⬆️ Bump the dependencies group with 4 updates

[dependabot]

Bumps the dependencies group with 4 updates: @biomejs/biome, @modelcontextprotocol/sdk, @tanstack/react-query and vite.

Updates @biomejs/biome from 2.4.8 to 2.4.9

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.9

2.4.9

Patch Changes

• #9315 085d324 Thanks @​ematipico! - Added a new nursery CSS rule noDuplicateSelectors, that disallows duplicate selector lists within the same at-rule context.

  For example, the following snippet triggers the rule because the second selector and the first selector are the same:

  /* First selector */
  .x .y .z {
  }
  /* Second selector */
  .x {
  .y {
  .z {
  }
  }
  }

• #9567 b7ab931 Thanks @​ematipico! - Fixed #7211: useOptionalChain now detects negated logical OR chains. The following code is now considered invalid:

  !foo || !foo.bar;

• #8670 607ebf9 Thanks @​tt-a1i! - Fixed #8345: useAdjacentOverloadSignatures no longer reports false positives for static and instance methods with the same name. Static methods and instance methods are now treated as separate overload groups.

  class Kek {
    static kek(): number {
      return 0;
    }
    another(): string {
      return "";
    }
    kek(): number {
      return 1;
    } // no longer reported as non-adjacent
  }

• #9476 97b80a8 Thanks @​masterkain! - Fixed [#9475](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome/issues/9475): Fixed a panic when Biome analyzed ambient TypeScript modules containing class constructor, getter, or setter signatures that reference local type aliases. Biome now handles these declarations without crashing during semantic analysis.

• #9553 0cd5298 Thanks @​dyc3! - Fixed a bug where enabling the rules of a whole group, would enable rules that belonged to a domain under the same group.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.9

Patch Changes

• #9315 085d324 Thanks @​ematipico! - Added a new nursery CSS rule noDuplicateSelectors, that disallows duplicate selector lists within the same at-rule context.

  For example, the following snippet triggers the rule because the second selector and the first selector are the same:

  /* First selector */
  .x .y .z {
  }
  /* Second selector */
  .x {
  .y {
  .z {
  }
  }
  }

• #9567 b7ab931 Thanks @​ematipico! - Fixed #7211: useOptionalChain now detects negated logical OR chains. The following code is now considered invalid:

  !foo || !foo.bar;

• #8670 607ebf9 Thanks @​tt-a1i! - Fixed #8345: useAdjacentOverloadSignatures no longer reports false positives for static and instance methods with the same name. Static methods and instance methods are now treated as separate overload groups.

  class Kek {
    static kek(): number {
      return 0;
    }
    another(): string {
      return "";
    }
    kek(): number {
      return 1;
    } // no longer reported as non-adjacent
  }

• #9476 97b80a8 Thanks @​masterkain! - Fixed [#9475](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome/issues/9475): Fixed a panic when Biome analyzed ambient TypeScript modules containing class constructor, getter, or setter signatures that reference local type aliases. Biome now handles these declarations without crashing during semantic analysis.

• #9553 0cd5298 Thanks @​dyc3! - Fixed a bug where enabling the rules of a whole group, would enable rules that belonged to a domain under the same group.

  For example, linter.rules.correctness = "error" no longer enables React- or Qwik-specific correctness rules unless linter.domains.react, linter.domains.qwik, or an explicit rule config also enables them, or their relative dependencies are installed.

... (truncated)

Commits

• ad37526 ci: release (#9620)
• eb57e3a chore: use npmx.dev badge (#9614)
• e168494 feat(linter): add rule noUntrustedLicenses (#9474)
• 085d324 feat(css): add noDuplicateSelectors (#9315)
• 4d050df feat(analyze): implement noInlineStyles (#9534)
• 723798b feat: apply fix to use consistent method signatures (#9544)
• See full diff in compare view

Updates @modelcontextprotocol/sdk from 1.27.1 to 1.28.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.28.0

What's Changed

• feat: use scopes_supported from resource metadata by default (fixes #580) by @​antogyn in modelcontextprotocol/typescript-sdk#757
• [v1.x backport] Default to client_secret_basic when server omits token_endpoint_auth_methods_supported by @​pcarleton in modelcontextprotocol/typescript-sdk#1611
• fix: reject plain JSON Schema objects passed as inputSchema by @​tiluckdave in modelcontextprotocol/typescript-sdk#1596
• fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller cleanup by @​pcarleton in modelcontextprotocol/typescript-sdk#1462
• fix(server/auth): RFC 8252 loopback port relaxation by @​poteat in modelcontextprotocol/typescript-sdk#1738
• chore: bump version to 1.28.0 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1746

New Contributors

• @​antogyn made their first contribution in modelcontextprotocol/typescript-sdk#757
• @​tiluckdave made their first contribution in modelcontextprotocol/typescript-sdk#1596
• @​poteat made their first contribution in modelcontextprotocol/typescript-sdk#1738

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0

Commits

• a056569 chore: bump version to 1.28.0 (#1746)
• 897bc25 fix(server/auth): RFC 8252 loopback port relaxation (#1738)
• 398dc70 fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller c...
• 93640d3 fix: reject plain JSON Schema objects passed as inputSchema (#1596)
• 4cbcec0 [v1.x backport] Default to client_secret_basic when server omits token_endpoi...
• c9b58d1 feat: use scopes_supported from resource metadata by default (fixes #580) (#757)
• 351e124 docs: add links to hosted V1 and V2 API reference docs
• See full diff in compare view

Updates @tanstack/react-query from 5.95.0 to 5.95.2

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.95.2

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.95.2
  • @​tanstack/react-query@​5.95.2

@​tanstack/react-query-next-experimental@​5.95.2

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-query@​5.95.2

@​tanstack/react-query-persist-client@​5.95.2

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.95.2
  • @​tanstack/react-query@​5.95.2

@​tanstack/react-query@​5.95.2

Patch Changes

• Updated dependencies [cd5a35b]:
  • @​tanstack/query-core@​5.95.2

@​tanstack/react-query-devtools@​5.95.1

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.95.1
  • @​tanstack/react-query@​5.95.1

@​tanstack/react-query-next-experimental@​5.95.1

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-query@​5.95.1

@​tanstack/react-query-persist-client@​5.95.1

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.95.1
  • @​tanstack/react-query@​5.95.1

@​tanstack/react-query@​5.95.1

Patch Changes

• Updated dependencies [1f1775c]:

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.95.2

Patch Changes

• Updated dependencies [cd5a35b]:
  • @​tanstack/query-core@​5.95.2

5.95.1

Patch Changes

• Updated dependencies [1f1775c]:
  • @​tanstack/query-core@​5.95.1

Commits

• 1047cdc ci: Version Packages (#10326)
• cd5a35b fix/nodejs timeout (#10325)
• 5806444 ci: Version Packages (#10324)
• See full diff in compare view

Updates vite from 8.0.2 to 8.0.3

Release notes

Sourced from vite's releases.

create-vite@8.0.3

Please refer to CHANGELOG.md for details.

v8.0.3

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.3 (2026-03-26)

Features

• update rolldown to 1.0.0-rc.12 (#22024) (84164ef)

Bug Fixes

• html: cache unfiltered CSS list to prevent missing styles across entries (#22017) (5464190)
• module-runner: handle non-ascii characters in base64 sourcemaps (#21985) (77c95bf)
• module-runner: skip re-import if the runner is closed (#22020) (ee2c2cd)
• optimizer: scan is not resolving sub path import if used in a glob import (#22018) (ddfe20d)
• ssr: ssrTransform incorrectly rewrites meta identifier inside import.meta when a binding named meta exists (#22019) (cff5f0c)

Miscellaneous Chores

• deps: bump picomatch from 4.0.3 to 4.0.4 (#22027) (7e56003)

Tests

• html: add tests for getCssFilesForChunk (#22016) (43fbbf9)

Commits

• 6a34ac3 fix(deps): update all non-major dependencies (#21096)
• 02ceaec chore(deps): update dependency @​rollup/plugin-commonjs to v29 (#21099)
• 572aaca release: v7.2.2
• 728c8ee fix: revert "refactor: use fs.cpSync (#21019)" (#21081)
• a532e68 release: v7.2.1
• 82d2d6c fix(worker): some worker asset was missing (#21074)
• f83264f refactor(build): rename indexOfMatchInSlice to findPreloadMarker (#21054)
• 8293de0 release: v7.2.0
• 2833c55 fix(types): add undefined to optional properties for exactOptionalProperties ...
• e3a6a83 chore(deps): update rolldown-related dependencies (#21047)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[Robdel12]

Hmm need to remove the MCP dep.