build(deps): bump the minor-and-patch group across 1 directory with 5 updates

[dependabot]

Bumps the minor-and-patch group with 5 updates in the / directory:

Package	From	To
ajv	8.18.0	8.20.0
@anthropic-ai/claude-agent-sdk	0.2.92	0.2.123
@biomejs/biome	2.4.10	2.4.13
@types/bun	1.3.11	1.3.13
lefthook	2.1.4	2.1.6

Updates ajv from 8.18.0 to 8.20.0

Release notes

Sourced from ajv's releases.

v8.20.0

What's Changed

• fix: add support for node 22/24, drop node 16/21 by @​jasoniangreen in ajv-validator/ajv#2580
• fix: add ES2022.RegExp for RegExpIndicesArray by @​SignpostMarv in ajv-validator/ajv#2604

Full Changelog: ajv-validator/ajv@v8.19.0...v8.20.0

v8.19.0

What's Changed

• fix prototype pollution via format keyword using $data ref by @​epoberezkin in ajv-validator/ajv#2607

Full Changelog: ajv-validator/ajv@v8.18.0...v8.19.0

Commits

• 0fba0b8 8.20.0
• 9caf8d6 fix: add ES2022.RegExp for RegExpIndicesArray; fixes ajv-validator/ajv#2603 (...
• 2065350 fix: add support for node 22/24, drop node 16/21 (#2580)
• 154b58d 8.19.0
• e8d2bdc test/fix prototype pollution via $data ref with format keyword (#2607)
• See full diff in compare view

Updates @anthropic-ai/claude-agent-sdk from 0.2.92 to 0.2.123

Release notes

Sourced from @​anthropic-ai/claude-agent-sdk's releases.

v0.2.123

What's changed

• Updated to parity with Claude Code v2.1.123

Update

npm install @anthropic-ai/claude-agent-sdk@0.2.123
# or
yarn add @anthropic-ai/claude-agent-sdk@0.2.123
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.2.123
# or
bun add @anthropic-ai/claude-agent-sdk@0.2.123

v0.2.122

What's changed

• Updated to parity with Claude Code v2.1.122

Update

npm install @anthropic-ai/claude-agent-sdk@0.2.122
# or
yarn add @anthropic-ai/claude-agent-sdk@0.2.122
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.2.122
# or
bun add @anthropic-ai/claude-agent-sdk@0.2.122

v0.2.121

What's changed

• Added updatedToolOutput to PostToolUseHookSpecificOutput for replacing tool output on all tools. updatedMCPToolOutput is deprecated.

Update

npm install @anthropic-ai/claude-agent-sdk@0.2.121
# or
yarn add @anthropic-ai/claude-agent-sdk@0.2.121
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.2.121
# or
bun add @anthropic-ai/claude-agent-sdk@0.2.121

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-agent-sdk's changelog.

0.2.123

• Updated to parity with Claude Code v2.1.123

0.2.122

• Updated to parity with Claude Code v2.1.122

0.2.121

• Added updatedToolOutput to PostToolUseHookSpecificOutput for replacing tool output on all tools. updatedMCPToolOutput is deprecated.

0.2.120

• Added skills option (string[] | 'all') to control which Skills are loaded into the main session, matching the Python SDK

0.2.119

• Added forwardSubagentText option to stream subagent text deltas to SDK consumers
• excludeDynamicSections now keeps static auto-memory instructions in the cacheable system-prompt block; only the per-user memory directory path and per-machine environment values are relocated to the first user message
• Long-running SDK sessions now reconnect claude.ai-proxied MCP servers after a transport-stream abort
• SessionStore.append() failures are now retried up to 3 times with short backoff before the batch is dropped and mirror_error is emitted

0.2.118

• Added Options.managedSettings for embedders to pass policy-tier settings to the spawned CLI in-memory, honored below IT-controlled managed sources

0.2.117

• Updated to parity with Claude Code v2.1.117

0.2.116

• Updated to parity with Claude Code v2.1.116

0.2.115

• Updated to parity with Claude Code v2.1.115

0.2.114

• Updated to parity with Claude Code v2.1.114

0.2.113

• Changed the SDK to spawn a native Claude Code binary (via a per-platform optional dependency) instead of bundled JavaScript
• Added sessionStore option (alpha) to query() and session helpers for mirroring session transcripts to external storage, with SessionStore/SessionKey/SessionStoreEntry types, InMemorySessionStore reference implementation, and importSessionToStore() for migrating existing sessions
• Added deleteSession() for removing a session from disk or a SessionStore
• Added SDKMirrorErrorMessage (subtype: 'mirror_error') to the SDKMessage union — emitted when a sessionStore.append() batch fails
• Breaking: options.env once again replaces process.env for the CLI subprocess instead of overlaying it. To add or override individual variables, pass env: { ...process.env, MY_VAR: "x" }

... (truncated)

Commits

• 38cd292 chore: Update CHANGELOG.md
• 5f07f15 chore: Update CHANGELOG.md
• 49b6b0e chore: Update CHANGELOG.md
• 2b1ffcc chore: Update CHANGELOG.md
• 48de067 chore: Update CHANGELOG.md
• 76d1dec chore: Update CHANGELOG.md
• e1721a4 chore: Update CHANGELOG.md
• b3623dc chore: Update CHANGELOG.md
• b917684 chore: Update CHANGELOG.md
• f9b4a29 chore: Update CHANGELOG.md
• Additional commits viewable in compare view

Updates @biomejs/biome from 2.4.10 to 2.4.13

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.13

2.4.13

Patch Changes

• #9969 c5eb92b Thanks @​officialasishkumar! - Added the nursery rule noUnnecessaryTemplateExpression, which disallows template literals that only contain string literal expressions. These can be replaced with a simpler string literal.

  For example, the following code triggers the rule:

  const a = `${"hello"}`; // can be 'hello'
  const b = `${"prefix"}_suffix`; // can be 'prefix_suffix'
  const c = `${"a"}${"b"}`; // can be 'ab'

• #10037 f785e8c Thanks @​minseong0324! - Fixed #9810: noMisleadingReturnType no longer reports false positives on a getter with a matching setter in the same namespace.

  class Store {
    get status(): string {
      if (Math.random() > 0.5) return "loading";
      return "idle";
    }
    set status(v: string) {}
  }

• #10084 5e2f90c Thanks @​jiwon79! - Fixed #10034: noUselessEscapeInRegex no longer flags escapes of ClassSetReservedPunctuator characters (&, !, #, %, ,, :, ;, <, =, >, @, `, ~) inside v-flag character classes as useless. These characters are reserved as individual code points in v-mode, so the escape is required.

  The following pattern is now considered valid:

  /[a-z\&]/v;

• #10063 c9ffa16 Thanks @​Netail! - Added extra rule sources from ESLint CSS. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #10035 946b50e Thanks @​Netail! - Fixed #10032: useIframeSandbox now flags if there's no initializer value.

• #9865 68fb8d4 Thanks @​dyc3! - Added the new nursery rule useDomNodeTextContent, which prefers textContent over innerText for DOM node text access and destructuring.

  For example, the following snippet triggers the rule:

  const foo = node.innerText;

• #10023 bd1e74f Thanks @​ematipico! - Added a new nursery rule noReactNativeDeepImports that disallows deep imports from the react-native package. Internal paths like react-native/Libraries/... are not part of the public API and may change between versions.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.13

Patch Changes

• #9969 c5eb92b Thanks @​officialasishkumar! - Added the nursery rule noUnnecessaryTemplateExpression, which disallows template literals that only contain string literal expressions. These can be replaced with a simpler string literal.

  For example, the following code triggers the rule:

  const a = `${"hello"}`; // can be 'hello'
  const b = `${"prefix"}_suffix`; // can be 'prefix_suffix'
  const c = `${"a"}${"b"}`; // can be 'ab'

• #10037 f785e8c Thanks @​minseong0324! - Fixed #9810: noMisleadingReturnType no longer reports false positives on a getter with a matching setter in the same namespace.

  class Store {
    get status(): string {
      if (Math.random() > 0.5) return "loading";
      return "idle";
    }
    set status(v: string) {}
  }

• #10084 5e2f90c Thanks @​jiwon79! - Fixed #10034: noUselessEscapeInRegex no longer flags escapes of ClassSetReservedPunctuator characters (&, !, #, %, ,, :, ;, <, =, >, @, `, ~) inside v-flag character classes as useless. These characters are reserved as individual code points in v-mode, so the escape is required.

  The following pattern is now considered valid:

  /[a-z\&]/v;

• #10063 c9ffa16 Thanks @​Netail! - Added extra rule sources from ESLint CSS. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #10035 946b50e Thanks @​Netail! - Fixed #10032: useIframeSandbox now flags if there's no initializer value.

• #9865 68fb8d4 Thanks @​dyc3! - Added the new nursery rule useDomNodeTextContent, which prefers textContent over innerText for DOM node text access and destructuring.

  For example, the following snippet triggers the rule:

  const foo = node.innerText;

• #10023 bd1e74f Thanks @​ematipico! - Added a new nursery rule noReactNativeDeepImports that disallows deep imports from the react-native package. Internal paths like react-native/Libraries/... are not part of the public API and may change between versions.

  For example, the following code triggers the rule:

... (truncated)

Commits

• e316150 ci: release (#9991)
• 11ddc05 feat(lint): add useReactNativePlatformComponents rule and options (#10033)
• 1603f78 feat(js_analyze): implement noJsxLeakedDollar (#9911)
• c5eb92b feat(linter): add nursery rule noUnnecessaryTemplateExpression (#9969)
• 5cc83b1 feat(lint/js): add noLoopFunc (#9815)
• bd1e74f feat(lint): add react native deep import rule (#10023)
• 68fb8d4 feat(lint/js): add useDomNodeTextContent (#9865)
• 94ccca9 feat(lint): add noReactNativeLiteralColors (#10012)
• 3dce737 feat(lint/js): add useDomQuerySelector (#9885)
• 131019e feat(lint): add noReactNativeRawText (#10005)
• Additional commits viewable in compare view

Updates @types/bun from 1.3.11 to 1.3.13

Commits

• See full diff in compare view

Updates lefthook from 2.1.4 to 2.1.6

Release notes

Sourced from lefthook's releases.

v2.1.6

Changelog

• bf73ea2f1ea5468c9af7a6f06b5ef8cd43e66040 fix(packaging): do not pipe stdout and stderr (#1382)
• 04da00697cd8a6241023c1962feb720eeaa62698 fix(windows): normalize lefthook path for sh script (#1383)
• de9597a1bf456d2cf0fbcb8816858b6e5cf6b609 fix: log full scoped name for skipped jobs (#1291)
• eb3e70dbbd2442200ec8ff2140a3ee9daa7d9e70 fix: normalize root to always include trailing slash before path replacement (#1381)
• f90f3f570ef9227ddf345a79cec687dac41a5d31 fix: skip pty allocation when stdout is not a terminal (#1393)

v2.1.5

Changelog

• afac466157f88b5a5f9d03eb28acc90b095a4b5d chore(golangci-lint): upgrade to 2.11.4 (#1362)
• f8e73b947e2eefd6950d6a19c20bbde19070809d chore: fix golangci-lint version lookup
• 4564da343b1497f73f8a82f6104e1b5903f8a081 chore: move golangci-lint version to .tool-versions (#1349)
• 236a5bd07c650aaa882963d68ab5e5e654a47681 chore: small cleanup (#1370)
• 5ddf2206dd23e826c5434392e034fa7db523cd3d deps: April 2026 (#1375)
• e26c719f5a85e8ff35871e9724649714d6f05c13 fix: git repository merge issue (#1372)
• 3503a3b102c2b41c298e1e7dc6549181508518a6 fix: prevent lefthook run from overwriting global hooks (#1371)
• f3fc175f6c638fd54ab49b8d7c060898f936c934 fix: use pre-push stdin for push file detection (#1368)

Changelog

Sourced from lefthook's changelog.

2.1.6 (2026-04-16)

• fix: normalize lefthook path for sh script (#1383) by @​AndrewKahr
• fix: normalize root to always include trailing slash before path replacement (#1381) by @​Copilot
• fix: skip pty allocation when stdout is not a terminal (#1393) by @​technicalpickles
• docs: upgrade docmd (#1391) by @​mrexox
• fix: log full scoped name for skipped jobs (#1291) by @​scop
• fix: do not pipe stdout and stderr (#1382) by @​mrexox

2.1.5 (2026-04-06)

• deps: April 2026 (#1375) by @​mrexox
• docs: update documentation and docs for claude (#1373) by @​mrexox
• fix: git repository merge issue (#1372) by @​mrexox
• fix: use pre-push stdin for push file detection (#1368) by @​supitsdu
• chore: small cleanup (#1370) by @​mrexox
• fix: prevent lefthook run from overwriting global hooks (#1371) by @​ivy
• chore: upgrade to 2.11.4 (#1362) by @​scop
• chore: fix golangci-lint version lookup by @​mrexox
• chore: move golangci-lint version to .tool-versions (#1349) by @​scop

Commits

• 679ce27 2.1.6: fixes for Windows and AI tools execution
• 04da006 fix(windows): normalize lefthook path for sh script (#1383)
• eb3e70d fix: normalize root to always include trailing slash before path replacemen...
• f90f3f5 fix: skip pty allocation when stdout is not a terminal (#1393)
• 1481e9d docs: upgrade docmd (#1391)
• de9597a fix: log full scoped name for skipped jobs (#1291)
• bf73ea2 fix(packaging): do not pipe stdout and stderr (#1382)
• 4cec579 2.1.5: prevent overwriting global hooks and fix pre-push for sha256 repos
• 5ddf220 deps: April 2026 (#1375)
• 0c16199 docs: update documentation and docs for claude (#1373)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions