build(deps): bump the minor-and-patch group across 1 directory with 7 updates

[dependabot]

Bumps the minor-and-patch group with 7 updates in the / directory:

Package	From	To
oxlint	1.47.0	1.51.0
turbo	2.8.9	2.8.14
wrangler	4.66.0	4.71.0
@vitejs/plugin-rsc	0.5.19	0.5.21
srvx	0.11.4	0.11.8
tsdown	0.20.3	0.21.0
@types/node	25.2.3	25.3.5

Updates oxlint from 1.47.0 to 1.51.0

Release notes

Sourced from oxlint's releases.

oxlint v1.27.0 && oxfmt v0.12.0

Oxlint v1.27.0

🚀 Features

• 222a8f0 linter/plugins: Implement SourceCode#isSpaceBetween (#15498) (overlookmotel)
• 2f9735d linter/plugins: Implement context.languageOptions (#15486) (overlookmotel)
• bc731ff linter/plugins: Stub out all Context APIs (#15479) (overlookmotel)
• 5822cb4 linter/plugins: Add extend method to FILE_CONTEXT (#15477) (overlookmotel)
• 7b1e6f3 apps: Add pure rust binaries and release to github (#15469) (Boshen)
• 2a89b43 linter: Introduce debug assertions after fixes to assert validity (#15389) (camc314)
• ad3c45a editor: Add oxc.path.node option (#15040) (Sysix)

🐛 Bug Fixes

• 6f3cd77 linter/no-var: Incorrect warning for blocks (#15504) (Hamir Mahal)
• 6957fb9 linter/plugins: Do not allow access to Context#id in createOnce (#15489) (overlookmotel)
• 7409630 linter/plugins: Allow access to cwd in createOnce in ESLint interop mode (#15488) (overlookmotel)
• 732205e parser: Reject using / await using in a switch case / default clause (#15225) (sapphi-red)
• a17ca32 linter/plugins: Replace Context class (#15448) (overlookmotel)
• ecf2f7b language_server: Fail gracefully when tsgolint executable not found (#15436) (camc314)
• 3c8d3a7 lang-server: Improve logging in failure case for tsgolint (#15299) (camc314)
• ef71410 linter: Use jsx if source type is JS in fix debug assertion (#15434) (camc314)
• e32bbf6 linter/no-var: Handle TypeScript declare keyword in fixer (#15426) (camc314)
• 6565dbe linter/switch-case-braces: Skip comments when searching for : token (#15425) (camc314)
• 85bd19a linter/prefer-class-fields: Insert value after type annotation in fixer (#15423) (camc314)
• fde753e linter/plugins: Block access to context.settings in createOnce (#15394) (overlookmotel)
• ddd9f9f linter/forward-ref-uses-ref: Dont suggest removing wrapper in invalid positions (#15388) (camc314)
• dac2a9c linter/no-template-curly-in-string: Remove fixer (#15387) (camc314)
• 989b8e3 linter/no-var: Only fix to const if the var has an initializer (#15385) (camc314)
• cc403f5 linter/plugins: Return empty object for unimplemented parserServices (#15364) (magic-akari)

⚡ Performance

• 25d577e language_server: Start tools in parallel (#15500) (Sysix)
• 3c57291 linter/plugins: Optimize loops (#15449) (overlookmotel)
• 3166233 linter/plugins: Remove Arcs (#15431) (overlookmotel)
• 9de1322 linter/plugins: Lazily deserialize settings JSON (#15395) (overlookmotel)
• 3049ec2 linter/plugins: Optimize deepFreezeSettings (#15392) (overlookmotel)
• 444ebfd linter/plugins: Use single object for parserServices (#15378) (overlookmotel)

📚 Documentation

• 97d2104 linter: Update comment in lint.rs about default value for tsconfig path (#15530) (Connor Shea)
• 2c6bd9e linter: Always refer as "ES2015" instead of "ES6" (#15411) (sapphi-red)
• a0c5203 linter/import/named: Update "ES7" comment in examples (#15410) (sapphi-red)
• 3dc24b5 linter,minifier: Always refer as "ES Modules" instead of "ES6 Modules" (#15409) (sapphi-red)
• 2ad77fb linter/no-this-before-super: Correct "Why is this bad?" section (#15408) (sapphi-red)
• 57f0ce1 linter: Add backquotes where appropriate (#15407) (sapphi-red)

Oxfmt v0.12.0

... (truncated)

Changelog

Sourced from oxlint's changelog.

[1.51.0] - 2026-03-02

🚀 Features

• f34f6fa linter: Introduce typeCheck config option (#19764) (camc314)
• 694be7d linter: Introduce typeAware as config options (#19614) (camc314)

🐛 Bug Fixes

• 04e6223 npm: Add preferUnplugged for Yarn PnP compatibility (#19829) (Boshen)

📚 Documentation

• 2fa936f README.md: Map npm package links to npmx.dev (#19666) (Boshen)

[1.45.0] - 2026-02-10

🐛 Bug Fixes

• 1b2f354 ci: Add missing riscv64/s390x napi targets for oxfmt and oxlint (#19217) (Cameron)

[1.44.0] - 2026-02-10

🚀 Features

• ee2925b oxlint/lsp: Enable JS plugins (#18834) (overlookmotel)
• 9788a96 oxlint,oxfmt: Add more native builds (#18853) (Boshen)

📚 Documentation

• 9561e7f linter/plugins: Alter JS plugins example (#18900) (overlookmotel)
• b425a0c linter: Document jsPlugins examples (#18671) (Cameron)
• df2b7fa linter: Expand settings example with reference to custom plugins (#18670) (camc314)

[1.42.0] - 2026-01-26

🚀 Features

• 15d69dc linter: Implement react/display-name rule (#18426) (camchenry)

📚 Documentation

• 8ccd853 npm: Update package homepage URLs and add keywords (#18509) (Boshen)

[1.41.0] - 2026-01-19

📚 Documentation

• 8a294d5 oxfmt, oxlint: Update logo (#18242) (Dunqing)

... (truncated)

Commits

• 3d7b2ec release(apps): oxlint v1.51.0 && oxfmt v0.36.0 (#19912)
• 04e6223 fix(npm): add preferUnplugged for Yarn PnP compatibility (#19829)
• f34f6fa feat(linter): introduce typeCheck config option (#19764)
• 694be7d feat(linter): introduce typeAware as config options (#19614)
• 3c57b5e chore(linter, formatter): update playground url (#19697)
• 7d7d0b0 chore(oxlint): bump min tsgolint version to 0.15.0 (#19693)
• 2fa936f docs(README.md): map npm package links to npmx.dev (#19666)
• a08c28d release(apps): oxlint v1.50.0 && oxfmt v0.35.0 (#19627)
• 3f0d1dd release(apps): oxlint v1.49.0 && oxfmt v0.34.0 (#19553)
• c34263c chore(oxlint): bump min tsgolint version to 0.14.1 (#19554)
• Additional commits viewable in compare view

Updates turbo from 2.8.9 to 2.8.14

Release notes

Sourced from turbo's releases.

Turborepo v2.8.14-canary.9

What's Changed

Changelog

• perf: Fire-and-forget telemetry and analytics HTTP flushes on shutdown by @​anthonyshew in vercel/turborepo#12162
• perf: Defer lockfile await until after internal dependency resolution by @​anthonyshew in vercel/turborepo#12164
• refactor: Extract turborepo-query-api trait crate for compile-time decoupling by @​anthonyshew in vercel/turborepo#12165
• feat: Include version, platform, and CPU count in Chrome trace profiles by @​anthonyshew in vercel/turborepo#12166
• docs: Remove bespoke AI prompts from documentation pages by @​anthonyshew in vercel/turborepo#12167
• test: Add comprehensive path traversal tests for cache archive by @​anthonyshew in vercel/turborepo#12169
• test: Add regression tests and OutputWatcher trait to prepare for daemon removal from turbo watch by @​anthonyshew in vercel/turborepo#12171

Full Changelog: vercel/turborepo@v2.8.14-canary.8...v2.8.14-canary.9

Turborepo v2.8.14-canary.5

What's Changed

Changelog

• fix: Preserve deeply nested workspace deps during npm lockfile pruning by @​anthonyshew in vercel/turborepo#12146

Full Changelog: vercel/turborepo@v2.8.14-canary.4...v2.8.14-canary.5

Turborepo v2.8.14-canary.4

What's Changed

Changelog

• feat: Add runAttributes config to OTel metrics for cardinality control by @​bkonkle in vercel/turborepo#12144

Full Changelog: vercel/turborepo@v2.8.14-canary.3...v2.8.14-canary.4

Turborepo v2.8.14-canary.3

What's Changed

Changelog

• fix: Treat Bun runtime modules as builtins in Boundaries by @​anthonyshew in vercel/turborepo#12141
• feat: Add futureFlags.longerSignatureKey to enforce minimum HMAC key length by @​anthonyshew in vercel/turborepo#12142

Full Changelog: vercel/turborepo@v2.8.14-canary.2...v2.8.14-canary.3

Turborepo v2.8.14-canary.2

... (truncated)

Commits

• c8fe2c1 publish 2.8.14 to registry
• 27e8e67 release(turborepo): 2.8.14-canary.9 (#12173)
• 0efbe30 test: Add regression tests and OutputWatcher trait to prepare for daemon re...
• 6fbd5bb test: Add comprehensive path traversal tests for cache archive (#12169)
• c456ad3 ci: Remove redundant rust_check job from lint workflow (#12168)
• ebe5e87 docs: Remove bespoke AI prompts from documentation pages (#12167)
• 716d886 feat: Include version, platform, and CPU count in Chrome trace profiles (#12166)
• 7acfdc4 refactor: Extract turborepo-query-api trait crate for compile-time decoupli...
• 14dd839 perf: Defer lockfile await until after internal dependency resolution (#12164)
• 6923c52 perf: Fire-and-forget telemetry and analytics HTTP flushes on shutdown (#12162)
• Additional commits viewable in compare view

Updates wrangler from 4.66.0 to 4.71.0

Release notes

Sourced from wrangler's releases.

wrangler@4.71.0

Minor Changes

• #11656 ec2459e Thanks @​prydt! - feat(hyperdrive): add MySQL SSL mode and Custom CA support

  Hyperdrive now supports MySQL-specific SSL modes (REQUIRED, VERIFY_CA, VERIFY_IDENTITY) alongside the existing PostgreSQL modes. The --sslmode flag now validates the provided value based on the database scheme (PostgreSQL or MySQL) and enforces appropriate CA certificate requirements for each.

  Usage:

  # MySQL with CA verification
  wrangler hyperdrive create my-config --connection-string="mysql://user:pass@host:3306/db" --sslmode=VERIFY_CA --ca-certificate-id=<cert-id>
  PostgreSQL (unchanged)
  wrangler hyperdrive create my-config --connection-string="postgres://user:pass@host:5432/db" --sslmode=verify-full --ca-certificate-id=<cert-id>

Patch Changes

• Updated dependencies [5cc8fcf]:
  • @​cloudflare/unenv-preset@​2.15.0
  • miniflare@4.20260301.1

wrangler@4.70.0

Minor Changes

• #11332 6a8aa5f Thanks @​nikitassharma! - Users are now able to configure DockerHub credentials and have containers reference images stored there.

  DockerHub can be configured as follows:

  echo $PAT_TOKEN | npx wrangler@latest containers registries configure docker.io --dockerhub-username=user --secret-name=DockerHub_PAT_Token

  Containers can then specify an image from DockerHub in their wrangler.jsonc as follows:

  "containers": {
    "image": "docker.io/namespace/image:tag",
    ...
  }

• #12649 35b2c56 Thanks @​gabivlj! - Add experimental support for containers to workers communication with interceptOutboundHttp

  This feature is experimental and requires adding the "experimental" compatibility flag to your Wrangler configuration.

• #12701 23a365a Thanks @​jamesopstad! - Add local dev validation for the experimental secrets configuration property

  When the new secrets property is defined, wrangler dev and vite dev now validate secrets declared in secrets.required. When required secrets are missing from .dev.vars or .env/process.env, a warning is logged listing the missing secret names.

... (truncated)

Commits

• 9dff00c Version Packages (#12748)
• 331d4de Revert "Bump the workerd-and-workers-types group with 2 updates" (#12776)
• 48bbe20 Bump the workerd-and-workers-types group with 2 updates (#12768)
• ec2459e Add MySQL SSL options for hyperdrive creation (#11656)
• 5cc8fcf [unenv] Use the native workerd perf_hooks modules when available (#10618)
• ea57dfd Version Packages (#12702)
• bf9cb3d feat: add configurable step limits for Workflows (#12622)
• 6a8aa5f Allow users to configure DockerHub for use with containers (#11332)
• d672e2e Fix SolidStart autoconfig for projects using version 2.0.0-alpha or later (#1...
• 35b2c56 containers: Add container and test Containers interceptOutboundHttp (#12649)
• Additional commits viewable in compare view

Updates @vitejs/plugin-rsc from 0.5.19 to 0.5.21

Release notes

Sourced from @​vitejs/plugin-rsc's releases.

plugin-rsc@0.5.21

Please refer to CHANGELOG.md for details.

plugin-rsc@0.5.20

Please refer to CHANGELOG.md for details.

Changelog

Sourced from @​vitejs/plugin-rsc's changelog.

0.5.21 (2026-02-26)

Bug Fixes

• deps: update all non-major dependencies (#1115) (377cfda)
• rsc: exclude react 3rd party libs from server optimizeDeps (#1119) (580788d)

Miscellaneous Chores

• rsc: update starter-cf-single to remove serverHandler: false (#1113) (0a15886)

0.5.20 (2026-02-17)

Bug Fixes

• deps: update all non-major dependencies (#1103) (12ffadc)
• deps: update all non-major dependencies (#1110) (829b2ca)
• rsc: copy only imported css and assets from rsc environemnt to client environment (#1112) (a4572ab)

Miscellaneous Chores

• deps: update dependency @​types/react to ^19.2.13 (#1102) (a6e6502)
• deps: update dependency @​types/react to ^19.2.14 (#1108) (c35c18c)

Commits

• db9221f release: plugin-rsc@0.5.21
• 580788d fix(rsc): exclude react 3rd party libs from server optimizeDeps (#1119)
• 377cfda fix(deps): update all non-major dependencies (#1115)
• 0a15886 chore(rsc): update starter-cf-single to remove serverHandler: false (#1113)
• d11fda9 release: plugin-rsc@0.5.20
• a4572ab fix(rsc): copy only imported css and assets from rsc environemnt to client en...
• 829b2ca fix(deps): update all non-major dependencies (#1110)
• c35c18c chore(deps): update dependency @​types/react to ^19.2.14 (#1108)
• a6e6502 chore(deps): update dependency @​types/react to ^19.2.13 (#1102)
• 12ffadc fix(deps): update all non-major dependencies (#1103)
• See full diff in compare view

Updates srvx from 0.11.4 to 0.11.8

Release notes

Sourced from srvx's releases.

v0.11.8

compare changes

🩹 Fixes

• node: Validate host header (7c8c962) (thanks @​hibwyli for reporting ❤️)

v0.11.7

compare changes

🚀 Enhancements

• loader: Access to the whole intercepted srvx instance (bbf4d9d)
• loader: Allow passing custom node server to inspector (4a817ec)

💅 Refactors

• cli, loader: Pass underlying server without depending on globals (c0d9520)

v0.11.6

compare changes

🚀 Enhancements

• bunny: Add support for native waitUntil (#186)

❤️ Contributors

• Sandro Circi (@​sandros94)

v0.11.5

compare changes

🚀 Enhancements

• Expose server.waitUntil (#183)
• Add bunny adapter (#182)

❤️ Contributors

• Sandro Circi (@​sandros94)
• Rihan Arfan (@​RihanArfan)

Changelog

Sourced from srvx's changelog.

v0.11.8

compare changes

🩹 Fixes

• node: Validate host header (7c8c962)

🏡 Chore

• Update deps (b6738bd)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.11.7

compare changes

🚀 Enhancements

• loader: Access to the whole intercepted srvx instance (bbf4d9d)
• loader: Allow passing custom node server to inspector (4a817ec)

💅 Refactors

• cli, loader: Pass underlying server without depending on globals (c0d9520)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.11.6

compare changes

🚀 Enhancements

• bunny: Add support for native waitUntil (#186)

❤️ Contributors

• Sandro Circi (@​sandros94)

v0.11.5

compare changes

🚀 Enhancements

... (truncated)

Commits

• f2aa00b chore(release): v0.11.8
• 7c8c962 fix(node): validate host header
• b6738bd chore: update deps
• 6ca2676 chore(release): v0.11.7
• c0d9520 refactor(cli, loader): pass underlying server without depending on globals
• 4a817ec feat(loader): allow passing custom node server to inspector
• bbf4d9d feat(loader): access to the whole intercepted srvx instance
• 76cf8e7 chore(release): v0.11.6
• b24b4b3 refactor bunny waitUntil
• 4b03ea8 feat(bunny): add support for native waitUntil (#186)
• Additional commits viewable in compare view

Updates tsdown from 0.20.3 to 0.21.0

Release notes

Sourced from tsdown's releases.

v0.21.0 - Notable Changes

Breaking Changes

Dependency options renamed to deps namespace

The dependency-related options have been moved under a new deps namespace with clearer names:

• external -> deps.neverBundle
• noExternal -> deps.alwaysBundle
• inlineOnly -> deps.onlyAllowBundle
• skipNodeModulesBundle -> deps.skipNodeModulesBundle

Before:

export default defineConfig({
  external: ['vue'],
  noExternal: ['lodash'],
})

After:

export default defineConfig({
  deps: {
    neverBundle: ['vue'],
    alwaysBundle: ['lodash'],
  },
})

The old options still work but are deprecated and will emit warnings.

failOnWarn default changed from 'ci-only' to false

If you relied on the previous behavior where warnings would fail the build in CI environments, you now need to explicitly set failOnWarn: true or failOnWarn: 'ci-only' in your config.

Node.js < 22.18.0 deprecated

tsdown now emits a deprecation warning when running on Node.js versions below 22.18.0. Plan to upgrade your Node.js version accordingly.

New Features

Experimental Node.js SEA executable bundling (exe)

tsdown can now bundle your TypeScript project into a standalone executable using Node.js Single Executable Applications (SEA). A new @tsdown/exe package provides cross-platform executable building support. See the exe documentation for details.

export default defineConfig({
  exe: true, // or { useCodeCache: true, useSnapshot: true }
</tr></table> 

... (truncated)

Commits

• 5145496 chore: release v0.21.0
• c5db6dc refactor(exe): improve nodeVersion type
• ce7abe9 feat(exe): support latest and latest-lts for nodeVersion
• 944e92a feat: support bundling .node files by default
• 1183ad3 fix(css): remove empty js chunks (#799)
• 0aae946 chore: upgrade rolldown
• 9440739 chore: release v0.21.0-beta.5
• d8a1f5c fix: resolve css files in node_modules (#795)
• 0173c6e feat(exe)!: require Node >=25.7 and default format to esm (#798)
• 288a5f0 feat(css): default css.transformer to lightningcss (#797)
• Additional commits viewable in compare view

Updates @types/node from 25.2.3 to 25.3.5

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions