
chore(deps): bump the npm-deps group across 1 directory with 5 updates#31

Merged
mroderick merged 1 commit into main from dependabot/npm_and_yarn/npm-deps-6d1577ce7c on Jun 15, 2026

Conversation


@dependabot dependabot Bot commented on behalf of github Jun 15, 2026


Bumps the npm-deps group with 5 updates in the / directory:

Package From To
better-auth 1.6.11 1.6.15
date-fns 4.3.0 4.4.0
hono 4.12.23 4.12.24
eslint 10.4.0 10.4.1
fallow 2.83.0 2.89.0

Updates better-auth from 1.6.11 to 1.6.15

Release notes

Sourced from better-auth's releases.

v1.6.15

better-auth

Bug Fixes

  • Fixed the listSessions endpoint to properly enforce fresh-age session checks (#9865)
  • Fixed unbanUser, setRole, and adminUpdateUser to return USER_NOT_FOUND instead of a generic 500 when the target user does not exist (#9875)
  • Fixed Kysely migration constant import path to restore Kysely 0.28 and 0.29 compatibility (#9811)
  • Improved cookie regex character ranges for more accurate cookie parsing (#9879)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Features

  • Added POST support to the /oauth2/userinfo endpoint, allowing the access token to be passed in the Authorization header (#9937)

Bug Fixes

  • Fixed hooks.before and hooks.after to run correctly when OAuth authorization resumes after sign-in, account selection, or consent (#9919)

For detailed changes, see CHANGELOG

@better-auth/kysely-adapter

Bug Fixes

  • Fixed Turbopack build failures by inlining migration table constants, also restoring compatibility with Kysely 0.28 and 0.29 (#9933)

For detailed changes, see CHANGELOG

@better-auth/passkey

Features

  • Added automatic resolution of authenticator names from AAGUID, exposing getAuthenticatorName(aaguid) and commonAuthenticatorNames so passkeys can display a friendly provider name like "1Password" or "Google Password Manager" (#9927)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed ERR_SUBJECT_UNCONFIRMED errors caused by clockSkew not being forwarded to samlify's ServiceProvider when validating SAML responses (#9748)

For detailed changes, see CHANGELOG

Contributors

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.15

Patch Changes

  • #9875 1012b69 Thanks @​WilsonnnTan! - The admin plugin's unbanUser, setRole and adminUpdateUser endpoints used to call internalAdapter.updateUser without checking that the target user existed, so when the caller passed an unknown id the underlying database error (for example Prisma's P2025) bubbled up as a generic HTTP 500. Those endpoints now mirror the existing guard in banUser: look the user up via findUserById, and throw a clean NOT_FOUND (USER_NOT_FOUND) when no row is returned. Closes #9800.

  • #9865 ad60333 Thanks @​ping-maxwell! - list-session endpoint now requires a fresh-age session check.

  • #9811 0933c05 Thanks @​zeroknowledge0x! - Restore Kysely 0.28 and 0.29 compatibility for SQLite dialect introspection. The dialects now mirror Kysely's stable migration table names locally, avoiding strict ESM build failures in Turbopack without forcing consumers onto Kysely 0.29.

  • #9919 b0ddfd3 Thanks @​gustavovalverde! - Run configured hooks through the whole OAuth sign-in flow

    hooks.before / hooks.after configured on the auth instance now run for the OAuth authorization that continues after a user signs in, selects an account, or consents. They were being skipped there.

    Headers or cookies a hooks.before sets before returning its own response are no longer dropped, and a hooks.after that throws an APIError no longer loses either its cookies or the error's headers.

  • Updated dependencies []:

    • @​better-auth/core@​1.6.15
    • @​better-auth/drizzle-adapter@​1.6.15
    • @​better-auth/kysely-adapter@​1.6.15
    • @​better-auth/memory-adapter@​1.6.15
    • @​better-auth/mongo-adapter@​1.6.15
    • @​better-auth/prisma-adapter@​1.6.15
    • @​better-auth/telemetry@​1.6.15

1.6.14

Patch Changes

  • #9877 2d9781a Thanks @​gustavovalverde! - Restore the normal emailed-invitation flow while documenting the stricter verification posture for organization invitations.

    Client-side listUserInvitations now always requires a verified session email because it enumerates invitation IDs from session.user.email. The requireEmailVerificationOnInvitation option now controls recipient calls that carry an invitation ID (acceptInvitation, rejectInvitation, getInvitation). When unset, Better Auth keeps the emailed-invitation sign-up flow for built-in opaque invitation IDs, including the default generator or advanced.database.generateId: "uuid", and requires verified email when invitation IDs are externally controlled or predictable, such as advanced.database.generateId: "serial" / false or custom ID generation. Apps that expose invitation IDs outside the invited user's mailbox, expose organization invitation lists to members, or require stricter ownership proof should set requireEmailVerificationOnInvitation: true or require verified email before sign-in.

  • #9841 5a2d642 Thanks @​bytaesu! - Optional fields (required: false) now accept null, not just omission. The generated input validation previously rejected null even though the column is nullable, so a nullable field could not be cleared by passing null.

  • #9845 13abc79 Thanks @​gustavovalverde! - Harden redirect-URI validation across the OAuth provider plugins. isSafeUrlScheme and SafeUrlSchema no longer call URL.canParse, which is absent on some supported runtimes and could throw or silently disable the dangerous-scheme check. They now parse with a try/catch fallback. SafeUrlSchema also rejects redirect URIs that contain a fragment component, per RFC 6749 §3.1.2.

  • #9806 9d3450a Thanks @​bytaesu! - getSessionCookie now prefers the __Secure- cookie when both it and a non-secure cookie are present, so the non-secure cookie no longer shadows the current session cookie.

  • Updated dependencies [13abc79]:

    • @​better-auth/core@​1.6.14
    • @​better-auth/drizzle-adapter@​1.6.14
    • @​better-auth/kysely-adapter@​1.6.14
    • @​better-auth/memory-adapter@​1.6.14
    • @​better-auth/mongo-adapter@​1.6.14
    • @​better-auth/prisma-adapter@​1.6.14
    • @​better-auth/telemetry@​1.6.14

... (truncated)

Commits
  • 03e0e36 chore: release v1.6.15 (#9886)
  • b0ddfd3 fix(oauth-provider): run configured hooks when authorize resumes (#9919)
  • 1012b69 fix(admin): return USER_NOT_FOUND for missing users before update (#9875)
  • ad60333 fix: list-session fresh age session check (#9865)
  • e111d63 refactor(cookies): clarify cookie regex ranges (#9879)
  • 5038d41 chore: release v1.6.14 (#9846)
  • 2d9781a fix(organization): split invitation verification gates (#9877)
  • 5a2d642 fix: accept null for optional fields in generated schema (#9841)
  • 9d3450a fix(cookies): prefer __Secure- cookie in getSessionCookie (#9806)
  • a6f38c7 chore: release v1.6.13 (#9804)
  • Additional commits viewable in compare view

Updates date-fns from 4.3.0 to 4.4.0

Release notes

Sourced from date-fns's releases.

v4.4.0

This release revisits the approach to CDN usage, introduces a new package, @date-fns/cdn, and deprecates the date-fns CDN scripts. This reduced the zipped package size from 5.83 MB to 3.96 MB without introducing any breaking changes.

In v5.0.0-alpha.0 where CDN scripts are completely removed from date-fns the change is more significant and brings the zipped package size down to 2.89 MB.

It is just the first step in optimizing the package size. Expect further size reduction in the future v4 and v5 versions.

Changed

  • DEPRECATED: The date-fns CDN scripts are now deprecated and will be removed in the next major release. Please switch to the new @date-fns/cdn package for CDN usage.

  • Removed CDN source maps to reduce the package size. If you rely on them, please switch to the new @date-fns/cdn package that still includes them.

Commits
  • cd53d25 Promote to v4.4.0
  • d948ec1 Preserve but deprecate CDN versions for v4, set up v5 with polyfills
  • ee65753 Add root mise :format task
  • 9f5bdf5 Add positional argument to test/smoke.sh script
  • 651ead6 Split CDN bundles into separate @​date-fns/cdn package
  • 224c1a2 Deprecate type tests as attw hangs on date-fns package
  • 7bb2842 Switch PACKAGE_OUTPUT_PATH to --dist flag in the package build script
  • b6ad5ac Add flags to control package build script
  • 424a783 Fix docs release after moving to monorepo setup
  • See full diff in compare view

Updates hono from 4.12.23 to 4.12.24

Release notes

Sourced from hono's releases.

v4.12.24

What's Changed

Full Changelog: honojs/hono@v4.12.23...v4.12.24

Commits
  • 5fdde5a 4.12.24
  • c78932d fix(utils/ipaddr): render the unspecified address binary as "::" (#4998)
  • 5ef800e refactor(timing): Test/add test for middleware timing (#4991)
  • d743bb7 fix: clean up config files trailing comma, stale excludes, typesVersions gaps...
  • d22ff9c fix(utils/ipaddr): expand "::" to eight zero groups (#4973)
  • 8e2cccc refactor(language): Test/improve tests on languages middleware (#4980)
  • 413d3cb fix(bearer-auth): mention verifyToken in missing-options error message (#4987)
  • 2cbeadd chore: remove @​types/glob (#4978)
  • 9051d3e docs(contribution): simplify AI Usage Policy (#4972)
  • See full diff in compare view

Updates eslint from 10.4.0 to 10.4.1

Release notes

Sourced from eslint's releases.

v10.4.1

Bug Fixes

  • e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#20930) (Francesco Trotta)
  • d4ce898 fix: propagate failures from delegated commands (#20917) (Minh Vu)
  • f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#20916) (kuldeep kumar)
  • c5bc78b fix: false positive for reference in finally block (#20655) (Tanuj Kanti)
  • 27538c0 fix: add missing CodePath and CodePathSegment types (#20853) (Pixel998)

Documentation

  • 61b0add docs: remove deprecated rule from related rules of max-params (#20921) (Tanuj Kanti)
  • 305d5b9 docs: remove deprecated rules from related rules section (#20911) (Tanuj Kanti)
  • 49b0202 docs: fix display: none of ad (#20901) (Tanuj Kanti)
  • 9067f94 docs: switch build to Node.js 24 (#20893) (Milos Djermanovic)
  • c91b041 docs: Update README (GitHub Actions Bot)
  • e349265 docs: clarify semver strings in rule deprecation objects (#20885) (Milos Djermanovic)

Chores

  • b0e466b test: add data property to invalid tests cases for rules (#20924) (Tanuj Kanti)
  • f78838b test: add CodePath type coverage (#20904) (Pixel998)
  • 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#20922) (Francesco Trotta)
  • 002942c ci: declare contents:read on update-readme workflow (#20919) (Arpit Jain)
  • 64bca24 chore: update ecosystem plugins (#20912) (ESLint Bot)
  • 6d7c832 chore: ignore fflate updates in renovate (#20908) (Pixel998)
  • b2c8638 ci: bump pnpm/action-setup from 6.0.7 to 6.0.8 (#20889) (dependabot[bot])
  • a9b8d7f chore: increase maxBuffer for ecosystem tests (#20881) (sethamus)
  • b702ead chore: update ecosystem update PR settings (#20884) (Pixel998)
  • 507f60e chore: update ecosystem plugins (#20882) (ESLint Bot)
  • 92f5c5b test: add unit test for message-count (#20878) (kuldeep kumar)
  • df32108 chore: add @​eslint/markdown and typescript-eslint ecosystem tests (#20837) (sethamus)
  • 327f91d chore: use includeIgnoreFile internally (#20876) (Kirk Waiblinger)
  • f0dc4bd chore: pin fflate@0.8.2 (#20877) (Milos Djermanovic)
  • 0f4bd25 ci: run Discord alert for ecosystem test failures (#20873) (Copilot)
Commits
  • 4a3d15a 10.4.1
  • 43e7e2b Build: changelog update for 10.4.1
  • e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#20930)
  • b0e466b test: add data property to invalid tests cases for rules (#20924)
  • d4ce898 fix: propagate failures from delegated commands (#20917)
  • f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#20916)
  • f78838b test: add CodePath type coverage (#20904)
  • 61b0add docs: remove deprecated rule from related rules of max-params (#20921)
  • 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#20...
  • 002942c ci: declare contents:read on update-readme workflow (#20919)
  • Additional commits viewable in compare view

Updates fallow from 2.83.0 to 2.89.0

Release notes

Sourced from fallow's releases.

v2.89.0: editor intelligence, churn import, and detection fixes

fallow 2.89.0 is an editor-intelligence release. The VS Code extension now surfaces health, complexity, security candidates, runtime coverage, the audit verdict, license management, and a monorepo workspace picker, and it explains complexity inline in the editor. The language server gets a large memory-leak fix, single-pass monorepo analysis, per-file circular-dependency diagnostics, and a references code-lens fix. Alongside the editor work: churn import for non-git VCS, sharper telemetry, more security-candidate categories, and a batch of dependency-detection accuracy fixes.

Telemetry stays opt-in, allowlisted, and off by default.

Editor: VS Code + language server

  • Inline complexity, line by line. fallow health --complexity-breakdown adds a contributions[] array to each complexity finding (one entry per decision point: each else if, nested if, && / || / ??, loop, case, catch, ternary, optional-chain), with its source line, the metric it adds to, its weight, and nesting depth. The extension renders a dim +N after each contributing line, a hover with the per-kind breakdown, and a CRAP explanation on the function signature (for example CRAP 420: cyclomatic 20, untested (0% covered). Full test coverage would bring CRAP down to 20.). New settings: fallow.complexity.breakdownEnabled, fallow.complexity.afterText, fallow.complexity.decorationCap. The MCP check_health tool gains a matching complexity_breakdown param. Off by default in CLI/CI output, computed in the existing complexity pass at no measurable cost.
  • More of fallow inside the editor. New sidebar views surface health and complexity, security candidates, runtime coverage, and the audit verdict, plus a monorepo workspace picker and in-editor license management.
  • A scannable sidebar. Duplicate clones are ordered by impact (total duplicated lines) and labeled by their dominant repeated identifier instead of an opaque Clone #N. Health rows lead with the file for a consistent column, complexity rows show <file>:<line> then the function and its metrics, and file paths middle-truncate so the basename:line stays visible (full path on hover). The complexity critical glyph is the section's flame icon, not an alarming red error mark, because these are heuristic candidates.
  • All duplication knobs are exposed. The settings page adds fallow.duplication.minTokens, minLines, skipLocal, crossLanguage, and ignoreImports, and the bare fallow command gains matching combined-mode flags so the extension applies them without a config-file edit.
  • Clearer all-clear. A clean run now says the all-clear applies to analyzed JS/TS files, records a short dead-code and duplication summary in the Fallow output channel, and offers to open it. Duplicate-code-only findings no longer collapse into the all-clear path, and the sidebar exposes the diagnostic mute manager from the view title bars.
  • License indicator only when relevant. The status-bar license badge is created only when license material is actually present (active, in-grace, or expired, found via $FALLOW_LICENSE, $FALLOW_LICENSE_PATH, or ~/.fallow/license.jwt, checked locally with no fallow call on startup). A machine that never had a license shows nothing. Activating or deactivating a license updates the badge without a reload.
  • References code lens fixed. Clicking a "N references" lens no longer throws "argument does not match one of these constraints". The lens now routes through a fallow.showReferences command that converts the language server's JSON arguments into the Uri / Position / Location values VS Code expects.
  • Every file in a cycle gets its own squiggly. Each participating file is marked at the exact import that points to the next file, the message rotates to read from the file you are in (standing in b of a → b → c → a reads Circular dependency (3 files): b → c → a → b), and related links jump to each real hop. Every per-file marker carries a shared cycle id in Diagnostic.data so editors and agents can fold the markers back into one cycle. fallow ... --format json gains an additive, optional edges[] array on each circular_dependencies[] entry (one { path, line, col } per hop); always emitted, not required by the schema, so existing consumers and baseline files are unaffected.

The editor improvements that depend on new diagnostics (references lens, per-file circular deps) require the matching fallow-lsp build shipped here.

Performance

  • Language server memory leak on dynamic-import patterns fixed. A file with import(`./${x}`) or require(`./${x}`) style imports used to credit every matched target once per pattern, so a file with many such patterns over a large tree accumulated graph symbols proportional to patterns times files, driving fallow-lsp into tens of GB on large React Native / Expo codebases. Each distinct target is now credited at most once per importing file; reachability and output are unchanged. Thanks @​ReallyFloppyPenguin for the detailed report.
  • Monorepos analyzed once, not once per package. fallow-lsp previously re-ran the full pipeline for the workspace root and again for every sub-package. The single root pass already walks the whole tree and is workspace-aware, so total work no longer scales with the package count. This also matches the CLI and removes a class of false-positive unused-export findings that came from analyzing a sub-package in isolation. A sub-package's own .fallowrc.json still applies when that folder is opened directly.

Health: change history without git

  • --churn-file imports change history. Projects on a non-git VCS (Arc, Mercurial, Perforce) used to see "hotspot analysis skipped: no git repository found". A new global --churn-file <path> flag accepts a normalized fallow-churn/v1 JSON document, and --hotspots, --ownership, and --targets then run their usual recency-weighting, trend, and ownership logic on the imported events. The flag resolves relative to --root, wins over git when both are present, and is exposed on the MCP check_health tool as churn_file. The import is authoritative for the analysis window. Scope: this powers the churn-backed health signals only; audit, impact, and --changed-since still need git for the base tree. Thanks @​albion9919 for the request.

Security candidates

  • More dangerous-sink categories. The tainted-sink catalogue gained candidate categories surfaced under fallow security: dynamic module loading, file-system path traversal, HTTP response header injection, more raw-SQL escape hatches (Prisma unsafe raw, Knex raw, sequelize.literal), DOM navigation, source-backed mass assignment, additional SSRF clients, insecure randomness, deprecated cipher constructors, template escape bypass, XPath injection, unsafe Buffer.allocUnsafe, and react-native-webview injected scripts. Each fires only on a non-literal argument; fully-literal calls never fire, and every finding stays a candidate for verification, not a proven vulnerability.
  • Framework template HTML injection sinks. Non-literal Svelte {@html ...}, Vue v-html="...", and Angular [innerHTML]="..." bindings now feed the existing dangerous-html candidate flow with source spans. Literal bindings stay quiet; no new schema.

Dependency detection accuracy

  • Pino transport targets such as pino({ transport: { target: 'pino-pretty' } }) are credited as runtime references instead of reported unused. Thanks @​MathieuSchaff for the report.
  • Package-root resolution such as resolveModuleDir("ffmpeg-static") or require.resolve(`${packageName}/package.json`) with static values no longer reports those packages unused.
  • Fluent chains typed : this. Constructor-rooted chains whose intermediate methods declare TypeScript's polymorphic this return type no longer mis-report later methods as unused-class-members.
  • Bun default test files (*.test, *_test, *.spec, *_spec) are now test entry points when the Bun plugin is active, scoped by [test].root when present.
  • TanStack Router route files no longer surface as duplicate Route exports; the contract export is skipped only for real route files or files referenced by routeTree.gen.*.
  • Nuxt UI script-side icon strings like icon: 'i-simple-icons-github' credit their @iconify-json/* collection package via longest-prefix matching.
  • Playwright webServer.command template literals such as pnpm build && pnpm exec srvx --port ${PORT} now credit pnpm exec CLI packages.

Telemetry (opt-in, off by default)

  • findings_present reports whether an analysis surfaced any findings, decoupled from the exit-code gate. Previously fallow dupes always reported outcome: "success" under its default config, so duplication was invisible in aggregate.
  • Workflow split. fallow impact, security, fix, and explain each emit a distinct workflow value instead of collapsing into unknown.
  • MCP surface tagging. MCP tool calls are attributed to the mcp surface with a per-tool mcp_tool dimension instead of looking like any other cli_json run. The new fields are optional and additive, with the same privacy posture and consent model. In-process surfaces (LSP, VS Code, N-API, programmatic) still emit nothing.

Other fixes and additions

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.89.0] - 2026-06-05

Fixed

  • JSDoc prose examples no longer create false unresolved imports. JSDoc import-type extraction now only follows import("...") expressions inside type-bearing braces, so examples such as await import("./x") or object-literal loader snippets in @example comments are treated as documentation rather than real type imports. Real annotations such as @type {import("./types").Foo} and multiline @returns { import("./types").Foo } keep working. Thanks @​jsgoldman for the patch. (Refs #1010.)
  • Framework template HTML injection sinks now appear in fallow security. Non-literal Svelte {@html ...}, Vue v-html="...", and Angular [innerHTML]="..." bindings now feed the existing dangerous-html security candidate flow with source spans on the template or component file. Literal bindings stay quiet, and no new output schema is introduced. Thanks @​BartWaardenburg for the report. (Closes #883.)
  • Pino transport targets now credit their runtime dependency packages. Projects using pino({ transport: { target: 'pino-pretty' } }) or the same target inside a simple conditional no longer see the transport package reported as an unused dependency. Fallow now records statically visible Pino transport target strings as runtime package references while keeping unrelated unused dependencies reportable. Thanks @​MathieuSchaff for the report. (Closes #954.)
  • Package path resolution now credits the referenced dependency packages. Build scripts that resolve package roots or package manifests, such as resolveModuleDir("ffmpeg-static") or require.resolve(`${packageName}/package.json`) with static package values, no longer report those packages as unused dependencies. Fallow keeps the detection conservative: arbitrary dynamic strings and unrelated package subpaths are still ignored, and unrelated unused dependencies still report. Thanks @​BartWaardenburg for the report. (Closes #952.)
  • Constructor-rooted fluent chains now treat : this methods as self-returning. Previously unused-class-members could report later methods in a chain such as new OptionBuilder().addDefault().addFromConfig().addFromCli().build() when the intermediate methods declared TypeScript's polymorphic this return type and returned through a helper call. Fallow now honors the declared this return contract when validating constructor-rooted fluent chains, while still requiring every intermediate method to be proven self-returning. Thanks @​BartWaardenburg for the report. (Closes #953.)
  • The VS Code extension now gives clean analysis runs a clearer all-clear. Previously Fallow: Run Analysis ended with only Fallow: no issues found, even when users wanted to know what was actually checked, and the existing diagnostic mute manager was only discoverable if they knew the command name. Clean runs now say the all-clear applies to analyzed JS/TS files, record a short dead-code and duplication summary in the Fallow output channel, and offer to open that channel. Duplicate-code-only findings no longer collapse into the all-clear path, and the Fallow sidebar now exposes the diagnostic mute manager from the analysis view title bars.
  • The VS Code status-bar license indicator no longer shows on machines without a license. Previously the Fallow license badge appeared for everyone by default (a neutral Fallow License placeholder, or Fallow: no license once a check ran), surfacing license UI to users who never had a license. The indicator is now created only when license material is actually present (an active, in-grace, or expired license found via $FALLOW_LICENSE, $FALLOW_LICENSE_PATH, or ~/.fallow/license.jwt, checked locally with no fallow call on startup); a machine that never had a license shows nothing at all. Activating a license makes the badge appear without a reload, and deactivating it hides the badge. fallow.license.showStatusBar still turns the indicator off entirely. The expired badge was already limited to machines that had a license, so it is unchanged.
  • Bun test files discovered by bun test are now treated as test entry points. The Bun plugin previously kept bunfig.toml preloads reachable but did not model Bun's default test filename discovery, so projects had to add manual entry workarounds for files such as test/**/*.test.ts. Fallow now marks Bun's documented *.test, *_test, *.spec, and *_spec js/jsx/ts/tsx patterns as test entry points when the Bun plugin is active, and [test].root scopes those defaults when present. Existing top-level and [test] preload handling is unchanged. Thanks @​BartWaardenburg for the report. (Closes #951.)
  • TanStack Router route files no longer appear as duplicate Route exports. Route modules are required to export framework contract names such as Route, including custom route directories, lazy route files, route-file ignore settings, virtual route config, and nested route dirs referenced by routeTree.gen.*. duplicate-exports now skips those contract exports only when the file matches TanStack Router's route rules or is referenced by the generated route tree, while ordinary duplicate Route exports outside route files still report. Thanks @​BartWaardenburg for the report. (Closes #947.)
  • Nuxt UI script-side icon strings now credit their declared Iconify collection packages. Previously a package such as @iconify-json/simple-icons could be reported as unused when the only static reference was in Vue script navigation data like icon: 'i-simple-icons-github'; users had to suppress the dependency even though Nuxt UI resolves it at build time. Fallow now extracts static Vue SFC icon object properties with Nuxt UI i-<collection>-<icon> values and resolves them against declared @iconify-json/* packages with longest-prefix matching, so the intended collection is credited without broad arbitrary string matching. Template-style Iconify strings such as name="jam:github" continue to work as before. Thanks @​BartWaardenburg for the report. (Closes #955.)
  • Playwright webServer.command template literals now credit pnpm exec CLI packages. Before, command strings such as pnpm build && pnpm exec srvx --port ${PORT} were skipped when written as template literals, so srvx could still report as an unused dev dependency even though Playwright starts it for e2e tests. After, the Playwright plugin recovers static command text from template literals when it can preserve shell token boundaries, then sends the command through the existing script parser, so pnpm exec srvx credits srvx without changing direct command handling or package-manager script delegation. (Closes #956.)
  • Opt-in telemetry now measures whether an analysis actually found anything, which workflow ran, and whether a run came through the MCP server. Three accuracy gaps in the coarse, allowlisted telemetry payload are closed. (1) A new optional findings_present field reports whether an analysis surfaced any findings, decoupled from the exit-code gate; previously fallow dupes always reported outcome: "success" under its default config (the default duplication threshold never gates), so duplication was invisible in aggregate even at 100%. (2) fallow impact, fallow security, fallow fix, and fallow explain each now emit a distinct workflow value instead of collapsing into the unknown catch-all, so per-command usage is answerable. (3) MCP tool calls are now attributed to the mcp integration surface with a per-tool mcp_tool dimension instead of looking like any other cli_json run; the MCP server tags the spawned CLI process (FALLOW_INTEGRATION_SURFACE, FALLOW_MCP_TOOL), so a single, correctly-labeled event is emitted with the same privacy posture and consent model as the CLI. The new fields are optional and additive (telemetry stays off by default and allowlisted; no paths, names, or source). In-process surfaces (LSP, VS Code, N-API, programmatic) still emit no telemetry and are documented as such. (Closes #972, #973, #974.)
  • The language server no longer balloons in memory on projects that use dynamic-import patterns. When a file contained import(`./${x}`) or require(`./${x}`) style dynamic imports, the module-graph builder credited every matched target file once per pattern. A file holding many such patterns over a large source tree accumulated a number of internal graph symbols (and their references) proportional to patterns times files, which on large React Native / Expo codebases could drive fallow-lsp into tens of GB of RAM. Each distinct target is now credited at most once per importing file. Reachability and analysis output are unchanged (the duplicate symbols were redundant), and recursive cross-directory matching is preserved. Thanks @​ReallyFloppyPenguin for the detailed report. (Closes #963.)
  • The language server now analyzes a monorepo once instead of once per workspace package. Previously fallow-lsp re-ran the full analysis pipeline for the workspace root and again for every discovered sub-package, so overlapping source files were walked once per package and the per-package results accumulated before being deduplicated. The single root pass already walks the whole tree and is workspace-aware (it applies each package's plugin and script configuration), so total analysis work no longer scales with the number of packages. This also brings the editor in line with the CLI: a sub-package analyzed in isolation cannot see cross-package usage and could surface false-positive unused-export findings, which the single-root pass resolves. A sub-package's own .fallowrc.json still applies when that package folder is opened directly as the editor workspace. (Closes #971.)
  • fallow audit now reclaims base-snapshot worktree caches whose directory was deleted out from under git. When an external cleanup process (a $TMPDIR reaper, a container restart, a CI cache eviction) removed a reusable base-snapshot worktree directory but left git's admin entry behind, that entry lingered indefinitely as a prunable row in git worktree list. The age-based sweep keyed only on the .last-used sidecar (which survives next to the deleted directory), so it never reclaimed these orphans. The sweep now also detects entries whose directory is gone and reclaims them eagerly, lock-guarded against a concurrent rebuild, on every audit run. This reclaim runs even when age-based GC is disabled (audit.cacheMaxAgeDays = 0 / FALLOW_AUDIT_CACHE_MAX_AGE_DAYS=0), so dead admin entries no longer accumulate.
  • Clicking a "N references" Code Lens in VS Code no longer throws an error. The lens routed to the built-in editor.action.showReferences with the language server's JSON arguments (a string URI, a plain position, plain locations), which VS Code rejects with "argument does not match one of these constraints" because that command validates its arguments by type. The lens now routes through a fallow.showReferences command in the extension that converts the arguments into the expected Uri / Position / Location values before delegating to the built-in, so the references panel opens as expected. Requires the matching fallow-lsp build.
  • Every file in a circular dependency now gets its own squiggly, anchored under the import that closes the cycle. Previously the language server placed a single diagnostic on the first file of the cycle, and its "related" links pointed at line 0 of the other members, so standing in a file that was part of a cycle showed nothing and the one marker that did appear did not point at any real import. Now each participating file is marked at the exact import statement that points to the next file, the message rotates to read from the file you are in (standing in b of a → b → c → a reads Circular dependency (3 files): b → c → a → b), and the related links jump to each other hop's real location. Every per-file marker carries a shared cycle id in Diagnostic.data so editors and agents can fold the N markers back into one cycle, and suppressing the cycle on any one member (// fallow-ignore-file circular-dependency) still clears all of them. The JSON output gains an additive, optional edges[] array on each circular_dependencies[] entry (one { path, line, col } per hop); it is always emitted by this version but is not required in the schema, so existing consumers and historical baseline files are unaffected. Requires the matching fallow-lsp build.

Added

  • fallow health can now explain WHY a function is complex, line by line, and the VS Code extension shows it inline in the editor. Previously fallow reported only the aggregate cyclomatic, cognitive, and CRAP numbers; you could see that a function scored high but not which constructs drove it. A new fallow health --complexity-breakdown flag adds a contributions[] array to each complexity finding in --format json, with one entry per decision point (each else if, nested if, && / || / ??, loop, case, catch, ternary, optional-chain, ...) carrying its source line, the metric it adds to (cyclomatic or cognitive), its weight, and the nesting depth. The VS Code extension renders this inline: a dim +N marker after each contributing line, a hover listing the per-kind breakdown, and a CRAP explanation on the function signature line (for example CRAP 420: cyclomatic 20, untested (0% covered). Full test coverage would bring CRAP down to 20.). New settings: fallow.complexity.breakdownEnabled (default on), fallow.complexity.afterText (the inline tier, default on, hover-only when off), and fallow.complexity.decorationCap (how many findings to decorate, default 200, decoupled from the Health tree's topFindings). The MCP check_health tool gains a matching complexity_breakdown param so agents can pinpoint refactor targets. The breakdown is off by default in CLI/CI output (existing JSON, SARIF, and markdown are unchanged) and is computed during the existing single complexity pass at no measurable analysis cost. One-time note: the incremental cache is invalidated on upgrade (cache version bump), so the first run after upgrading re-parses the project once.
  • fallow health can now import change history from a file, so hotspots, ownership, and bus-factor work without git. Projects on a non-git VCS (Yandex Arc, Mercurial, Perforce) previously saw "hotspot analysis skipped: no git repository found". A new global --churn-file <path> flag accepts a normalized fallow-churn/v1 JSON document ({ "schema": "fallow-churn/v1", "events": [{ "path", "timestamp", "author", "added", "deleted" }] }), one entry per changed file per commit, which a small wrapper produces from your VCS log. fallow then runs all the usual recency-weighting, trend, and ownership logic on the imported events unchanged, so --hotspots, --ownership, and --targets light up. The flag resolves relative to --root, wins over git when both are present, and is exposed on the MCP check_health tool as churn_file. The import is authoritative for the analysis window, so --since only labels output and does not filter imported events; the header reads "since imported churn". Timestamps are unix seconds (a millisecond value is rejected with exit 2), and a malformed file is a loud hard error rather than a silent skip. Scope: this powers the churn-backed health signals only; audit, impact, and --changed-since still require git because they need the base revision's tree, not just history. Thanks @albion9919 for the request. (Closes #980.)
  • Local human runs can now nudge stale fallow installs toward the changelog. On successful human output with both stdout and stderr attached to a TTY, fallow reads a user-global cached latest-version answer and prints one concise stderr hint when the running stable version is behind. The hint names its own opt-out inline (silence: FALLOW_UPDATE_CHECK=off) since, unlike the one-time telemetry note, it repeats until you upgrade. Machine formats, quiet runs, CI, and non-TTY agent paths stay byte-identical. The background refresh is best-effort, uses api.fallow.cloud, is throttled, and is suppressed by DO_NOT_TRACK, FALLOW_TELEMETRY_DISABLED, or FALLOW_UPDATE_CHECK=off. (Refs #978.)
  • The VS Code extension now exposes every duplication knob used by sidebar analysis. The settings page now includes fa...

    Description has been truncated
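The --churn-file feature above describes a fallow-churn/v1 document that "a small wrapper produces from your VCS log" but shows no such wrapper. The following is an added example, not fallow's own code or part of this pull request: it turns a constructed `git log --numstat`-style text into that document and applies the two validation rules the release notes state (timestamps are unix seconds, millisecond values and malformed input are hard errors) before the file ever reaches fallow. Only the field names `schema`, `events`, `path`, `timestamp`, `author`, `added` and `deleted` come from the page; the input format, the `commit <seconds> <author>` header convention and the millisecond threshold are assumptions.

```javascript
// Added example (not fallow's code): produce a fallow-churn/v1 document for
// `fallow health --churn-file` from a VCS log. The parser below reads a
// constructed `git log --numstat`-style text; a Mercurial or Arc wrapper
// would replace parseNumstatLog() and keep everything else.

// Constructed sample log: one "commit <unix-seconds> <author>" header per
// commit, then one "added<TAB>deleted<TAB>path" numstat line per file.
const SAMPLE_LOG = `commit 1718400000 alice
12\t3\tsrc/auth.ts
0\t40\tsrc/legacy.ts
commit 1718486400 bob
5\t5\tsrc/auth.ts
-\t-\tassets/logo.png
`;

// Largest value still plausibly unix seconds (assumed threshold); anything
// above it is treated as milliseconds, which fallow rejects with exit 2.
const MAX_UNIX_SECONDS = 9_999_999_999;

function parseNumstatLog(text) {
  const events = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trimEnd();
    if (line === '') continue;
    const header = /^commit (\d+) (.+)$/.exec(line);
    if (header) {
      current = { timestamp: Number(header[1]), author: header[2] };
      continue;
    }
    if (current === null) throw new Error(`numstat line before any commit header: ${line}`);
    const [added, deleted, path] = line.split('\t');
    if (path === undefined) throw new Error(`malformed numstat line: ${line}`);
    // git prints "-" for binary files; record them as zero-line changes.
    events.push({
      path,
      timestamp: current.timestamp,
      author: current.author,
      added: added === '-' ? 0 : Number(added),
      deleted: deleted === '-' ? 0 : Number(deleted),
    });
  }
  return events;
}

// Fail loudly on anything fallow would reject, so the wrapper (not fallow)
// is where a bad export surfaces.
function validateEvents(events) {
  for (const e of events) {
    if (typeof e.path !== 'string' || e.path === '') throw new Error('event without path');
    if (typeof e.author !== 'string' || e.author === '') throw new Error(`event without author: ${e.path}`);
    if (!Number.isInteger(e.timestamp) || e.timestamp < 0 || e.timestamp > MAX_UNIX_SECONDS) {
      throw new Error(`timestamp must be unix seconds, got ${e.timestamp} for ${e.path}`);
    }
    for (const k of ['added', 'deleted']) {
      if (!Number.isInteger(e[k]) || e[k] < 0) throw new Error(`bad ${k} count for ${e.path}`);
    }
  }
  return events;
}

function buildChurnDocument(logText) {
  return { schema: 'fallow-churn/v1', events: validateEvents(parseNumstatLog(logText)) };
}

// Writes the document to stdout; redirect to a file and pass it to --churn-file.
console.log(JSON.stringify(buildChurnDocument(SAMPLE_LOG), null, 2));
```

Pipe the output into a file and point `fallow health --churn-file <that file>` at it; because the import is authoritative for the analysis window, the wrapper, not `--since`, decides which commits are included.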

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 15, 2026
Bumps the npm-deps group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.6.11` | `1.6.15` |
| [date-fns](https://github.com/date-fns/date-fns) | `4.3.0` | `4.4.0` |
| [hono](https://github.com/honojs/hono) | `4.12.23` | `4.12.24` |
| [eslint](https://github.com/eslint/eslint) | `10.4.0` | `10.4.1` |
| [fallow](https://github.com/fallow-rs/fallow) | `2.83.0` | `2.89.0` |



Updates `better-auth` from 1.6.11 to 1.6.15
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/better-auth@1.6.15/packages/better-auth)

Updates `date-fns` from 4.3.0 to 4.4.0
- [Release notes](https://github.com/date-fns/date-fns/releases)
- [Commits](date-fns/date-fns@v4.3.0...v4.4.0)

Updates `hono` from 4.12.23 to 4.12.24
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.23...v4.12.24)

Updates `eslint` from 10.4.0 to 10.4.1
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.4.0...v10.4.1)

Updates `fallow` from 2.83.0 to 2.89.0
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.83.0...v2.89.0)

---
updated-dependencies:
- dependency-name: better-auth
  dependency-version: 1.6.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: date-fns
  dependency-version: 4.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: eslint
  dependency-version: 10.4.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: fallow
  dependency-version: 2.89.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: hono
  dependency-version: 4.12.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-deps-6d1577ce7c branch from 7f6de3b to de66b21 Compare June 15, 2026 16:26
@mroderick


Dependency Upgrade Review: Group PR (5 updates)

| Package | From | To | Type | Risk |
| --- | --- | --- | --- | --- |
| better-auth | 1.6.11 | 1.6.15 | production | Low |
| date-fns | 4.3.0 | 4.4.0 | production | Low |
| hono | 4.12.23 | 4.12.24 | production | Low |
| eslint | 10.4.0 | 10.4.1 | dev | Low |
| fallow | 2.83.0 | 2.89.0 | dev | Low |

Also adds engines field (node >= 24.0.0) and bumps kysely (transitive) 0.28.17 → 0.29.2.

Changes by Dependency

better-auth 1.6.11 → 1.6.15 — 4 bug-fix releases. Session cookie refresh, redirect URI validation, Kysely 0.29 compatibility, Google One Tap fix, admin user management error handling. Used via betterAuth(), magicLink, admin — all stable APIs. Compatible

date-fns 4.3.0 → 4.4.0 — CDN scripts deprecated in favour of @date-fns/cdn (irrelevant to npm consumers). Zipped package reduced from 5.83 MB to 3.96 MB. No API changes. Used: format(), formatISO(). Compatible

hono 4.12.23 → 4.12.24 — Patch bump. IPv6 address parsing fix, bearer auth error message, config cleanup. Used extensively as the web framework. Compatible

eslint 10.4.0 → 10.4.1 — Patch bump. Bug fixes only. Dev dependency. Compatible

fallow 2.83.0 → 2.89.0 — Feature release across 6 versions: editor intelligence, health breakdowns, security candidates. Dev dependency. Compatible

Transitive: kysely 0.28.17 → 0.29.2 — better-auth 1.6.15 explicitly supports ^0.28.17 || ^0.29.0. Not directly imported in source code. Handled by better-auth's peer dependency range. Low risk

engines field: `"node": ">= 24.0.0"`. Current runtime is v24.16.0. Satisfied.

Compatibility Assessment

Compatible — all upgrades are safe. Production deps are minor/patch bumps with bug fixes or internal changes only. Dev deps have zero runtime impact.

Test Coverage

99 tests pass on current deps. The code paths using these deps (hono routes, better-auth config, date-fns formatting) are exercised by the test suite.

Confidence Rating

High — no breaking or behavioural changes affecting how the codebase uses any of these packages.
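The review above rests on three checks a reviewer can mechanise rather than eyeball: that the lockfile really resolves the versions the PR description claims, that the transitive kysely bump stays inside better-auth's declared peer range, and that the new engines field is satisfied by the runtime. The block below is an added review helper, not code from this repository or from any of the bumped packages; the lockfile object is constructed to mirror the figures in the review (an npm v3 `package-lock.json` keeps the same `packages["node_modules/<name>"].version` layout, which is the only lockfile detail assumed). The range matcher covers just the syntax that appears on this page (caret ranges, `>=`, `||`).

```javascript
// Added review helper (not part of this repository or of the bumped packages):
// verify a dependency-bump PR's claims against the lockfile instead of trusting
// the PR description. Versions are the ones stated in the review; the lockfile
// below is constructed to match them.

const CLAIMED = {
  'better-auth': '1.6.15',
  'date-fns': '4.4.0',
  hono: '4.12.24',
  eslint: '10.4.1',
  fallow: '2.89.0',
};

const SAMPLE_LOCK = {
  packages: {
    'node_modules/better-auth': {
      version: '1.6.15',
      peerDependencies: { kysely: '^0.28.17 || ^0.29.0' },
    },
    'node_modules/kysely': { version: '0.29.2' },
    'node_modules/date-fns': { version: '4.4.0' },
    'node_modules/hono': { version: '4.12.24' },
    'node_modules/eslint': { version: '10.4.1' },
    'node_modules/fallow': { version: '2.89.0' },
  },
};

function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(text.trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Range subset used on this page: caret ranges, ">=" comparators and "||".
// Caret follows npm: ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((alt) => {
    const r = alt.trim();
    if (r.startsWith('^')) {
      const lo = parseVersion(r.slice(1));
      const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0]
        : lo[1] > 0 ? [0, lo[1] + 1, 0]
          : [0, 0, lo[2] + 1];
      return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
    }
    if (r.startsWith('>=')) return compareVersions(v, parseVersion(r.slice(2))) >= 0;
    throw new Error(`unsupported range syntax: ${r}`);
  });
}

// Returns a list of findings; an empty list means every claim holds.
function reviewLock(lock, claimed, runtimeNodeVersion, enginesNodeRange) {
  const findings = [];
  // 1. Every package the PR says it bumps must resolve to exactly that version.
  for (const [name, want] of Object.entries(claimed)) {
    const got = lock.packages[`node_modules/${name}`]?.version;
    if (got !== want) findings.push(`${name}: lockfile resolves ${got ?? 'nothing'}, PR claims ${want}`);
  }
  // 2. Every declared peer dependency must be installed inside its range
  //    (this is the kysely 0.29.2 vs "^0.28.17 || ^0.29.0" check).
  for (const [key, entry] of Object.entries(lock.packages)) {
    for (const [peer, range] of Object.entries(entry.peerDependencies ?? {})) {
      const resolved = lock.packages[`node_modules/${peer}`]?.version;
      if (resolved === undefined) {
        findings.push(`${key}: peer ${peer} is not installed`);
        continue;
      }
      if (!satisfies(resolved, range)) findings.push(`${key}: peer ${peer}@${resolved} is outside ${range}`);
    }
  }
  // 3. The engines.node range must admit the runtime that will run the code.
  if (!satisfies(runtimeNodeVersion, enginesNodeRange)) {
    findings.push(`runtime ${runtimeNodeVersion} does not satisfy engines.node ${enginesNodeRange}`);
  }
  return findings;
}

const reviewFindings = reviewLock(SAMPLE_LOCK, CLAIMED, 'v24.16.0', '>= 24.0.0');
console.log(reviewFindings.length === 0 ? 'lockfile matches PR claims' : reviewFindings.join('\n'));
```

Against a real checkout, replace SAMPLE_LOCK with the parsed `package-lock.json`, pass `process.version` as the runtime and read the engines range from `package.json`; a non-empty findings list is the signal that the description and the lockfile have drifted apart and the PR should not be approved on the description alone.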

@mroderick mroderick left a comment


Approved. See analysis comment above.

@mroderick mroderick merged commit 5ae35b5 into main Jun 15, 2026
6 checks passed
@mroderick mroderick deleted the dependabot/npm_and_yarn/npm-deps-6d1577ce7c branch June 15, 2026 16:44