chore(deps): bump the linting group across 1 directory with 2 updates #351

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/linting-a59ebda6dc

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026

Bumps the linting group with 2 updates in the / directory: @biomejs/biome and @commitlint/cli.

Updates @biomejs/biome from 2.4.10 to 2.4.13

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.13

2.4.13

Patch Changes

  • #9969 c5eb92b Thanks @​officialasishkumar! - Added the nursery rule noUnnecessaryTemplateExpression, which disallows template literals that only contain string literal expressions. These can be replaced with a simpler string literal.

    For example, the following code triggers the rule:

    const a = `${"hello"}`; // can be 'hello'
    const b = `${"prefix"}_suffix`; // can be 'prefix_suffix'
    const c = `${"a"}${"b"}`; // can be 'ab'
  • #10037 f785e8c Thanks @​minseong0324! - Fixed #9810: noMisleadingReturnType no longer reports false positives on a getter with a matching setter in the same namespace.

    class Store {
      get status(): string {
        if (Math.random() > 0.5) return "loading";
        return "idle";
      }
      set status(v: string) {}
    }
  • #10084 5e2f90c Thanks @​jiwon79! - Fixed #10034: noUselessEscapeInRegex no longer flags escapes of ClassSetReservedPunctuator characters (&, !, #, %, ,, :, ;, <, =, >, @, `, ~) inside v-flag character classes as useless. These characters are reserved as individual code points in v-mode, so the escape is required.

    The following pattern is now considered valid:

    /[a-z\&]/v;
  • #10063 c9ffa16 Thanks @​Netail! - Added extra rule sources from ESLint CSS. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

  • #10035 946b50e Thanks @​Netail! - Fixed #10032: useIframeSandbox now flags if there's no initializer value.

  • #9865 68fb8d4 Thanks @​dyc3! - Added the new nursery rule useDomNodeTextContent, which prefers textContent over innerText for DOM node text access and destructuring.

    For example, the following snippet triggers the rule:

    const foo = node.innerText;
  • #10023 bd1e74f Thanks @​ematipico! - Added a new nursery rule noReactNativeDeepImports that disallows deep imports from the react-native package. Internal paths like react-native/Libraries/... are not part of the public API and may change between versions.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.13

Patch Changes

... (truncated)

Commits

Updates @commitlint/cli from 20.5.0 to 20.5.2

Release notes

Sourced from @​commitlint/cli's releases.

v20.5.2

20.5.2 (2026-04-25)

Just minor dep updates before the next breaking change

Chore & Docs

New Contributors

Full Changelog: conventional-changelog/commitlint@v20.5.1...v20.5.2

v20.5.1

20.5.1 (2026-03-31)

Bug Fixes

Reverts

Core & co

Full Changelog: conventional-changelog/commitlint@v20.5.0...v20.5.1

Changelog

Sourced from @​commitlint/cli's changelog.

20.5.2 (2026-04-25)

Note: Version bump only for package @​commitlint/cli

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the linting group with 2 updates in the / directory: [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) and [@commitlint/cli](https://github.com/conventional-changelog/commitlint/tree/HEAD/@commitlint/cli).


Updates `@biomejs/biome` from 2.4.10 to 2.4.13
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.4.13/packages/@biomejs/biome)

Updates `@commitlint/cli` from 20.5.0 to 20.5.2
- [Release notes](https://github.com/conventional-changelog/commitlint/releases)
- [Changelog](https://github.com/conventional-changelog/commitlint/blob/master/@commitlint/cli/CHANGELOG.md)
- [Commits](https://github.com/conventional-changelog/commitlint/commits/v20.5.2/@commitlint/cli)

---
updated-dependencies:
- dependency-name: "@biomejs/biome"
  dependency-version: 2.4.13
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: linting
- dependency-name: "@commitlint/cli"
  dependency-version: 20.5.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: linting
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot commented on behalf of github Apr 27, 2026

Labels

The following labels could not be found: npm. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from rubenmarcus as a code owner April 27, 2026 11:55
@github-actions github-actions Bot added the chore label Apr 27, 2026
@github-actions

✔️ Bundle Size Analysis

Metric  Value
Base    2836.86 KB
PR      2836.86 KB
Diff    0 KB (0%)

Bundle breakdown
140K	dist/auth
80K	dist/automation
4.0K	dist/cli.d.ts
4.0K	dist/cli.d.ts.map
24K	dist/cli.js
16K	dist/cli.js.map
740K	dist/commands
28K	dist/config
4.0K	dist/index.d.ts
4.0K	dist/index.d.ts.map
4.0K	dist/index.js
4.0K	dist/index.js.map
916K	dist/integrations
100K	dist/llm
1.3M	dist/loop
188K	dist/mcp
60K	dist/presets
92K	dist/setup
40K	dist/skills
428K	dist/sources
76K	dist/ui
144K	dist/utils
336K	dist/wizard

@claude claude Bot left a comment

LGTM, dependabot patch bumps of dev-only lint tooling (biome, commitlint).

Extended reasoning...

Overview

Dependabot patch bumps in pnpm-lock.yaml only: @biomejs/biome 2.4.10 → 2.4.13 and @commitlint/cli 20.5.0 → 20.5.2 (with cascading lockfile updates to transitive deps like rollup, postcss, ajv, global-directory, ini, string-width). Both are dev-only linting tools used in CI/local pre-commit and have no runtime/production footprint.

Security risks

None meaningful. These are patch-level updates of well-known dev tooling published by the upstream maintainers, with no source code changes in this repo. No auth, crypto, or runtime code paths are touched.

Level of scrutiny

Low — lockfile-only change for patch-version dev-dependency bumps. The release notes describe new lint rules and bug fixes; nothing in the changelog suggests breaking behavior, and these tools execute only at lint time, not in shipped artifacts.

Other factors

The bug hunting system found no issues. The only timeline comment is dependabot itself complaining about a missing npm label, which is a config nit unrelated to correctness. Safe to auto-approve.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e9a0ef0c7e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread pnpm-lock.yaml
'@commitlint/config-validator': 20.5.0
'@commitlint/types': 20.5.0
global-directory: 4.0.1
global-directory: 5.0.0
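
Review bot: the global-directory entry moves from 4.0.1 to 5.0.0, a major-version change in a transitive dependency that arrives under a patch-level bump of @commitlint/cli. Before merging, check the engines range declared by the new major (and by anything it pulls in) against the Node versions this repo supports, and scan the rest of the lockfile diff for other major jumps.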
P2 Badge Avoid raising minimum Node patch via commitlint transitive bump

This update switches @commitlint/resolve-extends to 20.5.2, which brings in global-directory@5.0.0 and transitively ini@6.0.0 (Node engine ^20.17.0 || >=22.9.0). Because this repo has engine-strict=true in .npmrc, pnpm install now fails for contributors running Node 20.12–20.16, so the dependency bump silently narrows supported Node 20 patch versions. If that support change is unintended, pinning commitlint or overriding this transitive chain would avoid breaking installs.

Useful? React with 👍 / 👎.
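
The engine narrowing described in the review comment above can be caught mechanically in CI. The following is an added example, not code from this repository or from any bot in the thread: the function names and the `example-*` entries are hypothetical, only the `ini@6.0.0` range comes from the comment, and the range matcher is a simplified stand-in for a full semver library.

```javascript
// Added example: report lockfile packages whose engines.node range excludes a
// supported Node version. Handles ^, >=, <=, >, <, =, "*", spaces (AND), "||" (OR).
function parseVersion(v) {
  const [major = 0, minor = 0, patch = 0] = v.split(".").map(Number);
  return [major, minor, patch];
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function matchesComparator(version, comparator) {
  if (comparator === "*") return true;
  const m = /^(\^|>=|<=|>|<|=)?(\d+(?:\.\d+){0,2})$/.exec(comparator);
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const base = parseVersion(m[2]);
  const c = compare(version, base);
  switch (m[1] || "=") {
    case "^": return version[0] === base[0] && c >= 0; // valid for major >= 1
    case ">=": return c >= 0;
    case "<=": return c <= 0;
    case ">": return c > 0;
    case "<": return c < 0;
    default: return c === 0;
  }
}

function satisfies(versionStr, range) {
  const version = parseVersion(versionStr);
  return range.split("||").some((alt) =>
    alt.trim().replace(/([\^<>=])\s+/g, "$1").split(/\s+/).filter(Boolean)
      .every((c) => matchesComparator(version, c)));
}

function findEngineConflicts(packages, supportedNodeVersions) {
  return packages
    .filter((pkg) => pkg.engines && pkg.engines.node)
    .map((pkg) => ({ name: pkg.name, range: pkg.engines.node,
      excluded: supportedNodeVersions.filter((v) => !satisfies(v, pkg.engines.node)) }))
    .filter((hit) => hit.excluded.length > 0);
}

// Constructed sample; only the ini@6.0.0 range is taken from the review comment.
const samplePackages = [
  { name: "ini@6.0.0", engines: { node: "^20.17.0 || >=22.9.0" } },
  { name: "example-a@1.0.0", engines: { node: ">=18" } }, // hypothetical
  { name: "example-b@2.0.0" }, // hypothetical, declares no engines
];
console.log(findEngineConflicts(samplePackages, ["20.12.0", "20.16.0", "20.17.0", "22.9.0"]));
```

Feeding it the parsed package entries from the lockfile and the lowest Node patch versions the project claims to support turns a silent support change into a failing check.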

dependabot Bot commented on behalf of github May 4, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this May 4, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/linting-a59ebda6dc branch May 4, 2026 12:18