build(deps-dev): bump the bun group across 1 directory with 2 updates

[dependabot]

Bumps the bun group with 2 updates in the / directory: @biomejs/biome and wrangler.

Updates @biomejs/biome from 2.4.16 to 2.5.0

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.5.0

2.5.0

Minor Changes

• #9539 f0615fd Thanks @​ematipico! - Added a new reporter called concise. When --reporter=concise is passed the commands format, lint, check and ci, the diagnostics are printed in a compact manner:

  ! index.ts:2:10: lint/correctness/noUnusedImports: Several of these imports are unused.
  ! main.ts:9:7: lint/correctness/noUnusedVariables: This variable f is unused.
  × index.ts:8:5: lint/suspicious/noImplicitAnyLet: This variable implicitly has the any type.
  × main.ts:2:10: lint/suspicious/noRedeclare: Shouldn't redeclare 'z'. Consider to delete it or rename it.
  

• #9495 2056b23 Thanks @​aviraldua93! - Added the useKeyWithClickEvents a11y lint rule for HTML files (.html, .vue, .svelte, .astro). This is a port of the existing JSX rule. The rule enforces that elements with an onclick handler also have at least one keyboard event handler (onkeydown, onkeyup, or onkeypress) to ensure keyboard accessibility.

  Inherently keyboard-accessible elements (<a>, <button>, <input>, <select>, <textarea>, <option>) are excluded, as are elements hidden from assistive technologies (aria-hidden) or with role="presentation" / role="none".

  <!-- Invalid: no keyboard handler -->
  <div onclick="handleClick()">Click me</div>
  <!-- Valid: has keyboard handler -->
  <div onclick="handleClick()" onkeydown="handleKeyDown()">Click me</div>
  <!-- Valid: inherently keyboard-accessible -->
  <button onclick="handleClick()">Submit</button>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUndeclaredClasses for HTML, JSX, and SFC files (Vue, Astro, Svelte). The rule detects CSS class names used in class="..." (or className) attributes that are not defined in any <style> block or linked stylesheet reachable from the file.

  <!-- .typo is used but never defined -->
  <html>
    <head>
      <style>
        .button {
          color: blue;
        }
      </style>
    </head>
    <body>
      <div class="button typo"></div>
    </body>
  </html>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.5.0

Minor Changes

• #9539 f0615fd Thanks @​ematipico! - Added a new reporter called concise. When --reporter=concise is passed the commands format, lint, check and ci, the diagnostics are printed in a compact manner:

  ! index.ts:2:10: lint/correctness/noUnusedImports: Several of these imports are unused.
  ! main.ts:9:7: lint/correctness/noUnusedVariables: This variable f is unused.
  × index.ts:8:5: lint/suspicious/noImplicitAnyLet: This variable implicitly has the any type.
  × main.ts:2:10: lint/suspicious/noRedeclare: Shouldn't redeclare 'z'. Consider to delete it or rename it.
  

• #9495 2056b23 Thanks @​aviraldua93! - Added the useKeyWithClickEvents a11y lint rule for HTML files (.html, .vue, .svelte, .astro). This is a port of the existing JSX rule. The rule enforces that elements with an onclick handler also have at least one keyboard event handler (onkeydown, onkeyup, or onkeypress) to ensure keyboard accessibility.

  Inherently keyboard-accessible elements (<a>, <button>, <input>, <select>, <textarea>, <option>) are excluded, as are elements hidden from assistive technologies (aria-hidden) or with role="presentation" / role="none".

  <!-- Invalid: no keyboard handler -->
  <div onclick="handleClick()">Click me</div>
  <!-- Valid: has keyboard handler -->
  <div onclick="handleClick()" onkeydown="handleKeyDown()">Click me</div>
  <!-- Valid: inherently keyboard-accessible -->
  <button onclick="handleClick()">Submit</button>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUndeclaredClasses for HTML, JSX, and SFC files (Vue, Astro, Svelte). The rule detects CSS class names used in class="..." (or className) attributes that are not defined in any <style> block or linked stylesheet reachable from the file.

  <!-- .typo is used but never defined -->
  <html>
    <head>
      <style>
        .button {
          color: blue;
        }
      </style>
    </head>
    <body>
      <div class="button typo"></div>
    </body>
  </html>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.

  /* styles.css — .ghost is never used in any importing file */

... (truncated)

Commits

• c0b9832 ci: release (#10499)
• 995c1ff feat(lint): add useFunctionComponentDefinition rule (#10498)
• 311c2b2 fix(biome_configuration): avoid Markdown links in JSON schema descriptions (#...
• 04c3f19 fix: docs and readme (#10584)
• 961f41c refactor(useExportType): improve docs and code (#10569)
• 78075b7 feat(useExportType): add style option (#10561)
• 6642895 feat: rule promotion for v2.5 (#10562)
• 9a5855e feat: noRestrictedDependencies (#10467)
• 608a62f Merge branch 'main' into chore/merge-main-into-next
• 0f29b83 feat(linter): implement useIncludes rule (#10516)
• Additional commits viewable in compare view

Updates wrangler from 4.99.0 to 4.101.0

Release notes

Sourced from wrangler's releases.

wrangler@4.101.0

Minor Changes

• #14276 32f9307 Thanks @​dario-piotrowicz! - Graduate autoconfig from experimental to stable

  The --experimental-autoconfig and --x-autoconfig deploy CLI flags have been replaced with --autoconfig.

  Note that the --autoconfig flag defaults to true and that it can be used to disable Wrangler's auto-configuration logic by setting it to false via --autoconfig=false or --no-autoconfig

• #14287 41f391f Thanks @​edmundhung! - Add per-Worker resource accessors to createTestHarness()

  createTestHarness() now provides methods for accessing configured KV namespaces, R2 buckets, D1 databases, and Durable Object namespaces. Use server.getWorker(name) to access resources scoped to that specific Worker:

  const worker = server.getWorker("api-worker");
  const bucket = await worker.getR2Bucket("BUCKET");
  const db = await worker.getD1Database("DB");

• #14264 21dbc12 Thanks @​dario-piotrowicz! - Suggest Cloudflare skills installation after commands instead of before

  The automatic prompt to install Cloudflare skills for detected AI coding agents no longer runs before every Wrangler command. Instead, Wrangler now suggests installing skills, when appropriate, after some commands complete successfully. Commands that output JSON suppress the suggestion to keep their output clean. The --install-skills flag remains available on all commands to explicitly run the skills installation flow before the command executes, without prompting.

  As before, Wrangler asks the skills installation question at most once. The skills install metadata file is now written before the confirmation prompt is shown, so even if the user interrupts the process (e.g. CTRL+C, closing the terminal) during the prompt, the question is recorded as unanswered and will not reappear on subsequent runs.

• #14042 7e63948 Thanks @​edevil! - Add a --temporary flag that creates and uses a temporary Cloudflare preview account when you have no credentials, instead of starting the OAuth login flow.

  It's registered only on the commands the short-lived account token can serve — Workers (deploy, versions upload, and related commands), KV, D1, Hyperdrive, Queues, and certificate commands — and is for unauthenticated use only: passing it while already authenticated (OAuth, CLOUDFLARE_API_TOKEN, or a global API key) errors rather than silently ignoring the flag. Before provisioning, Wrangler handles Cloudflare's Terms of Service and Privacy Policy (interactive terminals prompt for yes; non-interactive shells print a notice and continue). Wrangler then runs with the short-lived token and prints a claim URL so the account can be claimed before it expires. The cached account is cleared on successful login or logout.

• #14299 035917f Thanks @​petebacondarwin! - Send the login user telemetry event when wrangler login --scopes ... succeeds

  wrangler login was already reporting the login user event when called without --scopes, but the scoped login path returned early before the event could be sent. Both paths now report the event, so successful scoped logins are counted alongside unscoped ones.

Patch Changes

• #14271 27db82c Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260611.1	1.20260612.1

• #14298 2a6a26b Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260612.1	1.20260615.1

... (truncated)

Commits

• 89a753e Version Packages (#14274)
• ee82c76 skip provisioning in asset only projects (#14304)
• 8f574d2 refactor assets, sourcemaps and build options in deploy-helpers (#14309)
• 9a424ed Bump the workerd-and-workers-types group with 2 updates (#14317)
• e6e4b07 Vite plugin support for experimental Build Output API (#14279)
• 208b3bb [wrangler] fix: handle deleted entry point during hot-reload without unhandle...
• ecfdd5a fix(wrangler): preserve asset fallback with routes (#14282)
• 604be26 [wrangler] fix: show clear error for DO migrations on service-worker format W...
• 035917f [wrangler] Send login user metric when --scopes is provided (#14299)
• adfde74 remove deprecated toThrowError assertions (#14302)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions