Build(deps-dev): Bump the dependencies group across 1 directory with 7 updates #55

Open

dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/dependencies-854b6abbe4

dependabot[bot] commented on behalf of github on Jun 18, 2026

Bumps the dependencies group with 7 updates in the / directory:

Package               From      To
@playwright/test      1.60.0    1.61.0
@types/node           24.13.1   25.9.3
@vitest/coverage-v8   4.1.8     4.1.9
fallow                2.89.0    2.98.0
oxfmt                 0.51.0    0.55.0
oxlint                1.68.0    1.70.0
vitest                4.1.8     4.1.9

Updates @playwright/test from 1.60.0 to 1.61.0

Release notes

Sourced from @playwright/test's releases.

v1.61.0

🔑 WebAuthn passkeys

New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:

const context = await browser.newContext();
// Seed a passkey your backend provisioned for a test user.
await context.credentials.create('example.com', {
  id: credentialId,
  userHandle,
  privateKey,
  publicKey,
});
await context.credentials.install();
const page = await context.newPage();
await page.goto('https://example.com/login');
// The page's navigator.credentials.get() is answered with the seeded passkey.

You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.

🗃️ Web Storage

New WebStorage API, available via page.localStorage and page.sessionStorage, reads and writes the page's storage for the current origin:

await page.localStorage.setItem('token', 'abc');
const token = await page.localStorage.getItem('token');
const items = await page.sessionStorage.items();

New APIs

Network

Browser and Screencast

  • New option artifactsDir in browserType.connectOverCDP() controls where artifacts such as traces and downloads are stored when attached to an existing browser.
  • New option cursor in screencast.showActions() controls the cursor decoration rendered for pointer actions.
  • The onFrame callback in screencast.start() now receives a timestamp of when the frame was presented by the browser.

Test runner

  • The testOptions.video option now supports the same set of modes as trace: new 'on-all-retries', 'retain-on-first-failure' and 'retain-on-failure-and-retries' values. See the video modes table for which runs are recorded and kept in each mode.
  • Supported expect.soft.poll(...).
  • New fullConfig.argv — a snapshot of process.argv from the runner process, handy for reading custom arguments passed after the -- separator.
  • New fullConfig.failOnFlakyTests mirrors the config option, so reporters can explain why a flaky run failed.
  • testInfo.errors now lists each sub-error of an AggregateError as a separate entry.

... (truncated)

Commits
  • 1cc5a90 cherry-pick(#41295): chore: PLAYWRIGHT_TRACING_NO_WEBSOCKET_FRAMES and PLAYWR...
  • a6772bd cherry-pick(#41280): Revert "fix(trace-viewer): add keyboard navigation to `N...
  • 8133dcf cherry-pick(#41283): docs: add Ubuntu 26.04 and Node.js 26.x to system requir...
  • 812432e chore: mark v1.61.0 (#41277)
  • ac05145 fix(fetch): report serverAddr and securityDetails for reused sockets (#41267)
  • 056efc9 fix(trace-viewer): add keyboard navigation to NetworkFilters component (#41...
  • 41f7b9a chore: fixes uncovered by the .NET 1.61 roll (#41266)
  • ba50778 fix(mcp): assign caps as array for legacy --vision flag (#41253)
  • b8ee5ae docs: release notes for v1.61 (#41261)
  • 49c1f69 fix(trace viewer): load trace from a local file (#41263)
  • Additional commits viewable in compare view

Updates @types/node from 24.13.1 to 25.9.3

Commits

Updates @vitest/coverage-v8 from 4.1.8 to 4.1.9

Release notes

Sourced from @vitest/coverage-v8's releases.

v4.1.9

🐞 Bug Fixes

View changes on GitHub
Commits

Updates fallow from 2.89.0 to 2.98.0

Release notes

Sourced from fallow's releases.

v2.98.0: Angular component IO, Svelte events, Vue/Svelte template complexity

Highlights

This release deepens framework-aware dead-code and complexity analysis across Angular, Vue, and Svelte, and widens React Server Component checks beyond Next.js.

Added

Framework dead-code coverage

  • Angular component inputs and outputs. Two new rules, unused-component-input and unused-component-output (both warn), flag an @Input() / signal input() / model() read nowhere in its own component (template or class body) and an @Output() / signal output() that is .emit()-ed nowhere. This is the in-component dead-IO direction no Angular tool covers. Validated at zero false positives on the angular/components monorepo. Requires @angular/core.
  • Svelte component events. A new unused-svelte-event rule (warn) flags a Svelte createEventDispatcher event listened to by no component anywhere in the project. This is the cross-file dead-output direction the compiler and svelte-check (single-file or type-only) do not cover. Validated at zero false positives on a large Svelte monorepo. Requires svelte.
  • unrendered-component now covers Angular. An @Component whose element selector is rendered in no template, and that is not routed, bootstrapped, or dynamically rendered, is flagged project-wide. Abstains when the project uses any dynamic component-render API. Requires @angular/core.
  • unprovided-inject now covers Angular. An InjectionToken injected via inject(TOKEN) or @Inject(TOKEN) that no provider supplies anywhere (a runtime NullInjectorError) is flagged. Scopes to user InjectionToken symbols and abstains on optional injects, package-imported tokens, public-API tokens, and opaque provider graphs. Requires @angular/core.
  • unused-component-prop / unused-component-emit now cover the Vue Options API. props: and emits: declared on export default { ... } / defineComponent({ ... }) in a non-<script setup> block are now checked, with usage credited from this.<prop> reads, templates, and this.$emit(...). Abstains on mixins/extends, dynamic access, and opaque shapes.
  • unused-server-action now covers inline "use server" body directives. A dead export async function deleteUser() { "use server"; ... } is now reclassified to unused-server-action instead of surfacing as a plain unused-export. Inherits every unused-export abstain. Stays Next-gated and warn-level.

React Server Components beyond Next.js

  • misplaced-directive and mixed-client-server-barrel now activate for any RSC bundler. Both rules encode universal RSC semantics, so they now fire for next, waku, @lazarv/react-server, react-server-dom-webpack, react-server-dom-vite, react-server-dom-parcel, and @vitejs/plugin-rsc, not just Next. The Next-specific rules (invalid-client-export, unused-server-action) stay Next-gated on purpose.

Complexity

  • Vue and Svelte template control flow now counts toward complexity. fallow health --complexity (and the complexity contribution to the health score and hotspots) now scores a synthetic <template> entry per .vue / .svelte file from its control flow and bound expressions, the way it already does for Angular templates. The template scan masks <script> and <style> so script complexity is never double-counted. Reuses the existing thresholds and the complexity suppression token; no new rule or flag.

Output

  • Framework findings lead with a manual fix action. unused-server-action, unprovided-inject, unused-load-data-key, unrendered-component, unused-component-prop, unused-component-emit, and unused-svelte-event now put a domain-specific manual fix first in JSON actions[] instead of leading with suppression, while keeping the suppress action and the public-API / dynamic-wiring caveats.

Fixed

  • Pinia store members consumed through inline storeToRefs(useStore()) are now credited. unused-store-member handles storeToRefs(usePermissionsStore()) and toRefs(...) destructures, including aliased forms, no longer flagging members that are used. Thanks @​Smrtnyk for the report. (Closes #1282.)
  • Playwright fixture methods reached through branch-selected aliases are no longer missed. unused-class-members now credits fixture aliases selected by ternaries, if/else, and switch branches, and same-file local fixtures passed into mergeTests(...). Thanks @​vethman for the report. (Closes #1270.)
  • React JSX depth is now descriptive context, not cognitive complexity. Deeply nested presentational components with no control flow (skeletons, layout wrappers) no longer surface as high cognitive complexity. Hook density and wide prop interfaces still contribute via hook-density and prop-count. Thanks @​pavle99 for the report. (Closes #1281.)
  • Svelte 5's bare <script module> is now recognized as module context. Previously only the Svelte 4 <script context="module"> form was matched, so a Svelte 5 <script module> block was treated as the instance script and its imports were wrongly credited as template-visible, masking genuinely unused imports or exports.

Full Changelog: fallow-rs/fallow@v2.97.0...v2.98.0

v2.97.0: CSS/Tailwind intelligence, framework health, RSC boundaries

v2.97.0 brings a CSS and Tailwind intelligence layer to fallow health, a wave of framework-specific dead-code and health checks across SvelteKit, Vue, Pinia, and Next.js, the Next.js React Server Components boundary suite, and a cross-repo view for Fallow Impact.

CSS and Tailwind intelligence (fallow health --css)

Opt-in CSS analysis that treats your stylesheets as part of the graph:

  • Unused Tailwind v4 @theme design tokens. A @theme token whose utility, var() reads, and @apply uses appear nowhere is a dead design token. Heavily gated to stay near-zero-false-positive: Tailwind v4 only, abstains on plugin projects, published-library stylesheets, and partial-scope runs.
  • Unused @font-face web fonts, font-size scales authored in mixed length units, and global CSS classes referenced by no in-project markup, plus likely CSS class-name typos in markup.
  • Structural CSS analytics (specificity, nesting depth, declaration counts) for a quick stylesheet health read.
  • CSS Module class extraction now uses a real CSS parser instead of a regex pass.

These are reported as candidates with read-only verify commands, never gated findings.

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.98.0] - 2026-06-17

Added

  • Framework dead-code findings now lead with manual fix actions. unused-server-action, unprovided-inject, unused-load-data-key, unrendered-component, unused-component-prop, unused-component-emit, and unused-svelte-event now put a domain-specific manual fix action first in JSON actions[] instead of leading with suppression only. The actions stay non-auto-fixable and preserve the existing suppress action as the second option, so agents get clearer next steps while public API and dynamic-wiring caveats stay explicit. Human and markdown health output also labels synthetic <template> rows as template-complexity entries and switches the section wording to "complexity findings" when template or component rollup rows are present. Machine-readable complexity formats keep the canonical <template> name for compatibility.

  • The misplaced-directive and mixed-client-server-barrel rules now cover React Server Components frameworks beyond Next.js. Both rules encode universal RSC semantics, a body-position "use client" / "use server" string is silently ignored by every RSC bundler (not just Next), and a barrel that re-exports both a client module and a server-only module drags directive context across the boundary in any RSC framework. They previously activated only when next was a declared dependency; they now activate for any RSC bundler: next, waku, @lazarv/react-server, react-server-dom-webpack, react-server-dom-vite, react-server-dom-parcel, or @vitejs/plugin-rsc. The two Next-specific rules stay Next-gated on purpose: invalid-client-export keys on Next route-segment config names (getServerSideProps, the route HTTP-method exports) and unused-server-action keys on Next Server Action registration. No config or output change.

  • The unused-server-action rule now covers inline "use server" body directives. It previously reclassified only unused exports of a whole "use server" file; an export async function deleteUser() { "use server"; ... } whose action is dead surfaced as a plain unused-export. Such a dead inline Server Action is now reclassified to unused-server-action for precise categorization. The extract layer records the export names of exported functions and const arrows whose body carries an inline "use server" directive, and the reclassifier moves an unused export whose name matches. It inherits every unused-export abstain (entry-point, public-API re-export, whole-object, reachable-reference), so a wired-up action (action={fn}, <form action={fn}>, import-and-call) is never flagged; the marginal surface over unused-export is just the inline directive gate. Stays Next-gated and warn-level, like the file-level case. Validated at zero false positives on real Next App Router projects (vercel ai-chatbot, commerce). Warm extraction caches refresh on upgrade.

  • Vue and Svelte template control flow now counts toward complexity health. fallow health --complexity (and the complexity signal in the overall health score and hotspots) now includes a synthetic <template> entry per .vue / .svelte file, computed from the template's control flow and bound expressions, the same way it already does for Angular templates. Previously only an SFC's <script> functions were scored, so a component with heavy v-if / v-for (Vue) or {#if} / {#each} / {#await} (Svelte) branching, deeply nested logic, or complex bound expressions and {{ }} / { } interpolations read as artificially simple. The template scan masks the <script> and <style> blocks, so script complexity is never double-counted, and nesting depth follows the template's tag/block structure so nested branches weigh more, matching the cyclomatic/cognitive model used everywhere else. This reuses the existing maxCyclomatic / maxCognitive thresholds and the complexity suppression token; there is no new rule, finding type, or flag. Warm extraction caches refresh on upgrade to pick up the new entry.

  • The unrendered-component rule now covers Angular. Previously Vue/Svelte only, it now also flags an Angular @Component whose element selector is used in no template anywhere in the project and that is not routed, bootstrapped, or dynamically rendered. This is the project-wide direction @angular-eslint does not cover (its NG8113 is single-component only). It harvests each component's selector, the element-selector tags used across every inline and external (templateUrl) template, route component: / loadComponent references, and bootstrap references, then flags a component whose selector is rendered nowhere. It stays false-positive-safe by abstaining when the component is rendered via its tag, routed (including the bare loadComponent: () => import('./x') default-export lazy form and loadChildren, credited because the lazy target's default export is referenced), bootstrapped, public-API exported, or when the project uses any dynamic component-render API (ViewContainerRef.createComponent / *ngComponentOutlet), which abstains project-wide. Attribute and class selectors and @Directive classes are out of the first cut (element-selector components only). Reuses the existing unrendered-component rule and all its surfaces; no new rule or flag. Validated at zero false positives on the angular-realworld example app.

  • fallow now flags Svelte component events that are dispatched but listened to nowhere. A new unused-svelte-event rule (default severity warn) reports a Svelte component that fires a custom event through a createEventDispatcher binding (const dispatch = createEventDispatcher(); dispatch('save')) whose event name is listened to by no component in the project: no <Child on:save> (or event-forwarding on:save) on any rendered instance. This is the cross-file dead-output direction that no Svelte tool covers: the compiler and svelte-check are single-file or type-only, and eslint-plugin-svelte has no project-wide listener check. It reuses fallow's whole-project graph the same way unprovided-inject does: a project-wide set of listened event names (every on:<name> on a component tag, with event forwarding counting as a listen) is built first, then a dispatched event absent from it is flagged. It stays false-positive-safe by over-crediting toward "listened" (a listener on any component credits the name) and by abstaining on the whole component when it cannot see the event name: a dynamic dispatch(<expr>) or a dispatch reference passed elsewhere as a value. on:click and other listeners on lowercase DOM elements are native DOM events, not component events, and are ignored. The rule activates only when svelte is a declared dependency, and reports in human, JSON, SARIF, CodeClimate, compact, and markdown output plus the LSP and MCP. There is no auto-fix (wire a listener or remove the dispatch, a human decision); suppress with // fallow-ignore-next-line unused-svelte-event or set the rule to off. Validated at zero false positives on the Budibase monorepo (215 createEventDispatcher components). The Svelte 5 callback-prop direction (a callback prop the parent never passes) is caller-side and not yet covered.

  • unused-component-prop and unused-component-emit now cover the Vue Options API. The two rules previously only inspected <script setup> components; they now also harvest props: and emits: (array and object forms) from export default { ... } and defineComponent({ ... }) in a non-setup <script> block, so a declared Options-API prop read nowhere in its own component, or a declared emit fired nowhere, is flagged the same way. Usage is credited from this.<prop> reads and template references for props, and from this.$emit('<name>') calls and template $emit for emits. It stays false-positive-safe by abstaining on the whole component when a member could be read or fired invisibly to the per-component scan: a mixins: or extends: option (a mixin or base can read a prop or fire an emit), a dynamic this[expr] access, a props/emits value that is an identifier, a spread, or a defineComponent<Type>() type generic, and a setup(props, { emit }) method (its props param and context emit are consumed opaquely). Reported through the same surfaces as the <script setup> rules; no new rule or flag. .vue files only (a defineComponent in a plain .ts file is not yet in scope).

  • fallow now flags Angular component inputs that are read nowhere in their component. A new unused-component-input rule (default severity warn) reports an Angular @Input(), signal input() / input.required(), or model() declared on a component (or directive) class that is read by no code in its own component: not in the inline or external templateUrl template, and not anywhere in the class body. This is the in-component dead-input direction that no tool in the Angular ecosystem covers: there is no @angular-eslint rule for it, and the Angular compiler never flags a declared-but-unread @Input (it only checks caller-side binding correctness). A declared input consumed only by a parent binding but never read in its own component IS flagged, because binding it does nothing in-component (it is wired to a dead end). Input names are harvested onto the extraction IR from the decorator form (@Input() foo, @Input({ required: true }) bar), the signal form (input(), input.required()), and model(); usage is credited from every angle so only a genuinely-unread input is flagged: a template reference (inline or external template, the latter through the side-effect edge to the .html), any this.<member> read in the class body, a member-by-name access (which covers the ngOnChanges changes['foo'] pattern), and the inputs: [...] / host: {...} decorator-metadata forms (already credited at extraction). It stays false-positive-safe by abstaining on the whole component when it cannot see all reads: any extends heritage clause (a base class in another file may read the member), a { ...this } spread, and JS-reserved-word names; accessor inputs (@Input() set foo(v) / getters) are skipped per-input since a setter body runs on binding, and an observable-stream output shape is left to the output rule. The rule activates only when @angular/core is a declared dependency, and reports in human, JSON, SARIF, CodeClimate, compact, and markdown output plus the LSP and MCP. 
    There is no auto-fix (wire the input to a real read or remove it, a human decision); suppress with // fallow-ignore-next-line unused-component-input or set the rule to off. Validated at zero false positives on the angular/components monorepo.

  • fallow now flags Angular component outputs that are emitted nowhere in their component. A new unused-component-output rule (default severity warn) reports an Angular @Output() or signal output() declared on a component (or directive) class that is .emit()-ed by no code in its own component. This is the output-side sibling of unused-component-input and the in-component dead-output direction that no Angular tooling covers: there is no @angular-eslint rule for a never-emitted output, and the compiler only checks caller-side listener correctness. Output names are harvested onto the extraction IR from the decorator form (only @Output() bar = new EventEmitter()-style initializers are harvested; an observable-stream @Output is treated as an abstain shape) and the signal output() form; usage is credited from a this.<out>.emit(...) call site, a template (event)="x.emit()" handler, and any forwarded this.<out> value read (passed to a function that may emit it), so over-crediting can only suppress a finding, never create one. It abstains on the whole component for any extends heritage clause and for { ...this } spreads; model() outputs are excluded entirely from the output side, since their implicit update: emit is framework-driven. The rule activates only when @angular/core is a declared dependency, and reports in human, JSON, SARIF, CodeClimate, compact, and markdown output plus the LSP and MCP. There is no auto-fix (emit the output or remove it, a human decision); suppress with // fallow-ignore-next-line unused-component-output or set the rule to off. Validated at zero false positives on the angular/components monorepo.

  • The unprovided-inject rule now covers Angular. Previously Vue/Svelte only, it now also flags an Angular InjectionToken injected through inject(TOKEN) or an @Inject(TOKEN) constructor parameter that is supplied by no provider anywhere in the project: no { provide: TOKEN, useClass | useValue | useFactory | useExisting } recipe in any providers array, and no self-providing new InjectionToken(..., { factory }) / { providedIn }. At runtime such an inject throws NullInjectorError, which no static tool in the Angular ecosystem catches (there is no @angular-eslint rule, and the compiler does not flag it for non-root tokens). It scopes to user InjectionToken symbols only: a class token (inject(MyService)) is out of scope because it self-provides via providedIn: 'root' and third-party provideX() providers, which would make it false-positive-prone. It stays false-positive-safe by abstaining on an inject(TOKEN, { optional: true }) / @Optional() inject (designed to be unprovided), a token imported from an npm package (the provider may live in the package), a token that is public API of this package (a consumer provides it), and project-wide whenever the provider graph becomes opaque: any importProvidersFrom(...), makeEnvironmentProviders(...), a ...spread in a providers array, or a computed provide: key. The rule activates only when @angular/core is a declared dependency, reuses the existing unprovided-inject rule and all its surfaces (human, JSON, SARIF, CodeClimate, compact, markdown, LSP, MCP), and has no auto-fix (provide the token or remove the inject, a human decision); suppress with // fallow-ignore-next-line unprovided-inject or set the rule to off. Tokens of any type-argument shape are covered, including a primitive-typed (new InjectionToken<string>('FLAG')) or untyped (new InjectionToken('FLAG')) token; a bare string-literal inject key and the provided-never-injected direction are not yet covered. 
    Validated at zero false positives on the angular/components monorepo.

Fixed

  • Pinia store members consumed through inline storeToRefs(useStore()) calls are now credited. unused-store-member now treats storeToRefs(usePermissionsStore()) and toRefs(usePermissionsStore()) object destructures the same way as the existing store-local form, including aliased destructures such as const { canCreateEvents: canCreate } = storeToRefs(usePermissionsStore()). The credit stays limited to bare store-factory identifiers or tracked store locals, so unrelated helper calls are not treated as store consumption. Thanks @​Smrtnyk for the report. (Closes #1282.)

  • unused-class-members no longer misses Playwright fixture methods reached through branch-selected aliases. Fallow now credits fixture object aliases selected by ternaries, if/else, and switch branches inside Playwright test callbacks, and same-file local fixture tests passed into mergeTests(...) now feed the merged wrapper. The alias tracking is Playwright-only, order-sensitive, and conservative on shadowing or unknown reassignment, so genuinely unused page-object methods still report. Thanks @​vethman for the report. (Closes #1270.)

  • React JSX depth is now descriptive context, not cognitive complexity. Deeply nested presentational React and Preact components, such as skeleton tables or layout wrappers with no control flow, no longer surface as high cognitive complexity solely because their JSX tree is deep. Fallow still records react_jsx_max_depth for hotspot context, while hook density and wide prop interfaces continue to contribute to cognitive complexity through hook-density and prop-count. The public jsx-depth contribution kind remains in the schema for compatibility, but current extraction no longer emits it for layout depth. Thanks @​pavle99 for the report. (Closes #1281.)

  • Svelte 5's bare <script module> is now recognized as module context. Fallow previously recognized only the Svelte 4 <script context="module"> form, so a Svelte 5 bare <script module> block was treated as the instance script and its imports were wrongly credited as template-visible, which could mask a genuinely unused import or export in a Svelte 5 component. The bare module attribute is now matched (with the same standalone-attribute anchoring as the setup attribute, so a lang or generics attribute containing the substring "module" cannot false-match), and its declarations are scoped as module context like the Svelte 4 form. The extraction cache version is bumped so warm caches refresh on upgrade.

[2.97.0] - 2026-06-16

Added

  • fallow health --css now flags unused Tailwind v4 @theme design tokens. A Tailwind v4 @theme token (--color-brand, --radius-card) defines a design token that generates a utility (bg-brand, rounded-card); a token whose utility, var() reads, and @apply uses appear nowhere is a dead design token, the unused-export of the token era, which single-surface tools (the Tailwind compiler, eslint-plugin-tailwindcss) do not catch. The check credits usage from every angle (a *-<name> utility in markup, a clsx / CSS-in-JS string, an @apply body, an arbitrary [--ns-name] value, or a var() read including one @theme token backing another) and is false-negative-leaning by design, so a live token is never flagged. The non-CSS-source search is namespace-qualified (it matches a real -<name> utility suffix, never a bare dictionary word), so a token named brand or card is not credited just because the word appears in a .tsx file. To stay near-zero-false-positive (validated across the Next.js bundle-analyzer, the next-saas-starter, the Tailwind docs site, and shadcn/ui, where it surfaces genuinely-dead shadcn chart-* / sidebar-* tokens at zero false positives), it is heavily gated: it emits only on a Tailwind v4 project (a tailwindcss dependency plus at least one @theme block), abstains entirely on a Tailwind plugin project (@plugin or a config plugins[], whose tokens a plugin can consume invisibly), abstains on a published-library stylesheet (a @theme exported as a package surface is a public token API consumed downstream), and abstains on a partial-scope run. The --breakpoint-* / --container-* variant namespaces and the --<token>--<property> modifier form are excluded from candidacy. These are candidates, never gated findings, each with a read-only, namespace-qualified verify command. Reported in human, markdown, and JSON (css_analytics.unused_theme_tokens).

  • fallow health --css now flags unused @font-face web fonts. A font family declared by an @font-face rule (so its font files are downloaded) but applied by no font-family anywhere surfaces as a cleanup candidate, located at the declaring stylesheet. A dead web font is real shipped weight that no per-rule linter catches. To stay near-zero-false-positive (validated against Bootstrap, Excalidraw, reveal.js, Svelte, where it now reports zero false positives), a family is only flagged if its name appears in no CSS font-family AND in no other source either: a font applied from JavaScript or a canvas fontFamily assignment, or referenced from a .scss/.sass theme the parser does not expand, is correctly left alone. Font-family names are matched case-insensitively, per the CSS spec. These are candidates, never gated findings (the family could be set from an inline style or JS), each with a read-only verify command. Reported in human, markdown, and JSON (css_analytics.unused_font_faces).

  • fallow health --css now flags a font-size scale authored in mixed length units. When a project's font-size values are split across several units (for example px and rem), the new font_size_unit_mix candidate reports the per-unit breakdown, because mixing fixed px with root-relative rem for type works against user-zoom accessibility. It is advisory and conservatively floored: it stays silent on a consistent scale and on small stylesheets, and only fires once the project plainly has a type scale spread across two or more units, so a single outlier is not flagged. The candidate names the dominant unit to standardize on, framed as "unless this is an intentional migration". Color-notation mixing (hex vs rgb vs hsl) is deliberately not surfaced: the CSS parser canonicalizes every legacy sRGB notation to hex before fallow sees the value, so the authored distinction is already gone. Reported in human, markdown, and JSON (css_analytics.font_size_unit_mix).

  • fallow health --css now flags global CSS classes referenced by no in-project markup. A class defined in a plain .css/.scss rule whose literal name appears in no class/className across the project (the CSS analogue of an unused export) surfaces as a cleanup candidate, located at its definition. Dead-CSS detection is notoriously false-positive-prone, so this is heavily gated (validated against Bootstrap, Svelte, Excalidraw, and other real projects, where it produces zero false positives): a class counts as referenced if it is a whole static class token OR a substring of any dynamic class expression (so a class assembled from a ${...} or clsx(...) fragment is never flagged); a stylesheet abstains entirely if it is a published package entry (package.json style/main/sass/exports) or none of its classes are used in-project (a design-system surface consumed elsewhere); and the whole check abstains on preprocessor-dominant projects and on partial-scope runs (--changed-since/--workspace), where a class cannot be proven dead. These are candidates, never gated findings: the class may be applied from an HTML email, server template, CMS, or Markdown the parser never scans, so each carries that disclosure plus a read-only verify command. Reported in human, markdown, and JSON (css_analytics.unreferenced_css_classes).

  • fallow health --css now flags likely CSS class-name typos in markup. A static class / className token in JSX/TSX, HTML, or a Vue/Svelte/Astro template that matches no CSS class defined anywhere in the project, but is one edit away from a class that IS defined (className="card-tite" where .card-title exists), surfaces as a candidate with the suggested class. This is the CSS analogue of an unresolved import, applied across the CSS-to-markup boundary that single-file linters and CSS-analytics tools cannot see. The near-miss restriction plus several false-positive guards (validated against Bootstrap, Svelte, Excalidraw, and other real projects) keep it near-zero-false-positive: Tailwind utility classes and unrelated tokens are not one edit from an authored class; numeric-scale families (col-lg-6 vs col-lg-4) and singular/plural pairs (button vs buttons) are excluded because a one-digit or trailing-s difference is a deliberate variation, not a typo; and the check abstains entirely on preprocessor-dominant projects (.scss/.sass/.less outnumbering plain CSS), where generated classes are invisible to the parser and would otherwise look unresolved. CSS Module classes are out of scope (already covered by unused-export detection). These are candidates, never gated findings, and only appear under --css: a token could still be defined in CSS-in-JS or an external stylesheet the parser never sees, so each carries a read-only verify command. Reported in human, markdown, and JSON (css_analytics.unresolved_class_references).

  • fallow now flags SvelteKit load() return-object keys that no consumer reads. A new unused-load-data-key rule (default severity warn) reports a key returned from a route load() (in +page.ts / +page.server.ts and the .js variants) that is read by no code: not the sibling +page.svelte's data.<key>, and not any project-wide page.data.<key> (Svelte 5 $app/state) or $page.data.<key> (Svelte 4 $app/stores). A dead returned key still runs its real server-side fetch / DB cost on every request for data nothing renders, and no other static tool catches it: svelte-check types data through the generated $types but never flags an unread returned key (the unused-input direction). It stays false-positive-safe by abstaining whenever it cannot see all consumption: an unharvestable load body (a spread return, a non-literal or multi-branch return, a computed key, a wrapped / re-exported load), a sibling component that passes the whole data object opaquely (data={data}, {...data}, fn(data), const x = data), a +page.server.ts whose universal +page.ts sibling reads or forwards its data param, and any project-wide reflective whole-object read of the page-data store (Object.values(page.data)), which abstains every route. The rule activates only when @sveltejs/kit is a declared dependency, and reports in human, JSON, SARIF, CodeClimate, compact, and markdown output plus the LSP and MCP. There is no auto-fix (a load fetch can have side effects, so removing a key is a human decision); suppress with // fallow-ignore-next-line unused-load-data-key or set the rule to off. Layout loads (+layout.{ts,server.ts}) are not covered yet.

... (truncated)

Commits
  • 592deff chore: release v2.98.0
  • fcff566 fix(pinia): credit inline storeToRefs members
  • 636dd28 ci: add codspeed benchmarks
  • b66c18a fix(output): add framework action guidance
  • 71af94a chore(deps): bump docker node runtime to 26
  • bfdc9ab chore(deps): bump vscode-languageclient in vscode extension
  • 822d53c chore(deps-dev): bump @vscode/test-electron in /editors/vscode
  • f59a2d6 chore(vscode): stop committing dist bundle; build fresh in CI/release
  • 29e69c2 fix: keep JSX depth descriptive
  • fc51fe6 fix(health): score Svelte attribute-binding expressions in template complexit...
  • Additional commits viewable in compare view

Updates oxfmt from 0.51.0 to 0.55.0

Changelog

Sourced from oxfmt's changelog.

[0.55.0] - 2026-06-15

🚀 Features

  • 9a2788b linter/unicorn: Implement prefer-export-from rule (#22935) (AliceLanniste)

[0.54.0] - 2026-06-08

📚 Documentation

  • dadafe3 oxlint, oxfmt: Mention migrate skills in npm READMEs (#22965) (Boshen)
  • f88961a oxfmt: Annotate each config option with supported languages (#22953) (leaysgur)

[0.52.0] - 2026-05-26

🚀 Features

  • 16b8058 oxfmt: Support vite-plus/resolveConfig for vite.config.ts (#22454) (leaysgur)

[0.50.0] - 2026-05-15

🐛 Bug Fixes

  • 43b9978 formatter/sort_imports: Treat subpath imports as internal (#22440) (leaysgur)

[0.49.0] - 2026-05-11

🚀 Features

  • 6e8e818 oxfmt: Experimental .svelte support (#21700) (leaysgur)

[0.45.0] - 2026-04-13

🐛 Bug Fixes

  • 50c389b oxfmt: Support .editorconfig quote_type (#20989) (leaysgur)

[0.44.0] - 2026-04-06

🐛 Bug Fixes

  • dd2df87 npm: Export package.json for oxlint and oxfmt (#20784) (kazuya kawaguchi)
  • 4216380 oxfmt: Support .editorconfig tab_width fallback (#20988) (leaysgur)

[0.43.0] - 2026-03-30

🚀 Features

  • 6ef440a oxfmt: Support bool for object style options (#20853) (leaysgur)

... (truncated)

Commits
  • aa79b5b release(apps): oxlint v1.70.0 && oxfmt v0.55.0 (#23442)
  • 9a2788b feat(linter/unicorn): implement prefer-export-from rule (#22935)
  • 44ae845 release(apps): oxlint v1.69.0 && oxfmt v0.54.0 (#23116)
  • dadafe3 docs(oxlint, oxfmt): mention migrate skills in npm READMEs (#22965)
  • f88961a docs(oxfmt): annotate each config option with supported languages (#22953)
  • 964a758 release(apps): oxlint v1.68.0 && oxfmt v0.53.0 (#22883)
  • 68b455d release(apps): oxlint v1.67.0 && oxfmt v0.52.0 (#22735)
  • 16b8058 feat(oxfmt): Support vite-plus/resolveConfig for vite.config.ts (#22454)
  • See full diff in compare view

Updates oxlint from 1.68.0 to 1.70.0

Release notes

Sourced from oxlint's releases.

oxlint v1.27.0 && oxfmt v0.12.0

Oxlint v1.27.0

🚀 Features

  • 222a8f0 linter/plugins: Implement SourceCode#isSpaceBetween (#15498) (overlookmotel)
  • 2f9735d linter/plugins: Implement context.languageOptions (#15486) (overlookmotel)
  • bc731ff linter/plugins: Stub out all Context APIs (#15479) (overlookmotel)
  • 5822cb4 linter/plugins: Add extend method to FILE_CONTEXT (#15477) (overlookmotel)
  • 7b1e6f3 apps: Add pure rust binaries and release to github (#15469) (Boshen)
  • 2a89b43 linter: Introduce debug assertions after fixes to assert validity (#15389) (camc314)
  • ad3c45a editor: Add oxc.path.node option (#15040) (Sysix)

🐛 Bug Fixes

  • 6f3cd77 linter/no-var: Incorrect warning for blocks (#15504) (Hamir Mahal)
  • 6957fb9 linter/plugins: Do not allow access to Context#id in createOnce (#15489) (overlookmotel)
  • 7409630 linter/plugins: Allow access to cwd in createOnce in ESLint interop mode (#15488) (overlookmotel)
  • 732205e parser: Reject using / await using in a switch case / default clause (#15225) (sapphi-red)
  • a17ca32 linter/plugins: Replace Context class (#15448) (overlookmotel)
  • ecf2f7b language_server: Fail gracefully when tsgolint executable not found (#15436) (camc314)
  • 3c8d3a7 lang-server: Improve logging in failure case for tsgolint (#15299) (camc314)
  • ef71410 linter: Use jsx if source type is JS in fix debug assertion (#15434) (camc314)
  • e32bbf6 linter/no-var: Handle TypeScript declare keyword in fixer (#15426) (camc314)
  • 6565dbe linter/switch-case-braces: Skip comments when searching for : token (#15425) (camc314)
  • 85bd19a linter/prefer-class-fields: Insert value after type annotation in fixer (#15423) (camc314)
  • fde753e linter/plugins: Block access to context.settings in createOnce (#15394) (overlookmotel)
  • ddd9f9f linter/forward-ref-uses-ref: Dont suggest removing wrapper in invalid positions (#15388) (camc314)
  • dac2a9c linter/no-template-curly-in-string: Remove fixer (#15387) (camc314)
  • 989b8e3 linter/no-var: Only fix to const if the var has an initializer (#15385) (camc314)
  • cc403f5 linter/plugins: Return empty object for unimplemented parserServices (#15364) (magic-akari)

⚡ Performance

  • 25d577e language_server: Start tools in parallel (#15500) (Sysix)
  • 3c57291 linter/plugins: Optimize loops (#15449) (overlookmotel)
  • 3166233 linter/plugins: Remove Arcs (#15431) (overlookmotel)
  • 9de1322 linter/plugins: Lazily deserialize settings JSON (#15395) (overlookmotel)
  • 3049ec2 linter/plugins: Optimize deepFreezeSettings (#15392) (overlookmotel)
  • 444ebfd linter/plugins: Use single object for parserServices (#15378) (overlookmotel)

📚 Documentation

  • 97d2104 linter: Update comment in lint.rs about default value for tsconfig path (#15530) (Connor Shea)
  • 2c6bd9e linter: Always refer as "ES2015" instead of "ES6" (#15411) (sapphi-red)
  • a0c5203 linter/import/named: Update "ES7" comment in examples (#15410) (sapphi-red)
  • 3dc24b5 linter,minifier: Always refer as "ES Modules" instead of "ES6 Modules" (#15409) (sapphi-red)
  • 2ad77fb linter/no-this-before-super: Correct "Why is this bad?" section (#15408) (sapphi-red)
  • 57f0ce1 linter: Add backquotes where appropriate (#15407) (sapphi-red)

Oxfmt v0.12.0

…7 updates

Bumps the dependencies group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.60.0` | `1.61.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `24.13.1` | `25.9.3` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.8` | `4.1.9` |
| [fallow](https://github.com/fallow-rs/fallow) | `2.89.0` | `2.98.0` |
| [oxfmt](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt) | `0.51.0` | `0.55.0` |
| [oxlint](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxlint) | `1.68.0` | `1.70.0` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.8` | `4.1.9` |



Updates `@playwright/test` from 1.60.0 to 1.61.0
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.60.0...v1.61.0)

Updates `@types/node` from 24.13.1 to 25.9.3
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@vitest/coverage-v8` from 4.1.8 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/coverage-v8)

Updates `fallow` from 2.89.0 to 2.98.0
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.89.0...v2.98.0)

Updates `oxfmt` from 0.51.0 to 0.55.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxfmt/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxfmt_v0.55.0/npm/oxfmt)

Updates `oxlint` from 1.68.0 to 1.70.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxlint/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxlint_v1.70.0/npm/oxlint)

Updates `vitest` from 4.1.8 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest)

---
updated-dependencies:
- dependency-name: "@playwright/test"
  dependency-version: 1.61.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: "@types/node"
  dependency-version: 25.9.3
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: dependencies
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: fallow
  dependency-version: 2.98.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: oxfmt
  dependency-version: 0.55.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: oxlint
  dependency-version: 1.70.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: vitest
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels on Jun 18, 2026
@sonarqubecloud

@codescene-delta-analysis codescene-delta-analysis Bot left a comment

No application code in the PR — skipped Code Health checks.

See analysis details in CodeScene

Quality Gate Profile: Custom Configuration
Install CodeScene MCP: safeguard and uplift AI-generated code. Catch issues early with our IDE extension and CLI tool.