Skip to content

deps(npm): bump the npm-minor-patch group with 3 updates#123

Merged
github-actions[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-minor-patch-d744f4b3c8
May 4, 2026
Merged

deps(npm): bump the npm-minor-patch group with 3 updates#123
github-actions[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-minor-patch-d744f4b3c8

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 4, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-minor-patch group with 3 updates: zod, @biomejs/biome and openclaw.

Updates zod from 4.3.6 to 4.4.1

Release notes

Sourced from zod's releases.

v4.4.1

Commits:

  • 481f7be4238c83ed58183f921b2646f340a91c6a ci: gate release publishing on full test workflow
  • 95ccab423aec720b2523c3a64cdc7e3204537cc7 test(v3): restore optional undefined expectations
  • cede2c63739a5823d6aa5093d291e9a111da943d fix(v4): reject tuple holes before required defaults (#5900)
  • edd0bf0f5ada4a8dc581c259407d7bbad0a71ea7 release: 4.4.1
  • 180d83d1dbe6a59260710cc8637a3dea2281ee56 docs: remove Jazz featured sponsor

v4.4.0

4.4.0

This is a minor release with a wide set of correctness and soundness fixes. Some fixes intentionally make Zod stricter, so code that depended on previously accepted invalid or ambiguous inputs may need small updates.

Potentially breaking bug fixes

Tuple defaults now materialize output values correctly

Fixed in #5661. Tuple parsing now more accurately reflects defaults, optional tails, explicit undefined, and under-filled inputs. The headline behavior is that defaults in tuple positions now properly appear in parsed output.

const schema = z.tuple([
  z.string(),
  z.string().default("fallback"),
]);
schema.parse(["a"]);
// ["a", "fallback"]

Trailing optional elements that are absent still stay absent; they are not filled with undefined.

const schema = z.tuple([
  z.string(),
  z.string().optional(),
]);
schema.parse(["a"]);
// ["a"]

But explicit undefined values supplied by the caller are preserved.

schema.parse(["a", undefined]);
// ["a", undefined]

When optional elements appear before later defaults, the parsed tuple is now dense so array operations behave predictably.

... (truncated)

Commits
  • 180d83d docs: remove Jazz featured sponsor
  • edd0bf0 release: 4.4.1
  • cede2c6 fix(v4): reject tuple holes before required defaults (#5900)
  • 95ccab4 test(v3): restore optional undefined expectations
  • 481f7be ci: gate release publishing on full test workflow
  • d05f026 release: 4.4.0
  • f778e02 build: bump zshy for JSR wildcard exports
  • 6db607b fix(release): keep JSR manifest publishable
  • ad0b827 ci: update release workflow for trusted publishing
  • b6066b3 fix(v4): align object and tuple optionality handling (#5661)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for zod since your current version.


Updates @biomejs/biome from 2.4.13 to 2.4.14

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.14

2.4.14

Patch Changes

  • #9393 491b171 Thanks @​dyc3! - Added the nursery rule useTestHooksOnTop in the test domain. The rule flags lifecycle hooks (beforeEach, beforeAll, afterEach, afterAll) that appear after test cases in the same block, enforcing that hooks are defined before any test case.

  • #10157 eefc5ab Thanks @​dyc3! - Fixed #7882: The HTML parser will now emit better diagnostics when it encounters a void element with a closing tag, such as <br></br>. Previously, the parser would emit multiple diagnostics with conflicting advice. Now it emits a single diagnostic that clearly states that void elements should not have closing tags.

  • #10054 0e9f569 Thanks @​minseong0324! - noMisleadingReturnType no longer misses widening from concrete object types, class instances, object literals, tuples, functions, and regular expressions to : object.

    A function annotated : object returning an object literal:

    function f(): object {
  return { retry: true };
}

  • #10116 53269eb Thanks @​jiwon79! - Fixed #6201: noUselessEscapeInRegex no longer flags an escaped backslash followed by - as a useless escape. Patterns like /[\\-]/ are now considered valid because the second \ is the escaped backslash, not an unnecessary escape of the trailing dash.

  • #10092 33d8543 Thanks @​Conaclos! - Fixed #9097: organizeImports no longer adds a blank line between a never-matched group and a matched group.

    Given the following organizeImports options:

    {
  "groups": [":NODE:", ":BLANK_LINE:", ":PACKAGE:", ":BLANK_LINE:", ":PATH:"]
}

    The following code...

    // Comment
import "package";
import "./file.js";

    ...was organized as:

    +
  // Comment
  import "package";
+
  import "./file.js";

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.14

Patch Changes

  • #9393 491b171 Thanks @​dyc3! - Added the nursery rule useTestHooksOnTop in the test domain. The rule flags lifecycle hooks (beforeEach, beforeAll, afterEach, afterAll) that appear after test cases in the same block, enforcing that hooks are defined before any test case.

  • #10157 eefc5ab Thanks @​dyc3! - Fixed #7882: The HTML parser will now emit better diagnostics when it encounters a void element with a closing tag, such as <br></br>. Previously, the parser would emit multiple diagnostics with conflicting advice. Now it emits a single diagnostic that clearly states that void elements should not have closing tags.

  • #10054 0e9f569 Thanks @​minseong0324! - noMisleadingReturnType no longer misses widening from concrete object types, class instances, object literals, tuples, functions, and regular expressions to : object.

    A function annotated : object returning an object literal:

    function f(): object {
  return { retry: true };
}

  • #10116 53269eb Thanks @​jiwon79! - Fixed #6201: noUselessEscapeInRegex no longer flags an escaped backslash followed by - as a useless escape. Patterns like /[\\-]/ are now considered valid because the second \ is the escaped backslash, not an unnecessary escape of the trailing dash.

  • #10092 33d8543 Thanks @​Conaclos! - Fixed #9097: organizeImports no longer adds a blank line between a never-matched group and a matched group.

    Given the following organizeImports options:

    {
  "groups": [":NODE:", ":BLANK_LINE:", ":PACKAGE:", ":BLANK_LINE:", ":PATH:"]
}

    The following code...

    // Comment
import "package";
import "./file.js";

    ...was organized as:

    +
  // Comment
  import "package";
+
  import "./file.js";

    A blank line was added even though the group ':NODE:' doesn't match any imports here. :BLANK_LINE: between never-matched groups and matched groups are now ignored.

... (truncated)

Commits

Updates openclaw from 2026.4.23 to 2026.4.29

Release notes

Sourced from openclaw's releases.

openclaw 2026.4.29

2026.4.29

Highlights

Changes

  • Security/tools: configured tool sections (tools.exec, tools.fs) no longer implicitly widen restrictive profiles (messaging, minimal). Users who need those tools under a restricted profile must add explicit alsoAllow entries; a startup warning identifies affected configs. Fixes #47487. Thanks @​amknight.
  • Agents/commitments: add opt-in inferred follow-up commitments with hidden batched extraction, per-agent/per-channel scoping, heartbeat delivery, CLI management, a simple commitments.enabled/commitments.maxPerDay config, and heartbeat-interval due-time clamping so magical check-ins do not echo immediately. (#74189) Thanks @​vignesh07.
  • Messages/queue: make steer drain all pending Pi steering messages at the next model boundary, keep legacy one-at-a-time steering as queue, and add a dedicated steering queue docs page. Thanks @​vincentkoc.
  • Messages/queue: default active-run queueing to steer with a 500ms followup fallback debounce, and document the queue modes, precedence, and drop policies on the command queue page. Thanks @​vincentkoc.
  • Messages: add global messages.visibleReplies so operators can require visible output to go through message(action=send) for any source chat, while messages.groupChat.visibleReplies stays available as the group/channel override. Thanks @​scoootscooob.
  • Gateway/events: surface spawnedBy on subagent chat and agent broadcast payloads so clients can route child session events without an extra session lookup. (#63244) Thanks @​samzong.
  • Memory/wiki: add agent-facing people wiki metadata, canonical aliases, person cards, relationship graphs, privacy/provenance reports, evidence-kind drilldown, and search modes for person lookup, question routing, source evidence, and raw claims. Thanks @​vincentkoc.
  • Active Memory: add optional per-conversation allowedChatIds and deniedChatIds filters so operators can enable recall only for selected direct, group, or channel conversations while keeping broad sessions skipped. (#67977) Thanks @​quengh.
  • Active Memory: return bounded partial recall summaries when the hidden memory sub-agent times out, including the default temporary-transcript path, so useful recovered context is not discarded. (#73219) Thanks @​joeykrug.
  • Gateway/memory: add a read-only doctor.memory.remHarness RPC so operator clients can preview bounded REM dreaming output without running mutation paths. (#66673) Thanks @​samzong.
  • Providers/NVIDIA: add the NVIDIA provider with API-key onboarding, setup docs, static catalog metadata, and literal model-ref picker support so NVIDIA hosted models can be selected with their provider prefix intact. (#71204) Thanks @​eleqtrizit.
  • Models: suppress explicitly configured openai-codex/gpt-5.4-mini inline entries so a stale models config written by openclaw doctor --fix cannot bypass the manifest capability block and cause repeated assistant-turn failures when the runtime switches to that model on ChatGPT-backed Codex accounts. Conditional suppressions (e.g. qwen Coding Plan endpoint guards) remain bypassable by explicit user configuration. (#74451) Thanks @​0xCyda, @​hclsys, and @​Marvae.
  • Added SQLite-backed plugin state store (api.runtime.state.openKeyedStore) for restart-safe keyed registries with TTL, eviction, and automatic plugin isolation. Thanks @​amknight.
  • Plugin SDK: mark remaining legacy alias exports and diffs tool/config aliases with deprecation metadata, and add a guard so future legacy alias comments require @deprecated tags. Thanks @​vincentkoc.
  • CLI/QR/dependencies: internalize small terminal progress and QR wrapper helpers while keeping the real QR encoder dependency direct, reducing the default runtime dependency graph without changing QR output behavior. Thanks @​vincentkoc.
  • Dependencies: refresh workspace runtime, plugin, and tooling packages, including ACP, Pi, AWS SDK, TypeBox, pnpm, oxlint, oxfmt, jsdom, pdfjs, ciao, and tokenjuice, while keeping patched ACP behavior and lint gates current. Thanks @​mariozechner.
  • Gateway/dev: run pnpm gateway:watch through a named tmux session by default, with gateway:watch:raw and OPENCLAW_GATEWAY_WATCH_TMUX=0 for foreground mode, so repeated starts respawn an inspectable watcher without trapping the invoking agent shell. Thanks @​vincentkoc.
  • Gateway/diagnostics: emit an opt-in startup diagnostics timeline that records gateway lifecycle and plugin-load phases behind a config flag, so slow-start diagnosis no longer requires bespoke instrumentation. Thanks @​shakkernerd.
  • Control UI/i18n: extend the locale registry with new Persian (fa), Dutch (nl), Vietnamese (vi), Italian (it), Arabic (ar), and Thai (th) entries and ship fa, nl, vi, and zh-TW docs glossaries, so the docs translation pipeline and the Control UI language picker stay aligned across surfaces. Thanks @​vincentkoc.
  • Channels: add Yuanbao channel docs entrance so the Tencent Yuanbao bot appears in the channel listing and sidebar navigation. (#73443) Thanks @​loongfay.
  • Channels/Yuanbao: update plugin GitHub location to YuanbaoTeam/yuanbao-openclaw-plugin and add "yuanbao" alias to channel catalog. (#74253) Thanks @​loongfay.
  • Docker setup: add OPENCLAW_SKIP_ONBOARDING so automated Docker installs can skip the interactive onboarding step while still applying gateway defaults. (#55518) Thanks @​jinjimz.
  • Security policy: classify media/base64 decode and format-conversion overhead after configured acceptance limits as performance-only for GHSA triage unless a report demonstrates a limit bypass, crash, exhaustion, data exposure, or another boundary bypass. (#74311)
  • Security/OpenGrep: add a precise OpenGrep rulepack, source-rule compiler, provenance metadata check, and PR/full scan workflows that validate first-party code and rulepack-only changes while uploading SARIF to GitHub Code Scanning. (#69483) Thanks @​jesse-merhi.

Fixes

  • Providers/OpenAI Codex: preserve existing wrapped Codex streams during OpenAI attribution so PI OAuth bearer injection reaches ChatGPT/Codex Responses, and strip native Codex-only unsupported payload fields without touching custom compatible endpoints. (#75111) Thanks @​keshavbotagent.
  • Agents/tool-result guard: use the resolved runtime context token budget for non-context-engine tool-result overflow checks, so long tool-heavy sessions no longer compact early when contextTokens is larger than native contextWindow. Fixes #74917. Thanks @​kAIborg24.
  • Gateway/systemd: exit with sysexits 78 for supervised lock and EADDRINUSE conflicts so RestartPreventExitStatus=78 stops Restart=always restart loops instead of repeatedly reloading plugins against an occupied port. Fixes #75115. Thanks @​yhyatt.
  • Agents/runtime: skip blank visible user prompts at the embedded-runner boundary before provider submission while still allowing internal runtime-only turns and media-only prompts, so Telegram/group sessions no longer leak raw empty-input provider errors when replay history exists. Fixes #74137. Thanks @​yelog, @​Gracker, and @​nhaener.
  • Auto-reply/group chats: fall back to automatic source delivery when a channel precomputes message-tool-only replies but the message tool is unavailable, so Discord/Slack-style group turns do not silently complete without a visible reply. Fixes #74868. Thanks @​kagura-agent.
  • Browser/gateway: share one browser control runtime across the HTTP control server and browser.request, and refresh browser profile config from the source snapshot, so CLI status/start honors configured browser.executablePath, headless, and noSandbox instead of falling back to stale auto-detection. Fixes #75087; repairs #73617. Thanks @​civiltox and @​martingarramon.
  • Agents/subagents: bound automatic orphan recovery with persisted recovery attempts and a wedged-session tombstone, and teach task maintenance/doctor to reconcile those sessions so restart loops no longer require manual sessions.json surgery. Fixes #74864. Thanks @​solosage1.
  • Gateway/startup: skip pre-bind web-fetch provider discovery for credential-free tools.web.fetch config, so Docker/Kubernetes gateways bind even when optional fetch limits are present. Fixes #74896. Thanks @​KoykL.
  • Infra/tmp: tolerate concurrent temp-dir permission repairs by rechecking directories that another process already tightened, so parallel ACP subprocess startup no longer throws Unsafe fallback OpenClaw temp dir. Fixes #66867. Thanks @​Kane808-AI and @​jarvisz8.

... (truncated)

Commits
  • a448042 test(qa): extend restart boundary wait
  • a911070 chore(release): prepare 2026.4.29
  • d052f85 test(release): align beta validation harness
  • f68c232 chore(release): prepare 2026.4.29-beta.4
  • b048351 fix(auth): scope external CLI credential discovery
  • cad9026 fix(codex): time out silent app-server turns
  • 25cb61c fix(plugins): harden runtime mirrors
  • a4d338c fix: guard blank prompt submissions (#74168)
  • 6a18a2e fix(deepseek): expose V4 max thinking levels (#73008)
  • 8be5a7e fix: keep telegram polling timeout above long poll
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
deps(npm): bump the npm-minor-patch group with 3 updates
168f3ee 
Bumps the npm-minor-patch group with 3 updates: [zod](https://github.com/colinhacks/zod), [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) and [openclaw](https://github.com/openclaw/openclaw).


Updates `zod` from 4.3.6 to 4.4.1
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](colinhacks/zod@v4.3.6...v4.4.1)

Updates `@biomejs/biome` from 2.4.13 to 2.4.14
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.4.14/packages/@biomejs/biome)

Updates `openclaw` from 2026.4.23 to 2026.4.29
- [Release notes](https://github.com/openclaw/openclaw/releases)
- [Commits](openclaw/openclaw@v2026.4.23...v2026.4.29)

---
updated-dependencies:
- dependency-name: zod
  dependency-version: 4.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor-patch
- dependency-name: "@biomejs/biome"
  dependency-version: 2.4.14
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: openclaw
  dependency-version: 2026.4.29
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Copilot AI review requested due to automatic review settings May 4, 2026 13:42
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 4, 2026
@dependabot dependabot Bot review requested due to automatic review settings May 4, 2026 13:42
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 4, 2026
@github-actions github-actions Bot added the deps label May 4, 2026
@github-actions github-actions Bot merged commit 0725bbc into main May 4, 2026
14 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm-minor-patch-d744f4b3c8 branch May 4, 2026 13:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file deps javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants