Skip to content

chore(deps-dev): bump the dev-dependencies group across 1 directory with 8 updates#24

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/dev-dependencies-31a6574d34
Open

chore(deps-dev): bump the dev-dependencies group across 1 directory with 8 updates#24
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/dev-dependencies-31a6574d34

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 11, 2026
edited
Loading

Bumps the dev-dependencies group with 8 updates in the / directory:

Package From To
@biomejs/biome 2.4.4 2.4.15
@types/node 25.3.0 25.7.0
@vitest/coverage-v8 4.0.18 4.1.6
@vitest/ui 4.0.18 4.1.6
better-auth 1.5.0 1.6.10
happy-dom 20.7.0 20.9.0
ultracite 7.2.3 7.7.0
vitest 4.0.18 4.1.6

Updates @biomejs/biome from 2.4.4 to 2.4.15

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.15

2.4.15

Patch Changes

  • #9394 ba3480e Thanks @​dyc3! - Added the nursery rule useTestHooksInOrder in the test domain. The rule enforces that Jest/Vitest lifecycle hooks (beforeAll, beforeEach, afterEach, afterAll) are declared in the order they execute, making test setup and teardown easier to reason about.

  • #10254 e0a54cc Thanks @​dyc3! - Added a new nursery rule useVueNextTickPromise, which enforces Promise syntax when using Vue nextTick.

    For example, the following snippet triggers the rule:

    import { nextTick } from "vue";
nextTick(() => {
updateDom();
});

  • #10219 64aee45 Thanks @​dyc3! - Added a new nursery rule noVueVOnNumberValues, that disallows deprecated number modifiers on Vue v-on directives.

    For example, the following snippet triggers the rule:

    <input @keyup.13="submit" />

  • #10195 7b8d4e1 Thanks @​dyc3! - Added the new nursery rule useVueValidVFor, which validates Vue v-for directives and reports invalid aliases, missing component keys, and keys that do not use iteration variables.

  • #10238 1110256 Thanks @​dyc3! - Added the recommended nursery rule noVueImportCompilerMacros, which disallows importing Vue compiler macros such as defineProps from vue because they are automatically available.

  • #10201 1a08f89 Thanks @​realknove! - Fixed #10193: style/useReadonlyClassProperties no longer reports class properties as readonly-able when they are assigned inside arrow callbacks nested in class property initializers.

  • #9574 3bd2b6a Thanks @​Conaclos! - Fixed #9530. The diagnostics of organizeImports are now more detailed and more precise. They are also better at localizing where the issue is.

  • #10205 a704a6c Thanks @​Conaclos! - Fixed #10185. `organizeImports now errors when it encounters an unknown predefined group.

    The following configuration is now reported as invalid because :INEXISTENT: is an unknown predefined group.

    {
  "assist": {
    "actions": {
      "source": {
        "organizeImports": { "options": { "groups": [":INEXISTENT:"] } }
      }
    }
  }
}

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.15

Patch Changes

  • #9394 ba3480e Thanks @​dyc3! - Added the nursery rule useTestHooksInOrder in the test domain. The rule enforces that Jest/Vitest lifecycle hooks (beforeAll, beforeEach, afterEach, afterAll) are declared in the order they execute, making test setup and teardown easier to reason about.

  • #10254 e0a54cc Thanks @​dyc3! - Added a new nursery rule useVueNextTickPromise, which enforces Promise syntax when using Vue nextTick.

    For example, the following snippet triggers the rule:

    import { nextTick } from "vue";
nextTick(() => {
updateDom();
});

  • #10219 64aee45 Thanks @​dyc3! - Added a new nursery rule noVueVOnNumberValues, that disallows deprecated number modifiers on Vue v-on directives.

    For example, the following snippet triggers the rule:

    <input @keyup.13="submit" />

  • #10195 7b8d4e1 Thanks @​dyc3! - Added the new nursery rule useVueValidVFor, which validates Vue v-for directives and reports invalid aliases, missing component keys, and keys that do not use iteration variables.

  • #10238 1110256 Thanks @​dyc3! - Added the recommended nursery rule noVueImportCompilerMacros, which disallows importing Vue compiler macros such as defineProps from vue because they are automatically available.

  • #10201 1a08f89 Thanks @​realknove! - Fixed #10193: style/useReadonlyClassProperties no longer reports class properties as readonly-able when they are assigned inside arrow callbacks nested in class property initializers.

  • #9574 3bd2b6a Thanks @​Conaclos! - Fixed #9530. The diagnostics of organizeImports are now more detailed and more precise. They are also better at localizing where the issue is.

  • #10205 a704a6c Thanks @​Conaclos! - Fixed #10185. `organizeImports now errors when it encounters an unknown predefined group.

    The following configuration is now reported as invalid because :INEXISTENT: is an unknown predefined group.

    {
  "assist": {
    "actions": {
      "source": {
        "organizeImports": { "options": { "groups": [":INEXISTENT:"] } }
      }
    }
  }
}

... (truncated)

Commits

Updates @types/node from 25.3.0 to 25.7.0

Commits

Updates @vitest/coverage-v8 from 4.0.18 to 4.1.6

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.6

   🐞 Bug Fixes

   🏎 Performance

    View changes on GitHub

v4.1.5

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub

v4.1.4

   🚀 Experimental Features

   🐞 Bug Fixes

... (truncated)

Commits

Updates @vitest/ui from 4.0.18 to 4.1.6

Release notes

Sourced from @​vitest/ui's releases.

v4.1.6

   🐞 Bug Fixes

   🏎 Performance

    View changes on GitHub

v4.1.5

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub

v4.1.4

   🚀 Experimental Features

   🐞 Bug Fixes

... (truncated)

Commits

Updates better-auth from 1.5.0 to 1.6.10

Release notes

Sourced from better-auth's releases.

v1.6.10

better-auth

Bug Fixes

  • Exposed refreshUserSessions on the internal adapter (#7764)
  • Fixed organization invitation roles to accept dynamic access control roles (#9437)
  • Improved link accessibility (#9521)
  • Fixed incorrect email casing in one-tap, email-otp, and email-verification flows (#9369)
  • Fixed OpenAPI schema for POST /sign-in/social mis-declaring required fields (#9268)
  • Added a warning when the cookie plugin is placed last in the plugins array (#9484)
  • Fixed useSession not revalidating after admin impersonation starts or stops (#9402)
  • Fixed duplicate Set-Cookie headers being emitted on redirect responses from social sign-in and magic-link endpoints (#9497)
  • Fixed the bearer plugin writing duplicate cookie entries when merging the session token into request headers (#9387)
  • Fixed captcha plugin breaking the email-otp flow (#8339)
  • Fixed email enumeration protection not applying when emailAndPassword.autoSignIn is false (#8839)
  • Fixed a TypeError caused by non-ASCII characters in OAuth error descriptions on redirect (#9065)
  • Renamed internalAdapter.deleteAccount parameter from accountId to id to reflect that it queries by primary key (#9503)
  • Fixed OAuth callbacks accepting a missing provider account ID, which could link accounts under an undefined id (#9456)
  • Fixed cancelPendingInvitationsOnReInvite having no effect, where re-inviting the same email always returned USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION (#9453)
  • Fixed a TS2742 type error caused by missing re-exports when using additionalFields in the organization plugin (#9349)
  • Fixed useActiveMemberRole retaining a previous user's role after sign-out in SPA flows (#9440)
  • Fixed setActiveTeam to only accept teams from the currently active organization (#9239)
  • Added authClient.siwe.getNonce() as a compatibility alias for the SIWE nonce endpoint (#9461)
  • Fixed callbackURL being ignored on signIn.username, so it now redirects correctly like signIn.email (#9475)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed sessionId typing in refresh token types to be optional, matching the schema (#9324)
  • Fixed stale prompt=login consent continuations not completing after a forced login
  • Exported OAuth provider helper types needed for portable downstream TypeScript declaration emit (#9406)
  • Fixed prompt=login not being honored after consent continuation, preventing session bypass (#9344)
  • Added database indexes to OAuth provider foreign-key fields in generated schemas (#9389)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed onSubscriptionUpdate to receive the raw stripeSubscription object, and fixed onSubscriptionCancel to receive the post-update subscription row instead of a stale snapshot (#9354)
  • Fixed getCheckoutSessionParams overriding internally managed Stripe Checkout Session fields such as success_url, cancel_url, customer, and line_items (#9481)
  • Fixed onSubscriptionDeleted, onTrialEnd, and onTrialExpired receiving a stale pre-update subscription snapshot instead of the post-update row (#9356)
  • Fixed getCheckoutSessionParams overriding free trial and internal metadata, which could hide trial periods and create duplicate subscription rows on webhook (#9474)
  • Renamed internal subscription webhook variables for clarity (#9355)

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.10

Patch Changes

  • #8339 1e0f26d Thanks @​ping-maxwell! - fix(captcha): breaks email-otp flow

  • #9484 8c1e917 Thanks @​ping-maxwell! - fix: warn for cookie-plugin being last in array

  • #9437 b2d655c Thanks @​cyphercodes! - Allow organization invitation role input types to accept dynamic access control roles.

  • #9497 09f1327 Thanks @​bytaesu! - Endpoints that set cookies before redirecting (such as social sign-in callbacks and magic-link verification) no longer emit each Set-Cookie entry twice on the response.

  • #9387 906b7b3 Thanks @​bytaesu! - The bearer plugin now produces a single entry per cookie name when merging its session token into the request Cookie header. Previously the merged header could carry two entries for the same name if the request already had a stale session cookie, which would surface to downstream code that picks the first occurrence.

  • #9475 e9c978e Thanks @​jaydeep-pipaliya! - fix(username): respect callbackURL on /sign-in/username

    The endpoint accepted a callbackURL body field but ignored it, so authClient.signIn.username({ ..., callbackURL }) silently did nothing while authClient.signIn.email redirected as expected. The handler now sets a Location header when callbackURL is provided and returns { redirect, url } alongside token/user, matching the email flow.

  • #9440 e71aad3 Thanks @​cyphercodes! - Clear organization active hook state after sign-out so useActiveMemberRole does not retain a previous user's role in SPA sign-out/sign-in flows.

  • #9402 80a655d Thanks @​onmax! - Revalidate the client session after admin impersonation starts or stops.

  • #9503 15ff28a Thanks @​bytaesu! - internalAdapter.deleteAccount parameter renamed from accountId to id to reflect that it queries by primary key, not the accountId column. No runtime behavior change.

  • #9268 88a7c67 Thanks @​ping-maxwell! - fix: openAPI schema for POST /sign-in/social mis-declares required fields

  • #8839 9a7b51d Thanks @​dipan-ck! - Apply email enumeration protection when emailAndPassword.autoSignIn is false. Duplicate sign-ups now return a synthetic user (token: null) and trigger onExistingUserSignUp, and new sign-ups skip auto sign-in (token: null)—even without requireEmailVerification, aligning with the docs.

  • #9065 1b25902 Thanks @​ping-maxwell! - non-ASCII error_description in generic-oauth callback routes causes TypeError on redirect

  • #9349 cf59136 Thanks @​ping-maxwell! - fix(organization): re-export field types to prevent TS2742 with additionalFields

  • #9453 a597ee0 Thanks @​mausic! - The organization plugin's cancelPendingInvitationsOnReInvite option now actually cancels the prior pending invitation when re-inviting the same email. Previously the option had no effect — re-inviting always failed with USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION

  • #9456 fc02ced Thanks @​cyphercodes! - Reject OAuth callbacks when provider user info omits the account id to avoid linking accounts under the literal undefined id.

  • #9461 9f1ef1f Thanks @​cyphercodes! - Expose authClient.siwe.getNonce() as a compatibility alias for the SIWE nonce endpoint.

  • #9369 36ef808 Thanks @​ping-maxwell! - fix: incorrect email casing across one-tap, email-otp & email-verification

... (truncated)

Commits
  • cbb5014 chore: release v1.6.10 (#9350)
  • 09f1327 fix(api): prevent duplicate set-cookie on redirect (#9497)
  • 15ff28a fix(internal-adapter): rename deleteAccount param from accountId to id (#...
  • fde0432 fix: improve link accessibility issues (#9521)
  • cf59136 fix(organization): re-export field types to prevent TS2742 with additionalFie...
  • 8c1e917 fix: warn for cookie-plugin being last in array (#9484)
  • 3a9a2c3 chore: expose refreshUserSessions on internal adapter (#7764)
  • e9c978e fix(username): respect callbackURL on sign-in (#9475)
  • 36ef808 fix: incorrect email casing across one-tap, email-otp & email-verification (#...
  • 9a7b51d fix(credential): apply enumeration protection when autoSignIn is false (#8839)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for better-auth since your current version.


Updates happy-dom from 20.7.0 to 20.9.0

Release notes

Sourced from happy-dom's releases.

v20.9.0

🎨 Features

  • Adds support for event listener properties on Window (e.g. Window.onkeydown) - By @​capricorn86 in task #2131

v20.8.9

👷‍♂️ Patch fixes

  • Fixes issue where cookies from the current origin was being forwarded to the target origin in fetch requests - By @​capricorn86 in task #2117

v20.8.8

👷‍♂️ Patch fixes

  • Fixes issue where export names can be interpolated as executable code in ESM - By @​capricorn86 in task #2113
    • A security advisory (GHSA-6q6h-j7hj-3r64) has been reported that shows a security vulnerability where it may be possible to escape the VM context and get access to process level functionality in unsafe environments using CommonJS. Big thanks to @​tndud042713 for reporting this!

v20.8.7

👷‍♂️ Patch fixes

  • Replace implementing Node.js Console with common IConsole interface to support latest version of Bun - By @​YevheniiKotyrlo in task #1845

v20.8.6

👷‍♂️ Patch fixes

v20.8.5

👷‍♂️ Patch fixes

  • Fixes error thrown when modifying DOM structure in connectedCallback() - By @​capricorn86 in task #2110

v20.8.4

👷‍♂️ Patch fixes

v20.8.3

👷‍♂️ Patch fixes

  • Throw error if event is not of type Event in EventTarget.dispatchEvent() - By @​capricorn86 in task #2054

v20.8.2

👷‍♂️ Patch fixes

  • Resets Event.cancelBubble and Event.defaultPrevented when calling Event.initEvent() - By @​capricorn86 in task #2090

v20.8.1

👷‍♂️ Patch fixes

v20.8.0

🎨 Features

  • Adds support for setPointerCapture, hasPointerCapture, and releasePointerCapture to Element - By @​coffeeandwork in task #1733

v20.7.2

👷‍♂️ Patch fixes

  • Properly decode CSS escape sequences in attribute selector values - By @​silverwind

... (truncated)

Commits

@dependabot
chore(deps-dev): bump the dev-dependencies group across 1 directory w…
3df6a7f 
…ith 8 updates

Bumps the dev-dependencies group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) | `2.4.4` | `2.4.15` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.3.0` | `25.7.0` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.0.18` | `4.1.6` |
| [@vitest/ui](https://github.com/vitest-dev/vitest/tree/HEAD/packages/ui) | `4.0.18` | `4.1.6` |
| [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.5.0` | `1.6.10` |
| [happy-dom](https://github.com/capricorn86/happy-dom) | `20.7.0` | `20.9.0` |
| [ultracite](https://github.com/haydenbleasel/ultracite) | `7.2.3` | `7.7.0` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.18` | `4.1.6` |



Updates `@biomejs/biome` from 2.4.4 to 2.4.15
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.4.15/packages/@biomejs/biome)

Updates `@types/node` from 25.3.0 to 25.7.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@vitest/coverage-v8` from 4.0.18 to 4.1.6
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.6/packages/coverage-v8)

Updates `@vitest/ui` from 4.0.18 to 4.1.6
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.6/packages/ui)

Updates `better-auth` from 1.5.0 to 1.6.10
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/better-auth@1.6.10/packages/better-auth)

Updates `happy-dom` from 20.7.0 to 20.9.0
- [Release notes](https://github.com/capricorn86/happy-dom/releases)
- [Commits](capricorn86/happy-dom@v20.7.0...v20.9.0)

Updates `ultracite` from 7.2.3 to 7.7.0
- [Release notes](https://github.com/haydenbleasel/ultracite/releases)
- [Commits](https://github.com/haydenbleasel/ultracite/compare/ultracite@7.2.3...ultracite@7.7.0)

Updates `vitest` from 4.0.18 to 4.1.6
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.6/packages/vitest)

---
updated-dependencies:
- dependency-name: "@biomejs/biome"
  dependency-version: 2.4.15
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-dependencies
- dependency-name: "@types/node"
  dependency-version: 25.7.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-dependencies
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.6
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-dependencies
- dependency-name: "@vitest/ui"
  dependency-version: 4.1.6
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-dependencies
- dependency-name: better-auth
  dependency-version: 1.6.10
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-dependencies
- dependency-name: happy-dom
  dependency-version: 20.9.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-dependencies
- dependency-name: ultracite
  dependency-version: 7.7.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-dependencies
- dependency-name: vitest
  dependency-version: 4.1.6
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 11, 2026
@dependabot dependabot Bot requested a review from vcode-sh as a code owner May 11, 2026 21:02
@github-actions github-actions Bot enabled auto-merge (squash) May 11, 2026 21:03
@sentry
Copy link
Copy Markdown

sentry Bot commented May 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vcode-sh vcode-sh Awaiting requested review from vcode-sh vcode-sh is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants