chore(deps): update all non-major dependencies #165

renovate · 2025-09-14T12:24:10Z

This PR contains the following updates:

Package	Change	Type	Update
@biomejs/biome (source)	`^2.2.3` -> `^2.2.7`	devDependencies	patch
@biomejs/biome (source)	`2.2.3` -> `2.2.7`		patch
@types/node (source)	`^24.3.1` -> `^24.9.1`	devDependencies	minor
fs-fixture	`^2.8.1` -> `^2.9.0`	devDependencies	minor
pnpm (source)	`10.15.1` -> `10.19.0`	packageManager	minor
pnpm/action-setup	`v4.1.0` -> `v4.2.0`	action	minor
tsdown	`^0.14.2` -> `^0.15.9`	devDependencies	minor
typescript (source)	`^5.9.2` -> `^5.9.3`	devDependencies	patch

Release Notes

biomejs/biome (@biomejs/biome)

`v2.2.7`

Compare Source

Patch Changes

#7715 b622425 Thanks @Netail! - Added the nursery rule noEmptySource, disallowing meaningless js, css, json & graphql files to prevent codebase clutter.
#7714 c7e5a14 Thanks @MeGaNeKoS! - Increased the maximum line limit for noExcessiveLinesPerFunction from 255 to 65,535 to better support large JSX/front-end components.
#5868 2db73ae Thanks @bushuai! - Fixed #5856, noRedundantUseStrict now keeps leading trivia
#7756 d665c97 Thanks @ematipico! - Improved the diagnostic message of the rule noDuplicateTestHooks.

`v2.2.6`

Compare Source

Patch Changes

#7071 a8e7301 Thanks @ptkagori! - Added the useQwikMethodUsage lint rule for the Qwik domain.

This rule validates Qwik hook usage. Identifiers matching useXxx must be called only within serialisable reactive contexts (for example, inside component$, route loaders/actions, or within other Qwik hooks), preventing common Qwik antipatterns.

Invalid:

// Top-level hook call is invalid.
const state = useStore({ count: 0 });

function helper() {
  // Calling a hook in a non-reactive function is invalid.
  const loc = useLocation();
}

Valid:

component$(() => {
  const state = useStore({ count: 0 }); // OK inside component$.
  return <div>{state.count}</div>;
});

const handler = $(() => {
  const loc = useLocation(); // OK inside a $-wrapped closure.
  console.log(loc.params);
});

#7685 52071f5 Thanks @denbezrukov! - Fixed #6981: The NoUnknownPseudoClass rule no longer reports local pseudo-classes when CSS Modules are used.
#7640 899f7b2 Thanks @arendjr! - Fixed #7638: useImportExtensions no longer emits diagnostics on valid import paths that end with a query or hash.

Example

// This no longer warns if `index.css` exists:
import style from "../theme/index.css?inline";

#7071 a8e7301 Thanks @ptkagori! - Added the useQwikValidLexicalScope rule to the Qwik domain.

This rule helps you avoid common bugs in Qwik components by checking that your variables and functions are declared in the correct place.

Invalid:

// Invalid: state defined outside the component's lexical scope.
let state = useStore({ count: 0 });
const Component = component$(() => {
  return (
    <button onClick$={() => state.count++}>Invalid: {state.count}</button>
  );
});

Valid:

// Valid: state initialised within the component's lexical scope and captured by the event.
const Component = component$(() => {
  const state = useStore({ count: 0 });
  return <button onClick$={() => state.count++}>Valid: {state.count}</button>;
});

#7620 5beb1ee Thanks @Netail! - Added the rule useDeprecatedDate, which makes a deprecation date required for the graphql @deprecated directive.

Invalid

query {
  member @&#8203;deprecated(reason: "Use `members` instead") {
    id
  }
}

Valid

query {
  member
    @&#8203;deprecated(reason: "Use `members` instead", deletionDate: "2099-12-25") {
    id
  }
}

#7709 d6da4d5 Thanks @siketyan! - Fixed #7704: The useExhaustiveDependencies rule now correctly adds an object dependency when its method is called within the closure.

For example:
```
function Component(props) {
  useEffect(() => {
    props.foo();
  }, []);
}
```
will now be fixed to:
```
function Component(props) {
  useEffect(() => {
    props.foo();
  }, [props]);
}
```
#7624 309ae41 Thanks @lucasweng! - Fixed #7595: noUselessEscapeInString no longer reports $\{ escape in template literals.
#7665 29e4229 Thanks @ryan-m-walker! - Fixed #7619: Added support for parsing the CSS :state() pseudo-class.
```
custom-selector:state(checked) {
}
```
#7608 41df59b Thanks @ritoban23! - Fixed #7604: the useMaxParams rule now highlights parameter lists instead of entire function bodies. This provides more precise error highlighting. Previously, the entire function was highlighted; now only the parameter list is highlighted, such as (a, b, c, d, e, f, g, h).
#7643 459a6ac Thanks @daivinhtran! - Fixed #7580: Include plugin in summary report

`v2.2.5`

Compare Source

Patch Changes

#7597 5c3d542 Thanks @arendjr! - Fixed #6432: useImportExtensions now works correctly with aliased paths.
#7269 f18dac1 Thanks @CDGardner! - Fixed #6648, where Biome's noUselessFragments contained inconsistencies with ESLint for fragments only containing text.

Previously, Biome would report that fragments with only text were unnecessary under the noUselessFragments rule. Further analysis of ESLint's behavior towards these cases revealed that text-only fragments (<>A</a>, <React.Fragment>B</React.Fragment>, <RenamedFragment>B</RenamedFragment>) would not have noUselessFragments emitted for them.

On the Biome side, instances such as these would emit noUselessFragments, and applying the suggested fix would turn the text content into a proper JS string.
```
// Ended up as: - const t = "Text"
const t = <>Text</>

// Ended up as: - const e = t ? "Option A" : "Option B"
const e = t ? <>Option A</> : <>Option B</>

/* Ended up as:
  function someFunc() {
    return "Content desired to be a multi-line block of text."
  }
*/
function someFunc() {
  return <>
    Content desired to be a multi-line
    block of text.
  <>
}
```
The proposed update was to align Biome's reaction to this rule with ESLint's; the aforementioned examples will now be supported from Biome's perspective, thus valid use of fragments.
```
// These instances are now valid and won't be called out by noUselessFragments.

const t = <>Text</>
const e = t ? <>Option A</> : <>Option B</>

function someFunc() {
  return <>
    Content desired to be a multi-line
    block of text.
  <>
}
```
#7498 002cded Thanks @siketyan! - Fixed #6893: The useExhaustiveDependencies rule now correctly adds a dependency that is captured in a shorthand object member. For example:
```
useEffect(() => {
  console.log({ firstId, secondId });
}, []);
```
is now correctly fixed to:
```
useEffect(() => {
  console.log({ firstId, secondId });
}, [firstId, secondId]);
```
#7509 1b61631 Thanks @siketyan! - Added a new lint rule noReactForwardRef, which detects usages of forwardRef that is no longer needed and deprecated in React 19.

For example:
```
export const Component = forwardRef(function Component(props, ref) {
  return <div ref={ref} />;
});
```
will be fixed to:
```
export const Component = function Component({ ref, ...props }) {
  return <div ref={ref} />;
};
```
Note that the rule provides an unsafe fix, which may break the code. Don't forget to review the code after applying the fix.
#7520 3f06e19 Thanks @arendjr! - Added new nursery rule noDeprecatedImports to flag imports of deprecated symbols.

Invalid example

// foo.js
import { oldUtility } from "./utils.js";

// utils.js
/**
 * @&#8203;deprecated
 */
export function oldUtility() {}

Valid examples

// foo.js
import { newUtility, oldUtility } from "./utils.js";

// utils.js
export function newUtility() {}

// @&#8203;deprecated (this is not a JSDoc comment)
export function oldUtility() {}

#7457 9637f93 Thanks @kedevked! - Added style and requireForObjectLiteral options to the lint rule useConsistentArrowReturn.

This rule enforces a consistent return style for arrow functions. It can be configured with the following options:
- style: (default: asNeeded)
  - always: enforces that arrow functions always have a block body.
  - never: enforces that arrow functions never have a block body, when possible.
  - asNeeded: enforces that arrow functions have a block body only when necessary (e.g. for object literals).

`style: "always"`

Invalid:

const f = () => 1;

Valid:

const f = () => {
  return 1;
};

`style: "never"`

Invalid:

const f = () => {
  return 1;
};

Valid:

const f = () => 1;

`style: "asNeeded"`

Invalid:

const f = () => {
  return 1;
};

Valid:

const f = () => 1;

`style: "asNeeded"` and `requireForObjectLiteral: true`

Valid:

const f = () => {
  return { a: 1 };
};

#7510 527cec2 Thanks @rriski! - Implements #7339. GritQL patterns can now use native Biome AST nodes using their PascalCase names, in addition to the existing TreeSitter-compatible snake_case names.

engine biome(1.0)
language js(typescript,jsx)

or {
  // TreeSitter-compatible pattern
  if_statement(),

  // Native Biome AST node pattern
  JsIfStatement()
} as $stmt where {
  register_diagnostic(
    span=$stmt,
    message="Found an if statement"
  )
}

#7574 47907e7 Thanks @kedevked! - Fixed 7574. The diagnostic message for the rule useSolidForComponent now correctly emphasizes <For /> and provides a working hyperlink to the Solid documentation.
#7497 bd70f40 Thanks @siketyan! - Fixed #7320: The useConsistentCurlyBraces rule now correctly detects a string literal including " inside a JSX attribute value.
#7522 1af9931 Thanks @Netail! - Added extra references to external rules to improve migration for the following rules: noUselessFragments & noNestedComponentDefinitions
#7597 5c3d542 Thanks @arendjr! - Fixed an issue where package.json manifests would not be correctly discovered
when evaluating files in the same directory.
#7565 38d2098 Thanks @siketyan! - The resolver can now correctly resolve .ts, .tsx, .d.ts, .js files by .js extension if exists, based on the file extension substitution in TypeScript.

For example, the linter can now detect the floating promise in the following situation, if you have enabled the noFloatingPromises rule.

foo.ts
```
export async function doSomething(): Promise<void> {}
```
bar.ts
```
import { doSomething } from "./foo.js"; // doesn't exist actually, but it is resolved to `foo.ts`

doSomething(); // floating promise!
```

#7542 cadad2c Thanks @mdevils! - Added the rule noVueDuplicateKeys, which prevents duplicate keys in Vue component definitions.

This rule prevents the use of duplicate keys across different Vue component options such as props, data, computed, methods, and setup. Even if keys don't conflict in the script tag, they may cause issues in the template since Vue allows direct access to these keys.

Invalid examples

<script>
export default {
  props: ["foo"],
  data() {
    return {
      foo: "bar",
    };
  },
};
</script>

<script>
export default {
  data() {
    return {
      message: "hello",
    };
  },
  methods: {
    message() {
      console.log("duplicate key");
    },
  },
};
</script>

<script>
export default {
  computed: {
    count() {
      return this.value * 2;
    },
  },
  methods: {
    count() {
      this.value++;
    },
  },
};
</script>

Valid examples

<script>
export default {
  props: ["foo"],
  data() {
    return {
      bar: "baz",
    };
  },
  methods: {
    handleClick() {
      console.log("unique key");
    },
  },
};
</script>

<script>
export default {
  computed: {
    displayMessage() {
      return this.message.toUpperCase();
    },
  },
  methods: {
    clearMessage() {
      this.message = "";
    },
  },
};
</script>

#7546 a683acc Thanks @siketyan! - Internal data for Unicode strings have been updated to Unicode 17.0.
#7497 bd70f40 Thanks @siketyan! - Fixed #7256: The useConsistentCurlyBraces rule now correctly ignores a string literal with braces that contains only whitespaces. Previously, literals that contains single whitespace were only allowed.
#7565 38d2098 Thanks @siketyan! - The useImportExtensions rule now correctly detects imports with an invalid extension. For example, importing .ts file with .js extension is flagged by default. If you are using TypeScript with neither the allowImportingTsExtensions option nor the rewriteRelativeImportExtensions option, it's recommended to turn on the forceJsExtensions option of the rule.
#7581 8653921 Thanks @lucasweng! - Fixed #7470: solved a false positive for noDuplicateProperties. Previously, declarations in @container and @starting-style at-rules were incorrectly flagged as duplicates of identical declarations at the root selector.

For example, the linter no longer flags the display declaration in @container or the opacity declaration in @starting-style.
```
a {
  display: block;
  @&#8203;container (min-width: 600px) {
    display: none;
  }
}

[popover]:popover-open {
  opacity: 1;
  @&#8203;starting-style {
    opacity: 0;
  }
}
```
#7529 fea905f Thanks @qraqras! - Fixed #7517: the useOptionalChain rule no longer suggests changes for typeof checks on global objects.
```
// ok
typeof window !== "undefined" && window.location;
```
#7476 c015765 Thanks @ematipico! - Fixed a bug where the suppression action for noPositiveTabindex didn't place the suppression comment in the correct position.
#7511 a0039fd Thanks @arendjr! - Added nursery rule noUnusedExpressions to flag expressions used as a statement that is neither an assignment nor a function call.

Invalid examples

f; // intended to call `f()` instead

function foo() {
  0; // intended to `return 0` instead
}

Valid examples

f();

function foo() {
  return 0;
}

#7564 40e515f Thanks @turbocrime! - Fixed #6617: improved useIterableCallbackReturn to correctly handle arrow functions with a single-expression void body.

Now the following code doesn't trigger the rule anymore:
```
[].forEach(() => void null);
```

`v2.2.4`

Compare Source

Patch Changes

#7453 aa8cea3 Thanks @arendjr! - Fixed #7242: Aliases specified in
package.json's imports section now support having multiple targets as part of an array.
#7454 ac17183 Thanks @arendjr! - Greatly improved performance of
noImportCycles by eliminating allocations.

In one repository, the total runtime of Biome with only noImportCycles enabled went from ~23s down to ~4s.
#7447 7139aad Thanks @rriski! - Fixes #7446. The GritQL
$... spread metavariable now correctly matches members in object literals, aligning its behavior with arrays and function calls.
#6710 98cf9af Thanks @arendjr! - Fixed #4723: Type inference now recognises
index signatures and their accesses when they are being indexed as a string.

Example

type BagOfPromises = {
  // This is an index signature definition. It declares that instances of type
  // `BagOfPromises` can be indexed using arbitrary strings.
  [property: string]: Promise<void>;
};

let bag: BagOfPromises = {};
// Because `bag.iAmAPromise` is equivalent to `bag["iAmAPromise"]`, this is
// considered an access to the string index, and a Promise is expected.
bag.iAmAPromise;

#7415 d042f18 Thanks @qraqras! - Fixed #7212, now the useOptionalChain rule recognizes optional chaining using
typeof (e.g., typeof foo !== 'undefined' && foo.bar).
#7419 576baf4 Thanks @Conaclos! - Fixed #7323. noUnusedPrivateClassMembers no longer reports as unused TypeScript
private members if the rule encounters a computed access on this.

In the following example, member as previously reported as unused. It is no longer reported.
```
class TsBioo {
  private member: number;

  set_with_name(name: string, value: number) {
    this[name] = value;
  }
}
```
351bccd Thanks @ematipico! - Added the new nursery lint rule
noJsxLiterals, which disallows the use of string literals inside JSX.

The rule catches these cases:
```
<>
  <div>test</div> {/* test is invalid */}
  <>test</>
  <div>
    {/* this string is invalid */}
    asdjfl test foo
  </div>
</>
```
#7406 b906112 Thanks @mdevils! - Fixed an issue (#6393) where the useHookAtTopLevel rule reported excessive diagnostics for nested hook calls.

The rule now reports only the offending top-level call site, not sub-hooks of composite hooks.
```
// Before: reported twice (useFoo and useBar).
function useFoo() {
  return useBar();
}
function Component() {
  if (cond) useFoo();
}
// After: reported once at the call to useFoo().
```
#7461 ea585a9 Thanks @arendjr! - Improved performance of
noPrivateImports by eliminating allocations.

In one repository, the total runtime of Biome with only noPrivateImports enabled went from ~3.2s down to ~1.4s.
351bccd Thanks @ematipico! - Fixed #7411. The Biome Language Server had a regression where opening an editor with a file already open wouldn't load the project settings correctly.
#7142 53ff5ae Thanks @Netail! - Added the new nursery rule noDuplicateDependencies, which verifies that no dependencies are duplicated between the
bundledDependencies, bundleDependencies, dependencies, devDependencies, overrides,
optionalDependencies, and peerDependencies sections.

For example, the following snippets will trigger the rule:
```
{
  "dependencies": {
    "foo": ""
  },
  "devDependencies": {
    "foo": ""
  }
}
```
```
{
  "dependencies": {
    "foo": ""
  },
  "optionalDependencies": {
    "foo": ""
  }
}
```
```
{
  "dependencies": {
    "foo": ""
  },
  "peerDependencies": {
    "foo": ""
  }
}
```
351bccd Thanks @ematipico! - Fixed #3824. Now the option CLI
--color is correctly applied to logging too.

privatenumber/fs-fixture (fs-fixture)

`v2.9.0`

Compare Source

Bug Fixes

types: readFile & writeFile to inherit fs types (5482c45)

Features

accept buffer as content (6b877a9)
add readdir (7ea32e6)
add readJson method (48f3f6e)
improve json methods (5aa7d57)

pnpm/pnpm (pnpm)

`v10.19.0`

Compare Source

Minor Changes

You can now allow specific versions of dependencies to run postinstall scripts. onlyBuiltDependencies now accepts package names with lists of trusted versions. For example:
```
onlyBuiltDependencies:
  - [email protected] || 21.6.5
  - [email protected]
```
Related PR: #10104.
Added support for exact versions in minimumReleaseAgeExclude #9985.

You can now list one or more specific versions that pnpm should allow to install, even if those versions don’t satisfy the maturity requirement set by minimumReleaseAge. For example:
```
minimumReleaseAge: 1440
minimumReleaseAgeExclude:
  - [email protected]
  - [email protected] || 5.102.1
```

`v10.18.3`

Compare Source

Patch Changes

Fix a bug where pnpm would infinitely recurse when using verifyDepsBeforeInstall: install and pre/post install scripts that called other pnpm scripts #10060.
Fixed scoped registry keys (e.g., @scope:registry) being parsed as property paths in pnpm config get when --location=project is used #9362.
Remove pnpm-specific CLI options before passing to npm publish to prevent "Unknown cli config" warnings #9646.
Fixed EISDIR error when bin field points to a directory #9441.
Preserve version and hasBin for variations packages #10022.
Fixed pnpm config set --location=project incorrectly handling keys with slashes (auth tokens, registry settings) #9884.
When both pnpm-workspace.yaml and .npmrc exist, pnpm config set --location=project now writes to pnpm-workspace.yaml (matching read priority) #10072.
Prevent a table width error in pnpm outdated --long #10040.
Sync bin links after injected dependencies are updated by build scripts. This ensures that binaries created during build processes are properly linked and accessible to consuming projects #10057.

`v10.18.2`

Compare Source

Patch Changes

pnpm outdated --long should work #10040.
Replace ndjson with split2. Reduce the bundle size of pnpm CLI #10054.
pnpm dlx should request the full metadata of packages, when minimumReleaseAge is set #9963.
pnpm version switching should work when the pnpm home directory is in a symlinked directory #9715.
Fix EPIPE errors when piping output to other commands #10027.

`v10.18.1`

Compare Source

Patch Changes

Don't print a warning, when --lockfile-only is used #8320.
pnpm setup creates a command shim to the pnpm executable. This is needed to be able to run pnpm self-update on Windows #5700.
When using pnpm catalogs and running a normal pnpm install, pnpm produced false positive warnings for "skip adding to the default catalog because it already exists". This warning now only prints when using pnpm add --save-catalog as originally intended.

`v10.18.0`

Compare Source

Minor Changes

Added network performance monitoring to pnpm by implementing warnings for slow network requests, including both metadata fetches and tarball downloads.

Added configuration options for warning thresholds: fetchWarnTimeoutMs and fetchMinSpeedKiBps.
Warning messages are displayed when requests exceed time thresholds or fall below speed minimums

Related PR: #10025.

Patch Changes

Retry filesystem operations on EAGAIN errors #9959.
Outdated command respects minimumReleaseAge configuration #10030.
Correctly apply the cleanupUnusedCatalogs configuration when removing dependent packages.
Don't fail with a meaningless error when scriptShell is set to false #8748.
pnpm dlx should not fail when minimumReleaseAge is set #10037.

`v10.17.1`

Compare Source

Patch Changes

When a version specifier cannot be resolved because the versions don't satisfy the minimumReleaseAge setting, print this information out in the error message #9974.
Fix state.json creation path when executing pnpm patch in a workspace project #9733.
When minimumReleaseAge is set and the latest tag is not mature enough, prefer a non-deprecated version as the new latest #9987.

`v10.17.0`

Compare Source

Minor Changes

The minimumReleaseAgeExclude setting now supports patterns. For instance:
```
minimumReleaseAge: 1440
minimumReleaseAgeExclude:
  - "@&#8203;eslint/*"
```
Related PR: #9984.

Patch Changes

Don't ignore the minimumReleaseAge check, when the package is requested by exact version and the packument is loaded from cache #9978.
When minimumReleaseAge is set and the active version under a dist-tag is not mature enough, do not downgrade to a prerelease version in case the original version wasn't a prerelease one #9979.

`v10.16.1`

Compare Source

Patch Changes

The full metadata cache should be stored not at the same location as the abbreviated metadata. This fixes a bug where pnpm was loading the abbreviated metadata from cache and couldn't find the "time" field as a result #9963.
Forcibly disable ANSI color codes when generating patch diff #9914.

`v10.16.0`

Compare Source

Minor Changes

There have been several incidents recently where popular packages were successfully attacked. To reduce the risk of installing a compromised version, we are introducing a new setting that delays the installation of newly released dependencies. In most cases, such attacks are discovered quickly and the malicious versions are removed from the registry within an hour.

The new setting is called minimumReleaseAge. It specifies the number of minutes that must pass after a version is published before pnpm will install it. For example, setting minimumReleaseAge: 1440 ensures that only packages released at least one day ago can be installed.

If you set minimumReleaseAge but need to disable this restriction for certain dependencies, you can list them under the minimumReleaseAgeExclude setting. For instance, with the following configuration pnpm will always install the latest version of webpack, regardless of its release time:
```
minimumReleaseAgeExclude:
  - webpack
```
Related issue: #9921.
Added support for finders #9946.

In the past, pnpm list and pnpm why could only search for dependencies by name (and optionally version). For example:
```
pnpm why minimist
```
prints the chain of dependencies to any installed instance of minimist:
```
verdaccio 5.20.1
├─┬ handlebars 4.7.7
│ └── minimist 1.2.8
└─┬ mv 2.1.1
  └─┬ mkdirp 0.5.6
    └── minimist 1.2.8
```
What if we want to search by other properties of a dependency, not just its name? For instance, find all packages that have react@17 in their peer dependencies?

This is now possible with "finder functions". Finder functions can be declared in .pnpmfile.cjs and invoked with the --find-by=<function name> flag when running pnpm list or pnpm why.

Let's say we want to find any dependencies that have React 17 in peer dependencies. We can add this finder to our .pnpmfile.cjs:
```
module.exports = {
  finders: {
    react17: (ctx) => {
      return ctx.readManifest().peerDependencies?.react === "^17.0.0";
    },
  },
};
```
Now we can use this finder function by running:
```
pnpm why --find-by=react17
```
pnpm will find all dependencies that have this React in peer dependencies and print their exact locations in the dependency graph.
```
@&#8203;apollo/client 4.0.4
├── @&#8203;graphql-typed-document-node/core 3.2.0
└── graphql-tag 2.12.6
```
It is also possible to print out some additional information in the output by returning a string from the finder. For example, with the following finder:
```
module.exports = {
  finders: {
    react17: (ctx) => {
      const manifest = ctx.readManifest();
      if (manifest.peerDependencies?.react === "^17.0.0") {
        return `license: ${manifest.license}`;
      }
      return false;
    },
  },
};
```
Every matched package will also print out the license from its package.json:
```
@&#8203;apollo/client 4.0.4
├── @&#8203;graphql-typed-document-node/core 3.2.0
│   license: MIT
└── graphql-tag 2.12.6
    license: MIT
```

Patch Changes

Fix deprecation warning printed when executing pnpm with Node.js 24 #9529.
Throw an error if nodeVersion is not set to an exact semver version #9934.
pnpm publish should be able to publish a .tar.gz file #9927.
Canceling a running process with Ctrl-C should make pnpm run return a non-zero exit code #9626.