chore(deps): bump the npm_and_yarn group across 1 directory with 6 updates by dependabot[bot] · Pull Request #1 · Sawsqr68/plugins

dependabot · 2025-11-12T06:35:17Z

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package	From	To
pnpm	`8.7.5`	`10.0.0`
graphql	`16.6.0`	`16.8.1`
postcss	`8.4.17`	`8.4.31`
es5-ext	`0.10.62`	`0.10.63`
serialize-javascript	`6.0.1`	`6.0.2`

Updates pnpm from 8.7.5 to 10.0.0

Release notes

Sourced from pnpm's releases.

pnpm 10

Major Changes
Lifecycle scripts of dependencies are not executed during installation by default! This is a breaking change aimed at increasing security. In order to allow lifecycle scripts of specific dependencies, they should be listed in the pnpm.onlyBuiltDependencies field of package.json #8897. For example:
{
  "pnpm": {
    "onlyBuiltDependencies": ["fsevents"]
  }
}
Read pnpm 10.0.0 Blocks Lifecycle Scripts by Default to learn about the motivation of the change.

If you want the old pre v10 behaviour, so you want to allow all dependencies to run postinstall scripts, then add this to your package.json:
{
  "pnpm": {
    "neverBuiltDependencies": []
  }
}
pnpm link behavior updated:

The pnpm link command now adds overrides to the root package.json.

In a workspace: The override is added to the root of the workspace, linking the dependency to all projects in the workspace.

Global linking: To link a package globally, run pnpm link from the package’s directory. Previously, you needed to use pnpm link -g. Related PR: #8653

Secure hashing with SHA256:

Various hashing algorithms have been updated to SHA256 for enhanced security and consistency:

Long paths inside node_modules/.pnpm are now hashed with SHA256.

Long peer dependency hashes in the lockfile now use SHA256 instead of MD5. (This affects very few users since these are only used for long keys.)

The hash stored in the packageExtensionsChecksum field of pnpm-lock.yaml is now SHA256.

The side effects cache keys now use SHA256.

The pnpmfile checksum in the lockfile now uses SHA256 (#8530).

The patch file checksums in the lockfile now use SHA256.

Configuration updates:

manage-package-manager-versions: enabled by default. pnpm now manages its own version based on the packageManager field in package.json by default.

public-hoist-pattern: nothing is hoisted by default. Packages containing eslint or prettier in their name are no longer hoisted to the root of node_modules. Related Issue: #8378

... (truncated)

Changelog

Sourced from pnpm's changelog.

10.0.0

Major Changes
Lifecycle scripts of dependencies are not executed during installation by default! This is a breaking change aimed at increasing security. In order to allow lifecycle scripts of specific dependencies, they should be listed in the pnpm.onlyBuiltDependencies field of package.json #8897. For example:
{
  "pnpm": {
    "onlyBuiltDependencies": ["fsevents"]
  }
}
pnpm link behavior updated:

The pnpm link command now adds overrides to the root package.json.

In a workspace: The override is added to the root of the workspace, linking the dependency to all projects in the workspace.

Global linking: To link a package globally, run pnpm link from the package’s directory. Previously, you needed to use pnpm link -g. Related PR: #8653

Secure hashing with SHA256:

Various hashing algorithms have been updated to SHA256 for enhanced security and consistency:

Long paths inside node_modules/.pnpm are now hashed with SHA256.

Long peer dependency hashes in the lockfile now use SHA256 instead of MD5. (This affects very few users since these are only used for long keys.)

The hash stored in the packageExtensionsChecksum field of pnpm-lock.yaml is now SHA256.

The side effects cache keys now use SHA256.

The pnpmfile checksum in the lockfile now uses SHA256 (#8530).

Configuration updates:

manage-package-manager-versions: enabled by default. pnpm now manages its own version based on the packageManager field in package.json by default.

public-hoist-pattern: nothing is hoisted by default. Packages containing eslint or prettier in their name are no longer hoisted to the root of node_modules. Related Issue: #8378

Upgraded @yarnpkg/extensions to v2.0.3. This may alter your lockfile.

virtual-store-dir-max-length: the default value on Windows has been reduced to 60 characters.

Reduced environment variables for scripts: During script execution, fewer npm_package_* environment variables are set. Only name, version, bin, engines, and config remain. Related Issue: #8552

All dependencies are now installed even if NODE_ENV=production. Related Issue: #8827

Changes to the global store:

Store version bumped to v10.

... (truncated)

Commits

42ecf04 chore(release): 10.0.0
c0c63ef docs: update years
dde650b fix: ensure that recursive pnpm update --latest \<pkg> updates only the spec...
c5080de chore(release): 10.0.0-rc.3
cc3bbc9 fix: don't load side-effects cache for packages that are not allowed to be bu...
12aebe2 docs: README add Bluesky link (#8937)
9591a18 feat: configurational dependencies (#8915)
52204d5 chore: pd should not switch to another version of pnpm (#8930)
c7eefdd fix: pnpm update --filter --latest should only change relevant packages and...
e103abe chore(release): 10.0.0-rc.2
Additional commits viewable in compare view

Updates graphql from 16.6.0 to 16.8.1

Release notes

Sourced from graphql's releases.

v16.8.1 (2023-09-19)

Bug Fix 🐞

#3967 OverlappingFieldsCanBeMergedRule: Fix performance degradation (@AaronMoat)

Committers: 1

Aaron Moat(@AaronMoat)

v16.8.0 (2023-08-14)

New Feature 🚀

#3950 Support fourfold nested lists (@gschulze)

Committers: 1

Gunnar Schulze(@gschulze)

v16.7.1 (2023-06-22)

📢 Big shout out to @phryneas, who managed to reproduce this issue and come up with this fix.

Bug Fix 🐞

#3923 instanceOf: workaround bundler issue with process.env (@IvanGoncharov)

Committers: 1

Ivan Goncharov(@IvanGoncharov)

v16.7.0 (2023-06-21)

New Feature 🚀

#3887 check "globalThis.process" before accessing it (@kettanaito)

Bug Fix 🐞

#3707 Fix crash in node when mixing sync/async resolvers (backport of #3706) (@chrskrchr)

#3838 Fix/invalid error propagation custom scalars (backport for 16.x.x) (@stenreijers)

Committers: 3

Artem Zakharchenko(@kettanaito)

Chris Karcher(@chrskrchr)

Sten Reijers(@stenreijers)

Commits

8a95335 16.8.1
8f4c64e OverlappingFieldsCanBeMergedRule: Fix performance degradation (#3967)
e4f759d 16.8.0
bec1b49 Support fourfold nested lists (#3950)
bf6a9f0 16.7.1
a08aaee instanceOf: workaround bundler issue with process.env (#3923)
1519fda 16.7.0
84bb146 check "globalThis.process" before accessing it (#3887)
076972e Fix/invalid error propagation custom scalars (backport for 16.x.x) (#3838)
4a82557 Fix crash in node when mixing sync/async resolvers (backport of #3706) (#3707)
See full diff in compare view

Updates postcss from 8.4.17 to 8.4.31

Release notes

Sourced from postcss's releases.

8.4.31

Fixed \r parsing to fix CVE-2023-44270.

8.4.30

Improved source map performance (by @romainmenke).

8.4.29

Fixed Node#source.offset (by @idoros).

Fixed docs (by @coliff).

8.4.28

Fixed Root.source.end for better source map (by @romainmenke).

Fixed Result.root types when process() has no parser.

8.4.27

Fixed Container clone methods types.

8.4.26

Fixed clone methods types.

8.4.25

Improve stringify performance (by @romainmenke).

Fixed docs (by @vikaskaliramna07).

8.4.24

Fixed Plugin types.

8.4.23

Fixed warnings in TypeDoc.

8.4.22

Fixed TypeScript support with node16 (by @remcohaszing).

8.4.21

Fixed Input#error types (by @hudochenkov).

8.4.20

Fixed source map generation for childless at-rules like @layer.

8.4.19

Fixed whitespace preserving after AST transformations (by @romainmenke).

8.4.18

Fixed an error on absolute: true with empty sourceContent (by @KingSora).

Changelog

Sourced from postcss's changelog.

8.4.31

Fixed \r parsing to fix CVE-2023-44270.

8.4.30

Improved source map performance (by Romain Menke).

8.4.29

Fixed Node#source.offset (by Ido Rosenthal).

Fixed docs (by Christian Oliff).

8.4.28

Fixed Root.source.end for better source map (by Romain Menke).

Fixed Result.root types when process() has no parser.

8.4.27

Fixed Container clone methods types.

8.4.26

Fixed clone methods types.

8.4.25

Improve stringify performance (by Romain Menke).

Fixed docs (by @vikaskaliramna07).

8.4.24

Fixed Plugin types.

8.4.23

Fixed warnings in TypeDoc.

8.4.22

Fixed TypeScript support with node16 (by Remco Haszing).

8.4.21

Fixed Input#error types (by Aleks Hudochenkov).

8.4.20

Fixed source map generation for childless at-rules like @layer.

8.4.19

Fixed whitespace preserving after AST transformations (by Romain Menke).

8.4.18

Fixed an error on absolute: true with empty sourceContent (by Rene Haas).

Commits

90208de Release 8.4.31 version
58cc860 Fix carrier return parsing
4fff8e4 Improve pnpm test output
cd43ed1 Update dependencies
caa916b Update dependencies
8972f76 Typo
11a5286 Typo
45c5501 Release 8.4.30 version
bc3c341 Update linter
b2be58a Merge pull request #1881 from romainmenke/improve-sourcemap-performance--phil...
Additional commits viewable in compare view

Updates es5-ext from 0.10.62 to 0.10.63

Release notes

Sourced from es5-ext's releases.

0.10.63 (2024-02-23)

Bug Fixes

Do not rely on problematic regex (3551cdd), addresses #201

Support ES2015+ function definitions in function#toStringTokens() (a52e957), addresses #021

Ensure postinstall script does not crash on Windows, fixes #181 (bf8ed79)

Maintenance Improvements

Simplify the manifest message (7855319)

Comparison since last release

Changelog

Sourced from es5-ext's changelog.

0.10.63 (2024-02-23)

Bug Fixes

Do not rely on problematic regex (3551cdd), addresses #201

Support ES2015+ function definitions in function#toStringTokens() (a52e957), addresses #021

Ensure postinstall script does not crash on Windows, fixes #181 (bf8ed79)

Maintenance Improvements

Simplify the manifest message (7855319)

Commits

de4e03c chore: Release v0.10.63
3fd53b7 chore: Upgrade lint-staged to v13
bf8ed79 chore: Ensure postinstall script does not crash on Windows
2cbbb07 chore: Bump dependencies
22d0416 chore: Bump LICENSE year
a52e957 fix: Support ES2015+ function definitions in function#toStringTokens()
3551cdd fix: Do not rely on problematic regex
7855319 chore: Simplify the manifest message
See full diff in compare view

Updates serialize-javascript from 6.0.1 to 6.0.2

Release notes

Sourced from serialize-javascript's releases.

v6.0.2

fix: serialize URL string contents to prevent XSS (#173) f27d65d

Bump @babel/traverse from 7.10.1 to 7.23.7 (#171) 02499c0

docs: update readme with URL support (#146) 0d88527

chore: update node version and lock file e2a3a91

fix typo (#164) 5a1fa64

yahoo/serialize-javascript@v6.0.1...v6.0.2

Commits

b71ec23 6.0.2
f27d65d fix: serialize URL string contents to prevent XSS (#173)
02499c0 Bump @babel/traverse from 7.10.1 to 7.23.7 (#171)
0d88527 docs: update readme with URL support (#146)
e2a3a91 chore: update node version and lock file
5a1fa64 fix typo (#164)
See full diff in compare view

Updates nanoid from 3.3.4 to 3.3.11

Release notes

Sourced from nanoid's releases.

3.3.11

Fixed React Native support.

3.3.10

Fixed React Native support (by @steida).

3.3.9

Reduced npm package size.

Changelog

Sourced from nanoid's changelog.

3.3.11

Fixed React Native support.

3.3.10

Fixed React Native support (by @steida).

3.3.9

Reduced npm package size.

3.3.8

Fixed a way to break Nano ID by passing non-integer size (by @myndzi).

3.3.7

Fixed node16 TypeScript support (by Saadi Myftija).

3.3.6

Fixed package.

3.3.5

Backport funding information.

Commits

37289ce Release 3.3.11 version
23690b7 Fix CI
c147962 Fix RN support
a83734e Move to manually ESM/CJS dual package
bb12e8a Release 3.3.10 version
8f44264 Fix Expo support
adf9b0c Release 3.3.9 version
1c6f088 Remove dev file from npm package
3044cd5 Release 3.3.8 version
4fe3495 Update size limit
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

…dates Bumps the npm_and_yarn group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [pnpm](https://github.com/pnpm/pnpm/tree/HEAD/pnpm) | `8.7.5` | `10.0.0` | | [graphql](https://github.com/graphql/graphql-js) | `16.6.0` | `16.8.1` | | [postcss](https://github.com/postcss/postcss) | `8.4.17` | `8.4.31` | | [es5-ext](https://github.com/medikoo/es5-ext) | `0.10.62` | `0.10.63` | | [serialize-javascript](https://github.com/yahoo/serialize-javascript) | `6.0.1` | `6.0.2` | Updates `pnpm` from 8.7.5 to 10.0.0 - [Release notes](https://github.com/pnpm/pnpm/releases) - [Changelog](https://github.com/pnpm/pnpm/blob/main/pnpm/CHANGELOG.md) - [Commits](https://github.com/pnpm/pnpm/commits/v10.0.0/pnpm) Updates `graphql` from 16.6.0 to 16.8.1 - [Release notes](https://github.com/graphql/graphql-js/releases) - [Commits](graphql/graphql-js@v16.6.0...v16.8.1) Updates `postcss` from 8.4.17 to 8.4.31 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.4.17...8.4.31) Updates `es5-ext` from 0.10.62 to 0.10.63 - [Release notes](https://github.com/medikoo/es5-ext/releases) - [Changelog](https://github.com/medikoo/es5-ext/blob/main/CHANGELOG.md) - [Commits](medikoo/es5-ext@v0.10.62...v0.10.63) Updates `serialize-javascript` from 6.0.1 to 6.0.2 - [Release notes](https://github.com/yahoo/serialize-javascript/releases) - [Commits](yahoo/serialize-javascript@v6.0.1...v6.0.2) Updates `nanoid` from 3.3.4 to 3.3.11 - [Release notes](https://github.com/ai/nanoid/releases) - [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md) - [Commits](ai/nanoid@3.3.4...3.3.11) --- updated-dependencies: - dependency-name: pnpm dependency-version: 10.0.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: graphql dependency-version: 16.8.1 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: postcss dependency-version: 8.4.31 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: es5-ext dependency-version: 0.10.63 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: serialize-javascript dependency-version: 6.0.2 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: nanoid dependency-version: 3.3.11 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Nov 12, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 1 directory with 6 updates#1

chore(deps): bump the npm_and_yarn group across 1 directory with 6 updates#1
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/npm_and_yarn-04532af503

dependabot bot commented on behalf of github Nov 12, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Nov 12, 2025

pnpm 10

Major Changes

10.0.0

Major Changes

v16.8.1 (2023-09-19)

Bug Fix 🐞

Committers: 1

v16.8.0 (2023-08-14)

New Feature 🚀

Committers: 1

v16.7.1 (2023-06-22)

Bug Fix 🐞

Committers: 1

v16.7.0 (2023-06-21)

New Feature 🚀

Bug Fix 🐞

Committers: 3

8.4.31

8.4.30

8.4.29

8.4.28

8.4.27

8.4.26

8.4.25

8.4.24

8.4.23

8.4.22

8.4.21

8.4.20

8.4.19

8.4.18

8.4.31

8.4.30

8.4.29

8.4.28

8.4.27

8.4.26

8.4.25

8.4.24

8.4.23

8.4.22

8.4.21

8.4.20

8.4.19

8.4.18

0.10.63 (2024-02-23)

Bug Fixes

Maintenance Improvements

0.10.63 (2024-02-23)

Bug Fixes

Maintenance Improvements

v6.0.2

3.3.11

3.3.10

3.3.9

3.3.11

3.3.10

3.3.9

3.3.8

3.3.7

3.3.6

3.3.5

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants