chore: bump the npm-patch-minor group across 1 directory with 3 updates

[dependabot]

Bumps the npm-patch-minor group with 3 updates in the / directory: @vitest/coverage-v8, esbuild and vite-plus.

Updates @vitest/coverage-v8 from 4.1.5 to 4.1.7

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in vitest-dev/vitest#10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in vitest-dev/vitest#10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

Commits

• a09d472 chore: release v4.1.7
• a8fd24c chore: release v4.1.6
• See full diff in compare view

Updates esbuild from 0.27.4 to 0.28.0

Release notes

Sourced from esbuild's releases.

v0.28.0

• Add support for with { type: 'text' } imports (#4435)

  The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

  import string from './example.txt' with { type: 'text' }
  console.log(string)

• Add integrity checks to fallback download path (#4343)

  Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

  This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

• Update the Go compiler from 1.25.7 to 1.26.1

  This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

  • It now uses the new garbage collector that comes with Go 1.26.
  • The Go compiler is now more aggressive with allocating memory on the stack.
  • The executable format that the Go linker uses has undergone several changes.
  • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

  You can read the Go 1.26 release notes for more information.

v0.27.7

• Fix lowering of define semantics for TypeScript parameter properties (#4421)

  The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

  // Original code
  class Foo {
    constructor(public x = 1) {}
    y = 2
  }
  // Old output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  this.x = x;
  __publicField(this, "y", 2);
  }
  x;
  }
  // New output (with --loader=ts --target=es2021)
  class Foo {

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.28.0

• Add support for with { type: 'text' } imports (#4435)

  The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

  import string from './example.txt' with { type: 'text' }
  console.log(string)

• Add integrity checks to fallback download path (#4343)

  Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

  This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

• Update the Go compiler from 1.25.7 to 1.26.1

  This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

  • It now uses the new garbage collector that comes with Go 1.26.
  • The Go compiler is now more aggressive with allocating memory on the stack.
  • The executable format that the Go linker uses has undergone several changes.
  • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

  You can read the Go 1.26 release notes for more information.

0.27.7

• Fix lowering of define semantics for TypeScript parameter properties (#4421)

  The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

  // Original code
  class Foo {
    constructor(public x = 1) {}
    y = 2
  }
  // Old output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  this.x = x;
  __publicField(this, "y", 2);
  }
  x;
  }

... (truncated)

Commits

• 6a794df publish 0.28.0 to npm
• 64ee0ea fix #4435: support with { type: text } imports
• ef65aee fix sort order in snapshots_packagejson.txt
• 1a26a8e try to fix test-old-ts, also shuffle CI tasks
• 556ce6c use '' instead of null to omit build hashes
• 8e675a8 ci: allow missing binary hashes for tests
• 7067763 Reapply "update go 1.25.7 => 1.26.1"
• 39473a9 fix #4343: integrity check for binary download
• 2025c9f publish 0.27.7 to npm
• c6b586e fix typo in Makefile for @esbuild/win32-x64
• Additional commits viewable in compare view

Updates vite-plus from 0.1.20 to 0.1.22

Release notes

Sourced from vite-plus's releases.

vite-plus v0.1.22

A critical Vitest browser-mode security fix, parallel vp add -g installs, a built-in oxlint rule to prefer vite-plus imports, and a new --git switch for vp create.

Highlights

• Security: bundled vitest bumped to 4.1.6 to address GHSA-2h32-95rg-cppp (Critical, CVSS 9.6), an XSS to RCE chain via the otelCarrier query parameter in Vitest browser mode (#1633)
• Parallel global install: vp add/install/update -g now installs packages concurrently with a progress bar and a --concurrency flag (default 5) (#1597)
• Prefer vite-plus imports: new bundled oxlint rule rewrites vite/vitest imports to vite-plus, enabled by default in generated and migrated lint configs (#1408)
• Git init on scaffold: vp create learns --git/--no-git (interactive prompt; auto-commits "Initial commit from Vite+") (#1484)

Features

• Spawn npm for global installation in parallel with a progress bar and a --concurrency option (#1597), by @​liangmiQwQ
• Add bundled oxlint rule to prefer vite-plus imports over vite/vitest (#1408), by @​Han5991
• vp create: initialize a git repository and create an initial commit on scaffold (#1484), by @​ryohidaka
• vp create: rename underscore-prefixed files (_gitignore, _npmrc, _yarnrc.yml) to dotfiles for @org/create bundled templates (#1574), by @​jong-kyung
• Add VP_PR_VERSION env var to install unreleased PR builds via pkg.pr.new (#1578), by @​fengmk2

Fixes & Enhancements

• Skip merging standalone .oxfmtrc/.oxlintrc config when the fmt:/lint: key is already declared in vite.config.ts (fixes duplicate-block regression in vp create fate) (#1601), by @​fengmk2
• Suppress the VITE+ - The Unified Toolchain for the Web banner for vp lint --lsp, vp fmt --lsp, and vp fmt --stdin-filepath so stdout stays a pure LSP / formatter stream (#1619), by @​fengmk2
• vp create: detect output directory when running in the current directory (#1606), by @​jong-kyung
• vp update -g: skip installs when the recorded global package version already matches the npm-resolved version, and tolerate string/array outputs from npm view ... version --json (#1596), by @​leno23
• vp create: preserve single-segment project path in updateWorkspaceConfig (#1582), by @​jong-kyung
• vp env use: keep the change session-scoped on Windows (#1577), by @​fengmk2
• vp rebuild: accept positional package names (#1564), by @​fengmk2
• Adopt the new vite-task error formatter; errors now print as error: <top-level> plus * <source> chain lines, with bold-red highlight on a TTY (vite-task#390), by @​branchseer
• vite-task: forward LOCALAPPDATA so Node's compile cache stays outside the workspace on Windows (vite-task#389), by @​branchseer
• Bump vite-task to c945cc0 (#1628), by @​branchseer

Refactor

• Revert vp pm plugin command (per discussion in #1038) (#1623), by @​jong-kyung

Docs

• Add vitepress-plugin-llms to the docs site so the published docs include LLM-friendly outputs (/llms.txt) (#1625), by @​jong-kyung
• Refresh home stats for oxlint, vite, and vitest (#1512), by @​nozomee
• Mention vp env doctor in agent instructions (#1603), by @​leno23

Chore

• Consolidate the upstream build chain into a single pnpm build script (justfile recipe now just calls pnpm build) (#1626), by @​fengmk2
• Fix bootstrap-cli on Windows (#1583), by @​fengmk2
• Refresh trusted stack stats (#1573, #1616), by @​voidzero-guard[bot]
• Update GitHub Actions (#1611, #1612), by @​renovate[bot]
• Address zizmor findings in composite actions and the release workflow; drop unused actions-cool/issues-helper (#1630), by @​Boshen
• Switch plain checkouts to taiki-e/checkout-action (#1620), by @​Boshen
• Switch release to a version-bump PR + push trigger flow (#1575), by @​Boshen

... (truncated)

Commits

• 12368da release: v0.1.22 (#1637)
• 2a44bce chore: bump vite-task to c945cc0 (#1628)
• f0ae621 feat(cli): spawn npm for global installation in parallel and refine output (#...
• e80e241 revert: remove vp pm plugin command (#1623)
• 3dc7c75 docs: mention env doctor in agent instructions (#1603)
• 9e44db1 fix(cli): skip merging standalone oxfmt/oxlint config when key already in vit...
• 9f718e7 fix(cli): detect create output in current directory (#1606)
• 99d3e41 feat(cli): add oxlint rule to prefer vite-plus imports (#1408)
• 5d68116 feat(cli): Initialize a git repository and create an initial commit on scaffo...
• 023e700 test(cli): add --help case to config snap tests for npm10/yarn1/yarn4 (#1585)
• Additional commits viewable in compare view

[cubic-dev-ai]

No issues found across 2 files

_{Re-trigger cubic}

[putio-release-bot]

🎉 This PR is included in version 1.2.4 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀