deps: bump the dependencies group with 8 updates

[dependabot]

Bumps the dependencies group with 8 updates:

Package	From	To
@biomejs/biome	2.4.11	2.4.12
@changesets/cli	2.30.0	2.31.0
effect	3.21.0	3.21.1
lefthook	2.1.5	2.1.6
tsdown	0.21.7	0.21.9
typescript	6.0.2	6.0.3
ultracite	7.5.6	7.6.0
vite	8.0.8	8.0.9

Updates @biomejs/biome from 2.4.11 to 2.4.12

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.12

2.4.12

Patch Changes

• #9376 9701a33 Thanks @​dyc3! - Added the nursery/noIdenticalTestTitle lint rule. This rule disallows using the same title for two describe blocks or two test cases at the same nesting level.

  describe("foo", () => {});
  describe("foo", () => {
    // invalid: same title as previous describe block
    test("baz", () => {});
    test("baz", () => {}); // invalid: same title as previous test case
  });

• #9889 7ae83f2 Thanks @​dyc3! - Improved the diagnostics for useForOf to better explain the problem, why it matters, and how to fix it.

• #9916 27dd7b1 Thanks @​Jayllyz! - Added a new nursery rule noComponentHookFactories, that disallows defining React components or custom hooks inside other functions.

  For example, the following snippets trigger the rule:

  function createComponent(label) {
    function MyComponent() {
      return <div>{label}</div>;
    }
    return MyComponent;
  }

  function Parent() {
    function Child() {
      return <div />;
    }
    return <Child />;
  }

• #9980 098f1ff Thanks @​ematipico! - Fixed #9941: Biome now emits a warning diagnostic when a file exceed the files.maxSize limit.

• #9942 9956f1d Thanks @​dyc3! - Fixed #9918: useConsistentTestIt no longer panics when applying fixes to chained calls such as test.for([])("x", () => {});.

• #9891 4d9ac51 Thanks @​dyc3! - Improved the noGlobalObjectCalls diagnostic to better explain why calling global objects like Math or JSON is invalid and how to fix it.

• #9902 3f4d103 Thanks @​ematipico! - Fixed #9901: the command lint --write is now idempotent when it's run against HTML-ish files that contains scripts and styles.

• #9891 4d9ac51 Thanks @​dyc3! - Improved the noMultiStr diagnostic to explain why escaped multiline strings are discouraged and what to use instead.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.12

Patch Changes

• #9376 9701a33 Thanks @​dyc3! - Added the nursery/noIdenticalTestTitle lint rule. This rule disallows using the same title for two describe blocks or two test cases at the same nesting level.

  describe("foo", () => {});
  describe("foo", () => {
    // invalid: same title as previous describe block
    test("baz", () => {});
    test("baz", () => {}); // invalid: same title as previous test case
  });

• #9889 7ae83f2 Thanks @​dyc3! - Improved the diagnostics for useForOf to better explain the problem, why it matters, and how to fix it.

• #9916 27dd7b1 Thanks @​Jayllyz! - Added a new nursery rule noComponentHookFactories, that disallows defining React components or custom hooks inside other functions.

  For example, the following snippets trigger the rule:

  function createComponent(label) {
    function MyComponent() {
      return <div>{label}</div>;
    }
    return MyComponent;
  }

  function Parent() {
    function Child() {
      return <div />;
    }
    return <Child />;
  }

• #9980 098f1ff Thanks @​ematipico! - Fixed #9941: Biome now emits a warning diagnostic when a file exceed the files.maxSize limit.

• #9942 9956f1d Thanks @​dyc3! - Fixed #9918: useConsistentTestIt no longer panics when applying fixes to chained calls such as test.for([])("x", () => {});.

• #9891 4d9ac51 Thanks @​dyc3! - Improved the noGlobalObjectCalls diagnostic to better explain why calling global objects like Math or JSON is invalid and how to fix it.

• #9902 3f4d103 Thanks @​ematipico! - Fixed #9901: the command lint --write is now idempotent when it's run against HTML-ish files that contains scripts and styles.

• #9891 4d9ac51 Thanks @​dyc3! - Improved the noMultiStr diagnostic to explain why escaped multiline strings are discouraged and what to use instead.

• #9966 322675e Thanks @​siketyan! - Fixed #9113: Biome now parses and formats @media and other conditional blocks correctly inside embedded CSS snippets.

... (truncated)

Commits

• baaacfc ci: release (#9890)
• e0ba71d feat: implement useIframeSandbox (#9949)
• 2cff700 feat(lint/js): add useVarsOnTop (#9861)
• 27dd7b1 feat(react/js): add noComponentHookFactories (#9916)
• 0d0e611 feat(js_analyze): implement useReactAsyncServerFunction (#9909)
• f1c1363 feat(lint/js): add useStringStartsEndsWith (#9796)
• d417803 feat(js_analyze): implement noJsxNamespace (#9913)
• 9701a33 feat(lint/js): add noIdenticalTestTitle (#9376)
• c499f46 feat(lint): implement useReduceTypeParameter nursery rule (#9577)
• 40bd180 feat(lint/js): add noExcessiveSelectorClasses (#9866)
• See full diff in compare view

Updates @changesets/cli from 2.30.0 to 2.31.0

Release notes

Sourced from @​changesets/cli's releases.

@​changesets/cli@​2.31.0

Minor Changes

• #1889 96ca062 Thanks @​mixelburg! - Error on unsupported flags for individual CLI commands and print the matching command usage to make mistakes easier to spot.

• #1873 42943b7 Thanks @​mixelburg! - Respond to --help on all subcommands. Previously, --help was only handled when it was the sole argument; passing it alongside a subcommand (e.g. changeset version --help) would silently execute the command instead. Now --help always exits early and prints per-command usage when a known subcommand is provided, or the general help text otherwise.

Patch Changes

• d2121dc Thanks @​Andarist! - Fix npm auth for path-based registries during publish by preserving configured registry URLs instead of normalizing them.

• #1888 036fdd4 Thanks @​mixelburg! - Fix several changeset version issues with workspace protocol dependencies. Valid explicit workspace: ranges and aliases are no longer rewritten unnecessarily, and workspace path references are handled correctly during versioning.

• #1903 5c4731f Thanks @​Andarist! - Gracefully handle stale npm info data leading to duplicate publish attempts.

• #1867 f61e716 Thanks @​Andarist! - Improved detection for published state of prerelease-only packages without latest dist-tag on GitHub Packages registry.

• Updated dependencies [036fdd4, 036fdd4, 036fdd4]:

  • @​changesets/assemble-release-plan@​6.0.10
  • @​changesets/get-dependents-graph@​2.1.4
  • @​changesets/apply-release-plan@​7.1.1
  • @​changesets/get-release-plan@​4.0.16
  • @​changesets/config@​3.1.4

Commits

• 9cce6db Version Packages (#1897)
• d2121dc Fix npm auth for path-based registries during publish by preserving configure...
• 036fdd4 Fix several changeset version issues with workspace protocol dependencies (...
• 5c4731f Gracefully handle stale npm info data leading to duplicate publish attempts...
• 96ca062 Error on unsupported flags for individual CLI commands (#1889)
• 42943b7 fix(cli): respond to --help on all subcommands (#1873)
• f61e716 Improved detection for published state of prerelease-only packages without ...
• See full diff in compare view

Updates effect from 3.21.0 to 3.21.1

Release notes

Sourced from effect's releases.

effect@3.21.1

Patch Changes

• #6139 f99048e Thanks @​marbemac! - Fix batched request resolver defects causing consumer fibers to hang forever.

  When a RequestResolver.makeBatched resolver died with a defect, the request Deferreds were never completed because the cleanup logic in invokeWithInterrupt used flatMap (which only runs on success). Changed to ensuring so uncompleted request entries are always resolved regardless of exit type.

Changelog

Sourced from effect's changelog.

3.21.1

Patch Changes

• #6139 f99048e Thanks @​marbemac! - Fix batched request resolver defects causing consumer fibers to hang forever.

  When a RequestResolver.makeBatched resolver died with a defect, the request Deferreds were never completed because the cleanup logic in invokeWithInterrupt used flatMap (which only runs on success). Changed to ensuring so uncompleted request entries are always resolved regardless of exit type.

Commits

• cc0c40a Version Packages (#6142)
• f99048e fix: resolve batched request resolver defects hanging consumer fibers (#6139)
• See full diff in compare view

Updates lefthook from 2.1.5 to 2.1.6

Release notes

Sourced from lefthook's releases.

v2.1.6

Changelog

• bf73ea2f1ea5468c9af7a6f06b5ef8cd43e66040 fix(packaging): do not pipe stdout and stderr (#1382)
• 04da00697cd8a6241023c1962feb720eeaa62698 fix(windows): normalize lefthook path for sh script (#1383)
• de9597a1bf456d2cf0fbcb8816858b6e5cf6b609 fix: log full scoped name for skipped jobs (#1291)
• eb3e70dbbd2442200ec8ff2140a3ee9daa7d9e70 fix: normalize root to always include trailing slash before path replacement (#1381)
• f90f3f570ef9227ddf345a79cec687dac41a5d31 fix: skip pty allocation when stdout is not a terminal (#1393)

Changelog

Sourced from lefthook's changelog.

2.1.6 (2026-04-16)

• fix: normalize lefthook path for sh script (#1383) by @​AndrewKahr
• fix: normalize root to always include trailing slash before path replacement (#1381) by @​Copilot
• fix: skip pty allocation when stdout is not a terminal (#1393) by @​technicalpickles
• docs: upgrade docmd (#1391) by @​mrexox
• fix: log full scoped name for skipped jobs (#1291) by @​scop
• fix: do not pipe stdout and stderr (#1382) by @​mrexox

Commits

• 679ce27 2.1.6: fixes for Windows and AI tools execution
• 04da006 fix(windows): normalize lefthook path for sh script (#1383)
• eb3e70d fix: normalize root to always include trailing slash before path replacemen...
• f90f3f5 fix: skip pty allocation when stdout is not a terminal (#1393)
• 1481e9d docs: upgrade docmd (#1391)
• de9597a fix: log full scoped name for skipped jobs (#1291)
• bf73ea2 fix(packaging): do not pipe stdout and stderr (#1382)
• See full diff in compare view

Updates tsdown from 0.21.7 to 0.21.9

Release notes

Sourced from tsdown's releases.

v0.21.9

   🚀 Features

• Upgrade rolldown  -  by @​sxzz (2d74e)
• config: Track transitive config dependencies for watch reload  -  by @​sxzz in rolldown/tsdown#919 (16e27)
• exports: Add bin to publishConfig when devExports is enabled  -  by @​sxzz in rolldown/tsdown#911 (60592)
• plugin: Add tsdownConfig and tsdownConfigResolved plugin hooks  -  by @​sxzz in rolldown/tsdown#918 (665e5)

   🐞 Bug Fixes

• Skip package.json writting when content is deeply equal  -  by @​ocavue and @​sxzz in rolldown/tsdown#913 (d8e1c)
• Skip Node.js version check in Bun  -  by @​sxzz (38afd)
• css: Detect css modules from full id for vue virtual sfc styles  -  by @​sxzz in rolldown/tsdown#917 (e6021)

    View changes on GitHub

v0.21.8

   🚀 Features

• Upgrade rolldown  -  by @​sxzz (7f887)
• attw: Improve ignoreRules type to autocomplete known values  -  by @​mrlubos in rolldown/tsdown#892 (c8f5c)
• create-tsdown: Add Vite Plus template option  -  by @​sxzz (daed0)
• exports: Add extensions option for subpath export keys  -  by @​SinhSinhAn and @​sxzz in rolldown/tsdown#899 (1bb7a)
• target: Add support for baseline-widely-available target  -  by @​sxzz in rolldown/tsdown#896 (d6a16)

   🐞 Bug Fixes

• Export type only for cjs dts re-export  -  by @​sxzz (25510)
• Exclude shim file from bundled dependency hint  -  by @​sxzz in rolldown/tsdown#909 (3f8de)
• dts: Skip cjs dts reexport for non-entry chunks  -  by @​sxzz (5fee2)

    View changes on GitHub

Commits

• 752c3e5 chore: release v0.21.9
• 2d74e05 feat: upgrade rolldown
• 16e2795 feat(config): track transitive config dependencies for watch reload (#919)
• 38afd8f fix: skip Node.js version check in Bun
• 665e5ac feat(plugin): add tsdownConfig and tsdownConfigResolved plugin hooks (#918)
• e6021f5 fix(css): detect css modules from full id for vue virtual sfc styles (#917)
• abe87e7 chore: upgrade deps
• d8e1c1f fix: skip package.json writting when content is deeply equal (#913)
• 60592ef feat(exports): add bin to publishConfig when devExports is enabled (#911)
• ded1b9c chore: release v0.21.8
• Additional commits viewable in compare view

Updates typescript from 6.0.2 to 6.0.3

Release notes

Sourced from typescript's releases.

TypeScript 6.0.3

For release notes, check out the release announcement blog post.

• fixed issues query for TypeScript 6.0.0 (Beta).
• fixed issues query for TypeScript 6.0.1 (RC).
• fixed issues query for TypeScript 6.0.2 (Stable).
• fixed issues query for TypeScript 6.0.3 (Stable).

Downloads are available on:

• npm

Commits

• 050880c Bump version to 6.0.3 and LKG
• eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
• ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
• 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
• See full diff in compare view

Updates ultracite from 7.5.6 to 7.6.0

Release notes

Sourced from ultracite's releases.

ultracite@7.6.0

Minor Changes

• 67227c9: Add new Biome rules
• f506624: Add new oxlint 1.160.0 rules

Patch Changes

• a684c4a: Fix Tanstack Query ESLint plugin import
• 4983eaa: Skip the init skill-install prompt when the Ultracite skill is already installed in the current project or globally.

ultracite@7.5.9

Patch Changes

• 77e9b41: Aggregate all ignore patterns
• 73fc21c: Code reliability improvements
• 63f7426: Migrate remaining json parsing to jsonc-parser
• aa199d1: fix conflicting prefer-describe-function-title / valid-title rules in vitest
• 402908e: Replace custom yaml parser with dependency
• 3dbfe5c: Validate framework name to prevent injection
• a2cdc0f: Warn if the file looks like it has ultracite config but we couldn't parse it
• 95718bb: Use cross-spawn for cross-platform spawn compatibility
• d09174b: Ignore .open-next in the Biome and ESLint core presets.
• 71aeca4: Remove remaining execSync calls
• e81a604: Add zod for safer json parsing

ultracite@7.5.8

Patch Changes

• c35a1b3: Performance improvements - doctor
• 56e4c00: Remove process.exit() - swap with typed Error
• d35d03c: Performance optimizations - mkdir(), readFile()
• ee224a6: Use Commander.js args properly
• a2b7a46: Rework doctor command
• cf4a044: Fix angular eslint plugin typo
• 25eb24f: Optimize dev dep install
• b46537a: Performance optimizations - exists()

ultracite@7.5.7

Patch Changes

• a63d9c5: Fix cross-config leaking rules
• d18d0e7: Configure Prettier with frameworks context
• 1d6de0d: Add declaration files for ultracite/oxlint/* and ultracite/oxfmt so TypeScript config imports resolve without ts(7016) errors.
• 1073f34: Ensure init'ed JSON files have newlines

Commits

• 79e4d2f Version Packages (#670)
• 6303cd7 Switch new rules to minor
• 67227c9 Add new Biome rules
• f506624 Add new oxlint 1.160.0 rules
• f39f9f6 Bump deps
• 4983eaa fix(cli): skip installed skill prompt (#672)
• a2335bf fix(ci): add Node.js 22.x setup to check job (#673)
• 8d4b6ab Resolves #674
• a684c4a Resolves #675
• b4ac684 Version Packages (#669)
• Additional commits viewable in compare view

Updates vite from 8.0.8 to 8.0.9

Release notes

Sourced from vite's releases.

v8.0.9

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.9 (2026-04-20)

Features

• update rolldown to 1.0.0-rc.16 (#22248) (2947edd)

Bug Fixes

• allow binding when strictPort is set but wildcard port is in use (#22150) (dfc8aa5)
• build: emptyOutDir should happen for watch rebuilds (#22207) (ee52267)
• bundled-dev: reject requests to HMR patch files in non potentially trustworthy origins (#22269) (868f141)
• css: use unique key for cssEntriesMap to prevent same-basename collision (#22039) (374bb5d)
• deps: update all non-major dependencies (#22219) (4cd0d67)
• deps: update all non-major dependencies (#22268) (c28e9c1)
• detect Deno workspace root (fix #22237) (#22238) (1b793c0)
• dev: handle errors in watchChange hook (#22188) (fc08bda)
• optimizer: handle more chars that will be sanitized (#22208) (3f24533)
• skip fallback sourcemap generation for ?raw imports (#22148) (3ec9cda)

Documentation

• align the descriptions in READMEs (#22231) (44c42b9)
• fix reuses wording in dev environment comment (#22173) (9163412)
• fix wording in sass error comment (#22214) (bc5c6a7)
• update build CLI defaults (#22261) (605bb97)

Miscellaneous Chores

• deps: update dependency dotenv-expand to v13 (#22271) (0a3887d)

Commits

• ce729f5 release: v8.0.9
• 605bb97 docs: update build CLI defaults (#22261)
• c28e9c1 fix(deps): update all non-major dependencies (#22268)
• 0a3887d chore(deps): update dependency dotenv-expand to v13 (#22271)
• 868f141 fix(bundled-dev): reject requests to HMR patch files in non potentially trust...
• 3ec9cda fix: skip fallback sourcemap generation for ?raw imports (#22148)
• 3f24533 fix(optimizer): handle more chars that will be sanitized (#22208)
• 1b793c0 fix: detect Deno workspace root (fix #22237) (#22238)
• fc08bda fix(dev): handle errors in watchChange hook (#22188)
• 374bb5d fix(css): use unique key for cssEntriesMap to prevent same-basename collision...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[changeset-bot]

⚠️ No Changeset found

Latest commit: d319370

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR