feat(deps): upgrade upstream dependencies

[Brooooooklyn]

Summary

• Automated daily upgrade of upstream dependencies.
• Bump rolldown to v1.0.0-rc.17, tsdown to 0.21.10, and @vitejs/devtools to 0.1.15.
• Re-merge the rolldown workspace into the root Cargo.toml: several rolldown crates were removed upstream, so the matching workspace entries and their now-unused transitive deps are dropped and the cargo-shear ignore list is cleared.
• Add an external filter to the tsdown bundling step in packages/core/build.ts so tsdown's runtime imports are not inlined.

Dependency updates

Package	From	To
rolldown	edec4fa	v1.0.0-rc.17 (d9d72c3)
tsdown	0.21.9	0.21.10
@vitejs/devtools	0.1.14	0.1.15

Unchanged dependencies

• vite: v8.0.9 (ce729f5)
• vitest: 4.1.5
• @oxc-node/cli: 0.1.0
• @oxc-node/core: 0.1.0
• oxfmt: 0.46.0
• oxlint: 1.61.0
• oxlint-tsgolint: 0.21.1
• @oxc-project/runtime: 0.127.0
• @oxc-project/types: 0.127.0
• oxc-minify: 0.127.0
• oxc-parser: 0.127.0
• oxc-transform: 0.127.0

Code changes

• Cargo.toml: Drop the rolldown crates removed upstream (rolldown_filter_analyzer, rolldown_plugin_vite_asset, rolldown_plugin_vite_asset_import_meta_url, rolldown_plugin_vite_css, rolldown_plugin_vite_css_post, rolldown_plugin_vite_html, rolldown_plugin_vite_html_inline_proxy) and their now-unused transitive dependencies (css-module-lexer, html5gum, prettyplease, proc-macro2, quote, string_cache, syn); empty the cargo-shear ignored list accordingly.
• packages/core/build.ts: Add an external predicate to the tsdown bundle step so imports starting with the tsdownExternal prefixes are not inlined.
• packages/core/package.json: Bump @vitejs/devtools to ^0.1.15, @tsdown/css/@tsdown/exe peer ranges to 0.21.10, and update bundledVersions for rolldown and tsdown.
• pnpm-workspace.yaml: Bump the tsdown catalog entry to ^0.21.10.
• packages/tools/.upstream-versions.json: Record the new rolldown hash.
• pnpm-lock.yaml: Regenerated to match the version bumps.

Build status

• sync-remote-and-build: failure
• build-upstream: failure

---

Note

Medium Risk
Moderate risk: bumps core build-time dependencies (rolldown, tsdown, @vitejs/devtools) and changes tsdown bundling externals, which can affect generated artifacts and runtime module resolution.

Overview
Upgrades upstream toolchain dependencies, including rolldown to 1.0.0-rc.17, tsdown to 0.21.10, and @vitejs/devtools to 0.1.15, with lockfile/workspace catalog updates.

Cleans up the Rust workspace config by dropping now-removed upstream rolldown crates and clearing the cargo-shear ignore list.

Adjusts packages/core/build.ts to mark tsdown peer dependency imports as external during the type-bundle step so those runtime imports are not inlined.

^{Reviewed by Cursor Bugbot for commit 4a2f598. Bugbot is set up for automated code reviews on this repo. Configure here.}

[netlify]

✅ Deploy Preview for viteplus-preview canceled.

Name	Link
🔨 Latest commit	fa78926
🔍 Latest deploy log	https://app.netlify.com/projects/viteplus-preview/deploys/69e989fae9d940000820a062

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​tsdown/​exe@​0.21.9 ⏵ 0.21.10				+1
	npm/​@​tsdown/​css@​0.21.9 ⏵ 0.21.10				+1
	npm/​@​vitejs/​devtools@​0.1.14 ⏵ 0.1.15	+1		+1	+1
	npm/​tsdown@​0.21.9 ⏵ 0.21.10	+1			+1

View full report

[fengmk2]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Another round soon, please!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".