chore(deps): update entities to latest for Node.js 24 compatibility

[kTelyakov]

close #14159

Summary

This PR fixes the Node.js 24 compatibility issue with @vue/compiler-core.

Problem

The entities package v4.5.0 uses lib/ directory for exports which causes ERR_PACKAGE_PATH_NOT_EXPORTED error in Node.js 24 due to stricter exports map resolution.

Solution

Updated entities to v5.0.0 which uses dist/ directory structure that is properly compatible with Node.js 24's exports resolution.

Changes

• Updated entities dependency from ^4.5.0 to ^5.0.0
• Changed import paths from entities/lib/decode.js to entities/dist/decode.js

Fixes #14159 14159

Summary by CodeRabbit

• Chores

  • Updated the "entities" dependency to v7.x in the compiler package; no user-facing behavior changes expected.

• Build

  • Adjusted module references and update configuration so the project now accepts updates for the "entities" package; no functional changes introduced.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Updated entities usage in packages/compiler-core: dependency bumped to ^7.0.0, imports and rollup externals changed from the internal path entities/lib/decode.js to the exported path entities/decode, and entities was removed from Renovate's ignore list. No runtime logic or public API changes.

Changes

Cohort / File(s)	Summary
Dependency update packages/compiler-core/package.json	Bumped entities dependency from ^4.5.0 to ^7.0.0.
Import / external path updates packages/compiler-core/src/parser.ts, packages/compiler-core/src/tokenizer.ts, rollup.config.js	Replaced entities/lib/decode.js references with entities/decode. No other logic changes.
Renovate config .github/renovate.json5	Removed entities from ignoreDeps (Renovate will now track updates).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Pay attention to:
  • Correct module resolution for entities/decode across Node.js versions and build environments.
  • Rollup externals/treeshake warnings after the external path change.
  • Lockfile updates and transitive dependency versions.

Poem

🐰 I hopped from lib to bright export gate,
Swapped a path, updated the crate,
Node's stricter rules I now appease,
With cleaner imports I bound the breeze,
Hop on, build fast — a carrot for fate! 🥕✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the main objective of updating the entities dependency for Node.js 24 compatibility.
Linked Issues check	✅ Passed	The PR successfully addresses all coding requirements from #14159: upgraded entities to ^7.0.0 (exceeding minimum ^5.0.0), updated all import paths from entities/lib/decode.js to entities/decode, and removed entities from ignoreDeps to allow updates.
Out of Scope Changes check	✅ Passed	All changes are directly related to resolving the Node.js 24 compatibility issue: dependency upgrade, import path updates, renovate configuration adjustment, and rollup configuration alignment.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cb60bba and 9a6640f.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• packages/compiler-core/package.json (1 hunks)

🔇 Additional comments (1)

packages/compiler-core/package.json (1)

51-51: Verify import path consistency across the codebase.

The version bump from ^4.5.0 to ^7.0.0 represents a significant jump (3 major versions). Ensure that:

1. All import statements in parser, tokenizer, and build configuration files have been updated from entities/lib/decode.js to entities/decode to match the new package exports
2. Build configuration (rollup.config.js) properly references the new import path in externals definitions
3. Ecosystem CI failures (vuetify, router, vue-macros, vue-i18n) are unrelated to this dependency update

This is critical as the new API path is required for Node.js 24 compatibility, but inconsistent imports would break the build.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[netlify]

❌ Deploy Preview for vue-sfc-playground failed. Why did it fail? →

Name	Link
🔨 Latest commit	f670c51
🔍 Latest deploy log	https://app.netlify.com/projects/vue-sfc-playground/deploys/692f94832c54db00087ff457

[netlify]

❌ Deploy Preview for vue-next-template-explorer failed. Why did it fail? →

Name	Link
🔨 Latest commit	f670c51
🔍 Latest deploy log	https://app.netlify.com/projects/vue-next-template-explorer/deploys/692f948346ce790008b6047c

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

packages/compiler-core/src/parser.ts (1)

49-49: Deep import into entities/dist/decode.js is OK for v5 but may hinder future upgrades

This path looks consistent with entities v5’s dist layout and fixes the immediate Node 24 issue. However, newer entities releases publish only . / ./decode / ./escape in their "exports" map, not ./dist/decode.js, so a future bump beyond ^5.x would likely break here with another ERR_PACKAGE_PATH_NOT_EXPORTED. Consider switching to the public subpath (entities/decode) once you’ve confirmed it’s exported in 5.0.0 as well, or at least leave a note that this import must be revisited when upgrading entities again.

Would you double‑check entities 5.0.0’s package.json exports and confirm whether ./decode is available (and whether ./dist/decode.js is explicitly exported) before locking in this path?

packages/compiler-core/src/tokenizer.ts (1)

34-39: Non‑browser decode import is correct for entities v5; watch for future exports changes

Routing DecodingMode/EntityDecoder/fromCodePoint/htmlDecodeTree through entities/dist/decode.js is consistent with the v5 layout and keeps all usage in non‑__BROWSER__ branches, so the non‑browser‑only dependency contract still holds. As with parser.ts, this is a deep import into dist/; if a later bump to entities >5 switches to only exporting ./decode / ./escape, this path will become invalid again. It’s worth planning to swap to the public entities/decode subpath once you’ve confirmed it’s exported in 5.0.0.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 25ebe3a and b6d994f.

📒 Files selected for processing (3)

• packages/compiler-core/package.json (1 hunks)
• packages/compiler-core/src/parser.ts (1 hunks)
• packages/compiler-core/src/tokenizer.ts (1 hunks)

🔇 Additional comments (1)

packages/compiler-core/package.json (1)

48-54: entities bump to ^5.0.0 aligns with the new imports; verify runtime behavior

Updating entities to ^5.0.0 matches the new dist-based imports and should address the Node 24 path-resolution issue. Since this is a major bump with a different layout, make sure the compiler-core test suite (especially entity decoding and tokenizer/parser specs) passes under Node 24 with a fresh install so we don’t miss any subtle behavior changes.

[edison1105]

Thanks for this PR, but v5.0.0 will bring #11603 back. see e9e0815

[github-actions]

Size Report

Bundles

File	Size	Gzip	Brotli
runtime-dom.global.prod.js	103 kB	39 kB	35.1 kB
vue.global.prod.js	161 kB	58.9 kB	52.6 kB

Usages

Name	Size	Gzip	Brotli
createApp (CAPI only)	47 kB	18.3 kB	16.8 kB
createApp	55.1 kB	21.4 kB	19.6 kB
createSSRApp	59.4 kB	23.2 kB	21.1 kB
defineCustomElement	60.7 kB	23.1 kB	21.1 kB
overall	69.4 kB	26.6 kB	24.3 kB

[pkg-pr-new]

Open in StackBlitz

@vue/compiler-core

npm i https://pkg.pr.new/@vue/compiler-core@14160

@vue/compiler-dom

npm i https://pkg.pr.new/@vue/compiler-dom@14160

@vue/compiler-sfc

npm i https://pkg.pr.new/@vue/compiler-sfc@14160

@vue/compiler-ssr

npm i https://pkg.pr.new/@vue/compiler-ssr@14160

@vue/reactivity

npm i https://pkg.pr.new/@vue/reactivity@14160

@vue/runtime-core

npm i https://pkg.pr.new/@vue/runtime-core@14160

@vue/runtime-dom

npm i https://pkg.pr.new/@vue/runtime-dom@14160

@vue/server-renderer

npm i https://pkg.pr.new/@vue/server-renderer@14160

@vue/shared

npm i https://pkg.pr.new/@vue/shared@14160

vue

npm i https://pkg.pr.new/vue@14160

@vue/compat

npm i https://pkg.pr.new/@vue/compat@14160

commit: 9a6640f

[edison1105]

I tested that "entities": "^6.0.0" does not cause a regression of #11603. Perhaps we can try upgrading it to 7.0.0.

[edison1105]

/ecosystem-ci run

[vue-bot]

📝 Ran ecosystem CI: Open

suite	result	latest scheduled
quasar	✅ success	✅ success
test-utils	✅ success	✅ success
radix-vue	✅ success	✅ success
pinia	✅ success	✅ success
primevue	✅ success	✅ success
vite-plugin-vue	✅ success	✅ success
vuetify	❌ failure	❌ failure
router	❌ failure	❌ failure
vue-macros	❌ failure	❌ failure
language-tools	✅ success	✅ success
vant	✅ success	✅ success
vue-i18n	❌ failure	❌ failure
vitepress	✅ success	✅ success
vueuse	✅ success	✅ success
vue-simple-compiler	✅ success	✅ success
nuxt	✅ success	✅ success

[kTelyakov]

@edison1105 Please tell me when this pull request will be merged ?