chore(deps): bump the npm-minor-patch group with 3 updates #113

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm-minor-patch-5b7e739169

@dependabot dependabot Bot commented on behalf of github May 15, 2026

Bumps the npm-minor-patch group with 3 updates: @resq-sw/analytics, elysia-rate-limit and @biomejs/biome.

Updates @resq-sw/analytics from 0.3.0 to 0.4.0

Release notes

Sourced from @​resq-sw/analytics's releases.

@​resq-sw/analytics@​0.4.0

@​resq-sw/analytics

0.3.0

Minor Changes

... (truncated)

Changelog

Sourced from @​resq-sw/analytics's changelog.

0.4.0

Minor Changes

  • #91 be1d05e Thanks @​WomB0ComB0! - Add ResQ-specific helpers shared across the three TS surfaces (landing, research, viz):

    • RESQ_SUBDOMAIN_ALLOWLIST - readonly string[] of resq.software, research.resq.software, viz.resq.software. Pass to AnalyticsConfig.ga4.domains for cross-domain linker setup.
    • GA4_ID_PATTERN / sanitizeGa4Id(id) — strict /^G-[A-Z0-9]{6,32}$/ validator that returns the ID when valid or null otherwise. Use before interpolating an env-var-sourced GA4 ID into an inline <script> body — closes CodeQL js/bad-code-sanitization and prevents </script> / line-terminator escapes.
    • resolveResqCookieDomain(host) — returns ".resq.software" only when host actually belongs to the registrable root, otherwise undefined. Use in browser code that reads window.location.hostname so preview / localhost deployments don't get their cookie rejected with a domain mismatch.

    Centralizing these means adding a fourth subdomain or tightening the GA4-ID format becomes a single version bump instead of three coordinated edits across consumer repos.

@​resq-sw/analytics

Commits
  • 8cd8b48 chore: version packages (#93)
  • be1d05e docs: comprehensive JSDoc + READMEs + ResQ analytics helpers (#91)
  • 4cfd702 chore(deps): bump the bun-minor-patch group across 1 directory with 14 update...
  • fcf34e4 ci(docs): disable bun runtime cache in api-docs workflow (#79)
  • See full diff in compare view

Updates elysia-rate-limit from 4.6.1 to 4.6.2

Release notes

Sourced from elysia-rate-limit's releases.

v4.6.2

Patch Changes

  • f088ef4: Fix cases where user is able to bypass rate limit if duration were set to 0 or NaN
  • cb2811f: Support dynamic duration as a function
  • a54821d: Add fail-closed error handling to dynamic duration and max configuration functions to prevent unhandled promise rejections and bypasses.
  • 2ce04e3: Ensure Retry-After header correctly aligns with RateLimit-Reset rather than dynamically recalculating the duration of the rejected request.
  • 3a9a100: Ensure unique plugin seeds for dynamic max and duration configurations to prevent Elysia from incorrectly deduplicating distinct rate limiter instances.
  • 50e695b: Implement high-water mark logic for dynamic duration to prevent attackers from spoofing shorter window expirations by intentionally opening shorter windows.
Commits
  • 6accc12 Version Packages (#80)
  • fcdc2c8 ci: run tests on build
  • 3a9a100 fix : Ensure unique plugin seeds for dynamic max and duration configurations ...
  • f088ef4 fix: Rate Limit Bypass
  • 50e695b fix : Implement high-water mark logic for dynamic duration to prevent attacke...
  • a54821d fix : Add fail-closed error handling to dynamic duration and max configuratio...
  • 2ce04e3 fix : Ensure Retry-After header correctly aligns with RateLimit-Reset rather ...
  • cb2811f feat: support dynamic duration as a function (#79)
  • See full diff in compare view

Updates @biomejs/biome from 2.4.14 to 2.4.15

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.15

2.4.15

Patch Changes

  • #9394 ba3480e Thanks @​dyc3! - Added the nursery rule useTestHooksInOrder in the test domain. The rule enforces that Jest/Vitest lifecycle hooks (beforeAll, beforeEach, afterEach, afterAll) are declared in the order they execute, making test setup and teardown easier to reason about.

  • #10254 e0a54cc Thanks @​dyc3! - Added a new nursery rule useVueNextTickPromise, which enforces Promise syntax when using Vue nextTick.

    For example, the following snippet triggers the rule:

    import { nextTick } from "vue";
    nextTick(() => {
      updateDom();
    });

  • #10219 64aee45 Thanks @​dyc3! - Added a new nursery rule noVueVOnNumberValues, that disallows deprecated number modifiers on Vue v-on directives.

    For example, the following snippet triggers the rule:

    <input @keyup.13="submit" />

  • #10195 7b8d4e1 Thanks @​dyc3! - Added the new nursery rule useVueValidVFor, which validates Vue v-for directives and reports invalid aliases, missing component keys, and keys that do not use iteration variables.

  • #10238 1110256 Thanks @​dyc3! - Added the recommended nursery rule noVueImportCompilerMacros, which disallows importing Vue compiler macros such as defineProps from vue because they are automatically available.

  • #10201 1a08f89 Thanks @​realknove! - Fixed #10193: style/useReadonlyClassProperties no longer reports class properties as readonly-able when they are assigned inside arrow callbacks nested in class property initializers.

  • #9574 3bd2b6a Thanks @​Conaclos! - Fixed #9530. The diagnostics of organizeImports are now more detailed and more precise. They are also better at localizing where the issue is.

  • #10205 a704a6c Thanks @​Conaclos! - Fixed #10185. organizeImports now errors when it encounters an unknown predefined group.

    The following configuration is now reported as invalid because :INEXISTENT: is an unknown predefined group.

    {
      "assist": {
        "actions": {
          "source": {
            "organizeImports": { "options": { "groups": [":INEXISTENT:"] } }
          }
        }
      }
    }

... (truncated)

Commits


Bumps the npm-minor-patch group with 3 updates: [@resq-sw/analytics](https://github.com/resq-software/npm/tree/HEAD/packages/analytics), [elysia-rate-limit](https://github.com/rayriffy/elysia-rate-limit) and [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome).


Updates `@resq-sw/analytics` from 0.3.0 to 0.4.0
- [Release notes](https://github.com/resq-software/npm/releases)
- [Changelog](https://github.com/resq-software/npm/blob/master/packages/analytics/CHANGELOG.md)
- [Commits](https://github.com/resq-software/npm/commits/@resq-sw/analytics@0.4.0/packages/analytics)

Updates `elysia-rate-limit` from 4.6.1 to 4.6.2
- [Release notes](https://github.com/rayriffy/elysia-rate-limit/releases)
- [Changelog](https://github.com/rayriffy/elysia-rate-limit/blob/main/CHANGELOG.md)
- [Commits](rayriffy/elysia-rate-limit@v4.6.1...v4.6.2)

Updates `@biomejs/biome` from 2.4.14 to 2.4.15
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.4.15/packages/@biomejs/biome)

---
updated-dependencies:
- dependency-name: "@resq-sw/analytics"
  dependency-version: 0.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor-patch
- dependency-name: elysia-rate-limit
  dependency-version: 4.6.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: "@biomejs/biome"
  dependency-version: 2.4.15
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Automated dependency updates javascript JavaScript and TypeScript dependency updates labels May 15, 2026
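
The @resq-sw/analytics 0.4.0 changelog quoted above describes a strict GA4-ID validator and a cookie-domain resolver. The following is an added example, not code from the package or from this PR: the function bodies are stand-ins written from the changelog's description, and `buildGtagInline` and all sample values are hypothetical.

```javascript
// Added example: stand-ins modelled on the changelog text, not the package source.
const GA4_ID_PATTERN = /^G-[A-Z0-9]{6,32}$/; // pattern as quoted in the changelog

// Returns the ID when it matches the strict pattern, otherwise null.
// Without the /m flag, `$` matches only at end of input, so a trailing
// newline or any other line terminator is rejected.
function sanitizeGa4Id(id) {
  return typeof id === "string" && GA4_ID_PATTERN.test(id) ? id : null;
}

// Hypothetical builder: emits the inline gtag bootstrap only for a valid ID.
// An env-var value that fails validation yields no script at all (fail closed)
// instead of being interpolated into the <script> body.
function buildGtagInline(rawId) {
  const id = sanitizeGa4Id(rawId);
  if (id === null) return null;
  return "<script>window.dataLayer=window.dataLayer||[];" +
    "function gtag(){dataLayer.push(arguments);}" +
    `gtag('js',new Date());gtag('config','${id}');</script>`;
}

// Returns ".resq.software" only for the root or a true subdomain of it.
// Matching on the leading dot keeps look-alike hosts from qualifying.
function resolveResqCookieDomain(host) {
  const h = String(host).toLowerCase().replace(/\.$/, "");
  return h === "resq.software" || h.endsWith(".resq.software")
    ? ".resq.software"
    : undefined;
}
```
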
@dependabot dependabot Bot requested a review from WomB0ComB0 as a code owner May 15, 2026 11:40
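
The elysia-rate-limit 4.6.2 notes quoted above mention a bypass when the duration is 0 or NaN and fail-closed handling for dynamic configuration. The following is an added example, not elysia-rate-limit's code: a constructed fixed-window limiter showing how such a duration disables enforcement and how a validating resolver keeps the limit in place. `FALLBACK_MS`, the function names and the synchronous duration callback are assumptions.

```javascript
// Added example: constructed limiter for illustration, not the library's code.
const FALLBACK_MS = 60_000; // assumed safe default window

// Resolve a static or dynamic duration. A throwing callback or an unusable
// value (0, negative, NaN, Infinity, non-number) falls back to the default,
// so the limit stays enforced instead of being skipped (fail closed).
function resolveDuration(duration, request) {
  try {
    const ms = typeof duration === "function" ? duration(request) : duration;
    return Number.isFinite(ms) && ms > 0 ? ms : FALLBACK_MS;
  } catch {
    return FALLBACK_MS;
  }
}

// Fixed-window counter. With validate=false the duration is used as given.
function createLimiter(max, validate) {
  const hits = new Map(); // key -> { count, reset }
  return function allow(key, duration, now) {
    const ms = validate ? resolveDuration(duration, key) : duration;
    let entry = hits.get(key);
    // Window missing or expired. A reset of now+0 is always expired on the
    // next request, and any comparison with NaN is false, so both values
    // open a fresh window every time and the count never reaches max.
    if (!entry || !(now < entry.reset)) {
      entry = { count: 0, reset: now + ms };
      hits.set(key, entry);
    }
    entry.count += 1;
    return entry.count <= max;
  };
}

// Count how many of n requests, 1 ms apart, are allowed for one client.
function allowedOutOf(n, max, duration, validate) {
  const allow = createLimiter(max, validate);
  let ok = 0;
  for (let i = 0; i < n; i++) {
    if (allow("client", duration, 1000 + i)) ok++;
  }
  return ok;
}
```
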
cloudflare-workers-and-pages Bot commented May 15, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Updated (UTC) |
| --- | --- | --- | --- |
| ❌ Deployment failed | resq-landing | ead2cc0 | May 15 2026, 11:40 AM |

@github-actions github-actions Bot added the size/XS Extra-small change (< 10 lines) label May 15, 2026
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | @resq-sw/analytics@0.4.0 | 75 | 100 | 100 | 90 | 100 |
| Updated | elysia-rate-limit@4.6.1 ⏵ 4.6.2 | 94 +1 | 100 | 100 +1 | 92 +4 | 100 |
| Updated | @biomejs/biome@2.4.14 ⏵ 2.4.15 | 100 +1 | 100 | 100 | 99 +1 | 100 |
