chore: bump the dev-dependencies group across 1 directory with 11 updates

[dependabot]

Bumps the dev-dependencies group with 11 updates in the / directory:

Package	From	To
@changesets/changelog-github	0.5.1	0.5.2
@changesets/cli	2.29.4	2.29.8
@types/node	20.17.57	25.3.3
c8	10.1.3	11.0.0
eslint	9.28.0	10.0.2
eslint-plugin-security	3.0.1	4.0.0
lint-staged	16.1.0	16.3.1
lockfile-lint	4.14.1	5.0.0
neostandard	0.12.1	0.13.0
tsup	8.5.0	8.5.1
typescript	5.8.3	5.9.3

Updates @changesets/changelog-github from 0.5.1 to 0.5.2

Commits

• 4f8d76c Version Packages (#670)
• d8f0e68 Fixed an issue with parsing --json output when publishing (#676)
• fe8db75 Upgrade @manypkg/get-packages dependencies to latest version (#667)
• 9a993ba Add resolutions to the PackageJSON type (#668)
• a8c8a03 Version Packages (#663)
• 5413f3e Fixed an issue with adding [undefined] to the generated changelog (#660)
• 74dda8c Add support for workspace:~ and workspace:^ (#585)
• 2b49c39 Implement changeset tag and getAllTags (#634)
• 09a7dab Make master branch rename suggestion more clear (#638)
• a3628d5 Helpful note about status command (#639)
• Additional commits viewable in compare view

Updates @changesets/cli from 2.29.4 to 2.29.8

Release notes

Sourced from @​changesets/cli's releases.

@​changesets/cli@​2.29.7

Patch Changes

• Updated dependencies [957f24e]:
  • @​changesets/apply-release-plan@​7.0.13

@​changesets/cli@​2.29.6

Patch Changes

• #1712 a3563b0 Thanks @​benmccann! - Switch to maintained fork of external-editor

@​changesets/cli@​2.29.5

Patch Changes

• #1693 6352819 Thanks @​Andarist! - Fixed an issue with workspace:^ and workspace:~ dependency ranges not being semantically treated as, respectively, ^CURRENT_VERSION and ~CURRENT_VERSION. This led to dependent packages being, at times, bumped too often when their dependencies with those ranges were bumped.

• Updated dependencies [6352819]:

  • @​changesets/assemble-release-plan@​6.0.9
  • @​changesets/get-release-plan@​4.0.13

Commits

• See full diff in compare view

Updates @types/node from 20.17.57 to 25.3.3

Commits

• See full diff in compare view

Updates c8 from 10.1.3 to 11.0.0

Release notes

Sourced from c8's releases.

v11.0.0

11.0.0 (2026-02-22)

⚠ BREAKING CHANGES

• deps: transitive deps require 20 || >=22

Bug Fixes

• deps: pull newer minimatch addressing CVE-2026-26996 (#576) (678eeca)

Changelog

Sourced from c8's changelog.

11.0.0 (2026-02-22)

⚠ BREAKING CHANGES

• deps: transitive deps require 20 || >=22

Bug Fixes

• deps: pull newer minimatch addressing CVE-2026-26996 (#576) (678eeca)

Commits

• ce78df4 chore(main): release 11.0.0 (#577)
• 678eeca fix(deps)!: pull newer minimatch addressing CVE-2026-26996 (#576)
• ec4c5e4 chore: .editorconfig to avoid unintended mods to .snap files (#556)
• See full diff in compare view

Updates eslint from 9.28.0 to 10.0.2

Release notes

Sourced from eslint's releases.

v10.0.2

Bug Fixes

• 2b72361 fix: update ajv to 6.14.0 to address security vulnerabilities (#20537) (루밀LuMir)

Documentation

• 13eeedb docs: link rule type explanation to CLI option --fix-type (#20548) (Mike McCready)
• 98cbf6b docs: update migration guide per Program range change (#20534) (Huáng Jùnliàng)
• 61a2405 docs: add missing semicolon in vars-on-top rule example (#20533) (Abilash)

Chores

• 951223b chore: update dependency @​eslint/eslintrc to ^3.3.4 (#20553) (renovate[bot])
• 6aa1afe chore: update dependency eslint-plugin-jsdoc to ^62.7.0 (#20536) (Milos Djermanovic)

v10.0.1

Bug Fixes

• c87d5bd fix: update eslint (#20531) (renovate[bot])
• d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519) (루밀LuMir)
• 04c2147 fix: update error message for unused suppressions (#20496) (fnx)
• 38b089c fix: update dependency @​eslint/config-array to ^0.23.1 (#20484) (renovate[bot])

Documentation

• 5b3dbce docs: add AI acknowledgement section to templates (#20431) (루밀LuMir)
• 6f23076 docs: toggle nav in no-JS mode (#20476) (Tanuj Kanti)
• b69cfb3 docs: Update README (GitHub Actions Bot)

Chores

• e5c281f chore: updates for v9.39.3 release (Jenkins)
• 8c3832a chore: update @​typescript-eslint/parser to ^8.56.0 (#20514) (Milos Djermanovic)
• 8330d23 test: add tests for config-api (#20493) (Milos Djermanovic)
• 37d6e91 chore: remove eslint v10 prereleases from eslint-config-eslint deps (#20494) (Milos Djermanovic)
• da7cd0e refactor: cleanup error message templates (#20479) (Francesco Trotta)
• 84fb885 chore: package.json update for @​eslint/js release (Jenkins)
• 1f66734 chore: add eslint to peerDependencies of @eslint/js (#20467) (Milos Djermanovic)

v10.0.0

Breaking Changes

• f9e54f4 feat!: estimate rule-tester failure location (#20420) (ST-DDT)
• a176319 feat!: replace chalk with styleText and add color to ResultsMeta (#20227) (루밀LuMir)
• c7046e6 feat!: enable JSX reference tracking (#20152) (Pixel998)
• fa31a60 feat!: add name to configs (#20015) (Kirk Waiblinger)
• 3383e7e fix!: remove deprecated SourceCode methods (#20137) (Pixel998)
• 501abd0 feat!: update dependency minimatch to v10 (#20246) (renovate[bot])
• ca4d3b4 fix!: stricter rule tester assertions for valid test cases (#20125) (唯然)
• 96512a6 fix!: Remove deprecated rule context methods (#20086) (Nicholas C. Zakas)
• c69fdac feat!: remove eslintrc support (#20037) (Francesco Trotta)
• 208b5cc feat!: Use ScopeManager#addGlobals() (#20132) (Milos Djermanovic)
• a2ee188 fix!: add uniqueItems: true in no-invalid-regexp option (#20155) (Tanuj Kanti)
• a89059d feat!: Program range span entire source text (#20133) (Pixel998)
• 39a6424 fix!: assert 'text' is a string across all RuleFixer methods (#20082) (Pixel998)
• f28fbf8 fix!: Deprecate "always" and "as-needed" options of the radix rule (#20223) (Milos Djermanovic)

... (truncated)

Commits

• 55122d6 10.0.2
• 80f1e29 Build: changelog update for 10.0.2
• 951223b chore: update dependency @​eslint/eslintrc to ^3.3.4 (#20553)
• 13eeedb docs: link rule type explanation to CLI option --fix-type (#20548)
• 6aa1afe chore: update dependency eslint-plugin-jsdoc to ^62.7.0 (#20536)
• 2b72361 fix: update ajv to 6.14.0 to address security vulnerabilities (#20537)
• 98cbf6b docs: update migration guide per Program range change (#20534)
• 61a2405 docs: add missing semicolon in vars-on-top rule example (#20533)
• 0bd5497 10.0.1
• ddb80ef Build: changelog update for 10.0.1
• Additional commits viewable in compare view

Updates eslint-plugin-security from 3.0.1 to 4.0.0

Release notes

Sourced from eslint-plugin-security's releases.

eslint-plugin-security: v4.0.0

4.0.0 (2026-02-19)

⚠ BREAKING CHANGES

• requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146)
• switch the recommended config to flat (#118)

Features

• add config recommended-legacy (#132) (13d3f2f)
• Add meta object documentation for all rules (#79) (fb1d9ef)
• detect-bidi-characters rule (#95) (4294d29)
• detect-non-literal-fs-filename: change to track non-top-level require() as well (#105) (d3b1543)
• extend detect non literal fs filename (#92) (08ba476)
• improve detect-child-process rule (#108) (64ae529)
• non-literal-require: support template literals (#81) (208019b)
• requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146) (df1b606)
• switch the recommended config to flat (#118) (e20a366)

Bug Fixes

• Add ESLint 10 compatibility for context.sourceCode API change (#186) (7f9ee77)
• add name to recommended flat config (#161) (aa1c8c5)
• Avoid crash when exec() is passed no arguments (7f97815), closes #82 #23
• Avoid TypeError when exec stub is used with no arguments (#97) (9c18f16)
• detect-child-process: false positive for destructuring with exec (#102) (657921a)
• detect-child-process: false positives for destructuring spawn (#103) (fdfe37d)
• Ensure empty eval() doesn't crash detect-eval-with-expression (#139) (8a7c7db)
• Ensure everything works with ESLint v9 (#145) (ac50ab4)
• false positives for static expressions in detect-non-literal-fs-filename, detect-child-process, detect-non-literal-regexp, and detect-non-literal-require (#109) (56102b5)
• generate provenance statement for release (#168) (eb3ee9c)
• Incorrect method name in detect-buffer-noassert. (313c0c6), closes #63 #80
• release-please config (#189) (2443d10)

Changelog

Sourced from eslint-plugin-security's changelog.

4.0.0 (2026-02-19)

⚠ BREAKING CHANGES

• requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146)
• switch the recommended config to flat (#118)

Features

• add config recommended-legacy (#132) (13d3f2f)
• Add meta object documentation for all rules (#79) (fb1d9ef)
• detect-bidi-characters rule (#95) (4294d29)
• detect-non-literal-fs-filename: change to track non-top-level require() as well (#105) (d3b1543)
• extend detect non literal fs filename (#92) (08ba476)
• improve detect-child-process rule (#108) (64ae529)
• non-literal-require: support template literals (#81) (208019b)
• requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146) (df1b606)
• switch the recommended config to flat (#118) (e20a366)

Bug Fixes

• Add ESLint 10 compatibility for context.sourceCode API change (#186) (7f9ee77)
• add name to recommended flat config (#161) (aa1c8c5)
• Avoid crash when exec() is passed no arguments (7f97815), closes #82 #23
• Avoid TypeError when exec stub is used with no arguments (#97) (9c18f16)
• detect-child-process: false positive for destructuring with exec (#102) (657921a)
• detect-child-process: false positives for destructuring spawn (#103) (fdfe37d)
• Ensure empty eval() doesn't crash detect-eval-with-expression (#139) (8a7c7db)
• Ensure everything works with ESLint v9 (#145) (ac50ab4)
• false positives for static expressions in detect-non-literal-fs-filename, detect-child-process, detect-non-literal-regexp, and detect-non-literal-require (#109) (56102b5)
• generate provenance statement for release (#168) (eb3ee9c)
• Incorrect method name in detect-buffer-noassert. (313c0c6), closes #63 #80
• release-please config (#189) (2443d10)

Commits

• 4b734af chore: release 4.0.0 🚀 (#192)
• 2443d10 fix: release-please config (#189)
• ee73862 chore(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#187)
• ca182d1 chore(deps): bump serialize-javascript and mocha (#184)
• 7f9ee77 fix: Add ESLint 10 compatibility for context.sourceCode API change (#186)
• 99032c3 ci: trusted publishing (#180)
• 5e096f2 ci(ci): add node 24 to test matrix (#176)
• e060aeb ci: migrate to manifest config (#173)
• fc0af81 chore(.eslint-doc-generatorrc): add missing 'use strict' directive (#170)
• f6a29ef chore(package): explicitly declare js module type (#171)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for eslint-plugin-security since your current version.

Updates lint-staged from 16.1.0 to 16.3.1

Release notes

Sourced from lint-staged's releases.

v16.3.1

Patch Changes

• #1729 cd5d762 Thanks @​iiroj! - Remove nano-spawn as a dependency from package.json as it was replaced with tinyexec and is no longer used.

v16.3.0

Minor Changes

• #1698 feda37a Thanks @​iiroj! - Run external processes with tinyexec instead of nano-spawn. nano-spawn replaced execa in lint-staged version 16 to limit the amount of npm dependencies required, but caused some unknown issues related to spawning tasks. Let's hope tinyexec improves the situation.

• #1699 1346d16 Thanks @​iiroj! - Remove pidtree as a dependency. When a task fails, its sub-processes are killed more efficiently via the process group on Unix systems, and the taskkill command on Windows.

Patch Changes

• #1726 87467aa Thanks @​iiroj! - Incorrect brace expansions like *.{js} (nothing to expand) are detected exhaustively, instead of just a single pass.

v16.2.7

Patch Changes

• #1711 ef74c8d Thanks @​iiroj! - Do not display a "failed to spawn" error message when a task fails normally. This message is reserved for when the task didn't run because spawning it failed.

v16.2.6

Patch Changes

• #1693 33d4502 Thanks @​Adrian-Baran-GY! - Fix problems with --continue-on-error option, where tasks might have still been killed (SIGINT) when one of them failed.

v16.2.5

Patch Changes

• #1687 9e02d9d Thanks @​iiroj! - Fix unhandled promise rejection when spawning tasks (instead of the tasks themselves failing). Previously when a task failed to spawn, lint-staged also failed and the backup stash might not have been automatically restored.

v16.2.4

Patch Changes

• #1682 0176038 Thanks @​iiroj! - Update dependencies, including nano-spawn@2.0.0 with bug fixes.

• #1671 581a54e Thanks @​iiroj! - Speed up execution by only importing the yaml depedency if using YAML configuration files.

v16.2.3

Patch Changes

• #1669 27cd541 Thanks @​iiroj! - When using --fail-on-changes, automatically hidden (partially) unstaged changes are no longer counted to make lint-staged fail.

v16.2.2

Patch Changes

• #1667 699f95d Thanks @​iiroj! - The backup stash will not be dropped when using --fail-on-changes and there are errors. When reverting to original state is disabled (via --no-revert or --fail-on-changes), hidden (partially) unstaged changes are still restored automatically so that it's easier to resolve the situation manually.

  Additionally, the example for using the backup stash manually now uses the correct backup hash, if available:

... (truncated)

Changelog

Sourced from lint-staged's changelog.

16.3.1

Patch Changes

• #1729 cd5d762 Thanks @​iiroj! - Remove nano-spawn as a dependency from package.json as it was replaced with tinyexec and is no longer used.

16.3.0

Minor Changes

• #1698 feda37a Thanks @​iiroj! - Run external processes with tinyexec instead of nano-spawn. nano-spawn replaced execa in lint-staged version 16 to limit the amount of npm dependencies required, but caused some unknown issues related to spawning tasks. Let's hope tinyexec improves the situation.

• #1699 1346d16 Thanks @​iiroj! - Remove pidtree as a dependency. When a task fails, its sub-processes are killed more efficiently via the process group on Unix systems, and the taskkill command on Windows.

Patch Changes

• #1726 87467aa Thanks @​iiroj! - Incorrect brace expansions like *.{js} (nothing to expand) are detected exhaustively, instead of just a single pass.

16.2.7

Patch Changes

• #1711 ef74c8d Thanks @​iiroj! - Do not display a "failed to spawn" error message when a task fails normally. This message is reserved for when the task didn't run because spawning it failed.

16.2.6

Patch Changes

• #1693 33d4502 Thanks @​Adrian-Baran-GY! - Fix problems with --continue-on-error option, where tasks might have still been killed (SIGINT) when one of them failed.

16.2.5

Patch Changes

• #1687 9e02d9d Thanks @​iiroj! - Fix unhandled promise rejection when spawning tasks (instead of the tasks themselves failing). Previously when a task failed to spawn, lint-staged also failed and the backup stash might not have been automatically restored.

16.2.4

Patch Changes

• #1682 0176038 Thanks @​iiroj! - Update dependencies, including nano-spawn@2.0.0 with bug fixes.

• #1671 581a54e Thanks @​iiroj! - Speed up execution by only importing the yaml depedency if using YAML configuration files.

16.2.3

Patch Changes

• #1669 27cd541 Thanks @​iiroj! - When using --fail-on-changes, automatically hidden (partially) unstaged changes are no longer counted to make lint-staged fail.

... (truncated)

Commits

• 2a74cd2 chore(changeset): release
• cd5d762 refactor: remove nano-spawn dependency completely
• e342cab build(deps): move nano-spawn to dev
• 9aa2cd7 chore(changeset): release
• 0c387bc test: make long-running task longer because of GitHub Actions slowness
• 87467aa refactor: detect incorrect brace expansion exhaustively
• dceabc6 ci: run npm audit in GitHub Actions
• d0e4c2a build(deps): update dependencies
• 93cf144 docs: add tip about lint-staged.sh
• 9809fee test: adjust integration test logging setup for concurrency
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for lint-staged since your current version.

Updates lockfile-lint from 4.14.1 to 5.0.0

Release notes

Sourced from lockfile-lint's releases.

lockfile-lint@5.0.0

Major Changes

• 00f595c7b9cad499b86cbc33c3e6492c3b131849 Thanks @​lirantal! - feat: support loading of ESM cosmiconfig files

Changelog

Sourced from lockfile-lint's changelog.

5.0.0

Major Changes

• 00f595c7b9cad499b86cbc33c3e6492c3b131849 Thanks @​lirantal! - feat: support loading of ESM cosmiconfig files

Commits

• 09dabb4 build: update for provenance release
• 3d62d47 chore: new release (#209)
• f65c7b2 feat: add ESM configuration file support (#208)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for lockfile-lint since your current version.

Updates neostandard from 0.12.1 to 0.13.0

Release notes

Sourced from neostandard's releases.

v0.13.0

0.13.0 (2026-02-26)

⚠ BREAKING CHANGES

• Require Node.js ^20.19.0 || ^22.13.0 || >=24 (#339)
• eslint-plugin-import-x is no longer included by default. Projects relying on import-x rules will need to manually install and configure eslint-plugin-import-x. See the "Adding back import checking" section in the README for migration instructions. As an alternative, we recommend using TypeScript's compiler (tsc --noEmit) for import validation, which provides more comprehensive checking.
• update dependency globals to v17 (#335)

🌟 Features

• deps: update dependency globals to ^17.2.0 (#347) (66d504e)
• deps: update dependency typescript-eslint to ^8.54.0 (#348) (2cdd443)
• deps: update dependency typescript-eslint to ^8.56.0 (#357) (fe4ba92)
• remove eslint-plugin-import-x and related dependencies (#330) (248de35)
• Require Node.js ^20.19.0 || ^22.13.0 || >=24 (#339) (ba575f3)
• update dependency globals to v17 (#335) (a856b81)

🩹 Fixes

• deps: update dependency eslint-plugin-n to ^17.23.2 (#303) (76d50ed)
• deps: update dependency find-up to v8 (#324) (d95b6e3)
• deps: update dependency globals to ^17.3.0 (#351) (94ab3ce)
• deps: update dependency peowly to ^1.3.3 (#356) (b873608)
• deps: update dependency typescript-eslint to ^8.53.1 (#322) (6beb36b)

🧹 Chores

• properly apply filter (#336) (bd1ad55)

v0.12.2

0.12.2 (2025-07-04)

🩹 Fixes

• deps: update dependency eslint-plugin-n to ^17.20.0 (#238) (70fc310)
• deps: update dependency eslint-plugin-react to ^7.37.5 (#245) (dfb5f6c)
• deps: update dependency globals to ^15.15.0 (#244) (d4825fa)
• deps: update dependency typescript-eslint to ^8.35.1 (#239) (da922e8)
• deps: update eslint-plugin-import etc. (#290) (cd398d4)

📚 Documentation

• add examples for all configuration options, CJS note, base example and a better table of content (#268) (3f76650)

Changelog

Sourced from neostandard's changelog.

0.13.0 (2026-02-26)

⚠ BREAKING CHANGES

• Require Node.js ^20.19.0 || ^22.13.0 || >=24 (#339)
• eslint-plugin-import-x is no longer included by default. Projects relying on import-x rules will need to manually install and configure eslint-plugin-import-x. See the "Adding back import checking" section in the README for migration instructions. As an alternative, we recommend using TypeScript's compiler (tsc --noEmit) for import validation, which provides more comprehensive checking.
• update dependency globals to v17 (#335)

🌟 Features

• deps: update dependency globals to ^17.2.0 (#347) (66d504e)
• deps: update dependency typescript-eslint to ^8.54.0 (#348) (2cdd443)
• deps: update dependency typescript-eslint to ^8.56.0 (#357) (fe4ba92)
• remove eslint-plugin-import-x and related dependencies (#330) (248de35)
• Require Node.js ^20.19.0 || ^22.13.0 || >=24 (#339) (ba575f3)
• update dependency globals to v17 (#335) (a856b81)

🩹 Fixes

• deps: update dependency eslint-plugin-n to ^17.23.2 (#303) (76d50ed)
• deps: update dependency find-up to v8 (#324) (d95b6e3)
• deps: update dependency globals to ^17.3.0 (#351) (94ab3ce)
• deps: update dependency peowly to ^1.3.3 (#356) (