Skip to content

Update Non-breaking updates#20

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/non-breaking-updates
Open

Update Non-breaking updates#20
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/non-breaking-updates

Conversation

@renovate

@renovate renovate Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence Type Update Pending
@biomejs/biome (source) 2.5.02.5.3 age confidence pnpm.catalog.default patch 2.5.4
@hono/node-server 2.0.52.0.8 age confidence pnpm.catalog.default patch 2.0.10 (+1)
@types/node (source) 22.19.2122.20.1 age confidence pnpm.catalog.default minor
actions/checkout v6.0.2v6.0.3 age confidence action patch
hono (source) 4.12.254.12.29 age confidence pnpm.catalog.default patch 4.12.30
pnpm (source) 11.8.011.11.0 age confidence packageManager minor 11.14.0 (+1)
tsx (source) 4.22.44.23.0 age confidence pnpm.catalog.default minor 4.23.1
vitest (source) 4.1.94.1.10 age confidence pnpm.catalog.default patch

Release Notes

biomejs/biome (@​biomejs/biome)

v2.5.3

Compare Source

Patch Changes
  • #​10815 86613d5 Thanks @​WaterWhisperer! - Fixed a parser panic reported in #​10708: Biome now recovers when unsupported CSS Modules @value rules or scoped @keyframes names end at EOF.

  • #​10534 da9b403 Thanks @​Mokto! - Fixed noUnusedVariables false positives in Svelte files: Svelte store subscriptions ($store references in templates now keep the underlying store binding from being flagged), and $bindable() props that are only written to in the script block (write-only is intentional for bindable props) are no longer reported as unused.

  • #​10827 098ba41 Thanks @​Aqu1bp! - Fixed #​10698: The noUnsafeOptionalChaining rule now reports unsafe optional chains wrapped in TypeScript as, satisfies, type assertion, and instantiation expressions, such as new (value?.constructor as Constructor)().

  • #​10773 3c6513d Thanks @​otkrickey! - Fixed #​10772: useVueValidVOn no longer reports a missing handler for v-on directives using a verb modifier (.stop / .prevent) without an expression, e.g. <div @&#8203;click.stop></div>. The rule also accepts the arg-less object syntax <div v-on="$listeners"></div> instead of reporting a missing event name.

  • #​10721 d83c66b Thanks @​minseong0324! - Improved type-aware lint rule inference for built-in globals and indexed function calls. Biome now resolves Error(...), new Error(...), optional Error#stack, and calls through indexed function values such as handlers[0]() more accurately.

  • #​10865 6450276 Thanks @​ematipico! - Fixed #​10845. Biome Language Server no longer goes in deadlock when the scanner is enabled.

  • #​10853 93d8e53 Thanks @​Netail! - Fixed #​10840: Astro shorthand attribute syntax is now correctly being parsed from embedded nodes.

  • #​10820 bba3092 Thanks @​JamBalaya56562! - Fixed #​10619: noProcessEnv now also reports computed (bracket) member access. Previously only dot access was checked, so process["env"] and env["NODE_ENV"] (where env is imported from node:process) were missed. Both static and computed accesses are now reported.

  • #​10835 3447b2f Thanks @​dyc3! - Fixed #​10824: useDomQuerySelector now supports an ignore option for receiver identifiers that should not be reported.

  • #​10875 b12e486 Thanks @​dyc3! - Fixed #​10795: --profile-rules now reports timings for each plugin separately as plugin/<pluginName>, matching the naming used by plugin suppressions, instead of aggregating all plugins under a single plugin/plugin entry.

  • #​10877 d6bc447 Thanks @​ematipico! - Fixed biome-zed#164: Biome no longer inserts stray whitespace when format-on-type runs after closing delimiters such as ), ], and }.

  • #​10867 a21463e Thanks @​dyc3! - Fixed #​10864: Biome no longer crashes when checking or linting HTML files with unquoted attribute values such as <textarea rows=4></textarea>.

v2.5.2

Compare Source

Patch Changes
  • #​10595 f458028 Thanks @​pkallos! - Added the option ignoreBooleanCoercion to useNullishCoalescing. When enabled, Biome ignores || and ||= used inside a Boolean() call, where coalescing on falsy values is intentional.

  • #​10798 4a32b63 Thanks @​pkallos! - Added the option ignorePrimitives to useNullishCoalescing. When enabled, Biome ignores ||, ||=, and ternary expressions whose non-nullish operands are all primitives the option opts out of. Use true to ignore all primitives, or an object selecting string, number, boolean, or bigint.

  • #​10545 f3d4c00 Thanks @​Mokto! - Added the new nursery rule noSvelteUnnecessaryStateWrap, which reports unnecessary $state() wrapping of classes from svelte/reactivity that are already reactive.

    <script>
    import { SvelteMap } from "svelte/reactivity";
    const map = $state(new SvelteMap()); // redundant
    </script>
  • #​10752 f62fb8b Thanks @​ematipico! - Fixed #​10739. Now the rule useValidAutocomplete correctly flags the autoComplete attribute.

  • #​10796 f1b3ab2 Thanks @​ematipico! - Fixed #​10768. Improved the performance of the Biome Language Server by cancelling certain in-flight operations when there are fast updates.

  • #​10719 aa649b5 Thanks @​minseong0324! - Fixed noMisleadingReturnType false positive on returns that use a widening type assertion: "a" as string is no longer reported as misleading. The rule now also reports a literal-pinning assertion such as false as false, matching the existing as const behavior.

    // No longer flagged (returns are `string`):
    function getValue(b: boolean): string {
      if (b) return "a" as string;
      return "b" as string;
    }
    
    // Now also reported, like `as const` (returns `false`):
    function isReady(): boolean {
      return false as false;
    }
  • #​10678 8f073a7 Thanks @​PranavAchar01! - Fixed #​7718: Biome now correctly parses CSS nesting selectors when & appears as a trailing sub-selector after a type selector, e.g. h1& { color: red; }.

  • #​10756 5ec965a Thanks @​denbezrukov! - Fixed CSS formatter output for selector lists with allowWrongLineComments and // comments after a selector comma. Biome now keeps the selector before the line comment inline instead of breaking it across descendant combinators.

    -.powerPathNavigator
    -  .helm
    -  button.pressedButton, // pressed
    +.powerPathNavigator .helm button.pressedButton, // pressed
     .powerPathNavigator .helm button:active:not(.disabledButton) {
     }
  • #​10757 6232fcd Thanks @​PranavAchar01! - Fixed #​8269: the CSS parser now accepts Tailwind @variant and @utility names that start with a digit, such as the 2xl breakpoint.

    @&#8203;utility container {
      @&#8203;variant 2xl {
        max-width: 1400px;
      }
    }
  • #​10777 575ced6 Thanks @​WaterWhisperer! - Fixed an issue reported in #​10708: the GitLab reporter now handles --verbose diagnostics filtering correctly.

  • #​10281 0efe244 Thanks @​Zelys-DFKH! - Fixed a bug where GritQL patterns rejected positional (unkeyed) arguments.

  • #​10758 e36fd8a Thanks @​henrybrewer00-dotcom! - Fixed #​10697: The formatter no longer removes the parentheses around an await or yield expression used as the target of a TypeScript instantiation expression. For example, (await makeFactory)<Value> is no longer reformatted to await makeFactory<Value>, which would change the meaning of the code.

  • #​10586 3617094 Thanks @​IxxyDev! - Fixed #​9568: noFloatingPromises no longer reports a false positive when calling an overloaded function and the selected overload does not return a promise.

    function bestEffort(cb: () => Promise<number>): Promise<number>;
    function bestEffort(cb: () => number): number;
    function bestEffort(
      cb: () => number | Promise<number>,
    ): Promise<number> | number {
      return cb() as Promise<number> | number;
    }
    
    // This resolves to the second overload, which returns `number`, so it is no
    // longer flagged as a floating promise.
    bestEffort(() => 42);
  • #​10766 7aff4c1 Thanks @​JamBalaya56562! - Fixed #​2862: noInteractiveElementToNoninteractiveRole no longer reports custom elements (a tag name containing a dash, e.g. <my-button role="img" />). Per the W3C HTML-ARIA specification, a custom element may be given any role or none.

  • #​10680 771daa4 Thanks @​WaterWhisperer! - Fixed #​10635: Biome now recognizes chained
    table tests such as test.concurrent.each() and it.concurrent.each() as test calls, fixing
    noMisplacedAssertion false positives and improving formatting for those test declarations.

  • #​10759 34570b5 Thanks @​henrybrewer00-dotcom! - Fixed #​10636: noStaticElementInteractions no longer reports a false positive for event handlers on Svelte special elements such as <svelte:window>, <svelte:document>, and <svelte:body>. These are not real DOM elements, so they are now ignored by the rule.

  • #​10741 bd2364e Thanks @​JamBalaya56562! - Fixed #​6686: the rage command now respects the --config-path option and the BIOME_CONFIG_PATH environment variable when loading the Biome configuration. Previously it always used the default configuration resolution and reported the configuration as Not set when no biome.json existed in the working directory.

  • #​10763 2c3e82d Thanks @​Aqu1bp! - Fixed #​10742: noSolidDestructuredProps now reports destructured props in Solid function components and JSX children.

  • #​10606 a4cc4ab Thanks @​Mokto! - Fixed false positives in noUnusedImports, noUnusedVariables, and useImportType for Svelte components that use both a <script module> and a <script> block. The two blocks compile to a single module and share a top-level scope, so a binding (import, function, or variable) declared in one block and used only in the other is no longer reported as unused.

  • #​10767 36d5aa7 Thanks @​otkrickey! - Fixed #​10754: useVueValidVBind no longer reports the Vue 3.4+ same-name shorthand as missing a value. :foo and v-bind:foo are now accepted as equivalent to :foo="foo", while v-bind, v-bind:[dynamicArg], and :[dynamicArg] without a value continue to be reported.

  • #​10775 a918af0 Thanks @​WaterWhisperer! - Fixed an issue reported in #​10708: biome rage didn't detect running Biome daemon pipes on Windows.

  • #​10730 5a2e65b Thanks @​dinocosta! - Fixed an issue where Biome was resolving the well-known Zed settings file from the wrong location on macOS and Windows.

  • #​10807 d97fffe Thanks @​ematipico! - Fixed an issue where .scss files were incorrectly analyzed when running biome check.

  • #​10672 53c6efc Thanks @​ematipico! - Fixed a bug where Biome incorrectly formatted snippets that have parsing errors.

  • #​10719 aa649b5 Thanks @​minseong0324! - Fixed useAwaitThenable false positive when awaiting a custom thenable that is not the global Promise. A value with a callable then member is now recognized as awaitable.

    interface Thenable<T> {
      then(onfulfilled: (value: T) => void): void;
    }
    declare const t: Thenable<number>;
    async function f() {
      await t;
    }
  • #​10734 4396496 Thanks @​BangDori! - Fixed #​10708: biome migrate now preserves trivia when migrating the deprecated recommended option to preset.

  • #​10683 ae31a00 Thanks @​Netail! - Fixed #​10657 #​10671 #​10661 #​10637 #​10718: HTML rules now correctly handle dynamic attributes.

  • #​10746 54e8239 Thanks @​ematipico! - Fixed an issue where noUndeclaredClasses didn't correctly detect styles defined inside the Astro directive is:global.

  • #​10770 dd1429c Thanks @​ematipico! - Improved the Biome Language Server DX by orchestrating certain operations, so that they won't block the editor during typing. This improvement is more visible in large documents.

  • #​10473 d9b5133 Thanks @​Mokto! - Improved noUnusedImports, noUnusedVariables, noUnusedFunctionParameters, and useImportType for Svelte, Vue, and Astro files (with html.experimentalFullSupportEnabled). Bindings used only in the template — including component tags, attribute interpolations, directives, bind: shorthand, and snippet parameters — are no longer reported as unused, while genuinely unused ones still are.

  • #​10796 f1b3ab2 Thanks @​ematipico! - Fixed an issue where the Biome Language Server didn't enable project or type-aware lint rules, even when they were explicitly enabled.

  • #​10746 54e8239 Thanks @​ematipico! - Fixed an issue where noUndeclaredClasses didn't detect styles declared inside HTML documents.

  • #​10774 bde945b Thanks @​pattrickrice! - Fixed #​10268 where a race condition resulted in internal errors such as: The file biome.json does not exist in the workspace.

v2.5.1

Compare Source

Patch Changes
honojs/node-server (@​hono/node-server)

v2.0.8

Compare Source

What's Changed

Full Changelog: honojs/node-server@v2.0.7...v2.0.8

v2.0.6

Compare Source

actions/checkout (actions/checkout)

v6.0.3

Compare Source

honojs/hono (hono)

v4.12.29

Compare Source

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.28...v4.12.29

v4.12.28

Compare Source

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.27...v4.12.28

v4.12.27

Compare Source

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc


Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

v4.12.26

Compare Source

What's Changed

Full Changelog: honojs/hono@v4.12.25...v4.12.26

pnpm/pnpm (pnpm)

v11.11.0

Compare Source

Minor Changes
  • 508b8c2: Added the pnpm access command for managing package access and visibility on the registry, supporting listing packages and collaborators, getting and setting package status and MFA requirements, and granting or revoking team access.
Patch Changes
  • c70e33e: Allow allowBuilds entries for git-hosted packages to match by repository URL without pinning the resolved commit hash. This lets trusted git repositories keep running their build scripts after branch updates without approving each new commit, while package-name-only rules still do not approve git-hosted artifacts.
  • 3067e4f: Reduced peak memory usage during cold-cache dependency resolution. The metadata fetch is memoized for the whole resolution phase, and it was retaining each package's raw registry response body (used only to mirror the response to disk) for that entire time. The memoized cache now holds a body-less copy, so the raw body only lives as long as the call that writes the disk mirror. On large graphs that fetch full metadata (e.g. with minimumReleaseAge or trustPolicy enabled) this cuts peak RSS by roughly 30%, back in line with pnpm 10. The resolved lockfile is unchanged.
  • 51300fd: Prevent a crafted pnpm-lock.yaml from writing package content outside the virtual store. A dependency path key whose name reconstructs to a path-traversal sequence (e.g. ../../../tmp/x@1.0.0) is now rejected by the isolated (virtual-store) linker and the Plug'n'Play resolver map, matching the containment already applied to the hoisted linker. Under the global virtual store, a traversal in the version-derived path segment (e.g. a snapshot version: "../../x") is now rejected at formatGlobalVirtualStorePath, the single point every global-virtual-store slot path funnels through — closing the same escape in the isolated linker, the resolver's dependency-graph builder, and the config-dependency installer.
  • f8058eb: Reject symlinked pnpm-lock.yaml files when reading or writing the env lockfile document.
  • 9318a11: Allow registries and namedRegistries to be configured in the global config.yaml file.
  • 51300fd: Fixed a path traversal vulnerability where a dependency whose manifest name was a scoped path traversal (e.g. @x/../../../<path>) could be written outside node_modules to an attacker-controlled location during pnpm install, even with --ignore-scripts. The isolated linker now validates the package name before using it as a directory name, matching the existing protection in the hoisted linker.
  • 14332f0: Fail instead of silently removing an optional dependency's locked entries from pnpm-lock.yaml when the registry cannot resolve it. Previously, when registry metadata lacked a version that the lockfile already pinned (for example, a mirror that had not synced a recent release yet), pnpm install and pnpm dedupe silently dropped the optional dependency's entries — emptying maps such as the platform binaries of @napi-rs/canvas — so the lockfile differed between machines and frozen installs on other hosts had nothing to link #​12853.
  • fecfe83: Fixed peer dependency resolution with autoInstallPeers when a workspace package depends on a version of a package that a transitive dependency's self-contained closure also provides for itself. The peer providers that are attached to the root project for reuse are no longer peer-resolved a second time in the root context, so packages inside such a closure no longer get their peers bound to the root project's incompatible version #​4993.
  • 5a4daec: ${...} environment-variable placeholders in the httpProxy, httpsProxy, noProxy, proxy, and noproxy settings are no longer expanded when these settings come from a project's pnpm-workspace.yaml. They now receive the same protection already applied to registry, namedRegistries, and pnprServer.
  • d1da02e: pnpm publish no longer prints credentials when the target registry is configured with inline user:pass@ credentials (e.g. registry=https://user:pass@example.com/). They are now redacted both from the "publishing to registry" line and from the OIDC (trusted publishing) failure messages.
  • dcfc611: pnpm self-update now honors trustPolicy=no-downgrade. It resolves the target pnpm version against full registry metadata, so it refuses to switch to a version whose supply-chain trust evidence is weaker than an earlier-published one, the same way a regular install does.
  • a8ad82d: Register the pn alias in generated shell completion scripts.
  • 25bd5c3: Fixed standalone installer downgrades from pnpm v12 to v11.
  • 23996e9: pnpm runtime set <name> <version> now validates its arguments: the name must be node, deno, or bun, and the version must not contain a comma. Previously these were interpolated straight into a pnpm add selector, where an unsupported name or a comma (e.g. node 22,is-positive) could be misread as a list of packages or a local directory and install unintended packages or bins.

v11.10.0

Compare Source

Minor Changes
  • e2e3c81: Added the issues command as an alias of bugs, so pnpm issues opens the package's bug tracker URL in the browser.

  • 8491f8e: Added the prefix command which prints the current package prefix directory (or global prefix directory if -g / --global is used).

  • 3425e80: Added an _auth setting for configuring registry authentication as a single structured (URL-keyed) value. It can be set in the global pnpm config (config.yaml) or, for CI, via the pnpm_config__auth environment variable. The env form sidesteps the GitHub Actions / bash / zsh limitation that broke the existing pnpm_config_//host/:_authToken=… form (env var names containing /, :, or . are silently dropped). Closes #​12314.

    The value is keyed by registry URL so each secret is explicitly bound to the host that may receive it. Registry URL keys must use http or https and must not include credentials, query strings, or fragments:

    export pnpm_config__auth='{"https://registry.npmjs.org":{"@&#8203;":{"authToken":"npm-token"},"@&#8203;org":{"authToken":"org-token"}}}'

    The equivalent in the global config.yaml:

    _auth:
      https://registry.npmjs.org:
        "@&#8203;":
          authToken: npm-token
        "@&#8203;org":
          authToken: org-token

    Within each registry URL, @ means registry-wide/default credentials and package scopes like @org bind credentials to that scope on the same host. The only supported credential field is authToken (maps to _authToken / bearer auth); the deprecated basicAuth / username + password forms are intentionally not accepted here.

    Each entry also infers a trusted registry route: @ routes the default registry (and pnpm add <pkg> resolves there), and @org routes that scope. Because the credential and destination host arrive in one trusted value, repo-controlled pnpm-workspace.yaml or project .npmrc cannot redirect the token to a different host. _auth is honored only from the env var and the global config — it is ignored in a project pnpm-workspace.yaml / .npmrc, so repo-controlled config can never supply registry auth. Precedence: CLI flags (--registry, --@&#8203;scope:registry) > pnpm_config__auth > global config.yaml _auth > pnpm-workspace.yaml.

    Both pnpm_config__auth (lowercase, documented form) and PNPM_CONFIG__AUTH (all-caps, the shell convention some CI runners apply) are honored. If both are set, lowercase wins unless it is empty, in which case uppercase is used. The env var wins over the global config.yaml _auth on a conflicting key. tokenHelper is not supported in _auth. Parsing is strict: a malformed value (bad JSON, wrong shape, invalid registry URL or scope, an unsupported credential field) fails fast with an error rather than being silently dropped.

    Pacquet parity note: the pacquet (Rust) port supports the same single credential field as the TS CLI: authToken.

  • a33eeec: pnpm self-update and packageManager version-switching can now install and link pnpm v12 (the Rust port), published with equal content under both the pnpm and @pnpm/exe names on the next-12 dist-tag. Its native binaries ship as @pnpm/exe.<platform>-<arch> packages, which pnpm's built-in installer links directly — no Node.js launcher, so the command pays no Node startup cost. v12 is initialized exactly like @pnpm/exe, including per-platform global-virtual-store hashing. From v12 onward the install converges on the unscoped pnpm package (the Rust exe) — even when updating from the SEA @pnpm/exe build.

  • 1dd12bd: When resolving through a pnpr install-accelerator server, pnpm no longer forwards its own upstream registry credentials in the resolve request. Only the Authorization header identifying the caller to p

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone Asia/Tokyo)

  • Branch creation
    • Between 12:00 AM and 12:59 AM (* 0 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot force-pushed the renovate/non-breaking-updates branch 3 times, most recently from 37505ec to 758a7e5 Compare July 16, 2026 21:15
@renovate
renovate Bot force-pushed the renovate/non-breaking-updates branch from 758a7e5 to d836295 Compare July 17, 2026 12:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants