fix(deps): update patch updates (patch)#1035

Closed
renovate[bot] wants to merge 1 commit into main from renovate/patch-patch-updates

@renovate renovate Bot commented Jun 11, 2026

Contributor

This PR contains the following updates:

| Package | Change |
| --- | --- |
| @anolilab/multi-semantic-release (source) | 4.4.1 → 4.4.4 |
| @anolilab/semantic-release-pnpm (source) | 8.1.9 → 8.1.15 |
| @anolilab/semantic-release-preset (source) | 13.4.10 → 13.4.16 |
| @arethetypeswrong/cli (source) | ^0.18.2 → ^0.18.3 |
| @eslint-community/eslint-plugin-eslint-comments | 4.7.1 → 4.7.2 |
| @eslint-react/eslint-plugin (source) | 5.7.3 → 5.7.10 |
| @eslint/config-inspector | 2.0.0 → 2.0.1 |
| @eslint/markdown | 8.0.1 → 8.0.2 |
| @textlint/ast-node-types | 15.6.0 → 15.6.1 |
| @textlint/types (source) | 15.6.0 → 15.6.1 |
| @vitest/eslint-plugin | 1.6.16 → 1.6.19 |
| brace-expansion@>=4.0.0 <5.0.5 | [>=5.0.5 → >=5.0.6](https://renovatebot.com/diffs/npm/brace-expansion@>=4.0.0 <5.0.5/5.0.5/5.0.6) |
| caniuse-lite | 1.0.30001792 → 1.0.30001797 |
| hono@<4.12.14 (source) | >=4.12.18 → >=4.12.24 |
| hono@<4.12.21 (source) | >=4.12.21 → >=4.12.24 |
| lint-staged | 17.0.5 → 17.0.7 |
| pkg-pr-new (source) | 0.0.70 → 0.0.75 |
| publint (source) | 0.3.19 → 0.3.21 |
| tailwind-csstree | 0.3.1 → 0.3.2 |
| textlint-rule-no-dead-link | 6.2.1 → 6.2.3 |
| tinyglobby (source) | 0.2.16 → 0.2.17 |
| tsx (source) | ^4.21.0 → ^4.21.1 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

anolilab/semantic-release (@​anolilab/multi-semantic-release)

v4.4.4

Compare Source

Miscellaneous Chores
Dependencies

v4.4.3

Compare Source

Dependencies

v4.4.2

Compare Source

Miscellaneous Chores
  • security: apply audit overrides (9607d56)
Code Refactoring
  • multi-semantic-release: satisfy exports-last lint rule and tighten test types (1d61f30)
Dependencies
anolilab/semantic-release (@​anolilab/semantic-release-pnpm)

v8.1.15

Compare Source

Bug Fixes
  • semantic-release-pnpm: handle non-AggregateError in verify and skip re-publish (#​309) (6acb075)
  • semantic-release-pnpm: soft-fail whoami for non-official registries (#​310) (b041d88)
Miscellaneous Chores
Dependencies

v8.1.14

Compare Source

v8.1.13

Compare Source

v8.1.12

Compare Source

v8.1.11

Compare Source

v8.1.10

Compare Source

Miscellaneous Chores
  • security: apply audit overrides (9607d56)
anolilab/semantic-release (@​anolilab/semantic-release-preset)

v13.4.16

Compare Source

Dependencies

v13.4.15

Compare Source

Dependencies

v13.4.14

Compare Source

Dependencies

v13.4.13

Compare Source

Dependencies

v13.4.12

Compare Source

Dependencies

v13.4.11

Compare Source

Dependencies
arethetypeswrong/arethetypeswrong.github.io (@​arethetypeswrong/cli)

v0.18.3

Patch Changes
eslint-community/eslint-plugin-eslint-comments (@​eslint-community/eslint-plugin-eslint-comments)

v4.7.2

Compare Source

Bug Fixes
Rel1cx/eslint-react (@​eslint-react/eslint-plugin)

v5.7.10

🐞 Fixes
  • react-x/no-leaked-conditional-rendering, react-x/set-state-in-effect: Added cycle detection to prevent stack overflow in recursive function analysis (#​1769).
📝 Documentation
  • Added third-party-plugins.mdx documentation page.
  • Added spec diff and compiler test fixtures for react-x/globals rule.
  • Updated ESLint Stylistic link to rules anchor.
  • Updated community projects (added Obsidian Copilot).
  • Added redirects and simplified removed docs page.
🏗️ Internal
  • react-x/error-boundaries: Simplified getEnclosingTryBlock implementation.
  • Added minimumReleaseAge and minimumReleaseAgeExclude entries to pnpm-workspace.yaml.
  • Bumped fumadocs-core and fumadocs-ui to 16.8.11.
  • Pinned pnpm to v11 in CI and adjusted install hooks.
  • Fixed the git diff noise issue caused by a large number of external repository files introduced by "Vendored facebook/react as git subtree under .repos" in v5.7.9 (re-released as v5.7.10, closes #​1772).

Full Changelog: Rel1cx/eslint-react@v5.7.8...v5.7.10

v5.7.8

Compare Source

🐞 Fixes
  • react-x/no-missing-key: Fixed the rule not detecting ConditionalExpression/LogicalExpression returned from block-bodied .map/Array.from callbacks. The rule now reports both branches when both lack a key, instead of only the first (#​1767, #​1766).
📝 Documentation
  • Added [NEEDS VERIFICATION] markers to spec diffs for React Compiler aligned rules.
  • Added Issue Labels Design Doc and migration scripts.
  • Added a Hint component to the website and used it on the home page.
🏗️ Internal
  • Bumped @effect/language-service to 0.86.0.
  • Bumped dompurify to 3.4.3.
  • Bumped fumadocs-mdx to 15.0.4 and related dependencies.
  • Bumped pnpm from 11.1.0 to 11.1.1.
  • Enabled caching for Nx targets.
  • Removed experimental.useFlatConfig from Zed settings.
  • Removed two dprint plugins from dprint.json.
  • Updated Sentrux baseline metrics.

v5.7.7

Compare Source

🐞 Fixes
  • Fixed the rule documentation URLs returned by eslint-plugin-react-jsx and eslint-plugin-react-rsc to include the jsx- / rsc- prefixes so editor Open documentation links resolve correctly (#​1757) — by @​kasmacioma.
🏗️ Internal
  • Bumped @types/node from 25.6.2 to 25.7.0.
  • Bumped pnpm from 11.0.9 to 11.1.0.
  • Bumped mermaid from 11.14.0 to 11.15.0 and pinned it via pnpm-workspace.yaml overrides, dropping the transitive chevrotain@12.0.0 chain in favor of @chevrotain/types@11.1.2.
  • Enabled trustPolicy: "no-downgrade" in pnpm-workspace.yaml.

v5.7.6

Compare Source

📝 Documentation
  • Migrated the website to the fumadocs solar theme; removed the WIP Frutiger Aero variant and consolidated theme overrides.
  • Each rule documentation page now lists prior versions in a Versions accordion sourced from per-rule CHANGELOG.md.
  • Added the mikoto project to the community showcase.
  • Updated README badges to use @eslint-react/core.
🏗️ Internal
  • Bumped @typescript-eslint packages from 8.59.2 to 8.59.3.
  • Bumped fumadocs-core and fumadocs-ui from 16.8.7 to 16.8.10.
  • Bumped fumadocs-mdx from 14.3.2 to 15.0.3.
  • Bumped tailwindcss and @tailwindcss/postcss from 4.2.4 to 4.3.0.
  • Bumped tailwind-merge from 3.5.0 to 3.6.0.
  • Bumped vitest from 4.1.5 to 4.1.6.
  • Bumped ansis from 4.2.0 to 4.3.0.
  • Bumped semver from 7.7.4 to 7.8.0.
  • Bumped pnpm from 11.0.8 to 11.0.9.
  • Upgraded dprint biome plugin from 0.12.10 to 0.12.11.
  • Reverted nx from a 23.0.0 canary back to 22.7.1 stable.
  • Renamed the verify:rule-docs script to verify:docs.
  • Removed unused assets/logo.html and assets/react-icon.html (#​1755, #​1756).
  • Updated Sentrux baseline metrics.

Full Changelog: Rel1cx/eslint-react@v5.7.5...v5.7.6

v5.7.5

Compare Source

🏗️ Internal
  • Bumped @eslint/compat from 2.0.5 to 2.1.0.
  • Bumped @types/node from 25.6.0 to 25.6.2.
  • Bumped next from 16.2.5 to 16.2.6.
  • Bumped publint from 0.3.19 to 0.3.20.
  • Bumped tsdown from 0.21.10 to 0.22.0.
  • Bumped pnpm from 10.33.4 to 11.0.8.
  • Adjusted website styles.

Full Changelog: Rel1cx/eslint-react@v5.7.4...v5.7.5

v5.7.4

Compare Source

🏗️ Internal
  • Bumped @typescript-eslint packages from 8.59.1 to 8.59.2.
  • Bumped react and react-dom from 19.2.5 to 19.2.6.
  • Bumped next from 16.2.4 to 16.2.5.
  • Bumped nx from 22.7.1 to 23.0.0-canary.20260506-b594537.
  • Bumped fumadocs-core and fumadocs-ui from 16.8.5 to 16.8.7.
  • Bumped postcss from 8.5.13 to 8.5.14.
  • Bumped publint from 0.3.18 to 0.3.19.
  • Bumped pnpm from 10.33.2 to 10.33.4.

Full Changelog: Rel1cx/eslint-react@v5.7.3...v5.7.4

eslint/config-inspector (@​eslint/config-inspector)

v2.0.1

Compare Source

Bug Fixes
eslint/markdown (@​eslint/markdown)

v8.0.2

Compare Source

Bug Fixes
textlint/textlint (@​textlint/ast-node-types)

v15.6.1

Compare Source

What's Changed

CI
Dependency Updates
Other Changes

New Contributors

Full Changelog: textlint/textlint@v15.6.0...v15.6.1

vitest-dev/eslint-plugin-vitest (@​vitest/eslint-plugin)

v1.6.19

Compare Source

No significant changes

    View changes on GitHub

v1.6.18

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v1.6.17

Compare Source

   🐞 Bug Fixes
    View changes on GitHub
juliangruber/brace-expansion (brace-expansion@>=4.0.0 <5.0.5)

v5.0.6

Compare Source

browserslist/caniuse-lite (caniuse-lite)

v1.0.30001797

Compare Source

v1.0.30001793

Compare Source

honojs/hono (hono@<4.12.14)

v4.12.24

Compare Source

v4.12.23

Compare Source

What's Changed

Full Changelog: honojs/hono@v4.12.22...v4.12.23

v4.12.22

Compare Source

What's Changed
New Contributors

Full Changelog: honojs/hono@v4.12.21...v4.12.22

v4.12.21

Compare Source

Security fixes

This release includes fixes for the following security issues:

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3

IP Restriction bypasses static deny rules for non-canonical IPv6

Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x

JWT middleware accepts any Authorization scheme, not only Bearer

Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474


Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.

v4.12.20

Compare Source

What's Changed
New Contributors

Full Changelog: honojs/hono@v4.12.19...v4.12.20

v4.12.19

Compare Source

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.18...v4.12.19

lint-staged/lint-staged (lint-staged)

v17.0.7

Compare Source

Patch Changes

v17.0.6

Compare Source

Patch Changes
  • #​1803 bdf2770 - Run all tests with Deno, in addition to Node.js and Bun.

  • #​1796 7508272 - Fix performance regression of lint-staged v17 by going back to using git add to stage task modifications. This was changed to git update-index --again in v17 for less manual work, but unfortunately the update-index command gets slower in very large Git repos.

  • #​1797 7b2505a - This version of lint-staged uses the new staged publishing for npm packages feature. Releases are already published from GitHub Actions with trusted publishing, but now an additional approval with two-factor authentication is also required.

  • #​1802 321b0a9 - Downgrade dependency tinyexec@1.2.2 to avoid issues in version 1.2.3.

stackblitz-labs/pkg.pr.new (pkg-pr-new)

v0.0.75

Compare Source

v0.0.74

Compare Source

v0.0.73

Compare Source

v0.0.72

Compare Source

v0.0.71

Compare Source

publint/publint (publint)

v0.3.21

Compare Source

Patch Changes
  • Suggest adding "sideEffects": false when bundler-oriented package fields or conditions are detected and the field is missing. (#​228)

v0.3.20

Compare Source

Patch Changes
  • Suggest adding engines.node when it is missing from detected Node.js packages (#​226)

  • Loosen "breaking change" wording in lint messages (7bb3f4f)

humanwhocodes/tailwind-csstree (tailwind-csstree)

v0.3.2

Compare Source

Bug Fixes
textlint-rule/textlint-rule-no-dead-link (textlint-rule-no-dead-link)

v6.2.3

Compare Source

What's Changed

Bug Fixes

Full Changelog: textlint-rule/textlint-rule-no-dead-link@v6.2.2...v6.2.3

v6.2.2

Compare Source

What's Changed

Bug Fixes

New Contributors

Full Changelog: textlint-rule/textlint-rule-no-dead-link@v6.2.1...v6.2.2

SuperchupuDev/tinyglobby (tinyglobby)

v0.2.17

Compare Source

Changed
  • Enabled staged publishing for stronger supply-chain security
Fixed
  • Defaults when undefined is passed to any of the options by chloeelim
  • Drive-relative paths on Windows by Andrej730
  • FileSystemAdapter is now exported again
privatenumber/tsx (tsx)

v4.21.1

Compare Source

Bug Fixes
  • support Node 20.11/21.2 import.meta paths (acf3d8f)
  • support Node.js 24.15.0 (c1d2d45)
  • support Node.js 26.1.0 and 25.9.0 (1d7e528)

This release is also available on:


Configuration

📅 Schedule: (in timezone Europe/Berlin)

  • Branch creation
    • "after 10:00 before 19:00 every weekday except after 13:00 before 14:00"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
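The hono v4.12.21 notes above describe deny rules compared by string equality, which non-canonical IPv6 spellings of a denied address slip past. The following is an added example, not hono's code and not part of this PR, showing the defensive pattern of canonicalizing every address to bytes before matching; the deny list, the fail-closed choice and all function names are assumptions made for illustration.

```javascript
// Added example; DENY and all function names are constructed for illustration.
const DENY = ['2001:db8::1', '192.0.2.10']; // documentation-range addresses
// The flawed pattern from the advisory: plain string equality.
const naiveDenied = (ip) => DENY.includes(ip);

function parseV4(s) { // dotted quad -> 4 bytes, or null
  const p = s.split('.');
  const ok = p.length === 4 && p.every((x) => /^(0|[1-9]\d{0,2})$/.test(x) && Number(x) <= 255);
  return ok ? p.map(Number) : null;
}
function groupsToBytes(txt, allowV4) { // "a:b:c" -> bytes, or null
  if (txt === '') return [];
  const bytes = [];
  const groups = txt.split(':');
  for (const [i, g] of groups.entries()) {
    if (allowV4 && i === groups.length - 1 && g.includes('.')) {
      const v4 = parseV4(g); // dotted IPv4 is only valid as the final group
      if (!v4) return null;
      bytes.push(...v4);
    } else if (/^[0-9a-fA-F]{1,4}$/.test(g)) {
      bytes.push(parseInt(g, 16) >> 8, parseInt(g, 16) & 0xff);
    } else return null;
  }
  return bytes;
}
function parseV6(s) { // expands "::" and returns 16 bytes, or null
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const compressed = halves.length === 2;
  const head = groupsToBytes(halves[0], !compressed);
  const tail = compressed ? groupsToBytes(halves[1], true) : [];
  if (!head || !tail) return null;
  const len = head.length + tail.length;
  if (!compressed) return len === 16 ? head : null;
  return len <= 14 ? [...head, ...new Array(16 - len).fill(0), ...tail] : null;
}
function canonicalKey(ip) { // one key per address, whatever its spelling
  let b = ip.includes(':') ? parseV6(ip) : parseV4(ip);
  if (!b) return null;
  // Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address itself.
  if (b.length === 16 && b.slice(0, 10).every((x) => x === 0) && b[10] === 255 && b[11] === 255) b = b.slice(12);
  return b.map((x) => x.toString(16).padStart(2, '0')).join('');
}
function isDenied(ip) { // unparseable input is denied (fail closed)
  const key = canonicalKey(ip);
  return key === null || DENY.some((d) => canonicalKey(d) === key);
}
```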

@renovate renovate Bot requested a review from prisis as a code owner June 11, 2026 13:18
@renovate renovate Bot added the c: dependencies Pull requests that adds/updates a dependency label Jun 11, 2026
@github-actions

github-actions Bot commented Jun 11, 2026

Contributor

Thank you for following the naming conventions! 🙏

@socket-security

socket-security Bot commented Jun 11, 2026


All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

@renovate renovate Bot force-pushed the renovate/patch-patch-updates branch 3 times, most recently from b31c75f to 212063c Compare June 11, 2026 13:42
Signed-off-by: Renovate Bot <bot@renovateapp.com>
@renovate renovate Bot force-pushed the renovate/patch-patch-updates branch from 212063c to 282afd4 Compare June 11, 2026 15:10
prisis added a commit that referenced this pull request Jun 11, 2026
… patch roll-up)

Consolidates the three open Renovate PRs directly to main (local merge +
lockfile regen, audit clean, frozen install verified):
- #1034 @commitlint/cli|config-conventional|core 21.0.1 -> 21.0.2
- #1036 secretlint / @secretlint/secretlint-rule-preset-recommend 13.0.0 -> 13.0.2
- #1035 patch roll-up: multi-semantic-release 4.4.4, semantic-release-pnpm 8.1.15,
  semantic-release-preset 13.4.16, lint-staged 17.0.7, eslint plugins, textlint
  types, publint 0.3.21, tsx, tinyglobby, caniuse-lite, tailwind-csstree, plus
  brace-expansion override >=5.0.6 and hono override >=4.12.24.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@prisis

prisis commented Jun 11, 2026

Member

Applied directly to main (consolidated local merge + lockfile regen, audit clean, frozen install verified). Closing as merged-by-hand.

@prisis prisis closed this Jun 11, 2026
@prisis prisis deleted the renovate/patch-patch-updates branch June 11, 2026 15:22