Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@biomejs/biome (source)	2.4.8 → 2.4.10
@sentry/react (source)	10.45.0 → 10.46.0
axios (source)	1.13.6 → 1.14.0
graphql	16.13.1 → 16.13.2
graphql-ws (source)	6.0.7 → 6.0.8
pnpm (source)	10.32.1 → 10.33.0

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.4.10

Compare Source

Patch Changes

• #​8838 f3a6a6b Thanks @​baeseokjae! - Added new lint nursery rule noImpliedEval.

  The rule detects implied eval() usage through functions like setTimeout, setInterval, and setImmediate when called with string arguments.

  // Invalid
  setTimeout("alert('Hello');", 100);
  
  // Valid
  setTimeout(() => alert("Hello"), 100);

• #​9320 93c3b6c Thanks @​taberoajorge! - Fixed #​7664: noUnusedVariables no longer reports false positives for TypeScript namespace declarations that participate in declaration merging with an exported or used value declaration (const, function, or class) of the same name. The reverse direction is also handled: a value declaration merged with an exported namespace is no longer flagged.

• #​9630 1dd4a56 Thanks @​raashish1601! - Fixed #​9629: noNegationElse now keeps ternary branch comments attached to the correct branch when applying its fixer.

• #​9216 04243b0 Thanks @​FrederickStempfle! - Fixed #​9061: noProcessEnv now also detects process.env when process is imported from the "process" or "node:process" modules.

  Previously, only the global process object was flagged:

  import process from "node:process";
  // This was not flagged, but now it is:
  console.log(process.env.NODE_ENV);

• #​9692 61b7ec5 Thanks @​mkosei! - Fixed Svelte #each destructuring parsing and formatting for nested patterns such as [key, { a, b }].

• #​9627 06a0f35 Thanks @​ematipico! - Fixed #​191: Improved the performance of how the Biome Language Server pulls code actions and diagnostics.

  Before, code actions were pulled and computed all at once in one request. This approach couldn't work in big files, and caused Biome to stale and have CPU usage spikes up to 100%.

  Now, code actions are pulled and computed lazily, and Biome won't choke anymore in big files.

• #​9643 5bfee36 Thanks @​dyc3! - Fixed #​9347: useVueValidVBind no longer reports valid object bindings like v-bind="props".

• #​9627 06a0f35 Thanks @​ematipico! - Fixed assist diagnostics being invisible when using --diagnostic-level=error. Enforced assist violations (e.g. useSortedKeys) were filtered out before being promoted to errors, causing biome check to incorrectly return success.

• #​9695 9856a87 Thanks @​dyc3! - Added the new nursery rule noUnsafePlusOperands, which reports + and += operations that use object-like, symbol, unknown, or never operands, or that mix number with bigint.

• #​9627 06a0f35 Thanks @​ematipico! - Fixed duplicate parse errors in check and ci output. When a file had syntax errors, the same parse error was printed twice and the error count was inflated.

• #​9627 06a0f35 Thanks @​ematipico! - Improved the performance of the commands lint and check when they are called with --write.

• #​9627 06a0f35 Thanks @​ematipico! - Fixed --diagnostic-level not fully filtering diagnostics. Setting --diagnostic-level=error now correctly excludes warnings and infos from both the output and the summary counts.

• #​9623 13b3261 Thanks @​ematipico! - Fixed #​9258: --skip no longer causes suppressions/unused warnings for suppression comments targeting skipped rules or domains.

• #​9631 599dd04 Thanks @​raashish1601! - Fixed #​9625: experimentalEmbeddedSnippetsEnabled no longer crashes when a file mixes formatable CSS-in-JS templates with tagged templates that the embedded formatter can't currently delegate, such as a styled-components interpolation returning `css```.

v2.4.9

Compare Source

Patch Changes

• #​9315 085d324 Thanks @​ematipico! - Added a new nursery CSS rule noDuplicateSelectors, that disallows duplicate selector lists within the same at-rule context.

  For example, the following snippet triggers the rule because the second selector and the first selector are the same:

  /* First selector */
  .x .y .z {
  }
  
  /* Second selector */
  .x {
    .y {
      .z {
      }
    }
  }

• #​9567 b7ab931 Thanks @​ematipico! - Fixed #​7211: useOptionalChain now detects negated logical OR chains. The following code is now considered invalid:

  !foo || !foo.bar;

• #​8670 607ebf9 Thanks @​tt-a1i! - Fixed #​8345: useAdjacentOverloadSignatures no longer reports false positives for static and instance methods with the same name. Static methods and instance methods are now treated as separate overload groups.

  class Kek {
    static kek(): number {
      return 0;
    }
    another(): string {
      return "";
    }
    kek(): number {
      return 1;
    } // no longer reported as non-adjacent
  }

• #​9476 97b80a8 Thanks @​masterkain! - Fixed #9475: Fixed a panic when Biome analyzed ambient TypeScript modules containing class constructor, getter, or setter signatures that reference local type aliases. Biome now handles these declarations without crashing during semantic analysis.

• #​9553 0cd5298 Thanks @​dyc3! - Fixed a bug where enabling the rules of a whole group, would enable rules that belonged to a domain under the same group.

  For example, linter.rules.correctness = "error" no longer enables React- or Qwik-specific correctness rules unless linter.domains.react, linter.domains.qwik, or an explicit rule config also enables them, or their relative dependencies are installed.

• #​9586 4cafb71 Thanks @​dyc3! - Fixed #​8828: Grit patterns using export { $foo } from $source now match named re-exports in JavaScript and TypeScript files.

• #​9550 d4e3d6e Thanks @​dyc3! - Fixed #​9548: Biome now parses conditional expressions whose consequent is an arrow function returning a parenthesized object expression.

• #​8696 a7c19cc Thanks @​Faizanq! - Fixed #​8685 where noUselessLoneBlockStatements would remove empty blocks containing comments. The rule now preserves these blocks since comments may contain important information like TODOs or commented-out code.

• #​9557 6671ac5 Thanks @​datalek! - Fixed #​9557: Biome's LSP server no longer crashes on startup when used with editors that don't send workspaceFolders during initialization. This affected any LSP client that only sends rootUri, which is valid per the LSP specification.

• #​9455 1710cf1 Thanks @​omar-y-abdi! - Fixed #​9174: useExpect now correctly rejects asymmetric matchers in Vitest or Jest like expect.stringContaining(), expect.objectContaining(), and utilities like expect.extend() that are not valid assertions. Previously these constructs caused false negatives, allowing tests without real assertions to pass the lint rule.

• #​9584 956e367 Thanks @​ematipico! - Fixed a bug where Vue directive attribute values like v-bind:class="{'dynamic': true}" were incorrectly parsed as JavaScript statements instead of expressions. Object literals inside directive values like :class, v-if, and v-html are now correctly parsed as expressions, preventing spurious parse errors.

• #​9474 e168494 Thanks @​ematipico! - Added the new nursery rule noUntrustedLicenses. This rule disallows dependencies that ship with invalid licenses or licenses that don't meet the criteria of your project/organisation.

  The rule has the following options:

  • allow: a list of licenses that can be allowed. Useful to bypass possible invalid licenses from downstream dependencies.
  • deny: a list of licenses that should trigger the rule. Useful to deny licenses that don't fit your project/organisation.
    When both deny and allow are provided, deny takes precedence.
  • requireOsiApproved: whether the licenses need to be approved by the Open Source Initiative.
  • requireFsfLibre: whether the licenses need to be approved by the Free Software Foundation.

• #​9544 723798b Thanks @​ViniciusDev26! - Added an unsafe fix to useConsistentMethodSignatures that automatically converts between method-style and property-style signatures.

• #​9555 8a3647b Thanks @​ematipico! - Fixed #188: the Biome Language Server no longer panics when open files change abruptly, such as during git branch checkouts.

• #​9605 f65c637 Thanks @​ematipico! - Fixed #​9589. Now Biome correctly parses object expressions inside props and directives. The following code doesn't emit errors anymore:

  <style is:global define:vars={{ bgLight: light }}>
  <Component name={{ first, name }} />

• #​9565 ccb249e Thanks @​eyupcanakman! - Fixed #​9505: noUselessStringConcat no longer reports tagged template literals as useless string concatenations. Tagged templates invoke a function and can return non-string values, so combining them with + is not equivalent to a single template literal.

• #​9534 4d050df Thanks @​Netail! - Added the nursery rule noInlineStyles. The rule disallows the use of inline style attributes in HTML and the style prop in JSX, including React.createElement calls. Inline styles make code harder to maintain and can interfere with Content Security Policy.

• #​9611 cddaa44 Thanks @​gaauwe! - Fixed a regression where Biome LSP could misread editor settings sent through workspace/didChangeConfiguration when the payload was wrapped in a top-level biome key. This caused requireConfiguration and related settings to be ignored in some editors.

getsentry/sentry-javascript (@​sentry/react)

v10.46.0

Compare Source

Important Changes

• feat(elysia): @sentry/elysia - Alpha Release (#​19509)

  New Sentry SDK for the Elysia web framework, supporting both Bun and Node.js runtimes.

  Note: This is an alpha release. Please report any issues or feedback on GitHub.

  Features

  • Automatic error capturing — 5xx errors captured via global onError hook; 3xx/4xx ignored by default. Customizable with shouldHandleError.
  • Automatic tracing — Lifecycle spans for every Elysia phase (Request, Parse, Transform, BeforeHandle, Handle, AfterHandle, MapResponse, AfterResponse, Error) with parameterized route names (e.g. GET /users/:id).
  • Distributed tracing — sentry-trace and baggage headers propagated automatically on incoming/outgoing requests.

  Usage

  import * as Sentry from '@​sentry/elysia';
  import { Elysia } from 'elysia';
  
  Sentry.init({ dsn: '__DSN__', tracesSampleRate: 1.0 });
  
  const app = Sentry.withElysia(new Elysia());
  app.get('/', () => 'Hello World');
  app.listen(3000);

Other Changes

• feat(nuxt): Conditionally use plugins based on Nitro version (v2/v3) (#​19955)
• fix(cloudflare): Forward ctx argument to Workflow.do user callback (#​19891)
• fix(cloudflare): Send correct events in local development (#​19900)
• fix(core): Do not overwrite user provided conversation id in Vercel (#​19903)
• fix(core): Preserve .withResponse() on Anthropic instrumentation (#​19935)
• fix(core): Send internal_error as span status for Vercel error spans (#​19921)
• fix(core): Truncate content array format in Vercel (#​19911)
• fix(deps): bump fast-xml-parser to 5.5.8 in @​azure/core-xml chain (#​19918)
• fix(deps): bump socket.io-parser to 4.2.6 to fix CVE-2026-33151 (#​19880)
• fix(nestjs): Add node to nest metadata (#​19875)
• fix(serverless): Add node to metadata (#​19878)

Internal Changes

• chore(ci): Fix "Gatbsy" typo in issue package label workflow (#​19905)
• chore(claude): Enable Claude Code Intelligence (LSP) (#​19930)
• chore(deps): bump mongodb-memory-server-global from 10.1.4 to 11.0.1 (#​19888)
• chore(deps-dev): bump @​react-router/node from 7.13.0 to 7.13.1 (#​19544)
• chore(deps-dev): bump effect from 3.19.19 to 3.20.0 (#​19926)
• chore(deps-dev): bump qunit-dom from 3.2.1 to 3.5.0 (#​19546)
• chore(node-integration-tests): Remove unnecessary file-type dependency (#​19824)
• chore(remix): Replace glob with native recursive fs walk (#​19531)
• feat(deps): bump stacktrace-parser from 0.1.10 to 0.1.11 (#​19887)
• fix(craft): Add missing mainDocsUrl for @​sentry/effect SDK (#​19860)
• fix(deps): bump next to 15.5.14 in nextjs-15 and nextjs-15-intl E2E test apps (#​19917)
• fix(deps): update lockfile to resolve h3@​1.15.10 (#​19933)
• ref(core): Remove duplicate buildMethodPath utility from openai (#​19969)
• ref(elysia): Drop @elysiajs/opentelemetry dependency (#​19947)
• ref(nuxt): Extract core logic for storage/database to prepare for Nuxt v5 (#​19920)
• ref(nuxt): Extract handler patching to extra plugin for Nitro v2/v3 (#​19915)
• ref(sveltekit): Replace recast + @​babel/parser with acorn (#​19533)
• test(astro): Re-enable server island tracing e2e test in Astro 6 (#​19872)
• test(cloudflare): Enable multi-worker tests for CF integration tests (#​19938)

Work in this release was contributed by @​roli-lpci. Thank you for your contributions!

Important Changes

• feat(node): Add nodeRuntimeMetricsIntegration for automatic Node.js runtime metrics (#​19923)

  The new nodeRuntimeMetricsIntegration automatically collects Node.js runtime health metrics and sends them to Sentry. Eight metrics are emitted by default every 30 seconds: memory (RSS, heap used/total), CPU utilization, event loop delay (p50, p99), event loop utilization, and process uptime. Additional metrics are available as opt-in.

  import * as Sentry from '@​sentry/node';
  
  Sentry.init({
    dsn: '...',
    integrations: [Sentry.nodeRuntimeMetricsIntegration()],
  });

axios/axios (axios)

v1.14.0

Compare Source

graphql/graphql-js (graphql)

v16.13.2

Compare Source

enisdenjo/graphql-ws (graphql-ws)

v6.0.8

Compare Source

Patch Changes

• #​667 fc03004 Thanks @​endigma! - Fix the server sending a Complete message after an Error message for subscriptions.

  Previously, when a subscription's async iterable threw an error, the server would send:

  {"id":"1","type":"error","payload":[{"message":"..."}]}
  {"id":"1","type":"complete"}
  

  Per the protocol spec:

  Error: This message terminates the operation and no further messages will be sent.

  Complete (Server → Client): If the server dispatched the Error message relative to the original Subscribe message, no Complete message will be emitted.

  The server now correctly sends only the Error message:

  {"id":"1","type":"error","payload":[{"message":"..."}]}
  

  Clients that correctly follow the spec should be unaffected, as they are expected to ignore messages for operations they consider already completed.

pnpm/pnpm (pnpm)

v10.33.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - "before 6:00am on Monday" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.