chore(deps): bump the patch-updates group across 1 directory with 6 updates by dependabot[bot] · Pull Request #1183 · yearn/yearn.fi

dependabot · 2026-04-13T11:23:59Z

Bumps the patch-updates group with 6 updates in the / directory:

Package	From	To
@headlessui/react	`2.2.9`	`2.2.10`
@tanstack/react-virtual	`3.13.18`	`3.13.24`
react	`19.2.4`	`19.2.5`
react-dom	`19.2.4`	`19.2.5`
@biomejs/biome	`2.4.0`	`2.4.13`
postcss	`8.5.6`	`8.5.12`

Updates @headlessui/react from 2.2.9 to 2.2.10

Release notes

Sourced from @headlessui/react's releases.

@headlessui/react@v2.2.10

Fixed

Don’t render <Portal> while hydrating (#3825)

Fix passing props on Fragment error due to Symbol(react.lazy) (#3873)

Changelog

Sourced from @headlessui/react's changelog.

[2.2.10] - 2026-04-07

Fixed

Don’t render <Portal> while hydrating (#3825)

Fix passing props on Fragment error due to Symbol(react.lazy) (#3873)

Commits

d13526d 2.2.10 - @headlessui/react
b0dcd8f Handle props on Fragment error due to Symbol(react.lazy) (#3873)
7baca70 Don’t render \<Portal>s while hydrating (#3825)
5ef7395 Add RefProp to props (#3823)
See full diff in compare view

Updates @tanstack/react-virtual from 3.13.18 to 3.13.24

Release notes

Sourced from @tanstack/react-virtual's releases.

@tanstack/react-virtual@3.13.24

Patch Changes

Updated dependencies [97a204d]:

@tanstack/virtual-core@3.14.0

@tanstack/react-virtual@3.13.23

Patch Changes

Updated dependencies [7ece2d5]:

@tanstack/virtual-core@3.13.23

@tanstack/react-virtual@3.13.22

Patch Changes

Updated dependencies [54d771a, d3416c3]:

@tanstack/virtual-core@3.13.22

@tanstack/react-virtual@3.13.21

Patch Changes

Updated dependencies [be89e29]:

@tanstack/virtual-core@3.13.21

@tanstack/react-virtual@3.13.20

Patch Changes

Updated dependencies [ff83e94]:

@tanstack/virtual-core@3.13.20

@tanstack/react-virtual@3.13.19

Patch Changes

Updated dependencies [843109c]:

@tanstack/virtual-core@3.13.19

Changelog

Sourced from @tanstack/react-virtual's changelog.

3.13.24

Patch Changes

Updated dependencies [97a204d]:

@tanstack/virtual-core@3.14.0

3.13.23

Patch Changes

Updated dependencies [7ece2d5]:

@tanstack/virtual-core@3.13.23

3.13.22

Patch Changes

Updated dependencies [54d771a, d3416c3]:

@tanstack/virtual-core@3.13.22

3.13.21

Patch Changes

Updated dependencies [be89e29]:

@tanstack/virtual-core@3.13.21

3.13.20

Patch Changes

Updated dependencies [ff83e94]:

@tanstack/virtual-core@3.13.20

3.13.19

Patch Changes

Updated dependencies [843109c]:

@tanstack/virtual-core@3.13.19

Commits

c3d4cd4 ci: Version Packages (#1157)
9394e13 ci: Version Packages (#1149)
7ece2d5 fix(virtual-core): remove incorrect elementsCache cleanup using getItemKey (#...
c2f1c39 ci: Version Packages (#1139)
fc3c733 perf(virtual-core): skip sync DOM reads during normal scrolling (#1144)
c4da5cb ci: Version Packages (#1137)
be89e29 fix(virtual-core): smooth scrolling for dynamic item sizes (#1108)
d2a9995 ci: Version Packages (#1136)
ff83e94 fix(virtual-core): early return in _measureElement for disconnected nodes (#1...
e0e4dcd ci: Version Packages (#1131)
See full diff in compare view

Updates react from 19.2.4 to 19.2.5

Release notes

Sourced from react's releases.

19.2.5 (April 8th, 2026)

React Server Components

Add more cycle protections (#36236 by @eps1lon and @unstubbable)

Commits

23f4f9f 19.2.5
See full diff in compare view

Updates react-dom from 19.2.4 to 19.2.5

Release notes

Sourced from react-dom's releases.

19.2.5 (April 8th, 2026)

React Server Components

Add more cycle protections (#36236 by @eps1lon and @unstubbable)

Commits

23f4f9f 19.2.5
See full diff in compare view

Updates @biomejs/biome from 2.4.0 to 2.4.13

Release notes

Sourced from @biomejs/biome's releases.

Biome CLI v2.4.13

2.4.13

Patch Changes
#9969 c5eb92b Thanks @officialasishkumar! - Added the nursery rule noUnnecessaryTemplateExpression, which disallows template literals that only contain string literal expressions. These can be replaced with a simpler string literal.

For example, the following code triggers the rule:
const a = `${"hello"}`; // can be 'hello'
const b = `${"prefix"}_suffix`; // can be 'prefix_suffix'
const c = `${"a"}${"b"}`; // can be 'ab'
#10037 f785e8c Thanks @minseong0324! - Fixed #9810: noMisleadingReturnType no longer reports false positives on a getter with a matching setter in the same namespace.
class Store {
  get status(): string {
    if (Math.random() > 0.5) return "loading";
    return "idle";
  }
  set status(v: string) {}
}
#10084 5e2f90c Thanks @jiwon79! - Fixed #10034: noUselessEscapeInRegex no longer flags escapes of ClassSetReservedPunctuator characters (&, !, #, %, ,, :, ;, <, =, >, @, `, ~) inside v-flag character classes as useless. These characters are reserved as individual code points in v-mode, so the escape is required.

The following pattern is now considered valid:
/[a-z\&]/v;
#10063 c9ffa16 Thanks @Netail! - Added extra rule sources from ESLint CSS. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

#10035 946b50e Thanks @Netail! - Fixed #10032: useIframeSandbox now flags if there's no initializer value.
#9865 68fb8d4 Thanks @dyc3! - Added the new nursery rule useDomNodeTextContent, which prefers textContent over innerText for DOM node text access and destructuring.

For example, the following snippet triggers the rule:
const foo = node.innerText;
#10023 bd1e74f Thanks @ematipico! - Added a new nursery rule noReactNativeDeepImports that disallows deep imports from the react-native package. Internal paths like react-native/Libraries/... are not part of the public API and may change between versions.

... (truncated)

Changelog

Sourced from @biomejs/biome's changelog.

2.4.13

Patch Changes
#9969 c5eb92b Thanks @officialasishkumar! - Added the nursery rule noUnnecessaryTemplateExpression, which disallows template literals that only contain string literal expressions. These can be replaced with a simpler string literal.

For example, the following code triggers the rule:
const a = `${"hello"}`; // can be 'hello'
const b = `${"prefix"}_suffix`; // can be 'prefix_suffix'
const c = `${"a"}${"b"}`; // can be 'ab'
#10037 f785e8c Thanks @minseong0324! - Fixed #9810: noMisleadingReturnType no longer reports false positives on a getter with a matching setter in the same namespace.
class Store {
  get status(): string {
    if (Math.random() > 0.5) return "loading";
    return "idle";
  }
  set status(v: string) {}
}
#10084 5e2f90c Thanks @jiwon79! - Fixed #10034: noUselessEscapeInRegex no longer flags escapes of ClassSetReservedPunctuator characters (&, !, #, %, ,, :, ;, <, =, >, @, `, ~) inside v-flag character classes as useless. These characters are reserved as individual code points in v-mode, so the escape is required.

The following pattern is now considered valid:
/[a-z\&]/v;
#10063 c9ffa16 Thanks @Netail! - Added extra rule sources from ESLint CSS. biome migrate eslint should do a bit better detecting rules in your eslint configurations.

#10035 946b50e Thanks @Netail! - Fixed #10032: useIframeSandbox now flags if there's no initializer value.
#9865 68fb8d4 Thanks @dyc3! - Added the new nursery rule useDomNodeTextContent, which prefers textContent over innerText for DOM node text access and destructuring.

For example, the following snippet triggers the rule:
const foo = node.innerText;
#10023 bd1e74f Thanks @ematipico! - Added a new nursery rule noReactNativeDeepImports that disallows deep imports from the react-native package. Internal paths like react-native/Libraries/... are not part of the public API and may change between versions.

For example, the following code triggers the rule:

... (truncated)

Commits

e316150 ci: release (#9991)
11ddc05 feat(lint): add useReactNativePlatformComponents rule and options (#10033)
1603f78 feat(js_analyze): implement noJsxLeakedDollar (#9911)
c5eb92b feat(linter): add nursery rule noUnnecessaryTemplateExpression (#9969)
5cc83b1 feat(lint/js): add noLoopFunc (#9815)
bd1e74f feat(lint): add react native deep import rule (#10023)
68fb8d4 feat(lint/js): add useDomNodeTextContent (#9865)
94ccca9 feat(lint): add noReactNativeLiteralColors (#10012)
3dce737 feat(lint/js): add useDomQuerySelector (#9885)
131019e feat(lint): add noReactNativeRawText (#10005)
Additional commits viewable in compare view

Updates postcss from 8.5.6 to 8.5.12

Release notes

Sourced from postcss's releases.

8.5.12

Fixed reading any file via user-generated CSS.

Added opts.unsafeMap to disable checks.

8.5.11

Fixed nested brackets parsing performance (by @offset).

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

8.5.9

Speed up source map encoding paring in case of the error.

8.5.8

Fixed Processor#version.

8.5.7

Improved source map annotation cleaning performance (by CodeAnt AI).

Changelog

Sourced from postcss's changelog.

8.5.12

Fixed reading any file via user-generated CSS.

Added opts.unsafeMap to disable checks.

8.5.11

Fixed nested brackets parsing performance (by @offset).

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

8.5.9

Speed up source map encoding paring in case of the error.

8.5.8

Fixed Processor#version.

8.5.7

Improved source map annotation cleaning performance (by CodeAnt AI).

Commits

9bc81c4 Release 8.5.12 version
85c4d7d Another try to fix coverage
94484ca Try to fix coverage
c64b748 Load only .map source maps
aaec7b7 Avoid throwing JSON parsing errors for non-JSON source maps
233fb26 Mention original author of the solution
2502f75 Release 8.5.11 version
5ca1901 Speed up parsing many nested brackets
42b5337 Update dependencies
7e36e15 Cache node.raws locally in Stringifier hot methods
Additional commits viewable in compare view

vercel · 2026-04-13T11:24:03Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
yearnfi	Ready	Preview, Comment	Apr 27, 2026 0:26am

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
yearnfi-nextjs	Ignored	Preview	Apr 27, 2026 0:26am

github-actions · 2026-04-13T11:24:15Z

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package

Version

Score

Details

npm/@biomejs/biome

2.4.13

Unknown

npm/@headlessui/react

2.2.10

🟢 4.6

Details

Check	Score	Reason
Maintained	🟢 4	4 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 4
Code-Review	🟢 4	Found 12/30 approved changesets -- score normalized to 4
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
Packaging	🟢 10	packaging workflow detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/@tanstack/react-virtual

3.13.24

Unknown

npm/postcss

8.5.12

🟢 6

Details

Check	Score	Reason
Maintained	🟢 10	29 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	⚠️ 1	Found 3/30 approved changesets -- score normalized to 1
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 10	all dependencies are pinned
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 3	branch protection is not maximal on development and all release branches
SAST	🟢 6	SAST tool is not run on all commits -- score normalized to 6

npm/react

19.2.5

🟢 6.6

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 9	Found 27/30 approved changesets -- score normalized to 9
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 2	badge detected: InProgress
License	🟢 10	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Signed-Releases	⚠️ -1	no releases found
Binary-Artifacts	🟢 9	binaries present in source code
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 2	SAST tool is not run on all commits -- score normalized to 2

npm/react-dom

19.2.5

🟢 6.6

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 9	Found 27/30 approved changesets -- score normalized to 9
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 2	badge detected: InProgress
License	🟢 10	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Signed-Releases	⚠️ -1	no releases found
Binary-Artifacts	🟢 9	binaries present in source code
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 2	SAST tool is not run on all commits -- score normalized to 2

Scanned Files

package.json

socket-security · 2026-04-13T11:24:52Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Vulnerability	Quality	Maintenance
@tanstack/react-virtual@3.13.18 ⏵ 3.13.24				^-1
postcss@8.5.6 ⏵ 8.5.12		⁺²
@headlessui/react@2.2.9 ⏵ 2.2.10	⁺¹		⁺¹
react@19.2.4 ⏵ 19.2.5
react-dom@19.2.4 ⏵ 19.2.5
@biomejs/biome@2.4.0 ⏵ 2.4.13	⁺¹

View full report

…pdates Bumps the patch-updates group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@headlessui/react](https://github.com/tailwindlabs/headlessui/tree/HEAD/packages/@headlessui-react) | `2.2.9` | `2.2.10` | | [@tanstack/react-virtual](https://github.com/TanStack/virtual/tree/HEAD/packages/react-virtual) | `3.13.18` | `3.13.24` | | [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.4` | `19.2.5` | | [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.4` | `19.2.5` | | [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) | `2.4.0` | `2.4.13` | | [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.12` | Updates `@headlessui/react` from 2.2.9 to 2.2.10 - [Release notes](https://github.com/tailwindlabs/headlessui/releases) - [Changelog](https://github.com/tailwindlabs/headlessui/blob/main/packages/@headlessui-react/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/headlessui/commits/@headlessui/react@v2.2.10/packages/@headlessui-react) Updates `@tanstack/react-virtual` from 3.13.18 to 3.13.24 - [Release notes](https://github.com/TanStack/virtual/releases) - [Changelog](https://github.com/TanStack/virtual/blob/main/packages/react-virtual/CHANGELOG.md) - [Commits](https://github.com/TanStack/virtual/commits/@tanstack/react-virtual@3.13.24/packages/react-virtual) Updates `react` from 19.2.4 to 19.2.5 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.5/packages/react) Updates `react-dom` from 19.2.4 to 19.2.5 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.5/packages/react-dom) Updates `@biomejs/biome` from 2.4.0 to 2.4.13 - [Release notes](https://github.com/biomejs/biome/releases) - [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md) - [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.4.13/packages/@biomejs/biome) Updates `postcss` from 8.5.6 to 8.5.12 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.5.6...8.5.12) --- updated-dependencies: - dependency-name: "@biomejs/biome" dependency-version: 2.4.11 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: "@headlessui/react" dependency-version: 2.2.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: "@tanstack/react-virtual" dependency-version: 3.13.23 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: postcss dependency-version: 8.5.9 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: react dependency-version: 19.2.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: react-dom dependency-version: 19.2.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: patch-updates ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 13, 2026

vercel Bot deployed to Preview – yearnfi April 13, 2026 11:25 View deployment

dependabot Bot force-pushed the dependabot/bun/patch-updates-afa921fa3e branch from 281e568 to 0249447 Compare April 20, 2026 12:07

vercel Bot deployed to Preview – yearnfi April 20, 2026 12:09 View deployment

dependabot Bot force-pushed the dependabot/bun/patch-updates-afa921fa3e branch from 0249447 to aa9ed5b Compare April 27, 2026 12:24

vercel Bot deployed to Preview – yearnfi April 27, 2026 12:26 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the patch-updates group across 1 directory with 6 updates#1183

chore(deps): bump the patch-updates group across 1 directory with 6 updates#1183
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/bun/patch-updates-afa921fa3e

dependabot Bot commented on behalf of github Apr 13, 2026 •

edited

Loading

Uh oh!

vercel Bot commented Apr 13, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Apr 13, 2026 •

edited

Loading

Uh oh!

socket-security Bot commented Apr 13, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Apr 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

@​headlessui/react@​v2.2.10

Fixed

[2.2.10] - 2026-04-07

Fixed

@​tanstack/react-virtual@​3.13.24

Patch Changes

@​tanstack/react-virtual@​3.13.23

Patch Changes

@​tanstack/react-virtual@​3.13.22

Patch Changes

@​tanstack/react-virtual@​3.13.21

Patch Changes

@​tanstack/react-virtual@​3.13.20

Patch Changes

@​tanstack/react-virtual@​3.13.19

Patch Changes

3.13.24

Patch Changes

3.13.23

Patch Changes

3.13.22

Patch Changes

3.13.21

Patch Changes

3.13.20

Patch Changes

3.13.19

Patch Changes

19.2.5 (April 8th, 2026)

React Server Components

19.2.5 (April 8th, 2026)

React Server Components

Biome CLI v2.4.13

2.4.13

Patch Changes

2.4.13

Patch Changes

8.5.12

8.5.11

8.5.10

8.5.9

8.5.8

8.5.7

8.5.12

8.5.11

8.5.10

8.5.9

8.5.8

8.5.7

Uh oh!

vercel Bot commented Apr 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented Apr 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Dependency Review

OpenSSF Scorecard

Scanned Files

Uh oh!

socket-security Bot commented Apr 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Apr 13, 2026 •

edited

Loading

`@headlessui/react@v2`.2.10

`@tanstack/react-virtual@3`.13.24

`@tanstack/react-virtual@3`.13.23

`@tanstack/react-virtual@3`.13.22

`@tanstack/react-virtual@3`.13.21

`@tanstack/react-virtual@3`.13.20

`@tanstack/react-virtual@3`.13.19

vercel Bot commented Apr 13, 2026 •

edited

Loading

github-actions Bot commented Apr 13, 2026 •

edited

Loading

socket-security Bot commented Apr 13, 2026 •

edited

Loading