deps(deps): bump the all-dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the all-dependencies group with 10 updates in the / directory:

Package	From	To
@cloudflare/workers-types	4.20260118.0	4.20260131.0
@types/bun	1.3.6	1.3.8
globals	17.0.0	17.3.0
hono	4.11.4	4.11.7
prettier	3.8.0	3.8.1
srcpack	0.1.7	0.1.15
typescript-eslint	8.53.1	8.54.0
vitepress	2.0.0-alpha.15	2.0.0-alpha.16
vitepress-mermaid-renderer	1.1.7	1.1.8
zod	4.3.5	4.3.6

Updates @cloudflare/workers-types from 4.20260118.0 to 4.20260131.0

Commits

• See full diff in compare view

Updates @types/bun from 1.3.6 to 1.3.8

Commits

• See full diff in compare view

Updates globals from 17.0.0 to 17.3.0

Release notes

Sourced from globals's releases.

v17.3.0

• Update globals (2026-02-01) (#336) 295fba9

---

sindresorhus/globals@v17.2.0...v17.3.0

v17.2.0

• jasmine: Add throwUnless and throwUnlessAsync globals (#335) 97f23a7

---

sindresorhus/globals@v17.1.0...v17.2.0

v17.1.0

• Add webpack and rspack globals (#333) 65cae73

---

sindresorhus/globals@v17.0.0...v17.1.0

Commits

• 5edc602 17.3.0
• 295fba9 Update globals (2026-02-01) (#336)
• 8176ac7 17.2.0
• 97f23a7 jasmine: Add throwUnless and throwUnlessAsync globals (#335)
• 7a2f354 17.1.0
• 65cae73 Add webpack and rspack globals (#333)
• 3efe5aa Remove script transform (#332)
• See full diff in compare view

Updates hono from 4.11.4 to 4.11.7

Release notes

Sourced from hono's releases.

v4.11.7

Security Release

This release includes security fixes for multiple vulnerabilities in Hono and related middleware. We recommend upgrading if you are using any of the affected components.

Components

IP Restriction Middleware

Fixed an IPv4 address validation bypass that could allow IP-based access control to be bypassed under certain configurations.

Cache Middleware

Fixed an issue where responses marked with Cache-Control: private or no-store could be cached, potentially leading to information disclosure on some runtimes.

Serve Static Middleware (Cloudflare Workers adapter)

Fixed an issue that could allow unintended access to internal asset keys when serving static files with user-controlled paths.

hono/jsx ErrorBoundary

Fixed a reflected Cross-Site Scripting (XSS) issue in the ErrorBoundary component that could occur when untrusted strings were rendered without proper escaping.

Recommendation

Users are encouraged to upgrade to this release, especially if they:

• Use IP Restriction Middleware
• Use Cache Middleware on Deno, Bun, or Node.js
• Use Serve Static Middleware with user-controlled paths on Cloudflare Workers
• Render untrusted data inside ErrorBoundary components

Security Advisories & CVEs

• IP Restriction Middleware – IPv4 address validation bypass

  • Advisory: GHSA-r354-f388-2fhh
  • CVE: CVE-2026-24398

• Cache Middleware ignores Cache-Control: private

  • Advisory: GHSA-6wqw-2p9w-4vw4
  • CVE: CVE-2026-24472

• Serve Static Middleware (Cloudflare Workers adapter) – Arbitrary key read

  • Advisory: GHSA-w332-q679-j88p
  • CVE: CVE-2026-24473

• hono/jsx ErrorBoundary – Cross-Site Scripting (XSS)

  • Advisory: GHSA-9r54-q6cx-xmh5
  • CVE: Pending

... (truncated)

Commits

• f7d272a 4.11.7
• 2cf6004 Merge commit from fork
• cf9a78d Merge commit from fork
• edbf6ee Merge commit from fork
• 12c5117 Merge commit from fork
• 7343487 4.11.6
• b6e5a97 feat(bun): export getBunServer (#4626)
• 2a9cd95 fix(sse): handle \r and \r\n line endings in writeSSE (#4644)
• 8078bbf docs: align CODE_OF_CONDUCT.md wording with Contributor Covenant (#4630)
• a5be555 refactor: use unique symbol for more accurate typing. (#4651)
• Additional commits viewable in compare view

Updates prettier from 3.8.0 to 3.8.1

Release notes

Sourced from prettier's releases.

3.8.1

• Include available printers in plugin type declarations (#18706 by @​porada)

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.1

diff

Include available printers in plugin type declarations (#18706 by @​porada)

// Input
import * as prettierPluginEstree from "prettier/plugins/estree";
// Prettier 3.8.0
// Property 'printers' does not exist on type 'typeof import("prettier/plugins/estree")'. ts(2339)
prettierPluginEstree.printers.estree; //=> any
// Prettier 3.8.1
prettierPluginEstree.printers.estree; //=> Printer
prettierPluginEstree.printers["estree-json"]; //=> Printer

Commits

• 90983f4 Release 3.8.1
• 57f702f Include available printers in plugin type declarations (#18706)
• bece827 Revert change in release script
• 82a4ab2 Bump Prettier dependency to 3.8.0
• 5213ee4 Clean changelog_unreleased
• f95ad0f Comment out finished steps
• b2034e8 Fix release script
• 5824b15 Release 3.8.0
• 0433601 Add blog post for v3.8.0 (#18639)
• c45fef1 Fix LWC attribute with --embedded-language-formatting off (#18383)
• See full diff in compare view

Updates srcpack from 0.1.7 to 0.1.15

Release notes

Sourced from srcpack's releases.

v0.1.15

External Pattern Support

Patterns referencing parent directories (../) now skip .gitignore filtering since it only applies to files within the working directory.

// srcpack.config.ts
export default {
  bundles: {
    context: {
      include: [
        "src/**/*.ts",           // Respects .gitignore
        "../shared/utils/**/*",  // Skips .gitignore (external)
      ],
    },
  },
};

Full Changelog: kriasoft/srcpack@v0.1.14...v0.1.15

v0.1.14

What's Changed

• ci: add npm publish workflow by @​koistya in kriasoft/srcpack#7

Full Changelog: kriasoft/srcpack@v0.1.13...v0.1.14

v0.1.10

New Features

Prompt Option

Prepend instructions or file content to bundles for LLM context:

export default defineConfig({
  bundles: {
    review: {
      include: "src/**/*",
      prompt: "./prompts/review.md",  // load from file
    },
    analyze: {
      include: "lib/**/*",
      prompt: "Analyze this code for performance issues.",  // inline
    },
  },
});

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for srcpack since your current version.

Updates typescript-eslint from 8.53.1 to 8.54.0

Release notes

Sourced from typescript-eslint's releases.

v8.54.0

8.54.0 (2026-01-26)

🚀 Features

• eslint-plugin-internal: add prefer-tsutils-methods rule (#11974, #11625)
• scope-manager: support ScopeManager#addGlobals (#11914)
• typescript-estree: add shortcut methods to ParserServicesWithTypeInformation (#11965, #11955)

🩹 Fixes

• eslint-plugin: [no-unused-private-class-members] private destructured class member is defined but used (#11785)
• eslint-plugin: [no-unnecessary-type-assertion] check both base constraint and actual type for non-null assertions (#11967, #11559)
• scope-manager: fix catch clause scopes def.name (#11982)
• scope-manager: prevent misidentification of "use strict" directives (#11995)
• utils: handle missing FlatESLint and LegacyESLint (#11958)

❤️ Thank You

• Brad Zacher @​bradzacher
• fnx @​DMartens
• Francesco Trotta
• Josh Goldberg
• MinJae @​Ju-MINJAE
• Minyeong Kim @​minyeong981
• overlookmotel
• Yuya Yoshioka @​YuyaYoshioka
• 김현수 @​Kimsoo0119

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.54.0 (2026-01-26)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

Commits

• d423e57 chore(release): publish 8.54.0
• See full diff in compare view

Updates vitepress from 2.0.0-alpha.15 to 2.0.0-alpha.16

Release notes

Sourced from vitepress's releases.

v2.0.0-alpha.16

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vitepress's changelog.

2.0.0-alpha.16 (2026-01-31)

Bug Fixes

• always log error when failed to fetch page (66cf64e)
• theme: add fallback for heroImageSlotExists (#5076) (f119b18)
• theme: align badges in h1 and h2 (#5087) (closes #5063) (b200865)
• theme: highlight active link in mobile nav menu (#5086) (closes #5068, closes #5074) (923aa90)
• theme: overflow clip is buggy on safari (8ed6ea0), closes #5050 #5039 #5027
• theme: remove margin between code groups and blocks in markdown containers (a28e171), closes #5099

Features

• theme: upgrade DocSearch to 4.5 with sidepanel (#5092) (0d646a6)
• theme: use @layer __vitepress_base to wrap the styles in base.css (#4905) (f8d8c0d)

Commits

• 949e9b1 release: v2.0.0-alpha.16
• 0d646a6 feat(theme): upgrade DocSearch to 4.5 with sidepanel (#5092)
• d4796a0 docs: add vitepress-plugin-typesense npm link (#5100)
• a28e171 fix(theme): remove margin between code groups and blocks in markdown containers
• f8d8c0d feat(theme): use @layer __vitepress_base to wrap the styles in base.css (#4...
• 923aa90 fix(theme): highlight active link in mobile nav menu (#5086) (closes #5068, c...
• b200865 fix(theme): align badges in h1 and h2 (#5087) (closes #5063)
• f119b18 fix(theme): add fallback for heroImageSlotExists (#5076)
• 66cf64e fix: always log error when failed to fetch page
• 8ed6ea0 fix(theme): overflow clip is buggy on safari
• Additional commits viewable in compare view

Updates vitepress-mermaid-renderer from 1.1.7 to 1.1.8

Release notes

Sourced from vitepress-mermaid-renderer's releases.

1.1.8

Full Changelog: sametcn99/vitepress-mermaid-renderer@1.1.7...1.1.8

Changelog

Sourced from vitepress-mermaid-renderer's changelog.

1.1.8

• Updated Dependencies: Updated dependencies to their latest versions.
• Added Documentation Project to Repo: Added a dedicated documentation project within the repository to provide comprehensive guides and examples for users.

1.1.6

• Updated Dependencies: Updated dependencies to their latest versions.
• Download Diagrams: Users can now download diagrams directly from the toolbar.
• New Toolbar Button: Added a download button to the toolbar (disabled by default). Enable it via setToolbar({ desktop: { buttons: { download: 'enabled' } } }).
• Export Formats: Support for svg, png, and jpg formats. Configure the preferred format using the new downloadFormat option in MermaidToolbarOptions (default: "svg").

1.1.5

Basic

• No more manual import "vitepress-mermaid-renderer/dist/style.css"; styles are injected automatically when the renderer boots.
• setToolbar() lets you toggle every button per mode, move the toolbar to any corner, decide whether the zoom percentage stays visible, and hide the built-in VitePress language badge when you prefer a cleaner frame.
• Mobile gained optional zoomIn/zoomOut buttons (disabled by default) so touch users can zoom without relying on gestures, and the toolbar now disappears entirely when all controls are off.
• Tooling has been refreshed (Vite, Vue, lockfiles, etc.) to match the latest VitePress ecosystem.

Added

• Introduced a dedicated toolbar.ts module that models all toolbar controls, resolves per-mode overrides, and adds the new showLanguageLabel flag plus opt-in mobile zoomIn/zoomOut buttons.
• Exposed MermaidRenderer#setToolbar() and plumbed toolbar data through <MermaidDiagram> and <MermaidControls>, enabling consumers to fully customize button states, placement, zoom readouts, and whether the original VitePress language badge should remain.
• Added a styleManager that injects the package CSS exactly once on the client and declared *.css?inline modules so TypeScript understands the new import pattern.

Changed

• MermaidRenderer now initializes itself on construction, listens for DOM readiness, and uses a scoped MutationObserver plus exponential backoff retries to re-render diagrams after VitePress navigations or late content loads. Manual initialize()/renderMermaidDiagrams() calls are no longer needed.
• Wrapper cleanup now strips VitePress’ default “mermaid” corner label when showLanguageLabel is disabled, preventing duplicate badges inside the rendered container.
• <MermaidControls> renders desktop/mobile toolbars conditionally, applies per-mode position classes, and respects the resolved button states (including the newly optional mobile zoom controls) so unused chrome never appears.
• <MermaidDiagram> centralizes all mouse/touch handlers, manages fullscreen against the outer container, and resolves incoming toolbar props before passing them down to the controls.
• Package entrypoint immediately injects styles, exports createMermaidRenderer (also as the default export), and drops the SSR no-op shim plus the previous component/composable re-exports so no unnecessary modules are importable from the package root anymore.
• Internal helpers that callers never needed (e.g., manual initialize() or setConfig() handles) are now private behind createMermaidRenderer, reducing the accidental public API surface.
• Core renderer and toolbar functions now carry JSDoc comments so TypeScript-aware editors surface clearer intellisense and usage hints.
• Documentation now highlights Bun installation, updates the quick-start snippet for the new API, and ships a concise toolbar option table so every toggleable control is discoverable at a glance.
• The example VitePress theme config configures the toolbar (including hiding the language label) and no longer calls initialize() manually; the bundled test project consumes the freshly packed 1.0.20 tarball.
• Updated CSS to support per-corner positioning classes, fullscreen transitions tied to the container, and better spacing for the zoom readout in mobile layouts.
• Bumped dev dependencies (e.g., vite@7.2.1, vue@3.5.23) and refreshed both lockfiles to pick up the latest patches.

Fixed

• Added guards that prevent re-render attempts from looping on already-processed nodes by ignoring existing .mermaid-wrapper roots and batching mutation callbacks.
• Ensured the mobile toolbar hides entirely when every control is disabled, eliminating empty floating containers.

Commits

• 2b9404a bump vitepress-mermaid-renderer dependency to version 1.1.8
• ee5e922 Published 1.1.8 with updated dependencies and added documentation project
• ad8df7a Add Buy Me a Coffee username for sponsorship
• 48a6a80 Add CONTRIBUTING.md file with contribution guidelines
• 06fd05c Create SECURITY.md
• ce94a9c Add Contributor Covenant Code of Conduct
• 0e83fb3 Update issue templates
• See full diff in compare view

Updates zod from 4.3.5 to 4.3.6

Release notes

Sourced from zod's releases.

v4.3.6

Commits:

• 9977fb0868432461de265a773319e80a90ba3e37 Add brand.dev to sponsors
• f4b7bae3468f6188b8f004e007d722148fc91d77 Update pullfrog.yml (#5634)
• 251d7163a0ac7740fee741428d913e3c55702ace Clean up workflow_call
• edd4132466da0f5065a8e051b599d01fdd1081d8 fix: add missing User-agent to robots.txt and allow all (#5646)
• 85db85e9091d0706910d60c7eb2e9c181edd87bd fix: typo in codec.test.ts file (#5628)
• cbf77bb12bdfda2e054818e79001f5cb3798ce76 Avoid non null assertion (#5638)
• dfbbf1c1ae0c224b8131d80ddf0a264262144086 Avoid re-exported star modules (#5656)
• 762e911e5773f949452fd6dd4e360f2362110e8e Generalize numeric key handling
• ca3c8629c0c2715571f70b44c2433cad3db7fe4e v4.3.6

Commits

• ca3c862 v4.3.6
• 762e911 Generalize numeric key handling
• dfbbf1c Avoid re-exported star modules (#5656)
• cbf77bb Avoid non null assertion (#5638)
• 85db85e fix: typo in codec.test.ts file (#5628)
• edd4132 fix: add missing User-agent to robots.txt and allow all (#5646)
• 251d716 Clean up workflow_call
• f4b7bae Update pullfrog.yml (#5634)
• 9977fb0 Add brand.dev to sponsors
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.54%. Comparing base (aaa14ca) to head (aa36dd0).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #111   +/-   ##
=======================================
  Coverage   82.54%   82.54%           
=======================================
  Files          79       79           
  Lines        6399     6399           
=======================================
  Hits         5282     5282           
  Misses       1117     1117           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.