chore(deps-dev): bump the dev-dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the dev-dependencies group with 10 updates in the / directory:

Package	From	To
@biomejs/biome	2.4.11	2.5.0
@types/luxon	3.7.1	3.7.2
@types/node	24.12.2	24.13.2
esmock	2.7.3	2.7.6
mocha	11.7.5	11.7.6
mockttp	4.3.0	4.4.2
mongodb-memory-server	11.0.1	11.2.0
sinon	21.1.2	22.0.0
testcontainers	11.14.0	12.0.3
typescript	6.0.2	6.0.3

Updates @biomejs/biome from 2.4.11 to 2.5.0

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.5.0

2.5.0

Minor Changes

• #9539 f0615fd Thanks @​ematipico! - Added a new reporter called concise. When --reporter=concise is passed the commands format, lint, check and ci, the diagnostics are printed in a compact manner:

  ! index.ts:2:10: lint/correctness/noUnusedImports: Several of these imports are unused.
  ! main.ts:9:7: lint/correctness/noUnusedVariables: This variable f is unused.
  × index.ts:8:5: lint/suspicious/noImplicitAnyLet: This variable implicitly has the any type.
  × main.ts:2:10: lint/suspicious/noRedeclare: Shouldn't redeclare 'z'. Consider to delete it or rename it.
  

• #9495 2056b23 Thanks @​aviraldua93! - Added the useKeyWithClickEvents a11y lint rule for HTML files (.html, .vue, .svelte, .astro). This is a port of the existing JSX rule. The rule enforces that elements with an onclick handler also have at least one keyboard event handler (onkeydown, onkeyup, or onkeypress) to ensure keyboard accessibility.

  Inherently keyboard-accessible elements (<a>, <button>, <input>, <select>, <textarea>, <option>) are excluded, as are elements hidden from assistive technologies (aria-hidden) or with role="presentation" / role="none".

  <!-- Invalid: no keyboard handler -->
  <div onclick="handleClick()">Click me</div>
  <!-- Valid: has keyboard handler -->
  <div onclick="handleClick()" onkeydown="handleKeyDown()">Click me</div>
  <!-- Valid: inherently keyboard-accessible -->
  <button onclick="handleClick()">Submit</button>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUndeclaredClasses for HTML, JSX, and SFC files (Vue, Astro, Svelte). The rule detects CSS class names used in class="..." (or className) attributes that are not defined in any <style> block or linked stylesheet reachable from the file.

  <!-- .typo is used but never defined -->
  <html>
    <head>
      <style>
        .button {
          color: blue;
        }
      </style>
    </head>
    <body>
      <div class="button typo"></div>
    </body>
  </html>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.5.0

Minor Changes

• #9539 f0615fd Thanks @​ematipico! - Added a new reporter called concise. When --reporter=concise is passed the commands format, lint, check and ci, the diagnostics are printed in a compact manner:

  ! index.ts:2:10: lint/correctness/noUnusedImports: Several of these imports are unused.
  ! main.ts:9:7: lint/correctness/noUnusedVariables: This variable f is unused.
  × index.ts:8:5: lint/suspicious/noImplicitAnyLet: This variable implicitly has the any type.
  × main.ts:2:10: lint/suspicious/noRedeclare: Shouldn't redeclare 'z'. Consider to delete it or rename it.
  

• #9495 2056b23 Thanks @​aviraldua93! - Added the useKeyWithClickEvents a11y lint rule for HTML files (.html, .vue, .svelte, .astro). This is a port of the existing JSX rule. The rule enforces that elements with an onclick handler also have at least one keyboard event handler (onkeydown, onkeyup, or onkeypress) to ensure keyboard accessibility.

  Inherently keyboard-accessible elements (<a>, <button>, <input>, <select>, <textarea>, <option>) are excluded, as are elements hidden from assistive technologies (aria-hidden) or with role="presentation" / role="none".

  <!-- Invalid: no keyboard handler -->
  <div onclick="handleClick()">Click me</div>
  <!-- Valid: has keyboard handler -->
  <div onclick="handleClick()" onkeydown="handleKeyDown()">Click me</div>
  <!-- Valid: inherently keyboard-accessible -->
  <button onclick="handleClick()">Submit</button>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUndeclaredClasses for HTML, JSX, and SFC files (Vue, Astro, Svelte). The rule detects CSS class names used in class="..." (or className) attributes that are not defined in any <style> block or linked stylesheet reachable from the file.

  <!-- .typo is used but never defined -->
  <html>
    <head>
      <style>
        .button {
          color: blue;
        }
      </style>
    </head>
    <body>
      <div class="button typo"></div>
    </body>
  </html>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.

  /* styles.css — .ghost is never used in any importing file */

... (truncated)

Commits

• c0b9832 ci: release (#10499)
• 995c1ff feat(lint): add useFunctionComponentDefinition rule (#10498)
• 311c2b2 fix(biome_configuration): avoid Markdown links in JSON schema descriptions (#...
• 04c3f19 fix: docs and readme (#10584)
• 961f41c refactor(useExportType): improve docs and code (#10569)
• 78075b7 feat(useExportType): add style option (#10561)
• 6642895 feat: rule promotion for v2.5 (#10562)
• 9a5855e feat: noRestrictedDependencies (#10467)
• 608a62f Merge branch 'main' into chore/merge-main-into-next
• 0f29b83 feat(linter): implement useIncludes rule (#10516)
• Additional commits viewable in compare view

Updates @types/luxon from 3.7.1 to 3.7.2

Commits

• See full diff in compare view

Updates @types/node from 24.12.2 to 24.13.2

Commits

• See full diff in compare view

Updates esmock from 2.7.3 to 2.7.6

Release notes

Sourced from esmock's releases.

wildcard-issue resolved

mostly resolves a recently-discovered issue resolving certain wildcard-pattern export keys

• update test-coverage badge to reference "main" branch,
• specify node v24 at build+publish ci-job
• increment eslint and lint-related
• increment resolvewithplus, resolves wildcard-export-related issue. see iambumblehead/resolvewithplus#76 thanks @​AdaptivChris

clerical changes; linting+coverage

src files are unchanged; only clerical changes for linting and coverage tools,

• migrate to eslint 10
• migrate to @​eslint/markdown
• remove c8 test-coverage package, use node's --test-cover

support typescript-modules

• add support for typescript modules, no tests, thanks @​mbrevda,
• add node 25.x to test matrix,
• disable tests using node-ts (seems un-maintained),
• windows tests are disabled for "tests-node", lacking windows env to resolve

Changelog

Sourced from esmock's changelog.

changelog

• 2.7.7 ???
  • update github ci actions
• 2.7.6 May.27.2026
  • update test-coverage badge to reference "main" branch,
  • specify node v24 at build+publish ci-job
  • increment eslint and lint-related
  • increment resolvewithplus, resolves wildcard-export-related issue. see iambumblehead/resolvewithplus#76
• 2.7.5 May.09.2026
  • migrate to eslint 10
  • migrate to @​eslint/markdown
  • remove c8 test-coverage package, use node's --test-cover
• 2.7.4 May.04.2026
  • update tests to resolve tests that began to fail,
  • add suuport for typescript modules, no tests, thanks @​mbrevda,
  • add node 25.x to test matrix,
  • disable tests using node-ts (seems un-maintained),
  • windows tests are disabled for "tests-node", lacking windows env to resolve
• 2.7.3 Sep.12.2025
  • drop node version 18 and 20 from tests.
  • increment some dependencies and reduce audit warnings.
  • restore ava and all other disabled test-runner tests
• 2.7.2 Sep.01.2025
  • increment resolvewithplus, match exact export paths, thanks @​matz3
• 2.7.1 Jul.01.2025
  • added node v24 to test matrix
• 2.7.0 Jan.24.2025
  • update resolver to correctly resolve openai package
  • update typescript-eslint
• 2.6.9 Oct.18.2024
  • added --glob option for rimraf usage removing un-used sources
  • added node v23 to test matrix
  • resolve v23-related error when module.exports is exported
• 2.6.8 Oct.17.2024
  • added pnpm unit-test, thanks @​darcyrush
  • resolve issue for pnpm by escaping '+' char in regexp
  • add log utility function for debugging loader
  • dropped ava and jest from test sequence, node v22 --loader issues
• 2.6.7 Jul.16.2024
  • add swc tests and remove swc caution from README thanks @​Brooooooklyn
  • unpin node 22.1 at test CI and use latest 22.x
• 2.6.6 Jun.15.2024
  • add tsx tests and remove tsx caution from README thanks @​galexite
  • pin node 22.1 at test CI and ignore regressions in new node 22
  • migrate to eslint 9
• 2.6.5 Apr.25.2024
  • add node 22 to ci test pipeline thanks @​aladdin-add
  • use json import syntax with { type: 'json' } for node 22
  • skip node 22 tests on windows-latest ci, where node 22 is in a broken state, see nodejs/node#52682

... (truncated)

Commits

• ba5d2d2 Merge pull request #340 from iambumblehead/fix-changelog-link
• 21dd0b4 fix CHANGELOG.md link
• d0fea76 Merge pull request #339 from iambumblehead/increment-resolvewith-plus
• 08be213 increment resolvewithplus
• 99d4d86 Merge pull request #338 from iambumblehead/increment-eslint-and-related
• 9ce6992 increment eslint and related
• 405b513 Merge pull request #337 from iambumblehead/update-build-ci-job-spec-node-v24
• 3642278 update build+publish ci job spec
• 1b4b287 Merge pull request #336 from iambumblehead/reference-main-branch-test-coverag...
• c17920a reference main branch test-coverage-badge
• Additional commits viewable in compare view

Updates mocha from 11.7.5 to 11.7.6

Release notes

Sourced from mocha's releases.

v11.7.6

11.7.6 (2026-02-14)

🩹 Fixes

• make describe().timeout() work (aafe6fd)
• test: replace wmic usage with native Windows API (#5694) (73ebdfa)

🧹 Chores

• format all code (#5629) (0696784)
• remove Netlify (#5630) (8d01d33)

Changelog

Sourced from mocha's changelog.

11.7.6 (2026-02-14)

🩹 Fixes

• make describe().timeout() work (aafe6fd)
• test: replace wmic usage with native Windows API (#5694) (73ebdfa)

🧹 Chores

• format all code (#5629) (0696784)
• remove Netlify (#5630) (8d01d33)

Commits

• 3765ba0 chore(v11.x): release 11.7.6 (#5632)
• 73ebdfa fix(test): replace wmic usage with native Windows API (#5694)
• aafe6fd fix: make describe().timeout() work
• 0696784 chore: format all code (#5629)
• 8d01d33 chore: remove Netlify (#5630)
• See full diff in compare view

Updates mockttp from 4.3.0 to 4.4.2

Commits

• fd24a08 4.4.2
• feff512 Merge pull request #201 from chimurai/fix-ipv6-bracket-literals
• 43da445 refactor: update test with less ambiguous invalid ipv6 address
• 21bc0b3 fix(url): normalizeHost with ipv6 hostname
• b19b758 Fix bug in TLS event reporting after reset
• 0e03a31 4.4.1
• b71e389 Disable strictSingleValueFields for HTTP/2 responses
• e546ac5 4.4.0
• 4eba266 Add 'response-information' event to listen to 1xx info responses
• 7897012 Fix possible multi-firing events after reconnects
• Additional commits viewable in compare view

Updates mongodb-memory-server from 11.0.1 to 11.2.0

Release notes

Sourced from mongodb-memory-server's releases.

v11.2.0

11.2.0 (2026-05-28)

Dependencies

• yauzl: upgrade to 3.3.1 (#993) (30e206f), closes #992

v11.1.0

11.1.0 (2026-04-29)

Features

• resolveConfig: update default binary version to 8.2.6 (3876fad)
• update default-4.4-binary to 4.4.30 (119ef80)

Dependencies

• follow-redirects: upgrade to 1.16.0 (aed865f)
• mongodb: upgrade to 7.2.0 (b0a8b90)
• tar-stream: upgrade to 3.1.8 (026aa7f)
• yauzl: upgrade to 3.3.0 (ef4f38e)

Dev-Dependencies

• @​types/debug: upgrade to 4.1.13 (f4d5be2)
• @​types/yazl: upgrade to 3.3.1 (c329123)
• commitlint: upgrade to 20.5.2 (7640c9f)
• doctoc: upgrade to 2.4.1 (4443034)
• eslint-plugin-prettier: upgrade to 5.5.5 (f9889c4)
• eslint: upgrade to 10.2.1 (7e40e8c)
• jest: upgrade to 30.3.0 (5f7a6b2)
• lint-staged: upgrade to 16.4.0 (edd1f2d)
• prettier: upgrade to 3.8.3 (95a76d7)
• rimraf: upgrade to 6.1.3 (fddab3d)
• ts-jest: upgrade to 29.4.9 (7ed5a0f)
• typedoc: upgrade to 0.28.19 (acca60d)

Changelog

Sourced from mongodb-memory-server's changelog.

11.2.0 (2026-05-28)

Dependencies

• yauzl: upgrade to 3.3.1 (#993) (30e206f), closes #992

11.1.0 (2026-04-29)

Features

• resolveConfig: update default binary version to 8.2.6 (3876fad)
• update default-4.4-binary to 4.4.30 (119ef80)

Dependencies

• follow-redirects: upgrade to 1.16.0 (aed865f)
• mongodb: upgrade to 7.2.0 (b0a8b90)
• tar-stream: upgrade to 3.1.8 (026aa7f)
• yauzl: upgrade to 3.3.0 (ef4f38e)

Dev-Dependencies

• @​types/debug: upgrade to 4.1.13 (f4d5be2)
• @​types/yazl: upgrade to 3.3.1 (c329123)
• commitlint: upgrade to 20.5.2 (7640c9f)
• doctoc: upgrade to 2.4.1 (4443034)
• eslint-plugin-prettier: upgrade to 5.5.5 (f9889c4)
• eslint: upgrade to 10.2.1 (7e40e8c)
• jest: upgrade to 30.3.0 (5f7a6b2)
• lint-staged: upgrade to 16.4.0 (edd1f2d)
• prettier: upgrade to 3.8.3 (95a76d7)
• rimraf: upgrade to 6.1.3 (fddab3d)
• ts-jest: upgrade to 29.4.9 (7ed5a0f)
• typedoc: upgrade to 0.28.19 (acca60d)

Commits

• d90ae52 release: v11.2.0
• 1342553 release: v11.1.0
• See full diff in compare view

Updates sinon from 21.1.2 to 22.0.0

Changelog

Sourced from sinon's changelog.

22.0.0

• ed911df5 Update Ruby gems (Carl-Erik Kopseng)
• 75a1e5b8 Update to Node 26 (Carl-Erik Kopseng)
• 197d6608 Update documentation on faking timers to reflect the current state of fake-timers (Carl-Erik Kopseng)
• c5ddf80b Update fake-timers@15.4: includes new Temporal API (Carl-Erik Kopseng)
• f4ab02f6 Update updatable packages (Carl-Erik Kopseng)
• 0536afc8 Quality: Global mutable call id can grow unbounded across long-lived processes (#2691) (tuanaiseo)

  • refactor: global mutable call id can grow unbounded across l

  callId is module-scoped and incremented on every invocation. In long-running test runners or embedded usage, this can grow indefinitely and eventually lose integer precision semantics for strict ordering comparisons.

  Affected files: proxy-invoke.js

  Signed-off-by: tuanaiseo 221258316+tuanaiseo@users.noreply.github.com

  • Wrap around for all values that are too high

  ---

  Signed-off-by: tuanaiseo 221258316+tuanaiseo@users.noreply.github.com Co-authored-by: Carl-Erik Kopseng carlerik@gmail.com

• f4f7d93b Perform additional cleanup when calling callThrough() (#2670) (Cyrille)
• 6199e9e4 improve GitHubworkflows by introducing zizmor for monitoring (#2686) (Till!)

  • fix(workflows): fetch-depth is for actions/checkout
  • chore(workflows): update

  • pin all actions to precise commits
  • avoid credential leakage from actions/checkout
  • group action updates going forward
  • add zimor config to ignore "secrets outside env"
  • add job to keep validating workflows

• f7476b59 Use path.normalize() for path normalization (Carl-Erik Kopseng)
• 2c975393 fix: make build and node test scripts cross-platform (laplace young)
• a7692917 fix: isolate walk state from Object prototype (laplace young)
• 66df977a Fix sinon.restore() cascade-restoring sub-sandboxes (#2704) (Charlie Leitheiser)

  The ESM port of createApi (#2683, shipped in 21.1.0) replaced createSandbox: createSandbox with a wrapper that pushes every newly-created sandbox into the root sandbox's fake collection:

... (truncated)

Commits

• 52555af 22.0.0
• ed911df Update Ruby gems
• 75a1e5b Update to Node 26
• 197d660 Update documentation on faking timers to reflect the current state of fake-ti...
• c5ddf80 Update fake-timers@15.4: includes new Temporal API
• f4ab02f Update updatable packages
• 0536afc Quality: Global mutable call id can grow unbounded across long-lived processe...
• f4f7d93 Perform additional cleanup when calling callThrough() (#2670)
• 6199e9e improve GitHubworkflows by introducing zizmor for monitoring (#2686)
• 1519009 Merge #2703: isolate walk state from Object prototype
• Additional commits viewable in compare view

Updates testcontainers from 11.14.0 to 12.0.3

Release notes

Sourced from testcontainers's releases.

v12.0.3

Changes

🐛 Bug Fixes

• Downgrade archiver to restore Jest CJS compatibility @​cristianrgreco (#1366)

📦 Dependency Updates

• Bump testcontainers/sshd image from 1.3.0 to 1.4.0 @​mdelapenya (#1364)

v12.0.2

Changes

🐛 Bug Fixes

• Reset stateful regex log waits between matches @​cristianrgreco (#1352)
• Fix Couchbase service configuration @​cristianrgreco (#1356)
• Configure Azurite custom service ports @​cristianrgreco (#1354)
• Preserve TCP and UDP bindings for the same container port @​cristianrgreco (#1350)
• Apply custom MSSQL startup wait messages @​cristianrgreco (#1351)
• Copy Redpanda runtime assets during build @​cristianrgreco (#1357)
• Fix Redis and Valkey initial data handling @​cristianrgreco (#1355)

📦 Dependency Updates

• Bump the dependencies group across 11 directories with 10 updates @dependabot[bot] (#1362)
• Bump the dependencies group across 1 directory with 27 updates @dependabot[bot] (#1363)
• Bump the dependencies group across 11 directories with 11 updates @dependabot[bot] (#1358)
• Bump the dependencies group across 6 directories with 6 updates @dependabot[bot] (#1349)

v12.0.1

Changes

🐛 Bug Fixes

• Fix Podman image healthcheck detection @​cristianrgreco (#1341)

🧹 Maintenance

• Add npm dependency release age cooldown @​cristianrgreco (#1339)
• Use Docker Hub Redpanda image @​cristianrgreco (#1342)
• Use preinstalled Podman in checks @​cristianrgreco (#1334)
• Simplify affected package checks @​cristianrgreco (#1326)
• Add npm publish dry run workflow @​cristianrgreco (#1333)
• Upgrade build agents from Ubuntu 22.04 to 24.04 @​cristianrgreco (#986)
• Improve module compile checks @​cristianrgreco (#1327)

📦 Dependency Updates

... (truncated)

Commits

• a7fc211 Downgrade archiver to restore Jest CJS compatibility (#1366)
• 79f9707 Bump testcontainers/sshd image from 1.3.0 to 1.4.0 (#1364)
• d4c3ee1 v12.0.2
• 549bfa5 Bump the dependencies group across 11 directories with 10 updates (#1362)
• 6e7b6c8 Bump the dependencies group across 1 directory with 27 updates (#1363)
• 4ad504f Reset stateful regex log waits between matches (#1352)
• a1b87ed Fix Couchbase service configuration (#1356)
• 84aba48 Configure Azurite custom service ports (#1354)
• 1a32238 Preserve protocol-specific port bindings when filtering (#1350)
• 3286470 Apply custom MSSQL wait messages (#1351)
• Additional commits viewable in compare view

Updates typescript from 6.0.2 to 6.0.3

Release notes

Sourced from typescript's releases.

TypeScript 6.0.3

For release notes, check out the release announcement blog post.

• fixed issues query for TypeScript 6.0.0 (Beta).
• fixed issues query for TypeScript 6.0.1 (RC).
• fixed issues query for TypeScript 6.0.2 (Stable).
• fixed issues query for TypeScript 6.0.3 (Stable).

Downloads are available on:

• npm

Commits

• 050880c Bump version to 6.0.3 and LKG
• eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
• ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
• 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions