chore(deps-dev): bump the dev-deps group across 1 directory with 11 updates

[dependabot]

Bumps the dev-deps group with 11 updates in the / directory:

Package	From	To
@biomejs/biome	2.4.4	2.4.6
@changesets/changelog-github	0.5.2	0.6.0
@changesets/cli	2.29.8	2.30.0
@cloudflare/vitest-pool-workers	0.12.17	0.12.20
@cloudflare/workers-types	4.20260303.0	4.20260307.1
@types/node	25.3.0	25.3.5
@vitest/coverage-istanbul	3.2.4	4.0.18
hono	4.12.2	4.12.5
itty-router	5.0.22	5.0.23
pkg-pr-new	0.0.63	0.0.65
wrangler	4.68.1	4.71.0

Updates @biomejs/biome from 2.4.4 to 2.4.6

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.6

2.4.6

Patch Changes

• #9305 40869b5 Thanks @​ematipico! - Fixed #4946: noUnreachable no longer reports code inside finally blocks as unreachable when there is a break, continue, or return in the corresponding try body.

• #9303 464910c Thanks @​ematipico! - Fixed #2786: The formatter no longer produces different output on subsequent runs when a case clause has a trailing line comment followed by a single block statement.

• #9324 6294aa2 Thanks @​arendjr! - Fixed [#7730](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome/issues/7730): useAnchorContent now recognises SolidJS's innerHTML the same way as React's dangerouslySetInnerHTML.

• #9298 1003229 Thanks @​Netail! - Fixed [#9296](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome/issues/9296), so comments are moved along with the attributes in the useSortedAttributes assist rule code fix.

• #9329 855b451 Thanks @​dyc3! - Improved performance of noEmptyBlockStatements. The rule is now smarter about short-circuiting its logic.

• #9326 85dfe9b Thanks @​dyc3! - Improved performance for noImportCycles by explicitly excluding node_modules from the cycle detection. The performance improvement is directly proportional to how big your dependency tree is.

• #9323 d5ee469 Thanks @​ematipico! - Fixed #9217 and biomejs/biome-vscode#959, where the Biome language server didn't correctly resolve the editor setting configurationPath when the provided value is a relative path.

• #9302 86fbc70 Thanks @​sepagian! - Fixed #9300: Lowercase component member expressions like <form.Field> in Svelte and Astro files are now correctly formatted.

  -<form .Field></form.Field>
  +<form.Field></form.Field>

What's Changed

• fix(js_analyze): move comments with useSortedAttributes action by @​Netail in biomejs/biome#9298
• fix(formatter): switch case comments by @​ematipico in biomejs/biome#9303
• refactor(markdown-parser): promote list structural tokens from skipped trivia to explicit CST nodes by @​jfmcdowell in biomejs/biome#9274
• fix(noUnreachable): handle dead implicit jumps in finally by @​ematipico in biomejs/biome#9305
• refactor(markdown-parser): align newline/prescan paragraph-break checks by @​jfmcdowell in biomejs/biome#9197
• refactor(markdown-parser): promote blank lines between list items to MdNewline nodes by @​jfmcdowell in biomejs/biome#9313
• fix(linter): support SolidJS's innerHTML in useAnchorContent by @​arendjr in biomejs/biome#9324
• fix(lsp): correctly resolve configurationPath by @​ematipico in biomejs/biome#9323
• perf(noImportCycles): exclude node_modules from cycle detection by @​dyc3 in biomejs/biome#9326
• refactor(css_parser): split function parser into modules by @​denbezrukov in biomejs/biome#9325
• refactor(markdown-parser): promote fenced code block skipped trivia to explicit CST nodes by @​jfmcdowell in biomejs/biome#9321
• refactor(css): rename operator_token field to operator by @​denbezrukov in biomejs/biome#9327
• perf: add .skip(1) to .ancestors() calls in a bunch of places by @​dyc3 in biomejs/biome#9330
• perf(noEmptyBlockStatements): short circuit to avoid traversing descendants for comments by @​dyc3 in biomejs/biome#9329
• fix: lowercase component member expressions in Astro/Svelte by @​sepagian in biomejs/biome#9302
• chore: align parser options struct name by @​Netail in biomejs/biome#9332
• feat(css): use ScssExpression in ScssNestingDeclaration and CssGenericProperty by @​denbezrukov in biomejs/biome#9328
• refactor(css): align scss expression node variants by @​denbezrukov in biomejs/biome#9340
• feat(css): use expression in page by @​denbezrukov in biomejs/biome#9342
• ci: release by @​github-actions[bot] in biomejs/biome#9301

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.6

Patch Changes

• #9305 40869b5 Thanks @​ematipico! - Fixed #4946: noUnreachable no longer reports code inside finally blocks as unreachable when there is a break, continue, or return in the corresponding try body.

• #9303 464910c Thanks @​ematipico! - Fixed #2786: The formatter no longer produces different output on subsequent runs when a case clause has a trailing line comment followed by a single block statement.

• #9324 6294aa2 Thanks @​arendjr! - Fixed [#7730](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome/issues/7730): useAnchorContent now recognises SolidJS's innerHTML the same way as React's dangerouslySetInnerHTML.

• #9298 1003229 Thanks @​Netail! - Fixed [#9296](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome/issues/9296), so comments are moved along with the attributes in the useSortedAttributes assist rule code fix.

• #9329 855b451 Thanks @​dyc3! - Improved performance of noEmptyBlockStatements. The rule is now smarter about short-circuiting its logic.

• #9326 85dfe9b Thanks @​dyc3! - Improved performance for noImportCycles by explicitly excluding node_modules from the cycle detection. The performance improvement is directly proportional to how big your dependency tree is.

• #9323 d5ee469 Thanks @​ematipico! - Fixed #9217 and biomejs/biome-vscode#959, where the Biome language server didn't correctly resolve the editor setting configurationPath when the provided value is a relative path.

• #9302 86fbc70 Thanks @​sepagian! - Fixed #9300: Lowercase component member expressions like <form.Field> in Svelte and Astro files are now correctly formatted.

  -<form .Field></form.Field>
  +<form.Field></form.Field>

2.4.5

Patch Changes

• #9185 e43e730 Thanks @​dyc3! - Added the nursery rule useVueScopedStyles for Vue SFCs. This rule enforces that <style> blocks have the scoped attribute (or module for CSS Modules), preventing style leakage and conflicts between components.

• #9184 49c8fde Thanks @​chocky335! - Improved plugin performance by batching all plugins into a single syntax visitor with a kind-to-plugin lookup map, reducing per-node dispatch overhead from O(N) to O(1) where N is the number of plugins.

• #9283 071c700 Thanks @​dyc3! - Fixed noUndeclaredVariables erroneously flagging functions and variables defined in the <script setup> section of Vue SFCs.

• #9221 4612133 Thanks @​ematipico! - Fixed an issue where the JSON reporter didn't contain the duration of the command.

• #9294 1805c8f Thanks @​Netail! - Extra rule source reference. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #9178 101b3bb Thanks @​Bertie690! - Fixed #9172 and #9168: Biome now considers more constructs as valid test assertions.

  Previously, assert, expectTypeOf and assertType were not recognized as valid assertions by Biome's linting rules, producing false positives in lint/nursery/useExpect and other similar rules.

  Now, these rules will no longer produce errors in test cases that used these constructs instead of expect:

  import { expectTypeOf, assert, assertType } from "vitest";

... (truncated)

Commits

• cabc56c ci: release (#9301)
• 3bc07ab ci: release (#9188)
• 6b01778 feat(linter): add useUnicodeRegex rule (#8773)
• e43e730 feat(lint/html): add useVueScopedStyles (#9185)
• edf8bb6 feat(lint): add ||= to ??= detection in useNullishCoalescing (#9257)
• 9bbdf4d feat(lint): add nursery rule useNamedCaptureGroup (#9048)
• 1f2fe2e feat: prefer-array-some from eslint-plugin-unicorn (#9056)
• 1d2ca15 feat(lint): add useNullishCoalescing nursery rule (#8952)
• 101b3bb fix(lint): consider more constructs as valid test assertions (#9178)
• 3d0648f feat(biome_js_analyze): implement noVueRefAsOperand (#9063)
• See full diff in compare view

Updates @changesets/changelog-github from 0.5.2 to 0.6.0

Release notes

Sourced from @​changesets/changelog-github's releases.

@​changesets/changelog-github@​0.6.0

Minor Changes

• #1850 fd0bc2e Thanks @​mixelburg! - Linkify issue references in changelog entries.

Patch Changes

• #1810 27fd8f4 Thanks @​hirasso! - Replace deprecated String.prototype.trimRight with String.prototype.trimEnd

• Updated dependencies [d4b8ad8, e462d89]:

  • @​changesets/get-github-info@​0.8.0

Commits

• 3ab4d89 Version Packages (#1817)
• 1772598 Fix changelog entry insertion when no package title is present in the `CHANGE...
• 6df3a5e Allow versioned private packages to depend on skipped packages without requir...
• 2a73025 Fix confusing 'Question-2' prompt label when using external editor (#1857)
• 667fe5a Support ESM for custom changelog and commit options (#1774)
• e462d89 Add scopes automatically in the GitHub new token link in the printed error me...
• 503fcaa Support absolute paths in status output flag (#1776)
• d4b8ad8 Improve error messages when fetching from GitHub api (#1781)
• ece0376 Improve baseBranch docs (#1778)
• 0e8e01e Allow Changesets to be executed from non-root directories (#1806)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​changesets/changelog-github since your current version.

Updates @changesets/cli from 2.29.8 to 2.30.0

Release notes

Sourced from @​changesets/cli's releases.

@​changesets/cli@​2.30.0

Minor Changes

• #1840 057cca2 Thanks @​wotan-allfather! - Add --since flag to add command

  The add command now supports a --since flag that allows you to specify which branch, tag, or git ref to use when detecting changed packages. This is useful for gitflow workflows where you have multiple target branches and the baseBranch config option doesn't cover all use cases.

  Example: changeset add --since=develop

  If not provided, the command falls back to the baseBranch value in your .changeset/config.json.

• #1845 2b4a66a Thanks @​Andarist! - Delegate OTP prompting to the package manager instead of handling it in-process. This allows Changesets to use the package manager's native web auth support.

• #1774 667fe5a Thanks @​bluwy! - Support importing custom commit option ES module. Previously, it used require() which only worked for CJS modules, however now it uses import() which supports both CJS and ES modules.

• #1839 73b1809 Thanks @​leochiu-a! - Add a --message (-m) flag to changeset add (and default changeset) so the changeset summary can be provided from the command line. When --message is present, the summary prompt is skipped while the final confirmation step is kept.

• #1806 0e8e01e Thanks @​luisadame! - Changeset CLI can now be run from the nested directories in the project, where the .changeset directory has to be found in one of the parent directories

Patch Changes

• #1849 9dc3230 Thanks @​Andarist! - Compute the terminal's size lazily to avoid spurious stderr output in non-interactive mode

• #1857 2a73025 Thanks @​mixelburg! - Fix confusing prompt labels when entering changeset summary after external editor fallback

• #1842 6df3a5e Thanks @​RodrigoHamuy! - Allow private packages to depend on skipped packages without requiring them to also be skipped. Private packages are not published to npm, so it is safe for them to have dependencies on ignored or unversioned packages.

• #1776 503fcaa Thanks @​bluwy! - Support absolute paths in changeset status --output <path>

• Updated dependencies [667fe5a, 1772598, b6f4c74, 6df3a5e, 6df3a5e, 27fd8f4]:

  • @​changesets/apply-release-plan@​7.1.0
  • @​changesets/config@​3.1.3
  • @​changesets/get-release-plan@​4.0.15
  • @​changesets/read@​0.6.7

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​changesets/cli since your current version.

Updates @cloudflare/vitest-pool-workers from 0.12.17 to 0.12.20

Release notes

Sourced from @​cloudflare/vitest-pool-workers's releases.

@​cloudflare/vitest-pool-workers@​0.12.20

Patch Changes

• Updated dependencies [ec2459e]:
  • [email protected]
  • [email protected]

@​cloudflare/vitest-pool-workers@​0.12.19

Patch Changes

• #12682 b5b91c9 Thanks @​hiendv! - Fix resource leak where remote proxy sessions were not disposed during pool shutdown, causing vitest processes to hang.

• Updated dependencies [6a8aa5f, d672e2e, 35b2c56, 5f7aaf2, 209b396, 23a365a, 596b8a0, 00e729e, 0769056, 150ef7b, bf9cb3d]:

  • [email protected]
  • [email protected]

@​cloudflare/vitest-pool-workers@​0.12.18

Patch Changes

• Updated dependencies [99037e3, 295297a, f765244, c0e9e08]:
  • [email protected]
  • [email protected]

Changelog

Sourced from @​cloudflare/vitest-pool-workers's changelog.

0.12.20

Patch Changes

• Updated dependencies [ec2459e]:
  • [email protected]
  • [email protected]

0.12.19

Patch Changes

• #12682 b5b91c9 Thanks @​hiendv! - Fix resource leak where remote proxy sessions were not disposed during pool shutdown, causing vitest processes to hang.

• Updated dependencies [6a8aa5f, d672e2e, 35b2c56, 5f7aaf2, 209b396, 23a365a, 596b8a0, 00e729e, 0769056, 150ef7b, bf9cb3d]:

  • [email protected]
  • [email protected]

0.12.18

Patch Changes

• Updated dependencies [99037e3, 295297a, f765244, c0e9e08]:
  • [email protected]
  • [email protected]

Commits

• 9dff00c Version Packages (#12748)
• ea57dfd Version Packages (#12702)
• 35b2c56 containers: Add container and test Containers interceptOutboundHttp (#12649)
• b5b91c9 fix(vitest-pool-workers): dispose remote proxy sessions on pool close (#12682)
• 414799d Version Packages (#12670)
• See full diff in compare view

Updates @cloudflare/workers-types from 4.20260303.0 to 4.20260307.1

Commits

• See full diff in compare view

Updates @types/node from 25.3.0 to 25.3.5

Commits

• See full diff in compare view

Updates @vitest/coverage-istanbul from 3.2.4 to 4.0.18

Release notes

Sourced from @​vitest/coverage-istanbul's releases.

v4.0.18

   🚀 Experimental Features

• experimental: Add onModuleRunner hook to worker.init  -  by @​sheremet-va in vitest-dev/vitest#9286 (ea837)

   🐞 Bug Fixes

• Use meta.url in createRequire  -  by @​sheremet-va in vitest-dev/vitest#9441 (e0572)
• browser: Hide injected data-testid attributes  -  by @​sheremet-va in vitest-dev/vitest#9503 (f8989)
• ui: Process artifact attachments when generating HTML reporter  -  by @​macarie in vitest-dev/vitest#9472 (22543)

    View changes on GitHub

v4.0.17

   🚀 Experimental Features

• Support openTelemetry for browser mode  -  by @​hi-ogawa in vitest-dev/vitest#9180 (1ec3a)
• Support TRACEPARENT and TRACESTATE environment variables for OpenTelemetry context propagation  -  by @​Copilot, hi-ogawa and @​hi-ogawa in vitest-dev/vitest#9295 (876cb)

   🐞 Bug Fixes

• Improve asymmetric matcher diff readability by unwrapping container matchers  -  by @​Copilot, sheremet-va, hi-ogawa and @​hi-ogawa in vitest-dev/vitest#9330 (b2ec7)
• Improve runner error when importing outside of test context  -  by @​sheremet-va in vitest-dev/vitest#9335 (2dd3d)
• Replace crypto.randomUUID to allow insecure environments (fix #9…  -  by @​plusgut in vitest-dev/vitest#9339 and vitest-dev/vitest#9 (e6a3f)
• Handle null options in addEventHandler #9371  -  by @​ThibautMarechal in vitest-dev/vitest#9372 and vitest-dev/vitest#9371 (40841)
• Typo in browser.provider error  -  by @​deammer in vitest-dev/vitest#9394 (4b67f)
• browser:
  • Fix process.env and import.meta.env defines in inline project  -  by @​hi-ogawa in vitest-dev/vitest#9239 (b70c9)
  • Fix upload File instance  -  by @​hi-ogawa in vitest-dev/vitest#9294 (b6778)
  • Fix invalid project token for artifacts assets  -  by @​hi-ogawa in vitest-dev/vitest#9321 (caa7d)
  • Log ErrorEvent.message when unhandled ErrorEvent.error is null  -  by @​hi-ogawa in vitest-dev/vitest#9322 (5d84e)
  • Support fileParallelism on an instance  -  by @​sheremet-va in vitest-dev/vitest#9328 (15006)
• coverage:
  • Remove unnecessary istanbul-lib-source-maps usage  -  by @​AriPerkkio in vitest-dev/vitest#9344 (b0940)
  • Apply patch from istanbuljs/istanbuljs#837  -  by @​AriPerkkio and sapphi-red in vitest-dev/vitest#9413 and vitest-dev/vitest#837 (e05ce)
• fsModuleCache:
  • Don't store importers in cache  -  by @​sheremet-va in vitest-dev/vitest#9422 (75136)
  • Add importers alongside importedModules  -  by @​sheremet-va in vitest-dev/vitest#9423 (59f92)
• mocker:
  • Fix mock transform with class  -  by @​hi-ogawa in vitest-dev/vitest#9421 (d390e)
• pool:
  • Validate environment options when reusing the worker  -  by @​sheremet-va in vitest-dev/vitest#9349 (a8a88)
  • Handle worker start failures gracefully  -  by @​AriPerkkio in vitest-dev/vitest#9337 (200da)
• reporter:
  • Report test module if it failed to run  -  by @​sheremet-va in vitest-dev/vitest#9272 (c7888)
• runner:
  • Respect nested test.only within describe.only  -  by @​Ujjwaljain16 in vitest-dev/vitest#9021 and vitest-dev/vitest#9213 (55d5d)
• typecheck:
  • Improve error message when tsc outputs help text  -  by @​Ujjwaljain16 in vitest-dev/vitest#9214 (7b10a)
• ui:

... (truncated)

Commits

• 4d3e3c6 chore: release v4.0.18
• dd54e94 chore: release v4.0.17
• e05cedb fix(coverage): apply patch from istanbuljs/istanbuljs#837 (#9413)
• b46d744 chore: release v4.0.16
• 372e86f fix(coverage): istanbul untested files source maps are off (#9208)
• eb1abf0 chore: release v4.0.15
• e4ca917 fix(coverage): istanbul provider to not break source maps (#9040)
• 9ca74cf chore: release v4.0.14
• 6f22c67 fix(coverage): invalidate circular modules correctly on rerun with coverage (...
• acc5152 perf: replace debug with obug (#9057)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​vitest/coverage-istanbul since your current version.

Updates hono from 4.12.2 to 4.12.5

Release notes

Sourced from hono's releases.

v4.12.5

What's Changed

• fix(request): return string | undefined from param() when path type is any by @​andrewdamelio in honojs/hono#4723
• fix(jwt): validate token format in decode and decodeHeader functions by @​otoneko1102 in honojs/hono#4752
• fix(jsx): Fix "Invalid state: Controller is already closed" by @​gaearon in honojs/hono#4770
• chore(eslint): upgrade @hono/eslint-config by @​BarryThePenguin in honojs/hono#4781

New Contributors

• @​andrewdamelio made their first contribution in honojs/hono#4723
• @​otoneko1102 made their first contribution in honojs/hono#4752
• @​gaearon made their first contribution in honojs/hono#4770

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

Middleware Bypass in Serve Static

Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. GHSA-q5qw-h33p-qvwr

Users who uses Strreaming Helper, Cookie utility, and Serve Static are strongly encouraged to upgrade to this version.

---

Other changes

• fix(client): preserve route schema in ApplyGlobalResponse by @​agumy in honojs/hono#4777
• fix(utils/url): specify the return type of tryDecodeURI by @​yusukebe in honojs/hono#4779

New Contributors

• @​agumy made their first contribution in honojs/hono#4777

Full Changelog: honojs/hono@v4.12.3...v4.12.4

v4.12.3

What's Changed

• fix(validator): prevent type diff bug in form data parsing by @​EdamAme-x in honojs/hono#4753
• fix(jwt): use Math.floor instead of bitwise OR for safe timestamp by @​EdamAme-x in honojs/hono#4754
• fix(jwt): fix JwtVariables for ContextVariableMap by @​yusukebe in honojs/hono#4764

... (truncated)

Commits

• 18cc595 4.12.5
• 5d59ac7 chore(eslint): upgrade @hono/eslint-config (#4781)
• b8cff18 fix(jsx): Fix "Invalid state: Controller is already closed" (#4770)
• 8c4d7f3 fix(jwt): validate token format in decode and decodeHeader functions (#4752)
• 0f49915 fix(request): return string | undefined from param() when path type is any ...
• 19d20d2 4.12.4
• 44ae0c8 Merge commit from fork
• f4123ed Merge commit from fork
• 80a9837 fix(utils/url): specify the return type of tryDecodeURI (#4779)
• 6a0607a Merge commit from fork
• Additional commits viewable in compare view

Updates itty-router from 5.0.22 to 5.0.23

Release notes

Sourced from itty-router's releases.

Release v5.0.23

See v5.0.23 CHANGELOG entry for notes

Changelog

Sourced from itty-router's changelog.

v5.0.23

• fixed: cors/corsify should no longer throw immutable headers error (edge case fix)

v5.0.20

• docs: export default { ...router } as README example

v5.0.17

• fixed: corsify should clone response before appending headers

v5.0.16

• maintenance: README

v5.0.15

• maintenance: types cleanup and publishing test

v5.0.14

• maintenance: types cleanup and publishing test

v5.0.13

• fixed: Router/AutoRouter stages were not connected to router-level generics

v5.0.12

• fixed: ./types was not being properly exported

v5.0.10

• fixed: response formatters in finally stage could still cross pollute headers in Node

v5.0.9

• fixed: cors pr...

  Description has been truncated