chore(deps): bump the bun-minor-patch group across 1 directory with 5 updates

[dependabot]

Bumps the bun-minor-patch group with 5 updates in the / directory:

Package	From	To
@anthropic-ai/claude-agent-sdk	0.3.177	0.3.186
@statelyai/inspect	0.7.1	0.7.2
xstate	5.32.1	5.32.2
@biomejs/biome	2.5.0	2.5.1
knip	6.16.1	6.18.0

Updates @anthropic-ai/claude-agent-sdk from 0.3.177 to 0.3.186

Release notes

Sourced from @​anthropic-ai/claude-agent-sdk's releases.

v0.3.186

What's changed

• Added agent_id field to can_use_tool control requests — background agents now forward permission prompts to canUseTool instead of auto-denying, and stdin stays open while background tasks are running
• Added ReadMcpResourceDirTool tool type to SDK schemas — MCP resource directory listing is now a dedicated tool instead of a fallback inside ReadMcpResourceTool
• Added rewind_conversation control request for rewinding a conversation to a previous point with durable resume anchor support

Update

npm install @anthropic-ai/claude-agent-sdk@0.3.186
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.186
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.186
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.186

v0.3.185

What's changed

• Updated to parity with Claude Code v2.1.185

Update

npm install @anthropic-ai/claude-agent-sdk@0.3.185
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.185
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.185
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.185

v0.3.183

What's changed

• Updated to parity with Claude Code v2.1.183

Update

npm install @anthropic-ai/claude-agent-sdk@0.3.183
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.183
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.183
# or
</tr></table> 

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-agent-sdk's changelog.

0.3.186

• Added agent_id field to can_use_tool control requests — background agents now forward permission prompts to canUseTool instead of auto-denying, and stdin stays open while background tasks are running
• Added ReadMcpResourceDirTool tool type to SDK schemas — MCP resource directory listing is now a dedicated tool instead of a fallback inside ReadMcpResourceTool
• Added rewind_conversation control request for rewinding a conversation to a previous point with durable resume anchor support

0.3.185

• Updated to parity with Claude Code v2.1.185

0.3.184

• Updated to parity with Claude Code v2.1.184

0.3.183

• Updated to parity with Claude Code v2.1.183

0.3.182

• Updated to parity with Claude Code v2.1.182

0.3.181

• Added errorCode, canUserPurchaseCredits, and hasChargeableSavedPaymentMethod fields to SDKRateLimitInfo for detecting credits-required rate limits
• Added tool_use_meta.icon_url to assistant messages, populated from MCP server directory metadata
• Fixed SDK-hosted Remote Control sessions dropping file_attachments from inbound user messages

0.3.180

• Updated to parity with Claude Code v2.1.180

0.3.179

• Added optional tool_use_meta sidecar to assistant messages with display-friendly names for tool calls, so SDK consumers can render human-readable labels instead of raw wire names
• Fixed -p mode exiting before a completed background agent's notification was delivered, causing interim text to ship as the final result
• Fixed remote (stream-json) sessions appearing busy for the entire duration of a background workflow — the turn result is now emitted at the turn boundary and the session reports idle while background tasks continue

0.3.178

• Spawn failures on an existing native binary now explain the likely libc mismatch (musl binary on a glibc host) and suggest options.pathToClaudeCodeExecutable
• Permission-denied advisory messages now carry typed denial reasons (safetyCheck, asyncAgent), enabling SDK consumers to programmatically match denial causes
• Fixed UserPromptSubmit hook block feedback not being emitted to the SDK event stream — consumers can now see why a prompt was blocked by a hook instead of a silent hang
• Remote Control workers now send a worker_shutting_down system message on graceful exit so remote clients can show why the session ended
• Fixed MCP server-level specs (mcp__server, mcp__server__*) in disallowedTools being silently ignored — they now correctly remove all tools from the named server

Commits

• 42f6772 chore: Update CHANGELOG.md
• 810e709 chore: Update CHANGELOG.md
• fc84d93 chore: Update CHANGELOG.md
• 4d3840c chore: Update CHANGELOG.md
• 32753ee chore: Update CHANGELOG.md
• 38722be chore: Update CHANGELOG.md
• See full diff in compare view

Updates @statelyai/inspect from 0.7.1 to 0.7.2

Release notes

Sourced from @​statelyai/inspect's releases.

v0.7.2

Patch Changes

• #56 816a1a1 Thanks @​davidkpiano! - Remove the uuid dependency in favor of the platform-native crypto.randomUUID(), clearing CVE-2026-41907 flagged by downstream security scanners. A #uuid subpath import resolves to node:crypto in Node and the global crypto in browser/worker environments.

Changelog

Sourced from @​statelyai/inspect's changelog.

0.7.2

Patch Changes

• #56 816a1a1 Thanks @​davidkpiano! - Remove the uuid dependency in favor of the platform-native crypto.randomUUID(), clearing CVE-2026-41907 flagged by downstream security scanners. A #uuid subpath import resolves to node:crypto in Node and the global crypto in browser/worker environments.

Commits

• d72a7fc Merge pull request #57 from statelyai/changeset-release/main
• b7292cb Version Packages
• 9a2584a Merge pull request #56 from statelyai/davidkpiano/uuid-fix
• aefc757 Don't use baseUrl
• 816a1a1 Fix UUID issue
• See full diff in compare view

Updates xstate from 5.32.1 to 5.32.2

Release notes

Sourced from xstate's releases.

xstate@5.32.2

Patch Changes

• #5548 8a53531 Thanks @​JSap0914! - fix(core): fall back to wildcard event descriptors when an exact descriptor's guard fails

  When a state has both an exact event descriptor (e.g. "foo.bar") and a matching wildcard descriptor (e.g. "foo.*"), transitions from the exact descriptor are now tried first; if all their guards fail, matching wildcard descriptor transitions are tried as fallback. Previously, the presence of an exact match would prevent any wildcard fallback from being considered, leaving the machine in its current state when the exact descriptor's guard failed.

Commits

• 229d976 Version Packages (#5550)
• 8a53531 fix(core): fall back to wildcard descriptors when exact guard fails (#5548)
• c35cb81 Version Packages (#5541)
• 28c9961 [@​xstate/store] Add store effect trigger (#5537)
• See full diff in compare view

Updates @biomejs/biome from 2.5.0 to 2.5.1

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.5.1

2.5.1

Patch Changes

• #10722 f8a303d Thanks @​denbezrukov! - Fixed CSS formatter output for comments between import media queries.

  -@import url("print.css") print,
  -/* comment */
  -screen;
  +@import url("print.css") print, /* comment */ screen;

• #10738 9fdc560 Thanks @​JamBalaya56562! - Fixed #9899: the json and json-pretty reporters now escape backslashes in a diagnostic's location.path. Previously, paths containing backslashes (such as Windows-style paths) were emitted unescaped, producing invalid JSON.

  -    "path": "src\account\setup-passkey.tsx",
  +    "path": "src\\account\\setup-passkey.tsx",

• #10626 5f837df Thanks @​tom-groves! - Fixed #10625: biome migrate no longer emits an invalid trailing comma when a renamed rule (such as noConsoleLog → noConsole) is the last member of its rule group. Previously this produced malformed output that aborted the migration of a strict-JSON biome.json with a parsing error.

• #10535 c245f9d Thanks @​Mokto! - Fixed a false positive in noUnusedVariables for Svelte files where variables referenced inside {@html expr} blocks were incorrectly reported as unused.

• #10668 a0f197e Thanks @​Netail! - The biome init command has been updated to include a more up-to-date URL to the first-party extensions page.

• #10667 d8c3e87 Thanks @​Netail! - Fixed #10664: useErrorCause now correctly detects a shorthand property.

• #10696 ef2373f Thanks @​ematipico! - Fixed #9566. Improved how the Biome Language Server loads multiple configuration files inside a workspace.

• #10705 4ccb410 Thanks @​ematipico! - Fixed #10652. Biome plugins are now properly filtered when using --only and --skip flags.

• #10669 aa0a6eb Thanks @​Netail! - Fixed #10651: useInlineScriptId now correctly trims trivia to detect if an id attribute has been set.

• #10689 844b1be Thanks @​ematipico! - Fixed #10658. The issue was caused by the "Go-to definition" editor feature, which was enabled by default. The feature is now disabled by default. To work, the feature triggers the scanner to build the module graph. This caused memory leak issues in cases where Biome starts in the home directory to modify files.

  If you relied on this new feature, you must now turn on using the [editor settings] of the extension e.g. Zed and VSCode.

• #10695 043fbb5 Thanks @​ematipico! - Fixed #10674. Biome now throws an error when the field level is missing from a rule option.

• #10712 5941df2 Thanks @​Conaclos! - Improved the diagnostic and the documentation of useFlatMap.

• #10615 23814f1 Thanks @​qwertycxz! - Improved the DX the JSON schema when it's used by certain code editors like VSCode.

• #10688 ec69489 Thanks @​ematipico! - Fixed a bug where the Biome Daemon did not correctly shut down when the editor was closed during an in-progress operation, especially while scanning.

• #10701 6c2e0d7 Thanks @​ematipico! - Fixed #10694. The Biome Language Server no longer prints an error when the user hovers a variable imported from node_modules.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.5.1

Patch Changes

• #10722 f8a303d Thanks @​denbezrukov! - Fixed CSS formatter output for comments between import media queries.

  -@import url("print.css") print,
  -/* comment */
  -screen;
  +@import url("print.css") print, /* comment */ screen;

• #10738 9fdc560 Thanks @​JamBalaya56562! - Fixed #9899: the json and json-pretty reporters now escape backslashes in a diagnostic's location.path. Previously, paths containing backslashes (such as Windows-style paths) were emitted unescaped, producing invalid JSON.

  -    "path": "src\account\setup-passkey.tsx",
  +    "path": "src\\account\\setup-passkey.tsx",

• #10626 5f837df Thanks @​tom-groves! - Fixed #10625: biome migrate no longer emits an invalid trailing comma when a renamed rule (such as noConsoleLog → noConsole) is the last member of its rule group. Previously this produced malformed output that aborted the migration of a strict-JSON biome.json with a parsing error.

• #10535 c245f9d Thanks @​Mokto! - Fixed a false positive in noUnusedVariables for Svelte files where variables referenced inside {@html expr} blocks were incorrectly reported as unused.

• #10668 a0f197e Thanks @​Netail! - The biome init command has been updated to include a more up-to-date URL to the first-party extensions page.

• #10667 d8c3e87 Thanks @​Netail! - Fixed #10664: useErrorCause now correctly detects a shorthand property.

• #10696 ef2373f Thanks @​ematipico! - Fixed #9566. Improved how the Biome Language Server loads multiple configuration files inside a workspace.

• #10705 4ccb410 Thanks @​ematipico! - Fixed #10652. Biome plugins are now properly filtered when using --only and --skip flags.

• #10669 aa0a6eb Thanks @​Netail! - Fixed #10651: useInlineScriptId now correctly trims trivia to detect if an id attribute has been set.

• #10689 844b1be Thanks @​ematipico! - Fixed #10658. The issue was caused by the "Go-to definition" editor feature, which was enabled by default. The feature is now disabled by default. To work, the feature triggers the scanner to build the module graph. This caused memory leak issues in cases where Biome starts in the home directory to modify files.

  If you relied on this new feature, you must now turn on using the [editor settings] of the extension e.g. Zed and VSCode.

• #10695 043fbb5 Thanks @​ematipico! - Fixed #10674. Biome now throws an error when the field level is missing from a rule option.

• #10712 5941df2 Thanks @​Conaclos! - Improved the diagnostic and the documentation of useFlatMap.

• #10615 23814f1 Thanks @​qwertycxz! - Improved the DX the JSON schema when it's used by certain code editors like VSCode.

• #10688 ec69489 Thanks @​ematipico! - Fixed a bug where the Biome Daemon did not correctly shut down when the editor was closed during an in-progress operation, especially while scanning.

• #10701 6c2e0d7 Thanks @​ematipico! - Fixed #10694. The Biome Language Server no longer prints an error when the user hovers a variable imported from node_modules.

• #10681 888515b Thanks @​Conaclos! - Fixed useExportType that reported useless details in some diagnostics.

... (truncated)

Commits

• ffe7d33 chore: revert
• 564d660 chore: revert
• 0abf1a5 ci: release (#10627)
• 23814f1 chore(biome_configuration): add allowTrailingCommas to json-schema to make VS...
• a0f197e chore: dead and old links (#10668)
• See full diff in compare view

Updates knip from 6.16.1 to 6.18.0

Release notes

Sourced from knip's releases.

Release 6.18.0

• Update dependencies (pin oxc-resolver) (7dda4eccc65c6d61ef2546442eb752b2a73edab9)
• Resolve tsconfig paths for non-TS importers independent of oxc ownership (3b71565e72107d43cbd6d2ddec7ab2fbbf65c001)
• Format (64865f8247b8956def52f1a387234562fbddd667)
• Fix false positive for Vitest mocks (#1802) (ec93e2013deb53902b406463b30fa6386445f9c9) - thanks @​remcohaszing!
• Mark npx-run binaries optional unless --no-install (resolve #1803) (203c31e1b2bd77eb9c94f82121f353fbf0671c67)
• Ignore pnpm [WARN] lines in ecosystem snapshots (392835a39b9429a3d85d712025da4c6531b8ece6)
• Update slonik snapshot (62d802bf8d53d7790f6322f481a290e09812cbcc)
• Update Jest entry patterns for Jest 30 (#1808) (d2caeddf32ba99ca12e5c26e891b7974392f981a) - thanks @​gwagjiug!
• Report stale workspaces configuration keys as configuration hints (#1807) (9083c16b3313fbebf5cb3cd11cadf45ac773bc3d) - thanks @​WooWan!

Release 6.17.2

• Fix up jest plugin (63dbd653b6e1be08a36401f5f728b351ab69e81b)
• Detect coverage provider from bare vitest --coverage flag (#1800) (dc11d9fc5458e6e1f734013eb82403eab07af2c1) - thanks @​WooWan!
• Don't disable configuration hints in workspace-scoped runs (#1791) (8ce1ec8160a786dad90903e43c3ef646ffba9464) - thanks @​WooWan!
• Detect react-email v6 packages from non-numeric version ranges (resolve #1798) (27a1caeb1bff6abcccd7140c7e92e4a57197ad47)
• Discover workspaces included after a negated pattern (resolve #1797) (630e152f6f687d9404cc25ffa01f0d49737d9229)

Release 6.17.1

• Remove ignoreBinaries w/ tar (b13d0ca1ce0a201b7e66f725039d9f346b4d424e)
• Wrap up docs/refs (29f3e46cc765a70643bcf2ef96e940ff371f39c6)
• Update dependencies (7b2f3458176110900204fa49e50650ac50d1f4db)
• Fix up vscode-languageclient imports (820c2335ca63f329f862eb8ec5c264bd8d5f09eb)

Release 6.17.0

• chore(mcp): add package metadata links (#1783) (e3d93b930) - thanks @​sh962214-hub!
• fix(capacitor): detect iOS platform with Swift Package Manager (#1787) (e6cc533a8) - thanks @​jthrilly!
• Support ignoreIssues per workspace (resolve #1782) (15a329a05)
• Add commitlint.config.mts (resolve #1784) (fa8eb6da8)
• Treat scoped and tilde SCSS imports as packages (resolve #1786) (98aa9623e)
• Add followCursor setting for Imports/Exports views (resolve #1788) (67a0be89f)
• Flag undeclared sibling imports in published workspaces (resolve #1792) (aeabff789)
• Fix type-check errors in vscode-knip (12f266e94)
• Note Markdown formatting with pnpm remark (bdffeec0d)
• Bump some doc-related dependencies (333419303)
• Update vscode-knip tool descriptions (be341788c)
• Overhaul docs (55e3f3bda)
• Improve mcp guidance (67483f0ac)
• Fix repeated --fix-type arg (9bb0512ca)
• Resolve module paths from selected tsconfig (resolve #1794) (1c2f39833)
• Update sanity snapshot (4ebce9c50)
• Add tar to globally ignored binaries (resolve #1796) (8c028e5fb)

Commits

• 7bfd556 Release knip@6.18.0
• 9083c16 Report stale workspaces configuration keys as configuration hints (#1807)
• d2caedd Update Jest entry patterns for Jest 30 (#1808)
• 203c31e Mark npx-run binaries optional unless --no-install (resolve #1803)
• ec93e20 Fix false positive for Vitest mocks (#1802)
• 64865f8 Format
• 3b71565 Resolve tsconfig paths for non-TS importers independent of oxc ownership
• 7dda4ec Update dependencies (pin oxc-resolver)
• 4198053 Release knip@6.17.2
• 630e152 Discover workspaces included after a negated pattern (resolve #1797)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-code-quality]

Code Coverage Overview

Languages: TypeScript

TypeScript / unit

The overall coverage remains at 88%, unchanged from the main branch.

---

_{Code Coverage is in Public Preview. Learn more and provide us with your feedback.}