chore(deps-dev): bump the dev-dependencies group with 8 updates

[dependabot]

Bumps the dev-dependencies group with 8 updates:

Package	From	To
@cyclonedx/cdxgen	12.1.5	12.2.0
@typescript-eslint/eslint-plugin	8.58.2	8.59.0
@typescript-eslint/parser	8.58.2	8.59.0
@vitest/coverage-v8	4.1.4	4.1.5
eslint	10.2.0	10.2.1
markdownlint-cli2	0.22.0	0.22.1
vite	8.0.8	8.0.10
vitest	4.1.4	4.1.5

Updates @cyclonedx/cdxgen from 12.1.5 to 12.2.0

Release notes

Sourced from @​cyclonedx/cdxgen's releases.

Release v12.2.0

The beginning of the cycle where the AI agents write more code than humans.

This release is MINOR and includes a number of changes including BREAKING changes.

The default CycloneDX specification version is now 1.7. Please use --spec-version 1.6 or lower for compatibility with existing platforms.

cdxgen continues to lose weight. We have removed more dependencies such as sqlite3 and jws by rewriting code to make use of native Node modules. cdxgen will now install in more environments with fewer build errors and build dependencies such as gcc or sqlite3 devel packages. Fewer dependencies = less risk.

vscode extensions (*.vsix and default IDE extensions directories) are now supported. Refer to the project types document for all the types supported.

We have added two new commands: cdx-validate and cdx-sign. Both these are feature rich and capable.

Formulation parsers are revamped to support a range of CI/CD workflow configurations. All custom properties are now documented here.

NEW BOM audit feature in preview mode for feedback.

What's Changed

🤖 AI-pair Changes

• Harden pre-generation environment audit and refactor into --env-audit command by @​Copilot in cdxgen/cdxgen#3863
• feat: CI parser registry, formulation rewrite, extended CI fixture coverage, and CycloneDX schema compliance fixes by @​Copilot in cdxgen/cdxgen#3865
• Harden bom-audit rule engine, add package-integrity rules, tests, and documentation by @​Copilot in cdxgen/cdxgen#3867
• Add security policy, threat model, and SLA documentation by @​Copilot in cdxgen/cdxgen#3868
• Enhance CI/CD security rules by @​prabhu in cdxgen/cdxgen#3869
• feat: add VS Code extension support with deep BOM generation and capability extraction by @​Copilot in cdxgen/cdxgen#3870
• cdx-validate command by @​prabhu in cdxgen/cdxgen#3872
• Fix dependsOn: [null] in PHP/Composer BOMs by @​Copilot in cdxgen/cdxgen#3873

🤖 AI-assisted Changes

• Adds config confusion/exfiltration warnings by @​prabhu in cdxgen/cdxgen#3859
• Update pnpm + multiple improvements by @​prabhu in cdxgen/cdxgen#3860
• WIP: pnpm v11 support by @​prabhu in cdxgen/cdxgen#3861
• BOM signers and some tweaks by @​prabhu in cdxgen/cdxgen#3871

📚 Documentation

• docs: Add/update JSDoc comments with correct type information across codebase by @​Copilot in cdxgen/cdxgen#3864
• Make Current key inventory (grouped) an operational policy reference by @​Copilot in cdxgen/cdxgen#3866

New Contributors

• @​Copilot made their first contribution in cdxgen/cdxgen#3862

Full Changelog: cdxgen/cdxgen@v12.1.5...v12.2.0

Commits

• a028187 release label
• 5bfd5f5 package updates
• 81f1d5f Update mcr.microsoft.com/dotnet/sdk:9.0-alpine Docker digest to 93efcdf (#3876)
• 25aa67f Update rust:1.94.1-alpine Docker digest to 77237dd (#3899)
• 189206f Update ruby:4.0.2-slim-trixie Docker digest to 12f002f (#3898)
• 29b8e59 Update ruby:4.0.2-alpine3.22 Docker digest to 303b504 (#3897)
• afeea41 Update ruby:3.4.9-slim-trixie Docker digest to 2a5b7e6 (#3896)
• 4ee8ce9 Update ruby:3.4.9-alpine Docker digest to 8a962e9 (#3895)
• 057bbfc Update registry.suse.com/bci/ruby:2.5 Docker digest to f717eb5 (#3893)
• 7867ce1 Update registry.suse.com/bci/dotnet-sdk Docker tag to v9.0.15 (#3905)
• Additional commits viewable in compare view

Updates @typescript-eslint/eslint-plugin from 8.58.2 to 8.59.0

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• ea9ae4f chore(release): publish 8.59.0
• cfca550 feat(eslint-plugin): [no-unnecessary-type-assertion] report more cases based ...
• 6d599b4 chore(eslint-plugin): switch auto-generated test cases to hand-written in ret...
• 33c8169 chore: fix cspell violations in code blocks (#12167)
• See full diff in compare view

Updates @typescript-eslint/parser from 8.58.2 to 8.59.0

Release notes

Sourced from @​typescript-eslint/parser's releases.

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/parser's changelog.

8.59.0 (2026-04-20)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• ea9ae4f chore(release): publish 8.59.0
• See full diff in compare view

Updates @vitest/coverage-v8 from 4.1.4 to 4.1.5

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.5

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in vitest-dev/vitest#10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in vitest-dev/vitest#10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in vitest-dev/vitest#10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in vitest-dev/vitest#10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in vitest-dev/vitest#10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in vitest-dev/vitest#8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in vitest-dev/vitest#8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in vitest-dev/vitest#10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in vitest-dev/vitest#10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in vitest-dev/vitest#10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in vitest-dev/vitest#9927 and vitest-dev/vitest#10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in vitest-dev/vitest#10154 (6abd5)

    View changes on GitHub

Commits

• e399846 chore: release v4.1.5
• See full diff in compare view

Updates eslint from 10.2.0 to 10.2.1

Release notes

Sourced from eslint's releases.

v10.2.1

Bug Fixes

• 14be92b fix: model generator yield resumption paths in code path analysis (#20665) (sethamus)
• 84a19d2 fix: no-async-promise-executor false positives for shadowed Promise (#20740) (xbinaryx)
• af764af fix: clarify language and processor validation errors (#20729) (Pixel998)
• e251b89 fix: update eslint (#20715) (renovate[bot])

Documentation

• ca92ca0 docs: reuse markdown-it instance for markdown filter (#20768) (Amaresh S M)
• 57d2ee2 docs: Enable Eleventy incremental mode for watch (#20767) (Amaresh S M)
• c1621b9 docs: fix typos in code-path-analyzer.js (#20700) (Ayush Shukla)
• 1418d52 docs: Update README (GitHub Actions Bot)
• 39771e6 docs: Update README (GitHub Actions Bot)
• 71e0469 docs: fix incomplete JSDoc param description in no-shadow rule (#20728) (kuldeep kumar)
• 22119ce docs: clarify scope of for-direction rule with dead code examples (#20723) (Amaresh S M)
• 8f3fb77 docs: document meta.docs.dialects (#20718) (Pixel998)

Chores

• 7ddfea9 chore: update dependency prettier to v3.8.2 (#20770) (renovate[bot])
• fac40e1 ci: bump pnpm/action-setup from 5.0.0 to 6.0.0 (#20763) (dependabot[bot])
• 7246f92 test: add tests for SuppressionsService.load() error handling (#20734) (kuldeep kumar)
• 4f34b1e chore: update pnpm/action-setup action to v5 (#20762) (renovate[bot])
• 51080eb test: processor service (#20731) (kuldeep kumar)
• e7e1889 chore: remove stale babel-eslint10 fixture and test (#20727) (kuldeep kumar)
• 4e1a87c test: remove redundant async/await in flat config array tests (#20722) (Pixel998)
• 066eabb test: add rule metadata coverage for languages and docs.dialects (#20717) (Pixel998)

Commits

• 4d1d8f9 10.2.1
• 3e33105 Build: changelog update for 10.2.1
• ca92ca0 docs: reuse markdown-it instance for markdown filter (#20768)
• 7ddfea9 chore: update dependency prettier to v3.8.2 (#20770)
• 57d2ee2 docs: Enable Eleventy incremental mode for watch (#20767)
• c1621b9 docs: fix typos in code-path-analyzer.js (#20700)
• fac40e1 ci: bump pnpm/action-setup from 5.0.0 to 6.0.0 (#20763)
• 7246f92 test: add tests for SuppressionsService.load() error handling (#20734)
• 4f34b1e chore: update pnpm/action-setup action to v5 (#20762)
• 1418d52 docs: Update README
• Additional commits viewable in compare view

Updates markdownlint-cli2 from 0.22.0 to 0.22.1

Changelog

Sourced from markdownlint-cli2's changelog.

0.22.1

• Update dependencies

Commits

• 996abf6 Update to version 0.22.1.
• 70b6875 Improve definition of OutputFormatterConfiguration type, minor other type twe...
• 2cf5440 Add additional test case for previous commit fixing dotfile behavior.
• 21c53ed Bump eslint from 10.2.0 to 10.2.1
• b738aa0 Update removeIgnoredFiles use of micromatch to include dotfiles for consisten...
• 24c04f4 Bump junit-report-builder from 5.1.1 to 5.1.2 in /formatter-junit
• 650f208 Bump pnpm/action-setup from 5 to 6
• 726eaab Bump eslint from 10.1.0 to 10.2.0
• 1aa7579 Update indirect playwright dependencies to 1.59.1.
• fee080d Bump @​playwright/test from 1.58.2 to 1.59.1
• Additional commits viewable in compare view

Updates vite from 8.0.8 to 8.0.10

Release notes

Sourced from vite's releases.

v8.0.10

Please refer to CHANGELOG.md for details.

v8.0.9

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.10 (2026-04-23)

Features

• update rolldown to 1.0.0-rc.17 (#22299) (a4d06d9)

Bug Fixes

• hmrClient.logger.debug and hmrClient.logger.error looked different from other HMR logs (#22147) (a4d828f)
• css: show filename in CSS minification warnings for .css?inline (#22292) (83f0a78)
• optimizer: allow user transform.target to override default in optimizeDeps (#22273) (5c7cec6)
• remove format sniffing module resolution from JS resolver (#22297) (b8a21cc)

Code Refactoring

• enable some typecheck rules (#22278) (9437518)
• typecheck client directory (#22284) (40a0847)

8.0.9 (2026-04-20)

Features

• update rolldown to 1.0.0-rc.16 (#22248) (2947edd)

Bug Fixes

• allow binding when strictPort is set but wildcard port is in use (#22150) (dfc8aa5)
• build: emptyOutDir should happen for watch rebuilds (#22207) (ee52267)
• bundled-dev: reject requests to HMR patch files in non potentially trustworthy origins (#22269) (868f141)
• css: use unique key for cssEntriesMap to prevent same-basename collision (#22039) (374bb5d)
• deps: update all non-major dependencies (#22219) (4cd0d67)
• deps: update all non-major dependencies (#22268) (c28e9c1)
• detect Deno workspace root (fix #22237) (#22238) (1b793c0)
• dev: handle errors in watchChange hook (#22188) (fc08bda)
• optimizer: handle more chars that will be sanitized (#22208) (3f24533)
• skip fallback sourcemap generation for ?raw imports (#22148) (3ec9cda)

Documentation

• align the descriptions in READMEs (#22231) (44c42b9)
• fix reuses wording in dev environment comment (#22173) (9163412)
• fix wording in sass error comment (#22214) (bc5c6a7)
• update build CLI defaults (#22261) (605bb97)

Miscellaneous Chores

• deps: update dependency dotenv-expand to v13 (#22271) (0a3887d)

Commits

• 32c2978 release: v8.0.10
• a4d06d9 feat: update rolldown to 1.0.0-rc.17 (#22299)
• a4d828f fix: hmrClient.logger.debug and hmrClient.logger.error looked different f...
• 83f0a78 fix(css): show filename in CSS minification warnings for .css?inline (#22292)
• b8a21cc fix: remove format sniffing module resolution from JS resolver (#22297)
• 40a0847 refactor: typecheck client directory (#22284)
• 5c7cec6 fix(optimizer): allow user transform.target to override default in optimizeDe...
• 9437518 refactor: enable some typecheck rules (#22278)
• ce729f5 release: v8.0.9
• 605bb97 docs: update build CLI defaults (#22261)
• Additional commits viewable in compare view

Updates vitest from 4.1.4 to 4.1.5

Release notes

Sourced from vitest's releases.

v4.1.5

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in vitest-dev/vitest#10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in vitest-dev/vitest#10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in vitest-dev/vitest#10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in vitest-dev/vitest#10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in vitest-dev/vitest#10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in vitest-dev/vitest#8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in vitest-dev/vitest#8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in vitest-dev/vitest#10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in vitest-dev/vitest#10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in vitest-dev/vitest#10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in vitest-dev/vitest#9927 and vitest-dev/vitest#10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in vitest-dev/vitest#10154 (6abd5)

    View changes on GitHub

Commits

• e399846 chore: release v4.1.5
• 7dc6d54 Revert "fix: respect diff config options in soft assertions (#8696)"
• 9787ded fix: respect diff config options in soft assertions (#8696)
• 325463a fix(ast-collect): recognize _vi_import prefix in static test discovery (#10...
• 0e0ff41 feat(coverage): istanbul to support instrumenter option (#10119)
• 663b99f fix: alias agent reporter to minimal (#10157)
• 122c25b fix: fix vi.defineHelper called as object method (#10163)
• 6abd557 feat(api): make test-specification options writable (#10154)
• 596f739 fix: project color label on html reporter (#10142)
• 9423dc0 fix: --project negation excludes browser instances (#10131)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​typescript-eslint/​parser@​8.58.2 ⏵ 8.59.0
	vitest@​4.1.4 ⏵ 4.1.5	+1		+1	+2
	@​vitest/​coverage-v8@​4.1.4 ⏵ 4.1.5				+1
	@​typescript-eslint/​eslint-plugin@​8.58.2 ⏵ 8.59.0	+1		+1
	vite@​8.0.8 ⏵ 8.0.10			+1	+2
	@​cyclonedx/​cdxgen@​12.1.5 ⏵ 12.2.0	+1
	eslint@​10.2.0 ⏵ 10.2.1	+1			+2
	markdownlint-cli2@​0.22.0 ⏵ 0.22.1	+1		+1	+2

View full report

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.