Update all non-major dependencies

[keldaan-ag]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@biomejs/biome (source)	2.4.9 → 2.4.10			devDependencies	patch
@colyseus/monitor	0.17.7 → 0.17.8			dependencies	patch
@colyseus/sdk	0.17.35 → 0.17.36			dependencies	patch
discord.js (source)	14.25.1 → 14.26.0			dependencies	minor
dotenv	17.3.1 → 17.4.0			dependencies	minor
esbuild	^0.27.0 → ^0.28.0			devDependencies	minor
fast-xml-parser	5.5.9 → 5.5.10			dependencies	patch
i18next-http-backend	3.0.2 → 3.0.4			dependencies	patch
knip (source)	6.0.6 → 6.2.0			devDependencies	minor
phaser3-rex-plugins (source)	1.80.19 → 1.80.20			dependencies	patch
renovatebot/github-action	v46.1.6 → v46.1.7			action	patch

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.4.10

Compare Source

Patch Changes

• #​8838 f3a6a6b Thanks @​baeseokjae! - Added new lint nursery rule noImpliedEval.

  The rule detects implied eval() usage through functions like setTimeout, setInterval, and setImmediate when called with string arguments.

  // Invalid
  setTimeout("alert('Hello');", 100);
  
  // Valid
  setTimeout(() => alert("Hello"), 100);

• #​9320 93c3b6c Thanks @​taberoajorge! - Fixed #​7664: noUnusedVariables no longer reports false positives for TypeScript namespace declarations that participate in declaration merging with an exported or used value declaration (const, function, or class) of the same name. The reverse direction is also handled: a value declaration merged with an exported namespace is no longer flagged.

• #​9630 1dd4a56 Thanks @​raashish1601! - Fixed #​9629: noNegationElse now keeps ternary branch comments attached to the correct branch when applying its fixer.

• #​9216 04243b0 Thanks @​FrederickStempfle! - Fixed #​9061: noProcessEnv now also detects process.env when process is imported from the "process" or "node:process" modules.

  Previously, only the global process object was flagged:

  import process from "node:process";
  // This was not flagged, but now it is:
  console.log(process.env.NODE_ENV);

• #​9692 61b7ec5 Thanks @​mkosei! - Fixed Svelte #each destructuring parsing and formatting for nested patterns such as [key, { a, b }].

• #​9627 06a0f35 Thanks @​ematipico! - Fixed #​191: Improved the performance of how the Biome Language Server pulls code actions and diagnostics.

  Before, code actions were pulled and computed all at once in one request. This approach couldn't work in big files, and caused Biome to stale and have CPU usage spikes up to 100%.

  Now, code actions are pulled and computed lazily, and Biome won't choke anymore in big files.

• #​9643 5bfee36 Thanks @​dyc3! - Fixed #​9347: useVueValidVBind no longer reports valid object bindings like v-bind="props".

• #​9627 06a0f35 Thanks @​ematipico! - Fixed assist diagnostics being invisible when using --diagnostic-level=error. Enforced assist violations (e.g. useSortedKeys) were filtered out before being promoted to errors, causing biome check to incorrectly return success.

• #​9695 9856a87 Thanks @​dyc3! - Added the new nursery rule noUnsafePlusOperands, which reports + and += operations that use object-like, symbol, unknown, or never operands, or that mix number with bigint.

• #​9627 06a0f35 Thanks @​ematipico! - Fixed duplicate parse errors in check and ci output. When a file had syntax errors, the same parse error was printed twice and the error count was inflated.

• #​9627 06a0f35 Thanks @​ematipico! - Improved the performance of the commands lint and check when they are called with --write.

• #​9627 06a0f35 Thanks @​ematipico! - Fixed --diagnostic-level not fully filtering diagnostics. Setting --diagnostic-level=error now correctly excludes warnings and infos from both the output and the summary counts.

• #​9623 13b3261 Thanks @​ematipico! - Fixed #​9258: --skip no longer causes suppressions/unused warnings for suppression comments targeting skipped rules or domains.

• #​9631 599dd04 Thanks @​raashish1601! - Fixed #​9625: experimentalEmbeddedSnippetsEnabled no longer crashes when a file mixes formatable CSS-in-JS templates with tagged templates that the embedded formatter can't currently delegate, such as a styled-components interpolation returning `css```.

colyseus/colyseus (@​colyseus/monitor)

v0.17.8: @​colyseus/monitor v0.17.8

• Allow editing and deleting room state values from the monitor panel
• Replace react-json-edit and react18-json-view with json-edit-react
• Redesigned UI: stat cards, cleaner layout, better spacing

monitor-update.mp4

discordjs/discord.js (discord.js)

v14.26.0

Compare Source

Bug Fixes

• Remove manage messages check for pinnable (#​11453) (1a0da18)
• DJSError: Differentiate error type (#​11295) (f5b3f84)

Features

• Allow partial DMChannel without client user (#​11462) (45bd430)
• Modal radio group and checkbox components for v14 (#​11437) (b42e499)

Refactor

• DJSError: Prefer this.constructor.name (#​11294) (e32f0c1)

Typings

• BroadcastEval overload order (#​11422) (16d70b9)

motdotla/dotenv (dotenv)

v17.4.0

Compare Source

Added

• Add skills/ folder with focused agent skills: skills/dotenv/SKILL.md (core usage) and skills/dotenvx/SKILL.md (encryption, multiple environments, variable expansion) for AI coding agent discovery via the skills.sh ecosystem (npx skills add motdotla/dotenv)

Changed

• Tighten up logs: ◇ injecting env (14) from .env (#​1003)

evanw/esbuild (esbuild)

v0.28.0

Compare Source

• Add support for with { type: 'text' } imports (#​4435)

  The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

  import string from './example.txt' with { type: 'text' }
  console.log(string)

• Add integrity checks to fallback download path (#​4343)

  Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

  This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

• Update the Go compiler from 1.25.7 to 1.26.1

  This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

  • It now uses the new garbage collector that comes with Go 1.26.
  • The Go compiler is now more aggressive with allocating memory on the stack.
  • The executable format that the Go linker uses has undergone several changes.
  • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

  You can read the Go 1.26 release notes for more information.

v0.27.7

Compare Source

• Fix lowering of define semantics for TypeScript parameter properties (#​4421)

  The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

  // Original code
  class Foo {
    constructor(public x = 1) {}
    y = 2
  }
  
  // Old output (with --loader=ts --target=es2021)
  class Foo {
    constructor(x = 1) {
      this.x = x;
      __publicField(this, "y", 2);
    }
    x;
  }
  
  // New output (with --loader=ts --target=es2021)
  class Foo {
    constructor(x = 1) {
      __publicField(this, "x", x);
      __publicField(this, "y", 2);
    }
  }

v0.27.5

Compare Source

• Fix for an async generator edge case (#​4401, #​4417)

  Support for transforming async generators into the equivalent state machine was added in version 0.19.0. However, the generated state machine didn't work correctly when polling async generators concurrently, such as in the following code:

  async function* inner() { yield 1; yield 2 }
  async function* outer() { yield* inner() }
  let gen = outer()
  for await (let x of [gen.next(), gen.next()]) console.log(x)

  Previously esbuild's output of the above code behaved incorrectly when async generators were transformed (such as with --supported:async-generator=false). The transformation should be fixed starting with this release.

  This fix was contributed by @​2767mr.

• Fix a regression when metafile is enabled (#​4420, #​4418)

  This release fixes a regression introduced by the previous release. When metafile: true was enabled in esbuild's JavaScript API, builds with build errors were incorrectly throwing an error about an empty JSON string instead of an object containing the build errors.

• Use define semantics for TypeScript parameter properties (#​4421)

  Parameter properties are a TypeScript-specific code generation feature that converts constructor parameters into class fields when they are prefixed by certain keywords. When "useDefineForClassFields": true is present in tsconfig.json, the TypeScript compiler automatically generates class field declarations for parameter properties. Previously esbuild didn't do this, but esbuild will now do this starting with this release:

  // Original code
  class Foo {
    constructor(public x: number) {}
  }
  
  // Old output (with --loader=ts)
  class Foo {
    constructor(x) {
      this.x = x;
    }
  }
  
  // New output (with --loader=ts)
  class Foo {
    constructor(x) {
      this.x = x;
    }
    x;
  }

• Allow es2025 as a target in tsconfig.json (#​4432)

  TypeScript recently added es2025 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2025"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

NaturalIntelligence/fast-xml-parser (fast-xml-parser)

v5.5.10: performance improvment, increase entity expansion default limit

Compare Source

• increase default entity explansion limit as many projects demand for that

maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,

• performance improvement
  • reduce calls to toString
  • early return when entities are not present
  • prepare rawAttrsForMatcher only if user sets jPath: false

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.9...v5.5.10

i18next/i18next-http-backend (i18next-http-backend)

v3.0.4

Compare Source

• use own interpolation function for loadPath and addPath instead of relying on i18next's interpolator i18next#2420

webpro-nl/knip (knip)

v6.2.0: Release 6.2.0

Compare Source

• Support tilde-prefixed scoped package names (e.g. @​~private/pkg) (#​1656) (947893d) - thanks @​MatissJanis!
• fix(storybook): mark vitest coverage deps as optional when addon-vitest is used (#​1654) (06e88d4) - thanks @​brick-pixel!
• Deduplicate module graph queue to avoid redundant file processing (#​1657) (e34d3b0) - thanks @​MatissJanis!
• Export KnipConfiguration type for dynamic config use cases (resolve #​1634) (4a64e0e)
• Release knip@​6.2.0 (d8c0161)

v6.1.1: Release 6.1.1

Compare Source

• Handle absolute Vitest test roots (#​1650) (898a412) - thanks @​filipw01!
• Fix reference types regex to allow extra attributes (resolve #​1649) (1d5f943)
• Update docs (close #​1614, close #​1615) (f1ac529)
• Release knip@​6.1.1 (fcfdabe)

v6.1.0: Release 6.1.0

Compare Source

• Add knip.nodeRuntimePath setting (resolve #​1643) (65e943c)
• Swap Astro sharp detection to match default behavior (#​1559) (84968bb)
• feat: stencil plugin (#​1644) (d5d20e5) - thanks @​johnjenkins!
• Enable metro plugin when expo is installed (#​1600) (14bc9d7) - thanks @​DaniFoldi!
• Resolve jsPlugins dependencies in oxlint plugin (#​1576) (e11c962) - thanks @​nikolailehbrink!
• Wrap up oxlint jsPlugins support (209a9f7)
• Update dependencies (close #​1646) (869020f)
• Fix config hint filePath edge case (e79c302)
• Rename oxlint config file in fixtures (5630204)

rexrainbow/phaser3-rex-notes (phaser3-rex-plugins)

v1.80.20

Compare Source

renovatebot/github-action (renovatebot/github-action)

v46.1.7

Compare Source

Documentation

• update references to renovatebot/github-action to v46.1.6 (3afa29f)

Miscellaneous Chores

• deps: update dependency typescript-eslint to v8.57.1 (3a47fac)
• deps: update node.js to v24.14.1 (28bb013)

Build System

• deps: lock file maintenance (be2fc08)

Continuous Integration

• deps: update ghcr.io/renovatebot/renovate docker tag to v43.86.1 (8795f0b)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.86.2 (9853f69)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.87.0 (f43553b)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.87.1 (266e52c)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.89.0 (15d8db4)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.89.1 (b711f08)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.89.2 (06c1ac0)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.89.3 (4509fbc)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.89.4 (8dd874b)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.89.5 (908aecf)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.89.6 (1a40ecc)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.89.8 (82662d1)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.91.1 (40328d7)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.91.4 (977b086)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.91.5 (398a399)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.91.6 (a416aeb)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.92.1 (8c59289)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.95.0 (5312d97)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.96.0 (6016202)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.98.0 (d4812c2)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.99.0 (47f20b6)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.99.1 (dadfa2f)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "before 6am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.