chore(deps-dev): bump the development-dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the development-dependencies group with 10 updates in the / directory:

Package	From	To
@biomejs/biome	2.3.11	2.4.0
@playwright/test	1.57.0	1.58.2
@testing-library/react	16.3.1	16.3.2
@vitejs/plugin-react	5.1.2	5.1.4
@vitest/coverage-v8	4.0.17	4.0.18
@vitest/ui	4.0.17	4.0.18
axios	1.13.2	1.13.5
jsdom	27.4.0	28.1.0
nock	14.0.10	14.0.11
vitest	4.0.17	4.0.18

Updates @biomejs/biome from 2.3.11 to 2.4.0

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.0

2.4.0

Minor Changes

• #8964 0353fa0 Thanks @​dyc3! - Added ignore option to the useHookAtTopLevel rule.

  You can now specify function names that should not be treated as hooks, even if they follow the use* naming convention.

  Example configuration:

  {
    "linter": {
      "rules": {
        "correctness": {
          "useHookAtTopLevel": {
            "options": {
              "ignore": ["useDebounce", "useCustomUtility"]
            }
          }
        }
      }
    }
  }

• #8769 d0358b0 Thanks @​rahuld109! - Added the rule useAnchorContent for HTML to enforce that anchor elements have accessible content for screen readers. The rule flags empty anchors, anchors with only whitespace, and anchors where all content is hidden with aria-hidden. Anchors with aria-label or title attributes providing a non-empty accessible name are considered valid.

• #8742 6340ce6 Thanks @​rahuld109! - Added the rule useMediaCaption to the HTML language. Enforces that audio and video elements have a track element with kind="captions" for accessibility. Muted videos are allowed without captions.

• #8621 d11130b Thanks @​Netail! - Added support for multiple reporters, and the ability to save reporters on arbitrary files.

  Combine two reporters in CI

  If you run Biome on GitHub, take advantage of the reporter and still see the errors in console, you can now use both reporters:

  biome ci --reporter=default --reporter=github

  Save reporter output to a file

  With the new --reporter-file CLI option, it's now possible to save the output of all reporters to a file. The file is a path, so you can pass a relative or an absolute path:

  biome ci --reporter=rdjson --reporter-file=/etc/tmp/report.json
  biome ci --reporter=summary --reporter-file=./reports/file.txt

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.0

Minor Changes

• #8964 0353fa0 Thanks @​dyc3! - Added ignore option to the useHookAtTopLevel rule.

  You can now specify function names that should not be treated as hooks, even if they follow the use* naming convention.

  Example configuration:

  {
    "linter": {
      "rules": {
        "correctness": {
          "useHookAtTopLevel": {
            "options": {
              "ignore": ["useDebounce", "useCustomUtility"]
            }
          }
        }
      }
    }
  }

• #8769 d0358b0 Thanks @​rahuld109! - Added the rule useAnchorContent for HTML to enforce that anchor elements have accessible content for screen readers. The rule flags empty anchors, anchors with only whitespace, and anchors where all content is hidden with aria-hidden. Anchors with aria-label or title attributes providing a non-empty accessible name are considered valid.

• #8742 6340ce6 Thanks @​rahuld109! - Added the rule useMediaCaption to the HTML language. Enforces that audio and video elements have a track element with kind="captions" for accessibility. Muted videos are allowed without captions.

• #8621 d11130b Thanks @​Netail! - Added support for multiple reporters, and the ability to save reporters on arbitrary files.

  Combine two reporters in CI

  If you run Biome on GitHub, take advantage of the reporter and still see the errors in console, you can now use both reporters:

  biome ci --reporter=default --reporter=github

  Save reporter output to a file

  With the new --reporter-file CLI option, it's now possible to save the output of all reporters to a file. The file is a path, so you can pass a relative or an absolute path:

  biome ci --reporter=rdjson --reporter-file=/etc/tmp/report.json
  biome ci --reporter=summary --reporter-file=./reports/file.txt

... (truncated)

Commits

• bf6e5f9 ci: release (#9045)
• e014336 feat: promote rules for v2.4 (#9011)
• 7e33fd5 Merge remote-tracking branch 'origin/main' into next
• df21006 ci: release (#8973)
• 6ebf6c6 feat(lint): add nursery rule noUselessReturn (#9029)
• 043b67c feat(lint/js): add noNestedPromises (#9019)
• 26d8367 docs: correct default value for useEditorconfig schema setting (#9025)
• dc1f94e feat(assist): add noDuplicateClasses assist action (#8623)
• 0353fa0 feat(useHookAtTopLevel): add ignore option (#8964)
• 3a38d5c ci: release (#8888)
• Additional commits viewable in compare view

Updates @playwright/test from 1.57.0 to 1.58.2

Release notes

Sourced from @​playwright/test's releases.

v1.58.2

Highlights

#39121 fix(trace viewer): make paths via stdin work #39129 fix: do not force swiftshader on chromium mac

Browser Versions

• Chromium 145.0.7632.6
• Mozilla Firefox 146.0.1
• WebKit 26.0

v1.58.1

Highlights

#39036 fix(msedge): fix local network permissions #39037 chore: update cft download location #38995 chore(webkit): disable frame sessions on fronzen builds

Browser Versions

• Chromium 145.0.7632.6
• Mozilla Firefox 146.0.1
• WebKit 26.0

v1.58.0

📣 Playwright CLI+SKILLs 📣

We are adding a new token-efficient CLI mode of operation to Playwright with the skills located at playwright-cli. This brings the long-awaited official SKILL-focused CLI mode to our story and makes it more coding agent-friendly.

It is the first snapshot with the essential command set (which is already larger than the original MCP!), but we expect it to grow rapidly. Unlike the token use, that one we expect to go down since snapshots are no longer forced into the LLM!

Timeline

If you're using merged reports, the HTML report Speedboard tab now shows the Timeline:

UI Mode and Trace Viewer Improvements

• New 'system' theme option follows your OS dark/light mode preference
• Search functionality (Cmd/Ctrl+F) is now available in code editors
• Network details panel has been reorganized for better usability
• JSON responses are now automatically formatted for readability

Thanks to @​cpAdm for contributing these improvements!

Miscellaneous

browserType.connectOverCDP() now accepts an isLocal option. When set to true, it tells Playwright that it runs on the same host as the CDP server, enabling file system optimizations.

Breaking Changes ⚠️

• Removed _react and _vue selectors. See locators guide for alternatives.

... (truncated)

Commits

• ce480a9 cherry-pick(#39171): devops: add ubuntu-22.04-arm bot
• e40c137 chore: mark v1.58.2 (#39155)
• 50b7296 cherry-pick(#39152): chore: fix execSync inheriting stdio
• f3dcf50 cherry-pick(#39129): fix: do not force swiftshader on chromium mac
• 8684e08 cherry-pick(#39121): fix(trace viewer): make paths via stdin work
• 97bc385 cherry-pick(#38995): chore(webkit): disable frame sessions on fronzen builds
• ad625fe chore: mark v1.58.1 (#39055)
• f07234d cherry-pick(#39036): fix(msedge): fix local network permissions (#39053)
• ab8136c cherry-pick(#39037): chore: update cft download location (#39052)
• aa6ffeb cherry-pick(#39014): docs: add 1.58 release notes for Java, Python, and C#
• Additional commits viewable in compare view

Updates @testing-library/react from 16.3.1 to 16.3.2

Release notes

Sourced from @​testing-library/react's releases.

v16.3.2

16.3.2 (2026-01-19)

Bug Fixes

• Update 'onCaughtError' type inference in 'RenderOptions' to work with React v19 (#1438) (f32bd1b)

Commits

• f32bd1b fix: Update 'onCaughtError' type inference in 'RenderOptions' to work with Re...
• See full diff in compare view

Updates @vitejs/plugin-react from 5.1.2 to 5.1.4

Release notes

Sourced from @​vitejs/plugin-react's releases.

plugin-react@5.1.4

Fix canSkipBabel not accounting for babel.overrides (#1098)

When configuring babel.overrides without top-level plugins or presets, Babel was incorrectly skipped. The canSkipBabel function now checks for overrides.length to ensure override configurations are processed.

plugin-react@5.1.3

No release notes provided.

Changelog

Sourced from @​vitejs/plugin-react's changelog.

5.1.4 (2026-02-10)

Fix canSkipBabel not accounting for babel.overrides (#1098)

When configuring babel.overrides without top-level plugins or presets, Babel was incorrectly skipped. The canSkipBabel function now checks for overrides.length to ensure override configurations are processed.

5.1.3 (2026-02-02)

Commits

• f066114 release: plugin-react@5.1.4
• e299dca fix(plugin-react): canSkipBabel not checking babel.overrides (#1098)
• 12ffadc fix(deps): update all non-major dependencies (#1103)
• cf0cb8a release: plugin-react@5.1.3
• 99e480c fix(deps): update all non-major dependencies (#1090)
• 77f5e42 fix(deps): update react 19.2.4 (#1084)
• e327da4 fix(deps): update all non-major dependencies (#1083)
• 3d3dbc2 chore: add metadata for vite-plugin-registry (#1078)
• 58dfb9d fix(deps): update all non-major dependencies (#1066)
• fefad3d fix(deps): update all non-major dependencies (#1048)
• Additional commits viewable in compare view

Updates @vitest/coverage-v8 from 4.0.17 to 4.0.18

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.0.18

   🚀 Experimental Features

• experimental: Add onModuleRunner hook to worker.init  -  by @​sheremet-va in vitest-dev/vitest#9286 (ea837)

   🐞 Bug Fixes

• Use meta.url in createRequire  -  by @​sheremet-va in vitest-dev/vitest#9441 (e0572)
• browser: Hide injected data-testid attributes  -  by @​sheremet-va in vitest-dev/vitest#9503 (f8989)
• ui: Process artifact attachments when generating HTML reporter  -  by @​macarie in vitest-dev/vitest#9472 (22543)

    View changes on GitHub

Commits

• 4d3e3c6 chore: release v4.0.18
• See full diff in compare view

Updates @vitest/ui from 4.0.17 to 4.0.18

Release notes

Sourced from @​vitest/ui's releases.

v4.0.18

   🚀 Experimental Features

• experimental: Add onModuleRunner hook to worker.init  -  by @​sheremet-va in vitest-dev/vitest#9286 (ea837)

   🐞 Bug Fixes

• Use meta.url in createRequire  -  by @​sheremet-va in vitest-dev/vitest#9441 (e0572)
• browser: Hide injected data-testid attributes  -  by @​sheremet-va in vitest-dev/vitest#9503 (f8989)
• ui: Process artifact attachments when generating HTML reporter  -  by @​macarie in vitest-dev/vitest#9472 (22543)

    View changes on GitHub

Commits

• 4d3e3c6 chore: release v4.0.18
• 2254356 fix(ui): process artifact attachments when generating HTML reporter (#9472)
• See full diff in compare view

Updates axios from 1.13.2 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @​sachin11063 (first contribution — PR #7323)
• @​asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 29f7542 chore(release): prepare release 1.13.5 (#7379)
• 431c3a3 ci: fix run condition (#7373)
• 9ff3a78 ci: update ymls (#7372)
• 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• 475e75a feat: add input validation to isAbsoluteURL (#7326)
• 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
• 04cf019 docs: clarify object check comment (#7323)
• 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• 569f028 fix: added a option to choose between legacy and the new request/response int...
• 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates jsdom from 27.4.0 to 28.1.0

Release notes

Sourced from jsdom's releases.

Version 28.1.0

• Added blob.text(), blob.arrayBuffer(), and blob.bytes() methods.
• Improved getComputedStyle() to account for CSS specificity when multiple rules apply. (asamuzaK)
• Improved synchronous XMLHttpRequest performance by using a persistent worker thread, avoiding ~400ms of setup overhead on every synchronous request after the first one.
• Improved performance of node.getRootNode(), node.isConnected, and event.dispatchEvent() by caching the root node of document-connected trees.
• Fixed getComputedStyle() to correctly handle !important priority. (asamuzaK)
• Fixed document.getElementById() to return the first element in tree order when multiple elements share the same ID.
• Fixed <svg> elements to no longer incorrectly proxy event handlers to the Window.
• Fixed FileReader event timing and fileReader.result state to more closely follow the spec.
• Fixed a potential hang when synchronous XMLHttpRequest encountered dispatch errors.
• Fixed compatibility with environments where Node.js's built-in fetch() has been used before importing jsdom, by working around undici v6/v7 incompatibilities.

Version 28.0.0

• Overhauled resource loading customization. See the new README for details on the new API.
• Added MIME type sniffing to <iframe> and <frame> loads.
• Regression: WebSockets are no longer correctly throttled to one connection per origin. This is a result of the bug at nodejs/undici#4743.
• Fixed decoding of the query components of <a> and <area> elements in non-UTF-8 documents.
• Fixed XMLHttpRequest fetches and WebSocket upgrade requests to be interceptable by the new customizable resource loading. (Except synchronous XMLHttpRequests.)
• Fixed the referrer of a document to be set correctly when redirects are involved; it is now the initiating page, not the last hop in the redirect chain.
• Fixed correctness bugs when passing ArrayBuffers or typed arrays to various APIs, where they would not correctly snapshot the data.
• Fixed require("url").parse() deprecation warning when using WebSockets.
• Fixed <iframe>, <frame>, and <img> (when canvas is installed) to fire load events, not error events, on non-OK HTTP responses.
• Fixed many small issues in XMLHttpRequest.

Changelog

Sourced from jsdom's changelog.

28.1.0

• Added blob.text(), blob.arrayBuffer(), and blob.bytes() methods.
• Improved getComputedStyle() to account for CSS specificity when multiple rules apply. (asamuzaK)
• Improved synchronous XMLHttpRequest performance by using a persistent worker thread, avoiding ~400ms of setup overhead on every synchronous request after the first one.
• Improved performance of node.getRootNode(), node.isConnected, and event.dispatchEvent() by caching the root node of document-connected trees.
• Fixed getComputedStyle() to correctly handle !important priority. (asamuzaK)
• Fixed document.getElementById() to return the first element in tree order when multiple elements share the same ID.
• Fixed <svg> elements to no longer incorrectly proxy event handlers to the Window.
• Fixed FileReader event timing and fileReader.result state to more closely follow the spec.
• Fixed a potential hang when synchronous XMLHttpRequest encountered dispatch errors.
• Fixed compatibility with environments where Node.js's built-in fetch() has been used before importing jsdom, by working around undici v6/v7 incompatibilities.

28.0.0

• Overhauled resource loading customization. See the new README for details on the new API.
• Added MIME type sniffing to <iframe> and <frame> loads.
• Regression: WebSockets are no longer correctly throttled to one connection per origin. This is a result of the bug at nodejs/undici#4743.
• Fixed decoding of the query components of <a> and <area> elements in non-UTF-8 documents.
• Fixed XMLHttpRequest fetches and WebSocket upgrade requests to be interceptable by the new customizable resource loading. (Except synchronous XMLHttpRequests.)
• Fixed the referrer of a document to be set correctly when redirects are involved; it is now the initiating page, not the last hop in the redirect chain.
• Fixed correctness bugs when passing ArrayBuffers or typed arrays to various APIs, where they would not correctly snapshot the data.
• Fixed require("url").parse() deprecation warning when using WebSockets.
• Fixed <iframe>, <frame>, and <img> (when canvas is installed) to fire load events, not error events, on non-OK HTTP responses.
• Fixed many small issues in XMLHttpRequest.

Commits

• 12949b5 Version 28.1.0
• ce4c58f Apply CSS specificity when computing styles
• 7ed55a0 Skip single-byte-decoder encoding tests on Node 20
• f3b1973 Generalize node version conditions in test expectations
• 853c596 Rewrite getElementById ID caching for tree-order correctness
• 5fbfde6 Fix potential sync XHR worker hang from unhandled dispatch errors
• 82df38f Cache the root node for document-connected trees
• ed7c5c0 Add documentation comment to create-event-accessor.js
• b4562e9 Simplify Window.js installEventHandlers
• 7da340f Centralize "determine the target of an event handler"
• Additional commits viewable in compare view

Updates nock from 14.0.10 to 14.0.11

Release notes

Sourced from nock's releases.

v14.0.11

14.0.11 (2026-02-09)

Bug Fixes

• migrate to npm OIDC (#2940) (113dcac)
• restore github actions write permissions (#2941) (a4cb6b8)
• update @mswjs/interceptors to fix a memory leak (#2938) (025db76)
• upgrade semantic-release (#2943) (db0b280)

Commits

• db0b280 fix: upgrade semantic-release (#2943)
• bc78af4 Add write permission for contents in CI workflow (#2942)
• a4cb6b8 fix: restore github actions write permissions (#2941)
• 113dcac fix: migrate to npm OIDC (#2940)
• 025db76 fix: update @mswjs/interceptors to fix a memory leak (#2938)
• e7418da chore(deps): bump actions/setup-node from 4 to 6 (#2924)
• 2d4a5cc chore(deps-dev): bump js-yaml from 3.14.1 to 3.14.2
• 4f7e385 chore: upgrade interceptors
• 5177a33 chore(deps): bump serialize-javascript and mocha (#2848)
• 93611a2 chore(deps-dev): bump prettier from 3.2.5 to 3.6.2 (#2883)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for nock since your current version.

Updates vitest from 4.0.17 to 4.0.18

Release notes

Sourced from vitest's releases.

v4.0.18

   🚀 Experimental Features

• experimental: Add onModuleRunner hook to worker.init  -  by @​sheremet-va in vitest-dev/vitest#9286 (ea837)

   🐞 Bug Fixes

• Use meta.url in createRequire  -  by @​sheremet-va in vitest-dev/vitest#9441 (e0572)
• browser: Hide injected data-testid attributes  -  by @​sheremet-va in vitest-dev/vitest#9503 (f8989)
• ui: Process artifact attachments when generating HTML reporter  -  by @​macarie in vitest-dev/vitest#9472 (22543)

    View changes on GitHub

Commits

• 4d3e3c6 chore: release v4.0.18
• ea837de feat(experimental): add onModuleRunner hook to worker.init (#9286)
• e057281 fix: use meta.url in createRequire (#9441)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.