chore(deps-dev): bump the npm-development group with 3 updates

[dependabot]

Bumps the npm-development group with 3 updates: file-type, rolldown and testcontainers.

Updates file-type from 21.3.2 to 22.0.1

Release notes

Sourced from file-type's releases.

v22.0.1

• Fix: Work around esbuild resolving Node-only imports ce4262f

---

sindresorhus/file-type@v22.0.0...v22.0.1

v22.0.0

Breaking

• Requires Node.js 22

• Dropped Node.js stream.Readable support from fileTypeFromStream() and fileTypeStream()

  • These now only accept a web ReadableStream. Migrate with Readable.toWeb():

  // Before
  import fs from 'node:fs';
  fileTypeFromStream(fs.createReadStream('file.mp4'));
  // After
  import fs from 'node:fs';
  import {Readable} from 'node:stream';
  fileTypeFromStream(Readable.toWeb(fs.createReadStream('file.mp4')));

• Sub-exports (e.g. file-type/core) have been removed. Import everything from file-type directly.

• The ReadableStreamWithFileType type has been removed. Use AnyWebReadableByteStreamWithFileType instead.

• Several MIME types have been corrected or normalized:

  Type	Old MIME	New MIME
  lz	application/x-lzip	application/lzip
  lnk	application/x.ms.shortcut	application/x-ms-shortcut
  Apple Alias	application/x.apple.alias	application/x-ft-apple.alias
  fbx	application/x.autodesk.fbx	application/x-ft-fbx
  Draco	application/vnd.google.draco	application/x-ft-draco

  MIME subtypes prefixed with x-ft- are custom types defined by this package (not IANA-registered).

Improvements

• Added detection for Apple iWork files: .key (Keynote), .pages (Pages), .numbers (Numbers)

Fixes

• Fixed LibreOffice OOXML files being incorrectly detected as ZIP when reading from streams

---

sindresorhus/file-type@v21.3.4...v22.0.0

... (truncated)

Commits

• 3c4b7e0 22.0.1
• ce4262f Fix: Work around esbuild resolving Node-only imports
• 2c54d06 22.0.0
• 0ba6e0b Tweaks
• 0e679c7 Remove sub-exports
• 7079af7 Tweaks
• ec77458 Add support for iWork files (.key, .pages, .numbers)
• d4a975c Fix LibreOffice OOXML files detected as ZIP in streams
• 5de64e2 Normalize MIME types we invented with x-ft- prefix
• 7a60fa9 Require Node.js 22
• Additional commits viewable in compare view

Updates rolldown from 1.1.0 to 1.1.1

Release notes

Sourced from rolldown's releases.

v1.1.1

[1.1.1] - 2026-06-11

🚀 Features

• ecmascript_utils: introduce AstFactory for AST construction (#9682) by @​hyf0
• drop no-op init calls for empty wrapped-ESM modules (#9678) by @​IWANABETHATGUY

🐛 Bug Fixes

• resolver: honor package.json#type for .jsx/.tsx extensions (#9690) (#9699) by @​IWANABETHATGUY
• hmr: report the full-reload reason for the invalidate-loop case (#9708) by @​hyf0
• explicit moduleSideEffects from a hook must take priority over the package.json#sideEffects (#9688) by @​sapphi-red
• keep the rolldown-runtime name for the standalone runtime chunk (#9685) by @​shulaoda
• lazy-barrel: request all exports for entry barrels on first encounter (#9672) by @​shulaoda
• finalizer: skip init_*() for tree-shaken wrapped ESM owners (#9669) by @​IWANABETHATGUY
• order chunk.imports by execution order (#9654) by @​chuganzy
• vite-resolve: preserve slash separators for Sass partial exports (#9546) by @​cjc0013
• cross-chunk CJS wrapper shadowed by author-local binding (#9648) by @​IWANABETHATGUY

🚜 Refactor

• precompute wrapped-ESM init metadata in generate stage (#9712) by @​IWANABETHATGUY
• ecmascript_utils: fold construction ext traits onto AstFactory and delete AstSnippet (#9702) by @​hyf0
• finalizer: finish ScopeHoistingFinalizer migration to AstFactory (#9701) by @​hyf0
• finalizer: migrate module_finalizers/mod.rs to AstFactory (#9700) by @​hyf0
• hmr: migrate hmr finalizer to AstFactory (#9695) by @​hyf0
• plugin: migrate vite_build_import_analysis to AstFactory (#9693) by @​hyf0
• scanner: migrate tweak_ast_for_scanning to AstFactory (#9683) by @​hyf0
• always split runtime module first (#9419) by @​IWANABETHATGUY

📚 Documentation

• tsconfig: correct auto-discovery resolution to match TypeScript (#9714) by @​shulaoda
• design: plan to unify all internal AST construction (#9673) by @​hyf0
• tsconfig: align reference resolution docs with TypeScript behavior (#9641) by @​shulaoda

⚡ Performance

• avoid per-module join Strings in scope-hoisting concatenation (#9645) by @​Boshen
• avoid intermediate Strings in the ESM export clause (#9644) by @​Boshen
• reuse a scratch buffer for facade namespace names in the scanner (#9642) by @​Boshen
• reuse the import-matching tracker stack across named imports (#9643) by @​Boshen
• avoid cloning the per-chunk export-items map in render_chunk_exports (#9639) by @​Boshen
• avoid CompactStr allocation in sorted-exports membership check (#9640) by @​Boshen

🧪 Testing

• add more moduleSideEffects precedence tests (#9689) by @​sapphi-red
• 9651: drop shimMissingExports from regression fixture (#9674) by @​IWANABETHATGUY

... (truncated)

Changelog

Sourced from rolldown's changelog.

[1.1.1] - 2026-06-11

🚀 Features

• ecmascript_utils: introduce AstFactory for AST construction (#9682) by @​hyf0
• drop no-op init calls for empty wrapped-ESM modules (#9678) by @​IWANABETHATGUY

🐛 Bug Fixes

• resolver: honor package.json#type for .jsx/.tsx extensions (#9690) (#9699) by @​IWANABETHATGUY
• hmr: report the full-reload reason for the invalidate-loop case (#9708) by @​hyf0
• explicit moduleSideEffects from a hook must take priority over the package.json#sideEffects (#9688) by @​sapphi-red
• keep the rolldown-runtime name for the standalone runtime chunk (#9685) by @​shulaoda
• lazy-barrel: request all exports for entry barrels on first encounter (#9672) by @​shulaoda
• finalizer: skip init_*() for tree-shaken wrapped ESM owners (#9669) by @​IWANABETHATGUY
• order chunk.imports by execution order (#9654) by @​chuganzy
• vite-resolve: preserve slash separators for Sass partial exports (#9546) by @​cjc0013
• cross-chunk CJS wrapper shadowed by author-local binding (#9648) by @​IWANABETHATGUY

🚜 Refactor

• precompute wrapped-ESM init metadata in generate stage (#9712) by @​IWANABETHATGUY
• ecmascript_utils: fold construction ext traits onto AstFactory and delete AstSnippet (#9702) by @​hyf0
• finalizer: finish ScopeHoistingFinalizer migration to AstFactory (#9701) by @​hyf0
• finalizer: migrate module_finalizers/mod.rs to AstFactory (#9700) by @​hyf0
• hmr: migrate hmr finalizer to AstFactory (#9695) by @​hyf0
• plugin: migrate vite_build_import_analysis to AstFactory (#9693) by @​hyf0
• scanner: migrate tweak_ast_for_scanning to AstFactory (#9683) by @​hyf0
• always split runtime module first (#9419) by @​IWANABETHATGUY

📚 Documentation

• tsconfig: correct auto-discovery resolution to match TypeScript (#9714) by @​shulaoda
• design: plan to unify all internal AST construction (#9673) by @​hyf0
• tsconfig: align reference resolution docs with TypeScript behavior (#9641) by @​shulaoda

⚡ Performance

• avoid per-module join Strings in scope-hoisting concatenation (#9645) by @​Boshen
• avoid intermediate Strings in the ESM export clause (#9644) by @​Boshen
• reuse a scratch buffer for facade namespace names in the scanner (#9642) by @​Boshen
• reuse the import-matching tracker stack across named imports (#9643) by @​Boshen
• avoid cloning the per-chunk export-items map in render_chunk_exports (#9639) by @​Boshen
• avoid CompactStr allocation in sorted-exports membership check (#9640) by @​Boshen

🧪 Testing

• add more moduleSideEffects precedence tests (#9689) by @​sapphi-red
• 9651: drop shimMissingExports from regression fixture (#9674) by @​IWANABETHATGUY

... (truncated)

Commits

• d7f919c release: v1.1.1 (#9718)
• d8044a6 docs(tsconfig): correct auto-discovery resolution to match TypeScript (#9714)
• 492951f test: add more moduleSideEffects precedence tests (#9689)
• 3b0b5ad fix: explicit moduleSideEffects from a hook must take priority over the `pa...
• 924620a fix: keep the rolldown-runtime name for the standalone runtime chunk (#9685)
• 811b2f9 fix(lazy-barrel): request all exports for entry barrels on first encounter (#...
• 5cfff49 chore(deps): update oxc to 0.135.0 (#9670)
• a04e9bf fix: order chunk.imports by execution order (#9654)
• 8739a75 docs(tsconfig): align reference resolution docs with TypeScript behavior (#9641)
• See full diff in compare view

Updates testcontainers from 12.0.1 to 12.0.2

Release notes

Sourced from testcontainers's releases.

v12.0.2

Changes

🐛 Bug Fixes

• Reset stateful regex log waits between matches @​cristianrgreco (#1352)
• Fix Couchbase service configuration @​cristianrgreco (#1356)
• Configure Azurite custom service ports @​cristianrgreco (#1354)
• Preserve TCP and UDP bindings for the same container port @​cristianrgreco (#1350)
• Apply custom MSSQL startup wait messages @​cristianrgreco (#1351)
• Copy Redpanda runtime assets during build @​cristianrgreco (#1357)
• Fix Redis and Valkey initial data handling @​cristianrgreco (#1355)

📦 Dependency Updates

• Bump the dependencies group across 11 directories with 10 updates @dependabot[bot] (#1362)
• Bump the dependencies group across 1 directory with 27 updates @dependabot[bot] (#1363)
• Bump the dependencies group across 11 directories with 11 updates @dependabot[bot] (#1358)
• Bump the dependencies group across 6 directories with 6 updates @dependabot[bot] (#1349)

Commits

• 549bfa5 Bump the dependencies group across 11 directories with 10 updates (#1362)
• 6e7b6c8 Bump the dependencies group across 1 directory with 27 updates (#1363)
• 4ad504f Reset stateful regex log waits between matches (#1352)
• a1b87ed Fix Couchbase service configuration (#1356)
• 84aba48 Configure Azurite custom service ports (#1354)
• 1a32238 Preserve protocol-specific port bindings when filtering (#1350)
• 3286470 Apply custom MSSQL wait messages (#1351)
• 63653c1 Bump the dependencies group across 11 directories with 11 updates (#1358)
• 7c1ca77 Copy Redpanda runtime assets during build (#1357)
• eb24aed Fix Redis and Valkey initial data handling (#1355)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	rolldown@​1.1.1
	@​types/​node@​26.0.0
	testcontainers@​12.0.2
	@​typescript/​native-preview@​7.0.0-dev.20260620.1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm yargs is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/testcontainers@12.0.2 → npm/yargs@17.7.3 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@17.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/mppx@574

commit: aebd444