
chore(deps): bump the dependencies group with 9 updates #230

Merged
steipete merged 2 commits into main from dependabot/npm_and_yarn/dependencies-470b77a1e9
May 28, 2026

@dependabot dependabot Bot commented on behalf of github May 27, 2026

Bumps the dependencies group with 9 updates:

| Package | From | To |
| --- | --- | --- |
| @earendil-works/pi-ai | 0.75.3 | 0.75.5 |
| @types/node | 24.12.4 | 25.9.1 |
| @typescript/native-preview | 7.0.0-dev.20260519.1 | 7.0.0-dev.20260526.1 |
| oxfmt | 0.51.0 | 0.52.0 |
| oxlint | 1.66.0 | 1.67.0 |
| es-toolkit | 1.46.1 | 1.47.0 |
| @zag-js/checkbox | 1.40.0 | 1.41.1 |
| @zag-js/select | 1.40.0 | 1.41.1 |
| markdown-it | 14.1.1 | 14.2.0 |

Updates @earendil-works/pi-ai from 0.75.3 to 0.75.5

Release notes

Sourced from @​earendil-works/pi-ai's releases.

v0.75.5

New Features

  • Cleaner read tool output - Collapsed read tool cards now show only the read line by default, while Ctrl+O still expands the full file content.
  • Faster file tools on Windows - Built-in file tools now use async filesystem operations during streaming, and image resizes run off the main TUI thread in a worker.
  • More reliable package updates - pi update and git package installs now reconcile pinned git refs and keep package settings intact. See Packages.
  • Custom Anthropic-compatible adaptive thinking - Custom provider model configs can opt into adaptive-thinking Claude behavior with compat.forceAdaptiveThinking. See Custom providers and Models.

Added

  • Added compat.forceAdaptiveThinking support to custom Anthropic-compatible model configuration docs and validation (#4797 by @​mbazso).
  • Added a standard unified patch to edit tool result details for SDK consumers (#4821).

Changed

  • Changed collapsed read tool cards to show only the read line until expanded (#4916).
  • Replaced the inherited optional koffi dependency for Windows VT input with a tiny vendored native helper, reducing install size while preserving Shift+Tab handling (#4480).
  • Changed the root development install documentation to use npm install --ignore-scripts (#4868).

Fixed

  • Fixed pi update to reconcile git-pinned packages to their configured ref (#4869).
  • Fixed package/resource path handling for Windows and glob/pattern resolution (#4873 by @​mitsuhiko).
  • Fixed config pattern matching to resolve patterns from the correct base directory (#4898 by @​haoqixu).
  • Fixed theme pickers to list themes by their content name instead of file stem (#4830 by @​Perlence).
  • Fixed OpenCode Zen/Go requests to send per-session OpenCode routing headers (#4847).
  • Fixed Amazon Bedrock provider loading under strict package managers by inheriting the declared @smithy/node-http-handler dependency from @earendil-works/pi-ai (#4842).
  • Fixed inherited Amazon Bedrock Claude requests to send the model output token cap by default, avoiding Bedrock's 4096-token default truncation (#4848).
  • Fixed exported session HTML to escape quote characters in attribute values (#4832).
  • Fixed GitHub Copilot device-code login to keep opening the verification URL in browser-capable environments while ignoring browser launch failures for headless use (#4788 by @​vegarsti).
  • Fixed git package installs to reconcile existing checkouts to the requested ref and update package settings without losing filters (#4870).
  • Published a 0.74.2 rescue release that tells Node 20 users to upgrade Node before updating to newer Pi versions (#4876).
  • Fixed final bash tool cards to avoid rendering duplicate full-output truncation paths (#4819).
  • Fixed bash tool truncation line counts to ignore the trailing newline as an extra output line (#4818).
  • Fixed footer home-directory abbreviation to avoid shortening sibling paths that only share the same prefix (#4878).
  • Fixed macOS Bun release binaries to resolve the native clipboard sidecar so Ctrl+V image paste can load @mariozechner/clipboard (#4307).
  • Fixed coding-agent tools to avoid synchronous filesystem operations during streaming and moved image resizing off the main TUI thread (#4756 by @​mitsuhiko).

v0.75.4

New Features

  • Hardened npm install and release path - Pi now ships the CLI with a generated shrinkwrap for transitive dependencies, blocks accidental lockfile changes, verifies dependency pinning and lifecycle-script allowlists in checks, disables lifecycle scripts for self-update and local release installs where supported, and smoke-tests isolated npm and Bun installs before release. See Supply-chain hardening.

Added

  • Added interactive update notes after pi update runs, so users can see the installed version's changelog before continuing (#4724 by @​mitsuhiko).
  • Exported image resize utilities from the package root for SDK consumers (#4775 by @​xl0).

... (truncated)

Changelog

Sourced from @​earendil-works/pi-ai's changelog.

[0.75.5] - 2026-05-23

Breaking Changes

  • Changed OAuthLoginCallbacks to require onDeviceCode and onSelect, so OAuth providers can rely on pi supplying device-code and selection UI callbacks (#4788 by @​vegarsti).

Fixed

  • Fixed custom Anthropic-compatible model aliases for adaptive-thinking Claude models by adding compat.forceAdaptiveThinking model metadata and moving built-in adaptive-thinking selection out of provider id substring checks (#4797 by @​mbazso).
  • Fixed GitHub Copilot OAuth login to rely on the required device-code callback without a runtime callback availability guard (#4788 by @​vegarsti).
  • Fixed Amazon Bedrock provider loading under strict package managers by declaring its direct @smithy/node-http-handler dependency (#4842).
  • Fixed Amazon Bedrock Claude requests to send the model output token cap by default, matching Anthropic requests and avoiding Bedrock's 4096-token default truncation (#4848).

[0.75.4] - 2026-05-20

Changed

  • Changed source syntax to avoid TypeScript constructs that require JavaScript emit, keeping the package compatible with Node.js strip-only TypeScript checks.
  • Removed the package-level development watch scripts now that the root TypeScript check validates strip-only-compatible sources.

Added

  • Added first-class OAuth device-code callback metadata, shared polling support, and GitHub Copilot OAuth integration.

Fixed

  • Fixed OpenAI-compatible streamSimple() requests to stop sending model-derived default output token caps, avoiding context-window reservation failures on servers such as vLLM while preserving explicit maxTokens and required Anthropic max_tokens handling (#4675).
  • Fixed OpenAI prompt cache keys to clamp session-derived values to the 64-character API limit across OpenAI Responses, Chat Completions, Codex Responses, and Azure OpenAI Responses (#4720).

Commits
  • 83a227a Update release instructions and generated models
  • ea2b70d Release v0.75.5
  • b9566fc Audit unreleased changelog entries
  • d80bcc3 test(ai): avoid hardcoded Fireworks router id
  • 9b62f1f Fix Anthropic eager tool input compat test
  • d801d88 Support adaptive thinking for Anthropic-compatible aliases
  • 7002c68 fix(ai): declare Bedrock Smithy HTTP handler dependency
  • c841a6c Clean up OAuth device-code callbacks
  • 11e868b Merge pull request #4788 from earendil-works/refactor-device-code-login
  • 1a2a536 chore: update PR prompt template
  • Additional commits viewable in compare view

Updates @types/node from 24.12.4 to 25.9.1

Commits

Updates @typescript/native-preview from 7.0.0-dev.20260519.1 to 7.0.0-dev.20260526.1

Commits

Updates oxfmt from 0.51.0 to 0.52.0

Changelog

Sourced from oxfmt's changelog.

[0.52.0] - 2026-05-26

🚀 Features

  • 16b8058 oxfmt: Support vite-plus/resolveConfig for vite.config.ts (#22454) (leaysgur)

[0.50.0] - 2026-05-15

🐛 Bug Fixes

  • 43b9978 formatter/sort_imports: Treat subpath imports as internal (#22440) (leaysgur)

[0.49.0] - 2026-05-11

🚀 Features

  • 6e8e818 oxfmt: Experimental .svelte support (#21700) (leaysgur)

[0.45.0] - 2026-04-13

🐛 Bug Fixes

  • 50c389b oxfmt: Support .editorconfig quote_type (#20989) (leaysgur)

[0.44.0] - 2026-04-06

🐛 Bug Fixes

  • dd2df87 npm: Export package.json for oxlint and oxfmt (#20784) (kazuya kawaguchi)
  • 4216380 oxfmt: Support .editorconfig tab_width fallback (#20988) (leaysgur)

[0.43.0] - 2026-03-30

🚀 Features

  • 6ef440a oxfmt: Support bool for object style options (#20853) (leaysgur)

[0.42.0] - 2026-03-24

🚀 Features

  • 416865a formatter,oxfmt: Add doc comments for JsdocConfig (#20644) (leaysgur)
  • 4fec907 formatter: Add JSDoc comment formatting support (#19828) (Dunqing)

[0.40.0] - 2026-03-12

🐛 Bug Fixes

  • bc20217 oxlint,oxfmt: Omit useless | null for Option<T> field from schema (#20273) (leaysgur)

... (truncated)

Commits

Updates oxlint from 1.66.0 to 1.67.0

Release notes

Sourced from oxlint's releases.

oxlint v1.27.0 && oxfmt v0.12.0

Oxlint v1.27.0

🚀 Features

  • 222a8f0 linter/plugins: Implement SourceCode#isSpaceBetween (#15498) (overlookmotel)
  • 2f9735d linter/plugins: Implement context.languageOptions (#15486) (overlookmotel)
  • bc731ff linter/plugins: Stub out all Context APIs (#15479) (overlookmotel)
  • 5822cb4 linter/plugins: Add extend method to FILE_CONTEXT (#15477) (overlookmotel)
  • 7b1e6f3 apps: Add pure rust binaries and release to github (#15469) (Boshen)
  • 2a89b43 linter: Introduce debug assertions after fixes to assert validity (#15389) (camc314)
  • ad3c45a editor: Add oxc.path.node option (#15040) (Sysix)

🐛 Bug Fixes

  • 6f3cd77 linter/no-var: Incorrect warning for blocks (#15504) (Hamir Mahal)
  • 6957fb9 linter/plugins: Do not allow access to Context#id in createOnce (#15489) (overlookmotel)
  • 7409630 linter/plugins: Allow access to cwd in createOnce in ESLint interop mode (#15488) (overlookmotel)
  • 732205e parser: Reject using / await using in a switch case / default clause (#15225) (sapphi-red)
  • a17ca32 linter/plugins: Replace Context class (#15448) (overlookmotel)
  • ecf2f7b language_server: Fail gracefully when tsgolint executable not found (#15436) (camc314)
  • 3c8d3a7 lang-server: Improve logging in failure case for tsgolint (#15299) (camc314)
  • ef71410 linter: Use jsx if source type is JS in fix debug assertion (#15434) (camc314)
  • e32bbf6 linter/no-var: Handle TypeScript declare keyword in fixer (#15426) (camc314)
  • 6565dbe linter/switch-case-braces: Skip comments when searching for : token (#15425) (camc314)
  • 85bd19a linter/prefer-class-fields: Insert value after type annotation in fixer (#15423) (camc314)
  • fde753e linter/plugins: Block access to context.settings in createOnce (#15394) (overlookmotel)
  • ddd9f9f linter/forward-ref-uses-ref: Dont suggest removing wrapper in invalid positions (#15388) (camc314)
  • dac2a9c linter/no-template-curly-in-string: Remove fixer (#15387) (camc314)
  • 989b8e3 linter/no-var: Only fix to const if the var has an initializer (#15385) (camc314)
  • cc403f5 linter/plugins: Return empty object for unimplemented parserServices (#15364) (magic-akari)

⚡ Performance

  • 25d577e language_server: Start tools in parallel (#15500) (Sysix)
  • 3c57291 linter/plugins: Optimize loops (#15449) (overlookmotel)
  • 3166233 linter/plugins: Remove Arcs (#15431) (overlookmotel)
  • 9de1322 linter/plugins: Lazily deserialize settings JSON (#15395) (overlookmotel)
  • 3049ec2 linter/plugins: Optimize deepFreezeSettings (#15392) (overlookmotel)
  • 444ebfd linter/plugins: Use single object for parserServices (#15378) (overlookmotel)

📚 Documentation

  • 97d2104 linter: Update comment in lint.rs about default value for tsconfig path (#15530) (Connor Shea)
  • 2c6bd9e linter: Always refer as "ES2015" instead of "ES6" (#15411) (sapphi-red)
  • a0c5203 linter/import/named: Update "ES7" comment in examples (#15410) (sapphi-red)
  • 3dc24b5 linter,minifier: Always refer as "ES Modules" instead of "ES6 Modules" (#15409) (sapphi-red)
  • 2ad77fb linter/no-this-before-super: Correct "Why is this bad?" section (#15408) (sapphi-red)
  • 57f0ce1 linter: Add backquotes where appropriate (#15407) (sapphi-red)

Oxfmt v0.12.0

... (truncated)

Changelog

Sourced from oxlint's changelog.

[1.67.0] - 2026-05-26

🚀 Features

  • b84941e linter/vue: Implement no-expose-after-await rule (#22675) (bab)
  • 98b98c1 linter/vue: Implement no-computed-properties-in-data rule (#22674) (bab)
  • 2d4c919 oxlint: Support vite-plus/resolveConfig for vite.config.ts (#22456) (leaysgur)
  • 2a60012 linter/vue: Implement require-render-return rule (#22613) (bab)
  • 9f227fd linter/vue: Implement no-deprecated-props-default-this rule (#21892) (bab)
  • 87f065e linter/vue: Implement return-in-emits-validator rule (#21935) (bab)
  • ea0380c linter/unicorn: Implement import-style rule (#22173) (Hao Chen)
  • dde40fe linter/vue: Implement no-watch-after-await rule (#22006) (bab)
  • a735eb0 linter/vue: Implement valid-next-tick rule (#22531) (bab)
  • 6dc615d linter/vue: Implement no-shared-component-data rule (#21842) (bab)
  • a656418 linter/vue: Implement valid-define-options rule (#22107) (bab)
  • bb6f1b2 linter/vue: Implement require-slots-as-functions rule (#22244) (bab)
  • 5fa4774 linter/n: Implement callback-return rule (#22470) (Mikhail Baev)

Commits
  • 68b455d release(apps): oxlint v1.67.0 && oxfmt v0.52.0 (#22735)
  • b84941e feat(linter/vue): implement no-expose-after-await rule (#22675)
  • 98b98c1 feat(linter/vue): implement no-computed-properties-in-data rule (#22674)
  • 2d4c919 feat(oxlint): Support vite-plus/resolveConfig for vite.config.ts (#22456)
  • 2a60012 feat(linter/vue): implement require-render-return rule (#22613)
  • 9f227fd feat(linter/vue): implement no-deprecated-props-default-this rule (#21892)
  • 87f065e feat(linter/vue): implement return-in-emits-validator rule (#21935)
  • ea0380c feat(linter/unicorn): implement import-style rule (#22173)
  • dde40fe feat(linter/vue): implement no-watch-after-await rule (#22006)
  • a735eb0 feat(linter/vue): implement valid-next-tick rule (#22531)
  • Additional commits viewable in compare view

Updates es-toolkit from 1.46.1 to 1.47.0

Release notes

Sourced from es-toolkit's releases.

v1.47.0

Released on May 25th, 2026.

  • Added es-toolkit/server entrypoint with colors namespace for ANSI terminal color utilities. ([#1683])
  • Added exec function. ([#1689])
  • Added sortKeys to the object entrypoint. ([#1674])
  • Added cartesianProduct and combinations to the array entrypoint. ([#1713])
  • Added allKeyed to the promise entrypoint. ([#1672])
  • Added percentile to the math entrypoint. ([#1710])
  • Added an interactive playground page to docs. ([#1720])
  • Reorganized docs to introduce a flavor switcher and co-locate compat under /compat/. ([#1699])
  • Fixed uniqWith in compat to match lodash's comparator argument order. ([#1729])
  • Fixed compat/omitBy to not treat plain objects with numeric length as array-like. ([#1709])

We sincerely thank @​Antoliny0919, @​ATOM00blue, @​dayongkr, @​guesung, @​myeong-jae-hwi, @​raon0211, @​seungrodotlee, and @​Xiaohang0316 for their contributions. We appreciate your great efforts!

Changelog

Sourced from es-toolkit's changelog.

Version v1.47.0

Released on May 25th, 2026.

  • Added es-toolkit/server entrypoint with colors namespace for ANSI terminal color utilities. (#1683)
  • Added exec function. (#1689)
  • Added sortKeys to the object entrypoint. (#1674)
  • Added cartesianProduct and combinations to the array entrypoint. (#1713)
  • Added allKeyed to the promise entrypoint. (#1672)
  • Added percentile to the math entrypoint. (#1710)
  • Added an interactive playground page to docs. (#1720)
  • Reorganized docs to introduce a flavor switcher and co-locate compat under /compat/. (#1699)
  • Fixed uniqWith in compat to match lodash's comparator argument order. (#1729)
  • Fixed compat/omitBy to not treat plain objects with numeric length as array-like. (#1709)

We sincerely thank @​Antoliny0919, @​ATOM00blue, @​dayongkr, @​guesung, @​myeong-jae-hwi, @​raon0211, @​seungrodotlee, and @​Xiaohang0316 for their contributions. We appreciate your great efforts!

Commits
  • 9f35cf9 v1.47.0
  • b73e0bc docs[playground]: add link to playground editor title (#1735)
  • a6d40df docs[server]: add localized server docs (#1733)
  • ecbdd36 docs[playground]: separate playground page layout (#1732)
  • 52ac49c docs(compat): align method chaining guidance across locales (#1731)
  • c011690 fix(docs): fix issues in playground page (#1727)
  • 03ca6ea fix(uniqWith): match lodash comparator argument order in compat (#1729)
  • 8a978e3 build(deps): bump dahlia/submark (#1730)
  • 6d3ca81 docs: introduce flavor switcher and co-locate compat under /compat/ (#1699)
  • 970ae85 fix: add alt text to VitePress logo (#1722)
  • Additional commits viewable in compare view

Updates @zag-js/checkbox from 1.40.0 to 1.41.1

Release notes

Sourced from @​zag-js/checkbox's releases.

@​zag-js/checkbox@​1.41.1

Patch Changes

  • Updated dependencies []:
    • @​zag-js/anatomy@​1.41.1
    • @​zag-js/core@​1.41.1
    • @​zag-js/types@​1.41.1
    • @​zag-js/utils@​1.41.1
    • @​zag-js/dom-query@​1.41.1
    • @zag-js/focus-visible@1.41.1

Changelog

Sourced from @​zag-js/checkbox's changelog.

1.41.1 - 2026-05-26

Fixed

  • Dismissable: Fix layer pointer-events being wiped by frameworks (Svelte, Vue) whose spread updates rewrite the entire style attribute.

  • Drawer

    • Fix controlled drawers snapping back to open before the close animation when dismissed via swipe.
    • Fix indent and indent-background snapping back into place after the close animation instead of transitioning in sync.
    • Fix --drawer-swipe-progress jumping to 1 at the start of a dismiss swipe; it now goes smoothly from 0 (at rest) to 1 (fully dismissed).
    • Fix drawer freezing mid-drag on release when its content mounts lazily which left snap points unmeasured.

1.41.0 - 2026-05-22

Added

  • Floating Components: Add data-side to placement-aware parts based on the current placement.

    Affected Components: Cascade Select, Color Picker, Combobox, Date Picker, Hover Card, Menu, Popover, Select, Tooltip, Tour.

  • Date Input

    • Add hideTimeZone prop. The timeZoneName segment now renders automatically when the value is a ZonedDateTime, and can be hidden via hideTimeZone: true.
    • Arrow navigation and auto-advance after typing now reach read-only focusable segments (e.g. timeZoneName). Typing the final editable segment (e.g. "P" on dayPeriod) advances focus to the trailing read-only segment instead of staying put.
  • Splitter

    • Add CSS unit support for defaultSize, minSize, and maxSize. The splitter now accepts px, em, rem, vh, and vw in addition to percentages, and resolves them to percentages after hydration.
    ```js
    const service = useMachine(splitter.machine, {
      panels: [
        { id: "nav", minSize: "240px", maxSize: "480px" },
        { id: "main", minSize: 30 },
      ],
      defaultSize: ["240px", "60vw"],
    })
    ```
    • Add resizeBehavior per panel. Set to "preserve-pixel-size" to keep a panel's pixel size constant when the parent splitter group resizes. Leave at least one panel as "preserve-relative-size" (the default) so the layout can absorb the change.

... (truncated)

Commits
  • 1109315 Version Packages (#3146)
  • 2e3867d fix(drawer): measure content that mounts lazily behind a Presence wrapper (#3...
  • f61de29 fix: drawer transitions
  • b39524c refactor: pointer outside handling
  • 9056a6a chore(deps): update all non-major dependencies (#3140)
  • ea4cbb0 chore: remove unused dependencies
  • 05a7779 chore: update dialog examples
  • f531192 ci: add fallback tag push to release workflow
  • c6cdf7b Version Packages (#3077)
  • 56090ce chore: update dependencies and migrate to pnpm v11
  • Additional commits viewable in compare view

Updates @zag-js/select from 1.40.0 to 1.41.1

Release notes

Sourced from @​zag-js/select's releases.

@​zag-js/select@​1.41.1

Patch Changes

  • Updated dependencies [b39524c]:
    • @​zag-js/dismissable@​1.41.1
    • @​zag-js/anatomy@​1.41.1
    • @​zag-js/core@​1.41.1
    • @​zag-js/types@​1.41.1
    • @​zag-js/collection@​1.41.1
    • @​zag-js/utils@​1.41.1
    • @​zag-js/dom-query@​1.41.1
    • @​zag-js/focus-visible@​1.41.1
    • @zag-js/popper@1.41.1

Changelog

Sourced from @​zag-js/select's changelog.

1.41.1 - 2026-05-26

Fixed

  • Dismissable: Fix layer pointer-events being wiped by frameworks (Svelte, Vue) whose spread updates rewrite the entire style attribute.

  • Drawer

    • Fix controlled drawers snapping back to open before the close animation when dismissed via swipe.
    • Fix indent and indent-background snapping back into place after the close animation instead of transitioning in sync.
    • Fix --drawer-swipe-progress jumping to 1 at the start of a dismiss swipe; it now goes smoothly from 0 (at rest) to 1 (fully dismissed).
    • Fix drawer freezing mid-drag on release when its content mounts lazily which left snap points unmeasured.

1.41.0 - 2026-05-22

Added

  • Floating Components: Add data-side to placement-aware parts based on the current placement.

    Affected Components: Cascade Select, Color Picker, Combobox, Date Picker, Hover Card, Menu, Popover, Select, Tooltip, Tour.

  • Date Input

    • Add hideTimeZone prop. The timeZoneName segment now renders automatically when the value is a ZonedDateTime, and can be hidden via hideTimeZone: true.
    • Arrow navigation and auto-advance after typing now reach read-only focusable segments (e.g. timeZoneName). Typing the final editable segment (e.g. "P" on dayPeriod) advances focus to the trailing read-only segment instead of staying put.
  • Splitter

    • Add CSS unit support for defaultSize, minSize, and maxSize. The splitter now accepts px, em, rem, vh, and vw in addition to percentages, and resolves them to percentages after hydration.
    ```js
    const service = useMachine(splitter.machine, {
      panels: [
        { id: "nav", minSize: "240px", maxSize: "480px" },
        { id: "main", minSize: 30 },
      ],
      defaultSize: ["240px", "60vw"],
    })
    ```
    • Add resizeBehavior per panel. Set to "preserve-pixel-size" to keep a panel's pixel size constant when the parent splitter group resizes. Leave at least one panel as "preserve-relative-size" (the default) so the layout can absorb the change.

... (truncated)

Commits
  • 1109315 Version Packages (#3146)
  • 2e3867d fix(drawer): measure content that mounts lazily behind a Presence wrapper (#3...
  • f61de29 fix: drawer transitions
  • b39524c refactor: pointer outside handling
  • 9056a6a chore(deps): update all non-major dependencies (#3140)
  • ea4cbb0 chore: remove unused dependencies
  • 05a7779 chore: update dialog examples
  • f531192 ci: add fallback tag push to release workflow
  • c6cdf7b Version Packages (#3077)
  • 56090ce chore: update dependencies and migrate to pnpm v11
  • Additional commits viewable in compare view

Updates markdown-it from 14.1.1 to 14.2.0

Changelog

Sourced from markdown-it's changelog.

[14.2.0] - 2026-05-24

Added

  • isPunctCharCode to utilities.

Fixed

  • Don't end HTML comment blocks on a blank line, #1155.
  • Properly recognize astral chars (surrogates) in delimiter scans for emphasis-like markers, #1072. Big thanks to @​tats-u for his global efforts with improving CJK support.
  • Preserve unicode whitespaces when trimming headings/paragraphs, #1074.
  • More strict entities decode to avoid false positives ;, #1096.
  • Restore block parser state on fail in lheading rule, #1131.

Security

  • Fixed poor smartquotes performance on > 70k quotes in single block
  • Bumped linkify-it to 5.0.1 with fixed potential performance issues.

Commits


Bumps the dependencies group with 9 updates:

| Package | From | To |
| --- | --- | --- |
| [@earendil-works/pi-ai](https://github.com/earendil-works/pi-mono/tree/HEAD/packages/ai) | `0.75.3` | `0.75.5` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `24.12.4` | `25.9.1` |
| [@typescript/native-preview](https://github.com/microsoft/typescript-go) | `7.0.0-dev.20260519.1` | `7.0.0-dev.20260526.1` |
| [oxfmt](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt) | `0.51.0` | `0.52.0` |
| [oxlint](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxlint) | `1.66.0` | `1.67.0` |
| [es-toolkit](https://github.com/toss/es-toolkit) | `1.46.1` | `1.47.0` |
| [@zag-js/checkbox](https://github.com/chakra-ui/zag) | `1.40.0` | `1.41.1` |
| [@zag-js/select](https://github.com/chakra-ui/zag) | `1.40.0` | `1.41.1` |
| [markdown-it](https://github.com/markdown-it/markdown-it) | `14.1.1` | `14.2.0` |


Updates `@earendil-works/pi-ai` from 0.75.3 to 0.75.5
- [Release notes](https://github.com/earendil-works/pi-mono/releases)
- [Changelog](https://github.com/earendil-works/pi/blob/main/packages/ai/CHANGELOG.md)
- [Commits](https://github.com/earendil-works/pi-mono/commits/v0.75.5/packages/ai)

Updates `@types/node` from 24.12.4 to 25.9.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@typescript/native-preview` from 7.0.0-dev.20260519.1 to 7.0.0-dev.20260526.1
- [Changelog](https://github.com/microsoft/typescript-go/blob/main/CHANGES.md)
- [Commits](https://github.com/microsoft/typescript-go/commits)

Updates `oxfmt` from 0.51.0 to 0.52.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxfmt/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxfmt_v0.52.0/npm/oxfmt)

Updates `oxlint` from 1.66.0 to 1.67.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxlint/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxlint_v1.67.0/npm/oxlint)

Updates `es-toolkit` from 1.46.1 to 1.47.0
- [Release notes](https://github.com/toss/es-toolkit/releases)
- [Changelog](https://github.com/toss/es-toolkit/blob/main/CHANGELOG.md)
- [Commits](toss/es-toolkit@v1.46.1...v1.47.0)

Updates `@zag-js/checkbox` from 1.40.0 to 1.41.1
- [Release notes](https://github.com/chakra-ui/zag/releases)
- [Changelog](https://github.com/chakra-ui/zag/blob/main/CHANGELOG.md)
- [Commits](https://github.com/chakra-ui/zag/compare/@zag-js/checkbox@1.40.0...@zag-js/checkbox@1.41.1)

Updates `@zag-js/select` from 1.40.0 to 1.41.1
- [Release notes](https://github.com/chakra-ui/zag/releases)
- [Changelog](https://github.com/chakra-ui/zag/blob/main/CHANGELOG.md)
- [Commits](https://github.com/chakra-ui/zag/compare/@zag-js/select@1.40.0...@zag-js/select@1.41.1)

Updates `markdown-it` from 14.1.1 to 14.2.0
- [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md)
- [Commits](markdown-it/markdown-it@14.1.1...14.2.0)

---
updated-dependencies:
- dependency-name: "@earendil-works/pi-ai"
  dependency-version: 0.75.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: "@types/node"
  dependency-version: 25.9.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: dependencies
- dependency-name: "@typescript/native-preview"
  dependency-version: 7.0.0-dev.20260526.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: oxfmt
  dependency-version: 0.52.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: oxlint
  dependency-version: 1.67.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: es-toolkit
  dependency-version: 1.47.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: "@zag-js/checkbox"
  dependency-version: 1.41.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: "@zag-js/select"
  dependency-version: 1.41.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: markdown-it
  dependency-version: 14.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies and javascript labels May 27, 2026

clawsweeper Bot commented May 27, 2026

Codex review: needs changes before merge. Reviewed May 27, 2026, 3:30 AM ET / 07:30 UTC.

Summary
The PR updates root/core dependency manifests and the pnpm lockfile for nine npm package updates, including pi-ai, Node typings, Oxc tooling, Zag checkbox/select, es-toolkit, and markdown-it.

Reproducibility: yes, for the PR defect from source inspection: the PR head lockfile resolves checkbox/select to 1.41.1 while the patched Preact adapter stays 1.40.0. I did not run install or tests because this review is read-only.

Review metrics: 2 noteworthy metrics.

  • Dependency batch: 9 package updates. Several runtime, UI, typing, and native tooling packages move together, so compatibility review needs more than a lockfile smoke check.
  • Changed files: 3 files affected. The patch is concentrated in two manifests and one large lockfile, making the repair narrow but still dependency-sensitive.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🌊 off-meta tidepool
Patch quality: 🧂 unranked krab
Result: blocked by patch quality or review findings.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Keep the Zag packages lockstep by either holding checkbox/select at 1.40.0 or updating @zag-js/preact and its patch to the same release.
  • Keep @types/node on the Node 24 major unless the package runtime floor is intentionally raised.
  • Run pnpm -s check and pnpm -C apps/chrome-extension test:chrome after regenerating the lockfile.

Risk before merge

  • Merging as-is would put the Chrome extension controls on mixed Zag runtime stacks: checkbox/select 1.41.1 with the patched Preact adapter and its core/type dependencies still at 1.40.0.
  • The @types/node bump moves compile-time Node APIs to 25.x while the repository still documents and tests Node 24, so maintainers should confirm that is intentional before merging.

Maintainer options:

  1. Fix the Zag version split before merge (recommended)
    Keep @zag-js/checkbox, @zag-js/select, and @zag-js/preact on one compatible release and update or preserve the patch entry so the extension controls use one Zag stack.
  2. Accept the dependency split only with explicit proof
    Maintainers could intentionally accept the mixed Zag stack, but that should come with extension-sidepanel proof that checkbox/select controls still build and behave correctly.
@clawsweeper automerge

Special instructions:
Keep @zag-js/checkbox, @zag-js/select, and @zag-js/preact on a single compatible Zag version in apps/chrome-extension/package.json, package.json patchedDependencies, and pnpm-lock.yaml, preserving the existing @zag-js/preact patch or updating it if moving to 1.41.1; keep @types/node aligned with the Node 24 support contract unless the runtime floor is deliberately raised; then run pnpm -s check and pnpm -C apps/chrome-extension test:chrome.

Next step before merge
A narrow automated repair can keep the affected dependency versions aligned and rerun the repository’s existing validation paths.

Security
Cleared: The diff is dependency and lockfile-only, and I found no concrete secrets, CI-permission, lifecycle-script, or third-party execution concern beyond normal dependency-review risk.

Review findings

  • [P1] Keep the Zag runtime packages lockstep — pnpm-lock.yaml:113-119
  • [P2] Keep Node typings aligned with the supported runtime — package.json:79
Review details

Best possible solution:

Land a regenerated dependency update that keeps Zag checkbox/select/preact and the patchedDependency entry on one compatible release, while preserving the Node 24 support guard unless the runtime floor is intentionally raised.

Do we have a high-confidence way to reproduce the issue?

Yes for the PR defect from source inspection: the PR head lockfile resolves checkbox/select to 1.41.1 while the patched Preact adapter stays 1.40.0. I did not run install or tests because this review is read-only.

Is this the best way to solve the issue?

No; the dependency update should keep the Zag packages on a single compatible version or update the patched adapter and patch together before merge.

Full review comments:

  • [P1] Keep the Zag runtime packages lockstep — pnpm-lock.yaml:113-119
    This lockfile resolves @zag-js/checkbox and @zag-js/select to 1.41.1 but leaves the patched @zag-js/preact adapter at 1.40.0. The extension uses those machines with normalizeProps/useMachine from @zag-js/preact, so merging this creates two Zag core/type stacks in the same controls; keep all Zag packages on one version or update the preact patch too.
    Confidence: 0.89
  • [P2] Keep Node typings aligned with the supported runtime — package.json:79
    The root and core packages still support Node >=24 and CI runs Node 24, but this bumps @types/node to 25.x. That weakens the existing typecheck guard against accidental Node 25-only APIs; keep the typings on 24.x unless this PR also intentionally raises the runtime floor.
    Confidence: 0.77

Overall correctness: patch is incorrect
Overall confidence: 0.87

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 043def5f6442.

Label changes

Label justifications:

  • P2: This is a normal-priority dependency maintenance PR with a bounded compatibility blocker rather than an active production regression.
  • merge-risk: 🚨 compatibility: The PR can change extension runtime behavior by mixing Zag package versions and can weaken the Node 24 type-surface guard.
  • rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🌊 off-meta tidepool and patch quality is 🧂 unranked krab.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: This is a Dependabot dependency PR, so the external contributor proof gate is not applicable here.
Evidence reviewed

Acceptance criteria:

  • pnpm -s check
  • pnpm -C apps/chrome-extension test:chrome

What I checked:

  • Repository policy read: AGENTS.md was read in full; its monorepo and extension validation guidance informed the suggested repair and validation path. (AGENTS.md:1, 043def5f6442)
  • PR surface: The PR changes package.json, packages/core/package.json, and pnpm-lock.yaml only, with 499 additions and 481 deletions. (d08049f5313f)
  • Zag version split in PR head: At PR head, the importer resolves @zag-js/checkbox and @zag-js/select to 1.41.1 while @zag-js/preact remains 1.40.0 with the existing patch hash. (pnpm-lock.yaml:111, d08049f5313f)
  • Adapter dependency stack remains old: The PR head lockfile keeps @zag-js/preact@1.40.0 depending on @zag-js/core, store, and types 1.40.0 while checkbox/select use 1.41.1 dependencies. (pnpm-lock.yaml:4864, d08049f5313f)
  • Current extension uses the mixed Zag packages together: The extension imports checkbox/select machines and normalizeProps/useMachine from @zag-js/preact in the same UI wrappers, so the split is on a live extension control path. (apps/chrome-extension/src/ui/zag-checkbox.tsx:1, 043def5f6442)
  • Node 24 support contract: The package still declares node >=24 and CI runs Node 24, while the PR changes both root and core @types/node entries to 25.9.1. (package.json:92, 043def5f6442)

Likely related people:

  • Peter Steinberger: Git blame and file history tie the current extension Zag wrappers, package dependency set, patched @zag-js/preact entry, and recent sidepanel work to his commits. (role: recent area contributor; confidence: high; commits: fcf8c8e5e98d, 043def5f6442; files: apps/chrome-extension/package.json, apps/chrome-extension/src/ui/zag-checkbox.tsx, apps/chrome-extension/src/ui/zag-select.tsx)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. labels May 27, 2026
@steipete steipete merged commit 6d43d34 into main May 28, 2026
3 checks passed
@steipete steipete deleted the dependabot/npm_and_yarn/dependencies-470b77a1e9 branch May 28, 2026 13:06
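
The two findings in the review above (a Zag version split in the lockfile, and @types/node moving past the Node 24 floor) can be checked mechanically before a dependency batch is merged. The following is an added example, not code from this repository or from ClawSweeper: the lockfile snippet is constructed, the function names are hypothetical, and the regex assumes pnpm's `specifier:`/`version:` importer layout instead of using a YAML parser.

```javascript
// Constructed sample (not the repository's real lockfile): a trimmed
// pnpm-lock.yaml importers section mirroring the split the review describes.
const SAMPLE_LOCK = `
importers:
  .:
    devDependencies:
      '@types/node':
        specifier: 25.9.1
        version: 25.9.1
  apps/chrome-extension:
    dependencies:
      '@zag-js/checkbox':
        specifier: 1.41.1
        version: 1.41.1
      '@zag-js/preact':
        specifier: 1.40.0
        version: 1.40.0(patch_hash=PLACEHOLDER)
      '@zag-js/select':
        specifier: 1.41.1
        version: 1.41.1
`;

// Collect { name, version } for every importer entry; peer and patch
// suffixes such as "(patch_hash=...)" are dropped from the version.
function resolvedVersions(lockText) {
  const entry = /^\s+'?((?:@[\w.-]+\/)?[\w.-]+)'?:\s*\n\s+specifier:.*\n\s+version:\s*([^\s(]+)/gm;
  return Array.from(lockText.matchAll(entry), (m) => ({ name: m[1], version: m[2] }));
}

// Group the packages of one npm scope by resolved version; more than one
// key in the result means the scope is not in lockstep.
function scopeVersions(lockText, scope) {
  const groups = {};
  for (const { name, version } of resolvedVersions(lockText)) {
    if (name.startsWith(scope + "/")) (groups[version] = groups[version] || []).push(name);
  }
  return groups;
}

// True when the @types/node major is above the lowest Node major admitted
// by an engines range of the form ">=N" (only that form is handled here).
function typesNodeAheadOfFloor(lockText, enginesRange) {
  const m = /^>=\s*(\d+)/.exec(enginesRange);
  if (!m) throw new Error("unsupported engines range: " + enginesRange);
  const types = resolvedVersions(lockText).find((e) => e.name === "@types/node");
  return types !== undefined && Number(types.version.split(".")[0]) > Number(m[1]);
}
```

Run as a CI step against the real lockfile text, a result with more than one version key for `@zag-js`, or a `true` from the typings check, is the signal to hold the batch for manual review.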