chore(deps): bump the npm-deps group across 1 directory with 10 updates

[dependabot]

Bumps the npm-deps group with 10 updates in the / directory:

Package	From	To
@hono/node-server	2.0.0	2.0.4
better-auth	1.6.5	1.6.11
better-sqlite3	12.9.0	12.10.0
date-fns	4.1.0	4.3.0
hono	4.12.14	4.12.23
pg	8.20.0	8.21.0
eslint	10.2.0	10.4.0
fallow	2.40.3	2.83.0
globals	17.5.0	17.6.0
tap	21.7.0	21.7.4

Updates @hono/node-server from 2.0.0 to 2.0.4

Release notes

Sourced from @​hono/node-server's releases.

v2.0.4

What's Changed

• fix: stub ws types to prevent them leaking in public types by @​BlankParticle in honojs/node-server#359

Full Changelog: honojs/node-server@v2.0.3...v2.0.4

v2.0.3

What's Changed

• chore(ci): update GitHub Actions versions by @​BlankParticle in honojs/node-server#352
• docs: Align the ServeStaticOptions comment with the current spec by @​kakkokari-gtyih in honojs/node-server#356
• fix: preserve headers mutated after raw Response construction by @​abdulmunimjemal in honojs/node-server#357

New Contributors

• @​kakkokari-gtyih made their first contribution in honojs/node-server#356
• @​abdulmunimjemal made their first contribution in honojs/node-server#357

Full Changelog: honojs/node-server@v2.0.2...v2.0.3

v2.0.2

What's Changed

• fix(serve-static): stop using file birthtime for Date header by @​usualoma in honojs/node-server#350
• fix: handle serveStatic stream fallback backpressure by @​usualoma in honojs/node-server#351

Full Changelog: honojs/node-server@v2.0.1...v2.0.2

v2.0.1

What's Changed

• fix: forward Hono response headers during WebSocket upgrade by @​gentamura in honojs/node-server#346

New Contributors

• @​gentamura made their first contribution in honojs/node-server#346

Full Changelog: honojs/node-server@v2.0.0...v2.0.1

Commits

• 9e1cdee 2.0.4
• b4ca622 fix: stub ws types to prevent them leaking in public types (#359)
• 9d87987 2.0.3
• 9463250 fix: preserve headers mutated after raw Response construction (#357)
• cee5e81 docs: Align the ServeStaticOption command with the current specification (#...
• 4aa0650 chore(ci): update GitHub Actions versions (#352)
• 808159c 2.0.2
• 1a9748e fix: handle serveStatic stream fallback backpressure (#351)
• 54d1bcd fix(serve-static): stop using file birthtime for Date header (#350)
• 9138a80 2.0.1
• Additional commits viewable in compare view

Updates better-auth from 1.6.5 to 1.6.11

Release notes

Sourced from better-auth's releases.

v1.6.11

better-auth

Bug Fixes

• Added an error code to the change-email-disabled response to help clients identify the rejection reason (#8948)
• Fixed access-control role statement types so predefined organization roles expose only their configured permissions in TypeScript (#9507)
• Fixed the anonymous plugin to correctly call onLinkAccount when email verification triggers auto sign-in (#9548)
• Fixed device authorization to bind pending codes to the verifying session, preventing any authenticated user from approving or denying another user's device code (#9573)
• Fixed a race condition in the magic-link plugin that allowed concurrent requests to mint multiple sessions from the same single-use token (#9572)
• Fixed the oidc-provider and mcp plugins to require client_secret for confidential clients on refresh token grants and use constant-time secret comparison (#9576)
• Hardened oidc-provider and mcp plugins to follow OAuth 2.1: removed "none" from advertised signing algorithms, defaulted plain PKCE off, and rejected incomplete PKCE parameters (#9575)
• Fixed an invitation takeover vulnerability by enabling requireEmailVerificationOnInvitation by default and extending the verification gate to getInvitation and listUserInvitations (#9577)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed a race condition in the OAuth authorization-code grant that allowed concurrent token-exchange requests to mint multiple token sets from the same authorization code
• Fixed a race condition in OAuth refresh-token rotation that allowed concurrent requests to fork refresh token families, and added a unique constraint on oauthRefreshToken.token
• Fixed OAuth account linking to require a verified local email before linking an OAuth identity to a local account (#9578)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

• Fixed an invalid import list in the instrumentation module (#9582)
• Widened advanced.ipAddress.ipv6Subnet to accept any valid IPv6 prefix length (0-128) instead of a narrow set of values (#9545)

For detailed changes, see CHANGELOG

@better-auth/scim

Bug Fixes

• Fixed session cleanup to run when admin, anonymous, or SCIM operations delete a user (#9162)
• Fixed generateSCIMToken to reject providerId values that collide with built-in account providers, preventing tokens from authenticating against unintended accounts (#9579)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SSO provider registration to require an org admin or owner role, preventing any organization member from registering providers (#9220)
• Fixed an SSRF vulnerability by validating user-supplied OIDC endpoint URLs against a public-routable host allowlist at provider registration and update (#9574)

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.11

Patch Changes

• #9568 0cbddb8 Thanks @​gustavovalverde! - Add internalAdapter.consumeVerificationValue(identifier): atomically consume a verification row keyed by identifier. The first concurrent caller receives the row; later racers receive null. Backed by a new DBAdapter.consumeOne primitive implemented natively per adapter (memory, mongo, drizzle, kysely, prisma), with a transaction(findMany + delete) factory fallback. SecondaryStorage.getAndDelete is added as an optional companion; Redis ships it via an atomic Lua get-and-delete operation for compatibility with Redis versions before 6.2.

• #9162 a26333b Thanks @​ping-maxwell! - fix: cleanup sessions when admin, anonymous, or SCIM deletes a user

• #9573 99a254a Thanks @​gustavovalverde! - fix(device-authorization): require verify-time ownership claim for approve/deny

  Pending device codes were not bound to the user who entered the code on the verification page until approval, leaving a window where any authenticated user could approve or deny another user's pending code by knowing the user_code. GET /device now claims the pending row for the calling session, and POST /device/approve and POST /device/deny require the calling session to match the claimed owner. Custom verification pages must be served to an authenticated session for the flow to succeed.

• #8948 ee93485 Thanks @​ping-maxwell! - fix: add error code to change-email-disabled

• #9572 5f09d56 Thanks @​gustavovalverde! - Fix race condition in the magic-link plugin's verify handler that allowed two concurrent requests to mint two sessions from the same single-use token. The handler now consumes the verification row atomically via internalAdapter.consumeVerificationValue, so a given magic link mints at most one session regardless of concurrency. The allowedAttempts option is retained for backward compatibility but no longer multiplies successful redemptions; tokens are single-use. The second-redeem error code changes from ATTEMPTS_EXCEEDED to INVALID_TOKEN (the token no longer exists after consumption).

• b4bc65a Thanks @​gustavovalverde! - Fix race condition in the OAuth authorization-code grant: two concurrent token-exchange requests sharing the same code could both pass the find step before either delete completed and each mint an independent access/refresh/id token set. The authorization_code handler in @better-auth/oauth-provider, plus the legacy oidc-provider and mcp plugins in better-auth, now consume the verification row atomically via internalAdapter.consumeVerificationValue. The first caller mints tokens; concurrent racers receive invalid_grant (RFC 6749 §5.2). Malformed-verification-value branches in @better-auth/oauth-provider previously returned a project-specific invalid_verification code; those are now invalid_grant so spec-compliant clients can branch on the standard code.

• #9578 da7e50b Thanks @​gustavovalverde! - handleOAuthUserInfo (used by every social provider, generic-oauth, oauth-proxy, SSO OIDC and SAML, and idToken sign-in) implicitly linked a returning OAuth identity into a local user row whenever the IdP's email_verified claim was true or the provider was trusted. The local row's own emailVerified flag was read only to flip it after linking, never as a precondition. POST /sign-up/email creates rows with emailVerified: false for any caller, so an attacker who pre-registered a victim's email at the application could wait for the legitimate user's first OAuth sign-in: the IdP's verified claim was treated as ownership proof, and the victim's IdP identity was linked into the attacker-owned row.

  The implicit-link gate now requires dbUser.user.emailVerified === true in addition to the provider trust check by default. A new account.accountLinking.requireLocalEmailVerified option (default true) is the public surface for this gate. Apps whose users sign up via OAuth without verifying their email locally can opt back into the legacy behavior with account: { accountLinking: { requireLocalEmailVerified: false } }; understand the takeover risk before doing so. The option is @deprecated; a FIXME at each gate site points at the next-minor follow-up on next that drops the option and makes the gate unconditional.

  The one-tap plugin honored its own copy of the gate and was updated identically: requireLocalEmailVerified and accountLinking.disableImplicitLinking both apply on /one-tap/callback. The email_verified claim from the Google ID token is now normalized via toBoolean so a string "false" is treated as falsy.

  Test fixtures across admin, oidc-provider, mcp, generic-oauth, last-login-method, and oauth-provider suites now mark users emailVerified: true via a databaseHooks.user.create.before hook (or the disableTestUser opt-in on the oauth-provider RP) so the suites continue to exercise their role/flow logic rather than the new gate.

• #9507 a1c9f3c Thanks @​GautamBytes! - Preserve exact access-control role statement types so predefined organization roles expose only their configured permissions in TypeScript.

• #9577 23094a6 Thanks @​gustavovalverde! - The organization plugin's invitation recipient endpoints (acceptInvitation, rejectInvitation, getInvitation, listUserInvitations) treated invitation.email.toLowerCase() === session.user.email.toLowerCase() as proof that the calling user owned the invited address. A session-authenticated user whose email matched but was never verified passed the gate, so anyone who could pre-register an unverified account at a victim's email could accept invitations addressed to that email. The requireEmailVerificationOnInvitation opt-in option closed the gap only when explicitly enabled and did not protect getInvitation or listUserInvitations at all.

  The gate is now applied on all four recipient endpoints and the requireEmailVerificationOnInvitation option default flips from false to true so existing apps are secure by default. Apps that intentionally accept invitations from unverified accounts can keep the legacy permissive behavior with organization({ requireEmailVerificationOnInvitation: false }), but they should understand the takeover risk before doing so. Server-side calls to listUserInvitations with ctx.query.email and no session continue to bypass the gate (the caller is trusted).

  The option is @deprecated. The next-minor release on next removes it entirely and makes the gate unconditional.

• #9548 142b86c Thanks @​dipan-ck! - anonymous plugin now correctly calls onLinkAccount when email verification triggers auto sign-in

• #9576 1f2ff42 Thanks @​gustavovalverde! - fix(oidc-provider, mcp): authenticate confidential clients on refresh_token grant and harden secret comparison

  Refresh-token grants on the legacy oidc-provider and mcp plugins now require the registered client_secret from confidential clients, matching the authorization_code path. Public clients (where code_verifier substitutes for the secret on the auth-code grant) continue to skip secret validation. Secret comparisons across both plugins now use constant-time equality. The /mcp/token endpoint no longer emits a wildcard CORS Access-Control-Allow-Origin: * header.

  These plugins are deprecated in favor of @better-auth/oauth-provider, which is unaffected. New deployments should adopt the replacement; this patch keeps existing deployments protected while migrating.

• #9575 699b09a Thanks @​gustavovalverde! - fix(oidc-provider, mcp): drop "none" from advertised signing algorithms, default allowPlainCodeChallengeMethod to false, and reject missing PKCE method

  The legacy oidc-provider and mcp plugins now follow OAuth 2.1 (RFC 9700) on three protocol gates:

  • id_token_signing_alg_values_supported (oidc-provider, mcp) and resource_signing_alg_values_supported (mcp) no longer include "none". Relying parties that negotiate from this list will no longer be steered toward unsigned tokens.
  • allowPlainCodeChallengeMethod defaults to false. Callers who need plain PKCE must opt in explicitly.
  • Under the secure default the authorize endpoint no longer silently rewrites a missing code_challenge_method to "plain" before the allowlist check. A request that provides code_challenge without code_challenge_method is now rejected with invalid_request; the inverse case (code_challenge_method without code_challenge) is also rejected so no inconsistent PKCE state is persisted on the authorization code record.

  Non-breaking for callers who never relied on "none" advertisement or the plain default. Callers who explicitly set allowPlainCodeChallengeMethod: true keep plain on the allowlist and retain the legacy "missing method defaults to plain" behavior for backward compatibility, so existing integrations that opted into plain PKCE continue to work. The next-minor on next will drop both the plain allowlist entry and this fallback; until then, the option is the single explicit knob for legacy behavior. Migrate to @better-auth/oauth-provider for the canonical, spec-aligned implementation.

... (truncated)

Commits

• f41514e chore: release v1.6.11 (#9532)
• 699b09a fix(oidc-provider, mcp): drop "none" alg, default plain PKCE off, reject miss...
• b4bc65a Merge commit from fork
• a1c9f3c fix(access): preserve exact role statement types (#9507)
• da7e50b fix(oauth): block OAuth linking to unverified local accounts (#9578)
• 23094a6 fix(organization): default-on requireEmailVerificationOnInvitation & extend...
• 1f2ff42 fix(oidc-provider, mcp): authenticate confidential clients on refresh_token g...
• 5f09d56 fix(magic-link): consume verification token atomically on verify (#9572)
• 99a254a fix(device-authorization): bind approval to verifier session (#9573)
• 0cbddb8 refactor(db): rename claimOne adapter primitive to consumeOne (#9568)
• Additional commits viewable in compare view

Updates better-sqlite3 from 12.9.0 to 12.10.0

Release notes

Sourced from better-sqlite3's releases.

v12.10.0

What's Changed

• Update SQLite to version 3.53.1 by @​JoshuaWise in WiseLibs/better-sqlite3#1467
• Add support for Node.js v26 prebuilds and remove EOL builds (Node.js v20, v23) by @​m4heshd in WiseLibs/better-sqlite3#1468
• Temporarily rollback support for Electron v42 prebuilds by @​m4heshd in WiseLibs/better-sqlite3#1470
• Enable percentile functions by @​Maxime-J in WiseLibs/better-sqlite3#1447

Full Changelog: WiseLibs/better-sqlite3@v12.9.1...v12.10.0

v12.9.1

⚠️CAUTION: NOT A VIABLE RELEASE

Electron v39+ prebuilds are not building successfully at the moment. Stick to v12.9.0 for now.

What's Changed

• Enable percentile functions by @​Maxime-J in WiseLibs/better-sqlite3#1447
• Add support for electron v42 prebuilds by @​m4heshd in WiseLibs/better-sqlite3#1466

New Contributors

• @​Maxime-J made their first contribution in WiseLibs/better-sqlite3#1447

Full Changelog: WiseLibs/better-sqlite3@v12.9.0...v12.9.1

Commits

• d8885f9 12.10.0
• 3f89324 Temporarily rollback support for Electron v42 prebuilds (#1470)
• a640028 Add support for Node.js v26 prebuilds and remove EOL builds (#1468)
• a69f03c Update SQLite to version 3.53.1 (#1467)
• d116f32 12.9.1
• 04d9b65 Add support for electron v42 prebuilds (#1466)
• ef7d940 Enable percentile functions (#1447)
• See full diff in compare view

Updates date-fns from 4.1.0 to 4.3.0

Release notes

Sourced from date-fns's releases.

v4.3.0

Kudos to @​ImRodry and @​puneetdixit200 for their contributions.

Fixed

• Fixed missing modularized optimization fallback (for Next.js and others). See #4193.

• Fixed pt locale first day of week to be Sunday. See #4195 by @​ImRodry.

• Fixed zh-CN, zh-HK, and zh-TW locale month parsing for October, November, and December. See #4194 by @​puneetdixit200.

v4.2.1

Fixed

• Fixed type definitions missing in v4.2.0 due to TypeScript misconfiguration.

v4.2.0

This is a minor release in all senses, it only includes documentation updates (first of many) that points to the new You Don't Need date-fns* page.

* Not really

Changed

• Added Temporal API references to the JSDoc annotations of add, addBusinessDays, and addDays.

Commits

• f95bcf1 (docs): Add missing tsx dependency
• baaca11 Add //pkgs/core:release/docs task
• 8aa0373 Update docs website secrets location in scripts
• c7ad6eb Promote to v4.3.0
• da8c548 Add change log entry for Chinese locale fix (#4194)
• f8d8fa8 Split Chinese locale tests (#4194)
• b9c5865 Fix Chinese locale month parsing (#4194)
• 39d1e14 Add pt fix change log entry (#4195)
• f3f1963 Fix pt locale first day of week to be Sunday (#4195)
• cd6ebda Add basic AGENTS.md
• Additional commits viewable in compare view

Updates hono from 4.12.14 to 4.12.23

Release notes

Sourced from hono's releases.

v4.12.23

What's Changed

• fix(serve-static): normalize all backslashes in file paths, not just the first in honojs/hono#4962
• feat(context): export the Context class publicly by @​BlankParticle in honojs/hono#4543
• docs(contribution): add AI Usage Policy by @​yusukebe in honojs/hono#4970
• feat(compress): add contentTypeFilter option and COMPRESSIBLE_CONTENT_TYPE_REGEX re-export by @​na-trium-144 in honojs/hono#4961
• fix(utils/ipaddr): do not compress a single 0 group to :: by @​yusukebe in honojs/hono#4971

Full Changelog: honojs/hono@v4.12.22...v4.12.23

v4.12.22

What's Changed

• chore: update vitest to v4 and cleanups by @​BlankParticle in honojs/hono#4952
• fix(mime): specify charset parameter per MIME type instead of mechanical detection by @​renatograsso10 in honojs/hono#4912
• fix(compress): respect Accept-Encoding when encoding option is set by @​LeSingh1 in honojs/hono#4951
• fix(deno): echo negotiated WebSocket subprotocol in upgrade response by @​ATOM00blue in honojs/hono#4955
• feat: add msgpack as a compressible content type by @​na-trium-144 in honojs/hono#4957

New Contributors

• @​renatograsso10 made their first contribution in honojs/hono#4912
• @​LeSingh1 made their first contribution in honojs/hono#4951
• @​ATOM00blue made their first contribution in honojs/hono#4955
• @​na-trium-144 made their first contribution in honojs/hono#4957

Full Changelog: honojs/hono@v4.12.21...v4.12.22

v4.12.21

Security fixes

This release includes fixes for the following security issues:

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3

IP Restriction bypasses static deny rules for non-canonical IPv6

Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x

JWT middleware accepts any Authorization scheme, not only Bearer

Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474

---

Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.

... (truncated)

Commits

• 83bfb3b 4.12.23
• bcd290a fix(utils/ipaddr): do not compress a single 0 group to :: (#4971)
• c968177 feat(compress): add contentTypeFilter option and `COMPRESSIBLE_CONTENT_TYPE_R...
• 0265a54 docs(contribution): add AI Usage Policy (#4970)
• c84c5d2 feat(context): export the Context class publicly (#4543)
• 82dad62 fix(serve-static): normalize all backslashes in file paths, not just the firs...
• 2f01b77 4.12.22
• 6bc0dff feat: add msgpack as a compressible content type (#4957)
• 7e0555d fix(deno): echo negotiated WebSocket subprotocol in upgrade response (#4955)
• f0ed246 fix(compress): respect Accept-Encoding when encoding option is set (#4951)
• Additional commits viewable in compare view

Updates pg from 8.20.0 to 8.21.0

Changelog

Sourced from pg's changelog.

pg@8.21.0

• Handle SASL SCRAM server error responses properly.
• Add support for node@26.
• Add scramMaxIterations config option.
• Add client.getTransactionStatus() method.

Commits

• 544b1ce Publish
• cc03fa5 Add scramMaxIterations option to limit SCRAM iteration count (#3677)
• f776327 Remove compatibility code for unsupported versions of Node (<16) (#3678)
• f252870 cleanup: pg utils (#3675)
• c8da6ab Assorted test cleanup (#3673)
• fa47e73 fix: Client#end callback being called multiple times when first is no-op (#...
• 88a7e60 cleanup: Move declaration to more natural place
• 2095247 cleanup: Combine duplicated code in Client#query and avoid unneeded early n...
• 0ac3edd fix: apply SASLprep (RFC 4013) to passwords before SCRAM-SHA-256 PBKDF2 (#3669)
• be880d4 Assorted test fixes and cleanup (#3672)
• Additional commits viewable in compare view

Updates eslint from 10.2.0 to 10.4.0

Release notes

Sourced from eslint's releases.

v10.4.0

Features

• 1a45ec5 feat: check sequence expressions in for-direction (#20701) (kuldeep kumar)
• 450040b feat: add includeIgnoreFile() to eslint/config (#20735) (Kirk Waiblinger)

Bug Fixes

• 544c0c3 fix: escape code path DOT labels in debug output (#20866) (Pixel998)
• 6799431 fix: update dependency @​eslint/config-helpers to ^0.6.0 (#20850) (renovate[bot])
• f078fef fix: handle non-array deprecated rule replacements (#20825) (xbinaryx)

Documentation

• 7e52a71 docs: add mention of @eslint-react/eslint-plugin (#20869) (Pavel)
• db3468b docs: tweak wording around ambiguous CJS-vs-ESM config (#20865) (Kirk Waiblinger)
• 9084664 docs: Update README (GitHub Actions Bot)
• 9cc7387 docs: Update README (GitHub Actions Bot)
• 3d7b548 docs: Update README (GitHub Actions Bot)
• 191ec3c docs: Update README (GitHub Actions Bot)

Chores

• 6616856 chore: upgrade knip to v6 (#20875) (Pixel998)
• d13b084 ci: ensure auto-created PRs run CI (#20860) (lumir)
• e71c7af ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 (#20862) (dependabot[bot])
• d84393d test: add unit tests for SuppressionsService.applySuppressions() (#20863) (kuldeep kumar)
• 24db8cb test: add tests for SuppressionsService.save() (#20802) (kuldeep kumar)
• 2ef0549 chore: update ecosystem plugins (#20857) (github-actions[bot])
• a429791 ci: remove eslint-webpack-plugin types integration test (#20668) (Milos Djermanovic)
• 9e37386 chore: replace recast with range approach in code-sample-minimizer (#20682) (Copilot)
• 0dd1f9f test: disable warning for vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER (#20845) (Francesco Trotta)
• 9da3c7b refactor: remove deprecated meta.language and migrate meta.dialects (#20716) (Pixel998)
• 2099ed1 refactor: add meta.defaultOptions to more rules, enable linting (#20800) (xbinaryx)
• f1dfbc9 chore: update ecosystem plugins (#20836) (github-actions[bot])
• c759413 ci: bump pnpm/action-setup from 6.0.3 to 6.0.5 (#20843) (dependabot[bot])
• 5b817d6 test: add unit tests for lib/shared/ast-utils (#20838) (kuldeep kumar)
• 1c13ae3 test: add unit tests for lib/shared/severity (#20835) (kuldeep kumar)

v10.3.0

Features

• 379571a feat: add suggestions for no-unused-private-class-members (#20773) (sethamus)

Bug Fixes

• b6ae5cf fix: handle unavailable require cache (#20812) (Simon Podlipsky)
• 6fb3685 fix: rule suggestions cause continuation in class body (#20787) (Milos Djermanovic)

Documentation

• 32cc7ab docs: fix typos in docs and comments (#20809) (Tanuj Kanti)
• 7f47937 docs: Update README (GitHub Actions Bot)

Chores

• d32235e ci: use pnpm in eslint-flat-config-utils type integration test (#20826) (Francesco Trotta)
• 3ffb14e chore: clean up typos in comments and JSDoc (#20821) (Pixel998)

... (truncated)

Commits

• 452c401 10.4.0
• b6417e8 Build: changelog update for 10.4.0
• 6616856 chore: upgrade knip to v6 (#20875)
• d13b084 ci: ensure auto-created PRs run CI (#20860)
• 7e52a71 docs: add mention of @eslint-react/eslint-plugin (#20869)
• e71c7af ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 (#20862)
• 544c0c3 fix: escape code path DOT labels in debug output (#20866)
• db3468b docs: tweak wording around ambiguous CJS-vs-ESM config (#20865)
• d84393d test: add unit tests for SuppressionsService.applySuppressions() (#20863)
• 9084664 docs: Update README
• Additional commits viewable in compare view

Updates fallow from 2.40.3 to 2.83.0

Release notes

Sourced from fallow's releases.

v2.83.0: line-move-tolerant runtime-coverage baselines, Nuxt auto-imports, more framework plugins

Runtime coverage

• Cross-surface function identity. Runtime coverage now adopts the fallow-cov-protocol v2 FunctionIdentity (a fallow:fn:<hash> join key over file, name, and start line). One value identifies a function across findings, hot paths, blast-radius, and importance entries, and across V8 / Istanbul / oxc producers (columns are excluded from the hash). Old artifacts without an identity keep working via the existing path/name/line fallback. (Closes #506)
• Baselines survive line moves. Function identities can now carry a source_hash: a content digest of the function body that excludes position. Runtime-coverage baselines match on it in addition to stable_id and the legacy id, so a function that moves to a different line but is otherwise unedited stays suppressed; editing the body re-surfaces it for review. (Closes #742)

Framework support

• Nuxt components referenced only by template tag are now tracked. A new auto_imports plugin capability synthesizes a real graph edge from <MyComponent />-style tags to their component files (directory-prefixed PascalCase, <Lazy...>, .client/.server/.global). Additive by default; opt into autoImports: true to report genuinely-unreferenced convention components as unused. Thanks @​Hal-Spidernight for the detailed proposal. (Closes #704)
• New built-in plugins: Contentlayer, Obsidian, WXT, Varlock, OpenNext Cloudflare, and browser-extension (WebExtension / Chrome MV2+MV3 manifests) projects no longer report their config files, entrypoints, and manifest-declared runtime files as unused.

Fixes

• ignoreUnresolvedImports config field accepts import-specifier globs to suppress expected unresolved-import findings. Thanks @​OmerGronich. (Closes #726)
• tsdown .mts / .cts config files are treated as entry points. Thanks @​eojoel. (Closes #744)
• fallow audit no longer emits spurious Nuxt/Astro prerequisite warnings on its base pass (#705).
• Workspace packages without an exports map resolve missing prebuild output back to source. (Closes #725)
• File health scores surface high CRAP-risk files even when their Maintainability Index is not the lowest. (Closes #554)
• POSIX-rooted paths from Linux tooling stay absolute on Windows. (Closes #614)
• GitHub Action: artifacts-dir writes generated files outside the repository root. Thanks @​Guria. (Closes #735)

Notes

stable_id values use the reconciled cross-producer recipe shared by the CLI, the fallow-cov sidecar, and cloud aggregation. Runtime-coverage baselines written on a previous version re-baseline once.

Full Changelog: fallow-rs/fallow@v2.82.0...v2.83.0

v2.82.0: framework plugins, quieter output, safer fixes

Highlights

A broad framework-plugin release: ng-packagr Angular libraries, electron-vite, Playwright webServer, SvelteKit remote functions, k6, Supabase Edge Functions, Mintlify, and Iconify icon packages all stop producing false unused findings out of the box. Plus quieter JSON output, smarter fallow fix, and a binary-verification model that no longer relies on npm install scripts.

Features

Framework plugins

• Angular ng-packagr libraries: lib.entryFile from ng-package.json / ng-package.prod.json (default src/public_api.ts) is now a package entry point, resolved relative to the config directory, so the l...

  Description has been truncated

[mroderick]

Dependency Upgrade Review: npm-deps group (10 packages)

Verdict: Approve and merge

Confidence: High

PR Scope

Dependency-only — only and modified. No code changes.

Packages Updated

Package	From	To	Risk
	2.0.0	2.0.4	Low
	1.6.5	1.6.11	Low (security fixes)
	12.9.0	12.10.0	Low
	4.1.0	4.3.0	Low
	4.12.14	4.12.23	Low (security fixes)
	8.20.0	8.21.0	Low
	10.2.0	10.4.0	Low
	2.40.3	2.83.0	Low
	17.5.0	17.6.0	Low
	21.7.0	21.7.4	Low

Key Changes

** 1.6.5 → 1.6.11** (patch/security):

• Fixes OAuth account linking to unverified local accounts (prevents account takeover)
• Fixes race condition in magic link token verification
• Fixes organization invitation verification gate

** 4.12.14 → 4.12.23** (patch/security):

• Security fixes in v4.12.21: cookie injection sanitization, JWT middleware scheme validation, IP restriction bypass, prefix stripping

** 12.9.0 → 12.10.0**: SQLite 3.53.1, Node.js v26 support
** 8.20.0 → 8.21.0**: SASL SCRAM error handling, Node.js v26 support
** 4.1.0 → 4.3.0**: Chinese locale parsing fixes, Portuguese first-day-of-week fix

Usage in Repository

• : Core auth (), test helpers ()
• : Web framework in all routes ()
• : Local dev/test database (, )
• : PostgreSQL pool for production/CI ()
• : Date formatting in components (, )

Critical Finding: Main Branch is Broken

Current is broken — tests fail with because imports from , but 1.6.5 does not export this path. This PR upgrade to 1.6.11 fixes the export.

Compatibility Assessment

Compatible. All updated APIs remain backward compatible for this codebase's usage patterns. The security fixes are non-breaking for this app's configuration.

Test Coverage

• Local tests: 99/99 tests pass
• Lint:

lint
eslint . passes

• Prettier:

prettier:check
prettier --check '**/*.{js,css,md,yml}'

Checking formatting...
All matched files use Prettier code style! passes

• Tests cover all dependency-usage paths: auth flows (magic links, OAuth, sessions), admin, health, profile, routing

Confidence Rating

High — All tests pass, lint/formatting pass, the upgrade fixes the currently broken test suite on , and changes are primarily security patches and bug fixes with no breaking changes affecting this codebase.

[mroderick]

Dependency Upgrade Review: npm-deps group (10 packages)

Verdict: Approve and merge

Confidence: High

PR Scope

Dependency-only — only package.json and package-lock.json modified. No code changes.

Packages Updated

Package	From	To	Risk
@hono/node-server	2.0.0	2.0.4	Low
better-auth	1.6.5	1.6.11	Low (security fixes)
better-sqlite3	12.9.0	12.10.0	Low
date-fns	4.1.0	4.3.0	Low
hono	4.12.14	4.12.23	Low (security fixes)
pg	8.20.0	8.21.0	Low
eslint	10.2.0	10.4.0	Low
fallow	2.40.3	2.83.0	Low
globals	17.5.0	17.6.0	Low
tap	21.7.0	21.7.4	Low

Key Changes

better-auth 1.6.5 → 1.6.11 (patch/security):

• Fixes OAuth account linking to unverified local accounts (prevents account takeover)
• Fixes race condition in magic link token verification
• Fixes organization invitation verification gate

hono 4.12.14 → 4.12.23 (patch/security):

• Security fixes in v4.12.21: cookie injection sanitization, JWT middleware scheme validation, IP restriction bypass, app.mount() prefix stripping

better-sqlite3 12.9.0 → 12.10.0: SQLite 3.53.1, Node.js v26 support
pg 8.20.0 → 8.21.0: SASL SCRAM error handling, Node.js v26 support
date-fns 4.1.0 → 4.3.0: Chinese locale parsing fixes, Portuguese first-day-of-week fix

Usage in Repository

• better-auth: Core auth (src/auth.js), test helpers (test/helpers/test-instance.js)
• hono: Web framework in all routes (src/app/routes/*)
• better-sqlite3: Local dev/test database (src/auth.js, test/helpers/test-instance.js)
• pg: PostgreSQL pool for production/CI (src/auth.js)
• date-fns: Date formatting in components (src/app/components/profile.js, admin.js)

Critical Finding: Main Branch is Broken

Current main is broken — tests fail with ERR_PACKAGE_PATH_NOT_EXPORTED because test/helpers/test-instance.js imports getMigrations from better-auth/db/migration, but better-auth 1.6.5 does not export this path. This PR upgrade to 1.6.11 fixes the export.

Compatibility Assessment

Compatible. All updated APIs remain backward compatible for this codebase's usage patterns. The security fixes are non-breaking for this app's configuration.

Test Coverage

• Local tests: 99/99 tests pass
• Lint: npm run lint passes
• Prettier: npm run prettier:check passes
• Tests cover all dependency-usage paths: auth flows (magic links, OAuth, sessions), admin, health, profile, routing

Confidence Rating

High — All tests pass, lint/formatting pass, the upgrade fixes the currently broken test suite on main, and changes are primarily security patches and bug fixes with no breaking changes affecting this codebase.