
Bump the npm_and_yarn group across 11 directories with 12 updates#12477

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/npm_and_yarn-1c6b1a6498

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 9, 2026

Bumps the npm_and_yarn group with 3 updates in the / directory: tar, @apollo/server and dompurify.
Bumps the npm_and_yarn group with 2 updates in the /cypress directory: lodash and brace-expansion.
Bumps the npm_and_yarn group with 7 updates in the /microsite directory:

| Package | From | To |
| --- | --- | --- |
| tar | 6.1.13 | 6.2.1 |
| yaml | 1.10.2 | 1.10.3 |
| brace-expansion | 1.1.11 | 1.1.13 |
| immutable | 4.2.2 | 4.3.8 |
| picomatch | 2.3.1 | 2.3.2 |
| serialize-javascript | 6.0.1 | 6.0.2 |
| svgo | 2.8.0 | 2.8.2 |

Bumps the npm_and_yarn group with 1 update in the /packages/backend-common directory: tar.
Bumps the npm_and_yarn group with 1 update in the /packages/cli directory: tar.
Bumps the npm_and_yarn group with 1 update in the /plugins/catalog-graphql directory: @apollo/server.
Bumps the npm_and_yarn group with 1 update in the /plugins/gcalendar directory: dompurify.
Bumps the npm_and_yarn group with 1 update in the /plugins/graphql-backend directory: @apollo/server.
Bumps the npm_and_yarn group with 1 update in the /plugins/microsoft-calendar directory: dompurify.
Bumps the npm_and_yarn group with 1 update in the /plugins/techdocs directory: dompurify.
Bumps the npm_and_yarn group with 7 updates in the /storybook directory:

| Package | From | To |
| --- | --- | --- |
| lodash | 4.17.21 | 4.18.1 |
| tar | 6.1.11 | 6.2.1 |
| yaml | 1.10.2 | 1.10.3 |
| handlebars | 4.7.7 | 4.7.9 |
| brace-expansion | 1.1.11 | 1.1.13 |
| flatted | 3.2.6 | 3.4.2 |
| picomatch | 2.3.1 | 2.3.2 |

Updates tar from 6.1.15 to 7.5.11

Changelog

Sourced from tar's changelog.

Changelog

7.5

  • Added zstd compression support.
  • Consistent TOCTOU behavior in sync t.list
  • Only read from ustar block if not specified in Pax
  • Fix sync tar.list when file size reduces while reading
  • Sanitize absolute linkpaths properly
  • Prevent writing hardlink entries to the archive ahead of their file target

7.4

  • Deprecate onentry in favor of onReadEntry for clarity.

7.3

  • Add onWriteEntry option

7.2

  • DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

  • Update minipass to v7.1.0
  • Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

  • Drop support for node <18
  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates @apollo/server from 4.8.1 to 5.5.0

Release notes

Sourced from @apollo/server's releases.

@apollo/server-integration-testsuite@5.5.0

Minor Changes

  • #8191 ada1200 - ⚠️ SECURITY @apollo/server/standalone:

    Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

    (GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

    This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

    If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

    This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

    See advisory GHSA-9q82-xgwf-vj6h for more details.

Patch Changes

  • Updated dependencies [ada1200]:
    • @apollo/server@5.5.0

@apollo/server@5.5.0


@apollo/server-integration-testsuite@5.4.0

Patch Changes

  • Updated dependencies [d25a5bd]:
    • @apollo/server@5.4.0

@apollo/server@5.4.0

Minor Changes

... (truncated)

Changelog

Sourced from @apollo/server's changelog.

5.5.0


5.4.0

Minor Changes

  • d25a5bd Thanks @phryneas! - ⚠️ SECURITY @apollo/server/standalone:

    The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

    In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE). Any other character set will be rejected with a 415 Unsupported Media Type error. Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8. Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now. In a future major release, we may tighten this restriction further to only allow UTF-8.

    If you were not using startStandaloneServer, you were not affected by this vulnerability.

    Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server. For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

5.3.0

Minor Changes

  • #8062 8e54e58 Thanks @cristunaranjo! - Allow configuration of graphql execution options (maxCoercionErrors)

    ```js
    import { ApolloServer } from '@apollo/server';

    // typeDefs and resolvers are the schema and resolver map of the application
    const server = new ApolloServer({
      typeDefs,
      resolvers,
      executionOptions: {
        maxCoercionErrors: 50,
      },
    });
    ```

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @apollo/server since your current version.


Updates dompurify from 2.4.5 to 3.3.2

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.2

  • Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
  • Fixed a prototype pollution issue when working with custom elements, thanks @christos-eth
  • Fixed a lenient config parsing in _isValidAttribute, thanks @christos-eth
  • Bumped and removed several dependencies, thanks @Rotzbua
  • Fixed the test suite after bumping dependencies, thanks @Rotzbua

DOMPurify 3.3.1

  • Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @MariusRumpf
  • Updated the ESM import syntax to be more correct, thanks @binhpv

DOMPurify 3.3.0

  • Added the SVG mask-type attribute to default allow-list, thanks @prasadrajandran
  • Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @nelstrom
  • Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @Wim-Valgaeren

DOMPurify 3.2.7

  • Added new attributes and elements to default allow-list, thanks @elrion018
  • Added tagName parameter to custom element attributeNameCheck, thanks @nelstrom
  • Added better check for animated href attributes, thanks @llamakko
  • Updated and improved the bundled types, thanks @ssi02014
  • Updated several tests to better align with new browser encoding behaviors
  • Improved the handling of potentially risky content inside CDATA elements, thanks @securityMB & @terjanq
  • Improved the regular expression for raw-text elements to cover textareas, thanks @securityMB & @terjanq

DOMPurify 3.2.6

DOMPurify 3.2.5

  • Added a check to the mXSS detection regex to be more strict, thanks @masatokinugawa
  • Added ESM type imports in source, removes patch function, thanks @donmccurdy
  • Added script to verify various TypeScript configurations, thanks @reduckted
  • Added more modern browsers to the Karma launchers list
  • Added Node 23.x to tested runtimes, removed Node 17.x
  • Fixed the generation of source maps, thanks @reduckted
  • Fixed an unexpected behavior with ALLOWED_URI_REGEXP using the 'g' flag, thanks @hhk-png
  • Fixed a few typos in the README file

DOMPurify 3.2.4

  • Fixed a conditional and config dependent mXSS-style bypass reported by @nsysean
  • Added a new feature to allow specific hook removal, thanks @davecardwell
  • Added purify.js and purify.min.js to exports, thanks @Aetherinox
  • Added better logic in case no window object is present, thanks @yehuya
  • Updated some dependencies called out by dependabot

... (truncated)

Commits
  • 5e56114 Getting 3.x branch ready for 3.3.2 release (#1208)
  • e8c95f4 fix: Fixed the broken package-lock.json
  • 9636037 Update package-lock.json
  • 5cad4ce Getting 3.x branch ready for 3.3.2 releas (#1205)
  • 6fc446a Merge pull request #1175 from cure53/main
  • 3b3bf91 Merge branch 'main' of github.com:cure53/DOMPurify
  • 9863f41 chore: Preparing 3.3.1 release
  • b4e0295 chore: Preparing 3.3.0 release
  • 077746b build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#1170)
  • 4de68bb build(deps): bump actions/checkout from 5 to 6 (#1171)
  • Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash, lodash-es, lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails because the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity with the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates brace-expansion from 1.1.11 to 1.1.13

Release notes

Sourced from brace-expansion's releases.

v1.1.12

  • pkg: publish on tag 1.x c460dbd
  • fmt ccb8ac6
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

Updates tar from 6.1.13 to 6.2.1

Changelog

Sourced from tar's changelog.


Commits


Updates yaml from 1.10.2 to 1.10.3

Commits
  • cfe8f04 1.10.3
  • 7abcf45 fix: Catch stack overflow during CST composition
  • a0252f8 chore: Add rules avoiding processing of tests/json-test-suite
  • a5e83b0 style: Apply updates Prettier rules
  • b8ddca0 chore: Refresh lockfile
  • 395f892 ci: Use a different (working) submodule checkout
  • 6fd2720 test-events: Add {} and [] indicators to flow maps & sequences
  • See full diff in compare view

Updates brace-expansion from 1.1.11 to 1.1.13

Release notes

Sourced from brace-expansion's releases.


Commits

Updates immutable from 4.2.2 to 4.3.8

Release notes

Sourced from immutable's releases.

v4.3.8

Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

v4.3.7

What's Changed

Full Changelog: immutable-js/immutable-js@v4.3.6...v4.3.7

v4.3.6

What's Changed

Internals

New Contributors

Full Changelog: immutable-js/immutable-js@v4.3.5...v4.3.6

v4.3.5

What's Changed

New Contributors

Full Changelog: immutable-js/immutable-js@v4.3.4...v4.3.5

4.3.4

What's Changed

Full Changelog: immutable-js/immutable-js@v4.3.3...v4.3.4

v4.3.3

What's Changed

... (truncated)

Changelog

Sourced from immutable's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning. Dates are formatted as YYYY-MM-DD.

Unreleased

5.1.5

  • Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

5.1.4

Documentation

Internal

5.1.3

TypeScript

Documentation

There have been a huge number of changes in the documentation, mainly a migration from documentation autogenerated from the .d.ts file to proper documentation in markdown. The playground has been included on nearly all method examples. We added a page about browser extensions too: https://immutable-js.com/browser-extension/

Internal

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for immutable since your current version.


Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each version is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

... (truncated)

Commits

Updates serialize-javascript from 6.0.1 to 6.0.2

Release notes

Sourced from serialize-javascript's releases.

v6.0.2

  • fix: serialize URL string contents to prevent XSS (#173) f27d65d
  • Bump @babel/traverse from 7.10.1 to 7.23.7 (#171) 02499c0
  • docs: update readme with URL support (#146) 0d88527
  • chore: update node version and lock file e2a3a91
  • fix typo (#164) 5a1fa64

yahoo/serialize-javascript@v6.0.1...v6.0.2

Commits

Updates svgo from 2.8.0 to 2.8.2

Release notes

Sourced from svgo's releases.

v2.8.2

This is effectively just a re-release of SVGO v2.8.1, but with *.test.js files omitted. It seems something was wrong with the configuration in the v2.8.0 tag and I hadn't noticed it included a few extra files. 😅

We'll deprecate v2.8.1, and I'll include the change log here.

What's Changed

Dependencies

  • Migrates from our unsupported fork of sax (@trysound/sax) to the upstream version of sax (sax).

Bug Fixes

  • No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

...

Description has been truncated

| | v2.8.0 | v2.8.2 | Delta |
| --- | --- | --- | --- |
| svgo.browser.js | 587.2 kB | 589.2 kB | |
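The GET-request gate described in the @apollo/server 5.5.0 release note above, as an added example that is not Apollo Server's own code: a request is modelled as `{ method, headers }`, the 415 for a non-JSON Content-Type is the note's, and the 400 used here for a GET that carries neither CSRF prevention header is an assumption of this example.

```javascript
// Added example modelling the @apollo/server 5.5.0 rule for GET requests:
//  - a Content-Type other than application/json (parameters ignored) -> 415
//  - no Content-Type -> allowed, but with CSRF prevention enabled the request
//    must carry a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight
// The 400 for the missing-header case is this example's assumption.

const JSON_MEDIA_TYPE = 'application/json';
const CSRF_HEADERS = ['x-apollo-operation-name', 'apollo-require-preflight'];

// Lower-case header names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Media type of a Content-Type value, with parameters such as "; charset=utf-8"
// dropped and the type lower-cased. Returns null when the header is absent.
// An empty value counts as present (and is therefore rejected); an assumption here.
function mediaTypeOf(contentType) {
  if (contentType === undefined || contentType === null) return null;
  return String(contentType).split(';')[0].trim().toLowerCase();
}

function hasNonEmptyHeader(headers, name) {
  const value = headers[name];
  return typeof value === 'string' && value.trim() !== '';
}

// Decide what happens to one request. Returns { status, reason }.
function gateRequest(request, { csrfPrevention = true } = {}) {
  if (request.method !== 'GET') {
    return { status: 200, reason: 'not a GET; the 5.5.0 rule does not apply' };
  }
  const headers = normalizeHeaders(request.headers);
  const type = mediaTypeOf(headers['content-type']);
  if (type !== null && type !== JSON_MEDIA_TYPE) {
    return { status: 415, reason: `GET with Content-Type "${type}" is rejected` };
  }
  const hasCsrfHeader = CSRF_HEADERS.some((h) => hasNonEmptyHeader(headers, h));
  if (type === null && csrfPrevention && !hasCsrfHeader) {
    return {
      status: 400,
      reason: 'GET without Content-Type needs a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header',
    };
  }
  return { status: 200, reason: 'accepted' };
}

// Constructed sample requests covering each branch of the rule.
const SAMPLE_REQUESTS = [
  { name: 'json-get', method: 'GET', headers: { 'Content-Type': 'application/json; charset=utf-8' } },
  { name: 'plain-get', method: 'GET', headers: { 'Content-Type': 'text/plain' } },
  { name: 'bare-get', method: 'GET', headers: {} },
  { name: 'named-get', method: 'GET', headers: { 'X-Apollo-Operation-Name': 'Viewer' } },
  { name: 'empty-name-get', method: 'GET', headers: { 'X-Apollo-Operation-Name': '' } },
  { name: 'post', method: 'POST', headers: { 'Content-Type': 'text/plain' } },
];

// Map each sample request name to the status the gate assigns it.
function gateAll(requests, options) {
  const results = {};
  for (const req of requests) results[req.name] = gateRequest(req, options).status;
  return results;
}

console.log(gateAll(SAMPLE_REQUESTS));
```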
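The path guard described in the lodash 4.18.0 security note for _.unset above, as an added example that is not lodash's own code: a naive variant that compares raw path segments sits beside a hardened one that coerces segments to strings before checking them. Blocking __proto__ alongside constructor and prototype is an assumption of this example, and the Widget and Gadget classes are constructed for the demonstration so no built-in prototype is touched.

```javascript
// Added example modelling the guard from the lodash 4.18.0 note on _.unset:
// 'constructor' and 'prototype' are refused as non-terminal path keys, keys are
// coerced to strings first so an array-wrapped segment such as ['constructor']
// cannot evade the comparison, and primitive roots are boxed before walking.
// '__proto__' is added to the block list here as an assumption of this example.

const BLOCKED_NON_TERMINAL = new Set(['constructor', 'prototype', '__proto__']);

// Stringify a segment the way a property access would: ['constructor'] -> 'constructor'.
function toKey(segment) {
  return typeof segment === 'symbol' ? segment : String(segment);
}

// Accept 'a.b.c' or an array of segments. Array segments are left raw so the
// naive variant below can show why comparing them raw is not enough.
function castPath(path) {
  return Array.isArray(path) ? path.slice() : String(path).split('.');
}

// Shared walker: visits every non-terminal key, refusing any that isBlocked()
// flags, then deletes the terminal key from the parent it reached. Returns false
// when refused (or for an empty path), true otherwise; like lodash, a missing
// parent counts as "nothing to delete" and yields true.
function unsetWith(root, segments, isBlocked) {
  if (segments.length === 0) return false;
  let current = root === null || root === undefined ? undefined : Object(root);
  for (let i = 0; i < segments.length - 1; i += 1) {
    if (isBlocked(segments[i])) return false;
    if (current === null || current === undefined) return true;
    current = current[segments[i]]; // property access coerces an array key to a string
  }
  if (current === null || current === undefined) return true;
  if (typeof current !== 'object' && typeof current !== 'function') return true;
  return delete current[toKey(segments[segments.length - 1])];
}

// Naive variant: compares the raw segment, so a segment that is an array never
// equals the string 'constructor' even though current[['constructor']] reads
// current.constructor. This is the class of bypass the note describes.
function naiveUnset(root, path) {
  return unsetWith(root, castPath(path), (s) => s === 'constructor' || s === 'prototype');
}

// Hardened variant: coerce every segment first, then compare against the block list.
function safeUnset(root, path) {
  return unsetWith(root, castPath(path).map(toKey), (s) => BLOCKED_NON_TERMINAL.has(s));
}

// Constructed demonstration: the same array-wrapped path against two throwaway
// classes, one per variant, so the outcome of each can be inspected.
function demo() {
  const wrappedPath = [['constructor'], ['prototype'], 'render'];

  class Widget { render() { return 'ok'; } }
  const naiveResult = naiveUnset(new Widget(), wrappedPath);
  const naiveStillHasRender = typeof Widget.prototype.render === 'function';

  class Gadget { render() { return 'ok'; } }
  const safeResult = safeUnset(new Gadget(), wrappedPath);
  const safeStillHasRender = typeof Gadget.prototype.render === 'function';

  return { naiveResult, naiveStillHasRender, safeResult, safeStillHasRender };
}

console.log(demo());
```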

Bumps the npm_and_yarn group with 3 updates in the / directory: [tar](https://github.com/isaacs/node-tar), [@apollo/server](https://github.com/apollographql/apollo-server/tree/HEAD/packages/server) and [dompurify](https://github.com/cure53/DOMPurify).
Bumps the npm_and_yarn group with 2 updates in the /cypress directory: [lodash](https://github.com/lodash/lodash) and [brace-expansion](https://github.com/juliangruber/brace-expansion).
Bumps the npm_and_yarn group with 7 updates in the /microsite directory:

| Package | From | To |
| --- | --- | --- |
| [tar](https://github.com/isaacs/node-tar) | `6.1.13` | `6.2.1` |
| [yaml](https://github.com/eemeli/yaml) | `1.10.2` | `1.10.3` |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.11` | `1.1.13` |
| [immutable](https://github.com/immutable-js/immutable-js) | `4.2.2` | `4.3.8` |
| [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` |
| [serialize-javascript](https://github.com/yahoo/serialize-javascript) | `6.0.1` | `6.0.2` |
| [svgo](https://github.com/svg/svgo) | `2.8.0` | `2.8.2` |

Bumps the npm_and_yarn group with 1 update in the /packages/backend-common directory: [tar](https://github.com/isaacs/node-tar).
Bumps the npm_and_yarn group with 1 update in the /packages/cli directory: [tar](https://github.com/isaacs/node-tar).
Bumps the npm_and_yarn group with 1 update in the /plugins/catalog-graphql directory: [@apollo/server](https://github.com/apollographql/apollo-server/tree/HEAD/packages/server).
Bumps the npm_and_yarn group with 1 update in the /plugins/gcalendar directory: [dompurify](https://github.com/cure53/DOMPurify).
Bumps the npm_and_yarn group with 1 update in the /plugins/graphql-backend directory: [@apollo/server](https://github.com/apollographql/apollo-server/tree/HEAD/packages/server).
Bumps the npm_and_yarn group with 1 update in the /plugins/microsoft-calendar directory: [dompurify](https://github.com/cure53/DOMPurify).
Bumps the npm_and_yarn group with 1 update in the /plugins/techdocs directory: [dompurify](https://github.com/cure53/DOMPurify).
Bumps the npm_and_yarn group with 7 updates in the /storybook directory:

| Package | From | To |
| --- | --- | --- |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` |
| [tar](https://github.com/isaacs/node-tar) | `6.1.11` | `6.2.1` |
| [yaml](https://github.com/eemeli/yaml) | `1.10.2` | `1.10.3` |
| [handlebars](https://github.com/handlebars-lang/handlebars.js) | `4.7.7` | `4.7.9` |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.11` | `1.1.13` |
| [flatted](https://github.com/WebReflection/flatted) | `3.2.6` | `3.4.2` |
| [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` |



Updates `tar` from 6.1.15 to 7.5.11
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.1.15...v7.5.11)

Updates `@apollo/server` from 4.8.1 to 5.5.0
- [Release notes](https://github.com/apollographql/apollo-server/releases)
- [Changelog](https://github.com/apollographql/apollo-server/blob/main/packages/server/CHANGELOG.md)
- [Commits](https://github.com/apollographql/apollo-server/commits/@apollo/server@5.5.0/packages/server)

Updates `dompurify` from 2.4.5 to 3.3.2
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@2.4.5...3.3.2)

Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `brace-expansion` from 1.1.11 to 1.1.13
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.13)

Updates `tar` from 6.1.13 to 6.2.1
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.1.15...v7.5.11)

Updates `yaml` from 1.10.2 to 1.10.3
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v1.10.2...v1.10.3)

Updates `brace-expansion` from 1.1.11 to 1.1.13
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.13)

Updates `immutable` from 4.2.2 to 4.3.8
- [Release notes](https://github.com/immutable-js/immutable-js/releases)
- [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md)
- [Commits](immutable-js/immutable-js@v4.2.2...v4.3.8)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `serialize-javascript` from 6.0.1 to 6.0.2
- [Release notes](https://github.com/yahoo/serialize-javascript/releases)
- [Commits](yahoo/serialize-javascript@v6.0.1...v6.0.2)

Updates `svgo` from 2.8.0 to 2.8.2
- [Release notes](https://github.com/svg/svgo/releases)
- [Commits](svg/svgo@v2.8.0...v2.8.2)

Updates `tar` from 6.2.1 to 7.5.13
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.1.15...v7.5.11)

Updates `tar` from 6.2.1 to 7.5.13
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.1.15...v7.5.11)

Updates `@apollo/server` from 4.13.0 to 5.5.0
- [Release notes](https://github.com/apollographql/apollo-server/releases)
- [Changelog](https://github.com/apollographql/apollo-server/blob/main/packages/server/CHANGELOG.md)
- [Commits](https://github.com/apollographql/apollo-server/commits/@apollo/server@5.5.0/packages/server)

Updates `dompurify` from 2.5.9 to 3.3.3
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@2.4.5...3.3.2)

Updates `@apollo/server` from 4.13.0 to 5.5.0
- [Release notes](https://github.com/apollographql/apollo-server/releases)
- [Changelog](https://github.com/apollographql/apollo-server/blob/main/packages/server/CHANGELOG.md)
- [Commits](https://github.com/apollographql/apollo-server/commits/@apollo/server@5.5.0/packages/server)

Updates `dompurify` from 2.5.9 to 3.3.3
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@2.4.5...3.3.2)

Updates `dompurify` from 2.5.9 to 3.3.3
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@2.4.5...3.3.2)

Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `tar` from 6.1.11 to 6.2.1
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.1.15...v7.5.11)

Updates `yaml` from 1.10.2 to 1.10.3
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v1.10.2...v1.10.3)

Updates `handlebars` from 4.7.7 to 4.7.9
- [Release notes](https://github.com/handlebars-lang/handlebars.js/releases)
- [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md)
- [Commits](handlebars-lang/handlebars.js@v4.7.7...v4.7.9)

Updates `brace-expansion` from 1.1.11 to 1.1.13
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.13)

Updates `flatted` from 3.2.6 to 3.4.2
- [Commits](WebReflection/flatted@v3.2.6...v3.4.2)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.11
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@apollo/server"
  dependency-version: 5.5.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.3.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 6.2.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: yaml
  dependency-version: 1.10.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: immutable
  dependency-version: 4.3.8
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: serialize-javascript
  dependency-version: 6.0.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: svgo
  dependency-version: 2.8.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.13
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.13
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@apollo/server"
  dependency-version: 5.5.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.3.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@apollo/server"
  dependency-version: 5.5.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.3.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.3.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 6.2.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: yaml
  dependency-version: 1.10.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: handlebars
  dependency-version: 4.7.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Apr 9, 2026
@codesandbox

codesandbox Bot commented Apr 9, 2026

Review or Edit in CodeSandbox

@entelligence-ai-pr-reviews

entelligence-ai-pr-reviews Bot commented Apr 9, 2026

EntelligenceAI PR Summary

Broad dependency upgrade across the monorepo targeting security patches and major version updates for several packages.

  • tar: bumped from v6 to v7.5.x in backend-common, cli, and lock files
  • @apollo/server: bumped from v4 to v5.5.0 in catalog-graphql and graphql-backend plugins, with cascading updates to @apollo/utils.*, @apollo/server-gateway-interface, @graphql-tools/schema, and transitive runtime dependencies
  • dompurify: bumped from v2 to v3.3.x in gcalendar, microsoft-calendar, and techdocs plugins
  • Transitive upgrades in workspace lock files: brace-expansion, lodash, immutable, minipass, picomatch, serialize-javascript, svgo, yaml, handlebars, flatted
  • microsite/yarn.lock: replaces @trysound/sax with sax as transitive dependency of svgo
  • storybook/yarn.lock: adds minipass@^5.0.0, removes neo-async resolution alias
  • Root yarn.lock adds numerous new transitive dependencies required by Apollo Server v5 and pins legacy Backstage packages for plugin-gitops-profiles

Confidence Score: 2/5 - Changes Needed

Not safe to merge — while this PR makes valuable security improvements (tar v6→v7, dompurify v2→v3), the @apollo/server bump from ^4.0.0 to ^5.5.0 in plugins/graphql-backend/package.json and catalog-graphql represents a major breaking change where no corresponding source-level migrations are included to address the changed expressMiddleware signature, context function shape, and plugin API. This creates a high probability of build or runtime failures in the GraphQL backend services. The dependency version increments themselves are straightforward, but shipping a major Apollo Server upgrade without updating the integration code is a recipe for a broken deployment.

Key Findings:

  • The @apollo/server major version upgrade (v4→v5) in plugins/graphql-backend/package.json introduces breaking API changes — including the expressMiddleware context function signature and plugin lifecycle hooks — none of which are reflected in updated source files within this PR, meaning the code will almost certainly fail to compile or crash at runtime.
  • The same @apollo/server v4→v5 breaking change applies to catalog-graphql, with cascading updates to @apollo/utils.* and @apollo/server-gateway-interface that may have their own API surface changes not accounted for in the plugin integration code.
  • The tar v6→v7 and dompurify v2→v3 upgrades appear to be legitimate security patches and are lower risk, as these are typically used as utility dependencies without deep API surface exposure in application code.

Files requiring special attention:
  • plugins/graphql-backend/package.json
  • plugins/catalog-graphql/package.json
  • plugins/graphql-backend/src/service/router.ts
  • plugins/catalog-graphql/src/service/router.ts


@entelligence-ai-pr-reviews entelligence-ai-pr-reviews Bot left a comment


Walkthrough

This PR performs a broad dependency upgrade sweep across the monorepo, bumping several packages to newer major versions: tar (v6→v7), @apollo/server (v4→v5), dompurify (v2→v3), and various transitive dependencies (brace-expansion, lodash, immutable, minipass, picomatch, serialize-javascript, svgo, yaml, handlebars, flatted). Lock files across all workspaces are updated accordingly to reflect the new resolved versions and integrity hashes.

Changes

| File(s) | Summary |
|---|---|
| packages/backend-common/package.json, packages/cli/package.json | Bumps tar dependency from ^6.1.12 to ^7.5.13. |
| plugins/catalog-graphql/package.json, plugins/graphql-backend/package.json | Bumps @apollo/server dependency from ^4.0.0 to ^5.5.0. |
| plugins/gcalendar/package.json, plugins/microsoft-calendar/package.json, plugins/techdocs/package.json | Bumps dompurify dependency from ^2.x to ^3.3.3. |
| yarn.lock | Updates resolved versions for @apollo/server (v4→v5.5.0) with cascading updates to @apollo/utils.*, @apollo/server-gateway-interface, @graphql-tools/schema, and transitive replacements (finalhandler, body-parser@2.x, negotiator, uuid@11); upgrades tar to v7.5.11 and dompurify to v3.3.2; adds numerous new transitive dependencies; pins legacy Backstage packages for plugin-gitops-profiles. |
| cypress/yarn.lock | Bumps brace-expansion (1.1.11→1.1.13) and lodash (4.17.21→4.18.1) with updated integrity hashes. |
| microsite/yarn.lock | Bumps brace-expansion (→1.1.13), immutable (→4.3.8), minipass (→5.0.0), picomatch (→2.3.2), serialize-javascript (→6.0.2), svgo (→2.8.2), tar (→6.2.1), and yaml (→1.10.3); replaces @trysound/sax@0.2.0 with sax@1.6.0. |
| storybook/yarn.lock | Bumps brace-expansion (→1.1.13), flatted (→3.4.2), handlebars (→4.7.9), lodash (→4.18.1), picomatch (→2.3.2), tar (→6.2.1), and yaml (→1.10.3); adds minipass@^5.0.0 entry; removes neo-async@^2.6.0 resolution alias. |

Sequence Diagram

This diagram shows the interactions between components:

```mermaid
sequenceDiagram
    title Dependency Architecture Changes: Apollo Server v5 & tar v7 Upgrades

    participant App as Backstage App
    participant GraphQLBackend as graphql-backend plugin
    participant CatalogGraphQL as catalog-graphql plugin
    participant ApolloV5 as "@apollo/server v5"
    participant ApolloV4 as "@apollo/server v4 (removed)"
    participant FinalHandler as "finalhandler v2"
    participant BodyParserV2 as "body-parser v2"
    participant ExpressV4 as "express v4 (removed)"
    participant BackendCommon as "backend-common"
    participant CLI as "packages/cli"
    participant TarV7 as "tar v7"
    participant TarV6 as "tar v6"
    participant MinipassV7 as "minipass v7"
    participant FSMinipass as "@isaacs/fs-minipass v4"

    Note over App, ExpressV4: BEFORE: Apollo Server v4 used Express as HTTP layer
    App->>GraphQLBackend: initialize GraphQL server
    GraphQLBackend->>ApolloV4: create ApolloServer
    ApolloV4->>ExpressV4: mount middleware
    ApolloV4->>ApolloV4: use node-fetch, lru-cache v7
    ApolloV4->>ApolloV4: use @josephg/resolvable, node-abort-controller

    Note over App, FSMinipass: AFTER: Apollo Server v5 uses standalone HTTP handler
    App->>GraphQLBackend: initialize GraphQL server
    GraphQLBackend->>ApolloV5: create ApolloServer (^5.5.0)
    activate ApolloV5
    ApolloV5->>FinalHandler: handle HTTP lifecycle
    ApolloV5->>BodyParserV2: parse request bodies
    ApolloV5->>ApolloV5: use lru-cache v11, uuid v11
    ApolloV5->>ApolloV5: use negotiator v1, whatwg-mimetype v4
    ApolloV5->>ApolloV5: use @graphql-tools/schema v10
    ApolloV5-->>GraphQLBackend: server ready (no Express dependency)
    deactivate ApolloV5

    App->>CatalogGraphQL: initialize catalog GraphQL
    CatalogGraphQL->>ApolloV5: create ApolloServer (^5.5.0)

    Note over BackendCommon, FSMinipass: tar v6 -> v7 upgrade chain
    App->>BackendCommon: extract archive
    BackendCommon->>TarV6: tar ^6.1.12 (old)
    Note over TarV6: uses minipass v4, yallist v4, chownr v2
    App->>BackendCommon: extract archive
    activate BackendCommon
    BackendCommon->>TarV7: tar ^7.5.13 (new)
    activate TarV7
    TarV7->>FSMinipass: @isaacs/fs-minipass v4
    TarV7->>MinipassV7: minipass v7.1.2
    TarV7->>TarV7: yallist v5, chownr v3, minizlib v3
    TarV7-->>BackendCommon: archive extracted
    deactivate TarV7
    deactivate BackendCommon

    App->>CLI: build/package commands
    CLI->>TarV7: tar ^7.5.13 (upgraded from v6)

    Note over App, FSMinipass: Security-motivated plugin version pinning
    participant GitOpsPlugin as "gitops-profiles plugin"
    participant CorePluginAPI as "core-plugin-api (workspace)"

    App->>GitOpsPlugin: load plugin
    GitOpsPlugin->>GitOpsPlugin: pinned @backstage/config@0.1.1
    GitOpsPlugin->>GitOpsPlugin: pinned @backstage/core-components@0.1.0
    GitOpsPlugin->>GitOpsPlugin: pinned @backstage/core-plugin-api@0.1.0
    GitOpsPlugin->>GitOpsPlugin: pinned @backstage/theme@0.1.1

    App->>CorePluginAPI: load core-plugin-api
    CorePluginAPI->>CorePluginAPI: pinned @backstage/config@0.1.1
    CorePluginAPI->>CorePluginAPI: pinned @backstage/version-bridge@0.1.0

    Note over App, FSMinipass: dompurify v2 -> v3 across plugins
    participant TechDocs as "techdocs plugin"
    participant GCalendar as "gcalendar plugin"
    participant MSCalendar as "microsoft-calendar plugin"
    participant DomPurifyV3 as "dompurify v3.3.3"

    TechDocs->>DomPurifyV3: sanitize HTML (upgraded from ^2.2.9)
    GCalendar->>DomPurifyV3: sanitize HTML (upgraded from ^2.3.6)
    MSCalendar->>DomPurifyV3: sanitize HTML (upgraded from ^2.3.6)
    Note over DomPurifyV3: Now requires @types/trusted-types v2
```


@@ -33,7 +33,7 @@
"clean": "backstage-cli package clean"

Correctness: Bumping @apollo/server from ^4.0.0 to ^5.5.0 is a major version upgrade with breaking API changes (e.g., expressMiddleware signature, context function shape, plugin API), but no source files in this PR are updated to reflect those changes, which will likely cause build or runtime failures.

Affected Locations:

  • plugins/graphql-backend/package.json:33-33
  • plugins/catalog-graphql/package.json:38-38
AI Agent Prompt for Cursor/Windsurf:

In plugins/graphql-backend/package.json line 33, the @apollo/server dependency is being bumped from ^4.0.0 to ^5.5.0. Apollo Server v5 introduced breaking changes compared to v4, including changes to expressMiddleware, context function signatures, and the plugin API. No TypeScript source files in plugins/graphql-backend/src/ are being updated in this PR to accommodate these breaking changes. Please review the Apollo Server v5 migration guide (https://www.apollographql.com/docs/apollo-server/migration/) and update all usages of Apollo Server APIs in the plugin source code accordingly before merging this dependency bump.

@augmentcode

augmentcode Bot commented Apr 9, 2026

🤖 Augment PR Summary

Summary: This PR updates a set of npm/yarn dependencies across multiple workspaces (root, plugins, and packages), primarily as a dependency/security maintenance bump.

Changes:

  • Bumped tar to the v7 series in packages/backend-common and packages/cli.
  • Bumped @apollo/server from v4 to v5 in the GraphQL-related plugins (catalog-graphql, graphql-backend).
  • Bumped dompurify from v2 to v3 in several frontend plugins (calendar plugins, TechDocs).
  • Lockfiles were updated accordingly in multiple directories (excluded from this review).

Technical Notes:

  • Several of these are major-version upgrades and may change supported Node.js versions and integration entrypoints.
  • The Apollo Server upgrade in particular is security-motivated per upstream release notes, but requires validating runtime/framework compatibility.



@augmentcode augmentcode Bot left a comment


Review completed. 2 suggestions posted.


"selfsigned": "^2.0.0",
"stoppable": "^1.1.0",
"tar": "^6.1.12",
"tar": "^7.5.13",
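Review bot: the change from `"tar": "^6.1.12"` to `"tar": "^7.5.13"` in this hunk (the two adjacent `"tar"` lines are the removed and added versions, rendered here without `-`/`+` markers) is a major-version jump, yet nothing in the hunk touches the workspace's `engines` field. With tar@7 declaring Node >=18 while the root package.json still advertises Node 16 || 18, as the comment below reports, a Node 16 install of this workspace can break; either raise the root Node floor in the same change, or keep this workspace on the 6.x line that the same PR resolves for its indirect tar dependencies (6.2.1 in /microsite and /storybook) until the floor moves.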

tar@7 declares engines: { node: ">=18" }, but this repo’s root package.json currently allows Node 16 || 18; this upgrade can break installs/runs for Node 16 users/CI. Other locations where this applies: packages/cli/package.json:130.

Severity: high

Other Locations
  • packages/cli/package.json:130


@@ -33,7 +33,7 @@
"clean": "backstage-cli package clean"
},
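Review bot: only the unchanged `"clean"` script line and the `},` closing the scripts block are visible from this hunk; the changed line it belongs to is the `@apollo/server` range on line 33 of this file, which the comment below identifies as ^4.0.0 to ^5.5.0. That bump should not land as a dependency-only change: the same comment reports that v5 removes the `@apollo/server/express4` entry point imported by plugins/graphql-backend/src/service/router.ts, so the router migration has to be part of the same change and the workspace should be type-checked before merge. Splitting the two Apollo bumps out of the grouped PR lets the remaining patch-level updates merge on their own.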

@apollo/server@5 drops Node 16/18 support (Node 20+ only per upstream) and also removes the built-in Express v4 integration import (@apollo/server/express4), which is currently used in plugins/graphql-backend/src/service/router.ts. This dependency bump is therefore very likely to break both runtime Node compatibility and the Express middleware wiring. Other locations where this applies: plugins/catalog-graphql/package.json:36.

Severity: high

Other Locations
  • plugins/catalog-graphql/package.json:36

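The two review findings above (the entelligence point that tar, @apollo/server and dompurify crossed a major version with no accompanying source changes, and the augmentcode point that tar@7's engines field excludes Node 16 while the root package.json still allows it) are exactly what a CI gate on the package.json diff can catch before a grouped Dependabot PR reaches a human. The script below is an added example, not code from the Backstage repository, Dependabot, or either review bot. The before/after version pairs are constructed from the ranges visible on this page, the two engines strings are taken from the augmentcode comment as assumptions, and the range parser handles only the syntaxes that occur here, not the full `semver` grammar.

```javascript
'use strict';
// Added example (not code from the Backstage repo, Dependabot, or the review
// bots quoted above). It triages a grouped dependency PR with two checks:
//   1. which declared ranges crossed a major version (need a migration review),
//   2. whether a dependency's engines.node still covers the repo's own
//      declared Node range.
// The range parser is deliberately small: it understands only the forms that
// appear in this PR ("4.17.21", "^7.5.13", "~1.2.3", ">=18", "16 || 18"),
// not the full semver grammar. Real tooling should use the `semver` package.

// "M", "M.m", "M.m.p" (optional leading "v") -> [major, minor, patch].
function parseVersion(text) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(text.trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return [Number(m[1]), Number(m[2] ?? 0), Number(m[3] ?? 0)];
}

// One range alternative -> half-open interval of majors it admits.
//   "18", "^18.0.0", "~18.1.0" -> [18, 19)    ">=18", ">=18.0.0" -> [18, Infinity)
function majorInterval(alt) {
  const a = alt.trim();
  if (a.startsWith('>=')) return { lo: parseVersion(a.slice(2))[0], hi: Infinity };
  if (a.startsWith('^') || a.startsWith('~')) {
    const lo = parseVersion(a.slice(1))[0];
    return { lo, hi: lo + 1 };
  }
  if (/^\d/.test(a)) {
    const lo = parseVersion(a)[0];
    return { lo, hi: lo + 1 };
  }
  throw new Error(`unsupported range syntax: ${alt}`);
}

// "16 || 18" -> [ [16,17), [18,19) ]
function rangeIntervals(range) {
  return range.split('||').map(majorInterval);
}

// Majors admitted by `declared` that `required` does not admit, as intervals.
// An empty result means every Node major the repo promises is also accepted
// by the dependency's engines field.
function engineConflicts(declared, required) {
  const req = rangeIntervals(required).sort((x, y) => x.lo - y.lo);
  const uncovered = [];
  for (const d of rangeIntervals(declared)) {
    let cursor = d.lo;                        // next major still to be covered
    for (const r of req) {
      if (r.hi <= cursor) continue;           // lies entirely below the cursor
      if (r.lo > cursor) {                    // gap before this required interval
        uncovered.push({ lo: cursor, hi: Math.min(r.lo, d.hi) });
      }
      cursor = Math.max(cursor, r.hi);
      if (cursor >= d.hi) break;
    }
    if (cursor < d.hi) uncovered.push({ lo: cursor, hi: d.hi });
  }
  return uncovered;
}

// Names whose declared range moved to a different major between two
// package.json dependency maps (the first alternative of each range is compared).
function majorBumps(before, after) {
  const out = [];
  for (const [name, newRange] of Object.entries(after)) {
    const oldRange = before[name];
    if (oldRange === undefined) continue;     // newly added, nothing to compare
    const oldMajor = majorInterval(oldRange.split('||')[0]).lo;
    const newMajor = majorInterval(newRange.split('||')[0]).lo;
    if (oldMajor !== newMajor) out.push({ name, from: oldRange, to: newRange });
  }
  return out;
}

// Constructed from the version changes visible in this PR, not read from the repo.
const BEFORE = { '@apollo/server': '^4.0.0', dompurify: '^2.3.6', lodash: '4.17.21', tar: '^6.1.12', yaml: '1.10.2' };
const AFTER  = { '@apollo/server': '^5.5.0', dompurify: '^3.3.3', lodash: '4.18.1',  tar: '^7.5.13', yaml: '1.10.3' };

// Assumed engines values: the root package.json range quoted by the augmentcode
// comment, and tar@7's engines.node as that comment reports it.
const REPO_NODE = '16 || 18';
const TAR7_NODE = '>=18';

function triage() {
  return {
    needsMigrationReview: majorBumps(BEFORE, AFTER).map((b) => `${b.name} ${b.from} -> ${b.to}`),
    nodeMajorsNotSupportedByTar7: engineConflicts(REPO_NODE, TAR7_NODE),
  };
}

console.log(JSON.stringify(triage(), null, 2));
```

Run it with `node triage.js`. A non-empty `needsMigrationReview` or `nodeMajorsNotSupportedByTar7` is the signal to split the major bumps out of the grouped PR and let the patch-level updates (lodash, yaml, picomatch and the like) merge on their own. Because a grouped Dependabot PR carries every bump in a single commit, the check belongs on the package.json diff rather than on the lockfile, where a transitive 6.x tar and a direct 7.x tar coexist without any error.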

@github-actions

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

@github-actions github-actions Bot added the stale label Apr 16, 2026
@github-actions github-actions Bot closed this Apr 22, 2026
@dependabot @github

dependabot Bot commented on behalf of github Apr 22, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-1c6b1a6498 branch April 22, 2026 01:07

Labels

area:catalog, area:techdocs, dependencies (Pull requests that update a dependency file), javascript (Pull requests that update javascript code), microsite, stale
