build(deps-dev): bump the npm-development group across 1 directory with 6 updates #19

Open
dependabot[bot] wants to merge 2 commits into main from dependabot/npm_and_yarn/npm-development-17a179c4d8

@dependabot dependabot Bot commented on behalf of github Jun 14, 2026

Bumps the npm-development group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @biomejs/biome | 2.4.16 | 2.5.0 |
| @types/node | 25.9.1 | 25.9.3 |
| @vercel/ncc | 0.38.4 | 0.44.0 |
| @vitest/coverage-v8 | 4.1.7 | 4.1.8 |
| fallow | 2.80.0 | 2.96.0 |

Updates @biomejs/biome from 2.4.16 to 2.5.0

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.5.0

2.5.0

Minor Changes

  • #9539 f0615fd Thanks @ematipico! - Added a new reporter called concise. When --reporter=concise is passed to the commands format, lint, check and ci, the diagnostics are printed in a compact manner:

    ! index.ts:2:10: lint/correctness/noUnusedImports: Several of these imports are unused.
    ! main.ts:9:7: lint/correctness/noUnusedVariables: This variable f is unused.
    × index.ts:8:5: lint/suspicious/noImplicitAnyLet: This variable implicitly has the any type.
    × main.ts:2:10: lint/suspicious/noRedeclare: Shouldn't redeclare 'z'. Consider to delete it or rename it.
    
  • #9495 2056b23 Thanks @​aviraldua93! - Added the useKeyWithClickEvents a11y lint rule for HTML files (.html, .vue, .svelte, .astro). This is a port of the existing JSX rule. The rule enforces that elements with an onclick handler also have at least one keyboard event handler (onkeydown, onkeyup, or onkeypress) to ensure keyboard accessibility.

    Inherently keyboard-accessible elements (<a>, <button>, <input>, <select>, <textarea>, <option>) are excluded, as are elements hidden from assistive technologies (aria-hidden) or with role="presentation" / role="none".

    <!-- Invalid: no keyboard handler -->
    <div onclick="handleClick()">Click me</div>
    <!-- Valid: has keyboard handler -->
    <div onclick="handleClick()" onkeydown="handleKeyDown()">Click me</div>
    <!-- Valid: inherently keyboard-accessible -->
    <button onclick="handleClick()">Submit</button>

  • #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUndeclaredClasses for HTML, JSX, and SFC files (Vue, Astro, Svelte). The rule detects CSS class names used in class="..." (or className) attributes that are not defined in any <style> block or linked stylesheet reachable from the file.

    <!-- .typo is used but never defined -->
    <html>
      <head>
        <style>
          .button {
            color: blue;
          }
        </style>
      </head>
      <body>
        <div class="button typo"></div>
      </body>
    </html>

  • #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.5.0

Minor Changes

  • #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.

    /* styles.css — .ghost is never used in any importing file */

... (truncated)

Updates @types/node from 25.9.1 to 25.9.3

Updates @vercel/ncc from 0.38.4 to 0.44.0

Release notes

Sourced from @​vercel/ncc's releases.

0.44.0

0.44.0 (2026-06-09)

Features

0.43.0

0.43.0 (2026-06-09)

Changes

  • BREAKING CHANGE: add Node 24 and 26 support, remove 20 (#1318) (#1305)
  • switch npm releases to trusted publishing (OIDC) (#1325) (#1327) (#1328) (#1329) (#1330) (#1331) (#1332)
  • switch package management to pnpm (#1321)
  • fix predictable global cache directory in /tmp enables symlink/hijack risks (#1314)
  • reorder extension resolution to prioritise TypeScript over JSON (#1315)
  • support TypeScript 6 transpile builds (#1316)

Commits
  • 88be21f chore(deps): Bump actions/checkout from 5 to 6 (#1300)
  • 5ea625e feat: read permissions pr.yml (#1323)
  • a1ff315 feat: remove npm devDependency (#1332)
  • 9e077ab feat: add publishConfig to package.json (#1331)
  • 7290aa7 feat(ci): upgrade python and remove LLVM LTO flags from MSVC build to fix Nod...
  • a428a10 feat: publish using node@24 (#1329)
  • 3192116 feat: use canonical package repository metadata (#1328)
  • 4461a52 feat: lock semantic-release publish dependencies (#1327)
  • e00b2de feat: switch npm releases to trusted publishing (OIDC) (#1325)
  • 5f8f509 feat: delete .github/CODEOWNERS (#1324)
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​vercel/ncc since your current version.


Updates @vitest/coverage-v8 from 4.1.7 to 4.1.8

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.8

   🐞 Bug Fixes

Commits
  • e61f2dd chore: release v4.1.8
  • e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • See full diff in compare view

Updates fallow from 2.80.0 to 2.96.0

Release notes

Sourced from fallow's releases.

v2.96.0: dupes ignores imports by default, Impact moves to user dir, VS Code mute fix

Highlights

This release changes two analysis defaults, relocates Fallow Impact history out of your repo, and fixes the VS Code diagnostic-mute toggle.

Changed

fallow dupes ignores import declarations by default

Token-identical sorted import blocks are a structural property of well-formatted code, not copy-paste, so they no longer surface as clone groups. ignoreImports (opt-in since 2.33.0) now defaults to true.

  • Opt out with "ignoreImports": false in config, --no-ignore-imports on fallow dupes, or --dupes-no-ignore-imports on bare fallow. The MCP find_dupes / trace_clone tools accept ignore_imports: false, and the VS Code fallow.duplication.ignoreImports setting controls both directions.
  • Scope: ES import declarations only; CommonJS require() and export ... from re-export blocks are still counted.
  • Upgraders on a duplicates.threshold gate: the measured duplication percentage drops, so re-baseline against the new numbers (or set "ignoreImports": false to keep the old behavior). Saved duplication baselines should be re-saved; a one-time step-down in duplication trend at the upgrade boundary is expected.

Thanks @​danielo515 for the report (#1224).

Fallow Impact history moved to your user config dir

Enabling Impact (or recording a run) no longer creates a .fallow/ directory or edits the repo's .gitignore. The per-project store moved to <config-dir>/fallow/impact/<key>.json (~/Library/Application Support/fallow/ on macOS, $XDG_CONFIG_HOME/fallow/ on Linux, %APPDATA%\fallow\ on Windows). The store is keyed by repo identity, so any subdirectory or git worktree of a repo shares one history, and nothing is written into the working tree. An existing in-repo .fallow/impact.json is imported once on first run. Impact is now explicitly off in CI.

Added

  • fallow impact default on|off turns Impact on once for every project (a user-global opt-in); a per-project enable / disable always wins. The report and the impact MCP tool gain an enabled_source field (project / user / default).
  • fallow impact reset [--all] deletes stored history for this project, or with --all every project's history; the user-global default toggle is left untouched. fallow impact now prints the resolved store path and project key.

Fixed

VS Code: "Toggle Hide All Findings" can be undone again

After the extension moved open-file diagnostics to the LSP 3.17 pull path, toggling a mute updated only the push diagnostic collection, which the language server keeps empty for open files once the editor starts pulling. So hiding took effect only on the next edit, un-hiding did nothing visible, and findings stayed hidden through reinstalls and restarts (the muted state persists per workspace). Three fixes:

  • Mute toggles now re-pull open documents, so squiggles and Problems entries hide and show instantly.
  • Open-file findings no longer render twice after a toggle (pull results are no longer cached into the separate push collection).
  • Unchecking "All Fallow Findings" in the Manage Hidden Findings picker now reveals findings instead of silently re-hiding each category.

Thanks @​VariableVince for the report (discussion #287).

Full Changelog: fallow-rs/fallow@v2.95.0...v2.96.0

v2.95.0: Docker image, per-file health thresholds, scoped policy suppressions

Highlights

First-party Docker image

Fallow now ships a checksum-verified Dockerfile for the pinned Linux musl release binary, a source-built contributor Dockerfile, and a copyable Compose example. Projects mount at /workspace with host UID/GID mapping, so .fallow/ caches and reports stay host-owned. The runtime bundles git (for audit base detection) plus Node.js, npm, and Corepack for project dependency installs, and CI now builds the image on Dockerfile changes.

docker build -t fallow:local .
docker run --rm -v "$PWD:/workspace" --user "$(id -u):$(id -g)" fallow:local audit --format json --quiet

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.96.0] - 2026-06-13

Changed

  • fallow dupes now ignores import declarations by default. Token-identical sorted import blocks are a structural property of well-formatted code, not copy-paste, so they no longer surface as clone groups. ignoreImports (shipped opt-in in 2.33.0) now defaults to true. Opt out with "ignoreImports": false in config, --no-ignore-imports on fallow dupes, or --dupes-no-ignore-imports on bare fallow; the MCP find_dupes / trace_clone tools accept ignore_imports: false, and the VS Code fallow.duplication.ignoreImports setting now controls both directions. Scope: ES import declarations only; CommonJS require() calls and export ... from re-export blocks are still counted (extending coverage to those is queued as #1225).

    Operational notes for upgraders:

    • duplicates.threshold gate users: the measured duplication percentage drops, so a threshold tuned against import-inclusive counts is now effectively looser. Re-baseline against the new numbers, or set "ignoreImports": false to keep the old behavior.
    • Baseline / trend users: import-block clone groups disappear from the next run, so a saved duplication baseline (--save-baseline / --save-regression-baseline) should be re-saved after upgrading, and a one-time step-down in fallow impact / duplication trend at the upgrade boundary is expected, not a real regression.

    Thanks @​danielo515 for the report. (Closes #1224.)

  • Fallow Impact history now lives in your user config dir, not in each repo. Enabling Impact (or recording a run) no longer creates a .fallow/ directory or edits the repo's .gitignore; the per-project store moved to <config-dir>/fallow/impact/<key>.json (the same base as telemetry.json: ~/Library/Application Support/fallow/ on macOS, $XDG_CONFIG_HOME/fallow/ on Linux, %APPDATA%\fallow\ on Windows). The store is keyed by repo identity (git rev-parse --git-common-dir), so running fallow impact from any subdirectory or any git worktree of a repo resolves to one shared history, and nothing is ever written into the working tree. Per-finding attribution baselines are namespaced per worktree internally, so concurrent worktrees of one repo no longer prune each other's baseline. An existing in-repo .fallow/impact.json is imported once on first run (the old file is left untouched); a multi-package monorepo with several subdir stores imports whichever subdir runs first. After that one-time import the in-repo file is no longer read, so running an OLDER fallow binary on the same repo after upgrading writes to the legacy file and does not feed the new user store (a transient mixed-version condition). Impact is now also explicitly forced off in CI (previously it was only off because a fresh CI checkout had no store file), so a user-global default cannot start recording on a CI runner.

Added

  • fallow impact default on|off turns Impact on once for every project. A single user-global opt-in (stored at <config-dir>/fallow/impact.json) so new projects record without re-enabling each one; a per-project fallow impact enable / disable always wins over the default. The fallow impact --format json report and the impact MCP tool gain an enabled_source field (project / user / default) explaining why tracking is on, and pair with explicit_decision so an agent can tell a never-asked project (offer to enable) from one you deliberately disabled (stay quiet).

  • fallow impact reset [--all] deletes stored history. Removes this project's history, or with --all clears every project's history; the user-global default toggle is left untouched so a data wipe does not silently re-disable Impact. fallow impact (human output) now also prints the resolved store path and project key so you can find, inspect, or remove the file directly.

Fixed

  • Undoing "Fallow: Toggle Hide All Findings" in VS Code now brings diagnostics back immediately. After the extension moved open-file diagnostics to the LSP 3.17 pull path, toggling a mute (or per-category hide, or "Show All Findings") only re-published the push diagnostic collection, which the language server keeps empty for open files once the editor starts pulling. So hiding took effect only on the next edit, and un-hiding did nothing visible, leaving findings stuck hidden through reinstalls and restarts because the muted state persists per workspace. Mute toggles now also ask VS Code to re-pull open documents, so squiggles and Problems entries hide and show instantly again. Thanks @VariableVince for the report. (Refs discussion #287, fallow-rs/fallow#287.)

  • VS Code no longer renders Fallow squiggles twice after a mute toggle. The pull diagnostic provider owns its own collection, distinct from the push collection the mute filter re-publishes into. Because open-file pull results were cached and then re-published into the push collection on every mute, severity, or baseline change, each open-file finding could render twice (once per collection). Pull results are no longer cached (they are re-fetched on every re-pull), so open files render once.

  • Unchecking "All Fallow Findings" in the Manage Hidden Findings picker now reveals findings. While hide-all was active the picker auto-checked every category row, so unchecking the global row and accepting silently re-hid every category individually and findings stayed hidden. Category rows now reflect their real per-category state, so unchecking the global row shows everything (and any genuine per-category hide is preserved).

[2.95.0] - 2026-06-12

Added

  • Docker users now have a first-party CLI image recipe. The repo ships a checksum-verified Dockerfile for the pinned Linux musl release binary, a source-built contributor Dockerfile, and a copyable Compose example that mounts projects at /workspace with host UID/GID mapping so .fallow/ caches and reports stay host-owned. The runtime includes git for audit base detection plus Node.js, npm, and Corepack for project dependency installs, and CI now builds the Docker image on Dockerfile changes. Thanks @nic0michael for the Docker Compose starting point. (Closes #1205.)

  • Rule-pack policy findings can now be suppressed per rule. Suppression comments accept policy-violation:<pack>/<rule-id> for both fallow-ignore-next-line and fallow-ignore-file, so a waiver can target one rule-pack finding without hiding every policy violation at the same scope. Bare policy-violation remains supported as the family-wide token. Rule-pack names and rule ids now reject ambiguous characters so scoped tokens do not need escaping, stale-suppression output preserves the scoped token, and generated suppress actions prefer the scoped form. (Closes #1180.)

  • fallow health now supports per-file threshold overrides for complexity and CRAP. Configure health.thresholdOverrides[] with files globs, optional exact functions, and any of maxCyclomatic, maxCognitive, or maxCrap to raise local ceilings for intentional legacy hotspots while keeping global gates strict. The resolved thresholds flow through health and audit, finding actions use the effective ceiling, and JSON, human, markdown, and compact output report active, stale, and full-run no-match override state so temporary exceptions remain visible. Thanks @​velios for the report. (Closes #1206.)

Fixed

  • unused-class-members no longer fires on Playwright page-object methods reached through fixture wrappers. mergeTests(...) wrappers and chained wrapper .extend(...) calls now inherit the fixture definitions from their wrapped Playwright test objects before callback-side member uses are correlated. The extractor records conservative wrapper-alias sentinels for Playwright's named mergeTests import, including aliased named imports, and for .extend(...) calls on fixture wrappers. The analyzer expands those aliases transitively with cycle protection, so page-object methods used through merged or extended fixtures are credited while genuinely unused decorated methods still report. Local functions named mergeTests and unmatched wrapper aliases do not create credit. Thanks @​vethman for the report. (Closes #1210.)

[2.94.0] - 2026-06-12

Added

  • Bare fallow now accepts Istanbul coverage inputs for the embedded health pass. The combined default command can now read --coverage / --coverage-root, FALLOW_COVERAGE / FALLOW_COVERAGE_ROOT, and health.coverage / health.coverageRoot so fallow --format json uses the same exact CRAP scoring path as fallow health. Standalone health and bare combined mode resolve each coverage input independently with CLI, then env, then config, then auto-detection precedence. The GitHub Action and GitLab CI default combined runs now forward their coverage inputs to the bare command too. Thanks @​stieglma for the follow-up. (Refs #300.)

  • Opt-in telemetry can now count installs instead of runs. When telemetry is enabled, Fallow keeps one anonymous install grouping token in telemetry.json: a freshly random value (never derived from machine, user, repository, project, path, or environment data) minted on fallow telemetry enable or the first upload after FALLOW_TELEMETRY=on, reused unchanged across runs, and deleted by fallow telemetry disable. It is sent only as a private X-Fallow-Install transport header for server-side grouping, never as an event property, so the events Fallow serializes and spools still carry no identifiers. An env-only opt-in stays scoped to the invocation: the lazy mint persists only the token, never a config-level enable. fallow telemetry status reports only whether the token is present (never the token itself); fallow telemetry inspect --example now lists the private transport headers alongside the example payload.

... (truncated)

Commits
  • 24a30b1 chore: release v2.96.0
  • 5d837a2 docs(impact): drop intra-doc link to cfg(test)-only TEST_FORCE_CI
  • 7bed9e4 fix(impact): isolate the CI record-gate in unit tests
  • 0f54c7e feat(impact): relocate store to user config dir; global opt-in default
  • ee7768c fix(vscode): re-pull open documents on diagnostic mute toggle (#1228)
  • 4925a49 feat(dupes): make ignoreImports the default with opt-out (#1226)
  • 0fee75b docs(vscode): use canonical 'fallow dead-code' over legacy 'fallow check'
  • 12504f5 chore(napi): sync package.json / package-lock / index.js to v2.95.0
  • 7efec6d chore: release v2.95.0
  • f4d2d51 fix: credit Playwright fixture wrapper members
  • Additional commits viewable in compare view

Updates vitest from 4.1.7 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

Commits
  • e61f2dd chore: release v4.1.8
  • e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



@dependabot dependabot Bot added the dependencies and javascript labels Jun 14, 2026
dependabot Bot and others added 2 commits June 15, 2026 06:22
…th 6 updates

Bumps the npm-development group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) | `2.4.16` | `2.5.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.9.1` | `25.9.3` |
| [@vercel/ncc](https://github.com/vercel/ncc) | `0.38.4` | `0.44.0` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.7` | `4.1.8` |
| [fallow](https://github.com/fallow-rs/fallow) | `2.80.0` | `2.96.0` |



Updates `@biomejs/biome` from 2.4.16 to 2.5.0
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.5.0/packages/@biomejs/biome)

Updates `@types/node` from 25.9.1 to 25.9.3
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@vercel/ncc` from 0.38.4 to 0.44.0
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](vercel/ncc@0.38.4...0.44.0)

Updates `@vitest/coverage-v8` from 4.1.7 to 4.1.8
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.8/packages/coverage-v8)

Updates `fallow` from 2.80.0 to 2.96.0
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.80.0...v2.96.0)

Updates `vitest` from 4.1.7 to 4.1.8
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.8/packages/vitest)

---
updated-dependencies:
- dependency-name: "@biomejs/biome"
  dependency-version: 2.5.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
- dependency-name: "@types/node"
  dependency-version: 25.9.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-development
- dependency-name: "@vercel/ncc"
  dependency-version: 0.44.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-development
- dependency-name: fallow
  dependency-version: 2.96.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
- dependency-name: vitest
  dependency-version: 4.1.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-development
...

Signed-off-by: dependabot[bot] <support@github.com>

Dependabot PRs receive CONTEXTLEVY_APP_ID but not the app private key
secret, which caused the self-hosted ContextLevy check to fail before
analysis ran. Treat partial app credentials as absent and fall back to
GITHUB_TOKEN with a warning.

Migrate biome.json to the 2.5.0 schema (preset field) and rebuild dist
after the auth change.
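
The credential fallback described in the commit message above, as an added example (not the project's own code): app auth is used only when both halves of the credential pair are present, and a partial pair is ignored with a warning that names the missing variable but never echoes a value. `CONTEXTLEVY_APP_ID` and `GITHUB_TOKEN` come from the page; the name `CONTEXTLEVY_APP_PRIVATE_KEY`, the function names and the sample environments are assumptions.

```javascript
// Added example: credential resolution for a CI check that prefers GitHub App
// auth but must still run on PRs where only part of the app config is present.
const APP_ID_VAR = "CONTEXTLEVY_APP_ID";           // named on the page
const APP_KEY_VAR = "CONTEXTLEVY_APP_PRIVATE_KEY"; // hypothetical name

// A secret that is not available to the run reaches the step as an empty
// string, so empty and whitespace-only values count as absent.
function present(value) {
  return typeof value === "string" && value.trim() !== "";
}

// Returns { mode, warnings, ...credentials }.
// mode is "app" (both app values set), "token" (GITHUB_TOKEN fallback) or "none".
function resolveAuth(env) {
  const warnings = [];
  const hasId = present(env[APP_ID_VAR]);
  const hasKey = present(env[APP_KEY_VAR]);

  if (hasId && hasKey) {
    return {
      mode: "app",
      appId: env[APP_ID_VAR].trim(),
      privateKey: env[APP_KEY_VAR],
      warnings,
    };
  }

  // Exactly one half is set: treat the pair as absent instead of failing
  // before analysis runs. The warning names the variable, never its value.
  if (hasId !== hasKey) {
    const missing = hasId ? APP_KEY_VAR : APP_ID_VAR;
    warnings.push(
      `Partial app credentials: ${missing} is not set; ` +
        "ignoring app auth and falling back to GITHUB_TOKEN."
    );
  }

  if (present(env.GITHUB_TOKEN)) {
    return { mode: "token", token: env.GITHUB_TOKEN, warnings };
  }

  warnings.push("No usable credentials: GITHUB_TOKEN is not set either.");
  return { mode: "none", warnings };
}

// Constructed sample environments (all values are placeholders).
const SAMPLE_ENVS = {
  maintainerPush: {
    CONTEXTLEVY_APP_ID: "000000",
    CONTEXTLEVY_APP_PRIVATE_KEY: "PLACEHOLDER-PRIVATE-KEY",
    GITHUB_TOKEN: "placeholder-token",
  },
  // App id arrives, private key does not: the case the commit message describes.
  dependabotPr: {
    CONTEXTLEVY_APP_ID: "000000",
    CONTEXTLEVY_APP_PRIVATE_KEY: "",
    GITHUB_TOKEN: "placeholder-token",
  },
  noCredentials: {},
};

// Resolve every sample and keep only the non-secret outcome for logging.
function resolveSamples() {
  const out = {};
  for (const [name, env] of Object.entries(SAMPLE_ENVS)) {
    const { mode, warnings } = resolveAuth(env);
    out[name] = { mode, warnings };
  }
  return out;
}

for (const [name, result] of Object.entries(resolveSamples())) {
  console.log(name, result.mode, result.warnings);
}
```
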
@nonlooped nonlooped force-pushed the dependabot/npm_and_yarn/npm-development-17a179c4d8 branch from 993cec1 to a19dd25 Compare June 15, 2026 03:23
contextlevy Bot commented Jun 15, 2026


🤖 ContextLevy

This PR adds build artifacts and lockfile churn — expect a noisy agent review.

Risk level: 🟡 Medium · ~3.8k estimated context tokens

| Added | Finding |
| --- | --- |
| +66 | dist/index.js: Build artifacts are rarely useful agent context. |
| +3.6k | package-lock.json: Lockfiles add bulk context; agents often need dependency names but not every resolved URL. |

Estimated worst-case input cost if read by an agent
Illustrative only — agents may not read every changed file. Not billing-grade.

| Pricing profile | Est. input cost (±50%) |
| --- | --- |
| GPT-5.5 | ~$0.01–$0.03/session |
| Kimi K2.6 | ~$0.00/session |

Suggestions

  • Commit lockfiles when your team policy requires reproducible installs — just expect higher context cost.
  • Keep build output out of version control.
  • Consider excluding these paths from agent indexing (tool-agnostic):
      • dist/index.js

Many tools honor .gitignore; others support dedicated ignore files such as .cursorignore.

Different models tokenize differently, and agents may not read every changed file. ContextLevy estimates context risk, not exact billing.

ContextLevy runs locally in CI and does not send code to an external API.
