chore(deps): update all dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
@biomejs/biome (source)	devDependencies	major	1.9.4 → 2.4.14
@tanstack/react-query (source)	dependencies	minor	5.64.0 → 5.100.9
@types/bun (source)	devDependencies	minor	1.1.16 → 1.3.13
@types/node (source)	devDependencies	major	22.10.5 → 25.6.0
@types/react (source)	devDependencies	minor	19.0.6 → 19.2.14
@types/react-dom (source)	devDependencies	minor	19.0.3 → 19.2.3
connectkit (source)	dependencies	minor	1.8.2 → 1.9.2
namespacelabs/nscloud-checkout-action	action	major	v5 → v8
next (source)	dependencies	major	15.1.4 → 16.2.5
openapi-fetch (source)	dependencies	minor	0.13.4 → 0.17.0
openapi-typescript (source)	devDependencies	minor	7.5.2 → 7.13.0
path-to-regexp	dependencies	minor	8.2.0 → 8.4.2
pino-pretty	dependencies	minor	13.0.0 → 13.1.3
postcss (source)	devDependencies	minor	8.4.49 → 8.5.14
react (source)	dependencies	minor	19.0.0 → 19.2.6
react-dom (source)	dependencies	minor	19.0.0 → 19.2.6
tailwindcss (source)	devDependencies	major	3.4.17 → 4.2.4
typescript (source)	devDependencies	major	5.7.3 → 6.0.3
wagmi (source)	dependencies	major	2.14.7 → 3.6.9

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.4.14

Compare Source

Patch Changes

• #​9393 491b171 Thanks @​dyc3! - Added the nursery rule useTestHooksOnTop in the test domain. The rule flags lifecycle hooks (beforeEach, beforeAll, afterEach, afterAll) that appear after test cases in the same block, enforcing that hooks are defined before any test case.

• #​10157 eefc5ab Thanks @​dyc3! - Fixed #​7882: The HTML parser will now emit better diagnostics when it encounters a void element with a closing tag, such as <br></br>. Previously, the parser would emit multiple diagnostics with conflicting advice. Now it emits a single diagnostic that clearly states that void elements should not have closing tags.

• #​10054 0e9f569 Thanks @​minseong0324! - noMisleadingReturnType no longer misses widening from concrete object types, class instances, object literals, tuples, functions, and regular expressions to : object.

  A function annotated : object returning an object literal:

  function f(): object {
    return { retry: true };
  }

• #​10116 53269eb Thanks @​jiwon79! - Fixed #​6201: noUselessEscapeInRegex no longer flags an escaped backslash followed by - as a useless escape. Patterns like /[\\-]/ are now considered valid because the second \ is the escaped backslash, not an unnecessary escape of the trailing dash.

• #​10092 33d8543 Thanks @​Conaclos! - Fixed #​9097: organizeImports no longer adds a blank line between a never-matched group and a matched group.

  Given the following organizeImports options:

  {
    "groups": [":NODE:", ":BLANK_LINE:", ":PACKAGE:", ":BLANK_LINE:", ":PATH:"]
  }

  The following code...

  // Comment
  import "package";
  import "./file.js";

  ...was organized as:

  +
    // Comment
    import "package";
  +
    import "./file.js";

  A blank line was added even though the group ':NODE:' doesn't match any imports here.
  :BLANK_LINE: between never-matched groups and matched groups are now ignored.
  The code is now organized as:

    // Comment
    import "package";
  +
    import "./file.js";

• #​10138 a10b6c1 Thanks @​dyc3! - Fixed Vue v-for handling for noUndeclaredVariables and noUnusedVariables. Biome now recognizes variables declared by v-for directives and references to iterated values in Vue templates.

• #​10115 d428d76 Thanks @​minseong0324! - noMisleadingReturnType no longer reports false positives when a union return type's boolean variant is covered by both true and false returns.

• #​9922 7acf1e0 Thanks @​dyc3! - Added the new nursery rule noReactStringRefs, which disallows legacy React string refs such as ref="hello" and this.refs.hello.

  Biome also reports template-literal refs such as ref={`hello`}, so React code can consistently migrate to callback refs, createRef(), or useRef().

• #​10010 f3e76ab Thanks @​dyc3! - Fixed a bug in the LSP file watcher registration so Biome now watches .biome.json and .biome.jsonc configuration files and reloads workspace settings when they change.

• #​10176 8a40ef8 Thanks @​dyc3! - Fixed #​10011: The noThisInStatic rule no longer reports this when it is used as the constructor target in new this(...), which is required for inherited static factory methods.

• #​10163 6867e96 Thanks @​jiwon79! - Fixed #​9884: The useSortedAttributes auto-fix no longer corrupts source code when both an outer JSX element and a nested JSX-valued attribute have unsorted attributes in the same pass. Multiple unsorted groups separated by spread or shorthand attributes within the same JSX element are now reported as a single diagnostic.

• #​10079 d29dd19 Thanks @​Damix48! - Fixed false positive in noAssignInExpressions for Svelte {@​const} blocks. Assignments in {@​const name = value} are now correctly recognized as declarations rather than accidental assignments in expressions.

• #​10080 5d8fdac Thanks @​Damix48! - Fixed parsing of closing parentheses in Svelte {#each} block key expressions. Biome now correctly parses method calls and other parenthesised expressions used as keys.

  For example, the following snippets are now parsed correctly:

  {#each numbers as number, index (number.toString())}
    <p>{number}</p>
  {/each}
  
  {#each numbers as number (key(number))}
    <p>{number}</p>
  {/each}

• #​10140 e7024b9 Thanks @​solithcy! - Fixed #​10135: Biome no longer crashes on missing Svelte template expressions.

  The following code snippet longer panics:

  {#if }
   <p>^ this would previously crash</p>
  {/if}
  {@&#8203;const }
  <p>    ^ this would also crash</p>

• #​10111 7818009 Thanks @​jiwon79! - Fixed #​9997: noDuplicateSelectors no longer reports false positives for selectors inside @scope queries. Biome now treats @scope as a separate at-rule context, like @media, @supports, @container, and @starting-style.

  The following snippet is no longer flagged as a duplicate:

  .Example {
    padding: 0;
  }
  
  @​scope (.theme-dark) {
    .Example {
      color: white;
    }
  }

• #​9926 d62b331 Thanks @​dyc3! - Added the nursery lint rule useMathMinMax, which prefers Math.min() and Math.max() over equivalent ternary comparisons.

  For example, this code:

  const min = a < b ? a : b;

  is much more readable when rewritten as:

  const min = Math.min(a, b);

• #​10115 d428d76 Thanks @​minseong0324! - useExhaustiveSwitchCases now flags missing true/false cases for boolean discriminants, including when boolean is a union variant.

• #​10125 a55a0b6 Thanks @​bmish! - Fixed a resolver bug where packages that define a typed entry point through package.json's main field but omit types were ignored during type-aware resolution. Type-aware rules such as noFloatingPromises can now inspect imports from those packages.

• #​10117 895e809 Thanks @​denizdogan! - Added support for the corner-shape family of CSS properties and the superellipse()/squircle() value functions, so noUnknownProperty and noUnknownFunction no longer flag them as unknown.

  New known properties: corner-shape, corner-block-end-shape, corner-block-start-shape, corner-bottom-left-shape, corner-bottom-right-shape, corner-bottom-shape, corner-end-end-shape, corner-end-start-shape, corner-inline-end-shape, corner-inline-start-shape, corner-left-shape, corner-right-shape, corner-start-end-shape, corner-start-start-shape, corner-top-left-shape, corner-top-right-shape, corner-top-shape.

  New known value functions: superellipse(), squircle().

• #​8620 8df8f73 Thanks @​dyc3! - Fixed #​8062: Added support for parsing Vue v-for directives more accurately.

• #​10191 aa055cd Thanks @​guney! - Now the rule noStaticElementInteractions doesn't trigger custom elements.

• #​9757 2c62594 Thanks @​dyc3! - Fixed #​9099: the HTML formatter collapsing non-text children (inline elements, Svelte expressions, comments) onto a single line when the source had them on separate lines. Biome now preserves the user's intended line breaks for exclusively non-text children.

  For example, the following Svelte snippet is now preserved instead of being collapsed to <div>{name}<!-- comment --></div>:

  <div>
    {name}<!-- comment -->
  </div>

  Similarly, HTML elements like <span> inside a <div> are now preserved when written on their own line:

  <div>
    <span>text</span>
  </div>

• #​10105 e7c1a6d Thanks @​jiwon79! - Fixed #​10039: useReadonlyClassProperties now detects unreassigned private members in class expressions and export default classes, not only in class declarations.

  The following patterns are now correctly flagged:

  const AnonClass = class {
    #prop = 123;
    constructor() {
      console.log(this.#prop);
    }
  };
  
  export default class {
    #prop = 123;
    constructor() {
      console.log(this.#prop);
    }
  }

• #​10141 46a77d0 Thanks @​minseong0324! - Improved noUnnecessaryConditions to detect conditions that are always truthy because they check built-in global class instances such as Date, Map, Set, WeakMap, and Error.

• #​10178 7b05a89 Thanks @​dyc3! - Fixed #​10177: The HTML parser no longer reports lowercase html or doctype text as invalid after void elements such as <br>.

• #​10155 0d4595d Thanks @​jiwon79! - Fixed #​10045: the CSS formatter no longer compounds indentation inside nested functional pseudo-classes such as :not(:where(...)), :is(:where(...)), and similar combinations. The same fix also removes one level of unnecessary indentation that was added inside any pseudo-class function whose argument list wrapped onto multiple lines, including :nth-child(... of ...), ::part(...), and :active-view-transition-type(...).
  The following snippet is now correctly formatted, matching Prettier.

  input:not(
    :where(
      [type="submit"],
      [type="checkbox"],
      [type="radio"],
      [type="button"],
      [type="reset"]
    )
  ) {
    inline-size: 100%;
  }

• #​10112 6f0251e Thanks @​dyc3! - Fixed #​10110: Biome's parser now accepts surrogate code points in JavaScript string \u{...} escapes.

• #​10141 46a77d0 Thanks @​minseong0324! - Improved noMisleadingReturnType to detect object return annotations that hide built-in global class instances such as Date, Map, Set, WeakMap, and Error.

• #​10083 4a664c1 Thanks @​ematipico! - Added two new options to noShadow, both defaulting to true to match typescript-eslint's behavior.

  Fixed #​9482: Added ignoreFunctionTypeParameterNameValueShadow option. When enabled, parameter names inside function type annotations (e.g. (options: unknown) => void) are not flagged as shadowing outer variables.

  Fixed #​7812: Added ignoreTypeValueShadow option. When enabled, a value binding that shares its name with a type-only declaration (type alias or interface) is not flagged, since types and values occupy separate namespaces in TypeScript.

• #​9286 52695cf Thanks @​Hugo-Polloli! - Fixed #​6316: Biome now resolves Svelte $store references to the underlying store binding in semantic analysis, preventing false noUndeclaredVariables diagnostics when the store is declared.

• #​10188 ae659dd Thanks @​dyc3! - Added a new nursery rule noExcessiveNestedCallbacks, which disallows callbacks nested deeper than the configured maximum.

• #​9757 2c62594 Thanks @​dyc3! - Fixed #​9450: the HTML formatter now correctly preserves multiline formatting for nested <template> elements (e.g. <template #body>) when the source has children on separate lines. Previously, the children were collapsed onto a single line.

   <template>
     <UModal>
  -    <template #body> <p>content</p> </template>
  +    <template #body>
  +      <p>content</p>
  +    </template>
     </UModal>
   </template>

• #​10118 c6edcb4 Thanks @​Netail! - Fixed #​10024: biome migrate eslint correctly migrates eslint rules that belong to multiple Biome rules.

v2.4.13

Compare Source

Patch Changes

• #​9969 c5eb92b Thanks @​officialasishkumar! - Added the nursery rule noUnnecessaryTemplateExpression, which disallows template literals that only contain string literal expressions. These can be replaced with a simpler string literal.

  For example, the following code triggers the rule:

  const a = `${"hello"}`; // can be 'hello'
  const b = `${"prefix"}_suffix`; // can be 'prefix_suffix'
  const c = `${"a"}${"b"}`; // can be 'ab'

• #​10037 f785e8c Thanks @​minseong0324! - Fixed #​9810: noMisleadingReturnType no longer reports false positives on a getter with a matching setter in the same namespace.

  class Store {
    get status(): string {
      if (Math.random() > 0.5) return "loading";
      return "idle";
    }
    set status(v: string) {}
  }

• #​10084 5e2f90c Thanks @​jiwon79! - Fixed #​10034: noUselessEscapeInRegex no longer flags escapes of ClassSetReservedPunctuator characters (&, !, #, %, ,, :, ;, <, =, >, @, `, ~) inside v-flag character classes as useless. These characters are reserved as individual code points in v-mode, so the escape is required.

  The following pattern is now considered valid:

  /[a-z\&]/v;

• #​10063 c9ffa16 Thanks @​Netail! - Added extra rule sources from ESLint CSS. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #​10035 946b50e Thanks @​Netail! - Fixed #​10032: useIframeSandbox now flags if there's no initializer value.

• #​9865 68fb8d4 Thanks @​dyc3! - Added the new nursery rule useDomNodeTextContent, which prefers textContent over innerText for DOM node text access and destructuring.

  For example, the following snippet triggers the rule:

  const foo = node.innerText;

• #​10023 bd1e74f Thanks @​ematipico! - Added a new nursery rule noReactNativeDeepImports that disallows deep imports from the react-native package. Internal paths like react-native/Libraries/... are not part of the public API and may change between versions.

  For example, the following code triggers the rule:

  import View from "react-native/Libraries/Components/View/View";

• #​9885 3dce737 Thanks @​dyc3! - Added a new nursery rule useDomQuerySelector that prefers querySelector() and querySelectorAll() over older DOM query methods such as getElementById() and getElementsByClassName().

• #​9995 4da9caf Thanks @​siketyan! - Fixed #​9994: Biome now parses nested CSS rules correctly when declarations follow them inside embedded snippets.

• #​10009 b41cc5a Thanks @​Jayllyz! - Fixed #​10004: noComponentHookFactories no longer reports false positives for object methods and class methods.

• #​9988 eabf54a Thanks @​Netail! - Tweaked the diagnostics range for useAltText, useButtonType, useHtmlLang, useIframeTitle, useValidAriaRole & useIfameSandbox to report on the opening tag instead of the full tag.

• #​10043 fc65902 Thanks @​mujpao! - Fixed #​10003: Biome no longer panics when parsing Svelte files containing {#}.

• #​9815 5cc83b1 Thanks @​dyc3! - Added the new nursery rule noLoopFunc. When enabled, it warns when a function declared inside a loop captures outer variables that can change across iterations.

• #​9702 ef470ba Thanks @​ryan-m-walker! - Added the nursery rule useRegexpTest that enforces RegExp.prototype.test() over String.prototype.match() and RegExp.prototype.exec() in boolean contexts. test() returns a boolean directly, avoiding unnecessary computation of match results.

  Invalid

  if ("hello world".match(/hello/)) {
  }

  Valid

  if (/hello/.test("hello world")) {
  }

• #​9743 245307d Thanks @​leetdavid! - Fixed #​2245: Svelte <script> tag language detection when the generics attribute contains > characters (e.g., <script lang="ts" generics="T extends Record<string, unknown>">). Biome now correctly recognizes TypeScript in such script blocks.

• #​10046 0707de7 Thanks @​Conaclos! - Fixed #​10038: organizeImports now sorts imports in TypeScript modules and declaration files.

    declare module "mymodule" {
  -  	import type { B } from "b";
    	import type { A } from "a";
  +  	import type { B } from "b";
    }

• #​10012 94ccca9 Thanks @​ematipico! - Added the nursery rule noReactNativeLiteralColors, which disallows color literals inside React Native styles.

  The rule belongs to the reactNative domain. It reports properties whose name contains color and whose value is a string literal when they appear inside a StyleSheet.create(...) call or inside a JSX attribute whose name contains style.

  // Invalid
  const Hello = () => <Text style={{ backgroundColor: "#FFFFFF" }}>hi</Text>;
  
  const styles = StyleSheet.create({
    text: { color: "red" },
  });

  // Valid
  const red = "#f00";
  const styles = StyleSheet.create({
    text: { color: red },
  });

• #​10005 131019e Thanks @​ematipico! - Added the nursery rule noReactNativeRawText, which disallows raw text outside of <Text> components in React Native.

  The rule belongs to the new reactNative domain.

  // Invalid
  <View>some text</View>
  <View>{'some text'}</View>

  // Valid
  <View>
    <Text>some text</Text>
  </View>

  Additional components can be allowlisted through the skip option:

  {
    "options": {
      "skip": ["Title"]
    }
  }

• #​9911 1603f78 Thanks @​Netail! - Added the nursery rule noJsxLeakedDollar, which flags text nodes with a trailing $ if the next sibling node is a JSX expression. This could be an unintentional mistake, resulting in a '$' being rendered as text in the output.

  Invalid:

  function MyComponent({ user }) {
    return <div>Hello ${user.name}</div>;
  }

• #​9999 f42405f Thanks @​minseong0324! - Fixed noMisleadingReturnType incorrectly flagging functions with reassigned let variables.

• #​10075 295f97f Thanks @​ematipico! - Fixed #9983: Biome now parses functions declared inside Svelte #snippet blocks without throwing errors.

• #​10006 cf4c1c9 Thanks @​minseong0324! - Fixed #​9810: noMisleadingReturnType incorrectly flagging nested object literals with widened properties.

• #​10033 11ddc05 Thanks @​ematipico! - Added the nursery rule useReactNativePlatformComponents that ensures platform-specific React Native components (e.g. ProgressBarAndroid, ActivityIndicatorIOS) are only imported in files with a matching platform suffix. It also reports when Android and iOS components are mixed in the same file.

  The following code triggers the rule when the file does not have an .android.js suffix:

  // file.js
  import { ProgressBarAndroid } from "react-native";

v2.4.12

Compare Source

Patch Changes

• #​9376 9701a33 Thanks @​dyc3! - Added the nursery/noIdenticalTestTitle lint rule. This rule disallows using the same title for two describe blocks or two test cases at the same nesting level.

  describe("foo", () => {});
  describe("foo", () => {
    // invalid: same title as previous describe block
    test("baz", () => {});
    test("baz", () => {}); // invalid: same title as previous test case
  });

• #​9889 7ae83f2 Thanks @​dyc3! - Improved the diagnostics for useForOf to better explain the problem, why it matters, and how to fix it.

• #​9916 27dd7b1 Thanks @​Jayllyz! - Added a new nursery rule noComponentHookFactories, that disallows defining React components or custom hooks inside other functions.

  For example, the following snippets trigger the rule:

  function createComponent(label) {
    function MyComponent() {
      return <div>{label}</div>;
    }
    return MyComponent;
  }

  function Parent() {
    function Child() {
      return <div />;
    }
    return <Child />;
  }

• #​9980 098f1ff Thanks @​ematipico! - Fixed #​9941: Biome now emits a warning diagnostic when a file exceed the files.maxSize limit.

• #​9942 9956f1d Thanks @​dyc3! - Fixed #​9918: useConsistentTestIt no longer panics when applying fixes to chained calls such as test.for([])("x", () => {});.

• #​9891 4d9ac51 Thanks @​dyc3! - Improved the noGlobalObjectCalls diagnostic to better explain why calling global objects like Math or JSON is invalid and how to fix it.

• #​9902 3f4d103 Thanks @​ematipico! - Fixed #​9901: the command lint --write is now idempotent when it's run against HTML-ish files that contains scripts and styles.

• #​9891 4d9ac51 Thanks @​dyc3! - Improved the noMultiStr diagnostic to explain why escaped multiline strings are discouraged and what to use instead.

• #​9966 322675e Thanks @​siketyan! - Fixed #​9113: Biome now parses and formats @media and other conditional blocks correctly inside embedded CSS snippets.

• #​9835 f8d49d9 Thanks @​bmish! - The noFloatingPromises rule now detects floating promises through cross-module generic wrapper functions. Previously, patterns like export const fn = trace(asyncFn) — where trace preserves the function signature via a generic <F>(fn: F): F — were invisible to the rule when the wrapper was defined in a different file.

• #​9981 02bd8dd Thanks @​siketyan! - Fixed #​9975: Biome now parses nested CSS selectors correctly inside embedded snippets without requiring an explicit &.

• #​9949 e0ba71d Thanks @​Netail! - Added the nursery rule useIframeSandbox, which enforces the sandbox attribute for iframe tags.

  Invalid:

  <iframe></iframe>

• #​9913 d417803 Thanks @​Netail! - Added the nursery rule noJsxNamespace, which disallows JSX namespace syntax.

  Invalid:

  <ns:testcomponent />

• #​9892 e75d70e Thanks @​dyc3! - Improved the noSelfCompare diagnostic to better explain why comparing a value to itself is suspicious and what to use for NaN checks.

• #​9861 2cff700 Thanks @​dyc3! - Added the new nursery rule useVarsOnTop, which requires var declarations to appear at the top of their containing scope.

  For example, the following code now triggers the rule:

  function f() {
    doSomething();
    var value = 1;
  }

• #​9892 e75d70e Thanks @​dyc3! - Improved the noThenProperty diagnostic to better explain why exposing then can create thenable behavior and how to avoid it.

• #​9892 e75d70e Thanks @​dyc3! - Improved the noShorthandPropertyOverrides diagnostic to explain why later shorthand declarations can unintentionally overwrite earlier longhand properties.

• #​9978 4847715 Thanks @​mdevils! - Fixed #​9744: useExhaustiveDependencies no longer reports false positives for variables obtained via object destructuring with computed keys, e.g. const { [KEY]: key1 } = props.

• #​9892 e75d70e Thanks @​dyc3! - Improved the noRootType diagnostic to better explain that the reported root type is disallowed by project configuration and how to proceed.

• #​9927 7974ab7 Thanks @​dyc3! - Added eslint-plugin-unicorn's no-nested-ternary as a rule source for noNestedTernary

• #​9873 19ff706 Thanks @​minseong0324! - noMisleadingReturnType now checks class methods, object methods, and getters in addition to functions.

• #​9888 362b638 Thanks @​dyc3! - Updated metadata for biome migrate eslint to better reflect which ESLint rules are redundant versus unsupported versus unimplemented.

• #​9892 e75d70e Thanks @​dyc3! - Improved the noAutofocus diagnostic to better explain why autofocus harms accessibility outside allowed modal contexts.

• #​9982 d6bdf4a Thanks @​dyc3! - Improved performance of noMagicNumbers.
  Biome now maps ESLint no-magic-numbers sources more accurately during biome migrate eslint.

• #​9889 7ae83f2 Thanks @​dyc3! - Improved the diagnostics for noConstantCondition to better explain the problem, why it matters, and how to fix it.

• #​9866 40bd180 Thanks @​dyc3! - Added a new nursery rule noExcessiveSelectorClasses, which limits how many class selectors can appear in a single CSS selector.

• #​9796 f1c1363 Thanks @​dyc3! - Added a new nursery rule useStringStartsEndsWith, which prefers startsWith() and endsWith() over verbose string prefix and suffix checks.

  The rule uses type information, so it only reports on strings and skips array lookups such as items[0] === "a".

• #​9942 9956f1d Thanks @​dyc3! - Fixed the safe fix for noSkippedTests so it no longer panics when rewriting skipped test function names such as xit(), xtest(), and xdescribe().

• #​9874 9e570d1 Thanks @​minseong0324! - Type-aware lint rules now resolve members through Pick<T, K> and Omit<T, K> utility types.

• #​9909 0d0e611 Thanks @​Netail! - Added the nursery rule useReactAsyncServerFunction, which requires React server actions to be async.

  Invalid:

  function serverFunction() {
    "use server";
    // ...
  }

• #​9925 29accb3 Thanks @​ematipico! - Fixed #​9910: added support for parsing member expressions in Svelte directive properties. Biome now correctly parses directives like in:renderer.in|global, use:obj.action, and deeply nested forms like in:a.b.c|global.

• #​9904 [e7775a5](https://redirect.github.com/biomejs/biome/commit/e7775a5c7f26bc808302e6646

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sourcery-ai]

Reviewer's Guide by Sourcery

This PR updates the following dependencies: @tanstack/react-query from 5.64.0 to 5.64.1, @types/node from 22.10.5 to 22.10.6, and postcss from 8.4.49 to 8.5.0.

Class diagram showing dependency version updates

classDiagram
    class Dependencies {
        +@tanstack/react-query: 5.64.1
        +connectkit: 1.8.2
        +encoding: 0.1.13
        +next: 15.1.4
    }
    class DevDependencies {
        +@types/node: 22.10.6
        +postcss: 8.5.0
        +tailwindcss: 3.4.17
        +typescript: 5.7.3
    }
    note for Dependencies "Updated from @tanstack/react-query 5.64.0"
    note for DevDependencies "Updated from @types/node 22.10.5\nUpdated from postcss 8.4.49"

Loading

File-Level Changes

Change	Details	Files
Updated @tanstack/react-query to fix types for typed query and mutation keys.	Bumped @tanstack/react-query from version 5.64.0 to 5.64.1	package.json
Updated @types/node.	Bumped @types/node from version 22.10.5 to 22.10.6	package.json
Updated postcss.	Bumped postcss from version 8.4.49 to 8.5.0	package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Join our Discord community for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​types/​bun@​1.1.16 ⏵ 1.3.13	+1		+4	+2
	next@​15.1.4 ⏵ 16.2.4	+1	+75	-1	+48
	@​types/​react-dom@​19.0.3 ⏵ 19.2.3			+1
	@​types/​react@​19.0.6 ⏵ 19.2.14
	wagmi@​2.14.7 ⏵ 3.6.4	+2		+3	+2
	@​types/​node@​20.12.14 ⏵ 25.6.0	+1		+1
	postcss@​8.4.49 ⏵ 8.5.10		+2	+1
	tailwindcss@​3.4.17 ⏵ 4.2.4	+5		-2
	react@​19.0.0 ⏵ 19.2.5	+1
	pino-pretty@​13.0.0 ⏵ 13.1.3	+1
	openapi-typescript@​7.5.2 ⏵ 7.13.0	+1		+1
	openapi-fetch@​0.13.4 ⏵ 0.17.0	+1			-3
	@​tanstack/​react-query@​5.64.0 ⏵ 5.100.2			+2	+5
	connectkit@​1.8.2 ⏵ 1.9.2	-1		-4	+6
	typescript@​5.7.3 ⏵ 6.0.3	+1		+1
	react-dom@​19.0.0 ⏵ 19.2.5	+1		+1
	path-to-regexp@​8.2.0 ⏵ 8.4.2		+18	+1
	@​biomejs/​biome@​1.9.4 ⏵ 2.4.13	+8

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		License policy violation: npm @img/sharp-libvips-darwin-arm64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-darwin-arm64@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-darwin-arm64@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-darwin-x64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-darwin-x64@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-darwin-x64@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-linux-arm under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-linux-arm@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-linux-arm@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-linux-arm64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-linux-arm64@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-linux-arm64@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-linux-ppc64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-linux-ppc64@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-linux-ppc64@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-linux-riscv64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-linux-riscv64@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-linux-riscv64@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-linux-s390x under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-linux-s390x@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-linux-s390x@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-linux-x64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-linux-x64@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-linux-x64@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-linuxmusl-arm64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-linuxmusl-arm64@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-linuxmusl-arm64@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-libvips-linuxmusl-x64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: LGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-libvips-linuxmusl-x64@1.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-libvips-linuxmusl-x64@1.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-wasm32 under LGPL-3.0-or-later License: LGPL-3.0-or-later - the applicable license policy does not allow this license (4) (npm metadata) License: LGPL-3.0-or-later - the applicable license policy does not allow this license (4) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-wasm32@0.34.5 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-wasm32@0.34.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-win32-arm64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - the applicable license policy does not allow this license (4) (npm metadata) License: LGPL-3.0-or-later - the applicable license policy does not allow this license (4) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-win32-arm64@0.34.5 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-win32-arm64@0.34.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-win32-ia32 under LGPL-3.0-or-later License: LGPL-3.0-or-later - the applicable license policy does not allow this license (4) (npm metadata) License: LGPL-3.0-or-later - the applicable license policy does not allow this license (4) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-win32-ia32@0.34.5 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-win32-ia32@0.34.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @img/sharp-win32-x64 under LGPL-3.0-or-later License: LGPL-3.0-or-later - the applicable license policy does not allow this license (4) (npm metadata) License: LGPL-3.0-or-later - the applicable license policy does not allow this license (4) (package/package.json) From: ? → npm/next@16.2.4 → npm/@img/sharp-win32-x64@0.34.5 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@img/sharp-win32-x64@0.34.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm bun-types under LGPL-2.0 License: LGPL-2.0 - The applicable license policy does not permit this license (5) (package/docs/project/license.mdx) From: ? → npm/@types/bun@1.3.13 → npm/bun-types@1.3.13 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/bun-types@1.3.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm typescript License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) From: ? → npm/openapi-typescript@7.13.0 → npm/typescript@5.9.3 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@5.9.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm typescript License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) From: package.json → npm/typescript@6.0.3 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@6.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Deprecated by its maintainer: npm @metamask/sdk-analytics Reason: No longer maintained, superseded by @metamask/connect-analytics From: ? → npm/connectkit@1.9.2 → npm/@metamask/sdk-analytics@0.0.5 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-analytics@0.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Deprecated by its maintainer: npm @metamask/sdk-install-modal-web Reason: No longer maintained, superseded by https://docs.metamask.io/metamask-connect From: ? → npm/connectkit@1.9.2 → npm/@metamask/sdk-install-modal-web@0.32.1 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-install-modal-web@0.32.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Deprecated by its maintainer: npm @metamask/sdk Reason: No longer maintained, superseded by https://docs.metamask.io/metamask-connect From: ? → npm/connectkit@1.9.2 → npm/@metamask/sdk@0.33.1 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk@0.33.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report