chore(deps): bump the production-dependencies group across 1 directory with 21 updates

[dependabot]

Bumps the production-dependencies group with 21 updates in the / directory:

Package	From	To
@clack/prompts	0.11.0	1.5.1
@floating-ui/dom	1.7.5	1.7.6
@myriaddreamin/rehype-typst	0.6.0	0.7.0
esbuild-sass-plugin	3.6.0	3.7.0
globby	16.1.1	16.2.0
isomorphic-git	1.37.2	1.38.4
lightningcss	1.31.1	1.32.0
minimatch	10.2.2	10.2.5
preact	10.28.4	10.29.2
preact-render-to-string	6.6.6	6.7.0
serve-handler	6.1.6	6.1.7
workerpool	10.0.1	10.0.2
ws	8.19.0	8.21.0
yaml	2.8.2	2.9.0
@quartz-community/types	0d62f52	d342893
@quartz-community/utils	1ad4e4f	ff02040
@types/node	25.3.0	25.9.1
esbuild	0.27.3	0.28.0
prettier	3.8.1	3.8.3
tsx	4.21.0	4.22.4
typescript	5.9.3	6.0.3

Updates @clack/prompts from 0.11.0 to 1.5.1

Release notes

Sourced from @​clack/prompts's releases.

@​clack/prompts@​1.5.1

Patch Changes

• #548 2356e97 Thanks @​43081j! - Remove sourcemaps and enable pretty-ish build output.

• #546 56e9d67 Thanks @​ghostdevv! - docs: add jsdoc for date, limit-options, and messages

• Updated dependencies [2356e97]:

  • @​clack/core@​1.4.1

@​clack/prompts@​1.5.0

Minor Changes

• #543 83428ac Thanks @​florian-lefebvre! - Adds support for Standard Schema validation

  Prompts accept an optional validate() function to validate user input. While a function provides more flexibility and customization over your validation, it can be a bit verbose. To help solve this, there are libraries that provide schema-based validation to make shorthand and type-strict validation substantially easier.

  Libraries following the Standard Schema specification are now natively supported. For example, using Arktype:

  import { text } from '@clack/prompts';
  import { type } from 'arktype';
  const name = await text({
  message: 'Enter your email',
  
  validate: type('string.email').describe('Invalid email'),
  });

Patch Changes

• #542 adb6af9 Thanks @​ghostdevv! - docs: add jsdoc for box, group, and group-multi-select

• #534 3dcb31a Thanks @​MattStypa! - Fixed spaces and uppercase characters in multiline prompt

• #540 3170ed9 Thanks @​ghostdevv! - docs: add jsdoc for autocomplete, confirm, and path prompts

• Updated dependencies [83428ac, 3dcb31a]:

  • @​clack/core@​1.4.0

@​clack/prompts@​1.4.0

Minor Changes

• 284677e: Support scrolling and maxItems option for groupMultiselect, and removes indent when withGuide is set to false

Patch Changes

• aab46a2: docs: add jsdoc for text, password, and multiline prompts
• 54be8d7: Fix line wrapping and overflow computation in group multi-select and other list-like prompts.
• Updated dependencies [54be8d7]

... (truncated)

Changelog

Sourced from @​clack/prompts's changelog.

1.5.1

Patch Changes

• #548 2356e97 Thanks @​43081j! - Remove sourcemaps and enable pretty-ish build output.

• #546 56e9d67 Thanks @​ghostdevv! - docs: add jsdoc for date, limit-options, and messages

• Updated dependencies [2356e97]:

  • @​clack/core@​1.4.1

1.5.0

Minor Changes

• #543 83428ac Thanks @​florian-lefebvre! - Adds support for Standard Schema validation

  Prompts accept an optional validate() function to validate user input. While a function provides more flexibility and customization over your validation, it can be a bit verbose. To help solve this, there are libraries that provide schema-based validation to make shorthand and type-strict validation substantially easier.

  Libraries following the Standard Schema specification are now natively supported. For example, using Arktype:

  import { text } from '@clack/prompts';
  import { type } from 'arktype';
  const name = await text({
  message: 'Enter your email',
  
  validate: type('string.email').describe('Invalid email'),
  });

Patch Changes

• #542 adb6af9 Thanks @​ghostdevv! - docs: add jsdoc for box, group, and group-multi-select

• #534 3dcb31a Thanks @​MattStypa! - Fixed spaces and uppercase characters in multiline prompt

• #540 3170ed9 Thanks @​ghostdevv! - docs: add jsdoc for autocomplete, confirm, and path prompts

• Updated dependencies [83428ac, 3dcb31a]:

  • @​clack/core@​1.4.0

1.4.0

Minor Changes

• 284677e: Support scrolling and maxItems option for groupMultiselect, and removes indent when withGuide is set to false

Patch Changes

... (truncated)

Commits

• 02ae191 [ci] release (#549)
• 56e9d67 docs: add jsdoc for date, limit-options, and messages (#546)
• 030ba4d [ci] release (#539)
• 83428ac feat: standard schema for validation (#543)
• adb6af9 docs: add jsdoc for box, group, and group-multi-select (#542)
• 3170ed9 docs: add jsdoc for autocomplete, confirm, and path prompts (#540)
• 3dcb31a fix: spaces and uppercase characters in multiline input (#534)
• fe2bcd2 [ci] release (#530)
• aab46a2 docs: add jsdoc for text, password, and multiline prompts (#523)
• 54be8d7 fix: trim lines from correct end (#532)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​clack/prompts since your current version.

Updates @floating-ui/dom from 1.7.5 to 1.7.6

Release notes

Sourced from @​floating-ui/dom's releases.

@​floating-ui/dom@​1.7.6

Patch Changes

• fix(types): ensure Platform type contains detectOverflow type
• perf: bundle and runtime improvements
• feat(autoUpdate): allow not passing a floating element
• Update dependencies: @floating-ui/utils@0.2.11, @floating-ui/core@1.7.5

Changelog

Sourced from @​floating-ui/dom's changelog.

1.7.6

Patch Changes

• fix(types): ensure Platform type contains detectOverflow type
• perf: bundle and runtime improvements
• feat(autoUpdate): allow not passing a floating element
• Update dependencies: @floating-ui/utils@0.2.11, @floating-ui/core@1.7.5

Commits

• See full diff in compare view

Updates @myriaddreamin/rehype-typst from 0.6.0 to 0.7.0

Release notes

Sourced from @​myriaddreamin/rehype-typst's releases.

v0.7.0

• Bumped typst to v0.14.2 in Myriad-Dreamin/typst.ts#796, Myriad-Dreamin/typst.ts#811, and Myriad-Dreamin/typst.ts#814

Packages

• (Fix) Resetting before using high-level compile/renderer APIs in Myriad-Dreamin/typst.ts#778
• (Fix) Iterating rects in labelled content in Myriad-Dreamin/typst.ts#783
• (Fix) Correct typing of compile format in Myriad-Dreamin/typst.ts#790
• (Change) Removing createTypstSvgRenderer in Myriad-Dreamin/typst.ts#779
• (Test) Testing renderer initialization in Myriad-Dreamin/typst.ts#791
• (Test) Adding all renderer tests in Myriad-Dreamin/typst.ts#792
• Added set_fonts API in Myriad-Dreamin/typst.ts#780
• Supported compile with root argument in Myriad-Dreamin/typst.ts#781
• Supported query with html target in Myriad-Dreamin/typst.ts#786 and Myriad-Dreamin/typst.ts#788
• Supported load fonts on demand in Myriad-Dreamin/typst.ts#787
• Provided snapshot API in Myriad-Dreamin/typst.ts#777

Compiler

• Implemented typst2hast in Myriad-Dreamin/typst.ts#743

rustdoc-typst-demo (New)

• Added rustdoc-typst-demo in Myriad-Dreamin/typst.ts#725

Package: typst.ts

• (Fix) Fixed race condition in snippet lib in Myriad-Dreamin/typst.ts#725
• (Fix) Respecting wrapper script passed on initialization in Myriad-Dreamin/typst.ts#804
• (Fix) Set PageMerge to default to get merged content for plain SVGs by @​TeddyHuang-00 in Myriad-Dreamin/typst.ts#826
• Added PDF standards supported in typst v0.14 in Myriad-Dreamin/typst.ts#800
• Added pdf tags options in Myriad-Dreamin/typst.ts#803

Package: typst.react

• (Fix) Not using property 'local-fonts', which is missed in Firefox by @​caterpillar-1 in Myriad-Dreamin/typst.ts#724

• feat: add css format to published files in typst.react by @​shipurjan in Myriad-Dreamin/typst.ts#765

Package: typst.vue3

• (Fix) Preventing reinitialization of compiler and renderer options during HMR by @​bryarrow in Myriad-Dreamin/typst.ts#773
• (Fix) Fixed incorrect Typst source code change listener by @​bryarrow in Myriad-Dreamin/typst.ts#767
• Generating ESM and type declarations for publishing in Myriad-Dreamin/typst.ts#776

Package: typst.svelte (New)

• added svelte 5 package by @​AquaBx in Myriad-Dreamin/typst.ts#809

... (truncated)

Commits

• 0501ced docs: clean up release workflow wording (#847)
• 61cd6bd test: skip flaky page label canvas snapshot (#846)
• 98319cc fix: allow npm dry-run release reruns (#845)
• ad8699f fix: add repository metadata for npm provenance (#844)
• d1b5d66 fix: publish npm packages to npm registry (#843)
• fc86b40 fix: make typst.node publish reruns tolerant (#842)
• 750e46c ci: fix release orchestration workflow (#841)
• 1880ef1 ci: add manual trusted publishing release flow (#839)
• 2a8b32d fix: publish was not passed
• e101afc build: bump version to 0.7.0 (#831)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​myriaddreamin/rehype-typst since your current version.

Updates esbuild-sass-plugin from 3.6.0 to 3.7.0

Release notes

Sourced from esbuild-sass-plugin's releases.

v3.7.0 Hasta la vista

Commits

• See full diff in compare view

Updates globby from 16.1.1 to 16.2.0

Release notes

Sourced from globby's releases.

v16.2.0

• Add globalGitignore option 51555b2

---

sindresorhus/globby@v16.1.1...v16.2.0

Commits

• 60e8167 16.2.0
• 51555b2 Add globalGitignore option
• 8d946e2 Fix CI
• See full diff in compare view

Updates isomorphic-git from 1.37.2 to 1.38.4

Release notes

Sourced from isomorphic-git's releases.

v1.38.4

1.38.4 (2026-06-02)

Bug Fixes

• pass credential config username to auth callbacks (#2346) (d9920c5)

v1.38.3

1.38.3 (2026-05-26)

Bug Fixes

• Improve internal error reporting guidance (#2345) (955acf3)

v1.38.2

1.38.2 (2026-05-25)

Bug Fixes

• add bot authoring to release commit (#2329) (328b1ba)
• add Clever Cloud logo to Acknowledgments in README (#2334) (89f441d)

v1.38.1

1.38.1 (2026-05-18)

Bug Fixes

• add cloudflare logo (#2316) (a71a835)

v1.38.0

1.38.0 (2026-05-15)

Bug Fixes

• Fix images in README (#2315) (007951f)

Features

• add refresh option to status and statusMatrix (#2313) (a7420b7)

v1.37.9

1.37.9 (2026-05-15)

... (truncated)

Commits

• d9920c5 fix: pass credential config username to auth callbacks (#2346)
• 955acf3 fix: Improve internal error reporting guidance (#2345)
• 89f441d fix: add Clever Cloud logo to Acknowledgments in README (#2334)
• 328b1ba fix: add bot authoring to release commit (#2329)
• a71a835 fix: add cloudflare logo (#2316)
• a7420b7 feat: add refresh option to status and statusMatrix (#2313)
• 007951f fix: Fix images in README (#2315)
• 6e99054 fix: point "jsdelivr" field to minified browser build (#2312)
• 6972b1e fix: remove duplicated contriobutors (#2311)
• 199714a fix: browser entrypoint not being used in some non-node build contexts (#2309)
• Additional commits viewable in compare view

Updates lightningcss from 1.31.1 to 1.32.0

Release notes

Sourced from lightningcss's releases.

v1.32.0

Added

• Enable custom resolvers to mark imports as external. Resolvers may now return {external: string} to mark an import as external. This will leave the @import in the output CSS instead of bundling it. See the docs for details.
• Allow visitors to add dependencies. Visitors may now be functions which receive an addDependency function as an option. Dependencies may be used by tools that call Lightning CSS such as bundlers to implement file watching or caching. See the docs for details.
• Add mix-blend-mode property support

Fixed

• Output unknown color-scheme keywords as-is instead of normal
• Improved serialization of the rotate property
• keep a single space between functions when formatting transform values
• Fix additionally inserted whitespace in var(--foo,) and env(--foo,)
• Convert the percentage in the scale property or scale() to a number
• update compat data

Commits

• See full diff in compare view

Updates minimatch from 10.2.2 to 10.2.5

Commits

• 693c823 10.2.5
• 7953af1 do not allow .. to consume drive letter on Windows
• 1caf918 lint and format
• 7783ed6 ignore docs
• 6d9b356 update deps etc
• c36addb 10.2.4
• 26b9002 docs: add warning about ReDoS
• 3a0d83b fix partial matching of globstar patterns
• ea94840 10.2.3
• 0873fba update deps
• Additional commits viewable in compare view

Updates preact from 10.28.4 to 10.29.2

Release notes

Sourced from preact's releases.

10.29.2

Fixes

• Fix hydration when we have defaultValue or value on a textarea (#5081, thanks @​JoviDeCroock)

Maintenance

• Add CODEOWNERS for GitHub configuration (v10.x) (#5088, thanks @​JoviDeCroock)
• Fix trusted publishing workflow (#5084, thanks @​JoviDeCroock)
• Trusted publishing (#5072, thanks @​JoviDeCroock)

10.29.1

Fixes

• Create a unique event-clock for each Preact instance on a page. (#5068, thanks @​JoviDeCroock)
• Fix incorrect DOM order with conditional ContextProvider and inner keys (#5067, thanks @​JoviDeCroock)

Maintenance

• fix: Remove postinstall script for playwright setup (#5063, thanks @​rschristian)
• chore: speed up tests by using playwright instead of webdriverio (#5060, thanks @​marvinhagemeister)
• chore: migrate remaining .js -> .jsx files (#5059, thanks @​marvinhagemeister)
• chore: rename .test.js -> .test.jsx when JSX is used (#5058, thanks @​marvinhagemeister)
• Migrate from biome to oxfmt (#5033, thanks @​JoviDeCroock)

10.29.0

Features

• Implement flushSync (#5036, thanks @​JoviDeCroock)

Fixes

• Ensure we reset renderCount (#5017, thanks @​JoviDeCroock)
• undefined prototype (#5041, thanks @​JoviDeCroock)

Performance

• Golf down compat (#5025, thanks @​JoviDeCroock)

Commits

• fce6ed7 10.29.2 (#5091)
• 84581d0 Fix buggy edge case (#5090)
• 5a39554 Add CODEOWNERS for GitHub configuration (#5088)
• 562e0f5 Fix trusted publishing workflow (#5084)
• 3a01255 Trusted publishing (#5072)
• cae8d3a Fix migrations when we have defaultValue or value on a textarea (#5081)
• 4dc9b50 10.29.1 (#5071)
• 0560f9a Create a unique event-clock for each Preact instance on a page. (#5068)
• cda06de Fix incorrect DOM order with conditional ContextProvider and inner keys (#506...
• c859700 fix: Remove postinstall script for playwright setup (#5063)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for preact since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates preact-render-to-string from 6.6.6 to 6.7.0

Release notes

Sourced from preact-render-to-string's releases.

v6.7.0

Minor Changes

• #450 dbc692f Thanks @​JoviDeCroock! - Adjust the comment-marker for streaming to be the same as renderToStringAsync where we use \$s

Patch Changes

• #461 e32a4cd Thanks @​JoviDeCroock! - Reject unsafe namespaced attribute names before normalizing SVG/XML attribute casing.

v6.6.7

Patch Changes

• #457 ce6ef71 Thanks @​lemonmade! - fix: renderToStringAsync produces commas for suspended components with complex children

Changelog

Sourced from preact-render-to-string's changelog.

6.7.0

Minor Changes

• #450 dbc692f Thanks @​JoviDeCroock! - Adjust the comment-marker for streaming to be the same as renderToStringAsync where we use $s

Patch Changes

• #461 e32a4cd Thanks @​JoviDeCroock! - Reject unsafe namespaced attribute names before normalizing SVG/XML attribute casing.

6.6.7

Patch Changes

• #457 ce6ef71 Thanks @​lemonmade! - fix: renderToStringAsync produces commas for suspended components with complex children

Commits

• eb871c8 Merge pull request #460 from preactjs/changeset-release/main
• b22fc16 Version Packages
• 833043b Merge pull request #461 from preactjs/fix-link
• e32a4cd Reject namespaced attribute
• 990307a Merge pull request #458 from preactjs/changesets-based-publishing
• bcd3b0b Pin npm in CI
• 950a59f Add changesets based publishing
• 797a662 Merge pull request #450 from preactjs/id-adjustements
• df713c5 Merge pull request #454 from preactjs/changeset-release/main
• 39da545 Version Packages
• Additional commits viewable in compare view

Updates serve-handler from 6.1.6 to 6.1.7

Release notes

Sourced from serve-handler's releases.

6.1.7

Patches

• Fix: update minimatch to 3.1.5 to resolve security vulnerabilities: #228

Credits

Huge thanks to @​ParakhJaggi for helping!

Commits

• 5158ae7 6.1.7
• 754d1dc fix: update minimatch to 3.1.5 to resolve security vulnerabilities (#228)
• 8b357fa Revert "chore(deps): upgrade minimatch to v10.2.4 (#226)"
• 8df54ef chore(deps): upgrade minimatch to v10.2.4 (#226)
• See full diff in compare view

Updates workerpool from 10.0.1 to 10.0.2

Changelog

Sourced from workerpool's changelog.

2026-04-16, version 10.0.2

• Fix: #542 clean up listeners when abort triggers. Thanks @​joshLong145.

Commits

• eb55e63 chore: publish v10.0.2
• a0d5bc9 chore: update devDependencies
• 19fab44 fix(worker): clean up listeners when abort triggers (#547)
• 106d6a6 chore(deps-dev): bump follow-redirects in /examples/webpack5 (#546)
• 87088cf chore(deps-dev): bump lodash in /examples/webpack5 (#544)
• 50d6512 chore(deps-dev): bump node-forge in /examples/webpack5 (#545)
• 1cb42ce chore(deps-dev): bump vite from 6.4.1 to 6.4.2 in /examples/vite (#543)
• 113dfe7 chore(deps): bump picomatch (#540)
• 4b4ffcd chore(deps): bump picomatch from 4.0.2 to 4.0.4 in /examples/vite (#541)
• 53cad6d chore(deps): bump picomatch from 2.3.1 to 2.3.2 in /examples/webpack5 (#539)
• Additional commits viewable in compare view

Updates ws from 8.19.0 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

• Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

• Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits

• bca91ad [dist] 8.21.0
• 2b2abd4 [security] Limit retained message parts
• 78eabe2 [security] Add latest vulnerability to SECURITY.md
• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• Additional commits viewable in compare view

Updates yaml from 2.8.2 to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

• fix: Avoid calling Array.prototype.push.apply() with large source array
• fix(lexer): Avoid recursive calls that may exhaust the call stack

v2.8.4

• Disable alias resolution with maxAliasCount:0 (#677)
• Handle invalid unicode escapes (e1a1a77)
• Apply minFractionDigits only to decimal strings (#676)

v2.8.3

• Add trailingComma ToString option for multiline flow formatting (#670)
• Catch stack overflow during node composition (1e84ebb)

Commits

• ddb21b0 2.9.0
• 167365b docs: Clarify that not all errors can be avoided
• 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
• 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
• ccdf743 2.8.4
• f625789 fix: Disable alias resolution with maxAliasCount:0 (#677)
• e1a1a77 fix: Handle invalid unicode escapes
• a163ea0 style: Satify Prettier
• b2a5a6c fix: Apply minFractionDigits only to decimal strings (#676)
• 93c951b chore: Bump JSR version to v2.8.3 (#673)
• Additional commits viewable in compare view

Updates @quartz-community/types from 0d62f52 to d342893

Commits

• d342893 chore: updated dependencies
• d413569 feat: add vfile DataMap augmentation, SimpleSlug, and ValidDateType
• b1dc9ac Update dist outputs
• 861d363 feat: add SortFn and ThemeKey type exports
• 653aece feat: add ContentIndex/ContentDetails types and globals.d.ts for centralized ...
• 5786c30 chore: commit dist/ and remove prepare script
• 22a709b chore: move build tools to devDependencies, shared deps to peerDependencies
• c7df97d feat: add TreeTransform type and treeTransforms field to PageType plugin
• a945040 feat: add PageFrame, PageFrameProps types and frame field to PageType
• See full diff in compare view

Updates @quartz-community/utils from 1ad4e4f to ff02040

Commits

• ff02040 build: rebuild dist
• 37b89c3 fix: match obsidian-importer illegal character filter in slugs
• e09d8b0 build: rebuild dist
• b6aa8b0 test: added regression tests
• 2f2f5da fix: block links resolution casing issues
• 7a43501 build: rebuild dist with transformInternalLink folder-path fix
• 6721918 fix(path): detect folder paths after slugification in transformInternalLink
• 83f824b fix(path): re-export normalizeHastElement from index
• bb5c136 feat(path): add normalizeHastElement for cross-slug HAST rebasing
• 4dda81b feat(path)!: lowercase slugs for Obsidian-parity case-insensitive matching
• Additional commits viewable in compare view

Update...

Description has been truncated