chore(deps-dev): bump the dev-dependencies group across 1 directory with 4 updates

[dependabot]

Bumps the dev-dependencies group with 4 updates in the / directory: @typescript-eslint/eslint-plugin, @typescript-eslint/parser, hono and tsx.

Updates @typescript-eslint/eslint-plugin from 8.59.3 to 8.59.4

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.59.4

8.59.4 (2026-05-18)

🩹 Fixes

• eslint-plugin: [no-floating-promises] stack overflow when using recursive types (#12294)
• project-service: throw error cause in getParsedConfigFileFromTSServer (#12321)
• typescript-eslint: export Compatible* types from typescript-eslint to resolve pnpm TS error (#12340)

❤️ Thank You

• Evyatar Daud @​StyleShit
• Kirk Waiblinger @​kirkwaiblinger
• lumir

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.59.4 (2026-05-18)

🩹 Fixes

• eslint-plugin: [no-floating-promises] stack overflow when using recursive types (#12294)

❤️ Thank You

• Evyatar Daud @​StyleShit

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• ca6ca14 chore(release): publish 8.59.4
• 4302433 fix(eslint-plugin): [no-floating-promises] stack overflow when using recursiv...
• 10b79f1 chore(deps): update dependency eslint to v10.4.0 (#12339)
• 2a6765d chore: clenaup getAwaitedType from typescript.d.ts (#12302)
• See full diff in compare view

Updates @typescript-eslint/parser from 8.59.3 to 8.59.4

Release notes

Sourced from @​typescript-eslint/parser's releases.

v8.59.4

8.59.4 (2026-05-18)

🩹 Fixes

• eslint-plugin: [no-floating-promises] stack overflow when using recursive types (#12294)
• project-service: throw error cause in getParsedConfigFileFromTSServer (#12321)
• typescript-eslint: export Compatible* types from typescript-eslint to resolve pnpm TS error (#12340)

❤️ Thank You

• Evyatar Daud @​StyleShit
• Kirk Waiblinger @​kirkwaiblinger
• lumir

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/parser's changelog.

8.59.4 (2026-05-18)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• ca6ca14 chore(release): publish 8.59.4
• See full diff in compare view

Updates hono from 4.12.18 to 4.12.21

Release notes

Sourced from hono's releases.

v4.12.21

Security fixes

This release includes fixes for the following security issues:

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3

IP Restriction bypasses static deny rules for non-canonical IPv6

Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x

JWT middleware accepts any Authorization scheme, not only Bearer

Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474

---

Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.

v4.12.20

What's Changed

• fix(route): preserve the base path of the mounted route() app by @​usualoma in honojs/hono#4942
• fix(jsx): widen jsx and jsxFn children to Child[] by @​ashunar0 in honojs/hono#4947

New Contributors

• @​ashunar0 made their first contribution in honojs/hono#4947

Full Changelog: honojs/hono@v4.12.19...v4.12.20

v4.12.19

What's Changed

• ci: pin GitHub Actions to SHAs by @​yusukebe in honojs/hono#4932
• fix(serveStatic): make options parameter optional in all adapters by @​mixelburg in honojs/hono#4934
• fix(cookie): return the first cookie when there are multiple cookies with the same name by @​usualoma in honojs/hono#4922
• feat(bearer-auth): make bearerAuth generic for typed context in verifyToken by @​justinnais in honojs/hono#4913
• feat(cache): key cache entries by configured vary headers by @​usualoma in honojs/hono#4915
• feat(request): add bytes() by @​yusukebe in honojs/hono#4921
• fix(stream): upgrade @hono/node-server to v2 and fix abort handling by @​yusukebe in honojs/hono#4940

New Contributors

• @​justinnais made their first contribution in honojs/hono#4913

Full Changelog: honojs/hono@v4.12.18...v4.12.19

Commits

• a83ddb8 4.12.21
• 6cbb025 Merge commit from fork
• c831020 Merge commit from fork
• 905aedb Merge commit from fork
• 5463db2 Merge commit from fork
• c657a39 4.12.20
• eb2d0c2 fix(jsx): widen jsx and jsxFn children to Child[] (#4947)
• dcabbec fix(route): preserve the base path of the mounted route() app (#4942)
• 7e62bcd 4.12.19
• e2f252a fix(stream): upgrade @hono/node-server to v2 and fix abort handling (#4940)
• Additional commits viewable in compare view

Updates tsx from 4.21.0 to 4.22.3

Release notes

Sourced from tsx's releases.

v4.22.3

4.22.3 (2026-05-19)

Bug Fixes

• decode typed loader source (dce02fc)
• preserve entrypoint with TypeScript preload hooks (68f72f3)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.2

4.22.2 (2026-05-18)

Bug Fixes

• preserve CJS JSON require in ESM hooks (35b700b)
• preserve named exports from CommonJS TypeScript (11de737)
• support module.exports require(esm) interop (cf8f199)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.1

4.22.1 (2026-05-17)

Bug Fixes

• resolve tsconfig path aliases containing a colon (#780) (6979f28)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.0

4.22.0 (2026-05-14)

Features

• upgrade esbuild to 0.28 (#789) (b29f6ee)

---

This release is also available on:

• npm package (@​latest dist-tag)

... (truncated)

Commits

• dce02fc fix: decode typed loader source
• 68f72f3 fix: preserve entrypoint with TypeScript preload hooks
• 69455cf test: cover package exports for ambiguous ESM reexports
• 35b700b fix: preserve CJS JSON require in ESM hooks
• ef807db chore: update testing dependencies
• 3917090 test: document compatibility test taxonomy
• de8113f refactor: centralize Node capability facts
• c1f62db test: consolidate tsconfig path edge coverage
• 4e08174 test: consolidate loader hook coverage
• 674bb30 test: consolidate tsImport commonjs mts coverage
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for tsx since your current version.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
x402trace-dogfood	Ready	Preview, Comment	May 21, 2026 9:59pm