chore(deps): bump the npm-deps group across 1 directory with 9 updates#20

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm-deps-8a3361a3e7
dependabot[bot] commented on behalf of github on May 14, 2026

Bumps the npm-deps group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @hono/node-server | 2.0.0 | 2.0.1 |
| better-auth | 1.6.5 | 1.6.9 |
| hono | 4.12.14 | 4.12.18 |
| @commitlint/cli | 20.5.0 | 20.5.3 |
| @commitlint/config-conventional | 20.5.0 | 20.5.3 |
| eslint | 10.2.0 | 10.3.0 |
| fallow | 2.40.3 | 2.66.2 |
| globals | 17.5.0 | 17.6.0 |
| tap | 21.7.0 | 21.7.2 |

Updates @hono/node-server from 2.0.0 to 2.0.1

Release notes

Sourced from @​hono/node-server's releases.

v2.0.1

What's Changed

New Contributors

Full Changelog: honojs/node-server@v2.0.0...v2.0.1

Commits

Updates better-auth from 1.6.5 to 1.6.9

Release notes

Sourced from better-auth's releases.

v1.6.9

better-auth

Bug Fixes

  • Fixed instrumentation resolution in the adapter factory so edge and browser environments correctly use the pure variant (#9340)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​erquhart

Full changelog: v1.6.8...v1.6.9

v1.6.8

better-auth

Bug Fixes

  • Fixed mapProfileToUser fallback for OAuth providers that may omit email from their profile response (#9331)
  • Fixed support for passing id through beforeCreateTeam and beforeCreateInvitation hooks (#9253)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed authorization flows that do not include a state parameter (#9328)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

  • Fixed incompatibility with TypeScript's exactOptionalPropertyTypes compiler option (#9270)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​baptisteArno, @​gustavovalverde, @​ping-maxwell

Full changelog: v1.6.7...v1.6.8

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.9

Patch Changes

  • Updated dependencies [815ecf6]:
    • @​better-auth/core@​1.6.9
    • @​better-auth/drizzle-adapter@​1.6.9
    • @​better-auth/kysely-adapter@​1.6.9
    • @​better-auth/memory-adapter@​1.6.9
    • @​better-auth/mongo-adapter@​1.6.9
    • @​better-auth/prisma-adapter@​1.6.9
    • @​better-auth/telemetry@​1.6.9

1.6.8

Patch Changes

  • #9253 856ab24 Thanks @​baptisteArno! - fix(organization): allow passing id through beforeCreateTeam and beforeCreateInvitation

    Mirrors #4765 for teams and invitations: adapter.createTeam and adapter.createInvitation now pass forceAllowId: true, so ids returned from the respective hooks survive the DB insert.

  • #9331 9aa8e63 Thanks @​gustavovalverde! - fix(oauth): support mapProfileToUser fallback for providers that may omit email

    Social sign-in with OAuth providers that may return no email address (Discord phone-only accounts, Apple subsequent sign-ins, GitHub private emails, Facebook, LinkedIn, and Microsoft Entra ID managed users) can now be unblocked by synthesizing an email inside mapProfileToUser. Rejection logger messages now point at this workaround and at the new "Handling Providers Without Email" docs section.

    Provider profile types now reflect where email can be null or absent:

    • DiscordProfile.email is string | null and optional (absent when the email scope is not granted)
    • AppleProfile.email is optional
    • GithubProfile.email is string | null
    • FacebookProfile.email is optional
    • FacebookProfile.email_verified is optional (Meta's Graph API does not include this field)
    • LinkedInProfile.email is optional
    • LinkedInProfile.email_verified is optional
    • MicrosoftEntraIDProfile.email is optional

    TypeScript consumers who previously dereferenced profile.email directly inside mapProfileToUser will see a compile error that matches the runtime reality; use a nullish-coalescing fallback (profile.email ?? ...) or null-check the field.

    Sign-in still rejects with error=email_not_found (social callback) or error=email_is_missing (Generic OAuth plugin) when neither the provider nor mapProfileToUser produces an email. First-class support for users without an email, keyed on (providerId, accountId) per OpenID Connect Core §5.7, is tracked in #9124.

  • Updated dependencies [9aa8e63]:

    • @​better-auth/core@​1.6.8
    • @​better-auth/drizzle-adapter@​1.6.8
    • @​better-auth/kysely-adapter@​1.6.8
    • @​better-auth/memory-adapter@​1.6.8
    • @​better-auth/mongo-adapter@​1.6.8
    • @​better-auth/prisma-adapter@​1.6.8
    • @​better-auth/telemetry@​1.6.8

1.6.7

... (truncated)

Commits
  • f484269 chore: release v1.6.9 (#9341)
  • fef7dd6 chore: update readme (#9330)
  • b289ac6 chore: release v1.6.8 (#9316)
  • 9aa8e63 fix(oauth): support mapProfileToUser fallback for providers that may omit e...
  • 856ab24 fix(organization): allow passing id through beforeCreateTeam and `beforeCre...
  • f8076d1 chore: release v1.6.7 (#9289)
  • 4f373ee feat(social-providers): accept array of Client IDs for ID token audience (#9292)
  • e1b1cfc fix(oauth2): guard against undefined body when parsing state (#9293)
  • d053a45 fix(phone-number): call callbackOnVerification when updatePhoneNumber is enab...
  • 307196a fix(api): preserve response headers when APIError is thrown (#9211)
  • Additional commits viewable in compare view

Updates hono from 4.12.14 to 4.12.18

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36


Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

... (truncated)

Commits

Updates @commitlint/cli from 20.5.0 to 20.5.3

Release notes

Sourced from @​commitlint/cli's releases.

v20.5.3

20.5.3 (2026-04-30)

Refactor

Docs

New Contributors

Full Changelog: conventional-changelog/commitlint@v20.5.2...v20.5.3

v20.5.2

20.5.2 (2026-04-25)

Just minor dep updates before the next breaking change

Chore & Docs

New Contributors

Full Changelog: conventional-changelog/commitlint@v20.5.1...v20.5.2

v20.5.1

20.5.1 (2026-03-31)

Bug Fixes

Reverts

... (truncated)

Changelog

Sourced from @​commitlint/cli's changelog.

20.5.3 (2026-04-30)

Note: Version bump only for package @​commitlint/cli

20.5.2 (2026-04-25)

Note: Version bump only for package @​commitlint/cli

Commits

Updates @commitlint/config-conventional from 20.5.0 to 20.5.3

Release notes

Sourced from @​commitlint/config-conventional's releases.

v20.5.3

20.5.3 (2026-04-30)

Refactor

Docs

New Contributors

Full Changelog: conventional-changelog/commitlint@v20.5.2...v20.5.3

v20.5.2

20.5.2 (2026-04-25)

Just minor dep updates before the next breaking change

Chore & Docs

New Contributors

Full Changelog: conventional-changelog/commitlint@v20.5.1...v20.5.2

v20.5.1

20.5.1 (2026-03-31)

Bug Fixes

Reverts

... (truncated)

Changelog

Sourced from @​commitlint/config-conventional's changelog.

20.5.3 (2026-04-30)

Note: Version bump only for package @​commitlint/config-conventional

Commits

Updates eslint from 10.2.0 to 10.3.0

Release notes

Sourced from eslint's releases.

v10.3.0

Features

  • 379571a feat: add suggestions for no-unused-private-class-members (#20773) (sethamus)

Bug Fixes

  • b6ae5cf fix: handle unavailable require cache (#20812) (Simon Podlipsky)
  • 6fb3685 fix: rule suggestions cause continuation in class body (#20787) (Milos Djermanovic)

Documentation

  • 32cc7ab docs: fix typos in docs and comments (#20809) (Tanuj Kanti)
  • 7f47937 docs: Update README (GitHub Actions Bot)

Chores

  • d32235e ci: use pnpm in eslint-flat-config-utils type integration test (#20826) (Francesco Trotta)
  • 3ffb14e chore: clean up typos in comments and JSDoc (#20821) (Pixel998)
  • 22eb58a chore: add missing continue-on-error to ecosystem-tests.yml (#20818) (Josh Goldberg ✨)
  • 88bf002 ci: bump pnpm/action-setup from 6.0.1 to 6.0.3 (#20815) (dependabot[bot])
  • 97c8c33 chore: update ilshidur/action-discord action to v0.4.0 (#20811) (renovate[bot])
  • 2f58136 chore: pin peter-evans/create-pull-request action to 5f6978f (#20810) (renovate[bot])
  • 77add7f chore: add initial ecosystem plugin tests workflow (#19643) (Josh Goldberg ✨)
  • 4023b55 test: Add unit tests for SuppressionsService.prune() (#20797) (kuldeep kumar)
  • 54080da test: add unit tests for ForkContext (#20778) (kuldeep kumar)
  • f0e2bcc test: add unit tests for SuppressionsService.suppress() method (#20765) (kuldeep kumar)
  • a7f0b94 chore: update dependency prettier to v3.8.3 (#20782) (renovate[bot])
  • 7bf93d9 chore: update TypeScript to v6 (#20677) (sethamus)
  • b42dd72 ci: bump pnpm/action-setup from 6.0.0 to 6.0.1 (#20781) (dependabot[bot])
  • 2b252be test: add unit tests for IdGenerator (#20775) (kuldeep kumar)

v10.2.1

Bug Fixes

  • 14be92b fix: model generator yield resumption paths in code path analysis (#20665) (sethamus)
  • 84a19d2 fix: no-async-promise-executor false positives for shadowed Promise (#20740) (xbinaryx)
  • af764af fix: clarify language and processor validation errors (#20729) (Pixel998)
  • e251b89 fix: update eslint (#20715) (renovate[bot])

Documentation

  • ca92ca0 docs: reuse markdown-it instance for markdown filter (#20768) (Amaresh S M)
  • 57d2ee2 docs: Enable Eleventy incremental mode for watch (#20767) (Amaresh S M)
  • c1621b9 docs: fix typos in code-path-analyzer.js (#20700) (Ayush Shukla)
  • 1418d52 docs: Update README (GitHub Actions Bot)
  • 39771e6 docs: Update README (GitHub Actions Bot)
  • 71e0469 docs: fix incomplete JSDoc param description in no-shadow rule (#20728) (kuldeep kumar)
  • 22119ce docs: clarify scope of for-direction rule with dead code examples (#20723) (Amaresh S M)
  • 8f3fb77 docs: document meta.docs.dialects (#20718) (Pixel998)

Chores

  • 7ddfea9 chore: update dependency prettier to v3.8.2 (#20770) (renovate[bot])
  • fac40e1 ci: bump pnpm/action-setup from 5.0.0 to 6.0.0 (#20763) (dependabot[bot])
  • 7246f92 test: add tests for SuppressionsService.load() error handling (#20734) (kuldeep kumar)
  • 4f34b1e chore: update pnpm/action-setup action to v5 (#20762) (renovate[bot])

... (truncated)

Commits
  • 7889204 10.3.0
  • 5b69b4f Build: changelog update for 10.3.0
  • d32235e ci: use pnpm in eslint-flat-config-utils type integration test (#20826)
  • b6ae5cf fix: handle unavailable require cache (#20812)
  • 3ffb14e chore: clean up typos in comments and JSDoc (#20821)
  • 6fb3685 fix: rule suggestions cause continuation in class body (#20787)
  • 22eb58a chore: add missing continue-on-error to ecosystem-tests.yml (#20818)
  • 88bf002 ci: bump pnpm/action-setup from 6.0.1 to 6.0.3 (#20815)
  • 379571a feat: add suggestions for no-unused-private-class-members (#20773)
  • 97c8c33 chore: update ilshidur/action-discord action to v0.4.0 (#20811)
  • Additional commits viewable in compare view

Updates fallow from 2.40.3 to 2.66.2

Release notes

Sourced from fallow's releases.

v2.66.2 - audit works in pre-commit hooks

Bug fixes

  • fallow audit now works inside pre-commit and pre-push hooks. When git runs hooks, it exports ambient repository-state environment variables into the hook subprocess: GIT_INDEX_FILE=.git/index (a relative path), plus GIT_PREFIX and friends. Audit's git worktree add was inheriting those, and the relative GIT_INDEX_FILE failed to resolve from the temporary worktree directory, so worktree creation aborted with could not create a temporary worktree for base ref 'main'. The published workaround was env -u GIT_INDEX_FILE fallow audit; that's no longer necessary.

    Every production git invocation in fallow now strips the documented set of ambient repo-state variables (GIT_DIR, GIT_WORK_TREE, GIT_INDEX_FILE, GIT_OBJECT_DIRECTORY, GIT_COMMON_DIR, GIT_PREFIX) via a shared helper. lint-staged, husky, lefthook, and the pre-commit framework all work transparently. The same robustness applies to churn / hotspot analysis, regression baselines, coverage uploads, init's branch detection, and vital signs. The worktree-creation error also surfaces a hint when an ambient repo-state variable is detected, so users on older fallow versions can self-rescue.

    Thanks @​videvian for the report. (Closes #301)

Full Changelog: fallow-rs/fallow@v2.66.1...v2.66.2

v2.66.1 - Astro scripts, register() loaders, audit base node_modules

Patch release with bug fixes for the Astro extractor, the node:module register() loader hook, fallow audit base-side worktrees, and tsconfig fallback when an extends chain is broken. Also a small cosmetic pass that swaps em-dashes for ASCII punctuation in user-facing CLI output.

Fixes

  • Astro <script src="..."> and inline <script> ESM imports are followed. Astro pages route per-component client code through external <script src="../scripts/foo.ts"> references and inline <script>import '../scripts/bar';</script> ESM bodies; both are bundled into the build output but were surfacing as unused-file. The extractor now scans the post-frontmatter template body for external script and link references and parses inline <script> bodies as TypeScript. Astro only processes a <script> tag when it has zero attributes or only src=, so attributed inline scripts (e.g. is:inline) render as authored without bundling and are intentionally excluded from the import graph to match Astro's own behavior. Thanks @​zaphir for the report. (Closes #295)
  • node:module register() loader specifiers credit their target packages. register('@swc-node/register/esm', pathToFileURL('./')) from node:module (or the bare module builtin) loads a loader by string specifier rather than via a static or dynamic import, so registered packages like @swc-node/register and tsx were surfacing as unused-dependency. Named imports, aliased named imports, and namespace imports (import * as Module from 'node:module'; Module.register(...)) all engage; same-named functions from any other source are skipped. Thanks @​ChrisJr404 for the patch and @​pdeveltere for the report. (Closes #293)
  • fallow audit base-side worktrees see the same node_modules as HEAD. Audit base worktrees lacked node_modules, breaking tsconfig extends chains that point into installed packages and disabling path-alias resolution on the BASE side. The result was spurious Broken tsconfig chain warnings and false-positive attributions on React Native repos whose tsconfig extends ./node_modules/@react-native/typescript-config/tsconfig.json. Fresh, reusable, and ready persistent base worktrees now symlink repo_root/node_modules so the BASE-side analysis sees the same dependency context as HEAD. The audit base snapshot cache version is bumped so prior snapshots captured under the broken behavior are invalidated. Thanks @​iarmankhan for the report. (Closes #292)
  • Local tsconfig paths, baseUrl, and rootDirs stay usable when an extends chain is broken. When a tsconfig's extends target was missing or unparsable, the resolver previously fell back to a no-aliases mode for the entire config, so valid local imports against paths defined in the same tsconfig surfaced as unresolved-import. The graph resolver now keeps the local tsconfig's alias contract alive and only drops the broken-extends parent's contributions, so React Native and Expo projects whose framework base tsconfig is untracked or out of sync continue to resolve their own aliases. Audit base snapshots also compare against the same merged config contract as the current run. Thanks @​M-Hassan-Raza for the patch. (#299)
  • Combined-mode --format json outside a git repository is now exactly one JSON document. When the project root sat outside any git checkout, the hotspot pipeline emitted a structured error blob to stdout and combined mode then appended its normal report on top, so fallow --format json | jq . failed with trailing characters at line 6 column 1. Missing git history is now treated as unavailable hotspot data: stdout stays a single document with empty hotspots, a non-fatal note: hotspot analysis skipped: no git repository found at project root goes to stderr (suppressed by --quiet). Standalone fallow health --hotspots --format json outside a git repo now exits 0 with empty hotspot fields instead of exiting 2 with a JSON error. Thanks @​ChrisJr404 for the patch. (Closes #294)

Cosmetic

  • User-facing CLI output uses ASCII punctuation in place of em-dashes. Rule descriptions in fallow explain, the top-level fallow --help about line, fallow list boundary output, the JSON actions note for refactor-together clone groups, the markdown health metric legend, hotspot stderr notes, the LSP test-only-dep diagnostic, the MCP list_boundaries tool description, and a handful of lower-traffic strings are now em-dash-free. Internal asserts, code comments, and clippy #[expect] reasons are out of scope.

Full Changelog: fallow-rs/fallow@v2.66.0...v2.66.1

v2.66.0 - Prisma generators end-to-end + 82% faster plugin discovery

Highlights

Prisma generator-provider crediting end-to-end (canonical layouts AND custom prisma.config.ts schema paths), an 82% speedup on the plugin-discovery stage for large monorepos, and fallow dupes now actually honors duplicates.* settings from .fallowrc.jsonc.

Performance

| Surface | Before | After | Delta |
| --- | --- | --- | --- |
| Plugin discovery (Next.js, 21,033 files) | 7378 ms | 1362 ms | -82% |
| Bare fallow (Next.js, 21,033 files) | 9.7 s | 3.3 s | -66% |
| fallow audit --gate all (Next.js, 21,033 files) | 11.7 s | 5.4 s | -54% |

audit also caches base-branch snapshots and runs HEAD analyses concurrently with base-snapshot computation, and combined-mode fallow now runs check + dupes in parallel via rayon::join.

Added

  • Prisma generator providers credited from schema.prisma. Custom-generator npm packages declared in generator <name> { provider = "<pkg>" } blocks (e.g. prisma-json-types-generator, prisma-erd-generator) are now credited as referenced dependencies instead of surfacing under unused-dependency. Covers prisma/schema.prisma, root schema.prisma, and the multi-file prisma/schema/*.prisma layout. Datasource providers, shell-command form, relative-path form, and commented-out generators are all handled correctly. (Closes #288)
  • Custom Prisma schema paths from prisma.config.ts are honored. The plugin reads the static schema field from prisma.config.{ts,mts,cts,js,mjs,cjs} and the new .config/prisma.{ts,...} Prisma 6 alternate location, resolves it against the project root, marks the configured schema file or folder as always-used, and recursively scans it for generator providers. Layouts where the schema sits outside the canonical prisma/ directory (e.g. db/schema/) are now covered without ignoreDependencies. Thanks @​M-Hassan-Raza for the patch. (#291)
  • VS Code: client-side diagnostic mute and dynamic issue types. Mute diagnostics from the editor without round-tripping through .fallowrc.jsonc; the issue-type list in the LSP filter is populated dynamically from the language server so newly-added kinds appear without an extension release. Thanks @​FunctionDJ for the report. (#287)

Changed

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.66.2] - 2026-05-07

Fixed

  • fallow audit no longer fails when invoked from a pre-commit / pre-push hook. When git runs hooks it exports ambient repo-state environment variables into the hook subprocess (GIT_INDEX_FILE=.git/index as a relative path, plus GIT_PREFIX and friends). Audit's git worktree add was inheriting those, and the relative GIT_INDEX_FILE failed to resolve from the temporary worktree directory, so worktree creation aborted with could not create a temporary worktree for base ref 'main' (workaround was env -u GIT_INDEX_FILE fallow audit). Every production git invocation in fallow now strips the documented set of ambient repo-state vars (GIT_DIR, GIT_WORK_TREE, GIT_INDEX_FILE, GIT_OBJECT_DIRECTORY, GIT_COMMON_DIR, GIT_PREFIX) via a shared helper, so lint-staged, husky, lefthook, and the pre-commit framework all work transparently. The same robustness applies to churn / hotspot, regression baselines, coverage uploads, init's branch detection, and vital signs. The worktree-creation error also surfaces a hint when an ambient repo-state var is detected so users on older fallow versions can self-rescue. Thanks @​videvian for the report. (Closes #301)

[2.66.1] - 2026-05-06

Changed

  • User-facing CLI output uses ASCII punctuation in place of em-dashes. Rule descriptions in fallow explain, the top-level fallow --help about line, fallow list boundary output, the JSON actions note for refactor-together clone groups, the markdown health metric legend, hotspot stderr notes, the LSP test-only-dep diagnostic, the MCP list_boundaries tool description, and a handful of lower-traffic strings are now em-dash-free. Internal asserts, code comments, and clippy #[expect] reasons are out of scope.

Fixed

  • Astro <script src="..."> and inline <script> ESM imports are followed during static analysis. Astro pages route per-component client code through two template-side shapes the extractor previously did not see: external <script src="../scripts/foo.ts"></script> references and inline <script>import '../scripts/bar';</script> ESM bodies. Targets of either form are bundled into the build output but were surfacing as unused-file. The Astro parser now scans the post-frontmatter template body for external script and link references via the shared HTML asset-ref collector, and parses inline <script> bodies as TypeScript to extract their ES module imports. Astro only processes a <script> tag when it has zero attributes or only src= (any other attribute, e.g. is:inline or type="module" with extras, renders as authored without bundling), so attributed inline scripts are intentionally excluded from the import graph to match Astro's own behavior. HTML comments are stripped before scanning, and inline bodies are skipped when a src= attribute is present so external references are never double-counted. Thanks @​zaphir for the report. (Closes #295)
  • node:module register() loader specifiers credit their target packages. register('@swc-node/register/esm', pathToFileURL('./')) from node:module (or the bare module builtin) loads a loader module by string specifier rather than via a static or dynamic import, so registered packages like @swc-node/register and tsx were surfacing as unused-dependency even though Node loads them at startup. The visitor now records the first argument of register(...) calls as a require / dynamic-import specifier when the callee resolves to the register export of node:module / module. Named imports (import { register }), aliased named imports (import { register as reg }), and namespace imports (import * as Module from 'node:module'; Module.register(...)) all engage; same-named functions from any other source are skipped. Template-literal and dotted-call first-argument forms are recognized too. Thanks @​ChrisJr404 for the patch and @​pdeveltere for the report. (Closes #293)
  • fallow audit base-side worktrees see the same node_modules as HEAD. Audit base worktrees lacked node_modules, breaking tsconfig extends chains that point into installed packages and disabling path-alias resolution on the BASE side. The result was spurious Broken tsconfig chain warnings and false-positive attributions on React Native repos whose tsconfig extends ./node_modules/@react-native/typescript-config/tsconfig.json. Fresh, reusable, and ready persistent base worktrees now symlink repo_root/node_modules so the BASE-side analysis sees the same dependency context as HEAD. The audit base snapshot cache version is bumped so prior snapshots captured under the broken behavior are invalidated. Thanks @​iarmankhan for the report. (Closes #292)
  • Local tsconfig paths, baseUrl, and rootDirs stay usable when an extends chain is broken. When a tsconfig's extends target was missing or unparsable, the resolver previously fell back to a no-aliases mode for the entire config, so valid local imports against paths defined in the same tsconfig surfaced as unresolved-import. The graph resolver now keeps the local tsconfig's alias contract alive and only drops the broken-extends parent's contributions, so React Native and Expo projects whose framework base tsconfig is untracked or out of sync continue to resolve their own aliases. Audit base snapshots also compare against the same merged config contract as the current run, with new test coverage for React Native / Expo aliases, config inheritance, project references, cache hits, and import edge shapes. Thanks @​M-Hassan-Raza for the patch. (#299)
  • Combined-mode --format json outside a git repository is now exactly one JSON document. When the project root sat outside any git checkout, the hotspot pipeline emitted a structured {"error": true, "message": "hotspot analysis requires a git repository", ...} blob to stdout and then combined mode appended its normal report on top, so fallow --format json | jq . and any agent / CI parser failed with trailing characters at line 6 column 1. Missing git history is now treated as unavailable hotspot data: stdout stays a single document with empty hotspots, a non-fatal note: hotspot analysis skipped: no git repository found at project root goes to stderr (suppressed by --quiet). Standalone fallow health --hotspots --format json outside a git repo now exits 0 with empty hotspot fields instead of exiting 2 with a JSON error; CI scripts that depended on the old exit-2 signal need to inspect the (now omitted) hotspot_summary field instead. Thanks @​ChrisJr404 for the patch. (Closes #294)

[2.66.0] - 2026-05-06

Added

  • Prisma generator { provider = "..." } blocks credit custom-generator npm packages. The prisma plugin now scans prisma/schema.prisma, root-level schema.prisma, and the multi-file prisma/schema/*.prisma layout for generator <name> { provider = "<pkg>" } blocks and credits each non-built-in provider as a referenced dependency, so packages like prisma-json-types-generator and prisma-erd-generator no longer surface as unused-dependency. datasource providers (postgresql, mysql, etc.), the shell-command form (provider = "node ./gen.js"), and the relative-path form (provider = "./local-generator") are intentionally skipped; line a...

    Description has been truncated

Bumps the npm-deps group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@hono/node-server](https://github.com/honojs/node-server) | `2.0.0` | `2.0.1` |
| [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.6.5` | `1.6.9` |
| [hono](https://github.com/honojs/hono) | `4.12.14` | `4.12.18` |
| [@commitlint/cli](https://github.com/conventional-changelog/commitlint/tree/HEAD/@commitlint/cli) | `20.5.0` | `20.5.3` |
| [@commitlint/config-conventional](https://github.com/conventional-changelog/commitlint/tree/HEAD/@commitlint/config-conventional) | `20.5.0` | `20.5.3` |
| [eslint](https://github.com/eslint/eslint) | `10.2.0` | `10.3.0` |
| [fallow](https://github.com/fallow-rs/fallow) | `2.40.3` | `2.66.2` |
| [globals](https://github.com/sindresorhus/globals) | `17.5.0` | `17.6.0` |
| [tap](https://github.com/tapjs/tapjs) | `21.7.0` | `21.7.2` |



Updates `@hono/node-server` from 2.0.0 to 2.0.1
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v2.0.0...v2.0.1)

Updates `better-auth` from 1.6.5 to 1.6.9
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/better-auth@1.6.9/packages/better-auth)

Updates `hono` from 4.12.14 to 4.12.18
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.14...v4.12.18)

Updates `@commitlint/cli` from 20.5.0 to 20.5.3
- [Release notes](https://github.com/conventional-changelog/commitlint/releases)
- [Changelog](https://github.com/conventional-changelog/commitlint/blob/master/@commitlint/cli/CHANGELOG.md)
- [Commits](https://github.com/conventional-changelog/commitlint/commits/v20.5.3/@commitlint/cli)

Updates `@commitlint/config-conventional` from 20.5.0 to 20.5.3
- [Release notes](https://github.com/conventional-changelog/commitlint/releases)
- [Changelog](https://github.com/conventional-changelog/commitlint/blob/master/@commitlint/config-conventional/CHANGELOG.md)
- [Commits](https://github.com/conventional-changelog/commitlint/commits/v20.5.3/@commitlint/config-conventional)

Updates `eslint` from 10.2.0 to 10.3.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.2.0...v10.3.0)

Updates `fallow` from 2.40.3 to 2.66.2
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.40.3...v2.66.2)

Updates `globals` from 17.5.0 to 17.6.0
- [Release notes](https://github.com/sindresorhus/globals/releases)
- [Commits](sindresorhus/globals@v17.5.0...v17.6.0)

Updates `tap` from 21.7.0 to 21.7.2
- [Release notes](https://github.com/tapjs/tapjs/releases)
- [Commits](https://github.com/tapjs/tapjs/compare/tap@21.7.0...tap@21.7.2)

---
updated-dependencies:
- dependency-name: "@hono/node-server"
  dependency-version: 2.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: better-auth
  dependency-version: 1.6.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: hono
  dependency-version: 4.12.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: "@commitlint/cli"
  dependency-version: 20.5.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: "@commitlint/config-conventional"
  dependency-version: 20.5.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: eslint
  dependency-version: 10.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: fallow
  dependency-version: 2.66.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: globals
  dependency-version: 17.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: tap
  dependency-version: 21.7.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels on May 14, 2026
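
The hono v4.12.18 notes quoted in this pull request describe JWT time claims (exp, nbf, iat) whose falsy, non-finite, or non-numeric values bypassed time-based checks. The following is an added example, not hono's code and not part of this pull request: it contrasts a truthiness-guarded check with one that requires a finite JSON number. The function names, the fixed clock value and the sample payloads are constructed for illustration.

```javascript
// Added example, not hono's source. All names below are hypothetical.

// Loose pattern: truthiness guards plus relational comparison. A falsy claim
// skips its check entirely, and a non-numeric or infinite claim compares as
// "not expired", so the token is accepted.
function checkTimeClaimsLoose(payload, now) {
  if (payload.nbf && payload.nbf > now) return { ok: false, reason: 'nbf_in_future' };
  if (payload.exp && payload.exp <= now) return { ok: false, reason: 'expired' };
  if (payload.iat && payload.iat > now) return { ok: false, reason: 'iat_in_future' };
  return { ok: true, reason: null };
}

// RFC 7519 NumericDate: a JSON number of seconds since the epoch.
function isNumericDate(value) {
  return typeof value === 'number' && Number.isFinite(value);
}

// Strict pattern: a claim that is present must be a finite number, otherwise
// the token is rejected before any comparison takes place.
function checkTimeClaimsStrict(payload, now) {
  for (const claim of ['exp', 'nbf', 'iat']) {
    if (payload[claim] !== undefined && !isNumericDate(payload[claim])) {
      return { ok: false, reason: claim + '_malformed' };
    }
  }
  if (payload.exp !== undefined && now >= payload.exp) {
    return { ok: false, reason: 'expired' };
  }
  if (payload.nbf !== undefined && now < payload.nbf) {
    return { ok: false, reason: 'nbf_in_future' };
  }
  // Rejecting an iat in the future is a policy choice of this example.
  if (payload.iat !== undefined && now < payload.iat) {
    return { ok: false, reason: 'iat_in_future' };
  }
  return { ok: true, reason: null };
}

// Constructed inputs: decoded JWT payloads as JSON text, checked against a
// fixed clock so the results are reproducible.
const NOW = 1700000000;
const SAMPLE_PAYLOADS = [
  '{"sub":"u1","exp":1700000060}', // valid, expires in 60 s
  '{"sub":"u1","exp":1699999940}', // expired 60 s ago
  '{"sub":"u1","exp":0}',          // falsy number
  '{"sub":"u1","exp":null}',       // falsy non-number
  '{"sub":"u1","exp":"never"}',    // non-numeric string
  '{"sub":"u1","exp":1e999}',      // JSON.parse yields Infinity
  '{"sub":"u1","nbf":"soon"}',     // non-numeric nbf
];

// Run both validators over every sample and return the verdicts side by side.
function compareValidators(now = NOW) {
  return SAMPLE_PAYLOADS.map((json) => {
    const payload = JSON.parse(json);
    return {
      json,
      loose: checkTimeClaimsLoose(payload, now),
      strict: checkTimeClaimsStrict(payload, now),
    };
  });
}

for (const row of compareValidators()) {
  const loose = row.loose.ok ? 'accept' : 'reject';
  const strict = row.strict.ok ? 'accept' : 'reject (' + row.strict.reason + ')';
  console.log(row.json + '  loose=' + loose + '  strict=' + strict);
}
```

A regression test for the upgrade can reuse the malformed payloads: each one should be rejected by whatever verifier the application calls.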