Bump the pnpm group across 1 directory with 15 updates

[dependabot]

Bumps the pnpm group with 15 updates in the / directory:

Package	From	To
@dotenvx/dotenvx	1.46.0	1.51.2
@hono/node-server	1.15.0	1.19.7
@scalar/hono-api-reference	0.9.9	0.9.28
@scalar/openapi-to-markdown	0.2.19	0.3.8
@t3-oss/env-core	0.13.8	0.13.10
argon2	0.43.0	0.44.0
hono	4.8.4	4.11.1
jose	6.0.11	6.1.3
radashi	12.6.0	12.7.1
ts-pattern	5.7.1	5.9.0
@biomejs/biome	2.1.1	2.3.9
chalk	5.4.1	5.6.2
rimraf	6.0.1	6.1.2
tsx	4.20.3	4.21.0
typescript	5.8.3	5.9.3

Updates @dotenvx/dotenvx from 1.46.0 to 1.51.2

Release notes

Sourced from @​dotenvx/dotenvx's releases.

v1.51.2

see CHANGELOG

v1.51.1

see CHANGELOG

v1.51.0

see CHANGELOG

v1.50.1

see CHANGELOG

v1.50.0

see CHANGELOG

v1.49.1

see CHANGELOG

v1.49.0

see CHANGELOG

v1.48.4

see CHANGELOG

v1.48.3

see CHANGELOG

v1.48.2

see CHANGELOG

v1.48.1

see CHANGELOG

v1.48.0

see CHANGELOG

v1.47.7

see CHANGELOG

v1.47.6

see CHANGELOG

v1.47.5

see CHANGELOG

v1.47.4

see CHANGELOG

v1.47.3

see CHANGELOG

... (truncated)

Changelog

Sourced from @​dotenvx/dotenvx's changelog.

1.51.2 (2025-12-12)

Changed

• Switch npm publish to use Dotenvx Ops' new Rotation Tokens (ROTs) (#715)

This will allow us to start dogfooding our own solution for third-party API key rotation. Third-party API key rotation would drastically improve security industry wide. Please get in touch if this is interesting to you.

1.51.1 (2025-11-03)

Added

• Add opsOff type information

1.51.0 (2025-09-23)

Added

• Add config({opsOff: true}) options and --ops-off flag for turning off Dotenvx Ops features. (#680)

1.50.1 (2025-09-18)

Removed

• Remove listed command to radar (now ops) (#678)

1.50.0 (2025-09-18)

Added

• Add optional dotenvx ops command (#677)
• Ops is a coming rename of Radar. Radar will become a feature inside ops.
• With dotenvx ops use dotenvx across your team, infrastructure, agents, and more.

 _______________________________________________________________________
|                                                                       |
|  Dotenvx Ops: Commercial Tooling for Dotenvx                          |
|                                                                       |
|  ░▒▓██████▓▒░░▒▓███████▓▒░ ░▒▓███████▓▒░                              |
| ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░                                     |
| ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░                                     |
| ░▒▓█▓▒░░▒▓█▓▒░▒▓███████▓▒░ ░▒▓██████▓▒░                               |
| ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░             ░▒▓█▓▒░                              |
| ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░             ░▒▓█▓▒░                              |
|  ░▒▓██████▓▒░░▒▓█▓▒░      ░▒▓███████▓▒░                               |
|                                                                       |
|  Use dotenvx across your team, infrastructure, agents, and more.      |
|                                                                       |
|  Learn more at https://dotenvx.com/ops                                |
</tr></table> 

... (truncated)

Commits

• 996adb4 1.51.2
• 8c55137 Merge pull request #715 from dotenvx/rot-token
• 3466b42 changelog 🪵
• 064fa27 changelog 🪵
• a6a199f switch to publishing via Dotenvx Rotation Token (ROT)
• 882ea84 1.51.1
• 4c77450 changelog 🪵
• 95b65ef adjust note
• 2e8f4d4 Merge pull request #696 from dotenvx/copilot/update-dotenvconfigoptions-type-...
• 6eb5a81 Final verification complete - opsOff type definition added
• Additional commits viewable in compare view

Updates @hono/node-server from 1.15.0 to 1.19.7

Release notes

Sourced from @​hono/node-server's releases.

v1.19.7

What's Changed

• fix: Fix for hono issue 4563 - incorrect content-length after following symlink by @​tshmieldev in honojs/node-server#290
• chore: add configVersion to bun.lock by @​yusukebe in honojs/node-server#291

New Contributors

• @​tshmieldev made their first contribution in honojs/node-server#290

Full Changelog: honojs/node-server@v1.19.6...v1.19.7

v1.19.6

What's Changed

• fix(serve-static): fix onFound timing by @​usualoma in honojs/node-server#286

Full Changelog: honojs/node-server@v1.19.5...v1.19.6

v1.19.5

What's Changed

• fix: cancel a readable stream if a writable stream is closed before a readable stream is closed. by @​usualoma in honojs/node-server#280

Full Changelog: honojs/node-server@v1.19.4...v1.19.5

v1.19.4

What's Changed

• fix(serve-static): Add error handling in createStreamBody by @​thongdoan in honojs/node-server#278

New Contributors

• @​thongdoan made their first contribution in honojs/node-server#278

Full Changelog: honojs/node-server@v1.19.3...v1.19.4

v1.19.3

What's Changed

• fix: Refactor promise check for response handling by @​kay-is in honojs/node-server#277

New Contributors

• @​kay-is made their first contribution in honojs/node-server#277

Full Changelog: honojs/node-server@v1.19.2...v1.19.3

v1.19.2

What's Changed

• fix: better handle range parse to avoid NaN error by @​zwpaper in honojs/node-server#276

New Contributors

• @​zwpaper made their first contribution in honojs/node-server#276

Full Changelog: honojs/node-server@v1.19.1...v1.19.2

... (truncated)

Commits

• 0a4826c 1.19.7
• b253386 chore: add configVersion to bun.lock (#291)
• 38e17b5 fix: Fix for hono issue 4563 - incorrect content-length after following symli...
• 3cdef3f 1.19.6
• 3435875 fix(serve-static): fix onFound timing (#286)
• 840c22b 1.19.5
• 4b5a8d1 fix: cancel a readable stream if a writable stream is closed before a readabl...
• a5e7d50 1.19.4
• 0ee7ce1 fix(serve-static): Add error handling in createStreamBody (#278)
• f3156d9 1.19.3
• Additional commits viewable in compare view

Updates @scalar/hono-api-reference from 0.9.9 to 0.9.28

Changelog

Sourced from @​scalar/hono-api-reference's changelog.

0.9.28

Patch Changes

• Updated dependencies []:
  • @​scalar/core@​0.3.26

0.9.27

Patch Changes

• Updated dependencies [daa5df4]:
  • @​scalar/core@​0.3.25

0.9.26

Patch Changes

• Updated dependencies []:
  • @​scalar/core@​0.3.24

0.9.25

Patch Changes

• Updated dependencies []:
  • @​scalar/core@​0.3.23

0.9.24

Patch Changes

• #7241 2377b76 Thanks @​hanspagel! - chore: use "current" not "latest" scalar registry url

• Updated dependencies [2377b76]:

  • @​scalar/core@​0.3.22

0.9.23

Patch Changes

• #7170 5d2a740 Thanks @​renovate! - Bump dependency to patch GHSA-q7jf-gf43-6x6p

• Updated dependencies []:

  • @​scalar/core@​0.3.21

0.9.22

Patch Changes

... (truncated)

Commits

• See full diff in compare view

Updates @scalar/openapi-to-markdown from 0.2.19 to 0.3.8

Changelog

Sourced from @​scalar/openapi-to-markdown's changelog.

0.3.8

Patch Changes

• Updated dependencies [f7c24e4, 4ac6227]:
  • @​scalar/helpers@​0.2.2
  • @​scalar/components@​0.16.8
  • @​scalar/oas-utils@​0.6.8
  • @​scalar/openapi-parser@​0.23.7

0.3.7

Patch Changes

• Updated dependencies [72cd82f, 21aa62e, 72cd82f]:
  • @​scalar/oas-utils@​0.6.7
  • @​scalar/openapi-parser@​0.23.6
  • @​scalar/helpers@​0.2.1
  • @​scalar/openapi-types@​0.5.3
  • @​scalar/types@​0.5.2
  • @​scalar/components@​0.16.7
  • @​scalar/openapi-upgrader@​0.1.6

0.3.6

Patch Changes

• Updated dependencies [9ec8adf]:
  • @​scalar/helpers@​0.2.0
  • @​scalar/oas-utils@​0.6.6
  • @​scalar/components@​0.16.6
  • @​scalar/openapi-parser@​0.23.5

0.3.5

Patch Changes

• #7387 bfd814a Thanks @​geoffgscott! - hotfix: patch exports from build tooling bug

• Updated dependencies [5aa0380, 62b5210, a164d76, bfd814a, 86f028d]:

  • @​scalar/components@​0.16.5
  • @​scalar/openapi-types@​0.5.2
  • @​scalar/helpers@​0.1.3
  • @​scalar/types@​0.5.1
  • @​scalar/oas-utils@​0.6.5
  • @​scalar/openapi-parser@​0.23.4
  • @​scalar/openapi-upgrader@​0.1.5

0.3.4

... (truncated)

Commits

• See full diff in compare view

Updates @t3-oss/env-core from 0.13.8 to 0.13.10

Changelog

Sourced from @​t3-oss/env-core's changelog.

0.13.10

Patch Changes

• #388 a778bf3 Thanks @​juliusmarminge! - add VERCEL_TARGET_ENV to vercel preset

0.13.9

Patch Changes

• #326 5987d5a Thanks @​Abdalrhman-Almarakeby! - update skipValidation flag to skip validation for extended presets

Commits

• aefbe74 chore(release): 📦 version packages (#389)
• a778bf3 feat(preset): add VERCEL_TARGET_ENV (#388)
• 1551e40 update the docs to zod 4 (#382)
• 14b4d0a feat(docs): add standard schema docs (#383)
• 090edb2 chore(release): 📦 version packages (#387)
• 19c5d6f bump valibot
• 5987d5a fix: apply skipValidation to all presets when set on parent (#326)
• 5f68dca feat: improve oxc lint/fmt, add husky hooks to pre-commit and CI/CD (#386)
• 5382c57 init oxc (#384)
• 256f679 chore: bump remaining packagers (#379)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​t3-oss/env-core since your current version.

Updates argon2 from 0.43.0 to 0.44.0

Release notes

Sourced from argon2's releases.

v0.44.0

What's Changed

• Bump node-addon-api from 8.4.0 to 8.5.0 by @​dependabot[bot] in ranisalt/node-argon2#466
• Bump node-gyp from 11.2.0 to 11.3.0 by @​dependabot[bot] in ranisalt/node-argon2#467
• Build system tweaks for reproducible builds by @​threema-danilo in ranisalt/node-argon2#447

Full Changelog: ranisalt/node-argon2@v0.43.1...v0.44.0

v0.43.1

Fixes #456 caused by Typescript 5.7 changing how Buffer types work (see microsoft/TypeScript#59417). FreeBSD ARM64 prebuilds are now available.

What's Changed

• Avoid overriding _FORTIFY_SOURCE if already set by @​threema-danilo in ranisalt/node-argon2#455
• Support FreeBSD ARM64 builds by @​ranisalt in ranisalt/node-argon2#459
• Bump node-addon-api from 8.3.1 to 8.4.0 by @​dependabot[bot] in ranisalt/node-argon2#460
• Bump tar-fs from 2.1.2 to 2.1.3 by @​dependabot[bot] in ranisalt/node-argon2#458

New Contributors

• @​threema-danilo made their first contribution in ranisalt/node-argon2#455

Full Changelog: ranisalt/node-argon2@v0.43.0...v0.43.1

Commits

• cd4eae5 v0.44.0
• 0d88d0d Build system tweaks for reproducible builds
• a6ca2fd Bump @​biomejs/biome from 1.9.4 to 2.1.4
• c33250d Bump node-gyp from 11.2.0 to 11.3.0 (#467)
• e4ff08c Bump node-addon-api from 8.4.0 to 8.5.0 (#466)
• b3de3a2 Potential fix for code scanning alert no. 35: Workflow does not contain permi...
• bcf7232 v0.43.1
• 93fa469 Fix linter formatting
• 6727b44 Upgrade dependencies, revert Typescript to v5.6.3
• e96cf5a Bump tar-fs from 2.1.2 to 2.1.3 (#458)
• Additional commits viewable in compare view

Updates hono from 4.8.4 to 4.11.1

Release notes

Sourced from hono's releases.

v4.11.1

What's Changed

• fix(types): fix app.on method array type inference by @​kosei28 in honojs/hono#4578

Full Changelog: honojs/hono@v4.11.0...v4.11.1

v4.11.0

Release Notes

Hono v4.11.0 is now available!

This release includes new features for the Hono client, middleware improvements, and an important type system fix.

Type System Fix for Middleware

We've fixed a bug in the type system for middleware. Previously, app did not have the correct type with pathless handlers:

const app = new Hono()
  .use(async (c, next) => {
    await next()
  })
  .get('/a', async (c, next) => {
    await next()
  })
  .get((c) => {
    return c.text('Hello')
  })
// app's type was incorrect

This has now been fixed.

Thanks @​kosei28!

Typed URL for Hono Client

You can now pass the base URL as the second type parameter to hc to get more precise URL types:

const client = hc<typeof app, 'http://localhost:8787'>(
  'http://localhost:8787/'
)
const url = client.api.posts.$url()
// url is TypedURL with precise type information
// including protocol, host, and path

... (truncated)

Commits

• 1fbe45b 4.11.1
• 37c3809 fix(types): fix app.on method array type inference (#4578)
• fe278e9 4.11.0
• 0d739b6 Merge pull request #4574 from honojs/next
• 3e12de6 fix(types): replace schema-based path tracking with CurrentPath parameter (#4...
• 6d62638 feat(secure-headers): Add CSP report-to and report-uri directive support (#4555)
• b694129 feat(client): add buildSearchParams option to customize query serialization (...
• d94f4a4 feat(context-storage): Add optional tryGetContext helper to context-storage m...
• 61f473b feat(pretty-json): support force option (#4531)
• 44bb7bb feat(timing): add wrapTime to simplify usage (#4519)
• Additional commits viewable in compare view

Updates jose from 6.0.11 to 6.1.3

Release notes

Sourced from jose's releases.

v6.1.3

Refactor

• avoid export * as for google closure's compiler sake (6303d98), closes #832

v6.1.2

Refactor

• fallback to checking instanceof for CryptoKey (901cd90), closes #765 #803 #821 #827 #828

v6.1.1

Documentation

• add link to RFC9864 (767edde)
• link to ML-DSA for JOSE (ed4252c)
• remove mention of Edge Runtime from the readme (94fdde7)
• update README.md (25098ef)

Refactor

• eliminate named exports in the source code (f6ae30d)
• expose setKeyManagementParameters also on a GeneralEncrypt Recipient (16e6b23)
• faster path for symmetric key checks (a44c2ec)
• improve en/decoding overheads (daee426)

v6.1.0

Features

• support AKP JWKs in calculateJwkThumbprint and calculateJwkThumbprintUri (cf2092a)
• support for the ML-DSA PQC Algorithm Identifiers (25ddce4)

v6.0.13

Refactor

• more readability in ecdhes.ts (84da9de)
• update asn1.ts helpers (b4f8fb3)

v6.0.12

Documentation

• add known caveats to customFetch (02e1f1e)
• mention the apu/apv parameter names in setKeyManagementParameters (6274d5a)
• update compact setKeyManagementParameters (2f44381)
• use GitHub Flavored Markdown for notes and warnings (f6b4ffc)

Refactor

• createPublicKey is not a constructor (61ded78)

... (truncated)

Changelog

Sourced from jose's changelog.

6.1.3 (2025-12-02)

Refactor

• avoid export * as for google closure's compiler sake (6303d98), closes #832

6.1.2 (2025-11-15)

Refactor

• fallback to checking instanceof for CryptoKey (901cd90), closes #765 #803 #821 #827 #828

6.1.1 (2025-11-09)

Documentation

• add link to RFC9864 (767edde)
• link to ML-DSA for JOSE (ed4252c)
• remove mention of Edge Runtime from the readme (94fdde7)
• update README.md (25098ef)

Refactor

• eliminate named exports in the source code (f6ae30d)
• expose setKeyManagementParameters also on a GeneralEncrypt Recipient (16e6b23)
• faster path for symmetric key checks (a44c2ec)
• improve en/decoding overheads (daee426)

6.1.0 (2025-08-27)

Features

• support AKP JWKs in calculateJwkThumbprint and calculateJwkThumbprintUri (cf2092a)
• support for the ML-DSA PQC Algorithm Identifiers (25ddce4)

6.0.13 (2025-08-21)

Refactor

• more readability in ecdhes.ts (84da9de)
• update asn1.ts helpers (b4f8fb3)

6.0.12 (2025-07-15)

... (truncated)

Commits

• ebb8774 chore(release): 6.1.3
• 6303d98 refactor: avoid export * as for google closure's compiler sake
• 39c8805 chore: bump packages
• cf5726e chore: update error message
• 0154775 chore: update threat model
• d015cdf chore: add a threat model
• c5e285e chore: bump packages
• d681315 chore: bump packages
• 4ae1005 chore(deps-dev): bump glob from 11.0.3 to 11.1.0 (#831)
• aaedc25 chore(deps-dev): bump js-yaml from 3.14.1 to 3.14.2 (#830)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for jose since your current version.

Updates radashi from 12.6.0 to 12.7.1

Release notes

Sourced from radashi's releases.

v12.7.1

Fixed

• Ensure DurationParser static properties can be tree-shaked in b9d7529

v12.7.0

New Functions

Add getOrInsert and getOrInsertComputed functions [→ PR #444](radashi-org/radashi#444)

Access or initialize map entries without boilerplate branching. getOrInsert writes the provided value once, while getOrInsertComputed lazily creates an entry only when it is missing.

• Works with both Map and WeakMap instances
• Returns the stored entry so you can chain additional logic
• Avoids unnecessary factory calls when a key already exists

import * as _ from 'radashi'
const counts = new Map<string, number>()
_.getOrInsert(counts, 'clicks', 1) // => 1
_.getOrInsert(counts, 'clicks', 5) // => 1
_.getOrInsertComputed(counts, 'views', () => 10) // => 10
_.getOrInsertComputed(counts, 'views', () => 0) // => 10

Inspired by TC39's upsert proposal.

🔗 Docs: getOrInsert · getOrInsertComputed / Source: getOrInsert.ts · getOrInsertComputed.ts / Tests: getOrInsert.test.ts · getOrInsertComputed.test.ts

Add isArrayEqual function [→ PR #417](radashi-org/radashi#417)

Compare arrays with Object.is precision. isArrayEqual checks length and element identity, correctly handling tricky cases like NaN, sparse arrays, and the +0/-0 distinction.

• Uses Object.is so NaN matches itself while +0 and -0 stay distinct
• Short-circuits when lengths differ for a fast inequality check
• Leaves the original arrays untouched

import * as _ from 'radashi'
_.isArrayEqual([1, 2, 3], [1, 2, 3]) // => true
_.isArrayEqual([0], [-0]) // => false
_.isArrayEqual([Number.NaN], [Number.NaN]) // => true

🔗 Docs / Source / Tests

... (truncated)

Changelog

Sourced from radashi's changelog.

[radashi@12.7.1] - 2025-11-19

Details

Fixed

• Ensure DurationParser static properties can be tree-shaked in b9d7529

[radashi@12.7.0] - 2025-10-17

Details

Added

• Add identity function in 38e2f37
• Add isArrayEqual function in 095f2b0
• Add isMapEqual and isSetEqual functions in 0fa566a
• Add getOrInsert and getOrInsertComputed in 4675076
• (objectify) Add index parameter to getKey and getValue functions in 1506472
• Add absoluteJitter and proportionalJitter in ebea7d7

Changed

• Preserve tuple type in min/max even with a getter in c72a1c4
• Use identity as default getter for sort in df55a6e

[radashi@12.6.2] - 2025-08-20

Details

Fixed

• (range) Ensure end parameter works when 0 in 9c8ffa0

[radashi@12.6.1] - 2025-08-09

Details

Fixed

• (group) Use Object.create(null) for the returned object in 5db8c37

Commits

• 478e0cd chore(release): 12.7.1
• 763e630 chore: update .cliffignore
• b9d7529 fix: ensure DurationParser static properties can be tree-shaked (#447)
• 0154943 chore(scripts): use dist build for tree-shake-check
• 6207890 chore: add tree-shake-check script
• 6c8276a Revert "feat!: transpile to Node18 syntax (#448)"
• b109d1e feat!: transpile to Node18 syntax (#448)
• f0c9c33 chore(docs): remove unnecessary await in example
• 900f2e8 chore(release): 12.7.0
• 11d932d chore: prepare release notes
• Additional commits viewable in compare view

Updates ts-pattern from 5.7.1 to 5.9.0

Release notes

Sourced from ts-pattern's releases.

v5.9.0

New features

P.record patterns

To match a Record<Key, Value> (an object with consistent key and value types), you can use P.record(keyPattern, valuePattern). It takes a sub-pattern to match against the key, a sub-pattern to match against the value, and will match if all entries in the object match these two sub-patterns.

import { match, P } from 'ts-pattern';
type Input = Record<string, number>;
const input: Input = {
alice: 100,
bob: 85,
charlie: 92,
};
const output = match(input)
.with(P.record(P.string, P.number), (scores) => All user scores)
.with(P.record(P.string, P.string), (names) => All user names)
.otherwise(() => '');
console.log(output);
// => "All user scores"

You can also use P.record with a single argument P.record(valuePattern), which assumes string keys:

const userProfiles = {
  alice: { name: 'Alice', age: 25 },
  bob: { name: 'Bob', age: 30 },
};
const output = match(userProfiles)
.with(
P.record({ name: P.string, age: P.number }),
(profiles) => User profiles with name and age
)
.otherwise(() => 'Different format');
console.log(output);
// => "User profiles with name and age"

When using P.select in record patterns, you can extract all keys or all values as arrays:

... (truncated)

Commits

• 0e15315 fix: remove unused import
• 07fb919 Merge pull request #332 from gvergnaud/gvergnaud/feat-p-record-implementation
• 2b18391 add chainable tests
• b16276a ç5.9.0
• e073980 feat(P.record): Add docs
• 07508ba feat(P.record): add exhaustive checking tests
• fbefc6b deps: update TS and jest
• 4070733 feat(P.record): implementation
• 29fbd3a Merge pull request #317 from timvandam/patch-1
• 2721652 Update README.md
• Additional commits viewable in compare view

Updates @biomejs/biome from 2.1.1 to 2.3.9

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.3.9

2.3.9

Patch Changes

• #8232 84c9e08 Thanks @​ruidosujeira! - Added the nursery rule noScriptUrl.

  This rule disallows the use of javascript: URLs, which are considered a form of eval and can pose security risks such as XSS vulnerabilities.

  <a href="javascript:alert('XSS')">Click me</a>

• #8341 343dc4d Thanks @​arendjr! - Added the nursery rule useAwaitThenable, which enforces that await is only used on Promise values.

  Invalid

  await "value";
  const createValue = () => "value";
  await createValue();

  Caution

  This is a first iteration of the rule, and does not yet detect generic "thenable" values.

• #8034 e7e0f6c Thanks @​Netail! - Added the nursery rule useRegexpExec. Enforce RegExp#exec over String#match if no global flag is provided.

• #8137 d407efb Thanks @​denbezrukov! - Reduced the internal memory used by the Biome formatter.

• #8281 30b046f Thanks @​tylersayshi! - Added the rule useRequiredScripts, which enforces presence of configurable entries in the scripts section of package.json files.

• #8290 d74c8bd Thanks @​dyc3! - The HTML formatter has been updated to match Prettier 3.7's behavior for handling <iframe>'s allow attribute.

  - <iframe allow="layout-animations 'none'; unoptimized-images 'none'; oversized-images 'none'; sync-script 'none'; sync-xhr 'none'; unsized-media 'none';"></iframe>
  + <iframe
  + 	allow="
  + 		layout-animations 'none';
  + 		unoptimized-images 'none';
  + 		oversized-images 'none';
  + 		sync-script 'none';
  + 		sync-xhr 'none';
  + 		unsized-media 'none';
  + 	"
  + ></iframe>

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.3.9

Patch Changes

• #8232 84c9e08 Thanks @​ruidosujeira! - Added the nursery rule noScriptUrl.

  This rule disallows the use of javascript: URLs, which are considered a form of eval and can pose security risks such as XSS vulnerabilities.

  <a href="javascript:alert('XSS')">Click me</a>

• #8341 343dc4d Thanks @​arendjr! - Added the nursery rule useAwaitThenable, which enforces that await is only used on Promise values.

  Invalid

  await "value";
  const createValue = () => "value";
  await createValue();

  Caution

  This is a first iteration of the rule, and does not yet detect generic "thenable" values.

• #8034 e7e0f6c Thanks @​Netail! - Added the nursery rule useRegexpExec. Enforce RegExp#exec over String#match if no global flag is provided.

• #8137 d407efb Thanks @​denbezrukov! - Reduced the internal memory used by the Biome formatter.

• #8281 30b046f Thanks @​tylersayshi! - Added the rule useRequiredScripts, which enforces presence of configurable entries in the scripts section of package.json files.

• #8290 d74c8bd Thanks @​dyc3! - The HTML formatter has been updated to match Prettier 3.7's behavior for handling <iframe>'s allow attribute.

  - <iframe allow...
  Description has been truncated

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Note

Free review on us!

CodeRabbit is offering free reviews until Wed Dec 17 2025 to showcase some of the refinements we've made.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}