chore(deps-dev): bump the development-dependencies group across 1 directory with 7 updates

[dependabot]

Bumps the development-dependencies group with 7 updates in the / directory:

Package	From	To
@changesets/changelog-github	0.6.0	0.7.0
@changesets/cli	2.30.0	2.31.0
@types/node	25.5.2	25.6.0
pkg-ok	3.0.0	4.0.0
stylelint	17.6.0	17.11.0
undici	8.0.2	8.2.0
vite	8.0.7	8.0.10

Updates @changesets/changelog-github from 0.6.0 to 0.7.0

Release notes

Sourced from @​changesets/changelog-github's releases.

@​changesets/changelog-github@​0.7.0

Minor Changes

• #1255 94578cf Thanks @​Kauhsa! - Added disableThanks option

Commits

• d1ef2d8 Version Packages (#1950)
• 7af5876 Restrict publish job to the npm env (#1972)
• ff767d2 Sync config-file-options documentation with schema.json and source code (#1683)
• 951094b fix: pin 2 unpinned action(s) (#1915)
• 94578cf Added disableThanks option (#1255)
• d87334d Support dark mode banner in readme (#1943)
• 87472a7 Update .vscode/settings.json (#1944)
• 317a373 Disable publish_pr job
• 9cce6db Version Packages (#1897)
• d2121dc Fix npm auth for path-based registries during publish by preserving configure...
• Additional commits viewable in compare view

Updates @changesets/cli from 2.30.0 to 2.31.0

Release notes

Sourced from @​changesets/cli's releases.

@​changesets/cli@​2.31.0

Minor Changes

• #1889 96ca062 Thanks @​mixelburg! - Error on unsupported flags for individual CLI commands and print the matching command usage to make mistakes easier to spot.

• #1873 42943b7 Thanks @​mixelburg! - Respond to --help on all subcommands. Previously, --help was only handled when it was the sole argument; passing it alongside a subcommand (e.g. changeset version --help) would silently execute the command instead. Now --help always exits early and prints per-command usage when a known subcommand is provided, or the general help text otherwise.

Patch Changes

• d2121dc Thanks @​Andarist! - Fix npm auth for path-based registries during publish by preserving configured registry URLs instead of normalizing them.

• #1888 036fdd4 Thanks @​mixelburg! - Fix several changeset version issues with workspace protocol dependencies. Valid explicit workspace: ranges and aliases are no longer rewritten unnecessarily, and workspace path references are handled correctly during versioning.

• #1903 5c4731f Thanks @​Andarist! - Gracefully handle stale npm info data leading to duplicate publish attempts.

• #1867 f61e716 Thanks @​Andarist! - Improved detection for published state of prerelease-only packages without latest dist-tag on GitHub Packages registry.

• Updated dependencies [036fdd4, 036fdd4, 036fdd4]:

  • @​changesets/assemble-release-plan@​6.0.10
  • @​changesets/get-dependents-graph@​2.1.4
  • @​changesets/apply-release-plan@​7.1.1
  • @​changesets/get-release-plan@​4.0.16
  • @​changesets/config@​3.1.4

Commits

• 9cce6db Version Packages (#1897)
• d2121dc Fix npm auth for path-based registries during publish by preserving configure...
• 036fdd4 Fix several changeset version issues with workspace protocol dependencies (...
• 5c4731f Gracefully handle stale npm info data leading to duplicate publish attempts...
• 96ca062 Error on unsupported flags for individual CLI commands (#1889)
• 42943b7 fix(cli): respond to --help on all subcommands (#1873)
• f61e716 Improved detection for published state of prerelease-only packages without ...
• See full diff in compare view

Updates @types/node from 25.5.2 to 25.6.0

Commits

• See full diff in compare view

Updates pkg-ok from 3.0.0 to 4.0.0

Changelog

Sourced from pkg-ok's changelog.

4.0.0

• Require Node 20, 22, or 24

Commits

• c4bf4e9 Merge pull request #173 from abraham/copilot/remove-husky-package
• b5b9ad6 chore: remove husky and pre-commit hook
• 8ed0ae6 Merge pull request #171 from abraham/abraham-patch-1
• 65a7813 Initial plan
• 4ad7c3e npm run format
• 0ecc782 Add GitHub Actions workflow to publish package
• 41718cd Merge pull request #170 from abraham/abraham-patch-1
• cae00cb Bump version from 3.0.0 to 4.0.0
• b24240c Revise Node.js support in CHANGELOG
• e420bf1 Merge pull request #168 from abraham/copilot/update-meow-to-v14
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for pkg-ok since your current version.

Updates stylelint from 17.6.0 to 17.11.0

Release notes

Sourced from stylelint's releases.

17.11.0

It adds 2 features, including a loader property to referenceFiles: {} for when the order of appearance in the reference styles matters.

• Added: loader to experimental referenceFiles: {} (#9251) (@​romainmenke).
• Added: autofixed to the result object (#8771) (@​Rob--W).

17.10.0

It adds 3 rules and fixes 4 bugs. You can use the *-layout-mappings rules to enforce logical or physical properties, units and keywords.

• Added: selector-no-invalid rule (#9232) (@​jeddy3).
• Added: unit-layout-mappings rule (#9229) (@​jeddy3).
• Added: value-keyword-layout-mappings rule (#9233) (@​jeddy3).
• Fixed: inconsistent error messages when module is not found (#9260) (@​ybiquitous).
• Fixed: property-layout-mappings false negatives for property names in declaration values (#9222) (@​jeddy3).
• Fixed: property-layout-mappings false positives for @page properties (#9223) (@​jeddy3).
• Fixed: selector-pseudo-class-no-unknown false positives for nested webkit-scrollbar part (#9259) (@​rkdfx).

17.9.1

It fixes 4 bugs. We also documented the messageArgs each rule provides to the message configuration property.

• Fixed: ConfigurationError regression for custom syntaxes (#9245) (@​jeddy3).
• Fixed: MD5 hash algorithm to SHA256 for caching (#9241) (@​rkdfx).
• Fixed: property-no-deprecated autofix for page-break-*: always (#9214) (@​rkdfx).
• Fixed: selector-no-deprecated false positives for ::part() (#9227) (@​SaekiTominaga).

17.9.0

It adds 3 new features. Adding the referenceFiles property to your configuration object makes the no-unknown-animations, no-unknown-custom-media and no-unknown-custom-properties rules more useful.

• Added: experimental referenceFiles to configuration object (#9179) (@​jeddy3).
• Added: experimental abortSignal option to Node.js API for cancellation support (#9213) (@​adalinesimonian).
• Added: maxWarnings to configuration object (#9181) (@​mrginglymus).

17.8.0

It adds 3 new rules and 1 configuration property.

• Added: languageOptions.directionality configuration property (#8687) (@​sw1tch3roo).
• Added: property-layout-mappings rule (#8687) (@​sw1tch3roo).
• Added: relative-selector-nesting-notation rule (#8730) (@​sw1tch3roo).
• Added: selector-no-deprecated rule (#8694) (@​immitsu).

17.7.0

It fixes 4 bugs, including clearer problem messages by removing filler words and leading with the problem. We've also released 1.0.0 of create-stylelint to help with first-time Stylelint setup.

• Fixed: clarity of problem messages (#9199) (@​jeddy3).
• Fixed: --print-config CLI flag to hide internal properties (#9194) (@​ybiquitous).
• Fixed: function-url-quotes false positives when URLs have modifiers (#8702) (@​immitsu).
• Fixed: selector-no-qualifying-type false positives for :has() (#9182) (@​romainmenke).

Changelog

Sourced from stylelint's changelog.

17.11.0 - 2026-05-05

It adds 2 features, including a loader property to referenceFiles: {} for when the order of appearance in the reference styles matters.

• Added: loader to experimental referenceFiles: {} (#9251) (@​romainmenke).
• Added: autofixed to the result object (#8771) (@​Rob--W).

17.10.0 - 2026-05-03

It adds 3 rules and fixes 4 bugs. You can use the *-layout-mappings rules to enforce logical or physical properties, units and keywords.

• Added: selector-no-invalid rule (#9232) (@​jeddy3).
• Added: unit-layout-mappings rule (#9229) (@​jeddy3).
• Added: value-keyword-layout-mappings rule (#9233) (@​jeddy3).
• Fixed: inconsistent error messages when module is not found (#9260) (@​ybiquitous).
• Fixed: property-layout-mappings false negatives for property names in declaration values (#9222) (@​jeddy3).
• Fixed: property-layout-mappings false positives for @page properties (#9223) (@​jeddy3).
• Fixed: selector-pseudo-class-no-unknown false positives for nested webkit-scrollbar part (#9259) (@​rkdfx).

17.9.1 - 2026-04-27

It fixes 4 bugs. We also documented the messageArgs each rule provides to the message configuration property.

• Fixed: ConfigurationError regression for custom syntaxes (#9245) (@​jeddy3).
• Fixed: MD5 hash algorithm to SHA256 for caching (#9241) (@​rkdfx).
• Fixed: property-no-deprecated autofix for page-break-*: always (#9214) (@​rkdfx).
• Fixed: selector-no-deprecated false positives for ::part() (#9227) (@​SaekiTominaga).

17.9.0 - 2026-04-23

It adds 3 new features. Adding the referenceFiles property to your configuration object makes the no-unknown-animations, no-unknown-custom-media and no-unknown-custom-properties rules more useful.

• Added: experimental referenceFiles to configuration object (#9179) (@​jeddy3).
• Added: experimental abortSignal option to Node.js API for cancellation support (#9213) (@​adalinesimonian).
• Added: maxWarnings to configuration object (#9181) (@​mrginglymus).

17.8.0 - 2026-04-15

It adds 3 new rules and 1 configuration property.

• Added: languageOptions.directionality configuration property (#8687) (@​sw1tch3roo).
• Added: property-layout-mappings rule (#8687) (@​sw1tch3roo).
• Added: relative-selector-nesting-notation rule (#8730) (@​sw1tch3roo).
• Added: selector-no-deprecated rule (#8694) (@​immitsu).

17.7.0 - 2026-04-12

It fixes 4 bugs, including clearer problem messages by removing filler words and leading with the problem. We've also released 1.0.0 of create-stylelint to help with first-time Stylelint setup.

• Fixed: clarity of problem messages (#9199) (@​jeddy3).

... (truncated)

Commits

• e176acf Release 17.11.0 (#9271)
• 769e791 Require owner review for .npmrc (#9270)
• c0c362c Harden npm install security (#9269)
• 823fdfc Add autofixed to the result object (#8771)
• c19e627 Bump vulnerable dependencies via npm audit fix (#9267)
• 2ce046f Bump string-width from 8.2.0 to 8.2.1 (#9266)
• a895cdd Bump the stylelint-actions group with 4 updates (#9265)
• 1757a82 Configure Dependabot to group Stylelint actions (#9264)
• 34918a4 Add Dependency Review to CI (#9263)
• 70c1f2d Add loader to experimental referenceFiles: {} (#9251)
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates undici from 8.0.2 to 8.2.0

Release notes

Sourced from undici's releases.

v8.2.0

What's Changed

• chore: use native addAbortListener by @​trivikr in nodejs/undici#5021
• fix: fix the logic for the UNDICI_NO_WASM_SIMD environment variable by @​ShenHongFei in nodejs/undici#5026
• fix(http2): send body for non-expectsPayload methods with content by @​mcollina in nodejs/undici#5030
• fix(fetch): correct 'navigator' typo to 'navigate' in fetchFinale by @​deepview-autofix in nodejs/undici#5044
• fix(webidl): correct signed integer bounds in ConvertToInt by @​deepview-autofix in nodejs/undici#5038
• fix(fetch): use || for CRLF check in multipart formdata-parser by @​deepview-autofix in nodejs/undici#5049
• fix(websocket): correct argument order in WebSocketStream UTF-8 failure by @​deepview-autofix in nodejs/undici#5050
• fix(pool): propagate useH2c to connector when connections > 1 by @​SAY-5 in nodejs/undici#5031
• fix(cache): return immutable staleAt in milliseconds by @​deepview-autofix in nodejs/undici#5048
• fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing by @​deepview-autofix in nodejs/undici#5041
• fix(cache): evict oldest entries first in SqliteCacheStore prune by @​deepview-autofix in nodejs/undici#5039
• fix(socks5): correctly expand IPv6 '::' compressed notation by @​deepview-autofix in nodejs/undici#5046
• Remove unused func and unnecessary shim by @​tsctx in nodejs/undici#5053
• fix: reject malformed content-length request headers by @​trivikr in nodejs/undici#5060
• fix(request): reject NaN highWaterMark during option validation by @​trivikr in nodejs/undici#5062
• docs: fix broken links in docsify sidebar by @​maruthang in nodejs/undici#5065
• fix(fetch): prefer filename* over filename in multipart form-data by @​maruthang in nodejs/undici#5068
• fix(http2): reject websocket upgrades on non-200 responses by @​trivikr in nodejs/undici#5072
• feat: support username-only proxy authentication in ProxyAgent by @​rossilor95 in nodejs/undici#4935
• build(deps): bump uWebSockets.js from v20.58.0 to v20.64.0 in /benchmarks by @​dependabot[bot] in nodejs/undici#5083
• fix(client-h2): stop double-decrementing kOpenStreams on stream timeout by @​SAY-5 in nodejs/undici#5076
• fix(http2): reject upgrade streams closed before response headers by @​trivikr in nodejs/undici#5069
• fix(http2): allow GET and HEAD request bodies over h2 by @​trivikr in nodejs/undici#5058
• fix(cache): include query in cache key when opts.path is undefined by @​maruthang in nodejs/undici#5081
• fix: avoid premature cleanup of dispatcher in Agent by @​bienzaaron in nodejs/undici#5034
• fix(http2): record ping failures on the socket by @​trivikr in nodejs/undici#5075
• add undici security policy by @​mcollina in nodejs/undici#5056
• fix(mock): make filterCalls AND operator actually intersect results by @​deepview-autofix in nodejs/undici#5045
• fix(socks5): enforce authenticated state before CONNECT by @​trivikr in nodejs/undici#5097
• fix(cache): skip expired sqlite vary entries during lookup by @​trivikr in nodejs/undici#5095
• fix: enforce maxCachedSessions in TLS session cache by @​trivikr in nodejs/undici#5102
• fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly by @​trivikr in nodejs/undici#5099
• fix: handle invalid HTTP/2 connection headers (#4356) by @​mcollina in nodejs/undici#5101
• fix(interceptor): add throwOnMaxRedirect to types and interceptor opts by @​maruthang in nodejs/undici#5066
• fix(websocket): avoid double-closing canceled stream readers by @​colinaaa in nodejs/undici#5105
• fix(cache): persist vary when updating sqlite cache entries by @​trivikr in nodejs/undici#5109
• refactor(h1): track HEAD keep-alive override as boolean by @​trivikr in nodejs/undici#5110
• client: cache llhttp wasm buffer view by @​trivikr in nodejs/undici#5115
• deps: update llhttp to 9.3.1 by @​mcollina in nodejs/undici#5113
• fix(http2): preserve accepted streams after GOAWAY by @​trivikr in nodejs/undici#5090
• fix: reuse parser WeakRef for timeout callbacks by @​trivikr in nodejs/undici#5125
• fix: stop buffering data after SOCKS5 connect by @​trivikr in nodejs/undici#5118
• perf(http2): avoid response header reserialization by @​trivikr in nodejs/undici#5085
• fix(cache): enforce sqlite maxCount after insert by @​trivikr in nodejs/undici#5112
• perf: reduce EventSourceStream parser allocations by @​trivikr in nodejs/undici#5032
• types(dispatcher): use OutgoingHttpHeaders for request headers by @​maruthang in nodejs/undici#5067
• cleanup: delete redundant .gitkeep file by @​shivarm in nodejs/undici#5133
• fix(http2): respect peer max concurrent streams by @​trivikr in nodejs/undici#5135

... (truncated)

Commits

• bf684f7 Bumped v8.2.0 (#5152)
• 0ca054a fix: replace stale pool clients under connection limit (#5145)
• 7af90e9 perf: avoid redundant scans in BalancedPool dispatcher selection (#5146)
• abb9d06 fix: validate H2CClient maxConcurrentStreams option (#5143)
• 72a7591 perf(http2): avoid cloning headers when removing status (#5127)
• 96fd5e9 fix(cache): allow streamed entries at maxEntrySize limit (#5129)
• f41e53f perf: use byteLength property for binary body chunks (#5126)
• bec4961 chore(deps): add lockfile (#5139)
• 86f1242 perf(http2): reduce writeH2 per-request callback allocations (#5138)
• cad3f70 perf(client): parse h1 content-length statelessly (#5124)
• Additional commits viewable in compare view

Updates vite from 8.0.7 to 8.0.10

Release notes

Sourced from vite's releases.

v8.0.10

Please refer to CHANGELOG.md for details.

v8.0.9

Please refer to CHANGELOG.md for details.

v8.0.8

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.10 (2026-04-23)

Features

• update rolldown to 1.0.0-rc.17 (#22299) (a4d06d9)

Bug Fixes

• hmrClient.logger.debug and hmrClient.logger.error looked different from other HMR logs (#22147) (a4d828f)
• css: show filename in CSS minification warnings for .css?inline (#22292) (83f0a78)
• optimizer: allow user transform.target to override default in optimizeDeps (#22273) (5c7cec6)
• remove format sniffing module resolution from JS resolver (#22297) (b8a21cc)

Code Refactoring

• enable some typecheck rules (#22278) (9437518)
• typecheck client directory (#22284) (40a0847)

8.0.9 (2026-04-20)

Features

• update rolldown to 1.0.0-rc.16 (#22248) (2947edd)

Bug Fixes

• allow binding when strictPort is set but wildcard port is in use (#22150) (dfc8aa5)
• build: emptyOutDir should happen for watch rebuilds (#22207) (ee52267)
• bundled-dev: reject requests to HMR patch files in non potentially trustworthy origins (#22269) (868f141)
• css: use unique key for cssEntriesMap to prevent same-basename collision (#22039) (374bb5d)
• deps: update all non-major dependencies (#22219) (4cd0d67)
• deps: update all non-major dependencies (#22268) (c28e9c1)
• detect Deno workspace root (fix #22237) (#22238) (1b793c0)
• dev: handle errors in watchChange hook (#22188) (fc08bda)
• optimizer: handle more chars that will be sanitized (#22208) (3f24533)
• skip fallback sourcemap generation for ?raw imports (#22148) (3ec9cda)

Documentation

• align the descriptions in READMEs (#22231) (44c42b9)
• fix reuses wording in dev environment comment (#22173) (9163412)
• fix wording in sass error comment (#22214) (bc5c6a7)
• update build CLI defaults (#22261) (605bb97)

Miscellaneous Chores

• deps: update dependency dotenv-expand to v13 (#22271) (0a3887d)

8.0.8 (2026-04-09)

Features

• update rolldown to 1.0.0-rc.15 (#22201) (6baf587)

... (truncated)

Commits

• 32c2978 release: v8.0.10
• a4d06d9 feat: update rolldown to 1.0.0-rc.17 (#22299)
• a4d828f fix: hmrClient.logger.debug and hmrClient.logger.error looked different f...
• 83f0a78 fix(css): show filename in CSS minification warnings for .css?inline (#22292)
• b8a21cc fix: remove format sniffing module resolution from JS resolver (#22297)
• 40a0847 refactor: typecheck client directory (#22284)
• 5c7cec6 fix(optimizer): allow user transform.target to override default in optimizeDe...
• 9437518 refactor: enable some typecheck rules (#22278)
• ce729f5 release: v8.0.9
• 605bb97 docs: update build CLI defaults (#22261)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[changeset-bot]

⚠️ No Changeset found

Latest commit: b7331ac

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​changesets/​changelog-github@​0.6.0 ⏵ 0.7.0	+1		+1
	undici@​8.0.2 ⏵ 8.2.0	+1		+1
	pkg-ok@​3.0.0 ⏵ 4.0.0			+1	+10
	@​types/​node@​25.5.2 ⏵ 25.6.0
	vite@​8.0.7 ⏵ 8.0.10	+1		+1
	@​changesets/​cli@​2.30.0 ⏵ 2.31.0	+1		+1
	stylelint@​17.6.0 ⏵ 17.11.0				+1

View full report