Bump the all-dependencies group across 1 directory with 6 updates

[dependabot]

Bumps the all-dependencies group with 6 updates in the / directory:

Package	From	To
@modelcontextprotocol/sdk	1.12.3	1.13.2
dotenv	16.5.0	17.0.0
zod	3.25.64	3.25.67
@biomejs/biome	1.9.4	2.0.6
@types/node	24.0.3	24.0.7
jest	30.0.0	30.0.3

Updates @modelcontextprotocol/sdk from 1.12.3 to 1.13.2

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

1.13.2

What's Changed

• Fix /.well-known/oauth-authorization-server dropping path by @​calclavia in modelcontextprotocol/typescript-sdk#687
• Fallback for /.well-known/oauth-authorization-server dropping path by @​ihrpr in modelcontextprotocol/typescript-sdk#692
• [auth] refactor resource selection to not include resource if PRM is not present by @​pcarleton in modelcontextprotocol/typescript-sdk#693
• fix: skip validation if tool reports error by @​Areo-Joe in modelcontextprotocol/typescript-sdk#655
• feat(shared/auth): support software_statement in OAuthClientMetadata by @​chrisdickinson in modelcontextprotocol/typescript-sdk#696
• Show session id per request in simpleStreamableHttp example server by @​cliffhall in modelcontextprotocol/typescript-sdk#640
• Raw request propagation in tools - passed to callbacks via RequestHandlerExtra by @​KKonstantinov in modelcontextprotocol/typescript-sdk#627
• Update readme file to include a tip to allow mcp-session-id in CORS when using StreamableHTTP by @​Achintha444 in modelcontextprotocol/typescript-sdk#633
• Pr/protocol overwriting transport hooks by @​nichtsam in modelcontextprotocol/typescript-sdk#477
• docs: Add clarifying comments for stateless streamable HTTP endpoints by @​dhodun in modelcontextprotocol/typescript-sdk#542
• Bump formidable from 3.5.2 to 3.5.4 in the npm_and_yarn group across 1 directory by @​dependabot in modelcontextprotocol/typescript-sdk#428
• test(server): add more tests for SSEServerTransport class by @​christian-bromann in modelcontextprotocol/typescript-sdk#391
• Update version of the package to 1.13.2 by @​ihrpr in modelcontextprotocol/typescript-sdk#701

New Contributors 🙏

• @​calclavia made their first contribution in modelcontextprotocol/typescript-sdk#687
• @​Areo-Joe made their first contribution in modelcontextprotocol/typescript-sdk#655
• @​KKonstantinov made their first contribution in modelcontextprotocol/typescript-sdk#627
• @​Achintha444 made their first contribution in modelcontextprotocol/typescript-sdk#633
• @​nichtsam made their first contribution in modelcontextprotocol/typescript-sdk#477
• @​dhodun made their first contribution in modelcontextprotocol/typescript-sdk#542
• @​christian-bromann made their first contribution in modelcontextprotocol/typescript-sdk#391

Full Changelog: modelcontextprotocol/typescript-sdk@1.13.1...1.13.2

1.13.1

What's Changed

• simpleStreamableHttp: fix example code by @​ochafik in modelcontextprotocol/typescript-sdk#660
• build: add watching script targets for build & simple streamable http server by @​ochafik in modelcontextprotocol/typescript-sdk#663
• feat: remove console statements from SDK code by @​ashwin-ant in modelcontextprotocol/typescript-sdk#668
• [auth] adjust default validation for resource parameter in client flow, and server example by @​pcarleton in modelcontextprotocol/typescript-sdk#664
• fix(client/sse): extract protected resource from eventsource 401 by @​chrisdickinson in modelcontextprotocol/typescript-sdk#675
• 1.13.1 by @​ihrpr in modelcontextprotocol/typescript-sdk#683

Full Changelog: modelcontextprotocol/typescript-sdk@1.13.0...1.13.1

1.13.0

🚀 Implementation for Spec revision 2025-06-18

https://github.com/modelcontextprotocol/modelcontextprotocol/releases/tag/2025-06-18

• feat: implement MCP-Protocol-Version header requirement for HTTP transport by @​ochafik in modelcontextprotocol/typescript-sdk#614
• Rename ResourceReference to ResourceTemplateReference by @​ihrpr in modelcontextprotocol/typescript-sdk#619
• Adds _meta to additional interface types by @​ihrpr in modelcontextprotocol/typescript-sdk#630
• Add title to tools, resources, prompts by @​ihrpr in modelcontextprotocol/typescript-sdk#631
• Add support for resource link by @​ihrpr in modelcontextprotocol/typescript-sdk#632
• Include context into completions by @​ihrpr in modelcontextprotocol/typescript-sdk#634

... (truncated)

Commits

• 1e52f38 Merge pull request #701 from modelcontextprotocol/ihrpr/1.13.2
• 9d678ce 1.13.2
• be845dd Merge pull request #391 from christian-bromann/cb/sse-tests
• f76652b Update src/server/sse.test.ts
• 362acfc Update package-lock.json
• 08c767f Merge branch 'main' into cb/sse-tests
• 6e0b699 Merge pull request #428 from modelcontextprotocol/dependabot/npm_and_yarn/npm...
• a783c5a Merge pull request #542 from dhodun/dhodun/add-streamable-http-comments
• 71d309d Merge pull request #477 from nichtsam/pr/protocol-overwriting-transport-hooks
• 909fe5d Merge pull request #633 from Achintha444/main
• Additional commits viewable in compare view

Updates dotenv from 16.5.0 to 17.0.0

Changelog

Sourced from dotenv's changelog.

17.0.0 (2025-06-27)

Changed

• Default quiet to false - informational (file and keys count) runtime log message shows by default (#875)

16.6.1 (2025-06-27)

Changed

• Default quiet to true – hiding the runtime log message (#874)
• NOTICE: 17.0.0 will be released with quiet defaulting to false. Use config({ quiet: true }) to suppress.
• And check out the new dotenvx. As coding workflows evolve and agents increasingly handle secrets, encrypted .env files offer a much safer way to deploy both agents and code together with secure secrets. Simply switch require('dotenv').config() for require('@dotenvx/dotenvx').config().

16.6.0 (2025-06-26)

Added

• Default log helpful message [dotenv@16.6.0] injecting env (1) from .env (#870)
• Use { quiet: true } to suppress
• Aligns dotenv more closely with dotenvx.

Commits

• f28bfd5 17.0.0
• 3348b36 changelog 🪵
• a814691 Merge pull request #875 from motdotla/quiet-true
• e8978b0 mention dotenvx in runtime message to point people to safer .env files
• 661b247 update README with quiet option
• b1d4a78 quiet defaults to false - use quiet: true to suppress info log
• 6acdb0a changelog 🪵
• 076ba3b 16.6.1
• 8867fe0 changelog 🪵
• 424c32d Merge pull request #874 from motdotla/default-quiet-to-true
• Additional commits viewable in compare view

Updates zod from 3.25.64 to 3.25.67

Release notes

Sourced from zod's releases.

v3.25.67

Commits:

• 7afe790d0f459278bc18e8197791db280cac341f Make $ZodLiteralDef generic
• 91274c3e154731205cc6958fd8c2ba5d48503db9 3.25.67
• c22944b029295cc0d33ee1b2273ea64e889528ff Fix race condition

v3.25.66

Commits:

• 2b3e87bcdd399b8f99d53641648db5a764861e1b Update api.ts (#4724)
• 100e9aa874032b49a1091e702213a52decf07521 chore: include zod-validation-error to Ecosystem page (#4722)
• de3517eeb66fc6d901752ee78d4ec97e7f5d9bc6 fix(docs): prevent FOUC on website homepage logo (#4716)
• 222a663732f6f605fd47c9c95bcef602e3d1e188 Change ZodObject default to $strip. Set inst.shape in zod mini
• fb00618f7d2c888fc1a2e207b391619b6d04dc6b 3.25.66

v3.25.65

Commits:

• 65309948ebcf926ee0570315b6254e06f59d01dd Clean up ecosystem
• 131fdbd4ea63abf8d4788855c106e51ef7e83077 fix(docs): Use array as argument of templateLiteral (#4701)
• ed648b132d55a12094b01e1abeae8a6d29b88364 chore: remove deprecated @​types/chalk (#4685)
• 12dd4890e2310ca798dd4193f15372efc2cfd84b Add catchall to zod-mini
• fcb722ae09e6190c87f082db4be556c151dea8b7 Add uuid to changelog
• 8c74035ee6bcf27ab4b4398708b379713cc3eeee 3.25.65

Commits

• c22944b Fix race condition
• 91274c3 3.25.67
• 7afe790 Make $ZodLiteralDef generic
• fb00618 3.25.66
• 222a663 Change ZodObject default to $strip. Set inst.shape in zod mini
• de3517e fix(docs): prevent FOUC on website homepage logo (#4716)
• 100e9aa chore: include zod-validation-error to Ecosystem page (#4722)
• 2b3e87b Update api.ts (#4724)
• 8c74035 3.25.65
• fcb722a Add uuid to changelog
• Additional commits viewable in compare view

Updates @biomejs/biome from 1.9.4 to 2.0.6

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.0.6

2.0.6

Patch Changes

• #6557 fd68458 Thanks @​ematipico! - Fixed a bug where Biome didn't provide all the available code actions when requested by the editor.

• #6511 72623fa Thanks @​Conaclos! - Fixed #6492. The organizeImports assist action no longer duplicates a comment at the start of the file when :BLANK_LINE: precedes the first import group.

• #6557 fd68458 Thanks @​ematipico! - Fixed #6287 where Biome Language Server didn't adhere to the settings.requireConfiguration option when pulling diagnostics and code actions. Note that for this configuration be correctly applied, your editor must support dynamic registration capabilities.

• #6551 0b63b1d Thanks @​Conaclos! - Fixed #6536. useSortedKeys no longer panics in some edge cases where object spreads are involved.

• #6503 9a8fe0f Thanks @​ematipico! - Fixed #6482 where nursery rules that belonged to a domain were incorrectly enabled.

• #6565 e85761c Thanks @​daivinhtran! - Fixed #4677: Now the noUnusedImports rule won't produce diagnostics for types used in JSDoc comment of exports.

• #6166 b8cbd83 Thanks @​mehm8128! - Added the nursery rule noExcessiveLinesPerFunction. This rule restrict a maximum number of lines of code in a function body.

  The following code is now reported as invalid when the limit of maximum lines is set to 2:

  function foo() {
    const x = 0;
    const y = 1;
    const z = 2;
  }

  The following code is now reported as valid when the limit of maximum lines is set to 3:

  const bar = () => {
    const x = 0;
    const z = 2;
  };

• #6553 5f42630 Thanks @​denbezrukov! - Fixed #6547. Now the Biome CSS parser correctly parses @starting-style when it's used inside other at-rules. The following example doesn't raise an error anymore:

  @layer my-demo-layer {
    @starting-style {
      div.showing {
        background-color: red;

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.0.6

Patch Changes

• #6557 fd68458 Thanks @​ematipico! - Fixed a bug where Biome didn't provide all the available code actions when requested by the editor.

• #6511 72623fa Thanks @​Conaclos! - Fixed #6492. The organizeImports assist action no longer duplicates a comment at the start of the file when :BLANK_LINE: precedes the first import group.

• #6557 fd68458 Thanks @​ematipico! - Fixed #6287 where Biome Language Server didn't adhere to the settings.requireConfiguration option when pulling diagnostics and code actions. Note that for this configuration be correctly applied, your editor must support dynamic registration capabilities.

• #6551 0b63b1d Thanks @​Conaclos! - Fixed #6536. useSortedKeys no longer panics in some edge cases where object spreads are involved.

• #6503 9a8fe0f Thanks @​ematipico! - Fixed #6482 where nursery rules that belonged to a domain were incorrectly enabled.

• #6565 e85761c Thanks @​daivinhtran! - Fixed #4677: Now the noUnusedImports rule won't produce diagnostics for types used in JSDoc comment of exports.

• #6166 b8cbd83 Thanks @​mehm8128! - Added the nursery rule noExcessiveLinesPerFunction. This rule restrict a maximum number of lines of code in a function body.

  The following code is now reported as invalid when the limit of maximum lines is set to 2:

  function foo() {
    const x = 0;
    const y = 1;
    const z = 2;
  }

  The following code is now reported as valid when the limit of maximum lines is set to 3:

  const bar = () => {
    const x = 0;
    const z = 2;
  };

• #6553 5f42630 Thanks @​denbezrukov! - Fixed #6547. Now the Biome CSS parser correctly parses @starting-style when it's used inside other at-rules. The following example doesn't raise an error anymore:

  @layer my-demo-layer {
    @starting-style {
      div.showing {
        background-color: red;
      }
    }

... (truncated)

Commits

• a69bbe8 ci: release (#6507)
• 6a24bd9 chore: link packages differently (#6558)
• f62e748 feat(lint): implement noImplicitCoercion rule (#6395)
• e128ea9 feat(lint): no-alert rule (#6355)
• 5705f1a feat(lint): implement useUnifiedTypeSignature rule (#6320)
• a3a3715 feat(linter): implement noUnassignedVariables rule (#6219)
• b8cbd83 feat(biome_js_analyze): implement noExcessiveLinesPerFunction (#6166)
• 09f49ba ci: release (#6467)
• 4209030 chore: update vscode badges (#6468)
• c939e54 chore: fix invalid link in CHANGELOG.md
• Additional commits viewable in compare view

Updates @types/node from 24.0.3 to 24.0.7

Commits

• See full diff in compare view

Updates jest from 30.0.0 to 30.0.3

Release notes

Sourced from jest's releases.

30.0.2

What's Changed

Fixes

• [jest-matcher-utils] Make 'deepCyclicCopyObject' safer by setting descriptors to a null-prototype object (#15689)
• [jest-util] Make garbage collection protection property writable (#15689)

Full Changelog: https://github.com/jestjs/jest/blob/main/CHANGELOG.md

Jest 30.0.1

What's Changed

Features

• [jest-resolver] Implement the defaultAsyncResolver (#15679)

Fixes

• [jest-resolver] Resolve builtin modules correctly (#15683)
• [jest-environment-node, jest-util] Avoid setting globals cleanup protection symbol when feature is off (#15684)

Chore & Maintenance

• [*] Remove and deprecate jest-repl package (#15673)
• [jest-resolver] Replace custom isBuiltinModule with node's isBuiltin (#15685)

New Contributors

• @​vovkasm made their first contribution in jestjs/jest#15687

Full Changelog: https://github.com/jestjs/jest/blob/main/CHANGELOG.md

Changelog

Sourced from jest's changelog.

30.0.3

Fixes

• [jest-config] Fix ESM TS config loading in a CJS project (#15694)
• [jest-core] jest --onlyFailures --listTests now correctly lists only failed tests(#15700)

Features

• [jest-diff] Show non-printable control characters to diffs (#15696)

30.0.2

Fixes

• [jest-matcher-utils] Make 'deepCyclicCopyObject' safer by setting descriptors to a null-prototype object (#15689)
• [jest-util] Make garbage collection protection property writable (#15689)

30.0.1

Features

• [jest-resolver] Implement the defaultAsyncResolver (#15679)

Fixes

• [jest-resolver] Resolve builtin modules correctly (#15683)
• [jest-environment-node, jest-util] Avoid setting globals cleanup protection symbol when feature is off (#15684)

Chore & Maintenance

• [*] Remove and deprecate jest-repl package (#15673)
• [jest-resolver] Replace custom isBuiltinModule with node's isBuiltin (#15685)

Commits

• d4a6c94 v30.0.3
• 393acbf v30.0.2
• 5ce865b v30.0.1
• 469f665 v30.0.0
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[t-kikuc]

Fix lint

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml