fix(deps): update rolldown-related dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@oxc-project/types (source)	^0.126.0 → ^0.129.0
oxc-parser (source)	^0.126.0 → ^0.129.0
rolldown (source)	^1.0.0-rc.16 → ^1.0.0
rolldown (source)	1.0.0-rc.16 → 1.0.0
tsdown (source)	^0.21.9 → ^0.22.0
vite (source)	^8.0.9 → ^8.0.11

---

Release Notes

oxc-project/oxc (oxc-parser)

v0.129.0

🐛 Bug Fixes

• 429deac napi/parser: Export visitorKeys from wasm entrypoint (#​21996) (NullVoxPopuli)

v0.128.0

💥 BREAKING CHANGES

• 502e804 ast: [BREAKING] Reduce size of TSTypePredicateName (#​21711) (overlookmotel)
• 5651539 ast: [BREAKING] Reduce size of JSXExpression (#​21710) (overlookmotel)
• c44e280 ast: [BREAKING] Reduce size of ArrayExpressionElement (#​21709) (overlookmotel)

⚡ Performance

• 9fa362e napi/parser: Do not generate tokens except in tests (#​21811) (overlookmotel)

🛡️ Security

• d8076c9 deps: Update rolldown (#​21639) (renovate)

v0.127.0

🐛 Bug Fixes

• 00fc136 codegen: Preserve coverage comments before object properties (#​21312) (bab)

rolldown/rolldown (rolldown)

v1.0.0

Compare Source

🐛 Bug Fixes

• dev/lazy: lazily compiled modules should be watched (#​9301) by @​h-a-n-a
• implement dynamic dominator merge logic (#​9270) by @​TheAlexLichter
• dev: apply __toCommonJS interop when CJS requires ESM in HMR finalizer (#​9261) by @​h-a-n-a

🚜 Refactor

• ecma_ast: tighten allocator access to enforce Sync invariant (#​9278) by @​IWANABETHATGUY
• scan_stage: remove stmt_infos field from EcmaView (#​9276) by @​IWANABETHATGUY
• link_stage: detach stmt_infos from EcmaView (#​9274) by @​IWANABETHATGUY
• link_stage: detach depended_runtime_helper from EcmaView to remove unsafe (#​9265) by @​IWANABETHATGUY
• link_stage: remove unsafe in determine_module_exports_kind (#​9253) by @​IWANABETHATGUY

📚 Documentation

• getting-started: remove RC warning for 1.0.0 release (#​9310) by @​shulaoda
• getting-started: update version references for 1.0.0 release (#​9309) by @​shulaoda
• add Vite+ tab to getting-started snippets (#​9285) by @​shulaoda
• lazy-barrel: clarify own-exports behavior for import-then-export records (#​9298) by @​shulaoda
• restructure top navigation around Learn vs Reference (#​9284) by @​shulaoda
• builtin-plugins: add bundle analyzer plugin docs (#​9292) by @​shulaoda
• design doc for reference_needed_symbols (#​9264) by @​IWANABETHATGUY

⚡ Performance

• devtools: write logs on a background thread (#​9219) by @​IWANABETHATGUY

⚙️ Miscellaneous Tasks

• mark esbuild/ts/parameter_props_use_define_for_class_fields_true as passed (#​9308) by @​sapphi-red
• deps: upgrade oxc to 0.129.0 (#​9297) by @​shulaoda
• deps: update rollup submodule for tests to v4.60.3 (#​9294) by @​sapphi-red
• deps: update test262 submodule for tests (#​9295) by @​sapphi-red
• ai: add rolldown REPL decode skill (#​9245) by @​Dunqing

v1.0.0-rc.18

Compare Source

💥 BREAKING CHANGES

• optimization: default unspecified inlineConst.mode to smart (#​9248) by @​IWANABETHATGUY

🐛 Bug Fixes

• rolldown_plugin_vite_import_glob: return error instead of panicking when virtual module uses a relative glob (#​9241) by @​shulaoda
• binding: treat empty inlineConst object as omitted (#​9247) by @​IWANABETHATGUY
• rolldown: keep enum declaration for optional-chain access (#​9229) by @​Dunqing
• link_stage: restore inline let-else in exports-kind filter (#​9237) by @​IWANABETHATGUY
• dev/lazy: avoid module reinitialization in lazy compilation patches (#​9179) by @​h-a-n-a
• dev: visit identifier references for runtime rewrites in HMR finalizer (#​9191) by @​h-a-n-a
• chunk-optimizer: pick dominator for runtime placement to avoid cycles (#​9164) by @​IWANABETHATGUY
• make this.emitFile chunk path synchronous to avoid deadlock (#​9031) by @​lazarv
• use sentinel id for browser: false ignored modules (#​9192) by @​shulaoda
• prevent chunk optimizer from creating import cycles (#​9228) by @​IWANABETHATGUY

🚜 Refactor

• replace tokio::sync::Mutex with std::sync::Mutex for non-IO data (#​9176) by @​shulaoda
• rolldown_plugin_vite_import_glob: do not rewrite import path for absolute base (#​9195) by @​shulaoda
• runtime_helper: wrap DependedRuntimeHelperMap in a struct (#​9215) by @​IWANABETHATGUY
• drop redundant clear() in determine_safely_merge_cjs_ns (#​9206) by @​IWANABETHATGUY
• clean up generate_lazy_export (#​9208) by @​IWANABETHATGUY
• bitset: return bool from set_bit to fuse guard-and-set (#​9207) by @​IWANABETHATGUY
• link_stage: simplify exports-kind filter and clarify safety comments (#​9205) by @​IWANABETHATGUY

📚 Documentation

• determine_module_exports_kind (#​9252) by @​IWANABETHATGUY
• fix dead link to esbuild ESM/CJS interop tests (#​9230) by @​Copilot
• remove CSS bundling references (#​9234) by @​shulaoda
• correct IncrementalFullBuild row in BundleMode table (#​9214) by @​IWANABETHATGUY
• design: add bundler data lifecycle design doc (#​9212) by @​hyf0
• remove minifier alpha status notices (#​9202) by @​sapphi-red

⚙️ Miscellaneous Tasks

• upgrade oxc to 0.128.0 (#​9260) by @​shulaoda
• deps: bump rolldown-ariadne to 0.6.0 (#​9254) by @​IWANABETHATGUY
• deps: update github actions (#​9259) by @​renovate[bot]
• deps: update github actions (#​9258) by @​renovate[bot]
• remove renovate overrides (#​9257) by @​Boshen
• use ubuntu-latest for security workflow (#​9256) by @​Boshen
• notify Discord around release publish (#​9251) by @​Boshen
• add release environment to npm publish workflow (#​9250) by @​Boshen
• justfile: drop the -- separator before forwarded args in vp run (#​9246) by @​shulaoda
• deps: update test262 submodule for tests (#​9243) by @​sapphi-red
• add more tracing instrumentations (#​9220) by @​sapphi-red
• rolldown_plugin_vite_import_glob: remove outdated sourcemap doc comment (#​9213) by @​shulaoda
• update security workflow (#​9201) by @​Boshen

❤️ New Contributors

• @​lazarv made their first contribution in #​9031

v1.0.0-rc.17

Compare Source

🐛 Bug Fixes

• link: error on missing export between TS modules (#​9197) by @​IWANABETHATGUY
• rolldown_plugin_vite_import_glob: import path should not be affected by absolute base option (#​9145) by @​kermanx
• this.resolve() returns null for bare relative paths without importer (#​9142) by @​Copilot
• collect destructured bindings in HMR module exports (#​9146) by @​h-a-n-a
• esbuild-tests: handle 0.28.0 test cases (#​9149) by @​sapphi-red
• plugin/copy-module: honor external resolutions from other plugins (#​9139) by @​TheAlexLichter
• allow undefined in sourcesContent type (#​9136) by @​jurijzahn8019
• reduce false positives in chunk optimizer circular dependency detection (#​9049) by @​AlonMiz

🚜 Refactor

• chunk-optimizer: extract runtime-module placement into rehome_runtime_module (#​9163) by @​IWANABETHATGUY

📚 Documentation

• add design doc for sort_modules execution ordering (#​9169) by @​IWANABETHATGUY
• add document for RenderedModule (#​9147) by @​sapphi-red

⚡ Performance

• rolldown_plugin_vite_import_glob: skip self-import earlier using raw path comparison (#​9193) by @​shulaoda

🧪 Testing

• lazy: add playground/lazy-compilation (#​7974) by @​hyf0

⚙️ Miscellaneous Tasks

• use app token for release PR (#​9198) by @​Boshen
• upgrade oxc to 0.127.0 (#​9194) by @​Dunqing
• use oxc security action (#​9196) by @​Boshen
• esbuild-tests: remove some tests from ignored list as enum inline is now supported (#​9184) by @​sapphi-red
• deps: update dependency vite-plus to v0.1.19 (#​9183) by @​renovate[bot]
• use vp instead of pnpm in check-wasi-binding-deps (#​9182) by @​shulaoda
• verify wasm32-wasi binding deps match @​rolldown/browser before publish (#​9162) by @​shulaoda
• deps: update esbuild for tests to 0.28.0 (#​9172) by @​sapphi-red
• deps: update rollup submodule for tests to v4.60.2 (#​9173) by @​sapphi-red
• deps: update test262 submodule for tests (#​9174) by @​sapphi-red
• sort_modules: fix stale async-entry sort key comment (#​9170) by @​IWANABETHATGUY
• deps: update npm packages (#​9157) by @​renovate[bot]
• deps: update dependency diff to v9 (#​9158) by @​renovate[bot]
• deps: update rust crates (#​9156) by @​renovate[bot]
• run Windows CI on PRs labeled with ci: windows (#​9153) by @​hyf0
• update-test-dependencies: run setup-rust before file changes (#​9151) by @​sapphi-red
• deps: update dependency rust to v1.95.0 (#​9140) by @​renovate[bot]

❤️ New Contributors

• @​jurijzahn8019 made their first contribution in #​9136
• @​AlonMiz made their first contribution in #​9049

rolldown/tsdown (tsdown)

v0.22.0

Compare Source

   🚨 Breaking Changes

• Drop Node.js < 22.18.0 support, make unrun optional, add tsx config loader  -  by @​sxzz (a1042)
• dts: Auto-enable dts when tsconfig declaration is true  -  by @​sxzz in #​872 (085f0)
• publint: Use pkg from publint results, require publint v0.3.8+  -  by @​sxzz (413bb)

   🚀 Features

• Upgrade rolldown to 1.0.0-rc.18  -  by @​sxzz (66085)
• Upgrade rolldown to v1.0.0  -  by @​sxzz (fabba)
• exports: Auto-enable bin detection by default  -  by @​sxzz in #​873 (abda9)

   🐞 Bug Fixes

• Explicitly drop node 23 support  -  by @​sxzz (85e65)
• debug: Enhance debug logging for pack tarball  -  by @​sxzz and Copilot (5de04)
• exports: Detect types fields nested in conditional exports  -  by @​sxzz (82fa1)
• pkg: Fix duplicate configuration warning logic  -  by @​ho991217 and @​sxzz in #​935 (6a0d9)

🔄 Migration Guide

Node.js version

Upgrade to Node.js 22.18.0 or later. Bun and Deno remain supported (experimental).

unrun is no longer bundled

If your environment relies on the unrun config loader (i.e. you're on a Node version without native TypeScript support and use the default auto loader), install it manually:

npm i -D unrun

# or, alternatively, the new tsx loader:
npm i -D tsx

If you use Node.js 22.18.0+ with native TypeScript support, no change is needed — the auto loader will pick native.

dts auto-enabled from tsconfig

If your tsconfig.json has compilerOptions.declaration: true but you do not want tsdown to emit .d.ts files, opt out explicitly:

// tsdown.config.ts
export default defineConfig({
  dts: false,
})

exports.bin auto-detection

Any entry chunk containing a shebang (e.g. #!/usr/bin/env node) now causes tsdown to write a bin field in package.json automatically. The semantics differ slightly from explicit bin: true:

Value	Single shebang	Multiple shebangs	No shebangs
(unset)	Auto-set bin	Warn, skip	Silent
true	Auto-set bin	Throw	Warn
false	No bin	No bin	No bin

To opt out entirely:

export default defineConfig({
  exports: { bin: false },
})

Links

• tsdown Documentation
• v0.22.0-beta.1 Release
• v0.22.0-beta.2 Release
• v0.22.0-beta.3 Release
• Full diff from v0.21.10

v0.21.10

Compare Source

   🚀 Features

• Upgrade rolldown  -  by @​sxzz (8a449)

    View changes on GitHub

vitejs/vite (vite)

v8.0.11

Compare Source

Features

• update rolldown to 1.0.0-rc.18 (#​22360) (3f80524)

Bug Fixes

• deps: update all non-major dependencies (#​22334) (672c962)
• deps: update all non-major dependencies (#​22382) (5c0cfcb)
• glob: align hmr matcher options with glob enumeration (#​22306) (30028f9)
• make separate object instance for each environment (#​22276) (7c2aa3b)

Documentation

• create-vite: list react-compiler templates in README (#​22347) (7c3a61f)
• explain mergeConfig skips null/undefined (#​22325) (2151f70)
• mention native config loader in CLI options (#​22348) (0420c5d)
• update evan's x handle (640202a)

Miscellaneous Chores

• deps: update dependency tsdown to ^0.21.10 (#​22333) (3b51e05)
• deps: update rolldown-related dependencies (#​22383) (555ff36)
• deps: update transitive packages to fix npm audit alerts (#​22316) (86aee62)

Code Refactoring

• devtools integration (#​22312) (3c8bf06)
• remove unnecessary async (#​22296) (b31fd35)
• show direct path type in bad character warning (#​22339) (0c162e9)

Tests

• create-vite: use short help alias (#​22389) (994ab66)

v8.0.10

Compare Source

Features

• update rolldown to 1.0.0-rc.17 (#​22299) (a4d06d9)

Bug Fixes

• hmrClient.logger.debug and hmrClient.logger.error looked different from other HMR logs (#​22147) (a4d828f)
• css: show filename in CSS minification warnings for .css?inline (#​22292) (83f0a78)
• optimizer: allow user transform.target to override default in optimizeDeps (#​22273) (5c7cec6)
• remove format sniffing module resolution from JS resolver (#​22297) (b8a21cc)

Code Refactoring

• enable some typecheck rules (#​22278) (9437518)
• typecheck client directory (#​22284) (40a0847)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​oxc-project/​types@​0.129.0
	rolldown@​1.0.0
	vite@​8.0.9 ⏵ 8.0.11			+1
	tsdown@​0.21.9 ⏵ 0.22.0	+1		+1	+1
	oxc-parser@​0.126.0 ⏵ 0.129.0			+1	+1

View full report