deps: bump the dependencies group with 10 updates

[dependabot]

Bumps the dependencies group with 10 updates:

Package	From	To
domhandler	5.0.3	6.0.1
@arethetypeswrong/cli	0.18.2	0.18.3
@biomejs/biome	2.4.15	2.4.16
@types/node	25.8.0	25.9.1
lefthook	2.1.6	2.1.9
tsdown	0.22.0	0.22.1
ultracite	7.7.0	7.8.1
valibot	1.4.0	1.4.1
vite	8.0.13	8.0.16
vitest	4.1.6	4.1.8

Updates domhandler from 5.0.3 to 6.0.1

Release notes

Sourced from domhandler's releases.

v6.0.1

What's Changed

• add JSR import map for domelementtype

Full Changelog: fb55/domhandler@v6.0.0...v6.0.1

v6.0.0

What's Changed

BREAKING: domhandler is now ESM-only fb55/domhandler#1867

Full Changelog: fb55/domhandler@v5.0.3...v6.0.0

Commits

• 8f66071 6.0.1
• 39183cd ci: add JSR import map for domelementtype
• a54417e build(deps-dev): Bump @​feedic/eslint-config from 0.2.3 to 0.3.1 (#1865)
• 1346b9c 6.0.0
• 4a790c7 refactor!: ESM-only (#1867)
• 39f39e9 build(deps-dev): Bump typescript-eslint from 8.57.0 to 8.57.1 (#1866)
• 5a45546 build(deps-dev): Bump @​eslint/compat from 2.0.2 to 2.0.3 (#1864)
• 76be7b1 build(deps-dev): Bump typescript-eslint from 8.56.1 to 8.57.0 (#1863)
• 07eb031 build(deps-dev): Bump @​biomejs/biome from 2.4.6 to 2.4.7 (#1862)
• 5d68735 chore: Remove Tidelift funding information (#1861)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for domhandler since your current version.

Updates @arethetypeswrong/cli from 0.18.2 to 0.18.3

Release notes

Sourced from @​arethetypeswrong/cli's releases.

@​arethetypeswrong/cli@​0.18.3

Patch Changes

• 14e61d5: Update @​types/node, use @​typescript/native-preview for local build/check
• Updated dependencies [14e61d5]
• Updated dependencies [25031aa]
  • @​arethetypeswrong/core@​0.18.3

Changelog

Sourced from @​arethetypeswrong/cli's changelog.

0.18.3

Patch Changes

• 14e61d5: Update @​types/node, use @​typescript/native-preview for local build/check
• Updated dependencies [14e61d5]
• Updated dependencies [25031aa]
  • @​arethetypeswrong/core@​0.18.3

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​arethetypeswrong/cli since your current version.

Updates @biomejs/biome from 2.4.15 to 2.4.16

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.16

2.4.16

Patch Changes

• #10329 ef764d5 Thanks @​Conaclos! - Fixed an issue where diagnostics showed an incorrect location in Astro files.

• #10363 50aa415 Thanks @​dyc3! - Fixed HTML formatting for a case where comments could cause the formatter to split up a closing tag, which would cause the resulting HTML to be syntactically invalid.

  Input:

  <span
    ><!-- 1
  --><span>a</span
    ><!-- 2
  --><span>b</span
    ><!-- 3
  --></span>

  Output:

    <span
  	  ><!-- 1
  - --> <span>a</span<!-- 2
  - --> ><span>b</span><!-- 3
  + --><span>a</span><!-- 2
  + --><span>b</span><!-- 3
    --></span
    >

• #10465 0c718da Thanks @​dfedoryshchev! - Fixed diagnostics emitted by the noUntrustedLicenses rule.

• #10358 05c2617 Thanks @​dyc3! - Fixed #10356: biome rage --linter now displays rules enabled through linter domains in the enabled rules list.

• #10300 950247c Thanks @​dyc3! - Fixed #10265: Svelte function bindings such as bind:value={get, set} are now parsed more precisely, so noCommaOperator won't emit false positives for that syntax anymore.

• #9786 e71f584 Thanks @​MeGaNeKoS! - Fixed #8480: useDestructuring now provides variableDeclarator and assignmentExpression options to control which contexts enforce destructuring, matching ESLint's prefer-destructuring configuration. Both default to {array: true, object: true}. The diagnostic for object destructuring in assignment expressions now instructs users to wrap the assignment in parentheses.

• #10425 1948b72 Thanks @​sjh9714! - Fixed #10244: The useOptionalChain rule now detects negated guard inequality chains like !foo || foo.bar !== "x".

• #10442 001f94f Thanks @​ematipico! - Fixed #10411: noMisusedPromises no longer causes a stack overflow when a nested function returns an object with shorthand properties that shadow destructured variables from an outer scope.

• #10318 9b1577f Thanks @​dyc3! - Added support for formatter.trailingCommas in overrides. This option was previously available in the top-level formatter configuration but missing from formatter overrides.

• #10319 2e37709 Thanks @​dyc3! - Fixed Vue and Svelte formatting for standalone interpolations in inline elements. Biome now preserves existing newlines in cases like:

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.16

Patch Changes

• #10329 ef764d5 Thanks @​Conaclos! - Fixed an issue where diagnostics showed an incorrect location in Astro files.

• #10363 50aa415 Thanks @​dyc3! - Fixed HTML formatting for a case where comments could cause the formatter to split up a closing tag, which would cause the resulting HTML to be syntactically invalid.

  Input:

  <span
    ><!-- 1
  --><span>a</span
    ><!-- 2
  --><span>b</span
    ><!-- 3
  --></span>

  Output:

    <span
  	  ><!-- 1
  - --> <span>a</span<!-- 2
  - --> ><span>b</span><!-- 3
  + --><span>a</span><!-- 2
  + --><span>b</span><!-- 3
    --></span
    >

• #10465 0c718da Thanks @​dfedoryshchev! - Fixed diagnostics emitted by the noUntrustedLicenses rule.

• #10358 05c2617 Thanks @​dyc3! - Fixed #10356: biome rage --linter now displays rules enabled through linter domains in the enabled rules list.

• #10300 950247c Thanks @​dyc3! - Fixed #10265: Svelte function bindings such as bind:value={get, set} are now parsed more precisely, so noCommaOperator won't emit false positives for that syntax anymore.

• #9786 e71f584 Thanks @​MeGaNeKoS! - Fixed #8480: useDestructuring now provides variableDeclarator and assignmentExpression options to control which contexts enforce destructuring, matching ESLint's prefer-destructuring configuration. Both default to {array: true, object: true}. The diagnostic for object destructuring in assignment expressions now instructs users to wrap the assignment in parentheses.

• #10425 1948b72 Thanks @​sjh9714! - Fixed #10244: The useOptionalChain rule now detects negated guard inequality chains like !foo || foo.bar !== "x".

• #10442 001f94f Thanks @​ematipico! - Fixed #10411: noMisusedPromises no longer causes a stack overflow when a nested function returns an object with shorthand properties that shadow destructured variables from an outer scope.

• #10318 9b1577f Thanks @​dyc3! - Added support for formatter.trailingCommas in overrides. This option was previously available in the top-level formatter configuration but missing from formatter overrides.

• #10319 2e37709 Thanks @​dyc3! - Fixed Vue and Svelte formatting for standalone interpolations in inline elements. Biome now preserves existing newlines in cases like:

... (truncated)

Commits

• 5f4ea56 ci: release (#10326)
• de2a33c fix(core): regression in emitted types (#10478)
• d835303 docs: remove redundant default phrase in useConsistentObjectDefinitions rul...
• 4f1aaf2 fix: incorrect build when using build or test (#10426)
• dc73b6b refactor: make plugins opt-in via feature gate (#10418)
• e71f584 feat(useDestructuring): add options for assignment/declaration and improve di...
• 9b1577f fix(config): support trailingCommas in overrides (#10318)
• See full diff in compare view

Updates @types/node from 25.8.0 to 25.9.1

Commits

• See full diff in compare view

Updates lefthook from 2.1.6 to 2.1.9

Release notes

Sourced from lefthook's releases.

v2.1.9

Changelog

• 1d35cbabe1ebaf2a5ed4d2186caa0402de6448e2 chore: add pretty gradient (#1432)
• 22be6c50e1412c748f3c6b60e9c61cd056dc693b deps: May 2026 (#1415)
• 1bae568f03dfb88af9185031fa44e9fee285e917 fix: update hooks path after resetting (#1431)

v2.1.8

Changelog

• 488a5f99a5a496e5837f757f8ce3e6c6d1415792 fix: do not warn if local hooks path is equal to default hooks path (#1421)

v2.1.7

Changelog

• f415a9d3fce1d4f6af62622cf96c72e04ecf7bd3 chore: go mod tidy
• cf4ab9ea4580f5aeb0d4b61d4dd169533e5bb0c9 fix: always restore unstaged changes (#1416)
• 4c0e000d6fe9f35f42efefb9263b0b4cb5dfbd49 fix: apply stage_fixed only if it is safe (#1418)
• 76aa843ef5ceb6970f61cd2ff28d16dd2ec82272 fix: linter, sacrifice optimization for readability
• 9d53c36ed9a26d3bf66e341a9650a0ecac9b6a37 fix: separate fallback push branch from pathspecs (#1396)
• 22c9f773cf93b59005bd244c5b00caab2947a755 fix: try to always restore unstaged changes (#1417)
• 37d83986d8e6d6bf6792f57e22e7cbb1a9e28064 fix: use contrast colors (#1420)
• eb1064d0b8c6248627960bea1abf6891db5a21b1 refactor: add new logger without a global state (#1385)

Changelog

Sourced from lefthook's changelog.

2.1.9 (2026-05-29)

• fix: update hooks path after resetting (#1431) by @​mrexox
• deps: May 2026 (#1415) by @​mrexox

2.1.8 (2026-05-19)

• fix: do not warn if local hooks path is equal to default hooks path (#1421) by @​mrexox

2.1.7 (2026-05-19)

• fix: use contrast colors (#1420) by @​mrexox
• fix: apply stage_fixed only if it is safe (#1418) by @​mrexox
• fix: try to always restore unstaged changes (#1417) by @​mrexox
• fix: always restore unstaged changes (#1416) by @​mrexox
• refactor: add new logger without a global state (#1385) by @​mrexox
• fix: linter, sacrifice optimization for readability by @​mrexox
• fix: separate fallback push branch from pathspecs (#1396) by @​lawrence3699

Commits

• 75f99ff 2.1.9: fix install with --reset-hooks-path
• 1d35cba chore: add pretty gradient (#1432)
• 1bae568 fix: update hooks path after resetting (#1431)
• 22be6c5 deps: May 2026 (#1415)
• 9e75b21 2.1.8: reduce warning for core.hooksPath if it matches the default
• 488a5f9 fix: do not warn if local hooks path is equal to default hooks path (#1421)
• b5c8310 2.1.7: restore unstaged changes when possible
• 37d8398 fix: use contrast colors (#1420)
• 4c0e000 fix: apply stage_fixed only if it is safe (#1418)
• 22c9f77 fix: try to always restore unstaged changes (#1417)
• Additional commits viewable in compare view

Updates tsdown from 0.22.0 to 0.22.1

Release notes

Sourced from tsdown's releases.

v0.22.1

   🚀 Features

• dts: Add deps.dts option to override dependency bundling for declaration files  -  by @​sxzz (881bf)

   🐞 Bug Fixes

• Improve error handling for unsupported TypeScript syntax on Node.js  -  by @​sxzz (b93db)
• Add extra space for emoji rendering in Windows Terminal  -  by @​sxzz (925cc)
• unbundle: Add shims support for unbundled builds  -  by @​sxzz (fc991)

    View changes on GitHub

Commits

• 0bddff1 chore: release v0.22.1
• fc9913d fix(unbundle): add shims support for unbundled builds
• 3504171 chore: upgrade deps
• 881bf0d feat(dts): add deps.dts option to override dependency bundling for declarat...
• 937f253 ci: use actionspack to bundle workflows
• 6c92bcd chore: upgrade deps
• 6ac0214 chore: upgrade deps
• 5d6b054 refactor: tsup outExtension migration compatibility (#950)
• d424e08 docs: remove dts.cjsReexport and clarify Node.js requirement
• 27dee93 docs: clarify dts.cjsReexport outDir limitation and CJS maintenance status
• Additional commits viewable in compare view

Updates ultracite from 7.7.0 to 7.8.1

Release notes

Sourced from ultracite's releases.

ultracite@7.8.1

Patch Changes

• 8335be7: Build the CLI with bun build and a tsgo type-check gate instead of tsup.
• f747449: Fix the Oxlint TanStack preset so route files under routes/ and app/routes/ are exempt from unicorn/filename-case, matching the documented 7.8.0 behavior.
• 092597e: Fix generated oxlint.config.ts to be pre-formatted according to oxfmt rules, so ultracite check passes immediately after ultracite init without requiring a separate format step.
• 81da6e8: Generate agent and editor hook commands through nypm's package-manager script helper.
• 81da6e8: Keep hyphen-prefixed file operands from being forwarded to linters as options.

ultracite@7.8.0

Minor Changes

• 4e2fea0: Add a dedicated tanstack framework preset for Biome, ESLint, and Oxlint. The ESLint preset layers @tanstack/eslint-plugin-query, @tanstack/eslint-plugin-router, and @tanstack/eslint-plugin-start, while the Biome and Oxlint presets relax file-naming conventions for routes/ directories and the generated routeTree.gen.ts. Framework detection now maps @tanstack/react-query, @tanstack/react-router, and @tanstack/react-start to the new tanstack preset.

  Two behavior changes for existing consumers: TanStack Query rules now live in the tanstack preset instead of react, so projects that relied on Query rules must opt into tanstack; and TanStack Router projects now resolve to the tanstack preset rather than remix.

Patch Changes

• 51a2af0: Recognize .biome.json and .biome.jsonc as valid Biome config files across the CLI. detectLinter, the doctor command, and the Biome config resolver now match the dot-prefixed names alongside biome.json/biome.jsonc, following Biome's documented configuration file resolution order. Closes #700.

• 14b557c: Harden the generated standalone Husky hook by using git add -- "$file" when restaging formatted files. This prevents option-shaped filenames from being interpreted as Git options during the hook.

• baa3dd0: Add ignorePatterns to the generated oxlint config at the root level so they are actually applied. Oxlint does not merge ignorePatterns through extends (see oxc-project/oxc#10223), so patterns set in the core preset were silently ignored. The generated config now sets ignorePatterns: core.ignorePatterns at the top level, reusing the patterns from the imported core preset.

• bd27fd4: Add newly supported Oxlint rules from the latest release to the core, React, and Vitest presets:

  • Core: id-match, no-implicit-globals, no-implied-eval, prefer-arrow-callback, prefer-regex-literals, import/newline-after-import, jsdoc/require-throws-description, jsdoc/require-throws-type, and jsdoc/require-yields-type
  • React: jsx-a11y/control-has-associated-label, jsx-a11y/no-interactive-element-to-noninteractive-role, jsx-a11y/no-noninteractive-element-interactions, jsx-a11y/no-noninteractive-element-to-interactive-role, react/no-object-type-as-default-prop, and react/no-unstable-nested-components
  • Vitest: vitest/padding-around-after-all-blocks

• 14b557c: Reject symlinked generated config targets before writing project files. CLI config writers now route through a shared project-file write guard that checks for symlinks and project-root escapes before mutating files.

• 14b557c: Validate package-manager names before generating agent and editor hook commands. Hook configuration now only uses supported package-manager prefixes, preventing unsafe values from being persisted into later-executed hook commands.

• 14b557c: Reject unsupported package-manager names during ultracite init. Explicit --pm values and detected packageManager metadata are now runtime-validated against the supported package managers before dependency installation, preventing malicious project metadata from selecting an arbitrary executable.

Commits

• e98d16d Version Packages (#711)
• 092597e fix: pre-format generated oxlint.config.ts to match oxfmt rules (#707)
• f747449 fix(oxlint): relax filename-case for TanStack route files (#710)
• 3d6ea4a Remove SVGs from bundle
• 8335be7 Migrate from tsup to bun + tsgo
• 304160d Update README.md
• 81da6e8 Misc fixes
• 02e79d9 Version Packages (#705)
• 37210dd Revert "fix: move mockFs to module scope for unicorn/consistent-function-scop...
• cc16ca2 fix: move mockFs to module scope for unicorn/consistent-function-scoping (#708)
• Additional commits viewable in compare view

Updates valibot from 1.4.0 to 1.4.1

Release notes

Sourced from valibot's releases.

v1.4.1

• Fix intersect schema to infer correct input and output types for non-tuple array options instead of never (pull request #1478)

Commits

• 6991ea7 Bump version to 1.4.1 and update changelog for release (#1479)
• c3a8f07 Fix intersect schema to infer correct types (#1478)
• 106893c Change syntax highlighting form Prism to Shiki (#1468)
• 5949d9e Bump to-json-schema version to 1.7.0 and update changelog for release
• 9f90a74 Bump i18n version to 1.2.0 and update changelog for release
• d00a646 Add release notes for Valibot v1.4 to blog
• See full diff in compare view

Updates vite from 8.0.13 to 8.0.16

Release notes

Sourced from vite's releases.

v8.0.16

Please refer to CHANGELOG.md for details.

v8.0.15

Please refer to CHANGELOG.md for details.

v8.0.14

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.16 (2026-06-01)

Bug Fixes

• deps: reject UNC paths for launch-editor-middleware (#22571) (50b9512)
• reject windows alternate paths (#22572) (dc245c7)

8.0.15 (2026-06-01)

Features

• send 408 on request timeout (#22476) (c85c9ee)
• update rolldown to 1.0.3 (#22538) (646dbed)

Bug Fixes

• capitalize error messages and remove spurious space in parse error (#22488) (85a0eff)
• deps: update all non-major dependencies (#22511) (2686d7d)
• dev: fix html-proxy cache key mismatch for /@fs/ HTML paths (#21762) (47c4213)
• glob: error on relative glob in virtual module when no files match (#22497) (5c8e98f)
• optimizer: close the rolldown bundle when write() rejects (#22528) (e3cfb9d)
• resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#22509) (40985f1)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22566) (3052a67)

Code Refactoring

• correct logic in collectAllModules function (#22562) (6978a9c)

8.0.14 (2026-05-21)

Features

• update rolldown to 1.0.2 (#22484) (96efc88)

Bug Fixes

• deps: update all non-major dependencies (#22471) (98b8163)
• dev: handle errors when sending messages to vite server (#22450) (e8e9a34)
• html: handle trailing slash paths in transformIndexHtml (#22480) (5d94d1b)
• optimizer: pass oxc jsx options to transformSync in dependency scan (#22342) (b3132da)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22470) (7cb728e)
• remove irrelevant commits from changelog (2c69495)

Code Refactoring

• glob: do not rewrite import path for absolute base (#22310) (0ae2844)

... (truncated)

Commits

• f94df87 release: v8.0.16
• dc245c7 fix: reject windows alternate paths (#22572)
• 50b9512 fix(deps): reject UNC paths for launch-editor-middleware (#22571)
• 8d1b019 release: v8.0.15
• 2686d7d fix(deps): update all non-major dependencies (#22511)
• 3052a67 chore(deps): update rolldown-related dependencies (#22566)
• e3cfb9d fix(optimizer): close the rolldown bundle when write() rejects (#22528)
• 6978a9c refactor: correct logic in collectAllModules function (#22562)
• 646dbed feat: update rolldown to 1.0.3 (#22538)
• 85a0eff fix: capitalize error messages and remove spurious space in parse error (#22488)
• Additional commits viewable in compare view

Updates vitest from 4.1.6 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

Commits

• e61f2dd chore: release v4.1.8
• e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• a09d472 chore: release v4.1.7
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[changeset-bot]

⚠️ No Changeset found

Latest commit: b3ce789

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR