fix: bump the version-updates group across 1 directory with 9 updates

[dependabot]

Bumps the version-updates group with 9 updates in the / directory:

Package	From	To
@reduxjs/toolkit	2.9.0	2.9.2
dompurify	3.2.7	3.3.0
@testing-library/jest-dom	6.8.0	6.9.1
commander	14.0.1	14.0.2
esbuild	0.25.10	0.25.11
eslint-plugin-react-refresh	0.4.22	0.4.24
rollup	4.52.3	4.52.5
typescript	5.9.2	5.9.3
typescript-eslint	8.45.0	8.46.2

Updates @reduxjs/toolkit from 2.9.0 to 2.9.2

Release notes

Sourced from @​reduxjs/toolkit's releases.

v2.9.2

This bugfix release fixes a potential internal data leak in SSR environments, improves handling of headers in fetchBaseQuery, improves retry handling for unexpected errors and request aborts, and fixes a longstanding issue with prefetch leaving an unused subscription. We've also shipped a new graphqlRequestBaseQuery release with updated dependencies and better error handling.

Changelog

Internal Subscription Handling

We had a report that a Redux SSR app had internal subscription data showing up across different requests. After investigation, this was a bug introduced by the recent RTKQ perf optimizations, where the internal subscription fields were hoisted outside of the middleware setup and into createApi itself. This meant they existed outside of the per-store-instance lifecycle. We've reworked the logic to ensure the data is per-store again. We also fixed another issue that miscalculated when there was an active request while checking for cache entry cleanup.

Note that no actual app data was leaked in this case, just the internal subscription IDs that RTKQ uses in its own middleware to track the existence of subscriptions per cache entry.

fetchBaseQuery Headers

We've updated fetchBaseQuery to avoid setting content-type in cases where a non-JSONifiable value like FormData is being passed as the request body, so that the browser can set that content type itself. It also now sets the accept header based on the selected responseHandler (JSON or text).

retry Behavior and Cleanup

The retry util now respects the maxRetries option when catching unknown errors in addition to the existing known errors logic. It also now checks the request's AbortSignal and will stop retrying if aborted.

In conjunction with that, dispatching resetApiState will now abort all in-flight requests.

The prefetch util and usePrefetch hook had a long-standing issue where they would create a subscription for a cache entry, but there was no way to clean up that subscription. This meant that the cache entry was effectively permanent. They now initiate the request without adding a subscription. This will fetch the cache entry and leave it in the store for the keepUnusedDataFor period as intended, giving your app time to actually subscribe to the value (such as prefetching the cache entry in a route handler, and then subscribing in a component).

graphqlRequestBaseQuery

We've published @rtk-query/graphql-request-base-query v2.3.2, which updates the graphql-request dep to ^7. We also fixed an issue where the error handling rethrew unknown errors - it now returns {error} as a base query is supposed to.

What's Changed

• Fix potential subscription leakage in SSR environments by @​markerikson in reduxjs/redux-toolkit#5111
• Improve fetchBaseQuery default headers handling by @​markerikson in reduxjs/redux-toolkit#5112
• Respect maxRetries for unexpected errors by @​markerikson in reduxjs/redux-toolkit#5113
• fix: update graphql-request dependency to include version ^7.0.0 by @​eyesfocus in reduxjs/redux-toolkit#4987
• Add retry abort handling and abort on resetApiState by @​markerikson in reduxjs/redux-toolkit#5114
• Don't create subscriptions for prefetch calls by @​markerikson in reduxjs/redux-toolkit#5116

Full Changelog: reduxjs/redux-toolkit@v2.9.1...v2.9.2

v2.9.1

This bugfix release fixes how sorted entity adapters handle duplicate IDs, tweaks the TS types for RTKQ query state cache entries to improve how the data field is handled, and adds better cleanup for long-running listener middleware effects.

What's Changed

• fix(entityAdapter): ensure sorted addMany keeps first occurrence of duplicate ids by @​demyanm in reduxjs/redux-toolkit#5097
• fix(entityAdapter): ensure sorted setMany keeps just unique IDs in state.ids by @​demyanm in reduxjs/redux-toolkit#5107
• fix(types): ensure non-undefined data on isSuccess with exactOptionalPropertyTypes by @​CO0Ki3 in reduxjs/redux-toolkit#5088
• Allow executing effects that have become unsubscribed to be canceled by listenerMiddleware.clearListeners by @​chris-chambers in reduxjs/redux-toolkit#5102

Full Changelog: reduxjs/redux-toolkit@v2.9.0...v2.9.1

Commits

• 32887d7 Release 2.9.2
• 4432629 Don't create subscriptions for prefetch calls (#5116)
• c86d948 Add retry abort handling and abort on resetApiState (#5114)
• 02630d2 fix: update graphql-request dependency to include version ^7.0.0 (#4987)
• 1b95037 Respect maxRetries for unexpected errors (#5113)
• c490b19 Improve fetchBaseQuery default headers handling (#5112)
• 7b7faea Fix potential subscription leakage in SSR environments (#5111)
• fde0be7 Release 2.9.1
• 47e7d81 Release @​rtk-query/codegen-openapi 2.1.0
• b4b7d17 Allow executing effects that have become unsubscribed to be canceled by `list...
• Additional commits viewable in compare view

Updates dompurify from 3.2.7 to 3.3.0

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.0

• Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
• Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
• Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

Commits

• 36d1fbc Getting 3.x branch ready for 3.3.0 release (#1157)
• See full diff in compare view

Updates @testing-library/jest-dom from 6.8.0 to 6.9.1

Release notes

Sourced from @​testing-library/jest-dom's releases.

v6.9.1

6.9.1 (2025-10-01)

Bug Fixes

• Fix undefined Node error (nodejs) (#707) (0ff8904)

v6.9.0

6.9.0 (2025-09-30)

Features

• Add .toAppearBefore/.toAppearAfter matcher (#702) (95f870a)

Commits

• 0ff8904 fix: Fix undefined Node error (nodejs) (#707)
• 95f870a feat: Add .toAppearBefore/.toAppearAfter matcher (#702)
• d6663f5 docs: add nossbigg as a contributor for code, and test (#703)
• See full diff in compare view

Updates commander from 14.0.1 to 14.0.2

Release notes

Sourced from commander's releases.

v14.0.2

Changed

• improve negative number auto-detection test (#2428)
• update (dev) dependencies

Changelog

Sourced from commander's changelog.

[14.0.2] (2025-10-25)

Changed

• improve negative number auto-detection test (#2428)
• update (dev) dependencies

Commits

• 0692be5 Prepare for 14.0.2 (#2437)
• 88a348e Bump actions/setup-node from 5 to 6 (#2438)
• 3fe83d6 Bump github/codeql-action from 3 to 4 (#2435)
• 0b7988e Bump globals from 16.3.0 to 16.4.0 (#2429)
• 8005253 Bump typescript-eslint from 8.42.0 to 8.45.0 (#2430)
• 213e679 Bump ts-jest from 29.4.1 to 29.4.4 (#2431)
• 7ede91b Bump jest from 30.1.3 to 30.2.0 (#2432)
• 8c91f34 Bump typescript from 5.9.2 to 5.9.3 (#2433)
• ff1d2ce Improve negative test (#2428)
• 1a6dba5 Clarify deprecated routine (#2427)
• See full diff in compare view

Updates esbuild from 0.25.10 to 0.25.11

Release notes

Sourced from esbuild's releases.

v0.25.11

• Add support for with { type: 'bytes' } imports (#4292)

  The import bytes proposal has reached stage 2.7 in the TC39 process, which means that although it isn't quite recommended for implementation, it's generally approved and ready for validation. Furthermore it has already been implemented by Deno and Webpack. So with this release, esbuild will also add support for this. It behaves exactly the same as esbuild's existing binary loader. Here's an example:

  import data from './image.png' with { type: 'bytes' }
  const view = new DataView(data.buffer, 0, 24)
  const width = view.getInt32(16)
  const height = view.getInt32(20)
  console.log('size:', width + '\xD7' + height)

• Lower CSS media query range syntax (#3748, #4293)

  With this release, esbuild will now transform CSS media query range syntax into equivalent syntax using min-/max- prefixes for older browsers. For example, the following CSS:

  @media (640px <= width <= 960px) {
    main {
      display: flex;
    }
  }

  will be transformed like this with a target such as --target=chrome100 (or more specifically with --supported:media-range=false if desired):

  @media (min-width: 640px) and (max-width: 960px) {
    main {
      display: flex;
    }
  }

Changelog

Sourced from esbuild's changelog.

0.25.11

• Add support for with { type: 'bytes' } imports (#4292)

  The import bytes proposal has reached stage 2.7 in the TC39 process, which means that although it isn't quite recommended for implementation, it's generally approved and ready for validation. Furthermore it has already been implemented by Deno and Webpack. So with this release, esbuild will also add support for this. It behaves exactly the same as esbuild's existing binary loader. Here's an example:

  import data from './image.png' with { type: 'bytes' }
  const view = new DataView(data.buffer, 0, 24)
  const width = view.getInt32(16)
  const height = view.getInt32(20)
  console.log('size:', width + '\xD7' + height)

• Lower CSS media query range syntax (#3748, #4293)

  With this release, esbuild will now transform CSS media query range syntax into equivalent syntax using min-/max- prefixes for older browsers. For example, the following CSS:

  @media (640px <= width <= 960px) {
    main {
      display: flex;
    }
  }

  will be transformed like this with a target such as --target=chrome100 (or more specifically with --supported:media-range=false if desired):

  @media (min-width: 640px) and (max-width: 960px) {
    main {
      display: flex;
    }
  }

Commits

• 6b7c4f2 publish 0.25.11 to npm
• 7295c1a css: also parse media queries in @import rules
• e3991dd css: some adjustments to @import parsing
• 8bb82ca fix #3748, fix #4293: lower css media range syntax
• d8c3f87 css: parse and print media queries
• 6e75bc7 run make update-compat-table
• 8f506d5 fix #4292: support with { type: bytes }
• See full diff in compare view

Updates eslint-plugin-react-refresh from 0.4.22 to 0.4.24

Release notes

Sourced from eslint-plugin-react-refresh's releases.

v0.4.24

• Add "generateImageMetadata", "generateSitemaps" & "generateStaticParams" to allowExportNames in Next config

v0.4.23

• Add "metadata", "generateMetadata" & "generateViewport" to allowExportNames in Next config

Changelog

Sourced from eslint-plugin-react-refresh's changelog.

0.4.24

• Add "generateImageMetadata", "generateSitemaps" & "generateStaticParams" to allowExportNames in Next config

0.4.23

• Add "metadata", "generateMetadata" & "generateViewport" to allowExportNames in Next config

Commits

• 6368815 Add generate{ImageMetadata,Sitemaps,StaticParams} to Next config [publish] (#92)
• 1d436ff More allowExportNames in Next config (fixes #90) [publish]
• See full diff in compare view

Updates rollup from 4.52.3 to 4.52.5

Release notes

Sourced from rollup's releases.

v4.52.5

4.52.5

2025-10-18

Bug Fixes

• Always produce valid UUIDs as debugIds in sourcemaps (#6144)

Pull Requests

• #6135: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6140: chore(deps): update peter-evans/create-or-update-comment action to v5 (@​renovate[bot])
• #6141: chore(deps): update peter-evans/find-comment action to v4 (@​renovate[bot])
• #6142: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6143: chore: eslint enable concurrency option (@​btea)
• #6144: fix: generation of debugIDs with invalid length (@​pablomatiasgomez, @​lukastaegert)
• #6146: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6147: chore(deps): update actions/setup-node action to v6 (@​renovate[bot])

v4.52.4

4.52.4

2025-10-03

Bug Fixes

• Fix an issue where the wrong branch of nullish coalescing was picked (#6133)

Pull Requests

• #6128: Enable npm OIDC publishing (@​lukastaegert)
• #6133: Correct nullish coalescing branch resolution for symbol left value (@​TrickyPi)
• #6134: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)

Changelog

Sourced from rollup's changelog.

4.52.5

2025-10-18

Bug Fixes

• Always produce valid UUIDs as debugIds in sourcemaps (#6144)

Pull Requests

• #6135: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6140: chore(deps): update peter-evans/create-or-update-comment action to v5 (@​renovate[bot])
• #6141: chore(deps): update peter-evans/find-comment action to v4 (@​renovate[bot])
• #6142: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6143: chore: eslint enable concurrency option (@​btea)
• #6144: fix: generation of debugIDs with invalid length (@​pablomatiasgomez, @​lukastaegert)
• #6146: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6147: chore(deps): update actions/setup-node action to v6 (@​renovate[bot])

4.52.4

2025-10-03

Bug Fixes

• Fix an issue where the wrong branch of nullish coalescing was picked (#6133)

Pull Requests

• #6128: Enable npm OIDC publishing (@​lukastaegert)
• #6133: Correct nullish coalescing branch resolution for symbol left value (@​TrickyPi)
• #6134: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)

Commits

• 55a8fd5 4.52.5
• 58f5a7b fix: generation of debugIDs with invalid length (#6144)
• 0b816b0 chore(deps): lock file maintenance minor/patch updates (#6146)
• a973ed8 chore: eslint enable concurrency option (#6143)
• bfa9e9f chore(deps): update actions/setup-node action to v6 (#6147)
• 69a9336 fix(deps): lock file maintenance minor/patch updates (#6142)
• 88b18b9 chore(deps): update peter-evans/create-or-update-comment action to v5 (#6140)
• c9ab522 chore(deps): update peter-evans/find-comment action to v4 (#6141)
• 01f02bd chore(deps): lock file maintenance minor/patch updates (#6135)
• cd81da7 4.52.4
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for rollup since your current version.

Updates typescript from 5.9.2 to 5.9.3

Release notes

Sourced from typescript's releases.

TypeScript 5.9.3

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

• fixed issues query for Typescript 5.9.0 (Beta).
• fixed issues query for Typescript 5.9.1 (RC).
• No specific changes for TypeScript 5.9.2 (Stable)
• fixed issues query for Typescript 5.9.3 (Stable).

Downloads are available on:

• npm

Commits

• c63de15 Bump version to 5.9.3 and LKG
• 8428ca4 🤖 Pick PR #62438 (Fix incorrectly ignored dts file fr...) into release-5.9 (#...
• a131cac 🤖 Pick PR #62351 (Add missing Float16Array constructo...) into release-5.9 (#...
• 0424333 🤖 Pick PR #62423 (Revert PR 61928) into release-5.9 (#62425)
• bdb641a 🤖 Pick PR #62311 (Fix parenthesizer rules for manuall...) into release-5.9 (#...
• 0d9b9b9 🤖 Pick PR #61978 (Restructure CI to prepare for requi...) into release-5.9 (#...
• 2dce0c5 Intentionally regress one buggy declaration output to an older version (#62163)
• See full diff in compare view

Updates typescript-eslint from 8.45.0 to 8.46.2

Release notes

Sourced from typescript-eslint's releases.

v8.46.2

8.46.2 (2025-10-20)

🩹 Fixes

• eslint-plugin: [prefer-optional-chain] skip optional chaining when it could change the result (#11702)
• typescript-estree: forbid invalid modifiers in object methods (#11689)

❤️ Thank You

• fisker Cheung @​fisker
• mdm317

You can read about our versioning strategy and releases on our website.

v8.46.1

8.46.1 (2025-10-13)

🩹 Fixes

• ast-spec: cleanup TSLiteralType (#11624)
• eslint-plugin: [prefer-optional-chain] include mixed "nullish comparison style" chains in checks (#11533)
• eslint-plugin: [no-misused-promises] special-case .finally not to report when a promise returning function is provided as an argument (#11667)

❤️ Thank You

• Abraham Guo
• mdm317
• Ronen Amiel

You can read about our versioning strategy and releases on our website.

v8.46.0

8.46.0 (2025-10-06)

🚀 Features

• eslint-plugin: [no-unsafe-member-access] add allowOptionalChaining option (#11659)
• eslint-plugin-internal: [no-dynamic-tests] new internal Lint rule to ban dynamic syntax in generating tests (#11323)
• rule-schema-to-typescript-types: clean up and make public (#11633)
• typescript-eslint: export util types (#10848, #10849)
• typescript-estree: mention file specifics in project service allowDefaultProject error (#11635)
• typescript-estree: private identifiers can only appear on LHS of in expressions (#9232)

🩹 Fixes

• eslint-plugin: [no-floating-promises] remove excess parentheses in suggestions (#11487)
• eslint-plugin: [unbound-method] improve wording around this: void and binding (#11634)
• eslint-plugin: [no-deprecated] ignore deprecated export imports (#11603)
• eslint-plugin: removed error type previously deprecated (#11674)

... (truncated)

Changelog

Sourced from typescript-eslint's changelog.

8.46.2 (2025-10-20)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.46.1 (2025-10-13)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.46.0 (2025-10-06)

🚀 Features

• typescript-eslint: export util types (#10848, #10849)

❤️ Thank You

• Mister-Hope @​Mister-Hope

You can read about our versioning strategy and releases on our website.

Commits

• 55ca033 chore(release): publish 8.46.2
• 3f5fbf6 chore(release): publish 8.46.1
• aec785e chore(release): publish 8.46.0
• 5c1a159 feat(typescript-eslint): export util types (close #10848) (#10849)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.