Bump the npm-deps group with 6 updates #357

Merged
asciimoo merged 1 commit into master from dependabot/npm_and_yarn/npm-deps-0e043c7f43 on Apr 20, 2026

Conversation

dependabot[bot] commented on behalf of github on Apr 20, 2026

Bumps the npm-deps group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| fallow | 2.32.1 | 2.41.0 |
| prettier | 3.8.2 | 3.8.3 |
| svelte | 5.55.3 | 5.55.4 |
| typescript | 6.0.2 | 6.0.3 |
| vite | 8.0.8 | 8.0.9 |
| bits-ui | 2.17.3 | 2.18.0 |

Updates fallow from 2.32.1 to 2.41.0

Release notes

Sourced from fallow's releases.

v2.41.0 — Multi-workspace selection with globs and negation

Highlights

  • --workspace now accepts multiple patterns with comma-separated values, globs matched against both package name AND workspace path, and !-prefixed negation.

Added

  • --workspace accepts multiple patterns with globs and ! negation. The global -w / --workspace flag is no longer limited to a single exact package name; it now accepts:

    • Comma-separated values: -w web,admin
    • Repeated flags: -w web -w admin
    • Glob patterns matched against BOTH the `package.json` name AND the workspace path relative to the repo root: -w 'apps/*', -w '@scope/*'
    • !-prefixed negations: -w '!apps/legacy'
    • Mixed: -w 'apps/*,!apps/legacy'

    Combinations follow gitignore-style rules: positive-only includes matches, negative-only starts from all workspaces and removes matches, mixed applies positives then subtracts negatives. Literal package names that contain glob metacharacters (e.g. `web-[staging]`) are handled by an exact-name short-circuit so they still match without any quoting dance. Single-value usage (-w my-package) stays fully back-compatible. Propagated through `dead-code`, `health` (including hotspots, coverage sidecar, large-function analysis), `flags`, `audit`, and the combined pipeline. MCP `workspace` param keeps its `Option` shape so existing agent integrations continue to work; docstrings document the new syntax. Unmatched positive patterns are collected into a single "no workspaces matched patterns: 'X', 'Y'. Available: a, b, ..." error (exit 2) rather than one error per miss, and the available-workspaces list caps at 10 names for large monorepos. The "all workspaces excluded" error splits Included vs Excluded so a typo in a negation pattern is immediately visible. Closes knip issue #1441.

Upgrading

No breaking changes. Existing `--workspace` usage continues to work unchanged. To take advantage of the new forms, quote patterns with `!` or glob characters so your shell does not expand them (single quotes in bash; `!` triggers history expansion and double quotes are not enough).

Full Changelog: fallow-rs/fallow@v2.40.3...v2.41.0

v2.40.3: fix sidecar discovery for npm-installed @fallow-cli/fallow-cov

Fixed

  • Sidecar discovery now finds the real signed binary instead of the Node wrapper. Every v2.40.0 / v2.40.1 / v2.40.2 user who ran fallow health --production-coverage for the first time after npm install @fallow-cli/fallow-cov hit Error: Sidecar binary at .../node_modules/.bin/fallow-cov is missing its signature file ... The fallow CLI refuses to spawn an unsigned sidecar. (exit code 4).

What was happening

node_modules/.bin/fallow-cov is a Node wrapper script that re-execs the real binary in the platform subpackage (e.g. @fallow-cli/fallow-cov-darwin-arm64/fallow-cov). The real binary ships with an adjacent .sig file; the wrapper has no .sig next to it. The Phase 2.5 signature gate looked at the wrapper path and correctly refused to spawn an unsigned binary, even though the signed one was sitting right there in the platform subdirectory.

The fix

Sidecar discovery now walks up ancestors looking for node_modules/@fallow-cli/fallow-cov-*/fallow-cov first (matching whichever platform subpackage npm's optionalDependencies filter installed), then falls back to node_modules/.bin/fallow-cov for non-npm-optionalDependency layouts. FALLOW_COV_BIN / FALLOW_COV_BINARY_PATH env-var overrides still take precedence.

Upgrade

Patch-only; no behavior changes outside the sidecar discovery path. If you were running v2.40.0..v2.40.2 with FALLOW_COV_BINARY_PATH=... as a workaround, you can drop it after upgrading to v2.40.3.

Found via end-to-end smoke test of fallow@2.40.2 + @fallow-cli/fallow-cov@0.1.5.

Full Changelog: fallow-rs/fallow@v2.40.2...v2.40.3

v2.40.1: rotate sidecar signing pubkey

Fixed

  • Rotated BINARY_SIGNING_VERIFY_KEY to match the Ed25519 key pair now deployed in the sidecar release pipeline.

The first two fallow-rs/fallow-cloud sidecar release tags (sidecar-v0.1.0, sidecar-v0.1.1) failed in CI because the ED25519_BINARY_SIGNING_PRIVATE_KEY GitHub secret had been set with a malformed gh secret set --body - invocation, which gh interprets as the literal string - rather than reading the seed from stdin. Recovering the original seed was not possible (write-only secrets, local env scrubbed after write), so a fresh key pair was provisioned across Fly (staged), the GitHub Actions secret (validated via workflow_dispatch), and the GitHub Actions variable. This release updates the compiled-in verify key so v2.40.1+ CLI binaries accept signatures produced by the new signing key.

... (truncated)

Changelog

Sourced from fallow's changelog.

Changelog

All notable changes to fallow are documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Fixed

  • dupes now respects --workspace and --changed-workspaces scoping. Previously fallow dupes --workspace X returned every clone group in the repo, as did combined mode (fallow --workspace X / fallow --changed-workspaces REF). The workspace flag was wired into check and health but not dupes, so in a monorepo every duplication report spanned the whole project regardless of scope. Surfaced during the post-ship end-to-end test of --changed-workspaces on next.js, where combined mode reported 4780 clone groups despite a narrow scope. Fixed by adding workspace / changed_workspaces to DupesOptions, a new filter_by_workspaces pass that retains clone groups with at least one instance under any selected workspace root (rebuilding clone families, mirrored-directory detection, and duplication stats from the survivors), and wiring it through the standalone fallow dupes, combined, and fallow audit entry points. No schema changes; reported duplication_percentage now reflects the scoped slice instead of the whole repo.

Added

  • --changed-workspaces <REF>: git-derived monorepo CI scoping. New global flag that auto-detects which workspaces contain any file changed since the given git ref (e.g. origin/main, HEAD~1) and scopes output to that set. Removes the need for CI jobs to hand-maintain a --workspace a,b,c list as the package graph evolves. Reuses the existing --workspace filter path end-to-end, so dead-code, health (complexity + hotspots + coverage), flags, audit, and the combined pipeline all respect the derived scope identically. Mutually exclusive with --workspace: validated at the CLI layer with a targeted error. Unlike --changed-since, a missing ref or non-git directory is a hard error (exit 2) rather than a silent full-scope fallback. The flag's entire purpose is to narrow CI scope, so quietly widening back to the whole monorepo would defeat the optimization. When git succeeds but no tracked workspace file changed (e.g. a root-only lockfile bump), the scope is empty and the pipeline exits 0 with no issues reported. Shipped with unit tests on the mapping logic and an end-to-end integration test suite that builds a real monorepo, commits changes, and exercises the happy path, the conflict error, the hard-error ref failure, the no-workspaces error, and the root-only no-op. Closes knip PR #1455 parity gap.

Added

  • --workspace accepts multiple patterns with globs and ! negation. The global -w / --workspace flag is no longer limited to a single exact package name; it now accepts comma-separated values (-w web,admin), repeated flags (-w web -w admin), glob patterns matched against BOTH the package.json name AND the workspace path relative to the repo root (-w 'apps/*', -w '@scope/*'), and !-prefixed negations (-w '!apps/legacy'). Combinations follow gitignore-style rules: positive-only includes matches, negative-only starts from all workspaces and removes matches, mixed applies positives then subtracts negatives. Literal package names that happen to contain glob metacharacters (e.g. web-[staging]) are handled by an exact-name short-circuit so they still match without any quoting dance. Single-value usage (-w my-package) stays fully back-compatible. Propagated through dead-code, health (including hotspots, coverage sidecar, large-function analysis), flags, audit, and the combined pipeline. MCP workspace param keeps its Option<String> shape so existing agent integrations continue to work; docstrings document the new syntax. Unmatched positive patterns are collected into a single "no workspaces matched patterns: 'X', 'Y'. Available: a, b, ..." error (exit 2) rather than one error per miss, and the available-workspaces list caps at 10 names for large monorepos. The "all workspaces excluded" error splits Included vs Excluded so a typo in a negation pattern is immediately visible. Closes knip issue #1441.

Fixed

  • Sidecar discovery now prefers the real platform binary over the Node wrapper. After npm install @fallow-cli/fallow-cov, node_modules/.bin/fallow-cov is a Node wrapper script that re-execs the real binary in the platform subpackage (e.g. @fallow-cli/fallow-cov-darwin-arm64/fallow-cov). The wrapper path has no adjacent .sig file, so the Phase 2.5 signature verification gate refused to spawn with Sidecar binary at ... is missing its signature file (exit 4) even though the signed binary and its .sig were sitting right next to each other in the platform subdirectory. Discovery now walks up ancestors looking for node_modules/@fallow-cli/fallow-cov-*/fallow-cov first, then falls back to the .bin wrapper for non-npm-optionalDependency layouts. Every v2.40.0 / v2.40.1 / v2.40.2 user running fallow health --production-coverage for the first time hit this; FALLOW_COV_BINARY_PATH=... worked around it but the happy path should not require an env var. Found via Phase 2.5 end-to-end smoke test against sidecar-v0.1.5.

[2.40.2] - 2026-04-17

Fixed

  • super.method() calls now credit the parent class's method as used. Base-class methods only invoked via super.method() from subclasses were silently dropped by the AST visitor and surfaced as false-positive unused-class-member findings. A class_super_stack now tracks the nearest enclosing class's extends identifier while walking the class body; super.<member> expressions emit a member access against that identifier, and the existing local_to_imported resolver in find_unused_members maps it back to the parent's export name. Object-literal super (no enclosing class on the stack) is correctly dropped, and nested class expressions respect their own frame. Verified against svelte (13 false positives eliminated, each traced to a real super.<member> call in source) and vite (-2 false positives); zero new findings introduced on any benchmark fixture. Closes #130.

[2.40.1] - 2026-04-17

Fixed

  • BINARY_SIGNING_VERIFY_KEY rotated to match the key pair now deployed in the sidecar release pipeline. The first two fallow-rs/fallow-cloud sidecar release tags (sidecar-v0.1.0, sidecar-v0.1.1) failed in CI because the ED25519_BINARY_SIGNING_PRIVATE_KEY GitHub secret had been set with a malformed gh secret set --body - invocation that stored the literal - rather than reading the seed from stdin. Recovering the original seed was not possible (write-only secrets, local env scrubbed after write), so a fresh key pair was provisioned across Fly (staged), GitHub Actions secret (validated via workflow_dispatch), and GitHub Actions variable. This commit updates the compiled-in verify key so v2.40.1+ CLI binaries accept signatures produced by the new signing key. v2.40.0 remains safe -- no sidecar binaries were ever published under the broken configuration (sidecar-v0.1.0 / sidecar-v0.1.1 reached neither npm nor the GitHub release assets), so no user-visible regression to undo. First real signed sidecar will ship against v2.40.1 + sidecar-v0.1.2.

[2.40.0] - 2026-04-17

Added

  • Scoped usedClassMembers rules -- usedClassMembers entries may now be either a plain member name (global suppression, as before) OR a scoped object with extends / implements constraints. Framework-invoked method names that are too common to globally suppress (e.g. TypeORM MigrationInterface.up / down, ag-Grid agInit, Web Components connectedCallback) can be scoped so they only suppress on classes matching the specified heritage clause. Plain string entries keep their previous semantics; schema is a backward-compatible superset. New UsedClassMemberRule / ScopedUsedClassMemberRule types exposed in schema.json and plugin-schema.json. Thanks @M-Hassan-Raza (#129).
  • FALLOW_COV_BINARY_PATH env var -- second explicit-override slot for the production-coverage sidecar binary, ordered between FALLOW_COV_BIN and project-local lookup. Required for air-gapped enterprise installs, Linux distro-packaged sidecars, and Docker multi-user setups where ~/.fallow/bin is not writable. Missing-file returns a clear error instead of silently falling through to auto-discovery, matching FALLOW_COV_BIN's explicit-beats-implicit semantics.
  • Ed25519 signature verification on every sidecar spawn -- the fallow-cov production-coverage sidecar binary must ship with an adjacent <binary>.sig file. fallow health --production-coverage verifies the signature against a compiled-in public key (BINARY_SIGNING_VERIFY_KEY) before executing the sidecar and fails hard (exit code 4) on any of: missing .sig file, wrong signature length, or invalid signature. Strict from day one -- no warn-and-run, no opt-out env var. Hardens the sidecar supply chain across npm mirrors, air-gapped installs, and ad-hoc binary placement. Error messages direct users to npm install @fallow-cli/fallow-cov.

Fixed

  • fallow license non-Unix stub no longer fails clippy under rust 1.95 -- the #[cfg(not(unix))] permission-set stub returns Result<(), String> to mirror the Unix variant's signature, which rust 1.95's unnecessary_wraps flags. Added an explicit #[allow] with a reason.

[2.39.0] - 2026-04-17

... (truncated)

Commits
  • 974bb63 chore: release v2.41.0
  • 7e371c2 feat(cli): --workspace accepts multiple patterns with globs and negation
  • de7ea45 chore: release v2.40.3
  • cfaa0ed fix(cli): prefer @fallow-cli/fallow-cov-<platform>/fallow-cov over .bin wrapper
  • 667f678 ci: temporarily disable heavy workflows to conserve CI minutes
  • 6f2d860 chore: release v2.40.2
  • 5d433b3 fix(extract): credit super.method() calls to parent class
  • 1419e2d chore: release v2.40.1
  • 0d19245 feat(cli): rotate BINARY_SIGNING_VERIFY_KEY to fix sidecar-v0.1.0/0.1.1 failure
  • 987d9e2 chore: release v2.40.0
  • Additional commits viewable in compare view

Updates prettier from 3.8.2 to 3.8.3

Release notes

Sourced from prettier's releases.

3.8.3

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.3

SCSS: Prevent trailing comma in if() function (#18471 by @kovsu)

```scss
// Input
$value: if(sass(false): 1; else: -1);

// Prettier 3.8.2
$value: if(
  sass(false): 1; else: -1,
);

// Prettier 3.8.3
$value: if(sass(false): 1; else: -1);
```

Commits

Updates svelte from 5.55.3 to 5.55.4

Release notes

Sourced from svelte's releases.

svelte@5.55.4

Patch Changes

  • fix: never mark a child effect root as inert (#18111)

  • fix: reset context after waiting on blockers of @const expressions (#18100)

  • fix: keep flushing new eager effects (#18102)

Changelog

Sourced from svelte's changelog.

5.55.4

Patch Changes

  • fix: never mark a child effect root as inert (#18111)

  • fix: reset context after waiting on blockers of @const expressions (#18100)

  • fix: keep flushing new eager effects (#18102)

Commits

Updates typescript from 6.0.2 to 6.0.3

Release notes

Sourced from typescript's releases.

TypeScript 6.0.3

For release notes, check out the release announcement blog post.

Downloads are available on:

Commits
  • 050880c Bump version to 6.0.3 and LKG
  • eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
  • ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
  • 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
  • See full diff in compare view

Updates vite from 8.0.8 to 8.0.9

Release notes

Sourced from vite's releases.

v8.0.9

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.9 (2026-04-20)

Features

Bug Fixes

  • allow binding when strictPort is set but wildcard port is in use (#22150) (dfc8aa5)
  • build: emptyOutDir should happen for watch rebuilds (#22207) (ee52267)
  • bundled-dev: reject requests to HMR patch files in non potentially trustworthy origins (#22269) (868f141)
  • css: use unique key for cssEntriesMap to prevent same-basename collision (#22039) (374bb5d)
  • deps: update all non-major dependencies (#22219) (4cd0d67)
  • deps: update all non-major dependencies (#22268) (c28e9c1)
  • detect Deno workspace root (fix #22237) (#22238) (1b793c0)
  • dev: handle errors in watchChange hook (#22188) (fc08bda)
  • optimizer: handle more chars that will be sanitized (#22208) (3f24533)
  • skip fallback sourcemap generation for ?raw imports (#22148) (3ec9cda)

Documentation

Miscellaneous Chores

  • deps: update dependency dotenv-expand to v13 (#22271) (0a3887d)

Commits
  • ce729f5 release: v8.0.9
  • 605bb97 docs: update build CLI defaults (#22261)
  • c28e9c1 fix(deps): update all non-major dependencies (#22268)
  • 0a3887d chore(deps): update dependency dotenv-expand to v13 (#22271)
  • 868f141 fix(bundled-dev): reject requests to HMR patch files in non potentially trust...
  • 3ec9cda fix: skip fallback sourcemap generation for ?raw imports (#22148)
  • 3f24533 fix(optimizer): handle more chars that will be sanitized (#22208)
  • 1b793c0 fix: detect Deno workspace root (fix #22237) (#22238)
  • fc08bda fix(dev): handle errors in watchChange hook (#22188)
  • 374bb5d fix(css): use unique key for cssEntriesMap to prevent same-basename collision...
  • Additional commits viewable in compare view

Updates bits-ui from 2.17.3 to 2.18.0

Release notes

Sourced from bits-ui's releases.

bits-ui@2.18.0

Minor Changes

  • feat(Select): Add <Select.Value/> component (#2026)

  • feat(PinInput): add bindable inputRef on PinInput.Root (#2028)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
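The multi-pattern --workspace selection described in the fallow v2.41.0 notes (comma-separated and repeated flags, globs matched against both package name and path, ! negation, gitignore-style combination, exact-name short-circuit, one collected error for unmatched positives) reimplemented as an added Go example; this is not fallow's own Rust code. It assumes Go's path.Match as the glob engine, uses a constructed workspace list, and leaves out the capped available-workspaces list and the Included/Excluded split that the real error messages carry. The point for reviewers is the failure behaviour: a pattern that matches nothing is a hard error, so a typo cannot silently shrink what gets audited.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Workspace is one monorepo package: its package.json name and its path
// relative to the repo root. A -w pattern is matched against both.
type Workspace struct{ Name, Path string }
// pattern is one parsed -w token; negate is set for a "!"-prefixed token.
type pattern struct{ glob string; negate bool }

// parsePatterns splits repeated -w flags and comma-separated values, noting whether any token is positive.
func parsePatterns(flags []string) (pats []pattern, positive bool) {
	for _, f := range flags {
		for _, tok := range strings.Split(f, ",") {
			if tok = strings.TrimSpace(tok); tok != "" {
				neg := strings.HasPrefix(tok, "!")
				pats = append(pats, pattern{strings.TrimPrefix(tok, "!"), neg})
				positive = positive || !neg
			}
		}
	}
	return pats, positive
}

// matches reports whether glob selects ws. The exact-name comparison runs first,
// so a literal name such as "web-[staging]" is not parsed as a character class.
func matches(glob string, ws Workspace) bool {
	if glob == ws.Name || glob == ws.Path {
		return true
	}
	for _, cand := range []string{ws.Name, ws.Path} {
		if ok, err := path.Match(glob, cand); err == nil && ok {
			return true
		}
	}
	return false
}

// SelectWorkspaces applies the gitignore-style rules (positives include, negatives
// subtract, negative-only starts from every workspace) and reports unmatched positives together.
func SelectWorkspaces(all []Workspace, flags []string) ([]string, error) {
	pats, positive := parsePatterns(flags)
	hit := map[string]bool{}
	var out, unmatched []string
	for _, ws := range all {
		keep, excluded := !positive, false // no positive pattern: start from all
		for _, p := range pats {
			if matches(p.glob, ws) {
				hit[p.glob] = true
				excluded = excluded || p.negate // any matching negation wins
				keep = keep || !p.negate
			}
		}
		if keep && !excluded {
			out = append(out, ws.Name)
		}
	}
	for _, p := range pats {
		if !p.negate && !hit[p.glob] {
			unmatched = append(unmatched, "'"+p.glob+"'")
		}
	}
	if len(unmatched) > 0 {
		return nil, fmt.Errorf("no workspaces matched patterns: %s", strings.Join(unmatched, ", "))
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("all workspaces excluded by %q", flags)
	}
	return out, nil
}
```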

Bumps the npm-deps group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [fallow](https://github.com/fallow-rs/fallow) | `2.32.1` | `2.41.0` |
| [prettier](https://github.com/prettier/prettier) | `3.8.2` | `3.8.3` |
| [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte) | `5.55.3` | `5.55.4` |
| [typescript](https://github.com/microsoft/TypeScript) | `6.0.2` | `6.0.3` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `8.0.8` | `8.0.9` |
| [bits-ui](https://github.com/huntabyte/bits-ui) | `2.17.3` | `2.18.0` |


Updates `fallow` from 2.32.1 to 2.41.0
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.32.1...v2.41.0)

Updates `prettier` from 3.8.2 to 3.8.3
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.8.2...3.8.3)

Updates `svelte` from 5.55.3 to 5.55.4
- [Release notes](https://github.com/sveltejs/svelte/releases)
- [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.55.4/packages/svelte)

Updates `typescript` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v6.0.2...v6.0.3)

Updates `vite` from 8.0.8 to 8.0.9
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.9/packages/vite)

Updates `bits-ui` from 2.17.3 to 2.18.0
- [Release notes](https://github.com/huntabyte/bits-ui/releases)
- [Commits](https://github.com/huntabyte/bits-ui/compare/bits-ui@2.17.3...bits-ui@2.18.0)

---
updated-dependencies:
- dependency-name: fallow
  dependency-version: 2.41.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: prettier
  dependency-version: 3.8.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: svelte
  dependency-version: 5.55.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: typescript
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: vite
  dependency-version: 8.0.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: bits-ui
  dependency-version: 2.18.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
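The sidecar signature gate from the fallow v2.40.0 and v2.40.3 notes (verify an adjacent .sig against a compiled-in Ed25519 key before spawning; hard fail on a missing .sig, a wrong signature length or an invalid signature; no warn-and-run), as an added Go example that is not fallow's own code. The key pair, the node_modules layout and the sidecar payload are constructed in a temporary directory; the .bin wrapper case reproduces the v2.40.0 to v2.40.2 "missing its signature file" outcome, and the stale-key case shows why the v2.40.1 key rotation had to ship a new compiled-in verify key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// The three hard-fail conditions the release notes list for the sidecar gate.
var (
	ErrMissingSig = errors.New("is missing its signature file")
	ErrSigLength  = errors.New("signature file has the wrong length")
	ErrSigInvalid = errors.New("signature does not verify against the compiled-in key")
)

// VerifySidecar checks the detached Ed25519 signature in <binary>.sig against
// verifyKey and returns nil only when every check passes. The caller must not
// spawn the binary on any error (the CLI exits 4); there is no warn-and-run path.
func VerifySidecar(binary string, verifyKey ed25519.PublicKey) error {
	code, err := os.ReadFile(binary)
	if err != nil {
		return err
	}
	sig, err := os.ReadFile(binary + ".sig")
	if errors.Is(err, os.ErrNotExist) {
		return fmt.Errorf("sidecar binary at %s %w", binary, ErrMissingSig)
	} else if err != nil {
		return err
	}
	if len(sig) != ed25519.SignatureSize {
		return fmt.Errorf("%w: got %d bytes, want %d", ErrSigLength, len(sig), ed25519.SignatureSize)
	}
	if !ed25519.Verify(verifyKey, code, sig) {
		return ErrSigInvalid
	}
	return nil
}

// Demo stages a constructed node_modules tree in a temp dir and runs the gate
// against the situations the release notes describe, returning each outcome.
func Demo() (signedOK, wrapperNoSig, truncatedSig, staleKey error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the compiled-in pair
	oldPub, _, _ := ed25519.GenerateKey(rand.Reader) // verify key from before a rotation
	dir, _ := os.MkdirTemp("", "fallow-cov-demo")
	defer os.RemoveAll(dir)
	write := func(rel string, data []byte) string {
		p := filepath.Join(dir, filepath.FromSlash(rel))
		_ = os.MkdirAll(filepath.Dir(p), 0o755)
		_ = os.WriteFile(p, data, 0o755)
		return p
	}
	body := []byte("#!/bin/sh\necho constructed sidecar payload\n")
	sig := ed25519.Sign(priv, body)
	// Platform subpackage: the real binary with its .sig beside it, as published.
	const platform = "node_modules/@fallow-cli/fallow-cov-linux-x64/fallow-cov"
	platformBin := write(platform, body)
	write(platform+".sig", sig)
	// .bin wrapper: the Node re-exec script npm links; nothing signs it.
	wrapperBin := write("node_modules/.bin/fallow-cov", []byte("#!/usr/bin/env node\n"))
	// A corrupted copy from a mirror: the .sig exists but is cut short.
	truncBin := write("mirror/fallow-cov", body)
	write("mirror/fallow-cov.sig", sig[:40])
	return VerifySidecar(platformBin, pub), VerifySidecar(wrapperBin, pub),
		VerifySidecar(truncBin, pub), VerifySidecar(platformBin, oldPub)
}

func main() {
	ok, noSig, badLen, stale := Demo()
	fmt.Println(ok, "|", noSig, "|", badLen, "|", stale)
}
```

Discovery order (env override, then the platform subpackage walk-up, then the .bin fallback) is left out here; only the gate that runs on whatever path discovery returns is shown.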
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on Apr 20, 2026
asciimoo merged commit 9d514dc into master on Apr 20, 2026
7 checks passed
dependabot[bot] deleted the dependabot/npm_and_yarn/npm-deps-0e043c7f43 branch on April 20, 2026 18:13