chore(deps-dev): bump the tooling group across 1 directory with 5 updates

[dependabot]

Bumps the tooling group with 5 updates in the / directory:

Package	From	To
turbo	2.9.6	2.9.9
typescript	5.9.3	6.0.3
@types/node	20.19.39	25.6.0
eslint	9.39.4	10.3.0
eslint-config-next	15.5.15	16.2.5

Updates turbo from 2.9.6 to 2.9.9

Release notes

Sourced from turbo's releases.

Turborepo v2.9.9

What's Changed

Changelog

• release(turborepo): 2.9.8 by @​github-actions[bot] in vercel/turborepo#12700
• fix: Remove Unix parent death watchdogs by @​anthonyshew in vercel/turborepo#12699
• release(turborepo): 2.9.9-canary.1 by @​github-actions[bot] in vercel/turborepo#12705
• fix: Scope repo index prefixes to Git root by @​anthonyshew in vercel/turborepo#12706
• release(turborepo): 2.9.9-canary.2 by @​github-actions[bot] in vercel/turborepo#12708
• ci: Harden non-release GitHub Actions by @​anthonyshew in vercel/turborepo#12707
• docs: Add pnpm workspace flag (-w) to Oxc setup docs by @​mattjoll in vercel/turborepo#12655
• fix: Harden OG image signatures by @​anthonyshew in vercel/turborepo#12709
• fix: Scope release npm publishing credentials by @​anthonyshew in vercel/turborepo#12710
• ci: Harden release workflows by @​anthonyshew in vercel/turborepo#12711
• release(turborepo): 2.9.9-canary.3 by @​github-actions[bot] in vercel/turborepo#12712
• fix: Harden docs security endpoints by @​anthonyshew in vercel/turborepo#12713
• ci: Harden internal GitHub Actions by @​anthonyshew in vercel/turborepo#12714
• ci: Harden release workflow handling by @​anthonyshew in vercel/turborepo#12715
• fix: Preserve lockfiles during dry-run conversion by @​anthonyshew in vercel/turborepo#12717
• ci: Fix LSP workflow container matrix by @​anthonyshew in vercel/turborepo#12718

New Contributors

• @​mattjoll made their first contribution in vercel/turborepo#12655

Full Changelog: vercel/turborepo@v2.9.8...v2.9.9

Turborepo v2.9.9-canary.4

What's Changed

Changelog

• release(turborepo): 2.9.9-canary.3 by @​github-actions[bot] in vercel/turborepo#12712
• fix: Harden docs security endpoints by @​anthonyshew in vercel/turborepo#12713
• ci: Harden internal GitHub Actions by @​anthonyshew in vercel/turborepo#12714
• ci: Harden release workflow handling by @​anthonyshew in vercel/turborepo#12715

Full Changelog: vercel/turborepo@v2.9.9-canary.3...v2.9.9-canary.4

Turborepo v2.9.9-canary.3

What's Changed

Changelog

• release(turborepo): 2.9.9-canary.2 by @​github-actions[bot] in vercel/turborepo#12708
• ci: Harden non-release GitHub Actions by @​anthonyshew in vercel/turborepo#12707
• docs: Add pnpm workspace flag (-w) to Oxc setup docs by @​mattjoll in vercel/turborepo#12655
• fix: Harden OG image signatures by @​anthonyshew in vercel/turborepo#12709
• fix: Scope release npm publishing credentials by @​anthonyshew in vercel/turborepo#12710

... (truncated)

Commits

• 6041700 publish 2.9.9 to registry
• ac55ec9 ci: Fix LSP workflow container matrix (#12718)
• 3192551 fix: Preserve lockfiles during dry-run conversion (#12717)
• f89f3bd ci: Harden release workflow handling (#12715)
• cbe31ef ci: Harden internal GitHub Actions (#12714)
• 56eefcc fix: Harden docs security endpoints (#12713)
• 6f35176 release(turborepo): 2.9.9-canary.3 (#12712)
• 709c9d4 ci: Harden release workflows (#12711)
• 382f305 fix: Scope release npm publishing credentials (#12710)
• 76d26f8 fix: Harden OG image signatures (#12709)
• Additional commits viewable in compare view

Updates typescript from 5.9.3 to 6.0.3

Release notes

Sourced from typescript's releases.

TypeScript 6.0.3

For release notes, check out the release announcement blog post.

• fixed issues query for TypeScript 6.0.0 (Beta).
• fixed issues query for TypeScript 6.0.1 (RC).
• fixed issues query for TypeScript 6.0.2 (Stable).
• fixed issues query for TypeScript 6.0.3 (Stable).

Downloads are available on:

• npm

TypeScript 6.0

For release notes, check out the release announcement blog post.

• fixed issues query for TypeScript 6.0.0 (Beta).
• fixed issues query for TypeScript 6.0.1 (RC).
• fixed issues query for TypeScript 6.0.2 (Stable).

Downloads are available on:

• npm

TypeScript 6.0 Beta

For release notes, check out the release announcement.

• fixed issues query for Typescript 6.0.0 (Beta).

Downloads are available on:

• npm

Commits

• 050880c Bump version to 6.0.3 and LKG
• eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
• ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
• 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
• 607a22a Bump version to 6.0.2 and LKG
• 9e72ab7 🤖 Pick PR #63239 (Fix missing lib files in reused pro...) into release-6.0 (#...
• 35ff23d 🤖 Pick PR #63163 (Port anyFunctionType subtype fix an...) into release-6.0 (#...
• e175b69 Bump version to 6.0.1-rc and LKG
• af4caac Update LKG
• 8efd7e8 Merge remote-tracking branch 'origin/main' into release-6.0
• Additional commits viewable in compare view

Updates @types/node from 20.19.39 to 25.6.0

Commits

• See full diff in compare view

Updates eslint from 9.39.4 to 10.3.0

Release notes

Sourced from eslint's releases.

v10.3.0

Features

• 379571a feat: add suggestions for no-unused-private-class-members (#20773) (sethamus)

Bug Fixes

• b6ae5cf fix: handle unavailable require cache (#20812) (Simon Podlipsky)
• 6fb3685 fix: rule suggestions cause continuation in class body (#20787) (Milos Djermanovic)

Documentation

• 32cc7ab docs: fix typos in docs and comments (#20809) (Tanuj Kanti)
• 7f47937 docs: Update README (GitHub Actions Bot)

Chores

• d32235e ci: use pnpm in eslint-flat-config-utils type integration test (#20826) (Francesco Trotta)
• 3ffb14e chore: clean up typos in comments and JSDoc (#20821) (Pixel998)
• 22eb58a chore: add missing continue-on-error to ecosystem-tests.yml (#20818) (Josh Goldberg ✨)
• 88bf002 ci: bump pnpm/action-setup from 6.0.1 to 6.0.3 (#20815) (dependabot[bot])
• 97c8c33 chore: update ilshidur/action-discord action to v0.4.0 (#20811) (renovate[bot])
• 2f58136 chore: pin peter-evans/create-pull-request action to 5f6978f (#20810) (renovate[bot])
• 77add7f chore: add initial ecosystem plugin tests workflow (#19643) (Josh Goldberg ✨)
• 4023b55 test: Add unit tests for SuppressionsService.prune() (#20797) (kuldeep kumar)
• 54080da test: add unit tests for ForkContext (#20778) (kuldeep kumar)
• f0e2bcc test: add unit tests for SuppressionsService.suppress() method (#20765) (kuldeep kumar)
• a7f0b94 chore: update dependency prettier to v3.8.3 (#20782) (renovate[bot])
• 7bf93d9 chore: update TypeScript to v6 (#20677) (sethamus)
• b42dd72 ci: bump pnpm/action-setup from 6.0.0 to 6.0.1 (#20781) (dependabot[bot])
• 2b252be test: add unit tests for IdGenerator (#20775) (kuldeep kumar)

v10.2.1

Bug Fixes

• 14be92b fix: model generator yield resumption paths in code path analysis (#20665) (sethamus)
• 84a19d2 fix: no-async-promise-executor false positives for shadowed Promise (#20740) (xbinaryx)
• af764af fix: clarify language and processor validation errors (#20729) (Pixel998)
• e251b89 fix: update eslint (#20715) (renovate[bot])

Documentation

• ca92ca0 docs: reuse markdown-it instance for markdown filter (#20768) (Amaresh S M)
• 57d2ee2 docs: Enable Eleventy incremental mode for watch (#20767) (Amaresh S M)
• c1621b9 docs: fix typos in code-path-analyzer.js (#20700) (Ayush Shukla)
• 1418d52 docs: Update README (GitHub Actions Bot)
• 39771e6 docs: Update README (GitHub Actions Bot)
• 71e0469 docs: fix incomplete JSDoc param description in no-shadow rule (#20728) (kuldeep kumar)
• 22119ce docs: clarify scope of for-direction rule with dead code examples (#20723) (Amaresh S M)
• 8f3fb77 docs: document meta.docs.dialects (#20718) (Pixel998)

Chores

• 7ddfea9 chore: update dependency prettier to v3.8.2 (#20770) (renovate[bot])
• fac40e1 ci: bump pnpm/action-setup from 5.0.0 to 6.0.0 (#20763) (dependabot[bot])
• 7246f92 test: add tests for SuppressionsService.load() error handling (#20734) (kuldeep kumar)
• 4f34b1e chore: update pnpm/action-setup action to v5 (#20762) (renovate[bot])

... (truncated)

Commits

• 7889204 10.3.0
• 5b69b4f Build: changelog update for 10.3.0
• d32235e ci: use pnpm in eslint-flat-config-utils type integration test (#20826)
• b6ae5cf fix: handle unavailable require cache (#20812)
• 3ffb14e chore: clean up typos in comments and JSDoc (#20821)
• 6fb3685 fix: rule suggestions cause continuation in class body (#20787)
• 22eb58a chore: add missing continue-on-error to ecosystem-tests.yml (#20818)
• 88bf002 ci: bump pnpm/action-setup from 6.0.1 to 6.0.3 (#20815)
• 379571a feat: add suggestions for no-unused-private-class-members (#20773)
• 97c8c33 chore: update ilshidur/action-discord action to v0.4.0 (#20811)
• Additional commits viewable in compare view

Updates eslint-config-next from 15.5.15 to 16.2.5

Release notes

Sourced from eslint-config-next's releases.

v16.2.5

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)
• Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (#92631)
• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• Compiler: Support boolean and number primtives in next.config defines (#92731)
• turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (#92725)
• Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92828)
• Adding more system info to the 'initialize project' trace (#92427)

Credits

Huge thanks to @​Badbird5907, @​lukesandberg, @​andrewimm, @​sokra, and @​mischnic for helping!

v16.2.3

[!NOTE] This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes

• Ensure app-page reports stale ISR revalidation errors via onRequestError (#92282)
• Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#91981 through #92273)
• Deduplicate output assets and detect content conflicts on emit (#92292)
• Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)

... (truncated)

Commits

• 766148f v16.2.5
• 2275bd8 v16.2.4
• d5f649b v16.2.3
• 52faae3 v16.2.2
• ed7d2ce v16.2.1
• c5c94df v16.2.0
• 3683192 v16.2.0-canary.104
• 6689814 v16.2.0-canary.103
• ad66dbc v16.2.0-canary.102
• b856498 v16.2.0-canary.101
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for eslint-config-next since your current version.

[satyakwok]

@dependabot rebase

[dependabot]

Looks like this PR is already up-to-date with main! If you'd still like to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

[satyakwok]

Closing — grouped tooling bump produces ESLint 'Converting circular structure to JSON' internal error, caused by cross-package incompatibility in the bumped versions. Will reopen when Dependabot groups the eslint config plugins coherently.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml