
chore(deps): consolidate open dependabot updates #110

Merged
0xisk merged 3 commits into main from chore/consolidate-dependabot on Jun 8, 2026

Conversation

0xisk (Member) commented Jun 8, 2026

Consolidates all open dependabot PRs into a single, build-verified change.

What's included

| Source PR | Update | Status |
| --- | --- | --- |
| #106 | @biomejs/biome 2.4.15 → 2.4.16 | applied |
| #104 | actions-deps group, 7 GitHub Actions updates | applied |
| #98 | typescript ^5.x → ^6.0.3 (root + builder + cli + simulator) | applied |
| #52 | vitest 4.0.15 → 4.0.16 | superseded (main is already ^4.1.6) |
| #37 | turbo 2.6.1 → 2.6.3 | superseded (main is already ^2.9.14) |

#104 covers: harden-runner, actions/checkout, codeql-action, create-github-app-token, setup-node, upload-artifact, verified-bot-commit.

Notes

Closes #106
Closes #104
Closes #98
Closes #52
Closes #37

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow action versions to latest pinned releases for improved security and stability.
    • Upgraded TypeScript to v6.0.3 across all packages.
    • Updated Biome linting tool to v2.4.16.

Roll the open dependabot PRs into a single change so they can be
merged and verified together rather than five separate bumps.

* deps-dev: bump @biomejs/biome 2.4.15 -> 2.4.16 (#106)
* deps-dev: bump typescript ^5.x -> ^6.0.3 across the workspace
  root and the builder, cli, and simulator packages (#98)
* ci: bump the actions-deps group with 7 updates (#104) -
  harden-runner, actions/checkout, codeql-action,
  create-github-app-token, setup-node, upload-artifact,
  verified-bot-commit

vitest (#52) and turbo (#37) are already superseded on main
(^4.1.6 and ^2.9.14), so those PRs are closed as obsolete with no
change needed here.

The typescript 6.0 major bump is verified: build, types, lint, and
the test suite all pass. @types/node is kept at 25.9.1 (dependabot
#98 had introduced a 25.0.3 typo in the cli package).

Closes #106
Closes #104
Closes #98
Closes #52
Closes #37
@0xisk 0xisk requested review from a team as code owners June 8, 2026 11:57
coderabbitai (Bot) commented Jun 8, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

Walkthrough

Updated GitHub Actions workflow pins across CI checks, CodeQL, release, and scorecard workflows. Bumped development dependencies: TypeScript to v6.0.3 across all packages, @biomejs/biome to v2.4.16 in the root package.json, and multiple GitHub Actions to newer versions.

Changes

Dependency and Action Version Bumps

| Layer / File(s) | Summary |
| --- | --- |
| GitHub Actions workflow action version pins: .github/workflows/checks.yml, .github/workflows/codeql.yml, .github/workflows/release-publish.yml, .github/workflows/release.yml, .github/workflows/scorecard.yml | Harden-runner updated from v2.16.1 to v2.19.4, checkout from v6.0.2 to v6.0.3, CodeQL actions to newer v4 pins, create-github-app-token from v3.0.0 to v3.2.0, setup-node from v6.1.0 to v6.4.0, verified-bot-commit from v2.2.1 to v2.3.2, and upload-artifact to v7.0.1. |
| Development dependency version updates: package.json, packages/builder/package.json, packages/cli/package.json, packages/simulator/package.json | TypeScript bumped from v5.9.3 to v6.0.3 across root and all workspace packages. @biomejs/biome updated from v2.4.15 to v2.4.16 in root package.json. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

enhancement

Suggested reviewers

  • pepebndc

Poem

🐰 Versions climbing ever high,
Actions pinned for safety's sigh,
TypeScript six and Biome bright,
Dependencies all set just right!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore(deps): consolidate open dependabot updates' clearly and concisely describes the main objective of consolidating multiple Dependabot PRs into a single changeset. |
| Linked Issues check | ✅ Passed | The PR successfully addresses core objectives from all linked issues: TypeScript 6.0.3 bumped across packages [#98], @biomejs/biome updated to 2.4.16 [#106], 7 GitHub Actions updated [#104], and appropriately closed obsolete issues #52 and #37. |
| Out of Scope Changes check | ✅ Passed | All changes are strictly within scope: dependency version updates in package.json files and GitHub Actions workflows align directly with the five Dependabot PRs being consolidated; no unrelated code modifications present. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


coderabbitai (Bot) left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:

In .github/workflows/scorecard.yml:

- Line 37: Update the inline comment next to the actions/checkout usage to reflect the actual version for the pinned commit SHA df4cb1c069e1874edd31b4311f1884172cec0e10 by changing the comment from "# v4.5.4" to "# v6.0.3" so the `uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10` line accurately documents the action version.

📥 Commits

Reviewing files that changed from the base of the PR and between 8492388 and f5e1698.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (9)
  • .github/workflows/checks.yml
  • .github/workflows/codeql.yml
  • .github/workflows/release-publish.yml
  • .github/workflows/release.yml
  • .github/workflows/scorecard.yml
  • package.json
  • packages/builder/package.json
  • packages/cli/package.json
  • packages/simulator/package.json

Comment thread .github/workflows/scorecard.yml (Outdated)

The pinned SHA df4cb1c is actions/checkout v6.0.3, matching the same bump in the other workflows. Dependabot left the stale # v4.5.4 comment, which is misleading.

Refs: #110

The pinned SHA 87557b9 is codeql-action v4 (matching codeql.yml), not v3.29.5. Fix the stale comment for consistency.

Refs: #110
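The stale version comments flagged in the review prompt and in the two comment threads above are a recurring Dependabot artefact: the SHA is correct, the human-readable `# vX.Y.Z` beside it is not. The following check is an added example, not part of this PR or the project's tooling. It extracts every `uses:` pin from a set of workflow files, reports refs that are not full commit SHAs (mutable tags), and reports any action SHA that carries different version comments in different workflows. The workflow texts are constructed; the actions/checkout SHA and its v6.0.3 / v4.5.4 comments are the ones from this PR, and the harden-runner tag pin is a made-up example of a mutable reference.

```python
import re
from collections import defaultdict

# Matches a `uses:` step reference and its optional trailing version comment,
# e.g. `- uses: actions/checkout@df4cb1c0... # v6.0.3`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflows. The checkout SHA and its conflicting comments
# (v6.0.3 vs stale v4.5.4) are from this PR; the harden-runner tag pin is made up.
SAMPLE_WORKFLOWS = {
    ".github/workflows/checks.yml": """
jobs:
  build:
    steps:
      - uses: step-security/harden-runner@v2
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
""",
    ".github/workflows/scorecard.yml": """
jobs:
  analysis:
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4.5.4
""",
}

def scan_workflows(workflows):
    """workflows: {path: yaml text}. Returns (path, line, message) findings."""
    findings = []
    pins = defaultdict(set)  # (action, sha) -> {(path, line, version comment)}
    for path, text in workflows.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = USES_RE.match(line)
            if not m:
                continue
            action, ref, comment = m.group("action", "ref", "comment")
            if not FULL_SHA_RE.match(ref):
                findings.append((path, lineno, f"{action} pinned to mutable ref {ref!r}, not a full commit SHA"))
            else:
                pins[(action, ref)].add((path, lineno, comment))
    # One SHA annotated with different versions means at least one comment is stale.
    for (action, sha), uses in pins.items():
        versions = {c for _, _, c in uses if c}
        if len(versions) > 1:
            for path, lineno, comment in sorted(uses):
                findings.append((path, lineno, f"{action}@{sha[:7]} commented as {comment} here, "
                                               f"{sorted(versions - {comment})} elsewhere"))
    return findings
```

Run `scan_workflows` over the contents of `.github/workflows/*.yml` to surface both problems before a Scorecard or review pass does; a comment mismatch is only a documentation defect, whereas a non-SHA ref is a real pinning gap.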
@0xisk 0xisk enabled auto-merge (squash) June 8, 2026 12:18
@0xisk 0xisk merged commit 9213df2 into main Jun 8, 2026
10 checks passed
@0xisk 0xisk deleted the chore/consolidate-dependabot branch June 8, 2026 12:47