build(deps): bump the npm_and_yarn group across 1 directory with 16 updates

[dependabot]

Bumps the npm_and_yarn group with 9 updates in the / directory:

Package	From	To
rollup	2.28.2	2.80.0
@babel/traverse	7.11.5	7.29.7
decode-uri-component	0.2.0	0.2.2
flatted	2.0.2	3.4.2
ini	1.3.5	1.3.8
js-yaml	3.14.0	removed
json-schema	0.2.3	0.4.0
y18n	4.0.0	4.0.3
y18n	5.0.1	5.0.8
shell-quote	1.7.2	1.8.4

Updates rollup from 2.28.2 to 2.80.0

Release notes

Sourced from rollup's releases.

v.2.79.2

2.79.2

2024-09-26

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

• #5671: Fix DOM Clobbering CVE (@​lukastaegert)

Changelog

Sourced from rollup's changelog.

2.80.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6277)

Pull Requests

• #6277: Validate bundle stays within output dir (@​lukastaegert)

2.79.2

2024-09-26

Bug Fixes

• Resolve CVE-2024-43788 (#5677)

Pull Requests

• #5677: resolve DOM Clobbering CVE-2024-43788 (backport to v2) (@​fabianszabo)

2.79.1

2022-09-22

Bug Fixes

• Avoid massive performance degradation when creating thousands of chunks (#4643)

Pull Requests

• #4639: fix: typo docs and contributors link in CONTRIBUTING.md (@​takurinton)
• #4641: Update type definition of resolveId (@​ivanjonas)
• #4643: Improve performance of chunk naming collision check (@​lukastaegert)

2.79.0

2022-08-31

Features

• Add amd.forceJsExtensionForImports to enforce using .js extensions for relative AMD imports (#4607)

Pull Requests

• #4607: add option to keep extensions for amd (@​wh1tevs)

... (truncated)

Commits

• d17ae15 2.80.0
• d6dee5e Validate bundle stays within output dir (#6277)
• c9bd03d 2.79.2
• 48aef33 fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2) (#5677)
• 69ff418 2.79.1
• 04dce1b Update changelog
• 159137e fix: typo docs and contributors link in CONTRIBUTING.md (#4639)
• e1392b3 Update type definition of resolveId (#4641)
• 7836357 Improve performance of chunk naming collision check (#4643)
• 71d20c9 Reduce permissions for repl-artefacts.yml workflow (#4630)
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates @babel/traverse from 7.11.5 to 7.29.7

Release notes

Sourced from @​babel/traverse's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18014 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #18001 [7.x packport]Improve input source map handling (@​JLHwung)
• babel-core, babel-generator
  • #17998 Preserve original identifier names from input sourcemaps (#17992) (@​Andarist)

Committers: 3

• Huáng Jùnliàng (@​JLHwung)
• Mateusz Burzyński (@​Andarist)
• Nicolò Ribaudo (@​nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

• babel-preset-env
  • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser

... (truncated)

Commits

• 4fba754 v7.29.7
• aa8394e v7.29.0
• 84366a8 fix(traverse): provide a hub when traversing a File or Program and no parentP...
• 229eb45 [7.x backport] fix: Rename switch discriminant references when body creates s...
• d7f4008 v7.28.6
• 905bc22 fix: lint errors in main branch (#17612)
• a03e2b6 fix: path.evaluate correctly returns confident (#17584)
• aac2c37 chore: Use Gulpfile.mts (#17579)
• 65c4a6b [Babel 8] fix: Improve traverse types (#17574)
• 99dcba5 chore: enable some ts-eslint rules (#17592)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​babel/traverse since your current version.

Updates braces from 2.3.2 to 1.8.5

Changelog

Sourced from braces's changelog.

[2.3.2] - 2018-04-08

• start refactoring
• cover sets
• better range handling

[2.3.1] - 2018-02-17

• Remove unnecessary escape in Regex. (#14)

[2.3.0] - 2017-10-19

• minor code reorganization
• optimize regex
• expose maxLength option

[2.2.1] - 2017-05-30

• don't condense when braces contain extglobs

[2.2.0] - 2017-05-28

• ensure word boundaries are preserved
• fixes edge case where extglob characters precede a brace pattern

[2.1.1] - 2017-04-27

• use snapdragon-node
• handle edge case
• optimizations, lint

[2.0.4] - 2017-04-11

• pass opts to compiler
• minor optimization in create method
• re-write parser handlers to remove negation regex

[2.0.3] - 2016-12-10

• use split-string
• clear queue at the end
• adds sequences example
• add unit tests

[2.0.2] - 2016-10-21

• fix comma handling in nested extglobs

[2.0.1] - 2016-10-20

... (truncated)

Commits

• See full diff in compare view

Updates decode-uri-component from 0.2.0 to 0.2.2

Release notes

Sourced from decode-uri-component's releases.

v0.2.2

• Prevent overwriting previously decoded tokens 980e0bf

SamVerschueren/decode-uri-component@v0.2.1...v0.2.2

v0.2.1

• Switch to GitHub workflows 76abc93
• Fix issue where decode throws - fixes #6 746ca5d
• Update license (#1) 486d7e2
• Tidelift tasks a650457
• Meta tweaks 66e1c28

SamVerschueren/decode-uri-component@v0.2.0...v0.2.1

Commits

• a0eea46 0.2.2
• 980e0bf Prevent overwriting previously decoded tokens
• 3c8a373 0.2.1
• 76abc93 Switch to GitHub workflows
• 746ca5d Fix issue where decode throws - fixes #6
• 486d7e2 Update license (#1)
• a650457 Tidelift tasks
• 66e1c28 Meta tweaks
• See full diff in compare view

Updates flatted from 2.0.2 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates ini from 1.3.5 to 1.3.8

Commits

• a2c5da8 1.3.8
• af5c6bb Do not use Object.create(null)
• 8b648a1 don't test where our devdeps don't even work
• c74c8af 1.3.7
• 024b8b5 update deps, add linting
• 032fbaf Use Object.create(null) to avoid default object property hazards
• 2da9039 1.3.6
• cfea636 better git push script, before publish instead of after
• 56d2805 do not allow invalid hazardous string as section name
• See full diff in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for ini since your current version.

Removes js-yaml

Updates json-schema from 0.2.3 to 0.4.0

Commits

• f6f6a3b Use a little more robust method of checking instances
• ef60987 Update version
• b62f1da Protect against constructor modification, #84
• fb427cd Link to json-schema-org repository in addition to site, fixes #54
• 22f1461 Don't allow proto property to be used for schema default/coerce, fixes #84
• c52a27c Get basic test to pass
• b3f42b3 Add security policy
• 3b0cec3 Update version
• c28470f Update readme to acknowledge the state of the package
• 7dff9cd Merge pull request #81 from hodovani/patch-1
• Additional commits viewable in compare view

Updates json5 from 1.0.1 to 1.0.2

Release notes

Sourced from json5's releases.

v1.0.2

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295). This has been backported to v1. (#298)

Changelog

Sourced from json5's changelog.

Unreleased [code, diff]

v2.2.3 [code, diff]

• Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

• Fix: Removed dependence on minimist to patch CVE-2021-44906. (#266)

v2.2.0 [code, diff]

• New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

• Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2 [code, diff]

... (truncated)

Commits

• a62db1e 1.0.2
• e0c23fe docs: update CHANGELOG for v1.0.2
• 62a6540 fix: add proto to objects and arrays
• See full diff in compare view

Updates lodash from 4.17.20 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates minimatch from 3.0.4 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates minimist from 1.2.5 to 1.2.8

Changelog

Sourced from minimist's changelog.

v1.2.8 - 2023-02-09

Merged

• [Fix] Fix long option followed by single dash [#17](https://github.com/minimistjs/minimist/issues/17)
• [Tests] Remove duplicate test [#12](https://github.com/minimistjs/minimist/issues/12)
• [Fix] opt.string works with multiple aliases [#10](https://github.com/minimistjs/minimist/issues/10)

Fixed

• [Fix] Fix long option followed by single dash (#17) [#15](https://github.com/minimistjs/minimist/issues/15)
• [Tests] Remove duplicate test (#12) [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] Fix long option followed by single dash [#15](https://github.com/minimistjs/minimist/issues/15)
• [Fix] opt.string works with multiple aliases (#10) [#9](https://github.com/minimistjs/minimist/issues/9)
• [Fix] Fix handling of short option with non-trivial equals [#5](https://github.com/minimistjs/minimist/issues/5)
• [Tests] Remove duplicate test [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] opt.string works with multiple aliases [#9](https://github.com/minimistjs/minimist/issues/9)

Commits

• Merge tag 'v0.2.3' a026794
• [eslint] fix indentation and whitespace 5368ca4
• [eslint] fix indentation and whitespace e5f5067
• [eslint] more cleanup 62fde7d
• [eslint] more cleanup 36ac5d0
• [meta] add auto-changelog 73923d2
• [actions] add reusable workflows d80727d
• [eslint] add eslint; rules to enable later are warnings 48bc06a
• [eslint] fix indentation 34b0f1c
• [readme] rename and add badges 5df0fe4
• [Dev Deps] switch from covert to nyc a48b128
• [Dev Deps] update covert, tape; remove unnecessary tap f0fb958
• [meta] create FUNDING.yml; add funding in package.json 3639e0c
• [meta] use npmignore to autogenerate an npmignore file be2e038
• Only apps should have lockfiles 282b570
• isConstructorOrProto adapted from PR ef9153f
• [Dev Deps] update @ljharb/eslint-config, aud 098873c
• [Dev Deps] update @ljharb/eslint-config, aud 3124ed3
• [meta] add safe-publish-latest 4b927de
• [Tests] add aud in posttest b32d9bd
• [meta] update repo URLs f9fdfc0
• [actions] Avoid 0.6 tests due to build failures ba92fe6
• [Dev Deps] update tape 950eaa7
• [Dev Deps] add missing npmignore dev dep 3226afa
• Merge tag 'v0.2.2' 980d7ac

v1.2.7 - 2022-10-10

Commits

... (truncated)

Commits

• 6901ee2 v1.2.8
• a026794 Merge tag 'v0.2.3'
• c0b2661 v0.2.3
• 63b8fee [Fix] Fix long option followed by single dash (#17)
• 72239e6 [Tests] Remove duplicate test (#12)
• 34b0f1c [eslint] fix indentation
• 3226afa [Dev Deps] add missing npmignore dev dep
• 098873c [Dev Deps] update @ljharb/eslint-config, aud
• 9ec4d27 [Fix] Fix long option followed by single dash
• ba92fe6 [actions] Avoid 0.6 tests due to build failures
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for minimist since your current version.

Install script changes

This version adds prepublish script that runs during installation. Review the package contents before updating.

Updates picomatch from 2.2.2 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

2.3.1

Fixed

• Fixes bug when a pattern containing an expression after the closing parenthesis (/!(*.d).{ts,tsx}) was incorrectly converted to regexp (9f241ef).

Changed

• Some documentation improvements (f81d236, 421e0e7).

2.2.3

Fixed

• Do not skip pattern seperator for square brackets (fb08a30).
• Set negatedExtGlob also if it does not span the whole pattern (032e3f5).

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• 5467a5a 2.3.1
• 9f241ef Merge pull request #102 from micromatch/ISSUE-93_incorrect_extglob_expanding
• ac3cb66 fix: support stars in negation extglobs with expression after closing parenth...
• 719d348 Merge pull request #85 from XhmikosR/codeql
• ac74e57 Merge pull request #91 from XhmikosR/patch-1
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by danez, a new releaser for picomatch since your current version.

Updates postcss from 7.0.35 to 7.0.39

Release notes

Sourced from postcss's releases.

7.0.39

• Reduce package size.
• Backport nanocolors to picocolors migration.

7.0.38

• Update Processor#version.

7.0.37

• Backport chalk to nanocolors migration.

7.0.36

• Backport ReDoS vulnerabilities from PostCSS 8.

Changelog

Sourced from postcss's changelog.

7.0.39

• Reduce package size.
• Backport nanocolors to picocolors migration.

7.0.38

• Update Processor#version.

7.0.37

• Backport chalk to nanocolors migration.

7.0.36

• Backport ReDoS vulnerabilities from PostCSS 8.

Commits

• e17c1ef Release 7.0.39 version
• 6791bd3 Reduce npm package
• 44c581a Replace nanocolors with picocolors
• 8ba21fd Remove eslint-ci
• 3994c4a Release 7.0.38 version
• 6944e1d Remove development keys from package.json
• 4dd0af0 Release 7.0.37 version
• 8408eb4 Add compilation step
• 0c68063 Move tests to GitHub Actions
• 98b61ba Replace chalk to nanocolors
• Additional commits viewable in compare view

Updates y18n from 4.0.0 to 4.0.3

Changelog

Sourced from y18n's changelog.

4.0.3 (2021-04-07)

Bug Fixes

• release: 4.x.x should not enforce Node 10 (#126) (1e21a53)

4.0.1 (2020-11-30)

Bug Fixes

• address prototype pollution issue (#108) (a9ac604)

Commits

• 0aa97c5 chore: release 4.x.x (#128)
• a8e7f04 build(release-please): configure branch properly (#127)
• 1e21a53 fix(release): 4.x.x should not enforce Node 10 (#126)
• 8dc7580 docs: update CHANGELOG
• 7de58ca fix: address prototype pollution issue
• See full diff in compare view

Maintainer changes

This version was pushed to npm by oss-bot, a new releaser for y18n since your current version.

Updates y18n from 5.0.1 to 5.0.8

Changelog

Sourced from y18n's changelog.

4.0.3 (2021-04-07)

Bug Fixes

• release: 4.x.x should not enforce Node 10 (#126) (1e21a53)

4.0.1 (2020-11-30)

Bug Fixes

• address prototype pollution issue (#108) (a9ac604)

Commits

• 0aa97c5 chore: release 4.x.x (#128)
• a8e7f04 build(release-please): configure branch properly (#127)
• 1e21a53 fix(release): 4.x.x should not enforce Node 10 (#126)
• 8dc7580 docs: update CHANGELOG
• 7de58ca fix: address prototype pollution issue
• See full diff in compare view

Maintainer changes

This version was pushed to npm by oss-bot, a new releaser for y18n since your current version.

Updates shell-quote from 1.7.2 to 1.8.4

Changelog

Sourced from shell-quote's changelog.

v1.8.4 - 2026-05-22

Commits

• [Fix] quote: validate object-token shapes 4378a6e
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, npmignore 22ebec0
• [Tests] increase coverage 9f3caa3
• [readme] replace runkit CI badge with shields.io check-runs badge 3344a04
• [Dev Deps] update @ljharb/eslint-config 699c511

v1.8.3 - 2025-06-01

Fixed

• [Fix] remove unnecessary backslash escaping in single quotes [#15](https://github.com/ljharb/shell-quote/issues/15)

v1.8.2 - 2024-11-27

Fixed

• [Fix] quote: preserve empty strings [#18](https://github.com/ljharb/shell-quote/issues/18)

Commits

• [meta] fix changelog tags 0fb9fd8
• [actions] split out node 10-20, and 20+ 819bd84
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, tape fc56408
• [actions] update npm for windows tests fdeb0fd
• [Dev Deps] update @ljharb/eslint-config, aud, tape b8a4a3b
• [actions] prevent node 14 on ARM mac from failing 9eecafc
• [meta] exclude more files from the package 4044e7f
• [Tests] replace aud with npm audit 8cfdbd8
• [meta] add missing engines.node 843820e
• [Dev Deps] add missing peer dep 4c3b88d
• [Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6 80322ed

v1.8.1 - 2023-04-07

Fixed

• [Fix] parse: preserve whitespace in comments [#6](https://github.com/ljharb/shell-quote/issues/6)
• [Fix] properly support the escape option [#5](https://github.com/ljharb/shell-quote/issues/5)

Description has been truncated