fix(deps): update patch updates (patch)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@anolilab/prettier-config (source)	9.1.0 → 9.1.1
@anolilab/textlint-config (source)	12.1.0 → 12.1.5
@ckeditor/typedoc-plugins (source)	54.3.2 → 54.3.4
cosmiconfig	^9.0.0 → ^9.0.1
dockerode	4.0.9 → 4.0.10
esbuild	0.27.2 → 0.27.4
pkg-pr-new (source)	^0.0.62 → ^0.0.66
publint (source)	0.3.17 → 0.3.18
rimraf	^6.1.2 → ^6.1.3
semver	^7.7.3 → ^7.7.4

---

Release Notes

anolilab/javascript-style-guide (@​anolilab/prettier-config)

v9.1.1

Compare Source

Bug Fixes

• resolve pre-commit hook failures and lint errors across packages (a4707c3)

Miscellaneous Chores

• prettier-config: add .prettierignore (b07d6c3)
• prettier-config: migrate to ESM prettier config and fix bin.ts (970de06)

anolilab/javascript-style-guide (@​anolilab/textlint-config)

v12.1.5

Compare Source

v12.1.4

Compare Source

v12.1.3

Compare Source

Styles

• cs fixes on md files (1262ea8)

v12.1.2

Compare Source

Bug Fixes

• eslint-config: disable css/no-invalid-at-rules for Tailwind CSS … (#​1000) (aa8b26b)

v12.1.1

Compare Source

Miscellaneous Chores

• textlint-config: migrate prettier config to ESM (9b59056)
• textlint-config: simplify .prettierignore (1e8c66f)

Dependencies

• @​anolilab/prettier-config: upgraded to 9.1.1

ckeditor/ckeditor5-dev (@​ckeditor/typedoc-plugins)

v54.3.4

Compare Source

Bug fixes

• build-tools: Always log TypeScript errors, even when the declarations option is not set or false.

• ci: Made ckeditor5-dev-ci-circle-workflow-notifier resilient to unstable CircleCI API responses by adding retries, response shape validation, and clearer hard-fail reasons. Closes ckeditor/ckeditor5#19763.

  The notifier now retries transient API failures up to 5 times with delays, fails fast for non-retryable API errors, and reports when manual workflow verification is required.

Released packages

Check out the Versioning policy guide for more information.

Released packages (summary)

Other releases:

• @​ckeditor/ckeditor5-dev-build-tools: v54.3.3 => v54.3.4
• @​ckeditor/ckeditor5-dev-bump-year: v54.3.3 => v54.3.4
• @​ckeditor/ckeditor5-dev-changelog: v54.3.3 => v54.3.4
• @​ckeditor/ckeditor5-dev-ci: v54.3.3 => v54.3.4
• @​ckeditor/ckeditor5-dev-dependency-checker: v54.3.3 => v54.3.4
• @​ckeditor/ckeditor5-dev-docs: v54.3.3 => v54.3.4
• @​ckeditor/ckeditor5-dev-license-checker: v54.3.3 => v54.3.4
• @​ckeditor/ckeditor5-dev-release-tools: v54.3.3 => v54.3.4
• @​ckeditor/ckeditor5-dev-stale-bot: v54.3.3 => v54.3.4
• @​ckeditor/ckeditor5-dev-tests: v54.3.3 => v54.3.4
• @​ckeditor/ckeditor5-dev-translations: v54.3.3 => v54.3.4
• @​ckeditor/ckeditor5-dev-utils: v54.3.3 => v54.3.4
• @​ckeditor/ckeditor5-dev-web-crawler: v54.3.3 => v54.3.4
• @​ckeditor/typedoc-plugins: v54.3.3 => v54.3.4

v54.3.3

Compare Source

Bug fixes

• tests: Unify error handling in ckeditor5-dev-tests-run-automated and ckeditor5-dev-tests-run-manual to prevent a TypeError when test execution fails.

Other changes

• tests: Unified Chrome launch configuration across headless and headed mode and enforced a 1920x1080 window size for consistent and predictable test results.

Released packages

Check out the Versioning policy guide for more information.

Released packages (summary)

Other releases:

• @​ckeditor/ckeditor5-dev-build-tools: v54.3.2 => v54.3.3
• @​ckeditor/ckeditor5-dev-bump-year: v54.3.2 => v54.3.3
• @​ckeditor/ckeditor5-dev-changelog: v54.3.2 => v54.3.3
• @​ckeditor/ckeditor5-dev-ci: v54.3.2 => v54.3.3
• @​ckeditor/ckeditor5-dev-dependency-checker: v54.3.2 => v54.3.3
• @​ckeditor/ckeditor5-dev-docs: v54.3.2 => v54.3.3
• @​ckeditor/ckeditor5-dev-license-checker: v54.3.2 => v54.3.3
• @​ckeditor/ckeditor5-dev-release-tools: v54.3.2 => v54.3.3
• @​ckeditor/ckeditor5-dev-stale-bot: v54.3.2 => v54.3.3
• @​ckeditor/ckeditor5-dev-tests: v54.3.2 => v54.3.3
• @​ckeditor/ckeditor5-dev-translations: v54.3.2 => v54.3.3
• @​ckeditor/ckeditor5-dev-utils: v54.3.2 => v54.3.3
• @​ckeditor/ckeditor5-dev-web-crawler: v54.3.2 => v54.3.3
• @​ckeditor/typedoc-plugins: v54.3.2 => v54.3.3

cosmiconfig/cosmiconfig (cosmiconfig)

v9.0.1

Compare Source

• Fixed a race condition where multiple instances existing simultaneously could cause cosmiconfig to fail to load TypeScript config files.
• Fixed an issue on Windows where CWD being a short path (e.g. C:\Users\USERNA~1) would cause cosmiconfig to fail to load ESM config files.

apocas/dockerode (dockerode)

v4.0.10

Compare Source

What's Changed

• Bump js-yaml from 4.1.0 to 4.1.1 by @​dependabot[bot] in #​820
• fix(readme): update docker api links by @​parishahla in #​823
• buildkit proto followProgress support by @​davidgamero in #​824
• Bump minimatch from 5.1.6 to 5.1.9 by @​dependabot[bot] in #​825

New Contributors

• @​parishahla made their first contribution in #​823
• @​davidgamero made their first contribution in #​824

Full Changelog: apocas/dockerode@v4.0.9...v4.0.10

evanw/esbuild (esbuild)

v0.27.4

Compare Source

• Fix a regression with CSS media queries (#​4395, #​4405, #​4406)

  Version 0.25.11 of esbuild introduced support for parsing media queries. This unintentionally introduced a regression with printing media queries that use the <media-type> and <media-condition-without-or> grammar. Specifically, esbuild was failing to wrap an or clause with parentheses when inside <media-condition-without-or>. This release fixes the regression.

  Here is an example:

  /* Original code */
  @​media only screen and ((min-width: 10px) or (min-height: 10px)) {
    a { color: red }
  }
  
  /* Old output (incorrect) */
  @​media only screen and (min-width: 10px) or (min-height: 10px) {
    a {
      color: red;
    }
  }
  
  /* New output (correct) */
  @​media only screen and ((min-width: 10px) or (min-height: 10px)) {
    a {
      color: red;
    }
  }

• Fix an edge case with the inject feature (#​4407)

  This release fixes an edge case where esbuild's inject feature could not be used with arbitrary module namespace names exported using an export {} from statement with bundling disabled and a target environment where arbitrary module namespace names is unsupported.

  With the fix, the following inject file:

  import jquery from 'jquery';
  export { jquery as 'window.jQuery' };

  Can now always be rewritten as this without esbuild sometimes incorrectly generating an error:

  export { default as 'window.jQuery' } from 'jquery';

• Attempt to improve API handling of huge metafiles (#​4329, #​4415)

  This release contains a few changes that attempt to improve the behavior of esbuild's JavaScript API with huge metafiles (esbuild's name for the build metadata, formatted as a JSON object). The JavaScript API is designed to return the metafile JSON as a JavaScript object in memory, which makes it easy to access from within a JavaScript-based plugin. Multiple people have encountered issues where this API breaks down with a pathologically-large metafile.

  The primary issue is that V8 has an implementation-specific maximum string length, so using the JSON.parse API with large enough strings is impossible. This release will now attempt to use a fallback JavaScript-based JSON parser that operates directly on the UTF8-encoded JSON bytes instead of using JSON.parse when the JSON metafile is too big to fit in a JavaScript string. The new fallback path has not yet been heavily-tested. The metafile will also now be generated with whitespace removed if the bundle is significantly large, which will reduce the size of the metafile JSON slightly.

  However, hitting this case is potentially a sign that something else is wrong. Ideally you wouldn't be building something so enormous that the build metadata can't even fit inside a JavaScript string. You may want to consider optimizing your project, or breaking up your project into multiple parts that are built independently. Another option could potentially be to use esbuild's command-line API instead of its JavaScript API, which is more efficient (although of course then you can't use JavaScript plugins, so it may not be an option).

v0.27.3

Compare Source

• Preserve URL fragments in data URLs (#​4370)

  Consider the following HTML, CSS, and SVG:

  • index.html:

    <!DOCTYPE html>
    <html>
      <head><link rel="stylesheet" href="icons.css"></head>
      <body><div class="triangle"></div></body>
    </html>

  • icons.css:

    .triangle {
      width: 10px;
      height: 10px;
      background: currentColor;
      clip-path: url(./triangle.svg#x);
    }

  • triangle.svg:

    <svg xmlns="http://www.w3.org/2000/svg">
      <defs>
        <clipPath id="x">
          <path d="M0 0H10V10Z"/>
        </clipPath>
      </defs>
    </svg>

  The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

  /* icons.css */
  .triangle {
    width: 10px;
    height: 10px;
    background: currentColor;
    clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
  }

• Parse and print CSS @scope rules (#​4322)

  This release includes dedicated support for parsing @scope rules in CSS. These rules include optional "start" and "end" selector lists. One important consequence of this is that the local/global status of names in selector lists is now respected, which improves the correctness of esbuild's support for CSS modules. Minification of selectors inside @scope rules has also improved slightly.

  Here's an example:

  /* Original code */
  @​scope (:global(.foo)) to (:local(.bar)) {
    .bar {
      color: red;
    }
  }
  
  /* Old output (with --loader=local-css --minify) */
  @​scope (:global(.foo)) to (:local(.bar)){.o{color:red}}
  
  /* New output (with --loader=local-css --minify) */
  @​scope(.foo)to (.o){.o{color:red}}

• Fix a minification bug with lowering of for await (#​4378, #​4385)

  This release fixes a bug where the minifier would incorrectly strip the variable in the automatically-generated catch clause of lowered for await loops. The code that generated the loop previously failed to mark the internal variable references as used.

• Update the Go compiler from v1.25.5 to v1.25.7 (#​4383, #​4388)

  This PR was contributed by @​MikeWillCook.

stackblitz-labs/pkg.pr.new (pkg-pr-new)

v0.0.66

Compare Source

v0.0.65

Compare Source

v0.0.63

Compare Source

publint/publint (publint)

v0.3.18

Compare Source

Patch Changes

• Fix deprecated subpath mapping check crash and make getPkgPathValue from publint/utils return undefined if the path is invalid (ad2aa9c)

isaacs/rimraf (rimraf)

v6.1.3

Compare Source

npm/node-semver (semver)

v7.7.4

Compare Source

Bug Fixes

• a29faa5 #​835 cli: pass options to semver.valid() for loose version validation (#​835) (@​mldangelo)

Documentation

• 1d28d5e #​836 fix typos and update -n CLI option documentation (#​836) (@​mldangelo)

Dependencies

• 120968b #​840 @npmcli/template-oss@4.29.0 (#​840)

Chores

• 44d7130 #​824 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#​824) (@​dependabot[bot])
• 7073576 #​820 reorder parameters in invalid-versions.js test (#​820) (@​reggi)
• 5816d4c #​829 bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#​829) (@​dependabot[bot], @​npm-cli-bot)

---

Configuration

📅 Schedule: Branch creation - "after 10:00 before 19:00 every weekday except after 13:00 before 14:00" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Thank you for following the naming conventions! 🙏

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: Handlebars.js has JavaScript Injection via AST Type Confusion CVE: GHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type Confusion (CRITICAL) Affected versions: >= 4.0.0 < 4.7.9 Patched version: 4.7.9 From: pnpm-lock.yaml → npm/@semantic-release/commit-analyzer@13.0.1 → npm/@semantic-release/release-notes-generator@14.1.0 → npm/handlebars@4.7.8 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/handlebars@4.7.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​anolilab/​textlint-config@​12.1.0 ⏵ 12.1.5				+1
	@​anolilab/​prettier-config@​9.1.0 ⏵ 9.1.1
	esbuild@​0.27.2 ⏵ 0.27.4			+1
	@​ckeditor/​typedoc-plugins@​54.3.2 ⏵ 54.3.4
	cosmiconfig@​9.0.1
	got@​14.6.6
	dockerode@​4.0.9 ⏵ 4.0.10	+1		+1	+5

View full report