fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@babel/core (source)	^7.29.0 → ^7.29.7			dependencies	patch
@babel/plugin-syntax-decorators (source)	^7.28.6 → ^7.29.7			devDependencies	minor
@babel/plugin-syntax-typescript (source)	^7.28.6 → ^7.29.7			dependencies	minor
@babel/plugin-transform-typescript (source)	^7.28.6 → ^7.29.7			dependencies	minor
@babel/types (source)	^7.29.0 → ^7.29.7			devDependencies	patch
@rollup/plugin-swc (source)	^0.4.0 → ^0.4.1			devDependencies	patch
@swc/core (source)	^1.15.33 → ^1.15.40			devDependencies	patch
@typescript/native-preview (source)	7.0.0-dev.20260514.1 → 7.0.0-dev.20260527.2			devDependencies	patch
eslint (source)	^10.3.0 → ^10.4.1			devDependencies	minor
lint-staged	^17.0.5 → ^17.0.6			devDependencies	patch
oxfmt (source)	^0.49.0 → ^0.52.0			devDependencies	minor
pnpm (source)	10.33.4 → 10.34.1			packageManager	minor
sass	^1.99.0 → ^1.100.0			devDependencies	minor
tsdown (source)	^0.22.0 → ^0.22.1			devDependencies	patch
tsx (source)	^4.22.0 → ^4.22.3			devDependencies	patch
typescript-eslint (source)	^8.59.3 → ^8.60.0			devDependencies	minor
vitest (source)	^4.1.6 → ^4.1.7			devDependencies	patch
vue (source)	^3.5.34 → ^3.5.35			pnpm.catalog.default	patch
vue-router (source)	^5.0.7 → ^5.1.0			pnpm.catalog.default	minor
zizmorcore/zizmor-action	v0.5.3 → v0.5.6			action	patch

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

babel/babel (@​babel/core)

v7.29.7

Compare Source

v7.29.6

Compare Source

babel/babel (@​babel/plugin-syntax-decorators)

v7.29.7

Compare Source

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

rollup/plugins (@​rollup/plugin-swc)

v0.4.1

2026-05-29

Bugfixes

• fix: fix typings to match actual exports (#​1985)

swc-project/swc (@​swc/core)

v1.15.40

Compare Source

Bug Fixes

• (es/minifier) Preserve args for destructured callbacks (#​11830) (21873b0)

• (es/minifier) Avoid generating mangled property names that collide with existing properties (#​11839) (9b4fab5)

• (es/minifier) Respect ecma for iife temp vars (#​11873) (e481934)

• (es/minifier) Preserve default parameter object props (#​11884) (71ff84f)

• (es/parser) Reject object-rest assignment to array/object literal (#​11875) (7b57d1f)

• (es/parser) Reject object rest assignment to literals (#​11881) (4ec2eaf)

• (es/react) Exclude self-recursive hooks from refresh dependency array (#​11838) (9101c71)

• (ts/fast-dts) Strip definite assertions in dts (#​11858) (2ab1b8a)

• (ts/fast-strip) Reject unsafe assertion erasure in binary expressions (#​11828) (aa5b539)

• (typescript) Strip parameter binding defaults in dts (#​11857) (800bc17)

Documentation

• Update agent guidance (#​11842) (bf2d015)

• Add security policy (#​11876) (6c43c2d)

• Clarify security scope for npm packages (#​11877) (4662db8)

• Clarify untrusted input security model (#​11882) (5463777)

Features

• (es/minifier) Fine grained effect analysis of class (#​11814) (c9058ad)

• (swc_cli) Implement all features for swc_cli (#​11797) (9300ede)

Miscellaneous Tasks

• (es/minifier) Fix typo in debug log (#​11866) (3de0254)

• (html) Add webcontainer fallback for @swc/html (#​11860) (7692eed)

Performance

• (ecma) Reduce transformer compat overhead (#​11856) (d03cb71)

• (es/codegen) Speed up JsWriter position and srcmap tracking (#​11867) (dbceade)

• (es/codegen) Remove JsWriter last_srcmap cache (#​11869) (3bc1c2b)

• (es/minifier) Reduce minifier profiling hotspots (#​11853) (28c1091)

• Optimize es parser comment finalization (#​11852) (2959ddf)

Testing

• (es/minifier) Move issue_11835 fixture out of terser folder (#​11840) (3dd3431)

Ci

• Update corepack in publish docker jobs (#​11885) (9a7d954)

• Pass publish docker env explicitly (#​11888) (c5f7547)

• Lock issues closed by merged prs (#​11887) (6bd74e5)

• Provide aarch64 musl linker in publish job (#​11889) (20234fd)

• Fix publish musl linker and windows tests (#​11890) (a798a23)

• Make minifier test path explicit (#​11891) (e7cba97)

Security

• Save CI caches only on main (#​11848) (7582529)

• Update rkyv and Rust dependencies (#​11851) (20d92eb)

• Harden PR workflow permissions (#​11849) (e199564)

microsoft/typescript-go (@​typescript/native-preview)

v7.0.0-dev.20260527.2

Compare Source

v7.0.0-dev.20260527.1

Compare Source

v7.0.0-dev.20260526.1

Compare Source

v7.0.0-dev.20260525.1

Compare Source

v7.0.0-dev.20260524.1

Compare Source

v7.0.0-dev.20260523.1

Compare Source

v7.0.0-dev.20260522.1

Compare Source

v7.0.0-dev.20260521.1

Compare Source

v7.0.0-dev.20260519.1

Compare Source

v7.0.0-dev.20260518.1

Compare Source

v7.0.0-dev.20260517.1

Compare Source

v7.0.0-dev.20260516.1

Compare Source

v7.0.0-dev.20260515.1

Compare Source

eslint/eslint (eslint)

v10.4.1

Compare Source

v10.4.0

Compare Source

lint-staged/lint-staged (lint-staged)

v17.0.6

Compare Source

Patch Changes

• #​1803 bdf2770 - Run all tests with Deno, in addition to Node.js and Bun.

• #​1796 7508272 - Fix performance regression of lint-staged v17 by going back to using git add to stage task modifications. This was changed to git update-index --again in v17 for less manual work, but unfortunately the update-index command gets slower in very large Git repos.

• #​1797 7b2505a - This version of lint-staged uses the new staged publishing for npm packages feature. Releases are already published from GitHub Actions with trusted publishing, but now an additional approval with two-factor authentication is also required.

• #​1802 321b0a9 - Downgrade dependency tinyexec@1.2.2 to avoid issues in version 1.2.3.

oxc-project/oxc (oxfmt)

v0.52.0

Compare Source

🚀 Features

• 16b8058 oxfmt: Support vite-plus/resolveConfig for vite.config.ts (#​22454) (leaysgur)

v0.51.0

Compare Source

v0.50.0

Compare Source

🐛 Bug Fixes

• 43b9978 formatter/sort_imports: Treat subpath imports as internal (#​22440) (leaysgur)

pnpm/pnpm (pnpm)

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

• Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Gold Sponsors

v10.34.0

Compare Source

sass/dart-sass (sass)

v1.100.0

Compare Source

• Writing two compound selectors adjacent to one another without any whitespace
  between them, such as [class]a, is now deprecated. This was always an error
  in CSS and Sass only supported it by mistake.

  See the Sass website for
  details.

rolldown/tsdown (tsdown)

v0.22.1

Compare Source

   🚀 Features

• dts: Add deps.dts option to override dependency bundling for declaration files  -  by @​sxzz (881bf)

   🐞 Bug Fixes

• Improve error handling for unsupported TypeScript syntax on Node.js  -  by @​sxzz (b93db)
• Add extra space for emoji rendering in Windows Terminal  -  by @​sxzz (925cc)
• unbundle: Add shims support for unbundled builds  -  by @​sxzz (fc991)

    View changes on GitHub

privatenumber/tsx (tsx)

v4.22.3

Compare Source

v4.22.2

Compare Source

v4.22.1

Compare Source

typescript-eslint/typescript-eslint (typescript-eslint)

v8.60.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.4

Compare Source

🩹 Fixes

• typescript-eslint: export Compatible* types from typescript-eslint to resolve pnpm TS error (#​12340)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitest-dev/vitest (vitest)

v4.1.7

Compare Source

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in #​10384 (4f0f2)

    View changes on GitHub

vuejs/core (vue)

v3.5.35

Compare Source

Bug Fixes

• compiler-core: avoid double processing v-for keys with v-memo (#​14861) (34a0ded), closes #​14859
• compiler-sfc: resolve top-level exports from files registered as global types (#​14805) (3d077f2), closes nuxt/nuxt#33694
• runtime-core: avoid repeated hydration mismatch checks (#​14857) (170fc95), closes #​14855
• runtime-core: skip idle persisted transition hooks in keep-alive moves (#​14865) (80fc139), closes #​14031
• server-renderer: propagate sync errors from ssrRenderSuspense (#​14804) (4760997), closes nuxt/nuxt#28162
• teleport: skip child unmount when pending mount discarded (#​14876) (#​14877) (584beb1)

Performance Improvements

• reactivity: skip type checks for cached proxies (#​14860) (5734fe9)
• runtime-dom: optimize array event handler dispatch (#​14828) (bb18dc8)
• server-renderer: avoid materializing iterables in ssrRenderList (#​14821) (1b7a2cc)

vuejs/router (vue-router)

v5.1.0

Compare Source

   🚀 Features

• Typed definePage params.path  -  by @​posva in #​2716 (d65de)
• Strict type for definePage param default  -  by @​posva (0ae10)
• Support raw param parsers  -  by @​posva (eadec)
• Force array type raw param parsers  -  by @​posva (7a68b)
• Allow overriding the global Router type  -  by @​posva (1cd93)
• Emit runtime warning for invalid format in query params  -  by @​posva (8259a)
• Override useRouter() return with experimental types config  -  by @​posva (39a34)
• Allow string as a param parser for convenience  -  by @​posva (be37b)

   🐞 Bug Fixes

• Fix auto import fixes and make experimental esm only  -  by @​posva (db3a6)
• Deterministic param parser types order  -  by @​posva (bf0fc)
• Avoid importing unused param parsers  -  by @​posva (41c00)
• Filter invalid query params without failing to match  -  by @​posva (db717)
• Detect not set format  -  by @​posva (aa89e)
• Allow undefined values for params in query  -  by @​posva (4726e)
• experimental: Repeatable params in subsegments  -  by @​posva (84664)
• types: Add vite as optional peer dependency  -  by @​ForgottenR, @​posva and shihuijie in #​2712 (facbf)

    View changes on GitHub

zizmorcore/zizmor-action (zizmorcore/zizmor-action)

v0.5.6

Compare Source

• 1.25.2 is now available via the action
• 1.25.2 is now the default version of zizmor used by the action

v0.5.5

Compare Source

This is a no-op release.

v0.5.4

Compare Source

• 1.25.0 is now available via the action
• 1.25.0 is now the default version of zizmor used by the action

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@vitejs/plugin-vue@781

npm i https://pkg.pr.new/@vitejs/plugin-vue-jsx@781

commit: ddb8c32