build(deps-dev): bump lint-staged from 15.2.0 to 16.2.6

[dependabot]

Bumps lint-staged from 15.2.0 to 16.2.6.

Release notes

Sourced from lint-staged's releases.

v16.2.6

Patch Changes

• #1693 33d4502 Thanks @​Adrian-Baran-GY! - Fix problems with --continue-on-error option, where tasks might have still been killed (SIGINT) when one of them failed.

v16.2.5

Patch Changes

• #1687 9e02d9d Thanks @​iiroj! - Fix unhandled promise rejection when spawning tasks (instead of the tasks themselves failing). Previously when a task failed to spawn, lint-staged also failed and the backup stash might not have been automatically restored.

v16.2.4

Patch Changes

• #1682 0176038 Thanks @​iiroj! - Update dependencies, including nano-spawn@2.0.0 with bug fixes.

• #1671 581a54e Thanks @​iiroj! - Speed up execution by only importing the yaml depedency if using YAML configuration files.

v16.2.3

Patch Changes

• #1669 27cd541 Thanks @​iiroj! - When using --fail-on-changes, automatically hidden (partially) unstaged changes are no longer counted to make lint-staged fail.

v16.2.2

Patch Changes

• #1667 699f95d Thanks @​iiroj! - The backup stash will not be dropped when using --fail-on-changes and there are errors. When reverting to original state is disabled (via --no-revert or --fail-on-changes), hidden (partially) unstaged changes are still restored automatically so that it's easier to resolve the situation manually.

  Additionally, the example for using the backup stash manually now uses the correct backup hash, if available:

  % npx lint-staged --fail-on-changes
  ✔ Backed up original state in git stash (c18d55a3)
  ✔ Running tasks for staged files...
  ✖ Tasks modified files and --fail-on-changes was used!
  ↓ Cleaning up temporary files...
  ✖ lint-staged failed because --fail-on-changes was used.
  Any lost modifications can be restored from a git stash:
  > git stash list --format="%h %s"
  c18d55a3 On main: lint-staged automatic backup
  > git apply --index c18d55a3

v16.2.1

Patch Changes

• #1664 8277b3b Thanks @​iiroj! - The built-in TypeScript types have been updated to more closely match the implementation. Notably, the list of staged files supplied to task functions is readonly string[] and can't be mutated. Thanks @​outslept!

... (truncated)

Changelog

Sourced from lint-staged's changelog.

16.2.6

Patch Changes

• #1693 33d4502 Thanks @​Adrian-Baran-GY! - Fix problems with --continue-on-error option, where tasks might have still been killed (SIGINT) when one of them failed.

16.2.5

Patch Changes

• #1687 9e02d9d Thanks @​iiroj! - Fix unhandled promise rejection when spawning tasks (instead of the tasks themselves failing). Previously when a task failed to spawn, lint-staged also failed and the backup stash might not have been automatically restored.

16.2.4

Patch Changes

• #1682 0176038 Thanks @​iiroj! - Update dependencies, including nano-spawn@2.0.0 with bug fixes.

• #1671 581a54e Thanks @​iiroj! - Speed up execution by only importing the yaml depedency if using YAML configuration files.

16.2.3

Patch Changes

• #1669 27cd541 Thanks @​iiroj! - When using --fail-on-changes, automatically hidden (partially) unstaged changes are no longer counted to make lint-staged fail.

16.2.2

Patch Changes

• #1667 699f95d Thanks @​iiroj! - The backup stash will not be dropped when using --fail-on-changes and there are errors. When reverting to original state is disabled (via --no-revert or --fail-on-changes), hidden (partially) unstaged changes are still restored automatically so that it's easier to resolve the situation manually.

  Additionally, the example for using the backup stash manually now uses the correct backup hash, if available:

  % npx lint-staged --fail-on-changes
  ✔ Backed up original state in git stash (c18d55a3)
  ✔ Running tasks for staged files...
  ✖ Tasks modified files and --fail-on-changes was used!
  ↓ Cleaning up temporary files...
  ✖ lint-staged failed because --fail-on-changes was used.
  Any lost modifications can be restored from a git stash:
  > git stash list --format="%h %s"
  c18d55a3 On main: lint-staged automatic backup
  > git apply --index c18d55a3

... (truncated)

Commits

• a1ec972 chore(changeset): release
• ddd5340 build(deps): regenerate package-lock.json
• ceb253a build(deps): update Vitest 4
• 58cc126 build(deps): update listr2
• 33d4502 fix: run all tasks when --continue-on-error=true
• 54ba9eb test: fix test usage for --continue-on-error
• b1715d9 test: fix test assertions for --continue-on-error to reveal incorrect behavior
• 1f6a326 chore(changeset): release
• 6ab937c ci: use separate caches for MSYS2 and Cygwin
• 6d71384 fix: catch errors when calling spawn
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for lint-staged since your current version.

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[github-actions]

@dependabot merge

[dependabot]

Beginning January 27, 2026, Dependabot will no longer support the @dependabot merge command. Please use GitHub's native pull request controls instead. Please see the changelog announcement for additional details.

[dependabot]

Sorry, only users with push access can use that command.

[codacy-production]

This PR upgrades lint-staged from 15.2.0 to 16.2.6 and includes many transitive dependency updates in package-lock.json. Codacy/Trivy flagged a medium-severity vulnerable dependency (micromatch 4.0.4) which this bump addresses by moving micromatch to 4.0.8. Most changes are dependency metadata updates (versions, engines, licenses). Key risks: dependency compatibility (node engine minimums raised in several packages) and one reported security finding was fixed. Recommend verifying CI/node versions and running tests locally/CI before merging.

Security: Codacy (Trivy) reported micromatch@4.0.4 (CVE-2024-4067). This PR upgrades micromatch to 4.0.8 via lint-staged bump — that addresses the flagged medium severity vulnerability. Good to run a dependency-audit (npm audit / Snyk) as a double-check.

Platform compatibility: Several packages raised their minimal Node engine (e.g. lint-staged -> node >=20.17, nano-spawn, commander, listr2, etc.). Ensure CI and developer environments run a compatible Node version or pin versions appropriately.
Test & CI: Many dev deps changed and some packages changed transitive deps (emoji-regex, ansi-regex, strip-ansi, string-width, etc.). Run full test suite and your precommit flows (husky/lint-staged) in CI to catch runtime/behavioral regressions.

[codacy-production]

You added lint-staged@16.2.6 in package.json — this upgrade pulls newer transitive deps and raises Node engine requirements. Confirm CI/node versions or constrain the upgrade if you need to support older Node versions.

[codacy-production]

package-lock.json still contained micromatch@4.0.4 under fast-glob previously; I see micromatch bumped to 4.0.8 in the lockfile — this resolves the Trivy medium-severity finding (CVE-2024-4067). Good — ensure npm audit shows no remaining critical/medium issues.

[codacy-production]

Many packages now require newer Node engines (examples: lint-staged node >=20.17, listr2 node >=20.0.0, nano-spawn node >=20.17). If your CI or contributors use older Node, test locally or adapt engine fields/CI images.

[codacy-production]

This update replaces older ansi/ansi-regex/ansi-styles/strip-ansi/string-width/emoji-regex variants across the lockfile. These changes can affect terminal output formatting; run interactive commands (precommit hooks) and CLI flows to validate behavior.

[codacy-production]

Restored/updated packages (restore-cursor, onetime, mimic-function, etc.) bump engines to newer Node versions. Confirm transitive change doesn't break other dev scripts that run under older Node.