Bump the all-dependencies group with 7 updates

[dependabot]

Bumps the all-dependencies group with 7 updates:

Package	From	To
lint-staged	16.4.0	17.0.2
oxfmt	0.47.0	0.48.0
oxlint	1.62.0	1.63.0
react-dom	19.2.5	19.2.6
react	19.2.5	19.2.6
syncpack	14.3.1	15.0.0
vite	8.0.10	8.0.11

Updates lint-staged from 16.4.0 to 17.0.2

Release notes

Sourced from lint-staged's releases.

v17.0.2

Patch Changes

• #1779 88670ca Thanks @​iiroj! - Enable immutable GitHub releases

v17.0.1

Patch Changes

• #1776 4a5664b Thanks @​iiroj! - Adjust GitHub Actions workflow so that automatic publishing works with signed commits.

v17.0.0

Major Changes

• #1745 e244adf Thanks @​iiroj! - Node.js v20 is no longer supported, and the oldest supported version is now 22.22.1, which is an active LTS version at the time of this release. Node.js 20 will be EOL after April 2026. Please upgrade your Node.js version!

• #1676 0584e0b Thanks @​outslept! - Lint-staged now tries to verify the installed Git version is at least 2.32.0, released in 2021. If you're using an even older Git version, you need to upgrade it before running lint-staged!

• #1745 2dcc40a Thanks @​iiroj! - The dependency yaml is now marked as optional and probably won't be installed by default. If you're using a YAML configuration file you should install the package separately:

  npm install --development yaml

  If you're using .lintstagedrc as the config file name (without a file extension), it will be treated as a YAML file. If the content is JSON, consider renaming it to .lintstagedrc.json to avoid needing to install yaml.

Minor Changes

• #1748 809d5ef Thanks @​iiroj! - Add new option --hide-all for hiding all unstaged changes and untracked files, before running tasks. This makes it easier to run tools like Knip which check for unused code. Untracked files are included in the backup stash and restored automatically after running.

• #1759 f13045a Thanks @​iiroj! - Update dependencies, including tinyexec@1.1.1 to fix the following issues:

  • When using a Node.js version manager with multiple versions installed (nvm, n, for example), scripts with the #!/usr/bin/env node shebang (Prettier, ESLint, for example) were previously spawned using the default Node.js version configured by the version manager (the one which node points to) on POSIX systems. Now, they will be spawned with the same version that lint-staged itself was started with.
    • For example, if your default Node.js version is 24.14.1 but lint-staged is run with the latest version 25.9.0, the tasks spawned by lint-staged will now also use version 25.9.0. Previously they were spawned using 24.14.1.
  • When installing Node.js from the Ubuntu App Center (Snap store), the node executable available in PATH is a symlink pointing to Snap itself. The sandboxing features of Snap prevented lint-staged from spawning scripts with the #!/usr/bin/env node shebang, because it meant lint-staged tried to spawn Snap via the symlink. This resulted in an ENOENT error when trying to run prettier, for example. Now, since the real node executable's directory is available in the PATH, lint-staged will instead spawn the script with the real node binary succesfully.

• #1761 d3251b1 Thanks @​iiroj! - Lint-staged now runs git update-index --again after running tasks, instead of git add <originally staged files>. This should improve compatibility when using non-default indexes, for example when committing with a pathspec git commit -m "message" . instead of adding files to the index.

• #1745 a9585ac Thanks @​iiroj! - Remove commander as a dependency and use the built-in parseArgs from node:util to parse CLI flags.

Patch Changes

• #1755 c82d30b Thanks @​iiroj! - All tests now pass on the Bun runtime (latest).

• #1750 a401818 Thanks @​iiroj! - Remove manual handling for git stash --keep-index resurrecting deleted files, because the issue was fixed in Git 2.23.0 and lint-staged requires at least Git 2.32.0.

• #1771 c4b8936 Thanks @​iiroj! - Fix documentation about multiple config files and the --cwd option. When using it, all tasks will be run in the specified directory. For example, to run everything in the actual process.cwd(), use lint-staged --cwd=".".

Changelog

Sourced from lint-staged's changelog.

17.0.2

Patch Changes

• #1779 88670ca Thanks @​iiroj! - Enable immutable GitHub releases

17.0.1

Patch Changes

• #1776 4a5664b Thanks @​iiroj! - Adjust GitHub Actions workflow so that automatic publishing works with signed commits.

17.0.0

Major Changes

• #1745 e244adf Thanks @​iiroj! - Node.js v20 is no longer supported, and the oldest supported version is now 22.22.1, which is an active LTS version at the time of this release. Node.js 20 will be EOL after April 2026. Please upgrade your Node.js version!

• #1676 0584e0b Thanks @​outslept! - Lint-staged now tries to verify the installed Git version is at least 2.32.0, released in 2021. If you're using an even older Git version, you need to upgrade it before running lint-staged!

• #1745 2dcc40a Thanks @​iiroj! - The dependency yaml is now marked as optional and probably won't be installed by default. If you're using a YAML configuration file you should install the package separately:

  npm install --development yaml

  If you're using .lintstagedrc as the config file name (without a file extension), it will be treated as a YAML file. If the content is JSON, consider renaming it to .lintstagedrc.json to avoid needing to install yaml.

Minor Changes

• #1748 809d5ef Thanks @​iiroj! - Add new option --hide-all for hiding all unstaged changes and untracked files, before running tasks. This makes it easier to run tools like Knip which check for unused code. Untracked files are included in the backup stash and restored automatically after running.

• #1759 f13045a Thanks @​iiroj! - Update dependencies, including tinyexec@1.1.1 to fix the following issues:

  • When using a Node.js version manager with multiple versions installed (nvm, n, for example), scripts with the #!/usr/bin/env node shebang (Prettier, ESLint, for example) were previously spawned using the default Node.js version configured by the version manager (the one which node points to) on POSIX systems. Now, they will be spawned with the same version that lint-staged itself was started with.
    • For example, if your default Node.js version is 24.14.1 but lint-staged is run with the latest version 25.9.0, the tasks spawned by lint-staged will now also use version 25.9.0. Previously they were spawned using 24.14.1.
  • When installing Node.js from the Ubuntu App Center (Snap store), the node executable available in PATH is a symlink pointing to Snap itself. The sandboxing features of Snap prevented lint-staged from spawning scripts with the #!/usr/bin/env node shebang, because it meant lint-staged tried to spawn Snap via the symlink. This resulted in an ENOENT error when trying to run prettier, for example. Now, since the real node executable's directory is available in the PATH, lint-staged will instead spawn the script with the real node binary succesfully.

• #1761 d3251b1 Thanks @​iiroj! - Lint-staged now runs git update-index --again after running tasks, instead of git add <originally staged files>. This should improve compatibility when using non-default indexes, for example when committing with a pathspec git commit -m "message" . instead of adding files to the index.

• #1745 a9585ac Thanks @​iiroj! - Remove commander as a dependency and use the built-in parseArgs from node:util to parse CLI flags.

Patch Changes

• #1755 c82d30b Thanks @​iiroj! - All tests now pass on the Bun runtime (latest).

• #1750 a401818 Thanks @​iiroj! - Remove manual handling for git stash --keep-index resurrecting deleted files, because the issue was fixed in Git 2.23.0 and lint-staged requires at least Git 2.32.0.

• #1771 c4b8936 Thanks @​iiroj! - Fix documentation about multiple config files and the --cwd option. When using it, all tasks will be run in the specified directory. For example, to run everything in the actual process.cwd(), use lint-staged --cwd=".".

Commits

• 0a3b253 Merge pull request #1780 from lint-staged/changeset-release/main
• 36cae27 chore(changeset): release
• ff03baa Merge pull request #1779 from lint-staged/immutable-release
• 88670ca ci: force Changesets action to sign Git tag
• 7f4596b Merge pull request #1777 from lint-staged/changeset-release/main
• 697c9ae chore(changeset): release
• 7ed4125 Merge pull request #1778 from lint-staged/fix-changesets
• bf400fe ci: publish to npm in same Changesets workflow so that a personal token isn't...
• 0c2e6e5 Merge pull request #1776 from lint-staged/fix-changesets
• 4a5664b ci: use personal access token with semantic-release so that it can trigger pu...
• Additional commits viewable in compare view

Updates oxfmt from 0.47.0 to 0.48.0

Commits

• 5921a25 release(apps): oxlint v1.63.0 && oxfmt v0.48.0 (#22109)
• See full diff in compare view

Updates oxlint from 1.62.0 to 1.63.0

Release notes

Sourced from oxlint's releases.

oxlint v1.27.0 && oxfmt v0.12.0

Oxlint v1.27.0

🚀 Features

• 222a8f0 linter/plugins: Implement SourceCode#isSpaceBetween (#15498) (overlookmotel)
• 2f9735d linter/plugins: Implement context.languageOptions (#15486) (overlookmotel)
• bc731ff linter/plugins: Stub out all Context APIs (#15479) (overlookmotel)
• 5822cb4 linter/plugins: Add extend method to FILE_CONTEXT (#15477) (overlookmotel)
• 7b1e6f3 apps: Add pure rust binaries and release to github (#15469) (Boshen)
• 2a89b43 linter: Introduce debug assertions after fixes to assert validity (#15389) (camc314)
• ad3c45a editor: Add oxc.path.node option (#15040) (Sysix)

🐛 Bug Fixes

• 6f3cd77 linter/no-var: Incorrect warning for blocks (#15504) (Hamir Mahal)
• 6957fb9 linter/plugins: Do not allow access to Context#id in createOnce (#15489) (overlookmotel)
• 7409630 linter/plugins: Allow access to cwd in createOnce in ESLint interop mode (#15488) (overlookmotel)
• 732205e parser: Reject using / await using in a switch case / default clause (#15225) (sapphi-red)
• a17ca32 linter/plugins: Replace Context class (#15448) (overlookmotel)
• ecf2f7b language_server: Fail gracefully when tsgolint executable not found (#15436) (camc314)
• 3c8d3a7 lang-server: Improve logging in failure case for tsgolint (#15299) (camc314)
• ef71410 linter: Use jsx if source type is JS in fix debug assertion (#15434) (camc314)
• e32bbf6 linter/no-var: Handle TypeScript declare keyword in fixer (#15426) (camc314)
• 6565dbe linter/switch-case-braces: Skip comments when searching for : token (#15425) (camc314)
• 85bd19a linter/prefer-class-fields: Insert value after type annotation in fixer (#15423) (camc314)
• fde753e linter/plugins: Block access to context.settings in createOnce (#15394) (overlookmotel)
• ddd9f9f linter/forward-ref-uses-ref: Dont suggest removing wrapper in invalid positions (#15388) (camc314)
• dac2a9c linter/no-template-curly-in-string: Remove fixer (#15387) (camc314)
• 989b8e3 linter/no-var: Only fix to const if the var has an initializer (#15385) (camc314)
• cc403f5 linter/plugins: Return empty object for unimplemented parserServices (#15364) (magic-akari)

⚡ Performance

• 25d577e language_server: Start tools in parallel (#15500) (Sysix)
• 3c57291 linter/plugins: Optimize loops (#15449) (overlookmotel)
• 3166233 linter/plugins: Remove Arcs (#15431) (overlookmotel)
• 9de1322 linter/plugins: Lazily deserialize settings JSON (#15395) (overlookmotel)
• 3049ec2 linter/plugins: Optimize deepFreezeSettings (#15392) (overlookmotel)
• 444ebfd linter/plugins: Use single object for parserServices (#15378) (overlookmotel)

📚 Documentation

• 97d2104 linter: Update comment in lint.rs about default value for tsconfig path (#15530) (Connor Shea)
• 2c6bd9e linter: Always refer as "ES2015" instead of "ES6" (#15411) (sapphi-red)
• a0c5203 linter/import/named: Update "ES7" comment in examples (#15410) (sapphi-red)
• 3dc24b5 linter,minifier: Always refer as "ES Modules" instead of "ES6 Modules" (#15409) (sapphi-red)
• 2ad77fb linter/no-this-before-super: Correct "Why is this bad?" section (#15408) (sapphi-red)
• 57f0ce1 linter: Add backquotes where appropriate (#15407) (sapphi-red)

Oxfmt v0.12.0

... (truncated)

Changelog

Sourced from oxlint's changelog.

[1.63.0] - 2026-05-05

📚 Documentation

• cacbc4a linter: Fix jest settings docs. (#22127) (connorshea)

Commits

• 5921a25 release(apps): oxlint v1.63.0 && oxfmt v0.48.0 (#22109)
• cacbc4a docs(linter): Fix jest settings docs. (#22127)
• d177595 chore(linter): Update oxlint-tsgolint peer dependency to the latest release. ...
• See full diff in compare view

Updates react-dom from 19.2.5 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates react from 19.2.5 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates syncpack from 14.3.1 to 15.0.0

Release notes

Sourced from syncpack's releases.

15.0.0

15.0.0 (2026-05-04)

This release adds full support for pnpm catalogs and bun catalogs. Your default catalog, named catalogs, and all of the entries within them are now first-class citizens in syncpack and can be grouped, targeted, updated, or even banned like any other dependency in your project.

A new Catalog Version Group lets you auto-migrate all or parts of your repo to use catalogs and ensures that the correct catalogs are always used in the future. syncpack update --dependency-types pnpmCatalog will update your default catalog with the latest versions from the npm registry, and Semver Groups can target your catalogs to ensure they always use exact version numbers (or ~, ^ etc).

There is also a new minimumReleaseAge config which defaults to your pnpm configuration, if neither are set then it will default to 1 day.

The customTypes docs have been rewritten and some catalogs examples have been added to the syncpack update docs.

Finally there is a new Migrate to 15 which repeats what is below, you should only be affected if you're on older versions of pnpm and using overrides.

With this huge overhaul to support all this catalogs functionality, there may be some new lint errors that appear, but I don't expect so as most of the behaviour is opt-in via you setting a "policy": "catalog" for parts of your monorepo.

Finally – syncpack is free and always will be, just please help us spread the word and spare a moment to share us on your socials.

⚠ BREAKING CHANGES

• pnpm: https://syncpack.dev/guide/migrate-v15/

pnpmOverrides now reads pnpm-workspace.yaml

The default pnpmOverrides dependency type now reads overrides from pnpm-workspace.yaml instead of pnpm.overrides in package.json. This matches pnpm's current convention for managing overrides.

Restoring the legacy behaviour

If your overrides still live in package.json under pnpm.overrides, define pnpmOverridesLegacy in your config to point at the legacy location:

{
  "customTypes": {
    "pnpmOverridesLegacy": {
      "strategy": "versionsByName",
      "path": "pnpm.overrides"
    }
  }
}

The default pnpmOverrides continues to manage the YAML location.

Features

• groups: add full pnpm/bun catalogs support (53d54e0), closes #258
• pnpm: read pnpmOverrides from pnpm-workspace.yaml (72ce5ef), closes #304
• update: add minimumReleaseAge and default to 1 day (a6648ab), closes #302

Bug Fixes

... (truncated)

Changelog

Sourced from syncpack's changelog.

15.0.0 (2026-05-04)

⚠ BREAKING CHANGES

• pnpm: https://syncpack.dev/guide/migrate-v15/

pnpmOverrides now reads pnpm-workspace.yaml

The default pnpmOverrides dependency type now reads overrides from pnpm-workspace.yaml instead of pnpm.overrides in package.json. This matches pnpm's current convention for managing overrides.

Restoring the legacy behaviour

If your overrides still live in package.json under pnpm.overrides, define pnpmOverridesLegacy in your config to point at the legacy location:

{
  "customTypes": {
    "pnpmOverridesLegacy": {
      "strategy": "versionsByName",
      "path": "pnpm.overrides"
    }
  }
}

The default pnpmOverrides continues to manage the YAML location.

Features

• groups: add full pnpm/bun catalogs support (53d54e0), closes #258
• pnpm: read pnpmOverrides from pnpm-workspace.yaml (72ce5ef), closes #304
• update: add minimumReleaseAge and default to 1 day (a6648ab), closes #302

Bug Fixes

• cargo: update dependencies (a375df4)
• cli: do not display --version and --help as errors (2abe490), closes #331
• cli: fix panic when using --config option (76f1553), closes #332
• config: prevent ERR_UNSUPPORTED_ESM_URL_SCHEME on Windows (127ae12), closes #327 #328
• core: widen detection of pnpm and bun projects (be883f5)
• npm: detect musl libc to resolve correct binary (89d5654), closes #329
• rust: update edition from 2021 to 2024 (efad1b5)

Commits

• 3ffa0e5 chore(release): 15.0.0
• bc6f813 chore(site): manually control frames on code blocks
• efad1b5 fix(rust): update edition from 2021 to 2024
• a375df4 fix(cargo): update dependencies
• a6648ab feat(update): add minimumReleaseAge and default to 1 day
• 89d5654 fix(npm): detect musl libc to resolve correct binary
• caa3e3d chore(fixtures): add some catalog scenarios
• 4726788 chore(core): add debug log of final config
• 76f1553 fix(cli): fix panic when using --config option
• 127ae12 fix(config): prevent ERR_UNSUPPORTED_ESM_URL_SCHEME on Windows
• Additional commits viewable in compare view

Updates vite from 8.0.10 to 8.0.11

Release notes

Sourced from vite's releases.

v8.0.11

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.11 (2026-05-07)

Features

• update rolldown to 1.0.0-rc.18 (#22360) (3f80524)

Bug Fixes

• deps: update all non-major dependencies (#22334) (672c962)
• deps: update all non-major dependencies (#22382) (5c0cfcb)
• glob: align hmr matcher options with glob enumeration (#22306) (30028f9)
• make separate object instance for each environment (#22276) (7c2aa3b)

Documentation

• create-vite: list react-compiler templates in README (#22347) (7c3a61f)
• explain mergeConfig skips null/undefined (#22325) (2151f70)
• mention native config loader in CLI options (#22348) (0420c5d)
• update evan's x handle (640202a)

Miscellaneous Chores

• deps: update dependency tsdown to ^0.21.10 (#22333) (3b51e05)
• deps: update rolldown-related dependencies (#22383) (555ff36)
• deps: update transitive packages to fix npm audit alerts (#22316) (86aee62)

Code Refactoring

• devtools integration (#22312) (3c8bf06)
• remove unnecessary async (#22296) (b31fd35)
• show direct path type in bad character warning (#22339) (0c162e9)

Tests

• create-vite: use short help alias (#22389) (994ab66)

Commits

• 66f3194 release: v8.0.11
• 5c0cfcb fix(deps): update all non-major dependencies (#22382)
• 555ff36 chore(deps): update rolldown-related dependencies (#22383)
• b31fd35 refactor: remove unnecessary async (#22296)
• 3c8bf06 refactor: devtools integration (#22312)
• 7c2aa3b fix: make separate object instance for each environment (#22276)
• 3f80524 feat: update rolldown to 1.0.0-rc.18 (#22360)
• 0c162e9 refactor: show direct path type in bad character warning (#22339)
• 672c962 fix(deps): update all non-major dependencies (#22334)
• 30028f9 fix(glob): align hmr matcher options with glob enumeration (#22306)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions