chore(deps): bump the npm group across 1 directory with 10 updates #10659

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/dev/diff/npm-4bef69c40c

@dependabot dependabot Bot commented on behalf of github Apr 6, 2026

Bumps the npm group with 10 updates in the /dev/diff directory:

| Package | From | To |
| --- | --- | --- |
| chalk | 5.4.1 | 5.6.2 |
| dockerode | 4.0.6 | 5.0.0 |
| fs-extra | 11.3.0 | 11.3.5 |
| got | 13.0.0 | 15.0.5 |
| listr2 | 6.6.1 | 10.2.1 |
| lodash-es | 4.17.21 | 4.18.1 |
| luxon | 3.6.1 | 3.7.2 |
| pretty-bytes | 6.1.1 | 7.1.0 |
| tar | 7.4.3 | 7.5.16 |
| yargs | 17.7.2 | 18.0.0 |

Updates chalk from 5.4.1 to 5.6.2

Release notes

Sourced from chalk's releases.

v5.6.2

v5.6.0

  • Make WezTerm terminal use true color a8f5bf7

chalk/chalk@v5.5.0...v5.6.0

v5.5.0

  • Make Ghostty terminal use true color (#653) 79ee2d3

chalk/chalk@v5.4.1...v5.5.0

Commits

Updates dockerode from 4.0.6 to 5.0.0

Release notes

Sourced from dockerode's releases.

v5.0.0

What's Changed

Full Changelog: apocas/dockerode@v4.0.10...v5.0.0

v4.0.10

What's Changed

New Contributors

Full Changelog: apocas/dockerode@v4.0.9...v4.0.10

v4.0.9

What's Changed

Full Changelog: apocas/dockerode@v4.0.8...v4.0.9

v4.0.8

What's Changed

New Contributors

Full Changelog: apocas/dockerode@v4.0.7...v4.0.8

v4.0.7

What's Changed

Full Changelog: apocas/dockerode@v4.0.6...v4.0.7

Commits
  • d8968eb chore: update chai to version 4.5.0 in package.json and package-lock.json
  • 62ded54 fix: downgrade chai to 6.2.0 and mocha to 11.7.0
  • 3f6f9c4 Update devDependencies: Upgrade chai to 6.2.2 and mocha to 11.7.5
  • c37ff26 Merge pull request #828 from apocas/dependabot/npm_and_yarn/protobufjs-7.5.5
  • 0f1a049 Bump protobufjs from 7.3.2 to 7.5.5
  • c073e27 fix: update version to 5.0.0 and remove uuid dependency
  • 8c4b4cd fix: update version to 4.0.12 and downgrade uuid dependency to 10.0.0
  • 7e6f694 fix: update version to 4.0.12 and downgrade uuid dependency to 10.0.0
  • 8124962 fix: update version to 4.0.11 and bump uuid dependency to 14.0.0
  • 7118249 Merge pull request #826 from apocas/dependabot/npm_and_yarn/picomatch-2.3.2
  • Additional commits viewable in compare view

Updates fs-extra from 11.3.0 to 11.3.5

Changelog

Sourced from fs-extra's changelog.

11.3.5 / 2026-05-06

  • Fix ensureLink*/ensureSymlink* identical file detection on Windows (#1068)
  • Fix error handling in timestamp preservation code (#1065, #1069)
  • Fix potential file descriptor leak on error in synchronous timestamp preservation code (#1066)

11.3.4 / 2026-03-03

  • Fix bug where calling ensureSymlink/ensureSymlinkSync with a relative srcPath would fail if the symlink already existed (#1038, #1064)

11.3.3 / 2025-12-18

  • Fix copying symlink when destination is a symlink to the same target (#1019, #1060)

11.3.2 / 2025-09-15

  • Fix spurious UnhandledPromiseRejectionWarning that could occur when calling .copy() in some cases (#1056, #1058)

11.3.1 / 2025-08-05

  • Fix case where move/moveSync could incorrectly think files are identical on Windows (#1050)

Commits

Updates got from 13.0.0 to 15.0.5

Release notes

Sourced from got's releases.

v15.0.5

  • Fix: Handle abort signals added by handlers 74e3167

sindresorhus/got@v15.0.4...v15.0.5

v15.0.4

  • Fix aborting during download progress 11a2202

sindresorhus/got@v15.0.3...v15.0.4

v15.0.3

  • Fix false ReadError on responses without Content-Length 071ea07

sindresorhus/got@v15.0.2...v15.0.3

v15.0.2

  • Fix stream cookie jar completion race b170125

sindresorhus/got@v15.0.1...v15.0.2

v15.0.1

  • Fix init types 20633bc

sindresorhus/got@v15.0.0...v15.0.1

v15.0.0

Breaking changes

  • Require Node.js 22 b933476
  • Remove promise cancel API a06ac6c
  • Remove isStream option c241c6c
    • Use got.stream() directly.
  • Use native FormData global 670b228
  • responseType: 'buffer' returns Uint8Array instead of Buffer 309e36d
    • response.rawBody and promise.buffer() now return a Uint8Array. Buffer is a subclass of Uint8Array, so most code will continue to work, but strict type checks will need updating.
  • strictContentLength defaults to true 08e9dff
    • Got now throws a ContentLengthMismatchError by default if Content-Length doesn't match the actual body size. Set {strictContentLength: false} to restore the old behavior.
  • retry.enforceRetryRules defaults to true 9bc8dfb

... (truncated)

Commits

Updates listr2 from 6.6.1 to 10.2.1

Commits

Updates lodash-es from 4.17.21 to 4.18.1

Release notes

Sourced from lodash-es's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash, lodash-es, lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates luxon from 3.6.1 to 3.7.2

Changelog

Sourced from luxon's changelog.

3.7.2 (2025-07-09)

  • Fix ES6 packaging

3.7.1 (2025-07-09)

  • Revert change in ES6 packaging

3.7.0 (2025-07-09)

  • Added showZeros option to Duration#toHuman
  • Added Duration#removeZeros method.
  • Added rounding option to DateTime#toRelative
  • Added precision option to ISO formatting methods
  • Added signMode option to Duration#toFormat
  • Allow escaping single quotes in format strings
  • Improve output of Info.months and Info.monthsFormat for ja locale
  • Accept lowercase t as a separator in ISO strings
  • Accept lowercase z as an offset in ISO strings
  • Reject non-finite numbers where previously only NaN was rejected
  • Improve the documentation for Interval
  • Added a dark theme for the documentation site

Commits
  • 4262a38 Version 3.7.2
  • 738144d Fix the build ES6 code having the wrong file extension and use it in package....
  • 3b2f374 Release version 3.7.1
  • c67ee7d Revert "build: use the es6 build for ESM exports (#1707)"
  • cfa58a2 Release version 3.7.0
  • 7d379cc Fix unsupported signDisplay value
  • 4e81ef9 Implement "signMode" on Duration#toFormat
  • 5aa55da Improve documentation regarding Interval's half-openness
  • b188e10 add dark theme to docs (#1713)
  • cf67025 build: use the es6 build for ESM exports (#1707)
  • Additional commits viewable in compare view

Updates pretty-bytes from 6.1.1 to 7.1.0

Release notes

Sourced from pretty-bytes's releases.

v7.1.0

  • Add fixedWidth option for right-aligned output 73df489
  • Add nonBreakingSpace option b637640
  • Fix truncation behavior with fraction digits options b64cee5

sindresorhus/pretty-bytes@v7.0.1...v7.1.0

v7.0.1

  • Fix precision with the binary option (#88) c9fd951

sindresorhus/pretty-bytes@v7.0.0...v7.0.1

v7.0.0

Breaking

  • Require Node.js 20 13d3727

Improvements

  • Add support for BigInt (#85) 386b35a

sindresorhus/pretty-bytes@v6.1.1...v7.0.0

Commits

Updates tar from 7.4.3 to 7.5.16

Changelog

Sourced from tar's changelog.

Changelog

7.5

  • Added zstd compression support.
  • Consistent TOCTOU behavior in sync t.list
  • Only read from ustar block if not specified in Pax
  • Fix sync tar.list when file size reduces while reading
  • Sanitize absolute linkpaths properly
  • Prevent writing hardlink entries to the archive ahead of their file target

7.4

  • Deprecate onentry in favor of onReadEntry for clarity.

7.3

  • Add onWriteEntry option

7.2

  • DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

  • Update minipass to v7.1.0
  • Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

  • Drop support for node <18
  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits
  • cf21338 7.5.16
  • 21a8220 do not apply PAX header fields to meta entries
  • 52632cf update project deps
  • 302f51f fix inconsequential typo in PENDINGLINKS symbol name
  • 55dbb99 remove some uses of mutate-fs
  • 87cc309 7.5.15
  • 7aef486 fix: regression in pending links detection
  • 6244eb3 7.5.14
  • 9704d8c stricter protection against hardlinks preempting their targets
  • 700734f update workflows and deps
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds a prepare script that runs during installation. Review the package contents before updating.


Updates yargs from 17.7.2 to 18.0.0

Changelog

Sourced from yargs's changelog.

18.0.0 (2025-05-26)

⚠ BREAKING CHANGES

  • command names are not derived from modules passed to command.
  • singleton usage of yargs yargs.foo, yargs().argv, has been removed.
  • minimum node.js versions now ^20.19.0 || ^22.12.0 || >=23.
  • yargs is now ESM first

Features

Bug Fixes

  • addDirectory do not support absolute command dir (#2465) (3a40a78)
  • allows ESM modules commands to be extensible using visit option (#2468) (200e1aa)
  • browser: fix shims so that yargs continues working in browser context (#2457) (4ae5f57)
  • build: address problems with typescript compilation (#2445) (8d72fb3)
  • coerce should play well with parser configuration (#2308) (8343c66)
  • deps: update dependency yargs-parser to v22 (#2470) (639130d)
  • exit after async handler done (#2313) (e326cde)
  • handle spaces in bash completion (#2452) (83b7788)
  • parser-configuration should work well with generated completion script (#2332) (888db19)
  • propagate Dictionary including undefined in value type (#2393) (2b2f7f5)
  • zsh: completion no longer requires double tab when using autoloaded (0dd8fe4)

Code Refactoring

  • command names are not derived from modules passed to command. (d90af45)
  • singleton usage of yargs yargs.foo, yargs().argv, has been removed. (d90af45)

Build System

  • minimum node.js versions now ^20.19.0 || ^22.12.0 || >=23. (d90af45)

Commits
  • 0bc7255 chore(main): release 18.0.0 (#2325)
  • 639130d fix(deps): update dependency yargs-parser to v22 (#2470)
  • 200e1aa fix: allows ESM modules commands to be extensible using visit option (#2468)
  • 888db19 fix: parser-configuration should work well with generated completion script (...
  • 3a40a78 fix: addDirectory do not support absolute command dir (#2465)
  • 90e9eca docs: remove to old slack channel (#2466)
  • 0dd8fe4 fix(zsh): completion no longer requires double tab when using autoloaded
  • 27eec18 feat: commandDir now works with ESM files (#2461)
  • f9c72a7 docs: update examples to run from examples folder (#2463)
  • e02c91b feat(zsh): Add default completion as fallback (#2331)
  • Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

| Dependency Name | Ignore Conditions |
| --- | --- |
| got | [>= 14.a, < 15] |
| listr2 | [>= 8.a, < 9] |
| listr2 | [>= 7.a, < 8] |
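
The guard that the lodash 4.18.0 security note quoted above describes for `_.unset` / `_.omit`, sketched as an added example; it is not lodash's code and not part of the Dependabot comment. `guardedUnset`, `castPath` and `toKey` are hypothetical names, the string path parser is simplified, and refusing `__proto__` is an extra assumption of this sketch.

```javascript
// Added illustration; not lodash source. Keys refused while walking a path.
const BLOCKED_NON_TERMINAL = new Set(['constructor', 'prototype']);
// Assumption of this sketch (not stated on the page): refuse __proto__ anywhere.
const BLOCKED_ANYWHERE = new Set(['__proto__']);

// Coerce one segment the way a property access would: an array-wrapped
// segment such as ['constructor'] stringifies to 'constructor', so the
// check has to run on the coerced key, not on the raw segment.
function toKey(segment) {
  return typeof segment === 'symbol' ? segment : String(segment);
}

// Simplified path parser: arrays are taken segment by segment, strings are
// split on dots and brackets (escaped quotes are not supported).
function castPath(path) {
  if (Array.isArray(path)) return path.map(toKey);
  if (typeof path === 'string') return path.match(/[^.[\]'"]+/g) || [];
  return [toKey(path)];
}

// Returns false and leaves the target untouched when the path is refused,
// whatever the type of the root (object or primitive).
function guardedUnset(root, path) {
  const keys = castPath(path);
  if (keys.length === 0) return true;

  // Validate the whole path before touching anything.
  for (let i = 0; i < keys.length; i++) {
    const terminal = i === keys.length - 1;
    if (BLOCKED_ANYWHERE.has(keys[i])) return false;
    if (!terminal && BLOCKED_NON_TERMINAL.has(keys[i])) return false;
  }

  // Walk to the parent of the property to delete.
  let parent = root;
  for (const key of keys.slice(0, -1)) {
    if (parent == null) return true; // nothing there to delete
    parent = parent[key];
  }
  if (parent == null) return true;

  // Object() boxes primitive parents; Reflect.deleteProperty reports failure
  // as false instead of throwing in strict mode.
  return Reflect.deleteProperty(Object(parent), keys[keys.length - 1]);
}
```

A terminal `constructor` key is still allowed, so an object's own `constructor` property can be removed; only traversal through it is refused.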

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file), javascript (Pull requests that update Javascript code) and major labels Apr 6, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/dev/diff/npm-4bef69c40c branch from 7e8b3a7 to e3e936f April 13, 2026 13:50
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/dev/diff/npm-4bef69c40c branch from e3e936f to 889a45e April 20, 2026 15:03
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/dev/diff/npm-4bef69c40c branch from 889a45e to 95146f3 April 27, 2026 15:54
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/dev/diff/npm-4bef69c40c branch from 95146f3 to a44e67d May 4, 2026 16:30
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/dev/diff/npm-4bef69c40c branch from a44e67d to 4a919eb May 11, 2026 20:23
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/dev/diff/npm-4bef69c40c branch 2 times, most recently from b622dc7 to 0042242 May 25, 2026 18:56
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/dev/diff/npm-4bef69c40c branch 2 times, most recently from 74d9d7b to 85f7d9a June 8, 2026 13:04

Bumps the npm group with 10 updates in the /dev/diff directory:

| Package | From | To |
| --- | --- | --- |
| [chalk](https://github.com/chalk/chalk) | `5.4.1` | `5.6.2` |
| [dockerode](https://github.com/apocas/dockerode) | `4.0.6` | `5.0.0` |
| [fs-extra](https://github.com/jprichardson/node-fs-extra) | `11.3.0` | `11.3.5` |
| [got](https://github.com/sindresorhus/got) | `13.0.0` | `15.0.5` |
| [listr2](https://github.com/listr2/listr2) | `6.6.1` | `10.2.1` |
| [lodash-es](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` |
| [luxon](https://github.com/moment/luxon) | `3.6.1` | `3.7.2` |
| [pretty-bytes](https://github.com/sindresorhus/pretty-bytes) | `6.1.1` | `7.1.0` |
| [tar](https://github.com/isaacs/node-tar) | `7.4.3` | `7.5.16` |
| [yargs](https://github.com/yargs/yargs) | `17.7.2` | `18.0.0` |



Updates `chalk` from 5.4.1 to 5.6.2
- [Release notes](https://github.com/chalk/chalk/releases)
- [Commits](chalk/chalk@v5.4.1...v5.6.2)

Updates `dockerode` from 4.0.6 to 5.0.0
- [Release notes](https://github.com/apocas/dockerode/releases)
- [Commits](apocas/dockerode@v4.0.6...v5.0.0)

Updates `fs-extra` from 11.3.0 to 11.3.5
- [Changelog](https://github.com/jprichardson/node-fs-extra/blob/master/CHANGELOG.md)
- [Commits](jprichardson/node-fs-extra@11.3.0...11.3.5)

Updates `got` from 13.0.0 to 15.0.5
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](sindresorhus/got@v13.0.0...v15.0.5)

Updates `listr2` from 6.6.1 to 10.2.1
- [Release notes](https://github.com/listr2/listr2/releases)
- [Changelog](https://github.com/listr2/listr2/blob/master/release.config.js)
- [Commits](https://github.com/listr2/listr2/commits/listr2@10.2.1)

Updates `lodash-es` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `luxon` from 3.6.1 to 3.7.2
- [Changelog](https://github.com/moment/luxon/blob/master/CHANGELOG.md)
- [Commits](moment/luxon@3.6.1...3.7.2)

Updates `pretty-bytes` from 6.1.1 to 7.1.0
- [Release notes](https://github.com/sindresorhus/pretty-bytes/releases)
- [Commits](sindresorhus/pretty-bytes@v6.1.1...v7.1.0)

Updates `tar` from 7.4.3 to 7.5.16
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.4.3...v7.5.16)

Updates `yargs` from 17.7.2 to 18.0.0
- [Release notes](https://github.com/yargs/yargs/releases)
- [Changelog](https://github.com/yargs/yargs/blob/main/CHANGELOG.md)
- [Commits](yargs/yargs@v17.7.2...v18.0.0)

---
updated-dependencies:
- dependency-name: chalk
  dependency-version: 5.6.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: dockerode
  dependency-version: 4.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: fs-extra
  dependency-version: 11.3.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: got
  dependency-version: 15.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm
- dependency-name: listr2
  dependency-version: 10.2.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm
- dependency-name: lodash-es
  dependency-version: 4.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: luxon
  dependency-version: 3.7.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: pretty-bytes
  dependency-version: 7.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm
- dependency-name: tar
  dependency-version: 7.5.13
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: yargs
  dependency-version: 18.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/dev/diff/npm-4bef69c40c branch from 85f7d9a to c4cf752 June 15, 2026 13:04