build(deps-dev): bump the dev-dependencies group with 4 updates

[dependabot]

Bumps the dev-dependencies group with 4 updates: @biomejs/biome, posthog-node, semantic-release and typescript.

Updates @biomejs/biome from 2.4.8 to 2.5.0

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.5.0

2.5.0

Minor Changes

• #9539 f0615fd Thanks @​ematipico! - Added a new reporter called concise. When --reporter=concise is passed the commands format, lint, check and ci, the diagnostics are printed in a compact manner:

  ! index.ts:2:10: lint/correctness/noUnusedImports: Several of these imports are unused.
  ! main.ts:9:7: lint/correctness/noUnusedVariables: This variable f is unused.
  × index.ts:8:5: lint/suspicious/noImplicitAnyLet: This variable implicitly has the any type.
  × main.ts:2:10: lint/suspicious/noRedeclare: Shouldn't redeclare 'z'. Consider to delete it or rename it.
  

• #9495 2056b23 Thanks @​aviraldua93! - Added the useKeyWithClickEvents a11y lint rule for HTML files (.html, .vue, .svelte, .astro). This is a port of the existing JSX rule. The rule enforces that elements with an onclick handler also have at least one keyboard event handler (onkeydown, onkeyup, or onkeypress) to ensure keyboard accessibility.

  Inherently keyboard-accessible elements (<a>, <button>, <input>, <select>, <textarea>, <option>) are excluded, as are elements hidden from assistive technologies (aria-hidden) or with role="presentation" / role="none".

  <!-- Invalid: no keyboard handler -->
  <div onclick="handleClick()">Click me</div>
  <!-- Valid: has keyboard handler -->
  <div onclick="handleClick()" onkeydown="handleKeyDown()">Click me</div>
  <!-- Valid: inherently keyboard-accessible -->
  <button onclick="handleClick()">Submit</button>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUndeclaredClasses for HTML, JSX, and SFC files (Vue, Astro, Svelte). The rule detects CSS class names used in class="..." (or className) attributes that are not defined in any <style> block or linked stylesheet reachable from the file.

  <!-- .typo is used but never defined -->
  <html>
    <head>
      <style>
        .button {
          color: blue;
        }
      </style>
    </head>
    <body>
      <div class="button typo"></div>
    </body>
  </html>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.5.0

Minor Changes

• #9539 f0615fd Thanks @​ematipico! - Added a new reporter called concise. When --reporter=concise is passed the commands format, lint, check and ci, the diagnostics are printed in a compact manner:

  ! index.ts:2:10: lint/correctness/noUnusedImports: Several of these imports are unused.
  ! main.ts:9:7: lint/correctness/noUnusedVariables: This variable f is unused.
  × index.ts:8:5: lint/suspicious/noImplicitAnyLet: This variable implicitly has the any type.
  × main.ts:2:10: lint/suspicious/noRedeclare: Shouldn't redeclare 'z'. Consider to delete it or rename it.
  

• #9495 2056b23 Thanks @​aviraldua93! - Added the useKeyWithClickEvents a11y lint rule for HTML files (.html, .vue, .svelte, .astro). This is a port of the existing JSX rule. The rule enforces that elements with an onclick handler also have at least one keyboard event handler (onkeydown, onkeyup, or onkeypress) to ensure keyboard accessibility.

  Inherently keyboard-accessible elements (<a>, <button>, <input>, <select>, <textarea>, <option>) are excluded, as are elements hidden from assistive technologies (aria-hidden) or with role="presentation" / role="none".

  <!-- Invalid: no keyboard handler -->
  <div onclick="handleClick()">Click me</div>
  <!-- Valid: has keyboard handler -->
  <div onclick="handleClick()" onkeydown="handleKeyDown()">Click me</div>
  <!-- Valid: inherently keyboard-accessible -->
  <button onclick="handleClick()">Submit</button>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUndeclaredClasses for HTML, JSX, and SFC files (Vue, Astro, Svelte). The rule detects CSS class names used in class="..." (or className) attributes that are not defined in any <style> block or linked stylesheet reachable from the file.

  <!-- .typo is used but never defined -->
  <html>
    <head>
      <style>
        .button {
          color: blue;
        }
      </style>
    </head>
    <body>
      <div class="button typo"></div>
    </body>
  </html>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.

  /* styles.css — .ghost is never used in any importing file */

... (truncated)

Commits

• c0b9832 ci: release (#10499)
• 995c1ff feat(lint): add useFunctionComponentDefinition rule (#10498)
• 311c2b2 fix(biome_configuration): avoid Markdown links in JSON schema descriptions (#...
• 04c3f19 fix: docs and readme (#10584)
• 961f41c refactor(useExportType): improve docs and code (#10569)
• 78075b7 feat(useExportType): add style option (#10561)
• 6642895 feat: rule promotion for v2.5 (#10562)
• 9a5855e feat: noRestrictedDependencies (#10467)
• 608a62f Merge branch 'main' into chore/merge-main-into-next
• 0f29b83 feat(linter): implement useIncludes rule (#10516)
• Additional commits viewable in compare view

Updates posthog-node from 5.28.5 to 5.38.2

Release notes

Sourced from posthog-node's releases.

posthog-node@5.38.2

5.38.2

Patch Changes

• #3903 6b21f77 Thanks @​marandaneto! - Validate custom event UUID overrides and generate new UUIDs when invalid. (2026-06-19)
• Updated dependencies [6b21f77]:
  • @​posthog/core@​1.35.3

posthog-node@5.38.1

5.38.1

Patch Changes

• #3886 e6d7fe2 Thanks @​marandaneto! - Stop sending deprecated no-op top-level type, library, and library_version fields in event batch payloads. Use properties.$lib and properties.$lib_version for SDK metadata; legacy queued library and library_version values are used as fallbacks when the official $ properties are missing. (2026-06-18)
• Updated dependencies [e6d7fe2]:
  • @​posthog/core@​1.35.2

posthog-node@5.38.0

5.38.0

Minor Changes

• #3845 a0553b3 Thanks @​marandaneto! - Add setPersonProperties() and unsetPersonProperties() helpers to manage person properties from the Node.js SDK. (2026-06-16)

Patch Changes

• Updated dependencies [b3ec845, c6c163a]:
  • @​posthog/core@​1.33.0

posthog-node@5.37.1

5.37.1

Patch Changes

• #3837 29bf8e3 Thanks @​marandaneto! - Add missing bugs metadata to package manifests. (2026-06-15)
• Updated dependencies [29bf8e3]:
  • @​posthog/core@​1.32.4

posthog-node@5.37.0

5.37.0

Minor Changes

• #3705 d6fc0a5 Thanks @​gustavohstrassburger! - feat(feature-flags): support the early_exit condition option in local evaluation. When a flag enables early exit, evaluation now stops and returns false as soon as a condition group's property filters match but the rollout percentage excludes the user, instead of falling through to later groups — matching the server-side evaluation behavior. (2026-06-12)

... (truncated)

Changelog

Sourced from posthog-node's changelog.

5.38.2

Patch Changes

• #3903 6b21f77 Thanks @​marandaneto! - Validate custom event UUID overrides and generate new UUIDs when invalid. (2026-06-19)
• Updated dependencies [6b21f77]:
  • @​posthog/core@​1.35.3

5.38.1

Patch Changes

• #3886 e6d7fe2 Thanks @​marandaneto! - Stop sending deprecated no-op top-level type, library, and library_version fields in event batch payloads. Use properties.$lib and properties.$lib_version for SDK metadata; legacy queued library and library_version values are used as fallbacks when the official $ properties are missing. (2026-06-18)
• Updated dependencies [e6d7fe2]:
  • @​posthog/core@​1.35.2

5.38.0

Minor Changes

• #3845 a0553b3 Thanks @​marandaneto! - Add setPersonProperties() and unsetPersonProperties() helpers to manage person properties from the Node.js SDK. (2026-06-16)

Patch Changes

• Updated dependencies [b3ec845, c6c163a]:
  • @​posthog/core@​1.33.0

5.37.1

Patch Changes

• #3837 29bf8e3 Thanks @​marandaneto! - Add missing bugs metadata to package manifests. (2026-06-15)
• Updated dependencies [29bf8e3]:
  • @​posthog/core@​1.32.4

5.37.0

Minor Changes

• #3705 d6fc0a5 Thanks @​gustavohstrassburger! - feat(feature-flags): support the early_exit condition option in local evaluation. When a flag enables early exit, evaluation now stops and returns false as soon as a condition group's property filters match but the rollout percentage excludes the user, instead of falling through to later groups — matching the server-side evaluation behavior. (2026-06-12)

5.36.17

Patch Changes

... (truncated)

Commits

• b0bd00f chore: update versions and lockfile [version bump]
• 6b21f77 fix: validate custom event UUIDs (#3903)
• 229efff chore: update versions and lockfile [version bump]
• e6d7fe2 fix: remove ignored batch metadata fields (#3886)
• f495510 chore: update versions and lockfile [version bump]
• bd07ec4 feat(flags): add disableRemoteFeatureFlags option and runtime updateFlags (#3...
• 4ff3bb3 chore: update versions and lockfile [version bump]
• a0553b3 feat(node): add person property helpers (#3845)
• 70d3dde chore: Generate versioned references only on release (#3858)
• 47aea13 chore: update versions and lockfile [version bump]
• Additional commits viewable in compare view

Updates semantic-release from 25.0.3 to 25.0.5

Release notes

Sourced from semantic-release's releases.

v25.0.5

25.0.5 (2026-06-09)

Bug Fixes

• revert: next (#4200) (db8ffaa)

v25.0.4

25.0.4 (2026-06-09)

Bug Fixes

• code-quality: add missing comma in context object for consistency (493d6cd)

Commits

• db8ffaa fix(revert): next (#4200)
• 4e476de docs: update README to include information about the new core engine integration
• 493d6cd fix(code-quality): add missing comma in context object for consistency
• d05e160 refactor: replace direct logger and env-ci replacements with a mockCore funct...
• 4f464a7 test: add tests for core delegation and dry-run policy handling
• 3f5d1b7 refactor: integrate core; remove unused imports and restructuring the main ...
• 7d71f2e refactor: remove obsolete release type constants and notes separator
• 1ae1a19 refactor: remove obsolete test files for logger, git, sensitive data handling...
• bedddc4 refactor: remove obsolete Git-related utilities and logging functions
• 7172195 refactor(tests): remove obsolete tests for plugins and verification
• Additional commits viewable in compare view

Updates typescript from 6.0.2 to 6.0.3

Release notes

Sourced from typescript's releases.

TypeScript 6.0.3

For release notes, check out the release announcement blog post.

• fixed issues query for TypeScript 6.0.0 (Beta).
• fixed issues query for TypeScript 6.0.1 (RC).
• fixed issues query for TypeScript 6.0.2 (Stable).
• fixed issues query for TypeScript 6.0.3 (Stable).

Downloads are available on:

• npm

Commits

• 050880c Bump version to 6.0.3 and LKG
• eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
• ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
• 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	posthog-node@​5.28.5 ⏵ 5.38.2	+1		+2	+1
	typescript@​6.0.2 ⏵ 6.0.3
	semantic-release@​25.0.3 ⏵ 25.0.5
	@​biomejs/​biome@​2.4.8 ⏵ 2.5.0	+1			+1

View full report