fix(deps): update all npm non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@ai-sdk/react (source)	^2.0.30 -> ^2.0.60
@babel/plugin-proposal-decorators (source)	^7.27.1 -> ^7.28.0
@biomejs/biome (source)	2.2.2 -> 2.2.5
@csstools/postcss-light-dark-function (source)	^2.0.10 -> ^2.0.11
@github/copilot-language-server	^1.366.0 -> ^1.378.0
@glideapps/glide-data-grid (source)	6.0.4-alpha16 -> 6.0.4-alpha9
@internationalized/date (source)	^3.9.0 -> ^3.10.0
@tailwindcss/postcss (source)	^4.1.12 -> ^4.1.14
@tailwindcss/typography	^0.5.16 -> ^0.5.19
@types/node (source)	^24.3.0 -> ^24.7.0
@types/react (source)	^19.1.12 -> ^19.2.2
@types/react-dom (source)	^19.1.9 -> ^19.2.1
@uiw/react-codemirror (source)	4.25.1 -> 4.25.2
@zed-industries/agent-client-protocol	^0.3.1 -> ^0.4.5
ai (source)	^5.0.30 -> ^5.0.60
humanize-duration	^3.33.0 -> ^3.33.1
jotai	^2.13.1 -> ^2.15.0
jotai-scope (source)	^0.9.3 -> ^0.9.5
katex (source)	^0.16.22 -> ^0.16.23
loro-codemirror	^0.2.0 -> ^0.3.3
loro-crdt (source)	^1.6.0 -> ^1.8.2
lucide-react (source)	^0.542.0 -> ^0.545.0
mermaid	^11.10.1 -> ^11.12.0
msw (source)	^2.11.1 -> ^2.11.3
partysocket (source)	1.1.5 -> 1.1.6
pnpm (source)	10.15.1 -> 10.18.1
react (source)	^19.1.0 -> ^19.2.0
react (source)	^19.1.1 -> ^19.2.0
react-codemirror-merge (source)	4.25.1 -> 4.25.2
react-dom (source)	^19.1.0 -> ^19.2.0
react-dom (source)	^19.1.1 -> ^19.2.0
react-virtuoso (source)	^4.14.0 -> ^4.14.1
sql-formatter	^15.6.6 -> ^15.6.10
stylelint (source)	^16.23.1 -> ^16.25.0
turbo (source)	^2.5.6 -> ^2.5.8
zod (source)	^4.1.11 -> ^4.1.12

---

Release Notes

vercel/ai (@​ai-sdk/react)

v2.0.60

Compare Source

Patch Changes

• ai@​5.0.60

v2.0.59

Compare Source

Patch Changes

• ai@​5.0.59

v2.0.58

Compare Source

Patch Changes

• ai@​5.0.58

v2.0.57

Compare Source

Patch Changes

• Updated dependencies [c319849]
  • ai@​5.0.57

v2.0.56

Compare Source

Patch Changes

• Updated dependencies [b1d8458]
  • ai@​5.0.56

v2.0.55

Compare Source

Patch Changes

• Updated dependencies [85da29e]
  • ai@​5.0.55

v2.0.54

Compare Source

Patch Changes

• bc5ed71: chore: update zod peer depenedency version
• Updated dependencies [bc5ed71]
  • @​ai-sdk/provider-utils@​3.0.10
  • ai@​5.0.54

v2.0.53

Compare Source

Patch Changes

• Updated dependencies [d335191]
  • ai@​5.0.53

v2.0.52

Compare Source

Patch Changes

• Updated dependencies [c56822d]
• Updated dependencies [930399b]
  • ai@​5.0.52

v2.0.51

Compare Source

Patch Changes

• Updated dependencies [27645bb]
  • ai@​5.0.51

v2.0.50

Compare Source

Patch Changes

• ai@​5.0.50

v2.0.49

Compare Source

Patch Changes

• Updated dependencies [17f9872]
  • @​ai-sdk/provider-utils@​3.0.12
  • @​ai-sdk/openai@​2.0.48

v2.0.48

Compare Source

Patch Changes

• Updated dependencies [17f9872]
  • @​ai-sdk/provider-utils@​3.0.12

v2.0.47

Compare Source

Patch Changes

• 99e2a2a: feat(provider/openai): support file and image tool results

v2.0.46

Compare Source

Patch Changes

• 66f69e7: Add 'default' as service tier

v2.0.45

Compare Source

Patch Changes

• 6f0644c: chore: use import * from zod/v4
• 6f0644c: chore: load zod schemas lazily
• Updated dependencies [6f0644c]
• Updated dependencies [6f0644c]
  • @​ai-sdk/provider-utils@​3.0.11

v2.0.44

Compare Source

Patch Changes

• 28215ca: fix(provider/openai): add providerExecuted flag to tool start chunks

v2.0.43

Compare Source

Patch Changes

• fd46da1: feat(provider/openai): add new model IDs gpt-image-1-mini, gpt-5-pro, gpt-5-pro-2025-10-06

v2.0.42

Compare Source

Patch Changes

• Updated dependencies [de5c066]
  • ai@​5.0.42

v2.0.41

Compare Source

Patch Changes

• Updated dependencies [cd91e4b]
  • ai@​5.0.41

v2.0.40

Compare Source

Patch Changes

• 8c74f47: feat(provider/openai): add gpt-5-codex model id
• adca087: feat(provider/openai): local shell tool

v2.0.39

Compare Source

Patch Changes

• 5428a0d: The built in Code Interpreter tool input code is streamed in tool-input-<start/delta/end> chunks.

v2.0.38

Compare Source

Patch Changes

• ai@​5.0.38

v2.0.37

Compare Source

Patch Changes

• 6075c91: feat(provider/openai): only send item references for reasoning when store: true

v2.0.36

Compare Source

Patch Changes

• bc5ed71: chore: update zod peer depenedency version
• Updated dependencies [bc5ed71]
  • @​ai-sdk/provider-utils@​3.0.10

v2.0.35

Compare Source

Patch Changes

• Updated dependencies [99c946a]
  • ai@​5.0.35

v2.0.34

Compare Source

Patch Changes

• ai@​5.0.34

v2.0.33

Compare Source

Patch Changes

• Updated dependencies [a617948]
  • @​ai-sdk/openai@​2.0.33

v2.0.32

Compare Source

Patch Changes

• 1cf857d: fix(provider/openai): remove provider-executed tools from chat completions model
• 01de47f: feat(provider/openai): rework file search tool

v2.0.31

Compare Source

Patch Changes

• bb94467: feat(provider/openai): add maxToolCalls provider option
• 4a2b70e: feat(provider/openai): send item references for provider-executed tool results
• 643711d: feat (provider/openai): provider defined image generation tool support

biomejs/biome (@​biomejs/biome)

v2.2.5

Compare Source

Patch Changes

• #​7597 5c3d542 Thanks @​arendjr! - Fixed #​6432: useImportExtensions now works correctly with aliased paths.

• #​7269 f18dac1 Thanks @​CDGardner! - Fixed #​6648, where Biome's noUselessFragments contained inconsistencies with ESLint for fragments only containing text.

  Previously, Biome would report that fragments with only text were unnecessary under the noUselessFragments rule. Further analysis of ESLint's behavior towards these cases revealed that text-only fragments (<>A</a>, <React.Fragment>B</React.Fragment>, <RenamedFragment>B</RenamedFragment>) would not have noUselessFragments emitted for them.

  On the Biome side, instances such as these would emit noUselessFragments, and applying the suggested fix would turn the text content into a proper JS string.

  // Ended up as: - const t = "Text"
  const t = <>Text</>
  
  // Ended up as: - const e = t ? "Option A" : "Option B"
  const e = t ? <>Option A</> : <>Option B</>
  
  /* Ended up as:
    function someFunc() {
      return "Content desired to be a multi-line block of text."
    }
  */
  function someFunc() {
    return <>
      Content desired to be a multi-line
      block of text.
    <>
  }

  The proposed update was to align Biome's reaction to this rule with ESLint's; the aforementioned examples will now be supported from Biome's perspective, thus valid use of fragments.

  // These instances are now valid and won't be called out by noUselessFragments.
  
  const t = <>Text</>
  const e = t ? <>Option A</> : <>Option B</>
  
  function someFunc() {
    return <>
      Content desired to be a multi-line
      block of text.
    <>
  }

• #​7498 002cded Thanks @​siketyan! - Fixed #​6893: The useExhaustiveDependencies rule now correctly adds a dependency that is captured in a shorthand object member. For example:

  useEffect(() => {
    console.log({ firstId, secondId });
  }, []);

  is now correctly fixed to:

  useEffect(() => {
    console.log({ firstId, secondId });
  }, [firstId, secondId]);

• #​7509 1b61631 Thanks @​siketyan! - Added a new lint rule noReactForwardRef, which detects usages of forwardRef that is no longer needed and deprecated in React 19.

  For example:

  export const Component = forwardRef(function Component(props, ref) {
    return <div ref={ref} />;
  });

  will be fixed to:

  export const Component = function Component({ ref, ...props }) {
    return <div ref={ref} />;
  };

  Note that the rule provides an unsafe fix, which may break the code. Don't forget to review the code after applying the fix.

• #​7520 3f06e19 Thanks @​arendjr! - Added new nursery rule noDeprecatedImports to flag imports of deprecated symbols.

Invalid example

// foo.js
import { oldUtility } from "./utils.js";

// utils.js
/**
 * @​deprecated
 */
export function oldUtility() {}

Valid examples

// foo.js
import { newUtility, oldUtility } from "./utils.js";

// utils.js
export function newUtility() {}

// @​deprecated (this is not a JSDoc comment)
export function oldUtility() {}

• #​7457 9637f93 Thanks @​kedevked! - Added style and requireForObjectLiteral options to the lint rule useConsistentArrowReturn.

  This rule enforces a consistent return style for arrow functions. It can be configured with the following options:

  • style: (default: asNeeded)
    • always: enforces that arrow functions always have a block body.
    • never: enforces that arrow functions never have a block body, when possible.
    • asNeeded: enforces that arrow functions have a block body only when necessary (e.g. for object literals).

style: "always"

Invalid:

const f = () => 1;

Valid:

const f = () => {
  return 1;
};

style: "never"

Invalid:

const f = () => {
  return 1;
};

Valid:

const f = () => 1;

style: "asNeeded"

Invalid:

const f = () => {
  return 1;
};

Valid:

const f = () => 1;

style: "asNeeded" and requireForObjectLiteral: true

Valid:

const f = () => {
  return { a: 1 };
};

• #​7510 527cec2 Thanks @​rriski! - Implements #​7339. GritQL patterns can now use native Biome AST nodes using their PascalCase names, in addition to the existing TreeSitter-compatible snake_case names.

  engine biome(1.0)
  language js(typescript,jsx)
  
  or {
    // TreeSitter-compatible pattern
    if_statement(),
  
    // Native Biome AST node pattern
    JsIfStatement()
  } as $stmt where {
    register_diagnostic(
      span=$stmt,
      message="Found an if statement"
    )
  }
  

• #​7574 47907e7 Thanks @​kedevked! - Fixed 7574. The diagnostic message for the rule useSolidForComponent now correctly emphasizes <For /> and provides a working hyperlink to the Solid documentation.

• #​7497 bd70f40 Thanks @​siketyan! - Fixed #​7320: The useConsistentCurlyBraces rule now correctly detects a string literal including " inside a JSX attribute value.

• #​7522 1af9931 Thanks @​Netail! - Added extra references to external rules to improve migration for the following rules: noUselessFragments & noNestedComponentDefinitions

• #​7597 5c3d542 Thanks @​arendjr! - Fixed an issue where package.json manifests would not be correctly discovered
  when evaluating files in the same directory.

• #​7565 38d2098 Thanks @​siketyan! - The resolver can now correctly resolve .ts, .tsx, .d.ts, .js files by .js extension if exists, based on the file extension substitution in TypeScript.

  For example, the linter can now detect the floating promise in the following situation, if you have enabled the noFloatingPromises rule.

  foo.ts

  export async function doSomething(): Promise<void> {}

  bar.ts

  import { doSomething } from "./foo.js"; // doesn't exist actually, but it is resolved to `foo.ts`
  
  doSomething(); // floating promise!

• #​7542 cadad2c Thanks @​mdevils! - Added the rule noVueDuplicateKeys, which prevents duplicate keys in Vue component definitions.

  This rule prevents the use of duplicate keys across different Vue component options such as props, data, computed, methods, and setup. Even if keys don't conflict in the script tag, they may cause issues in the template since Vue allows direct access to these keys.

  Invalid examples

  <script>
  export default {
    props: ["foo"],
    data() {
      return {
        foo: "bar",
      };
    },
  };
  </script>

  <script>
  export default {
    data() {
      return {
        message: "hello",
      };
    },
    methods: {
      message() {
        console.log("duplicate key");
      },
    },
  };
  </script>

  <script>
  export default {
    computed: {
      count() {
        return this.value * 2;
      },
    },
    methods: {
      count() {
        this.value++;
      },
    },
  };
  </script>

  Valid examples

  <script>
  export default {
    props: ["foo"],
    data() {
      return {
        bar: "baz",
      };
    },
    methods: {
      handleClick() {
        console.log("unique key");
      },
    },
  };
  </script>

  <script>
  export default {
    computed: {
      displayMessage() {
        return this.message.toUpperCase();
      },
    },
    methods: {
      clearMessage() {
        this.message = "";
      },
    },
  };
  </script>

• #​7546 a683acc Thanks @​siketyan! - Internal data for Unicode strings have been updated to Unicode 17.0.

• #​7497 bd70f40 Thanks @​siketyan! - Fixed #​7256: The useConsistentCurlyBraces rule now correctly ignores a string literal with braces that contains only whitespaces. Previously, literals that contains single whitespace were only allowed.

• #​7565 38d2098 Thanks @​siketyan! - The useImportExtensions rule now correctly detects imports with an invalid extension. For example, importing .ts file with .js extension is flagged by default. If you are using TypeScript with neither the allowImportingTsExtensions option nor the rewriteRelativeImportExtensions option, it's recommended to turn on the forceJsExtensions option of the rule.

• #​7581 8653921 Thanks @​lucasweng! - Fixed #​7470: solved a false positive for noDuplicateProperties. Previously, declarations in @container and @starting-style at-rules were incorrectly flagged as duplicates of identical declarations at the root selector.

  For example, the linter no longer flags the display declaration in @container or the opacity declaration in @starting-style.

  a {
    display: block;
    @​container (min-width: 600px) {
      display: none;
    }
  }
  
  [popover]:popover-open {
    opacity: 1;
    @​starting-style {
      opacity: 0;
    }
  }

• #​7529 fea905f Thanks @​qraqras! - Fixed #​7517: the useOptionalChain rule no longer suggests changes for typeof checks on global objects.

  // ok
  typeof window !== "undefined" && window.location;

• #​7476 c015765 Thanks @​ematipico! - Fixed a bug where the suppression action for noPositiveTabindex didn't place the suppression comment in the correct position.

• #​7511 a0039fd Thanks @​arendjr! - Added nursery rule noUnusedExpressions to flag expressions used as a statement that is neither an assignment nor a function call.

Invalid examples

f; // intended to call `f()` instead

function foo() {
  0; // intended to `return 0` instead
}

Valid examples

f();

function foo() {
  return 0;
}

• #​7564 40e515f Thanks @​turbocrime! - Fixed #​6617: improved useIterableCallbackReturn to correctly handle arrow functions with a single-expression void body.

  Now the following code doesn't trigger the rule anymore:

  [].forEach(() => void null);

v2.2.4

Compare Source

Patch Changes

• #​7453 aa8cea3 Thanks @​arendjr! - Fixed #​7242: Aliases specified in
  package.json's imports section now support having multiple targets as part of an array.

• #​7454 ac17183 Thanks @​arendjr! - Greatly improved performance of
  noImportCycles by eliminating allocations.

  In one repository, the total runtime of Biome with only noImportCycles enabled went from ~23s down to ~4s.

• #​7447 7139aad Thanks @​rriski! - Fixes #​7446. The GritQL
  $... spread metavariable now correctly matches members in object literals, aligning its behavior with arrays and function calls.

• #​6710 98cf9af Thanks @​arendjr! - Fixed #​4723: Type inference now recognises
  index signatures and their accesses when they are being indexed as a string.

Example

type BagOfPromises = {
  // This is an index signature definition. It declares that instances of type
  // `BagOfPromises` can be indexed using arbitrary strings.
  [property: string]: Promise<void>;
};

let bag: BagOfPromises = {};
// Because `bag.iAmAPromise` is equivalent to `bag["iAmAPromise"]`, this is
// considered an access to the string index, and a Promise is expected.
bag.iAmAPromise;

• #​7415 d042f18 Thanks @​qraqras! - Fixed #​7212, now the useOptionalChain rule recognizes optional chaining using
  typeof (e.g., typeof foo !== 'undefined' && foo.bar).

• #​7419 576baf4 Thanks @​Conaclos! - Fixed #​7323. noUnusedPrivateClassMembers no longer reports as unused TypeScript
  private members if the rule encounters a computed access on this.

  In the following example, member as previously reported as unused. It is no longer reported.

  class TsBioo {
    private member: number;
  
    set_with_name(name: string, value: number) {
      this[name] = value;
    }
  }

• 351bccd Thanks @​ematipico! - Added the new nursery lint rule
  noJsxLiterals, which disallows the use of string literals inside JSX.

  The rule catches these cases:

  <>
    <div>test</div> {/* test is invalid */}
    <>test</>
    <div>
      {/* this string is invalid */}
      asdjfl test foo
    </div>
  </>

• #​7406 b906112 Thanks @​mdevils! - Fixed an issue (#​6393) where the useHookAtTopLevel rule reported excessive diagnostics for nested hook calls.

  The rule now reports only the offending top-level call site, not sub-hooks of composite hooks.

  // Before: reported twice (useFoo and useBar).
  function useFoo() {
    return useBar();
  }
  function Component() {
    if (cond) useFoo();
  }
  // After: reported once at the call to useFoo().

• #​7461 ea585a9 Thanks @​arendjr! - Improved performance of
  noPrivateImports by eliminating allocations.

  In one repository, the total runtime of Biome with only noPrivateImports enabled went from ~3.2s down to ~1.4s.

• 351bccd Thanks @​ematipico! - Fixed #​7411. The Biome Language Server had a regression where opening an editor with a file already open wouldn't load the project settings correctly.

• #​7142 53ff5ae Thanks @​Netail! - Added the new nursery rule noDuplicateDependencies, which verifies that no dependencies are duplicated between the
  bundledDependencies, bundleDependencies, dependencies, devDependencies, overrides,
  optionalDependencies, and peerDependencies sections.

  For example, the following snippets will trigger the rule:

  {
    "dependencies": {
      "foo": ""
    },
    "devDependencies": {
      "foo": ""
    }
  }

  {
    "dependencies": {
      "foo": ""
    },
    "optionalDependencies": {
      "foo": ""
    }
  }

  {
    "dependencies": {
      "foo": ""
    },
    "peerDependencies": {
      "foo": ""
    }
  }

• 351bccd Thanks @​ematipico! - Fixed #​3824. Now the option CLI
  --color is correctly applied to logging too.

v2.2.3

Compare Source

Patch Changes

• #​7353 4d2b719 Thanks @​JeetuSuthar! - Fixed #​7340: The linter now allows the navigation property for view-transition in CSS.

  Previously, the linter incorrectly flagged navigation: auto as an unknown property. This fix adds navigation to the list of known CSS properties, following the CSS View Transitions spec.

• #​7275 560de1b Thanks @​arendjr! - Fixed #​7268: Files that are explicitly passed as CLI arguments are now correctly ignored if they reside in an ignored folder.

• #​7358 963a246 Thanks @​ematipico! - Fixed #​7085, now the rule noDescendingSpecificity correctly calculates the specificity of selectors when they are included inside a media query.

• #​7387 923674d Thanks @​qraqras! - Fixed #​7381, now the useOptionalChain rule recognizes optional chaining using Yoda expressions (e.g., undefined !== foo && foo.bar).

• #​7316 f9636d5 Thanks @​Conaclos! - Fixed #​7289. The rule useImportType now inlines import type into import { type } when the style option is set to inlineType.

  Example:

  import type { T } from "mod";
  // becomes
  import { type T } from "mod";

• #​7350 bb4d407 Thanks @​siketyan! - Fixed #​7261: two characters ・ (KATAKANA MIDDLE DOT, U+30FB) and ･ (HALFWIDTH KATAKANA MIDDLE DOT, U+FF65) are no longer considered as valid characters in identifiers. Property keys containing these character(s) are now preserved as string literals.

• #​7377 [811f47b](https:

---

Configuration

📅 Schedule: Branch creation - "on the 1st day of the month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
marimo-docs	Ready	Preview	Comment	Oct 11, 2025 0:13am

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.