz/test-utils (@​sxzz/test-utils)

v0.3.11

Compare Source

   🚀 Features
    View changes on GitHub

v0.3.10

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v0.3.9

Compare Source

   🚀 Features
    View changes on GitHub

v0.3.8

Compare Source

   🚀 Features
    View changes on GitHub
vitest-dev/vitest (@​vitest/ui)

v2.1.8

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v2.1.7

Compare Source

   🐞 Bug Fixes
    View changes on GitHub
antfu/bumpp (bumpp)

v9.9.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v9.9.0

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub
debug-js/debug (debug)

v4.4.0

Compare Source

Fixes (hopefully) the inefficient regex warnings in .enable().

Minor version as this is invariably going to break certain users who misuse the .enable() API and expected it to work with regexes, which was never supported nor documented. That's on you, sorry - that functionality won't be added back.

Full Changelog: debug-js/debug@4.3.7...4.4.0

evanw/esbuild (esbuild)

v0.24.1

Compare Source

  • Allow es2024 as a target in tsconfig.json (#​4004)

    TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

    {
      "compilerOptions": {
        "target": "ES2024"
      }
    }

    As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

    This fix was contributed by @​billyjanitsch.

  • Allow automatic semicolon insertion after get/set

    This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

    class Foo {
      get
      *x() {}
      set
      *y() {}
    }

    The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

  • Allow quoted property names in --define and --pure (#​4008)

    The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

    // The following code now transforms to "return true;\n"
    console.log(esbuild.transformSync(
      `return process.env['SOME-TEST-VAR']`,
      { define: { 'process.env["SOME-TEST-VAR"]': 'true' } },
    ))

    Note that if you're passing values like this on the command line using esbuild's --define flag, then you'll need to know how to escape quote characters for your shell. You may find esbuild's JavaScript API more ergonomic and portable than writing shell code.

  • Minify empty try/catch/finally blocks (#​4003)

    With this release, esbuild will now attempt to minify empty try blocks:

    // Original code
    try {} catch { foo() } finally { bar() }
    
    // Old output (with --minify)
    try{}catch{foo()}finally{bar()}
    
    // New output (with --minify)
    bar();

    This can sometimes expose additional minification opportunities.

  • Include entryPoint metadata for the copy loader (#​3985)

    Almost all entry points already include a entryPoint field in the outputs map in esbuild's build metadata. However, this wasn't the case for the copy loader as that loader is a special-case that doesn't behave like other loaders. This release adds the entryPoint field in this case.

  • Source mappings may now contain null entries (#​3310, #​3878)

    With this change, sources that result in an empty source map may now emit a null source mapping (i.e. one with a generated position but without a source index or original position). This change improves source map accuracy by fixing a problem where minified code from a source without any source mappings could potentially still be associated with a mapping from another source file earlier in the generated output on the same minified line. It manifests as nonsensical files in source mapped stack traces. Now the null mapping "resets" the source map so that any lookups into the minified code without any mappings resolves to null (which appears as the output file in stack traces) instead of the incorrect source file.

    This change shouldn't affect anything in most situations. I'm only mentioning it in the release notes in case it introduces a bug with source mapping. It's part of a work-in-progress future feature that will let you omit certain unimportant files from the generated source map to reduce source map size.

  • Avoid using the parent directory name for determinism (#​3998)

    To make generated code more readable, esbuild includes the name of the source file when generating certain variable names within the file. Specifically bundling a CommonJS file generates a variable to store the lazily-evaluated module initializer. However, if a file is named index.js (or with a different extension), esbuild will use the name of the parent directory instead for a better name (since many packages have files all named index.js but have unique directory names).

    This is problematic when the bundle entry point is named index.js and the parent directory name is non-deterministic (e.g. a temporary directory created by a build script). To avoid non-determinism in esbuild's output, esbuild will now use index instead of the parent directory in this case. Specifically this will happen if the parent directory is equal to esbuild's outbase API option, which defaults to the lowest common ancestor of all user-specified entry point paths.

  • Experimental support for esbuild on NetBSD (#​3974)

    With this release, esbuild now has a published binary executable for NetBSD in the @esbuild/netbsd-arm64 npm package, and esbuild's installer has been modified to attempt to use it when on NetBSD. Hopefully this makes installing esbuild via npm work on NetBSD. This change was contributed by @​bsiegert.

    ⚠️ Note: NetBSD is not one of Node's supported platforms, so installing esbuild may or may not work on NetBSD depending on how Node has been patched. This is not a problem with esbuild. ⚠️

eslint/eslint (eslint)

v9.17.0

Compare Source

v9.16.0

Compare Source

Features

  • 8f70eb1 feat: Add ignoreComputedKeys option in sort-keys rule (#​19162) (Milos Djermanovic)

Documentation


Configuration

📅 Schedule: Branch creation - "* 0-3 * * 1" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies label Dec 2, 2024
Copy link

stackblitz bot commented Dec 2, 2024

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

Copy link

socket-security bot commented Dec 2, 2024

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@babel/[email protected] environment +2 2.63 MB nicolo-ribaudo
npm/@jridgewell/[email protected] None +2 131 kB
npm/@rspack/[email protected] environment, eval Transitive: filesystem, network, shell, unsafe +257 19.5 MB hardfist
npm/@rspack/[email protected] environment, eval, filesystem, network, shell, unsafe +7 4.79 MB hardfist
npm/@swc/[email protected] environment, filesystem, shell +2 197 kB kdy1
npm/@sxzz/[email protected] environment Transitive: eval, filesystem, network, shell, unsafe +230 36.7 MB sxzz
npm/@sxzz/[email protected] Transitive: filesystem +6 311 kB sxzz
npm/@types/[email protected] None +1 2.37 MB types
npm/@vitest/[email protected] Transitive: environment, filesystem +14 2.24 MB vitestbot
npm/[email protected] filesystem, unsafe Transitive: environment, network, shell +56 5.07 MB antfu
npm/[email protected] environment +1 49.5 kB qix
npm/[email protected] None 0 134 kB esbuild, evanw
npm/[email protected] Transitive: environment, eval, filesystem, shell, unsafe +78 10.6 MB eslintbot, openjsfoundation
npm/[email protected] environment, shell 0 798 kB rolldownbot
npm/[email protected] environment, filesystem +1 2.63 MB lukastaegert
npm/[email protected] Transitive: filesystem +3 868 kB
npm/[email protected] environment, filesystem +25 5.08 MB antfu
npm/[email protected] Transitive: environment, filesystem, network, shell +4 3.21 MB antfu, patak, soda, ...2 more
npm/[email protected] environment, eval Transitive: filesystem, network, shell, unsafe +33 7.97 MB vitestbot

🚮 Removed packages: npm/@babel/[email protected], npm/@jridgewell/[email protected], npm/@rspack/[email protected], npm/@rspack/[email protected], npm/@swc/[email protected], npm/@sxzz/[email protected], npm/@sxzz/[email protected], npm/@types/[email protected], npm/@vitest/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

Copy link

pkg-pr-new bot commented Dec 2, 2024

Open in Stackblitz

npm i https://pkg.pr.new/unplugin/unplugin-vue@170

commit: adeffb7

@renovate renovate bot force-pushed the renovate/all-minor-patch branch 16 times, most recently from 6bbe8ae to 75e97de Compare December 9, 2024 08:53
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 75e97de to 97919a7 Compare December 10, 2024 08:07
@renovate renovate bot changed the title chore(deps): update all non-major dependencies fix(deps): update all non-major dependencies Dec 10, 2024
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 8 times, most recently from 8d3d5ea to 3ee148c Compare December 13, 2024 21:46
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 7 times, most recently from 3a709e4 to 1f6a462 Compare December 20, 2024 14:17
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 1f6a462 to 33987f9 Compare December 20, 2024 18:00
Copy link
Contributor Author

renovate bot commented Dec 20, 2024

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant