Bump the minor-and-patch group across 1 directory with 8 updates

[dependabot]

Bumps the minor-and-patch group with 8 updates in the / directory:

Package	From	To
@types/vscode	1.107.0	1.118.0
@vscode/vsce	3.7.1	3.9.1
esbuild	0.27.2	0.28.0
eslint-plugin-no-only-tests	3.3.0	3.4.0
pnpm	10.26.2	10.33.2
prettier	3.7.4	3.8.3
selfsigned	5.4.0	5.5.0
typescript-eslint	8.50.1	8.59.1

Updates @types/vscode from 1.107.0 to 1.118.0

Commits

• See full diff in compare view

Updates @vscode/vsce from 3.7.1 to 3.9.1

Release notes

Sourced from @​vscode/vsce's releases.

v3.9.1

Changes:

• #1266: fix: module type mismatch

This list of changes was auto generated.

v3.9.1-0

Changes:

• #1266: fix: module type mismatch

This list of changes was auto generated.

v3.9.0

Changes:

• #1263: fix: build regressions in 3.8.1
• #1261: Add override for serialize-javascript

This list of changes was auto generated.

v3.8.2-1

Changes:

• #1263: fix: build regressions in 3.8.1

This list of changes was auto generated.

v3.8.2-0

Changes:

• #1261: Add override for serialize-javascript

This list of changes was auto generated.

v3.8.1

Changes:

... (truncated)

Commits

• 98cca9e fix: module type mismatch (#1266)
• 9329b35 fix: build regressions in 3.8.1 (#1263)
• 165b0f2 Add override for serialize-javascript (#1261)
• 7d124ab chore: update @​azure/identity to 4.13.1 and modernize TypeScript/Node.js conf...
• cbdd401 fix: run npm audit fix to update package-lock.json (#1258)
• 13c5fa8 Merge pull request #1255 from microsoft/dependabot/npm_and_yarn/multi-580a7c2f10
• c6f98dc Bump brace-expansion
• 01da009 Bump picomatch from 2.3.1 to 2.3.2 (#1253)
• bb899fa Merge pull request #1252 from microsoft/dependabot/npm_and_yarn/yauzl-3.2.1
• 3f4fa96 Bump yauzl from 2.10.0 to 3.2.1
• Additional commits viewable in compare view

Updates esbuild from 0.27.2 to 0.28.0

Release notes

Sourced from esbuild's releases.

v0.28.0

• Add support for with { type: 'text' } imports (#4435)

  The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

  import string from './example.txt' with { type: 'text' }
  console.log(string)

• Add integrity checks to fallback download path (#4343)

  Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

  This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

• Update the Go compiler from 1.25.7 to 1.26.1

  This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

  • It now uses the new garbage collector that comes with Go 1.26.
  • The Go compiler is now more aggressive with allocating memory on the stack.
  • The executable format that the Go linker uses has undergone several changes.
  • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

  You can read the Go 1.26 release notes for more information.

v0.27.7

• Fix lowering of define semantics for TypeScript parameter properties (#4421)

  The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

  // Original code
  class Foo {
    constructor(public x = 1) {}
    y = 2
  }
  // Old output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  this.x = x;
  __publicField(this, "y", 2);
  }
  x;
  }
  // New output (with --loader=ts --target=es2021)
  class Foo {

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2025

This changelog documents all esbuild versions published in the year 2025 (versions 0.25.0 through 0.27.2).

Commits

• 6a794df publish 0.28.0 to npm
• 64ee0ea fix #4435: support with { type: text } imports
• ef65aee fix sort order in snapshots_packagejson.txt
• 1a26a8e try to fix test-old-ts, also shuffle CI tasks
• 556ce6c use '' instead of null to omit build hashes
• 8e675a8 ci: allow missing binary hashes for tests
• 7067763 Reapply "update go 1.25.7 => 1.26.1"
• 39473a9 fix #4343: integrity check for binary download
• 2025c9f publish 0.27.7 to npm
• c6b586e fix typo in Makefile for @esbuild/win32-x64
• Additional commits viewable in compare view

Updates eslint-plugin-no-only-tests from 3.3.0 to 3.4.0

Release notes

Sourced from eslint-plugin-no-only-tests's releases.

v3.4.0

What's Changed

• Bump cross-spawn from 7.0.3 to 7.0.6 by @​dependabot[bot] in levibuzolic/eslint-plugin-no-only-tests#47
• Bump js-yaml from 4.1.0 to 4.1.1 by @​dependabot[bot] in levibuzolic/eslint-plugin-no-only-tests#51
• Update README for flat config by @​levibuzolic in levibuzolic/eslint-plugin-no-only-tests#52
• Bump minimatch from 3.1.2 to 3.1.5 by @​dependabot[bot] in levibuzolic/eslint-plugin-no-only-tests#54
• Document oxlint setup by @​AndreyYolkin in levibuzolic/eslint-plugin-no-only-tests#53
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in levibuzolic/eslint-plugin-no-only-tests#55
• Add common framework setup docs for focused tests by @​levibuzolic in levibuzolic/eslint-plugin-no-only-tests#57
• Optimize Oxlint integration and release v3.4.0 by @​levibuzolic in levibuzolic/eslint-plugin-no-only-tests#58
• Update Actions for npm trusted publishing by @​levibuzolic in levibuzolic/eslint-plugin-no-only-tests#59
• Remove npm registry auth from publish workflow by @​levibuzolic in levibuzolic/eslint-plugin-no-only-tests#60
• Update release workflow for trusted publishing by @​levibuzolic in levibuzolic/eslint-plugin-no-only-tests#61
• Fix GitHub release npm publish auth by @​levibuzolic in levibuzolic/eslint-plugin-no-only-tests#62

New Contributors

• @​AndreyYolkin made their first contribution in levibuzolic/eslint-plugin-no-only-tests#53

Full Changelog: levibuzolic/eslint-plugin-no-only-tests@v3.3.0...v3.4.0

Changelog

Sourced from eslint-plugin-no-only-tests's changelog.

v3.4.0

Added

• Add CLI E2E coverage for both ESLint and Oxlint, including --fix verification and config-specific assertions
• Add a package-contents check to ensure test assets are never published

Changed

• Optimize Oxlint usage by adopting Oxlint's performance-focused createOnce entrypoint while preserving ESLint compatibility

Internal

• Switch repository tooling from Yarn to Bun
• Replace Biome/Prettier usage with Oxlint and Oxfmt
• Update GitHub Actions to use Bun and a modern Node test matrix
• Move test infrastructure into a dedicated test/ directory
• Tighten package metadata and improve JSDoc/type coverage

v3.0.0

Added

• Block scope matchers can accept a trailing * to optionally match blocks by prefix #35

Breaking

• Block matchers no longer match prefixes of blocks by default, can now be configured via options #35

v2.6.0

• Disable auto fixing by default, allow it to be optionally enabled. #26

v2.5.0

• Add support for auto fixing violations - #19 @​tgreen7

v2.4.0

• Add support for defining 2 levels deep in blocks (ie. ava.default)

v2.3.1

• Bump js-yaml from 3.13.0 to 3.13.1 due to security vulnerability - #11

v2.3.0

• Allow test block names to be specified in options - #10

v2.2.0

... (truncated)

Commits

• 2279c51 Merge pull request #62 from levibuzolic/levi/fix-github-release-action
• e234e55 Use Publish environment for npm release
• d304af4 Fix npm release auth
• 435b3a2 Merge pull request #61 from levibuzolic/fix-release-script
• 968e9d9 Switch release workflow to published events
• a0edb1a Merge pull request #60 from levibuzolic/fix-release-script
• 42ca3d8 Remove npm registry auth from publish workflow
• b7051fc Merge pull request #59 from levibuzolic/fix-release-script
• 36e23a2 Update GitHub Actions for npm trusted publishing
• 17f7389 Fix release script
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for eslint-plugin-no-only-tests since your current version.

Updates pnpm from 10.26.2 to 10.33.2

Release notes

Sourced from pnpm's releases.

pnpm 10.33.2

Patch Changes

• Globally-installed bins no longer fail with ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND when pnpm was installed via the standalone @pnpm/exe binary (e.g. curl -fsSL https://get.pnpm.io/install.sh | sh -) on a system without a separate Node.js installation. Previously, when which('node') failed during pnpm add --global, pnpm fell back to process.execPath, which in @pnpm/exe is the pnpm binary itself — and that path was baked into the generated bin shim, causing the shim to invoke pnpm instead of Node #11291, #4645.

• Fix an infinite fork-bomb that could happen when pnpm was installed with one version (e.g. npm install -g pnpm@A) and run inside a project whose package.json selected a different pnpm version via the packageManager field (e.g. pnpm@B), while a pnpm-workspace.yaml also existed at the project root.

  The child's environment is now forced to manage-package-manager-versions=false (v10) and pm-on-fail=ignore (v11+), which disables the package-manager-version handling in whichever pnpm runs as the child.

  Fixes #11337.

Platinum Sponsors

Gold Sponsors

... (truncated)

Changelog

Sourced from pnpm's changelog.

10.33.2

Patch Changes

• Globally-installed bins no longer fail with ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND when pnpm was installed via the standalone @pnpm/exe binary (e.g. curl -fsSL https://get.pnpm.io/install.sh | sh -) on a system without a separate Node.js installation. Previously, when which('node') failed during pnpm add --global, pnpm fell back to process.execPath, which in @pnpm/exe is the pnpm binary itself — and that path was baked into the generated bin shim, causing the shim to invoke pnpm instead of Node #11291, #4645.

• Fix an infinite fork-bomb that could happen when pnpm was installed with one version (e.g. npm install -g pnpm@A) and run inside a project whose package.json selected a different pnpm version via the packageManager field (e.g. pnpm@B), while a pnpm-workspace.yaml also existed at the project root.

  The child's environment is now forced to manage-package-manager-versions=false (v10) and pm-on-fail=ignore (v11+), which disables the package-manager-version handling in whichever pnpm runs as the child.

  Fixes #11337.

10.33.1

Patch Changes

• When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #11328.

10.33.0

Minor Changes

• Added a new dedupePeers setting that reduces peer dependency duplication. When enabled, peer dependency suffixes use version-only identifiers (name@version) instead of full dep paths, eliminating nested suffixes like (foo@1.0.0(bar@2.0.0)). This dramatically reduces the number of package instances in projects with many recursive peer dependencies #11070.

Patch Changes

• Fail on incompatible lockfiles in CI when frozen lockfile mode is enabled, while preserving non-frozen CI fallback behavior.

• When package metadata is malformed or can't be fetched, the error thrown will now show the originating error.

• Fixed intermittent failures when multiple pnpm dlx calls run concurrently for the same package. When the global virtual store is enabled, the importer now verifies file content before skipping a rename, avoiding destructive swap-renames that break concurrent processes. Also tolerates EPERM during bin creation on Windows and properly propagates enableGlobalVirtualStore through the install pipeline.

• Fixed handling of non-string version selectors in hoistPeers, preventing invalid peer dependency specifiers.

• Improve the non-interactive modules purge error hint to include the confirmModulesPurge=false workaround.

  When pnpm needs to recreate node_modules but no TTY is available, the error now suggests either setting CI=true or disabling the purge confirmation prompt via confirmModulesPurge=false.

  Adds a regression test for the non-TTY flow.

• Fixed false "Command not found" errors on Windows when a command exists in PATH but exits with a non-zero code. Also fixed path resolution for --filter contexts where the command runs in a different package directory.

• When a pnpm-lock.yaml contains two documents, ignore the first one. pnpm v11 will write two lockfile documents into pnpm-lock.yaml in order to store pnpm version integrities and config dependency resolutions.

• Fixed a bug preventing the clearCache function returned by createNpmResolver from properly clearing metadata cache.

10.32.1

Patch Changes

• Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #10909.

10.32.0

Minor Changes

• Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #10136.

... (truncated)

Commits

• 2a1ffe1 chore(release): 10.33.2
• 08bf69c fix: prevent fork-bomb during packageManager-driven version switching (#11346)
• 89e3ac5 chore(release): 10.33.1
• 6315018 fix: scope minimatch overrides to their major version
• e528199 fix: update dependencies
• a6c24bd fix: defer npm-passthrough commands to main() when packageManager wants pnpm ...
• be07631 chore(release): 10.33.0
• cb17c44 fix(dlx): fix race conditions in parallel dlx calls sharing
• eaae772 chore(release): 10.32.1
• cda9b1d fix: update dependencies
• Additional commits viewable in compare view

Updates prettier from 3.7.4 to 3.8.3

Release notes

Sourced from prettier's releases.

3.8.3

• SCSS: Prevent trailing comma in if() function (prettier/prettier#18471 by @​kovsu)

🔗 Changelog

3.8.2

• Support Angular v21.2

🔗 Changelog

3.8.1

• Include available printers in plugin type declarations (#18706 by @​porada)

🔗 Changelog

3.8.0

• Support Angular v21.1

diff

🔗 Release note "Prettier 3.8: Support for Angular v21.1"

Changelog

Sourced from prettier's changelog.

3.8.3

diff

SCSS: Prevent trailing comma in if() function (#18471 by @​kovsu)

// Input
$value: if(sass(false): 1; else: -1);
// Prettier 3.8.2
$value: if(
sass(false): 1; else: -1,
);
// Prettier 3.8.3
$value: if(sass(false): 1; else: -1);

3.8.2

diff

Angular: Support Angular v21.2 (#18722, #19034 by @​fisker)

Exhaustive typechecking with @default never;

<!-- Input -->
@switch (foo) {
  @case (1) {}
  @default never;
}
<!-- Prettier 3.8.1 -->
SyntaxError: Incomplete block "default never". If you meant to write the @ character, you should use the "&#64;" HTML entity instead. (3:3)
<!-- Prettier 3.8.2 -->
@​switch (foo) {
@​case (1) {}
@​default never;
}

arrow function and instanceof expressions.

</tr></table> 

... (truncated)

Commits

• d7108a7 Release 3.8.3
• 177f908 Prevent trailing comma in SCSS if() function (#18471)
• 1cd4066 Release @​prettier/plugin-oxc@​0.1.4
• a8700e2 Update oxc-parser to v0.125.0
• 752157c Fix tests
• 053fd41 Bump Prettier dependency to 3.8.2
• 904c636 Clean changelog_unreleased
• dc1f7fc Update dependents count
• b31557c Release 3.8.2
• 96bbaed Support Angular v21.2 (#18722)
• Additional commits viewable in compare view

Updates selfsigned from 5.4.0 to 5.5.0

Commits

• bb4c2a8 5.5.0
• fddc893 feat: patch global CryptoProvider to use Node.js crypto (#84)
• a47d039 add package-lock back
• b29a4e1 add CI as gh action
• See full diff in compare view

Updates typescript-eslint from 8.50.1 to 8.59.1

Release notes

Sourced from typescript-eslint's releases.

v8.59.1

8.59.1 (2026-04-27)

🩹 Fixes

• eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#12246)
• eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#12257)
• eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#12269)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#12278)
• eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#12220)
• eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#12241)

❤️ Thank You

• anasm266 @​anasm266
• Anshika Jain @​Anshikakalpana
• Ulrich Stark
• yugo innami @​nami8824

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.58.2

8.58.2 (2026-04-13)

🩹 Fixes

• remove tsbuildinfo cache file from published packages (#12187)
• eslint-plugin: [no-unnecessary-condition] use assignability checks in checkTypePredicates (#12147)

❤️ Thank You

• Abhijeet Singh @​cseas
• 송재욱

... (truncated)

Changelog

Sourced from typescript-eslint's changelog.

8.59.1 (2026-04-27)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.0 (2026-04-20)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.58.2 (2026-04-13)

🩹 Fixes

• remove tsbuildinfo cache file from published packages (#12187)

❤️ Thank You

• Abhijeet Singh @​cseas

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.58.1 (2026-04-08)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.58.0 (2026-03-30)

🚀 Features

• support TypeScript 6 (#12124)

❤️ Thank You

• Evyatar Daud @​StyleShit

See GitHub Releases for more information.

... (truncated)

Commits

• 5245793 chore(release): publish 8.59.1
• ea9ae4f chore(release): publish 8.59.0
• 90c2803 chore(release): publish 8.58.2
• b3315fd chore: convert import eslint to import js - followup (#12100)
• be6b49a fix: remove tsbuildinfo cache file from published packages (#12187)
• 5311ed3 chore(release): publish 8.58.1
• 4933417 chore(release): publish 8.58.0
• 8cde2d0 feat: support TypeScript 6 (#12124)
• be4d54d chore(release): publish 8.57.2
• c7c38aa chore(release): publish 8.57.1
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions