deps(deps): Bump the build-tools group with 3 updates

[dependabot]

Bumps the build-tools group with 3 updates: @vercel/ncc, esbuild and rollup.

Updates @vercel/ncc from 0.38.3 to 0.38.4

Release notes

Sourced from @​vercel/ncc's releases.

0.38.4

0.38.4 (2025-09-18)

Bug Fixes

• cjs-build: enable evaluating import.meta in cjs build (#1236) (e72d34d), closes vercel/ncc#897 #1019

Commits

• e72d34d fix(cjs-build): enable evaluating import.meta in cjs build (#1236)
• 186af2b chore(deps): Bump amannn/action-semantic-pull-request from 5.5.3 to 6.1.1 (#1...
• 162c7d4 chore(deps): Bump actions/checkout from 4 to 5 (#1283)
• 24734b5 chore(deps): Bump cipher-base from 1.0.4 to 1.0.6 (#1280)
• 7bf44d5 chore(deps): Bump sha.js from 2.4.11 to 2.4.12 (#1281)
• 50f1851 chore(deps): Bump tmp from 0.2.3 to 0.2.4 (#1278)
• d797f1b chore(deps-dev): Bump koa from 2.16.1 to 3.0.1 (#1272)
• 9bdbd47 chore(deps): Bump pbkdf2 from 3.1.2 to 3.1.3 (#1266)
• cbfd660 chore(deps-dev): bump test deps for aws-sdk (#1263)
• d17397f chore(deps-dev): Bump axios from 1.7.7 to 1.8.2 (#1262)
• Additional commits viewable in compare view

Updates esbuild from 0.25.9 to 0.25.10

Release notes

Sourced from esbuild's releases.

v0.25.10

• Fix a panic in a minification edge case (#4287)

  This release fixes a panic due to a null pointer that could happen when esbuild inlines a doubly-nested identity function and the final result is empty. It was fixed by emitting the value undefined in this case, which avoids the panic. This case must be rare since it hasn't come up until now. Here is an example of code that previously triggered the panic (which only happened when minifying):

  function identity(x) { return x }
  identity({ y: identity(123) })

• Fix @supports nested inside pseudo-element (#4265)

  When transforming nested CSS to non-nested CSS, esbuild is supposed to filter out pseudo-elements such as ::placeholder for correctness. The CSS nesting specification says the following:

  The nesting selector cannot represent pseudo-elements (identical to the behavior of the ':is()' pseudo-class). We’d like to relax this restriction, but need to do so simultaneously for both ':is()' and '&', since they’re intentionally built on the same underlying mechanisms.

  However, it seems like this behavior is different for nested at-rules such as @supports, which do work with pseudo-elements. So this release modifies esbuild's behavior to now take that into account:

  /* Original code */
  ::placeholder {
    color: red;
    body & { color: green }
    @supports (color: blue) { color: blue }
  }
  /* Old output (with --supported:nesting=false) */
  ::placeholder {
  color: red;
  }
  body :is() {
  color: green;
  }
  @​supports (color: blue) {
  {
  color: blue;
  }
  }
  /* New output (with --supported:nesting=false) */
  ::placeholder {
  color: red;
  }
  body :is() {
  color: green;
  }
  @​supports (color: blue) {
  ::placeholder {
  color: blue;
  }

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.25.10

• Fix a panic in a minification edge case (#4287)

  This release fixes a panic due to a null pointer that could happen when esbuild inlines a doubly-nested identity function and the final result is empty. It was fixed by emitting the value undefined in this case, which avoids the panic. This case must be rare since it hasn't come up until now. Here is an example of code that previously triggered the panic (which only happened when minifying):

  function identity(x) { return x }
  identity({ y: identity(123) })

• Fix @supports nested inside pseudo-element (#4265)

  When transforming nested CSS to non-nested CSS, esbuild is supposed to filter out pseudo-elements such as ::placeholder for correctness. The CSS nesting specification says the following:

  The nesting selector cannot represent pseudo-elements (identical to the behavior of the ':is()' pseudo-class). We’d like to relax this restriction, but need to do so simultaneously for both ':is()' and '&', since they’re intentionally built on the same underlying mechanisms.

  However, it seems like this behavior is different for nested at-rules such as @supports, which do work with pseudo-elements. So this release modifies esbuild's behavior to now take that into account:

  /* Original code */
  ::placeholder {
    color: red;
    body & { color: green }
    @supports (color: blue) { color: blue }
  }
  /* Old output (with --supported:nesting=false) */
  ::placeholder {
  color: red;
  }
  body :is() {
  color: green;
  }
  @​supports (color: blue) {
  {
  color: blue;
  }
  }
  /* New output (with --supported:nesting=false) */
  ::placeholder {
  color: red;
  }
  body :is() {
  color: green;
  }
  @​supports (color: blue) {
  ::placeholder {
  color: blue;

... (truncated)

Commits

• d6b668f publish 0.25.10 to npm
• 5088c19 refactor: use strings.Builder (#4290)
• 755da31 run make update-compat-table
• a1d9c86 fix #4287: marked the wrong issue as fixed
• 73a0b2a fix #4286: minifier panic due to identity function
• 134dadf fix #4265: @supports nested inside ::pseudo
• See full diff in compare view

Updates rollup from 4.50.1 to 4.52.0

Release notes

Sourced from rollup's releases.

v4.52.0

4.52.0

2025-09-19

Features

• Add option output.onlyExplicitManualChunks to turn off merging additional dependencies into manual chunks (#6087)
• Add support for x86_64-pc-windows-gnu platform (#6110)

Pull Requests

• #6087: fix: manualChunks and non manualChunks shared dependencies are merged with the first manualChunk encountered alphabetically (@​maiieul)
• #6110: Add support x86_64-pc-windows-gnu (@​lsq, @​lukastaegert)
• #6118: Automatically remove REPL artefacts label from PRs (@​lukastaegert)

v4.51.0

4.51.0

2025-09-19

Features

• Support ROLLUP_FILE_URL_OBJ placeholder to inject file URLs into the generated code (#6108)

Bug Fixes

• Improve OpenHarmony build to work in more situations (#6115)

Pull Requests

• #6108: feat: support ROLLUP_FILE_URL_OBJ for URL object instead of string (@​guybedford, @​lukastaegert)
• #6112: Disable Cargo cache for Android (@​lukastaegert)
• #6113: fix(deps): update rust crate swc_compiler_base to v35 (@​renovate[bot])
• #6114: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6115: Disable local_dynamic_tls for OpenHarmony (@​hqzing)
• #6116: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6117: chore(deps): lock file maintenance (@​renovate[bot])

v4.50.2

4.50.2

2025-09-15

Bug Fixes

• Resolve an issue where unused destructured array pattern declarations would conflict with included variables (#6100)

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.52.0

2025-09-19

Features

• Add option output.onlyExplicitManualChunks to turn off merging additional dependencies into manual chunks (#6087)
• Add support for x86_64-pc-windows-gnu platform (#6110)

Pull Requests

• #6087: fix: manualChunks and non manualChunks shared dependencies are merged with the first manualChunk encountered alphabetically (@​maiieul)
• #6110: Add support x86_64-pc-windows-gnu (@​lsq, @​lukastaegert)
• #6118: Automatically remove REPL artefacts label from PRs (@​lukastaegert)

4.51.0

2025-09-19

Features

• Support ROLLUP_FILE_URL_OBJ placeholder to inject file URLs into the generated code (#6108)

Bug Fixes

• Improve OpenHarmony build to work in more situations (#6115)

Pull Requests

• #6108: feat: support ROLLUP_FILE_URL_OBJ for URL object instead of string (@​guybedford, @​lukastaegert)
• #6112: Disable Cargo cache for Android (@​lukastaegert)
• #6113: fix(deps): update rust crate swc_compiler_base to v35 (@​renovate[bot])
• #6114: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6115: Disable local_dynamic_tls for OpenHarmony (@​hqzing)
• #6116: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6117: chore(deps): lock file maintenance (@​renovate[bot])

4.50.2

2025-09-15

Bug Fixes

• Resolve an issue where unused destructured array pattern declarations would conflict with included variables (#6100)

Pull Requests

• #6100: Tree-shake un-included elements in array pattern (@​TrickyPi)
• #6102: chore(deps): update actions/setup-node action to v5 (@​renovate[bot])
• #6103: chore(deps): update dependency eslint-plugin-unicorn to v61 (@​renovate[bot])

... (truncated)

Commits

• 2029f63 4.52.0
• 039ba6b Fix release script for commits without GitHub authors
• 98f5d35 Automatically remove REPL artefacts label from PRs (#6118)
• 3f124ba fix: manualChunks and non manualChunks shared dependencies are merged with th...
• a0bb78c Add support x86_64-pc-windows-gnu (#6110)
• 1748736 4.51.0
• e518bde chore(deps): lock file maintenance (#6117)
• 9265955 Disable local_dynamic_tls for OpenHarmony (#6115)
• 0b8e19d fix(deps): update rust crate swc_compiler_base to v35 (#6113)
• b14f803 chore(deps): lock file maintenance minor/patch updates (#6116)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

🔗 Related Issues: #1236, #897, #1019, #1, #1283, #1280, #1281, #1278, #1272, #1266, #1263, #1262, #4287, #4265, #4290, #4286, #6087, #6110, #6118, #6108, #6115, #6112, #6113, #6114, #6116, #6117, #6100, #6102, #6103

This PR appears to reference the above issues. Consider using "fixes #issue" or "closes #issue" syntax to automatically close them when this PR is merged.

[github-actions]

⚡ Performance Analysis Results

Node.js Version	Bundle Size	Status	Change
22 (Development)	668 KB	✅	✅ OK
24 (Runtime)	668 KB	✅	✅ OK

✅ No performance regressions detected. Bundle size is within acceptable limits.

📊 Thresholds

• Excellent/Baseline: ≤ 672 KB
• Acceptable: < 700 KB
• Regression Alert: > 5% increase

Performance data updated on every commit. View detailed reports →

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.