chore(deps): bump the npm-deps group across 1 directory with 8 updates#22

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm-deps-3bf1e61880

Conversation

@dependabot dependabot Bot commented on behalf of github May 21, 2026

Bumps the npm-deps group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @hono/node-server | 2.0.0 | 2.0.2 |
| better-auth | 1.6.5 | 1.6.11 |
| better-sqlite3 | 12.9.0 | 12.10.0 |
| hono | 4.12.14 | 4.12.18 |
| eslint | 10.2.0 | 10.3.0 |
| fallow | 2.40.3 | 2.73.0 |
| globals | 17.5.0 | 17.6.0 |
| tap | 21.7.0 | 21.7.3 |

Updates @hono/node-server from 2.0.0 to 2.0.2

Release notes

Sourced from @​hono/node-server's releases.

v2.0.2

What's Changed

Full Changelog: honojs/node-server@v2.0.1...v2.0.2

v2.0.1

What's Changed

New Contributors

Full Changelog: honojs/node-server@v2.0.0...v2.0.1

Commits

Updates better-auth from 1.6.5 to 1.6.11

Release notes

Sourced from better-auth's releases.

v1.6.11

better-auth

Bug Fixes

  • Added an error code to the change-email-disabled response to help clients identify the rejection reason (#8948)
  • Fixed access-control role statement types so predefined organization roles expose only their configured permissions in TypeScript (#9507)
  • Fixed the anonymous plugin to correctly call onLinkAccount when email verification triggers auto sign-in (#9548)
  • Fixed device authorization to bind pending codes to the verifying session, preventing any authenticated user from approving or denying another user's device code (#9573)
  • Fixed a race condition in the magic-link plugin that allowed concurrent requests to mint multiple sessions from the same single-use token (#9572)
  • Fixed the oidc-provider and mcp plugins to require client_secret for confidential clients on refresh token grants and use constant-time secret comparison (#9576)
  • Hardened oidc-provider and mcp plugins to follow OAuth 2.1: removed "none" from advertised signing algorithms, defaulted plain PKCE off, and rejected incomplete PKCE parameters (#9575)
  • Fixed an invitation takeover vulnerability by enabling requireEmailVerificationOnInvitation by default and extending the verification gate to getInvitation and listUserInvitations (#9577)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed a race condition in the OAuth authorization-code grant that allowed concurrent token-exchange requests to mint multiple token sets from the same authorization code
  • Fixed a race condition in OAuth refresh-token rotation that allowed concurrent requests to fork refresh token families, and added a unique constraint on oauthRefreshToken.token
  • Fixed OAuth account linking to require a verified local email before linking an OAuth identity to a local account (#9578)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

  • Fixed an invalid import list in the instrumentation module (#9582)
  • Widened advanced.ipAddress.ipv6Subnet to accept any valid IPv6 prefix length (0-128) instead of a narrow set of values (#9545)

For detailed changes, see CHANGELOG

@better-auth/scim

Bug Fixes

  • Fixed session cleanup to run when admin, anonymous, or SCIM operations delete a user (#9162)
  • Fixed generateSCIMToken to reject providerId values that collide with built-in account providers, preventing tokens from authenticating against unintended accounts (#9579)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed SSO provider registration to require an org admin or owner role, preventing any organization member from registering providers (#9220)
  • Fixed an SSRF vulnerability by validating user-supplied OIDC endpoint URLs against a public-routable host allowlist at provider registration and update (#9574)

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.11

Patch Changes

  • #9568 0cbddb8 Thanks @​gustavovalverde! - Add internalAdapter.consumeVerificationValue(identifier): atomically consume a verification row keyed by identifier. The first concurrent caller receives the row; later racers receive null. Backed by a new DBAdapter.consumeOne primitive implemented natively per adapter (memory, mongo, drizzle, kysely, prisma), with a transaction(findMany + delete) factory fallback. SecondaryStorage.getAndDelete is added as an optional companion; Redis ships it via an atomic Lua get-and-delete operation for compatibility with Redis versions before 6.2.

  • #9162 a26333b Thanks @​ping-maxwell! - fix: cleanup sessions when admin, anonymous, or SCIM deletes a user

  • #9573 99a254a Thanks @​gustavovalverde! - fix(device-authorization): require verify-time ownership claim for approve/deny

    Pending device codes were not bound to the user who entered the code on the verification page until approval, leaving a window where any authenticated user could approve or deny another user's pending code by knowing the user_code. GET /device now claims the pending row for the calling session, and POST /device/approve and POST /device/deny require the calling session to match the claimed owner. Custom verification pages must be served to an authenticated session for the flow to succeed.

  • #8948 ee93485 Thanks @​ping-maxwell! - fix: add error code to change-email-disabled

  • #9572 5f09d56 Thanks @​gustavovalverde! - Fix race condition in the magic-link plugin's verify handler that allowed two concurrent requests to mint two sessions from the same single-use token. The handler now consumes the verification row atomically via internalAdapter.consumeVerificationValue, so a given magic link mints at most one session regardless of concurrency. The allowedAttempts option is retained for backward compatibility but no longer multiplies successful redemptions; tokens are single-use. The second-redeem error code changes from ATTEMPTS_EXCEEDED to INVALID_TOKEN (the token no longer exists after consumption).

  • b4bc65a Thanks @​gustavovalverde! - Fix race condition in the OAuth authorization-code grant: two concurrent token-exchange requests sharing the same code could both pass the find step before either delete completed and each mint an independent access/refresh/id token set. The authorization_code handler in @better-auth/oauth-provider, plus the legacy oidc-provider and mcp plugins in better-auth, now consume the verification row atomically via internalAdapter.consumeVerificationValue. The first caller mints tokens; concurrent racers receive invalid_grant (RFC 6749 §5.2). Malformed-verification-value branches in @better-auth/oauth-provider previously returned a project-specific invalid_verification code; those are now invalid_grant so spec-compliant clients can branch on the standard code.

  • #9578 da7e50b Thanks @​gustavovalverde! - handleOAuthUserInfo (used by every social provider, generic-oauth, oauth-proxy, SSO OIDC and SAML, and idToken sign-in) implicitly linked a returning OAuth identity into a local user row whenever the IdP's email_verified claim was true or the provider was trusted. The local row's own emailVerified flag was read only to flip it after linking, never as a precondition. POST /sign-up/email creates rows with emailVerified: false for any caller, so an attacker who pre-registered a victim's email at the application could wait for the legitimate user's first OAuth sign-in: the IdP's verified claim was treated as ownership proof, and the victim's IdP identity was linked into the attacker-owned row.

    The implicit-link gate now requires dbUser.user.emailVerified === true in addition to the provider trust check by default. A new account.accountLinking.requireLocalEmailVerified option (default true) is the public surface for this gate. Apps whose users sign up via OAuth without verifying their email locally can opt back into the legacy behavior with account: { accountLinking: { requireLocalEmailVerified: false } }; understand the takeover risk before doing so. The option is @deprecated; a FIXME at each gate site points at the next-minor follow-up on next that drops the option and makes the gate unconditional.

    The one-tap plugin honored its own copy of the gate and was updated identically: requireLocalEmailVerified and accountLinking.disableImplicitLinking both apply on /one-tap/callback. The email_verified claim from the Google ID token is now normalized via toBoolean so a string "false" is treated as falsy.

    Test fixtures across admin, oidc-provider, mcp, generic-oauth, last-login-method, and oauth-provider suites now mark users emailVerified: true via a databaseHooks.user.create.before hook (or the disableTestUser opt-in on the oauth-provider RP) so the suites continue to exercise their role/flow logic rather than the new gate.

  • #9507 a1c9f3c Thanks @​GautamBytes! - Preserve exact access-control role statement types so predefined organization roles expose only their configured permissions in TypeScript.

  • #9577 23094a6 Thanks @​gustavovalverde! - The organization plugin's invitation recipient endpoints (acceptInvitation, rejectInvitation, getInvitation, listUserInvitations) treated invitation.email.toLowerCase() === session.user.email.toLowerCase() as proof that the calling user owned the invited address. A session-authenticated user whose email matched but was never verified passed the gate, so anyone who could pre-register an unverified account at a victim's email could accept invitations addressed to that email. The requireEmailVerificationOnInvitation opt-in option closed the gap only when explicitly enabled and did not protect getInvitation or listUserInvitations at all.

    The gate is now applied on all four recipient endpoints and the requireEmailVerificationOnInvitation option default flips from false to true so existing apps are secure by default. Apps that intentionally accept invitations from unverified accounts can keep the legacy permissive behavior with organization({ requireEmailVerificationOnInvitation: false }), but they should understand the takeover risk before doing so. Server-side calls to listUserInvitations with ctx.query.email and no session continue to bypass the gate (the caller is trusted).

    The option is @deprecated. The next-minor release on next removes it entirely and makes the gate unconditional.

  • #9548 142b86c Thanks @​dipan-ck! - anonymous plugin now correctly calls onLinkAccount when email verification triggers auto sign-in

  • #9576 1f2ff42 Thanks @​gustavovalverde! - fix(oidc-provider, mcp): authenticate confidential clients on refresh_token grant and harden secret comparison

    Refresh-token grants on the legacy oidc-provider and mcp plugins now require the registered client_secret from confidential clients, matching the authorization_code path. Public clients (where code_verifier substitutes for the secret on the auth-code grant) continue to skip secret validation. Secret comparisons across both plugins now use constant-time equality. The /mcp/token endpoint no longer emits a wildcard CORS Access-Control-Allow-Origin: * header.

    These plugins are deprecated in favor of @better-auth/oauth-provider, which is unaffected. New deployments should adopt the replacement; this patch keeps existing deployments protected while migrating.

  • #9575 699b09a Thanks @​gustavovalverde! - fix(oidc-provider, mcp): drop "none" from advertised signing algorithms, default allowPlainCodeChallengeMethod to false, and reject missing PKCE method

    The legacy oidc-provider and mcp plugins now follow OAuth 2.1 (RFC 9700) on three protocol gates:

    • id_token_signing_alg_values_supported (oidc-provider, mcp) and resource_signing_alg_values_supported (mcp) no longer include "none". Relying parties that negotiate from this list will no longer be steered toward unsigned tokens.
    • allowPlainCodeChallengeMethod defaults to false. Callers who need plain PKCE must opt in explicitly.
    • Under the secure default the authorize endpoint no longer silently rewrites a missing code_challenge_method to "plain" before the allowlist check. A request that provides code_challenge without code_challenge_method is now rejected with invalid_request; the inverse case (code_challenge_method without code_challenge) is also rejected so no inconsistent PKCE state is persisted on the authorization code record.

    Non-breaking for callers who never relied on "none" advertisement or the plain default. Callers who explicitly set allowPlainCodeChallengeMethod: true keep plain on the allowlist and retain the legacy "missing method defaults to plain" behavior for backward compatibility, so existing integrations that opted into plain PKCE continue to work. The next-minor on next will drop both the plain allowlist entry and this fallback; until then, the option is the single explicit knob for legacy behavior. Migrate to @better-auth/oauth-provider for the canonical, spec-aligned implementation.

... (truncated)

Commits
  • f41514e chore: release v1.6.11 (#9532)
  • 699b09a fix(oidc-provider, mcp): drop "none" alg, default plain PKCE off, reject miss...
  • b4bc65a Merge commit from fork
  • a1c9f3c fix(access): preserve exact role statement types (#9507)
  • da7e50b fix(oauth): block OAuth linking to unverified local accounts (#9578)
  • 23094a6 fix(organization): default-on requireEmailVerificationOnInvitation & extend...
  • 1f2ff42 fix(oidc-provider, mcp): authenticate confidential clients on refresh_token g...
  • 5f09d56 fix(magic-link): consume verification token atomically on verify (#9572)
  • 99a254a fix(device-authorization): bind approval to verifier session (#9573)
  • 0cbddb8 refactor(db): rename claimOne adapter primitive to consumeOne (#9568)
  • Additional commits viewable in compare view

Updates better-sqlite3 from 12.9.0 to 12.10.0

Release notes

Sourced from better-sqlite3's releases.

v12.10.0

What's Changed

Full Changelog: WiseLibs/better-sqlite3@v12.9.1...v12.10.0

v12.9.1

⚠️ CAUTION: NOT A VIABLE RELEASE

Electron v39+ prebuilds are not building successfully at the moment. Stick to v12.9.0 for now.

What's Changed

New Contributors

Full Changelog: WiseLibs/better-sqlite3@v12.9.0...v12.9.1

Commits

Updates hono from 4.12.14 to 4.12.18

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36


Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

... (truncated)

Commits

Updates eslint from 10.2.0 to 10.3.0

Release notes

Sourced from eslint's releases.

v10.3.0

Features

  • 379571a feat: add suggestions for no-unused-private-class-members (#20773) (sethamus)

Bug Fixes

  • b6ae5cf fix: handle unavailable require cache (#20812) (Simon Podlipsky)
  • 6fb3685 fix: rule suggestions cause continuation in class body (#20787) (Milos Djermanovic)

Documentation

  • 32cc7ab docs: fix typos in docs and comments (#20809) (Tanuj Kanti)
  • 7f47937 docs: Update README (GitHub Actions Bot)

Chores

  • d32235e ci: use pnpm in eslint-flat-config-utils type integration test (#20826) (Francesco Trotta)
  • 3ffb14e chore: clean up typos in comments and JSDoc (#20821) (Pixel998)
  • 22eb58a chore: add missing continue-on-error to ecosystem-tests.yml (#20818) (Josh Goldberg ✨)
  • 88bf002 ci: bump pnpm/action-setup from 6.0.1 to 6.0.3 (#20815) (dependabot[bot])
  • 97c8c33 chore: update ilshidur/action-discord action to v0.4.0 (#20811) (renovate[bot])
  • 2f58136 chore: pin peter-evans/create-pull-request action to 5f6978f (#20810) (renovate[bot])
  • 77add7f chore: add initial ecosystem plugin tests workflow (#19643) (Josh Goldberg ✨)
  • 4023b55 test: Add unit tests for SuppressionsService.prune() (#20797) (kuldeep kumar)
  • 54080da test: add unit tests for ForkContext (#20778) (kuldeep kumar)
  • f0e2bcc test: add unit tests for SuppressionsService.suppress() method (#20765) (kuldeep kumar)
  • a7f0b94 chore: update dependency prettier to v3.8.3 (#20782) (renovate[bot])
  • 7bf93d9 chore: update TypeScript to v6 (#20677) (sethamus)
  • b42dd72 ci: bump pnpm/action-setup from 6.0.0 to 6.0.1 (#20781) (dependabot[bot])
  • 2b252be test: add unit tests for IdGenerator (#20775) (kuldeep kumar)

v10.2.1

Bug Fixes

  • 14be92b fix: model generator yield resumption paths in code path analysis (#20665) (sethamus)
  • 84a19d2 fix: no-async-promise-executor false positives for shadowed Promise (#20740) (xbinaryx)
  • af764af fix: clarify language and processor validation errors (#20729) (Pixel998)
  • e251b89 fix: update eslint (#20715) (renovate[bot])

Documentation

  • ca92ca0 docs: reuse markdown-it instance for markdown filter (#20768) (Amaresh S M)
  • 57d2ee2 docs: Enable Eleventy incremental mode for watch (#20767) (Amaresh S M)
  • c1621b9 docs: fix typos in code-path-analyzer.js (#20700) (Ayush Shukla)
  • 1418d52 docs: Update README (GitHub Actions Bot)
  • 39771e6 docs: Update README (GitHub Actions Bot)
  • 71e0469 docs: fix incomplete JSDoc param description in no-shadow rule (#20728) (kuldeep kumar)
  • 22119ce docs: clarify scope of for-direction rule with dead code examples (#20723) (Amaresh S M)
  • 8f3fb77 docs: document meta.docs.dialects (#20718) (Pixel998)

Chores

  • 7ddfea9 chore: update dependency prettier to v3.8.2 (#20770) (renovate[bot])
  • fac40e1 ci: bump pnpm/action-setup from 5.0.0 to 6.0.0 (#20763) (dependabot[bot])
  • 7246f92 test: add tests for SuppressionsService.load() error handling (#20734) (kuldeep kumar)
  • 4f34b1e chore: update pnpm/action-setup action to v5 (#20762) (renovate[bot])

... (truncated)

Commits
  • 7889204 10.3.0
  • 5b69b4f Build: changelog update for 10.3.0
  • d32235e ci: use pnpm in eslint-flat-config-utils type integration test (#20826)
  • b6ae5cf fix: handle unavailable require cache (#20812)
  • 3ffb14e chore: clean up typos in comments and JSDoc (#20821)
  • 6fb3685 fix: rule suggestions cause continuation in class body (#20787)
  • 22eb58a chore: add missing continue-on-error to ecosystem-tests.yml (#20818)
  • 88bf002 ci: bump pnpm/action-setup from 6.0.1 to 6.0.3 (#20815)
  • 379571a feat: add suggestions for no-unused-private-class-members (#20773)
  • 97c8c33 chore: update ilshidur/action-discord action to v0.4.0 (#20811)
  • Additional commits viewable in compare view

Updates fallow from 2.40.3 to 2.73.0

Release notes

Sourced from fallow's releases.

v2.73.0: pnpm overrides detection, catalog auto-fix, custom-location ESLint configs

Highlights

Two new detectors and one walker fix:

  • pnpm overrides: detection: flag entries whose target package no longer appears in any workspace package.json, plus a separate rule for malformed override grammar that pnpm install would refuse to honor.
  • fallow fix auto-removes unused pnpm catalog: entries: close the round-trip on the v2.70.0 catalog detector with a line-aware YAML deleter that preserves comments and rewrites emptied parents to {} so pnpm install keeps working.
  • Hidden directories referenced by package.json#scripts are now walked: .config/eslint.config.js (and similar custom-location configs) get parsed instead of silently invisible, so their imports are credited as used.

Upgrade note

The new misconfigured-dependency-overrides rule defaults to error. A workspace with a malformed override key or empty value will flip from a green fallow check on v2.72 to a red one on v2.73. To absorb the change without action, set rules.misconfigured-dependency-overrides: "warn" in your fallow config before upgrading.

Added

Detects unused and misconfigured pnpm overrides entries

Two new rules read both pnpm-workspace.yaml's overrides: top-level (canonical, pnpm 9+) and the root package.json's pnpm.overrides (legacy form).

unused-dependency-overrides (default warn) flags entries whose target package is not declared in any workspace package.json. The conservative static algorithm uses the parent-chain rule: react>react-dom is considered USED when EITHER react OR react-dom is declared, covering the CVE-fix pattern where the parent is declared and the override forces a transitive version. Findings carry the raw key, structured decomposition (target_package, parent_package, version_constraint, version_range), the source file (pnpm-workspace.yaml or package.json), a 1-based line number, and an optional hint flagging entries that may target a purely transitive dependency (CVE-fix or canary-alias pattern).

misconfigured-dependency-overrides (default error) catches entries whose key cannot be parsed (empty key, dangling separators) or whose value is missing; pnpm install refuses to honor these. Special pnpm values (- removal, $ref self-reference, npm:alias@^1) are explicitly allowlisted and never flagged as misconfigured.

Suppression is config-only via ignoreDependencyOverrides: [{ package, source? }]. Inline YAML / JSON comments are not feasible since pnpm-workspace.yaml uses YAML and package.json has no comment syntax; the optional source field scopes a suppression to "pnpm-workspace.yaml" or "package.json".

All six report formats render the findings: human two-tier, JSON with discriminated remove-dependency-override / fix-dependency-override primary actions + ignoreDependencyOverrides add-to-config suppress, SARIF rules fallow/unused-dependency-override and fallow/misconfigured-dependency-override, compact, markdown, CodeClimate. The GitHub Action and GitLab CI jq scripts surface both in summary tables and emit ::warning for unused and ::error for misconfigured annotations. The LSP emits matching diagnostics anchored on the source file line. The MCP analyze tool accepts issue_types: ["unused-dependency-overrides", "misconfigured-dependency-overrides"], and the VS Code "Unused Code" tree shows two new categories.

fallow explain unused-dependency-override and fallow explain misconfigured-dependency-override open with the CVE-pin caveat and pnpm-grammar examples respectively.

Closes #336.

fallow fix auto-removes unused pnpm catalog entries

The unused-catalog-entries detector shipped in v2.70.0, but until now the only available action was # fallow-ignore-next-line unused-catalog-entry; users had to hand-edit the YAML to drop the entry.

The fix is line-aware (preserves comments and stylistic choices) and detects object-form entries such as

react:
  specifier: ^18.2.0
  publishConfig: {}

by consuming subsequent lines whose indent is strictly greater than the entry's own.

When removing the last entry of a catalog group (default catalog: or a named catalogs.<name>:) leaves the header with no children, the fix rewrites the header to catalog: {} / <name>: {} so the file stays installable; bare key: in YAML parses as null which pnpm rejects with Cannot convert undefined or null to object at install time.

Entries whose hardcoded_consumers is non-empty are skipped: removing the catalog entry while a workspace package still pins a hardcoded version of the same package would break the user's next pnpm install. The skip is surfaced in the human stderr summary and in the JSON output ({"type": "remove_catalog_entry", "applied": false, "skipped": true, "skip_reason": "hardcoded_consumers", "consumers": [...]}), and the per-instance auto_fixable bool on the check-command action correctly flips to false for findings with hardcoded consumers so agents that filter on the bool skip those automatically.

After a successful run the CLI emits a one-line "Run pnpm install to refresh pnpm-lock.yaml" reminder so the workspace stays internally consistent. The fix output's top-level envelope adds a "skipped" count alongside the existing "total_fixed" so consumers can gate on partial-fix runs.

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.73.0] - 2026-05-13

Fixed

  • Dependencies imported only from a config file in a hidden directory referenced by package.json#scripts are no longer reported as unused. A script like "lint": "eslint -c .config/eslint.config.js" puts the ESLint config in .config/, a hidden directory the file walker normally skips. Fallow detected the file as an entry point (the script-parser found it) but never parsed it, so the imports inside (@eslint/js, anything else the config pulls in) became phantom unused dependencies. The walker now traverses hidden directories referenced from package.json#scripts config arguments (--config / -c) and positional file arguments. The same scope mechanism React Router uses for .client / .server is reused; the names are extracted per-package and scoped to the package root, so a workspace's .config/ stays isolated from a sibling's. Three guardrails: a denylist of known build-cache / VCS / IDE directories (.git, .next, .nuxt, .output, .svelte-kit, .turbo, .nx, .cache, .parcel-cache, .vercel, .netlify, .yarn, .pnpm-store, .docusaurus, .vscode, .idea, .fallow, .husky) is never auto-scoped even when a script reads or writes into one; only the structured config_args / file_args outputs of the script parser are inspected, so a logging path like .nx/cache/result.json mentioned in a script body cannot pull .nx/ into scope; and paths containing .. segments are skipped so a workspace script referencing ../../.config/... cannot generate a scope rooted at a sibling. Projects without hidden-dir paths in their scripts see no behavior change. Surfaces a tracing::debug! line per inferred scope (RUST_LOG=fallow_core=debug) for support diagnostics. (Closes #358. Thanks @​FunctionDJ for the report.)

Added

  • fallow fix now auto-removes unused pnpm catalog entries from pnpm-workspace.yaml. The unused-catalog-entries detector shipped in v2.70.0, but until now the only available action was # fallow-ignore-next-line unused-catalog-entry; users had to hand-edit the YAML to drop the entry. The fix is line-aware (preserves comments and stylistic choices in the file) and detects object-form entries such as react:\n specifier: ^18.2.0\n publishConfig: {} by consuming subsequent lines whose indent is strictly greater than the entry's own. When removing the last entry of a catalog group (default catalog: or a named catalogs.<name>:) leaves the header with no children, the fix rewrites the header to catalog: {} / <name>: {} so the file stays installable; bare key: in YAML parses as null which pnpm rejects with Cannot convert undefined or null to object at install time. Entries whose hardcoded_consumers is non-empty are skipped: removing the catalog entry while a workspace package still pins a hardcoded version of the same package would break the user's next pnpm install. The skip is surfaced in the human stderr summary and in the JSON output ({"type": "remove_catalog_entry", "applied": false, "skipped": true, "skip_reason": "hardcoded_consumers", "consumers": [...], "description": "..."}), and the per-instance auto_fixable bool on the check-command action correctly flips to false for findings with hardcoded consumers so agents that filter on the bool skip those automatically. After a successful run the CLI emits a one-line "Run pnpm install to refresh pnpm-lock.yaml" reminder so the workspace stays internally consistent. The fix output's top-level envelope adds a "skipped" count alongside the existing "total_fixed" so consumers can gate on partial-fix runs. The LSP unused-catalog-entry diagnostic now exposes a matching Remove unused catalog entry quick-fix code action with the same hardcoded-consumer guard, the same empty-parent rewrite, and an anchored key-prefix sanity check so sibling entries with shared prefixes (react vs react-native, lodash vs lodash-es) cannot be deleted by mistake. (Closes #335.)

  • Detects unused and misconfigured pnpm overrides entries. Upgrade note: the new misconfigured-dependency-overrides rule defaults to error, so a workspace with a malformed override key or empty value will flip from a green fallow check on v2.72 to a red one on the next minor. To absorb the change without action, set rules.misconfigured-dependency-overrides: "warn" in your fallow config before upgrading. Two new rules read both pnpm-workspace.yaml's overrides: top-level (canonical, pnpm 9+) and the root package.json's pnpm.overrides (legacy form). unused-dependency-overrides (default warn) flags entries whose target package is not declared in any workspace package.json; conservative static algorithm uses the parent-chain rule (react>react-dom is considered USED when EITHER react OR react-dom is declared, covering the CVE-fix pattern where the parent is declared and the override forces a transitive version). Findings carry the raw key, structured target_package / parent_package / version_constraint / version_range decomposition, the source file (pnpm-workspace.yaml or package.json), 1-based line number, and an optional hint flagging entries that may target a purely transitive dependency (CVE-fix or canary-alias pattern). misconfigured-dependency-overrides (default error) catches entries whose key cannot be parsed (empty key, dangling separators) or whose value is missing; pnpm install refuses to honor these. Special pnpm values (- removal, $ref self-reference, npm:alias@^1) are explicitly allowlisted and never flagged as misconfigured. Suppression is config-only via ignoreDependencyOverrides: [{ package, source? }] (inline YAML / JSON comments are not feasible since pnpm-workspace.yaml uses YAML and package.json has no comment syntax); the optional source field scopes a suppression to "pnpm-workspace.yaml" or "package.json". New IssueKind::UnusedDependencyOverride (discriminant 23) and IssueKind::MisconfiguredDependencyOverride (discriminant 24); new UnusedDependencyOverride + MisconfiguredDependencyOverride structs on AnalysisResults. All six report formats render the findings (human two-tier, JSON with discriminated remove-dependency-override / fix-dependency-override primary actions + ignoreDependencyOverrides add-to-config suppress, SARIF rules fallow/unused-dependency-override and fallow/misconfigured-dependency-override, compact, markdown, CodeClimate). The GitHub Action and GitLab CI jq scripts surface both in summary tables and emit ::warning for unused and ::error for misconfigured annotations. The LSP emits matching diagnostics anchored on the source file line. The MCP analyze tool accepts issue_types: ["unused-dependency-overrides", "misconfigured-dependency-overrides"], and the VS Code "Unused Code" tree shows two new categories. fallow explain unused-dependency-override and fallow explain misconfigured-dependency-override open with the CVE-pin caveat and pnpm-grammar examples respectively. (Closes #336)

Changed

  • Internal refactor: drop redundant per-call FileId / path indices in detectors (find_unused_exports, find_private_type_leaks, find_duplicate_exports). These detectors each rebuilt the same FxHashMap of file lookups on every invocation; they now index graph.modules directly by sequential FileId.0 (the same pattern find_unused_files already used). Findings counts unchanged across next.js (24986), typescript, vite, vue-core, svelte. No behavior change. (Closes #333)
  • CI dependency bumps: pnpm/action-setup 6.0.3 -> 6.0.5, crate-ci/typos 1.45.2 -> 1.46.0.

[2.7...

Description has been truncated

Bumps the npm-deps group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@hono/node-server](https://github.com/honojs/node-server) | `2.0.0` | `2.0.2` |
| [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.6.5` | `1.6.11` |
| [better-sqlite3](https://github.com/WiseLibs/better-sqlite3) | `12.9.0` | `12.10.0` |
| [hono](https://github.com/honojs/hono) | `4.12.14` | `4.12.18` |
| [eslint](https://github.com/eslint/eslint) | `10.2.0` | `10.3.0` |
| [fallow](https://github.com/fallow-rs/fallow) | `2.40.3` | `2.73.0` |
| [globals](https://github.com/sindresorhus/globals) | `17.5.0` | `17.6.0` |
| [tap](https://github.com/tapjs/tapjs) | `21.7.0` | `21.7.3` |



Updates `@hono/node-server` from 2.0.0 to 2.0.2
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v2.0.0...v2.0.2)

Updates `better-auth` from 1.6.5 to 1.6.11
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/better-auth@1.6.11/packages/better-auth)

Updates `better-sqlite3` from 12.9.0 to 12.10.0
- [Release notes](https://github.com/WiseLibs/better-sqlite3/releases)
- [Commits](WiseLibs/better-sqlite3@v12.9.0...v12.10.0)

Updates `hono` from 4.12.14 to 4.12.18
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.14...v4.12.18)

Updates `eslint` from 10.2.0 to 10.3.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.2.0...v10.3.0)

Updates `fallow` from 2.40.3 to 2.73.0
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.40.3...v2.73.0)

Updates `globals` from 17.5.0 to 17.6.0
- [Release notes](https://github.com/sindresorhus/globals/releases)
- [Commits](sindresorhus/globals@v17.5.0...v17.6.0)

Updates `tap` from 21.7.0 to 21.7.3
- [Release notes](https://github.com/tapjs/tapjs/releases)
- [Commits](https://github.com/tapjs/tapjs/compare/tap@21.7.0...tap@21.7.3)

---
updated-dependencies:
- dependency-name: "@hono/node-server"
  dependency-version: 2.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: better-auth
  dependency-version: 1.6.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: better-sqlite3
  dependency-version: 12.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: hono
  dependency-version: 4.12.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: eslint
  dependency-version: 10.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: fallow
  dependency-version: 2.73.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: globals
  dependency-version: 17.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: tap
  dependency-version: 21.7.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
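The fallow 2.73.0 changelog quoted above describes how the `unused-dependency-overrides` and `misconfigured-dependency-overrides` rules classify pnpm override entries: the key is decomposed into parent/target with optional version parts, an entry is considered used when either the parent or the target is declared in some workspace manifest (the parent-chain rule), unparseable keys or missing values are errors that `pnpm install` would silently refuse to honor, and special values such as `-`, `$ref` and `npm:alias@^1` are never treated as misconfigured. The script below is an added example, written for this page and not fallow's own code, that re-implements that classification in plain JavaScript so a maintainer can see why a supposedly CVE-pinning override may not be taking effect. It assumes the overrides and manifests have already been read and parsed (the YAML/JSON loading step is left out), and all package names, versions and the `ignoreDependencyOverrides` entry are constructed sample data.

```javascript
// Added example (not fallow's code): re-implementation of the unused /
// misconfigured pnpm override checks described in the fallow changelog.
// Inputs are already-parsed objects; reading pnpm-workspace.yaml and
// package.json is assumed to have happened before this runs.

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Split "name@range" into [name, range], honouring scoped names ("@scope/pkg@^1").
function splitSpec(segment) {
  const at = segment.indexOf('@', 1); // index 0 may be the scope marker, not a range separator
  return at === -1 ? [segment, null] : [segment.slice(0, at), segment.slice(at + 1)];
}

// Decompose a pnpm override key such as "react>react-dom@^18" into its parts.
// Returns null when the key cannot be parsed: empty key, dangling ">" separators
// ("react>", ">react", "a>>b") or an empty segment. pnpm refuses to honor such keys.
function parseOverrideKey(key) {
  if (typeof key !== 'string' || key.trim() === '') return null;
  const segments = key.split('>');
  if (segments.some((s) => s.trim() === '')) return null;
  const [targetPackage, versionConstraint] = splitSpec(segments[segments.length - 1]);
  const [parentPackage, versionRange] = segments.length > 1 ? splitSpec(segments[0]) : [null, null];
  return { targetPackage, parentPackage, versionConstraint, versionRange };
}

// A missing value is the other misconfiguration: "lodash:" in YAML or a null/"" in JSON.
// Special values ("-" removal, "$name" self-reference, "npm:alias@^1") are non-empty
// strings and therefore pass this check, which matches the allowlist in the changelog.
function isMissingValue(value) {
  return value === undefined || value === null || (typeof value === 'string' && value.trim() === '');
}

// Every package name declared in any workspace package.json manifest.
function declaredPackages(manifests) {
  const names = new Set();
  for (const m of manifests) {
    for (const f of DEP_FIELDS) for (const n of Object.keys(m[f] || {})) names.add(n);
  }
  return names;
}

// overrideSources: [{ source: 'pnpm-workspace.yaml' | 'package.json', overrides: { key: value } }]
// config: { ignoreDependencyOverrides: [{ package, source? }] }  (config-only suppression)
function checkOverrides(overrideSources, manifests, config = {}) {
  const declared = declaredPackages(manifests);
  const ignores = config.ignoreDependencyOverrides || [];
  const findings = [];
  for (const { source, overrides } of overrideSources) {
    for (const [key, value] of Object.entries(overrides || {})) {
      const parsed = parseOverrideKey(key);
      if (parsed === null || isMissingValue(value)) {
        findings.push({
          rule: 'misconfigured-dependency-override', severity: 'error', key, source,
          reason: parsed === null ? 'unparseable key' : 'missing value',
        });
        continue;
      }
      const { targetPackage, parentPackage } = parsed;
      // Parent-chain rule: "react>react-dom" counts as used when EITHER side is declared,
      // so an override that pins a transitive dependency under a declared parent is kept.
      const used = declared.has(targetPackage) || (parentPackage !== null && declared.has(parentPackage));
      if (used) continue;
      const suppressed = ignores.some((i) => i.package === targetPackage && (!i.source || i.source === source));
      if (suppressed) continue;
      findings.push({
        rule: 'unused-dependency-override', severity: 'warn', key, source, ...parsed,
        hint: 'target may be a purely transitive dependency (CVE-fix or alias pattern); verify before removing',
      });
    }
  }
  return findings;
}

// Constructed sample workspace: two manifests plus overrides from both supported sources.
const SAMPLE_MANIFESTS = [
  { name: 'web', dependencies: { react: '^18.3.0', hono: '^4.12.0' } },
  { name: 'api', devDependencies: { eslint: '^10.0.0' } },
];
const SAMPLE_OVERRIDE_SOURCES = [
  { source: 'pnpm-workspace.yaml', overrides: {
    'react>react-dom': '18.3.1', // parent declared -> used (transitive pin pattern)
    'left-pad': '1.3.0',         // declared nowhere -> unused (warn, with hint)
    'lodash': null,              // YAML "lodash:" with no value -> misconfigured
    'hono>': '4.12.18',          // dangling separator -> misconfigured
    'eslint': '$eslint',         // $ref self-reference, target declared -> used
  } },
  { source: 'package.json', overrides: { minimist: '-' } }, // suppressed by config below
];
const SAMPLE_CONFIG = { ignoreDependencyOverrides: [{ package: 'minimist', source: 'package.json' }] };

function runSample() {
  return checkOverrides(SAMPLE_OVERRIDE_SOURCES, SAMPLE_MANIFESTS, SAMPLE_CONFIG);
}

console.log(JSON.stringify(runSample(), null, 2));
```

The two misconfigured findings are the ones worth acting on first: an override with a broken key or empty value does not fail `pnpm install`, it is simply ignored, so the lockfile may still resolve the version the override was meant to replace.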
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 21, 2026