
chore(deps): bump the npm-deps group with 4 updates #34

Merged
mroderick merged 1 commit into main from dependabot/npm_and_yarn/npm-deps-6eaa004f7b
Jun 18, 2026
Conversation

@dependabot (bot) commented on behalf of github on Jun 18, 2026
Contributor

Bumps the npm-deps group with 4 updates: better-auth, hono, fallow and prettier.

Updates better-auth from 1.6.15 to 1.6.16

Release notes

Sourced from better-auth's releases.

v1.6.16

better-auth

Bug Fixes

  • Fixed SIWE verification to bind the signed message to server state before creating a session, preventing acceptance of signatures produced for a different message, earlier nonce, or unrelated domain.
  • Fixed PayPal ID token verification to validate the signature, issuer, audience, expiration, and nonce against PayPal's JWKS (RS256) or client secret (HS256), rejecting tokens that pass only structural checks.
  • Fixed Google hd (hosted domain) enforcement to verify the hd claim on the verified ID token and callback profile, preventing accounts outside the configured Workspace domain from signing in.
  • Fixed verifyAccessToken remote introspection to reject tokens with a missing or mismatching aud claim; set remoteVerify.allowMissingAudience: true to permit tokens where the introspection response legitimately omits aud.
  • Fixed the admin plugin to enforce permissions on role, ban, and email fields in /admin/create-user and /admin/update-user, and prevent data from overriding protected fields. (#9974)
  • Fixed email sign-in and sign-up to validate Origin and Referer headers against trustedOrigins even when requests carry no cookies. (#9973)
  • Fixed /update-session to reject plugin-managed fields (activeOrganizationId, activeTeamId, impersonatedBy) with a 400 error; use their dedicated endpoints to change these values. (#9965)
  • Fixed /update-session and account token routes to immediately reject deleted sessions when cookie cache is enabled alongside database or secondary storage. (#9967)
  • Fixed /refresh-token to only trust the account cookie when its userId, providerId, and accountId match the resolved session user.
  • Fixed generic OAuth sign-in to reject sign-ins when no account ID can be resolved from the provider response, preventing account collisions on providers that omit sub.
  • Fixed createInvitation and acceptInvitation to validate that all requested team IDs belong to the invitation's organization, preventing cross-organization team membership.
  • Fixed the JWKS cache to be scoped per verification source with a TTL, preventing key cross-contamination when verifying tokens against multiple issuers simultaneously.
  • Fixed the Reddit provider to stop storing oauth_client_id as the user email, preventing all users of the same app from sharing a single email address; a synthetic per-user address is now used when no real email is provided via mapProfileToUser.
  • Fixed Facebook token verification to validate tokens against the configured app via the debug_token endpoint, requiring is_valid, a matching app_id, and a client secret for direct sign-in.

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed the token endpoint to enforce per-client grant types, preventing clients registered only for authorization_code from requesting client_credentials tokens.
  • Fixed /oauth2/continue to derive post-login gate completion from a server-issued session marker rather than the client-submitted postLogin flag.
  • Fixed token introspection to require an azp claim and a valid client on JWT access tokens, preventing session JWTs from being reported as active access tokens.

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed SAML AuthnRequest handling to consume the request atomically, preventing replay attacks on concurrent requests. (#9972)
  • Fixed SSO provider IDs to be isolated from the OAuth/social account-linking namespace, preventing unintended account linking when an SSO provider ID matches a trusted OAuth provider name.
  • Fixed OIDC endpoint validation to reject server-side requests resolving to non-publicly-routable addresses, protecting against SSRF on token, userinfo, and JWKS endpoints.

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

  • Fixed API key verification to persist only the fields it mutates rather than the full record, preventing concurrent disables, permission changes, or expiry updates from being reverted by an in-flight verification.
  • Fixed /api-key/create to verify the session against the authoritative store with disableCookieCache: true, preventing revoked sessions from being accepted within the cookie-cache window.

For detailed changes, see CHANGELOG

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.16

Patch Changes

  • #9974 cb1cbfa Thanks @Bekacru! - Guard protected user fields in the admin plugin behind their dedicated permissions. /admin/create-user now requires user:set-role when a role is supplied (top-level or via data.role), validates requested roles against the configured roles, requires user:ban for ban fields passed in data, and no longer lets data override email, name, or role. /admin/update-user now requires user:ban for banned/banReason/banExpires (revoking the user's sessions when banning and rejecting self-bans), requires the new user:set-email permission for email/emailVerified (with email validation, lowercasing, and uniqueness checks), and rejects password updates in favor of /admin/set-user-password. If you use a custom access control, add set-email to your statements and grant it (and ban) to roles that should be able to change those fields through update-user.

  • #9974 cb1cbfa Thanks @Bekacru! - Require a provider account id when signing in through generic OAuth. The default userinfo handler previously fell back to an empty string when the provider response had no sub (or id), and the callback never checked the resolved account id. With certain non-OIDC providers that omit sub, accounts could be stored under the same empty id and a later sign-in could resolve to an existing account. The generic OAuth callback now rejects sign-in when no account id can be resolved, the default userinfo handler returns no profile when neither sub nor id is present, and the built-in OAuth callback also rejects an empty account id.

  • #9974 cb1cbfa Thanks @Bekacru! - Scope organization invitation team IDs to the invited organization. createInvitation now validates that every requested teamId belongs to the invitation's organization regardless of whether teams.maximumMembersPerTeam is set, and acceptInvitation re-checks each stored team's organization before adding team membership. Previously, with the default unlimited team size, a team ID from another organization could be stored on an invitation and applied on acceptance.

  • #9973 87e7aa5 Thanks @gustavovalverde! - Email sign-in and sign-up now validate the Origin or Referer header against trustedOrigins even when the request carries no cookies. Requests that send no Origin/Referer header and no Fetch Metadata (such as curl or server-to-server clients) are unaffected. A non-browser client that sends an untrusted Origin/Referer without cookies now receives a 403 and must add that origin to trustedOrigins.

  • #9974 cb1cbfa Thanks @Bekacru! - Require /refresh-token to only trust the account cookie when its userId, providerId and (when supplied) accountId match the resolved session user.

  • #9967 893cf6c Thanks @gustavovalverde! - Deleting a session now immediately stops /update-session and the account token endpoints (/get-access-token, /refresh-token, /account-info) from accepting it, when cookie cache is enabled alongside a database or secondary storage. Before, these routes kept serving the deleted session from the cached cookie until the cache expired. Deployments that store the session only in the cookie are unaffected.

  • #9974 cb1cbfa Thanks @Bekacru! - Bind the SIWE signed message to server state before creating a session. Previously /siwe/verify only checked that a nonce row existed for the wallet address and then delegated entirely to verifyMessage. Since the documented verifyMessage (viem) performs signature recovery only, without inspecting the message body, a signature the wallet produced for a different message (an earlier nonce, another domain, or arbitrary content) could also satisfy verification against a freshly minted nonce.

    The plugin now parses the ERC-4361 message itself and requires its nonce, domain, address, and chain ID to match the server-issued nonce and configured domain, and enforces the message's Expiration Time / Not Before bounds, before verifying the signature. message must now be a valid ERC-4361 message (which all standard SIWE clients produce); non-conforming or mismatched messages are rejected with a 401 (UNAUTHORIZED_SIWE_MESSAGE_MISMATCH, UNAUTHORIZED_SIWE_MESSAGE_EXPIRED, or UNAUTHORIZED_SIWE_MESSAGE_NOT_YET_VALID). verifyMessage implementations should continue to perform signature recovery only.

  • #9974 cb1cbfa Thanks @Bekacru! - Separate SSO provider ids from the account-linking provider namespace used for social/OAuth providers. Previously an SSO provider registered with an id matching a configured accountLinking.trustedProviders entry (e.g. google) was treated as a trusted provider and could implicitly link to an existing verified account with the same email.

    SSO registration now rejects provider ids that collide with a configured social provider, a trustedProviders entry, or a reserved built-in id. In addition, the OIDC and SAML callbacks no longer derive trust from a trustedProviders name match; SSO trust comes solely from verified domain ownership (domainVerified). handleOAuthUserInfo gains a trustProviderByName option (default true, preserving social-provider behavior) that the SSO plugin sets to false.

  • #9965 5e49c56 Thanks @gustavovalverde! - Passing activeOrganizationId, activeTeamId, or impersonatedBy to /update-session now returns a 400. Change these plugin-managed session fields through their dedicated endpoints instead, such as organization.setActive.

  • Updated dependencies [cb1cbfa, cb1cbfa, cb1cbfa, cb1cbfa, cb1cbfa, cb1cbfa]:

    • @better-auth/core@1.6.16
    • @better-auth/drizzle-adapter@1.6.16
    • @better-auth/kysely-adapter@1.6.16
    • @better-auth/memory-adapter@1.6.16
    • @better-auth/mongo-adapter@1.6.16
    • @better-auth/prisma-adapter@1.6.16
    • @better-auth/telemetry@1.6.16
Commits
  • 1a3c8c4 chore: release v1.6.16 (#9958)
  • cb1cbfa fix: address bug findings across packages (#9974)
  • a6b0295 fix(sso): consume SAML AuthnRequest atomically (#9972)
  • 87e7aa5 fix(api): validate Origin/Referer on cookieless email sign-in and sign-up (#9...
  • 893cf6c fix(session): honor server-side session deletion in update-session and token ...
  • 5e49c56 fix(auth): mark plugin-owned session fields as non-input (#9965)
  • afcb4dd docs(two-factor): document newSession is null during 2FA challenge (#9957)
  • See full diff in compare view

Updates hono from 4.12.24 to 4.12.25

Release notes

Sourced from hono's releases.

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

Commits

Updates fallow from 2.89.0 to 2.92.1

Release notes

Sourced from fallow's releases.

v2.92.1: rule packs, boundaries v2, bigger security engine, agent evidence

v2.92.1 turns project policy into data, ships a second generation of architecture boundaries, expands the security candidate engine, and gives coding agents richer evidence to act on.

Policy as data: declarative rule packs

The new rulePacks config key lists standalone JSON/JSONC pack files of banned-call and banned-import rules. Packs load as pure data: loading one never executes project code.

// .fallowrc.json
{ "rulePacks": ["./rule-packs/team-policy.jsonc"] }

Matches report as policy-violation findings identified by <pack>/<rule-id> across human, JSON, SARIF, CodeClimate, compact, and markdown output, LSP diagnostics, baselines, audit attribution, regression counts, and the GitHub Action / GitLab CI summaries. banned-call matching is segment-aware and import-resolved (one child_process.* pattern covers named, namespace, and default imports of child_process / node:child_process); banned-import matches raw specifiers segment-aware (moment covers moment/locale/nl, never moment-timezone). Rules scope via files / exclude globs and carry an optional per-rule severity over the new rules."policy-violation" master (default warn for a safe first rollout). Suppress with // fallow-ignore-next-line policy-violation. The new fallow rule-pack-schema command prints the pack JSON Schema for editor autocomplete.

Boundaries v2: forbidden calls and full-file coverage

Boundary zones gained two policy sections.

boundaries.calls.forbidden bans callee patterns per zone, so a domain layer can stay free of process execution or logging:

{
  "boundaries": {
    "calls": {
      "forbidden": [
        { "from": "domain", "callee": "child_process.*" },
        { "from": "domain", "callee": ["console.*", "process.exit"] }
      ]
    }
  }
}

Matching is segment-aware and import-resolved, including optional-chaining call sites. Violations report as boundary_call_violations, sharing the boundary-violation severity and suppression token.

boundaries.coverage.requireAllFiles reports any analyzed source file that falls into no configured zone as a boundary_coverage_violations finding, with allowUnmatched for generated or intentionally unzoned paths.

A bigger security candidate engine

fallow security got a large batch of accuracy, scoping, and output work this release:

  • Newly-reachable gate. fallow security --gate newly-reachable --changed-since <ref> exits 8 only when an existing sink that was not runtime-reachable in the base tree becomes runtime-reachable in head. The GitHub Action exposes this as security-gate: newly-reachable; GitLab as FALLOW_SECURITY_GATE.
  • Multi-hop local taint. Source-backing now follows up to three chained same-module local bindings, so injection shapes routed through one or two intermediate variables upgrade to arg-level confidence with the trace anchored at the original read.
  • Fewer false positives. Trusted local sanitizer flows are suppressed, statically constant values no longer fire sink rules, and fixed-origin dynamic URLs are classified separately from SSRF / open-redirect candidates (url_shape).
  • Richer JSON. Security JSON and summary JSON now carry version, elapsed_ms, a privacy-safe config block, optional unresolved_callee_diagnostics, and a compact summary payload. The independent security JSON schema version is now "6".
  • Configurable request receivers. security.requestReceivers adds project-local request object names to the built-in req / request / ctx / context / event allowlist.
  • Clearer human output. The renderer now leads by explaining that findings are items to check, not confirmed vulnerabilities, with plain-language evidence labels.

Evidence for agents

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.92.1] - 2026-06-10

Added

  • Declarative rule packs encode project policy as pure data. The new rulePacks config key lists standalone JSON/JSONC pack files of banned-call and banned-import rules; loading a pack never executes project code. Matches report as policy-violation findings identified by <pack>/<rule-id> across human, JSON, SARIF, CodeClimate, compact, and markdown output, LSP diagnostics, baselines, audit attribution, regression counts, and the GitHub Action / GitLab CI summaries. banned-call matching is segment-aware and import-resolved (one child_process.* pattern covers child_process / node:child_process named, namespace, and default imports, and fires on literal-only and zero-argument calls); banned-import matches raw specifiers segment-aware (moment covers moment/locale/nl, never moment-timezone) over imports and re-exports, with ignoreTypeOnly to admit type-only imports. Rules scope via files / exclude globs and carry an optional per-rule severity that overrides the new rules."policy-violation" master (default warn for a safe first rollout; the exit-code gate reads the effective per-finding severity, so one error rule fails the run even under a warn master, and off on the master is a kill switch). Suppress with // fallow-ignore-next-line policy-violation (one token covers every pack rule). The new fallow rule-pack-schema command prints the pack JSON Schema for editor autocomplete, and invalid packs (unknown kind, missing file, inert callee pattern, glob traversal, duplicate ids) fail config load loudly. (Closes #1148.)
  • Boundary zones can now forbid specific calls. The new boundaries.calls.forbidden section bans callee patterns per zone ({ "from": "domain", "callee": "child_process.*" }, with callee accepting a string or an array). Matching is segment-aware and import-resolved, so one pattern covers child_process and node:child_process named, namespace, and default imports as well as globals like console.*. Violations report as boundary_call_violations across human, JSON, SARIF, CodeClimate, compact, and markdown output, LSP diagnostics, baselines, audit attribution, and CI summaries, sharing the boundary-violation severity and suppression token (the rule-id-shaped boundary-call-violation token is accepted as an alias for the boundary family). Optional-chaining call sites (cp?.exec()) match like their non-optional form. Forbidden-call rules apply only to files classified into a zone; a rule pointing at a zone that matches no files warns at analysis time, and inert patterns such as a bare * are rejected at config load. (Refs #1147.)
  • Boundary zones can now require full file coverage. The new boundaries.coverage section adds requireAllFiles and allowUnmatched, so teams can require every analyzed source file to fall into a configured boundary zone. Files matching no zone report as boundary coverage findings across human, JSON, SARIF, CodeClimate, compact, and markdown output, LSP diagnostics, baselines, regression counts, the GitHub Action / GitLab CI summaries, and the generated schemas. Coverage findings honor per-file boundary-violation severity overrides and the shared boundary suppression token, and render in human output even when they are the only structure finding. (Refs #1147.)
  • fallow init --agents now scaffolds a starter AGENTS.md. The new opt-in init mode writes a short project guidance template for coding agents, including entry-point, architecture, command, and fallow workflow prompts. When the project shape is reliably detectable, the scaffold prefills the install, test, and typecheck commands and the monorepo module-boundary line from package.json (including the packageManager field) and pnpm-workspace.yaml, marks prefilled commands with a provenance comment, and leaves anything ambiguous blank rather than guessing (no lockfile-sniffed package managers, no test framework when several are present). It refuses to overwrite an existing AGENTS.md and does not compute or imply a project readiness score. (Closes #1124.)
  • The GitHub Action and GitLab CI template now expose the security delta gate. Use command: security with security-gate: new or security-gate: newly-reachable in the Action, or FALLOW_COMMAND: "security" with FALLOW_SECURITY_GATE in GitLab. The wrappers forward to the existing fallow security --gate modes, count only matching gate candidates for the issues output, keep exit code 8 for gated security failures, and skip typed PR/MR comment renderers that do not support security envelopes yet. (Closes #886.)
  • MCP now includes inspect_target for one evidence bundle per file or exported symbol. The new read-only tool accepts a tagged file or symbol target and composes existing trace, dead-code, duplication, complexity, and security evidence into one typed JSON bundle. Symbol targets include precise trace_export identity plus explicit file-scoped evidence sections for the analyses that do not yet expose enclosing-symbol mapping. (Closes #1144.)
  • MCP adds code_execute, a read-only Code Mode sandbox. Agents can compose several fallow analysis calls in one bounded JavaScript run instead of shelling out repeatedly. The tool exposes a frozen, allowlisted fallow host API, injects a default root, rejects mutating fix tools, and returns a stable mcp-code-execute/v1 envelope with call metadata and limits. It runs QuickJS under memory, stack, timeout, host-call, code-size, and output limits, redirects fallow subprocess output through temporary files so large JSON cannot deadlock pipes, and fails oversized or timed-out runs with structured errors. Mutating fixes remain available only through the existing standalone MCP tools.
  • fallow security --summary --format json now carries scan metadata. Summary JSON now includes the same version, elapsed_ms, and privacy-safe config block as full security JSON, carries security _meta when --explain is set, and adds fixed reachability and runtime-state aggregate buckets while still omitting candidate arrays. (Closes #1139.)
  • fallow health --targets --format json now includes relation evidence for agents. Refactoring target evidence can now include direct importers with imported symbols and duplicate-code siblings with stable clone fingerprints, reusing existing graph and duplicate analysis data. Human target output shows the extra caller and clone lines only when that evidence is present, and generated schema and TypeScript output contracts are updated. (Closes #1145.)
  • fallow security --format json now samples unresolved callee blind spots. Security JSON now includes an optional unresolved_callee_diagnostics block with deterministic sample locations, top files, and reason counts for dynamic or computed callees the sink catalogue could not flatten. This bumps the independent security JSON schema version, and the diagnostics follow --file, --workspace, --changed-since, and --gate new scoping. (Closes #1134.)
  • fallow security --summary --format json now emits a compact aggregate payload. Summary JSON keeps kind: "security", schema_version, and an optional gate block, but replaces candidate arrays with summary counts by severity, category, unresolved static-analysis limits, and attack-surface entry count. The generated schema documents both the full and summary security JSON shapes. (Closes #1132.)
  • fallow security --format json now includes scan metadata. Security JSON now emits the CLI version, elapsed_ms, and a privacy-safe config block with configured and effective security rule severities plus category include/exclude filters. --explain is now valid for security JSON and adds a security-specific _meta block. This bumps the independent security JSON schema version, and the generated schema and TypeScript output contracts are updated. (Closes #1135.)
  • fallow security --gate newly-reachable now catches existing sinks newly exposed from entry points. The gate compares head security candidates against a base-tree reachability snapshot from --changed-since <ref>, then exits 8 only when a matching candidate was not runtime-reachable in base but is runtime-reachable in head. Diff-only inputs still exit 2 because this mode needs a materialized base tree. JSON and SARIF reuse the existing additive gate block with mode: "newly-reachable", and MCP security_candidates accepts the same gate value. (Closes #1056.)
  • fallow security can extend HTTP request receiver detection from config. security.requestReceivers now adds project-local request object names to the built-in req / request / ctx / context / event allowlist for *.query, *.params, and *.body source reads. Values are trimmed, case-normalized, and additive only, while ORM receivers remain excluded and *.searchParams stays ungated. (Closes #1125.)

Changed

  • Invalid plugin config regexes now fail with exit code 2. Regex values from plugin path-rule exclusions are validated after config parsing and aggregated into one invalid-config error instead of being dropped with a warning. This covers entry-pattern and used-export rules from built-in and external plugins, including TanStack Router route ignore patterns. External plugin config_patterns collisions and enabler typo diagnostics remain warnings. (Closes #513.)
  • fallow security human output now leads with candidate framing. The human renderer's first lines explain that findings are items to check, not confirmed vulnerabilities, and evidence, code paths, import traces, and blind spots now use plain-language labels. JSON, SARIF, MCP, and downstream verifier output keep the detailed candidate framing unchanged.

Fixed

  • VS Code tooltips now escape names taken from analyzed code. The complexity hover interpolated function names into tooltip markdown unescaped, so a crafted function name in the analyzed project could spoof tooltip content. All extension tooltips now share one canonical pair of markdown escape helpers (an inline variant that normalizes whitespace and a multiline variant that preserves it), and normal names render unchanged in the editor.
  • fallow security now traces untrusted input through chained local bindings. Source-backing follows up to three chained same-module local bindings (const a = req.query.id; const b = `x-${a}`; execSync(`run ${b}`)), so common injection shapes that route a request value through one or two intermediate variables are upgraded to arg-level confidence with the trace anchored at the original read instead of staying module-level. Chains stay conservative: only plain aliases and template / string-concat / object-literal initializers chain (call, conditional, and property-read initializers do not), and a flow past the chain limit degrades to module-level rather than claiming arg-level. Set RUST_LOG=debug to see when a chain is dropped for exceeding the limit. (Closes #1146.)
  • fallow audit no longer diffs against a stale local default branch. With no --base, audit auto-detected the comparison base by discovering the default branch via origin/HEAD but returning the bare name main, which git resolves to the local refs/heads/main. On long-lived worktree checkouts cut from origin/main whose local main is never updated, this diffed every branch against an ancient base, surfaced the whole already-merged delta as changed, and could fail the agent gate on a one-line change. Auto-detection now resolves the base to the git merge-base (fork point) against the branch's upstream or the remote default (origin/HEAD, then origin/main, then origin/master), mirroring the fallow hooks install --target git pre-commit hook. The merge-base is also immune to an unfetched origin/main in the false-fail direction. Repositories with no origin remote still fall back to the local main / master branch, so offline checkouts are unaffected. A new FALLOW_AUDIT_BASE environment variable pins the base without editing the generated agent gate script (for example FALLOW_AUDIT_BASE=upstream/main on a fork), taking effect when no --base / --changed-since is passed. The human audit scope line now shows the resolved base with its provenance, for example vs a1b2c3d4e5f6 (merge-base with origin/main). Thanks @Zain-Bin-Arshad for the detailed report. (Closes #1168.)
  • napi-rs prebuilt platform packages no longer report as unused optional dependencies. Fallow now reads current package.json#napi metadata, derives platform package names from napi.packageName or package.json name, and credits only matching entries already present in optionalDependencies. Unrelated optional packages still report. Thanks @BartWaardenburg for the report. (Closes #1164.)
  • VS Code sidebar clicks now recover encoded dynamic route brackets before opening files. If a tree item receives an already encoded Next.js route segment such as %5BactivityId%5D, the extension decodes the route brackets before handing the filesystem path to VS Code or Cursor. This prevents the editor URI from double-encoding those segments to %255B...%255D and opening a nonexistent file. Thanks @Ados12 for the report. (Closes #1160.)
  • fallow security now suppresses trusted local sanitizer flows. The tainted-sink detector recognizes syntax-proven local HTML escape helpers, renderer helpers whose dynamic HTML text fragments are fully sanitizer-backed, and SQL identifier quoting helpers used in identifier positions. Mixed HTML or SQL templates with unsanitized dynamic fragments still report as candidates, and SQL identifier quoting is not treated as value parameterization. (Closes #1136.)
  • fallow security now classifies fixed-origin dynamic URL candidates separately. SSRF and open-redirect candidates whose URL expression has a fixed origin with dynamic path or query now carry candidate.sink.url_shape: "fixed-origin-dynamic-path" and lower-alarm evidence, while dynamic-origin expressions carry url_shape: "dynamic-origin" when statically visible. Existing security categories and suppressions are unchanged, and the independent security JSON schema version is now "6" (up from "2" in v2.91.0). (Closes #1137.)
  • fallow security now preserves source-backed ranking inside each severity tier. The final CLI ordering still groups candidates by high, medium, then low severity, but same-tier ties now keep the existing runtime, arg-level/source-backed, module-level source reachability, blast-radius, boundary, and dead-code ranking signals before falling back to path order. This keeps stronger candidates ahead of weaker same-severity candidates without changing schema shape or treating any candidate as a proven vulnerability. (Closes #1133.)
  • fallow security no longer fires sink rules on statically known constant values. Simple module-scope constant expressions are now classified before security sink matching, with literal metadata carried through const identifiers, String(...) coercion, unary numeric constants, and constant-only templates, so non-literal catalogue rows do not match a value that is statically constant. Public CI metadata env names (build refs, SHAs) are treated as non-secret sources unless the name is secret-shaped, keeping them out of source-backed logging candidates while still flagging tokens and keys. (Closes #1138.)
  • fallow security --help no longer lists global flags the command rejects. Inherited global flags that fallow security rejects through its structured validation path are now hidden from both security --help and help security, keeping the help surface aligned with runtime behavior without changing how unsupported flags are parsed or reported. --explain stays visible and supported after the metadata work. (Closes #1131.)
  • A single huge minified bundle no longer exhausts memory during discovery. Vite-style generated assets can sit under the per-file byte limit while still expanding into very large parser and extraction payloads. While the max-file-size guard is enabled, source discovery now treats large one-line JS assets as generated output and skips them, recording each as a skipped-minified-file diagnostic on stderr and in --format json. --max-file-size 0 opts out, declaration files and large multiline JS stay in the analyzed set, and the output schema, generated TypeScript contracts, and CLI reference document the new diagnostic kind. (Closes #1086.)
  • JSON output now carries the telemetry analysis run id when telemetry is enabled. With opt-in telemetry active, --format json adds an analysis_run_id so a run's JSON output can be correlated with its uploaded usage event. The field is omitted when telemetry is disabled or in inspect mode.

[2.91.0] - 2026-06-09

Added

  • fallow security --surface now recognizes declarative validation boundaries. Route-level validation declarations in Elysia, Fastify, tRPC, Hono, NestJS, and express-validator are now surfaced as validation controls in defensive-boundary context when the framework package is imported or required. The annotation changes the verification prompt from the zero-control variant to the existing "are they sufficient" question, but it does not suppress candidates, prove exploitability, or add a new output schema field. (Closes #1094.)
  • fallow explain now documents security candidate categories. The standalone explain command now accepts tainted-sink, client-server-leak, hardcoded-secret, and every surfaced security/<category> tainted-sink rule id from the security catalogue, with candidate-focused rationale and fix guidance. This is documentation and lookup coverage only: fallow security detection, output, and candidate framing are unchanged. (Closes #1098.)
  • fallow security now recognizes source-backed local expression bindings. Tainted-sink candidates now keep the source-backed ranking signal when a local binding embeds request input or another known source inside a template literal, string concatenation, or object literal before reaching a sink. This improves evidence for common injection shapes such as command or regex construction without adding new finding categories, changing gates, or treating candidates as verified vulnerabilities. (Closes #1095.)
  • fallow security now has an end-to-end agent verification recipe. The new guide shows how to combine fallow security --format json --surface, candidate evidence, source windows gathered by the caller, and MCP security_candidates output into a verifier-filtered survivor list. The recipe keeps model calls outside fallow core and treats fallow output as deterministic candidate evidence, not verified vulnerabilities. (Closes #1099.)
  • fallow security now derives per-candidate severity tiers. Security findings now carry a required severity field (high, medium, or low) based on existing reachability, boundary, source-backed, and runtime-hot signals. Human output prefixes candidates with the tier, JSON bumps the independent security schema version to "2", and SARIF maps high/medium candidates to warning while leaving low candidates at note. The tier is review priority only: it does not mark candidates as verified vulnerabilities and does not change gate or exit semantics. (Closes #1096.)
  • Opt-in telemetry now includes coarse analysis-scale buckets for slow workflow triage. file_count_bucket, function_count_bucket, and avg_fan_out_bucket segment eligible analysis runs into allowlisted size ranges while keeping exact counts, paths, package names, exact dependency graph shape, and expensive structural metrics out of the payload. The fields are optional and are emitted only from counts or graph counters already computed by the workflow. Combined and audit workflows keep the largest bucket reported by their sub-analyses. (Closes #1064.)
  • Telemetry now separates admin workflow buckets. Opt-in CLI telemetry now records coarse project_inventory, setup, and license workflow labels for admin and setup commands that previously collapsed into unknown. The payload remains allowlisted and still does not include raw commands, paths, config values, repository identifiers, or license identifiers. (Closes #1061.)

... (truncated)

Commits
  • 1f9aaac chore: release v2.92.1
  • fcc7126 fix(ci): cross-compile aarch64-musl MCP binary with cargo-zigbuild
  • fd30d63 chore: release v2.92.0
  • d4f42ab chore: regenerate plugin schema and record vscode hover escaping fix (#1181)
  • 3e93fdd docs: link rule-pack per-rule suppression follow-up to #1180
  • d0ca8ab feat(config): declarative rule packs with policy-violation findings
  • 1f5b9e7 fix(boundaries): accept the boundary-call-violation suppression token (#1178)
  • a999409 feat(init): prefill AGENTS.md scaffold from detected project info (#1177)
  • cfb3e5b chore: refresh code quality setup
  • f4a218f fix(vscode): consolidate markdown escaping and escape complexity hover names ...
  • Additional commits viewable in compare view

Updates prettier from 3.8.3 to 3.8.4

Release notes

Sourced from prettier's releases.

3.8.4

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.4

```markdown
<!-- Input -->
- a


b


c

d



<!-- Prettier 3.8.3 -->

a

b


c

d



<!-- Prettier 3.8.4 -->


a

b



c

d
```

Commits
  • 1c6ba55 Release 3.8.4
  • 4a673dc Fix blank lines between list items and nested sub-lists being removed in Mark...
  • 074aaed Replace main branch in changelog link with tags (#19054)
  • c22a003 Bump Prettier dependency to 3.8.3
  • 07bad1f Clean changelog_unreleased
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the npm-deps group with 4 updates: [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth), [hono](https://github.com/honojs/hono), [fallow](https://github.com/fallow-rs/fallow) and [prettier](https://github.com/prettier/prettier).


Updates `better-auth` from 1.6.15 to 1.6.16
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/better-auth@1.6.16/packages/better-auth)

Updates `hono` from 4.12.24 to 4.12.25
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.24...v4.12.25)

Updates `fallow` from 2.89.0 to 2.92.1
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.89.0...v2.92.1)

Updates `prettier` from 3.8.3 to 3.8.4
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.8.3...3.8.4)

---
updated-dependencies:
- dependency-name: better-auth
  dependency-version: 1.6.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: hono
  dependency-version: 4.12.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: fallow
  dependency-version: 2.92.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: prettier
  dependency-version: 3.8.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 18, 2026
@mroderick mroderick merged commit fb0579d into main Jun 18, 2026
6 checks passed
@mroderick mroderick deleted the dependabot/npm_and_yarn/npm-deps-6eaa004f7b branch June 18, 2026 15:01