chore(deps): bump the npm-minor-patch group with 3 updates

[dependabot]

Bumps the npm-minor-patch group with 3 updates: graphql, msw and vitest.

Updates graphql from 16.12.0 to 16.14.0

Release notes

Sourced from graphql's releases.

v16.14.0 (2026-05-03)

New Feature 🚀

• #4317 Allow configuration of the ofType introspection depth (@​Nols1000)
• #4521 Add experimental support for directives on directive definitions (@​BoD)

Bug Fix 🐞

• #4652 Fix valueFromAST variable own-property checks (@​abishekgiri)

Docs 📝

• #4706 Fix mistake in GraphQLError guidance (@​benjie)

Committers: 4

• Abishek Kumar Giri(@​abishekgiri)
• Benjie(@​benjie)
• Benoit 'BoD' Lubek(@​BoD)
• Nils-Börge Margotti(@​Nols1000)

v16.13.2 (2026-03-24)

Docs 📝

• #4611 add dev mode docs (@​yaacovCR)

Polish 💅

• #4631 Use Object.create(null) over {} to avoid prototype issues - v16 (@​benjie)

Internal 🏠

• #4626 backport: internal: streamline release process (#4615) (@​yaacovCR)

Committers: 2

• Benjie(@​benjie)
• Yaacov Rydzinski (@​yaacovCR)

v16.13.1 (2026-03-04)

First 16.x.x release with trusted publishing and provenance, see: https://docs.npmjs.com/trusted-publishers for additional information.

Docs 📝

• #4433 docs: move migrate from express graphql guide to graphqlJS docs (@​sarahxsanders)

Internal 🏠

• #4608 internal: backport new release flow from 17.x.x (@​yaacovCR)
• #4610 internal: pin node version for release action (@​yaacovCR)

Committers: 2

• Sarah Sanders(@​sarahxsanders)
• Yaacov Rydzinski (@​yaacovCR)

16.13.0

... (truncated)

Commits

• 57b385b chore(release): v16.14.0 (#4720)
• 85700ed Fix mistake in GraphQLError guidance (#4706)
• 8eb6383 Allow configuration of the ofType introspection depth (#4317)
• ad9c519 Add support for directives on directive definitions (#4521)
• db2987c fix(valueFromAST): restore variable own-property checks (#4652)
• 123e958 chore(release): v16.13.2 (#4632)
• 13f130d Use Object.create(null) over {} to avoid prototype issues - v16 (#4631)
• 6ca59e1 backport: internal: streamline release process (#4615) (#4626)
• df8c53f docs: dev mode for v17 (#4611)
• 3b5c3f9 internal: pin node version for release action (#4610)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for graphql since your current version.

Updates msw from 2.12.8 to 2.14.6

Release notes

Sourced from msw's releases.

v2.14.6 (2026-05-11)

Bug Fixes

• defineNetwork: prevent event forwarding manually (#2740) (ccb40e08e3ef1dd80da217f74a1093be260a3f51) @​kettanaito

v2.14.5 (2026-05-08)

Bug Fixes

• ws: remove all frame listeners on client closure (#2739) (91a5d4131ceae9250acc40e0fa44b3c64f030d3e) @​kettanaito

v2.14.4 (2026-05-07)

Bug Fixes

• add finalize API for handler cleanup (#2738) (a288f5452970da6537ff31fce6b7f99eb620e563) @​kettanaito

v2.14.3 (2026-05-04)

Bug Fixes

• prevent frame abort listener leak (#2737) (c4567d2a398fb3315cebea4b66e9b79022ad569c) @​kettanaito

v2.14.2 (2026-04-29)

Bug Fixes

• export the NetworkApi type (#2734) (f0c03214b59f906ca8e92e3f0bb5d08fdf7d6f5e) @​kettanaito

v2.14.1 (2026-04-29)

Bug Fixes

• export default handler controllers (#2733) (f8dc874a236a4bd376c23cce9dd55ed59b8279e2) @​kettanaito

v2.14.0 (2026-04-29)

Features

• support ws.onUpgrade for handling connection upgrades (#2732) (e00e4d693db34884a316f659b8dcfb507cd79dce) @​kettanaito

Bug Fixes

• do not clone user-provided responses (#2731) (6953307c8061626d31a3651e69d47c885c0e4b76) @​kettanaito
• HttpResponse: forward cookies only when response is used (#2728) (30668e68f403535636bfb8dc12c64299d9c1c6e6) @​kettanaito

v2.13.6 (2026-04-24)

Bug Fixes

... (truncated)

Commits

• 2befc51 chore(release): v2.14.6
• ccb40e0 fix(defineNetwork): prevent event forwarding manually (#2740)
• c07e09b chore(release): v2.14.5
• 91a5d41 fix(ws): remove all frame listeners on client closure (#2739)
• d697485 chore(release): v2.14.4
• a288f54 fix: add finalize API for handler cleanup (#2738)
• de18888 chore(release): v2.14.3
• c4567d2 fix: prevent frame abort listener leak (#2737)
• 4bc4a5c chore(release): v2.14.2
• f0c0321 fix: export the NetworkApi type (#2734)
• Additional commits viewable in compare view

Updates vitest from 4.0.18 to 4.1.7

Release notes

Sourced from vitest's releases.

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in vitest-dev/vitest#10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in vitest-dev/vitest#10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

v4.1.5

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in vitest-dev/vitest#10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in vitest-dev/vitest#10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in vitest-dev/vitest#10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in vitest-dev/vitest#10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in vitest-dev/vitest#10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in vitest-dev/vitest#8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in vitest-dev/vitest#8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in vitest-dev/vitest#10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in vitest-dev/vitest#10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in vitest-dev/vitest#10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in vitest-dev/vitest#9927 and vitest-dev/vitest#10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in vitest-dev/vitest#10154 (6abd5)

    View changes on GitHub

v4.1.4

   🚀 Experimental Features

• coverage:
  • Default to text reporter skipFull if agent detected  -  by @​hi-ogawa in vitest-dev/vitest#10018 (53757)
• experimental:
  • Expose assertion as a public field  -  by @​sheremet-va in vitest-dev/vitest#10095 (a120e)
  • Support aria snapshot  -  by @​hi-ogawa, Claude Opus 4.6 (1M context), @​AriPerkkio, Codex and @​sheremet-va in vitest-dev/vitest#9668 (d4fbb)

... (truncated)

Commits

• a09d472 chore: release v4.1.7
• a8fd24c chore: release v4.1.6
• 18af98c fix(browser): simplify orchestrator otel carrier (#10285)
• 3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
• e399846 chore: release v4.1.5
• 7dc6d54 Revert "fix: respect diff config options in soft assertions (#8696)"
• 9787ded fix: respect diff config options in soft assertions (#8696)
• 325463a fix(ast-collect): recognize _vi_import prefix in static test discovery (#10...
• 0e0ff41 feat(coverage): istanbul to support instrumenter option (#10119)
• 663b99f fix: alias agent reporter to minimal (#10157)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[wyre-projects-bot]

Auto-approved by Dependabot janitor: patch/minor update, CI green.