Skip to content

build(deps): bump the npm_and_yarn group across 1 directory with 12 updates#498

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/npm_and_yarn-c51fe08926
Open

build(deps): bump the npm_and_yarn group across 1 directory with 12 updates#498
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/npm_and_yarn-c51fe08926

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 10, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 11 updates in the / directory:

Package From To
webpack 5.102.1 5.108.4
webpack-dev-server 4.15.2 5.2.5
@tootallnate/once 2.0.0 removed
fast-uri 3.1.0 3.1.3
flatted 3.3.3 3.4.2
follow-redirects 1.15.11 1.16.0
js-yaml 4.1.0 4.3.0
postcss 8.5.8 8.5.16
protocol-buffers-schema 3.6.0 3.6.1
shell-quote 1.8.3 1.9.0
vite 8.0.2 8.1.3

Updates webpack from 5.102.1 to 5.108.4

Release notes

Sourced from webpack's releases.

v5.108.4

Patch Changes

v5.108.3

Patch Changes

v5.108.2

Patch Changes

v5.108.1

Patch Changes

  • Fix invalid property access for escaped namespace imports with multi-character mangled export names. (by @​xiaoxiaojx in #21280)

  • Add frames to ProfilingPlugin TracingStartedInBrowser event so the trace loads in Chrome DevTools. (by @​alexander-akait in #21269)

v5.108.0

Minor Changes

  • Treat top-level await and import.meta as ES module markers, matching Node.js syntax detection so no explicit module type is needed. (by @​alexander-akait in #21218)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.108.4

Patch Changes

5.108.3

Patch Changes

5.108.2

Patch Changes

5.108.1

Patch Changes

  • Fix invalid property access for escaped namespace imports with multi-character mangled export names. (by @​xiaoxiaojx in #21280)

  • Add frames to ProfilingPlugin TracingStartedInBrowser event so the trace loads in Chrome DevTools. (by @​alexander-akait in #21269)

... (truncated)

Commits
  • bb9ccfd chore(release): new release (#21319)
  • 7639066 fix: invalidate provided-exports cache with lazy barrel (#21326)
  • ae28c54 perf: reduce CPU and memory overhead of the HTML and CSS pipelines (#21332)
  • e6fb547 perf: re-encode the HTML AST as struct-of-arrays behind a path-based visitor ...
  • 5ce1c22 fix(html): resolve asset URLs against <base href> (#21329)
  • 0e43c4a test(html): cover generateError, ignored-source, and null-character parse pat...
  • cebd793 refactor: build export-presence guards from a lazy boolean formula (#21320)
  • c2628cf fix: don't resolve new URL() directory references as modules (#21312)
  • 00d8b2f perf: speed up non-CSS-Modules CSS parsing by skipping unused AST work (#21324)
  • f7a3f6d perf: reduce HTML parser memory and CPU with parser-level skip options (#21323)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for webpack since your current version.


Updates webpack-dev-server from 4.15.2 to 5.2.5

Release notes

Sourced from webpack-dev-server's releases.

v5.2.5

Patch Changes

  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #5680)

v5.2.4

5.2.4 (2026-05-11)

Bug Fixes

  • set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

v5.2.3

5.2.3 (2026-01-12)

Bug Fixes

  • add cause for errorObject (#5518) (37b033d)
  • compatibility with event target and universal target and lazy compilation (574026c)
  • overlay: add ESC key to dismiss overlay (#5598) (f91baa8)
  • progress indicator styles (#5557) (41a53a1)
  • upgrade selfsigned to v5

v5.2.2

5.2.2 (2025-06-03)

Bug Fixes

  • "Overlay enabled" false positive (18e72ee)
  • do not crush when error is null for runtime errors (#5447) (309991f)
  • remove unnecessary header X_TEST (#5451) (64a6124)
  • respect the allowedHosts option for cross-origin header check (#5510) (03d1214)

v5.2.1

5.2.1 (2025-03-26)

Security

  • cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
  • requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

  • prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
  • take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

... (truncated)

Changelog

Sourced from webpack-dev-server's changelog.

5.2.5

Patch Changes

  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #5680)

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

5.2.4 (2026-05-11)

Bug Fixes

  • set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

5.2.3 (2026-01-12)

Bug Fixes

  • add cause for errorObject (#5518) (37b033d)
  • compatibility with event target and universal target and lazy compilation (574026c)
  • overlay: add ESC key to dismiss overlay (#5598) (f91baa8)
  • progress indicator styles (#5557) (41a53a1)
  • upgrade selfsigned to v5

5.2.2 (2025-06-03)

Bug Fixes

  • "Overlay enabled" false positive (18e72ee)
  • do not crush when error is null for runtime errors (#5447) (309991f)
  • remove unnecessary header X_TEST (#5451) (64a6124)
  • respect the allowedHosts option for cross-origin header check (#5510) (03d1214)

5.2.1 (2025-03-26)

Security

  • cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
  • requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

  • prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
  • take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

5.2.0 (2024-12-11)

Features

... (truncated)

Commits
  • c3ee325 chore(release): new release (#5682)
  • 60173be feat: add changeset validation and release workflow (#5680)
  • 948d5e6 fix(proxy): match the HMR upgrade path exactly like the ws server (#5678)
  • 93e8996 fix: skip HMR websocket path when forwarding upgrades to user-defined proxies...
  • fd40130 chore(release): 5.2.4
  • ece4f36 chore: update deps (#5661)
  • a216144 ci: fix test (#5658)
  • df073c5 Merge commit from fork
  • b550a70 chore(release): 5.2.3
  • 9704dc5 chore: upgrade selfsigned to v5 and remove node-forge dependency (#5618)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for webpack-dev-server since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Removes @tootallnate/once

Updates fast-uri from 3.1.0 to 3.1.3

Release notes

Sourced from fast-uri's releases.

v3.1.3

⚠️ Security Release

Full Changelog: fastify/fast-uri@v3.1.2...v3.1.3

v3.1.2

⚠️ Security Release

What's Changed

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits

Updates flatted from 3.3.3 to 3.4.2

Commits
  • 3bf0909 3.4.2
  • 885ddcc fix CWE-1321
  • 0bdba70 added flatted-view to the benchmark
  • 2a02dce 3.4.1
  • fba4e8f Merge pull request #89 from WebReflection/python-fix
  • 5fe8648 added "when in Rome" also a test for PHP
  • 53517ad some minor improvement
  • b3e2a0c Fixing recursion issue in Python too
  • c4b46db Add SECURITY.md for security policy and reporting
  • f86d071 Create dependabot.yml for version updates
  • Additional commits viewable in compare view

Updates follow-redirects from 1.15.11 to 1.16.0

Commits
  • 0c23a22 Release version 1.16.0 of the npm package.
  • 844c4d3 Add sensitiveHeaders option.
  • 5e8b8d0 ci: add Node.js 24.x to the CI matrix
  • 7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
  • 86dc1f8 Sanitizing input.
  • See full diff in compare view

Updates js-yaml from 4.1.0 to 4.3.0

Changelog

Sourced from js-yaml's changelog.

4.3.0, 3.15.0 - 2026-06-27

Security

  • Backported maxTotalMergeKeys option.

[5.2.0] - 2026-06-26

Added

  • Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.
  • Added maxAliases (-1) loader option to limit the number of YAML aliases per document.

Removed

  • maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

Fixed

  • Round-trip of integers with exponential form (>= 1e21)

[5.1.0] - 2026-06-23

Added

  • Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

  • [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

  • Added named exports for schemas, tags, parser events and AST utilities.
  • Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
  • Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
  • Added dump() transform option for changing the generated AST before rendering.
  • Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
  • Added formal data layers (events and AST) for modular data pipelines.
    • Added low-level parser (to events), presenter and visitor APIs.
  • Added the YAML Test Suite to the test set.

Changed

  • See the migration guide for upgrade notes.
  • Rewritten in TypeScript and reorganized the public API around flat named exports.

... (truncated)

Commits
  • 33d05b5 4.3.0 released
  • 663bfab Drop demo publish, to not override new v5 one.
  • 1cb8c7b Add v4-legacy tag for publish
  • 02f27af Restore umd builds back to es5
  • 8be84ed Fix es5 compatibility
  • 59423c6 Replace maxMergeSeqLength option with maxTotalMergeKeys (more robust). Ba...
  • 6842ef6 doc polish
  • 590dbab 4.2.0 released
  • f944dc5 Add package.json funding field
  • f692719 Changelog update
  • Additional commits viewable in compare view

Updates postcss from 8.5.8 to 8.5.16

Release notes

Sourced from postcss's releases.

8.5.16

8.5.15

  • Fixed declaration parsing performance (by @​homanp).

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.
Changelog

Sourced from postcss's changelog.

8.5.16

8.5.15

  • Fixed declaration parsing performance (by @​homanp).

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for postcss since your current version.


Updates protocol-buffers-schema from 3.6.0 to 3.6.1

Commits

Updates qs from 6.13.0 to 6.15.3

Changelog

Sourced from qs's changelog.

6.15.3

  • [Fix] parse: enforce throwOnLimitExceeded for cumulative array growth via combine/merge
  • [Fix] utils: respect encoding of surrogate pairs across chunks (#559)
  • [Robustness] parse: throw the arrayLimit error before splitting oversized comma values
  • [Robustness] utils.merge / utils.assign: avoid invoking __proto__ setter when copying own properties
  • [Robustness] utils: enforce arrayLimit consistently across merge's array paths
  • [Perf] utils: make compact O(n) via a side-channel visited-set instead of Array.indexOf
  • [Deps] update side-channel
  • [Dev Deps] update eslint, mock-property, tape
  • [Tests] parse: characterize current lenient handling of unbalanced bracket keys (#558)

6.15.2

  • [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
  • [Fix] stringify: use configured delimiter after charsetSentinel (#555)
  • [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
  • [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
  • [Fix] parse: handle nested bracket groups and add regression tests (#530)
  • [readme] fix grammar (#550)
  • [Dev Deps] update @ljharb/eslint-config
  • [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

  • [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
  • [Deps] update @ljharb/eslint-config
  • [Dev Deps] update @ljharb/eslint-config, iconv-lite
  • [Tests] increase coverage

6.15.0

  • [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
  • [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLengtharrayLimit)
  • [actions] fix rebase workflow permissions

6.14.1

  • [Fix] ensure arrayLimit applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions

... (truncated)

Commits
  • 18d085e v6.15.3
  • c38af42 [Deps] update side-channel
  • adce539 [Dev Deps] update eslint, mock-property, tape
  • 74a0f6a [Robustness] utils: enforce arrayLimit consistently across merge's arra...
  • f4938f5 [Tests] parse: characterize current lenient handling of unbalanced bracket ...
  • 5d5f723 [Perf] utils: make compact O(n) via a side-channel visited-set instead of...
  • 52afe00 [Robustness] parse: throw the arrayLimit error before splitting oversized...
  • 963e538 [Fix] parse: enforce throwOnLimitExceeded for cumulative array growth via...
  • 59da434 [Fix] utils: respect encoding of surrogate pairs across chunks
  • 9532969 [Robustness] utils.merge / utils.assign: avoid invoking __proto__ sette...
  • Additional commits viewable in compare view

Updates shell-quote from 1.8.3 to 1.9.0

Changelog

Sourced from shell-quote's changelog.

v1.9.0 - 2026-06-24

Commits

  • [New] add types dca6e21
  • [Dev Deps] update eslint 9aa9e8f
  • [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv) 7ff5488
  • [actions] update workflows 75e8497
  • [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3 cannot stage eslint 10@types/esrecurse 3fb739d
  • [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake abe0163
  • [actions] Windows + node 5/7: install deps with a modern node b4bafa2
  • [Fix] quote: escape leading ~ to prevent shell tilde-expansion 7a76c1a
  • [Dev Deps] update auto-changelog, tape 7184b44
  • [Dev Deps] apparently jackspeak is no longer in the graph 9ba368a

v1.8.4 - 2026-05-22

Commits

  • [Fix] quote: validate object-token shapes 4378a6e
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, npmignore 22ebec0
  • [Tests] increase coverage 9f3caa3
  • [readme] replace runkit CI badge with shields.io check-runs badge 3344a04
  • [Dev Deps] update @ljharb/eslint-config 699c511
Commits
  • db09fc7 v1.9.0
  • 7ff5488 [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv)
  • b4bafa2 [actions] Windows + node 5/7: install deps with a modern node
  • 3fb739d [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3...
  • abe0163 [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake
  • 7a76c1a [Fix] quote: escape leading ~ to prevent shell tilde-expansion
  • 75e8497 [actions] update workflows
  • dca6e21 [New] add types
  • 9aa9e8f [Dev Deps] update eslint
  • 9ba368a [Dev Deps] apparently jackspeak is no longer in the graph
  • Additional commits viewable in compare view

Updates vite from 8.0.2 to 8.1.3

Release notes

Sourced from vite's releases.

v8.1.3

Please refer to CHANGELOG.md for details.

v8.1.2

Please refer to CHANGELOG.md for details.

v8.1.1

Please refer to CHANGELOG.md for details.

create-vite@8.1.0

Please refer to CHANGELOG.md for details.

plugin-legacy@8.1.0

Please refer to CHANGELOG.md for details.

v8.1.0

Please refer to CHANGELOG.md for details.

plugin-legacy@8.1.0-beta.0

Please refer to CHANGELOG.md for details.

v8.1.0-beta.0

Please refer to CHANGELOG.md for details.

v8.0.16

Please refer to CHANGELOG.md for details.

v8.0.15

Please refer to CHANGELOG.md for details.

v8.0.14

Please refer to CHANGELOG.md for details.

v8.0.13

Please refer to CHANGELOG.md for details.

v8.0.12

Please refer to CHANGELOG.md for details.

v8.0.11

Please refer to CHANGELOG.md for details.

v8.0.10

Please refer to CHANGELOG.md for details.

v8.0.9

Please refer to CHANGELOG.md for details.

v8.0.8

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

8.1.3 (2026-07-02)

Bug Fixes

  • css: inject inlined CSS after the shebang line (#22717) (1534d36)
  • deps: bump es-module-lexer to 2.3.0 (#22838) (7103c3a)
  • preload css for nested dynamic imports (#22759) (2c53054)
  • ssr: correct stacktrace column position for f...

    Description has been truncated

    Summary by CodeRabbit

    • Chores
      • 開発用依存関係を更新し、関連ツールの互換性と安定性を改善しました。
      • 一部の開発環境での動作がより新しいバージョンに対応しました。

    Note
    Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 10, 2026
@coderabbitai

coderabbitai Bot commented Jun 10, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

package.json の devDependencies で、jsdom と webpack-dev-server のバージョン指定が更新されています。

Changes

開発依存関係の更新

Layer / File(s) Summary
開発依存関係のバージョン更新
package.json
jsdom を ^20.0.3 から ^29.1.1 に、webpack-dev-server を ^4.11.1 から ^5.2.5 に更新。

Estimated code review effort: 1 (Trivial) | ~2 minutes

Poem

🐰 ぴょん、ぴょん、更新完了
jsdom も元気に新顔だ
webpack-dev-server も軽やかに
森のビルドは今日も晴れ☀️

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed 依存関係の自動更新であることと、複数パッケージの更新である点を適切に要約しています。
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/npm_and_yarn/npm_and_yarn-c51fe08926

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 55: The package update added jsdom@^29.1.1 which requires a newer Node
and incompatible `@types/jsdom`; update project configuration to pin compatible
versions and Node engine: set engines.node to ">=22.13.0" (or ">=24.0.0" if you
prefer upgrading to 24+), update .nvmrc and CI workflow node-version to match
that same minimum, and upgrade `@types/jsdom` to a release that supports jsdom 29
(remove the old `@types/jsdom`@^21.1.7 entry and replace it with the proper types
package/version for jsdom v29), then run a full TypeScript build with
declaration: true to verify no type/declaration breakages and fix any typing
errors exposed by the new types.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bee7d353-94a9-4f1e-af35-dc241dc90eb0

📥 Commits

Reviewing files that changed from the base of the PR and between 35d26ba and 52df28c.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

Comment thread package.json
"eslint-plugin-react-hooks": "^7.0.1",
"globals": "^16.5.0",
"jsdom": "^20.0.3",
"jsdom": "^29.1.1",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== package.json dependency versions =="
python - <<'PY'
import json
with open("package.json", "r", encoding="utf-8") as f:
    p=json.load(f)
dev=p.get("devDependencies", {})
print("jsdom:", dev.get("jsdom"))
print("`@types/jsdom`:", dev.get("`@types/jsdom`"))
print("webpack-dev-server:", dev.get("webpack-dev-server"))
print("engines.node:", p.get("engines", {}).get("node"))
PY

echo
echo "== Node version policy declarations in repo =="
fd -HI '(\.nvmrc|\.node-version|\.tool-versions|package\.json|Dockerfile|.*\.ya?ml)$'

echo
echo "== Potential Node-version pins in config/workflows =="
rg -n -C2 'engines"\s*:\s*\{|node-version|setup-node|FROM node:|volta|NODE_VERSION'

echo
echo "== jsdom usage surfaces in tests/source =="
rg -n --type=ts -C2 '\bJSDOM\b|from\s+[\"\x27]jsdom[\"\x27]'

echo
echo "== Typecheck-related scripts (if present) =="
rg -n -C2 '"scripts"\s*:\s*\{|typecheck|tsc'

Repository: geolonia/embed

Length of output: 50512


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== package.json engines / scripts / dep versions around jsdom & webpack-dev-server =="
python - <<'PY'
import json
from pathlib import Path
p=json.loads(Path("package.json").read_text(encoding="utf-8"))
print("engines:", p.get("engines"))
print("devDependencies jsdom:", (p.get("devDependencies") or {}).get("jsdom"))
print("devDependencies `@types/jsdom`:", (p.get("devDependencies") or {}).get("`@types/jsdom`"))
print("devDependencies webpack-dev-server:", (p.get("devDependencies") or {}).get("webpack-dev-server"))
print("scripts:", p.get("scripts", {}))
PY

echo
echo "== .nvmrc =="
if [ -f .nvmrc ]; then cat .nvmrc; else echo "missing .nvmrc"; fi

echo
echo "== workflows/setup-node node-version (build.yml) =="
rg -n "setup-node|node-version|NODE_VERSION" .github/workflows -S || true

echo
echo "== vitest config: environment jsdom =="
rg -n --glob='*vitest.config.*' -S "environment.*jsdom" . || true
rg -n --glob='*vitest.config.*' -S "environment" . || true

echo
echo "== jsdom usage in ts files =="
rg -n --type=ts -C2 "from ['\"]jsdom['\"]|\\bJSDOM\\b" . || true

echo
echo "== webpack-dev-server usage =="
rg -n -S "webpack-dev-server|webpack serve|serve --config" package.json docs -S || true

echo
echo "== tsconfig(s) typing / lib DOM / types =="
fd -e tsconfig -e json -S -t f . -a || true
# Prefer exact files
if [ -f tsconfig.json ]; then echo "--- tsconfig.json ---"; cat tsconfig.json; fi
for f in $(fd -a -t f "tsconfig*.json" .); do echo "--- $f ---"; head -n 200 "$f"; done

echo
echo "== Read vitest.config.ts and src/lib/util.test.ts (if exist) =="
if [ -f vitest.config.ts ]; then cat -n vitest.config.ts; fi
if [ -f src/lib/util.test.ts ]; then cat -n src/lib/util.test.ts; fi

Repository: geolonia/embed

Length of output: 23418


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== package.json engines / scripts / dep versions around jsdom & webpack-dev-server =="
python - <<'PY'
import json
from pathlib import Path
p=json.loads(Path("package.json").read_text(encoding="utf-8"))
print("engines:", p.get("engines"))
dev=p.get("devDependencies") or {}
print("devDependencies jsdom:", dev.get("jsdom"))
print("devDependencies `@types/jsdom`:", dev.get("`@types/jsdom`"))
print("devDependencies webpack-dev-server:", dev.get("webpack-dev-server"))
print("scripts:", p.get("scripts", {}))
PY

echo
echo "== .nvmrc =="
if [ -f .nvmrc ]; then cat .nvmrc; else echo "missing .nvmrc"; fi

echo
echo "== workflows/setup-node node-version (build.yml) =="
rg -n "setup-node|node-version|NODE_VERSION" .github/workflows -S || true

echo
echo "== vitest config: environment jsdom =="
rg -n --glob='*vitest.config.*' -S "environment.*jsdom" . || true
rg -n --glob='*vitest.config.*' -S "environment" . || true

echo
echo "== jsdom usage in ts files =="
rg -n --type=ts -C2 "from ['\"]jsdom['\"]|\\bJSDOM\\b" . || true

echo
echo "== webpack-dev-server usage =="
rg -n -S "webpack-dev-server|webpack serve|serve --config" package.json docs -S || true

echo
echo "== tsconfig(s) DOM typings =="
for f in $(fd -a -t f "tsconfig*.json" .); do
  echo "--- $f (first 220 lines) ---"
  head -n 220 "$f"
done

echo
echo "== Read vitest.config.ts and src/lib/util.test.ts (if exist) =="
if [ -f vitest.config.ts ]; then cat -n vitest.config.ts; fi
if [ -f src/lib/util.test.ts ]; then cat -n src/lib/util.test.ts; fi

Repository: geolonia/embed

Length of output: 22584


🌐 Web query:

jsdom 29.1.1 engines node requirement

💡 Result:

The jsdom version 29.1.1 requires a Node.js version of ^20.19.0 || ^22.13.0 || >=24.0.0, as specified in its package.json engines field [1][2].

Citations:


🌐 Web query:

webpack-dev-server 5.2.4 engines node requirement

💡 Result:

The webpack-dev-server version 5.2.4 requires Node.js version 18.12.0 or higher [1]. While some earlier versions of the package may have specified different engines, this is the requirement noted for this specific release [1].

Citations:


🌐 Web query:

@types/jsdom 21.1.7 compatibility with jsdom 29 types bundled

💡 Result:

The package @types/jsdom version 21.1.7 is not compatible with jsdom version 29.0.0 and above [1][2][3]. JSDom does not bundle its own TypeScript type definitions; it relies on the DefinitelyTyped community to maintain them via the @types/jsdom package [1][4][5]. Using @types/jsdom 21.1.7 with JSDom 29 will result in significant type inaccuracies and build errors [6][7]. JSDom 29, released in March 2026, introduced major changes to its internal implementations (such as CSSOM and resource loading) [3][7], which require the corresponding updates in the type definitions found in @types/jsdom version 28.x and later [1][2][7]. If you are upgrading to JSDom 29, you must also upgrade your @types/jsdom dependency to the latest 28.x version to ensure your type definitions match the JSDom API [1][6][2].

Citations:


jsdom@^29.1.1(55行目)と webpack-dev-server@^5.2.4(66行目)の更新で、Node要件と @types/jsdom を整合させてください。

  • Node: jsdom@29^22.13.0 以上(または >=24 等)が必要。現状 .nvmrc: v22 / GitHub Actions が 22.x なので、22.13 未満を踏む可能性があり engines.node を追加し、.nvmrc と workflow の node-version22.13+(または >=24)に寄せる対応が必要。
  • 型: @types/jsdom@^21.1.7jsdom@29 と不整合なので、@types/jsdom を jsdom 29 に対応する世代へ更新して、宣言生成/ビルド(declaration: true)で破綻しないことを確認してください。
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 55, The package update added jsdom@^29.1.1 which
requires a newer Node and incompatible `@types/jsdom`; update project
configuration to pin compatible versions and Node engine: set engines.node to
">=22.13.0" (or ">=24.0.0" if you prefer upgrading to 24+), update .nvmrc and CI
workflow node-version to match that same minimum, and upgrade `@types/jsdom` to a
release that supports jsdom 29 (remove the old `@types/jsdom`@^21.1.7 entry and
replace it with the proper types package/version for jsdom v29), then run a full
TypeScript build with declaration: true to verify no type/declaration breakages
and fix any typing errors exposed by the new types.

…pdates

Bumps the npm_and_yarn group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [webpack](https://github.com/webpack/webpack) | `5.102.1` | `5.108.4` |
| [webpack-dev-server](https://github.com/webpack/webpack-dev-server) | `4.15.2` | `5.2.5` |
| [@tootallnate/once](https://github.com/TooTallNate/once) | `2.0.0` | `removed` |
| [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.3` |
| [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` |
| [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.15.11` | `1.16.0` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.3.0` |
| [postcss](https://github.com/postcss/postcss) | `8.5.8` | `8.5.16` |
| [protocol-buffers-schema](https://github.com/mafintosh/protocol-buffers-schema) | `3.6.0` | `3.6.1` |
| [shell-quote](https://github.com/ljharb/shell-quote) | `1.8.3` | `1.9.0` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `8.0.2` | `8.1.3` |



Updates `webpack` from 5.102.1 to 5.108.4
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.102.1...v5.108.4)

Updates `webpack-dev-server` from 4.15.2 to 5.2.5
- [Release notes](https://github.com/webpack/webpack-dev-server/releases)
- [Changelog](https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack-dev-server@v4.15.2...v5.2.5)

Removes `@tootallnate/once`

Updates `fast-uri` from 3.1.0 to 3.1.3
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.3)

Updates `flatted` from 3.3.3 to 3.4.2
- [Commits](WebReflection/flatted@v3.3.3...v3.4.2)

Updates `follow-redirects` from 1.15.11 to 1.16.0
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0)

Updates `js-yaml` from 4.1.0 to 4.3.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.3.0)

Updates `postcss` from 8.5.8 to 8.5.16
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.8...8.5.16)

Updates `protocol-buffers-schema` from 3.6.0 to 3.6.1
- [Commits](mafintosh/protocol-buffers-schema@v3.6.0...v3.6.1)

Updates `qs` from 6.13.0 to 6.15.3
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.13.0...v6.15.3)

Updates `shell-quote` from 1.8.3 to 1.9.0
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.8.3...v1.9.0)

Updates `vite` from 8.0.2 to 8.1.3
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.1.3/packages/vite)

---
updated-dependencies:
- dependency-name: "@tootallnate/once"
  dependency-version:
  dependency-type: indirect
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: indirect
- dependency-name: postcss
  dependency-version: 8.5.15
  dependency-type: indirect
- dependency-name: protocol-buffers-schema
  dependency-version: 3.6.1
  dependency-type: indirect
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: indirect
- dependency-name: shell-quote
  dependency-version: 1.8.4
  dependency-type: indirect
- dependency-name: vite
  dependency-version: 8.0.16
  dependency-type: indirect
- dependency-name: webpack
  dependency-version: 5.107.2
  dependency-type: direct:development
- dependency-name: webpack-dev-server
  dependency-version: 5.2.4
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump the npm_and_yarn group across 1 directory with 12 updates build(deps): bump the npm_and_yarn group across 1 directory with 12 updates Jul 7, 2026
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-c51fe08926 branch from 52df28c to d1b9d99 Compare July 7, 2026 04:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants