chore(deps-dev): bump the dev-dependencies group with 4 updates

[dependabot]

Bumps the dev-dependencies group with 4 updates: @trivago/prettier-plugin-sort-imports, eslint, eslint-plugin-react-refresh and eslint-plugin-security.

Updates @trivago/prettier-plugin-sort-imports from 6.0.0 to 6.0.2

Release notes

Sourced from @​trivago/prettier-plugin-sort-imports's releases.

v6.0.2

What's Changed

• Fix recognising mandatory prefix built-in imports by @​TomFryersMidsummer in trivago/prettier-plugin-sort-imports#389

New Contributors

• @​TomFryersMidsummer made their first contribution in trivago/prettier-plugin-sort-imports#389

Full Changelog: trivago/prettier-plugin-sort-imports@v6.0.1...v6.0.2

v6.0.1

What's Changed

• ignore eslint errors due to undefined export variables by @​vladislavarsenev in trivago/prettier-plugin-sort-imports#391

Full Changelog: trivago/prettier-plugin-sort-imports@v6.0.0...v6.0.1

Changelog

Sourced from @​trivago/prettier-plugin-sort-imports's changelog.

6.0.2

Bug fixes

• Fix recognising mandatory prefix built-in imports #389 by @​TomFryersMidsummer - Fixed detection of Node.js built-in modules that are only accessible with the node: prefix (like node:test, node:sqlite) to be correctly recognized when using <BUILTIN_MODULES> placeholder

6.0.1

Bug fixes

• Fix Svelte export snippet parsing #390 - Fixed by adding support for new Svelte snippet syntax

Commits

• d9c690f bump version. update changelog.
• 97214c3 Merge pull request #389 from TomFryersMidsummer/patch-1
• 7235355 Merge branch 'main' into patch-1
• 0c37c9d bump version
• 035e20a Merge pull request #391 from trivago/svelte-snippet-support
• d626e1b ignore eslint errors due to undefined export variables
• 0b1dc59 Fix recognising mandatory prefix built-in imports
• See full diff in compare view

Updates eslint from 9.39.2 to 10.0.1

Release notes

Sourced from eslint's releases.

v10.0.1

Bug Fixes

• c87d5bd fix: update eslint (#20531) (renovate[bot])
• d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519) (루밀LuMir)
• 04c2147 fix: update error message for unused suppressions (#20496) (fnx)
• 38b089c fix: update dependency @​eslint/config-array to ^0.23.1 (#20484) (renovate[bot])

Documentation

• 5b3dbce docs: add AI acknowledgement section to templates (#20431) (루밀LuMir)
• 6f23076 docs: toggle nav in no-JS mode (#20476) (Tanuj Kanti)
• b69cfb3 docs: Update README (GitHub Actions Bot)

Chores

• e5c281f chore: updates for v9.39.3 release (Jenkins)
• 8c3832a chore: update @​typescript-eslint/parser to ^8.56.0 (#20514) (Milos Djermanovic)
• 8330d23 test: add tests for config-api (#20493) (Milos Djermanovic)
• 37d6e91 chore: remove eslint v10 prereleases from eslint-config-eslint deps (#20494) (Milos Djermanovic)
• da7cd0e refactor: cleanup error message templates (#20479) (Francesco Trotta)
• 84fb885 chore: package.json update for @​eslint/js release (Jenkins)
• 1f66734 chore: add eslint to peerDependencies of @eslint/js (#20467) (Milos Djermanovic)

v10.0.0

Breaking Changes

• f9e54f4 feat!: estimate rule-tester failure location (#20420) (ST-DDT)
• a176319 feat!: replace chalk with styleText and add color to ResultsMeta (#20227) (루밀LuMir)
• c7046e6 feat!: enable JSX reference tracking (#20152) (Pixel998)
• fa31a60 feat!: add name to configs (#20015) (Kirk Waiblinger)
• 3383e7e fix!: remove deprecated SourceCode methods (#20137) (Pixel998)
• 501abd0 feat!: update dependency minimatch to v10 (#20246) (renovate[bot])
• ca4d3b4 fix!: stricter rule tester assertions for valid test cases (#20125) (唯然)
• 96512a6 fix!: Remove deprecated rule context methods (#20086) (Nicholas C. Zakas)
• c69fdac feat!: remove eslintrc support (#20037) (Francesco Trotta)
• 208b5cc feat!: Use ScopeManager#addGlobals() (#20132) (Milos Djermanovic)
• a2ee188 fix!: add uniqueItems: true in no-invalid-regexp option (#20155) (Tanuj Kanti)
• a89059d feat!: Program range span entire source text (#20133) (Pixel998)
• 39a6424 fix!: assert 'text' is a string across all RuleFixer methods (#20082) (Pixel998)
• f28fbf8 fix!: Deprecate "always" and "as-needed" options of the radix rule (#20223) (Milos Djermanovic)
• aa3fb2b fix!: tighten func-names schema (#20119) (Pixel998)
• f6c0ed0 feat!: report eslint-env comments as errors (#20128) (Francesco Trotta)
• 4bf739f fix!: remove deprecated LintMessage#nodeType and TestCaseError#type (#20096) (Pixel998)
• 523c076 feat!: drop support for jiti < 2.2.0 (#20016) (michael faith)
• 454a292 feat!: update eslint:recommended configuration (#20210) (Pixel998)
• 4f880ee feat!: remove v10_* and inactive unstable_* flags (#20225) (sethamus)
• f18115c feat!: no-shadow-restricted-names report globalThis by default (#20027) (sethamus)
• c6358c3 feat!: Require Node.js ^20.19.0 || ^22.13.0 || >=24 (#20160) (Milos Djermanovic)

Features

• bff9091 feat: handle Array.fromAsync in array-callback-return (#20457) (Francesco Trotta)
• 290c594 feat: add self to no-implied-eval rule (#20468) (sethamus)
• 43677de feat: fix handling of function and class expression names in no-shadow (#20432) (Milos Djermanovic)

... (truncated)

Commits

• 0bd5497 10.0.1
• ddb80ef Build: changelog update for 10.0.1
• c87d5bd fix: update eslint (#20531)
• e5c281f chore: updates for v9.39.3 release
• d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519)
• 8c3832a chore: update @​typescript-eslint/parser to ^8.56.0 (#20514)
• 5b3dbce docs: add AI acknowledgement section to templates (#20431)
• 04c2147 fix: update error message for unused suppressions (#20496)
• 8330d23 test: add tests for config-api (#20493)
• 37d6e91 chore: remove eslint v10 prereleases from eslint-config-eslint deps (#20494)
• Additional commits viewable in compare view

Updates eslint-plugin-react-refresh from 0.4.26 to 0.5.1

Release notes

Sourced from eslint-plugin-react-refresh's releases.

v0.5.1

• Mark ESLint v10 as supported
• Support false positives with TypeScript function overloading (fixes #105)
• Support nested function calls for extraHOCs (fixes #104)

v0.5.0

Breaking changes

• The package now ships as ESM and requires ESLint 9 + node 20. Because legacy config doesn't support ESM, this requires to use flat config
• A new reactRefresh export is available and prefered over the default export. It's an object with two properties:
  • plugin: The plugin object with the rules
  • configs: An object containing configuration presets, each exposed as a function. These functions accept your custom options, merge them with sensible defaults for that config, and return the final config object.
• customHOCs option was renamed to extraHOCs
• Validation of HOCs calls is now more strict, you may need to add some HOCs to the extraHOCs option (like connect or styled)

Config example:

import { defineConfig } from "eslint/config";
import { reactRefresh } from "eslint-plugin-react-refresh";
export default defineConfig(
/* Main config */
reactRefresh.configs.vite({ extraHOCs: ["someLibHOC"] }),
);

Config example without config:

import { defineConfig } from "eslint/config";
import { reactRefresh } from "eslint-plugin-react-refresh";
export default defineConfig({
files: ["/*.ts", "/*.tsx"],
plugins: {
// other plugins
"react-refresh": reactRefresh.plugin,
},
rules: {
// other rules
"react-refresh/only-export-components": [
"warn",
{ extraHOCs: ["someLibHOC"] },
],
},
});

Why

... (truncated)

Changelog

Sourced from eslint-plugin-react-refresh's changelog.

0.5.1

• Mark ESLint v10 as supported
• Support false positives with TypeScript function overloading (fixes #105)
• Support nested function calls for extraHOCs (fixes #104)

0.5.0

Breaking changes

• The package now ships as ESM and requires ESLint 9 + node 20. Because legacy config doesn't support ESM, this requires to use flat config
• A new reactRefresh export is available and prefered over the default export. It's an object with two properties:
  • plugin: The plugin object with the rules
  • configs: An object containing configuration presets, each exposed as a function. These functions accept your custom options, merge them with sensible defaults for that config, and return the final config object.
• customHOCs option was renamed to extraHOCs
• Validation of HOCs calls is now more strict, you may need to add some HOCs to the extraHOCs option

Config example:

import { defineConfig } from "eslint/config";
import { reactRefresh } from "eslint-plugin-react-refresh";
export default defineConfig(
/* Main config */
reactRefresh.configs.vite({ extraHOCs: ["someLibHOC"] }),
);

Config example without config:

import { defineConfig } from "eslint/config";
import { reactRefresh } from "eslint-plugin-react-refresh";
export default defineConfig({
files: ["/*.ts", "/*.tsx"],
plugins: {
// other plugins
"react-refresh": reactRefresh.plugin,
},
rules: {
// other rules
"react-refresh/only-export-components": [
"warn",
{ extraHOCs: ["someLibHOC"] },
],
},
});

... (truncated)

Commits

• 42a1805 Explicit v10 support (fixes #106) [publish]
• 199793e Support nested function calls for extraHOCs (fixes #104)
• 26b3c15 Support false positives with TypeScript function overloading (fixes #105)
• daa2efb Revamp logic to catch more cases [publish] (#97)
• See full diff in compare view

Updates eslint-plugin-security from 3.0.1 to 4.0.0

Release notes

Sourced from eslint-plugin-security's releases.

eslint-plugin-security: v4.0.0

4.0.0 (2026-02-19)

⚠ BREAKING CHANGES

• requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146)
• switch the recommended config to flat (#118)

Features

• add config recommended-legacy (#132) (13d3f2f)
• Add meta object documentation for all rules (#79) (fb1d9ef)
• detect-bidi-characters rule (#95) (4294d29)
• detect-non-literal-fs-filename: change to track non-top-level require() as well (#105) (d3b1543)
• extend detect non literal fs filename (#92) (08ba476)
• improve detect-child-process rule (#108) (64ae529)
• non-literal-require: support template literals (#81) (208019b)
• requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146) (df1b606)
• switch the recommended config to flat (#118) (e20a366)

Bug Fixes

• Add ESLint 10 compatibility for context.sourceCode API change (#186) (7f9ee77)
• add name to recommended flat config (#161) (aa1c8c5)
• Avoid crash when exec() is passed no arguments (7f97815), closes #82 #23
• Avoid TypeError when exec stub is used with no arguments (#97) (9c18f16)
• detect-child-process: false positive for destructuring with exec (#102) (657921a)
• detect-child-process: false positives for destructuring spawn (#103) (fdfe37d)
• Ensure empty eval() doesn't crash detect-eval-with-expression (#139) (8a7c7db)
• Ensure everything works with ESLint v9 (#145) (ac50ab4)
• false positives for static expressions in detect-non-literal-fs-filename, detect-child-process, detect-non-literal-regexp, and detect-non-literal-require (#109) (56102b5)
• generate provenance statement for release (#168) (eb3ee9c)
• Incorrect method name in detect-buffer-noassert. (313c0c6), closes #63 #80
• release-please config (#189) (2443d10)

Changelog

Sourced from eslint-plugin-security's changelog.

4.0.0 (2026-02-19)

⚠ BREAKING CHANGES

• requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146)
• switch the recommended config to flat (#118)

Features

• add config recommended-legacy (#132) (13d3f2f)
• Add meta object documentation for all rules (#79) (fb1d9ef)
• detect-bidi-characters rule (#95) (4294d29)
• detect-non-literal-fs-filename: change to track non-top-level require() as well (#105) (d3b1543)
• extend detect non literal fs filename (#92) (08ba476)
• improve detect-child-process rule (#108) (64ae529)
• non-literal-require: support template literals (#81) (208019b)
• requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146) (df1b606)
• switch the recommended config to flat (#118) (e20a366)

Bug Fixes

• Add ESLint 10 compatibility for context.sourceCode API change (#186) (7f9ee77)
• add name to recommended flat config (#161) (aa1c8c5)
• Avoid crash when exec() is passed no arguments (7f97815), closes #82 #23
• Avoid TypeError when exec stub is used with no arguments (#97) (9c18f16)
• detect-child-process: false positive for destructuring with exec (#102) (657921a)
• detect-child-process: false positives for destructuring spawn (#103) (fdfe37d)
• Ensure empty eval() doesn't crash detect-eval-with-expression (#139) (8a7c7db)
• Ensure everything works with ESLint v9 (#145) (ac50ab4)
• false positives for static expressions in detect-non-literal-fs-filename, detect-child-process, detect-non-literal-regexp, and detect-non-literal-require (#109) (56102b5)
• generate provenance statement for release (#168) (eb3ee9c)
• Incorrect method name in detect-buffer-noassert. (313c0c6), closes #63 #80
• release-please config (#189) (2443d10)

Commits

• 4b734af chore: release 4.0.0 🚀 (#192)
• 2443d10 fix: release-please config (#189)
• ee73862 chore(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#187)
• ca182d1 chore(deps): bump serialize-javascript and mocha (#184)
• 7f9ee77 fix: Add ESLint 10 compatibility for context.sourceCode API change (#186)
• 99032c3 ci: trusted publishing (#180)
• 5e096f2 ci(ci): add node 24 to test matrix (#176)
• e060aeb ci: migrate to manifest config (#173)
• fc0af81 chore(.eslint-doc-generatorrc): add missing 'use strict' directive (#170)
• f6a29ef chore(package): explicitly declare js module type (#171)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for eslint-plugin-security since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	43.88%	2962 / 6749
🔵	Statements	43.48%	3118 / 7171
🔵	Functions	45.72%	615 / 1345
🔵	Branches	48.51%	1924 / 3966

Generated in workflow #619 for commit 044dc8b by the Vitest Coverage Report Action