NPM: Bump the npm-dependencies group with 3 updates

[dependabot]

Bumps the npm-dependencies group with 3 updates: mermaid, esbuild and stylelint.

Updates mermaid from 11.8.1 to 11.9.0

Release notes

Sourced from mermaid's releases.

[email protected]

Minor Changes

• #6453 5acbd7e Thanks @​sidharthv96! - feat: Add getRegisteredDiagramsMetadata to mermaid, which returns all the registered diagram IDs in mermaid

Patch Changes

• #6738 d90634b Thanks @​shubham-mermaid! - chore: Updated TreeMapDB to use class based approach

• #6510 7a38eb7 Thanks @​sidharthv96! - chore: Move packet diagram out of beta

• #6747 3e3ae08 Thanks @​darshanr0107! - fix: adjust sequence diagram title positioning to prevent overlap with top border in Safari

• #6751 d3e2be3 Thanks @​darshanr0107! - chore: Update MindmapDB to use class based approach

• #6715 637680d Thanks @​Syn3ugar! - fix(timeline): fix loading leftMargin from config

  The timeline.leftMargin config value should now correctly control the size of the left margin, instead of being ignored.

• Updated dependencies [7a38eb7]:

  • @​mermaid-js/parser@​0.6.2

Commits

• 767754f Version Packages
• cff59c5 Merge pull request #6757 from mermaid-js/develop
• 5b241bb Merge pull request #6758 from mermaid-js/fix/certificate-error-for-noteshub
• 7e5e478 add noteshub.app to exclusions for certificate errors
• 9e2cd1a Merge pull request #6738 from mermaid-js/treemap-diagram-to-use-the-new-class...
• abf2227 Merge pull request #6751 from mermaid-js/6750-convert-mindmap-to-class-based-...
• 7db942b Merge pull request #6756 from mzner/chore/update-katex-to-latest-version
• 70041c8 chore: update katex to latest version due to CVE vulnerability
• 77e2703 Merge branch 'develop' into treemap-diagram-to-use-the-new-class-based-approach
• 771801b Updated changeset
• Additional commits viewable in compare view

Updates esbuild from 0.25.6 to 0.25.8

Release notes

Sourced from esbuild's releases.

v0.25.8

• Fix another TypeScript parsing edge case (#4248)

  This fixes a regression with a change in the previous release that tries to more accurately parse TypeScript arrow functions inside the ?: operator. The regression specifically involves parsing an arrow function containing a #private identifier inside the middle of a ?: ternary operator inside a class body. This was fixed by propagating private identifier state into the parser clone used to speculatively parse the arrow function body. Here is an example of some affected code:

  class CachedDict {
    #has = (a: string) => dict.has(a);
    has = window
      ? (word: string): boolean => this.#has(word)
      : this.#has;
  }

• Fix a regression with the parsing of source phase imports

  The change in the previous release to parse source phase imports failed to properly handle the following cases:

  import source from 'bar'
  import source from from 'bar'
  import source type foo from 'bar'

  Parsing for these cases should now be fixed. The first case was incorrectly treated as a syntax error because esbuild was expecting the second case. And the last case was previously allowed but is now forbidden. TypeScript hasn't added this feature yet so it remains to be seen whether the last case will be allowed, but it's safer to disallow it for now. At least Babel doesn't allow the last case when parsing TypeScript, and Babel was involved with the source phase import specification.

v0.25.7

• Parse and print JavaScript imports with an explicit phase (#4238)

  This release adds basic syntax support for the defer and source import phases in JavaScript:

  • defer

    This is a stage 3 proposal for an upcoming JavaScript feature that will provide one way to eagerly load but lazily initialize imported modules. The imported module is automatically initialized on first use. Support for this syntax will also be part of the upcoming release of TypeScript 5.9. The syntax looks like this:

    import defer * as foo from "<specifier>";
    const bar = await import.defer("<specifier>");

    Note that this feature deliberately cannot be used with the syntax import defer foo from "<specifier>" or import defer { foo } from "<specifier>".

  • source

    This is a stage 3 proposal for an upcoming JavaScript feature that will provide another way to eagerly load but lazily initialize imported modules. The imported module is returned in an uninitialized state. Support for this syntax may or may not be a part of TypeScript 5.9 (see this issue for details). The syntax looks like this:

    import source foo from "<specifier>";
    const bar = await import.source("<specifier>");

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.25.8

• Fix another TypeScript parsing edge case (#4248)

  This fixes a regression with a change in the previous release that tries to more accurately parse TypeScript arrow functions inside the ?: operator. The regression specifically involves parsing an arrow function containing a #private identifier inside the middle of a ?: ternary operator inside a class body. This was fixed by propagating private identifier state into the parser clone used to speculatively parse the arrow function body. Here is an example of some affected code:

  class CachedDict {
    #has = (a: string) => dict.has(a);
    has = window
      ? (word: string): boolean => this.#has(word)
      : this.#has;
  }

• Fix a regression with the parsing of source phase imports

  The change in the previous release to parse source phase imports failed to properly handle the following cases:

  import source from 'bar'
  import source from from 'bar'
  import source type foo from 'bar'

  Parsing for these cases should now be fixed. The first case was incorrectly treated as a syntax error because esbuild was expecting the second case. And the last case was previously allowed but is now forbidden. TypeScript hasn't added this feature yet so it remains to be seen whether the last case will be allowed, but it's safer to disallow it for now. At least Babel doesn't allow the last case when parsing TypeScript, and Babel was involved with the source phase import specification.

0.25.7

• Parse and print JavaScript imports with an explicit phase (#4238)

  This release adds basic syntax support for the defer and source import phases in JavaScript:

  • defer

    This is a stage 3 proposal for an upcoming JavaScript feature that will provide one way to eagerly load but lazily initialize imported modules. The imported module is automatically initialized on first use. Support for this syntax will also be part of the upcoming release of TypeScript 5.9. The syntax looks like this:

    import defer * as foo from "<specifier>";
    const bar = await import.defer("<specifier>");

    Note that this feature deliberately cannot be used with the syntax import defer foo from "<specifier>" or import defer { foo } from "<specifier>".

  • source

    This is a stage 3 proposal for an upcoming JavaScript feature that will provide another way to eagerly load but lazily initialize imported modules. The imported module is returned in an uninitialized state. Support for this syntax may or may not be a part of TypeScript 5.9 (see this issue for details). The syntax looks like this:

    import source foo from "<specifier>";

... (truncated)

Commits

• 8c71947 publish 0.25.8 to npm
• 0508f24 some parsing fixes for source phase imports
• 6e4be2f js parser: recover from bad #private identifiers
• c9c6357 fix #4248: #private ids in arrow fn body in ?:
• 9b42f68 publish 0.25.7 to npm
• 9ba01d1 abs-paths: js api and tests
• ca196c9 fix for parser backtracking crash
• 2979b84 fix #4241: ts arrow function type backtrack (hack)
• 1180410 fix an unused variable warning
• fc3da57 fix #4238: add defer and source import phases
• Additional commits viewable in compare view

Updates stylelint from 16.21.1 to 16.22.0

Release notes

Sourced from stylelint's releases.

16.22.0

It adds 3 rule features and fixes 2 bugs.

• Added: messageArgs to color-named (#8663) (@​Mouvedia).
• Added: messageArgs to declaration-property-value-keyword-no-deprecated (#8654) (@​Mouvedia).
• Added: no-descending-specificity report message includes line number of the anchoring selector (#8666) (@​immitsu).
• Fixed: at-rule-no-deprecated false positives for @apply (#8630) (@​Mouvedia).
• Fixed: lightness-notation crash with "number" option and single-digit percentage (#8661) (@​ybiquitous).

Changelog

Sourced from stylelint's changelog.

16.22.0 - 2025-07-18

It adds 3 rule features and fixes 2 bugs.

• Added: messageArgs to color-named (#8663) (@​Mouvedia).
• Added: messageArgs to declaration-property-value-keyword-no-deprecated (#8654) (@​Mouvedia).
• Added: no-descending-specificity report message includes line number of the anchoring selector (#8666) (@​immitsu).
• Fixed: at-rule-no-deprecated false positives for @apply (#8630) (@​Mouvedia).
• Fixed: lightness-notation crash with "number" option and single-digit percentage (#8661) (@​ybiquitous).

Commits

• 9a4e2b2 16.22.0
• ad2630d Prepare 16.22.0 (#8662)
• d9fd12c Document conventions for writing tests (#8672)
• 6e5918e Add no-descending-specificity line number to the referenced selector in mes...
• 8e7ca69 Bump eslint from 9.30.1 to 9.31.0 in the eslint group (#8671)
• 4fbbe12 Bump rollup from 4.44.2 to 4.45.0 (#8670)
• 7cfc5e5 Fix lightness-notation crash with "number" option and single-digit percen...
• 4a7c5e5 Add messageArgs to color-named (#8663)
• 79d7b49 Refactor resolveFilePath() internal utility (#8660)
• 0a5f75b Fix at-rule-no-deprecated false positives for @apply (#8630)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions