chore(deps): Bump the production group across 1 directory with 9 updates #106

Closed
dependabot[bot] wants to merge 1 commit into main from
dependabot/npm_and_yarn/production-97156258fb

dependabot bot (Contributor) commented on behalf of github Mar 30, 2026

Bumps the production group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @deck.gl/core | 9.2.10 | 9.2.11 |
| @deck.gl/geo-layers | 9.2.10 | 9.2.11 |
| @deck.gl/layers | 9.2.10 | 9.2.11 |
| dompurify | 3.3.1 | 3.3.3 |
| fast-xml-parser | 5.4.2 | 5.5.9 |
| maplibre-gl | 5.19.0 | 5.21.1 |
| marked | 17.0.4 | 17.0.5 |
| commander | 13.1.0 | 14.0.3 |
| @clack/prompts | 0.9.1 | 1.1.0 |

Updates @deck.gl/core from 9.2.10 to 9.2.11

Release notes

Sourced from @​deck.gl/core's releases.

v9.2.11

  • chore: Pin to luma 9.2 & loaders 4.3 (#10062)
Changelog

Sourced from @​deck.gl/core's changelog.

deck.gl [v9.2.11] - Mar 5 2026

  • chore: Pin to luma 9.2 & loaders 4.3 (#10062)
Commits

Updates @deck.gl/geo-layers from 9.2.10 to 9.2.11

Release notes

Sourced from @​deck.gl/geo-layers's releases.

v9.2.11

  • chore: Pin to luma 9.2 & loaders 4.3 (#10062)
Changelog

Sourced from @​deck.gl/geo-layers's changelog.

deck.gl [v9.2.11] - Mar 5 2026

  • chore: Pin to luma 9.2 & loaders 4.3 (#10062)
Commits

Updates @deck.gl/layers from 9.2.10 to 9.2.11

Release notes

Sourced from @​deck.gl/layers's releases.

v9.2.11

  • chore: Pin to luma 9.2 & loaders 4.3 (#10062)
Changelog

Sourced from @​deck.gl/layers's changelog.

deck.gl [v9.2.11] - Mar 5 2026

  • chore: Pin to luma 9.2 & loaders 4.3 (#10062)
Commits

Updates dompurify from 3.3.1 to 3.3.3

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.3

  • Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

DOMPurify 3.3.2

  • Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
  • Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
  • Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
  • Bumped and removed several dependencies, thanks @​Rotzbua
  • Fixed the test suite after bumping dependencies, thanks @​Rotzbua
Commits
  • 8bcbf73 chore: Preparing 3.3.3 release
  • 5faddd6 fix: engine requirement (#1210)
  • 0f91e3a Update README.md
  • d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
  • c3efd48 fix: moved back from jsdom 28 to jsdom 20
  • 988b888 fix: moved back from jsdom 28 to jsdom 20
  • 2726c74 chore: Preparing 3.3.2 release
  • 6202c7e build(deps): bump @​tootallnate/once and jsdom (#1204)
  • 302b51d fix: Expanded the regex ever so slightly to also cover script
  • cd85175 Merge branch 'main' of github.com:cure53/DOMPurify
  • Additional commits viewable in compare view

Updates fast-xml-parser from 5.4.2 to 5.5.9

Release notes

Sourced from fast-xml-parser's releases.

fix typings and matcher instance in callbacks

combine typings file to avoid configuration changes
pass readonly instance of matcher to the call backs to avoid accidental push/pop call

fix bugs of entity parsing and value parsing

fix: entity expansion limits
update strnum package to 2.2.0

fix entity expansion and incorrect replacement and performance

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

support onDangerousProperty

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.3...v5.5.5

update dependencies to fix typings

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.1...v5.5.2

integrate path-expression-matcher

  • support path-expression-matcher
  • fix: stopNode should not be parsed
  • performance improvement for stopNode checking
Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.5.9 / 2026-03-23

  • combine typing files

4.5.5 / 2026-03-22

apply fixes from v5 (legacy maintenance branch v4-maintenance)

  • support maxEntityCount
  • support onDangerousProperty
  • support maxNestedTags
  • handle prototype pollution
  • fix incorrect entity name replacement
  • fix incorrect condition for entity expansion

5.5.8 / 2026-03-20

  • pass read only matcher in callback

5.5.7 / 2026-03-19

  • fix: entity expansion limits
  • update strnum package to 2.2.0

5.5.6 / 2026-03-16

  • update builder dependency
  • fix incorrect regex to replace . in entity name
  • fix check for entity expansion for lastEntities and html entities too

5.5.5 / 2026-03-13

  • sanitize dangerous tag or attribute name
  • error on critical property name
  • support onDangerousProperty option

5.5.4 / 2026-03-13

  • declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

5.5.3 / 2026-03-11

  • upgrade builder

5.5.2 / 2026-03-11

  • update dependency to fix typings

5.5.1 / 2026-03-10

  • fix dependency

... (truncated)

Commits
  • a8934f9 upgrade strnum
  • 23d13e4 combine typing files
  • 0c0a7dc update maintenance docs
  • a92a665 pass read only matcher in call back
  • a21c441 update package detail
  • 239b64a check for min value for entity expansion options
  • 61cb666 restrict more properties to be unsafe
  • 41abd66 performance improvement of reading DOCTYPE
  • 3dfcd20 refactor: performance improvement
  • 870043e update release info
  • Additional commits viewable in compare view

Updates maplibre-gl from 5.19.0 to 5.21.1

Release notes

Sourced from maplibre-gl's releases.

v5.21.1

🐞 Bug fixes

  • Add missing promoteId parameter to geojson worker and refactor communication object (#7320) (by @​HarelM)

v5.21.0

✨ Features and improvements

  • Add compatibility for ES2020 (#7283) (by @​claudiobgit)
  • Add referrerPolicy option to RequestParameters to allow controlling the referrer policy for tile requests (#7278) (by @​Bingtagui404)
  • Wait for the GPU to finish its callstack for rendering benchmarks (#7285) (by @​xavierjs)
  • Remove Edge 18 WebP detection workaround; always send Accept: image/webp header for image requests (#7293) (by @​johanrd)
  • Remove legacy browser compatibility code targeting IE11 and pre-2016 browsers (#7294) (by @​johanrd)
  • Remove legacy DOM.remove() and DOM.mouseButton() wrappers; use native APIs directly (baseline 2015) (#7295) (by @​johanrd)
  • Make setTransformRequest accept an async function in addition to a sync function. (#7184) (by @​kikuomax )

🐞 Bug fixes

  • Fix incorrect popup location in case of terrain and jumpTo (#7267) (by @​HarelM)
  • Fix memory leak in VideoSource: remove playing event listener and pause video on source removal (#7279) (by @​johanrd)
  • Fix memory leak where typed array views retained StructArray buffers after GPU upload, preventing garbage collection (#7280) (by @​johanrd)
  • Fix raster DEM tiles getting stuck in "reloading" state (#7284) (by @​katemihalikova)
  • Fix GeolocateControl leaking a movestart listener on the map after removal, which could also crash if the control was in active tracking state when removed (#7286) (by @​johanrd)
  • Cap tile texture reuse pool to prevent unbounded VRAM growth during rapid zoom/pan (#7289) (by @​johanrd)
  • Fix Marker click listener not removed on remove(), leaking the handler added in #7028 (#7287) (by @​johanrd)
  • Fix Terrain GPU resource leak: free FBO, textures, and meshes when terrain is disabled via setTerrain(null) (#7288) (by @​johanrd)
  • Fix guard against partial layout in PauseablePlacement (#7079) (by @​garethbowker)
  • Fix missing tile encoding for MLT queryRenderedFeatures (#7056) (by @​dannote and @​ted-piotrowski)
  • Fix 3D Tiles example (#7275) (by @​hh-hang)

v5.20.2

🐞 Bug fixes

  • Fix update GeoJSON when using diff update by updating geojson-vt package (#7257) (by @​HarelM)

v5.20.1

🐞 Bug fixes

  • Fix cannot read properties of undefined (reading 'range') by updating geojson-vt package (#7245) (by @​HarelM)
  • Fix a bug where raster-resampling: nearest was not applied as expected (#7247) (by @​yano-h)

v5.20.0

✨ Features and improvements

... (truncated)

Changelog

Sourced from maplibre-gl's changelog.

5.21.1

🐞 Bug fixes

  • Add missing promoteId parameter to geojson worker and refactor communication object (#7320) (by @​HarelM)

5.21.0

✨ Features and improvements

  • Add compatibility for ES2020 (#7283) (by @​claudiobgit)
  • Add referrerPolicy option to RequestParameters to allow controlling the referrer policy for tile requests (#7278) (by @​Bingtagui404)
  • Wait for the GPU to finish its callstack for rendering benchmarks (#7285) (by @​xavierjs)
  • Remove Edge 18 WebP detection workaround; always send Accept: image/webp header for image requests (#7293) (by @​johanrd)
  • Remove legacy browser compatibility code targeting IE11 and pre-2016 browsers (#7294) (by @​johanrd)
  • Remove legacy DOM.remove() and DOM.mouseButton() wrappers; use native APIs directly (baseline 2015) (#7295) (by @​johanrd)
  • Make setTransformRequest accept an async function in addition to a sync function. (#7184) (by @​kikuomax )

🐞 Bug fixes

  • Fix incorrect popup location in case of terrain and jumpTo (#7267) (by @​HarelM)
  • Fix memory leak in VideoSource: remove playing event listener and pause video on source removal (#7279) (by @​johanrd)
  • Fix memory leak where typed array views retained StructArray buffers after GPU upload, preventing garbage collection (#7280) (by @​johanrd)
  • Fix raster DEM tiles getting stuck in "reloading" state (#7284) (by @​katemihalikova)
  • Fix GeolocateControl leaking a movestart listener on the map after removal, which could also crash if the control was in active tracking state when removed (#7286) (by @​johanrd)
  • Cap tile texture reuse pool to prevent unbounded VRAM growth during rapid zoom/pan (#7289) (by @​johanrd)
  • Fix Marker click listener not removed on remove(), leaking the handler added in #7028 (#7287) (by @​johanrd)
  • Fix Terrain GPU resource leak: free FBO, textures, and meshes when terrain is disabled via setTerrain(null) (#7288) (by @​johanrd)
  • Fix guard against partial layout in PauseablePlacement (#7079) (by @​garethbowker)
  • Fix missing tile encoding for MLT queryRenderedFeatures (#7056) (by @​dannote and @​ted-piotrowski)
  • Fix 3D Tiles example (#7275) (by @​hh-hang)

5.20.2

🐞 Bug fixes

  • Fix update GeoJSON when using diff update by updating geojson-vt package (#7257) (by @​HarelM)

5.20.1

🐞 Bug fixes

  • Fix cannot read properties of undefined (reading 'range') by updating geojson-vt package (#7245) (by @​HarelM)
  • Fix a bug where raster-resampling: nearest was not applied as expected (#7247) (by @​yano-h)

5.20.0

✨ Features and improvements

... (truncated)

Commits
  • 1fe69fd Bump js version to 5.21.1 (#7325)
  • 1bf28ae Add missing promoteId parameter to geojson worker (#7320)
  • 1557f52 chore(deps-dev): bump canvas from 3.2.1 to 3.2.2 (#7324)
  • 73db19a chore(deps-dev): bump @​vitest/eslint-plugin in the vitest group (#7321)
  • 9eeb0fd chore(deps-dev): bump rollup from 4.59.1 to 4.60.0 (#7322)
  • a5a63bc chore(deps-dev): bump rollup from 4.59.0 to 4.59.1 (#7316)
  • a54d7a1 chore(deps): bump github/codeql-action from 4.33.0 to 4.34.1 (#7317)
  • a4c8bc8 chore(deps): bump ggilder/codecoverage from 1.3.0 to 1.3.1 (#7318)
  • a8cf500 chore(deps-dev): bump devtools-protocol from 0.0.1596832 to 0.0.1602427 (#7312)
  • 65766d2 chore(deps-dev): bump puppeteer from 24.39.1 to 24.40.0 (#7313)
  • Additional commits viewable in compare view

Updates marked from 17.0.4 to 17.0.5

Release notes

Sourced from marked's releases.

v17.0.5

17.0.5 (2026-03-20)

Bug Fixes

  • Fix catastrophic backtracking (ReDoS) in link/reflink label regex (#3918) (4625980)
  • prevent quadratic complexity in emStrongLDelim regex (#3906) (c732dd2)
  • prevent single-tilde strikethrough false positives (#3910) (5e03369)
  • re-assign tokenizer.lexer and renderer.parser at start of each parse call (#3907) (f3a3ec0)
  • trim trailing whitespace from lheading text (#3920) (3ea7e88)
Commits
  • 811ea59 chore(release): 17.0.5 [skip ci]
  • c732dd2 fix: prevent quadratic complexity in emStrongLDelim regex (#3906)
  • f3a3ec0 fix: re-assign tokenizer.lexer and renderer.parser at start of each parse cal...
  • 4625980 fix: Fix catastrophic backtracking (ReDoS) in link/reflink label regex (#3918)
  • 5e03369 fix: prevent single-tilde strikethrough false positives (#3910)
  • 288349d test: add heading edge case tests (#3919)
  • 3ea7e88 fix: trim trailing whitespace from lheading text (#3920)
  • d4c0fe5 chore(deps-dev): Bump esbuild from 0.27.3 to 0.27.4 (#3915)
  • 30682c1 chore(deps-dev): Bump undici from 6.23.0 to 6.24.0 (#3914)
  • 59752c4 chore(deps-dev): Bump minimatch from 9.0.5 to 9.0.9 (#3913)
  • Additional commits viewable in compare view

Updates commander from 13.1.0 to 14.0.3

Release notes

Sourced from commander's releases.

v14.0.3

Added

  • Release Policy document (#2462)

Changes

  • old major versions now supported for 12 months instead of just previous major version, to give predictable end-of-life date (#2462)
  • clarify typing for deprecated callback parameter to .outputHelp() (#2427)
  • simple readability improvements to README (#2465)

v14.0.2

Changed

  • improve negative number auto-detection test (#2428)
  • update (dev) dependencies

v14.0.1

Fixed

  • broken markdown link in README (#2369)

Changed

  • improve code readability by using optional chaining (#2394)
  • use more idiomatic code with object spread instead of Object.assign() (#2395)
  • improve code readability using string.endsWith() instead of string.slice() (#2396)
  • refactor .parseOptions() to process args array in-place (#2409)
  • change private variadic support routines from ._concatValue() to ._collectValue() (change code from array.concat() to array.push()) (#2410)
  • update (dev) dependencies

v14.0.0

Added

  • support for groups of options and commands in the help using low-level .helpGroup() on Option and Command, and higher-level .optionsGroup() and .commandsGroup() which can be used in chaining way to specify group title for following options/commands (#2328)
  • support for unescaped negative numbers as option-arguments and command-arguments (#2339)
  • TypeScript: add parseArg property to Argument class (#2359)

Fixed

  • remove bogus leading space in help when option has default value but not a description (#2348)
  • .configureOutput() now makes copy of settings instead of modifying in-place, fixing side-effects (#2350)

Changed

  • Breaking: Commander 14 requires Node.js v20 or higher
  • internal refactor of Help class adding .formatItemList() and .groupItems() methods (#2328)
Changelog

Sourced from commander's changelog.

[14.0.3] (2026-01-31)

Added

  • Release Policy document (#2462)

Changes

  • old major versions now supported for 12 months instead of just previous major version, to give predictable end-of-life date (#2462)
  • clarify typing for deprecated callback parameter to .outputHelp() (#2427)
  • simple readability improvements to README (#2465)

[14.0.2] (2025-10-25)

Changed

  • improve negative number auto-detection test (#2428)
  • update (dev) dependencies

[14.0.1] (2025-09-12)

Fixed

  • broken markdown link in README (#2369)

Changed

  • improve code readability by using optional chaining (#2394)
  • use more idiomatic code with object spread instead of Object.assign() (#2395)
  • improve code readability using string.endsWith() instead of string.slice() (#2396)
  • refactor .parseOptions() to process args array in-place (#2409)
  • change private variadic support routines from ._concatValue() to ._collectValue() (change code from array.concat() to array.push()) (#2410)
  • update (dev) dependencies

[14.0.0] (2025-05-18)

Added

  • support for groups of options and commands in the help using low-level .helpGroup() on Option and Command, and higher-level .optionsGroup() and .commandsGroup() which can be used in chaining way to specify group title for following options/commands (#2328)
  • support for unescaped negative numbers as option-arguments and command-arguments (#2339)
  • TypeScript: add parseArg property to Argument class (#2359)

Fixed

  • remove bogus leading space in help when option has default value but not a description (#2348)
  • .configureOutput() now makes copy of settings instead of modifying in-place, fixing side-effects (#2350)

Changed

  • Breaking: Commander 14 requires Node.js v20 or higher

... (truncated)

Commits

Updates @clack/prompts from 0.9.1 to 1.1.0

Release notes

Sourced from @​clack/prompts's releases.

@​clack/prompts@​1.1.0

Minor Changes

  • e3333fb: Replaces picocolors with Node.js built-in styleText.

Patch Changes

  • c3666e2: destruct limitOption param for better code readability, tweak types definitions
  • ba3df8e: Fixes withGuide support in intro, outro, and cancel messages.
  • Updated dependencies [e3333fb]
    • @​clack/core@​1.1.0

@​clack/prompts@​1.0.1

Patch Changes

  • 6404dc1: Disallows selection of disabled options in autocomplete.
  • 86e36d8: Adds withGuide support to select prompt.
  • c697439: Fixes line wrapping behavior in autocomplete.
  • 0ded19c: Simplifies withGuide option checks.
  • 0e4ddc9: Fixes withGuide support in password and path prompts.
  • 76550d6: Adds withGuide support to selectKey prompt.
  • f9b9953: Adds withGuide support to password prompt.
  • 0e93ccb: Adds vertical arrangement option to confirm prompt.
  • 4e9ae13: Adds withGuide support to confirm prompt.
  • 0256238: Adds withGuide support to spinner prompt.
  • Updated dependencies [6404dc1]
  • Updated dependencies [2533180]
    • @​clack/core@​1.0.1

@​clack/prompts@​1.0.0

Major Changes

  • c713fd5: The package is now distributed as ESM-only. In v0 releases, the package was dual-published as CJS and ESM.

    For existing CJS projects using Node v20+, please see Node's guide on Loading ECMAScript modules using require().

Minor Changes

  • 415410b: This adds a custom filter function to autocompleteMultiselect. It could be used, for example, to support fuzzy searching logic.

  • 7bc3301: Prompts now have a userInput stored separately from their value.

  • 8409f2c: feat: add styleFrame option for spinner

  • 2837845: Adds suggestion and path prompts

  • 99c3530: Adds format option to the note prompt to allow formatting of individual lines

  • 0aaee4c: Added new taskLog prompt for log output which is cleared on success

... (truncated)

Changelog

Sourced from @​clack/prompts's changelog.

1.1.0

Minor Changes

  • e3333fb: Replaces picocolors with Node.js built-in styleText.

Patch Changes

  • c3666e2: destruct limitOption param for better code readability, tweak types definitions
  • ba3df8e: Fixes withGuide support in intro, outro, and cancel messages.
  • Updated dependencies [e3333fb]
    • @​clack/core@​1.1.0

1.0.1

Patch Changes

  • 6404dc1: Disallows selection of disabled options in autocomplete.
  • 86e36d8: Adds withGuide support to select prompt.
  • c697439: Fixes line wrapping behavior in autocomplete.
  • 0ded19c: Simplifies withGuide option checks.
  • 0e4ddc9: Fixes withGuide support in password and path prompts.
  • 76550d6: Adds withGuide support to selectKey prompt.
  • f9b9953: Adds withGuide support to password prompt.
  • 0e93ccb: Adds vertical arrangement option to confirm prompt.
  • 4e9ae13: Adds withGuide support to confirm prompt.
  • 0256238: Adds withGuide support to spinner prompt.
  • Updated dependencies [6404dc1]
  • Updated dependencies [2533180]
    • @​clack/core@​1.0.1

1.0.0

Major Changes

  • c713fd5: The package is now distributed as ESM-only. In v0 releases, the package was dual-published as CJS and ESM.

    For existing CJS projects using Node v20+, please see Node's guide on Loading ECMAScript modules using require().

Minor Changes

  • 415410b: This adds a custom filter function to autocompleteMultiselect. It could be used, for example, to support fuzzy searching logic.

  • 7bc3301: Prompts now have a userInput stored separately from their value.

  • 8409f2c: feat: add styleFrame option for spinner

  • 2837845: Adds suggestion and path prompts

  • 99c3530: Adds format option to the note prompt to allow formatting of individual lines

  • 0aaee4c: Added new taskLog prompt for log output which is cleared on success

  • 729bbb6: Add support for customizable spinner cancel and error messages. Users can now customize these messages either per spinner instance or globally via the updateSettings function to support multilingual CLIs.

    This update also improves the architecture by exposing the core settings to the prompts package, enabling more consistent default message handling across the codebase.

... (truncated)

Commits
  • 56edf97 [ci] release (#472)
  • ba3df8e fix(prompts): honor withGuide for intro/outro/cancel messages (#474)
  • e3333fb refactor(core, prompts): replace picocolors with styleText (#403)
  • 594c58a [ci] format
  • c3666e2 chore(prompts): destruct limitOption param for better code readability (#457)
  • 667572b [ci] release (#456)
  • 6404dc1 fix: support disabled options in autocomplete (#466)
  • ba10721 [ci] format
  • 0e4ddc9 fix: respect withGuide option in password and path prompts (#460)
  • 0ded19c chore(prompts): simplify guide option checks (#459)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​clack/prompts since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the production group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@deck.gl/core](https://github.com/visgl/deck.gl) | `9.2.10` | `9.2.11` |
| [@deck.gl/geo-layers](https://github.com/visgl/deck.gl) | `9.2.10` | `9.2.11` |
| [@deck.gl/layers](https://github.com/visgl/deck.gl) | `9.2.10` | `9.2.11` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.3.1` | `3.3.3` |
| [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) | `5.4.2` | `5.5.9` |
| [maplibre-gl](https://github.com/maplibre/maplibre-gl-js) | `5.19.0` | `5.21.1` |
| [marked](https://github.com/markedjs/marked) | `17.0.4` | `17.0.5` |
| [commander](https://github.com/tj/commander.js) | `13.1.0` | `14.0.3` |
| [@clack/prompts](https://github.com/bombshell-dev/clack/tree/HEAD/packages/prompts) | `0.9.1` | `1.1.0` |



Updates `@deck.gl/core` from 9.2.10 to 9.2.11
- [Release notes](https://github.com/visgl/deck.gl/releases)
- [Changelog](https://github.com/visgl/deck.gl/blob/v9.2.11/CHANGELOG.md)
- [Commits](visgl/deck.gl@v9.2.10...v9.2.11)

Updates `@deck.gl/geo-layers` from 9.2.10 to 9.2.11
- [Release notes](https://github.com/visgl/deck.gl/releases)
- [Changelog](https://github.com/visgl/deck.gl/blob/v9.2.11/CHANGELOG.md)
- [Commits](visgl/deck.gl@v9.2.10...v9.2.11)

Updates `@deck.gl/layers` from 9.2.10 to 9.2.11
- [Release notes](https://github.com/visgl/deck.gl/releases)
- [Changelog](https://github.com/visgl/deck.gl/blob/v9.2.11/CHANGELOG.md)
- [Commits](visgl/deck.gl@v9.2.10...v9.2.11)

Updates `dompurify` from 3.3.1 to 3.3.3
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.1...3.3.3)

Updates `fast-xml-parser` from 5.4.2 to 5.5.9
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.4.2...v5.5.9)

Updates `maplibre-gl` from 5.19.0 to 5.21.1
- [Release notes](https://github.com/maplibre/maplibre-gl-js/releases)
- [Changelog](https://github.com/maplibre/maplibre-gl-js/blob/main/CHANGELOG.md)
- [Commits](maplibre/maplibre-gl-js@v5.19.0...v5.21.1)

Updates `marked` from 17.0.4 to 17.0.5
- [Release notes](https://github.com/markedjs/marked/releases)
- [Commits](markedjs/marked@v17.0.4...v17.0.5)

Updates `commander` from 13.1.0 to 14.0.3
- [Release notes](https://github.com/tj/commander.js/releases)
- [Changelog](https://github.com/tj/commander.js/blob/master/CHANGELOG.md)
- [Commits](tj/commander.js@v13.1.0...v14.0.3)

Updates `@clack/prompts` from 0.9.1 to 1.1.0
- [Release notes](https://github.com/bombshell-dev/clack/releases)
- [Changelog](https://github.com/bombshell-dev/clack/blob/main/packages/prompts/CHANGELOG.md)
- [Commits](https://github.com/bombshell-dev/clack/commits/@clack/prompts@1.1.0/packages/prompts)

---
updated-dependencies:
- dependency-name: "@deck.gl/core"
  dependency-version: 9.2.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production
- dependency-name: "@deck.gl/geo-layers"
  dependency-version: 9.2.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production
- dependency-name: "@deck.gl/layers"
  dependency-version: 9.2.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production
- dependency-name: dompurify
  dependency-version: 3.3.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production
- dependency-name: fast-xml-parser
  dependency-version: 5.5.9
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: maplibre-gl
  dependency-version: 5.21.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: marked
  dependency-version: 17.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production
- dependency-name: commander
  dependency-version: 14.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production
- dependency-name: "@clack/prompts"
  dependency-version: 1.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Mar 30, 2026
dependabot bot requested a review from alohays as a code owner March 30, 2026 22:20

github-actions commented

Thanks for your first PR! A maintainer will review it shortly.
Make sure npm test and forge validate pass.

alohays (Owner) commented Mar 30, 2026

Closing in favor of a selective upgrade PR. This PR bundles major version bumps (commander 14, @clack/prompts 1.0) with safe patches, causing CI failures. We will cherry-pick the safe patch/minor updates (deck.gl, dompurify, fast-xml-parser, maplibre-gl, marked) into a clean PR and defer the major upgrades for individual evaluation.

@alohays alohays closed this Mar 30, 2026
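
The triage described in the comment above, as an added example (not code from this repository or from Dependabot): it reads the `updated-dependencies` block that Dependabot writes into its commit message and separates `semver-major` entries from patch and minor ones. The function names and bucket names are assumptions made for the example, and the embedded block is an excerpt (four of the nine entries) copied from this PR.

```javascript
// Added example: split a Dependabot group update by its declared update-type.
// Excerpt of the `updated-dependencies` block from this PR's commit message.
const COMMIT_TRAILER = `---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.3.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production
- dependency-name: fast-xml-parser
  dependency-version: 5.5.9
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: commander
  dependency-version: 14.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production
- dependency-name: "@clack/prompts"
  dependency-version: 1.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production
...
`;

// Minimal reader for the flat list-of-maps layout Dependabot emits.
// It is not a general YAML parser; anything it does not recognise is skipped.
function parseUpdatedDependencies(text) {
  const entries = [];
  let inBlock = false;
  let current = null;
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trimEnd();
    if (!inBlock) {
      if (line === 'updated-dependencies:') inBlock = true;
      continue;
    }
    if (line === '...' || line === '---') break; // end of the YAML document
    const m = /^(- |  )([a-z-]+):\s*(.*)$/.exec(line);
    if (!m) continue;
    if (m[1] === '- ') {
      current = {}; // "- " starts a new dependency entry
      entries.push(current);
    }
    if (current) current[m[2]] = m[3].replace(/^"(.*)"$/, '$1');
  }
  return entries;
}

// Patch and minor bumps go into one batch PR; majors are evaluated one by one.
// Entries with a missing or unrecognised update-type are held for a human.
function triage(entries) {
  const result = { batchable: [], individual: [], unknown: [] };
  for (const e of entries) {
    const level = (e['update-type'] || '').split(':').pop(); // "semver-patch"
    const item = `${e['dependency-name']}@${e['dependency-version']}`;
    if (level === 'semver-patch' || level === 'semver-minor') {
      result.batchable.push(item);
    } else if (level === 'semver-major') {
      result.individual.push(item);
    } else {
      result.unknown.push(item);
    }
  }
  return result;
}

console.log(triage(parseUpdatedDependencies(COMMIT_TRAILER)));
```

The declared update-type is only a sorting key: the follow-up commit on this page records that the fast-xml-parser 5.5.x minor bump still required code changes, so the batch PR needs the same CI run as any other.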
dependabot bot (Contributor, Author) commented on behalf of github Mar 30, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot bot deleted the dependabot/npm_and_yarn/production-97156258fb branch March 30, 2026 23:03
alohays added a commit that referenced this pull request Mar 30, 2026
Triage Dependabot PRs #106 and #107: cherry-pick safe patches and
minors, defer major version bumps (TypeScript 6, Vite 8, Zod 4,
Commander 14) for individual evaluation.

Production: @deck.gl/* 9.2.11, dompurify 3.3.3, fast-xml-parser 5.5.9,
maplibre-gl 5.21.1, marked 17.0.5
Dev: @vitest/coverage-v8 4.1.2 (CVE fix), happy-dom 20.8.9,
zod-to-json-schema 3.25.2

Also fixes fast-xml-parser 5.5.x breaking changes:
- isArray callback signature updated for new JPathOrMatcher type
- RSS handler now gracefully degrades on partial feed failures
  instead of returning 500 when any single feed fails

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>