Chore(deps): Bump the npm-minor-patch group with 9 updates

[dependabot]

Bumps the npm-minor-patch group with 9 updates:

Package	From	To
@tanstack/form-core	1.32.0	1.33.0
@tanstack/react-form	1.32.0	1.33.0
@tanstack/react-router	1.170.8	1.170.9
@tanstack/router-core	1.171.6	1.171.7
fallow	2.80.0	2.84.0
@babel/core	7.29.0	7.29.7
@tanstack/router-plugin	1.168.11	1.168.12
rolldown	1.0.2	1.0.3
typescript-eslint	8.59.4	8.60.0

Updates @tanstack/form-core from 1.32.0 to 1.33.0

Release notes

Sourced from @​tanstack/form-core's releases.

@​tanstack/form-core@​1.33.0

Minor Changes

• #2128 808f158 - Added FormGroup API

@​tanstack/form-core@​1.32.1

Patch Changes

• #2190 b402d7a - Fix array async default values not updating

• #2152 d0d941d - Improve performance for mounting/unmounting <form.Field>

Changelog

Sourced from @​tanstack/form-core's changelog.

1.33.0

Minor Changes

• #2128 808f158 - Added FormGroup API

1.32.1

Patch Changes

• #2190 b402d7a - Fix array async default values not updating

• #2152 d0d941d - Improve performance for mounting/unmounting <form.Field>

Commits

• 1d2c585 ci: Version Packages (#2196)
• 808f158 Form Groups (#2128)
• 5d8b2cd ci: Version Packages (#2193)
• 120473e Fix trusted provenance (#2194)
• b402d7a fix(form-core): bump _arrayVersion when async defaultValues update array fiel...
• d0d941d feat(form-core): 5-10x faster makePathArray (#2152)
• See full diff in compare view

Updates @tanstack/react-form from 1.32.0 to 1.33.0

Release notes

Sourced from @​tanstack/react-form's releases.

@​tanstack/react-form-nextjs@​1.33.0

Patch Changes

• Updated dependencies [808f158]:
  • @​tanstack/react-form@​1.33.0

@​tanstack/react-form-remix@​1.33.0

Patch Changes

• Updated dependencies [808f158]:
  • @​tanstack/react-form@​1.33.0

@​tanstack/react-form-start@​1.33.0

Patch Changes

• Updated dependencies [808f158]:
  • @​tanstack/react-form@​1.33.0

@​tanstack/react-form@​1.33.0

Minor Changes

• #2128 808f158 - Added FormGroup API

Patch Changes

• Updated dependencies [808f158]:
  • @​tanstack/form-core@​1.33.0

@​tanstack/react-form-nextjs@​1.32.1

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-form@​1.32.1

@​tanstack/react-form-remix@​1.32.1

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-form@​1.32.1

@​tanstack/react-form-start@​1.32.1

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-form@​1.32.1

@​tanstack/react-form@​1.32.1

Patch Changes

• Updated dependencies [b402d7a, d0d941d]:

... (truncated)

Changelog

Sourced from @​tanstack/react-form's changelog.

1.33.0

Minor Changes

• #2128 808f158 - Added FormGroup API

Patch Changes

• Updated dependencies [808f158]:
  • @​tanstack/form-core@​1.33.0

1.32.1

Patch Changes

• Updated dependencies [b402d7a, d0d941d]:
  • @​tanstack/form-core@​1.32.1

Commits

• 1d2c585 ci: Version Packages (#2196)
• 808f158 Form Groups (#2128)
• 5d8b2cd ci: Version Packages (#2193)
• 120473e Fix trusted provenance (#2194)
• b402d7a fix(form-core): bump _arrayVersion when async defaultValues update array fiel...
• See full diff in compare view

Updates @tanstack/react-router from 1.170.8 to 1.170.9

Release notes

Sourced from @​tanstack/react-router's releases.

@​tanstack/react-router@​1.170.9

Patch Changes

• #7497 d1997b6 - fix streaming

• Updated dependencies [d1997b6]:

  • @​tanstack/router-core@​1.171.7

Changelog

Sourced from @​tanstack/react-router's changelog.

1.170.9

Patch Changes

• #7497 d1997b6 - fix streaming

• Updated dependencies [d1997b6]:

  • @​tanstack/router-core@​1.171.7

Commits

• 8b36591 ci: Version Packages (#7504)
• d1997b6 fix: fix streaming (#7497)
• See full diff in compare view

Updates @tanstack/router-core from 1.171.6 to 1.171.7

Release notes

Sourced from @​tanstack/router-core's releases.

@​tanstack/router-core@​1.171.7

Patch Changes

• #7497 d1997b6 - fix streaming

Changelog

Sourced from @​tanstack/router-core's changelog.

1.171.7

Patch Changes

• #7497 d1997b6 - fix streaming

Commits

• 8b36591 ci: Version Packages (#7504)
• d1997b6 fix: fix streaming (#7497)
• See full diff in compare view

Updates fallow from 2.80.0 to 2.84.0

Release notes

Sourced from fallow's releases.

v2.84.0: @​sanity/pkg-utils support

@​sanity/pkg-utils support

Projects built with @sanity/pkg-utils no longer need to hand-list their build configs in entry.

A new pkg-utils plugin keeps package.config.{ts,js,mts,mjs,cts,cjs} and package.bundle.{ts,js,mts,mjs,cts,cjs} reachable automatically, at the repo root and in every workspace package. The tool discovers these files by filename rather than importing them from source, so they previously surfaced as unused-file and had to be listed manually.

The plugin activates only on an exact @sanity/pkg-utils dependency, so a plain @sanity/client consumer with a stray package.config.ts keeps reporting it. It also credits @sanity/pkg-utils as a tooling dependency. The credit is scoped to the two build-config filenames, so an unreferenced ordinary source file still reports.

pkg-utils monorepos can drop the package.config.ts / package.bundle.ts lines from their entry config entirely.

Full Changelog: fallow-rs/fallow@v2.83.0...v2.84.0

v2.83.0: line-move-tolerant runtime-coverage baselines, Nuxt auto-imports, more framework plugins

Runtime coverage

• Cross-surface function identity. Runtime coverage now adopts the fallow-cov-protocol v2 FunctionIdentity (a fallow:fn:<hash> join key over file, name, and start line). One value identifies a function across findings, hot paths, blast-radius, and importance entries, and across V8 / Istanbul / oxc producers (columns are excluded from the hash). Old artifacts without an identity keep working via the existing path/name/line fallback. (Closes #506)
• Baselines survive line moves. Function identities can now carry a source_hash: a content digest of the function body that excludes position. Runtime-coverage baselines match on it in addition to stable_id and the legacy id, so a function that moves to a different line but is otherwise unedited stays suppressed; editing the body re-surfaces it for review. (Closes #742)

Framework support

• Nuxt components referenced only by template tag are now tracked. A new auto_imports plugin capability synthesizes a real graph edge from <MyComponent />-style tags to their component files (directory-prefixed PascalCase, <Lazy...>, .client/.server/.global). Additive by default; opt into autoImports: true to report genuinely-unreferenced convention components as unused. Thanks @​Hal-Spidernight for the detailed proposal. (Closes #704)
• New built-in plugins: Contentlayer, Obsidian, WXT, Varlock, OpenNext Cloudflare, and browser-extension (WebExtension / Chrome MV2+MV3 manifests) projects no longer report their config files, entrypoints, and manifest-declared runtime files as unused.

Fixes

• ignoreUnresolvedImports config field accepts import-specifier globs to suppress expected unresolved-import findings. Thanks @​OmerGronich. (Closes #726)
• tsdown .mts / .cts config files are treated as entry points. Thanks @​eojoel. (Closes #744)
• fallow audit no longer emits spurious Nuxt/Astro prerequisite warnings on its base pass (#705).
• Workspace packages without an exports map resolve missing prebuild output back to source. (Closes #725)
• File health scores surface high CRAP-risk files even when their Maintainability Index is not the lowest. (Closes #554)
• POSIX-rooted paths from Linux tooling stay absolute on Windows. (Closes #614)
• GitHub Action: artifacts-dir writes generated files outside the repository root. Thanks @​Guria. (Closes #735)

Notes

stable_id values use the reconciled cross-producer recipe shared by the CLI, the fallow-cov sidecar, and cloud aggregation. Runtime-coverage baselines written on a previous version re-baseline once.

Full Changelog: fallow-rs/fallow@v2.82.0...v2.83.0

v2.82.0: framework plugins, quieter output, safer fixes

Highlights

A broad framework-plugin release: ng-packagr Angular libraries, electron-vite, Playwright webServer, SvelteKit remote functions, k6, Supabase Edge Functions, Mintlify, and Iconify icon packages all stop producing false unused findings out of the box. Plus quieter JSON output, smarter fallow fix, and a binary-verification model that no longer relies on npm install scripts.

Features

Framework plugins

• Angular ng-packagr libraries: lib.entryFile from ng-package.json / ng-package.prod.json (default src/public_api.ts) is now a package entry point, resolved relative to the config directory, so the library public API and everything reachable through its re-export chain stays alive instead of reporting as unused. Nested secondary-entry-point configs (packages/lib/client/ng-package.json) are scanned too, and the plugin also activates on a ng-packagr dependency. (#606)

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.84.0] - 2026-05-28

Fixed

• @sanity/pkg-utils build configs no longer report as unused. Projects built with @sanity/pkg-utils keep their package.config.{ts,js,mts,mjs,cts,cjs} and package.bundle.{ts,js,mts,mjs,cts,cjs} build configs reachable automatically, at the repo root and in every workspace package. The tool discovers these files by filename rather than importing them from source, so previously each one surfaced as an unused-file and had to be listed manually in entry. A new pkg-utils plugin (activated only by an exact @sanity/pkg-utils dependency, so plain @sanity/client consumers are unaffected) marks them always-used and credits @sanity/pkg-utils as a tooling dependency. pkg-utils monorepos can now drop the package.config.ts / package.bundle.ts lines from their entry config.

[2.83.0] - 2026-05-27

Added

• GitHub Action artifacts can now be written outside the workspace root. The action now accepts artifacts-dir, a workspace-relative directory for generated files such as fallow-results.json, fallow-results.sarif, fallow-stderr.log, and fallow-analysis-args.sh. Before, those files always appeared at the repository root and could be picked up by later formatter or linter steps. After, workflows can use a generated directory such as .var/fallow, while outputs.results and outputs.sarif continue to expose the resolved paths for downstream steps. Thanks @​Guria for the report. (Closes #735.)

• Runtime coverage now uses a cross-surface function identity to join evidence and key baselines. Fallow adopts the fallow-cov-protocol v2 FunctionIdentity (a fallow:fn:<hash> join key derived from file, name, and start line). The static inventory uploaded by fallow coverage upload-inventory and the sidecar request now carry this identity; fallow coverage analyze --cloud and runtime-coverage ingestion prefer it over (path, name, line) when joining runtime evidence to local analysis; and runtime-coverage JSON exposes a stable_id field on findings, hot paths, blast-radius, and importance entries (alongside the existing per-finding id). The same function shares ONE stable_id across findings, hot paths, blast-radius, and importance entries (the per-finding id uses a per-surface salt and differs), and across V8, Istanbul, and oxc producers (columns are excluded from the hash). The identity hash is computed over the repo-relative path, so --path-prefix (used for containerized runtime paths) does not affect the join. Old coverage artifacts without an identity continue to work via the existing path/name/line fallback, and fallow ... --explain documents the fallback order plus the suppression-key vs join-key distinction. Baselines prefer stable_id when present and the grace-window reader accepts both the new fallow:fn: and the legacy fallow:prod: keys, so existing baselines keep suppressing. Like the legacy id, stable_id hashes the function's start line, so a function that moves to a different line gets a new key under either; the value of stable_id is cross-surface and cross-producer joinability, not line-move immunity (the new source_hash content digest provides line-move-tolerant matching separately, see below). (Closes #506.)

• Runtime-coverage baselines now survive line moves. Each function identity can carry an optional source_hash: a content digest of the function body that excludes position, so a function that moves to a different line but is otherwise unedited keeps the same source_hash. The static analyzer computes it during extraction, the fallow-cov sidecar carries it through from the uploaded static index, and runtime-coverage baselines match on (file, name, source_hash) in addition to stable_id and the legacy fallow:prod: id. A baselined finding therefore stays suppressed across a pure line shift, while editing the function body re-surfaces it for review. Findings with no source_hash fall back to the existing keys, so behavior is unchanged where it is absent. (Closes #742.)

• Nuxt components referenced only by template tag are now tracked in the module graph. Frameworks like Nuxt expose components to templates by filesystem convention (<Card001 /> resolving to components/Card001.vue) with no import statement, so fallow previously kept whole convention directories alive as entry points and could never report a genuinely-unreferenced component as unused. A new first-class auto_imports plugin capability now synthesizes a real graph edge from each <Card001 />-style template tag to its component file, covering Nuxt's directory-prefixed PascalCase naming (components/base/Button.vue to <BaseButton>), the implicit <Lazy...> variant, and .client / .server / .global paired files. By default this is additive: components stay registered as entry points (no new unused-file reports) while their default export is credited when consumed via a tag under --include-entry-exports. Opt into the new autoImports: true config field to drop the Nuxt component entry patterns so a genuinely-unreferenced component is reported as unused-file; the flag is conservative (a components: key in nuxt.config keeps the entry patterns, since custom prefix / pathPrefix / dirs are not yet modeled) and stays off by default. Composable, util, and Pinia store auto-imports are tracked separately (#739, #740). Thanks @​Hal-Spidernight for the detailed proposal. (Closes #704.)

• Public Fallow config corpus tooling makes recurring workaround mining repeatable. Maintainers can now run scripts/public-config-corpus.py to search public .fallowrc.json, .fallowrc.jsonc, and fallow.toml files with gh, cache pinned config snapshots under .fallow/public-config-corpus/, and write a deterministic markdown report plus manifest. The manifest records repo/path identity, blob URL, raw URL, blob SHA, URL ref fallback, byte count, sha256, parse status, search query, cap, fetch time, gh version, and fetch failures, so a report can be reviewed instead of trusted as an ad hoc scrape. docs/public-config-corpus.md documents the maintainer workflow, privacy boundaries, and the first seeded public-config research pass that led to #546, #586, #588, #589, #590, #600, #601, and #602. The fixture harness scripts/test-public-config-corpus.sh verifies deterministic offline output without GitHub access. (Closes #603.)

Fixed

• tsdown .mts and .cts config files are now treated as entry points. Before, projects using tsdown.config.mts or tsdown.config.cts could see the config file reported as unused even though tsdown loads those extensions. After, the tsdown plugin recognizes the same config extension family as neighboring bundler plugins, keeps those config files alive, and still extracts their entry arrays as source entry points. Thanks @​eojoel for the report. (Closes #744.)

• Expected unresolved import specifiers can now be ignored from config. Before, generated or runtime-provided imports such as @example/icons, @example/icons/metadata, or ../generated/client required line comments because ignoreDependencies intentionally does not apply to unresolved-import. After, ignoreUnresolvedImports accepts raw import-specifier glob patterns, validates glob syntax without filesystem traversal checks, and suppresses only matching unresolved-import findings. Exact specifiers and subpath globs stay explicit (["@example/icons", "@example/icons/**"]), and JSON actions now suggest adding the reported specifier to this config field. Thanks @​OmerGronich for the report. (Closes #726.)

• fallow audit no longer emits spurious Nuxt/Astro prerequisite warnings on its base pass. Before, the audit base worktree was created with git worktree add --detach, which omits the gitignored .nuxt/ and .astro/ generated directories, so meta-framework projects saw missing .nuxt/tsconfig.json / missing .astro/ types warnings and a broken tsconfig references chain that dropped affected files into resolver-less resolution on the baseline comparison. After, the base worktree symlinks .nuxt/ and .astro/ from the host checkout alongside the existing node_modules symlink, driven by a shared MATERIALIZED_CONTEXT_DIRS constant that stays aligned with the plugin registry's meta-framework prerequisite list. (#705.)

• Workspace packages without exports now resolve missing prebuild output back to source. Before, a sibling workspace package that omitted exports but pointed module or types at missing dist/ files could surface as both an unresolved import and an unused dependency before the package was built. After, bare workspace package imports without an exports map use the same source fallback as prebuild package-map targets, so @example/lib resolves to packages/lib/src/index.ts and dependency usage is credited. (Closes #725.)

• Contentlayer configs, content roots, and generated output are no longer reported as unused. Before, Contentlayer and Contentlayer2 projects commonly needed manual entries for contentlayer.config.*, data/**/*.mdx, generated .contentlayer/** files, and remark or rehype packages loaded only through the config. After, a built-in Contentlayer plugin activates from contentlayer, contentlayer2, next-contentlayer, next-contentlayer2, or a root config file; keeps contentlayer.config.{ts,js,mts,mjs} and generated .contentlayer/**/*.{ts,tsx,js,jsx,mts,mjs,cts,cjs} files reachable; traverses .contentlayer only for active projects; credits packages imported by the config; and extracts static contentDirPath plus same-file defineDocumentType filePathPattern literals as content roots. Dynamic config and cross-file document type evaluation remain out of scope. (Closes #610.)

• File health scores now surface high CRAP-risk files even when their Maintainability Index is not the lowest. Before, --file-scores sorted only by Maintainability Index, so an untested, very high-CRAP file could appear below a lower-MI file whose tested complexity made it less urgent. After, file scores are sorted by risk-aware triage concern: the larger of low-MI concern and a CRAP risk curve aligned to the low/moderate/high CRAP bands, with equal-concern ties broken by raw CRAP so the displayed Risk column reads top-down. The human table tags each row risk or structure to show which signal placed it. JSON, markdown, compact, MCP, grouped health, and API consumers receive the same order. (Closes #554.)

• Obsidian plugin entry files and lifecycle overrides are no longer reported as unused. Before, Obsidian plugins commonly needed manual config for src/main.ts, styles.css, cdp.js, and framework-called lifecycle methods such as Plugin.onload, Plugin.onunload, Modal.onOpen, and ItemView.onOpen. After, a built-in obsidian plugin activates from the obsidian dependency or a conservative Obsidian-shaped manifest.json, treats src/main.{ts,js}, main.{ts,js}, and root cdp.js as runtime entrypoints, keeps manifest.json and styles.css reachable, and credits documented lifecycle overrides only on direct Plugin, Modal, ItemView, and View subclasses. Ordinary classes and aliased or transitive local base classes still report unused methods. (Closes #617.)

• POSIX-rooted paths from Linux tooling stay absolute on Windows. Before, several path resolvers used host-specific Path::is_absolute, so values such as /ci/workspace/... from Linux-generated coverage data, config inheritance, or plugin setup-file paths could be treated as relative on Windows and joined under the project root. After, the shared cross-platform absolute-path helper lives in fallow-types, remains re-exported for CLI callers, and the high-risk config extends, plugin setup-file, and health coverage path resolvers use it consistently. (Closes #614.)

• WXT config modules and extension entrypoints are no longer reported as unused. Before, WXT browser-extension projects often needed manual entries for entrypoints/ files and dependency ignores for packages loaded only through wxt.config.* modules. After, a built-in wxt plugin activates from wxt, @wxt-dev/*, or wxt.config.*; keeps WXT config files reachable; credits the config default export under entry-export validation; marks documented single-file entrypoints and directory index.* entrypoints as runtime roots; and credits static modules: [...] package specifiers, including subpaths such as @wxt-dev/i18n/module. Helper files under entrypoint directories remain reportable unless imported. (Closes #612.)

• Browser extension manifest entrypoints are no longer reported as unused. Before, WebExtension and Chrome Extension projects that declared their runtime files only in manifest.json could report background service workers, content scripts, popup/options page scripts, and manifest-exposed local resources as unused-files because there was no import edge from the app graph. After, a built-in browser-extension plugin activates from conservative extension-shaped manifests (manifest_version 2 or 3 plus extension runtime keys), discovers root and nested extension manifests, and seeds MV3 service workers, MV2 background scripts, content script JS/CSS, popup/options/devtools/side-panel HTML, and MV2/MV3 web_accessible_resources entries as runtime entrypoints. Ordinary PWA web manifests remain ignored. (Closes #616.)

• Varlock schema plugins and Vite integration packages no longer report as unused. Before, projects that loaded provider packages from .env.schema decorators or used @varlock/vite-integration only through Vite config needed manual ignoreDependencies entries because fallow had no Varlock-aware plugin. After, the built-in Varlock plugin activates from varlock, @varlock/*, or .env.schema, keeps schema files reachable, credits package-like @plugin(...) schema references, and treats varlock plus @varlock/vite-integration as tooling dependencies while leaving local paths and URL/protocol plugin references ignored. (Closes #622.)

• OpenNext Cloudflare config files no longer report as unused in adapter projects. Before, open-next.config.* files consumed by opennextjs-cloudflare build could surface as unused files because the Next.js and Wrangler plugins do not own that adapter config surface. After, a built-in OpenNext Cloudflare plugin activates from @opennextjs/cloudflare or package scripts invoking opennextjs-cloudflare, keeps root and nested open-next.config.{ts,js,mjs,cjs} files reachable, and credits packages imported only from those configs while leaving plain Next.js projects unchanged. (Closes #613.)

• Serialized PathBuf fields are now covered by a drift gate and normalized consistently. A new schema test walks CLI/core/types Serialize structs and enum struct variants to require serde_path serializers for PathBuf, Option<PathBuf>, and Vec<PathBuf> fields, with support for skipped serde fields and custom scalar/option serializers. Existing health/runtime-coverage/setup path fields now use those serializers, including optional component-inherited coverage paths, so Windows paths stay slash-normalized in JSON output. (Closes #615.)

• React Compiler's Babel plugin is no longer reported as unused when consumed through explicit Next.js or Vite compiler config. Before, projects that followed the documented Next.js reactCompiler option or Vite @vitejs/plugin-react Babel plugin configuration still saw babel-plugin-react-compiler as an unused dependency because the package is consumed by the framework/compiler pipeline rather than by app imports. After, the Next plugin credits babel-plugin-react-compiler for reactCompiler: true and object-valued reactCompiler config, and the Vite plugin credits explicit React Compiler Babel plugin strings inside provenance-checked @vitejs/plugin-react / documented Babel integration calls. Disabled, missing, unrelated, and arbitrary nested string shapes still report the dependency as unused. (Closes #623.)

... (truncated)

Commits

• 1fe7ae6 chore: release v2.84.0
• 9475785 feat(plugins): add @​sanity/pkg-utils build-config plugin (#749)
• bcd212c chore(napi): sync package.json / package-lock / index.js to v2.83.0
• 8c56182 chore: release v2.83.0
• 7871342 feat(coverage)!: adopt fallow-cov-protocol 0.8.0 stable_id recipe
• e2bf34b feat(coverage): compute source_hash for line-move-tolerant baselines
• 92b245d fix: recognize tsdown mts and cts configs
• 429577d feat(plugins): resolve Nuxt convention auto-imported components in the module...
• e581961 docs(coverage): correct stable_id cross-surface framing
• 92cc059 feat(coverage): consume FunctionIdentity v2 across coverage joins
• Additional commits viewable in compare view

Updates @babel/core from 7.29.0 to 7.29.7

Release notes

Sourced from @​babel/core's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18014 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #18001 [7.x packport]Improve input source map handling (@​JLHwung)
• babel-core, babel-generator
  • #17998 Preserve original identifier names from input sourcemaps (#17992) (@​Andarist)

Committers: 3

• Huáng Jùnliàng (@​JLHwung)
• Mateusz Burzyński (@​Andarist)
• Nicolò Ribaudo (@​nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

• babel-preset-env
  • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser

... (truncated)

Commits

• 4fba754 v7.29.7
• 04ea6b2 v7.29.6
• 99f498a [7.x packport]Improve input source map handling (#18001)
• feba0a3 Preserve original identifier names from input sourcemaps (#17992) (#17998)
• See full diff in compare view

Updates @tanstack/router-plugin from 1.168.11 to 1.168.12

Release notes

Sourced from @​tanstack/router-plugin's releases.

@​tanstack/router-plugin@​1.168.12

Patch Changes

• Updated dependencies [d1997b6]:
  • @​tanstack/react-router@​1.170.9
  • @​tanstack/router-core@​1.171.7
  • @​tanstack/router-generator@​1.167.11

Changelog

Sourced from @​tanstack/router-plugin's changelog.

1.168.12

Patch Changes

• Updated dependencies [d1997b6]:
  • @​tanstack/react-router@​1.170.9
  • @​tanstack/router-core@​1.171.7
  • @​tanstack/router-generator@​1.167.11

Commits

• 8b36591 ci: Version Packages (#7504)
• See full diff in compare view

Updates rolldown from 1.0.2 to 1.0.3

Release notes

Sourced from rolldown's releases.

v1.0.3

[1.0.3] - 2026-05-27

🚀 Features

• transform: respect decorator strictNullChecks option (#9580) by @​kylecannon
• drop defer keyword (#9503) by @​TheAlexLichter

🐛 Bug Fixes

• ci: create target dir before cargo release-oxc update (#9584) by @​shulaoda
• ci: reorder prepare-release steps to avoid dirty git check failure (#9583) by @​shulaoda
• testing: canonicalize temp dir early and use platform-specific separator in test262 (#9582) by @​shulaoda
• testing: resolve symlinked temp dir in test262 snapshot normalization (#9581) by @​shulaoda
• testing: canonicalize temp dir path in test262 snapshot normalization (#9579) by @​shulaoda
• dev: onOutput called twice when initial build fails (#9552) by @​hyf0
• dev: make ensureCurrentBuildFinish not returning error when engine closes (#9564) by @​h-a-n-a
• oxc-runtime: route require() to CJS helper variant (#9263) (#9526) by @​IWANABETHATGUY
• generator: use exporter chunk's export mode for CJS default re-exports (#9299) (#9529) by @​IWANABETHATGUY
• rolldown: always run reduced-atom static cycle check (#9441) (#9514) by @​IWANABETHATGUY
• apply transform.dropLabels before scanning (#9521) (#9522) by @​IWANABETHATGUY
• rolldown_watcher: take rolldown dep through the workspace (#9510) by @​Boshen
• cache: keep the scan-stage cache consistent when a build fails (#9495) by @​h-a-n-a
• skip JSON default-import namespace optimization for write targets (#9484) (#9489) by @​IWANABETHATGUY
• deps: skip pnpm frozen-lockfile on Netlify to dodge catalog mismatch bug (#9471) by @​Boshen

🚜 Refactor

• oxc-runtime: use Cow for helper path construction (#9538) by @​IWANABETHATGUY
• fold import defer phase drop into PreProcessor (#9524) by @​IWANABETHATGUY
• distinguish map: null vs map: undefined in transform hook output (#9497) by @​sapphi-red

📚 Documentation

• explain the policy for Rust crates (#9547) by @​sapphi-red
• cache: add design doc for cache (#9544) by @​h-a-n-a
• guide/troubleshooting: add TDZ error section (#9537) by @​sapphi-red
• dev-engine: add design doc for dev-engine (#9479) by @​h-a-n-a
• lazy-barrel: tweak some words (#9483) by @​shulaoda
• lazy-barrel: expand reasoning behind LARGE_BARREL_MODULES advice (#9477) by @​shulaoda

⚡ Performance

• generate: thread ast_table by value into codegen consumer (#9555) by @​Boshen
• finalizers: replace _reExport construction with a direct call to avoid calling clone_in (#9501) by @​Dunqing
• reorder hot-path boolean checks to short-circuit on cheap predicates first (#9523) by @​Boshen

🧪 Testing

• rolldown: regression fixture for #9401 (#9418) by @​IWANABETHATGUY

... (truncated)

Changelog

Sourced from rolldown's changelog.

[1.0.3] - 2026-05-27

🚀 Features

• transform: respect decorator strictNullChecks option (#9580) by @​kylecannon
• drop defer keyword (#9503) by @​TheAlexLichter

🐛 Bug Fixes

• ci: create target dir before cargo release-oxc update (#9584) by @​shulaoda
• ci: reorder prepare-release steps to avoid dirty git check failure (#9583) by @​shulaoda
• testing: canonicalize temp dir early and use platform-specific separator in test262 (#9582) by @​shulaoda
• testing: resolve symlinked temp dir in test262 snapshot normalization (#9581) by @​shulaoda
• testing: canonicalize temp dir path in test262 snapshot normalization (#9579) by @​shulaoda
• dev: onOutput called twice when initial build fails (#9552) by @​hyf0
• dev: make ensureCurrentBuildFinish not returning error when engine closes (#9564) by @​h-a-n-a
• oxc-runtime: route require() to CJS helper variant (#9263) (#9526) by @​IWANABETHATGUY
• generator: use exporter chunk's export mode for CJS default re-exports (#9299) (#9529) by @​IWANABETHATGUY
• rolldown: always run reduced-atom static cycle check (#9441) (#9514) by @​IWANABETHATGUY
• apply transform.dropLabels before scanning (#9521) (#9522) by @​IWANABETHATGUY
• rolldown_watcher: take rolldown dep through the workspace (#9510) by @​Boshen
• cache: keep the scan-stage cache consistent when a build fails (#9495) by @​h-a-n-aDescription has been truncated