[deps]: Update lint-staged to v16.4.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
lint-staged	16.2.3 → 16.4.0

---

Release Notes

lint-staged/lint-staged (lint-staged)

v16.4.0

Compare Source

Minor Changes

• #​1739 687fc90 Thanks @​hyperz111! - Replace micromatch with picomatch to reduce dependencies.

v16.3.4

Compare Source

Patch Changes

• #​1742 9d6e827 Thanks @​iiroj! - Update dependencies, including tinyexec@1.0.4 to make sure local node_modules/.bin are preferred to global locations (released in tinyexec@1.0.3).

v16.3.3

Compare Source

Patch Changes

• #​1740 0109e8d Thanks @​iiroj! - Make sure Git's warning about CRLF line-endings doesn't interfere with creating initial backup stash.

v16.3.2

Compare Source

Patch Changes

• #​1735 2adaf6c Thanks @​iiroj! - Hide the extra cmd window on Windows by spawning tasks without the detached option.

v16.3.1

Compare Source

Patch Changes

• #​1729 cd5d762 Thanks @​iiroj! - Remove nano-spawn as a dependency from package.json as it was replaced with tinyexec and is no longer used.

v16.3.0

Compare Source

Minor Changes

• #​1698 feda37a Thanks @​iiroj! - Run external processes with tinyexec instead of nano-spawn. nano-spawn replaced execa in lint-staged version 16 to limit the amount of npm dependencies required, but caused some unknown issues related to spawning tasks. Let's hope tinyexec improves the situation.

• #​1699 1346d16 Thanks @​iiroj! - Remove pidtree as a dependency. When a task fails, its sub-processes are killed more efficiently via the process group on Unix systems, and the taskkill command on Windows.

Patch Changes

• #​1726 87467aa Thanks @​iiroj! - Incorrect brace expansions like *.{js} (nothing to expand) are detected exhaustively, instead of just a single pass.

v16.2.7

Compare Source

Patch Changes

• #​1711 ef74c8d Thanks @​iiroj! - Do not display a "failed to spawn" error message when a task fails normally. This message is reserved for when the task didn't run because spawning it failed.

v16.2.6

Compare Source

Patch Changes

• #​1693 33d4502 Thanks @​Adrian-Baran-GY! - Fix problems with --continue-on-error option, where tasks might have still been killed (SIGINT) when one of them failed.

v16.2.5

Compare Source

Patch Changes

• #​1687 9e02d9d Thanks @​iiroj! - Fix unhandled promise rejection when spawning tasks (instead of the tasks themselves failing). Previously when a task failed to spawn, lint-staged also failed and the backup stash might not have been automatically restored.

v16.2.4

Compare Source

Patch Changes

• #​1682 0176038 Thanks @​iiroj! - Update dependencies, including nano-spawn@2.0.0 with bug fixes.

• #​1671 581a54e Thanks @​iiroj! - Speed up execution by only importing the yaml depedency if using YAML configuration files.

---

Configuration

📅 Schedule: Branch creation - "every 2nd week starting on the 2 week of the year before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying contributing-docs with    Cloudflare Pages

Latest commit:	682f2cc
Status:	✅  Deploy successful!
Preview URL:	https://68e2807f.contributing-docs.pages.dev
Branch Preview URL:	https://renovate-lint-staged-16-x.contributing-docs.pages.dev

View logs

[bitwarden-bot]

Internal tracking:

• ID: PM-33689
• Link: https://bitwarden.atlassian.net/browse/PM-33689

[github-actions]

Checkmarx One – Scan Summary & Details – 85abcef7-1583-4fcd-9cac-850fbd0e75bf

---

New Issues (8)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2026-33891	Npm-node-forge-1.3.1	details Recommended version: 1.4.0 Description: A Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the "BigInteger.modInverse()" function (inherit... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		CVE-2026-33894	Npm-node-forge-1.3.1	details Recommended version: 1.4.0 Description: Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 s... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3		CVE-2026-33895	Npm-node-forge-1.3.1	details Recommended version: 1.4.0 Description: Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid s... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
4		CVE-2026-33896	Npm-node-forge-1.3.1	details Recommended version: 1.4.0 Description: `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstr... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
5		CVE-2026-4867	Npm-path-to-regexp-0.1.12	details Recommended version: 0.1.13 Description: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a peri... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
6		CVE-2026-4926	Npm-path-to-regexp-3.3.0	details Recommended version: 8.4.0 Description: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as "{a}{b}{c}:z". The genera... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
7		CVE-2026-4926	Npm-path-to-regexp-0.1.12	details Recommended version: 0.1.13 Description: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as "{a}{b}{c}:z". The genera... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
8		CVE-2026-4926	Npm-path-to-regexp-1.9.0	details Recommended version: 8.4.0 Description: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as "{a}{b}{c}:z". The genera... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package