chore: update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@biomejs/biome (source)	2.4.11 → 2.4.13				patch
@biomejs/biome (source)	^2.4.11 → ^2.4.13			devDependencies	patch
@bufbuild/buf	^1.67.0 → ^1.68.4			devDependencies	minor
@bufbuild/protobuf (source)	^2.11.0 → ^2.12.0			dependencies	minor
@bufbuild/protoc-gen-es (source)	^2.11.0 → ^2.12.0			devDependencies	minor
@hey-api/openapi-ts (source)	^0.95.0 → ^0.97.0			devDependencies	minor
@tailwindcss/vite (source)	^4.2.2 → ^4.2.4			devDependencies	patch
@tanstack/react-form (source)	^1.29.0 → ^1.29.1			dependencies	patch
@tanstack/react-form-devtools (source)	^0.2.21 → ^0.2.22			dependencies	patch
@tanstack/react-pacer (source)	^0.21.1 → ^0.22.0			dependencies	minor
@tanstack/react-pacer-devtools (source)	^0.6.1 → ^0.7.0			dependencies	minor
@tanstack/react-query (source)	^5.99.0 → ^5.100.6			dependencies	minor
@tanstack/react-query-devtools (source)	^5.99.0 → ^5.100.6			dependencies	minor
@tanstack/react-router (source)	^1.168.19 → ^1.168.25			dependencies	patch
@tanstack/router-plugin (source)	^1.167.20 → ^1.167.28			dependencies	patch
maplibre-gl (source)	^5.22.0 → ^5.24.0			dependencies	minor
node (source)	24.14.1 → 24.15.0				minor
pnpm (source)	10.33.0 → 10.33.2			packageManager	patch
tailwindcss (source)	^4.2.2 → ^4.2.4			dependencies	patch
typescript (source)	^6.0.2 → ^6.0.3			devDependencies	patch
vite (source)	^8.0.8 → ^8.0.10			devDependencies	patch

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.4.13

Compare Source

Patch Changes

• #​9969 c5eb92b Thanks @​officialasishkumar! - Added the nursery rule noUnnecessaryTemplateExpression, which disallows template literals that only contain string literal expressions. These can be replaced with a simpler string literal.

  For example, the following code triggers the rule:

  const a = `${"hello"}`; // can be 'hello'
  const b = `${"prefix"}_suffix`; // can be 'prefix_suffix'
  const c = `${"a"}${"b"}`; // can be 'ab'

• #​10037 f785e8c Thanks @​minseong0324! - Fixed #​9810: noMisleadingReturnType no longer reports false positives on a getter with a matching setter in the same namespace.

  class Store {
    get status(): string {
      if (Math.random() > 0.5) return "loading";
      return "idle";
    }
    set status(v: string) {}
  }

• #​10084 5e2f90c Thanks @​jiwon79! - Fixed #​10034: noUselessEscapeInRegex no longer flags escapes of ClassSetReservedPunctuator characters (&, !, #, %, ,, :, ;, <, =, >, @, `, ~) inside v-flag character classes as useless. These characters are reserved as individual code points in v-mode, so the escape is required.

  The following pattern is now considered valid:

  /[a-z\&]/v;

• #​10063 c9ffa16 Thanks @​Netail! - Added extra rule sources from ESLint CSS. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #​10035 946b50e Thanks @​Netail! - Fixed #​10032: useIframeSandbox now flags if there's no initializer value.

• #​9865 68fb8d4 Thanks @​dyc3! - Added the new nursery rule useDomNodeTextContent, which prefers textContent over innerText for DOM node text access and destructuring.

  For example, the following snippet triggers the rule:

  const foo = node.innerText;

• #​10023 bd1e74f Thanks @​ematipico! - Added a new nursery rule noReactNativeDeepImports that disallows deep imports from the react-native package. Internal paths like react-native/Libraries/... are not part of the public API and may change between versions.

  For example, the following code triggers the rule:

  import View from "react-native/Libraries/Components/View/View";

• #​9885 3dce737 Thanks @​dyc3! - Added a new nursery rule useDomQuerySelector that prefers querySelector() and querySelectorAll() over older DOM query methods such as getElementById() and getElementsByClassName().

• #​9995 4da9caf Thanks @​siketyan! - Fixed #​9994: Biome now parses nested CSS rules correctly when declarations follow them inside embedded snippets.

• #​10009 b41cc5a Thanks @​Jayllyz! - Fixed #​10004: noComponentHookFactories no longer reports false positives for object methods and class methods.

• #​9988 eabf54a Thanks @​Netail! - Tweaked the diagnostics range for useAltText, useButtonType, useHtmlLang, useIframeTitle, useValidAriaRole & useIfameSandbox to report on the opening tag instead of the full tag.

• #​10043 fc65902 Thanks @​mujpao! - Fixed #​10003: Biome no longer panics when parsing Svelte files containing {#}.

• #​9815 5cc83b1 Thanks @​dyc3! - Added the new nursery rule noLoopFunc. When enabled, it warns when a function declared inside a loop captures outer variables that can change across iterations.

• #​9702 ef470ba Thanks @​ryan-m-walker! - Added the nursery rule useRegexpTest that enforces RegExp.prototype.test() over String.prototype.match() and RegExp.prototype.exec() in boolean contexts. test() returns a boolean directly, avoiding unnecessary computation of match results.

  Invalid

  if ("hello world".match(/hello/)) {
  }

  Valid

  if (/hello/.test("hello world")) {
  }

• #​9743 245307d Thanks @​leetdavid! - Fixed #​2245: Svelte <script> tag language detection when the generics attribute contains > characters (e.g., <script lang="ts" generics="T extends Record<string, unknown>">). Biome now correctly recognizes TypeScript in such script blocks.

• #​10046 0707de7 Thanks @​Conaclos! - Fixed #​10038: organizeImports now sorts imports in TypeScript modules and declaration files.

    declare module "mymodule" {
  -  	import type { B } from "b";
    	import type { A } from "a";
  +  	import type { B } from "b";
    }

• #​10012 94ccca9 Thanks @​ematipico! - Added the nursery rule noReactNativeLiteralColors, which disallows color literals inside React Native styles.

  The rule belongs to the reactNative domain. It reports properties whose name contains color and whose value is a string literal when they appear inside a StyleSheet.create(...) call or inside a JSX attribute whose name contains style.

  // Invalid
  const Hello = () => <Text style={{ backgroundColor: "#FFFFFF" }}>hi</Text>;
  
  const styles = StyleSheet.create({
    text: { color: "red" },
  });

  // Valid
  const red = "#f00";
  const styles = StyleSheet.create({
    text: { color: red },
  });

• #​10005 131019e Thanks @​ematipico! - Added the nursery rule noReactNativeRawText, which disallows raw text outside of <Text> components in React Native.

  The rule belongs to the new reactNative domain.

  // Invalid
  <View>some text</View>
  <View>{'some text'}</View>

  // Valid
  <View>
    <Text>some text</Text>
  </View>

  Additional components can be allowlisted through the skip option:

  {
    "options": {
      "skip": ["Title"]
    }
  }

• #​9911 1603f78 Thanks @​Netail! - Added the nursery rule noJsxLeakedDollar, which flags text nodes with a trailing $ if the next sibling node is a JSX expression. This could be an unintentional mistake, resulting in a '$' being rendered as text in the output.

  Invalid:

  function MyComponent({ user }) {
    return <div>Hello ${user.name}</div>;
  }

• #​9999 f42405f Thanks @​minseong0324! - Fixed noMisleadingReturnType incorrectly flagging functions with reassigned let variables.

• #​10075 295f97f Thanks @​ematipico! - Fixed #9983: Biome now parses functions declared inside Svelte #snippet blocks without throwing errors.

• #​10006 cf4c1c9 Thanks @​minseong0324! - Fixed #​9810: noMisleadingReturnType incorrectly flagging nested object literals with widened properties.

• #​10033 11ddc05 Thanks @​ematipico! - Added the nursery rule useReactNativePlatformComponents that ensures platform-specific React Native components (e.g. ProgressBarAndroid, ActivityIndicatorIOS) are only imported in files with a matching platform suffix. It also reports when Android and iOS components are mixed in the same file.

  The following code triggers the rule when the file does not have an .android.js suffix:

  // file.js
  import { ProgressBarAndroid } from "react-native";

v2.4.12

Compare Source

Patch Changes

• #​9376 9701a33 Thanks @​dyc3! - Added the nursery/noIdenticalTestTitle lint rule. This rule disallows using the same title for two describe blocks or two test cases at the same nesting level.

  describe("foo", () => {});
  describe("foo", () => {
    // invalid: same title as previous describe block
    test("baz", () => {});
    test("baz", () => {}); // invalid: same title as previous test case
  });

• #​9889 7ae83f2 Thanks @​dyc3! - Improved the diagnostics for useForOf to better explain the problem, why it matters, and how to fix it.

• #​9916 27dd7b1 Thanks @​Jayllyz! - Added a new nursery rule noComponentHookFactories, that disallows defining React components or custom hooks inside other functions.

  For example, the following snippets trigger the rule:

  function createComponent(label) {
    function MyComponent() {
      return <div>{label}</div>;
    }
    return MyComponent;
  }

  function Parent() {
    function Child() {
      return <div />;
    }
    return <Child />;
  }

• #​9980 098f1ff Thanks @​ematipico! - Fixed #​9941: Biome now emits a warning diagnostic when a file exceed the files.maxSize limit.

• #​9942 9956f1d Thanks @​dyc3! - Fixed #​9918: useConsistentTestIt no longer panics when applying fixes to chained calls such as test.for([])("x", () => {});.

• #​9891 4d9ac51 Thanks @​dyc3! - Improved the noGlobalObjectCalls diagnostic to better explain why calling global objects like Math or JSON is invalid and how to fix it.

• #​9902 3f4d103 Thanks @​ematipico! - Fixed #​9901: the command lint --write is now idempotent when it's run against HTML-ish files that contains scripts and styles.

• #​9891 4d9ac51 Thanks @​dyc3! - Improved the noMultiStr diagnostic to explain why escaped multiline strings are discouraged and what to use instead.

• #​9966 322675e Thanks @​siketyan! - Fixed #​9113: Biome now parses and formats @media and other conditional blocks correctly inside embedded CSS snippets.

• #​9835 f8d49d9 Thanks @​bmish! - The noFloatingPromises rule now detects floating promises through cross-module generic wrapper functions. Previously, patterns like export const fn = trace(asyncFn) — where trace preserves the function signature via a generic <F>(fn: F): F — were invisible to the rule when the wrapper was defined in a different file.

• #​9981 02bd8dd Thanks @​siketyan! - Fixed #​9975: Biome now parses nested CSS selectors correctly inside embedded snippets without requiring an explicit &.

• #​9949 e0ba71d Thanks @​Netail! - Added the nursery rule useIframeSandbox, which enforces the sandbox attribute for iframe tags.

  Invalid:

  <iframe></iframe>

• #​9913 d417803 Thanks @​Netail! - Added the nursery rule noJsxNamespace, which disallows JSX namespace syntax.

  Invalid:

  <ns:testcomponent />

• #​9892 e75d70e Thanks @​dyc3! - Improved the noSelfCompare diagnostic to better explain why comparing a value to itself is suspicious and what to use for NaN checks.

• #​9861 2cff700 Thanks @​dyc3! - Added the new nursery rule useVarsOnTop, which requires var declarations to appear at the top of their containing scope.

  For example, the following code now triggers the rule:

  function f() {
    doSomething();
    var value = 1;
  }

• #​9892 e75d70e Thanks @​dyc3! - Improved the noThenProperty diagnostic to better explain why exposing then can create thenable behavior and how to avoid it.

• #​9892 e75d70e Thanks @​dyc3! - Improved the noShorthandPropertyOverrides diagnostic to explain why later shorthand declarations can unintentionally overwrite earlier longhand properties.

• #​9978 4847715 Thanks @​mdevils! - Fixed #​9744: useExhaustiveDependencies no longer reports false positives for variables obtained via object destructuring with computed keys, e.g. const { [KEY]: key1 } = props.

• #​9892 e75d70e Thanks @​dyc3! - Improved the noRootType diagnostic to better explain that the reported root type is disallowed by project configuration and how to proceed.

• #​9927 7974ab7 Thanks @​dyc3! - Added eslint-plugin-unicorn's no-nested-ternary as a rule source for noNestedTernary

• #​9873 19ff706 Thanks @​minseong0324! - noMisleadingReturnType now checks class methods, object methods, and getters in addition to functions.

• #​9888 362b638 Thanks @​dyc3! - Updated metadata for biome migrate eslint to better reflect which ESLint rules are redundant versus unsupported versus unimplemented.

• #​9892 e75d70e Thanks @​dyc3! - Improved the noAutofocus diagnostic to better explain why autofocus harms accessibility outside allowed modal contexts.

• #​9982 d6bdf4a Thanks @​dyc3! - Improved performance of noMagicNumbers.
  Biome now maps ESLint no-magic-numbers sources more accurately during biome migrate eslint.

• #​9889 7ae83f2 Thanks @​dyc3! - Improved the diagnostics for noConstantCondition to better explain the problem, why it matters, and how to fix it.

• #​9866 40bd180 Thanks @​dyc3! - Added a new nursery rule noExcessiveSelectorClasses, which limits how many class selectors can appear in a single CSS selector.

• #​9796 f1c1363 Thanks @​dyc3! - Added a new nursery rule useStringStartsEndsWith, which prefers startsWith() and endsWith() over verbose string prefix and suffix checks.

  The rule uses type information, so it only reports on strings and skips array lookups such as items[0] === "a".

• #​9942 9956f1d Thanks @​dyc3! - Fixed the safe fix for noSkippedTests so it no longer panics when rewriting skipped test function names such as xit(), xtest(), and xdescribe().

• #​9874 9e570d1 Thanks @​minseong0324! - Type-aware lint rules now resolve members through Pick<T, K> and Omit<T, K> utility types.

• #​9909 0d0e611 Thanks @​Netail! - Added the nursery rule useReactAsyncServerFunction, which requires React server actions to be async.

  Invalid:

  function serverFunction() {
    "use server";
    // ...
  }

• #​9925 29accb3 Thanks @​ematipico! - Fixed #​9910: added support for parsing member expressions in Svelte directive properties. Biome now correctly parses directives like in:renderer.in|global, use:obj.action, and deeply nested forms like in:a.b.c|global.

• #​9904 e7775a5 Thanks @​ematipico! - Fixed #​9626: noUnresolvedImports no longer reports false positives for named imports from packages that have a corresponding @types/* package installed. For example, import { useState } from "react" with @types/react installed is now correctly recognised.

• #​9942 9956f1d Thanks @​dyc3! - Fixed the safe fix for noFocusedTests so it no longer panics when rewriting focused test function names such as fit() and fdescribe().

• #​9577 c499f46 Thanks @​tt-a1i! - Added the nursery rule useReduceTypeParameter. It flags type assertions on the initial value passed to Array#reduce and Array#reduceRight and recommends using a type parameter instead.

  // before: type assertion on initial value
  arr.reduce((sum, num) => sum + num, [] as number[]);
  
  // after: type parameter on the call
  arr.reduce<number[]>((sum, num) => sum + num, []);

• #​9895 1c8e1ef Thanks @​Netail! - Added extra rule sources from react-xyz. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #​9891 4d9ac51 Thanks @​dyc3! - Improved the noInvalidUseBeforeDeclaration diagnostic to better explain why using a declaration too early is problematic and how to fix it.

• #​9889 7ae83f2 Thanks @​dyc3! - Improved the diagnostics for noRedeclare to better explain the problem, why it matters, and how to fix it.

• #​9875 a951586 Thanks @​minseong0324! - Type-aware lint rules now resolve members through Partial<T>, Required<T>, and Readonly<T> utility types, preserving optional, readonly, and nullable member flags.

bufbuild/buf (@​bufbuild/buf)

v1.68.4

Compare Source

• Fix duplicated extension tags across imports from compiler.

v1.68.3

Compare Source

• Fix buf format error handling for edition 2024.

v1.68.2

Compare Source

• Fix build failures for modules with a vendored descriptor.proto.
• Fix LSP incorrectly reporting "edition '2024' not yet fully supported" errors.
• Fix CEL compilation error messages in buf lint to use the structured error API instead of parsing cel-go's text output.
• Add --debug-address flag to buf lsp serve to provide debug and profile support.

v1.68.1

Compare Source

• Revert the use of the new compiler report format and properly ungate Editions 2024 features.
• Fix absolute imports (leading-dot) marked unused in diagnostics.

v1.68.0

Compare Source

• Use new compiler for build process and support Editions 2024 features.
• Add LSP document links for buf.yaml deps, buf.gen.yaml remote plugins and input modules, buf.policy.yaml name and BSR plugins, and buf.lock dep names, making each a clickable link to its BSR page.
• Add LSP code lenses for buf.yaml files to update all dependencies (buf.dep.updateAll) or check for available updates (buf.dep.checkUpdates).
• Improve shell completions for buf flags with fixed value sets and file/directory arguments.
• Add buf curl URL path shell completions (service and method names) via
  server reflection, --schema, or the local buf module.
• Add support for Edition 2024 syntax to buf format.
• Fix buf generate --clean deleting files from nested plugin output directories.

bufbuild/protobuf-es (@​bufbuild/protobuf)

v2.12.0

Compare Source

What's Changed

• Gracefully handle Number for BigInt fields by @​timostamm in #​1346
• Support exactOptionalPropertyTypes by @​haines in #​1371
• Fix UTF-8 validation for proto3 and edition feature utf8_validation by @​emcfarlane in #​1386
• Fix binary tag parse validation to reject overlong values by @​emcfarlane in #​1387
• Fix Any JSON encoding for messages without a custom JSON representation by @​emcfarlane in #​1388
• Update to protocolbuffers/protobuf v34.0 by @​emcfarlane in #​1385
• Update conformance tests to protocolbuffers/protobuf v34.0 by @​emcfarlane in #​1391

New Contributors

• @​emcfarlane made their first contribution in #​1386

Full Changelog: bufbuild/protobuf-es@v2.11.0...v2.12.0

hey-api/openapi-ts (@​hey-api/openapi-ts)

v0.97.0

@​hey-api/openapi-ts 0.97.0

⚠️ Breaking

This release has 15 breaking changes. Please review the release notes carefully before upgrading.

Updates

• cli: print file count and generator speed (#​3828)
• ⚠️ Breaking: client: resolve runtimeConfigPath relative to the output folder (#​3770)

Changed runtimeConfigPath behavior

This was a known, long-standing issue confusing first-time users. Before, defining client runtimeConfigPath value would paste it verbatim to the generated output. This release changes the behavior to resolve relative to the current working directory the same way output path works.

• config: remove --apply flag from Biome post-processor commands (#​3812)

Plugins

@​hey-api/client-angular

• ⚠️ Breaking: request and response objects might be undefined (#​3814)
• ⚠️ Breaking: respect throwOnError when request validation fails (#​3814)

@​hey-api/client-fetch

• ⚠️ Breaking: pass previous result to error interceptors (#​3814)
• ⚠️ Breaking: request and response objects might be undefined (#​3814)
• ⚠️ Breaking: respect throwOnError when request validation fails (#​3814)

@​hey-api/client-ky

• ⚠️ Breaking: pass previous result to error interceptors (#​3814)
• ⚠️ Breaking: request and response objects might be undefined (#​3814)
• ⚠️ Breaking: respect throwOnError when request validation fails (#​3814)
• ⚠️ Breaking: respect ky instance defaults (#​3806)

Changed Ky client behavior

The Ky client was updated to be more intuitive. Some Ky options now need to be passed via the kyOptions field and you need to pass undefined to unset an option.

@​hey-api/client-next

• ⚠️ Breaking: request and response objects might be undefined (#​3814)
• ⚠️ Breaking: pass previous result to error interceptors (#​3814)
• ⚠️ Breaking: respect throwOnError when request validation fails (#​3814)

@​hey-api/client-ofetch

• ⚠️ Breaking: request and response objects might be undefined (#​3814)
• ⚠️ Breaking: respect throwOnError when request validation fails (#​3814)

@​tanstack/angular-query-experimental

• add setQueryData option (#​3824)

@​tanstack/preact-query

• add useSetQueryData option (#​3824)
• add setQueryData option (#​3824)

@​tanstack/react-query

• add useSetQueryData option (#​3824)
• add setQueryData option (#​3824)

@​tanstack/solid-query

• add setQueryData option (#​3824)

@​tanstack/svelte-query

• add setQueryData option (#​3824)

@​tanstack/vue-query

• add setQueryData option (#​3824)

zod

• fallback .discriminatedUnion to .union if members contain intersection (#​3813)

---

@​hey-api/codegen-core 0.8.1

Updates

• planner: speed up identifier conflict detector (#​3823)
• symbol: speed up symbol registry cache (#​3823)

---

@​hey-api/shared 0.4.2

Updates

• graph: speed up graph builder (#​3823)
• utils: speed up deep equality check (#​3823)

---

v0.96.1

@​hey-api/openapi-ts 0.96.1

Updates

• config: warn on duplicated plugin configurations (#​3753)
• output: surface postprocess errors (#​3683)
• parser: re-add implicitly-filtered schemas in collectOperations (#​3791)
• parser: avoid encoding url unsafe characters (#​3782)

Plugins

@​hey-api/client-angular

• narrow headers to Headers in ResolvedRequestOptions (#​3757)

@​hey-api/client-fetch

• narrow headers to Headers in ResolvedRequestOptions (#​3757)

@​hey-api/client-ky

• narrow headers to Headers in ResolvedRequestOptions (#​3757)

@​hey-api/client-next

• narrow headers to Headers in ResolvedRequestOptions (#​3757)

@​hey-api/client-ofetch

• narrow headers to Headers in ResolvedRequestOptions (#​3757)

valibot

• add support for .variant() (#​3780)

zod

• add support for .discriminatedUnion() (#​3780)
• support generating z.input and z.output types (#​3759)

---

@​hey-api/json-schema-ref-parser 1.4.1

Updates

• parser: avoid encoding url unsafe characters (#​3782)

---

@​hey-api/shared 0.4.1

Updates

• output: surface postprocess errors (#​3683)
• parser: avoid encoding url unsafe characters (#​3782)
• parser: re-add implicitly-filtered schemas in collectOperations (#​3791)
• config: warn on duplicated plugin configurations (#​3753)

---

@​hey-api/vite-plugin 0.3.1

Updates

• api: expose vite options (#​3776)

---

v0.96.0

@​hey-api/openapi-ts 0.96.0

⚠️ Breaking

This release has 1 breaking change. Please review the release notes carefully before upgrading.

Updates

• ⚠️ Breaking: This release bumps the minimum required Node version to 22.13. (#​3694)
• cli: improve error message on invalid input (#​3679)
• parser: keep orphans when explicitly included in filters (#​3714)
• parser: process enum metadata (#​3727)

Plugins

@​angular/common

• requests and resources broken default configuration (#​3678)

@​hey-api/client-angular

• simplify SSE line endings normalization (#​3686)

@​hey-api/client-axios

• simplify SSE line endings normalization (#​3686)

@​hey-api/client-fetch

• simplify SSE line endings normalization (#​3686)

@​hey-api/client-ky

• simplify SSE line endings normalization (#​3686)

@​hey-api/client-next

• simplify SSE line endings normalization ([#​3686](https://redirect.github.com/h

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying sit-frontend with    Cloudflare Pages

Latest commit:	115fbae
Status:	🚫  Build failed.

View logs