build(deps): bump the npm_and_yarn group across 1 directory with 12 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the / directory: lodash and semantic-release.

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates semantic-release from 17.4.7 to 25.0.3

Release notes

Sourced from semantic-release's releases.

v25.0.3

25.0.3 (2026-01-30)

Bug Fixes

• deps: remove deprecated semver-diff (#3980) (f404124)

v25.0.2

25.0.2 (2025-11-07)

Bug Fixes

• deps: update dependency read-package-up to v12 (#3935) (1494cb9)

v25.0.1

25.0.1 (2025-10-19)

Bug Fixes

• deps: update to the latest version of the npm plugin to add trusted publishing support (fad173e), closes semantic-release/npm#958

v25.0.1-beta.3

25.0.1-beta.3 (2025-10-19)

Bug Fixes

• deps: update to latest npm plugin (a96aced)

v25.0.1-beta.2

25.0.1-beta.2 (2025-10-19)

Bug Fixes

• deps: update to the stable version of the npm plugin to add trusted publishing support (fad173e), closes semantic-release/npm#958

v25.0.1-beta.1

25.0.1-beta.1 (2025-10-16)

Bug Fixes

• deps: update to the beta of the npm plugin (c770748), closes semantic-release/npm#958

... (truncated)

Commits

• f404124 fix(deps): remove deprecated semver-diff (#3980)
• fef7e34 docs: warn against using registry-url in setup-node (#4024)
• 699d470 chore(deps): update dependency lockfile-lint to v5 (#4022)
• c7c6f7a chore(deps): update dependency tempy to v3.1.2 (#4021)
• 1ce5088 ci(action): update github/codeql-action action to v4.32.0 (#4019)
• 9bb0d87 chore(deps): lock file maintenance (#4016)
• 490171c chore(deps): update npm to v11.8.0 (#4015)
• f6411e9 chore(deps): update dependency prettier to v3.8.1 (#4014)
• c71c576 chore(deps): update dependency publint to v0.3.17 (#4013)
• 989e18c chore(deps): update dependency tempy to v3.1.1 (#4012)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for semantic-release since your current version.

Updates @octokit/plugin-paginate-rest from 2.21.3 to 14.0.0

Release notes

Sourced from @​octokit/plugin-paginate-rest's releases.

v14.0.0

14.0.0 (2025-10-31)

Features

• add immutable releases, enterprise team membership, enterprise team organization endpoints (413e899)

BREAKING CHANGES

• Remove GET /projects/{project_id}/columns
• Remove GET /enterprises/{enterprise}/secret-scanning/alerts

v13.2.1

13.2.1 (2025-10-20)

Bug Fixes

• deps: update @octokit/types (#698) (ba56fbc)

v13.2.0

13.2.0 (2025-09-29)

Features

• new Projects v2 endpoints, new code scanning dismissal endpoints, many other endpoints (#690) (0e236cb)

v13.1.1

13.1.1 (2025-06-27)

Bug Fixes

• handle url in response when using pagination with compareCommits (#686) (8e5da25)

v13.1.0

13.1.0 (2025-06-16)

Features

• add paginatantion support for compareCommits and compareCommitsWithBasehead (#678) (6d8ea8a)

v13.0.1

13.0.1 (2025-05-25)

... (truncated)

Commits

• 413e899 feat: add immutable releases, enterprise team membership, enterprise team org...
• 3d311d6 chore(deps): update dependency @​types/node to v24 (#701)
• ba56fbc fix(deps): update @octokit/types (#698)
• 80745be ci(action): update actions/checkout action to v5 (#687)
• 0e236cb feat: new Projects v2 endpoints, new code scanning dismissal endpoints, many ...
• bf19e3e chore(deps): update dependency prettier to v3.6.2 (#685)
• 4f9fc56 ci(action): update actions/setup-node action to v5 (#688)
• 8e5da25 fix: handle url in response when using pagination with compareCommits (#686)
• 6d8ea8a feat: add paginatantion support for compareCommits and `compareCommitsWith...
• 8ec2713 fix(deps): update @octokit/types - no new paginated endpoints (#680)
• Additional commits viewable in compare view

Updates @octokit/request from 5.6.3 to 10.0.8

Release notes

Sourced from @​octokit/request's releases.

v10.0.8

10.0.8 (2026-02-20)

Bug Fixes

• use json-with-bigint instead of built-in JSON methods in order to properly support int64's (#798) (f13f5d9)

v10.0.7

10.0.7 (2025-11-13)

Bug Fixes

• readme: properly structure the options for custom agent (#786) (f17c1c1), closes #785

v10.0.6

10.0.6 (2025-10-30)

Bug Fixes

• deps: update dependency @​octokit/types to v16 (#783) (1aeac56)

v10.0.5

10.0.5 (2025-09-29)

Bug Fixes

• deps: update octokit deps (#772) (30f83b6)

v10.0.4

10.0.4 (2025-09-29)

Bug Fixes

• deps: update dependency @​octokit/types to v15 (#775) (ad78b4c)

v10.0.3

10.0.3 (2025-06-20)

Bug Fixes

• pkg: unreplaced version number in dist-bundle/ (#765) (5b181af)

v10.0.2

10.0.2 (2025-05-20)

... (truncated)

Commits

• f13f5d9 fix: use json-with-bigint instead of built-in JSON methods in order to prop...
• 9ba6ae0 Document that unsuccessful HTTP status code result in an exception (#795)
• 7160b82 chore(deps): replace glob with tinyglobby (#791)
• ab8018b ci(action): update peter-evans/create-or-update-comment action to v5 (#776)
• fb916e4 build(deps): bump vite from 6.3.4 to 6.4.1 (#780)
• e1eb769 chore(deps): update dependency esbuild to ^0.27.0 (#784)
• f17c1c1 fix(readme): properly structure the options for custom agent (#786)
• ea46fa9 ci(action): update github/codeql-action action to v4 (#778)
• 8166d28 chore(deps): update vitest monorepo to v4 (major) (#781)
• 1aeac56 fix(deps): update dependency @​octokit/types to v16 (#783)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​octokit/request since your current version.

Updates @octokit/request-error from 2.1.0 to 7.1.0

Release notes

Sourced from @​octokit/request-error's releases.

v7.1.0

7.1.0 (2025-11-13)

Features

• inherit options from base Error class to add support for the cause property (#535/#536) (2ea2780)

v7.0.2

7.0.2 (2025-10-30)

Bug Fixes

• deps: update dependency @​octokit/types to v16 (#533) (e5a75ef)

v7.0.1

7.0.1 (2025-09-29)

Bug Fixes

• deps: update dependency @​octokit/types to v15 (#522) (4a453f2)

v7.0.0

7.0.0 (2025-05-20)

Continuous Integration

• stop testing against NodeJS v18 (#512) (8eee0c1)

BREAKING CHANGES

• Drop support for NodeJS v18

• build: set minimal node version in build script to v20

• ci: stop testing against NodeJS v18

v6.1.8

6.1.8 (2025-04-10)

Bug Fixes

• deps: update dependency @​octokit/types to v14 (#505) (ab4ea7b)

v6.1.7

... (truncated)

Commits

• 2ea2780 feat: inherit options from base Error class to add support for the cause ...
• ac7b309 chore(deps): update vitest monorepo to v4 (major) (#531)
• dadc76d ci(action): update peter-evans/create-or-update-comment action to v5 (#525)
• f57f2e6 build(deps): lock file maintenance (#534)
• e5a75ef fix(deps): update dependency @​octokit/types to v16 (#533)
• e5d5de2 chore(deps): update dependency @​types/node to v24 (#532)
• 8cc127b ci(action): update actions/setup-node action to v6 (#529)
• b3a876b build(deps): lock file maintenance (#527)
• cf1817b ci(action): update github/codeql-action action to v4 (#528)
• 61f1e87 chore(deps): update dependency tinybench to v5 (#519)
• Additional commits viewable in compare view

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates marked from 2.1.3 to 15.0.12

Release notes

Sourced from marked's releases.

v15.0.12

15.0.12 (2025-05-20)

Bug Fixes

• use esbuild for accurate sourcemaps (#3670) (7a6b2d7)

v15.0.11

15.0.11 (2025-04-25)

Bug Fixes

• fix image alt text rendered to match common mark (#3668) (2c0e47a)

v15.0.10

15.0.10 (2025-04-23)

Bug Fixes

• fix non-breaking space in link url (#3667) (e071e25)

v15.0.9

15.0.9 (2025-04-21)

Bug Fixes

• fix link url with no closing parenthesis (#3664) (72b6373)

v15.0.8

15.0.8 (2025-04-07)

Bug Fixes

• fix emstrong inside escaped backticks (#3652) (721dc58)

v15.0.7

15.0.7 (2025-02-10)

Bug Fixes

• fix table rendered as heading (#3612) (9ae87de)

v15.0.6

15.0.6 (2025-01-06)

... (truncated)

Commits

• b4eb83b chore(release): 15.0.12 [skip ci]
• 7a6b2d7 fix: use esbuild for accurate sourcemaps (#3670)
• 9b8b111 chore(deps-dev): Bump semantic-release from 24.2.3 to 24.2.4 (#3690)
• d04a040 chore(deps-dev): Bump rollup from 4.40.2 to 4.41.0 (#3692)
• 5672651 chore(deps-dev): Bump eslint from 9.26.0 to 9.27.0 (#3691)
• 89818b2 chore(deps-dev): Bump undici from 6.21.1 to 6.21.3 (#3684)
• 2516064 chore(deps-dev): Bump rollup from 4.40.1 to 4.40.2 (#3681)
• ed78e7f chore(deps-dev): Bump @​arethetypeswrong/cli from 0.17.4 to 0.18.1 (#3682)
• 9fcb8bb chore(deps-dev): Bump eslint from 9.25.1 to 9.26.0 (#3680)
• f455d41 chore(deps-dev): Bump rollup from 4.40.0 to 4.40.1 (#3678)
• Additional commits viewable in compare view

Updates minimatch from 3.0.4 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates npm from 7.24.2 to 11.11.1

Release notes

Sourced from npm's releases.

v11.11.1

11.11.1 (2026-03-10)

Bug Fixes

• a9d242b #9099 include all subcommands on main command help (#9099) (@​wraithgar)
• 29b8407 #9087 unwrap comments and lines meant for output (#9087) (@​wraithgar)
• b56986a #9095 ls: suppress false UNMET DEPENDENCYs in linked strategy (#9095) (@​manzoorwanijk)
• 76c76e5 #9083 ci: don't error on optional deps in the lockfile (#9083) (@​wraithgar)
• a29aeee #9028 arborist: retry bin-links on Windows EPERM (#9028) (@​manzoorwanijk)
• 6565eeb #9045 bypass packument cache to prevent ETARGET errors after publish (#9045) (@​Jadu07)

Documentation

• 3b96929 #9074 scripts: remove mention of obsolete root user behavior (#9074) (@​mohd-akram)
• 16ac4e0 #9054 fix workspace cross-dependency documentation (@​owlstronaut)

Dependencies

• 075ae23 #9086 tar@7.5.11
• 13fa40d #9086 pacote@21.5.0
• bf7ea2b #9060 brace-expansion@5.0.4
• 2000d2c #9060 minimatch@10.2.4
• d86b260 #9060 tar@7.5.10
• dff1853 #9060 @npmcli/run-script@10.0.4
• 93c3365 #9060 write-file-atomic@7.0.1

Chores

• d1996a7 #9060 dev dependency updates (@​wraithgar)
• workspace: @npmcli/arborist@9.4.1
• workspace: libnpmdiff@8.1.4
• workspace: libnpmexec@10.2.4
• workspace: libnpmfund@7.0.18
• workspace: libnpmpack@9.1.4

v11.11.0

11.11.0 (2026-02-25)

Features

• 4fcd352 #9017 add :type(registry) to query selector syntax (#9017) (@​wraithgar)
• e1b21f0 #8909 adds circleci to trust command (#8909) (@​owlstronaut)
• 9a33ad0 #8925 adds circleci to oidc (#8925) (@​owlstronaut)

Bug Fixes

• 4426411 #9026 npm audit signatures for keyless attestation registries (#9026) (@​ajayk)
• 658b323 #9010 handle legacy licenses array in sbom output (#9010) (@​JNC4)

Documentation

• 143f8cd #9007 docs shouldn't wrap yaml description (#9007) (@​owlstronaut)

Dependencies

• 7798b6e #9027 @gar/promise-retry@1.0.2
• 4838864 #9027 balanced-match@4.0.4
• 0c200dd #9027 brace-expansion@5.0.3
• f0606bb #9027 spdx-license-ids@3.0.23
• d43f350 #9027 make-fetch-happen@15.0.4
• 4d0918a #9027 @npmcli/git@7.0.2
• 8912ca7 #9027 minipass-fetch@5.0.2
• 450ff35 #9027 npm-packlist@10.0.4
• 20ef5a5 #9027 pacote@21.4.0
• 60f332c #9008 remove promise-retry

... (truncated)

Changelog

Sourced from npm's changelog.

11.11.1 (2026-03-10)

Bug Fixes

• a9d242b #9099 include all subcommands on main command help (#9099) (@​wraithgar)
• 29b8407 #9087 unwrap comments and lines meant for output (#9087) (@​wraithgar)
• b56986a #9095 ls: suppress false UNMET DEPENDENCYs in linked strategy (#9095) (@​manzoorwanijk)
• 76c76e5 #9083 ci: don't error on optional deps in the lockfile (#9083) (@​wraithgar)
• a29aeee #9028 arborist: retry bin-links on Windows EPERM (#9028) (@​manzoorwanijk)
• 6565eeb #9045 bypass packument cache to prevent ETARGET errors after publish (#9045) (@​Jadu07)

Documentation

• 3b96929 #9074 scripts: remove mention of obsolete root user behavior (#9074) (@​mohd-akram)
• 16ac4e0 #9054 fix workspace cross-dependency documentation (@​owlstronaut)

Dependencies

• 075ae23 #9086 tar@7.5.11
• 13fa40d #9086 pacote@21.5.0
• bf7ea2b #9060 brace-expansion@5.0.4
• 2000d2c #9060 minimatch@10.2.4
• d86b260 #9060 tar@7.5.10
• dff1853 #9060 @npmcli/run-script@10.0.4
• 93c3365 #9060 write-file-atomic@7.0.1

Chores

• d1996a7 #9060 dev dependency updates (@​wraithgar)
• workspace: @npmcli/arborist@9.4.1
• workspace: libnpmdiff@8.1.4
• workspace: libnpmexec@10.2.4
• workspace: libnpmfund@7.0.18
• workspace: libnpmpack@9.1.4

11.11.0 (2026-02-25)

Features

• 4fcd352 #9017 add :type(registry) to query selector syntax (#9017) (@​wraithgar)
• e1b21f0 #8909 adds circleci to trust command (#8909) (@​owlstronaut)
• 9a33ad0 #8925 adds circleci to oidc (#8925) (@​owlstronaut)

Bug Fixes

• 4426411 #9026 npm audit signatures for keyless attestation registries (#9026) (@​ajayk)
• 658b323 #9010 handle legacy licenses array in sbom output (#9010) (@​JNC4)

Documentation

• 143f8cd #9007 docs shouldn't wrap yaml description (#9007) (@​owlstronaut)

Dependencies

• 7798b6e #9027 @gar/promise-retry@1.0.2
• 4838864 #9027 balanced-match@4.0.4
• 0c200dd #9027 brace-expansion@5.0.3
• f0606bb #9027 spdx-license-ids@3.0.23
• d43f350 #9027 make-fetch-happen@15.0.4
• 4d0918a #9027 @npmcli/git@7.0.2
• 8912ca7 #9027 minipass-fetch@5.0.2
• 450ff35 #9027 npm-packlist@10.0.4
• 20ef5a5 #9027 pacote@21.4.0
• 60f332c #9008 remove promise-retry
• cb8b9c7 #9008 add @gar/promise-retry@1.0.0
• workspace: @npmcli/arborist@9.4.0

... (truncated)

Commits

• 8afa3bd chore: release 11.11.1
• a9d242b fix: include all subcommands on main command help (#9099)
• 5b7c0cc fix(arborist): exclude store nodes from :root > * in linked strategy (#9096)
• 3b70a9d fix(arborist): simplify rootDeclaredDeps initialization (#9097)
• 29b8407 fix: unwrap comments and lines meant for output (#9087)
• b56986a fix(ls): suppress false UNMET DEPENDENCYs in linked strategy (#9095)
• c7702d0 fix(arborist): fix non-idempotent linked install with workspace projects (#9094)
• 075ae23 deps: tar@7.5.11
• 13fa40d deps: pacote@21.5.0
• 76c76e5 fix(ci): don't error on optional deps in the lockfile (#9083)
• Additional commits viewable in compare view

Updates diff from 5.0.0 to 8.0.3

Changelog

Sourced from diff's changelog.

8.0.3

• #631 - fix support for using an Intl.Segmenter with diffWords. This has been almost completely broken since the feature was added in v6.0.0, since it would outright crash on any text that featured two consecutive newlines between a pair of words (a very common case).
• #635 - small tweaks to tokenization behaviour of diffWords when used without an Intl.Segmenter. Specifically, the soft hyphen (U+00AD) is no longer considered to be a word break, and the multiplication and division signs (× and ÷) are now treated as punctuation instead of as letters / word characters.
• #641 - the format of file headers in createPatch etc. patches can now be customised somewhat. It now takes a headerOptions option that can be used to disable the file headers entirely, or omit the Index: line and/or the underline. In particular, this was motivated by a request to make jsdiff patches compatible with react-diff-view, which they now are if produced with headerOptions: FILE_HEADERS_ONLY.
• #647 and #649 - fix denial-of-service vulnerabilities in parsePatch whereby adversarial input could cause a memory-leaking infinite loop, typically crashing the calling process. Also fixed ReDOS vulnerabilities whereby adversarially-crafted patch headers could take cubic time to parse. Now, parsePatch should reliably take linear time. (Handling of headers that include the line break characters \r, \u2028, or \u2029 in non-trailing positions is also now more reasonable as side effect of the fix.)

8.0.2

• #616 Restored compatibility of diffSentences with old Safari versions. This was broken in 8.0.0 by the introduction of a regex with a lookbehind assertion; these weren't supported in Safari prior to version 16.4.
• #612 Improved tree shakeability by marking the built CJS and ESM packages with sideEffects: false.

8.0.1

• #610 Fixes types for diffJson which were broken by 8.0.0. The new bundled types in 8.0.0 only allowed diffJson to be passed string arguments, but it should've been possible to pass either strings or objects (and now is). Thanks to Josh Kelley for the fix.

8.0.0

• #580 Multiple tweaks to diffSentences:
  • tokenization no longer takes quadratic time on pathological inputs (reported as a ReDOS vulnerability by Snyk); is now linear instead
  • the final sentence in the string is now handled the same by the tokenizer regardless of whether it has a trailing punctuation mark or not. (Previously, "foo. bar." tokenized to ["foo.", " ", "bar."] but "foo. bar" tokenized to ["foo.", " bar"] - i.e. whether the space between sentences was treated as a separate token depended upon whether the final sentence had trailing punctuation or not. This was arbitrary and surprising; it is no longer the case.)
  • in a string that starts with a sentence end, like "! hello.", the "!" is now treated as a separate sentence
  • the README now correctly documents the tokenization behaviour (it was wrong before)
• #581 - fixed some regex operations used for tokenization in diffWords taking O(n^2) time in pathological cases
• #595 - fixed a crash in patch creation functions when handling a single hunk consisting of a very large number (e.g. >130k) of lines. (This was caused by spreading indefinitely-large arrays to .push() using .apply or the spread operator and hitting the JS-implementation-specific limit on the maximum number of arguments to a function, as shown at https://stackoverflow.com/a/56809779/1709587; thus the exact threshold to hit the error will depend on the environment in which you were running JsDiff.)
• #596 - removed the merge function. Previously JsDiff included an undocumented function called merge that was meant to, in some sense, merge patches. It had at least a couple of serious bugs that could lead to it returning unambiguously wrong results, and it was difficult to simply "fix" because it was unclear precisely what it was meant to do. For now, the fix is to remove it entirely.