chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
biome		patch	2.4.15 → 2.4.16
bit		patch	0.20.1 → 0.20.2
caddy		patch	2.11.3 → 2.11.4
github.com/alecthomas/chroma/v2	require	minor	v2.24.1 → v2.26.1
github.com/dlclark/regexp2/v2	require	patch	v2.1.1 → v2.1.2
github.com/mattn/go-colorable	require	patch	v0.1.14 → v0.1.15
go		patch	1.26.3 → 1.26.4
uv		patch	0.11.16 → 0.11.19

---

Release Notes

biomejs/biome (biome)

v2.4.16

alecthomas/bit (bit)

v0.20.2

What's Changed

• chore: add just bump command by @​alecthomas in 6518324
• chore: fix state drift in example BUILD.bit by @​alecthomas in d4a232f
• fix(go.test): show build errors on failure by @​alecthomas in 29234ea

caddyserver/caddy (caddy)

v2.11.4

This release patches more security, security-adjacent, and normal bugs. The FrankenPHP project has collaborated on PHP-adjacent patches, which we are grateful for.

The recent surge of patches is mostly attributed to token predictors. We have had to reject more than 75% of "security" reports because they were AI slop spam (or just lazy/incorrect). Please use LLMs and agents wisely to avoid wasting precious maintainer resources. We have started blocking offending accounts that spam slop reports. Thank you to all who submit responsible reports following our security policy to make the project better. We appreciate that the community deems the Caddy project worthy of contribution to improve the broader ecosystem!

Security-related patches:

• caddyhttp: Normalize Windows backslashes in path matcher (thanks @​Vincent550102)
• rewrite: Prevent placeholder re-expansion in injected query (thanks @​WhiskerEnt)
• templates: Improved stripHTML action to more reliably remove malformed HTML (thanks to @​jmrcsnchz)
• caddyhttp: Ignore header fields with underscores to prevent collisions (thanks @​Vincent550102 for the report and @​dunglas for the patch)

There are also several other various fixes and enhancements by many other contributors. Thank you everyone who participated!

What's Changed

• reverseproxy: further prevent body closes from dial errors by @​jameshartig in #​7715
• caddytls: Fix client auth (fix #​7724) by @​mholt in #​7727
• chore: deps upgrade by @​mohammed90 in #​7751
• caddyhttp: omit Last-Modified for unusable mod times by @​bb4242 in #​7740
• caddytls: fix TLS state races and ECH rotation retry by @​broady in #​7756
• chore: clean up wording and typo fixes by @​steadytao in #​7745
• reverseproxy: Add regression test for DialInfo network override by @​eyupcanakman in #​7758
• caddyauth: add candidate placeholders for rejected identities by @​steadytao in #​7698
• cmd: support caddy start on IPv6-only hosts by @​steadytao in #​7744
• caddyfile: preserve implicit TLS issuer semantics by @​steadytao in #​7743
• reverseproxy: wraps request body to prevent closing if not read by @​WeidiDeng in #​7719
• caddytls: match IDN SNI in connection policies by @​steadytao in #​7742
• build(deps): bump the all-updates group across 1 directory with 9 updates by @​dependabot[bot] in #​7752
• caddyhttp: normalize Windows backslashes in path matcher by @​Vincent550102 in #​7763
• go.mod: update x/net by @​steadytao in #​7767
• rewrite: prevent placeholder re-expansion in injected query by @​WhiskerEnt in #​7761
• perf(replacer): optimize memory allocation for file placeholders by @​Jualhosting in #​7773
• caddytls: skip idna.ToASCII for pure ASCII SNI values by @​sleet0922 in #​7770
• encode: prioritize zstd and br over gzip in content negotiation by @​Jualhosting in #​7772
• httpcaddyfile: fix incorrect error message on duplicate matchers by @​Brunotlps in #​7780
• Patch for GHSA-vcc4-2c75-vc9v by @​jmrcsnchz in #​7785

New Contributors

• @​jameshartig made their first contribution in #​7715
• @​bb4242 made their first contribution in #​7740
• @​broady made their first contribution in #​7756
• @​eyupcanakman made their first contribution in #​7758
• @​Vincent550102 made their first contribution in #​7763
• @​WhiskerEnt made their first contribution in #​7761
• @​Jualhosting made their first contribution in #​7773
• @​sleet0922 made their first contribution in #​7770
• @​Brunotlps made their first contribution in #​7780
• @​jmrcsnchz made their first contribution in #​7785

Full Changelog: caddyserver/caddy@v2.11.3...v2.11.4

alecthomas/chroma (github.com/alecthomas/chroma/v2)

v2.26.1

Compare Source

Changelog

• 56c7702 fix: downgrade go.mod version to 1.25

v2.26.0

Compare Source

Changelog

• a4d3f60 feat(chromad): use style counterparts for theme switching
• ce159e6 chore: migrate to new bit format
• 180ea9f perf(colour): replace Sprintf/ParseUint round-trip in NewColour with direct bit arithmetic (#​1274)
• 68a08b0 docs: how to support dynamic theme switching
• 6fb9d92 feat(html): tag output with style mode
• a71fea3 feat(styles): add light/dark mode support

v2.25.0

Compare Source

Changelog

• c3826f0 chore: go mod tidy
• fb5bc39 fix: emit HTTP body tokens without Coalesce
• a3c2946 Improve Nu file detection (#​1260)
• e841b1a chore(deps): update all non-major dependencies (#​1272)
• 3ed2db8 Add Gemfile.lock lexer (& ruby improvements) (#​1269)
• 41fb546 Add YAML+Jinja lexer (#​1268)
• e99b881 chore(deps): update all non-major dependencies (#​1263)
• e67dd2f (Markless) Fix parse issue for embed directives without options (#​1266)
• dffa370 fix(go): tokenize trailing // as comment instead of consuming next line (#​1265)
• 1cf1560 chore: upgrade to github.com/dlclark/regexp2/v2
• 2cbcf7b chore: upgrade golangci-lint
• 786675b chore(deps): update all non-major dependencies (#​1257)
• 235590c feat: add JSONL support to JSON lexer (#​1262)
• f9b5c97 fix(dart): match single-line comments without trailing newline (#​1225) (#​1261)
• 097f8e9 Mention Arturo in README (#​1256)
• d46ce60 feat(markdown): highlight frontmatter and comments (#​1245)
• f786b2a feat(lexers): add support for LilyPond (#​1255)
• 0a02b98 chore(deps): update actions/checkout digest to de0fac2 (#​1212)
• c55009e Fix AGENTS.md referencing a non-existent scripts directory (#​1231)
• c5e763e Improve protobuf lexer (#​1253)
• 113cd0e Add Arturo lexer (#​1232)
• 4498d71 chore(deps): update dependency binaryen to v129 (#​1238)
• 885f912 Added f4 to "Projects using Chroma" list (#​1242)
• c42c9ef Update java lexer (#​1254)

dlclark/regexp2 (github.com/dlclark/regexp2/v2)

v2.1.2

Compare Source

mattn/go-colorable (github.com/mattn/go-colorable)

v0.1.15

Compare Source

golang/go (go)

v1.26.4

astral-sh/uv (uv)

v0.11.19

Compare Source

Released on 2026-06-03.

Python

• Add CPython 3.15.0b2 (#​19531)

Enhancements

• Always compute SHA256 for remote distributions (#​19662)
• Add PyEmscripten platform (PEP 783) (#​19629)
• Add Pyodide 2025 target triple (#​19653)

Preview features

• Make preview features for commands have names that aren't ambiguous with the command (#​19645)
• Respect --isolated in uv check (#​19666)

Bug fixes

• Continue tool uninstall after dangling receipts (#​19623)
• Skip Unix-specific installation steps when cross-installing Windows Python distributions (#​19424)

v0.11.18

Compare Source

Released on 2026-06-01.

Performance

• Fix performance regression in unzip of local wheels (#​19637)

Preview

• Add uv check to run ty from uv (#​19605)

Bug fixes

• Update activation scripts with upstream fixes (#​19628)

Other changes

• Bump MSRV to 1.94 (#​19600)

v0.11.17

Compare Source

Released on 2026-05-28.

Enhancements

• Add a diagnostic for uv add with standard library modules (#​19572)
• Expose uv workspace and its list subcommand in help output (#​19533)
• Improve the "403 forbidden" hint to suggest ignore-error-codes when applicable (#​19521)
• Skip direct URL lock freshness checks while offline (#​19596)
• Add import-names and import-namespaces support to uv-build (PEP 794) (#​19380)
• Add a --no-editable-package flag to various commands (#​19584)
• Infer Python version requests from source trees in uv tool invocations (#​19577)

Preview features

• Add module owners to uv workspace metadata (#​19122)
• Do not allow uv venv --clear to remove non-virtual environments (#​19595)

Bug fixes

• Improve the performance of large entries in tool.uv.conflicts (#​19538)
• Avoid modifying the parent process' env with --env-file in uv run (#​19567)
• Fix script environment creation for scripts with long filenames (#​19539)
• Fix transitive Git archive dependencies in lockfiles (#​19589)
• Preserve Git repository URLs in direct URL metadata (#​19590)
• Support redirects in --check-url (#​19594)
• Accept case-insensitive HTML tags in --find-links parsing (#​19537)
• Reject duplicate script metadata blocks (#​19544)
• Ban names like "python3" as script entry points (#​19535, #​19536)
• Validate Git LFS artifacts for Git archives (#​19592)
• Use a relative path when creating symlinks in cache to improve relocatability (#​19033)

Documentation

• Fix malformed positional anchors in the CLI reference (#​19575)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.