Skip to content

chore(deps): bump neotraverse from 0.6.18 to 1.0.1#4230

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/neotraverse-1.0.1
Open

chore(deps): bump neotraverse from 0.6.18 to 1.0.1#4230
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/neotraverse-1.0.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 17, 2026

Copy link
Copy Markdown
Contributor

Bumps neotraverse from 0.6.18 to 1.0.1.

Release notes

Sourced from neotraverse's releases.

neotraverse@1.0.1

Patch Changes

  • 90e854d: Add /safe to readme

neotraverse@1.0.0

Major Changes

  • 7f7d18a: # 1.0 — the functional API is now the default

    neotraverse 1.0 makes the tree-shakeable functional API the main export and demotes the class-based API to a thin, deprecated, opt-in import. The functions, their behaviour, the security hardening, and the performance work from 0.7 are unchanged — the entry points moved.

    ⚠️ Breaking changes

    0.7 1.0
    import traverse from 'neotraverse' (classic default) import traverse from 'neotraverse/legacy'
    import { Traverse } from 'neotraverse' import { Traverse } from 'neotraverse/modern'
    import { map, clone, … } from 'neotraverse/modern' import { map, clone, … } from 'neotraverse'
    • The root export (neotraverse) is now functional-onlymap, clone, merge, diff, get/set, walk, sanitize, and the rest of the helpers, plus the TraverseOptions / TraverseContext / TraverseNodeType types. No default export, no Traverse class.
    • neotraverse/modern now exports ONLY the deprecated Traverse class (and the TraverseContext / TraverseOptions types its signatures use). The functional helpers it used to re-export move to the root. The class is also trimmed to the same method set as the legacy Traverse (get/has/set/map/forEach/reduce/paths/nodes/clone) — a deprecated API should not gain new powers. It will be removed in v2.
    • neotraverse/legacy is unchanged: the classic traverse-compatible drop-in (ES2015, CJS + ESM). require('neotraverse') (CommonJS) still resolves here. The legacy build intentionally will not receive the modern security/performance work — it stays byte-for-byte behaviour-compatible with the original traverse.
    • No more minified build. The package ships unminified ESM only; consumers minify in their own bundler. The export map is simpler as a result (no production/development conditions, no dist/min).

    Internal

    • The functional implementation is split across small modules at the package root (utils/clone/context/path/ops) instead of one large file; the legacy build lives under src/legacy/. dist/modern.js reuses the root build's shared chunk instead of re-bundling the functional API. No change to what consumers import.

Minor Changes

  • 7f7d18a: # neotraverse/safe: a stack-safe, memory-bounded traversal core

    A new opt-in entry point, neotraverse/safe. It is a companion to the default functional API (not a replacement), for input that is deep, untrusted, huge, or only partially consumed.

    The default neotraverse walk is recursive, which is why it is fast, but a recursive walker overflows the call stack on deep enough input. neotraverse/safe runs on an iterative engine, so it traverses arbitrarily deep trees that crash a recursive walker. Measured: the default overflows past ~2,000 levels; /safe handles 200,000+. It is also lazy and copy-on-write.

    What it ships (twelve exports)

    • visit: a lazy iterator of Visit records that composes with native ES2025 iterator helpers (.filter / .map / .find / .take / .toArray, Map.groupBy, for-of + break), prunes with v.skip(), and matches a glob pattern.
    • transform / transformAsync: copy-on-write rewriting. Untouched subtrees are shared with the input, and transform(x, () => {}) === x. Edits are branded commands (replace / remove / skip / stop) returned from a destructurable edit factory, including a pattern-keyed rules record form.
    • get / set / has: one path family (dot string, JSON Pointer, or key array), template-literal typed, with copy-on-write set.
    • clone / equal / merge / diff / patch / resolveRefs: structural ops. merge adds array strategies (concat / union / by) and per-pattern at overrides.

    The honest trade-off

    /safe is not a universal upgrade. On a full eager scan it runs at roughly 0.8x the default (still about 4x faster than the original traverse), and materializing a whole tree costs a little more memory. It wins on stack safety, on early-exit and streaming memory (about 6x less on a filter then take chain), and on copy-on-write edits.

    Requires Node 22+ or evergreen browsers (it uses native ES2025 iterator helpers). See the guide: https://neotraverse.puruvj.dev/guide/safe

Changelog

Sourced from neotraverse's changelog.

1.0.1

Patch Changes

  • 90e854d: Add /safe to readme

1.0.0

Major Changes

  • 7f7d18a: # 1.0 — the functional API is now the default

    neotraverse 1.0 makes the tree-shakeable functional API the main export and demotes the class-based API to a thin, deprecated, opt-in import. The functions, their behaviour, the security hardening, and the performance work from 0.7 are unchanged — the entry points moved.

    ⚠️ Breaking changes

    0.7 1.0
    import traverse from 'neotraverse' (classic default) import traverse from 'neotraverse/legacy'
    import { Traverse } from 'neotraverse' import { Traverse } from 'neotraverse/modern'
    import { map, clone, … } from 'neotraverse/modern' import { map, clone, … } from 'neotraverse'
    • The root export (neotraverse) is now functional-onlymap, clone, merge, diff, get/set, walk, sanitize, and the rest of the helpers, plus the TraverseOptions / TraverseContext / TraverseNodeType types. No default export, no Traverse class.
    • neotraverse/modern now exports ONLY the deprecated Traverse class (and the TraverseContext / TraverseOptions types its signatures use). The functional helpers it used to re-export move to the root. The class is also trimmed to the same method set as the legacy Traverse (get/has/set/map/forEach/reduce/paths/nodes/clone) — a deprecated API should not gain new powers. It will be removed in v2.
    • neotraverse/legacy is unchanged: the classic traverse-compatible drop-in (ES2015, CJS + ESM). require('neotraverse') (CommonJS) still resolves here. The legacy build intentionally will not receive the modern security/performance work — it stays byte-for-byte behaviour-compatible with the original traverse.
    • No more minified build. The package ships unminified ESM only; consumers minify in their own bundler. The export map is simpler as a result (no production/development conditions, no dist/min).

    Internal

    • The functional implementation is split across small modules at the package root (utils/clone/context/path/ops) instead of one large file; the legacy build lives under src/legacy/. dist/modern.js reuses the root build's shared chunk instead of re-bundling the functional API. No change to what consumers import.

Minor Changes

  • 7f7d18a: # neotraverse/safe: a stack-safe, memory-bounded traversal core

    A new opt-in entry point, neotraverse/safe. It is a companion to the default functional API (not a replacement), for input that is deep, untrusted, huge, or only partially consumed.

    The default neotraverse walk is recursive, which is why it is fast, but a recursive walker overflows the call stack on deep enough input. neotraverse/safe runs on an iterative engine, so it traverses arbitrarily deep trees that crash a recursive walker. Measured: the default overflows past ~2,000 levels; /safe handles 200,000+. It is also lazy and copy-on-write.

    What it ships (twelve exports)

    • visit: a lazy iterator of Visit records that composes with native ES2025 iterator helpers (.filter / .map / .find / .take / .toArray, Map.groupBy, for-of + break), prunes with v.skip(), and matches a glob pattern.
    • transform / transformAsync: copy-on-write rewriting. Untouched subtrees are shared with the input, and transform(x, () => {}) === x. Edits are branded commands (replace / remove / skip / stop) returned from a destructurable edit factory, including a pattern-keyed rules record form.
    • get / set / has: one path family (dot string, JSON Pointer, or key array), template-literal typed, with copy-on-write set.
    • clone / equal / merge / diff / patch / resolveRefs: structural ops. merge adds array strategies (concat / union / by) and per-pattern at overrides.

    The honest trade-off

    /safe is not a universal upgrade. On a full eager scan it runs at roughly 0.8x the default (still about 4x faster than the original traverse), and materializing a whole tree costs a little more memory. It wins on stack safety, on early-exit and streaming memory (about 6x less on a filter then take chain), and on copy-on-write edits.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for neotraverse since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [neotraverse](https://github.com/PuruVJ/neotraverse/tree/HEAD/packages/neotraverse) from 0.6.18 to 1.0.1.
- [Release notes](https://github.com/PuruVJ/neotraverse/releases)
- [Changelog](https://github.com/PuruVJ/neotraverse/blob/main/packages/neotraverse/CHANGELOG.md)
- [Commits](https://github.com/PuruVJ/neotraverse/commits/neotraverse@1.0.1/packages/neotraverse)

---
updated-dependencies:
- dependency-name: neotraverse
  dependency-version: 1.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants