chore(deps): update npm-dev - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@tailwindcss/postcss (source)	4.2.4 → 4.3.1
@types/node (source)	25.6.0 → 25.9.4
@types/react (source)	19.2.14 → 19.2.17
@typescript-eslint/eslint-plugin (source)	8.59.2 → 8.61.1
@typescript-eslint/parser (source)	8.59.2 → 8.61.1
eslint (source)	10.3.0 → 10.5.0
eslint-config-next (source)	16.2.4 → 16.2.9
eslint-plugin-prettier	5.5.5 → 5.5.6
postcss (source)	8.5.14 → 8.5.15
prettier (source)	3.8.3 → 3.8.4
tailwindcss (source)	4.2.4 → 4.3.1

---

Release Notes

tailwindlabs/tailwindcss (@​tailwindcss/postcss)

v4.3.1

Compare Source

Added

• Add --silent option to suppress output in @tailwindcss/cli (#​20100)

Fixed

• Remove deprecation warnings by using Module#registerHooks instead of Module#register on Node 26+ (#​20028)
• Canonicalization: don't crash when plugin utilities throw for unsupported values (#​20052)
• Allow @apply to be used with CSS mixins (#​19427)
• Ensure not-* correctly negates @container queries, including style(…) queries (#​20059)
• Ensure drop-shadow-* color utilities work with custom shadow values containing calc(…) (#​20080)
• Fix 'Sourcemap is likely to be incorrect' warnings when using @tailwindcss/vite (#​20103)
• Ensure @tailwindcss/webpack can be installed in Rspack projects without requiring webpack as a peer dependency (#​20027)
• Canonicalization: don't suggest invalid calc(…) expressions (e.g. px-[calc(1rem+0px)] → px-[calc(1rem+0)]) (#​20127)
• Canonicalization: avoid suggesting large spacing-scale values for arbitrary lengths (e.g. left-[99999px] → left-[99999px], not left-24999.75) (#​20130)
• Ensure @tailwindcss/cli in --watch mode recovers when a tracked dependency is deleted and restored (#​20137)
• Ensure standalone @tailwindcss/cli binaries are ignored when scanning for class candidates (#​20139)
• Ensure class candidates are extracted from Twig addClass(…) and removeClass(…) calls (#​20198)
• Don't crash in the Ruby or Vue preprocessors when scanning files containing invalid UTF-8 bytes (#​19588)
• Allow @variant to be used inside addBase (#​19480)
• Ensure @source globs with symlinks are preserved (#​20203)
• Ensure later @source rules can re-include files excluded by earlier @source not rules (#​20203)
• Upgrade: don't migrate empty class rules to invalid @utility rules (#​20205)
• Ensure transitions between inset-shadow-none and other inset shadows work correctly (#​20208)
• Ensure explicitly referenced @source directories are scanned even when ignored by git (#​20214)
• Ensure @source globs ending in **/* preserve dynamic path segments to avoid scanning too many files (#​20217)
• Canonicalization: don't fold calc(…) divisions when the result would require high precision (e.g. w-[calc(100%/3.5)] → w-[calc(100%/3.5)], not w-[28.571428571428573%]) (#​20221)
• Serve ESM type declarations to ESM importers of @tailwindcss/postcss (#​20228)

Changed

• Generate 0 instead of calc(var(--spacing) * 0) for spacing utilities like m-0 and left-0 (#​20196)
• Generate var(--spacing) instead of calc(var(--spacing) * 1) for spacing utilities like m-1 and left-1 (#​20196)

v4.3.0

Compare Source

Added

• Add @container-size utility (#​18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#​19981, #​20019)
• Add scrollbar-gutter-* utilities (#​20018)
• Add zoom-* utilities (#​20020)
• Add tab-* utilities (#​20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#​19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#​19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#​19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#​19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#​19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#​19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#​19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#​19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#​19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#​19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#​19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#​19918)
• Allow multiple @utility definitions with the same name but different value types (#​19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#​19707)
• Ensure start and end legacy utilities without values do not generate CSS (#​20003)
• Ensure --value(…) is required in functional @utility definitions (#​20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#​20011)

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.61.1

Compare Source

🩹 Fixes

• eslint-plugin: [no-unnecessary-template-expression] respect ECMAScript line terminators (#​12388)
• eslint-plugin: [no-unnecessary-boolean-literal-compare] fix precedence bug in autofix (#​12413)
• eslint-plugin: [no-unnecessary-type-assertion] wrap object literal in parens when removing TSTypeAssertion in arrow body (#​12394, #​12393)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive for template literal expressions (#​12281)
• eslint-plugin: [consistent-indexed-object-style] do not remove comments when fixing (#​12396, #​10577)

❤️ Thank You

• Anas @​anasm266
• Deftera @​Deftera186
• Kirk Waiblinger @​kirkwaiblinger
• lumir
• Sarath Francis @​sarathfrancis90

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.61.0

Compare Source

🚀 Features

• ast-spec: change type of UnaryExpression.prefix to always true (#​12372)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.60.1

Compare Source

🩹 Fixes

• eslint-plugin: [no-shadow] correct rule to match ESLint v10 handling (#​12182)
• eslint-plugin: respect ECMAScript line terminators in ts-comment rules (#​12352)

❤️ Thank You

• lumir
• Nevette Bailey @​nevette-bailey

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.60.0

Compare Source

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.4

Compare Source

🩹 Fixes

• eslint-plugin: [no-floating-promises] stack overflow when using recursive types (#​12294)

❤️ Thank You

• Evyatar Daud @​StyleShit

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.3

Compare Source

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.61.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.61.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.60.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.60.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.4

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.3

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

eslint/eslint (eslint)

v10.5.0

Compare Source

Features

• 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#​20973) (Pixel998)
• b565783 feat: report no-with violations at the with keyword (#​20971) (Pixel998)
• 2ce032f feat: report max-lines-per-function violations at function head (#​20966) (Pixel998)
• 732cb3e feat: report max-nested-callbacks violations at function head (#​20967) (Pixel998)
• f9c138a feat: report max-depth violations on keywords (#​20943) (Pixel998)
• bdb496c feat: correct max-depth handling for else-if chains (#​20944) (Pixel998)
• c296873 feat: update error loc in max-statements to function header (#​20907) (Taejin Kim)

Documentation

• 8ae1b5b docs: Update README (GitHub Actions Bot)
• ca7eb90 docs: update Node.js prerequisites to include ICU support (#​20962) (Francesco Trotta)
• f99b47a docs: Update README (GitHub Actions Bot)
• acf03d4 docs: clarify precedence of parserOptions over languageOptions (#​20926) (sethamus)

Chores

• b18bf58 chore: update ecosystem plugins (#​20959) (ESLint Bot)
• c2d1444 refactor: replace areAllSegmentsUnreachable with !isAnySegmentReachable (#​20951) (Taejin Kim)
• 243b8c5 chore: enhance config-rule to support oneOf, anyOf, and nested schemas (#​20788) (kuldeep kumar)
• 217b2a9 test: add unit tests for ParserService (#​20949) (Taejin Kim)
• 72003e7 test: add location information to error messages in max-statements (#​20945) (lumir)
• 7797c26 refactor: deduplicate isAnySegmentReachable across rules (#​20890) (Taejin Kim)
• 67c46fa chore: update ecosystem plugins (#​20938) (ESLint Bot)
• 95d8c7a chore: update dependency @​eslint/json to v2 (#​20934) (renovate[bot])
• cf9e496 chore: update @​arethetypeswrong/cli to 0.18.3 (#​20933) (Pixel998)
• fb6d396 test: run type tests with TypeScript 7 (#​20868) (sethamus)

v10.4.1

Compare Source

Bug Fixes

• e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#​20930) (Francesco Trotta)
• d4ce898 fix: propagate failures from delegated commands (#​20917) (Minh Vu)
• f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#​20916) (kuldeep kumar)
• c5bc78b fix: false positive for reference in finally block (#​20655) (Tanuj Kanti)
• 27538c0 fix: add missing CodePath and CodePathSegment types (#​20853) (Pixel998)

Documentation

• 61b0add docs: remove deprecated rule from related rules of max-params (#​20921) (Tanuj Kanti)
• 305d5b9 docs: remove deprecated rules from related rules section (#​20911) (Tanuj Kanti)
• 49b0202 docs: fix display: none of ad (#​20901) (Tanuj Kanti)
• 9067f94 docs: switch build to Node.js 24 (#​20893) (Milos Djermanovic)
• c91b041 docs: Update README (GitHub Actions Bot)
• e349265 docs: clarify semver strings in rule deprecation objects (#​20885) (Milos Djermanovic)

Chores

• b0e466b test: add data property to invalid tests cases for rules (#​20924) (Tanuj Kanti)
• f78838b test: add CodePath type coverage (#​20904) (Pixel998)
• 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#​20922) (Francesco Trotta)
• 002942c ci: declare contents:read on update-readme workflow (#​20919) (Arpit Jain)
• 64bca24 chore: update ecosystem plugins (#​20912) (ESLint Bot)
• 6d7c832 chore: ignore fflate updates in renovate (#​20908) (Pixel998)
• b2c8638 ci: bump pnpm/action-setup from 6.0.7 to 6.0.8 (#​20889) (dependabot[bot])
• a9b8d7f chore: increase maxBuffer for ecosystem tests (#​20881) (sethamus)
• b702ead chore: update ecosystem update PR settings (#​20884) (Pixel998)
• 507f60e chore: update ecosystem plugins (#​20882) (ESLint Bot)
• 92f5c5b test: add unit test for message-count (#​20878) (kuldeep kumar)
• df32108 chore: add @​eslint/markdown and typescript-eslint ecosystem tests (#​20837) (sethamus)
• 327f91d chore: use includeIgnoreFile internally (#​20876) (Kirk Waiblinger)
• f0dc4bd chore: pin fflate@​0.8.2 (#​20877) (Milos Djermanovic)
• 0f4bd25 ci: run Discord alert for ecosystem test failures (#​20873) (Copilot)

v10.4.0

Compare Source

Features

• 1a45ec5 feat: check sequence expressions in for-direction (#​20701) (kuldeep kumar)
• 450040b feat: add includeIgnoreFile() to eslint/config (#​20735) (Kirk Waiblinger)

Bug Fixes

• 544c0c3 fix: escape code path DOT labels in debug output (#​20866) (Pixel998)
• 6799431 fix: update dependency @​eslint/config-helpers to ^0.6.0 (#​20850) (renovate[bot])
• f078fef fix: handle non-array deprecated rule replacements (#​20825) (xbinaryx)

Documentation

• 7e52a71 docs: add mention of @eslint-react/eslint-plugin (#​20869) (Pavel)
• db3468b docs: tweak wording around ambiguous CJS-vs-ESM config (#​20865) (Kirk Waiblinger)
• 9084664 docs: Update README (GitHub Actions Bot)
• 9cc7387 docs: Update README (GitHub Actions Bot)
• 3d7b548 docs: Update README (GitHub Actions Bot)
• 191ec3c docs: Update README (GitHub Actions Bot)

Chores

• 6616856 chore: upgrade knip to v6 (#​20875) (Pixel998)
• d13b084 ci: ensure auto-created PRs run CI (#​20860) (lumir)
• e71c7af ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 (#​20862) (dependabot[bot])
• d84393d test: add unit tests for SuppressionsService.applySuppressions() (#​20863) (kuldeep kumar)
• 24db8cb test: add tests for SuppressionsService.save() (#​20802) (kuldeep kumar)
• 2ef0549 chore: update ecosystem plugins (#​20857) (github-actions[bot])
• a429791 ci: remove eslint-webpack-plugin types integration test (#​20668) (Milos Djermanovic)
• 9e37386 chore: replace recast with range approach in code-sample-minimizer (#​20682) (Copilot)
• 0dd1f9f test: disable warning for vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER (#​20845) (Francesco Trotta)
• 9da3c7b refactor: remove deprecated meta.language and migrate meta.dialects (#​20716) (Pixel998)
• 2099ed1 refactor: add meta.defaultOptions to more rules, enable linting (#​20800) (xbinaryx)
• f1dfbc9 chore: update ecosystem plugins (#​20836) (github-actions[bot])
• c759413 ci: bump pnpm/action-setup from 6.0.3 to 6.0.5 (#​20843) (dependabot[bot])
• 5b817d6 test: add unit tests for lib/shared/ast-utils (#​20838) (kuldeep kumar)
• 1c13ae3 test: add unit tests for lib/shared/severity (#​20835) (kuldeep kumar)

vercel/next.js (eslint-config-next)

v16.2.9

Compare Source

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Compare Source

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#​93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#​93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#​93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#​93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#​93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#​93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#​93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#​94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#​94050)
• [backport] Propagate adapter preferred regions (#​94200)
• [16.2.x] Don't drop FormData entries (#​94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#​94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

v16.2.6

Compare Source

[!NOTE]
This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#​92231)
• Fix fallback route params case in app-page handler (#​91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#​91541)
• Patch setHeader for direct route handlers (#​93101)
• Include deployment id in cacheHandlers keys (#​93453)
• Fix double-encoding of URL pathname parts in client param parsing (#​93491)

v16.2.5

Compare Source

[!NOTE]
This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#​92231)
• Fix fallback route params case in app-page handler (#​91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#​91541)
• Patch setHeader for direct route handlers (#​93101)
• Include deployment id in cacheHandlers keys (#​93453)
• Fix double-encoding of URL pathname parts in client param parsing (#​93491)

prettier/eslint-plugin-prettier (eslint-plugin-prettier)

v5.5.6

Compare Source

Patch Changes

• #​791 b5c96a3 Thanks @​JounQin! - chore: bump all (dev)Dependencies

postcss/postcss (postcss)

v8.5.15

Compare Source

• Fixed declaration parsing performance (by @​homanp).

prettier/prettier (prettier)

v3.8.4

Compare Source

diff

Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (#​17746 by @​byplayer)

Prettier was removing blank lines between list items and their nested sub-lists, converting loose lists into tight lists and changing their semantic meaning.

<!-- Input -->
- a

  - b

- c

  - d

<!-- Prettier 3.8.3 -->
- a
  - b
- c
  - d

<!-- Prettier 3.8.4 -->
- a

  - b

- c

  - d

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "before 4am on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.