chore(deps): bump the npm-deps group with 5 updates #39

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm-deps-31c30ee11d

dependabot Bot commented on behalf of github Jun 25, 2026

Bumps the npm-deps group with 5 updates:

Package            From     To
@hono/node-server  2.0.4    2.0.5
better-auth        1.6.16   1.6.19
hono               4.12.25  4.12.26
eslint             10.4.1   10.5.0
fallow             2.92.1   2.99.0

Updates @hono/node-server from 2.0.4 to 2.0.5

Release notes

Sourced from @​hono/node-server's releases.

v2.0.5

Security Fix

Fixed a security issue in Serve Static Middleware where prefix-mounted middleware could be bypassed on Windows. This only affects applications running on Windows that use Serve Static Middleware. Affected users are encouraged to upgrade to this version.

See GHSA-frvp-7c67-39w9 for details.

Updates better-auth from 1.6.16 to 1.6.19

Release notes

Sourced from better-auth's releases.

v1.6.19

better-auth

Features

  • Added support for pre-binding device codes to a specific user in the device authorization plugin (#9995)

Bug Fixes

  • Fixed headerless session checks (#10053)
  • Fixed cookie cache fallback lookup (#9348)
  • Fixed sendVerificationEmail errors not being surfaced to the client (#8863)
  • Fixed auth client return types not being emitted correctly in TypeScript declaration builds (#10071)
  • Fixed session and account cache cookies being silently dropped when near the browser's per-cookie size limit by splitting them into chunks (#10088)
  • Fixed single-use verification flows (such as magic-link) hanging on connection-limited database adapters by reusing active transactions (#10070)
  • Fixed the domain not being included when clearing cross-subdomain cookies in the last-login-method plugin (#9319)
  • Fixed the oauth-popup plugin leaking internal OAuth state keys into additionalData (#10067)
  • Reverted the headerless session check fix (#10074)

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • Fixed the generate command not handling a directory path passed to --output (#9564)
  • Fixed array additionalField default values not being serialized correctly in the Drizzle schema generator (#10048)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

  • Fixed password reset tokens not working with the Drizzle MySQL adapter after being consumed (#10081)

For detailed changes, see CHANGELOG

@better-auth/mongo-adapter

Bug Fixes

  • Fixed guarded state transitions (token rotation, revocation, two-factor backup-code regeneration, device-code claiming, and organization invitation acceptance) failing on Prisma and on MongoDB servers older than 5.0 (#10086)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.19

Patch Changes

  • #10088 de4aa52 Thanks @​bytaesu! - Session and account cache cookies near the browser's per-cookie size limit (for example with a long cookiePrefix or many cached fields) are now split into chunks instead of being silently dropped by the browser. A cache too large to fit even when chunked is skipped with a warning rather than failing the request, so reads fall back to the database.

  • #9995 b4b0266 Thanks @​ElGauchooooo! - The device authorization plugin now accepts an optional user_id when issuing a device code via /device/code, pre-binding the code to that user. Only the bound user can approve or deny the code, so a publicly visible user code can no longer be claimed by someone else.

  • #10086 5bd5e1c Thanks @​gustavovalverde! - Refresh-token rotation and token revocation, two-factor backup-code regeneration, device-code claiming, and organization invitation acceptance now work on Prisma. Concurrent or repeat requests in these flows could previously return an error on Prisma instead of the expected result.

    On MongoDB servers older than 5.0, these flows and other guarded value updates (rate-limit window resets, API-key refills) no longer fail with an empty-update error.

    @better-auth/core: incrementOne now reports a clear error when called with no increment and no set.

  • #9319 581f827 Thanks @​ping-maxwell! - fix(last-login-method): include domain when clearing cross-subdomain cookies

  • #10067 8407885 Thanks @​bytaesu! - The oauth-popup plugin now ignores internal OAuth state fields passed through its additionalData parameter, so additionalData only ever carries your own custom values.

  • #9555 c1a8a64 Thanks @​ChrisMGeo! - Fix invalid OpenAPI output for Better Auth callback, session, and passkey routes so client generators can consume the schema.

  • #10071 635f190 Thanks @​gustavovalverde! - Auth clients exported from wrapper packages can now be emitted in TypeScript declaration builds without extra type annotations.

  • #10070 a787e0b Thanks @​gustavovalverde! - Single-use verification flows no longer hang on database adapters that use a one-connection pool. This fixes magic-link verification and similar token checks in connection-limited serverless database setups.

  • #9348 c2f718f Thanks @​ping-maxwell! - fix: cookie cache fallback lookup

  • #8863 7d18175 Thanks @​ping-maxwell! - sendVerificationEmail was invoked via runInBackgroundOrAwait, which could defer work when advanced.backgroundTasks.handler is configured (so the handler could return 200 before the email callback finished) and, in the default path, caught and logged errors without rethrowing. User callbacks that throw APIError (e.g. 429 from a rate limiter) were therefore not reliably reflected in the HTTP response (better-auth/better-auth#8757).

    Now we await sendVerificationEmailFn so failures surface to the client with the correct status. The unauthenticated /send-verification-email path enforces a constant-time floor (500 ms) so that the response duration does not reveal whether the email belongs to a real unverified user.

  • Updated dependencies [0895993, 5bd5e1c, a787e0b]:

    • @​better-auth/drizzle-adapter@​1.6.19
    • @​better-auth/core@​1.6.19
    • @​better-auth/mongo-adapter@​1.6.19
    • @​better-auth/kysely-adapter@​1.6.19
    • @​better-auth/memory-adapter@​1.6.19
    • @​better-auth/prisma-adapter@​1.6.19
    • @​better-auth/telemetry@​1.6.19

1.6.18

Patch Changes

  • #9315 9ef7240 Thanks @​GautamBytes! - fix OpenAPI requestBody generation for intersected and default-wrapped body schemas

  • #9583 b21a5f7 Thanks @​GautamBytes! - Fix plugin-provided client methods and additional session fields not being inferred in composite monorepos.

  • Updated dependencies [b21a5f7]:

    • @​better-auth/core@​1.6.18
    • @​better-auth/drizzle-adapter@​1.6.18

... (truncated)

Commits
  • ac4d81d chore: release v1.6.19 (#10034)
  • 1e69725 docs: clarify stateless Cognito token refresh (#10092)
  • de4aa52 fix(cookies): chunk session and account cookies near the browser size limit (...
  • 5bd5e1c fix: make guarded state transitions portable on Prisma (#10086)
  • 36f345b revert: fix: allow headerless get session checks (#10053) (#10074)
  • 635f190 fix(client): name auth client return types (#10071)
  • d009dae fix: allow headerless get session checks (#10053)
  • 8407885 fix(oauth-popup): filter internal state keys from additionalData (#10067)
  • c2f718f fix: cookie cache fallback lookup (#9348)
  • 581f827 fix(last-login-method): include domain when clearing cross-subdomain cookies ...
  • Additional commits viewable in compare view

Updates hono from 4.12.25 to 4.12.26

Release notes

Sourced from hono's releases.

v4.12.26

What's Changed

Full Changelog: honojs/hono@v4.12.25...v4.12.26

Commits
  • 27b7992 4.12.26
  • d29982c chore: replace arg and glob with Bun native APIs in build script
  • 16215d5 chore: remove unused devcontainer and gitpod configs (#5029)
  • c574cf1 ci: publish to npm from CI with OIDC trusted publishing (#5028)
  • e50df01 fix(lambda-edge): satisfy Deno lib types for Content-Length body encoding (#5...
  • See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hono since your current version.


Updates eslint from 10.4.1 to 10.5.0

Release notes

Sourced from eslint's releases.

v10.5.0

Features

  • 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#20973) (Pixel998)
  • b565783 feat: report no-with violations at the with keyword (#20971) (Pixel998)
  • 2ce032f feat: report max-lines-per-function violations at function head (#20966) (Pixel998)
  • 732cb3e feat: report max-nested-callbacks violations at function head (#20967) (Pixel998)
  • f9c138a feat: report max-depth violations on keywords (#20943) (Pixel998)
  • bdb496c feat: correct max-depth handling for else-if chains (#20944) (Pixel998)
  • c296873 feat: update error loc in max-statements to function header (#20907) (Taejin Kim)

Documentation

  • 8ae1b5b docs: Update README (GitHub Actions Bot)
  • ca7eb90 docs: update Node.js prerequisites to include ICU support (#20962) (Francesco Trotta)
  • f99b47a docs: Update README (GitHub Actions Bot)
  • acf03d4 docs: clarify precedence of parserOptions over languageOptions (#20926) (sethamus)

Chores

  • b18bf58 chore: update ecosystem plugins (#20959) (ESLint Bot)
  • c2d1444 refactor: replace areAllSegmentsUnreachable with !isAnySegmentReachable (#20951) (Taejin Kim)
  • 243b8c5 chore: enhance config-rule to support oneOf, anyOf, and nested schemas (#20788) (kuldeep kumar)
  • 217b2a9 test: add unit tests for ParserService (#20949) (Taejin Kim)
  • 72003e7 test: add location information to error messages in max-statements (#20945) (lumir)
  • 7797c26 refactor: deduplicate isAnySegmentReachable across rules (#20890) (Taejin Kim)
  • 67c46fa chore: update ecosystem plugins (#20938) (ESLint Bot)
  • 95d8c7a chore: update dependency @​eslint/json to v2 (#20934) (renovate[bot])
  • cf9e496 chore: update @​arethetypeswrong/cli to 0.18.3 (#20933) (Pixel998)
  • fb6d396 test: run type tests with TypeScript 7 (#20868) (sethamus)

Updates fallow from 2.92.1 to 2.99.0

Release notes

Sourced from fallow's releases.

v2.99.0: opt-in suppression reasons

This release adds opt-in suppression hygiene and fixes three reported issues across detection accuracy, the editor extension, and catalog support.

Features

Require a documented reason on suppressions

A new opt-in require-suppression-reason rule lets teams enforce that every suppression carries a written justification. Suppression comments and @expected-unused JSDoc tags can now take a trailing -- <reason>:

    // fallow-ignore-next-line unused-export -- public compatibility export
    export const legacyHelper = () => {};
    // fallow-ignore-file -- generated route map

The reason text is parsed, cached, and carried through to suppression hygiene reporting. The default is off, so existing suppressions are unaffected. Set rules.require-suppression-reason to "warn" or "error" and any fallow-ignore-* comment or @expected-unused tag without a reason surfaces as a missing-suppression-reason finding so the team can backfill it. Reported across human, JSON, SARIF, CodeClimate, audit, and baseline output plus the LSP and editors. Thanks @​codingthat for the request. (Closes #1302)

Bug fixes

  • Nested same-file schema values no longer false-positive as unused. When an exported value is composed into another reachable exported schema in the same file (for example Schema.Array(Foo)), the child value is now credited through the parent, while unrelated unused sibling schemas still report. Thanks @​danielo515 for the report. (Closes #1304)

  • The VS Code / VS Codium extension no longer shows inflated totals on startup. On a cold start the extension could consume the LSP's first workspace analysis before any document had opened, leaving a stale, too-high count until the next edit. Startup analysis now waits for the first opened document, and a save-triggered analysis queues behind an in-flight startup run instead of being dropped. Thanks @​codingthat for the report. (Closes #1303)

  • Catalog rules now read Bun catalogs from the root package.json. Bun workspaces that declare catalog entries under workspaces.catalog / workspaces.catalogs (or Bun's top-level catalog / catalogs form) now get the same unresolved-catalog-references, unused-catalog-entries, and empty-catalog-groups coverage as pnpm workspaces. Fallow still prefers pnpm-workspace.yaml when present. Thanks @​codingthat for the report. (Closes #1301)

Full Changelog: fallow-rs/fallow@v2.98.0...v2.99.0

v2.98.0: Angular component IO, Svelte events, Vue/Svelte template complexity

Highlights

This release deepens framework-aware dead-code and complexity analysis across Angular, Vue, and Svelte, and widens React Server Component checks beyond Next.js.

Added

Framework dead-code coverage

  • Angular component inputs and outputs. Two new rules, unused-component-input and unused-component-output (both warn), flag an @Input() / signal input() / model() read nowhere in its own component (template or class body) and an @Output() / signal output() that is .emit()-ed nowhere. This is the in-component dead-IO direction no Angular tool covers. Validated at zero false positives on the angular/components monorepo. Requires @angular/core.
  • Svelte component events. A new unused-svelte-event rule (warn) flags a Svelte createEventDispatcher event listened to by no component anywhere in the project. This is the cross-file dead-output direction the compiler and svelte-check (single-file or type-only) do not cover. Validated at zero false positives on a large Svelte monorepo. Requires svelte.
  • unrendered-component now covers Angular. An @Component whose element selector is rendered in no template, and that is not routed, bootstrapped, or dynamically rendered, is flagged project-wide. Abstains when the project uses any dynamic component-render API. Requires @angular/core.
  • unprovided-inject now covers Angular. An InjectionToken injected via inject(TOKEN) or @Inject(TOKEN) that no provider supplies anywhere (a runtime NullInjectorError) is flagged. Scopes to user InjectionToken symbols and abstains on optional injects, package-imported tokens, public-API tokens, and opaque provider graphs. Requires @angular/core.
  • unused-component-prop / unused-component-emit now cover the Vue Options API. props: and emits: declared on export default { ... } / defineComponent({ ... }) in a non-<script setup> block are now checked, with usage credited from this.<prop> reads, templates, and this.$emit(...). Abstains on mixins/extends, dynamic access, and opaque shapes.
  • unused-server-action now covers inline "use server" body directives. A dead export async function deleteUser() { "use server"; ... } is now reclassified to unused-server-action instead of surfacing as a plain unused-export. Inherits every unused-export abstain. Stays Next-gated and warn-level.

React Server Components beyond Next.js

  • misplaced-directive and mixed-client-server-barrel now activate for any RSC bundler. Both rules encode universal RSC semantics, so they now fire for next, waku, @lazarv/react-server, react-server-dom-webpack, react-server-dom-vite, react-server-dom-parcel, and @vitejs/plugin-rsc, not just Next. The Next-specific rules (invalid-client-export, unused-server-action) stay Next-gated on purpose.

Complexity

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.99.0] - 2026-06-18

Added

  • A new opt-in require-suppression-reason rule lets teams require a documented reason on every suppression. Suppression comments and @expected-unused JSDoc tags can now carry a trailing -- <reason>, for example // fallow-ignore-next-line unused-export -- public compatibility export or // fallow-ignore-file -- generated route map. The reason text is parsed, cached, and carried through to stale-suppression reporting. With the rule enabled (set rules.require-suppression-reason to warn or error; the default is off, so existing suppressions are unaffected), a suppression that has no reason surfaces as a missing-suppression-reason finding so the team can backfill it. Reported across human, JSON, SARIF, CodeClimate, audit, and baseline output plus the LSP and editors. Thanks @​codingthat for the request. (Closes #1302.)

Fixed

  • Nested same-file schema values no longer report as unused when a reachable exported value depends on them. Effect Schema projects commonly pair export const Foo = Schema... with export type Foo = Schema.Schema.Type<typeof Foo>, then compose that value into another exported schema through Schema.Array(Foo). Fallow now walks reachable same-file exported value initializers so the child schema value is credited through the parent schema, while unrelated unused sibling schemas still report. Thanks @​danielo515 for the report. (Closes #1304.)

  • The VS Code / VS Codium extension no longer shows inflated totals on startup. On a cold editor start the extension could consume the LSP's first workspace analysis before any document had opened, rendering a stale, too-high issue count until the next edit. Startup analysis now waits for the first opened document, and a save-triggered analysis queues behind an in-flight startup run instead of being dropped. Thanks @​codingthat for the report. (Closes #1303.)

  • Catalog rules now read Bun catalogs from root package.json. Bun workspaces that declare catalog entries under workspaces.catalog / workspaces.catalogs (or Bun's accepted top-level catalog / catalogs form) now get the same unresolved-catalog-references, unused-catalog-entries, and empty-catalog-groups coverage as pnpm workspaces with pnpm-workspace.yaml. Fallow still prefers pnpm-workspace.yaml when it exists, preserving existing pnpm behavior. Thanks @​codingthat for the report. (Closes #1301.)

[2.98.0] - 2026-06-17

Added

  • Framework dead-code findings now lead with manual fix actions. unused-server-action, unprovided-inject, unused-load-data-key, unrendered-component, unused-component-prop, unused-component-emit, and unused-svelte-event now put a domain-specific manual fix action first in JSON actions[] instead of leading with suppression only. The actions stay non-auto-fixable and preserve the existing suppress action as the second option, so agents get clearer next steps while public API and dynamic-wiring caveats stay explicit. Human and markdown health output also labels synthetic <template> rows as template-complexity entries and switches the section wording to "complexity findings" when template or component rollup rows are present. Machine-readable complexity formats keep the canonical <template> name for compatibility.

  • The misplaced-directive and mixed-client-server-barrel rules now cover React Server Components frameworks beyond Next.js. Both rules encode universal RSC semantics, a body-position "use client" / "use server" string is silently ignored by every RSC bundler (not just Next), and a barrel that re-exports both a client module and a server-only module drags directive context across the boundary in any RSC framework. They previously activated only when next was a declared dependency; they now activate for any RSC bundler: next, waku, @lazarv/react-server, react-server-dom-webpack, react-server-dom-vite, react-server-dom-parcel, or @vitejs/plugin-rsc. The two Next-specific rules stay Next-gated on purpose: invalid-client-export keys on Next route-segment config names (getServerSideProps, the route HTTP-method exports) and unused-server-action keys on Next Server Action registration. No config or output change.

  • The unused-server-action rule now covers inline "use server" body directives. It previously reclassified only unused exports of a whole "use server" file; an export async function deleteUser() { "use server"; ... } whose action is dead surfaced as a plain unused-export. Such a dead inline Server Action is now reclassified to unused-server-action for precise categorization. The extract layer records the export names of exported functions and const arrows whose body carries an inline "use server" directive, and the reclassifier moves an unused export whose name matches. It inherits every unused-export abstain (entry-point, public-API re-export, whole-object, reachable-reference), so a wired-up action (action={fn}, <form action={fn}>, import-and-call) is never flagged; the marginal surface over unused-export is just the inline directive gate. Stays Next-gated and warn-level, like the file-level case. Validated at zero false positives on real Next App Router projects (vercel ai-chatbot, commerce). Warm extraction caches refresh on upgrade.

  • Vue and Svelte template control flow now counts toward complexity health. fallow health --complexity (and the complexity signal in the overall health score and hotspots) now includes a synthetic <template> entry per .vue / .svelte file, computed from the template's control flow and bound expressions, the same way it already does for Angular templates. Previously only an SFC's <script> functions were scored, so a component with heavy v-if / v-for (Vue) or {#if} / {#each} / {#await} (Svelte) branching, deeply nested logic, or complex bound expressions and {{ }} / { } interpolations read as artificially simple. The template scan masks the <script> and <style> blocks, so script complexity is never double-counted, and nesting depth follows the template's tag/block structure so nested branches weigh more, matching the cyclomatic/cognitive model used everywhere else. This reuses the existing maxCyclomatic / maxCognitive thresholds and the complexity suppression token; there is no new rule, finding type, or flag. Warm extraction caches refresh on upgrade to pick up the new entry.

  • The unrendered-component rule now covers Angular. Previously Vue/Svelte only, it now also flags an Angular @Component whose element selector is used in no template anywhere in the project and that is not routed, bootstrapped, or dynamically rendered. This is the project-wide direction @angular-eslint does not cover (its NG8113 is single-component only). It harvests each component's selector, the element-selector tags used across every inline and external (templateUrl) template, route component: / loadComponent references, and bootstrap references, then flags a component whose selector is rendered nowhere. It stays false-positive-safe by abstaining when the component is rendered via its tag, routed (including the bare loadComponent: () => import('./x') default-export lazy form and loadChildren, credited because the lazy target's default export is referenced), bootstrapped, public-API exported, or when the project uses any dynamic component-render API (ViewContainerRef.createComponent / *ngComponentOutlet), which abstains project-wide. Attribute and class selectors and @Directive classes are out of the first cut (element-selector components only). Reuses the existing unrendered-component rule and all its surfaces; no new rule or flag. Validated at zero false positives on the angular-realworld example app.

  • fallow now flags Svelte component events that are dispatched but listened to nowhere. A new unused-svelte-event rule (default severity warn) reports a Svelte component that fires a custom event through a createEventDispatcher binding (const dispatch = createEventDispatcher(); dispatch('save')) whose event name is listened to by no component in the project: no <Child on:save> (or event-forwarding on:save) on any rendered instance. This is the cross-file dead-output direction that no Svelte tool covers: the compiler and svelte-check are single-file or type-only, and eslint-plugin-svelte has no project-wide listener check. It reuses fallow's whole-project graph the same way unprovided-inject does: a project-wide set of listened event names (every on:<name> on a component tag, with event forwarding counting as a listen) is built first, then a dispatched event absent from it is flagged. It stays false-positive-safe by over-crediting toward "listened" (a listener on any component credits the name) and by abstaining on the whole component when it cannot see the event name: a dynamic dispatch(<expr>) or a dispatch reference passed elsewhere as a value. on:click and other listeners on lowercase DOM elements are native DOM events, not component events, and are ignored. The rule activates only when svelte is a declared dependency, and reports in human, JSON, SARIF, CodeClimate, compact, and markdown output plus the LSP and MCP. There is no auto-fix (wire a listener or remove the dispatch, a human decision); suppress with // fallow-ignore-next-line unused-svelte-event or set the rule to off. Validated at zero false positives on the Budibase monorepo (215 createEventDispatcher components). The Svelte 5 callback-prop direction (a callback prop the parent never passes) is caller-side and not yet covered.

  • unused-component-prop and unused-component-emit now cover the Vue Options API. The two rules previously only inspected <script setup> components; they now also harvest props: and emits: (array and object forms) from export default { ... } and defineComponent({ ... }) in a non-setup <script> block, so a declared Options-API prop read nowhere in its own component, or a declared emit fired nowhere, is flagged the same way. Usage is credited from this.<prop> reads and template references for props, and from this.$emit('<name>') calls and template $emit for emits. It stays false-positive-safe by abstaining on the whole component when a member could be read or fired invisibly to the per-component scan: a mixins: or extends: option (a mixin or base can read a prop or fire an emit), a dynamic this[expr] access, a props/emits value that is an identifier, a spread, or a defineComponent<Type>() type generic, and a setup(props, { emit }) method (its props param and context emit are consumed opaquely). Reported through the same surfaces as the <script setup> rules; no new rule or flag. .vue files only (a defineComponent in a plain .ts file is not yet in scope).

  • fallow now flags Angular component inputs that are read nowhere in their component. A new unused-component-input rule (default severity warn) reports an Angular @Input(), signal input() / input.required(), or model() declared on a component (or directive) class that is read by no code in its own component: not in the inline or external templateUrl template, and not anywhere in the class body. This is the in-component dead-input direction that no tool in the Angular ecosystem covers: there is no @angular-eslint rule for it, and the Angular compiler never flags a declared-but-unread @Input (it only checks caller-side binding correctness). A declared input consumed only by a parent binding but never read in its own component IS flagged, because binding it does nothing in-component (it is wired to a dead end). Input names are harvested onto the extraction IR from the decorator form (@Input() foo, @Input({ required: true }) bar), the signal form (input(), input.required()), and model(); usage is credited from every angle so only a genuinely-unread input is flagged: a template reference (inline or external template, the latter through the side-effect edge to the .html), any this.<member> read in the class body, a member-by-name access (which covers the ngOnChanges changes['foo'] pattern), and the inputs: [...] / host: {...} decorator-metadata forms (already credited at extraction). It stays false-positive-safe by abstaining on the whole component when it cannot see all reads: any extends heritage clause (a base class in another file may read the member), a { ...this } spread, and JS-reserved-word names; accessor inputs (@Input() set foo(v) / getters) are skipped per-input since a setter body runs on binding, and an observable-stream output shape is left to the output rule. The rule activates only when @angular/core is a declared dependency, and reports in human, JSON, SARIF, CodeClimate, compact, and markdown output plus the LSP and MCP. 

    There is no auto-fix (wire the input to a real read or remove it, a human decision); suppress with // fallow-ignore-next-line unused-component-input or set the rule to off. Validated at zero false positives on the angular/components monorepo.

  • fallow now flags Angular component outputs that are emitted nowhere in their component. A new unused-component-output rule (default severity warn) reports an Angular @Output() or signal output() declared on a component (or directive) class that is .emit()-ed by no code in its own component. This is the output-side sibling of unused-component-input and the in-component dead-output direction that no Angular tooling covers: there is no @angular-eslint rule for a never-emitted output, and the compiler only checks caller-side listener correctness. Output names are harvested onto the extraction IR from the decorator form (only @Output() bar = new EventEmitter()-style initializers are harvested; an observable-stream @Output is treated as an abstain shape) and the signal output() form; usage is credited from a this.<out>.emit(...) call site, a template (event)="x.emit()" handler, and any forwarded this.<out> value read (passed to a function that may emit it), so over-crediting can only suppress a finding, never create one. It abstains on the whole component for any extends heritage clause and for { ...this } spreads; model() outputs are excluded entirely from the output side, since their implicit update: emit is framework-driven. The rule activates only when @angular/core is a declared dependency, and reports in human, JSON, SARIF, CodeClimate, compact, and markdown output plus the LSP and MCP. There is no auto-fix (emit the output or remove it, a human decision); suppress with // fallow-ignore-next-line unused-component-output or set the rule to off. Validated at zero false positives on the angular/components monorepo.

  • The unprovided-inject rule now covers Angular. Previously Vue/Svelte only, it now also flags an Angular InjectionToken injected through inject(TOKEN) or an @Inject(TOKEN) constructor parameter that is supplied by no provider anywhere in the project: no { provide: TOKEN, useClass | useValue | useFactory | useExisting } recipe in any providers array, and no self-providing new InjectionToken(..., { factory }) / { providedIn }. At runtime such an inject throws NullInjectorError, which no static tool in the Angular ecosystem catches (there is no @angular-eslint rule, and the compiler does not flag it for non-root tokens). It scopes to user InjectionToken symbols only: a class token (inject(MyService)) is out of scope because it self-provides via providedIn: 'root' and third-party provideX() providers, which would make it false-positive-prone. It stays false-positive-safe by abstaining on an inject(TOKEN, { optional: true }) / @Optional() inject (designed to be unprovided), a token imported from an npm package (the provider may live in the package), a token that is public API of this package (a consumer provides it), and project-wide whenever the provider graph becomes opaque: any importProvidersFrom(...), makeEnvironmentProviders(...), a ...spread in a providers array, or a computed provide: key. The rule activates only when @angular/core is a declared dependency, reuses the existing unprovided-inject rule and all its surfaces (human, JSON, SARIF, CodeClimate, compact, markdown, LSP, MCP), and has no auto-fix (provide the token or remove the inject, a human decision); suppress with // fallow-ignore-next-line unprovided-inject or set the rule to off. Tokens of any type-argument shape are covered, including a primitive-typed (new InjectionToken<string>('FLAG')) or untyped (new InjectionToken('FLAG')) token; a bare string-literal inject key and the provided-never-injected direction are not yet covered. 
    Validated at zero false positives on the angular/components monorepo.

Fixed

  • Pinia store members consumed through inline storeToRefs(useStore()) calls are now credited. unused-store-member now treats storeToRefs(usePermissionsStore()) and toRefs(usePermissionsStore()) object destructures the same way as the existing store-local form, including aliased destructures such as const { canCreateEvents: canCreate } = storeToRefs(usePermissionsStore()). The credit stays limited to bare store-factory identifiers or tracked store locals, so unrelated helper calls are not treated as store consumption. Thanks @​Smrtnyk for the report. (Closes #1282.)

  • unused-class-members no longer misses Playwright fixture methods reached through branch-selected aliases. Fallow now credits fixture object aliases selected by ternaries, if/else, and switch branches inside Playwright test callbacks, and same-file local fixture tests passed into mergeTests(...) now feed the merged wrapper. The alias tracking is Playwright-only, order-sensitive, and conservative on shadowing or unknown reassignment, so genuinely unused page-object methods still report. Thanks @​vethman for the report. (Closes #1270.)

  • React JSX depth is now descriptive context, not cognitive complexity. Deeply nested presentational React and Preact components, such as skeleton tables or layout wrappers with no control flow, no longer surface as high cognitive complexity solely because their JSX tree is deep. Fallow still records react_jsx_max_depth for hotspot context, while hook density and wide prop interfaces continue to contribute to cognitive complexity through hook-density and prop-count. The public jsx-depth contribution kind remains in the schema for compatibility, but current extraction no longer emits it for layout depth. Thanks @​pavle99 for the report. (Closes #1281.)

  • Svelte 5's bare <script module> is now recognized as module context. Fallow previously recognized only the Svelte 4 <script context="module"> form, so a Svelte 5 bare <script module> block was treated as the instance script and its imports were wrongly credited as template-visible, which could mask a genuinely unused import or export in a Svelte 5 component. The bare module attribute is now matched (with the same standalone-attribute anchoring as the setup attribute, so a lang or generics attribute containing the substring "module" cannot false-match), and its declarations are scoped as module context like the Svelte 4 form. The extraction cache version is bumped so warm caches refresh on upgrade.

[2.97.0] - 2026-06-16

... (truncated)

Commits
  • c2be0d5 chore: release v2.99.0
  • 6f18036 ci(codspeed): harden benchmark workflow
  • a1c5876 fix: restore green CI for suppression-reasons tests
  • 44cbb23 fix(review): harden final follow-up edges
  • df6ab20 fix: track CodSpeed benchmark fixture
  • cf96273 chore: harden CodSpeed benchmarks
  • 67cc903 ci: run full codspeed suite on main
  • 9b1f454 chore: add analyzer follow-up tooling
  • 4a5c292 fix(catalog): support Bun package.json catalogs
  • 23d02bb fix(unused-exports): credit same-file schema value deps
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the npm-deps group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [@hono/node-server](https://github.com/honojs/node-server) | `2.0.4` | `2.0.5` |
| [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.6.16` | `1.6.19` |
| [hono](https://github.com/honojs/hono) | `4.12.25` | `4.12.26` |
| [eslint](https://github.com/eslint/eslint) | `10.4.1` | `10.5.0` |
| [fallow](https://github.com/fallow-rs/fallow) | `2.92.1` | `2.99.0` |


Updates `@hono/node-server` from 2.0.4 to 2.0.5
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v2.0.4...v2.0.5)

Updates `better-auth` from 1.6.16 to 1.6.19
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.6.19/packages/better-auth)

Updates `hono` from 4.12.25 to 4.12.26
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.25...v4.12.26)

Updates `eslint` from 10.4.1 to 10.5.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.4.1...v10.5.0)

Updates `fallow` from 2.92.1 to 2.99.0
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.92.1...v2.99.0)

---
updated-dependencies:
- dependency-name: "@hono/node-server"
  dependency-version: 2.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: better-auth
  dependency-version: 1.6.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: hono
  dependency-version: 4.12.26
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: eslint
  dependency-version: 10.5.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: fallow
  dependency-version: 2.99.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Jun 25, 2026