fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@biomejs/biome (source)	2.3.7 -> 2.3.8
@graphql-codegen/typescript (source)	5.0.5 -> 5.0.6
@graphql-codegen/typescript-resolvers (source)	5.1.3 -> 5.1.4
@types/node (source)	22.19.1 -> 22.19.2
cerbos (source)	^0.47.0 -> ^0.49.0
pkgroll	2.21.3 -> 2.21.4
tsx (source)	4.20.6 -> 4.21.0

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.3.8

Compare Source

Patch Changes

• #​8188 4ca088c Thanks @​ematipico! - Fixed #​7390, where Biome couldn't apply the correct configuration passed via --config-path.

  If you have multiple root configuration files, running any command with --config-path will now apply the chosen configuration file.

• #​8171 79adaea Thanks @​dibashthapa! - Added the new rule noLeakedRender. This rule helps prevent potential leaks when rendering components that use binary expressions or ternaries.

  For example, the following code triggers the rule because the component would render 0:

  const Component = () => {
    const count = 0;
    return <div>{count && <span>Count: {count}</span>}</div>;
  };

• #​8116 b537918 Thanks @​Netail! - Added the nursery rule noDuplicatedSpreadProps. Disallow JSX prop spreading the same identifier multiple times.

  Invalid:

  <div {...props} something="else" {...props} />

• #​8256 f1e4696 Thanks @​cormacrelf! - Fixed a bug where logs were discarded (the kind from --log-level=info etc.). This is a regression introduced after an internal refactor that wasn't adequately tested.

• #​8226 3f19b52 Thanks @​dyc3! - Fixed #​8222: The HTML parser, with Vue directives enabled, can now parse v-slot shorthand syntax, e.g. <template #foo>.

• #​8007 182ecdc Thanks @​brandonmcconnell! - Added support for dollar-sign-prefixed filenames in the useFilenamingConvention rule.

  Biome now allows filenames starting with the dollar-sign (e.g. $postId.tsx) by default to support naming conventions used by frameworks such as TanStack Start for file-based-routing.

• #​8218 91484d1 Thanks @​hirokiokada77! - Added the noMultiStr rule, which disallows creating multiline strings by escaping newlines.

  Invalid:

  const foo =
    "Line 1\n\
  Line 2";

  Valid:

  const foo = "Line 1\nLine 2";
  const bar = `Line 1
  Line 2`;

• #​8225 98ca2ae Thanks @​ongyuxing! - Fixed #​7806: Prefer breaking after the assignment operator for conditional types with generic parameters to match Prettier.

  -type True = unknown extends Type<
  -  "many",
  -  "generic",
  -  "parameters",
  -  "one",
  -  "two",
  -  "three"
  ->
  -  ? true
  -  : false;
  +type True =
  +  unknown extends Type<"many", "generic", "parameters", "one", "two", "three">
  +    ? true
  +    : false;

• #​6765 23f7855 Thanks @​emilyinure! - Fixed #​6569: Allow files to export from themselves with noImportCycles.

  This means the following is now allowed:

  // example.js
  export function example() {
    return 1;
  }
  
  // Re-exports all named exports from the current module under a single namespace
  // and then imports the namespace from the current module.
  // Allows for encapsulating functions/variables into a namespace instead
  // of using a static class.
  export * as Example from "./example.js";
  
  import { Example } from "./example.js";

• #​8214 68c052e Thanks @​hirokiokada77! - Added the noEqualsToNull rule, which enforces the use of === and !== for comparison with null instead of == or !=.

  Invalid:

  foo == null;
  foo != null;

  Valid:

  foo === null;
  foo !== null;

• #​8219 793bb9a Thanks @​dyc3! - Fixed #​8190: The HTML parser will now parse Vue event handlers that contain : correctly, e.g. @update:modelValue="onUpdate".

• #​8259 4a9139b Thanks @​hirokiokada77! - Fixed #​8254: The noParameterAssign rule with propertyAssignment: "deny" was incorrectly reporting an error when a function parameter was used on the right-hand side of an assignment to a local variable's property.

  The rule should only flag assignments that modify the parameter binding or its properties (L-value), not the use of its value.

  Valid:

  (input) => {
    const local = { property: 0 };
    local.property = input;
  };

• #​8201 cd2edd7 Thanks @​Netail! - Added the nursery rule noTernary. Disallow ternary operators.

  Invalid:

  const foo = isBar ? baz : qux;

• #​8172 de98933 Thanks @​JeremyMoeglich! - Fixed #​8145: handling of large hex literals, which previously caused both false positives and false negatives.

  This affects noPrecisionLoss and noConstantMathMinMaxClamp.

• #​8210 7b44e9e Thanks @​Netail! - Corrected rule source reference. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #​8213 e430555 Thanks @​ruidosujeira! - Fixed #​8209: Recognized formatting capability when either range or on-type formatting is supported, not only full-file formatting. This ensures editors and the language server correctly detect formatting support in files like JSONC.

• #​8202 6f49d95 Thanks @​hirokiokada77! - Fixed #​8079: Properly handle name and value metavariables for JsxAttribute GritQL queries.

  The following biome search command no longer throws an error:

  biome search 'JsxAttribute($name, $value) as $attr where { $name <: "style" }'
  

• #​8276 f7e836f Thanks @​hirokiokada77! - Added the noProto rule, which disallows the use of the __proto__ property for getting or setting the prototype of an object.

  Invalid:

  obj.__proto__ = a;
  const b = obj.__proto__;

  Valid:

  const a = Object.getPrototypeOf(obj);
  Object.setPrototypeOf(obj, b);

dotansimha/graphql-code-generator (@​graphql-codegen/typescript)

v5.0.6

Compare Source

Patch Changes

• Updated dependencies [b995ed1]:
  • @​graphql-codegen/visitor-plugin-common@​6.2.1

dotansimha/graphql-code-generator (@​graphql-codegen/typescript-resolvers)

v5.1.4

Compare Source

Patch Changes

• Updated dependencies [b995ed1]:
  • @​graphql-codegen/visitor-plugin-common@​6.2.1
  • @​graphql-codegen/typescript@​5.0.6

cerbos/cerbos (cerbos)

v0.49.0

Compare Source

Cerbos 0.49.0

View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.49.0.html

Changelog

• a9d48db Ability to pipe Hub audit logs to a secondary backend (#​2832)
• 6b9e9db Add policy source for EPDP v2 (#​2840)
• 52c4f78 Add v0.49.0 release notes (#​2839)
• 61ab8a6 Fix error message when upload-git fails (#​2828)
• 347b733 Options to control instrumentation of in-process service (#​2838)
• 4bdc775 changelog entry for role policy DENY intersect fix (#​2833)
• 3885f81 chore(deps): Bump jws from 3.2.2 to 3.2.3 in /npm/test/registry (#​2830)
• fcf3c3b chore(deps): Update GitHub Actions deps (#​2834)
• e36e898 chore(deps): Update Go deps (#​2835)
• 0e08f4c chore(release): Prepare release 0.49.0
• 82108bf chore(version): Bump version to 0.49.0
• c677615 fix: Correctly intersect role policy DENYs for multi-role principals (#​2831)
• 60fac8a fix: Output serialization in the AuthZen response (#​2837)

v0.48.0

Compare Source

Cerbos 0.48.0

View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.48.0.html

Changelog

• 8838f2a Add v0.48.0 release notes (#​2827)
• c02028c Fix free-disk-space action (#​2816)
• 1022dba Implement inspect.RuleTables (#​2818)
• e050e29 Pin cerbos/buf-breaking-action version (#​2819)
• d3133c2 Pin golangci-lint version in CI (#​2811)
• 9de93b8 Remove jlumbroso/free-disk-space action (#​2815)
• fe0a0dd Update verdaccio to 6.2.2 (#​2810)
• dc198e5 Use extractions/setup-crate directly (#​2812)
• 6a966b2 chore(api): Reimplement AuthZen APIs using direct calls to engine (#​2798)
• 883e9ec chore(ci): Add "v" prefix to cosign version (#​2763)
• ed6ac72 chore(ci): Fix cosign version to 2.6.1 (#​2760)
• 72ff0e5 chore(ci): Fix no such host error in e2e tests (#​2775)
• c747b01 chore(ci): Fix release workflow, rename cerbosfunc, update lambda docs (#​2748)
• cc5819f chore(ci): Pin GitHub Action digests (#​2807)
• a8bcd9e chore(ci): Remove -failfast flag when executing E2E tests (#​2776)
• 052aec9 chore(ci): Remove conventional commits requirement (#​2806)
• 6602c25 chore(deps): Bump github.com/opencontainers/runc from 1.2.3 to 1.2.8 (#​2767)
• 0a4e029 chore(deps): Bump golang.org/x/crypto from 0.37.0 to 0.45.0 in /hack/tools/changelog (#​2805)
• 4d99f7c chore(deps): Bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /tools (#​2794)
• 8dd72c7 chore(deps): Pin dependencies (#​2809)
• cb47613 chore(deps): Update GitHub Actions deps (#​2750)
• aa7968c chore(deps): Update GitHub Actions deps (#​2756)
• 60703b8 chore(deps): Update GitHub Actions deps (#​2821)
• 6136f27 chore(deps): Update GitHub Actions deps to v6 (major) (#​2755)
• 3913ce1 chore(deps): Update Go deps (#​2751)
• 81d1746 chore(deps): Update Go deps (#​2772)
• 27656c0 chore(deps): Update Go deps (#​2788)
• dbd2f64 chore(deps): Update Go deps (#​2799)
• afd20ef chore(deps): Update Node.js deps (#​2753)
• ebc6907 chore(deps): Update Node.js deps (#​2789)
• f3872e9 chore(deps): Update Node.js deps (#​2800)
• 9b7fae8 chore(deps): Update Node.js deps (#​2822)
• e805581 chore(deps): Update actions/upload-artifact action to v5 (#​2754)
• 0574697 chore(deps): Update dependency corepack to v0.34.2 (#​2771)
• 019092f chore(deps): Update dependency node to v24 (#​2757)
• 7215630 chore(deps): Update module golang.org/x/crypto to v0.45.0 [SECURITY] (#​2795)
• b21e502 chore(deps): Update sigstore/cosign-installer action to v4 (#​2758)
• 98da70f chore(release): Prepare release 0.48.0
• 15bf74d chore(version): Bump version to 0.48.0
• 71107bc chore: Add just align recipe to sort struct fields (#​2790)
• a702850 chore: Add manifest field to rule table (#​2768)
• 786c7c5 chore: Allow playground to collect engine traces (#​2793)
• d4fceb7 chore: Changelog management (#​2804)
• 6f4fc73 chore: Define rule table config as proto message (#​2765)
• 4d521f1 chore: Fix data race when initializing logging in tests (#​2796)
• b47ba00 chore: Fix issues flagged by gopls (#​2762)
• 4182b49 chore: Implement batch indexing for rules (#​2803)
• 40c3eaf chore: Make copyright header autofixable (#​2808)
• f24865f chore: Mark AuthZEN service as healthy (#​2791)
• 9f59be5 chore: Move engine config to public API (#​2770)
• a08e5ff chore: Move shared deps to build-tag-agnostic file (#​2766)
• d304f1e chore: Return audit trails along with outputs for EPDP (#​2797)
• 6101901 chore: Ruletable generic backends (#​2769)
• b39d0ba chore: Show --api-endpoint flag in cerbosctl hub store help (#​2749)
• 9b76b2b chore: Use cerbos.epdp.v2.Config to configure rule table engine (#​2777)
• c3e6afe docs(api): AuthZEN Authorization API (#​2825)
• 4195a5d docs: Fix upload-git arguments help (#​2759)
• 1a906f5 docs: Remove versioned links from old release notes (#​2779)
• 6075aac enhancement!: Use GetCurrentVersion RPC in upload-git cmd (#​2774)
• 1802724 enhancement: Simplify plan with all operation (#​2817)
• 13cccd5 enhancement: Support for rule table bundles (#​2773)
• 4b25949 feat(api): AuthZen Access Evaluation(s) APIs evaluation strategies (#​2823)
• 48d7402 feat(api): Implement AuthZen AccessEvaluation API (#​2778)
• 81c39aa feat(api): Implement AuthZen AccessEvaluations (Batch) API (#​2792)
• 38c6508 feat(api): Implement AuthZen PDP metadata endpoint (#​2801)
• a36f6bc fix(plan): Remove unnecessary check (#​2826)
• f335bad fix: Sanitise resource kinds in principal policy rules (#​2814)

privatenumber/pkgroll (pkgroll)

v2.21.4

Compare Source

Bug Fixes

• dont resolve .js to .ts in external dependency (03c7283), closes #​141

privatenumber/tsx (tsx)

v4.21.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - "after 9am and before 5pm Monday" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.