chore(deps-dev): bump the dev-deps group across 1 directory with 12 updates

[dependabot]

Bumps the dev-deps group with 12 updates in the / directory:

Package	From	To
@biomejs/biome	2.4.4	2.4.9
@changesets/changelog-github	0.5.2	0.6.0
@changesets/cli	2.29.8	2.30.0
@cloudflare/vitest-pool-workers	0.12.17	0.13.5
@cloudflare/workers-types	4.20260303.0	4.20260329.1
@types/node	25.3.0	25.5.0
@vitest/coverage-istanbul	3.2.4	4.1.2
hono	4.12.2	4.12.9
itty-router	5.0.22	5.0.23
pkg-pr-new	0.0.63	0.0.66
typescript	5.9.3	6.0.2
wrangler	4.68.1	4.78.0

Updates @biomejs/biome from 2.4.4 to 2.4.9

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.9

2.4.9

Patch Changes

• #9315 085d324 Thanks @​ematipico! - Added a new nursery CSS rule noDuplicateSelectors, that disallows duplicate selector lists within the same at-rule context.

  For example, the following snippet triggers the rule because the second selector and the first selector are the same:

  /* First selector */
  .x .y .z {
  }
  /* Second selector */
  .x {
  .y {
  .z {
  }
  }
  }

• #9567 b7ab931 Thanks @​ematipico! - Fixed #7211: useOptionalChain now detects negated logical OR chains. The following code is now considered invalid:

  !foo || !foo.bar;

• #8670 607ebf9 Thanks @​tt-a1i! - Fixed #8345: useAdjacentOverloadSignatures no longer reports false positives for static and instance methods with the same name. Static methods and instance methods are now treated as separate overload groups.

  class Kek {
    static kek(): number {
      return 0;
    }
    another(): string {
      return "";
    }
    kek(): number {
      return 1;
    } // no longer reported as non-adjacent
  }

• #9476 97b80a8 Thanks @​masterkain! - Fixed [#9475](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome/issues/9475): Fixed a panic when Biome analyzed ambient TypeScript modules containing class constructor, getter, or setter signatures that reference local type aliases. Biome now handles these declarations without crashing during semantic analysis.

• #9553 0cd5298 Thanks @​dyc3! - Fixed a bug where enabling the rules of a whole group, would enable rules that belonged to a domain under the same group.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.9

Patch Changes

• #9315 085d324 Thanks @​ematipico! - Added a new nursery CSS rule noDuplicateSelectors, that disallows duplicate selector lists within the same at-rule context.

  For example, the following snippet triggers the rule because the second selector and the first selector are the same:

  /* First selector */
  .x .y .z {
  }
  /* Second selector */
  .x {
  .y {
  .z {
  }
  }
  }

• #9567 b7ab931 Thanks @​ematipico! - Fixed #7211: useOptionalChain now detects negated logical OR chains. The following code is now considered invalid:

  !foo || !foo.bar;

• #8670 607ebf9 Thanks @​tt-a1i! - Fixed #8345: useAdjacentOverloadSignatures no longer reports false positives for static and instance methods with the same name. Static methods and instance methods are now treated as separate overload groups.

  class Kek {
    static kek(): number {
      return 0;
    }
    another(): string {
      return "";
    }
    kek(): number {
      return 1;
    } // no longer reported as non-adjacent
  }

• #9476 97b80a8 Thanks @​masterkain! - Fixed [#9475](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome/issues/9475): Fixed a panic when Biome analyzed ambient TypeScript modules containing class constructor, getter, or setter signatures that reference local type aliases. Biome now handles these declarations without crashing during semantic analysis.

• #9553 0cd5298 Thanks @​dyc3! - Fixed a bug where enabling the rules of a whole group, would enable rules that belonged to a domain under the same group.

  For example, linter.rules.correctness = "error" no longer enables React- or Qwik-specific correctness rules unless linter.domains.react, linter.domains.qwik, or an explicit rule config also enables them, or their relative dependencies are installed.

... (truncated)

Commits

• ad37526 ci: release (#9620)
• eb57e3a chore: use npmx.dev badge (#9614)
• e168494 feat(linter): add rule noUntrustedLicenses (#9474)
• 085d324 feat(css): add noDuplicateSelectors (#9315)
• 4d050df feat(analyze): implement noInlineStyles (#9534)
• 723798b feat: apply fix to use consistent method signatures (#9544)
• f4bf341 ci: release (#9517)
• e7b3b10 feat(lint): add noDrizzleDeleteWithoutWhere and noDrizzleUpdateWithoutWhere r...
• 1f30838 ci: release (#9346)
• 3ac98eb feat(css/lint): useBaseline (#9318)
• Additional commits viewable in compare view

Updates @changesets/changelog-github from 0.5.2 to 0.6.0

Release notes

Sourced from @​changesets/changelog-github's releases.

@​changesets/changelog-github@​0.6.0

Minor Changes

• #1850 fd0bc2e Thanks @​mixelburg! - Linkify issue references in changelog entries.

Patch Changes

• #1810 27fd8f4 Thanks @​hirasso! - Replace deprecated String.prototype.trimRight with String.prototype.trimEnd

• Updated dependencies [d4b8ad8, e462d89]:

  • @​changesets/get-github-info@​0.8.0

Commits

• 3ab4d89 Version Packages (#1817)
• 1772598 Fix changelog entry insertion when no package title is present in the `CHANGE...
• 6df3a5e Allow versioned private packages to depend on skipped packages without requir...
• 2a73025 Fix confusing 'Question-2' prompt label when using external editor (#1857)
• 667fe5a Support ESM for custom changelog and commit options (#1774)
• e462d89 Add scopes automatically in the GitHub new token link in the printed error me...
• 503fcaa Support absolute paths in status output flag (#1776)
• d4b8ad8 Improve error messages when fetching from GitHub api (#1781)
• ece0376 Improve baseBranch docs (#1778)
• 0e8e01e Allow Changesets to be executed from non-root directories (#1806)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​changesets/changelog-github since your current version.

Updates @changesets/cli from 2.29.8 to 2.30.0

Release notes

Sourced from @​changesets/cli's releases.

@​changesets/cli@​2.30.0

Minor Changes

• #1840 057cca2 Thanks @​wotan-allfather! - Add --since flag to add command

  The add command now supports a --since flag that allows you to specify which branch, tag, or git ref to use when detecting changed packages. This is useful for gitflow workflows where you have multiple target branches and the baseBranch config option doesn't cover all use cases.

  Example: changeset add --since=develop

  If not provided, the command falls back to the baseBranch value in your .changeset/config.json.

• #1845 2b4a66a Thanks @​Andarist! - Delegate OTP prompting to the package manager instead of handling it in-process. This allows Changesets to use the package manager's native web auth support.

• #1774 667fe5a Thanks @​bluwy! - Support importing custom commit option ES module. Previously, it used require() which only worked for CJS modules, however now it uses import() which supports both CJS and ES modules.

• #1839 73b1809 Thanks @​leochiu-a! - Add a --message (-m) flag to changeset add (and default changeset) so the changeset summary can be provided from the command line. When --message is present, the summary prompt is skipped while the final confirmation step is kept.

• #1806 0e8e01e Thanks @​luisadame! - Changeset CLI can now be run from the nested directories in the project, where the .changeset directory has to be found in one of the parent directories

Patch Changes

• #1849 9dc3230 Thanks @​Andarist! - Compute the terminal's size lazily to avoid spurious stderr output in non-interactive mode

• #1857 2a73025 Thanks @​mixelburg! - Fix confusing prompt labels when entering changeset summary after external editor fallback

• #1842 6df3a5e Thanks @​RodrigoHamuy! - Allow private packages to depend on skipped packages without requiring them to also be skipped. Private packages are not published to npm, so it is safe for them to have dependencies on ignored or unversioned packages.

• #1776 503fcaa Thanks @​bluwy! - Support absolute paths in changeset status --output <path>

• Updated dependencies [667fe5a, 1772598, b6f4c74, 6df3a5e, 6df3a5e, 27fd8f4]:

  • @​changesets/apply-release-plan@​7.1.0
  • @​changesets/config@​3.1.3
  • @​changesets/get-release-plan@​4.0.15
  • @​changesets/read@​0.6.7

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​changesets/cli since your current version.

Updates @cloudflare/vitest-pool-workers from 0.12.17 to 0.13.5

Release notes

Sourced from @​cloudflare/vitest-pool-workers's releases.

@​cloudflare/vitest-pool-workers@​0.13.5

Patch Changes

• #13077 11c77b7 Thanks @​penalosa! - fix: runInDurableObject now correctly returns redirect responses (3xx) from Durable Object callbacks instead of throwing "Expected callback for X" errors

• #13056 8384743 Thanks @​penalosa! - fix: Support dynamic import() inside entrypoint and Durable Object handlers

  Previously, calling exports.default.fetch() or SELF.fetch() on a worker whose handler used a dynamic import() would hang and fail with "Cannot perform I/O on behalf of a different Durable Object". This happened because the module runner's transport — which communicates over a WebSocket owned by the runner Durable Object — was invoked from a different DO context.

  The fix patches the module runner's transport via the onModuleRunner hook so that all invoke() calls are routed through the runner DO's I/O context, regardless of where the import() originates.

• #13074 4618c05 Thanks @​penalosa! - fix: only apply module fallback extension probing for require(), not import

  The module fallback service previously tried adding .js, .mjs, .cjs, and .json suffixes to extensionless specifiers unconditionally. Per the Node.js spec, this extension-probing behaviour is specific to CommonJS require(). ESM import statements must include explicit file extensions.

  Extension-less TypeScript import specifiers continue to work correctly — they are resolved by Vite's resolver rather than the fallback's extension loop.

• #13073 baec845 Thanks @​penalosa! - Add adminSecretsStore() to cloudflare:test for seeding secrets in tests

  Secrets store bindings only expose a read-only .get() method, so there was previously no way to seed secret values from within a test. The new adminSecretsStore() helper returns Miniflare's admin API for a secrets store binding, giving tests full control over create, update, and delete operations.

  import { adminSecretsStore } from "cloudflare:test";
  import { env } from "cloudflare:workers";
  const admin = adminSecretsStore(env.MY_SECRET);
  await admin.create("test-value");
  const value = await env.MY_SECRET.get(); // "test-value"

• #13083 cfd513f Thanks @​penalosa! - Add a 30-second timeout to waitUntil promise draining to prevent hanging tests

  Previously, if a ctx.waitUntil() promise never resolved, the test suite would hang indefinitely after the test file finished. Now, any waitUntil promises that haven't settled within 30 seconds are abandoned with a warning, allowing the test suite to continue. This aligns with the production waitUntil limit.

• Updated dependencies [eeaa473, 9fcdfca, bc24ec8, 1faff35, 0b4c21a, 535582d, 992f9a3, f4ea4ac, 91b7f73, f6cdab2, 53ed15a, ce65246, 7a5be20, 6b50bfa, 0386553, 9c5ebf5, 53ed15a, 53ed15a]:

  • wrangler@4.78.0
  • miniflare@4.20260317.3

@​cloudflare/vitest-pool-workers@​0.13.4

Patch Changes

• #12999 f9728fd Thanks @​hiendv! - chore: update some tests and fixtures to Vitest 4 / vpw 0.13.x

• Updated dependencies [593c4db, b8f3309, 451dae3, 5aaaab2, 5aaaab2, f8516dd, 9c9fe30, 379f2a2, c2e9163, 6a6449e, 9a1cf29, 875da60]:

  • wrangler@4.77.0
  • miniflare@4.20260317.2

@​cloudflare/vitest-pool-workers@​0.13.3

Patch Changes

... (truncated)

Changelog

Sourced from @​cloudflare/vitest-pool-workers's changelog.

0.13.5

Patch Changes

• #13077 11c77b7 Thanks @​penalosa! - fix: runInDurableObject now correctly returns redirect responses (3xx) from Durable Object callbacks instead of throwing "Expected callback for X" errors

• #13056 8384743 Thanks @​penalosa! - fix: Support dynamic import() inside entrypoint and Durable Object handlers

  Previously, calling exports.default.fetch() or SELF.fetch() on a worker whose handler used a dynamic import() would hang and fail with "Cannot perform I/O on behalf of a different Durable Object". This happened because the module runner's transport — which communicates over a WebSocket owned by the runner Durable Object — was invoked from a different DO context.

  The fix patches the module runner's transport via the onModuleRunner hook so that all invoke() calls are routed through the runner DO's I/O context, regardless of where the import() originates.

• #13074 4618c05 Thanks @​penalosa! - fix: only apply module fallback extension probing for require(), not import

  The module fallback service previously tried adding .js, .mjs, .cjs, and .json suffixes to extensionless specifiers unconditionally. Per the Node.js spec, this extension-probing behaviour is specific to CommonJS require(). ESM import statements must include explicit file extensions.

  Extension-less TypeScript import specifiers continue to work correctly — they are resolved by Vite's resolver rather than the fallback's extension loop.

• #13073 baec845 Thanks @​penalosa! - Add adminSecretsStore() to cloudflare:test for seeding secrets in tests

  Secrets store bindings only expose a read-only .get() method, so there was previously no way to seed secret values from within a test. The new adminSecretsStore() helper returns Miniflare's admin API for a secrets store binding, giving tests full control over create, update, and delete operations.

  import { adminSecretsStore } from "cloudflare:test";
  import { env } from "cloudflare:workers";
  const admin = adminSecretsStore(env.MY_SECRET);
  await admin.create("test-value");
  const value = await env.MY_SECRET.get(); // "test-value"

• #13083 cfd513f Thanks @​penalosa! - Add a 30-second timeout to waitUntil promise draining to prevent hanging tests

  Previously, if a ctx.waitUntil() promise never resolved, the test suite would hang indefinitely after the test file finished. Now, any waitUntil promises that haven't settled within 30 seconds are abandoned with a warning, allowing the test suite to continue. This aligns with the production waitUntil limit.

• Updated dependencies [eeaa473, 9fcdfca, bc24ec8, 1faff35, 0b4c21a, 535582d, 992f9a3, f4ea4ac, 91b7f73, f6cdab2, 53ed15a, ce65246, 7a5be20, 6b50bfa, 0386553, 9c5ebf5, 53ed15a, 53ed15a]:

  • wrangler@4.78.0
  • miniflare@4.20260317.3

0.13.4

Patch Changes

• #12999 f9728fd Thanks @​hiendv! - chore: update some tests and fixtures to Vitest 4 / vpw 0.13.x

• Updated dependencies [593c4db, b8f3309, 451dae3, 5aaaab2, 5aaaab2, f8516dd, 9c9fe30, 379f2a2, c2e9163, 6a6449e, 9a1cf29, 875da60]:

  • wrangler@4.77.0
  • miniflare@4.20260317.2

... (truncated)

Commits

• 81b2b9b Version Packages (#13038)
• baec845 [vitest-pool-workers] Add adminSecretsStore() to cloudflare:test (#13073)
• 4618c05 [vitest-pool-workers] Only probe extensions in module fallback for `require()...
• 11c77b7 [vitest-pool-workers] fix: handle redirect responses in runInDurableObject ...
• 7125939 [vitest-pool-workers] Add regression test for Istanbul coverage across multip...
• cfd513f [vitest-pool-workers] Add 30s timeout to waitUntil promise draining (#13083)
• 8384743 [vitest-pool-workers] Fix dynamic import() in entrypoint and DO handlers (#13...
• a61451f Version Packages (#12980)
• f9728fd Update some missing tests and fixtures with Vitest 4 (#12999)
• 7d2661b Version Packages (#12945)
• Additional commits viewable in compare view

Updates @cloudflare/workers-types from 4.20260303.0 to 4.20260329.1

Commits

• See full diff in compare view

Updates @types/node from 25.3.0 to 25.5.0

Commits

• See full diff in compare view

Updates @vitest/coverage-istanbul from 3.2.4 to 4.1.2

Release notes

Sourced from @​vitest/coverage-istanbul's releases.

v4.1.2

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (vitest-dev/vitest#9975).

   🐞 Bug Fixes

• Don't resolve setupFiles from parent directory  -  by @​hi-ogawa in vitest-dev/vitest#9960 (7aa93)
• Ensure sequential mock/unmock resolution  -  by @​hi-ogawa and Claude Opus 4.6 in vitest-dev/vitest#9830 (7c065)
• browser: Take failure screenshot if toMatchScreenshot can't capture a stable screenshot  -  by @​macarie in vitest-dev/vitest#9847 (faace)
• coverage: Correct coverageConfigDefaults values and types  -  by @​Arthie in vitest-dev/vitest#9940 (b3c99)
• pretty-format: Fix output limit over counting  -  by @​hi-ogawa in vitest-dev/vitest#9965 (d3b7a)
• Disable colors if agent is detected  -  by @​sheremet-va and @​AriPerkkio in vitest-dev/vitest#9851 (6f97b)

    View changes on GitHub

v4.1.1

   🚀 Features

• experimental:
  • Expose matchesTags to test if the current filter matches tags  -  by @​sheremet-va in vitest-dev/vitest#9913 (eec53)
  • Introduce experimental.vcsProvider  -  by @​sheremet-va in vitest-dev/vitest#9928 (56115)

   🐞 Bug Fixes

• Mark TestProject.testFilesList internal properly  -  by @​sapphi-red in vitest-dev/vitest#9867 (54f26)
• Detect fixture that returns without calling use  -  by @​oilater in vitest-dev/vitest#9831 and vitest-dev/vitest#9861 (633ae)
• Drop vite 8.beta support  -  by @​AriPerkkio in vitest-dev/vitest#9862 (b78f5)
• Type regression in vi.mocked() static class methods  -  by @​purepear and @​hi-ogawa in vitest-dev/vitest#9857 (90926)
• Properly re-evaluate actual modules of mocked external  -  by @​hi-ogawa in vitest-dev/vitest#9898 (ae5ec)
• Preserve coverage report when html reporter overlaps  -  by @​hi-ogawa in vitest-dev/vitest#9889 (2d81a)
• Provide vi.advanceTimers to the preview provider  -  by @​sheremet-va in vitest-dev/vitest#9891 (1bc3e)
• Don't leak event listener in playwright provider  -  by @​sheremet-va in vitest-dev/vitest#9910 (d9355)
• Open browser in --standalone mode without running tests  -  by @​sheremet-va in vitest-dev/vitest#9911 (e78ad)
• Guard disposable and optional body  -  by @​sheremet-va in vitest-dev/vitest#9912 (6fdb2)
• Resolve retry.condition RegExp serialization issue  -  by @​nstepien and @​hi-ogawa in vitest-dev/vitest#9942 (7b605)
• collect:
  • Don't treat extra props on test return as tests  -  by @​sheremet-va in vitest-dev/vitest#9871 (141e7)
• coverage:
  • Simplify provider types  -  by @​AriPerkkio in vitest-dev/vitest#9931 (aaf9f)
  • Load built-in provider without module runner  -  by @​AriPerkkio in vitest-dev/vitest#9939 (bf892)
• expect:
  • Soft assertions continue after .resolves/.rejects promise errors  -  by @​mixelburg, Maks Pikov, Claude Opus 4.6 (1M context) and @​hi-ogawa in vitest-dev/vitest#9843 (6d74b)
  • Fix sinon-chai style API  -  by @​hi-ogawa in vitest-dev/vitest#9943 (0f08d)
• pretty-format:
  • Limit output for large object  -  by @​hi-ogawa and Claude Opus 4.6 (1M context) in vitest-dev/vitest#9949 (0d5f9)

    View changes on GitHub

v4.1.0

Vitest 4.1 is out!

... (truncated)

Commits

• fc6f482 chore: release v4.1.2
• 1f2d318 chore: release v4.1.1
• aaf9f18 fix(coverage): simplify provider types (#9931)
• 4150b91 chore: release v4.1.0
• 0c2c013 chore: release v4.1.0-beta.6
• 8c96bb0 refator: update links to npmx (#9783)
• aaf7758 chore: standardize packages README (#9776)
• 79672d7 chore: release v4.1.0-beta.5
• 1d9e3b3 chore: release v4.1.0-beta.4
• 4ff8c6f chore(build): raise build target to the minimum supported, don't bundle utils...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​vitest/coverage-istanbul since your current version.

Updates hono from 4.12.2 to 4.12.9

Release notes

Sourced from hono's releases.

v4.12.9

What's Changed

• fix(request): remove parseBody from bodyCache to prevent TypeError by @​yusukebe in honojs/hono#4807
• feat(client): add PickResponseByStatusCode type by @​yusukebe in honojs/hono#4791
• fix(ssg): pass SSG_CONTEXT to forGetInfoURLRequest by @​yuintei in honojs/hono#4810
• fix(service-worker): make fire() fallback behavior consistent with handle() by @​yusukebe in honojs/hono#4821
• fix(cors): reflect request origin when credentials is true with wildcard by @​ctonneslan in honojs/hono#4813

New Contributors

• @​yuintei made their first contribution in honojs/hono#4810
• @​ctonneslan made their first contribution in honojs/hono#4813

Full Changelog: honojs/hono@v4.12.8...v4.12.9

v4.12.8

What's Changed

• fix(utils/mime): Normalize input extension to lowercase before MIME check by @​TheEssem in honojs/hono#4800
• fix(bearer-auth): escape regex metacharacters in bearer auth prefix option by @​otoneko1102 in honojs/hono#4750

New Contributors

• @​TheEssem made their first contribution in honojs/hono#4800

Full Changelog: honojs/hono@v4.12.7...v4.12.8

v4.12.7

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

---

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

What's Changed

• fix(accept): replace regex split to mitigate ReDoS by @​EdamAme-x in honojs/hono#4758
• fix(jsx): align link hoisting and dedupe with React 19 by @​usualoma in honojs/hono#4792
• chore(builld): tsconfig project references by @​BarryThePenguin in honojs/hono#4797
• chore: add tsconfig.spec.json by @​yusukebe in honojs/hono#4798
• feat(jsx-renderer): support function-based options by @​3w36zj6 in honojs/hono#4780
• fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @​t0waxx in honojs/hono#4782

New Contributors

• @​t0waxx made their first contribution in honojs/hono#4782

Full Changelog: honojs/hono@v4.12.5...v4.12.6

v4.12.5

What's Changed

• fix(request): return string | undefined from param() when path type is any by @​andrewdamelio in honojs/hono#4723

... (truncated)

Commits

• e1ae0eb 4.12.9
• 66fe9fe fix(cors): reflect request origin when credentials is true with wildcard (#4813)
• 50e2611 fix(service-worker): make fire() fallback behavior consistent with `handle(...
• be85106 fix(ssg): pass SSG_CONTEXT to forGetInfoURLRequest (#4810)
• d1722e3 feat(client): add PickResponseByStatusCode type (#4791)
• 8bd9ddd fix(request): remove parseBody from bodyCache to prevent TypeError (#4807)