chore(deps)(deps-dev): bump the development-dependencies group across 1 directory with 15 updates

[dependabot]

Bumps the development-dependencies group with 15 updates in the / directory:

Package	From	To
@types/node	20.19.33	20.19.39
prettier	3.8.1	3.8.2
@babel/parser	7.29.0	7.29.2
brace-expansion	1.1.12	1.1.14
minimatch	3.1.3	3.1.5
call-bind	1.0.8	1.0.9
es-abstract	1.24.1	1.24.2
eslint-import-resolver-node	0.3.9	0.3.10
flatted	3.3.3	3.4.2
get-tsconfig	4.13.6	4.13.7
mlly	1.8.0	1.8.2
picomatch	2.3.1	2.3.2
postcss	8.5.6	8.5.9
rollup	4.59.0	4.60.1
tinyglobby	0.2.15	0.2.16

Updates @types/node from 20.19.33 to 20.19.39

Commits

• See full diff in compare view

Updates prettier from 3.8.1 to 3.8.2

Release notes

Sourced from prettier's releases.

3.8.2

• Support Angular v21.2

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.2

diff

Angular: Support Angular v21.2 (#18722, #19034 by @​fisker)

Exhaustive typechecking with @default never;

<!-- Input -->
@switch (foo) {
  @case (1) {}
  @default never;
}
<!-- Prettier 3.8.1 -->
SyntaxError: Incomplete block "default never". If you meant to write the @ character, you should use the "&#64;" HTML entity instead. (3:3)
<!-- Prettier 3.8.2 -->
@​switch (foo) {
@​case (1) {}
@​default never;
}

arrow function and instanceof expressions.

<!-- Input -->
@let fn = (a) =>        a?    1:2;
{{ fn ( a         instanceof b)}}
<!-- Prettier 3.8.1 -->
@​let fn = (a) =>        a?    1:2;
{{ fn ( a         instanceof b)}}
<!-- Prettier 3.8.2 -->
@​let fn = (a) => (a ? 1 : 2);
{{ fn(a instanceof b) }}

Commits

• b31557c Release 3.8.2
• 96bbaed Support Angular v21.2 (#18722)
• 881360b Support default never in Angular v21.2 (#19034)
• 07d6724 Bump Prettier dependency to 3.8.1
• 8b4a53a Clean changelog_unreleased
• See full diff in compare view

Updates @babel/parser from 7.29.0 to 7.29.2

Release notes

Sourced from @​babel/parser's releases.

v7.29.2 (2026-03-16)

👓 Spec Compliance

• babel-parser
  • #17840 [7.x backport] async x => {} must be in leading pos (@​JLHwung)

🐛 Bug Fix

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • #17805 [7.x backport] fix: Properly handle await in finally (@​liuxingbaoyu)
• babel-preset-env
  • #17789 [7.x backport] preset-env include/exclude should accept bugfix plugins (@​JLHwung)

🏠 Internal

• #17813 chore: update eslint peer deps (@​JLHwung)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.1 (2026-02-04)

🐛 Bug Fix

• babel-standalone
  • #17771 [7.x backport] fix: ensure targets.esmodules is validated (@​JLHwung)
• babel-generator
  • #17776 [7.x backport] Fix undefined when 64 indents (@​liuxingbaoyu)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

Commits

• 37d5595 v7.29.2
• f030ad3 [7.x backport] async x => {} must be in leading pos (#17840)
• See full diff in compare view

Updates brace-expansion from 1.1.12 to 1.1.14

Commits

• 10c05fc 1.1.14
• 1afa1b2 Add opt-in { max } mitigation to v1 legacy line (#103)
• 2fbb6a2 Revert "Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)" (#102)
• 0d7652e Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)
• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• See full diff in compare view

Updates minimatch from 3.1.3 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• See full diff in compare view

Updates call-bind from 1.0.8 to 1.0.9

Changelog

Sourced from call-bind's changelog.

v1.0.9 - 2026-04-09

Commits

• [Fix] correct .length computation when partial args exceed function arity 95c406d
• [Dev Deps] update @ljharb/eslint-config, es-value-fixtures, eslint, for-each, has-strict-mode, npmignore, object-inspect 06a4e21
• [Deps] update call-bind-apply-helpers, es-define-property, get-intrinsic 3fea81e
• [readme] replace runkit CI badge with shields.io check-runs badge 23437d4

Commits

• 8d6a98c v1.0.9
• 95c406d [Fix] correct .length computation when partial args exceed function arity
• 3fea81e [Deps] update call-bind-apply-helpers, es-define-property, get-intrinsic
• 06a4e21 [Dev Deps] update @ljharb/eslint-config, es-value-fixtures, eslint, `fo...
• 23437d4 [readme] replace runkit CI badge with shields.io check-runs badge
• See full diff in compare view

Updates es-abstract from 1.24.1 to 1.24.2

Changelog

Sourced from es-abstract's changelog.

1.24.2 / 2026-04-07

• [Fix] IfAbruptCloseIterator: handle all abrupt completions, not just throw
• [Robustness] use +x instead of Number(x)
• [Robustness] use isFinite/parseInt intrinsics, and isNaN helper
• [Robustness] ensure undefined is undefined
• [patch] add a TODO to remove an unused helper
• [Dev Deps] update @ljharb/eslint-config, npmignore

Commits

• 9c40412 v1.24.2
• 5f9c0c1 [Robustness] use +x instead of Number(x)
• 9cb3440 [Fix] IfAbruptCloseIterator: handle all abrupt completions, not just throw
• 4a61750 [patch] add a TODO to remove an unused helper
• e69f21a [Robustness] use isFinite/parseInt intrinsics, and isNaN helper
• ff03c92 [Robustness] ensure undefined is undefined
• f4fc91c [Dev Deps] update @ljharb/eslint-config, npmignore
• See full diff in compare view

Updates eslint-import-resolver-node from 0.3.9 to 0.3.10

Release notes

Sourced from eslint-import-resolver-node's releases.

no-reassign

Added rule no-reassign, made some mistakes publishing to npm. 😳

Changelog

Sourced from eslint-import-resolver-node's changelog.

v0.3.10 - 2026-04-01

• [deps] update is-core-module, resolve
• [meta] add repository.directory field
• [refactor] avoid hoisting

Commits

• See full diff in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates get-tsconfig from 4.13.6 to 4.13.7

Release notes

Sourced from get-tsconfig's releases.

v4.13.7

4.13.7 (2026-03-22)

Bug Fixes

• parse-tsconfig: preserve files when include is also present (#128) (b09052c)

Commits

• b09052c fix(parse-tsconfig): preserve files when include is also present (#128)
• e64637d ci: add beta branch and simplify release trigger
• 07b4bd4 test(extends): add regression test for include path normalization (#74)
• See full diff in compare view

Updates mlly from 1.8.0 to 1.8.2

Release notes

Sourced from mlly's releases.

v1.8.2

compare changes

🩹 Fixes

• Generic angle bracket parsing (#341)

📖 Documentation

• Fix typo (#333)

❤️ Contributors

• Florian Heuberger (@​Flo0806)
• AngelHdz (@​angelhdzmultimedia)

v1.8.1

compare changes

🩹 Fixes

• Extract variable names ignoring function calls (#336)

❤️ Contributors

• Daniel Roe (@​danielroe)

Changelog

Sourced from mlly's changelog.

v1.8.2

compare changes

🩹 Fixes

• Extract variable names ignoring function calls (#336)
• Generic angle bracket parsing (#341)

📖 Documentation

• Fix typo (#333)

🏡 Chore

• Update deps (12913db)
• Lint (33495f9)
• release: V1.8.1 (ed17783)
• Update deps (1b09363)

❤️ Contributors

• Florian Heuberger (@​Flo0806)
• Pooya Parsa (@​pi0)
• AngelHdz angel.hernandez.12@live.com
• Daniel Roe (@​danielroe)

v1.8.1

compare changes

🩹 Fixes

• Extract variable names ignoring function calls (#336)

🏡 Chore

• Update deps (12913db)
• Lint (33495f9)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Daniel Roe (@​danielroe)

Commits

• c5ce4e5 chore(release): v1.8.2
• abef19c fix: generic angle bracket parsing (#341)
• 1b09363 chore: update deps
• ed17783 chore(release): v1.8.1
• 3f4c751 docs: fix typo (#333)
• 24bd871 chore(deps): update autofix-ci/action digest to 7a166d7 (#334)
• 938cf7e chore(deps): update actions/setup-node action to v6 (#328)
• 915dd32 chore(deps): update actions/checkout action to v6 (#332)
• 33495f9 chore: lint
• 12913db chore: update deps
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates postcss from 8.5.6 to 8.5.9

Release notes

Sourced from postcss's releases.

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Changelog

Sourced from postcss's changelog.

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Commits

• fe88ac2 Release 8.5.9 version
• c551632 Avoid RegExp when we can use simple JS
• 89a6b74 Move SECURITY.txt for docs folder to keep GitHub page cleaner
• 6ceb8a4 Create SECURITY.md
• 02ccae6 Another way to fix CI with .ts ext in tests on old Node.js
• 2c36658 Another way to fix CI with TS on old Node.js
• b906003 Another way to fix CI with old Node.js
• 04d32cd Fix another issue with Node.js 10 on CI
• df86cdf Try to fix Node.js 10 on CI
• 82bec0d Move to oxfmt
• Additional commits viewable in compare view

Updates rollup from 4.59.0 to 4.60.1

Release notes

Sourced from rollup's releases.

v4.60.1

4.60.1

2026-03-30

Bug Fixes

• Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

• #6286: fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274) (@​littlegrayss, @​TrickyPi)
• #6317: chore(deps): pin dependencies (@​renovate[bot], @​lukastaegert)
• #6318: chore(deps): update msys2/setup-msys2 digest to cafece8 (@​renovate[bot], @​lukastaegert)
• #6319: chore(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6320: chore(deps): pin dependency typescript to v5 (@​renovate[bot], @​lukastaegert)
• #6321: chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (@​renovate[bot], @​lukastaegert)
• #6322: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #6323: chore(deps): lock file maintenance (@​renovate[bot])
• #6324: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)

v4.60.0

4.60.0

2026-03-22

Features

• Support source phase imports as long as they are external (#6279)

Pull Requests

• #6279: feat: external only Source Phase imports support (@​guybedford, @​lukastaegert)

v4.59.1

4.59.1

2026-03-21

Bug Fixes

• Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

• #6281: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6282: chore(deps): update github artifact actions (major) (@​renovate[bot], @​lukastaegert)
• #6283: chore(deps): update dependency nyc to v18 (@​renovate[bot], @​lukastaegert)
• #6284: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #6285: chore(deps): lock file maintenance (@​renovate[bot])

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.1

2026-03-30

Bug Fixes

• Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

• #6286: fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274) (@​littlegrayss, @​TrickyPi)
• #6317: chore(deps): pin dependencies (@​renovate[bot], @​lukastaegert)
• #6318: chore(deps): update msys2/setup-msys2 digest to cafece8 (@​renovate[bot], @​lukastaegert)
• #6319: chore(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6320: chore(deps): pin dependency typescript to v5 (@​renovate[bot], @​lukastaegert)
• #6321: chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (@​renovate[bot], @​lukastaegert)
• #6322: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #6323: chore(deps): lock file maintenance (@​renovate[bot])
• #6324: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)

4.60.0

2026-03-22

Features

• Support source phase imports as long as they are external (#6279)

Pull Requests

• #6279: feat: external only Source Phase imports support (@​guybedford, @​lukastaegert)

4.59.1

2026-03-21

Bug Fixes

• Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

• #6281: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6282: chore(deps): update github artifact actions (major) (@​renovate[bot], @​lukastaegert)
• #6283: chore(deps): update dependency nyc to v18 (@​renovate[bot], @​lukastaegert)
• #6284: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #6285: chore(deps): lock file maintenance (@​renovate[bot])
• #6290: chore(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6291: chore(deps): update dependency @​shikijs/vitepress-twoslash to v4 (@​renovate[bot])
• #6292: chore(deps): lock file maintenance (@​renovate[bot])

... (truncated)

Commits

• ae871d7 4.60.1
• 51f8f60 fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274)...
• ca55406 chore(deps): pin dependency typescript to v5 (#6320)
• fe50d86 chore(deps): pin dependencies (#6317)
• 42785ff chore(deps): update minor/patch updates (#6319)
• 65e82a9 chore(deps): update msys2/setup-msys2 digest to cafece8 (#6318)
• c336205 chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (#6321)
• b25d25e fix(deps): update swc monorepo (major) (#6322)
• 119abdb chore(deps): lock file maintenance (#6324)
• 5598a66 chore(deps): lock file maintenance (#6323)
• Additional commits viewable in compare view

Updates tinyglobby from 0.2.15 to 0.2.16

Release notes

Sourced from tinyglobby's releases.

0.2.16

Fixed

• Upgraded picomatch to 4.0.4, mitigating any potential exposure to CVE-2026-33671 and CVE-2026-33672

Changed

• Overhauled and optimized most internals by @​Torathion
• Ignore patterns are no longer compiled twice by @​webpro

Consider sponsoring if you'd like to support the development of this project and the goal of reaching a lighter and faster ecosystem

Changelog

Sourced from tinyglobby's changelog.

0.2.16

Fixed

• Upgraded picomatch to 4.0.4, mitigating any potential exposure to CVE-2026-33671 and CVE-2026-33672

Changed

• Overhauled and optimized most internals by Torathion
• Ignore patterns are no longer compiled twice by webpro

Commits

• 5779202 release 0.2.16
• 071954f bump deps once more
• e541dde do not import the whole fs module
• 2381b76 fix root being too broad
• 0addeb9 chore(deps): update all non-major dependencies (#191)
• 91ac26c chore(deps): update pnpm/action-setup action to v5 (#192)
• c50558e upgrade picomatch (and everything else)
• 6185175 chore(deps): update dependency picomatch to v4.0.4 [security] (#193)
• 49c2b93 enable pnpm trustPolicy
• bc825c4 chore(deps): update all non-major dependencies (#181)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Assignees

The following users could not be added as assignees: llm-dev-ops/maintainers. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

🔒 Security Scan Results

Scan Type	Status
Dependency Scan	⚠️ failure
CodeQL Analysis	✅ success
Secret Scan	✅ success
License Check	⚠️ failure
SAST	⚠️ failure

⚠️ Some security scans have warnings or failed. Please review the details.

---

Automated security scanning by GitHub Actions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.