Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@biomejs/biome (source)	2.3.11 → 2.3.12
hono (source)	4.11.4 → 4.11.5
wrangler (source)	4.59.2 → 4.60.0

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.3.12

Compare Source

Patch Changes

• #​8653 047576d Thanks @​dyc3! - Added new nursery rule noDuplicateAttributes to forbid duplicate attributes in HTML elements.

• #​8648 96d09f4 Thanks @​BaeSeokJae! - Added a new nursery rule noVueOptionsApi.

  Biome now reports Vue Options API usage, which is incompatible with Vue 3.6's Vapor Mode.
  This rule detects Options API patterns in <script> blocks, defineComponent(), and createApp() calls,
  helping prepare codebases for Vapor Mode adoption.

  For example, the following now triggers this rule:

  <script>
  export default {
    data() {
      return { count: 0 };
    },
  };
  </script>

• #​8832 b08270b Thanks @​Exudev! - Fixed #​8809, #​7985, and #​8136: the noSecrets rule no longer reports false positives on common CamelCase identifiers like paddingBottom, backgroundColor, unhandledRejection, uncaughtException, and IngestGatewayLogGroup.

  The entropy calculation algorithm now uses "average run length" to distinguish between legitimate CamelCase patterns (which have longer runs of same-case letters) and suspicious alternating case patterns (which have short runs).

• #​8793 c19fb0e Thanks @​TheBaconWizard! - Properly handle parameters metavariables for arrow_function GritQL queries. The following biome search command no longer throws an error:

  biome search 'arrow_function(parameters=$parameters, body=$body)'

• #​8561 981affb Thanks @​wataryooou! - Fixed noUnusedVariables to ignore type parameters declared in ambient contexts such as declare module blocks.

• #​8817 652cfbb Thanks @​dyc3! - Fixed #​8765: The HTML parser can now parse directive modifiers with a single colon, e.g. @keydown.:.

• #​8704 a1914d4 Thanks @​Netail! - Added the nursery rule noRootType.
  Disallow the usage of specified root types. (e.g. mutation and/or subscription)

  Invalid:

  {
    "options": {
      "disallow": ["mutation"]
    }
  }

  type Mutation {
    SetMessage(message: String): String
  }

• #​8712 251b47b Thanks @​Netail! - Renamed the following GraphQL nursery rules to match the Biome standard:

  • useUniqueArgumentNames -> noDuplicateArgumentNames
  • useUniqueFieldDefinitionNames -> noDuplicateFieldDefinitionNames
  • useUniqueGraphqlOperationName -> noDuplicateGraphqlOperationName
  • useUniqueInputFieldNames -> noDuplicateInputFieldNames
  • useUniqueVariableNames -> noDuplicateVariableNames

  Run the biome migrate --write command to automatically update the configuration file.

• #​7602 957cd8e Thanks @​kedevked! - Added the nursery lint rule useErrorCause.

  This rule enforces that errors caught in a catch clause are not rethrown without wrapping them in a new Error object and specifying the original error as the cause. This helps preserve the error’s stack trace and context for better debugging.

  It can be configured with the following option:

  • requireCatchParameter: (default: true)
    • When true, the rule requires that catch clauses have a parameter. If a throw statement appears inside a catch clause without a parameter, it will be flagged.

  Invalid examples:

  try {
    foo();
  } catch {
    throw new Error("fail");
  }

  try {
    foo();
  } catch (err) {
    throw new Error(err.message);
  }

  Valid examples:

  try {
    foo();
  } catch (err) {
    throw new Error("fail", { cause: err });
  }

  try {
    foo();
  } catch (error) {
    throw new Error("Something went wrong", { cause: error });
  }

  Valid example when requireCatchParameter is false:

  Valid:

  try {
    foo();
  } catch {
    throw new Error("fail");
  }

• #​8725 95aba98 Thanks @​dyc3! - Fixed #​8715: The CSS parser will now recover slightly better if a semicolon is missing from Tailwind's @apply at-rule.

• #​8616 4ee3bda Thanks @​Netail! - Added the nursery rule useLoneAnonymousOperation. Disallow anonymous operations when more than one operation specified in document.

  Invalid:

  query {
    fieldA
  }
  
  query B {
    fieldB
  }

• #​8624 291c9f2 Thanks @​taga3s! - Added the nursery rule useInlineScriptId to the Next.js domain.
  This rule enforces id attribute on next/script components with inline content or dangerouslySetInnerHTML.

  The following code is invalid:

  import Script from "next/script";
  
  export default function Page() {
    return (
      <Script>{`console.log('Hello');`}</Script> // must have `id` attribute
    );
  }

• #​8767 0d15370 Thanks @​mdevils! - Fixed #​3512:
  useExhaustiveDependencies now properly handles nested destructuring patterns
  from hook results.

  const [[x, y], setXY] = useState([1, 2]);
  useEffect(() => {
    console.log(x, y);
  }, [x, y]); // x and y are now correctly recognized as unstable

• #​8757 17ed9d3 Thanks @​Netail! - Added the nursery rule noDivRegex. Disallow equal signs explicitly at the beginning of regular expressions.

  Invalid:

  var f = function () {
    return /=foo/;
  };

• #​8836 aab1d17 Thanks @​dyc3! - Fixed #​7858: Biome now parses Astro files with empty frontmatter blocks.

• #​8755 3a15c29 Thanks @​arturalkaim! - Fixed #​6670. The $filename metavariable can now be used in GritQL where clauses to filter matches by filename.

• #​8821 63e68a1 Thanks @​playhardgopro! - Fixed several bugs in Vue conditional rules (useVueValidVIf, useVueValidVElse, and useVueValidVElseIf) related to whitespace handling, newlines, and self-closing tags.

• #​8767 0d15370 Thanks @​mdevils! - Fixed #​3685:
  useExhaustiveDependencies now properly handles transparent expression
  wrappers like non-null assertions and type assertions in dependency comparisons.

  useMemo(() => Boolean(myObj!.x), [myObj!.x]); // No longer reports incorrect diagnostics
  useMemo(() => myObj!.x?.y === true, [myObj!.x?.y]); // Now correctly matches dependencies

• #​8597 f764007 Thanks @​Netail! - Added the nursery rule noDuplicateEnumValueNames. Enforce unique enum value names.

  Invalid:

  enum A {
    TEST
    TesT
  }

• #​8679 33dfd7c Thanks @​ematipico! - Fixed #​8678. Now Biome correctly parses components inside Vue, Svelte and Astro files when they have the same name of self-closing elements.

• #​8617 31a9bfe Thanks @​Netail! - Added the nursery rule useLoneExecutableDefinition. Require queries, mutations, subscriptions or fragments to be located in separate files.

  Invalid:

  query Foo {
    id
  }
  
  fragment Bar on Baz {
    id
  }

• #​8697 8519669 Thanks @​Faizanq! - Added the nursery lint rule noExcessiveLinesPerFile to CSS and GraphQL.

• #​8711 365f7aa Thanks @​Netail! - Added new nursery rule noDuplicateEnumValues, which disallows defining an enum with multiple members initialized to the same value.

• #​8767 0d15370 Thanks @​mdevils! - Fixed #​5914:
  useExhaustiveDependencies now properly handles variables declared in the same
  statement.

  const varA = Math.random(),
    varB = useMemo(() => varA, [varA]); // varA is now correctly recognized as needed

• #​8767 0d15370 Thanks @​mdevils! - Fixed #​8427:
  useExhaustiveDependencies now properly resolves variable references to detect
  captured dependencies.

  const fe = fetchEntity;
  useEffect(() => {
    fe(id);
  }, [id, fe]); // fe is now correctly detected as needed

• #​8767 0d15370 Thanks @​mdevils! - Fixed #​8484:
  useExhaustiveDependencies now properly handles member access on stable hook
  results.

  const stableObj = useStable();
  useMemo(() => {
    return stableObj.stableValue; // stableObj.stableValue is now correctly recognized as stable
  }, []);

• #​8767 0d15370 Thanks @​mdevils! - Fixed #​7982:
  useExhaustiveDependencies now properly handles callback expressions with type
  assertions.

  const callback = useCallback(
    (() => {
      return count * 2;
    }) as Function,
    [count], // count is now correctly detected
  );

• #​8766 39eb545 Thanks @​Netail! - Fixed #​8761: Reverted wrapping the URL of rule descriptions with <>, causing broken URLs in VSCode.

• #​8767 0d15370 Thanks @​mdevils! - Fixed #​3080:
  useExhaustiveDependencies now properly analyzes captures within referenced
  functions passed to hooks.

  function myEffect() {
    console.log(foo, bar);
  }
  useEffect(myEffect, [foo, bar]); // foo and bar are now correctly detected

• #​8740 4962ed0 Thanks @​Netail! - Extra rule source references. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #​8776 395746f Thanks @​codiini! - Fixed #​6003: noUselessUndefinedInitialization no longer reports exported variables initialized to undefined. In Svelte 4, this pattern is used to declare optional component props.

• #​8767 0d15370 Thanks @​mdevils! - Fixed #​4248:
  useExhaustiveDependencies now correctly handles function props passed as
  callbacks.

  const data = React.useMemo(getData, [getData]); // getData is now correctly recognized as needed

• #​8819 bc191ff Thanks @​Netail! - Fixed #​6567:
  noUnknownProperty now ignores unknown properties in at-rules which support descriptors.

• #​8787 adb652f Thanks @​tuyuritio! - Fixed #​8777: Add support for :active-view-transition pseudo-class.

• #​8639 6577e32 Thanks @​ohnoah! - Added the nursery lint rule noExcessiveLinesPerFile.
  Biome now reports files that exceed a configurable line limit.

  // maxLines: 2
  const a = 1;
  const b = 2;
  const c = 3;

• #​8753 71b5c6e Thanks @​Netail! - Added the nursery rule noExcessiveClassesPerFile. Enforce a maximum number of classes per file.

  Invalid:

  class Foo {}
  class Bar {}

• #​8754 d6b2bda Thanks @​Netail! - Added the nursery rule noFloatingClasses. Disallow new operators outside of assignments or comparisons.

  Invalid:

  new Date();

honojs/hono (hono)

v4.11.5

Compare Source

What's Changed

• fix(client): exclude $all from ClientRequest type by @​paveg in #​4611
• refactor(jwks): mark allowedAlgorithms, so the user can pass a `const… by @​nikeee in #​4641
• feat(jwt): export AlgorithmTypes by @​yusukebe in #​4642

New Contributors

• @​paveg made their first contribution in #​4611
• @​nikeee made their first contribution in #​4641

Full Changelog: honojs/hono@v4.11.4...v4.11.5

cloudflare/workers-sdk (wrangler)

v4.60.0

Compare Source

Minor Changes

• #​11113 bba0968 Thanks @​AmirSa12! - Add wrangler complete command for shell completion scripts (bash, zsh, powershell)

  Usage:

  # Bash
  wrangler complete bash >> ~/.bashrc
  
  # Zsh
  wrangler complete zsh >> ~/.zshrc
  
  # Fish
  wrangler complete fish >> ~/.config/fish/completions/wrangler.fish
  
  # PowerShell
  wrangler complete powershell > $PROFILE

  • Uses @bomb.sh/tab library for cross-shell compatibility
  • Completions are dynamically generated from experimental_getWranglerCommands() API

• #​11893 f9e8a45 Thanks @​NuroDev! - wrangler types now generates per-environment TypeScript interfaces when named environments exist in your configuration.

  When your configuration has named environments (an env object), wrangler types now generates both:

  • Per-environment interfaces (e.g., StagingEnv, ProductionEnv) containing only the bindings explicitly declared in each environment, plus inherited secrets
  • An aggregated Env interface with all bindings from all environments (top-level + named environments), where:
    • Bindings present in all environments are required
    • Bindings not present in all environments are optional
    • Secrets are always required (since they're inherited everywhere)
    • Conflicting binding types across environments produce union types (e.g., KVNamespace | R2Bucket)

  However, if your config does not contain any environments, or you manually specify an environment via --env, wrangler types will continue to generate a single interface as before.

  Example:

  Given the following wrangler.jsonc:

  {
  	"name": "my-worker",
  	"kv_namespaces": [
  		{
  			"binding": "SHARED_KV",
  			"id": "abc123",
  		},
  	],
  	"env": {
  		"staging": {
  			"kv_namespaces": [
  				{ "binding": "SHARED_KV", "id": "staging-kv" },
  				{ "binding": "STAGING_CACHE", "id": "staging-cache" },
  			],
  		},
  	},
  }

  Running wrangler types will generate:

  declare namespace Cloudflare {
  	interface StagingEnv {
  		SHARED_KV: KVNamespace;
  		STAGING_CACHE: KVNamespace;
  	}
  	interface Env {
  		SHARED_KV: KVNamespace; // Required: in all environments
  		STAGING_CACHE?: KVNamespace; // Optional: only in staging
  	}
  }
  interface Env extends Cloudflare.Env {}

Patch Changes

• #​12030 614bbd7 Thanks @​jbwcloudflare! - Fix wrangler pages project validate to respect file count limits from CF_PAGES_UPLOAD_JWT

• #​11993 788bf78 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260116.0	1.20260120.0

• #​12039 1375577 Thanks @​dimitropoulos! - Fixed the flag casing for the time period flag for the d1 insights command.

• #​12026 c3407ad Thanks @​dario-piotrowicz! - Fix wrangler setup not automatically selecting workers as the target for new SvelteKit apps

  The Sveltekit adapter:cloudflare adapter now accepts two different targets workers or pages. Since the wrangler auto configuration only targets workers, wrangler should instruct the adapter to use the workers variant. (The auto configuration process would in any case not work if the user were to target pages.)

• Updated dependencies [788bf78, ae108f0]:

  • miniflare@​4.20260120.0
  • @​cloudflare/unenv-preset@​2.11.0
  • @​cloudflare/kv-asset-handler@​0.4.2

v4.59.3

Compare Source

Patch Changes

• #​9396 75386b1 Thanks @​gnekich! - Fix wrangler login with custom callback-host/callback-port

  The Cloudflare OAuth API always requires the redirect_uri to be localhost:8976. However, sometimes the Wrangler OAuth server needed to listen on a different host/port, for example when running from inside a container. We were previously incorrectly setting the redirect_uri to the configured callback host/port, but it needs to be up to the user to map localhost:8976 to the Wrangler OAuth server in the container.

  Example:

  You might run Wrangler inside a docker container like this: docker run -p 8989:8976 <image>, which forwards port 8976 on your host to 8989 inside the container.

  Then inside the container, run wrangler login --callback-host=0.0.0.0 --callback-port=8989

  The OAuth link still has a redirect_uri set tolocalhost:8976. For example https://dash.cloudflare.com/oauth2/auth?...&redirect_uri=http%3A%2F%2Flocalhost%3A8976%2Foauth%2Fcallback&...

  However the redirect to localhost:8976 is then forwarded to the Wrangler OAuth server inside your container, allowing the login to complete.

• #​11925 8e4a0e5 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260114.0	1.20260115.0

• #​11942 133bf95 Thanks @​penalosa! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260115.0	1.20260116.0

• #​11922 93d8d78 Thanks @​dario-piotrowicz! - Improve telemetry errors being sent to Sentry by wrangler init when it delegates to C3 by ensuring that they contain the output of the C3 execution.

• #​11940 69ff962 Thanks @​penalosa! - Show helpful messages for file not found errors (ENOENT)

  When users encounter file not found errors, Wrangler now displays a helpful message with the missing file path and common causes, instead of reporting to Sentry.

• #​11904 22727c2 Thanks @​danielrs! - Fix false positive infinite loop detection for exact path redirects

  Fixed an issue where the redirect validation incorrectly flagged exact path redirects like / /index.html 200 as infinite loops. This was particularly problematic when html_handling is set to "none", where such redirects are valid.

  The fix makes the validation more specific to only block wildcard patterns (like /* /index.html) that would actually cause infinite loops, while allowing exact path matches that are valid in certain configurations.

  Fixes: #​11824

• #​11946 fa39a73 Thanks @​MattieTK! - Fix configFileName returning wrong filename for .jsonc config files

  Previously, users with a wrangler.jsonc config file would see error messages and hints referring to wrangler.json instead of wrangler.jsonc. This was because the configFormat function collapsed both .json and .jsonc files into a single "jsonc" value, losing the distinction between them.

  Now configFormat returns "json" for .json files and "jsonc" for .jsonc files, allowing configFileName to return the correct filename for each format.

• #​11968 4ac7c82 Thanks @​MattieTK! - fix: include version components in command event metrics

  Adds wranglerMajorVersion, wranglerMinorVersion, and wranglerPatchVersion to command events (wrangler command started, wrangler command completed, wrangler command errored). These properties were previously only included in adhoc events.

• #​11940 69ff962 Thanks @​penalosa! - Improve error message when creating duplicate KV namespace

  When attempting to create a KV namespace with a title that already exists, Wrangler now provides a clear, user-friendly error message instead of the generic API error. The new message explains that the namespace already exists and suggests running wrangler kv namespace list to see existing namespaces with their IDs, or choosing a different namespace name.

• #​11962 029531a Thanks @​dario-piotrowicz! - Cache chosen account in memory to avoid repeated prompts

  When users have multiple accounts and no node_modules directory exists for file caching, Wrangler (run via npx and equivalent commands) would prompt for account selection multiple times during a single command. Now the selected account is also stored in process memory, preventing duplicate prompts and potential issues from inconsistent account choices.

• #​11964 d58fbd1 Thanks @​dario-piotrowicz! - Make name the positional argument for wrangler delete instead of script

  The script argument was meaningless for the delete command since it deletes by worker name, not by entry point path. The name argument is now accepted as a positional argument, allowing users to run wrangler delete my-worker instead of wrangler delete --name my-worker. The script argument is now hidden but still accepted for backwards compatibility.

• #​11967 202c59e Thanks @​emily-shen! - chore: update undici

  The following dependency versions have been updated:

  Dependency	From	To
  undici	7.14.0	7.18.2

• #​11940 69ff962 Thanks @​penalosa! - Improve error handling for Vite config transformations

  Replace assertions with proper error handling when transforming Vite configs. When Wrangler encounters a Vite config that uses a function or lacks a plugins array, it now provides clear, actionable error messages instead of crashing with assertion failures. The check function gracefully skips incompatible configs with debug logging.

• Updated dependencies [8e4a0e5, 133bf95, 202c59e, 133bf95, 25e2c60]:

  • miniflare@​4.20260116.0

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.