chore(deps): bump the npm-dependencies group with 8 updates

[dependabot]

Bumps the npm-dependencies group with 8 updates:

Package	From	To
@biomejs/biome	2.3.11	2.3.12
@types/node	25.0.9	25.0.10
@vitest/coverage-v8	4.0.17	4.0.18
@pinia/colada	0.21.1	0.21.2
@pinia/colada-nuxt	0.3.0	0.3.1
lucide-vue-next	0.562.0	0.563.0
nuxt	4.2.2	4.3.0
vue	3.5.26	3.5.27

Updates @biomejs/biome from 2.3.11 to 2.3.12

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.3.12

2.3.12

Patch Changes

• #8653 047576d Thanks @​dyc3! - Added new nursery rule noDuplicateAttributes to forbid duplicate attributes in HTML elements.

• #8648 96d09f4 Thanks @​BaeSeokJae! - Added a new nursery rule noVueOptionsApi.

  Biome now reports Vue Options API usage, which is incompatible with Vue 3.6's Vapor Mode. This rule detects Options API patterns in <script> blocks, defineComponent(), and createApp() calls, helping prepare codebases for Vapor Mode adoption.

  For example, the following now triggers this rule:

  <script>
  export default {
    data() {
      return { count: 0 };
    },
  };
  </script>

• #8832 b08270b Thanks @​Exudev! - Fixed #8809, #7985, and #8136: the noSecrets rule no longer reports false positives on common CamelCase identifiers like paddingBottom, backgroundColor, unhandledRejection, uncaughtException, and IngestGatewayLogGroup.

  The entropy calculation algorithm now uses "average run length" to distinguish between legitimate CamelCase patterns (which have longer runs of same-case letters) and suspicious alternating case patterns (which have short runs).

• #8793 c19fb0e Thanks @​TheBaconWizard! - Properly handle parameters metavariables for arrow_function GritQL queries. The following biome search command no longer throws an error:

  biome search 'arrow_function(parameters=$parameters, body=$body)'

• #8561 981affb Thanks @​wataryooou! - Fixed noUnusedVariables to ignore type parameters declared in ambient contexts such as declare module blocks.

• #8817 652cfbb Thanks @​dyc3! - Fixed #8765: The HTML parser can now parse directive modifiers with a single colon, e.g. @keydown.:.

• #8704 a1914d4 Thanks @​Netail! - Added the nursery rule noRootType. Disallow the usage of specified root types. (e.g. mutation and/or subscription)

  Invalid:

  {
    "options": {
      "disallow": ["mutation"]
    }

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.3.12

Patch Changes

• #8653 047576d Thanks @​dyc3! - Added new nursery rule noDuplicateAttributes to forbid duplicate attributes in HTML elements.

• #8648 96d09f4 Thanks @​BaeSeokJae! - Added a new nursery rule noVueOptionsApi.

  Biome now reports Vue Options API usage, which is incompatible with Vue 3.6's Vapor Mode. This rule detects Options API patterns in <script> blocks, defineComponent(), and createApp() calls, helping prepare codebases for Vapor Mode adoption.

  For example, the following now triggers this rule:

  <script>
  export default {
    data() {
      return { count: 0 };
    },
  };
  </script>

• #8832 b08270b Thanks @​Exudev! - Fixed #8809, #7985, and #8136: the noSecrets rule no longer reports false positives on common CamelCase identifiers like paddingBottom, backgroundColor, unhandledRejection, uncaughtException, and IngestGatewayLogGroup.

  The entropy calculation algorithm now uses "average run length" to distinguish between legitimate CamelCase patterns (which have longer runs of same-case letters) and suspicious alternating case patterns (which have short runs).

• #8793 c19fb0e Thanks @​TheBaconWizard! - Properly handle parameters metavariables for arrow_function GritQL queries. The following biome search command no longer throws an error:

  biome search 'arrow_function(parameters=$parameters, body=$body)'

• #8561 981affb Thanks @​wataryooou! - Fixed noUnusedVariables to ignore type parameters declared in ambient contexts such as declare module blocks.

• #8817 652cfbb Thanks @​dyc3! - Fixed #8765: The HTML parser can now parse directive modifiers with a single colon, e.g. @keydown.:.

• #8704 a1914d4 Thanks @​Netail! - Added the nursery rule noRootType. Disallow the usage of specified root types. (e.g. mutation and/or subscription)

  Invalid:

  {
    "options": {
      "disallow": ["mutation"]
    }
  }

... (truncated)

Commits

• fd33f86 ci: release (#8671)
• a53fc75 chore: update sponsors (#8844)
• 4ee3bda feat(graphql_analyze): implement useLoneAnonymousOperation (#8616)
• 71b5c6e feat(js_analyze): implement noExcessiveClassesPerFile (#8753)
• d6b2bda feat(js_analyze): implement noFloatingClasses (#8754)
• 17ed9d3 feat(js_analyze): implement noDivRegex (#8757)
• 291c9f2 feat(biome_js_analyze): port useInlineScriptId from Next.js (#8624)
• 96d09f4 feat(lint): add noVueOptionsApi rule (#8648)
• 39eb545 fix(biome_configuration): revert URL brackets (#8766)
• 365f7aa feat(js_analyze): implement noDuplicateEnumValues (#8711)
• Additional commits viewable in compare view

Updates @types/node from 25.0.9 to 25.0.10

Commits

• See full diff in compare view

Updates @vitest/coverage-v8 from 4.0.17 to 4.0.18

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.0.18

   🚀 Experimental Features

• experimental: Add onModuleRunner hook to worker.init  -  by @​sheremet-va in vitest-dev/vitest#9286 (ea837)

   🐞 Bug Fixes

• Use meta.url in createRequire  -  by @​sheremet-va in vitest-dev/vitest#9441 (e0572)
• browser: Hide injected data-testid attributes  -  by @​sheremet-va in vitest-dev/vitest#9503 (f8989)
• ui: Process artifact attachments when generating HTML reporter  -  by @​macarie in vitest-dev/vitest#9472 (22543)

    View changes on GitHub

Commits

• 4d3e3c6 chore: release v4.0.18
• See full diff in compare view

Updates @pinia/colada from 0.21.1 to 0.21.2

Changelog

Sourced from @​pinia/colada's changelog.

0.21.2 (2026-01-20)

Bug Fixes

• correct GC time display for prefetched queries (#464) (80e2c5a)
• query: gc prefetched queries (ba1e90c)

Commits

• fb825ab release: @​pinia/colada@​0.21.2 @​pinia/colada-devtools@​0.4.2
• 9305f79 fix: handle mutations created before devtools
• bc50168 refactor: migrate to vue-router 5 (#466)
• 20dbec2 chore(deps): update dependency unplugin-icons to v23 (#468)
• 8832be2 chore(deps): update all non-major dependencies (#467)
• eeab2e4 fix: distinguish refetch and invalidate behavior in devtools (#465)
• 80e2c5a fix: correct GC time display for prefetched queries (#464)
• ba1e90c fix(query): gc prefetched queries
• 5e30f0f chore: add labels
• fa4c0e8 chore: rename to issue-436 to match correct issue number (#463)
• Additional commits viewable in compare view

Updates @pinia/colada-nuxt from 0.3.0 to 0.3.1

Release notes

Sourced from @​pinia/colada-nuxt's releases.

@​pinia/colada-nuxt@​0.3.1

   🚀 Features

• Add more auto imports  -  by @​posva (4280c)

    View changes on GitHub

Changelog

Sourced from @​pinia/colada-nuxt's changelog.

0.3.1 (2024-02-03)

Bug Fixes

• useMutation: options (23eccb1)

Commits

• a575d53 release: @​pinia/colada-nuxt@​0.3.1
• 5c06642 docs: fix wrong params
• 65a6998 docs: fix dead link
• fd13bd0 build: oxfmt everything
• 4280c17 feat: add more auto imports
• 02194ba docs: better nuxt migration guide
• fb825ab release: @​pinia/colada@​0.21.2 @​pinia/colada-devtools@​0.4.2
• 9305f79 fix: handle mutations created before devtools
• bc50168 refactor: migrate to vue-router 5 (#466)
• 20dbec2 chore(deps): update dependency unplugin-icons to v23 (#468)
• Additional commits viewable in compare view

Updates lucide-vue-next from 0.562.0 to 0.563.0

Release notes

Sourced from lucide-vue-next's releases.

Version 0.563.0

What's Changed

aria-hidden is by default added to icons components in all packages. This was already added to lucide-react before. Making icons accessible, you can add an aria-label or a title. See docs about accessibility.

All changes

• chore(dev): Enable ligatures in font build configuration by @​dcxo in lucide-icons/lucide#3876
• chore(repo): add Android to brand stopwords by @​karsa-mistmere in lucide-icons/lucide#3895
• fix(site): add missing titles and a title template by @​taimar in lucide-icons/lucide#3920
• fix(site): unify and improve the styling of input fields by @​taimar in lucide-icons/lucide#3919
• fix(icons): changed star-off icon by @​jguddas in lucide-icons/lucide#3952
• fix(icons): changed tickets-plane icon by @​jguddas in lucide-icons/lucide#3928
• fix(icons): changed monitor-off icon by @​jguddas in lucide-icons/lucide#3962
• fix(icons): changed lasso icon by @​jguddas in lucide-icons/lucide#3961
• fix(icons): changed cloud-off icon by @​jguddas in lucide-icons/lucide#3942
• docs(site): added lucide-web-components third-party package by @​midesweb in lucide-icons/lucide#3948
• chore(deps-dev): bump preact from 10.27.2 to 10.27.3 by @​dependabot[bot] in lucide-icons/lucide#3955
• feat(icon): add globe-x icon with metadata by @​Muhammad-Aqib-Bashir in lucide-icons/lucide#3827
• fix(icons): changed waypoints icon by @​karsa-mistmere in lucide-icons/lucide#3990
• fix(icons): changed bookmark icon by @​jguddas in lucide-icons/lucide#2906
• fix(icons): changed message-square-dashed icon by @​jguddas in lucide-icons/lucide#3959
• fix(icons): changed cloudy icon by @​jguddas in lucide-icons/lucide#3966
• fix(github-actions): resolved spelling mistake in gh issue close command by @​jguddas in lucide-icons/lucide#4000
• Update LICENSE by @​alxgraphy in lucide-icons/lucide#4009
• feat(packages): Added aria-hidden fallback for decorative icons to all packages by @​ericfennis in lucide-icons/lucide#3604
• chore(deps): bump lodash from 4.17.21 to 4.17.23 by @​dependabot[bot] in lucide-icons/lucide#4020
• chore(deps): bump lodash-es from 4.17.21 to 4.17.23 by @​dependabot[bot] in lucide-icons/lucide#4019
• Suggest anchoring to a specific lucide version when using a cdn by @​drago1520 in lucide-icons/lucide#3727
• feat(docs): upgraded backers block by @​karsa-mistmere in lucide-icons/lucide#4014
• fix(site): hide native search input clear "X" icon by @​epifaniofrancisco in lucide-icons/lucide#3933
• feat(icons): added printer-x icon by @​lt25106 in lucide-icons/lucide#3941

New Contributors

• @​dcxo made their first contribution in lucide-icons/lucide#3876
• @​midesweb made their first contribution in lucide-icons/lucide#3948
• @​alxgraphy made their first contribution in lucide-icons/lucide#4009
• @​drago1520 made their first contribution in lucide-icons/lucide#3727
• @​lt25106 made their first contribution in lucide-icons/lucide#3941

Full Changelog: lucide-icons/lucide@0.562.0...0.563.0

Commits

• 67c0485 feat(scripts): added helper script to automatically update OpenCollective bac...
• b6ed43d feat(packages): Added aria-hidden fallback for decorative icons to all packag...
• See full diff in compare view

Updates nuxt from 4.2.2 to 4.3.0

Release notes

Sourced from nuxt's releases.

v4.3.0

4.3.0 is the next minor release.

Nuxt 4.3 brings powerful new features for layouts, caching, and developer experience – plus significant performance improvements under the hood.

📣 Some News

Extended v3 Support

Early this month, I opened a discussion to find out how the upgrade had gone from v3 to v4. I was really pleased to hear how well it had gone for most people.

Having said that, we're committed to making sure no one gets left behind. And so we will continue to provide security updates and critical bug fix releases beyond the previously announced end-of-life date of January 31, 2026, meaning Nuxt v3 will meet its end-of-life on July 31, 2026.

[!TIP] As usual, today also brings a minor release for v3, with many of the same improvements backported from v4.3.

Preparing for Nuxt 5

We're closer than ever to the releases of Nuxt v5 and Nitro v3. In the coming weeks, the main branch of the Nuxt repository will begin receiving initial commits for Nuxt 5. However, it's still business as usual.

• Continue making pull requests to the main branch
• We'll backport changes to the 4.x and 3.x branches

Keep an eye out on the Upgrade Guide – we'll be adding details about how you can already start migrating your projects to prepare for Nuxt v4 with future.compatibilityVersion: 5.

🗂️ Route Rule Layouts

But that's enough about the future. We have a lot of good things for you today!

First, you can now set layouts directly in route rules using the new appLayout property (#31092). This provides a centralized, declarative way to manage layouts across your application without scattering definePageMeta calls throughout your pages.

export default defineNuxtConfig({
  routeRules: {
    '/admin/**': { appLayout: 'admin' },
    '/dashboard/**': { appLayout: 'dashboard' },
    '/auth/**': { appLayout: 'minimal' }
  }
})

This might be useful for:

• Admin panels with a shared layout across many routes
• Marketing pages that need a different layout from the app

[!TIP] Plus, you can pass props to layouts now! See the setPageLayout improvements below.

📦 ISR/SWR Payload Extraction

... (truncated)

Commits

• b5bd7d9 v4.3.0
• fd7a4b0 fix(nuxt): ensure we inline styles for hydrate-never components (#34132)
• 2723020 fix(nuxt): add typeFrom support for imports.d.ts template exports (#34135)
• 8d4f9ba fix(nuxt): force flush useAsyncData debounced execute post watcher flush (#...
• 567a1c6 fix(nuxt): validate placeholder/fallback tags + warn about placeholder/fallba...
• f136022 chore(deps): update all non-major dependencies (main) (#34110)
• 888f0f4 fix(nuxt): add documentation link to server builder error message (#34122)
• d19f1a8 fix(nuxt): force remount suspense when navigating after pending (#33991)
• f3d5bc5 fix(nuxt): decode client-side pathname for non-ASCII route aliases (#34043)
• 37763a5 fix(nuxt): rerender NuxtPage when nested NuxtLayout has explicitly disabl...
• Additional commits viewable in compare view

Updates vue from 3.5.26 to 3.5.27

Release notes

Sourced from vue's releases.

v3.5.27

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

Changelog

Sourced from vue's changelog.

3.5.27 (2026-01-19)

Bug Fixes

• compile-sfc: correctly handle variable shadowing in for loop for defineProps destructuring. (#14296) (6a1bb50), closes #14294
• compiler-sfc: handle indexed access types in declare global blocks (#14260) (e4091fe), closes #14236
• compiler-sfc: use correct scope when resolving indexed access types from external files (#14297) (f0f0a21), closes #14292
• reactivity: collection iteration should inherit iterator instance methods (#12644) (3c8b2fc), closes #12615
• runtime-core: skip patching reserved props for custom elements (#14275) (19cc7e2), closes #14274
• server-renderer: use ssrRenderClass helper for className attribute (#14327) (a4708f3)
• ssr: handle v-bind modifiers during render attrs (#14263) (c2f5964), closes #14262

Commits

• aa9af1d release: v3.5.27
• 35c3608 Revert "fix(runtime-core): resolve kebab-case slot names from in-DOM template...
• 7e554bf fix(runtime-core): resolve kebab-case slot names from in-DOM templates (#14302)
• 0596a5f types(jsx): improve autocomplete type (#14237)
• 19cc7e2 fix(runtime-core): skip patching reserved props for custom elements (#14275)
• c2f5964 fix(ssr): handle v-bind modifiers during render attrs (#14263)
• 3c8b2fc fix(reactivity): collection iteration should inherit iterator instance method...
• e4091fe fix(compiler-sfc): handle indexed access types in declare global blocks (#14260)
• 6a1bb50 fix(compile-sfc): correctly handle variable shadowing in for loop for `define...
• f0f0a21 fix(compiler-sfc): use correct scope when resolving indexed access types from...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions