fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@biomejs/biome (source)	2.2.2 -> 2.2.3			devDependencies	patch
@biomejs/biome (source)	2.2.2 -> 2.2.3				patch
@types/node (source)	^24.3.0 -> ^24.3.1			devDependencies	patch
knip (source)	^5.63.0 -> ^5.63.1			devDependencies	patch
node (source)	>=20.19.4 -> >=20.19.5			engines	patch
npm (source)	11.5.2 -> 11.6.0			packageManager	minor
zod (source)	^4.1.4 -> ^4.1.5			dependencies	patch

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.2.3

Compare Source

Patch Changes

• #​7353 4d2b719 Thanks @​JeetuSuthar! - Fixed #​7340: The linter now allows the navigation property for view-transition in CSS.

  Previously, the linter incorrectly flagged navigation: auto as an unknown property. This fix adds navigation to the list of known CSS properties, following the CSS View Transitions spec.

• #​7275 560de1b Thanks @​arendjr! - Fixed #​7268: Files that are explicitly passed as CLI arguments are now correctly ignored if they reside in an ignored folder.

• #​7358 963a246 Thanks @​ematipico! - Fixed #​7085, now the rule noDescendingSpecificity correctly calculates the specificity of selectors when they are included inside a media query.

• #​7387 923674d Thanks @​qraqras! - Fixed #​7381, now the useOptionalChain rule recognizes optional chaining using Yoda expressions (e.g., undefined !== foo && foo.bar).

• #​7316 f9636d5 Thanks @​Conaclos! - Fixed #​7289. The rule useImportType now inlines import type into import { type } when the style option is set to inlineType.

  Example:

  import type { T } from "mod";
  // becomes
  import { type T } from "mod";

• #​7350 bb4d407 Thanks @​siketyan! - Fixed #​7261: two characters ・ (KATAKANA MIDDLE DOT, U+30FB) and ･ (HALFWIDTH KATAKANA MIDDLE DOT, U+FF65) are no longer considered as valid characters in identifiers. Property keys containing these character(s) are now preserved as string literals.

• #​7377 811f47b Thanks @​ematipico! - Fixed a bug where the Biome Language Server didn't correctly compute the diagnostics of a monorepo setting, caused by an incorrect handling of the project status.

• #​7245 fad34b9 Thanks @​kedevked! - Added the new lint rule useConsistentArrowReturn.

  This rule enforces a consistent return style for arrow functions.

Invalid

const f = () => {
  return 1;
};

This rule is a port of ESLint's arrow-body-style rule.

• #​7370 e8032dd Thanks @​fireairforce! - Support dynamic import defer and import source. The syntax looks like:

  import.source("foo");
  import.source("x", { with: { attr: "val" } });
  import.defer("foo");
  import.defer("x", { with: { attr: "val" } });

• #​7369 b1f8cbd Thanks @​siketyan! - Range suppressions are now supported for Grit plugins.

  For JavaScript, you can suppress a plugin as follows:

  // biome-ignore-start lint/plugin/preferObjectSpread: reason
  Object.assign({ foo: "bar" }, baz);
  // biome-ignore-end lint/plugin/preferObjectSpread: reason

  For CSS, you can suppress a plugin as follows:

  body {
    /* biome-ignore-start lint/plugin/useLowercaseColors: reason */
    color: #fff;
    /* biome-ignore-end lint/plugin/useLowercaseColors: reason */
  }

• #​7384 099507e Thanks @​ematipico! - Reduced the severity of certain diagnostics emitted when Biome deserializes the configuration files.
  Now these diagnostics are emitted as Information severity, which means that they won't interfere when running commands with --error-on-warnings

• #​7302 2af2380 Thanks @​unvalley! - Fixed #​7301: useReadonlyClassProperties now correctly skips JavaScript files.

• #​7288 94d85f8 Thanks @​ThiefMaster! - Fixed #​7286. Files are now formatted with JSX behavior when javascript.parser.jsxEverywhere is explicitly set.

  Previously, this flag was only used for parsing, but not for formatting, which resulted in incorrect formatting of conditional expressions when JSX syntax is used in .js files.

• #​7311 62154b9 Thanks @​qraqras! - Added the new nursery rule noUselessCatchBinding. This rule disallows unnecessary catch bindings.

  try {
      // Do something
  - } catch (unused) {}
  + } catch {}

• #​7349 45c1dfe Thanks @​ematipico! - Fixed #​4298. Biome now correctly formats CSS declarations when it contains one single value:

  .bar {
  -  --123456789012345678901234567890: var(--1234567890123456789012345678901234567);
  +  --123456789012345678901234567890: var(
  +    --1234567890123456789012345678901234567
  +  );
  }

• #​7295 7638e84 Thanks @​ematipico! - Fixed #​7130. Removed the emission of a false-positive diagnostic. Biome no longer emits the following diagnostic:

  lib/main.ts:1:5 suppressions/unused ━━━━━━━━━━━━━━━━━━━━━━━━━
  
    ⚠ Suppression comment has no effect because the tool is not enabled.
  
    > 1 │ /** biome-ignore-all assist/source/organizeImports: For the lib root file, we don't want to organize exports */
        │     ^^^^^^^^^^^^^^^^
  
  

• #​7377 811f47b Thanks @​ematipico! - Fixed #​7371 where the Biome Language Server didn't correctly recompute the diagnostics when updating a nested configuration file.

• #​7348 ac27fc5 Thanks @​ematipico! - Fixed #​7079. Now the rule useSemanticElements doesn't trigger components and custom elements.

• #​7389 ab06a7e Thanks @​Conaclos! - Fixed #​7344. useNamingConvention no longer reports interfaces defined in global declarations.

  Interfaces declared in global declarations augment existing interfaces.
  Thus, they must be ignored.

  In the following example, useNamingConvention reported HTMLElement.
  It is now ignored.

  export {};
  declare global {
    interface HTMLElement {
      foo(): void;
    }
  }

• #​7315 4a2bd2f Thanks @​vladimir-ivanov! - Fixed #​7310: useReadonlyClassProperties correctly handles nested assignments, avoiding false positives when a class property is assigned within another assignment expression.

  Example of code that previously triggered a false positive but is now correctly ignored:

  class test {
    private thing: number = 0; // incorrectly flagged
  
    public incrementThing(): void {
      const temp = { x: 0 };
      temp.x = this.thing++;
    }
  }

webpro-nl/knip (knip)

v5.63.1

Compare Source

• Fix rsbuild Plugin (#​1227) (e91eea3) - thanks @​joealden!
• Binaries don't contain colons (closes #​1234) (1d060ac)
• Refactor options all over the place (982d327)
• feat: detect nuxt modules as dependencies (#​1241) (f2072e6) - thanks @​danielamaia!
• Add missing pnpm commands (#​1236) (a4eb20b) - thanks @​kretajak!
• Hire me (165c9ea)
• feat: pnpm plugin (#​1219) (e81eac3) - thanks @​lishaduck!
• Bump zod a bit (8b338a2)
• Update rsbuild Plugin to Check Environments (#​1246) (c7366b5) - thanks @​joealden!

nodejs/node (node)

v20.19.5: 2025-09-03, Version 20.19.5 'Iron' (LTS), @​marco-ippolito

Compare Source

Notable Changes

• [f5b293ad48] - doc: add JonasBa to collaborators (Jonas Badalic) #​58355
• [4e6ae787c6] - doc: add puskin to collaborators (Giovanni Bucci) #​58308
• [d06db658fc] - doc: add Filip Skokan to TSC (Rafael Gonzaga) #​58499
• [3c6206cac9] - doc: add @​geeksilva97 to collaborators (Edy Silva) #​57241

Commits

• [ea20403467] - build: fix uvwasi pkgname (Antoine du Hamel) #​58270
• [c647aa4b30] - build: fix pointer compression builds (Joyee Cheung) #​58171
• [d2c5e609ae] - build: disable v8_enable_pointer_compression_shared_cage on non-64bit (Shelley Vohr) #​58867
• [84d5c4d244] - build: search for libnode.so in multiple places (Jan Staněk) #​58213
• [068c439552] - crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 (Filip Skokan) #​58942
• [edff105c34] - debugger: fix behavior of plain object exec in debugger repl (Dario Piotrowicz) #​57498
• [0473e35b7f] - deps: update zlib to 1.3.1-470d3a2 (Node.js GitHub Bot) #​58628
• [1218dbbea5] - deps: update zlib to 1.3.0.1-motley-780819f (Node.js GitHub Bot) #​57768
• [0e3cd9ec00] - deps: update zlib to 1.3.0.1-motley-788cb3c (Node.js GitHub Bot) #​56655
• [a194dd9bd4] - deps: update archs files for openssl-3.0.16 (Node.js GitHub Bot) #​57335
• [cc9b79ca70] - deps: upgrade openssl sources to quictls/openssl-3.0.16 (Node.js GitHub Bot) #​57335
• [82c46d5358] - deps: update cjs-module-lexer to 2.1.0 (Node.js GitHub Bot) #​57180
• [43e3f9b26b] - deps: update cjs-module-lexer to 2.0.0 (Michael Dawson) #​56855
• [91282ff16b] - deps: update corepack to 0.33.0 (Node.js GitHub Bot) #​58566
• [b76bca6f38] - deps: update acorn to 8.15.0 (Node.js GitHub Bot) #​58711
• [ae11481011] - deps: update acorn to 8.14.1 (Node.js GitHub Bot) #​57382
• [142d701201] - deps: update minimatch to 10.0.3 (Node.js GitHub Bot) #​58712
• [fee082d684] - deps: update llhttp to 9.3.0 (Fedor Indutny) #​58144
• [c06f6f3f05] - dns: remove redundant code using common variable (Deokjin Kim) #​57386
• [cded8e7e77] - dns: fix parse memory leaky (theanarkh) #​58973
• [182ae67233] - dns: fix dns query cache implementation (Ethan Arrowood) #​58404
• [621b66a297] - doc: add review guidelines for collaborator nominations (Antoine du Hamel) #​57449
• [b1009b5b72] - doc: explicit mention arbitrary code execution as a vuln (Rafael Gonzaga) #​57426
• [f5b293ad48] - doc: add JonasBa to collaborators (Jonas Badalic) #​58355
• [4e6ae787c6] - doc: add puskin to collaborators (Giovanni Bucci) #​58308
• [530473f479] - doc: add ovflowd back to core collaborators (Claudio W.) #​58911
• [38e8bbc131] - doc: add info on how project manages social media (Michael Dawson) #​57318
• [d06bb4dcc2] - doc: ping nodejs/tsc for each security pull request (Rafael Gonzaga) #​57309
• [d06db658fc] - doc: add Filip Skokan to TSC (Rafael Gonzaga) #​58499
• [8c3bc156ed] - doc: clarify path.isAbsolute is not path traversal mitigation (Eric Fortis) #​57073
• [e688410bda] - doc: fix rendering of DEP0174 description (David Sanders) #​56835
• [e6a0c6a0fa] - doc: add missing assert return types (Colin Ihrig) #​57219
• [026b3cab6a] - doc: add 1ilsang to triage team (1ilsang) #​57183
• [3c6206cac9] - doc: add @​geeksilva97 to collaborators (Edy Silva) #​57241
• [ef3a4675c7] - doc: fix web.libera.chat link in pull-requests.md (Samuel Bronson) #​57076
• [1db42b76f7] - doc: remove buffered flag from performance hooks examples (Pavel Romanov) #​52607
• [b73a1356ce] - doc: add module namespace object links (Dario Piotrowicz) #​57093
• [09368db20f] - doc: disambiguate pseudo-code statement (Dario Piotrowicz) #​57092
• [2c3dc569a1] - doc: fix wrong articles used to address modules (Dario Piotrowicz) #​57090
• [cd8259cb4e] - doc: modules.md: fix distance definition (Alexander “weej” Jones) #​57046
• [7b0ea9ab2d] - doc: fix wrong verb form (Dario Piotrowicz) #​57091
• [14fcfc242b] - doc: add a note about require('../common') in testing documentation (Aditi) #​56953
• [bc7d18b6ea] - doc: recommend writing tests in new files and including comments (Joyee Cheung) #​57028
• [acd4d7f269] - doc: improve documentation on argument validation (Aditi) #​56954
• [4cd6b3ca73] - doc: buffer: fix typo on Buffer.copyBytesFrom( offset option (tpoisseau) #​57015
• [01220607f2] - doc: update cleanup to trust on vuln db automation (Rafael Gonzaga) #​57004
• [77a0505a32] - doc: update post sec release process (Rafael Gonzaga) #​56907
• [77dbcfce5f] - doc: add section about using npx with permission model (Rafael Gonzaga) #​56539
• [73e51407b7] - doc: remove RedYetiDev from triagers team (Aviv Keller) #​55947
• [9a36cbb792] - doc: fix relative path mention in --allow-fs (Rafael Gonzaga) #​55791
• [04d9c5baeb] - doc: add scroll margin to links (Roman Reiss) #​58982
• [959a67f6ff] - doc: make Stability labels not sticky in Stability index (Livia Medeiros) #​58291
• [8757a5532f] - doc: update release key for aduh95 (Antoine du Hamel) #​58877
• [6fa0626327] - doc,src,test: fix typos (Noritaka Kobayashi) #​58477
• [9991788e4a] - http: coerce content-length to number (Marco Ippolito) #​57458
• [ff5cf8a428] - http2: fix check for frame->hd.type (hanguanqiang) #​57644
• [2f333b6c51] - lib: optimize prepareStackTrace on builtin frames (Chengzhong Wu) #​56299
• [cdf985071f] - lib: suppress source map lookup exceptions (Chengzhong Wu) #​56299
• [faa08b14ed] - lib: fixup incorrect argument order in assertEncoding (James M Snell) #​57177
• [a683cd1232] - meta: add IlyasShabi to collaborators (Ilyas Shabi) #​58916
• [b145bb28aa] - meta: bump codecov/codecov-action from 5.4.2 to 5.4.3 (dependabot[bot]) #​58551
• [2c59789001] - meta: bump ossf/scorecard-action from 2.4.1 to 2.4.2 (dependabot[bot]) #​58550
• [4095337e96] - meta: bump rtCamp/action-slack-notify from 2.3.2 to 2.3.3 (dependabot[bot]) #​58108
• [631fed8e39] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #​58456
• [7d2f7180b6] - meta: bump codecov/codecov-action from 5.4.0 to 5.4.2 (dependabot[bot]) #​58110
• [1558551ea5] - meta: bump actions/download-artifact from 4.2.1 to 4.3.0 (dependabot[bot]) #​58106
• [e1f12fe737] - meta: ignore mailmap changes in linux ci (Jonas Badalic) #​58356
• [1b78eb1313] - meta: bump actions/setup-node from 4.3.0 to 4.4.0 (dependabot[bot]) #​58111
• [2b8449c39a] - meta: bump actions/setup-python from 5.5.0 to 5.6.0 (dependabot[bot]) #​58107
• [833b70bbc5] - meta: allow penetration testing on live system with prior authorization (Matteo Collina) #​57966
• [c6a88561f5] - meta: bump actions/setup-python from 5.4.0 to 5.5.0 (dependabot[bot]) #​57718
• [9046ef4fb3] - meta: bump peter-evans/create-pull-request from 7.0.7 to 7.0.8 (dependabot[bot]) #​57717
• [46388a4e2a] - meta: bump actions/cache from 4.2.2 to 4.2.3 (dependabot[bot]) #​57715
• [d3970685bd] - meta: bump actions/setup-node from 4.2.0 to 4.3.0 (dependabot[bot]) #​57714
• [47004ef37f] - meta: bump actions/upload-artifact from 4.6.1 to 4.6.2 (dependabot[bot]) #​57713
• [4abe83ec03] - meta: add some clarification to the nomination process (James M Snell) #​57503
• [45e9b88363] - meta: remove collaborator self-nomination (Rich Trott) #​57537
• [d10949b7d8] - meta: edit collaborator nomination process (Antoine du Hamel) #​57483
• [704562fb7a] - meta: move ovflowd to emeritus (Claudio W.) #​57443
• [3f981b8537] - meta: bump codecov/codecov-action from 5.3.1 to 5.4.0 (dependabot[bot]) #​57257
• [7e1ff7b332] - meta: bump ossf/scorecard-action from 2.4.0 to 2.4.1 (dependabot[bot]) #​57253
• [8d4ec412b9] - meta: move RaisinTen back to collaborators, triagers and SEA champion (Darshan Sen) #​57292
• [cc2abb5d17] - meta: bump peter-evans/create-pull-request from 7.0.6 to 7.0.7 (dependabot[bot]) #​57259
• [4fad2b8758] - meta: bump actions/cache from 4.2.0 to 4.2.2 (dependabot[bot]) #​57256
• [5f5bb8b986] - meta: bump actions/upload-artifact from 4.6.0 to 4.6.1 (dependabot[bot]) #​57255
• [e949359a56] - meta: bump actions/setup-python from 5.3.0 to 5.4.0 (dependabot[bot]) #​56867
• [d3c5ad7510] - meta: bump peter-evans/create-pull-request from 7.0.5 to 7.0.6 (dependabot[bot]) #​56866
• [56decfe2d1] - meta: bump codecov/codecov-action from 5.0.7 to 5.3.1 (dependabot[bot]) #​56864
• [52e518444d] - meta: bump actions/cache from 4.1.2 to 4.2.0 (dependabot[bot]) #​56862
• [9cac93d9c3] - meta: bump actions/stale from 9.0.0 to 9.1.0 (dependabot[bot]) #​56860
• [ecf4252f7c] - meta: update last name for jkrems (Jan Martin) #​57006
• [e8beaaaedf] - meta: bump actions/upload-artifact from 4.4.3 to 4.6.0 (dependabot[bot]) #​56861
• [5462c257f8] - meta: bump actions/setup-node from 4.1.0 to 4.2.0 (dependabot[bot]) #​56868
• [89c37891a0] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #​56889
• [2a0175c291] - meta: add @​nodejs/url as codeowner (Chengzhong Wu) #​56783
• [c12aae1e78] - meta: bump github/codeql-action from 3.28.18 to 3.29.2 (dependabot[bot]) #​58922
• [4ef09990f1] - meta: bump github/codeql-action from 3.28.16 to 3.28.18 (dependabot[bot]) #​58552
• [889654eb2c] - meta: bump github/codeql-action from 3.28.11 to 3.28.16 (dependabot[bot]) #​58112
• [091e5c1bb9] - meta: bump github/codeql-action from 3.28.10 to 3.28.13 (dependabot[bot]) #​57716
• [01415153de] - meta: bump github/codeql-action from 3.28.8 to 3.28.10 (dependabot[bot]) #​57254
• [72ea8aac34] - meta: bump github/codeql-action from 3.27.5 to 3.28.8 (dependabot[bot]) #​56859
• [99a271e588] - meta: bump step-security/harden-runner from 2.12.0 to 2.12.2 (dependabot[bot]) #​58923
• [b4c4c02490] - meta: bump step-security/harden-runner from 2.11.0 to 2.12.0 (dependabot[bot]) #​58109
• [5361bb9157] - meta: bump step-security/harden-runner from 2.10.4 to 2.11.0 (dependabot[bot]) #​57258
• [28e33acf30] - meta: bump step-security/harden-runner from 2.10.2 to 2.10.4 (dependabot[bot]) #​56863
• [fad773cede] - module: throw error when re-runing errored module jobs (Joyee Cheung) #​58957
• [2531185423] - module: allow cycles in require() in the CJS handling in ESM loader (Joyee Cheung) #​58598
• [ed43b69689] - module: clarify cjs global-like error on ModuleJobSync (Carlos Espa) #​56491
• [6e02db1b12] - module: handle instantiated async module jobs in require(esm) (Joyee Cheung) #​58067
• [badba50d30] - module: fix incorrect formatting in require(esm) cycle error message (haykam821) #​57453
• [939ecf8906] - module: handle cached linked async jobs in require(esm) (Joyee Cheung) #​57187
• [ba7f8a0353] - module: improve error message from asynchronicity in require(esm) (Joyee Cheung) #​57126
• [c1e7fa2586] - module: handle .mjs in .js handler in CommonJS (Joyee Cheung) #​55590
• [41f3dfd21b] - module: fix require.resolve() crash on non-string paths (Aditi) #​56942
• [043dcdd628] - os: fix GetInterfaceAddresses memory lieaky (theanarkh) #​58940
• [9b74e9bfd9] - permission: ignore internalModuleStat on module loading (Rafael Gonzaga) #​55797
• [611a147b45] - readline: fix unresolved promise on abortion (Daniel Venable) #​54030
• [f891ae3421] - repl: avoid deprecated require.extensions in tab completion (baki gul) #​58653
• [7ba44290bf] - repl: fix tab completion not working with computer string properties (Dario Piotrowicz) #​58709
• [eb842048b2] - src: do not format single string argument for THROW_ERR_* (Joyee Cheung) #​57126
• [4f004937ec] - src: fixup errorhandling more in various places (James M Snell) #​57852
• [5daa7fe2e2] - src: fix module buffer allocation (X-BW) #​57738
• [586b1be11b] - src: fix build when using shared simdutf (Antoine du Hamel) #​58407
• [563e61f012] - src: fix possible dereference of null pointer (Eusgor) #​58459
• [cbec07ea0b] - src: fix FIPS init error handling (Tobias Nießen) #​58379
• [80fb80e71b] - src: fix -Wunreachable-code in src/node_api.cc (Shelley Vohr) #​58901
• [5e97719860] - test: skip test-http-imports on macos (Marco Ippolito) #​59745
• [69c43bdfcc] - test: fix internet/test-dns (Michaël Zasso) #​59660
• [6fd58e0338] - tools: update coverage GitHub Actions to fixed version (Rich Trott) #​59512
• [eb7bbce73e] - tools: disable failing coverage jobs (Antoine du Hamel) #​58770
• [65b1669936] - util: fix formatting of objects with built-in Symbol.toPrimitive (Shima Ryuhei) #​57832
• [8a29f13bec] - util: fix parseEnv incorrectly splitting multiple ‘=‘ in value (HEESEUNG) #​57421
• [077d5020c4] - v8: fix missing callback in heap utils destroy (Ruben Bridgewater) #​58846
• [34ae9f8b18] - vm: import call should return a promise in the current context (Chengzhong Wu) #​58309
• [0dd3a8d6d1] - win,build: fix MSVS v17.14 compilation issue (StefanStojanovic) #​58902
• [1b83a2bd2d] - zlib: remove mentions of unexposed Z_TREES constant (Jimmy Leung) #​58371
• [9dc9604502] - zlib: fix pointer alignment (jhofstee) #​57727

npm/cli (npm)

v11.6.0

Compare Source

Features

• bdcc10d #​8359 add support for optional env var replacements in .npmrc (#​8359) (@​aczekajski, @​owlstronaut)

Bug Fixes

• dd4cee9 #​8539 powershell: improve argument parsing (#​8539) (@​alexsch01)
• 5f18557 #​8532 powershell: fix issue with modified InvocationName (#​8532) (@​alexsch01)
• 9e5abf1 #​8529 add redaction to log format egress (#​8529) (@​wraithgar)
• 75ce64a #​8524 revert handle signal exits gracefully (#​8524) (@​owlstronaut)
• 5d82d0b #​8469 ps1 scripts in powershell 5.1 (#​8469) (@​splatteredbits)

Dependencies

• workspace: @npmcli/[email protected]
• workspace: @npmcli/[email protected]
• workspace: [email protected]
• workspace: [email protected]
• workspace: [email protected]
• workspace: [email protected]

colinhacks/zod (zod)

v4.1.5

Compare Source

Commits:

• 530415f Update docs
• b7b081d Update z.function() type to support array input (#​5170)
• 780cf57 4.1.5

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.