Bump the development-dependencies group with 4 updates #683

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/development-dependencies-e8f7985f54

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Contributor

Bumps the development-dependencies group with 4 updates: fs-fixture, oxfmt, rolldown and vitest.

Updates fs-fixture from 2.13.0 to 2.14.0

Release notes

Sourced from fs-fixture's releases.

v2.14.0

2.14.0 (2026-05-18)

Features

  • document grouped path prefixes (5b00042)
Commits

Updates oxfmt from 0.48.0 to 0.56.0

Commits
  • c4be770 release(apps): oxlint v1.71.0 && oxfmt v0.56.0 (#23707)
  • aa79b5b release(apps): oxlint v1.70.0 && oxfmt v0.55.0 (#23442)
  • 9a2788b feat(linter/unicorn): implement prefer-export-from rule (#22935)
  • 44ae845 release(apps): oxlint v1.69.0 && oxfmt v0.54.0 (#23116)
  • dadafe3 docs(oxlint, oxfmt): mention migrate skills in npm READMEs (#22965)
  • f88961a docs(oxfmt): annotate each config option with supported languages (#22953)
  • 964a758 release(apps): oxlint v1.68.0 && oxfmt v0.53.0 (#22883)
  • 68b455d release(apps): oxlint v1.67.0 && oxfmt v0.52.0 (#22735)
  • 16b8058 feat(oxfmt): Support vite-plus/resolveConfig for vite.config.ts (#22454)
  • 5570206 release(apps): oxlint v1.66.0 && oxfmt v0.51.0 (#22528)
  • Additional commits viewable in compare view

Updates rolldown from 1.0.1 to 1.1.2

Release notes

Sourced from rolldown's releases.

v1.1.2

[1.1.2] - 2026-06-18

📝 Notable tsconfig behavior changes

These ship via the oxc_resolver 11.21.3 bump (#9841) and affect resolve.tsconfigPaths (Vite 8 resolves through oxc-resolver):

  • Honor explicit non-TS extensions in include (oxc-project/oxc-resolver#1213): compilerOptions.paths now resolve for importers whose extension is explicitly listed in a tsconfig's include (e.g. src/**/*.vue, src/**/*.svelte). Previously oxc-resolver filtered importers by extension before evaluating the include globs, so a .vue/.svelte file listed in include never matched its project and its paths were skipped. This unblocks the default create-vite Vue + TS layout (a solution-style root plus a referenced tsconfig.app.json that declares paths and include: ["src/**/*.ts", "src/**/*.vue"]). Matches vue-tsc and svelte-check, which register these extensions via TypeScript's extraFileExtensions.
  • No fallback to the outermost tsconfig in auto-discovery (oxc-project/oxc-resolver#1220): tsconfig.json to a file that no project actually owns (via files / include / project references). Previously such a file inherited the outermost ancestor's paths / baseUrl, leaking aliases into files that project does not own. oxc-resolver now returns no config in that case, matching tsserver / typescript-go, which route such files to an inferred project with no aliases.

🚀 Features

🐛 Bug Fixes

🚜 Refactor

... (truncated)

Changelog

Sourced from rolldown's changelog.

[1.1.2] - 2026-06-18

🚀 Features

🐛 Bug Fixes

🚜 Refactor

📚 Documentation

  • tsconfig: align auto-discovery docs with oxc-resolver behavior (#9845) by @​shulaoda

... (truncated)

Commits
  • e0d0b1b release: v1.1.2 (#9863)
  • fd225a8 docs(tsconfig): align auto-discovery docs with oxc-resolver behavior (#9845)
  • 455fb60 chore(deps): update oxc to 0.137.0 (#9856)
  • 8606737 feat: add option names for invalid return type errors (#9821)
  • 01e4eee feat(transform): infer decorator strictNullChecks from tsconfig (#9590)
  • 6626e20 docs: relocate meta/design to internal-docs, split design from implementation...
  • bea835c refactor(options): merge manualCodeSplitting into codeSplitting object form (...
  • f480f9d feat: expose React Compiler options for rolldown and Vite users (#9801)
  • 697a7c4 fix: avoid O(N^2) rendering of high-volume diagnostics (#9748) (#9749)
  • 1af4293 feat(tracing): gate chrome-json trace layer behind chrome-tracing feature (...
  • Additional commits viewable in compare view

Updates vitest from 4.1.6 to 4.1.9

Release notes

Sourced from vitest's releases.

v4.1.9

🐞 Bug Fixes

View changes on GitHub

v4.1.8

🐞 Bug Fixes

View changes on GitHub

v4.1.7

🐞 Bug Fixes

View changes on GitHub

Commits
  • a7a61e7 chore: release v4.1.9 (#10598)
  • 934b0f5 fix(pool): prevent test run hang on worker crash (#10543) [backport to v4] (#...
  • 7fb2965 fix(browser): wait for orchestrator readiness before resolving browser sessio...
  • a518019 fix: fix importOriginal with optimizer and query import [backport to v4] (#...
  • e61f2dd chore: release v4.1.8
  • e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • a09d472 chore: release v4.1.7
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the development-dependencies group with 4 updates: [fs-fixture](https://github.com/privatenumber/fs-fixture), [oxfmt](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt), [rolldown](https://github.com/rolldown/rolldown/tree/HEAD/packages/rolldown) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest).


Updates `fs-fixture` from 2.13.0 to 2.14.0
- [Release notes](https://github.com/privatenumber/fs-fixture/releases)
- [Commits](privatenumber/fs-fixture@v2.13.0...v2.14.0)

Updates `oxfmt` from 0.48.0 to 0.56.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxfmt/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxfmt_v0.56.0/npm/oxfmt)

Updates `rolldown` from 1.0.1 to 1.1.2
- [Release notes](https://github.com/rolldown/rolldown/releases)
- [Changelog](https://github.com/rolldown/rolldown/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rolldown/rolldown/commits/v1.1.2/packages/rolldown)

Updates `vitest` from 4.1.6 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest)

---
updated-dependencies:
- dependency-name: fs-fixture
  dependency-version: 2.14.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development-dependencies
- dependency-name: oxfmt
  dependency-version: 0.56.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development-dependencies
- dependency-name: rolldown
  dependency-version: 1.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development-dependencies
- dependency-name: vitest
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Jul 1, 2026

changeset-bot Bot commented Jul 1, 2026

⚠️ No Changeset found

Latest commit: 14fb171

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

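| Diff  | Package           | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|-------|-------------------|-----------------------|---------------|---------|-------------|---------|
| Added | oxfmt@0.56.0      | 69                    | 100           | 89      | 96          | 100     |
| Added | rolldown@1.1.2    | 91                    | 100           | 78      | 99          | 100     |
| Added | vitest@4.1.9      | 98                    | 100           | 79      | 98          | 100     |
| Added | fs-fixture@2.14.0 | 86                    | 100           | 97      | 89          | 100     |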

View full report

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/rolldown@1.1.2 → npm/@emnapi/runtime@1.11.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm oxfmt is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.json → npm/oxfmt@0.56.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/oxfmt@0.56.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
