deps(deps): bump the major group with 6 updates

[dependabot]

Bumps the major group with 6 updates:

Package	From	To
puppeteer	24.42.0	25.1.0
undici	7.25.0	8.5.0
webtorrent	2.8.5	3.0.16
@vitejs/plugin-react	5.1.4	6.0.2
eslint	9.39.2	10.5.0
typescript	5.9.3	6.0.3

Updates puppeteer from 24.42.0 to 25.1.0

Release notes

Sourced from puppeteer's releases.

puppeteer-core: v25.1.0

25.1.0 (2026-05-26)

🎉 Features

• roll to Chrome 149.0.7827.2 (af1b9be)
• roll to Firefox 151.0 (#15013) (767ea54)

🛠️ Fixes

• roll to Chrome 148.0.7778.178 (#15014) (59764ac)

📄 Documentation

• use ESM and top level await (#15030) (34ecc62)

🏗️ Refactor

• remove debug dependency (#15023) (94d1e1c)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 3.0.3 to 3.0.4

puppeteer: v25.1.0

25.1.0 (2026-05-26)

🎉 Features

• roll to Chrome 149.0.7827.2 (af1b9be)

🛠️ Fixes

• improve progress bar and install (#15042) (51db32a)
• support concurrency in progress bars (#15045) (ab0171d)

🏗️ Refactor

• replace cosmiconfig with lilconfig (#15031) (4a1c2ff)

... (truncated)

Changelog

Sourced from puppeteer's changelog.

25.1.0 (2026-05-26)

🎉 Features

• roll to Chrome 149.0.7827.2 (af1b9be)
• roll to Firefox 151.0 (#15013) (767ea54)

🛠️ Fixes

• roll to Chrome 148.0.7778.178 (#15014) (59764ac)

🏗️ Refactor

• remove debug dependency (#15023) (94d1e1c)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 3.0.3 to 3.0.4

📄 Documentation

• use ESM and top level await (#15030) (34ecc62)

25.0.4 (2026-05-18)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • puppeteer-core bumped from 25.0.3 to 25.0.4

🛠️ Fixes

• Throw TargetCloseError when session ID not found (#15002) (611abef)

... (truncated)

Commits

• ede6669 chore: release main (#15056)
• 7bc09e7 chore(deps): bump the all group with 5 updates (#15052)
• 8c81170 chore(deps): bump the all group in /website with 3 updates (#15051)
• 09eced5 chore: update lock
• 53b9fda chore(deps): bump the dependencies group with 2 updates (#15049)
• d842411 chore(deps): bump node from 050bf2b to 8530f76 in /docker in the all grou...
• 1d2a569 docs: document read-only Docker directories (#15048)
• ab0171d fix: support concurrency in progress bars (#15045)
• 51db32a fix: improve progress bar and install (#15042)
• d32384b chore(deps): bump qs and express in /website (#15040)
• Additional commits viewable in compare view

Updates undici from 7.25.0 to 8.5.0

Release notes

Sourced from undici's releases.

v8.5.0

What's Changed

• test: absorb h2 stream timeout resets by @​marko1olo in nodejs/undici#5383
• fix: keep idle validation on native timers by @​mcollina in nodejs/undici#5397
• fix: keep idle validation on global timers by @​mcollina in nodejs/undici#5407
• fix(h2): do not rewind kPendingIdx past in-flight requests by @​DucMinhNe in nodejs/undici#5408
• docs: explain request header validation by @​vibhor-aggr in nodejs/undici#5413
• fix: allow h2 post request multiplexing by @​mcollina in nodejs/undici#5391
• fix: reap idle HTTP/2 sessions by @​mcollina in nodejs/undici#5406
• add bodymixin.textStream() by @​KhafraDev in nodejs/undici#5416
• fix: preserve h2 queue on out-of-order completion by @​mcollina in nodejs/undici#5410
• align EventSource with spec by @​KhafraDev in nodejs/undici#5418
• chore: removed repro-h2-pipelining-default.mjs and lint by @​mcollina in nodejs/undici#5420
• ci: extend Windows Node.js workflow timeout by @​mcollina in nodejs/undici#5426
• test: detect available python command in wpt runner by @​mcollina in nodejs/undici#5427

New Contributors

• @​DucMinhNe made their first contribution in nodejs/undici#5408
• @​vibhor-aggr made their first contribution in nodejs/undici#5413

Full Changelog: nodejs/undici@v8.4.1...v8.5.0

v8.4.1

What's Changed

• test: avoid localhost lookup in fetch cookies tests by @​mcollina in nodejs/undici#5363
• fix: prevent race condition between onEnd and onTrailers in HTTP/2 client (#5216) by @​mcollina in nodejs/undici#5343
• fix(dns): skip requests without origin by @​marko1olo in nodejs/undici#5376
• docs: add Getting Started guide by @​AliMahmoudDev in nodejs/undici#5371
• docs: fix code examples that crash at runtime and other inaccuracies by @​AliMahmoudDev in nodejs/undici#5386
• fix: handle paused parser on socket end (issue #5360) by @​mcollina in nodejs/undici#5389
• fix(client): reject pipelined TLS altname errors by @​marko1olo in nodejs/undici#5373
• docs: fix multiple inaccuracies in API documentation by @​AliMahmoudDev in nodejs/undici#5384
• docs: fix remaining broken links in API documentation by @​AliMahmoudDev in nodejs/undici#5342

New Contributors

• @​marko1olo made their first contribution in nodejs/undici#5376

Full Changelog: nodejs/undici@v8.4.0...v8.4.1

v8.4.0

What's Changed

• fix: register connect listener before initiating requests in close-and-destroy test by @​mcollina in nodejs/undici#5272
• test: stabilize tls-cert-leak regression by @​mcollina in nodejs/undici#5306
• fix: replace tspl with native test context in test/examples.js by @​mcollina in nodejs/undici#5300
• http2: remove redundant request stream binding by @​trivikr in nodejs/undici#5302
• test: limit cache-tests workers on Windows by @​mcollina in nodejs/undici#5309
• test: use test context cleanup hooks in parser issue tests by @​mcollina in nodejs/undici#5282
• Add redirect option to strip headers on redirect by @​mcollina in nodejs/undici#5281
• chore(test): fix lint failure by @​aduh95 in nodejs/undici#5316
• chore(ci): use npm ci instead of npm install by @​aduh95 in nodejs/undici#5315

... (truncated)

Commits

• a0806e1 Bumped v8.5.0 (#5429)
• 8a0392c test: detect available python command in wpt runner (#5427)
• f4045b9 ci: increase Node.js workflow timeout (#5426)
• 363e44f chore: removed repro-h2-pipelining-default.mjs and lint (#5420)
• c5ed787 websocket: handle empty fragments and stream limits
• e114e77 align EventSource with spec (#5418)
• 6df53c5 fix: preserve h2 queue on out-of-order completion (#5410)
• 32dbf0b websocket: limit the number of fragments in a message
• 0d6ecc5 add bodymixin.textStream() (#5416)
• 42d4955 fix: honor requestTls when proxy is SOCKS5
• Additional commits viewable in compare view

Updates webtorrent from 2.8.5 to 3.0.16

Release notes

Sourced from webtorrent's releases.

v3.0.16

3.0.16 (2026-05-29)

Bug Fixes

• perf: utp speed (#3068) (668ccdd)

v3.0.15

3.0.15 (2026-05-29)

Bug Fixes

• server path2 (#3067) (6498e62)

v3.0.14

3.0.14 (2026-05-28)

Bug Fixes

• http server encoding (#3064) (9c5b70d)

v3.0.13

3.0.13 (2026-05-27)

Bug Fixes

• deps: update dependency bittorrent-protocol to ^5.0.6 (#3061) (f64f8a0)

v3.0.12

3.0.12 (2026-05-27)

Bug Fixes

• pe tests (#3060) (bc76c3d)

v3.0.11

3.0.11 (2026-05-27)

Bug Fixes

• deps: update dependency ut_pex to v5 (#3058) (47d3b7b)

v3.0.10

3.0.10 (2026-05-26)

... (truncated)

Changelog

Sourced from webtorrent's changelog.

3.0.16 (2026-05-29)

Bug Fixes

• perf: utp speed (#3068) (668ccdd)

3.0.15 (2026-05-29)

Bug Fixes

• server path2 (#3067) (6498e62)

3.0.14 (2026-05-28)

Bug Fixes

• http server encoding (#3064) (9c5b70d)

3.0.13 (2026-05-27)

Bug Fixes

• deps: update dependency bittorrent-protocol to ^5.0.6 (#3061) (f64f8a0)

3.0.12 (2026-05-27)

Bug Fixes

• pe tests (#3060) (bc76c3d)

3.0.11 (2026-05-27)

Bug Fixes

• deps: update dependency ut_pex to v5 (#3058) (47d3b7b)

3.0.10 (2026-05-26)

Bug Fixes

• deps: update dependency torrent-piece to ^4.0.1 (#3059) (f734c27)

3.0.9 (2026-05-26)

... (truncated)

Commits

• 44f782d chore(release): 3.0.16
• 668ccdd fix(perf): utp speed (#3068)
• f122edf chore(release): 3.0.15
• 6498e62 fix: server path2 (#3067)
• 11dac14 chore(release): 3.0.14
• 9c5b70d fix: http server encoding (#3064)
• 3dfb8eb chore(release): 3.0.13
• f64f8a0 fix(deps): update dependency bittorrent-protocol to ^5.0.6 (#3061)
• 9b350cf chore(release): 3.0.12
• bc76c3d fix: pe tests (#3060)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for webtorrent since your current version.

Updates @vitejs/plugin-react from 5.1.4 to 6.0.2

Release notes

Sourced from @​vitejs/plugin-react's releases.

plugin-react@6.0.2

Allow all options in reactCompilerPreset (#1189)

This is a type only change. Only compilationMode and target options were available for reactCompilerPreset.

plugin-react@6.0.1

Expand @rolldown/plugin-babel peer dep range (#1146)

Expanded @rolldown/plugin-babel peer dep range to include ^0.2.0.

plugin-react@6.0.0

Remove Babel Related Features (#1123)

Vite 8+ can handle React Refresh Transform by Oxc and doesn't need Babel for it. With that, there are no transform applied that requires Babel. To reduce the installation size of this plugin, babel is no longer a dependency of this plugin and the related features are removed.

If you are using Babel, you can use @rolldown/plugin-babel together with this plugin:

 import { defineConfig } from 'vite'
 import react from '@vitejs/plugin-react'
+import babel from '@rolldown/plugin-babel'
export default defineConfig({
plugins: [


react({



  babel: {



    plugins: ['@babel/plugin-proposal-throw-expressions'],



  },



}),





react(),



babel({



  plugins: ['@babel/plugin-proposal-throw-expressions'],



}),

]
})

For React compiler users, you can use reactCompilerPreset for easier setup with preconfigured filter to improve build performance:

 import { defineConfig } from 'vite'
-import react from '@vitejs/plugin-react'
+import react, { reactCompilerPreset } from '@vitejs/plugin-react'
+import babel from '@rolldown/plugin-babel'
export default defineConfig({
plugins: [

react({

 babel: {



   plugins: ['babel-plugin-react-compiler'],



</tr></table>

... (truncated)

Changelog

Sourced from @​vitejs/plugin-react's changelog.

6.0.2 (2026-05-14)

Allow all options in reactCompilerPreset (#1189)

This is a type only change. Only compilationMode and target options were available for reactCompilerPreset.

6.0.1 (2026-03-13)

Expand @rolldown/plugin-babel peer dep range (#1146)

Expanded @rolldown/plugin-babel peer dep range to include ^0.2.0.

6.0.0 (2026-03-12)

6.0.0-beta.0 (2026-03-03)

Remove Babel Related Features (#1123)

Vite 8+ can handle React Refresh Transform by Oxc and doesn't need Babel for it. With that, there are no transform applied that requires Babel. To reduce the installation size of this plugin, babel is no longer a dependency of this plugin and the related features are removed.

If you are using Babel, you can use @rolldown/plugin-babel together with this plugin:

 import { defineConfig } from 'vite'
 import react from '@vitejs/plugin-react'
+import babel from '@rolldown/plugin-babel'
export default defineConfig({
plugins: [


react({



  babel: {



    plugins: ['@babel/plugin-proposal-throw-expressions'],



  },



}),





react(),



babel({



  plugins: ['@babel/plugin-proposal-throw-expressions'],



}),

]
})

For React compiler users, you can use reactCompilerPreset for easier setup with preconfigured filter to improve build performance:

 import { defineConfig } from 'vite'
-import react from '@vitejs/plugin-react'
+import react, { reactCompilerPreset } from '@vitejs/plugin-react'
+import babel from '@rolldown/plugin-babel'
</tr></table>

... (truncated)

Commits

• 6535b55 release: plugin-react@6.0.2
• bf0e43b feat(react): whitelist debugging-options (#1189)
• 3bd1f08 feat: use carets for rolldown versions (#1216)
• 2b8df67 fix(deps): update all non-major dependencies (#1218)
• 8fa9619 fix(deps): update react 19.2.6 (#1211)
• a4296ad fix(deps): update all non-major dependencies (#1209)
• 323ccd7 fix(deps): update all non-major dependencies (#1196)
• a7506e1 chore(deps): update vite 8.0.10 (#1198)
• 02cff2a fix(deps): update all non-major dependencies (#1184)
• 4b9c890 fix(deps): update react 19.2.5 (#1181)
• Additional commits viewable in compare view

Updates eslint from 9.39.2 to 10.5.0

Release notes

Sourced from eslint's releases.

v10.5.0

Features

• 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#20973) (Pixel998)
• b565783 feat: report no-with violations at the with keyword (#20971) (Pixel998)
• 2ce032f feat: report max-lines-per-function violations at function head (#20966) (Pixel998)
• 732cb3e feat: report max-nested-callbacks violations at function head (#20967) (Pixel998)
• f9c138a feat: report max-depth violations on keywords (#20943) (Pixel998)
• bdb496c feat: correct max-depth handling for else-if chains (#20944) (Pixel998)
• c296873 feat: update error loc in max-statements to function header (#20907) (Taejin Kim)

Documentation

• 8ae1b5b docs: Update README (GitHub Actions Bot)
• ca7eb90 docs: update Node.js prerequisites to include ICU support (#20962) (Francesco Trotta)
• f99b47a docs: Update README (GitHub Actions Bot)
• acf03d4 docs: clarify precedence of parserOptions over languageOptions (#20926) (sethamus)

Chores

• b18bf58 chore: update ecosystem plugins (#20959) (ESLint Bot)
• c2d1444 refactor: replace areAllSegmentsUnreachable with !isAnySegmentReachable (#20951) (Taejin Kim)
• 243b8c5 chore: enhance config-rule to support oneOf, anyOf, and nested schemas (#20788) (kuldeep kumar)
• 217b2a9 test: add unit tests for ParserService (#20949) (Taejin Kim)
• 72003e7 test: add location information to error messages in max-statements (#20945) (lumir)
• 7797c26 refactor: deduplicate isAnySegmentReachable across rules (#20890) (Taejin Kim)
• 67c46fa chore: update ecosystem plugins (#20938) (ESLint Bot)
• 95d8c7a chore: update dependency @​eslint/json to v2 (#20934) (renovate[bot])
• cf9e496 chore: update @​arethetypeswrong/cli to 0.18.3 (#20933) (Pixel998)
• fb6d396 test: run type tests with TypeScript 7 (#20868) (sethamus)

v10.4.1

Bug Fixes

• e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#20930) (Francesco Trotta)
• d4ce898 fix: propagate failures from delegated commands (#20917) (Minh Vu)
• f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#20916) (kuldeep kumar)
• c5bc78b fix: false positive for reference in finally block (#20655) (Tanuj Kanti)
• 27538c0 fix: add missing CodePath and CodePathSegment types (#20853) (Pixel998)

Documentation

• 61b0add docs: remove deprecated rule from related rules of max-params (#20921) (Tanuj Kanti)
• 305d5b9 docs: remove deprecated rules from related rules section (#20911) (Tanuj Kanti)
• 49b0202 docs: fix display: none of ad (#20901) (Tanuj Kanti)
• 9067f94 docs: switch build to Node.js 24 (#20893) (Milos Djermanovic)
• c91b041 docs: Update README (GitHub Actions Bot)
• e349265 docs: clarify semver strings in rule deprecation objects (#20885) (Milos Djermanovic)

Chores

• b0e466b test: add data property to invalid tests cases for rules (#20924) (Tanuj Kanti)
• f78838b test: add CodePath type coverage (#20904) (Pixel998)
• 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#20922) (Francesco Trotta)
• 002942c ci: declare contents:read on update-readme workflow (#20919) (Arpit Jain)
• 64bca24 chore: update ecosystem plugins (#20912) (ESLint Bot)

... (truncated)

Commits

• de3b672 10.5.0
• 362a518 Build: changelog update for 10.5.0
• 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#20973)
• b565783 feat: report no-with violations at the with keyword (#20971)
• 2ce032f feat: report max-lines-per-function violations at function head (#20966)
• 732cb3e feat: report max-nested-callbacks violations at function head (#20967)
• f9c138a feat: report max-depth violations on keywords (#20943)
• 8ae1b5b docs: Update README
• ca7eb90 docs: update Node.js prerequisites to include ICU support (#20962)
• b18bf58 chore: update ecosystem plugins (#20959)
• Additional commits viewable in compare view

Updates typescript from 5.9.3 to 6.0.3

Release notes

Sourced from typescript's releases.

TypeScript 6.0.3

For release notes, check out the release announcement blog post.

• fixed issues query for TypeScript 6.0.0 (Beta).
• fixed issues query for TypeScript 6.0.1 (RC).
• fixed issues query for TypeScript 6.0.2 (Stable).
• fixed issues query for TypeScript 6.0.3 (Stable).

Downloads are available on:

• npm

TypeScript 6.0

For release notes, check out the release announcement blog post.

• fixed issues query for TypeScript 6.0.0 (Beta).
• fixed issues query for TypeScript 6.0.1 (RC).
• fixed issues query for TypeScript 6.0.2 (Stable).

Downloads are available on:

• npm

TypeScript 6.0 Beta

For release notes, check out the release announcement.

• fixed issues query for Typescript 6.0.0 (Beta).

Downloads are available on:

• npm

Commits

• 050880c Bump version to 6.0.3 and LKG
• eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
• ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
• 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
• 607a22a Bump version to 6.0.2 and LKG
• 9e72ab7 🤖 Pick PR #63239 (Fix missing lib files in reused pro...) into release-6.0 (#...
• 35ff23d 🤖 Pick PR #63163 (Port anyFunctionType subtype fix an...) into release-6.0 (#...
• e175b69 Bump version to 6.0.1-rc and LKG
• af4caac Update LKG
• 8efd7e8 Merge remote-tracking branch 'origin/main' into release-6.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

vu1nz Security Review

0 finding(s) in PR #?

No security issues found.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	webtorrent@​3.0.16
	puppeteer@​25.1.0
	typescript@​6.0.3
	@​vitejs/​plugin-react@​6.0.2
	eslint@​10.5.0
	undici@​8.5.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		License policy violation: npm rollup under unrecognized license License: unrecognized license - This license was not allowed or given any lesser classification by the applicable policy (package/LICENSE.md) From: pnpm-lock.yaml → npm/@vitejs/plugin-react@6.0.2 → npm/vitest@4.1.8 → npm/rollup@4.62.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rollup@4.62.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm typescript License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) From: package.json → npm/typescript@6.0.3 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@6.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Low adoption: npm @humanfs/types Location: Package overview From: pnpm-lock.yaml → npm/eslint@10.5.0 → npm/@humanfs/types@0.15.0 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@humanfs/types@0.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report