chore(deps): update dependency lint-staged to v16.2.1

[renovate]

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Change	Age	Confidence
lint-staged	16.1.5 -> 16.2.1

---

Release Notes

lint-staged/lint-staged (lint-staged)

v16.2.1

Compare Source

Patch Changes

• #​1664 8277b3b Thanks @​iiroj! - The built-in TypeScript types have been updated to more closely match the implementation. Notably, the list of staged files supplied to task functions is readonly string[] and can't be mutated. Thanks @​outslept!

  export default {
  ---  "*": (files: string[]) => void console.log('staged files', files)
  +++  "*": (files: readonly string[]) => void console.log('staged files', files)
  }

• #​1654 70b9af3 Thanks @​iiroj! - This version has been published from GitHub Actions using Trusted Publishing for npm packages.

• #​1659 4996817 Thanks @​iiroj! - Fix searching configuration files when the working directory is a subdirectory of a git repository, and there are package.json files in the working directory. This situation might happen when running lint-staged for a single package in a monorepo.

• #​1654 7021f0a Thanks @​iiroj! - Return the caret semver range (^) to direct dependencies so that future patch and minor versions are allowed. This enables projects to better maintain and deduplicate their own transitive dependencies while not requiring direct updates to lint-staged. This was changed in 16.2.0 after the vulnerability issues with chalk and debug, which were also removed in the same version.

  Given the recent vulnerabilities in the npm ecosystem, it's best to be very careful when updating dependencies.

v16.2.0

Compare Source

Minor Changes

• #​1615 99eb742 Thanks @​iiroj! - Added a new option --fail-on-changes to make lint-staged exit with code 1 when tasks modify any files, making the precommit hook fail. This is similar to the git diff --exit-code option. Using this flag also implies the --no-revert flag which means any changes made my tasks will be left in the working tree after failing, so that they can be manually staged and the commit tried again.

• #​1611 cd05fd3 Thanks @​rlorenzo! - Added a new option --continue-on-error so that lint-staged will run all tasks to completion even if some of them fail. By default, lint-staded will exit early on the first failure.

• #​1637 82fcc07 Thanks @​iiroj! - Internal lint-staged errors are now thrown and visible in the console output. Previously they were caught with the process exit code set to 1, but not logged. This happens when, for example, there's a syntax error in the lint-staged configuration file.

• #​1647 a5ecc06 Thanks @​iiroj! - Remove debug as a dependency due to recent malware issue; read more at debug-js/debug#1005. Because of this, the DEBUG environment variable is no longer supported — use the --debug to enable debugging

• #​1636 8db2717 Thanks @​iiroj! - Added a new option --hide-unstaged so that lint-staged will hide all unstaged changes to tracked files before running tasks. The changes will be applied back after running the tasks. Note that the combination of flags --hide-unstaged --no-hide-partially-staged isn't meaningful and behaves the same as just --hide-unstaged.

  Thanks to @​ItsNickBarry for the idea and initial implementation in #​1552.

• #​1648 7900b3b Thanks @​iiroj! - Remove lilconfig to reduce reliance on third-party dependencies. It was used to find possible config files outside of those tracked in Git, including from the parent directories. This behavior has been moved directly into lint-staged and should work about the same.

Patch Changes

• #​1633 7f9e485 Thanks @​dependabot! - Bumps listr2 from 9.0.3 to 9.0.4.

• #​1626 99d5a9b Thanks @​iiroj! - Due to recent phishing attacks, for example chalk@5.6.1 was released with malware. To avoid lint-staged's users being at risk the direct dependencies are pinned to exact versions, instead of allowing future patch versions with the caret (^) range.

• #​1588 035bbf2 Thanks @​outslept! - Increase performance by listing staged files and searching for configuration concurrently.

• #​1645 deba3ad Thanks @​iiroj! - Remove chalk as a dependency due to recent malware issue; read more at chalk/chalk#656.

  If you are having trouble with ANSI color codes when using lint-staged, you can try setting either FORCE_COLOR=true or NO_COLOR=true env variables.

v16.1.6

Compare Source

Patch Changes

• #​1610 e93578e Thanks @​iiroj! - Try to improve terminating of subprocess of tasks by using SIGKILL, and only calling pidtree when the the main task process has a known pid.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

• TypeScript Type Improvements: Updated built-in TypeScript types where staged files parameter is now readonly string[] instead of string[] - this is backward compatible as it only adds read-only constraint
• Security Fixes: Removed vulnerable dependencies chalk and debug due to recent malware issues (chalk@5.6.1 had malware, debug had security vulnerabilities)
• New Features: Added new CLI options (--fail-on-changes, --continue-on-error, --hide-unstaged) but these are optional and don't affect existing usage
• Bug Fixes: Fixed configuration file searching in monorepo subdirectories and improved subprocess termination
• Dependency Updates: Updated transitive dependencies (listr2, cli-truncate, nano-spawn) to latest versions
• Removed Dependencies: Eliminated lilconfig dependency by moving functionality directly into lint-staged

🎯 Impact Scope Investigation

• Usage Locations: lint-staged is used in:
  • package.json:34 as devDependency
  • .husky/pre-commit:1 executed via bunx lint-staged
  • .lintstagedrc.json contains configuration running biome check on all files
• Configuration Impact: No changes required to existing .lintstagedrc.json configuration
• Husky Integration: No changes needed to pre-commit hook setup
• TypeScript Impact: The readonly constraint on file arrays is backward compatible and won't break existing code

💡 Recommended Actions

• Immediate Action: This update is safe to merge immediately
• No Migration Required: Existing configuration and usage patterns remain fully compatible
• Security Benefit: The update removes vulnerable dependencies, improving security posture
• Performance Improvement: Parallel processing improvements and reduced dependency footprint

🔗 Reference Links

• Release Notes v16.2.1
• Release Notes v16.2.0
• Security Advisory - chalk malware
• Security Advisory - debug vulnerability

Generated by koki-develop/claude-renovate-review