Bump the workspace-deps group across 1 directory with 7 updates

[dependabot]

Bumps the workspace-deps group with 7 updates in the / directory:

Package	From	To
eslint	10.3.0	10.4.0
typescript-eslint	8.59.2	8.59.4
astro	6.3.1	6.3.7
puppeteer-core	24.43.0	25.0.4
tinybench	6.0.1	6.0.2
@types/node	25.6.2	25.9.1
@google-cloud/bigquery	8.3.0	8.3.1

Updates eslint from 10.3.0 to 10.4.0

Release notes

Sourced from eslint's releases.

v10.4.0

Features

• 1a45ec5 feat: check sequence expressions in for-direction (#20701) (kuldeep kumar)
• 450040b feat: add includeIgnoreFile() to eslint/config (#20735) (Kirk Waiblinger)

Bug Fixes

• 544c0c3 fix: escape code path DOT labels in debug output (#20866) (Pixel998)
• 6799431 fix: update dependency @​eslint/config-helpers to ^0.6.0 (#20850) (renovate[bot])
• f078fef fix: handle non-array deprecated rule replacements (#20825) (xbinaryx)

Documentation

• 7e52a71 docs: add mention of @eslint-react/eslint-plugin (#20869) (Pavel)
• db3468b docs: tweak wording around ambiguous CJS-vs-ESM config (#20865) (Kirk Waiblinger)
• 9084664 docs: Update README (GitHub Actions Bot)
• 9cc7387 docs: Update README (GitHub Actions Bot)
• 3d7b548 docs: Update README (GitHub Actions Bot)
• 191ec3c docs: Update README (GitHub Actions Bot)

Chores

• 6616856 chore: upgrade knip to v6 (#20875) (Pixel998)
• d13b084 ci: ensure auto-created PRs run CI (#20860) (lumir)
• e71c7af ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 (#20862) (dependabot[bot])
• d84393d test: add unit tests for SuppressionsService.applySuppressions() (#20863) (kuldeep kumar)
• 24db8cb test: add tests for SuppressionsService.save() (#20802) (kuldeep kumar)
• 2ef0549 chore: update ecosystem plugins (#20857) (github-actions[bot])
• a429791 ci: remove eslint-webpack-plugin types integration test (#20668) (Milos Djermanovic)
• 9e37386 chore: replace recast with range approach in code-sample-minimizer (#20682) (Copilot)
• 0dd1f9f test: disable warning for vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER (#20845) (Francesco Trotta)
• 9da3c7b refactor: remove deprecated meta.language and migrate meta.dialects (#20716) (Pixel998)
• 2099ed1 refactor: add meta.defaultOptions to more rules, enable linting (#20800) (xbinaryx)
• f1dfbc9 chore: update ecosystem plugins (#20836) (github-actions[bot])
• c759413 ci: bump pnpm/action-setup from 6.0.3 to 6.0.5 (#20843) (dependabot[bot])
• 5b817d6 test: add unit tests for lib/shared/ast-utils (#20838) (kuldeep kumar)
• 1c13ae3 test: add unit tests for lib/shared/severity (#20835) (kuldeep kumar)

Commits

• 452c401 10.4.0
• b6417e8 Build: changelog update for 10.4.0
• 6616856 chore: upgrade knip to v6 (#20875)
• d13b084 ci: ensure auto-created PRs run CI (#20860)
• 7e52a71 docs: add mention of @eslint-react/eslint-plugin (#20869)
• e71c7af ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 (#20862)
• 544c0c3 fix: escape code path DOT labels in debug output (#20866)
• db3468b docs: tweak wording around ambiguous CJS-vs-ESM config (#20865)
• d84393d test: add unit tests for SuppressionsService.applySuppressions() (#20863)
• 9084664 docs: Update README
• Additional commits viewable in compare view

Updates typescript-eslint from 8.59.2 to 8.59.4

Release notes

Sourced from typescript-eslint's releases.

v8.59.4

8.59.4 (2026-05-18)

🩹 Fixes

• eslint-plugin: [no-floating-promises] stack overflow when using recursive types (#12294)
• project-service: throw error cause in getParsedConfigFileFromTSServer (#12321)
• typescript-eslint: export Compatible* types from typescript-eslint to resolve pnpm TS error (#12340)

❤️ Thank You

• Evyatar Daud @​StyleShit
• Kirk Waiblinger @​kirkwaiblinger
• lumir

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.3

8.59.3 (2026-05-11)

This was a version bump only, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.59.4 (2026-05-18)

🩹 Fixes

• typescript-eslint: export Compatible* types from typescript-eslint to resolve pnpm TS error (#12340)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.3 (2026-05-11)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• ca6ca14 chore(release): publish 8.59.4
• 4b927c6 fix(typescript-eslint): export Compatible* types from typescript-eslint to re...
• 48e13c0 chore(release): publish 8.59.3
• 44f9625 chore(deps): update vitest monorepo to v4.1.5 (#12307)
• See full diff in compare view

Updates astro from 6.3.1 to 6.3.7

Release notes

Sourced from astro's releases.

astro@6.3.7

Patch Changes

• #16821 9c76b12 Thanks @​astrobot-houston! - Fixes request body handling in the Node adapter when req.body is a Buffer, Uint8Array, or ArrayBuffer. Previously, binary body data was incorrectly JSON-stringified (producing {"type":"Buffer","data":[...]}) instead of being passed through directly. This affected libraries like serverless-http that set req.body to a Buffer.

• #16785 de96360 Thanks @​astrobot-houston! - Fixes vite.build.minify, vite.build.sourcemap, and vite.build.rollupOptions.output (e.g. compact) being ignored for client-side builds. These top-level Vite build options are now properly forwarded to the client environment, with environment-specific overrides (vite.environments.client.build.*) taking priority when set.

• #16819 b5dd8f1 Thanks @​astrobot-houston! - Fixes custom elements in MDX files bypassing the renderer pipeline. Custom elements (tags containing hyphens like <my-element>) in .mdx files are now routed through registered renderers for SSR, matching the behavior of .astro files. If no renderer claims the element, it falls back to rendering as raw HTML.

• #16808 765896c Thanks @​ematipico! - Fixes dynamic routes returning 400 Bad Request when the URL contains a literal % character, such as paths built with encodeURIComponent('%?.pdf')

• #16804 90d2aca Thanks @​jp-knj! - Fixes a v6 regression where astro:i18n could not be imported from client <script> blocks.

astro@6.3.6

Patch Changes

• #16774 8f77583 Thanks @​astrobot-houston! - Fixes markdown images with empty alt text (![](https://github.com/withastro/astro/tree/HEAD/packages/astro/blob/HEAD/image.jpg)) in content collections dropping the alt attribute entirely. The alt="" attribute is now correctly preserved in the rendered HTML output, which is important for accessibility (indicating decorative images).

• #16776 3d10b5e Thanks @​matthewp! - Fixes HMR serving stale content when components are passed as props via getStaticPaths()

• #16784 7453860 Thanks @​ematipico! - Improved the printing of the build time if it goes over the 60 seconds.

• #16665 3dbbcee Thanks @​Princesseuh! - Fixes remote SVG sources erroring with dangerouslyProcessSVG after the v6.3 SVG-processing gate. The default Sharp service now resolves the output format from the source up-front when it can (URL extension, data: MIME, ESM metadata), and from the actual buffer at request time when it can't, so SVG sources pass through untouched without needing to set image.dangerouslyProcessSVG: true or an explicit format="svg".

  The error message has also been updated to point at format="svg" as the simpler workaround when an SVG source is encountered without dangerouslyProcessSVG enabled.

• #16777 1754b91 Thanks @​matthewp! - Fixes HMR serving stale content for dynamically imported components through barrel files

• #16730 068d924 Thanks @​harshagarwalnyu! - Fixes an issue where the file() content loader did not generate a valid JSON Schema for collections whose JSON or YAML data is a top-level array instead of an object.

astro@6.3.5

Patch Changes

• #16771 07c8805 Thanks @​ematipico! - Fixes position prop on <Image> and <Picture> components breaking Content Security Policy (CSP).

• #16593 50924ce Thanks @​yanthomasdev! - Improves error messages with more consistent and correct writing.

• #16757 5d661cd Thanks @​astrobot-houston! - Fixes dev server serving stale content when SSR-only modules change (e.g. .astro files outside the project root in a monorepo, or dynamically imported components).

  Previously, the astro:hmr-reload plugin returned an empty array after detecting SSR-only module changes, which prevented Vite's updateModules from propagating the invalidation to the SSR module runner. The runner's evaluated module cache stayed stale, so subsequent requests continued returning old content.

  Now the plugin returns the SSR-only modules so Vite can process them through updateModules, which properly invalidates the module runner's cache and ensures fresh content on the next request.

astro@6.3.4

Patch Changes

• #16723 0f10bfe Thanks @​matthewp! - Adds fetchFile option to experimental.advancedRouting to customize or disable the entrypoint file

  export default defineConfig({

... (truncated)

Changelog

Sourced from astro's changelog.

6.3.7

Patch Changes

• #16821 9c76b12 Thanks @​astrobot-houston! - Fixes request body handling in the Node adapter when req.body is a Buffer, Uint8Array, or ArrayBuffer. Previously, binary body data was incorrectly JSON-stringified (producing {"type":"Buffer","data":[...]}) instead of being passed through directly. This affected libraries like serverless-http that set req.body to a Buffer.

• #16785 de96360 Thanks @​astrobot-houston! - Fixes vite.build.minify, vite.build.sourcemap, and vite.build.rollupOptions.output (e.g. compact) being ignored for client-side builds. These top-level Vite build options are now properly forwarded to the client environment, with environment-specific overrides (vite.environments.client.build.*) taking priority when set.

• #16819 b5dd8f1 Thanks @​astrobot-houston! - Fixes custom elements in MDX files bypassing the renderer pipeline. Custom elements (tags containing hyphens like <my-element>) in .mdx files are now routed through registered renderers for SSR, matching the behavior of .astro files. If no renderer claims the element, it falls back to rendering as raw HTML.

• #16808 765896c Thanks @​ematipico! - Fixes dynamic routes returning 400 Bad Request when the URL contains a literal % character, such as paths built with encodeURIComponent('%?.pdf')

• #16804 90d2aca Thanks @​jp-knj! - Fixes a v6 regression where astro:i18n could not be imported from client <script> blocks.

6.3.6

Patch Changes

• #16774 8f77583 Thanks @​astrobot-houston! - Fixes markdown images with empty alt text (![](https://github.com/withastro/astro/blob/main/packages/astro/image.jpg)) in content collections dropping the alt attribute entirely. The alt="" attribute is now correctly preserved in the rendered HTML output, which is important for accessibility (indicating decorative images).

• #16776 3d10b5e Thanks @​matthewp! - Fixes HMR serving stale content when components are passed as props via getStaticPaths()

• #16784 7453860 Thanks @​ematipico! - Improved the printing of the build time if it goes over the 60 seconds.

• #16665 3dbbcee Thanks @​Princesseuh! - Fixes remote SVG sources erroring with dangerouslyProcessSVG after the v6.3 SVG-processing gate. The default Sharp service now resolves the output format from the source up-front when it can (URL extension, data: MIME, ESM metadata), and from the actual buffer at request time when it can't, so SVG sources pass through untouched without needing to set image.dangerouslyProcessSVG: true or an explicit format="svg".

  The error message has also been updated to point at format="svg" as the simpler workaround when an SVG source is encountered without dangerouslyProcessSVG enabled.

• #16777 1754b91 Thanks @​matthewp! - Fixes HMR serving stale content for dynamically imported components through barrel files

• #16730 068d924 Thanks @​harshagarwalnyu! - Fixes an issue where the file() content loader did not generate a valid JSON Schema for collections whose JSON or YAML data is a top-level array instead of an object.

6.3.5

Patch Changes

• #16771 07c8805 Thanks @​ematipico! - Fixes position prop on <Image> and <Picture> components breaking Content Security Policy (CSP).

• #16593 50924ce Thanks @​yanthomasdev! - Improves error messages with more consistent and correct writing.

• #16757 5d661cd Thanks @​astrobot-houston! - Fixes dev server serving stale content when SSR-only modules change (e.g. .astro files outside the project root in a monorepo, or dynamically imported components).

  Previously, the astro:hmr-reload plugin returned an empty array after detecting SSR-only module changes, which prevented Vite's updateModules from propagating the invalidation to the SSR module runner. The runner's evaluated module cache stayed stale, so subsequent requests continued returning old content.

  Now the plugin returns the SSR-only modules so Vite can process them through updateModules, which properly invalidates the module runner's cache and ensures fresh content on the next request.

6.3.4

Patch Changes

... (truncated)

Commits

• c8e5a94 [ci] release (#16805)
• 9c76b12 fix(node): pass through Buffer and Uint8Array bodies in makeRequestBody inste...
• bd755f8 [ci] format
• b5dd8f1 fix(jsx): route custom elements in MDX through the renderer pipeline for SSR ...
• 1c8dcc8 [ci] format
• de96360 fix(build): respect vite.build.minify, sourcemap, and rollup output options f...
• f4fdb5a [ci] format
• 765896c fix: improver double encoding check (#16808)
• 90d2aca fix: support i18n on the client (#16804)
• 223a843 [ci] release (#16775)
• Additional commits viewable in compare view

Updates puppeteer-core from 24.43.0 to 25.0.4

Release notes

Sourced from puppeteer-core's releases.

puppeteer-core: v25.0.4

25.0.4 (2026-05-18)

🛠️ Fixes

• Throw TargetCloseError when session ID not found (#15002) (611abef)

puppeteer-core: v25.0.3

25.0.3 (2026-05-18)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 3.0.2 to 3.0.3

puppeteer-core: v25.0.2

25.0.2 (2026-05-15)

🛠️ Fixes

• update docs text (#14992) (36527b8)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 3.0.1 to 3.0.2

puppeteer-core: v25.0.1

25.0.1 (2026-05-13)

🛠️ Fixes

• enabled features should take precedence over disabled features (#14985) (f6fd7c2)
• roll to Chrome 148.0.7778.167 (#14980) (84c46fe)
• roll to Firefox 150.0.3 (#14983) (872f778)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 3.0.0 to 3.0.1

... (truncated)

Changelog

Sourced from puppeteer-core's changelog.

25.0.4 (2026-05-18)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • puppeteer-core bumped from 25.0.3 to 25.0.4

🛠️ Fixes

• Throw TargetCloseError when session ID not found (#15002) (611abef)

25.0.3 (2026-05-18)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 3.0.2 to 3.0.3

25.0.2 (2026-05-15)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 3.0.1 to 3.0.2

🛠️ Fixes

• update docs text (#14992) (36527b8)

... (truncated)

Commits

• 019b49b chore: release main (#15003)
• 611abef fix: Throw TargetCloseError when session ID not found (#15002)
• 272b850 chore(webmcp): Update list tools test with fixed declarative behavior (#15000)
• acb4b9e chore: release main (#14999)
• cce47de fix: fix tar.exe invocation (#14997)
• 2e315b9 chore(deps): bump the all group with 2 updates (#14995)
• 042838f chore(deps): bump node from e989123 to 050bf2b in /docker in the all grou...
• 3aadc38 chore: release main (#14993)
• 36527b8 fix: update docs text (#14992)
• 3ea7bd5 fix: capitalize "Chrome" in troubleshooting.md (#14991)
• Additional commits viewable in compare view

Updates tinybench from 6.0.1 to 6.0.2

Release notes

Sourced from tinybench's releases.

v6.0.2

   🐞 Bug Fixes

• lint: Add promise recommended config and jsdoc check-tag-names rule  -  by @​jerome-benoit (124e4)

    View changes on GitHub

Commits

• 72d7d53 chore: release v6.0.2
• fe73bb8 chore(deps): lock file maintenance (#553)
• 06ed214 chore(deps): update all non-major dependencies (#555)
• ad7f879 chore(deps): update all non-major dependencies (#554)
• 124e4d0 fix(lint): add promise recommended config and jsdoc check-tag-names rule
• ac47e7c chore(deps): update vitest to v4.1.6 and workspace overrides
• 74bcfe9 chore: disable simple-git-hooks build script in allowBuilds
• 93ba1c2 chore(deps): update pnpm to v11 (#550)
• fe0a6f9 build: keep minify with readable output (strip comments, keep whitespace) (#552)
• dcc9499 chore: update pnpm to v11 (#551)
• Additional commits viewable in compare view

Updates @types/node from 25.6.2 to 25.9.1

Commits

• See full diff in compare view

Updates @google-cloud/bigquery from 8.3.0 to 8.3.1

Release notes

Sourced from @​google-cloud/bigquery's releases.

bigquery: v8.3.1

8.3.1 (2026-05-11)

Bug Fixes

• bigquery: Run npm run types in correct directory in owlbot (#8061) (0948b35)
• Bump all node submodules (#8178) (9fd76ef)
• Pin @​sinonjs/fake-timers to unblock build in bigquery (#8121) (374167b)

Changelog

Sourced from @​google-cloud/bigquery's changelog.

8.3.1 (2026-05-11)

Bug Fixes

• bigquery: Run npm run types in correct directory in owlbot (#8061) (0948b35)
• Bump all node submodules (#8178) (9fd76ef)
• Pin @​sinonjs/fake-timers to unblock build in bigquery (#8121) (374167b)

Commits

• 92b328b chore: release main (#8242)
• 0ad39e4 chore: update owlbot configs (#8229)
• 9fd76ef fix: bump all node submodules (#8178)
• 374167b fix: pin @​sinonjs/fake-timers to unblock build in bigquery (#8121)
• 0948b35 fix(bigquery): run npm run types in correct directory in owlbot (#8061)
• ca7959c build: pin packages to sinon 21.0.3 for now to dodge a build error (#8053)
• f6f8d0f chore(main): release bigquery 8.3.0 (#7900)
• 7fad2f6 fix: Unblock the releases on Node Bigquery (#7946)
• e500d40 feat(bigquery): allow the user to ask for skipping parsing rows when querying...
• 51d569e test: trim the unit tests to only capture important cases (#7303)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[cloudflare-workers-and-pages]

Deploying framework-tracker with    Cloudflare Pages

Latest commit:	c673065
Status:	✅  Deploy successful!
Preview URL:	https://48c07c62.framework-tracker.pages.dev
Branch Preview URL:	https://dependabot-npm-and-yarn-work-9ph6.framework-tracker.pages.dev

View logs

[43081j]

looks like its borked because theres 2 copies of puppeteer in there

[gameroman]

looks like its borked because theres 2 copies of puppeteer in there

Will need to wait until GoogleChrome/lighthouse#17019 is merged probably