build(deps): bump the bun-frontend group across 1 directory with 16 updates #2

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/bun/studio/frontend/bun-frontend-0d2d17d7a5

@dependabot dependabot Bot commented on behalf of github Apr 6, 2026

Bumps the bun-frontend group with 16 updates in the /studio/frontend directory:

| Package | From | To |
| --- | --- | --- |
| @dagrejs/dagre | 2.0.4 | 3.0.0 |
| @dagrejs/graphlib | 3.0.4 | 4.0.1 |
| @hugeicons/core-free-icons | 3.3.0 | 4.1.1 |
| @streamdown/cjk | 1.0.2 | 1.0.3 |
| @streamdown/code | 1.0.2 | 1.1.1 |
| lucide-react | 0.577.0 | 1.7.0 |
| recharts | 3.7.0 | 3.8.1 |
| shadcn | 3.8.5 | 4.1.2 |
| streamdown | 2.3.0 | 2.5.0 |
| @biomejs/biome | 1.9.4 | 2.4.10 |
| @eslint/js | 9.39.4 | 10.0.1 |
| @types/node | 24.12.2 | 25.5.2 |
| eslint | 9.39.4 | 10.2.0 |
| eslint-plugin-react-refresh | 0.4.26 | 0.5.2 |
| globals | 16.5.0 | 17.4.0 |
| typescript | 5.9.3 | 6.0.2 |

Updates @dagrejs/dagre from 2.0.4 to 3.0.0

Changelog

Sourced from @​dagrejs/dagre's changelog.

[3.0.0] - 2026

Major Improvements: TypeScript Migration

  • Full TypeScript Rewrite (PR #509): Migrated the entire core codebase from JavaScript to TypeScript for improved type safety, better IDE autocompletion, and easier maintenance.
  • Native Type Definitions: Removed the need for external @types/dagre packages; high-quality types are now shipped directly with the library.
  • Modern Build Pipeline:
    • Replaced JSHint with ESLint for stricter code quality.
    • Replaced Browserify/Karma with modern bundling and testing tools.
    • Standardized project indentation to 2 spaces (aligning .eslintrc and .editorconfig).

Refactoring & Fixes

  • Dependency Cleanup: Removed deprecated dependencies including bower.json and legacy test configurations.
  • Module Exports: Standardized ESM and CommonJS exports to ensure compatibility with modern bundlers like Webpack 5, Vite, and Rollup.
  • Internal Logic: Refined internal graph traversal algorithms to utilize TypeScript interfaces, reducing "undefined" runtime errors.

[2.0.0] - Legacy Modernization

Major Changes

  • Organization Transfer: Formally moved the repository to the @dagrejs GitHub organization.
  • Package Renaming: Published under the @dagrejs/dagre npm scope.
  • Dropped Legacy Environments: Discontinued support for extremely old Node.js versions (pre-v10) and legacy browsers that do not support ES6 features.

Fixes

  • Performance Optimizations: Improved layout calculation speeds for large-scale directed graphs.
  • Bug Fixes: Resolved edge cases in rank constraints and node spacing that caused overlapping in specific hierarchical layouts.

[1.0.0] - Initial Stable Release

  • Legacy documentation for versions prior to the @dagrejs migration can be found in the historical archives.
Commits
  • 5bbd601 Copying minor changes from graphlib to dagre release
  • 80e2257 Typo in the release
  • 68cda58 Bumping version and building for release
  • d17ea43 Merge pull request #509 from wandri/feat-convert-the-package-into-TypeScript
  • 2dcebc1 feat: convert the package into TypeScript
  • 2595d05 Building with graphlib 4.0
  • 0b35778 Merge pull request #508 from meganlee18/meganlee
  • 7c28961 Add missing constraints to layout configuration
  • 9d445b2 Bump version and set as pre-release
  • See full diff in compare view

Updates @dagrejs/graphlib from 3.0.4 to 4.0.1

Commits

Updates @hugeicons/core-free-icons from 3.3.0 to 4.1.1

Updates @streamdown/cjk from 1.0.2 to 1.0.3

Release notes

Sourced from @​streamdown/cjk's releases.

@​streamdown/cjk@​1.0.3

Patch Changes

  • 6f1ea07: Updated remark-cjk-friendly and remark-cjk-friendly-gfm-strikethrough from v1.x to v2.x. The only breaking change in v2.0.0 is dropping Node.js 16 support, which Streamdown has already dropped (requires Node.js ≥18), so there is no actual impact. The actual code is identical to the latest v1.x release (v2.0.1 only added the ability to import package.json).
Changelog

Sourced from @​streamdown/cjk's changelog.

1.0.3

Patch Changes

  • 6f1ea07: Updated remark-cjk-friendly and remark-cjk-friendly-gfm-strikethrough from v1.x to v2.x. The only breaking change in v2.0.0 is dropping Node.js 16 support, which Streamdown has already dropped (requires Node.js ≥18), so there is no actual impact. The actual code is identical to the latest v1.x release (v2.0.1 only added the ability to import package.json).
Commits
  • 15ba1ae Version Packages (#457)
  • 6f1ea07 chore(deps): update remark-cjk-friendly and remark-cjk-friendly-gfm-strikethr...
  • 1102f18 Fix all Biome lint and formatting errors
  • 6b1fc5b streamdown-cjk: 100% test coverage
  • See full diff in compare view

Updates @streamdown/code from 1.0.2 to 1.1.1

Release notes

Sourced from @​streamdown/code's releases.

@​streamdown/code@​1.1.1

Patch Changes

  • 651873d: Fall back to plain text highlighting when the code block language identifier is unknown or truncated mid-stream, preventing Shiki from throwing on unsupported language names.

@​streamdown/code@​1.1.0

Minor Changes

  • 01d27e9: Add support for custom Shiki themes via a themes option on createCodePlugin, accepting a [light, dark] pair of bundled theme names or full theme registration objects.

@​streamdown/code@​1.0.3

Patch Changes

  • c597336: Use JS engine
Changelog

Sourced from @​streamdown/code's changelog.

1.1.1

Patch Changes

  • 651873d: Fall back to plain text highlighting when the code block language identifier is unknown or truncated mid-stream, preventing Shiki from throwing on unsupported language names.

1.1.0

Minor Changes

  • 01d27e9: Add support for custom Shiki themes via a themes option on createCodePlugin, accepting a [light, dark] pair of bundled theme names or full theme registration objects.

1.0.3

Patch Changes

  • c597336: Use JS engine
Commits

Updates lucide-react from 0.577.0 to 1.7.0

Release notes

Sourced from lucide-react's releases.

Version 1.7.0

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.6.0...1.7.0

Version 1.6.0

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.5.0...1.6.0

Version 1.5.0

What's Changed

Full Changelog: lucide-icons/lucide@1.4.0...1.5.0

Version 1.4.0

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.3.0...1.4.0

Version 1.3.0

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.2.0...1.3.0

Version 1.2.0

What's Changed

New Contributors

... (truncated)

Commits

Updates recharts from 3.7.0 to 3.8.1

Release notes

Sourced from recharts's releases.

v3.8.1

What's Changed

Bugfixes!

New Contributors

Full Changelog: recharts/recharts@v3.8.0...v3.8.1

v3.8.0

What's Changed

We added generics to our data and dataKey props and now you can have your charts validated by TypeScript. See the full guide here: https://recharts.github.io/en-US/guide/typescript/

We are releasing new helper functions and hooks that will allow you to precisely target mouse interactions, and convert coordinates. See the guide here: https://recharts.github.io/en-US/guide/coordinateSystems/

And new functions and hooks:

getRelativeCoordinate - converts mouse events to pixel positions

Convert Data → Pixels:

  • useXAxisScale - returns a function to convert X data values to pixel positions
  • useYAxisScale - returns a function to convert Y data values to pixel positions
  • useCartesianScale - convenience hook for converting both at once

Pixels → Data:

... (truncated)

Commits
  • 5b10788 chore(deps-dev): bump diff from 8.0.3 to 8.0.4 (#7156)
  • 222396f chore(deps): bump react-router-dom from 7.13.1 to 7.13.2 (#7164)
  • c2642da chore(deps-dev): bump typescript-eslint from 8.57.1 to 8.57.2 (#7166)
  • b186929 fix(RechartsWrapper): prevent ResizeObserver memory leak on ref update (#7161)
  • 738f71f fix(Tooltip): prevent crash on sparse or undefined payload entries (#7149)
  • 00daf0b chore(deps-dev): bump rollup from 4.59.0 to 4.60.0 (#7158)
  • eba4f2a chore(deps-dev): bump marked from 17.0.4 to 17.0.5 (#7157)
  • 201d060 fix: resolve keyboard navigation and tooltip issues for Pie charts (#6921) (#...
  • 670d092 chore(deps-dev): bump flatted from 3.3.3 to 3.4.2 (#7150)
  • 86ca8de fix: stackOffset expand should not override numerical XAxis domain (#7152)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by corkscreewe, a new releaser for recharts since your current version.


Updates shadcn from 3.8.5 to 4.1.2

Release notes

Sourced from shadcn's releases.

shadcn@4.1.2

Patch Changes

shadcn@4.1.1

Patch Changes

shadcn@4.1.0

Minor Changes

shadcn@4.0.8

Patch Changes

shadcn@4.0.7

Patch Changes

shadcn@4.0.6

Patch Changes

shadcn@4.0.5

Patch Changes

shadcn@4.0.4

Patch Changes

shadcn@4.0.3

Patch Changes

shadcn@4.0.2

Patch Changes

... (truncated)

Changelog

Sourced from shadcn's changelog.

4.1.2

Patch Changes

4.1.1

Patch Changes

4.1.0

Minor Changes

4.0.8

Patch Changes

4.0.7

Patch Changes

4.0.6

Patch Changes

4.0.5

Patch Changes

4.0.4

Patch Changes

... (truncated)

Commits

Updates streamdown from 2.3.0 to 2.5.0

Release notes

Sourced from streamdown's releases.

streamdown@2.5.0

Minor Changes

  • d6666b6: Add lineNumbers prop to disable line numbers in code blocks
  • d4ec6c0: Add meta prop to CustomRendererProps. Custom renderers now receive the raw metastring from the code fence (everything after the language identifier, e.g. ```rust {1} title="foo" → meta = '{1} title="foo"'). The prop is optional (meta?: string) and is undefined when no metastring is present. Existing custom renderers are unaffected.

Patch Changes

  • ac8d839: Add staggered animation-delay to streaming word/character animations so new content cascades in sequentially instead of all animating simultaneously. Configurable via the new stagger option (default 40ms). Set stagger: 0 to restore the previous behavior.

  • add5374: Enable horizontal scrolling on code blocks so long lines are accessible instead of being clipped by overflow-hidden.

  • 75845c0: Fix unnecessary re-renders of code blocks during streaming updates.

    Problem: In streaming mode, when new content arrives (e.g. a paragraph is appended), completed code blocks that haven't changed were still re-rendering. This happened because the Streamdown component used inline object literals as default parameter values for linkSafety ({ enabled: true }). Every time children changed and Streamdown re-rendered, these inline defaults created new references, which caused the contextValue useMemo to recompute a new StreamdownContext object. Since React propagates context changes through memo boundaries, any context consumer inside a memoized Block (such as CodeBlock) would re-render even though the block's own props were unchanged.

    Fix: Extract the inline default values for linkSafety into module-level constants (defaultLinkSafetyConfig). This ensures referential stability across renders, so contextValue only recomputes when the actual values change — not just because children updated.

  • 8b1c262: fix: prepend UTF-8 BOM to CSV downloads for Excel compatibility

    • save() now prepends \uFEFF for text/csv string content so Excel on Windows detects UTF-8 encoding instead of falling back to ANSI.
    • TableDownloadButton refactored to use save() instead of inline Blob creation, ensuring the public API also gets the BOM fix.
  • b105c64: Fix custom tag content being prematurely split when content follows the opening tag on the same line and contains double newlines (\n\n). The preprocessor now ensures proper HTML block structure so the parser treats the entire tag as a single unit.

  • 9e6f991: Increase dropdown z-index for table copy and download menus to prevent clipping by surrounding elements.

  • 9c18748: docs: document required CSS custom properties (shadcn/ui design tokens) in README

  • 7b62e9a: Replace Tailwind v4-only *:last: and *:first: variant syntax with [&>*:last-child]: and [&>*:first-child]: arbitrary variants for compatibility with both Tailwind CSS v3 and v4. Fixes caret rendering on every line instead of only the last child in v3.

  • Updated dependencies [e50b0c4]

  • Updated dependencies [716a5f0]

    • remend@1.3.0

streamdown@2.4.0

Minor Changes

  • 5edff75: Clarified Tailwind @source configuration for Streamdown and optional plugins. Updated documentation to keep the global @source for core streamdown only, move plugin @source guidance to plugin docs with examples, and add a caveat to include plugin entries only if installed.

  • 57cd3b5: Add support for custom starting line numbers in code blocks via the startLine meta option.

    Code blocks can now specify a starting line number in the meta string:

    ```js startLine=10

... (truncated)

Changelog

Sourced from streamdown's changelog.

2.5.0

Minor Changes

  • d6666b6: Add lineNumbers prop to disable line numbers in code blocks
  • d4ec6c0: Add meta prop to CustomRendererProps. Custom renderers now receive the raw metastring from the code fence (everything after the language identifier, e.g. ```rust {1} title="foo" → meta = '{1} title="foo"'). The prop is optional (meta?: string) and is undefined when no metastring is present. Existing custom renderers are unaffected.

Patch Changes

  • ac8d839: Add staggered animation-delay to streaming word/character animations so new content cascades in sequentially instead of all animating simultaneously. Configurable via the new stagger option (default 40ms). Set stagger: 0 to restore the previous behavior.

  • add5374: Enable horizontal scrolling on code blocks so long lines are accessible instead of being clipped by overflow-hidden.

  • 75845c0: Fix unnecessary re-renders of code blocks during streaming updates.

    Problem: In streaming mode, when new content arrives (e.g. a paragraph is appended), completed code blocks that haven't changed were still re-rendering. This happened because the Streamdown component used inline object literals as default parameter values for linkSafety ({ enabled: true }). Every time children changed and Streamdown re-rendered, these inline defaults created new references, which caused the contextValue useMemo to recompute a new StreamdownContext object. Since React propagates context changes through memo boundaries, any context consumer inside a memoized Block (such as CodeBlock) would re-render even though the block's own props were unchanged.

    Fix: Extract the inline default values for linkSafety into module-level constants (defaultLinkSafetyConfig). This ensures referential stability across renders, so contextValue only recomputes when the actual values change — not just because children updated.

  • 8b1c262: fix: prepend UTF-8 BOM to CSV downloads for Excel compatibility

    • save() now prepends \uFEFF for text/csv string content so Excel on Windows detects UTF-8 encoding instead of falling back to ANSI.
    • TableDownloadButton refactored to use save() instead of inline Blob creation, ensuring the public API also gets the BOM fix.
  • b105c64: Fix custom tag content being prematurely split when content follows the opening tag on the same line and contains double newlines (\n\n). The preprocessor now ensures proper HTML block structure so the parser treats the entire tag as a single unit.

  • 9e6f991: Increase dropdown z-index for table copy and download menus to prevent clipping by surrounding elements.

  • 9c18748: docs: document required CSS custom properties (shadcn/ui design tokens) in README

  • 7b62e9a: Replace Tailwind v4-only *:last: and *:first: variant syntax with [&>*:last-child]: and [&>*:first-child]: arbitrary variants for compatibility with both Tailwind CSS v3 and v4. Fixes caret rendering on every line instead of only the last child in v3.

  • Updated dependencies [e50b0c4]

  • Updated dependencies [716a5f0]

    • remend@1.3.0

2.4.0

Minor Changes

  • 5edff75: Clarified Tailwind @source configuration for Streamdown and optional plugins. Updated documentation to keep the global @source for core streamdown only, move plugin @source guidance to plugin docs with examples, and add a caveat to include plugin entries only if installed.

  • 57cd3b5: Add support for custom starting line numbers in code blocks via the startLine meta option.

    Code blocks can now specify a starting line number in the meta string:

    ```js startLine=10
    const x = 1;
    ```

    This renders line numbers beginning at 10 instead of the default 1. The feature works by parsing the startLine=N value from the fenced-code meta string and applying counter-reset: line N-1 to the <code> element.

... (truncated)

Commits
  • 15ba1ae Version Packages (#457)
  • b752b44 fix(streamdown): move mermaid from devDependencies to dependencies (#466)
  • 90a7b58 Run fix
  • 9e6f991 fix(streamdown): increase dropdown z-index (#463)
  • d6666b6 feat: add lineNumbers prop to disable line numbers in code blocks (#460)
  • 6a79e04 fix(streamdown): preserve double newlines in literalTagContent tags (#459)
  • b9796c8 Improve test coverage
  • 6b49db1 Fix polynomial regular expression issue
  • 6d4100a Update utils.test.ts
  • 9f8ed4c Lint fixes
  • Additional commits viewable in compare view

Updates @biomejs/biome from 1.9.4 to 2.4.10

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.10

2.4.10

Patch Changes

  • #8838 f3a6a6b Thanks @​baeseokjae! - Added new lint nursery rule noImpliedEval.

    The rule detects implied eval() usage through functions like setTimeout, setInterval, and setImmediate when called with string arguments.

    // Invalid
    setTimeout("alert('Hello');", 100);
    // Valid
    setTimeout(() => alert("Hello"), 100);

  • #9320 93c3b6c Thanks @​taberoajorge! - Fixed #7664: noUnusedVariables no longer reports false positives for TypeScript namespace declarations that participate in declaration merging with an exported or used value declaration (const, function, or class) of the same name. The reverse direction is also handled: a value declaration merged with an exported namespace is no longer flagged.

  • #9630 1dd4a56 Thanks @​raashish1601! - Fixed #9629: noNegationElse now keeps ternary branch comments attached to the correct branch when applying its fixer.

  • #9216 04243b0 Thanks @​FrederickStempfle! - Fixed #9061: noProcessEnv now also detects process.env when process is imported from the "process" or "node:process" modules.

    Previously, only the global process object was flagged:

    import process from "node:process";
    // This was not flagged, but now it is:
    console.log(process.env.NODE_ENV);
  • #9692 61b7ec5 Thanks @​mkosei! - Fixed Svelte #each destructuring parsing and formatting for nested patterns such as [key, { a, b }].

  • #9627 06a0f35 Thanks @​ematipico! - Fixed #191: Improved the performance of how the Biome Language Server pulls code actions and diagnostics.

    Before, code actions were pulled and computed all at once in one request. This approach couldn't work in big files, and caused Biome to stale and have CPU usage spikes up to 100%.

    Now, code actions are pulled and computed lazily, and Biome won't choke anymore in big files.

  • #9643 5bfee36 Thanks @​dyc3! - Fixed #9347: useVueValidVBind no longer reports valid object bindings like v-bind="props".

  • #9627 06a0f35 Thanks @​ematipico! - Fixed assist diagnostics being invisible when using --diagnostic-level=error. Enforced assist violations (e.g. useSortedKeys) were filtered out before being promoted to errors, causing biome check to incorrectly return success.

  • #9695 9856a87 Thanks @​dyc3! - Added the new nursery rule noUnsafePlusOperands, which reports + and += operations that use object-like, symbol, unknown, or never operands, or that mix number with bigint.

  • #9627 06a0f35 Thanks @​ematipico! - Fixed duplicate parse errors in check and ci output. When a file had syntax errors, the same parse error was printed twice and the error count was inflated.

  • #9627 06a0f35 Thanks @​ematipico! - Improved the performance of the commands lint and check when they are called with --write.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.10

Patch Changes

  • #8838 f3a6a6b Thanks @​baeseokjae! - Added new lint nursery rule noImpliedEval.

    The rule detects implied eval() usage through functions like setTimeout, setInterval, and setImmediate when called with string arguments.

    // Invalid
    setTimeout("alert('Hello');", 100);
    // Valid
    setTimeout(() => alert("Hello"), 100);

  • #9320 93c3b6c Thanks @​taberoajorge! - Fixed #7664: noUnusedVariables no longer reports false positives for TypeScript namespace declarations that participate in declaration merging with an exported or used value declaration (const, function, or class) of the same name. The reverse direction is also handled: a value declaration merged with an exported namespace is no longer flagged.

  • #9630 1dd4a56 Thanks @​raashish1601! - Fixed #9629: noNegationElse now keeps ternary branch comments attached to the correct branch when applying its fixer.

  • #9216 04243b0 Thanks @​FrederickStempfle! - Fixed #9061: noProcessEnv now also detects process.env when process is imported from the "process" or "node:process" modules.

    Previously, only the global process object was flagged:

    import process from "node:process";
    // This was not flagged, but now it is:
    console.log(process.env.NODE_ENV);
  • #9692 61b7ec5 Thanks @​mkosei! - Fixed Svelte #each destructuring parsing and formatting for nested patterns such as [key, { a, b }].

  • #9627

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Apr 6, 2026

Bumps the bun-frontend group in /studio/frontend with 16 updates:

| Package | From | To |
| --- | --- | --- |
| [@dagrejs/dagre](https://github.com/dagrejs/dagre) | `2.0.4` | `3.0.0` |
| [@dagrejs/graphlib](https://github.com/dagrejs/graphlib) | `3.0.4` | `4.0.1` |
| @hugeicons/core-free-icons | `3.3.0` | `4.1.1` |
| [@streamdown/cjk](https://github.com/vercel/streamdown/tree/HEAD/packages/streamdown-cjk) | `1.0.2` | `1.0.3` |
| [@streamdown/code](https://github.com/vercel/streamdown/tree/HEAD/packages/streamdown-code) | `1.0.2` | `1.1.1` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `0.577.0` | `1.7.0` |
| [recharts](https://github.com/recharts/recharts) | `3.7.0` | `3.8.1` |
| [shadcn](https://github.com/shadcn-ui/ui/tree/HEAD/packages/shadcn) | `3.8.5` | `4.1.2` |
| [streamdown](https://github.com/vercel/streamdown/tree/HEAD/packages/streamdown) | `2.3.0` | `2.5.0` |
| [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) | `1.9.4` | `2.4.10` |
| [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) | `9.39.4` | `10.0.1` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `24.12.2` | `25.5.2` |
| [eslint](https://github.com/eslint/eslint) | `9.39.4` | `10.2.0` |
| [eslint-plugin-react-refresh](https://github.com/ArnaudBarre/eslint-plugin-react-refresh) | `0.4.26` | `0.5.2` |
| [globals](https://github.com/sindresorhus/globals) | `16.5.0` | `17.4.0` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.9.3` | `6.0.2` |


Updates `@dagrejs/dagre` from 2.0.4 to 3.0.0
- [Release notes](https://github.com/dagrejs/dagre/releases)
- [Changelog](https://github.com/dagrejs/dagre/blob/master/changelog.md)
- [Commits](dagrejs/dagre@v2.0.4...v3.0.0)

Updates `@dagrejs/graphlib` from 3.0.4 to 4.0.1
- [Release notes](https://github.com/dagrejs/graphlib/releases)
- [Changelog](https://github.com/dagrejs/graphlib/blob/master/changelog.md)
- [Commits](dagrejs/graphlib@v3.0.4...v4.0.1)

Updates `@hugeicons/core-free-icons` from 3.3.0 to 4.1.1

Updates `@streamdown/cjk` from 1.0.2 to 1.0.3
- [Release notes](https://github.com/vercel/streamdown/releases)
- [Changelog](https://github.com/vercel/streamdown/blob/main/packages/streamdown-cjk/CHANGELOG.md)
- [Commits](https://github.com/vercel/streamdown/commits/@streamdown/cjk@1.0.3/packages/streamdown-cjk)

Updates `@streamdown/code` from 1.0.2 to 1.1.1
- [Release notes](https://github.com/vercel/streamdown/releases)
- [Changelog](https://github.com/vercel/streamdown/blob/main/packages/streamdown-code/CHANGELOG.md)
- [Commits](https://github.com/vercel/streamdown/commits/@streamdown/code@1.1.1/packages/streamdown-code)

Updates `lucide-react` from 0.577.0 to 1.7.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.7.0/packages/lucide-react)

Updates `recharts` from 3.7.0 to 3.8.1
- [Release notes](https://github.com/recharts/recharts/releases)
- [Changelog](https://github.com/recharts/recharts/blob/main/CHANGELOG.md)
- [Commits](recharts/recharts@v3.7.0...v3.8.1)

Updates `shadcn` from 3.8.5 to 4.1.2
- [Release notes](https://github.com/shadcn-ui/ui/releases)
- [Changelog](https://github.com/shadcn-ui/ui/blob/main/packages/shadcn/CHANGELOG.md)
- [Commits](https://github.com/shadcn-ui/ui/commits/shadcn@4.1.2/packages/shadcn)

Updates `streamdown` from 2.3.0 to 2.5.0
- [Release notes](https://github.com/vercel/streamdown/releases)
- [Changelog](https://github.com/vercel/streamdown/blob/main/packages/streamdown/CHANGELOG.md)
- [Commits](https://github.com/vercel/streamdown/commits/streamdown@2.5.0/packages/streamdown)

Updates `@biomejs/biome` from 1.9.4 to 2.4.10
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.4.10/packages/@biomejs/biome)

Updates `@eslint/js` from 9.39.4 to 10.0.1
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](https://github.com/eslint/eslint/commits/v10.0.1/packages/js)

Updates `@types/node` from 24.12.2 to 25.5.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint` from 9.39.4 to 10.2.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v9.39.4...v10.2.0)

Updates `eslint-plugin-react-refresh` from 0.4.26 to 0.5.2
- [Release notes](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/releases)
- [Changelog](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/blob/main/CHANGELOG.md)
- [Commits](ArnaudBarre/eslint-plugin-react-refresh@v0.4.26...v0.5.2)

Updates `globals` from 16.5.0 to 17.4.0
- [Release notes](https://github.com/sindresorhus/globals/releases)
- [Commits](sindresorhus/globals@v16.5.0...v17.4.0)

Updates `typescript` from 5.9.3 to 6.0.2
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v5.9.3...v6.0.2)

---
updated-dependencies:
- dependency-name: "@dagrejs/dagre"
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: bun-frontend
- dependency-name: "@dagrejs/graphlib"
  dependency-version: 4.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: bun-frontend
- dependency-name: "@hugeicons/core-free-icons"
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: bun-frontend
- dependency-name: "@streamdown/cjk"
  dependency-version: 1.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: bun-frontend
- dependency-name: "@streamdown/code"
  dependency-version: 1.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: bun-frontend
- dependency-name: lucide-react
  dependency-version: 1.7.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: bun-frontend
- dependency-name: recharts
  dependency-version: 3.8.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: bun-frontend
- dependency-name: shadcn
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: bun-frontend
- dependency-name: streamdown
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: bun-frontend
- dependency-name: "@biomejs/biome"
  dependency-version: 2.4.10
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: bun-frontend
- dependency-name: "@eslint/js"
  dependency-version: 10.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: bun-frontend
- dependency-name: "@types/node"
  dependency-version: 25.5.2
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: bun-frontend
- dependency-name: eslint
  dependency-version: 10.2.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: bun-frontend
- dependency-name: eslint-plugin-react-refresh
  dependency-version: 0.5.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: bun-frontend
- dependency-name: globals
  dependency-version: 17.4.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: bun-frontend
- dependency-name: typescript
  dependency-version: 6.0.2
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: bun-frontend
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot Bot changed the title from "build(deps): bump the bun-frontend group in /studio/frontend with 16 updates" to "build(deps): bump the bun-frontend group across 1 directory with 16 updates" Apr 6, 2026
@dependabot dependabot Bot force-pushed the dependabot/bun/studio/frontend/bun-frontend-0d2d17d7a5 branch from b9cdb4d to 53cf891 April 6, 2026 18:01

dependabot Bot commented on behalf of github Apr 9, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Apr 9, 2026
@dependabot dependabot Bot deleted the dependabot/bun/studio/frontend/bun-frontend-0d2d17d7a5 branch April 9, 2026 10:25
danielhanchen pushed a commit that referenced this pull request Apr 12, 2026
fix: register unions (str | None) in huggingface_hub strict dataclass validation
danielhanchen added a commit that referenced this pull request May 25, 2026
…/path/gguf for PR unslothai#5754

Round 11 reviewer findings.

Backend lifecycle (P1)
  * core/inference/diffusion.py
    _release_other_gpu_owners_for_diffusion: now re-checks
    is_export_active() locally before
    calling _shutdown_subprocess. The route layer already 409s on
    active exports, but defence-in-depth means direct backend
    callers (tests, scripts, future routes that forget the
    higher-level guard) can no longer terminate an in-flight
    export and corrupt the user's partial output.
  * routes/inference.py standard chat-load path: the duplicate
    inline 'if exp_backend.current_checkpoint -> _shutdown_subprocess'
    block was removed. _release_export_for above already handles
    settled checkpoints and skips active ones; the inline block
    was the round 11 #2 asymmetric fix surface.

Routing / error mapping (P2)
  * routes/training.py start_training: except HTTPException:
    raise was inserted before the broad except Exception:
    handler so the 409 raised by _raise_if_training_active /
    _raise_if_export_active reaches the client intact instead of
    being swallowed into a 500.

State publishing (P2)
  * core/inference/diffusion.py load_model: success path now
    clears _loading + _pending_* under _lock BEFORE returning
    self.status(), so the response payload reports the resident
    pipeline cleanly (no stale is_loading=true / pending_*). The
    finally block remains idempotent for error / early-raise paths.
  * core/inference/diffusion.py status(): nulls family /
    pipeline_class while a swap is in flight (pending_repo set
    and != active_repo). Previously the response paired pending
    model B's repo_id with model A's family, producing a
    combination that never existed.

Validation
  * models/inference.py: DiffusionLoadRequest.repo_id and
    base_repo length caps bumped from 256 to 1024; gguf_filename
    bumped from 256 to 512. The earlier caps rejected realistic
    Studio export paths (deeply nested outputs / exports
    directories, especially on Windows).

Dependencies
  * pyproject.toml huggingfacenotorch +
    studio/backend/requirements/no-torch-runtime.txt: floor gguf at >=0.10.0
    to match the diffusers requirement. Unconstrained pin allowed
    a resolver to install older gguf releases that raise at
    single-file load time.
danielhanchen added a commit that referenced this pull request May 25, 2026
P1 #1: ``_release_llama_for()`` now verifies ``llama.unload_model``
did not return False AND that ``is_loaded`` / ``is_active`` /
``loading_model_identifier`` are all cleared after the call. The
previous version only treated raised exceptions as failure, so a
subprocess refusing to terminate or an in-flight GGUF download
let the next workload allocate on top.

P1 #2: ``DiffusionBackend._release_other_gpu_owners_for_diffusion``
now raises RuntimeError when ``exp._shutdown_subprocess`` fails on
a settled checkpoint. Direct backend callers used to log at debug
level and proceed toward diffusion allocation while the export
checkpoint still owned VRAM.

P1 #3 + P1 #7: ``/images/load`` no longer drops chat + idle export
before the cheap backend validation runs. ``DiffusionBackend.load_model``
already calls the strict ``_release_other_gpu_owners_for_diffusion``
and ``_release_chat_backend_for_diffusion`` helpers AFTER family
inference and GGUF filename checks pass, so the GPU is still
freed before allocation and a malformed payload no longer
silently unloads the user's chat / chat-export pair.

P1 #4: ``_release_chat_backend_for_diffusion`` now also rejects a
post-unload state where ``loading_model_identifier`` is still set,
matching the route-level ``_release_llama_for`` strictness. A GGUF
download mid-flight before the diffusion handoff used to slip
through and end up double-owning VRAM after diffusion allocated.

P1 #5: ``_release_diffusion_for`` no longer swallows a post-unload
``status()`` failure as ``after = {}``. Training / chat / export
handoffs need proof that the diffusion pipeline released VRAM;
the helper now raises HTTP 503 when the verification status call
itself raises, so the caller retries.

P1 #6: ``DiffusionBackend._release_other_gpu_owners_for_diffusion``
raises RuntimeError when ``get_export_backend()`` itself raises.
Direct backend callers used to silently ``return`` here and
proceed to GPU allocation without being able to verify export
ownership.

P1 #8: ``/training/start`` releases settled export BEFORE chat,
matching the chat-load helpers. If idle export shutdown fails the
user's chat model is preserved instead of being dropped for a
training run that never starts.

P2 #9: GGUF load-error scrubber also collapses ``local_gguf_path``,
the resolved HF cache path passed to
``transformer_cls.from_single_file()``. Without this an exception
like ``OSError: cannot load /home/alice/.cache/huggingface/.../flux.gguf``
would leak the operator's filesystem layout through ``last_error``
and ``/images/status``.

All 85 diffusion-relevant backend tests pass locally.
danielhanchen added a commit that referenced this pull request May 25, 2026
P1 #1: ``_release_safetensors_chat_for`` now re-reads
``active_model_name`` and ``loading_models`` after each unload AND
runs a final sweep against the initial owned-name set. The previous
helper trusted ``unload_model() -> True`` even though the
orchestrator can respond ``unloaded`` while still holding weights
or a concurrent ``load`` can repopulate the tracker between calls.
Per-name and global post-state mismatches now raise HTTP 503 so
the caller retries.

P1 #2: same post-state guarantee inside
``_release_chat_backend_for_diffusion`` for direct backend
callers. ``DiffusionBackend.load_model`` now raises RuntimeError
when the safetensors tracker still owns a previously-resident
name after the unload, matching the route-level helper. The route
layer's existing classifier maps the new wording to HTTP 503.

P1 #3: ``DiffusionBackend.load_model`` now preflights the full
diffusers repo (or explicit GGUF ``base_repo``) via
``hf_hub_download(filename="model_index.json")`` BEFORE the
chat / export unload runs. The GGUF path was already covered by
the existing ``hf_hub_download(gguf_filename)`` round-trip; the
full-repo path used to skip validation and let a typo / private /
gated repo only surface inside ``from_pretrained`` AFTER the
user's chat model was already dropped. Local paths are checked
structurally (must be a directory containing ``model_index.json``)
so we do not network-round-trip for an on-disk miss. Error
messages route through ``_display_repo_id`` so an absolute
filesystem path does not leak the operator's layout.

P1 #6: ``/api/inference/unload`` (the direct chat unload endpoint)
now treats ``unload_model() -> False`` AND a leftover state
(``is_loaded`` / ``is_active`` / ``loading_model_identifier`` for
GGUF, ``active_model_name`` / ``loading_models`` for safetensors)
as 503 instead of unconditionally responding
``status="unloaded"``. The UI used to show the model as gone while
the backend still owned VRAM.

P2 #7: extended the /images/load RuntimeError -> HTTPException
marker list with ``still active or loading after unload`` and
``still loading after unload``. Round 18 introduced these exact
phrasings on the backend side; without the extension a retryable
unload failure was returning HTTP 400 to the user instead of 503.

P2 #8: removed the unused ``unsloth_backend = get_inference_backend()``
eager construction in the GGUF chat-load branch. Eager
construction made the GGUF-only path needlessly fail or pay
startup cost when the safetensors backend was unavailable / lazy;
``_release_safetensors_chat_for`` already handles that case as a
no-op.

All 85 diffusion-relevant + 98 related backend tests pass locally.
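
The two commit messages above describe a GPU handoff that validates before it unloads and that does not trust an unload until a fresh status read confirms it. The sketch below is an added illustration, not code from the repository: `FakeBackend`, `release_verified`, `handoff` and `outcome` are hypothetical names, and only the `is_loaded` / `loading_model_identifier` field names come from the commit text.

```python
class HandoffError(RuntimeError):
    """Release could not be proven; a route layer would map this to HTTP 503."""


class FakeBackend:
    """Constructed stand-in for a GPU owner such as the export or chat backend."""

    def __init__(self, name, unload_returns=True, clears_state=True,
                 status_raises=False):
        self.name = name
        self.loaded = True
        self._unload_returns = unload_returns
        self._clears_state = clears_state
        self._status_raises = status_raises

    def unload_model(self):
        if self._clears_state:
            self.loaded = False
        return self._unload_returns

    def status(self):
        if self._status_raises:
            raise OSError("status endpoint unavailable")
        return {"is_loaded": self.loaded, "loading_model_identifier": None}


def release_verified(backend):
    """Unload, then require a fresh status read showing nothing is left."""
    if backend.unload_model() is False:
        raise HandoffError(f"{backend.name}: unload refused")
    try:
        state = backend.status()
    except Exception as exc:
        # Fail closed: an unverifiable release counts as "still owns the GPU".
        raise HandoffError(f"{backend.name}: cannot verify release") from exc
    leftover = sorted(key for key, value in state.items() if value)
    if leftover:
        raise HandoffError(f"{backend.name}: still set after unload: {leftover}")


def handoff(preflight, owners, allocate):
    """Cheap validation first, verified releases second, allocation last."""
    preflight()              # a ValueError here leaves every owner untouched
    for owner in owners:     # caller orders the list so chat is released last
        release_verified(owner)
    return allocate()


def reject_payload():
    # Constructed preflight failure, e.g. a malformed /images/load body.
    raise ValueError("could not infer a diffusion family")


def outcome(preflight, owners):
    """Run one handoff; return (result, names of owners still loaded)."""
    try:
        result = handoff(preflight, owners, lambda: "allocated")
    except (ValueError, HandoffError) as exc:
        result = type(exc).__name__
    return result, [owner.name for owner in owners if owner.loaded]


if __name__ == "__main__":
    cases = {
        "malformed payload": (reject_payload,
                              [FakeBackend("export"), FakeBackend("chat")]),
        "wedged export": (lambda: None,
                          [FakeBackend("export", clears_state=False),
                           FakeBackend("chat")]),
        "clean handoff": (lambda: None,
                          [FakeBackend("export"), FakeBackend("chat")]),
    }
    for label, (preflight, owners) in cases.items():
        print(label, outcome(preflight, owners))
```
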
danielhanchen added a commit that referenced this pull request May 25, 2026
P1 #1: ``_preflight_full_diffusers_repo(effective_base, hf_token)``
now runs for every load mode, including the GGUF-with-auto-base
path. Round 19 only preflighted the full repo or an explicit
``base_repo``, so an auto-picked companion that turned out to be
gated / private / missing still unloaded the user's chat model
before ``from_pretrained`` failed. ``effective_base`` is the same
value that feeds every downstream allocation, so preflighting it
unconditionally catches all three modes.

P1 #2: ``diffusers.GGUFQuantizationConfig`` (which imports the
``gguf`` package at construction time) is now built up front,
inside the same try block that surfaces "Re-run Studio setup".
Previously the missing-dependency exception fired AFTER
``_release_other_gpu_owners_for_diffusion`` and
``_release_chat_backend_for_diffusion`` had already taken the
chat / export models down. The downstream from_single_file call
reuses the same ``quant_config`` reference.

P1 #4: ``studio/backend/requirements/studio.txt`` now lists
``diffusers>=0.37.0`` and ``gguf>=0.10.0``. These were only in
the extras files, so fresh standard Studio installs failed on
/images/load with the round 20 P1 #2 dependency error message.

P1 #5: ``LoadRequest``, ``UnloadRequest``, and
``ValidateModelRequest`` now apply the same control-character +
embedded-HF-token validators that ``DiffusionLoadRequest``
already had. /api/inference/load, /api/inference/validate, and
/api/inference/unload used to accept newline / tab / control
characters in ``model_path`` (log-line smuggling) and URL-form
``https://hf_xxxxx@huggingface.co/...`` (credential leak through
structured log sinks).

P2 #6: ``_collapse_local`` in the diffusion load-error scrubber
now resolves relative candidates and adds the absolute form to
the substring set. A relative ``exports/my-flux`` used to leak
``/mnt/disks/.../exports/my-flux/...`` via downstream library
errors because the scrubber only matched the original literal.
Replacement is longest-first so a leaf-only context survives.

All 85 diffusion-relevant + 35 related model-validation tests
pass locally.

(P1 #3 cross-workload GPU handoff lock is deferred: deserves a
focused design pass across /images/load, /chat/load (both
branches), /training/start, and /export/load to pick a lock
boundary that does not deadlock against the backend load locks
or stall the SSE log stream.)
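
The P2 #6 item in the commit message above says the path scrubber must also match the absolute form of a relative candidate and replace longest-first. The sketch below is an added illustration, not the project's `_collapse_local`: `scrub_local_paths` is a hypothetical name, and the working directory and error strings are constructed sample values.

```python
import posixpath

# Constructed sample values (not taken from the project).
CWD = "/mnt/disks/data/studio"
LIBRARY_ERROR = ("OSError: cannot load "
                 "/mnt/disks/data/studio/exports/my-flux/transformer/config.json")


def scrub_local_paths(message, candidates, cwd, resolve=True, longest_first=True):
    """Replace each candidate path found in `message` with its leaf name.

    resolve=False and longest_first=False reproduce the two weaker variants
    so their output can be compared with the hardened default.
    """
    forms = {}
    for cand in candidates:
        literal = cand.rstrip("/")
        if not literal:
            continue  # "" or "/" would match everywhere; skip it
        leaf = posixpath.basename(literal)
        forms[literal] = leaf
        if resolve:
            # A library that opened the path reports it in absolute form,
            # which the caller-supplied relative literal never matches whole.
            absolute = posixpath.normpath(posixpath.join(cwd, literal))
            forms[absolute] = leaf
    # Longest needle first: replacing the short relative form first would
    # rewrite the tail of the absolute path and leave its prefix in place.
    for needle in sorted(forms, key=len, reverse=longest_first):
        message = message.replace(needle, forms[needle])
    return message


if __name__ == "__main__":
    print(scrub_local_paths(LIBRARY_ERROR, ["exports/my-flux"], CWD))
    print(scrub_local_paths(LIBRARY_ERROR, ["exports/my-flux"], CWD, resolve=False))
    print(scrub_local_paths(LIBRARY_ERROR, ["exports/my-flux"], CWD,
                            longest_first=False))
```

Both weaker variants leave the `/mnt/disks/data/studio` prefix in the message, which is the leak the commit describes.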
danielhanchen added a commit that referenced this pull request May 25, 2026
P1 #1 + #2: ``LoadRequest._no_embedded_hf_tokens`` and
``ValidateModelRequest._no_embedded_hf_tokens`` now cover
``gguf_variant`` in addition to ``model_path``. A caller could
pass a variant like ``Q4_K_M-hf_xxxxxxxx`` that flowed into
structured log sinks via the GGUF resolver path; the matching
``DiffusionLoadRequest`` validator already covered every string
field, so this restores parity.

P1 #3: ``/api/inference/unload`` now also matches the llama
``loading_model_identifier`` when picking the GGUF branch. A
pending GGUF download (``is_active`` still False,
``loading_model_identifier`` populated) used to fall through to
the safetensors branch and respond ``status="unloaded"`` while
llama-server kept downloading.

P1 #4 + #5: the final safetensors-handoff sweeps (route-level
``_release_safetensors_chat_for`` and backend
``_release_chat_backend_for_diffusion``) now check ``active_model_name``
and ``loading_models`` WITHOUT the initial ``owned_names`` filter.
A concurrent ``/load`` that landed AFTER the snapshot was
previously ignored, so a chat model that began loading during the
unload window let training / export / GGUF chat / diffusion start
anyway and race the new chat for VRAM.

P2 #6: added ``_preflight_diffusers_subfolder_config`` and
invoked it for GGUF loads with a transformer class
(``effective_base``, ``"transformer"``). A custom base companion
that had ``model_index.json`` but lacked
``transformer/config.json`` previously passed the round 19
preflight, unloaded chat, then failed inside
``from_single_file``.

P2 #7: ``_scrub_validation_obj`` in main.py also scrubs string
dict KEYS. Pydantic ``string_type`` errors surface ``input``
verbatim, and a malformed payload like
``{"repo_id": {"hf_xxxxx": "owner/repo"}}`` would otherwise leak
the token through the 422 response body.

All 85 diffusion-relevant + 35 model-validation tests pass
locally. Existing fakes for ``hf_hub_download`` updated to
accept the new ``subfolder=`` kwarg the round 21 preflight uses.

(P1 #3 cross-workload GPU handoff lock from round 20 is still
deferred; round 21's P1 #4 / #5 raised the sweep-level guarantee,
which closes the most common race without the deadlock risk of
holding a process-wide lock across the entire load.)
danielhanchen added a commit that referenced this pull request May 25, 2026
P1 #1: ``TrainingStartRequest.model_name`` now runs the same
control-character and embedded-HF-token validators that the chat
and diffusion request models gained in rounds 5 / 15 / 20 / 21.
``/api/training/start`` previously accepted newline / tab /
control characters and URL-form ``hf_xxxxx`` tokens that flowed
into structured-log sinks via "Loading model %s" lines.

P1 #2: ``_run_with_helper`` in ``utils/datasets/llm_assist.py``
now skips the helper GGUF when the diffusion image backend
reports loaded / loading. The public chat / training / export
routes already do this through ``_release_diffusion_for``, but
this dataset-side helper loaded llama-server directly with no
diffusion guard, so an Images-page allocation would race the
helper for VRAM. New ``_diffusion_image_model_busy`` helper
fails closed (treats status() failure as busy) so the resident
image model is preserved instead of being overwritten.

P1 #3: same ``_diffusion_image_model_busy`` guard added to
``_run_multi_pass_advisor`` (the dataset conversion advisor),
which has the same direct llama.cpp load shape.

P2 #4: the early "Could not infer a diffusion family" RuntimeError
now routes ``repo_id`` through ``_display_repo_id`` before
formatting. A local absolute path that did not match any known
family used to leak the operator's filesystem layout via the 400
response body, last_error, and log line.

All 97 diffusion + training-validation + related tests pass
locally.
danielhanchen added a commit that referenced this pull request May 25, 2026
P1 #1 + #2 + #6: extended the chat / diffusion / training
identifier hardening to every export-side request model.
ExportCommonOptions (parent of ExportMergedModelRequest /
ExportBaseModelRequest / ExportLoRAAdapterRequest) now applies
_no_control_chars and _reject_embedded_hf_token to repo_id and
base_model_id; ExportGGUFRequest gets the same on its repo_id
plus a control-char check on quantization_method; and
LoadCheckpointRequest validates checkpoint_path. Previously
"/api/export/*" accepted newline-smuggled identifiers and
URL-form ``hf_xxxxx`` tokens that flowed into log lines.

P1 #3 + #4: ``_run_with_helper`` and ``_run_multi_pass_advisor``
now use a shared ``_gpu_workload_busy_for_helper`` that gates on
diffusion (round 22 already), training, AND export. The round 22
guard only checked diffusion, so the dataset helper / advisor
could still load llama-server on top of an active training run
or a resident export checkpoint. Each step fails closed
(unverifiable status counts as busy) so the user's primary
workload is preserved.

P1 #5: PublishDatasetRequest in models/data_recipe.py also
applies the identifier hardening to repo_id; the publish path
previously accepted control characters and URL-form tokens.

P1 #7-10: added _validate_logged_identifier helper to
routes/models.py and applied it to the path / query parameter
endpoints that flow into logger.info(...) calls --
``/config/{model_name}``, ``/check-vision/{model_name}``,
``/check-embedding/{model_name}``, ``/gguf-variants``. Mapped
the validator's ValueError to HTTP 422 so the client sees the
same shape as a Pydantic validation failure.

P2 #11 + #12: ``Loading diffusion model %s`` and
``Diffusion load failed for %s`` log lines route ``repo_id`` /
``effective_base`` through ``_display_repo_id`` (collapses
absolute local paths to the leaf, still scrubs HF tokens)
instead of plain ``_redact_hf_tokens``. The error path was
already collapsed in the user-facing 400 / RuntimeError, but
the structured-log lines kept the full path.

All 97 diffusion + training-validation + related tests pass
locally.
danielhanchen added a commit that referenced this pull request May 25, 2026
P1 #1: ``_gpu_workload_busy_for_helper`` in
``utils/datasets/llm_assist.py`` now also gates on the GGUF chat
backend (llama-server) AND the safetensors chat backend. Round 23
extended it to training + export but missed Chat, so a helper /
advisor GGUF could still race a loaded chat model for VRAM.
Both checks fail closed when status is unverifiable.

P1 #2 / #3 / #4 / #5: re-ordered the route-level GPU-handoff
unloads so the diffusion release runs BEFORE the chat releases.
A wedged diffusion unload used to fire AFTER chat was already
gone, so the user lost both on a single failure. Drop chat last
so an earlier failure preserves it. Applied to
``/training/start`` (training.py), ``/export/load`` (export.py),
``/chat/load`` GGUF branch and ``/chat/load`` safetensors branch
(routes/inference.py).

P1 #7 + P2 #13: ``/delete-finetuned`` body now hardens
``model_path`` and ``gguf_variant`` via the shared
``_validate_logged_identifier`` helper, so control characters
and URL-form HF tokens can no longer log-line-smuggle.

P1 #8 + #10: ``/delete-cached`` body hardens ``repo_id`` and
``variant`` the same way.

P1 #9: ``/download-progress`` ``repo_id`` query parameter is
also hardened; the value flows into log lines deep inside
``_get_repo_size_cached`` on lookup failure.

P1 #11: ``CheckFormatRequest.dataset_name`` and
``AiAssistMappingRequest.{dataset_name, model_name}`` in
``models/datasets.py`` now apply the same control-char +
embedded-HF-token validators, matching every other public
request-body model.

All 115 diffusion + training-validation + cached_gguf + export
+ inference model-validation tests pass locally.

(P1 #6 native-path-lease enforcement for diffusion local paths
and P1 #12 React Compiler frontend lint deferred -- both need
focused design / frontend touchups separate from this batch.)
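
Several of the commit messages above apply control-character and embedded-HF-token validators to identifiers that reach `logger.info(...)`. The sketch below is an added illustration, not the repository's `_validate_logged_identifier`: every function name, the token pattern (an assumed `hf_` prefix plus at least 8 alphanumerics) and all sample values are constructed here.

```python
import io
import logging
import re
import unicodedata

# Assumption: tokens are matched as "hf_" plus a run of alphanumerics; the
# minimum run length of 8 is a choice made for this sketch.
_HF_TOKEN_RE = re.compile(r"hf_[A-Za-z0-9]{8,}")

# Constructed sample inputs.
CLEAN = "unsloth/Llama-3.2-1B"
SMUGGLED = "owner/repo\nINFO Loading model trusted/model"
URL_FORM = "https://hf_" + "A" * 34 + "@huggingface.co/owner/repo"
VARIANT = "Q4_K_M-hf_" + "x" * 8


def render_log(model_path):
    """Emit 'Loading model %s' through a real handler; return physical lines."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("demo.load")
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.info("Loading model %s", model_path)
    return stream.getvalue().splitlines()


def find_control_chars(value):
    """Code points that can break or forge a line in a line-oriented sink."""
    bad = []
    for ch in value:
        # Cc covers newline, tab and other C0/C1 controls; Zl/Zp (U+2028,
        # U+2029) are added here because some viewers break lines on them.
        if unicodedata.category(ch) in ("Cc", "Zl", "Zp"):
            bad.append(f"U+{ord(ch):04X}")
    return bad


def validate_logged_identifier(value, field="identifier"):
    """Return value unchanged, or raise ValueError (HTTP 422 at a route)."""
    bad = find_control_chars(value)
    if bad:
        # Name the code points only; echoing the value would repeat the leak.
        raise ValueError(f"{field} contains control characters: {', '.join(bad)}")
    if _HF_TOKEN_RE.search(value):
        raise ValueError(f"{field} must not contain a Hugging Face token")
    return value


def check(value, field="model_path"):
    """Return the rejection message for value, or None if it is accepted."""
    try:
        validate_logged_identifier(value, field)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(render_log(SMUGGLED))      # one request, two log records on disk
    for sample in (CLEAN, SMUGGLED, URL_FORM, VARIANT):
        print(repr(sample[:24]), "->", check(sample))
```
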
danielhanchen added a commit that referenced this pull request May 25, 2026
P1 #1: ``_release_llama_for()`` now verifies ``llama.unload_model``
did not return False AND that ``is_loaded`` / ``is_active`` /
``loading_model_identifier`` are all cleared after the call. The
previous version only treated raised exceptions as failure, so a
subprocess refusing to terminate or an in-flight GGUF download
let the next workload allocate on top.

P1 #2: ``DiffusionBackend._release_other_gpu_owners_for_diffusion``
now raises RuntimeError when ``exp._shutdown_subprocess`` fails on
a settled checkpoint. Direct backend callers used to log at debug
level and proceed toward diffusion allocation while the export
checkpoint still owned VRAM.

P1 #3 + P1 #7: ``/images/load`` no longer drops chat + idle export
before the cheap backend validation runs. ``DiffusionBackend.load_model``
already calls the strict ``_release_other_gpu_owners_for_diffusion``
and ``_release_chat_backend_for_diffusion`` helpers AFTER family
inference and GGUF filename checks pass, so the GPU is still
freed before allocation and a malformed payload no longer
silently unloads the user's chat / chat-export pair.

P1 #4: ``_release_chat_backend_for_diffusion`` now also rejects a
post-unload state where ``loading_model_identifier`` is still set,
matching the route-level ``_release_llama_for`` strictness. A GGUF
download mid-flight before the diffusion handoff used to slip
through and end up double-owning VRAM after diffusion allocated.

P1 #5: ``_release_diffusion_for`` no longer swallows a post-unload
``status()`` failure as ``after = {}``. Training / chat / export
handoffs need proof that the diffusion pipeline released VRAM;
the helper now raises HTTP 503 when the verification status call
itself raises, so the caller retries.

P1 #6: ``DiffusionBackend._release_other_gpu_owners_for_diffusion``
raises RuntimeError when ``get_export_backend()`` itself raises.
Direct backend callers used to silently ``return`` here and
proceed to GPU allocation without being able to verify export
ownership.

P1 #8: ``/training/start`` releases settled export BEFORE chat,
matching the chat-load helpers. If idle export shutdown fails the
user's chat model is preserved instead of being dropped for a
training run that never starts.

P2 #9: GGUF load-error scrubber also collapses ``local_gguf_path``,
the resolved HF cache path passed to
``transformer_cls.from_single_file()``. Without this an exception
like ``OSError: cannot load /home/alice/.cache/huggingface/.../flux.gguf``
would leak the operator's filesystem layout through ``last_error``
and ``/images/status``.

All 85 diffusion-relevant backend tests pass locally.
danielhanchen added a commit that referenced this pull request May 25, 2026
P1 #1: ``_release_safetensors_chat_for`` now re-reads
``active_model_name`` and ``loading_models`` after each unload AND
runs a final sweep against the initial owned-name set. The previous
helper trusted ``unload_model() -> True`` even though the
orchestrator can respond ``unloaded`` while still holding weights
or a concurrent ``load`` can repopulate the tracker between calls.
Per-name and global post-state mismatches now raise HTTP 503 so
the caller retries.

P1 #2: same post-state guarantee inside
``_release_chat_backend_for_diffusion`` for direct backend
callers. ``DiffusionBackend.load_model`` now raises RuntimeError
when the safetensors tracker still owns a previously-resident
name after the unload, matching the route-level helper. The route
layer's existing classifier maps the new wording to HTTP 503.

P1 #3: ``DiffusionBackend.load_model`` now preflights the full
diffusers repo (or explicit GGUF ``base_repo``) via
``hf_hub_download(filename="model_index.json")`` BEFORE the
chat / export unload runs. The GGUF path was already covered by
the existing ``hf_hub_download(gguf_filename)`` round-trip; the
full-repo path used to skip validation and let a typo / private /
gated repo only surface inside ``from_pretrained`` AFTER the
user's chat model was already dropped. Local paths are checked
structurally (must be a directory containing ``model_index.json``)
so we do not network-round-trip for an on-disk miss. Error
messages route through ``_display_repo_id`` so an absolute
filesystem path does not leak the operator's layout.

P1 #6: ``/api/inference/unload`` (the direct chat unload endpoint)
now treats ``unload_model() -> False`` AND a leftover state
(``is_loaded`` / ``is_active`` / ``loading_model_identifier`` for
GGUF, ``active_model_name`` / ``loading_models`` for safetensors)
as 503 instead of unconditionally responding
``status="unloaded"``. The UI used to show the model as gone while
the backend still owned VRAM.

P2 #7: extended the /images/load RuntimeError -> HTTPException
marker list with ``still active or loading after unload`` and
``still loading after unload``. Round 18 introduced these exact
phrasings on the backend side; without the extension a retryable
unload failure was returning HTTP 400 to the user instead of 503.

P2 #8: removed the unused ``unsloth_backend = get_inference_backend()``
eager construction in the GGUF chat-load branch. Eager
construction made the GGUF-only path needlessly fail or pay
startup cost when the safetensors backend was unavailable / lazy;
``_release_safetensors_chat_for`` already handles that case as a
no-op.

All 85 diffusion-relevant + 98 related backend tests pass locally.
danielhanchen added a commit that referenced this pull request May 25, 2026
P1 #1: ``_preflight_full_diffusers_repo(effective_base, hf_token)``
now runs for every load mode, including the GGUF-with-auto-base
path. Round 19 only preflighted the full repo or an explicit
``base_repo``, so an auto-picked companion that turned out to be
gated / private / missing still unloaded the user's chat model
before ``from_pretrained`` failed. ``effective_base`` is the same
value that feeds every downstream allocation, so preflighting it
unconditionally catches all three modes.

P1 #2: ``diffusers.GGUFQuantizationConfig`` (which imports the
``gguf`` package at construction time) is now built up front,
inside the same try block that surfaces "Re-run Studio setup".
Previously the missing-dependency exception fired AFTER
``_release_other_gpu_owners_for_diffusion`` and
``_release_chat_backend_for_diffusion`` had already taken the
chat / export models down. The downstream from_single_file call
reuses the same ``quant_config`` reference.

P1 #4: ``studio/backend/requirements/studio.txt`` now lists
``diffusers>=0.37.0`` and ``gguf>=0.10.0``. These were only in
the extras files, so fresh standard Studio installs failed on
/images/load with the round 20 P1 #2 dependency error message.

P1 #5: ``LoadRequest``, ``UnloadRequest``, and
``ValidateModelRequest`` now apply the same control-character +
embedded-HF-token validators that ``DiffusionLoadRequest``
already had. /api/inference/load, /api/inference/validate, and
/api/inference/unload used to accept newline / tab / control
characters in ``model_path`` (log-line smuggling) and URL-form
``https://hf_xxxxx@huggingface.co/...`` (credential leak through
structured log sinks).

P2 #6: ``_collapse_local`` in the diffusion load-error scrubber
now resolves relative candidates and adds the absolute form to
the substring set. A relative ``exports/my-flux`` used to leak
``/mnt/disks/.../exports/my-flux/...`` via downstream library
errors because the scrubber only matched the original literal.
Replacement is longest-first so a leaf-only context survives.

All 85 diffusion-relevant + 35 related model-validation tests
pass locally.

(P1 #3 cross-workload GPU handoff lock is deferred: deserves a
focused design pass across /images/load, /chat/load (both
branches), /training/start, and /export/load to pick a lock
boundary that does not deadlock against the backend load locks
or stall the SSE log stream.)
danielhanchen added a commit that referenced this pull request May 25, 2026
P1 #1 + #2: ``LoadRequest._no_embedded_hf_tokens`` and
``ValidateModelRequest._no_embedded_hf_tokens`` now cover
``gguf_variant`` in addition to ``model_path``. A caller could
pass a variant like ``Q4_K_M-hf_xxxxxxxx`` that flowed into
structured log sinks via the GGUF resolver path; the matching
``DiffusionLoadRequest`` validator already covered every string
field, so this restores parity.

P1 #3: ``/api/inference/unload`` now also matches the llama
``loading_model_identifier`` when picking the GGUF branch. A
pending GGUF download (``is_active`` still False,
``loading_model_identifier`` populated) used to fall through to
the safetensors branch and respond ``status="unloaded"`` while
llama-server kept downloading.

P1 #4 + #5: the final safetensors-handoff sweeps (route-level
``_release_safetensors_chat_for`` and backend
``_release_chat_backend_for_diffusion``) now check ``active_model_name``
and ``loading_models`` WITHOUT the initial ``owned_names`` filter.
A concurrent ``/load`` that landed AFTER the snapshot was
previously ignored, so a chat model that began loading during the
unload window let training / export / GGUF chat / diffusion start
anyway and race the new chat for VRAM.

P2 #6: added ``_preflight_diffusers_subfolder_config`` and
invoked it for GGUF loads with a transformer class
(``effective_base``, ``"transformer"``). A custom base companion
that had ``model_index.json`` but lacked
``transformer/config.json`` previously passed the round 19
preflight, unloaded chat, then failed inside
``from_single_file``.

P2 #7: ``_scrub_validation_obj`` in main.py also scrubs string
dict KEYS. Pydantic ``string_type`` errors surface ``input``
verbatim, and a malformed payload like
``{"repo_id": {"hf_xxxxx": "owner/repo"}}`` would otherwise leak
the token through the 422 response body.

All 85 diffusion-relevant + 35 model-validation tests pass
locally. Existing fakes for ``hf_hub_download`` updated to
accept the new ``subfolder=`` kwarg the round 21 preflight uses.

(P1 #3 cross-workload GPU handoff lock from round 20 is still
deferred; round 21's P1 #4 / #5 raised the sweep-level guarantee,
which closes the most common race without the deadlock risk of
holding a process-wide lock across the entire load.)
danielhanchen added a commit that referenced this pull request May 25, 2026
P1 #1: ``TrainingStartRequest.model_name`` now runs the same
control-character and embedded-HF-token validators that the chat
and diffusion request models gained in rounds 5 / 15 / 20 / 21.
``/api/training/start`` previously accepted newline / tab /
control characters and URL-form ``hf_xxxxx`` tokens that flowed
into structured-log sinks via "Loading model %s" lines.

P1 #2: ``_run_with_helper`` in ``utils/datasets/llm_assist.py``
now skips the helper GGUF when the diffusion image backend
reports loaded / loading. The public chat / training / export
routes already do this through ``_release_diffusion_for``, but
this dataset-side helper loaded llama-server directly with no
diffusion guard, so an Images-page allocation would race the
helper for VRAM. New ``_diffusion_image_model_busy`` helper
fails closed (treats status() failure as busy) so the resident
image model is preserved instead of being overwritten.

P1 #3: same ``_diffusion_image_model_busy`` guard added to
``_run_multi_pass_advisor`` (the dataset conversion advisor),
which has the same direct llama.cpp load shape.

P2 #4: the early "Could not infer a diffusion family" RuntimeError
now routes ``repo_id`` through ``_display_repo_id`` before
formatting. A local absolute path that did not match any known
family used to leak the operator's filesystem layout via the 400
response body, last_error, and log line.

All 97 diffusion + training-validation + related tests pass
locally.
danielhanchen added a commit that referenced this pull request May 25, 2026
P1 #1 + #2 + #6: extended the chat / diffusion / training
identifier hardening to every export-side request model.
ExportCommonOptions (parent of ExportMergedModelRequest /
ExportBaseModelRequest / ExportLoRAAdapterRequest) now applies
_no_control_chars and _reject_embedded_hf_token to repo_id and
base_model_id; ExportGGUFRequest gets the same on its repo_id
plus a control-char check on quantization_method; and
LoadCheckpointRequest validates checkpoint_path. Previously
"/api/export/*" accepted newline-smuggled identifiers and
URL-form ``hf_xxxxx`` tokens that flowed into log lines.

P1 #3 + #4: ``_run_with_helper`` and ``_run_multi_pass_advisor``
now use a shared ``_gpu_workload_busy_for_helper`` that gates on
diffusion (round 22 already), training, AND export. The round 22
guard only checked diffusion, so the dataset helper / advisor
could still load llama-server on top of an active training run
or a resident export checkpoint. Each step fails closed
(unverifiable status counts as busy) so the user's primary
workload is preserved.

P1 #5: PublishDatasetRequest in models/data_recipe.py also
applies the identifier hardening to repo_id; the publish path
previously accepted control characters and URL-form tokens.

P1 #7-10: added _validate_logged_identifier helper to
routes/models.py and applied it to the path / query parameter
endpoints that flow into logger.info(...) calls --
``/config/{model_name}``, ``/check-vision/{model_name}``,
``/check-embedding/{model_name}``, ``/gguf-variants``. Mapped
the validator's ValueError to HTTP 422 so the client sees the
same shape as a Pydantic validation failure.

P2 #11 + #12: ``Loading diffusion model %s`` and
``Diffusion load failed for %s`` log lines route ``repo_id`` /
``effective_base`` through ``_display_repo_id`` (collapses
absolute local paths to the leaf, still scrubs HF tokens)
instead of plain ``_redact_hf_tokens``. The error path was
already collapsed in the user-facing 400 / RuntimeError, but
the structured-log lines kept the full path.

All 97 diffusion + training-validation + related tests pass
locally.
danielhanchen added a commit that referenced this pull request May 25, 2026
P1 #1: ``_gpu_workload_busy_for_helper`` in
``utils/datasets/llm_assist.py`` now also gates on the GGUF chat
backend (llama-server) AND the safetensors chat backend. Round 23
extended it to training + export but missed Chat, so a helper /
advisor GGUF could still race a loaded chat model for VRAM.
Both checks fail closed when status is unverifiable.

P1 #2 / #3 / #4 / #5: re-ordered the route-level GPU-handoff
unloads so the diffusion release runs BEFORE the chat releases.
A wedged diffusion unload used to fire AFTER chat was already
gone, so the user lost both on a single failure. Drop chat last
so an earlier failure preserves it. Applied to
``/training/start`` (training.py), ``/export/load`` (export.py),
``/chat/load`` GGUF branch and ``/chat/load`` safetensors branch
(routes/inference.py).

P1 #7 + P2 #13: ``/delete-finetuned`` body now hardens
``model_path`` and ``gguf_variant`` via the shared
``_validate_logged_identifier`` helper, so control characters
and URL-form HF tokens can no longer log-line-smuggle.

P1 #8 + #10: ``/delete-cached`` body hardens ``repo_id`` and
``variant`` the same way.

P1 #9: ``/download-progress`` ``repo_id`` query parameter is
also hardened; the value flows into log lines deep inside
``_get_repo_size_cached`` on lookup failure.

P1 #11: ``CheckFormatRequest.dataset_name`` and
``AiAssistMappingRequest.{dataset_name, model_name}`` in
``models/datasets.py`` now apply the same control-char +
embedded-HF-token validators, matching every other public
request-body model.

All 115 diffusion + training-validation + cached_gguf + export
+ inference model-validation tests pass locally.

(P1 #6 native-path-lease enforcement for diffusion local paths
and P1 #12 React Compiler frontend lint deferred -- both need
focused design / frontend touchups separate from this batch.)
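The identifier hardening these commit messages describe (reject control characters and embedded HF tokens before a value reaches a log line), as an added sketch that is not the project's `_validate_logged_identifier`. The function name, the error wording and the token pattern (`hf_` followed by at least 20 alphanumerics) are assumptions of this example.

```python
import re

# Assumption: Hugging Face user tokens start with "hf_" followed by a long
# alphanumeric run; the 20-character minimum is chosen for this example.
_HF_TOKEN_RE = re.compile(r"hf_[A-Za-z0-9]{20,}")
# C0 controls, DEL and C1 controls; CR/LF are the ones that forge log lines.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def validate_logged_identifier(value: str, field: str = "identifier") -> str:
    """Return value unchanged, or raise ValueError if it is unsafe to log."""
    if not isinstance(value, str) or not value:
        raise ValueError(f"{field} must be a non-empty string")
    if _CONTROL_RE.search(value):
        raise ValueError(f"{field} contains control characters")
    if _HF_TOKEN_RE.search(value):
        # Never echo the value itself: the error text is logged and returned.
        raise ValueError(f"{field} must not embed an access token")
    return value


def check_samples(samples):
    """Map each constructed sample to 'ok' or the rejection reason."""
    results = {}
    for name, value in samples.items():
        try:
            validate_logged_identifier(value, "repo_id")
            results[name] = "ok"
        except ValueError as exc:
            results[name] = str(exc)
    return results


# Constructed inputs; the token is a made-up placeholder, not a real credential.
SAMPLES = {
    "hub_id": "unsloth/FLUX.2-klein-base-4B-GGUF",
    "forged_line": "org/model\n2026-05-25 INFO admin login ok",
    "url_token": "https://user:hf_" + "A" * 34 + "@huggingface.co/org/model",
}

if __name__ == "__main__":
    for name, outcome in check_samples(SAMPLES).items():
        print(f"{name}: {outcome}")
```

A route handler would catch the `ValueError` and return HTTP 422, as the commit message above states for the project's own helper.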
danielhanchen added a commit that referenced this pull request May 25, 2026
Four actionable findings from round 30. Skipped P1 #1 / #2 / #3
(huggingface-hub bump in studio.txt / single-env / colab-new) because
the live B200 Studio that successfully generated FLUX.2 klein images
runs the exact combo the reviewer flags as broken:
    huggingface_hub 0.36.2 + transformers 4.57.6 + diffusers 0.37.1
    Flux2KleinPipeline: True (imports cleanly)
The is_offline_mode ImportError only fires with transformers 5.x, and
the standard install path pins transformers==4.57.6 via constraints.
The round 26 fix bumped no-torch-runtime.txt + pyproject huggingfacenotorch
where the --no-deps install path can land on transformers 5.x; that
remains the correct surface.

1. core/inference/diffusion.py: preflight transformers + accelerate
   via importlib.util.find_spec BEFORE any destructive GPU-owner
   unload. Diffusers can expose stub pipeline classes when
   transformers / accelerate are missing, so the load used to drop
   chat first and fail later inside from_pretrained. find_spec
   keeps existing tests that stub these modules passing because no
   real module is executed (round 30 P1 #11).

2. models/export.py ExportGGUFRequest.quantization_method: extend
   the embedded HF token validator to this field too. Round 23
   added the control-char guard but not the token guard; the value
   is forwarded into worker command lines and reflected in error /
   success text (round 30 P1 #5).

3. models/data_recipe.py SeedInspectUploadRequest: add
   _no_control_chars + _reject_embedded_hf_token field_validators
   to filename and to each entry of file_names. Mirrors the sibling
   SeedInspectRequest.dataset_name hardening (round 30 P1 #6).

4. frontend/src/features/images/images-page.tsx: defer the initial
   refreshStatus() call via queueMicrotask so the synchronous
   setRefreshingStatus(true) inside it does not trip the
   react-hooks/set-state-in-effect lint on mount (round 30 P2 #12).

Deferred (need larger surgery / out of scope for this round):
   P1 #4 native_path_lease for diffusion local-path loads
   P1 #7-#10 helper/advisor + public-start window mutual lock symmetry

Tests: 98 targeted (diffusion + cached_gguf + inference_validation)
pass locally; frontend npm run typecheck passes.
danielhanchen added a commit that referenced this pull request May 25, 2026
Two universal-consensus round-31 reviewer findings.

Concurrency: /images/load was leaking the public-load pending
counter on any pre-finally HTTPException (round 31 P1 #1, 11/12
votes). _raise_if_helper_advisor_busy("diffusion") published the
counter, then _resolve_diffusion_repo_for_request ran outside the
clearing try/finally. A request like repo_id="/tmp/model" with no
native_path_lease returned 400 and left public_load_pending() true
until process restart, permanently blocking AI Assist. Fix mirrors
the training / export pattern: track diffusion_load_window_published
in an outer try, publish the flag right after the helper-busy
check succeeds, and clear in an outer finally that only fires when
the flag is set. This also closes round 31 P1 #6: a second
request's failure can no longer decrement a still-active first
request's counter, because the second request has not yet flipped
its own publish flag.

Security: _looks_like_local_diffusion_path missed cwd-relative
directories (round 31 P1 #2, 8/12 votes). DiffusionBackend.
load_model accepts repo_id="exports/my-flux" as a local directory
via Path(repo_id).expanduser().is_dir(), but the detector only
flagged values starting with /, ~, ./, ../, backslash, or
absolute. Tightened the detector to also reject:
  * weight-file suffixes (.gguf / .safetensors / .bin / .pt / .pth)
  * non-2-segment values (`owner`, `a/b/c`, `owner/`, `/repo`, `//`)
  * 2-segment values whose parts are `.` or `..`
  * 2-segment values that actually resolve to an existing local
    path under backend CWD (last-resort exists() probe).
The existence probe is a minor side-channel for an already-
authenticated caller, accepted in exchange for closing the silent
bypass of the new lease boundary. Valid Hub ids like
unsloth/FLUX.2-klein-base-4B-GGUF, microsoft/Phi-3.5-mini-instruct
still pass through unchanged.

Skipped (consistent with prior rounds):
  * R31 P1 #3 (Tauri / native lease enum missing
    `load-diffusion-model` op): architectural surface; defer until
    the Images page actually surfaces a local-path picker.
  * R31 P1 #4-#5, #8: studio.txt / constraints.txt / pyproject hub
    pins. Live B200 install path with huggingface_hub==0.36.2,
    transformers==4.57.6, diffusers==0.37.1 imports
    Flux2KleinPipeline cleanly. The is_offline_mode import error
    only triggers when transformers 5.x is paired with hub 0.x,
    which the constraints pin prevents.
  * R31 P1 #7 (find_spec vs real import): a full transformers
    import at module load breaks tests that stub huggingface_hub;
    find_spec is the existing tradeoff.

98 targeted backend tests pass (test_diffusion_routes,
test_diffusion_backend, test_inference_model_validation,
test_models_get_model_config_case_resolution, test_data_recipe_seed,
test_training_raw_support, test_export_log_cursor).
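The tightened local-path detection listed in the commit message above, as an added sketch that is not the project's `_looks_like_local_diffusion_path`. The function name, the explicit `cwd` parameter, the any-backslash rule and the drive-letter check are assumptions of this example.

```python
import tempfile
from pathlib import Path, PureWindowsPath

WEIGHT_SUFFIXES = (".gguf", ".safetensors", ".bin", ".pt", ".pth")


def looks_like_local_path(repo_id: str, cwd: Path) -> bool:
    """True when repo_id must be treated as a local path, not a Hub id."""
    # Prefix forms the older detector already caught. Any backslash is
    # rejected here, which is stricter than a leading-backslash check.
    if repo_id.startswith(("/", "~", "./", "../")) or "\\" in repo_id:
        return True
    if PureWindowsPath(repo_id).is_absolute():  # drive-letter paths, e.g. C:/x
        return True
    # A weight file is never a Hub repo id.
    if repo_id.lower().endswith(WEIGHT_SUFFIXES):
        return True
    # Hub ids are exactly owner/name with both segments non-empty.
    parts = repo_id.split("/")
    if len(parts) != 2 or not all(parts):
        return True
    if any(part in (".", "..") for part in parts):
        return True
    # Last resort: a well-formed owner/name that exists under the backend CWD
    # would be opened as a directory by the loader, so treat it as local.
    return (cwd / repo_id).exists()


# Constructed inputs; the two Hub ids are the ones the commit message names.
SAMPLES = [
    "unsloth/FLUX.2-klein-base-4B-GGUF", "microsoft/Phi-3.5-mini-instruct",
    "exports/my-flux", "/tmp/model", "owner", "a/b/c", "owner/",
    "owner/model.safetensors", "owner/..",
]


def classify_samples() -> dict:
    """Run the detector against a scratch CWD containing exports/my-flux."""
    with tempfile.TemporaryDirectory() as tmp:
        cwd = Path(tmp)
        (cwd / "exports" / "my-flux").mkdir(parents=True)
        return {rid: looks_like_local_path(rid, cwd) for rid in SAMPLES}


if __name__ == "__main__":
    for rid, local in classify_samples().items():
        print(f"{'local' if local else 'hub  '}  {rid}")
```

`exports/my-flux` is flagged only because the directory exists under the scratch CWD; with no such directory it has the shape of a Hub id and passes, which is why the existence probe is the last check.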

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code
