
Bump the npm_and_yarn group across 1 directory with 6 updates #96

Merged

LCSOGthb merged 2 commits into main from dependabot/npm_and_yarn/npm_and_yarn-80c2104a30 on Apr 5, 2026

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 5, 2026

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| brace-expansion | 1.1.12 | 1.1.13 |
| minimatch | 3.1.2 | 3.1.5 |
| ajv | 6.12.6 | 6.14.0 |
| flatted | 3.3.3 | 3.4.2 |
| picomatch | 2.3.1 | 2.3.2 |
| picomatch | 4.0.3 | 4.0.4 |
| rollup | 4.50.2 | 4.60.1 |

Updates brace-expansion from 1.1.12 to 1.1.13

Commits

Updates minimatch from 3.1.2 to 3.1.5

Commits

Updates ajv from 6.12.6 to 6.14.0

Commits

Updates flatted from 3.3.3 to 3.4.2

Commits
  • 3bf0909 3.4.2
  • 885ddcc fix CWE-1321
  • 0bdba70 added flatted-view to the benchmark
  • 2a02dce 3.4.1
  • fba4e8f Merge pull request #89 from WebReflection/python-fix
  • 5fe8648 added "when in Rome" also a test for PHP
  • 53517ad some minor improvement
  • b3e2a0c Fixing recursion issue in Python too
  • c4b46db Add SECURITY.md for security policy and reporting
  • f86d071 Create dependabot.yml for version updates
  • Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each version is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

... (truncated)

Commits

Updates picomatch from 4.0.3 to 4.0.4


Commits

Updates rollup from 4.50.2 to 4.60.1

Release notes

Sourced from rollup's releases.

v4.60.1

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

v4.60.0

4.60.0

2026-03-22

Features

  • Support source phase imports as long as they are external (#6279)

Pull Requests

v4.59.1

4.59.1

2026-03-21

Bug Fixes

  • Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

4.60.0

2026-03-22

Features

  • Support source phase imports as long as they are external (#6279)

Pull Requests

4.59.1

2026-03-21

Bug Fixes

  • Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

... (truncated)

Commits

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for rollup since your current version.

Install script changes

This version modifies the prepare script that runs during installation. Review the package contents before updating.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.12` | `1.1.13` |
| [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` |
| [ajv](https://github.com/ajv-validator/ajv) | `6.12.6` | `6.14.0` |
| [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` |
| [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` |
| [picomatch](https://github.com/micromatch/picomatch) | `4.0.3` | `4.0.4` |
| [rollup](https://github.com/rollup/rollup) | `4.50.2` | `4.60.1` |



Updates `brace-expansion` from 1.1.12 to 1.1.13
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v1.1.12...v1.1.13)

Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)

Updates `ajv` from 6.12.6 to 6.14.0
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v6.12.6...v6.14.0)

Updates `flatted` from 3.3.3 to 3.4.2
- [Commits](WebReflection/flatted@v3.3.3...v3.4.2)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `picomatch` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `rollup` from 4.50.2 to 4.60.1
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.50.2...v4.60.1)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 1.1.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ajv
  dependency-version: 6.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 4.60.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) Apr 5, 2026

cloudflare-workers-and-pages Bot commented Apr 5, 2026

Deploying tools with Cloudflare Pages

Latest commit: c939c8f
Status: ✅  Deploy successful!
Preview URL: https://54d6102c.tools-eom.pages.dev
Branch Preview URL: https://dependabot-npm-and-yarn-npm-8zuw.tools-eom.pages.dev

@dependabot dependabot Bot added the javascript (Pull requests that update javascript code) label Apr 5, 2026

vercel Bot commented Apr 5, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| tools | Ready | Preview, Comment | Apr 5, 2026 9:09am |


github-actions Bot commented Apr 5, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.


deepsource-io Bot commented Apr 5, 2026

DeepSource Code Review

We reviewed changes in 610725b...c939c8f on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.


PR Report Card: Overall Grade, Security, Reliability, Complexity, Hygiene (grades shown as images on the original page)

Code Review Summary

All analyzers (Scala, Swift, JavaScript, Ruby, C & C++, C#, Rust, Shell, Terraform, Test coverage, SQL, Secrets, Ansible) reported their review at Apr 5, 2026 9:09 a.m. (UTC).


codacy-production Bot commented Apr 5, 2026

Up to standards ✅

Issues: 0 new issues

Metrics: complexity 0, duplication 0

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.


@codacy-production codacy-production Bot left a comment


Pull Request Overview

This PR performs an automated update of six dependencies (brace-expansion, minimatch, ajv, flatted, picomatch, and rollup) to address several security vulnerabilities (ReDoS, Prototype Pollution) and performance issues. Codacy results indicate that the PR is up to standards with no new quality issues. However, the update only includes changes to 'package-lock.json'. While this typically occurs when the new versions fall within existing semver ranges, the absence of regression testing for critical components like Rollup and globbing logic (minimatch/picomatch) remains a gap in the validation process.

About this PR

  • No test files were modified or added. For dependency updates addressing CVEs (like ReDoS and Prototype Pollution), it is critical to ensure that the integration remains stable and that the updated libraries do not introduce regressions in existing functionality such as globbing or build caching.
  • The PR only includes changes to 'package-lock.json'. While expected if the existing version ranges in 'package.json' allow for these updates, please confirm that root-level dependencies (e.g., rollup, ajv) do not require explicit version updates or pinning in the primary manifest.

Test suggestions

  • Verify that Rollup 4.60.1 correctly handles side-effect imports and caching without regressions, as per the release fixes.
  • Validate that AJV 6.14.0 correctly enforces the new 'regExp' option to prevent $data exploits via regular expressions.
  • Run path-matching unit tests to ensure the minimatch and picomatch updates (which include ReDoS fixes and recursion limits) do not break existing globbing behavior.
  • Ensure the application's build process works across the new platform-specific optional dependencies added for Rollup (e.g., Loong64, OpenBSD).
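The second point in the review above (a lockfile-only bump and whether package.json also needs a change) can be checked mechanically. The script below is an added example, not code from this PR or from any of the bots: it takes the bump table from this PR and a constructed, hypothetical package.json and reports, per bump, whether the package is transitive, inside its declared range, above it (manifest update needed), or an older nested copy. Only exact versions and npm's `^` and `~` ranges are handled; anything else is flagged.

```javascript
// Added example (not part of this PR or any bot's output): classify each version
// bump in a Dependabot PR against the ranges declared in package.json, to answer
// "does the manifest also need a change?". The bump list mirrors this PR's table;
// the manifest below is constructed for illustration.
const bumps = [
  { name: 'brace-expansion', to: '1.1.13' }, { name: 'minimatch', to: '3.1.5' },
  { name: 'ajv', to: '6.14.0' }, { name: 'flatted', to: '3.4.2' },
  { name: 'picomatch', to: '2.3.2' }, { name: 'picomatch', to: '4.0.4' },
  { name: 'rollup', to: '4.60.1' },
];
const manifest = { // hypothetical package.json contents, not the repo's real manifest
  dependencies: { picomatch: '4.0.3' },
  devDependencies: { rollup: '^4.50.2', ajv: '~6.12.0' },
};

const parse = (v) => v.split('.').map(Number);
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Handles exact versions and npm's ^ and ~ ranges; anything else is flagged
// rather than silently accepted. Returns where `version` falls relative to `range`.
function classify(version, range) {
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  if (!m) return 'unrecognised-range';
  const op = m[1], base = [+m[2], +m[3], +m[4]], v = parse(version);
  if (cmp(v, base) < 0) return 'below-range';          // older than the floor
  if (op === '') return cmp(v, base) === 0 ? 'in-range' : 'above-range';
  let upper;                                           // exclusive upper bound
  if (op === '~') upper = [base[0], base[1] + 1, 0];   // ~1.2.3 -> <1.3.0
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0];   // ^1.2.3 -> <2.0.0
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];   // ^0.2.3 -> <0.3.0
  else upper = [0, 0, base[2] + 1];                    // ^0.0.3 -> <0.0.4
  return cmp(v, upper) < 0 ? 'in-range' : 'above-range';
}

// 'transitive': not declared in the manifest, so a lockfile-only change is expected.
// 'above-range': the lock now carries a version the manifest does not allow, so
//   package.json must be updated (or the lock was edited by hand).
// 'below-range': an older nested copy of a direct dependency is still in the tree.
function review(bumpList, pkg) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return bumpList.map(({ name, to }) => {
    const range = declared[name];
    const status = range === undefined ? 'transitive' : classify(to, range);
    return { name, to, range, status };
  });
}
for (const r of review(bumps, manifest)) console.log(r);
```

With the constructed manifest, rollup lands in range while ajv and picomatch 4.0.4 come out above their declared ranges, which is exactly the case where a lockfile-only PR would leave package.json inconsistent.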


sonarqubecloud Bot commented Apr 5, 2026

@LCSOGthb LCSOGthb self-assigned this Apr 5, 2026
@LCSOGthb LCSOGthb merged commit d3b25a4 into main Apr 5, 2026
28 of 30 checks passed
@LCSOGthb LCSOGthb deleted the dependabot/npm_and_yarn/npm_and_yarn-80c2104a30 branch April 5, 2026 09:12