deps(npm): bump the npm-minor-patch group across 1 directory with 22 updates

[dependabot]

Bumps the npm-minor-patch group with 18 updates in the /frontend/taskdeck-web directory:

Package	From	To
@tanstack/vue-virtual	3.13.24	3.13.25
axios	1.16.0	1.16.1
dompurify	3.4.2	3.4.5
marked	18.0.3	18.0.4
vue-router	5.0.6	5.0.7
ws	8.20.0	8.21.0
@playwright/test	1.59.1	1.60.0
@storybook/vue3-vite	10.3.6	10.4.1
@types/node	25.6.2	25.9.1
@typescript-eslint/eslint-plugin	8.59.2	8.59.4
@vitejs/plugin-vue	6.0.6	6.0.7
@vitest/coverage-v8	4.1.6	4.1.7
baseline-browser-mapping	2.10.29	2.10.32
eslint	10.3.0	10.4.0
fast-check	4.7.0	4.8.0
postcss	8.5.14	8.5.15
vite	8.0.12	8.0.14
vue-tsc	3.2.8	3.3.2

Updates @tanstack/vue-virtual from 3.13.24 to 3.13.25

Release notes

Sourced from @​tanstack/vue-virtual's releases.

@​tanstack/vue-virtual@​3.13.25

Patch Changes

• Updated dependencies [99355ad, 99355ad, 99355ad, 99355ad, 99355ad, 99355ad, 99355ad]:
  • @​tanstack/virtual-core@​3.15.0

Changelog

Sourced from @​tanstack/vue-virtual's changelog.

3.13.25

Patch Changes

• Updated dependencies [99355ad, 99355ad, 99355ad, 99355ad, 99355ad, 99355ad, 99355ad]:
  • @​tanstack/virtual-core@​3.15.0

Commits

• 949180b ci: Version Packages (#1169)
• See full diff in compare view

Updates axios from 1.16.0 to 1.16.1

Release notes

Sourced from axios's releases.

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

• Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#7413)
• Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#10858)
• CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#10882)

🐛 Bug Fixes

• Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#10829)
• Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#10850)
• XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#10868)
• Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#10864)
• Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#10837)
• URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#10874)

🔧 Maintenance & Chores

• Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#10832)
• composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#10844)
• AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#10835, #10841)
• Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#10836, #10853, #10856)
• Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#10843, #10859, #10869)
• Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​hpinmetaverse (#10836)
• @​tommyhgunz14 (#7413)
• @​abhu85 (#10829)
• @​divyanshuraj1095 (#10853)
• @​sagodi97 (#10856)
• @​rkdfx (#10868)
• @​Liuwei1125 (#10866)

Full Changelog

Changelog

Sourced from axios's changelog.

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

• Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#7413)
• Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#10858)
• CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#10882)

🐛 Bug Fixes

• Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#10829)
• Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#10850)
• XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#10868)
• Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#10864)
• Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#10837)
• URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#10874)

🔧 Maintenance & Chores

• Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#10832)
• composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#10844)
• AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#10835, #10841)
• Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#10836, #10853, #10856)
• Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#10843, #10859, #10869)
• Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​hpinmetaverse (#10836)
• @​tommyhgunz14 (#7413)
• @​abhu85 (#10829)
• @​divyanshuraj1095 (#10853)
• @​sagodi97 (#10856)
• @​rkdfx (#10868)
• @​Liuwei1125 (#10866)

Full Changelog

Commits

• 1337d6b chore(release): prepare release 1.16.1 (#10877)
• 858a790 fix: remove all caches (#10882)
• 34adfd9 revert: "fix: support URL object as config.url input (#10866)" (#10874)
• 847d89b fix: support URL object as config.url input (#10866)
• 4094886 fix(progress): guard malformed XHR upload events (#10868)
• 44f0c5b chore: change sponsorship link and add Twicsy advertisement (#10869)
• 64e1095 chore: update PR and issue template to use h2 (#10865)
• 3e6b4e1 fix: error unexpected token in fetch JS compatibility issue with Webpack 4 (#...
• c4453ba fix: add the ability to add additional sponsors to the process sponsors scrip...
• caa00a9 fix: https data in cleartext to proxy (#10858)
• Additional commits viewable in compare view

Updates dompurify from 3.4.2 to 3.4.5

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.5

• Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

DOMPurify 3.4.4

• Added the selectedcontent element to default allow-list, thanks @​lukewarlow
• Added the command and commandfor attributes to default allowed-list, thanks @​lukewarlow
• Added better template scrubbing for IN_PLACE operations, thanks @​DEMON1A
• Added stronger checks for cross-realm windows, thanks @​DEMON1A & @​fg0x0
• Updated demo website and made sure it uses the latest from main
• Updated existing workflows, fuzzer, dependabot, etc., added more tests
• Bumped several dependencies where possible

🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨

DOMPurify 3.4.3

• Fixed an issue with handling of nested Shadow DOM trees, thanks @​fishjojo1
• Fixed the template regexes to be more robust against ReDoS attacks, thanks @​aleung27
• Updated the node iteration code to catch more Shadow DOM related issues
• Updated Playwright and added Node 26 to test matrix
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

Commits

• 011b0c7 release: 3.4.5 (#1382)
• 5817ad9 release: 3.4.4 (#1374)
• 520edb0 release: 3.4.3 (#1352)
• See full diff in compare view

Updates marked from 18.0.3 to 18.0.4

Release notes

Sourced from marked's releases.

v18.0.4

18.0.4 (2026-05-19)

Bug Fixes

• cache list indentation regexes (#3969) (a37983f)
• fix cli not reading stdin (#3967) (11adb69)

Commits

• 0a2cd54 chore(release): 18.0.4 [skip ci]
• 11adb69 fix: fix cli not reading stdin (#3967)
• a37983f fix: cache list indentation regexes (#3969)
• d38b8c2 chore(deps-dev): bump eslint from 10.3.0 to 10.4.0 (#3976)
• 7d9b17e chore(docs): fix typo in package links (#3975)
• a7affc3 chore(deps-dev): bump @​semantic-release/release-notes-generator from 14.1.0 t...
• 47d6ba1 chore(deps-dev): bump @​semantic-release/github from 12.0.6 to 12.0.8 (#3972)
• 69257e4 chore(deps-dev): bump eslint from 10.2.1 to 10.3.0 (#3966)
• 1731d38 refactor(test): move task list output coverage to specs (#3963)
• See full diff in compare view

Updates vue-router from 5.0.6 to 5.0.7

Release notes

Sourced from vue-router's releases.

v5.0.7

   🚀 Features

• Upgrade to babel 8  -  by @​posva (8d3e6)
• Make defineParamParser() more intuitive  -  by @​posva (8715b)
• Upgrade @vue/devtools-api  -  by @​posva (87c3a)
• matcher: Hint at params: {} workaround in discarded params warning  -  by @​posva and shanliuling in vuejs/router#2689 (c2b13)
• param-parsers: Add include/exclude options  -  by @​posva (91cde)

   🐞 Bug Fixes

• matcher:
  • Finalize param token before processing escaped colon  -  by @​babu-ch and @​posva in vuejs/router#2654 (20521)
• query:
  • Use Object.create(null) to prevent prototype pollution  -  by @​wdskuki, wdsmini and @​posva in vuejs/router#2661 (be88c)
• resolve:
  • Omit empty optional params from resolved params  -  by @​babu-ch and @​posva in vuejs/router#2434 (1ef09)
• types:
  • Wire RouteNamedMap via generated routes.d.ts  -  by @​posva in vuejs/router#2700 (aef99)
• unplugin:
  • Avoid generating empty routes  -  by @​FrontEndDog and @​posva in vuejs/router#2642 (10a8b)
  • Apply definePage path-param parser overrides  -  by @​posva in vuejs/router#2699 (c8074)
• volar:
  • Drop runtime @vue/language-core import  -  by @​danielroe in vuejs/router#2710 (8af50)

    View changes on GitHub

Commits

• ddd20c3 release: vue-router@5.0.7
• 91cdec3 feat(param-parsers): add include/exclude options
• 8af50c9 fix(volar): drop runtime @vue/language-core import (#2710)
• b840cd6 chore(ci): set least-privilege workflow token permissions (#2708)
• 51c1672 chore(release): use @​clack/prompts
• af77a7c chore: playground param type
• 641200a refactor(param-parsers): simplify defineParamParser
• 9b9896e chore: comments
• d41897b refactor: wip of defineParamParser
• 17d51fb chore: logs
• Additional commits viewable in compare view

Updates ws from 8.20.0 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

• Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

• Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits

• bca91ad [dist] 8.21.0
• 2b2abd4 [security] Limit retained message parts
• 78eabe2 [security] Add latest vulnerability to SECURITY.md
• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• See full diff in compare view

Updates @playwright/test from 1.59.1 to 1.60.0

Release notes

Sourced from @​playwright/test's releases.

v1.60.0

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});
await page.locator('#dropzone').drop({
data: {
'text/plain': 'hello world',
'text/uri-list': 'https://example.com',
},
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

... (truncated)

Commits

• 87bb9dd cherry-pick(#40747): fix(yauzl): vendor yauzl with destroy-lifecycle fix
• 9a9c51c cherry-pick(#40733): chore(electron): revert #40184 (move Electron API to a s...
• 4b3b628 cherry-pick(#40736): Revert "feat(electron): add timeout option to electronAp...
• f869f96 chore: bump version to v1.60.0 (#40714)
• 7eb6918 cherry-pick(#40710): docs: release notes v1.60
• 118d2aa cherry-pick(#40693): chore(python): formdata path type
• 54012f5 chore(deps): bump ip-address and express-rate-limit (#40680)
• 9fa531d fix(screencast): unblock frame ack when an async client disconnects (#40674)
• 3649db5 chore(mcp): bump default extension protocol to v2 (#40678)
• bb6c009 chore(extension): mark 0.2.1 (#40679)
• Additional commits viewable in compare view

Updates @storybook/vue3-vite from 10.3.6 to 10.4.1

Release notes

Sourced from @​storybook/vue3-vite's releases.

v10.4.1

10.4.1

• Angular: Detect model() signal outputs (type inference + compodoc autodocs + runtime binding) - #34833, thanks @​valentinpalkovic!
• Build: Upgrade type-fest to latest version 5.6.0 - #34791, thanks @​tobiasdiez!
• CLI: Run `npx expo install --fix` after init for Expo projects - #34803, thanks @​ndelangen!
• CLI: Support `peerDependencies` in framework detection for component libraries - #34516, thanks @​zhyd1997!
• Next.js: Add useLinkStatus mock to next/link export mock - #34593, thanks @​philwolstenholme!
• Vue3: Specify a specific version for non-dev dependency - #34794, thanks @​ScopeyNZ!

v10.4.0

10.4.0

AI-assisted setup, change-aware review, and stronger framework support

Storybook 10.4 contains hundreds of fixes and improvements including:

• 🤖 Agentic Setup: New CLI workflow for AI-assisted Storybook setup and onboarding
• 🔍 Change review: Sidebar filtering to highlight new, modified, and related stories based on git changes
• 🧭 Sidebar review tools: Status filtering, URL-persisted filters, and clearer review signals in the sidebar
• ⚛️ TanStack React: New `@storybook/tanstack-react` framework with routing and server function support
• 🧩 React MCP: Faster, more accurate component docgen powered by the TypeScript Language Server
• 📱 React Native: Zero config RN project initialization
• 🤝 Sharing: Easily publish and share your local Storybook with teammates, powered by Chromatic

• A11y: Add aria-live announcements via @​react-aria/live-announcer - #33970, thanks @​copilot-swe-agent!
• A11y: Improve boolean control contrast in forced colors mode - #34204, thanks @​anchmelev!
• Actions: Fix state mutation and keep newest actions when limit reached - #34286, thanks @​Sidnioulz!
• Addon-Docs: Add Reset story button to re-render stories in docs - #34086, thanks @​6810779s!
• Addon-Docs: Avoid rerendering static Source blocks - #34206, thanks @​anchmelev!
• Addon-Vitest: Use Vitest's provide-API for injecting values - #34518, thanks @​JReinhold!
• Agentic Setup: Add --extensive for an extra prompt - #34730, thanks @​Sidnioulz!
• Agentic Setup: Allow failed stories to persist - #34717, thanks @​Sidnioulz!
• Agentic Setup: Keep sample content if users want onboarding - #34704, thanks @​Sidnioulz!
• Agentic Setup: Rework ai-init-opt-in logic - #34739, thanks @​Sidnioulz!
• Angular: Use Story ID for renderer IDs (including standalone stories) - #33982, thanks @​ValentinFunk!
• Automigration: Move RN on-device addons to `deviceAddons` - #34659, thanks @​ndelangen!
• Builder-Vite: Add onModuleGraphChange method - #34323, thanks @​ghengeveld!
• CLI: Add automigrate check for 'storybook' package name conflict - #34290, thanks @​whdjh!
• CLI: Add react-vite to tanstack-react automigration - #34718, thanks @​huang-julien!
• CLI: Change mock event detection - #34586, thanks @​yannbf!
• CLI: Explicitly tell whether smoke tests passed or failed - #34419, thanks @​Sidnioulz!
• CLI: Fix Next.js Vite automigration corrupting configs already using `@storybook/nextjs-vite` - #34249, thanks @​nathanjessen!
• CLI: Fix agentic check - #34678, thanks @​yannbf!
• CLI: Handle minimumReleaseAge conflicts across package managers - #34769, thanks @​JReinhold!
• CLI: Improve package incompatibility detection and warning - #34559, thanks @​copilot-swe-agent!
• CLI: Improve self-healing scoring observability - #34699, thanks @​yannbf!

... (truncated)

Changelog

Sourced from @​storybook/vue3-vite's changelog.

10.4.1

• Angular: Detect model() signal outputs (type inference + compodoc autodocs + runtime binding) - #34833, thanks @​valentinpalkovic!
• Build: Upgrade type-fest to latest version 5.6.0 - #34791, thanks @​tobiasdiez!
• CLI: Run npx expo install --fix after init for Expo projects - #34803, thanks @​ndelangen!
• CLI: Support peerDependencies in framework detection for component libraries - #34516, thanks @​zhyd1997!
• Next.js: Add useLinkStatus mock to next/link export mock - #34593, thanks @​philwolstenholme!
• Vue3: Specify a specific version for non-dev dependency - #34794, thanks @​ScopeyNZ!

10.4.0

AI-assisted setup, change-aware review, and stronger framework support

Storybook 10.4 contains hundreds of fixes and improvements including:

• 🤖 Agentic Setup: New CLI workflow for AI-assisted Storybook setup and onboarding
• 🔍 Change review: Sidebar filtering to highlight new, modified, and related stories based on git changes
• 🧭 Sidebar review tools: Status filtering, URL-persisted filters, and clearer review signals in the sidebar
• ⚛️ TanStack React: New @storybook/tanstack-react framework with routing and server function support
• 🧩 React MCP: Faster, more accurate component docgen powered by the TypeScript Language Server
• 📱 React Native: Zero config RN project initialization
• 🤝 Sharing: Easily publish and share your local Storybook with teammates, powered by Chromatic

• A11y: Add aria-live announcements via @​react-aria/live-announcer - #33970, thanks @​copilot-swe-agent!
• A11y: Improve boolean control contrast in forced colors mode - #34204, thanks @​anchmelev!
• Actions: Fix state mutation and keep newest actions when limit reached - #34286, thanks @​Sidnioulz!
• Addon-Docs: Add Reset story button to re-render stories in docs - #34086, thanks @​6810779s!
• Addon-Docs: Avoid rerendering static Source blocks - #34206, thanks @​anchmelev!
• Addon-Vitest: Use Vitest's provide-API for injecting values - #34518, thanks @​JReinhold!
• Agentic Setup: Add --extensive for an extra prompt - #34730, thanks @​Sidnioulz!
• Agentic Setup: Allow failed stories to persist - #34717, thanks @​Sidnioulz!
• Agentic Setup: Keep sample content if users want onboarding - #34704, thanks @​Sidnioulz!
• Agentic Setup: Rework ai-init-opt-in logic - #34739, thanks @​Sidnioulz!
• Angular: Use Story ID for renderer IDs (including standalone stories) - #33982, thanks @​ValentinFunk!
• Automigration: Move RN on-device addons to deviceAddons - #34659, thanks @​ndelangen!
• Builder-Vite: Add onModuleGraphChange method - #34323, thanks @​ghengeveld!
• CLI: Add automigrate check for 'storybook' package name conflict - #34290, thanks @​whdjh!
• CLI: Add react-vite to tanstack-react automigration - #34718, thanks @​huang-julien!
• CLI: Change mock event detection - #34586, thanks @​yannbf!
• CLI: Explicitly tell whether smoke tests passed or failed - #34419, thanks @​Sidnioulz!
• CLI: Fix Next.js Vite automigration corrupting configs already using @storybook/nextjs-vite - #34249, thanks @​nathanjessen!
• CLI: Fix agentic check - #34678, thanks @​yannbf!
• CLI: Handle minimumReleaseAge conflicts across package managers - #34769, thanks @​JReinhold!
• CLI: Improve package incompatibility detection and warning - #34559, thanks @​copilot-swe-agent!
• CLI: Improve self-healing scoring observability - #34699, thanks @​yannbf!
• CLI: Introduce Agentic Setup workflow - #34297, thanks @​yannbf!
• CLI: Remove extensive prompt option - #34740, thanks @​yannbf!

... (truncated)

Commits

• cc19ae1 Bump version from "10.4.0" to "10.4.1" [skip ci]
• f8c16d1 Bump version from "10.4.0-beta.0" to "10.4.0" [skip ci]
• e02da0b Bump version from "10.4.0-alpha.19" to "10.4.0-beta.0" [skip ci]
• 429fb3e Bump version from "10.4.0-alpha.18" to "10.4.0-alpha.19" [skip ci]
• 488dd08 Bump version from "10.4.0-alpha.17" to "10.4.0-alpha.18" [skip ci]
• f191df7 Bump version from "10.4.0-alpha.16" to "10.4.0-alpha.17" [skip ci]
• a80ca8f Bump version from "10.4.0-alpha.15" to "10.4.0-alpha.16" [skip ci]
• f1363a4 Bump version from "10.4.0-alpha.14" to "10.4.0-alpha.15" [skip ci]
• 5491707 Bump version from "10.4.0-alpha.13" to "10.4.0-alpha.14" [skip ci]
• 3ab0566 Bump version from "10.4.0-alpha.12" to "10.4.0-alpha.13" [skip ci]
• Additional commits viewable in compare view

Updates @types/node from 25.6.2 to 25.9.1

Commits

• See full diff in compare view

Updates @typescript-eslint/eslint-plugin from 8.59.2 to 8.59.4

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.59.4

8.59.4 (2026-05-18)

🩹 Fixes

• eslint-plugin: [no-floating-promises] stack overflow when using recursive types (#12294)
• project-service: throw error cause in getParsedConfigFileFromTSServer (#12321)
• typescript-eslint: export Compatible* types from typescript-eslint to resolve pnpm TS error (#12340)

❤️ Thank You

• Evyatar Daud @​StyleShit
• Kirk Waiblinger @​kirkwaiblinger
• lumir

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.3

8.59.3 (2026-05-11)

This was a version bump only, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.59.4 (2026-05-18)

🩹 Fixes

• eslint-plugin: [no-floating-promises] stack overflow when using recursive types (#12294)

❤️ Thank You

• Evyatar Daud @​StyleShit...

  Description has been truncated

[Chris0Jeky]

@dependabot rebase

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.

[Chris0Jeky]

@dependabot recreate

[dependabot]

Looks like this PR is closed. If the branch still exists, you can re-open the PR and then use @dependabot rebase or @dependabot recreate. If the branch was deleted, Dependabot will create a new PR on the next scheduled run, or you can trigger an update from the Dependency graph page.