Skip to content

chore(deps): bump the npm-deps group across 1 directory with 8 updates#19

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm-deps-c40c034f7a
Open

chore(deps): bump the npm-deps group across 1 directory with 8 updates#19
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm-deps-c40c034f7a

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 7, 2026

Bumps the npm-deps group with 8 updates in the / directory:

Package From To
@hono/node-server 2.0.0 2.0.1
better-auth 1.6.5 1.6.9
hono 4.12.14 4.12.16
@commitlint/cli 20.5.0 20.5.3
@commitlint/config-conventional 20.5.0 20.5.3
eslint 10.2.0 10.2.1
fallow 2.40.3 2.56.0
tap 21.7.0 21.7.1

Updates @hono/node-server from 2.0.0 to 2.0.1

Release notes

Sourced from @​hono/node-server's releases.

v2.0.1

What's Changed

New Contributors

Full Changelog: honojs/node-server@v2.0.0...v2.0.1

Commits

Updates better-auth from 1.6.5 to 1.6.9

Release notes

Sourced from better-auth's releases.

v1.6.9

better-auth

Bug Fixes

  • Fixed instrumentation resolution in the adapter factory so edge and browser environments correctly use the pure variant (#9340)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​erquhart

Full changelog: v1.6.8...v1.6.9

v1.6.8

better-auth

Bug Fixes

  • Fixed mapProfileToUser fallback for OAuth providers that may omit email from their profile response (#9331)
  • Fixed support for passing id through beforeCreateTeam and beforeCreateInvitation hooks (#9253)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed authorization flows that do not include a state parameter (#9328)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

  • Fixed incompatibility with TypeScript's exactOptionalPropertyTypes compiler option (#9270)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​baptisteArno, @​gustavovalverde, @​ping-maxwell

Full changelog: v1.6.7...v1.6.8

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.9

Patch Changes

  • Updated dependencies [815ecf6]:
    • @​better-auth/core@​1.6.9
    • @​better-auth/drizzle-adapter@​1.6.9
    • @​better-auth/kysely-adapter@​1.6.9
    • @​better-auth/memory-adapter@​1.6.9
    • @​better-auth/mongo-adapter@​1.6.9
    • @​better-auth/prisma-adapter@​1.6.9
    • @​better-auth/telemetry@​1.6.9

1.6.8

Patch Changes

  • #9253 856ab24 Thanks @​baptisteArno! - fix(organization): allow passing id through beforeCreateTeam and beforeCreateInvitation

    Mirrors #4765 for teams and invitations: adapter.createTeam and adapter.createInvitation now pass forceAllowId: true, so ids returned from the respective hooks survive the DB insert.

  • #9331 9aa8e63 Thanks @​gustavovalverde! - fix(oauth): support mapProfileToUser fallback for providers that may omit email

    Social sign-in with OAuth providers that may return no email address (Discord phone-only accounts, Apple subsequent sign-ins, GitHub private emails, Facebook, LinkedIn, and Microsoft Entra ID managed users) can now be unblocked by synthesizing an email inside mapProfileToUser. Rejection logger messages now point at this workaround and at the new "Handling Providers Without Email" docs section.

    Provider profile types now reflect where email can be null or absent:

    • DiscordProfile.email is string | null and optional (absent when the email scope is not granted)
    • AppleProfile.email is optional
    • GithubProfile.email is string | null
    • FacebookProfile.email is optional
    • FacebookProfile.email_verified is optional (Meta's Graph API does not include this field)
    • LinkedInProfile.email is optional
    • LinkedInProfile.email_verified is optional
    • MicrosoftEntraIDProfile.email is optional

    TypeScript consumers who previously dereferenced profile.email directly inside mapProfileToUser will see a compile error that matches the runtime reality; use a nullish-coalescing fallback (profile.email ?? ...) or null-check the field.

    Sign-in still rejects with error=email_not_found (social callback) or error=email_is_missing (Generic OAuth plugin) when neither the provider nor mapProfileToUser produces an email. First-class support for users without an email, keyed on (providerId, accountId) per OpenID Connect Core §5.7, is tracked in #9124.

  • Updated dependencies [9aa8e63]:

    • @​better-auth/core@​1.6.8
    • @​better-auth/drizzle-adapter@​1.6.8
    • @​better-auth/kysely-adapter@​1.6.8
    • @​better-auth/memory-adapter@​1.6.8
    • @​better-auth/mongo-adapter@​1.6.8
    • @​better-auth/prisma-adapter@​1.6.8
    • @​better-auth/telemetry@​1.6.8

1.6.7

... (truncated)

Commits
  • f484269 chore: release v1.6.9 (#9341)
  • fef7dd6 chore: update readme (#9330)
  • b289ac6 chore: release v1.6.8 (#9316)
  • 9aa8e63 fix(oauth): support mapProfileToUser fallback for providers that may omit e...
  • 856ab24 fix(organization): allow passing id through beforeCreateTeam and `beforeCre...
  • f8076d1 chore: release v1.6.7 (#9289)
  • 4f373ee feat(social-providers): accept array of Client IDs for ID token audience (#9292)
  • e1b1cfc fix(oauth2): guard against undefined body when parsing state (#9293)
  • d053a45 fix(phone-number): call callbackOnVerification when updatePhoneNumber is enab...
  • 307196a fix(api): preserve response headers when APIError is thrown (#9211)
  • Additional commits viewable in compare view

Updates hono from 4.12.14 to 4.12.16

Release notes

Sourced from hono's releases.

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.14...v4.12.15

Commits

Updates @commitlint/cli from 20.5.0 to 20.5.3

Release notes

Sourced from @​commitlint/cli's releases.

v20.5.3

20.5.3 (2026-04-30)

Refactor

Docs

New Contributors

Full Changelog: conventional-changelog/commitlint@v20.5.2...v20.5.3

v20.5.2

20.5.2 (2026-04-25)

Just minor dep updates before the next breaking change

Chore & Docs

New Contributors

Full Changelog: conventional-changelog/commitlint@v20.5.1...v20.5.2

v20.5.1

20.5.1 (2026-03-31)

Bug Fixes

Reverts

... (truncated)

Changelog

Sourced from @​commitlint/cli's changelog.

20.5.3 (2026-04-30)

Note: Version bump only for package @​commitlint/cli

20.5.2 (2026-04-25)

Note: Version bump only for package @​commitlint/cli

Commits

Updates @commitlint/config-conventional from 20.5.0 to 20.5.3

Release notes

Sourced from @​commitlint/config-conventional's releases.

v20.5.3

20.5.3 (2026-04-30)

Refactor

Docs

New Contributors

Full Changelog: conventional-changelog/commitlint@v20.5.2...v20.5.3

v20.5.2

20.5.2 (2026-04-25)

Just minor dep updates before the next breaking change

Chore & Docs

New Contributors

Full Changelog: conventional-changelog/commitlint@v20.5.1...v20.5.2

v20.5.1

20.5.1 (2026-03-31)

Bug Fixes

Reverts

... (truncated)

Changelog

Sourced from @​commitlint/config-conventional's changelog.

20.5.3 (2026-04-30)

Note: Version bump only for package @​commitlint/config-conventional

Commits

Updates eslint from 10.2.0 to 10.2.1

Release notes

Sourced from eslint's releases.

v10.2.1

Bug Fixes

  • 14be92b fix: model generator yield resumption paths in code path analysis (#20665) (sethamus)
  • 84a19d2 fix: no-async-promise-executor false positives for shadowed Promise (#20740) (xbinaryx)
  • af764af fix: clarify language and processor validation errors (#20729) (Pixel998)
  • e251b89 fix: update eslint (#20715) (renovate[bot])

Documentation

  • ca92ca0 docs: reuse markdown-it instance for markdown filter (#20768) (Amaresh S M)
  • 57d2ee2 docs: Enable Eleventy incremental mode for watch (#20767) (Amaresh S M)
  • c1621b9 docs: fix typos in code-path-analyzer.js (#20700) (Ayush Shukla)
  • 1418d52 docs: Update README (GitHub Actions Bot)
  • 39771e6 docs: Update README (GitHub Actions Bot)
  • 71e0469 docs: fix incomplete JSDoc param description in no-shadow rule (#20728) (kuldeep kumar)
  • 22119ce docs: clarify scope of for-direction rule with dead code examples (#20723) (Amaresh S M)
  • 8f3fb77 docs: document meta.docs.dialects (#20718) (Pixel998)

Chores

  • 7ddfea9 chore: update dependency prettier to v3.8.2 (#20770) (renovate[bot])
  • fac40e1 ci: bump pnpm/action-setup from 5.0.0 to 6.0.0 (#20763) (dependabot[bot])
  • 7246f92 test: add tests for SuppressionsService.load() error handling (#20734) (kuldeep kumar)
  • 4f34b1e chore: update pnpm/action-setup action to v5 (#20762) (renovate[bot])
  • 51080eb test: processor service (#20731) (kuldeep kumar)
  • e7e1889 chore: remove stale babel-eslint10 fixture and test (#20727) (kuldeep kumar)
  • 4e1a87c test: remove redundant async/await in flat config array tests (#20722) (Pixel998)
  • 066eabb test: add rule metadata coverage for languages and docs.dialects (#20717) (Pixel998)
Commits

Updates fallow from 2.40.3 to 2.56.0

Release notes

Sourced from fallow's releases.

v2.56.0 - workspace deps as first-class, Tailwind @​plugin, whole-enum fix

Monorepo workspace packages now check like external dependencies, Tailwind v4 @plugin is recognised, and fallow fix --yes removes whole export enum blocks instead of leaving dead shells.

Added

  • fallow fix --yes removes unused exported enum declarations entirely. When an exported enum is unused outside its file, the whole export enum Foo { ... } block is dropped instead of leaving a non-exported zombie declaration. Covers single-line, multi-line, export const enum, and export declare enum forms, with safe descending-index ordering when other export-list lines on the same file also get rewritten. Falls back to keyword-only stripping when the enum is still referenced locally so the file continues to compile. The remove-export action description in JSON output and the fix_apply MCP tool description are refreshed so consumers see the broader behaviour.
  • All-member enum-member removal folds into whole-enum removal. When fallow fix --yes would remove every member of an exported enum, the entire export enum X { ... } block is dropped in a single write instead of stripping members one at a time and leaving behind a syntactically valid but semantically dead export enum X {} shell that detection then fails to surface on the next pass. JSON output collapses the per-member entries for a folded enum into a single remove_export entry at the declaration line so consumers see exactly the edit that happened. Non-JSON output emits a stderr advisory pointing at the TypeScript build for importer cleanup, since fallow's reachability detector cannot surface a name-level dangling import once the file resolves successfully. Thanks @​mjfwebb for reporting. (Closes #232)
  • Tailwind v4 @plugin directive recognised in CSS, SCSS, and Vue/Svelte <style> blocks. @plugin "..." is parsed as a default import, so package plugins (daisyui, @tailwindcss/typography) are credited as used dependencies and relative plugin files have their default export marked used. Unlike SCSS @use, extensionless package names stay bare in .scss/.sass files because they are package specifiers, not local partials. Verified against daisyui's own packages/playground: without the fix, daisyui is flagged as an unused dev dependency; with the fix, it is correctly credited via @plugin "daisyui". Thanks @​filipw01 for reporting. (Closes #230)

Changed

  • Workspace packages treated as first-class dependencies. Workspace package names are now checked the same way as external npm packages: resolved internal-module imports whose specifier matches a workspace name are credited to package usage, so monorepo edges between workspace packages count as usage. Declared-but-unimported workspace deps now surface in unused_dependencies, and imports of a workspace package from a workspace whose own package.json does not list it surface in unlisted_dependencies. Self-references stay allowed without requiring a package to depend on itself. External plugin definitions (fallow-plugin-* / inline framework configs) now also activate per-workspace inside run_workspace_fast, so a custom plugin enabled by a workspace dependency keeps its alwaysUsed and toolingDependencies honored during real analysis instead of only appearing in fallow list --plugins. Verified against vue-core (real pnpm monorepo): the change surfaces 3 new unused-dependency findings (incl. @vue/reactivity declared but only referenced via declare module in runtime-dom) and 11 new unlisted-dependency findings on @vue/* internal packages. Thanks @​filipw01 for reporting. (Closes #228)

Fixed

  • Enum-member fix dedup keys on full triple so single-line folds fire. The sort + dedup of EnumMemberFix previously used line_idx alone, which collapsed distinct members of a single-line enum (export enum E { A, B }) down to one entry before detect_folded_enums could see them. The fold's all-members-removed check then concluded the body still held member B and refused to fire, leaving a half-stripped one-liner instead of the whole-block delete the fold path expects. Sort and dedup now use (line_idx desc, parent, member), so same-line distinct members survive into the fold pass.

Internal

  • Enum-declaration helpers (declares_exported_enum, find_enum_declaration_range, removable_exported_enum_range, supporting identifier-boundary helpers) extracted from fix/exports.rs into a new fix/enum_helpers.rs sibling module with pub(super) visibility, so both exports.rs and enum_members.rs can share them without re-implementation. No behaviour change.

Full Changelog: fallow-rs/fallow@v2.55.0...v2.56.0

v2.55.0 — private-type-leak rule, knip-parity ignoreExportsUsedInFile, faster audit

Highlights

  • New opt-in private-type-leaks rule flags exported function or method signatures that reference types not also exported from the same module. The leaks are real: consumers cannot name the type when wrapping, mocking, or destructuring an argument.
  • New ignoreExportsUsedInFile config option (knip parity) keeps exports quiet while another symbol in the same file still references them, and surfaces them once the last reference goes away.
  • TanStack Router virtual route configs now resolve correctly: route components reachable only via route(...) / index(...) / layout(...) declarations in a virtual config are no longer reported as unused. Thanks @​M-Hassan-Raza (#223).
  • fallow audit shares dead-code analysis across check, health, and dupes instead of re-parsing for each step. The local-developer flow is faster, no flag changes.
  • fallow health --score no longer auto-runs churn-backed hotspot analysis on plain invocations. Run with --hotspots (or --targets --score) to include the hotspot penalty. Snapshot and trend flows still trigger hotspots so saved data stays complete.
  • LSP pull diagnostics now respond. Modern Helix, Zed, and recent Neovim setups that use textDocument/diagnostic instead of the push channel will start receiving fallow findings.

Added

  • private-type-leak issue type for exported function and method signatures that reference an unexported type. Opt-in via the private-type-leaks rule (rules.private-type-leaks: "error" or "warn"); default severity is "off". Framework routing convention files (Next.js app/, Nuxt pages/, SvelteKit +page.ts/+layout.ts, Remix routes, TanStack route configs, Astro pages, Solid/Qwik routes) are skipped because their exports are framework contracts, not public API surface.
  • ignoreExportsUsedInFile config option (knip parity). Set true to keep exports referenced inside their own file from showing up as unused; default is false (the stricter fallow behavior).
  • TanStack Router virtual route configs are recognised. Route components consumed only by routeTree.gen.ts via virtual route(...) / index(...) / layout(...) declarations are no longer flagged. Thanks @​M-Hassan-Raza. (#223)

Changed

  • fallow health --score no longer auto-runs churn-backed hotspot analysis. Plain --score computes from duplication, dead-code, complexity, maintainability, unused-deps, circular-deps, unit-size, and coupling penalties. The hotspots penalty is included only when hotspot analysis runs (--hotspots, or --targets with --score). The previous behavior shelled out to git log on every --score, which dominated health timing on large repos. Snapshot (--save-snapshot) and trend (--trend) flows still trigger hotspot vital signs. Score numbers can rise on projects that previously took a non-zero hotspot penalty: CI --min-score gates may need re-baselining. Human output now hints N/A: hotspots (enable the corresponding analysis flags) and the JSON health_score.penalties.hotspots field is omitted when the penalty was not computed.

Fixed

  • LSP server now serves document diagnostic pulls. Editors that follow the textDocument/diagnostic pull model (modern Helix, Zed, recent Neovim configs) previously got no diagnostics from the fallow LSP. The pull handler now returns a RelatedFullDocumentDiagnosticReport keyed by the requested document's URI, so pull-mode and push-mode editors see the same findings.

Performance

  • Audit shares dead-code parse and analysis with health and dupes. fallow audit previously ran the dead-code pipeline (parse, semantic, graph build, plugin pass) once for check, again for health, and again for dupes. The orchestrator now computes the shared result once and threads the file list and analysis output through to both downstream steps, cutting redundant parsing work in the dominant local-developer flow.

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.56.0] - 2026-04-30

Added

  • fallow fix --yes removes unused exported enum declarations entirely. When an exported enum is unused outside its file, the whole export enum Foo { ... } block is dropped instead of leaving a non-exported zombie declaration. Covers single-line, multi-line, export const enum, and export declare enum forms, with safe descending-index ordering when other export-list lines on the same file also get rewritten. Falls back to keyword-only stripping when the enum is still referenced locally so the file continues to compile. The remove-export action description in JSON output and the fix_apply MCP tool description are refreshed so consumers see the broader behaviour.
  • All-member enum-member removal folds into whole-enum removal. When fallow fix --yes would remove every member of an exported enum, the entire export enum X { ... } block is dropped in a single write instead of stripping members one at a time and leaving behind a syntactically valid but semantically dead export enum X {} shell that detection then fails to surface on the next pass. JSON output collapses the per-member entries for a folded enum into a single remove_export entry at the declaration line so consumers see exactly the edit that happened. Non-JSON output emits a stderr advisory pointing at the TypeScript build for importer cleanup, since fallow's reachability detector cannot surface a name-level dangling import once the file resolves successfully. Thanks @​mjfwebb for reporting. (Closes #232)
  • Tailwind v4 @plugin directive recognised in CSS, SCSS, and Vue/Svelte <style> blocks. @plugin "..." is parsed as a default import, so package plugins (daisyui, @tailwindcss/typography) are credited as used dependencies and relative plugin files have their default export marked used. Unlike SCSS @use, extensionless package names stay bare in .scss/.sass files because they are package specifiers, not local partials. Verified against daisyui's own packages/playground: without the fix, daisyui is flagged as an unused dev dependency; with the fix, it is correctly credited via @plugin "daisyui". Thanks @​filipw01 for reporting. (Closes #230)

Changed

  • Workspace packages treated as first-class dependencies. Workspace package names are now checked the same way as external npm packages: resolved internal-module imports whose specifier matches a workspace name are credited to package usage, so monorepo edges between workspace packages count as usage. Declared-but-unimported workspace deps now surface in unused_dependencies, and imports of a workspace package from a workspace whose own package.json does not list it surface in unlisted_dependencies. Self-references stay allowed without requiring a package to depend on itself. External plugin definitions (fallow-plugin-* / inline framework configs) now also activate per-workspace inside run_workspace_fast, so a custom plugin enabled by a workspace dependency keeps its alwaysUsed and toolingDependencies honored during real analysis instead of only appearing in fallow list --plugins. Verified against vue-core (real pnpm monorepo): the change surfaces 3 new unused-dependency findings (incl. @vue/reactivity declared but only referenced via declare module in runtime-dom) and 11 new unlisted-dependency findings on @vue/* internal packages. Thanks @​filipw01 for reporting. (Closes #228)

Fixed

  • Enum-member fix dedup keys on full triple so single-line folds fire. The sort + dedup of EnumMemberFix previously used line_idx alone, which collapsed distinct members of a single-line enum (export enum E { A, B }) down to one entry before detect_folded_enums could see them. The fold's all-members-removed check then concluded the body still held member B and refused to fire, leaving a half-stripped one-liner instead of the whole-block delete the fold path expects. Sort and dedup now use (line_idx desc, parent, member), so same-line distinct members survive into the fold pass.

Internal

  • Enum-declaration helpers (declares_exported_enum, find_enum_declaration_range, removable_exported_enum_range, supporting identifier-boundary helpers) extracted from fix/exports.rs into a new fix/enum_helpers.rs sibling module with pub(super) visibility, so both exports.rs and enum_members.rs can share them without re-implementation. No behaviour change.

[2.55.0] - 2026-04-29

Added

  • private-type-leak issue type for exported function and method signatures. Detects when an exported function, class method, or class field references a type that is not also exported from the same module, producing a finding the consumer cannot name when they need to type a wrapper, mock, or destructured argument. Opt-in via the private-type-leaks rule (rules.private-type-leaks: "error" or "warn"); default severity is "off" so existing projects don't see new findings without explicit consent. Framework routing convention files (Next.js app/ route handlers, Nuxt pages/, SvelteKit +page.ts/+layout.ts, Remix routes, TanStack route configs, Astro pages, Solid/Qwik routes) are skipped because their exports are framework contracts rather than public API surface.
  • ignoreExportsUsedInFile config option (knip parity). When set to true, exports that are referenced inside the same file as their declaration are not reported as unused, matching knip's behavior for projects that re-export internal utilities purely for convenience or testing. Default false keeps the stricter fallow behavior.
  • TanStack virtual route configs supported. The TanStack Router plugin now recognises virtual route files declared via route(...) / index(...) / layout(...) in a config, so route components consumed only by routeTree.gen.ts are no longer reported as unused. Thanks @​M-Hassan-Raza. (#223)

Changed

  • fallow health --score no longer auto-runs churn-backed hotspot analysis. Plain --score now computes the score using duplication, dead-code, complexity, maintainability, unused-deps, circular-deps, unit-size, and coupling penalties. The hotspots penalty is only included when hotspot analysis runs (via --hotspots, or --targets with --score). The previous behavior forced every --score invocation to run a git log shell-out, which dominated health timing on large repos. Snapshot (--save-snapshot) and trend (--trend) flows still trigger hotspot vital signs so saved snapshots remain complete. Score numbers can rise on projects that previously took a non-zero hotspot penalty; CI --min-score gates may need re-baselining. The human output now hints N/A: hotspots (enable the corresponding analysis flags) and the JSON health_score.penalties.hotspots field is omitted when the penalty was not computed.

Fixed

  • LSP server now serves document diagnostic pulls. Editors that follow the textDocument/diagnostic pull model (modern Helix, Zed, recent Neovim configs) previously got no diagnostics from the fallow LSP because the server only published via the push channel. The pull handler now returns a RelatedFullDocumentDiagnosticReport keyed by the requested document's URI, so pull-mode and push-mode editors see the same findings.

Performance

  • Audit shares dead-code parse and analysis with health and dupes. fallow audit previously ran the dead-code pipeline (parse, semantic, graph build, plugin pass) once for check, again for health, and again for dupes. The orchestrator now computes the shared result once and threads the file list and analysis output through to both downstream steps, cutting redundant parsing work in the dominant local-developer flow.
  • Workspace plugin runs see only their own files. run_plugins now buckets discovered files by workspace root before parallel plugin execution and passes each workspace its own pre-computed relative paths, instead of feeding every workspace the full project file list. Cuts the per-workspace plugin matcher work from O(workspaces × all_files × matchers) to O(workspace_files × matchers) on monorepos. End-to-end plugin detection is unchanged because the filesystem-fallback Phase 3b still scans workspace and project roots for unmatched config files.
  • Duplicate-export importer overlap is single-pass. find_duplicate_exports pre-builds an FxHashMap<&Path, FileId> index instead of scanning every module per location, and has_common_importer walks each duplicate file's reverse_deps once into an importer_owner map instead of comparing every pair of importer sets. Same output, lower complexity on projects with many duplicate-export groups.

Internal

  • New regression test asserts expand_recursive_workspace_pattern preserves nested workspace roots (e.g., apps/app/packages/nested/) when both parent and child have a package.json.
  • New end-to-end test asserts run_workspace_fast invokes plugin.resolve_config() for workspace-local config files and surfaces the parsed entry pattern.
  • Pre-push hook now unsets GIT_DIR and GIT_WORK_TREE so integration tests run from the worktree path even when the user's shell environment exports those variables (fixes flaky push from worktrees with bare-repo-style configs).
  • .gitignore updated to exclude crash handover marker files.
  • Dependency bump: tokio 1.51.1 → 1.52.1 (#218).
  • Docs touch-ups: MCP analyze tool description, agent context note for the new opt-in default of the private-type-leaks rule, and crap_max description refined across coverage_model variants.

... (truncated)

Commits
  • 76ae5e9 chore: release v2.56.0
  • 7b40d18 feat(deps): treat internal workspace packages as first-class deps
  • a78736d fix(fix): dedup enum-member fixes by full key so single-line folds fire
  • 1487b30 feat(fix): fold all-member removal into whole-enum removal
  • 6787ea6 refactor(fix): extract enum-declaration helpers into fix/enum_helpers.rs
  • 5aa1796 feat(fix): remove unused exported enum declarations entirely
  • adcecc6 feat(css): support Tailwind v4 @​plugin directive
  • 9dbf862 chore(napi): sync package.json / package-lock / index.js to v2.55.0
  • 9aa1454 docs(changelog): clarify private-type-leaks rule key (plural) for v2.55.0 entry
  • 0d4af56 chore: release v2.55.0
  • Additional commits viewable in compare view

Updates tap from 21.7.0 to 21.7.1

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps): bump the npm-deps group across 1 directory with 8 updates
fce2163 
Bumps the npm-deps group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@hono/node-server](https://github.com/honojs/node-server) | `2.0.0` | `2.0.1` |
| [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.6.5` | `1.6.9` |
| [hono](https://github.com/honojs/hono) | `4.12.14` | `4.12.16` |
| [@commitlint/cli](https://github.com/conventional-changelog/commitlint/tree/HEAD/@commitlint/cli) | `20.5.0` | `20.5.3` |
| [@commitlint/config-conventional](https://github.com/conventional-changelog/commitlint/tree/HEAD/@commitlint/config-conventional) | `20.5.0` | `20.5.3` |
| [eslint](https://github.com/eslint/eslint) | `10.2.0` | `10.2.1` |
| [fallow](https://github.com/fallow-rs/fallow) | `2.40.3` | `2.56.0` |
| [tap](https://github.com/tapjs/tapjs) | `21.7.0` | `21.7.1` |



Updates `@hono/node-server` from 2.0.0 to 2.0.1
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v2.0.0...v2.0.1)

Updates `better-auth` from 1.6.5 to 1.6.9
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/better-auth@1.6.9/packages/better-auth)

Updates `hono` from 4.12.14 to 4.12.16
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.14...v4.12.16)

Updates `@commitlint/cli` from 20.5.0 to 20.5.3
- [Release notes](https://github.com/conventional-changelog/commitlint/releases)
- [Changelog](https://github.com/conventional-changelog/commitlint/blob/master/@commitlint/cli/CHANGELOG.md)
- [Commits](https://github.com/conventional-changelog/commitlint/commits/v20.5.3/@commitlint/cli)

Updates `@commitlint/config-conventional` from 20.5.0 to 20.5.3
- [Release notes](https://github.com/conventional-changelog/commitlint/releases)
- [Changelog](https://github.com/conventional-changelog/commitlint/blob/master/@commitlint/config-conventional/CHANGELOG.md)
- [Commits](https://github.com/conventional-changelog/commitlint/commits/v20.5.3/@commitlint/config-conventional)

Updates `eslint` from 10.2.0 to 10.2.1
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.2.0...v10.2.1)

Updates `fallow` from 2.40.3 to 2.56.0
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.40.3...v2.56.0)

Updates `tap` from 21.7.0 to 21.7.1
- [Release notes](https://github.com/tapjs/tapjs/releases)
- [Commits](https://github.com/tapjs/tapjs/commits)

---
updated-dependencies:
- dependency-name: "@hono/node-server"
  dependency-version: 2.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: better-auth
  dependency-version: 1.6.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: hono
  dependency-version: 4.12.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: "@commitlint/cli"
  dependency-version: 20.5.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: "@commitlint/config-conventional"
  dependency-version: 20.5.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: eslint
  dependency-version: 10.2.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: fallow
  dependency-version: 2.56.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: tap
  dependency-version: 21.7.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants