
build(deps): bump the dependencies group across 1 directory with 12 updates #225

Merged: steipete merged 1 commit into main from dependabot/npm_and_yarn/dependencies-ae0a167daa on May 25, 2026

dependabot Bot commented on behalf of github May 23, 2026

Bumps the dependencies group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @google/genai | 2.3.0 | 2.6.0 |
| openai | 6.38.0 | 6.39.0 |
| shiki | 4.0.2 | 4.1.0 |
| @types/node | 25.8.0 | 25.9.1 |
| @typescript/native-preview | 7.0.0-dev.20260516.1 | 7.0.0-dev.20260523.1 |
| @vitest/coverage-v8 | 4.1.6 | 4.1.7 |
| devtools-protocol | 0.0.1629771 | 0.0.1634055 |
| oxfmt | 0.50.0 | 0.51.0 |
| oxlint | 1.65.0 | 1.66.0 |
| puppeteer-core | 25.0.2 | 25.0.4 |
| tsx | 4.22.0 | 4.22.3 |
| vitest | 4.1.6 | 4.1.7 |

Updates @google/genai from 2.3.0 to 2.6.0

Release notes

Sourced from @google/genai's releases.

v2.6.0

2.6.0 (2026-05-21)

Features

  • add enable_prompt_injection_detection for Computer Use feature for the Gemini API. (f780f3c)
  • Add budget_exceeded status (1e97bd0)
  • Add gemini-3.5-flash (1e97bd0)
  • add new fields (b78eeee)

v2.5.0

2.5.0 (2026-05-20)

Features

  • Add Gemini 3.5 Flash model to options (fcf26e3)

v2.4.0

2.4.0 (2026-05-17)

Features

  • support Agent and Environment APIs. (b0d9d2b)

Bug Fixes

  • output_text for turns that don't end with text. (1a3d94f)
Changelog

Sourced from @google/genai's changelog.

2.6.0 (2026-05-21)

Features

  • add enable_prompt_injection_detection for Computer Use feature for the Gemini API. (f780f3c)
  • Add budget_exceeded status (1e97bd0)
  • Add gemini-3.5-flash (1e97bd0)
  • add new fields (b78eeee)

2.5.0 (2026-05-20)

Features

  • Add Gemini 3.5 Flash model to options (fcf26e3)

2.4.0 (2026-05-17)

Features

  • support Agent and Environment APIs. (b0d9d2b)

Bug Fixes

  • output_text for turns that don't end with text. (1a3d94f)
Commits
  • a631549 chore(main): release 2.6.0 (#1623)
  • f780f3c feat: add enable_prompt_injection_detection for Computer Use feature for th...
  • b78eeee feat: add new fields
  • 1e97bd0 feat: Add budget_exceeded status
  • 2cb1814 chore(main): release 2.5.0 (#1616)
  • f06e3a2 chore: update comment in BatchJobOutputInfo to unblock javadoc generation
  • fcf26e3 feat: Add Gemini 3.5 Flash model to options
  • b252753 chore: Cleanup
  • dbe4484 chore(main): release 2.4.0 (#1604)
  • b0d9d2b feat: support Agent and Environment APIs.
  • Additional commits viewable in compare view

Updates openai from 6.38.0 to 6.39.0

Release notes

Sourced from openai's releases.

v6.39.0

6.39.0 (2026-05-21)

Full Changelog: v6.38.0...v6.39.0

Features

  • api: api update (33ea11f)
  • api: manual updates (c210b09)
  • api: manual updates (92df9dc)
  • api: update OpenAPI spec or Stainless config (c7c0f52)

Bug Fixes

  • types: allow runtime fetch options (8f5003d)
  • typescript: upgrade tsc-multi so that it works with Node 26 (068f9c6)

Chores

  • api: docs updates (9d43adb)
  • tests: remove redundant File import (5465bbe)
Changelog

Sourced from openai's changelog.

6.39.0 (2026-05-21)

Full Changelog: v6.38.0...v6.39.0

Features

  • api: api update (33ea11f)
  • api: manual updates (c210b09)
  • api: manual updates (92df9dc)
  • api: update OpenAPI spec or Stainless config (c7c0f52)

Bug Fixes

  • types: allow runtime fetch options (8f5003d)
  • typescript: upgrade tsc-multi so that it works with Node 26 (068f9c6)

Chores

  • api: docs updates (9d43adb)
  • tests: remove redundant File import (5465bbe)
Commits
  • 2002111 release: 6.39.0
  • d6dc9b7 feat(api): manual updates
  • 7444892 feat(api): api update
  • f5db3f1 fix(types): allow runtime fetch options
  • 33b391a chore(api): docs updates
  • bfe3016 fix(typescript): upgrade tsc-multi so that it works with Node 26
  • 3320b20 chore(tests): remove redundant File import
  • 3250890 feat(api): manual updates
  • d9fbf39 feat(api): update OpenAPI spec or Stainless config
  • 8a8436e codegen metadata
  • Additional commits viewable in compare view

Updates shiki from 4.0.2 to 4.1.0

Release notes

Sourced from shiki's releases.

v4.1.0

   🐞 Bug Fixes

    View changes on GitHub
Commits

Updates @types/node from 25.8.0 to 25.9.1

Commits

Updates @typescript/native-preview from 7.0.0-dev.20260516.1 to 7.0.0-dev.20260523.1

Commits

Updates @vitest/coverage-v8 from 4.1.6 to 4.1.7

Release notes

Sourced from @vitest/coverage-v8's releases.

v4.1.7

   🐞 Bug Fixes

    View changes on GitHub
Commits

Updates devtools-protocol from 0.0.1629771 to 0.0.1634055

Commits

Updates oxfmt from 0.50.0 to 0.51.0

Changelog

Sourced from oxfmt's changelog.

Changelog

All notable changes to this package will be documented in this file.

The format is based on Keep a Changelog.

Commits

Updates oxlint from 1.65.0 to 1.66.0

Release notes

Sourced from oxlint's releases.

oxlint v1.27.0 && oxfmt v0.12.0

Oxlint v1.27.0

🚀 Features

  • 222a8f0 linter/plugins: Implement SourceCode#isSpaceBetween (#15498) (overlookmotel)
  • 2f9735d linter/plugins: Implement context.languageOptions (#15486) (overlookmotel)
  • bc731ff linter/plugins: Stub out all Context APIs (#15479) (overlookmotel)
  • 5822cb4 linter/plugins: Add extend method to FILE_CONTEXT (#15477) (overlookmotel)
  • 7b1e6f3 apps: Add pure rust binaries and release to github (#15469) (Boshen)
  • 2a89b43 linter: Introduce debug assertions after fixes to assert validity (#15389) (camc314)
  • ad3c45a editor: Add oxc.path.node option (#15040) (Sysix)

🐛 Bug Fixes

  • 6f3cd77 linter/no-var: Incorrect warning for blocks (#15504) (Hamir Mahal)
  • 6957fb9 linter/plugins: Do not allow access to Context#id in createOnce (#15489) (overlookmotel)
  • 7409630 linter/plugins: Allow access to cwd in createOnce in ESLint interop mode (#15488) (overlookmotel)
  • 732205e parser: Reject using / await using in a switch case / default clause (#15225) (sapphi-red)
  • a17ca32 linter/plugins: Replace Context class (#15448) (overlookmotel)
  • ecf2f7b language_server: Fail gracefully when tsgolint executable not found (#15436) (camc314)
  • 3c8d3a7 lang-server: Improve logging in failure case for tsgolint (#15299) (camc314)
  • ef71410 linter: Use jsx if source type is JS in fix debug assertion (#15434) (camc314)
  • e32bbf6 linter/no-var: Handle TypeScript declare keyword in fixer (#15426) (camc314)
  • 6565dbe linter/switch-case-braces: Skip comments when searching for : token (#15425) (camc314)
  • 85bd19a linter/prefer-class-fields: Insert value after type annotation in fixer (#15423) (camc314)
  • fde753e linter/plugins: Block access to context.settings in createOnce (#15394) (overlookmotel)
  • ddd9f9f linter/forward-ref-uses-ref: Dont suggest removing wrapper in invalid positions (#15388) (camc314)
  • dac2a9c linter/no-template-curly-in-string: Remove fixer (#15387) (camc314)
  • 989b8e3 linter/no-var: Only fix to const if the var has an initializer (#15385) (camc314)
  • cc403f5 linter/plugins: Return empty object for unimplemented parserServices (#15364) (magic-akari)

⚡ Performance

  • 25d577e language_server: Start tools in parallel (#15500) (Sysix)
  • 3c57291 linter/plugins: Optimize loops (#15449) (overlookmotel)
  • 3166233 linter/plugins: Remove Arcs (#15431) (overlookmotel)
  • 9de1322 linter/plugins: Lazily deserialize settings JSON (#15395) (overlookmotel)
  • 3049ec2 linter/plugins: Optimize deepFreezeSettings (#15392) (overlookmotel)
  • 444ebfd linter/plugins: Use single object for parserServices (#15378) (overlookmotel)

📚 Documentation

  • 97d2104 linter: Update comment in lint.rs about default value for tsconfig path (#15530) (Connor Shea)
  • 2c6bd9e linter: Always refer as "ES2015" instead of "ES6" (#15411) (sapphi-red)
  • a0c5203 linter/import/named: Update "ES7" comment in examples (#15410) (sapphi-red)
  • 3dc24b5 linter,minifier: Always refer as "ES Modules" instead of "ES6 Modules" (#15409) (sapphi-red)
  • 2ad77fb linter/no-this-before-super: Correct "Why is this bad?" section (#15408) (sapphi-red)
  • 57f0ce1 linter: Add backquotes where appropriate (#15407) (sapphi-red)

Oxfmt v0.12.0

... (truncated)

Changelog

Sourced from oxlint's changelog.

[1.66.0] - 2026-05-18

🚀 Features

  • 0440b0f linter/eslint: Implement id-match rule (#22379) (Vladislav Sayapin)
  • 65bf119 linter: Implement react no-object-type-as-default-prop (#22481) (uhyo)
  • 2a6ddce linter/eslint: Implement no-implied-eval rule (#22391) (Vladislav Sayapin)
  • 625758a linter/vitest: Implement padding-around-after-all-blocks rule (#21788) (kapobajza)
  • 37680b0 linter: Implement react no-unstable-nested-components (#22248) (Jovi De Croock)
  • d8d9c74 linter: Implement import/newline-after-import rule (#19142) (Ryuya Yanagi)
Commits
  • 5570206 release(apps): oxlint v1.66.0 && oxfmt v0.51.0 (#22528)
  • 0440b0f feat(linter/eslint): implement id-match rule (#22379)
  • 65bf119 feat(linter): implement react no-object-type-as-default-prop (#22481)
  • 2a6ddce feat(linter/eslint): implement no-implied-eval rule (#22391)
  • 625758a feat(linter/vitest): Implement padding-around-after-all-blocks rule (#21788)
  • 37680b0 feat(linter): implement react no-unstable-nested-components (#22248)
  • d8d9c74 feat(linter): implement import/newline-after-import rule (#19142)
  • See full diff in compare view

Updates puppeteer-core from 25.0.2 to 25.0.4

Release notes

Sourced from puppeteer-core's releases.

puppeteer-core: v25.0.4

25.0.4 (2026-05-18)

🛠️ Fixes

  • Throw TargetCloseError when session ID not found (#15002) (611abef)

puppeteer-core: v25.0.3

25.0.3 (2026-05-18)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @puppeteer/browsers bumped from 3.0.2 to 3.0.3
Changelog

Sourced from puppeteer-core's changelog.

25.0.4 (2026-05-18)

♻️ Chores

  • puppeteer: Synchronize puppeteer versions

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • puppeteer-core bumped from 25.0.3 to 25.0.4

🛠️ Fixes

  • Throw TargetCloseError when session ID not found (#15002) (611abef)

25.0.3 (2026-05-18)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @puppeteer/browsers bumped from 3.0.2 to 3.0.3
Commits

Updates tsx from 4.22.0 to 4.22.3

Release notes

Sourced from tsx's releases.

v4.22.3

4.22.3 (2026-05-19)

Bug Fixes

  • decode typed loader source (dce02fc)
  • preserve entrypoint with TypeScript preload hooks (68f72f3)

This release is also available on:

v4.22.2

4.22.2 (2026-05-18)

Bug Fixes

  • preserve CJS JSON require in ESM hooks (35b700b)
  • preserve named exports from CommonJS TypeScript (11de737)
  • support module.exports require(esm) interop (cf8f199)

This release is also available on:

v4.22.1

4.22.1 (2026-05-17)

Bug Fixes

  • resolve tsconfig path aliases containing a colon (#780) (6979f28)

This release is also available on:

Commits
  • dce02fc fix: decode typed loader source
  • 68f72f3 fix: preserve entrypoint with TypeScript preload hooks
  • 69455cf test: cover package exports for ambiguous ESM reexports
  • 35b700b fix: preserve CJS JSON require in ESM hooks
  • ef807db chore: update testing dependencies
  • 3917090 test: document compatibility test taxonomy
  • de8113f refactor: centralize Node capability facts
  • c1f62db test: consolidate tsconfig path edge coverage
  • 4e08174 test: consolidate loader hook coverage
  • 674bb30 test: consolidate tsImport commonjs mts coverage
  • Additional commits viewable in compare view

Updates vitest from 4.1.6 to 4.1.7

Release notes

Sourced from vitest's releases.

v4.1.7

   🐞 Bug Fixes

    View changes on GitHub
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…pdates

Bumps the dependencies group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@google/genai](https://github.com/googleapis/js-genai) | `2.3.0` | `2.6.0` |
| [openai](https://github.com/openai/openai-node) | `6.38.0` | `6.39.0` |
| [shiki](https://github.com/shikijs/shiki/tree/HEAD/packages/shiki) | `4.0.2` | `4.1.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.8.0` | `25.9.1` |
| [@typescript/native-preview](https://github.com/microsoft/typescript-go) | `7.0.0-dev.20260516.1` | `7.0.0-dev.20260523.1` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.6` | `4.1.7` |
| [devtools-protocol](https://github.com/ChromeDevTools/devtools-protocol) | `0.0.1629771` | `0.0.1634055` |
| [oxfmt](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt) | `0.50.0` | `0.51.0` |
| [oxlint](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxlint) | `1.65.0` | `1.66.0` |
| [puppeteer-core](https://github.com/puppeteer/puppeteer) | `25.0.2` | `25.0.4` |
| [tsx](https://github.com/privatenumber/tsx) | `4.22.0` | `4.22.3` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.6` | `4.1.7` |



Updates `@google/genai` from 2.3.0 to 2.6.0
- [Release notes](https://github.com/googleapis/js-genai/releases)
- [Changelog](https://github.com/googleapis/js-genai/blob/main/CHANGELOG.md)
- [Commits](googleapis/js-genai@v2.3.0...v2.6.0)

Updates `openai` from 6.38.0 to 6.39.0
- [Release notes](https://github.com/openai/openai-node/releases)
- [Changelog](https://github.com/openai/openai-node/blob/master/CHANGELOG.md)
- [Commits](openai/openai-node@v6.38.0...v6.39.0)

Updates `shiki` from 4.0.2 to 4.1.0
- [Release notes](https://github.com/shikijs/shiki/releases)
- [Commits](https://github.com/shikijs/shiki/commits/v4.1.0/packages/shiki)

Updates `@types/node` from 25.8.0 to 25.9.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@typescript/native-preview` from 7.0.0-dev.20260516.1 to 7.0.0-dev.20260523.1
- [Changelog](https://github.com/microsoft/typescript-go/blob/main/CHANGES.md)
- [Commits](https://github.com/microsoft/typescript-go/commits)

Updates `@vitest/coverage-v8` from 4.1.6 to 4.1.7
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.7/packages/coverage-v8)

Updates `devtools-protocol` from 0.0.1629771 to 0.0.1634055
- [Commits](ChromeDevTools/devtools-protocol@v0.0.1629771...v0.0.1634055)

Updates `oxfmt` from 0.50.0 to 0.51.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxfmt/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxfmt_v0.51.0/npm/oxfmt)

Updates `oxlint` from 1.65.0 to 1.66.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxlint/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxlint_v1.66.0/npm/oxlint)

Updates `puppeteer-core` from 25.0.2 to 25.0.4
- [Release notes](https://github.com/puppeteer/puppeteer/releases)
- [Changelog](https://github.com/puppeteer/puppeteer/blob/main/CHANGELOG.md)
- [Commits](puppeteer/puppeteer@puppeteer-core-v25.0.2...puppeteer-core-v25.0.4)

Updates `tsx` from 4.22.0 to 4.22.3
- [Release notes](https://github.com/privatenumber/tsx/releases)
- [Changelog](https://github.com/privatenumber/tsx/blob/master/release.config.cjs)
- [Commits](privatenumber/tsx@v4.22.0...v4.22.3)

Updates `vitest` from 4.1.6 to 4.1.7
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.7/packages/vitest)

---
updated-dependencies:
- dependency-name: "@google/genai"
  dependency-version: 2.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: openai
  dependency-version: 6.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: shiki
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: "@types/node"
  dependency-version: 25.9.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: "@typescript/native-preview"
  dependency-version: 7.0.0-dev.20260523.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: devtools-protocol
  dependency-version: 0.0.1634055
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: oxfmt
  dependency-version: 0.51.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: oxlint
  dependency-version: 1.66.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: puppeteer-core
  dependency-version: 25.0.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: tsx
  dependency-version: 4.22.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: vitest
  dependency-version: 4.1.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies and javascript labels May 23, 2026

clawsweeper Bot commented May 23, 2026

Codex review: needs maintainer review before merge.

Latest ClawSweeper review: 2026-05-23 19:25 UTC / May 23, 2026, 3:25 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
This Dependabot PR updates package.json and pnpm-lock.yaml for 12 npm dependency bumps, including OpenAI/Gemini SDKs, Puppeteer/CDP, Shiki, Vitest, tsx, oxfmt/oxlint, and tsgo.

Reproducibility: not applicable. This is a dependency update PR, not a bug report with a failing reproduction path. The relevant check is dependency-diff review plus CI and optional live provider/browser smoke validation.

PR rating
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Summary: The patch is a normal focused dependency update with green CI and no definite correctness defect, while grouped runtime/browser dependency risk still calls for ordinary maintainer judgment.

Rank-up moves:

  • Run targeted OpenAI/Gemini live smokes with real keys if maintainers want provider coverage.
  • Run browser smoke coverage if maintainers want stronger confidence for Puppeteer/CDP changes.
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: This is a Dependabot bot PR, so the external contributor real-behavior-proof gate does not apply; CI and maintainer smoke validation are the relevant signals.

Risk before merge

  • The grouped SDK/browser/toolchain update can regress live OpenAI/Gemini API calls or browser automation in ways the green unit/CI matrix may not fully exercise.
  • The OpenAI and Gemini SDK bumps sit under credential-bearing provider paths, so maintainers should be comfortable with provider smoke coverage or intentionally accept the routine dependency risk.

Maintainer options:

  1. Run targeted provider and browser smokes (recommended)
    Use the green CI result plus selected OpenAI/Gemini live tests and browser smoke coverage as the merge gate for this grouped SDK and Puppeteer/CDP update.
  2. Merge on green CI only
    Maintainers can accept the ordinary grouped-dependency risk if the current CI matrix is enough confidence for this repo's release cadence.
  3. Split if a smoke fails
    If provider, browser, formatter, or test-tooling validation regresses, recreate the update as narrower dependency PRs so the failing package can be isolated.

Next step before merge
No automated repair is indicated; a maintainer should decide whether green CI alone is enough or whether to run provider/browser smokes before merging the grouped update.

Security
Cleared: No concrete security or supply-chain regression was found in the manifest/lockfile-only diff.

Review details

Best possible solution:

Land the dependency update after green CI and any maintainer-selected provider/browser smokes; split or drop any dependency that shows a targeted regression.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a dependency update PR, not a bug report with a failing reproduction path. The relevant check is dependency-diff review plus CI and optional live provider/browser smoke validation.

Is this the best way to solve the issue?

Yes, with validation: Dependabot is the repository's configured maintenance path, and the patch is limited to the manifest and lockfile. The safer merge path is to pair green CI with maintainer-selected provider/browser smokes because runtime SDK and browser deps are grouped together.

Label justifications:

  • P3: This is routine dependency maintenance with no confirmed user-facing regression or urgent security fix.
  • merge-risk: 🚨 compatibility: The PR changes locked runtime and toolchain package versions that existing installs will pick up after merge.
  • merge-risk: 🚨 auth-provider: The OpenAI and Gemini SDK bumps sit under provider client paths used for API calls, model routing, and credentials.
  • rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🌊 off-meta tidepool, patch quality is 🐚 platinum hermit, and the patch is a normal focused dependency update with green CI and no definite correctness defect, while grouped runtime/browser dependency risk still calls for ordinary maintainer judgment.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a Dependabot bot PR, so the external contributor real-behavior-proof gate does not apply; CI and maintainer smoke validation are the relevant signals.

What I checked:

  • PR diff scope: The branch changes only package.json and pnpm-lock.yaml; package.json pins the tsgo, coverage, devtools-protocol, and oxfmt versions plus the devtools-protocol override while the lockfile resolves the full dependency group. (package.json:90, 2647e0598b4e)
  • Runtime provider dependency usage: Current main imports the OpenAI SDK in the default provider client path, so the openai bump can affect real API calls, routing, and credential-bearing requests. (src/oracle/client.ts:1, 7c8b483619a5)
  • Gemini dependency usage: Current main imports @google/genai in the Gemini adapter, so the @google/genai bump is also a runtime provider SDK change. (src/oracle/gemini.ts:1, 7c8b483619a5)
  • Browser dependency usage: Current main imports puppeteer-core in browser tooling and devtools-protocol types in browser types, so the lockfile changes can affect browser automation paths. (scripts/browser-tools.ts:17, 7c8b483619a5)
  • CI status: GitHub check-runs for the PR head show ubuntu, macOS, Windows, and GitGuardian checks completed successfully. (2647e0598b4e)
  • Dependabot grouping policy: The repository's Dependabot configuration groups all npm package updates under the dependencies group, matching the shape of this PR. (.github/dependabot.yml:7, 7c8b483619a5)

Likely related people:

  • steipete: The package manifest, Dependabot configuration, CI workflow, and provider/browser source paths in current main trace to Peter Steinberger's v0.13.0 release commit. (role: repository owner and package/provider history owner; confidence: high; commits: abb7c9a7d9c8; files: package.json, pnpm-lock.yaml, .github/dependabot.yml)
  • dependabot[bot]: The current main lockfile already contains a recent Dependabot dependency bump, and this PR follows the repository's configured grouped npm update path. (role: recent dependency automation actor; confidence: medium; commits: 7c8b483619a5, 2647e0598b4e; files: package.json, pnpm-lock.yaml)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 7c8b483619a5.

clawsweeper Bot added the rating: 🐚 platinum hermit, status: 👀 ready for maintainer look, P3, merge-risk: 🚨 compatibility and merge-risk: 🚨 auth-provider labels May 23, 2026
steipete merged commit 6f0b970 into main May 25, 2026 (4 checks passed)
steipete deleted the dependabot/npm_and_yarn/dependencies-ae0a167daa branch May 25, 2026 23:29