chore(deps): update all non-major dependencies #222

Merged
DecimalTurn merged 2 commits into latest from renovate/all-minor-patch
Jun 15, 2026

@renovate renovate Bot commented Jun 10, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence | Type | Update | Pending |
|---|---|---|---|---|---|---|
| @types/node (source) | 24.12.4 → 24.13.2 | (badge) | (badge) | devDependencies | minor | |
| actions/checkout | v6.0.2 → v6.0.3 | (badge) | (badge) | action | patch | |
| js-yaml | 4.1.1 → 4.2.0 | (badge) | (badge) | devDependencies | minor | |
| npm-run-all2 | 9.0.1 → 9.0.2 | (badge) | (badge) | devDependencies | patch | |
| oxlint (source) | 1.67.0 → 1.69.0 | (badge) | (badge) | devDependencies | minor | |
| rollup (source) | 4.60.4 → 4.61.1 | (badge) | (badge) | devDependencies | minor | 4.62.0 |

Release Notes

actions/checkout (actions/checkout)

v6.0.3

Compare Source

nodeca/js-yaml (js-yaml)

v4.2.0

Compare Source

Added
  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better
    exception instead of RangeError on stack overflow.
  • Added maxMergeSeqLength (20) loader option. Not a problem after merge fix,
    but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.

Changed
  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.

Fixed
  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.

Security
  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated
    elements (makes sense for malformed files > 10K).

bcomnes/npm-run-all2 (npm-run-all2)

v9.0.2

Compare Source

Merged
  • fix: update Node.js version requirements #232
  • Upgrade: Bump codecov/codecov-action from 6 to 7 #233
  • fix: bump shell-quote to ^1.8.4 #236
  • Upgrade: Bump pidtree from 0.6.1 to 1.0.0 #234

oxc-project/oxc (oxlint)

v1.69.0

Compare Source

🚀 Features
🐛 Bug Fixes
📚 Documentation
  • dadafe3 oxlint, oxfmt: Mention migrate skills in npm READMEs (#22965) (Boshen)

v1.68.0

Compare Source

🚀 Features
  • e4b1f46 linter/typescript: Implement method-signature-style rule (#22679) (Mikhail Baev)
  • bc462ca linter/vue: Implement no-reserved-component-names rule (#22741) (bab)
  • ef9e751 linter/vue: Implement component-definition-name-casing rule (#22818) (bab)
  • d67f51a linter/vue: Implement require-prop-type-constructor rule (#22708) (bab)
  • 8422e8b linter/jsdoc: Implement require-yields-description rule (#22805) (Mikhail Baev)
  • fe93f97 linter/eslint: Implement prefer-named-capture-group rule (#22759) (Sebastian Poxhofer)

rollup/rollup (rollup)

v4.61.1

Compare Source

2026-06-04

Bug Fixes
  • Avoid extraneous newlines when adding headers via plugins (#6403)
  • Fix a rare issue where starting Rollup would hang on Windows (#6404)

Pull Requests

v4.61.0

Compare Source

2026-06-01

Features
  • Sort entry modules to make chunk hashes deterministic (#6391)

Pull Requests

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

socket-security Bot commented Jun 10, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

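| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | @types/node@24.13.2 | 100 | 100 | 81 | 96 | 100 |
| Added | js-yaml@4.2.0 | 89 | 100 | 100 | 86 | 100 |
| Added | npm-run-all2@9.0.2 | 99 | 100 | 100 | 92 | 100 |
| Updated | oxlint@1.67.0 ⏵ 1.69.0 | 99 +1 | 100 | 92 +1 | 96 +1 | 100 |
| Added | rollup@4.61.1 | 97 | 100 | 100 | 99 | 100 |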

View full report

socket-security Bot commented Jun 10, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

| Action | Severity | Alert |
|---|---|---|
| Warn | High | Obfuscated code: npm js-yaml is 90.0% likely obfuscated |

Confidence: 0.90

Location: Package overview

From: package.json → npm/js-yaml@4.2.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from a4c7e25 to 8bcfae0 Compare June 13, 2026 01:51
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 8bcfae0 to 7695062 Compare June 14, 2026 21:16

js-yaml 4.2.0 fixed two non-standard behaviors:
- Numbers with underscores (e.g. 1_000) are now correctly parsed as
  strings per YAML 1.2 spec, but spec-tests YAML fixtures use TOML
  number notation. Add expandYAMLNumbers() to convert these back.
- A maxDepth option (default 100) was added for DOS protection,
  which breaks deeply nested YAML fixtures like
  qa-table-inline-nested-1000. Pass maxDepth: 2000 to load().
- Date objects must be passed through as-is to preserve Jest's
  toEqual comparison with OffsetDateTime instances.
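
A sketch of the post-load conversion the commit message above describes, written for this page and not taken from the repository: it works on an already-loaded value, so it runs without js-yaml. The names expandUnderscoreNumbers, toNumberIfUnderscored and UNDERSCORE_DECIMAL are hypothetical, and only decimal integers and floats are handled.

```javascript
// Added example. expandUnderscoreNumbers and UNDERSCORE_DECIMAL are hypothetical
// names; this is not the repository's expandYAMLNumbers().

// Decimal integers and floats with single underscores between digits
// (1_000, -3.141_5, 1e1_0). Hex, octal and binary forms are out of scope here.
const UNDERSCORE_DECIMAL =
  /^[+-]?\d+(?:_\d+)*(?:\.\d+(?:_\d+)*)?(?:[eE][+-]?\d+(?:_\d+)*)?$/;

function toNumberIfUnderscored(s) {
  return s.includes('_') && UNDERSCORE_DECIMAL.test(s)
    ? Number(s.replace(/_/g, ''))
    : s;
}

// Walks a loaded YAML value in place with an explicit stack, so a fixture
// nested thousands of levels deep cannot overflow the call stack here.
function expandUnderscoreNumbers(root) {
  const holder = { root };          // lets a top-level scalar be rewritten too
  const seen = new WeakSet();       // aliases can share or cycle containers
  const stack = [holder];
  while (stack.length > 0) {
    const node = stack.pop();
    for (const key of Object.keys(node)) {
      const value = node[key];
      if (typeof value === 'string') {
        node[key] = toNumberIfUnderscored(value);
      } else if (value !== null && typeof value === 'object') {
        // Date instances are left untouched, as the commit message requires.
        if (value instanceof Date || seen.has(value)) continue;
        seen.add(value);
        stack.push(value);
      }
    }
  }
  return holder.root;
}

// Constructed sample, shaped like the output of a YAML 1.2 load.
const sample = {
  count: '1_000',
  ratio: '-3.141_5',
  name: 'snake_case',               // not numeric: stays a string
  when: new Date(0),
  nested: [['5_349_221']],
};
expandUnderscoreNumbers(sample);
console.log(sample);
```

Once loaded, a quoted "1_000" and a plain 1_000 are the same string, so this conversion fits test fixtures whose notation is known rather than arbitrary input.
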
@DecimalTurn DecimalTurn merged commit 0058dd3 into latest Jun 15, 2026
14 checks passed
@DecimalTurn DecimalTurn deleted the renovate/all-minor-patch branch June 15, 2026 05:20