chore(deps): bump the npm-dependencies group across 1 directory with 7 updates

[dependabot]

Bumps the npm-dependencies group with 7 updates in the / directory:

Package	From	To
@types/node	25.9.0	25.9.1
eslint	10.4.0	10.4.1
typescript-eslint	8.59.4	8.60.0
ws	8.20.1	8.21.0
katex	0.16.47	0.17.0
markdown-it	14.1.1	14.2.0
markdown-it-attrs	4.3.1	4.5.0

Updates @types/node from 25.9.0 to 25.9.1

Commits

• See full diff in compare view

Updates eslint from 10.4.0 to 10.4.1

Release notes

Sourced from eslint's releases.

v10.4.1

Bug Fixes

• e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#20930) (Francesco Trotta)
• d4ce898 fix: propagate failures from delegated commands (#20917) (Minh Vu)
• f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#20916) (kuldeep kumar)
• c5bc78b fix: false positive for reference in finally block (#20655) (Tanuj Kanti)
• 27538c0 fix: add missing CodePath and CodePathSegment types (#20853) (Pixel998)

Documentation

• 61b0add docs: remove deprecated rule from related rules of max-params (#20921) (Tanuj Kanti)
• 305d5b9 docs: remove deprecated rules from related rules section (#20911) (Tanuj Kanti)
• 49b0202 docs: fix display: none of ad (#20901) (Tanuj Kanti)
• 9067f94 docs: switch build to Node.js 24 (#20893) (Milos Djermanovic)
• c91b041 docs: Update README (GitHub Actions Bot)
• e349265 docs: clarify semver strings in rule deprecation objects (#20885) (Milos Djermanovic)

Chores

• b0e466b test: add data property to invalid tests cases for rules (#20924) (Tanuj Kanti)
• f78838b test: add CodePath type coverage (#20904) (Pixel998)
• 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#20922) (Francesco Trotta)
• 002942c ci: declare contents:read on update-readme workflow (#20919) (Arpit Jain)
• 64bca24 chore: update ecosystem plugins (#20912) (ESLint Bot)
• 6d7c832 chore: ignore fflate updates in renovate (#20908) (Pixel998)
• b2c8638 ci: bump pnpm/action-setup from 6.0.7 to 6.0.8 (#20889) (dependabot[bot])
• a9b8d7f chore: increase maxBuffer for ecosystem tests (#20881) (sethamus)
• b702ead chore: update ecosystem update PR settings (#20884) (Pixel998)
• 507f60e chore: update ecosystem plugins (#20882) (ESLint Bot)
• 92f5c5b test: add unit test for message-count (#20878) (kuldeep kumar)
• df32108 chore: add @​eslint/markdown and typescript-eslint ecosystem tests (#20837) (sethamus)
• 327f91d chore: use includeIgnoreFile internally (#20876) (Kirk Waiblinger)
• f0dc4bd chore: pin fflate@0.8.2 (#20877) (Milos Djermanovic)
• 0f4bd25 ci: run Discord alert for ecosystem test failures (#20873) (Copilot)

Commits

• 4a3d15a 10.4.1
• 43e7e2b Build: changelog update for 10.4.1
• e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#20930)
• b0e466b test: add data property to invalid tests cases for rules (#20924)
• d4ce898 fix: propagate failures from delegated commands (#20917)
• f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#20916)
• f78838b test: add CodePath type coverage (#20904)
• 61b0add docs: remove deprecated rule from related rules of max-params (#20921)
• 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#20...
• 002942c ci: declare contents:read on update-readme workflow (#20919)
• Additional commits viewable in compare view

Updates typescript-eslint from 8.59.4 to 8.60.0

Release notes

Sourced from typescript-eslint's releases.

v8.60.0

8.60.0 (2026-05-25)

🚀 Features

• rule-tester: added updates of RuleTester from upstream (#12291)

🩹 Fixes

• playground TS version selector is not working (#12326, #12325)

❤️ Thank You

• Evyatar Daud @​StyleShit
• Vinccool96

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.60.0 (2026-05-25)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• f891c29 chore(release): publish 8.60.0
• See full diff in compare view

Updates ws from 8.20.1 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

• Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

• Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

Commits

• bca91ad [dist] 8.21.0
• 2b2abd4 [security] Limit retained message parts
• 78eabe2 [security] Add latest vulnerability to SECURITY.md
• See full diff in compare view

Updates katex from 0.16.47 to 0.17.0

Release notes

Sourced from katex's releases.

v0.17.0

0.17.0 (2026-05-22)

Performance Improvements

• simplify defineFunction to avoid destructuring, improve typing (#4222) (fb604e6)

BREAKING CHANGES

• The internal API for __defineFunction changed: you should no longer wrap properties in props.

Changelog

Sourced from katex's changelog.

0.17.0 (2026-05-22)

Performance Improvements

• simplify defineFunction to avoid destructuring, improve typing (#4222) (fb604e6)

BREAKING CHANGES

• The internal API for __defineFunction changed: you should no longer wrap properties in props.

Commits

• 3dec549 chore(release): 0.17.0 [ci skip]
• fb604e6 perf: simplify defineFunction to avoid destructuring, improve typing (#4222)
• 6caa636 refactor: tighten ParseNode types (#4219)
• afed784 docs: make first supportive organizations logos bigger (#4216)
• b02d9ac chore(deps): update dependency webpack-dev-server to v5.2.4 [security] (#4220)
• See full diff in compare view

Updates markdown-it from 14.1.1 to 14.2.0

Changelog

Sourced from markdown-it's changelog.

[14.2.0] - 2026-05-24

Added

• isPunctCharCode to utilities.

Fixed

• Don't end HTML comment blocks on a blank line, #1155.
• Properly recognize astral chars (surrogates) in delimiter scans for emphasis-like markers, #1072. Big thanks to @​tats-u for his global efforts with improving CJK support.
• Preserve unicode whitespaces when trimm headings/paragraphs, #1074.
• More strict entities decode to avoid false positives ;, #1096.
• Restore block parser state on fail in lheading rule, #1131.

Security

• Fixed poor smartquotes perfomance on > 70k quotes in single block
• Bumped linkify-it to 5.0.1 with fixed potential perfomance issues.

Commits

• 829797a 14.2.0 released
• 9ce2087 Fix smartquotes perfomance
• 02e73b8 linkify-it bump
• 68cfb8c fix: don't end HTML comment blocks on a blank line (#1155)
• 1083137 Readme cleanup
• 97c7ca2 Update funding info
• c471b55 Changelog update
• 7769621 isPunctChar => isPunctCharCode
• aa2aa70 fix: always reset parentType in lheading rule (#1131)
• 59955f2 Polish PRs #1072, #1074
• Additional commits viewable in compare view

Updates markdown-it-attrs from 4.3.1 to 4.5.0

Release notes

Sourced from markdown-it-attrs's releases.

v4.5.0

What's Changed

• Fix quoted attribute parsing and triage open issue reproducibility by @​Copilot in arve0/markdown-it-attrs#168
• Add bundled TypeScript type definitions to fix MarkdownIt type incompatibility by @​Copilot in arve0/markdown-it-attrs#170
• Add regression coverage for markdown-it-container attribute propagation edge case by @​Copilot in arve0/markdown-it-attrs#171
• CI workflow cleanup: Linux-only Node matrix, non-duplicating PR triggers, and action version bumps by @​Copilot in arve0/markdown-it-attrs#174
• Fix "end of block" attrs pattern to handle trailing navigation tokens in headings by @​Copilot in arve0/markdown-it-attrs#173

Full Changelog: arve0/markdown-it-attrs@v4.4.0...v4.5.0

v4.4.0

What's Changed

• feat: add ability to filter attribute values by @​treardon17 in arve0/markdown-it-attrs#160
• Fix attribute adding to avoid duplicates by @​cgm616 in arve0/markdown-it-attrs#157

New Contributors

• @​treardon17 made their first contribution in arve0/markdown-it-attrs#160
• @​cgm616 made their first contribution in arve0/markdown-it-attrs#157

Full Changelog: arve0/markdown-it-attrs@v4.3.2...v4.4.0

v4.3.2

What's Changed

• fix: handle null meta on tbody_open for headerless tables (issue #161) by @​Copilot in arve0/markdown-it-attrs#167

New Contributors

• @​Copilot made their first contribution in arve0/markdown-it-attrs#167

Full Changelog: arve0/markdown-it-attrs@v4.3.1...v4.3.2

Commits

• 4f2a6b4 4.5.0
• 038f2f2 Address code review: add depth comment, rename hash to anchorSymbol
• 61a4c64 Fix end-of-block pattern to handle heading attrs with trailing navigation tokens
• a244fd3 Initial plan for fixing heading attrs with trailing navigation tokens
• 6d3c7f3 Update CI triggers and bump workflow actions
• 2a2c8e0 Add minimal GITHUB_TOKEN permissions to CI workflow
• 8a9f96f Update CI matrix to Linux and Node 22/24/26
• 3089651 test: reproducible for issue #111
• 43b35cd Add first-party TypeScript type definitions and test
• e5eef3e initial plan
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.