chore(deps)(deps-dev): bump the dev-minor-patch group across 1 directory with 8 updates

[dependabot]

Bumps the dev-minor-patch group with 8 updates in the / directory:

Package	From	To
@biomejs/biome	2.4.4	2.4.7
turbo	2.8.13-canary.8	2.8.17
@types/node	25.3.3	25.5.0
happy-dom	20.7.0	20.8.4
serwist	9.5.6	9.5.7
@cloudflare/workers-types	4.20260305.0	4.20260316.1
wrangler	4.69.0	4.74.0
fast-check	4.5.3	4.6.0

Updates @biomejs/biome from 2.4.4 to 2.4.7

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.7

2.4.7

Patch Changes

• #9318 3ac98eb Thanks @​ematipico! - Added new nursery lint rule useBaseline for CSS. The rule reports when CSS properties, property values, at-rules, media conditions, functions, or pseudo-selectors are not part of the configured Baseline tier.

  For example, at the time of writing, the rule will trigger for the use of accent-color because it has limited availability:

  a {
    accent-color: bar;
  }

• #9272 2de8362 Thanks @​terror! - Added the nursery rule useImportsFirst that enforces all import statements appear before any non-import statements in a module. Inspired by the eslint-plugin-import import/first rule.

  // Invalid
  import { foo } from "foo";
  const bar = 1;
  import { baz } from "baz"; // ← flagged
  // Valid
  import { foo } from "foo";
  import { baz } from "baz";
  const bar = 1;

• #9285 93ea495 Thanks @​dyc3! - Fixed noUndeclaredVariables from erroneously flagging props only used in the template section in Vue SFCs

• #9435 6c5a8f2 Thanks @​siketyan! - Fixed #9432: Values referenced as a JSX element in Astro/Vue/Svelte templates are now correctly detected; noUnusedImports and useImportType rules no longer reports these values as false positives.

• #9362 fc9ca4c Thanks @​Netail! - Extra rule source references. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #9392 b881fea Thanks @​g-ortuno! - Fixed biomejs/biome-vscode#959: LSP now correctly resolves project directory when configurationPath points to a configuration file outside the workspace.

• #9420 a1c46af Thanks @​ematipico! - Fixed #9385: noUselessEscapeInString no longer incorrectly flags valid CSS hex escapes (e.g. \e7bb) as useless. The rule now recognizes all hex digits (0-9, a-f, A-F) as valid escape characters in CSS strings.

• #9416 f2581b8 Thanks @​ematipico! - Fixed #9131, #9112, #9166: the formatter no longer crashes or produces corrupt output when a JS file with experimentalEmbeddedSnippetsEnabled contains non-embedded template literals alongside embedded ones (e.g. console.log(\test`)next tographql(`...`)`).

• #9344 cb4d7d7 Thanks @​ematipico! - Fixed #6921: noShadow no longer incorrectly flags destructured variable bindings in sibling scopes as shadowing. Object destructuring, array destructuring, nested patterns, and rest elements are now properly recognized as declarations.

• #9360 bc5dd99 Thanks @​ematipico! - Fixed #7125: The rule noShadow no longer incorrectly flags parameters in TypeScript constructor and method overload signatures.

• #9371 29cac17 Thanks @​ematipico! - Fixed #5279: Tabs in diagnostic diff output are now rendered at a consistent width across context and changed lines, fixing visual misalignment when source files use tab indentation.

• #9043 61e2a02 Thanks @​dyc3! - Fixed #8897: Biome now parses @utility names containing / when Tailwind directives are enabled.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.7

Patch Changes

• #9318 3ac98eb Thanks @​ematipico! - Added new nursery lint rule useBaseline for CSS. The rule reports when CSS properties, property values, at-rules, media conditions, functions, or pseudo-selectors are not part of the configured Baseline tier.

  For example, at the time of writing, the rule will trigger for the use of accent-color because it has limited availability:

  a {
    accent-color: bar;
  }

• #9272 2de8362 Thanks @​terror! - Added the nursery rule useImportsFirst that enforces all import statements appear before any non-import statements in a module. Inspired by the eslint-plugin-import import/first rule.

  // Invalid
  import { foo } from "foo";
  const bar = 1;
  import { baz } from "baz"; // ← flagged
  // Valid
  import { foo } from "foo";
  import { baz } from "baz";
  const bar = 1;

• #9285 93ea495 Thanks @​dyc3! - Fixed noUndeclaredVariables from erroneously flagging props only used in the template section in Vue SFCs

• #9435 6c5a8f2 Thanks @​siketyan! - Fixed #9432: Values referenced as a JSX element in Astro/Vue/Svelte templates are now correctly detected; noUnusedImports and useImportType rules no longer reports these values as false positives.

• #9362 fc9ca4c Thanks @​Netail! - Extra rule source references. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #9392 b881fea Thanks @​g-ortuno! - Fixed biomejs/biome-vscode#959: LSP now correctly resolves project directory when configurationPath points to a configuration file outside the workspace.

• #9420 a1c46af Thanks @​ematipico! - Fixed #9385: noUselessEscapeInString no longer incorrectly flags valid CSS hex escapes (e.g. \e7bb) as useless. The rule now recognizes all hex digits (0-9, a-f, A-F) as valid escape characters in CSS strings.

• #9416 f2581b8 Thanks @​ematipico! - Fixed #9131, #9112, #9166: the formatter no longer crashes or produces corrupt output when a JS file with experimentalEmbeddedSnippetsEnabled contains non-embedded template literals alongside embedded ones (e.g. console.log(\test`)next tographql(`...`)`).

• #9344 cb4d7d7 Thanks @​ematipico! - Fixed #6921: noShadow no longer incorrectly flags destructured variable bindings in sibling scopes as shadowing. Object destructuring, array destructuring, nested patterns, and rest elements are now properly recognized as declarations.

• #9360 bc5dd99 Thanks @​ematipico! - Fixed #7125: The rule noShadow no longer incorrectly flags parameters in TypeScript constructor and method overload signatures.

• #9371 29cac17 Thanks @​ematipico! - Fixed #5279: Tabs in diagnostic diff output are now rendered at a consistent width across context and changed lines, fixing visual misalignment when source files use tab indentation.

• #9043 61e2a02 Thanks @​dyc3! - Fixed #8897: Biome now parses @utility names containing / when Tailwind directives are enabled.

• #9354 930c858 Thanks @​denbezrukov! - Improved CSS parser recovery for invalid unicode-range values that mix wildcard ranges with range intervals. For example, Biome now reports clearer diagnostics for invalid syntax like:

... (truncated)

Commits

• 1f30838 ci: release (#9346)
• 3ac98eb feat(css/lint): useBaseline (#9318)
• 2de8362 feat(lint): add nursery rule useImportsFirst (#9272)
• 776cb64 feat(json_analyze): implement noEmptyObjectKeys (#9365)
• dda9b3d chore: update rule count in readme (#9374)
• 722f0da feat(json_analyze): implement noTopLevelLiterals (#9367)
• cabc56c ci: release (#9301)
• 3bc07ab ci: release (#9188)
• 6b01778 feat(linter): add useUnicodeRegex rule (#8773)
• e43e730 feat(lint/html): add useVueScopedStyles (#9185)
• Additional commits viewable in compare view

Updates turbo from 2.8.13-canary.8 to 2.8.17

Release notes

Sourced from turbo's releases.

Turborepo v2.8.17

Full Changelog: vercel/turborepo@v2.8.17-canary.16...v2.8.17

Turborepo v2.8.17-canary.16

What's Changed

create-turbo

• fix: Remove redundant online check from create-turbo by @​anthonyshew in vercel/turborepo#12281

Full Changelog: vercel/turborepo@v2.8.17-canary.15...v2.8.17-canary.16

Turborepo v2.8.17-canary.15

What's Changed

Changelog

• fix: Fix non-deterministic hashOfExternalDependencies with Bun lockfiles by @​anthonyshew in vercel/turborepo#12279

Full Changelog: vercel/turborepo@v2.8.17-canary.14...v2.8.17-canary.15

Turborepo v2.8.17-canary.14

What's Changed

create-turbo

• fix: Replace dns.lookup with https.get for create-turbo online check by @​anthonyshew in vercel/turborepo#12277

Full Changelog: vercel/turborepo@v2.8.17-canary.13...v2.8.17-canary.14

Turborepo v2.8.17-canary.13

What's Changed

Changelog

• feat: Use task graph for watch by @​anthonyshew in vercel/turborepo#12275
• fix: Use BTreeMap for bundled_deps in bun PackageIndex by @​anthonyshew in vercel/turborepo#12266

Full Changelog: vercel/turborepo@v2.8.17-canary.12...v2.8.17-canary.13

Turborepo v2.8.17-canary.12

... (truncated)

Commits

• fd0e0f6 publish 2.8.17 to registry
• c921a26 release(turborepo): 2.8.17-canary.16 (#12282)
• 766dad4 fix: Remove redundant online check from create-turbo (#12281)
• 8fb7673 release(turborepo): 2.8.17-canary.15 (#12280)
• bb1e1da fix: Fix non-deterministic hashOfExternalDependencies with Bun lockfiles (#12...
• 85719d6 release(turborepo): 2.8.17-canary.14 (#12278)
• 9b69f8c fix: Replace dns.lookup with https.get for create-turbo online check (#12277)
• 5677b17 release(turborepo): 2.8.17-canary.13 (#12276)
• d1833fa fix: Use BTreeMap for bundled_deps in bun PackageIndex (#12266)
• 29bf4a5 feat: Use task graph for watch (#12275)
• Additional commits viewable in compare view

Updates @types/node from 25.3.3 to 25.5.0

Commits

• See full diff in compare view

Updates happy-dom from 20.7.0 to 20.8.4

Release notes

Sourced from happy-dom's releases.

v20.8.4

👷‍♂️ Patch fixes

• Replace ConsoleConstructor import with indexed access type - By @​YevheniiKotyrlo in task #1845

v20.8.3

👷‍♂️ Patch fixes

• Throw error if event is not of type Event in EventTarget.dispatchEvent() - By @​capricorn86 in task #2054

v20.8.2

👷‍♂️ Patch fixes

• Resets Event.cancelBubble and Event.defaultPrevented when calling Event.initEvent() - By @​capricorn86 in task #2090

v20.8.1

👷‍♂️ Patch fixes

• Make "inert" attribute block focus interactions - By @​coffeeandwork in task #1422

v20.8.0

🎨 Features

• Adds support for setPointerCapture, hasPointerCapture, and releasePointerCapture to Element - By @​coffeeandwork in task #1733

v20.7.2

👷‍♂️ Patch fixes

• Properly decode CSS escape sequences in attribute selector values - By @​silverwind

v20.7.1

👷‍♂️ Patch fixes

• Fixes issue related to parsing direct descendants (>) and universal (*) query selectors - By @​Cherry in task #2078

Commits

• 82a0888 fix: #1845 Replace ConsoleConstructor import with indexed access type (#2095)
• 5998eea fix: #2054 Throw error if event is not of type Event in dispatchEvent (#2092)
• 7a11238 fix: #2090 Resets cancelBubble and defaultPrevented when calling initEvent ...
• 7d27984 fix: #1422 Make inert attribute block focus interactions (#2083)
• 53e4ec9 feat: #1733 Adds support for setPointerCapture, hasPointerCapture, and rele...
• 1c73c3f fix: Properly decode CSS escape sequences in attribute selector values (#2080)
• 7fa06b3 fix: #2078 Fixes direct descendants > and universal * query selectors (#2079)
• See full diff in compare view

Updates serwist from 9.5.6 to 9.5.7

Release notes

Sourced from serwist's releases.

serwist@9.5.7

Patch Changes

• Updated dependencies []:
  • @​serwist/utils@​9.5.7

Commits

• f22ca21 chore(packages): publish packages (#347)
• 9e649b3 chore(deps): updated deps & removed ESLint
• d813c3b fix(turbo): resolve default.default issue breaking bun build (#344)
• f88382b feat(turbo): add option to rebuild sw.js on content change (#346)
• See full diff in compare view

Updates @cloudflare/workers-types from 4.20260305.0 to 4.20260316.1

Commits

• See full diff in compare view

Updates wrangler from 4.69.0 to 4.74.0

Release notes

Sourced from wrangler's releases.

wrangler@4.74.0

Minor Changes

• #10896 351e1e1 Thanks @​devin-ai-integration! - feat: add --secrets-file parameter to wrangler deploy and wrangler versions upload

  You can now upload secrets alongside your Worker code in a single operation using the --secrets-file parameter on both wrangler deploy and wrangler versions upload. The file format matches what's used by wrangler versions secret bulk, supporting both JSON and .env formats.

  Example usage:

  wrangler deploy --secrets-file .env.production
  wrangler versions upload --secrets-file secrets.json

  Secrets not included in the file will be inherited from the previous version, matching the behavior of wrangler versions secret bulk.

• #12873 2b9a186 Thanks @​gpanders! - Add wrangler containers instances <application_id> command to list container instances

  Lists all container instances for a given application, matching the Dash instances view. Displays instance ID, state, location, version, and creation time. Supports pagination for applications with many instances. Also adds paginated request support to the containers-shared API client.

Patch Changes

• #12873 2b9a186 Thanks @​gpanders! - Add escapeCodeTimeout option to onKeyPress utility for faster Esc key detection

  The onKeyPress utility now accepts an optional escapeCodeTimeout parameter that controls how long readline waits to disambiguate a standalone Esc press from multi-byte escape sequences (e.g. arrow keys). The default remains readline's built-in 500ms, but callers can pass a lower value (e.g. 25ms) for near-instant Esc handling in interactive prompts.

• #12676 65f1092 Thanks @​dario-piotrowicz! - Fix autoconfig package installation always failing at workspace roots

  When running autoconfig at the root of a monorepo workspace, package installation commands now include the appropriate workspace root flags (--workspace-root for pnpm, -W for yarn). This prevents errors like "Running this command will add the dependency to the workspace root" that previously occurred when configuring projects at the workspace root.

  Additionally, autoconfig now allows running at the workspace root if the root directory itself is listed as a workspace package (e.g., workspaces: ["packages/*", "."]).

• #12841 7b0d8f5 Thanks @​dario-piotrowicz! - Fix unclear error when assets upload session returns a null response

  When deploying assets, if the Cloudflare API returns a null response object, Wrangler now provides a clear error message asking users to retry instead of failing with a confusing error.

• Updated dependencies [ade0aed]:

  • miniflare@4.20260312.1

wrangler@4.73.0

Minor Changes

• #12853 ff543e3 Thanks @​gpanders! - Deprecate SSH passthrough flags in wrangler containers ssh

  The --cipher, --log-file, --escape-char, --config-file, --pkcs11, --identity-file, --mac-spec, --option, and --tag flags are now deprecated. These flags expose OpenSSH-specific options that are tied to the current implementation. A future release will replace the underlying SSH transport, at which point these flags will be removed. They still function for now.

• #12815 e63539d Thanks @​NuroDev! - Support disabling persistence in unstable_startWorker() and unstable_dev()

  You can now disable persistence entirely by setting persist: false in the dev options:

... (truncated)

Commits

• 2e6b4ab Version Packages (#12876)
• 65f1092 Fix autoconfig package installation always failing at workspace roots (#12676)
• 2b9a186 Add wrangler containers instances command (#12873)
• 351e1e1 [wrangler] feat: add --secrets-file parameter to deploy and versions upload (...
• bd079a6 [wrangler] Deduplicate unenv-preset e2e tests and bump beforeAll timeout (#12...
• 7b0d8f5 Fix unclear error when assets upload session returns a null response (#12841)
• 25b090a Version Packages (#12840)
• 6ee18e1 Fix autoconfig for Astro 6+ projects to skip wrangler config generation (#12856)
• f7de0fd Bump the workerd-and-workers-types group with 2 updates (#12861)
• ff543e3 CC-7209: Deprecate and hide OpenSSH options from ssh command (#12853)
• Additional commits viewable in compare view

Updates fast-check from 4.5.3 to 4.6.0

Release notes

Sourced from fast-check's releases.

Better stringMatching with maxLength

[Code][Diff]

Features

• (PR#6599) Add basic maxLength support to stringMatching
• (PR#6600) Better clamp on regexes when maxLength on stringMatching
• (PR#6687) Deprecate Random::next(n) and Random::nextInt()

Fixes

• (PR#6502) Bug: Bad d.ts import in BuildInversedRelationsMapping
• (PR#6578) Bug: Don't crash when stringifying detached ArrayBuffers
• (PR#6700) Bug: Fix object unmapper and depth computation for special keys
• (PR#6432) CI: Move all dependencies to dev on examples/
• (PR#6443) CI: Migrate to Docusaurus v4 configuration format
• (PR#6456) CI: Enable persist-credentials in add-contributor workflow
• (PR#6501) CI: Bump module in tsconfig to node18
• (PR#6548) CI: Fix zizmor ignore config line numbers
• (PR#6554) CI: Drop tests against Node 20
• (PR#6563) CI: Fix check_publish status to be success on no error
• (PR#6565) CI: Add create release workflow
• (PR#6610) CI: Rework pnpm configuration
• (PR#6619) CI: Add PR template enforcement workflow
• (PR#6622) CI: Skip Netlify doc publish on PRs
• (PR#6625) CI: Run PR template check without approval
• (PR#6623) CI: Skip PR template check for Renovate bot
• (PR#6638) CI: Bundle fast-check using rolldown
• (PR#6662) CI: Rework configuration of examples
• (PR#6683) CI: Add Claude Code GitHub Action workflow
• (PR#6684) CI: Add configuration for pre and post tool Claude hooks
• (PR#6690) CI: Refine GH Action triggering CLAUDE
• (PR#6693) CI: Configure another Claude model
• (PR#6703) CI: Add top-level permissions: {} to workflows missing it
• (PR#6704) CI: Refactor Claude workflow custom instructions configuration
• (PR#6705) CI: Add SessionStart hook to ensure dependencies are installed
• (PR#6597) Clean: Drop runkit file
• (PR#6640) Clean: Drop unused "tsd" in package.json
• (PR#6441) Doc: Release note for 4.5.0
• (PR#6442) Doc: Replace generic blog tags with feature-specific taxonomy
• (PR#6458) Doc: Add adamni21 as doc contributor
• (PR#6496) Doc: Refine npm keywords
• (PR#6514) Doc: Skill for JavaScript testing expert
• (PR#6516) Doc: Add note to avoid overusing filter and fc.pre
• (PR#6517) Doc: Update testing skill to recommend mimicking existing test structure
• (PR#6523) Doc: Add PR template requirement to Copilot instructions
• (PR#6522) Doc: Add note on complementary testing approaches
• (PR#6524) Doc: Add snapshot vs screenshot guidance
• (PR#6527) Doc: Push to install missing tooling

... (truncated)

Changelog

Sourced from fast-check's changelog.

4.6.0

Better stringMatching with maxLength [Code][Diff]

Features

• (PR#6599) Add basic maxLength support to stringMatching
• (PR#6600) Better clamp on regexes when maxLength on stringMatching
• (PR#6687) Deprecate Random::next(n) and Random::nextInt()

Fixes

• (PR#6502) Bug: Bad d.ts import in BuildInversedRelationsMapping
• (PR#6578) Bug: Don't crash when stringifying detached ArrayBuffers
• (PR#6700) Bug: Fix object unmapper and depth computation for special keys
• (PR#6432) CI: Move all dependencies to dev on examples/
• (PR#6443) CI: Migrate to Docusaurus v4 configuration format
• (PR#6456) CI: Enable persist-credentials in add-contributor workflow
• (PR#6501) CI: Bump module in tsconfig to node18
• (PR#6548) CI: Fix zizmor ignore config line numbers
• (PR#6554) CI: Drop tests against Node 20
• (PR#6563) CI: Fix check_publish status to be success on no error
• (PR#6565) CI: Add create release workflow
• (PR#6610) CI: Rework pnpm configuration
• (PR#6619) CI: Add PR template enforcement workflow
• (PR#6622) CI: Skip Netlify doc publish on PRs
• (PR#6625) CI: Run PR template check without approval
• (PR#6623) CI: Skip PR template check for Renovate bot
• (PR#6638) CI: Bundle fast-check using rolldown
• (PR#6662) CI: Rework configuration of examples
• (PR#6683) CI: Add Claude Code GitHub Action workflow
• (PR#6684) CI: Add configuration for pre and post tool Claude hooks
• (PR#6690) CI: Refine GH Action triggering CLAUDE
• (PR#6693) CI: Configure another Claude model
• (PR#6703) CI: Add top-level permissions: {} to workflows missing it
• (PR#6704) CI: Refactor Claude workflow custom instructions configuration
• (PR#6705) CI: Add SessionStart hook to ensure dependencies are installed
• (PR#6597) Clean: Drop runkit file
• (PR#6640) Clean: Drop unused "tsd" in package.json
• (PR#6441) Doc: Release note for 4.5.0
• (PR#6442) Doc: Replace generic blog tags with feature-specific taxonomy
• (PR#6458) Doc: Add adamni21 as doc contributor
• (PR#6496) Doc: Refine npm keywords
• (PR#6514) Doc: Skill for JavaScript testing expert
• (PR#6516) Doc: Add note to avoid overusing filter and fc.pre
• (PR#6517) Doc: Update testing skill to recommend mimicking existing test structure
• (PR#6523) Doc: Add PR template requirement to Copilot instructions
• (PR#6522) Doc: Add note on complementary testing approaches
• (PR#6524) Doc: Add snapshot vs screenshot guidance

... (truncated)

Commits

• f4b9e1d 🔖 Update CHANGELOG.md for fast-check@4.6.0, @​fast-check/ava@​3.0.0, @​fast-chec...
• 8b55808 🐛 Fix object unmapper and depth computation for special keys (#6700)
• 2c12205 👥 Add rushelex as code contributor (#6696)
• c62a288 🗑️ Deprecate Random::next(n) and Random::nextInt() (#6687)
• bd3f718 ⬆️ Update dependency @​types/node to ^24.12.0 (#6669)
• 5bb3fe4 ⚡️ Bump pure-rand to v8 (#6679)
• 8e47b45 ♻️ Drop @​rollup/plugin-replace for rolldown builtin (#6675)
• 77c43fa ⚡️ Import less from pure-rand (#5718)
• 3fe4d52 ⬆️ Update dependency @​types/node to ^24.10.15 (#6647)
• 74960cd ⬆️ Update dependency @​microsoft/api-extractor to ^7.57.6 (#6643)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nextcalc-pro	Ready	Preview, Comment	Mar 16, 2026 1:35pm