@dependabot dependabot bot commented on behalf of github Dec 15, 2025

Bumps the npm group with 4 updates: @types/node, pnpm, es-iterator-helpers and zod.

Updates @types/node from 25.0.1 to 25.0.2

Updates pnpm from 10.25.0 to 10.26.0

Release notes

Sourced from pnpm's releases.

pnpm 10.26

Minor Changes

  • Semi-breaking. Block git-hosted dependencies from running prepare scripts unless explicitly allowed in onlyBuiltDependencies #10288.

  • Semi-breaking. Compute integrity hash for HTTP tarball dependencies when fetching, storing it in the lockfile to prevent servers from serving altered content on subsequent installs #10287.

  • Added a new setting blockExoticSubdeps that prevents the resolution of exotic protocols in transitive dependencies.

    When set to true, direct dependencies (those listed in your root package.json) may still use exotic sources, but all transitive dependencies must be resolved from a trusted source. Trusted sources include the configured registry, local file paths, workspace links, trusted GitHub repositories (node, bun, deno), and custom resolvers.

    This helps to secure the dependency supply chain. Packages from trusted sources are considered safer, as they are typically subject to more reliable verification and scanning for malware and vulnerabilities.

    Exotic sources are dependency locations that bypass the usual trusted resolution process. These protocols are specifically targeted and blocked: Git repositories (git+ssh://...) and direct URL links to tarballs (https://.../package.tgz).

    Related PR: #10265.

  • Added support for allowBuilds, which is a new field that can be used instead of onlyBuiltDependencies and ignoredBuiltDependencies. The new allowBuilds field in your pnpm-workspace.yaml uses a map of package matchers to explicitly allow (true) or disallow (false) script execution. This allows for a single, easy-to-manage source of truth for your build permissions.

    Example Usage. To explicitly allow all versions of esbuild to run scripts and prevent core-js from running them:

    allowBuilds:
      esbuild: true
      core-js: false

    The example above achieves the same result as the previous configuration:

    onlyBuiltDependencies:
      - esbuild
    ignoredBuiltDependencies:
      - core-js

    Related PR: #10311

  • Added support for --dry-run to the pack command #10301.

Patch Changes

  • Show deprecation in table/list formats when latest version is deprecated #8658.
  • Remove the injectWorkspacePackages setting from the lockfile on the deploy command #10294.
  • Normalize the tarball URLs before saving them to the lockfile. URLs should not contain default ports, like :80 for http and :443 for https #10273.
  • When a dependency is installed via a direct URL that redirects to another URL and is immutable, the original URL is normalized and saved to package.json #10197.

Platinum Sponsors

... (truncated)

Commits
  • 244e33b chore(release): 10.26.0
  • 4077539 fix(git-fetcher): block git dependencies from running prepare scripts unless ...
  • See full diff in compare view

Updates es-iterator-helpers from 1.2.1 to 1.2.2

Changelog

Sourced from es-iterator-helpers's changelog.

v1.2.2 - 2025-12-13

Commits

  • [Tests] joint iteration: add missing & passing test262 tests 34258f3
  • [Deps] update call-bound, es-abstract, get-intrinsic e05660b
  • [Tests] Iterator.from, Iterator.prototype.toArray: add missing & passing test262 tests 7831bd6
  • [Dev Deps] update eslint, @ljharb/eslint-config 35ecd14
  • [Fix] IteratorZip: return should close all underlying iterators 5bcab73
  • [Fix] IteratorHelperPrototype: throw TypeError when return() is called re-entrantly 0acdd41
  • [Tests] Iterator.concat: add missing & passing test262 tests 9645f4d
  • [Fix] Iterator.concat: prevent return() from being forwarded multiple times 1271d61
  • [Fix] Iterator.zip: strict mode should return sentinel after all iterators done f4c8b99
  • [Dev Deps] update @es-shims/api, @ljharb/eslint-config, eslint, eslint-plugin-import, has-strict-mode, make-generator-function, npmignore acba233
  • [Deps] update es-abstract, es-set-tostringtag, get-intrinsic, iterator.prototype 06515e7
  • [Dev Deps] update es-value-fixtures, for-each, object-inspect 2afe7a3
  • [Dev Deps] update @ljharb/eslint-config, eslint 18fa1c1
  • [Fix] GeneratorResumeAbrupt: set state to COMPLETED after return completion 10e5e21
  • [Deps] update es-abstract 3469d15
  • [Dev Deps] add missing peer dep a0d780d
Commits
  • d5379b9 v1.2.2
  • a0d780d [Dev Deps] add missing peer dep
  • 3469d15 [Deps] update es-abstract
  • 18fa1c1 [Dev Deps] update @ljharb/eslint-config, eslint
  • 10e5e21 [Fix] GeneratorResumeAbrupt: set state to COMPLETED after return completion
  • 0acdd41 [Fix] IteratorHelperPrototype: throw TypeError when return() is called re...
  • 1271d61 [Fix] Iterator.concat: prevent return() from being forwarded multiple times
  • 5bcab73 [Fix] IteratorZip: return should close all underlying iterators
  • f4c8b99 [Fix] Iterator.zip: strict mode should return sentinel after all iterators ...
  • 35ecd14 [Dev Deps] update eslint, @ljharb/eslint-config
  • Additional commits viewable in compare view

Updates zod from 4.1.13 to 4.2.0

Release notes

Sourced from zod's releases.

v4.2.0

Features

Implement Standard JSON Schema

standard-schema/standard-schema#134

Implement z.fromJSONSchema()

const jsonSchema = {
  type: "object",
  properties: {
    name: { type: "string" },
    age: { type: "number" }
  },
  required: ["name"]
};
const schema = z.fromJSONSchema(jsonSchema);

Implement z.xor()

const schema = z.xor(
  z.object({ type: "user", name: z.string() }),
  z.object({ type: "admin", role: z.string() })
);
// Exactly one of the schemas must match

Implement z.looseRecord()

const schema = z.looseRecord(z.string(), z.number());
// Allows additional properties beyond those defined

Commits:

  • af49c084f66339110d00e37ff71dc7b3b9f2b7ef Update docs for JSON Schema conversion of z.undefined() (#5504)
  • 767f320318986e422f524b939f1a7174544fda2e Add .toJSONSchema() method (#5477)
  • e17dcb63573397063e87d7c7fe10a5a78968181a Add z.fromJSONSchema(), z.looseRecord(), z.xor() (#5534)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the npm group with 4 updates: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node), [pnpm](https://github.com/pnpm/pnpm/tree/HEAD/pnpm), [es-iterator-helpers](https://github.com/es-shims/iterator-helpers) and [zod](https://github.com/colinhacks/zod).


Updates `@types/node` from 25.0.1 to 25.0.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `pnpm` from 10.25.0 to 10.26.0
- [Release notes](https://github.com/pnpm/pnpm/releases)
- [Changelog](https://github.com/pnpm/pnpm/blob/v10.26.0/pnpm/CHANGELOG.md)
- [Commits](https://github.com/pnpm/pnpm/commits/v10.26.0/pnpm)

Updates `es-iterator-helpers` from 1.2.1 to 1.2.2
- [Changelog](https://github.com/es-shims/iterator-helpers/blob/main/CHANGELOG.md)
- [Commits](es-shims/iterator-helpers@v1.2.1...v1.2.2)

Updates `zod` from 4.1.13 to 4.2.0
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](colinhacks/zod@v4.1.13...v4.2.0)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.0.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: pnpm
  dependency-version: 10.26.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: es-iterator-helpers
  dependency-version: 1.2.2
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: zod
  dependency-version: 4.2.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: npm
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Dec 15, 2025
vercel bot commented Dec 15, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project               Deployment   Review   Updated (UTC)
github-oauth-example  Error        Error    Dec 15, 2025 2:17pm

@github-actions github-actions bot enabled auto-merge (squash) December 15, 2025 14:17
@github-actions github-actions bot merged commit eaca9bd into main Dec 15, 2025
5 of 6 checks passed
@github-actions github-actions bot deleted the dependabot/npm_and_yarn/npm-46603df216 branch December 15, 2025 14:17