fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/vite-plugin (source)	^1.31.0 → ^1.31.2
@rolldown/pluginutils (source)	1.0.0-rc.13 → 1.0.0-rc.15
globals	^17.4.0 → ^17.5.0
oxfmt (source)	^0.43.0 → ^0.44.0
rolldown (source)	1.0.0-rc.13 → 1.0.0-rc.15
styled-components (source)	^6.3.12 → ^6.4.0
tinyexec	^1.0.4 → ^1.1.1
typescript-eslint (source)	^8.58.0 → ^8.58.1
vite (source)	^8.0.3 → ^8.0.8
vitest (source)	^4.1.2 → ^4.1.4
wrangler (source)	^4.80.0 → ^4.81.1

---

Release Notes

cloudflare/workers-sdk (@​cloudflare/vite-plugin)

v1.31.2

Compare Source

Patch Changes

• Updated dependencies [42c7ef0, c510494, 8b71eca, a42e0e8, 7ca6f6e]:
  • miniflare@​4.20260409.0
  • wrangler@​4.81.1

v1.31.1

Compare Source

Patch Changes

• Updated dependencies [a3e3b57, 7d318e1, fa6d84f, 96ee5d4, 7d318e1, 7a60d4b, 78cbe37, 6fa5dfd]:
  • miniflare@​4.20260405.0
  • wrangler@​4.81.0

rolldown/rolldown (@​rolldown/pluginutils)

v1.0.0-rc.15

Compare Source

🐛 Bug Fixes

• prevent stack overflow in generate_transitive_esm_init on circular dependencies (#​9041) by @​shulaoda

🚜 Refactor

• agents: rename Spec-Driven Development to Context Engineering (#​9036) by @​hyf0

v1.0.0-rc.14

Compare Source

🚀 Features

• rust: add disable_panic_hook feature to disable the panic hook (#​9023) by @​sapphi-red
• support inlineConst for CJS exports accessed through module.exports (#​8976) by @​h-a-n-a

🐛 Bug Fixes

• rolldown_plugin_vite_import_glob: normalize resolved alias path to prevent double slashes (#​9032) by @​shulaoda
• rolldown_plugin_vite_import_glob: follow symlinks in file scanning (#​9000) by @​Copilot
• wrap CJS entry modules for IIFE/UMD when using exports/module (#​8999) by @​IWANABETHATGUY
• emit separate __toESM bindings for mixed ESM/CJS external imports (#​8987) by @​IWANABETHATGUY
• tree-shake dead dynamic imports to side-effect-free CJS modules (#​8529) by @​sapphi-red
• skip inlining stale CJS export constants on module.exports reassignment (#​8990) by @​IWANABETHATGUY

🚜 Refactor

• generator: migrate ecma formatting from npx oxfmt to vp fmt (#​9022) by @​shulaoda
• generator: replace npx oxfmt with vp fmt for ecma formatting (#​9021) by @​shulaoda

📚 Documentation

• contrib-guide: mention that running tests on older Node.js version will have different stat results (#​8996) by @​Claude

⚙️ Miscellaneous Tasks

• deps: update npm packages (#​9002) by @​renovate[bot]
• deps: update dependency @​napi-rs/cli to v3.6.1 (#​9034) by @​renovate[bot]
• deps: upgrade oxc to 0.124.0 (#​9018) by @​shulaoda
• deps: update test262 submodule for tests (#​9010) by @​sapphi-red
• deps: update dependency oxfmt to ^0.44.0 (#​9012) by @​renovate[bot]
• deps: update dependency vite to v8.0.5 [security] (#​9009) by @​renovate[bot]
• deps: update dependency vite-plus to v0.1.16 (#​9008) by @​renovate[bot]
• deps: update rust crates (#​9003) by @​renovate[bot]
• deps: update github-actions (#​9004) by @​renovate[bot]
• deps: update dependency lodash-es to v4.18.1 [security] (#​8992) by @​renovate[bot]
• deps: update crate-ci/typos action to v1.45.0 (#​8988) by @​renovate[bot]
• upgrade oxc npm packages to 0.123.0 (#​8985) by @​shulaoda

◀️ Revert

• "chore(deps): update dependency oxfmt to ^0.44.0 (#​9012)" (#​9019) by @​shulaoda

❤️ New Contributors

• @​Claude made their first contribution in #​8996

sindresorhus/globals (globals)

v17.5.0

Compare Source

oxc-project/oxc (oxfmt)

v0.44.0

Compare Source

🐛 Bug Fixes

• dd2df87 npm: Export package.json for oxlint and oxfmt (#​20784) (kazuya kawaguchi)
• 4216380 oxfmt: Support .editorconfig tab_width fallback (#​20988) (leaysgur)

styled-components/styled-components (styled-components)

v6.4.0

Compare Source

Minor Changes

• b0f3d29: .attrs() improvements: props supplied via attrs are now automatically made optional on the resulting component (previously required even when attrs provided a default). Also fixes a bug where the attrs callback received a mutable props object that could be changed by subsequent attrs processing; it now receives an immutable snapshot.

• 2a973d8: Dropped IE11 support: ES2015 build target, inlined unitless CSS properties (removing @​emotion/unitless dependency), removed legacy React class statics from hoist and other unnecessary code.

• 9e07d95: Add createTheme(defaultTheme, options?) for CSS variable theming that works across RSC and client components.

  Returns an object with the same shape where every leaf is var(--prefix-path, fallback). Pass it to ThemeProvider for stable class name hashes across themes (no hydration mismatch on light/dark switch).

  const theme = createTheme({ colors: { primary: '#​0070f3' } });
  // theme.colors.primary → "var(--sc-colors-primary, #​0070f3)"
  // theme.raw → original object
  // theme.vars.colors.primary → "--sc-colors-primary"
  // theme.resolve(el?) → computed values from DOM (client-only)
  // theme.GlobalStyle → component that emits CSS var declarations

  vars exposes bare CSS custom property names (same shape as the theme) for use in createGlobalStyle dark mode overrides without hand-writing variable names:

  const { vars } = createTheme({ colors: { bg: '#fff', text: '#​000' } });
  
  const DarkOverrides = createGlobalStyle`
    @​media (prefers-color-scheme: dark) {
      :root {
        ${vars.colors.bg}: #​111;
        ${vars.colors.text}: #eee;
      }
    }
  `;

  Options: prefix (default "sc"), selector (default ":root", use ":host" for Shadow DOM).

• 79cc7b4: Add first-class CSP nonce support. Nonces can now be configured via StyleSheetManager's nonce prop (recommended for Next.js, Remix), ServerStyleSheet's constructor, <meta property="csp-nonce"> (Vite convention), <meta name="sc-nonce">, or the legacy __webpack_nonce__ global.

• b0f3d29: Rearchitect createGlobalStyle to use shared stylesheet groups.

  All instances of a createGlobalStyle component now share a single stylesheet group, registered once at definition time. This fixes unmounting one instance removing styles needed by others (#​5695), styles scattering after remount (#​3146), and group ID leaks during SSR (#​3022).

  CSS injection order is now fully determined at definition time (lower group ID = earlier in stylesheet). Render order no longer affects CSS order. Keyframes defined before a component correctly appear before that component's rules.

  Also fixes: O(n^2) performance regression in jsdom test environments from unbounded rule accumulation, and stale static global styles during client-side HMR (effect deps now include the globalStyle reference so module re-evaluation triggers re-injection).

• b0f3d29: Significant render performance improvements via three-layer memoization and hot-path micro-optimizations. Client-only; server renders are unaffected.

  Re-renders that don't change styling now skip style resolution entirely. Components sharing the same CSS (e.g., list items) benefit from cross-sibling caching. Hot-path changes include forEach → for/for...of, template literal → manual concat, and reduced allocations.

  Benchmarks vs 6.3.12:

  • Parent re-render (most common): 3.3x faster
  • First mount: 1.7-2.5x faster
  • Prop cycling: 2.3-2.4x faster
  • 10K heavy layouts: 1.9x faster
  • No regressions on any benchmark

• 9ada92b: React Server Components support: inline style injection, deduplication, and a new stylisPluginRSC for child-index selector fixes.

  Inline style injection: RSC-rendered styled components emit <style data-styled> tags alongside their elements. CSS is deduplicated per render via React.cache (React 19+). Extended components use :where() zero-specificity wrapping on base CSS so extensions always win the cascade regardless of injection order.

  StyleSheetManager works in RSC: stylisPlugins and shouldForwardProp are now applied in server component environments where React context is unavailable.

  stylisPluginRSC — opt-in stylis plugin that fixes :first-child, :last-child, :nth-child(), and :nth-last-child() selectors broken by inline <style> tags shifting child indices. Rewrites them using CSS Selectors Level 4 of S syntax to exclude styled-components style tags from the count.

  import { StyleSheetManager, stylisPluginRSC } from 'styled-components';
  
  <StyleSheetManager stylisPlugins={[stylisPluginRSC]}>{children}</StyleSheetManager>;

  The plugin rewrites :first-child, :last-child, :nth-child(), and :nth-last-child() using CSS Selectors Level 4 of S syntax to exclude injected style tags from the child count.

  Browser support: Chrome 111+, Firefox 113+, Safari 9+ (~93% global). In unsupported browsers, the entire CSS rule is dropped — only opt in if your audience supports it. Use :first-of-type / :nth-of-type() as a universally compatible alternative.

  HMR: Stale styles during client-side HMR are detected and invalidated when module re-evaluation creates new component instances while IDs remain stable (SWC plugin assigns IDs by file location). createGlobalStyle additionally clears stale sheet entries when the instance changes between renders.

  The plugin is fully tree-shakeable — zero bytes in bundles that don't import it.

Patch Changes

• b0f3d29: Expose as and forwardedAs props in React.ComponentProps extraction for styled components
• 553cbb4: Fix memory leak in long-running apps using components with free-form string interpolations (e.g. color: ${p => p.$dynamicValue} where the value comes from unbounded user input).
• b0f3d29: React Native improvements: replaced postcss with a lightweight CSS declaration parser, fixing nanoid crashes in Expo/Metro (#​5705) and improving parse speed 4-6x. Parent re-renders with unchanged children are 2.6-3.2x faster via cache-first render. Updated native component alias list (removed 5 dead components, added 4 missing). Added react-native as an optional peer dependency.
• 74e8b76: Smaller install footprint via unused dependency cleanup.

tinylibs/tinyexec (tinyexec)

v1.1.1

Compare Source

What's Changed

• fix: install npm twice to make publish work by @​43081j in #​111

Full Changelog: tinylibs/tinyexec@1.1.0...1.1.1

typescript-eslint/typescript-eslint (typescript-eslint)

v8.58.1

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitejs/vite (vite)

v8.0.8

Compare Source

Features

• update rolldown to 1.0.0-rc.15 (#​22201) (6baf587)

Bug Fixes

• avoid dns.getDefaultResultOrder temporary (#​22202) (15f1c15)
• ssr: class property keys hoisting matching imports (#​22199) (e137601)

v8.0.7

Compare Source

Bug Fixes

• use sync dns.getDefaultResultOrder instead of dns.promises (#​22185) (5c05b04)

v8.0.6

Compare Source

Features

• update rolldown to 1.0.0-rc.13 (#​22097) (51d3e48)

Bug Fixes

• css: avoid mutating sass error multiple times (#​22115) (d5081c2)
• optimize-deps: hoist CJS interop assignment (#​22156) (17a8f9e)

Performance Improvements

• early return in getLocalhostAddressIfDiffersFromDNS when DNS order is verbatim (#​22151) (56ec256)

Miscellaneous Chores

• create-vite: remove unnecessary DOM.Iterable (#​22168) (bdc53ab)
• replace remaining prettier script (#​22179) (af71fb2)

vitest-dev/vitest (vitest)

v4.1.4

Compare Source

   🚀 Features

• coverage:
  • Default to text reporter skipFull if agent detected  -  by @​hi-ogawa in #​10018 (53757)
• experimental:
  • Expose assertion as a public field  -  by @​sheremet-va in #​10095 (a120e)
  • Support aria snapshot  -  by @​hi-ogawa, Claude Opus 4.6 (1M context), @​AriPerkkio, Codex and @​sheremet-va in #​9668 (d4fbb)
• reporter:
  • Add filterMeta option to json reporter  -  by @​nami8824 and @​sheremet-va in #​10078 (b77de)

   🐞 Bug Fixes

• Use "black" foreground for labeled terminal message to ensure contrast  -  by @​hi-ogawa in #​10076 (203f0)
• Make expect(..., message) consistent as error message prefix  -  by @​hi-ogawa and Codex in #​10068 (a1b5f)
• Do not hoist imports whose names match class properties .  -  by @​SunsetFi in #​10093 and #​10094 (0fc4b)
• browser: Spread user server options into browser Vite server in project  -  by @​GoldStrikeArch in #​10049 (65c9d)

    View changes on GitHub

v4.1.3

Compare Source

   🚀 Experimental Features

• Add experimental.preParse flag  -  by @​sheremet-va in #​10070 (78273)
• Support browser.locators.exact option  -  by @​sheremet-va in #​10013 (48799)
• Add TestAttachment.bodyEncoding  -  by @​hi-ogawa in #​9969 (89ca0)
• Support custom snapshot matcher  -  by @​hi-ogawa, Claude Sonnet 4.6 and Codex in #​9973 (59b0e)

   🐞 Bug Fixes

• Advance fake timers with expect.poll interval  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10022 (3f5bf)
• Add @vitest/coverage-v8 and @vitest/coverage-istanbul as optional dependency  -  by @​alan-agius4 in #​10025 (146d4)
• Fix defineHelper for webkit async stack trace + update playwright 1.59.0  -  by @​hi-ogawa in #​10036 (5a5fa)
• Fix suite hook throwing errors for unused auto test-scoped fixture  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10035 (39865)
• expect:
  • Remove JestExtendError.context from verbose error reporting  -  by @​hi-ogawa in #​9983 (66751)
  • Don't leak "runner" types  -  by @​sheremet-va in #​10004 (ec204)
• snapshot:
  • Fix flagging obsolete snapshots for snapshot properties mismatch  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​9986 (6b869)
  • Export custom snapshot matcher helper from vitest  -  by @​hi-ogawa and Codex in #​10042 (691d3)
• ui:
  • Don't leak vite types  -  by @​sheremet-va in #​10005 (fdff1)
• vm:
  • Fix external module resolve error with deps optimizer query  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10024 (9dbf4)

    View changes on GitHub

cloudflare/workers-sdk (wrangler)

v4.81.1

Compare Source

Patch Changes

• #​13337 c510494 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260405.1	1.20260408.1

• #​13362 8b71eca Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260408.1	1.20260409.1

• #​13329 7ca6f6e Thanks @​G4brym! - fix: Treat AI Search bindings as always-remote in local dev

  AI Search namespace (ai_search_namespaces) and instance (ai_search) bindings are always-remote (they have no local simulation), but pickRemoteBindings() did not include them in its always-remote type list. This caused the remote proxy session to exclude these bindings when remote: true was not explicitly set in the config, resulting in broken AI Search bindings during wrangler dev.

  Additionally, removeRemoteConfigFieldFromBindings() in the deploy config-diff logic was not stripping the remote field from AI Search bindings, which could cause false config diffs during deployment.

• Updated dependencies [42c7ef0, c510494, 8b71eca, a42e0e8]:

  • miniflare@​4.20260409.0

v4.81.0

Compare Source

Minor Changes

• #​12932 96ee5d4 Thanks @​thomasgauvin! - feat: add wrangler email routing and wrangler email sending commands

  Email Routing commands:

  • wrangler email routing list - list zones with email routing status
  • wrangler email routing settings <domain> - get email routing settings for a zone
  • wrangler email routing enable/disable <domain> - enable or disable email routing
  • wrangler email routing dns get/unlock <domain> - manage DNS records
  • wrangler email routing rules list/get/create/update/delete <domain> - manage routing rules (use catch-all as the rule ID for the catch-all rule)
  • wrangler email routing addresses list/get/create/delete - manage destination addresses

  Email Sending commands:

  • wrangler email sending list - list zones with email sending
  • wrangler email sending settings <domain> - get email sending settings for a zone
  • wrangler email sending enable <domain> - enable email sending for a zone or subdomain
  • wrangler email sending disable <domain> - disable email sending for a zone or subdomain
  • wrangler email sending dns get <domain> - get DNS records for a sending domain
  • wrangler email sending send - send an email using the builder API
  • wrangler email sending send-raw - send a raw MIME email message

  Also adds email_routing:write and email_sending:write OAuth scopes to wrangler login.

Patch Changes

• #​13241 7d318e1 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260401.1	1.20260402.1

• #​13305 fa6d84f Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260402.1	1.20260405.1

• #​13193 78cbe37 Thanks @​dario-piotrowicz! - During autoconfig filter out Hono when there are 2 detected frameworks

  During the auto-configuration process Hono is now treated as an auxiliary framework (like Vite) and automatically filtered out when two frameworks are detected (before Hono was being filtered out only when the other framework was Waku).

• #​13205 6fa5dfd Thanks @​petebacondarwin! - fix: use formatConfigSnippet for compatibility_date warning in wrangler dev

  The compatibility_date warning shown when no date is configured in wrangler dev was hardcoded in TOML format. This now uses formatConfigSnippet to render the snippet in the correct format (TOML or JSON) based on the user's config file type.

• Updated dependencies [a3e3b57, 7d318e1, fa6d84f, 7d318e1, 7a60d4b]:

  • miniflare@​4.20260405.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.