fix(deps): update npm non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@biomejs/biome (source)	2.4.15 → 2.4.16			devDependencies	patch
@navikt/aksel-icons (source)	^8.10.5 → ^8.11.1			dependencies	minor
@navikt/aksel-icons (source)	8.10.5 → 8.11.1			dependencies	minor
@navikt/aksel-icons (source)	8.10.5 → 8.11.1			devDependencies	minor
@react-router/dev (source)	7.15.1 → 7.16.0			devDependencies	minor	7.17.0
@react-router/express (source)	7.15.1 → 7.16.0			dependencies	minor	7.17.0
@react-router/node (source)	7.15.1 → 7.16.0			dependencies	minor	7.17.0
@rollup/plugin-commonjs (source)	29.0.2 → 29.0.3			devDependencies	patch
@storybook/addon-a11y (source)	10.4.0 → 10.4.2			devDependencies	patch
@storybook/addon-docs (source)	10.4.0 → 10.4.2			devDependencies	patch
@storybook/addon-themes (source)	10.4.0 → 10.4.2			devDependencies	patch
@storybook/addon-vitest (source)	10.4.0 → 10.4.2			devDependencies	patch
@storybook/react-vite (source)	10.4.0 → 10.4.2			devDependencies	patch
@tanstack/react-virtual (source)	^3.13.24 → ^3.14.2			dependencies	minor
@tanstack/react-virtual (source)	3.13.24 → 3.14.2			dependencies	minor
@types/react (source)	19.2.14 → 19.2.16			devDependencies	patch	19.2.17
@types/react (source)	18.3.28 → 18.3.30			devDependencies	patch	18.3.31
@vitest/browser (source)	4.1.6 → 4.1.8			devDependencies	patch
@vitest/browser-playwright (source)	4.1.6 → 4.1.8			devDependencies	patch
@vitest/coverage-v8 (source)	4.1.6 → 4.1.8			devDependencies	patch
morgan	1.10.1 → 1.11.0			dependencies	minor
node (source)	>=24.15.0 → >=24.16.0			engines	minor
pnpm (source)	10.33.4+sha512.1c67b3b359b2d408119ba1ed289f34b8fc3c6873412bec6fd264fbdc82489e510fcbecb9ce9d22dae7f3b76269d8441046014bdca53b9979cd7a561ad631b800 → 10.34.1			packageManager	minor
postcss (source)	8.5.14 → 8.5.15			devDependencies	patch
postcss (source)	^8.5.14 → ^8.5.15			dependencies	patch
react (source)	19.2.6 → 19.2.7			devDependencies	patch
react (source)	19.2.6 → 19.2.7			dependencies	patch
react (source)	^19.2.6 → ^19.2.7			dependencies	patch
react-dom (source)	19.2.6 → 19.2.7			devDependencies	patch
react-dom (source)	19.2.6 → 19.2.7			dependencies	patch
react-dom (source)	^19.2.6 → ^19.2.7			dependencies	patch
react-router (source)	7.15.1 → 7.16.0			dependencies	minor	7.17.0
rolldown (source)	1.0.1 → 1.0.3			devDependencies	patch	1.1.0
rollup (source)	4.60.4 → 4.61.0			devDependencies	minor	4.61.1
storybook (source)	10.4.0 → 10.4.2			devDependencies	patch
storybook-addon-pseudo-states (source)	10.4.0 → 10.4.2			devDependencies	patch
style-dictionary (source)	^5.4.0 → ^5.4.3			dependencies	patch
tsx (source)	4.22.1 → 4.22.4			devDependencies	patch
vite (source)	7.3.3 → 7.3.5			devDependencies	patch
vitest (source)	4.1.6 → 4.1.8			devDependencies	patch

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.4.16

Compare Source

Patch Changes

• #​10329 ef764d5 Thanks @​Conaclos! - Fixed an issue where diagnostics showed an incorrect location in Astro files.

• #​10363 50aa415 Thanks @​dyc3! - Fixed HTML formatting for a case where comments could cause the formatter to split up a closing tag, which would cause the resulting HTML to be syntactically invalid.

  Input:

  <span
    ><!-- 1
  --><span>a</span
    ><!-- 2
  --><span>b</span
    ><!-- 3
  --></span>

  Output:

    <span
  	  ><!-- 1
  - --> <span>a</span<!-- 2
  - --> ><span>b</span><!-- 3
  + --><span>a</span><!-- 2
  + --><span>b</span><!-- 3
    --></span
    >

• #​10465 0c718da Thanks @​dfedoryshchev! - Fixed diagnostics emitted by the noUntrustedLicenses rule.

• #​10358 05c2617 Thanks @​dyc3! - Fixed #​10356: biome rage --linter now displays rules enabled through linter domains in the enabled rules list.

• #​10300 950247c Thanks @​dyc3! - Fixed #​10265: Svelte function bindings such as bind:value={get, set} are now parsed more precisely, so noCommaOperator won't emit false positives for that syntax anymore.

• #​9786 e71f584 Thanks @​MeGaNeKoS! - Fixed #​8480: useDestructuring now provides variableDeclarator and assignmentExpression options to control which contexts enforce destructuring, matching ESLint's prefer-destructuring configuration. Both default to {array: true, object: true}. The diagnostic for object destructuring in assignment expressions now instructs users to wrap the assignment in parentheses.

• #​10425 1948b72 Thanks @​sjh9714! - Fixed #​10244: The useOptionalChain rule now detects negated guard inequality chains like !foo || foo.bar !== "x".

• #​10442 001f94f Thanks @​ematipico! - Fixed #​10411: noMisusedPromises no longer causes a stack overflow when a nested function returns an object with shorthand properties that shadow destructured variables from an outer scope.

• #​10318 9b1577f Thanks @​dyc3! - Added support for formatter.trailingCommas in overrides. This option was previously available in the top-level formatter configuration but missing from formatter overrides.

• #​10319 2e37709 Thanks @​dyc3! - Fixed Vue and Svelte formatting for standalone interpolations in inline elements. Biome now preserves existing newlines in cases like:

  - <span> {{ value }} </span>
  + <span>
  +   {{ value }}
  + </span>

• #​10365 0a58eb0 Thanks @​Netail! - Fixed #​10361: noUnusedFunctionParameters now mentions the parameter name in the diagnostic.

• #​10439 df6b867 Thanks @​denbezrukov! - Fixed CSS and SCSS formatting for comments around declaration colons so comments between property names, colons, and values stay at the same boundary as Prettier.

   .selector {
  -  color: /* red, */
  -    blue;
  +  color: /* red, */ blue;
   }

• #​10344 b30208c Thanks @​siketyan! - Fixed #10123: Corrected the noReactNativeDeepImports source rule to point to the proper upstream rule, so users can migrate from the original rule correctly.

• #​10328 b59133f Thanks @​dyc3! - Fixed #​10309: Biome no longer adds newlines to Astro frontmatter when linter or assist --write mode is enabled.

navikt/aksel (@​navikt/aksel-icons)

v8.11.1

Compare Source

v8.11.0

Compare Source

Minor Changes

• Icons: New icon Newsletter and NewsletterFill (#​4887)

v8.10.6

Compare Source

remix-run/react-router (@​react-router/dev)

v7.16.0

Compare Source

Minor Changes

• Stabilize future.unstable_trailingSlashAwareDataRequests as future.v8_trailingSlashAwareDataRequests (#​15098)

  • The unstable flag is no longer supported and will error during config resolution

• Log future flag warnings for upcoming React Router v8 flags (#​15029)

  • v8_middleware, v8_splitRouteModules, v8_viteEnvironmentApi, v8_passThroughRequests, v8_trailingSlashAwareDataRequests

Patch Changes

• Updated dependencies:
  • react-router@7.16.0
  • @react-router/node@7.16.0
  • @react-router/serve@7.16.0

remix-run/react-router (@​react-router/express)

v7.16.0

Compare Source

Patch Changes

• Ignore writes after Express responses close (#​15107)

  • Avoid surfacing client disconnects as adapter errors when the response stream has already been destroyed or ended.

• Updated dependencies:

  • react-router@7.16.0
  • @react-router/node@7.16.0

remix-run/react-router (@​react-router/node)

v7.16.0

Compare Source

Patch Changes

• Honor Node writable backpressure in writeReadableStreamToWritable and writeAsyncIterableToWritable (#​15071)

  • Await 'drain' when writable.write() returns false instead of letting chunks accumulate in the writable's internal buffer.
  • Reject (rather than hang) if the writable errors or closes mid-stream.

• Updated dependencies:

  • react-router@7.16.0

rollup/plugins (@​rollup/plugin-commonjs)

v29.0.3

2026-05-29

Bugfixes

• commonjs: make #​1868 es5-compatible (#​1981)

storybookjs/storybook (@​storybook/addon-a11y)

v10.4.2

Compare Source

• Bug: Fix Windows command resolution for non-Node package managers - #​33534, thanks @​copilot-swe-agent!
• Build: Upgrade type-fest to latest version 5.6.0 - #​34791, thanks @​tobiasdiez!
• CSF: Fix parsing of string literal export names - #​34901, thanks @​shilman!
• Publish: Add npm provenance attestations - #​34936, thanks @​copilot-swe-agent!

v10.4.1

Compare Source

• Angular: Detect model() signal outputs (type inference + compodoc autodocs + runtime binding) - #​34833, thanks @​valentinpalkovic!
• Build: Upgrade type-fest to latest version 5.6.0 - #​34791, thanks @​tobiasdiez!
• CLI: Run npx expo install --fix after init for Expo projects - #​34803, thanks @​ndelangen!
• CLI: Support peerDependencies in framework detection for component libraries - #​34516, thanks @​zhyd1997!
• Next.js: Add useLinkStatus mock to next/link export mock - #​34593, thanks @​philwolstenholme!
• Vue3: Specify a specific version for non-dev dependency - #​34794, thanks @​ScopeyNZ!

TanStack/virtual (@​tanstack/react-virtual)

v3.14.2

Compare Source

Patch Changes

• Updated dependencies [c0b84c8, fbf3bdb]:
  • @​tanstack/virtual-core@​3.17.0

v3.14.1

Compare Source

Patch Changes

• Updated dependencies [c746841]:
  • @​tanstack/virtual-core@​3.16.1

v3.14.0

Compare Source

Minor Changes

• Add opt-in direct DOM updates for scroll positioning with directDomUpdates, directDomUpdatesMode, and containerRef. (#​1180)

v3.13.26

Compare Source

Patch Changes

• Updated dependencies [fc992ab]:
  • @​tanstack/virtual-core@​3.16.0

v3.13.25

Compare Source

Patch Changes

• Replace the useReducer(() => ({}), {}) force-rerender pattern with an (#​1168)
  incrementing number counter. Same semantics (every dispatch changes the
  reducer state, forcing a render); zero per-dispatch object allocation.
  Trivial individual cost, but eliminates one steady-state GC source on
  scroll-heavy apps.
• Updated dependencies [99355ad, 99355ad, 99355ad, 99355ad, 99355ad, 99355ad, 99355ad]:
  • @​tanstack/virtual-core@​3.15.0

vitest-dev/vitest (@​vitest/browser)

v4.1.8

Compare Source

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in #​10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in #​10474 (675b4)

    View changes on GitHub

v4.1.7

Compare Source

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in #​10384 (4f0f2)

    View changes on GitHub

expressjs/morgan (morgan)

v1.11.0

Compare Source

===================

• add :pid token

Security Fix:

• Escape control characters in :remote-user token to prevent log injection
  • Fixes CVE-2026-5078 GHSA-4vj7-5mj6-jm8m

nodejs/node (node)

v24.16.0: 2026-05-21, Version 24.16.0 'Krypton' (LTS), @​aduh95

Compare Source

Notable Changes

• [b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #​62553
• [ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #​62713
• [9705f628d9] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #​57775
• [40ccfdecf9] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #​62277
• [d7188af5c9] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #​63082
• [aa1d8a9afc] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #​62541
• [6f37f7e240] - (SEMVER-MINOR) stream: propagate destruction in duplexPair (Ahmed Elhor) #​61098
• [d14029be7f] - (SEMVER-MINOR) test_runner: support test order randomization (Pietro Marchini) #​61747
• [d142c584cd] - (SEMVER-MINOR) test_runner: align mock timeout api (sangwook) #​62820
• [01a9552585] - (SEMVER-MINOR) test_runner: add mock-timers support for AbortSignal.timeout (DeveloperViraj) #​60751
• [00705a459a] - (SEMVER-MINOR) util: colorize text with hex colors (Guilherme Araújo) #​61556

Commits

• [dd72df060d] - assert,util: fix stale nested cycle memo entries (Ruben Bridgewater) #​62509
• [add94f4bc3] - build: track PDL files as inputs in inspector GN build (Robo) #​62888
• [1b1eb9e334] - build: remove redundant -fuse-linker-plugin from GCC LTO flags (Daniel Lando) #​62667
• [8752b604ec] - crypto: deduplicate and canonicalize CryptoKey usages (Filip Skokan) #​62902
• [341947e7fd] - crypto: reject unintended raw key format string input (Filip Skokan) #​62974
• [28a78747fc] - crypto: remove Argon2 KDF derivation from its job setup (Filip Skokan) #​62863
• [16e8c2b54d] - crypto: fix unsigned conversion of 4-byte RSA publicExponent (DeepView Autofix) #​62839
• [eeae754a87] - crypto: reject inherited key type names (Jonathan Lopes) #​62875
• [9dd5540325] - crypto: add memory tracking for secureContext openssl objects (Mert Can Altin) #​59051
• [b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #​62553
• [7597d204c1] - crypto: add support for Ed25519 context parameter (Filip Skokan) #​62474
• [4bf85845da] - debugger: move ProbeInspectorSession and helpers to separate files (Joyee Cheung) #​63013
• [ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #​62713
• [83e98f77b7] - deps: update corepack to 0.35.0 (Node.js GitHub Bot) #​63375
• [ec8c6b939a] - deps: V8: cherry-pick 657d8de (Guy Bedford) #​62784
• [722c0c3274] - deps: update nghttp3 to 1.14.0 (Node.js GitHub Bot) #​61187
• [5304db93d3] - deps: update nghttp3 to 1.13.1 (Node.js GitHub Bot) #​60046
• [e073b3811d] - deps: update nghttp3 to 1.11.0 (James M Snell) #​59249
• [1d00313fb2] - deps: update ngtcp2 to 1.14.0 (James M Snell) #​59249
• [8b3a4fc18f] - deps: update amaro to 1.1.9 (Node.js GitHub Bot) #​63090
• [62fe0cfcd1] - deps: update llhttp to 9.4.1 (Node.js GitHub Bot) #​63045
• [137e09c8e9] - deps: update corepack to 0.34.7 (Node.js GitHub Bot) #​62810
• [14a4cb8fbc] - deps: update timezone to 2026b (Node.js GitHub Bot) #​62962
• [3e1036583a] - deps: upgrade npm to 11.13.0 (npm team) #​62898
• [01dfe5961c] - deps: cherry-pick libuv/libuv@439a54b (skooch) #​62881
• [6cd368b10c] - deps: update sqlite to 3.53.0 (Node.js GitHub Bot) #​62699
• [f218a4f553] - deps: update nbytes to 0.1.4 (Node.js GitHub Bot) #​62698
• [b47688524a] - deps: update archs files for openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [d202e2d343] - deps: upgrade openssl sources to openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [2faba66341] - deps: update minimatch to 10.2.5 (Node.js GitHub Bot) #​62594
• [fa46c90c5d] - deps: update googletest to d72f9c8 (Node.js GitHub Bot) #​62593
• [099ded5713] - deps: update simdjson to 4.6.1 (Node.js GitHub Bot) #​62592
• [7ce95afe96] - deps: libuv: cherry-pick aabb765 (Santiago Gimeno) #​62561
• [57ef845623] - deps: update icu to 78.3 (Node.js GitHub Bot) #​62324
• [493ac40e12] - deps: update libuv to 1.52.1 (Node.js GitHub Bot) #​61829
• [b39508b368] - deps: update undici to 7.25.0 (Node.js GitHub Bot) #​63011
• [cb67a925e9] - deps: use npm undici@​seven tag in update-undici.sh (Matteo Collina) #​62739
• [aa1e0bc28b] - doc: fix typos and inconsistencies in crypto.md and webcrypto.md (Filip Skokan) #​62828
• [f2a1735ed9] - doc: fix duplicate word "to to" in util.styleText (Daijiro Wachi) #​62917
• [b6378e215c] - doc: fix node-config-schema (Сковорода Никита Андреевич) #​61596
• [233894a9ce] - doc: fix the TypeScript Execute (tsx) project link (David Thornton) #​63093
• [5d97919f8f] - doc: correct diagnostics_channel built-in channel names (Bryan English) #​62995
• [2a9ccc927e] - doc: use mjs/cjs blocks for callbackify null reason example (Daijiro Wachi) #​62884
• [ef413b5358] - doc: fix typo in test.md (Rich Trott) #​62960
• [76f21c5070] - doc: correct typo in PR contribution instructions (Mike McCready) #​62738
• [ca02af1f7d] - doc: fix duplicate word "of of" in postMessageToThread (Daijiro Wachi) #​62917
• [46c99ed526] - doc: fix duplicate word "for for" in compile cache (Daijiro Wachi) #​62917
• [1a60851734] - doc: fix typo in dns.lookup options description (Daijiro Wachi) #​62882
• [169b5ea2ed] - doc: fix Argon2 parameter bounds (Tobias Nießen) #​62868
• [9a3a190f4e] - doc: clarify diffieHellman.generateKeys recomputes same key (Kit Dallege) #​62205
• [0fba9e87d6] - doc: remove Ayase-252 and meixg from triagger team (Antoine du Hamel) #​62841
• [9c700f3446] - doc: clarify dns.lookup() callback signature when all is true (eungi) #​62800
• [6b7280bc17] - doc: add experimental modules lifetime policy (Paolo Insogna) #​62753
• [ce47ea31c9] - doc: clarify process._debugProcess() in Permission Model (Fahad Khan) #​62537
• [ba01633757] - doc: fix typo in devcontainer guide (Rohan Santhosh Kumar) #​62687
• [70b4d5839b] - doc: clarify Backport-PR-URL metadata added automatically (Mike McCready) #​62668
• [8126d1c3eb] - doc: update WPT test runner README.md (Filip Skokan) #​62680
• [978afea4b5] - doc: fix spelling in release announcement guidance (Rohan Santhosh Kumar) #​62663
• [1684ab8ff8] - doc: note non-monotonic clock in crypto.randomUUIDv7 (nabeel378) #​62600
• [86d4f07930] - doc: update bug bounty program (Rafael Gonzaga) #​62590
• [736ed8a08f] - doc: document TransformStream transformer.cancel option (Tom Pereira) #​62566
• [938af9be01] - doc: mention test runner retry attemp is zero based (Moshe Atlow) #​62504
• [94433e450f] - doc,src,test: fix dead inspector help URL (semimikoh) #​62745
• [ddf1f01659] - esm: add ERR_REQUIRE_ESM_RACE_CONDITION (Antoine du Hamel) #​62462
• [4a506acd16] - fs: add followSymlinks option to glob (Matteo Collina) #​62695
• [f4ea495f9b] - fs: restore fs patchability in ESM loader (Joyee Cheung) #​62835
• [63c111cd60] - fs: validate position argument before length === 0 early return (Edy Silva) #​62674
• [9705f628d9] - **(SEMVER-MINOR

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Europe/Oslo)

• Branch creation
  • "before 07:00 on Thursday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: f33a3ab

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[github-actions]

Preview deployments for this pull request:

storybook - 6. Jun 2026 - 00:02

themebuilder - 6. Jun 2026 - 00:02