fix(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@biomejs/biome (source)	^2.3.11 → ^2.4.10
@changesets/changelog-github (source)	^0.5.2 → ^0.6.0
@changesets/cli (source)	^2.29.8 → ^2.30.0
@cloudflare/vite-plugin (source)	^1.19.0 → ^1.31.0
@cloudflare/workers-types	^4.20260103.0 → ^4.20260403.1
@discordjs/rest (source)	^2.4.3 → ^2.6.1
@mantine/carousel (source)	^8.3.11 → ^8.3.18
@mantine/charts (source)	^8.3.11 → ^8.3.18
@mantine/code-highlight (source)	^8.3.11 → ^8.3.18
@mantine/core (source)	^8.3.11 → ^8.3.18
@mantine/dates (source)	^8.3.11 → ^8.3.18
@mantine/dropzone (source)	^8.3.11 → ^8.3.18
@mantine/form (source)	^8.3.11 → ^8.3.18
@mantine/hooks (source)	^8.3.11 → ^8.3.18
@mantine/modals (source)	^8.3.11 → ^8.3.18
@mantine/notifications (source)	^8.3.11 → ^8.3.18
@mantine/nprogress (source)	^8.3.11 → ^8.3.18
@sentry/cloudflare (source)	^10.32.1 → ^10.47.0
@sentry/tanstackstart-react (source)	^10.32.1 → ^10.47.0
@sentry/vite-plugin (source)	^4.6.1 → ^4.9.1
@tabler/icons-react (source)	^3.36.1 → ^3.41.1
@tailwindcss/postcss (source)	^4.1.18 → ^4.2.2
@tanstack/devtools-vite (source)	^0.4.0 → ^0.6.0
@tanstack/react-devtools (source)	^0.9.0 → ^0.10.1
@tanstack/react-query (source)	^5.90.16 → ^5.96.1
@tanstack/react-query-devtools (source)	^5.91.2 → ^5.96.1
@tanstack/react-router (source)	^1.145.6 → ^1.168.10
@tanstack/react-router-devtools (source)	^1.145.6 → ^1.166.11
@tanstack/react-router-ssr-query (source)	^1.145.6 → ^1.166.10
@tanstack/react-start (source)	^1.145.6 → ^1.167.16
@trpc/client (source)	11.8.1 → 11.16.0
@trpc/client (source)	^11.8.1 → ^11.16.0
@trpc/server (source)	11.8.1 → 11.16.0
@trpc/server (source)	^11.8.1 → ^11.16.0
@trpc/tanstack-react-query (source)	^11.8.1 → ^11.16.0
@types/node (source)	^25.0.3 → ^25.5.0
@types/react (source)	^19.2.7 → ^19.2.14
@vitejs/plugin-react (source)	^5.1.2 → ^5.2.0
@vitest/coverage-v8 (source)	^4.0.16 → ^4.1.2
better-auth (source)	^1.4.10 → ^1.5.6
better-sqlite3	^12.5.0 → ^12.8.0
bitflag-js	1.1.0 → 1.1.1
dayjs (source)	^1.11.19 → ^1.11.20
discord-api-types (source)	0.38.37 → 0.38.44
dotenv	^17.2.3 → ^17.4.0
drizzle-kit (source)	^0.31.8 → ^0.31.10
drizzle-orm (source)	^0.45.1 → ^0.45.2
esbuild@<=0.24.2	>=0.25.0 → >=0.28.0
hono (source)	^4.11.3 → ^4.12.10
i18next (source)	^25.7.3 → ^25.10.10
i18next-browser-languagedetector	^8.2.0 → ^8.2.1
intl-messageformat	10.7.16 → 10.7.18
lefthook	^2.0.13 → ^2.1.4
pnpm (source)	10.17.1 → 10.33.0
postcss (source)	^8.5.6 → ^8.5.8
react (source)	^19.2.3 → ^19.2.4
react-dom (source)	^19.2.3 → ^19.2.4
react-i18next	^16.5.1 → ^16.6.6
recharts	^3.6.0 → ^3.8.1
rimraf	^6.1.2 → ^6.1.3
slash-create (source)	^6.7.1 → ^6.8.1
turbo (source)	^2.7.2 → ^2.9.3
typescript (source)	^5.9.2 → ^5.9.3
unist-util-visit	^5.0.0 → ^5.1.0
vite (source)	^7.3.0 → ^7.3.1
vite-tsconfig-paths	^6.0.3 → ^6.1.1
vitest (source)	^4.0.16 → ^4.1.2
wrangler (source)	^4.56.0 → ^4.80.0
zod (source)	^4.3.5 → ^4.3.6

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.4.10

Compare Source

Patch Changes

• #​8838 f3a6a6b Thanks @​baeseokjae! - Added new lint nursery rule noImpliedEval.

  The rule detects implied eval() usage through functions like setTimeout, setInterval, and setImmediate when called with string arguments.

  // Invalid
  setTimeout("alert('Hello');", 100);
  
  // Valid
  setTimeout(() => alert("Hello"), 100);

• #​9320 93c3b6c Thanks @​taberoajorge! - Fixed #​7664: noUnusedVariables no longer reports false positives for TypeScript namespace declarations that participate in declaration merging with an exported or used value declaration (const, function, or class) of the same name. The reverse direction is also handled: a value declaration merged with an exported namespace is no longer flagged.

• #​9630 1dd4a56 Thanks @​raashish1601! - Fixed #​9629: noNegationElse now keeps ternary branch comments attached to the correct branch when applying its fixer.

• #​9216 04243b0 Thanks @​FrederickStempfle! - Fixed #​9061: noProcessEnv now also detects process.env when process is imported from the "process" or "node:process" modules.

  Previously, only the global process object was flagged:

  import process from "node:process";
  // This was not flagged, but now it is:
  console.log(process.env.NODE_ENV);

• #​9692 61b7ec5 Thanks @​mkosei! - Fixed Svelte #each destructuring parsing and formatting for nested patterns such as [key, { a, b }].

• #​9627 06a0f35 Thanks @​ematipico! - Fixed #​191: Improved the performance of how the Biome Language Server pulls code actions and diagnostics.

  Before, code actions were pulled and computed all at once in one request. This approach couldn't work in big files, and caused Biome to stale and have CPU usage spikes up to 100%.

  Now, code actions are pulled and computed lazily, and Biome won't choke anymore in big files.

• #​9643 5bfee36 Thanks @​dyc3! - Fixed #​9347: useVueValidVBind no longer reports valid object bindings like v-bind="props".

• #​9627 06a0f35 Thanks @​ematipico! - Fixed assist diagnostics being invisible when using --diagnostic-level=error. Enforced assist violations (e.g. useSortedKeys) were filtered out before being promoted to errors, causing biome check to incorrectly return success.

• #​9695 9856a87 Thanks @​dyc3! - Added the new nursery rule noUnsafePlusOperands, which reports + and += operations that use object-like, symbol, unknown, or never operands, or that mix number with bigint.

• #​9627 06a0f35 Thanks @​ematipico! - Fixed duplicate parse errors in check and ci output. When a file had syntax errors, the same parse error was printed twice and the error count was inflated.

• #​9627 06a0f35 Thanks @​ematipico! - Improved the performance of the commands lint and check when they are called with --write.

• #​9627 06a0f35 Thanks @​ematipico! - Fixed --diagnostic-level not fully filtering diagnostics. Setting --diagnostic-level=error now correctly excludes warnings and infos from both the output and the summary counts.

• #​9623 13b3261 Thanks @​ematipico! - Fixed #​9258: --skip no longer causes suppressions/unused warnings for suppression comments targeting skipped rules or domains.

• #​9631 599dd04 Thanks @​raashish1601! - Fixed #​9625: experimentalEmbeddedSnippetsEnabled no longer crashes when a file mixes formatable CSS-in-JS templates with tagged templates that the embedded formatter can't currently delegate, such as a styled-components interpolation returning `css```.

v2.4.9

Compare Source

Patch Changes

• #​9315 085d324 Thanks @​ematipico! - Added a new nursery CSS rule noDuplicateSelectors, that disallows duplicate selector lists within the same at-rule context.

  For example, the following snippet triggers the rule because the second selector and the first selector are the same:

  /* First selector */
  .x .y .z {
  }
  
  /* Second selector */
  .x {
    .y {
      .z {
      }
    }
  }

• #​9567 b7ab931 Thanks @​ematipico! - Fixed #​7211: useOptionalChain now detects negated logical OR chains. The following code is now considered invalid:

  !foo || !foo.bar;

• #​8670 607ebf9 Thanks @​tt-a1i! - Fixed #​8345: useAdjacentOverloadSignatures no longer reports false positives for static and instance methods with the same name. Static methods and instance methods are now treated as separate overload groups.

  class Kek {
    static kek(): number {
      return 0;
    }
    another(): string {
      return "";
    }
    kek(): number {
      return 1;
    } // no longer reported as non-adjacent
  }

• #​9476 97b80a8 Thanks @​masterkain! - Fixed #9475: Fixed a panic when Biome analyzed ambient TypeScript modules containing class constructor, getter, or setter signatures that reference local type aliases. Biome now handles these declarations without crashing during semantic analysis.

• #​9553 0cd5298 Thanks @​dyc3! - Fixed a bug where enabling the rules of a whole group, would enable rules that belonged to a domain under the same group.

  For example, linter.rules.correctness = "error" no longer enables React- or Qwik-specific correctness rules unless linter.domains.react, linter.domains.qwik, or an explicit rule config also enables them, or their relative dependencies are installed.

• #​9586 4cafb71 Thanks @​dyc3! - Fixed #​8828: Grit patterns using export { $foo } from $source now match named re-exports in JavaScript and TypeScript files.

• #​9550 d4e3d6e Thanks @​dyc3! - Fixed #​9548: Biome now parses conditional expressions whose consequent is an arrow function returning a parenthesized object expression.

• #​8696 a7c19cc Thanks @​Faizanq! - Fixed #​8685 where noUselessLoneBlockStatements would remove empty blocks containing comments. The rule now preserves these blocks since comments may contain important information like TODOs or commented-out code.

• #​9557 6671ac5 Thanks @​datalek! - Fixed #​9557: Biome's LSP server no longer crashes on startup when used with editors that don't send workspaceFolders during initialization. This affected any LSP client that only sends rootUri, which is valid per the LSP specification.

• #​9455 1710cf1 Thanks @​omar-y-abdi! - Fixed #​9174: useExpect now correctly rejects asymmetric matchers in Vitest or Jest like expect.stringContaining(), expect.objectContaining(), and utilities like expect.extend() that are not valid assertions. Previously these constructs caused false negatives, allowing tests without real assertions to pass the lint rule.

• #​9584 956e367 Thanks @​ematipico! - Fixed a bug where Vue directive attribute values like v-bind:class="{'dynamic': true}" were incorrectly parsed as JavaScript statements instead of expressions. Object literals inside directive values like :class, v-if, and v-html are now correctly parsed as expressions, preventing spurious parse errors.

• #​9474 e168494 Thanks @​ematipico! - Added the new nursery rule noUntrustedLicenses. This rule disallows dependencies that ship with invalid licenses or licenses that don't meet the criteria of your project/organisation.

  The rule has the following options:

  • allow: a list of licenses that can be allowed. Useful to bypass possible invalid licenses from downstream dependencies.
  • deny: a list of licenses that should trigger the rule. Useful to deny licenses that don't fit your project/organisation.
    When both deny and allow are provided, deny takes precedence.
  • requireOsiApproved: whether the licenses need to be approved by the Open Source Initiative.
  • requireFsfLibre: whether the licenses need to be approved by the Free Software Foundation.

• #​9544 723798b Thanks @​ViniciusDev26! - Added an unsafe fix to useConsistentMethodSignatures that automatically converts between method-style and property-style signatures.

• #​9555 8a3647b Thanks @​ematipico! - Fixed #188: the Biome Language Server no longer panics when open files change abruptly, such as during git branch checkouts.

• #​9605 f65c637 Thanks @​ematipico! - Fixed #​9589. Now Biome correctly parses object expressions inside props and directives. The following code doesn't emit errors anymore:

  <style is:global define:vars={{ bgLight: light }}>
  <Component name={{ first, name }} />

• #​9565 ccb249e Thanks @​eyupcanakman! - Fixed #​9505: noUselessStringConcat no longer reports tagged template literals as useless string concatenations. Tagged templates invoke a function and can return non-string values, so combining them with + is not equivalent to a single template literal.

• #​9534 4d050df Thanks @​Netail! - Added the nursery rule noInlineStyles. The rule disallows the use of inline style attributes in HTML and the style prop in JSX, including React.createElement calls. Inline styles make code harder to maintain and can interfere with Content Security Policy.

• #​9611 cddaa44 Thanks @​gaauwe! - Fixed a regression where Biome LSP could misread editor settings sent through workspace/didChangeConfiguration when the payload was wrapped in a top-level biome key. This caused requireConfiguration and related settings to be ignored in some editors.

v2.4.8

Compare Source

Patch Changes

• #​9488 bc709f6 Thanks @​mvanhorn! - Fixed #​9463: the "Biome found a configuration file outside of the current working directory" diagnostic now includes the configuration file path and the working directory, giving users actionable information to debug the issue.

• #​9527 2f8bf80 Thanks @​mdm317! - Fixed #​8959: Fixed TypeScript arrow function formatting when a comment appears after =>.

• #​9525 e7b3b10 Thanks @​ViniciusDev26! - Added the rule noDrizzleUpdateWithoutWhere to prevent accidental full-table updates when using Drizzle ORM without a .where() clause.

• #​9531 1302740 Thanks @​ematipico! - Fixed #​9187: Astro frontmatter containing regex literals with quotes (/'/, /"/) or dashes (/---/) no longer causes parse errors.

• #​9535 b630d93 Thanks @​leno23! - Fixed #​9524: remove extra space before > when bracketSameLine is true and the self-closing slash is absent in HTML formatter.

• #​9537 81e6306 Thanks @​ematipico! - Fixed #​9238: The HTML parser no longer incorrectly reports --- inside element content (e.g. <td>---</td>) as an "Unexpected value or character" error.

• #​9532 4b64145 Thanks @​ematipico! - Fixed #​9117: biome check --write no longer falsely reports Svelte and Vue files as changed when html.formatter.indentScriptAndStyle is enabled and the files are already correctly formatted.

• #​9528 61451ef Thanks @​ematipico! - Fixed #​9341: Fixed an LSP crash that could corrupt file content when saving with format-on-save enabled.

• #​9538 794f79c Thanks @​ematipico! - Fixed #​9279: The rule noSubstr now detects .substr() and .substring() calls in all expression contexts, including variable declarations, function arguments, return statements, and arrow function bodies.

• #​9462 c23272c Thanks @​ematipico! - Fixed #​9370: The resolver now correctly prioritizes more specific exports patterns over less specific ones. Previously, a pattern like "./*" could match before "./features/*", causing resolution failures for packages with overlapping subpath patterns.

• #​9515 f85c069 Thanks @​shivamtiwari3! - Fixed #​9506 and #​9479: Biome no longer reports false parse errors on <script type="speculationrules"> and <script type="application/ld+json"> tags. These script types contain non-JavaScript content and are now correctly skipped by the embedded language detector.

• #​9514 7fe43c8 Thanks @​ematipico! - Fixed #​6964: Biome now correctly resolves the .gitignore file relative to vcs.root when configured. Previously, the vcs.root setting was ignored and Biome always looked for the ignore file in the workspace directory.

• #​9521 af39936 Thanks @​ematipico! - Fixed #​9483. Now the rule noRedeclare doesn't panic when it encounters constructor overloads.

• #​9490 60cf024 Thanks @​willfarrell! - Added support for modern CSS properties, pseudo-classes, and pseudo-elements.

  New known properties: dynamic-range-limit, overlay, reading-flow, reading-order, scroll-marker-group, scroll-target-group.

  New pseudo-elements: ::checkmark, ::column, ::picker, ::picker-icon, ::scroll-button, ::scroll-marker, ::scroll-marker-group.

  New pseudo-classes: :active-view-transition-type, :has-slotted, :target-after, :target-before, :target-current.

• #​9526 4d42823 Thanks @​ematipico! - Fixed #​9358 and #​9375. Now attributes that have text expressions such as class={buttonClass()} are correctly tracked in Svelte files.

• #​9520 61f53ee Thanks @​ematipico! - Fixed #​9519. Now noUnusedVariables doesn't flag variables that are used as typeof type.

• #​9487 331dc0d Thanks @​mvanhorn! - Fixed #​9477: source.fixAll.biome no longer sorts imports when source.organizeImports.biome is disabled in editor settings. The organize imports action is now excluded from the fix-all pass unless explicitly requested.

• #​9525 e7b3b10 Thanks @​ViniciusDev26! - Added the rule noDrizzleDeleteWithoutWhere to prevent accidental full-table deletes when using Drizzle ORM without a .where() clause.

v2.4.7

Compare Source

Patch Changes

• #​9318 3ac98eb Thanks @​ematipico! - Added new nursery lint rule useBaseline for CSS. The rule reports when CSS properties, property values, at-rules, media conditions, functions, or pseudo-selectors are not part of the configured Baseline tier.

  For example, *at the

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.53%. Comparing base (8060bd3) to head (e267d30).

Additional details and impacted files

@@           Coverage Diff           @@
##              dev     #136   +/-   ##
=======================================
  Coverage   90.53%   90.53%           
=======================================
  Files           2        2           
  Lines         169      169           
  Branches       45       45           
=======================================
  Hits          153      153           
  Misses         16       16           

Flag	Coverage Δ
i18n	90.53% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.