
build(deps-dev): bump the npm-development group across 1 directory with 5 updates#22

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm-development-a6154b76b3

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 21, 2026


Bumps the npm-development group with 4 updates in the / directory: @biomejs/biome, @vercel/ncc, @vitest/coverage-v8 and fallow.

Updates @biomejs/biome from 2.4.16 to 2.5.1

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.5.1

2.5.1

Patch Changes

  • #10722 f8a303d Thanks @​denbezrukov! - Fixed CSS formatter output for comments between import media queries.

    -@import url("print.css") print,
    -/* comment */
    -screen;
    +@import url("print.css") print, /* comment */ screen;
  • #10738 9fdc560 Thanks @​JamBalaya56562! - Fixed #9899: the json and json-pretty reporters now escape backslashes in a diagnostic's location.path. Previously, paths containing backslashes (such as Windows-style paths) were emitted unescaped, producing invalid JSON.

    -    "path": "src\account\setup-passkey.tsx",
    +    "path": "src\\account\\setup-passkey.tsx",
  • #10626 5f837df Thanks @​tom-groves! - Fixed #10625: biome migrate no longer emits an invalid trailing comma when a renamed rule (such as noConsoleLog → noConsole) is the last member of its rule group. Previously this produced malformed output that aborted the migration of a strict-JSON biome.json with a parsing error.

  • #10535 c245f9d Thanks @​Mokto! - Fixed a false positive in noUnusedVariables for Svelte files where variables referenced inside {@html expr} blocks were incorrectly reported as unused.

  • #10668 a0f197e Thanks @​Netail! - The biome init command has been updated to include a more up-to-date URL to the first-party extensions page.

  • #10667 d8c3e87 Thanks @​Netail! - Fixed #10664: useErrorCause now correctly detects a shorthand property.

  • #10696 ef2373f Thanks @​ematipico! - Fixed #9566. Improved how the Biome Language Server loads multiple configuration files inside a workspace.

  • #10705 4ccb410 Thanks @​ematipico! - Fixed #10652. Biome plugins are now properly filtered when using --only and --skip flags.

  • #10669 aa0a6eb Thanks @​Netail! - Fixed #10651: useInlineScriptId now correctly trims trivia to detect if an id attribute has been set.

  • #10689 844b1be Thanks @​ematipico! - Fixed #10658. The issue was caused by the "Go-to definition" editor feature, which was enabled by default. The feature is now disabled by default. To work, the feature triggers the scanner to build the module graph. This caused memory leak issues in cases where Biome starts in the home directory to modify files.

    If you relied on this new feature, you must now turn on using the [editor settings] of the extension e.g. Zed and VSCode.

  • #10695 043fbb5 Thanks @​ematipico! - Fixed #10674. Biome now throws an error when the field level is missing from a rule option.

  • #10712 5941df2 Thanks @​Conaclos! - Improved the diagnostic and the documentation of useFlatMap.

  • #10615 23814f1 Thanks @​qwertycxz! - Improved the DX the JSON schema when it's used by certain code editors like VSCode.

  • #10688 ec69489 Thanks @​ematipico! - Fixed a bug where the Biome Daemon did not correctly shut down when the editor was closed during an in-progress operation, especially while scanning.

  • #10701 6c2e0d7 Thanks @​ematipico! - Fixed #10694. The Biome Language Server no longer prints an error when the user hovers a variable imported from node_modules.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.5.1

Patch Changes

  • #10722 f8a303d Thanks @​denbezrukov! - Fixed CSS formatter output for comments between import media queries.

    -@import url("print.css") print,
    -/* comment */
    -screen;
    +@import url("print.css") print, /* comment */ screen;
  • #10738 9fdc560 Thanks @​JamBalaya56562! - Fixed #9899: the json and json-pretty reporters now escape backslashes in a diagnostic's location.path. Previously, paths containing backslashes (such as Windows-style paths) were emitted unescaped, producing invalid JSON.

    -    "path": "src\account\setup-passkey.tsx",
    +    "path": "src\\account\\setup-passkey.tsx",
  • #10626 5f837df Thanks @​tom-groves! - Fixed #10625: biome migrate no longer emits an invalid trailing comma when a renamed rule (such as noConsoleLog → noConsole) is the last member of its rule group. Previously this produced malformed output that aborted the migration of a strict-JSON biome.json with a parsing error.

  • #10535 c245f9d Thanks @​Mokto! - Fixed a false positive in noUnusedVariables for Svelte files where variables referenced inside {@html expr} blocks were incorrectly reported as unused.

  • #10668 a0f197e Thanks @​Netail! - The biome init command has been updated to include a more up-to-date URL to the first-party extensions page.

  • #10667 d8c3e87 Thanks @​Netail! - Fixed #10664: useErrorCause now correctly detects a shorthand property.

  • #10696 ef2373f Thanks @​ematipico! - Fixed #9566. Improved how the Biome Language Server loads multiple configuration files inside a workspace.

  • #10705 4ccb410 Thanks @​ematipico! - Fixed #10652. Biome plugins are now properly filtered when using --only and --skip flags.

  • #10669 aa0a6eb Thanks @​Netail! - Fixed #10651: useInlineScriptId now correctly trims trivia to detect if an id attribute has been set.

  • #10689 844b1be Thanks @​ematipico! - Fixed #10658. The issue was caused by the "Go-to definition" editor feature, which was enabled by default. The feature is now disabled by default. To work, the feature triggers the scanner to build the module graph. This caused memory leak issues in cases where Biome starts in the home directory to modify files.

    If you relied on this new feature, you must now turn on using the [editor settings] of the extension e.g. Zed and VSCode.

  • #10695 043fbb5 Thanks @​ematipico! - Fixed #10674. Biome now throws an error when the field level is missing from a rule option.

  • #10712 5941df2 Thanks @​Conaclos! - Improved the diagnostic and the documentation of useFlatMap.

  • #10615 23814f1 Thanks @​qwertycxz! - Improved the DX the JSON schema when it's used by certain code editors like VSCode.

  • #10688 ec69489 Thanks @​ematipico! - Fixed a bug where the Biome Daemon did not correctly shut down when the editor was closed during an in-progress operation, especially while scanning.

  • #10701 6c2e0d7 Thanks @​ematipico! - Fixed #10694. The Biome Language Server no longer prints an error when the user hovers a variable imported from node_modules.

  • #10681 888515b Thanks @​Conaclos! - Fixed useExportType that reported useless details in some diagnostics.

... (truncated)

Commits

Updates @vercel/ncc from 0.38.4 to 0.44.0

Release notes

Sourced from @​vercel/ncc's releases.

0.44.0

0.44.0 (2026-06-09)

Features

0.43.0

0.43.0 (2026-06-09)

Changes

  • BREAKING CHANGE: add Node 24 and 26 support, remove 20 (#1318) (#1305)
  • switch npm releases to trusted publishing (OIDC) (#1325) (#1327) (#1328) (#1329) (#1330) (#1331) (#1332)
  • switch package management to pnpm (#1321)
  • fix predictable global cache directory in /tmp enables symlink/hijack risks (#1314)
  • reorder extension resolution to prioritise TypeScript over JSON (#1315)
  • support TypeScript 6 transpile builds (#1316)
Commits
  • 88be21f chore(deps): Bump actions/checkout from 5 to 6 (#1300)
  • 5ea625e feat: read permissions pr.yml (#1323)
  • a1ff315 feat: remove npm devDependency (#1332)
  • 9e077ab feat: add publishConfig to package.json (#1331)
  • 7290aa7 feat(ci): upgrade python and remove LLVM LTO flags from MSVC build to fix Nod...
  • a428a10 feat: publish using node@24 (#1329)
  • 3192116 feat: use canonical package repository metadata (#1328)
  • 4461a52 feat: lock semantic-release publish dependencies (#1327)
  • e00b2de feat: switch npm releases to trusted publishing (OIDC) (#1325)
  • 5f8f509 feat: delete .github/CODEOWNERS (#1324)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​vercel/ncc since your current version.


Updates @vitest/coverage-v8 from 4.1.7 to 4.1.9

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.9

🐞 Bug Fixes

View changes on GitHub

v4.1.8

   🐞 Bug Fixes

    View changes on GitHub
Commits

Updates fallow from 2.80.0 to 2.102.0

Release notes

Sourced from fallow's releases.

v2.102.0: code review brief, decision surface, and symbol-level trace

Code review for changed code

This release adds a toolkit for reviewing changed code, designed for both human reviewers and AI agents.

Review brief (fallow review, or fallow audit --brief)

A new advisory orientation mode over changed code. It runs the same dead-code + complexity + duplication analysis as fallow audit but answers "where do I look?" instead of "will CI block this?": it ALWAYS exits 0 (the verdict is carried informationally), so a reviewer or agent can read it regardless of the gate outcome. The brief renders a ranked decision surface, a weighted focus map, and change-impact context. --format is orthogonal to --brief.

Decision surface (fallow decision-surface and the decision_surface MCP tool)

Surfaces the consequential structural decisions a change embeds: a ranked, capped (3 to 5) set of coupling/boundary, public-API/contract, and dependency decisions, each framed as a judgment question with the routed expert to ask. Each decision carries an honest count of how many internal consumers it affects plus an explicit trade-off clause, so the reader sees the cost as well as the call. It is separable and cheap, advisory (always exits 0), and every decision is suppressible with // fallow-ignore. Use --base / --changed-since to pick the comparison point, exactly like fallow audit.

Symbol-level call chains (fallow trace <FILE:SYMBOL>)

Walks callers up (modules that import the symbol) and callees down (import-symbol edges plus intra-module call sites) through the module graph, bounded by --depth (default 2). Use --callers / --callees to scope the direction; both are walked by default. Best-effort and syntactic per ADR-001: resolved-vs-unresolved callees are reported honestly, never silently dropped.

fallow trace src/utils.ts:formatDate

Agent-contract walkthrough loop

For agents that review changed code, fallow audit --walkthrough-guide emits a deterministic digest (the brief, the decision surface, the review direction, the JSON schema the agent must return, and a graph-snapshot hash) built from the graph only, so PR prose is never folded in and the digest is injection-resistant. The agent produces judgment JSON and reopens with --walkthrough-file, which post-validates it against the LIVE graph: it rejects any judgment whose signal_id fallow did not emit (anti-hallucination) and refuses the whole payload as stale when the snapshot hash no longer matches. The verifier is the graph, not a second model. Both flags always exit 0.

A weighted focus map ranks changed units by review weight and collapses the de-prioritized tail by default; --show-deprioritized re-expands it (the deprioritized list is always present in --format json).

Framework health

  • Astro framework-health detection. .astro components now participate in the same health suite as Vue/Svelte/Angular/React: a reachable component rendered in no template surfaces as unrendered-component, an interface Props field read nowhere surfaces as unused-component-prop, and fallow health now scores .astro complexity. A zero-false-positive abstain ladder protects public surfaces. No new rules or severities.
  • Lit / web-component framework-health detection. A custom element registered via @customElement / customElements.define but rendered as a tag in no html template surfaces as unrendered-component, and a @state() reactive property read nowhere surfaces as unused-class-member. @property (the public attribute API) is never flagged. Gated on a lit / lit-element / @lit/reactive-element dependency.
  • Deeper React prop coverage for unused-component-prop. The React arm now harvests props from same-file typed interfaces and generic forwardRef components, not only inline destructure, while still abstaining on imported prop interfaces and exported public-API components.

Editor

  • React component intelligence. The LSP surfaces ambient React/Preact context with no new rule, finding, or severity. A code lens above each component summarizes render count, props, and hooks; a per-prop hover shows where a prop is read and passed from; a forwarded prop shows its forwarding chain. Editor-only context: fallow / audit / --format json output is unchanged.
  • VS Code: clearer tree badges, hardened health spawn, and de-duplicated diagnostics.

Security

  • LLM-call prompt-injection candidate. A new llm-call-injection category (CWE-1427) in the fallow security tainted-sink catalogue. It fires only when an untrusted source flows into the prompt/messages argument of a known LLM-call sink (a taint path into the call, not every LLM call). Like all fallow security output it is a candidate for verification, not a verified vulnerability, and never appears under bare fallow or the audit gate.

Fixed

  • Merged namespace values imported through star barrels are no longer falsely reported as unused. A value export sharing its name with an export declare namespace and consumed through export * now receives the same named-import credit as a direct import. Thanks @​TeoVezza95 for the report. (#1373)
  • VS Code now resolves the native fallow binary from platform packages when the binary is reached through a .cmd / .ps1 launcher shim on PATH, so LSP-backed diagnostics start reliably. Thanks @​ivan-palatov for the report. (#1359)
  • TanStack Router: custom routeFileIgnorePrefix is honored, so files using a configured ignore prefix are no longer flagged as dead code. Thanks @​Spiralis for the report. (#1358)
  • fallow audit base-snapshot worktree paths are unique per call, so concurrent audit runs no longer collide.
  • More precise telemetry failure classification when telemetry is enabled.
  • Vendored GitLab CI now bundles gitlab_common.sh, so fallow ci-template gitlab --vendor pipelines run without reaching out to raw.githubusercontent.com.

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.102.0] - 2026-06-23

Added

  • Code review brief (fallow review, or fallow audit --brief). A new advisory orientation mode over changed code. It runs the same dead-code + complexity + duplication analysis as fallow audit but answers "where do I look?" instead of "will CI block this?": it ALWAYS exits 0 (the verdict is carried informationally), so a reviewer or agent can read it regardless of the gate outcome. The brief renders a ranked decision surface, a weighted focus map, and change-impact context. --format is orthogonal to --brief. fallow review is an alias for fallow audit --brief.

  • fallow decision-surface command and decision_surface MCP tool. Surfaces the consequential structural decisions a change embeds (the apex of the review brief): a ranked, capped (3-5) set of coupling/boundary, public-API/contract, and dependency decisions, each framed as a judgment question with the routed expert to ask. Each decision carries an honest count of how many internal consumers it affects plus an explicit trade-off clause, so the reader sees the cost as well as the call. Separable and cheap, advisory (always exits 0), and every decision is suppressible with // fallow-ignore. Use --base / --changed-since to pick the comparison point, exactly like fallow audit.

  • fallow trace <FILE:SYMBOL> symbol-level call chains. Walks callers UP (modules that import the symbol) and callees DOWN (import-symbol edges plus intra-module call sites) through the module graph, bounded by --depth (default 2). --callers / --callees scope the direction; both are walked by default. Best-effort and syntactic per ADR-001: resolved-vs-unresolved callees are reported honestly, never silently dropped. It is its own surface, never folded into the ranked review brief.

  • Agent-contract walkthrough loop (--walkthrough-guide / --walkthrough-file). --walkthrough-guide emits a deterministic digest (the brief, the decision surface, the review direction, the JSON schema the agent must return, and a graph-snapshot hash) built from the graph only, so PR prose is never folded in and the digest is injection-resistant. --walkthrough-file ingests an agent's judgment JSON and post-validates it against the LIVE graph: it rejects any judgment whose signal_id fallow did not emit (anti-hallucination) and refuses the whole payload as stale when the echoed graph-snapshot hash no longer matches. The verifier is the graph, not a second model. Both imply the brief and always exit 0.

  • Weighted focus map with a de-prioritized escape hatch. The review brief ranks changed units by review weight and collapses the de-prioritized tail by default; --show-deprioritized re-expands the human render. The deprioritized list is always present in --format json regardless of the flag.

  • LLM-call prompt-injection candidate (fallow security). A new llm-call-injection category (CWE-1427) in the tainted-sink catalogue. It fires only when an untrusted source flows into the prompt/messages argument of a known LLM-call sink (a taint PATH into the call, not every LLM call), pinned to the distinctive LLM SDK call shapes. Like all fallow security output it is a CANDIDATE for verification, not a verified vulnerability, and never appears under bare fallow or the audit gate.

... (truncated)

Commits
  • 8a83dc0 chore: release v2.102.0
  • b5e53b5 fix(dead-code): credit merged namespace star re-export values
  • e890fbe chore(deps): bump napi from 3.9.0 to 3.9.2 (#1381)
  • 2238983 chore(deps): bump insta from 1.47.2 to 1.48.0 (#1380)
  • 4059812 chore(deps-dev): bump oxfmt from 0.54.0 to 0.55.0 (#1378)
  • 01e2813 chore(deps): bump rust-lang/crates-io-auth-action from 1.0.4 to 1.0.5 (#1375)
  • eb55b34 chore(deps-dev): bump @​tanstack/intent in /npm/fallow (#1376)
  • 7b8c570 chore(deps-dev): bump oxlint from 1.69.0 to 1.70.0 (#1377)
  • e585f05 refactor(review-app): namespace persisted state under fallow-review instead o...
  • 0ffd4ca test(unused-members): cover issue-844 typed-instance crediting at monorepo pa...
  • Additional commits viewable in compare view

Updates vitest from 4.1.7 to 4.1.9

Release notes

Sourced from vitest's releases.

v4.1.9

🐞 Bug Fixes

View changes on GitHub

v4.1.8

   🐞 Bug Fixes

    View changes on GitHub
Commits
  • a7a61e7 chore: release v4.1.9 (#10598)
  • 934b0f5 fix(pool): prevent test run hang on worker crash (#10543) [backport to v4] (#...
  • 7fb2965 fix(browser): wait for orchestrator readiness before resolving browser sessio...
  • a518019 fix: fix importOriginal with optimizer and query import [backport to v4] (#...
  • e61f2dd chore: release v4.1.8
  • e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • See full diff in compare view
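
The post-validation that the fallow release notes above describe for --walkthrough-file (reject any judgment whose signal_id was not emitted, refuse the whole payload when the graph-snapshot hash no longer matches), shown as an added JavaScript example that is not fallow's code and not part of the original comment. The graph shape, the function names and every field name except signal_id are assumptions made for the illustration.

```javascript
// Added illustration, not fallow's implementation. The graph shape and all
// field names other than signal_id are assumptions made for this example.
const { createHash } = require("node:crypto");

// Deterministic fingerprint of the module graph: edges are sorted so that
// traversal order never changes the hash.
function snapshotHash(graph) {
  const canonical = graph.edges.map((e) => `${e.from}->${e.to}`).sort().join("\n");
  return createHash("sha256").update(canonical).digest("hex");
}

// The guide is built from the graph and the emitted signals only. No PR
// title, body or comment is read here, so untrusted prose cannot reach it.
function buildGuide(graph, signals) {
  return {
    snapshot: snapshotHash(graph),
    signals: signals.map(({ signal_id, question }) => ({ signal_id, question })),
  };
}

// Validate an agent's reply against the live graph and the emitted signals.
function validateJudgments(payload, liveGraph, emittedSignals) {
  const empty = { accepted: [], rejected: [] };
  if (payload === null || typeof payload !== "object" || !Array.isArray(payload.judgments)) {
    return { status: "malformed", ...empty };
  }
  // Stale check first: a changed graph invalidates every judgment at once.
  if (payload.snapshot !== snapshotHash(liveGraph)) {
    return { status: "stale", ...empty };
  }
  const known = new Set(emittedSignals.map((s) => s.signal_id));
  const accepted = [];
  const rejected = [];
  for (const j of payload.judgments) {
    const ok = j !== null && typeof j === "object" &&
      typeof j.signal_id === "string" && known.has(j.signal_id);
    (ok ? accepted : rejected).push(j);
  }
  return { status: "ok", accepted, rejected };
}

// Constructed sample data (not taken from any real repository).
const SAMPLE_GRAPH = {
  edges: [
    { from: "src/a.ts", to: "src/utils.ts" },
    { from: "src/b.ts", to: "src/utils.ts" },
  ],
};
const SAMPLE_SIGNALS = [
  { signal_id: "coupling-1", question: "Should src/a.ts depend on src/utils.ts?" },
];

function demo() {
  const guide = buildGuide(SAMPLE_GRAPH, SAMPLE_SIGNALS);
  // Constructed agent reply: one real signal and one the tool never emitted.
  const reply = {
    snapshot: guide.snapshot,
    judgments: [
      { signal_id: "coupling-1", verdict: "accept" },
      { signal_id: "made-up-9", verdict: "accept" },
    ],
  };
  const fresh = validateJudgments(reply, SAMPLE_GRAPH, SAMPLE_SIGNALS);
  // The graph gains an edge after the guide was issued, so the same reply is stale.
  const changed = { edges: [...SAMPLE_GRAPH.edges, { from: "src/c.ts", to: "src/utils.ts" }] };
  const stale = validateJudgments(reply, changed, SAMPLE_SIGNALS);
  return { fresh, stale };
}

console.log(JSON.stringify(demo(), null, 2));
```
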

@dependabot dependabot Bot added the dependencies and javascript labels Jun 21, 2026
…th 5 updates

Bumps the npm-development group with 4 updates in the / directory: [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome), [@vercel/ncc](https://github.com/vercel/ncc), [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) and [fallow](https://github.com/fallow-rs/fallow).


Updates `@biomejs/biome` from 2.4.16 to 2.5.1
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.5.1/packages/@biomejs/biome)

Updates `@vercel/ncc` from 0.38.4 to 0.44.0
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](vercel/ncc@0.38.4...0.44.0)

Updates `@vitest/coverage-v8` from 4.1.7 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/coverage-v8)

Updates `fallow` from 2.80.0 to 2.102.0
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.80.0...v2.102.0)

Updates `vitest` from 4.1.7 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest)

---
updated-dependencies:
- dependency-name: "@biomejs/biome"
  dependency-version: 2.5.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
- dependency-name: "@vercel/ncc"
  dependency-version: 0.44.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-development
- dependency-name: fallow
  dependency-version: 2.101.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
- dependency-name: vitest
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-development-a6154b76b3 branch from e9cc636 to 5ab17ee Compare June 24, 2026 07:01

dependabot Bot commented on behalf of github Jun 24, 2026


Looks like these dependencies are no longer updatable, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 24, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm-development-a6154b76b3 branch June 24, 2026 07:17