chore(deps): bump the npm-major group across 1 directory with 4 updates

[dependabot]

Bumps the npm-major group with 4 updates in the / directory: @commitlint/cli, @commitlint/config-conventional, @release-it/conventional-changelog and release-it.

Updates @commitlint/cli from 20.5.3 to 21.0.0

Release notes

Sourced from @​commitlint/cli's releases.

v21.0.0

Heads-up: --legacy-output is a transitional escape hatch. It will be removed in a future major release. Plan to migrate your parsers / snapshots to the new format during the v21 lifecycle.

21.0.0 (2026-05-08)

Breaking

• chore!: minimum node version v22 by @​escapedcat in #4679
• feat!: show input from a new line by @​knocte in #4727 (adds --legacy-output flag)

Fixes

• fix: widen cz-commitlint inquirer peer dep to support v9–v12 by @​escapedcat in #4682 — closes #4554

Internals (Node 22 cleanup)

• chore: replace dependencies with Node 22 built-ins by @​escapedcat in #4681 — drops glob, fast-glob, import-meta-resolve, minimist, fs-extra
• refactor: replace read-pkg with native fs.readFile + JSON.parse by @​escapedcat in #4742
• chore: update dependency yargs to v18 by @​escapedcat in #4686
• chore: remove cross-env, move env vars to vitest config by @​escapedcat in #4684

Dependency updates

• chore: update dependency @​types/node to v22.19.17 by @​renovate[bot] in #4739
• chore: update dependency @​swc/core to v1.15.33 by @​renovate[bot] in #4743

Full Changelog: conventional-changelog/commitlint@v20.5.3...v21.0.0

Changelog

Sourced from @​commitlint/cli's changelog.

21.0.0 (2026-05-08)

• chore!: minimum node version v22 (#4679) (ac2b3f4), closes #4679

BREAKING CHANGES

• drop node v18 and v20 support

• Bump engines to >=v22 in all 39 package.json files
• Update @​types/node to ^22.0.0
• Update CI matrix to [22, 24]
• Update Ubuntu baseline job to ubuntu:26.04
• Update Dockerfile.ci, .mise.toml, .codesandbox/ci.json
• Update pre-commit hook to use --ignore-engines
• Update README and docs

Co-authored-by: Claude Opus 4.6 (1M context) noreply@anthropic.com

Commits

• f081a8e v21.0.0
• 40d7e36 feat!: show input from a new line (#4727)
• 44c3174 chore: update dependency yargs to v18 #4432 (#4686)
• ac01464 chore: replace dependencies with Node 22 built-ins (#4681)
• ac2b3f4 chore!: minimum node version v22 (#4679)
• See full diff in compare view

Updates @commitlint/config-conventional from 20.5.3 to 21.0.0

Release notes

Sourced from @​commitlint/config-conventional's releases.

v21.0.0

Heads-up: --legacy-output is a transitional escape hatch. It will be removed in a future major release. Plan to migrate your parsers / snapshots to the new format during the v21 lifecycle.

21.0.0 (2026-05-08)

Breaking

• chore!: minimum node version v22 by @​escapedcat in #4679
• feat!: show input from a new line by @​knocte in #4727 (adds --legacy-output flag)

Fixes

• fix: widen cz-commitlint inquirer peer dep to support v9–v12 by @​escapedcat in #4682 — closes #4554

Internals (Node 22 cleanup)

• chore: replace dependencies with Node 22 built-ins by @​escapedcat in #4681 — drops glob, fast-glob, import-meta-resolve, minimist, fs-extra
• refactor: replace read-pkg with native fs.readFile + JSON.parse by @​escapedcat in #4742
• chore: update dependency yargs to v18 by @​escapedcat in #4686
• chore: remove cross-env, move env vars to vitest config by @​escapedcat in #4684

Dependency updates

• chore: update dependency @​types/node to v22.19.17 by @​renovate[bot] in #4739
• chore: update dependency @​swc/core to v1.15.33 by @​renovate[bot] in #4743

Full Changelog: conventional-changelog/commitlint@v20.5.3...v21.0.0

Changelog

Sourced from @​commitlint/config-conventional's changelog.

21.0.0 (2026-05-08)

• chore!: minimum node version v22 (#4679) (ac2b3f4), closes #4679

BREAKING CHANGES

• drop node v18 and v20 support

• Bump engines to >=v22 in all 39 package.json files
• Update @​types/node to ^22.0.0
• Update CI matrix to [22, 24]
• Update Ubuntu baseline job to ubuntu:26.04
• Update Dockerfile.ci, .mise.toml, .codesandbox/ci.json
• Update pre-commit hook to use --ignore-engines
• Update README and docs

Co-authored-by: Claude Opus 4.6 (1M context) noreply@anthropic.com

Commits

• f081a8e v21.0.0
• 44c3174 chore: update dependency yargs to v18 #4432 (#4686)
• ac2b3f4 chore!: minimum node version v22 (#4679)
• See full diff in compare view

Updates @release-it/conventional-changelog from 10.0.6 to 11.0.0

Release notes

Sourced from @​release-it/conventional-changelog's releases.

Release 11.0.0

• Fix repository.url (23d3d9cd50fdb4475b8736273a776541833862c0)
• docs: fix broken links and remove outdated override warning (#138) (344bad3bf2f90618a86d3e38883a5d5eff12aaf1) - thanks @​aarondpn!
• fix: support release-it 20 (#142) (043242693e5c88244a25fbcf0dceafcbf955588f) - thanks @​twk3!
• Update dependencies & bump engines.node (1b746e6b5a26335cf01c314074dcf7e291c260a0)

Commits

• 981e7b0 Release 11.0.0
• 1b746e6 Update dependencies & bump engines.node
• 0432426 fix: support release-it 20 (#142)
• 344bad3 docs: fix broken links and remove outdated override warning (#138)
• 23d3d9c Fix repository.url
• See full diff in compare view

Updates release-it from 19.2.4 to 20.0.1

Release notes

Sourced from release-it's releases.

Release 20.0.1

• fix: allow false as npm config value in types (#1289) (f783e825944cf8114305606116ca61542f0031c6) - thanks @​ahippler!
• Bump actions/checkout from 5 to 6 (#1262) (19921fc2429b314912a139f66ed43ca12475ffd3) - thanks @​dependabot[bot]!
• fix: Replace @​nodeutils/defaults-deep with defu for deep-default merging (#1297) (8616a216ccf2be474732b1aefbe47dce0e6b4eb0) - thanks @​rajnsunny!
• Update dependencies (bee31380a2bbdda7aeaffe7658a3900290a1a181)

Release 20.0.0

• fix: remove leading slashes from owner (#1288) (5585b720e9389fa857ba50f86161245ccb3b9589) - thanks @​driiftkiing!
• Fix write: false guard in npm.bump (resolve #1267) (a2d1b99bfe52fff1b6768f904cae5c4aaa78cfb1)
• Format (f427a85758999073a5ea4f666c6ddb4cd5586d61)

Release 20.0.0-1

• Fix test (56cae4cd441e00a58d3d91fbc15b1503d423a775)
• Update changelog & docs for v20 (509e50b043003f8adf3f347af949819e2954b639)
• Improve guessPreReleaseTag → getRegistryDistTags (a62509e6c7374e3d6898b17ae9ec8c365296fe64)

Release 20.0.0-0

• fix: upgrade undici from 6.23.0 to 7.24.3 to resolve security vulnerabilities (#1285) (cd100eb1368d084f5892a9a2bbad0c14d511125e) - thanks @​nbouvrette!
• Fix Logger.info() on Node.js 25 (#1284) (dcc0b43fc6bb693b3ec176cd8d77bbb40f454164) - thanks @​bidord!
• Update proxy-agent to fix DEP0169 (#1287) (c660ef5f34536988abd203807f53ec3ea5c1c742) - thanks @​risantos!
• Update dependencies (9dc313e29e617af912ace05a5aaa5cc34fdf35a3)
• Fix lint issues (a0522ff8777fc6877bf03f5f441e33561c9dc25b)
• Bump engines.node (5654b9badae6dd08a3d654772d2f280f6b1d84c3)
• Don't roll back if isReleased is set (resolve #1281) (f2a31231f587cb4809415f4eae81a99617177341)
• Fix if not running test using npm (332f40536ec32bbd816f9872bb89bc864ee66136)
• Migrate to @​inquirer/prompts (resolve #1260) (6c21e95c9188e88d41bb30840672cbd5fe99f5b6)
• Pop it (c90c4c97e11da8f90b398f045e5337f8ec5e0439)

Changelog

Sourced from release-it's changelog.

Changelog

This document lists breaking changes for each major release.

See the GitHub Releases page for detailed changelogs: [https://github.com/release-it/release-it/releases][1]

v20 (2026-03-24)

• Upgraded undici from v6 to v7 to resolve security vulnerabilities.
• Upgraded proxy-agent from v6 to v7 to fix DEP0169 (url.parse() deprecation).
• Migrated from deprecated inquirer to @inquirer/prompts.
• Bumped engines.node to minimum Node.js v20.19.0 (was v20.12.0).

v19 (2025-04-18)

• No breaking changes (dependency party)

v18 (2025-01-06)

• Removed support for Node.js v18.

v17 (2023-11-11)

• Removed support for Node.js v16.

v16 (2023-07-05)

• Removed support for Node.js v14.

v15 (2022-04-30)

• Removed support for Node.js v10 and v12.
• Removed support for GitLab v12.4 and lower.
• Removed anonymous metrics (and the option to disable it).
• Programmatic usage and plugins only through ES Module syntax (import)

Use release-it v14 in legacy environments.

v14 (2020-09-03)

• Removed global property from plugins. Use this.config[key] instead.
• Removed deprecated npm.access option. Set this in package.json instead.

v13 (2020-03-07)

• Dropped support for Node v8
• Dropped support for GitLab v11.6 and lower.
• Deprecated scripts are removed (in favor of [hooks][2]).
• Removed deprecated --non-interactive (-n) argument. Use --ci instead.
• Removed old %s and [REV_RANGE] syntax in command substitutions. Use ${version} and ${latestTag} instead.

... (truncated)

Commits

• 55701a0 Release 20.0.1
• bee3138 Update dependencies
• 8616a21 fix: Replace @​nodeutils/defaults-deep with defu for deep-default merging (#1297)
• 19921fc Bump actions/checkout from 5 to 6 (#1262)
• f783e82 fix: allow false as npm config value in types (#1289)
• c03780d Release 20.0.0
• f427a85 Format
• a2d1b99 Fix write: false guard in npm.bump (resolve #1267)
• 5585b72 fix: remove leading slashes from owner (#1288)
• 5a36283 Release 20.0.0-1
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: automated, dependencies, npm. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

🚀 Release Preview

📦 Version Update

Current: 1.0.1 → New: 1.1.0

📋 Changelog

1.1.0 (2026-05-17)

Features

• core: PhaseResult + ScanResult.partial_failure for multi-phase scanners (f0bc4b2), closes #169 #170 #169 #170

Bug Fixes

• cache: distinguish "not cached" from "empty mount" in cache info (#168-M) (d13e592), closes #168-M
• clamav: drop clamav from CACHE_MOUNTS, refine cache-info note (#168-N, #168-M) (180c72c), closes #168-N #168-M
• clamav: redirect freshclam db to /tmp so it can write (#168-N) (05366bc), closes #168-N #168-M
• classify: exit non-zero when git diff itself fails (#168-J) (811daa2), closes #168-J
• cli: correct surface inconsistencies and silence --quiet (issue #168-D) (d7408b6), closes #168-D
• collect: skip per-run timestamp dirs and the latest symlink (#168-L) (e2aa06b), closes #168-L
• docsite: TUI screenshots, nav titles + grouping, orphan pages, regen on bump (#167) (ce1d580)
• engine: cache permanent pull failures so inline retry skips (#168-H followup) (67e1025), closes #168-H
• engine: categorize container-pull failures, skip retry on permanent errors (2d199ce)
• lint-terraform: per-phase PhaseResult, fail loudly when a phase can't run (#169) (c2ae9b3)
• mcp: advertise argus version on initialize (#168-O) (40e6ddd), closes #168-O
• release: derive schema version from version, widen bumper rules for docs (2719900), closes #168-A #167-3 #168 #167
• reporters: de-dup GitLab CC descriptions, JUnit type uses rule id (#168-G) (b76cbd9), closes #168-G #168-G
• reporters: fall back to built-in modules without entry-points (#172) (5c9cc6b)
• report: follow argus-results/latest symlink when -r not specified (#168-K) (d6486de), closes #168-K
• reporting: emit Info row in markdown + --output-vars, sync validator with registry (51757d8), closes #168-E #168-F
• scanners: container surfaces partial-failure when no source configured (#170) (9605356), closes #169
• scanners: precondition errors don't trigger fallback dance (#168-I) (d834c9a), closes #168-I #168-I
• security: flip keep_raw default off, exclude argus-results from scans (92edff5), closes #168
• view: add --path flag as argparse-safe escape hatch (#168-D5) (512f954), closes #168-D5

Dependencies

• deps: bump the npm-major group across 1 directory with 4 updates (bb14329)

Tests

• cover partial-failure paths in models, reporters, and lint-terraform (f902e83), closes #173

Continuous Integration

• gate push-main workflows against chore(release): commits (84bcbd4)

🔍 Version Reference Coverage

✅ Version refs found: 330 across 114 files

All covered by release-it config.

✅ Actions that would be performed

• 📝 Update CHANGELOG.md with new entries
• 🏷️ Create git tag 1.1.0
• 📤 Push changes and tag to repository
• 📦 Create GitHub release

---

This preview is generated by running release-it --dry-run

---

Last updated: 5/17/2026, 3:52:16 PM | Commit: 2cdaee2 | View Run

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!