chore(deps): bump the npm-updates group across 1 directory with 10 updates

[dependabot]

Bumps the npm-updates group with 10 updates in the / directory:

Package	From	To
graphql	16.13.2	16.14.0
i18next	26.0.8	26.0.10
kysely	0.28.17	0.29.0
zod	4.4.2	4.4.3
@types/node	24.12.2	24.12.3
jiti	2.6.1	2.7.0
knip	6.11.0	6.12.2
oxfmt	0.47.0	0.48.0
oxlint	1.62.0	1.63.0
vite	8.0.10	8.0.11

Updates graphql from 16.13.2 to 16.14.0

Release notes

Sourced from graphql's releases.

v16.14.0 (2026-05-03)

New Feature 🚀

• #4317 Allow configuration of the ofType introspection depth (@​Nols1000)
• #4521 Add experimental support for directives on directive definitions (@​BoD)

Bug Fix 🐞

• #4652 Fix valueFromAST variable own-property checks (@​abishekgiri)

Docs 📝

• #4706 Fix mistake in GraphQLError guidance (@​benjie)

Committers: 4

• Abishek Kumar Giri(@​abishekgiri)
• Benjie(@​benjie)
• Benoit 'BoD' Lubek(@​BoD)
• Nils-Börge Margotti(@​Nols1000)

Commits

• 57b385b chore(release): v16.14.0 (#4720)
• 85700ed Fix mistake in GraphQLError guidance (#4706)
• 8eb6383 Allow configuration of the ofType introspection depth (#4317)
• ad9c519 Add support for directives on directive definitions (#4521)
• db2987c fix(valueFromAST): restore variable own-property checks (#4652)
• See full diff in compare view

Updates i18next from 26.0.8 to 26.0.10

Release notes

Sourced from i18next's releases.

v26.0.10

• feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

v26.0.9

• fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

Changelog

Sourced from i18next's changelog.

26.0.10

• feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

26.0.9

• fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

Commits

• 61eaf5b 26.0.10
• 47fd92f feat: getFixedT 4th-arg scopeNs decouples selector ns-detection from resoluti...
• caf33f6 26.0.9
• eed0146 fix(types): relax unformatted interpolation values to string | number
• 170fb0a Modernize locize.com URLs and refresh UTM tags
• See full diff in compare view

Updates kysely from 0.28.17 to 0.29.0

Release notes

Sourced from kysely's releases.

0.29.0

Hey 👋

This one's a banger! 💥 💥 💥

We got $pickTables, $omitTables compile-time helpers to narrow the world view of downstream queries, cutting down on compilation complexity/time while at it!

const results = await db
  .$pickTables<'person' | 'pet'>() // <----- now `DB` is only { person: {...}, pet: {...} } for following methods.
  .selectFrom('person')
  .innerJoin('pet', 'pet.owner_id', 'person.id')
  .selectAll()
  .execute()
const results = await db
.$omitTables<'toy'>() // <----- now DB doesn't have a "toy" table description for following methods.
.selectFrom('person')
.innerJoin('pet', 'pet.owner_id', 'person.id')
.selectAll()
.execute()

We got a new ReadonlyKysely<DB> helper type that turns your instance into a compile-time readonly instance!

import { Kysely } from 'kysely'
import type { ReadonlyKysely } from 'kysely/readonly'
export const db = new Kysely<Database>({...}) as never as ReadonlyKysely<Database>
db.selectFrom('person').selectAll() // no problem.
db.selectNoFrom(sqlnow().as('now')) // no problem.
db.deleteFrom('person') // compilation error + deprecation!
db.insertInto('person').values({...}) // compilation error + deprecation!
db.mergeInto('person')...  // compilation error + deprecation!
db.updateTable('person').set('first_name', 'Timmy') // compilation error + deprecation!
sql....execute(db) // compilation error!
// etc. etc.

We got a brand new PGlite dialect. With it comes a new supportsMultipleConnections adapter flag that uses a new centralized connection mutex when false - should help simplify all SQLite dialects out here!

import { PGlite } from '@electric-sql/pglite'
import { Kysely, PGliteDialect } from 'kysely'
const db = new Kysely<DB>({
// ...
</tr></table>

... (truncated)

Commits

• 820f722 0.29.0
• 8aed478 chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0 (#1813)
• 2bf653c chore(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#1812)
• c995453 chore(deps): bump github/codeql-action from 3.35.1 to 4.35.4 (#1816)
• 30d1b62 chore(deps-dev): bump @​types/node from 25.6.0 to 25.6.1 (#1815)
• b11e037 chore(deps): bump step-security/harden-runner from 2.17.0 to 2.19.1 (#1814)
• 1e68a0d fix(ci): better-sqlite3 node.js version mismatches since pnpm action bump. ...
• 9e0bfc0 chore: remove npm bump in publish workflow.
• a8133c9 chore: revert better-sqlite3 bump.
• 7f98851 add dependabot.
• Additional commits viewable in compare view

Updates zod from 4.4.2 to 4.4.3

Release notes

Sourced from zod's releases.

v4.4.3

Commits:

• 4c2fa95ce3f3390fbc522324e406b4e9e89b88f9 docs: use Zernio primary wordmark for gold sponsor logo
• 2aeec83eb135e3a83756e973ef44845fc5a455d2 docs: prune lapsed gold sponsors and rebalance logo sizing
• 7391be88ac1ee5cd02057f5ccc012a1f5df4efd0 docs: prune lapsed silver/bronze sponsors and add active ones
• 2c703322a21b4e2b12f33f49ea8430c451a68b4f docs: normalize bronze sponsor logos to github avatar pattern
• 9195250cab0e7950efe39c3926d6c203b4b0a170 docs: remove Mintlify from bronze sponsors (churned)
• b8dffe9e62f17e6571e6249d05cc5102b54d94e4 docs: remove Numeric and Speakeasy (2+ missed monthly cycles)
• 1cab69383fcdeae2a366d5e2a2fc4d8fc765d168 fix(v4): restore catch handling for absent object keys (#5937) (#5939)
• c2be4f819064eed62c7c350a2d399b5faecd15f8 fix(v4): generalize optin/fallback to transform; restore preprocess on absent keys (#5941)
• f3c9ec03ba7a28ae72d25cc295f38674bee0f559 4.4.3
• 1fb56a5c18c27102dbc92260a4007c7732a0ccca docs: document release procedure in AGENTS.md

Commits

• 1fb56a5 docs: document release procedure in AGENTS.md
• f3c9ec0 4.4.3
• c2be4f8 fix(v4): generalize optin/fallback to transform; restore preprocess on absent...
• 1cab693 fix(v4): restore catch handling for absent object keys (#5937) (#5939)
• b8dffe9 docs: remove Numeric and Speakeasy (2+ missed monthly cycles)
• 9195250 docs: remove Mintlify from bronze sponsors (churned)
• 2c70332 docs: normalize bronze sponsor logos to github avatar pattern
• 7391be8 docs: prune lapsed silver/bronze sponsors and add active ones
• 2aeec83 docs: prune lapsed gold sponsors and rebalance logo sizing
• 4c2fa95 docs: use Zernio primary wordmark for gold sponsor logo
• See full diff in compare view

Updates @types/node from 24.12.2 to 24.12.3

Commits

• See full diff in compare view

Updates jiti from 2.6.1 to 2.7.0

Release notes

Sourced from jiti's releases.

v2.7.0

compare changes

🚀 Enhancements

• Add explicit resource management (using/await using) support (#422)
• Support opt-in tsconfigPaths (#427)
• Support virtual modules (#428)
• Add jiti/static subpath (#430)

🔥 Performance

• interopDefault: Add caching to reduce proxy overhead by ~2x (#421)

🩹 Fixes

• require: Passthrough resolve options (#412)
• require: Fallback to transpilation when tryNative fails (#413)
• Fallback for ENAMETOOLONG when evaluating esm (#429)

📦 Build

• Upgrade rspack to v2 (55194fb)
• Experimental rolldown config (8c0243f)

✅ Tests

• Ignore jsx test for bun/cjs (3a744ca)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Kricsleo (@​kricsleo)
• Espen Hovlandsdal (@​rexxars)
• Rintaro Itokawa (@​re-taro)
• Matteo Collina (@​mcollina)
• Mario Zechner (@​badlogic)

Changelog

Sourced from jiti's changelog.

v2.7.0

compare changes

🚀 Enhancements

• Add explicit resource management (using/await using) support (#422)
• Support opt-in tsconfigPaths (#427)
• Support virtual modules option (#428)
• Add jiti/static export (#430)

🔥 Performance

• interopDefault: Add caching to reduce proxy overhead by ~2x (#421)

🩹 Fixes

• require: Passthrough resolve options (#412)
• ci: Skip --coverage flag for node 18 (fe264b4)
• require: Fallback to transpilation when tryNative fails (#413)
• Fallback for ENAMETOOLONG when evaluating esm (#429)

📦 Build

• Upgrade rspack (55194fb)
• Experimental rolldown config (8c0243f)

🏡 Chore

• Fix lint issues (4045c7a)
• Update deps (e88ac44)
• Update deps (498e8d7)
• Add missing prettier dep (650bc48)
• Lint (058d91a)
• Init agents.md (c49c54e)
• Update agents.md (4deba16)
• Update deps (08fc868)
• Update tsconfig (8c7822e)
• Update release script (27fe3f2)

✅ Tests

• Ignore jsx test for bun/cjs (3a744ca)
• Update (9ee314f)

🤖 CI

• Update node test matrix (0abda72)

❤️ Contributors

... (truncated)

Commits

• fd3bb28 chore(release): v2.7.0
• 27fe3f2 chore: update release script
• 4fcd2f2 fix: fallback for ENAMETOOLONG when evaluating esm (#429)
• 8c0243f build: experimental rolldown config
• 55194fb build: upgrade rspack
• 0abda72 ci: update node test matrix
• 8c7822e chore: update tsconfig
• 08fc868 chore: update deps
• 5d552e3 feat: add jiti/static export (#430)
• ae790b0 feat: support virtual modules option (#428)
• Additional commits viewable in compare view

Updates knip from 6.11.0 to 6.12.2

Release notes

Sourced from knip's releases.

Release 6.12.2

• Fix symbol reporter file paths with --directory (#1733) (d54074d4f5b9299aecb264897c7369fb81a499fc) - thanks @​cyphercodes!
• fix(webpack): reference TS loaders for .ts/.cts config (close #1732) (f37c5daa5403fdf78e2746fea83ce79e1577eb48)
• fix(serverless-framework): skip functions without handler (close #1735) (616739de3ee9c5c216c0efe098d837bb286c102f)
• ci(integration): disable minimumReleaseAge for test installs (081dfc83039324292ceb1018f73ab2c98fd51ccd)
• ci(snapshots): query — add CreateQueriesOptions to unused types (5dd0b8a15e1c8298b8bad7388a17951a70285f56)

Release 6.12.1

• fix: type-only imports in monorepos (#1715) (de33a2cb020f321f242bfb3884cdd597fb5f868c) - thanks @​lishaduck!
• Bump jiti to ^2.7.0 (#1729) (0fe8dc33dc60b05a814828046aa5207051fc4b6d) - thanks @​re-taro!
• Fix Vercel config detection (#1726) (370236d2e67058fb30c77a5f54d88b9774276eef) - thanks @​jakeleventhal!
• Fix inferred declaration export references (#1728) (4dcd756f0903c1045a7600201243decbc7184715) - thanks @​jakeleventhal!
• Remove stale root watch script (#1731) (2d555a18befc2576539491b5d66799e630689b38) - thanks @​jeffrey-takuma!
• Update sponsorships script/numbers (c3dcc8f4fd923f87baad444c5f8e23fd7be15497)
• Add orgs using knip (78fd581857c0b01fc2ab987bc86d888954e97a71)
• Yolo (7e689bf60b39c6a4af46e8d68e9a6986df0e6f04)

Release 6.12.0

• Use venz light/dark responsive svg img (2354194043354b67ed9463b6998d40a8e8cbab81)
• Fix types/path references (4afc873801bcca933dbc71c47b5557cbab646c6b)
• Move on to pnpm 11 (b1060652e85b8bf9a306135ca12ae22032099889)
• Fix up ecosystem tests (c226a72b8936397dab2fc6d30e27517c257c36ca)
• Add shell binaries to global ignore list (#1716) (ddcf7debd820b9deac9f29d1ed904f340c0ee91e) - thanks @​jakeleventhal!
• Fix declaration export regression and document (resolve #1722) (3a2c22b52cda834b4d8a9956d9089b3dea9422bd)
• Update snapshot after 3a2c22b (8300078b75913d94ef19dbd1990e2073db8541d8)
• Detect babel.plugins/presets in @​vitejs/plugin-react via function-form defineConfig (resolve #1723) (d56ee51c2162c29baf3564ded39639a1a258caa1)
• Lift defineConfig-arg unwrapper to ast-helpers, route findCallArg through it (7195b0a5f0986833a059c5d2cda9697d7d0abbf7)
• Fix PostCSS detection for @​tailwindcss/postcss (#1719) (60f84824eebeece47ec5d2683fe4db9aaa6e7d00) - thanks @​jakeleventhal!
• Allow > inside SFC <script> attribute values (resolve #1714) (9e5501f60150d0521bf7f2aa5a9af8db1285813b)
• Resolve Cypress reporter set per testing type (resolve #1724) (7cc4fc19ea12f4aefb55ef01a0ad5237b2dac8c4)
• Add Vercel config plugin (#1720) (10f97c10cd3203761c6ba2f4ee335c9719d81840) - thanks @​jakeleventhal!
• Direct config hint title to stderr (53236b5f7dc12c2e7e561448c276a0168a6367fc)
• Some light housekeeping (727f842709f2adf9fe7658b6ed1b66b11043d821)
• Fix up ecosystem tests (0db3300e4109cb184520863e98eff6c2c956a717)
• Fix --no-exit-code condition for isTreatConfigHintsAsErrors (f27c3f4a556fdd18bfafb9b270fddc9b12c8033a)
• A friendlier message (aab1e83baaa088b8f8730f03f0d8e6520fa48d64)
• Mark plugin-name fallback binaries as optional in knownBinsOnly mode (c709a5aaa473184d1a73f7cbcb8eaf0d73e072d4)

Commits

• cfb9ac4 Release knip@6.12.2
• 616739d fix(serverless-framework): skip functions without handler (close #1735)
• f37c5da fix(webpack): reference TS loaders for .ts/.cts config (close #1732)
• d54074d Fix symbol reporter file paths with --directory (#1733)
• b255195 Release knip@6.12.1
• 4dcd756 Fix inferred declaration export references (#1728)
• 370236d Fix Vercel config detection (#1726)
• 0fe8dc3 Bump jiti to ^2.7.0 (#1729)
• de33a2c fix: type-only imports in monorepos (#1715)
• 44829fe Release knip@6.12.0
• Additional commits viewable in compare view

Updates oxfmt from 0.47.0 to 0.48.0

Commits

• 5921a25 release(apps): oxlint v1.63.0 && oxfmt v0.48.0 (#22109)
• See full diff in compare view

Updates oxlint from 1.62.0 to 1.63.0

Release notes

Sourced from oxlint's releases.

oxlint v1.27.0 && oxfmt v0.12.0

Oxlint v1.27.0

🚀 Features

• 222a8f0 linter/plugins: Implement SourceCode#isSpaceBetween (#15498) (overlookmotel)
• 2f9735d linter/plugins: Implement context.languageOptions (#15486) (overlookmotel)
• bc731ff linter/plugins: Stub out all Context APIs (#15479) (overlookmotel)
• 5822cb4 linter/plugins: Add extend method to FILE_CONTEXT (#15477) (overlookmotel)
• 7b1e6f3 apps: Add pure rust binaries and release to github (#15469) (Boshen)
• 2a89b43 linter: Introduce debug assertions after fixes to assert validity (#15389) (camc314)
• ad3c45a editor: Add oxc.path.node option (#15040) (Sysix)

🐛 Bug Fixes

• 6f3cd77 linter/no-var: Incorrect warning for blocks (#15504) (Hamir Mahal)
• 6957fb9 linter/plugins: Do not allow access to Context#id in createOnce (#15489) (overlookmotel)
• 7409630 linter/plugins: Allow access to cwd in createOnce in ESLint interop mode (#15488) (overlookmotel)
• 732205e parser: Reject using / await using in a switch case / default clause (#15225) (sapphi-red)
• a17ca32 linter/plugins: Replace Context class (#15448) (overlookmotel)
• ecf2f7b language_server: Fail gracefully when tsgolint executable not found (#15436) (camc314)
• 3c8d3a7 lang-server: Improve logging in failure case for tsgolint (#15299) (camc314)
• ef71410 linter: Use jsx if source type is JS in fix debug assertion (#15434) (camc314)
• e32bbf6 linter/no-var: Handle TypeScript declare keyword in fixer (#15426) (camc314)
• 6565dbe linter/switch-case-braces: Skip comments when searching for : token (#15425) (camc314)
• 85bd19a linter/prefer-class-fields: Insert value after type annotation in fixer (#15423) (camc314)
• fde753e linter/plugins: Block access to context.settings in createOnce (#15394) (overlookmotel)
• ddd9f9f linter/forward-ref-uses-ref: Dont suggest removing wrapper in invalid positions (#15388) (camc314)
• dac2a9c linter/no-template-curly-in-string: Remove fixer (#15387) (camc314)
• 989b8e3 linter/no-var: Only fix to const if the var has an initializer (#15385) (camc314)
• cc403f5 linter/plugins: Return empty object for unimplemented parserServices (#15364) (magic-akari)

⚡ Performance

• 25d577e language_server: Start tools in parallel (#15500) (Sysix)
• 3c57291 linter/plugins: Optimize loops (#15449) (overlookmotel)
• 3166233 linter/plugins: Remove Arcs (#15431) (overlookmotel)
• 9de1322 linter/plugins: Lazily deserialize settings JSON (#15395) (overlookmotel)
• 3049ec2 linter/plugins: Optimize deepFreezeSettings (#15392) (overlookmotel)
• 444ebfd linter/plugins: Use single object for parserServices (#15378) (overlookmotel)

📚 Documentation

• 97d2104 linter: Update comment in lint.rs about default value for tsconfig path (#15530) (Connor Shea)
• 2c6bd9e linter: Always refer as "ES2015" instead of "ES6" (#15411) (sapphi-red)
• a0c5203 linter/import/named: Update "ES7" comment in examples (#15410) (sapphi-red)
• 3dc24b5 linter,minifier: Always refer as "ES Modules" instead of "ES6 Modules" (#15409) (sapphi-red)
• 2ad77fb linter/no-this-before-super: Correct "Why is this bad?" section (#15408) (sapphi-red)
• 57f0ce1 linter: Add backquotes where appropriate (#15407) (sapphi-red)

Oxfmt v0.12.0

... (truncated)

Changelog

Sourced from oxlint's changelog.

[1.63.0] - 2026-05-05

📚 Documentation

• cacbc4a linter: Fix jest settings docs. (#22127) (connorshea)

Commits

• 5921a25 release(apps): oxlint v1.63.0 && oxfmt v0.48.0 (#22109)
• cacbc4a docs(linter): Fix jest settings docs. (#22127)
• d177595 chore(linter): Update oxlint-tsgolint peer dependency to the latest release. ...
• See full diff in compare view

Updates vite from 8.0.10 to 8.0.11

Release notes

Sourced from vite's releases.

v8.0.11

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.11 (2026-05-07)

Features

• update rolldown to 1.0.0-rc.18 (#22360) (3f80524)

Bug Fixes

• deps: update all non-major dependencies (#22334) (672c962)
• deps: update all non-major dependencies (#22382) (5c0cfcb)
• glob: align hmr matcher options with glob enumeration (#22306) (30028f9)
• make separate object instance for each environment (#22276) (7c2aa3b)

Documentation

• create-vite: list react-compiler templates in README (#22347) (7c3a61f)
• explain mergeConfig skips null/undefined (#22325) (2151f70)
• mention native config loader in CLI options (#22348) (0420c5d)
• update evan's x handle (640202a)

Miscellaneous Chores

• deps: update dependency tsdown to ^0.21.10 (#22333) (3b51e05)
• deps: update rolldown-related dependencies (#22383) (555ff36)
• deps: update transitive packages to fix npm audit alerts (#22316) (86aee62)

Code Refactoring

• devtools integration (#22312) (3c8bf06)
• remove unnecessary async (#22296) (b31fd35)
• show direct path type in bad character warning (#22339) (0c162e9)

Tests

• create-vite: use short help alias (#22389) (994ab66)

Commits

• 66f3194 release: v8.0.11
• 5c0cfcb fix(deps): update all non-major dependencies (#22382)
• 555ff36 chore(deps): update rolldown-related dependencies (#22383)
• b31fd35 refactor: remove unnecessary async (#22296)
• 3c8bf06 refactor: devtools integration (#22312)
• 7c2aa3b fix: make separate object instance for each environment (#22276)
• 3f80524 feat: update rolldown to 1.0.0-rc.18 (#22360)
• 0c162e9 refactor: show direct path type in bad character warning (#22339)
• 672c962 fix(deps): update all non-major dependencies (#22334)
• 30028f9 fix(glob): align hmr matcher options with glob enumeration (#22306)
• See full diff in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
@types/node	[>= 25.a, < 26]

[eikowagenknecht]

@claude Fix the issues

[claude]

Claude finished @eikowagenknecht's task in 1m 35s —— View job

---

Fixing dependency update issues

• Check CI status for failing checks
• Identified root cause: kysely 0.29.0 moved Migration and Migrator to the kysely/migration subpath
• Fix prepared and committed locally
• Push attempted — blocked (GitHub restricts pushing to Dependabot PRs from Actions)

Root cause: src/services/database/migrations/migrations.ts imports Migration and Migrator from 'kysely', but kysely 0.29.0 requires these to be imported from 'kysely/migration'.

The fix (1-line change in src/services/database/migrations/migrations.ts):

-import type { Kysely, Migration } from "kysely";
-import { Migrator } from "kysely";
+import type { Kysely } from "kysely";
+import type { Migration } from "kysely/migration";
+import { Migrator } from "kysely/migration";

Why I can't push: GitHub prevents the Actions bot from writing to Dependabot PR branches (security policy). You'll need to apply this fix manually.

To apply the fix:

git fetch origin dependabot/npm_and_yarn/main/npm-updates-42533396bc
git checkout dependabot/npm_and_yarn/main/npm-updates-42533396bc
# edit src/services/database/migrations/migrations.ts as shown above
git add src/services/database/migrations/migrations.ts
git commit -m "fix(deps): update kysely imports to use kysely/migration subpath"
git push

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.