Skip to content

Bump the development-dependencies group with 5 updates#21

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/development-dependencies-6914cc08e2
Open

Bump the development-dependencies group with 5 updates#21
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/development-dependencies-6914cc08e2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps the development-dependencies group with 5 updates:

Package From To
oxfmt 0.53.0 0.56.0
tsdown 0.22.1 0.22.3
vitest 4.1.8 4.1.9
@biomejs/biome 2.4.16 2.5.1
prettier 3.8.3 3.8.4

Updates oxfmt from 0.53.0 to 0.56.0

Commits
  • c4be770 release(apps): oxlint v1.71.0 && oxfmt v0.56.0 (#23707)
  • aa79b5b release(apps): oxlint v1.70.0 && oxfmt v0.55.0 (#23442)
  • 9a2788b feat(linter/unicorn): implement prefer-export-from rule (#22935)
  • 44ae845 release(apps): oxlint v1.69.0 && oxfmt v0.54.0 (#23116)
  • dadafe3 docs(oxlint, oxfmt): mention migrate skills in npm READMEs (#22965)
  • f88961a docs(oxfmt): annotate each config option with supported languages (#22953)
  • See full diff in compare view

Updates tsdown from 0.22.1 to 0.22.3

Release notes

Sourced from tsdown's releases.

v0.22.3

   🚨 Breaking Changes

   🐞 Bug Fixes

   🏎 Performance

    View changes on GitHub

v0.22.2

   🐞 Bug Fixes

    View changes on GitHub
Commits
  • 472b69e chore: release v0.22.3
  • a2eac3b feat!: drop node 24.0 - 24.10 support
  • 1ba7e12 docs: remove publicPath option from wasm plugin
  • 9f05179 perf(css): skip renderChunk when no CSS has been collected (#967)
  • 742f314 ci: switch deployment branch to release
  • 8e33975 chore: upgrade deps
  • 88900c9 ci: generate docs before void deploy (#970)
  • b587b03 ci: deploy docs to Void (#969)
  • bfc649e fix: inline CI detection
  • 15ac682 chore: release v0.22.2
  • Additional commits viewable in compare view

Updates vitest from 4.1.8 to 4.1.9

Release notes

Sourced from vitest's releases.

v4.1.9

🐞 Bug Fixes

View changes on GitHub
Commits
  • a7a61e7 chore: release v4.1.9 (#10598)
  • 934b0f5 fix(pool): prevent test run hang on worker crash (#10543) [backport to v4] (#...
  • 7fb2965 fix(browser): wait for orchestrator readiness before resolving browser sessio...
  • a518019 fix: fix importOriginal with optimizer and query import [backport to v4] (#...
  • See full diff in compare view

Updates @biomejs/biome from 2.4.16 to 2.5.1

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.5.1

2.5.1

Patch Changes

  • #10722 f8a303d Thanks @​denbezrukov! - Fixed CSS formatter output for comments between import media queries.

    -@import url("print.css") print,
    -/* comment */
    -screen;
    +@import url("print.css") print, /* comment */ screen;
  • #10738 9fdc560 Thanks @​JamBalaya56562! - Fixed #9899: the json and json-pretty reporters now escape backslashes in a diagnostic's location.path. Previously, paths containing backslashes (such as Windows-style paths) were emitted unescaped, producing invalid JSON.

    -    "path": "src\account\setup-passkey.tsx",
    +    "path": "src\\account\\setup-passkey.tsx",
  • #10626 5f837df Thanks @​tom-groves! - Fixed #10625: biome migrate no longer emits an invalid trailing comma when a renamed rule (such as noConsoleLognoConsole) is the last member of its rule group. Previously this produced malformed output that aborted the migration of a strict-JSON biome.json with a parsing error.

  • #10535 c245f9d Thanks @​Mokto! - Fixed a false positive in noUnusedVariables for Svelte files where variables referenced inside {@html expr} blocks were incorrectly reported as unused.

  • #10668 a0f197e Thanks @​Netail! - The biome init command has been updated to include a more up-to-date URL to the first-party extensions page.

  • #10667 d8c3e87 Thanks @​Netail! - Fixed #10664: useErrorCause now correctly detects a shorthand property.

  • #10696 ef2373f Thanks @​ematipico! - Fixed #9566. Improved how the Biome Language Server loads multiple configuration files inside a workspace.

  • #10705 4ccb410 Thanks @​ematipico! - Fixed #10652. Biome plugins are now properly filtered when using --only and --skip flags.

  • #10669 aa0a6eb Thanks @​Netail! - Fixed #10651: useInlineScriptId now correctly trims trivia to detect if an id attribute has been set.

  • #10689 844b1be Thanks @​ematipico! - Fixed #10658. The issue was caused by the "Go-to definition" editor feature, which was enabled by default. The feature is now disabled by default. To work, the feature triggers the scanner to build the module graph. This caused memory leak issues in cases where Biome starts in the home directory to modify files.

    If you relied on this new feature, you must now turn on using the [editor settings] of the extension e.g. Zed and VSCode.

  • #10695 043fbb5 Thanks @​ematipico! - Fixed #10674. Biome now throws an error when the field level is missing from a rule option.

  • #10712 5941df2 Thanks @​Conaclos! - Improved the diagnostic and the documentation of useFlatMap.

  • #10615 23814f1 Thanks @​qwertycxz! - Improved the DX the JSON schema when it's used by certain code editors like VSCode.

  • #10688 ec69489 Thanks @​ematipico! - Fixed a bug where the Biome Daemon did not correctly shut down when the editor was closed during an in-progress operation, especially while scanning.

  • #10701 6c2e0d7 Thanks @​ematipico! - Fixed #10694. The Biome Language Server no longer prints an error when the user hovers a variable imported from node_modules.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.5.1

Patch Changes

  • #10722 f8a303d Thanks @​denbezrukov! - Fixed CSS formatter output for comments between import media queries.

    -@import url("print.css") print,
    -/* comment */
    -screen;
    +@import url("print.css") print, /* comment */ screen;
  • #10738 9fdc560 Thanks @​JamBalaya56562! - Fixed #9899: the json and json-pretty reporters now escape backslashes in a diagnostic's location.path. Previously, paths containing backslashes (such as Windows-style paths) were emitted unescaped, producing invalid JSON.

    -    "path": "src\account\setup-passkey.tsx",
    +    "path": "src\\account\\setup-passkey.tsx",
  • #10626 5f837df Thanks @​tom-groves! - Fixed #10625: biome migrate no longer emits an invalid trailing comma when a renamed rule (such as noConsoleLognoConsole) is the last member of its rule group. Previously this produced malformed output that aborted the migration of a strict-JSON biome.json with a parsing error.

  • #10535 c245f9d Thanks @​Mokto! - Fixed a false positive in noUnusedVariables for Svelte files where variables referenced inside {@html expr} blocks were incorrectly reported as unused.

  • #10668 a0f197e Thanks @​Netail! - The biome init command has been updated to include a more up-to-date URL to the first-party extensions page.

  • #10667 d8c3e87 Thanks @​Netail! - Fixed #10664: useErrorCause now correctly detects a shorthand property.

  • #10696 ef2373f Thanks @​ematipico! - Fixed #9566. Improved how the Biome Language Server loads multiple configuration files inside a workspace.

  • #10705 4ccb410 Thanks @​ematipico! - Fixed #10652. Biome plugins are now properly filtered when using --only and --skip flags.

  • #10669 aa0a6eb Thanks @​Netail! - Fixed #10651: useInlineScriptId now correctly trims trivia to detect if an id attribute has been set.

  • #10689 844b1be Thanks @​ematipico! - Fixed #10658. The issue was caused by the "Go-to definition" editor feature, which was enabled by default. The feature is now disabled by default. To work, the feature triggers the scanner to build the module graph. This caused memory leak issues in cases where Biome starts in the home directory to modify files.

    If you relied on this new feature, you must now turn on using the [editor settings] of the extension e.g. Zed and VSCode.

  • #10695 043fbb5 Thanks @​ematipico! - Fixed #10674. Biome now throws an error when the field level is missing from a rule option.

  • #10712 5941df2 Thanks @​Conaclos! - Improved the diagnostic and the documentation of useFlatMap.

  • #10615 23814f1 Thanks @​qwertycxz! - Improved the DX the JSON schema when it's used by certain code editors like VSCode.

  • #10688 ec69489 Thanks @​ematipico! - Fixed a bug where the Biome Daemon did not correctly shut down when the editor was closed during an in-progress operation, especially while scanning.

  • #10701 6c2e0d7 Thanks @​ematipico! - Fixed #10694. The Biome Language Server no longer prints an error when the user hovers a variable imported from node_modules.

  • #10681 888515b Thanks @​Conaclos! - Fixed useExportType that reported useless details in some diagnostics.

... (truncated)

Commits

Updates prettier from 3.8.3 to 3.8.4

Release notes

Sourced from prettier's releases.

3.8.4

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.4

diff

Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (#17746 by @​byplayer)

Prettier was removing blank lines between list items and their nested sub-lists, converting loose lists into tight lists and changing their semantic meaning.

<!-- Input -->
- a


b


c

d



<!-- Prettier 3.8.3 -->

a

b


c

d



<!-- Prettier 3.8.4 -->


a

b



c

d
Commits
  • 1c6ba55 Release 3.8.4
  • 4a673dc Fix blank lines between list items and nested sub-lists being removed in Mark...
  • 074aaed Replace main branch in changelog link with tags (#19054)
  • c22a003 Bump Prettier dependency to 3.8.3
  • 07bad1f Clean changelog_unreleased
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the development-dependencies group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [oxfmt](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt) | `0.53.0` | `0.56.0` |
| [tsdown](https://github.com/rolldown/tsdown) | `0.22.1` | `0.22.3` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.8` | `4.1.9` |
| [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) | `2.4.16` | `2.5.1` |
| [prettier](https://github.com/prettier/prettier) | `3.8.3` | `3.8.4` |


Updates `oxfmt` from 0.53.0 to 0.56.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxfmt/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxfmt_v0.56.0/npm/oxfmt)

Updates `tsdown` from 0.22.1 to 0.22.3
- [Release notes](https://github.com/rolldown/tsdown/releases)
- [Commits](rolldown/tsdown@v0.22.1...v0.22.3)

Updates `vitest` from 4.1.8 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest)

Updates `@biomejs/biome` from 2.4.16 to 2.5.1
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.5.1/packages/@biomejs/biome)

Updates `prettier` from 3.8.3 to 3.8.4
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.8.3...3.8.4)

---
updated-dependencies:
- dependency-name: oxfmt
  dependency-version: 0.56.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development-dependencies
- dependency-name: tsdown
  dependency-version: 0.22.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development-dependencies
- dependency-name: vitest
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development-dependencies
- dependency-name: "@biomejs/biome"
  dependency-version: 2.5.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development-dependencies
- dependency-name: prettier
  dependency-version: 3.8.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 1, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedoxfmt@​0.56.0691008996100
Addedvitest@​4.1.9981007998100
Addedtsdown@​0.22.3981008896100
Addedprettier@​3.8.4981009799100
Added@​biomejs/​biome@​2.5.110010010099100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/vitest@4.1.9npm/tsdown@0.22.3npm/@emnapi/runtime@1.11.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm oxfmt is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.jsonnpm/oxfmt@0.56.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/oxfmt@0.56.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm oxfmt is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.jsonnpm/oxfmt@0.56.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/oxfmt@0.56.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants