Bump the npm_and_yarn group across 1 directory with 12 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates in the / directory:

Package	From	To
esbuild	0.15.13	0.25.8
@web/dev-server-esbuild	0.3.3	1.0.4
barely-a-dev-server	0.3.6	0.8.1
braces	3.0.2	3.0.3
ip	1.1.9	removed
@web/test-runner	0.15.0	0.20.2
@open-wc/testing	3.1.7	3.2.2

Updates esbuild from 0.15.13 to 0.25.8

Release notes

Sourced from esbuild's releases.

v0.25.8

• Fix another TypeScript parsing edge case (#4248)

  This fixes a regression with a change in the previous release that tries to more accurately parse TypeScript arrow functions inside the ?: operator. The regression specifically involves parsing an arrow function containing a #private identifier inside the middle of a ?: ternary operator inside a class body. This was fixed by propagating private identifier state into the parser clone used to speculatively parse the arrow function body. Here is an example of some affected code:

  class CachedDict {
    #has = (a: string) => dict.has(a);
    has = window
      ? (word: string): boolean => this.#has(word)
      : this.#has;
  }

• Fix a regression with the parsing of source phase imports

  The change in the previous release to parse source phase imports failed to properly handle the following cases:

  import source from 'bar'
  import source from from 'bar'
  import source type foo from 'bar'

  Parsing for these cases should now be fixed. The first case was incorrectly treated as a syntax error because esbuild was expecting the second case. And the last case was previously allowed but is now forbidden. TypeScript hasn't added this feature yet so it remains to be seen whether the last case will be allowed, but it's safer to disallow it for now. At least Babel doesn't allow the last case when parsing TypeScript, and Babel was involved with the source phase import specification.

v0.25.7

• Parse and print JavaScript imports with an explicit phase (#4238)

  This release adds basic syntax support for the defer and source import phases in JavaScript:

  • defer

    This is a stage 3 proposal for an upcoming JavaScript feature that will provide one way to eagerly load but lazily initialize imported modules. The imported module is automatically initialized on first use. Support for this syntax will also be part of the upcoming release of TypeScript 5.9. The syntax looks like this:

    import defer * as foo from "<specifier>";
    const bar = await import.defer("<specifier>");

    Note that this feature deliberately cannot be used with the syntax import defer foo from "<specifier>" or import defer { foo } from "<specifier>".

  • source

    This is a stage 3 proposal for an upcoming JavaScript feature that will provide another way to eagerly load but lazily initialize imported modules. The imported module is returned in an uninitialized state. Support for this syntax may or may not be a part of TypeScript 5.9 (see this issue for details). The syntax looks like this:

    import source foo from "<specifier>";
    const bar = await import.source("<specifier>");

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2022

This changelog documents all esbuild versions published in the year 2022 (versions 0.14.11 through 0.16.12).

0.16.12

• Loader defaults to js for extensionless files (#2776)

  Certain packages contain files without an extension. For example, the yargs package contains the file yargs/yargs which has no extension. Node, Webpack, and Parcel can all understand code that imports yargs/yargs because they assume that the file is JavaScript. However, esbuild was previously unable to understand this code because it relies on the file extension to tell it how to interpret the file. With this release, esbuild will now assume files without an extension are JavaScript files. This can be customized by setting the loader for "" (the empty string, representing files without an extension) to another loader. For example, if you want files without an extension to be treated as CSS instead, you can do that like this:

  • CLI:

    esbuild --bundle --loader:=css
    

  • JS:

    esbuild.build({
      bundle: true,
      loader: { '': 'css' },
    })

  • Go:

    api.Build(api.BuildOptions{
      Bundle: true,
      Loader: map[string]api.Loader{"": api.LoaderCSS},
    })

  In addition, the "type" field in package.json files now only applies to files with an explicit .js, .jsx, .ts, or .tsx extension. Previously it was incorrectly applied by esbuild to all files that had an extension other than .mjs, .mts, .cjs, or .cts including extensionless files. So for example an extensionless file in a "type": "module" package is now treated as CommonJS instead of ESM.

0.16.11

• Avoid a syntax error in the presence of direct eval (#2761)

  The behavior of nested function declarations in JavaScript depends on whether the code is run in strict mode or not. It would be problematic if esbuild preserved nested function declarations in its output because then the behavior would depend on whether the output was run in strict mode or not instead of respecting the strict mode behavior of the original source code. To avoid this, esbuild transforms nested function declarations to preserve the intended behavior of the original source code regardless of whether the output is run in strict mode or not:

  // Original code
  if (true) {
    function foo() {}
    console.log(!!foo)
    foo = null
    console.log(!!foo)
  }

... (truncated)

Commits

• 8c71947 publish 0.25.8 to npm
• 0508f24 some parsing fixes for source phase imports
• 6e4be2f js parser: recover from bad #private identifiers
• c9c6357 fix #4248: #private ids in arrow fn body in ?:
• 9b42f68 publish 0.25.7 to npm
• 9ba01d1 abs-paths: js api and tests
• ca196c9 fix for parser backtracking crash
• 2979b84 fix #4241: ts arrow function type backtrack (hack)
• 1180410 fix an unused variable warning
• fc3da57 fix #4238: add defer and source import phases
• Additional commits viewable in compare view

Updates @web/dev-server-esbuild from 0.3.3 to 1.0.4

Release notes

Sourced from @​web/dev-server-esbuild's releases.

@​web/dev-server-esbuild@​1.0.4

Patch Changes

• d826727: upgrade esbuild to 0.25.x

@​web/dev-server-esbuild@​1.0.3

Patch Changes

• f506af31: Upgrade esbuild to 0.24.x
• Updated dependencies [fb33d75c]
  • @​web/dev-server-core@​0.7.4

Changelog

Sourced from @​web/dev-server-esbuild's changelog.

1.0.4

Patch Changes

• d826727: upgrade esbuild to 0.25.x

1.0.3

Patch Changes

• f506af31: Upgrade esbuild to 0.24.x
• Updated dependencies [fb33d75c]
  • @​web/dev-server-core@​0.7.4

1.0.2

Patch Changes

• fix: update @​web/dev-server-core

1.0.1

Patch Changes

• e31de569: Update @web/dev-server-rollup to latest version

1.0.0

Major Changes

• 8218a0a5: Update ESBuild to latest version.

  ESBuild has changed how TypeScript decorators are enabled in preparation for JavaScript decorators to land in browsers. ESBuild now requires the experimentalDecorators key to be set to true in the tsconfig.json for TypeScript decorators to be enabled.

  If you are having issues with decorators after updating to this version, try setting the experimentalDecorators key in your tsconfig.json.

Minor Changes

• c185cbaa: Set minimum node version to 18

Patch Changes

• Updated dependencies [c185cbaa]
  • @​web/dev-server-core@​0.7.0

0.4.4

Patch Changes

• ef6b2543: Use split versions for all lit dependencies

... (truncated)

Commits

• 3a6bf8f Version Packages
• d826727 fix: upgrade esbuild to 0.25.x
• 5f4f351 Version Packages
• dc23517 chore: bump esbuild to 0.24.0
• f506af3 chore: upgrade esbuild to 0.20.x
• 03f3c6f Version Packages
• 54d65a4 ci: align reporters across all packages
• 90e4472 ci: use workspaces to run node tests
• 0780a22 Version Packages
• ce40a8f update @​web/dev-server-rollup in more places
• Additional commits viewable in compare view

Updates barely-a-dev-server from 0.3.6 to 0.8.1

Release notes

Sourced from barely-a-dev-server's releases.

v0.8.1

Release notes:

• Add .htm as an HTML extension.

v0.8.0

Release notes:

• Use @cubing/dev-config/esbuild/es2022 under the hood.

v0.7.1

Release notes:

• Bump esbuild peer dep to v0.25.0. This fixes a vulnerability in the esbuild dev server, but note that barely-a-dev-server does not use this server.

v0.7.0

Release notes:

• Introduce a bundleCSS option.

v0.6.3

Release notes:

• Change default target to es2022.

v0.6.2

Release notes:

• Add MIME types for .avif and .jxl.
• Bump the esbuild peer dependency version.

v0.6.1

Release notes:

• Remove a workaround for bun. v1.0.30 or higher is required now.

v0.6.0

Release notes:

• Fix the non-dev invocation of esbuild.
• Rely on esbuild for file globbing.
• Add a temporary workaround for bun compatibility.

v0.5.2

No release notes provided.

v0.5.1

No release notes provided.

v0.5.0

... (truncated)

Commits

• 886e9b8 v0.8.1
• 9e50cc5 Add .htm as an HTML extension.
• d5d62b7 v0.8.0
• 4f56326 Use @cubing/dev-config/esbuild/es2022.
• f73fd4c bun add @cubing/dev-config
• f81c195 Fix up CI to match other projects.
• 42c265e v0.7.1
• 3d63123 Bump esbuild peer dep to v0.25.0 and fix up dev config.
• 28339b3 v0.7.0
• 97983c6 Fix up Makefile and linting.
• Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Removes ip

Updates @web/test-runner from 0.15.0 to 0.20.2

Release notes

Sourced from @​web/test-runner's releases.

@​web/test-runner@​0.20.2

Patch Changes

• 7aedbaa: Summary Reporter - re-enabled error reporting and made option to disable browser logs and error reporting in this reporter

@​web/test-runner@​0.20.1

Patch Changes

• 24e3290: Improve debug message for test runner uncaught exceptions

  This should make debugging easier. It wasn't very easy to figure out where the errors originated from (because of how the actual uncaught exception only happened with many concurrent builds inside a sandbox environment that is hard to debug).

• Updated dependencies [79b0ba4]

  • @​web/test-runner-chrome@​0.18.1

@​web/test-runner@​0.20.0

Minor Changes

• 86eaa21: Upgrade puppeteer version to v24

Patch Changes

• Updated dependencies [86eaa21]
  • @​web/test-runner-chrome@​0.18.0

@​web/test-runner@​0.19.0

Minor Changes

• b546e8b5: Upgrade puppeteer-core and puppeteer to v23

Patch Changes

• Updated dependencies [b546e8b5]
  • @​web/test-runner-chrome@​0.17.0

@​web/test-runner@​0.18.3

Patch Changes

• 6914f3b6: Show suites names for summaryReporter when flatten option is true

@​web/test-runner@​0.18.2

Patch Changes

• 6a97a691: Unify visual-written representation of skipped tests.

@​web/test-runner@​0.18.1

Patch Changes

... (truncated)

Changelog

Sourced from @​web/test-runner's changelog.

0.20.2

Patch Changes

• 7aedbaa: Summary Reporter - re-enabled error reporting and made option to disable browser logs and error reporting in this reporter

0.20.1

Patch Changes

• 24e3290: Improve debug message for test runner uncaught exceptions

  This should make debugging easier. It wasn't very easy to figure out where the errors originated from (because of how the actual uncaught exception only happened with many concurrent builds inside a sandbox environment that is hard to debug).

• Updated dependencies [79b0ba4]

  • @​web/test-runner-chrome@​0.18.1

0.20.0

Minor Changes

• 86eaa21: Upgrade puppeteer version to v24

Patch Changes

• Updated dependencies [86eaa21]
  • @​web/test-runner-chrome@​0.18.0

0.19.0

Minor Changes

• b546e8b5: Upgrade puppeteer-core and puppeteer to v23

Patch Changes

• Updated dependencies [b546e8b5]
  • @​web/test-runner-chrome@​0.17.0

0.18.3

Patch Changes

• 6914f3b6: Show suites names for summaryReporter when flatten option is true

0.18.2

... (truncated)

Commits

• 9645344 Version Packages
• 61260d5 Turned error reporting back on by default to match old behviour before it was...
• 4fa7523 add back broken error reporting and make log reporting optional
• db00ed5 Version Packages
• 24e3290 refactor: improve debug message for test runner uncaught exceptions
• f00a581 Version Packages
• fcb71cd Version Packages
• 8834ad8 Version Packages
• d5ae228 Version Packages (#2803)
• 9a88d83 Version Packages (#2774)
• Additional commits viewable in compare view

Updates @open-wc/testing from 3.1.7 to 3.2.2

Release notes

Sourced from @​open-wc/testing's releases.

@​open-wc/testing@​3.2.2

Patch Changes

• e94ca9aa: chore(testing): remove unused dependencies"

@​open-wc/testing@​3.2.1

Patch Changes

• 84e38ab1: Use split versions for all lit dependencies
• Updated dependencies [84e38ab1]
  • @​open-wc/testing-helpers@​2.3.1

@​open-wc/testing@​3.1.8

Patch Changes

• 91a5d224: fix(deps): update dependency @​types/chai-dom to v1
• Updated dependencies [077d07eb]
  • @​open-wc/testing-helpers@​2.2.1

Changelog

Sourced from @​open-wc/testing's changelog.

3.2.2

Patch Changes

• e94ca9aa: chore(testing): remove unused dependencies"

3.2.1

Patch Changes

• 84e38ab1: Use split versions for all lit dependencies
• Updated dependencies [84e38ab1]
  • @​open-wc/testing-helpers@​2.3.1

3.2.0

Minor Changes

• 935c8ffe: Drop support for Node@14

Patch Changes

• 3289e0eb: Add oneDefaultPreventedEvent export into testing package and no-side-effect indexes
• Updated dependencies [935c8ffe]
• Updated dependencies [3289e0eb]
• Updated dependencies [80c6ae66]
  • chai-a11y-axe@1.5.0
  • @​open-wc/semantic-dom-diff@​0.20.0
  • @​open-wc/testing-helpers@​2.3.0

3.1.8

Patch Changes

• 91a5d224: fix(deps): update dependency @​types/chai-dom to v1
• Updated dependencies [077d07eb]
  • @​open-wc/testing-helpers@​2.2.1

Commits

• c4debdd Version Packages (#2737)
• e94ca9a chore(testing): remove unused dependencies (#2736)
• d91a621 Version Packages
• 14e4270 feat: new a11y rules (#2686)
• 57ddb3c Version Packages
• 3289e0e fix(testing|testing-helpers): export oneDefaultPreventedEvent through testing...
• 74f51a7 Version Packages
• f077923 fix(deps): update dependency @​types/chai-dom to v1
• See full diff in compare view

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

Commits

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Updates nanoid from 3.3.4 to 3.3.11

Release notes

Sourced from nanoid's releases.

3.3.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

Changelog

Sourced from nanoid's changelog.

3.3.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

3.3.8

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

3.3.7

• Fixed node16 TypeScript support (by Saadi Myftija).

3.3.6

• Fixed package.

3.3.5

• Backport funding information.

Commits

• 37289ce Release 3.3.11 version
• 23690b7 Fix CI
• c147962 Fix RN support
• a83734e Move to manually ESM/CJS dual package
• bb12e8a Release 3.3.10 version
• 8f44264 Fix Expo support
• adf9b0c Release 3.3.9 version
• 1c6f088 Remove dev file from npm package
• 3044cd5 Release 3.3.8 version
• 4fe3495 Update size limit
• Additional commits viewable in compare view

Updates ws from 7.5.9 to 7.5.10

Release notes

Sourced from ws's releases.

7.5.10

Bug fixes

• Backported e55e5106 to the 7.x release line (22c28763).

Commits

• d962d70 [dist] 7.5.10
• 22c2876 [security] Fix crash when the Upgrade header cannot be read (#2231)
• See full diff in compare view

Updates rollup from 2.79.1 to 4.46.2

Release notes

Sourced from rollup's releases.

v4.46.2

4.46.2

2025-07-29

Bug Fixes

• Fix in-operator handling for external namespace and when the left side cannot be analyzed (#6041)

Pull Requests

• #6041: Correct the logic of include in BinaryExpression and don't optimize external references away (@​TrickyPi, @​cyyynthia, @​lukastaegert)

v4.46.1

4.46.1

2025-07-28

Bug Fixes

• Do not fail when using the in operator on external namespaces (#6036)

Pull Requests

• #6036: disables optimization for external namespace when using the in operator (@​TrickyPi)

v4.46.0

4.46.0

2025-07-27

Features

• Optimize in checks on namespaces to keep them treeshake-able (#6029)

Pull Requests

• #5991: feat: update linux-loongarch64-gnu (@​wojiushixiaobai, @​lukastaegert)
• #6029: feat: optimize in checks on namespaces to keep them treeshake-able (@​cyyynthia, @​lukastaegert)
• #6033: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)

v4.45.3

4.45.3

2025-07-26

Bug Fixes

• Do not fail build if a const is reassigned but warn instead (#6020)
• Fail with a helpful error message if an exported binding is not defined (#6023)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.46.2

2025-07-29

Bug Fixes

• Fix in-operator handling for external namespace and when the left side cannot be analyzed (#6041)

Pull Requests

• #6041: Correct the logic of include in BinaryExpression and don't optimize external references away (@​TrickyPi, @​cyyynthia, @​lukastaegert)

4.46.1

2025-07-28

Bug Fixes

• Do not fail when using the in operator on external namespaces (#6036)

Pull Requests

• #6036: disables optimization for external namespace when using the in operator (@​TrickyPi)

4.46.0

2025-07-27

Features

• Optimize in checks on namespaces to keep them treeshake-able (#6029)

Pull Requests

• #5991: feat: update linux-loongarch64-gnu (@​wojiushixiaobai, @​lukastaegert)
• #6029: feat: optimize in checks on namespaces to keep them treeshake-able (@​cyyynthia, @​lukastaegert)
• #6033: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)

4.45.3

2025-07-26

Bug Fixes

• Do not fail build if a const is reassigned but warn instead (#6020)
• Fail with a helpful error message if an exported binding is not defined (#6023)

Pull Requests

• #6014: chore(deps): update dependency @​vue/language-server to v3 (@​renovate[bot])

... (truncated)

Commits

• 4e19bad 4.46.2
• 603e046 Correct the logic of include in BinaryExpression and don't optimize external ...
• 244dc20 4.46.1
• 6031a33 disables optimization for external namespace when using the in operator (#6036)
• 09794f1 4.46.0
• 9a8614f feat: optimize in checks on namespaces to keep them treeshake-able (#6029)
• fdd48a9 feat: update linux-loongarch64-gnu (#5991)
• 461b1ac fix(deps): update swc monorepo (major) (#6033)
• d6908c9 4.45.3
• ccdde29 Fix option name
• Additional commits viewable in compare view

Updates tar-fs from 2.1.1 to 3.1.0

Commits

• cb1c571 3.1.0
• 374460e add optional disablement of symlink validation (#119)
• 5bfe6df 3.0.10
• 63e12f9 bare support
• 2ceedf4 3.0.9
• 647447b check windows tweak (#115)
• e4a7a40 3.0.8
• 504ca0f upgrade bare packages
• 1e4cc04 3.0.7
• a1dd7e7 refactor and throw on bad symlink
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[fletchto99]

Closing as this project has been deprecated. Please see the project readme for more information.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml