chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@types/node (source)	^22.17.0 -> ^22.18.0			devDependencies	minor
esbuild	^0.25.8 -> ^0.25.9			devDependencies	patch
node	22 -> 22.18.0			uses-with	minor
pnpm (source)	10.13.1 -> 10.15.0			packageManager	minor
typescript (source)	^5.8.3 -> ^5.9.2			devDependencies	minor

---

Release Notes

evanw/esbuild (esbuild)

v0.25.9

Compare Source

• Better support building projects that use Yarn on Windows (#​3131, #​3663)

  With this release, you can now use esbuild to bundle projects that use Yarn Plug'n'Play on Windows on drives other than the C: drive. The problem was as follows:

  1. Yarn in Plug'n'Play mode on Windows stores its global module cache on the C: drive
  2. Some developers put their projects on the D: drive
  3. Yarn generates relative paths that use ../.. to get from the project directory to the cache directory
  4. Windows-style paths don't support directory traversal between drives via .. (so D:\.. is just D:)
  5. I didn't have access to a Windows machine for testing this edge case

  Yarn works around this edge case by pretending Windows-style paths beginning with C:\ are actually Unix-style paths beginning with /C:/, so the ../.. path segments are able to navigate across drives inside Yarn's implementation. This was broken for a long time in esbuild but I finally got access to a Windows machine and was able to debug and fix this edge case. So you should now be able to bundle these projects with esbuild.

• Preserve parentheses around function expressions (#​4252)

  The V8 JavaScript VM uses parentheses around function expressions as an optimization hint to immediately compile the function. Otherwise the function would be lazily-compiled, which has additional overhead if that function is always called immediately as lazy compilation involves parsing the function twice. You can read V8's blog post about this for more details.

  Previously esbuild did not represent parentheses around functions in the AST so they were lost during compilation. With this change, esbuild will now preserve parentheses around function expressions when they are present in the original source code. This means these optimization hints will not be lost when bundling with esbuild. In addition, esbuild will now automatically add this optimization hint to immediately-invoked function expressions. Here's an example:

  // Original code
  const fn0 = () => 0
  const fn1 = (() => 1)
  console.log(fn0, function() { return fn1() }())
  
  // Old output
  const fn0 = () => 0;
  const fn1 = () => 1;
  console.log(fn0, function() {
    return fn1();
  }());
  
  // New output
  const fn0 = () => 0;
  const fn1 = (() => 1);
  console.log(fn0, (function() {
    return fn1();
  })());

  Note that you do not want to wrap all function expressions in parentheses. This optimization hint should only be used for functions that are called on initial load. Using this hint for functions that are not called on initial load will unnecessarily delay the initial load. Again, see V8's blog post linked above for details.

• Update Go from 1.23.10 to 1.23.12 (#​4257, #​4258)

  This should have no effect on existing code as this version change does not change Go's operating system support. It may remove certain false positive reports (specifically CVE-2025-4674 and CVE-2025-47907) from vulnerability scanners that only detect which version of the Go compiler esbuild uses.

actions/node-versions (node)

v22.18.0: 22.18.0

Compare Source

Node.js 22.18.0

v22.17.1: 22.17.1

Compare Source

Node.js 22.17.1

v22.17.0: 22.17.0

Compare Source

Node.js 22.17.0

v22.16.0: 22.16.0

Compare Source

Node.js 22.16.0

v22.15.1: 22.15.1

Compare Source

Node.js 22.15.1

v22.15.0: 22.15.0

Compare Source

Node.js 22.15.0

v22.14.0: 22.14.0

Compare Source

Node.js 22.14.0

v22.13.1: 22.13.1

Compare Source

Node.js 22.13.1

v22.13.0: 22.13.0

Compare Source

Node.js 22.13.0

v22.12.0: 22.12.0

Compare Source

Node.js 22.12.0

v22.11.0: 22.11.0

Compare Source

Node.js 22.11.0

v22.10.0: 22.10.0

Compare Source

Node.js 22.10.0

v22.9.0: 22.9.0

Compare Source

Node.js 22.9.0

v22.8.0: 22.8.0

Compare Source

Node.js 22.8.0

v22.7.0: 22.7.0

Compare Source

Node.js 22.7.0

v22.6.0: 22.6.0

Compare Source

Node.js 22.6.0

v22.5.1: 22.5.1

Compare Source

Node.js 22.5.1

v22.5.0: 22.5.0

Compare Source

Node.js 22.5.0

v22.4.1: 22.4.1

Compare Source

Node.js 22.4.1

v22.4.0: 22.4.0

Compare Source

Node.js 22.4.0

v22.3.0: 22.3.0

Compare Source

Node.js 22.3.0

v22.2.0: 22.2.0

Compare Source

Node.js 22.2.0

v22.1.0: 22.1.0

Compare Source

Node.js 22.1.0

pnpm/pnpm (pnpm)

v10.15.0

Compare Source

Minor Changes

• Added the cleanupUnusedCatalogs configuration. When set to true, pnpm will remove unused catalog entries during installation #​9793.
• Automatically load pnpmfiles from config dependencies that are named @*/pnpm-plugin-* #​9780.
• pnpm config get now prints an INI string for an object value #​9797.
• pnpm config get now accepts property paths (e.g. pnpm config get catalog.react, pnpm config get .catalog.react, pnpm config get 'packageExtensions["@​babel/parser"].peerDependencies["@​babel/types"]'), and pnpm config set now accepts dot-leading or subscripted keys (e.g. pnpm config set .ignoreScripts true).
• pnpm config get --json now prints a JSON serialization of config value, and pnpm config set --json now parses the input value as JSON.

Patch Changes

• Semi-breaking. When automatically installing missing peer dependencies, prefer versions that are already present in the direct dependencies of the root workspace package #​9835.
• When executing the pnpm create command, must verify whether the node version is supported even if a cache already exists #​9775.
• When making requests for the non-abbreviated packument, add */* to the Accept header to avoid getting a 406 error on AWS CodeArtifact #​9862.
• The standalone exe version of pnpm works with glibc 2.26 again #​9734.
• Fix a regression in which pnpm dlx pkg --help doesn't pass --help to pkg #​9823.

v10.14.0

Compare Source

Minor Changes

• Added support for JavaScript runtime resolution

  Declare Node.js, Deno, or Bun in devEngines.runtime (inside package.json) and let pnpm download and pin it automatically.

  Usage example:

  {
    "devEngines": {
      "runtime": {
        "name": "node",
        "version": "^24.4.0",
        "onFail": "download" (we only support the "download" value for now)
      }
    }
  }

  How it works:

  1. pnpm install resolves your specified range to the latest matching runtime version.
  2. The exact version (and checksum) is saved in the lockfile.
  3. Scripts use the local runtime, ensuring consistency across environments.

  Why this is better:

  1. This new setting supports also Deno and Bun (vs. our Node-only settings useNodeVersion and executionEnv.nodeVersion)
  2. Supports version ranges (not just a fixed version).
  3. The resolved version is stored in the pnpm lockfile, along with an integrity checksum for future validation of the Node.js content's validity.
  4. It can be used on any workspace project (like executionEnv.nodeVersion). So, different projects in a workspace can use different runtimes.
  5. For now devEngines.runtime setting will install the runtime locally, which we will improve in future versions of pnpm by using a shared location on the computer.

  Related PR: #​9755.

• Add --cpu, --libc, and --os to pnpm install, pnpm add, and pnpm dlx to customize supportedArchitectures via the CLI #​7510.

Patch Changes

• Fix a bug in which pnpm add downloads packages whose libc differ from pnpm.supportedArchitectures.libc.
• The integrities of the downloaded Node.js artifacts are verified #​9750.
• Allow dlx to parse CLI flags and options between the dlx command and the command to run or between the dlx command and -- #​9719.
• pnpm install --prod should removing hoisted dev dependencies #​9782.
• Fix an edge case bug causing local tarballs to not re-link into the virtual store. This bug would happen when changing the contents of the tarball without renaming the file and running a filtered install.
• Fix a bug causing pnpm install to incorrectly assume the lockfile is up to date after changing a local tarball that has peers dependencies.

microsoft/TypeScript (typescript)

v5.9.2

Compare Source

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.