chore(deps): bump the npm_and_yarn group across 1 directory with 6 updates

[dependabot]

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package	From	To
flatted	3.3.3	3.4.2
handlebars	4.7.8	4.7.9
lodash	4.17.21	4.18.0
minimatch	3.1.2	3.1.5
picomatch	2.3.1	2.3.2
tar	6.2.1	removed

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5
  • GHSA-2w6w-674q-4c4q
  • GHSA-3mfm-83xf-c92r
  • GHSA-xhpv-hc6g-r9c6
  • GHSA-xjpj-3mr7-gcpf
  • GHSA-9cx6-37pm-9jff
  • GHSA-2qvq-rjwj-gvw9
  • GHSA-7rx3-28cr-v5wh
  • GHSA-442j-39wm-28r2

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5

Commits

Commits

• dce542c v4.7.9
• 8a41389 Update release notes
• 68d8df5 Fix security issues
• b2a0831 Fix browser tests
• 9f98c16 Fix release script
• 45443b4 Revert "Improve partial indenting performance"
• 8841a5f Fix CI errors with linting
• e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
• e914d60 Improve rendering performance
• 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
• Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.18.0

Release notes

Sourced from lodash's releases.

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• 0783181 docs(random): document lower > upper case (#6115)
• 35bb1d9 docs: add security notice for _.template in threat model and API docs (#6099)
• 62b439f doc: fix quotes in compact jsdoc (#6090)
• Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Removes tar

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[billyjbryant]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[github-actions]

Git-Assure Report

Repository analyzed on: 2026-03-31

Risk Rating: Low (Score: 7)

GitHub Repository Analysis: billyjbryant/git-assure

Project Description

A comprehensive analysis tool for evaluating GitHub repositories. Git-Assure assesses sustainability and security risks, generating detailed reports to help you make informed decisions about the repositories you depend on.

View Full README

Sustainability Assessment

Metric	Value
Number of Contributors	3
Avg. Contributor Account Age	9.6 years
Project Age	349 days (Created on 4/15/2025)
Recent Commits	30 commits found in the last 100
Last Activity	0 days ago (3/31/2026)
Contributing Guidelines	✅ Present
Long-Lived PRs (>90 days)	0
Long-Lived Issues (>180 days)	0

Security Assessment

Metric	Value
Security Policy	✅ Present
Code Complexity	Potentially moderate complexity (based on size).
Last Update	3/31/2026

License Information

Metric	Value
License	MIT License
License Risk	Low

Dependency Analysis

Metric	Value
Dependency Files	✅ Found
Total Dependencies	29
Major Version Outdated	⚠️ 10
Minor Version Outdated	ℹ️ 2
Vulnerability Alerts	❌ Disabled/Not Available
High Severity Vulnerabilities	N/A
Medium Severity Vulnerabilities	N/A
Low Severity Vulnerabilities	N/A
Vulnerability Source	N/A

Outdated Dependencies

Package	Current Version	Latest Version	Update Urgency
@actions/core	1.11.1	3.0.0	🔴 High
@actions/github	8.0.1	9.0.0	🔴 High
semver	7.7.3	7.7.4	🟡 Low
@octokit/rest	21.1.1	22.0.1	🔴 High
@semantic-release/npm	12.0.1	13.1.5	🔴 High
@types/jest	29.5.14	30.0.0	🔴 High
@types/node	22.14.1	25.5.0	🔴 High
@types/semver	7.7.0	7.7.1	🟡 Low
@typescript-eslint/eslint-plugin	8.30.1	8.58.0	🟠 Medium
@typescript-eslint/parser	8.30.1	8.58.0	🟠 Medium
@vercel/ncc	0.38.3	0.38.4	🟡 Low
conventional-changelog-conventionalcommits	8.0.0	9.3.1	🔴 High
eslint	9.24.0	10.1.0	🔴 High
eslint-config-prettier	10.1.2	10.1.8	🟡 Low
eslint-plugin-jest	28.11.0	29.15.1	🔴 High
jest	29.7.0	30.3.0	🔴 High

Top Dependencies

Package	Version
@actions/core	1.11.1
@actions/github	8.0.1
semver	7.7.3
@octokit/rest	21.1.1
@semantic-release/changelog	6.0.3
@semantic-release/git	10.0.1
@semantic-release/npm	12.0.1
@types/jest	29.5.14
@types/node	22.14.1
@types/semver	7.7.0
@typescript-eslint/eslint-plugin	8.30.1
@typescript-eslint/parser	8.30.1
@vercel/ncc	0.38.3
conventional-changelog-conventionalcommits	8.0.0
eslint	9.24.0
eslint-config-prettier	10.1.2
eslint-plugin-jest	28.11.0
eslint-plugin-node	11.1.0
husky	9.1.7
jest	29.7.0

Development Quality

Metric	Value
Dependency Management	✅ Present
Test Coverage	✅ Tests Found
CI/CD Setup	✅ Present
Code Quality Tools	✅ Present
Documentation	✅ Basic

Community Health

Metric	Value
Stars	2
Forks	0
Watchers	2
Open Issues	1
Average Response Time	N/A

Release Practices

Metric	Value
Formal Releases	✅ (5 found)
Latest Release	319 days ago (5/15/2025)
Semantic Versioning	✅ Used

Risk Summary

Risk Score: 7 (Low)

Risk Factors Identified

• Relatively low number of contributors.
• Relatively young project.
• Low community interest (few stars).
• Repository has dependencies but vulnerability alerts are not enabled.
• Many dependencies are severely outdated (10 major versions behind).

Notes

• Code complexity assessment is based on repository size only
• Security assessment is limited by the public GitHub API
• Test coverage is based on directory presence, not actual coverage metrics
• Dependency vulnerability detection requires a GitHub token with appropriate permissions
• This analysis provides a snapshot and should not be considered a definitive security audit

---

This analysis was performed automatically by Git-Assure