Skip to content

Bump the npm_and_yarn group across 19 directories with 15 updates#27

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-72bf477b14
Closed

Bump the npm_and_yarn group across 19 directories with 15 updates#27
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-72bf477b14

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 21, 2026

Copy link
Copy Markdown

Bumps the npm_and_yarn group with 9 updates in the / directory:

Package From To
undici 6.20.1 6.24.0
electron 32.2.1 39.8.5
postcss 8.4.38 8.5.10
@tootallnate/once 3.0.0 3.0.1
brace-expansion 1.1.11 2.1.0
flatted 3.3.1 3.4.2
ip-address 9.0.5 10.2.0
lodash 4.17.21 4.18.1
picomatch 2.3.1 2.3.2

Bumps the npm_and_yarn group with 5 updates in the /build directory:

Package From To
brace-expansion 1.1.11 1.1.14
brace-expansion 2.0.1 2.1.0
lodash 4.17.21 4.18.1
picomatch 2.3.0 2.3.2
@xmldom/xmldom 0.8.10 0.8.13
fast-xml-parser 4.5.0 5.8.0

Bumps the npm_and_yarn group with 2 updates in the /build/npm/gyp directory: brace-expansion and tar.
Bumps the npm_and_yarn group with 1 update in the /extensions directory: picomatch.
Bumps the npm_and_yarn group with 1 update in the /extensions/css-language-features directory: brace-expansion.
Bumps the npm_and_yarn group with 2 updates in the /extensions/git directory: picomatch and @nevware21/ts-utils.
Bumps the npm_and_yarn group with 1 update in the /extensions/github directory: @nevware21/ts-utils.
Bumps the npm_and_yarn group with 1 update in the /extensions/github-authentication directory: @nevware21/ts-utils.
Bumps the npm_and_yarn group with 2 updates in the /extensions/html-language-features directory: brace-expansion and @nevware21/ts-utils.
Bumps the npm_and_yarn group with 2 updates in the /extensions/json-language-features directory: brace-expansion and @nevware21/ts-utils.
Bumps the npm_and_yarn group with 4 updates in the /extensions/markdown-language-features directory: brace-expansion, picomatch, @nevware21/ts-utils and dompurify.
Bumps the npm_and_yarn group with 1 update in the /extensions/media-preview directory: @nevware21/ts-utils.
Bumps the npm_and_yarn group with 1 update in the /extensions/merge-conflict directory: @nevware21/ts-utils.
Bumps the npm_and_yarn group with 1 update in the /extensions/microsoft-authentication directory: @nevware21/ts-utils.
Bumps the npm_and_yarn group with 2 updates in the /extensions/npm directory: brace-expansion and picomatch.
Bumps the npm_and_yarn group with 1 update in the /extensions/simple-browser directory: @nevware21/ts-utils.
Bumps the npm_and_yarn group with 1 update in the /extensions/typescript-language-features directory: @nevware21/ts-utils.
Bumps the npm_and_yarn group with 1 update in the /extensions/vscode-api-tests directory: node-forge.
Bumps the npm_and_yarn group with 4 updates in the /remote directory: undici, @tootallnate/once, ip-address and picomatch.

Updates undici from 6.20.1 to 6.24.0

Release notes

Sourced from undici's releases.

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

Not applicable to v6

Affected and patched ranges (v6)

References

v6.23.0

⚠️ Security Release

... (truncated)

Commits
  • 8873c94 Bumped v6.24.0
  • 411bd01 test(websocket): use node:assert for Node 18 compatibility
  • 844bf59 test: fix http2 lint regressions in backport
  • a444e4f test: stabilize h2 and tls-cert-leak under current test runner
  • dc032a1 fix: h2 CI (#4395)
  • 4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
  • 7df6442 fix: adapt websocket frame-limit handling for v6 parser
  • 4e0179a fix: reject duplicate content-length and host headers
  • 5a97f08 Fix websocket 64-bit length overflow
  • e43e898 fix: validate upgrade header to prevent CRLF injection
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for undici since your current version.


Updates electron from 32.2.1 to 39.8.5

Release notes

Sourced from electron's releases.

electron v39.8.5

Release Notes for v39.8.5

Fixes

  • Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #50493 (Also in 40, 41, 42)
  • Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #50499 (Also in 40, 41, 42)

electron v39.8.4

Release Notes for v39.8.4

Fixes

  • Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #50468 (Also in 38, 40, 41)
  • Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #50400 (Also in 40, 41, 42)
  • Fixed improper focus tracking in BaseWindow on MacOS. #50338 (Also in 40, 41, 42)
  • Fixed window freeze when failing to enter/exit fullscreen on macOS. #50341 (Also in 40, 41, 42)

Other Changes

  • Added support for using a proxy during yarn install. #50349 (Also in 40, 41, 42)
  • Backported fix for 485935305. #50440
  • Backported fix for 489381399. #50443
  • Backported fix for chromium:475877320. #50436
  • Backported fixes for 484751092, 487117772. #50461

electron v39.8.3

Release Notes for v39.8.3

Fixes

  • Added additional ASAR support to additional fs copy methods. #50284 (Also in 40, 41, 42)
  • Fixed user resizing of transparent windows on win32 platform. #50300 (Also in 40, 41, 42)

electron v39.8.2

Release Notes for v39.8.2

Other Changes

  • Backported fix for b/491421267. #50230

electron v39.8.1

Release Notes for v39.8.1

Fixes

  • Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #50156 (Also in 38, 40, 41)
  • Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #50215 (Also in 40, 41)
  • Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #50136 (Also in 40, 41)
  • Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #50174 (Also in 38, 40, 41)
  • Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #50106 (Also in 40, 41)

... (truncated)

Commits
  • 9d2f8cb refactor: remove dead named-window lookup from guest-window-manager (#50498)
  • 1173004 fix: crash calling OSR shared texture release() after texture GC'd (#50499)
  • be37ade fix: crash in clipboard.readImage() on malformed image data (#50493)
  • 7007907 chore: cherry-pick 3 changes from chromium (#50461)
  • 2c8b6ee chore: cherry-pick fbfb27470bf6 from chromium (#50436)
  • 4c64377 chore: cherry-pick 50b057660b4d from chromium (#50440)
  • 0ef0561 fix: read nodeIntegrationInWorker from per-frame WebPreferences (#50122) (#50...
  • 64373df chore: cherry-pick 074d472db745 from chromium (#50443)
  • 13e4407 fix: don't re-parse URL unnecessarily when handling dialogs (#50400)
  • 16a0385 ci: output build cache hit rate as GHA annotation (#50369)
  • Additional commits viewable in compare view

Updates postcss from 8.4.38 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

  • Fixed package.jsonexports compatibility with some tools (by @​JounQin).

8.5.4

8.5.3

8.5.2

8.5.1

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@​romainmenke during his work on Stylelint added Input#document in additional to Input#css.

root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"
</tr></table>

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

  • Fixed package.jsonexports compatibility with some tools (by @​JounQin).

8.5.4

8.5.3

8.5.2

8.5.1

8.5 “Duke Alloces”

  • Added Input#document for sources like CSS-in-JS or HTML (by @​romainmenke).

8.4.49

... (truncated)

Commits

Updates @tootallnate/once from 3.0.0 to 3.0.1

Release notes

Sourced from @​tootallnate/once's releases.

v3.0.1

Patch Changes

  • 28dbc5d: Fix promise hang when AbortSignal is aborted
Changelog

Sourced from @​tootallnate/once's changelog.

3.0.1

Patch Changes

  • 28dbc5d: Fix promise hang when AbortSignal is aborted
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tootallnate/once since your current version.


Updates brace-expansion from 1.1.11 to 2.1.0

Release notes

Sourced from brace-expansion's releases.

v2.0.2

  • pkg: publish on tag 2.x 14f1d91
  • fmt ed7780a
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

juliangruber/brace-expansion@v2.0.1...v2.0.2

v1.1.12

  • pkg: publish on tag 1.x c460dbd
  • fmt ccb8ac6
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

Updates flatted from 3.3.1 to 3.4.2

Commits
  • 3bf0909 3.4.2
  • 885ddcc fix CWE-1321
  • 0bdba70 added flatted-view to the benchmark
  • 2a02dce 3.4.1
  • fba4e8f Merge pull request #89 from WebReflection/python-fix
  • 5fe8648 added "when in Rome" also a test for PHP
  • 53517ad some minor improvement
  • b3e2a0c Fixing recursion issue in Python too
  • c4b46db Add SECURITY.md for security policy and reporting
  • f86d071 Create dependabot.yml for version updates
  • Additional commits viewable in compare view

Updates ip-address from 9.0.5 to 10.2.0

Commits

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

... (truncated)

Commits

Updates brace-expansion from 1.1.11 to 1.1.14

Release notes

Sourced from brace-expansion's releases.

v2.0.2

  • pkg: publish on tag 2.x 14f1d91
  • fmt ed7780a
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

juliangruber/brace-expansion@v2.0.1...v2.0.2

v1.1.12

  • pkg: publish on tag 1.x c460dbd
  • fmt ccb8ac6
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

Updates brace-expansion from 2.0.1 to 2.1.0

Release notes

Sourced from brace-expansion's releases.

v2.0.2

  • pkg: publish on tag 2.x 14f1d91
  • fmt ed7780a
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

juliangruber/brace-expansion@v2.0.1...v2.0.2

v1.1.12

  • pkg: publish on tag 1.x c460dbd
  • fmt ccb8ac6
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates picomatch from 2.3.0 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.Description has been truncated

Bumps the npm_and_yarn group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [undici](https://github.com/nodejs/undici) | `6.20.1` | `6.24.0` |
| [electron](https://github.com/electron/electron) | `32.2.1` | `39.8.5` |
| [postcss](https://github.com/postcss/postcss) | `8.4.38` | `8.5.10` |
| [@tootallnate/once](https://github.com/TooTallNate/once) | `3.0.0` | `3.0.1` |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.11` | `2.1.0` |
| [flatted](https://github.com/WebReflection/flatted) | `3.3.1` | `3.4.2` |
| [ip-address](https://github.com/beaugunderson/ip-address) | `9.0.5` | `10.2.0` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` |
| [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` |

Bumps the npm_and_yarn group with 5 updates in the /build directory:

| Package | From | To |
| --- | --- | --- |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.11` | `1.1.14` |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) | `2.0.1` | `2.1.0` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` |
| [picomatch](https://github.com/micromatch/picomatch) | `2.3.0` | `2.3.2` |
| [@xmldom/xmldom](https://github.com/xmldom/xmldom) | `0.8.10` | `0.8.13` |
| [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) | `4.5.0` | `5.8.0` |

Bumps the npm_and_yarn group with 2 updates in the /build/npm/gyp directory: [brace-expansion](https://github.com/juliangruber/brace-expansion) and [tar](https://github.com/isaacs/node-tar).
Bumps the npm_and_yarn group with 1 update in the /extensions directory: [picomatch](https://github.com/micromatch/picomatch).
Bumps the npm_and_yarn group with 1 update in the /extensions/css-language-features directory: [brace-expansion](https://github.com/juliangruber/brace-expansion).
Bumps the npm_and_yarn group with 2 updates in the /extensions/git directory: [picomatch](https://github.com/micromatch/picomatch) and [@nevware21/ts-utils](https://github.com/nevware21/ts-utils).
Bumps the npm_and_yarn group with 1 update in the /extensions/github directory: [@nevware21/ts-utils](https://github.com/nevware21/ts-utils).
Bumps the npm_and_yarn group with 1 update in the /extensions/github-authentication directory: [@nevware21/ts-utils](https://github.com/nevware21/ts-utils).
Bumps the npm_and_yarn group with 2 updates in the /extensions/html-language-features directory: [brace-expansion](https://github.com/juliangruber/brace-expansion) and [@nevware21/ts-utils](https://github.com/nevware21/ts-utils).
Bumps the npm_and_yarn group with 2 updates in the /extensions/json-language-features directory: [brace-expansion](https://github.com/juliangruber/brace-expansion) and [@nevware21/ts-utils](https://github.com/nevware21/ts-utils).
Bumps the npm_and_yarn group with 4 updates in the /extensions/markdown-language-features directory: [brace-expansion](https://github.com/juliangruber/brace-expansion), [picomatch](https://github.com/micromatch/picomatch), [@nevware21/ts-utils](https://github.com/nevware21/ts-utils) and [dompurify](https://github.com/cure53/DOMPurify).
Bumps the npm_and_yarn group with 1 update in the /extensions/media-preview directory: [@nevware21/ts-utils](https://github.com/nevware21/ts-utils).
Bumps the npm_and_yarn group with 1 update in the /extensions/merge-conflict directory: [@nevware21/ts-utils](https://github.com/nevware21/ts-utils).
Bumps the npm_and_yarn group with 1 update in the /extensions/microsoft-authentication directory: [@nevware21/ts-utils](https://github.com/nevware21/ts-utils).
Bumps the npm_and_yarn group with 2 updates in the /extensions/npm directory: [brace-expansion](https://github.com/juliangruber/brace-expansion) and [picomatch](https://github.com/micromatch/picomatch).
Bumps the npm_and_yarn group with 1 update in the /extensions/simple-browser directory: [@nevware21/ts-utils](https://github.com/nevware21/ts-utils).
Bumps the npm_and_yarn group with 1 update in the /extensions/typescript-language-features directory: [@nevware21/ts-utils](https://github.com/nevware21/ts-utils).
Bumps the npm_and_yarn group with 1 update in the /extensions/vscode-api-tests directory: [node-forge](https://github.com/digitalbazaar/forge).
Bumps the npm_and_yarn group with 4 updates in the /remote directory: [undici](https://github.com/nodejs/undici), [@tootallnate/once](https://github.com/TooTallNate/once), [ip-address](https://github.com/beaugunderson/ip-address) and [picomatch](https://github.com/micromatch/picomatch).


Updates `undici` from 6.20.1 to 6.24.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.20.1...v6.24.0)

Updates `electron` from 32.2.1 to 39.8.5
- [Release notes](https://github.com/electron/electron/releases)
- [Commits](electron/electron@v32.2.1...v39.8.5)

Updates `postcss` from 8.4.38 to 8.5.10
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.4.38...8.5.10)

Updates `@tootallnate/once` from 3.0.0 to 3.0.1
- [Release notes](https://github.com/TooTallNate/once/releases)
- [Changelog](https://github.com/TooTallNate/once/blob/master/CHANGELOG.md)
- [Commits](TooTallNate/once@3.0.0...v3.0.1)

Updates `brace-expansion` from 1.1.11 to 2.1.0
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v2.1.0)

Updates `flatted` from 3.3.1 to 3.4.2
- [Commits](WebReflection/flatted@v3.3.1...v3.4.2)

Updates `ip-address` from 9.0.5 to 10.2.0
- [Commits](https://github.com/beaugunderson/ip-address/commits)

Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `brace-expansion` from 1.1.11 to 1.1.14
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v2.1.0)

Updates `brace-expansion` from 2.0.1 to 2.1.0
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v2.1.0)

Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `picomatch` from 2.3.0 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `@xmldom/xmldom` from 0.8.10 to 0.8.13
- [Release notes](https://github.com/xmldom/xmldom/releases)
- [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md)
- [Commits](xmldom/xmldom@0.8.10...0.8.13)

Updates `fast-xml-parser` from 4.5.0 to 5.8.0
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v4.5.0...v5.8.0)

Updates `brace-expansion` from 2.0.1 to 2.1.0
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v2.1.0)

Updates `tar` from 6.2.1 to 7.5.15
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.2.1...v7.5.15)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `brace-expansion` from 2.0.1 to 2.1.0
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v2.1.0)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `@nevware21/ts-utils` from 0.10.1 to 0.14.0
- [Release notes](https://github.com/nevware21/ts-utils/releases)
- [Changelog](https://github.com/nevware21/ts-utils/blob/main/CHANGELOG.md)
- [Commits](nevware21/ts-utils@0.10.1...0.14.0)

Updates `@nevware21/ts-utils` from 0.10.1 to 0.14.0
- [Release notes](https://github.com/nevware21/ts-utils/releases)
- [Changelog](https://github.com/nevware21/ts-utils/blob/main/CHANGELOG.md)
- [Commits](nevware21/ts-utils@0.10.1...0.14.0)

Updates `@nevware21/ts-utils` from 0.10.1 to 0.14.0
- [Release notes](https://github.com/nevware21/ts-utils/releases)
- [Changelog](https://github.com/nevware21/ts-utils/blob/main/CHANGELOG.md)
- [Commits](nevware21/ts-utils@0.10.1...0.14.0)

Updates `brace-expansion` from 2.0.1 to 2.1.0
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v2.1.0)

Updates `@nevware21/ts-utils` from 0.10.1 to 0.14.0
- [Release notes](https://github.com/nevware21/ts-utils/releases)
- [Changelog](https://github.com/nevware21/ts-utils/blob/main/CHANGELOG.md)
- [Commits](nevware21/ts-utils@0.10.1...0.14.0)

Updates `brace-expansion` from 2.0.1 to 2.1.0
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v2.1.0)

Updates `@nevware21/ts-utils` from 0.10.1 to 0.14.0
- [Release notes](https://github.com/nevware21/ts-utils/releases)
- [Changelog](https://github.com/nevware21/ts-utils/blob/main/CHANGELOG.md)
- [Commits](nevware21/ts-utils@0.10.1...0.14.0)

Updates `brace-expansion` from 1.1.11 to 1.1.14
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v2.1.0)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `@nevware21/ts-utils` from 0.10.1 to 0.14.0
- [Release notes](https://github.com/nevware21/ts-utils/releases)
- [Changelog](https://github.com/nevware21/ts-utils/blob/main/CHANGELOG.md)
- [Commits](nevware21/ts-utils@0.10.1...0.14.0)

Updates `dompurify` from 3.1.7 to 3.4.0
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.1.7...3.4.0)

Updates `@nevware21/ts-utils` from 0.10.1 to 0.14.0
- [Release notes](https://github.com/nevware21/ts-utils/releases)
- [Changelog](https://github.com/nevware21/ts-utils/blob/main/CHANGELOG.md)
- [Commits](nevware21/ts-utils@0.10.1...0.14.0)

Updates `@nevware21/ts-utils` from 0.10.1 to 0.14.0
- [Release notes](https://github.com/nevware21/ts-utils/releases)
- [Changelog](https://github.com/nevware21/ts-utils/blob/main/CHANGELOG.md)
- [Commits](nevware21/ts-utils@0.10.1...0.14.0)

Updates `@nevware21/ts-utils` from 0.10.1 to 0.14.0
- [Release notes](https://github.com/nevware21/ts-utils/releases)
- [Changelog](https://github.com/nevware21/ts-utils/blob/main/CHANGELOG.md)
- [Commits](nevware21/ts-utils@0.10.1...0.14.0)

Updates `brace-expansion` from 2.0.1 to 2.1.0
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v2.1.0)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `@nevware21/ts-utils` from 0.10.1 to 0.14.0
- [Release notes](https://github.com/nevware21/ts-utils/releases)
- [Changelog](https://github.com/nevware21/ts-utils/blob/main/CHANGELOG.md)
- [Commits](nevware21/ts-utils@0.10.1...0.14.0)

Updates `@nevware21/ts-utils` from 0.10.1 to 0.14.0
- [Release notes](https://github.com/nevware21/ts-utils/releases)
- [Changelog](https://github.com/nevware21/ts-utils/blob/main/CHANGELOG.md)
- [Commits](nevware21/ts-utils@0.10.1...0.14.0)

Updates `node-forge` from 1.3.1 to 1.4.0
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.3.1...v1.4.0)

Updates `undici` from 6.20.1 to 6.24.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.20.1...v6.24.0)

Updates `@tootallnate/once` from 3.0.0 to 3.0.1
- [Release notes](https://github.com/TooTallNate/once/releases)
- [Changelog](https://github.com/TooTallNate/once/blob/master/CHANGELOG.md)
- [Commits](TooTallNate/once@3.0.0...v3.0.1)

Updates `ip-address` from 9.0.5 to 10.2.0
- [Commits](https://github.com/beaugunderson/ip-address/commits)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 6.24.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: electron
  dependency-version: 39.8.5
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.10
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@tootallnate/once"
  dependency-version: 3.0.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 2.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.14
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 2.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@xmldom/xmldom"
  dependency-version: 0.8.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-parser
  dependency-version: 5.8.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 2.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.15
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 2.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@nevware21/ts-utils"
  dependency-version: 0.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@nevware21/ts-utils"
  dependency-version: 0.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@nevware21/ts-utils"
  dependency-version: 0.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 2.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@nevware21/ts-utils"
  dependency-version: 0.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 2.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@nevware21/ts-utils"
  dependency-version: 0.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.14
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@nevware21/ts-utils"
  dependency-version: 0.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.4.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@nevware21/ts-utils"
  dependency-version: 0.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@nevware21/ts-utils"
  dependency-version: 0.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@nevware21/ts-utils"
  dependency-version: 0.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 2.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@nevware21/ts-utils"
  dependency-version: 0.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@nevware21/ts-utils"
  dependency-version: 0.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: node-forge
  dependency-version: 1.4.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 6.24.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@tootallnate/once"
  dependency-version: 3.0.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 21, 2026
@dependabot @github

dependabot Bot commented on behalf of github May 21, 2026

Copy link
Copy Markdown
Author

Superseded by #28.

@dependabot dependabot Bot closed this May 21, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-72bf477b14 branch May 21, 2026 22:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants