chore(deps): bump the monorepo-dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the monorepo-dependencies group with 10 updates in the / directory:

Package	From	To
@biomejs/biome	2.3.14	2.4.8
@changesets/changelog-github	0.5.2	0.6.0
@changesets/cli	2.29.8	2.30.0
@types/node	25.2.3	25.5.0
esbuild	0.27.3	0.27.4
lint-staged	16.2.7	16.4.0
preact	10.28.3	10.29.0
turbo	2.8.6	2.8.18
preact-render-to-string	6.6.5	6.6.6
es-module-lexer	1.7.0	2.0.0

Updates @biomejs/biome from 2.3.14 to 2.4.8

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.8

2.4.8

Patch Changes

• #9488 bc709f6 Thanks @​mvanhorn! - Fixed #9463: the "Biome found a configuration file outside of the current working directory" diagnostic now includes the configuration file path and the working directory, giving users actionable information to debug the issue.

• #9527 2f8bf80 Thanks @​mdm317! - Fixed #8959: Fixed TypeScript arrow function formatting when a comment appears after =>.

• #9525 e7b3b10 Thanks @​ViniciusDev26! - Added the rule noDrizzleUpdateWithoutWhere to prevent accidental full-table updates when using Drizzle ORM without a .where() clause.

• #9531 1302740 Thanks @​ematipico! - Fixed #9187: Astro frontmatter containing regex literals with quotes (/'/, /"/) or dashes (/---/) no longer causes parse errors.

• #9535 b630d93 Thanks @​leno23! - Fixed #9524: remove extra space before > when bracketSameLine is true and the self-closing slash is absent in HTML formatter.

• #9537 81e6306 Thanks @​ematipico! - Fixed #9238: The HTML parser no longer incorrectly reports --- inside element content (e.g. <td>---</td>) as an "Unexpected value or character" error.

• #9532 4b64145 Thanks @​ematipico! - Fixed #9117: biome check --write no longer falsely reports Svelte and Vue files as changed when html.formatter.indentScriptAndStyle is enabled and the files are already correctly formatted.

• #9528 61451ef Thanks @​ematipico! - Fixed #9341: Fixed an LSP crash that could corrupt file content when saving with format-on-save enabled.

• #9538 794f79c Thanks @​ematipico! - Fixed #9279: The rule noSubstr now detects .substr() and .substring() calls in all expression contexts, including variable declarations, function arguments, return statements, and arrow function bodies.

• #9462 c23272c Thanks @​ematipico! - Fixed #9370: The resolver now correctly prioritizes more specific exports patterns over less specific ones. Previously, a pattern like "./*" could match before "./features/*", causing resolution failures for packages with overlapping subpath patterns.

• #9515 f85c069 Thanks @​shivamtiwari3! - Fixed #9506 and #9479: Biome no longer reports false parse errors on <script type="speculationrules"> and <script type="application/ld+json"> tags. These script types contain non-JavaScript content and are now correctly skipped by the embedded language detector.

• #9514 7fe43c8 Thanks @​ematipico! - Fixed #6964: Biome now correctly resolves the .gitignore file relative to vcs.root when configured. Previously, the vcs.root setting was ignored and Biome always looked for the ignore file in the workspace directory.

• #9521 af39936 Thanks @​ematipico! - Fixed #9483. Now the rule noRedeclare doesn't panic when it encounters constructor overloads.

• #9490 60cf024 Thanks @​willfarrell! - Added support for modern CSS properties, pseudo-classes, and pseudo-elements.

  New known properties: dynamic-range-limit, overlay, reading-flow, reading-order, scroll-marker-group, scroll-target-group.

  New pseudo-elements: ::checkmark, ::column, ::picker, ::picker-icon, ::scroll-button, ::scroll-marker, ::scroll-marker-group.

  New pseudo-classes: :active-view-transition-type, :has-slotted, :target-after, :target-before, :target-current.

• #9526 4d42823 Thanks @​ematipico! - Fixed #9358 and #9375. Now attributes that have text expressions such as class={buttonClass()} are correctly tracked in Svelte files.

• #9520 61f53ee Thanks @​ematipico! - Fixed #9519. Now noUnusedVariables doesn't flag variables that are used as typeof type.

• #9487 331dc0d Thanks @​mvanhorn! - Fixed #9477: source.fixAll.biome no longer sorts imports when source.organizeImports.biome is disabled in editor settings. The organize imports action is now excluded from the fix-all pass unless explicitly requested.

• #9525 e7b3b10 Thanks @​ViniciusDev26! - Added the rule noDrizzleDeleteWithoutWhere to prevent accidental full-table deletes when using Drizzle ORM without a .where() clause.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.8

Patch Changes

• #9488 bc709f6 Thanks @​mvanhorn! - Fixed #9463: the "Biome found a configuration file outside of the current working directory" diagnostic now includes the configuration file path and the working directory, giving users actionable information to debug the issue.

• #9527 2f8bf80 Thanks @​mdm317! - Fixed #8959: Fixed TypeScript arrow function formatting when a comment appears after =>.

• #9525 e7b3b10 Thanks @​ViniciusDev26! - Added the rule noDrizzleUpdateWithoutWhere to prevent accidental full-table updates when using Drizzle ORM without a .where() clause.

• #9531 1302740 Thanks @​ematipico! - Fixed #9187: Astro frontmatter containing regex literals with quotes (/'/, /"/) or dashes (/---/) no longer causes parse errors.

• #9535 b630d93 Thanks @​leno23! - Fixed #9524: remove extra space before > when bracketSameLine is true and the self-closing slash is absent in HTML formatter.

• #9537 81e6306 Thanks @​ematipico! - Fixed #9238: The HTML parser no longer incorrectly reports --- inside element content (e.g. <td>---</td>) as an "Unexpected value or character" error.

• #9532 4b64145 Thanks @​ematipico! - Fixed #9117: biome check --write no longer falsely reports Svelte and Vue files as changed when html.formatter.indentScriptAndStyle is enabled and the files are already correctly formatted.

• #9528 61451ef Thanks @​ematipico! - Fixed #9341: Fixed an LSP crash that could corrupt file content when saving with format-on-save enabled.

• #9538 794f79c Thanks @​ematipico! - Fixed #9279: The rule noSubstr now detects .substr() and .substring() calls in all expression contexts, including variable declarations, function arguments, return statements, and arrow function bodies.

• #9462 c23272c Thanks @​ematipico! - Fixed #9370: The resolver now correctly prioritizes more specific exports patterns over less specific ones. Previously, a pattern like "./*" could match before "./features/*", causing resolution failures for packages with overlapping subpath patterns.

• #9515 f85c069 Thanks @​shivamtiwari3! - Fixed #9506 and #9479: Biome no longer reports false parse errors on <script type="speculationrules"> and <script type="application/ld+json"> tags. These script types contain non-JavaScript content and are now correctly skipped by the embedded language detector.

• #9514 7fe43c8 Thanks @​ematipico! - Fixed #6964: Biome now correctly resolves the .gitignore file relative to vcs.root when configured. Previously, the vcs.root setting was ignored and Biome always looked for the ignore file in the workspace directory.

• #9521 af39936 Thanks @​ematipico! - Fixed #9483. Now the rule noRedeclare doesn't panic when it encounters constructor overloads.

• #9490 60cf024 Thanks @​willfarrell! - Added support for modern CSS properties, pseudo-classes, and pseudo-elements.

  New known properties: dynamic-range-limit, overlay, reading-flow, reading-order, scroll-marker-group, scroll-target-group.

  New pseudo-elements: ::checkmark, ::column, ::picker, ::picker-icon, ::scroll-button, ::scroll-marker, ::scroll-marker-group.

  New pseudo-classes: :active-view-transition-type, :has-slotted, :target-after, :target-before, :target-current.

• #9526 4d42823 Thanks @​ematipico! - Fixed #9358 and #9375. Now attributes that have text expressions such as class={buttonClass()} are correctly tracked in Svelte files.

• #9520 61f53ee Thanks @​ematipico! - Fixed #9519. Now noUnusedVariables doesn't flag variables that are used as typeof type.

• #9487 331dc0d Thanks @​mvanhorn! - Fixed #9477: source.fixAll.biome no longer sorts imports when source.organizeImports.biome is disabled in editor settings. The organize imports action is now excluded from the fix-all pass unless explicitly requested.

• #9525 e7b3b10 Thanks @​ViniciusDev26! - Added the rule noDrizzleDeleteWithoutWhere to prevent accidental full-table deletes when using Drizzle ORM without a .where() clause.

2.4.7

Patch Changes

... (truncated)

Commits

• f4bf341 ci: release (#9517)
• e7b3b10 feat(lint): add noDrizzleDeleteWithoutWhere and noDrizzleUpdateWithoutWhere r...
• 1f30838 ci: release (#9346)
• 3ac98eb feat(css/lint): useBaseline (#9318)
• 2de8362 feat(lint): add nursery rule useImportsFirst (#9272)
• 776cb64 feat(json_analyze): implement noEmptyObjectKeys (#9365)
• dda9b3d chore: update rule count in readme (#9374)
• 722f0da feat(json_analyze): implement noTopLevelLiterals (#9367)
• cabc56c ci: release (#9301)
• 3bc07ab ci: release (#9188)
• Additional commits viewable in compare view

Updates @changesets/changelog-github from 0.5.2 to 0.6.0

Release notes

Sourced from @​changesets/changelog-github's releases.

@​changesets/changelog-github@​0.6.0

Minor Changes

• #1850 fd0bc2e Thanks @​mixelburg! - Linkify issue references in changelog entries.

Patch Changes

• #1810 27fd8f4 Thanks @​hirasso! - Replace deprecated String.prototype.trimRight with String.prototype.trimEnd

• Updated dependencies [d4b8ad8, e462d89]:

  • @​changesets/get-github-info@​0.8.0

Commits

• 3ab4d89 Version Packages (#1817)
• 1772598 Fix changelog entry insertion when no package title is present in the `CHANGE...
• 6df3a5e Allow versioned private packages to depend on skipped packages without requir...
• 2a73025 Fix confusing 'Question-2' prompt label when using external editor (#1857)
• 667fe5a Support ESM for custom changelog and commit options (#1774)
• e462d89 Add scopes automatically in the GitHub new token link in the printed error me...
• 503fcaa Support absolute paths in status output flag (#1776)
• d4b8ad8 Improve error messages when fetching from GitHub api (#1781)
• ece0376 Improve baseBranch docs (#1778)
• 0e8e01e Allow Changesets to be executed from non-root directories (#1806)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​changesets/changelog-github since your current version.

Updates @changesets/cli from 2.29.8 to 2.30.0

Release notes

Sourced from @​changesets/cli's releases.

@​changesets/cli@​2.30.0

Minor Changes

• #1840 057cca2 Thanks @​wotan-allfather! - Add --since flag to add command

  The add command now supports a --since flag that allows you to specify which branch, tag, or git ref to use when detecting changed packages. This is useful for gitflow workflows where you have multiple target branches and the baseBranch config option doesn't cover all use cases.

  Example: changeset add --since=develop

  If not provided, the command falls back to the baseBranch value in your .changeset/config.json.

• #1845 2b4a66a Thanks @​Andarist! - Delegate OTP prompting to the package manager instead of handling it in-process. This allows Changesets to use the package manager's native web auth support.

• #1774 667fe5a Thanks @​bluwy! - Support importing custom commit option ES module. Previously, it used require() which only worked for CJS modules, however now it uses import() which supports both CJS and ES modules.

• #1839 73b1809 Thanks @​leochiu-a! - Add a --message (-m) flag to changeset add (and default changeset) so the changeset summary can be provided from the command line. When --message is present, the summary prompt is skipped while the final confirmation step is kept.

• #1806 0e8e01e Thanks @​luisadame! - Changeset CLI can now be run from the nested directories in the project, where the .changeset directory has to be found in one of the parent directories

Patch Changes

• #1849 9dc3230 Thanks @​Andarist! - Compute the terminal's size lazily to avoid spurious stderr output in non-interactive mode

• #1857 2a73025 Thanks @​mixelburg! - Fix confusing prompt labels when entering changeset summary after external editor fallback

• #1842 6df3a5e Thanks @​RodrigoHamuy! - Allow private packages to depend on skipped packages without requiring them to also be skipped. Private packages are not published to npm, so it is safe for them to have dependencies on ignored or unversioned packages.

• #1776 503fcaa Thanks @​bluwy! - Support absolute paths in changeset status --output <path>

• Updated dependencies [667fe5a, 1772598, b6f4c74, 6df3a5e, 6df3a5e, 27fd8f4]:

  • @​changesets/apply-release-plan@​7.1.0
  • @​changesets/config@​3.1.3
  • @​changesets/get-release-plan@​4.0.15
  • @​changesets/read@​0.6.7

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​changesets/cli since your current version.

Updates @types/node from 25.2.3 to 25.5.0

Commits

• See full diff in compare view

Updates esbuild from 0.27.3 to 0.27.4

Release notes

Sourced from esbuild's releases.

v0.27.4

• Fix a regression with CSS media queries (#4395, #4405, #4406)

  Version 0.25.11 of esbuild introduced support for parsing media queries. This unintentionally introduced a regression with printing media queries that use the <media-type> and <media-condition-without-or> grammar. Specifically, esbuild was failing to wrap an or clause with parentheses when inside <media-condition-without-or>. This release fixes the regression.

  Here is an example:

  /* Original code */
  @media only screen and ((min-width: 10px) or (min-height: 10px)) {
    a { color: red }
  }
  /* Old output (incorrect) */
  @​media only screen and (min-width: 10px) or (min-height: 10px) {
  a {
  color: red;
  }
  }
  /* New output (correct) */
  @​media only screen and ((min-width: 10px) or (min-height: 10px)) {
  a {
  color: red;
  }
  }

• Fix an edge case with the inject feature (#4407)

  This release fixes an edge case where esbuild's inject feature could not be used with arbitrary module namespace names exported using an export {} from statement with bundling disabled and a target environment where arbitrary module namespace names is unsupported.

  With the fix, the following inject file:

  import jquery from 'jquery';
  export { jquery as 'window.jQuery' };

  Can now always be rewritten as this without esbuild sometimes incorrectly generating an error:

  export { default as 'window.jQuery' } from 'jquery';

• Attempt to improve API handling of huge metafiles (#4329, #4415)

  This release contains a few changes that attempt to improve the behavior of esbuild's JavaScript API with huge metafiles (esbuild's name for the build metadata, formatted as a JSON object). The JavaScript API is designed to return the metafile JSON as a JavaScript object in memory, which makes it easy to access from within a JavaScript-based plugin. Multiple people have encountered issues where this API breaks down with a pathologically-large metafile.

  The primary issue is that V8 has an implementation-specific maximum string length, so using the JSON.parse API with large enough strings is impossible. This release will now attempt to use a fallback JavaScript-based JSON parser that operates directly on the UTF8-encoded JSON bytes instead of using JSON.parse when the JSON metafile is too big to fit in a JavaScript string. The new fallback path has not yet been heavily-tested. The metafile will also now be generated with whitespace removed if the bundle is significantly large, which will reduce the size of the metafile JSON slightly.

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.27.4

• Fix a regression with CSS media queries (#4395, #4405, #4406)

  Version 0.25.11 of esbuild introduced support for parsing media queries. This unintentionally introduced a regression with printing media queries that use the <media-type> and <media-condition-without-or> grammar. Specifically, esbuild was failing to wrap an or clause with parentheses when inside <media-condition-without-or>. This release fixes the regression.

  Here is an example:

  /* Original code */
  @media only screen and ((min-width: 10px) or (min-height: 10px)) {
    a { color: red }
  }
  /* Old output (incorrect) */
  @​media only screen and (min-width: 10px) or (min-height: 10px) {
  a {
  color: red;
  }
  }
  /* New output (correct) */
  @​media only screen and ((min-width: 10px) or (min-height: 10px)) {
  a {
  color: red;
  }
  }

• Fix an edge case with the inject feature (#4407)

  This release fixes an edge case where esbuild's inject feature could not be used with arbitrary module namespace names exported using an export {} from statement with bundling disabled and a target environment where arbitrary module namespace names is unsupported.

  With the fix, the following inject file:

  import jquery from 'jquery';
  export { jquery as 'window.jQuery' };

  Can now always be rewritten as this without esbuild sometimes incorrectly generating an error:

  export { default as 'window.jQuery' } from 'jquery';

• Attempt to improve API handling of huge metafiles (#4329, #4415)

  This release contains a few changes that attempt to improve the behavior of esbuild's JavaScript API with huge metafiles (esbuild's name for the build metadata, formatted as a JSON object). The JavaScript API is designed to return the metafile JSON as a JavaScript object in memory, which makes it easy to access from within a JavaScript-based plugin. Multiple people have encountered issues where this API breaks down with a pathologically-large metafile.

... (truncated)

Commits

• f9c9012 publish 0.27.4 to npm
• 207dbc7 js api: fall back to js-based metafile json parser
• 1ca56dc fix #4329: auto-minify metafile for large bundles
• e3823aa fix #4415: add uint cast to stdio int parser
• d50e88c chore: correct copy&paste panic message (#4399)
• 8b829b1 fix #4407: incorrect error for inject edge case
• 4384bad fix #4395 close #4405 close #4406: parens for or
• See full diff in compare view

Updates lint-staged from 16.2.7 to 16.4.0

Release notes

Sourced from lint-staged's releases.

v16.4.0

Minor Changes

• #1739 687fc90 Thanks @​hyperz111! - Replace micromatch with picomatch to reduce dependencies.

v16.3.4

Patch Changes

• #1742 9d6e827 Thanks @​iiroj! - Update dependencies, including tinyexec@1.0.4 to make sure local node_modules/.bin are preferred to global locations (released in tinyexec@1.0.3).

v16.3.3

Patch Changes

• #1740 0109e8d Thanks @​iiroj! - Make sure Git's warning about CRLF line-endings doesn't interfere with creating initial backup stash.

v16.3.2

Patch Changes

• #1735 2adaf6c Thanks @​iiroj! - Hide the extra cmd window on Windows by spawning tasks without the detached option.

v16.3.1

Patch Changes

• #1729 cd5d762 Thanks @​iiroj! - Remove nano-spawn as a dependency from package.json as it was replaced with tinyexec and is no longer used.

v16.3.0

Minor Changes

• #1698 feda37a Thanks @​iiroj! - Run external processes with tinyexec instead of nano-spawn. nano-spawn replaced execa in lint-staged version 16 to limit the amount of npm dependencies required, but caused some unknown issues related to spawning tasks. Let's hope tinyexec improves the situation.

• #1699 1346d16 Thanks @​iiroj! - Remove pidtree as a dependency. When a task fails, its sub-processes are killed more efficiently via the process group on Unix systems, and the taskkill command on Windows.

Patch Changes

• #1726 87467aa Thanks @​iiroj! - Incorrect brace expansions like *.{js} (nothing to expand) are detected exhaustively, instead of just a single pass.

Changelog

Sourced from lint-staged's changelog.

16.4.0

Minor Changes

• #1739 687fc90 Thanks @​hyperz111! - Replace micromatch with picomatch to reduce dependencies.

16.3.4

Patch Changes

• #1742 9d6e827 Thanks @​iiroj! - Update dependencies, including tinyexec@1.0.4 to make sure local node_modules/.bin are preferred to global locations (released in tinyexec@1.0.3).

16.3.3

Patch Changes

• #1740 0109e8d Thanks @​iiroj! - Make sure Git's warning about CRLF line-endings doesn't interfere with creating initial backup stash.

16.3.2

Patch Changes

• #1735 2adaf6c Thanks @​iiroj! - Hide the extra cmd window on Windows by spawning tasks without the detached option.

16.3.1

Patch Changes

• #1729 cd5d762 Thanks @​iiroj! - Remove nano-spawn as a dependency from package.json as it was replaced with tinyexec and is no longer used.

16.3.0

Minor Changes

• #1698 feda37a Thanks @​iiroj! - Run external processes with tinyexec instead of nano-spawn. nano-spawn replaced execa in lint-staged version 16 to limit the amount of npm dependencies required, but caused some unknown issues related to spawning tasks. Let's hope tinyexec improves the situation.

• #1699 1346d16 Thanks @​iiroj! - Remove pidtree as a dependency. When a task fails, its sub-processes are killed more efficiently via the process group on Unix systems, and the taskkill command on Windows.

Patch Changes

• #1726 87467aa Thanks @​iiroj! - Incorrect brace expansions like *.{js} (nothing to expand) are detected exhaustively, instead of just a single pass.

Commits

• 445f9dd chore(changeset): release
• d91be60 docs: update readme to use picomatch
• b392a9f refactor: extract matchFiles and add unit tests
• 687fc90 refactor: replace micromatch with picomatch
• 26dadf9 chore(changeset): release
• 9d6e827 build(deps): update dependencies
• 8aea986 chore(changeset): release
• 0109e8d fix: strip Git CRLF warning from output
• dfd6a7a chore(changeset): release
• 2adaf6c fix(Windows): do not spawn tasks as detached since it opens a cmd window on ...
• Additional commits viewable in compare view

Updates preact from 10.28.3 to 10.29.0

Release notes

Sourced from preact's releases.

10.29.0

Features

• Implement flushSync (#5036, thanks @​JoviDeCroock)

Fixes

• Ensure we reset renderCount (#5017, thanks @​JoviDeCroock)
• undefined prototype (#5041, thanks @​JoviDeCroock)

Performance

• Golf down compat (#5025, thanks @​JoviDeCroock)

10.28.4

Fixes

• Fix crash where a synchronous effect render unmounts the tree (#5026, thanks @​JoviDeCroock)

Performance

• Core size optimizations (#5022, thanks @​JoviDeCroock)
• Hooks size optimizations (#5021, thanks @​JoviDeCroock)
• Make oldProps diffing more compact (#5004) (#5019, thanks @​JoviDeCroock)
• Compat size optimizations (#5020, thanks @​JoviDeCroock)
• Land size optimization separately (#5018, thanks @​JoviDeCroock)

Commits

• 6ef4405 10.29.0 (#5052)
• 55254ef Ensure we reset renderCount (#5017)
• b341bfe undefined prototype (#5041)
• 978c0b9 Implement flushSync (#5036)
• af4c459 Golf down compat (#5025)
• b4f9cab 10.28.4 (#5027)
• 8cbed5f Fix crash where a synchronous effect render unmounts the tree (#5026)
• 4ac7204 Core size optimizations (#5022)
• e02fd69 Make forEach --> some (#5021)
• 387d8f2 refactor(diff): make oldProps diffing more compact (#5004) (#5019)
• Additional commits viewable in compare view

Updates turbo from 2.8.6 to 2.8.18

Release notes

Sourced from turbo's releases.

Turborepo v2.8.18

What's Changed

create-turbo

• fix: Sort uninstalled package managers to bottom of create-turbo selection by @​anthonyshew in vercel/turborepo#12353

@​turbo/codemod

• fix: Stop add-package-names codemod from silently renaming existing packages by @​anthonyshew in vercel/turborepo#12332

Examples

• fix: Sync yarn lockfile before upgrading turbo in examples updater by @​anthonyshew in vercel/turborepo#12286

Changelog

• feat: Add turbo query affected CLI shorthand by @​anthonyshew in vercel/turborepo#12283
• chore: Add turborepo-log crate to improve our logging situation by @​anthonyshew in vercel/turborepo#12285
• fix: Ensure pkg#task CLI args are always included in filtered packages by @​anthonyshew in vercel/turborepo#12287
• feat: Wire up turborepo-log with TerminalSink and convert first warning by @​anthonyshew in vercel/turborepo#12289
• feat: Add git SHA and dirty hash to cache metadata by @​mehulkar in vercel/turborepo#12288
• feat: Surface cache SCM metadata in Run Summary by @​mehulkar in vercel/turborepo#12291
• fix: Inline PlopTypes in @​turbo/gen to fix implicit any for consumers by @​anthonyshew in vercel/turborepo#12292
• chore: Disable update notifier for this repo by @​anthonyshew in vercel/turborepo#12293
• feat: Add TuiSink to route log events into the TUI by @​anthonyshew in vercel/turborepo#12294
• feat: Publish platform binaries under @turbo/ scoped packages by @​anthonyshew in vercel/turborepo#12296
• feat: Initialize turborepo-log in turbo watch by @​anthonyshew in