chore(deps): bump the minor-and-patch group with 4 updates

[dependabot]

Bumps the minor-and-patch group with 4 updates: fast-xml-parser, react-hook-form, yaml and @biomejs/biome.

Updates fast-xml-parser from 5.5.5 to 5.5.8

Release notes

Sourced from fast-xml-parser's releases.

fix entity expansion and incorrect replacement and performance

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

4.5.5 / 2026-03-22

apply fixes from v5 (legacy maintenance branch v4-maintenance)

• support maxEntityCount
• support onDangerousProperty
• support maxNestedTags
• handle prototype pollution
• fix incorrect entity name replacement
• fix incorrect condition for entity expansion

5.5.8 / 2026-03-20

• pass read only matcher in callback

5.5.7 / 2026-03-19

• fix: entity expansion limits
• update strnum package to 2.2.0

5.5.6 / 2026-03-16

• update builder dependency
• fix incorrect regex to replace . in entity name
• fix check for entitiy expansion for lastEntities and html entities too

5.5.5 / 2026-03-13

• sanitize dangerous tag or attribute name
• error on critical property name
• support onDangerousProperty option

5.5.4 / 2026-03-13

• declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

5.5.3 / 2026-03-11

• upgrade builder

5.5.2 / 2026-03-11

• update dependency to fix typings

5.5.1 / 2026-03-10

• fix dependency

5.5.0 / 2026-03-10

• support path-expression-matcher
• fix: stopNode should not be parsed
• performance improvement for stopNode checking

... (truncated)

Commits

• a92a665 pass read only matcher in call back
• a21c441 update package detail
• 239b64a check for min value for entity exapantion options
• 61cb666 restrict more properties to be unsafe
• 41abd66 performance improvement of reading DOCTYPE
• 3dfcd20 refactor: performance improvement
• 870043e update release info
• 6df401e update builder dependency
• bd26122 check for entitiy expansion for lastEntities and html entities too
• 7e70dd8 fix incorrect regex to replace . in entity name
• See full diff in compare view

Updates react-hook-form from 7.71.2 to 7.72.0

Release notes

Sourced from react-hook-form's releases.

Version 7.72.0

⚓️ feat: built-in form level validate (#13195)

const { register, formState: { errors } } = useForm({
  validate: async (formValue) => {
    if (formValue.test1.length > formValue.test.length) {
      return {
        type: 'formError',
        message: 'something is wrong here',
      };
    }
if (formValue.test === 'test') {
  return 'direct error message';
}
return true;

},
});

🐞 fix: prevent useFieldArray from marking unrelated fields as dirty (#13299) 🐞 fix #13300 checkbox form validation ignored with native validation (#13310) 🌉 allow subscribe formState to track submit state (#13319)

thanks to @​WiXSL, @​BrendanC23 & @​6810779s

Commits

• 1fecf73 7.72.0
• f5373fe 🌉 allow subscribe formState to track submit state (#13319)
• f5deec5 📖 chore: update issue template CodeSandbox links (#13315)
• 3f4d0f3 🐞 fix #13300 checkbox form valdiation ignored with native valdiation (#13310)
• 2e8f081 🐞 fix: prevent useFieldArray from marking unrelated fields as dirty (#13299)
• 6067c3f ⚓️ feat: build-in form level validate (#13195)
• See full diff in compare view

Updates yaml from 2.8.2 to 2.8.3

Release notes

Sourced from yaml's releases.

v2.8.3

• Add trailingComma ToString option for multiline flow formatting (#670)
• Catch stack overflow during node composition (1e84ebb)

Commits

• ce14587 2.8.3
• 1e84ebb fix: Catch stack overflow during node composition
• 6b24090 ci: Include Prettier check in lint action
• 9424dee chore: Refresh lockfile
• d1aca82 Add trailingComma ToString option for multiline flow formatting (#670)
• 4321509 ci: Drop the branch filter from GitHub PR actions
• 47207d0 chore: Update docs-slate
• 5212fae chore: Update docs-slate
• See full diff in compare view

Updates @biomejs/biome from 2.4.7 to 2.4.8

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.8

2.4.8

Patch Changes

• #9488 bc709f6 Thanks @​mvanhorn! - Fixed #9463: the "Biome found a configuration file outside of the current working directory" diagnostic now includes the configuration file path and the working directory, giving users actionable information to debug the issue.

• #9527 2f8bf80 Thanks @​mdm317! - Fixed #8959: Fixed TypeScript arrow function formatting when a comment appears after =>.

• #9525 e7b3b10 Thanks @​ViniciusDev26! - Added the rule noDrizzleUpdateWithoutWhere to prevent accidental full-table updates when using Drizzle ORM without a .where() clause.

• #9531 1302740 Thanks @​ematipico! - Fixed #9187: Astro frontmatter containing regex literals with quotes (/'/, /"/) or dashes (/---/) no longer causes parse errors.

• #9535 b630d93 Thanks @​leno23! - Fixed #9524: remove extra space before > when bracketSameLine is true and the self-closing slash is absent in HTML formatter.

• #9537 81e6306 Thanks @​ematipico! - Fixed #9238: The HTML parser no longer incorrectly reports --- inside element content (e.g. <td>---</td>) as an "Unexpected value or character" error.

• #9532 4b64145 Thanks @​ematipico! - Fixed #9117: biome check --write no longer falsely reports Svelte and Vue files as changed when html.formatter.indentScriptAndStyle is enabled and the files are already correctly formatted.

• #9528 61451ef Thanks @​ematipico! - Fixed #9341: Fixed an LSP crash that could corrupt file content when saving with format-on-save enabled.

• #9538 794f79c Thanks @​ematipico! - Fixed #9279: The rule noSubstr now detects .substr() and .substring() calls in all expression contexts, including variable declarations, function arguments, return statements, and arrow function bodies.

• #9462 c23272c Thanks @​ematipico! - Fixed #9370: The resolver now correctly prioritizes more specific exports patterns over less specific ones. Previously, a pattern like "./*" could match before "./features/*", causing resolution failures for packages with overlapping subpath patterns.

• #9515 f85c069 Thanks @​shivamtiwari3! - Fixed #9506 and #9479: Biome no longer reports false parse errors on <script type="speculationrules"> and <script type="application/ld+json"> tags. These script types contain non-JavaScript content and are now correctly skipped by the embedded language detector.

• #9514 7fe43c8 Thanks @​ematipico! - Fixed #6964: Biome now correctly resolves the .gitignore file relative to vcs.root when configured. Previously, the vcs.root setting was ignored and Biome always looked for the ignore file in the workspace directory.

• #9521 af39936 Thanks @​ematipico! - Fixed #9483. Now the rule noRedeclare doesn't panic when it encounters constructor overloads.

• #9490 60cf024 Thanks @​willfarrell! - Added support for modern CSS properties, pseudo-classes, and pseudo-elements.

  New known properties: dynamic-range-limit, overlay, reading-flow, reading-order, scroll-marker-group, scroll-target-group.

  New pseudo-elements: ::checkmark, ::column, ::picker, ::picker-icon, ::scroll-button, ::scroll-marker, ::scroll-marker-group.

  New pseudo-classes: :active-view-transition-type, :has-slotted, :target-after, :target-before, :target-current.

• #9526 4d42823 Thanks @​ematipico! - Fixed #9358 and #9375. Now attributes that have text expressions such as class={buttonClass()} are correctly tracked in Svelte files.

• #9520 61f53ee Thanks @​ematipico! - Fixed #9519. Now noUnusedVariables doesn't flag variables that are used as typeof type.

• #9487 331dc0d Thanks @​mvanhorn! - Fixed #9477: source.fixAll.biome no longer sorts imports when source.organizeImports.biome is disabled in editor settings. The organize imports action is now excluded from the fix-all pass unless explicitly requested.

• #9525 e7b3b10 Thanks @​ViniciusDev26! - Added the rule noDrizzleDeleteWithoutWhere to prevent accidental full-table deletes when using Drizzle ORM without a .where() clause.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.8

Patch Changes

• #9488 bc709f6 Thanks @​mvanhorn! - Fixed #9463: the "Biome found a configuration file outside of the current working directory" diagnostic now includes the configuration file path and the working directory, giving users actionable information to debug the issue.

• #9527 2f8bf80 Thanks @​mdm317! - Fixed #8959: Fixed TypeScript arrow function formatting when a comment appears after =>.

• #9525 e7b3b10 Thanks @​ViniciusDev26! - Added the rule noDrizzleUpdateWithoutWhere to prevent accidental full-table updates when using Drizzle ORM without a .where() clause.

• #9531 1302740 Thanks @​ematipico! - Fixed #9187: Astro frontmatter containing regex literals with quotes (/'/, /"/) or dashes (/---/) no longer causes parse errors.

• #9535 b630d93 Thanks @​leno23! - Fixed #9524: remove extra space before > when bracketSameLine is true and the self-closing slash is absent in HTML formatter.

• #9537 81e6306 Thanks @​ematipico! - Fixed #9238: The HTML parser no longer incorrectly reports --- inside element content (e.g. <td>---</td>) as an "Unexpected value or character" error.

• #9532 4b64145 Thanks @​ematipico! - Fixed #9117: biome check --write no longer falsely reports Svelte and Vue files as changed when html.formatter.indentScriptAndStyle is enabled and the files are already correctly formatted.

• #9528 61451ef Thanks @​ematipico! - Fixed #9341: Fixed an LSP crash that could corrupt file content when saving with format-on-save enabled.

• #9538 794f79c Thanks @​ematipico! - Fixed #9279: The rule noSubstr now detects .substr() and .substring() calls in all expression contexts, including variable declarations, function arguments, return statements, and arrow function bodies.

• #9462 c23272c Thanks @​ematipico! - Fixed #9370: The resolver now correctly prioritizes more specific exports patterns over less specific ones. Previously, a pattern like "./*" could match before "./features/*", causing resolution failures for packages with overlapping subpath patterns.

• #9515 f85c069 Thanks @​shivamtiwari3! - Fixed #9506 and #9479: Biome no longer reports false parse errors on <script type="speculationrules"> and <script type="application/ld+json"> tags. These script types contain non-JavaScript content and are now correctly skipped by the embedded language detector.

• #9514 7fe43c8 Thanks @​ematipico! - Fixed #6964: Biome now correctly resolves the .gitignore file relative to vcs.root when configured. Previously, the vcs.root setting was ignored and Biome always looked for the ignore file in the workspace directory.

• #9521 af39936 Thanks @​ematipico! - Fixed #9483. Now the rule noRedeclare doesn't panic when it encounters constructor overloads.

• #9490 60cf024 Thanks @​willfarrell! - Added support for modern CSS properties, pseudo-classes, and pseudo-elements.

  New known properties: dynamic-range-limit, overlay, reading-flow, reading-order, scroll-marker-group, scroll-target-group.

  New pseudo-elements: ::checkmark, ::column, ::picker, ::picker-icon, ::scroll-button, ::scroll-marker, ::scroll-marker-group.

  New pseudo-classes: :active-view-transition-type, :has-slotted, :target-after, :target-before, :target-current.

• #9526 4d42823 Thanks @​ematipico! - Fixed #9358 and #9375. Now attributes that have text expressions such as class={buttonClass()} are correctly tracked in Svelte files.

• #9520 61f53ee Thanks @​ematipico! - Fixed #9519. Now noUnusedVariables doesn't flag variables that are used as typeof type.

• #9487 331dc0d Thanks @​mvanhorn! - Fixed #9477: source.fixAll.biome no longer sorts imports when source.organizeImports.biome is disabled in editor settings. The organize imports action is now excluded from the fix-all pass unless explicitly requested.

• #9525 e7b3b10 Thanks @​ViniciusDev26! - Added the rule noDrizzleDeleteWithoutWhere to prevent accidental full-table deletes when using Drizzle ORM without a .where() clause.

Commits

• f4bf341 ci: release (#9517)
• e7b3b10 feat(lint): add noDrizzleDeleteWithoutWhere and noDrizzleUpdateWithoutWhere r...
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.