
Bump the npm-minor-patch group with 9 updates #81

Merged
github-actions[bot] merged 1 commit into main from
dependabot/npm_and_yarn/npm-minor-patch-8b5a16e268
Apr 6, 2026


@dependabot dependabot bot commented on behalf of github Apr 6, 2026

Bumps the npm-minor-patch group with 9 updates:

| Package | From | To |
| --- | --- | --- |
| @tanstack/react-query | 5.96.0 | 5.96.2 |
| @types/node | 25.5.0 | 25.5.2 |
| fuse.js | 7.1.0 | 7.3.0 |
| lodash | 4.17.23 | 4.18.1 |
| react-router | 7.13.2 | 7.14.0 |
| react-router-dom | 7.13.2 | 7.14.0 |
| @eslint/compat | 2.0.3 | 2.0.4 |
| eslint | 10.1.0 | 10.2.0 |
| ts-loader | 9.5.4 | 9.5.7 |

Updates @tanstack/react-query from 5.96.0 to 5.96.2

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.96.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.96.2
    • @​tanstack/react-query@​5.96.2

@​tanstack/react-query-next-experimental@​5.96.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/react-query@​5.96.2

@​tanstack/react-query-persist-client@​5.96.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.96.2
    • @​tanstack/react-query@​5.96.2

@​tanstack/react-query@​5.96.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.96.2

@​tanstack/react-query-devtools@​5.96.1

Patch Changes

  • fix(build): exclude config files from production DTS rollup to prevent @types/node type pollution (#10358)

  • Updated dependencies []:

    • @​tanstack/query-devtools@​5.96.1
    • @​tanstack/react-query@​5.96.1

@​tanstack/react-query-next-experimental@​5.96.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/react-query@​5.96.1

@​tanstack/react-query-persist-client@​5.96.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.96.1
    • @​tanstack/react-query@​5.96.1

@​tanstack/react-query@​5.96.1

Patch Changes

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.96.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.96.2

5.96.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.96.1
Commits

Updates @types/node from 25.5.0 to 25.5.2

Commits

Updates fuse.js from 7.1.0 to 7.3.0

Release notes

Sourced from fuse.js's releases.

v7.3.0

Features

  • Token search — per-term fuzzy matching with IDF scoring (68c1dcf)
  • Fuse.match() — static method for single string matching (460eb5b)
  • BigInt support for indexing and search (0ae662c)
  • removeAt() now returns the removed item (8cec7e2)
  • Support keyless string entries in logical queries (8695556)
  • getFn null return, escaped pipe in extended search, empty query returns all (d33b735)

Bug Fixes

  • Merge overlapping match indices in extended search (06c5e97)
  • Inverse patterns now work correctly across multiple keys (9351882)
  • Handle quoted tokens with inner spaces and quotes in extended search (c226523)
  • Handle non-decomposable diacritics in stripDiacritics (5a01f29)
  • Coerce non-string array values to strings during indexing (db0e181)
  • Strip getFn from keys in toJSON() for safe serialization (0f2a69b)

Internal

  • Full TypeScript rewrite of source code
  • Dropped UMD builds and babel preset-env
  • Upgraded to Rollup 4, Vitest 2, TypeScript 6, ESLint 9
  • Frozen default config to prevent mutation across instances
  • Rewrote documentation as standalone markdown files

v7.2.0

Features

  • Add Fuse.use() for runtime plugin registration

Performance

  • Inline Bitap score computation to reduce object allocation in hot loops
  • Batch removeAll for O(n) bulk removes instead of O(n*k)
  • Heap-based top-k selection when limit is set
  • Cache compiled searcher for repeated queries

Benchmarked on 10k records: 9-14% faster core search, 49x faster bulk remove.

Bug Fixes

  • search: Deduplicate and merge overlapping match indices (#735)
  • search: Preserve original array indices in nested path traversal (#786)
  • types: Correct key type in FuseSortFunctionMatch (#811)
  • types: Correct keys type in parseIndex parameter (#794)

Full Changelog: krisk/Fuse@v7.1.0...v7.2.0

Changelog

Sourced from fuse.js's changelog.

7.3.0 (2026-04-04)

Features

  • add BigInt support for indexing and search (0ae662c), closes #814
  • add static Fuse.match() for single string matching (460eb5b)
  • add token search — per-term fuzzy matching with IDF scoring (68c1dcf)
  • getFn null return, escaped pipe in extended search, empty query returns all (d33b735), closes #800 #765 #728
  • removeAt() now returns the removed item (8cec7e2), closes #675
  • search: support keyless string entries in logical queries (8695556), closes #736

Bug Fixes

  • index: coerce non-string array values to strings during indexing (db0e181), closes #738
  • index: strip getFn from keys in toJSON() for safe serialization (0f2a69b), closes #798
  • lint: suppress unused var in toJSON destructure (d63c0e8)
  • merge overlapping match indices in extended search (06c5e97)
  • search: handle non-decomposable diacritics in stripDiacritics (5a01f29), closes home-assistant/frontend#30399 #816
  • search: handle quoted tokens with inner spaces and quotes in extended search (c226523), closes #810
  • search: inverse patterns now work correctly across multiple keys (9351882), closes #712

7.2.0 (2026-04-02)

Features

  • add Fuse.use() for runtime plugin registration (8546a9b)

Performance

  • inline Bitap score computation to reduce object allocation in hot loops (8546a9b)
  • batch removeAll for O(n) bulk removes instead of O(n*k) (8546a9b)
  • heap-based top-k selection when limit is set (8546a9b)
  • cache compiled searcher for repeated queries (8546a9b)

Bug Fixes

  • search: deduplicate and merge overlapping match indices (60c393a), closes #735
  • search: preserve original array indices in nested path traversal (a1451be), closes #786
  • types: correct key type in FuseSortFunctionMatch (fecee16), closes #811
  • types: correct keys type in parseIndex parameter (58c7c73), closes #794
Commits
  • aae48f5 chore(release): 7.3.0
  • d63c0e8 fix(lint): suppress unused var in toJSON destructure
  • 44dfdb4 chore: add funding field to package.json
  • 65dadf5 docs: add performance guide with benchmark script
  • 0ae662c feat: add BigInt support for indexing and search
  • 8153c9d docs: fix tsconfig to resolve "no inputs found" error
  • 6afb2ed docs: add "When to Use It" section to token search page
  • 0e74a9c docs: simplify Getting Started page title
  • 80330ed docs: fix sidebar titles and restore subheading expansion
  • 6cd0cee docs: remove unused TwitterFollow and Version components
  • Additional commits viewable in compare view

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash, lodash-es, lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates react-router from 7.13.2 to 7.14.0

Release notes

Sourced from react-router's releases.

v7.14.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7140

Changelog

Sourced from react-router's changelog.

7.14.0

Patch Changes

  • UNSTABLE RSC FRAMEWORK MODE BREAKING CHANGE - Existing route module exports remain unchanged from stable v7 non-RSC mode, but new exports are added for RSC mode. If you want to use RSC features, you will need to update your route modules to export the new annotations. (#14901)

    If you are using RSC framework mode currently, you will need to update your route modules to the new conventions. The following route module components have their own mutually exclusive server component counterparts:

    | Server Component Export | Client Component |
    | --- | --- |
    | ServerComponent | default |
    | ServerErrorBoundary | ErrorBoundary |
    | ServerLayout | Layout |
    | ServerHydrateFallback | HydrateFallback |

    If you were previously exporting a ServerComponent, your ErrorBoundary, Layout, and HydrateFallback were also server components. If you want to keep those as server components, you can rename them and prefix them with Server. If you were previously importing the implementations of those components from a client module, you can simply inline them.

    Example:

    Before

    import { ErrorBoundary as ClientErrorBoundary } from "./client";
    export function ServerComponent() {
      // ...
    }
    export function ErrorBoundary() {
      return <ClientErrorBoundary />;
    }
    export function Layout() {
      // ...
    }
    export function HydrateFallback() {
      // ...
    }

    After

    export function ServerComponent() {
      // ...
    }
    export function ErrorBoundary() {
      // previous implementation of ClientErrorBoundary, this is now a client component

... (truncated)

Commits

Updates react-router-dom from 7.13.2 to 7.14.0

Changelog

Sourced from react-router-dom's changelog.

7.14.0

Patch Changes

  • Updated dependencies:
    • react-router@7.14.0
Commits

Updates @eslint/compat from 2.0.3 to 2.0.4

Release notes

Sourced from @​eslint/compat's releases.

migrate-config: v2.0.4

2.0.4 (2026-03-20)

Bug Fixes

  • update dependency @​eslint/eslintrc to ^3.3.5 (#397) (8567c19)

compat: v2.0.4

2.0.4 (2026-04-03)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @​eslint/core bumped from ^1.1.1 to ^1.2.0
Changelog

Sourced from @​eslint/compat's changelog.

2.0.4 (2026-04-03)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @​eslint/core bumped from ^1.1.1 to ^1.2.0
Commits

Updates eslint from 10.1.0 to 10.2.0

Release notes

Sourced from eslint's releases.

v10.2.0

Features

  • 586ec2f feat: Add meta.languages support to rules (#20571) (Copilot)
  • 14207de feat: add Temporal to no-obj-calls (#20675) (Pixel998)
  • bbb2c93 feat: add Temporal to ES2026 globals (#20672) (Pixel998)

Bug Fixes

  • 542cb3e fix: update first-party dependencies (#20714) (Francesco Trotta)

Documentation

  • a2af743 docs: add language to configuration objects (#20712) (Francesco Trotta)
  • 845f23f docs: Update README (GitHub Actions Bot)
  • 5fbcf59 docs: remove sourceType from ts playground link (#20477) (Tanuj Kanti)
  • 8702a47 docs: Update README (GitHub Actions Bot)
  • ddeaded docs: Update README (GitHub Actions Bot)
  • 2b44966 docs: add Major Releases section to Manage Releases (#20269) (Milos Djermanovic)
  • eab65c7 docs: update eslint versions in examples (#20664) (루밀LuMir)
  • 3e4a299 docs: update ESM Dependencies policies with note for own-usage packages (#20660) (Milos Djermanovic)

Chores

  • 8120e30 refactor: extract no unmodified loop condition (#20679) (kuldeep kumar)
  • 46e8469 chore: update dependency markdownlint-cli2 to ^0.22.0 (#20697) (renovate[bot])
  • 01ed3aa test: add unit tests for unicode utilities (#20622) (Manish chaudhary)
  • 811f493 ci: remove --legacy-peer-deps from types integration tests (#20667) (Milos Djermanovic)
  • 6b86fcf chore: update dependency npm-run-all2 to v8 (#20663) (renovate[bot])
  • 632c4f8 chore: add prettier update commit to .git-blame-ignore-revs (#20662) (루밀LuMir)
  • b0b0f21 chore: update dependency eslint-plugin-regexp to ^3.1.0 (#20659) (Milos Djermanovic)
  • 228a2dd chore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 (#20661) (Milos Djermanovic)
  • 3ab4d7e test: Add tests for eslintrc-style keys (#20645) (kuldeep kumar)
Commits

Updates ts-loader from 9.5.4 to 9.5.7

Release notes

Sourced from ts-loader's releases.

v9.5.7

Skipping 9.5.5-9.5.6 due to publishing issues

Changelog

Sourced from ts-loader's changelog.

9.5.7

Skipping 9.5.5-9.5.6 due to publishing issues

Commits
  • 4a60de4 chore: trusted publishing attempt 3
  • b03b4aa chore: version bump
  • 2421dcf fix: trusted publishing by changing respository.url in package.json
  • f84480f fix: TS5011 errors with TypeScript 6.0: transpileModule called with rootDir: ...
  • 0cef777 feat: migrate to trusted publishing (#1680)
  • a0cfb39 docs: add AGENTS.md / CLAUDE.md
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for ts-loader since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the npm-minor-patch group with 9 updates:

| Package | From | To |
| --- | --- | --- |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.96.0` | `5.96.2` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.5.0` | `25.5.2` |
| [fuse.js](https://github.com/krisk/Fuse) | `7.1.0` | `7.3.0` |
| [lodash](https://github.com/lodash/lodash) | `4.17.23` | `4.18.1` |
| [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router) | `7.13.2` | `7.14.0` |
| [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom) | `7.13.2` | `7.14.0` |
| [@eslint/compat](https://github.com/eslint/rewrite/tree/HEAD/packages/compat) | `2.0.3` | `2.0.4` |
| [eslint](https://github.com/eslint/eslint) | `10.1.0` | `10.2.0` |
| [ts-loader](https://github.com/TypeStrong/ts-loader) | `9.5.4` | `9.5.7` |


Updates `@tanstack/react-query` from 5.96.0 to 5.96.2
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.96.2/packages/react-query)

Updates `@types/node` from 25.5.0 to 25.5.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `fuse.js` from 7.1.0 to 7.3.0
- [Release notes](https://github.com/krisk/Fuse/releases)
- [Changelog](https://github.com/krisk/Fuse/blob/main/CHANGELOG.md)
- [Commits](krisk/Fuse@v7.1.0...v7.3.0)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `react-router` from 7.13.2 to 7.14.0
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router@7.14.0/packages/react-router)

Updates `react-router-dom` from 7.13.2 to 7.14.0
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router-dom/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router-dom@7.14.0/packages/react-router-dom)

Updates `@eslint/compat` from 2.0.3 to 2.0.4
- [Release notes](https://github.com/eslint/rewrite/releases)
- [Changelog](https://github.com/eslint/rewrite/blob/main/packages/compat/CHANGELOG.md)
- [Commits](https://github.com/eslint/rewrite/commits/compat-v2.0.4/packages/compat)

Updates `eslint` from 10.1.0 to 10.2.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.1.0...v10.2.0)

Updates `ts-loader` from 9.5.4 to 9.5.7
- [Release notes](https://github.com/TypeStrong/ts-loader/releases)
- [Changelog](https://github.com/TypeStrong/ts-loader/blob/main/CHANGELOG.md)
- [Commits](TypeStrong/ts-loader@v9.5.4...v9.5.7)

---
updated-dependencies:
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.96.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: "@types/node"
  dependency-version: 25.5.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: fuse.js
  dependency-version: 7.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor-patch
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor-patch
- dependency-name: react-router
  dependency-version: 7.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor-patch
- dependency-name: react-router-dom
  dependency-version: 7.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor-patch
- dependency-name: "@eslint/compat"
  dependency-version: 2.0.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: eslint
  dependency-version: 10.2.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor-patch
- dependency-name: ts-loader
  dependency-version: 9.5.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies and javascript labels Apr 6, 2026
@github-actions github-actions bot merged commit 2572c0b into main Apr 6, 2026
8 of 9 checks passed
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/npm-minor-patch-8b5a16e268 branch April 6, 2026 03:31
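
The two lodash 4.18.0 security fixes quoted in the release notes above, sketched as application-side guards. This is an added example, not lodash source and not part of this PR; `isBlockedPath`, `safeUnset`, `checkImportKeys`, the extra `__proto__` entry and the identifier regex are assumptions of the example.

```javascript
'use strict';
// Added illustration; not lodash source code.

// Keys refused when they appear before the last segment of a path.
// 'constructor' and 'prototype' come from the release note; '__proto__'
// is an extra assumption of this example.
const BLOCKED_NON_TERMINAL = new Set(['constructor', 'prototype', '__proto__']);

// Normalise a path to property keys. Each segment is coerced with String()
// so an array-wrapped segment such as ['constructor'] compares equal to
// 'constructor' instead of slipping past a strict string comparison.
function toKeys(path) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  return segments.map((s) => (typeof s === 'symbol' ? s : String(s)));
}

// True when any non-terminal key of the path is on the block list.
function isBlockedPath(path) {
  return toKeys(path).slice(0, -1).some((k) => BLOCKED_NON_TERMINAL.has(k));
}

// Delete target[path]. Returns false and leaves everything untouched when
// the path walks through a blocked key, whatever the root value is.
function safeUnset(target, path) {
  if (isBlockedPath(path)) return false;
  const keys = toKeys(path);
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (node == null) return true; // nothing there to delete
    node = node[key];
  }
  if (node == null) return true;
  return Reflect.deleteProperty(Object(node), keys[keys.length - 1]);
}

// Assumed identifier rule for this example; the release note names lodash's
// reForbiddenIdentifierChars but does not show its pattern.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Validate the keys of an `imports` object before it reaches a template
// compiler that turns those keys into function parameter names.
function checkImportKeys(imports) {
  const bad = Object.keys(imports || {}).filter((k) => !IDENTIFIER.test(k));
  if (bad.length > 0) {
    throw new TypeError(`Invalid imports keys: ${JSON.stringify(bad)}`);
  }
  return imports;
}

// Constructed sample inputs exercising each case named in the release note.
function demo() {
  const doc = { user: { name: 'a', token: 't' } };
  const results = {
    plain: safeUnset(doc, 'user.token'),
    wrapped: safeUnset({}, [['constructor'], 'prototype', 'toString']),
    primitiveRoot: safeUnset(0, 'constructor.prototype.toFixed'),
    terminalOnly: safeUnset({ x: { constructor: 1 } }, 'x.constructor'),
  };
  let importsRejected = false;
  try {
    checkImportKeys({ helper: String, 'not an identifier': 1 });
  } catch (e) {
    importsRejected = e instanceof TypeError;
  }
  return { doc, results, importsRejected };
}

console.log(demo());
```
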

Labels

Area: UI, dependencies, javascript
