build(deps): bump handlebars and @hey-api/openapi-ts in /frontend

[dependabot]

Removes handlebars. It's no longer used after updating ancestor dependency @hey-api/openapi-ts. These dependencies need to be updated together.

Removes handlebars

Updates @hey-api/openapi-ts from 0.55.2 to 0.97.1

Release notes

Sourced from @​hey-api/openapi-ts's releases.

@​hey-api/openapi-ts@​0.95.0

Minor Changes

• plugin(valibot): remove request data schema (#3671) (96f60ad) by @​mrlubos

Validator request schemas

Valibot plugin no longer exports composite request Data schemas. Instead, each layer is exported as a separate schema. If you're using validators with SDKs, you can preserve the composite schema with shouldExtract:

export default {
  input: "hey-api/backend", // sign up at app.heyapi.dev
  output: "src/client",
  plugins: [
    // ...other plugins
    {
      name: "sdk",
      validator: "valibot",
    },
    {
      name: "valibot",
      requests: {
        shouldExtract: true,
      },
    },
  ],
};

• internal: remove plugin.getSymbol() function (#3671) (96f60ad) by @​mrlubos

Removed plugin.getSymbol() function

This function has been removed. You can use plugin.querySymbol() instead. It accepts the same arguments and returns the same result.

• plugin(zod): remove request data schema (#3671) (96f60ad) by @​mrlubos

Validator request schemas

Zod plugin no longer exports composite request Data schemas. Instead, each layer is exported as a separate schema. If you're using validators with SDKs, you can preserve the composite schema with shouldExtract:

export default {
  input: "hey-api/backend", // sign up at app.heyapi.dev
  output: "src/client",
  plugins: [
    // ...other plugins
    {
      name: "sdk",
      validator: "zod",
</tr></table> 

... (truncated)

Changelog

Sourced from @​hey-api/openapi-ts's changelog.

Changelog

2026-04-28

@​hey-api/openapi-ts 0.97.0

⚠️ Breaking

This release has 15 breaking changes. Please review the release notes carefully before upgrading.

Updates

• cli: print file count and generator speed (#3828)
• ⚠️ Breaking: client: resolve runtimeConfigPath relative to the output folder (#3770)

Changed runtimeConfigPath behavior

This was a known, long-standing issue confusing first-time users. Before, defining client runtimeConfigPath value would paste it verbatim to the generated output. This release changes the behavior to resolve relative to the current working directory the same way output path works.

• config: remove --apply flag from Biome post-processor commands (#3812)

Plugins

@​hey-api/client-angular

• ⚠️ Breaking: request and response objects might be undefined (#3814)
• ⚠️ Breaking: respect throwOnError when request validation fails (#3814)

@​hey-api/client-fetch

• ⚠️ Breaking: pass previous result to error interceptors (#3814)
• ⚠️ Breaking: request and response objects might be undefined (#3814)
• ⚠️ Breaking: respect throwOnError when request validation fails (#3814)

@​hey-api/client-ky

• ⚠️ Breaking: pass previous result to error interceptors (#3814)
• ⚠️ Breaking: request and response objects might be undefined (#3814)
• ⚠️ Breaking: respect throwOnError when request validation fails (#3814)
• ⚠️ Breaking: respect ky instance defaults (#3806)

Changed Ky client behavior

The Ky client was updated to be more intuitive. Some Ky options now need to be passed via the kyOptions field and you need to pass undefined to unset an option.

@​hey-api/client-next

• ⚠️ Breaking: request and response objects might be undefined (#3814)
• ⚠️ Breaking: pass previous result to error interceptors (#3814)
• ⚠️ Breaking: respect throwOnError when request validation fails (#3814)

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​hey-api/openapi-ts since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

⚠️ NPM Dependency Update - Manual Review Required

This Dependabot PR updates npm dependencies. Due to recent npm supply chain attacks, this PR requires manual security review before merging.

Security Checklist:

• Review the changed packages for known vulnerabilities
• Check for suspicious postinstall scripts
• Verify package authenticity and maintainer reputation
• Run ./utils/scan-npm-compromise.sh locally
• Review npm audit output

Do not enable auto-merge for this PR.