deps(deps): bump the minor-and-patch group with 6 updates

[dependabot]

Bumps the minor-and-patch group with 6 updates:

Package	From	To
@biomejs/biome	2.4.12	2.4.13
vite	8.0.9	8.0.10
vitest	4.1.4	4.1.5
hono	4.12.14	4.12.15
jose	6.2.2	6.2.3
otpauth	9.5.0	9.5.1

Updates @biomejs/biome from 2.4.12 to 2.4.13

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.13

2.4.13

Patch Changes

• #9969 c5eb92b Thanks @​officialasishkumar! - Added the nursery rule noUnnecessaryTemplateExpression, which disallows template literals that only contain string literal expressions. These can be replaced with a simpler string literal.

  For example, the following code triggers the rule:

  const a = `${"hello"}`; // can be 'hello'
  const b = `${"prefix"}_suffix`; // can be 'prefix_suffix'
  const c = `${"a"}${"b"}`; // can be 'ab'

• #10037 f785e8c Thanks @​minseong0324! - Fixed #9810: noMisleadingReturnType no longer reports false positives on a getter with a matching setter in the same namespace.

  class Store {
    get status(): string {
      if (Math.random() > 0.5) return "loading";
      return "idle";
    }
    set status(v: string) {}
  }

• #10084 5e2f90c Thanks @​jiwon79! - Fixed #10034: noUselessEscapeInRegex no longer flags escapes of ClassSetReservedPunctuator characters (&, !, #, %, ,, :, ;, <, =, >, @, `, ~) inside v-flag character classes as useless. These characters are reserved as individual code points in v-mode, so the escape is required.

  The following pattern is now considered valid:

  /[a-z\&]/v;

• #10063 c9ffa16 Thanks @​Netail! - Added extra rule sources from ESLint CSS. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #10035 946b50e Thanks @​Netail! - Fixed #10032: useIframeSandbox now flags if there's no initializer value.

• #9865 68fb8d4 Thanks @​dyc3! - Added the new nursery rule useDomNodeTextContent, which prefers textContent over innerText for DOM node text access and destructuring.

  For example, the following snippet triggers the rule:

  const foo = node.innerText;

• #10023 bd1e74f Thanks @​ematipico! - Added a new nursery rule noReactNativeDeepImports that disallows deep imports from the react-native package. Internal paths like react-native/Libraries/... are not part of the public API and may change between versions.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.13

Patch Changes

• #9969 c5eb92b Thanks @​officialasishkumar! - Added the nursery rule noUnnecessaryTemplateExpression, which disallows template literals that only contain string literal expressions. These can be replaced with a simpler string literal.

  For example, the following code triggers the rule:

  const a = `${"hello"}`; // can be 'hello'
  const b = `${"prefix"}_suffix`; // can be 'prefix_suffix'
  const c = `${"a"}${"b"}`; // can be 'ab'

• #10037 f785e8c Thanks @​minseong0324! - Fixed #9810: noMisleadingReturnType no longer reports false positives on a getter with a matching setter in the same namespace.

  class Store {
    get status(): string {
      if (Math.random() > 0.5) return "loading";
      return "idle";
    }
    set status(v: string) {}
  }

• #10084 5e2f90c Thanks @​jiwon79! - Fixed #10034: noUselessEscapeInRegex no longer flags escapes of ClassSetReservedPunctuator characters (&, !, #, %, ,, :, ;, <, =, >, @, `, ~) inside v-flag character classes as useless. These characters are reserved as individual code points in v-mode, so the escape is required.

  The following pattern is now considered valid:

  /[a-z\&]/v;

• #10063 c9ffa16 Thanks @​Netail! - Added extra rule sources from ESLint CSS. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #10035 946b50e Thanks @​Netail! - Fixed #10032: useIframeSandbox now flags if there's no initializer value.

• #9865 68fb8d4 Thanks @​dyc3! - Added the new nursery rule useDomNodeTextContent, which prefers textContent over innerText for DOM node text access and destructuring.

  For example, the following snippet triggers the rule:

  const foo = node.innerText;

• #10023 bd1e74f Thanks @​ematipico! - Added a new nursery rule noReactNativeDeepImports that disallows deep imports from the react-native package. Internal paths like react-native/Libraries/... are not part of the public API and may change between versions.

  For example, the following code triggers the rule:

... (truncated)

Commits

• e316150 ci: release (#9991)
• 11ddc05 feat(lint): add useReactNativePlatformComponents rule and options (#10033)
• 1603f78 feat(js_analyze): implement noJsxLeakedDollar (#9911)
• c5eb92b feat(linter): add nursery rule noUnnecessaryTemplateExpression (#9969)
• 5cc83b1 feat(lint/js): add noLoopFunc (#9815)
• bd1e74f feat(lint): add react native deep import rule (#10023)
• 68fb8d4 feat(lint/js): add useDomNodeTextContent (#9865)
• 94ccca9 feat(lint): add noReactNativeLiteralColors (#10012)
• 3dce737 feat(lint/js): add useDomQuerySelector (#9885)
• 131019e feat(lint): add noReactNativeRawText (#10005)
• Additional commits viewable in compare view

Updates vite from 8.0.9 to 8.0.10

Release notes

Sourced from vite's releases.

v8.0.10

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.10 (2026-04-23)

Features

• update rolldown to 1.0.0-rc.17 (#22299) (a4d06d9)

Bug Fixes

• hmrClient.logger.debug and hmrClient.logger.error looked different from other HMR logs (#22147) (a4d828f)
• css: show filename in CSS minification warnings for .css?inline (#22292) (83f0a78)
• optimizer: allow user transform.target to override default in optimizeDeps (#22273) (5c7cec6)
• remove format sniffing module resolution from JS resolver (#22297) (b8a21cc)

Code Refactoring

• enable some typecheck rules (#22278) (9437518)
• typecheck client directory (#22284) (40a0847)

Commits

• 32c2978 release: v8.0.10
• a4d06d9 feat: update rolldown to 1.0.0-rc.17 (#22299)
• a4d828f fix: hmrClient.logger.debug and hmrClient.logger.error looked different f...
• 83f0a78 fix(css): show filename in CSS minification warnings for .css?inline (#22292)
• b8a21cc fix: remove format sniffing module resolution from JS resolver (#22297)
• 40a0847 refactor: typecheck client directory (#22284)
• 5c7cec6 fix(optimizer): allow user transform.target to override default in optimizeDe...
• 9437518 refactor: enable some typecheck rules (#22278)
• See full diff in compare view

Updates vitest from 4.1.4 to 4.1.5

Release notes

Sourced from vitest's releases.

v4.1.5

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in vitest-dev/vitest#10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in vitest-dev/vitest#10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in vitest-dev/vitest#10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in vitest-dev/vitest#10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in vitest-dev/vitest#10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in vitest-dev/vitest#8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in vitest-dev/vitest#8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in vitest-dev/vitest#10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in vitest-dev/vitest#10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in vitest-dev/vitest#10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in vitest-dev/vitest#9927 and vitest-dev/vitest#10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in vitest-dev/vitest#10154 (6abd5)

    View changes on GitHub

Commits

• e399846 chore: release v4.1.5
• 7dc6d54 Revert "fix: respect diff config options in soft assertions (#8696)"
• 9787ded fix: respect diff config options in soft assertions (#8696)
• 325463a fix(ast-collect): recognize _vi_import prefix in static test discovery (#10...
• 0e0ff41 feat(coverage): istanbul to support instrumenter option (#10119)
• 663b99f fix: alias agent reporter to minimal (#10157)
• 122c25b fix: fix vi.defineHelper called as object method (#10163)
• 6abd557 feat(api): make test-specification options writable (#10154)
• 596f739 fix: project color label on html reporter (#10142)
• 9423dc0 fix: --project negation excludes browser instances (#10131)
• Additional commits viewable in compare view

Updates hono from 4.12.14 to 4.12.15

Release notes

Sourced from hono's releases.

v4.12.15

What's Changed

• fix(jwt): support single-line PEM keys by @​hiendv in honojs/hono#4889

New Contributors

• @​hiendv made their first contribution in honojs/hono#4889

Full Changelog: honojs/hono@v4.12.14...v4.12.15

Commits

• f774f8d 4.12.15
• 18fe604 fix(jwt): support single-line PEM keys (#4889)
• See full diff in compare view

Updates jose from 6.2.2 to 6.2.3

Release notes

Sourced from jose's releases.

v6.2.3

Refactor

• cleanly reject invalid PBES2 p2c (0cdb851)

Changelog

Sourced from jose's changelog.

6.2.3 (2026-04-27)

Refactor

• cleanly reject invalid PBES2 p2c (0cdb851)

Commits

• 41ad7e9 chore(release): 6.2.3
• 988e90f chore: account for commit-and-tag-version instead of standard-version
• 4b24656 chore: update CHANGELOG.md header
• 0cdb851 refactor: cleanly reject invalid PBES2 p2c
• a0b261e test: update Bun expectations
• b39dc1a chore: use fs.globSync
• 0675be1 build: replace rollup umd build with a custom esbuild iife wrap
• 9b03323 chore: bump packages
• 914b73d chore(deps-dev): bump lodash
• 9dce817 chore: bump packages
• Additional commits viewable in compare view

Updates otpauth from 9.5.0 to 9.5.1

Release notes

Sourced from otpauth's releases.

v9.5.1

What's Changed

• Bump rollup from 4.57.1 to 4.59.0 by @​dependabot[bot] in hectorm/otpauth#674
• Bump minimatch by @​dependabot[bot] in hectorm/otpauth#673
• Bump the github-actions-all group with 3 updates by @​dependabot[bot] in hectorm/otpauth#675
• Bump the npm-development-minor-patch group across 1 directory with 7 updates by @​dependabot[bot] in hectorm/otpauth#677
• Bump the github-actions-all group with 3 updates by @​dependabot[bot] in hectorm/otpauth#679
• Bump @​rollup/plugin-terser from 0.4.4 to 1.0.0 by @​dependabot[bot] in hectorm/otpauth#680
• Bump eslint from 9.39.2 to 10.0.3 by @​dependabot[bot] in hectorm/otpauth#678
• Bump @​eslint/js from 9.39.2 to 10.0.1 by @​dependabot[bot] in hectorm/otpauth#670
• Bump the npm-development-minor-patch group across 1 directory with 8 updates by @​dependabot[bot] in hectorm/otpauth#686
• Bump the github-actions-all group with 5 updates by @​dependabot[bot] in hectorm/otpauth#685
• Bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in hectorm/otpauth#684
• Bump flatted from 3.3.3 to 3.4.2 by @​dependabot[bot] in hectorm/otpauth#682
• Bump the github-actions-all group with 4 updates by @​dependabot[bot] in hectorm/otpauth#692
• Bump @​noble/hashes from 2.0.1 to 2.2.0 in the npm-production-minor-patch group by @​dependabot[bot] in hectorm/otpauth#688
• Bump the npm-development-minor-patch group across 1 directory with 8 updates by @​dependabot[bot] in hectorm/otpauth#690

Full Changelog: hectorm/otpauth@v9.5.0...v9.5.1

Commits

• 4903d3d 9.5.1
• b5c6df7 Add 7 day cooldown for new dependency versions
• 01f7caf Update dependencies
• adff202 Bump the npm-development-minor-patch group across 1 directory with 8 updates ...
• 0e4fa84 Bump @​noble/hashes in the npm-production-minor-patch group (#688)
• b7f24c9 Bump the github-actions-all group with 4 updates (#692)
• 80b053d Bump flatted from 3.3.3 to 3.4.2 (#682)
• 4d0f0cc Bump picomatch from 4.0.3 to 4.0.4 (#684)
• 2f0e384 Bump the github-actions-all group with 5 updates (#685)
• 7097f14 Bump the npm-development-minor-patch group across 1 directory with 8 updates ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.