⬆️ deps: Update dependencies (non-major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@types/node (source)	24.10.6 → 24.10.9			devDependencies	patch
node (source)	24.12.0 → 24.13.0				minor
prettier (source)	3.7.4 → 3.8.0			devDependencies	minor
rolldown (source)	1.0.0-beta.59 → 1.0.0-beta.60			devDependencies	patch
vitest (source)	4.0.16 → 4.0.17			devDependencies	patch

---

Release Notes

nodejs/node (node)

v24.13.0: 2026-01-13, Version 24.13.0 'Krypton' (LTS), @​marco-ippolito

Compare Source

This is a security release.

Notable Changes

lib:

• (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
  lib,permission:
• (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
  src:
• (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
  src,lib:
• (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
  tls:
• (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

Commits

• [2092785d01] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #​60997
• [3e58b7f2af] - deps: update undici to 7.18.2 (Node.js GitHub Bot) #​61283
• [4ba536a5a6] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• [89adaa21fd] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
• [7302b4dae1] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• [ac030753c4] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
• [20075692fe] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
• [20591b0618] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

prettier/prettier (prettier)

v3.8.0

Compare Source

diff

🔗 Release note

rolldown/rolldown (rolldown)

v1.0.0-beta.60

Compare Source

💥 BREAKING CHANGES

• tsconfig: enable auto-discovery by default (#​7817) by @​shulaoda

🚀 Features

• distinguish transformer diagnostics from parse errors (#​7872) by @​shulaoda
• emit transformer warnings instead of ignoring them (#​7850) by @​shulaoda
• node: add output.codeSplitting option and deprecate output.advancedChunks (#​7855) by @​hyf0
• nativeMagicString reset (#​7828) by @​IWANABETHATGUY
• nativeMagicString lastChar (#​7819) by @​IWANABETHATGUY
• dev/lazy: inject lazy compilation runtime automatically (#​7816) by @​hyf0
• nativeMagicString snip (#​7818) by @​IWANABETHATGUY
• nativeMagicString construct with options (#​7814) by @​IWANABETHATGUY
• nativeMagicString clone (#​7813) by @​IWANABETHATGUY
• nativeMagicString insert (#​7812) by @​IWANABETHATGUY
• nativeMagicString slice (#​7807) by @​IWANABETHATGUY
• nativeMagicString trim methods (#​7800) by @​IWANABETHATGUY
• make closeBundle hook receive the last error (#​7278) by @​Copilot

🐛 Bug Fixes

• when package only contains export default, cjsDefault didn't resolve correctly (#​7873) by @​IWANABETHATGUY
• inline __name calls for default exports (#​7862) by @​IWANABETHATGUY
• improve variable renaming to avoid unnecessary shadowing in nested scopes (#​7859) by @​IWANABETHATGUY
• use correct index when inserting keepNames statements during export default transformation (#​7853) by @​IWANABETHATGUY
• transform non-static dynamic imports when dynamicImportInCjs is false (#​7823) by @​shulaoda
• dev/lazy: should include imported and non-executed modules in the patch (#​7815) by @​hyf0
• set ExportsKind to Esm when json is none object literal (#​7808) by @​IWANABETHATGUY
• nativeMagicString move api (#​7796) by @​IWANABETHATGUY
• remove unnecessary exports after merging into commong and user defined entry (#​7789) by @​IWANABETHATGUY
• use output.name instead of chunk.name in mixed export warning (#​7788) by @​Copilot

🚜 Refactor

• generalize ParseError to OxcError with dynamic EventKind (#​7868) by @​shulaoda
• rust: rename advanced_chunks to manual_code_splitting (#​7856) by @​hyf0
• string_wizard error hanlding (#​7830) by @​IWANABETHATGUY
• remove experimental.disableLiveBindings option (#​7820) by @​sapphi-red
• node/test: run fixture tests in concurrent (#​7790) by @​hyf0
• move ConfigExport and RolldownOptionsFunction types to define-config (#​7799) by @​shulaoda
• cli: validate config after resolving and improve error message (#​7798) by @​shulaoda

📚 Documentation

• rebrand (#​7670) by @​yyx990803
• fix incorrect default value for propertyReadSideEffects (#​7847) by @​Copilot
• remove options pages and redirect to reference pages (#​7834) by @​sapphi-red
• options: inline types to option property pages (#​7831) by @​sapphi-red
• options: port checks.pluginTimings content from options page to reference page (#​7832) by @​sapphi-red
• options: use @linkcode where possible (#​7824) by @​sapphi-red
• options: port content from options page to reference page (#​7822) by @​sapphi-red
• options: add descriptions for output options (#​7821) by @​sapphi-red
• options: add description for input options (#​7802) by @​sapphi-red
• options: add description for checks.* (#​7801) by @​sapphi-red
• apis: add hook graph (#​7671) by @​sapphi-red

🧪 Testing

• add all valid combination of chunk exports related test (#​7851) by @​IWANABETHATGUY
• enable MagicString test after api return type alignment (#​7797) by @​IWANABETHATGUY
• init magic-string test (#​7794) by @​IWANABETHATGUY

⚙️ Miscellaneous Tasks

• vite-tests: configure git user for rebase operation (#​7875) by @​shulaoda
• rolldown_binding: remove v3 native plugins (#​7837) by @​shulaoda
• rolldown_binding: allow crate-type as lib (#​7866) by @​Brooooooklyn
• README.md: adjust position and size of rolldown logo (#​7861) by @​hyf0
• deps: update test262 submodule for tests (#​7857) by @​sapphi-red
• deps: update oxc to v0.108.0 (#​7845) by @​renovate[bot]
• deps: update dependency oxlint to v1.39.0 (#​7849) by @​renovate[bot]
• deps: update dependency oxfmt to ^0.24.0 (#​7844) by @​renovate[bot]
• deps: update npm packages (#​7841) by @​renovate[bot]
• deps: update rust crates (#​7839) by @​renovate[bot]
• deps: update github-actions (#​7840) by @​renovate[bot]
• use workspace edition for all crates (#​7829) by @​IWANABETHATGUY
• deps: update dependency oxlint-tsgolint to v0.11.0 (#​7827) by @​renovate[bot]
• deps: update napi to v3.8.2 (#​7810) by @​renovate[bot]
• remove outdated snapshot files (#​7806) by @​shulaoda
• deps: update crate-ci/typos action to v1.42.0 (#​7792) by @​renovate[bot]

vitest-dev/vitest (vitest)

v4.0.17

Compare Source

   🚀 Features

• Support openTelemetry for browser mode  -  by @​hi-ogawa in #​9180 (1ec3a)
• Support TRACEPARENT and TRACESTATE environment variables for OpenTelemetry context propagation  -  by @​Copilot, hi-ogawa and @​hi-ogawa in #​9295 (876cb)

   🐞 Bug Fixes

• Improve asymmetric matcher diff readability by unwrapping container matchers  -  by @​Copilot, sheremet-va, hi-ogawa and @​hi-ogawa in #​9330 (b2ec7)
• Improve runner error when importing outside of test context  -  by @​sheremet-va in #​9335 (2dd3d)
• Replace crypto.randomUUID to allow insecure environments (fix #​9…  -  by @​plusgut in #​9339 and #​9 (e6a3f)
• Handle null options in addEventHandler #​9371  -  by @​ThibautMarechal in #​9372 and #​9371 (40841)
• Typo in browser.provider error  -  by @​deammer in #​9394 (4b67f)
• browser:
  • Fix process.env and import.meta.env defines in inline project  -  by @​hi-ogawa in #​9239 (b70c9)
  • Fix upload File instance  -  by @​hi-ogawa in #​9294 (b6778)
  • Fix invalid project token for artifacts assets  -  by @​hi-ogawa in #​9321 (caa7d)
  • Log ErrorEvent.message when unhandled ErrorEvent.error is null  -  by @​hi-ogawa in #​9322 (5d84e)
  • Support fileParallelism on an instance  -  by @​sheremet-va in #​9328 (15006)
• coverage:
  • Remove unnecessary istanbul-lib-source-maps usage  -  by @​AriPerkkio in #​9344 (b0940)
  • Apply patch from istanbuljs/istanbuljs#837  -  by @​AriPerkkio and sapphi-red in #​9413 and #​837 (e05ce)
• fsModuleCache:
  • Don't store importers in cache  -  by @​sheremet-va in #​9422 (75136)
  • Add importers alongside importedModules  -  by @​sheremet-va in #​9423 (59f92)
• mocker:
  • Fix mock transform with class  -  by @​hi-ogawa in #​9421 (d390e)
• pool:
  • Validate environment options when reusing the worker  -  by @​sheremet-va in #​9349 (a8a88)
  • Handle worker start failures gracefully  -  by @​AriPerkkio in #​9337 (200da)
• reporter:
  • Report test module if it failed to run  -  by @​sheremet-va in #​9272 (c7888)
• runner:
  • Respect nested test.only within describe.only  -  by @​Ujjwaljain16 in #​9021 and #​9213 (55d5d)
• typecheck:
  • Improve error message when tsc outputs help text  -  by @​Ujjwaljain16 in #​9214 (7b10a)
• ui:
  • Detect gzip by magic numbers instead of Content-Type header in html reporter  -  by @​Copilot, hi-ogawa and @​hi-ogawa in #​9278 (dd033)
• webdriverio:
  • Fall back to WebDriver Classic #​9244  -  by @​JustasMonkev in #​9373 and #​9244 (c23dd)

    View changes on GitHub

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.