chore(deps): bump the npm_and_yarn group across 2 directories with 15 updates

[dependabot]

Bumps the npm_and_yarn group with 14 updates in the / directory:

Package	From	To
esbuild	0.24.2	0.25.0
vite	5.4.11	5.4.21
vitest	2.1.8	2.1.9
@eslint/plugin-kit	0.2.5	0.2.8
@octokit/endpoint	10.1.2	10.1.4
@octokit/plugin-paginate-rest	11.3.6	11.6.0
@octokit/request-error	6.1.6	6.1.8
@octokit/request	9.1.4	9.2.4
brace-expansion	1.1.11	1.1.12
js-yaml	4.1.0	4.1.1
lodash	4.17.21	4.17.23
tar-fs	2.1.1	2.1.4
tar	7.4.3	7.5.9
undici	5.28.4	5.29.0

Bumps the npm_and_yarn group with 1 update in the /test/node/test/a directory: semver.

Updates esbuild from 0.24.2 to 0.25.0

Release notes

Sourced from esbuild's releases.

v0.25.0

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.24.0 or ~0.24.0. See npm's documentation about semver for more information.

• Restrict access to esbuild's development server (GHSA-67mh-4wv8-2f99)

  This change addresses esbuild's first security vulnerability report. Previously esbuild set the Access-Control-Allow-Origin header to * to allow esbuild's development server to be flexible in how it's used for development. However, this allows the websites you visit to make HTTP requests to esbuild's local development server, which gives read-only access to your source code if the website were to fetch your source code's specific URL. You can read more information in the report.

  Starting with this release, CORS will now be disabled, and requests will now be denied if the host does not match the one provided to --serve=. The default host is 0.0.0.0, which refers to all of the IP addresses that represent the local machine (e.g. both 127.0.0.1 and 192.168.0.1). If you want to customize anything about esbuild's development server, you can put a proxy in front of esbuild and modify the incoming and/or outgoing requests.

  In addition, the serve() API call has been changed to return an array of hosts instead of a single host string. This makes it possible to determine all of the hosts that esbuild's development server will accept.

  Thanks to @​sapphi-red for reporting this issue.

• Delete output files when a build fails in watch mode (#3643)

  It has been requested for esbuild to delete files when a build fails in watch mode. Previously esbuild left the old files in place, which could cause people to not immediately realize that the most recent build failed. With this release, esbuild will now delete all output files if a rebuild fails. Fixing the build error and triggering another rebuild will restore all output files again.

• Fix correctness issues with the CSS nesting transform (#3620, #3877, #3933, #3997, #4005, #4037, #4038)

  This release fixes the following problems:

  • Naive expansion of CSS nesting can result in an exponential blow-up of generated CSS if each nesting level has multiple selectors. Previously esbuild sometimes collapsed individual nesting levels using :is() to limit expansion. However, this collapsing wasn't correct in some cases, so it has been removed to fix correctness issues.

    /* Original code */
    .parent {
      > .a,
      > .b1 > .b2 {
        color: red;
      }
    }
    /* Old output (with --supported:nesting=false) */
    .parent > :is(.a, .b1 > .b2) {
    color: red;
    }
    /* New output (with --supported:nesting=false) */
    .parent > .a,
    .parent > .b1 > .b2 {
    color: red;
    }

    Thanks to @​tim-we for working on a fix.

  • The & CSS nesting selector can be repeated multiple times to increase CSS specificity. Previously esbuild ignored this possibility and incorrectly considered && to have the same specificity as &. With this release, this should now work correctly:

    /* Original code (color should be red) */

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2024

This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).

Commits

• e9174d6 publish 0.25.0 to npm
• c27dbeb fix hosts in plugin-tests.js
• 6794f60 fix hosts in node-unref-tests.js
• de85afd Merge commit from fork
• da1de1b fix #4065: bitwise operators can return bigints
• f4e9d19 switch case liveness: default is always last
• 7aa47c3 fix #4028: minify live/dead switch cases better
• 22ecd30 minify: more constant folding for strict equality
• 4cdf03c fix #4053: reordering of .tsx in node_modules
• dc71977 fix #3692: 0 now picks a random ephemeral port
• Additional commits viewable in compare view

Updates vite from 5.4.11 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

v5.4.19

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970) (cad1d31), closes #20968 #20970
• chore: update CHANGELOG (ca88ed7)

5.4.20 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (482000f), closes #20736
• fix: port sirv@3.0.2 changes to sirv@2.0.4 (#20737) (4f1c35b), closes #20737

5.4.19 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19966) (766947e), closes #19965 #19966

5.4.18 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19831) (823675b), closes #19830 #19831

5.4.17 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19784) (84b2b46), closes #19782 #19784

5.4.16 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19762) (b627c50), closes #19761 #19762

5.4.15 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19703) (807d7f0), closes #19702 #19703

5.4.14 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (9df6e6b), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (7d1699c), closes #19249

... (truncated)

Commits

• adce3c2 release: v5.4.21
• cad1d31 fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970)
• ca88ed7 chore: update CHANGELOG
• 997700f release: v5.4.20
• 482000f fix: apply fs.strict check to HTML files (#20736)
• 80a333a release: v5.4.19
• 766947e fix: backport #19965, check static serve file inside sirv (#19966)
• 731b77d release: v5.4.18
• 823675b fix: backport #19830, reject requests with # in request-target (#19831)
• 0a2518a release: v5.4.17
• Additional commits viewable in compare view

Updates vitest from 2.1.8 to 2.1.9

Release notes

Sourced from vitest's releases.

v2.1.9

This release includes security patches for:

• Browser mode serves arbitrary files | CVE-2025-24963
• Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964

   🐞 Bug Fixes

• backport vitest-dev/vitest#7317 to v2 - by @​hi-ogawa in vitest-dev/vitest#7318
• (backport #7340 to v2) restrict served files from /__screenshot-error - by @​hi-ogawa in vitest-dev/vitest#7343

    View changes on GitHub

Commits

• c9e59a0 chore: release v2.1.9
• e0fe1d8 fix: backport #7317 to v2 (#7318)
• See full diff in compare view

Updates @eslint/plugin-kit from 0.2.5 to 0.2.8

Release notes

Sourced from @​eslint/plugin-kit's releases.

plugin-kit: v0.2.8

0.2.8 (2025-04-01)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/core bumped from ^0.12.0 to ^0.13.0

plugin-kit: v0.2.7

0.2.7 (2025-02-21)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/core bumped from ^0.11.0 to ^0.12.0

plugin-kit: v0.2.6

0.2.6 (2025-01-31)

Bug Fixes

• CommonJS types in all packages (#148) (c91866c)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/core bumped from ^0.10.0 to ^0.11.0

Changelog

Sourced from @​eslint/plugin-kit's changelog.

0.2.8 (2025-04-01)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/core bumped from ^0.12.0 to ^0.13.0

0.2.7 (2025-02-21)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/core bumped from ^0.11.0 to ^0.12.0

0.2.6 (2025-01-31)

Bug Fixes

• CommonJS types in all packages (#148) (c91866c)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/core bumped from ^0.10.0 to ^0.11.0

Commits

• 1615a01 chore: release main (#174)
• 6199b6e docs: Update README sponsors
• 1f9c609 docs: Update README sponsors
• 473c962 docs: Update README sponsors
• a48aa6a docs: Update README sponsors
• 49d1d20 docs: Update README sponsors
• 3e9b0eb chore: release main (#157)
• d4a04b9 docs: Update README sponsors
• 94eefd0 docs: Update README sponsors
• a57dd45 docs: Update README sponsors
• Additional commits viewable in compare view

Updates @octokit/endpoint from 10.1.2 to 10.1.4

Release notes

Sourced from @​octokit/endpoint's releases.

v10.1.4

10.1.4 (2025-04-10)

Bug Fixes

• deps: update dependency @​octokit/types to v14 (#523) (ca8c366)

v10.1.3

10.1.3 (2025-02-13)

Bug Fixes

• Fix a ReDos vulnerability, reported by @​DayShift (6c9c5be)

Commits

• ca8c366 fix(deps): update dependency @​octokit/types to v14 (#523)
• 7b9a884 maint: cleanup package.json and use Node LTS instead of v16 (#519)
• bcc0f97 build(deps): bump vite from 6.1.0 to 6.2.5 (#522)
• 255c59d ci(action): update actions/create-github-app-token action to v2 (#521)
• adeee3e chore(deps): update dependency prettier to v3.5.3 (#518)
• ea60e07 chore(deps): update dependency semantic-release-plugin-update-version-in-file...
• 8f43346 chore(deps): update dependency prettier to v3.5.2 (#517)
• 2209b07 chore(deps): update dependency prettier to v3.5.1 (#513)
• d6cf1ad fix: linting issues breaking ci (#514)
• 6c9c5be Merge commit from fork
• Additional commits viewable in compare view

Updates @octokit/plugin-paginate-rest from 11.3.6 to 11.6.0

Release notes

Sourced from @​octokit/plugin-paginate-rest's releases.

v11.6.0

11.6.0 (2025-03-18)

Features

• new /orgs/{org}/issue-types, /orgs/{org}/issue-types/{issue_type_id} enpoints (#666) (1f44b54)

v11.5.0

11.5.0 (2025-03-18)

Features

• new GET /orgs/{org}/actions/hosted-runners, GET /orgs/{org}/actions/runner-groups/{runner_group_id}/hosted-runners, GET /orgs/{org}/rulesets/{ruleset_id}/history, GET /orgs/{org}/settings/network-configurations, GET /repos/{owner}/{repo}/rulesets/{ruleset_id}/history endpoints (#649) (ef30a05)

v11.4.4-cjs.2

11.4.4-cjs.2 (2025-02-26)

[!IMPORTANT] This is a special release to backport newer changes to CJS and address a ReDos vulnerability

Bug Fixes

• deps: update @octokit/plugin-rest-endpoint-methods (2c70eaf)

v11.4.4-cjs.1

11.4.4-cjs.1 (2025-02-26)

[!IMPORTANT] This is a special release to backport newer changes to CJS and address a ReDos vulnerability

Bug Fixes

• release: set prerelease flag for correct channel (ce534d9) See octokit/plugin-paginate-rest.js@v11.3.1...v11.4.4-cjs.1 for the full comparision

Reverts

• Revert "docs(README): update examples to use ESM (#611)" (1389b71)
• Revert "feat: package is now ESM (#596)" (64ba6f4)
• Revert "fix(pkg): add default fallback and types export (#612)" (27a8552)

v11.4.3

... (truncated)

Commits

• 1f44b54 feat: new /orgs/{org}/issue-types, `/orgs/{org}/issue-types/{issue_type_id}...
• ef30a05 feat: new GET /orgs/{org}/actions/hosted-runners, `GET /orgs/{org}/actions/...
• fbadb74 chore(deps): update dependency prettier to v3.5.3 (#665)
• 1c297ca chore(deps): update dependency semantic-release-plugin-update-version-in-file...
• 60d26d9 chore(deps): update dependency prettier to v3.5.2 (#664)
• 9a51aad fix(types): correct pagination return type for data which is an array (#662)
• 8b8c500 fix(types): add back the pagination keys (#653)
• 41876f4 chore(deps): update dependency prettier to v3.5.1 (#658)
• 7d1fade fix: mitigate ReDos issues & linting issues (#659)
• bb6c4f9 Merge commit from fork
• Additional commits viewable in compare view

Updates @octokit/request-error from 6.1.6 to 6.1.8

Release notes

Sourced from @​octokit/request-error's releases.

v6.1.8

6.1.8 (2025-04-10)

Bug Fixes

• deps: update dependency @​octokit/types to v14 (#505) (ab4ea7b)

v6.1.7

6.1.7 (2025-02-13)

Bug Fixes

• ReDos regex vulnerability, reported by @​DayShift (d558320874a4bc8d356babf1079e6f0056a59b9e)

Commits

• ab4ea7b fix(deps): update dependency @​octokit/types to v14 (#505)
• 7eba3d2 chore(deps): update dependency tinybench to v4 (#501)
• 549624b build(deps): bump vite from 6.2.2 to 6.2.5 (#504)
• 11c1adc build(deps): lock file maintenance (#502)
• de5f24d chore(deps): update dependency prettier to v3.5.3 (#499)
• ef66347 build(deps): lock file maintenance (#500)
• 787201d build(deps): lock file maintenance (#498)
• 5ab6a76 chore(deps): update dependency prettier to v3.5.2 (#497)
• f8f8c4a build(deps): lock file maintenance (#496)
• eee2491 chore(deps): update dependency prettier to v3.5.1 (#493)
• Additional commits viewable in compare view

Updates @octokit/request from 9.1.4 to 9.2.4

Release notes

Sourced from @​octokit/request's releases.

v9.2.4

9.2.4 (2025-06-20)

Bug Fixes

• pkg: unreplaced version number in dist-bundle/ (#765) (afa9d09)

v9.2.3

9.2.3 (2025-04-10)

Bug Fixes

• deps: update dependency @​octokit/types to v14 (#753) (7d576b0)

v9.2.2

9.2.2 (2025-02-14)

Bug Fixes

• deps: update dependency @​octokit/request-error to v6.1.7 [security] (#740) (4b2f485)

v9.2.1

9.2.1 (2025-02-13)

Bug Fixes

• mitigate ReDos vulnerabilities & lint (#738) (6bb29ba)

v9.2.0

9.2.0 (2025-01-16)

Features

• correctly parse response bodies as JSON where the Content-Type is application/scim+json (#731) (00bf316)

Commits

• afa9d09 fix(pkg): unreplaced version number in dist-bundle/ (#765)
• 3773e64 ci: replace OCTOKITBOT_PROJECT_ACTION_TOKEN and OCTOKITBOT_PAT with a tok...
• 7d576b0 fix(deps): update dependency @​octokit/types to v14 (#753)
• c9bfc37 build(deps): bump vite from 6.1.0 to 6.2.5 (#750)
• f7b9616 ci(prettier): use Node LTS instead of Node 16 (#748)
• 1955847 chore(deps): update dependency prettier to v3.5.3 (#745)
• b71107b chore(deps): update dependency semantic-release-plugin-update-version-in-file...
• c855943 chore(deps): update dependency prettier to v3.5.2 (#743)
• 4b2f485 fix(deps): update dependency @​octokit/request-error to v6.1.7 [security] (#740)
• 0320a42 chore(deps): update dependency prettier to v3.5.1 (#737)
• Additional commits viewable in compare view

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates tar-fs from 2.1.1 to 2.1.4

Commits

• f421a23 2.1.4
• c412fa1 refactor to same pattern as v3
• 4b7e868 2.1.3
• 266194b hardlink tweak from main
• d97731b 2.1.2
• fd1634e symlink tweak from main
• See full diff in compare view

Updates tar from 7.4.3 to 7.5.9

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• 1f0c2c9 7.5.9
• fbb0851 build minified version as default export
• 6b8eba0 7.5.8
• 2cb1120 fix(unpack): improve UnpackSync symlink error "into" path accuracy
• d18e4e1 fix: do not write linkpaths through symlinks
• 4a37eb9 7.5.7
• f4a7aa9 fix: properly sanitize hard links containing ..
• 394ece6 7.5.6
• 7d4cc17 fix race puting a Link ahead of its target File
• 26ab904 7.5.5
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates undici from 5.28.4 to 5.29.0

Release notes

Sourced from undici's releases.

v5.29.0

What's Changed

• Fix tests in v5.x for Node 20 by @​mcollina in nodejs/undici#4104
• Removed clients with unrecoverable errors from the Pool nodejs/undici#4088

Full Changelog: nodejs/undici@v5.28.5...v5.29.0

v5.28.5

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

Full Changelog: nodejs/undici@v5.28.4...v5.28.5

Commits

• 9528f68 Bumped v5.29.0
• f1d75a4 increase timeout for redirect test
• 2d31ed6 remove fuzzing tests
• 6b36d49 fix redirect test in Node v16
• 648dd8f more fix for the wpt runner on Windows
• a0516ba don't use internal header state for cookies (#3295)
• 87ce4af fix test/client for node 20
• c2c8fd5 fix: accept v20 SSL specific error for alpn selection in http/2
• 82200bd [v6.x] fix wpts on windows (#4093)
• 47546fa test: fix windows wpt (#4050)
• Additional commits viewable in compare view

Updates semver from 7.3.2 to 7.5.2

Release notes

Sourced from semver's releases.

v7.5.2

7.5.2 (2023-06-15)

Bug Fixes

• 58c791f #566 diff when detecting major change from prerelease (#566) (@​lukekarrys)
• 5c8efbc #565 preserve build in raw after inc (#565) (@​lukekarrys)
• 717534e #564 better handling of whitespace (#564) (@​lukekarrys)

v7.5.1

7.5.1 (2023-05-12)

Bug Fixes

• d30d25a #559 show type on invalid semver error (#559) (@​tjenkinson)

v7.5.0

7.5.0 (2023-04-17)

Features

• 503a4e5 #548 allow identifierBase to be false (#548) (@​lsvalina)

Bug Fixes

• e219bb4 #552 throw on bad version with correct error message (#552) (@​wraithgar)
• fc2f3df #546 incorrect results from diff sometimes with prerelease versions (#546) (@​tjenkinson)
• 2781767 #547 avoid re-instantiating SemVer during diff compare (#547) (@​macno)

v7.4.0

7.4.0 (2023-04-10)

Features

• 113f513 #532 identifierBase parameter for .inc (#532) (@​wraithgar, @​b-bly)
• 48d8f8f #530 export new RELEASE_TYPES constant (@​hcharley)

Bug Fixes

• 940723d #538 intersects with v0.0.0 and v0.0.0-0 (#538) (@​wraithgar)
• aa516b5 #535 faster parse options (#535) (@​H4ad)
• 61e6ea1 #536 faster cache key factory for range (#536) (@​H4ad)
• f8b8b61 #541 optimistic parse (#541) (@​H4ad)
• 796cbe2 #533 semver.diff prerelease to release recognition (#533) (@​wraithgar, @​dominique-blockchain)
• 3f222b1 #537 reuse comparators on subset (

[dependabot]

Superseded by #4.