chore(deps): update dependency lint-staged to v16.2.6

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
lint-staged	16.1.2 -> 16.2.6

---

Release Notes

lint-staged/lint-staged (lint-staged)

v16.2.6

Compare Source

Patch Changes

• #​1693 33d4502 Thanks @​Adrian-Baran-GY! - Fix problems with --continue-on-error option, where tasks might have still been killed (SIGINT) when one of them failed.

v16.2.5

Compare Source

Patch Changes

• #​1687 9e02d9d Thanks @​iiroj! - Fix unhandled promise rejection when spawning tasks (instead of the tasks themselves failing). Previously when a task failed to spawn, lint-staged also failed and the backup stash might not have been automatically restored.

v16.2.4

Compare Source

Patch Changes

• #​1682 0176038 Thanks @​iiroj! - Update dependencies, including [email protected] with bug fixes.

• #​1671 581a54e Thanks @​iiroj! - Speed up execution by only importing the yaml depedency if using YAML configuration files.

v16.2.3

Compare Source

Patch Changes

• #​1669 27cd541 Thanks @​iiroj! - When using --fail-on-changes, automatically hidden (partially) unstaged changes are no longer counted to make lint-staged fail.

v16.2.2

Compare Source

Patch Changes

• #​1667 699f95d Thanks @​iiroj! - The backup stash will not be dropped when using --fail-on-changes and there are errors. When reverting to original state is disabled (via --no-revert or --fail-on-changes), hidden (partially) unstaged changes are still restored automatically so that it's easier to resolve the situation manually.

  Additionally, the example for using the backup stash manually now uses the correct backup hash, if available:

  % npx lint-staged --fail-on-changes
  ✔ Backed up original state in git stash (c18d55a3)
  ✔ Running tasks for staged files...
  ✖ Tasks modified files and --fail-on-changes was used!
  ↓ Cleaning up temporary files...
  
  ✖ lint-staged failed because `--fail-on-changes` was used.
  
  Any lost modifications can be restored from a git stash:
  
    > git stash list --format="%h %s"
    c18d55a3 On main: lint-staged automatic backup
    > git apply --index c18d55a3

v16.2.1

Compare Source

Patch Changes

• #​1664 8277b3b Thanks @​iiroj! - The built-in TypeScript types have been updated to more closely match the implementation. Notably, the list of staged files supplied to task functions is readonly string[] and can't be mutated. Thanks @​outslept!

  export default {
  ---  "*": (files: string[]) => void console.log('staged files', files)
  +++  "*": (files: readonly string[]) => void console.log('staged files', files)
  }

• #​1654 70b9af3 Thanks @​iiroj! - This version has been published from GitHub Actions using Trusted Publishing for npm packages.

• #​1659 4996817 Thanks @​iiroj! - Fix searching configuration files when the working directory is a subdirectory of a git repository, and there are package.json files in the working directory. This situation might happen when running lint-staged for a single package in a monorepo.

• #​1654 7021f0a Thanks @​iiroj! - Return the caret semver range (^) to direct dependencies so that future patch and minor versions are allowed. This enables projects to better maintain and deduplicate their own transitive dependencies while not requiring direct updates to lint-staged. This was changed in 16.2.0 after the vulnerability issues with chalk and debug, which were also removed in the same version.

  Given the recent vulnerabilities in the npm ecosystem, it's best to be very careful when updating dependencies.

v16.2.0

Compare Source

Minor Changes

• #​1615 99eb742 Thanks @​iiroj! - Added a new option --fail-on-changes to make lint-staged exit with code 1 when tasks modify any files, making the precommit hook fail. This is similar to the git diff --exit-code option. Using this flag also implies the --no-revert flag which means any changes made by tasks will be left in the working tree after failing, so that they can be manually staged and the commit tried again.

• #​1611 cd05fd3 Thanks @​rlorenzo! - Added a new option --continue-on-error so that lint-staged will run all tasks to completion even if some of them fail. By default, lint-staded will exit early on the first failure.

• #​1637 82fcc07 Thanks @​iiroj! - Internal lint-staged errors are now thrown and visible in the console output. Previously they were caught with the process exit code set to 1, but not logged. This happens when, for example, there's a syntax error in the lint-staged configuration file.

• #​1647 a5ecc06 Thanks @​iiroj! - Remove debug as a dependency due to recent malware issue; read more at debug-js/debug#1005. Because of this, the DEBUG environment variable is no longer supported — use the --debug to enable debugging

• #​1636 8db2717 Thanks @​iiroj! - Added a new option --hide-unstaged so that lint-staged will hide all unstaged changes to tracked files before running tasks. The changes will be applied back after running the tasks. Note that the combination of flags --hide-unstaged --no-hide-partially-staged isn't meaningful and behaves the same as just --hide-unstaged.

  Thanks to @​ItsNickBarry for the idea and initial implementation in #​1552.

• #​1648 7900b3b Thanks @​iiroj! - Remove lilconfig to reduce reliance on third-party dependencies. It was used to find possible config files outside of those tracked in Git, including from the parent directories. This behavior has been moved directly into lint-staged and should work about the same.

Patch Changes

• #​1633 7f9e485 Thanks @​dependabot! - Bumps listr2 from 9.0.3 to 9.0.4.

• #​1626 99d5a9b Thanks @​iiroj! - Due to recent phishing attacks, for example [email protected] was released with malware. To avoid lint-staged's users being at risk the direct dependencies are pinned to exact versions, instead of allowing future patch versions with the caret (^) range.

• #​1588 035bbf2 Thanks @​outslept! - Increase performance by listing staged files and searching for configuration concurrently.

• #​1645 deba3ad Thanks @​iiroj! - Remove chalk as a dependency due to recent malware issue; read more at chalk/chalk#656.

  If you are having trouble with ANSI color codes when using lint-staged, you can try setting either FORCE_COLOR=true or NO_COLOR=true env variables.

v16.1.6

Compare Source

Patch Changes

• #​1610 e93578e Thanks @​iiroj! - Try to improve terminating of subprocess of tasks by using SIGKILL, and only calling pidtree when the the main task process has a known pid.

v16.1.5

Compare Source

Patch Changes

• #​1608 4e3ce22 Thanks @​srsatt! - Detect the git repo's top-level directory correctly when in a worktree.

v16.1.4

Compare Source

Patch Changes

• #​1604 90b37b0 Thanks @​iiroj! - Add another types field to package.json to make even more sure NPM detects that lint-staged includes built-in TypeScript type definitions.

v16.1.3

Compare Source

Patch Changes

• #​1602 7ea700b Thanks @​dword-design! - Add the types field to package.json to make sure NPM detects lint-staged includes built-in TypeScript type definitions.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[roomote]

This lint-staged update from 16.1.2 to 16.1.6 looks good to merge! 🚀

The patch-level update includes useful improvements:

• Better subprocess termination handling
• Fixed git worktree detection
• Improved TypeScript type definitions support

All changes are backwards compatible bug fixes with no breaking changes. The transitive dependency updates (chalk, listr2, nano-spawn, yaml) are also minor and compatible.

✅ Safe to merge

[roomote]

No new issues found - all concerns already addressed in existing comments.

[roomote]

P3: Informational — Scope limited to lockfile bump of lint-staged to 16.2.3. No config changes detected in package.json; pre-commit runs npx lint-staged without new flags. Transitive updates (listr2, cli-truncate, yaml, nano-spawn, wrap-ansi) remain compatible. Safe to merge.

[roomote]

I found some issues that need attention.

[roomote]

P3: Confirm environment compatibility and awareness of 16.2.x behavior changes. lint-staged 16.2.3 requires Node >= 20.17 (repo uses 20.19.2, which is OK). Since 16.2.0, the DEBUG env var is no longer supported (replaced by --debug) and new flags like --fail-on-changes/--hide-unstaged alter stash/restore behavior. No action needed if you keep current config, but worth noting for local workflows and CI verbosity.

[roomote]

No new issues found - all concerns already addressed in existing comments.

[roomote]

P3: Informational — Confirmed lockfile bump to lint-staged 16.2.3; no package.json config changes detected. Node ≥ 20.17 requirement satisfied; DEBUG env var no longer supported in 16.2.x (use --debug if needed). No action required.

[roomote]

Reviewing my own lockfile updates again—at least I'm consistent in finding nothing wrong with perfectly automated dependency bumps.

[roomote]

The PR title and description reference lint-staged 16.2.3, but the lockfile shows 16.2.4. The release notes in the PR description don't include information about v16.2.4, creating an information gap. Consider updating the PR description to include release notes for 16.2.4 or clarifying whether this auto-update is intentional.

[roomote]

Rooviewer   See task on Roo Cloud

✅ Review Complete - Issues Found

This lint-staged dependency update from v16.1.2 to v16.2.6 has the following issues:

Dependency Update (Safe)

• Lockfile-only update with no code or configuration changes
• Node requirement (>=20.17) is satisfied by the project's Node 20.19.2
• Existing lint-staged configuration in package.json remains fully compatible
• .husky/pre-commit hook continues to work without modification
• All transitive dependency updates are compatible
• Security improvements: This update removes debug and chalk dependencies that had malware issues

Issues to Address

• Scope Creep: This PR mixes a dependency update with unrelated changes (.husky/pre-push dotenvx changes, OpenAI provider fixes, CustomModesManager error handling, mode import auto-switch, ChatView notification sound logic, test files, and i18n updates). These should be in separate PRs for clearer review and easier rollback.

Recommendation: Split unrelated changes into separate PRs, keeping only the lint-staged dependency update in this PR.

Latest Review (Commit 5e83191): The most recent commit updates lint-staged from 16.2.5 to 16.2.6. The lockfile update itself is clean with no new issues found. The scope creep issue from previous commits remains present.

Previous reviews

• 8059421: Review #1
• e4f01f0: Review #2
• 9d1b0aa: Review #3
• 931a11e: Review #4
• 93abade: Review #5

_{Mention @roomote in a comment to request specific changes to this pull request or fix all unresolved issues.}

[roomote]

This PR mixes a dependency update (lint-staged 16.1.2 → 16.2.5) with unrelated changes: new PR Reviewer page/components, README fixes, YouTube link updates, and Task.ts timeout adjustments. Dependency update PRs should contain only the dependency change and its direct effects. These unrelated changes should be split into separate PRs for clearer review and easier rollback if needed.

[roomote]

Review complete. The lint-staged dependency update itself is safe, but this PR contains unrelated changes that should be split into separate PRs. Please see the inline comment for details.

[roomote]

Re-review complete. The latest commit (e4f01f0) is a clean lockfile update to lint-staged 16.2.5. However, the previously identified scope creep issue remains unresolved - this PR still mixes the dependency update with unrelated changes.