build(deps-dev): bump the npm-development group with 2 updates #24

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm-development-2aa4652fcd

dependabot (bot) commented on behalf of github on Jun 28, 2026

Bumps the npm-development group with 2 updates: @types/node and fallow.

Updates @types/node from 26.0.0 to 26.0.1

Commits

Updates fallow from 2.102.0 to 2.103.0

Release notes

Sourced from fallow's releases.

v2.103.0: typed output contracts, runtime trust-output, false-positive fixes

Runtime coverage trust-output

coverage analyze --format json now mirrors the cloud runtime trust-output contract on the local report, so an agent can reproduce a verdict instead of re-deriving it:

  • Actionability + provenance. Each report carries actionable, actionability_reason, and actionability_verdict (a capture with no tracked functions is a first-class insufficient_evidence verdict, never silently read as cold), plus a provenance block (data_source, freshness_days, untracked_ratio, unresolved_ratio, stale, stale_after_days). The block is context only: it never gates a positive verdict or a confidence score.
  • Confidence discriminators. Every finding now carries a discriminators block exposing the inputs behind its verdict: tracking_state (called / never_called / untracked), invocation_ratio, the low_traffic_threshold and min_observation_volume in effect, and trace_count with meets_observation_volume.
  • Source-map upload hint. When coverage analyze --cloud cannot map runtime positions to source and built source maps exist on disk, fallow prints the exact fallow coverage upload-source-maps --dir <dir> command. Human output only; JSON consumers already get the structured coverage_unresolved warning.

All three additions are additive and backwards-compatible.

Typed output contracts

The engine, output, API, and programmatic-CLI boundaries are now explicit: typed engine results feed the CLI, LSP, NAPI, MCP, and programmatic consumers through shared contracts instead of CLI rendering being the implicit API surface.

As part of this, workspace_diagnostics is now a typed WorkspaceDiagnostic array on CheckOutput and DupesOutput (and the combined + audit envelopes), matching WorkspacesOutput. docs/output-schema.json and the generated npm / VS Code .d.ts now describe it precisely instead of as an opaque value. Thanks @​riker-wamf for flagging it (#1635).

MCP

get_blast_radius and get_importance now state the augment-not-gate rule in their tool descriptions: both return review context (caller counts, risk bands, importance scores) that must not gate a safe_to_delete decision or a confidence score. Only the three-state runtime tracking signal can issue a deletion verdict.

Changed

  • fallow dupes now ignores test and mock files by default. Duplicate-code analysis skips *.test.*, *.spec.*, __tests__, and __mocks__ paths out of the box, reducing first-run noise. Set duplicates.ignoreDefaults: false to restore the previous corpus.

Bug fixes

  • unused-component-props no longer false-flags Svelte bind:/style:/class: directive shorthands or Vue value-less v-bind same-name shorthands. A value-less directive (bind:open, style:height) or a Vue 3.4+ :open shorthand references the prop itself, and <style> v-bind(accent) references bind script/prop values into CSS. All three are now credited. Thanks @​hniedner for the report (#1641).
  • unused-store-members no longer false-flags a Pinia store member reached through indirection, including inline useFooStore().member, a store passed as a ReturnType<typeof useFooStore> param, and member usage in .ts files. Thanks @​Jerc92 and @​Ericlm for the reports (#1489, #1488).
  • unused-class-members no longer false-flags a member reached through a factory or composable return value, including when the factory's return type is inferred rather than annotated. Thanks @​Jerc92 (#1441).
  • unused-component-props no longer aborts on a spaced </template > closing tag, which previously reported every prop and emit in that SFC as unused. Thanks @​Jerc92 (#1439).
  • ignorePatterns now accepts a leading ./. Entries such as ./src/generated/** match the same files as src/generated/** (also applies to ignoreUnresolvedImports).

Full Changelog: fallow-rs/fallow@v2.102.0...v2.103.0

Changelog

Sourced from fallow's changelog.

[2.103.0] - 2026-06-28

Added

  • coverage analyze --format json now emits the runtime trust-output contract on the local report. Each report carries actionable, actionability_reason, and actionability_verdict (a capture with no tracked functions is a first-class insufficient_evidence verdict, never silently read as cold), plus a provenance block (data_source, freshness_days, untracked_ratio, unresolved_ratio, stale, stale_after_days). The block is context only: it never gates a positive verdict or a confidence score. Additive, JSON-only.

  • coverage analyze findings now carry a discriminators block. Alongside each verdict, the inputs that produced it are now legible instead of needing to be re-derived: tracking_state (called / never_called / untracked), invocation_ratio, the low_traffic_threshold and min_observation_volume in effect, and trace_count with meets_observation_volume. It makes the existing signals visible and gates nothing. Additive and backwards-compatible (omitted when absent).

  • get_blast_radius and get_importance MCP tools now state the augment-not-gate rule in their descriptions. Both return review context (caller counts, risk bands, importance scores); the descriptions now make explicit that these signals must not gate a safe_to_delete decision or a confidence score. Only the three-state runtime tracking signal (called / never_called / untracked) can issue a deletion verdict, matching the server-side enforcement.

  • coverage analyze --cloud now hints the source-map upload command when coverage is unresolved. When the cloud cannot map runtime positions to source (almost always because no source maps were uploaded for the commit) and built source maps exist on disk, fallow prints the exact fallow coverage upload-source-maps --dir <dir> command and build directory. Human output only; JSON consumers already get the structured coverage_unresolved warning in report.warnings.

Changed

  • Typed output contracts across every consumer. Engine results now feed the CLI, LSP, NAPI, MCP, and programmatic callers through shared typed contracts instead of CLI rendering being the implicit API surface. As part of this, workspace_diagnostics is now a typed WorkspaceDiagnostic array on CheckOutput and DupesOutput (and the combined and audit envelopes), matching WorkspacesOutput, so docs/output-schema.json and the generated npm / VS Code .d.ts describe it precisely instead of as an opaque value. Thanks @​riker-wamf for flagging it. (Closes #1635)

  • fallow dupes now ignores test and mock files by default. Duplicate-code

... (truncated)

Commits
  • ac68a1a chore: release v2.103.0
  • f8eb3dd refactor: consolidate engine api and output contracts
  • 5a664de feat(coverage): mirror cloud trust-output contract on local analyze report (#...
  • b006fb7 feat(coverage): confidence-discriminator contract on analyze findings (#1645)
  • c413eab feat(mcp): teach blast-radius + importance tools the F4 augment-not-gate rule...
  • 1775944 fix(vue): credit v-bind shorthand and <style> v-bind() as prop usage
  • 7dadcaa fix(svelte): credit bind:/style:/class: directive shorthands as prop usage
  • 2a34835 docs(changelog): record the #1634 cluster FP fixes
  • 400c841 test(core): pin #1441 inferred-return factory member crediting
  • 367ecaf fix(extract): credit Pinia store members through typed params (#1489 Case 2)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the npm-development group with 2 updates: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) and [fallow](https://github.com/fallow-rs/fallow).


Updates `@types/node` from 26.0.0 to 26.0.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `fallow` from 2.102.0 to 2.103.0
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.102.0...v2.103.0)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 26.0.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-development
- dependency-name: fallow
  dependency-version: 2.103.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot (bot) added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on Jun 28, 2026