chore(deps-dev): bump the dev-dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the dev-dependencies group with 10 updates in the / directory:

Package	From	To
@biomejs/biome	2.4.16	2.5.1
@types/node	25.9.1	25.9.4
esbuild	0.25.12	0.28.1
gitnexus	1.6.6	1.6.8
turbo	2.9.16	2.9.18
vitest	4.1.8	4.1.9
concurrently	9.2.1	9.2.3
electron	42.4.0	42.5.0
vite	7.3.2	7.3.5
@types/vscode	1.120.0	1.125.0

Updates @biomejs/biome from 2.4.16 to 2.5.1

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.5.1

2.5.1

Patch Changes

• #10722 f8a303d Thanks @​denbezrukov! - Fixed CSS formatter output for comments between import media queries.

  -@import url("print.css") print,
  -/* comment */
  -screen;
  +@import url("print.css") print, /* comment */ screen;

• #10738 9fdc560 Thanks @​JamBalaya56562! - Fixed #9899: the json and json-pretty reporters now escape backslashes in a diagnostic's location.path. Previously, paths containing backslashes (such as Windows-style paths) were emitted unescaped, producing invalid JSON.

  -    "path": "src\account\setup-passkey.tsx",
  +    "path": "src\\account\\setup-passkey.tsx",

• #10626 5f837df Thanks @​tom-groves! - Fixed #10625: biome migrate no longer emits an invalid trailing comma when a renamed rule (such as noConsoleLog → noConsole) is the last member of its rule group. Previously this produced malformed output that aborted the migration of a strict-JSON biome.json with a parsing error.

• #10535 c245f9d Thanks @​Mokto! - Fixed a false positive in noUnusedVariables for Svelte files where variables referenced inside {@html expr} blocks were incorrectly reported as unused.

• #10668 a0f197e Thanks @​Netail! - The biome init command has been updated to include a more up-to-date URL to the first-party extensions page.

• #10667 d8c3e87 Thanks @​Netail! - Fixed #10664: useErrorCause now correctly detects a shorthand property.

• #10696 ef2373f Thanks @​ematipico! - Fixed #9566. Improved how the Biome Language Server loads multiple configuration files inside a workspace.

• #10705 4ccb410 Thanks @​ematipico! - Fixed #10652. Biome plugins are now properly filtered when using --only and --skip flags.

• #10669 aa0a6eb Thanks @​Netail! - Fixed #10651: useInlineScriptId now correctly trims trivia to detect if an id attribute has been set.

• #10689 844b1be Thanks @​ematipico! - Fixed #10658. The issue was caused by the "Go-to definition" editor feature, which was enabled by default. The feature is now disabled by default. To work, the feature triggers the scanner to build the module graph. This caused memory leak issues in cases where Biome starts in the home directory to modify files.

  If you relied on this new feature, you must now turn on using the [editor settings] of the extension e.g. Zed and VSCode.

• #10695 043fbb5 Thanks @​ematipico! - Fixed #10674. Biome now throws an error when the field level is missing from a rule option.

• #10712 5941df2 Thanks @​Conaclos! - Improved the diagnostic and the documentation of useFlatMap.

• #10615 23814f1 Thanks @​qwertycxz! - Improved the DX the JSON schema when it's used by certain code editors like VSCode.

• #10688 ec69489 Thanks @​ematipico! - Fixed a bug where the Biome Daemon did not correctly shut down when the editor was closed during an in-progress operation, especially while scanning.

• #10701 6c2e0d7 Thanks @​ematipico! - Fixed #10694. The Biome Language Server no longer prints an error when the user hovers a variable imported from node_modules.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.5.1

Patch Changes

• #10722 f8a303d Thanks @​denbezrukov! - Fixed CSS formatter output for comments between import media queries.

  -@import url("print.css") print,
  -/* comment */
  -screen;
  +@import url("print.css") print, /* comment */ screen;

• #10738 9fdc560 Thanks @​JamBalaya56562! - Fixed #9899: the json and json-pretty reporters now escape backslashes in a diagnostic's location.path. Previously, paths containing backslashes (such as Windows-style paths) were emitted unescaped, producing invalid JSON.

  -    "path": "src\account\setup-passkey.tsx",
  +    "path": "src\\account\\setup-passkey.tsx",

• #10626 5f837df Thanks @​tom-groves! - Fixed #10625: biome migrate no longer emits an invalid trailing comma when a renamed rule (such as noConsoleLog → noConsole) is the last member of its rule group. Previously this produced malformed output that aborted the migration of a strict-JSON biome.json with a parsing error.

• #10535 c245f9d Thanks @​Mokto! - Fixed a false positive in noUnusedVariables for Svelte files where variables referenced inside {@html expr} blocks were incorrectly reported as unused.

• #10668 a0f197e Thanks @​Netail! - The biome init command has been updated to include a more up-to-date URL to the first-party extensions page.

• #10667 d8c3e87 Thanks @​Netail! - Fixed #10664: useErrorCause now correctly detects a shorthand property.

• #10696 ef2373f Thanks @​ematipico! - Fixed #9566. Improved how the Biome Language Server loads multiple configuration files inside a workspace.

• #10705 4ccb410 Thanks @​ematipico! - Fixed #10652. Biome plugins are now properly filtered when using --only and --skip flags.

• #10669 aa0a6eb Thanks @​Netail! - Fixed #10651: useInlineScriptId now correctly trims trivia to detect if an id attribute has been set.

• #10689 844b1be Thanks @​ematipico! - Fixed #10658. The issue was caused by the "Go-to definition" editor feature, which was enabled by default. The feature is now disabled by default. To work, the feature triggers the scanner to build the module graph. This caused memory leak issues in cases where Biome starts in the home directory to modify files.

  If you relied on this new feature, you must now turn on using the [editor settings] of the extension e.g. Zed and VSCode.

• #10695 043fbb5 Thanks @​ematipico! - Fixed #10674. Biome now throws an error when the field level is missing from a rule option.

• #10712 5941df2 Thanks @​Conaclos! - Improved the diagnostic and the documentation of useFlatMap.

• #10615 23814f1 Thanks @​qwertycxz! - Improved the DX the JSON schema when it's used by certain code editors like VSCode.

• #10688 ec69489 Thanks @​ematipico! - Fixed a bug where the Biome Daemon did not correctly shut down when the editor was closed during an in-progress operation, especially while scanning.

• #10701 6c2e0d7 Thanks @​ematipico! - Fixed #10694. The Biome Language Server no longer prints an error when the user hovers a variable imported from node_modules.

• #10681 888515b Thanks @​Conaclos! - Fixed useExportType that reported useless details in some diagnostics.

... (truncated)

Commits

• ffe7d33 chore: revert
• 564d660 chore: revert
• 0abf1a5 ci: release (#10627)
• 23814f1 chore(biome_configuration): add allowTrailingCommas to json-schema to make VS...
• a0f197e chore: dead and old links (#10668)
• c0b9832 ci: release (#10499)
• 995c1ff feat(lint): add useFunctionComponentDefinition rule (#10498)
• 311c2b2 fix(biome_configuration): avoid Markdown links in JSON schema descriptions (#...
• 04c3f19 fix: docs and readme (#10584)
• 961f41c refactor(useExportType): improve docs and code (#10569)
• Additional commits viewable in compare view

Updates @types/node from 25.9.1 to 25.9.4

Commits

• See full diff in compare view

Updates esbuild from 0.25.12 to 0.28.1

Release notes

Sourced from esbuild's releases.

v0.28.1

• Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

  This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

  Thanks to @​dellalibera for reporting this issue.

• Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

  The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

  Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

  Thanks to @​sondt99 for reporting this issue.

• Avoid inlining using and await using declarations (#4482)

  Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

  // Original code
  {
    using x = new Resource()
    x.activate()
  }
  // Old output (with --minify)
  new Resource().activate();
  // New output (with --minify)
  {using e=new Resource;e.activate()}

• Fix module evaluation when an error is thrown (#4461, #4467)

  If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

• Fix some edge cases around the new operator (#4477)

  Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

  // Original code
  new (foo()`bar`)()
  new (foo()?.bar)()
  // Old output
  new foo()bar();
  new (foo())?.bar();

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2025

This changelog documents all esbuild versions published in the year 2025 (versions 0.25.0 through 0.27.2).

0.27.2

• Allow import path specifiers starting with #/ (#4361)

  Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

  This change was contributed by @​hybrist.

• Automatically add the -webkit-mask prefix (#4357, #4358)

  This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

  /* Original code */
  main {
    mask: url(x.png) center/5rem no-repeat
  }
  /* Old output (with --target=chrome110) */
  main {
  mask: url(x.png) center/5rem no-repeat;
  }
  /* New output (with --target=chrome110) */
  main {
  -webkit-mask: url(x.png) center/5rem no-repeat;
  mask: url(x.png) center/5rem no-repeat;
  }

  This change was contributed by @​BPJEnnova.

• Additional minification of switch statements (#4176, #4359)

  This release contains additional minification patterns for reducing switch statements. Here is an example:

  // Original code
  switch (x) {
    case 0:
      foo()
      break
    case 1:
    default:
      bar()
  }

... (truncated)

Commits

• bb9db84 publish 0.28.1 to npm
• 9ff053e security: add integrity checks to the Deno API
• 0a9bf21 enforce non-negative size in gzip parser
• e2a1a71 security: forbid \\ in local dev server requests
• 83a2cbf fix #4482: don't inline using declarations
• 308ad74 fix #4471: renaming of nested var declarations
• f013f5f fix some typos
• aafd6e4 chore: fix some minor issues in comments (#4462)
• 15300c3 follow up: cjs evaluation fixes
• 1bda0c3 fix #4461, fix #4467: esm evaluation fixes
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for esbuild since your current version.

Updates gitnexus from 1.6.6 to 1.6.8

Release notes

Sourced from gitnexus's releases.

v1.6.8

GitNexus v1.6.8

The Program Dependence Graph release. Opt-in PDG-backed impact analysis and taint tracking, built out across every supported language — plus multi-branch indexing, private-repo cloning, and a streamable-HTTP MCP server.

✨ Highlights

• 🎯 PDG-backed impact analysis — impact gains an opt-in mode: 'pdg' that runs statement-level and inter-procedural program slicing for a far more precise blast radius, validated by a mutation oracle. The default call-graph mode is unchanged. (#2227)
• 🧬 A full Program Dependence Graph substrate — control-flow graphs, reaching-definitions data dependence, and control dependence (post-dominators + a Ferrante-style CDG) now exist for every supported language. All of it is opt-in behind --pdg; a default analyze run stays byte-identical. (#2197, #2160, #2188, #2211)
• 🔬 Taint analysis — intra-procedural tracking over the PDG plus inter-procedural taint via function summaries propagated over resolved CALLS edges. (#2164, #2179)
• 🌿 Multi-branch indexing — analyze and query a repository per branch, each stored under its own subdirectory, with the primary-branch layout untouched. (#2137)
• 🔐 Private repositories — clone private GitHub repos with a PAT, with Azure DevOps Server support. (#2223)
• 🔌 MCP gains a trace tool and an HTTP server — shortest call path between two symbols, and gitnexus mcp --http over Streamable HTTP (with legacy SSE). (#2173, #2141)

---

🚀 Added

• PDG-backed impact analysis (opt-in) — impact gains a mode: 'pdg' that runs statement-level and inter-procedural program slicing for far more precise blast radius, with resolved-callee-id soundness and validation by a mutation oracle; the default call-graph mode is unchanged (#2227)
• Program Dependence Graph substrate across the language matrix — a control-flow-graph layer landed for TS/JS (#2099) and was extended to PDG/CFG visitors for every supported language (#2197); on top of it an intra-procedural REACHING_DEF data-dependence layer (#2160), value-position branches (if/when/switch/match/try used as expressions) modeled as control dependence (#2211), and full control dependence via post-dominators + a Ferrante-style CDG (#2188). All layers are opt-in behind --pdg; a default analyze run stays byte-identical (#2082, #2085, #2205, #2207, #2195)
• Taint analysis — intra-procedural taint tracking over the PDG (#2164) plus inter-procedural taint via function summaries propagated over resolved CALLS edges (#2179) (#2083, #2084)
• Multi-branch indexing and branch-scoped querying — analyze and query a repository per branch, with each branch stored under its own subdirectory and the primary branch layout left unchanged (#2137, #2106)
• Private GitHub repos via PAT + Azure DevOps Server support — gitnexus analyze can clone private GitHub repositories with a personal access token and supports Azure DevOps Server remotes (#2223, #2076, #2210)
• MCP trace tool — returns the shortest call path between two symbols (#2173)
• MCP HTTP server — gitnexus mcp --http exposes the server over Streamable HTTP with legacy SSE transport support (#2141)
• HTTP route extraction — Java Spring route annotations are now extracted into Route nodes (#2078), and the HTTP method is persisted on each Route node (#2234, #2138)
• gitnexus analyze circular import cycle check (#2166)
• gitnexus analyze embeddings flags — --embeddings-baseurl, --embeddings-model, --embeddings-auth-token, and --embeddings-dims to point analyze at a custom embeddings provider (#2140)
• gitnexus setup coding-agent integration selection — choose which coding-agent integrations to install during setup (#2168)
• C++ CUDA source extensions parsed — .cu/.cuh files are now ingested (#2213)

🐛 Fixed

• impact() / route_map under-reporting blast radius — name-resolution gaps that caused callers and routes to be dropped are fixed, with ambiguous symbols reported per-candidate (#2136, #2129, #1858, #1852)
• Single-ancestor method override detection in the MRO processor (#2199)
• MCP query / cypher parameter names — renamed so Claude Code can invoke them, while still accepting the legacy parameter (#2186)
• C++ overload resolution — homogeneous braced-init overloads are now ranked (#2214), deleted overload winners are suppressed (#2094), and the C++ hook layer handles pack-base comments and missing hook overrides (#2247)
• Large-repo analyze crash — the pipeline now survives non-cloneable worker results instead of aborting (#2135, #2112)
• Embeddings — onnxruntime-common resolves under pnpm-strict / pnpm dlx installs (#2139, #307), and the VECTOR index is created via conn.query rather than the prepared-statement path that silently skipped it (#2114)
• Vendored tree-sitter grammars — loaded from vendor/ by absolute path so analyze finds them regardless of CWD (#2144, #2111)
• Registry wipe on transient I/O errors prevented — a failed read no longer clears the repository registry (#2124)
• Server roots resolve from GITNEXUS_HOME — clone, upload, and mapping roots honor the configured home directory (#2229)
• Wiki generation keeps the graph DB pinned so it is not evicted mid-generation (#2232)
• Group sync pins repositories so large groups resolve their cross-repo links (#2191)
• Web viewer — a chat-only mode for large projects prevents the WebUI from hanging (#2185, #2178), and the broken Browse-for-folder control was replaced with an upload directory picker (#1850)
• Hooks — the augment CLI child is wrapped in the orphan guard (#2169), db-lock probe subprocesses are bounded and gated behind a hook slot (#2165), and the MCP-owned-DB augment-skip diagnostic is silenced for strict hook runners (#2134, #2163, #1913)
• Docker image ships runtime-needed published assets — hooks/ and skills/ are copied into the image so gitnexus analyze no longer crashes with MODULE_NOT_FOUND (#2132, #2130)
• gitnexus analyze preserves trailing spaces in git roots (#2192)
• Write-route origin guard scoped to the server's own bound host (#2172)
• Impact PDG Mutation Report workflow — fixed three latent oracle bugs (dist-CLI invocation under Node ≥ 22.18 type-stripping, undeclared @babel/* deps, and a recall-gated check filter) so the mutation oracle CI runs green (#2258)

... (truncated)

Changelog

Sourced from gitnexus's changelog.

[1.6.8] - 2026-06-20

Added

• PDG-backed impact analysis (opt-in) — impact gains a mode: 'pdg' that runs statement-level and inter-procedural program slicing for far more precise blast radius, with resolved-callee-id soundness and validation by a mutation oracle; the default call-graph mode is unchanged (#2227)
• Program Dependence Graph substrate across the language matrix — a control-flow-graph layer landed for TS/JS (#2099) and was extended to PDG/CFG visitors for every supported language (#2197); on top of it an intra-procedural REACHING_DEF data-dependence layer (#2160), value-position branches (if/when/switch/match/try used as expressions) modeled as control dependence (#2211), and full control dependence via post-dominators + a Ferrante-style CDG (#2188). All layers are opt-in behind --pdg; a default analyze run stays byte-identical (#2082, #2085, #2205, #2207, #2195)
• Taint analysis — intra-procedural taint tracking over the PDG (#2164) plus inter-procedural taint via function summaries propagated over resolved CALLS edges (#2179) (#2083, #2084)
• Multi-branch indexing and branch-scoped querying — analyze and query a repository per branch, with each branch stored under its own subdirectory and the primary branch layout left unchanged (#2137, #2106)
• Private GitHub repos via PAT + Azure DevOps Server support — gitnexus analyze can clone private GitHub repositories with a personal access token and supports Azure DevOps Server remotes (#2223, #2076, #2210)
• MCP trace tool — returns the shortest call path between two symbols (#2173)
• MCP HTTP server — gitnexus mcp --http exposes the server over Streamable HTTP with legacy SSE transport support (#2141)
• HTTP route extraction — Java Spring route annotations are now extracted into Route nodes (#2078), and the HTTP method is persisted on each Route node (#2234, #2138)
• gitnexus analyze circular import cycle check (#2166)
• gitnexus analyze embeddings flags — --embeddings-baseurl, --embeddings-model, --embeddings-auth-token, and --embeddings-dims to point analyze at a custom embeddings provider (#2140)
• gitnexus setup coding-agent integration selection — choose which coding-agent integrations to install during setup (#2168)
• C++ CUDA source extensions parsed — .cu/.cuh files are now ingested (#2213)

Fixed

• impact() / route_map under-reporting blast radius — name-resolution gaps that caused callers and routes to be dropped are fixed, with ambiguous symbols reported per-candidate (#2136, #2129, #1858, #1852)
• Single-ancestor method override detection in the MRO processor (#2199)
• MCP query / cypher parameter names — renamed so Claude Code can invoke them, while still accepting the legacy parameter (#2186)
• C++ overload resolution — homogeneous braced-init overloads are now ranked (#2214), deleted overload winners are suppressed (#2094), and the C++ hook layer handles pack-base comments and missing hook overrides (#2247)
• Large-repo analyze crash — the pipeline now survives non-cloneable worker results instead of aborting (#2135, #2112)
• Embeddings — onnxruntime-common resolves under pnpm-strict / pnpm dlx installs (#2139, #307), and the VECTOR index is created via conn.query rather than the prepared-statement path that silently skipped it (#2114)
• Vendored tree-sitter grammars — loaded from vendor/ by absolute path so analyze finds them regardless of CWD (#2144, #2111)
• Registry wipe on transient I/O errors prevented — a failed read no longer clears the repository registry (#2124)
• Server roots resolve from GITNEXUS_HOME — clone, upload, and mapping roots honor the configured home directory (#2229)
• Wiki generation keeps the graph DB pinned so it is not evicted mid-generation (#2232)
• Group sync pins repositories so large groups resolve their cross-repo links (#2191)
• Web viewer — a chat-only mode for large projects prevents the WebUI from hanging (#2185, #2178), and the broken Browse-for-folder control was replaced with an upload directory picker (#1850)
• Hooks — the augment CLI child is wrapped in the orphan guard (#2169), db-lock probe subprocesses are bounded and gated behind a hook slot (#2165), and the MCP-owned-DB augment-skip diagnostic is silenced for strict hook runners (#2134, #2163, #1913)
• Docker image ships runtime-needed published assets — hooks/ and skills/ are copied into the image so gitnexus analyze no longer crashes with MODULE_NOT_FOUND (#2132, #2130)
• gitnexus analyze preserves trailing spaces in git roots (#2192)
• Write-route origin guard scoped to the server's own bound host (#2172)
• Impact PDG Mutation Report workflow — fixed three latent oracle bugs (dist-CLI invocation under Node ≥ 22.18 type-stripping, undeclared @babel/* deps, and a recall-gated check filter) so the mutation oracle CI runs green (#2258)

Changed

• tree-sitter readiness/summary CI hardened — readiness and grammar-update workflows aligned on a shared manifest (#2187, #858), readiness summary counts kept current (#2196), and the summary now fails on parse drift (#2246)
• Devcontainer simplified — Dockerfile and devcontainer.json no longer pin version args for the AI CLIs (#2174)

Performance

• Graph-DB emit/persistence — cut overall emit/persistence wall time (#2215) and overlap node COPY with relationship emit (#2226) (#2203)
• PDG/CFG emit — streaming/chunked PDG graph emit for full-kernel-scale repos (#2216, #2202) and an SSA-sparse reaching-defs solver replacing the dense-set worklist (#2212, #2201)
• Hook db-lock scan — cmdline-first on Linux, dropping the lsof fallback (#2183, #2180)

Chore / Dependencies

... (truncated)

Commits

• 2210697 chore: release v1.6.8 (#2260)
• 2399671 fix(impact-pdg): make the Impact PDG Mutation Report workflow pass (3 latent ...
• 78b4077 feat(impact): opt-in PDG-backed impact mode - statement + inter-procedural sl...
• a691dcb feat(routes): persist HTTP method on Route nodes (#2138 part 1/2) (#2234)
• bb78c72 chore(deps)(deps-dev): bump vitest from 4.1.8 to 4.1.9 in /gitnexus (#2249)
• fff0118 fix(cpp-hooks): handle pack-base comments and missing hook overrides (#2247)
• 16e6ad6 fix(server): resolve clone/upload/mapping roots from GITNEXUS_HOME (#2229)
• 4d9318e chore(deps)(deps): bump hono from 4.12.23 to 4.12.26 in /gitnexus (#2244)
• 78e5ff3 fix(wiki): keep graph DB pinned during generation (#2232)
• 72876ab fix(cpp): rank homogeneous braced-init overloads (#2214)
• Additional commits viewable in compare view

Install script changes

This version modifies postinstall script that runs during installation. Review the package contents before updating.

Updates turbo from 2.9.16 to 2.9.18

Release notes

Sourced from turbo's releases.

Turborepo v2.9.18

What's Changed

Changelog

• release(turborepo): 2.9.17 by @​github-actions[bot] in vercel/turborepo#13047
• ci: Fetch version.txt via API in docs alias failure notification by @​anthonyshew in vercel/turborepo#13050
• fix: Harden cache archive symlink restore by @​anthonyshew in vercel/turborepo#13051
• chore: Remove web UI mode by @​anthonyshew in vercel/turborepo#13052
• fix: Harden query server file access by @​anthonyshew in vercel/turborepo#13053
• fix: Confine prune patch paths by @​anthonyshew in vercel/turborepo#13054
• fix: Prevent git argument injection in SCM refs by @​anthonyshew in vercel/turborepo#13055
• fix: Strip special mode bits from cache restore by @​anthonyshew in vercel/turborepo#13056
• fix: Contain incremental cache outputs by @​anthonyshew in vercel/turborepo#13057
• fix(turborepo): Normalize Windows daemon path hash by @​Balance8 in vercel/turborepo#13020
• fix: Preserve vt100 cell byte counts by @​anthonyshew in vercel/turborepo#13058
• fix: Separate artifact signature fields by @​anthonyshew in