
chore(deps): update non-major dependencies #63

Draft
renovate[bot] wants to merge 1 commit into main from renovate/non-major
@renovate renovate bot commented Oct 27, 2025

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Change | Type | Update |
|---|---|---|---|
| @biomejs/biome (source) | 2.2.7 → 2.3.14 | devDependencies | minor |
| @jupyterlab/nbformat | 4.5.2 → 4.5.3 | dependencies | patch |
| @jupyterlab/services | 7.5.2 → 7.5.3 | dependencies | patch |
| @shikijs/cli (source) | 3.21.0 → 3.22.0 | dependencies | minor |
| @types/node (source) | 22.18.12 → 22.19.10 | devDependencies | minor |
| @vitest/coverage-v8 (source) | 4.0.5 → 4.0.18 | devDependencies | patch |
| cleye | 2.0.0 → 2.2.1 | dependencies | minor |
| commander | 14.0.2 → 14.0.3 | dependencies | patch |
| cspell (source) | 9.2.2 → 9.6.4 | devDependencies | minor |
| lint-staged | 16.2.5 → 16.2.7 | devDependencies | patch |
| node (source) | 22.21.0 → 22.22.0 | | minor |
| ora | 9.0.0 → 9.3.0 | dependencies | minor |
| pnpm (source) | 10.19.0 → 10.29.2 | packageManager | minor |
| prettier (source) | 3.6.2 → 3.8.1 | devDependencies | minor |
| sort-package-json | 3.4.0 → 3.6.1 | devDependencies | minor |
| tsdown (source) | 0.15.9 → 0.20.3 | devDependencies | minor |
| tsx (source) | 4.20.6 → 4.21.0 | devDependencies | minor |
| vite-tsconfig-paths | 6.0.3 → 6.1.0 | devDependencies | minor |
| vitest (source) | 4.0.5 → 4.0.18 | devDependencies | patch |
| yaml (source) | 2.8.1 → 2.8.2 | dependencies | patch |

Release Notes

biomejs/biome (@​biomejs/biome)

v2.3.14

Compare Source

Patch Changes
  • #​8921 29e2435 Thanks @​siketyan! - Fixed #​8759: The useConsistentTypeDefinitions rule no longer converts empty object type declarations into interfaces, as it will conflict with the noEmptyInterface rule and can cause an infinite loop when both rules are enabled.

  • #​8928 ccaeac4 Thanks @​taga3s! - Added the nursery rule useGlobalThis. This rule enforces using globalThis over window, self and global.

  • #​8602 9a18daa Thanks @​dyc3! - Added the new nursery rule noVueArrowFuncInWatch. This rule forbids using arrow functions in watchers in Vue components, because arrow functions do not give access to the component instance (via this), while regular functions do.

  • #​8905 9b1eea8 Thanks @​ryan-m-walker! - Fixed #​8428: Improved parsing recovery when encountering qualified rules inside CSS @page at-rule blocks.

  • #​8900 f788cff Thanks @​mdevils! - Fixed #​8802: useExhaustiveDependencies now correctly suggests dependencies without including callback-scoped variables or method names.

    When accessing object properties with a callback-scoped variable, only the object path is suggested:

    // Now correctly suggests `props.value` instead of `props.value[day]`
    useMemo(() => {
      return WeekdayValues.filter((day) => props.value[day]);
    }, [props.value]);

    When calling methods on objects, only the object is suggested as a dependency:

    // Now correctly suggests `props.data` instead of `props.data.forEach`
    useMemo(() => {
      props.data.forEach((item) => console.log(item));
    }, [props.data]);
  • #​8913 e1e20ea Thanks @​dyc3! - Fixed #​8363: HTML parser no longer crashes when encountering a < character followed by a digit in text content (e.g., <12 months). The parser now correctly emits an "Unescaped < bracket character" error instead of treating <12 as a tag name and crashing.

  • #​8910 2fb63a4 Thanks @​dyc3! - Fixed #​8774: Type aliases with generic parameters that have extends constraints now properly indent comments after the equals sign.

    Previously, comments after the = in type aliases with extends constraints were not indented:

    -type A<B, C extends D> = // Some comment
    -undefined;
    +type A<B, C extends D> =
    +    // Some comment
    +    undefined;
  • #​8916 ea4bd04 Thanks @​ryan-m-walker! - Fixed #​4013, where comments in member chains caused unnecessary line breaks.

    // Before
    aFunction.b().c.d();
    
    // After
    aFunction.b().c.d();
  • #8945 fa66fe3 Thanks @fireairforce! - Fixed #8354: Don't remove quotes when type member is new.

    // Input:
    type X = {
      "new"(): string;
      "foo"(): string;
    };
    
    // Format Output:
    type X = {
      "new()": string;
      foo(): string;
    };
  • #​8927 0ef3da5 Thanks @​littleKitchen! - Fixed #​8907: useExhaustiveDependencies now correctly recognizes stable hook results (like useState setters and useRef values) when declared with let.

  • #​8931 4561751 Thanks @​koshin01! - Added the new nursery rule noRedundantDefaultExport, which flags redundant default exports where the default export references the same identifier as a named export.

  • #​8900 f788cff Thanks @​mdevils! - Fixed #​8883: useExhaustiveDependencies no longer produces false positives when props are destructured in the function body of arrow function components without parentheses around the parameter.

    type Props = { msg: string };
    
    // Arrow function without parentheses around `props`
    const Component: React.FC<Props> = (props) => {
      const { msg } = props;
      // Previously, this incorrectly reported `msg` as unnecessary
      useEffect(() => console.log(msg), [msg]);
    };
  • #​8861 3531687 Thanks @​dyc3! - Added the noDeprecatedMediaType CSS rule to flag deprecated media types like tv and handheld.

  • #8775 7ea71cd Thanks @igas! - Fixed the noUnnecessaryConditions rule to prevent triggering for optional fallback patterns.

  • #​8860 95f1eea Thanks @​dyc3! - Added the nursery rule noHexColors, which flags the use of hexadecimal color codes in CSS and suggests using named colors or RGB/RGBA/HSL/HSLA formats instead.

  • #​8786 d876a38 Thanks @​Bertie690! - Added the nursery rule useConsistentMethodSignatures.
    Inspired by the similarly named version from typescript-eslint, this rule aims to enforce a consistent style for methods used inside object types and interfaces.

    Examples

    Invalid code with style set to "property" (the default):

    interface Foo {
      method(a: string): void;
    }

    Invalid code with style set to "method":

    type Bar = {
      prop: (a: string) => void;
    }
  • #​8864 5e97119 Thanks @​dyc3! - Improved the summary provided by biome migrate eslint to be clearer on why rules were not migrated. Biome now specifies a reason when a rule is not migrated, such as being incompatible with the formatter or not implemented yet. This helps users make more informed decisions when migrating their ESLint configurations to Biome.

  • #​8924 99b4cd1 Thanks @​tmohammad78! - Fixed #​8920: noUnknownFunction now knows about sibling-count, and sibling-index css functions

  • #​8900 f788cff Thanks @​mdevils! - Fixed #​8885: useExhaustiveDependencies no longer incorrectly reports variables as unnecessary dependencies when they are derived from expressions containing post/pre-increment operators (++/--) or compound assignment operators (+=, -=, etc.).

    let renderCount = 0;
    
    export const MyComponent = () => {
      // `count` is now correctly recognized as a required dependency
      // because `renderCount++` can produce different values between renders
      const count = renderCount++;
    
      useEffect(() => {
        console.log(count);
      }, [count]); // no longer reports `count` as unnecessary
    };
  • #​8619 d78e01d Thanks @​Netail! - Added the nursery rule useInputName. Require mutation arguments to be called “input”, and the input type to be called Mutation name + “Input”.

    Invalid:

    type Mutation {
      SetMessage(message: String): String
    }
  • #​8922 871b45e Thanks @​siketyan! - Fixed #​8829: Revamped the noGlobalDirnameFilename rule to catch many false negatives that have not been reported.

v2.3.13

Compare Source

Patch Changes
  • #​8815 f924f23 Thanks @​dyc3! - Improved useVueValidVOn to be more closely aligned with the source rule. It will now properly allow modifiers for all possible keyboard events. It should have better performance when there are no violations of the rule as well.

    Now treated valid:

    <div @keydown.arrow-down="handler"></div>
    <div @keydown.a="handler"></div>
    <div @keydown.b="handler"></div>
    <div @keydown.27="foo"></div>
  • #​8856 85f81f9 Thanks @​dyc3! - Fixed #​8710: Biome now parses Vue dynamic slot shorthand arguments that use template literals in [].

  • #​8850 2a190e0 Thanks @​dyc3! - Fixed #​8708: Tailwind @utility directives now parse functional utility names like px-* when Tailwind directives are enabled.

  • #​8863 79386e0 Thanks @​dyc3! - Fixed an issue with biome migrate eslint where it couldn't detect rules for CSS, GraphQL, and HTML.

  • #​8771 6f56b6e Thanks @​lghuahua! - Fix the --reporter=summary output incorrectly merging and displaying wrong issue counts for different rules. Fixes #​8730

  • #​8714 ac3a71f Thanks @​Netail! - Added new nursery rule use-consistent-enum-value-type. This rule disallows enums from having both number and string members.

v2.3.12

Compare Source

Patch Changes
  • #​8653 047576d Thanks @​dyc3! - Added new nursery rule noDuplicateAttributes to forbid duplicate attributes in HTML elements.

  • #​8648 96d09f4 Thanks @​BaeSeokJae! - Added a new nursery rule noVueOptionsApi.

    Biome now reports Vue Options API usage, which is incompatible with Vue 3.6's Vapor Mode.
    This rule detects Options API patterns in <script> blocks, defineComponent(), and createApp() calls,
    helping prepare codebases for Vapor Mode adoption.

    For example, the following now triggers this rule:

    <script>
    export default {
      data() {
        return { count: 0 };
      },
    };
    </script>
  • #​8832 b08270b Thanks @​Exudev! - Fixed #​8809, #​7985, and #​8136: the noSecrets rule no longer reports false positives on common CamelCase identifiers like paddingBottom, backgroundColor, unhandledRejection, uncaughtException, and IngestGatewayLogGroup.

    The entropy calculation algorithm now uses "average run length" to distinguish between legitimate CamelCase patterns (which have longer runs of same-case letters) and suspicious alternating case patterns (which have short runs).

  • #​8793 c19fb0e Thanks @​TheBaconWizard! - Properly handle parameters metavariables for arrow_function GritQL queries. The following biome search command no longer throws an error:

    biome search 'arrow_function(parameters=$parameters, body=$body)'
  • #​8561 981affb Thanks @​wataryooou! - Fixed noUnusedVariables to ignore type parameters declared in ambient contexts such as declare module blocks.

  • #​8817 652cfbb Thanks @​dyc3! - Fixed #​8765: The HTML parser can now parse directive modifiers with a single colon, e.g. @keydown.:.

  • #​8704 a1914d4 Thanks @​Netail! - Added the nursery rule noRootType.
    Disallow the usage of specified root types. (e.g. mutation and/or subscription)

    Invalid:

    {
      "options": {
        "disallow": ["mutation"]
      }
    }
    type Mutation {
      SetMessage(message: String): String
    }
  • #​8712 251b47b Thanks @​Netail! - Renamed the following GraphQL nursery rules to match the Biome standard:

    • useUniqueArgumentNames -> noDuplicateArgumentNames
    • useUniqueFieldDefinitionNames -> noDuplicateFieldDefinitionNames
    • useUniqueGraphqlOperationName -> noDuplicateGraphqlOperationName
    • useUniqueInputFieldNames -> noDuplicateInputFieldNames
    • useUniqueVariableNames -> noDuplicateVariableNames

    Run the biome migrate --write command to automatically update the configuration file.

  • #​7602 957cd8e Thanks @​kedevked! - Added the nursery lint rule useErrorCause.

    This rule enforces that errors caught in a catch clause are not rethrown without wrapping them in a new Error object and specifying the original error as the cause. This helps preserve the error’s stack trace and context for better debugging.

    It can be configured with the following option:

    • requireCatchParameter: (default: true)
      • When true, the rule requires that catch clauses have a parameter. If a throw statement appears inside a catch clause without a parameter, it will be flagged.

    Invalid examples:

    try {
      foo();
    } catch {
      throw new Error("fail");
    }
    try {
      foo();
    } catch (err) {
      throw new Error(err.message);
    }

    Valid examples:

    try {
      foo();
    } catch (err) {
      throw new Error("fail", { cause: err });
    }
    try {
      foo();
    } catch (error) {
      throw new Error("Something went wrong", { cause: error });
    }

    Valid example when requireCatchParameter is false:

    Valid:

    try {
      foo();
    } catch {
      throw new Error("fail");
    }
  • #​8725 95aba98 Thanks @​dyc3! - Fixed #​8715: The CSS parser will now recover slightly better if a semicolon is missing from Tailwind's @apply at-rule.

  • #​8616 4ee3bda Thanks @​Netail! - Added the nursery rule useLoneAnonymousOperation. Disallow anonymous operations when more than one operation specified in document.

    Invalid:

    query {
      fieldA
    }
    
    query B {
      fieldB
    }
  • #​8624 291c9f2 Thanks @​taga3s! - Added the nursery rule useInlineScriptId to the Next.js domain.
    This rule enforces id attribute on next/script components with inline content or dangerouslySetInnerHTML.

    The following code is invalid:

    import Script from "next/script";
    
    export default function Page() {
      return (
        <Script>{`console.log('Hello');`}</Script> // must have `id` attribute
      );
    }
  • #​8767 0d15370 Thanks @​mdevils! - Fixed #​3512:
    useExhaustiveDependencies now properly handles nested destructuring patterns
    from hook results.

    const [[x, y], setXY] = useState([1, 2]);
    useEffect(() => {
      console.log(x, y);
    }, [x, y]); // x and y are now correctly recognized as unstable
  • #​8757 17ed9d3 Thanks @​Netail! - Added the nursery rule noDivRegex. Disallow equal signs explicitly at the beginning of regular expressions.

    Invalid:

    var f = function () {
      return /=foo/;
    };
  • #​8836 aab1d17 Thanks @​dyc3! - Fixed #​7858: Biome now parses Astro files with empty frontmatter blocks.

  • #​8755 3a15c29 Thanks @​arturalkaim! - Fixed #​6670. The $filename metavariable can now be used in GritQL where clauses to filter matches by filename.

  • #​8821 63e68a1 Thanks @​playhardgopro! - Fixed several bugs in Vue conditional rules (useVueValidVIf, useVueValidVElse, and useVueValidVElseIf) related to whitespace handling, newlines, and self-closing tags.

  • #​8767 0d15370 Thanks @​mdevils! - Fixed #​3685:
    useExhaustiveDependencies now properly handles transparent expression
    wrappers like non-null assertions and type assertions in dependency comparisons.

    useMemo(() => Boolean(myObj!.x), [myObj!.x]); // No longer reports incorrect diagnostics
    useMemo(() => myObj!.x?.y === true, [myObj!.x?.y]); // Now correctly matches dependencies
  • #​8597 f764007 Thanks @​Netail! - Added the nursery rule noDuplicateEnumValueNames. Enforce unique enum value names.

    Invalid:

    enum A {
      TEST
      TesT
    }
  • #​8679 33dfd7c Thanks @​ematipico! - Fixed #​8678. Now Biome correctly parses components inside Vue, Svelte and Astro files when they have the same name of self-closing elements.

  • #​8617 31a9bfe Thanks @​Netail! - Added the nursery rule useLoneExecutableDefinition. Require queries, mutations, subscriptions or fragments to be located in separate files.

    Invalid:

    query Foo {
      id
    }
    
    fragment Bar on Baz {
      id
    }
  • #​8697 8519669 Thanks @​Faizanq! - Added the nursery lint rule noExcessiveLinesPerFile to CSS and GraphQL.

  • #​8711 365f7aa Thanks @​Netail! - Added new nursery rule noDuplicateEnumValues, which disallows defining an enum with multiple members initialized to the same value.

  • #​8767 0d15370 Thanks @​mdevils! - Fixed #​5914:
    useExhaustiveDependencies now properly handles variables declared in the same
    statement.

    const varA = Math.random(),
      varB = useMemo(() => varA, [varA]); // varA is now correctly recognized as needed
  • #​8767 0d15370 Thanks @​mdevils! - Fixed #​8427:
    useExhaustiveDependencies now properly resolves variable references to detect
    captured dependencies.

    const fe = fetchEntity;
    useEffect(() => {
      fe(id);
    }, [id, fe]); // fe is now correctly detected as needed
  • #​8767 0d15370 Thanks @​mdevils! - Fixed #​8484:
    useExhaustiveDependencies now properly handles member access on stable hook
    results.

    const stableObj = useStable();
    useMemo(() => {
      return stableObj.stableValue; // stableObj.stableValue is now correctly recognized as stable
    }, []);
  • #​8767 0d15370 Thanks @​mdevils! - Fixed #​7982:
    useExhaustiveDependencies now properly handles callback expressions with type
    assertions.

    const callback = useCallback(
      (() => {
        return count * 2;
      }) as Function,
      [count], // count is now correctly detected
    );
  • #​8766 39eb545 Thanks @​Netail! - Fixed #​8761: Reverted wrapping the URL of rule descriptions with <>, causing broken URLs in VSCode.

  • #​8767 0d15370 Thanks @​mdevils! - Fixed #​3080:
    useExhaustiveDependencies now properly analyzes captures within referenced
    functions passed to hooks.

    function myEffect() {
      console.log(foo, bar);
    }
    useEffect(myEffect, [foo, bar]); // foo and bar are now correctly detected
  • #​8740 4962ed0 Thanks @​Netail! - Extra rule source references. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

  • #​8776 395746f Thanks @​codiini! - Fixed #​6003: noUselessUndefinedInitialization no longer reports exported variables initialized to undefined. In Svelte 4, this pattern is used to declare optional component props.

  • #​8767 0d15370 Thanks @​mdevils! - Fixed #​4248:
    useExhaustiveDependencies now correctly handles function props passed as
    callbacks.

    const data = React.useMemo(getData, [getData]); // getData is now correctly recognized as needed
  • #​8819 bc191ff Thanks @​Netail! - Fixed #​6567:
    noUnknownProperty now ignores unknown properties in at-rules which support descriptors.

  • #​8787 adb652f Thanks @​tuyuritio! - Fixed #​8777: Add support for :active-view-transition pseudo-class.

  • #​8639 6577e32 Thanks @​ohnoah! - Added the nursery lint rule noExcessiveLinesPerFile.
    Biome now reports files that exceed a configurable line limit.

    // maxLines: 2
    const a = 1;
    const b = 2;
    const c = 3;
  • #​8753 71b5c6e Thanks @​Netail! - Added the nursery rule noExcessiveClassesPerFile. Enforce a maximum number of classes per file.

    Invalid:

    class Foo {}
    class Bar {}
  • #​8754 d6b2bda Thanks @​Netail! - Added the nursery rule noFloatingClasses. Disallow new operators outside of assignments or comparisons.

    Invalid:

    new Date();

v2.3.11

Compare Source

Patch Changes
  • #​8583 83be210 Thanks @​dyc3! - Added the new nursery rule useVueValidTemplateRoot.

    This rule validates only root-level <template> elements in Vue single-file components. If the <template> has a src attribute, it must be empty. Otherwise, it must contain content.

    Invalid examples:

    <template src="./foo.html">content</template>
    <template></template>

    Valid examples:

    <template>content</template>
    <template src="./foo.html"></template>
  • #​8586 df8fe06 Thanks @​dyc3! - Added a new nursery rule useVueConsistentVBindStyle. Enforces consistent v-bind style (:prop shorthand vs v-bind:prop longhand). Default prefers shorthand; configurable via rule options.

  • #​8587 9a8c98d Thanks @​dyc3! - Added the rule useVueVForKey, which enforces that any element using v-for also specifies a key.

    Invalid

    <li v-for="item in items">{{ item }}</li>

    Valid

    <li v-for="item in items" :key="item.id">{{ item }}</li>
  • #​8586 df8fe06 Thanks @​dyc3! - Added a new nursery rule useVueConsistentVOnStyle. Enforces consistent v-on style (@event shorthand vs v-on:event longhand). Default prefers shorthand; configurable via rule options.

  • #​8583 83be210 Thanks @​dyc3! - Added the new nursery rule useVueValidVOnce. Enforces that usages of the v-once directive in Vue.js SFC are valid.

    <!-- Valid -->
    <div v-once />
    
    <!-- Invalid -->
    <div v-once:aaa />
    <div v-once.bbb />
    <div v-once="ccc" />
  • #​8498 d80fa41 Thanks @​tt-a1i! - Fixed #​8494. Extended noUndeclaredEnvVars to support bracket notation (process.env["VAR"], import.meta.env["VAR"]), Bun runtime (Bun.env.VAR, Bun.env["VAR"]), and Deno runtime (Deno.env.get("VAR")).

  • #​8509 574a909 Thanks @​ematipico! - Added support for parsing and formatting the Svelte {#await} syntax, when html.experimentalFullSupportEnabled is set to true.

    -{#await promise  then name }
    +{#await promise then name}
    
    -{:catch    name}
    +{:catch name}
    
    {/await}
  • #​8316 d64e92d Thanks @​washbin! - Added the new nursery rule noMultiAssign. This rule helps to prevent multiple chained assignments.

    For example, the following code triggers because there are two assignment expressions in the same statement.

    const a = (b = 0);
  • #​8592 a5f59cd Thanks @​Netail! - Added the nursery rule useUniqueInputFieldNames. Require fields within an input object to be unique.

    Invalid:

    query A($x: Int, $x: Int) {
      field
    }
  • #​8524 17a6156 Thanks @​JacquesLeupin! - Fixed #​8488: Relative plugin paths are now resolved from the configuration file directory, including when configurations are merged (e.g. extends: "//").

  • #​8655 3260ec9 Thanks @​JacquesLeupin! - Fixed #​8636: Biome's CSS formatter now breaks comma-separated declaration values at top-level commas when wrapping.

  • #​8537 cc3e851 Thanks @​dibashthapa! - Fixed #​8491: Resolved false positive errors for safe boolean expressions. There are still pending fixes. Head to #​8491 (comment) for more details

    This new change will check for safe boolean expressions in variable declarations.

    For example,

    Valid:

    let isOne = 1;
    let isPositiveNumber = number > 0;
    
    return (
      <div>
        {" "}
        {isOne && "One"} {isPositiveNumber && "Is positive"}
      </div>
    );

    Invalid:

    let emptyStr = "";
    let isZero = 0;
    
    return (
      <div>
        {emptyStr && "Empty String"} {isZero && "Number is zero"}{" "}
      </div>
    );
  • #​8511 16a9036 Thanks @​ematipico! - Improved the diagnostics of the rules useSortedClasses and noUnnecessaryConditions. The diagnostics now state that these rules are a work in progress and link to the relevant GitHub issue.

  • #​8521 a704be9 Thanks @​ToBinio! - Added the nursery rule useVueConsistentDefinePropsDeclaration, which enforces consistent defineProps declaration style.

    Invalid

    <script setup lang="ts">
    const props = defineProps({
      kind: { type: String },
    });
    </script>

    Valid

    <script setup lang="ts">
    const props = defineProps<{
      kind: string;
    }>();
    </script>
  • #​8595 7c85bf0 Thanks @​dyc3! - Fixed #​8584: The HTML formatter will preserve whitespace after some elements and embedded expressions, which more closely aligns with Prettier's behavior.

    - <h1>Hello, {framework}and Svelte!</h1>
    + <h1>Hello, {framework} and Svelte!</h1>
  • #​8598 5e85d43 Thanks @​Netail! - Added the nursery rule useUniqueFieldDefinitionNames. Require all fields of a type to be unique.

    Invalid:

    type SomeObject {
      foo: String
      foo: String
    }
  • #​8495 b573d14 Thanks @​taga3s! - Fixed #​8405: noMisusedPromises now emits warnings/errors when a function returns union types such as T | Promise<T> which is used in conditionals.

    const a = (): boolean | Promise<boolean> => Promise.resolve(true);
    if (a()) {
    } // Now correctly flagged
  • #​8632 0be7d12 Thanks @​Bertie690! - The documentation & rule sources for lint/complexity/noBannedTypes have been updated to fix a few oversights.

    In addition to some general typo fixes:

    • The rule now recommends Record<keyof any, never> instead of Record<string, never> (the latter of which incorrectly allows symbol-keyed properties).

    • The rule mentions an alternate method to enforce object emptiness involving unique symbol-based guards used by type-fest and many other packages:

      declare const mySym: unique symbol;
      
      // Since this type's only property is an unexported `unique symbol`, nothing that imports it can specify any properties directly
      // (as far as excess property checks go)
      export type EmptyObject = { [mySym]?: never };
      export type IsEmptyObject<T> = T extends EmptyObject ? true : false;

    The rule's listed sources have been updated as well to reflect the original source rule (ban-types) having been split into 3 separate rules circa April 2024.

  • #​8580 a3a1ad2 Thanks @​taga3s! - Added the nursery rule noBeforeInteractiveScriptOutsideDocument to the Next.js domain.
    This rule prevents usage of next/script's beforeInteractive strategy outside of pages/_document.js.

  • #​8493 5fc24f4 Thanks @​ematipico! - Added support for parsing and formatting the Svelte {#each} syntax, when html.experimentalFullSupportEnabled is set to true.

    - {#each items   as item  }
    + {#each items as item}
    
    {/each}
  • #​8546 0196c0e Thanks @​Zaczero! - Hardened union static-member type flattening in edge cases (e.g. unions containing unknown or inferred expression types). This keeps inference conservative and avoids unstable type growth in node = node.parent-style loops.

  • [#​8569](https://redirect.github.com/biomejs/biome/pull/85


Configuration

📅 Schedule: Branch creation - "before 9am on Monday" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
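
The noSecrets entry in the Biome v2.3.12 release notes above describes using "average run length" so that CamelCase identifiers are no longer reported as secrets. The sketch below is an added example, not code from Biome or from this PR; the thresholds, the way entropy and run length are combined, the treatment of digits as run breaks and the constructed secret-like token are all assumptions.

```javascript
// Added illustration (not Biome's implementation) of pairing Shannon entropy
// with the average run length of same-case letters.
// All three thresholds are assumptions chosen for this example.
const MIN_LENGTH = 12; // ignore tokens shorter than this
const ENTROPY_MIN = 3.0; // bits per character
const AVG_RUN_MIN = 2.0; // below this, letter case alternates suspiciously

// Identifiers quoted in the release note as former false positives.
const PAGE_IDENTIFIERS = [
  "paddingBottom",
  "backgroundColor",
  "unhandledRejection",
  "uncaughtException",
  "IngestGatewayLogGroup",
];
// Constructed sample with alternating case; not a real credential.
const CONSTRUCTED_TOKEN = "xK9mPq2LvRt7WzYb";

// Shannon entropy of the token in bits per character.
function shannonEntropy(token) {
  const chars = Array.from(token);
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Lengths of maximal runs of same-case ASCII letters.
// Assumption: digits and symbols end a run and are not counted.
function caseRuns(token) {
  const runs = [];
  let kind = null;
  let length = 0;
  for (const ch of token) {
    const next =
      ch >= "a" && ch <= "z" ? "lower" : ch >= "A" && ch <= "Z" ? "upper" : null;
    if (next !== null && next === kind) {
      length += 1;
      continue;
    }
    if (length > 0) runs.push(length);
    kind = next;
    length = next === null ? 0 : 1;
  }
  if (length > 0) runs.push(length);
  return runs;
}

// Mean run length, or null when the token contains no letters at all.
function averageRunLength(token) {
  const runs = caseRuns(token);
  if (runs.length === 0) return null;
  return runs.reduce((a, b) => a + b, 0) / runs.length;
}

// Entropy-only heuristic: the kind of check that flags CamelCase names.
function entropyOnly(token) {
  return token.length >= MIN_LENGTH && shannonEntropy(token) >= ENTROPY_MIN;
}

// Entropy plus run length: long same-case runs mark an ordinary identifier.
function looksLikeSecret(token) {
  if (!entropyOnly(token)) return false;
  const avg = averageRunLength(token);
  if (avg === null) return true; // no letters: entropy is the only signal
  return avg < AVG_RUN_MIN;
}

// One row per token so both heuristics can be compared side by side.
function evaluate(tokens) {
  return tokens.map((token) => ({
    token,
    entropy: Number(shannonEntropy(token).toFixed(2)),
    avgRun: averageRunLength(token),
    entropyOnly: entropyOnly(token),
    withRunLength: looksLikeSecret(token),
  }));
}

console.table(evaluate([...PAGE_IDENTIFIERS, CONSTRUCTED_TOKEN]));
```

With these assumed thresholds the entropy-only check flags all five identifiers from the release note, while the run-length check clears them and still flags the alternating-case token.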


coderabbitai bot commented Oct 27, 2025

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.
📝 Walkthrough


Dev tooling and metadata were updated: multiple devDependencies bumped (@biomejs/biome 2.2.7→2.3.14, @types/node 22.18.12→22.19.10, @vitest/coverage-v8 4.0.5→4.0.18, vitest 4.0.5→4.0.18, cspell 9.2.2→9.6.4, prettier 3.6.2→3.8.1, sort-package-json 3.4.0→3.6.1, tsdown 0.15.9→0.20.3, lint-staged 16.2.5→16.2.7). Top-level packageManager bumped from pnpm@10.19.0→pnpm@10.29.1. .nvmrc updated Node from 22.21.0→22.22.0. No runtime, exported/public, or control-flow changes.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | Title accurately describes the changeset: dependency updates across devDependencies, packageManager, and Node runtime versions. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.


codecov bot commented Oct 27, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.24%. Comparing base (412679a) to head (2fc8043).

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #63   +/-   ##
=======================================
  Coverage   95.24%   95.24%           
=======================================
  Files          25       25           
  Lines         715      715           
  Branches      207      207           
=======================================
  Hits          681      681           
  Misses         34       34           

☔ View full report in Codecov by Sentry.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a4b87b9 and 9e4967d.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json (1 hunks)
🔇 Additional comments (1)
package.json (1)

49-49: lint-staged patch update is safe.

The 16.2.6 bump fixes a bug in --continue-on-error task handling—low risk.

package.json Outdated

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify biome 2.3.0 compatibility with existing linting/formatting.

The bump to 2.3.0 introduces new lint rules and formatting options (lineEnding: auto, indentScriptAndStyle). Confirm the pipeline passes linting and formatting checks.


🏁 Script executed:

#!/bin/bash
# Verify lock file is updated and biome configuration remains compatible

# Check if pnpm-lock.yaml exists and contains the updated biome version
fd "pnpm-lock.yaml" -x grep -q "@biomejs/biome@2.3.0" && echo "✓ Lock file contains biome 2.3.0" || echo "✗ Lock file may need update"

# Check for biome config file and its content
fd "biome.json|biome.jsonc" -x cat

Length of output: 3953


Update biome.json schema reference to match 2.3.0 version.

Lock file is properly updated, but the schema URL still references 2.2.7. Update "$schema" in biome.json to https://biomejs.dev/schemas/2.3.0/schema.json to avoid validation mismatches.

Also confirm whether the new formatting options (lineEnding: auto, indentScriptAndStyle) mentioned in the PR should be adopted or remain as-is.

🤖 Prompt for AI Agents
In package.json around line 43 (the Biome dependency bump to 2.3.0), update the
"$schema" field in biome.json from the old 2.2.7 URL to
https://biomejs.dev/schemas/2.3.0/schema.json so the schema version matches the
installed biome package; open biome.json, replace the schema URL accordingly,
and then run biome/format or validation to ensure no schema errors. While here,
confirm whether to adopt the new formatting options (lineEnding: "auto" and
indentScriptAndStyle) by either adding them to biome.json if you want those
behaviors or leaving them out to preserve current formatting, and run the
formatter to verify the resulting diffs are acceptable.

@renovate renovate bot force-pushed the renovate/non-major branch 4 times, most recently from e1d63fb to 81f4f99 Compare October 27, 2025 23:30

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 454c9b7 and 81f4f99.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json (1 hunks)
🔇 Additional comments (2)
package.json (2)

49-49: Confirm lint-staged 16.2.6 patch resolves --continue-on-error issue.

The patch addresses task failures with the --continue-on-error flag. If your CI/hooks use this flag, verify it now works as expected.


52-52: LGTM.

tsdown 0.15.10 patch is low-risk (rolldown-plugin-dts upgrade, nested index fix).

@renovate renovate bot force-pushed the renovate/non-major branch from 81f4f99 to e517470 Compare October 29, 2025 04:32
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 81f4f99 and e517470.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .nvmrc (1 hunks)
  • package.json (1 hunks)
🔇 Additional comments (3)
.nvmrc (1)

1-1: LGTM!

Node patch version bump (22.21.0 → 22.21.1) is routine and safe.

package.json (2)

49-49: LGTM!

lint-staged 16.2.5 → 16.2.6 is a patch fix for --continue-on-error task handling. No breaking changes.


52-52: LGTM!

tsdown 0.15.9 → 0.15.11 (per AI summary; PR objectives mention 0.15.10) includes rolldown-plugin-dts upgrade and index file export fixes. Routine patch bump.

package.json Outdated

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Dependency update approved; schema URL verification required.

@biomejs/biome 2.2.7 → 2.3.1 looks good. However, previous reviews flagged that biome.json's "$schema" URL still referenced 2.2.7. Confirm the schema URL has been updated to match 2.3.1.


🏁 Script executed:

#!/bin/bash
# Verify biome.json schema URL matches installed version and lock file is current

echo "=== biome.json schema URL ==="
fd "biome.json|biome.jsonc" -x grep '"$schema"' || echo "No biome config found"

echo -e "\n=== pnpm-lock.yaml @biomejs/biome version ==="
grep -A 2 '"@biomejs/biome":' pnpm-lock.yaml | head -5 || echo "biome not found in lock file"

echo -e "\n=== Confirm schema matches package.json version ==="
SCHEMA=$(fd "biome.json|biome.jsonc" -x grep -oP '(?<=schemas/)[^/]+' || echo "not found")
echo "Schema version from biome.json: $SCHEMA (should be 2.3.1)"

Length of output: 247


biome.json schema URL must be updated to 2.3.1.

The schema URL in biome.json is still 2.2.7 but the package is 2.3.1. Update to https://biomejs.dev/schemas/2.3.1/schema.json.

🤖 Prompt for AI Agents
In package.json around line 43, the project depends on "@biomejs/biome": "2.3.1"
but the biome.json schema URL still points to 2.2.7; update the schema URL in
biome.json to "https://biomejs.dev/schemas/2.3.1/schema.json" so it matches the
installed biome version, ensuring the schema version string and path reflect
2.3.1.

@renovate renovate bot force-pushed the renovate/non-major branch from e517470 to 8982ea7 Compare October 29, 2025 23:57
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between e517470 and 8982ea7.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .nvmrc (1 hunks)
  • package.json (1 hunks)
🔇 Additional comments (5)
.nvmrc (1)

1-1: Routine patch bump; no concerns.

Node.js 22.21.1 is a patch release with minor fixes and improvements. Safe to update.

package.json (4)

44-44: Approve @types/node patch bump.

Update from 22.18.12 to 22.18.13 is a safe patch with type corrections.


49-49: Approve lint-staged patch bump.

Update from 16.2.5 to 16.2.6 fixes --continue-on-error task handling. No breaking changes.


52-52: Approve tsdown patch bumps.

Updates from 0.15.9 to 0.15.11 include rolldown-plugin-dts upgrade and export path fixes. No concerns.


56-56: Approve pnpm packageManager update.

Bump from 10.19.0 to 10.20.0 is a minor release. Ensure lock file is regenerated with pnpm install or equivalent if needed.

@renovate renovate bot force-pushed the renovate/non-major branch from 8982ea7 to 1e78a91 Compare October 30, 2025 16:14
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 8982ea7 and 1e78a91.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .nvmrc (1 hunks)
  • package.json (1 hunks)
🔇 Additional comments (1)
.nvmrc (1)

1-1: Node.js patch bump approved.

Routine runtime update; no issues.

@renovate renovate bot force-pushed the renovate/non-major branch from 1e78a91 to 32c61f3 Compare October 30, 2025 23:21
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 1e78a91 and 32c61f3.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .nvmrc (1 hunks)
  • package.json (1 hunks)
🔇 Additional comments (1)
.nvmrc (1)

1-1: Node patch update looks good.

Straightforward patch version bump that aligns with the broader toolchain updates.

@renovate renovate bot force-pushed the renovate/non-major branch 4 times, most recently from 239fb8f to 1e0991c Compare October 31, 2025 09:55
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 239fb8f and 1e0991c.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .nvmrc (1 hunks)
  • package.json (1 hunks)
🔇 Additional comments (1)
.nvmrc (1)

1-1: Node version patch bump is safe.

Straightforward patch version update; no behavioral changes.

@renovate renovate bot force-pushed the renovate/non-major branch from 1e0991c to e319653 Compare October 31, 2025 11:40
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 1e0991c and e319653.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .nvmrc (1 hunks)
  • package.json (1 hunks)
🔇 Additional comments (1)
.nvmrc (1)

1-1: Node.js patch update approved.

Straightforward patch bump (22.21.0 → 22.21.1) aligned with the PR strategy.

@renovate renovate bot force-pushed the renovate/non-major branch from e319653 to 57b736a Compare October 31, 2025 11:49
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between e319653 and 57b736a.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .nvmrc (1 hunks)
  • package.json (1 hunks)
🔇 Additional comments (3)
package.json (2)

56-56: pnpm version bump is safe.

The packageManager field correctly pins pnpm to 10.20.0 (minor bump from 10.19.0). This ensures consistent builds across environments and includes patch fixes.


43-44: Lock file is properly updated.

All four version bumps are confirmed in pnpm-lock.yaml and maintain non-major semantics (no breaking changes).

.nvmrc (1)

1-1: Node.js patch version aligned with package.json engines constraint.

The .nvmrc update from 22.21.0 to 22.21.1 is a safe patch-level bump and satisfies the engines.node constraint (≥22.14.0) in package.json. No behavioral changes expected.

@renovate renovate bot force-pushed the renovate/non-major branch from 57b736a to c838298 Compare October 31, 2025 11:55
@renovate renovate bot force-pushed the renovate/non-major branch 4 times, most recently from 63ae458 to b92bae4 Compare January 30, 2026 09:36
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@package.json`:
- Line 57: The package.json packageManager field was updated to "pnpm@10.28.2"
but the lockfile metadata wasn't regenerated; run pnpm using that exact version
to regenerate the lockfile (e.g., install with pnpm v10.28.2 or run `pnpm
install` after switching to 10.28.2) so pnpm-lock.yaml includes the matching
pnpmVersion, then commit the updated lockfile alongside the packageManager
change; reference the packageManager field in package.json and the pnpm lockfile
(pnpm-lock.yaml) when making this fix.

@renovate renovate bot force-pushed the renovate/non-major branch from b92bae4 to f8703a9 Compare January 30, 2026 10:05
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@package.json`:
- Around line 43-55: package.json was updated to "@biomejs/biome": "2.3.13" but
biome.json still references the old schema version; update the "$schema" value
in biome.json to "https://biomejs.dev/schemas/2.3.13/schema.json" so the schema
matches the `@biomejs/biome` dependency; locate the $schema key in biome.json and
replace the 2.2.7 URL with the 2.3.13 URL, then run biome lint/validate if
available to confirm compatibility.

package.json Outdated
Comment on lines 43 to 55

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -e

echo "=== Checking package.json ==="
if [ -f "package.json" ]; then
  echo "package.json exists"
  # Extract devDependencies section around the mentioned lines
  cat -n package.json | sed -n '40,60p'
else
  echo "package.json not found"
fi

echo ""
echo "=== Checking biome.json schema ==="
if [ -f "biome.json" ]; then
  echo "biome.json found:"
  cat biome.json | head -10
  echo ""
  SCHEMA=$(grep -o '"$schema"[^}]*' biome.json | head -1)
  echo "Schema entry: $SCHEMA"
else
  echo "biome.json not found"
fi

Repository: deepnote/deepnote

Length of output: 1269


Update biome.json schema URL to match @biomejs/biome@2.3.13.

The schema is currently pinned to 2.2.7 but needs 2.3.13:

"$schema": "https://biomejs.dev/schemas/2.3.13/schema.json"

All other devDependency bumps are semver-safe (patch/minor).

🤖 Prompt for AI Agents
In `@package.json` around lines 43 - 55, package.json was updated to
"@biomejs/biome": "2.3.13" but biome.json still references the old schema
version; update the "$schema" value in biome.json to
"https://biomejs.dev/schemas/2.3.13/schema.json" so the schema matches the
`@biomejs/biome` dependency; locate the $schema key in biome.json and replace the
2.2.7 URL with the 2.3.13 URL, then run biome lint/validate if available to
confirm compatibility.

@renovate renovate bot force-pushed the renovate/non-major branch 6 times, most recently from 4d15854 to 984a430 Compare February 5, 2026 09:59
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@package.json`:
- Line 57: The packageManager field was updated to "pnpm@10.28.2" but the
lockfile wasn’t regenerated with that pnpm version; run pnpm@10.28.2 locally
(e.g., using pnpm env use 10.28.2 or npx pnpm@10.28.2) and run pnpm install to
regenerate the lockfile so it matches version 10 and includes the GHSA fix for
directories.bin; while doing so, ensure any packages that require
lifecycle/build scripts are added to pnpm.onlyBuiltDependencies (or adjusted per
pnpm v10 behavior) so installs still build needed packages.

package.json Outdated

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check lockfile metadata
echo "=== pnpm-lock.yaml header ==="
head -10 pnpm-lock.yaml

Repository: deepnote/deepnote

Length of output: 260


🌐 Web query:

pnpm 10.28.2 changelog security fix path traversal

💡 Result:

pnpm 10.28.2 includes a security fix for a path traversal issue in the package.json directories.bin field:

  • Changelog / release notes (v10.28.2): “Security fix: prevent path traversal in directories.bin field.” [1]
  • What was fixed: pnpm previously used path.join(pkgPath, manifest.directories.bin) without validating the resulting path stayed inside the package root; a malicious package could use values like ../../../../tmp to escape the directory and cause pnpm to chmod 755 arbitrary files (Unix-like systems only). [2]
  • Tracking IDs: GHSA-v253-rj99-jwpq and CVE-2026-24131; affected versions are pnpm < 10.28.2, patched in >= 10.28.2. [2][3]

Sources: [1] pnpm GitHub release v10.28.2 (github.com), [2] GitHub Security Advisory GHSA-v253-rj99-jwpq (github.com), [3] NVD entry for CVE-2026-24131 (nvd.nist.gov)



🌐 Web query:

pnpm 10 lifecycle scripts blocking default onlyBuiltDependencies

💡 Result:

In pnpm v10, dependency lifecycle scripts (not your project’s scripts) are blocked by default during pnpm install as a security breaking change. To let specific dependencies run preinstall/install/postinstall, you must explicitly allow them (originally via pnpm.onlyBuiltDependencies). [1][2]

How to allow builds (common options)

  • Allowlist specific packages (package.json):

    {
      "pnpm": {
        "onlyBuiltDependencies": ["esbuild", "sharp"]
      }
    }

    Only packages listed can run install-time lifecycle scripts; if you don’t configure an allowlist (or related file/list), pnpm defaults to blocking install scripts. [1][2]

  • Workspace/CI policy file: onlyBuiltDependenciesFile can point to a JSON allowlist file. [2]

  • Newer preferred config: allowBuilds (introduced later in pnpm v10.x) is a more flexible replacement for onlyBuiltDependencies / ignoredBuiltDependencies. [3]

  • Restore “old behavior” (unsafe): dangerouslyAllowAllBuilds=true allows all dependency build scripts to run automatically. [2]

Note: This applies to dependencies’ scripts; your project scripts can still run unless you also set ignoreScripts. [2]

Sources: pnpm v10 announcement/discussion [1], pnpm settings docs [2], pnpm 10.26 release notes (adds allowBuilds) [3].


Regenerate lockfile with pnpm 10.28.2. Lockfile is still at version 9.0 and was not regenerated with the version bump.

The security fix for path traversal in directories.bin (GHSA-v253-rj99-jwpq) is valid. Also note that pnpm 10 blocks dependency lifecycle scripts by default; packages needing build scripts must be listed in pnpm.onlyBuiltDependencies.

Run pnpm install using 10.28.2 to regenerate the lockfile.

🤖 Prompt for AI Agents
In `@package.json` at line 57, The packageManager field was updated to
"pnpm@10.28.2" but the lockfile wasn’t regenerated with that pnpm version; run
pnpm@10.28.2 locally (e.g., using pnpm env use 10.28.2 or npx pnpm@10.28.2) and
run pnpm install to regenerate the lockfile so it matches version 10 and
includes the GHSA fix for directories.bin; while doing so, ensure any packages
that require lifecycle/build scripts are added to pnpm.onlyBuiltDependencies (or
adjusted per pnpm v10 behavior) so installs still build needed packages.
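The containment check that the directories.bin advisory quoted in the comment above describes as missing, as an added example (not code from this PR, from CodeRabbit, or from pnpm). Only `path.join(pkgPath, manifest.directories.bin)` and the `../../../../tmp` value come from the thread; the function names, the `/srv/store` root and the sample manifests are constructed for illustration.

```javascript
// Added example (not pnpm's implementation): validate that a manifest's
// directories.bin stays inside the package root before anything touches it.
const path = require('node:path').posix; // the advisory concerns Unix-like systems

// Unchecked form as described in the advisory text: the joined path is used as-is.
function resolveBinDirUnchecked(pkgPath, manifest) {
  return path.join(pkgPath, manifest.directories.bin);
}

// A string-prefix test looks equivalent but also accepts sibling directories
// whose names merely start with the package directory's name.
function staysInsideByPrefix(pkgPath, bin) {
  return path.resolve(pkgPath, bin).startsWith(path.resolve(pkgPath));
}

// Hardened form: resolve first, then require the result to be the root itself
// or a descendant of it. This is a lexical check; a symlink inside the package
// that points elsewhere would additionally need fs.realpath on the target.
function resolveBinDirChecked(pkgPath, manifest) {
  const bin = manifest && manifest.directories && manifest.directories.bin;
  if (typeof bin !== 'string' || bin.length === 0) {
    return { ok: false, reason: 'no-bin-dir' };
  }
  if (bin.includes('\0')) {
    return { ok: false, reason: 'nul-byte' };
  }
  const root = path.resolve(pkgPath);
  const target = path.resolve(root, bin); // an absolute bin value replaces root here
  const rel = path.relative(root, target);
  const escapes = rel === '..' || rel.startsWith('../') || path.isAbsolute(rel);
  if (escapes) {
    return { ok: false, reason: 'outside-package-root', target };
  }
  return { ok: true, target };
}

// Constructed sample manifests (not taken from any real package).
const SAMPLE_MANIFESTS = [
  { name: 'plain-cli', directories: { bin: 'bin' } },
  { name: 'normalizes-inside', directories: { bin: 'bin/../cli' } },
  { name: 'advisory-style', directories: { bin: '../../../../tmp' } },
  { name: 'sibling-prefix', directories: { bin: '../sibling-prefix-extra/bin' } },
  { name: 'absolute', directories: { bin: '/etc' } },
  { name: 'no-bin', directories: {} },
];

// Run the hardened check over every manifest under a (hypothetical) store root.
function auditManifests(storeRoot, manifests) {
  return manifests.map((m) => ({
    name: m.name,
    ...resolveBinDirChecked(path.join(storeRoot, m.name), m),
  }));
}

for (const r of auditManifests('/srv/store', SAMPLE_MANIFESTS)) {
  console.log(r.name.padEnd(18), r.ok ? `ok      ${r.target}` : `reject  ${r.reason}`);
}
```

The `sibling-prefix` entry is the case a `startsWith` comparison lets through, which is why the check compares `path.relative` output instead of string prefixes.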

@renovate renovate bot force-pushed the renovate/non-major branch 4 times, most recently from 9e33bb6 to a2fee6a Compare February 6, 2026 06:09
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@package.json`:
- Line 52: The tsdown upgrade to 0.20.2 introduces breaking config changes;
update all four tsdown.config.ts files (cli, convert, reactivity, runtime-core)
to be compatible: verify whether the existing dts: true still works—if not,
migrate to the new dts plugin and replace dts: true with the plugin
configuration; explicitly set fixedExtension (to true/false as appropriate for
node platform) and failOnWarn to the desired value to override new defaults;
rename any debugLogs keys to debug and remove any silent keys, and review
exports-related settings to match the new exports behavior in v0.20.2; finally
run a full build/CI to confirm no failing warnings or extension/output
regressions and adjust configs accordingly.

package.json Outdated

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
echo "=== Looking for tsdown config files ==="
fd -t f "tsdown\.config\.(json|js|ts|mjs)" 2>/dev/null || echo "None found"

echo ""
echo "=== Checking package.json for tsdown script usage ==="
cat -n package.json | grep -A 2 -B 2 "tsdown"

echo ""
echo "=== Checking for tsdown imports/usage in codebase ==="
rg "tsdown" --type ts --type js --type json -g '!node_modules' -A 1 2>/dev/null || echo "None found"

echo ""
echo "=== Checking npm registry for tsdown versions ==="
npm info tsdown 2>/dev/null | head -30 || echo "Could not fetch npm info"

Repository: deepnote/deepnote

Length of output: 3287


🌐 Web query:

tsdown 0.20.2 breaking changes from 0.15.9 changelog

💡 Result:

Breaking changes between tsdown v0.15.9 → v0.20.2

v0.16.0 (Nov 4, 2025)

  • Config API renames: split Options → UserConfig + InlineConfig (old Options becomes InlineConfig); rename NormalizedUserConfig → UserConfig; rename ResolvedOptions → ResolvedConfig. [1]
  • Default fixedExtension change (node platform): now defaults to true when platform is node, which can change output extensions to .mjs/.cjs and therefore affect package.json fields like main/module/types/exports/bin. [1]
  • CLI flag rename: --debug → --debug-logs. [1]

v0.17.0 (Dec 4, 2025)

  • Native watcher / config loader / CI behavior changes (listed as breaking): Rolldown native watcher; failOnWarn enabled by default in CI; removed unconfig from configLoader; multi-config support for exports/publint/attw. [2]
  • attw option value rename: attw.profile: "esmOnly" → "esm-only". [2]

v0.18.0 (Dec 15, 2025)

  • copy plugin behavior rework: “sync behavior of rollup-plugin-copy” (marked breaking). [3]

v0.19.0 (Jan 10, 2026)

  • Option rename: debugLogs → debug. [4]
  • Remove deprecated option: silent removed. [4]
  • devtools options renamed: debug → devtools, and debug.devtools → devtools.ui. [4]
  • exports behavior/options:
    • add exports.legacy; remove main & module fields if pure ESM
    • exports.exclude now excludes extension name
    • only auto-fill types when exports.legacy is enabled. [4]

v0.20.0-beta.1 (Jan 12, 2026)

  • dts option removed: upgrade dts plugin and remove dts.resolve. [5]

v0.20.2 (Feb 4, 2026)

  • Release notes show features/bugfixes only (no “Breaking Changes” section), e.g. rolldown upgrade + option validations/exports ordering fixes. [6]

Sources: [1] v0.16.0 release notes, [2] v0.17.0 release notes, [3] v0.18.0 release notes, [4] v0.19.0 release notes, [5] v0.20.0-beta.1 release notes, [6] v0.20.2 release notes.


🏁 Script executed:

#!/bin/bash
echo "=== Checking tsdown config files for deprecated options ==="
for file in packages/cli/tsdown.config.ts packages/convert/tsdown.config.ts packages/reactivity/tsdown.config.ts packages/runtime-core/tsdown.config.ts; do
  if [ -f "$file" ]; then
    echo ""
    echo "--- $file ---"
    cat -n "$file"
  fi
done

Repository: deepnote/deepnote

Length of output: 1154


Config migration required for tsdown 0.15.9 → 0.20.2.

Five minor versions in pre-1.0 semver include substantial breaking changes:

  • v0.16.0: config API renames, fixedExtension now defaults true for node platform (affects output extensions .mjs/.cjs)
  • v0.17.0: failOnWarn enabled by default in CI
  • v0.19.0: debugLogs → debug, silent removed, exports field behavior changed
  • v0.20.0: dts option handling changed

All 4 tsdown.config.ts files (cli, convert, reactivity, runtime-core) use dts: true and may need updates. Verify whether dts option still works in v0.20.2 or requires migration to dts plugin; confirm fixedExtension and failOnWarn defaults don't break builds.

🤖 Prompt for AI Agents
In `@package.json` at line 52, The tsdown upgrade to 0.20.2 introduces breaking
config changes; update all four tsdown.config.ts files (cli, convert,
reactivity, runtime-core) to be compatible: verify whether the existing dts:
true still works—if not, migrate to the new dts plugin and replace dts: true
with the plugin configuration; explicitly set fixedExtension (to true/false as
appropriate for node platform) and failOnWarn to the desired value to override
new defaults; rename any debugLogs keys to debug and remove any silent keys, and
review exports-related settings to match the new exports behavior in v0.20.2;
finally run a full build/CI to confirm no failing warnings or extension/output
regressions and adjust configs accordingly.

@renovate renovate bot force-pushed the renovate/non-major branch from a2fee6a to 081abd0 Compare February 6, 2026 10:03
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@package.json`:
- Around line 43-55: biome.json's $schema version is out of sync with the
installed `@biomejs/biome` (package.json lists 2.3.14); update the schema
reference in biome.json to match (e.g.
"https://biomejs.dev/schemas/2.3.14/schema.json") or point it to the local
package schema ("./node_modules/@biomejs/biome/configuration_schema.json"), then
run the CLI migration to apply any config changes (biome migrate --write) so the
schema and the installed CLI/plugin version align.

Comment on lines 43 to 55
"@biomejs/biome": "2.3.14",
"@types/node": "22.19.8",
"@vitest/coverage-v8": "4.0.18",
"cspell": "9.6.4",
"husky": "9.1.7",
"license-checker-rseidelsohn": "4.4.2",
"lint-staged": "16.2.5",
"prettier": "3.6.2",
"sort-package-json": "3.4.0",
"tsdown": "0.15.9",
"lint-staged": "16.2.7",
"prettier": "3.8.1",
"sort-package-json": "3.6.1",
"tsdown": "0.20.3",
"typescript": "5.9.3",
"vite-tsconfig-paths": "^6.0.0",
"vitest": "4.0.5"
"vitest": "4.0.18"
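
Review bot: "vite-tsconfig-paths": "^6.0.0" is the only ranged specifier in this devDependencies hunk, while every other entry is pinned to an exact version, so for this one package the installed version is fixed only by pnpm-lock.yaml. Pin it to an exact version like its neighbours so the manifest and the lockfile state the same thing. Separately, the hunk lists tsdown at both 0.15.9 and 0.20.3, a jump across five 0.x minor lines where breaking changes are permitted; that bump is better split out of the non-major batch so it can be reviewed and reverted on its own.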

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

npm view "@biomejs/biome@2.3.14" version 2>&1 | head -5

Repository: deepnote/deepnote

Length of output: 67


🏁 Script executed:

npm view "vitest@4.0.18" version 2>&1 | head -5

Repository: deepnote/deepnote

Length of output: 67


🏁 Script executed:

npm view "@vitest/coverage-v8@4.0.18" version 2>&1 | head -5

Repository: deepnote/deepnote

Length of output: 67


🏁 Script executed:

npm view "prettier@3.8.1" version 2>&1 | head -5

Repository: deepnote/deepnote

Length of output: 66


🏁 Script executed:

npm view "typescript@5.9.3" version 2>&1 | head -5

Repository: deepnote/deepnote

Length of output: 66


🏁 Script executed:

# Check if biome.json exists
if [ -f "biome.json" ]; then
  echo "=== biome.json found ===" && head -10 biome.json
else
  echo "=== biome.json not found ==="
fi

Repository: deepnote/deepnote

Length of output: 405


🏁 Script executed:

# List files in root to understand context
git ls-files | grep -E "^(package\.json|biome\.json|\.npmrc)" | head -20

Repository: deepnote/deepnote

Length of output: 84


🏁 Script executed:

# Check package.json for version history/comments and full devDependencies context
sed -n '30,60p' package.json

Repository: deepnote/deepnote

Length of output: 861


🌐 Web query:

vitest 4.0.18 security vulnerabilities CVE

💡 Result:

Vitest 4.0.18: no known CVE security vulnerabilities currently reported as affecting this version (e.g., Snyk shows “No vulnerabilities found in the latest version 4.0.18”). [1]

Relevant recent Vitest CVEs (affect older versions, not 4.0.18):

  • CVE-2025-24964 (Critical, RCE via CSWSH in Vitest API/WebSocket server) — affected versions are reported as up to/including 3.0.4, patched in 3.0.5 (and also in 1.6.1 and 2.1.9 for those release lines). Therefore 4.0.18 is not affected. [2][3]
  • CVE-2025-24963 (Path traversal / arbitrary file read in browser mode server handler) — fixed in 2.1.9 and 3.0.4; affected versions are below those fixes, so 4.0.18 is not affected. [4]

Sources: [1] [2] [3] [4]


🌐 Web query:

biome schema version compatibility 2.2.7 2.3.14

💡 Result:

Biome treats the config JSON schema as versioned and expects the $schema version to match the Biome CLI version. If you run Biome 2.3.14 with a config that points at the 2.2.7 schema URL, Biome will report a schema/CLI version mismatch and tell you to run biome migrate (people hit this even for patch bumps like 2.3.0 → 2.3.1). [1], [2]

What to do for 2.2.7 ↔ 2.3.14

  • If your CLI is 2.3.14, update $schema to the 2.3.14 schema (or run biome migrate --write). Biome explicitly recommends using biome migrate when the schema is outdated. [1]
  • To avoid chasing schema URL versions entirely, point $schema to the local schema shipped with your installed Biome:
    • "$schema": "./node_modules/@biomejs/biome/configuration_schema.json" (documented option). [3]

Rule of thumb

  • Older schema + newer CLI (2.2.7 schema with 2.3.14 CLI): expect a mismatch warning/error until you migrate/update. [1], [2]
  • Newer schema + older CLI: also risky—your config may contain options the older CLI doesn’t understand; keep schema aligned with the CLI (or use the local schema path). [1], [3]

Sources

  1. Biome issue discussing mismatch detection + recommended fix via biome migrate --write. [1]
  2. Example mismatch report (2.3.1 CLI vs 2.3.0 schema) showing the warning/error. [2]
  3. Official config docs showing the local configuration_schema.json path (and the versioned URL alternative). [3]

Update biome.json schema to match CLI version.

biome.json points to schema 2.2.7 but @biomejs/biome is 2.3.14. Biome enforces schema/CLI alignment and will error on mismatch. Either update $schema to "https://biomejs.dev/schemas/2.3.14/schema.json", run biome migrate --write, or use the local schema path "./node_modules/@biomejs/biome/configuration_schema.json" to avoid manual version chasing.

All devDependency bumps are patch/minor (semver-safe). vitest 4.0.18 has no known CVEs.

🤖 Prompt for AI Agents
In `@package.json` around lines 43 - 55, biome.json's $schema version is out of
sync with the installed `@biomejs/biome` (package.json lists 2.3.14); update the
schema reference in biome.json to match (e.g.
"https://biomejs.dev/schemas/2.3.14/schema.json") or point it to the local
package schema ("./node_modules/@biomejs/biome/configuration_schema.json"), then
run the CLI migration to apply any config changes (biome migrate --write) so the
schema and the installed CLI/plugin version align.

@renovate renovate bot force-pushed the renovate/non-major branch 7 times, most recently from b67023e to 95e47d8 Compare February 9, 2026 14:41
@renovate renovate bot force-pushed the renovate/non-major branch from 95e47d8 to 10aff3a Compare February 10, 2026 02:02