build(deps-dev): bump all

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
@biomejs/biome (source)	1.7.3 -> 1.8.1					devDependencies	minor
@devcontainers/cli	0.62.0 -> 0.64.0					devDependencies	minor
actions/checkout	v4.1.6 -> v4.1.7					action	patch
cspell (source)	8.8.3 -> 8.8.4					devDependencies	patch
cssnano	7.0.1 -> 7.0.2					devDependencies	patch
dprint	0.46.1 -> 0.46.2					devDependencies	patch
editorconfig-checker	5.1.5 -> 5.1.8					devDependencies	patch
github/codeql-action	v3.25.7 -> v3.25.10					action	patch
pnpm (source)	9.1.4 -> 9.3.0					packageManager	minor
pnpm (source)	9.1.4 -> 9.3.0					engines	minor
prettier (source)	3.3.0 -> 3.3.2					devDependencies	patch
returntocorp/semgrep	cffeb57 -> 550dfda					container	digest
ruby (source)	3.3.2 -> 3.3.3						patch
ruby/setup-ruby	v1.178.0 -> v1.180.0					action	minor

---

Release Notes

biomejs/biome (@​biomejs/biome)

v1.8.1

Compare Source

Analyzer

CLI

Bug fixes

• Fix #​3069, prevent overwriting paths when using --staged or --changed options. Contributed by @​unvalley
• Fix a case where the file link inside a diagnostic wasn't correctly displayed inside a terminal run by VSCode. Contributed by @​uncenter

Configuration

Bug fixes

• Fix #​3067, by assigning the correct default value to indentWidth. Contributed by @​ematipico

Editors

Formatter

Bug fixes

• Fix the bug where whitespace after the & character in CSS nesting was incorrectly trimmed, ensuring proper targeting of child classes #​3061. Contributed by @​denbezrukov
• Fix #​3068 where the CSS formatter was inadvertently converting variable declarations and function calls to lowercase. Contributed by @​denbezrukov
• Fix the formatting of CSS grid layout properties. Contributed by @​denbezrukov

JavaScript APIs

Linter

Bug fixes

• The noEmptyBlock css lint rule now treats empty blocks containing comments as valid ones. Contributed by @​Sec-ant

• useLiteralKeys no longer reports quoted member names (#​3085).

  Previously useLiteralKeys reported quoted member names that can be unquoted.
  For example, the rule suggested the following fix:

  - const x = { "prop": 0 };
  + const x = { prop: 0 };

  This conflicted with the option quoteProperties of our formatter.

  The rule now ignores quoted member names.

  Contributed by @​Conaclos

• noEmptyInterface now ignores empty interfaces in ambient modules (#​3110). Contributed by @​Conaclos

• noUnusedVariables and noUnusedFunctionParameters no longer report the parameters of a constructor type (#​3135).

  Previously, arg was reported as unused in a constructor type like:

  export type Classlike = new (arg: unknown) => string;

  Contributed by @​Conaclos

• noStringCaseMismatch now ignores escape sequences (#​3134).

  The following code is no longer reported by the rule:

  s.toUpperCase() === "\u001b";

  Contributed by @​Conaclos

Parser

New features

• Implemented CSS Unknown At-Rule parsing, allowing the parser to gracefully handle unsupported or unrecognized CSS at-rules. Contributed by @​denbezrukov

Bug fixes

• Fix #​3055 CSS: Layout using named grid lines is now correctly parsed. Contributed by @​denbezrukov
• Fix #​3091. Allows the parser to handle nested style rules and at-rules properly, enhancing the parser's compatibility with the CSS Nesting Module. Contributed by @​denbezrukov

v1.8.0

Compare Source

Analyzer

New features

• Allow suppression comments to suppress individual instances of rules. This is
  used for the lint rule useExhaustiveDependencies, which is now able to
  suppress specific dependencies. Fixes #​2509. Contributed by @​arendjr

Enhancements

• Assume Astro object is always a global when processing .astro files. Contributed by @​minht11
• Assume Vue compiler macros are globals when processing .vue files. (#​2771) Contributed by @​dyc3

CLI

New features

• New clean command. Use this new command to clean after the biome-logs directory, and remove all the log files.

  biome clean

• Add two new options --only and --skip to the command biome lint (#​58).

  The --only option allows you to run a given rule or rule group,
  For example, the following command runs only the style/useNamingConvention and style/noInferrableTypes rules.
  If the rule is disabled in the configuration, then its severity level is set to error for a recommended rule or warn otherwise.

  biome lint --only=style/useNamingConvention --only=style/noInferrableTypes

  Passing a group does not change the severity level of the rules in the group.
  All the disabled rules in the group will remain disabled.
  To ensure that the group is run, the recommended field of the group is enabled.
  The nursery group cannot be passed, as no rules are enabled by default in the nursery group.

  The --skip option allows you to skip the execution of a given group or a given rule.
  For example, the following command skips the style group and the suspicious/noExplicitAny rule.

  biome lint --skip=style --skip=suspicious/noExplicitAny

  You can also use --only and --skip together. --skip oevrrides --only.
  The following command executes only the rules from the style group, but the style/useNamingConvention rule.

  biome lint --only=style --skip=style/useNamingConvention

  These options are compatible with other options such as --write (previously --apply), and --reporter.

  Contributed by @​Conaclos

• Add new command biome clean. Use this command to purge all the logs emitted by the Biome daemon. This command is really useful, because the Biome daemon tends
  log many files and contents during its lifecycle. This means that if your editor is open for hours (or even days), the biome-logs folder could become quite heavy. Contributed by @​ematipico

• Add support for formatting and linting CSS files from the CLI. These operations are opt-in for the time being.

  If you don't have a configuration file, you can enable these features with --css-formatter-enabled and --css-linter-enabled:

  biome check --css-formatter-enabled=true --css-linter-enabled=true ./

  Contributed by @​ematipico

• Add new CLI options to control the CSS formatting. Check the CLI reference page for more details. Contributed by @​ematipico

• Add new options --write, --fix (alias of --write) and --unsafe to the command biome lint and biome check.
  Add a new option --fix (alias of --write) to the command biome format and biome migrate.

  biome <lint|check> --<write|fix> [--unsafe]
  biome format --<write|fix>
  biome migrate --<write|fix>

  The biome <lint|check> --<write|fix> has the same behavior as biome <lint|check> --apply.
  The biome <lint|check> --<write|fix> --unsafe has the same behavior as biome <lint|check> --apply-unsafe.
  The biome format --fix has the same behavior as biome format --write.
  The biome migrate --fix has the same behavior as biome migrate --write.

  This change allows these commands to write modifications in the same options.
  With this change, the --apply and --apply-unsafe options are deprecated.

  Contributed by @​unvalley

Enhancements

• Biome now executes commands (lint, format, check and ci) on the working directory by default. #​2266 Contributed by @​unvalley

  - biome check .
  + biome check    # You can run the command without the path

• biome migrate eslint now tries to convert ESLint ignore patterns into Biome ignore patterns.

  ESLint uses gitignore patterns.
  Biome now tries to convert these patterns into Biome ignore patterns.

  For example, the gitignore pattern /src is a relative path to the file in which it appears.
  Biome now recognizes this and translates this pattern to ./src.

  Contributed by @​Conaclos

• biome migrate eslint now supports the eslintIgnore field in package.json.

  ESLint allows the use of package.json as an ESLint configuration file.
  ESLint supports two fields: eslintConfig and eslintIgnore.
  Biome only supported the former. It now supports both.

  Contributed by @​Conaclos

• biome migrate eslint now propagates NodeJS errors to the user.

  This will help users to identify why Biome is unable to load some ESLint configurations.

  Contributed by @​Conaclos

• Add a new --reporter called summary. This reporter will print diagnostics in a different way, based on the tools (formatter, linter, etc.) that are executed.
  Import sorting and formatter shows the name of the files that require formatting. Instead, the linter will group the number of rules triggered and the number of errors/warnings:

  Formatter ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  The following files needs to be formatted:
  main.ts
  index.ts
  
  Organize Imports ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  The following files needs to have their imports sorted:
  main.ts
  index.ts
  
  Analyzer ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  Some analyzer rules were triggered
  
  Rule Name                                               Diagnostics
  lint/suspicious/noImplicitAnyLet                        12 (12 error(s), 0 warning(s), 0 info(s))
  lint/suspicious/noDoubleEquals                          8 (8 error(s), 0 warning(s), 0 info(s))
  lint/suspicious/noRedeclare                             12 (12 error(s), 0 warning(s), 0 info(s))
  lint/suspicious/noDebugger                              20 (20 error(s), 0 warning(s), 0 info(s))
  

  Contributed by @​ematipico

• biome ci now enforces printing the output using colours. If you were previously using --colors=force, you can remove it because it's automatically set. Contributed by @​ematipico

• Add a new --reporter called github. This reporter will print diagnostics using GitHub workflow commands:

  ::error title=lint/suspicious/noDoubleEquals,file=main.ts,line=4,endLine=4,col=3,endColumn=5::Use === instead of ==
  ::error title=lint/suspicious/noDebugger,file=main.ts,line=6,endLine=6,col=1,endColumn=9::This is an unexpected use of the debugger statement.
  ::error title=lint/nursery/noEvolvingAny,file=main.ts,line=8,endLine=8,col=5,endColumn=6::This variable's type is not allowed to evolve implicitly, leading to potential any types.
  

  Contributed by @​ematipico

• Add a new --reporter called junit. This reporter will print diagnostics using GitHub workflow commands:

  <?xml version="1.0" encoding="UTF-8"?>
  <testsuites name="Biome" tests="16" failures="16" errors="20" time="<TIME>">
    <testsuite name="main.ts" tests="1" disabled="0" errors="0" failures="1" package="org.biome">
        <testcase name="org.biome.lint.suspicious.noDoubleEquals" line="4" column="3">
            <failure message="Use === instead of ==. == is only allowed when comparing against `null`">line 3, col 2, Use === instead of ==. == is only allowed when comparing against `null`</failure>
        </testcase>
    </testsuite>
    <testsuite name="main.ts" tests="1" disabled="0" errors="0" failures="1" package="org.biome">
        <testcase name="org.biome.lint.suspicious.noDebugger" line="6" column="1">
            <failure message="This is an unexpected use of the debugger statement.">line 5, col 0, This is an unexpected use of the debugger statement.</failure>
        </testcase>
    </testsuite>
    <testsuite name="main.ts" tests="1" disabled="0" errors="0" failures="1" package="org.biome">
        <testcase name="org.biome.lint.nursery.noEvolvingAny" line="8" column="5">
            <failure message="This variable&apos;s type is not allowed to evolve implicitly, leading to potential any types.">line 7, col 4, This variable&apos;s type is not allowed to evolve implicitly, leading to potential any types.</failure>
        </testcase>
    </testsuite>
  </testsuites>

  Contributed by @​ematipico

Bug fixes

• Fix #​3024, where running biome init would create biome.json even if biome.jsonc already exists. Contributed by @​minht11

Configuration

New features

• Add an rule option fix to override the code fix kind of a rule (#​2882).

  A rule can provide a safe or an unsafe code action.
  You can now tune the kind of code actions thanks to the fix option.
  This rule option takes a value among:

  • none: the rule no longer emits code actions.
  • safe: the rule emits safe code action.
  • unsafe: the rule emits unsafe code action.

  The following configuration disables the code actions of noUnusedVariables, makes the emitted code actions of style/useConst and style/useTemplate unsafe and safe respectively.

  {
    "linter": {
      "rules": {
        "correctness": {
          "noUnusedVariables": {
            "level": "error",
            "fix": "none"
          },
          "style": {
            "useConst": {
              "level": "warn",
              "fix": "unsafe"
            },
            "useTemplate": {
              "level": "warn",
              "fix": "safe"
            }
          }
        }
      }
    }
  }

  Contributed by @​Conaclos

• Add option javascript.linter.enabled to control the linter for JavaScript (and its super languages) files. Contributed by @​ematipico

• Add option json.linter.enabled to control the linter for JSON (and its super languages) files. Contributed by @​ematipico

• Add option css.linter.enabled to control the linter for CSS (and its super languages) files. Contributed by @​ematipico

• Add option css.formatter, to control the formatter options for CSS (and its super languages) files. Contributed by @​ematipico

• You can now change the severity of lint rules down to "info". The "info" severity doesn't emit error codes, and it isn't affected by other options like --error-on-warnings:

  {
    "linter": {
      "rules": {
        "suspicious": {
          "noDebugger": "info"
        }
      }
    }
  }

  Contributed by @​ematipico

Enhancements

• The javascript.formatter.trailingComma option is deprecated and renamed to javascript.formatter.trailingCommas. The corresponding CLI option --trailing-comma is also deprecated and renamed to --trailing-commas. Details can be checked in #​2492. Contributed by @​Sec-ant

Bug fixes

• Fix a bug where if the formatter was disabled at the language level, it could be erroneously enabled by an
  override that did not specify the formatter section #​2924. Contributed by @​dyc3
• Fix #​2990, now Biome doesn't add a trailing comma when formatting biome.json. Contributed by @​dyc3

Editors

New features

• Add support for LSP Workspaces

Enhancements

• The LSP doesn't crash anymore when the configuration file contains errors. If the configuration contains errors, Biome now shows a pop-up to the user, and it will only parse files using the default configuration.
  Formatting and linting is disabled until the configuration file is fixed. Contributed by @​ematipico

Bug fixes

• Fixes #​2781, by correctly computing the configuration to apply to a specific file. Contributed by @​ematipico

Formatter

Bug fixes

• Fix #​2470 by avoid introducing linebreaks in single line string interpolations. Contributed by @​ah-yu
• Resolve deadlocks by narrowing the scope of locks. Contributed by @​mechairoi
• Fix #​2782 by computing the enabled rules by taking the override settings into consideration. Contributed by @​ematipico
• Fix [https://github.com/biomejs/biome/issues/2877](https://togithub.com/biomejs/biome/issues/2877)7] by correctly handling line terminators in JSX string. Contributed by @​ah-yu

Linter

Promoted rules

New rules are incubated in the nursery group. Once stable, we promote them to a stable group. The following rules are promoted:

• useImportRestrictions
• noNodejsModules
• useArrayLiterals
• noConstantMathMinMaxClamp
• noFlatMapIdentity

New features

• Add nursery/useDateNow. Contributed by @​minht11

• Add nursery/useErrorMessage. Contributed by @​minht11

• Add nursery/useThrowOnlyError. Contributed by @​minht11

• Add nursery/useImportExtensions. Contributed by @​minht11

• useNamingConvention now supports an option to enforce custom conventions (#​1900).

  For example, you can enforce the use of a prefix for private class members:

  {
  	"linter": {
  		"rules": {
  			"style": {
  				"useNamingConvention": {
  					"level": "error",
  					"options": {
  						"conventions": [
  							{
  								"selector": {
  									"kind": "classMember",
  									"modifiers": ["private"]
  								},
  								"match": "_(.*)",
                  "formats": ["camelCase"]
  							}
  						]
  					}
  				}
  			}
  		}
  	}
  }

  Please, find more details in the rule documentation.

  Contributed by @​Conaclos

• Add nursery/useNumberToFixedDigitsArgument.
  Contributed by @​minht11

• Add nursery/useThrowNewError.
  Contributed by @​minht11

• Add nursery/useTopLevelRegex, which enforces defining regular expressions at the top level of a module. #​2148 Contributed by @​dyc3.

• Add nursery/noCssEmptyBlock. #​2513 Contributed by @​togami2864

• Add nursery/noDuplicateAtImportRules. #​2658 Contributed by @​DerTimonius

• Add nursery/noDuplicateFontNames. #​2308 Contributed by @​togami2864

• Add nursery/noDuplicateSelectorsKeyframeBlock. #​2534 Contributed by @​isnakode

• Add nursery/noImportantInKeyframe. #​2542 Contributed by @​isnakode

• Add nursery/noInvalidPositionAtImportRule. #​2717 Contributed by @​t-shiratori

• Add nursery/noUnknownFunction. #​2570 Contributed by @​neokidev

• Add nursery/noUnknownMediaFeatureName. #​2751 Contributed by @​Kazuhiro-Mimaki

• Add nursery/noUnknownProperty. #​2755 Contributed by @​chansuke

• Add nursery/noUnknownSelectorPseudoElement. #​2655 Contributed by @​keita-hino

• Add nursery/noUnknownUnit. #​2535 Contributed by @​neokidev

• Add nursery/noUnmatchableAnbSelector. #​2706 Contributed by @​togami2864

• Add nursery/useGenericFontNames. #​2573 Contributed by @​togami2864

• Add nursery/noYodaExpression. Contributed by @​michellocana

• Add nursery/noUnusedFunctionParameters Contributed by @​printfn

Enhancements

• Add a code action for noConfusingVoidType and improve the diagnostics.

  The rule now suggests using undefined instead of void in confusing places.
  The diagnosis is also clearer.

  Contributed by @​Conaclos

• Improve code action for nursery/noUselessUndefinedInitialization to handle comments.

  The rule now places inline comments after the declaration statement, instead of removing them.
  The code action is now safe to apply.

  Contributed by @​lutaok

• Make useExhaustiveDependencies report duplicate dependencies. Contributed by @​tunamaguro

• Rename noEvolvingAny into noEvolvingTypes (#​48). Contributed by @​Conaclos

Bug fixes

• noUndeclaredVariables and noUnusedImports now correctly handle import namespaces (#​2796).

  Previously, Biome bound unqualified type to import namespaces.
  Import namespaces can only be used as qualified names in a type (ambient) context.

  // Unused import
  import * as Ns1 from "";
  // This doesn't reference the import namespace `Ns1`
  type T1 = Ns1; // Undeclared variable `Ns1`
  
  // Unused import
  import type * as Ns2 from "";
  // This doesn't reference the import namespace `Ns2`
  type T2 = Ns2; // Undeclared variable `Ns2`
  
  import type * as Ns3 from "";
  // This references the import namespace because it is a qualified name.
  type T3 = Ns3.Inner;
  // This also references the import namespace.
  export type { Ns3 }

  Contributed by @​Conaclos

• noUndeclaredVariables now correctly handle ambient computed member names (#​2975).

  A constant can be imported as a type and used in a computed member name of a member signature.
  Previously, Biome was unable to bind the value imported as a type to the computed member name.

  import type { NAME } from "./constants.js";
  type X = { [NAME]: number };

  Contributed by @​Conaclos

• noUndeclaredVariables now ignores this in JSX components (#​2636).

  The rule no longer reports this as undeclared in following code.

  import { Component } from 'react';
  
  export class MyComponent extends Component {
    render() {
      return <this.foo />
    }
  }

  Contributed by @​printfn and @​Conaclos

• useJsxKeyInIterable now handles more cases involving fragments. See the snippets below. Contributed by @​dyc3

// valid
[].map((item) => {
	return <>{item.condition ? <div key={item.id} /> : <div key={item.id}>foo</div>}</>;
});

// invalid
[].map((item) => {
	return <>{item.condition ? <div /> : <div>foo</div>}</>;
});

• noExcessiveNestedTestSuites no longer erroneously alerts on describe calls that are not invoking the global describe function. #​2599 Contributed by @​dyc3

// now valid
z.object({})
  .describe('')
  .describe('')
  .describe('')
  .describe('')
  .describe('')
  .describe('');

• noEmptyBlockStatements no longer reports empty constructors using typescript parameter properties. #​3005 Contributed by @​dyc3

• noEmptyBlockStatements no longer reports empty private or protected constructors. Contributed by @​dyc3

• noExportsInTest rule no longer treats files with in-source testing as test files https://github.com/biomejs/biome/issues/2859. Contributed by @​ah-yu

• useSortedClasses now keeps leading and trailing spaces when applying the code action inside template literals:

  i Unsafe fix: Sort the classes.
  
    1 1 │   <>
    2   │ - → <div·class={`${variable}·px-2·foo·p-4·bar`}/>
      2 │ + → <div·class={`${variable}·foo·bar·p-4·px-2`}/>
    3 3 │   	<div class={`px-2 foo p-4 bar ${variable}`}/>
    4 4 │   </>
  

• noUndeclaredDependencies is correctly triggered when running biome ci. Contributed by @​ematipico

• noUnusedVariables no longer panics when a certain combination of characters is typed. Contributed by @​ematipico

• noUndeclaredVariables no logger alerts on arguments object in a function scope. Contributed by @​ah-yu

Parser

Enhancements

• lang="tsx" is now supported in Vue Single File Components. #​2765 Contributed by @​dyc3

Bug fixes

• The const modifier for type parameters is now accepted for TypeScript new signatures (#​2825).

  The following code is now correctly parsed:

  interface I {
    new<const T>(x: T): T
  }

  Contributed by @​Conaclos

• Some invalid TypeScript syntax caused the Biome parser to crash.

  The following invalid syntax no longer causes the Biome parser to crash:

  declare using x: null;
  declare qwait using x: null;

  Contributed by @​Conaclos

devcontainers/cli (@​devcontainers/cli)

v0.64.0

Compare Source

• Fix project name with env variable. (https://github.com/devcontainers/cli/issues/839)

v0.63.0

Compare Source

• Surface additional information in devcontainer up. (https://github.com/devcontainers/cli/pull/836)
• Changes the config layer of the Feature manifest to a empty descriptor (https://github.com/devcontainers/cli/pull/815)

actions/checkout (actions/checkout)

v4.1.7

Compare Source

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in https://github.com/actions/checkout/pull/1739
• Bump actions/checkout from 3 to 4 by @​dependabot in https://github.com/actions/checkout/pull/1697
• Check out other refs/* by commit by @​orhantoy in https://github.com/actions/checkout/pull/1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in https://github.com/actions/checkout/pull/1776

streetsidesoftware/cspell (cspell)

v8.8.4

Compare Source

• ci: Fix Lint -- Workflow Bot (#​5699) (211113a), closes #​5699

cssnano/cssnano (cssnano)

v7.0.2: v7.0.2

Compare Source

Bug Fixes

• fix invalid output in some cases where selectors contain comments

dprint/dprint (dprint)

v0.46.2

Compare Source

Changes

• fix: analyze Wasm plugin version without instantiating plugin (#​857)

Install

Run dprint upgrade or see https://dprint.dev/install/

Checksums

Artifact	SHA-256 Checksum
dprint-x86_64-apple-darwin.zip	88abd8a6f416b624fdfae338ae6fca440f4a36b35199f0d03438caeb7715d820
dprint-aarch64-apple-darwin.zip	a331d1c9ad2abb96d46c33d25f1166bd5497dde0c48eb8a8f3d98143cd4bca5b
dprint-x86_64-pc-windows-msvc.zip	53ab1991d23be9de8bf3b920f8605aee55629321fcacccfc5df38d49b2eb5160
dprint-x86_64-pc-windows-msvc-installer.exe	e4c015ddbc247fe889f03a011ec4832bc339175977f7db4f674ae0313e2fe726
dprint-x86_64-unknown-linux-gnu.zip	e2819a2f1092750227cbd0a92b1172e889a30ddbb5773e85db133c1c8859edf6
dprint-x86_64-unknown-linux-musl.zip	bbe9fe8eae9abdcfccdeca97fd8c524efd6137de702ee96e82b0ecb4ad432ebf
dprint-aarch64-unknown-linux-gnu.zip	3f01bc1d7d47fec7c00af52ee5e270f4759743da1f6e1b31a593bfdaa1dc1906
dprint-aarch64-unknown-linux-musl.zip	d7b6f88c320bffcbb1dfeb6030d5a1ef23d18d81721e39abdbf4b8bdab389ba4

editorconfig-checker/editorconfig-checker.javascript (editorconfig-checker)

v5.1.8

Compare Source

Reverts

• Revert "chore(deps-dev): bump undici from 6.6.2 to 6.11.1 (#​411)" (51a754a), closes #​411

v5.1.6 release didn't work because of an issue with the @vercel/ncc compiler: https://github.com/vercel/ncc/issues/1193, for now we revert the changes, so basically v5.1.8 is the same as v5.1.5.
Sorry for the troubles, we also improved our CI, so we should be able to detect this kind of issues in the future.

v5.1.7

Compare Source

Reverts

• Revert "fix: update dependencies to latest (#​412)" (f04e860), closes #​412 #​413
• Revert "fix: semantic-release v23" (d1b7b93)

v5.1.6

Compare Source

Bug Fixes

• semantic-release v23 (52f4b29)
• update dependencies to latest (#​412) (5b68e04)

github/codeql-action (github/codeql-action)

v3.25.10

Compare Source

v3.25.9

Compare Source

v3.25.8

Compare Source

pnpm/pnpm (pnpm)

v9.3.0

Compare Source

Minor Changes

• Semi-breaking. Dependency key names in the lockfile are shortened if they are longer than 1000 characters. We don't expect this change to affect many users. Affected users most probably can't run install successfully at the moment. This change is required to fix some edge cases in which installation fails with an out-of-memory error or "Invalid string length (RangeError: Invalid string length)" error. The max allowed length of the dependency key can be controlled with the peers-suffix-max-length setting #​8177.

Patch Changes

• Set reporter-hide-prefix to true by default for pnpm exec. In order to show prefix, the user now has to explicitly set reporter-hide-prefix=false #​8174.

Platinum Sponsors

Gold Sponsors

Our Silver Sponsors

v9.2.0

[

---

Configuration

📅 Schedule: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/[email protected]	environment, network Transitive: filesystem, unsafe	+61	5.35 MB	jason-dent
npm/[email protected]	Transitive: environment, filesystem, network, shell, unsafe	+63	10.3 MB	ludovicofischer
npm/[email protected]	environment, filesystem, shell	0	8.03 kB	dsherret
npm/[email protected]	None	0	719 kB	theoludwig
npm/[email protected]	environment, filesystem, unsafe	0	8.25 MB	prettier-bot

🚮 Removed packages: npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

[socket-security]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: npm/@biomejs/[email protected]

View full report↗︎

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

[DerekNonGeneric]

@SocketSecurity ignore npm/@biomejs/[email protected] npm/@biomejs/[email protected] npm/[email protected]

[DerekNonGeneric]

lgtm