chore: bump the dev-dependencies group with 8 updates

[dependabot]

Bumps the dev-dependencies group with 8 updates:

Package	From	To
@modelcontextprotocol/inspector	0.17.5	0.21.1
@types/node	25.0.2	25.3.3
c8	10.1.3	11.0.0
eslint	9.39.2	10.0.2
eslint-plugin-security	3.0.1	4.0.0
lint-staged	16.2.7	16.3.1
lockfile-lint	4.14.1	5.0.0
neostandard	0.12.2	0.13.0

Updates @modelcontextprotocol/inspector from 0.17.5 to 0.21.1

Release notes

Sourced from @​modelcontextprotocol/inspector's releases.

0.21.1

What's Changed

• fix: include server/static in published package files by @​jwoods02 in modelcontextprotocol/inspector#1113
• Remove misleading structured content compatibility warning by @​olaservo in modelcontextprotocol/inspector#1098
• chore: bump version to 0.21.1 by @​Copilot in modelcontextprotocol/inspector#1116

New Contributors

• @​jwoods02 made their first contribution in modelcontextprotocol/inspector#1113

Full Changelog: modelcontextprotocol/inspector@0.21.0...0.21.1

0.21.0

What's Changed

• Bump actions/setup-node from 4 to 6 by @​dependabot[bot] in modelcontextprotocol/inspector#1057
• Bump actions/upload-artifact from 4 to 6 by @​dependabot[bot] in modelcontextprotocol/inspector#1058
• Bump actions/attest-build-provenance from 2 to 3 by @​dependabot[bot] in modelcontextprotocol/inspector#1059
• Bump actions/cache from 4 to 5 by @​dependabot[bot] in modelcontextprotocol/inspector#1060
• Bump actions/github-script from 7 to 8 by @​dependabot[bot] in modelcontextprotocol/inspector#1061
• fix: display tool title field in Inspector UI by @​olaservo in modelcontextprotocol/inspector#1054
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in modelcontextprotocol/inspector#1079
• fix: enhance resolution and enum handling in anyOf schemas by @​Edison-A-N in modelcontextprotocol/inspector#901
• fix: include LICENSE file in published npm packages by @​olaservo in modelcontextprotocol/inspector#1055
• feat(client): display tool annotations in Tools tab by @​olaservo in modelcontextprotocol/inspector#1066
• Bump qs from 6.14.1 to 6.14.2 in the npm_and_yarn group across 1 directory by @​dependabot[bot] in modelcontextprotocol/inspector#1088
• fix: add missing tool result to AppsRenderer by @​infoxicator in modelcontextprotocol/inspector#1075
• Update SECURITY.md to use GitHub Security Advisories by @​localden in modelcontextprotocol/inspector#1097
• oauth: add tenant suffix to oauth flow by @​howardjohn in modelcontextprotocol/inspector#1096
• chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates by @​dependabot[bot] in modelcontextprotocol/inspector#1106
• Manage display of "Run as Task" checkbox on Tools Tab by @​cliffhall in modelcontextprotocol/inspector#1072
• chore: bump version to 0.21.0 by @​Copilot in modelcontextprotocol/inspector#1112

New Contributors

• @​Edison-A-N made their first contribution in modelcontextprotocol/inspector#901
• @​infoxicator made their first contribution in modelcontextprotocol/inspector#1075
• @​localden made their first contribution in modelcontextprotocol/inspector#1097

Full Changelog: modelcontextprotocol/inspector@0.20.0...0.21.0

0.20.0

What's Changed

• Fix async sampling test by @​cliffhall in modelcontextprotocol/inspector#1035
• fix(client): fix dev mode hanging on Windows by @​olaservo in modelcontextprotocol/inspector#1051
• fix(client): circular function calls leads to memory leak by @​dzhulk in modelcontextprotocol/inspector#1049
• Enable Dependabot for GitHub Actions by @​koic in modelcontextprotocol/inspector#1048
• Bump the npm_and_yarn group across 1 directory with 3 updates by @​dependabot[bot] in modelcontextprotocol/inspector#1065
• Fixed test failures induced by MCP SDK update by @​BobDickinson in modelcontextprotocol/inspector#1067
• Add MCP Apps support to Inspector by @​cliffhall in modelcontextprotocol/inspector#1044
• Bump version to 0.20.0 by @​olaservo in modelcontextprotocol/inspector#1070

New Contributors

... (truncated)

Commits

• db0827b chore: bump version to 0.21.1 (#1116)
• 8c7017a Merge pull request #1098 from olaservo/main
• e853652 Merge branch 'main' into main
• bb791cd fix: include server/static in published package files (#1113)
• 1e23d37 Merge pull request #1112 from modelcontextprotocol/copilot/bump-version-to-0-...
• 58478bc chore: bump version to 0.21.0
• 238eadf Initial plan
• c4c6e6b Merge pull request #1072 from cliffhall/hide-run-as-task-if-not-supported
• 92b6c89 Formatting
• f64a7ea Fix review issues from Claude's code review
• Additional commits viewable in compare view

Updates @types/node from 25.0.2 to 25.3.3

Commits

• See full diff in compare view

Updates c8 from 10.1.3 to 11.0.0

Release notes

Sourced from c8's releases.

v11.0.0

11.0.0 (2026-02-22)

⚠ BREAKING CHANGES

• deps: transitive deps require 20 || >=22

Bug Fixes

• deps: pull newer minimatch addressing CVE-2026-26996 (#576) (678eeca)

Changelog

Sourced from c8's changelog.

11.0.0 (2026-02-22)

⚠ BREAKING CHANGES

• deps: transitive deps require 20 || >=22

Bug Fixes

• deps: pull newer minimatch addressing CVE-2026-26996 (#576) (678eeca)

Commits

• ce78df4 chore(main): release 11.0.0 (#577)
• 678eeca fix(deps)!: pull newer minimatch addressing CVE-2026-26996 (#576)
• ec4c5e4 chore: .editorconfig to avoid unintended mods to .snap files (#556)
• See full diff in compare view

Updates eslint from 9.39.2 to 10.0.2

Release notes

Sourced from eslint's releases.

v10.0.2

Bug Fixes

• 2b72361 fix: update ajv to 6.14.0 to address security vulnerabilities (#20537) (루밀LuMir)

Documentation

• 13eeedb docs: link rule type explanation to CLI option --fix-type (#20548) (Mike McCready)
• 98cbf6b docs: update migration guide per Program range change (#20534) (Huáng Jùnliàng)
• 61a2405 docs: add missing semicolon in vars-on-top rule example (#20533) (Abilash)

Chores

• 951223b chore: update dependency @​eslint/eslintrc to ^3.3.4 (#20553) (renovate[bot])
• 6aa1afe chore: update dependency eslint-plugin-jsdoc to ^62.7.0 (#20536) (Milos Djermanovic)

v10.0.1

Bug Fixes

• c87d5bd fix: update eslint (#20531) (renovate[bot])
• d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519) (루밀LuMir)
• 04c2147 fix: update error message for unused suppressions (#20496) (fnx)
• 38b089c fix: update dependency @​eslint/config-array to ^0.23.1 (#20484) (renovate[bot])

Documentation

• 5b3dbce docs: add AI acknowledgement section to templates (#20431) (루밀LuMir)
• 6f23076 docs: toggle nav in no-JS mode (#20476) (Tanuj Kanti)
• b69cfb3 docs: Update README (GitHub Actions Bot)

Chores

• e5c281f chore: updates for v9.39.3 release (Jenkins)
• 8c3832a chore: update @​typescript-eslint/parser to ^8.56.0 (#20514) (Milos Djermanovic)
• 8330d23 test: add tests for config-api (#20493) (Milos Djermanovic)
• 37d6e91 chore: remove eslint v10 prereleases from eslint-config-eslint deps (#20494) (Milos Djermanovic)
• da7cd0e refactor: cleanup error message templates (#20479) (Francesco Trotta)
• 84fb885 chore: package.json update for @​eslint/js release (Jenkins)
• 1f66734 chore: add eslint to peerDependencies of @eslint/js (#20467) (Milos Djermanovic)

v10.0.0

Breaking Changes

• f9e54f4 feat!: estimate rule-tester failure location (#20420) (ST-DDT)
• a176319 feat!: replace chalk with styleText and add color to ResultsMeta (#20227) (루밀LuMir)
• c7046e6 feat!: enable JSX reference tracking (#20152) (Pixel998)
• fa31a60 feat!: add name to configs (#20015) (Kirk Waiblinger)
• 3383e7e fix!: remove deprecated SourceCode methods (#20137) (Pixel998)
• 501abd0 feat!: update dependency minimatch to v10 (#20246) (renovate[bot])
• ca4d3b4 fix!: stricter rule tester assertions for valid test cases (#20125) (唯然)
• 96512a6 fix!: Remove deprecated rule context methods (#20086) (Nicholas C. Zakas)
• c69fdac feat!: remove eslintrc support (#20037) (Francesco Trotta)
• 208b5cc feat!: Use ScopeManager#addGlobals() (#20132) (Milos Djermanovic)
• a2ee188 fix!: add uniqueItems: true in no-invalid-regexp option (#20155) (Tanuj Kanti)
• a89059d feat!: Program range span entire source text (#20133) (Pixel998)
• 39a6424 fix!: assert 'text' is a string across all RuleFixer methods (#20082) (Pixel998)
• f28fbf8 fix!: Deprecate "always" and "as-needed" options of the radix rule (#20223) (Milos Djermanovic)

... (truncated)

Commits

• 55122d6 10.0.2
• 80f1e29 Build: changelog update for 10.0.2
• 951223b chore: update dependency @​eslint/eslintrc to ^3.3.4 (#20553)
• 13eeedb docs: link rule type explanation to CLI option --fix-type (#20548)
• 6aa1afe chore: update dependency eslint-plugin-jsdoc to ^62.7.0 (#20536)
• 2b72361 fix: update ajv to 6.14.0 to address security vulnerabilities (#20537)
• 98cbf6b docs: update migration guide per Program range change (#20534)
• 61a2405 docs: add missing semicolon in vars-on-top rule example (#20533)
• 0bd5497 10.0.1
• ddb80ef Build: changelog update for 10.0.1
• Additional commits viewable in compare view

Updates eslint-plugin-security from 3.0.1 to 4.0.0

Release notes

Sourced from eslint-plugin-security's releases.

eslint-plugin-security: v4.0.0

4.0.0 (2026-02-19)

⚠ BREAKING CHANGES

• requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146)
• switch the recommended config to flat (#118)

Features

• add config recommended-legacy (#132) (13d3f2f)
• Add meta object documentation for all rules (#79) (fb1d9ef)
• detect-bidi-characters rule (#95) (4294d29)
• detect-non-literal-fs-filename: change to track non-top-level require() as well (#105) (d3b1543)
• extend detect non literal fs filename (#92) (08ba476)
• improve detect-child-process rule (#108) (64ae529)
• non-literal-require: support template literals (#81) (208019b)
• requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146) (df1b606)
• switch the recommended config to flat (#118) (e20a366)

Bug Fixes

• Add ESLint 10 compatibility for context.sourceCode API change (#186) (7f9ee77)
• add name to recommended flat config (#161) (aa1c8c5)
• Avoid crash when exec() is passed no arguments (7f97815), closes #82 #23
• Avoid TypeError when exec stub is used with no arguments (#97) (9c18f16)
• detect-child-process: false positive for destructuring with exec (#102) (657921a)
• detect-child-process: false positives for destructuring spawn (#103) (fdfe37d)
• Ensure empty eval() doesn't crash detect-eval-with-expression (#139) (8a7c7db)
• Ensure everything works with ESLint v9 (#145) (ac50ab4)
• false positives for static expressions in detect-non-literal-fs-filename, detect-child-process, detect-non-literal-regexp, and detect-non-literal-require (#109) (56102b5)
• generate provenance statement for release (#168) (eb3ee9c)
• Incorrect method name in detect-buffer-noassert. (313c0c6), closes #63 #80
• release-please config (#189) (2443d10)

Changelog

Sourced from eslint-plugin-security's changelog.

4.0.0 (2026-02-19)

⚠ BREAKING CHANGES

• requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146)
• switch the recommended config to flat (#118)

Features

• add config recommended-legacy (#132) (13d3f2f)
• Add meta object documentation for all rules (#79) (fb1d9ef)
• detect-bidi-characters rule (#95) (4294d29)
• detect-non-literal-fs-filename: change to track non-top-level require() as well (#105) (d3b1543)
• extend detect non literal fs filename (#92) (08ba476)
• improve detect-child-process rule (#108) (64ae529)
• non-literal-require: support template literals (#81) (208019b)
• requires node ^18.18.0 || ^20.9.0 || >=21.1.0 (#146) (df1b606)
• switch the recommended config to flat (#118) (e20a366)

Bug Fixes

• Add ESLint 10 compatibility for context.sourceCode API change (#186) (7f9ee77)
• add name to recommended flat config (#161) (aa1c8c5)
• Avoid crash when exec() is passed no arguments (7f97815), closes #82 #23
• Avoid TypeError when exec stub is used with no arguments (#97) (9c18f16)
• detect-child-process: false positive for destructuring with exec (#102) (657921a)
• detect-child-process: false positives for destructuring spawn (#103) (fdfe37d)
• Ensure empty eval() doesn't crash detect-eval-with-expression (#139) (8a7c7db)
• Ensure everything works with ESLint v9 (#145) (ac50ab4)
• false positives for static expressions in detect-non-literal-fs-filename, detect-child-process, detect-non-literal-regexp, and detect-non-literal-require (#109) (56102b5)
• generate provenance statement for release (#168) (eb3ee9c)
• Incorrect method name in detect-buffer-noassert. (313c0c6), closes #63 #80
• release-please config (#189) (2443d10)

Commits

• 4b734af chore: release 4.0.0 🚀 (#192)
• 2443d10 fix: release-please config (#189)
• ee73862 chore(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#187)
• ca182d1 chore(deps): bump serialize-javascript and mocha (#184)
• 7f9ee77 fix: Add ESLint 10 compatibility for context.sourceCode API change (#186)
• 99032c3 ci: trusted publishing (#180)
• 5e096f2 ci(ci): add node 24 to test matrix (#176)
• e060aeb ci: migrate to manifest config (#173)
• fc0af81 chore(.eslint-doc-generatorrc): add missing 'use strict' directive (#170)
• f6a29ef chore(package): explicitly declare js module type (#171)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for eslint-plugin-security since your current version.

Updates lint-staged from 16.2.7 to 16.3.1

Release notes

Sourced from lint-staged's releases.

v16.3.1

Patch Changes

• #1729 cd5d762 Thanks @​iiroj! - Remove nano-spawn as a dependency from package.json as it was replaced with tinyexec and is no longer used.

v16.3.0

Minor Changes

• #1698 feda37a Thanks @​iiroj! - Run external processes with tinyexec instead of nano-spawn. nano-spawn replaced execa in lint-staged version 16 to limit the amount of npm dependencies required, but caused some unknown issues related to spawning tasks. Let's hope tinyexec improves the situation.

• #1699 1346d16 Thanks @​iiroj! - Remove pidtree as a dependency. When a task fails, its sub-processes are killed more efficiently via the process group on Unix systems, and the taskkill command on Windows.

Patch Changes

• #1726 87467aa Thanks @​iiroj! - Incorrect brace expansions like *.{js} (nothing to expand) are detected exhaustively, instead of just a single pass.

Changelog

Sourced from lint-staged's changelog.

16.3.1

Patch Changes

• #1729 cd5d762 Thanks @​iiroj! - Remove nano-spawn as a dependency from package.json as it was replaced with tinyexec and is no longer used.

16.3.0

Minor Changes

• #1698 feda37a Thanks @​iiroj! - Run external processes with tinyexec instead of nano-spawn. nano-spawn replaced execa in lint-staged version 16 to limit the amount of npm dependencies required, but caused some unknown issues related to spawning tasks. Let's hope tinyexec improves the situation.

• #1699 1346d16 Thanks @​iiroj! - Remove pidtree as a dependency. When a task fails, its sub-processes are killed more efficiently via the process group on Unix systems, and the taskkill command on Windows.

Patch Changes

• #1726 87467aa Thanks @​iiroj! - Incorrect brace expansions like *.{js} (nothing to expand) are detected exhaustively, instead of just a single pass.

Commits

• 2a74cd2 chore(changeset): release
• cd5d762 refactor: remove nano-spawn dependency completely
• e342cab build(deps): move nano-spawn to dev
• 9aa2cd7 chore(changeset): release
• 0c387bc test: make long-running task longer because of GitHub Actions slowness
• 87467aa refactor: detect incorrect brace expansion exhaustively
• dceabc6 ci: run npm audit in GitHub Actions
• d0e4c2a build(deps): update dependencies
• 93cf144 docs: add tip about lint-staged.sh
• 9809fee test: adjust integration test logging setup for concurrency
• Additional commits viewable in compare view

Updates lockfile-lint from 4.14.1 to 5.0.0

Release notes

Sourced from lockfile-lint's releases.

lockfile-lint@5.0.0

Major Changes

• 00f595c7b9cad499b86cbc33c3e6492c3b131849 Thanks @​lirantal! - feat: support loading of ESM cosmiconfig files

Changelog

Sourced from lockfile-lint's changelog.

5.0.0

Major Changes

• 00f595c7b9cad499b86cbc33c3e6492c3b131849 Thanks @​lirantal! - feat: support loading of ESM cosmiconfig files

Commits

• 09dabb4 build: update for provenance release
• 3d62d47 chore: new release (#209)
• f65c7b2 feat: add ESM configuration file support (#208)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for lockfile-lint since your current version.

Updates neostandard from 0.12.2 to 0.13.0

Release notes

Sourced from neostandard's releases.

v0.13.0

0.13.0 (2026-02-26)

⚠ BREAKING CHANGES

• Require Node.js ^20.19.0 || ^22.13.0 || >=24 (#339)
• eslint-plugin-import-x is no longer included by default. Projects relying on import-x rules will need to manually install and configure eslint-plugin-import-x. See the "Adding back import checking" section in the README for migration instructions. As an alternative, we recommend using TypeScript's compiler (tsc --noEmit) for import validation, which provides more comprehensive checking.
• update dependency globals to v17 (#335)

🌟 Features

• deps: update dependency globals to ^17.2.0 (#347) (66d504e)
• deps: update dependency typescript-eslint to ^8.54.0 (#348) (2cdd443)
• deps: update dependency typescript-eslint to ^8.56.0 (#357) (fe4ba92)
• remove eslint-plugin-import-x and related dependencies (#330) (248de35)
• Require Node.js ^20.19.0 || ^22.13.0 || >=24 (#339) (ba575f3)
• update dependency globals to v17 (#335) (a856b81)

🩹 Fixes

• deps: update dependency eslint-plugin-n to ^17.23.2 (#303) (76d50ed)
• deps: update dependency find-up to v8 (#324) (d95b6e3)
• deps: update dependency globals to ^17.3.0 (#351) (94ab3ce)
• deps: update dependency peowly to ^1.3.3 (#356) (b873608)
• deps: update dependency typescript-eslint to ^8.53.1 (#322) (6beb36b)

🧹 Chores

• properly apply filter (#336) (bd1ad55)

Changelog

Sourced from neostandard's changelog.

0.13.0 (2026-02-26)

⚠ BREAKING CHANGES

• Require Node.js ^20.19.0 || ^22.13.0 || >=24 (#339)
• eslint-plugin-import-x is no longer included by default. Projects relying on import-x rules will need to manually install and configure eslint-plugin-import-x. See the "Adding back import checking" section in the README for migration instructions. As an alternative, we recommend using TypeScript's compiler (tsc --noEmit) for import validation, which provides more comprehensive checking.
• update dependency globals to v17 (#335)

🌟 Features

• deps: update dependency globals to ^17.2.0 (#347) (66d504e)
• deps: update dependency typescript-eslint to ^8.54.0 (#348) (2cdd443)
• deps: update dependency typescript-eslint to ^8.56.0 (#357) (fe4ba92)
• remove eslint-plugin-import-x and related dependencies (#330) (248de35)
• Require Node.js ^20.19.0 || ^22.13.0 || >=24 (#339) (ba575f3)
• update dependency globals to v17 (#335) (a856b81)

🩹 Fixes

• deps: update dependency eslint-plugin-n to ^17.23.2 (#303) (76d50ed)
• deps: update dependency find-up to v8 (#324) (d95b6e3)
• deps: update dependency globals to ^17.3.0 (#351) (94ab3ce)
• deps: update dependency peowly to ^1.3.3 (#356) (b873608)
• deps: update dependency typescript-eslint to ^8.53.1 (#322) (6beb36b)

🧹 Chores

• properly apply filter (#336) (bd1ad55)

Commits

• cc16b7e chore(main): release 0.13.0 (#337)
• d3af897 chore(dependents): update canary npm data (#346)
• d95b6e3 fix(deps): update dependency find-up to v8 (#324)
• fe4ba92 feat(deps): update dependency typescript-eslint to ^8.56.0 (#357)
• bb772ac chore(deps): update all non-major dev dependencies (#352)
• caed7a7 chore(deps): update dependency npm-run-all2 to v8 (#294)
• 33c7dd8 chore(deps): update dependency installed-check to v10 (#359)
• 94ab3ce fix(deps): update dependency globals to ^17.3.0 (#351)
• b873608 fix(deps): update dependency peowly to ^1.3.3 (#356)
• ba575f3 feat!: Require Node.js ^20.19.0 || ^22.13.0 || >=24 (

[dependabot]

Labels

The following labels could not be found: automerge. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml