chore(deps): bump the minor-and-patch group with 5 updates

[dependabot]

Bumps the minor-and-patch group with 5 updates:

Package	From	To
fast-xml-parser	5.7.1	5.7.2
react-hook-form	7.72.1	7.74.0
vscode-marketplace-client	1.1.1	1.2.1
@biomejs/biome	2.4.12	2.4.13
postcss	8.5.10	8.5.12

Updates fast-xml-parser from 5.7.1 to 5.7.2

Release notes

Sourced from fast-xml-parser's releases.

backward compatibility for numerical external entity, fix #705, #817

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.7.2 / 2026-04-25

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

• fix typo in CJS typing file

5.7.0 / 2026-04-17

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to user entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

5.6.0 / 2026-04-15

• fix: entity replacement for numeric entities
• use @​nodable/entities to replace entities
  • this may change some error messages related to entities expansion limit or inavlid use
  • post check would be exposed in future version

5.5.12 / 2026-04-13

• Performance Improvement: update path-expression-matcher
  • use proxy pattern than Proxy class

5.5.11 / 2026-04-08

• Performance Improvement
  • integrate ExpressionSet for stopNodes

5.5.10 / 2026-04-03

• increase default entity explansion limit as many projects demand for that
• performance improvement
  • reduce calls to toString
  • early return when entities are not present
  • prepare rawAttrsForMatcher only if user sets jPath: false

... (truncated)

Commits

• b1d5b90 update releas info
• 78571ae tests for long tag expression
• ebaedc0 allow numerical external entities for backward compatibility
• 91245eb update changelog
• 79dd40d fix #705: don not group and nest attributes when both preserveOrder and attri...
• d6bce3b allow long attribute expressions
• 9a2561b remove unnecessary
• See full diff in compare view

Updates react-hook-form from 7.72.1 to 7.74.0

Release notes

Sourced from react-hook-form's releases.

Version 7.74.0

🪇 feat: setValues (#13201)

setValues((data) => {
  return {
    ...data,
    name: 'test'
  }
})
setValues(formValues);

🐞 fix: preserve previous field value when useController name changes (#13395) 🐞 fix: handle null parent when unregistering nested field (#13396) 🐞 fix: treat NaN as empty when valueAsNumber is true in validateField (#13388) 🪢 fix build to exclude test files (#13387)

thanks to @​Yihao-G & @​mixelburg

Version 7.73.1

⚡perf: memoize submit (#13378) 🚉 perf: improve deepEqual performance (#13362) 👀 perf: skip re-render in setValue when value is unchanged (#13352) ✂️ remove unneeded flag check for shouldDirty 🚨 fix: safely access field._f during register (#13365) 🧹 close #13298: improve fieldState errors when resolver uses dot-notation string keys (#13350) 🐞 fix #13178: update state correctly in watch callback with Controller, trigger, and reset (#13180) 🐞 fix #13331: skip field array validation when mode is onBlur (#13333) 🐞 fix #13334 sDirty remains false after deletion an item with shouldDirty: true (#13357) 🐞 fix: handle nested field when parent defaultValue is null (#13348)

thanks to @​Prasadzoman, @​cyphercodes, @​lorenzoceglia, @​rizwan-rizu, @​tomeelog & @​ap0nia

Commits

• 8a816ed 7.74.0
• ef641fe 🐞 fix: preserve previous field value when useController name changes (#13395)
• a08a8e8 🐞 fix: handle null parent when unregistering nested field (#13396)
• 2374a64 📖 thanks KANAME for the support over the years
• 6737b99 🌡️ test: cover valueAsNumber NaN required validation in validateField (#13391)
• 29cdd08 🐞 fix: treat NaN as empty when valueAsNumber is true in validateField (#13388)
• 44df01d Revert "Revert "🪢 fix build to exclude test files (#13387)""
• bf525c1 Revert "Revert "🪇 feat: setValues (#13201)""
• 6cd9e45 7.73.1
• 9b07561 Revert "🪢 fix build to exclude test files (#13387)"
• Additional commits viewable in compare view

Updates vscode-marketplace-client from 1.1.1 to 1.2.1

Changelog

Sourced from vscode-marketplace-client's changelog.

[1.2.1] - 2026-04-23

Changed

• Improved HTTP client configuration with Axios and custom HTTPS agent.
• Added timeout configuration to network requests.

Fixed

• Fixed ENOENT error when downloading VSIX files by ensuring output directories are created automatically.
• Fixed stream handling during downloads using Node.js pipeline.
• Reduced MaxListenersExceededWarning during multiple sequential downloads.

[1.2.0] - 2026-04-22

Added

• Integración de CI (GitHub Actions) para auditoría mensual de dependencias con npm.

Changed

• Update dependencies to their latest versions for improved performance and security.

Commits

• ff1b880 chore: 🔖 release 1.2.1
• 18e1fc9 fix: 🐛 improve download reliability and example setup
• 84cb2b5 chore: 🔖 release 1.2.0
• 7fc8ee8 chore: update dependencies and improve package.json
• 6ccbc11 chore: update CHANGELOG for unreleased section and correct version links
• See full diff in compare view

Updates @biomejs/biome from 2.4.12 to 2.4.13

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.13

2.4.13

Patch Changes

• #9969 c5eb92b Thanks @​officialasishkumar! - Added the nursery rule noUnnecessaryTemplateExpression, which disallows template literals that only contain string literal expressions. These can be replaced with a simpler string literal.

  For example, the following code triggers the rule:

  const a = `${"hello"}`; // can be 'hello'
  const b = `${"prefix"}_suffix`; // can be 'prefix_suffix'
  const c = `${"a"}${"b"}`; // can be 'ab'

• #10037 f785e8c Thanks @​minseong0324! - Fixed #9810: noMisleadingReturnType no longer reports false positives on a getter with a matching setter in the same namespace.

  class Store {
    get status(): string {
      if (Math.random() > 0.5) return "loading";
      return "idle";
    }
    set status(v: string) {}
  }

• #10084 5e2f90c Thanks @​jiwon79! - Fixed #10034: noUselessEscapeInRegex no longer flags escapes of ClassSetReservedPunctuator characters (&, !, #, %, ,, :, ;, <, =, >, @, `, ~) inside v-flag character classes as useless. These characters are reserved as individual code points in v-mode, so the escape is required.

  The following pattern is now considered valid:

  /[a-z\&]/v;

• #10063 c9ffa16 Thanks @​Netail! - Added extra rule sources from ESLint CSS. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #10035 946b50e Thanks @​Netail! - Fixed #10032: useIframeSandbox now flags if there's no initializer value.

• #9865 68fb8d4 Thanks @​dyc3! - Added the new nursery rule useDomNodeTextContent, which prefers textContent over innerText for DOM node text access and destructuring.

  For example, the following snippet triggers the rule:

  const foo = node.innerText;

• #10023 bd1e74f Thanks @​ematipico! - Added a new nursery rule noReactNativeDeepImports that disallows deep imports from the react-native package. Internal paths like react-native/Libraries/... are not part of the public API and may change between versions.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.13

Patch Changes

• #9969 c5eb92b Thanks @​officialasishkumar! - Added the nursery rule noUnnecessaryTemplateExpression, which disallows template literals that only contain string literal expressions. These can be replaced with a simpler string literal.

  For example, the following code triggers the rule:

  const a = `${"hello"}`; // can be 'hello'
  const b = `${"prefix"}_suffix`; // can be 'prefix_suffix'
  const c = `${"a"}${"b"}`; // can be 'ab'

• #10037 f785e8c Thanks @​minseong0324! - Fixed #9810: noMisleadingReturnType no longer reports false positives on a getter with a matching setter in the same namespace.

  class Store {
    get status(): string {
      if (Math.random() > 0.5) return "loading";
      return "idle";
    }
    set status(v: string) {}
  }

• #10084 5e2f90c Thanks @​jiwon79! - Fixed #10034: noUselessEscapeInRegex no longer flags escapes of ClassSetReservedPunctuator characters (&, !, #, %, ,, :, ;, <, =, >, @, `, ~) inside v-flag character classes as useless. These characters are reserved as individual code points in v-mode, so the escape is required.

  The following pattern is now considered valid:

  /[a-z\&]/v;

• #10063 c9ffa16 Thanks @​Netail! - Added extra rule sources from ESLint CSS. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #10035 946b50e Thanks @​Netail! - Fixed #10032: useIframeSandbox now flags if there's no initializer value.

• #9865 68fb8d4 Thanks @​dyc3! - Added the new nursery rule useDomNodeTextContent, which prefers textContent over innerText for DOM node text access and destructuring.

  For example, the following snippet triggers the rule:

  const foo = node.innerText;

• #10023 bd1e74f Thanks @​ematipico! - Added a new nursery rule noReactNativeDeepImports that disallows deep imports from the react-native package. Internal paths like react-native/Libraries/... are not part of the public API and may change between versions.

  For example, the following code triggers the rule:

... (truncated)

Commits

• e316150 ci: release (#9991)
• 11ddc05 feat(lint): add useReactNativePlatformComponents rule and options (#10033)
• 1603f78 feat(js_analyze): implement noJsxLeakedDollar (#9911)
• c5eb92b feat(linter): add nursery rule noUnnecessaryTemplateExpression (#9969)
• 5cc83b1 feat(lint/js): add noLoopFunc (#9815)
• bd1e74f feat(lint): add react native deep import rule (#10023)
• 68fb8d4 feat(lint/js): add useDomNodeTextContent (#9865)
• 94ccca9 feat(lint): add noReactNativeLiteralColors (#10012)
• 3dce737 feat(lint/js): add useDomQuerySelector (#9885)
• 131019e feat(lint): add noReactNativeRawText (#10005)
• Additional commits viewable in compare view

Updates postcss from 8.5.10 to 8.5.12

Release notes

Sourced from postcss's releases.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

Changelog

Sourced from postcss's changelog.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

Commits

• 9bc81c4 Release 8.5.12 version
• 85c4d7d Another try to fix coverage
• 94484ca Try to fix coverage
• c64b748 Load only .map source maps
• aaec7b7 Avoid throwing JSON parsing errors for non-JSON source maps
• 233fb26 Mention original author of the solution
• 2502f75 Release 8.5.11 version
• 5ca1901 Speed up parsing many nested brackets
• 42b5337 Update dependencies
• 7e36e15 Cache node.raws locally in Stringifier hot methods
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.