Update Non-breaking updates#20
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
renovate
Bot
force-pushed
the
renovate/non-breaking-updates
branch
3 times, most recently
from
July 16, 2026 21:15
37505ec to
758a7e5
Compare
renovate
Bot
force-pushed
the
renovate/non-breaking-updates
branch
from
July 17, 2026 12:46
758a7e5 to
d836295
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.5.0→2.5.32.5.42.0.5→2.0.82.0.10(+1)22.19.21→22.20.1v6.0.2→v6.0.34.12.25→4.12.294.12.3011.8.0→11.11.011.14.0(+1)4.22.4→4.23.04.23.14.1.9→4.1.10Release Notes
biomejs/biome (@biomejs/biome)
v2.5.3Compare Source
Patch Changes
#10815
86613d5Thanks @WaterWhisperer! - Fixed a parser panic reported in #10708: Biome now recovers when unsupported CSS Modules@valuerules or scoped@keyframesnames end at EOF.#10534
da9b403Thanks @Mokto! - FixednoUnusedVariablesfalse positives in Svelte files: Svelte store subscriptions ($storereferences in templates now keep the underlyingstorebinding from being flagged), and$bindable()props that are only written to in the script block (write-only is intentional for bindable props) are no longer reported as unused.#10827
098ba41Thanks @Aqu1bp! - Fixed #10698: ThenoUnsafeOptionalChainingrule now reports unsafe optional chains wrapped in TypeScriptas,satisfies, type assertion, and instantiation expressions, such asnew (value?.constructor as Constructor)().#10773
3c6513dThanks @otkrickey! - Fixed #10772:useVueValidVOnno longer reports a missing handler for v-on directives using a verb modifier (.stop/.prevent) without an expression, e.g.<div @​click.stop></div>. The rule also accepts the arg-less object syntax<div v-on="$listeners"></div>instead of reporting a missing event name.#10721
d83c66bThanks @minseong0324! - Improved type-aware lint rule inference for built-in globals and indexed function calls. Biome now resolvesError(...),new Error(...), optionalError#stack, and calls through indexed function values such ashandlers[0]()more accurately.#10865
6450276Thanks @ematipico! - Fixed #10845. Biome Language Server no longer goes in deadlock when the scanner is enabled.#10853
93d8e53Thanks @Netail! - Fixed #10840: Astro shorthand attribute syntax is now correctly being parsed from embedded nodes.#10820
bba3092Thanks @JamBalaya56562! - Fixed #10619:noProcessEnvnow also reports computed (bracket) member access. Previously only dot access was checked, soprocess["env"]andenv["NODE_ENV"](whereenvis imported fromnode:process) were missed. Both static and computed accesses are now reported.#10835
3447b2fThanks @dyc3! - Fixed #10824:useDomQuerySelectornow supports anignoreoption for receiver identifiers that should not be reported.#10875
b12e486Thanks @dyc3! - Fixed #10795:--profile-rulesnow reports timings for each plugin separately asplugin/<pluginName>, matching the naming used by plugin suppressions, instead of aggregating all plugins under a singleplugin/pluginentry.#10877
d6bc447Thanks @ematipico! - Fixed biome-zed#164: Biome no longer inserts stray whitespace when format-on-type runs after closing delimiters such as),], and}.#10867
a21463eThanks @dyc3! - Fixed #10864: Biome no longer crashes when checking or linting HTML files with unquoted attribute values such as<textarea rows=4></textarea>.v2.5.2Compare Source
Patch Changes
#10595
f458028Thanks @pkallos! - Added the optionignoreBooleanCoercionto useNullishCoalescing. When enabled, Biome ignores||and||=used inside aBoolean()call, where coalescing on falsy values is intentional.#10798
4a32b63Thanks @pkallos! - Added the optionignorePrimitivesto useNullishCoalescing. When enabled, Biome ignores||,||=, and ternary expressions whose non-nullish operands are all primitives the option opts out of. Usetrueto ignore all primitives, or an object selectingstring,number,boolean, orbigint.#10545
f3d4c00Thanks @Mokto! - Added the new nursery rulenoSvelteUnnecessaryStateWrap, which reports unnecessary$state()wrapping of classes fromsvelte/reactivitythat are already reactive.#10752
f62fb8bThanks @ematipico! - Fixed #10739. Now the ruleuseValidAutocompletecorrectly flags theautoCompleteattribute.#10796
f1b3ab2Thanks @ematipico! - Fixed #10768. Improved the performance of the Biome Language Server by cancelling certain in-flight operations when there are fast updates.#10719
aa649b5Thanks @minseong0324! - FixednoMisleadingReturnTypefalse positive on returns that use a widening type assertion:"a" as stringis no longer reported as misleading. The rule now also reports a literal-pinning assertion such asfalse as false, matching the existingas constbehavior.#10678
8f073a7Thanks @PranavAchar01! - Fixed #7718: Biome now correctly parses CSS nesting selectors when&appears as a trailing sub-selector after a type selector, e.g.h1& { color: red; }.#10756
5ec965aThanks @denbezrukov! - Fixed CSS formatter output for selector lists withallowWrongLineCommentsand//comments after a selector comma. Biome now keeps the selector before the line comment inline instead of breaking it across descendant combinators.#10757
6232fcdThanks @PranavAchar01! - Fixed #8269: the CSS parser now accepts Tailwind@variantand@utilitynames that start with a digit, such as the2xlbreakpoint.#10777
575ced6Thanks @WaterWhisperer! - Fixed an issue reported in #10708: the GitLab reporter now handles--verbosediagnostics filtering correctly.#10281
0efe244Thanks @Zelys-DFKH! - Fixed a bug where GritQL patterns rejected positional (unkeyed) arguments.#10758
e36fd8aThanks @henrybrewer00-dotcom! - Fixed #10697: The formatter no longer removes the parentheses around anawaitoryieldexpression used as the target of a TypeScript instantiation expression. For example,(await makeFactory)<Value>is no longer reformatted toawait makeFactory<Value>, which would change the meaning of the code.#10586
3617094Thanks @IxxyDev! - Fixed #9568:noFloatingPromisesno longer reports a false positive when calling an overloaded function and the selected overload does not return a promise.#10766
7aff4c1Thanks @JamBalaya56562! - Fixed #2862:noInteractiveElementToNoninteractiveRoleno longer reports custom elements (a tag name containing a dash, e.g.<my-button role="img" />). Per the W3C HTML-ARIA specification, a custom element may be given any role or none.#10680
771daa4Thanks @WaterWhisperer! - Fixed #10635: Biome now recognizes chainedtable tests such as
test.concurrent.each()andit.concurrent.each()as test calls, fixingnoMisplacedAssertionfalse positives and improving formatting for those test declarations.#10759
34570b5Thanks @henrybrewer00-dotcom! - Fixed #10636: noStaticElementInteractions no longer reports a false positive for event handlers on Svelte special elements such as<svelte:window>,<svelte:document>, and<svelte:body>. These are not real DOM elements, so they are now ignored by the rule.#10741
bd2364eThanks @JamBalaya56562! - Fixed #6686: theragecommand now respects the--config-pathoption and theBIOME_CONFIG_PATHenvironment variable when loading the Biome configuration. Previously it always used the default configuration resolution and reported the configuration asNot setwhen nobiome.jsonexisted in the working directory.#10763
2c3e82dThanks @Aqu1bp! - Fixed #10742:noSolidDestructuredPropsnow reports destructured props in Solid function components and JSX children.#10606
a4cc4abThanks @Mokto! - Fixed false positives innoUnusedImports,noUnusedVariables, anduseImportTypefor Svelte components that use both a<script module>and a<script>block. The two blocks compile to a single module and share a top-level scope, so a binding (import, function, or variable) declared in one block and used only in the other is no longer reported as unused.#10767
36d5aa7Thanks @otkrickey! - Fixed #10754:useVueValidVBindno longer reports the Vue 3.4+ same-name shorthand as missing a value.:fooandv-bind:fooare now accepted as equivalent to:foo="foo", whilev-bind,v-bind:[dynamicArg], and:[dynamicArg]without a value continue to be reported.#10775
a918af0Thanks @WaterWhisperer! - Fixed an issue reported in #10708:biome ragedidn't detect running Biome daemon pipes on Windows.#10730
5a2e65bThanks @dinocosta! - Fixed an issue where Biome was resolving the well-known Zed settings file from the wrong location on macOS and Windows.#10807
d97fffeThanks @ematipico! - Fixed an issue where.scssfiles were incorrectly analyzed when runningbiome check.#10672
53c6efcThanks @ematipico! - Fixed a bug where Biome incorrectly formatted snippets that have parsing errors.#10719
aa649b5Thanks @minseong0324! - FixeduseAwaitThenablefalse positive when awaiting a custom thenable that is not the globalPromise. A value with a callablethenmember is now recognized as awaitable.#10734
4396496Thanks @BangDori! - Fixed #10708:biome migratenow preserves trivia when migrating the deprecatedrecommendedoption topreset.#10683
ae31a00Thanks @Netail! - Fixed #10657 #10671 #10661 #10637 #10718: HTML rules now correctly handle dynamic attributes.#10746
54e8239Thanks @ematipico! - Fixed an issue wherenoUndeclaredClassesdidn't correctly detect styles defined inside the Astro directiveis:global.#10770
dd1429cThanks @ematipico! - Improved the Biome Language Server DX by orchestrating certain operations, so that they won't block the editor during typing. This improvement is more visible in large documents.#10473
d9b5133Thanks @Mokto! - ImprovednoUnusedImports,noUnusedVariables,noUnusedFunctionParameters, anduseImportTypefor Svelte, Vue, and Astro files (withhtml.experimentalFullSupportEnabled). Bindings used only in the template — including component tags, attribute interpolations, directives,bind:shorthand, and snippet parameters — are no longer reported as unused, while genuinely unused ones still are.#10796
f1b3ab2Thanks @ematipico! - Fixed an issue where the Biome Language Server didn't enable project or type-aware lint rules, even when they were explicitly enabled.#10746
54e8239Thanks @ematipico! - Fixed an issue wherenoUndeclaredClassesdidn't detect styles declared inside HTML documents.#10774
bde945bThanks @pattrickrice! - Fixed #10268 where a race condition resulted in internal errors such as:The file biome.json does not exist in the workspace.v2.5.1Compare Source
Patch Changes
#10722
f8a303dThanks @denbezrukov! - Fixed CSS formatter output for comments between import media queries.#10738
9fdc560Thanks @JamBalaya56562! - Fixed #9899: thejsonandjson-prettyreporters now escape backslashes in a diagnostic'slocation.path. Previously, paths containing backslashes (such as Windows-style paths) were emitted unescaped, producing invalid JSON.#10626
5f837dfThanks @tom-groves! - Fixed #10625:biome migrateno longer emits an invalid trailing comma when a renamed rule (such asnoConsoleLog→noConsole) is the last member of its rule group. Previously this produced malformed output that aborted the migration of a strict-JSONbiome.jsonwith a parsing error.#10535
c245f9dThanks @Mokto! - Fixed a false positive innoUnusedVariablesfor Svelte files where variables referenced inside{@​html expr}blocks were incorrectly reported as unused.#10668
a0f197eThanks @Netail! - Thebiome initcommand has been updated to include a more up-to-date URL to the first-party extensions page.#10667
d8c3e87Thanks @Netail! - Fixed #10664: useErrorCause now correctly detects a shorthand property.#10696
ef2373fThanks @ematipico! - Fixed #9566. Improved how the Biome Language Server loads multiple configuration files inside a workspace.#10705
4ccb410Thanks @ematipico! - Fixed #10652. Biome plugins are now properly filtered when using--onlyand--skipflags.#10669
aa0a6ebThanks @Netail! - Fixed #10651: useInlineScriptId now correctly trims trivia to detect if an id attribute has been set.#10689
844b1beThanks @ematipico! - Fixed #10658. The issue was caused by the "Go-to definition" editor feature, which was enabled by default. The feature is now disabled by default. To work, the feature triggers the scanner to build the module graph. This caused memory leak issues in cases where Biome starts in the home directory to modify files.If you relied on this new feature, you must now turn on using the [editor settings] of the extension e.g. Zed and VSCode.
#10695
043fbb5Thanks @ematipico! - Fixed #10674. Biome now throws an error when the fieldlevelis missing from a rule option.#10712
5941df2Thanks @Conaclos! - Improved the diagnostic and the documentation ofuseFlatMap.#10615
23814f1Thanks @qwertycxz! - Improved the DX the JSON schema when it's used by certain code editors like VSCode.#10688
ec69489Thanks @ematipico! - Fixed a bug where the Biome Daemon did not correctly shut down when the editor was closed during an in-progress operation, especially while scanning.#10701
6c2e0d7Thanks @ematipico! - Fixed #10694. The Biome Language Server no longer prints an error when the user hovers a variable imported from node_modules.#10681
888515bThanks @Conaclos! - FixeduseExportTypethat reported useless details in some diagnostics.#10220
3694a13Thanks @theBGuy! - FixeduseAnchorContentfalse positive for<a>elements used as render prop values (e.g.render={<a href="..." />}), a pattern where the receiving component renders its children inside the anchor element.#10702
98823fbThanks @ematipico! - Fixed #10612. The Biome parser now correctly parses processing instructions. The following SVG doesn't throw errors anymore:honojs/node-server (@hono/node-server)
v2.0.8Compare Source
What's Changed
--no-git-checksoption forpnpm stage publishby @yusukebe in #369Full Changelog: honojs/node-server@v2.0.7...v2.0.8
v2.0.6Compare Source
actions/checkout (actions/checkout)
v6.0.3Compare Source
honojs/hono (hono)
v4.12.29Compare Source
What's Changed
compatibilityDateby @yusukebe in #5100*as a match by @yusukebe in #5084New Contributors
Full Changelog: honojs/hono@v4.12.28...v4.12.29
v4.12.28Compare Source
What's Changed
*.tsbuildinfoby @yusukebe in #5066devDependenciesby @yusukebe in #5085New Contributors
Full Changelog: honojs/hono@v4.12.27...v4.12.28
v4.12.27Compare Source
Security fixes
This release includes fixes for the following security issues:
hono/jsx does not isolate context per request
Affects:
hono/jsx,hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, souseContext()/useRequestContext()read after anawaitin an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfjServer-Side XSS via JSX escaping bypass in cx()
Affects:
hono/css.cx()marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSXclassattribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59API Gateway v1 adapter can drop a repeated request header value
Affects:
hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g.203.0.113.1dropped when203.0.113.10is present) — affecting logic such asX-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvcUsers of
hono/jsx/hono/jsx-renderer,hono/css(cx()), or thehono/aws-lambdaAPI Gateway v1 / VPC Lattice adapters are encouraged to upgrade.v4.12.26Compare Source
What's Changed
Full Changelog: honojs/hono@v4.12.25...v4.12.26
pnpm/pnpm (pnpm)
v11.11.0Compare Source
Minor Changes
508b8c2: Added thepnpm accesscommand for managing package access and visibility on the registry, supporting listing packages and collaborators, getting and setting package status and MFA requirements, and granting or revoking team access.Patch Changes
c70e33e: AllowallowBuildsentries for git-hosted packages to match by repository URL without pinning the resolved commit hash. This lets trusted git repositories keep running their build scripts after branch updates without approving each new commit, while package-name-only rules still do not approve git-hosted artifacts.3067e4f: Reduced peak memory usage during cold-cache dependency resolution. The metadata fetch is memoized for the whole resolution phase, and it was retaining each package's raw registry response body (used only to mirror the response to disk) for that entire time. The memoized cache now holds a body-less copy, so the raw body only lives as long as the call that writes the disk mirror. On large graphs that fetch full metadata (e.g. withminimumReleaseAgeortrustPolicyenabled) this cuts peak RSS by roughly 30%, back in line with pnpm 10. The resolved lockfile is unchanged.51300fd: Prevent a craftedpnpm-lock.yamlfrom writing package content outside the virtual store. A dependency path key whose name reconstructs to a path-traversal sequence (e.g.../../../tmp/x@1.0.0) is now rejected by the isolated (virtual-store) linker and the Plug'n'Play resolver map, matching the containment already applied to the hoisted linker. Under the global virtual store, a traversal in the version-derived path segment (e.g. a snapshotversion: "../../x") is now rejected atformatGlobalVirtualStorePath, the single point every global-virtual-store slot path funnels through — closing the same escape in the isolated linker, the resolver's dependency-graph builder, and the config-dependency installer.f8058eb: Reject symlinkedpnpm-lock.yamlfiles when reading or writing the env lockfile document.9318a11: AllowregistriesandnamedRegistriesto be configured in the globalconfig.yamlfile.51300fd: Fixed a path traversal vulnerability where a dependency whose manifestnamewas a scoped path traversal (e.g.@x/../../../<path>) could be written outsidenode_modulesto an attacker-controlled location duringpnpm install, even with--ignore-scripts. The isolated linker now validates the package name before using it as a directory name, matching the existing protection in the hoisted linker.14332f0: Fail instead of silently removing an optional dependency's locked entries frompnpm-lock.yamlwhen the registry cannot resolve it. Previously, when registry metadata lacked a version that the lockfile already pinned (for example, a mirror that had not synced a recent release yet),pnpm installandpnpm dedupesilently dropped the optional dependency's entries — emptying maps such as the platform binaries of@napi-rs/canvas— so the lockfile differed between machines and frozen installs on other hosts had nothing to link #12853.fecfe83: Fixed peer dependency resolution withautoInstallPeerswhen a workspace package depends on a version of a package that a transitive dependency's self-contained closure also provides for itself. The peer providers that are attached to the root project for reuse are no longer peer-resolved a second time in the root context, so packages inside such a closure no longer get their peers bound to the root project's incompatible version #4993.5a4daec:${...}environment-variable placeholders in thehttpProxy,httpsProxy,noProxy,proxy, andnoproxysettings are no longer expanded when these settings come from a project'spnpm-workspace.yaml. They now receive the same protection already applied toregistry,namedRegistries, andpnprServer.d1da02e:pnpm publishno longer prints credentials when the target registry is configured with inlineuser:pass@credentials (e.g.registry=https://user:pass@example.com/). They are now redacted both from the "publishing to registry" line and from the OIDC (trusted publishing) failure messages.dcfc611:pnpm self-updatenow honorstrustPolicy=no-downgrade. It resolves the target pnpm version against full registry metadata, so it refuses to switch to a version whose supply-chain trust evidence is weaker than an earlier-published one, the same way a regular install does.a8ad82d: Register thepnalias in generated shell completion scripts.25bd5c3: Fixed standalone installer downgrades from pnpm v12 to v11.23996e9:pnpm runtime set <name> <version>now validates its arguments: the name must benode,deno, orbun, and the version must not contain a comma. Previously these were interpolated straight into apnpm addselector, where an unsupported name or a comma (e.g.node 22,is-positive) could be misread as a list of packages or a local directory and install unintended packages or bins.v11.10.0Compare Source
Minor Changes
e2e3c81: Added theissuescommand as an alias ofbugs, sopnpm issuesopens the package's bug tracker URL in the browser.8491f8e: Added theprefixcommand which prints the current package prefix directory (or global prefix directory if-g/--globalis used).3425e80: Added an_authsetting for configuring registry authentication as a single structured (URL-keyed) value. It can be set in the global pnpm config (config.yaml) or, for CI, via thepnpm_config__authenvironment variable. The env form sidesteps the GitHub Actions / bash / zsh limitation that broke the existingpnpm_config_//host/:_authToken=…form (env var names containing/,:, or.are silently dropped). Closes #12314.The value is keyed by registry URL so each secret is explicitly bound to the host that may receive it. Registry URL keys must use
httporhttpsand must not include credentials, query strings, or fragments:The equivalent in the global
config.yaml:Within each registry URL,
@means registry-wide/default credentials and package scopes like@orgbind credentials to that scope on the same host. The only supported credential field isauthToken(maps to_authToken/ bearer auth); the deprecatedbasicAuth/username+passwordforms are intentionally not accepted here.Each entry also infers a trusted registry route:
@routes the default registry (andpnpm add <pkg>resolves there), and@orgroutes that scope. Because the credential and destination host arrive in one trusted value, repo-controlledpnpm-workspace.yamlor project.npmrccannot redirect the token to a different host._authis honored only from the env var and the global config — it is ignored in a projectpnpm-workspace.yaml/.npmrc, so repo-controlled config can never supply registry auth. Precedence: CLI flags (--registry,--@​scope:registry) >pnpm_config__auth> globalconfig.yaml_auth>pnpm-workspace.yaml.Both
pnpm_config__auth(lowercase, documented form) andPNPM_CONFIG__AUTH(all-caps, the shell convention some CI runners apply) are honored. If both are set, lowercase wins unless it is empty, in which case uppercase is used. The env var wins over the globalconfig.yaml_authon a conflicting key.tokenHelperis not supported in_auth. Parsing is strict: a malformed value (bad JSON, wrong shape, invalid registry URL or scope, an unsupported credential field) fails fast with an error rather than being silently dropped.Pacquet parity note: the pacquet (Rust) port supports the same single credential field as the TS CLI:
authToken.a33eeec:pnpm self-updateandpackageManagerversion-switching can now install and link pnpm v12 (the Rust port), published with equal content under both thepnpmand@pnpm/exenames on thenext-12dist-tag. Its native binaries ship as@pnpm/exe.<platform>-<arch>packages, which pnpm's built-in installer links directly — no Node.js launcher, so the command pays no Node startup cost. v12 is initialized exactly like@pnpm/exe, including per-platform global-virtual-store hashing. From v12 onward the install converges on the unscopedpnpmpackage (the Rust exe) — even when updating from the SEA@pnpm/exebuild.1dd12bd: When resolving through a pnpr install-accelerator server, pnpm no longer forwards its own upstream registry credentials in the resolve request. Only theAuthorizationheader identifying the caller to pConfiguration
📅 Schedule: (in timezone Asia/Tokyo)
* 0 * * *)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.