build: update all non-major dependencies (main)

[angular-robot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@modelcontextprotocol/sdk (source)	1.27.1 → 1.28.0
@typescript-eslint/eslint-plugin (source)	8.57.1 → 8.57.2
@typescript-eslint/parser (source)	8.57.1 → 8.57.2
@vitejs/plugin-basic-ssl	2.2.0 → 2.3.0
@vitest/coverage-v8 (source)	4.1.0 → 4.1.1
algoliasearch (source)	5.49.2 → 5.50.0
picomatch	4.0.3 → 4.0.4
rolldown (source)	1.0.0-rc.10 → 1.0.0-rc.12
undici (source)	7.24.5 → 7.24.6
vitest (source)	4.1.0 → 4.1.1

---

• If you want to rebase/retry this PR, check this box

---

Release Notes

modelcontextprotocol/typescript-sdk (@​modelcontextprotocol/sdk)

v1.28.0

Compare Source

What's Changed

• feat: use scopes_supported from resource metadata by default (fixes #​580) by @​antogyn in #​757
• [v1.x backport] Default to client_secret_basic when server omits token_endpoint_auth_methods_supported by @​pcarleton in #​1611
• fix: reject plain JSON Schema objects passed as inputSchema by @​tiluckdave in #​1596
• fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller cleanup by @​pcarleton in #​1462
• fix(server/auth): RFC 8252 loopback port relaxation by @​poteat in #​1738
• chore: bump version to 1.28.0 by @​felixweinberger in #​1746

New Contributors

• @​antogyn made their first contribution in #​757
• @​tiluckdave made their first contribution in #​1596
• @​poteat made their first contribution in #​1738

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.57.2

Compare Source

🩹 Fixes

• eslint-plugin: [prefer-readonly-parameter-types] preserve type alias infomation (#​11954)
• eslint-plugin: [no-useless-default-assignment] skip reporting false positives for unresolved type parameters (#​12127)
• eslint-plugin: [no-unsafe-return] false positive on unwrapping generic (#​12125)
• eslint-plugin: [no-restricted-types] flag banned generics in extends or implements (#​12120)
• eslint-plugin: [array-type] ignore Array and ReadonlyArray without type arguments (#​11971)
• eslint-plugin: [prefer-optional-chain] remove dangling closing parenthesis (#​11865)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger
• Konv Suu
• mdm317
• Newton Yuan @​NewtonYuan
• SungHyun627 @​SungHyun627
• Tamashoo @​Tamashoo

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.57.2

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitejs/vite-plugin-basic-ssl (@​vitejs/plugin-basic-ssl)

v2.3.0

Compare Source

Features

• add optional ttlDays parameter (#​98) (eb373f0)

Miscellaneous Chores

• deps: update all non-major dependencies (#​100) (34ef8a0)
• deps: update all non-major dependencies (#​96) (acb0779)
• deps: update dependency vite to v8 (#​99) (987fb1a)
• deps: update pnpm/action-setup action to v5 (#​101) (4b9d639)

Build System

• refactor post-build code (#​102) (2499cce)

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.1

Compare Source

   🚀 Features

• experimental:
  • Expose matchesTags to test if the current filter matches tags  -  by @​sheremet-va in #​9913 (eec53)
  • Introduce experimental.vcsProvider  -  by @​sheremet-va in #​9928 (56115)

   🐞 Bug Fixes

• Mark TestProject.testFilesList internal properly  -  by @​sapphi-red in #​9867 (54f26)
• Detect fixture that returns without calling use  -  by @​oilater in #​9831 and #​9861 (633ae)
• Drop vite 8.beta support  -  by @​AriPerkkio in #​9862 (b78f5)
• Type regression in vi.mocked() static class methods  -  by @​purepear and @​hi-ogawa in #​9857 (90926)
• Properly re-evaluate actual modules of mocked external  -  by @​hi-ogawa in #​9898 (ae5ec)
• Preserve coverage report when html reporter overlaps  -  by @​hi-ogawa in #​9889 (2d81a)
• Provide vi.advanceTimers to the preview provider  -  by @​sheremet-va in #​9891 (1bc3e)
• Don't leak event listener in playwright provider  -  by @​sheremet-va in #​9910 (d9355)
• Open browser in --standalone mode without running tests  -  by @​sheremet-va in #​9911 (e78ad)
• Guard disposable and optional body  -  by @​sheremet-va in #​9912 (6fdb2)
• Resolve retry.condition RegExp serialization issue  -  by @​nstepien and @​hi-ogawa in #​9942 (7b605)
• collect:
  • Don't treat extra props on test return as tests  -  by @​sheremet-va in #​9871 (141e7)
• coverage:
  • Simplify provider types  -  by @​AriPerkkio in #​9931 (aaf9f)
  • Load built-in provider without module runner  -  by @​AriPerkkio in #​9939 (bf892)
• expect:
  • Soft assertions continue after .resolves/.rejects promise errors  -  by @​mixelburg, Maks Pikov, Claude Opus 4.6 (1M context) and @​hi-ogawa in #​9843 (6d74b)
  • Fix sinon-chai style API  -  by @​hi-ogawa in #​9943 (0f08d)
• pretty-format:
  • Limit output for large object  -  by @​hi-ogawa and Claude Opus 4.6 (1M context) in #​9949 (0d5f9)

    View changes on GitHub

algolia/algoliasearch-client-javascript (algoliasearch)

v5.50.0

Compare Source

• 2d6c9b2727 feat(javascript): Implement gzip compression (#​6052) by @​MarioAlexandruDan
• a196c9cf73 feat(clients): response decompression (#​6095) by @​eric-zaharia
• 1ad4bcd99b fix(javascript): Update Node options to target ES2018 (#​6101) by @​MarioAlexandruDan
• 600f157a13 fix(specs): remove query parameter that are not accepted by the Composition API (#​6128) by @​ClaraMuller
• 90d96d575a chore(deps): dependencies 2026-03-16 (#​6102) by @​algolia-bot
• 6064369533 fix(javascript): move gzip compression to node-only builds, remove fflate (#​6154) by @​Fluf22

micromatch/picomatch (picomatch)

v4.0.4

Compare Source

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

rolldown/rolldown (rolldown)

v1.0.0-rc.12

Compare Source

🚀 Features

• chunk-optimizer: skip circular dependency check when strict execution order is enabled (#​8886) by @​hyf0

🐛 Bug Fixes

• emit build warnings during watch mode rebuilds (#​8897) by @​IWANABETHATGUY
• lazy-barrel: load import-then-export specifiers when barrel has local exports (#​8895) by @​shulaoda
• correct execution order of transferred CJS init calls (#​8877) by @​IWANABETHATGUY
• mcs: entriesAware should calculate sizes without duplication (#​8887) by @​hyf0
• non-deterministic chunk generation (#​8882) by @​sapphi-red
• is_top_level incorrectly treats strict-mode scopes as top-level (#​8878) by @​Dunqing

🚜 Refactor

• treeshake: migrate SideEffectDetector to Oxc's MayHaveSideEffects trait (#​8624) by @​Dunqing

🧪 Testing

• make dev server tests deterministic by replacing fixed sleeps with event-driven polling (#​8561) by @​Boshen

⚙️ Miscellaneous Tasks

• deps: update dependency vite-plus to v0.1.14 (#​8902) by @​camc314
• deps: update dependency oxfmt to ^0.42.0 (#​8891) by @​renovate[bot]
• deps: update rust crate oxc_sourcemap to v6.1.1 (#​8890) by @​renovate[bot]
• remove Rolldown MF plan (#​8883) by @​shulaoda
• deps: update rollup submodule for tests to v4.60.0 (#​8881) by @​sapphi-red
• deps: update test262 submodule for tests (#​8880) by @​sapphi-red
• deps: upgrade oxc crates to 0.122.0 (#​8879) by @​shulaoda

v1.0.0-rc.11

Compare Source

🚀 Features

• magicString replace with regex (#​8802) by @​IWANABETHATGUY
• support output.sourcemapExcludeSources option (#​8828) by @​sapphi-red
• support getIndentString in MagicString (#​8775) by @​IWANABETHATGUY
• MagicString ignoreList support (#​8773) by @​IWANABETHATGUY

🐛 Bug Fixes

• forward test filters through vp run (#​8870) by @​younggglcy
• types: remove pluginName from MinimalPluginContext (#​8864) by @​sapphi-red
• do not report eval?.() as direct eval (#​8860) by @​IWANABETHATGUY
• handle negative indices, overlapping ranges, and moved content in MagicString remove (#​8829) by @​IWANABETHATGUY
• enable arbitrary_precision for serde_json to fix JSON float parsing (#​8848) by @​elderapo
• resolve TypeScript lint errors (#​8841) by @​Boshen
• avoid panic on multi-byte UTF-8 chars in hash placeholder iterator (#​8790) by @​shulaoda
• ci: skip failing vite build watch raw query test (#​8840) by @​Boshen
• ci: use step-level env override to unset VITE_PLUS_CLI_BIN in vite tests (#​8838) by @​Boshen
• ci: move vite tests into CI workflow by @​Boshen
• ci: unset all VITE_PLUS_* env vars in vite-tests workflow (#​8837) by @​Boshen
• test: skip watch CLI tests on Windows (#​8830) by @​Boshen
• ci: unset VITE_PLUS_CLI_BIN in vite-tests workflow (#​8832) by @​Boshen
• remove redundant bare side-effect imports in entry/facade chunks (#​8804) by @​h-a-n-a
• magicString prepend issues (#​8797) by @​IWANABETHATGUY
• ci: use vpx instead of vp exec for pkg-pr-new (#​8827) by @​Boshen
• set order for callable plugins (#​8815) by @​sapphi-red
• handle reversed slice ranges with moved content (#​8750) by @​IWANABETHATGUY
• update emnapi to latest to avoid version mismatch (#​8781) by @​sapphi-red
• external.md on Windows OS (#​8780) by @​bddjr
• align MagicString length/isEmpty with reference magic-string (#​8776) by @​IWANABETHATGUY

🚜 Refactor

• extract canonical_ref_resolving_namespace helper (#​8836) by @​Boshen

📚 Documentation

• improve external examples for cross-platform correctness (#​8786) by @​hyf0-agent
• update reference to transform function in plugin API documentation (#​8778) by @​zOadT

⚡ Performance

• reduce timing of dervie_entries_aware_chunk_name (#​8847) by @​AliceLanniste
• bench: remove redundant sourcemap benchmark cases (#​8825) by @​Boshen
• reduce intermediate allocations in collapse_sourcemaps (#​8821) by @​Boshen
• enable parallel AST cloning on macOS (#​8814) by @​Boshen

🧪 Testing

• watch: use polling watcher and retry for watch error test (#​8772) by @​sapphi-red

⚙️ Miscellaneous Tasks

• deps: update dependency @​oxc-project/types to v0.122.0 (#​8873) by @​renovate[bot]
• publish-to-npm: use correct vp pm publish (#​8871) by @​shulaoda
• justfile: skip setup-vite-plus if vp is already installed (#​8862) by @​Boshen
• add expectWarning option to test config (#​8861) by @​IWANABETHATGUY
• justfile: support windows for just setup (#​8846) by @​AliceLanniste
• deps: update rust crates (#​8852) by @​renovate[bot]
• deps: update endbug/version-check action to v3 (#​8855) by @​renovate[bot]
• deps: update github-actions (#​8853) by @​renovate[bot]
• deps: update dependency vitepress to v2.0.0-alpha.17 (#​8854) by @​renovate[bot]
• deps: update npm packages (#​8851) by @​renovate[bot]
• bench: use mimalloc as global allocator in bench crate (#​8844) by @​IWANABETHATGUY
• reuse native build artifact in node-validation job (#​8826) by @​Boshen
• speed up CodSpeed benchmark build by disabling LTO (#​8824) by @​Boshen
• remove redundant critcmp benchmark job (#​8823) by @​Boshen
• deps: update rust crate oxc_sourcemap to v6.1.0 (#​8785) by @​renovate[bot]
• node: migrate oxlint and oxfmt to Vite+ (#​8813) by @​Boshen
• revert namespace runners for release build jobs (#​8820) by @​Boshen
• migrate runners to namespace (#​8819) by @​Boshen
• test: relax test utils path assertion to support git worktrees (#​8816) by @​younggglcy
• rename examples/lazy to examples/lazy-compilation (#​8789) by @​shulaoda
• improve "needs reproduction" wording by @​Boshen
• deps: update dependency oxlint-tsgolint to v0.17.1 (#​8807) by @​renovate[bot]
• enable 7 previously-skipped MagicString tests (#​8771) by @​IWANABETHATGUY
• upgrade oxc to 0.121.0 (#​8784) by @​shulaoda
• increase Windows dev drive size from 12GB to 20GB (#​8779) by @​Copilot

❤️ New Contributors

• @​younggglcy made their first contribution in #​8870
• @​elderapo made their first contribution in #​8848
• @​bddjr made their first contribution in #​8780
• @​zOadT made their first contribution in #​8778

nodejs/undici (undici)

v7.24.6

Compare Source

What's Changed

• fix(test): client wasm compatible with clang 22 by @​rozzilla in #​4909
• fix(mock): improve error message when intercepts are exhausted by @​travisbreaks in #​4912
• fix(websocket): support open diagnostics over h2 by @​mcollina in #​4921
• fix: assume http/https scheme for scheme-less proxy env vars by @​travisbreaks in #​4914
• fix(cache): check Authorization on request headers per RFC 9111 §3.5 by @​metalix2 in #​4911
• fix: wrap kConnector call in try/catch to prevent client hang by @​veeceey in #​4834
• docs: clarify fetch and FormData pairing by @​mcollina in #​4922
• fix: support Connection header with connection-specific header names per RFC 7230 by @​mcollina in #​4775
• fix: avoid prototype collisions in parseHeaders by @​mcollina in #​4923
• build(deps-dev): bump typescript from 5.9.3 to 6.0.2 by @​dependabot[bot] in #​4926
• test: auto-init WPT submodule by @​mcollina in #​4930

New Contributors

• @​rozzilla made their first contribution in #​4909
• @​veeceey made their first contribution in #​4834

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

[gemini-code-assist]

Code Review

This pull request updates several JavaScript/TypeScript dependencies across various package.json files and their corresponding pnpm-lock.yaml file. Key updates include @vitest/* packages from 4.1.0 to 4.1.1, @typescript-eslint/* packages from 8.57.1 to 8.57.2, algoliasearch from 5.49.2 to 5.50.0, @vitejs/plugin-basic-ssl from 2.2.0 to 2.3.0, picomatch from 4.0.3 to 4.0.4, and rolldown from 1.0.0-rc.10 to 1.0.0-rc.11. These are generally minor or patch version updates. There is no feedback to provide.