chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@biomejs/biome (source)	2.4.15 → 2.4.16			devDependencies	patch
@clack/prompts (source)	^1.4.0 → ^1.5.0			devDependencies	minor
@rslib/core (source)	0.21.5 → 0.22.0			devDependencies	minor
@rstest/core (source)	0.10.2 → 0.10.3			devDependencies	patch
eslint (source)	^10.4.0 → ^10.4.1			devDependencies	patch
eslint-plugin-svelte (source)	^3.17.1 → ^3.19.0			devDependencies	minor
node	24.15.0 → 24.16.0			uses-with	minor
pnpm (source)	11.3.0 → 11.5.0			packageManager	minor
rslog	^2.1.1 → ^2.1.2			devDependencies	patch
tinyexec	^1.2.2 → ^1.2.3			devDependencies	patch	1.2.4
typescript-eslint (source)	^8.59.4 → ^8.60.0			devDependencies	minor

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.4.16

Compare Source

Patch Changes

• #​10329 ef764d5 Thanks @​Conaclos! - Fixed an issue where diagnostics showed an incorrect location in Astro files.

• #​10363 50aa415 Thanks @​dyc3! - Fixed HTML formatting for a case where comments could cause the formatter to split up a closing tag, which would cause the resulting HTML to be syntactically invalid.

  Input:

  <span
    ><!-- 1
  --><span>a</span
    ><!-- 2
  --><span>b</span
    ><!-- 3
  --></span>

  Output:

    <span
  	  ><!-- 1
  - --> <span>a</span<!-- 2
  - --> ><span>b</span><!-- 3
  + --><span>a</span><!-- 2
  + --><span>b</span><!-- 3
    --></span
    >

• #​10465 0c718da Thanks @​dfedoryshchev! - Fixed diagnostics emitted by the noUntrustedLicenses rule.

• #​10358 05c2617 Thanks @​dyc3! - Fixed #​10356: biome rage --linter now displays rules enabled through linter domains in the enabled rules list.

• #​10300 950247c Thanks @​dyc3! - Fixed #​10265: Svelte function bindings such as bind:value={get, set} are now parsed more precisely, so noCommaOperator won't emit false positives for that syntax anymore.

• #​9786 e71f584 Thanks @​MeGaNeKoS! - Fixed #​8480: useDestructuring now provides variableDeclarator and assignmentExpression options to control which contexts enforce destructuring, matching ESLint's prefer-destructuring configuration. Both default to {array: true, object: true}. The diagnostic for object destructuring in assignment expressions now instructs users to wrap the assignment in parentheses.

• #​10425 1948b72 Thanks @​sjh9714! - Fixed #​10244: The useOptionalChain rule now detects negated guard inequality chains like !foo || foo.bar !== "x".

• #​10442 001f94f Thanks @​ematipico! - Fixed #​10411: noMisusedPromises no longer causes a stack overflow when a nested function returns an object with shorthand properties that shadow destructured variables from an outer scope.

• #​10318 9b1577f Thanks @​dyc3! - Added support for formatter.trailingCommas in overrides. This option was previously available in the top-level formatter configuration but missing from formatter overrides.

• #​10319 2e37709 Thanks @​dyc3! - Fixed Vue and Svelte formatting for standalone interpolations in inline elements. Biome now preserves existing newlines in cases like:

  - <span> {{ value }} </span>
  + <span>
  +   {{ value }}
  + </span>

• #​10365 0a58eb0 Thanks @​Netail! - Fixed #​10361: noUnusedFunctionParameters now mentions the parameter name in the diagnostic.

• #​10439 df6b867 Thanks @​denbezrukov! - Fixed CSS and SCSS formatting for comments around declaration colons so comments between property names, colons, and values stay at the same boundary as Prettier.

   .selector {
  -  color: /* red, */
  -    blue;
  +  color: /* red, */ blue;
   }

• #​10344 b30208c Thanks @​siketyan! - Fixed #10123: Corrected the noReactNativeDeepImports source rule to point to the proper upstream rule, so users can migrate from the original rule correctly.

• #​10328 b59133f Thanks @​dyc3! - Fixed #​10309: Biome no longer adds newlines to Astro frontmatter when linter or assist --write mode is enabled.

bombshell-dev/clack (@​clack/prompts)

v1.5.0

Compare Source

Minor Changes

• #​543 83428ac Thanks @​florian-lefebvre! - Adds support for Standard Schema validation

  Prompts accept an optional validate() function to validate user input. While a function provides more flexibility and customization over your validation, it can be a bit verbose. To help solve this, there are libraries that provide schema-based validation to make shorthand and type-strict validation substantially easier.

  Libraries following the Standard Schema specification are now natively supported. For example, using Arktype:

  import { text } from '@​clack/prompts';
  import { type } from 'arktype';
  
  const name = await text({
  	message: 'Enter your email',
  +	validate: type('string.email').describe('Invalid email'),
  });

Patch Changes

• #​542 adb6af9 Thanks @​ghostdevv! - docs: add jsdoc for box, group, and group-multi-select

• #​534 3dcb31a Thanks @​MattStypa! - Fixed spaces and uppercase characters in multiline prompt

• #​540 3170ed9 Thanks @​ghostdevv! - docs: add jsdoc for autocomplete, confirm, and path prompts

• Updated dependencies [83428ac, 3dcb31a]:

  • @​clack/core@​1.4.0

web-infra-dev/rslib (@​rslib/core)

v0.22.0

Compare Source

Highlights

Isolated Declaration Generation

Rslib now supports generating declaration files with the experimental dts.isolated option, powered by Rspack's built-in SWC fast_dts capability.

dts.isolated emits declaration files directly during the build without running a full type check, making declaration generation significantly faster.

This makes it a good fit for monorepo projects that use a separate high-performance type-checking workflow, such as rslint --type-check.

export default {
  lib: [
    {
      dts: {
        isolated: true,
      },
    },
  ],
};

More details: dts.isolated

What's Changed

New Features 🎉

• feat(dts): support isolated declaration emit by @​Timeless0911 in #​1664
• feat(create-rslib): add svelte template and related-doc by @​elecmonkey in #​1653

Performance 🚀

• perf(cli): remove process title startup overhead by @​chenjiahan in #​1649

Bug Fixes 🐞

• fix(dts): preserve explicit module extensions by @​Timeless0911 in #​1648
• fix(create-rslib): use js config for esm templates by @​Timeless0911 in #​1655

Document 📖

• docs: fix vue footer dts anchor by @​elecmonkey in #​1654
• docs: fix rsbuild assetsInclude badge by @​chenjiahan in #​1658
• docs: fix stale Rsbuild doc links by @​elecmonkey in #​1659
• docs: add acknowledgment for tsdown inspiration by @​chenjiahan in #​1665
• docs: update README credits by @​Timeless0911 in #​1668
• docs: clarify dts bundle limitations by @​Timeless0911 in #​1669
• docs: update Tailwind CSS v4 integration by @​elecmonkey in #​1671

Other Changes

• chore: exclude rsbuild-plugin-dts from release age by @​Timeless0911 in #​1647
• chore(deps): update all non-major dependencies by @​renovate[bot] in #​1651
• chore: harden GitHub Actions permissions by @​Timeless0911 in #​1656
• ci: allow ecosystem CI commit comments by @​Timeless0911 in #​1657
• chore(deps): update rsbuild 2.0.7 by @​Timeless0911 in #​1660
• chore: restore Renovate workspace scanning by @​Timeless0911 in #​1662
• chore: update draft release notes skill by @​Timeless0911 in #​1663
• chore(deps): update dependency @​rsbuild/plugin-stylus to v2 by @​renovate[bot] in #​1667
• chore(deps): update rstackjs/rstack-ecosystem-ci digest to a3cd90c by @​renovate[bot] in #​1666
• chore(deps): update all non-major dependencies by @​renovate[bot] in #​1661
• test: cover Tailwind CSS plugin by @​elecmonkey in #​1670
• chore(deps): upgrade pnpm to v11 by @​Timeless0911 in #​1674
• chore(vscode): sort TypeScript imports on save by @​Timeless0911 in #​1675
• chore(deps): upgrade rsbuild to 2.0.8 by @​Timeless0911 in #​1676
• chore(deps): update dependency rsbuild-plugin-workspace-dev to v1 by @​renovate[bot] in #​1679
• chore(deps): update all non-major dependencies by @​renovate[bot] in #​1677
• chore: update workspace dependency policies by @​Timeless0911 in #​1680
• release: v0.22.0 by @​Timeless0911 in #​1681

Full Changelog: web-infra-dev/rslib@v0.21.5...v0.22.0

web-infra-dev/rstest (@​rstest/core)

v0.10.3

Compare Source

What's Changed

New Features 🎉

• feat(core): add --coverage.reporters CLI flag by @​fi3ework in #​1335
• feat(core): support TestOptions as third arg of test/it by @​9aoy in #​1324
• feat(core): add @​rstest/core/api programmatic runner by @​9aoy in #​1320
• feat(core): support scoped utility cleanup by @​fi3ework in #​1339
• feat(core): support more coverage CLI options by @​9aoy in #​1336

Performance 🚀

• perf(coverage): speed up coverage map merges by @​9aoy in #​1319

Bug Fixes 🐞

• fix(cli): support filter args after coverage by @​kwonoj in #​1325
• fix(deps): restore rspack peer ranges by @​9aoy in #​1334
• fix(core): round duration before minute formatting by @​9aoy in #​1333
• fix(core): avoid cloning URL objects in ESM resolution by @​9aoy in #​1338
• fix(core): resolve require.resolve from source module by @​9aoy in #​1322

Refactor 🔨

• refactor(core): use interface for TestContext and SuiteContext by @​9aoy in #​1323
• refactor(core): simplify mock runtime plugin by @​9aoy in #​1342

Document 📖

• docs: add rstest debugging skill links by @​9aoy in #​1315
• docs: prefer rs runtime utility examples by @​chenjiahan in #​1314
• docs: clarify pool parallelism guidance by @​9aoy in #​1317
• docs: split console config group by @​9aoy in #​1318
• docs(config): document CLI flags for pool and coverage.reporters by @​9aoy in #​1337

Other Changes

• chore(deps): update all non-major dependencies by @​renovate in #​1302
• chore(deps): upgrade transitive deps for CVE remediation [security] by @​fi3ework in #​1316
• ci(preview): post pkg.pr.new install URLs back to the dispatched PR by @​fi3ework in #​1330
• chore(deps): pin rsbuild and rspack minors by @​9aoy in #​1331
• chore(deps): update all non-major dependencies by @​renovate in #​1340
• chore(deps): update dependency tinybench to v6 by @​renovate in #​1303
• test: update cjs v8 coverage expectations by @​9aoy in #​1341
• release: 0.10.3 by @​9aoy in #​1347

Full Changelog: web-infra-dev/rstest@v0.10.2...v0.10.3

eslint/eslint (eslint)

v10.4.1

Compare Source

sveltejs/eslint-plugin-svelte (eslint-plugin-svelte)

v3.19.0

Compare Source

Minor Changes

• #​1533 f0416be Thanks @​dummdidumm! - feat: support Svelte 5 declaration tags

• #​1533 f0416be Thanks @​dummdidumm! - feat: update svelte-eslint-parser to 1.7.0

v3.18.0

Compare Source

Minor Changes

• #​1530 f110d75 Thanks @​SAY-5! - feat: add no-nested-style-tag rule

• #​1531 d3043d3 Thanks @​SAY-5! - feat: add prefer-derived-over-derived-by rule

• #​1532 aa8fe83 Thanks @​marekdedic! - feat(no-navigation-without-resolve): recognizing nullish TS types as allowed

actions/node-versions (node)

v24.16.0: 24.16.0

Compare Source

Node.js 24.16.0

pnpm/pnpm (pnpm)

v11.5.0

Compare Source

Minor Changes

• Added a new hoistingLimits setting for nodeLinker: hoisted installs, mirroring yarn's nmHoistingLimits. It accepts none (the default — hoist as far as possible), workspaces (hoist only as far as each workspace package), or dependencies (hoist only up to each workspace package's direct dependencies). Originally proposed in #​6468, closing #​6457.

• Replaced enquirer with @inquirer/prompts for all interactive prompts. Fixes the update -i scrolling overflow bug where long choice lists were clipped in the terminal #​6643.

  User-facing changes:

  • pnpm update -i / pnpm update -i --latest: Scrolling now works correctly when many packages are available; the new library uses visual-line-aware pagination via usePagination
  • pnpm audit --fix -i: Same scrolling fix for vulnerability selection
  • pnpm approve-builds: Interactive build approval prompts updated
  • pnpm patch: Version selection and "apply to all" prompts updated
  • pnpm patch-remove: Patch removal selection updated
  • pnpm publish: Branch confirmation prompt updated
  • pnpm login: Credential prompts updated
  • pnpm run / pnpm exec (with verifyDepsBeforeRun=prompt): Confirmation prompt updated

  Vim-style j/k keys still work for up/down navigation in all interactive prompts.

  Internal: The OtpEnquirer and LoginEnquirer DI interfaces changed from { prompt } to { input } / { input, password } respectively. Plugins or custom builds that inject their own enquirer mock will need to update.

• Staged publishes are now recognized in the trust scale. When a package version's registry metadata carries an approver field, it is treated as the strongest trust evidence (ranked above trusted publishers and provenance attestations), since staged publishes require 2FA publish approvals. This prevents false-positive trust downgrade errors when moving from a staged publish to a lower trust level #​11887.

Patch Changes

• Fix pnpm hanging during peer resolution when an aliased install pulls in transitive packages with mutual peer cycles at different depths in the dependency tree (for example, pnpm i nuxt@npm:nuxt-nightly@5x). Cycles whose members hit the findHit cache instead of running their own calculateDepPath are now short-circuited by sibling resolutions at the level where the cycle is detected, so the cached path promises no longer deadlock. #​11999.

• Fix pnpm dist-tag add and pnpm dist-tag rm against npmjs.org failing without --otp with [ERR_PNPM_UNAUTHORIZED] You must be logged in to set dist-tag … "You must provide a one-time pass. Upgrade your client to npm@latest in order to use 2FA.". pnpm now sends npm-auth-type: web on dist-tag writes and surfaces the resulting OTP challenge through the existing browser-based 2FA flow (the same withOtpHandling helper used by pnpm publish), so the browser opens, the user authenticates, and the dist-tag is set on retry. --otp=<code> continues to work via the classic flow.

• Fix minimumReleaseAgeExclude handling in npm resolution fast paths so excluded packages do not get pinned to stale versions. Excludes are honored consistently during publishedBy metadata selection and cache-mtime shortcuts.

• Fix the integrity field being dropped from the lockfile entry of a remote (non-registry) https-tarball dependency when an unrelated package is installed afterwards. URL/tarball resolvers do not return an integrity (it is only known after the tarball is downloaded), so when such a dependency was reused from the lockfile without being re-fetched, its integrity was lost. It is now carried over from the existing resolution. With pnpm's lockfile-integrity hardening, the missing integrity made subsequent --frozen-lockfile installs fail with ERR_PNPM_MISSING_TARBALL_INTEGRITY. #​12001.

• Skip dependency re-resolution when pnpm-lock.yaml is missing but node_modules/.pnpm/lock.yaml exists and still satisfies the manifest. pnpm install now reuses the materialized snapshot to regenerate pnpm-lock.yaml instead of walking the registry to rebuild it from scratch, turning the cache+node_modules variation into a near-no-op for users who deleted the lockfile but kept the install #​11993.

  --frozen-lockfile still refuses to proceed when pnpm-lock.yaml is absent — the regenerated lockfile must be committed, so failing loudly is the correct behavior for CI.

v11.4.0

Compare Source

Minor Changes

• Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.

  pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.

  The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.

  --force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

• pnpm runtime set <name> <version> now saves the runtime to devEngines.runtime by default instead of engines.runtime. Pass --save-prod (or -P) to save it to engines.runtime instead #​11948.

Patch Changes

• Fix a credential disclosure issue where an unscoped _authToken (or _auth, or username + _password, or tokenHelper) defined in one source — ~/.npmrc, ~/.config/pnpm/auth.ini, a workspace .npmrc, CLI flags, etc. — would be sent as an Authorization header to whichever registry a different (potentially untrusted) source named. The same fix extends to client TLS credentials (cert, key) so they aren't presented to a registry their author didn't choose.

  pnpm now rewrites each unscoped per-registry setting (_authToken, _auth, username, _password, tokenHelper, cert, key) to its URL-scoped form at load time, using the registry= value declared in the same source (or the npmjs default registry if the source declares none). A later layer overriding registry= therefore cannot pull an unscoped credential along, because it is already pinned to the URL its author intended. ca/cafile are intentionally not rescoped — they're trust anchors, not credentials, and corporate MITM-proxy setups rely on them applying globally.

  Every rescope emits a deprecation warning telling the user where the setting was pinned and how to write it directly. npm has rejected unscoped credentials outright since npm@9, and pnpm intends to remove support in a future major release. To target a specific registry, write the setting URL-scoped (e.g. //registry.example.com/:_authToken=... or //registry.example.com/:cert=...).

  @pnpm/network.auth-header: removed the defaultRegistry parameter from createGetAuthHeaderByURI and getAuthHeadersFromCreds. Now that credentials are URL-scoped at load time, the merged configByUri never contains the empty-string "default registry" placeholder slot, so re-keying it onto the merged default registry is no longer needed.

• Fix pnpm deploy crashing with ENOENT: ... lstat '<deployDir>/node_modules' when configDependencies declares pacquet (pacquet or @pnpm/pacquet). The deploy directory never installs config dependencies, so the install engine they designate isn't on disk to invoke; the nested install now skips them.

• Reject git resolutions whose commit field is not a 40-character hexadecimal SHA before invoking git. A malicious lockfile could otherwise smuggle a value such as --upload-pack=<command> through git fetch / git checkout, which on SSH or local-file transports executes the supplied command.

• Limit concurrent project manifest reads while listing large workspaces to avoid EMFILE errors.

• Reject patch files whose diff --git headers reference paths outside the patched package directory. Previously a malicious .patch file added via a pull request could write, delete, or rename arbitrary files reachable by the user running pnpm install.

• Improve the log message that pnpm prints after auto-adding entries to minimumReleaseAgeExclude when minimumReleaseAge is set without minimumReleaseAgeStrict. The message previously referred to the internal "loose mode" terminology, which wasn't searchable in the docs; it now tells the user to set minimumReleaseAgeStrict to true if they want these updates gated behind a prompt instead #​11747.

• Reject dependency aliases that contain path-traversal segments (such as @x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them into node_modules. A malicious registry package could otherwise use a transitive dependency key to make pnpm install create symlinks at attacker-chosen paths outside the intended node_modules directory.

• Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

• Validate devEngines.runtime and engines.runtime version ranges for node, deno, and bun when onFail is set to error or warn. Previously these settings only had an effect with onFail: 'download' — the error and warn modes silently did nothing #​11818. Violations now throw ERR_PNPM_BAD_RUNTIME_VERSION.

• Require provenance before treating trusted publisher metadata as the strongest trust evidence.

rstackjs/rslog (rslog)

v2.1.2

Compare Source

tinylibs/tinyexec (tinyexec)

v1.2.3

Compare Source

What's Changed

• chore(deps-dev): bump the development-dependencies group with 4 updates by @​dependabot[bot] in #​135
• fix: destroy piped streams on child exit to prevent grandchild deadlock by @​Mearman in #​137

New Contributors

• @​Mearman made their first contribution in #​137

Full Changelog: tinylibs/tinyexec@1.2.2...1.2.3

typescript-eslint/typescript-eslint (typescript-eslint)

v8.60.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

---

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

• Branch creation
  • Between 12:00 AM and 03:59 AM, on day 1 and 15 of the month (* 0-3 1,15 * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.