chore(deps): update all dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
@biomejs/biome (source)	devDependencies	major	1.9.4 → 2.4.13
@tanstack/react-query (source)	dependencies	minor	5.64.0 → 5.100.5
@types/bun (source)	devDependencies	minor	1.1.16 → 1.3.13
@types/node (source)	devDependencies	major	22.10.5 → 25.6.0
@types/react (source)	devDependencies	minor	19.0.6 → 19.2.14
@types/react-dom (source)	devDependencies	minor	19.0.3 → 19.2.3
connectkit (source)	dependencies	minor	1.8.2 → 1.9.2
namespacelabs/nscloud-checkout-action	action	major	v5 → v8
next (source)	dependencies	major	15.1.4 → 16.2.4
openapi-fetch (source)	dependencies	minor	0.13.4 → 0.17.0
openapi-typescript (source)	devDependencies	minor	7.5.2 → 7.13.0
path-to-regexp	dependencies	minor	8.2.0 → 8.4.2
pino-pretty	dependencies	minor	13.0.0 → 13.1.3
postcss (source)	devDependencies	minor	8.4.49 → 8.5.12
react (source)	dependencies	minor	19.0.0 → 19.2.5
react-dom (source)	dependencies	minor	19.0.0 → 19.2.5
tailwindcss (source)	devDependencies	major	3.4.17 → 4.2.4
typescript (source)	devDependencies	major	5.7.3 → 6.0.3
wagmi (source)	dependencies	major	2.14.7 → 3.6.5

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.4.13

Compare Source

Patch Changes

• #​9969 c5eb92b Thanks @​officialasishkumar! - Added the nursery rule noUnnecessaryTemplateExpression, which disallows template literals that only contain string literal expressions. These can be replaced with a simpler string literal.

  For example, the following code triggers the rule:

  const a = `${"hello"}`; // can be 'hello'
  const b = `${"prefix"}_suffix`; // can be 'prefix_suffix'
  const c = `${"a"}${"b"}`; // can be 'ab'

• #​10037 f785e8c Thanks @​minseong0324! - Fixed #​9810: noMisleadingReturnType no longer reports false positives on a getter with a matching setter in the same namespace.

  class Store {
    get status(): string {
      if (Math.random() > 0.5) return "loading";
      return "idle";
    }
    set status(v: string) {}
  }

• #​10084 5e2f90c Thanks @​jiwon79! - Fixed #​10034: noUselessEscapeInRegex no longer flags escapes of ClassSetReservedPunctuator characters (&, !, #, %, ,, :, ;, <, =, >, @, `, ~) inside v-flag character classes as useless. These characters are reserved as individual code points in v-mode, so the escape is required.

  The following pattern is now considered valid:

  /[a-z\&]/v;

• #​10063 c9ffa16 Thanks @​Netail! - Added extra rule sources from ESLint CSS. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #​10035 946b50e Thanks @​Netail! - Fixed #​10032: useIframeSandbox now flags if there's no initializer value.

• #​9865 68fb8d4 Thanks @​dyc3! - Added the new nursery rule useDomNodeTextContent, which prefers textContent over innerText for DOM node text access and destructuring.

  For example, the following snippet triggers the rule:

  const foo = node.innerText;

• #​10023 bd1e74f Thanks @​ematipico! - Added a new nursery rule noReactNativeDeepImports that disallows deep imports from the react-native package. Internal paths like react-native/Libraries/... are not part of the public API and may change between versions.

  For example, the following code triggers the rule:

  import View from "react-native/Libraries/Components/View/View";

• #​9885 3dce737 Thanks @​dyc3! - Added a new nursery rule useDomQuerySelector that prefers querySelector() and querySelectorAll() over older DOM query methods such as getElementById() and getElementsByClassName().

• #​9995 4da9caf Thanks @​siketyan! - Fixed #​9994: Biome now parses nested CSS rules correctly when declarations follow them inside embedded snippets.

• #​10009 b41cc5a Thanks @​Jayllyz! - Fixed #​10004: noComponentHookFactories no longer reports false positives for object methods and class methods.

• #​9988 eabf54a Thanks @​Netail! - Tweaked the diagnostics range for useAltText, useButtonType, useHtmlLang, useIframeTitle, useValidAriaRole & useIfameSandbox to report on the opening tag instead of the full tag.

• #​10043 fc65902 Thanks @​mujpao! - Fixed #​10003: Biome no longer panics when parsing Svelte files containing {#}.

• #​9815 5cc83b1 Thanks @​dyc3! - Added the new nursery rule noLoopFunc. When enabled, it warns when a function declared inside a loop captures outer variables that can change across iterations.

• #​9702 ef470ba Thanks @​ryan-m-walker! - Added the nursery rule useRegexpTest that enforces RegExp.prototype.test() over String.prototype.match() and RegExp.prototype.exec() in boolean contexts. test() returns a boolean directly, avoiding unnecessary computation of match results.

  Invalid

  if ("hello world".match(/hello/)) {
  }

  Valid

  if (/hello/.test("hello world")) {
  }

• #​9743 245307d Thanks @​leetdavid! - Fixed #​2245: Svelte <script> tag language detection when the generics attribute contains > characters (e.g., <script lang="ts" generics="T extends Record<string, unknown>">). Biome now correctly recognizes TypeScript in such script blocks.

• #​10046 0707de7 Thanks @​Conaclos! - Fixed #​10038: organizeImports now sorts imports in TypeScript modules and declaration files.

    declare module "mymodule" {
  -  	import type { B } from "b";
    	import type { A } from "a";
  +  	import type { B } from "b";
    }

• #​10012 94ccca9 Thanks @​ematipico! - Added the nursery rule noReactNativeLiteralColors, which disallows color literals inside React Native styles.

  The rule belongs to the reactNative domain. It reports properties whose name contains color and whose value is a string literal when they appear inside a StyleSheet.create(...) call or inside a JSX attribute whose name contains style.

  // Invalid
  const Hello = () => <Text style={{ backgroundColor: "#FFFFFF" }}>hi</Text>;
  
  const styles = StyleSheet.create({
    text: { color: "red" },
  });

  // Valid
  const red = "#f00";
  const styles = StyleSheet.create({
    text: { color: red },
  });

• #​10005 131019e Thanks @​ematipico! - Added the nursery rule noReactNativeRawText, which disallows raw text outside of <Text> components in React Native.

  The rule belongs to the new reactNative domain.

  // Invalid
  <View>some text</View>
  <View>{'some text'}</View>

  // Valid
  <View>
    <Text>some text</Text>
  </View>

  Additional components can be allowlisted through the skip option:

  {
    "options": {
      "skip": ["Title"]
    }
  }

• #​9911 1603f78 Thanks @​Netail! - Added the nursery rule noJsxLeakedDollar, which flags text nodes with a trailing $ if the next sibling node is a JSX expression. This could be an unintentional mistake, resulting in a '$' being rendered as text in the output.

  Invalid:

  function MyComponent({ user }) {
    return <div>Hello ${user.name}</div>;
  }

• #​9999 f42405f Thanks @​minseong0324! - Fixed noMisleadingReturnType incorrectly flagging functions with reassigned let variables.

• #​10075 295f97f Thanks @​ematipico! - Fixed #9983: Biome now parses functions declared inside Svelte #snippet blocks without throwing errors.

• #​10006 cf4c1c9 Thanks @​minseong0324! - Fixed #​9810: noMisleadingReturnType incorrectly flagging nested object literals with widened properties.

• #​10033 11ddc05 Thanks @​ematipico! - Added the nursery rule useReactNativePlatformComponents that ensures platform-specific React Native components (e.g. ProgressBarAndroid, ActivityIndicatorIOS) are only imported in files with a matching platform suffix. It also reports when Android and iOS components are mixed in the same file.

  The following code triggers the rule when the file does not have an .android.js suffix:

  // file.js
  import { ProgressBarAndroid } from "react-native";

v2.4.12

Compare Source

Patch Changes

• #​9376 9701a33 Thanks @​dyc3! - Added the nursery/noIdenticalTestTitle lint rule. This rule disallows using the same title for two describe blocks or two test cases at the same nesting level.

  describe("foo", () => {});
  describe("foo", () => {
    // invalid: same title as previous describe block
    test("baz", () => {});
    test("baz", () => {}); // invalid: same title as previous test case
  });

• #​9889 7ae83f2 Thanks @​dyc3! - Improved the diagnostics for useForOf to better explain the problem, why it matters, and how to fix it.

• #​9916 27dd7b1 Thanks @​Jayllyz! - Added a new nursery rule noComponentHookFactories, that disallows defining React components or custom hooks inside other functions.

  For example, the following snippets trigger the rule:

  function createComponent(label) {
    function MyComponent() {
      return <div>{label}</div>;
    }
    return MyComponent;
  }

  function Parent() {
    function Child() {
      return <div />;
    }
    return <Child />;
  }

• #​9980 098f1ff Thanks @​ematipico! - Fixed #​9941: Biome now emits a warning diagnostic when a file exceed the files.maxSize limit.

• #​9942 9956f1d Thanks @​dyc3! - Fixed #​9918: useConsistentTestIt no longer panics when applying fixes to chained calls such as test.for([])("x", () => {});.

• #​9891 4d9ac51 Thanks @​dyc3! - Improved the noGlobalObjectCalls diagnostic to better explain why calling global objects like Math or JSON is invalid and how to fix it.

• #​9902 3f4d103 Thanks @​ematipico! - Fixed #​9901: the command lint --write is now idempotent when it's run against HTML-ish files that contains scripts and styles.

• #​9891 4d9ac51 Thanks @​dyc3! - Improved the noMultiStr diagnostic to explain why escaped multiline strings are discouraged and what to use instead.

• #​9966 322675e Thanks @​siketyan! - Fixed #​9113: Biome now parses and formats @media and other conditional blocks correctly inside embedded CSS snippets.

• #​9835 f8d49d9 Thanks @​bmish! - The noFloatingPromises rule now detects floating promises through cross-module generic wrapper functions. Previously, patterns like export const fn = trace(asyncFn) — where trace preserves the function signature via a generic <F>(fn: F): F — were invisible to the rule when the wrapper was defined in a different file.

• #​9981 02bd8dd Thanks @​siketyan! - Fixed #​9975: Biome now parses nested CSS selectors correctly inside embedded snippets without requiring an explicit &.

• #​9949 e0ba71d Thanks @​Netail! - Added the nursery rule useIframeSandbox, which enforces the sandbox attribute for iframe tags.

  Invalid:

  <iframe></iframe>

• #​9913 d417803 Thanks @​Netail! - Added the nursery rule noJsxNamespace, which disallows JSX namespace syntax.

  Invalid:

  <ns:testcomponent />

• #​9892 e75d70e Thanks @​dyc3! - Improved the noSelfCompare diagnostic to better explain why comparing a value to itself is suspicious and what to use for NaN checks.

• #​9861 2cff700 Thanks @​dyc3! - Added the new nursery rule useVarsOnTop, which requires var declarations to appear at the top of their containing scope.

  For example, the following code now triggers the rule:

  function f() {
    doSomething();
    var value = 1;
  }

• #​9892 e75d70e Thanks @​dyc3! - Improved the noThenProperty diagnostic to better explain why exposing then can create thenable behavior and how to avoid it.

• #​9892 e75d70e Thanks @​dyc3! - Improved the noShorthandPropertyOverrides diagnostic to explain why later shorthand declarations can unintentionally overwrite earlier longhand properties.

• #​9978 4847715 Thanks @​mdevils! - Fixed #​9744: useExhaustiveDependencies no longer reports false positives for variables obtained via object destructuring with computed keys, e.g. const { [KEY]: key1 } = props.

• #​9892 e75d70e Thanks @​dyc3! - Improved the noRootType diagnostic to better explain that the reported root type is disallowed by project configuration and how to proceed.

• #​9927 7974ab7 Thanks @​dyc3! - Added eslint-plugin-unicorn's no-nested-ternary as a rule source for noNestedTernary

• #​9873 19ff706 Thanks @​minseong0324! - noMisleadingReturnType now checks class methods, object methods, and getters in addition to functions.

• #​9888 362b638 Thanks @​dyc3! - Updated metadata for biome migrate eslint to better reflect which ESLint rules are redundant versus unsupported versus unimplemented.

• #​9892 e75d70e Thanks @​dyc3! - Improved the noAutofocus diagnostic to better explain why autofocus harms accessibility outside allowed modal contexts.

• #​9982 d6bdf4a Thanks @​dyc3! - Improved performance of noMagicNumbers.
  Biome now maps ESLint no-magic-numbers sources more accurately during biome migrate eslint.

• #​9889 7ae83f2 Thanks @​dyc3! - Improved the diagnostics for noConstantCondition to better explain the problem, why it matters, and how to fix it.

• #​9866 40bd180 Thanks @​dyc3! - Added a new nursery rule noExcessiveSelectorClasses, which limits how many class selectors can appear in a single CSS selector.

• #​9796 f1c1363 Thanks @​dyc3! - Added a new nursery rule useStringStartsEndsWith, which prefers startsWith() and endsWith() over verbose string prefix and suffix checks.

  The rule uses type information, so it only reports on strings and skips array lookups such as items[0] === "a".

• #​9942 9956f1d Thanks @​dyc3! - Fixed the safe fix for noSkippedTests so it no longer panics when rewriting skipped test function names such as xit(), xtest(), and xdescribe().

• #​9874 9e570d1 Thanks @​minseong0324! - Type-aware lint rules now resolve members through Pick<T, K> and Omit<T, K> utility types.

• #​9909 0d0e611 Thanks @​Netail! - Added the nursery rule useReactAsyncServerFunction, which requires React server actions to be async.

  Invalid:

  function serverFunction() {
    "use server";
    // ...
  }

• #​9925 29accb3 Thanks @​ematipico! - Fixed #​9910: added support for parsing member expressions in Svelte directive properties. Biome now correctly parses directives like in:renderer.in|global, use:obj.action, and deeply nested forms like in:a.b.c|global.

• #​9904 e7775a5 Thanks @​ematipico! - Fixed #​9626: noUnresolvedImports no longer reports false positives for named imports from packages that have a corresponding @types/* package installed. For example, import { useState } from "react" with @types/react installed is now correctly recognised.

• #​9942 9956f1d Thanks @​dyc3! - Fixed the safe fix for noFocusedTests so it no longer panics when rewriting focused test function names such as fit() and fdescribe().

• #​9577 c499f46 Thanks @​tt-a1i! - Added the nursery rule useReduceTypeParameter. It flags type assertions on the initial value passed to Array#reduce and Array#reduceRight and recommends using a type parameter instead.

  // before: type assertion on initial value
  arr.reduce((sum, num) => sum + num, [] as number[]);
  
  // after: type parameter on the call
  arr.reduce<number[]>((sum, num) => sum + num, []);

• #​9895 1c8e1ef Thanks @​Netail! - Added extra rule sources from react-xyz. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #​9891 4d9ac51 Thanks @​dyc3! - Improved the noInvalidUseBeforeDeclaration diagnostic to better explain why using a declaration too early is problematic and how to fix it.

• #​9889 7ae83f2 Thanks @​dyc3! - Improved the diagnostics for noRedeclare to better explain the problem, why it matters, and how to fix it.

• #​9875 a951586 Thanks @​minseong0324! - Type-aware lint rules now resolve members through Partial<T>, Required<T>, and Readonly<T> utility types, preserving optional, readonly, and nullable member flags.

v2.4.11

Compare Source

Patch Changes

• #​9350 4af4a3a Thanks @​dyc3! - Added the new nursery rule useConsistentTestIt in the test domain. The rule enforces consistent use of either it or test for test functions in Jest/Vitest suites, with separate control for top-level tests and tests inside describe blocks.

  Invalid:

  test("should fly", () => {}); // Top-level test using 'test' flagged, convert to 'it'
  
  describe("pig", () => {
    test("should fly", () => {}); // Test inside 'describe' using 'test' flagged, convert to 'it'
  });

• #​9429 a2f3f7e Thanks @​ematipico! - Added the new nursery lint rule useExplicitReturnType. It reports TypeScript functions and methods that omit an explicit return type.

  function toString(x: any) {
    // rule triggered, it doesn't declare a return type
    return x.toString();
  }

• #​9828 9e40844 Thanks @​ematipico! - Fixed #​9484: the formatter no longer panics when formatting files that contain graphql tagged template literals combined with parenthesized expressions.

• #​9886 e7c681e Thanks @​ematipico! - Fixed an issue where, occasionally, some bindings and references were not properly tracked, causing false positives from noUnusedVariables and noUndeclaredVariables in Svelte, Vue, and Astro files.

• #​9760 5b16d18 Thanks @​myx0m0p! - Fixed #​4093: the noDelete rule no longer triggers for delete process.env.FOO, since delete is the documented way to remove environment variables in Node.js.

• #​9799 2af8efd Thanks @​minseong0324! - Added the rule noMisleadingReturnType. The rule detects when a function's return type annotation is wider than what the implementation actually returns.

  // Flagged: `: string` is wider than `"loading" | "idle"`
  function getStatus(b: boolean): string {
    if (b) return "loading";
    return "idle";
  }

• #​9880 7f67749 Thanks @​dyc3! - Improved the diagnostics for useFind to better explain the problem, why it matters, and how to fix it.

• #​9755 bff7bdb Thanks @​ematipico! - Improved performance of fix-all operations (--write). Biome is now smarter when it runs lint rules and assist actions. First, it runs only rules that have code fixes, and then runs the rest of the rules.

• #​8651 aafca2d Thanks @​siketyan! - Add a new lint rule useDisposables for JavaScript, which detects disposable objects assigned to variables without using or await using syntax. Disposable objects that implement the Disposable or AsyncDisposable interface are intended to be disposed of after use. Not disposing them can lead to resource or memory leaks, depending on the implementation.

  Invalid:

  function createDisposable(): Disposable {
    return {
      [Symbol.dispose]() {
        // do something
      },
    };
  }
  
  const disposable = createDisposable();

  Valid:

  function createDisposable(): Disposable {
    return {
      [Symbol.dispose]() {
        // do something
      },
    };
  }
  
  using disposable = createDisposable();

• #​9788 53b8e57 Thanks @​MeGaNeKoS! - Fixed #​7760: Added support for CSS scroll-driven animation timeline-range-name keyframe selectors (cover, contain, entry, exit, entry-crossing, exit-crossing). Biome no longer reports parse errors on keyframes like entry 0% { ... } or exit 100% { ... }.

• #​9728 5085424 Thanks @​mkosei! - Fixed #​9696: Astro frontmatter now correctly parses regular expression literals like /\d{4}/.

• #​9261 16b6c49 Thanks @​ematipico! - Fixed #​8409: CSS formatter now correctly places comments after the colon in property declarations.

  Previously, comments that appeared after the colon in CSS property values were incorrectly moved before the property name:

  [lang]:lang(ja) {
  -  /* system-ui,*/ font-family:
  +  font-family: /* system-ui,*/
      Hiragino Sans,
      sans-serif;
  }

• #​9441 957ea4c Thanks @​soconnor-seeq! - Fixed #​1630: LSP project selection now prefers the most specific project root in nested workspaces.

• #​9878 de6210f Thanks @​ematipico! - Fixed #​9118: noUnusedImports no longer reports false positives for default imports used inside Svelte, Vue and Astro components.

• #​9879 ce7e2b7 Thanks @​dyc3! - Fixed a parser diagnostic's message when vue syntax is disabled so that it no longer references the non-existant html.parser.vue option. This option will become available in 2.5.

• #​9880 7f67749 Thanks @​dyc3! - Improved the diagnostics for useRegexpExec to better explain the problem, why it matters, and how to fix it.

• #​9846 b7134d9 Thanks @​ematipico! - Fixed #​9140: Biome now parses Astro's attribute shorthand inside .astro files. The following snippet no longer reports a parse error:

  ---
  const items = ['a', 'b'];
  ---
  <ul>
    {items.map((item) => <li {item}>row</li>)}
  </ul>

• #​9790 67df09d Thanks @​dyc3! - Fixed #​9781: Trailing comments after a top-level biome-ignore-all format suppression are now preserved instead of being dropped. This applies to JavaScript, CSS, HTML, JSONC, GraphQL, and Grit files.

• #​9745 d87073e Thanks @​ematipico! - Fixed #​9741: the LSP server now correctly returns the organizeImports code action when the client requests it via source.organizeImports.biome in the only filter. Previously, editors with codeAction/resolve support (e.g. Zed) received an empty response because the action was serialized with the wrong kind (source.biome.organizeImports instead of source.organizeImports.biome).

• #​9880 7f67749 Thanks @​dyc3! - Improved the diagnostics for useArraySome to better explain the problem, why it matters, and how to fix it.

• #​9795 1d09f0f Thanks @​dyc3! - Relaxed useExplicitType for trivially inferrable types.

  Type annotations can now be omitted when types are trivially inferrable from:

  • Binary expressions (const sum = 1 + 1)
  • Comparison expressions (const isEqual = 'a' === 'b', const isTest = process.env.NODE_ENV === 'test')
  • Logical expressions (const and = true && false)
  • Class instantiation (const date = new Date())
  • Array literals (const arr = [1, 2, 3])
  • Conditional expressions (const val = true ? 'yes' : 'no')
  • Function calls (const num = Math.random())
  • Parameter defaults - any expression is now allowed (const fn = (max = MAX_ATTEMPTS) => ...)

  Comparison expressions always return boolean, so any operands are now allowed
  (including property access like process.env.NODE_ENV).

  Parameters with default values no longer require type annotations, as TypeScript
  can infer the type from the default value (even when referencing variables).

  Also removed the redundant any type validation from this rule. The any type
  is now only validated by the dedicated noExplicitAny rule, following the
  Single Responsibility Principle.

• #​9809 e8cad58 Thanks @​Netail! - Added the new nursery rule useQwikLoaderLocation, which enforces that Qwik loader functions are declared in the correct location.

• #​9877 fc9d715 Thanks @​ematipico! - Fixed #​9136 and #​9653: noUndeclaredVariables and noUnusedVariables no longer report false positives on several Svelte template constructs that declare or reference bindings in the host grammar:

  • {#snippet name(params)} — the snippet name and its parameters (including object, array, rest, and nested destructuring) are now tracked.
  • {@​render name(args)} — the snippet name used at the render site is now resolved against the snippet declaration.
  • {#each items as item, index (key)} — the item binding (plain identifier or destructured), the optional index, and the optional key expression are now tracked.
  • {@​const name = value} — the declared name is now tracked as a binding and the initializer is analyzed for undeclared references.
  • {@​debug a, b, c} — each debugged identifier is now analyzed and reported if undeclared.
  • Shorthand attributes <img {src} /> — the curly-shorthand attribute is now analyzed as an expression, so undeclared references inside it are reported.

  For example, the following template no longer triggers either rule:

  <script>
  let items = [];
  let total = 0;
  </script>
  
  {#snippet figure(image)}
      <figure>
          <img src={image.src} alt={image.caption} />
          <figcaption>{image.caption}</figcaption>
      </figure>
  {/snippet}
  
  {#each items as item}
      {@&#8203;const price = item.price}
      {@&#8203;render figure(item)}
      <span>{price}</span>
  {/each}
  
  {@&#8203;debug items, total}

• #​9869 78bce77 Thanks @​Netail! - Updated noDuplicateFieldDefinitionNames to also flag duplicate fields within type extensions, interface extensions & input extensions.

• #​9739 0bc2198 Thanks @​dyc3! - Fixed Grit queries that use native Biome AST node names with the native field names that are in our .ungram grammar files. Queries such as JsConditionalExpression(consequent = $cons, alternate = $alt) now compile successfully in biome search and grit plugins.

• #​9811 2dddca3 Thanks @​dyc3! - Updated noImpliedEval to flag new Function() usages, as its a form of indirect eval, and to include no-new-func as a rule source.

• #​9870 ccf9770 Thanks @​Netail! - Marked eslint-qwik-plugin's unused-server as redundant since it was covered by noUnusedVariables.

• #​9701 1417c3b Thanks @​dyc3! - Added the new nursery rule noUselessTypeConversion, which reports redundant primitive conversion patterns such as String(value) when value is already a string.

• #​9248 [49f00a3](https://redirect.github.com/biomejs/biome/commit/49f00a38d64af131178ba4e096155d220

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sourcery-ai]

Reviewer's Guide by Sourcery

This PR updates the following dependencies: @tanstack/react-query from 5.64.0 to 5.64.1, @types/node from 22.10.5 to 22.10.6, and postcss from 8.4.49 to 8.5.0.

Class diagram showing dependency version updates

classDiagram
    class Dependencies {
        +@tanstack/react-query: 5.64.1
        +connectkit: 1.8.2
        +encoding: 0.1.13
        +next: 15.1.4
    }
    class DevDependencies {
        +@types/node: 22.10.6
        +postcss: 8.5.0
        +tailwindcss: 3.4.17
        +typescript: 5.7.3
    }
    note for Dependencies "Updated from @tanstack/react-query 5.64.0"
    note for DevDependencies "Updated from @types/node 22.10.5\nUpdated from postcss 8.4.49"

Loading

File-Level Changes

Change	Details	Files
Updated @tanstack/react-query to fix types for typed query and mutation keys.	Bumped @tanstack/react-query from version 5.64.0 to 5.64.1	package.json
Updated @types/node.	Bumped @types/node from version 22.10.5 to 22.10.6	package.json
Updated postcss.	Bumped postcss from version 8.4.49 to 8.5.0	package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Join our Discord community for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​types/​bun@​1.1.16 ⏵ 1.3.13	+1		+4	+2
	next@​15.1.4 ⏵ 16.2.4	+1	+75	-1	+48
	@​types/​react-dom@​19.0.3 ⏵ 19.2.3			+1
	@​types/​react@​19.0.6 ⏵ 19.2.14
	wagmi@​2.14.7 ⏵ 3.6.4	+2		+3	+2
	@​types/​node@​20.12.14 ⏵ 25.6.0	+1		+1
	postcss@​8.4.49 ⏵ 8.5.10		+2	+1
	tailwindcss@​3.4.17 ⏵ 4.2.4	+5		-2
	react@​19.0.0 ⏵ 19.2.5	+1
	pino-pretty@​13.0.0 ⏵ 13.1.3	+1
	openapi-typescript@​7.5.2 ⏵ 7.13.0	+1		+1
	openapi-fetch@​0.13.4 ⏵ 0.17.0	+1			-3
	@​tanstack/​react-query@​5.64.0 ⏵ 5.100.2			+2	+5
	connectkit@​1.8.2 ⏵ 1.9.2	-1		-4	+6
	typescript@​5.7.3 ⏵ 6.0.3	+1		+1
	react-dom@​19.0.0 ⏵ 19.2.5	+1		+1
	path-to-regexp@​8.2.0 ⏵ 8.4.2		+18	+1
	@​biomejs/​biome@​1.9.4 ⏵ 2.4.13	+8

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		License policy violation: npm @img/sharp-libvips-darwin-arm64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-darwin-arm64@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-darwin-arm64@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-darwin-x64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-darwin-x64@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-darwin-x64@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-linux-arm under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-linux-arm@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-linux-arm@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-linux-arm64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-linux-arm64@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-linux-arm64@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-linux-ppc64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-linux-ppc64@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-linux-ppc64@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-linux-riscv64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-linux-riscv64@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-linux-riscv64@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-linux-s390x under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-linux-s390x@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-linux-s390x@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-linux-x64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-linux-x64@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-linux-x64@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-linuxmusl-arm64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-linuxmusl-arm64@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-linuxmusl-arm64@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-linuxmusl-x64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-linuxmusl-x64@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-linuxmusl-x64@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-wasm32 under LGPL-3.0-or-later License: LGPL-3.0-or-later - the applicable license policy does not allow this license (4) (npm metadata) License: LGPL-3.0-or-later - the applicable license policy does not allow this license (4) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-wasm32@0.34.5 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-wasm32@0.34.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-win32-arm64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - the applicable license policy does not allow this license (4) (npm metadata) License: LGPL-3.0-or-later - the applicable license policy does not allow this license (4) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-win32-arm64@0.34.5 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-win32-arm64@0.34.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-win32-ia32 under LGPL-3.0-or-later License: LGPL-3.0-or-later - the applicable license policy does not allow this license (4) (npm metadata) License: LGPL-3.0-or-later - the applicable license policy does not allow this license (4) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-win32-ia32@0.34.5 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-win32-ia32@0.34.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-win32-x64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - the applicable license policy does not allow this license (4) (npm metadata) License: LGPL-3.0-or-later - the applicable license policy does not allow this license (4) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-win32-x64@0.34.5 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-win32-x64@0.34.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm bun-types under LGPL-2.0 License: LGPL-2.0 - The applicable license policy does not permit this license (5) (package/docs/project/license.mdx) From: ? → npm/@types/bun@1.3.13 → npm/bun-types@1.3.13 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/bun-types@1.3.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm typescript License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) From: ? → npm/openapi-typescript@7.13.0 → npm/typescript@5.9.3 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@5.9.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm typescript License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) From: package.json → npm/typescript@6.0.3 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@6.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Deprecated by its maintainer: npm @metamask/sdk-analytics Reason: No longer maintained, superseded by @metamask/connect-analytics From: ? → npm/connectkit@1.9.2 → npm/@metamask/sdk-analytics@0.0.5 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-analytics@0.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Deprecated by its maintainer: npm @metamask/sdk-install-modal-web Reason: No longer maintained, superseded by https://docs.metamask.io/metamask-connect From: ? → npm/connectkit@1.9.2 → npm/@metamask/sdk-install-modal-web@0.32.1 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-install-modal-web@0.32.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Deprecated by its maintainer: npm @metamask/sdk Reason: No longer maintained, superseded by https://docs.metamask.io/metamask-connect From: ? → npm/connectkit@1.9.2 → npm/@metamask/sdk@0.33.1 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk@0.33.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report