Bump the development group across 1 directory with 14 updates

[dependabot]

Bumps the development group with 14 updates in the / directory:

Package	From	To
@changesets/changelog-github	0.5.2	0.7.0
@changesets/cli	2.29.8	2.31.0
markdownlint-cli	0.46.0	0.48.0
vitest-browser-react	2.0.2	2.2.0
node-html-parser	6.1.13	7.1.0
@faker-js/faker	7.6.0	10.4.0
@playwright/test	1.58.2	1.60.0
lodash	4.17.21	4.18.1
@types/lodash	4.17.21	4.17.24
uuid	11.1.0	14.0.0
@tailwindcss/browser	4.2.1	4.3.0
@types/estree	1.0.8	1.0.9
prettier	3.7.1	3.8.3
unist-util-visit	5.0.0	5.1.0

Updates @changesets/changelog-github from 0.5.2 to 0.7.0

Release notes

Sourced from @​changesets/changelog-github's releases.

@​changesets/changelog-github@​0.7.0

Minor Changes

• #1255 94578cf Thanks @​Kauhsa! - Added disableThanks option

@​changesets/changelog-github@​0.6.0

Minor Changes

• #1850 fd0bc2e Thanks @​mixelburg! - Linkify issue references in changelog entries.

Patch Changes

• #1810 27fd8f4 Thanks @​hirasso! - Replace deprecated String.prototype.trimRight with String.prototype.trimEnd

• Updated dependencies [d4b8ad8, e462d89]:

  • @​changesets/get-github-info@​0.8.0

Commits

• d1ef2d8 Version Packages (#1950)
• 7af5876 Restrict publish job to the npm env (#1972)
• ff767d2 Sync config-file-options documentation with schema.json and source code (#1683)
• 951094b fix: pin 2 unpinned action(s) (#1915)
• 94578cf Added disableThanks option (#1255)
• d87334d Support dark mode banner in readme (#1943)
• 87472a7 Update .vscode/settings.json (#1944)
• 317a373 Disable publish_pr job
• 9cce6db Version Packages (#1897)
• d2121dc Fix npm auth for path-based registries during publish by preserving configure...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​changesets/changelog-github since your current version.

Updates @changesets/cli from 2.29.8 to 2.31.0

Release notes

Sourced from @​changesets/cli's releases.

@​changesets/cli@​2.31.0

Minor Changes

• #1889 96ca062 Thanks @​mixelburg! - Error on unsupported flags for individual CLI commands and print the matching command usage to make mistakes easier to spot.

• #1873 42943b7 Thanks @​mixelburg! - Respond to --help on all subcommands. Previously, --help was only handled when it was the sole argument; passing it alongside a subcommand (e.g. changeset version --help) would silently execute the command instead. Now --help always exits early and prints per-command usage when a known subcommand is provided, or the general help text otherwise.

Patch Changes

• d2121dc Thanks @​Andarist! - Fix npm auth for path-based registries during publish by preserving configured registry URLs instead of normalizing them.

• #1888 036fdd4 Thanks @​mixelburg! - Fix several changeset version issues with workspace protocol dependencies. Valid explicit workspace: ranges and aliases are no longer rewritten unnecessarily, and workspace path references are handled correctly during versioning.

• #1903 5c4731f Thanks @​Andarist! - Gracefully handle stale npm info data leading to duplicate publish attempts.

• #1867 f61e716 Thanks @​Andarist! - Improved detection for published state of prerelease-only packages without latest dist-tag on GitHub Packages registry.

• Updated dependencies [036fdd4, 036fdd4, 036fdd4]:

  • @​changesets/assemble-release-plan@​6.0.10
  • @​changesets/get-dependents-graph@​2.1.4
  • @​changesets/apply-release-plan@​7.1.1
  • @​changesets/get-release-plan@​4.0.16
  • @​changesets/config@​3.1.4

@​changesets/cli@​2.30.0

Minor Changes

• #1840 057cca2 Thanks @​wotan-allfather! - Add --since flag to add command

  The add command now supports a --since flag that allows you to specify which branch, tag, or git ref to use when detecting changed packages. This is useful for gitflow workflows where you have multiple target branches and the baseBranch config option doesn't cover all use cases.

  Example: changeset add --since=develop

  If not provided, the command falls back to the baseBranch value in your .changeset/config.json.

• #1845 2b4a66a Thanks @​Andarist! - Delegate OTP prompting to the package manager instead of handling it in-process. This allows Changesets to use the package manager's native web auth support.

• #1774 667fe5a Thanks @​bluwy! - Support importing custom commit option ES module. Previously, it used require() which only worked for CJS modules, however now it uses import() which supports both CJS and ES modules.

• #1839 73b1809 Thanks @​leochiu-a! - Add a --message (-m) flag to changeset add (and default changeset) so the changeset summary can be provided from the command line. When --message is present, the summary prompt is skipped while the final confirmation step is kept.

• #1806 0e8e01e Thanks @​luisadame! - Changeset CLI can now be run from the nested directories in the project, where the .changeset directory has to be found in one of the parent directories

Patch Changes

• #1849 9dc3230 Thanks @​Andarist! - Compute the terminal's size lazily to avoid spurious stderr output in non-interactive mode

• #1857 2a73025 Thanks @​mixelburg! - Fix confusing prompt labels when entering changeset summary after external editor fallback

• #1842 6df3a5e Thanks @​RodrigoHamuy! - Allow private packages to depend on skipped packages without requiring them to also be skipped. Private packages are not published to npm, so it is safe for them to have dependencies on ignored or unversioned packages.

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​changesets/cli since your current version.

Updates markdownlint-cli from 0.46.0 to 0.48.0

Release notes

Sourced from markdownlint-cli's releases.

v0.48.0

• Update all dependencies via Dependabot

v0.47.0

• Add output and exit code support for warnings
• Update markdownlint dependency to 0.40.0
  • Improve MD011/MD013/MD051/MD060
• Update all dependencies via Dependabot

Commits

• e72a3ca Bump version 0.48.0
• 02c6132 Delete and recreate package-lock.json via "npm install".
• 800b47c Bump ava from 6.4.1 to 7.0.0
• e6eb97c Bump minimatch
• 61da922 Bump tar from 7.5.7 to 7.5.9
• 3731696 Bump minimatch from 10.2.0 to 10.2.2
• d60f5af Bump minimatch from 10.1.2 to 10.2.0
• 587b174 Bump markdown-it from 14.1.0 to 14.1.1
• c3bfec9 Bump minimatch from 10.1.1 to 10.1.2
• 1fba958 Bump @​isaacs/brace-expansion from 5.0.0 to 5.0.1
• Additional commits viewable in compare view

Updates vitest-browser-react from 2.0.2 to 2.2.0

Release notes

Sourced from vitest-browser-react's releases.

v2.2.0

   🚀 Features

• Add createRootOptions to ComponentRenderOptions  -  by @​nstepien in vitest-community/vitest-browser-react#53 (8803d)
• Expose page.renderHook  -  by @​sheremet-va in vitest-community/vitest-browser-react#54 (38389)

    View changes on GitHub

v2.1.0

   🚀 Features

• Integrate trace mark with render  -  by @​hi-ogawa and Claude Opus 4.6 in vitest-community/vitest-browser-react#47 (2b983)

   🐞 Bug Fixes

• Update links to api documentation  -  by @​nilshartmann in vitest-community/vitest-browser-react#48 (91885)

    View changes on GitHub

v2.0.5

   🐞 Bug Fixes

• Avoid act warnings  -  by @​sheremet-va in vitest-community/vitest-browser-react#46 (76a27)

    View changes on GitHub

v2.0.4

   🐞 Bug Fixes

• Inject a consistent testid  -  by @​sheremet-va in vitest-community/vitest-browser-react#45 (f5c88)

    View changes on GitHub

v2.0.3

   🐞 Bug Fixes

• Use a simple counter for act  -  by @​ocavue in vitest-community/vitest-browser-react#43 (8b122)
• Attach a stable testid to default baseElement and container  -  by @​nizans in vitest-community/vitest-browser-react#44 (e8acb)
  • Warning: If you are using snapshots with container, update to Vitest 4.0.18 to avoid rendering injected data-testid attribute.

    View changes on GitHub

Commits

• 8de0ed7 chore: release v2.2.0
• 3838945 feat: expose page.renderHook (#54)
• 8803d53 feat: add createRootOptions to ComponentRenderOptions (#53)
• fa58d74 chore: release v2.1.0
• 2b9835d feat: integrate trace mark with render (#47)
• 91885dd fix: update links to api documentation (#48)
• 2ab4b71 chore: release v2.0.5
• 76a2765 fix: avoid act warnings (#46)
• df16d16 chore: release v2.0.4
• f5c883a fix: inject a consistent testid (#45)
• Additional commits viewable in compare view

Updates node-html-parser from 6.1.13 to 7.1.0

Release notes

Sourced from node-html-parser's releases.

v7.1.0

7.1.0 (2026-03-03)

Features

• add option closeAllOnClosing (44c900a), closes #294
• add preserveTagNesting option to maintain invalid HTML nesting #295 (d604652)

Bug Fixes

• add missing dev dependency: yarn (8679d32)

v7.0.2

7.0.2 (2026-01-07)

Bug Fixes

• #227 (51528c4)
• #294 Closing tag is missing but valid HTML is still not parseable (950865f)
• add missing dev dependency: yarn (6d73ea3)
• test valid.js (a81fc46)

v7.0.1

7.0.1 (2024-12-26)

Bug Fixes

• upgrade node version (efd77ff)

Changelog

Sourced from node-html-parser's changelog.

7.1.0 (2026-03-03)

Features

• add option closeAllOnClosing (44c900a), closes #294
• add preserveTagNesting option to maintain invalid HTML nesting #295 (d604652)

Bug Fixes

• add missing dev dependency: yarn (8679d32)

7.0.2 (2026-01-07)

Bug Fixes

• #227 (51528c4)
• #294 Closing tag is missing but valid HTML is still not parseable (950865f)
• add missing dev dependency: yarn (6d73ea3)
• test valid.js (a81fc46)

7.0.1 (2024-12-26)

Bug Fixes

• upgrade node version (efd77ff)

7.0.0 (2024-12-26)

⚠ BREAKING CHANGES

• fix #277, for that change estarget to es6

Features

• fix #277, for that change estarget to es6 (432a3e7)

Bug Fixes

• add tests for #227 (5856ee2)

6.1.14 (2024-05-14)

Bug Fixes

... (truncated)

Commits

• ea54b3a chore(release): 7.1.0
• 3e17619 Merge pull request #303 from thomome/htmlElement-matches
• 405ccb2 Merge pull request #299 from ig3/close-tags
• 8c26d86 fixed readme return type
• c1098fc added tests
• 13c0b1b added matches method to HTMLElement
• d604652 feat: add preserveTagNesting option to maintain invalid HTML nesting #295
• c4cc706 Merge branch 'main' into close-tags
• eac4de9 Revert addition of yarn as a dependency
• f7a190c chore(release): 7.0.2
• Additional commits viewable in compare view

Updates @faker-js/faker from 7.6.0 to 10.4.0

Release notes

Sourced from @​faker-js/faker's releases.

v10.4.0

What's Changed

• feat(locale): add Norwegian (nb_NO) country definition by @​TomSchrier in faker-js/faker#3714
• refactor(docs): share refreshable code logic by @​ST-DDT in faker-js/faker#3739
• feat(locale): add Japanese cat breed definitions by @​atzzCokeK in faker-js/faker#3716
• feat(food): add plant-based dish variety by @​stuckvgn in faker-js/faker#3745
• fix(locales): correct typos and capitalization in es_MX street names by @​quserforgitp in faker-js/faker#3737
• feat(locale): add Japanese bear definitions by @​atzzCokeK in faker-js/faker#3720
• feat: fi locale phone numbers by @​andeke07 in faker-js/faker#3747
• refactor(hacker): use helpers.fake() instead of helpers.mustache() in phrase() by @​atzzCokeK in faker-js/faker#3736
• chore(deps): update all non-major dependencies by @​renovate[bot] in faker-js/faker#3752
• chore(deps): update dependency @​vitest/eslint-plugin to v1.6.9 by @​renovate[bot] in faker-js/faker#3749
• chore(deps): update eslint by @​renovate[bot] in faker-js/faker#3751
• feat(locale): add Japanese cattle breed definitions by @​atzzCokeK in faker-js/faker#3717
• feat(locale): add Japanese bird definitions by @​atzzCokeK in faker-js/faker#3719
• feat(locale): add Japanese fish definitions by @​atzzCokeK in faker-js/faker#3721
• chore(deps): lock file maintenance by @​renovate[bot] in faker-js/faker#3738
• chore(deps): update devdependencies by @​renovate[bot] in faker-js/faker#3750
• chore(deps): update all non-major dependencies by @​renovate[bot] in faker-js/faker#3754
• refactor(locale): filter and cleanup PersonEntryDefintions data by @​ST-DDT in faker-js/faker#3266
• feat(locale): add Japanese horse breed definitions by @​atzzCokeK in faker-js/faker#3718
• docs: migrate vitepress from v1 to v2.0.0-alpha.17 by @​Shinigami92 in faker-js/faker#3757
• chore(deps): update devdependencies by @​renovate[bot] in faker-js/faker#3755
• chore(deps): lock file maintenance by @​renovate[bot] in faker-js/faker#3756
• chore(deps): update mcr.microsoft.com/devcontainers/typescript-node:24 docker digest to 3ff0e3f by @​renovate[bot] in faker-js/faker#3762
• chore(deps): update eslint by @​renovate[bot] in faker-js/faker#3763
• chore(deps): update devdependencies by @​renovate[bot] in faker-js/faker#3764
• chore(deps): update vitest by @​renovate[bot] in faker-js/faker#3765
• chore(deps): update pnpm/action-setup action to v5 by @​renovate[bot] in faker-js/faker#3766
• chore(deps): update all non-major dependencies by @​renovate[bot] in faker-js/faker#3767
• chore(deps): lock file maintenance by @​renovate[bot] in faker-js/faker#3758
• chore(release): 10.4.0 by @​fakerjs-bot in faker-js/faker#3768

New Contributors

• @​stuckvgn made their first contribution in faker-js/faker#3745
• @​quserforgitp made their first contribution in faker-js/faker#3737
• @​andeke07 made their first contribution in faker-js/faker#3747

Full Changelog: faker-js/faker@v10.3.0...v10.4.0

v10.3.0

What's Changed

• chore(deps): lock file maintenance by @​renovate[bot] in faker-js/faker#3689
• fix(location): state name to 'Trøndelag' for nb_NO by @​Nilhenrik in faker-js/faker#3691
• fix(locale): remove empty string from Hebrew lorem words by @​erezcor in faker-js/faker#3698
• test: add custom matcher "toStartWith" by @​xDivisionByZerox in faker-js/faker#3700
• feat(person): sexType can return 'generic' by @​ST-DDT in faker-js/faker#3259
• refactor(locale): normalize system locale data by @​xDivisionByZerox in faker-js/faker#3702
• feat(locale): add Japanese suffix definitions for person module by @​atzzCokeK in faker-js/faker#3704
• feat(locale): add Japanese job definitions for person module by @​atzzCokeK in faker-js/faker#3705

... (truncated)

Changelog

Sourced from @​faker-js/faker's changelog.

10.4.0 (2026-03-23)

New Locales

• locale: add Japanese bear definitions (#3720) (2a4b15c)
• locale: add Japanese bird definitions (#3719) (dc31ff8)
• locale: add Japanese cat breed definitions (#3716) (54af8a8)
• locale: add Japanese cattle breed definitions (#3717) (c2c7342)
• locale: add Japanese fish definitions (#3721) (15fc361)
• locale: add Japanese horse breed definitions (#3718) (e02536e)
• locale: add Norwegian (nb_NO) country definition (#3714) (614b4e9)

Features

• fi locale phone numbers (#3747) (7afa8b5)
• food: add plant-based dish variety (#3745) (41edf49)

Changed Locales

• locale: filter and cleanup PersonEntryDefintions data (#3266) (67defc8)

Bug Fixes

• locales: correct typos and capitalization in es_MX street names (#3737) (2b32c28)

10.3.0 (2026-02-06)

New Locales

• locale: add Japanese dog definition (#3715) (76c9df1)
• locale: add Japanese color definitions (#3707) (bbbb215)
• locale: add Japanese food module (#3706) (71d55c0)
• locale: add Japanese internet definitions (#3708) (184a709)
• locale: add Japanese job definitions for person module (#3705) (e7f3ccd)
• locale: add Japanese suffix definitions for person module (#3704) (45ad7d8)
• locale: add Norwegian (nb_NO) continent definitions (#3712) (c0f0f23)
• locale: add Norwegian (nb_NO) direction definition (#3713) (43b18fa)
• locale: add Norwegian (nb_NO) sex definitions (#3710) (76063f2)
• locale: add Norwegian (nb_NO) vehicle definition (#3732) (d1c32b0)

Features

• locales: add Norwegian (nb_NO) zodiac sign definitions (#3711) (e306542)
• person: sexType can return 'generic' (#3259) (0e099a1)

... (truncated)

Commits

• b8abfc6 chore(release): 10.4.0 (#3768)
• 7108155 chore(deps): lock file maintenance (#3758)
• 5e6cf2b chore(deps): update all non-major dependencies (#3767)
• 91c944b chore(deps): update pnpm/action-setup action to v5 (#3766)
• cb18595 chore(deps): update vitest (#3765)
• af25d6b chore(deps): update devdependencies (#3764)
• 2e72c27 chore(deps): update eslint (#3763)
• 9a18091 chore(deps): update mcr.microsoft.com/devcontainers/typescript-node:24 docker...
• aa7b6c0 chore(deps): lock file maintenance (#3756)
• 89ba345 chore(deps): update devdependencies (#3755)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​faker-js/faker since your current version.

Updates @playwright/test from 1.58.2 to 1.60.0

Release notes

Sourced from @​playwright/test's releases.

v1.60.0

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});
await page.locator('#dropzone').drop({
data: {
'text/plain': 'hello world',
'text/uri-list': 'https://example.com',
},
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

... (truncated)

Commits

• 87bb9dd cherry-pick(#40747): fix(yauzl): vendor yauzl with destroy-lifecycle fix
• 9a9c51c cherry-pick(#40733): chore(electron): revert #40184 (move Electron API to a s...
• 4b3b628 cherry-pick(#40736): Revert "feat(electron): add timeout option to electronAp...
• f869f96 chore: bump version to v1.60.0 (#40714)
• 7eb6918 cherry-pick(#40710): docs: release notes v1.60
• 118d2aa cherry-pick(#40693): chore(python): formdata path type
• 54012f5 chore(deps): bump ip-address and express-rate-limit (#40680)
• 9fa531d fix(screencast): unblock frame ack when an async client disconnects (#40674)
• 3649db5 chore(mcp): bump default extension protocol to v2 (#40678)
• bb6c009 chore(extension): mark 0.2.1 (#40679)
• Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: v...

  Description has been truncated

[changeset-bot]

⚠️ No Changeset found

Latest commit: 21316cf

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.