Bump the npm_and_yarn group across 1 directory with 10 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates in the / directory:

Package	From	To
esbuild	0.14.54	0.25.4
@web/dev-server-esbuild	0.3.3	1.0.4
ip	1.1.9	removed
@open-wc/testing	3.1.7	3.2.2
@web/dev-server	0.1.35	0.4.6
@web/test-runner	0.15.0	0.20.1
koa	2.13.4	2.16.1

Updates esbuild from 0.14.54 to 0.25.4

Release notes

Sourced from esbuild's releases.

v0.25.4

• Add simple support for CORS to esbuild's development server (#4125)

  Starting with version 0.25.0, esbuild's development server is no longer configured to serve cross-origin requests. This was a deliberate change to prevent any website you visit from accessing your running esbuild development server. However, this change prevented (by design) certain use cases such as "debugging in production" by having your production website load code from localhost where the esbuild development server is running.

  To enable this use case, esbuild is adding a feature to allow Cross-Origin Resource Sharing (a.k.a. CORS) for simple requests. Specifically, passing your origin to the new cors option will now set the Access-Control-Allow-Origin response header when the request has a matching Origin header. Note that this currently only works for requests that don't send a preflight OPTIONS request, as esbuild's development server doesn't currently support OPTIONS requests.

  Some examples:

  • CLI:

    esbuild --servedir=. --cors-origin=https://example.com
    

  • JS:

    const ctx = await esbuild.context({})
    await ctx.serve({
      servedir: '.',
      cors: {
        origin: 'https://example.com',
      },
    })

  • Go:

    ctx, _ := api.Context(api.BuildOptions{})
    ctx.Serve(api.ServeOptions{
      Servedir: ".",
      CORS: api.CORSOptions{
        Origin: []string{"https://example.com"},
      },
    })

  The special origin * can be used to allow any origin to access esbuild's development server. Note that this means any website you visit will be able to read everything served by esbuild.

• Pass through invalid URLs in source maps unmodified (#4169)

  This fixes a regression in version 0.25.0 where sources in source maps that form invalid URLs were not being passed through to the output. Version 0.25.0 changed the interpretation of sources from file paths to URLs, which means that URL parsing can now fail. Previously URLs that couldn't be parsed were replaced with the empty string. With this release, invalid URLs in sources should now be passed through unmodified.

• Handle exports named __proto__ in ES modules (#4162, #4163)

  In JavaScript, the special property name __proto__ sets the prototype when used inside an object literal. Previously esbuild's ESM-to-CommonJS conversion didn't special-case the property name of exports named __proto__ so the exported getter accidentally became the prototype of the object literal. It's unclear what this affects, if anything, but it's better practice to avoid this by using a computed property name in this case.

  This fix was contributed by @​magic-akari.

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2022

This changelog documents all esbuild versions published in the year 2022 (versions 0.14.11 through 0.16.12).

0.16.12

• Loader defaults to js for extensionless files (#2776)

  Certain packages contain files without an extension. For example, the yargs package contains the file yargs/yargs which has no extension. Node, Webpack, and Parcel can all understand code that imports yargs/yargs because they assume that the file is JavaScript. However, esbuild was previously unable to understand this code because it relies on the file extension to tell it how to interpret the file. With this release, esbuild will now assume files without an extension are JavaScript files. This can be customized by setting the loader for "" (the empty string, representing files without an extension) to another loader. For example, if you want files without an extension to be treated as CSS instead, you can do that like this:

  • CLI:

    esbuild --bundle --loader:=css
    

  • JS:

    esbuild.build({
      bundle: true,
      loader: { '': 'css' },
    })

  • Go:

    api.Build(api.BuildOptions{
      Bundle: true,
      Loader: map[string]api.Loader{"": api.LoaderCSS},
    })

  In addition, the "type" field in package.json files now only applies to files with an explicit .js, .jsx, .ts, or .tsx extension. Previously it was incorrectly applied by esbuild to all files that had an extension other than .mjs, .mts, .cjs, or .cts including extensionless files. So for example an extensionless file in a "type": "module" package is now treated as CommonJS instead of ESM.

0.16.11

• Avoid a syntax error in the presence of direct eval (#2761)

  The behavior of nested function declarations in JavaScript depends on whether the code is run in strict mode or not. It would be problematic if esbuild preserved nested function declarations in its output because then the behavior would depend on whether the output was run in strict mode or not instead of respecting the strict mode behavior of the original source code. To avoid this, esbuild transforms nested function declarations to preserve the intended behavior of the original source code regardless of whether the output is run in strict mode or not:

  // Original code
  if (true) {
    function foo() {}
    console.log(!!foo)
    foo = null
    console.log(!!foo)
  }

... (truncated)

Commits

• 218d29e publish 0.25.4 to npm
• e66cd0b dev server: simple support for CORS requests (#4171)
• 8bf3368 js api: validate some options as arrays of strings
• 1e7375a js api: simplify comma-separated array validation
• 5f5964d release notes for #4163
• adb5284 fix: handle __proto__ as a computed property in exports and add tests for s...
• 0aa9f7b fix #4169: keep invalid source map URLs unmodified
• 5959289 add additional guards for #4114 when using :is()
• 677910b publish 0.25.3 to npm
• a41040e fix #4110: support custom non-IP host values
• Additional commits viewable in compare view

Updates @web/dev-server-esbuild from 0.3.3 to 1.0.4

Release notes

Sourced from @​web/dev-server-esbuild's releases.

@​web/dev-server-esbuild@​1.0.4

Patch Changes

• d826727: upgrade esbuild to 0.25.x

@​web/dev-server-esbuild@​1.0.3

Patch Changes

• f506af31: Upgrade esbuild to 0.24.x
• Updated dependencies [fb33d75c]
  • @​web/dev-server-core@​0.7.4

Changelog

Sourced from @​web/dev-server-esbuild's changelog.

1.0.4

Patch Changes

• d826727: upgrade esbuild to 0.25.x

1.0.3

Patch Changes

• f506af31: Upgrade esbuild to 0.24.x
• Updated dependencies [fb33d75c]
  • @​web/dev-server-core@​0.7.4

1.0.2

Patch Changes

• fix: update @​web/dev-server-core

1.0.1

Patch Changes

• e31de569: Update @web/dev-server-rollup to latest version

1.0.0

Major Changes

• 8218a0a5: Update ESBuild to latest version.

  ESBuild has changed how TypeScript decorators are enabled in preparation for JavaScript decorators to land in browsers. ESBuild now requires the experimentalDecorators key to be set to true in the tsconfig.json for TypeScript decorators to be enabled.

  If you are having issues with decorators after updating to this version, try setting the experimentalDecorators key in your tsconfig.json.

Minor Changes

• c185cbaa: Set minimum node version to 18

Patch Changes

• Updated dependencies [c185cbaa]
  • @​web/dev-server-core@​0.7.0

0.4.4

Patch Changes

• ef6b2543: Use split versions for all lit dependencies

... (truncated)

Commits

• 3a6bf8f Version Packages
• d826727 fix: upgrade esbuild to 0.25.x
• 5f4f351 Version Packages
• dc23517 chore: bump esbuild to 0.24.0
• f506af3 chore: upgrade esbuild to 0.20.x
• 03f3c6f Version Packages
• 54d65a4 ci: align reporters across all packages
• 90e4472 ci: use workspaces to run node tests
• 0780a22 Version Packages
• ce40a8f update @​web/dev-server-rollup in more places
• Additional commits viewable in compare view

Removes ip

Updates @open-wc/testing from 3.1.7 to 3.2.2

Release notes

Sourced from @​open-wc/testing's releases.

@​open-wc/testing@​3.2.2

Patch Changes

• e94ca9aa: chore(testing): remove unused dependencies"

@​open-wc/testing@​3.2.1

Patch Changes

• 84e38ab1: Use split versions for all lit dependencies
• Updated dependencies [84e38ab1]
  • @​open-wc/testing-helpers@​2.3.1

@​open-wc/testing@​3.1.8

Patch Changes

• 91a5d224: fix(deps): update dependency @​types/chai-dom to v1
• Updated dependencies [077d07eb]
  • @​open-wc/testing-helpers@​2.2.1

Changelog

Sourced from @​open-wc/testing's changelog.

3.2.2

Patch Changes

• e94ca9aa: chore(testing): remove unused dependencies"

3.2.1

Patch Changes

• 84e38ab1: Use split versions for all lit dependencies
• Updated dependencies [84e38ab1]
  • @​open-wc/testing-helpers@​2.3.1

3.2.0

Minor Changes

• 935c8ffe: Drop support for Node@14

Patch Changes

• 3289e0eb: Add oneDefaultPreventedEvent export into testing package and no-side-effect indexes
• Updated dependencies [935c8ffe]
• Updated dependencies [3289e0eb]
• Updated dependencies [80c6ae66]
  • chai-a11y-axe@1.5.0
  • @​open-wc/semantic-dom-diff@​0.20.0
  • @​open-wc/testing-helpers@​2.3.0

3.1.8

Patch Changes

• 91a5d224: fix(deps): update dependency @​types/chai-dom to v1
• Updated dependencies [077d07eb]
  • @​open-wc/testing-helpers@​2.2.1

Commits

• c4debdd Version Packages (#2737)
• e94ca9a chore(testing): remove unused dependencies (#2736)
• d91a621 Version Packages
• 14e4270 feat: new a11y rules (#2686)
• 57ddb3c Version Packages
• 3289e0e fix(testing|testing-helpers): export oneDefaultPreventedEvent through testing...
• 74f51a7 Version Packages
• f077923 fix(deps): update dependency @​types/chai-dom to v1
• See full diff in compare view

Updates @web/dev-server from 0.1.35 to 0.4.6

Release notes

Sourced from @​web/dev-server's releases.

@​web/dev-server@​0.4.6

Patch Changes

• 39ff6ffb: replace ip dependency due to security bug CVE-2024-29415

@​web/dev-server@​0.4.5

Patch Changes

• fix: update @​web/dev-server-core

@​web/dev-server@​0.4.4

Patch Changes

• d2dbb7b1: fix: sb windows path

@​web/dev-server@​0.4.3

Patch Changes

• e657791f: Vulnerability fix in ip package. For more info, see:

  • GHSA-78xj-cgh5-2h22
  • indutny/node-ip#136

@​web/dev-server-hmr@​0.4.1

Patch Changes

• fix: update @​web/dev-server-core

@​web/dev-server-import-maps@​0.2.1

Patch Changes

• fix: update @​web/dev-server-core

Changelog

Sourced from @​web/dev-server's changelog.

0.4.6

Patch Changes

• 39ff6ffb: replace ip dependency due to security bug CVE-2024-29415

0.4.5

Patch Changes

• fix: update @​web/dev-server-core

0.4.4

Patch Changes

• d2dbb7b1: fix: sb windows path

0.4.3

Patch Changes

• e657791f: Vulnerability fix in ip package. For more info, see:

  • GHSA-78xj-cgh5-2h22
  • indutny/node-ip#136

0.4.2

Patch Changes

• 649edc2b: Add option to modify chokidar watchOptions with @​web/dev-server
• Updated dependencies [649edc2b]
  • @​web/dev-server-core@​0.7.1

0.4.1

Patch Changes

• e31de569: Update @web/dev-server-rollup to latest version

0.4.0

Minor Changes

• c185cbaa: Set minimum node version to 18

Patch Changes

... (truncated)

Commits

• 50adf1c Version Packages
• 39ff6ff fix: replace ip dependency due to security bug CVE-2024-29415
• 03f3c6f Version Packages
• 553d0c7 Version Packages
• 9dd1013 Update puppeteer to version 22.0.0
• 5b00600 Version Packages
• e657791 fix: remove vulnerability by updating ip package
• 6a1ed05 Version Packages
• fa46b6c feat: Add option to modify chokidar watchOptions with @​web/dev-server
• 90e4472 ci: use workspaces to run node tests
• Additional commits viewable in compare view

Updates @web/test-runner from 0.15.0 to 0.20.1

Release notes

Sourced from @​web/test-runner's releases.

@​web/test-runner@​0.20.1

Patch Changes

• 24e3290: Improve debug message for test runner uncaught exceptions

  This should make debugging easier. It wasn't very easy to figure out where the errors originated from (because of how the actual uncaught exception only happened with many concurrent builds inside a sandbox environment that is hard to debug).

• Updated dependencies [79b0ba4]

  • @​web/test-runner-chrome@​0.18.1

@​web/test-runner@​0.20.0

Minor Changes

• 86eaa21: Upgrade puppeteer version to v24

Patch Changes

• Updated dependencies [86eaa21]
  • @​web/test-runner-chrome@​0.18.0

@​web/test-runner@​0.19.0

Minor Changes

• b546e8b5: Upgrade puppeteer-core and puppeteer to v23

Patch Changes

• Updated dependencies [b546e8b5]
  • @​web/test-runner-chrome@​0.17.0

@​web/test-runner@​0.18.3

Patch Changes

• 6914f3b6: Show suites names for summaryReporter when flatten option is true

@​web/test-runner@​0.18.2

Patch Changes

• 6a97a691: Unify visual-written representation of skipped tests.

@​web/test-runner@​0.18.1

Patch Changes

• Updated dependencies [4cc90648]
  • @​web/test-runner-chrome@​0.16.0

@​web/test-runner-chrome@​0.18.1

... (truncated)

Changelog

Sourced from @​web/test-runner's changelog.

0.20.1

Patch Changes

• 24e3290: Improve debug message for test runner uncaught exceptions

  This should make debugging easier. It wasn't very easy to figure out where the errors originated from (because of how the actual uncaught exception only happened with many concurrent builds inside a sandbox environment that is hard to debug).

• Updated dependencies [79b0ba4]

  • @​web/test-runner-chrome@​0.18.1

0.20.0

Minor Changes

• 86eaa21: Upgrade puppeteer version to v24

Patch Changes

• Updated dependencies [86eaa21]
  • @​web/test-runner-chrome@​0.18.0

0.19.0

Minor Changes

• b546e8b5: Upgrade puppeteer-core and puppeteer to v23

Patch Changes

• Updated dependencies [b546e8b5]
  • @​web/test-runner-chrome@​0.17.0

0.18.3

Patch Changes

• 6914f3b6: Show suites names for summaryReporter when flatten option is true

0.18.2

Patch Changes

• 6a97a691: Unify visual-written representation of skipped tests.

0.18.1

... (truncated)

Commits

• db00ed5 Version Packages
• 24e3290 refactor: improve debug message for test runner uncaught exceptions
• f00a581 Version Packages
• fcb71cd Version Packages
• 8834ad8 Version Packages
• d5ae228 Version Packages (#2803)
• 9a88d83 Version Packages (#2774)
• 6914f3b fix(test-runner): show suites for summaryReporter({ flatten: true }) (#2773)
• 03f3c6f Version Packages
• 43eb130 fix(test-runner): unify visual-written representation of skipped tests
• Additional commits viewable in compare view

Updates koa from 2.13.4 to 2.16.1

Release notes

Sourced from koa's releases.

v2.16.1

fix: don't render redirect values in anchor ref

2.16.0

This is a backported release to fix core underlying issue with HEAD requests when using http2.createSecureServer. See discussion at koajs/koa#1593 and koajs/koa#1547.

• fix missing cleanup, if response socket is no longer writeable (issue 1547) (koajs/koa#1593) 399cb6b0dd2104224c0ef0ce8e92f84e4f7faf42

2.15.4

Full Changelog: koajs/koa@2.15.3...2.15.4

Fix: avoid redos on host and protocol getter, see GHSA-593f-38f6-jp5m

Commits

• ba14822 2.16.1
• 2ff6c3f 2.16.0
• 3d51d03 ci: allow codecov to fail
• eb84d89 fix: don't render redirect values in anchor ref
• 5f294bb Merge commit from fork
• 77cbf2e Release 2.15.3
• 1fad597 fix: require URL from 'url' module (#1809)
• ddbff30 Release 2.15.2
• 94e8def fix: handle upper case protocol like HTTP or HTTPS (#1806)
• 549455d Release 2.15.1
• Additional commits viewable in compare view

Updates ws from 7.5.9 to 7.5.10

Release notes

Sourced from ws's releases.

7.5.10

Bug fixes

• Backported e55e5106 to the 7.x release line (22c28763).

Commits

• d962d70 [dist] 7.5.10
• 22c2876 [security] Fix crash when the Upgrade header cannot be read (#2231)
• See full diff in compare view

Updates rollup from 2.79.1 to 4.41.0

Release notes

Sourced from rollup's releases.

v4.41.0

4.41.0

2025-05-18

Features

• Detect named exports in more dynamic import scenarios (#5954)

Pull Requests

• #5949: ci: use node 24 (@​btea, @​lukastaegert)
• #5951: chore(deps): update dependency pretty-bytes to v7 (@​renovate[bot])
• #5952: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #5953: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #5954: enhance tree-shaking for dynamic imports (@​TrickyPi, @​renovate[bot], @​lukastaegert)
• #5957: chore(deps): update dependency lint-staged to v16 (@​renovate[bot], @​lukastaegert)
• #5958: fix(deps): update rust crate swc_compiler_base to v20 (@​renovate[bot], @​lukastaegert)
• #5959: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #5960: Use spawn to run CLI tests (@​lukastaegert)

v4.40.2

4.40.2

2025-05-06

Bug Fixes

• Create correct IIFE/AMD/UMD bundles when using a mutable default export (#5934)
• Fix execution order when using top-level await for dynamic imports with inlineDynamicImports (#5937)
• Throw when the output is watched in watch mode (#5939)

Pull Requests

• #5934: fix(exports): avoid "exports is not defined" ReferenceError (@​dasa)
• #5937: consider TLA imports have higher execution priority (@​TrickyPi)
• #5939: fix: watch mode input should not be an output subpath (@​btea)
• #5940: chore(deps): update dependency vite to v6.3.4 [security] (@​renovate[bot])
• #5941: chore(deps): update dependency eslint-plugin-unicorn to v59 (@​renovate[bot])
• #5942: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #5943: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])

v4.40.1

4.40.1

2025-04-28

Bug Fixes

• Limit hash size for asset file names to the supported 21 (#5921)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.41.0

2025-05-18

Features

• Detect named exports in more dynamic import scenarios (#5954)

Pull Requests

• #5949: ci: use node 24 (@​btea, @​lukastaegert)
• #5951: chore(deps): update dependency pretty-bytes to v7 (@​renovate[bot])
• #5952: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #5953: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #5954: enhance tree-shaking for dynamic imports (@​TrickyPi, @​renovate[bot], @​lukastaegert)
• #5957: chore(deps): update dependency lint-staged to v16 (@​renovate[bot], @​lukastaegert)
• #5958: fix(deps): update rust crate swc_compiler_base to v20 (@​renovate[bot], @​lukastaegert)
• #5959: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #5960: Use spawn to run CLI tests (@​lukastaegert)

4.40.2

2025-05-06

Bug Fixes

• Create correct IIFE/AMD/UMD bundles when using a mutable default export (#5934)
• Fix execution order when using top-level await for dynamic imports with inlineDynamicImports (#5937)
• Throw when the output is watched in watch mode (#5939)

Pull Requests

• #5934: fix(exports): avoid "exports is not defined" ReferenceError (@​dasa)
• #5937: consider TLA imports have higher execution priority (@​TrickyPi)
• #5939: fix: watch mode input should not be an output subpath (@​btea)
• #5940: chore(deps): update dependency vite to v6.3.4 [security] (@​renovate[bot])
• #5941: chore(deps): update dependency eslint-plugin-unicorn to v59 (@​renovate[bot])
• #5942: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #5943: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])

4.40.1

2025-04-28

Bug Fixes

• Limit hash size for asset file names to the supported 21 (#5921)
• Do not inline user-defined entry chunks or chunks with explicit file name (#5923)
• Avoid top-level-await cycles when non-entry chunks use top-level await (#5930)
• Expose package.json via exports (#5931)

... (truncated)

Commits

• 0928185 4.41.0
• 2491b31 ci: use node 24 (#5949)
• 7759f56 Use spawn to run CLI tests (#5960)
• dd29577 fix(deps): update rust crate swc_compiler_base to v20 (#5958)
• fff335f enhance tree-shaking for dynamic imports (#5954)
• 9cf84fc fix(deps): lock file maintenance minor/patch updates (#5959)
• a4e6535 chore(deps): update dependency lint-staged to v16 (#5957)
• 7536ffb fix(deps): update swc monorepo (major) (#5952)
• 2b68f89 chore(deps): update dependency pretty-bytes to v7 (#5951)
• f630e32 chore(deps): lock file maintenance minor/patch updates (#5953)
• Additional commits viewable in compare view

Updates tar-fs from 2.1.1 to 3.0.8

Commits

• e4a7a40 3.0.8
• 504ca0f upgrade bare packages
• 1e4cc04 3.0.7
• a1dd7e7 refactor and throw on bad symlink
• 7ce355d Create SECURITY.md
• 3082593 3.0.6
• c3ad7bc Add fix for early stream closure via pipeline (#109)
• 8d561e6 3.0.5
• 6b2c386 no need for mkdirp now and bare
• 30ce1ce 3.0.4
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[jonrohan]

@dependabot ignore @open-wc/testing

[dependabot]

OK, I won't notify you about @open-wc/testing again, unless you unignore it.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml