fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@babel/types (source)	^7.26.0 -> ^7.26.3
@farmfe/cli	^1.0.2 -> ^1.0.4
@farmfe/core	^1.3.0 -> ^1.6.2
@jridgewell/gen-mapping	^0.3.5 -> ^0.3.8
@rspack/cli (source)	1.1.4 -> 1.1.8
@rspack/core (source)	1.1.4 -> 1.1.8
@swc/core (source)	^1.9.3 -> ^1.10.4
@sxzz/eslint-config	^4.5.0 -> ^4.5.1
@sxzz/test-utils	^0.3.7 -> ^0.3.11
@types/node (source)	^22.10.0 -> ^22.10.3
@vitejs/plugin-vue (source)	^5.0.4 -> ^5.2.1
@vitest/ui (source)	2.1.6 -> 2.1.8
bumpp	^9.8.1 -> ^9.9.2
core-js (source)	^3.30.1 -> ^3.39.0
debug	^4.3.7 -> ^4.4.0
esbuild	0.24.0 -> 0.24.2
esbuild	^0.24.0 -> ^0.24.2
eslint (source)	^9.15.0 -> ^9.17.0
pnpm (source)	9.14.2 -> 9.15.2
rolldown (source)	^0.14.0 -> ^0.15.1
rollup (source)	^4.27.4 -> ^4.29.1
sass	^1.81.0 -> ^1.83.0
unplugin-unused	^0.2.3 -> ^0.3.0
vite (source)	^6.0.0 -> ^6.0.6
vite-plugin-inspect	^0.8.8 -> ^0.10.6
vitest (source)	2.1.6 -> 2.1.8
vue (source)	^3.4.0 -> ^3.5.13
webpack	^5.96.1 -> ^5.97.1
webpack-dev-server	^5.1.0 -> ^5.2.0

---

Release Notes

babel/babel (@​babel/types)

v7.26.3

Compare Source

🐛 Bug Fix

• babel-generator
  • #​16958 [preserveFormat] force semicolons when invalidating ASI (@​nicolo-ribaudo)

🏠 Internal

• babel-helper-builder-binary-assignment-operator-visitor, babel-plugin-transform-exponentiation-operator
  • #​16895 Remove helper-builder-binary-assignment-operator-visitor (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-generator
  • #​16959 perf: Reduce the use of temporary objects (@​liuxingbaoyu)
• babel-traverse
  • #​16923 perf: Improve scope information collection performance (@​liuxingbaoyu)
  • #​16964 perf: Avoid repeated traversal when creating scope (@​liuxingbaoyu)
• babel-plugin-transform-modules-commonjs
  • #​16954 perf: Remove use of simplifyAccess (@​liuxingbaoyu)

farm-fe/farm (@​farmfe/core)

v1.6.2

Compare Source

Patch Changes

• 43e0ea0: do not clean up then watch graph monitoring module

v1.6.1

Compare Source

Patch Changes

• 9e9e94e: fix namespace fallback when use literal computed

v1.6.0

Compare Source

Minor Changes

• 6b84912: js plugin supports process module hook

Patch Changes

• b235a91: feat: support invalidateModule

v1.5.0

Compare Source

Minor Changes

• e63b163: Support object style script.importNotUsedAsValues and reset the default value to remove

Patch Changes

• e63b163: Fix vue lazy compilation transform error when persistent cache enabled
• e63b163: Fix mixed hmr ws protocol when proxy online host to localhost
• e63b163: Fix module_group_graph panic which is caused by inconsistent module.module_groups when persistent cache is enabled
• 80b13ce: new import meta url runtime & merge electron preload output files
• Updated dependencies [e63b163]
  • @​farmfe/runtime-plugin-hmr@​3.5.10

v1.4.7

Compare Source

Patch Changes

• c6df3d2: Fix server.hmr.protocol does not work
• Updated dependencies [c6df3d2]
  • @​farmfe/runtime-plugin-hmr@​3.5.9

v1.4.6

Compare Source

Patch Changes

• Updated dependencies [249e9a2]
  • @​farmfe/runtime-plugin-import-meta@​0.2.3
  • @​farmfe/runtime-plugin-hmr@​3.5.8
  • @​farmfe/runtime@​0.12.10

jridgewell/gen-mapping (@​jridgewell/gen-mapping)

v0.3.8

Compare Source

v0.3.7

Compare Source

v0.3.6

Compare Source

web-infra-dev/rspack (@​rspack/cli)

v1.1.8

Security Vulnerability Report

Overview

This is a re-release version of v1.1.6

On 12/19/2024, 02:01 (UTC), we discovered that our npm packages @rspack/core and @rspack/cli were maliciously attacked. The attacker released v1.1.7 using a compromised npm token, which contained malicious code. We took immediate action upon discovering the issue.

Impact

• Affected versions: @rspack/core and @rspack/cli v1.1.7
• Duration: 12/19/2024, 02:01 (UTC), lasting approximately 1 hour
• Malicious code impact: After npm install, the postinstall script in package.json runs malicious code in dist/util/support.js. See Malicious code analysis for more details.

Actions Taken

Upon discovery, we immediately deprecated the affected v1.1.7, redirected the npm latest tag to v1.1.6, and reset all related tokens.
Subsequently, we released a secure new version v1.1.8.

Recommended Actions

If you installed v1.1.7 during the affected period, please:

1. Update to the latest safe version immediately: @rspack/core and @rspack/cli to >= 1.1.8
2. Check your system for any unusual activity

Apology and Commitment

We deeply apologize for the risks caused by this incident. To prevent similar incidents from happening again, we will implement stricter token management protocols and enhance our security review processes.

If you have any questions or discover any suspicious activity, please create an issue or send an email to: [email protected]

We will continue to follow and respond to community feedback.

v1.1.6

Compare Source

What's Changed

Highlights 💡

Reduced memory usage

Rspack's memory usage in large projects has been significantly reduced since v1.1.6:

Related PRs:

• perf: improve cached source data struct by @​SyMind in https://github.com/web-infra-dev/rspack/pull/8602
• perf: reduce heap allocations for RuntimeModule by @​h-a-n-a in https://github.com/web-infra-dev/rspack/pull/8620
• perf: avoid heap allocation for getting connections by @​ahabhgk in https://github.com/web-infra-dev/rspack/pull/8625

Performance Improvements ⚡

• perf: replace RawSource with smaller RawStringSource and RawBufferSource by @​h-a-n-a in https://github.com/web-infra-dev/rspack/pull/8629

Exciting New Features 🎉

• feat: implement output.clean.keep: Option by @​ClSlaid in https://github.com/web-infra-dev/rspack/pull/8479
• feat: support output.trustedTypes.onPolicyCreationFailure by @​LingyuCoder in https://github.com/web-infra-dev/rspack/pull/8619
• feat(incremental): named module ids by @​ahabhgk in https://github.com/web-infra-dev/rspack/pull/8593
• feat: support getResolve in external function context by @​fi3ework in https://github.com/web-infra-dev/rspack/pull/8577
• feat: add intermediate file system by @​LingyuCoder in https://github.com/web-infra-dev/rspack/pull/8631
• feat(persistent cache): add make occasion by @​jerrykingxyz in https://github.com/web-infra-dev/rspack/pull/8586

Bug Fixes 🐞

• fix: importModule should have err by @​JSerFeng in https://github.com/web-infra-dev/rspack/pull/8590
• fix: trusted type should add module runtime requirements by @​LingyuCoder in https://github.com/web-infra-dev/rspack/pull/8617
• fix: source map file should use contenthash itself by @​LingyuCoder in https://github.com/web-infra-dev/rspack/pull/8623
• fix: sync minify file comments from SWC by @​fi3ework in https://github.com/web-infra-dev/rspack/pull/8628
• fix: generate wrong chunk filename runtime code on win32 by @​LingyuCoder in https://github.com/web-infra-dev/rspack/pull/8622
• fix: avoid unnamed module ids by @​ahabhgk in https://github.com/web-infra-dev/rspack/pull/8634
• fix: passively rebuild modules imported by importModule by @​CPunisher in https://github.com/web-infra-dev/rspack/pull/8595

Document Updates 📖

• docs: fix typo by @​cbbfcd in https://github.com/web-infra-dev/rspack/pull/8607
• docs: rewrite CopyRspackPlugin documentation by @​chenjiahan in https://github.com/web-infra-dev/rspack/pull/8621
• docs: fix error links by @​xuexb in https://github.com/web-infra-dev/rspack/pull/8635

Other Changes

• chore: add release-check task by @​hardfist in https://github.com/web-infra-dev/rspack/pull/8578
• refactor: remove compilation.built_module by @​jerrykingxyz in https://github.com/web-infra-dev/rspack/pull/8589
• chore(deps): update github-actions by @​renovate in https://github.com/web-infra-dev/rspack/pull/8610
• chore(deps): update rspress to v1.37.3 by @​renovate in https://github.com/web-infra-dev/rspack/pull/8613
• chore(deps): update pnpm to v9.14.4 by @​renovate in https://github.com/web-infra-dev/rspack/pull/8612
• chore: remove tracking subjects by @​h-a-n-a in https://github.com/web-infra-dev/rspack/pull/8616
• test(snapshot): make snapshots cleaner and update path-serializer 0.3.4 by @​SoonIter in https://github.com/web-infra-dev/rspack/pull/8161
• chore(deps): update napi by @​renovate in https://github.com/web-infra-dev/rspack/pull/8611
• test: create issues for failed webpack test by @​GiveMe-A-Name in https://github.com/web-infra-dev/rspack/pull/8618
• refactor: improve dependency location by @​shulaoda in https://github.com/web-infra-dev/rspack/pull/8606
• chore(deps): update crates by @​renovate in https://github.com/web-infra-dev/rspack/pull/8198
• chore(deps): update crates (major) by @​renovate in https://github.com/web-infra-dev/rspack/pull/6926
• ci: run miri on main by @​h-a-n-a in https://github.com/web-infra-dev/rspack/pull/8632
• chore: remove unnecessary code by @​shulaoda in https://github.com/web-infra-dev/rspack/pull/8641

New Contributors

• @​ClSlaid made their first contribution in https://github.com/web-infra-dev/rspack/pull/8479
• @​cbbfcd made their first contribution in https://github.com/web-infra-dev/rspack/pull/8607
• @​xuexb made their first contribution in https://github.com/web-infra-dev/rspack/pull/8635

Full Changelog: web-infra-dev/rspack@v1.1.5...v1.1.6

v1.1.5

Compare Source

What's Changed

Highlights 💡

refactor css loading

Since #​7306, we have aligned with webpack's CSS loading strategy, which assumed that CSS finished loading before executing JavaScript, which is not true. Both Rspack and webpack have changed the CSS loading strategy to address this issue.

For more specific details on the original problem, please refer to this link.
Webpack fixed this in https://github.com/webpack/webpack/pull/19021
Rspack fixed this in #​8534

Performance Improvements ⚡

• perf: create tsfn error resolver once by @​h-a-n-a in https://github.com/web-infra-dev/rspack/pull/8540
• perf: mem cache for chunk render source by @​ahabhgk in https://github.com/web-infra-dev/rspack/pull/8528
• perf: move from Buffer to zero-copy BufferSlice by @​h-a-n-a in https://github.com/web-infra-dev/rspack/pull/8574
• perf: register cleanup hook on global by @​SyMind in https://github.com/web-infra-dev/rspack/pull/8564
• perf: reduce memory consumption of paths by @​h-a-n-a in https://github.com/web-infra-dev/rspack/pull/8581

Exciting New Features 🎉

• feat(mf): recursive search for versions of shared dependencies by @​inottn in https://github.com/web-infra-dev/rspack/pull/8388
• feat: support output.environment.nodePrefixForCoreModules by @​inottn in https://github.com/web-infra-dev/rspack/pull/8516
• feat(rspack_cacheable): as attr support use with dyn trait by @​jerrykingxyz in https://github.com/web-infra-dev/rspack/pull/8535
• feat: support analysing AMD module format by @​nilptr in https://github.com/web-infra-dev/rspack/pull/8389
• feat(cli): set default process.title by @​chenjiahan in https://github.com/web-infra-dev/rspack/pull/8576
• feat: support chunksSortMode option to HtmlRspackPlugin by @​inottn in https://github.com/web-infra-dev/rspack/pull/8585

Bug Fixes 🐞

• fix: reset the progress bar in the correct hook by @​inottn in https://github.com/web-infra-dev/rspack/pull/8429
• fix: get encoded asset content correctly by @​inottn in https://github.com/web-infra-dev/rspack/pull/8545
• fix: missing dependencies type in Module class by @​SyMind in https://github.com/web-infra-dev/rspack/pull/8552
• fix: chunk render cache panic on css extract diagnostics by @​ahabhgk in https://github.com/web-infra-dev/rspack/pull/8562
• fix: should report errors if stats was being accessed after the compiler was closed by @​h-a-n-a in https://github.com/web-infra-dev/rspack/pull/8561
• fix: add missing affectedHooks parameter to ProvidePlugin by @​inottn in https://github.com/web-infra-dev/rspack/pull/8570
• fix: rule.issuerLayer by @​SyMind in https://github.com/web-infra-dev/rspack/pull/8572
• fix: should have module-post-order-index when incremental build by @​JSerFeng in https://github.com/web-infra-dev/rspack/pull/8559
• fix: rebuild should reset module.preOrderIndex by @​JSerFeng in https://github.com/web-infra-dev/rspack/pull/8413
• fix(incremental): infer async modules test cases and add loggings for incremental by @​ahabhgk in https://github.com/web-infra-dev/rspack/pull/8580
• fix: prevent from accessing outdated compilation by @​SyMind in https://github.com/web-infra-dev/rspack/pull/8591
• fix(incremental): get affected modules with chunk graph perf regression by @​ahabhgk in https://github.com/web-infra-dev/rspack/pull/8592

Document Updates 📖

• docs: add examples for watchOptions by @​chenjiahan in https://github.com/web-infra-dev/rspack/pull/8532
• docs: polish Rule configuration by @​chenjiahan in https://github.com/web-infra-dev/rspack/pull/8565

Other Changes

• refactor: remove unnecessary filesystem trait by @​hardfist in https://github.com/web-infra-dev/rspack/pull/8525
• chore(deps): update dependency prettier to v3.4.1 by @​renovate in https://github.com/web-infra-dev/rspack/pull/8544
• chore(deps): update github-actions by @​renovate in https://github.com/web-infra-dev/rspack/pull/8542
• chore(deps): update pnpm to v9.14.2 by @​renovate in https://github.com/web-infra-dev/rspack/pull/8543
• refactor: css loading by @​JSerFeng in https://github.com/web-infra-dev/rspack/pull/8534
• test: create issues for webpack-test failures by @​GiveMe-A-Name in https://github.com/web-infra-dev/rspack/pull/8551
• chore: update rspress to v1.37.2, fix sass test case warnings by @​renovate in https://github.com/web-infra-dev/rspack/pull/8514
• refactor: remove unused cssHeadDataCompression config by @​JSerFeng in https://github.com/web-infra-dev/rspack/pull/8555
• chore: bump rspack crate to 0.2.0 by @​hardfist in https://github.com/web-infra-dev/rspack/pull/8573
• chore: fix crate publish problems by @​hardfist in https://github.com/web-infra-dev/rspack/pull/8575
• refactor: CSS HMR by @​JSerFeng in https://github.com/web-infra-dev/rspack/pull/8587

Full Changelog: web-infra-dev/rspack@v1.1.4...v1.1.5

swc-project/swc (@​swc/core)

v1.10.4

Compare Source

Bug Fixes

• (deps) Update cargo (patch) (#​9733) (fb2f6e4)

• Remove Caused by: 'failed to parse' from TS blank space (#​9820) (aaeb0ab)

v1.10.3

Compare Source

Bug Fixes

• (es/codegen) Emit semicolon after using declarations (#​9816) (556d924)

v1.10.2

Compare Source

Bug Fixes

• (es) Don't panic when wasm bytecheck faild (#​9803) (c81be2e)

• (es/parser) Do not parse empty stmt after using decl (#​9798) (c2696db)

Documentation

• (types) Fix broken links (#​9812) (7768114)

v1.10.1

Compare Source

Bug Fixes

• (es/resolver) Fix wrong syntax context of vars with the same names as catch params (#​9786) (5a44c6b)

Features

• (es/transforms) Add module.outFileExtension (#​9784) (e04c7b3)

v1.10.0

Compare Source

Bug Fixes

• (es/codegen) Use raw value for emitting JSX text (#​9762) (b83c44f)

• (es/compat) Fix marker for inlined helpers (#​9776) (f54ec2c)

• (es/minifier) Drop console in optional chainings (#​9759) (39271ad)

• (es/minifier) Do not inline into the exact LHS (#​9777) (985977b)

Features

• (es/minifier) Support preserve_annotations of terser (#​9775) (6e1c9fd)

• (typescript) Align isolatedDeclaration implementation with tsc (#​9715) (0adad25)

• Apply Wasm-breaking changes (#​9771) (ed65eee)

Miscellaneous Tasks

• (deps) Update dependency magic-string to v0.30.13 (#​9747) (fa80a1e)

• (deps) Update dependency magic-string to v0.30.14 (#​9764) (6e46a8b)

Refactor

• (estree/compat) Do not use nightly features (#​9772) (0f12bbd)

sxzz/test-utils (@​sxzz/test-utils)

v0.3.11

Compare Source

   🚀 Features

• expectFilesSnapshot: Return state  -  by @​sxzz (637be)

    View changes on GitHub

v0.3.10

Compare Source

   🐞 Bug Fixes

• expectFilesSnapshot: Sort files by name  -  by @​sxzz (bad38)

    View changes on GitHub

v0.3.9

Compare Source

   🚀 Features

• expectFilesSnapshot  -  by @​sxzz (74f31)

    View changes on GitHub

v0.3.8

Compare Source

   🚀 Features

• Replace cwd to [cwd] in snapshot  -  by @​sxzz (3a2a2)

    View changes on GitHub

vitest-dev/vitest (@​vitest/ui)

v2.1.8

Compare Source

   🐞 Bug Fixes

• Support Node 21  -  by @​sheremet-va (92f7a)

    View changes on GitHub

v2.1.7

Compare Source

   🐞 Bug Fixes

• Revert support for Vite 6  -  by @​sheremet-va (fbe5c)
  • This introduced some breaking changes (https://github.com/vitest-dev/vitest/issues/6992). We will enable support at a later time. In the meantime, you can still use pnpm.overrides or yarn resolutions to override the vite version in the vitest package - the APIs are compatible.

    View changes on GitHub

antfu/bumpp (bumpp)

v9.9.2

Compare Source

No significant changes

    View changes on GitHub

v9.9.1

Compare Source

   🐞 Bug Fixes

• --exec ENOENT tinyexec args, close #​62  -  by [@​YunYouJun](https:

---

Configuration

📅 Schedule: Branch creation - "* 0-3 * * 1" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[pkg-pr-new]

Open in Stackblitz

npm i https://pkg.pr.new/unplugin/unplugin-vue-fervid@3

commit: 262c850

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@babel/[email protected]	environment	+2	2.63 MB	nicolo-ribaudo
npm/@farmfe/[email protected]	environment, filesystem, network, shell Transitive: eval, unsafe	+188	40.1 MB	wre232114
npm/@jridgewell/[email protected]	None	+2	212 kB	jridgewell
npm/@rspack/[email protected]	environment, eval Transitive: filesystem, network, unsafe	+79	3.17 MB	hardfist
npm/@rspack/[email protected]	environment, eval, filesystem, network, shell, unsafe	+7	4.77 MB	hardfist
npm/@swc/[email protected]	None	+2	197 kB	kdy1, kwonoj
npm/@sxzz/[email protected]	None	+4	241 kB	sxzz
npm/@types/[email protected]	None	0	2.28 MB	types
npm/@vitest/[email protected]	Transitive: environment	+6	2.01 MB	vitestbot
npm/[email protected]	Transitive: environment, filesystem, network, shell	+39	4.34 MB	antfu
npm/[email protected]	environment, eval, filesystem	0	1.26 MB	zloirock
npm/[email protected]	environment	+1	49.5 kB	qix
npm/[email protected]	None	0	134 kB	esbuild, evanw
npm/[email protected]	environment Transitive: eval, filesystem, shell, unsafe	+71	10.1 MB	eslintbot
npm/[email protected]	environment, shell	0	798 kB	rolldownbot
npm/[email protected]	None	+1	2.63 MB	eventualbuddha, lukastaegert, rich_harris, ...2 more
npm/[email protected]	Transitive: environment, filesystem	+3	976 kB

🚮 Removed packages: npm/@babel/[email protected], npm/@farmfe/[email protected], npm/@jridgewell/[email protected], npm/@rspack/[email protected], npm/@rspack/[email protected], npm/@swc/[email protected], npm/@sxzz/[email protected], npm/@types/[email protected], npm/@vitest/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎