fix(deps): update all non-major dependencies for npm

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@biomejs/biome (source)	2.4.7 → 2.4.8
@tailwindcss/vite (source)	4.2.1 → 4.2.2
@tanstack/react-query (source)	5.90.21 → 5.91.0
@tanstack/react-router (source)	1.167.4 → 1.167.5
@tanstack/router-plugin (source)	1.166.13 → 1.166.14
tailwindcss (source)	4.2.1 → 4.2.2
wrangler (source)	4.74.0 → 4.75.0

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.4.8

Compare Source

Patch Changes

• #​9488 bc709f6 Thanks @​mvanhorn! - Fixed #​9463: the "Biome found a configuration file outside of the current working directory" diagnostic now includes the configuration file path and the working directory, giving users actionable information to debug the issue.

• #​9527 2f8bf80 Thanks @​mdm317! - Fixed #​8959: Fixed TypeScript arrow function formatting when a comment appears after =>.

• #​9525 e7b3b10 Thanks @​ViniciusDev26! - Added the rule noDrizzleUpdateWithoutWhere to prevent accidental full-table updates when using Drizzle ORM without a .where() clause.

• #​9531 1302740 Thanks @​ematipico! - Fixed #​9187: Astro frontmatter containing regex literals with quotes (/'/, /"/) or dashes (/---/) no longer causes parse errors.

• #​9535 b630d93 Thanks @​leno23! - Fixed #​9524: remove extra space before > when bracketSameLine is true and the self-closing slash is absent in HTML formatter.

• #​9537 81e6306 Thanks @​ematipico! - Fixed #​9238: The HTML parser no longer incorrectly reports --- inside element content (e.g. <td>---</td>) as an "Unexpected value or character" error.

• #​9532 4b64145 Thanks @​ematipico! - Fixed #​9117: biome check --write no longer falsely reports Svelte and Vue files as changed when html.formatter.indentScriptAndStyle is enabled and the files are already correctly formatted.

• #​9528 61451ef Thanks @​ematipico! - Fixed #​9341: Fixed an LSP crash that could corrupt file content when saving with format-on-save enabled.

• #​9538 794f79c Thanks @​ematipico! - Fixed #​9279: The rule noSubstr now detects .substr() and .substring() calls in all expression contexts, including variable declarations, function arguments, return statements, and arrow function bodies.

• #​9462 c23272c Thanks @​ematipico! - Fixed #​9370: The resolver now correctly prioritizes more specific exports patterns over less specific ones. Previously, a pattern like "./*" could match before "./features/*", causing resolution failures for packages with overlapping subpath patterns.

• #​9515 f85c069 Thanks @​shivamtiwari3! - Fixed #​9506 and #​9479: Biome no longer reports false parse errors on <script type="speculationrules"> and <script type="application/ld+json"> tags. These script types contain non-JavaScript content and are now correctly skipped by the embedded language detector.

• #​9514 7fe43c8 Thanks @​ematipico! - Fixed #​6964: Biome now correctly resolves the .gitignore file relative to vcs.root when configured. Previously, the vcs.root setting was ignored and Biome always looked for the ignore file in the workspace directory.

• #​9521 af39936 Thanks @​ematipico! - Fixed #​9483. Now the rule noRedeclare doesn't panic when it encounters constructor overloads.

• #​9490 60cf024 Thanks @​willfarrell! - Added support for modern CSS properties, pseudo-classes, and pseudo-elements.

  New known properties: dynamic-range-limit, overlay, reading-flow, reading-order, scroll-marker-group, scroll-target-group.

  New pseudo-elements: ::checkmark, ::column, ::picker, ::picker-icon, ::scroll-button, ::scroll-marker, ::scroll-marker-group.

  New pseudo-classes: :active-view-transition-type, :has-slotted, :target-after, :target-before, :target-current.

• #​9526 4d42823 Thanks @​ematipico! - Fixed #​9358 and #​9375. Now attributes that have text expressions such as class={buttonClass()} are correctly tracked in Svelte files.

• #​9520 61f53ee Thanks @​ematipico! - Fixed #​9519. Now noUnusedVariables doesn't flag variables that are used as typeof type.

• #​9487 331dc0d Thanks @​mvanhorn! - Fixed #​9477: source.fixAll.biome no longer sorts imports when source.organizeImports.biome is disabled in editor settings. The organize imports action is now excluded from the fix-all pass unless explicitly requested.

• #​9525 e7b3b10 Thanks @​ViniciusDev26! - Added the rule noDrizzleDeleteWithoutWhere to prevent accidental full-table deletes when using Drizzle ORM without a .where() clause.

tailwindlabs/tailwindcss (@​tailwindcss/vite)

v4.2.2

Compare Source

Fixed

• Don't crash when candidates contain prototype properties like row-constructor (#​19725)
• Canonicalize calc(var(--spacing)*…) expressions into --spacing(…) (#​19769)
• Fix crash in canonicalization step when handling utilities containing @property at-rules (e.g. shadow-sm border) (#​19727)
• Skip full reload for server only modules scanned by client CSS when using @tailwindcss/vite (#​19745)
• Add support for Vite 8 in @tailwindcss/vite (#​19790)
• Improve canonicalization for bare values exceeding default spacing scale suggestions (e.g. w-1234 h-1234 → size-1234) (#​19809)
• Fix canonicalization resulting in empty list (e.g. w-5 h-5 size-5 → '' instead of size-5) (#​19812)

TanStack/query (@​tanstack/react-query)

v5.91.0

Compare Source

Minor Changes

• feat: environmentManager (#​10199)

Patch Changes

• Updated dependencies [6fa901b]:
  • @​tanstack/query-core@​5.91.0

TanStack/router (@​tanstack/react-router)

v1.167.5

Compare Source

Patch Changes

• Updated dependencies [5ff4f0b]:
  • @​tanstack/router-core@​1.167.5

TanStack/router (@​tanstack/router-plugin)

v1.166.14

Compare Source

Patch Changes

• Updated dependencies [5ff4f0b]:
  • @​tanstack/router-core@​1.167.5
  • @​tanstack/react-router@​1.167.5
  • @​tanstack/router-generator@​1.166.13

cloudflare/workers-sdk (wrangler)

v4.75.0

Compare Source

Minor Changes

• #​12492 3b81fc6 Thanks @​thomasgauvin! - feat: add wrangler tunnel commands for managing Cloudflare Tunnels

  Adds a new set of commands for managing remotely-managed Cloudflare Tunnels directly from Wrangler:

  • wrangler tunnel create <name> - Create a new Cloudflare Tunnel
  • wrangler tunnel list - List all tunnels in your account
  • wrangler tunnel info <tunnel> - Display details about a specific tunnel
  • wrangler tunnel delete <tunnel> - Delete a tunnel (with confirmation)
  • wrangler tunnel run <tunnel> - Run a tunnel using cloudflared
  • wrangler tunnel quick-start <url> - Start a temporary tunnel (Try Cloudflare)

  The run and quick-start commands automatically download and manage the cloudflared binary, caching it in ~/.wrangler/cloudflared/. Users are prompted before downloading and warned if their PATH-installed cloudflared is outdated. You can override the binary location with the CLOUDFLARED_PATH environment variable.

  All commands are marked as experimental.

Patch Changes

• #​12927 c9b3184 Thanks @​penalosa! - Bump undici from 7.18.2 to 7.24.4

• #​12875 13df6c7 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260312.1	1.20260316.1

• #​12935 df0d112 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260316.1	1.20260317.1

• #​12928 81ee98e Thanks @​petebacondarwin! - Migrate chrome-devtools-patches deployment from Cloudflare Pages to Workers + Assets

  The DevTools frontend is now deployed as a Cloudflare Workers + Assets project instead of a Cloudflare Pages project. This uses wrangler deploy for production deployments and wrangler versions upload for PR preview deployments.

  The inspector proxy origin allowlists in both wrangler and miniflare have been updated to accept connections from the new workers.dev domain patterns, while retaining the legacy pages.dev patterns for backward compatibility.

• #​12835 c600ce0 Thanks @​dario-piotrowicz! - Fix execution freezing on debugger statements when DevTools is not attached

  Previously, wrangler always sent Debugger.enable to the runtime on connection, even when DevTools wasn't open. This caused scripts to freeze on debugger statements. Now Debugger.enable is only sent when DevTools is actually attached, and Debugger.disable is sent when DevTools disconnects to stop the runtime from performing debugging work.

• #​12894 f509d13 Thanks @​gpanders! - Simplify description of --json option

  Remove extraneous adjectives in the description of the --json option.

• #​11888 0a7fef9 Thanks @​staticpayload! - Reject cross-drive module paths in Pages Functions routing

  On Windows, module paths using a different drive letter could be parsed in a way that bypassed the project-root check. These paths are now parsed correctly and rejected when they resolve outside the project.

• Updated dependencies [c9b3184, 13df6c7, df0d112, 81ee98e]:

  • miniflare@​4.20260317.0

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.