chore(deps-dev): bump the dev-dependencies group across 1 directory with 5 updates

[dependabot]

Bumps the dev-dependencies group with 5 updates in the /src directory:

Package	From	To
@biomejs/biome	2.4.15	2.4.16
@nestjs/testing	11.1.23	11.1.24
@vitest/coverage-v8	4.1.7	4.1.8
nx	22.7.2	22.7.5
vitest	4.1.7	4.1.8

Updates @biomejs/biome from 2.4.15 to 2.4.16

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.16

2.4.16

Patch Changes

• #10329 ef764d5 Thanks @​Conaclos! - Fixed an issue where diagnostics showed an incorrect location in Astro files.

• #10363 50aa415 Thanks @​dyc3! - Fixed HTML formatting for a case where comments could cause the formatter to split up a closing tag, which would cause the resulting HTML to be syntactically invalid.

  Input:

  <span
    ><!-- 1
  --><span>a</span
    ><!-- 2
  --><span>b</span
    ><!-- 3
  --></span>

  Output:

    <span
  	  ><!-- 1
  - --> <span>a</span<!-- 2
  - --> ><span>b</span><!-- 3
  + --><span>a</span><!-- 2
  + --><span>b</span><!-- 3
    --></span
    >

• #10465 0c718da Thanks @​dfedoryshchev! - Fixed diagnostics emitted by the noUntrustedLicenses rule.

• #10358 05c2617 Thanks @​dyc3! - Fixed #10356: biome rage --linter now displays rules enabled through linter domains in the enabled rules list.

• #10300 950247c Thanks @​dyc3! - Fixed #10265: Svelte function bindings such as bind:value={get, set} are now parsed more precisely, so noCommaOperator won't emit false positives for that syntax anymore.

• #9786 e71f584 Thanks @​MeGaNeKoS! - Fixed #8480: useDestructuring now provides variableDeclarator and assignmentExpression options to control which contexts enforce destructuring, matching ESLint's prefer-destructuring configuration. Both default to {array: true, object: true}. The diagnostic for object destructuring in assignment expressions now instructs users to wrap the assignment in parentheses.

• #10425 1948b72 Thanks @​sjh9714! - Fixed #10244: The useOptionalChain rule now detects negated guard inequality chains like !foo || foo.bar !== "x".

• #10442 001f94f Thanks @​ematipico! - Fixed #10411: noMisusedPromises no longer causes a stack overflow when a nested function returns an object with shorthand properties that shadow destructured variables from an outer scope.

• #10318 9b1577f Thanks @​dyc3! - Added support for formatter.trailingCommas in overrides. This option was previously available in the top-level formatter configuration but missing from formatter overrides.

• #10319 2e37709 Thanks @​dyc3! - Fixed Vue and Svelte formatting for standalone interpolations in inline elements. Biome now preserves existing newlines in cases like:

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.16

Patch Changes

• #10329 ef764d5 Thanks @​Conaclos! - Fixed an issue where diagnostics showed an incorrect location in Astro files.

• #10363 50aa415 Thanks @​dyc3! - Fixed HTML formatting for a case where comments could cause the formatter to split up a closing tag, which would cause the resulting HTML to be syntactically invalid.

  Input:

  <span
    ><!-- 1
  --><span>a</span
    ><!-- 2
  --><span>b</span
    ><!-- 3
  --></span>

  Output:

    <span
  	  ><!-- 1
  - --> <span>a</span<!-- 2
  - --> ><span>b</span><!-- 3
  + --><span>a</span><!-- 2
  + --><span>b</span><!-- 3
    --></span
    >

• #10465 0c718da Thanks @​dfedoryshchev! - Fixed diagnostics emitted by the noUntrustedLicenses rule.

• #10358 05c2617 Thanks @​dyc3! - Fixed #10356: biome rage --linter now displays rules enabled through linter domains in the enabled rules list.

• #10300 950247c Thanks @​dyc3! - Fixed #10265: Svelte function bindings such as bind:value={get, set} are now parsed more precisely, so noCommaOperator won't emit false positives for that syntax anymore.

• #9786 e71f584 Thanks @​MeGaNeKoS! - Fixed #8480: useDestructuring now provides variableDeclarator and assignmentExpression options to control which contexts enforce destructuring, matching ESLint's prefer-destructuring configuration. Both default to {array: true, object: true}. The diagnostic for object destructuring in assignment expressions now instructs users to wrap the assignment in parentheses.

• #10425 1948b72 Thanks @​sjh9714! - Fixed #10244: The useOptionalChain rule now detects negated guard inequality chains like !foo || foo.bar !== "x".

• #10442 001f94f Thanks @​ematipico! - Fixed #10411: noMisusedPromises no longer causes a stack overflow when a nested function returns an object with shorthand properties that shadow destructured variables from an outer scope.

• #10318 9b1577f Thanks @​dyc3! - Added support for formatter.trailingCommas in overrides. This option was previously available in the top-level formatter configuration but missing from formatter overrides.

• #10319 2e37709 Thanks @​dyc3! - Fixed Vue and Svelte formatting for standalone interpolations in inline elements. Biome now preserves existing newlines in cases like:

... (truncated)

Commits

• 5f4ea56 ci: release (#10326)
• de2a33c fix(core): regression in emitted types (#10478)
• d835303 docs: remove redundant default phrase in useConsistentObjectDefinitions rul...
• 4f1aaf2 fix: incorrect build when using build or test (#10426)
• dc73b6b refactor: make plugins opt-in via feature gate (#10418)
• e71f584 feat(useDestructuring): add options for assignment/declaration and improve di...
• 9b1577f fix(config): support trailingCommas in overrides (#10318)
• See full diff in compare view

Updates @nestjs/testing from 11.1.23 to 11.1.24

Release notes

Sourced from @​nestjs/testing's releases.

v11.1.24 (2026-05-25)

Bug fixes

• core
  • #17009 fix(core): reset dependency-tree cache on metadata changes (@​puneetdixit200)

Enhancements

• core
  • #16997 feat(core): warn on late websocket adapter registration (@​hbinhng)

Dependencies

• platform-ws
  • #17011 chore(deps): bump ws from 8.20.1 to 8.21.0 (@​dependabot[bot])

Committers: 2

• Nguyễn Hải Bình (@​hbinhng)
• Puneet Dixit (@​puneetdixit200)

Commits

• d8a0ab8 chore(release): publish v11.1.24 release
• 2dccece chore: update readmes
• See full diff in compare view

Updates @vitest/coverage-v8 from 4.1.7 to 4.1.8

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

Commits

• e61f2dd chore: release v4.1.8
• e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• See full diff in compare view

Updates nx from 22.7.2 to 22.7.5

Release notes

Sourced from nx's releases.

22.7.5 (2026-05-27)

🩹 Fixes

• core: update tmp to 0.2.6 due to CVE-2026-44705 (#35813)

❤️ Thank You

• Jack Hsu @​jaysoo

22.7.4 (2026-05-25)

🩹 Fixes

• core: update brace-expansion and yaml (#35790)

❤️ Thank You

• Jack Hsu @​jaysoo

22.7.3 (2026-05-22)

🚀 Features

• js: support pnpm 11.2.2 (#35772)

🩹 Fixes

• angular: only add @​oxc-project/runtime on the vitest-analog path (#35734)
• angular-rspack: exclude eslint config from tailwind v4 source scan (#35663)
• core: warn before installing unknown npm packages as preset (#35644)
• core: preserve input order in createNodes plugin results (#35595)
• core: resolve local plugin subpath imports from source (#35631)
• core: treat undefined task parallelism as parallel when scheduling (#35736)
• core: handle object form of bin field in getPrettierPath (#35680)
• core: detect vscode copilot ai agent (#35757)
• core: allow local plugin subpath imports without custom conditions (#35751, #35631)
• dotnet: include Directory.. files in inputs (#35738)
• gradle: add transitive:true to all tasks (#35677)
• gradle: pin generated e2e project toolchain to installed JDK (#35703)
• js: fall back to npm publish when bun publish fails with auth error (#35756)
• linter: improve convert-to-flat-config output fidelity (#35330)
• linter: only rewrite workspace-package peer deps to workspace:* (#35423, #35318, #33417)
• misc: stop inferring projects: 'self' in dependsOn entries (#35686)
• misc: skip $ escaping in file paths on windows (#35692)
• repo: run dotnet restore before publish (#35771)
• repo: run dotnet restore before macos e2e job (#35774)
• rsbuild: infer build outputs from distPath.root directly (#35707)
• rsbuild: lazy-require @​rsbuild/core in plugin so spec mocks work after jest.resetModules (#35707)
• testing: correct yargs-parser import in getJestProjectsAsync (#35672, #35654)

... (truncated)

Commits

• dc849bb fix(core): update brace-expansion and yaml (#35790)
• 8fd1feb fix(core): allow local plugin subpath imports without custom conditions (#35751)
• 22f3c2e fix(core): detect vscode copilot ai agent (#35757)
• 0d18512 fix(misc): skip $ escaping in file paths on windows (#35692)
• 7c1318f fix(core): handle object form of bin field in getPrettierPath (#35680)
• a3acfd6 fix(core): treat undefined task parallelism as parallel when scheduling (#35736)
• c574207 cleanup(core): drop stale @​nrwl dedup TODO in nx report (#35730)
• 0d002ec fix(core): resolve local plugin subpath imports from source (#35631)
• b58ccd8 fix(core): preserve input order in createNodes plugin results (#35595)
• See full diff in compare view

Updates vitest from 4.1.7 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

Commits

• e61f2dd chore: release v4.1.8
• e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• See full diff in compare view

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	nx@​22.7.2 ⏵ 22.7.5			+1
	vitest@​4.1.7 ⏵ 4.1.8
	@​vitest/​coverage-v8@​4.1.7 ⏵ 4.1.8
	@​nestjs/​testing@​11.1.23 ⏵ 11.1.24	+1			+1
	@​biomejs/​biome@​2.4.15 ⏵ 2.4.16	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm nx is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: src/package.json → npm/nx@22.7.5 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/nx@22.7.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report