chore(deps): bump the all-dependencies group across 1 directory with 5 updates

[dependabot]

Bumps the all-dependencies group with 5 updates in the / directory:

Package	From	To
commander	12.1.0	14.0.2
conf	12.0.0	15.0.2
zod	3.25.76	4.3.5
@biomejs/biome	1.9.4	2.3.11
oxlint	0.16.12	1.38.0

Updates commander from 12.1.0 to 14.0.2

Release notes

Sourced from commander's releases.

v14.0.2

Changed

• improve negative number auto-detection test (#2428)
• update (dev) dependencies

v14.0.1

Fixed

• broken markdown link in README (#2369)

Changed

• improve code readability by using optional chaining (#2394)
• use more idiomatic code with object spread instead of Object.assign() (#2395)
• improve code readability using string.endsWith() instead of string.slice() (#2396)
• refactor .parseOptions() to process args array in-place (#2409)
• change private variadic support routines from ._concatValue() to ._collectValue() (change code from array.concat() to array.push()) (#2410)
• update (dev) dependencies

v14.0.0

Added

• support for groups of options and commands in the help using low-level .helpGroup() on Option and Command, and higher -level .optionsGroup() and .commandsGroup() which can be used in chaining way to specify group title for following option s/commands (#2328)
• support for unescaped negative numbers as option-arguments and command-arguments (#2339)
• TypeScript: add parseArg property to Argument class (#2359)

Fixed

• remove bogus leading space in help when option has default value but not a description (#2348)
• .configureOutput() now makes copy of settings instead of modifying in-place, fixing side-effects (#2350)

Changed

• Breaking: Commander 14 requires Node.js v20 or higher
• internal refactor of Help class adding .formatItemList() and .groupItems() methods (#2328)

v13.1.0

Added

• support a pair of long option flags to allow a memorable shortened flag, like .option('--ws, --workspace') (#2312)

v13.0.0

Added

• support multiple calls to .parse() with default settings (#2299)
• add .saveStateBeforeParse() and .restoreStateBeforeParse() for use by subclasses (#2299)
• style routines like styleTitle() to add color to help using .configureHelp() or Help subclass (#2251)

... (truncated)

Changelog

Sourced from commander's changelog.

[14.0.2] (2025-10-25)

Changed

• improve negative number auto-detection test (#2428)
• update (dev) dependencies

[14.0.1] (2025-09-12)

Fixed

• broken markdown link in README (#2369)

Changed

• improve code readability by using optional chaining (#2394)
• use more idiomatic code with object spread instead of Object.assign() (#2395)
• improve code readability using string.endsWith() instead of string.slice() (#2396)
• refactor .parseOptions() to process args array in-place (#2409)
• change private variadic support routines from ._concatValue() to ._collectValue() (change code from array.concat() to array.push()) (#2410)
• update (dev) dependencies

[14.0.0] (2025-05-18)

Added

• support for groups of options and commands in the help using low-level .helpGroup() on Option and Command, and higher-level .optionsGroup() and .commandsGroup() which can be used in chaining way to specify group title for following options/commands (#2328)
• support for unescaped negative numbers as option-arguments and command-arguments (#2339)
• TypeScript: add parseArg property to Argument class (#2359)

Fixed

• remove bogus leading space in help when option has default value but not a description (#2348)
• .configureOutput() now makes copy of settings instead of modifying in-place, fixing side-effects (#2350)

Changed

• Breaking: Commander 14 requires Node.js v20 or higher
• internal refactor of Help class adding .formatItemList() and .groupItems() methods (#2328)

[13.1.0] (2025-01-21)

Added

• support a pair of long option flags to allow a memorable shortened flag, like .option('--ws, --workspace') (#2312)

[13.0.0] (2024-12-30)

Added

... (truncated)

Commits

• 0692be5 Prepare for 14.0.2 (#2437)
• 88a348e Bump actions/setup-node from 5 to 6 (#2438)
• 3fe83d6 Bump github/codeql-action from 3 to 4 (#2435)
• 0b7988e Bump globals from 16.3.0 to 16.4.0 (#2429)
• 8005253 Bump typescript-eslint from 8.42.0 to 8.45.0 (#2430)
• 213e679 Bump ts-jest from 29.4.1 to 29.4.4 (#2431)
• 7ede91b Bump jest from 30.1.3 to 30.2.0 (#2432)
• 8c91f34 Bump typescript from 5.9.2 to 5.9.3 (#2433)
• ff1d2ce Improve negative test (#2428)
• 1a6dba5 Clarify deprecated routine (#2427)
• Additional commits viewable in compare view

Updates conf from 12.0.0 to 15.0.2

Release notes

Sourced from conf's releases.

v15.0.2

• Fix build 6287608

---

sindresorhus/conf@v15.0.1...v15.0.2

v15.0.1

• Fix handling of legacy decryption (#204) ce28bd6

---

sindresorhus/conf@v15.0.0...v15.0.1

v15.0.0

There are no known breaking changes, but it's a major release since it contains a large refactor, and that introduces risk.

• Add .appendToArray() method a1dbf86
• Fix constructor validation preventing migrations from fixing invalid schema data a1b43e6
• Fix clear() method to emit single change event 9b83a9d
• Fix store setter to preserve internal migration data ceefe13

---

sindresorhus/conf@v14.0.0...v15.0.0

v14.0.0

Breaking

• Require Node.js 20 b8cc931

Improvements

• Add TypeScript type definitions for dot notation property access (#200) 83cb242

---

sindresorhus/conf@v13.1.0...v14.0.0

v13.1.0

• Add rootSchema and ajvOptions options (#196) 2819caa
• Add TypeScript overload for .delete() to fix dot-notation typing (#197) 8fdcdd7

sindresorhus/conf@v13.0.1...v13.1.0

v13.0.1

• Fix validation being incorrectly run before schema change (#194) 529e762

sindresorhus/conf@v13.0.0...v13.0.1

... (truncated)

Commits

• 2d7fb50 15.0.2
• 6287608 Fix build
• 4e97628 15.0.1
• ce28bd6 Fix handling of legacy decryption (#204)
• dd46c07 15.0.0
• 9daa616 Tweaks
• 6f61627 Add FAQ about async migrations
• a1b43e6 Fix constructor validation preventing migrations from fixing invalid schema data
• 653a2b0 Add example of loading package.json
• fa88c95 Add a code comment
• Additional commits viewable in compare view

Updates zod from 3.25.76 to 4.3.5

Release notes

Sourced from zod's releases.

v4.3.5

Commits:

• 21afffdb42ccab554036312e33fed0ea3cb8f982 [Docs] Update migration guide docs for deprecation of message (#5595)
• e36743e513aadb307b29949a80d6eb0dcc8fc278 Improve mini treeshaking
• 0cdc0b8597999fd9ca99767b912c1e82c1ff2d6c 4.3.5

v4.3.4

Commits:

• 1a8bea3b474eada6f219c163d0d3ad09fadabe72 Add integration tests
• e01cd02b2f23d7e9078d3813830b146f8a2258b4 Support patternProperties for looserecord (#5592)
• 089e5fbb0f58ce96d2c4fb34cd91724c78df4af5 Improve looseRecord docs
• decef9c418d9a598c3f1bada06891ba5d922c5cd Fix lint
• 9443aab00d44d5d5f4a7eada65fc0fc851781042 Drop iso time in fromJSONSchema
• 66bda7491a1b9eab83bdeec0c12f4efc7290bd48 Remove .refine() from ZodMiniType
• b4ab94ca608cd5b581bfc12b20dd8d95b35b3009 4.3.4

v4.3.3

Commits:

• f3b2151959d215d405f54dff3c7ab3bf1fd887ca v4.3.3

v4.3.2

Commits:

• bf96635d243118de6e4f260077aa137453790bf6 Loosen strictObjectinside intersection (#5587)
• f71dc0182ab0f0f9a6be6295b07faca269e10179 Remove Juno (#5590)
• 0f41e5a12a43e6913c9dcb501b2b5136ea86500d 4.3.2

v4.3.1

Commits:

• 0fe88407a4149c907929b757dc6618d8afe998fc allow non-overwriting extends with refinements. 4.3.1

v4.3.0

This is Zod's biggest release since 4.0. It addresses several of Zod's longest-standing feature requests.

z.fromJSONSchema()

Convert JSON Schema to Zod (#5534, #5586)

You can now convert JSON Schema definitions directly into Zod schemas. This function supports JSON Schema "draft-2020-12", "draft-7", "draft-4", and OpenAPI 3.0.

import * as z from "zod";
const schema = z.fromJSONSchema({
type: "object",
properties: {
</tr></table>

... (truncated)

Commits

• 0cdc0b8 4.3.5
• e36743e Improve mini treeshaking
• 21afffd [Docs] Update migration guide docs for deprecation of message (#5595)
• b4ab94c 4.3.4
• 66bda74 Remove .refine() from ZodMiniType
• 9443aab Drop iso time in fromJSONSchema
• decef9c Fix lint
• 089e5fb Improve looseRecord docs
• e01cd02 Support patternProperties for looserecord (#5592)
• 1a8bea3 Add integration tests
• Additional commits viewable in compare view

Updates @biomejs/biome from 1.9.4 to 2.3.11

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.3.11

2.3.11

Patch Changes

• #8583 83be210 Thanks @​dyc3! - Added the new nursery rule useVueValidTemplateRoot.

  This rule validates only root-level \<template> elements in Vue single-file components. If the \<template> has a src attribute, it must be empty. Otherwise, it must contain content.

  Invalid examples:

  \<template src="./foo.html">content</template>

  \<template></template>

  Valid examples:

  \<template>content</template>

  \<template src="./foo.html"></template>

• #8586 df8fe06 Thanks @​dyc3! - Added a new nursery rule useVueConsistentVBindStyle. Enforces consistent v-bind style (:prop shorthand vs v-bind:prop longhand). Default prefers shorthand; configurable via rule options.

• #8587 9a8c98d Thanks @​dyc3! - Added the rule useVueVForKey, which enforces that any element using v-for also specifies a key.

  Invalid

  <li v-for="item in items">{{ item }}</li>

  Valid

  <li v-for="item in items" :key="item.id">{{ item }}</li>

• #8586 df8fe06 Thanks @​dyc3! - Added a new nursery rule useVueConsistentVOnStyle. Enforces consistent v-on style (@event shorthand vs v-on:event longhand). Default prefers shorthand; configurable via rule options.

• #8583 83be210 Thanks @​dyc3! - Added the new nursery rule useVueValidVOnce. Enforces that usages of the v-once directive in Vue.js SFC are valid.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.3.11

Patch Changes

• #8583 83be210 Thanks @​dyc3! - Added the new nursery rule useVueValidTemplateRoot.

  This rule validates only root-level \<template> elements in Vue single-file components. If the \<template> has a src attribute, it must be empty. Otherwise, it must contain content.

  Invalid examples:

  \<template src="./foo.html">content</template>

  \<template></template>

  Valid examples:

  \<template>content</template>

  \<template src="./foo.html"></template>

• #8586 df8fe06 Thanks @​dyc3! - Added a new nursery rule useVueConsistentVBindStyle. Enforces consistent v-bind style (:prop shorthand vs v-bind:prop longhand). Default prefers shorthand; configurable via rule options.

• #8587 9a8c98d Thanks @​dyc3! - Added the rule useVueVForKey, which enforces that any element using v-for also specifies a key.

  Invalid

  <li v-for="item in items">{{ item }}</li>

  Valid

  <li v-for="item in items" :key="item.id">{{ item }}</li>

• #8586 df8fe06 Thanks @​dyc3! - Added a new nursery rule useVueConsistentVOnStyle. Enforces consistent v-on style (@event shorthand vs v-on:event longhand). Default prefers shorthand; configurable via rule options.

• #8583 83be210 Thanks @​dyc3! - Added the new nursery rule useVueValidVOnce. Enforces that usages of the v-once directive in Vue.js SFC are valid.

  <!-- Valid -->

... (truncated)

Commits

• 1550e73 ci: release (#8507)
• a3a27a7 feat(analyze/html/vue): add useVueVapor rule (#8644)
• 9a8c98d feat(analyze/html/vue): add useVueVForKey (#8587)
• ab9af9a feat: no-jsx-props-bind (#7410)
• df8fe06 feat(analyze/html/vue): add v-bind/v-on style rules (#8586)
• 83be210 feat(analyze/html/vue): add a few more simple vue lint rules (#8583)
• a3a1ad2 feat(biome_js_analyze): port noBeforeInteractiveScriptOutsideDocument from ...
• 9dd9ca7 feat(graphql_analyze): implement useUniqueArgumentNames (#8591)
• 5e85d43 feat(graphql_analyze): implement useUniqueFieldDefinitionNames (#8598)
• a5f59cd feat(graphql_analyze): implement useUniqueInputFieldNames (#8592)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​biomejs/biome since your current version.

Updates oxlint from 0.16.12 to 1.38.0

Release notes

Sourced from oxlint's releases.

oxlint v1.26.0

[1.26.0] - 2025-11-05

🚀 Features

• 6f4a50c linter: Implement react/state-in-constructor rule (#15329) (Mikhail Baev)
• 230e34c linter/plugins: Allow js plugins to access settings (#14724) (Arsh)
• 8d69661 allocator: Add Address::from_ref method (#15318) (overlookmotel)
• 798216b language_server: Respect disable directives for type-aware rules (#15170) (Sysix)
• 7a00691 linter/no-deprecated: Add rule (#15272) (camc314)
• ab065a9 tsgolint: Improve diagnostic messages with file reference (#15274) (camc314)
• 26f24d5 linter: Permit comments in .oxlintrc.json via json schema file (#15249) (Martin Leduc)
• 979ec04 linter: Pretty print tsgolint internal diagnostics (#15131) (camc314)
• 682dca2 parser: Add more helps to parser errors (#15186) (sapphi-red)

🐛 Bug Fixes

• 40231a6 linter/plugins, napi/parser: Add parent field to FormalParameterRest and TSParameterProperty in TS type defs (#15337) (overlookmotel)
• 861508a linter/plugins: Make parent fields in TS type defs non-optional (#15336) (overlookmotel)
• e0edaef language-server: Disable tsgolint test on big endian (#15331) (camc314)
• 1d09cc9 linter/no-unused-private-class-members: Fix false positive in conditional expressino (#15319) (camc314)
• 7f079ab ast/estree: Fix raw transfer deserializer for AssignmentTargetPropertyIdentifier (#15304) (overlookmotel)
• 56c6627 linter/plugins: Resolve JS plugins only with conditions Node.js supports (#15248) (sapphi-red)
• d6996d0 linter: Fix JSON schema to deny additional properties for categories enum. (#15257) (Connor Shea)
• 9304f9f linter: Fix JSON schema to deny additional properties for plugins enum. (#15259) (Connor Shea)
• 6a884d3 linter: Return error diagnostics if tsgolint fails (#15229) (camc314)
• 86cfae1 language-server: Log error if tsgolint fails to run (#15228) (camc314)
• f376e61 linter: Bundle @typescript-eslint/scope-manager (#15210) (Arsh)
• 377e904 linter: Ignore script tag in code comment (#15202) (Liang Mi)
• b26900c linter: Improve diagnostic for react/button-has-type. (#15200) (Connor Shea)
• 80a187c linter: Add offset for parsing error in partial loading files (#15075) (Liang Mi)
• af257da linter/no-unused-vars: False positive with member expressions in sequence expressions (#15190) (magic-akari)
• 1f365c8 vscode/test: Make formatting test less flaky (#15120) (camc314)

🚜 Refactor

• 636e7ed linter/plugins: Shorten ScopeManager code (#15335) (overlookmotel)
• a7cf856 ast/estree: Shorten raw transfer deserializer for AssignmentTargetPropertyIdentifier (#15303) (overlookmotel)
• 90146ab linter/react: Simplify is_react_hook (#15310) (overlookmotel)
• 778b0b6 language_server: Remove ServerLinterDiagnostics (#15169) (Sysix)
• 10732e8 language_server: Backend checks the correct LintOptions::Run (#15166) (Sysix)
• e70a37f language_server: Use LintRunner (#14472) (Sysix)
• 5501ed2 language_server: Send in memory source text to tsgolint (#14733) (Sysix)
• f452007 linter/no-unwanted-polyfillio: Add security warning for compromised domains (#15207) (shulaoda)
• 27b4f36 diagnostic: Remove path from sender (#15130) (camc314)

📚 Documentation

• a7d9f1d linter/plugins: Reformat and clarify ScopeManager JSDoc comments (#15333) (overlookmotel)
• 69e61d4 linter/plugins: Update comment (#15293) (overlookmotel)

... (truncated)

Changelog

Sourced from oxlint's changelog.

Changelog

All notable changes to this package will be documented in this file.

The format is based on Keep a Changelog.

[1.37.0] - 2026-01-05

💥 BREAKING CHANGES

• f7da875 oxlint: [BREAKING] Remove oxc_language_server binary (#17457) (Boshen)

📚 Documentation

• 7e5fc90 linter: Update list of plugins that are reserved. (#17516) (connorshea)

[1.35.0] - 2025-12-22

🚀 Features

• 9e624c9 linter/react: Add version to ReactPluginSettings (#17169) (camc314)

[1.34.0] - 2025-12-19

🚀 Features

• a0f74a0 linter/config: Allow aliasing plugin names to allow names the same as builtin plugins (#15569) (Cameron)

🐛 Bug Fixes

• 005ec25 linter: Permit $schema .oxlintrc.json struct (#17060) (Copilot)
• d446c43 linter: Prevent extra fields from being present on oxlint config file (#16874) (connorshea)

[1.30.0] - 2025-11-24

🚀 Features

• 595867a oxlint: Generate markdownDescription fields for oxlint JSON schema. (#15959) (connorshea)

[1.29.0] - 2025-11-17

🚀 Features

• 84de1ca oxlint,oxfmt: Allow comments and also commas for vscode-json-ls (#15612) (leaysgur)

[1.26.0] - 2025-11-05

🚀 Features

• 26f24d5 linter: Permit comments in .oxlintrc.json via json schema file (#15249) (Martin Leduc)

... (truncated)

Commits

• f3767ea release(apps): oxlint v1.38.0 && oxfmt v0.23.0 (#17709)
• 186a347 release(apps): oxlint v1.37.0 && oxfmt v0.22.0 (#17662)
• 7e5fc90 docs(linter): Update list of plugins that are reserved. (#17516)
• f7da875 feat(oxlint)!: remove oxc_language_server binary (#17457)
• 8e83df2 release(apps): oxlint v1.36.0 && oxfmt v0.21.0 (#17448)
• 1307b7b release(apps): oxlint v1.35.0 && oxfmt v0.20.0 (#17260)
• 98c9337 refactor(linter): Improvements for react version setting. (#17195)
• 9e624c9 feat(linter/react): add version to ReactPluginSettings (#17169)
• a96d0d5 chore(oxlint): bump min tsgolint pkg version to 0.10.0 (#17146)
• 86298e8 chore(deps): update dependency oxfmt to ^0.19.0 (#16602)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for oxlint since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml