chore(deps): bump the bun group across 1 directory with 13 updates

[dependabot]

Bumps the bun group with 13 updates in the / directory:

Package	From	To
@elysiajs/bearer	1.3.0	1.4.1
@elysiajs/jwt	1.3.1	1.4.0
@sinclair/typebox	0.34.34	0.34.41
chalk	5.4.1	5.6.2
drizzle-orm	0.44.2	0.44.5
elysia	1.3.5	1.4.5
jose	6.0.11	6.1.0
radashi	12.6.0	12.6.2
@biomejs/biome	2.0.6	2.2.4
@types/node	24.0.10	24.4.0
bun-types	1.2.18	1.2.22
typescript	5.8.3	5.9.2
vitepress	1.6.3	1.6.4

Updates @elysiajs/bearer from 1.3.0 to 1.4.1

Release notes

Sourced from @​elysiajs/bearer's releases.

1.4.1

What's changed

Bug fix:

• Fix issue with multiple bearer tokens in query parameters

Full Changelog: elysiajs/elysia-bearer@1.4.0...1.4.1

1.4.0

What's changed

Improvement:

• support Elysia 1.4

Full Changelog: elysiajs/elysia-bearer@1.3.0...1.4.0

Changelog

Sourced from @​elysiajs/bearer's changelog.

1.4.1 - 13 Sep 2025

Bug fix:

• Fix issue with multiple bearer tokens in query parameters

1.3.0-exp.0 - 23 Apr 2025

Change:

• Add support for Elysia 1.3

1.2.0-rc.0 - 23 Dec 2024

Change:

• Add support for Elysia 1.2

1.1.2 - 5 Sep 2024

Feature:

• add provenance publish

1.1.1 - 16 Jul 2024

Change:

• Accept only first bearer query

1.1.0 - 16 Jul 2024

Change:

• Add support for Elysia 1.1

1.1.0-rc.0 - 12 Jul 2024

Change:

• Add support for Elysia 1.1

1.0.2 - 18 Mar 2024

Change:

• Add support for Elysia 1.0

1.0.0 - 16 Mar 2024

Change:

• Add support for Elysia 1.0

1.0.0-rc.0 - 1 Mar 2024

Change:

• Add support for Elysia 1.0

1.0.0-beta.1 - 17 Feb 2024

Change:

• Add support for Elysia 1.0

... (truncated)

Commits

• 22625e5 📘 doc: multiple bearer tokens in query parameters
• 649b104 🧹 chore: bump version
• See full diff in compare view

Updates @elysiajs/jwt from 1.3.1 to 1.4.0

Release notes

Sourced from @​elysiajs/jwt's releases.

1.4.0

What's changed

Improvement:

• support Elysia 1.4

Full Changelog: elysiajs/elysia-jwt@1.3.3...1.4.0

1.3.3

What's Changed

Feature:

• #110 add optional, typed 'options' argument to jwt.verify() and pass to jose jwtVerify() if present by @​jmlow

Bug fix:

• #109 type inconsistencies in JWT payload and improve schema-based inference by @​kimzuni
• #107 correct iat claim handling and expand allowed claim value type by @​kimzuni
• #105 adjust README in regard to the cookie plugin by @​codemusings

New Contributors

• @​jmlow made their first contribution in elysiajs/elysia-jwt#110
• @​kimzuni made their first contribution in elysiajs/elysia-jwt#109
• @​codemusings made their first contribution in elysiajs/elysia-jwt#105

Full Changelog: elysiajs/elysia-jwt@1.3.2...1.3.3

1.3.2

What's Changed

• fix: Resolve various issues with payload, schema, and types by @​victorfrei in elysiajs/elysia-jwt#104

New Contributors

• @​victorfrei made their first contribution in elysiajs/elysia-jwt#104

Full Changelog: elysiajs/elysia-jwt@1.3.1...1.3.2

Changelog

Sourced from @​elysiajs/jwt's changelog.

1.3.3 - 14 Jul 2025

Feature:

• #110 add optional, typed 'options' argument to jwt.verify() and pass to jose jwtVerify() if present

Bug fix:

• #109 type inconsistencies in JWT payload and improve schema-based inference
• #107 correct iat claim handling and expand allowed claim value type
• #105 adjust README in regard to the cookie plugin

1.3.2 - 14 Jul 2025

Bug fix:

• #104 Resolve various issues with payload, schema, and types
• #101 Closes Config exp not encoded in payload
• #23 Closes bug sign args exp type
• #98 Closes verify fails when using schema in Elysia JWT plugin
• #52 Closes iat Type inconsistency
• #36 Closes upgrade dependency "jose" to latest version to fix issues
• #19 Closes Header Parameter is stored in the payload instead of header

Commits

• c1ef884 🧹 chore: bump version
• c6e97f0 📘 doc: typo
• ac0313b 🔧 fix: error
• 964cd55 Merge pull request #108 from kimzuni/fix/nbf-exp-iat-handling
• ad918c4 Merge pull request #105 from codemusings/readme-fix-cookie
• 72dd9a3 Merge branch 'main' into fix/nbf-exp-iat-handling
• 70590fa Merge pull request #109 from kimzuni/fix/jwt-payload-types
• 9ac6676 Merge pull request #110 from jmlow/support-options-for-jwt-verify
• 9078f60 Pull 'await' out of ternary operator
• ce5f397 Add typed 'options' argument to jwt.verify(), then pass to jose verifyJwt()
• Additional commits viewable in compare view

Updates @sinclair/typebox from 0.34.34 to 0.34.41

Commits

• e0ec98c Revision 0.34.41 (#1310)
• 81c3686 Revision 0.34.40 (#1298)
• 16f1d0a Cast: Use Uniform over Reciprocal weighting on Union Select (#1293)
• c54a0f8 Revision 0.34.39 (#1296)
• 60fdafe Revision 0.34.38 (#1285)
• 97e3154 Preserve exact type matches in union conversion (#1282)
• 30cfe89 Revision 0.34.37 (#1278)
• 9783391 Fix: Correctly score nested unions (#1273)
• b40ba2c Revision 0.34.36 (#1276)
• cb3f898 Ecosystem (#1274)
• Additional commits viewable in compare view

Updates chalk from 5.4.1 to 5.6.2

Release notes

Sourced from chalk's releases.

v5.6.2

• Fix vulnerability in 5.6.1, see: chalk/chalk#656

v5.6.0

• Make WezTerm terminal use true color a8f5bf7

---

chalk/chalk@v5.5.0...v5.6.0

v5.5.0

• Make Ghostty terminal use true color (#653) 79ee2d3

---

chalk/chalk@v5.4.1...v5.5.0

Commits

• 5155778 5.6.2
• 5c91505 5.6.0
• a8f5bf7 Make WezTerm terminal use true color
• 67db246 5.5.0
• 79ee2d3 Make Ghostty terminal use true color (#653)
• See full diff in compare view

Updates drizzle-orm from 0.44.2 to 0.44.5

Release notes

Sourced from drizzle-orm's releases.

0.44.5

• Fixed invalid usage of .one() in durable-sqlite session
• Fixed spread operator related crash in sqlite blob columns
• Better browser support for sqlite blob columns
• Improved sqlite blob mapping

0.44.4

• Fix wrong DrizzleQueryError export. thanks @​nathankleyn

0.44.3

• Fixed types of $client for clients created by drizzle function

await db.$client.[...]

• Added the updated_at column to the neon_auth.users_sync table definition.

Commits

• 37d059f v0.44.5 (#4849)
• 33f0374 Upgrade drizzle-zod peerDeps
• 8b8d78e Fix export of DrizzleQueryError (fixes #4618) (#4778)
• 027921f Fixed types of $client for clients created by drizzle function from crede...
• e44d9bb Add updated_at column (#4106)
• ac1dcd9 Fix hakfvec (#4689)
• 5c6b3af Add databaseName and packageName properties for studio (#4683)
• 9895842 Studio transactions (#4664)
• See full diff in compare view

Updates elysia from 1.3.5 to 1.4.5

Release notes

Sourced from elysia's releases.

1.4.5

What's Changed

Improvement:

• soundness for guard, group
• overwrite primitive value if collide (intersectIfObject)

Bug fix:

• standard schema incorrectly validate cookie and coercion
• merge nested guard, group standalone schema properly

Breaking Change:

• no longer coerce type for .model with t.Ref by default

Full Changelog: elysiajs/elysia@1.4.4...1.4.5

1.4.4

What's changed

Bug fix:

• merge schema in GET method
• remove accidental console.log

Full Changelog: elysiajs/elysia@1.4.3...1.4.4

1.4.3

What's changed

Bug fix:

• mapValueError should return all possible value both in dev environment and production environment
• inline lifecycle get method doesn't inherit Singleton

Full Changelog: elysiajs/elysia@1.4.2...1.4.3

1.4.2

What's changed

Bug fix:

• remove debug q from inline handler

Full Changelog: elysiajs/elysia@1.4.1...1.4.2

1.4.1

What's Changed

Bug fix:

• type error for inline Elysia.file

Full Changelog: elysiajs/elysia@1.4.0...1.4.1

1.4.0

... (truncated)

Changelog

Sourced from elysia's changelog.

1.4.5 - 15 Sep 2025

Improvement:

• soundness for guard, group
• overwrite primitive value if collide (intersectIfObject)

Bug fix:

• standard schema incorrectly validate cookie and coercion
• merge nested guard, group standalone schema properly

Breaking Change:

• no longer coerce type for .model with t.Ref by default

1.4.4 - 13 Sep 2025

Bug fix:

• merge schema in GET method
• remove accidental console.log

1.4.3 - 13 Sep 2025

Bug fix:

• mapValueError should return all possible value both in dev environment and production environment
• inline lifecycle get method doesn't inherit Singleton

1.4.2 - 13 Sep 2025

Bug fix:

• remove debug q from inline handler

1.4.1 - 13 Sep 2025

Bug fix:

• type error for inline Elysia.file

1.4.0 - 13 Sep 2025

Feature:

• standard validator
• macro schema, macro extension, macro detail
• lifecycle type soundness
• type inference reduced by ~11%
• #861 missing HEAD method when register route with GET

Improvement

• #861 automatically add HEAD method when defining GET route

Change

• ObjectString/ArrayString no longer produce default value by default due to security reasons
• Cookie now dynamically parse when format is likely JSON
• export fileType for external file type validation for accurate response

Breaking Change

• remove macro v1 due to non type soundness
• remove error function, use status instead
• deprecation notice for response in mapResponse, afterResponse, use responseValue instead

... (truncated)

Commits

• a27b433 Merge pull request #1403 from elysiajs/next
• a964826 🔧 fix: soundness for guard, group
• d6f84eb 🔧 fix: merge multiple nested guard with schema
• ee201e4 🔧 fix: merge multiple nested guard with schema
• d3424c1 🔧 fix: merge multiple nested guard with schema
• f9000e3 🔧 fix: merge multiple nested guard with schema
• 631d292 🔧 fix: merge multiple nested guard with schema
• 55ce809 🔧 fix: use cookie.value to coerce value
• f620038 🔧 fix: elysia no longer coerce type for .model with t.Ref by default
• dee78dc 🔧 fix: cookie
• Additional commits viewable in compare view

Updates jose from 6.0.11 to 6.1.0

Release notes

Sourced from jose's releases.

v6.1.0

Features

• support AKP JWKs in calculateJwkThumbprint and calculateJwkThumbprintUri (cf2092a)
• support for the ML-DSA PQC Algorithm Identifiers (25ddce4)

v6.0.13

Refactor

• more readability in ecdhes.ts (84da9de)
• update asn1.ts helpers (b4f8fb3)

v6.0.12

Documentation

• add known caveats to customFetch (02e1f1e)
• mention the apu/apv parameter names in setKeyManagementParameters (6274d5a)
• update compact setKeyManagementParameters (2f44381)
• use GitHub Flavored Markdown for notes and warnings (f6b4ffc)

Refactor

• createPublicKey is not a constructor (61ded78)
• update asn1.ts helper functions (b2b611c)

Changelog

Sourced from jose's changelog.

6.1.0 (2025-08-27)

Features

• support AKP JWKs in calculateJwkThumbprint and calculateJwkThumbprintUri (cf2092a)
• support for the ML-DSA PQC Algorithm Identifiers (25ddce4)

6.0.13 (2025-08-21)

Refactor

• more readability in ecdhes.ts (84da9de)
• update asn1.ts helpers (b4f8fb3)

6.0.12 (2025-07-15)

Documentation

• add known caveats to customFetch (02e1f1e)
• mention the apu/apv parameter names in setKeyManagementParameters (6274d5a)
• update compact setKeyManagementParameters (2f44381)
• use GitHub Flavored Markdown for notes and warnings (f6b4ffc)

Refactor

• createPublicKey is not a constructor (61ded78)
• update asn1.ts helper functions (b2b611c)

Commits

• 6f3e004 chore(release): 6.1.0
• 25ddce4 feat: support for the ML-DSA PQC Algorithm Identifiers
• cf2092a feat: support AKP JWKs in calculateJwkThumbprint and calculateJwkThumbprintUri
• 2c519cc chore: cleanup after release
• 1e36dd2 chore(release): 6.0.13
• b4f8fb3 refactor: update asn1.ts helpers
• 413fa45 chore: bump packages
• 84da9de refactor: more readability in ecdhes.ts
• 475a3ed chore: npm run format
• b59c547 chore: bump packages
• Additional commits viewable in compare view

Updates radashi from 12.6.0 to 12.6.2

Release notes

Sourced from radashi's releases.

v12.6.2

Fixed

• (range) Ensure end parameter works when 0 in 9c8ffa0

v12.6.1

Fixed

• (group) Use Object.create(null) for the returned object in 5db8c37

Changelog

Sourced from radashi's changelog.

[radashi@12.6.2] - 2025-08-20

Details

Fixed

• (range) Ensure end parameter works when 0 in 9c8ffa0

[radashi@12.6.1] - 2025-08-09

Details

Fixed

• (group) Use Object.create(null) for the returned object in 5db8c37

Commits

• 7d519d3 chore(release): 12.6.2
• 9c8ffa0 fix(range): ensure end parameter works when 0 (#432)
• 2e880d5 chore(release): 12.6.1
• 5db8c37 fix(group): use Object.create(null) for the returned object (#427)
• 53f3e0e chore(docs): mention upperize and lowerize in the mapKeys docs
• 1e3adbd chore: fix build badge in README-pt_br.md
• 4787f81 chore(docs): fix broken link
• 7d40c7d chore: fix typo in mdx file
• 9d7964c chore: fix reference link
• See full diff in compare view

Updates @biomejs/biome from 2.0.6 to 2.2.4

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.2.4

2.2.4

Patch Changes

• #7453 aa8cea3 Thanks @​arendjr! - Fixed #7242: Aliases specified in package.json's imports section now support having multiple targets as part of an array.

• #7454 ac17183 Thanks @​arendjr! - Greatly improved performance of noImportCycles by eliminating allocations.

  In one repository, the total runtime of Biome with only noImportCycles enabled went from ~23s down to ~4s.

• #7447 7139aad Thanks @​rriski! - Fixes #7446. The GritQL $... spread metavariable now correctly matches members in object literals, aligning its behavior with arrays and function calls.

• #6710 98cf9af Thanks @​arendjr! - Fixed #4723: Type inference now recognises index signatures and their accesses when they are being indexed as a string.

  Example

  type BagOfPromises = {
    // This is an index signature definition. It declares that instances of type
    // `BagOfPromises` can be indexed using arbitrary strings.
    [property: string]: Promise<void>;
  };
  let bag: BagOfPromises = {};
  // Because bag.iAmAPromise is equivalent to bag[&quot;iAmAPromise&quot;], this is
  // considered an access to the string index, and a Promise is expected.
  bag.iAmAPromise;

• #7415 d042f18 Thanks @​qraqras! - Fixed #7212, now the useOptionalChain rule recognizes optional chaining using typeof (e.g., typeof foo !== 'undefined' && foo.bar).

• #7419 576baf4 Thanks @​Conaclos! - Fixed #7323. noUnusedPrivateClassMembers no longer reports as unused TypeScript private members if the rule encounters a computed access on this.

  In the following example, member as previously reported as unused. It is no longer reported.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.2.4

Patch Changes

• #7453 aa8cea3 Thanks @​arendjr! - Fixed #7242: Aliases specified in package.json's imports section now support having multiple targets as part of an array.

• #7454 ac17183 Thanks @​arendjr! - Greatly improved performance of noImportCycles by eliminating allocations.

  In one repository, the total runtime of Biome with only noImportCycles enabled went from ~23s down to ~4s.

• #7447 7139aad Thanks @​rriski! - Fixes #7446. The GritQL $... spread metavariable now correctly matches members in object literals, aligning its behavior with arrays and function calls.

• #6710 98cf9af Thanks @​arendjr! - Fixed #4723: Type inference now recognises index signatures and their accesses when they are being indexed as a string.

  Example

  type BagOfPromises = {
    // This is an index signature definition. It declares that instances of type
    // `BagOfPromises` can be indexed using arbitrary strings.
    [property: string]: Promise<void>;
  };
  let bag: BagOfPromises = {};
  // Because bag.iAmAPromise is equivalent to bag[&quot;iAmAPromise&quot;], this is
  // considered an access to the string index, and a Promise is expected.
  bag.iAmAPromise;

• #7415 d042f18 Thanks @​qraqras! - Fixed #7212, now the useOptionalChain rule recognizes optional chaining using typeof (e.g., typeof foo !== 'undefined' && foo.bar).

• #7419 576baf4 Thanks @​Conaclos! - Fixed #7323. noUnusedPrivateClassMembers no longer reports as unused TypeScript private members if the rule encounters a computed access on this.

  In the following example, member as previously reported as unused. It is no longer reported.

  class TsBioo {
    private member: number;
  set_with_name(name: string, value: number) {
  this[name] = value;
  }
  }

... (truncated)

Commits

• 5d212c5 ci: release (#7450)
• 351bccd chore: restore release files
• 32dbfa1 ci: release (#7413)
• 75b6a0d feat(linter): add rule noJsxLiterals (#7248)
• 53ff5ae feat(analyse/json): add noDuplicateDependencies rule (#7142)
• daa4a66 ci: release (#7306)
• 0f38ea6 chore: add new bronze sponsor (#7397)
• 7f53274 docs: safety of useSortedKeys (#6112)
• fad34b9 feat(biome_js_analyze): add UseConsistentArrowReturn rule (#7245)
• 4416573 feat(lint/vue): implement useVueMultiWordComponentNames (#7373)
• Additional commits viewable in compare view

Updates @types/node from 24.0.10 to 24.4.0

Commits

• See full diff in compare view

Updates bun-types from 1.2.18 to 1.2.22

Release notes

Sourced from bun-types's releases.

Bun v1.2.22

To install Bun v1.2.22

curl -fsSL https://bun.sh/install | bash
# or you can use npm
# npm install -g bun

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

To upgrade to Bun v1.2.22:

bun upgrade

Read Bun v1.2.22's release notes on Bun's blog

Thanks to 14 contributors!

• @​alii
• @​avarayr
• @​cirospaciari
• @​dylan-conway
• @​jarred-sumner
• @​lydiahallie
• @​markovejnovic
• @​nektro
• @​pfgithub
• @​robobun
• @​samyarkd
• @​sosukesuzuki
• @​taylordotfish
• @​zackradisic

Bun v1.2.21

To install Bun v1.2.21

curl -fsSL https://bun.sh/install | bash
# or you can use npm
# npm install -g bun

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

... (truncated)

Commits

• d9551dd fix: AbortController instance is empty with @​types/node>=24.3.1 (#22588)
• 88a0002 feat: Add Redis HGET command (#22579)
• 6611983 Revert "Redis PUB/SUB (#21728)"
• d7ca10e Remove unused function/class names when minifying (#22492)
• dc3c8f7 Redis PUB/SUB (#21728)
• 3ee477f fix: scanner on update, install, remove, uninstall and add, and introduce the...
• 8ec4c0a bun:test: Introduce optional type parameter to make bun:test matchers type-...
• e63608f Fix: Make SQL connection string parsing more sensible (#22260)
• d919a76 @​types/bun: A couple missing properties in AbortSignal & `RegExpConstructor...
• 5b7fd9e node:_http_server: implement Server.prototype.closeIdleConnections (#22234)
• Additional commits viewable in compare view

Updates typescript from 5.8.3 to 5.9.2

Release notes

Sourced from typescript's releases.

TypeScript 5.9

For release notes, check out the release announcement

• fixed issues query for Typescript 5.9.0 (Beta).
• fixed issues query for Typescript 5.9.1 (RC).
• No specific changes for TypeScript 5.9.2 (Stable)

Downloads are available on:

• npm

TypeScript 5.9 RC

For release notes, check out the release announcement

• fixed issues query for Typescript 5.9.0 (Beta).
• fixed issues query for Typescript 5.9.1 (RC).

Downloads are available on:

• npm

TypeScript 5.9 Beta

For release notes, check out the release announcement.

• fixed issues query for Typescript 5.9.0 (Beta).

Downloads are available on:

• npm

Commits

• be86783 Give more specific errors for verbatimModuleSyntax (#62113)
• 22ef577 LEGO: Pull request from lego/hb_5378966c-b857-470a-8675-daebef4a6da1_20250714...
• d5a414c Don't use noErrorTruncation when printing types with maximumLength set (#...
• f14b5c8 Remove unused and confusing dom.iterable.d.ts file (#62037)
• 2778e84 Restore AbortSignal.abort (#62086)
• 65cb4bd LEGO: Pull request from lego/hb_5378966c-b857-470a-8675-daebef4a6da1_20250710...
• 9e20e03 Clear out checker-level stacks on pop (#62016)
• 87740bc Fix for Issue 61081 (#61221)
• 833a8d4 Fix Symbol completion priority and cursor positioning (#61945)
• 0018c9f LEGO: Pull request from lego/hb_5378966c-b857-470a-8675-daebef4a6da1_20250702...
• Additional commits viewable in compare view

Updates vitepress from 1.6.3 to 1.6.4

Changelog

Sourced from vitepress's changelog.

1.6.4 (2025-08-05)

Commits

• 1fc537b release: v1.6.4
• e7a0ae8 chore: error when trying rolldown-vite with vitepress v1 (#4888)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.