fix(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending	OpenSSF
@agentclientprotocol/sdk	^0.4.9 → ^0.29.0			dependencies	minor
@biomejs/biome (source)	2.4.9 → 2.5.1			devDependencies	minor
@types/node (source)	24.12.0 → 24.13.2			devDependencies	minor
crate-ci/typos	v1.43.0 → v1.47.2			action	minor
pnpm (source)	10.28.2 → 10.34.4			packageManager	minor
vite (source)	7.3.1 → 7.3.5			devDependencies	patch	7.3.6
zustand	5.0.12 → 5.0.14			dependencies	patch

---

Release Notes

agentclientprotocol/typescript-sdk (@​agentclientprotocol/sdk)

v0.29.0

Compare Source

Features

• unstable: Add support for request cancellation (#​195) (d5197f9)

v0.28.1

Compare Source

Bug Fixes

• Expose peer contexts from app connections (#​190) (d657310)

v0.28.0

Compare Source

Features

• schema: Update to schema v1.14.0 (#​185) (3c619a7)

v0.27.1

Compare Source

Bug Fixes

• node-adapter: Cap HTTP request body size (#​186) (3832d4c)
• node-adapter: harden Node adapter request parsing (220eae6)

v0.27.0

Compare Source

This is a big release! We have rewritten the SDK to have a more ergonomic design for creating new agents and clients. You can read more in the Migration Guide for how to migrate.

For now, you will still have the old interfaces available to ease the migration, but they are deprecated and will be removed in a future release.

Features

• Experimental Streamable HTTP & WebSocket Transport (#​155) (d6a3d88)
• New SDK design (see MIGRATION_0.26_0.27.md) (#​181) (87e2df3)

v0.26.0

Compare Source

Features

• schema: Update to v1.13.7 of the schema (#​179) (34885b6)

v0.25.1

Compare Source

Bug Fixes

• cleanup zod generation (#​170) (be44483)
• Zod type inference errors (#​177) (d9fafa2)

v0.25.0

Compare Source

Features

• schema: stabilize deleteSession (#​168) (2cc77af)

v0.24.0

Compare Source

Features

• Add resilient schema deserialization (#​167) (5864e73)
• schema: Stabilize addl dirs and remove unstable model selectors (#​165) (fa6e302)

v0.23.0

Compare Source

Features

• schema: Stabilize logout and update schema to v0.13.4 (#​163) (cfd900a)

v0.22.1

Compare Source

Bug Fixes

• Event ordering (#​153) (7b63226)

v0.22.0

Compare Source

Features

• unstable: Add session delete handling (#​152) (f9384f5)
• Update schema to v0.13.2 (#​150) (b15960b)

v0.21.1

Compare Source

Bug Fixes

• emit .js extensions in generated schema barrel for nodenext consumers (#​146) (63b96db)

v0.21.0

Compare Source

Features

• unstable: Add providers/* support (#​138) (e234c21)

v0.20.0

Compare Source

Features

• Stabilize closeSession and resumeSession (#​132) (806d307)

v0.19.2

Compare Source

Bug Fixes

• Avoid event loop timing causing out of order messages (#​130) (8f514f3)

v0.19.1

Compare Source

Bug Fixes

• avoid spurious unhandledRejection when transport fails mid-sendRequest (#​122) (b6b2cb4)
• Flush decoder state at end of NDJSON stream (#​119) (4e1b07a)
• Use TypeScript private keyword instead of ES #private fields (#​127) (c6e6ee2)

v0.19.0

Compare Source

Features

• unstable: Initial unstable elicitation support (#​113) (bf259e9)

v0.18.2

Compare Source

Bug Fixes

• propagate input stream errors through ndJsonStream (#​111) (f57a8d1)

v0.18.1

Compare Source

Bug Fixes

• Handle ACP connection transport failures cleanly (#​103) (028ee3f)

v0.18.0

Compare Source

Features

• unstable: Add initial additionalDirectories and NES support (#​104) (43cde3b)

v0.17.1

Compare Source

Bug Fixes

• Make sure we use zod/v4 path for imports (#​99) (e632d3b)

v0.17.0

Compare Source

Features

• schema: Update schema to 0.11.3 (#​88) (0fe246e)

v0.16.1

Compare Source

Bug Fixes

• unstable: Fixes for session/close capabilities (#​85) (e8721b7)

v0.16.0

Compare Source

Features

• add unstable session/close (#​81) (2c9bc77)
• Stabilize unstable_listSessions to listSessions (#​84) (9e89bbc)

v0.15.0

Compare Source

Features

• Update to 0.11.0 of the schema (#​79) (2763d63)

Bug Fixes

• use npx.cmd on Windows in client example (#​68) (fdc7815)

v0.14.1

Compare Source

Bug Fixes

• inconsistent bigint vs number in zod and schema (#​66) (5e3c342)

v0.14.0

Compare Source

Features

• Stabilize Session Config Options (#​64) (15806a2)

v0.13.1

Compare Source

Bug Fixes

• schema: Update to schema v0.10.7 (#​58) (ade1b68)

v0.13.0

Compare Source

Features

• (breaking) no more auto underscoring of extension methods (#​55) (ec4b095)
• add unstable session config option handling (#​56) (ec7bb47)
• Update to 0.10.6 of the schema (#​53) (766964e)

v0.12.0

Compare Source

Features

• unstable: add list sessions method (#​47) (2efd404)
• Update to 0.10.4 of the schema (#​49) (6c44fb2)

v0.11.0

Compare Source

Features

• unstable: add resumeSession support (#​41) (721c450)

v0.10.0

Compare Source

Features

• Update to 0.10.2 of the schema (#​39) (0773dde)

v0.9.0

Compare Source

Features

• Update to 0.10.1 of the schema (#​36) (210392b)
• Unstable: add unstable forkSession support (#​37) (16262ef
  )

v0.8.0

Compare Source

Features

• Update to 0.10 of the schema (#​31) (f026432)

v0.7.0

Compare Source

Features

• Update to v0.9.1 of the schema (#​28) (6166944)

v0.6.0

Compare Source

Updates to the latest version of the ACP JSON Schema, v0.8.0

This update provides much improved schema interfaces. The migration should be minimal because in TypeScript the interfaces should be functionally equivalent. But there may be some areas where the types are now more informative to the compiler and will hopefully help you catch errors earlier.

v0.5.1

Compare Source

• Add ability for agents and clients to provide information about their implementation
• Fix incorrectly serialized _meta field on SetSessionModeResponse

v0.5.0

Compare Source

• Provide access to an AbortSignal and closed promise on connections so you can wait for the connection to close and handle any other cleanup tasks you need for a graceful shutdown. #​11
• Allow for more customization of error messages: #​12
• Update to latest ACP JSON Schema: #​10

biomejs/biome (@​biomejs/biome)

v2.5.1

Compare Source

Patch Changes

• #​10722 f8a303d Thanks @​denbezrukov! - Fixed CSS formatter output for comments between import media queries.

  -@​import url("print.css") print,
  -/* comment */
  -screen;
  +@​import url("print.css") print, /* comment */ screen;

• #​10738 9fdc560 Thanks @​JamBalaya56562! - Fixed #​9899: the json and json-pretty reporters now escape backslashes in a diagnostic's location.path. Previously, paths containing backslashes (such as Windows-style paths) were emitted unescaped, producing invalid JSON.

  -    "path": "src\account\setup-passkey.tsx",
  +    "path": "src\\account\\setup-passkey.tsx",

• #​10626 5f837df Thanks @​tom-groves! - Fixed #​10625: biome migrate no longer emits an invalid trailing comma when a renamed rule (such as noConsoleLog → noConsole) is the last member of its rule group. Previously this produced malformed output that aborted the migration of a strict-JSON biome.json with a parsing error.

• #​10535 c245f9d Thanks @​Mokto! - Fixed a false positive in noUnusedVariables for Svelte files where variables referenced inside {@​html expr} blocks were incorrectly reported as unused.

• #​10668 a0f197e Thanks @​Netail! - The biome init command has been updated to include a more up-to-date URL to the first-party extensions page.

• #​10667 d8c3e87 Thanks @​Netail! - Fixed #​10664: useErrorCause now correctly detects a shorthand property.

• #​10696 ef2373f Thanks @​ematipico! - Fixed #​9566. Improved how the Biome Language Server loads multiple configuration files inside a workspace.

• #​10705 4ccb410 Thanks @​ematipico! - Fixed #​10652. Biome plugins are now properly filtered when using --only and --skip flags.

• #​10669 aa0a6eb Thanks @​Netail! - Fixed #​10651: useInlineScriptId now correctly trims trivia to detect if an id attribute has been set.

• #​10689 844b1be Thanks @​ematipico! - Fixed #​10658. The issue was caused by the "Go-to definition" editor feature, which was enabled by default. The feature is now disabled by default. To work, the feature triggers the scanner to build the module graph. This caused memory leak issues in cases where Biome starts in the home directory to modify files.

  If you relied on this new feature, you must now turn on using the [editor settings] of the extension e.g. Zed and VSCode.

• #​10695 043fbb5 Thanks @​ematipico! - Fixed #​10674. Biome now throws an error when the field level is missing from a rule option.

• #​10712 5941df2 Thanks @​Conaclos! - Improved the diagnostic and the documentation of useFlatMap.

• #​10615 23814f1 Thanks @​qwertycxz! - Improved the DX the JSON schema when it's used by certain code editors like VSCode.

• #​10688 ec69489 Thanks @​ematipico! - Fixed a bug where the Biome Daemon did not correctly shut down when the editor was closed during an in-progress operation, especially while scanning.

• #​10701 6c2e0d7 Thanks @​ematipico! - Fixed #​10694. The Biome Language Server no longer prints an error when the user hovers a variable imported from node_modules.

• #​10681 888515b Thanks @​Conaclos! - Fixed useExportType that reported useless details in some diagnostics.

• #​10220 3694a13 Thanks @​theBGuy! - Fixed useAnchorContent false positive for <a> elements used as render prop values (e.g. render={<a href="..." />}), a pattern where the receiving component renders its children inside the anchor element.

• #​10702 98823fb Thanks @​ematipico! - Fixed #​10612. The Biome parser now correctly parses processing instructions. The following SVG doesn't throw errors anymore:

  <?xml version="1.0" encoding="UTF-8" ?>
  
  <svg></svg>

v2.5.0

Compare Source

Minor Changes

• #​9539 f0615fd Thanks @​ematipico! - Added a new reporter called concise. When --reporter=concise is passed the commands format, lint, check and ci, the diagnostics are printed in a compact manner:

  ! index.ts:2:10: lint/correctness/noUnusedImports: Several of these imports are unused.
  ! main.ts:9:7: lint/correctness/noUnusedVariables: This variable f is unused.
  × index.ts:8:5: lint/suspicious/noImplicitAnyLet: This variable implicitly has the any type.
  × main.ts:2:10: lint/suspicious/noRedeclare: Shouldn't redeclare 'z'. Consider to delete it or rename it.
  

• #​9495 2056b23 Thanks @​aviraldua93! - Added the useKeyWithClickEvents a11y lint rule for HTML files (.html, .vue, .svelte, .astro). This is a port of the existing JSX rule. The rule enforces that elements with an onclick handler also have at least one keyboard event handler (onkeydown, onkeyup, or onkeypress) to ensure keyboard accessibility.

  Inherently keyboard-accessible elements (<a>, <button>, <input>, <select>, <textarea>, <option>) are excluded, as are elements hidden from assistive technologies (aria-hidden) or with role="presentation" / role="none".

  <!-- Invalid: no keyboard handler -->
  <div onclick="handleClick()">Click me</div>
  
  <!-- Valid: has keyboard handler -->
  <div onclick="handleClick()" onkeydown="handleKeyDown()">Click me</div>
  
  <!-- Valid: inherently keyboard-accessible -->
  <button onclick="handleClick()">Submit</button>

• #​9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUndeclaredClasses for HTML, JSX, and SFC files (Vue, Astro, Svelte). The rule detects CSS class names used in class="..." (or className) attributes that are not defined in any <style> block or linked stylesheet reachable from the file.

  <!-- .typo is used but never defined -->
  <html>
    <head>
      <style>
        .button {
          color: blue;
        }
      </style>
    </head>
    <body>
      <div class="button typo"></div>
    </body>
  </html>

• #​9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.

  /* styles.css — .ghost is never used in any importing file */
  .button {
    color: blue;
  }
  .ghost {
    color: red;
  }

  /* App.jsx */
  import "./styles.css";
  export default () => <div className="button" />;

• #​9546 6567efa Thanks @​nhedger! - Added a biome upgrade command for standalone installations. It upgrades Homebrew installs with brew upgrade biome, updates manually installed binaries from the latest GitHub release, and tells npm users to upgrade with their package manager instead.

• #​9716 701767a Thanks @​faizkhairi! - Added the HTML version of the useHeadingContent rule. The rule now enforces that heading elements (h1-h6) have content accessible to screen readers in HTML, Vue, Svelte, and Astro files.

  <!-- Invalid: empty heading -->
  <h1></h1>
  
  <!-- Invalid: heading hidden from screen readers -->
  <h1 aria-hidden="true">invisible content</h1>
  
  <!-- Valid: heading with text content -->
  <h1>heading</h1>
  
  <!-- Valid: heading with accessible name -->
  <h1 aria-label="Screen reader content"></h1>

• #​9582 f437ef8 Thanks @​rahuld109! - Added the HTML version of the useKeyWithMouseEvents rule. The rule now enforces that onmouseover is accompanied by onfocus and onmouseout is accompanied by onblur in HTML, Vue, Svelte, and Astro files.

  <!-- Invalid: onmouseover without onfocus -->
  <div onmouseover="handleMouseOver()"></div>
  
  <!-- Valid: onmouseover paired with onfocus -->
  <div onmouseover="handleMouseOver()" onfocus="handleFocus()"></div>

• #​9275 1fdbcee Thanks @​ff1451! - Added the new assist action useSortedTypeFields, which sorts the fields of GraphQL object types, interface types and input object types alphabetically, e.g. name, age, id becomes age, id, name.

• #​10561 78075b7 Thanks @​Conaclos! - Added a new style option to useExportType,
  which enforces a style for exporting types.
  This is the same option as the one provided by useImportType.

• #​8987 d16e32b Thanks @​DerTimonius! - Ported the useValidAnchor rule to HTML. This rule enforces that all anchors are valid and that they are navigable elements.

• #​9533 4d251d4 Thanks @​ematipico! - The init command now prints the Biome logo.

• #​10069 0eb9310 Thanks @​Netail! - Added the HTML lint rule noStaticElementInteractions, which enforces that static, visible elements (such as <div>) that have click handlers use the valid role attribute.

  Invalid:

  <div onclick="myFunction()"></div>

• #​9134 2a43488 Thanks @​ematipico! - Added the assist action useSortedPackageJson.

  This action organizes package.json fields according to the same conventions as the popular sort-package-json tool.

• #​9309 7daa18b Thanks @​Bertie690! - The allowDoubleNegation option has been added to noImplicitCoercions to allow ignoring double negations inside code.

  With the option enabled, the following example is considered valid and is ignored by the rule:

  const truthy = !!value;

• #​9700 894f3fb Thanks @​ematipico! - The Biome Language server now supports the "go-to definition" feature.

  When the cursor of the mouse is hovering an entity (variable, CSS class, type, etc.), and the command CTRL + click is triggered, the editor jumps to where this entity is defined, if the language server can find it.

  Here's what Biome is able to resolve:

  • Variables and types used in JavaScript modules, defined in the same file or imported from another module.
  • JSX Components used in JavaScript modules, defined in the same file or imported from another module.
  • CSS classes used in JSX and HTML-ish files (Vue, Svelte and Astro), and defined in CSS files.
  • Components used in HTML-ish files and defined in other HTML-ish.
  • Variables used in HTML-ish files and defined in the same file or imported from another module (JavaScript or HTML-ish).

• #​10070 bae0710 Thanks @​Conaclos! - Added the :STYLE: group matcher for organizeImports that matches style imports.

  For example, the following configuration...

  {
    "assist": {
      "actions": {
        "source": {
          "organizeImports": {
            "level": "on",
            "options": {
              "groups": ["**", "!:STYLE:"],
              "sortBareImports": true
            }
          }
        }
      }
    }
  }

  ...places style imports last:

  - import "./style.css"
    import A from "./a.js"
  + import "./style.css"

• #​9170 e3107de Thanks @​mdrobny! - Added bundleDependencies option to NoUndeclaredDependencies rule.

  This rule now supports imports of packages that are defined only in bundleDependencies and bundledDependencies arrays.

• #​9547 01f8473 Thanks @​mujpao! - Added new assist rule useSortedAttributes for HTML, porting the existing JSX rule. This rule enforces sorted HTML attributes.

  Invalid

  <input type="text" id="name" name="name" />

• #​9366 2ca1117 Thanks @​dyc3! - Added the html.parser.vue configuration option. When enabled, it adds support for the parsing of Vue in .html files. Most Vue users don't need to enable this option since Vue files typically use the .vue extension, but it can be useful for projects that embed Vue syntax in regular HTML files.

• #​9073 74b20ee Thanks @​chocky335! - Added support for applying GritQL plugin rewrites as code actions. GritQL plugins that use the rewrite operator (=>) now produce fixable diagnostics for JavaScript, CSS, and JSON files. By default, plugin rewrites are treated as unsafe fixes and require --write --unsafe to apply. Plugin authors can pass fix_kind = "safe" to register_diagnostic() to mark a fix as safe, allowing it to be applied with just --write.

  Example plugin (useConsoleInfo.grit):

  language js
  
  `console.log($msg)` as $call where {
      register_diagnostic(span = $call, message = "Use console.info instead of console.log.", severity = "warn", fix_kind = "safe"),
      $call => `console.info($msg)`
  }
  

  Running biome check --write applies safe rewrites. Unsafe rewrites (the default, or fix_kind = "unsafe") still require --write --unsafe.

• #​9384 f4c9edc Thanks @​Conaclos! - Added the sortBareImports option to organizeImports,
  which allows bare imports to be sorted within other imports when set to false.

  {
    "assist": {
      "actions": {
        "source": {
          "organizeImports": {
            "level": "on",
            "options": { "sortBareImports": true }
          }
        }
      }
    }
  }

  - import "b";
    import "a";
  + import "b";
    import { A } from "a";
  + import "./file";
    import { Local } from "./file";
  - import "./file";

• #​8731 e7872bf Thanks @​siketyan! - Added the watch mode (--watch) to the CLI for check/format/lint commands. By enabling this option, Biome will re-run the check automatically when any file in the workspace has changed after the first run.

• #​10106 9b35f78 Thanks @​ematipico! - Biome can now format and lint .svg files.

• #​9967 e9b6c17 Thanks @​dyc3! - Added HTML support for noExcessiveLinesPerFile. Biome now reports HTML files that exceed the configured line limit, including when skipBlankLines is enabled.

• #​9491 b3eb63c Thanks @​IxxyDev! - Added the HTML lint rule noAriaUnsupportedElements. This rule enforces that elements that do not support ARIA roles, states, and properties (meta, html, script, style) do not have role or aria-* attributes.

  <!-- Invalid: meta does not support aria attributes -->
  <meta charset="UTF-8" role="meta" />

• #​9306 afd57a6 Thanks @​viraxslot! - Added the noNoninteractiveTabindex lint rule for HTML. This rule enforces that tabindex is not used on non-interactive elements, as it can cause usability issues for keyboard users.

  <div tabindex="0">Invalid: non-interactive element</div>
  `

• #​9276 6d041d9 Thanks @​IxxyDev! - Added the HTML lint rule noRedundantRoles. This rule enforces that explicit role attributes are not the same as the implicit/default role of an HTML element. It supports HTML, Vue, Svelte, and Astro files.

  <!-- Invalid: role="button" is redundant on <button> -->
  <button role="button"></button>

• #​9813 69aadc2 Thanks @​ematipico! - Added a new linter configuration called preset. With the new option, users can enable different kinds of rules at once.

  The following presets are available:

  • "recommended": it enables all Biome-recommended rules, or recommended rules of a group;
  • "all": it enables all Biome rules, or enables all rules of a group;
  • "none": it disables all Biome rules, or disable all rules of a group.

  You can enable recommended rules:

  {
    "linter": {
      "rules": {
        "preset": "recommended"
      }
    }
  }

  You can enable all rules at once:

  {
    linter: {
      rules: {
        preset: "all", // enables all rules
      },
    },
  }

  Or enable all rules for a group:

  {
    linter: {
      rules: {
        style: {
          preset: "all", // enables all rules in the style group
        },
      },
    },
  }

  This new option, however, doesn't affect how nursery rules work. Nursery rules must be enabled singularly, due to their nature.

  This new option is meant to replace recommended, so make sure to run the migrate command.

• #​10022 3422d71 Thanks @​Netail! - Added the HTML lint rule noNoninteractiveElementToInteractiveRole, which enforces that interactive ARIA roles are not assigned to non-interactive HTML elements.

  Invalid:

  <h1 role="checkbox"></h1>

• #​8396 13785fc Thanks @​apple-yagi! - Biome now supports pnpm catalogs (default and named) when resolving dependencies for linting. This behavior is opt-i

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

 ERR_PNPM_NO_MATURE_MATCHING_VERSION  Version 0.29.0 (released 4 days ago) of @agentclientprotocol/sdk does not meet the minimumReleaseAge constraint

This error happened while installing a direct dependency of /tmp/renovate/repos/github/marimo-team/use-acp

The latest release of @agentclientprotocol/sdk is "1.0.0". Published at 6/24/2026

If you need the full list of all 45 published versions run "pnpm view @agentclientprotocol/sdk versions".

If you want to install the matched version ignoring the time it was published, you can add the package name to the minimumReleaseAgeExclude setting. Read more about it: https://pnpm.io/settings#minimumreleaseageexclude