Skip to content

build(deps): bump the npm_and_yarn group across 5 directories with 10 updates#16

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/backend/npm_and_yarn-ebad5c0d04
Open

build(deps): bump the npm_and_yarn group across 5 directories with 10 updates#16
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/backend/npm_and_yarn-ebad5c0d04

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Mar 20, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 2 updates in the /backend directory: minimatch and tar.
Bumps the npm_and_yarn group with 3 updates in the /common directory: minimatch, tar and lodash.
Bumps the npm_and_yarn group with 3 updates in the /exporter directory: minimatch, tar and lodash.
Bumps the npm_and_yarn group with 8 updates in the /frontend directory:

Package From To
minimatch 3.1.2 3.1.5
lodash 4.17.21 4.17.23
svgo 2.8.0 2.8.2
storybook 10.0.4 10.2.10
js-yaml 4.1.0 4.1.1
qs 6.14.0 6.15.0
rollup 4.53.3 4.59.0
undici 7.16.0 7.24.5

Bumps the npm_and_yarn group with 3 updates in the /frontend/text-editor directory: minimatch, rollup and flatted.

Updates minimatch from 3.1.2 to 3.1.5

Commits

Updates tar from 7.5.2 to 7.5.12

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates minimatch from 3.1.2 to 3.1.5

Commits

Updates tar from 7.5.2 to 7.5.12

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates lodash from 4.17.21 to 4.17.23

Commits

Updates minimatch from 5.1.6 to 5.1.9

Commits

Updates tar from 7.5.2 to 7.5.12

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates lodash from 4.17.21 to 4.17.23

Commits

Updates minimatch from 3.1.2 to 3.1.5

Commits

Updates lodash from 4.17.21 to 4.17.23

Commits

Updates svgo from 2.8.0 to 2.8.2

Release notes

Sourced from svgo's releases.

v2.8.2

This is effectively just a re-release of SVGO v2.8.1, but with *.test.js files omitted. It seems something was wrong with the configuration in the v2.8.0 tag and I hadn't noticed it included a few extra files. 😅

We'll deprecate v2.8.1, and I'll include the change log here.

What's Changed

Dependencies

  • Migrates from our unsupported fork of sax (@​trysound/sax) to the upstream version of sax (sax).

Bug Fixes

  • No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

v2.8.0 v2.8.2 Delta
svgo.browser.js 587.2 kB 589.2 kB ⬆️ 2 kB

Support

SVGO v2 is not officially supported, please consider upgrading to SVGO v4 instead. We've backported this fix as there are security implications, but there is no commitment to do this for more complex changes in future.

Consider reading our Migration Guide from v2 to v3 and Migration Guide from v3 to v4 which should ease the process.

v2.8.1

Deprecated

This release left *.test.js files in the package, which have been omitted in v2.8.2. Sorry for the noise!

What's Changed

Dependencies

  • Migrates from our unsupported fork of sax (@​trysound/sax) to the upstream version of sax (sax).

Bug Fixes

  • No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

v2.8.0 v2.8.1 Delta

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by sethiii, a new releaser for svgo since your current version.


Updates storybook from 10.0.4 to 10.2.10

Release notes

Sourced from storybook's releases.

v10.2.10

10.2.10

v10.2.9

10.2.9

v10.2.8

10.2.8

v10.2.7

10.2.7

v10.2.6

10.2.6

v10.2.5

10.2.5

v10.2.4

10.2.4

... (truncated)

Changelog

Sourced from storybook's changelog.

10.2.10

10.2.9

10.2.8

10.2.7

10.2.6

10.2.5

10.2.4

10.2.3

... (truncated)

Commits
  • c812573 Bump version from "10.2.9" to "10.2.10" [skip ci]
  • fd275fb Merge pull request #33820 from storybookjs/harden-websocket-security
  • 4cdde82 Bump version from "10.2.8" to "10.2.9" [skip ci]
  • 719b6ca Bump version from "10.2.7" to "10.2.8" [skip ci]
  • 78f274b Merge pull request #33773 from storybookjs/valentin/add-exit-telemetry
  • 0ca7278 Merge pull request #33766 from storybookjs/norbert/share-channel-events
  • 1c96212 Merge pull request #33783 from storybookjs/copilot/add-expo-telemetry-patch-l...
  • 8d687ec Bump version from "10.2.6" to "10.2.7" [skip ci]
  • 711e245 Merge pull request #33776 from LouisLau-art/fix/loglevel-flag-works
  • 3802165 Merge pull request #33284 from ia319/bug/33281-dynamic-title-select
  • Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates qs from 6.14.0 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

  • [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
  • [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLengtharrayLimit)
  • [actions] fix rebase workflow permissions

6.14.1

  • [Fix] ensure arrayLimit applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect
Commits
  • d9b4c66 v6.15.0
  • cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
  • 88e1563 [Fix] duplicates option should not apply to bracket notation keys
  • 9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
  • 85cc8ca v6.12.5
  • ffc12aa v6.11.4
  • 0506b11 [actions] update reusable workflows
  • 6a37faf [actions] update reusable workflows
  • 8e8df5a [Fix] fix regressions from robustness refactor
  • d60bab3 v6.10.7
  • Additional commits viewable in compare view

Updates rollup from 4.53.3 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

  • Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

v4.58.0

4.58.0

2026-02-20

Features

  • Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

v4.57.1

4.57.1

2026-01-30

Bug Fixes

  • Fix heap corruption issue in Windows (#6251)
  • Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.59.0

2026-02-22

Features

  • Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

4.58.0

2026-02-20

Features

  • Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

4.57.1

2026-01-30

Bug Fixes

  • Fix heap corruption issue in Windows (#6251)
  • Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

... (truncated)

Commits

Updates undici from 7.16.0 to 7.24.5

Release notes

Sourced from undici's releases.

v7.24.5

What's Changed

New Contributors

Full Changelog: nodejs/undici@v7.24.4...v7.24.5

v7.24.4

What's Changed

Full Changelog: nodejs/undici@v7.24.3...v7.24.4

v7.24.3

What's Changed

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.2

What's Changed

Full Changelog: nodejs/undici@v7.24.1...v7.24.2

v7.24.1

What's Changed

Full Changelog: nodejs/undici@v7.24.0...v7.24.1

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

... (truncated)

Commits

… updates

Bumps the npm_and_yarn group with 2 updates in the /backend directory: [minimatch](https://github.com/isaacs/minimatch) and [tar](https://github.com/isaacs/node-tar).
Bumps the npm_and_yarn group with 3 updates in the /common directory: [minimatch](https://github.com/isaacs/minimatch), [tar](https://github.com/isaacs/node-tar) and [lodash](https://github.com/lodash/lodash).
Bumps the npm_and_yarn group with 3 updates in the /exporter directory: [minimatch](https://github.com/isaacs/minimatch), [tar](https://github.com/isaacs/node-tar) and [lodash](https://github.com/lodash/lodash).
Bumps the npm_and_yarn group with 8 updates in the /frontend directory:

| Package | From | To |
| --- | --- | --- |
| [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` |
| [svgo](https://github.com/svg/svgo) | `2.8.0` | `2.8.2` |
| [storybook](https://github.com/storybookjs/storybook/tree/HEAD/code/core) | `10.0.4` | `10.2.10` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` |
| [qs](https://github.com/ljharb/qs) | `6.14.0` | `6.15.0` |
| [rollup](https://github.com/rollup/rollup) | `4.53.3` | `4.59.0` |
| [undici](https://github.com/nodejs/undici) | `7.16.0` | `7.24.5` |

Bumps the npm_and_yarn group with 3 updates in the /frontend/text-editor directory: [minimatch](https://github.com/isaacs/minimatch), [rollup](https://github.com/rollup/rollup) and [flatted](https://github.com/WebReflection/flatted).


Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)

Updates `tar` from 7.5.2 to 7.5.12
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.2...v7.5.12)

Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)

Updates `tar` from 7.5.2 to 7.5.12
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.2...v7.5.12)

Updates `lodash` from 4.17.21 to 4.17.23
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

Updates `minimatch` from 5.1.6 to 5.1.9
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)

Updates `tar` from 7.5.2 to 7.5.12
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.2...v7.5.12)

Updates `lodash` from 4.17.21 to 4.17.23
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)

Updates `lodash` from 4.17.21 to 4.17.23
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

Updates `svgo` from 2.8.0 to 2.8.2
- [Release notes](https://github.com/svg/svgo/releases)
- [Commits](svg/svgo@v2.8.0...v2.8.2)

Updates `storybook` from 10.0.4 to 10.2.10
- [Release notes](https://github.com/storybookjs/storybook/releases)
- [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md)
- [Commits](https://github.com/storybookjs/storybook/commits/v10.2.10/code/core)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `qs` from 6.14.0 to 6.15.0
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.0...v6.15.0)

Updates `rollup` from 4.53.3 to 4.59.0
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.53.3...v4.59.0)

Updates `undici` from 7.16.0 to 7.24.5
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.16.0...v7.24.5)

Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)

Updates `rollup` from 4.53.3 to 4.59.0
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.53.3...v4.59.0)

Updates `flatted` from 3.3.1 to 3.4.2
- [Commits](WebReflection/flatted@v3.3.1...v3.4.2)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 5.1.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: svgo
  dependency-version: 2.8.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: storybook
  dependency-version: 10.2.10
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.15.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 4.59.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 7.24.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 4.59.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants