Skip to content

chore(deps): bump the npm_and_yarn group across 2 directories with 10 updates #18

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dependabot wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): bump the npm_and_yarn group across 2 directories with 10 updates #18

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Dec 8, 2025

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package From To
rollup 4.9.2 4.22.4
vite 5.0.10 5.4.21
vitest 1.1.1 1.6.1
glob 10.3.10 10.5.0
zx 7.2.3 8.8.5

Bumps the npm_and_yarn group with 2 updates in the /config directory: glob and zx.

Updates rollup from 4.9.2 to 4.22.4

Release notes

Sourced from rollup's releases.

v4.22.4

4.22.4

2024-09-21

Bug Fixes

  • Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

v4.22.3

4.22.3

2024-09-21

Bug Fixes

  • Ensure that mutations in modules without side effects are observed while properly handling transitive dependencies (#5669)

Pull Requests

v4.22.2

4.22.2

2024-09-20

Bug Fixes

  • Revert fix for side effect free modules until other issues are investigated (#5667)

Pull Requests

v4.22.1

4.22.1

2024-09-20

Bug Fixes

  • Revert #5644 "stable chunk hashes" while issues are being investigated

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.22.4

2024-09-21

Bug Fixes

  • Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

4.22.3

2024-09-21

Bug Fixes

  • Ensure that mutations in modules without side effects are observed while properly handling transitive dependencies (#5669)

Pull Requests

4.22.2

2024-09-20

Bug Fixes

  • Revert fix for side effect free modules until other issues are investigated (#5667)

Pull Requests

4.22.1

2024-09-20

Bug Fixes

  • Revert #5644 "stable chunk hashes" while issues are being investigated

Pull Requests

... (truncated)

Commits

Updates vite from 5.0.10 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

v5.4.19

Please refer to CHANGELOG.md for details.

v5.4.18

Please refer to CHANGELOG.md for details.

v5.4.17

Please refer to CHANGELOG.md for details.

v5.4.16

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

5.4.20 (2025-09-08)

5.4.19 (2025-04-30)

5.4.18 (2025-04-10)

5.4.17 (2025-04-03)

5.4.16 (2025-03-31)

5.4.15 (2025-03-24)

5.4.14 (2025-01-21)

... (truncated)

Commits

Updates vitest from 1.1.1 to 1.6.1

Release notes

Sourced from vitest's releases.

v1.6.1

This release includes security patches for:

   🐞 Bug Fixes

    View changes on GitHub
Commits
Maintainer changes

This version was pushed to npm by vitestbot, a new releaser for vitest since your current version.


Updates glob from 10.3.10 to 10.5.0

Changelog

Sourced from glob's changelog.

changeglob

13

  • Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

  • Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

  • Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
  • Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.
  • Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

  • Drop support for node before v20

10.4

  • Add includeChildMatches: false option
  • Export the Ignore class

10.3

  • Add --default -p flag to provide a default pattern
  • exclude symbolic links to directories when follow and nodir are both set

10.2

  • Add glob cli

10.1

  • Return '.' instead of the empty string '' when the current working directory is returned as a match.
  • Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

Updates zx from 7.2.3 to 8.8.5

Release notes

Sourced from zx's releases.

8.8.5 — Temporary Reservoir

This release fixes the issue, when zx flushes external node_modules on linking #1348 #1349 #1355

Also [email protected] arrives here.

8.8.4 — Flange Coupling

It's time. This release updates zx internals to make the ps API and related methods ProcessPromise.kill(), kill() work on Windows systems without wmic. #1344 webpod/ps#15

  1. WMIC will be missing in Windows 11 25H2 (kernel >= 26000)
  2. The windows-latest label in GitHub Actions will migrate from Windows Server 2022 to Windows Server 2025 beginning September 2, 2025 and finishing by September 30, 2025.

https://github.blog/changelog/2025-07-31-github-actions-new-apis-and-windows-latest-migration-notice/#windows-latest-image-label-migration

8.8.3 — Sealing Gasket

Continues #1339 to prevent injections via Proxy input or custom toString() manipulations.

8.8.2 — Leaking Valve

Fixes potential cmd injection via kill() method for Windows platform. #1337 #1339. Affects the versions range 8.7.1...8.8.1.

8.8.1 — Turbo Flush

We keep improving the projects internal infra to bring more stability, safety and performance for artifacts.

Featfixes

  • Applied flags filtration for CLI-driven deps install #1308
  • Added kill() event logging #1312
  • Set SIGTERM as kill() fallback signal #1313
  • Allowed stdio() arg be an array #1311
const p = $({halt: true})`cmd`
p.stdio([stream, 'ignore', 'pipe'])

Enhancements

8.8.0 — Pressure Tested

This release enhances the coherence between the ProcessPromise and the Streams API, eliminating the need for certain script-level workarounds.

✨ New Features

unpipe() — Selectively stop piping

You can now call .unpipe() to stop data transfer from a source to a destination without closing any of the pair. #1302

</tr></table>

... (truncated)

Commits

Updates next from 14.0.4 to 14.2.33

Commits
  • 5a97b40 v14.2.33
  • cb88824 backport(v14): omit searchParam data from FlightRouterState before transport ...
  • 89ee561 v14.2.32
  • 6a974ad [backport v14]: fix router handling when setting a location response header (...
  • 55f7662 v14.2.31
  • 5dd68a5 [backport v14]: fix(next/image): improve and simplify detect-content-type (#8...
  • bcc7c65 [backport v14]: fix(next/image): fix image-optimizer.ts headers (#82114) (#82...
  • 243072b v14.2.30
  • f523d4a [backport]: config.allowedDevOrigins (#80410)
  • ca92115 v14.2.29
  • Additional commits viewable in compare view

Updates @babel/helpers from 7.23.7 to 7.28.4

Release notes

Sourced from @​babel/helpers's releases.

v7.28.4 (2025-09-05)

Thanks @​gwillen and @​mrginglymus for your first PRs!

🏠 Internal

Committers: 5

v7.28.3 (2025-08-14)

👓 Spec Compliance

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

🐛 Bug Fix

💅 Polish

  • babel-plugin-transform-regenerator, babel-plugin-transform-runtime

📝 Documentation

🏠 Internal

🔬 Output optimization

  • babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

Committers: 5

... (truncated)

Changelog

Sourced from @​babel/helpers's changelog.

v7.28.4 (2025-09-05)

🏠 Internal

v7.28.3 (2025-08-14)

👓 Spec Compliance

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

🐛 Bug Fix

💅 Polish

  • babel-plugin-transform-regenerator, babel-plugin-transform-runtime

📝 Documentation

🏠 Internal

🔬 Output optimization

  • babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

v7.28.2 (2025-07-24)

🐛 Bug Fix

  • babel-types
  • babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

v7.28.1 (2025-07-12)

🐛 Bug Fix

  • babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator

📝 Documentation

... (truncated)

Commits

Updates base-x from 3.0.9 to 3.0.11

Commits

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

  • pkg: publish on tag 1.x c460dbd
  • fmt ccb8ac6
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

Updates webpack from 5.89.0 to 5.103.0

Release notes

Sourced from webpack's releases.

v5.103.0

Features

  • Added DotenvPlugin and top level dotenv option to enable this plugin
  • Added WebpackManifestPlugin
  • Added support the ignoreList option in devtool plugins
  • Allow to use custom javascript parse function
  • Added import.meta.env support for environment variables
  • Added support for import.meta.dirname and import.meta.filename
  • Added support import.defer() for statistical path
  • Handle import.meta.main
  • Added suport to setup named exports for JSON modules and disable usage named export for import file from "./file.json" with { type: "json" }
  • Added support __dirname/__filename/import.meta.dirname/import.meta.filename for universal target
  • [CSS] Added the exportType option with link (by default), "text" and css-style-sheet values
  • [CSS] Added support for composes properties

Fixes

  • The dependOn chunk must be loaded before the common chunk
  • Return to namespace import when the external request includes a specific export
  • No runtime extra runtime code for module libraries
  • Delay HMR accept dependencies to preserve import attributes
  • Properly handle external presets for universal target
  • Fixed incorrect identifier of import binding for module externals
  • Fixed when defer import and dynamic default export mixed
  • Reduce generated output when globalThis supported
  • Fixed loading async modules in defer import
  • Reexport module for default import when no used exports for systemjs library
  • Rename HarmonyExportDependencyParserPlugin exported id to CompatibilityPlugin tagged id
  • Handle __dirname and __filename for ES modules
  • Rename single nested __webpack_export__ and __webpack_require__ in already bundled code
  • [Types] webpack function type
  • [Types] NormalModule type
  • [Types] Multi compiler configuration type
  • [Types] Fixed regression in custom hashDigest type
  • [CSS] No extra runtime for initial chunk
  • [CSS] Fixed a lot of CSS modules bugs

v5.102.1

Fixes

  • Supported extends with env for browserslist
  • Supported JSONP fragment format for web workers.
  • Fixed dynamic import support in workers using browserslist.
  • Fixed default defer import mangling.
  • Fixed default import of commonjs externals for SystemJS format.
  • Fixed context modules to the same file with different import attributes.
  • Fixed typescript types.
  • Improved import.meta warning messages to be more clear when used directly.
  • [CSS] Fixed CC_UPPER_U parsing (E -> U) in tokenizer.

... (truncated)

Commits
  • e021948 chore(release): 5.103.0
  • 1dc6967 chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 (#20130)
  • 077417f fix(css): many css modules bugs (#20129)
  • 7722518 chore: fix script (#20128)
  • 688a7f9 test: no runtime requirements for module library (#20127)
  • 04fe5a1 refactor: pkg.pr.new publish (#20093)
  • 27c05c7 fix: return to namespace import when the external request includes a specific...
  • 067cc60 refactor: no runtime requirements for module library (#20096)
  • d4208ba fix: delay HMR accept dependencies to preserve import attributes (#20124)
  • 102e1a4 feat(css): added css-style-sheet to exportType for CSSStyleSheet return (#20104)
  • Additional commits viewable in compare view

Updates glob from 10.3.10 to 10.5.0

Changelog

Sourced from glob's changelog.

changeglob

13

  • Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

  • Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

  • Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
  • Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.
  • Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

  • Drop support for node before v20

10.4

  • Add includeChildMatches: false option
  • Export the Ignore class

10.3

  • Add --default -p flag to provide a default pattern
  • exclude symbolic links to directories when follow and nodir are both set

10.2

  • Add glob cli

10.1

  • Return '.' instead of the empty string '' when the current working directory is returned as a match.
  • Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

Updates zx from 7.2.3 to 8.8.5

Release notes

Sourced from zx's releases.

8.8.5 — Temporary Reservoir

This release fixes the issue, when zx flushes external node_modules on linking #1348 #1349 #1355

Also [email protected] arrives here.

8.8.4 — Flange Coupling

It's time. This release updates zx internals to make the ps API and related methods ProcessPromise.kill(), kill() work on Windows systems without wmic. #1344 webpod/ps#15

  1. WMIC will be missing in Windows 11 25H2 (kernel >= 26000)
  2. The windows-latest label in GitHub Actions will migrate from Windows Server 2022 to Windows Server 2025 beginning September 2, 2025 and finishing by September 30, 2025.

https://github.blog/changelog/2025-07-31-github-actions-new-apis-and-windows-latest-migration-notice/#windows-latest-image-label-migration

8.8.3 — Sealing Gasket

Continues #1339 to prevent injections via Proxy input or custom toString() manipulations.

8.8.2 — Leaking Valve

Fixes potential cmd injection via kill() method for Windows platform. #1337 #1339. Affects the versions range 8.7.1...8.8.1.

8.8.1 — Turbo Flush

We keep improving the projects internal infra to bring more stability, safety and performance for artifacts.

Featfixes

  • Applied flags filtration for CLI-driven deps install #1308
  • Added kill() event logging #1312
  • Set SIGTERM as kill() fallback signal #1313
  • Allowed stdio() arg be an array #1311
const p = $({halt: true})`cmd`
p.stdio([stream, 'ignore', 'pipe'])

Enhancements

8.8.0 — Pressure Tested

This release enhances the coherence between the ProcessPromise and the Streams API, eliminating the need for certain script-level workarounds.

✨ New Features

unpipe() — Selectively stop piping

You can now call .unpipe() to stop data transfer from a source to a destination without closing any of the pair. #1302

</tr></table>

... (truncated)

Commits

@dependabot
chore(deps): bump the npm_and_yarn group across 2 directories with 10…
318275d 
… updates

Bumps the npm_and_yarn group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [rollup](https://github.com/rollup/rollup) | `4.9.2` | `4.22.4` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `5.0.10` | `5.4.21` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `1.1.1` | `1.6.1` |
| [glob](https://github.com/isaacs/node-glob) | `10.3.10` | `10.5.0` |
| [zx](https://github.com/google/zx) | `7.2.3` | `8.8.5` |

Bumps the npm_and_yarn group with 2 updates in the /config directory: [glob](https://github.com/isaacs/node-glob) and [zx](https://github.com/google/zx).


Updates `rollup` from 4.9.2 to 4.22.4
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.9.2...v4.22.4)

Updates `vite` from 5.0.10 to 5.4.21
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v5.4.21/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v5.4.21/packages/vite)

Updates `vitest` from 1.1.1 to 1.6.1
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v1.6.1/packages/vitest)

Updates `glob` from 10.3.10 to 10.5.0
- [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
- [Commits](isaacs/node-glob@v10.3.10...v10.5.0)

Updates `zx` from 7.2.3 to 8.8.5
- [Release notes](https://github.com/google/zx/releases)
- [Commits](google/zx@7.2.3...8.8.5)

Updates `next` from 14.0.4 to 14.2.33
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v14.0.4...v14.2.33)

Updates `@babel/helpers` from 7.23.7 to 7.28.4
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.28.4/packages/babel-helpers)

Updates `base-x` from 3.0.9 to 3.0.11
- [Commits](cryptocoinjs/base-x@v3.0.9...v3.0.11)

Updates `brace-expansion` from 1.1.11 to 1.1.12
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12)

Updates `webpack` from 5.89.0 to 5.103.0
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](webpack/webpack@v5.89.0...v5.103.0)

Updates `glob` from 10.3.10 to 10.5.0
- [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
- [Commits](isaacs/node-glob@v10.3.10...v10.5.0)

Updates `zx` from 7.2.3 to 8.8.5
- [Release notes](https://github.com/google/zx/releases)
- [Commits](google/zx@7.2.3...8.8.5)

---
updated-dependencies:
- dependency-name: rollup
  dependency-version: 4.22.4
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 5.4.21
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: vitest
  dependency-version: 1.6.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: glob
  dependency-version: 10.5.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: zx
  dependency-version: 8.8.5
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 14.2.33
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@babel/helpers"
  dependency-version: 7.28.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: base-x
  dependency-version: 3.0.11
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: webpack
  dependency-version: 5.103.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: glob
  dependency-version: 10.5.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: zx
  dependency-version: 8.8.5
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Dec 8, 2025
@dependabot dependabot bot mentioned this pull request Dec 8, 2025
Closed
@semanticdiff-com
Copy link

semanticdiff-com bot commented Dec 8, 2025
edited
Loading

Review changes with  SemanticDiff

Changed Files
File Status
  package.json  1% smaller
  config/package.json  0% smaller
  pnpm-lock.yaml Unsupported file format

@snyk-io
Copy link

snyk-io bot commented Dec 8, 2025

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant