build: update all non-major dependencies (main)

[angular-robot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@babel/generator (source)	7.29.0 → 7.29.1
@modelcontextprotocol/sdk (source)	1.25.3 → 1.26.0
@typescript-eslint/eslint-plugin (source)	8.54.0 → 8.55.0
@typescript-eslint/parser (source)	8.54.0 → 8.55.0
algoliasearch (source)	5.47.0 → 5.48.0
esbuild	0.27.2 → 0.27.3
esbuild-wasm	0.27.2 → 0.27.3
less-loader	12.3.0 → 12.3.1
ora	9.2.0 → 9.3.0
pacote	21.1.0 → 21.3.1
rolldown (source)	1.0.0-rc.3 → 1.0.0-rc.4
sass-loader	16.0.6 → 16.0.7
semver	7.7.3 → 7.7.4
undici (source)	7.20.0 → 7.21.0
webpack	5.105.0 → 5.105.1

---

Release Notes

babel/babel (@​babel/generator)

v7.29.1

Compare Source

modelcontextprotocol/typescript-sdk (@​modelcontextprotocol/sdk)

v1.26.0

Compare Source

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

• chore: bump v1.25.3 for backport fixes by @​pcarleton in #​1412
• fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @​samuv in #​1382
• Fix #​1430: Client Credentials providers scopes support (backported) by @​NSeydoux in #​1442
• chore: bump version to 1.26.0 by @​pcarleton in #​1479

New Contributors

• @​samuv made their first contribution in #​1382
• @​NSeydoux made their first contribution in #​1442

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.55.0

Compare Source

🚀 Features

• utils: deprecate defaultOptions in favor of meta.defaultOptions (#​11992)

🩹 Fixes

• eslint-plugin: [no-useless-default-assignment] reduce param index to ts this handling (#​11949)
• eslint-plugin: [no-useless-default-assignment] report unnecessary defaults in ternary expressions (#​11984)
• eslint-plugin: [no-useless-default-assignment] require strictNullChecks (#​11966, #​12000)
• eslint-plugin: [no-unused-vars] remove trailing newline when removing entire import (#​11990)

❤️ Thank You

• Christian Rose @​chrros95
• Josh Goldberg
• Maria Solano @​MariaSolOs
• Minyeong Kim @​minyeong981
• SungHyun627 @​SungHyun627
• Yukihiro Hasegawa @​y-hsgw

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.55.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

algolia/algoliasearch-client-javascript (algoliasearch)

v5.48.0

Compare Source

BREAKING CHANGES: this minor version includes multiple breaking changes related to fixes on different APIs. See below for more details.

• b39e3e013 feat(specs): conditions is not required anymore in composition rules (#​5853) by @​ClaraMuller
• 9ef126ccd docs(SearchParams): Document that filter scores are supported in virtual replicas (#​5716) by @​NixFrog
• 6a3e60802 fix(specs): BREAKING CHANGE – remove baseRecommendRequest from trendingFacets [CR-10264] (#​5858) by @​raed667
  • The TrendingFacets model has been updated to reflect the API response.
• f9453e693 docs: BREAKING CHANGE – authentication type can't be updated (#​5824) by @​sbellone
  • The AuthenticationUpdate model has been updated to reflect that the type field can't be updated.
• 2d1c05654 chore(deps): dependencies 2026-01-26 (#​5859) by @​algolia-bot
• 6591e14a6 feat(clients): Test python timeout (#​5883) by @​eric-zaharia
• 52aed5b35 fix(specs): allow additionalProperties on insights-api events (#​5885) by @​sirockin
• 2925f56d1 fix(specs): BREAKING CHANGE – more accurate composition behavior typing (#​5892) by @​gavinwade12
  • The CompositionBehavior model is now a union type for better accuracy.
• 63b0c5464 feat(specs): BREAKING CHANGE – Ingestion API: new code property in oauth authentication (#​5897) by @​sbellone
  • The AuthOAuth and AuthOAuthPartial models have been updated to reflect that the clientId field is now optional, and the code field can be set.
• d4d385654 chore(deps): dependencies 2026-02-02 (#​5898) by @​algolia-bot

evanw/esbuild (esbuild)

v0.27.3

Compare Source

• Preserve URL fragments in data URLs (#​4370)

  Consider the following HTML, CSS, and SVG:

  • index.html:

    <!DOCTYPE html>
    <html>
      <head><link rel="stylesheet" href="icons.css"></head>
      <body><div class="triangle"></div></body>
    </html>

  • icons.css:

    .triangle {
      width: 10px;
      height: 10px;
      background: currentColor;
      clip-path: url(./triangle.svg#x);
    }

  • triangle.svg:

    <svg xmlns="http://www.w3.org/2000/svg">
      <defs>
        <clipPath id="x">
          <path d="M0 0H10V10Z"/>
        </clipPath>
      </defs>
    </svg>

  The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

  /* icons.css */
  .triangle {
    width: 10px;
    height: 10px;
    background: currentColor;
    clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
  }

• Parse and print CSS @scope rules (#​4322)

  This release includes dedicated support for parsing @scope rules in CSS. These rules include optional "start" and "end" selector lists. One important consequence of this is that the local/global status of names in selector lists is now respected, which improves the correctness of esbuild's support for CSS modules. Minification of selectors inside @scope rules has also improved slightly.

  Here's an example:

  /* Original code */
  @​scope (:global(.foo)) to (:local(.bar)) {
    .bar {
      color: red;
    }
  }
  
  /* Old output (with --loader=local-css --minify) */
  @​scope (:global(.foo)) to (:local(.bar)){.o{color:red}}
  
  /* New output (with --loader=local-css --minify) */
  @​scope(.foo)to (.o){.o{color:red}}

• Fix a minification bug with lowering of for await (#​4378, #​4385)

  This release fixes a bug where the minifier would incorrectly strip the variable in the automatically-generated catch clause of lowered for await loops. The code that generated the loop previously failed to mark the internal variable references as used.

• Update the Go compiler from v1.25.5 to v1.25.7 (#​4383, #​4388)

  This PR was contributed by @​MikeWillCook.

webpack/less-loader (less-loader)

v12.3.1

Compare Source

sindresorhus/ora (ora)

v9.3.0

Compare Source

• Reduce flicker in rendering 2ab4f76

---

npm/pacote (pacote)

v21.3.1

Compare Source

Bug Fixes

• 96e571a #​439 ensure that resolved git ref matches expected sha (#​439) (@​klassiker, pacotedev)

Chores

• 91847c4 #​447 fix test for ssri ignoring invalid hashes (#​447) (@​wraithgar)

v21.3.0

Compare Source

Features

• 8f5091d #​445 add support for git-256 sha lengths (#​445) (@​wraithgar)

v21.2.0

Compare Source

Features

• db21624 #​442 implement gitSubdir according to npa spec (#​442) (@​Kakadus)
• c2a4217 #​443 add allowRemote, allowFile, allowDirectory (#​443) (@​wraithgar)

rolldown/rolldown (rolldown)

v1.0.0-rc.4

Compare Source

🚀 Features

• rename error name to RolldownError from RollupError (#​8262) by @​sapphi-red
• add hidden resolve_tsconfig function for Vite (#​8257) by @​sapphi-red
• rust: introduce rolldown_watcher (#​8161) by @​hyf0
• unify comments and legalComments into a single granular comments option (#​8229) by @​IWANABETHATGUY
• add builtin plugin for visualizing chunk graph (#​8162) by @​IWANABETHATGUY
• show import declaration location in AssignToImport errors (#​8222) by @​Copilot
• show import declaration span in CannotCallNamespace error (#​8223) by @​Copilot
• emit error when plugin accidentally removes runtime module symbols (#​8203) by @​IWANABETHATGUY
• support tsconfig loading & inputMap for transform (#​8180) by @​sapphi-red
• rolldown_plugin_vite_reporter: update warning message to link to Rolldown docs (#​8205) by @​sapphi-red

🐛 Bug Fixes

• avoid panic on untranspiled JSX syntax by reporting a diagnostic error (#​8226) by @​IWANABETHATGUY
• rolldown_plugin_vite_import_glob: relax absolute path check and improve invalid glob warning (#​8219) by @​shulaoda
• merge chunks after detect circular reference (#​8154) by @​IWANABETHATGUY
• rust: detect runtime module side effects based on its content (#​8209) by @​hyf0

🚜 Refactor

• rename other to jsdoc in comments options (#​8256) by @​IWANABETHATGUY
• rename chunk-visualize plugin with bundle-analyzer plugin (#​8255) by @​IWANABETHATGUY
• remove EXPORT_UNDEFINED_VARIABLE error (#​8228) by @​Copilot
• consolidate missing runtime symbol errors into a single diagnostic (#​8220) by @​IWANABETHATGUY
• stabilize parse and parseSync (#​8215) by @​sapphi-red
• return errors instead of panicking on builtin plugin conversion failure (#​8217) by @​shulaoda
• expose parse / minify / transform from rolldown/utils (#​8214) by @​sapphi-red
• prepare defer chunk merging (#​8153) by @​IWANABETHATGUY

📚 Documentation

• remove <script> escape behavior difference note from platform option (#​8253) by @​sapphi-red
• TypeScript & JSX support by plugins (#​8183) by @​sapphi-red

🧪 Testing

• ensure runtime module is preserved even if it's not used but has side effects (#​8213) by @​hyf0

⚙️ Miscellaneous Tasks

• deps: update oxc to v0.113.0 (#​8267) by @​renovate[bot]
• deps: update dependency oxlint-tsgolint to v0.12.0 (#​8272) by @​renovate[bot]
• deps: update oxc apps (#​8269) by @​renovate[bot]
• deps: update test262 submodule for tests (#​8261) by @​sapphi-red
• deps: update crate-ci/typos action to v1.43.4 (#​8260) by @​renovate[bot]
• deps: update dependency esbuild to v0.27.3 (#​8250) by @​renovate[bot]
• deps: update rust crates (#​8244) by @​renovate[bot]
• deps: update dependency semver to v7.7.4 (#​8247) by @​renovate[bot]
• deps: update github-actions (#​8243) by @​renovate[bot]
• deps: update npm packages (#​8245) by @​renovate[bot]
• deps: update oxc resolver to v11.17.1 (#​8240) by @​renovate[bot]
• deps: update rust crate oxc_sourcemap to v6.0.2 (#​8241) by @​renovate[bot]
• rust: handle ignored RUSTSEC-2025-0141 cargo check error (#​8235) by @​hyf0
• deps: update dependency oxlint-tsgolint to v0.11.5 (#​8233) by @​renovate[bot]
• deps: update dependency rolldown-plugin-dts to ^0.22.0 (#​8232) by @​renovate[bot]
• deps: update crate-ci/typos action to v1.43.3 (#​8225) by @​renovate[bot]
• deps: update dependency rolldown-plugin-dts to v0.21.9 (#​8224) by @​renovate[bot]
• deps: update crate-ci/typos action to v1.43.2 (#​8212) by @​renovate[bot]
• remove rolldown_plugin_vite_wasm_helper (#​8207) by @​shulaoda
• build docs for production (#​8206) by @​sapphi-red

webpack/sass-loader (sass-loader)

v16.0.7

Compare Source

npm/node-semver (semver)

v7.7.4

Compare Source

Bug Fixes

• a29faa5 #​835 cli: pass options to semver.valid() for loose version validation (#​835) (@​mldangelo)

Documentation

• 1d28d5e #​836 fix typos and update -n CLI option documentation (#​836) (@​mldangelo)

Dependencies

• 120968b #​840 @npmcli/template-oss@4.29.0 (#​840)

Chores

• 44d7130 #​824 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#​824) (@​dependabot[bot])
• 7073576 #​820 reorder parameters in invalid-versions.js test (#​820) (@​reggi)
• 5816d4c #​829 bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#​829) (@​dependabot[bot], @​npm-cli-bot)

nodejs/undici (undici)

v7.21.0

Compare Source

What's Changed

• build(deps): bump actions/setup-node from 6.0.0 to 6.2.0 by @​dependabot[bot] in #​4796
• test: restore global dispatcher after fetch tests by @​mcollina in #​4790
• Add missing close method to WebSocketStream interface by @​piotr-cz in #​4802
• fix: error stream instead of canceling by @​KhafraDev in #​4804
• Fix clientTtl cleanup race in Agent by @​mcollina in #​4807
• feat(#​4230): Implement pingInterval for dispatching PING frames by @​metcoder95 in #​4296
• fix: handle undefined __filename in bundled environments by @​mcollina in #​4812
• fix: set finalizer only for fetch responses by @​tsctx in #​4803

New Contributors

• @​piotr-cz made their first contribution in #​4802

Full Changelog: nodejs/undici@v7.20.0...v7.21.0

webpack/webpack (webpack)

v5.105.1

Compare Source

Patch Changes

• Fix VirtualUrlPlugin Windows compatibility by sanitizing cache keys and filenames. Cache keys now use toSafePath to replace colons (:) with double underscores (__) and sanitize other invalid characters, ensuring compatibility with Windows filesystem restrictions. (by @​xiaoxiaojx in #​20424)

• Revert part of the createRequire generation behavior for require("node:...") to keep compatibility with those modules exports, e.g. const EventEmitter = require("node:events");. (by @​hai-x in #​20433)

• Skip guard collection when exports-presence mode is disabled to improve parsing performance. (by @​hai-x in #​20433)

---

• If you want to rebase/retry this PR, check this box