Bump the development_dependencies group across 1 directory with 6 updates

[dependabot]

Bumps the development_dependencies group with 6 updates in the / directory:

Package	From	To
@nx/eslint-plugin	22.0.2	22.7.5
vitest	4.1.8	4.1.9
@oclif/plugin-plugins	5.4.47	5.4.74
@shopify/cli-hydrogen	11.1.10	11.1.16
@playwright/test	1.60.0	1.61.0
sass	1.100.0	1.101.0

Updates @nx/eslint-plugin from 22.0.2 to 22.7.5

Release notes

Sourced from @​nx/eslint-plugin's releases.

22.7.5 (2026-05-27)

🩹 Fixes

• core: update tmp to 0.2.6 due to CVE-2026-44705 (#35813)

❤️ Thank You

• Jack Hsu @​jaysoo

22.7.4 (2026-05-25)

🩹 Fixes

• core: update brace-expansion and yaml (#35790)

❤️ Thank You

• Jack Hsu @​jaysoo

22.7.3 (2026-05-22)

🚀 Features

• js: support pnpm 11.2.2 (#35772)

🩹 Fixes

• angular: only add @​oxc-project/runtime on the vitest-analog path (#35734)
• angular-rspack: exclude eslint config from tailwind v4 source scan (#35663)
• core: warn before installing unknown npm packages as preset (#35644)
• core: preserve input order in createNodes plugin results (#35595)
• core: resolve local plugin subpath imports from source (#35631)
• core: treat undefined task parallelism as parallel when scheduling (#35736)
• core: handle object form of bin field in getPrettierPath (#35680)
• core: detect vscode copilot ai agent (#35757)
• core: allow local plugin subpath imports without custom conditions (#35751, #35631)
• dotnet: include Directory.. files in inputs (#35738)
• gradle: add transitive:true to all tasks (#35677)
• gradle: pin generated e2e project toolchain to installed JDK (#35703)
• js: fall back to npm publish when bun publish fails with auth error (#35756)
• linter: improve convert-to-flat-config output fidelity (#35330)
• linter: only rewrite workspace-package peer deps to workspace:* (#35423, #35318, #33417)
• misc: stop inferring projects: 'self' in dependsOn entries (#35686)
• misc: skip $ escaping in file paths on windows (#35692)
• repo: run dotnet restore before publish (#35771)
• repo: run dotnet restore before macos e2e job (#35774)
• rsbuild: infer build outputs from distPath.root directly (#35707)
• rsbuild: lazy-require @​rsbuild/core in plugin so spec mocks work after jest.resetModules (#35707)
• testing: correct yargs-parser import in getJestProjectsAsync (#35672, #35654)

... (truncated)

Commits

• a23b7be fix(linter): only rewrite workspace-package peer deps to workspace:* (#35423)
• d84f424 fix(devkit): expand @​nx/devkit/internal re-exports for cherry-picked v23 deep...
• ac81879 fix(repo): revert deep-import rewrites that targeted v23-only @​nx/devkit/inte...
• 091d838 fix(linter): prevent ENOENT crash in getRelativeImportPath for unresolvable p...
• 7168981 chore(linter): bump globals from ^15.9.0 to ^17.0.0 (#35505)
• 4bbd4b1 chore(repo): migrate nx repo to eslint v9 flat config (#35359)
• dc479c5 fix(js): stop generating baseUrl in tsconfig, use ./ prefix for path mappings...
• 887fca4 fix(repo): narrow copy-assets outputs to prevent overlap with build-base (#35...
• a040a93 fix(repo): add copy-assets plugin and migrate all packages from legacy-post-b...
• 732a08c chore(core): build nx to local dist and use nodenext (#34111)
• Additional commits viewable in compare view

Updates vitest from 4.1.8 to 4.1.9

Release notes

Sourced from vitest's releases.

v4.1.9

🐞 Bug Fixes

• Fix importOriginal with optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in vitest-dev/vitest#10546 (a5180)
• browser:
  • Wait for orchestrator readiness before resolving browser sessions [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10555 (7fb29)
  • Wait for iframe tester readiness before preparing [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10497 and vitest-dev/vitest#10556 (fbc62)
• mocker:
  • Hoist vi.mock() for vite-plus/test imports [backport to v4] - by Hiroshi Ogawa, LongYinan, Claude Opus 4.8 and Vladimir in vitest-dev/vitest#10548 (2c955)
• pool:
  • Prevent test run hang on worker crash [backport to v4] - by Ari Perkkiö and Jattioui Ismail in vitest-dev/vitest#10543 and vitest-dev/vitest#10564 (934b0)

View changes on GitHub

Commits

• a7a61e7 chore: release v4.1.9 (#10598)
• 934b0f5 fix(pool): prevent test run hang on worker crash (#10543) [backport to v4] (#...
• 7fb2965 fix(browser): wait for orchestrator readiness before resolving browser sessio...
• a518019 fix: fix importOriginal with optimizer and query import [backport to v4] (#...
• See full diff in compare view

Updates @oclif/plugin-plugins from 5.4.47 to 5.4.74

Release notes

Sourced from @​oclif/plugin-plugins's releases.

5.4.74

Bug Fixes

• deps: bump npm from 11.16.0 to 11.17.0 (#1339) (7744d92)

5.4.73

Bug Fixes

• deps: bump semver from 7.8.1 to 7.8.2 (#1336) (56cc4ad)

5.4.72

Bug Fixes

• deps: bump @​oclif/core from 4.11.3 to 4.11.4 (#1330) (095dccf)

5.4.71

Bug Fixes

• deps: bump npm from 11.15.0 to 11.16.0 (#1333) (a542f0c)

5.4.70

Bug Fixes

• deps: bump semver from 7.8.0 to 7.8.1 (#1334) (aade472)

5.4.69

Bug Fixes

• deps: bump npm from 11.14.1 to 11.15.0 (#1329) (c2fe33b)

5.4.68

Bug Fixes

• deps: bump npm from 11.13.0 to 11.14.1 (#1324) (371a714)

5.4.67

Bug Fixes

• deps: bump fast-xml-builder from 1.1.4 to 1.2.0 (#1316) (b80c9da)

5.4.66

Bug Fixes

• deps: bump fast-uri from 3.1.0 to 3.1.2 (#1317) (a08ba97)

5.4.65

Bug Fixes

• deps: bump @​oclif/core from 4.11.0 to 4.11.1 (#1319) (434e45c)

... (truncated)

Changelog

Sourced from @​oclif/plugin-plugins's changelog.

5.4.74 (2026-06-14)

Bug Fixes

• deps: bump npm from 11.16.0 to 11.17.0 (#1339) (7744d92)

5.4.73 (2026-06-06)

Bug Fixes

• deps: bump semver from 7.8.1 to 7.8.2 (#1336) (56cc4ad)

5.4.72 (2026-05-31)

Bug Fixes

• deps: bump @​oclif/core from 4.11.3 to 4.11.4 (#1330) (095dccf)

5.4.71 (2026-05-30)

Bug Fixes

• deps: bump npm from 11.15.0 to 11.16.0 (#1333) (a542f0c)

5.4.70 (2026-05-30)

Bug Fixes

• deps: bump semver from 7.8.0 to 7.8.1 (#1334) (aade472)

5.4.69 (2026-05-23)

Bug Fixes

• deps: bump npm from 11.14.1 to 11.15.0 (#1329) (c2fe33b)

5.4.68 (2026-05-16)

Bug Fixes

• deps: bump npm from 11.13.0 to 11.14.1 (#1324) (371a714)

5.4.67 (2026-05-09)

Bug Fixes

• deps: bump fast-xml-builder from 1.1.4 to 1.2.0 (#1316) (b80c9da)

5.4.66 (2026-05-09)

... (truncated)

Commits

• ed4483a chore(release): 5.4.74 [skip ci]
• 7744d92 fix(deps): bump npm from 11.16.0 to 11.17.0 (#1339)
• 6a89373 chore(dev-deps): bump prettier from 3.8.3 to 3.8.4 (#1341)
• 72ab95a chore(dev-deps): bump oclif from 4.23.10 to 4.23.14 (#1342)
• abb70fb chore(dev-deps): bump eslint-config-oclif from 6.0.167 to 6.0.169 (#1343)
• b3bb34f chore(dev-deps): bump eslint-config-oclif from 6.0.166 to 6.0.167 (#1335)
• b5f947d chore(release): 5.4.73 [skip ci]
• 56cc4ad fix(deps): bump semver from 7.8.1 to 7.8.2 (#1336)
• f19de14 chore(dev-deps): bump oclif from 4.23.8 to 4.23.10 (#1337)
• b393d5d chore(dev-deps): bump @​oclif/plugin-help from 6.2.49 to 6.2.50 (#1338)
• Additional commits viewable in compare view

Updates @shopify/cli-hydrogen from 11.1.10 to 11.1.16

Release notes

Sourced from @​shopify/cli-hydrogen's releases.

@​shopify/cli-hydrogen@​11.1.16

Patch Changes

• Updated route scaffolding and JS transpilation to import from react-router instead of the deprecated @shopify/remix-oxygen. (#3621) by @​fredericoo

• Fix set-cookie-parser and cookie resolution warnings during dev by using Vite's nested dependency syntax (react-router > dep). These are CJS transitive dependencies of react-router that weren't resolvable by bare name with strict package managers like pnpm. (#3698) by @​fredericoo

@​shopify/cli-hydrogen@​11.1.15

Patch Changes

• Update skeleton template to use @​shopify/cli 3.93.2 (#3699) by @​itsjustriley

@​shopify/cli-hydrogen@​11.1.14

Patch Changes

• Widen React Router peer dependencies from exact versions to caret ranges (^7.12.0). This allows Hydrogen projects to use newer React Router minor versions without peer dependency conflicts, particularly with npm's strict resolver. Hydrogen only uses stable public APIs from React Router, so minor version updates are backwards-compatible. (#3677) by @​fredericoo

• Update Storefront API and Customer Account API from 2026-01 to 2026-04. (#3651) by @​itsjustriley

  Breaking changes

  JSON metafield values limited to 128KB: When using API version 2026-04 or later, the Storefront API limits JSON type metafield writes to 128KB. This limit applies at the API level - Hydrogen passes through to the Storefront API without additional restriction. Apps that used JSON metafields before April 1, 2026 are grandfathered at the existing 2MB limit. Large metafield values continue to be readable by all API versions.

  New features

  New MERCHANDISE_LINE_TRANSFORMERS_RUN_ERROR cart error code: Cart operations (cartCreate, cartLinesAdd, etc.) now return a specific MERCHANDISE_LINE_TRANSFORMERS_RUN_ERROR error code when a Cart Transform Function fails at runtime, instead of the previous generic INVALID error code. If you handle cart errors in your storefront code, you may want to add handling for this new code.

  Changelog links

  • Storefront API 2026-04 changelog
  • Customer Account API 2026-04 changelog

@​shopify/cli-hydrogen@​11.1.13

Patch Changes

• Add Storefront MCP proxy support to enable AI agent integration. Hydrogen now automatically proxies requests to /api/mcp to Shopify's Storefront MCP server, which implements the Model Context Protocol specification. This feature is automatically available when proxyStandardRoutes is enabled in createRequestHandler (the default) — no code changes required. AI assistants like Claude and ChatGPT can connect to Hydrogen storefronts to help customers browse products, manage carts, and access store policies. (#3572) by @​itsjustriley

• Remove redundant Storefront API proxy route from skeleton template. The server now automatically proxies requests to /api/:version/graphql.json via createRequestHandler with proxyStandardRoutes: true (enabled by default since December 2025). (#3572) by @​itsjustriley

  Developers no longer need a manual route file for the tokenless Storefront API. Existing apps with this route can safely delete it - the server-level proxy provides the same functionality with better cookie forwarding and analytics integration.

• GraphQL access denied error is now handled as an expected user error (#3654) by @​lucyxiang

@​shopify/cli-hydrogen@​11.1.11

Patch Changes

• Improve gift card accessibility in Skeleton template (#3518) by @​itsjustriley

• Updated shopify/cli dependencies for cli-hydrogen (#3553) by @​andguy95

... (truncated)

Commits

• See full diff in compare view

Updates @playwright/test from 1.60.0 to 1.61.0

Release notes

Sourced from @​playwright/test's releases.

v1.61.0

🔑 WebAuthn passkeys

New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:

const context = await browser.newContext();
// Seed a passkey your backend provisioned for a test user.
await context.credentials.create('example.com', {
id: credentialId,
userHandle,
privateKey,
publicKey,
});
await context.credentials.install();
const page = await context.newPage();
await page.goto('https://example.com/login');
// The page's navigator.credentials.get() is answered with the seeded passkey.

You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.

🗃️ Web Storage

New WebStorage API, available via page.localStorage and page.sessionStorage, reads and writes the page's storage for the current origin:

await page.localStorage.setItem('token', 'abc');
const token = await page.localStorage.getItem('token');
const items = await page.sessionStorage.items();

New APIs

Network

• apiResponse.securityDetails() and apiResponse.serverAddr() mirror the browser-side response.securityDetails() and response.serverAddr().

Browser and Screencast

• New option artifactsDir in browserType.connectOverCDP() controls where artifacts such as traces and downloads are stored when attached to an existing browser.
• New option cursor in screencast.showActions() controls the cursor decoration rendered for pointer actions.
• The onFrame callback in screencast.start() now receives a timestamp of when the frame was presented by the browser.

Test runner

• The testOptions.video option now supports the same set of modes as trace: new 'on-all-retries', 'retain-on-first-failure' and 'retain-on-failure-and-retries' values. See the video modes table for which runs are recorded and kept in each mode.
• Supported expect.soft.poll(...).
• New fullConfig.argv — a snapshot of process.argv from the runner process, handy for reading custom arguments passed after the -- separator.
• New fullConfig.failOnFlakyTests mirrors the config option, so reporters can explain why a flaky run failed.
• testInfo.errors now lists each sub-error of an AggregateError as a separate entry.

... (truncated)

Commits

• 1cc5a90 cherry-pick(#41295): chore: PLAYWRIGHT_TRACING_NO_WEBSOCKET_FRAMES and PLAYWR...
• a6772bd cherry-pick(#41280): Revert "fix(trace-viewer): add keyboard navigation to `N...
• 8133dcf cherry-pick(#41283): docs: add Ubuntu 26.04 and Node.js 26.x to system requir...
• 812432e chore: mark v1.61.0 (#41277)
• ac05145 fix(fetch): report serverAddr and securityDetails for reused sockets (#41267)
• 056efc9 fix(trace-viewer): add keyboard navigation to NetworkFilters component (#41...
• 41f7b9a chore: fixes uncovered by the .NET 1.61 roll (#41266)
• ba50778 fix(mcp): assign caps as array for legacy --vision flag (#41253)
• b8ee5ae docs: release notes for v1.61 (#41261)
• 49c1f69 fix(trace viewer): load trace from a local file (#41263)
• Additional commits viewable in compare view

Updates sass from 1.100.0 to 1.101.0

Release notes

Sourced from sass's releases.

Dart Sass 1.101.0

To install Sass 1.101.0, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

• Potentially breaking bug fix: The Node package importer now properly supports resolving import-only variants of Sass files declared in the exports, sass, and style fields of package.json. Previously, these files were ignored even when loaded via @import, so any code relying on loading module-system-only files this way may break.

See the full changelog for changes in earlier releases.

Changelog

Sourced from sass's changelog.

1.101.0

• Potentially breaking bug fix: The Node package importer now properly supports resolving import-only variants of Sass files declared in the exports, sass, and style fields of package.json. Previously, these files were ignored even when loaded via @import, so any code relying on loading module-system-only files this way may break.

Commits

• 63b9922 Load import-only files through package.json exports (#2772)
• c7e9947 Migrate from bufbuild/buf-setup-action to bufbuild/buf-action (#2773)
• 7674a4c Bump postcss from 8.5.13 to 8.5.15 in /pkg/sass-parser (#2774)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.