Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@biomejs/biome (source)	2.4.6 → 2.4.7
hono (source)	4.12.5 → 4.12.8
wrangler (source)	4.71.0 → 4.73.0

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.4.7

Compare Source

Patch Changes

• #​9318 3ac98eb Thanks @​ematipico! - Added new nursery lint rule useBaseline for CSS. The rule reports when CSS properties, property values, at-rules, media conditions, functions, or pseudo-selectors are not part of the configured Baseline tier.

  For example, at the time of writing, the rule will trigger for the use of accent-color because it has limited availability:

  a {
    accent-color: bar;
  }

• #​9272 2de8362 Thanks @​terror! - Added the nursery rule useImportsFirst that enforces all import statements appear before any non-import statements in a module. Inspired by the eslint-plugin-import import/first rule.

  // Invalid
  import { foo } from "foo";
  const bar = 1;
  import { baz } from "baz"; // ← flagged
  
  // Valid
  import { foo } from "foo";
  import { baz } from "baz";
  const bar = 1;

• #​9285 93ea495 Thanks @​dyc3! - Fixed noUndeclaredVariables from erroneously flagging props only used in the template section in Vue SFCs

• #​9435 6c5a8f2 Thanks @​siketyan! - Fixed #​9432: Values referenced as a JSX element in Astro/Vue/Svelte templates are now correctly detected; noUnusedImports and useImportType rules no longer reports these values as false positives.

• #​9362 fc9ca4c Thanks @​Netail! - Extra rule source references. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #​9392 b881fea Thanks @​g-ortuno! - Fixed biomejs/biome-vscode#959: LSP now correctly resolves project directory when configurationPath points to a configuration file outside the workspace.

• #​9420 a1c46af Thanks @​ematipico! - Fixed #​9385: noUselessEscapeInString no longer incorrectly flags valid CSS hex escapes (e.g. \e7bb) as useless. The rule now recognizes all hex digits (0-9, a-f, A-F) as valid escape characters in CSS strings.

• #​9416 f2581b8 Thanks @​ematipico! - Fixed #​9131, #​9112, #​9166: the formatter no longer crashes or produces corrupt output when a JS file with experimentalEmbeddedSnippetsEnabled contains non-embedded template literals alongside embedded ones (e.g. console.log(\test`)next tographql(`...`)`).

• #​9344 cb4d7d7 Thanks @​ematipico! - Fixed #​6921: noShadow no longer incorrectly flags destructured variable bindings in sibling scopes as shadowing. Object destructuring, array destructuring, nested patterns, and rest elements are now properly recognized as declarations.

• #​9360 bc5dd99 Thanks @​ematipico! - Fixed #​7125: The rule noShadow no longer incorrectly flags parameters in TypeScript constructor and method overload signatures.

• #​9371 29cac17 Thanks @​ematipico! - Fixed #​5279: Tabs in diagnostic diff output are now rendered at a consistent width across context and changed lines, fixing visual misalignment when source files use tab indentation.

• #​9043 61e2a02 Thanks @​dyc3! - Fixed #​8897: Biome now parses @utility names containing / when Tailwind directives are enabled.

• #​9354 930c858 Thanks @​denbezrukov! - Improved CSS parser recovery for invalid unicode-range values that mix wildcard ranges with range intervals. For example, Biome now reports clearer diagnostics for invalid syntax like:

  unicode-range: U+11???-2??;
  unicode-range: U+11???-;

  with diagnostics such as:

  × Wildcard ranges cannot be combined with a range interval.
    > unicode-range: U+11???-2??;
                              ^
  
  × Expected a codepoint but instead found ';'.
    > unicode-range: U+11???-;
                               ^
  

• #​9355 78e74a2 Thanks @​SchahinRohani! - Fixed #​9349: Biome now correctly handles Vue dynamic :alt and v-bind:alt bindings in useAltText, preventing false positives in .vue files.

• #​9369 b309dde Thanks @​costajohnt! - Fixed #​9210: useAnchorContent no longer reports an accessibility error for Astro Image components inside links when they provide non-empty alt text.

• #​9345 70c2d4e Thanks @​ematipico! - Fixed #​7214: useOptionalChain now detects optional chain patterns that don't start at the beginning of a logical AND expression. For example, bar && foo && foo.length is now correctly flagged and fixed to bar && foo?.length.

• #​9311 78c4e9b Thanks @​ruidosujeira! - Fixed #​9245: the useSemanticElements rule no longer suggests <output> for role="status" and role="alert". The <output> element is only a relatedConcept of these roles, not a direct semantic equivalent. These roles are now excluded from suggestions, aligning with the intended behavior of the upstream prefer-tag-over-role rule.

• #​9363 b2ffb4a Thanks @​ematipico! - Fixed #​5212: useSemanticElements no longer reports a diagnostic when a semantic element already has its corresponding role attribute (e.g. <nav role="navigation">, <footer role="contentinfo">). These cases are now correctly left to noRedundantRoles.

• #​9364 1bb9edc Thanks @​xvchris! - Fixed #​9357. Improved the information emitted by some diagnostics.

• #​9434 bf12092 Thanks @​siketyan! - Fixed #​9433: noBlankTarget now correctly handles dynamic href attributes, such as <a href={company?.website} target="_blank">.

• #​9351 5046d2b Thanks @​Netail! - Expanded the noNegationElse rule to cover the inequality & strict inequality operator.

• #​9353 2a29e0d Thanks @​Conaclos! - Fixed #​7583:
  organizeImports now
  sorts named specifiers inside bare exports and merges bare exports.

  - export { b, a };
  - export { c };
  + export { a, b, c };

  Also, organizeImports now correctly adds a blank line between an import chunk
  and an export chunk.

    import { A } from "package";
  +
    export { A };

• #​8658 bdcc934 Thanks @​rksvc! - When the domains field is set in the configuration file, domains is now automatically enabled when Biome detects certain dependencies in package.json.

• #​9383 f5c8bf0 Thanks @​ematipico! - Fixed #​6606: The type inference engine now resolves Record<K, V> types, synthesizing them as object types with index signatures. This improves accuracy for type-aware lint rules such as noFloatingPromises, noMisusedPromises, useAwaitThenable, and useArraySortCompare when operating on Record-typed values.

• #​9359 701ddd3 Thanks @​ematipico! - Fixed #​7516: noUnusedImports no longer reports a false positive when a local variable shadows an imported type namespace that is still used in a type annotation.

• #​9473 50e93bd Thanks @​ematipico! - Improved the detection of variables inside Astro files. Now the rule noUnusedVariables and others will trigger fewer false positives.

• #​9459 171b2ee Thanks @​ematipico! - Fixed #​9314. Now Biome doesn't panic when useAriaPropsForRole is configured using an object.

• #​9465 c8918d6 Thanks @​Netail! - Fixed #​9464: Temporal is now correctly detected as a global.

• #​9367 722f0da Thanks @​Netail! - Added the nursery rule noTopLevelLiterals. It requires the root-level value to be an array or object.

  Invalid:

  "just a string"

• #​9333 a294b89 Thanks @​terror! - Fixed #​9310. Now the HTML formatter doesn't mangle elements that are followed by self-closing elements such as <br> or <img>.

• #​9391 4bffb66 Thanks @​ematipico! - Slightly increased the performance of the CLI in projects that have more than ~2K files.

• #​9365 776cb64 Thanks @​Netail! - Added the nursery rule noEmptyObjectKeys, which disallows the use of empty keys in JSON objects.

  Invalid:

  {
    "": "value"
  }

honojs/hono (hono)

v4.12.8

Compare Source

What's Changed

• fix(utils/mime): Normalize input extension to lowercase before MIME check by @​TheEssem in #​4800
• fix(bearer-auth): escape regex metacharacters in bearer auth prefix option by @​otoneko1102 in #​4750

New Contributors

• @​TheEssem made their first contribution in #​4800

Full Changelog: honojs/hono@v4.12.7...v4.12.8

v4.12.7

Compare Source

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

---

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

Compare Source

What's Changed

• fix(accept): replace regex split to mitigate ReDoS by @​EdamAme-x in #​4758
• fix(jsx): align link hoisting and dedupe with React 19 by @​usualoma in #​4792
• chore(builld): tsconfig project references by @​BarryThePenguin in #​4797
• chore: add tsconfig.spec.json by @​yusukebe in #​4798
• feat(jsx-renderer): support function-based options by @​3w36zj6 in #​4780
• fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @​t0waxx in #​4782

New Contributors

• @​t0waxx made their first contribution in #​4782

Full Changelog: honojs/hono@v4.12.5...v4.12.6

cloudflare/workers-sdk (wrangler)

v4.73.0

Compare Source

Minor Changes

• #​12853 ff543e3 Thanks @​gpanders! - Deprecate SSH passthrough flags in wrangler containers ssh

  The --cipher, --log-file, --escape-char, --config-file, --pkcs11, --identity-file, --mac-spec, --option, and --tag flags are now deprecated. These flags expose OpenSSH-specific options that are tied to the current implementation. A future release will replace the underlying SSH transport, at which point these flags will be removed. They still function for now.

• #​12815 e63539d Thanks @​NuroDev! - Support disabling persistence in unstable_startWorker() and unstable_dev()

  You can now disable persistence entirely by setting persist: false in the dev options:

  const worker = await unstable_dev("./src/worker.ts", {
  	persist: false,
  });

  Or when using unstable_startWorker():

  const worker = await unstable_startWorker({
  	entrypoint: "./src/worker.ts",
  	dev: {
  		persist: false,
  	},
  });

  This is useful for testing scenarios where you want to ensure a clean state on each run without any persisted data from previous runs.

Patch Changes

• #​12861 f7de0fd Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260310.1	1.20260312.1

• #​12734 8e89e85 Thanks @​flostellbrink! - Add back support for wrangler d1 exports with multiple tables.

  Example:

  # All tables (default)
  wrangler d1 export db --output all-tables.sql
  
  # Single table (unchanged)
  wrangler d1 export db --output single-table.sql --table foo
  
  # Multiple tables (new)
  wrangler d1 export db --output multiple-tables.sql --table foo --table bar

• #​12807 8d1e130 Thanks @​MaxwellCalkin! - fix: vectorize commands now output valid json

  This fixes:

  • wrangler vectorize create
  • wrangler vectorize info
  • wrangler vectorize insert
  • wrangler vectorize upsert
  • wrangler vectorize list
  • wrangler vectorize list-vectors
  • wrangler vectorize list-metadata-index

  Also, wrangler vectorize create --json now also includes the created_at, modified_on and description fields.

• #​12856 6ee18e1 Thanks @​dario-piotrowicz! - Fix autoconfig for Astro v6 projects to skip wrangler config generation

  Astro 6+ generates its own wrangler configuration on build, so autoconfig now detects the Astro version and skips creating a wrangler.jsonc file for projects using Astro 6 or later. This prevents conflicts between the autoconfig-generated config and Astro's built-in config generation.

• #​12700 4bb61b9 Thanks @​RiscadoA! - Add client-side validation for VPC service host flags

  The --hostname, --ipv4, and --ipv6 flags on wrangler vpc service create and wrangler vpc service update now validate input before sending requests to the API. Previously, invalid values were accepted by the CLI and only rejected by the API with opaque error messages. Now users get clear, actionable error messages for common mistakes like passing a URL instead of a hostname, using an IP address in the --hostname flag, or providing malformed IP addresses.

• Updated dependencies [f7de0fd, ecc7f79, 1dda1c8]:

  • miniflare@​4.20260312.0

v4.72.0

Compare Source

Minor Changes

• #​12746 211d75d Thanks @​NuroDev! - Add support for inheritable bindings in type generation

  When using wrangler types with multiple environments, bindings from inheritable config properties (like assets) are now correctly inherited from the top-level config in all named environments. Previously, if you defined assets.binding at the top level with named environments, the binding would be marked as optional in the generated Env type because the type generation didn't account for inheritance.

  Example:

  {
  	"assets": {
  		"binding": "ASSETS",
  		"directory": "./public"
  	},
  	"env": {
  		"staging": {},
  		"production": {}
  	}
  }

  Before this change, ASSETS would be typed as ASSETS?: Fetcher (optional). Now, ASSETS is correctly typed as ASSETS: Fetcher (required). This fix currently applies to the assets binding, with an extensible mechanism to support additional inheritable bindings in the future.

• #​12826 de65c58 Thanks @​gabivlj! - Enable container egress interception in local dev without the experimental compatibility flag

  Container local development now always prepares the egress interceptor sidecar image needed for interceptOutboundHttp(). This makes container-to-Worker interception available by default in Wrangler, Miniflare, and the Cloudflare Vite plugin.

Patch Changes

• #​12790 5451a7f Thanks @​petebacondarwin! - Bump node-forge to ^1.3.2 to address security vulnerabilities

  node-forge had ASN.1 unbounded recursion, OID integer truncation, and ASN.1 validator desynchronization vulnerabilities. This is a bundled dependency used for local HTTPS certificate handling.

• #​12795 82cc2a8 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260301.1	1.20260306.1

• #​12811 3c67c2a Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260306.1	1.20260307.1

• #​12827 d645594 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260307.1	1.20260310.1

• #​12808 6ed249b Thanks @​MaxwellCalkin! - Fix wrangler d1 execute --json returning "null" (string) instead of null (JSON null) for SQL NULL values

  When using wrangler d1 execute --json with local execution, SQL NULL values were incorrectly serialized as the string "null" instead of JSON null. This produced invalid JSON output that violated RFC 4627. The fix removes the explicit null-to-string conversion so NULL values are preserved as proper JSON null in the output.

• #​12824 9f93b54 Thanks @​jamesopstad! - Strip query strings from module names before writing to disk

  When bundling modules with query string suffixes (e.g. .wasm?module), the ? character was included in the output filename. Since ? is not a valid filename character on Windows, this caused an ENOENT error during wrangler dev. This was particularly visible when using Prisma Client with the D1 adapter, which imports .wasm?module files.

  The fix strips query strings from module names before writing them to disk, while preserving correct module resolution.

• #​12771 b8c33f5 Thanks @​penalosa! - Make remote dev exchange_url optional

  The edge-preview API's exchange_url is now treated as optional. When unavailable or when the exchange fails, the initial token from the API response is used directly. The prewarm step and inspector_websocket have been removed from the remote dev flow in favour of tail_url for live logs.

• Updated dependencies [5451a7f, 82cc2a8, 3c67c2a, d645594, de65c58, cb14820, a7c87d1, e4d9510]:

  • miniflare@​4.20260310.0

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.