deps(dev): bump the major-dependencies group across 1 directory with 5 updates

[dependabot]

Bumps the major-dependencies group with 5 updates in the / directory:

Package	From	To
@vitejs/plugin-react	4.7.0	5.0.2
env-cmd	10.1.0	11.0.0
jsdom	25.0.1	26.1.0
vite	6.3.5	7.1.4
vitest	2.1.9	3.2.4

Updates @vitejs/plugin-react from 4.7.0 to 5.0.2

Release notes

Sourced from @​vitejs/plugin-react's releases.

plugin-react@5.0.2

Skip transform hook completely in rolldown-vite in dev if possible (#783)

plugin-react@5.0.1

Set optimizeDeps.rollupOptions.transform.jsx instead of optimizeDeps.rollupOptions.jsx for rolldown-vite (#735)

optimizeDeps.rollupOptions.jsx is going to be deprecated in favor of optimizeDeps.rollupOptions.transform.jsx.

Perf: skip babel-plugin-react-compiler if code has no "use memo" when { compilationMode: "annotation" } (#734)

Respect tsconfig jsxImportSource (#726)

Fix reactRefreshHost option on rolldown-vite (#716)

Fix RefreshRuntime being injected twice for class components on rolldown-vite (#708)

Skip babel-plugin-react-compiler on non client environment (689)

plugin-react@5.0.0

(Same content as v5.0.0-beta.0 https://github.com/vitejs/vite-plugin-react/releases/tag/plugin-react%405.0.0-beta.0)

Use Oxc for react refresh transform in rolldown-vite

When used with rolldown-vite, this plugin now uses Oxc for react refresh transform.

Since this behavior is what @vitejs/plugin-react-oxc did, @vitejs/plugin-react-oxc is now deprecated and the disableOxcRecommendation option is removed.

Also, while @vitejs/plugin-react-oxc used the production JSX transform even for NODE_ENV=development build, @vitejs/plugin-react uses the development JSX transform for NODE_ENV=development build.

Allow processing files in node_modules

The default value of exclude options is now [/\/node_modules\//] to allow processing files in node_modules directory. It was previously [] and files in node_modules was always excluded regardless of the value of exclude option.

react and react-dom is no longer added to resolve.dedupe automatically

Adding values to resolve.dedupe forces Vite to resolve them differently from how Node.js does, which can be confusing and may not be expected. This plugin no longer adds react and react-dom to resolve.dedupe automatically.

If you encounter errors after upgrading, check your package.json for version mismatches in dependencies or devDependencies, as well as your package manager’s configuration. If you prefer the previous behavior, you can manually add react and react-dom to resolve.dedupe.

Remove old babel-plugin-react-compiler support that requires runtimeModule option

runtimeModule option is no longer needed in newer babel-plugin-react-compiler versions. Make sure to use a newer version of babel-plugin-react-compiler that supports target option.

Require Node 20.19+, 22.12+

This plugin now requires Node 20.19+ or 22.12+.

plugin-react@5.0.0-beta.0

Use Oxc for react refresh transform in rolldown-vite

... (truncated)

Changelog

Sourced from @​vitejs/plugin-react's changelog.

5.0.2 (2025-08-28)

Skip transform hook completely in rolldown-vite in dev if possible (#783)

5.0.1 (2025-08-19)

Set optimizeDeps.rollupOptions.transform.jsx instead of optimizeDeps.rollupOptions.jsx for rolldown-vite (#735)

optimizeDeps.rollupOptions.jsx is going to be deprecated in favor of optimizeDeps.rollupOptions.transform.jsx.

Perf: skip babel-plugin-react-compiler if code has no "use memo" when { compilationMode: "annotation" } (#734)

Respect tsconfig jsxImportSource (#726)

Fix reactRefreshHost option on rolldown-vite (#716)

Fix RefreshRuntime being injected twice for class components on rolldown-vite (#708)

Skip babel-plugin-react-compiler on non client environment (689)

5.0.0 (2025-08-07)

5.0.0-beta.0 (2025-07-28)

Use Oxc for react refresh transform in rolldown-vite

When used with rolldown-vite, this plugin now uses Oxc for react refresh transform.

Since this behavior is what @vitejs/plugin-react-oxc did, @vitejs/plugin-react-oxc is now deprecated and the disableOxcRecommendation option is removed.

Also, while @vitejs/plugin-react-oxc used the production JSX transform even for NODE_ENV=development build, @vitejs/plugin-react uses the development JSX transform for NODE_ENV=development build.

Allow processing files in node_modules

The default value of exclude options is now [/\/node_modules\//] to allow processing files in node_modules directory. It was previously [] and files in node_modules was always excluded regardless of the value of exclude option.

react and react-dom is no longer added to resolve.dedupe automatically

Adding values to resolve.dedupe forces Vite to resolve them differently from how Node.js does, which can be confusing and may not be expected. This plugin no longer adds react and react-dom to resolve.dedupe automatically.

If you encounter errors after upgrading, check your package.json for version mismatches in dependencies or devDependencies, as well as your package manager’s configuration. If you prefer the previous behavior, you can manually add react and react-dom to resolve.dedupe.

Remove old babel-plugin-react-compiler support that requires runtimeModule option

runtimeModule option is no longer needed in newer babel-plugin-react-compiler versions. Make sure to use a newer version of babel-plugin-react-compiler that supports target option.

Require Node 20.19+, 22.12+

This plugin now requires Node 20.19+ or 22.12+.

Commits

• 1f4b4d9 release: plugin-react@5.0.2
• c719e5d perf(react): skip transform hook completely in rolldown-vite in dev if possib...
• 9989897 fix(deps): update all non-major dependencies (#773)
• 1ab2666 build: watch common package (#748)
• efe4344 release: plugin-react@5.0.1
• 126bdb0 feat: set optimizeDeps.rollupOptions.transform.jsx instead of `optimizeDeps...
• d3934ad perf(react): skip react compiler when compilationMode: "annotation" but no ...
• e2f0c78 fix(react): respect tsconfig jsxImportSource by default (#726)
• ba0323c fix(deps): update all non-major dependencies (#729)
• d33f37d refactor(react): simplify rolldown-vite only plugins (#720)
• Additional commits viewable in compare view

Updates env-cmd from 10.1.0 to 11.0.0

Changelog

Sourced from env-cmd's changelog.

11.0.0

• BREAKING: Drop support for nodejs v8 to v20.9. The minimum supported nodejs version is now v20.10.
• BREAKING: Must use -- to separate the env-cmd flags from the command to execute (env-cmd -f .env -- node index.js).
• BREAKING: Removed -r flag and use only -f flag.
• BREAKING: Support inline comments in .env files. A # character now signifies the start of an inline comment, unless the value is surrounded by quotation marks (").
• BREAKING: Migrated the repository to ESM modules instead of CommonJS.
• BREAKING: Support variable expansion using curly-brace syntax (${MY_VAR}), when the -x option is enabled.
• Feature: Support loading env variables from .cjs and .mjs files.
• Feature: Support loading env variables from .ts, .cts, and .mts files.
• Feature: When loading an invalid JSON file, show the original parse error.
• Feature: Add a more helpful error message when trying to invoke env-cmd as a standalone command.
• Feature: Added support for nested env variables within env files with the --recursive flag
• Docs: clarify how variable expansion works.
• Internal: Replaced Travis CI with GitHub Actions, run unit tests on windows.
• Internal: Configure automatic releases to npm from GitHub Actions
• Internal: Refactor the loader logic, to make it easier to add other loaders.
• Upgrade: Update all dependencies.
• Upgrade: Upgraded all devDependencies

Commits

• 7242cb0 Merge pull request #416 from toddbluhm/fix-failing-tests
• feb6c6f fix(parse-env-file.spec): fix the failing test cases due to node version changes
• 6ced969 Merge pull request #411 from toddbluhm/release-11.0.0
• 164e597 chore(changelog): updated changelog
• 22ca151 docs: create a draft changelog for v11
• b5f3ef4 feat: version 11.0.0 release
• 3db3c8f Merge pull request #410 from toddbluhm/feat-recursive-var-expansion
• 0846e5d fix(expand-envs): test more edge cases
• 18e8a28 fix(recursive): cleaned up after rebase
• f47b9f3 chore: update readme for new option
• Additional commits viewable in compare view

Updates jsdom from 25.0.1 to 26.1.0

Release notes

Sourced from jsdom's releases.

Version 26.1.0

• Added at least partial support for various SVG elements and their classes: <defs> (SVGDefsElement), <desc> (SVGDescElement), <g> (SVGGElement), <metadata> (SVGMetadataElement), <switch> (SVGSwitchElement), and <symbol> (SVGSymbolElement).
• Added SVGAnimatedPreserveAspectRatio and SVGAnimatedRect, including support in the reflection layer.
• Added the SVGSVGElement createSVGRect() method, and the SVGRect type (which is distinct from DOMRect.)
• Added indexed property support to HTMLFormElement.
• Updated the SVGElement viewportElement() method to correctly establish the viewport based on ancestor elements.
• Removed the now-bloated form-data dependency in favor of our own smaller implementation of multipart/form-data serialization. No functional changes are expected.
• Various performance improvements, caches, microoptimizations, and deferred object creation.

Version 26.0.0

Breaking change: canvas peer dependency requirement has been upgraded from v2 to v3. (sebastianwachter)

Other changes:

• Added AbortSignal.any(). (jdbevan)
• Added initial support for form-associated custom elements, in particular making them labelable and supporting the ElementInternals labels property. The form-associated callbacks are not yet supported. (hesxenon)
• Updated whatwg-url, adding support for URL.parse().
• Updated cssstyle and rrweb-cssom, to improve CSS parsing capabilities.
• Updated nwsapi, improving CSS selector matching.
• Updated parse5, fixing a bug around <noframes> elements and HTML entity decoding.
• Fixed JSDOM.fromURL() to properly reject the returned promise if the server redirects to an invalid URL, instead of causing an uncaught exception.

Changelog

Sourced from jsdom's changelog.

Changes since 26.1.0

• Node.js v20 is now the minimum supported version.
• Added a variety of event constructors, even though we do not implement their associated specifications or ever fire them: BeforeUnloadEvent, BlobEvent, DeviceMotionEvent (omitting requestPermission()), DeviceOrientationEvent (omitting requestPermission()), PointerEvent, PromiseRejectionEvent, and TransitionEvent.
• Added movementX and movementY to MouseEvent. (These are from the Pointer Lock specification, the rest of which is not implemented.)
• Added customElements.getName(). (mash-graz)
• Updated the virtual console:
  • "jsdomError" events are now documented, with specific type properties and other properties that depend on the type.
  • sendTo() was renamed to forwardTo().
  • The jsdomErrors option to forwardTo() can be used to control which errors are sent to the Node.js console. This replaces the previous omitJSDOMErrors boolean option.
  • "jsdomError"s for failed XMLHttpRequest fetches are no longer emitted.
  • The values that are printed when forwarding "jsdomError"s to the Node.js console are streamlined.
• Switched our CSS selector engine from nwsapi to @asamuzakjp/dom-selector, closing over 20 selector-related bugs.
• Upgraded tough-cookie, which now considers URLs like http://localhost/ to be secure contexts (per the spec), and thus will return Secure-flagged cookies for such URLs. (colincasey)
• Upgraded cssstyle, which brings along many improvements and fixes to the CSSStyleDeclaration object and its properties.
• Updated the user agent stylesheet to be derived from the HTML Standard, instead of from an old revision of Chromium.
• Changed element.click() to fire a PointerEvent instead of a MouseEvent.
• Changed certain events to be passive by default.
• Changed the <input> element's pattern="" attribute to use the v regular expression flag, instead of u.
• Fixed many specification conformance issues with the Window object, including named properties and changing various data properties to accessor properties.
• Fixed document.createEvent() to accept a more correct set of event names.
• Fixed the ElementInternals accessibility getters and setters. (They were introduced in v23.1.0, but due to inadequate test coverage never actually worked.)
• Fixed using Object.defineProperty() on certain objects, such as HTMLSelectElement instances.
• Fixed jsdom.reconfigure({ url }) not updating document.baseURI or properties derived from it. (This regressed in v26.1.0.)
• Fixed CSS system colors, as well as the initial, inherit, and unset keywords, to resolve correctly. (asamuzaK)
• Fixed CSS display style resolution. (asamuzaK)

Changes since 27.0.0-beta.3

• Upgraded cssstyle, which brings along various CSS parsing fixes.

27.0.0-beta.3

• Breaking change: upgraded tough-cookie, which now considers URLs like http://localhost/ to be secure contexts (per the spec), and thus will return Secure-flagged cookies for such URLs. (colincasey)
• Added customElements.getName(). (mash-graz)
• Changed the <input> element's pattern="" attribute to use the v regular expression flag, instead of u.
• Fixed jsdom.reconfigure({ url }) not updating document.baseURI or properties derived from it. This regressed in v26.1.0.
• Fixed CSS system colors, as well as the initial, inherit, and unset keywords, to resolve correctly. This is especially important since the change in v27.0.0-beta.1 to use system colors in the user agent stylesheet. (asamuzaK)
• Fixed CSS background property parsing and serialization. (asamuzaK)
• Fixed CSS color parsing and serialization inside of gradients. (asamuzaK)
• Fixed CSS display style resolution. (asamuzaK)
• Upgraded @asamuzakjp/dom-selector, which notably fixed repeated use of the :scope selector. (asamuzaK)

27.0.0-beta.2

Significantly improved specification conformance for the Window object, including named properties and changing various data properties to accessor properties. This is not likely to be breaking, but since it's a complex change to such a core object, we're happy to do another beta testing release with this included before graduating the v27 line to stable.

Additionally, updated cssstyle to v4.4.0, which brings along various conformance fixes to the CSSStyleDeclaration object and its properties.

27.0.0-beta.1

... (truncated)

Commits

• 1911c80 Version 26.1.0
• ea6e851 Add failing script execution order test
• 2be9dcf Add passing tests for CSS parsing errors
• 9c68fe3 Add failing CSS container queries test
• 501b1cc Add failing CSS cascade layer test
• 1916583 Add passing font-face with a data URL parsing test
• fc2a337 Add passing javascript: URL href test
• 91c610d Move to-upstream CSS tests to correct directory
• a5be813 Add failing calc() serialization test
• 326745d Add passing oklch() serialization test
• Additional commits viewable in compare view

Updates vite from 6.3.5 to 7.1.4

Release notes

Sourced from vite's releases.

v7.1.4

Please refer to CHANGELOG.md for details.

v7.1.3

Please refer to CHANGELOG.md for details.

create-vite@7.1.3

Please refer to CHANGELOG.md for details.

v7.1.2

Please refer to CHANGELOG.md for details.

create-vite@7.1.2

Please refer to CHANGELOG.md for details.

v7.1.1

Please refer to CHANGELOG.md for details.

create-vite@7.1.1

Please refer to CHANGELOG.md for details.

plugin-legacy@7.1.0

Please refer to CHANGELOG.md for details.

create-vite@7.1.0

Please refer to CHANGELOG.md for details.

v7.1.0

Please refer to CHANGELOG.md for details.

v7.1.0-beta.1

Please refer to CHANGELOG.md for details.

v7.1.0-beta.0

Please refer to CHANGELOG.md for details.

v7.0.8

Please refer to CHANGELOG.md for details.

v7.0.7

Please refer to CHANGELOG.md for details.

v7.0.6

Please refer to CHANGELOG.md for details.

v7.0.5

Please refer to CHANGELOG.md for details.

v7.0.4

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

7.1.4 (2025-09-01)

Bug Fixes

• add missing awaits (#20697) (79d10ed)
• deps: update all non-major dependencies (#20676) (5a274b2)
• deps: update all non-major dependencies (#20709) (0401feb)
• pass rollup watch options when building in watch mode (#20674) (f367453)

Miscellaneous Chores

• remove unused constants entry from rolldown.config.ts (#20710) (537fcf9)

Code Refactoring

• remove unnecessary minify parameter from finalizeCss (#20701) (8099582)

7.1.3 (2025-08-19)

Features

• cli: add Node.js version warning for unsupported versions (#20638) (a1be1bf)
• generate code frame for parse errors thrown by terser (#20642) (a9ba017)
• support long lines in generateCodeFrame (#20640) (1559577)

Bug Fixes

• deps: update all non-major dependencies (#20634) (4851cab)
• optimizer: incorrect incompatible error (#20439) (446fe83)
• support multiline new URL(..., import.meta.url) expressions (#20644) (9ccf142)

Performance Improvements

• cli: dynamically import resolveConfig (#20646) (f691f57)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#20633) (98b92e8)

Code Refactoring

• replace startsWith with strict equality (#20603) (42816de)
• use import in worker threads (#20641) (530687a)

Tests

• remove checkNodeVersion test (#20647) (731d3e6)

7.1.2 (2025-08-12)

Bug Fixes

• client: add [vite] prefixes to debug logs (#20595) (7cdef61)

... (truncated)

Commits

• bcc3144 release: v7.1.4
• 0401feb fix(deps): update all non-major dependencies (#20709)
• 537fcf9 chore: remove unused constants entry from rolldown.config.ts (#20710)
• 79d10ed fix: add missing awaits (#20697)
• 8099582 refactor: remove unnecessary minify parameter from finalizeCss (#20701)
• f367453 fix: pass rollup watch options when building in watch mode (#20674)
• 5a274b2 fix(deps): update all non-major dependencies (#20676)
• e090b7d release: v7.1.3
• 9ccf142 fix: support multiline new URL(..., import.meta.url) expressions (#20644)
• 731d3e6 test: remove checkNodeVersion test (#20647)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for vite since your current version.

Updates vitest from 2.1.9 to 3.2.4

Release notes

Sourced from vitest's releases.

v3.2.4

   🐞 Bug Fixes

• Use correct path for optimisation of strip-literal  -  by @​mrginglymus in vitest-dev/vitest#8139 (44940)
• Print uint and buffer as a simple string  -  by @​sheremet-va in vitest-dev/vitest#8141 (b86bf)
• browser:
  • Show a helpful error when spying on an export  -  by @​sheremet-va in vitest-dev/vitest#8178 (56007)
• cli:
  • vitest run --watch should be watch-mode  -  by @​AriPerkkio in vitest-dev/vitest#8128 (657e8)
  • Use absolute path environment on Windows  -  by @​colinaaa in vitest-dev/vitest#8105 (85dc0)
  • Throw error when --shard x/<count> exceeds count of test files  -  by @​AriPerkkio in vitest-dev/vitest#8112 (8a18c)
• coverage:
  • Ignore SCSS in browser mode  -  by @​sheremet-va in vitest-dev/vitest#8161 (0c3be)
• deps:
  • Update all non-major dependencies  -  in vitest-dev/vitest#8123 (93f32)
• expect:
  • Handle async errors in expect.soft  -  by @​lzl0304 in vitest-dev/vitest#8145 (68699)
• pool:
  • Auto-adjust minWorkers when only maxWorkers specified  -  by @​AriPerkkio in vitest-dev/vitest#8110 (14dc0)
• reporter:
  • task.meta should be available in custom reporter's errors  -  by @​AriPerkkio in vitest-dev/vitest#8115 (27df6)
• runner:
  • Preserve handler wrapping on extend  -  by @​pengooseDev in vitest-dev/vitest#8153 (a9281)
• ui:
  • Ensure ui config option works correctly  -  by @​lzl0304 in vitest-dev/vitest#8147 (42eeb)

    View changes on GitHub

v3.2.3

   🚀 Features

• browser: Use base url instead of vitest  -  by @​sheremet-va in vitest-dev/vitest#8126 (1d8eb)
• ui: Show test annotations and metadata in the test report tab  -  by @​sheremet-va in vitest-dev/vitest#8093 (c69be)

   🐞 Bug Fixes

• Rerun tests when project's setup file is changed  -  by @​sheremet-va in vitest-dev/vitest#8097 (0f335)
• Revert expect.any return type  -  by @​sheremet-va in vitest-dev/vitest#8129 (47514)
• Run only the name plugin last, not all config plugins  -  by @​sheremet-va in vitest-dev/vitest#8130 (83862)
• pool:
  • Throw if user's tests use process.send()  -  by @​AriPerkkio in vitest-dev/vitest#8125 (dfe81)
• runner:
  • Fast sequential task updates missing  -  by @​AriPerkkio in vitest-dev/vitest#8121 (7bd11)
  • Comments between fixture destructures  -  by @​AriPerkkio in vitest-dev/vitest#8127 (dc469)
• vite-node:
  • Unable to handle errors where sourcemap mapping empty  -  by @​blake-newman and @​hi-ogawa in vitest-dev/vitest#8071 (8aa25)

    View changes on GitHub

v3.2.2

... (truncated)

Commits

• c666d14 chore: release v3.2.4
• 8a18c8e fix(cli): throw error when --shard x/\<count> exceeds count of test files (#...
• 8abd7cc chore(deps): update tinypool (#8174)
• 93f3200 fix(deps): update all non-major dependencies (#8123)
• 0c3be6f fix(coverage): ignore SCSS in browser mode (#8161)
• 790bc31 chore: update deprecation notice for globs (#8148)
• c0eae7d chore: update deprecated workspace file log (#8118)
• 14dc072 fix(pool): auto-adjust minWorkers when only maxWorkers specified (#8110)
• 85dc019 fix(cli): use absolute path environment on Windows (#8105)
• 27df68a fix(reporter): task.meta should be available in custom reporter's errors (#...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions