Bump the npm_and_yarn group across 1 directory with 4 updates #43

Open. dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/chittyid/npm_and_yarn-a9fcbae979
dependabot[bot] commented on behalf of github on May 30, 2026

Bumps the npm_and_yarn group with 4 updates in the /chittyid directory: @anthropic-ai/claude-code, ws, postcss and qs.

Updates @anthropic-ai/claude-code from 2.1.75 to 2.1.84

Release notes

Sourced from @​anthropic-ai/claude-code's releases.

v2.1.84

What's changed

  • Added PowerShell tool for Windows as an opt-in preview. Learn more at https://code.claude.com/docs/en/tools-reference#powershell-tool
  • Added ANTHROPIC_DEFAULT_{OPUS,SONNET,HAIKU}_MODEL_SUPPORTS env vars to override effort/thinking capability detection for pinned default models for 3p (Bedrock, Vertex, Foundry), and _MODEL_NAME/_DESCRIPTION to customize the /model picker label
  • Added CLAUDE_STREAM_IDLE_TIMEOUT_MS env var to configure the streaming idle watchdog threshold (default 90s)
  • Added TaskCreated hook that fires when a task is created via TaskCreate
  • Added WorktreeCreate hook support for type: "http" — return the created worktree path via hookSpecificOutput.worktreePath in the response JSON
  • Added allowedChannelPlugins managed setting for team/enterprise admins to define a channel plugin allowlist
  • Added x-client-request-id header to API requests for debugging timeouts
  • Added idle-return prompt that nudges users returning after 75+ minutes to /clear, reducing unnecessary token re-caching on stale sessions
  • Deep links (claude-cli://) now open in your preferred terminal instead of whichever terminal happens to be first in the detection list
  • Rules and skills paths: frontmatter now accepts a YAML list of globs
  • MCP tool descriptions and server instructions are now capped at 2KB to prevent OpenAPI-generated servers from bloating context
  • MCP servers configured both locally and via claude.ai connectors are now deduplicated — the local config wins
  • Background bash tasks that appear stuck on an interactive prompt now surface a notification after ~45 seconds
  • Token counts ≥1M now display as "1.5m" instead of "1512.6k"
  • Global system-prompt caching now works when ToolSearch is enabled, including for users with MCP tools configured
  • Fixed voice push-to-talk: holding the voice key no longer leaks characters into the text input, and transcripts now insert at the correct position
  • Fixed up/down arrow keys being unresponsive when a footer item is focused
  • Fixed Ctrl+U (kill-to-line-start) being a no-op at line boundaries in multiline input, so repeated Ctrl+U now clears across lines
  • Fixed null-unbinding a default chord binding (e.g. "ctrl+x ctrl+k": null) still entering chord-wait mode instead of freeing the prefix key
  • Fixed mouse events inserting literal "mouse" text into transcript search input
  • Fixed workflow subagents failing with API 400 when the outer session uses --json-schema and the subagent also specifies a schema
  • Fixed missing background color behind certain emoji in user message bubbles on some terminals
  • Fixed the "allow Claude to edit its own settings for this session" permission option not sticking for users with Edit(.claude) allow rules
  • Fixed a hang when generating attachment snippets for large edited files
  • Fixed MCP tool/resource cache leak on server reconnect
  • Fixed a startup performance issue where partial clone repositories (Scalar/GVFS) triggered mass blob downloads
  • Fixed native terminal cursor not tracking the text input caret, so IME composition (CJK input) now renders inline and screen readers can follow the input position
  • Fixed spurious "Not logged in" errors on macOS caused by transient keychain read failures
  • Fixed cold-start race where core tools could be deferred without their bypass active, causing Edit/Write to fail with InputValidationError on typed parameters
  • Improved detection for dangerous removals of Windows drive roots (C:\, C:\Windows, etc.)
  • Improved interactive startup by ~30ms by running setup() in parallel with slash command and agent loading
  • Improved startup for claude "prompt" with MCP servers — the REPL now renders immediately instead of blocking until all servers connect
  • Improved Remote Control to show a specific reason when blocked instead of a generic "not yet enabled" message
  • Improved p90 prompt cache rate
  • Reduced scroll-to-top resets in long sessions by making the message window immune to compaction and grouping changes
  • Reduced terminal flickering when animated tool progress scrolls above the viewport
  • Changed issue/PR references to only become clickable links when written as owner/repo#123 — bare #123 is no longer auto-linked
  • Slash commands unavailable for the current auth setup (/voice, /mobile, /chrome, /upgrade, etc.) are now hidden instead of shown
  • [VSCode] Added rate limit warning banner with usage percentage and reset time
  • Stats screenshot (Ctrl+S in /stats) now works in all builds and is 16× faster

v2.1.83

What's changed

  • Added managed-settings.d/ drop-in directory alongside managed-settings.json, letting separate teams deploy independent policy fragments that merge alphabetically
  • Added CwdChanged and FileChanged hook events for reactive environment management (e.g., direnv)
  • Added sandbox.failIfUnavailable setting to exit with an error when sandbox is enabled but cannot start, instead of running unsandboxed

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-code's changelog.

2.1.83

  • Added managed-settings.d/ drop-in directory alongside managed-settings.json, letting separate teams deploy independent policy fragments that merge alphabetically
  • Added CwdChanged and FileChanged hook events for reactive environment management (e.g., direnv)
  • Added sandbox.failIfUnavailable setting to exit with an error when sandbox is enabled but cannot start, instead of running unsandboxed
  • Added disableDeepLinkRegistration setting to prevent claude-cli:// protocol handler registration
  • Added CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1 to strip Anthropic and cloud provider credentials from subprocess environments (Bash tool, hooks, MCP stdio servers)

... (truncated)

Commits

Updates ws from 8.18.0 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

  • Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

```js
import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {
      skipUTF8Validation: true
    });

    ws.on('close', function (code, reason) {
      // Passes only if the received reason is exactly 80 zero bytes.
      deepStrictEqual(reason, Buffer.alloc(80));
    });
  }
);

wss.on('connection', function (ws) {
  // TypedArray reason: 20 float32 values = 80 bytes, all zero.
  ws.close(1000, new Float32Array(20));
});
```

The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

  • Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

8.19.0

Features

  • Added the closeTimeout option (#2308).

Bug fixes

  • Handled a forthcoming breaking change in Node.js core (19984854).

... (truncated)

Commits
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • 8439255 [dist] 8.20.0
  • d3503c1 [minor] Export the PerMessageDeflate class and header utils
  • 3ee5349 [api] Convert the isServer and maxPayload parameters to options
  • 91707b4 [doc] Add missing space
  • 8b55319 [pkg] Update eslint to version 10.0.1
  • Additional commits viewable in compare view

Updates postcss from 8.5.8 to 8.5.15

Release notes

Sourced from postcss's releases.

8.5.15

  • Fixed declaration parsing performance (by @​homanp).

8.5.14

8.5.13

  • Fixed postcss-scss comment regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding parsing in case of the error.

Commits
  • eae46db Release 8.5.15 version
  • 79508ff Update CI actions
  • b128e21 Speed up declaration parsing by avoiding creating new array on each token
  • 9825dca Fix code format
  • 55789c8 Update dependencies
  • 84fbbe9 Install older pnpm action for old Node.js
  • 9f860bd Revert pnpm action for old Node.js
  • 0877198 Update CI actions
  • b2d1a33 Fix linter warnings
  • 0700dac Merge pull request #2088 from rootvector2/add-oss-fuzz-harness
  • Additional commits viewable in compare view

Updates qs from 6.14.2 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

  • [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
  • [Fix] stringify: use configured delimiter after charsetSentinel (#555)
  • [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
  • [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
  • [Fix] parse: handle nested bracket groups and add regression tests (#530)
  • [readme] fix grammar (#550)
  • [Dev Deps] update @ljharb/eslint-config
  • [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

  • [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
  • [Deps] update @ljharb/eslint-config
  • [Dev Deps] update @ljharb/eslint-config, iconv-lite
  • [Tests] increase coverage

6.15.0

  • [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
  • [Fix] duplicates option should not apply to bracket notation keys (#514)
Commits
  • 9aca407 v6.15.2
  • 5e33d33 [Dev Deps] update @ljharb/eslint-config
  • 21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
  • a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
  • e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
  • 0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
  • 3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
  • 96755ab [readme] fix grammar
  • a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
  • 3f5e1c5 v6.15.1
  • Additional commits viewable in compare view

Bumps the npm_and_yarn group with 4 updates in the /chittyid directory: [@anthropic-ai/claude-code](https://github.com/anthropics/claude-code), [ws](https://github.com/websockets/ws), [postcss](https://github.com/postcss/postcss) and [qs](https://github.com/ljharb/qs).


Updates `@anthropic-ai/claude-code` from 2.1.75 to 2.1.84
- [Release notes](https://github.com/anthropics/claude-code/releases)
- [Changelog](https://github.com/anthropics/claude-code/blob/main/CHANGELOG.md)
- [Commits](anthropics/claude-code@v2.1.75...v2.1.84)

Updates `ws` from 8.18.0 to 8.20.1
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.18.0...8.20.1)

Updates `postcss` from 8.5.8 to 8.5.15
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.8...8.5.15)

Updates `qs` from 6.14.2 to 6.15.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.2...v6.15.2)

---
updated-dependencies:
- dependency-name: "@anthropic-ai/claude-code"
  dependency-version: 2.1.84
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 8.20.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.15
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
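
A grouped bump only closes the advisories if every resolved copy of each package moves, including copies nested under other dependencies. The following added example (not part of the pull request or of Dependabot) scans a lockfile for copies still below the versions listed in updated-dependencies; it assumes an npm v2/v3 package-lock.json `packages` map, and the function names and sample lockfile are constructed for illustration.

```javascript
// Target versions copied from the updated-dependencies block of this PR.
const PR_TARGETS = {
  '@anthropic-ai/claude-code': '2.1.84',
  ws: '8.20.1',
  postcss: '8.5.15',
  qs: '6.15.2'
};

// Split "8.20.1" or "8.20.1-beta.0" into a numeric core and a prerelease flag.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(version);
  if (!m) throw new Error(`unsupported version string: ${version}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when `version` sorts before `floor` (numeric compare, so 8.5.9 < 8.5.15).
function isBelow(version, floor) {
  const a = parseVersion(version);
  const b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i];
  }
  return a.pre && !b.pre; // a prerelease of the floor sorts before the floor
}

// Lockfile keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function packageNameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Return every resolved copy of a targeted package that is below its target.
function findStaleCopies(lock, targets = PR_TARGETS) {
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !Object.prototype.hasOwnProperty.call(targets, name)) continue;
    if (!entry.version) continue; // workspace links carry no version
    if (isBelow(entry.version, targets[name])) {
      stale.push({ path, name, version: entry.version, wanted: targets[name] });
    }
  }
  return stale;
}

// Constructed sample: top-level copies are bumped, two nested copies are not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/@anthropic-ai/claude-code': { version: '2.1.84' },
    'node_modules/ws': { version: '8.20.1' },
    'node_modules/postcss': { version: '8.5.15', dev: true },
    'node_modules/qs': { version: '6.15.2' },
    'node_modules/parent-a': { version: '1.0.0' },
    'node_modules/parent-a/node_modules/qs': { version: '6.14.2' },
    'node_modules/parent-b/node_modules/ws': { version: '8.18.0' }
  }
};

console.log(findStaleCopies(SAMPLE_LOCK));
```

Against a real checkout, pass the parsed contents of the lockfile in place of SAMPLE_LOCK and fail the build when the returned list is not empty.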
dependabot[bot] added the dependencies and javascript labels on May 30, 2026
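
The ws 8.20.1 release note quoted in the Dependabot comment above ties the memory disclosure to passing a TypedArray where websocket.close() supports only a string or Buffer. Code that cannot take the upgrade immediately can enforce that type contract before the value reaches the library. This is an added example, not code from ws or from this repository: normalizeCloseReason and safeClose are hypothetical helpers, the socket is a constructed stand-in, and the 123-byte limit is RFC 6455's 125-byte control-frame payload minus the 2-byte status code.

```javascript
// RFC 6455: control frame payload <= 125 bytes, 2 of which are the status code.
const MAX_REASON_BYTES = 123;

// Return the close reason as a Buffer, or throw if it is not a supported type.
function normalizeCloseReason(reason) {
  if (reason === undefined || reason === null) return Buffer.alloc(0);

  let bytes;
  if (typeof reason === 'string') {
    bytes = Buffer.from(reason, 'utf8');
  } else if (Buffer.isBuffer(reason)) {
    // Buffer is itself a Uint8Array subclass, so it must be tested first.
    bytes = reason;
  } else if (ArrayBuffer.isView(reason) || reason instanceof ArrayBuffer) {
    // Float32Array, Uint8Array, DataView, ...: the unsupported case.
    throw new TypeError(
      `close reason must be a string or Buffer, got ${reason.constructor.name}`
    );
  } else {
    throw new TypeError(
      `close reason must be a string or Buffer, got ${typeof reason}`
    );
  }

  if (bytes.length > MAX_REASON_BYTES) {
    throw new RangeError(
      `close reason is ${bytes.length} bytes, limit is ${MAX_REASON_BYTES}`
    );
  }
  return bytes;
}

// Validate first; the socket only ever sees a Buffer of bounded length.
function safeClose(socket, code, reason) {
  const bytes = normalizeCloseReason(reason);
  socket.close(code, bytes);
  return bytes;
}

// Constructed stand-in for a WebSocket: records what close() receives.
function makeRecordingSocket() {
  const calls = [];
  return { calls, close(code, reason) { calls.push({ code, reason }); } };
}

// Run the guard over constructed inputs, including the Float32Array case.
function demo() {
  const socket = makeRecordingSocket();
  const inputs = ['going away', Buffer.from('bye'), new Float32Array(20), 'x'.repeat(124)];
  const results = inputs.map((reason) => {
    try {
      safeClose(socket, 1000, reason);
      return 'sent';
    } catch (err) {
      return err.name;
    }
  });
  return { results, forwarded: socket.calls.length };
}

console.log(demo());
```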
@chatgpt-codex-connector

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

cloudflare-workers-and-pages Bot commented May 30, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Updated (UTC) |
| --- | --- | --- | --- |
| ❌ Deployment failed | chittychronicle | fc3252c | May 30 2026, 05:49 PM |
