fix(deps): update all dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@biomejs/biome (source)	^2.4.9 → ^2.5.0			devDependencies	minor
@changesets/changelog-github (source)	^0.6.0 → ^0.7.0			devDependencies	minor
@changesets/cli (source)	^2.30.0 → ^2.31.0			devDependencies	minor
@effect/cli (source)	^0.75.0 → ^0.75.2			dependencies	patch
@effect/cluster (source)	^0.58.0 → ^0.59.0			dependencies	minor
@effect/platform (source)	^0.96.0 → ^0.96.1			dependencies	patch
@effect/platform-node (source)	^0.106.0 → ^0.107.0			dependencies	minor
@effect/rpc (source)	^0.75.0 → ^0.75.1			dependencies	patch
@effect/sql (source)	^0.51.0 → ^0.51.1			dependencies	patch
@effect/workflow (source)	^0.18.0 → ^0.18.2			dependencies	patch
@eslint-community/eslint-plugin-eslint-comments	^4.7.1 → ^4.7.2			devDependencies	patch
@eslint/compat (source)	2.0.3 → 2.1.0			devDependencies	minor
@types/node (source)	^25.5.0 → ^25.9.3			devDependencies	minor
@typescript-eslint/eslint-plugin (source)	^8.57.2 → ^8.61.1			devDependencies	minor
@typescript-eslint/parser (source)	^8.57.2 → ^8.61.1			devDependencies	minor
@typescript-eslint/rule-tester (source)	8.57.2 → 8.61.1			devDependencies	minor
@typescript-eslint/utils (source)	8.57.2 → 8.61.1			dependencies	minor
@vitest/coverage-v8 (source)	^4.1.2 → ^4.1.9			devDependencies	patch
@vitest/eslint-plugin	^1.6.13 → ^1.6.20			devDependencies	patch
biome (source)	^2.4.9 → ^2.5.0			devDependencies	minor
effect (source)	^3.21.0 → ^3.21.3			dependencies	patch
eslint (source)	^10.1.0 → ^10.5.0			devDependencies	minor
eslint-doc-generator	^3.3.2 → ^3.6.0			devDependencies	minor
eslint-import-resolver-typescript	^4.4.4 → ^4.4.5			devDependencies	patch
eslint-plugin-eslint-plugin	^7.3.2 → ^7.4.0			devDependencies	minor
eslint-plugin-simple-import-sort	^12.1.1 → ^13.0.0			devDependencies	major
eslint-plugin-sonarjs (source)	^4.0.2 → ^4.0.3			devDependencies	patch
eslint-plugin-unicorn	^63.0.0 → ^67.0.0			devDependencies	major
globals	^17.4.0 → ^17.6.0			devDependencies	minor
jscpd (source)	^4.0.8 → ^5.0.9			devDependencies	major
node	24.14.1 → 24.16.0			uses-with	minor
npm (source)	^11.12.1 → ^11.17.0			devDependencies	minor
pnpm (source)	10.33.0 → 11.7.0			packageManager	major
pnpm/action-setup	v5 → v6			action	major
ts-morph	^27.0.2 → ^28.0.0			devDependencies	major
typescript (source)	^6.0.2 → ^6.0.3			devDependencies	patch
typescript-eslint (source)	^8.57.2 → ^8.61.1			devDependencies	minor
vite (source)	^8.0.3 → ^8.0.16			devDependencies	patch
vitest (source)	^4.1.2 → ^4.1.9			devDependencies	patch

cc @skulidropek

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.5.0

Compare Source

Minor Changes

• #​9539 f0615fd Thanks @​ematipico! - Added a new reporter called concise. When --reporter=concise is passed the commands format, lint, check and ci, the diagnostics are printed in a compact manner:

  ! index.ts:2:10: lint/correctness/noUnusedImports: Several of these imports are unused.
  ! main.ts:9:7: lint/correctness/noUnusedVariables: This variable f is unused.
  × index.ts:8:5: lint/suspicious/noImplicitAnyLet: This variable implicitly has the any type.
  × main.ts:2:10: lint/suspicious/noRedeclare: Shouldn't redeclare 'z'. Consider to delete it or rename it.
  

• #​9495 2056b23 Thanks @​aviraldua93! - Added the useKeyWithClickEvents a11y lint rule for HTML files (.html, .vue, .svelte, .astro). This is a port of the existing JSX rule. The rule enforces that elements with an onclick handler also have at least one keyboard event handler (onkeydown, onkeyup, or onkeypress) to ensure keyboard accessibility.

  Inherently keyboard-accessible elements (<a>, <button>, <input>, <select>, <textarea>, <option>) are excluded, as are elements hidden from assistive technologies (aria-hidden) or with role="presentation" / role="none".

  <!-- Invalid: no keyboard handler -->
  <div onclick="handleClick()">Click me</div>
  
  <!-- Valid: has keyboard handler -->
  <div onclick="handleClick()" onkeydown="handleKeyDown()">Click me</div>
  
  <!-- Valid: inherently keyboard-accessible -->
  <button onclick="handleClick()">Submit</button>

• #​9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUndeclaredClasses for HTML, JSX, and SFC files (Vue, Astro, Svelte). The rule detects CSS class names used in class="..." (or className) attributes that are not defined in any <style> block or linked stylesheet reachable from the file.

  <!-- .typo is used but never defined -->
  <html>
    <head>
      <style>
        .button {
          color: blue;
        }
      </style>
    </head>
    <body>
      <div class="button typo"></div>
    </body>
  </html>

• #​9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.

  /* styles.css — .ghost is never used in any importing file */
  .button {
    color: blue;
  }
  .ghost {
    color: red;
  }

  /* App.jsx */
  import "./styles.css";
  export default () => <div className="button" />;

• #​9546 6567efa Thanks @​nhedger! - Added a biome upgrade command for standalone installations. It upgrades Homebrew installs with brew upgrade biome, updates manually installed binaries from the latest GitHub release, and tells npm users to upgrade with their package manager instead.

• #​9716 701767a Thanks @​faizkhairi! - Added the HTML version of the useHeadingContent rule. The rule now enforces that heading elements (h1-h6) have content accessible to screen readers in HTML, Vue, Svelte, and Astro files.

  <!-- Invalid: empty heading -->
  <h1></h1>
  
  <!-- Invalid: heading hidden from screen readers -->
  <h1 aria-hidden="true">invisible content</h1>
  
  <!-- Valid: heading with text content -->
  <h1>heading</h1>
  
  <!-- Valid: heading with accessible name -->
  <h1 aria-label="Screen reader content"></h1>

• #​9582 f437ef8 Thanks @​rahuld109! - Added the HTML version of the useKeyWithMouseEvents rule. The rule now enforces that onmouseover is accompanied by onfocus and onmouseout is accompanied by onblur in HTML, Vue, Svelte, and Astro files.

  <!-- Invalid: onmouseover without onfocus -->
  <div onmouseover="handleMouseOver()"></div>
  
  <!-- Valid: onmouseover paired with onfocus -->
  <div onmouseover="handleMouseOver()" onfocus="handleFocus()"></div>

• #​9275 1fdbcee Thanks @​ff1451! - Added the new assist action useSortedTypeFields, which sorts the fields of GraphQL object types, interface types and input object types alphabetically, e.g. name, age, id becomes age, id, name.

• #​10561 78075b7 Thanks @​Conaclos! - Added a new style option to useExportType,
  which enforces a style for exporting types.
  This is the same option as the one provided by useImportType.

• #​8987 d16e32b Thanks @​DerTimonius! - Ported the useValidAnchor rule to HTML. This rule enforces that all anchors are valid and that they are navigable elements.

• #​9533 4d251d4 Thanks @​ematipico! - The init command now prints the Biome logo.

• #​10069 0eb9310 Thanks @​Netail! - Added the HTML lint rule noStaticElementInteractions, which enforces that static, visible elements (such as <div>) that have click handlers use the valid role attribute.

  Invalid:

  <div onclick="myFunction()"></div>

• #​9134 2a43488 Thanks @​ematipico! - Added the assist action useSortedPackageJson.

  This action organizes package.json fields according to the same conventions as the popular sort-package-json tool.

• #​9309 7daa18b Thanks @​Bertie690! - The allowDoubleNegation option has been added to noImplicitCoercions to allow ignoring double negations inside code.

  With the option enabled, the following example is considered valid and is ignored by the rule:

  const truthy = !!value;

• #​9700 894f3fb Thanks @​ematipico! - The Biome Language server now supports the "go-to definition" feature.

  When the cursor of the mouse is hovering an entity (variable, CSS class, type, etc.), and the command CTRL + click is triggered, the editor jumps to where this entity is defined, if the language server can find it.

  Here's what Biome is able to resolve:

  • Variables and types used in JavaScript modules, defined in the same file or imported from another module.
  • JSX Components used in JavaScript modules, defined in the same file or imported from another module.
  • CSS classes used in JSX and HTML-ish files (Vue, Svelte and Astro), and defined in CSS files.
  • Components used in HTML-ish files and defined in other HTML-ish.
  • Variables used in HTML-ish files and defined in the same file or imported from another module (JavaScript or HTML-ish).

• #​10070 bae0710 Thanks @​Conaclos! - Added the :STYLE: group matcher for organizeImports that matches style imports.

  For example, the following configuration...

  {
    "assist": {
      "actions": {
        "source": {
          "organizeImports": {
            "level": "on",
            "options": {
              "groups": ["**", "!:STYLE:"],
              "sortBareImports": true
            }
          }
        }
      }
    }
  }

  ...places style imports last:

  - import "./style.css"
    import A from "./a.js"
  + import "./style.css"

• #​9170 e3107de Thanks @​mdrobny! - Added bundleDependencies option to NoUndeclaredDependencies rule.

  This rule now supports imports of packages that are defined only in bundleDependencies and bundledDependencies arrays.

• #​9547 01f8473 Thanks @​mujpao! - Added new assist rule useSortedAttributes for HTML, porting the existing JSX rule. This rule enforces sorted HTML attributes.

  Invalid

  <input type="text" id="name" name="name" />

• #​9366 2ca1117 Thanks @​dyc3! - Added the html.parser.vue configuration option. When enabled, it adds support for the parsing of Vue in .html files. Most Vue users don't need to enable this option since Vue files typically use the .vue extension, but it can be useful for projects that embed Vue syntax in regular HTML files.

• #​9073 74b20ee Thanks @​chocky335! - Added support for applying GritQL plugin rewrites as code actions. GritQL plugins that use the rewrite operator (=>) now produce fixable diagnostics for JavaScript, CSS, and JSON files. By default, plugin rewrites are treated as unsafe fixes and require --write --unsafe to apply. Plugin authors can pass fix_kind = "safe" to register_diagnostic() to mark a fix as safe, allowing it to be applied with just --write.

  Example plugin (useConsoleInfo.grit):

  language js
  
  `console.log($msg)` as $call where {
      register_diagnostic(span = $call, message = "Use console.info instead of console.log.", severity = "warn", fix_kind = "safe"),
      $call => `console.info($msg)`
  }
  

  Running biome check --write applies safe rewrites. Unsafe rewrites (the default, or fix_kind = "unsafe") still require --write --unsafe.

• #​9384 f4c9edc Thanks @​Conaclos! - Added the sortBareImports option to organizeImports,
  which allows bare imports to be sorted within other imports when set to false.

  {
    "assist": {
      "actions": {
        "source": {
          "organizeImports": {
            "level": "on",
            "options": { "sortBareImports": true }
          }
        }
      }
    }
  }

  - import "b";
    import "a";
  + import "b";
    import { A } from "a";
  + import "./file";
    import { Local } from "./file";
  - import "./file";

• #​8731 e7872bf Thanks @​siketyan! - Added the watch mode (--watch) to the CLI for check/format/lint commands. By enabling this option, Biome will re-run the check automatically when any file in the workspace has changed after the first run.

• #​10106 9b35f78 Thanks @​ematipico! - Biome can now format and lint .svg files.

• #​9967 e9b6c17 Thanks @​dyc3! - Added HTML support for noExcessiveLinesPerFile. Biome now reports HTML files that exceed the configured line limit, including when skipBlankLines is enabled.

• #​9491 b3eb63c Thanks @​IxxyDev! - Added the HTML lint rule noAriaUnsupportedElements. This rule enforces that elements that do not support ARIA roles, states, and properties (meta, html, script, style) do not have role or aria-* attributes.

  <!-- Invalid: meta does not support aria attributes -->
  <meta charset="UTF-8" role="meta" />

• #​9306 afd57a6 Thanks @​viraxslot! - Added the noNoninteractiveTabindex lint rule for HTML. This rule enforces that tabindex is not used on non-interactive elements, as it can cause usability issues for keyboard users.

  <div tabindex="0">Invalid: non-interactive element</div>
  `

• #​9276 6d041d9 Thanks @​IxxyDev! - Added the HTML lint rule noRedundantRoles. This rule enforces that explicit role attributes are not the same as the implicit/default role of an HTML element. It supports HTML, Vue, Svelte, and Astro files.

  <!-- Invalid: role="button" is redundant on <button> -->
  <button role="button"></button>

• #​9813 69aadc2 Thanks @​ematipico! - Added a new linter configuration called preset. With the new option, users can enable different kinds of rules at once.

  The following presets are available:

  • "recommended": it enables all Biome-recommended rules, or recommended rules of a group;
  • "all": it enables all Biome rules, or enables all rules of a group;
  • "none": it disables all Biome rules, or disable all rules of a group.

  You can enable recommended rules:

  {
    "linter": {
      "rules": {
        "preset": "recommended"
      }
    }
  }

  You can enable all rules at once:

  {
    linter: {
      rules: {
        preset: "all", // enables all rules
      },
    },
  }

  Or enable all rules for a group:

  {
    linter: {
      rules: {
        style: {
          preset: "all", // enables all rules in the style group
        },
      },
    },
  }

  This new option, however, doesn't affect how nursery rules work. Nursery rules must be enabled singularly, due to their nature.

  This new option is meant to replace recommended, so make sure to run the migrate command.

• #​10022 3422d71 Thanks @​Netail! - Added the HTML lint rule noNoninteractiveElementToInteractiveRole, which enforces that interactive ARIA roles are not assigned to non-interactive HTML elements.

  Invalid:

  <h1 role="checkbox"></h1>

• #​8396 13785fc Thanks @​apple-yagi! - Biome now supports pnpm catalogs (default and named) when resolving dependencies for linting. This behavior is opt-in and requires setting javascript.resolver.experimentalPnpmCatalogs to true.

• #​10028 1009414 Thanks @​Netail! - Added the HTML lint rule noInteractiveElementToNoninteractiveRole, which enforces that non-interactive ARIA roles are not assigned to interactive HTML elements.

  Invalid:

  <input role="img" />

• #​9853 816302f Thanks @​Netail! - Added the new assist action useSortedSelectionSet, which sorts GraphQL selection sets alphabetically, e.g. name, age, id becomes age, id, name.

  Invalid:

  query {
    name
    age
    id
  }

• #​10074 9c7c6eb Thanks @​georgephillips! - Added a kind field to the ImportMatcher used by the organizeImports assist action. The new field selects imports by their syntactic kind and currently supports bare (matching side-effect imports such as import "polyfill") with optional ! negation (!bare). The matcher composes with the existing type and source fields, so users can express patterns such as "only bare imports that import a CSS file" ({ "kind": "bare", "source": "**/*.css" }).

  For example, with the following configuration:

  {
    "assist": {
      "actions": {
        "source": {
          "organizeImports": {
            "level": "on",
            "options": {
              "sortBareImports": true,
              "groups": [
                { "kind": "!bare" },
                ":BLANK_LINE:",
                { "kind": "bare" }
              ]
            }
          }
        }
      }
    }
  }

  ...the following code:

  import "./register-my-component";
  import { render } from "react-dom";
  import "./polyfill";
  import { Button } from "@​/components/Button";

  ...is organized as:

  import { render } from "react-dom";
  import { Button } from "@​/components/Button";
  
  import "./polyfill";
  import "./register-my-component";

• #​9171 ce65710 Thanks @​chocky335! - Added includes option for plugin file scoping. Plugins can now be configured with glob patterns to restrict which files they run on. Use negated globs for exclusions.

  {
    "plugins": [
      "global-plugin.grit",
      {
        "path": "scoped-plugin.grit",
        "includes": ["src/**/*.ts", "!**/*.test.ts"]
      }
    ]
  }

• #​9617 dcb99ef Thanks @​faizkhairi! - Ported useAriaActivedescendantWithTabindex a11y rule to HTML.

• #​9496 1dfb829 Thanks @​aviraldua93! - Added HTML support for the noAriaHiddenOnFocusable accessibility lint rule, which enforces that aria-hidden="true" is not set on focusable elements. Focusable elements include native interactive elements (<button>, <input>, <select>, <textarea>), elements with href (<a>, <area>), elements with tabindex >= 0, and editing hosts (contenteditable). Includes an unsafe fix to remove the aria-hidden attribute.

  <!-- Invalid: aria-hidden on a focusable element -->
  <button aria-hidden="true">Submit</button>
  
  <!-- Valid: aria-hidden on a non-focusable element -->
  <div aria-hidden="true">decorative content</div>

• #​9792 f516854 Thanks @​Maximiliano-Zeballos! - Added the useSemanticElements lint rule for HTML. The rule now detects the use of role attributes in HTML elements and suggests using semantic elements instead.

  For example, the following code is now flagged:

  <div role="navigation"></div>

  The rule suggests using <nav> instead.

• #​9761 cbbb7d5 Thanks @​Maximiliano-Zeballos! - Ported the useValidAriaProps lint rule to HTML. This rule checks that all aria-* attributes used in HTML elements are valid ARIA attributes as defined by the WAI-ARIA specification.

• #​9928 aa82576 Thanks @​aviraldua93! - Ported useValidAriaValues to HTML. Biome now validates static aria-* attribute values in HTML elements against WAI-ARIA types, catching invalid values such as aria-hidden="yes".

• #​10562 6642895 Thanks @​ematipico! - Promoted 73 nursery rules to stable groups.

  Four rules were renamed as part of the promotion:

  • noFloatingClasses is now noUnusedInstantiation, because the rule checks any discarded new expression, not only classes.
  • noMultiStr is now noMultilineString.
  • useFind is now useArrayFind.
  • useSpread is now useSpreadOverApply, because the rule enforces spread call arguments over Function.apply(), not array or object spread.

Correctness

Promoted the following rules to the correctness group:

• noBeforeInteractiveScriptOutsideDocument
• noUnusedInstantiation
• useInlineScriptId (recommended, Next.js domain)
• noVueVIfWithVFor (recommended, Vue domain)
• useVueValidVBind (recommended, Vue domain)
• useVueValidVElse (recommended, Vue domain)
• useVueValidVElseIf (recommended, Vue domain)
• useVueValidVHtml (recommended, Vue domain)
• useVueValidVIf (recommended, Vue domain)
• useVueValidVOn (recommended, Vue domain)
• useVueValidVText (recommended, Vue domain)
• useVueValidTemplateRoot (recommended, Vue domain)
• useVueValidVCloak (recommended, Vue domain)
• useVueValidVOnce (recommended, Vue domain)
• useVueValidVPre (recommended, Vue domain)
• useVueVForKey (recommended, Vue domain)
• noDuplicateAttributes (recommended)
• noDuplicateArgumentNames (recommended)
• noDuplicateInputFieldNames (recommended)
• noDuplicateVariableNames (recommended)
• noDuplicateEnumValueNames (recommended)
• useLoneAnonymousOperation (recommended)

Suspicious

Promoted the following rules to the suspicious group:

• noShadow
• noUnnecessaryConditions
• noParametersOnlyUsedInRecursion
• noUnknownAttribute
• useArraySortCompare
• noForIn
• noDuplicatedSpreadProps
• noEqualsToNull
• noProto (recommended)
• noUndeclaredEnvVars (recommended, Turborepo domain)
• noReturnAssign (default severity: error)
• noDuplicateEnumValues (recommended)
• noVueArrowFuncInWatch (recommended, Vue domain)
• noNestedPromises
• noLeakedRender
• noDeprecatedMediaType (recommended)
• noDuplicateGraphqlOperationName
• useRequiredScripts

Style

Promoted the following rules to the style group:

• useVueMultiWordComponentNames (recommended, Vue domain)
• useVueDefineMacrosOrder
• noIncrementDecrement
• noContinue
• useSpreadOverApply
• noTernary
• noMultilineString
• noMultiAssign
• noExcessiveClassesPerFile
• noExcessiveLinesPerFile
• noVueOptionsApi
• useErrorCause
• useConsistentEnumValueType
• useConsistentMethodSignatures
• useGlobalThis (default severity: warn)
• useDestructuring
• useVueHyphenatedAttributes (recommended, Vue domain)
• useVueConsistentVBindStyle (recommended, Vue domain)
• useVueConsistentVOnStyle (recommended, Vue domain)
• noHexColors
• useConsistentGraphqlDescriptions
• noRootType
• useLoneExecutableDefinition
• useInputName

Complexity

Promoted the following rules to the complexity group:

• useArrayFind
• noRedundantDefaultExport (default severity: warn)
• noUselessReturn
• noDivRegex

Performance

Promoted the following rules to the performance group:

• noSyncScripts
• noJsxPropsBind
• useVueVapor

Security

Promoted the following rules to the security group:

• noScriptUrl (recommended)

A11y

Promoted the following rules to the a11y group:

• noAmbiguousAnchorText (recommended)

• #​10121 450f8e1 Thanks @​jongwan56! - Biome now applies Git's local exclude file when VCS ignore files are enabled. Files listed in .git/info/exclude are skipped the same way as files listed in .gitignore, including in linked worktrees.

• #​9397 d5913c9 Thanks @​mvarendorff! - Added ignore option to the noUnusedVariables rule. The option allows excluding identifiers by providing a list of ignored names. It also allows excluding kinds of identifiers from this rule entirely, which may be useful when loading classes dynamically.

  For example, unused classes as well as all unused variables, functions, etc. called "unused" may be ignored entirely with the following configuration:

  {
    "ignore": {
      "*": ["unused"],
      "class": ["*"]
    }
  }

• #​10089 71a21f0 Thanks @​Netail! - Added the lint rule noLabelWithoutControl to HTML, which enforces that a label element or component has a text label and an associated input.

  <label></label>

• #​10015 1828261 Thanks @​Netail! - Added the HTML lint rule useAriaPropsSupportedByRole, which enforces that ARIA properties are valid for the roles that are supported by the element.

  <a href="#" aria-checked></a>

• #​10234 1a51569 Thanks @​ematipico! - Added the delimiterSpacing formatter option. This option inserts spaces inside delimiters (after the opening delimiter and before the closing delimiter) when the content fits on a single line. Empty delimiters are not affected, and no space is added before the opening delimiter. The specific delimiters affected depend on the language. It can be configured globally via formatter.delimiterSpacing or per-language via javascript.formatter.delimiterSpacing, json.formatter.delimiterSpacing, and css.formatter.delimiterSpacing. Defaults to false.

  - callFn(foo)
  + callFn( foo )

  - const arr = [1, 2, 3];
  + const arr = [ 1, 2, 3 ];

  JavaScript

  When enabled, Biome inserts spaces inside parentheses (e.g., foo( a, b )), square brackets (e.g., [ a, b ]), template literal interpolations (e.g., ${ expr }), and the logical NOT operator (e.g., ! x, but in chains only after the last one: !! x). Only applies when the content fits on a single line. Empty delimiters and the space before the opening delimiter are not affected.

  - if (condition) {}
  + if ( condition ) {}

  - `Hello ${name}!`
  + `Hello ${ name }!`

  JSX

  When enabled, Biome inserts spaces inside JSX expression braces (e.g., attr={ value }) and spread attributes (e.g., { ...props }). Only applies when the content fits on a single line. Empty delimiters are not affected.

  - <Foo bar={value} />
  + <Foo bar={ value } />

  TypeScript

  When enabled, Biome inserts spaces inside TypeScript angle brackets (e.g., foo< T >()), indexed access types (e.g., T[ K ]), mapped types, tuple types, type parameters, and index signatures. Only applies when the content fits on a single line. Empty delimiters are not affected.

  - type Result = Map<string, number>;
  + type Result = Map< string, number >;

  JSON

  When enabled, Biome inserts spaces inside square brackets when the

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Upgrade CI and workspace toolchain: pnpm/action-setup → v6, Node runtime bumped in dependency workflow, workspace packageManager → pnpm@11.1.2, and multiple runtime/dev dependency version bumps across app and template packages.

Changes

Dependency and Toolchain Upgrade

Layer / File(s)	Summary
GitHub Actions versions .github/actions/setup/action.yml, .github/workflows/checking-dependencies.yml	Updated pnpm/action-setup from @v5 to @v6 and bumped Node.js runtime to 24.15.0 in the dependency check workflow.
Workspace pnpm version alignment package.json, packages/app/package.json	Updated packageManager from pnpm@10.33.0 to pnpm@11.1.2 across root and packages/app; root devDependencies also bumped.
Application package dependencies packages/app/package.json	Bumped Effect ecosystem (@effect/*, effect) and numerous devDependencies (Biome, ESLint, @typescript-eslint, Vitest, Vite, tooling).
Template package dependencies packages/eslint-template/package.json	Updated runtime (@effect/platform, @typescript-eslint/utils, effect) and broad devDependencies (Biome, Changesets, @typescript-eslint, Vitest, ESLint plugins, ts-morph, TypeScript, Vite).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• Dependency Dashboard effect-eslint-template#6: Mirrors the same pnpm/action-setup and Node/workspace pnpm version updates.
• Dependency Dashboard dist-deps-prune#2: Related Renovate/dashboard dependency updates for pnpm and action versions.
• Dependency Dashboard openapi-effect#1: Shares pnpm and package dependency bump scope across manifests and workflows.
• Dependency Dashboard context-doc#5: Similar dependency bumps (pnpm action, pnpm workspace, multiple package.json updates).
• Dependency Dashboard effect-template#10: Related workspace and workflow dependency version upgrades.

Poem

🐰 I hopped through package trees tonight,

nudged pnpm and actions to shine bright,
lint and tests got spruced and primed,
CI woke up on bumped Node time,
carrot-toast for every updated line.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix(deps): update all dependencies' is clear and directly summarizes the main change—a comprehensive dependency update across the entire repository.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description clearly details a comprehensive dependency update, listing specific package versions and changes across multiple configuration files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/all

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

package.json (1)

51-53: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Remove or update the patch version in patchedDependencies to match the installed version.

The patchedDependencies entry references @typescript-eslint/eslint-plugin@8.57.2, but the installed version is 8.59.3 (as shown in the lockfile and package.json). This version mismatch prevents the patch from being applied. Since 8.59.3 was released after the patch was created and the underlying optional chaining fix was already included in an earlier release, the patch is likely obsolete. Either update the key to @typescript-eslint/eslint-plugin@8.59.3 if the patch is still needed, or remove it if the issue is already resolved in 8.59.3.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` around lines 51 - 53, The patchedDependencies entry for
"@typescript-eslint/eslint-plugin@8.57.2" in package.json doesn't match the
installed version (8.59.3) so the patch won't apply; open package.json, locate
the "patchedDependencies" object and either (a) update the key to
"@typescript-eslint/eslint-plugin@8.59.3" if the patch is still required and
ensure the corresponding patch file exists, or (b) remove the
"@typescript-eslint/eslint-plugin@..." entry entirely if the upstream release
already contains the fix (preferred if the optional chaining issue is resolved).

♻️ Duplicate comments (1)

packages/app/package.json (1)

55-86: ⚠️ Potential issue | 🟠 Major

Same major version bumps as eslint-template package.

This package includes the same major version bumps flagged in packages/eslint-template/package.json:

• ts-morph 27 → 28 (line 80)
• eslint-plugin-simple-import-sort 12 → 13 (line 73)
• eslint-plugin-unicorn 63 → 64 (line 76)

Please ensure the verification for those breaking changes applies to this package as well.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/app/package.json` around lines 55 - 86, The same major-version
upgrades flagged for the eslint-template package also affect this package:
update verification for the dependencies ts-morph,
eslint-plugin-simple-import-sort, and eslint-plugin-unicorn in packages/app by
running the identical compatibility checks you ran for eslint-template (exercise
unit tests, linting, build, and any dedicated migration/compat scripts) and
address any API or config changes uncovered; ensure package lock/lockfile is
updated and any fixes or code changes required for the ts-morph 27→28,
eslint-plugin-simple-import-sort 12→13, and eslint-plugin-unicorn 63→64 upgrades
are applied here as well.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 6: The package.json currently pins "packageManager": "pnpm@11.1.2" but
the repo must be migrated to pnpm v11 config changes: run the pnpm v10→v11
codemod to move settings from the "pnpm" field in package.json and any .npmrc
entries into a new pnpm-workspace.yaml (use camelCase keys), replace any
npm_config_* env usages with pnpm_config_*, stop using pnpm link --global (use
pnpm add -g), convert build-related settings (neverBuiltDependencies,
ignoreDepScripts, etc.) into the allowBuilds map, verify Node engine
compatibility (v18–v21 removed, ensure pure ESM readiness), and confirm global
install path expectations (pnpmHomeDir/global/v11/{hash}); update packageManager
value only after these migrations and verify CI/environment variables and
workspace config are correct.

In `@packages/eslint-template/package.json`:
- Line 33: The package.json now pins "eslint-plugin-simple-import-sort" to
^13.0.0 which enforces deterministic ordering when the same module is imported
multiple times with different styles; search the codebase for modules imported
more than once using different styles (namespace imports like import * as X,
default imports like import X, and named imports like import {a}) and
consolidate them into a single consistent import per source (e.g., combine
default and named into one line or convert namespace to named/default as
appropriate) so autofix no longer changes ordering unexpectedly; update any
files referencing the same source in multiple import statements (look for
occurrences of the module names flagged by the linter) to use a single unified
import form.

---

Outside diff comments:
In `@package.json`:
- Around line 51-53: The patchedDependencies entry for
"@typescript-eslint/eslint-plugin@8.57.2" in package.json doesn't match the
installed version (8.59.3) so the patch won't apply; open package.json, locate
the "patchedDependencies" object and either (a) update the key to
"@typescript-eslint/eslint-plugin@8.59.3" if the patch is still required and
ensure the corresponding patch file exists, or (b) remove the
"@typescript-eslint/eslint-plugin@..." entry entirely if the upstream release
already contains the fix (preferred if the optional chaining issue is resolved).

---

Duplicate comments:
In `@packages/app/package.json`:
- Around line 55-86: The same major-version upgrades flagged for the
eslint-template package also affect this package: update verification for the
dependencies ts-morph, eslint-plugin-simple-import-sort, and
eslint-plugin-unicorn in packages/app by running the identical compatibility
checks you ran for eslint-template (exercise unit tests, linting, build, and any
dedicated migration/compat scripts) and address any API or config changes
uncovered; ensure package lock/lockfile is updated and any fixes or code changes
required for the ts-morph 27→28, eslint-plugin-simple-import-sort 12→13, and
eslint-plugin-unicorn 63→64 upgrades are applied here as well.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: db3c2e88-f3f6-4ca6-8964-0ab35e5ab234

📥 Commits

Reviewing files that changed from the base of the PR and between e03feb6 and 5784ad7.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (5)

• .github/actions/setup/action.yml
• .github/workflows/checking-dependencies.yml
• package.json
• packages/app/package.json
• packages/eslint-template/package.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🌐 Web query:

What are the breaking changes in pnpm 11 compared to pnpm 10?

💡 Result:

The breaking changes in pnpm 11 compared to pnpm 10, as detailed in the official migration guide and release notes, are primarily around configuration handling, command behaviors, and removed features. Here's a complete list: Configuration changes [1][2][3]: - pnpm no longer reads settings from the pnpm field in package.json; move them to pnpm-workspace.yaml [1][2][3]. - .npmrc now only reads auth and registry settings; all other settings (e.g., hoist-pattern, node-linker, save-exact) must be moved to pnpm-workspace.yaml using camelCase keys [1][2][3]. - npm_config_* environment variables are no longer read; use pnpm_config_* instead [1][2][3]. - pnpm no longer reads npm's global config at $PREFIX/etc/npmrc [3]. - Package manager strictness settings (managePackageManagerVersions, packageManagerStrict, packageManagerStrictVersion) collapsed into pmOnFail: download | ignore | warn | error [1]. - allowNonAppliedPatches renamed to allowUnusedPatches; auditConfig.ignoreCves to auditConfig.ignoreGhsas (requires manual CVE to GHSA conversion) [1][2]. Command and behavior changes [1][2][3]: - pnpm link no longer resolves from global store; use relative/absolute paths (e.g., pnpm link ./foo). Removed --global flag (use pnpm add -g .) and pnpm link with no args [1][3]. - pnpm install -g (no args) unsupported; use pnpm add -g <pkg> [1]. - pnpm server command removed [1][2]. - Script names like clean, setup, deploy, rebuild now shadow built-in commands; use pnpm pm <command> to force built-ins [1]. - Removed npm CLI fallback: commands like access, bugs, docs, edit, home, issues, owner, ping, prefix, profile, pkg, search, set-script, team, token, unstar, whoami, xmas (and aliases) now throw errors; many reimplemented natively [2][3]. - Global installs (pnpm add -g) now use isolated directories in {pnpmHomeDir}/global/v11/{hash}/ to prevent interference [3]. - Globally installed binaries now in bin/ subdirectory of PNPM_HOME [3]. Removed/deprecated features [2][3]: - Deprecated build dependency settings removed: onlyBuiltDependencies, onlyBuiltDependenciesFile, neverBuiltDependencies, ignoredBuiltDependencies, ignoreDepScripts. Use allowBuilds map instead [2][3]. - Removed support for useNodeVersion, Env.nodeVersion, pnpmfile [2]. Other [1][2][3]: - Bumps packageManager in package.json to pnpm v11 version [1]. - Default changes: optimisticRepeatInstall: true, verifyDepsBeforeRun: install, minimumReleaseAge: 1440 (1 day), minimumReleaseAgeStrict: false [2]. - Drops Node.js 18-21 support; now pure ESM; standalone exe requires glibc 2.27+ [3]. A codemod is available to automate many config migrations [4]. pnpm prints a pointer to the migration guide on pnpm self-update from v10 [1].

Citations:

• 1: https://pnpm.io/migration
• 2: https://github.com/pnpm/pnpm/releases/tag/v11.0.0-rc.0
• 3: https://pnpm.io/blog/releases/11.0
• 4: https://app.codemod.com/registry/pnpm-v10-to-v11

---

Review pnpm 11 migration guide and update configuration accordingly.

pnpm 11 introduces breaking changes requiring configuration updates:

• Settings in the pnpm field in package.json and .npmrc must migrate to pnpm-workspace.yaml with camelCase keys
• npm_config_* environment variables replaced with pnpm_config_*
• pnpm link --global removed; use pnpm add -g <pkg> instead
• Build dependency settings (neverBuiltDependencies, ignoreDepScripts, etc.) replaced with allowBuilds map
• Node.js 18-21 support dropped; now pure ESM
• Global installs now use isolated directories at {pnpmHomeDir}/global/v11/{hash}/

Use the pnpm codemod to automate most config migrations, then verify all settings are correctly moved to pnpm-workspace.yaml.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 6, The package.json currently pins "packageManager":
"pnpm@11.1.2" but the repo must be migrated to pnpm v11 config changes: run the
pnpm v10→v11 codemod to move settings from the "pnpm" field in package.json and
any .npmrc entries into a new pnpm-workspace.yaml (use camelCase keys), replace
any npm_config_* env usages with pnpm_config_*, stop using pnpm link --global
(use pnpm add -g), convert build-related settings (neverBuiltDependencies,
ignoreDepScripts, etc.) into the allowBuilds map, verify Node engine
compatibility (v18–v21 removed, ensure pure ESM readiness), and confirm global
install path expectations (pnpmHomeDir/global/v11/{hash}); update packageManager
value only after these migrations and verify CI/environment variables and
workspace config are correct.

[coderabbitai]

♻️ Duplicate comments (1)

package.json (1)

6-6: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

pnpm v11 bump needs config migration validation before merge.

Line 6 upgrades to pnpm@11.1.2, but this file still contains legacy pnpm config keys (Lines 42 and 46) that may no longer behave as intended under v11. Please validate and migrate config to the v11-supported shape before releasing.

#!/bin/bash
set -euo pipefail

echo "1) Locate workspace-level pnpm config files"
fd -HI '^pnpm-workspace\.yaml$' .
fd -HI '^\.npmrc$' .

echo
echo "2) Find deprecated/legacy pnpm keys and any new allowBuilds usage"
rg -n --hidden --glob '!.git' '"(ignoredBuiltDependencies|onlyBuiltDependencies|neverBuiltDependencies|ignoreDepScripts|allowBuilds)"'

echo
echo "3) Find packageManager pin and pnpm config blocks"
rg -n --hidden --glob '!.git' '"packageManager"\s*:|^\s*"pnpm"\s*:'

echo
echo "4) Check env var usage needing pnpm v11 migration"
rg -n --hidden --glob '!.git' '\bnpm_config_[A-Za-z0-9_]+\b|\bpnpm_config_[A-Za-z0-9_]+\b'

echo
echo "5) Check for removed global-link patterns"
rg -n --hidden --glob '!.git' 'pnpm\s+link(\s+--global|\s+-g|\s*$)'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 6, The packageManager bump to "pnpm@11.1.2" requires
validating and migrating legacy pnpm config keys (e.g.,
ignoredBuiltDependencies, onlyBuiltDependencies, neverBuiltDependencies,
ignoreDepScripts, allowBuilds) before merge; inspect and update workspace-level
pnpm config (pnpm-workspace.yaml) and project .npmrc entries to the
v11-supported shape, replace/deprecate old env var usages
(npm_config_*/pnpm_config_*), remove any deprecated global link patterns (pnpm
link --global/-g), and ensure the packageManager pin remains correct; run the
provided shell checks (search for pnpm-workspace.yaml, .npmrc, the legacy keys,
packageManager/pnpm blocks, and env var patterns) and apply migrations so the
repo config matches pnpm v11 expectations.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@package.json`:
- Line 6: The packageManager bump to "pnpm@11.1.2" requires validating and
migrating legacy pnpm config keys (e.g., ignoredBuiltDependencies,
onlyBuiltDependencies, neverBuiltDependencies, ignoreDepScripts, allowBuilds)
before merge; inspect and update workspace-level pnpm config
(pnpm-workspace.yaml) and project .npmrc entries to the v11-supported shape,
replace/deprecate old env var usages (npm_config_*/pnpm_config_*), remove any
deprecated global link patterns (pnpm link --global/-g), and ensure the
packageManager pin remains correct; run the provided shell checks (search for
pnpm-workspace.yaml, .npmrc, the legacy keys, packageManager/pnpm blocks, and
env var patterns) and apply migrations so the repo config matches pnpm v11
expectations.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: e766f135-c608-4b3a-b538-99c7494d15cb

📥 Commits

Reviewing files that changed from the base of the PR and between 2a1dd99 and 845acb7.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (5)

• .github/actions/setup/action.yml
• .github/workflows/checking-dependencies.yml
• package.json
• packages/app/package.json
• packages/eslint-template/package.json

✅ Files skipped from review due to trivial changes (3)

• .github/workflows/checking-dependencies.yml
• .github/actions/setup/action.yml
• packages/eslint-template/package.json

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/app/package.json