chore(deps-dev): bump the dev-dependencies group with 4 updates

[dependabot]

Bumps the dev-dependencies group with 4 updates: eslint, openclaw, typescript-eslint and vitest.

Updates eslint from 10.0.2 to 10.0.3

Release notes

Sourced from eslint's releases.

v10.0.3

Bug Fixes

• e511b58 fix: update eslint (#20595) (renovate[bot])
• f4c9cf9 fix: include variable name in no-useless-assignment message (#20581) (sethamus)
• ee9ff31 fix: update dependency minimatch to ^10.2.4 (#20562) (Milos Djermanovic)

Documentation

• 9fc31b0 docs: Update README (GitHub Actions Bot)
• 4efaa36 docs: add info box for eslint-plugin-eslint-comments (#20570) (DesselBane)
• 23b2759 docs: add v10 migration guide link to Use docs index (#20577) (Pixel998)
• 80259a9 docs: Remove deprecated eslintrc documentation files (#20472) (Copilot)
• 9b9b4ba docs: fix typo in no-await-in-loop documentation (#20575) (Pixel998)
• e7d72a7 docs: document TypeScript 5.3 minimum supported version (#20547) (sethamus)

Chores

• ef8fb92 chore: package.json update for eslint-config-eslint release (Jenkins)
• e8f2104 chore: updates for v9.39.4 release (Jenkins)
• 5cd1604 refactor: simplify isCombiningCharacter helper (#20524) (Huáng Jùnliàng)
• 70ff1d0 chore: eslint-config-eslint require Node ^20.19.0 || ^22.13.0 || >=24 (#20586) (Milos Djermanovic)
• e32df71 chore: update eslint-plugin-eslint-comments, remove legacy-peer-deps (#20576) (Milos Djermanovic)
• 53ca6ee chore: disable eslint-comments/no-unused-disable rule (#20578) (Milos Djermanovic)
• e121895 ci: pin Node.js 25.6.1 (#20559) (Milos Djermanovic)
• efc5aef chore: update tsconfig.json in eslint-config-eslint (#20551) (Francesco Trotta)

Commits

• bfce7ea 10.0.3
• d44ced8 Build: changelog update for 10.0.3
• e511b58 fix: update eslint (#20595)
• ef8fb92 chore: package.json update for eslint-config-eslint release
• e8f2104 chore: updates for v9.39.4 release
• 5cd1604 refactor: simplify isCombiningCharacter helper (#20524)
• 9fc31b0 docs: Update README
• 70ff1d0 chore: eslint-config-eslint require Node ^20.19.0 || ^22.13.0 || >=24 (#20586)
• f4c9cf9 fix: include variable name in no-useless-assignment message (#20581)
• 4efaa36 docs: add info box for eslint-plugin-eslint-comments (#20570)
• Additional commits viewable in compare view

Updates openclaw from 2026.3.2 to 2026.3.13

Release notes

Sourced from openclaw's releases.

openclaw 2026.3.13

This recovery release uses v2026.3.13-1 because GitHub immutable releases do not allow reusing v2026.3.13 after publication.

Important:

• This release exists to recover the broken v2026.3.13 tag/release path.
• The corresponding npm version is still 2026.3.13, not 2026.3.13-1.
• The -1 suffix is for the Git tag and GitHub Release only.

What's Changed

• fix(compaction): use full-session token count for post-compaction sanity check by @​efe-arv in openclaw/openclaw#28347
• fix(telegram): thread media transport policy into SSRF by @​obviyus in openclaw/openclaw#44639
• fix: handle Discord gateway metadata fetch failures by @​jalehman in openclaw/openclaw#44397
• docs: move post-release changelog entries to Unreleased by @​jalehman in openclaw/openclaw#44691
• fix(session): preserve lastAccountId and lastThreadId on session reset by @​Lanfei in openclaw/openclaw#44773
• Updated default model from openai-codex/gpt-5.3-codex to openai-codex/gpt-5.4 in tests. by @​jrrcdev in openclaw/openclaw#44367
• fix: address delivery dedupe review follow-ups by @​frankekn in openclaw/openclaw#44666
• CLI: align xhigh thinking help text by @​frankekn in openclaw/openclaw#44819
• docs: fix changelog credit for xhigh help by @​frankekn in openclaw/openclaw#44874
• fix(agents): drop Anthropic thinking blocks on replay by @​frankekn in openclaw/openclaw#44843
• docs: fix session key :dm: → :direct: by @​Lanfei in openclaw/openclaw#26506
• feat(android): redesign chat settings UI by @​obviyus in openclaw/openclaw#44894
• fix(agents): avoid injecting memory file twice on case-insensitive mounts by @​Lanfei in openclaw/openclaw#26054
• Docker: add OPENCLAW_TZ timezone support by @​Lanfei in openclaw/openclaw#34119
• Android: fix HttpURLConnection leak in TalkModeVoiceResolver by @​Kaneki-x in openclaw/openclaw#43780
• fix(agents): respect explicit user compat overrides for non-native openai-completions by @​cheapestinference in openclaw/openclaw#44432
• test(config): cover requiresOpenAiAnthropicToolPayload in compat schema fixture by @​xingsy97 in openclaw/openclaw#43438
• fix(agents): rephrase session reset prompt to avoid Azure content filter by @​xingsy97 in openclaw/openclaw#43403
• fix(config): add missing params field to agents.list[] validation schema by @​atian8179 in openclaw/openclaw#41171
• fix(android): use Google Code Scanner for onboarding QR by @​obviyus in openclaw/openclaw#45021
• fix: restore web fetch firecrawl config in runtime zod schema by @​stim64045-spec in openclaw/openclaw#42583
• fix(signal): add groups config to Signal channel schema by @​unisone in openclaw/openclaw#27199
• feat(ios): add onboarding welcome pager by @​ngutman in openclaw/openclaw#45054
• small addition to .gitignore by @​Sovtoshi-SC in openclaw/openclaw#42879
• fix(discovery): add missing domain to wideArea Zod config schema by @​ingyukoh in openclaw/openclaw#35615
• fix(ui): keep shared auth on insecure control-ui connects by @​velvet-shark in openclaw/openclaw#45088
• fix: preserve persona and language continuity in compaction summaries by @​keepitmello in openclaw/openclaw#10456
• ui: mobile navigation drawer & theme variant refinements by @​BunsDev in openclaw/openclaw#45107
• fix: resolve target agent workspace for cross-agent subagent spawns by @​moshehbenavraham in openclaw/openclaw#40176
• fix(ollama): hide native reasoning-only output by @​frankekn in openclaw/openclaw#45330
• test: annotate chat abort helper exports by @​frankekn in openclaw/openclaw#45346
• Fix incorrect rendering of brave costs in docs by @​keelanfh in openclaw/openclaw#44989
• security(docker): prevent gateway token leak in Docker build context by @​xingsy97 in openclaw/openclaw#44956
• refactor: remove redundant ?? undefined in Slack probe by @​Cafexss in openclaw/openclaw#44775
• fix(ui): restore chat-new-messages class on scroll pill button by @​Astro-Han in openclaw/openclaw#44856
• fix(windows): suppress visible console windows during restart and process cleanup by @​MoerAI in openclaw/openclaw#44842
• Slack: add opt-in interactive reply directives by @​vincentkoc in openclaw/openclaw#44607
• Docs: describe Slack interactive replies by @​vincentkoc in openclaw/openclaw#45463
• fix(cron): prevent isolated cron nested lane deadlocks by @​vincentkoc in openclaw/openclaw#45459
• Fix updater refresh cwd for service reinstall by @​vincentkoc in openclaw/openclaw#45452

... (truncated)

Changelog

Sourced from openclaw's changelog.

2026.3.13

Changes

• Android/chat settings: redesign the chat settings sheet with grouped device and media sections, refresh the Connect and Voice tabs, and tighten the chat composer/session header for a denser mobile layout. (#44894) Thanks @​obviyus.
• iOS/onboarding: add a first-run welcome pager before gateway setup, stop auto-opening the QR scanner, and show /pair qr instructions on the connect step. (#45054) Thanks @​ngutman.
• Browser/existing-session: add an official Chrome DevTools MCP attach mode for signed-in live Chrome sessions, with docs for chrome://inspect/#remote-debugging enablement and direct backlinks to Chrome’s own setup guides.
• Browser/agents: add built-in profile="user" for the logged-in host browser and profile="chrome-relay" for the extension relay, so agent browser calls can prefer the real signed-in browser without the extra browserSession selector.
• Browser/act automation: add batched actions, selector targeting, and delayed clicks for browser act requests with normalized batch dispatch. Thanks @​vincentkoc.
• Docker/timezone override: add OPENCLAW_TZ so docker-setup.sh can pin gateway and CLI containers to a chosen IANA timezone instead of inheriting the daemon default. (#34119) Thanks @​Lanfei.
• Dependencies/pi: bump @mariozechner/pi-agent-core, @mariozechner/pi-ai, @mariozechner/pi-coding-agent, and @mariozechner/pi-tui to 0.58.0.
• Cron/sessions: add sessionTarget: "current" and session:<id> support so cron jobs can bind to the creating session or a persistent named session instead of only main or isolated. Thanks @​kkhomej33-netizen and @​ImLukeF.
• Telegram/message send: add --force-document so Telegram image and GIF sends can upload as documents without compression. (#45111) Thanks @​thepagent.

Breaking

• BREAKING: Agents now load at most one root memory bootstrap file. MEMORY.md wins; memory.md is only used when MEMORY.md is absent. If you intentionally kept both files and depended on both being injected, merge them before upgrade. This also fixes duplicate memory injection on case-insensitive Docker mounts. (#26054) Thanks @​Lanfei.

Fixes

• Dashboard/chat UI: stop reloading full chat history on every live tool result in dashboard v2 so tool-heavy runs no longer trigger UI freeze/re-render storms while the final event still refreshes persisted history. (#45541) Thanks @​BunsDev.
• Gateway/client requests: reject unanswered gateway RPC calls after a bounded timeout and clear their pending state, so stalled connections no longer leak hanging GatewayClient.request() promises indefinitely.
• Build/plugin-sdk bundling: bundle plugin-sdk subpath entries in one shared build pass so published packages stop duplicating shared chunks and avoid the recent plugin-sdk memory blow-up. (#45426) Thanks @​TarasShyn.
• Ollama/reasoning visibility: stop promoting native thinking and reasoning fields into final assistant text so local reasoning models no longer leak internal thoughts in normal replies. (#45330) Thanks @​xi7ang.
• Android/onboarding QR scan: switch setup QR scanning to Google Code Scanner so onboarding uses a more reliable scanner instead of the legacy embedded ZXing flow. (#45021) Thanks @​obviyus.
• Browser/existing-session: harden driver validation and session lifecycle so transport errors trigger reconnects while tool-level errors preserve the session, and extract shared ARIA role sets to deduplicate Playwright and Chrome MCP snapshot paths. (#45682) Thanks @​odysseus0.
• Browser/existing-session: accept text-only list_pages and new_page responses from Chrome DevTools MCP so live-session tab discovery and new-tab open flows keep working when the server omits structured page metadata.
• Control UI/insecure auth: preserve explicit shared token and password auth on plain-HTTP Control UI connects so LAN and reverse-proxy sessions no longer drop shared auth before the first WebSocket handshake. (#45088) Thanks @​velvet-shark.
• Gateway/session reset: preserve lastAccountId and lastThreadId across gateway session resets so replies keep routing back to the same account and thread after /reset. (#44773) Thanks @​Lanfei.
• macOS/onboarding: avoid self-restarting freshly bootstrapped launchd gateways and give new daemon installs longer to become healthy, so openclaw onboard --install-daemon no longer false-fails on slower Macs and fresh VM snapshots.
• Gateway/status: add openclaw gateway status --require-rpc and clearer Linux non-interactive daemon-install failure reporting so automation can fail hard on probe misses instead of treating a printed RPC error as green.
• macOS/exec approvals: respect per-agent exec approval settings in the gateway prompter, including allowlist fallback when the native prompt cannot be shown, so gateway-triggered system.run requests follow configured policy instead of always prompting or denying unexpectedly. (#13707) Thanks @​sliekens.
• Telegram/media downloads: thread the same direct or proxy transport policy into SSRF-guarded file fetches so inbound attachments keep working when Telegram falls back between env-proxy and direct networking. (#44639) Thanks @​obviyus.
• Telegram/inbound media IPv4 fallback: retry SSRF-guarded Telegram file downloads once with the same IPv4 fallback policy as Bot API calls so fresh installs on IPv6-broken hosts no longer fail to download inbound images.
• Commands/onboarding: split static auth-choice help from the plugin-backed onboarding catalog so openclaw onboard registration no longer pulls provider-wizard imports just to describe --auth-choice. (#47545) Thanks @​vincentkoc.
• Windows/gateway install: bound schtasks calls and fall back to the Startup-folder login item when task creation hangs, so native openclaw gateway install fails fast instead of wedging forever on broken Scheduled Task setups.
• Windows/gateway stop: resolve Startup-folder fallback listeners from the installed gateway.cmd port, so openclaw gateway stop now actually kills fallback-launched gateway processes before restart.
• Windows/gateway status: reuse the installed service command environment when reading runtime status, so startup-fallback gateways keep reporting the configured port and running state in gateway status --json instead of falling back to gateway port unknown.
• Windows/gateway auth: stop attaching device identity on local loopback shared-token and password gateway calls, so native Windows agent replies no longer log stale device signature expired fallback noise before succeeding.
• Discord/gateway startup: treat plain-text and transient /gateway/bot metadata fetch failures as transient startup errors so Discord gateway boot no longer crashes on unhandled rejections. (#44397) Thanks @​jalehman.
• Slack/probe: keep auth.test() bot and team metadata mapping stable while simplifying the probe result path. (#44775) Thanks @​Cafexss.
• Dashboard/chat UI: render oversized plain-text replies as normal paragraphs instead of capped gray code blocks, so long desktop chat responses stay readable without tab-switching refreshes.
• Dashboard/chat UI: restore the chat-new-messages class on the New messages scroll pill so the button uses its existing compact styling instead of rendering as a full-screen SVG overlay. (#44856) Thanks @​Astro-Han.
• Gateway/Control UI: restore the operator-only device-auth bypass and classify browser connect failures so origin and device-identity problems no longer show up as auth errors in the Control UI and web chat. (#45512) thanks @​sallyom.
• macOS/voice wake: stop crashing wake-word command extraction when speech segment ranges come from a different transcript instance.
• Discord/allowlists: honor raw guild_id when hydrated guild objects are missing so allowlisted channels and threads like #maintainers no longer get false-dropped before channel allowlist checks.
• macOS/runtime locator: require Node >=22.16.0 during macOS runtime discovery so the app no longer accepts Node versions that the main runtime guard rejects later. Thanks @​sumleo.
• Agents/custom providers: preserve blank API keys for loopback OpenAI-compatible custom providers by clearing the synthetic Authorization header at runtime, while keeping explicit apiKey and oauth/token config from silently downgrading into fake bearer auth. (#45631) Thanks @​xinhuagu.
• Models/google-vertex Gemini flash-lite normalization: apply existing bare-ID preview normalization to google-vertex model refs and provider configs so google-vertex/gemini-3.1-flash-lite resolves as gemini-3.1-flash-lite-preview. (#42435) thanks @​scoootscooob.
• iMessage/remote attachments: reject unsafe remote attachment paths before spawning SCP, so sender-controlled filenames can no longer inject shell metacharacters into remote media staging. Thanks @​lintsinghua.

... (truncated)

Commits

• See full diff in compare view

Updates typescript-eslint from 8.56.1 to 8.57.0

Release notes

Sourced from typescript-eslint's releases.

v8.57.0

8.57.0 (2026-03-09)

🚀 Features

• eslint-plugin: [no-unnecessary-condition] allow literal loop conditions in for/do loops (#12080)

🩹 Fixes

• eslint-plugin: [strict-void-return] false positives with overloads (#12055)
• eslint-plugin: handle statically analyzable computed keys in prefer-readonly (#12079)
• eslint-plugin: guard against negative paramIndex in no-useless-default-assignment (#12077)
• eslint-plugin: [prefer-promise-reject-errors] add allow TypeOrValueSpecifier to prefer-promise-reject-errors (#12094)
• eslint-plugin: [no-base-to-string] fix false positive for toString with overloads (#12089)
• typescript-estree: switch back to use ts.getModifiers() (#12034)
• typescript-estree: if the template literal is tagged and the text has an invalid escape, cooked will be null (#11355)

❤️ Thank You

• Brad Zacher @​bradzacher
• Brian Schlenker @​bschlenk
• Evyatar Daud @​StyleShit
• fisker Cheung @​fisker
• James Henry @​JamesHenry
• Josh Goldberg
• Kirk Waiblinger @​kirkwaiblinger
• Moses Odutusin @​thebolarin
• Newton Yuan @​NewtonYuan
• SungHyun627 @​SungHyun627
• Younsang Na @​nayounsang

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.57.0 (2026-03-09)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• 2c6aeee chore(release): publish 8.57.0
• f696dad chore: use pnpm catalog (#12047)
• a09921e chore: update vitest to 4.x (#12071)
• See full diff in compare view

Updates vitest from 4.0.18 to 4.1.0

Release notes

Sourced from vitest's releases.

v4.1.0

Vitest 4.1 is out!

This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.

   🚀 Features

• Return a disposable from doMock()  -  by @​kirkwaiblinger in vitest-dev/vitest#9332 (e3e65)
• Added chai style assertions  -  by @​ronnakamoto and @​sheremet-va in vitest-dev/vitest#8842 (841df)
• Update to sinon/fake-timers v15 and add setTickMode to timer controls  -  by @​atscott and @​sheremet-va in vitest-dev/vitest#8726 (4b480)
• Expose matcher types  -  by @​sheremet-va in vitest-dev/vitest#9448 (3e4b9)
• Add toTestSpecification to reported tasks  -  by @​sheremet-va in vitest-dev/vitest#9464 (1a470)
• Show a warning if vi.mock or vi.hoisted are declared outside of top level of the module  -  by @​sheremet-va in vitest-dev/vitest#9387 (5db54)
• Track and display expectedly failed tests (.fails) in UI and CLI  -  by @​Copilot, sheremet-va and @​sheremet-va in vitest-dev/vitest#9476 (77d75)
• Support tags  -  by @​sheremet-va in vitest-dev/vitest#9478 (de7c8)
• Implement aroundEach and aroundAll hooks  -  by @​sheremet-va in vitest-dev/vitest#9450 (2a8cb)
• Stabilize experimental features  -  by @​sheremet-va in vitest-dev/vitest#9529 (b5fd2)
• Accept new or all in --update flag  -  by @​sheremet-va in vitest-dev/vitest#9543 (a5acf)
• Support meta in test options  -  by @​sheremet-va in vitest-dev/vitest#9535 (7d622)
• Support type inference with a new test.extend syntax  -  by @​sheremet-va in vitest-dev/vitest#9550 (e5385)
• Support vite 8 beta, fix type issues in the config with different vite versions  -  by @​sheremet-va in vitest-dev/vitest#9587 (99028)
• Add assertion helper to hide internal stack traces  -  by @​hi-ogawa and Claude Opus 4.6 in vitest-dev/vitest#9594 (eeb0a)
• Store failure screenshots using artifacts API  -  by @​macarie in vitest-dev/vitest#9588 (24603)
• Allow vitest list to statically collect tests instead of running files to collect them  -  by @​sheremet-va in vitest-dev/vitest#9630 (7a8e7)
• Add --detect-async-leaks  -  by @​AriPerkkio in vitest-dev/vitest#9528 (c594d)
• Implement mockThrow and mockThrowOnce  -  by @​thor-juhasz and @​sheremet-va in vitest-dev/vitest#9512 (61917)
• Support update: "none" and add docs about snapshots behavior on CI  -  by @​hi-ogawa in vitest-dev/vitest#9700 (05f18)
• Support playwright launchOptions with connectOptions  -  by @​hi-ogawa in vitest-dev/vitest#9702 (f0ff1)
• Add page/locator.mark API to enhance playwright trace  -  by @​hi-ogawa in vitest-dev/vitest#9652 (d0ee5)
• api:
  • Support tests starting or ending with test in experimental_parseSpecification  -  by @​jgillick and Jeremy Gillick in vitest-dev/vitest#9235 (2f367)
  • Add filters to createSpecification  -  by @​sheremet-va in vitest-dev/vitest#9336 (c8e6c)
  • Expose runTestFiles as alternative to runTestSpecifications  -  by @​sheremet-va in vitest-dev/vitest#9443 (43d76)
  • Add allowWrite and allowExec options to api  -  by @​sheremet-va in vitest-dev/vitest#9350 (20e00)
  • Allow passing down test cases to toTestSpecification  -  by @​sheremet-va in vitest-dev/vitest#9627 (6f17d)
• browser:
  • Add userEvent.wheel API  -  by @​macarie in vitest-dev/vitest#9188 (66080)
  • Add filterNode option to prettyDOM for filtering browser assertion error output  -  by @​Copilot, sheremet-va and @​sheremet-va in vitest-dev/vitest#9475 (d3220)
  • Support playwright persistent context  -  by @​hi-ogawa, Claude Opus 4.6 and @​sheremet-va in vitest-dev/vitest#9229 (f865d)
  • Added detailsPanelPosition option and button  -  by @​shairez in vitest-dev/vitest#9525 (c8a31)
  • Use BlazeDiff instead of pixelmatch  -  by @​macarie in vitest-dev/vitest#9514 (30936)
  • Add findElement and enable strict mode in webdriverio and preview  -  by @​sheremet-va in vitest-dev/vitest#9677 (c3f37)
• cli:
  • Add @​bomb.sh/tab completions  -  by @​AmirSa12 and @​sheremet-va in vitest-dev/vitest#8639 (200f3)
• coverage:
  • Support ignore start/stop ignore hints  -  by @​AriPerkkio in vitest-dev/vitest#9204 (e59c9)
  • Add coverage.changed option to report only changed files  -  by @​kykim00 and @​AriPerkkio in vitest-dev/vitest#9521 (1d939)
• experimental:
  • Add onModuleRunner hook to worker.init  -  by @​sheremet-va in vitest-dev/vitest#9286 (e977f)
  • Option to disable the module runner  -  by @​sheremet-va and @​AriPerkkio in vitest-dev/vitest#9210 (9be61)

... (truncated)

Commits

• 4150b91 chore: release v4.1.0
• 1de0aa2 fix: correctly identify concurrent test during static analysis (#9846)
• c3cac1c fix: use isAgent check, not just TTY, for watch mode (#9841)
• eab68ba chore(deps): update all non-major dependencies (#9824)
• 031f02a fix: allow catch/finally for async assertion (#9827)
• 3e9e096 feat(reporters): add agent reporter to reduce ai agent token usage (#9779)
• 0c2c013 chore: release v4.1.0-beta.6
• 8181e06 fix: hideSkippedTests should not hide test.todo (fix #9562) (#9781)
• a8216b0 fix: manual and redirect mock shouldn't load or transform original module...
• 689a22a fix(browser): types of getCDPSession and cdp() (#9716)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[1bcMax]

@dependabot rebase