Update Mend: high confidence minor and patch dependency updates

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@biomejs/biome (source)	2.4.11 → 2.4.13
@tailwindcss/postcss (source)	4.2.2 → 4.2.4
add-to-calendar-button-react (source)	2.13.8 → 2.14.0
autoprefixer	10.4.27 → 10.5.0
axios (source)	1.15.0 → 1.15.2
lucide-react (source)	1.8.0 → 1.14.0
pnpm (source)	10.33.0 → 10.33.2
postcss (source)	8.5.9 → 8.5.13
react-hook-form (source)	7.72.1 → 7.74.0
react-resizable-panels (source)	4.9.0 → 4.10.0
react-router-dom (source)	7.14.0 → 7.14.2
tailwindcss (source)	4.2.2 → 4.2.4
typescript (source)	6.0.2 → 6.0.3
vite (source)	8.0.8 → 8.0.10
zod (source)	4.3.6 → 4.4.1

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.4.13

Compare Source

Patch Changes

• #​9969 c5eb92b Thanks @​officialasishkumar! - Added the nursery rule noUnnecessaryTemplateExpression, which disallows template literals that only contain string literal expressions. These can be replaced with a simpler string literal.

  For example, the following code triggers the rule:

  const a = `${"hello"}`; // can be 'hello'
  const b = `${"prefix"}_suffix`; // can be 'prefix_suffix'
  const c = `${"a"}${"b"}`; // can be 'ab'

• #​10037 f785e8c Thanks @​minseong0324! - Fixed #​9810: noMisleadingReturnType no longer reports false positives on a getter with a matching setter in the same namespace.

  class Store {
    get status(): string {
      if (Math.random() > 0.5) return "loading";
      return "idle";
    }
    set status(v: string) {}
  }

• #​10084 5e2f90c Thanks @​jiwon79! - Fixed #​10034: noUselessEscapeInRegex no longer flags escapes of ClassSetReservedPunctuator characters (&, !, #, %, ,, :, ;, <, =, >, @, `, ~) inside v-flag character classes as useless. These characters are reserved as individual code points in v-mode, so the escape is required.

  The following pattern is now considered valid:

  /[a-z\&]/v;

• #​10063 c9ffa16 Thanks @​Netail! - Added extra rule sources from ESLint CSS. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #​10035 946b50e Thanks @​Netail! - Fixed #​10032: useIframeSandbox now flags if there's no initializer value.

• #​9865 68fb8d4 Thanks @​dyc3! - Added the new nursery rule useDomNodeTextContent, which prefers textContent over innerText for DOM node text access and destructuring.

  For example, the following snippet triggers the rule:

  const foo = node.innerText;

• #​10023 bd1e74f Thanks @​ematipico! - Added a new nursery rule noReactNativeDeepImports that disallows deep imports from the react-native package. Internal paths like react-native/Libraries/... are not part of the public API and may change between versions.

  For example, the following code triggers the rule:

  import View from "react-native/Libraries/Components/View/View";

• #​9885 3dce737 Thanks @​dyc3! - Added a new nursery rule useDomQuerySelector that prefers querySelector() and querySelectorAll() over older DOM query methods such as getElementById() and getElementsByClassName().

• #​9995 4da9caf Thanks @​siketyan! - Fixed #​9994: Biome now parses nested CSS rules correctly when declarations follow them inside embedded snippets.

• #​10009 b41cc5a Thanks @​Jayllyz! - Fixed #​10004: noComponentHookFactories no longer reports false positives for object methods and class methods.

• #​9988 eabf54a Thanks @​Netail! - Tweaked the diagnostics range for useAltText, useButtonType, useHtmlLang, useIframeTitle, useValidAriaRole & useIfameSandbox to report on the opening tag instead of the full tag.

• #​10043 fc65902 Thanks @​mujpao! - Fixed #​10003: Biome no longer panics when parsing Svelte files containing {#}.

• #​9815 5cc83b1 Thanks @​dyc3! - Added the new nursery rule noLoopFunc. When enabled, it warns when a function declared inside a loop captures outer variables that can change across iterations.

• #​9702 ef470ba Thanks @​ryan-m-walker! - Added the nursery rule useRegexpTest that enforces RegExp.prototype.test() over String.prototype.match() and RegExp.prototype.exec() in boolean contexts. test() returns a boolean directly, avoiding unnecessary computation of match results.

  Invalid

  if ("hello world".match(/hello/)) {
  }

  Valid

  if (/hello/.test("hello world")) {
  }

• #​9743 245307d Thanks @​leetdavid! - Fixed #​2245: Svelte <script> tag language detection when the generics attribute contains > characters (e.g., <script lang="ts" generics="T extends Record<string, unknown>">). Biome now correctly recognizes TypeScript in such script blocks.

• #​10046 0707de7 Thanks @​Conaclos! - Fixed #​10038: organizeImports now sorts imports in TypeScript modules and declaration files.

    declare module "mymodule" {
  -  	import type { B } from "b";
    	import type { A } from "a";
  +  	import type { B } from "b";
    }

• #​10012 94ccca9 Thanks @​ematipico! - Added the nursery rule noReactNativeLiteralColors, which disallows color literals inside React Native styles.

  The rule belongs to the reactNative domain. It reports properties whose name contains color and whose value is a string literal when they appear inside a StyleSheet.create(...) call or inside a JSX attribute whose name contains style.

  // Invalid
  const Hello = () => <Text style={{ backgroundColor: "#FFFFFF" }}>hi</Text>;
  
  const styles = StyleSheet.create({
    text: { color: "red" },
  });

  // Valid
  const red = "#f00";
  const styles = StyleSheet.create({
    text: { color: red },
  });

• #​10005 131019e Thanks @​ematipico! - Added the nursery rule noReactNativeRawText, which disallows raw text outside of <Text> components in React Native.

  The rule belongs to the new reactNative domain.

  // Invalid
  <View>some text</View>
  <View>{'some text'}</View>

  // Valid
  <View>
    <Text>some text</Text>
  </View>

  Additional components can be allowlisted through the skip option:

  {
    "options": {
      "skip": ["Title"]
    }
  }

• #​9911 1603f78 Thanks @​Netail! - Added the nursery rule noJsxLeakedDollar, which flags text nodes with a trailing $ if the next sibling node is a JSX expression. This could be an unintentional mistake, resulting in a '$' being rendered as text in the output.

  Invalid:

  function MyComponent({ user }) {
    return <div>Hello ${user.name}</div>;
  }

• #​9999 f42405f Thanks @​minseong0324! - Fixed noMisleadingReturnType incorrectly flagging functions with reassigned let variables.

• #​10075 295f97f Thanks @​ematipico! - Fixed #9983: Biome now parses functions declared inside Svelte #snippet blocks without throwing errors.

• #​10006 cf4c1c9 Thanks @​minseong0324! - Fixed #​9810: noMisleadingReturnType incorrectly flagging nested object literals with widened properties.

• #​10033 11ddc05 Thanks @​ematipico! - Added the nursery rule useReactNativePlatformComponents that ensures platform-specific React Native components (e.g. ProgressBarAndroid, ActivityIndicatorIOS) are only imported in files with a matching platform suffix. It also reports when Android and iOS components are mixed in the same file.

  The following code triggers the rule when the file does not have an .android.js suffix:

  // file.js
  import { ProgressBarAndroid } from "react-native";

v2.4.12

Compare Source

Patch Changes

• #​9376 9701a33 Thanks @​dyc3! - Added the nursery/noIdenticalTestTitle lint rule. This rule disallows using the same title for two describe blocks or two test cases at the same nesting level.

  describe("foo", () => {});
  describe("foo", () => {
    // invalid: same title as previous describe block
    test("baz", () => {});
    test("baz", () => {}); // invalid: same title as previous test case
  });

• #​9889 7ae83f2 Thanks @​dyc3! - Improved the diagnostics for useForOf to better explain the problem, why it matters, and how to fix it.

• #​9916 27dd7b1 Thanks @​Jayllyz! - Added a new nursery rule noComponentHookFactories, that disallows defining React components or custom hooks inside other functions.

  For example, the following snippets trigger the rule:

  function createComponent(label) {
    function MyComponent() {
      return <div>{label}</div>;
    }
    return MyComponent;
  }

  function Parent() {
    function Child() {
      return <div />;
    }
    return <Child />;
  }

• #​9980 098f1ff Thanks @​ematipico! - Fixed #​9941: Biome now emits a warning diagnostic when a file exceed the files.maxSize limit.

• #​9942 9956f1d Thanks @​dyc3! - Fixed #​9918: useConsistentTestIt no longer panics when applying fixes to chained calls such as test.for([])("x", () => {});.

• #​9891 4d9ac51 Thanks @​dyc3! - Improved the noGlobalObjectCalls diagnostic to better explain why calling global objects like Math or JSON is invalid and how to fix it.

• #​9902 3f4d103 Thanks @​ematipico! - Fixed #​9901: the command lint --write is now idempotent when it's run against HTML-ish files that contains scripts and styles.

• #​9891 4d9ac51 Thanks @​dyc3! - Improved the noMultiStr diagnostic to explain why escaped multiline strings are discouraged and what to use instead.

• #​9966 322675e Thanks @​siketyan! - Fixed #​9113: Biome now parses and formats @media and other conditional blocks correctly inside embedded CSS snippets.

• #​9835 f8d49d9 Thanks @​bmish! - The noFloatingPromises rule now detects floating promises through cross-module generic wrapper functions. Previously, patterns like export const fn = trace(asyncFn) — where trace preserves the function signature via a generic <F>(fn: F): F — were invisible to the rule when the wrapper was defined in a different file.

• #​9981 02bd8dd Thanks @​siketyan! - Fixed #​9975: Biome now parses nested CSS selectors correctly inside embedded snippets without requiring an explicit &.

• #​9949 e0ba71d Thanks @​Netail! - Added the nursery rule useIframeSandbox, which enforces the sandbox attribute for iframe tags.

  Invalid:

  <iframe></iframe>

• #​9913 d417803 Thanks @​Netail! - Added the nursery rule noJsxNamespace, which disallows JSX namespace syntax.

  Invalid:

  <ns:testcomponent />

• #​9892 e75d70e Thanks @​dyc3! - Improved the noSelfCompare diagnostic to better explain why comparing a value to itself is suspicious and what to use for NaN checks.

• #​9861 2cff700 Thanks @​dyc3! - Added the new nursery rule useVarsOnTop, which requires var declarations to appear at the top of their containing scope.

  For example, the following code now triggers the rule:

  function f() {
    doSomething();
    var value = 1;
  }

• #​9892 e75d70e Thanks @​dyc3! - Improved the noThenProperty diagnostic to better explain why exposing then can create thenable behavior and how to avoid it.

• #​9892 e75d70e Thanks @​dyc3! - Improved the noShorthandPropertyOverrides diagnostic to explain why later shorthand declarations can unintentionally overwrite earlier longhand properties.

• #​9978 4847715 Thanks @​mdevils! - Fixed #​9744: useExhaustiveDependencies no longer reports false positives for variables obtained via object destructuring with computed keys, e.g. const { [KEY]: key1 } = props.

• #​9892 e75d70e Thanks @​dyc3! - Improved the noRootType diagnostic to better explain that the reported root type is disallowed by project configuration and how to proceed.

• #​9927 7974ab7 Thanks @​dyc3! - Added eslint-plugin-unicorn's no-nested-ternary as a rule source for noNestedTernary

• #​9873 19ff706 Thanks @​minseong0324! - noMisleadingReturnType now checks class methods, object methods, and getters in addition to functions.

• #​9888 362b638 Thanks @​dyc3! - Updated metadata for biome migrate eslint to better reflect which ESLint rules are redundant versus unsupported versus unimplemented.

• #​9892 e75d70e Thanks @​dyc3! - Improved the noAutofocus diagnostic to better explain why autofocus harms accessibility outside allowed modal contexts.

• #​9982 d6bdf4a Thanks @​dyc3! - Improved performance of noMagicNumbers.
  Biome now maps ESLint no-magic-numbers sources more accurately during biome migrate eslint.

• #​9889 7ae83f2 Thanks @​dyc3! - Improved the diagnostics for noConstantCondition to better explain the problem, why it matters, and how to fix it.

• #​9866 40bd180 Thanks @​dyc3! - Added a new nursery rule noExcessiveSelectorClasses, which limits how many class selectors can appear in a single CSS selector.

• #​9796 f1c1363 Thanks @​dyc3! - Added a new nursery rule useStringStartsEndsWith, which prefers startsWith() and endsWith() over verbose string prefix and suffix checks.

  The rule uses type information, so it only reports on strings and skips array lookups such as items[0] === "a".

• #​9942 9956f1d Thanks @​dyc3! - Fixed the safe fix for noSkippedTests so it no longer panics when rewriting skipped test function names such as xit(), xtest(), and xdescribe().

• #​9874 9e570d1 Thanks @​minseong0324! - Type-aware lint rules now resolve members through Pick<T, K> and Omit<T, K> utility types.

• #​9909 0d0e611 Thanks @​Netail! - Added the nursery rule useReactAsyncServerFunction, which requires React server actions to be async.

  Invalid:

  function serverFunction() {
    "use server";
    // ...
  }

• #​9925 29accb3 Thanks @​ematipico! - Fixed #​9910: added support for parsing member expressions in Svelte directive properties. Biome now correctly parses directives like in:renderer.in|global, use:obj.action, and deeply nested forms like in:a.b.c|global.

• #​9904 e7775a5 Thanks @​ematipico! - Fixed #​9626: noUnresolvedImports no longer reports false positives for named imports from packages that have a corresponding @types/* package installed. For example, import { useState } from "react" with @types/react installed is now correctly recognised.

• #​9942 9956f1d Thanks @​dyc3! - Fixed the safe fix for noFocusedTests so it no longer panics when rewriting focused test function names such as fit() and fdescribe().

• #​9577 c499f46 Thanks @​tt-a1i! - Added the nursery rule useReduceTypeParameter. It flags type assertions on the initial value passed to Array#reduce and Array#reduceRight and recommends using a type parameter instead.

  // before: type assertion on initial value
  arr.reduce((sum, num) => sum + num, [] as number[]);
  
  // after: type parameter on the call
  arr.reduce<number[]>((sum, num) => sum + num, []);

• #​9895 1c8e1ef Thanks @​Netail! - Added extra rule sources from react-xyz. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #​9891 4d9ac51 Thanks @​dyc3! - Improved the noInvalidUseBeforeDeclaration diagnostic to better explain why using a declaration too early is problematic and how to fix it.

• #​9889 7ae83f2 Thanks @​dyc3! - Improved the diagnostics for noRedeclare to better explain the problem, why it matters, and how to fix it.

• #​9875 a951586 Thanks @​minseong0324! - Type-aware lint rules now resolve members through Partial<T>, Required<T>, and Readonly<T> utility types, preserving optional, readonly, and nullable member flags.

tailwindlabs/tailwindcss (@​tailwindcss/postcss)

v4.2.4

Compare Source

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#​19947)

v4.2.3

Compare Source

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#​19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#​19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#​19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#​19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#​19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#​19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#​19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#​19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#​19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#​19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#​19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#​19846)
• Upgrade: never migrate files that are ignored by git (#​19846)
• Add .env and .env.* to default ignored content files (#​19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#​19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#​19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#​19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#​19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#​19858)
• Improve performance when scanning JSONL / NDJSON files (#​19862)
• Support NODE_PATH environment variable in standalone CLI (#​19617)

add2cal/add-to-calendar-button-react (add-to-calendar-button-react)

v2.14.0

Compare Source

Dropping atcb_decorate_data_recurrence export; various bug fixes

v2.13.9

Compare Source

minor msteams description fix

postcss/autoprefixer (autoprefixer)

v10.5.0

Compare Source

• Added mask-position-x and mask-position-y support (by @​toporek).

axios/axios (axios)

v1.15.2

Compare Source

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#​10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#​10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#​10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#​10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #​10780). (#​10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#​10781)

Full Changelog

v1.15.1

Compare Source

lucide-icons/lucide (lucide-react)

v1.14.0: Version 1.14.0

Compare Source

What's Changed

• feat(icons): added repeat-off icon by @​jguddas in #​3102

Full Changelog: lucide-icons/lucide@1.13.0...1.14.0

v1.13.0: Version 1.13.0

Compare Source

What's Changed

• fix(docs): sync URL params with UI state on categories page by @​taimar in #​4111
• feat(icons): add waves-vertical icon by @​jamiemlaw in #​3867

Full Changelog: lucide-icons/lucide@1.12.0...1.13.0

v1.12.0: Version 1.12.0

Compare Source

What's Changed

• feat(icon): add folder-bookmark icon by @​swastik7805 in #​4262
• docs(readme): Update readme files by @​ericfennis in #​4320
• feat(icons): added astroid icon by @​whoisBugsbunny in #​4217

Full Changelog: lucide-icons/lucide@1.10.0...1.12.0

v1.11.0: Version 1.11.0

Compare Source

What's Changed

• docs: add missing period to TypeScript Support description by @​jglu in #​4309
• fix(@​lucide/svelte): proper doc comments for svelte components by @​blt-r in #​4267
• chore(deps): bump svgo from 3.3.2 to 3.3.3 by @​dependabot[bot] in #​4119
• chore(deps-dev): bump astro from 6.0.8 to 6.1.6 by @​dependabot[bot] in #​4310
• feat(icons): add power and quick tags to zap and zap-off by @​swastik7805 in #​4268
• test(build-font): added comprehensive unit tests on build-font tool by @​karsa-mistmere in #​4315
• feat(docs): blur background of framework-select by @​Spleefies in #​4238
• feat(icon): add heart-x icon by @​swastik7805 in #​4264
• fix(icons): optimised rotate-3d icon by @​jamiemlaw in #​4299
• feat(icons): added layers-minus icon by @​Spleefies in #​4005
• feat(icons): added bell-check icon by @​pettelau in #​4152

New Contributors

• @​jglu made their first contribution in #​4309
• @​pettelau made their first contribution in #​4152

Full Changelog: lucide-icons/lucide@1.9.0...1.11.0

v1.10.0: Version 1.10.0

Compare Source

What's Changed

• docs: add missing period to TypeScript Support description by @​jglu in #​4309
• fix(@​lucide/svelte): proper doc comments for svelte components by @​blt-r in #​4267
• chore(deps): bump svgo from 3.3.2 to 3.3.3 by @​dependabot[bot] in #​4119
• chore(deps-dev): bump astro from 6.0.8 to 6.1.6 by @​dependabot[bot] in #​4310
• feat(icons): add power and quick tags to zap and zap-off by @​swastik7805 in #​4268
• test(build-font): added comprehensive unit tests on build-font tool by @​karsa-mistmere in #​4315
• feat(docs): blur background of framework-select by @​Spleefies in #​4238
• feat(icon): add heart-x icon by @​swastik7805 in #​4264
• fix(icons): optimised rotate-3d icon by @​jamiemlaw in #​4299
• feat(icons): added layers-minus icon by @​Spleefies in #​4005
• feat(icons): added bell-check icon by @​pettelau in #​4152

New Contributors

• @​jglu made their first contribution in #​4309
• @​pettelau made their first contribution in #​4152

Full Changelog: lucide-icons/lucide@1.9.0...1.10.0

v1.9.0: Version 1.9.0

Compare Source

What's Changed

• fix(packages/angular): allow string inputs for size by @​swastik7805 in #​4253
• fix(gh-icon): update colors for ColoredPath component by @​jguddas in #​4233
• feat(packages): use .mjs for ESM bundles by @​karsa-mistmere in #​4285
• fix(build-font): add collision detection to font codepoints by @​karsa-mistmere in #​4300
• feat(icons): added timeline icon by @​jguddas in #​4270

New Contributors

• @​swastik7805 made their first contribution in #​4253

Full Changelog: lucide-icons/lucide@1.8.0...1.9.0

pnpm/pnpm (pnpm)

v10.33.2

Compare Source

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes

• When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.

Platinum Sponsors

Gold Sponsors

config help if that's undesired. If you want to rebase/retry this PR, check this box This PR was generated by Mend Renovate. View the repository job log.