fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@biomejs/biome (source)	^2.4.8 → ^2.4.9			devDependencies	patch
@microlink/react-json-view	^1.31.14 → ^1.31.15			devDependencies	patch
@modelcontextprotocol/ext-apps	^1.3.1 → ^1.3.2			dependencies	patch
@modelcontextprotocol/sdk (source)	^1.27.1 → ^1.28.0			devDependencies	minor
@modelcontextprotocol/sdk (source)	^1.27.1 → ^1.28.0			dependencies	minor
@oclif/core	^4.10.2 → ^4.10.3			dependencies	patch
@vitest/ui (source)	^4.1.1 → ^4.1.2			devDependencies	patch
alpic (source)	^1.101.0 → ^1.103.0			devDependencies	minor
aws-cdk (source)	^2.1113.0 → ^2.1114.1			devDependencies	minor
aws-cdk-lib (source)	^2.244.0 → ^2.245.0			dependencies	minor
giget	^3.1.2 → ^3.2.0			dependencies	minor
lucide-react (source)	^1.0.1 → ^1.7.0			devDependencies	minor
mintlify (source)	^4.2.447 → ^4.2.458			devDependencies	patch
node (source)	>=24.14.0 → >=24.14.1			engines	patch
node (source)	>=20.20.1 → >=20.20.2			engines	patch
pnpm (source)	10.32.1 → 10.33.0			packageManager	minor
posthog-node (source)	^5.28.5 → ^5.28.8			dependencies	patch
react-resizable-panels (source)	^4.7.5 → ^4.7.6			devDependencies	patch
shadcn (source)	^4.1.0 → ^4.1.1			devDependencies	patch
vite (source)	^8.0.2 → ^8.0.3			devDependencies	patch
vite (source)	^8.0.2 → ^8.0.3			dependencies	patch
vitest (source)	^4.1.1 → ^4.1.2			devDependencies	patch

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.4.9

Compare Source

Patch Changes

• #​9315 085d324 Thanks @​ematipico! - Added a new nursery CSS rule noDuplicateSelectors, that disallows duplicate selector lists within the same at-rule context.

  For example, the following snippet triggers the rule because the second selector and the first selector are the same:

  /* First selector */
  .x .y .z {
  }
  
  /* Second selector */
  .x {
    .y {
      .z {
      }
    }
  }

• #​9567 b7ab931 Thanks @​ematipico! - Fixed #​7211: useOptionalChain now detects negated logical OR chains. The following code is now considered invalid:

  !foo || !foo.bar;

• #​8670 607ebf9 Thanks @​tt-a1i! - Fixed #​8345: useAdjacentOverloadSignatures no longer reports false positives for static and instance methods with the same name. Static methods and instance methods are now treated as separate overload groups.

  class Kek {
    static kek(): number {
      return 0;
    }
    another(): string {
      return "";
    }
    kek(): number {
      return 1;
    } // no longer reported as non-adjacent
  }

• #​9476 97b80a8 Thanks @​masterkain! - Fixed #9475: Fixed a panic when Biome analyzed ambient TypeScript modules containing class constructor, getter, or setter signatures that reference local type aliases. Biome now handles these declarations without crashing during semantic analysis.

• #​9553 0cd5298 Thanks @​dyc3! - Fixed a bug where enabling the rules of a whole group, would enable rules that belonged to a domain under the same group.

  For example, linter.rules.correctness = "error" no longer enables React- or Qwik-specific correctness rules unless linter.domains.react, linter.domains.qwik, or an explicit rule config also enables them, or their relative dependencies are installed.

• #​9586 4cafb71 Thanks @​dyc3! - Fixed #​8828: Grit patterns using export { $foo } from $source now match named re-exports in JavaScript and TypeScript files.

• #​9550 d4e3d6e Thanks @​dyc3! - Fixed #​9548: Biome now parses conditional expressions whose consequent is an arrow function returning a parenthesized object expression.

• #​8696 a7c19cc Thanks @​Faizanq! - Fixed #​8685 where noUselessLoneBlockStatements would remove empty blocks containing comments. The rule now preserves these blocks since comments may contain important information like TODOs or commented-out code.

• #​9557 6671ac5 Thanks @​datalek! - Fixed #​9557: Biome's LSP server no longer crashes on startup when used with editors that don't send workspaceFolders during initialization. This affected any LSP client that only sends rootUri, which is valid per the LSP specification.

• #​9455 1710cf1 Thanks @​omar-y-abdi! - Fixed #​9174: useExpect now correctly rejects asymmetric matchers in Vitest or Jest like expect.stringContaining(), expect.objectContaining(), and utilities like expect.extend() that are not valid assertions. Previously these constructs caused false negatives, allowing tests without real assertions to pass the lint rule.

• #​9584 956e367 Thanks @​ematipico! - Fixed a bug where Vue directive attribute values like v-bind:class="{'dynamic': true}" were incorrectly parsed as JavaScript statements instead of expressions. Object literals inside directive values like :class, v-if, and v-html are now correctly parsed as expressions, preventing spurious parse errors.

• #​9474 e168494 Thanks @​ematipico! - Added the new nursery rule noUntrustedLicenses. This rule disallows dependencies that ship with invalid licenses or licenses that don't meet the criteria of your project/organisation.

  The rule has the following options:

  • allow: a list of licenses that can be allowed. Useful to bypass possible invalid licenses from downstream dependencies.
  • deny: a list of licenses that should trigger the rule. Useful to deny licenses that don't fit your project/organisation.
    When both deny and allow are provided, deny takes precedence.
  • requireOsiApproved: whether the licenses need to be approved by the Open Source Initiative.
  • requireFsfLibre: whether the licenses need to be approved by the Free Software Foundation.

• #​9544 723798b Thanks @​ViniciusDev26! - Added an unsafe fix to useConsistentMethodSignatures that automatically converts between method-style and property-style signatures.

• #​9555 8a3647b Thanks @​ematipico! - Fixed #188: the Biome Language Server no longer panics when open files change abruptly, such as during git branch checkouts.

• #​9605 f65c637 Thanks @​ematipico! - Fixed #​9589. Now Biome correctly parses object expressions inside props and directives. The following code doesn't emit errors anymore:

  <style is:global define:vars={{ bgLight: light }}>
  <Component name={{ first, name }} />

• #​9565 ccb249e Thanks @​eyupcanakman! - Fixed #​9505: noUselessStringConcat no longer reports tagged template literals as useless string concatenations. Tagged templates invoke a function and can return non-string values, so combining them with + is not equivalent to a single template literal.

• #​9534 4d050df Thanks @​Netail! - Added the nursery rule noInlineStyles. The rule disallows the use of inline style attributes in HTML and the style prop in JSX, including React.createElement calls. Inline styles make code harder to maintain and can interfere with Content Security Policy.

• #​9611 cddaa44 Thanks @​gaauwe! - Fixed a regression where Biome LSP could misread editor settings sent through workspace/didChangeConfiguration when the payload was wrapped in a top-level biome key. This caused requireConfiguration and related settings to be ignored in some editors.

microlinkhq/react-json-view (@​microlink/react-json-view)

v1.31.15

Compare Source

1.31.15 (2026-03-26)

modelcontextprotocol/ext-apps (@​modelcontextprotocol/ext-apps)

v1.3.2

Compare Source

modelcontextprotocol/typescript-sdk (@​modelcontextprotocol/sdk)

v1.28.0

Compare Source

What's Changed

• feat: use scopes_supported from resource metadata by default (fixes #​580) by @​antogyn in #​757
• [v1.x backport] Default to client_secret_basic when server omits token_endpoint_auth_methods_supported by @​pcarleton in #​1611
• fix: reject plain JSON Schema objects passed as inputSchema by @​tiluckdave in #​1596
• fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller cleanup by @​pcarleton in #​1462
• fix(server/auth): RFC 8252 loopback port relaxation by @​poteat in #​1738
• chore: bump version to 1.28.0 by @​felixweinberger in #​1746

New Contributors

• @​antogyn made their first contribution in #​757
• @​tiluckdave made their first contribution in #​1596
• @​poteat made their first contribution in #​1738

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0

oclif/core (@​oclif/core)

v4.10.3

Compare Source

Bug Fixes

• proper WSL handling @​W-18398048@​ (ce37266)

vitest-dev/vitest (@​vitest/ui)

v4.1.2

Compare Source

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (#​9975).

   🐞 Bug Fixes

• Don't resolve setupFiles from parent directory  -  by @​hi-ogawa in #​9960 (7aa93)
• Ensure sequential mock/unmock resolution  -  by @​hi-ogawa and Claude Opus 4.6 in #​9830 (7c065)
• browser: Take failure screenshot if toMatchScreenshot can't capture a stable screenshot  -  by @​macarie in #​9847 (faace)
• coverage: Correct coverageConfigDefaults values and types  -  by @​Arthie in #​9940 (b3c99)
• pretty-format: Fix output limit over counting  -  by @​hi-ogawa in #​9965 (d3b7a)
• Disable colors if agent is detected  -  by @​sheremet-va and @​AriPerkkio in #​9851 (6f97b)

    View changes on GitHub

aws/aws-cdk-cli (aws-cdk)

v2.1114.1

Compare Source

v2.1114.0

Compare Source

2.1114.0 (2026-03-26)

Features

• aws-cdk: remove legacy exports (#​1250) (37a8766), closes #​310 #​310

Bug Fixes

• CLI ignores root cause of CDK App termination (#​1243) (a07449b)
• CloudFormation deployment errors are not classified (#​1253) (d4448eb)
• error codes are not collected (#​1244) (2f61ab4)
• new stacks cannot be deployed with hotswap (#​1248) (5a7ac29)
• show diff when requesting approval for any-change (#​1255) (cd31d30)

aws/aws-cdk (aws-cdk-lib)

v2.245.0

Compare Source

Features

• update L1 CloudFormation resource definitions (#​37332) (6cdf84a)
• autoscaling: add instanceLifecyclePolicy support to AutoScalingGroup Property (#​36434) (b72ffcc)
• cloudfront: use JavaScript runtime 2.0 as the default for CloudFront Functions (under feature flag) (#​35941) (cd0df14)
• core: add source tracing for L1 construct property mutations (#​37285) (f0b6da8)
• ecr-assets: add support for docker build context (#​36930) (c0849ea), closes #​31598
• s3: add blockedEncryptionTypes field to s3.Bucket (#​37047) (262e8a7), closes #​36988
• synthetics: add enum value for Synthetics Canary NodeJS 3.1 runtime (#​37282) (af1e89c), closes /docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_Nodejs.html#CloudWatch_Synthetics_runtimeversion-syn-nodejs-3

Bug Fixes

• aws-cdk-lib: toolkit is unaware of CDK app errors (#​37294) (093de92)
• eks: throw error when kubectl subnets are isolated (#​37217) (73e5006), closes #​26613
• lambda: fix typo in addPermission() warning message (#​37365) (fa21e62)
• lambda-nodejs: use direct spawn for local bundling (#​37292) (9bf4263)
• mixin: use withMixin in Stack to set mixin metadata in its constructs (#​37269) (293ce90), closes /github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/core/lib/mixins/private/mixin-metadata.ts#L30
• rds: enablePerformanceInsights false is ignored when other performance insight properties are set (#​37287) (b4bca75), closes #​37051
• construct errors are rendered in a messy way (#​37290) (5104256)
• spec2cdk: throw on unrecognized uppercase prefix in event pattern (#​37283) (c68f2f5)

---

Alpha modules (2.245.0-alpha.0)

Features

• s3tables-alpha: add support for partition spec, sort order, and table properties (#​36811) (2696cd1)
• s3tables-alpha: add metrics configuration support for TableBucket (#​37275) (e8786f5)
• s3tables-alpha: implement ITaggableV2 on TableBucket and Table L2 constructs (#​37277) (69c8944), closes #​33054

unjs/giget (giget)

v3.2.0

Compare Source

compare changes

🚀 Enhancements

• git: provider with sparse cloning support (#​211)

🩹 Fixes

• _utils: Move hyphens to start of character classes in parseGitURI regex (#​256)
• cli: Prevent duplicate error messages (#​220)
• gitlab: Support subgroups and :: subdir delimiter (#​141)

🏡 Chore

• Init agents.md (774822c)
• Update deps (ac02cb2)
• Fix type issues (bf48c80)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Michael Slowik (@​sl0wik)
• Ted Kesgar (@​tkesgar)
• Terminal Chai (@​terminalchai)

lucide-icons/lucide (lucide-react)

v1.7.0: Version 1.7.0

Compare Source

What's Changed

• fix(lucide-react): Fix dynamic imports by @​ericfennis in #​4210
• feat(icons): added map-pin-search icon by @​TonySullivan in #​4125

New Contributors

• @​TonySullivan made their first contribution in #​4125

Full Changelog: lucide-icons/lucide@1.6.0...1.7.0

v1.6.0: Version 1.6.0

Compare Source

What's Changed

• feat(icons): added radio-off icon by @​kongsgard in #​4138

New Contributors

• @​kongsgard made their first contribution in #​4138

Full Changelog: lucide-icons/lucide@1.5.0...1.6.0

v1.5.0: Version 1.5.0

Compare Source

What's Changed

• feat(icons): added beef-off icon by @​jguddas in #​3816

Full Changelog: lucide-icons/lucide@1.4.0...1.5.0

v1.4.0: Version 1.4.0

Compare Source

What's Changed

• feat(icons): added sport-shoe icon by @​Youya-ui in #​3953

New Contributors

• @​Youya-ui made their first contribution in #​3953

Full Changelog: lucide-icons/lucide@1.3.0...1.4.0

v1.3.0: Version 1.3.0

Compare Source

What's Changed

• feat(icons): added shield-cog icon by @​KnarliX in #​3902

New Contributors

• @​KnarliX made their first contribution in #​3902

Full Changelog: lucide-icons/lucide@1.2.0...1.3.0

v1.2.0: Version 1.2.0

Compare Source

What's Changed

• feat(icons): added line-style icon by @​dg-ac in #​4030

New Contributors

• @​dg-ac made their first contribution in #​4030

Full Changelog: lucide-icons/lucide@1.1.0...1.2.0

v1.1.0: Version 1.1.0

Compare Source

What's Changed

• fix(astro): add Astro v6 compatibility by @​iseraph-dev in #​4135
• fix(packages/lucide-react-native): add preserveModulesRoot to lucide-react-native by @​karsa-mistmere in #​4199
• fix(lucide-preact): add conditional exports map for ESM/CJS resolution by @​coloneljade in #​4198
• fix(scripts): correct import extension in optimizeStagedSvgs.mts by @​jerv in #​4185
• ci(ci.yml): Fix release flow by @​ericfennis in #​4193
• fix(icons): changed arrow-big-* icon by @​jguddas in #​3527
• fix(icons): changed signpost icon by @​jguddas in #​3531
• fix(github/workflows): revert release workflow & add --fail-if-no-match by @​karsa-mistmere in #​4201
• fix(icons): changed circle-user-round icon by @​karsa-mistmere in #​4165
• feat(icons): added road icon by @​uibalint in #​3014

New Contributors

• @​iseraph-dev made their first contribution in #​4135
• @​coloneljade made their first contribution in #​4198
• @​jerv made their first contribution in #​4185
• @​uibalint made their first contribution in #​3014

Full Changelog: lucide-icons/lucide@1.0.2...1.1.0

mintlify/mint (mintlify)

v4.2.458

Compare Source

v4.2.457

Compare Source

v4.2.456

Compare Source

v4.2.455

Compare Source

v4.2.454

Compare Source

v4.2.453

Compare Source

v4.2.452

Compare Source

v4.2.451

Compare Source

v4.2.450

Compare Source

v4.2.449

Compare Source

v4.2.448

Compare Source

nodejs/node (node)

v24.14.1

Compare Source

pnpm/pnpm (pnpm)

v10.33.0

Compare Source

PostHog/posthog-js (posthog-node)

v5.28.8

Compare Source

Patch Changes

• Updated dependencies [4bdfdbc]:
  • @​posthog/core@​1.24.3

v5.28.7

Compare Source

Patch Changes

• Updated dependencies [8d34289]:
  • @​posthog/core@​1.24.2

v5.28.6

Compare Source

Patch Changes

• #​3282 5784dca Thanks @​marandaneto! - fix: captureException now uses distinctId from request context
  (2026-03-26)

bvaughn/react-resizable-panels (react-resizable-panels)

v4.7.6

Compare Source

• 698: Replace Panel aria-disabled attribute with data-disabled

shadcn-ui/ui (shadcn)

v4.1.1

Compare Source

Patch Changes

• #​10202 12b49c986fcf7e6db9be7f515df6142f822f2236 Thanks @​shadcn! - fix packageManager in package.json

vitejs/vite (vite)

v8.0.3

Compare Source

Features

• update rolldown to 1.0.0-rc.12 (#​22024) (84164ef)

Bug Fixes

• html: cache unfiltered CSS list to prevent missing styles across entries (#​22017) (5464190)
• module-runner: handle non-ascii characters in base64 sourcemaps (#​21985) (77c95bf)
• module-runner: skip re-import if the runner is closed (#​22020) (ee2c2cd)
• optimizer: scan is not resolving sub path import if used in a glob import (#​22018) (ddfe20d)
• ssr: ssrTransform incorrectly rewrites meta identifier inside import.meta when a binding named meta exists (#​22019) (cff5f0c)

Miscellaneous Chores

• deps: bump picomatch from 4.0.3 to 4.0.4 (#​22027) (7e56003)

Tests

• html: add tests for getCssFilesForChunk (#​22016) (43fbbf9)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.