chore(deps-dev): bump the development-minor-and-patch group with 4 updates

[dependabot]

Bumps the development-minor-and-patch group with 4 updates: @types/node, oxfmt, oxlint and vitest.

Updates @types/node from 25.8.0 to 25.9.1

Commits

• See full diff in compare view

Updates oxfmt from 0.50.0 to 0.51.0

Changelog

Sourced from oxfmt's changelog.

Changelog

All notable changes to this package will be documented in this file.

The format is based on Keep a Changelog.

Commits

• 5570206 release(apps): oxlint v1.66.0 && oxfmt v0.51.0 (#22528)
• See full diff in compare view

Updates oxlint from 1.65.0 to 1.66.0

Release notes

Sourced from oxlint's releases.

oxlint v1.27.0 && oxfmt v0.12.0

Oxlint v1.27.0

🚀 Features

• 222a8f0 linter/plugins: Implement SourceCode#isSpaceBetween (#15498) (overlookmotel)
• 2f9735d linter/plugins: Implement context.languageOptions (#15486) (overlookmotel)
• bc731ff linter/plugins: Stub out all Context APIs (#15479) (overlookmotel)
• 5822cb4 linter/plugins: Add extend method to FILE_CONTEXT (#15477) (overlookmotel)
• 7b1e6f3 apps: Add pure rust binaries and release to github (#15469) (Boshen)
• 2a89b43 linter: Introduce debug assertions after fixes to assert validity (#15389) (camc314)
• ad3c45a editor: Add oxc.path.node option (#15040) (Sysix)

🐛 Bug Fixes

• 6f3cd77 linter/no-var: Incorrect warning for blocks (#15504) (Hamir Mahal)
• 6957fb9 linter/plugins: Do not allow access to Context#id in createOnce (#15489) (overlookmotel)
• 7409630 linter/plugins: Allow access to cwd in createOnce in ESLint interop mode (#15488) (overlookmotel)
• 732205e parser: Reject using / await using in a switch case / default clause (#15225) (sapphi-red)
• a17ca32 linter/plugins: Replace Context class (#15448) (overlookmotel)
• ecf2f7b language_server: Fail gracefully when tsgolint executable not found (#15436) (camc314)
• 3c8d3a7 lang-server: Improve logging in failure case for tsgolint (#15299) (camc314)
• ef71410 linter: Use jsx if source type is JS in fix debug assertion (#15434) (camc314)
• e32bbf6 linter/no-var: Handle TypeScript declare keyword in fixer (#15426) (camc314)
• 6565dbe linter/switch-case-braces: Skip comments when searching for : token (#15425) (camc314)
• 85bd19a linter/prefer-class-fields: Insert value after type annotation in fixer (#15423) (camc314)
• fde753e linter/plugins: Block access to context.settings in createOnce (#15394) (overlookmotel)
• ddd9f9f linter/forward-ref-uses-ref: Dont suggest removing wrapper in invalid positions (#15388) (camc314)
• dac2a9c linter/no-template-curly-in-string: Remove fixer (#15387) (camc314)
• 989b8e3 linter/no-var: Only fix to const if the var has an initializer (#15385) (camc314)
• cc403f5 linter/plugins: Return empty object for unimplemented parserServices (#15364) (magic-akari)

⚡ Performance

• 25d577e language_server: Start tools in parallel (#15500) (Sysix)
• 3c57291 linter/plugins: Optimize loops (#15449) (overlookmotel)
• 3166233 linter/plugins: Remove Arcs (#15431) (overlookmotel)
• 9de1322 linter/plugins: Lazily deserialize settings JSON (#15395) (overlookmotel)
• 3049ec2 linter/plugins: Optimize deepFreezeSettings (#15392) (overlookmotel)
• 444ebfd linter/plugins: Use single object for parserServices (#15378) (overlookmotel)

📚 Documentation

• 97d2104 linter: Update comment in lint.rs about default value for tsconfig path (#15530) (Connor Shea)
• 2c6bd9e linter: Always refer as "ES2015" instead of "ES6" (#15411) (sapphi-red)
• a0c5203 linter/import/named: Update "ES7" comment in examples (#15410) (sapphi-red)
• 3dc24b5 linter,minifier: Always refer as "ES Modules" instead of "ES6 Modules" (#15409) (sapphi-red)
• 2ad77fb linter/no-this-before-super: Correct "Why is this bad?" section (#15408) (sapphi-red)
• 57f0ce1 linter: Add backquotes where appropriate (#15407) (sapphi-red)

Oxfmt v0.12.0

... (truncated)

Changelog

Sourced from oxlint's changelog.

[1.66.0] - 2026-05-18

🚀 Features

• 0440b0f linter/eslint: Implement id-match rule (#22379) (Vladislav Sayapin)
• 65bf119 linter: Implement react no-object-type-as-default-prop (#22481) (uhyo)
• 2a6ddce linter/eslint: Implement no-implied-eval rule (#22391) (Vladislav Sayapin)
• 625758a linter/vitest: Implement padding-around-after-all-blocks rule (#21788) (kapobajza)
• 37680b0 linter: Implement react no-unstable-nested-components (#22248) (Jovi De Croock)
• d8d9c74 linter: Implement import/newline-after-import rule (#19142) (Ryuya Yanagi)

Commits

• 5570206 release(apps): oxlint v1.66.0 && oxfmt v0.51.0 (#22528)
• 0440b0f feat(linter/eslint): implement id-match rule (#22379)
• 65bf119 feat(linter): implement react no-object-type-as-default-prop (#22481)
• 2a6ddce feat(linter/eslint): implement no-implied-eval rule (#22391)
• 625758a feat(linter/vitest): Implement padding-around-after-all-blocks rule (#21788)
• 37680b0 feat(linter): implement react no-unstable-nested-components (#22248)
• d8d9c74 feat(linter): implement import/newline-after-import rule (#19142)
• See full diff in compare view

Updates vitest from 4.1.6 to 4.1.7

Release notes

Sourced from vitest's releases.

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

Commits

• a09d472 chore: release v4.1.7
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	vitest@​4.1.7
	@​types/​node@​25.9.1
	oxfmt@​0.51.0
	oxlint@​1.66.0

View full report

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 25, 2026, 6:28 PM ET / 22:28 UTC.

Summary
The PR refreshes development dependency metadata for @types/node, oxfmt, oxlint, and vitest, with only the oxfmt range changing in package.json and resolved versions changing in pnpm-lock.yaml.

Reproducibility: not applicable. this is an automated dependency-maintenance PR rather than a bug report. The review target is the package metadata diff and dependency-review gate.

Review metrics: 2 noteworthy metrics.

• Changed files: 2 files changed. The patch is confined to package metadata, which keeps the review surface narrow.
• Lockfile churn: 224 additions, 224 deletions. Most of the diff is expected lockfile replacement for updated dev-tool packages and their native optional binaries.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🌊 off-meta tidepool
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• The patch updates dev tools that run in CI and local scripts, so merge should still wait for the repository's dependency-review and CI results even though no source-level defect is visible.

Maintainer options:

1. Decide the mitigation before merge
   Keep the dependency refresh narrow and merge it only after dependency-review and normal CI checks remain clean.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge
No ClawSweeper repair lane is needed because the review found no narrow defect for automation to fix.

Security
Cleared: No concrete security or supply-chain defect was found in the package.json and pnpm-lock.yaml dev dependency refresh.

Review details

Best possible solution:

Keep the dependency refresh narrow and merge it only after dependency-review and normal CI checks remain clean.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is an automated dependency-maintenance PR rather than a bug report. The review target is the package metadata diff and dependency-review gate.

Is this the best way to solve the issue?

Yes: a narrow manifest plus lockfile refresh is the maintainable way to apply these dev-tool updates, assuming dependency review and CI remain clean.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ed3d5750ff89.

Label changes

Label changes:

• add rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🌊 off-meta tidepool and patch quality is 🦞 diamond lobster.
• remove rating: 🐚 platinum hermit: Current PR rating is rating: 🦞 diamond lobster, so this older rating label is no longer current.

Label justifications:

• P3: This is low-risk automated development dependency maintenance with no source or runtime behavior changes.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🌊 off-meta tidepool and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot-authored maintenance PRs are bot PRs where contributor real-behavior proof is not applicable; dependency review and CI are the relevant gates.

Evidence reviewed

What I checked:

• Repository policy read: AGENTS.md was read in full; it identifies clawpatch as a pnpm/Node 22 TypeScript CLI and calls out package tests/checks plus keeping generated dist edits out of commits. The PR does not touch source or generated dist files. (AGENTS.md:1, ed3d5750ff89)
• Diff surface: The branch changes only package.json and pnpm-lock.yaml, with 225 insertions and 225 deletions total. (package.json:37, 22b80acdcfd6)
• Manifest change: package.json changes only oxfmt from ^0.50.0 to ^0.51.0; scripts, runtime dependencies, package files, engines, and packageManager stay unchanged. (package.json:37, 22b80acdcfd6)
• Lockfile resolutions: The PR lockfile resolves @types/node to 25.9.1, oxfmt to 0.51.0, oxlint to 1.66.0, and vitest to 4.1.7 while leaving zod and TypeScript unchanged. (pnpm-lock.yaml:15, 22b80acdcfd6)
• Dependabot grouping: The repository's dependabot config explicitly groups development minor and patch npm updates, matching the PR title and dependency set. (.github/dependabot.yml:17, ed3d5750ff89)
• Dependency review gate: The repository has a Dependency Review workflow for package.json and pnpm-lock.yaml changes with fail-on-severity set to high, so dependency-review CI is the appropriate merge gate. (.github/workflows/dependency-review.yml:6, ed3d5750ff89)

Likely related people:

• @openclaw/openclaw-secops: CODEOWNERS explicitly routes package.json and pnpm-lock.yaml package integrity surfaces to this team. (role: CODEOWNERS package-integrity reviewer; confidence: high; files: .github/CODEOWNERS, package.json, pnpm-lock.yaml)
• Peter Steinberger: Current blame for the devDependencies block and pnpm-lock.yaml importer metadata points to the v0.4.0 release commit by this author. (role: package setup contributor; confidence: high; commits: cdd58ac59213; files: package.json, pnpm-lock.yaml)
• Vincent Koc: Recent package.json history includes a constrained Crabbox setup change by this author, making them an adjacent package metadata routing candidate. (role: recent package metadata contributor; confidence: medium; commits: 857d854ac8d0; files: package.json)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Clockwork Patch Peep

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: watches the merge queue.
Image traits: location workflow harbor; accessory review stamp; palette pearl, teal, and neon green; mood bright-eyed; pose leaning over a miniature review desk; shell frosted glass shell; lighting tiny status-light glow; background gentle dashboard dots.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Clockwork Patch Peep in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.