
chore(deps): bump the production-dependencies group across 1 directory with 8 updates#906

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/production-dependencies-cd25958d71

Conversation


@dependabot dependabot bot commented on behalf of github Apr 6, 2026

Bumps the production-dependencies group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @diplodoc/utils | 2.1.0 | 2.2.0 |
| cssfilter | 0.0.10 | 0.0.11 |
| lodash | 4.17.23 | 4.18.1 |
| markdownlint | 0.32.1 | 0.40.0 |
| markdownlint-rule-helpers | 0.17.2 | 0.30.0 |
| sanitize-html | 2.17.0 | 2.17.2 |
| slugify | 1.6.6 | 1.6.9 |
| svgo | 3.3.2 | 3.3.3 |

Updates @diplodoc/utils from 2.1.0 to 2.2.0

Release notes

Sourced from @diplodoc/utils's releases.

v2.2.0

2.2.0 (2026-03-26)

Features

  • Universal generateID method DOCSTOOLS-5561 (f105a20)

Bug Fixes

  • Update infra to v1.13.2 (30430cc)

Changelog

Sourced from @diplodoc/utils's changelog.

2.2.0 (2026-03-26)

Features

  • Universal generateID method DOCSTOOLS-5561 (f105a20)

Bug Fixes

  • Update infra to v1.13.2 (30430cc)

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​diplodoc/utils since your current version.


Updates cssfilter from 0.0.10 to 0.0.11


Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails because the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates markdownlint from 0.32.1 to 0.40.0

Changelog

Sourced from markdownlint's changelog.

0.40.0

  • Improve MD011/MD013/MD051/MD060
  • Update dependencies

0.39.0

  • Add MD060/table-column-style
  • Improve MD001/MD007/MD009/MD010/MD029/MD033/MD037/MD059
  • Add support for reporting violations as severity warning
  • Deprecate resultVersion and toString (breaking change)
  • Improve type definitions
  • Improve demo web page
  • Update dependencies

0.38.0

  • Add MD059/descriptive-link-text
  • Improve MD025/MD027/MD036/MD038/MD041/MD043/MD045/MD051/MD052
  • markdown-it parser no longer a production dependency (breaking change)
    • Add markdownItFactory option, remove markdownItPlugins option
  • Remove support for end-of-life Node version 18
  • Improve performance
  • Update dependencies

0.37.4

  • Stop using module.createRequire, export resolveModule

0.37.3

  • Tweak package.json dependencies to work with pnpm

0.37.2

  • Add subpath imports for overriding default bundler behavior
  • Improve MD032

0.37.1

  • Add support for "browser" condition (as used by webpack)

0.37.0

0.36.1

... (truncated)

Commits
  • 63fefcb Update to version 0.40.0.
  • dc97978 Add scenarios for aligned tables with irregular trailing pipes.
  • e645385 Update test repository snapshots.
  • 240e27b Update test repository snapshots.
  • b3a49a7 Update MD060/table-column-style to rename "heading" to "header" for consisten...
  • f6c5369 Update MD060/table-column-style to add aligned_delimiter parameter (fixes #18...
  • 8e974f9 Update MD013/line-length default mode to prevent trailing non-whitespace text...
  • 6019101 Remove outdated table-column-style suppression from dotnet/docs test repo.
  • 9ad696e Add more tests for MD013/line-length edge case behavior.
  • d8bf33d Refactor MD013/line-length to simplify length check.
  • Additional commits viewable in compare view

Updates markdownlint-rule-helpers from 0.17.2 to 0.30.0

Changelog

Sourced from markdownlint-rule-helpers's changelog.

0.30.0

  • Use micromark in MD022/MD026/MD032/MD037/MD045/MD051
  • Incorporate micromark-extension-math for math syntax
  • Allow custom rules to override information URL
  • Update dependencies

0.29.0

  • Update micromark parser dependencies for better performance
  • Use micromark in MD049/MD050
  • Improve MD034/MD037/MD044/MD049/MD050
  • Support multiple parsers in demo page
  • Remove support for end-of-life Node version 14
  • Update dependencies

0.28.2

0.28.1

  • Update dependencies

0.28.0

  • Introduce micromark parser for better positional data (internal only)
  • Use micromark in MD013/MD033/MD034/MD035/MD038/MD044/MD052/MD053
  • Simplify file-based test cases
  • Unify browser script for demo page
  • Update dependencies

0.27.0

  • Improve MD011/MD013/MD022/MD031/MD032/MD033/MD034/MD040/MD043/MD051/MD053
  • Generate/separate documentation
  • Improve documentation
  • Update dependencies

0.26.2

  • Improve MD037/MD051/MD053

0.26.1

  • Improve MD051

0.26.0

  • Add MD051/MD052/MD053 for validating link fragments & reference

... (truncated)

Commits
  • d641caf Update to version 0.30.0.
  • d9de1dd Update MD022/blanks-around-headings to allow specifying a different number of...
  • bdc9d35 Bump @babel/core from 7.22.9 to 7.22.10
  • 480df6a Bump @babel/preset-env from 7.22.9 to 7.22.10
  • 36e84a4 Bump eslint-plugin-jsdoc from 46.4.5 to 46.4.6
  • 8098410 Update MD022/blanks-around-headings to allow passing -1 for lines_above/lines...
  • f079df1 Reimplement MD022/blanks-around-headings using micromark tokens.
  • 1eb40d3 Update MD051/link-fragments to not provide error context for multi-line scena...
  • ef1bd28 Reimplement MD051/link-fragments using micromark tokens, report reference lin...
  • dd73b0a Bump eslint from 8.45.0 to 8.46.0
  • Additional commits viewable in compare view

Updates sanitize-html from 2.17.0 to 2.17.2

Changelog

Sourced from sanitize-html's changelog.

2.17.2

Changes

  • Upgrade htmlparser2 from 8.x to 10.1.0. This improves security by correctly decoding zero-padded numeric character references (e.g., `&#0000001`) that previously bypassed javascript: URL detection. Also fixes double-encoding of entities inside raw text elements like textarea and option.

2.17.1 (2026-02-18)

Fixes

  • Fix unclosed tags (e.g., `<hello`) returning empty string in escape and recursiveEscape modes. Fixes #706. Thanks to Byeong Hyeon for the fix.

Updates slugify from 1.6.6 to 1.6.9

Changelog

Sourced from slugify's changelog.

v1.6.9 (2026-04-01)

  • #171 fix: correct CommonJS export for "module": "node16" + ESM (171) (@karlhorky)

v1.6.8 (2026-03-13)

Maintainer changes

This version was pushed to npm by joshuakgoldberg, a new releaser for slugify since your current version.


Updates svgo from 3.3.2 to 3.3.3

Release notes

Sourced from svgo's releases.

v3.3.3

What's Changed

Dependencies

  • Migrates from our unsupported fork of sax (@trysound/sax) to the upstream version of sax (sax).

Bug Fixes

  • No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

| | v3.3.2 | v3.3.3 | Delta |
| --- | --- | --- | --- |
| svgo.browser.js | 910.9 kB | 912.9 kB | ⬆️ 2 kB |

Support

SVGO v3 is not officially supported, please consider upgrading to SVGO v4 instead. We've backported this fix as there are security implications, but there is no commitment to do this for more complex changes in future.

Consider reading our Migration Guide from v3 to v4 which should ease the process.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
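The two lodash security entries and the sanitize-html note quoted above each describe an input-handling guard: refusing `constructor`/`prototype` as non-terminal path keys in `_.unset`, rejecting `imports` keys that are not plain identifiers before they reach a `Function()` sink, and fully decoding zero-padded numeric character references before a `javascript:` scheme check. The block below is an added example, not code from lodash, sanitize-html or this repository: it implements those three guards with names of my own (`safeUnset`, `validateImportKeys`, `decodeNumericRefs`, `isJavascriptUrl`). The identifier allowlist regex is my own conservative choice rather than lodash's `reForbiddenIdentifierChars`, and the return-value contract of `safeUnset` is mine, not lodash's.

```javascript
'use strict';
// Added example, not code from lodash, sanitize-html or this repository.
// It mirrors the three guards described in the release notes with names
// of my own choosing.

// --- 1. Path traversal guard for a lodash-style unset ---------------------
const FORBIDDEN_PATH_KEYS = new Set(['constructor', 'prototype', '__proto__']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Accept "a.b.c", ["a", "b", "c"], or a single key.
function toPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

// Deletes the own property at `path` and returns true. Returns false and
// leaves `target` untouched when the root is a primitive, the path is empty,
// any non-terminal segment is a forbidden key, or an intermediate segment is
// not an own object-valued property. Walking only own properties means the
// walk can never step from a plain object onto a built-in prototype.
function safeUnset(target, path) {
  if (target === null || typeof target !== 'object') return false;
  const segments = toPath(path);
  if (segments.length === 0) return false;
  const parents = segments.slice(0, -1);
  if (parents.some((k) => FORBIDDEN_PATH_KEYS.has(k))) return false;
  let cur = target;
  for (const key of parents) {
    if (!hasOwn(cur, key)) return false;
    cur = cur[key];
    if (cur === null || typeof cur !== 'object') return false;
  }
  const last = segments[segments.length - 1];
  // Own properties of plain objects are configurable, so delete returns true.
  return hasOwn(cur, last) ? delete cur[last] : false;
}

// --- 2. Identifier validation for keys spliced into generated code --------
// Keys of an `imports`-style option become parameter names of generated
// source, so anything that is not a plain identifier is rejected up front.
// Allowlist chosen for this example; stricter than a deny-list of characters.
const reIdentifier = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function validateImportKeys(imports) {
  const bad = Object.keys(imports || {}).filter((k) => !reIdentifier.test(k));
  if (bad.length) throw new Error('Invalid imports option: ' + bad.join(', '));
  return true;
}

// --- 3. Decode numeric character references before URL scheme checks ------
// parseInt ignores leading zeros, so "&#0000106" and "&#106" both decode to
// "j"; a scheme check that runs on the raw text would miss the former.
function decodeNumericRefs(text) {
  return text.replace(/&#(?:[xX]([0-9a-fA-F]+)|(\d+));?/g, (m, hex, dec) => {
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
  });
}

// True when the href, after decoding references and dropping control
// characters and whitespace, starts with the javascript: scheme.
function isJavascriptUrl(href) {
  const cleaned = decodeNumericRefs(href)
    .replace(/[\u0000-\u0020]/g, '')
    .toLowerCase();
  return cleaned.startsWith('javascript:');
}

// Constructed inputs for a stand-alone run.
const doc = { a: { b: 1 } };
console.log(safeUnset(doc, 'a.b'), doc);
console.log(safeUnset({}, ['constructor', 'prototype', 'toString']));
console.log(isJavascriptUrl('&#0000106avascript:void(0)'));
```

The guard in `safeUnset` is deliberately applied to the parent segments only: a terminal key named `constructor` on a plain object is still an ordinary own property and may be removed, which matches the release notes' description of blocking these names as non-terminal keys. `isJavascriptUrl` decodes first and normalises second; reversing that order is exactly the gap the sanitize-html entry describes.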

…y with 8 updates

Bumps the production-dependencies group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@diplodoc/utils](https://github.com/diplodoc-platform/utils) | `2.1.0` | `2.2.0` |
| [cssfilter](https://github.com/leizongmin/js-css-filter) | `0.0.10` | `0.0.11` |
| [lodash](https://github.com/lodash/lodash) | `4.17.23` | `4.18.1` |
| [markdownlint](https://github.com/DavidAnson/markdownlint) | `0.32.1` | `0.40.0` |
| [markdownlint-rule-helpers](https://github.com/DavidAnson/markdownlint) | `0.17.2` | `0.30.0` |
| [sanitize-html](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html) | `2.17.0` | `2.17.2` |
| [slugify](https://github.com/simov/slugify) | `1.6.6` | `1.6.9` |
| [svgo](https://github.com/svg/svgo) | `3.3.2` | `3.3.3` |



Updates `@diplodoc/utils` from 2.1.0 to 2.2.0
- [Release notes](https://github.com/diplodoc-platform/utils/releases)
- [Changelog](https://github.com/diplodoc-platform/utils/blob/master/CHANGELOG.md)
- [Commits](diplodoc-platform/utils@v2.1.0...v2.2.0)

Updates `cssfilter` from 0.0.10 to 0.0.11
- [Commits](https://github.com/leizongmin/js-css-filter/commits)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `markdownlint` from 0.32.1 to 0.40.0
- [Changelog](https://github.com/DavidAnson/markdownlint/blob/main/CHANGELOG.md)
- [Commits](DavidAnson/markdownlint@v0.32.1...v0.40.0)

Updates `markdownlint-rule-helpers` from 0.17.2 to 0.30.0
- [Changelog](https://github.com/DavidAnson/markdownlint/blob/main/CHANGELOG.md)
- [Commits](DavidAnson/markdownlint@v0.17.2...v0.30.0)

Updates `sanitize-html` from 2.17.0 to 2.17.2
- [Changelog](https://github.com/apostrophecms/apostrophe/blob/main/packages/sanitize-html/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/apostrophe/commits/sanitize-html@2.17.2/packages/sanitize-html)

Updates `slugify` from 1.6.6 to 1.6.9
- [Changelog](https://github.com/simov/slugify/blob/master/CHANGELOG.md)
- [Commits](https://github.com/simov/slugify/commits)

Updates `svgo` from 3.3.2 to 3.3.3
- [Release notes](https://github.com/svg/svgo/releases)
- [Commits](svg/svgo@v3.3.2...v3.3.3)

---
updated-dependencies:
- dependency-name: "@diplodoc/utils"
  dependency-version: 2.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: cssfilter
  dependency-version: 0.0.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: markdownlint
  dependency-version: 0.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: markdownlint-rule-helpers
  dependency-version: 0.30.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: sanitize-html
  dependency-version: 2.17.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: slugify
  dependency-version: 1.6.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: svgo
  dependency-version: 3.3.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot commented on behalf of github Apr 6, 2026

Labels

The following labels could not be found: dependabot. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Apr 6, 2026
@dependabot dependabot bot requested a review from a team as a code owner April 6, 2026 09:06
@dependabot dependabot bot requested review from main-kun and removed request for a team April 6, 2026 09:06