chore(deps): bump the patch group across 1 directory with 3 updates

[dependabot]

Bumps the patch group with 3 updates in the / directory: hono, @biomejs/biome and @playwright/test.

Updates hono from 4.12.26 to 4.12.27

Release notes

Sourced from hono's releases.

v4.12.27

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc

---

Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

Commits

• 97c6fe1 4.12.27
• aa92177 Merge commit from fork
• cd3f6f7 Merge commit from fork
• d4853a8 fix(jsx): make merged context-isolation tests pass tsc type check (#5037)
• 6735fea fix(jsx): cast awaitedFallback through unknown to fix Deno type check (#5036)
• fab3b13 Merge commit from fork
• 9f0dadf ci: use npm Staged publishing (#5035)
• See full diff in compare view

Updates @biomejs/biome from 2.5.0 to 2.5.1

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.5.1

2.5.1

Patch Changes

• #10722 f8a303d Thanks @​denbezrukov! - Fixed CSS formatter output for comments between import media queries.

  -@import url("print.css") print,
  -/* comment */
  -screen;
  +@import url("print.css") print, /* comment */ screen;

• #10738 9fdc560 Thanks @​JamBalaya56562! - Fixed #9899: the json and json-pretty reporters now escape backslashes in a diagnostic's location.path. Previously, paths containing backslashes (such as Windows-style paths) were emitted unescaped, producing invalid JSON.

  -    "path": "src\account\setup-passkey.tsx",
  +    "path": "src\\account\\setup-passkey.tsx",

• #10626 5f837df Thanks @​tom-groves! - Fixed #10625: biome migrate no longer emits an invalid trailing comma when a renamed rule (such as noConsoleLog → noConsole) is the last member of its rule group. Previously this produced malformed output that aborted the migration of a strict-JSON biome.json with a parsing error.

• #10535 c245f9d Thanks @​Mokto! - Fixed a false positive in noUnusedVariables for Svelte files where variables referenced inside {@html expr} blocks were incorrectly reported as unused.

• #10668 a0f197e Thanks @​Netail! - The biome init command has been updated to include a more up-to-date URL to the first-party extensions page.

• #10667 d8c3e87 Thanks @​Netail! - Fixed #10664: useErrorCause now correctly detects a shorthand property.

• #10696 ef2373f Thanks @​ematipico! - Fixed #9566. Improved how the Biome Language Server loads multiple configuration files inside a workspace.

• #10705 4ccb410 Thanks @​ematipico! - Fixed #10652. Biome plugins are now properly filtered when using --only and --skip flags.

• #10669 aa0a6eb Thanks @​Netail! - Fixed #10651: useInlineScriptId now correctly trims trivia to detect if an id attribute has been set.

• #10689 844b1be Thanks @​ematipico! - Fixed #10658. The issue was caused by the "Go-to definition" editor feature, which was enabled by default. The feature is now disabled by default. To work, the feature triggers the scanner to build the module graph. This caused memory leak issues in cases where Biome starts in the home directory to modify files.

  If you relied on this new feature, you must now turn on using the [editor settings] of the extension e.g. Zed and VSCode.

• #10695 043fbb5 Thanks @​ematipico! - Fixed #10674. Biome now throws an error when the field level is missing from a rule option.

• #10712 5941df2 Thanks @​Conaclos! - Improved the diagnostic and the documentation of useFlatMap.

• #10615 23814f1 Thanks @​qwertycxz! - Improved the DX the JSON schema when it's used by certain code editors like VSCode.

• #10688 ec69489 Thanks @​ematipico! - Fixed a bug where the Biome Daemon did not correctly shut down when the editor was closed during an in-progress operation, especially while scanning.

• #10701 6c2e0d7 Thanks @​ematipico! - Fixed #10694. The Biome Language Server no longer prints an error when the user hovers a variable imported from node_modules.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.5.1

Patch Changes

• #10722 f8a303d Thanks @​denbezrukov! - Fixed CSS formatter output for comments between import media queries.

  -@import url("print.css") print,
  -/* comment */
  -screen;
  +@import url("print.css") print, /* comment */ screen;

• #10738 9fdc560 Thanks @​JamBalaya56562! - Fixed #9899: the json and json-pretty reporters now escape backslashes in a diagnostic's location.path. Previously, paths containing backslashes (such as Windows-style paths) were emitted unescaped, producing invalid JSON.

  -    "path": "src\account\setup-passkey.tsx",
  +    "path": "src\\account\\setup-passkey.tsx",

• #10626 5f837df Thanks @​tom-groves! - Fixed #10625: biome migrate no longer emits an invalid trailing comma when a renamed rule (such as noConsoleLog → noConsole) is the last member of its rule group. Previously this produced malformed output that aborted the migration of a strict-JSON biome.json with a parsing error.

• #10535 c245f9d Thanks @​Mokto! - Fixed a false positive in noUnusedVariables for Svelte files where variables referenced inside {@html expr} blocks were incorrectly reported as unused.

• #10668 a0f197e Thanks @​Netail! - The biome init command has been updated to include a more up-to-date URL to the first-party extensions page.

• #10667 d8c3e87 Thanks @​Netail! - Fixed #10664: useErrorCause now correctly detects a shorthand property.

• #10696 ef2373f Thanks @​ematipico! - Fixed #9566. Improved how the Biome Language Server loads multiple configuration files inside a workspace.

• #10705 4ccb410 Thanks @​ematipico! - Fixed #10652. Biome plugins are now properly filtered when using --only and --skip flags.

• #10669 aa0a6eb Thanks @​Netail! - Fixed #10651: useInlineScriptId now correctly trims trivia to detect if an id attribute has been set.

• #10689 844b1be Thanks @​ematipico! - Fixed #10658. The issue was caused by the "Go-to definition" editor feature, which was enabled by default. The feature is now disabled by default. To work, the feature triggers the scanner to build the module graph. This caused memory leak issues in cases where Biome starts in the home directory to modify files.

  If you relied on this new feature, you must now turn on using the [editor settings] of the extension e.g. Zed and VSCode.

• #10695 043fbb5 Thanks @​ematipico! - Fixed #10674. Biome now throws an error when the field level is missing from a rule option.

• #10712 5941df2 Thanks @​Conaclos! - Improved the diagnostic and the documentation of useFlatMap.

• #10615 23814f1 Thanks @​qwertycxz! - Improved the DX the JSON schema when it's used by certain code editors like VSCode.

• #10688 ec69489 Thanks @​ematipico! - Fixed a bug where the Biome Daemon did not correctly shut down when the editor was closed during an in-progress operation, especially while scanning.

• #10701 6c2e0d7 Thanks @​ematipico! - Fixed #10694. The Biome Language Server no longer prints an error when the user hovers a variable imported from node_modules.

• #10681 888515b Thanks @​Conaclos! - Fixed useExportType that reported useless details in some diagnostics.

... (truncated)

Commits

• ffe7d33 chore: revert
• 564d660 chore: revert
• 0abf1a5 ci: release (#10627)
• 23814f1 chore(biome_configuration): add allowTrailingCommas to json-schema to make VS...
• a0f197e chore: dead and old links (#10668)
• See full diff in compare view

Updates @playwright/test from 1.61.0 to 1.61.1

Release notes

Sourced from @​playwright/test's releases.

v1.61.1

Bug Fixes

• #41365 [Bug]: Expect.Extend matcher with same name as default matcher in same expect instance overrides default matchers implementation to custom matcher
• #41351 [Bug]: Playwright UI mode: apiRequestContext._wrapApiCall reports unexpected number of bytes (same test passes in headed mode)
• #41360 [Bug]: Trace viewer: message times in websockets are downscaled by 1000
• #41311 [Bug]: [Regression]: Sync loader throws "context.conditions?.includes is not a function" on Node 22.15
• #41371 [Regression]: Sync ESM loader (registerHooks) fails to resolve extensionless .ts subpath imports across pnpm workspace symlinks

Commits

• 39e3553 cherry-pick(#41399): fix(test): load require-reached files as commonjs in syn...
• 4328122 chore: mark v1.61.1 (#41404)
• 2c29a94 fix(tracing): stop recording websocket frames outside of chunks (#41398)
• 4324b19 cherry-pick(#41367): fix(test): keep builtin expect matchers on base extend
• 041e7e3 cherry-pick(#41364): fix(har): WebSocket message timestamps should be in mi...
• b8a0fc3 cherry-pick(#41309, #43149): Revert "fix(firefox): treat `navigationCommitted...
• b5a3175 cherry-pick(#41319): fix(loader): support other node versions
• d4724a9 cherry-pick(#41290): feat(docker): add Ubuntu 26.04 (Resolute Raccoon) image
• See full diff in compare view