build: update all non-major dependencies (main)

[angular-robot]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@rollup/wasm-node (source)	4.61.0 → 4.61.1
@typescript-eslint/eslint-plugin (source)	8.60.1 → 8.61.0
@typescript-eslint/parser (source)	8.60.1 → 8.61.0
algoliasearch (source)	5.53.0 → 5.54.0
esbuild	0.28.0 → 0.28.1
esbuild-wasm	0.28.0 → 0.28.1
http-proxy-middleware	4.0.0 → 4.1.0
https-proxy-agent (source)	9.0.0 → 9.1.0
jasmine (source)	~6.2.0 → ~6.3.0
jasmine-core (source)	~6.2.0 → ~6.3.0
pacote	21.5.0 → 21.5.1
rolldown (source)	1.0.3 → 1.1.1
rollup (source)	4.61.0 → 4.61.1
sass	1.100.0 → 1.101.0
semver	7.8.1 → 7.8.4
undici (source)	8.3.0 → 8.4.1
watchpack	2.5.1 → 2.5.2

---

• If you want to rebase/retry this PR, check this box

---

Release Notes

rollup/rollup (@​rollup/wasm-node)

v4.61.1

Compare Source

2026-06-04

Bug Fixes

• Avoid extraneous newlines when adding headers via plugins (#​6403)
• Fix a rare issue where starting Rollup would hang on Windows (#​6404)

Pull Requests

• #​6402: Improve documentation for manualPureFunctions (@​lukastaegert)
• #​6403: Does not add an extra leading line feed for addons (@​TrickyPi)
• #​6404: fix: set report.excludeNetwork=true before getReport() to avoid blocking PTR lookups (@​jdz321, @​lukastaegert)

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.61.0

Compare Source

🚀 Features

• ast-spec: change type of UnaryExpression.prefix to always true (#​12372)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.61.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

algolia/algoliasearch-client-javascript (algoliasearch)

v5.54.0

Compare Source

• e6753bc802 chore(deps): dependencies 2026-06-01 (#​6476) by @​algolia-bot
• 7f2ce8cd3a feat(clients): Agent Studio v1 (#​6097) by @​Fluf22

evanw/esbuild (esbuild)

v0.28.1

Compare Source

• Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

  This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

  Thanks to @​dellalibera for reporting this issue.

• Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

  The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

  Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

  Thanks to @​sondt99 for reporting this issue.

• Avoid inlining using and await using declarations (#​4482)

  Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

  // Original code
  {
    using x = new Resource()
    x.activate()
  }
  
  // Old output (with --minify)
  new Resource().activate();
  
  // New output (with --minify)
  {using e=new Resource;e.activate()}

• Fix module evaluation when an error is thrown (#​4461, #​4467)

  If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

• Fix some edge cases around the new operator (#​4477)

  Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

  // Original code
  new (foo()`bar`)()
  new (foo()?.bar)()
  
  // Old output
  new foo()`bar`();
  new (foo())?.bar();
  
  // New output
  new (foo())`bar`();
  new (foo()?.bar)();

• Fix renaming of nested var declarations (#​4471)

  This release fixes a bug where var declarations in nested scopes that are hoisted up to module scope were not correctly being renamed during bundling. That could previously lead to name collisions when minification was disabled, which could potentially cause a behavior change. The bug has been fixed so that these hoisted declarations are now considered to be module-level symbols during the name collision avoidance pass.

• Emit var instead of const for certain TypeScript-only constructs for ES5 (#​4448)

  While esbuild doesn't generally support converting const to var for ES5 due to nested scoping rules (which is currently a build-time error), esbuild previously incorrectly converted TypeScript-only import assignment constructs into a const declaration even when targeting ES5. With this release, esbuild will now use var for this case instead:

  // Original code
  import x = require('y')
  
  // Old output (with --target=es5)
  const x = require("y");
  
  // New output (with --target=es5)
  var x = require("y");

chimurai/http-proxy-middleware (http-proxy-middleware)

v4.1.0

Compare Source

• feat(definePlugin): helper function to create plugins
• chore(package.json): update to httpxy@​0.5.3
• fix(ipv6): preserve credentials when normalizing bracketed IPv6 target string
• fix(ipv6): unspecified IPv6 target hostname (::)
• fix(response-interceptor): reduce responseInterceptor buffer churn
• fix(ws): handle multi-server upgrade subscription and safe proxy shutdown
• feat(router): add 'res' and 'options' to router function
• feat(pathRewrite): add 'res' and 'options' to custom pathRewrite function
• fix(responseInterceptor): prevent trailer/content-length conflict
• feat(zstd): support zstd compression in responseInterceptor and fixRequestBody
• fix(responseInterceptor): handle bodyless responses (HEAD/1xx/204/304) with content-encoding
• fix(router): harden proxy-table matching

TooTallNate/proxy-agents (https-proxy-agent)

v9.1.0

Compare Source

Minor Changes

• 84e85ed: Add onProxyAuth callback and negotiate option for Kerberos/SPNEGO proxy authentication

  • Extract shared Negotiate/SPNEGO auth logic into new proxy-agent-negotiate package
  • Added optional onProxyAuth async callback to HttpsProxyAgent and HttpProxyAgent options
  • When the proxy responds with 407 Proxy-Authentication Required, the callback is invoked with the response and auth scheme
  • The callback returns headers (e.g. Proxy-Authorization) to retry the request with
  • Added negotiate: true option that uses the kerberos package for automatic Negotiate/SPNEGO auth
  • Added kerberos as an optional peer dependency of proxy-agent-negotiate
  • Extended the proxy test package to support authenticate: 'negotiate' mode for mock testing

• 3ebf4b2: Add proxy event emission on the request object for all proxy agents. After the proxy connection is established, the request emits a proxy event with { proxy, socket } where proxy is the proxy URL string. This is useful for debugging and logging which proxy was used for a connection.

Patch Changes

• 1852c75: Fix socket event race condition by deferring socket.resume() via setImmediate(), ensuring HTTP client machinery has time to attach data listeners before data starts flowing
• Updated dependencies [84e85ed]
  • proxy-agent-negotiate@​1.1.0

jasmine/jasmine-npm (jasmine)

v6.3.0: 6.3.0

Compare Source

Please see the release notes.

jasmine/jasmine (jasmine-core)

v6.3.0: 6.3.0

Compare Source

Please see the release notes.

npm/pacote (pacote)

v21.5.1

Compare Source

Bug Fixes

• 627a7dc #​499 avoid ReDoS in addGitSha committish stripping (@​owlstronaut)

Chores

• 790a24b #​500 template-oss-apply (#​500) (@​owlstronaut, test)
• 09cb304 #​499 template-oss-apply (@​owlstronaut)
• bea9f84 #​499 @npmcli/template-oss@5.1.0 (@​owlstronaut)

rolldown/rolldown (rolldown)

v1.1.1

Compare Source

🚀 Features

• ecmascript_utils: introduce AstFactory for AST construction (#​9682) by @​hyf0
• drop no-op init calls for empty wrapped-ESM modules (#​9678) by @​IWANABETHATGUY

🐛 Bug Fixes

• resolver: honor package.json#type for .jsx/.tsx extensions (#​9690) (#​9699) by @​IWANABETHATGUY
• hmr: report the full-reload reason for the invalidate-loop case (#​9708) by @​hyf0
• explicit moduleSideEffects from a hook must take priority over the package.json#sideEffects (#​9688) by @​sapphi-red
• keep the rolldown-runtime name for the standalone runtime chunk (#​9685) by @​shulaoda
• lazy-barrel: request all exports for entry barrels on first encounter (#​9672) by @​shulaoda
• finalizer: skip init_*() for tree-shaken wrapped ESM owners (#​9669) by @​IWANABETHATGUY
• order chunk.imports by execution order (#​9654) by @​chuganzy
• vite-resolve: preserve slash separators for Sass partial exports (#​9546) by @​cjc0013
• cross-chunk CJS wrapper shadowed by author-local binding (#​9648) by @​IWANABETHATGUY

🚜 Refactor

• precompute wrapped-ESM init metadata in generate stage (#​9712) by @​IWANABETHATGUY
• ecmascript_utils: fold construction ext traits onto AstFactory and delete AstSnippet (#​9702) by @​hyf0
• finalizer: finish ScopeHoistingFinalizer migration to AstFactory (#​9701) by @​hyf0
• finalizer: migrate module_finalizers/mod.rs to AstFactory (#​9700) by @​hyf0
• hmr: migrate hmr finalizer to AstFactory (#​9695) by @​hyf0
• plugin: migrate vite_build_import_analysis to AstFactory (#​9693) by @​hyf0
• scanner: migrate tweak_ast_for_scanning to AstFactory (#​9683) by @​hyf0
• always split runtime module first (#​9419) by @​IWANABETHATGUY

📚 Documentation

• tsconfig: correct auto-discovery resolution to match TypeScript (#​9714) by @​shulaoda
• design: plan to unify all internal AST construction (#​9673) by @​hyf0
• tsconfig: align reference resolution docs with TypeScript behavior (#​9641) by @​shulaoda

⚡ Performance

• avoid per-module join Strings in scope-hoisting concatenation (#​9645) by @​Boshen
• avoid intermediate Strings in the ESM export clause (#​9644) by @​Boshen
• reuse a scratch buffer for facade namespace names in the scanner (#​9642) by @​Boshen
• reuse the import-matching tracker stack across named imports (#​9643) by @​Boshen
• avoid cloning the per-chunk export-items map in render_chunk_exports (#​9639) by @​Boshen
• avoid CompactStr allocation in sorted-exports membership check (#​9640) by @​Boshen

🧪 Testing

• add more moduleSideEffects precedence tests (#​9689) by @​sapphi-red
• 9651: drop shimMissingExports from regression fixture (#​9674) by @​IWANABETHATGUY

⚙️ Miscellaneous Tasks

• update react repo links (#​9711) by @​iiio2
• remove outdated pnpm configurations (#​9666) by @​btea
• deps: update github actions to v2.81.5 (#​9665) by @​renovate[bot]
• testing: migrate test harness off deprecated inlineDynamicImports (#​9710) by @​IWANABETHATGUY
• hmr: delete commented-out dead code left from old register-module codegen (#​9707) by @​hyf0
• deps: update napi-rs toolchain (#​9706) by @​shulaoda
• deps: update rollup submodule for tests to v4.61.1 (#​9676) by @​rolldown-guard[bot]
• deps: update test262 submodule for tests (#​9677) by @​rolldown-guard[bot]
• deps: update oxc to 0.135.0 (#​9670) by @​Boshen
• pass ALGOLIA_APP_ID and ALGOLIA_API_KEY to void deploy (#​9667) by @​Boshen
• deps: update github actions (#​9662) by @​renovate[bot]
• deps: update rust crates (#​9663) by @​renovate[bot]
• deps: update rolldown-plugin-dts to v0.25.2 (#​9661) by @​renovate[bot]
• deps: update typos to v1.47.2 (#​9660) by @​renovate[bot]
• deps: update docs dependencies (#​9657) by @​bddjr
• deps: update typos to v1.47.1 (#​9655) by @​renovate[bot]
• deploy website in its own workflow, only on docs output change (#​9650) by @​Boshen
• publish to pkg.pr.new add pm and commentWithDev option (#​9638) by @​btea

❤️ New Contributors

• @​chuganzy made their first contribution in #​9654
• @​cjc0013 made their first contribution in #​9546

v1.1.0

Compare Source

🚀 Features

• enable experimental.lazyBarrel by default (#​9632) by @​shulaoda
• import.meta.glob support caseSensitive option (#​9594) by @​btea
• add SOURCEMAP_BROKEN warning for renderChunk hook (#​9601) by @​sapphi-red
• add SOURCEMAP_BROKEN warning for transform hook (#​9600) by @​sapphi-red
• add @__NO_SIDE_EFFECTS__ hint for invalid @__PURE__ before function declarations (#​9505) by @​Copilot
• code-splitting: support group-local includeDependenciesRecursively (#​9587) by @​hyf0

🐛 Bug Fixes

• report TSCONFIG_ERROR instead of UNHANDLEABLE_ERROR for a missing tsconfig file (#​9633) by @​shulaoda
• browser: add missing exports and ensure consistency with rolldown package (#​9629) by @​sapphi-red
• should build test-dev-server when test-node (#​9610) by @​situ2001
• chunk-optimizer: refuse asymmetric merge for cyclic dynamic entries (#​9320) (#​9322) by @​aminpaks
• dev: handle the remaining errors in dev (#​9570) by @​h-a-n-a
• handle slash-normalized ids with preserveModulesRoot (#​9595) by @​IWANABETHATGUY
• json: preserve .default access on JSON default imports (#​9568) by @​IWANABETHATGUY
• testing: remove unintended trigger_full_build from test harness (#​9573) by @​hyf0

🚜 Refactor

• js-regex: use regress native replace/replace_all (#​9607) by @​IWANABETHATGUY
• remove never-constructed ImportStatus variants (#​9606) by @​Boshen

📚 Documentation

• clarify that RolldownBuild::close method should be called in most cases (#​9619) by @​sapphi-red

⚡ Performance

• avoid unnecessary intermediate sourcemaps (#​9599) by @​sapphi-red

🧪 Testing

• add unit test for collapsing module sourcemap (#​9626) by @​sapphi-red
• cover vite-alias regex capture-group expansion (#​9602) (#​9608) by @​IWANABETHATGUY

⚙️ Miscellaneous Tasks

• deps: update oxc_resolver to 11.21.0 (#​9634) by @​shulaoda
• update invalid option diagnostic link to point to Rolldown docs (#​9631) by @​sapphi-red
• deps: update vite+ to v0.1.24 (#​9628) by @​renovate[bot]
• deps: update oxc resolver to v11.20.0 (#​9549) by @​renovate[bot]
• deps: update dependency vite-plus to v0.1.24 (#​9470) by @​renovate[bot]
• deps: update npm packages (#​9614) by @​renovate[bot]
• deps: upgrade oxc to 0.134.0 (#​9625) by @​shulaoda
• deps: update crate-ci/typos action to v1.47.0 (#​9620) by @​renovate[bot]
• deps: update rollup submodule for tests to v4.61.0 (#​9623) by @​rolldown-guard[bot]
• deps: update github actions (#​9613) by @​renovate[bot]
• deps: update pnpm to v11.4.0 (#​9616) by @​renovate[bot]
• deps: update rust crates (#​9615) by @​renovate[bot]
• deps: update test262 submodule for tests (#​9624) by @​rolldown-guard[bot]
• deps: update dependency @​napi-rs/cli to v3.7.0 (#​9588) by @​renovate[bot]
• deps: update dependency rust to v1.96.0 (#​9596) by @​renovate[bot]
• re-enable WASI testing with proper infrastructure (#​9397) by @​Boshen

❤️ New Contributors

• @​aminpaks made their first contribution in #​9322

sass/dart-sass (sass)

v1.101.0

Compare Source

• Potentially breaking bug fix: The Node package importer now properly
  supports resolving import-only variants of Sass files declared in the
  exports, sass, and style fields of package.json. Previously, these
  files were ignored even when loaded via @import, so any code relying on
  loading module-system-only files this way may break.

npm/node-semver (semver)

v7.8.4

Compare Source

Bug Fixes

• e583226 #​874 reject numeric segments after x-ranges (@​pupuking723)

v7.8.3

Compare Source

Bug Fixes

• 046da7f #​872 align caret includePrerelease lower bounds (#​872) (@​wayyoungboy)

Chores

• 3485dda #​866 bump @​npmcli/eslint-config from 6.0.1 to 7.0.0 (#​866) (@​dependabot[bot])

v7.8.2

Compare Source

Bug Fixes

• bea6028 #​870 increment dotted prerelease identifiers (#​870) (@​liuzemei, @​SheldonNeo)

nodejs/undici (undici)

v8.4.1

Compare Source

What's Changed

• test: avoid localhost lookup in fetch cookies tests by @​mcollina in #​5363
• fix: prevent race condition between onEnd and onTrailers in HTTP/2 client (#​5216) by @​mcollina in #​5343
• fix(dns): skip requests without origin by @​marko1olo in #​5376
• docs: add Getting Started guide by @​AliMahmoudDev in #​5371
• docs: fix code examples that crash at runtime and other inaccuracies by @​AliMahmoudDev in #​5386
• fix: handle paused parser on socket end (issue #​5360) by @​mcollina in #​5389
• fix(client): reject pipelined TLS altname errors by @​marko1olo in #​5373
• docs: fix multiple inaccuracies in API documentation by @​AliMahmoudDev in #​5384
• docs: fix remaining broken links in API documentation by @​AliMahmoudDev in #​5342

New Contributors

• @​marko1olo made their first contribution in #​5376

Full Changelog: nodejs/undici@v8.4.0...v8.4.1

v8.4.0

Compare Source

What's Changed

• fix: register connect listener before initiating requests in close-and-destroy test by @​mcollina in #​5272
• test: stabilize tls-cert-leak regression by @​mcollina in #​5306
• fix: replace tspl with native test context in test/examples.js by @​mcollina in #​5300
• http2: remove redundant request stream binding by @​trivikr in #​5302
• test: limit cache-tests workers on Windows by @​mcollina in #​5309
• test: use test context cleanup hooks in parser issue tests by @​mcollina in #​5282
• Add redirect option to strip headers on redirect by @​mcollina in #​5281
• chore(test): fix lint failure by @​aduh95 in #​5316
• chore(ci): use npm ci instead of npm install by @​aduh95 in #​5315
• docs: clarify formData security considerations by @​mcollina in #​5320
• docs: add EventSource server example by @​Will-thom in #​5321
• fix(core): simplify addAbortListener util by @​aduh95 in #​5317
• build(deps-dev): bump ws from 8.20.0 to 8.21.0 by @​dependabot[bot] in #​5325
• build(deps-dev): bump jsondiffpatch from 0.7.3 to 0.7.6 by @​dependabot[bot] in #​5313
• docs: match undici EoL to node version it's bundled in by @​trivikr in #​5330
• fix: handle all HTTP/2 request stream sync errors by @​mcollina in #​5311
• fix: preserve timeout errors for HTTP/2 requests by @​mcollina in #​5091
• fix(core): normalize autoSelectFamily timeout AggregateError by @​youcefzemmar in #​5329
• chore(core): define kEnumerableProperty atomically by @​aduh95 in #​5332
• chore(core): use regex.exec instead of string.match by @​aduh95 in #​5331
• fix: reset invalid HTTP/2 sessions by @​mcollina in #​5310
• feat(connect): add preferH2 connector option to offer h2 first in ALPN by @​Antamansid in #​5327
• test: fix flaky http2 trailers test by @​mcollina in #​5338
• fix(mock): restore single-arg MockCallHistory.filterCallsByX by @​youcefzemmar in #​5328
• docs: document missing error types in Errors.md by @​cesarvspr in #​5339
• build(deps): bump github/codeql-action from 4.35.3 to 4.36.1 by @​dependabot[bot] in #​5346
• build(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0 by @​dependabot[bot] in #​5347
• build(deps): bump uWebSockets.js from v20.67.0 to v20.68.0 in /benchmarks by @​dependabot[bot] in #​5352
• build(deps): bump concurrently from 9.2.1 to 10.0.3 in /benchmarks by @​dependabot[bot] in #​5353
• build(deps): bump step-security/harden-runner from 2.19.1 to 2.19.4 by @​dependabot[bot] in #​5348
• build(deps): bump actions/checkout from 6.0.2 to 6.0.3 by @​dependabot[bot] in #​5351
• build(deps): bump codecov/codecov-action from 6.0.0 to 6.0.1 by @​dependabot[bot] in #​5349
• docs: improve connect option documentation in Client.md by @​AliMahmoudDev in #​5344
• fix(mock): do not persist snapshots on close in playback mode by @​GeoffreyBooth in #​5359
• fix(fetch): remove abort listener when request settles by @​ATOM00blue in #​5318
• test: add Node.js global fetch regression coverage by @​mcollina in #​5361
• fix(h2): make Client multiplex on h2 (#​4143) by @​mcollina in #​5362

New Contributors

• @​Will-thom made their first contribution in #​5321
• @​youcefzemmar made their first contribution in #​5329
• @​Antamansid made their first contribution in #​5327
• @​cesarvspr made their first contribution in #​5339
• @​AliMahmoudDev made their first contribution in #​5344
• @​ATOM00blue made their first contribution in #​5318

Full Changelog: nodejs/undici@v8.3.0...v8.4.0

webpack/watchpack (watchpack)

v2.5.2

Compare Source

Patch Changes

• fix: retry fs.lstat on transient EBUSY errors instead of emitting a spurious remove event (fixes #​223, #​44). The retry count is controlled by the WATCHPACK_RETRIES environment variable (default: 3; set to 0 or "false" to disable retrying). (by @​alexander-akait in #​293)

• Improve perfomance for ignored and improve perfomance for reduce plan. (by @​alexander-akait in #​289)

• perf: speed up ignored matchers (~35–45% faster on POSIX paths) and reducePlan (~20–40% faster on medium and large plans). Also adds a tinybench suite under bench/ and a CodSpeed GitHub Actions workflow to catch future regressions. (by @​alexander-akait in #​287)

• fix: don't log "Watchpack Error (initial scan)" for unreadable entries inside a watched parent directory, e.g. pagefile.sys on WSL or /efi on Linux (fixes #​187). EACCES / ENODEV (and EINVAL on Windows) errors are now handled like EPERM / ENOENT / EBUSY: the entry is recorded as missing and the scan continues silently. (by [@​alexander-akait](https://redirect.gi

✂ Note

PR body was truncated to here.

[gemini-code-assist]

Code Review

This pull request updates several package dependencies across multiple package.json files in the workspace, including rollup, semver, undici, http-proxy-middleware, and jasmine, to their newer versions. There are no review comments, and I have no feedback to provide.