Bump the npm-dependencies group across 1 directory with 7 updates

[dependabot]

Bumps the npm-dependencies group with 7 updates in the / directory:

Package	From	To
@biomejs/biome	2.3.11	2.4.9
@redocly/cli	2.14.7	2.25.1
@types/node	25.0.10	25.5.0
lefthook	2.0.15	2.1.4
typedoc	0.28.16	0.28.18
typescript	5.9.3	6.0.2
vitest	4.0.18	4.1.2

Updates @biomejs/biome from 2.3.11 to 2.4.9

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.9

2.4.9

Patch Changes

• #9315 085d324 Thanks @​ematipico! - Added a new nursery CSS rule noDuplicateSelectors, that disallows duplicate selector lists within the same at-rule context.

  For example, the following snippet triggers the rule because the second selector and the first selector are the same:

  /* First selector */
  .x .y .z {
  }
  /* Second selector */
  .x {
  .y {
  .z {
  }
  }
  }

• #9567 b7ab931 Thanks @​ematipico! - Fixed #7211: useOptionalChain now detects negated logical OR chains. The following code is now considered invalid:

  !foo || !foo.bar;

• #8670 607ebf9 Thanks @​tt-a1i! - Fixed #8345: useAdjacentOverloadSignatures no longer reports false positives for static and instance methods with the same name. Static methods and instance methods are now treated as separate overload groups.

  class Kek {
    static kek(): number {
      return 0;
    }
    another(): string {
      return "";
    }
    kek(): number {
      return 1;
    } // no longer reported as non-adjacent
  }

• #9476 97b80a8 Thanks @​masterkain! - Fixed [#9475](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome/issues/9475): Fixed a panic when Biome analyzed ambient TypeScript modules containing class constructor, getter, or setter signatures that reference local type aliases. Biome now handles these declarations without crashing during semantic analysis.

• #9553 0cd5298 Thanks @​dyc3! - Fixed a bug where enabling the rules of a whole group, would enable rules that belonged to a domain under the same group.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.9

Patch Changes

• #9315 085d324 Thanks @​ematipico! - Added a new nursery CSS rule noDuplicateSelectors, that disallows duplicate selector lists within the same at-rule context.

  For example, the following snippet triggers the rule because the second selector and the first selector are the same:

  /* First selector */
  .x .y .z {
  }
  /* Second selector */
  .x {
  .y {
  .z {
  }
  }
  }

• #9567 b7ab931 Thanks @​ematipico! - Fixed #7211: useOptionalChain now detects negated logical OR chains. The following code is now considered invalid:

  !foo || !foo.bar;

• #8670 607ebf9 Thanks @​tt-a1i! - Fixed #8345: useAdjacentOverloadSignatures no longer reports false positives for static and instance methods with the same name. Static methods and instance methods are now treated as separate overload groups.

  class Kek {
    static kek(): number {
      return 0;
    }
    another(): string {
      return "";
    }
    kek(): number {
      return 1;
    } // no longer reported as non-adjacent
  }

• #9476 97b80a8 Thanks @​masterkain! - Fixed [#9475](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome/issues/9475): Fixed a panic when Biome analyzed ambient TypeScript modules containing class constructor, getter, or setter signatures that reference local type aliases. Biome now handles these declarations without crashing during semantic analysis.

• #9553 0cd5298 Thanks @​dyc3! - Fixed a bug where enabling the rules of a whole group, would enable rules that belonged to a domain under the same group.

  For example, linter.rules.correctness = "error" no longer enables React- or Qwik-specific correctness rules unless linter.domains.react, linter.domains.qwik, or an explicit rule config also enables them, or their relative dependencies are installed.

... (truncated)

Commits

• ad37526 ci: release (#9620)
• eb57e3a chore: use npmx.dev badge (#9614)
• e168494 feat(linter): add rule noUntrustedLicenses (#9474)
• 085d324 feat(css): add noDuplicateSelectors (#9315)
• 4d050df feat(analyze): implement noInlineStyles (#9534)
• 723798b feat: apply fix to use consistent method signatures (#9544)
• f4bf341 ci: release (#9517)
• e7b3b10 feat(lint): add noDrizzleDeleteWithoutWhere and noDrizzleUpdateWithoutWhere r...
• 1f30838 ci: release (#9346)
• 3ac98eb feat(css/lint): useBaseline (#9318)
• Additional commits viewable in compare view

Updates @redocly/cli from 2.14.7 to 2.25.1

Release notes

Sourced from @​redocly/cli's releases.

@​redocly/cli@​2.25.1

Patch Changes

• Fixed an issue where a message about a missing configuration was shown even though the --extends option was provided.
• Updated @​redocly/openapi-core to v2.25.1.

@​redocly/cli@​2.25.0

Minor Changes

• Added no-mixed-number-range-constraints rule for OpenAPI 3.1+, as well as for AsyncAPI and Arazzo. This rule warns when schemas use both maximum and exclusiveMaximum or both minimum and exclusiveMinimum keywords.

Patch Changes

• Fixed an issue where invalid discriminator mapping values could cause linting to fail.
• Resolved high severity audit vulnerabilities by updating dependency versions.
• Updated @​redocly/openapi-core to v2.25.0.

@​redocly/cli@​2.24.1

Patch Changes

• Downgraded undici to resolve an issue where formData was being submitted empty.
• Updated @​redocly/openapi-core to v2.24.1.

@​redocly/cli@​2.24.0

Patch Changes

• Updated @​redocly/openapi-core to v2.24.0.

@​redocly/cli@​2.23.0

Minor Changes

• Added support of targets property in scorecardClassic. Use this property to override scorecardClassic rules for a specific API.

Patch Changes

• Updated @​redocly/openapi-core to v2.23.0.

@​redocly/cli@​2.22.1

Patch Changes

• Updated undici to the 6.24.1 version to ensure improved performance, security, and compatibility.
• Updated @​redocly/openapi-core to v2.22.1.

@​redocly/cli@​2.22.0

Minor Changes

• Added support of checkstyle format for scorecard-classic command.

... (truncated)

Commits

• bb802e1 chore: 🔖 release new versions (#2688)
• d336c1e fix: do not show the message about missing configuration when the --extends o...
• 176a255 chore: add cli performence test (#2686)
• af1ff60 chore: 🔖 release new versions (#2678)
• 3aa0473 chore: update config to 0.43.0 (#2685)
• 7e85583 chore: update analytics data format (#2597)
• 544533b fix: prevent failing when discriminator mapping value is null (#2681)
• 4c53b0b chore: fix github actions (#2683)
• d4858cc chore(security): update github actions and pin to commit sha (#2682)
• b7c0c0f feat: allow the no-mixed-number-range-constraints rule for AsyncAPI and Arazz...
• Additional commits viewable in compare view

Updates @types/node from 25.0.10 to 25.5.0

Commits

• See full diff in compare view

Updates lefthook from 2.0.15 to 2.1.4

Release notes

Sourced from lefthook's releases.

v2.1.4

Changelog

• 21479f941dcf73bd826cd169088983320fdc31d6 fix: bring back {lefthook_job_name} template (#1347)
• c586f14d15cbef841c988420da6e21d903859764 fix: separate more commands' non-option args with -- (#1339)
• 8dcd4aef558c1676d0ac724e220d241a71e6a861 pkg: fix scripts (#1348)
• 2fac7285db9090f0e88478fdcb50353452250655 pkg: make it easier to read (#1340)
• 32af36b1b832891df7dfb7411b4c2e273aefc3d7 pkg: refactor packaging (2) (#1346)
• 5354773b454a8c5e7a916d909782661bc6b1f896 pkg: refactor packaging scripts (#1308)

v2.1.3

Changelog

• 044ebf3a8c36f323d3ca32f4d1c42dc22cfd3cb9 chore(ci): switch artifact attestations gen to actions/attest v4 (#1338)
• 73d1680f6bd934ee2d18071ae14df2338a2ee670 chore: describe ENV variables usage in CLI help output (#1337)
• a9cb6568acb08dfde150b9753afe815abb030e84 chore: small code improvements (#1336)
• 9478fd55f0cd485cd4bbe62187357f27239c43c2 deps: March 2026 (#1330)
• 5afae26dc3a03503ceb0f66be4a8c61aca084662 feat: update minimum go version (#1331)
• 8da90752970ad6733c27cee44e15b3349856b12a fix: support git debug versions (#1334)

v2.1.2

Changelog

• 737a6f71589e6a2e6f704be4d6c485d473c25b69 ci: freeze docmd (#1327)
• 6fb8e50d09202a71683fd0c160ba9458d0fe38be feat: introduce setup hook option (#1326)
• 246f1c99f02be680a8ce24c9d880f2570d25b212 fix: rollback auto-staged changes if unwanted changes detected (#1251)
• af21ce3978a6a9ab79cdc8150e515d4dcd15434d pkg(pypi): fix python packages publishing
• 52c5d93b452c67490b8aa7488761ad19a098fb33 refactor: recovering logic for changesets (#1324)

v2.1.1

Changelog

• beae38f0e4f132d685247310116464a50ac6a11b chore: reduce verbosity of hints in lefthook install (#1303)
• 59c72606e76f6ca42cc5989a28ed79f42cf0d5a7 ci: fix publishing to PyPi
• b6cdb2ed9778561860b244df033c73af23ef0291 docs(install): add missing /v2 suffix for go get -tool (#1304)
• 47b48679bf1af27633902fa4d1098cf79547bcfd fix: reset colors on config read (#1309)

v2.1.0

Changelog

• 6cb576e73621d7b263094663c64827ab96e271ae chore: fancy wording and indentation for hits
• 9ace994a09c6a642a1be7df8fe11586f72827bfe ci: skip Python publishing
• 47b8f5c06f19db0ba26a6283579238248e995bfe feat: allow installing non-git hooks (#1301)
• ec7e8e18afc0d5c002d761f937ae5db84dddb6e0 feat: check core.hooksPath when lefthook install (#1292)

v2.0.16

Changelog

• 432efde268b98e5874281d7ca3cb16306bcdd04a chore(golangci-lint): upgrade to 2.8.0 (#1278)
• 130855b6a576799afcd1d32f7ab4e1e286ef69d1 chore: timeout cleanup (#1297)
• 4217025c2fef2caa2abe334ef2beeabeca3d7e05 deps: January 2026 (#1285)
• 272b59b38c50e948602e28c363c39a6e33936f43 docs(remotes): elaborate on when to refetch and failure mode (#1287)
• e6adbbaf0b12e6cbe72e95e9e482617d0b4ac36c feat: add timeout argument (#1263)
• a50fcff10df9ccc0afa0c4c7236d1b48b4215f93 fix(jsonschema): accept string in file_types (#1288)
• 8b88796491706f4c897b26d289d429988c4be411 fix: try reading direct file instead of all remotes (#1243)
• 7c6b73327162b93661ad59fe6705ccbfd4beefc1 perf!: skip ghost hook when hooks are already configured (#1255)

... (truncated)

Changelog

Sourced from lefthook's changelog.

2.1.4 (2026-03-12)

• pkg: fix scripts (#1348) by @​mrexox
• fix: bring back {lefthook_job_name} template (#1347) by @​mrexox
• pkg: refactor packaging (2) (#1346) by @​mrexox
• fix: separate more commands' non-option args with -- (#1339) by @​scop
• docs: change logo to point to landing page instead of itself (#1343) by @​igas
• pkg: make it easier to read (#1340) by @​mrexox
• pkg: refactor packaging scripts (#1308) by @​mrexox

2.1.3 (2026-03-07)

• chore: switch artifact attestations gen to actions/attest v4 (#1338) by @​scop
• chore: describe ENV variables usage in CLI help output (#1337) by @​mrexox
• fix: support git debug versions (#1334) by @​mrexox
• deps: March 2026 (#1330) by @​mrexox
• feat: update minimum go version (#1331) by @​mrexox

2.1.2 (2026-03-01)

• feat: introduce setup hook option (#1326) by @​mrexox
• refactor: recovering logic for changesets (#1324) by @​mrexox
• fix: rollback auto-staged changes if unwanted changes detected (#1251) by @​tuchfarber
• docs: improve docs ui (#1323) by @​mrexox
• docs: additional skip example and note about reinstallation (#1319) by @​iloveitaly
• docs: fix incorrect --verbose usage (#1318) by @​iloveitaly
• pkg: fix python packages publishing by @​mrexox

2.1.1 (2026-02-12)

• ci: fix publishing to PyPi by @​mrexox
• fix: reset colors on config read (#1309) by @​mrexox
• chore: reduce verbosity of hints in lefthook install (#1303) by @​joevin-slq-docto
• docs: add missing /v2 suffix for go get -tool (#1304) by @​alexandregv

2.1.0 (2026-02-03)

• ci: skip Python publishing by [@​mrexox][]
• chore: fancy wording and indentation for hits by [@​mrexox][]
• feat: check core.hooksPath when lefthook install (#1292) by [@​joevin-slq-docto][]
• feat: allow installing non-git hooks (#1301) by [@​mrexox][]

2.0.16 (2026-01-27)

• chore: timeout cleanup (#1297) by @​mrexox
• feat: add timeout argument (#1263) by @​franzramadhan
• deps: January 2026 (#1285) by @​mrexox
• pkg: pack one binary per platform into python wheels (#1181) by @​danfimov
• fix: accept string in file_types (#1288) by @​scop
• docs: elaborate on when to refetch and failure mode (#1287) by @​scop

... (truncated)

Commits

• 83ec3a9 2.1.4: bring back {lefthook_job_name}
• 8dcd4ae pkg: fix scripts (#1348)
• 21479f9 fix: bring back {lefthook_job_name} template (#1347)
• 32af36b pkg: refactor packaging (2) (#1346)
• c586f14 fix: separate more commands' non-option args with -- (#1339)
• e021d4d docs: change logo to point to landing page istead of itself (#1343)
• 2fac728 pkg: make it easier to read (#1340)
• 5354773 pkg: refactor packaging scripts (#1308)
• c32f9a4 2.1.3: update dependencies
• 044ebf3 chore(ci): switch artifact attestations gen to actions/attest v4 (#1338)
• Additional commits viewable in compare view

Updates typedoc from 0.28.16 to 0.28.18

Release notes

Sourced from typedoc's releases.

v0.28.18

Features

• Support TypeScript 6.0, #3084.

v0.28.17

Bug Fixes

• Improved handling of comments for type aliases which have been declaration merged with functions, #3064.
• Fixed anchor link generation to members named $, #3065.
• Corrected typing of the plugin option to permit functions, #3066.
• Warnings about unused @param tags will now be properly suppressed when they come from declaration files and the suppressCommentWarningsInDeclarationFiles option is enabled, #3070.
• Fixed conversion of types referencing type parameters on functions, #3071.

Thanks!

• @​pjeby

Changelog

Sourced from typedoc's changelog.

v0.28.18 (2026-03-23)

Features

• Support TypeScript 6.0, #3084.

v0.28.17 (2026-02-13)

Bug Fixes

• Improved handling of comments for type aliases which have been declaration merged with functions, #3064.
• Fixed anchor link generation to members named $, #3065.
• Corrected typing of the plugin option to permit functions, #3066.
• Warnings about unused @param tags will now be properly suppressed when they come from declaration files and the suppressCommentWarningsInDeclarationFiles option is enabled, #3070.
• Fixed conversion of types referencing type parameters on functions, #3071.

Thanks!

• @​pjeby

Commits

• 1ebdcb1 Update changelog for release
• 59463c1 Bump version to 0.28.18
• af07198 Fix example build, plugin list tweaks
• 2a2ccdd Support TypeScript 6.x and update dependencies
• 2d23fc0 Actually fix lint
• 807f346 Fix lint, update dprint plugins
• f5be63f Update deps, closes #3080
• 207f1b6 Update docs for @​ignore
• 7b25e84 More docs about custom tags
• fe89773 Recommend a JS config file for defining tags
• Additional commits viewable in compare view

Updates typescript from 5.9.3 to 6.0.2

Release notes

Sourced from typescript's releases.

TypeScript 6.0

For release notes, check out the release announcement blog post.

• fixed issues query for TypeScript 6.0.0 (Beta).
• fixed issues query for TypeScript 6.0.1 (RC).
• fixed issues query for TypeScript 6.0.2 (Stable).

Downloads are available on:

• npm

TypeScript 6.0 Beta

For release notes, check out the release announcement.

• fixed issues query for Typescript 6.0.0 (Beta).

Downloads are available on:

• npm

Commits

• 607a22a Bump version to 6.0.2 and LKG
• 9e72ab7 🤖 Pick PR #63239 (Fix missing lib files in reused pro...) into release-6.0 (#...
• 35ff23d 🤖 Pick PR #63163 (Port anyFunctionType subtype fix an...) into release-6.0 (#...
• e175b69 Bump version to 6.0.1-rc and LKG
• af4caac Update LKG
• 8efd7e8 Merge remote-tracking branch 'origin/main' into release-6.0
• 206ed1a Deprecate assert in import() (#63172)
• e688ac8 Update dependencies (#63156)
• 29b300d Bump the github-actions group across 1 directory with 2 updates (#63205)
• 0c2c7a3 DOM update (#63183)
• Additional commits viewable in compare view

Updates vitest from 4.0.18 to 4.1.2

Release notes

Sourced from vitest's releases.

v4.1.2

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (vitest-dev/vitest#9975).

   🐞 Bug Fixes

• Don't resolve setupFiles from parent directory  -  by @​hi-ogawa in vitest-dev/vitest#9960 (7aa93)
• Ensure sequential mock/unmock resolution  -  by @​hi-ogawa and Claude Opus 4.6 in vitest-dev/vitest#9830 (7c065)
• browser: Take failure screenshot if toMatchScreenshot can't capture a stable screenshot  -  by @​macarie in vitest-dev/vitest#9847 (faace)
• coverage: Correct coverageConfigDefaults values and types  -  by @​Arthie in vitest-dev/vitest#9940 (b3c99)
• pretty-format: Fix output limit over counting  -  by @​hi-ogawa in vitest-dev/vitest#9965 (d3b7a)
• Disable colors if agent is detected  -  by @​sheremet-va and @​AriPerkkio in vitest-dev/vitest#9851 (6f97b)

    View changes on GitHub

v4.1.1

   🚀 Features

• experimental:
  • Expose matchesTags to test if the current filter matches tags  -  by @​sheremet-va in vitest-dev/vitest#9913 (eec53)
  • Introduce experimental.vcsProvider  -  by @​sheremet-va in vitest-dev/vitest#9928 (56115)

   🐞 Bug Fixes

• Mark TestProject.testFilesList internal properly  -  by @​sapphi-red in vitest-dev/vitest#9867 (54f26)
• Detect fixture that returns without calling use  -  by @​oilater in vitest-dev/vitest#9831 and vitest-dev/vitest#9861 (633ae)
• Drop vite 8.beta support  -  by @​AriPerkkio in vitest-dev/vitest#9862 (b78f5)
• Type regression in vi.mocked() static class methods  -  by @​purepear and @​hi-ogawa in vitest-dev/vitest#9857 (90926)
• Properly re-evaluate actual modules of mocked external  -  by @​hi-ogawa in vitest-dev/vitest#9898 (ae5ec)
• Preserve coverage report when html reporter overlaps  -  by @​hi-ogawa in vitest-dev/vitest#9889 (2d81a)
• Provide vi.advanceTimers to the preview provider  -  by @​sheremet-va in vitest-dev/vitest#9891 (1bc3e)
• Don't leak event listener in playwright provider  -  by @​sheremet-va in vitest-dev/vitest#9910 (d9355)
• Open browser in --standalone mode without running tests  -  by @​sheremet-va in vitest-dev/vitest#9911 (e78ad)
• Guard disposable and optional body  -  by @​sheremet-va in vitest-dev/vitest#9912 (6fdb2)
• Resolve retry.condition RegExp serialization issue  -  by @​nstepien and @​hi-ogawa in vitest-dev/vitest#9942 (7b605)
• collect:
  • Don't treat extra props on test return as tests  -  by @​sheremet-va in vitest-dev/vitest#9871 (141e7)
• coverage:
  • Simplify provider types  -  by @​AriPerkkio in vitest-dev/vitest#9931 (aaf9f)
  • Load built-in provider without module runner  -  by @​AriPerkkio in vitest-dev/vitest#9939 (bf892)
• expect:
  • Soft assertions continue after .resolves/.rejects promise errors  -  by @​mixelburg, Maks Pikov, Claude Opus 4.6 (1M context) and @​hi-ogawa in vitest-dev/vitest#9843 (6d74b)
  • Fix sinon-chai style API  -  by @​hi-ogawa in vitest-dev/vitest#9943 (0f08d)
• pretty-format:
  • Limit output for large object  -  by @​hi-ogawa and Claude Opus 4.6 (1M context) in vitest-dev/vitest#9949 (0d5f9)

    View changes on GitHub

v4.1.0

Vitest 4.1 is out!

... (truncated)

Commits

• fc6f482 chore: release v4.1.2
• 6f97b55 feat: disable colors if agent is detected (#9851)
• b3c992c fix(coverage): correct coverageConfigDefaults values and types (#9940)
• 7c06598 fix: ensure sequential mock/unmock resolution (#9830)
• f54abad chore: add typo-checker skill and fix typos (#9963)
• 7aa9377 fix: don't resolve setupFiles from parent directory (#9960)
• 1f2d318 chore: release v4.1.1
• ebfde79 refactor: rename matchesTagsFilter to matchesTags (#9956)
• 5611500 feat(experimental): introduce experimental.vcsProvider (#9928)
• eec53d9 feat(experimental): expose matchesTagsFilter to test if the current filter ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions