
Bump the npm-deps group with 5 updates #391

Merged
asciimoo merged 1 commit into master from dependabot/npm_and_yarn/npm-deps-e7fd40142a
May 4, 2026

@dependabot dependabot Bot commented on behalf of github May 4, 2026

Bumps the npm-deps group with 5 updates:

Package From To
fallow 2.52.0 2.63.0
animejs 4.3.6 4.4.1
@sveltejs/kit 2.58.0 2.59.0
@lucide/svelte 1.11.0 1.14.0
bits-ui 2.18.0 2.18.1

Updates fallow from 2.52.0 to 2.63.0

Release notes

Sourced from fallow's releases.

v2.63.0 — Monorepo-friendly: contributor PRs + scale-invariant health score

A monorepo-friendly release. Five contributor PRs from @​fmguerreiro clear false positives across Turborepo CI workflows, ESLint flat-configs, Vitest manual mocks, and Next.js dynamic re-exports. The health_score formula is reworked to be scale-invariant so large monorepos no longer score in the B band by default. CSS @import now follows package.json#exports with the style condition (shadcn / Tailwind v4 plugins).

Added

Vitest /__mocks__ virtual specifiers no longer flagged as unlisted dependencies (#265) — @aws-sdk/__mocks__, @sentry/__mocks__, @supabase/__mocks__, etc. are Vitest manual-mock specifiers that don't exist on npm; they used to trigger an unlisted-dependency finding with an "install this package" auto-fix that pointed at a package that doesn't exist. The Vitest plugin now contributes a /__mocks__ package-name suffix via the new Plugin::virtual_package_suffixes() trait method, and the suffix list merges across workspace plugin runs into the root AggregatedPluginResult so monorepos with Vitest only in a workspace's package.json (not the root) get the same suppression. Thanks @​fmguerreiro.

Changed

health_score is now scale-invariant (Closes #260) — The penalty formula previously used absolute counts (unused_dep_count), unweighted averages (avg_cyclomatic), and order-statistics (p90_cyclomatic) that are mathematically incapable of firing at large-monorepo scale: a 50k-LOC monorepo with 200 unused devDependencies and 1500 functions over 60 LOC would score in the B band because the per-dimension caps were saturated and the averages were diluted by clean code in the long tail. The reworked formula switches to scale-invariant aggregators: critical_complexity_pct (functions over a hard CC threshold), maintainability_low_pct (files below the MI threshold), unused_deps_per_k_files, circular_deps_per_k_files, functions_over_60_loc_per_k, coupling_high_pct, and hotspot_top_pct_count (top-percentile hotspots normalized against total_files). Caps on unused_deps and circular_deps raised from 10 to 25. New formula_version: 2 field on HealthScore lets consumers detect the formula change. Older snapshots that lack the scale-invariant fields fall back to the previous aggregators so cached / archived data still scores. Thanks @​OmerGronich for the detailed report including the per-dimension cap analysis.

Fixed

CSS @import 'pkg/subpath.css' resolves through package.json#exports with the style condition (Closes #261) — Bare CSS imports whose target is exposed only through an exports map under the "style" condition (shadcn, daisyui, Tailwind v4 plugins) previously surfaced as unresolved_imports even though the file existed and bundlers resolved it correctly. The CSS / SCSS resolver now consults the package's exports map for the requested subpath before falling back to the node_modules/<pkg>/<file> direct path, picking up { "./tailwind.css": { "style": "./dist/tailwind.css" } } shapes. Thanks @​VidhyaKumar for the report with a complete shadcn 4.6.0 reproduction.

CI YAML scanner stops emitting WARN invalid entry pattern for shell and regex fragments (#262) — GitHub Actions expressions (${{ env.URL }}/api/health), jq -r '.[]' array iterators, and Perl regex shards (grep -oP '(?<=Module )\./[^ ]+') split on whitespace into tokens like }}/api/health, '.[]', and )\./[^ that reached globset::GlobBuilder::new(...).build() and produced 10+ noise warnings on a typical CI repo. A new could_be_file_path negative-only guard rejects tokens whose syntax precludes a Unix path (unbalanced ${{/}}, backslashes, malformed [...]) before they reach globset compilation. Next.js dynamic-route segments (app/[id]/page.tsx, pages/[...slug].ts) remain valid. Thanks @​fmguerreiro.

Next.js dynamic(() => import('./X').then(m => m.X)) lazy-loaded re-exports no longer flagged as duplicate-export (#263) — The Next.js code-splitting idiom where Foo-lazy.tsx exports Foo = dynamic(() => import('./Foo').then(m => m.Foo), { ssr: false }) is semantically a re-export of Foo. find_duplicate_exports now extends re_export_sources with dynamic-import edges that act as re-exports, gated by a wrapper-must-export check that guards against false-negative suppression of legitimate duplicates. Thanks @​fmguerreiro.

ESLint flat-config plugin imports trace through workspace-internal config packages (#266) — Turborepo / Nx monorepos that centralize ESLint config in a workspace package were producing false unused-devdep flags for plugins the shared config imports transitively. The ESLint plugin now walks up node_modules/ ancestors (bounded by MAX_NODE_MODULES_WALK_DEPTH = 8) so packages hoisted to the monorepo root are found from a workspace root, and resolves @scope/pkg/subpath imports via the package's exports map with .js/.mjs/.cjs extension fallback. ESLint also joins the must_parse_workspace_config_when_root_active allowlist so workspace eslint.config.* files still get parsed when root-level ESLint is active. Thanks @​fmguerreiro.

Full Changelog: fallow-rs/fallow@v2.62.0...v2.63.0

v2.62.0 - parallel analyze, incremental churn cache, class-member globs

fallow 2.62.0 ships a parallel analyze stage, an incremental git churn cache, the missing duplication row in the --performance table, and four bug fixes around dynamic imports, class-member globs, and circular-dependency suppression.

Highlights

analyze runs in parallel

The pipeline's analyze stage now schedules its ten independent detectors across rayon worker threads. On a synthetic 24,320-file monorepo the stage drops from ~6.75s to under half a second on a 14-core machine. Real-world fixtures (next.js, preact) show a ~2x speedup with byte-identical output.

Incremental git churn cache

.fallow/churn.bin now records per-commit events keyed by last_indexed_sha. When HEAD advances from the cached SHA, fallow runs git log <cached>..HEAD --numstat and merges the delta instead of re-shelling out for the entire churn window. CI runs that fallow on every push and pre-commit hooks now hit the cache for the bulk of the work, paying only the marginal-commit cost.

usedClassMembers accepts globs

Member strings containing * or ? now compile as glob matchers, so a single rule can cover the entire family of methods a framework dispatches reflectively. "*" matches every member on a heritage-matching class, "enter*" / "*Handler" cover prefix or suffix patterns, and "on*Event" combines both. Designed for parser-generator listeners (ANTLR), code-generated bridges (protoc-ts, openapi-typescript, graphql-codegen), and abstract framework bases. Glob patterns matching zero members emit a WARN so dead allowlist entries surface.

{
  "usedClassMembers": [
    { "extends": "GrammarBaseListener", "members": ["enter*", "exit*"] }
  ]
}

Added

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.63.0] - 2026-05-04

Added

  • Vitest /__mocks__ virtual specifiers are no longer flagged as unlisted dependencies. Vitest's manual-mock convention places mock factories at <package>/__mocks__/<module>.ts and some test setups also import directly from @<scope>/__mocks__ paths via package.json#imports aliases or workspace virtual paths. @aws-sdk/__mocks__, @sentry/__mocks__, @supabase/__mocks__, etc. do not exist on npm and previously triggered an unlisted-dependency finding with an "install this package" auto-fix that pointed at a package that does not exist. The Vitest plugin now contributes a /__mocks__ package-name suffix to the new Plugin::virtual_package_suffixes() trait method; specifiers ending in that suffix are suppressed from find_unlisted_dependencies. The suffix list merges across workspace plugin runs into the root AggregatedPluginResult, so monorepos that put Vitest only in a workspace's package.json (not the root) get the same suppression. Thanks @​fmguerreiro for the report and the fix. (#265)

Changed

  • health_score is now scale-invariant. The penalty formula previously used absolute counts (unused_dep_count), unweighted averages (avg_cyclomatic), and order-statistics (p90_cyclomatic) that are mathematically incapable of firing at large-monorepo scale: a 50k-LOC monorepo with 200 unused devDependencies and 1500 functions over 60 LOC scored in the B band because the per-dimension caps were saturated and the averages were diluted by clean code in the long tail. The reworked formula switches to scale-invariant aggregators: critical_complexity_pct (functions over a hard CC threshold), maintainability_low_pct (files below the MI threshold), unused_deps_per_k_files, circular_deps_per_k_files, functions_over_60_loc_per_k, coupling_high_pct, and hotspot_top_pct_count (top-percentile hotspots normalized against total_files). Caps on unused_deps and circular_deps raised from 10 to 25, allowing those dimensions to actually contribute at monorepo scale. New formula_version: 2 field on HealthScore lets consumers detect the formula change. Older snapshots that lack the scale-invariant fields fall back to the previous aggregators so cached / archived data still scores. Thanks @​OmerGronich for the detailed report including the per-dimension cap analysis. (Closes #260)

Fixed

  • CSS @import 'pkg/subpath.css' resolves through package.json#exports with the style condition. Bare CSS imports whose target is exposed only through an exports map under the "style" condition (the canonical pattern for design-system packages like shadcn, daisyui, and Tailwind v4 plugins) previously surfaced as unresolved_imports even when the file existed and bundlers resolved it correctly. The CSS / SCSS resolver now consults the package's exports map for the requested subpath before falling back to the node_modules/<pkg>/<file> direct path, picking up { "./tailwind.css": { "style": "./dist/tailwind.css" } } shapes that target arbitrary subdirectories. Thanks @​VidhyaKumar for the report with a complete shadcn 4.6.0 reproduction. (Closes #261)
  • CI YAML scanner stops emitting WARN invalid entry pattern for shell and regex fragments. GitHub Actions expressions (${{ env.URL }}/api/health), jq -r '.[]' array iterators, and Perl regex shards (grep -oP '(?<=Module )\./[^ ]+') split on whitespace into tokens like }}/api/health, '.[]', and )\./[^ that reached globset::GlobBuilder::new(...).build() and produced 10+ noise warnings on a typical CI repo. A new could_be_file_path negative-only guard rejects tokens whose syntax precludes a Unix path (unbalanced ${{/}}, backslashes, malformed [...]) before they reach globset compilation. The guard runs on cmd.config_args extracted from --config/-c flags and on cmd.file_args via the existing looks_like_file_path path. Next.js dynamic-route segments (app/[id]/page.tsx, pages/[...slug].ts) remain valid. Thanks @​fmguerreiro for the report and the fix. (#262)
  • Next.js dynamic(() => import('./X').then(m => m.X)) lazy-loaded re-exports no longer flagged as duplicate-export. The Next.js code-splitting idiom where Foo-lazy.tsx exports Foo = dynamic(() => import('./Foo').then(m => m.Foo), { ssr: false }) is semantically a re-export of Foo, equivalent to export { Foo } from './Foo' (which fallow already does not flag). find_duplicate_exports now extends re_export_sources with dynamic-import edges that act as re-exports: a dynamic import targeting an internal module counts as a re-export only when the wrapper module exports the same shape (Named("X") requires the wrapper to export X; Default requires the wrapper to have a default export). The wrapper-must-export check guards against false negatives where a module dynamically imports something but does not actually re-export it. Thanks @​fmguerreiro for the report and the fix. (#263)
  • ESLint flat-config plugin imports trace through workspace-internal config packages. Turborepo / Nx monorepos that centralize ESLint config in a workspace package (packages/eslint-config exporting from index.js) were producing false unused-devdep flags for plugins that the shared config imports transitively. Two cooperating fixes: the ESLint plugin's read_package_entry_for_specifier now walks up start.ancestors() checking node_modules/<pkg>/package.json (bounded by MAX_NODE_MODULES_WALK_DEPTH = 8), so packages hoisted to the monorepo root are found from a workspace root, and resolves @scope/pkg/subpath imports via the package's exports map with .js/.mjs/.cjs extension fallback. must_parse_workspace_config_when_root_active now includes "eslint" so when the root-level ESLint plugin is active, every workspace's eslint.config.* still gets parsed instead of being silently skipped by run_workspace_fast. Thanks @​fmguerreiro for the report and the fix. (#266)

[2.62.0] - 2026-05-02

Added

  • usedClassMembers entries accept glob patterns. Member strings containing * or ? now compile as glob matchers, so a single rule can cover the entire family of methods a framework dispatches reflectively. Use "*" to match every member on a heritage-matching class, "enter*" / "*Handler" for prefix or suffix matching, or "on*Event" for combined prefix+suffix. The shape ({ extends?, implements?, members }) is unchanged; exact-string entries still work as before. Glob patterns matching zero members across the codebase emit a WARN so dead allowlist entries surface. Designed for parser-generator listeners (ANTLR), code-generated bridges (protoc-ts, openapi-typescript, graphql-codegen), and abstract framework bases that dispatch on a member-name prefix instead of an enumerated list. Thanks @​OmerGronich for the report. (Closes #254)
  • overrides[].rules.circular-dependency: "off" suppresses cycles whose files all match the override glob. Previously circular-dependency was the only rule that ignored per-folder overrides[] entries; you had to disable cycle detection globally or add // fallow-ignore-file circular-dependency to every file in every cycle. Now a cycle is suppressed when every file in the cycle resolves to Severity::Off for circular-dependency via overrides[]. Cycles that touch even one non-overridden file remain reported, preserving real-positive detection on shared modules. Thanks @​OmerGronich for the report. (Closes #255)
  • First-class blast-radius and importance sections on fallow coverage analyze. New --blast-radius and --importance flags surface runtime-weighted blast-radius and importance findings in the human output, alongside the existing hot-path / cold-path sections.
  • Runtime coverage --top flag. Limits the runtime findings + hot-path display to the top N entries, matching fallow dead-code's top-N flag for parity.

Changed

  • analyze stage runs detectors in parallel. The pipeline's analyze stage now schedules its ten independent detectors (unused_files, unused_exports, unused_members, dependency detectors, unresolved_imports, duplicate_exports, boundary_violations, circular_dependencies, etc.) across rayon worker threads instead of serially on a single core. On a synthetic 24,320-file monorepo with realistic barrel files and cross-workspace imports the analyze stage drops from ~6.75s to under half a second on a 14-core machine. Real-world fixtures (next.js, preact) show a ~2x speedup on the analyze stage with byte-identical results. Find-unused-exports and find-unused-members also parallelise their inner module loops via rayon. Thanks @​OmerGronich for the report. (Closes #259)
  • Git churn cache is incremental. .fallow/churn.bin now stores per-commit events keyed by last_indexed_sha. When HEAD advances from the cached SHA, fallow runs git log <cached>..HEAD --numstat and merges the delta into the cached state instead of re-shelling out for the entire churn window. CI runs that fallow on every push and pre-commit hooks now hit the cache for the bulk of the work, paying only the marginal-commit cost. The cold path is unchanged. The cache automatically invalidates when the --since window changes or when cache.last_indexed_sha is no longer reachable from the current HEAD (force-push, branch switch). Thanks @​OmerGronich for the report. (Closes #258)
  • --performance table includes the duplication stage. The Pipeline Performance table on fallow --performance (combined mode) now prints a duplication: <ms> row alongside the other stages instead of leaving the cost as an easy-to-miss parenthetical in the body output. The dead-code-only and dupes-only timing breakdowns are unchanged. Thanks @​OmerGronich for the report. (Closes #257)

Fixed

  • circular-dependency line-level inline directives now actually suppress. // fallow-ignore-next-line circular-dependency on the offending import line previously landed in stale_suppressions and the cycle still appeared in the output, even though fallow dead-code --format json recommended exactly that comment in actions[]. The directive now decrements the cycle count as expected, and IDE/CLI consumers of the recommended actions[] produce working patches instead of silent no-ops. Singular and plural slug aliases (circular-dependency vs circular-dependencies) are now interchangeable across inline directives, rules, and overrides[].rules, so the wrong-form / right-form mismatch between surfaces is resolved. Thanks @​pippenz for the report. (Closes #256)
  • Bare () => import('./X') route callbacks credit the default export. Object-literal properties named component, loadChildren, or loadComponent whose value is () => import('./X') (or a function-expression equivalent) now credit the target module's default export as used, even when no .then(m => m.default) is spelled. The control case (.then(m => m.default)) was already covered. Fixes the unused-export false positive on the standard Angular Router (loadChildren: () => import('./feature.routes')) and Vue Router (component: () => import('./View.vue')) lazy-loading shapes. The property-name list is an exact whitelist; other property names with the same shape (e.g. loader, Component) are not credited. Thanks @​OmerGronich for the report. (Closes #253)
  • CSS @import 'pkg/subpath.css' resolves through node_modules for both relative and bare specifiers. Tailwind v4 @import 'tailwindcss/theme.css' and @import 'tailwindcss/utilities.css' patterns no longer surface as unresolved imports or as unused-dependency on tailwindcss. The CSS extractor preserves the package subpath, the resolver now probes the npm package's subpath via the standard node_modules walk-up, and the dependency credit flows through the resolved hit.

[2.61.0] - 2026-05-01

Added

  • GraphQL document #import edges follow into the module graph. .graphql and .gql files are now discovered as source files, and lines matching #import "./fragment.graphql" (or # import '../shared/fragment.gql') emit SideEffect imports so fragment and schema documents reachable only through GraphQL import comments stay connected. Only relative string specifiers (./, ../) are extracted; package-style imports are left to the resolver. Extensionless relative imports probe .graphql and .gql automatically. Thanks @​lsbyerley for the report. (Closes #250)
  • Vitest vi.mock() credits the __mocks__/ sibling. vi.mock('./services/api') now synthesizes a dynamic namespace import of ./services/__mocks__/api, crediting the auto-mock sibling file (and all of its exports) as used so vitest's __mocks__/<file> convention does not surface as unused-file. Handles string-literal sources, expressionless template literals, and the vi.mock(import('./api')) argument form. Path-alias prefixes (@/src/...) are preserved so the importer's tsconfig aliases resolve the synthetic specifier. Bare-package mocks paired with a project-root __mocks__/<pkg>.ts and Jest's jest.mock(...) are intentionally out of scope. Thanks @​boroth for the report. (Closes #251)

Fixed

  • Angular 14+ inject() field-initializer DI is recognized. Class fields written private readonly inner = inject(InnerService) (or inject<InnerService>()) now register this.inner -> InnerService so any this.inner.member chain credits member as used on InnerService. Previously every member of an inject()-acquired service consumed only via the field chain was reported as unused-class-member; the legacy constructor-parameter form was unaffected. The inject callee is gated by a named-import check against @angular/core, so a same-named inject from any other module is intentionally ignored. Thanks @​OmerGronich for the report. (Closes #244)
  • Playwright POM fixture members consumed only through typed base.extend<T>(...) definitions are now credited. Methods on a Page Object Model class that are referenced exclusively from a Playwright test('name', async ({ adminPage }) => { adminPage.method() }) callback no longer surface as unused-class-members. Fixture definitions accept a named type alias (type MyFixtures = { adminPage: AdminPage }), an inline type literal, or any intersection / parenthesized form thereof; the analyzer correlates each typed fixture with the matching callback-side member access and credits the method on the defining POM class. The base.extend callee is gated against @playwright/test-named imports so the same identifier from any other module is intentionally ignored. Thanks @​vethman for the report. (Closes #246)

... (truncated)

Commits
  • 509b5fe chore: release v2.63.0
  • 18afe8f ci(githooks): use rustup run nightly cargo miri instead of cargo +nightly
  • 1bf581f test(napi): expect json schema version 5
  • 9726715 fix(eslint): trace flat-config plugin imports through workspace-internal conf...
  • 369054b test(plugins): close coverage and macro gaps from #263 / #265 review
  • 49cf01e feat(vitest): recognize mocks specifiers as virtual (#265)
  • 1438939 fix(plugins): treat dynamic(import().then(m => m.X)) as re-export (#263)
  • 3b35832 fix: repair health score scaling and css style exports
  • 371fc4b refactor(scripts): share could_be_file_path with parse_scripts (#264)
  • db70a40 fix(scripts): harden CI YAML scanner against shell/regex fragment misclassifi...
  • Additional commits viewable in compare view

Updates animejs from 4.3.6 to 4.4.1

Release notes

Sourced from animejs's releases.

v4.4.1

Bug fix

  • Fix a regression introduced in 4.4.0 with timeline .call() not triggering properly in some cases.

v4.4.0

Breaking Changes

  • Transforms
    • Transforms now follow a fixed render order (perspective > translate > rotate > scale > skew), regardless of the order they are defined in animation parameters:
      // Before: scale rendered first because it was defined first
      animate(el, { scale: 2, translateX: 100 }) // → scale(2) translateX(100px)
      // After: order is always fixed
      animate(el, { scale: 2, translateX: 100 }) // → translate(100px, 0px) scale(2)
    • matrix and matrix3d can no longer be animated directly (they are still preserved when read from inline styles and can be set using transform: 'matrix(...)')
  • Function-based values
    • The third argument of function-based value callbacks changed from total (Number) to targets (Array). To migrate, replace total with targets.length:
      // Before
      translateX: (target, index, total) => total * 10
      // After
      translateX: (target, index, targets) => targets.length * 10
    • A fourth argument prevTween is now passed to function-based value callbacks, providing access to the previous sibling tween's computed end value for the same target and property.
  • Stagger
    • The stagger callback signature changed to match function-based values: the third argument is now the targets array instead of the total count:
      // Before
      delay: stagger(100, { use: (target, i, total) => total - i })
      // After
      delay: stagger(100, { use: (target, i, targets) => targets.length - i })

New Features

  • scrambleText
  • Stagger
    • New grid: true auto-grid mode that computes a 2D layout from element positions or JS object coordinates ({x, y}) instead of requiring explicit [columns, rows] dimensions
    • The from parameter now accepts [x, y] normalized coordinate arrays (0 to 1) for precise grid origin control
  • Timer / Animation / Timeline
    • New priority parameter to control execution order within the engine tick loop
  • Transforms
    • Adjacent axis properties are now grouped into CSS shorthand for shorter transform strings:
      • translateX + translateY → translate(x, y)
      • translateX + translateY + translateZ → translate3d(x, y, z)
      • scaleX + scaleY → scale(x, y)

... (truncated)

Commits

Updates @sveltejs/kit from 2.58.0 to 2.59.0

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.59.0

Minor Changes

  • feat: support query.batch in requested(...) (#15751)

  • breaking: on the server, make the promise returned from refresh represent adding the refresh to the map, not the time it takes to run the remote function (#15705)

  • feat: experimental query.live function (#15705)

Patch Changes

  • fix: unwrap Promise in RemoteCommand output type (#15771)

  • fix: empty call to .updates() on a command/form invocation means "don't update anything" (#15705)

  • fix: form.fields.foo.as('checkbox', default_value) now works (#15752)

  • fix: remote forms with default values defined by field.as('text', defaultValue) now correctly reset to the provided default values once submitted (#15753)

  • fix: make sure queries always get started correctly (#15705)

  • fix: allow plain functions as overrides in updates (#15705)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.59.0

Minor Changes

  • feat: support query.batch in requested(...) (#15751)

  • breaking: on the server, make the promise returned from refresh represent adding the refresh to the map, not the time it takes to run the remote function (#15705)

  • feat: experimental query.live function (#15705)

Patch Changes

  • fix: unwrap Promise in RemoteCommand output type (#15771)

  • fix: empty call to .updates() on a command/form invocation means "don't update anything" (#15705)

  • fix: form.fields.foo.as('checkbox', default_value) now works (#15752)

  • fix: remote forms with default values defined by field.as('text', defaultValue) now correctly reset to the provided default values once submitted (#15753)

  • fix: make sure queries always get started correctly (#15705)

  • fix: allow plain functions as overrides in updates (#15705)

Commits

Updates @lucide/svelte from 1.11.0 to 1.14.0

Release notes

Sourced from @​lucide/svelte's releases.

Version 1.14.0

What's Changed

Full Changelog: lucide-icons/lucide@1.13.0...1.14.0

Version 1.13.0

What's Changed

Full Changelog: lucide-icons/lucide@1.12.0...1.13.0

Version 1.12.0

What's Changed

Full Changelog: lucide-icons/lucide@1.10.0...1.12.0

Commits

Updates bits-ui from 2.18.0 to 2.18.1

Release notes

Sourced from bits-ui's releases.

bits-ui@2.18.1

Patch Changes

  • fix(text-selection-layer): snapshot enabled and pointer handlers for listeners (#2041)

  • fix(Tooltip): set wrapper pointer-events when hoverable content is disabled (#2041)

  • fix(Menu): prevent page scroll-jump on item hover when scroll-padding is set (#2035)

Commits
  • 25f8137 Version Packages (#2042)
  • 158364e fix(menu): use preventScroll when focusing items on hover and content on item...
  • 5a3f7ce fix(Tooltip): pointer event handling (#2041)
  • 788fc03 chore: update workflows to Node 24 and latest action versions (#2032)
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the npm-deps group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [fallow](https://github.com/fallow-rs/fallow) | `2.52.0` | `2.63.0` |
| [animejs](https://github.com/juliangarnier/anime) | `4.3.6` | `4.4.1` |
| [@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit) | `2.58.0` | `2.59.0` |
| [@lucide/svelte](https://github.com/lucide-icons/lucide/tree/HEAD/packages/svelte) | `1.11.0` | `1.14.0` |
| [bits-ui](https://github.com/huntabyte/bits-ui) | `2.18.0` | `2.18.1` |


Updates `fallow` from 2.52.0 to 2.63.0
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.52.0...v2.63.0)

Updates `animejs` from 4.3.6 to 4.4.1
- [Release notes](https://github.com/juliangarnier/anime/releases)
- [Commits](juliangarnier/anime@v4.3.6...v4.4.1)

Updates `@sveltejs/kit` from 2.58.0 to 2.59.0
- [Release notes](https://github.com/sveltejs/kit/releases)
- [Changelog](https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.59.0/packages/kit)

Updates `@lucide/svelte` from 1.11.0 to 1.14.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.14.0/packages/svelte)

Updates `bits-ui` from 2.18.0 to 2.18.1
- [Release notes](https://github.com/huntabyte/bits-ui/releases)
- [Commits](https://github.com/huntabyte/bits-ui/compare/bits-ui@2.18.0...bits-ui@2.18.1)

---
updated-dependencies:
- dependency-name: fallow
  dependency-version: 2.63.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: animejs
  dependency-version: 4.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: "@sveltejs/kit"
  dependency-version: 2.59.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: "@lucide/svelte"
  dependency-version: 1.14.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: bits-ui
  dependency-version: 2.18.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and javascript labels May 4, 2026

asciimoo commented May 4, 2026

Seems like no supply chain attacks are introduced.

@asciimoo asciimoo merged commit fca5e9a into master May 4, 2026
7 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm-deps-e7fd40142a branch May 4, 2026 17:10