Skip to content

chore(deps): bump the bun-minor-patch group with 4 updates#986

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/bun/bun-minor-patch-122045cade
Open

chore(deps): bump the bun-minor-patch group with 4 updates#986
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/bun/bun-minor-patch-122045cade

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 4, 2026

Copy link
Copy Markdown
Contributor

Bumps the bun-minor-patch group with 4 updates: @anthropic-ai/claude-agent-sdk, xstate, @biomejs/biome and knip.

Updates @anthropic-ai/claude-agent-sdk from 0.3.195 to 0.3.201

Release notes

Sourced from @​anthropic-ai/claude-agent-sdk's releases.

v0.3.201

What's changed

  • Updated to parity with Claude Code v2.1.201

Update

npm install @anthropic-ai/claude-agent-sdk@0.3.201
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.201
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.201
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.201

v0.3.200

What's changed

  • Added 'manual' as an accepted alias for the 'default' permission mode in SDK inputs
  • Fixed onSetPermissionMode callback not firing for SDK-hosted Remote Control sessions
  • Fixed set_model control request accepting unrecognized model strings; invalid models are now rejected before latching

Update

npm install @anthropic-ai/claude-agent-sdk@0.3.200
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.200
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.200
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.200

v0.3.199

What's changed

  • Added requestId to canUseTool callback options for correlating out-of-band permission responses, and support for returning null to suppress the SDK's automatic control response
  • Added blocked field to workflow_agent progress events indicating when an agent was blocked by the auto-mode safety classifier
  • Added mode:"mask" and per-credential injectHosts to sandbox.credentials settings types for injecting masked credentials into sandboxed commands

Update

npm install @anthropic-ai/claude-agent-sdk@0.3.199
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.199
# or
</tr></table> 

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-agent-sdk's changelog.

0.3.201

  • Updated to parity with Claude Code v2.1.201

0.3.200

  • Added 'manual' as an accepted alias for the 'default' permission mode in SDK inputs
  • Fixed onSetPermissionMode callback not firing for SDK-hosted Remote Control sessions
  • Fixed set_model control request accepting unrecognized model strings; invalid models are now rejected before latching

0.3.199

  • Added requestId to canUseTool callback options for correlating out-of-band permission responses, and support for returning null to suppress the SDK's automatic control response
  • Added blocked field to workflow_agent progress events indicating when an agent was blocked by the auto-mode safety classifier
  • Added mode:"mask" and per-credential injectHosts to sandbox.credentials settings types for injecting masked credentials into sandboxed commands

0.3.198

  • Added a runtime warning when canUseTool is configured alongside allowedTools or bypassPermissions, which shadow the callback
  • Added per-server request_timeout_ms option to mcp_set_servers control request
  • Fixed SDKUserMessage.isSynthetic not being mapped to isMeta on ingestion, which could cause synthetic messages to be treated as real user messages
  • Fixed workflow progress events silently dropping earliest agents from the list while the phase counter remained correct

0.3.197

  • Updated to parity with Claude Code v2.1.197

0.3.196

  • Added prompt_id field to hook input payloads for correlating hook events with OpenTelemetry prompt-level events
  • Fixed control protocol deduplication dropping tool-use IDs after 1000 resolutions, which could cause duplicate tool_result deliveries in long-running sessions
Commits

Updates xstate from 5.32.2 to 5.32.4

Release notes

Sourced from xstate's releases.

xstate@5.32.4

Patch Changes

  • #5589 e913eeb Thanks @​spokodev! - Fixed a bug where targeting a history state that is a direct child of a parallel state would silently do nothing when that parallel state had not been visited yet and the history state had no default target. The machine now enters the parallel state's initial configuration, matching the behavior of history states inside compound states.

    const machine = createMachine({
      initial: 'off',
      states: {
        off: { on: { GO: 'on.hist' } },
        on: {
          type: 'parallel',
          states: {
            regA: { initial: 'a1', states: { a1: {}, a2: {} } },
            regB: { initial: 'b1', states: { b1: {}, b2: {} } },
            hist: { type: 'history', history: 'deep' }
          }
        }
      }
    });
    const actor = createActor(machine).start();
    actor.send({ type: 'GO' });
    actor.getSnapshot().value; // { on: { regA: 'a1', regB: 'b1' } }

xstate@5.32.3

Patch Changes

  • #5575 830db8b Thanks @​JSap0914! - Fixed initialTransition (and transition) throwing "Actor with system ID '...' already exists" when the machine contains an invoke with a systemId.

    Root cause: createInertActorScope used createActor(logic) internally, which eagerly ran getInitialSnapshot during construction and registered any systemId-carrying child actors in the system. When the caller then ran getInitialSnapshot (or transition) via the returned scope, the same system was reused, causing the duplicate-registration error.

    Fix: After creating the internal actor, createInertActorScope now replaces the actor's system reference with a freshly-created system. Child actors spawned by the subsequent caller-driven getInitialSnapshot / transition invocation therefore register into a clean system with no pre-existing entries.

    const machine = createMachine({
      initial: 'idle',
      states: {
        idle: {
          invoke: {
            src: fromPromise(async () => 42),
            systemId: 'myActor' // previously caused: "Actor with system ID 'myActor' already exists"
          }
        }
      }
    });
    // Now works correctly — returns [snapshot, actions] without throwing
    const [snapshot, actions] = initialTransition(machine);

... (truncated)

Commits

Updates @biomejs/biome from 2.5.1 to 2.5.2

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.5.2

2.5.2

Patch Changes

  • #10595 f458028 Thanks @​pkallos! - Added the option ignoreBooleanCoercion to useNullishCoalescing. When enabled, Biome ignores || and ||= used inside a Boolean() call, where coalescing on falsy values is intentional.

  • #10798 4a32b63 Thanks @​pkallos! - Added the option ignorePrimitives to useNullishCoalescing. When enabled, Biome ignores ||, ||=, and ternary expressions whose non-nullish operands are all primitives the option opts out of. Use true to ignore all primitives, or an object selecting string, number, boolean, or bigint.

  • #10545 f3d4c00 Thanks @​Mokto! - Added the new nursery rule noSvelteUnnecessaryStateWrap, which reports unnecessary $state() wrapping of classes from svelte/reactivity that are already reactive.

    <script>
    import { SvelteMap } from "svelte/reactivity";
    const map = $state(new SvelteMap()); // redundant
    </script>
  • #10752 f62fb8b Thanks @​ematipico! - Fixed #10739. Now the rule useValidAutocomplete correctly flags the autoComplete attribute.

  • #10796 f1b3ab2 Thanks @​ematipico! - Fixed #10768. Improved the performance of the Biome Language Server by cancelling certain in-flight operations when there are fast updates.

  • #10719 aa649b5 Thanks @​minseong0324! - Fixed noMisleadingReturnType false positive on returns that use a widening type assertion: "a" as string is no longer reported as misleading. The rule now also reports a literal-pinning assertion such as false as false, matching the existing as const behavior.

    // No longer flagged (returns are `string`):
    function getValue(b: boolean): string {
      if (b) return "a" as string;
      return "b" as string;
    }
    // Now also reported, like as const (returns false):
    function isReady(): boolean {
    return false as false;
    }

  • #10678 8f073a7 Thanks @​PranavAchar01! - Fixed #7718: Biome now correctly parses CSS nesting selectors when & appears as a trailing sub-selector after a type selector, e.g. h1& { color: red; }.

  • #10756 5ec965a Thanks @​denbezrukov! - Fixed CSS formatter output for selector lists with allowWrongLineComments and // comments after a selector comma. Biome now keeps the selector before the line comment inline instead of breaking it across descendant combinators.

    -.powerPathNavigator
    -  .helm
    -  button.pressedButton, // pressed
    +.powerPathNavigator .helm button.pressedButton, // pressed
     .powerPathNavigator .helm button:active:not(.disabledButton) {
     }

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.5.2

Patch Changes

  • #10595 f458028 Thanks @​pkallos! - Added the option ignoreBooleanCoercion to useNullishCoalescing. When enabled, Biome ignores || and ||= used inside a Boolean() call, where coalescing on falsy values is intentional.

  • #10798 4a32b63 Thanks @​pkallos! - Added the option ignorePrimitives to useNullishCoalescing. When enabled, Biome ignores ||, ||=, and ternary expressions whose non-nullish operands are all primitives the option opts out of. Use true to ignore all primitives, or an object selecting string, number, boolean, or bigint.

  • #10545 f3d4c00 Thanks @​Mokto! - Added the new nursery rule noSvelteUnnecessaryStateWrap, which reports unnecessary $state() wrapping of classes from svelte/reactivity that are already reactive.

    <script>
    import { SvelteMap } from "svelte/reactivity";
    const map = $state(new SvelteMap()); // redundant
    </script>
  • #10752 f62fb8b Thanks @​ematipico! - Fixed #10739. Now the rule useValidAutocomplete correctly flags the autoComplete attribute.

  • #10796 f1b3ab2 Thanks @​ematipico! - Fixed #10768. Improved the performance of the Biome Language Server by cancelling certain in-flight operations when there are fast updates.

  • #10719 aa649b5 Thanks @​minseong0324! - Fixed noMisleadingReturnType false positive on returns that use a widening type assertion: "a" as string is no longer reported as misleading. The rule now also reports a literal-pinning assertion such as false as false, matching the existing as const behavior.

    // No longer flagged (returns are `string`):
    function getValue(b: boolean): string {
      if (b) return "a" as string;
      return "b" as string;
    }
    // Now also reported, like as const (returns false):
    function isReady(): boolean {
    return false as false;
    }

  • #10678 8f073a7 Thanks @​PranavAchar01! - Fixed #7718: Biome now correctly parses CSS nesting selectors when & appears as a trailing sub-selector after a type selector, e.g. h1& { color: red; }.

  • #10756 5ec965a Thanks @​denbezrukov! - Fixed CSS formatter output for selector lists with allowWrongLineComments and // comments after a selector comma. Biome now keeps the selector before the line comment inline instead of breaking it across descendant combinators.

    -.powerPathNavigator
    -  .helm
    -  button.pressedButton, // pressed
    +.powerPathNavigator .helm button.pressedButton, // pressed
     .powerPathNavigator .helm button:active:not(.disabledButton) {
     }
  • #10757 6232fcd Thanks @​PranavAchar01! - Fixed #8269: the CSS parser now accepts Tailwind @variant and @utility names that start with a digit, such as the 2xl breakpoint.

... (truncated)

Commits

Updates knip from 6.22.0 to 6.24.0

Release notes

Sourced from knip's releases.

Release 6.24.0

  • chore: update year in license (#1833) (32bc844dfd3895884b11fea5ef94bf3fa1974946) - thanks @​trueberryless!
  • ci: pin github actions (#1835) (82a8d0913105a637e9eeccfe3b785be90c873e2a) - thanks @​trueberryless!
  • Assume Node 24+/Bun and remove compilation step (d9ef038429bec06c37fdb520e5c7353c8cae6ce7)
  • Don't report working-directory scripts as unlisted binaries (resolve #1834) (aea7923438f0a8f459458578526f358b02497f77)
  • Add pnpm run lint to CI workflow (ec9aa1cabb58c97b8ecc4815e6cdd6421fe2a89e)
  • feat: add settings for Zed editor to use oxlint and oxfmt (#1836) (111f2e0a17999e3ffdf4c097cd42ba08acd48508) - thanks @​trueberryless!
  • fix: remove format_on_save: true settings from Zed settings to respect user settings (#1838) (dc2a64043035d426eb99a9d1e0eb873d02a09e7d) - thanks @​trueberryless!
  • feat: add Renovate for GitHub actions only (#1839) (ffce88c86f95822ee2a7cf8407e987a3ec79b097) - thanks @​trueberryless!
  • Ignore import() in JSDoc examples (#1844) (6f090f90f04e8202700ed68977faa1dc626ff235) - thanks @​cyphercodes!
  • Don't report types used only in module augmentations as unused (resolve #1843) (7901abd3c4b496f212445bff9768efc9548ded61)
  • Restore CI intent (0d739beab2e224385f449d62d6cc7d904107946e)
  • feat: add less, stylus compilers and astro, svelte, vue import resolution (#1845) (5525759f33a5664e4882aebe239e9c17eeb29f92) - thanks @​trueberryless!
  • Don't report built-in compiler dependencies as unused (3c9d4adf369f0064399d9da7b4f11f0467180bf5)
  • feat: add scss handling to stencil plugin (#1846) (acba6b85ab05f70385228872fafea2b08290d0f6) - thanks @​johnjenkins!
  • fix(reporters): always print the issue-type title for a single group (#1848) (cf997b2408cc0814c2d310d1e8c8680340153fa1) - thanks @​morgan-coded!
  • Export Issue, IssueRecords and IssueType types (resolve #1840) (260f19230f42c9dceaac97d55bf34d17902c5b38)
  • Squeeze every bit of perf out around compilers (bb0eeb6e33d050dab736134b5b692a3d6413f358)

Release 6.23.0

  • feat: add customCss to Starlight plugin (#1828) (f85d96f84a47f10c34df95a5246ee1ddefd95db5) - thanks @​trueberryless!
  • fix: enable vite and vitest plugins when vite-plus is found (#1830) (62e97538fca8dff3d152326b114ffc4b7241a0d2) - thanks @​ghostdevv!
  • feat: add support for @​astrojs/markdoc (#1829) (94e2863308947f19f5e759cc12666952c8f683d7) - thanks @​trueberryless!
  • Support nub (resolve #1831) (8a6050e6a92da81d4875f730f852fb7d9252a018)
  • Don't report optimizeDeps and dedupe deps as unlisted (resolve #1832) (849b5ac230e7a8c103b6e1b1e2ddb333d2da3ca0)
Commits
  • 2979803 Release knip@6.24.0
  • bb0eeb6 Squeeze every bit of perf out around compilers
  • 260f192 Export Issue, IssueRecords and IssueType types (resolve #1840)
  • cf997b2 fix(reporters): always print the issue-type title for a single group (#1848)
  • acba6b8 feat: add scss handling to stencil plugin (#1846)
  • 3c9d4ad Don't report built-in compiler dependencies as unused
  • 5525759 feat: add less, stylus compilers and astro, svelte, vue import resolution (#1...
  • 7901abd Don't report types used only in module augmentations as unused (resolve #1843)
  • 6f090f9 Ignore import() in JSDoc examples (#1844)
  • aea7923 Don't report working-directory scripts as unlisted binaries (resolve #1834)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the bun-minor-patch group with 4 updates: [@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript), [xstate](https://github.com/statelyai/xstate), [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) and [knip](https://github.com/webpro-nl/knip/tree/HEAD/packages/knip).


Updates `@anthropic-ai/claude-agent-sdk` from 0.3.195 to 0.3.201
- [Release notes](https://github.com/anthropics/claude-agent-sdk-typescript/releases)
- [Changelog](https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md)
- [Commits](anthropics/claude-agent-sdk-typescript@v0.3.195...v0.3.201)

Updates `xstate` from 5.32.2 to 5.32.4
- [Release notes](https://github.com/statelyai/xstate/releases)
- [Commits](https://github.com/statelyai/xstate/compare/xstate@5.32.2...xstate@5.32.4)

Updates `@biomejs/biome` from 2.5.1 to 2.5.2
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.5.2/packages/@biomejs/biome)

Updates `knip` from 6.22.0 to 6.24.0
- [Release notes](https://github.com/webpro-nl/knip/releases)
- [Commits](https://github.com/webpro-nl/knip/commits/knip@6.24.0/packages/knip)

---
updated-dependencies:
- dependency-name: "@anthropic-ai/claude-agent-sdk"
  dependency-version: 0.3.201
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: bun-minor-patch
- dependency-name: xstate
  dependency-version: 5.32.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: bun-minor-patch
- dependency-name: "@biomejs/biome"
  dependency-version: 2.5.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: bun-minor-patch
- dependency-name: knip
  dependency-version: 6.24.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: bun-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 4, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 4, 2026 22:03
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 4, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updated@​anthropic-ai/​claude-agent-sdk@​0.3.195 ⏵ 0.3.2017310092 +110070
Updatedknip@​6.22.0 ⏵ 6.24.09910095 +196100
Updated@​biomejs/​biome@​2.5.1 ⏵ 2.5.210010010098 -1100
Updatedxstate@​5.32.2 ⏵ 5.32.4100 +110010098 +1100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
License policy violation: npm @anthropic-ai/claude-agent-sdk under MPL-2.0

License: The package entry has license metadata, but it could not be parsed - This license was not allowed or given any lesser classification by the applicable policy (npm metadata)

License: SEE LICENSE IN README.md - This license classifier is not allowed by the applicable policy (package/package.json)

From: package.jsonnpm/@anthropic-ai/claude-agent-sdk@0.3.201

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@anthropic-ai/claude-agent-sdk@0.3.201. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@github-code-quality

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / unit

The overall coverage remains at 88%, unchanged from the branch.


Code Coverage is in Public Preview. Learn more and provide us with your feedback.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants