chore(deps): bump the prod-dependencies group across 1 directory with 4 updates

[dependabot]

Bumps the prod-dependencies group with 3 updates in the / directory: solid-js, @clack/prompts and esbuild.

Updates solid-js from 1.9.12 to 1.9.13

Commits

• See full diff in compare view

Updates @clack/prompts from 1.2.0 to 1.4.0

Release notes

Sourced from @​clack/prompts's releases.

@​clack/prompts@​1.4.0

Minor Changes

• 284677e: Support scrolling and maxItems option for groupMultiselect, and removes indent when withGuide is set to false

Patch Changes

• aab46a2: docs: add jsdoc for text, password, and multiline prompts
• 54be8d7: Fix line wrapping and overflow computation in group multi-select and other list-like prompts.
• Updated dependencies [54be8d7]
  • @​clack/core@​1.3.1

@​clack/prompts@​1.3.0

Minor Changes

• ea5702e: fix: add engines field expressing node >=20.12 requirement
• 814ab9a: Add new multiline prompt for multi-line text input.

Patch Changes

• 5b897a7: Fix mixed type-only and runtime exports from @​clack/core.
• Updated dependencies [78fd3ae]
• Updated dependencies [ea5702e]
• Updated dependencies [814ab9a]
  • @​clack/core@​1.3.0

Changelog

Sourced from @​clack/prompts's changelog.

1.4.0

Minor Changes

• 284677e: Support scrolling and maxItems option for groupMultiselect, and removes indent when withGuide is set to false

Patch Changes

• aab46a2: docs: add jsdoc for text, password, and multiline prompts
• 54be8d7: Fix line wrapping and overflow computation in group multi-select and other list-like prompts.
• Updated dependencies [54be8d7]
  • @​clack/core@​1.3.1

1.3.0

Minor Changes

• ea5702e: fix: add engines field expressing node >=20.12 requirement
• 814ab9a: Add new multiline prompt for multi-line text input.

Patch Changes

• 5b897a7: Fix mixed type-only and runtime exports from @​clack/core.
• Updated dependencies [78fd3ae]
• Updated dependencies [ea5702e]
• Updated dependencies [814ab9a]
  • @​clack/core@​1.3.0

Commits

• fe2bcd2 [ci] release (#530)
• aab46a2 docs: add jsdoc for text, password, and multiline prompts (#523)
• 54be8d7 fix: trim lines from correct end (#532)
• 284677e feat(prompts): support maxItems in groupMultiselect (#528)
• 05bfd43 [ci] release (#501)
• 5b897a7 fix: split type-only and runtime exports (#518)
• cd7e5cd deps: update pnpm and align node types version (#515)
• 970268b chore(deps): update deps in core and prompts packages (#512)
• ea5702e chore: add engines field to prompts and core (#514)
• ec432f9 docs: correct Progress example in README (#505)
• Additional commits viewable in compare view

Updates esbuild from 0.21.5 to 0.28.0

Release notes

Sourced from esbuild's releases.

v0.28.0

• Add support for with { type: 'text' } imports (#4435)

  The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

  import string from './example.txt' with { type: 'text' }
  console.log(string)

• Add integrity checks to fallback download path (#4343)

  Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

  This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

• Update the Go compiler from 1.25.7 to 1.26.1

  This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

  • It now uses the new garbage collector that comes with Go 1.26.
  • The Go compiler is now more aggressive with allocating memory on the stack.
  • The executable format that the Go linker uses has undergone several changes.
  • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

  You can read the Go 1.26 release notes for more information.

v0.27.7

• Fix lowering of define semantics for TypeScript parameter properties (#4421)

  The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

  // Original code
  class Foo {
    constructor(public x = 1) {}
    y = 2
  }
  // Old output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  this.x = x;
  __publicField(this, "y", 2);
  }
  x;
  }
  // New output (with --loader=ts --target=es2021)
  class Foo {

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2024

This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).

0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

... (truncated)

Commits

• 6a794df publish 0.28.0 to npm
• 64ee0ea fix #4435: support with { type: text } imports
• ef65aee fix sort order in snapshots_packagejson.txt
• 1a26a8e try to fix test-old-ts, also shuffle CI tasks
• 556ce6c use '' instead of null to omit build hashes
• 8e675a8 ci: allow missing binary hashes for tests
• 7067763 Reapply "update go 1.25.7 => 1.26.1"
• 39473a9 fix #4343: integrity check for binary download
• 2025c9f publish 0.27.7 to npm
• c6b586e fix typo in Makefile for @esbuild/win32-x64
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for esbuild since your current version.

Updates vite-plus from 0.1.19 to 0.1.22

Release notes

Sourced from vite-plus's releases.

vite-plus v0.1.22

A critical Vitest browser-mode security fix, parallel vp add -g installs, a built-in oxlint rule to prefer vite-plus imports, and a new --git switch for vp create.

Highlights

• Security: bundled vitest bumped to 4.1.6 to address GHSA-2h32-95rg-cppp (Critical, CVSS 9.6), an XSS to RCE chain via the otelCarrier query parameter in Vitest browser mode (#1633)
• Parallel global install: vp add/install/update -g now installs packages concurrently with a progress bar and a --concurrency flag (default 5) (#1597)
• Prefer vite-plus imports: new bundled oxlint rule rewrites vite/vitest imports to vite-plus, enabled by default in generated and migrated lint configs (#1408)
• Git init on scaffold: vp create learns --git/--no-git (interactive prompt; auto-commits "Initial commit from Vite+") (#1484)

Features

• Spawn npm for global installation in parallel with a progress bar and a --concurrency option (#1597), by @​liangmiQwQ
• Add bundled oxlint rule to prefer vite-plus imports over vite/vitest (#1408), by @​Han5991
• vp create: initialize a git repository and create an initial commit on scaffold (#1484), by @​ryohidaka
• vp create: rename underscore-prefixed files (_gitignore, _npmrc, _yarnrc.yml) to dotfiles for @org/create bundled templates (#1574), by @​jong-kyung
• Add VP_PR_VERSION env var to install unreleased PR builds via pkg.pr.new (#1578), by @​fengmk2

Fixes & Enhancements

• Skip merging standalone .oxfmtrc/.oxlintrc config when the fmt:/lint: key is already declared in vite.config.ts (fixes duplicate-block regression in vp create fate) (#1601), by @​fengmk2
• Suppress the VITE+ - The Unified Toolchain for the Web banner for vp lint --lsp, vp fmt --lsp, and vp fmt --stdin-filepath so stdout stays a pure LSP / formatter stream (#1619), by @​fengmk2
• vp create: detect output directory when running in the current directory (#1606), by @​jong-kyung
• vp update -g: skip installs when the recorded global package version already matches the npm-resolved version, and tolerate string/array outputs from npm view ... version --json (#1596), by @​leno23
• vp create: preserve single-segment project path in updateWorkspaceConfig (#1582), by @​jong-kyung
• vp env use: keep the change session-scoped on Windows (#1577), by @​fengmk2
• vp rebuild: accept positional package names (#1564), by @​fengmk2
• Adopt the new vite-task error formatter; errors now print as error: <top-level> plus * <source> chain lines, with bold-red highlight on a TTY (vite-task#390), by @​branchseer
• vite-task: forward LOCALAPPDATA so Node's compile cache stays outside the workspace on Windows (vite-task#389), by @​branchseer
• Bump vite-task to c945cc0 (#1628), by @​branchseer

Refactor

• Revert vp pm plugin command (per discussion in #1038) (#1623), by @​jong-kyung

Docs

• Add vitepress-plugin-llms to the docs site so the published docs include LLM-friendly outputs (/llms.txt) (#1625), by @​jong-kyung
• Refresh home stats for oxlint, vite, and vitest (#1512), by @​nozomee
• Mention vp env doctor in agent instructions (#1603), by @​leno23

Chore

• Consolidate the upstream build chain into a single pnpm build script (justfile recipe now just calls pnpm build) (#1626), by @​fengmk2
• Fix bootstrap-cli on Windows (#1583), by @​fengmk2
• Refresh trusted stack stats (#1573, #1616), by @​voidzero-guard[bot]
• Update GitHub Actions (#1611, #1612), by @​renovate[bot]
• Address zizmor findings in composite actions and the release workflow; drop unused actions-cool/issues-helper (#1630), by @​Boshen
• Switch plain checkouts to taiki-e/checkout-action (#1620), by @​Boshen
• Switch release to a version-bump PR + push trigger flow (#1575), by @​Boshen

... (truncated)

Commits

• 12368da release: v0.1.22 (#1637)
• 2a44bce chore: bump vite-task to c945cc0 (#1628)
• f0ae621 feat(cli): spawn npm for global installation in parallel and refine output (#...
• e80e241 revert: remove vp pm plugin command (#1623)
• 3dc7c75 docs: mention env doctor in agent instructions (#1603)
• 9e44db1 fix(cli): skip merging standalone oxfmt/oxlint config when key already in vit...
• 9f718e7 fix(cli): detect create output in current directory (#1606)
• 99d3e41 feat(cli): add oxlint rule to prefer vite-plus imports (#1408)
• 5d68116 feat(cli): Initialize a git repository and create an initial commit on scaffo...
• 023e700 test(cli): add --help case to config snap tests for npm10/yarn1/yarn4 (#1585)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[changeset-bot]

⚠️ No Changeset found

Latest commit: 9c02d62

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR