deps(deps): bump the minor-and-patch group across 1 directory with 7 updates

[dependabot]

Bumps the minor-and-patch group with 7 updates in the / directory:

Package	From	To
@lucide/svelte	1.16.0	1.17.0
better-auth	1.6.11	1.6.14
@biomejs/biome	2.4.15	2.4.16
@electric-sql/pglite	0.4.5	0.5.1
@internationalized/date	3.12.1	3.12.2
knip	6.14.1	6.15.0
vite	8.0.13	8.0.16

Updates @lucide/svelte from 1.16.0 to 1.17.0

Release notes

Sourced from @​lucide/svelte's releases.

Version 1.17.0

What's Changed

• chore(lucide-vue-next|lucide-svelte|lucide-angular): Remove deprecated packages by @​ericfennis in lucide-icons/lucide#4376
• chore(repo): Update issue templates and documentation for package ren… by @​ericfennis in lucide-icons/lucide#4379
• feat(site): Adds survey overlay to website by @​ericfennis in lucide-icons/lucide#4380
• feat(site): Certificate dev links by @​ericfennis in lucide-icons/lucide#4390
• fix(icons): changed martini icon by @​jamiemlaw in lucide-icons/lucide#4335
• chore(deps): bump brace-expansion from 1.1.11 to 5.0.6 by @​dependabot[bot] in lucide-icons/lucide#4386
• chore(deps): bump @​tootallnate/once from 2.0.0 to 2.0.1 by @​dependabot[bot] in lucide-icons/lucide#4404
• chore(deps): bump devalue from 5.8.0 to 5.8.1 by @​dependabot[bot] in lucide-icons/lucide#4391
• chore(deps): bump ws from 8.18.0 to 8.20.1 by @​dependabot[bot] in lucide-icons/lucide#4392
• fix(gh-icon): limit icon size to a maximum of 256 pixels by @​jguddas in lucide-icons/lucide#4398
• chore(dependencies): Update dependencies by @​ericfennis in lucide-icons/lucide#4377
• feat(copilot): Adding copilot instructions by @​ericfennis in lucide-icons/lucide#4407
• feat(icons): add globe-check by @​Barakudum in lucide-icons/lucide#4342
• feat(metadata): Require use-cases in meta json by @​ericfennis in lucide-icons/lucide#4321
• feat(icons): added parasol icon by @​karsa-mistmere in lucide-icons/lucide#4347

Full Changelog: lucide-icons/lucide@1.16.0...1.17.0

Commits

• See full diff in compare view

Updates better-auth from 1.6.11 to 1.6.14

Release notes

Sourced from better-auth's releases.

v1.6.14

better-auth

Bug Fixes

• Fixed Google One Tap authenticating the wrong user when the presented Google account was already linked to a different local user.
• Fixed null values being rejected for optional fields in the generated database schema (#9841)
• Fixed getSessionCookie to prefer the __Secure- prefixed cookie over a non-secure leftover, preventing a stale cookie from shadowing the current session (#9806)
• Fixed redirect URI validation to work on all supported runtimes and to reject URIs containing a fragment component per RFC 6749 §3.1.2 (#9845)
• Fixed organization invitation verification to restore the normal emailed-invitation flow while enforcing stricter email verification for externally controlled or predictable invitation IDs (#9877)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SAML Single Logout leaving the user signed in due to the logout handlers matching the session by ID instead of token.

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​bytaesu, @​gustavovalverde

Full changelog: v1.6.13...v1.6.14

v1.6.13

better-auth

Features

• Added support for server-side accountInfo calls with an optional userId parameter, allowing trusted callers to read provider profiles without constructing session headers (#9813)

Bug Fixes

• Clarified that viewBackupCodes is a server-only function not accessible via HTTP in its API documentation (#9822)
• Fixed Google One Tap authenticating the wrong user when the presented Google account is already linked to a different local user, by resolving identity through the shared OAuth path
• Fixed storeStateStrategy defaulting to "cookie" instead of "database" when only secondaryStorage is configured, preventing oversized-cookie errors on platforms like AWS Lambda (#9591)
• Fixed updateUserInfoOnLink not being applied when linking accounts through the standard OAuth redirect flow (#8758)
• Fixed oidc-provider and mcp plugins accepting invalid redirect_uri schemes such as javascript: and data: (#9838)
• Fixed organization logo not accepting null, preventing users from clearing an existing logo on create and update (#9842)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.14

Patch Changes

• #9877 2d9781a Thanks @​gustavovalverde! - Restore the normal emailed-invitation flow while documenting the stricter verification posture for organization invitations.

  Client-side listUserInvitations now always requires a verified session email because it enumerates invitation IDs from session.user.email. The requireEmailVerificationOnInvitation option now controls recipient calls that carry an invitation ID (acceptInvitation, rejectInvitation, getInvitation). When unset, Better Auth keeps the emailed-invitation sign-up flow for built-in opaque invitation IDs, including the default generator or advanced.database.generateId: "uuid", and requires verified email when invitation IDs are externally controlled or predictable, such as advanced.database.generateId: "serial" / false or custom ID generation. Apps that expose invitation IDs outside the invited user's mailbox, expose organization invitation lists to members, or require stricter ownership proof should set requireEmailVerificationOnInvitation: true or require verified email before sign-in.

• #9841 5a2d642 Thanks @​bytaesu! - Optional fields (required: false) now accept null, not just omission. The generated input validation previously rejected null even though the column is nullable, so a nullable field could not be cleared by passing null.

• #9845 13abc79 Thanks @​gustavovalverde! - Harden redirect-URI validation across the OAuth provider plugins. isSafeUrlScheme and SafeUrlSchema no longer call URL.canParse, which is absent on some supported runtimes and could throw or silently disable the dangerous-scheme check. They now parse with a try/catch fallback. SafeUrlSchema also rejects redirect URIs that contain a fragment component, per RFC 6749 §3.1.2.

• #9806 9d3450a Thanks @​bytaesu! - getSessionCookie now prefers the __Secure- cookie when both it and a non-secure cookie are present, so the non-secure cookie no longer shadows the current session cookie.

• Updated dependencies [13abc79]:

  • @​better-auth/core@​1.6.14
  • @​better-auth/drizzle-adapter@​1.6.14
  • @​better-auth/kysely-adapter@​1.6.14
  • @​better-auth/memory-adapter@​1.6.14
  • @​better-auth/mongo-adapter@​1.6.14
  • @​better-auth/prisma-adapter@​1.6.14
  • @​better-auth/telemetry@​1.6.14

1.6.13

Patch Changes

• #9813 d3919dc Thanks @​gustavovalverde! - Support server-side accountInfo calls without session headers.

  auth.api.accountInfo now accepts an optional userId, so a trusted server-side caller can read a user's provider profile without constructing session headers. This mirrors getAccessToken and refreshToken. HTTP callers still require a valid session, and a session always takes precedence over a supplied userId.

  The shared "resolve the target user, then fetch a valid access token" logic behind these three endpoints now lives in one place. As part of that, a server-side call that supplies neither a session nor a userId reports USER_ID_OR_SESSION_REQUIRED (400) consistently, rather than UNAUTHORIZED on some endpoints.

• #9591 5f282bd Thanks @​Vishesh-Verma-07! - When only secondaryStorage is configured (no primary database), storeStateStrategy now defaults to "database" instead of "cookie", preventing oversized-cookie errors on platforms like AWS Lambda. The account cookie that holds OAuth tokens in database-less setups stays enabled, so getAccessToken keeps working.

• #9818 43c08a2 Thanks @​gustavovalverde! - Fix two buggy internalAdapter helpers.

  Remove findAccount(accountId). It looked accounts up by account ID alone, which is unique neither across providers nor across users, so it returned a non-deterministic match. All callers now use a user-scoped or provider-scoped lookup.

  Replace the ambiguous deleteSessions(string | string[]) with two explicit methods. deleteUserSessions(userId) revokes every session for a user, and deleteSessions(tokens) revokes sessions by token. The old single-string overload silently treated its argument as a user ID, so a caller that meant to delete one session token could instead wipe all of a user's sessions or quietly match nothing.

• #9818 43c08a2 Thanks @​gustavovalverde! - Fix Google One Tap signing in the wrong user when the presented Google account is already linked to someone else. One Tap now resolves identity through the shared OAuth path, so the user who owns the Google subject is signed in, matching the redirect and signIn.social flows. Previously it matched a local user by the token's email and used the subject only to decide linking, so a Google credential owned by one user could authenticate a different user who happened to share that email.

  /account-info now resolves the account from the signed-in user's own linked accounts and accepts an optional providerId to disambiguate when two providers issue the same account ID. A colliding account ID returns a distinct AMBIGUOUS_ACCOUNT error instead of a misleading "not found", and an account with no configured social provider returns a 400 rather than a 500.

• #9838 be32012 Thanks @​gustavovalverde! - Validate the scheme of OAuth redirect_uris in the oidc-provider and mcp plugins.

  Both plugins previously accepted any string as a redirect_uri at registration. They now reject the javascript:, data:, and vbscript: schemes, which are never valid OAuth redirect targets. The @better-auth/oauth-provider package already applied this check, so this change brings the two older plugins in line with it.

... (truncated)

Commits

• 5038d41 chore: release v1.6.14 (#9846)
• 2d9781a fix(organization): split invitation verification gates (#9877)
• 5a2d642 fix: accept null for optional fields in generated schema (#9841)
• 9d3450a fix(cookies): prefer __Secure- cookie in getSessionCookie (#9806)
• a6f38c7 chore: release v1.6.13 (#9804)
• 87c1a0c fix(organization): allow null logo on create and update (#9842)
• be32012 fix(oauth): validate redirect_uri schemes in oidc-provider and mcp (#9838)
• 9c8ded6 docs(two-factor): mark viewBackupCodes as server-only in its API comment (#...
• 43c08a2 fix(account): scope OAuth account identity and fix buggy internalAdapter help...
• 23d7cbf fix(oauth): apply updateUserInfoOnLink in OAuth callback link flow (#8758)
• Additional commits viewable in compare view

Updates @biomejs/biome from 2.4.15 to 2.4.16

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.16

2.4.16

Patch Changes

• #10329 ef764d5 Thanks @​Conaclos! - Fixed an issue where diagnostics showed an incorrect location in Astro files.

• #10363 50aa415 Thanks @​dyc3! - Fixed HTML formatting for a case where comments could cause the formatter to split up a closing tag, which would cause the resulting HTML to be syntactically invalid.

  Input:

  <span
    ><!-- 1
  --><span>a</span
    ><!-- 2
  --><span>b</span
    ><!-- 3
  --></span>

  Output:

    <span
  	  ><!-- 1
  - --> <span>a</span<!-- 2
  - --> ><span>b</span><!-- 3
  + --><span>a</span><!-- 2
  + --><span>b</span><!-- 3
    --></span
    >

• #10465 0c718da Thanks @​dfedoryshchev! - Fixed diagnostics emitted by the noUntrustedLicenses rule.

• #10358 05c2617 Thanks @​dyc3! - Fixed #10356: biome rage --linter now displays rules enabled through linter domains in the enabled rules list.

• #10300 950247c Thanks @​dyc3! - Fixed #10265: Svelte function bindings such as bind:value={get, set} are now parsed more precisely, so noCommaOperator won't emit false positives for that syntax anymore.

• #9786 e71f584 Thanks @​MeGaNeKoS! - Fixed #8480: useDestructuring now provides variableDeclarator and assignmentExpression options to control which contexts enforce destructuring, matching ESLint's prefer-destructuring configuration. Both default to {array: true, object: true}. The diagnostic for object destructuring in assignment expressions now instructs users to wrap the assignment in parentheses.

• #10425 1948b72 Thanks @​sjh9714! - Fixed #10244: The useOptionalChain rule now detects negated guard inequality chains like !foo || foo.bar !== "x".

• #10442 001f94f Thanks @​ematipico! - Fixed #10411: noMisusedPromises no longer causes a stack overflow when a nested function returns an object with shorthand properties that shadow destructured variables from an outer scope.

• #10318 9b1577f Thanks @​dyc3! - Added support for formatter.trailingCommas in overrides. This option was previously available in the top-level formatter configuration but missing from formatter overrides.

• #10319 2e37709 Thanks @​dyc3! - Fixed Vue and Svelte formatting for standalone interpolations in inline elements. Biome now preserves existing newlines in cases like:

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.16

Patch Changes

• #10329 ef764d5 Thanks @​Conaclos! - Fixed an issue where diagnostics showed an incorrect location in Astro files.

• #10363 50aa415 Thanks @​dyc3! - Fixed HTML formatting for a case where comments could cause the formatter to split up a closing tag, which would cause the resulting HTML to be syntactically invalid.

  Input:

  <span
    ><!-- 1
  --><span>a</span
    ><!-- 2
  --><span>b</span
    ><!-- 3
  --></span>

  Output:

    <span
  	  ><!-- 1
  - --> <span>a</span<!-- 2
  - --> ><span>b</span><!-- 3
  + --><span>a</span><!-- 2
  + --><span>b</span><!-- 3
    --></span
    >

• #10465 0c718da Thanks @​dfedoryshchev! - Fixed diagnostics emitted by the noUntrustedLicenses rule.

• #10358 05c2617 Thanks @​dyc3! - Fixed #10356: biome rage --linter now displays rules enabled through linter domains in the enabled rules list.

• #10300 950247c Thanks @​dyc3! - Fixed #10265: Svelte function bindings such as bind:value={get, set} are now parsed more precisely, so noCommaOperator won't emit false positives for that syntax anymore.

• #9786 e71f584 Thanks @​MeGaNeKoS! - Fixed #8480: useDestructuring now provides variableDeclarator and assignmentExpression options to control which contexts enforce destructuring, matching ESLint's prefer-destructuring configuration. Both default to {array: true, object: true}. The diagnostic for object destructuring in assignment expressions now instructs users to wrap the assignment in parentheses.

• #10425 1948b72 Thanks @​sjh9714! - Fixed #10244: The useOptionalChain rule now detects negated guard inequality chains like !foo || foo.bar !== "x".

• #10442 001f94f Thanks @​ematipico! - Fixed #10411: noMisusedPromises no longer causes a stack overflow when a nested function returns an object with shorthand properties that shadow destructured variables from an outer scope.

• #10318 9b1577f Thanks @​dyc3! - Added support for formatter.trailingCommas in overrides. This option was previously available in the top-level formatter configuration but missing from formatter overrides.

• #10319 2e37709 Thanks @​dyc3! - Fixed Vue and Svelte formatting for standalone interpolations in inline elements. Biome now preserves existing newlines in cases like:

... (truncated)

Commits

• 5f4ea56 ci: release (#10326)
• de2a33c fix(core): regression in emitted types (#10478)
• d835303 docs: remove redundant default phrase in useConsistentObjectDefinitions rul...
• 4f1aaf2 fix: incorrect build when using build or test (#10426)
• dc73b6b refactor: make plugins opt-in via feature gate (#10418)
• e71f584 feat(useDestructuring): add options for assignment/declaration and improve di...
• 9b1577f fix(config): support trailingCommas in overrides (#10318)
• See full diff in compare view

Updates @electric-sql/pglite from 0.4.5 to 0.5.1

Release notes

Sourced from @​electric-sql/pglite's releases.

@​electric-sql/pglite@​0.5.1

Patch Changes

• 930e2d0: fix PGlite version; redeploy external extensions

@​electric-sql/pglite-prepopulatedfs@​0.5.1

Patch Changes

• Updated dependencies [930e2d0]
  • @​electric-sql/pglite@​0.5.1

@​electric-sql/pglite@​0.5.0

Minor Changes

• 93d50aa: Upgrade to Postgres 18.3; move other extensions to their own npm packages;

Changelog

Sourced from @​electric-sql/pglite's changelog.

0.5.1

Patch Changes

• 930e2d0: fix PGlite version; redeploy external extensions

0.5.0

Minor Changes

• 93d50aa: Upgrade to Postgres 18.3; move other extensions to their own npm packages;

0.4.6

Patch Changes

• 2aa4d1a: Allow parsing of nulls in arrays #997
• 2095d4e: Add ICU support.
• e937669: Restore process.exitCode
• 54ed6dc: new API method copyToFs() and new param postgresqlconf
• 817d073: restore exit code

Commits

• 4244a3e Version Packages (#1015)
• 1c517da Fix release (#1013)
• 01f00c5 chore: publish new package versions (#1011)
• 93d50aa PGlite on Postgres 18.3 (#984)
• 657171e Update Postgres source links to newer repo (#1006)
• d964ace Version Packages (#981)
• 54ed6dc Allow copy to FS, useful for allowing postgresql.conf (#1000)
• 2095d4e ICU support (new) (#933)
• 2aa4d1a Parse nulls in arrays (#998)
• e08e501 Faster basic tests (#999)
• Additional commits viewable in compare view

Updates @internationalized/date from 3.12.1 to 3.12.2

Release notes

Sourced from @​internationalized/date's releases.

React Spectrum S2 v1.4.0

This release brings long awaited drag and drop support to ListView, TableView, and TreeView! TableView now also supports highlight selection and a new TableFooter component. Form components such as ComboBox and TextField now allow custom prefixes, and the new LabeledValue can be used to display non-editable values. In addition, description and error messages can be configured for Checkbox, Radio, and Switch. Last but not least, Calendar now supports multiple date selection.

Full Release Notes

React Spectrum S2 v1.3.0

In this release we are excited to announce support for expandable rows in TableView, highlight selection in TreeView, and window scrolling in collection components! Window scrolling enables virtualized collections to automatically scroll with the rest of the page – no height needed. In addition, we've updated the set of available workflow icons, and reduced the number of dependencies installed when using S2 by over 90% – see the full release notes for details.

To help assist with migrations from S1 to S2, we've added a new end to end migration Agent skill that you can use with your agent of choice. Our existing S2 Agent skill has also been updated to greatly improve its ability to select the proper S2 component to use from context, so be sure to update.

Full release notes

React Spectrum S2 v1.2.0

In this release, we are excited to announce that ListView and unavailable menu items are now available! In addition, we have added ActionBar support for TreeView and custom renderer support for the Picker's display value. We also shipped multiple TableView fixes and a set of documentation improvements including a Typography search view now available in the main search menu.

Thanks to all of our contributors for the updates in this release.

Full release notes

React Spectrum S2 v1.1.0

It’s our first release of the new year and we’ve got plenty of exciting treats we’re bringing to the table. We’ve added a variety of new features to our documentation site including a new dark/light mode switch in the site header. Our search menu also now features a Colors section where you can browse the Spectrum-defined colors and search by name or hex value to find close or exact matches. We also now offer our docs in the form of Agent Skills that can be installed locally and used by your favorite AI coding tools.

This release also includes several bugs fixes, such as properly rendering menus when rendered from within a popover and updates to TreeView disabledBehavior styling to match the latest designs.

Full Release Notes

Commits

• 791377f Publish
• 7840603 chore: update test util page badges (#10123)
• 2cea5b5 chore: update circleci resource classes (#10119)
• 83e5b53 chore: Omit calendar features from v3 (#10122)
• 2c18eb6 fix: Custom 454 Calendar month (#10115)
• ed9170f fix: ensure Tableview and ListView render their dividers and borders with the...
• 6206fc3 chore: Only export DragPreview from useDragAndDrop subpath (#10114)
• 8e4498f docs: add api section with slots to DragPreview (#10113)
• 719ebb2 fix: optimize locales not tree-shaking react-stately intl messages (#10111)
• 3547c08 fix: stabilise our flaky CI jobs (#10106)
• Additional commits viewable in compare view

Updates knip from 6.14.1 to 6.15.0

Release notes

Sourced from knip's releases.

Release 6.15.0

• Report exported type used only in inferred-return function body (resolve #1765) (2413408753f7abc7a9dfdba520990afd18c53ee0)
• Work that EXPORTS.md again (7e13451fab7ad85362fb63a4715ea450690aedef)
• Update npmx ecosystem snapshot (dfc401145a880f156c66eb83ea1622a99540304a)
• Link dependencies key with notes (closes #1764) (e3e66cea9e946558940bf8705129efea3f23b3ba)
• Resolve tsconfig paths when loading plugin configs (#1762) (0177c7466559e2ae99b5e1cd1e3a8043ca494edc) - thanks @​jakeleventhal!
• Avoid caching failed plugin config loads (#1768) (5e201cde9b1ba2568ead2ae790ab888c966828ae) - thanks @​jakeleventhal!
• Resolve extensionless .sass imports in SCSS compiler (#1770) (30c22835383b2355787cc2a871b22de80ff75544) - thanks @​sebacardello!
• fix(vite): detect inline module script entry points in index.html (#1772) (51f4eddc9e1b2fed1ba25e81fc596e9fb514ce01) - thanks @​lucas-spin!
• Harden vite inline module script import detection (b8abcfd2f4f5486aea08a934514bc55de86be030)
• Use RecordableHistogram for timerified function stats (d575c6905704af1b0b4620edd874fc09bc86ed28)
• Add orval plugin (resolves #1751) (4c82aa82c2a02fbda27a316389f210d11621f8cb)
• Add treatTagHintsAsErrors and --no-tag-hints (resolves #1767) (4b6a573e0c1e0daf65c76c32f7336ea71db6bb64)
• Add nano-spawn plugin (resolves #1769) (b2cad06dfd9958485537c5545c6c497fc8823ac3)
• Simplify glob cache validation and ignore-list assembly (df1a9603a5ea8ed7bad9588bf13672cedf37c90e)
• Dedupe ignore-pattern collection and dependency fixing (d49b626ad6736d7123d44568ef8c42a3e1d28aa3)
• Simplify installed-binaries collection in manifest metadata (55143941eebbc8dac12c79b77c1f65a8b61dfbef)
• Flatten control flow in ConfigurationChief (010d5709b0f9a3adc5ebe6e7169b9f5c4f29abc5)
• Inline trivial installed-binaries and types-included accessors (b5afb9f29e3474eee4bf276c1de83cb0682a5663)
• Format (eb4b178d5d90a719cdc576d644766f8f95a47876)
• Replace @​wdio/types dev dep with inline types (a3747d61ee0e594854e5da0ca6cb7597e0096b99)
• Bump dependencies (822ab3905cb7b5a216404231607a7820105930a2)
• Work AGENTS.md, etcetera (361bd4803934a01e01b08170565f8374e4e49eb2)
• Remove rootDirs workaround resolved by oxc-resolver 11.20.0 (e190a9fec22db41975cf9568a31970a05c86e66b)
• Add nuxt no-root-tsconfig fixture guarding alias resolution (e3e5bc94d5f7b6ffdbc89b18d7c8d5acbb5a9008)
• Allow extra args for release-it (f9c59952fa2c8c4c13bd42edc0935610900d1980)
• Add @​vercel as platinum sponsor (c4c06a9149c986680f0d1aa74b57a46ff1f88601)
• Overhaul & improve --trace functionailty (60df0b05f364c8d841c0f784a06bab2a3215a32f)
• Re-gen plugins.md (0f9d044d312053154498a562e3a9422a4f44afe6)

Release 6.14.2

• Fix vscode-knip build: pin native oxc bindings to bundled JS version (1b45a4103312c9c059560ae2e1eac25d86b4e2ac)
• Release vscode-knip@2.1.5 (328892eb04e65b4702e1ef2303db3156b8f2e1a3)
• Fix Astro plugin to support both possible middleware entry points (#1749) (33e0cc1a530a8cf5b6b05c8b3a3ca55f8fce8a75) - thanks @​schmalz-dmi!
• Fix LICENSE link (#1760) (829620f9077ddea086a610c279c7c1250dd66e11) - thanks @​vortispy!
• Fix GraphQL Codegen script config dependencies (#1756) (e841c6355e7eff240e74010bfd2be8bbb22ff2b6) - thanks @​jakeleventhal!
• Set pnpm config via env vars, disable verify-deps in ecosystem tests (53c12248cc3e79fd79f3efde691d463fc795c40f)
• Update slonik ecosystem snapshot (f18410b34c8554364a9f003660bebae5e826de57)
• Fix Serverless TypeScript plugin dependencies (#1757) (ebde7f8f3e3004db7f51fb5d60a0bdc2452116ef) - thanks @​jakeleventhal!
• Fix extended tsconfig type dependency attribution (#1758) (f600b09e562317a37844ed8cdf1b9b46e06c9405) - thanks @​jakeleventhal!
• Fix Bun binary dependency tracking (#1759) (1b289239f35ff2912195b7e39a96c667c54c1fc5) - thanks @​jakeleventhal!
• Detect Babel plugins/presets in Vite plugin options (resolve #1761) (2753d6910743a12a207fca81cb8325c00803963a)

Commits

• 3f3769e Release knip@6.15.0
• 60df0b0 Overhaul & improve --trace functionailty
• e3e5bc9 Add nuxt no-root-tsconfig fixture guarding alias resolution
• e190a9f Remove rootDirs workaround resolved by oxc-resolver 11.20.0
• 822ab39 Bump dependencies
• a3747d6 Replace @​wdio/types dev dep with inline types
• eb4b178 Format
• b5afb9f Inline trivial installed-binaries and types-included accessors
• 010d570 Flatten control flow in ConfigurationChief
• 5514394 Simplify installed-binaries collection in manifest metadata
• Additional commits viewable in compare view

Updates vite from 8.0.13 to 8.0.16

Release notes

Sourced from vite's releases.

v8.0.16

Please refer to CHANGELOG.md for details.

v8.0.15

Please refer to CHANGELOG.md for details.

v8.0.14

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.16 (2026-06-01)

Bug Fixes

• deps: reject UNC paths for launch-editor-middleware (#22571) (50b9512)
• reject windows alternate paths (#22572) (dc245c7)

8.0.15 (2026-06-01)

Features

• send 408 on request timeout (#22476) (c85c9ee)
• update rolldown to 1.0.3 (#22538) (646dbed)

Bug Fixes

• capitalize error messages and remove spurious space in parse error (#22488) (85a0eff)
• deps: update all non-major dependencies (#22511) (2686d7d)
• dev: fix html-proxy cache key mismatch for /@fs/ HTML paths (#21762) (47c4213)
• glob: error on relative glob in virtual module when no files match (#22497) (5c8e98f)
• optimizer: close the rolldown bundle when write() rejects (#22528) (e3cfb9d)
• resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#22509) (40985f1)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22566) (3052a67)

Code Refactoring

• correct logic in collectAllModules function (#22562) (6978a9c)

8.0.14 (2026-05-21)

Features

• update rolldown to 1.0.2 (#22484) (96efc88)

Bug Fixes

• deps: update all non-major dependencies (#22471) (98b8163)
• dev: handle errors when sending messages to vite server (#22450) (e8e9a34)
• html: handle trailing slash paths in transformIndexHtml (#22480) (5d94d1b)
• optimizer: pass oxc jsx options to transformSync in dependency scan (#22342) (b3132da)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22470) (7cb728e)
• remove irrelevant commits from changelog (2c69495)

Code Refactoring

• glob: do not rewrite import path for absolute base (#22310) (0ae2844)

... (truncated)

Commits

• f94df87 release: v8.0.16
• dc245c7 fix: reject windows alternate paths (#22572)
• 50b9512 fix(deps): reject UNC paths for launch-editor-middleware (#22571)
• 8d1b019 release: v8.0.15
• 2686d7d fix(deps): update all non-major dependencies (#22511)
• 3052a67 chore(deps): update rolldown-related dependencies (#22566)
• e3cfb9d fix(optimizer): close the rolldown bundle when write() rejects (#22528)
• 6978a9c refactor: correct logic in collectAllModules function (#22562)
• 646dbed feat: update rolldown to 1.0.3 (#22538)
• 85a0eff fix: capitalize error messages and remove spurious space in parse error (#22488)
• Additional commits view...

  Description has been truncated

[dependabot]

Labels

The following labels could not be found: bun. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.