deps(deps): bump the minor-updates group across 1 directory with 10 updates

[dependabot]

Bumps the minor-updates group with 10 updates in the / directory:

Package	From	To
@cloudflare/containers	0.3.2	0.3.3
alchemy	0.91.2	0.92.2
better-auth	1.6.5	1.6.6
@cloudflare/vitest-pool-workers	0.14.7	0.14.9
@cloudflare/workers-types	4.20260418.1	4.20260421.1
@tailwindcss/vite	4.2.2	4.2.4
tailwindcss	4.2.2	4.2.4
vite	8.0.8	8.0.9
vitest	4.1.4	4.1.5
wrangler	4.83.0	4.84.1

Updates @cloudflare/containers from 0.3.2 to 0.3.3

Release notes

Sourced from @​cloudflare/containers's releases.

v0.3.3

Patch Changes

• 7901d0b: Attach custom labels to your containers to help with observability and attribution. Set a labels property on your Container subclass, or pass labels in the startOptions argument to start() / startAndWaitForPorts(), and tag containers by tenant, environment, feature flag, canary cohort, or any other dimension you want to track. In local development, labels are visible on the underlying Docker container via docker inspect.

  class MyContainer extends Container {
    labels = { tenant: 'acme', env: 'prod' };
  }

Changelog

Sourced from @​cloudflare/containers's changelog.

0.3.3

Patch Changes

• 7901d0b: Attach custom labels to your containers to help with observability and attribution. Set a labels property on your Container subclass, or pass labels in the startOptions argument to start() / startAndWaitForPorts(), and tag containers by tenant, environment, feature flag, canary cohort, or any other dimension you want to track. In local development, labels are visible on the underlying Docker container via docker inspect.

  class MyContainer extends Container {
    labels = { tenant: 'acme', env: 'prod' };
  }

Commits

• 805ad73 Merge pull request #187 from cloudflare/changeset-release/main
• 9e98721 Version Packages
• 7901d0b containers: Add labels support to start options
• See full diff in compare view

Updates alchemy from 0.91.2 to 0.92.2

Release notes

Sourced from alchemy's releases.

v0.92.2

   🐞 Bug Fixes

• cloudflare: Revert miniflare version  -  by @​john-royal (bc15f)

    View changes on GitHub

v0.92.1

No significant changes

    View changes on GitHub

v0.92.0

   🚀 Features

• cloudflare: Send email binding support  -  by @​Dawsson and John Royal in alchemy-run/alchemy#1388 (de51e)

   🐞 Bug Fixes

• cloudflare: Remove agw scopes  -  by @​mattzcarey in alchemy-run/alchemy#1387 (5349d)

    View changes on GitHub

Changelog

Sourced from alchemy's changelog.

v0.92.2

   🐞 Bug Fixes

• cloudflare: Revert miniflare version  -  by John Royal (bc15f)

    View changes on GitHub

---

v0.92.1

No significant changes

    View changes on GitHub

---

v0.92.0

   🚀 Features

• cloudflare: Send email binding support  -  by Dawson and John Royal in alchemy-run/alchemy#1388 (de51e)

   🐞 Bug Fixes

• cloudflare: Remove agw scopes  -  by Matt in alchemy-run/alchemy#1387 (5349d)

    View changes on GitHub

---

Commits

• 7ad0cc9 chore(release): 0.92.2
• bc15f98 fix(cloudflare): revert miniflare version
• de8ad9c chore(release): 0.92.1
• ec35133 chore(release): 0.92.0
• de51ea3 feat(cloudflare): send email binding support (#1388)
• 5349deb fix(cloudflare): remove agw scopes (#1387)
• See full diff in compare view

Updates better-auth from 1.6.5 to 1.6.6

Release notes

Sourced from better-auth's releases.

v1.6.6

better-auth

Bug Fixes

• Fixed preservation of the Partitioned attribute when forwarding Set-Cookie headers (#9235)
• Fixed boolean coercion for the disableRefresh query parameter in custom session validation (#9214)
• Fixed incorrect inference of team additional fields in the organization plugin (#9266)
• Added support for removing a phone number via updateUser({ phoneNumber: null }) (#9219)

For detailed changes, see CHANGELOG

@better-auth/core

Features

• Added mapConcurrent, a bounded-concurrency async utility, at @better-auth/core/utils/async (#9227)

Bug Fixes

• Made @opentelemetry/api an optional peer dependency (#9111)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

• Improved performance by running secondary-storage API key lookups in parallel (#9187)

For detailed changes, see CHANGELOG

@better-auth/expo

Bug Fixes

• Fixed session loading to read cached data from SecureStore on app startup, eliminating the login screen flash for returning users (#8953)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed several SSRF vulnerabilities by unifying host classification and closing loopback bypass vectors across packages (#9226)

For detailed changes, see CHANGELOG

@better-auth/sso

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.6

Patch Changes

• #9214 4debfb6 Thanks @​ping-maxwell! - fix(custom-session): use coerced boolean for disableRefresh query param validation

• #9235 9ea7eb1 Thanks @​bytaesu! - Preserve the Partitioned attribute when the customSession plugin and framework integrations forward Set-Cookie headers.

• #9266 ab4c10f Thanks @​ping-maxwell! - fix(organization): infer team additional fields correctly

• #9219 a61083e Thanks @​bytaesu! - Allow removing a phone number with updateUser({ phoneNumber: null }). The verified flag is reset atomically. Changing to a different number still requires OTP verification through verify({ updatePhoneNumber: true }).

• #9226 e64ff72 Thanks @​gustavovalverde! - Consolidate host/IP classification behind @better-auth/core/utils/host and close several loopback/SSRF bypasses that the previous per-package regex checks missed.

  Electron user-image proxy: SSRF bypasses closed (@better-auth/electron). fetchUserImage previously gated outbound requests with a bespoke IPv4/IPv6 regex that missed multiple vectors. All of the following were reachable in production and are now blocked:

  • http://tenant.localhost/ and other *.localhost names (RFC 6761 reserves the entire TLD for loopback).
  • http://[::ffff:169.254.169.254]/ (IPv4-mapped IPv6 to AWS IMDS, the classic SSRF bypass).
  • http://metadata.google.internal/, http://metadata.goog/ (GCP instance metadata).
  • http://instance-data/, http://instance-data.ec2.internal/ (AWS IMDS alternate FQDNs).
  • http://100.100.100.200/ (Alibaba Cloud IMDS; lives in RFC 6598 shared address space 100.64/10, which the old regex did not cover).
  • http://0.0.0.0:PORT/ (the Linux/macOS kernel routes the unspecified address to loopback: Oligo's "0.0.0.0 Day").
  • http://[fc00::...]/, http://[fd00::...]/ (IPv6 ULA per RFC 4193) and IPv6 link-local fe80::/10, neither of which the regex recognized.

  Documentation ranges (RFC 5737 / RFC 3849), benchmarking (198.18/15), multicast, and broadcast are also now rejected.

  better-auth: 0.0.0.0 is no longer treated as loopback. The previous isLoopbackHost implementation in packages/better-auth/src/utils/url.ts classified 0.0.0.0 alongside 127.0.0.1 / ::1 / localhost. 0.0.0.0 is the unspecified address, not loopback; treating it as such lets browser-origin requests reach localhost-bound dev services (Oligo's "0.0.0.0 Day"). The helper now accepts the full 127.0.0.0/8 range and any *.localhost name, and rejects 0.0.0.0.

  better-auth: trusted-origin substring hardening. getTrustedOrigins previously used host.includes("localhost") || host.includes("127.0.0.1") when deciding whether to add an http:// variant for a dynamic baseURL.allowedHosts entry. Misconfigurations like evil-localhost.com or 127.0.0.1.nip.io would incorrectly gain an HTTP origin in the trust list. The check now uses the shared classifier, so only real loopback hosts get the HTTP variant.

  @better-auth/oauth-provider: RFC 8252 compliance.

  • §7.3 redirect URI matching now accepts the full 127.0.0.0/8 range (not just 127.0.0.1) plus [::1], with port-flexible comparison. Port-flexible matching is limited to IP literals; DNS names such as localhost continue to use exact-string matching per §8.3 ("NOT RECOMMENDED" for loopback).
  • validateIssuerUrl uses the shared loopback check rather than a two-hostname literal comparison.

  New module: @better-auth/core/utils/host. Exposes classifyHost, isLoopbackIP, isLoopbackHost, and isPublicRoutableHost. One RFC 6890 / RFC 6761 / RFC 8252 implementation that handles IPv4, IPv6 (including bracketed literals, zone IDs, IPv4-mapped addresses, and 6to4 / NAT64 / Teredo tunnel forms with embedded-IPv4 recursion), and FQDNs, with a curated cloud-metadata FQDN set. All bespoke loopback/private/link-local checks across the monorepo now route through it.

• Updated dependencies [b5742f9, a844c7d, e64ff72]:

  • @​better-auth/core@​1.6.6
  • @​better-auth/drizzle-adapter@​1.6.6
  • @​better-auth/kysely-adapter@​1.6.6
  • @​better-auth/memory-adapter@​1.6.6
  • @​better-auth/mongo-adapter@​1.6.6
  • @​better-auth/prisma-adapter@​1.6.6
  • @​better-auth/telemetry@​1.6.6

Commits

• 0290077 chore: release v1.6.6 (#9222)
• 9ea7eb1 fix(cookies): preserve partitioned attribute on set-cookie round-trip (#9235)
• 4debfb6 fix(custom-session): use coerced boolean for disableRefresh query param valid...
• ab4c10f fix(organization): infer team additional fields correctly (#9266)
• e64ff72 fix: unify host classification and close SSRF gaps across packages (#9226)
• a844c7d chore(core): update @opentelemetry/api dep declaration to be optional (#9111)
• a61083e fix(phone-number): allow removing phone number via updateUser (#9219)
• See full diff in compare view

Updates @cloudflare/vitest-pool-workers from 0.14.7 to 0.14.9

Release notes

Sourced from @​cloudflare/vitest-pool-workers's releases.

@​cloudflare/vitest-pool-workers@​0.14.9

Patch Changes

• Updated dependencies [8fec8b8, 2f3d7b9, a610749]:
  • miniflare@4.20260421.0
  • wrangler@4.84.1

@​cloudflare/vitest-pool-workers@​0.14.8

Patch Changes

• #13548 1aee990 Thanks @​emily-shen! - Update warning message when attempting to access exports not defined on the main worker

  Previously this referred to the SELF worker, which is now a deprecated API in the Vitest integration.

• #13607 d5d0446 Thanks @​petebacondarwin! - fix: Restore workflow binding before async cleanup in WorkflowIntrospectorHandle.dispose()

  Previously, dispose() awaited all instance abort operations before restoring the original env binding. On slower CI environments (especially Windows), this left a window where the next test could see a stale proxy, causing "Trying to mock step multiple times" errors or failed introspection. The binding is now restored synchronously before the async instance cleanup begins.

• #13007 2c3258d Thanks @​sheplu! - Reduce default log verbosity from VERBOSE to INFO

  The pool logger was previously hardcoded to VERBOSE, causing noisy debug messages on every test run (e.g. [vpw:debug] Adding compatibility flag...). Only informational, warning, and error messages are now printed by default.

  For debugging, set NODE_DEBUG=vitest-pool-workers to restore the detailed output.

• Updated dependencies [05f4443, 4a9ba90, d8c895a, b35617b, 7dc0433, 8ca78bb, b6e1351, d8314c6, b35617b, 7f50300, 4fda685, be5e6a0, e456952, 59eec63, 50bf819, cc1413a, d0a9d1c, 4eb1da9, 8ca78bb, 266c418, 6d887db, 5716d69]:

  • wrangler@4.84.0
  • miniflare@4.20260420.0

Changelog

Sourced from @​cloudflare/vitest-pool-workers's changelog.

0.14.9

Patch Changes

• Updated dependencies [8fec8b8, 2f3d7b9, a610749]:
  • miniflare@4.20260421.0
  • wrangler@4.84.1

0.14.8

Patch Changes

• #13548 1aee990 Thanks @​emily-shen! - Update warning message when attempting to access exports not defined on the main worker

  Previously this referred to the SELF worker, which is now a deprecated API in the Vitest integration.

• #13607 d5d0446 Thanks @​petebacondarwin! - fix: Restore workflow binding before async cleanup in WorkflowIntrospectorHandle.dispose()

  Previously, dispose() awaited all instance abort operations before restoring the original env binding. On slower CI environments (especially Windows), this left a window where the next test could see a stale proxy, causing "Trying to mock step multiple times" errors or failed introspection. The binding is now restored synchronously before the async instance cleanup begins.

• #13007 2c3258d Thanks @​sheplu! - Reduce default log verbosity from VERBOSE to INFO

  The pool logger was previously hardcoded to VERBOSE, causing noisy debug messages on every test run (e.g. [vpw:debug] Adding compatibility flag...). Only informational, warning, and error messages are now printed by default.

  For debugging, set NODE_DEBUG=vitest-pool-workers to restore the detailed output.

• Updated dependencies [05f4443, 4a9ba90, d8c895a, b35617b, 7dc0433, 8ca78bb, b6e1351, d8314c6, b35617b, 7f50300, 4fda685, be5e6a0, e456952, 59eec63, 50bf819, cc1413a, d0a9d1c, 4eb1da9, 8ca78bb, 266c418, 6d887db, 5716d69]:

  • wrangler@4.84.0
  • miniflare@4.20260420.0

Commits

• f138e83 Version Packages (#13608)
• fe874ac Version Packages (#13511)
• d5d0446 Fix flaky CI tests in miniflare browser and workflow fixtures (#13607)
• 2c3258d Reduce @cloudflare/vitest-pool-workers log noise (#13007)
• 1aee990 Update vitest integration recipes (#13548)
• See full diff in compare view

Updates @cloudflare/workers-types from 4.20260418.1 to 4.20260421.1

Commits

• See full diff in compare view

Updates @tailwindcss/vite from 4.2.2 to 4.2.4

Release notes

Sourced from @​tailwindcss/vite's releases.

v4.2.4

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

v4.2.3

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)
• Add .env and .env.* to default ignored content files (#19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#19858)
• Improve performance when scanning JSONL / NDJSON files (#19862)
• Support NODE_PATH environment variable in standalone CLI (#19617)

Changelog

Sourced from @​tailwindcss/vite's changelog.

[4.2.4] - 2026-04-21

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

[4.2.3] - 2026-04-20

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)
• Add .env and .env.* to default ignored content files (#19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#19858)
• Improve performance when scanning JSONL / NDJSON files (#19862)
• Support NODE_PATH environment variable in standalone CLI (#19617)

Commits

• 69ad7cc 4.2.4 (#19948)
• 685c19e Fix issue around resolving paths in @tailwindcss/vite (#19947)
• 2e3fa49 4.2.3 (#19944)
• 5cb1efd fix(vite): resolve tsconfig paths in CSS and JS resolvers (#19803)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tailwindcss/vite since your current version.

Updates tailwindcss from 4.2.2 to 4.2.4

Release notes

Sourced from tailwindcss's releases.

v4.2.4

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

v4.2.3

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)
• Add .env and .env.* to default ignored content files (#19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#19858)
• Improve performance when scanning JSONL / NDJSON files (#19862)
• Support NODE_PATH environment variable in standalone CLI (#19617)

Changelog

Sourced from tailwindcss's changelog.

[4.2.4] - 2026-04-21

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

[4.2.3] - 2026-04-20

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)
• Add .env and .env.* to default ignored content files (#19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#19858)
• Improve performance when scanning JSONL / NDJSON files (#19862)
• Support NODE_PATH environment variable in standalone CLI (#19617)

Commits

• 69ad7cc 4.2.4 (#19948)
• 2e3fa49 4.2.3 (#19944)
• df6209a Canonicalize negative arbitrary values (#19858)
• 52fd421 Small refactor of canonicalization tests (#19851)
• c385fd3 use test.each instead of manual loop
• 0d6e038 fix index in test name
• 88a2d22 Add more canonicalization rules for deprecated utilities (#19849)
• 2c1ef9e Use --placeholder-color instead of --background-color for placeholder-*...
• 28d5268 Collapse more utilities by expanding their declarations (#19842)
• b55d960 fix(canonicalize): collapse arbitrary values into shorthand utilities (#19837)
• Additional commits viewable in compare view

Updates vite from 8.0.8 to 8.0.9

Release notes

Sourced from vite's releases.

v8.0.9

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.9 (2026-04-20)

Features

• update rolldown to 1.0.0-rc.16 (#22248) (2947edd)

Bug Fixes

• allow binding when strictPort is set but wildcard port is in use (#22150) (dfc8aa5)
• build: emptyOutDir should happen for watch rebuilds (#22207) (ee52267)
• bundled-dev: reject requests to HMR patch files in non potentially trustworthy origins (#22269) (868f141)
• css: use unique key for cssEntriesMap to prevent same-basename collision (#22039) (374bb5d)
• deps: update all non-major dependencies (#22219) (4cd0d67)
• deps: update all non-major dependencies (#22268) (c28e9c1)
• detect Deno workspace root (fix #22237) (#22238) (1b793c0)
• dev: handle errors in watchChange hook (#22188) (fc08bda)
• optimizer: handle more chars that will be sanitized (#22208) (3f24533)
• skip fallback sourcemap generation for ?raw imports (#22148) (3ec9cda)

Documentation

• align the descriptions in READMEs (