fix(deps): update all dependencies by renovate[bot] · Pull Request #20 · ProverCoderAI/openapi-effect

renovate · 2026-02-21T13:44:04Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Type	Update
@biomejs/biome (source)	`^2.4.4` → `^2.4.15`	devDependencies	patch
@changesets/changelog-github (source)	`^0.5.2` → `^0.7.0`	devDependencies	minor
@changesets/cli (source)	`^2.29.8` → `^2.31.0`	devDependencies	minor
@effect/cli (source)	`^0.73.2` → `^0.75.1`	dependencies	minor
@effect/cluster (source)	`^0.56.4` → `^0.58.2`	dependencies	minor
@effect/experimental (source)	`^0.58.0` → `^0.60.0`	dependencies	minor
@effect/platform (source)	`^0.94.5` → `^0.96.1`	dependencies	minor
@effect/platform-node (source)	`^0.104.1` → `^0.106.0`	dependencies	minor
@effect/printer (source)	`^0.47.0` → `^0.49.0`	dependencies	minor
@effect/printer-ansi (source)	`^0.47.0` → `^0.49.0`	dependencies	minor
@effect/rpc (source)	`^0.73.2` → `^0.75.1`	dependencies	minor
@effect/sql (source)	`^0.49.0` → `^0.51.1`	dependencies	minor
@effect/typeclass (source)	`^0.38.0` → `^0.40.0`	dependencies	minor
@effect/vitest (source)	`^0.27.0` → `^0.29.0`	devDependencies	minor
@effect/workflow (source)	`^0.16.0` → `^0.18.1`	dependencies	minor
@eslint-community/eslint-plugin-eslint-comments	`^4.6.0` → `^4.7.1`	devDependencies	minor
@eslint/compat (source)	`2.0.2` → `2.1.0`	devDependencies	minor
@eslint/eslintrc	`3.3.3` → `3.3.5`	devDependencies	patch
@prover-coder-ai/eslint-plugin-suggest-members	`^0.0.25` → `^0.0.26`	devDependencies	patch
@types/node (source)	`^24.10.13` → `^24.12.4`	devDependencies	minor
@typescript-eslint/eslint-plugin (source)	`^8.56.0` → `^8.59.4`	devDependencies	minor
@typescript-eslint/parser (source)	`^8.56.0` → `^8.59.4`	devDependencies	minor
@vitest/coverage-v8 (source)	`^4.0.18` → `^4.1.6`	devDependencies	minor
@vitest/eslint-plugin	`^1.6.9` → `^1.6.17`	devDependencies	patch
actions/upload-artifact	`v6` → `v7`	action	major
effect (source)	`^3.19.18` → `^3.21.2`	dependencies	minor
eslint (source)	`^10.0.1` → `^10.4.0`	devDependencies	minor
eslint-plugin-simple-import-sort	`^12.1.1` → `^13.0.0`	devDependencies	major
eslint-plugin-sonarjs (source)	`^4.0.0` → `^4.0.3`	devDependencies	patch
eslint-plugin-unicorn	`^63.0.0` → `^64.0.0`	devDependencies	major
globals	`^17.3.0` → `^17.6.0`	devDependencies	minor
jscpd	`^4.0.8` → `^4.2.3`	devDependencies	minor
node	`24.13.1` → `24.15.0`	uses-with	minor
pnpm (source)	`10.30.1` → `11.1.3`	packageManager	major
pnpm/action-setup	`v4` → `v6`	action	major
pnpm/action-setup	`v3` → `v6`	action	major
ts-morph	`^27.0.2` → `^28.0.0`	dependencies	major
typescript (source)	`^5.9.3` → `^6.0.3`	devDependencies	major
typescript-eslint (source)	`^8.56.0` → `^8.59.4`	devDependencies	minor
vite (source)	`^7.3.1` → `^8.0.13`	devDependencies	major
vitest (source)	`^4.0.18` → `^4.1.6`	devDependencies	minor

cc @skulidropek

Release Notes

biomejs/biome (@biomejs/biome)

`v2.4.15`

Compare Source

Patch Changes

#9394 ba3480e Thanks @dyc3! - Added the nursery rule useTestHooksInOrder in the test domain. The rule enforces that Jest/Vitest lifecycle hooks (beforeAll, beforeEach, afterEach, afterAll) are declared in the order they execute, making test setup and teardown easier to reason about.
#10254 e0a54cc Thanks @dyc3! - Added a new nursery rule useVueNextTickPromise, which enforces Promise syntax when using Vue nextTick.

For example, the following snippet triggers the rule:
```
import { nextTick } from "vue";

nextTick(() => {
  updateDom();
});
```
#10219 64aee45 Thanks @dyc3! - Added a new nursery rule noVueVOnNumberValues, that disallows deprecated number modifiers on Vue v-on directives.

For example, the following snippet triggers the rule:
```
<input @&#8203;keyup.13="submit" />
```
#10195 7b8d4e1 Thanks @dyc3! - Added the new nursery rule useVueValidVFor, which validates Vue v-for directives and reports invalid aliases, missing component keys, and keys that do not use iteration variables.
#10238 1110256 Thanks @dyc3! - Added the recommended nursery rule noVueImportCompilerMacros, which disallows importing Vue compiler macros such as defineProps from vue because they are automatically available.
#10201 1a08f89 Thanks @realknove! - Fixed #10193: style/useReadonlyClassProperties no longer reports class properties as readonly-able when they are assigned inside arrow callbacks nested in class property initializers.
#9574 3bd2b6a Thanks @Conaclos! - Fixed #9530. The diagnostics of organizeImports are now more detailed and more precise. They are also better at localizing where the issue is.
#10205 a704a6c Thanks @Conaclos! - Fixed #10185. `organizeImports now errors when it encounters an unknown predefined group.

The following configuration is now reported as invalid because :INEXISTENT: is an unknown predefined group.
```
{
  "assist": {
    "actions": {
      "source": {
        "organizeImports": { "options": { "groups": [":INEXISTENT:"] } }
      }
    }
  }
}
```
#10052 b565bed Thanks @minseong0324! - Improved noMisleadingReturnType: it now flags union annotations whose extra variants are never returned, and suggests the narrower type (e.g. string | null → string).

These functions are now reported because null and number are included in the return annotations but never returned:
```
function getUser(): string | null {
  return "hello";
} // null is never returned
function getCode(): string | number {
  return "hello";
} // number is never returned
```
#10213 ac30057 Thanks @dyc3! - Fixed #9450: HTML and Vue element formatting now preserves child line breaks when an element contains another element child on its own line, instead of collapsing the child element onto the same line.
#10275 9ee6c03 Thanks @solithcy! - Fixed #10274: Svelte templates with missing expressions no longer parsed as HtmlBogusElement
#10143 56798a7 Thanks @minseong0324! - noMisleadingReturnType now detects misleading return type annotations when object literal properties are initialized with as const.

This function is now reported because the return annotation widens a property initialized with as const:
```
function f(): { value: string } {
  return { value: "text" as const };
}
```
#10143 56798a7 Thanks @minseong0324! - noUselessTypeConversion now detects redundant conversions on object literal properties initialized with as const.

This conversion is now reported because message.value is inferred as a string literal:
```
const message = { value: "text" as const };
String(message.value);
```
#9807 0ae5840 Thanks @dyc3! - Added the new nursery rule useThisInClassMethods, based on ESLint's class-methods-use-this.

The rule now reports instance methods, getters, setters, and function-valued instance fields that do not use this, and biome migrate eslint preserves the supported ignoreMethods, ignoreOverrideMethods, and ignoreClassesWithImplements options.

Invalid:
```
class Foo {
  bar() {
    // does not use `this`, invalid
    console.log("Hello Biome");
  }
}
```
#10258 e7b18f7 Thanks @ematipico! - Improved linter performance by narrowing the query nodes for several lint rules, reducing how often they are evaluated.
#10273 04e22a1 Thanks @dyc3! - Fixed #10271: The HTML parser now correctly parses of as text content when in text contexts.
#9838 83f7385 Thanks @dyc3! - Added the nursery rule noBaseToString, which reports stringification sites that fall back to Object's default "[object Object]" formatting. The rule also supports the ignoredTypeNames option.
#10143 56798a7 Thanks @minseong0324! - useExhaustiveSwitchCases now checks switch statements over object literal properties initialized with as const.

This switch is now reported because status.kind is inferred as the string literal "ready" but no case handles it:
```
const status = { kind: "ready" as const };
switch (status.kind) {
}
```
#10143 56798a7 Thanks @minseong0324! - useStringStartsEndsWith now detects string index comparisons on object literal properties initialized with as const.

This comparison is now reported because message.value is inferred as a string literal:
```
const message = { value: "hello" as const };
message.value[0] === "h";
```

`v2.4.14`

Compare Source

Patch Changes

#9393 491b171 Thanks @dyc3! - Added the nursery rule useTestHooksOnTop in the test domain. The rule flags lifecycle hooks (beforeEach, beforeAll, afterEach, afterAll) that appear after test cases in the same block, enforcing that hooks are defined before any test case.
#10157 eefc5ab Thanks @dyc3! - Fixed #7882: The HTML parser will now emit better diagnostics when it encounters a void element with a closing tag, such as <br></br>. Previously, the parser would emit multiple diagnostics with conflicting advice. Now it emits a single diagnostic that clearly states that void elements should not have closing tags.
#10054 0e9f569 Thanks @minseong0324! - noMisleadingReturnType no longer misses widening from concrete object types, class instances, object literals, tuples, functions, and regular expressions to : object.

A function annotated : object returning an object literal:
```
function f(): object {
  return { retry: true };
}
```
#10116 53269eb Thanks @jiwon79! - Fixed #6201: noUselessEscapeInRegex no longer flags an escaped backslash followed by - as a useless escape. Patterns like /[\\-]/ are now considered valid because the second \ is the escaped backslash, not an unnecessary escape of the trailing dash.
#10092 33d8543 Thanks @Conaclos! - Fixed #9097: organizeImports no longer adds a blank line between a never-matched group and a matched group.

Given the following organizeImports options:
```
{
  "groups": [":NODE:", ":BLANK_LINE:", ":PACKAGE:", ":BLANK_LINE:", ":PATH:"]
}
```
The following code...
```
// Comment
import "package";
import "./file.js";
```
...was organized as:
```
+
  // Comment
  import "package";
+
  import "./file.js";
```
A blank line was added even though the group ':NODE:' doesn't match any imports here.
:BLANK_LINE: between never-matched groups and matched groups are now ignored.
The code is now organized as:
```
  // Comment
  import "package";
+
  import "./file.js";
```
#10138 a10b6c1 Thanks @dyc3! - Fixed Vue v-for handling for noUndeclaredVariables and noUnusedVariables. Biome now recognizes variables declared by v-for directives and references to iterated values in Vue templates.
#10115 d428d76 Thanks @minseong0324! - noMisleadingReturnType no longer reports false positives when a union return type's boolean variant is covered by both true and false returns.
#9922 7acf1e0 Thanks @dyc3! - Added the new nursery rule noReactStringRefs, which disallows legacy React string refs such as ref="hello" and this.refs.hello.

Biome also reports template-literal refs such as ref={`hello`}, so React code can consistently migrate to callback refs, createRef(), or useRef().
#10010 f3e76ab Thanks @dyc3! - Fixed a bug in the LSP file watcher registration so Biome now watches .biome.json and .biome.jsonc configuration files and reloads workspace settings when they change.
#10176 8a40ef8 Thanks @dyc3! - Fixed #10011: The noThisInStatic rule no longer reports this when it is used as the constructor target in new this(...), which is required for inherited static factory methods.
#10163 6867e96 Thanks @jiwon79! - Fixed #9884: The useSortedAttributes auto-fix no longer corrupts source code when both an outer JSX element and a nested JSX-valued attribute have unsorted attributes in the same pass. Multiple unsorted groups separated by spread or shorthand attributes within the same JSX element are now reported as a single diagnostic.
#10079 d29dd19 Thanks @Damix48! - Fixed false positive in noAssignInExpressions for Svelte {@const} blocks. Assignments in {@const name = value} are now correctly recognized as declarations rather than accidental assignments in expressions.
#10080 5d8fdac Thanks @Damix48! - Fixed parsing of closing parentheses in Svelte {#each} block key expressions. Biome now correctly parses method calls and other parenthesised expressions used as keys.

For example, the following snippets are now parsed correctly:
```
{#each numbers as number, index (number.toString())}
  <p>{number}</p>
{/each}

{#each numbers as number (key(number))}
  <p>{number}</p>
{/each}
```
#10140 e7024b9 Thanks @solithcy! - Fixed #10135: Biome no longer crashes on missing Svelte template expressions.

The following code snippet longer panics:
```
{#if }
 <p>^ this would previously crash</p>
{/if}
{@&#8203;const }
<p>    ^ this would also crash</p>
```
#10111 7818009 Thanks @jiwon79! - Fixed #9997: noDuplicateSelectors no longer reports false positives for selectors inside @scope queries. Biome now treats @scope as a separate at-rule context, like @media, @supports, @container, and @starting-style.

The following snippet is no longer flagged as a duplicate:
```
.Example {
  padding: 0;
}

@&#8203;scope (.theme-dark) {
  .Example {
    color: white;
  }
}
```
#9926 d62b331 Thanks @dyc3! - Added the nursery lint rule useMathMinMax, which prefers Math.min() and Math.max() over equivalent ternary comparisons.

For example, this code:
```
const min = a < b ? a : b;
```
is much more readable when rewritten as:
```
const min = Math.min(a, b);
```
#10115 d428d76 Thanks @minseong0324! - useExhaustiveSwitchCases now flags missing true/false cases for boolean discriminants, including when boolean is a union variant.
#10125 a55a0b6 Thanks @bmish! - Fixed a resolver bug where packages that define a typed entry point through package.json's main field but omit types were ignored during type-aware resolution. Type-aware rules such as noFloatingPromises can now inspect imports from those packages.
#10117 895e809 Thanks @denizdogan! - Added support for the corner-shape family of CSS properties and the superellipse()/squircle() value functions, so noUnknownProperty and noUnknownFunction no longer flag them as unknown.

New known properties: corner-shape, corner-block-end-shape, corner-block-start-shape, corner-bottom-left-shape, corner-bottom-right-shape, corner-bottom-shape, corner-end-end-shape, corner-end-start-shape, corner-inline-end-shape, corner-inline-start-shape, corner-left-shape, corner-right-shape, corner-start-end-shape, corner-start-start-shape, corner-top-left-shape, corner-top-right-shape, corner-top-shape.

New known value functions: superellipse(), squircle().
#8620 8df8f73 Thanks @dyc3! - Fixed #8062: Added support for parsing Vue v-for directives more accurately.
#10191 aa055cd Thanks @guney! - Now the rule noStaticElementInteractions doesn't trigger custom elements.
#9757 2c62594 Thanks @dyc3! - Fixed #9099: the HTML formatter collapsing non-text children (inline elements, Svelte expressions, comments) onto a single line when the source had them on separate lines. Biome now preserves the user's intended line breaks for exclusively non-text children.

For example, the following Svelte snippet is now preserved instead of being collapsed to <div>{name}</div>:
```
<div>
  {name}
</div>
```
Similarly, HTML elements like <span> inside a <div> are now preserved when written on their own line:
```
<div>
  <span>text</span>
</div>
```
#10105 e7c1a6d Thanks @jiwon79! - Fixed #10039: useReadonlyClassProperties now detects unreassigned private members in class expressions and export default classes, not only in class declarations.

The following patterns are now correctly flagged:
```
const AnonClass = class {
  #prop = 123;
  constructor() {
    console.log(this.#prop);
  }
};

export default class {
  #prop = 123;
  constructor() {
    console.log(this.#prop);
  }
}
```
#10141 46a77d0 Thanks @minseong0324! - Improved noUnnecessaryConditions to detect conditions that are always truthy because they check built-in global class instances such as Date, Map, Set, WeakMap, and Error.
#10178 7b05a89 Thanks @dyc3! - Fixed #10177: The HTML parser no longer reports lowercase html or doctype text as invalid after void elements such as <br>.
#10155 0d4595d Thanks @jiwon79! - Fixed #10045: the CSS formatter no longer compounds indentation inside nested functional pseudo-classes such as :not(:where(...)), :is(:where(...)), and similar combinations. The same fix also removes one level of unnecessary indentation that was added inside any pseudo-class function whose argument list wrapped onto multiple lines, including :nth-child(... of ...), ::part(...), and :active-view-transition-type(...).
The following snippet is now correctly formatted, matching Prettier.
```
input:not(
  :where(
    [type="submit"],
    [type="checkbox"],
    [type="radio"],
    [type="button"],
    [type="reset"]
  )
) {
  inline-size: 100%;
}
```
#10112 6f0251e Thanks @dyc3! - Fixed #10110: Biome's parser now accepts surrogate code points in JavaScript string \u{...} escapes.
#10141 46a77d0 Thanks @minseong0324! - Improved noMisleadingReturnType to detect object return annotations that hide built-in global class instances such as Date, Map, Set, WeakMap, and Error.
#10083 4a664c1 Thanks @ematipico! - Added two new options to noShadow, both defaulting to true to match typescript-eslint's behavior.

Fixed #9482: Added ignoreFunctionTypeParameterNameValueShadow option. When enabled, parameter names inside function type annotations (e.g. (options: unknown) => void) are not flagged as shadowing outer variables.

Fixed #7812: Added ignoreTypeValueShadow option. When enabled, a value binding that shares its name with a type-only declaration (type alias or interface) is not flagged, since types and values occupy separate namespaces in TypeScript.
#9286 52695cf Thanks @Hugo-Polloli! - Fixed #6316: Biome now resolves Svelte $store references to the underlying store binding in semantic analysis, preventing false noUndeclaredVariables diagnostics when the store is declared.
#10188 ae659dd Thanks @dyc3! - Added a new nursery rule noExcessiveNestedCallbacks, which disallows callbacks nested deeper than the configured maximum.
#9757 2c62594 Thanks @dyc3! - Fixed #9450: the HTML formatter now correctly preserves multiline formatting for nested <template> elements (e.g. <template #body>) when the source has children on separate lines. Previously, the children were collapsed onto a single line.
```
 <template>
   <UModal>
-    <template #body> <p>content</p> </template>
+    <template #body>
+      <p>content</p>
+    </template>
   </UModal>
 </template>
```
#10118 c6edcb4 Thanks @Netail! - Fixed #10024: biome migrate eslint correctly migrates eslint rules that belong to multiple Biome rules.

`v2.4.13`

Compare Source

Patch Changes

#9969 c5eb92b Thanks @officialasishkumar! - Added the nursery rule noUnnecessaryTemplateExpression, which disallows template literals that only contain string literal expressions. These can be replaced with a simpler string literal.

For example, the following code triggers the rule:
```
const a = `${"hello"}`; // can be 'hello'
const b = `${"prefix"}_suffix`; // can be 'prefix_suffix'
const c = `${"a"}${"b"}`; // can be 'ab'
```

#10037 f785e8c Thanks @minseong0324! - Fixed #9810: noMisleadingReturnType no longer reports false positives on a getter with a matching setter in the same namespace.

class Store {
  get status(): string {
    if (Math.random() > 0.5) return "loading";
    return "idle";
  }
  set status(v: string) {}
}

#10084 5e2f90c Thanks @jiwon79! - Fixed #10034: noUselessEscapeInRegex no longer flags escapes of ClassSetReservedPunctuator characters (&, !, #, %, ,, :, ;, <, =, >, @, `, ~) inside v-flag character classes as useless. These characters are reserved as individual code points in v-mode, so the escape is required.

The following pattern is now considered valid:
```
/[a-z\&]/v;
```
#10063 c9ffa16 Thanks @Netail! - Added extra rule sources from ESLint CSS. biome migrate eslint should do a bit better detecting rules in your eslint configurations.
#10035 946b50e Thanks @Netail! - Fixed #10032: useIframeSandbox now flags if there's no initializer value.
#9865 68fb8d4 Thanks @dyc3! - Added the new nursery rule useDomNodeTextContent, which prefers textContent over innerText for DOM node text access and destructuring.

For example, the following snippet triggers the rule:
```
const foo = node.innerText;
```
#10023 bd1e74f Thanks @ematipico! - Added a new nursery rule noReactNativeDeepImports that disallows deep imports from the react-native package. Internal paths like react-native/Libraries/... are not part of the public API and may change between versions.

For example, the following code triggers the rule:
```
import View from "react-native/Libraries/Components/View/View";
```
#9885 3dce737 Thanks @dyc3! - Added a new nursery rule useDomQuerySelector that prefers querySelector() and querySelectorAll() over older DOM query methods such as getElementById() and getElementsByClassName().
#9995 4da9caf Thanks @siketyan! - Fixed #9994: Biome now parses nested CSS rules correctly when declarations follow them inside embedded snippets.
#10009 b41cc5a Thanks @Jayllyz! - Fixed #10004: noComponentHookFactories no longer reports false positives for object methods and class methods.
#9988 eabf54a Thanks @Netail! - Tweaked the diagnostics range for useAltText, useButtonType, useHtmlLang, useIframeTitle, useValidAriaRole & useIfameSandbox to report on the opening tag instead of the full tag.
#10043 fc65902 Thanks @mujpao! - Fixed #10003: Biome no longer panics when parsing Svelte files containing {#}.
#9815 5cc83b1 Thanks [@&#82

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

coderabbitai · 2026-05-14T12:31:27Z

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

📝 Walkthrough

Walkthrough

Bump CI action versions, pin pnpm to 11.1.2 in root and app, and update Changesets plus many app dependencies/devDependencies (Effect stack, TypeScript tooling, linting, testing, and build tools).

Changes

Toolchain and dependency upgrades

Layer / File(s)	Summary
GitHub Actions versions `.github/actions/setup/action.yml`, `.github/workflows/checking-dependencies.yml`, `.github/workflows/snapshot.yml`	pnpm action bumped to `@v6` in composite and workflow; `actions/setup-node` Node input updated to `24.15.0`; artifact upload action bumped to `actions/upload-artifact@v7`.
pnpm version pins `package.json`, `packages/app/package.json`	Workspace and app `packageManager` updated from `pnpm@10.30.1` to `pnpm@11.1.2`.
Dependency and toolchain upgrades `package.json`, `packages/app/package.json`	Root Changesets packages (`@changesets/changelog-github`, `@changesets/cli`) bumped; app package `dependencies` and `devDependencies` refreshed (Effect packages, ts-morph, Biome/ESLint, TypeScript tooling, Vitest/Vite, etc.).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

Dependency Dashboard effect-template#10: Overlaps pnpm/action-setup, pnpm pinning, and tooling/version updates.
Dependency Dashboard eslint-plugin-suggest-members#2: Matches workflow and pnpm/tooling bumps in CI and manifests.
Dependency Dashboard #1: Mirrors the same workflow and package.json version updates.
Dependency Dashboard dist-deps-prune#2: Contains similar dependency/version bump changes (pnpm, actions, packages).
Dependency Dashboard context-doc#5: Renovate-style workflow and package pin bumps align with that issue.
Dependency Dashboard effect-eslint-template#6: Shares pnpm and ESLint/Biome/tooling dependency updates.

Poem

🐇 I nudged a YAML line, made pnpm climb to eleven,
Actions hum a newer tune, workflows light as heaven.
Packages refreshed, linters wake and play,
Tests tiptoe cleaner paths, building through the day.
✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix(deps): update all dependencies' directly matches the changeset, which updates dependencies across multiple configuration files and package manifests.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description is a standard Renovate-generated dependency update with a comprehensive table of package changes, release notes, and configuration details.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

Create stacked PR
Commit on current branch

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch renovate/all

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/actions/setup/action.yml:
- Line 13: The workflow currently uses a mutable tag "pnpm/action-setup@v6";
replace that with an immutable full commit SHA (40-hex) for pnpm/action-setup to
pin the action (e.g., "pnpm/action-setup@<full-commit-sha>"). Locate the "uses:
pnpm/action-setup@v6" entry in the action.yml and update it to the exact commit
SHA from the pnpm/action-setup repository, verify the SHA is full-length (40
characters) and that the workflow still runs correctly after the change.

In @.github/workflows/checking-dependencies.yml:
- Line 15: Replace the mutable tag reference "uses: pnpm/action-setup@v6" with
an immutable pin to the full commit SHA for the pnpm/action-setup action (e.g.,
"uses: pnpm/action-setup@<full-commit-sha>"); locate the occurrences of
"pnpm/action-setup@v6" in the workflow and update them to the corresponding
release commit SHA from the action's repository, then verify the workflow runs
successfully.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 4cd2e52a-a23f-4849-8bc7-20b25e799703

📥 Commits

Reviewing files that changed from the base of the PR and between 6b3e168 and 373422e.

⛔ Files ignored due to path filters (1)

pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (5)

.github/actions/setup/action.yml
.github/workflows/checking-dependencies.yml
.github/workflows/snapshot.yml
package.json
packages/app/package.json

coderabbitai · 2026-05-14T12:34:25Z

  steps:
    - name: Install pnpm
-      uses: pnpm/action-setup@v3
+      uses: pnpm/action-setup@v6


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash # Verify mutable action refs under .github (tag-based refs like `@v1/`@v6). # Expected: no matches after SHA pinning. rg -n --iglob '*.yml' --iglob '*.yaml' 'uses:\s*[^@[:space:]]+@v[0-9]+(\.[0-9]+){0,2}\b' .github

Repository: ProverCoderAI/openapi-effect

Length of output: 1009

Pin pnpm/action-setup to an immutable commit SHA.

Line 13 uses a mutable tag (@v6). Please pin to a full-length commit SHA to reduce supply-chain risk and avoid policy breaks in hardened org settings.

🔒 Suggested change

- uses: pnpm/action-setup@v6 + uses: pnpm/action-setup@<full-length-commit-sha> # v6.x

Reference: https://docs.github.com/actions/security-guides/security-hardening-for-github-actions

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/actions/setup/action.yml at line 13, The workflow currently uses a mutable tag "pnpm/action-setup@v6"; replace that with an immutable full commit SHA (40-hex) for pnpm/action-setup to pin the action (e.g., "pnpm/action-setup@<full-commit-sha>"). Locate the "uses: pnpm/action-setup@v6" entry in the action.yml and update it to the exact commit SHA from the pnpm/action-setup repository, verify the SHA is full-length (40 characters) and that the workflow still runs correctly after the change.

coderabbitai · 2026-05-14T12:34:25Z

    steps:
      - uses: actions/checkout@v6
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@v6


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash # Verify mutable action refs under .github (tag-based refs like `@v1/`@v6). # Expected: no matches after SHA pinning. rg -n --iglob '*.yml' --iglob '*.yaml' 'uses:\s*[^@[:space:]]+@v[0-9]+(\.[0-9]+){0,2}\b' .github

Repository: ProverCoderAI/openapi-effect

Length of output: 1009

Pin pnpm/action-setup to a commit SHA instead of a mutable tag.

Line 15 uses @v6, which is a mutable tag reference. Per GitHub's security hardening guidelines, action references should be pinned to full commit SHAs to ensure immutability and prevent unintended updates from tag rewrites.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/checking-dependencies.yml at line 15, Replace the mutable tag reference "uses: pnpm/action-setup@v6" with an immutable pin to the full commit SHA for the pnpm/action-setup action (e.g., "uses: pnpm/action-setup@<full-commit-sha>"); locate the occurrences of "pnpm/action-setup@v6" in the workflow and update them to the corresponding release commit SHA from the action's repository, then verify the workflow runs successfully.

coderabbitai

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 6: The package.json currently sets "packageManager": "pnpm@11.1.2" but
pnpm v11 requires config and environment changes; run the recommended codemod
(pnpx codemod run pnpm-v10-to-v11) and then: move any settings under the
package.json "pnpm" field into pnpm-workspace.yaml, strip .npmrc to only
auth/registry entries, update .nvmrc and CI to Node.js 22+ to match pnpm v11,
rename any environment variables from npm_config_* to pnpm_config_ and manually
review remaining envs, and rename or invoke scripts named
clean/setup/deploy/rebuild using pnpm pm to avoid shadowing built-ins.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 78ded05a-1811-4eac-8349-84f29cb8618e

📥 Commits

Reviewing files that changed from the base of the PR and between 6898c52 and 57c74f4.

⛔ Files ignored due to path filters (1)

pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (5)

.github/actions/setup/action.yml
.github/workflows/checking-dependencies.yml
.github/workflows/snapshot.yml
package.json
packages/app/package.json

🚧 Files skipped from review as they are similar to previous changes (4)

.github/actions/setup/action.yml
.github/workflows/checking-dependencies.yml
.github/workflows/snapshot.yml
packages/app/package.json

coderabbitai · 2026-05-17T12:25:00Z

  "private": true,
  "description": "Monorepo workspace for effect-template",
-  "packageManager": "pnpm@10.30.1",
+  "packageManager": "pnpm@11.1.2",


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

pnpm 11 breaking changes and migration guide

💡 Result:

pnpm 11 is a major release that introduces significant breaking changes, security-first defaults, and architectural improvements [1]. The official migration guide is available at https://pnpm.io/11.x/migration [2]. Key Breaking Changes and Migration Steps Configuration Changes pnpm 11 significantly changes how configuration is handled [3][1]: - Configuration is no longer read from the pnpm field in package.json; move these settings to pnpm-workspace.yaml [3][2]. -.npmrc files are now restricted to auth and registry settings only [3][1]. All other settings (e.g., hoist-pattern, node-linker) must be moved to pnpm-workspace.yaml using camelCase keys [3][2]. - npm_config_* environment variables are no longer supported; rename them to pnpm_config_* [3][1]. - pnpm no longer reads npm's global config at $PREFIX/etc/npmrc [1]. Dependency and Script Management - Build-dependency settings (onlyBuiltDependencies, neverBuiltDependencies, etc.) are consolidated into a single allowBuilds map in pnpm-workspace.yaml [3][1]. - Package manager strictness settings are collapsed into a single pmOnFail setting [3][2]. - Script names now shadow built-in commands [3]. If you have scripts named clean, setup, deploy, or rebuild, pnpm will execute your script instead of the built-in command; use pnpm pm to access the built-in version [3]. - pnpm install -g (with no arguments) is no longer supported; use pnpm add -g instead [3][1]. Environment and Infrastructure - Node.js 18, 19, 20, and 21 are no longer supported; Node.js 22+ is required [1]. - pnpm is now distributed as pure ESM [1]. - Global installs are now isolated using a global-virtual-store, preventing interference between global packages [1]. Security and New Features - Minimum Release Age: By default, pnpm 11 blocks the installation of package versions published within the last 24 hours to mitigate supply chain attacks [4][5][6]. - Exotic Subdependencies: pnpm 11 blocks dependencies resolved from non-standard sources (e.g., Git repositories or direct tarball URLs) by default [4][6]. - Native Publish: The npm CLI fallback for publishing has been removed in favor of a native implementation [1]. - Store Index: The store index has been migrated from a JSON-per-package format to a single SQLite database for improved performance [1][5]. Migration Tooling The pnpm team provides a codemod to automate many of these changes [2]. You can run it in your project directory: pnpx codemod run pnpm-v10-to-v11 [2] For changes that cannot be automated, such as environment variable updates, manual review is required [3][2].

Citations:

1: https://pnpm.io/blog/releases/11.0

2: https://pnpm.io/11.x/migration

3: https://pnpm.io/migration

4: https://gbhackers.com/pnpm-11-enables-default-release-age-guard/

5: https://cyberpress.org/pnpm-blocks-supply-attacks/

6: https://undercodenews.com/pnpm-11-reinvents-javascript-security-a-new-era-for-dependency-protection/

🌐 Web query:

pnpm 11.1.2 release notes and security advisories

💡 Result:

As of May 17, 2026, pnpm version 11.1.2 is the latest release [1]. Release Notes for pnpm 11.1.2 Specific release notes for version 11.1.2 were not explicitly detailed in the provided search results, as it is a very recent patch release [1]. However, it follows the major 11.1.0 and 11.1.1 releases, which introduced several significant features and fixes [2][3][4]: - New Commands: Added pnpm audit signatures (to verify ECDSA registry signatures), pnpm bugs (to open package bug trackers), and pnpm owner (to manage package owners) [3][4]. - Named Registries: Added support for installing packages from arbitrary named registries, including a built-in gh: prefix for the GitHub Packages npm registry [3][4]. - CI Improvements: Introduced the --no-runtime flag (config: runtime=false) to skip installing runtime entries (e.g., Node.js) in CI environments [3][4]. - Fixes: Version 11.1.1 included fixes for installability validation in workspace projects, resolved issues with pnpm add for named registries, and updated @zkochan/cmd-shim to improve compatibility with Git Bash on Windows [2]. Security Advisories There are no specific security advisories listed for version 11.1.2. Users should monitor the official pnpm GitHub Security Advisories page for any future disclosures [5]. Recent security-related updates in the pnpm 11 series include: - Minimum Release Age: pnpm 11 introduced a default Minimum Release Age of 24 hours (1440 minutes), which prevents the installation of newly published package versions to mitigate supply chain attacks [6][7][8]. - Enhanced Auditing: pnpm audit now queries the registry's bulk security advisories endpoint and filters by GitHub Advisory ID (GHSA) rather than CVE identifiers [9]. - Security Hardening: pnpm 11 requires Node.js 22+ and is distributed as pure ESM [10][11]. It also includes improved control over lifecycle scripts via the allowBuilds model [7][8]. For the most up-to-date information, always check the official pnpm releases page on GitHub and the security advisories section [12][5].

Citations:

1: https://www.npmjs.com/package/pnpm?activeTab=versions

2: https://github.com/pnpm/pnpm/releases/tag/v11.1.1

3: https://pnpm.io/blog/releases/11.1

4: https://newreleases.io/project/npm/pnpm/release/11.1.0

5: https://github.com/pnpm/pnpm/security/advisories

6: https://gbhackers.com/pnpm-11-enables-default-release-age-guard/

7: https://undercodenews.com/pnpm-11-reinvents-javascript-security-a-new-era-for-dependency-protection/

8: https://pnpm.io/supply-chain-security

9: https://pnpm.io/cli/audit

10: https://github.com/pnpm/pnpm/releases/tag/v11.0.0

11: https://pnpm.io/blog/releases/11.0

12: https://github.com/pnpm/pnpm/releases

Review pnpm 11 migration requirements before merging.

This major version upgrade introduces breaking changes that require configuration updates and environment adjustments:

Configuration files: Settings in package.json's pnpm field must move to pnpm-workspace.yaml. Update .npmrc to contain only auth and registry settings.

Node.js requirement: pnpm 11 requires Node.js 22+. Verify your project's .nvmrc and CI configuration specify a compatible version.

Environment variables: Any npm_config_* variables must be renamed to pnpm_config_*.

Script behavior: Scripts named clean, setup, deploy, or rebuild now shadow built-in commands; use pnpm pm to access built-in versions.

Run the migration codemod to automate configuration changes:

pnpx codemod run pnpm-v10-to-v11

Refer to https://pnpm.io/11.x/migration for the complete migration guide. Manual review is needed for environment variable updates that the codemod cannot automate.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@package.json` at line 6, The package.json currently sets "packageManager": "pnpm@11.1.2" but pnpm v11 requires config and environment changes; run the recommended codemod (pnpx codemod run pnpm-v10-to-v11) and then: move any settings under the package.json "pnpm" field into pnpm-workspace.yaml, strip .npmrc to only auth/registry entries, update .nvmrc and CI to Node.js 22+ to match pnpm v11, rename any environment variables from npm_config_* to pnpm_config_ and manually review remaining envs, and rename or invoke scripts named clean/setup/deploy/rebuild using pnpm pm to avoid shadowing built-ins.

renovate Bot assigned skulidropek Feb 21, 2026

renovate Bot requested a review from skulidropek February 21, 2026 13:44

renovate Bot force-pushed the renovate/all branch from 61f06bc to 4c58bf8 Compare February 23, 2026 22:47

renovate Bot changed the title ~~fix(deps): update dependency effect to ^3.19.19~~ fix(deps): update all dependencies Feb 23, 2026

renovate Bot force-pushed the renovate/all branch 9 times, most recently from 52aba09 to 16d549f Compare March 2, 2026 17:40

renovate Bot force-pushed the renovate/all branch 10 times, most recently from f240877 to 3c2e51f Compare March 9, 2026 23:06

renovate Bot force-pushed the renovate/all branch 7 times, most recently from 9456c54 to 0ff8d9f Compare March 17, 2026 14:38

renovate Bot force-pushed the renovate/all branch 11 times, most recently from f6ffc04 to eb3d5b5 Compare April 13, 2026 21:12

renovate Bot force-pushed the renovate/all branch 9 times, most recently from 9d72488 to 723d284 Compare April 21, 2026 22:03

renovate Bot force-pushed the renovate/all branch 6 times, most recently from 6ff8486 to 4c77644 Compare April 24, 2026 02:39

coderabbitai Bot requested changes May 14, 2026

View reviewed changes

coderabbitai Bot requested changes May 17, 2026

View reviewed changes

fix(deps): update all dependencies

0536f81

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update all dependencies#20

fix(deps): update all dependencies#20
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all

renovate Bot commented Feb 21, 2026 •

edited

Loading

Uh oh!

coderabbitai Bot commented May 14, 2026 •

edited

Loading

Reviews paused

Walkthrough

Changes

Estimated code review effort

Possibly related issues

Poem

Uh oh!

coderabbitai Bot left a comment

Uh oh!

coderabbitai Bot May 14, 2026

Uh oh!

coderabbitai Bot May 14, 2026

Uh oh!

coderabbitai Bot left a comment

Uh oh!

coderabbitai Bot May 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

renovate Bot commented Feb 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

v2.4.15

Patch Changes

v2.4.14

Patch Changes

v2.4.13

Patch Changes

Configuration

Uh oh!

coderabbitai Bot commented May 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reviews paused

Walkthrough

Changes

Estimated code review effort

Possibly related issues

Poem

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot May 14, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot May 14, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot May 17, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

renovate Bot commented Feb 21, 2026 •

edited

Loading

`v2.4.15`

`v2.4.14`

`v2.4.13`

coderabbitai Bot commented May 14, 2026 •

edited

Loading