Skip to content

chore(deps): update dependencies#171

Merged
maiis merged 1 commit into
mainfrom
renovate/dependencies
Jul 11, 2026
Merged

chore(deps): update dependencies#171
maiis merged 1 commit into
mainfrom
renovate/dependencies

Conversation

@maiis

@maiis maiis commented Jul 5, 2026

Copy link
Copy Markdown
Owner

This PR contains the following updates:

Package Change Age Confidence
@biomejs/biome (source) 2.5.22.5.3 age confidence
@fastify/helmet 13.0.213.1.0 age confidence
@fastify/multipart 10.0.010.1.0 age confidence
@fastify/static 9.1.39.3.0 age confidence
@types/node (source) 25.9.425.9.5 age confidence
@vitest/coverage-v8 (source) 4.1.94.1.10 age confidence
@vitest/ui (source) 4.1.94.1.10 age confidence
fastify (source) 5.9.05.10.0 age confidence
vite (source) 8.1.38.1.4 age confidence
vitest (source) 4.1.94.1.10 age confidence

Release Notes

biomejs/biome (@​biomejs/biome)

v2.5.3

Compare Source

Patch Changes
  • #​10815 86613d5 Thanks @​WaterWhisperer! - Fixed a parser panic reported in #​10708: Biome now recovers when unsupported CSS Modules @value rules or scoped @keyframes names end at EOF.

  • #​10534 da9b403 Thanks @​Mokto! - Fixed noUnusedVariables false positives in Svelte files: Svelte store subscriptions ($store references in templates now keep the underlying store binding from being flagged), and $bindable() props that are only written to in the script block (write-only is intentional for bindable props) are no longer reported as unused.

  • #​10827 098ba41 Thanks @​Aqu1bp! - Fixed #​10698: The noUnsafeOptionalChaining rule now reports unsafe optional chains wrapped in TypeScript as, satisfies, type assertion, and instantiation expressions, such as new (value?.constructor as Constructor)().

  • #​10773 3c6513d Thanks @​otkrickey! - Fixed #​10772: useVueValidVOn no longer reports a missing handler for v-on directives using a verb modifier (.stop / .prevent) without an expression, e.g. <div @&#8203;click.stop></div>. The rule also accepts the arg-less object syntax <div v-on="$listeners"></div> instead of reporting a missing event name.

  • #​10721 d83c66b Thanks @​minseong0324! - Improved type-aware lint rule inference for built-in globals and indexed function calls. Biome now resolves Error(...), new Error(...), optional Error#stack, and calls through indexed function values such as handlers[0]() more accurately.

  • #​10865 6450276 Thanks @​ematipico! - Fixed #​10845. Biome Language Server no longer goes in deadlock when the scanner is enabled.

  • #​10853 93d8e53 Thanks @​Netail! - Fixed #​10840: Astro shorthand attribute syntax is now correctly being parsed from embedded nodes.

  • #​10820 bba3092 Thanks @​JamBalaya56562! - Fixed #​10619: noProcessEnv now also reports computed (bracket) member access. Previously only dot access was checked, so process["env"] and env["NODE_ENV"] (where env is imported from node:process) were missed. Both static and computed accesses are now reported.

  • #​10835 3447b2f Thanks @​dyc3! - Fixed #​10824: useDomQuerySelector now supports an ignore option for receiver identifiers that should not be reported.

  • #​10875 b12e486 Thanks @​dyc3! - Fixed #​10795: --profile-rules now reports timings for each plugin separately as plugin/<pluginName>, matching the naming used by plugin suppressions, instead of aggregating all plugins under a single plugin/plugin entry.

  • #​10877 d6bc447 Thanks @​ematipico! - Fixed biome-zed#164: Biome no longer inserts stray whitespace when format-on-type runs after closing delimiters such as ), ], and }.

  • #​10867 a21463e Thanks @​dyc3! - Fixed #​10864: Biome no longer crashes when checking or linting HTML files with unquoted attribute values such as <textarea rows=4></textarea>.

fastify/fastify-helmet (@​fastify/helmet)

v13.1.0

Compare Source

What's Changed

New Contributors

Full Changelog: fastify/fastify-helmet@v13.0.2...v13.1.0

fastify/fastify-multipart (@​fastify/multipart)

v10.1.0

Compare Source

What's Changed

Full Changelog: fastify/fastify-multipart@v10.0.0...v10.1.0

fastify/fastify-static (@​fastify/static)

v9.3.0

Compare Source

What's Changed

  • chore: update fastify-plugin dependency to version 6.0.0 by @​Puppo in #​594

New Contributors

Full Changelog: fastify/fastify-static@v9.2.0...v9.3.0

v9.2.0

Compare Source

What's Changed

New Contributors

Full Changelog: fastify/fastify-static@v9.1.3...v9.2.0

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.10

Compare Source

   🐞 Bug Fixes
    View changes on GitHub
fastify/fastify (fastify)

v5.10.0

Compare Source

What's Changed

New Contributors

Full Changelog: fastify/fastify@v5.9.0...v5.10.0

vitejs/vite (vite)

v8.1.4

Compare Source

Features
Bug Fixes
Documentation
Miscellaneous Chores
Code Refactoring
Tests
Build System

Configuration

📅 Schedule: (in timezone Europe/Zurich)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@claude

claude Bot commented Jul 5, 2026

Copy link
Copy Markdown

Code Review: fastify 5.9.0 → 5.10.0

This is a Renovate-generated minor dependency bump. Here's the analysis:

What Changed

Direct dependency:

  • fastify: 5.9.05.10.0

Transitive dependency (indirect, via fastify):

  • fast-json-stringify: 6.3.07.0.0 (major version bump)

Notable Improvements in 5.10.0

  • Performance: Reduced per-request overhead in the request lifecycle (#6831) — a free win for the web server.
  • Bug fix: reply.hijack() now correctly clears socket._meta when onTimeout is registered (#6810).
  • Bug fix: request.port is now correctly derived from request.host (#6680) — relevant if any code reads request.port.
  • Bug fix: ContentType is now used to properly detect json and charset in reply.send (#6830).
  • New feature: Log controller layer introduced (#6580) — opt-in, no breaking change.

fast-json-stringify Major Bump (v6 → v7)

The lock file correctly handles this: @fastify/fast-json-stringify-compiler keeps its own pinned copy of fast-json-stringify@6.3.0, and only the top-level fastify dependency uses v7. This split is expected and intentional — no action needed.

Lock File

The bun.lock changes look correct:

  • fastify entry updated with new hash and updated fast-json-stringify range (^6.0.0^7.0.0).
  • New nested resolution entry added: @fastify/fast-json-stringify-compiler/fast-json-stringify pinned at 6.3.0 to satisfy the compiler's older range.
  • package.json has only the expected single-line change.

Assessment

This is a safe, low-risk update. It's a minor semver bump with no breaking changes, includes a performance improvement, and the lock file is consistent. The project's existing server.test.ts suite should be sufficient to catch any regressions.

Recommendation: ✅ Approve and merge.

@maiis
maiis force-pushed the renovate/dependencies branch from 37c70f9 to e9d7420 Compare July 6, 2026 10:05
@maiis maiis changed the title chore(deps): update dependency fastify to v5.10.0 chore(deps): update dependencies Jul 6, 2026
@claude

claude Bot commented Jul 6, 2026

Copy link
Copy Markdown

Code Review: chore(deps): update dependencies

Overview

This is a routine Renovate-generated dependency update PR bumping four packages:

Package Old New Type
fastify 5.9.0 5.10.0 minor
vitest 4.1.9 4.1.10 patch
@vitest/coverage-v8 4.1.9 4.1.10 patch
@vitest/ui 4.1.9 4.1.10 patch

Analysis

vitest 4.1.10 (patch — low risk)

  • Fixes a browser filesystem access check in builtin commands
  • Fixes a VM module resolve error with encoded URIs and the deps optimizer
  • No breaking changes; straightforward patch update

fastify 5.10.0 (minor — worth noting)

  • Performance improvement: reduced per-request overhead in the request lifecycle — a net positive for the web app
  • Fixes reply.hijack() socket metadata leak when onTimeout is registered
  • Fixes request.port derivation from request.host
  • Introduces a new log controller layer (additive, no breaking changes)
  • Transitively bumps fast-json-stringify from ^6.0.0 to ^7.0.0 — a major version bump of a transitive dep. Fastify manages this intentionally via its own compiler wrapper, and the lock correctly keeps @fastify/fast-json-stringify-compiler pinned to fast-json-stringify@6.3.0 for its own internal use, so both versions coexist safely.

Lock file cleanup
The bun.lock drops ~50 lines of deduplicated vitest/vite sub-entries (rolldown bindings, postcss, etc.). This is expected and correct — vitest 4.1.10 now aligns its internal vite dependency with the top-level vite@8.x already in the project, eliminating the need for separate resolution paths.


Verdict

Safe to merge. All updates are low-risk patch/minor bumps from active, well-maintained projects. No application logic is changed. The fastify transitive dependency restructuring is intentional upstream behavior and is handled correctly in the lock file.

Suggestion: If CI passes (tests + type checks), this can be merged without further review. Enabling automerge for this class of Renovate PRs (patch-level test tooling, minor Fastify bumps with high confidence scores) could reduce maintenance overhead going forward.

@maiis
maiis force-pushed the renovate/dependencies branch from e9d7420 to 3d7234d Compare July 8, 2026 10:05
@claude

claude Bot commented Jul 8, 2026

Copy link
Copy Markdown

Dependency Update Review

PR: chore(deps): update dependencies (Renovate)

Overview

Routine automated patch/minor dependency bumps across 6 packages. All changes are in package.json and bun.lock only — no production code changes.

Package Change Type
@biomejs/biome 2.5.2 → 2.5.3 Patch (bug fixes)
@types/node 25.9.4 → 25.9.5 Patch
@vitest/coverage-v8 4.1.9 → 4.1.10 Patch (bug fixes)
@vitest/ui 4.1.9 → 4.1.10 Patch
fastify 5.9.0 → 5.10.0 Minor (new features + fixes)
vitest 4.1.9 → 4.1.10 Patch (bug fixes)

Notable Changes

fastify 5.9.0 → 5.10.0 is the most significant update here:

  • Internally bumps fast-json-stringify from ^6 to ^7 (major version). The lock file handles this correctly — @fastify/fast-json-stringify-compiler retains its own pinned fast-json-stringify@6.3.0 entry, so there's no conflict.
  • Includes a performance improvement: "reduce per-request overhead in the request lifecycle" — a net positive for the web server.
  • Bug fixes: reply.send content-type detection, request.port derivation from request.host, socket._meta clearing on reply.hijack().
  • New feature: log controller layer — unused here, no action needed.

biome 2.5.2 → 2.5.3 fixes a deadlock in the Language Server and a parser panic on CSS modules — both developer experience improvements with no impact on output.

vitest 4.1.10 fixes a browser filesystem access check and a VM module resolution edge case — neither applies to this project's test setup.

Lock File

The bun.lock simplification is expected: vitest/vite and its nested rolldown@1.0.3 sub-tree are removed (46 lines), as the updated vitest now shares the top-level vite@8.1.3. This is correct behaviour and reduces lock file bloat.

Assessment

Safe to merge. All updates are low-risk with no API-breaking changes for this project. The fastify minor bump brings performance and correctness improvements. No source code or tests are affected. Recommend verifying CI passes (tests + format check) before merging.

@maiis
maiis force-pushed the renovate/dependencies branch from 3d7234d to 0d120ba Compare July 8, 2026 16:05
@claude

claude Bot commented Jul 8, 2026

Copy link
Copy Markdown

Dependency Update Review

Summary: Renovate-generated bump of 9 packages — all patch or minor in package.json, with two noteworthy transitive major bumps in the lock file.


What Changed

Package Change Type
@biomejs/biome 2.5.2 to 2.5.3 patch
@fastify/helmet 13.0.2 to 13.1.0 minor
@fastify/multipart 10.0.0 to 10.1.0 minor
@fastify/static 9.1.3 to 9.2.0 minor
@types/node 25.9.4 to 25.9.5 patch
fastify 5.9.0 to 5.10.0 minor
vitest and @vitest/* 4.1.9 to 4.1.10 patch

Notable highlights

@fastify/multipart 10.0.0 to 10.1.0 — This is the most relevant fix for QuickYNAB. The bug fix (fastify/fastify-multipart#631) addresses busboy holding undelivered parts during parts() iteration — directly related to the CSV file upload flow. Worth verifying with the existing server.test.ts upload tests.

fastify 5.9.0 to 5.10.0 — Includes a performance improvement (reduced per-request lifecycle overhead), a fix for reply.hijack() socket cleanup, and the new log controller layer. All low-risk for this use case.

@fastify/static 9.1.3 to 9.2.0 — Fixes propagation of return value from fastify.errorHandler, which could affect how static file errors surface.


Transitive major bumps (lock file only)

The bun.lock shows two transitive major version jumps that do not appear in package.json:

  • fastify-plugin 5.1.0 to 6.0.0 — Required by the updated @fastify/helmet and @fastify/multipart. The lock file correctly scopes @fastify/rate-limit and @fastify/static to the older fastify-plugin@5.1.0 under their own paths, so there is no version conflict.
  • fast-json-stringify 6.3.0 to 7.0.0 — Pulled in by fastify@5.10.0 which now requires ^7.0.0. The old 6.x version is retained under the @fastify/fast-json-stringify-compiler scope path. This is expected and handled correctly by Bun's lockfile.

Assessment

Safe to merge. The changes are mechanically clean, and the lock file correctly resolves the dual-version scenario for fastify-plugin and fast-json-stringify. No source code changes. The @fastify/multipart bugfix is a meaningful improvement for the upload path.

Recommended: Run bun test before merging to confirm the test suite stays green, particularly server.test.ts which covers the multipart upload endpoint.

@maiis
maiis force-pushed the renovate/dependencies branch from 0d120ba to 053fed3 Compare July 8, 2026 22:06
@claude

claude Bot commented Jul 8, 2026

Copy link
Copy Markdown

Code Review: PR #171 — chore(deps): update dependencies

Overview

This is a Renovate-generated dependency update PR bumping 9 packages across dev, optional, and type dependencies. All changes are limited to package.json and bun.lock — no source code is modified.


Package-by-package assessment

Fastify ecosystem (optional dependencies — runtime impact)

  • fastify 5.9.05.10.0 ✅ — Minor version with performance improvements (perf: reduce per-request overhead in the request lifecycle) and a meaningful bug fix (fix: clear socket._meta on reply.hijack() when onTimeout is registered). Low risk.
  • @fastify/multipart 10.0.010.1.0 ✅ — Contains a notable functional bug fix: "do not end parts() iteration while busboy still holds undelivered parts". This could affect CSV upload reliability under certain conditions. Worth validating file upload behavior after merging.
  • @fastify/helmet 13.0.213.1.0 ✅ — Mostly CI/chore changes. The transitive fastify-plugin dependency bumps from ^5.0.0 to ^6.0.0 (same in @fastify/multipart and @fastify/static). This is consistent across all three plugins and should be safe.
  • @fastify/static 9.1.39.3.0 ✅ — Two minor releases; includes a bug fix for reply.errorHandler propagation and a fastify-plugin@6 bump. Low risk.

Dev tooling (no runtime impact)

  • @biomejs/biome 2.5.22.5.3 ✅ — Patch with linter false-positive fixes and a parser panic fix. Safe.
  • vitest / @vitest/coverage-v8 / @vitest/ui 4.1.94.1.10 ✅ — Bug fixes for browser filesystem access and VM module resolution. Safe.
  • @types/node 25.9.425.9.5 ✅ — Type definitions patch. Safe.

Potential concerns

  1. fastify-plugin major bump (v5 → v6) as a transitive dep: Three Fastify plugins now require fastify-plugin@^6. If any other plugin in the dependency tree still pins fastify-plugin@^5, there could be a version conflict. The lockfile resolves this correctly (Bun deduplicates), but worth confirming CI passes cleanly.

  2. @fastify/multipart busboy fix: The fix for premature iteration ending could change behavior for uploads where busboy held undelivered parts. Since this project uses multipart for CSV uploads, the fix is actually beneficial — but the upload endpoint (server.ts) should be covered by the existing server.test.ts tests.


Checklist

  • Changes limited to package.json and bun.lock
  • All updates are patch or minor versions (no breaking changes expected)
  • Security-relevant package (@fastify/helmet) updated
  • CI tests passing (confirm before merge)

Verdict

Approve and merge. This is a routine, low-risk dependency maintenance PR. The @fastify/multipart busboy bug fix is a net positive for upload reliability. Ensure CI passes before merging.

@maiis
maiis force-pushed the renovate/dependencies branch from 053fed3 to d57647d Compare July 9, 2026 10:05
@claude

claude Bot commented Jul 9, 2026

Copy link
Copy Markdown

Dependency Update Review

PR: chore(deps): update dependencies
Scope: package.json + bun.lock only — no source code changes


Summary of Changes

Package Change Category
fastify 5.9.0 → 5.10.0 runtime (minor)
@fastify/helmet 13.0.2 → 13.1.0 runtime (minor)
@fastify/multipart 10.0.0 → 10.1.0 runtime (minor)
@fastify/static 9.1.3 → 9.3.0 runtime (minor, 2 releases)
@biomejs/biome 2.5.2 → 2.5.3 dev-only (patch)
vitest / @vitest/* 4.1.9 → 4.1.10 dev-only (patch)
vite 8.1.3 → 8.1.4 dev-only (patch)
@types/node 25.9.4 → 25.9.5 dev-only (patch)

Notable Items

@fastify/multipart 10.0.0 → 10.1.0 — most operationally relevant

This release includes a meaningful bug fix: "do not end parts() iteration while busboy still holds undelivered parts". This directly affects the CSV upload flow in server.ts (the request.file() and data.toBuffer() calls). The fix prevents premature iteration ending during multipart parsing, which could have caused silent data truncation under certain upload conditions. This is an improvement.

fastify 5.9.0 → 5.10.0 — dual-version handling in lockfile

Two transitive dependency bumps to be aware of:

  • fast-json-stringify jumps from v6 → v7 at the top level, but the lockfile correctly preserves fast-json-stringify@6.3.0 as a scoped entry under @fastify/fast-json-stringify-compiler, so both versions coexist safely.
  • fastify-plugin jumps from 5.1.0 → 6.0.0. Three plugins updated their peer requirement to v6; @fastify/rate-limit (unchanged) retains its own scoped fastify-plugin@5.1.0. This split is handled correctly by Bun.

@fastify/static 9.1.3 → 9.3.0

Includes a fix: "propagate return value from fastify.errorHandler". Since server.ts doesn't register a custom error handler for static files, behavior is unchanged in practice.

@fastify/helmet 13.0.2 → 13.1.0

CI/infrastructure changes only — no logic changes to security header generation. The CSP configuration in server.ts is unaffected.


Lockfile Analysis

The bun.lock changes are mechanically correct:

  • −111 lines: The vitest-owned vite sub-tree (vite 8.0.16 + rolldown 1.0.3 + 17 platform binaries) is removed because vitest 4.1.10 now satisfies its peer requirement with the top-level vite@8.1.4. This is correct and reduces lockfile bloat.
  • +69 lines: Package hash/version updates plus two new scoped entries for the dual-version scenarios described above.
  • Net reduction of 42 lines is a hygiene improvement.

Security Considerations

No new attack surface is introduced. The @fastify/helmet update is CI-only. The fastify-plugin v6 major bump is an internal plugin interface update with no security posture changes.


Test Coverage

No new tests are needed — this is a pure dependency update with no application logic changes. The key gate is confirming bun test passes, particularly server.test.ts which covers the multipart upload endpoint that benefits from the @fastify/multipart busboy fix.


Verdict

Safe to merge. Routine automated maintenance with no breaking changes. The @fastify/multipart busboy fix is a genuine reliability improvement for CSV uploads.

Pre-merge: Confirm bun test (especially server.test.ts) and bun run format:check pass — a green CI run is sufficient.

Optional follow-up: When @fastify/rate-limit publishes an update adopting fastify-plugin@^6, the scoped lockfile entry for @fastify/rate-limit/fastify-plugin can be removed, fully resolving the dual-version split.


Review generated by Claude Sonnet 4.6

@maiis
maiis merged commit 1412031 into main Jul 11, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant