Bump the npm_and_yarn group across 1 directory with 25 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the / directory: gatsby and brace-expansion.

Updates gatsby from 3.15.0 to 4.25.7

Release notes

Sourced from gatsby's releases.

gatsby-source-wordpress@7.13.5 and 6 more...

2024-08-26

Updated packages

• gatsby-source-wordpress@7.13.5
• gatsby-remark-responsive-iframe@6.13.2
• gatsby-remark-prismjs@7.13.2
• gatsby-remark-images@7.13.2
• gatsby-remark-images@6.13.2
• gatsby-remark-graphviz@5.13.2
• gatsby-remark-copy-linked-files@6.13.2
• gatsby-plugin-offline@6.13.3

What's Changed

• fix: pin cheerio (#39066) by @​gatsbybot in gatsbyjs/gatsby#39069

See full release notes: gatsbyjs/gatsby#39070

v4.24

Welcome to gatsby@4.24.0 release (September 2022 #2)

Key highlights of this release:

• Gatsby 5 Alpha
• Updating File System Routes on data changes

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.23

Welcome to gatsby@4.23.0 release (September 2022 #1)

Key highlights of this release:

• Open RFCs

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.22

Welcome to gatsby@4.22.0 release (August 2022 #3)

Key highlights of this release:

... (truncated)

Commits

• db5eb18 chore(release): Publish
• fc22f4b fix(gatsby): don't serve codeframes for files outside of compilation (#38059)...
• 8889bfe chore(release): Publish
• d3d5fd0 fix(gatsby-source-wordpress): prevent inconsistent schema customization (#377...
• 5bdef4a fix(gatsby): don't block event loop during inference (#37780) (#37801)
• 50e3f94 chore(release): Publish
• 3f8477d chore: Update get-unowned-packages script to use npm 9 syntax
• dcf88ed fix(gatsby-plugin-sharp): don't serve static assets that are not result of cu...
• 3be4a80 chore(release): Publish
• 98c4d27 feat(gatsby): add initial webhook body env var to bootstrap context (#37478) ...
• Additional commits viewable in compare view

Updates gatsby-plugin-sharp from 3.15.0 to 5.15.0

Release notes

Sourced from gatsby-plugin-sharp's releases.

gatsby@5.15.0

What's Changed

• fix: support node 22 by @​serhalp in gatsbyjs/gatsby#39349
• fix(gatsby): update socket.io to address vulnerable subdeps by @​serhalp in gatsbyjs/gatsby#39352

Node.js 22

This release formally introduces Node.js 22 support, which is officially tested and supported going forward.

If you wish to use Node.js 22 with Gatsby, we highly recommend using the latest 22.x release, as there are known issues with some older 22.x versions that Gatsby is unable to work around at this time.

⚠️ Known Issue: gatsby develop fails with Node.js 22.7.0, 22.8.0, and 22.9.0

There is a critical bug in Node.js (nodejs/node#55145?) affecting versions 22.7.0, 22.8.0, and 22.9.0 that causes gatsby develop to fail with the error reported in gatsbyjs/gatsby#39068.

👉🏼 To avoid this, use Node.js 22.10.0 or later. (You can also use 22.6.0 or earlier.)

⚠️ Known Issue: Page loads may hang in dev with experimental DEV_SSR enabled and Node.js ≥22.14.0 (or ≥20.19.0)

This will not affect most users.

A change landed in Node.js 20.19.0 and 22.14.0 results in requests to the gatsby develop dev server to occasionally hang for 15 seconds. This can only occur if you have opted in to the experimental DEV_SSR flag.

👉🏼 To avoid this, disable the experimental DEV_SSR flag. (You can also downgrade to Node.js 22.13.1 or earlier, 20.18.3 or earlier, or 18.x.)

New Contributors

Thank you!

• @​pajosieg made their first contribution in gatsbyjs/gatsby#39169
• @​johnmurphy01 made their first contribution in gatsbyjs/gatsby#39324
• @​shrisoundharyaa made their first contribution in gatsbyjs/gatsby#39286

Full Changelog: https://github.com/gatsbyjs/gatsby/compare/gatsby@5.14.6...gatsby@5.15.0

gatsby@5.14.6

2025-08-06

What's Changed

• fix: don't treat timestamps as dynamic paths (#39340) by @​gatsbybot in gatsbyjs/gatsby#39341
• fix: use forked devcert to avoid pulling transitive deps from its @types/* deps (#39343) by @​gatsbybot in gatsbyjs/gatsby#39345
  • This fixes npm install errors/warnings with Node.js 18 that look like error glob@11.0.3: The engine "node" is incompatible with this module. Expected version "20 || >=22". Got "18.6.0"

Full Changelog: https://github.com/gatsbyjs/gatsby/compare/gatsby@5.14.5...gatsby@5.14.6

gatsby@5.14.5

2025-06-19

... (truncated)

Changelog

Sourced from gatsby-plugin-sharp's changelog.

5.15.0 (2025-08-27)

🧾 Release notes

Note: Version bump only for package gatsby-plugin-sharp

5.14.0 (2024-11-06)

🧾 Release notes

Bug Fixes

• update dependency fs-extra to ^11.2.0 #38727 (cb33fe5)
• update dependency async to ^3.2.5 for gatsby-plugin-sharp #38721 (a30811a)

5.13.1 (2024-01-23)

Note: Version bump only for package gatsby-plugin-sharp

5.13.0 (2023-12-18)

🧾 Release notes

Chores

• upgrade sharp to latest v0.32.6 #38374 (ca15ef3)

5.12.3 (2023-10-26)

Note: Version bump only for package gatsby-plugin-sharp

5.12.2 (2023-10-20)

Note: Version bump only for package gatsby-plugin-sharp

5.12.1 (2023-10-09)

Chores

• upgrade sharp to latest v0.32.6 #38374 #38617 (f1a4107)

5.12.0 (2023-08-24)

🧾 Release notes

Bug Fixes

• update dependency semver to ^7.5.3 #38296 (11e64e2)

5.11.0 (2023-06-15)

... (truncated)

Commits

• e3d0717 chore(release): Publish
• baa1b8e chore(release): Publish next
• 17baffb chore(release): Publish next pre-minor
• 5f44fcd chore(changelogs): update changelogs (#39156)
• 2c75bc5 chore(changelogs): update changelogs (#38821)
• 94b2482 chore(release): Publish next
• 196618a chore(release): Publish next
• cb33fe5 fix(deps): update dependency fs-extra to ^11.2.0 (#38727)
• a30811a fix(deps): update dependency async to ^3.2.5 for gatsby-plugin-sharp (#38721)
• 4f8c065 chore(changelogs): update changelogs (#38769)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by serhalp-netlify, a new releaser for gatsby-plugin-sharp since your current version.

Updates gatsby-transformer-remark from 3.2.0 to 6.15.0

Release notes

Sourced from gatsby-transformer-remark's releases.

gatsby@5.15.0

What's Changed

• fix: support node 22 by @​serhalp in gatsbyjs/gatsby#39349
• fix(gatsby): update socket.io to address vulnerable subdeps by @​serhalp in gatsbyjs/gatsby#39352

Node.js 22

This release formally introduces Node.js 22 support, which is officially tested and supported going forward.

If you wish to use Node.js 22 with Gatsby, we highly recommend using the latest 22.x release, as there are known issues with some older 22.x versions that Gatsby is unable to work around at this time.

⚠️ Known Issue: gatsby develop fails with Node.js 22.7.0, 22.8.0, and 22.9.0

There is a critical bug in Node.js (nodejs/node#55145?) affecting versions 22.7.0, 22.8.0, and 22.9.0 that causes gatsby develop to fail with the error reported in gatsbyjs/gatsby#39068.

👉🏼 To avoid this, use Node.js 22.10.0 or later. (You can also use 22.6.0 or earlier.)

⚠️ Known Issue: Page loads may hang in dev with experimental DEV_SSR enabled and Node.js ≥22.14.0 (or ≥20.19.0)

This will not affect most users.

A change landed in Node.js 20.19.0 and 22.14.0 results in requests to the gatsby develop dev server to occasionally hang for 15 seconds. This can only occur if you have opted in to the experimental DEV_SSR flag.

👉🏼 To avoid this, disable the experimental DEV_SSR flag. (You can also downgrade to Node.js 22.13.1 or earlier, 20.18.3 or earlier, or 18.x.)

New Contributors

Thank you!

• @​pajosieg made their first contribution in gatsbyjs/gatsby#39169
• @​johnmurphy01 made their first contribution in gatsbyjs/gatsby#39324
• @​shrisoundharyaa made their first contribution in gatsbyjs/gatsby#39286

Full Changelog: https://github.com/gatsbyjs/gatsby/compare/gatsby@5.14.6...gatsby@5.15.0

gatsby@5.14.6

2025-08-06

What's Changed

• fix: don't treat timestamps as dynamic paths (#39340) by @​gatsbybot in gatsbyjs/gatsby#39341
• fix: use forked devcert to avoid pulling transitive deps from its @types/* deps (#39343) by @​gatsbybot in gatsbyjs/gatsby#39345
  • This fixes npm install errors/warnings with Node.js 18 that look like error glob@11.0.3: The engine "node" is incompatible with this module. Expected version "20 || >=22". Got "18.6.0"

Full Changelog: https://github.com/gatsbyjs/gatsby/compare/gatsby@5.14.5...gatsby@5.14.6

gatsby@5.14.5

2025-06-19

... (truncated)

Changelog

Sourced from gatsby-transformer-remark's changelog.

6.15.0 (2025-08-27)

🧾 Release notes

Note: Version bump only for package gatsby-transformer-remark

6.14.0 (2024-11-06)

🧾 Release notes

Note: Version bump only for package gatsby-transformer-remark

6.13.1 (2024-01-23)

Note: Version bump only for package gatsby-transformer-remark

6.13.0 (2023-12-18)

🧾 Release notes

Note: Version bump only for package gatsby-transformer-remark

6.12.3 (2023-10-26)

Note: Version bump only for package gatsby-transformer-remark

6.12.2 (2023-10-20)

Note: Version bump only for package gatsby-transformer-remark

6.12.1 (2023-10-09)

Note: Version bump only for package gatsby-transformer-remark

6.12.0 (2023-08-24)

🧾 Release notes

Bug Fixes

• update dependency sanitize-html to ^2.11.0 for gatsby-transformer-remark #38315 (87a3412)

6.11.0 (2023-06-15)

🧾 Release notes

Note: Version bump only for package gatsby-transformer-remark

6.10.0 (2023-05-16)

... (truncated)

Commits

• e3d0717 chore(release): Publish
• 17baffb chore(release): Publish next pre-minor
• 5f44fcd chore(changelogs): update changelogs (#39156)
• 2c75bc5 chore(changelogs): update changelogs (#38821)
• 94b2482 chore(release): Publish next
• 196618a chore(release): Publish next
• 4f8c065 chore(changelogs): update changelogs (#38769)
• eed07f3 chore(release): Publish next pre-minor
• 26871b8 chore(release): Publish next
• 9a26700 chore(changelogs): update changelogs (#38667)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by serhalp-netlify, a new releaser for gatsby-transformer-remark since your current version.

Updates prismjs from 1.29.0 to 1.30.0

Release notes

Sourced from prismjs's releases.

v1.30.0

What's Changed

• check that currentScript is set by a script tag by @​lkuechler in PrismJS/prism#3863

New Contributors

• @​lkuechler made their first contribution in PrismJS/prism#3863

Full Changelog: PrismJS/prism@v1.29.0...v1.30.0

Changelog

Sourced from prismjs's changelog.

Prism Changelog

Commits

• 76dde18 Release 1.30.0
• 93cca40 npm pkg fix
• 99c5ca9 Add release script
• 8e8b935 check that currentScript is set by a script tag (#3863)
• f894dc2 Fix logo in the footer
• ac38dce Delete CNAME
• 9b5b09a Enable CORS
• See full diff in compare view

Maintainer changes

This version was pushed to npm by dmitrysharabin, a new releaser for prismjs since your current version.

Updates postcss from 8.4.47 to 8.5.6

Release notes

Sourced from postcss's releases.

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@​romainmenke during his work on Stylelint added Input#document in additional to Input#css.

root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"

Thanks to Sponsors

This release was possible thanks to our community.

If your company wants to support the sustainability of front-end infrastructure or wants to give some love to PostCSS, you can join our supporters by:

• Tidelift with a Spotify-like subscription model supporting all projects from your lock file.
• Direct donations at GitHub Sponsors or Open Collective.

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

• Added Input#document for sources like CSS-in-JS or HTML (by @​romainmenke).

8.4.49

• Fixed custom syntax without source.offset (by @​romainmenke).

8.4.48

• Fixed position calculation in error/warnings methods (by @​romainmenke).

Commits

• 91d6eb5 Release 8.5.6 version
• 65ffc55 Update dependencies
• ecd20eb Fix ContainerWithChildren to allow discriminating the node type by comparing ...
• c181597 Release 8.5.5 version
• c5523fb Update dependencies
• 2e3450c refactor: import should be listed before require (#2052)
• 4d720bd Update EM text
• 6cb4a66 Release 8.5.4 version
• ec5c1e0 Update dependencies
• e85e938 Fix code format
• Additional commits viewable in compare view

Updates ansi-html from 0.0.7 to 0.0.9

Commits

• See full diff in compare view

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates braces from 2.3.2 to 3.0.3

Changelog

Sourced from braces's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

[3.0.0] - 2018-04-08

v3.0 is a complete refactor, resulting in a faster, smaller codebase, with fewer deps, and a more accurate parser and compiler.

Breaking Changes

• The undocumented .makeRe method was removed
• Require Node.js >= 8.3

Non-breaking changes

• Caching was removed

Commits

• See full diff in compare view

Updates browserslist from 4.14.2 to 4.25.4

Release notes

Sourced from browserslist's releases.

4.25.4

• Fixed Windows support for custom stats (by @​torgeilo).

4.25.3

• Fixed ReDoS (by @​ericcornelissen).

4.25.2

• Fixed Node.js --permission support (by @​broofa).

4.25.1

• Updated Firefox ESR.

4.25.0

• Added cover 95% in browserslist-config-mycompany stats query support.

4.24.5

• Fixed support ESM shared config.
• Fixed docs (by Alexander Pushkov & マルコメ).

4.24.4

• Improved performance by using caching better (by @​thoughtspile).

4.24.3

• Updated Firefox ESR (by @​fpapado).

4.24.2

• Clarify outdated caniuse-lite warning text.

4.24.1

• Added months since last caniuse-lite update to the warning (by @​mezhnin).

4.24.0

• Added browserslist.findConfigFile() helper (by @​JLHwung).

4.23.3

• Fixed >= query for ios (by @​syi0808).

4.23.2

• Updated Firefox ESR.

4.23.1

• Fixed feature query with mobile to desktop when caniuse lags (by @​steverep).

4.23.0

• Added BROWSERSLIST_ROOT_PATH (by @​teleclimber).

Changelog

Sourced from browserslist's changelog.

4.25.4

• Fixed Windows support for custom stats (by @​torgeilo).

4.25.3

• Fixed ReDoS (by @​ericcornelissen).

4.25.2

• Fixed Node.js --permission support (by @​broofa).

4.25.1

• Updated Firefox ESR.

4.25.0

• Added cover 95% in browserslist-config-mycompany stats query support.

4.24.5

• Fixed support ESM shared config.
• Fixed docs (by Alexander Pushkov & マルコメ).

4.24.4

• Improved performance by using caching better (by @​thoughtspile).

4.24.3

• Updated Firefox ESR (by @​fpapado).

4.24.2

• Clarify outdated caniuse-lite warning text.

4.24.1

• Added months since last caniuse-lite update to the warning (by @​mezhnin).

4.24.0

• Added browserslist.findConfigFile() helper (by @​JLHwung).

4.23.3

• Fixed >= query for ios (by @​syi0808).

4.23.2

• Updated Firefox ESR.

4.23.1

• Fixed feature query with mobile to desktop when caniuse lags (by @​steverep).

4.23.0

• Added BROWSERSLIST_ROOT_PATH (by @​teleclimber).

4.22.3

• Fixed white spaces support in supports query (@​g-plane).
• Fixed shared config like @company/package/browserslist-config (@​boucodes).

... (truncated)

Commits

• 631dd17 Release 4.25.4 version
• fa33a90 Add tool to update CI actions
• eff0e9f Update dependencies
• 51319b8 Merge pull request #902 from torgeilo/loadstats-windows-path-bug
• b6a25c6 Fix loadStat creating a non-working module path on Windows
• e13f918 Release 4.25.3 version
• 7e6db9f Update dependencies
• c331c95 Fix ReDoS
• c7b27ec Release 4.25.2 version
• 506b14a Fix test coverage
• Additional commits viewable in compare view

Updates cross-fetch from 3.1.4 to 3.2.0

Release notes

Sourced from cross-fetch's releases.

v3.2.0

What's Changed

FEATURES

• Upgraded node-fetch from 2.6.12 to 2.7.0. Please refer to node-fetch release notes for features and bug fixes.
• Upgraded whatwg-fetch from 3.0.0 to 3.6.20. Please refer to whatwg-fetch release notes for features and bug fixes.

v3.1.8

What's Changed

• Restored caret range to node-fetch version for automatic feature and fix updates.

Full Changelog: lquixada/cross-fetch@v3.1.7...v3.1.8

v3.1.7

What's Changed

• Updated node-fetch version to 2.6.12

Full Changelog: lquixada/cross-fetch@v3.1.6...v3.1.7

v3.1.6

What's Changed

• Updated node-fetch version to 2.6.11
• Added caret range to node-fetch version for automatic feature and fix updates.

Full Changelog: lquixada/cross-fetch@v3.1.5...v3.1.6

v3.1.5

What's Changed

• chore: updated node-fetch version to 2.6.7 by @​dlafreniere in lquixada/cross-fetch#124

New Contributors

• @​dlafreniere made their first contribution in lquixada/cross-fetch#124

Full Changelog: lquixada/cross-fetch@v3.1.4...v3.1.5

Changelog

Sourced from cross-fetch's changelog.

3.2.0 (2024-12-21)

Features

• updated node-fetch to 2.7.0 (#191) (ebf44c3)

Bug Fixes

• updated whatwg-fetch to 3.6.20 (#198) (fbbecc8)

3.1.8 (2023-07-02)

Bug Fixes

• restored caret on node-fetch version (6669927)

3.1.7 (2023-07-01)

3.1.6 (2023-05-14)

Features

• allowed minor and patch update of node-fetch (#132) (425395b), closes #129

Bug Fixes

• fixed ESTree.StaticBlock error (a66f21b)

Commits

• c6f6f83 chore(release): 3.2.0
• d704d0a chore: fixed prepublishOnly script
• 312d047 refactor: improved Makefile
• d1f85aa refactor: improved Makefile (#199)
• 1555cee refactor: improved make command reliability
• fbbecc8 fix: updated whatwg-fetch to 3.6.20 (#198)
• ebf44c3 feat: updated node-fetch to 2.7.0 (#191)
• c8736f5 chore: changed default node version to 16
• f34b605 chore: updated action/setup-node to v4 and hmarr/debug-action to v3
• f991e47 chore: updated action/checkout and action/cache to v4
• Additional commits viewable in compare view

Updates engine.io from 4.1.2 to 6.2.1

Release notes

Sourced from engine.io's releases.

engine.io-parser@5.2.3

Bug Fixes

• do not expose the TransformStream type (f9cb983)

Commits

• See full diff in compare view

Updates immer from 8.0.1 to 9.0.21

Release notes

Sourced from immer's releases.

v9.0.21

9.0.21 (2023-03-23)

Bug Fixes

• ensure type exports is first in package.json export declaration (#1018) (b6ccd0f)

v9.0.20

9.0.20 (2023-03-23)

Bug Fixes

• patching maps failed when using number keys (#1025) (dd83e2e)

v9.0.19

9.0.19 (2023-01-27)

Bug Fixes

• don't freeze drafts returned from produce if they were passed in as draft (#917) (46867f8)
• produce results should never be frozen when returned from nested produces, to prevent 'hiding' drafts. Fixes #935 (a810960)
• release and publish from 'main' rather than 'master' branch (82acc40)
• revert earlier fix (#990) for recursive types (#1014) (3eeb331)
• Upgrade Github actions to Node 16 attempt 1 (9d4ea93)
• Upgrade Github actions to Node 16 attempt 2 (082eecd)

v9.0.18

9.0.18 (2023-01-15)

Bug Fixes

• Preserve insertion order of Sets, fixes #819 (#976) (b3eeb69)
• unnecessarily recursive Draft type (#990) (b9eae1d)

v9.0.17

9.0.17 (2023-01-02)

Bug Fixes

• special case NaN in setter (#912) (5721bb7)

v9.0.16

9.0.16 (2022-10-22)

... (truncated)

Commits

• 7c15339 chore(deps): bump loader-utils from 2.0.0 to 2.0.4 in /website (#1026)
• f07ec9d chore(deps): bump @​sideway/formula from 3.0.0 to 3.0.1 in /website (#1027)
• b6ccd0f fix: ensure type exports is first in package.json export declaration (#1018)
• 385837d chore(deps): bump http-cache-semantics from 4.1.0 to 4.1.1 in /website (#1017)
• e1696b7 chore(deps): bump webpack from 5.75.0 to 5.76.1 in /website (#1024)
• dd83e2e fix: patching maps failed when using number keys (#1025)
• 082eecd fix: Upgrade Github actions to Node 16 attempt 2
• 9d4ea93 fix: Upgrade Github actions to Node 16 attempt 1
• 82acc40 fix: release and publish from 'main' rather than 'master' branch
• 3eeb331 fix: revert earlier fix (#990) for recursive types (#1014)
• Additional commits viewable in compare view

Updates micromatch from 3.1.10 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

4.0.4

• fix: Update picomatch to fix regression #179 (8becb55)

4.0.3

• Enforce newer version of picomatch with bugfixes

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

[4.0.1 - 4.0.5]

[4.0.0] - 2019-03-20

Added

• Adds support for options.onMatch. See the readme for details
• Adds support for options.onIgnore. See the readme for details
• Adds support for options.onResult. See the readme for details

Breaking changes

• Require Node.js >= 8.6
• Removed support for passing an array of brace patterns to micromatch.braces().
• To strictly enforce closing brackets (for {, [, and (), you must now use strictBrackets=true instead of strictErrors.
• cache - caching and all related options and methods have been removed
• options.unixify was renamed to options.windows
• options.nodupes Was removed. Duplicates are always removed by default. You can override this with custom behavior by using the onMatch, onResult and onIgnore functions.
• options.snapdragon was removed, as snapdragon is no longer used.
• options.sourcemap was removed, as snapdragon is no longer used, which provided sourcemap support.

[3.0.0] - 2017-04-11

Complete overhaul, with 36,000+ new unit tests validated against actual output generated by Bash and minimatch. More specifically, 35,000+ of the tests:

• micromatch results are directly compared to bash results
• in rare cases, when micromatch and bash disagree, micromatch's results are compared to minimatch's results
• micromatch is much more accurate than minimatch, so there were cases where I had to make assumptions. I'll try to document these.

This refactor introduces a parser and compiler that are supersets of more granular parsers and compilers from other sub-modules. Each of these sub-modules has a singular responsibility and focuses on a certain type of matching that aligns with a specific part of the Bash "expansion" API.

These sub-modules work like plugins to seamlessly create the micromatch parser/compiler, so that strings are parsed in one pass, an AST is created, then a new string is generated by the compiler.

... (truncated)

Commits

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9aDescription has been truncated

  Note
  Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
substrate-docs	Error			Sep 10, 2025 9:47pm