chore(deps): bump the all-pnpm group across 3 directories with 8 updates

[dependabot]

Bumps the all-pnpm group with 1 update in the /e2e_tests/tests_omni_full directory: @biomejs/biome.
Bumps the all-pnpm group with 1 update in the /e2e_tests/tests_omni_light directory: @biomejs/biome.
Bumps the all-pnpm group with 8 updates in the /frontend/omni directory:

Package	From	To
@biomejs/biome	2.4.13	2.4.14
@ai-sdk/openai	3.0.53	3.0.58
@ai-sdk/svelte	4.0.168	4.0.174
ai	6.0.168	6.0.174
dompurify	3.4.1	3.4.2
marked	18.0.2	18.0.3
@lucide/svelte	1.11.0	1.14.0
bits-ui	2.18.0	2.18.1

Updates @biomejs/biome from 2.4.13 to 2.4.14

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.14

2.4.14

Patch Changes

• #9393 491b171 Thanks @​dyc3! - Added the nursery rule useTestHooksOnTop in the test domain. The rule flags lifecycle hooks (beforeEach, beforeAll, afterEach, afterAll) that appear after test cases in the same block, enforcing that hooks are defined before any test case.

• #10157 eefc5ab Thanks @​dyc3! - Fixed #7882: The HTML parser will now emit better diagnostics when it encounters a void element with a closing tag, such as <br></br>. Previously, the parser would emit multiple diagnostics with conflicting advice. Now it emits a single diagnostic that clearly states that void elements should not have closing tags.

• #10054 0e9f569 Thanks @​minseong0324! - noMisleadingReturnType no longer misses widening from concrete object types, class instances, object literals, tuples, functions, and regular expressions to : object.

  A function annotated : object returning an object literal:

  function f(): object {
    return { retry: true };
  }

• #10116 53269eb Thanks @​jiwon79! - Fixed #6201: noUselessEscapeInRegex no longer flags an escaped backslash followed by - as a useless escape. Patterns like /[\\-]/ are now considered valid because the second \ is the escaped backslash, not an unnecessary escape of the trailing dash.

• #10092 33d8543 Thanks @​Conaclos! - Fixed #9097: organizeImports no longer adds a blank line between a never-matched group and a matched group.

  Given the following organizeImports options:

  {
    "groups": [":NODE:", ":BLANK_LINE:", ":PACKAGE:", ":BLANK_LINE:", ":PATH:"]
  }

  The following code...

  // Comment
  import "package";
  import "./file.js";

  ...was organized as:

  +
    // Comment
    import "package";
  +
    import "./file.js";

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.14

Patch Changes

• #9393 491b171 Thanks @​dyc3! - Added the nursery rule useTestHooksOnTop in the test domain. The rule flags lifecycle hooks (beforeEach, beforeAll, afterEach, afterAll) that appear after test cases in the same block, enforcing that hooks are defined before any test case.

• #10157 eefc5ab Thanks @​dyc3! - Fixed #7882: The HTML parser will now emit better diagnostics when it encounters a void element with a closing tag, such as <br></br>. Previously, the parser would emit multiple diagnostics with conflicting advice. Now it emits a single diagnostic that clearly states that void elements should not have closing tags.

• #10054 0e9f569 Thanks @​minseong0324! - noMisleadingReturnType no longer misses widening from concrete object types, class instances, object literals, tuples, functions, and regular expressions to : object.

  A function annotated : object returning an object literal:

  function f(): object {
    return { retry: true };
  }

• #10116 53269eb Thanks @​jiwon79! - Fixed #6201: noUselessEscapeInRegex no longer flags an escaped backslash followed by - as a useless escape. Patterns like /[\\-]/ are now considered valid because the second \ is the escaped backslash, not an unnecessary escape of the trailing dash.

• #10092 33d8543 Thanks @​Conaclos! - Fixed #9097: organizeImports no longer adds a blank line between a never-matched group and a matched group.

  Given the following organizeImports options:

  {
    "groups": [":NODE:", ":BLANK_LINE:", ":PACKAGE:", ":BLANK_LINE:", ":PATH:"]
  }

  The following code...

  // Comment
  import "package";
  import "./file.js";

  ...was organized as:

  +
    // Comment
    import "package";
  +
    import "./file.js";

  A blank line was added even though the group ':NODE:' doesn't match any imports here. :BLANK_LINE: between never-matched groups and matched groups are now ignored.

... (truncated)

Commits

• 46393e0 ci: release (#10100)
• ae659dd feat(lint/js): add noExcessiveNestedCallbacks (#10188)
• d62b331 feat(lint/js): add useMathMinMax (#9926)
• 7acf1e0 feat(lint/js): add noReactStringRefs (#9922)
• 491b171 feat(lint/js): add useTestHooksOnTop (#9393)
• 4a664c1 fix(noShadow): make sure it doesn't shadow types (#10083)
• See full diff in compare view

Updates @biomejs/biome from 2.4.13 to 2.4.14

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.14

2.4.14

Patch Changes

• #9393 491b171 Thanks @​dyc3! - Added the nursery rule useTestHooksOnTop in the test domain. The rule flags lifecycle hooks (beforeEach, beforeAll, afterEach, afterAll) that appear after test cases in the same block, enforcing that hooks are defined before any test case.

• #10157 eefc5ab Thanks @​dyc3! - Fixed #7882: The HTML parser will now emit better diagnostics when it encounters a void element with a closing tag, such as <br></br>. Previously, the parser would emit multiple diagnostics with conflicting advice. Now it emits a single diagnostic that clearly states that void elements should not have closing tags.

• #10054 0e9f569 Thanks @​minseong0324! - noMisleadingReturnType no longer misses widening from concrete object types, class instances, object literals, tuples, functions, and regular expressions to : object.

  A function annotated : object returning an object literal:

  function f(): object {
    return { retry: true };
  }

• #10116 53269eb Thanks @​jiwon79! - Fixed #6201: noUselessEscapeInRegex no longer flags an escaped backslash followed by - as a useless escape. Patterns like /[\\-]/ are now considered valid because the second \ is the escaped backslash, not an unnecessary escape of the trailing dash.

• #10092 33d8543 Thanks @​Conaclos! - Fixed #9097: organizeImports no longer adds a blank line between a never-matched group and a matched group.

  Given the following organizeImports options:

  {
    "groups": [":NODE:", ":BLANK_LINE:", ":PACKAGE:", ":BLANK_LINE:", ":PATH:"]
  }

  The following code...

  // Comment
  import "package";
  import "./file.js";

  ...was organized as:

  +
    // Comment
    import "package";
  +
    import "./file.js";

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.14

Patch Changes

• #9393 491b171 Thanks @​dyc3! - Added the nursery rule useTestHooksOnTop in the test domain. The rule flags lifecycle hooks (beforeEach, beforeAll, afterEach, afterAll) that appear after test cases in the same block, enforcing that hooks are defined before any test case.

• #10157 eefc5ab Thanks @​dyc3! - Fixed #7882: The HTML parser will now emit better diagnostics when it encounters a void element with a closing tag, such as <br></br>. Previously, the parser would emit multiple diagnostics with conflicting advice. Now it emits a single diagnostic that clearly states that void elements should not have closing tags.

• #10054 0e9f569 Thanks @​minseong0324! - noMisleadingReturnType no longer misses widening from concrete object types, class instances, object literals, tuples, functions, and regular expressions to : object.

  A function annotated : object returning an object literal:

  function f(): object {
    return { retry: true };
  }

• #10116 53269eb Thanks @​jiwon79! - Fixed #6201: noUselessEscapeInRegex no longer flags an escaped backslash followed by - as a useless escape. Patterns like /[\\-]/ are now considered valid because the second \ is the escaped backslash, not an unnecessary escape of the trailing dash.

• #10092 33d8543 Thanks @​Conaclos! - Fixed #9097: organizeImports no longer adds a blank line between a never-matched group and a matched group.

  Given the following organizeImports options:

  {
    "groups": [":NODE:", ":BLANK_LINE:", ":PACKAGE:", ":BLANK_LINE:", ":PATH:"]
  }

  The following code...

  // Comment
  import "package";
  import "./file.js";

  ...was organized as:

  +
    // Comment
    import "package";
  +
    import "./file.js";

  A blank line was added even though the group ':NODE:' doesn't match any imports here. :BLANK_LINE: between never-matched groups and matched groups are now ignored.

... (truncated)

Commits

• 46393e0 ci: release (#10100)
• ae659dd feat(lint/js): add noExcessiveNestedCallbacks (#10188)
• d62b331 feat(lint/js): add useMathMinMax (#9926)
• 7acf1e0 feat(lint/js): add noReactStringRefs (#9922)
• 491b171 feat(lint/js): add useTestHooksOnTop (#9393)
• 4a664c1 fix(noShadow): make sure it doesn't shadow types (#10083)
• See full diff in compare view

Updates @biomejs/biome from 2.4.13 to 2.4.14

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.14

2.4.14

Patch Changes

• #9393 491b171 Thanks @​dyc3! - Added the nursery rule useTestHooksOnTop in the test domain. The rule flags lifecycle hooks (beforeEach, beforeAll, afterEach, afterAll) that appear after test cases in the same block, enforcing that hooks are defined before any test case.

• #10157 eefc5ab Thanks @​dyc3! - Fixed #7882: The HTML parser will now emit better diagnostics when it encounters a void element with a closing tag, such as <br></br>. Previously, the parser would emit multiple diagnostics with conflicting advice. Now it emits a single diagnostic that clearly states that void elements should not have closing tags.

• #10054 0e9f569 Thanks @​minseong0324! - noMisleadingReturnType no longer misses widening from concrete object types, class instances, object literals, tuples, functions, and regular expressions to : object.

  A function annotated : object returning an object literal:

  function f(): object {
    return { retry: true };
  }

• #10116 53269eb Thanks @​jiwon79! - Fixed #6201: noUselessEscapeInRegex no longer flags an escaped backslash followed by - as a useless escape. Patterns like /[\\-]/ are now considered valid because the second \ is the escaped backslash, not an unnecessary escape of the trailing dash.

• #10092 33d8543 Thanks @​Conaclos! - Fixed #9097: organizeImports no longer adds a blank line between a never-matched group and a matched group.

  Given the following organizeImports options:

  {
    "groups": [":NODE:", ":BLANK_LINE:", ":PACKAGE:", ":BLANK_LINE:", ":PATH:"]
  }

  The following code...

  // Comment
  import "package";
  import "./file.js";

  ...was organized as:

  +
    // Comment
    import "package";
  +
    import "./file.js";

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.14

Patch Changes

• #9393 491b171 Thanks @​dyc3! - Added the nursery rule useTestHooksOnTop in the test domain. The rule flags lifecycle hooks (beforeEach, beforeAll, afterEach, afterAll) that appear after test cases in the same block, enforcing that hooks are defined before any test case.

• #10157 eefc5ab Thanks @​dyc3! - Fixed #7882: The HTML parser will now emit better diagnostics when it encounters a void element with a closing tag, such as <br></br>. Previously, the parser would emit multiple diagnostics with conflicting advice. Now it emits a single diagnostic that clearly states that void elements should not have closing tags.

• #10054 0e9f569 Thanks @​minseong0324! - noMisleadingReturnType no longer misses widening from concrete object types, class instances, object literals, tuples, functions, and regular expressions to : object.

  A function annotated : object returning an object literal:

  function f(): object {
    return { retry: true };
  }

• #10116 53269eb Thanks @​jiwon79! - Fixed #6201: noUselessEscapeInRegex no longer flags an escaped backslash followed by - as a useless escape. Patterns like /[\\-]/ are now considered valid because the second \ is the escaped backslash, not an unnecessary escape of the trailing dash.

• #10092 33d8543 Thanks @​Conaclos! - Fixed #9097: organizeImports no longer adds a blank line between a never-matched group and a matched group.

  Given the following organizeImports options:

  {
    "groups": [":NODE:", ":BLANK_LINE:", ":PACKAGE:", ":BLANK_LINE:", ":PATH:"]
  }

  The following code...

  // Comment
  import "package";
  import "./file.js";

  ...was organized as:

  +
    // Comment
    import "package";
  +
    import "./file.js";

  A blank line was added even though the group ':NODE:' doesn't match any imports here. :BLANK_LINE: between never-matched groups and matched groups are now ignored.

... (truncated)

Commits

• 46393e0 ci: release (#10100)
• ae659dd feat(lint/js): add noExcessiveNestedCallbacks (#10188)
• d62b331 feat(lint/js): add useMathMinMax (#9926)
• 7acf1e0 feat(lint/js): add noReactStringRefs (#9922)
• 491b171 feat(lint/js): add useTestHooksOnTop (#9393)
• 4a664c1 fix(noShadow): make sure it doesn't shadow types (#10083)
• See full diff in compare view

Updates @ai-sdk/openai from 3.0.53 to 3.0.58

Release notes

Sourced from @​ai-sdk/openai's releases.

@​ai-sdk/openai@​3.0.58

Patch Changes

• 2370948: feat(openai): preserve namespace on function_call output items

@​ai-sdk/openai@​3.0.57

Patch Changes

• d33e7cc: chore(provider/openai): add type for image model options for type-safe processing

Changelog

Sourced from @​ai-sdk/openai's changelog.

3.0.58

Patch Changes

• 2370948: feat(openai): preserve namespace on function_call output items

3.0.57

Patch Changes

• d33e7cc: chore(provider/openai): add type for image model options for type-safe processing

3.0.56

Patch Changes

• Updated dependencies [7beadf0]
  • @​ai-sdk/provider-utils@​4.0.26

3.0.55

Patch Changes

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
• Updated dependencies [a727da4]
  • @​ai-sdk/provider-utils@​4.0.25
  • @​ai-sdk/provider@​3.0.10

3.0.54

Patch Changes

• a7f3c72: trigger release for all packages after provenance setup
• 408a2ad: patch - send content: null instead of empty string for tool-only assistant messages
• c71ad14: feat(provider/openai): add gpt-image-2 model support
• Updated dependencies [a7f3c72]
  • @​ai-sdk/provider@​3.0.9
  • @​ai-sdk/provider-utils@​4.0.24

Commits

• 0129eb6 Version Packages (#14912)
• 2370948 Backport: feat(openai): preserve namespace on function_call output items (#14...
• 91d95c9 Version Packages (#14881)
• d33e7cc Backport: chore(provider/openai): add type for image model options for type-s...
• 8a46a3c Version Packages (#14875)
• 8e650ab Version Packages (#14824)
• a727da4 backport of chore: ensure consistent import handling and avoid import duplica...
• 77a4e05 Version Packages (#14802)
• a7f3c72 Re-enable v6 releases (#14799)
• c71ad14 Backport: feat(provider/openai): add gpt-image-2 model support (#14682)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/openai since your current version.

Updates @ai-sdk/svelte from 4.0.168 to 4.0.174

Release notes

Sourced from @​ai-sdk/svelte's releases.

@​ai-sdk/svelte@​4.0.174

Patch Changes

• ai@6.0.174

@​ai-sdk/svelte@​4.0.173

Patch Changes

• Updated dependencies [7beadf0]
  • @​ai-sdk/provider-utils@​4.0.26
  • ai@6.0.173

Changelog

Sourced from @​ai-sdk/svelte's changelog.

4.0.174

Patch Changes

• ai@6.0.174

4.0.173

Patch Changes

• Updated dependencies [7beadf0]
  • @​ai-sdk/provider-utils@​4.0.26
  • ai@6.0.173

4.0.172

Patch Changes

• ai@6.0.172

4.0.171

Patch Changes

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
• Updated dependencies [48f842a]
• Updated dependencies [a727da4]
• Updated dependencies [5fee301]
  • ai@6.0.171
  • @​ai-sdk/provider-utils@​4.0.25

4.0.170

Patch Changes

• Updated dependencies [19d587a]
  • ai@6.0.170

4.0.169

Patch Changes

• a7f3c72: trigger release for all packages after provenance setup
• Updated dependencies [2662bb5]
• Updated dependencies [a7f3c72]
  • ai@6.0.169
  • @​ai-sdk/provider-utils@​4.0.24

Commits

• 0129eb6 Version Packages (#14912)
• 8a46a3c Version Packages (#14875)
• 29c80ec Version Packages (#14868)
• 8e650ab Version Packages (#14824)
• 7ab1e18 Version Packages (#14815)
• 77a4e05 Version Packages (#14802)
• a7f3c72 Re-enable v6 releases (#14799)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/svelte since your current version.

Updates ai from 6.0.168 to 6.0.174

Release notes

Sourced from ai's releases.

ai@6.0.174

Patch Changes

• Updated dependencies [49f6d44]
  • @​ai-sdk/gateway@​3.0.109

ai@6.0.173

Patch Changes

• 7beadf0: feat(mcp): propagate the server name through dynamic tool parts
• Updated dependencies [7beadf0]
  • @​ai-sdk/provider-utils@​4.0.26
  • @​ai-sdk/gateway@​3.0.108

Changelog

Sourced from ai's changelog.

6.0.174

Patch Changes

• Updated dependencies [49f6d44]
  • @​ai-sdk/gateway@​3.0.109

6.0.173

Patch Changes

• 7beadf0: feat(mcp): propagate the server name through dynamic tool parts
• Updated dependencies [7beadf0]
  • @​ai-sdk/provider-utils@​4.0.26
  • @​ai-sdk/gateway@​3.0.108

6.0.172

Patch Changes

• Updated dependencies [982af78]
  • @​ai-sdk/gateway@​3.0.107

6.0.171

Patch Changes

• 48f842a: fix(ai): enforce callOptionsSchema at runtime in ToolLoopAgent

  ToolLoopAgentSettings.callOptionsSchema was declared and documented as a runtime schema for options, but tool-loop-agent.ts never invoked it. Any invariant a developer encoded in the schema was silently bypassed at runtime, and unchecked options flowed straight into prepareCall and any instructions template that interpolated them.

  ToolLoopAgent.prepareCall now validates caller-supplied options against callOptionsSchema (when set) via safeValidateTypes, throwing InvalidArgumentError on failure before forwarding to prepareCall / generateText / streamText.

• a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles

• 5fee301: fix(mcp): prevent prototype pollution by using secureJsonParse

• Updated dependencies [a727da4]

  • @​ai-sdk/provider-utils@​4.0.25
  • @​ai-sdk/provider@​3.0.10
  • @​ai-sdk/gateway@​3.0.106

6.0.170

Patch Changes

• 19d587a: fix(ai): add allowSystemInMessages option and warn by default when system messages are found in prompt or messages

6.0.169

Patch Changes

... (truncated)

Commits

• 0129eb6 Version Packages (#14912)
• 8a46a3c Version Packages (#14875)
• 7beadf0 Backport: feat(mcp): propagate the server name through dynamic tool parts (#1...
• 29c80ec Version Packages (#14868)
• 8e650ab Version Packages (#14824)
• 48f842a backport v6: fix(ai): enforce callOptionsSchema at runtime in ToolLoopAgent (...
• a727da4 backport of chore: ensure consistent import handling and avoid import duplica...
• 5fee301 backport v6: fix(mcp): prevent prototype pollution by using secureJsonParse (...
• 7ab1e18 Version Packages (#14815)
• 19d587a v6: fix(ai): warn about system messages in messages or prompt (#14810)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for ai since your current version.

Updates dompurify from 3.4.1 to 3.4.2

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.2

• Fixed an issue with URI validation on attributes allowed via ADD_ATTR callback, thanks @​nelstrom
• Fixed an issue with source maps referring to non-existing files, thanks @​cmdcolin
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

Commits

• 6f67fd3 Sync/3.4.2 (#1322)
• See full diff in compare view

Updates marked from 18.0.2 to 18.0.3

Release notes

Sourced from marked's releases.

v18.0.3

18.0.3 (2026-05-01)

Bug Fixes

• avoid task checkbox for setext heading text (#3960) (2608e81)

Commits

• e8dc395 chore(release): 18.0.3 [skip ci]
• 2608e81 fix: avoid task checkbox for setext heading text (#3960)
• dba76f6 chore(deps-dev): bump eslint from 10.2.0 to 10.2.1 (#3953)
• 015f1eb chore(deps-dev): bump typescript from 6.0.2 to 6.0.3 (#3954)
• 17c06e9 chore: fix building license for docs (#3952)
• 55a54b5 chore: Rename LICENSE.md to LICENSE for better compatibility with Bazel tooli...
• See full diff in compare view

Updates @lucide/svelte from 1.11.0 to 1.14.0

Release notes

Sourced from @​lucide/svelte's releases.

Version 1.14.0

What's Changed

• feat(icons): added repeat-off icon by @​jguddas in lucide-icons/lucide#3102

Full Changelog: lucide-icons/lucide@1.13.0...1.14.0

Version 1.13.0

What's Changed

• fix(docs): sync URL params with UI state on categories page by @​taimar in lucide-icons/lucide#4111
• feat(icons): add waves-vertical icon by @​jamiemlaw in lucide-icons/lucide#3867

Full Changelog: lucide-icons/lucide@1.12.0...1.13.0

Version 1.12.0

What's Changed

• feat(icon): add folder-bookmark icon by @​swastik7805 in lucide-icons/lucide#4262
• docs(readme): Update readme files by @​ericfennis in lucide-icons/lucide#4320
• feat(icons): added astroid icon by @​whoisBugsbunny in lucide-icons/lucide#4217

Full Changelog: lucide-icons/lucide@1.10.0...1.12.0

Commits

• 50d8af5 docs(readme): Update readme files (#4320)
• See full diff in compare view

Updates bits-ui from 2.18.0 to 2.18.1

Release notes

Sourced from bits-ui's releases.

bits-ui@2.18.1

Patch Changes

• fix(text-selection-layer): snapshot enabled and pointer handlers for listeners (#2041)

• fix(Tooltip): set wrapper pointer-events when hoverable content is disabled (#2041)

• fix(Menu): prevent page scroll-jump on item hover when scroll-padding is set (#2035)

Commits

• 25f8137 Version Packages (#2042)
• 158364e fix(menu): use preventScroll when focusing items on hover and content on item...
• 5a3f7ce fix(Tooltip): pointer event handling (#2041)
• 788fc03 chore: update workflows to Node 24 and latest action versions (#2032)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.