chore: 🤖 bump the major-updates group across 1 directory with 5 updates

[dependabot]

Bumps the major-updates group with 5 updates in the / directory:

Package	From	To
@types/node	24.10.1	25.2.3
glob	11.0.3	13.0.2
global-jsdom	27.0.0	28.0.0
jsdom	27.2.0	28.0.0
putout	40.15.0	41.20.1

Updates @types/node from 24.10.1 to 25.2.3

Commits

• See full diff in compare view

Updates glob from 11.0.3 to 13.0.2

Changelog

Sourced from glob's changelog.

changeglob

13

• Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

• Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

• Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
• Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.
• Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

• Drop support for node before v20

10.4

• Add includeChildMatches: false option
• Export the Ignore class

10.3

• Add --default -p flag to provide a default pattern
• exclude symbolic links to directories when follow and nodir are both set

10.2

• Add glob cli

10.1

• Return '.' instead of the empty string '' when the current working directory is returned as a match.
• Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

• 2135b0c 13.0.2
• 5254494 ship minified by default, update deps
• 0a603fe remove unused tshy config
• c759f03 13.0.1
• 8354a18 update deps
• ff6e0f5 ci: update action versions
• 1469286 update workflows and formatting/docs
• 3bfb960 13.0.0
• db31a63 Split the CLI out from the main project
• 5493458 ci: remove node 20
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for glob since your current version.

Updates global-jsdom from 27.0.0 to 28.0.0

Changelog

Sourced from global-jsdom's changelog.

{28.0.0} - {2026-02-02}

• Raise minimum jsdom peer dependency to v28

Commits

• See full diff in compare view

Updates jsdom from 27.2.0 to 28.0.0

Release notes

Sourced from jsdom's releases.

Version 28.0.0

• Overhauled resource loading customization. See the new README for details on the new API.
• Added MIME type sniffing to <iframe> and <frame> loads.
• Regression: WebSockets are no longer correctly throttled to one connection per origin. This is a result of the bug at nodejs/undici#4743.
• Fixed decoding of the query components of <a> and <area> elements in non-UTF-8 documents.
• Fixed XMLHttpRequest fetches and WebSocket upgrade requests to be interceptable by the new customizable resource loading. (Except synchronous XMLHttpRequests.)
• Fixed the referrer of a document to be set correctly when redirects are involved; it is now the initiating page, not the last hop in the redirect chain.
• Fixed correctness bugs when passing ArrayBuffers or typed arrays to various APIs, where they would not correctly snapshot the data.
• Fixed require("url").parse() deprecation warning when using WebSockets.
• Fixed <iframe>, <frame>, and <img> (when canvas is installed) to fire load events, not error events, on non-OK HTTP responses.
• Fixed many small issues in XMLHttpRequest.

Version 27.4.0

• Added TextEncoder and TextDecoder.
• Improved decoding of HTML bytes by using the new @exodus/bytes package; it is now much more correct. (ChALkeR)
• Improved decoding of XML bytes to use UTF-8 more often, instead of sniffing for <meta charset> or using the parent frame's encoding.
• Fixed a memory leak when Ranges were used and then the elements referred to by those ranges were removed.

Version 27.3.0

• Improved CSS parsing and CSSOM object APIs via updates to @acemir/cssom. (acemir)

Changelog

Sourced from jsdom's changelog.

28.0.0

• Overhauled resource loading customization. See the new README for details on the new API.
• Added MIME type sniffing to <iframe> and <frame> loads.
• Regression: WebSockets are no longer correctly throttled to one connection per origin. This is a result of the bug at nodejs/undici#4743.
• Fixed decoding of the query components of <a> and <area> elements in non-UTF-8 documents.
• Fixed XMLHttpRequest fetches and WebSocket upgrade requests to be interceptable by the new customizable resource loading. (Except synchronous XMLHttpRequests.)
• Fixed the referrer of a document to be set correctly when redirects are involved; it is now the initiating page, not the last hop in the redirect chain.
• Fixed correctness bugs when passing ArrayBuffers or typed arrays to various APIs, where they would not correctly snapshot the data.
• Fixed require("url").parse() deprecation warning when using WebSockets.
• Fixed <iframe>, <frame>, and <img> (when canvas is installed) to fire load events, not error events, on non-OK HTTP responses.
• Fixed many small issues in XMLHttpRequest.

27.4.0

• Added TextEncoder and TextDecoder.
• Improved decoding of HTML bytes by using the new @exodus/bytes package; it is now much more correct. (ChALkeR)
• Improved decoding of XML bytes to use UTF-8 more often, instead of sniffing for <meta charset> or using the parent frame's encoding.
• Fixed a memory leak when Ranges were used and then the elements referred to by those ranges were removed.

27.3.0

• Improved CSS parsing and CSSOM object APIs via updates to @acemir/cssom. (acemir)

Commits

• 20f614d Version 28.0.0
• 2b65c6a Replace the resource loader API
• 638bd68 Decode <a> and <area> query strings using document's encoding
• 457bd4b Add AGENTS.md (and CLAUDE.md)
• bf1dc15 Mark header-values tests as fail-slow due to Node.js bug
• 92f269e Update dependencies and dev dependencies
• 7d6e667 Improve spec alignment of Headers and header type tests
• 2c29aed Fix Windows-specific task kill timeouts
• d941216 Add failing regression test for animation-name case-sensitivity
• 56a833d Update style benchmark
• Additional commits viewable in compare view

Updates putout from 40.15.0 to 41.20.1

Release notes

Sourced from putout's releases.

putout v41.20.1

🐞 fix

• b491f48c9 @​putout/plugin-putout-config: apply-variables: variables/rename-useless-rename -> variables/remove-useless-rename

🔥 feature

• ec6560e8b putout: @​putout/plugin-parens v5.0.0
• 20b4c40b6 @​putout/plugin-parens: remove-useless-for-params: destructuring
• 39d872f86 @​putout/plugin-remove-useless-escape: z

putout v41.20.0

🐞 fix

• b513eace5 @​putout/plugin-package-json: apply-https-to-repository-url: report
• 1356e6b25 @​putout/processor-filesystem: create: overrides

🔥 feature

• 1db4585e2 putout: @​putout/plugin-remove-useless-array v3.0.0
• 23e2c593f @​putout/plugin-remove-useless-array: drop support of 🐊 < 41
• 3173a7fac putout: @​putout/plugin-remove-useless-push v3.0.0
• 63699a486 @​putout/plugin-remove-useless-push: drop support of 🐊 < 41
• 63dcea59e @​putout/plugin-arguments: remove-empty: add
• 689568a0d @​putout/eslint-config: no-useless-assignment: off
• c526c2b15 @​putout/eslint-config: @​eslint/js v10.0.1
• 05165c640 @​putout/plugin-github: set-message-of-commit-fixes
• 6319d79c0 @​putout/plugin-putout: remove-message-from-no-report-after-transform: add
• bbbc0bcde root: eslint v10.0.0
• 4e8875e15 @​putout/plugin-esm: apply-name-to-imported-file: dynamic
• df86a0714 @​putout/plugin-putout: apply-fixture-name-to-message: report-with-options
• bfe9b0276 @​putout/plugin-esm: apply-default-import: add
• e50123d47 @​putout/plugin-package-json: apply-https-to-repository-url: https: add support

putout v41.19.0

🔥 feature

• 9813f420a @​putout/engine-runner: @​putout/operator-filesystem v11.0.0
• 4dc4cff24 @​putout/operator-find-file-up: @​putout/operator-filesystem v11.0.0
• 556178a68 @​putout/operator-match-files: @​putout/operator-filesystem v11.0.0
• 19a47c2e7 @​putout/operator-rename-files: @​putout/operator-filesystem v11.0.0
• 58baf20f0 @​putout/plugin-filesystem: @​putout/operator-filesystem v11.0.0
• 16987e84b @​putout/test: @​putout/operator-filesystem v11.0.0
• b6b19b655 putout: @​putout/operator-filesystem v11.0.0
• e92161c3e putout: @​putout/processor-filesystem v8.0.0
• b3e1a0cdd @​putout/processor-filesystem: @​putout/operator-filesystem v11.0.0
• 79127f528 @​putout/engine-runner: @​putout/operator-filesystem v10.6.0
• 7dfc7d920 @​putout/operator-filesystem: export: maybe
• 5f79a2227 @​putout/processor-toml: oxfmt v0.28.0

... (truncated)

Commits

• 9419bad chore: putout: v41.20.1
• ec6560e feature: putout: @​putout/plugin-parens v5.0.0
• 03dfe9d chore: @​putout/plugin-parens: v5.0.0
• 20b4c40 feature: @​putout/plugin-parens: remove-useless-for-params: destructuring
• 989a4fb chore: @​putout/plugin-putout-config: v11.13.1
• b491f48 fix: @​putout/plugin-putout-config: apply-variables: variables/rename-useless-...
• 5603dfd chore: @​putout/plugin-remove-useless-escape: v9.2.0
• 39d872f feature: @​putout/plugin-remove-useless-escape: z
• 99e2ea7 chore: putout: v41.20.0
• 1db4585 feature: putout: @​putout/plugin-remove-useless-array v3.0.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	eslint-config-phun-ky@​1.0.26 ⏵ 1.0.33				+1
	glob-bin@​1.1.0
	@​types/​node@​24.10.1 ⏵ 25.2.3
	chroma-js@​3.1.2 ⏵ 3.2.0	+1
	global-jsdom@​27.0.0 ⏵ 28.0.0				+6
	@​release-it/​conventional-changelog@​10.0.2 ⏵ 10.0.5	+1			+4
	eslint@​9.39.1 ⏵ 9.39.2	+4
	jsdom@​27.2.0 ⏵ 28.0.0	-1		+1	+1
	@​phun-ky/​typeof@​2.0.13 ⏵ 2.1.1	+1

View full report

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.40%. Comparing base (8f7cd2e) to head (881b608).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #113   +/-   ##
=======================================
  Coverage   98.40%   98.40%           
=======================================
  Files         108      108           
  Lines        4711     4711           
  Branches      592      592           
=======================================
  Hits         4636     4636           
  Misses         75       75           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.