chore(deps): bump the node-dependencies group in /client with 13 updates

[dependabot]

Bumps the node-dependencies group in /client with 13 updates:

Package	From	To
react-router-dom	7.14.1	7.14.2
@bufbuild/buf	1.68.1	1.68.3
@tailwindcss/postcss	4.2.2	4.2.4
@typescript-eslint/eslint-plugin	8.58.2	8.59.0
@typescript-eslint/parser	8.58.2	8.59.0
chromatic	16.3.0	16.4.0
eslint	10.2.0	10.2.1
eslint-plugin-playwright	2.10.1	2.10.2
eslint-plugin-react-hooks	7.0.1	7.1.1
tailwindcss	4.2.2	4.2.4
typescript	6.0.2	6.0.3
vite	8.0.8	8.0.9
vitest	4.1.4	4.1.5

Updates react-router-dom from 7.14.1 to 7.14.2

Changelog

Sourced from react-router-dom's changelog.

v7.14.2

Patch Changes

• Updated dependencies:
  • react-router@7.14.2

Commits

• cf1d250 Release v7.14.2 (#14993)
• See full diff in compare view

Updates @bufbuild/buf from 1.68.1 to 1.68.3

Release notes

Sourced from @​bufbuild/buf's releases.

v1.68.3

• Fix buf format error handling for edition 2024.

v1.68.2

• Fix build failures for modules with a vendored descriptor.proto.
• Fix LSP incorrectly reporting "edition '2024' not yet fully supported" errors.
• Fix CEL compilation error messages in buf lint to use the structured error API instead of parsing cel-go's text output.
• Add --debug-address flag to buf lsp serve to provide debug and profile support.

Changelog

Sourced from @​bufbuild/buf's changelog.

[v1.68.3] - 2026-04-20

• Fix buf format error handling for edition 2024.

[v1.68.2] - 2026-04-17

• Fix build failures for modules with a vendored descriptor.proto.
• Fix LSP incorrectly reporting "edition '2024' not yet fully supported" errors.
• Fix CEL compilation error messages in buf lint to use the structured error API instead of parsing cel-go's text output.
• Add --debug-address flag to buf lsp serve to provide debug and profile support.

Commits

• d907e27 Release v1.68.3 (#4491)
• 7197d64 Upgrade protocompile and add changlog (#4490)
• f2d3a5e Upgrade protocompile to reduce allocs in fastscan (#4489)
• 0c2be68 Make upgrade (#4488)
• 2695df0 LSP fix format for edition 2024 syntax (#4483)
• d9844fe Return to development (#4482)
• c40a3a8 Release v1.68.2 (#4481)
• 233aed7 Add --debug-address flag for debug and profiling of the LSP (#4437)
• 1254fac Handle vendored descriptor.proto gracefully (#4478)
• 080510f LSP filter diagnostics by filepath (#4479)
• Additional commits viewable in compare view

Updates @tailwindcss/postcss from 4.2.2 to 4.2.4

Release notes

Sourced from @​tailwindcss/postcss's releases.

v4.2.4

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

v4.2.3

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)
• Add .env and .env.* to default ignored content files (#19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#19858)
• Improve performance when scanning JSONL / NDJSON files (#19862)
• Support NODE_PATH environment variable in standalone CLI (#19617)

Changelog

Sourced from @​tailwindcss/postcss's changelog.

[4.2.4] - 2026-04-21

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

[4.2.3] - 2026-04-20

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)
• Add .env and .env.* to default ignored content files (#19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#19858)
• Improve performance when scanning JSONL / NDJSON files (#19862)
• Support NODE_PATH environment variable in standalone CLI (#19617)

Commits

• 69ad7cc 4.2.4 (#19948)
• 685c19e Fix issue around resolving paths in @tailwindcss/vite (#19947)
• 2e3fa49 4.2.3 (#19944)
• 4527123 docs(postcss): remove duplicated optimize example from README (#19938)
• aad6017 docs/fix-lightning-css-typo-postcss-readme (#19913)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tailwindcss/postcss since your current version.

Updates @typescript-eslint/eslint-plugin from 8.58.2 to 8.59.0

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• ea9ae4f chore(release): publish 8.59.0
• cfca550 feat(eslint-plugin): [no-unnecessary-type-assertion] report more cases based ...
• 6d599b4 chore(eslint-plugin): switch auto-generated test cases to hand-written in ret...
• 33c8169 chore: fix cspell violations in code blocks (#12167)
• See full diff in compare view

Updates @typescript-eslint/parser from 8.58.2 to 8.59.0

Release notes

Sourced from @​typescript-eslint/parser's releases.

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/parser's changelog.

8.59.0 (2026-04-20)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• ea9ae4f chore(release): publish 8.59.0
• See full diff in compare view

Updates chromatic from 16.3.0 to 16.4.0

Release notes

Sourced from chromatic's releases.

v16.4.0

🚀 Enhancement

• Upgrade to Storybook 10 #1268 (@​jmhobbs)
• React Native build command #1274 (@​jmhobbs)

🐛 Bug Fix

• Upgrade to tsdown #1282 (@​jmhobbs)

Authors: 1

• John Hobbs (@​jmhobbs)

Changelog

Sourced from chromatic's changelog.

v16.4.0 (Tue Apr 21 2026)

🚀 Enhancement

• Upgrade to Storybook 10 #1268 (@​jmhobbs)
• React Native build command #1274 (@​jmhobbs)

🐛 Bug Fix

• Upgrade to tsdown #1282 (@​jmhobbs)

Authors: 1

• John Hobbs (@​jmhobbs)

---

Commits

• 9be8ac4 Bump version to: 16.4.0 [skip ci]
• 2a93a53 Update CHANGELOG.md [skip ci]
• 3518000 Merge pull request #1268 from chromaui/jmhobbs/cap-4067-upgrade-storybook
• 8bb70bf Clean up storybook preview.ts
• dbd4b08 Change cwd in SB to root, to match existing
• 0757e7f Polyfill process.cwd for Storybook
• 8187c9f Copy semver into the GitHub action
• 558ebfc Move semver into dependencies
• 3ea46c1 Upgrade @​typescript-eslint
• 7aa4516 Fix TS lints
• Additional commits viewable in compare view

Updates eslint from 10.2.0 to 10.2.1

Release notes

Sourced from eslint's releases.

v10.2.1

Bug Fixes

• 14be92b fix: model generator yield resumption paths in code path analysis (#20665) (sethamus)
• 84a19d2 fix: no-async-promise-executor false positives for shadowed Promise (#20740) (xbinaryx)
• af764af fix: clarify language and processor validation errors (#20729) (Pixel998)
• e251b89 fix: update eslint (#20715) (renovate[bot])

Documentation

• ca92ca0 docs: reuse markdown-it instance for markdown filter (#20768) (Amaresh S M)
• 57d2ee2 docs: Enable Eleventy incremental mode for watch (#20767) (Amaresh S M)
• c1621b9 docs: fix typos in code-path-analyzer.js (#20700) (Ayush Shukla)
• 1418d52 docs: Update README (GitHub Actions Bot)
• 39771e6 docs: Update README (GitHub Actions Bot)
• 71e0469 docs: fix incomplete JSDoc param description in no-shadow rule (#20728) (kuldeep kumar)
• 22119ce docs: clarify scope of for-direction rule with dead code examples (#20723) (Amaresh S M)
• 8f3fb77 docs: document meta.docs.dialects (#20718) (Pixel998)

Chores

• 7ddfea9 chore: update dependency prettier to v3.8.2 (#20770) (renovate[bot])
• fac40e1 ci: bump pnpm/action-setup from 5.0.0 to 6.0.0 (#20763) (dependabot[bot])
• 7246f92 test: add tests for SuppressionsService.load() error handling (#20734) (kuldeep kumar)
• 4f34b1e chore: update pnpm/action-setup action to v5 (#20762) (renovate[bot])
• 51080eb test: processor service (#20731) (kuldeep kumar)
• e7e1889 chore: remove stale babel-eslint10 fixture and test (#20727) (kuldeep kumar)
• 4e1a87c test: remove redundant async/await in flat config array tests (#20722) (Pixel998)
• 066eabb test: add rule metadata coverage for languages and docs.dialects (#20717) (Pixel998)

Commits

• 4d1d8f9 10.2.1
• 3e33105 Build: changelog update for 10.2.1
• ca92ca0 docs: reuse markdown-it instance for markdown filter (#20768)
• 7ddfea9 chore: update dependency prettier to v3.8.2 (#20770)
• 57d2ee2 docs: Enable Eleventy incremental mode for watch (#20767)
• c1621b9 docs: fix typos in code-path-analyzer.js (#20700)
• fac40e1 ci: bump pnpm/action-setup from 5.0.0 to 6.0.0 (#20763)
• 7246f92 test: add tests for SuppressionsService.load() error handling (#20734)
• 4f34b1e chore: update pnpm/action-setup action to v5 (#20762)
• 1418d52 docs: Update README
• Additional commits viewable in compare view

Updates eslint-plugin-playwright from 2.10.1 to 2.10.2

Release notes

Sourced from eslint-plugin-playwright's releases.

v2.10.2

2.10.2 (2026-04-20)

Bug Fixes

• missing-playwright-await: Fix false positive when re-assigning awaited variable (8cca0ac), closes #456
• no-duplicate-hooks: handle anonymous describe blocks in forEach loops (8b4ec60), closes #459
• valid-test-tags: Support template literal strings (d98a05c), closes #460

Commits

• 613db7a chore: Fix type errors
• 8cca0ac fix(missing-playwright-await): Fix false positive when re-assigning awaited v...
• 8b4ec60 fix(no-duplicate-hooks): handle anonymous describe blocks in forEach loops
• d98a05c fix(valid-test-tags): Support template literal strings
• 1158eda chore(deps): Bump flatted from 3.3.3 to 3.4.2 (#452)
• 6e66967 chore(deps): Bump lodash-es from 4.17.23 to 4.18.1 (#457)
• ab4e713 chore(deps): Bump vite from 7.3.1 to 7.3.2 (#458)
• 47cc83a chore(deps): Bump handlebars from 4.7.8 to 4.7.9 (#455)
• b224504 chore(deps): Bump picomatch from 2.3.1 to 2.3.2 (#454)
• See full diff in compare view

Updates eslint-plugin-react-hooks from 7.0.1 to 7.1.1

Release notes

Sourced from eslint-plugin-react-hooks's releases.

eslint-plugin-react-hooks@7.1.1 (April 17, 2026)

Note: 7.1.0 accidentally removed the component-hook-factories rule, causing errors for users who referenced it in their ESLint config. This is now fixed.

• Add deprecated no-op component-hook-factories rule for backwards compatibility. (@​mofeiZ in #36307)

eslint-plugin-react-hooks@7.1.0 (April 16, 2026)

This release adds ESLint v10 support, improves performance by skipping compilation for non-React files, and includes compiler lint improvements including better set-state-in-effect detection, improved ref validation, and more helpful error reporting.

• Add ESLint v10 support. (@​azat-io in #35720)
• Skip compilation for non-React files to improve performance. (@​josephsavona in #35589)
• Fix exhaustive deps bug with Flow type casting. (@​jorge-cab in #35691)
• Fix useEffectEvent checks in component syntax. (@​jbrown215 in #35041)
• Improved set-state-in-effect validation with fewer false negatives. (@​jorge-cab in #35134, @​josephsavona in #35147, @​jackpope in #35214, @​chesnokov-tony in #35419, @​jsleitor in #36107)
• Improved ref validation for non-mutating functions and event handler props. (@​josephsavona in #35893, @​kolvian in #35062)
• Compiler now reports all errors instead of stopping at the first. (@​josephsavona in #35873–#35884)
• Improved source locations and error display in compiler diagnostics. (@​nathanmarks in #35348, @​josephsavona in #34963)

Changelog

Sourced from eslint-plugin-react-hooks's changelog.

7.1.1

Note: 7.1.0 accidentally removed the component-hook-factories rule, causing errors for users who referenced it in their ESLint config. This is now fixed.

• Add deprecated no-op component-hook-factories rule for backwards compatibility. (@​mofeiZ in #36307)

7.1.0

This release adds ESLint v10 support, improves performance by skipping compilation for non-React files, and includes compiler lint improvements including better set-state-in-effect detection, improved ref validation, and more helpful error reporting.

• Add ESLint v10 support. (@​azat-io in #35720)
• Skip compilation for non-React files to improve performance. (@​josephsavona in #35589)
• Fix exhaustive deps bug with Flow type casting. (@​jorge-cab in #35691)
• Fix useEffectEvent checks in component syntax. (@​jbrown215 in #35041)
• Improved set-state-in-effect validation with fewer false negatives. (@​jorge-cab in #35134, @​josephsavona in #35147, @​jackpope in #35214, @​chesnokov-tony in #35419, @​jsleitor in #36107)
• Improved ref validation for non-mutating functions and event handler props. (@​josephsavona in #35893, @​kolvian in #35062)
• Compiler now reports all errors instead of stopping at the first. (@​josephsavona in #35873–#35884)
• Improved source locations and error display in compiler diagnostics. (@​nathanmarks in #35348, @​josephsavona in #34963)

Commits

• See full diff in compare view

Updates tailwindcss from 4.2.2 to 4.2.4

Release notes

Sourced from tailwindcss's releases.

v4.2.4

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

v4.2.3

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)
• Add .env and .env.* to default ignored content files (#19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#19858)
• Improve performance when scanning JSONL / NDJSON files (#19862)
• Support NODE_PATH environment variable in standalone CLI (#19617)

Changelog

Sourced from tailwindcss's changelog.

[4.2.4] - 2026-04-21

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

[4.2.3] - 2026-04-20

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)
• Add .env and .env.* to default ignored content files (#19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#19858)
• Improve performance when scanning JSONL / NDJSON files (#19862)
• Support NODE_PATH environment variable in standalone CLI (#19617)

Commits

• 69ad7cc 4.2.4 (#19948)
• 2e3fa49 4.2.3 (#19944)
• df6209a Canonicalize negative arbitrary values (#19858)
• 52fd421 Small refactor of canonicalization tests (#19851)
• c385fd3 use test.each instead of manual loop
• 0d6e038 fix index in test name
• 88a2d22 Add more canonicalization rules for deprecated utilities (#19849)
• 2c1ef9e Use --placeholder-color instead of --background-color for placeholder-*...
• 28d5268 Collapse more utilities by expanding their declarations (#19842)
• b55d960 fix(canonicalize): collapse arbitrary values into shorthand utilities (#19837)
• Additional commits viewable in compare view

Updates typescript from 6.0.2 to 6.0.3

Release notes

Sourced from typescript's releases.

TypeScript 6.0.3

For release notes, check out the release announcement blog post.

• fixed issues query for TypeScript 6.0.0 (Beta).
• fixed issues query for TypeScript 6.0.1 (RC).
• fixed issues query for TypeScript 6.0.2 (Stable).
• fixed issues query for TypeScript 6.0.3 (Stable).

Downloads are available on:

• npm

Commits

• 050880c Bump version to 6.0.3 and LKG
• eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
• ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
• 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
• See full diff in compare view

Updates vite from 8.0.8 to 8.0.9

Release notes

Sourced from vite's releases.

v8.0.9

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.9 (2026-04-20)

Features

• update rolldown to 1.0.0-rc.16 (#22248) (2947edd)

Bug Fixes

• allow binding when strictPort is set but wildcard port is in use (

[github-actions]

🔐 Codex Security Review

Note: This is an automated security-focused code review generated by Codex.
It should be used as a supplementary check alongside human review.
False positives are possible - use your judgment.

Scope summary

• Reviewed pull request diff only (b8945fb1b4db0f6486a33066a2640c9263246d2f...6d2dad5ee3d1db46d53e419aaea0a73da149f2a1, exact PR three-dot diff)
• Model: gpt-5.4

💡 Click "edited" above to see previous reviews for this PR.

---

Review Summary

Overall Risk: LOW

Findings

[LOW] Frontend lint guardrails are disabled project-wide instead of being scoped to existing violations

• Category: Frontend
• Location: client/eslint.config.js:41, client/package.json:15
• Description: The PR upgrades eslint-plugin-react-hooks to 7.1.1, then turns off react-hooks/set-state-in-effect, react-hooks/refs, react-hooks/immutability, react-hooks/preserve-manual-memoization, and react-hooks/use-memo for all *.ts/*.tsx files. It also disables unused-disable reporting in config and removes --report-unused-disable-directives from the lint script. That is broader than just tolerating existing suppressions: it suppresses detection of new violations anywhere in the frontend.
• Impact: This is a reliability regression rather than an immediate exploit. New render-time ref misuse, direct mutation, or effect-driven state churn can now merge without automated detection, which increases the chance of subtle UI correctness bugs and makes future suppressions harder to audit.
• Recommendation: Keep the new rules at warn, or scope suppressions to the specific legacy files that currently violate them. If temporary global suppression is unavoidable, keep unused-disable reporting enabled everywhere else and track removal with a concrete follow-up issue.

Notes

• The scoped diff only changes client/eslint.config.js, client/package.json, and client/package-lock.json. It does not touch backend auth, SQL/migrations, Connect/gRPC handlers, plugin boundaries, network discovery, or deployment/runtime config.
• I did not find evidence in the changed hunks of auth bypass, SQL injection, command injection, plugin trust-boundary bugs, cryptostealing/pool hijack logic, protobuf wire-format breakage, or exposed secrets.
• Aside from the lint-policy relaxation above, the remaining changes are frontend tooling/version churn plus removal of chromatic; I did not find a concrete security or correctness regression in those version bumps from the diff alone.

---

_{Generated by Codex Security Review |
Triggered by: @dependabot[bot] |
Review workflow run}

[mcharles-square]

@flesher can you get this one over the line? looks like the version bump changed some eslint rules