Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@apollo/client (source)	4.1.7 → 4.1.9
@biomejs/biome (source)	2.4.12 → 2.4.13
@sentry/react (source)	10.49.0 → 10.50.0
@swc/core (source)	1.15.30 → 1.15.32
axios (source)	1.15.1 → 1.15.2
firebase (source, changelog)	12.12.0 → 12.12.1
pnpm (source)	10.33.0 → 10.33.2

---

Release Notes

apollographql/apollo-client (@​apollo/client)

v4.1.9

Compare Source

Patch Changes

• #​13203 099954b Thanks @​copilot-swe-agent! - Remove the workspaces field from the published package.json in dist to avoid Yarn v1 warnings about workspaces requiring private packages.

v4.1.8

Compare Source

Patch Changes

• #​13202 8a51ea6 Thanks @​phryneas! - Ship agent skill for usage with @​tanstack/intent — the skill is now bundled in the npm package under skills/apollo-client/ and discoverable by intent list.
  For more context, see the TanStack Intent QuickStart.

biomejs/biome (@​biomejs/biome)

v2.4.13

Compare Source

Patch Changes

• #​9969 c5eb92b Thanks @​officialasishkumar! - Added the nursery rule noUnnecessaryTemplateExpression, which disallows template literals that only contain string literal expressions. These can be replaced with a simpler string literal.

  For example, the following code triggers the rule:

  const a = `${"hello"}`; // can be 'hello'
  const b = `${"prefix"}_suffix`; // can be 'prefix_suffix'
  const c = `${"a"}${"b"}`; // can be 'ab'

• #​10037 f785e8c Thanks @​minseong0324! - Fixed #​9810: noMisleadingReturnType no longer reports false positives on a getter with a matching setter in the same namespace.

  class Store {
    get status(): string {
      if (Math.random() > 0.5) return "loading";
      return "idle";
    }
    set status(v: string) {}
  }

• #​10084 5e2f90c Thanks @​jiwon79! - Fixed #​10034: noUselessEscapeInRegex no longer flags escapes of ClassSetReservedPunctuator characters (&, !, #, %, ,, :, ;, <, =, >, @, `, ~) inside v-flag character classes as useless. These characters are reserved as individual code points in v-mode, so the escape is required.

  The following pattern is now considered valid:

  /[a-z\&]/v;

• #​10063 c9ffa16 Thanks @​Netail! - Added extra rule sources from ESLint CSS. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

• #​10035 946b50e Thanks @​Netail! - Fixed #​10032: useIframeSandbox now flags if there's no initializer value.

• #​9865 68fb8d4 Thanks @​dyc3! - Added the new nursery rule useDomNodeTextContent, which prefers textContent over innerText for DOM node text access and destructuring.

  For example, the following snippet triggers the rule:

  const foo = node.innerText;

• #​10023 bd1e74f Thanks @​ematipico! - Added a new nursery rule noReactNativeDeepImports that disallows deep imports from the react-native package. Internal paths like react-native/Libraries/... are not part of the public API and may change between versions.

  For example, the following code triggers the rule:

  import View from "react-native/Libraries/Components/View/View";

• #​9885 3dce737 Thanks @​dyc3! - Added a new nursery rule useDomQuerySelector that prefers querySelector() and querySelectorAll() over older DOM query methods such as getElementById() and getElementsByClassName().

• #​9995 4da9caf Thanks @​siketyan! - Fixed #​9994: Biome now parses nested CSS rules correctly when declarations follow them inside embedded snippets.

• #​10009 b41cc5a Thanks @​Jayllyz! - Fixed #​10004: noComponentHookFactories no longer reports false positives for object methods and class methods.

• #​9988 eabf54a Thanks @​Netail! - Tweaked the diagnostics range for useAltText, useButtonType, useHtmlLang, useIframeTitle, useValidAriaRole & useIfameSandbox to report on the opening tag instead of the full tag.

• #​10043 fc65902 Thanks @​mujpao! - Fixed #​10003: Biome no longer panics when parsing Svelte files containing {#}.

• #​9815 5cc83b1 Thanks @​dyc3! - Added the new nursery rule noLoopFunc. When enabled, it warns when a function declared inside a loop captures outer variables that can change across iterations.

• #​9702 ef470ba Thanks @​ryan-m-walker! - Added the nursery rule useRegexpTest that enforces RegExp.prototype.test() over String.prototype.match() and RegExp.prototype.exec() in boolean contexts. test() returns a boolean directly, avoiding unnecessary computation of match results.

  Invalid

  if ("hello world".match(/hello/)) {
  }

  Valid

  if (/hello/.test("hello world")) {
  }

• #​9743 245307d Thanks @​leetdavid! - Fixed #​2245: Svelte <script> tag language detection when the generics attribute contains > characters (e.g., <script lang="ts" generics="T extends Record<string, unknown>">). Biome now correctly recognizes TypeScript in such script blocks.

• #​10046 0707de7 Thanks @​Conaclos! - Fixed #​10038: organizeImports now sorts imports in TypeScript modules and declaration files.

    declare module "mymodule" {
  -  	import type { B } from "b";
    	import type { A } from "a";
  +  	import type { B } from "b";
    }

• #​10012 94ccca9 Thanks @​ematipico! - Added the nursery rule noReactNativeLiteralColors, which disallows color literals inside React Native styles.

  The rule belongs to the reactNative domain. It reports properties whose name contains color and whose value is a string literal when they appear inside a StyleSheet.create(...) call or inside a JSX attribute whose name contains style.

  // Invalid
  const Hello = () => <Text style={{ backgroundColor: "#FFFFFF" }}>hi</Text>;
  
  const styles = StyleSheet.create({
    text: { color: "red" },
  });

  // Valid
  const red = "#f00";
  const styles = StyleSheet.create({
    text: { color: red },
  });

• #​10005 131019e Thanks @​ematipico! - Added the nursery rule noReactNativeRawText, which disallows raw text outside of <Text> components in React Native.

  The rule belongs to the new reactNative domain.

  // Invalid
  <View>some text</View>
  <View>{'some text'}</View>

  // Valid
  <View>
    <Text>some text</Text>
  </View>

  Additional components can be allowlisted through the skip option:

  {
    "options": {
      "skip": ["Title"]
    }
  }

• #​9911 1603f78 Thanks @​Netail! - Added the nursery rule noJsxLeakedDollar, which flags text nodes with a trailing $ if the next sibling node is a JSX expression. This could be an unintentional mistake, resulting in a '$' being rendered as text in the output.

  Invalid:

  function MyComponent({ user }) {
    return <div>Hello ${user.name}</div>;
  }

• #​9999 f42405f Thanks @​minseong0324! - Fixed noMisleadingReturnType incorrectly flagging functions with reassigned let variables.

• #​10075 295f97f Thanks @​ematipico! - Fixed #9983: Biome now parses functions declared inside Svelte #snippet blocks without throwing errors.

• #​10006 cf4c1c9 Thanks @​minseong0324! - Fixed #​9810: noMisleadingReturnType incorrectly flagging nested object literals with widened properties.

• #​10033 11ddc05 Thanks @​ematipico! - Added the nursery rule useReactNativePlatformComponents that ensures platform-specific React Native components (e.g. ProgressBarAndroid, ActivityIndicatorIOS) are only imported in files with a matching platform suffix. It also reports when Android and iOS components are mixed in the same file.

  The following code triggers the rule when the file does not have an .android.js suffix:

  // file.js
  import { ProgressBarAndroid } from "react-native";

getsentry/sentry-javascript (@​sentry/react)

v10.50.0

Compare Source

swc-project/swc (@​swc/core)

v1.15.32

Compare Source

Bug Fixes

• (es/flow) Fix Flow type-only modules in script transforms (#​11817) (be38316)

• (es/flow) Avoid restoring module context when flow syntax is enabled (#​11819) (3ed7243)

• (es/minifier) Preserve frozen spread registry keys (#​11825) (347181c)

• (es/parser) Align Flow generic arrow JSX disambiguation (#​11821) (28a7fad)

Features

• (es) Add jsc.preserveSymlinks to swc::Options (#​11813) (fe38342)

axios/axios (axios)

v1.15.2

Compare Source

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#​10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#​10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#​10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#​10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #​10780). (#​10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#​10781)

Full Changelog

firebase/firebase-js-sdk (firebase)

v12.12.1: firebase@12.12.1

Compare Source

For more detailed release notes, see Firebase JavaScript SDK Release Notes.

What's Changed

@​firebase/ai@​2.11.1

Patch Changes

• 23ab5b9 #​9817 - Update code execution and URL context features to reflect that they are generally available and no longer public preview.

• 6db5af4 #​9840 (fixes #​9832) - Fix TemplateChatSession type so it does not error on TypeScript build. See Github issue #​9832.

firebase@​12.12.1

Patch Changes

• Updated dependencies [23ab5b9, 6db5af4]:
  • @​firebase/ai@​2.11.1

pnpm/pnpm (pnpm)

v10.33.2

Compare Source

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes

• When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.

Platinum Sponsors

Gold Sponsors

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • "before 6:00am on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.