chore(deps)(deps-dev): bump the development-dependencies group with 8 updates

[dependabot]

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

---

Bumps the development-dependencies group with 8 updates:

Package	From	To
@types/node	25.5.0	25.5.2
turbo	2.8.21	2.9.4
@oclif/plugin-help	6.2.41	6.2.43
@nestjs/common	11.1.17	11.1.18
@nestjs/core	11.1.17	11.1.18
h3	1.15.10	1.15.11
@sveltejs/kit	2.55.0	2.56.1
esbuild	0.27.4	0.28.0

Updates @types/node from 25.5.0 to 25.5.2

Commits

• See full diff in compare view

Updates turbo from 2.8.21 to 2.9.4

Release notes

Sourced from turbo's releases.

Turborepo v2.9.4

What's Changed

@​turbo/codemod

• fix: Always update $schema URL to versioned format during migration by @​anthonyshew in vercel/turborepo#12529
• fix: Support turbo.jsonc in codemod transforms by @​anthonyshew in vercel/turborepo#12532
• fix: Preserve prerelease info in schema URL during codemod migration by @​anthonyshew in vercel/turborepo#12542

Examples

• build(deps): Bump @​xmldom/xmldom from 0.8.11 to 0.8.12 in /examples/with-react-native-web by @​dependabot[bot] in vercel/turborepo#12537

Changelog

• feat: Add incremental task caching by @​anthonyshew in vercel/turborepo#12531
• docs: Send siteId as label on feedback GitHub issues by @​molebox in vercel/turborepo#12527
• Replace local ai-agent-detection with @​vercel/agent-readability by @​molebox in vercel/turborepo#12528
• fix: Prevent filterUsingTasks --filter from pulling dependents into Task Graph by @​anthonyshew in vercel/turborepo#12535
• fix: Only enforce signature key length for keys that exist by @​anthonyshew in vercel/turborepo#12538
• fix: Validate engine concurrency after task-level filtering by @​anthonyshew in vercel/turborepo#12540
• feat: Allow --affected and --filter to be combined by @​anthonyshew in vercel/turborepo#12543
• fix(config): Deep-merge nested OTEL config across priority sources by @​bitttttten in vercel/turborepo#12513
• fix: Retain microfrontend proxy tasks when using filterUsingTasks by @​anthonyshew in vercel/turborepo#12545
• fix: Bun workspace lockfile pruning producing invalid output by @​JRoy in vercel/turborepo#12548
• fix: Respect dirty .gitignore patterns during task input hashing by @​anthonyshew in vercel/turborepo#12557

New Contributors

• @​JRoy made their first contribution in vercel/turborepo#12548

Full Changelog: vercel/turborepo@v2.9.3...v2.9.4

Turborepo v2.9.4-canary.8

What's Changed

Changelog

• fix: Bun workspace lockfile pruning producing invalid output by @​JRoy in vercel/turborepo#12548

New Contributors

• @​JRoy made their first contribution in vercel/turborepo#12548

Full Changelog: vercel/turborepo@v2.9.4-canary.7...v2.9.4-canary.8

Turborepo v2.9.4-canary.7

What's Changed

Changelog

• fix(config): Deep-merge nested OTEL config across priority sources by @​bitttttten in vercel/turborepo#12513
• fix: Retain microfrontend proxy tasks when using filterUsingTasks by @​anthonyshew in vercel/turborepo#12545

Full Changelog: vercel/turborepo@v2.9.4-canary.6...v2.9.4-canary.7

... (truncated)

Commits

• 5f7a52c publish 2.9.4 to registry
• 01802b4 release(turborepo): 2.9.4-canary.8 (#12558)
• 1254916 fix: Respect dirty .gitignore patterns during task input hashing (#12557)
• 0346076 fix: Bun workspace lockfile pruning producing invalid output (#12548)
• b7d89a4 release(turborepo): 2.9.4-canary.7 (#12546)
• a4b943e fix: Retain microfrontend proxy tasks when using filterUsingTasks (#12545)
• 0e763f8 release(turborepo): 2.9.4-canary.6 (#12544)
• f214dc8 fix(config): Deep-merge nested OTEL config across priority sources (#12513)
• 98ab3b6 feat: Allow --affected and --filter to be combined (#12543)
• 81b39a5 fix: Preserve prerelease info in schema URL during codemod migration (#12542)
• Additional commits viewable in compare view

Updates @oclif/plugin-help from 6.2.41 to 6.2.43

Release notes

Sourced from @​oclif/plugin-help's releases.

6.2.43

Bug Fixes

• deps: bump lodash from 4.17.23 to 4.18.1 (#1114) (4eec1aa)

6.2.42

Bug Fixes

• deps: bump @​oclif/core from 4.10.3 to 4.10.4 (#1113) (8df7b4f)

Changelog

Sourced from @​oclif/plugin-help's changelog.

6.2.43 (2026-04-05)

Bug Fixes

• deps: bump lodash from 4.17.23 to 4.18.1 (#1114) (4eec1aa)

6.2.42 (2026-04-04)

Bug Fixes

• deps: bump @​oclif/core from 4.10.3 to 4.10.4 (#1113) (8df7b4f)

Commits

• 0df322f chore(release): 6.2.43 [skip ci]
• 4eec1aa fix(deps): bump lodash from 4.17.23 to 4.18.1 (#1114)
• 728c762 chore(dev-deps): bump eslint-config-oclif from 6.0.153 to 6.0.154 (#1112)
• 871a9db chore(release): 6.2.42 [skip ci]
• 8df7b4f fix(deps): bump @​oclif/core from 4.10.3 to 4.10.4 (#1113)
• See full diff in compare view

Updates @nestjs/common from 11.1.17 to 11.1.18

Release notes

Sourced from @​nestjs/common's releases.

v11.1.18 (2026-04-03)

Bug fixes

• microservices
  • #16675 fix(microservices): preserve packet headers in nats serializer (@​wwenrr)
• core
  • #16683 fix(core): prevent injector hang when design:paramtypes is missing (@​Youmoo)
  • #16637 fix(core): dependency injection edge case with moduleref.create (@​JakobStaudinger)
  • nestjs/nest#16686 fix(core): sanitize sse message

Dependencies

• core, platform-express, platform-fastify
  • #16679 fix(deps): update dependency path-to-regexp to v8.4.2 (@​renovate[bot])
• platform-fastify
  • #16623 fix(deps): update dependency fastify to v5.8.4 (@​renovate[bot])
• platform-ws
  • #16618 chore(deps): bump ws from 8.19.0 to 8.20.0 (@​dependabot[bot])
• common
  • #16619 chore(deps): bump file-type from 21.3.3 to 21.3.4 (@​dependabot[bot])

Committers: 6

• Ankit San (@​ankitbelal)
• Jakob Staudinger (@​JakobStaudinger)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Krishna Chaitanya (@​Krishnachaitanyakc)
• MK (@​wwenrr)
• youmoo (@​Youmoo)

Commits

• 3c1cc5f chore(release): publish v11.1.18 release
• a39e345 refactor(common): change console logger helpers to protected
• 34f0f28 chore(deps): bump file-type from 21.3.3 to 21.3.4
• 0e96b0a chore(deps): bump file-type from 21.3.2 to 21.3.3
• 5a05f52 chore: update readme
• See full diff in compare view

Updates @nestjs/core from 11.1.17 to 11.1.18

Release notes

Sourced from @​nestjs/core's releases.

v11.1.18 (2026-04-03)

Bug fixes

• microservices
  • #16675 fix(microservices): preserve packet headers in nats serializer (@​wwenrr)
• core
  • #16683 fix(core): prevent injector hang when design:paramtypes is missing (@​Youmoo)
  • #16637 fix(core): dependency injection edge case with moduleref.create (@​JakobStaudinger)
  • nestjs/nest#16686 fix(core): sanitize sse message

Dependencies

• core, platform-express, platform-fastify
  • #16679 fix(deps): update dependency path-to-regexp to v8.4.2 (@​renovate[bot])
• platform-fastify
  • #16623 fix(deps): update dependency fastify to v5.8.4 (@​renovate[bot])
• platform-ws
  • #16618 chore(deps): bump ws from 8.19.0 to 8.20.0 (@​dependabot[bot])
• common
  • #16619 chore(deps): bump file-type from 21.3.3 to 21.3.4 (@​dependabot[bot])

Committers: 6

• Ankit San (@​ankitbelal)
• Jakob Staudinger (@​JakobStaudinger)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Krishna Chaitanya (@​Krishnachaitanyakc)
• MK (@​wwenrr)
• youmoo (@​Youmoo)

Commits

• 3c1cc5f chore(release): publish v11.1.18 release
• 0f962c7 fix(core): sanitize sse message
• 94aa424 Merge pull request #16679 from nestjs/renovate/path-to-regexp-8.x
• 368691c fix(core): prevent injector hang when design:paramtypes is missing
• 25d4fde fix(deps): update dependency path-to-regexp to v8.4.2
• 5c0b11e fix(deps): update dependency path-to-regexp to v8.4.1
• f7d4460 Merge pull request #16637 from JakobStaudinger/moduleref-create-transient-sco...
• d0a9dc9 fix(deps): update dependency path-to-regexp to v8.4.0
• 4677434 feat(core): export IEntryNestModule type
• 7493b94 fix(core): dependency injection edge case with moduleref.create
• Additional commits viewable in compare view

Updates h3 from 1.15.10 to 1.15.11

Release notes

Sourced from h3's releases.

v1.15.11

compare changes

🏡 Chore

• Update defu to 6.1.6 (6125485)
• Update deps (4998dd8)
• Update cookie-es (d166186)

Changelog

Sourced from h3's changelog.

v1.15.11

compare changes

🏡 Chore

• Update defu to 6.1.6 (6125485)
• Update deps (4998dd8)
• Update cookie-es (d166186)

❤️ Contributors

• Pooya Parsa (@​pi0)

Commits

• 7b9f41f chore(release): v1.15.11
• d166186 chore: update cookie-es
• 4998dd8 chore: update deps
• 6125485 chore: update defu to 6.1.6
• See full diff in compare view

Updates @sveltejs/kit from 2.55.0 to 2.56.1

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.56.1

Patch Changes

• chore: update JSDoc (#15640)

@​sveltejs/kit@​2.56.0

Minor Changes

• breaking: rework client-driven refreshes (#15562)

• breaking: stabilize remote function caching by sorting object keys (#15570)

• breaking: add run() method to queries, disallow awaiting queries outside render (#15533)

• feat: support TypeScript 6.0 (#15595)

• breaking: isolate command-triggered query refresh failures per-query (#15562)

• feat: use hydratable for remote function transport (#15533)

• feat: allow form fields to specify a default value (field.as(type, value)) (#15577)

Patch Changes

• fix: don't request new data when .refresh is called on a query with no cache entry (#15533)

• fix: allow using multiple remote functions within one async derived (#15561)

• fix: avoid false-positive overridden Vite base setting warning when setting a paths.base in svelte.config.js (#15623)

• fix: manage queries in their own $effect.root (#15533)

• fix: avoid inlineDynamicImports deprecation warning when building the service worker with Vite 8 (#15550)

• fix: correctly escape backticks when precomputing CSS (#15593)

• fix: discard obsolete forks before finishing navigation (#15634)

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.56.1

Patch Changes

• chore: update JSDoc (#15640)

2.56.0

Minor Changes

• breaking: rework client-driven refreshes (#15562)

• breaking: stabilize remote function caching by sorting object keys (#15570)

• breaking: add run() method to queries, disallow awaiting queries outside render (#15533)

• feat: support TypeScript 6.0 (#15595)

• breaking: isolate command-triggered query refresh failures per-query (#15562)

• feat: use hydratable for remote function transport (#15533)

• feat: allow form fields to specify a default value (field.as(type, value)) (#15577)

Patch Changes

• fix: don't request new data when .refresh is called on a query with no cache entry (#15533)

• fix: allow using multiple remote functions within one async derived (#15561)

• fix: avoid false-positive overridden Vite base setting warning when setting a paths.base in svelte.config.js (#15623)

• fix: manage queries in their own $effect.root (#15533)

• fix: avoid inlineDynamicImports deprecation warning when building the service worker with Vite 8 (#15550)

• fix: correctly escape backticks when precomputing CSS (#15593)

... (truncated)

Commits

• a22d80a Version Packages (#15641)
• ece6b2e fix: JSDoc link (#15640)
• 0b6bc3b Version Packages (#15552)
• b790c32 fix: discard obsolete forks before finishing navigation (#15634)
• 8cb2b26 fix: docs (#15635)
• 31c7504 breaking: rework client-driven refreshes (#15562)
• 56c921d fix: avoid false-positive overridden base warning when setting paths.base (...
• c2e8f04 feat: TypeScript 6.0 (#15595)
• b1d0d27 chore: remove unused svelte-preprocess dev dependency (#15625)
• 2aa92af feat: improve remote function caching by sorting object keys (#15570)
• Additional commits viewable in compare view

Updates esbuild from 0.27.4 to 0.28.0

Release notes

Sourced from esbuild's releases.

v0.28.0

• Add support for with { type: 'text' } imports (#4435)

  The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

  import string from './example.txt' with { type: 'text' }
  console.log(string)

• Add integrity checks to fallback download path (#4343)

  Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

  This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

• Update the Go compiler from 1.25.7 to 1.26.1

  This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

  • It now uses the new garbage collector that comes with Go 1.26.
  • The Go compiler is now more aggressive with allocating memory on the stack.
  • The executable format that the Go linker uses has undergone several changes.
  • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

  You can read the Go 1.26 release notes for more information.

v0.27.7

• Fix lowering of define semantics for TypeScript parameter properties (#4421)

  The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

  // Original code
  class Foo {
    constructor(public x = 1) {}
    y = 2
  }
  // Old output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  this.x = x;
  __publicField(this, "y", 2);
  }
  x;
  }
  // New output (with --loader=ts --target=es2021)
  class Foo {

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.28.0

• Add support for with { type: 'text' } imports (#4435)

  The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

  import string from './example.txt' with { type: 'text' }
  console.log(string)

• Add integrity checks to fallback download path (#4343)

  Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

  This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

• Update the Go compiler from 1.25.7 to 1.26.1

  This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

  • It now uses the new garbage collector that comes with Go 1.26.
  • The Go compiler is now more aggressive with allocating memory on the stack.
  • The executable format that the Go linker uses has undergone several changes.
  • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

  You can read the Go 1.26 release notes for more information.

0.27.7

• Fix lowering of define semantics for TypeScript parameter properties (#4421)

  The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

  // Original code
  class Foo {
    constructor(public x = 1) {}
    y = 2
  }
  // Old output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  this.x = x;
  __publicField(this, "y", 2);
  }
  x;
  }

... (truncated)

Commits

• 6a794df publish 0.28.0 to npm
• 64ee0ea fix #4435: support with { type: text } imports
• ef65aee fix sort order in snapshots_packagejson.txt
• 1a26a8e try to fix test-old-ts, also shuffle CI tasks
• 556ce6c use '' instead of null to omit build hashes
• 8e675a8 ci: allow missing binary hashes for tests
• 7067763 Reapply "update go 1.25.7 => 1.26.1"
• 39473a9 fix #4343: integrity check for binary download
• 2025c9f publish 0.27.7 to npm
• c6b586e fix typo in Makefile for @esbuild/win32-x64
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
objectstack-play	Ready	Preview, Comment	Apr 6, 2026 2:25am
spec	Ready	Preview, Comment	Apr 6, 2026 2:25am