chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@vitest/coverage-v8 (source)	^4.0.15 → ^4.0.18
eslint (source)	^9.39.1 → ^9.39.2
eslint-config-unjs	^0.5.0 → ^0.6.2
h3 (source)	^2.0.1-rc.5 → ^2.0.1-rc.11
obuild	^0.4.7 → ^0.4.20
oxc-minify (source)	^0.101.0 → ^0.110.0
pnpm (source)	10.24.0 → 10.28.1
prettier (source)	^3.7.4 → ^3.8.1
srvx (source)	^0.9.7 → ^0.10.1
ufo	^1.6.1 → ^1.6.3
unstorage (source)	^1.17.3 → ^1.17.4
vitest (source)	^4.0.15 → ^4.0.18

---

Release Notes

vitest-dev/vitest (@​vitest/coverage-v8)

v4.0.18

Compare Source

   🚀 Experimental Features

• experimental: Add onModuleRunner hook to worker.init  -  by @​sheremet-va in #​9286 (ea837)

   🐞 Bug Fixes

• Use meta.url in createRequire  -  by @​sheremet-va in #​9441 (e0572)
• browser: Hide injected data-testid attributes  -  by @​sheremet-va in #​9503 (f8989)
• ui: Process artifact attachments when generating HTML reporter  -  by @​macarie in #​9472 (22543)

    View changes on GitHub

v4.0.17

Compare Source

   🚀 Experimental Features

• Support openTelemetry for browser mode  -  by @​hi-ogawa in #​9180 (1ec3a)
• Support TRACEPARENT and TRACESTATE environment variables for OpenTelemetry context propagation  -  by @​Copilot, hi-ogawa and @​hi-ogawa in #​9295 (876cb)

   🐞 Bug Fixes

• Improve asymmetric matcher diff readability by unwrapping container matchers  -  by @​Copilot, sheremet-va, hi-ogawa and @​hi-ogawa in #​9330 (b2ec7)
• Improve runner error when importing outside of test context  -  by @​sheremet-va in #​9335 (2dd3d)
• Replace crypto.randomUUID to allow insecure environments (fix #​9…  -  by @​plusgut in #​9339 and #​9 (e6a3f)
• Handle null options in addEventHandler #​9371  -  by @​ThibautMarechal in #​9372 and #​9371 (40841)
• Typo in browser.provider error  -  by @​deammer in #​9394 (4b67f)
• browser:
  • Fix process.env and import.meta.env defines in inline project  -  by @​hi-ogawa in #​9239 (b70c9)
  • Fix upload File instance  -  by @​hi-ogawa in #​9294 (b6778)
  • Fix invalid project token for artifacts assets  -  by @​hi-ogawa in #​9321 (caa7d)
  • Log ErrorEvent.message when unhandled ErrorEvent.error is null  -  by @​hi-ogawa in #​9322 (5d84e)
  • Support fileParallelism on an instance  -  by @​sheremet-va in #​9328 (15006)
• coverage:
  • Remove unnecessary istanbul-lib-source-maps usage  -  by @​AriPerkkio in #​9344 (b0940)
  • Apply patch from istanbuljs/istanbuljs#837  -  by @​AriPerkkio and sapphi-red in #​9413 and #​837 (e05ce)
• fsModuleCache:
  • Don't store importers in cache  -  by @​sheremet-va in #​9422 (75136)
  • Add importers alongside importedModules  -  by @​sheremet-va in #​9423 (59f92)
• mocker:
  • Fix mock transform with class  -  by @​hi-ogawa in #​9421 (d390e)
• pool:
  • Validate environment options when reusing the worker  -  by @​sheremet-va in #​9349 (a8a88)
  • Handle worker start failures gracefully  -  by @​AriPerkkio in #​9337 (200da)
• reporter:
  • Report test module if it failed to run  -  by @​sheremet-va in #​9272 (c7888)
• runner:
  • Respect nested test.only within describe.only  -  by @​Ujjwaljain16 in #​9021 and #​9213 (55d5d)
• typecheck:
  • Improve error message when tsc outputs help text  -  by @​Ujjwaljain16 in #​9214 (7b10a)
• ui:
  • Detect gzip by magic numbers instead of Content-Type header in html reporter  -  by @​Copilot, hi-ogawa and @​hi-ogawa in #​9278 (dd033)
• webdriverio:
  • Fall back to WebDriver Classic #​9244  -  by @​JustasMonkev in #​9373 and #​9244 (c23dd)

    View changes on GitHub

v4.0.16

Compare Source

   🐞 Bug Fixes

• Fix browser mode default testTimeout back to 15 seconds  -  by @​hi-ogawa in #​9167 (da0ad)
• Avoid crashing on process.versions stub  -  by @​AriPerkkio in #​9174 (78cfb)
• Reject calling suite function inside test  -  by @​hi-ogawa in #​9198 (1a259)
• Allow inlining fully dynamic import  -  by @​hi-ogawa in #​9137 (56851)
• Fix module graph UI on html reporter with headless browser mode  -  by @​hi-ogawa in #​9219 (60642)
• Log deprecated test.poolOptions if it's set  -  by @​sheremet-va in #​9226 (f7f6a)
• browser:
  • Import recordArtifact from the vitest package  -  by @​macarie in #​9186 (01c56)
  • Fix import.meta.env define  -  by @​hi-ogawa in #​9205 (01a9a)
  • String formatting bug when including placeholders in console.log  -  by @​michael-debs and @​hi-ogawa in #​9030 and #​9131 (84a30)
• coverage:
  • Istanbul untested files source maps are off  -  by @​AriPerkkio in #​9208 (372e8)
• experimental:
  • Export setupEnvironment for custom pools  -  by @​AriPerkkio in #​9187 (5d26b)

    View changes on GitHub

eslint/eslint (eslint)

v9.39.2

Compare Source

unjs/eslint-config (eslint-config-unjs)

v0.6.2

Compare Source

compare changes

🩹 Fixes

• Disable array immutation rules for now (3cde73a)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.6.1

Compare Source

compare changes

💅 Refactors

• Migrate to @eslint/markdown (2f92a53)
• Update default rules (84cdbad)

📦 Build

• Migrate to obuild (8f36bf1)

🏡 Chore

• Update deps (4347a4f)
• Update globals to v17 (4f168b4)
• Update unicorn to 62 (e737dd7)
• release: V0.6.0 (b683294)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.6.0

Compare Source

compare changes

💅 Refactors

• Migrate to @eslint/markdown (2f92a53)

📦 Build

• Migrate to obuild (8f36bf1)

🏡 Chore

• Update deps (4347a4f)
• Update globals to v17 (4f168b4)
• Update unicorn to 62 (e737dd7)

❤️ Contributors

• Pooya Parsa (@​pi0)

h3js/h3 (h3)

v2.0.1-rc.11

Compare Source

compare changes

📦 Build

• Fix types bundling (e32d9e6)

❤️ Contributors

• Pooya Parsa (@​pi0)

v2.0.1-rc.10

Compare Source

compare changes

📦 Build

• Move fetchdts to dependencies due to bundle issues (0d753cf)

❤️ Contributors

• Pooya Parsa (@​pi0)

v2.0.1-rc.9

Compare Source

compare changes

🩹 Fixes

• basic-auth: Use jitter and constant-time string comparison (#​1283)

🌊 Types

• onResponse: Allow returning any value (#​1277)

🏡 Chore

• Update deps (b85db16)
• Update undocs (3fc60f2)
• Update deps (4d87e29)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Huseeiin (@​huseeiin)

v2.0.1-rc.8

Compare Source

compare changes

🩹 Fixes

• fromNodeHandler: Pipe responses once (#​1273)

💅 Refactors

• Avoid unnecessary Error.captureStackTrace (652e883)

🏡 Chore

• Update deps (1dfe739)
• Lint (2ec1eea)

❤️ Contributors

• Pooya Parsa (@​pi0)

v2.0.1-rc.7

Compare Source

compare changes

🚀 Enhancements

• Experimental tracing support (#​1251)
• Customizable validation errors (#​1146)

🩹 Fixes

• mockEvent: Make sure duplex option is properly set (eb83aad)
• handleCacheHeaders: Round modifiedTime to seconds (#​1262)

🏡 Chore

• Fix typo in jsdocs (#​1263)
• Update deps (fcd9ff9)
• Update srvx to 0.10 (0385342)

❤️ Contributors

• Minsu Lee (@​amondnet)
• Sandro Circi (@​sandros94)
• Abdelrahman Awad (@​logaretm)
• Pooya Parsa (@​pi0)
• Huseeiin (@​huseeiin)

v2.0.1-rc.6

Compare Source

compare changes

🚀 Enhancements

• defineWebSocketHandler: Support callback with event (#​1242)

🩹 Fixes

• proxy: Strip transfer-encoding header from proxied response (#​1248)
• Clear event.res after prepare (#​1259)

📖 Documentation

• Add H3ravel to the community section (#​1239)
• Add intlify to community integrations (#​1244)

🏡 Chore

• Lint (4218cbe)
• Update deps (bb10838)
• Update build config (504e878)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Dardan Bujupaj (@​dardanbujupaj)
• Minsu Lee (@​amondnet)
• Kazuya Kawaguchi <kawakazu80@​gmail.com>
• Legacy (@​3m1n3nc3)

unjs/obuild (obuild)

v0.4.20

Compare Source

compare changes

🩹 Fixes

• Avoid analyze in stub mode (c840ae9)

💅 Refactors

• Update inlineDynamicImports to codeSplitting (334eab9)
• Multi-column layout for transform items (8df3220)
• Improve cli formatting (e28cbd4)

🏡 Chore

• Update dev deps (f817bff)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.19

Compare Source

compare changes

🏡 Chore

• Update readme (1affa56)
• Update dependencies (f1e82d1)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.18

Compare Source

compare changes

🩹 Fixes

• Add .d suffix to type chunk groups (e55c9f4)

💅 Refactors

• Update rollup to latest (74786e4)

📦 Build

• Always use obuild bin (d92d40b)

🤖 CI

• Setup nightly releases (a74933a)
• Build before nightly release (2144b6e)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.17

Compare Source

compare changes

🩹 Fixes

• Rollback rolldown to 59 (345aadf)
• Rollback rolldown config (070a2f4)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.16

Compare Source

compare changes

💅 Refactors

• rolldown: Use new codeSplitting option (1c68bd9)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.15

Compare Source

compare changes

📦 Build

• Import oxc utils from rolldown/experimental (cf5f16e)

🏡 Chore

• Update oxc to 0.110 (bc7a8f8)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.14

Compare Source

compare changes

🏡 Chore

• Update rolldown to 1.0.0-beta.59 (51bd7d2)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.13

Compare Source

compare changes

🩹 Fixes

• rolldown: Revert includeDependenciesRecursively (7325ddd)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.12

Compare Source

compare changes

🩹 Fixes

• rolldown: Enable includeDependenciesRecursively (6974fb5)
• bundle: Avoid recursion on resolveDeps (2bba5b9)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.11

Compare Source

compare changes

🏡 Chore

• Update deps (34c8198)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.10

Compare Source

compare changes

🏡 Chore

• Update deps (b0d98b8)

v0.4.9

Compare Source

compare changes

🏡 Chore

• Update deps (afc4bff)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.8

Compare Source

compare changes

📖 Documentation

• Add c12 to "currently used" section (#​66)

🏡 Chore

• Update deps (81d54e2)

🤖 CI

• Bump actions checkout (#​64)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Abeer0 (@​iiio2)
• David Abou (@​davidabou)

oxc-project/oxc (oxc-minify)

v0.106.0

🚀 Features

• e031056 codegen: Add sourcemap feature flag (#​17305) (Boshen)
• 8e4409a minifier: Add invalid_import_side_effects option (#​17300) (sapphi-red)

v0.102.0

💥 BREAKING CHANGES

• 083fea9 napi/parser: [BREAKING] Represent empty optional fields on JS side as null (#​16411) (overlookmotel)

pnpm/pnpm (pnpm)

v10.28.1

Compare Source

v10.28.0

Compare Source

v10.27.0

Compare Source

v10.26.2: pnpm 10.26.2

Compare Source

Patch Changes

• Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #​10307.

• Fix installation of Git dependencies using annotated tags #​10335.

  Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out commit hash didn't match the stored tag object hash.

• Binaries of runtime engines (Node.js, Deno, Bun) are written to node_modules/.bin before lifecycle scripts (install, postinstall, prepare) are executed #​10244.

• Try to avoid making network calls with preferOffline #​10334.

Platinum Sponsors

Gold Sponsors

v10.26.1: pnpm 10.26.1

Compare Source

Patch Changes

• Don't fail on pnpm add, when blockExoticSubdeps is set to true #​10324.
• Always resolve git references to full commits and ensure HEAD points to the commit after checkout #​10310.

Platinum Sponsors

Gold Sponsors

v10.26.0

Compare Source

v10.25.0

Compare Source

prettier/prettier (prettier)

v3.8.1

Compare Source

v3.8.0

Compare Source

diff

🔗 Release note

h3js/srvx (srvx)

v0.10.1

Compare Source

compare changes

🚀 Enhancements

• Support force close with double Control+C (#​163)

🩹 Fixes

• node: Call request abort controller only on close (#​161)
• node: Handle multiple close calls (#​164)
• Handle non-parsable URLs in printListening (#​165)

🏡 Chore

• Swtich to tsgo (#​159)
• Update undocs (2b57ffe)
• Update deps (64a1485)
• Update deps (b553658)

✅ Tests

• Use vitest for bun (#​162)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Oskar Lebuda oskar.lebuda@enp.pl

v0.10.0

Compare Source

compare changes

🩹 Fixes

• types: Split http1 and http2 handler types (#​154)

💅 Refactors

• node: ⚠️ Avoid patching global request by default (#​155)

📖 Documentation

• Add notes about NodeRequest (f483611)
• node: Also mention req.clone() (7a88abf)

🌊 Types

• Add _request type (ddc4ac3)

⚠️ Breaking Changes

• node: ⚠️ Avoid patching global request by default (#​155)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Kricsleo (@​kricsleo)

v0.9.8

Compare Source

compare changes

🚀 Enhancements

• Export AdapterMeta (#​151)
• Experimental tracing channel support (#​141)

🩹 Fixes

• node: Don't fire abort signal on normal request completion (#​153)

🏡 Chore

• Update deps (b79112e)
• Fix types (206a708)
• Update bench (4b58e3f)
• Small refactors on #​153 (#​153)
• Add experimental jsdocs for tracing (f4a7996)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Abdelrahman Awad (@​logaretm)
• Alpheus (@​alpheusmtx)
• David Citron (@​dcitron)

unjs/ufo (ufo)

v1.6.3

Compare Source

compare changes

🩹 Fixes

• withBase, withoutBase: Prevent false prefix matches (#​313)

🏡 Chore

• Update deps (04b73bd)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Florian Heuberger (@​Flo0806)

v1.6.2

Compare Source

compare changes

🩹 Fixes

• Fix parsePath return type (#​293)

📖 Documentation

• Add more examples in jsdoc (#​291)

📦 Build

• Fix exports condition order to prefer esm with default fallback (8457581)

🏡 Chore

• release: V1.6.1 (b83cbea)
• Update deps (9d1833b)
• Lint (0181677)

❤️ Contributors

• Daedalus (@​ComfortablyCoding)
• Pooya Parsa (@​pi0)
• Alex Liu (@​Mini-ghost)

unjs/unstorage (unstorage)

v1.17.4

Compare Source

compare changes

[!IMPORTANT]
Some dependencies now require Node.js 20 or later.
If you are on an older Node.js version, please upgrade.

[!IMPORTANT]
H3 has been updated with a security fix related to request body handling (read more).
If you use createH3StorageHandler, upgrading is strongly recommended.

📦 Dependency Updates

• Upgraded chokidar to v5 (454a024)
• Upgraded lru-cache to v11 (b867a09)
• Fixed @vercel/kv peer dependency range (b3dc1cf)

---

Configuration

📅 Schedule: Branch creation - "after 2am and before 3am" (UTC), Automerge - "after 1am and before 2am" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.27%. Comparing base (3189d0e) to head (2f5607e).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #286   +/-   ##
=======================================
  Coverage   72.27%   72.27%           
=======================================
  Files           8        8           
  Lines         404      404           
  Branches      104      104           
=======================================
  Hits          292      292           
  Misses         92       92           
  Partials       20       20           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.