Skip to content

Bump the npm_and_yarn group across 1 directory with 9 updates#604

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-f2c66a8352
Open

Bump the npm_and_yarn group across 1 directory with 9 updates#604
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-f2c66a8352

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 5, 2026

Bumps the npm_and_yarn group with 8 updates in the / directory:

Package From To
storybook 8.6.14 8.6.17
diff 5.2.0 5.2.2
lodash 4.17.21 4.17.23
markdown-it 14.1.0 14.1.1
qs 6.14.0 6.14.2
rollup 4.53.3 4.59.0
svgo 2.8.0 2.8.2
webpack 5.103.0 5.105.4

Updates storybook from 8.6.14 to 8.6.17

Release notes

Sourced from storybook's releases.

v8.6.17

8.6.17

  • Harden websocket connection

v8.6.16

8.6.16

  • No-op release. No changes.

v8.6.15

8.6.15

Changelog

Sourced from storybook's changelog.

8.6.17

  • Harden websocket connection

8.6.16

  • No-op release. No changes.
Commits
  • c6e550a Bump version from "8.6.16" to "8.6.17" [skip ci]
  • 9cf9d89 Core: Require token for websocket connections
  • 7e51515 Bump version from "8.6.15" to "8.6.16" [skip ci]
  • 3812b43 Bump version from 8.6.14 to 8.6.15 MANUALLY
  • 4a04cb2 filter env vars from .env files
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for storybook since your current version.


Updates diff from 5.2.0 to 5.2.2

Changelog

Sourced from diff's changelog.

v5.2.2 - January 2026

Only change from 5.2.0 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v5.2.1 (deprecated)

Accidental release - do not use.

Commits

Updates lodash from 4.17.21 to 4.17.23

Commits

Updates markdown-it from 14.1.0 to 14.1.1

Changelog

Sourced from markdown-it's changelog.

[14.1.1] - 2026-01-11

Security

  • Fixed regression from v13 in linkify inline rule. Specific patterns could cause high CPU use. Thanks to @​ltduc147 for report.
Commits

Updates qs from 6.14.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLengtharrayLimit)
  • [actions] fix rebase workflow permissions

6.14.1

  • [Fix] ensure arrayLimit applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect
Commits
  • bdcf0c7 v6.14.2
  • 294db90 [readme] document that addQueryPrefix does not add ? to empty output
  • 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
  • 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
  • cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
  • febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
  • f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
  • fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
  • 1b9a8b4 [actions] fix rebase workflow permissions
  • 2a35775 [meta] fix changelog typo (arrayLengtharrayLimit)
  • Additional commits viewable in compare view

Updates rollup from 4.53.3 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

  • Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

v4.58.0

4.58.0

2026-02-20

Features

  • Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

v4.57.1

4.57.1

2026-01-30

Bug Fixes

  • Fix heap corruption issue in Windows (#6251)
  • Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.59.0

2026-02-22

Features

  • Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

4.58.0

2026-02-20

Features

  • Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

4.57.1

2026-01-30

Bug Fixes

  • Fix heap corruption issue in Windows (#6251)
  • Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

... (truncated)

Commits

Updates svgo from 2.8.0 to 2.8.2

Release notes

Sourced from svgo's releases.

v2.8.2

This is effectively just a re-release of SVGO v2.8.1, but with *.test.js files omitted. It seems something was wrong with the configuration in the v2.8.0 tag and I hadn't noticed it included a few extra files. 😅

We'll deprecate v2.8.1, and I'll include the change log here.

What's Changed

Dependencies

  • Migrates from our unsupported fork of sax (@​trysound/sax) to the upstream version of sax (sax).

Bug Fixes

  • No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

v2.8.0 v2.8.2 Delta
svgo.browser.js 587.2 kB 589.2 kB ⬆️ 2 kB

Support

SVGO v2 is not officially supported, please consider upgrading to SVGO v4 instead. We've backported this fix as there are security implications, but there is no commitment to do this for more complex changes in future.

Consider reading our Migration Guide from v2 to v3 and Migration Guide from v3 to v4 which should ease the process.

v2.8.1

Deprecated

This release left *.test.js files in the package, which have been omitted in v2.8.2. Sorry for the noise!

What's Changed

Dependencies

  • Migrates from our unsupported fork of sax (@​trysound/sax) to the upstream version of sax (sax).

Bug Fixes

  • No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

v2.8.0 v2.8.1 Delta

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by sethiii, a new releaser for svgo since your current version.


Updates vega-functions from 5.18.1 to 6.1.1

Release notes

Sourced from vega-functions's releases.

v6.1.1

Full Changelog: vega/vega@v6.1.0...v6.1.1

v6.1.0

What's Changed

Full Changelog: vega/vega@v6.0.0...v6.1.0

v6.0.0

changes since v5.33.0

monorepo

vega-typings

docs

v5.33.1

What's Changed

Fixes GHSA-7f2v-3qq3-vvjf for v5 releases

Full Changelog: vega/vega@v5.33.0...v5.33.1

v5.33.0

Changes since v5.32.0

docs

v5.32.0

Changes since v5.31.0

... (truncated)

Commits

Updates webpack from 5.103.0 to 5.105.4

Release notes

Sourced from webpack's releases.

v5.105.4

Patch Changes

  • Add Module.getSourceBasicTypes to distinguish basic source types and clarify how modules with non-basic source types like remote still produce JavaScript output. (by @​xiaoxiaojx in #20546)

  • Handle createRequire in expressions. (by @​alexander-akait in #20549)

  • Fixed types for multi stats. (by @​alexander-akait in #20556)

  • Remove empty needless js output for normal css module. (by @​JSerFeng in #20162)

  • Update enhanced-resolve to support new features for tsconfig.json. (by @​alexander-akait in #20555)

  • Narrows export presence guard detection to explicit existence checks on namespace imports only, i.e. patterns like "x" in ns. (by @​hai-x in #20561)

v5.105.3

Patch Changes

  • Context modules now handle rejections correctly. (by @​alexander-akait in #20455)

  • Only mark asset modules as side-effect-free when experimental.futureDefaults is set to true, so asset-copying use cases (e.g. import "./x.png") won’t break unless the option is enabled. (by @​hai-x in #20535)

  • Add the missing webpack_exports declaration in certain cases when bundling a JS entry together with non-JS entries (e.g., CSS entry or asset module entry). (by @​hai-x in #20463)

  • Fixed HMR failure for CSS modules with @​import when exportType !== "link". When exportType is not "link", CSS modules now behave like JavaScript modules and don't require special HMR handling, allowing @​import CSS to work correctly during hot module replacement. (by @​xiaoxiaojx in #20514)

  • Fixed an issue where empty JavaScript files were generated for CSS-only entry points. The code now correctly checks if entry modules have JavaScript source types before determining whether to generate a JS file. (by @​xiaoxiaojx in #20454)

  • Do not crash when a referenced chunk is not a runtime chunk. (by @​alexander-akait in #20461)

  • Fix some types. (by @​alexander-akait in #20412)

  • Ensure that missing module error are thrown after the interception handler (if present), allowing module interception to customize the module factory. (by @​hai-x in #20510)

  • Added createRequire support for ECMA modules. (by @​stefanbinoj in #20497)

  • Added category for CJS reexport dependency to fix issues with ECMA modules. (by @​hai-x in #20444)

  • Implement immutable bytes for bytes import attribute to match tc39 spec. (by @​alexander-akait in #20481)

  • Fixed deterministic search for graph roots regardless of edge order. (by @​veeceey in #20452)

v5.105.2

Patch Changes

v5.105.1

Patch Changes

... (truncated)

Changelog

Sourced from webpack's changelog.

5.105.4

Patch Changes

  • Add Module.getSourceBasicTypes to distinguish basic source types and clarify how modules with non-basic source types like remote still produce JavaScript output. (by @​xiaoxiaojx in #20546)

  • Handle createRequire in expressions. (by @​alexander-akait in #20549)

  • Fixed types for multi stats. (by @​alexander-akait in #20556)

  • Remove empty needless js output for normal css module. (by @​JSerFeng in #20162)

  • Update enhanced-resolve to support new features for tsconfig.json. (by @​alexander-akait in #20555)

  • Narrows export presence guard detection to explicit existence checks on namespace imports only, i.e. patterns like "x" in ns. (by @​hai-x in #20561)

5.105.3

Patch Changes

  • Context modules now handle rejections correctly. (by @​alexander-akait in #20455)

  • Only mark asset modules as side-effect-free when experimental.futureDefaults is set to true, so asset-copying use cases (e.g. import "./x.png") won’t break unless the option is enabled. (by @​hai-x in #20535)

  • Add the missing webpack_exports declaration in certain cases when bundling a JS entry together with non-JS entries (e.g., CSS entry or asset module entry). (by @​hai-x in #20463)

  • Fixed HMR failure for CSS modules with @​import when exportType !== "link". When exportType is not "link", CSS modules now behave like JavaScript modules and don't require special HMR handling, allowing @​import CSS to work correctly during hot module replacement. (by @​xiaoxiaojx in #20514)

  • Fixed an issue where empty JavaScript files were generated for CSS-only entry points. The code now correctly checks if entry modules have JavaScript source types before determining whether to generate a JS file. (by @​xiaoxiaojx in #20454)

  • Do not crash when a referenced chunk is not a runtime chunk. (by @​alexander-akait in #20461)

  • Fix some types. (by @​alexander-akait in #20412)

  • Ensure that missing module error are thrown after the interception handler (if present), allowing module interception to customize the module factory. (by @​hai-x in #20510)

  • Added createRequire support for ECMA modules. (by @​stefanbinoj in #20497)

  • Added category for CJS reexport dependency to fix issues with ECMA modules. (by @​hai-x in #20444)

  • Implement immutable bytes for bytes import attribute to match tc39 spec. (by @​alexander-akait in #20481)

  • Fixed deterministic search for graph roots regardless of edge order. (by @​veeceey in #20452)

5.105.2

Patch Changes

... (truncated)

Commits
  • 27c13b4 chore(release): new release (#20550)
  • 9b2f41e chore: bump terser plugin (#20569)
  • eafe060 fix: narrow the export presence guard detection (#20561)
  • 75d605c refactor: add AppendOnlyStackedSet iteration support and tests (#20560)
  • afa607d refactor: remove unused code (#20562)
  • 4098902 test: add source files for web-webworker and web-webworker-auto-public-path (...
  • f97be67 refactor: fix duplicated word in Compilation JSDoc (#20547)
  • 9d76fff refactor: add Module.getSourceBasicTypes for basic JS type detection (#20546)
  • a3d7839 fix: types for multi stats (#20556)
  • b8e9b05 fix: update enhanced-resolve to support new features for tsconfig.json (#...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for webpack since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the npm_and_yarn group across 1 directory with 9 updates
4f8c82f 
Bumps the npm_and_yarn group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [storybook](https://github.com/storybookjs/storybook/tree/HEAD/code/core) | `8.6.14` | `8.6.17` |
| [diff](https://github.com/kpdecker/jsdiff) | `5.2.0` | `5.2.2` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` |
| [markdown-it](https://github.com/markdown-it/markdown-it) | `14.1.0` | `14.1.1` |
| [qs](https://github.com/ljharb/qs) | `6.14.0` | `6.14.2` |
| [rollup](https://github.com/rollup/rollup) | `4.53.3` | `4.59.0` |
| [svgo](https://github.com/svg/svgo) | `2.8.0` | `2.8.2` |
| [webpack](https://github.com/webpack/webpack) | `5.103.0` | `5.105.4` |



Updates `storybook` from 8.6.14 to 8.6.17
- [Release notes](https://github.com/storybookjs/storybook/releases)
- [Changelog](https://github.com/storybookjs/storybook/blob/v8.6.17/CHANGELOG.md)
- [Commits](https://github.com/storybookjs/storybook/commits/v8.6.17/code/core)

Updates `diff` from 5.2.0 to 5.2.2
- [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md)
- [Commits](kpdecker/jsdiff@v5.2.0...v5.2.2)

Updates `lodash` from 4.17.21 to 4.17.23
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

Updates `markdown-it` from 14.1.0 to 14.1.1
- [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md)
- [Commits](markdown-it/markdown-it@14.1.0...14.1.1)

Updates `qs` from 6.14.0 to 6.14.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.0...v6.14.2)

Updates `rollup` from 4.53.3 to 4.59.0
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.53.3...v4.59.0)

Updates `svgo` from 2.8.0 to 2.8.2
- [Release notes](https://github.com/svg/svgo/releases)
- [Commits](svg/svgo@v2.8.0...v2.8.2)

Updates `vega-functions` from 5.18.1 to 6.1.1
- [Release notes](https://github.com/vega/vega/releases)
- [Commits](https://github.com/vega/vega/commits/v6.1.1)

Updates `webpack` from 5.103.0 to 5.105.4
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.103.0...v5.105.4)

---
updated-dependencies:
- dependency-name: storybook
  dependency-version: 8.6.17
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: diff
  dependency-version: 5.2.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: markdown-it
  dependency-version: 14.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.14.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 4.59.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: svgo
  dependency-version: 2.8.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vega-functions
  dependency-version: 6.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: webpack
  dependency-version: 5.105.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 5, 2026
@dependabot dependabot bot mentioned this pull request Mar 5, 2026
Closed
@netlify
Copy link

netlify bot commented Mar 5, 2026
edited
Loading

Deploy Preview for upset2 ready!

Name Link
🔨 Latest commit 4f8c82f
🔍 Latest deploy log https://app.netlify.com/projects/upset2/deploys/69a8cdab7156e60008f036bb
😎 Deploy Preview https://deploy-preview-604--upset2.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants