Skip to content

Bump the development-dependencies group with 5 updates#121

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/development-dependencies-af602c43f1
Open

Bump the development-dependencies group with 5 updates#121
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/development-dependencies-af602c43f1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps the development-dependencies group with 5 updates:

Package From To
@graphql-codegen/cli 7.1.2 7.1.3
oxfmt 0.53.0 0.56.0
oxlint 1.68.0 1.71.0
tsdown 0.22.1 0.22.3
vitest 4.1.8 4.1.9

Updates @graphql-codegen/cli from 7.1.2 to 7.1.3

Changelog

Sourced from @​graphql-codegen/cli's changelog.

7.1.3

Patch Changes

  • #10335 3280ace Thanks @​Diluka! - Fix graphql-config loading order to correctly detect codegen projects

    Previously, a graphql-config file like this failed:

    projects:
      default:
        schema: 'default/schema.graphql'
      project1:
        schema: 'project1/schema.graphql'
        extensions:
          codegen:
            generates:
              'project1/__generated__/types.ts':
                plugins: ['typescript']

    This is because the default project doesn't have a codegen extension, which caused previous logic to short circuit before reading project1's config.

    The fix reads every named project first, before reading the default project to exhaustively go through every single project.

Commits

Updates oxfmt from 0.53.0 to 0.56.0

Commits
  • c4be770 release(apps): oxlint v1.71.0 && oxfmt v0.56.0 (#23707)
  • aa79b5b release(apps): oxlint v1.70.0 && oxfmt v0.55.0 (#23442)
  • 9a2788b feat(linter/unicorn): implement prefer-export-from rule (#22935)
  • 44ae845 release(apps): oxlint v1.69.0 && oxfmt v0.54.0 (#23116)
  • dadafe3 docs(oxlint, oxfmt): mention migrate skills in npm READMEs (#22965)
  • f88961a docs(oxfmt): annotate each config option with supported languages (#22953)
  • See full diff in compare view

Updates oxlint from 1.68.0 to 1.71.0

Release notes

Sourced from oxlint's releases.

oxlint v1.27.0 && oxfmt v0.12.0

Oxlint v1.27.0

🚀 Features

  • 222a8f0 linter/plugins: Implement SourceCode#isSpaceBetween (#15498) (overlookmotel)
  • 2f9735d linter/plugins: Implement context.languageOptions (#15486) (overlookmotel)
  • bc731ff linter/plugins: Stub out all Context APIs (#15479) (overlookmotel)
  • 5822cb4 linter/plugins: Add extend method to FILE_CONTEXT (#15477) (overlookmotel)
  • 7b1e6f3 apps: Add pure rust binaries and release to github (#15469) (Boshen)
  • 2a89b43 linter: Introduce debug assertions after fixes to assert validity (#15389) (camc314)
  • ad3c45a editor: Add oxc.path.node option (#15040) (Sysix)

🐛 Bug Fixes

  • 6f3cd77 linter/no-var: Incorrect warning for blocks (#15504) (Hamir Mahal)
  • 6957fb9 linter/plugins: Do not allow access to Context#id in createOnce (#15489) (overlookmotel)
  • 7409630 linter/plugins: Allow access to cwd in createOnce in ESLint interop mode (#15488) (overlookmotel)
  • 732205e parser: Reject using / await using in a switch case / default clause (#15225) (sapphi-red)
  • a17ca32 linter/plugins: Replace Context class (#15448) (overlookmotel)
  • ecf2f7b language_server: Fail gracefully when tsgolint executable not found (#15436) (camc314)
  • 3c8d3a7 lang-server: Improve logging in failure case for tsgolint (#15299) (camc314)
  • ef71410 linter: Use jsx if source type is JS in fix debug assertion (#15434) (camc314)
  • e32bbf6 linter/no-var: Handle TypeScript declare keyword in fixer (#15426) (camc314)
  • 6565dbe linter/switch-case-braces: Skip comments when searching for : token (#15425) (camc314)
  • 85bd19a linter/prefer-class-fields: Insert value after type annotation in fixer (#15423) (camc314)
  • fde753e linter/plugins: Block access to context.settings in createOnce (#15394) (overlookmotel)
  • ddd9f9f linter/forward-ref-uses-ref: Dont suggest removing wrapper in invalid positions (#15388) (camc314)
  • dac2a9c linter/no-template-curly-in-string: Remove fixer (#15387) (camc314)
  • 989b8e3 linter/no-var: Only fix to const if the var has an initializer (#15385) (camc314)
  • cc403f5 linter/plugins: Return empty object for unimplemented parserServices (#15364) (magic-akari)

⚡ Performance

  • 25d577e language_server: Start tools in parallel (#15500) (Sysix)
  • 3c57291 linter/plugins: Optimize loops (#15449) (overlookmotel)
  • 3166233 linter/plugins: Remove Arcs (#15431) (overlookmotel)
  • 9de1322 linter/plugins: Lazily deserialize settings JSON (#15395) (overlookmotel)
  • 3049ec2 linter/plugins: Optimize deepFreezeSettings (#15392) (overlookmotel)
  • 444ebfd linter/plugins: Use single object for parserServices (#15378) (overlookmotel)

📚 Documentation

  • 97d2104 linter: Update comment in lint.rs about default value for tsconfig path (#15530) (Connor Shea)
  • 2c6bd9e linter: Always refer as "ES2015" instead of "ES6" (#15411) (sapphi-red)
  • a0c5203 linter/import/named: Update "ES7" comment in examples (#15410) (sapphi-red)
  • 3dc24b5 linter,minifier: Always refer as "ES Modules" instead of "ES6 Modules" (#15409) (sapphi-red)
  • 2ad77fb linter/no-this-before-super: Correct "Why is this bad?" section (#15408) (sapphi-red)
  • 57f0ce1 linter: Add backquotes where appropriate (#15407) (sapphi-red)

Oxfmt v0.12.0

... (truncated)

Changelog

Sourced from oxlint's changelog.

[1.71.0] - 2026-06-22

🚀 Features

  • 0dc2405 linter: Add schema for eslint/no-restricted-properties (#23619) (Sysix)
  • b638d0e linter: Add schema for node/callback-return (#23615) (Sysix)
  • eb8bedc linter: Add schema for import/extensions (#23557) (WaterWhisperer)
  • 46f3625 linter: Implement node/no-sync rule (#23589) (fujitani sora)
  • b01739a linter: Add schema for unicorn/numeric-separators-style (#23554) (Mikhail Baev)
  • 68afd2a linter/node: Implement no-mixed-requires rule (#23539) (fujitani sora)
  • a421215 linter: Add schema for eslint/prefer-destructuring (#23410) (WaterWhisperer)
  • 84438be linter/jsdoc: Added missing options to require-param-description (#23416) (kapobajza)
  • 51910df linter/jsdoc: Add missing options to require-param-type rule (#23418) (kapobajza)
  • e90925f linter/unicorn: Implement prefer-number-coercion rule (#23497) (Shekhu☺️)
  • dd1c866 linter/vue: Implement no-async-in-computed-properties rule (#23493) (bab)
  • b02444e linter: Add schema for react/jsx-no-script-url (#23475) (WaterWhisperer)
  • a8dce46 linter/unicorn: Implement max-nested-calls rule (#23461) (arieleli01212)

🐛 Bug Fixes

  • a303c23 linter/jsx-a11y: Align anchor-is-valid config with upstream (#23446) (camc314)

📚 Documentation

  • b50bf4d linter: Remove manually written options doc for eslint/arrow-body-style (#23490) (Mikhail Baev)

[1.70.0] - 2026-06-15

🚀 Features

  • 2e8bda4 linter/vue: Implement no-dupe-keys rule (#23350) (bab)
  • 1490a0a linter/react: Implement react-compiler rule (#23202) (Boshen)
  • dd560ae linter/unicorn: Implement no-array-fill-with-reference-type rule (#23397) (Mikhail Baev)
  • af36c2f linter: Add schema for react/jsx-curly-brace-presence (#23400) (WaterWhisperer)
  • 47d34a3 linter: Add schema for react/jsx-handler-names (#23393) (WaterWhisperer)
  • f4250d0 linter: Add schema for unicorn/import-style (#23386) (WaterWhisperer)
  • 30c74ce linter: Add schema for jsx_a11y/no-noninteractive-element-to-interactive-role (#23384) (Sysix)
  • cfbe8dc linter: Add schema for jsx_a11y/no-interactive-element-to-noninteractive-role (#23382) (WaterWhisperer)
  • d15b7ff linter: Add schema for typescript/no-restricted-types (#23381) (WaterWhisperer)
  • 028a811 linter: Add schema for jsx-a11y/media-has-caption (#23377) (Sysix)
  • b3b1038 linter: Add schema for jsx-a11y/label-has-associated-control (#23376) (Sysix)
  • 7ada6b2 linter: Add schema for jsx_a11y/no-distracting-elements (#23379) (WaterWhisperer)
  • ee3dd49 linter: Add schema for jsx-a11y/img-redundant-alt (#23374) (Sysix)
  • df5f8dd linter: Add short descriptions to most lint rules. (#23365) (Connor Shea)
  • e3fd735 linter: Add schema for jsx_a11y/alt-text (#23369) (Sysix)
  • 0f2fff4 linter: Add schema for react/exhaustive-deps (#23372) (Mikhail Baev)
  • e3e4e10 linter: Add schema for react_perf/jsx-no-new-object-as-prop (#23368) (Mikhail Baev)
  • 9366d44 linter: Add schema for unicorn/prefer-at (#23366) (WaterWhisperer)
  • f57b55d linter: Add schema for typescript/array-type (#23355) (Sysix)
  • 0dcf912 linter: Add schema for typescript/ban-ts-comment (#23354) (Sysix)

... (truncated)

Commits
  • c4be770 release(apps): oxlint v1.71.0 && oxfmt v0.56.0 (#23707)
  • 0dc2405 feat(linter): add schema for eslint/no-restricted-properties (#23619)
  • b638d0e feat(linter): add schema for node/callback-return (#23615)
  • 6d355ab refactor(linter): remove number_as_object_schema helper (#23614)
  • eb8bedc feat(linter): add schema for import/extensions (#23557)
  • 46f3625 feat(linter): implement node/no-sync rule (#23589)
  • 953c7b3 refactor(linter): make unicorn/numeric-separators-style options u32 (#23558)
  • b01739a feat(linter): add schema for unicorn/numeric-separators-style (#23554)
  • 68afd2a feat(linter/node): implement no-mixed-requires rule (#23539)
  • b08e9f5 refactor(linter): re-enable schema for `jsx_a11y/no-noninteractive-element-in...
  • Additional commits viewable in compare view

Updates tsdown from 0.22.1 to 0.22.3

Release notes

Sourced from tsdown's releases.

v0.22.3

   🚨 Breaking Changes

   🐞 Bug Fixes

   🏎 Performance

    View changes on GitHub

v0.22.2

   🐞 Bug Fixes

    View changes on GitHub
Commits
  • 472b69e chore: release v0.22.3
  • a2eac3b feat!: drop node 24.0 - 24.10 support
  • 1ba7e12 docs: remove publicPath option from wasm plugin
  • 9f05179 perf(css): skip renderChunk when no CSS has been collected (#967)
  • 742f314 ci: switch deployment branch to release
  • 8e33975 chore: upgrade deps
  • 88900c9 ci: generate docs before void deploy (#970)
  • b587b03 ci: deploy docs to Void (#969)
  • bfc649e fix: inline CI detection
  • 15ac682 chore: release v0.22.2
  • Additional commits viewable in compare view

Updates vitest from 4.1.8 to 4.1.9

Release notes

Sourced from vitest's releases.

v4.1.9

🐞 Bug Fixes

View changes on GitHub
Commits
  • a7a61e7 chore: release v4.1.9 (#10598)
  • 934b0f5 fix(pool): prevent test run hang on worker crash (#10543) [backport to v4] (#...
  • 7fb2965 fix(browser): wait for orchestrator readiness before resolving browser sessio...
  • a518019 fix: fix importOriginal with optimizer and query import [backport to v4] (#...
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the development-dependencies group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [@graphql-codegen/cli](https://github.com/dotansimha/graphql-code-generator/tree/HEAD/packages/graphql-codegen-cli) | `7.1.2` | `7.1.3` |
| [oxfmt](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt) | `0.53.0` | `0.56.0` |
| [oxlint](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxlint) | `1.68.0` | `1.71.0` |
| [tsdown](https://github.com/rolldown/tsdown) | `0.22.1` | `0.22.3` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.8` | `4.1.9` |


Updates `@graphql-codegen/cli` from 7.1.2 to 7.1.3
- [Release notes](https://github.com/dotansimha/graphql-code-generator/releases)
- [Changelog](https://github.com/dotansimha/graphql-code-generator/blob/master/packages/graphql-codegen-cli/CHANGELOG.md)
- [Commits](https://github.com/dotansimha/graphql-code-generator/commits/@graphql-codegen/cli@7.1.3/packages/graphql-codegen-cli)

Updates `oxfmt` from 0.53.0 to 0.56.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxfmt/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxfmt_v0.56.0/npm/oxfmt)

Updates `oxlint` from 1.68.0 to 1.71.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxlint/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxlint_v1.71.0/npm/oxlint)

Updates `tsdown` from 0.22.1 to 0.22.3
- [Release notes](https://github.com/rolldown/tsdown/releases)
- [Commits](rolldown/tsdown@v0.22.1...v0.22.3)

Updates `vitest` from 4.1.8 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest)

---
updated-dependencies:
- dependency-name: "@graphql-codegen/cli"
  dependency-version: 7.1.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development-dependencies
- dependency-name: oxfmt
  dependency-version: 0.56.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development-dependencies
- dependency-name: oxlint
  dependency-version: 1.71.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development-dependencies
- dependency-name: tsdown
  dependency-version: 0.22.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development-dependencies
- dependency-name: vitest
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 1, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedoxfmt@​0.56.0691008996100
Added@​graphql-codegen/​cli@​7.1.3961007799100
Addedvitest@​4.1.9981007998100
Addedtsdown@​0.22.3981008896100
Addedoxlint@​1.71.0991009296100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm oxfmt is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.jsonnpm/oxfmt@0.56.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/oxfmt@0.56.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm oxfmt is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.jsonnpm/oxfmt@0.56.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/oxfmt@0.56.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants