build(deps-dev): bump the dev-dependencies group across 1 directory with 7 updates

[dependabot]

Bumps the dev-dependencies group with 7 updates in the / directory:

Package	From	To
@arethetypeswrong/cli	0.18.3	0.18.4
@biomejs/biome	2.4.16	2.5.0
@sveltejs/kit	2.64.0	2.67.0
@vitest/coverage-v8	4.1.8	4.1.9
astro	6.4.5	7.0.0
hono	4.12.25	4.12.27
vitest	4.1.8	4.1.9

Updates @arethetypeswrong/cli from 0.18.3 to 0.18.4

Changelog

Sourced from @​arethetypeswrong/cli's changelog.

0.18.4

Patch Changes

• Updated dependencies [644fab1]
  • @​arethetypeswrong/core@​0.18.4

Commits

• See full diff in compare view

Updates @biomejs/biome from 2.4.16 to 2.5.0

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.5.0

2.5.0

Minor Changes

• #9539 f0615fd Thanks @​ematipico! - Added a new reporter called concise. When --reporter=concise is passed the commands format, lint, check and ci, the diagnostics are printed in a compact manner:

  ! index.ts:2:10: lint/correctness/noUnusedImports: Several of these imports are unused.
  ! main.ts:9:7: lint/correctness/noUnusedVariables: This variable f is unused.
  × index.ts:8:5: lint/suspicious/noImplicitAnyLet: This variable implicitly has the any type.
  × main.ts:2:10: lint/suspicious/noRedeclare: Shouldn't redeclare 'z'. Consider to delete it or rename it.
  

• #9495 2056b23 Thanks @​aviraldua93! - Added the useKeyWithClickEvents a11y lint rule for HTML files (.html, .vue, .svelte, .astro). This is a port of the existing JSX rule. The rule enforces that elements with an onclick handler also have at least one keyboard event handler (onkeydown, onkeyup, or onkeypress) to ensure keyboard accessibility.

  Inherently keyboard-accessible elements (<a>, <button>, <input>, <select>, <textarea>, <option>) are excluded, as are elements hidden from assistive technologies (aria-hidden) or with role="presentation" / role="none".

  <!-- Invalid: no keyboard handler -->
  <div onclick="handleClick()">Click me</div>
  <!-- Valid: has keyboard handler -->
  <div onclick="handleClick()" onkeydown="handleKeyDown()">Click me</div>
  <!-- Valid: inherently keyboard-accessible -->
  <button onclick="handleClick()">Submit</button>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUndeclaredClasses for HTML, JSX, and SFC files (Vue, Astro, Svelte). The rule detects CSS class names used in class="..." (or className) attributes that are not defined in any <style> block or linked stylesheet reachable from the file.

  <!-- .typo is used but never defined -->
  <html>
    <head>
      <style>
        .button {
          color: blue;
        }
      </style>
    </head>
    <body>
      <div class="button typo"></div>
    </body>
  </html>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.5.0

Minor Changes

• #9539 f0615fd Thanks @​ematipico! - Added a new reporter called concise. When --reporter=concise is passed the commands format, lint, check and ci, the diagnostics are printed in a compact manner:

  ! index.ts:2:10: lint/correctness/noUnusedImports: Several of these imports are unused.
  ! main.ts:9:7: lint/correctness/noUnusedVariables: This variable f is unused.
  × index.ts:8:5: lint/suspicious/noImplicitAnyLet: This variable implicitly has the any type.
  × main.ts:2:10: lint/suspicious/noRedeclare: Shouldn't redeclare 'z'. Consider to delete it or rename it.
  

• #9495 2056b23 Thanks @​aviraldua93! - Added the useKeyWithClickEvents a11y lint rule for HTML files (.html, .vue, .svelte, .astro). This is a port of the existing JSX rule. The rule enforces that elements with an onclick handler also have at least one keyboard event handler (onkeydown, onkeyup, or onkeypress) to ensure keyboard accessibility.

  Inherently keyboard-accessible elements (<a>, <button>, <input>, <select>, <textarea>, <option>) are excluded, as are elements hidden from assistive technologies (aria-hidden) or with role="presentation" / role="none".

  <!-- Invalid: no keyboard handler -->
  <div onclick="handleClick()">Click me</div>
  <!-- Valid: has keyboard handler -->
  <div onclick="handleClick()" onkeydown="handleKeyDown()">Click me</div>
  <!-- Valid: inherently keyboard-accessible -->
  <button onclick="handleClick()">Submit</button>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUndeclaredClasses for HTML, JSX, and SFC files (Vue, Astro, Svelte). The rule detects CSS class names used in class="..." (or className) attributes that are not defined in any <style> block or linked stylesheet reachable from the file.

  <!-- .typo is used but never defined -->
  <html>
    <head>
      <style>
        .button {
          color: blue;
        }
      </style>
    </head>
    <body>
      <div class="button typo"></div>
    </body>
  </html>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.

  /* styles.css — .ghost is never used in any importing file */

... (truncated)

Commits

• c0b9832 ci: release (#10499)
• 995c1ff feat(lint): add useFunctionComponentDefinition rule (#10498)
• 311c2b2 fix(biome_configuration): avoid Markdown links in JSON schema descriptions (#...
• 04c3f19 fix: docs and readme (#10584)
• 961f41c refactor(useExportType): improve docs and code (#10569)
• 78075b7 feat(useExportType): add style option (#10561)
• 6642895 feat: rule promotion for v2.5 (#10562)
• 9a5855e feat: noRestrictedDependencies (#10467)
• 608a62f Merge branch 'main' into chore/merge-main-into-next
• 0f29b83 feat(linter): implement useIncludes rule (#10516)
• Additional commits viewable in compare view

Updates @sveltejs/kit from 2.64.0 to 2.67.0

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.67.0

Minor Changes

• feat: add prerender.handleInvalidUrl option for invalid URLs discovered while crawling (#16088)

Patch Changes

• fix: support exactOptionalPropertyTypes for optional form schema fields (#15866)

• fix: avoid unnecessarily overriding a user's Vite 8 codeSplitting setting (#16118)

@​sveltejs/kit@​2.66.0

Minor Changes

• feat: precompress prerendered .md and .mdx files (#15893)

• feat: warn the user when they forget to make boolean inputs optional in their form schemas (#15804)

Patch Changes

• fix: blur active element before component update during navigation so that blur/focusout handlers fire while old component data is still valid (#15452)

• fix: ensure base is available from $service-worker during development (#15882)

• fix: use correct relative asset paths when rendering an error page for a missing __data.json request (#15884)

• fix: preserve active for await consumers across query.live reconnects (#16022)

• fix: settle query.live reconnect promise on all exit paths, preventing invalidateAll() from deadlocking when a live query is offline or interrupted (#16022)

• fix: preserve last value when a query.live stream completes without yielding on reconnect (#16022)

• fix: remove types: ['node'] from generated tsconfig to avoid errors when @types/node is not installed (#15709)

• fix: prefer pages over endpoints when prerendering (#16076)

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.67.0

Minor Changes

• feat: add prerender.handleInvalidUrl option for invalid URLs discovered while crawling (#16088)

Patch Changes

• fix: support exactOptionalPropertyTypes for optional form schema fields (#15866)

• fix: avoid unnecessarily overriding a user's Vite 8 codeSplitting setting (#16118)

2.66.0

Minor Changes

• feat: precompress prerendered .md and .mdx files (#15893)

• feat: warn the user when they forget to make boolean inputs optional in their form schemas (#15804)

Patch Changes

• fix: blur active element before component update during navigation so that blur/focusout handlers fire while old component data is still valid (#15452)

• fix: ensure base is available from $service-worker during development (#15882)

• fix: use correct relative asset paths when rendering an error page for a missing __data.json request (#15884)

• fix: preserve active for await consumers across query.live reconnects (#16022)

• fix: settle query.live reconnect promise on all exit paths, preventing invalidateAll() from deadlocking when a live query is offline or interrupted (#16022)

• fix: preserve last value when a query.live stream completes without yielding on reconnect (#16022)

• fix: remove types: ['node'] from generated tsconfig to avoid errors when @types/node is not installed (#15709)

• fix: prefer pages over endpoints when prerendering (#16076)

... (truncated)

Commits

• c5d0e83 Version Packages (#16086)
• cf15fa0 fix: add handleInvalidUrl prerender option for non-HTTP URL schemes (#16088)
• 2992e17 fix: avoid overwriting codeSplitting for split apps (#16118)
• d71dabb chore: fix internal types export target (#16113)
• 7b43b29 chore: fix more flaky tests (#16061)
• 5c76121 fix: allow optional remote form schema fields under `{exactOptionalPropertyTy...
• 4c9b8f1 Version Packages (#16062)
• 276744d fix: preflight schemas apply correctly when chained before for (#15863)
• e8c8d84 chore: DRY out __sveltekit_xyz123 stuff (#16085)
• 4eabadc fix: fail early if a route with +page and +server is marked as prerendera...
• Additional commits viewable in compare view

Updates @vitest/coverage-v8 from 4.1.8 to 4.1.9

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.9

🐞 Bug Fixes

• Fix importOriginal with optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in vitest-dev/vitest#10546 (a5180)
• browser:
  • Wait for orchestrator readiness before resolving browser sessions [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10555 (7fb29)
  • Wait for iframe tester readiness before preparing [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10497 and vitest-dev/vitest#10556 (fbc62)
• mocker:
  • Hoist vi.mock() for vite-plus/test imports [backport to v4] - by Hiroshi Ogawa, LongYinan, Claude Opus 4.8 and Vladimir in vitest-dev/vitest#10548 (2c955)
• pool:
  • Prevent test run hang on worker crash [backport to v4] - by Ari Perkkiö and Jattioui Ismail in vitest-dev/vitest#10543 and vitest-dev/vitest#10564 (934b0)

View changes on GitHub

Commits

• a7a61e7 chore: release v4.1.9 (#10598)
• See full diff in compare view

Updates astro from 6.4.5 to 7.0.0

Release notes

Sourced from astro's releases.

astro@7.0.0

Major Changes

• #15819 cafec4e Thanks @​delucis! - Upgrade to Vite v8

• #16965 57ead0d Thanks @​Princesseuh! - Makes 'jsx' the default value for compressHTML

  Astro now strips whitespace from your HTML using JSX rules by default, the same way frameworks like React do. Whitespace and line breaks around elements are removed, but meaningful whitespace within a single line — like a space between two inline elements — is preserved. To keep a space that would otherwise be removed, write it explicitly in your source, for example with {" "}.

  This can change rendered output where whitespace between inline elements was previously meaningful. To keep Astro's earlier behavior, set compressHTML: true for HTML-aware compression, or compressHTML: false to preserve all whitespace.

• #16610 c63e7e4 Thanks @​matthewp! - Adds background dev server management for AI coding agents.

  When an AI coding agent is detected, astro dev now automatically starts the dev server as a detached background process. This prevents the dev server from blocking the agent's terminal and allows it to continue working while the server runs.

  A lock file (.astro/dev.json) is written when the dev server starts, recording the server's URL, port, and PID. This prevents duplicate servers from being started for the same project.

  New flag and subcommands

  • astro dev --background — Start the dev server as a background process (this is what runs automatically when an agent is detected).
  • astro dev stop — Stop a running background dev server.
  • astro dev status — Check if a dev server is running and display its URL, PID, and uptime.
  • astro dev logs — View logs from a background dev server. Use --follow (-f) to stream new output as it's written.

  These allow you to start and manage dev servers programmatically and were designed with AI coding agents in mind.

  What should I do?

  No action is required. If you are not using an AI coding agent, astro dev behaves exactly as before. If you are using an agent, background mode is enabled automatically — the agent will receive the server URL and PID, and can use astro dev stop to shut it down.

  To opt out of automatic background mode when an agent is detected, set the environment variable ASTRO_DEV_BACKGROUND=0 before running astro dev.

• #17010 0606073 Thanks @​ocavue! - Removes the @astrojs/db package as it is no longer maintained.

  The @astrojs/db package were deprecated in v6.4.5 and is now removed. This means the astro db, astro login, astro logout, astro link, and astro init CLI commands have also been removed.

  If you were using Astro DB in your project, remove @astrojs/db from your project's dependencies and replace it with one of the following alternatives:

  • Node.js built-in SQLite: Node.js now includes a built-in node:sqlite module (available since Node.js v22.5.0). This is a good option if you are using the Node.js adapter and were using @astrojs/db for local SQLite storage.
  • Drizzle ORM: If you were using @astrojs/db for its Drizzle-based schema and query API, you can use Drizzle directly with any supported database.
  • Other database libraries: Use any database library that suits your deployment platform (e.g. Turso, PlanetScale, Neon).

• #16462 c30a778 Thanks @​Princesseuh! - Replaces the Go compiler with a Rust-based version.

  The Rust-based Astro compiler (@astrojs/compiler-rs) is now the default compiler. This new compiler is faster and more reliable, leading to faster build times and iteration cycles during development.

  This new compiler is more strict regarding invalid syntax. For example, unclosed HTML tags will now throw an error instead of being ignored. It also does not attempt to correct semantically invalid HTML anymore, instead leaving it to the browser to handle, similar to other tools or document.write() in JavaScript.

  The previous Go-based compiler has been removed, along with the experimental.rustCompiler flag used to opt into the Rust compiler. If you were setting experimental.rustCompiler in your astro.config.mjs, you can now remove it. No other action is required.

... (truncated)

Changelog

Sourced from astro's changelog.

7.0.0

Major Changes

• #15819 cafec4e Thanks @​delucis! - Upgrade to Vite v8

• #16965 57ead0d Thanks @​Princesseuh! - Makes 'jsx' the default value for compressHTML

  Astro now strips whitespace from your HTML using JSX rules by default, the same way frameworks like React do. Whitespace and line breaks around elements are removed, but meaningful whitespace within a single line — like a space between two inline elements — is preserved. To keep a space that would otherwise be removed, write it explicitly in your source, for example with {" "}.

  This can change rendered output where whitespace between inline elements was previously meaningful. To keep Astro's earlier behavior, set compressHTML: true for HTML-aware compression, or compressHTML: false to preserve all whitespace.

• #16610 c63e7e4 Thanks @​matthewp! - Adds background dev server management for AI coding agents.

  When an AI coding agent is detected, astro dev now automatically starts the dev server as a detached background process. This prevents the dev server from blocking the agent's terminal and allows it to continue working while the server runs.

  A lock file (.astro/dev.json) is written when the dev server starts, recording the server's URL, port, and PID. This prevents duplicate servers from being started for the same project.

  New flag and subcommands

  • astro dev --background — Start the dev server as a background process (this is what runs automatically when an agent is detected).
  • astro dev stop — Stop a running background dev server.
  • astro dev status — Check if a dev server is running and display its URL, PID, and uptime.
  • astro dev logs — View logs from a background dev server. Use --follow (-f) to stream new output as it's written.

  These allow you to start and manage dev servers programmatically and were designed with AI coding agents in mind.

  What should I do?

  No action is required. If you are not using an AI coding agent, astro dev behaves exactly as before. If you are using an agent, background mode is enabled automatically — the agent will receive the server URL and PID, and can use astro dev stop to shut it down.

  To opt out of automatic background mode when an agent is detected, set the environment variable ASTRO_DEV_BACKGROUND=0 before running astro dev.

• #17010 0606073 Thanks @​ocavue! - Removes the @astrojs/db package as it is no longer maintained.

  The @astrojs/db package were deprecated in v6.4.5 and is now removed. This means the astro db, astro login, astro logout, astro link, and astro init CLI commands have also been removed.

  If you were using Astro DB in your project, remove @astrojs/db from your project's dependencies and replace it with one of the following alternatives:

  • Node.js built-in SQLite: Node.js now includes a built-in node:sqlite module (available since Node.js v22.5.0). This is a good option if you are using the Node.js adapter and were using @astrojs/db for local SQLite storage.
  • Drizzle ORM: If you were using @astrojs/db for its Drizzle-based schema and query API, you can use Drizzle directly with any supported database.
  • Other database libraries: Use any database library that suits your deployment platform (e.g. Turso, PlanetScale, Neon).

• #16462 c30a778 Thanks @​Princesseuh! - Replaces the Go compiler with a Rust-based version.

  The Rust-based Astro compiler (@astrojs/compiler-rs) is now the default compiler. This new compiler is faster and more reliable, leading to faster build times and iteration cycles during development.

  This new compiler is more strict regarding invalid syntax. For example, unclosed HTML tags will now throw an error instead of being ignored. It also does not attempt to correct semantically invalid HTML anymore, instead leaving it to the browser to handle, similar to other tools or document.write() in JavaScript.

  The previous Go-based compiler has been removed, along with the experimental.rustCompiler flag used to opt into the Rust compiler. If you were setting experimental.rustCompiler in your astro.config.mjs, you can now remove it. No other action is required.

• #16966 6650ec2 Thanks @​Princesseuh! - Makes Sätteri the default Markdown processor

... (truncated)

Commits

• f55ba4c [ci] release (#17132)
• 5f2b16b docs: update v7 docs links (#17143)
• 9a53f77 feat: add CDN cache providers (#16335)
• 5f1831b docs(logger): correct logHandlers @​example to use top-level logger option (#1...
• 823f0d8 [ci] release (beta) (#17119)
• f95e58e feat: stabilise route caching (#17116)
• 0fd535d [ci] format
• 3cf76c0 Fix Vite and Rolldown build warnings in Astro 7 (#17090)
• 0da0678 [ci] release (beta) (#17089)
• c0f33ed fix(core): encoded URLs (#17109) (#17111)
• Additional commits viewable in compare view

Updates hono from 4.12.25 to 4.12.27

Release notes

Sourced from hono's releases.

v4.12.27

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc

---

Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

v4.12.26

What's Changed

• fix(lambda-edge): satisfy Deno lib types for Content-Length body encoding by @​yusukebe in honojs/hono#5013
• ci: publish to npm from CI with OIDC trusted publishing by @​yusukebe in honojs/hono#5028
• chore: remove unused devcontainer and gitpod configs by @​yusukebe in honojs/hono#5029
• chore: replace arg and glob with Bun native APIs in build script by @​yusukebe in honojs/hono#5030

Full Changelog: honojs/hono@v4.12.25...v4.12.26

Commits

• 97c6fe1 4.12.27
• aa92177 Merge commit from fork
• cd3f6f7 Merge commit from fork
• d4853a8 fix(jsx): make merged context-isolation tests pass tsc type check (#5037)
• 6735fea fix(jsx): cast awaitedFallback through unknown to fix Deno type check (#5036)
• fab3b13 Merge commit from fork
• 9f0dadf ci: use npm Staged publishing (#5035)
• 27b7992 4.12.26
• d29982c chore: replace arg and glob with Bun native APIs in build script
• 16215d5 chore: remove unused devcontainer and gitpod configs (#5029)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hono since your current version.

Updates vitest from 4.1.8 to 4.1.9

Release notes

Sourced from vitest's releases.

v4.1.9

🐞 Bug Fixes

• Fix importOriginal with optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in vitest-dev/vitest#10546 (a5180)
• browser:
  • Wait for orchestrator readiness before resolving browser sessions [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10555 (7fb29)
  • Wait for iframe tester readiness before preparing [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10497 and vitest-dev/vitest#10556 (fbc62)
• mocker:
  • Hoist vi.mock() for vite-plus/test imports [backport to v4] - by Hiroshi Ogawa, LongYinan, Claude Opus 4.8 and Vladimir in vitest-dev/vitest#10548 (2c955)
• pool:
  • Prevent test run hang on worker crash [backport to v4] - by Ari Perkkiö and Jattioui Ismail in vitest-dev/vitest#10543 and vitest-dev/vitest#10564 (934b0)

View changes on GitHub

Commits

• a7a61e7 chore: release v4.1.9 (#10598)
• 934b0f5 fix(pool): prevent test run hang on worker crash (#10543) [backport to v4] (#...
• 7fb2965 fix(browser): wait for orchestrator readiness before resolving browser sessio...
• a518019 fix: fix importOriginal with optimizer and query import [backport to v4] (#...
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions