chore(deps): lock file maintenance

[renovate]

This PR contains the following updates:

Update	Change
lockFileMaintenance	All locks refreshed

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: c21cd8a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[github-actions]

⚡ pkg.pr.new

@tailor-platform/sdk

pnpm add https://pkg.pr.new/@tailor-platform/sdk@c21cd8a

pnpm dlx https://pkg.pr.new/@tailor-platform/sdk@c21cd8a --help

@tailor-platform/create-sdk

pnpm add https://pkg.pr.new/@tailor-platform/create-sdk@c21cd8a

pnpm dlx https://pkg.pr.new/@tailor-platform/create-sdk@c21cd8a my-app

commit: c21cd8a

[github-actions]

Code Metrics Report (packages/sdk)

	main (f29e473)	#1119 (bfdf200)	+/-
Coverage	60.7%	60.7%	0.0%
Code to Test Ratio	1:0.4	1:0.4	0.0

Details

  |                    | main (f29e473) | #1119 (bfdf200) | +/-  |
  |--------------------|----------------|-----------------|------|
  | Coverage           |          60.7% |           60.7% | 0.0% |
  |   Files            |            357 |             357 |    0 |
  |   Lines            |          12120 |           12120 |    0 |
  |   Covered          |           7359 |            7359 |    0 |
  | Code to Test Ratio |          1:0.4 |           1:0.4 |  0.0 |
  |   Code             |          79761 |           79761 |    0 |
  |   Test             |          32753 |           32753 |    0 |

SDK Configure Bundle Size

	main (f29e473)	#1119 (bfdf200)	+/-
configure-index-size	17.78KB	17.78KB	0KB
dependency-chunks-size	33.56KB	33.56KB	0KB
total-bundle-size	51.34KB	51.34KB	0KB

Runtime Performance

	main (f29e473)	#1119 (bfdf200)	+/-
Generate Median	2,613ms	2,554ms	-59ms
Generate Max	2,782ms	2,571ms	-211ms
Apply Build Median	2,663ms	2,583ms	-80ms
Apply Build Max	2,696ms	2,632ms	-64ms

Type Performance (instantiations)

	main (f29e473)	#1119 (bfdf200)	+/-
tailordb-basic	35,130	35,130	0
tailordb-optional	3,841	3,841	0
tailordb-relation	7,428	7,428	0
tailordb-validate	2,566	2,566	0
tailordb-hooks	5,767	5,767	0
tailordb-object	12,136	12,136	0
tailordb-enum	2,462	2,462	0
resolver-basic	9,424	9,424	0
resolver-nested	26,111	26,111	0
resolver-array	18,187	18,187	0
executor-schedule	4,234	4,234	0
executor-webhook	873	873	0
executor-record	8,166	8,166	0
executor-resolver	4,369	4,369	0
executor-operation-function	869	869	0
executor-operation-gql	869	869	0
executor-operation-webhook	888	888	0
executor-operation-workflow	1,714	1,714	0

---

Reported by octocov

[claude]

🤖 Claude Dependency Review

📦 Update Summary

This is a lock file maintenance update that refreshes all dependency locks to their latest compatible versions within semver ranges. No changes to `package.json` - only `pnpm-lock.yaml` was updated.

Key Updates:

• rolldown: 1.0.0-rc.15 → 1.0.0-rc.17 (Minor - RC bump)
• vite: 8.0.8 → 8.0.10 (Patch)
• @vue/compiler-*: 3.5.32 → 3.5.33 (Patch)
• protobufjs: 8.0.1 → 8.0.3 (Patch)
• ajv: 6.14.0 → 6.15.0, added 8.20.0 (Minor/Major)
• @typescript-eslint/*: added 8.59.1 packages alongside 8.59.0 (Patch)
• detective-* packages: multiple minor/patch updates (transitive via madge)
• Various other patches: dependency-tree, enhanced-resolve, es-module-lexer, etc.

📝 Release Notes

rolldown (1.0.0-rc.15 → 1.0.0-rc.17)

🔗 Source: GitHub Releases

rc.16 (April 16, 2026):

• ✨ Added const enum cross-module inlining support
• ✨ Added module tagging system for code splitting
• 🐛 Fixed namespace member access optimization
• 🐛 Fixed circular dependency prevention in facade elimination
• 🐛 Fixed top-level await handling in module exports
• 🐛 Fixed execution ordering for transitive ESM initialization

rc.17 (April 22, 2026):

• 🐛 Resolved missing export errors between TypeScript modules
• 🐛 Fixed destructured binding collection in HMR module exports
• 🐛 Fixed external resolution handling in copy-module plugin
• 🐛 Enhanced type safety for sourcesContent definitions
• 📚 Added design documentation for module execution ordering

vite (8.0.8 → 8.0.10)

🔗 Source: CHANGELOG.md

8.0.9 (April 20, 2026):

• ⬆️ Updated rolldown to rc.16
• 🐛 Fixed port binding when strictPort is configured
• 🐛 Fixed `emptyOutDir` execution during watch mode rebuilds
• 🔒 Security: Reject HMR patch file requests from non-trustworthy origins
• 🐛 Fixed CSS entry collision issues
• 🐛 Fixed Deno workspace root detection
• 🐛 Fixed sourcemap generation for `?raw` imports

8.0.10 (April 23, 2026):

• ⬆️ Updated rolldown to rc.17
• 🐛 Fixed HMR logger output inconsistency
• 🐛 Enhanced CSS minification warnings to display filenames for `.css?inline`
• 🐛 Fixed user-defined `transform.target` settings override in optimizeDeps
• 🐛 Removed format sniffing from JavaScript module resolver

@vue/compiler-* (3.5.32 → 3.5.33)

🔗 Source: CHANGELOG.md

3.5.33 (April 22, 2026):

• 🐛 compiler-sfc: Fixed nested `:deep` selectors within pseudo-elements
• 🐛 reactivity: Fixed effect scopes properly unlinking when callbacks triggered out of sequence
• 🐛 runtime-dom: Fixed textarea resize dimensions preservation
• 🐛 teleport: Fixed moving child elements when component hasn't finished mounting
• 🐛 transition: Fixed preserving placeholders for conditional explicit default slots

protobufjs (8.0.1 → 8.0.3)

🔗 Source: GitHub Releases

8.0.2 (April 27, 2026):

• 🐛 Accept empty statements in proto definitions
• 🐛 Correct alternate comment mode line numbers
• 🐛 Correct ES6 wrapper imports in static-module output
• 🐛 Forward group end tag in lazy decode
• 🔒 Harden input handling
• 🔒 Limit depth of recursion in Reader.prototype.skipType
• 🐛 Support .cjs and .mjs extensions in pbts

8.0.3 (April 27, 2026):

• 🐛 Accept imports after declarations

ajv (6.14.0 → 6.15.0, added 8.20.0)

🔗 Source: GitHub Releases

8.20.0 (April 24, 2024):

• ✨ Added support for Node.js 22 and 24
• ⚠️ Dropped support for Node.js 16 and 21
• ✨ Introduced ES2022.RegExp support for RegExpIndicesArray

Note: Detailed release notes for v6.15.0 are not available.

🔍 Impact Analysis

rolldown is extensively used in 16 files across the SDK's bundling infrastructure:

• Query bundling: `src/cli/bundler/query/query-bundler.ts`
• Resolver bundling: `src/cli/services/resolver/bundler.ts`
• Executor bundling: `src/cli/services/executor/bundler.ts`
• Workflow bundling: `src/cli/services/workflow/bundler.ts`
• Auth bundling: `src/cli/services/auth/bundler.ts`
• Migration bundling: `src/cli/commands/tailordb/migrate/bundler.ts`
• Function bundling: `src/cli/commands/function/bundle.ts`
• Seed generation: `src/cli/commands/generate/seed/bundler.ts`
• TailorDB hooks validation: `src/cli/services/tailordb/hooks-validate-bundler.ts`
• Custom plugins: `src/cli/cache/dep-collector-plugin.ts`, `src/cli/cache/bundle-cache.ts`, `src/cli/shared/trigger-context.ts`
• Build config: `tsdown.config.ts`
• Tests: `src/cli/bundler/query/query-bundler.test.ts`, `src/cli/cache/dep-collector-plugin.test.ts`

Impact: All bundling operations benefit from the rolldown improvements, particularly:

• Better TypeScript const enum support (rc.16)
• Fixed export resolution between TS modules (rc.17)
• Improved circular dependency handling
• Better top-level await support
• Enhanced module execution ordering

madge is used in `src/cli/commands/generate/watch/index.ts` for dependency graph analysis. Benefits from updated detective-* packages (transitive dependencies).

vite, @vue/compiler-*, protobufjs, ajv: Transitive dependencies with no direct usage found in the codebase.

✅ Recommended Actions

No Breaking Changes

✅ No breaking changes identified in any updated packages.

Testing Recommendations

Given the extensive use of rolldown:

1. Run the full test suite:
   ```bash
   pnpm exec turbo run test
   ```

2. Verify build output:
   ```bash
   pnpm exec turbo run build
   pnpm exec turbo run check
   ```

3. Test key scenarios (if not already covered):

   • Query bundling (`tailor-sdk query`)
   • Resolver bundling (`tailor-sdk apply`)
   • Workflow bundling with top-level await
   • Function bundling

Benefits

• Better TypeScript support: Const enum cross-module inlining
• Improved module resolution: Fixed TS export resolution
• Enhanced reliability: Bug fixes in bundling, HMR, circular dependencies
• Security improvements: HMR security fixes (vite), input hardening (protobufjs)

---