build(deps): bump the minor-and-patch group across 1 directory with 8 updates

[dependabot]

Bumps the minor-and-patch group with 7 updates in the / directory:

Package	From	To
@anthropic-ai/claude-agent-sdk	0.3.160	0.3.185
imapflow	1.3.5	1.4.2
mailparser	3.9.9	3.9.11
undici	8.3.0	8.5.0
@typescript-eslint/eslint-plugin	8.59.4	8.62.0
eslint	10.4.0	10.5.0
tsx	4.22.3	4.22.4

Updates @anthropic-ai/claude-agent-sdk from 0.3.160 to 0.3.185

Release notes

Sourced from @​anthropic-ai/claude-agent-sdk's releases.

v0.3.185

What's changed

• Updated to parity with Claude Code v2.1.185

Update

npm install @anthropic-ai/claude-agent-sdk@0.3.185
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.185
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.185
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.185

v0.3.183

What's changed

• Updated to parity with Claude Code v2.1.183

Update

npm install @anthropic-ai/claude-agent-sdk@0.3.183
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.183
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.183
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.183

v0.3.181

What's changed

• Added errorCode, canUserPurchaseCredits, and hasChargeableSavedPaymentMethod fields to SDKRateLimitInfo for detecting credits-required rate limits
• Added tool_use_meta.icon_url to assistant messages, populated from MCP server directory metadata
• Fixed SDK-hosted Remote Control sessions dropping file_attachments from inbound user messages

Update

npm install @anthropic-ai/claude-agent-sdk@0.3.181
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.181
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.181
# or
</tr></table> 

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-agent-sdk's changelog.

0.3.185

• Updated to parity with Claude Code v2.1.185

0.3.184

• Updated to parity with Claude Code v2.1.184

0.3.183

• Updated to parity with Claude Code v2.1.183

0.3.182

• Updated to parity with Claude Code v2.1.182

0.3.181

• Added errorCode, canUserPurchaseCredits, and hasChargeableSavedPaymentMethod fields to SDKRateLimitInfo for detecting credits-required rate limits
• Added tool_use_meta.icon_url to assistant messages, populated from MCP server directory metadata
• Fixed SDK-hosted Remote Control sessions dropping file_attachments from inbound user messages

0.3.180

• Updated to parity with Claude Code v2.1.180

0.3.179

• Added optional tool_use_meta sidecar to assistant messages with display-friendly names for tool calls, so SDK consumers can render human-readable labels instead of raw wire names
• Fixed -p mode exiting before a completed background agent's notification was delivered, causing interim text to ship as the final result
• Fixed remote (stream-json) sessions appearing busy for the entire duration of a background workflow — the turn result is now emitted at the turn boundary and the session reports idle while background tasks continue

0.3.178

• Spawn failures on an existing native binary now explain the likely libc mismatch (musl binary on a glibc host) and suggest options.pathToClaudeCodeExecutable
• Permission-denied advisory messages now carry typed denial reasons (safetyCheck, asyncAgent), enabling SDK consumers to programmatically match denial causes
• Fixed UserPromptSubmit hook block feedback not being emitted to the SDK event stream — consumers can now see why a prompt was blocked by a hook instead of a silent hang
• Remote Control workers now send a worker_shutting_down system message on graceful exit so remote clients can show why the session ended
• Fixed MCP server-level specs (mcp__server, mcp__server__*) in disallowedTools being silently ignored — they now correctly remove all tools from the named server

0.3.177

• Updated to parity with Claude Code v2.1.177

0.3.176

• Fixed turn result messages being dropped when multiple turns complete while a background agent or workflow is running
• Fixed background agent, remote agent, and MCP task state not being restored when resuming a session via the SDK

0.3.175

... (truncated)

Commits

• 810e709 chore: Update CHANGELOG.md
• fc84d93 chore: Update CHANGELOG.md
• 4d3840c chore: Update CHANGELOG.md
• 32753ee chore: Update CHANGELOG.md
• 38722be chore: Update CHANGELOG.md
• 12be9e5 chore: Update CHANGELOG.md
• 4bbff4f chore: Update CHANGELOG.md
• e05f10c chore: Update CHANGELOG.md
• 8ef4c3f chore: Update CHANGELOG.md
• 944ab13 chore: Update CHANGELOG.md
• Additional commits viewable in compare view

Updates imapflow from 1.3.5 to 1.4.2

Changelog

Sourced from imapflow's changelog.

1.4.2 (2026-06-19)

Bug Fixes

• bump nodemailer to 9.0.1 (9c46aa9)

1.4.1 (2026-06-15)

Bug Fixes

• ship refreshed dependencies (nodemailer 9, updated toolchain) (e1d36e6)

1.4.0 (2026-06-09)

Features

• add Gmail label search term to the search compiler (4b2d173)

1.3.7 (2026-06-08)

Bug Fixes

• harden FLAGS guard and bring lib to full test coverage (6666bec)

1.3.6 (2026-06-05)

Bug Fixes

• harden STARTTLS upgrade, literal bounds, and connection error paths (35eca81)

Commits

• 03f6831 chore(master): release 1.4.2 [skip-ci] (#361)
• 9c46aa9 fix: bump nodemailer to 9.0.1
• 2a02044 chore(master): release 1.4.1 [skip-ci] (#359)
• e1d36e6 fix: ship refreshed dependencies (nodemailer 9, updated toolchain)
• cb2503a chore: refresh dependencies and align project tooling with EmailEngine
• 5b13151 chore(master): release 1.4.0 [skip-ci] (#358)
• 4b2d173 feat: add Gmail label search term to the search compiler
• c0969c6 chore(master): release 1.3.7 [skip-ci] (#357)
• 6666bec fix: harden FLAGS guard and bring lib to full test coverage
• 02ab7ac chore(master): release 1.3.6 [skip-ci] (#356)
• Additional commits viewable in compare view

Updates mailparser from 3.9.9 to 3.9.11

Changelog

Sourced from mailparser's changelog.

3.9.11 (2026-06-19)

Bug Fixes

• bump nodemailer to 9.0.1 (020f140)

3.9.10 (2026-06-15)

Bug Fixes

• bump dependencies (nodemailer 9, eslint 10.5, prettier 3.8.4) (262ecff)

Commits

• 04116f0 chore(master): release 3.9.11 [skip-ci] (#425)
• 020f140 fix: bump nodemailer to 9.0.1
• b890336 docs: add PGP-signed SECURITY.txt (RFC 9116) [skip ci]
• 705c237 chore(master): release 3.9.10 [skip-ci] (#424)
• 588e483 chore: add CLAUDE.md, security policy and CodeQL workflow, modernize CI
• 262ecff fix: bump dependencies (nodemailer 9, eslint 10.5, prettier 3.8.4)
• See full diff in compare view

Updates undici from 8.3.0 to 8.5.0

Release notes

Sourced from undici's releases.

v8.5.0

⚠️ Security Release

This release line addresses 8 security advisories. Most are fixed in v8.5.0; the SOCKS5 pool-reuse issue was fixed earlier in v8.2.0.

Action required: Upgrade to undici 8.5.0 or later.

npm install undici@^8.5.0

Summary

Advisory	CVE	Severity (CVSS)	Fixed in	Fix commit
GHSA-vxpw-j846-p89q	CVE-2026-12151	High (7.5)	8.5.0	32dbf0b3
GHSA-38rv-x7px-6hhq	CVE-2026-9675	High (7.5)	8.5.0	b4c287b3
GHSA-vmh5-mc38-953g	CVE-2026-9697	High (7.4)	8.5.0	42d49559
GHSA-hm92-r4w5-c3mj	CVE-2026-6734	High (7.5)	8.2.0	a516f870
GHSA-pr7r-676h-xcf6	CVE-2026-9678	Moderate (5.9)	8.5.0	cb105d7c
GHSA-p88m-4jfj-68fv	CVE-2026-9679	Moderate (5.9)	8.5.0	5655ea43
GHSA-g8m3-5g58-fq7m	CVE-2026-11525	Low (3.7)	8.5.0	5655ea43
GHSA-35p6-xmwp-9g52	CVE-2026-6733	Low (3.7)	8.5.0	6ea54ef8

---

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: 32dbf0b3 websocket: limit the number of fragments in a message (also c5ed7875 handle empty fragments and stream limits)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

• Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
• Workaround: none — upgrade is required.

WebSocket DoS via cumulative fragment bypass — CVE-2026-9675

GHSA-38rv-x7px-6hhq · CWE-400, CWE-770 Fix: b4c287b3 fix(websocket): enforce max payload size across fragments

Undici validated the size of individual frames but did not track cumulative size across a fragmented message. An attacker could send many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing memory exhaustion. This is a regression introduced in 8.1.0 (the

... (truncated)

Commits

• a0806e1 Bumped v8.5.0 (#5429)
• 8a0392c test: detect available python command in wpt runner (#5427)
• f4045b9 ci: increase Node.js workflow timeout (#5426)
• 363e44f chore: removed repro-h2-pipelining-default.mjs and lint (#5420)
• c5ed787 websocket: handle empty fragments and stream limits
• e114e77 align EventSource with spec (#5418)
• 6df53c5 fix: preserve h2 queue on out-of-order completion (#5410)
• 32dbf0b websocket: limit the number of fragments in a message
• 0d6ecc5 add bodymixin.textStream() (#5416)
• 42d4955 fix: honor requestTls when proxy is SOCKS5
• Additional commits viewable in compare view

Updates @typescript-eslint/eslint-plugin from 8.59.4 to 8.62.0

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.62.0

8.62.0 (2026-06-22)

🚀 Features

• remove redundant package.json "files" (#12444)

🩹 Fixes

• add "files" to rule-schema-to-typescript-types (#12441)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.61.1

8.61.1 (2026-06-15)

🩹 Fixes

• eslint-plugin: [consistent-indexed-object-style] do not remove comments when fixing (#12396, #10577)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive for template literal expressions (#12281)
• eslint-plugin: [no-unnecessary-type-assertion] wrap object literal in parens when removing TSTypeAssertion in arrow body (#12394, #12393)
• eslint-plugin: [no-unnecessary-boolean-literal-compare] fix precedence bug in autofix (#12413)
• eslint-plugin: [no-unnecessary-template-expression] respect ECMAScript line terminators (#12388)

❤️ Thank You

• Anas @​anasm266
• Deftera @​Deftera186
• Kirk Waiblinger @​kirkwaiblinger
• lumir
• Sarath Francis @​sarathfrancis90

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.61.0

8.61.0 (2026-06-08)

🚀 Features

• ast-spec: change type of UnaryExpression.prefix to always true (#12372)
• ast-spec: tighten types of ArrowFunction, YieldExpression, TSTypePredicate (#12373)

... (truncated)

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.62.0 (2026-06-22)

🚀 Features

• remove redundant package.json "files" (#12444)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.61.1 (2026-06-15)

🩹 Fixes

• eslint-plugin: [no-unnecessary-template-expression] respect ECMAScript line terminators (#12388)
• eslint-plugin: [no-unnecessary-boolean-literal-compare] fix precedence bug in autofix (#12413)
• eslint-plugin: [no-unnecessary-type-assertion] wrap object literal in parens when removing TSTypeAssertion in arrow body (#12394, #12393)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive for template literal expressions (#12281)
• eslint-plugin: [consistent-indexed-object-style] do not remove comments when fixing (#12396, #10577)

❤️ Thank You

• Anas @​anasm266
• Deftera @​Deftera186
• Kirk Waiblinger @​kirkwaiblinger
• lumir
• Sarath Francis @​sarathfrancis90

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.61.0 (2026-06-08)

🚀 Features

• ast-spec: change type of UnaryExpression.prefix to always true (#12372)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

... (truncated)

Commits

• 54e2857 chore(release): publish 8.62.0
• 81e4c26 feat: remove redundant package.json "files" (#12444)
• b784054 chore: use stableTypeOrdering compiler option (#12427)
• aaad718 chore(release): publish 8.61.1
• 0cc8f35 fix(eslint-plugin): [no-unnecessary-template-expression] respect ECMAScript l...
• 6f269e2 fix(eslint-plugin): [no-unnecessary-boolean-literal-compare] fix precedence b...
• 1b5d543 fix(eslint-plugin): [no-unnecessary-type-assertion] wrap object literal in pa...
• 565e666 fix(eslint-plugin): [no-unnecessary-type-assertion] avoid false positive for ...
• 204eabc fix(eslint-plugin): [consistent-indexed-object-style] do not remove comments ...
• 16a5b24 chore(release): publish 8.61.0
• Additional commits viewable in compare view

Updates @typescript-eslint/parser from 8.59.4 to 8.62.0

Release notes

Sourced from @​typescript-eslint/parser's releases.

v8.62.0

8.62.0 (2026-06-22)

🚀 Features

• remove redundant package.json "files" (#12444)

🩹 Fixes

• add "files" to rule-schema-to-typescript-types (#12441)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.61.1

8.61.1 (2026-06-15)

🩹 Fixes

• eslint-plugin: [consistent-indexed-object-style] do not remove comments when fixing (#12396, #10577)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive for template literal expressions (#12281)
• eslint-plugin: [no-unnecessary-type-assertion] wrap object literal in parens when removing TSTypeAssertion in arrow body (#12394, #12393)
• eslint-plugin: [no-unnecessary-boolean-literal-compare] fix precedence bug in autofix (#12413)
• eslint-plugin: [no-unnecessary-template-expression] respect ECMAScript line terminators (#12388)

❤️ Thank You

• Anas @​anasm266
• Deftera @​Deftera186
• Kirk Waiblinger @​kirkwaiblinger
• lumir
• Sarath Francis @​sarathfrancis90

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.61.0

8.61.0 (2026-06-08)

🚀 Features

• ast-spec: change type of UnaryExpression.prefix to always true (#12372)
• ast-spec: tighten types of ArrowFunction, YieldExpression, TSTypePredicate (#12373)

... (truncated)

Changelog

Sourced from @​typescript-eslint/parser's changelog.

8.62.0 (2026-06-22)

🚀 Features

• remove redundant package.json "files" (#12444)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.61.1 (2026-06-15)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.61.0 (2026-06-08)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.60.1 (2026-06-01)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.60.0 (2026-05-25)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• 54e2857 chore(release): publish 8.62.0
• 81e4c26 feat: remove redundant package.json "files" (#12444)
• aaad718 chore(release): publish 8.61.1
• 16a5b24 chore(release): publish 8.61.0
• 4f84a69 chore(release): publish 8.60.1
• 1849b53 chore: typecheck using tsgo (#12139)
• f891c29 chore(release): publish 8.60.0
• See full diff in compare view

Updates eslint from 10.4.0 to 10.5.0

Release notes

Sourced from eslint's releases.

v10.5.0

Features

• 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#20973) (Pixel998)
• b565783 feat: report no-with violations at the with keyword (#20971) (Pixel998)
• 2ce032f feat: report max-lines-per-function violations at function head (#20966) (Pixel998)
• 732cb3e feat: report max-nested-callbacks violations at function head (#20967) (Pixel998)
• f9c138a feat: report max-depth violations on keywords (#20943) (Pixel998)
• bdb496c feat: correct max-depth handling for else-if chains (#20944) (Pixel998)
• c296873 feat: update error loc in max-statements to function header (#20907) (Taejin Kim)

Documentation

• 8ae1b5b docs: Update README (GitHub Actions Bot)
• ca7eb90 docs: update Node.js prerequisites to include ICU support (#20962) (Francesco Trotta)
• f99b47a docs: Update README (GitHub Actions Bot)
• acf03d4 docs: clarify precedence of parserOptions over languageOptions (#20926) (sethamus)

Chores

• b18bf58 chore: update ecosystem plugins (#20959) (ESLint Bot)
• c2d1444 refactor: replace areAllSegmentsUnreachable with !isAnySegmentReachable (#20951) (Taejin Kim)
• 243b8c5 chore: enhance config-rule to support oneOf, anyOf, and nested schemas (#20788) (kuldeep kumar)
• 217b2a9 test: add unit tests for ParserService (#20949) (Taejin Kim)
• 72003e7 test: add location information to error messages in max-statements (#20945) (lumir)
• 7797c26 refactor: deduplicate isAnySegmentReachable across rules (#20890) (Taejin Kim)
• 67c46fa chore: update ecosystem plugins (#20938) (ESLint Bot)
• 95d8c7a chore: update dependency @​eslint/json to v2 (#20934) (renovate[bot])
• cf9e496 chore: update @​arethetypeswrong/cli to 0.18.3 (#20933) (Pixel998)
• fb6d396 test: run type tests with TypeScript 7 (#20868) (sethamus)

v10.4.1

Bug Fixes

• e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#20930) (Francesco Trotta)
• d4ce898 fix: propagate failures from delegated commands (#20917) (Minh Vu)
• f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#20916) (kuldeep kumar)
• c5bc78b fix: false positive for reference in finally block (#20655) (Tanuj Kanti)
• 27538c0 fix: add missing CodePath and CodePathSegment types (#20853) (Pixel998)

Documentation

• 61b0add docs: remove deprecated rule from related rules of max-params (#20921) (Tanuj Kanti)
• 305d5b9 docs: remove deprecated rules from related rules section (#20911) (Tanuj Kanti)
• 49b0202 docs: fix display: none of ad (#20901) (Tanuj Kanti)
• 9067f94 docs: switch build to Node.js 24 (#20893) (Milos Djermanovic)
• c91b041 docs: Update README (GitHub Actions Bot)
• e349265 docs: clarify semver strings in rule deprecation objects (#20885) (Milos Djermanovic)

Chores

• b0e466b test: add data property to invalid tests cases for rules (#20924) (Tanuj Kanti)
• f78838b test: add CodePath type coverage (#20904) (Pixel998)
• 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#20922) (Francesco Trotta)
• 002942c ci: declare contents:read on update-readme workflow (#20919) (Arpit Jain)
• 64bca24 chore: update ecosystem plugins (#20912) (ESLint Bot)

... (truncated)

Commits

• de3b672 10.5.0
• 362a518 Build: changelog update for 10.5.0
• 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#20973)
• b565783 feat: report no-with violations at the with keyword (#20971)
• 2ce032f feat: report max-lines-per-function violations at function head (#20966)
• 732cb3e feat: report max-nested-callbacks violations at function head (#20967)
• f9c138a feat: report max-depth violations on keywords (#20943)
• 8ae1b5b docs: Update README
• ca7eb90 docs: update Node.js prerequisites to include ICU support (#20962)
• b18bf58 chore: update ecosystem plugins (#20959)
• Additional commits viewable in compare view

Updates tsx from 4.22.3 to 4.22.4

Release notes

Sourced from tsx's releases.

v4.22.4

4.22.4 (2026-05-31)

Bug Fixes

• resolve CommonJS directory requires inside dependencies (#803) (1ce8463)

---

This release is also available on:

• npm package (@​latest dist-tag)

Commits

• 1ce8463 fix: resolve CommonJS directory requires inside dependencies (#803)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: deps. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.