chore(deps): update dependency tsdown to ^0.20.0 by renovate[bot] · Pull Request #5766 · eggjs/egg

renovate · 2026-01-11T07:02:55Z

This PR contains the following updates:

Package	Change	Age	Confidence
tsdown (source)	`^0.18.2` → `^0.20.0`

Release Notes

rolldown/tsdown (tsdown)

`v0.20.3`

Compare Source

🐞 Bug Fixes

package: Ignore scripts when packing - by @sxzz (0b10b)

View changes on GitHub

`v0.20.2`

Compare Source

🚀 Features

Upgrade rolldown to 1.0.0-rc.3 - by @sxzz (0beea)
dep: Keep inlineOnly clean with hint message on unused - by @jycouet and @sxzz in #725 (13f1c)
pkg: Optimize attw and publint packing - by @sxzz in #736 (375cf)

🐞 Bug Fixes

Throw error when skipNodeModulesBundle and noExternal are used together - by @sxzz in #746 (656d5)
External type only packages @types/* - by @kalvenschraut (0be7c)
exports: Move import before require - by @sxzz (3027a)

View changes on GitHub

`v0.20.1`

Compare Source

🚀 Features

inline-only: Show warnings if bundled deps - by @sxzz (1e0e7)

View changes on GitHub

`v0.20.0`

Compare Source

🚨 Breaking Changes

Upgrade dts plugin, remove dts.resolve option - by @sxzz (16655)

🚀 Features

Add option to disable legacy CJS warning - by @sxzz (9fada)
Apply inlineOnly option for dts files - by @sxzz (7d89d)
Upgrade rolldown to 1.0.0-beta.60 - by @sxzz (bb3ee)
Upgrade rolldown to rc 1 - by @sxzz (1959f)
entry: Support mixed array and object entries - by @sxzz (a8083)

🐞 Bug Fixes

Optional parseEnv - by @sxzz (be1b6)
Reload config on restart - by @sxzz (1756b)
Config extensions typo - by @aryaemami59 in #722 (d2bb7)
windows: Normalize path separators in build output - by @ryuapp in #719 (c4525)

🏎 Performance

Native filter for external plugin - by @sxzz (8764e)

View changes on GitHub

`v0.19.0`

Compare Source

🚨 Breaking Changes

Rename debugLogs to debug - by @sxzz (bb4e7)
Remove deprecated silent option - by @sxzz (59015)
devtools:
- Rename debug to devtools, rename debug.devtools to devtools.ui - by @sxzz (63e6f)
exports:
- Add legacy option, remove main & module fields if pure ESM - by @sxzz (16841)
- Exclude extension name for exports.exclude - by @sxzz (53d38)
- Only auto-fill types when exports.legacy - by @lishaduck and @sxzz in #685 (7be6b)

🚀 Features

Add typeAssert util back - by @sxzz (1d385)
Generate CSS exports when css.splitting is disabled - by @jinghaihan and @sxzz in #680 (b737c)
Upgrade rolldown to 1.0.0-beta.58 - by @sxzz (48036)
Expose enableDebug - by @sxzz (2d922)
Expose resolveUserConfig - by @sxzz (c9acb)
Upgrade rolldown to 1.0.0-beta.59 - by @sxzz (d564f)
Clear console on rebuild start - by @sxzz (78efd)
migrate: Add monorepo support - by @lauigi and @sxzz in #659 (efba2)

🐞 Bug Fixes

Print blank line only when the log level is info - by @tomgao365 in #689 (96d82)
attw: Add --ignore-scripts to avoid lifecycle output - by @Doctor-wu in #661 (1c8b1)
cjs: Update version check for require ESM support - by @sxzz (beeff)

🏎 Performance

Optimize hot paths - by @sxzz (7925d)

View changes on GitHub

`v0.18.4`

Compare Source

🚀 Features

Export mergeConfig - by @sxzz (ccd17)
Warn deprecated removeNodeProtocol - by @sxzz (90cd6)
css: Add CSS code splitting support - by @jinghaihan and @sxzz in #654 (0525f)
entry: Support multiple patterns with same base - by @sxzz (cee1b)
exports: Add packageJson option - by @sxzz (6d220)

View changes on GitHub

`v0.18.3`

Compare Source

🚀 Features

Upgrade rolldown to 1.0.0-beta.57 - by @sxzz (525c0)
Add envFile & envPrefix option - by @toto6038 and @sxzz in #664 (d5493)
attw: Add ignoreRules option to filter specified rule - by @zyyv and Copilot in #665 (450b0)

🐞 Bug Fixes

Inline PackageJson type - by @sxzz (dfc43)

View changes on GitHub

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

coderabbitai · 2026-01-11T07:03:03Z

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

🔍 Trigger a full review

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

cloudflare-workers-and-pages · 2026-01-11T07:04:09Z

Deploying egg with Cloudflare Pages

Latest commit:	`51b1350`
Status:	🚫 Build failed.

View logs

codecov · 2026-01-11T07:04:38Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.56%. Comparing base (8c09d7b) to head (23d81e8).

Additional details and impacted files

@@            Coverage Diff             @@
##             next    #5766      +/-   ##
==========================================
- Coverage   87.57%   87.56%   -0.01%     
==========================================
  Files         563      563              
  Lines       10940    10940              
  Branches     1242     1242              
==========================================
- Hits         9581     9580       -1     
- Misses       1275     1276       +1     
  Partials       84       84

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

cloudflare-workers-and-pages · 2026-01-11T07:05:23Z

Deploying egg-v3 with Cloudflare Pages

Latest commit:	`51b1350`
Status:	🚫 Build failed.

View logs

socket-security · 2026-01-22T17:03:32Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Obfuscated code: npm `entities` is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → `npm/cheerio@1.1.2` → `npm/entities@4.5.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/entities@4.5.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `entities` is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → `npm/cheerio@1.1.2` → `npm/entities@6.0.1` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/entities@6.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `ioredis` is 96.0% likely obfuscated Confidence: 0.96 Location: Package overview From: plugins/redis/package.json → `npm/ioredis@5.8.1` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ioredis@5.8.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `js-beautify` is 100.0% likely obfuscated Confidence: 1.00 Location: Package overview From: pnpm-lock.yaml → `npm/js-beautify@1.15.4` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/js-beautify@1.15.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `markdown-it` is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → `npm/markdown-it@14.1.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/markdown-it@14.1.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

socket-security · 2026-02-02T20:57:40Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@types/encodeurl@1.0.3
	@types/koa-range@0.3.5
	@types/lodash.snakecase@4.1.9
	@types/sqlstring@2.3.2
	@types/destroy@1.0.3
	husky@9.1.7
	@types/fresh@0.5.3
	@types/fs-readdir-recursive@1.1.3
	@types/vary@1.1.3
	@types/parseurl@1.3.3
	@types/on-finished@2.3.5
	@types/stack-trace@0.0.33
	@types/mime-types@3.0.1
	@types/type-is@1.6.7
	@vitest/coverage-v8@4.0.15
	@types/js-beautify@1.14.3
	@types/body-parser@1.19.6
	@types/express@5.0.3
	@types/js-yaml@4.0.9
	@typescript/native-preview@7.0.0-dev.20260117.1
	@types/nunjucks@3.2.6
	@types/escape-html@1.0.4
	@types/content-type@1.1.9
	@types/common-tags@1.8.4
	egg-plugin-puml@2.4.0
	@eggjs/compressible@3.0.0
	@types/extend@3.0.4
	assert-file@1.0.0
	esbuild@0.27.0
	@types/safe-timers@1.1.2
	@types/urijs@1.19.25
	@types/mustache@4.2.6
	@types/superagent@8.1.9
See 78 more rows in the dashboard

View full report

renovate · 2026-02-04T22:02:14Z

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 73 workspace projects
.                                        |  WARN  There are cyclic workspace dependencies: /tmp/renovate/repos/github/eggjs/egg/packages/cluster, /tmp/renovate/repos/github/eggjs/egg/plugins/mock, /tmp/renovate/repos/github/eggjs/egg/packages/egg; /tmp/renovate/repos/github/eggjs/egg/tegg/core/runtime, /tmp/renovate/repos/github/eggjs/egg/tegg/core/test-util
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 3, reused 0, downloaded 0, added 0
Progress: resolved 18, reused 0, downloaded 0, added 0
Progress: resolved 19, reused 0, downloaded 0, added 0
packages/cookies                         |  WARN  deprecated keygrip@1.1.0
Progress: resolved 39, reused 0, downloaded 0, added 0
Progress: resolved 94, reused 0, downloaded 0, added 0
plugins/logrotator                       |  WARN  deprecated glob@11.0.3
Progress: resolved 169, reused 0, downloaded 0, added 0
Progress: resolved 217, reused 0, downloaded 0, added 0
 ERR_PNPM_NO_MATURE_MATCHING_VERSION  Version 0.2.27 (released 10 hours ago) of unrun does not meet the minimumReleaseAge constraint

This error happened while installing the dependencies of tsdown@0.20.3

The latest release of unrun is "0.2.27". Published at 2/4/2026 8:59:12 PM

If you need the full list of all 29 published versions run "$ pnpm view unrun versions".

If you want to install the matched version ignoring the time it was published, you can add the package name to the minimumReleaseAgeExclude setting. Read more about it: https://pnpm.io/settings#minimumreleaseageexclude

renovate bot force-pushed the renovate/tsdown-0.x branch 5 times, most recently from c8bf639 to bd46f97 Compare January 19, 2026 16:28

renovate bot force-pushed the renovate/tsdown-0.x branch from bd46f97 to 52e4031 Compare January 22, 2026 17:01

renovate bot changed the title ~~chore(deps): update dependency tsdown to ^0.19.0~~ chore(deps): update dependency tsdown to ^0.20.0 Jan 22, 2026

renovate bot force-pushed the renovate/tsdown-0.x branch from 52e4031 to 1ec65bc Compare January 23, 2026 18:10

renovate bot force-pushed the renovate/tsdown-0.x branch from 1ec65bc to 23d81e8 Compare February 2, 2026 20:56

chore(deps): update dependency tsdown to ^0.20.0

51b1350

renovate bot force-pushed the renovate/tsdown-0.x branch from 23d81e8 to 51b1350 Compare February 4, 2026 22:02

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): update dependency tsdown to ^0.20.0#5766

chore(deps): update dependency tsdown to ^0.20.0#5766
renovate[bot] wants to merge 1 commit intonextfrom
renovate/tsdown-0.x

renovate bot commented Jan 11, 2026 •

edited

Loading

Uh oh!

coderabbitai bot commented Jan 11, 2026 •

edited

Loading

Review skipped

Uh oh!

cloudflare-workers-and-pages bot commented Jan 11, 2026 •

edited

Loading

Uh oh!

codecov bot commented Jan 11, 2026 •

edited

Loading

Uh oh!

cloudflare-workers-and-pages bot commented Jan 11, 2026 •

edited

Loading

Uh oh!

socket-security bot commented Jan 22, 2026 •

edited

Loading

Uh oh!

socket-security bot commented Feb 2, 2026 •

edited

Loading

Uh oh!

renovate bot commented Feb 4, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

renovate bot commented Jan 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

🐞 Bug Fixes

🚀 Features

🐞 Bug Fixes

🚀 Features

🚨 Breaking Changes

🚀 Features

🐞 Bug Fixes

🏎 Performance

🚨 Breaking Changes

🚀 Features

🐞 Bug Fixes

🏎 Performance

🚀 Features

🚀 Features

🐞 Bug Fixes

Configuration

Uh oh!

coderabbitai bot commented Jan 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review skipped

Uh oh!

cloudflare-workers-and-pages bot commented Jan 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Deploying egg with Cloudflare Pages

Uh oh!

codecov bot commented Jan 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

cloudflare-workers-and-pages bot commented Jan 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Deploying egg-v3 with Cloudflare Pages

Uh oh!

socket-security bot commented Jan 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security bot commented Feb 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

renovate bot commented Feb 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠️ Artifact update problem

File name: pnpm-lock.yaml

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate bot commented Jan 11, 2026 •

edited

Loading

coderabbitai bot commented Jan 11, 2026 •

edited

Loading

cloudflare-workers-and-pages bot commented Jan 11, 2026 •

edited

Loading

codecov bot commented Jan 11, 2026 •

edited

Loading

cloudflare-workers-and-pages bot commented Jan 11, 2026 •

edited

Loading

socket-security bot commented Jan 22, 2026 •

edited

Loading

socket-security bot commented Feb 2, 2026 •

edited

Loading

renovate bot commented Feb 4, 2026 •

edited

Loading