Bump the npm_and_yarn group across 1 directory with 10 updates

[dependabot]

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package	From	To
@babel/runtime-corejs3	7.17.2	7.29.2
ajv	8.10.0	8.18.0
brace-expansion	1.1.11	1.1.13
diff	4.0.2	4.0.4
flatted	2.0.2	3.4.2
minimatch	3.1.2	3.1.5

Updates @babel/runtime-corejs3 from 7.17.2 to 7.29.2

Release notes

Sourced from @​babel/runtime-corejs3's releases.

v7.29.2 (2026-03-16)

👓 Spec Compliance

• babel-parser
  • #17840 [7.x backport] async x => {} must be in leading pos (@​JLHwung)

🐛 Bug Fix

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • #17805 [7.x backport] fix: Properly handle await in finally (@​liuxingbaoyu)
• babel-preset-env
  • #17789 [7.x backport] preset-env include/exclude should accept bugfix plugins (@​JLHwung)

🏠 Internal

• #17813 chore: update eslint peer deps (@​JLHwung)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.1 (2026-02-04)

🐛 Bug Fix

• babel-standalone
  • #17771 [7.x backport] fix: ensure targets.esmodules is validated (@​JLHwung)
• babel-generator
  • #17776 [7.x backport] Fix undefined when 64 indents (@​liuxingbaoyu)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature

• babel-types
  • #17750 [7.x backport] Add attributes import declaration builder (@​JLHwung)
• babel-standalone
  • #17663 [7.x backport] feat(standalone): export async transform (@​JLHwung)
  • #17725 [7.x backport] feat: read standalone targets from data-targets (@​JLHwung)

🐛 Bug Fix

• babel-parser
  • #17765 fix(parser): correctly parse type assertions in extends clause (@​nicolo-ribaudo)
  • #17723 [7.x backport] fix(parser): improve super type argument parsing (@​JLHwung)
• babel-traverse
  • #17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
• babel-plugin-transform-block-scoping, babel-traverse
  • #17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)

... (truncated)

Commits

• 37d5595 v7.29.2
• 1c0a08d [7.x backport] fix: Properly handle await in finally (#17805)
• aa8394e v7.29.0
• 0053db6 Update polyfill packages (#17727)
• 68e1577 [Babel 7] Improve generator performance (#17642)
• d7f4008 v7.28.6
• 35055e3 v7.28.4
• 18d88b8 Improve @​babel/core typings (#17471)
• ef155f5 v7.28.3
• cac0ff4 v7.28.2
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​babel/runtime-corejs3 since your current version.

Updates ajv from 8.10.0 to 8.18.0

Release notes

Sourced from ajv's releases.

v8.18.0

What's Changed

• feat: allow tree-shaking by adding "sideEffects": false to package.json by @​josdejong in ajv-validator/ajv#2480
• fix: #2482 Infinity and NaN serialise to null by @​jasoniangreen in ajv-validator/ajv#2487
• fix: small grammatical error in managing-schemas.md by @​monteiro-renato in ajv-validator/ajv#2508
• fix: typos in schema-language.md by @​monteiro-renato in ajv-validator/ajv#2507
• fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @​epoberezkin in ajv-validator/ajv#2586

New Contributors

• @​josdejong made their first contribution in ajv-validator/ajv#2480
• @​monteiro-renato made their first contribution in ajv-validator/ajv#2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

v8.17.1

What's Changed

• bump version to 8.17.1 by @​jasoniangreen in ajv-validator/ajv#2472

Full Changelog: ajv-validator/ajv@v8.17.0...v8.17.1

Plus everything in 8.17.0 which failed to release

The only functional change is to switch from uri-js (which is no longer supported), to fast-uri. This is the second attempt and the team on fast-uri have been really helpful addressing the issues we found last time.

Revert "Revert fast-uri change (ajv-validator/ajv#2444)" by @​gurgunday in ajv-validator/ajv#2448 fix: ignore new eslint error for @​typescript-eslint/no-extraneous-class by @​jasoniangreen in ajv-validator/ajv#2455 docs: clarify behaviour of addVocabulary by @​jasoniangreen in ajv-validator/ajv#2454 docs: refactor to improve legibility by @​blottn in ajv-validator/ajv#2432 Fix grammatical typo in managing-schemas.md by @​wetneb in ajv-validator/ajv#2305 docs: Fix broken strict-mode link by @​alexanderjsx in ajv-validator/ajv#2459 feat: add test for encoded refs and bump fast-uri by @​jasoniangreen in ajv-validator/ajv#2449 fix: changes for @​typescript-eslint/array-type rule by @​jasoniangreen in ajv-validator/ajv#2467 fixes ajv-validator/ajv#2217 - clarify custom keyword naming by @​jasoniangreen in ajv-validator/ajv#2457

v8.17.0

What's Changed

The only functional change is to switch from uri-js (which is no longer supported), to fast-uri. This is the second attempt and the team on fast-uri have been really helpful addressing the issues we found last time.

• Revert "Revert fast-uri change (#2444)" by @​gurgunday in ajv-validator/ajv#2448
• fix: ignore new eslint error for @​typescript-eslint/no-extraneous-class by @​jasoniangreen in ajv-validator/ajv#2455
• docs: clarify behaviour of addVocabulary by @​jasoniangreen in ajv-validator/ajv#2454
• docs: refactor to improve legibility by @​blottn in ajv-validator/ajv#2432
• Fix grammatical typo in managing-schemas.md by @​wetneb in ajv-validator/ajv#2305
• docs: Fix broken strict-mode link by @​alexanderjsx in ajv-validator/ajv#2459
• feat: add test for encoded refs and bump fast-uri by @​jasoniangreen in ajv-validator/ajv#2449
• fix: changes for @​typescript-eslint/array-type rule by @​jasoniangreen in ajv-validator/ajv#2467
• fixes #2217 - clarify custom keyword naming by @​jasoniangreen in ajv-validator/ajv#2457

... (truncated)

Commits

• 142ce84 8.18.0
• 720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
• 82735a1 fix: typos in schema-language.md (#2507)
• b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
• 69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
• f06766f feat: allow tree-shaking by adding ``"sideEffects": falsetopackage.json` ...
• 9050ba1 bump version to 8.17.1 (#2472)
• f7831b4 fixes #2217 - clarify custom keyword naming (#2457)
• a523784 fix: changes for @​typescript-eslint/array-type rule (#2467)
• 595fe58 feat: add test for encoded refs and bump fast-uri (#2449)
• Additional commits viewable in compare view

Updates brace-expansion from 1.1.11 to 1.1.13

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates diff from 4.0.2 to 4.0.4

Changelog

Sourced from diff's changelog.

v4.0.4 - January 2026

Only change from 4.0.2 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v4.0.3 (deprecated)

Accidental release - do not use.

Commits

• f06f3e4 v4.0.4
• 0179a48 v4.0.3
• 4568cae Backport kpdecker/jsdiff#649
• 4de0ffa Backport kpdecker/jsdiff#647
• See full diff in compare view

Maintainer changes

This version was pushed to npm by explodingcabbage, a new releaser for diff since your current version.

Updates flatted from 2.0.2 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates js-yaml from 3.14.1 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.
• Added replacer option (similar to option in JSON.stringify), #339.
• Custom Tag can now handle all tags or multiple tags with the same prefix, #385.

Fixed

... (truncated)

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• 2cef47b 4.1.0 released
• 810b149 dist rebuild
• 2b5620e Export built-in types, type override now preserves order
• Additional commits viewable in compare view

Updates json5 from 2.2.0 to 2.2.3

Release notes

Sourced from json5's releases.

v2.2.3

• Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1

• Fix: Removed dependence on minimist to patch CVE-2021-44906. (#266)

Changelog

Sourced from json5's changelog.

v2.2.3 [code, diff]

• Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

• Fix: Removed dependence on minimist to patch CVE-2021-44906. (#266)

Commits

• c3a7524 2.2.3
• 94fd06d docs: update CHANGELOG for v2.2.3
• 3b8cebf docs(security): use GitHub security advisories
• f0fd9e1 docs: publish a security policy
• 6a91a05 docs(template): bug -> bug report
• 14f8cb1 2.2.2
• 10cc7ca docs: update CHANGELOG for v2.2.2
• 7774c10 fix: add proto to objects and arrays
• edde30a Readme: slight tweak to intro
• 97286f8 Improve example in readme
• Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates semver from 5.7.1 to 7.7.4

Release notes

Sourced from semver's releases.

v7.7.4

7.7.4 (2026-01-16)

Bug Fixes

• a29faa5 #835 cli: pass options to semver.valid() for loose version validation (#835) (@​mldangelo)

Documentation

• 1d28d5e #836 fix typos and update -n CLI option documentation (#836) (@​mldangelo)

Dependencies

• 120968b #840 @npmcli/template-oss@4.29.0 (#840)

Chores

• 44d7130 #824 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#824) (@​dependabot[bot])
• 7073576 #820 reorder parameters in invalid-versions.js test (#820) (@​reggi)
• 5816d4c #829 bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#829) (@​dependabot[bot], @​npm-cli-bot)

v7.7.3

7.7.3 (2025-10-06)

Bug Fixes

• e37e0ca #813 faster paths for compare (#813) (@​H4ad)
• 2471d75 #811 x-range build metadata support (i529015)

Chores

• 8f05c87 #807 bump @​npmcli/template-oss from 4.25.0 to 4.25.1 (#807) (@​dependabot[bot], @​owlstronaut)

v7.7.2

7.7.2 (2025-05-12)

Bug Fixes

• fcafb61 #780 add missing 'use strict' directives (#780) (@​Fdawgs)
• c99f336 #781 prerelease identifier starting with digits (#781) (@​mbtools)

Chores

• c760403 #784 template-oss-apply for workflow permissions (#784) (@​wraithgar)
• 2677f2a #778 bump @​npmcli/template-oss from 4.23.6 to 4.24.3 (#778) (@​dependabot[bot], @​npm-cli-bot)

v7.7.1

7.7.1 (2025-02-03)

Bug Fixes

• af761c0 #764 inc: fully capture prerelease identifier (#764) (@​wraithgar)

v7.7.0

7.7.0 (2025-01-29)

Features

• 0864b3c #753 add "release" inc type (#753) (@​mbtools)

Bug Fixes

• d588e37 #755 diff: fix prerelease to stable version diff logic (#755) (@​eminberkayd, berkay.daglar)
• 8a34bde #754 add identifier validation to inc() (#754) (@​mbtools)

Documentation

• 67e5478 #756 readme: added missing period for consistency (#756) (@​shaymolcho)
• 868d4bb #749 clarify comment about obsolete prefixes (#749) (@​mbtools, @​ljharb)

Chores

• 145c554 #741 bump @​npmcli/eslint-config from 4.0.5 to 5.0.0 (@​dependabot[bot])
• 753e02b #747 bump @​npmcli/template-oss from 4.23.3 to 4.23.4 (#747) (@​dependabot[bot], @​npm-cli-bot)
• 0b812d5 #744 postinstall for dependabot template-oss PR (@​hashtagchris)

... (truncated)

Changelog

Sourced from semver's changelog.

7.7.4 (2026-01-16)

Bug Fixes

• a29faa5 #835 cli: pass options to semver.valid() for loose version validation (#835) (@​mldangelo)

Documentation

• 1d28d5e #836 fix typos and update -n CLI option documentation (#836) (@​mldangelo)

Dependencies

• 120968b #840 @npmcli/template-oss@4.29.0 (#840)

Chores

• 44d7130 #824 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#824) (@​dependabot[bot])
• 7073576 #820 reorder parameters in invalid-versions.js test (#820) (@​reggi)
• 5816d4c #829 bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#829) (@​dependabot[bot], @​npm-cli-bot)

7.7.3 (2025-10-06)

Bug Fixes

• e37e0ca #813 faster paths for compare (#813) (@​H4ad)
• 2471d75 #811 x-range build metadata support (i529015)

Chores

• 8f05c87 #807 bump @​npmcli/template-oss from 4.25.0 to 4.25.1 (#807) (@​dependabot[bot], @​owlstronaut)

7.7.2 (2025-05-12)

Bug Fixes

• fcafb61 #780 add missing 'use strict' directives (#780) (@​Fdawgs)
• c99f336 #781 prerelease identifier starting with digits (#781) (@​mbtools)

Chores

• c760403 #784 template-oss-apply for workflow permissions (#784) (@​wraithgar)
• 2677f2a #778 bump @​npmcli/template-oss from 4.23.6 to 4.24.3 (#778) (@​dependabot[bot], @​npm-cli-bot)

7.7.1 (2025-02-03)

Bug Fixes

• af761c0 #764 inc: fully capture prerelease identifier (#764) (@​wraithgar)

7.7.0 (2025-01-29)

Features

• 0864b3c #753 add "release" inc type (#753) (@​mbtools)

Bug Fixes

• d588e37 #755 diff: fix prerelease to stable version diff logic (#755) (@​eminberkayd, berkay.daglar)
• 8a34bde #754 add identifier validation to inc() (#754) (@​mbtools)

Documentation

• 67e5478 #756 readme: added missing period for consistency (#756) (@​shaymolcho)
• 868d4bb #749 clarify comment about obsolete prefixes (#749) (@​mbtools, @​ljharb)

Chores

• 145c554 #741 bump @​npmcli/eslint-config from 4.0.5 to 5.0.0 (@​dependabot[bot])
• 753e02b #747 bump @​npmcli/template-oss from 4.23.3 to 4.23.4 (#747) (@​dependabot[bot], @​npm-cli-bot)
• 0b812d5 #744 postinstall for dependabot template-oss PR (@​hashtagchris)

7.6.3 (2024-07-16)

Bug Fixes

• 73a3d79 #726 optimize Range parsing and formatting (#726) (@​jviide)

... (truncated)

Commits

• 5993c2e chore: release 7.7.4 (#839)
• 120968b deps: @​npmcli/template-oss@​4.29.0 (#840)
• a29faa5 fix(cli): pass options to semver.valid() for loose version validation (#835)
• 1d28d5e docs: fix typos and update -n CLI option documentation (#836)
• 5816d4c chore: bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#829)
• ab9e28a chore: bump @​npmcli/template-oss from 4.27.1 to 4.28.0 (#827)
• 44d7130 chore: bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#824)
• 7073576 chore: reorder parameters in invalid-versions.js test (#820)
• 16a35f5 chore: bump @​npmcli/template-oss from 4.26.0 to 4.27.1 (#823)
• 3a3459d chore: bump @​npmcli/template-oss from 4.25.1 to 4.26.0 (#818)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for semver since your current version.

Updates word-wrap from 1.2.3 to 1.2.5

Release notes

Sourced from word-wrap's releases.

1.2.5

Changes:

Reverts default value for options.indent to two spaces ' '.

Full Changelog: jonschlinkert/word-wrap@1.2.4...1.2.5

1.2.4

What's Changed

• Remove default indent by @​mohd-akram in jonschlinkert/word-wrap#24
• 🔒fix: CVE 2023 26115 (2) by @​OlafConijn in jonschlinkert/word-wrap#41
• 🔒 fix: CVE-2023-26115 by @​aashutoshrathi in jonschlinkert/word-wrap#33
• chore: publish workflow by @​OlafConijn in jonschlinkert/word-wrap#42

New Contributors

• @​mohd-akram made their first contribution in jonschlinkert/word-wrap#24
• @​OlafConijn made their first contribution in jonschlinkert/word-wrap#41
• @​aashutoshrathi made their first contribution in jonschlinkert/word-wrap#33

Full Changelog: jonschlinkert/word-wrap@1.2.3...1.2.4

Commits

• 207044e 1.2.5
• 9894315 revert default indent
• f64b188 run verb to generate README
• 03ea082 Merge pull request #42 from jonschlinkert/chore/publish-workflow
• 420dce9 Merge pull request #41 from jonschlinkert/fix/CVE-2023-26115-2
• bfa694e Update .github/workflows/publish.yml
• ace0b3c chore: bump version to 1.2.4
• 6fd7275 chore: add publish workflow
• 30d6daf chore: fix test
• 655929c chore: remove package-lock
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.