chore(deps-dev): bump the development-dependencies group across 1 directory with 8 updates

[dependabot]

Bumps the development-dependencies group with 8 updates in the / directory:

Package	From	To
@changesets/changelog-github	0.6.0	0.7.0
@changesets/cli	2.30.0	2.31.0
@stylistic/stylelint-plugin	5.1.0	5.2.0
@types/node	25.5.2	25.9.3
eslint-plugin-jsdoc	62.9.0	63.0.2
pkg-ok	3.0.0	4.0.0
stylelint	17.6.0	17.13.0
undici	8.0.2	8.4.1

Updates @changesets/changelog-github from 0.6.0 to 0.7.0

Release notes

Sourced from @​changesets/changelog-github's releases.

@​changesets/changelog-github@​0.7.0

Minor Changes

• #1255 94578cf Thanks @​Kauhsa! - Added disableThanks option

Commits

• d1ef2d8 Version Packages (#1950)
• 7af5876 Restrict publish job to the npm env (#1972)
• ff767d2 Sync config-file-options documentation with schema.json and source code (#1683)
• 951094b fix: pin 2 unpinned action(s) (#1915)
• 94578cf Added disableThanks option (#1255)
• d87334d Support dark mode banner in readme (#1943)
• 87472a7 Update .vscode/settings.json (#1944)
• 317a373 Disable publish_pr job
• 9cce6db Version Packages (#1897)
• d2121dc Fix npm auth for path-based registries during publish by preserving configure...
• Additional commits viewable in compare view

Updates @changesets/cli from 2.30.0 to 2.31.0

Release notes

Sourced from @​changesets/cli's releases.

@​changesets/cli@​2.31.0

Minor Changes

• #1889 96ca062 Thanks @​mixelburg! - Error on unsupported flags for individual CLI commands and print the matching command usage to make mistakes easier to spot.

• #1873 42943b7 Thanks @​mixelburg! - Respond to --help on all subcommands. Previously, --help was only handled when it was the sole argument; passing it alongside a subcommand (e.g. changeset version --help) would silently execute the command instead. Now --help always exits early and prints per-command usage when a known subcommand is provided, or the general help text otherwise.

Patch Changes

• d2121dc Thanks @​Andarist! - Fix npm auth for path-based registries during publish by preserving configured registry URLs instead of normalizing them.

• #1888 036fdd4 Thanks @​mixelburg! - Fix several changeset version issues with workspace protocol dependencies. Valid explicit workspace: ranges and aliases are no longer rewritten unnecessarily, and workspace path references are handled correctly during versioning.

• #1903 5c4731f Thanks @​Andarist! - Gracefully handle stale npm info data leading to duplicate publish attempts.

• #1867 f61e716 Thanks @​Andarist! - Improved detection for published state of prerelease-only packages without latest dist-tag on GitHub Packages registry.

• Updated dependencies [036fdd4, 036fdd4, 036fdd4]:

  • @​changesets/assemble-release-plan@​6.0.10
  • @​changesets/get-dependents-graph@​2.1.4
  • @​changesets/apply-release-plan@​7.1.1
  • @​changesets/get-release-plan@​4.0.16
  • @​changesets/config@​3.1.4

Commits

• 9cce6db Version Packages (#1897)
• d2121dc Fix npm auth for path-based registries during publish by preserving configure...
• 036fdd4 Fix several changeset version issues with workspace protocol dependencies (...
• 5c4731f Gracefully handle stale npm info data leading to duplicate publish attempts...
• 96ca062 Error on unsupported flags for individual CLI commands (#1889)
• 42943b7 fix(cli): respond to --help on all subcommands (#1873)
• f61e716 Improved detection for published state of prerelease-only packages without ...
• See full diff in compare view

Updates @stylistic/stylelint-plugin from 5.1.0 to 5.2.0

Release notes

Sourced from @​stylistic/stylelint-plugin's releases.

Release v5.2.0

Added

• The declaration-block-semicolon-newline-before rule is now autofixable.

Fixed

• An exception for an empty custom property value has been added to the declaration-block-semicolon-newline-before and declaration-colon-space-after rules: the --custom-prop: ; and --custom-prop:; variants are now considered valid (see #50).

Changelog

Sourced from @​stylistic/stylelint-plugin's changelog.

[5.2.0] — 2026–05–20

Added

• The declaration-block-semicolon-newline-before rule is now autofixable.

Fixed

• An exception for an empty custom property value has been added to the declaration-block-semicolon-newline-before and declaration-colon-space-after rules: the --custom-prop: ; and --custom-prop:; variants are now considered valid (see #50).

Commits

• 19b1128 5.2.0
• 555c336 Add Makefile
• 6734a82 Add more colors to GitHub CI
• 21caa34 Upgrade pnpm to 11 version
• b57ac70 Add integration test for empty custom property
• c9de629 Add an exception to declaration-colon-space-after related to an empty custo...
• b77b3ca Make declaration-block-semicolon-newline-before rule autofixable
• 71b2694 Add an exception to declaration-block-semicolon-newline-before related to a...
• ab47833 Remove pretest hook
• a4146bd Fix pre-commit hook
• Additional commits viewable in compare view

Updates @types/node from 25.5.2 to 25.9.3

Commits

• See full diff in compare view

Updates eslint-plugin-jsdoc from 62.9.0 to 63.0.2

Release notes

Sourced from eslint-plugin-jsdoc's releases.

v63.0.2

63.0.2 (2026-06-06)

Bug Fixes

• allow typedef returns that may be void; fixes #1390 (#1699) (319e84b)

v63.0.1

63.0.1 (2026-06-01)

Bug Fixes

• empty-tags: preserve start and ending delimiters to avoid erros with single-line tags; fixes #1697 (938a1f0)

v63.0.0

63.0.0 (2026-05-20)

Bug Fixes

• require-throws: avoid skipping constructors; fixes #1692 (cacb73e)

chore

• test Node 26; drop 20 (c43043a)

BREAKING CHANGES

• Drop Node 20

Commits

• 50a7fbc chore: update semver and devDeps.
• 6041995 docs: fix in output
• 319e84b fix: allow typedef returns that may be void; fixes #1390 (#1699)
• 938a1f0 fix(empty-tags): preserve start and ending delimiters to avoid erros with s...
• 1f857a9 chore: update jsdoccomment, comment-parser, object-deep-merge, semver, devDeps.
• 3d53b88 docs: fix AST and Selectors links; closes #1691
• a0b05f5 chore(deps): bump minimatch from 3.0.5 to 10.2.5
• 5980856 chore: drop Node 26 for now (until Node/yargs/c8 issue fixed)
• 4a3d194 chore: linting
• dca8a75 chore: update for pnpm 11
• Additional commits viewable in compare view

Updates pkg-ok from 3.0.0 to 4.0.0

Changelog

Sourced from pkg-ok's changelog.

4.0.0

• Require Node 20, 22, or 24

Commits

• c4bf4e9 Merge pull request #173 from abraham/copilot/remove-husky-package
• b5b9ad6 chore: remove husky and pre-commit hook
• 8ed0ae6 Merge pull request #171 from abraham/abraham-patch-1
• 65a7813 Initial plan
• 4ad7c3e npm run format
• 0ecc782 Add GitHub Actions workflow to publish package
• 41718cd Merge pull request #170 from abraham/abraham-patch-1
• cae00cb Bump version from 3.0.0 to 4.0.0
• b24240c Revise Node.js support in CHANGELOG
• e420bf1 Merge pull request #168 from abraham/copilot/update-meow-to-v14
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for pkg-ok since your current version.

Updates stylelint from 17.6.0 to 17.13.0

Release notes

Sourced from stylelint's releases.

17.13.0

It fixes 3 bugs, including a false negative one.

• Fixed: declaration-block-no-duplicate-properties false negatives for interleaved non-consecutive duplicates with ignore: ["consecutive-duplicates(-*)"] (#9324) (@​sarathfrancis90).
• Fixed: selector-max-type false positives for nested selectors (#9319) (@​romainmenke).
• Fixed: selector-type-no-unknown false positives for install (#9308) (@​Mouvedia).

17.12.0

It fixes 3 bugs, including a false negative one.

• Fixed: block-no-empty reported range when using comments (#9294) (@​romainmenke).
• Fixed: declaration-property-value-no-unknown false negatives for custom properties defined in reference files (#9292) (@​romainmenke).
• Fixed: value-keyword-layout-mappings false positives for caption-side (#9293) (@​romainmenke).

17.11.1

It fixes 2 bugs.

• Fixed: node_modules ignore for codeFilename paths containing a dot-prefixed directory (#9282) (@​tuhtah).
• Fixed: declaration-block-no-redundant-longhand-properties range for contiguous redundant longhand properties (#9273) (@​pamelalozano16).

17.11.0

It adds 2 features, including a loader property to referenceFiles: {} for when the order of appearance in the reference styles matters.

• Added: loader to experimental referenceFiles: {} (#9251) (@​romainmenke).
• Added: autofixed to the result object (#8771) (@​Rob--W).

17.10.0

It adds 3 rules and fixes 4 bugs. You can use the *-layout-mappings rules to enforce logical or physical properties, units and keywords.

• Added: selector-no-invalid rule (#9232) (@​jeddy3).
• Added: unit-layout-mappings rule (#9229) (@​jeddy3).
• Added: value-keyword-layout-mappings rule (#9233) (@​jeddy3).
• Fixed: inconsistent error messages when module is not found (#9260) (@​ybiquitous).
• Fixed: property-layout-mappings false negatives for property names in declaration values (#9222) (@​jeddy3).
• Fixed: property-layout-mappings false positives for @page properties (#9223) (@​jeddy3).
• Fixed: selector-pseudo-class-no-unknown false positives for nested webkit-scrollbar part (#9259) (@​rkdfx).

17.9.1

It fixes 4 bugs. We also documented the messageArgs each rule provides to the message configuration property.

• Fixed: ConfigurationError regression for custom syntaxes (#9245) (@​jeddy3).
• Fixed: MD5 hash algorithm to SHA256 for caching (#9241) (@​rkdfx).
• Fixed: property-no-deprecated autofix for page-break-*: always (#9214) (@​rkdfx).
• Fixed: selector-no-deprecated false positives for ::part() (#9227) (@​SaekiTominaga).

17.9.0

It adds 3 new features. Adding the referenceFiles property to your configuration object makes the no-unknown-animations, no-unknown-custom-media and no-unknown-custom-properties rules more useful.

• Added: experimental referenceFiles to configuration object (#9179) (@​jeddy3).
• Added: experimental abortSignal option to Node.js API for cancellation support (#9213) (@​adalinesimonian).

... (truncated)

Changelog

Sourced from stylelint's changelog.

17.13.0 - 2026-06-06

It fixes 3 bugs, including a false negative one.

• Fixed: declaration-block-no-duplicate-properties false negatives for interleaved non-consecutive duplicates with ignore: ["consecutive-duplicates(-*)"] (#9324) (@​sarathfrancis90).
• Fixed: selector-max-type false positives for nested selectors (#9319) (@​romainmenke).
• Fixed: selector-type-no-unknown false positives for install (#9308) (@​Mouvedia).

17.12.0 - 2026-05-20

It fixes 3 bugs, including a false negative one.

• Fixed: block-no-empty reported range when using comments (#9294) (@​romainmenke).
• Fixed: declaration-property-value-no-unknown false negatives for custom properties defined in reference files (#9292) (@​romainmenke).
• Fixed: value-keyword-layout-mappings false positives for caption-side (#9293) (@​romainmenke).

17.11.1 - 2026-05-14

It fixes 2 bugs.

• Fixed: node_modules ignore for codeFilename paths containing a dot-prefixed directory (#9282) (@​tuhtah).
• Fixed: declaration-block-no-redundant-longhand-properties range for contiguous redundant longhand properties (#9273) (@​pamelalozano16).

17.11.0 - 2026-05-05

It adds 2 features, including a loader property to referenceFiles: {} for when the order of appearance in the reference styles matters.

• Added: loader to experimental referenceFiles: {} (#9251) (@​romainmenke).
• Added: autofixed to the result object (#8771) (@​Rob--W).

17.10.0 - 2026-05-03

It adds 3 rules and fixes 4 bugs. You can use the *-layout-mappings rules to enforce logical or physical properties, units and keywords.

• Added: selector-no-invalid rule (#9232) (@​jeddy3).
• Added: unit-layout-mappings rule (#9229) (@​jeddy3).
• Added: value-keyword-layout-mappings rule (#9233) (@​jeddy3).
• Fixed: inconsistent error messages when module is not found (#9260) (@​ybiquitous).
• Fixed: property-layout-mappings false negatives for property names in declaration values (#9222) (@​jeddy3).
• Fixed: property-layout-mappings false positives for @page properties (#9223) (@​jeddy3).
• Fixed: selector-pseudo-class-no-unknown false positives for nested webkit-scrollbar part (#9259) (@​rkdfx).

17.9.1 - 2026-04-27

It fixes 4 bugs. We also documented the messageArgs each rule provides to the message configuration property.

• Fixed: ConfigurationError regression for custom syntaxes (#9245) (@​jeddy3).
• Fixed: MD5 hash algorithm to SHA256 for caching (#9241) (@​rkdfx).
• Fixed: property-no-deprecated autofix for page-break-*: always (#9214) (@​rkdfx).
• Fixed: selector-no-deprecated false positives for ::part() (#9227) (@​SaekiTominaga).

... (truncated)

Commits

• 7fcee2b Release 17.13.0 (#9342)
• 3b7287b Refactor to reuse shared utilities (#9337)
• 8e889c3 Bump lint-staged from 17.0.4 to 17.0.5 (#9334)
• a74aab4 Bump the stylelint-actions group with 5 updates (#9333)
• 74c6448 Fix declaration-block-no-duplicate-properties false negatives for interleav...
• 1cd26ac Skip changeset verification on fork PRs CI (#9331)
• 712b986 Fix vulnerable dependencies via npm audit fix (#9328)
• 27196b7 Fix CI badge in README.md (#9329)
• 179bba2 Refactor to use @import over @typedef for simple imports (#9326)
• 94eab54 Document using our PR template (#9327)
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates undici from 8.0.2 to 8.4.1

Release notes

Sourced from undici's releases.

v8.4.1

What's Changed

• test: avoid localhost lookup in fetch cookies tests by @​mcollina in nodejs/undici#5363
• fix: prevent race condition between onEnd and onTrailers in HTTP/2 client (#5216) by @​mcollina in nodejs/undici#5343
• fix(dns): skip requests without origin by @​marko1olo in nodejs/undici#5376
• docs: add Getting Started guide by @​AliMahmoudDev in nodejs/undici#5371
• docs: fix code examples that crash at runtime and other inaccuracies by @​AliMahmoudDev in nodejs/undici#5386
• fix: handle paused parser on socket end (issue #5360) by @​mcollina in nodejs/undici#5389
• fix(client): reject pipelined TLS altname errors by @​marko1olo in nodejs/undici#5373
• docs: fix multiple inaccuracies in API documentation by @​AliMahmoudDev in nodejs/undici#5384
• docs: fix remaining broken links in API documentation by @​AliMahmoudDev in nodejs/undici#5342

New Contributors

• @​marko1olo made their first contribution in nodejs/undici#5376

Full Changelog: nodejs/undici@v8.4.0...v8.4.1

v8.4.0

What's Changed

• fix: register connect listener before initiating requests in close-and-destroy test by @​mcollina in nodejs/undici#5272
• test: stabilize tls-cert-leak regression by @​mcollina in nodejs/undici#5306
• fix: replace tspl with native test context in test/examples.js by @​mcollina in nodejs/undici#5300
• http2: remove redundant request stream binding by @​trivikr in nodejs/undici#5302
• test: limit cache-tests workers on Windows by @​mcollina in nodejs/undici#5309
• test: use test context cleanup hooks in parser issue tests by @​mcollina in nodejs/undici#5282
• Add redirect option to strip headers on redirect by @​mcollina in nodejs/undici#5281
• chore(test): fix lint failure by @​aduh95 in nodejs/undici#5316
• chore(ci): use npm ci instead of npm install by @​aduh95 in nodejs/undici#5315
• docs: clarify formData security considerations by @​mcollina in nodejs/undici#5320
• docs: add EventSource server example by @​Will-thom in nodejs/undici#5321
• fix(core): simplify addAbortListener util by @​aduh95 in nodejs/undici#5317
• build(deps-dev): bump ws from 8.20.0 to 8.21.0 by @​dependabot[bot] in nodejs/undici#5325
• build(deps-dev): bump jsondiffpatch from 0.7.3 to 0.7.6 by @​dependabot[bot] in nodejs/undici#5313
• docs: match undici EoL to node version it's bundled in by @​trivikr in nodejs/undici#5330
• fix: handle all HTTP/2 request stream sync errors by @​mcollina in nodejs/undici#5311
• fix: preserve timeout errors for HTTP/2 requests by @​mcollina in nodejs/undici#5091
• fix(core): normalize autoSelectFamily timeout AggregateError by @​youcefzemmar in nodejs/undici#5329
• chore(core): define kEnumerableProperty atomically by @​aduh95 in nodejs/undici#5332
• chore(core): use regex.exec instead of string.match by @​aduh95 in nodejs/undici#5331
• fix: reset invalid HTTP/2 sessions by @​mcollina in nodejs/undici#5310
• feat(connect): add preferH2 connector option to offer h2 first in ALPN by @​Antamansid in nodejs/undici#5327
• test: fix flaky http2 trailers test by @​mcollina in nodejs/undici#5338
• fix(mock): restore single-arg MockCallHistory.filterCallsByX by @​youcefzemmar in nodejs/undici#5328
• docs: document missing error types in Errors.md by @​cesarvspr in nodejs/undici#5339
• build(deps): bump github/codeql-action from 4.35.3 to 4.36.1 by @​dependabot[bot] in nodejs/undici#5346
• build(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0 by @​dependabot[bot] in nodejs/undici#5347
• build(deps): bump uWebSockets.js from v20.67.0 to v20.68.0 in /benchmarks by @​dependabot[bot] in nodejs/undici#5352
• build(deps): bump concurrently from 9.2.1 to 10.0.3 in /benchmarks by @​dependabot[bot] in nodejs/undici#5353
• build(deps): bump step-security/harden-runner from 2.19.1 to 2.19.4 by @​dependabot[bot] in nodejs/undici#5348
• build(deps): bump actions/checkout from 6.0.2 to 6.0.3 by @​dependabot[bot] in nodejs/undici#5351

... (truncated)

Commits

• 04ebc71 Bumped v8.4.1 (#5392)
• 89017ab docs: fix remaining broken links in API documentation (#5342)
• cae3940 docs: fix multiple inaccuracies in API documentation (#5384)
• 01e89e9 fix(client): reject pipelined TLS altname errors (#5373)
• d03fb24 fix: handle paused parser on socket end (issue #5360) (#5389)
• ee59da3 docs: fix code examples that crash at runtime and other inaccuracies (#5386)
• 8464ab7 docs: add Getting Started guide (#5371)
• ba12bb1 fix(dns): skip requests without origin (#5376)
• c07a438 fix: prevent race condition between onEnd and onTrailers in HTTP/2 client (#5...
• a8ea6f2 test: avoid localhost lookup in fetch cookies tests (#5363)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[changeset-bot]

⚠️ No Changeset found

Latest commit: 7f84291

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​changesets/​changelog-github@​0.6.0 ⏵ 0.7.0	+1		+1
	npm/​pkg-ok@​4.0.0
	npm/​@​stylistic/​stylelint-plugin@​5.1.0 ⏵ 5.2.0
	npm/​eslint-plugin-jsdoc@​62.9.0 ⏵ 63.0.2
	npm/​@​changesets/​cli@​2.30.0 ⏵ 2.31.0	+1		+1
	npm/​undici@​8.0.2 ⏵ 8.4.1			+1
	npm/​stylelint@​17.6.0 ⏵ 17.13.0				-1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm css-tree is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → npm/stylelint@17.13.0 → npm/css-tree@3.2.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/css-tree@3.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm eslint-plugin-jsdoc is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/eslint-plugin-jsdoc@63.0.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eslint-plugin-jsdoc@63.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm kind-of is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → npm/stylelint@17.13.0 → npm/kind-of@6.0.3 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/kind-of@6.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report