Bump the npm_and_yarn group across 2 directories with 5 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the /skills/qortex-brand/templates/slides directory: esbuild and vite.
Bumps the npm_and_yarn group with 1 update in the /skills/qortex-brand/templates/email directory: mjml.

Updates esbuild from 0.21.5 to 0.27.7

Release notes

Sourced from esbuild's releases.

v0.27.7

• Fix lowering of define semantics for TypeScript parameter properties (#4421)

  The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

  // Original code
  class Foo {
    constructor(public x = 1) {}
    y = 2
  }
  // Old output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  this.x = x;
  __publicField(this, "y", 2);
  }
  x;
  }
  // New output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  __publicField(this, "x", x);
  __publicField(this, "y", 2);
  }
  }

v0.27.5

• Fix for an async generator edge case (#4401, #4417)

  Support for transforming async generators into the equivalent state machine was added in version 0.19.0. However, the generated state machine didn't work correctly when polling async generators concurrently, such as in the following code:

  async function* inner() { yield 1; yield 2 }
  async function* outer() { yield* inner() }
  let gen = outer()
  for await (let x of [gen.next(), gen.next()]) console.log(x)

  Previously esbuild's output of the above code behaved incorrectly when async generators were transformed (such as with --supported:async-generator=false). The transformation should be fixed starting with this release.

  This fix was contributed by @​2767mr.

• Fix a regression when metafile is enabled (#4420, #4418)

  This release fixes a regression introduced by the previous release. When metafile: true was enabled in esbuild's JavaScript API, builds with build errors were incorrectly throwing an error about an empty JSON string instead of an object containing the build errors.

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2024

This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).

0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

... (truncated)

Commits

• 2025c9f publish 0.27.7 to npm
• c6b586e fix typo in Makefile for @esbuild/win32-x64
• 9785e14 publish 0.27.6 to npm
• b169d8c Revert "update go 1.25.7 => 1.26.1"
• 7ac8762 run make update-compat-table
• 8b5ff53 remove an incorrect else
• e955268 fix #4421: lower generated class fields if needed
• a5a2500 ci: move make test-old-ts
• b71e7ac omit go's buildvcs for more reproducible builds
• 7406b09 organize make platform-all output in Makefile
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for esbuild since your current version.

Updates unhead from 1.11.20 to 2.1.15

Release notes

Sourced from unhead's releases.

v2.1.15

No significant changes

    View changes on GitHub

v2.1.14

   🐞 Bug Fixes

• Scope alternate link dedupeKey by href when type is used  -  by @​harlan-zw in unjs/unhead#760 (10846)

    View changes on GitHub

v2.1.13

   🐞 Bug Fixes

• schema-org: Normalize target to array before merging potentialAction  -  by @​harlan-zw and Claude Opus 4.6 (1M context) in unjs/unhead#709 (22ac9)

    View changes on GitHub

v2.1.12

   🐞 Bug Fixes

• Harden prototype pollution  -  by @​harlan-zw (a6ed9)
• Case insensitive attr dedupe  -  by @​harlan-zw (3146b)

    View changes on GitHub

v2.1.11

    ⚠️ Security

• Fixed XSS bypass in useHeadSafe via attribute name injection (GHSA-g5xx-pwrp-g3fv). Users handling untrusted input with useHeadSafe should upgrade immediately.

   🐞 Bug Fixes

• addons,schema-org: Permissive peer dependencies  -  by @​harlan-zw (4c5d1)

    View changes on GitHub

v2.1.10

   🐞 Bug Fixes

• solid-js: Correct peerDependency version  -  by @​tyeporter in unjs/unhead#671 (64e17)

    View changes on GitHub

v2.1.9

   🐞 Bug Fixes

• schema-org: Nuxt test utils compat bug  -  by @​harlan-zw (ef838)

... (truncated)

Commits

• b4817ec chore: release v2.1.15
• db86730 chore(release): use 2x dist-tag instead of v2 (#763)
• 64d8bf4 chore: release v2.1.14
• f7263be chore: publish v2 packages under @​v2 dist-tag (#761)
• 10846b5 fix: scope alternate link dedupeKey by href when type is used (#760)
• 6a16082 chore: release v2.1.13
• 9d2e1f4 Merge commit from fork
• 20a19e0 chore: release v2.1.12
• 3146b90 fix: case insensitive attr dedupe
• a6ed9f9 fix: harden prototype pollution
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for unhead since your current version.

Updates vite from 5.4.21 to 7.3.3

Release notes

Sourced from vite's releases.

v7.3.3

Please refer to CHANGELOG.md for details.

v7.3.2

Please refer to CHANGELOG.md for details.

v7.3.1

Please refer to CHANGELOG.md for details.

v7.3.0

Please refer to CHANGELOG.md for details.

v7.2.7

Please refer to CHANGELOG.md for details.

v7.2.6

Please refer to CHANGELOG.md for details.

v7.2.5

Please refer to CHANGELOG.md for details.

Note: 7.2.5 failed to publish so it is skipped on npm

v7.2.4

Please refer to CHANGELOG.md for details.

v7.2.3

Please refer to CHANGELOG.md for details.

v7.2.2

Please refer to CHANGELOG.md for details.

plugin-legacy@7.2.1

Please refer to CHANGELOG.md for details.

v7.2.1

Please refer to CHANGELOG.md for details.

plugin-legacy@7.2.0

Please refer to CHANGELOG.md for details.

v7.2.0

Please refer to CHANGELOG.md for details.

v7.2.0-beta.1

Please refer to CHANGELOG.md for details.

v7.2.0-beta.0

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

7.3.3 (2026-05-07)

Bug Fixes

• avoid destructure lowering for newer safari (#22346) (5ab51c0)

7.3.2 (2026-04-06)

Bug Fixes

• avoid path traversal with optimize deps sourcemap handler (#22161) (09d8c90)
• backport #22159, apply server.fs check to env transport (#22162) (19db0f2)
• check server.fs after stripping query as well (#22160) (f8103cc)

7.3.1 (2026-01-07)

Features

• add ignoreOutdatedRequests option to optimizeDeps (#21364) (9d39d37)

7.3.0 (2025-12-15)

Features

• deps: update esbuild from ^0.25.0 to ^0.27.0 (#21183) (cff26ec)

7.2.7 (2025-12-08)

Bug Fixes

• plugin shortcut support (#21211) (721f163)

7.2.6 (2025-12-01)

7.2.5 (2025-12-01)

Bug Fixes

• config: handle shebang properly (#21158) (df5a30d)
• deps: update all non-major dependencies (#21146) (a3cd262)
• deps: update all non-major dependencies (#21175) (72e398a)
• fix external: true merging (#21164) (5ef557a)
• shortcuts not rebound after server restart (#21166) (3765f7b)

Performance Improvements

• deps: replace debug with obug (#21137) (203a551)

Documentation

• clarify manifest.json imports field is JS chunks only (#21136) (46d3077)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#21174) (74559c9)

7.2.4 (2025-11-20)

... (truncated)

Commits

• ca31424 release: v7.3.3
• 5ab51c0 fix: avoid destructure lowering for newer safari (#22346)
• cc383e0 release: v7.3.2
• 09d8c90 fix: avoid path traversal with optimize deps sourcemap handler (#22161)
• f8103cc fix: check server.fs after stripping query as well (#22160)
• 19db0f2 fix: backport #22159, apply server.fs check to env transport (#22162)
• 95e8923 release: v7.3.1
• 9d39d37 feat: add ignoreOutdatedRequests option to optimizeDeps (#21364)
• acf7e05 release: v7.3.0
• cff26ec feat(deps): update esbuild from ^0.25.0 to ^0.27.0 (#21183)
• Additional commits viewable in compare view

Updates vite-plugin-static-copy from 1.0.6 to 4.1.0

Release notes

Sourced from vite-plugin-static-copy's releases.

vite-plugin-static-copy@4.1.0

Minor Changes

• #251 7672842 Thanks @​sapphi-red! - Add name property to the rename object form and allow rename functions to return a RenameObject. The name property replaces the file's basename (filename + extension), and can be combined with stripBase to both flatten directory structure and rename the file in one step. Rename functions can now return { name, stripBase } objects instead of only strings, making it easier to declaratively control output paths from dynamic rename logic.

  // node_modules/lib/dist/index.js → vendor/lib.js
  { src: 'node_modules/lib/dist/index.js', dest: 'vendor', rename: { name: 'lib.js', stripBase: true } }
  // src/pages/events/test.html → dist/events/index.html
  { src: 'src/pages/**/*.html', dest: 'dist/', rename: { stripBase: 2, name: 'index.html' } }

vite-plugin-static-copy@4.0.1

Patch Changes

• #249 c6bf44c Thanks @​sapphi-red! - Fix absolute dest paths being nested under the output directory

  When dest was an absolute path and the source file had a directory component (structured output), the path was incorrectly converted to a relative path, causing files to be nested under the build output directory instead of being copied to the specified absolute path.

  { src: 'foo/foo.txt', dest: '/home/user/my-repo/bar' }

  Before: /home/user/my-repo/dist/home/user/my-repo/bar/foo/foo.txt After: /home/user/my-repo/bar/foo/foo.txt

• #247 d3af79e Thanks @​sapphi-red! - Fix rename.stripBase to work correctly with ../ paths

  Previously, stripBase counted .. as directory segments, causing incorrect output paths when copying from parent directories.

  { src: '../../src/pages/**/*.html', dest: 'dist/', rename: { stripBase: 2 } }

  Before: dist/src/pages/events/test.html After: dist/events/test.html

  { src: '../../src/pages/**/*.html', dest: 'dist/', rename: { stripBase: true } }

  Before: dist/src/pages/events/test.html After: dist/test.html

vite-plugin-static-copy@4.0.0

Major Changes

• #235 b2edc86 Thanks @​sapphi-red! - Simplify glob behavior and always preserve directory structure.

... (truncated)

Changelog

Sourced from vite-plugin-static-copy's changelog.

4.1.0

Minor Changes

• #251 7672842 Thanks @​sapphi-red! - Add name property to the rename object form and allow rename functions to return a RenameObject. The name property replaces the file's basename (filename + extension), and can be combined with stripBase to both flatten directory structure and rename the file in one step. Rename functions can now return { name, stripBase } objects instead of only strings, making it easier to declaratively control output paths from dynamic rename logic.

  // node_modules/lib/dist/index.js → vendor/lib.js
  { src: 'node_modules/lib/dist/index.js', dest: 'vendor', rename: { name: 'lib.js', stripBase: true } }
  // src/pages/events/test.html → dist/events/index.html
  { src: 'src/pages/**/*.html', dest: 'dist/', rename: { stripBase: 2, name: 'index.html' } }

4.0.1

Patch Changes

• #249 c6bf44c Thanks @​sapphi-red! - Fix absolute dest paths being nested under the output directory

  When dest was an absolute path and the source file had a directory component (structured output), the path was incorrectly converted to a relative path, causing files to be nested under the build output directory instead of being copied to the specified absolute path.

  { src: 'foo/foo.txt', dest: '/home/user/my-repo/bar' }

  Before: /home/user/my-repo/dist/home/user/my-repo/bar/foo/foo.txt After: /home/user/my-repo/bar/foo/foo.txt

• #247 d3af79e Thanks @​sapphi-red! - Fix rename.stripBase to work correctly with ../ paths

  Previously, stripBase counted .. as directory segments, causing incorrect output paths when copying from parent directories.

  { src: '../../src/pages/**/*.html', dest: 'dist/', rename: { stripBase: 2 } }

  Before: dist/src/pages/events/test.html After: dist/events/test.html

  { src: '../../src/pages/**/*.html', dest: 'dist/', rename: { stripBase: true } }

  Before: dist/src/pages/events/test.html After: dist/test.html

4.0.0

Major Changes

... (truncated)

Commits

• e95cd6e chore: update versions (#253)
• 7672842 feat: add name property to RenameObject and allow RenameFunc to return ...
• 7ae0134 chore: update versions (#248)
• de515fa chore(deps): update dependency typescript to v6 (#245)
• fe392e1 chore(deps): update all non-major dependencies (#244)
• c6bf44c fix: handle absolute path dest correctly (#249)
• 9ca2d6a test: add test case with nested src and rename.stripBase: true (#250)
• d3af79e fix: rename.stripBase with parent relative path (#247)
• 8b3f810 chore: update versions (#236)
• 9766e42 refactor!: drop Node 18, 20, 21, 23 support (#238)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vite-plugin-static-copy since your current version.

Updates mjml from 4.18.0 to 5.0.0

Release notes

Sourced from mjml's releases.

v5.0.0

Upgrade Guide

These are the changes users need to actively consider when upgrading to MJML 5.x.x from MJML 4.x (and early MJML 5 alphas):

Highlights

• Replaced legacy html-minifier and js-beautify with htmlnano + cssnano. [breaking change]
• Added templating syntax sanitization (runs before PostCSS and is restored afterwards)
• Safer, stricter handling of mj-include and ignoreIncludes [breaking change]
• Restructured outer HTML: the <body> tag is now driven by mj-body, not the global skeleton. [breaking change]
• mjml-browser build/minification pipeline updated
• Better attribute consistency across components (including more flexible border-radius). [breaking change]
• Migration helper removed [breaking change]
• Updated toolchain: Node 20/22/24 in CI. Removed Node 16/18 [breaking change]

---

HTML/CSS minification & formatting

What changed

• HTML minification now uses htmlnano instead of html-minifier.
• CSS minification now uses cssnano presets wired via mjml-core.
• Minification options can be added via .mjmlconfig.js

Impact [potential breaking changes]

• Generated HTML is more aggressively minified. If you rely on exact formatting (e.g. diffing raw HTML, parsing by regex, or checking snapshots), you may see changes.
• Some obscure html-minifier specific options used in custom tooling will no longer apply; options are now expressed as htmlnano/cssnano configs.
• Template tags may error in PostCSS (see Template syntax handling and sanitization below)
• Fixes this issue: mjmlio/mjml#2589

What to do

• Review any automation that assumes pretty‑printed HTML (tests, diffs, CI snapshot comparisons).
• If you previously passed minify/beautify flags or custom minifier options, re‑map them to the new htmlnano/cssnano config.

Notes

• cssnano uses lite preset by default. Due to this issue: mjmlio/mjml#2919. default preset can be used if your fonts don’t contain numerals

More detail: (mjmlio/mjml#2858)

---

Template syntax handling and sanitization (PostCSS)

What changed

• Template syntax (e.g. {{ }}) is now sanitized before PostCSS and with syntax restored post-processing.

Impact

• A CssSyntaxError error will occur when applying CSS minification to files with some template syntax
• Fixes this issue: mjmlio/mjml#2858

... (truncated)

Commits

• ddb2335 v5.0.0
• 9aac8c6 v5.0.0-beta.2
• 1dfbc95 v5.0.0-beta.1
• 65e81da v5.0.0-alpha.11
• 74f3577 Merge pull request #3045 from mjmlio/bugfix/3018-mjml5-ignoreIncludes-allowIn...
• b8e6a60 Merge pull request #3044 from mjmlio/bugfix/attributes-adding-updating-for-co...
• 2eb56d7 feature(includes): implemented tighter controls
• 591fd1e bugfix(ignoreIncludes): updated test files
• 6b22a67 feature(ignoreIncludes): added option for includePath
• 9b7991f bugfix(border-radius): accept string input
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.