chore(deps): bump the npm_and_yarn group across 2 directories with 5 updates by dependabot[bot] · Pull Request #273 · mapcomponents/react-map-components-maplibre

dependabot · 2026-04-29T07:14:30Z

Bumps the npm_and_yarn group with 4 updates in the / directory: glob, vite, lodash and jspdf.
Bumps the npm_and_yarn group with 1 update in the /packages/react-maplibre directory: jspdf.

Updates glob from 11.0.3 to 12.0.0

Changelog

Sourced from glob's changelog.

changeglob

13

Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)

Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.

Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

Drop support for node before v20

10.4

Add includeChildMatches: false option

Export the Ignore class

10.3

Add --default -p flag to provide a default pattern

exclude symbolic links to directories when follow and nodir are both set

10.2

Add glob cli

10.1

Return '.' instead of the empty string '' when the current working directory is returned as a match.

Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

2b03cca 12.0.0
d56203d prettier config
bb521e5 Remove --shell option where unsafe to use
2551fb5 11.1.0
47473c0 bin: Do not expose filenames to shell expansion
bc33fe1 skip tilde test on systems that lack tilde expansion
59bf9ca fix notes
dde4fa6 docs(README): add #anchor and improve notes
0559b0e docs: add better links to path-scurry docs
c9773c2 fix: correct typos in README.md
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for glob since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates vite from 7.1.4 to 7.3.2

Release notes

Sourced from vite's releases.

v7.3.2

Please refer to CHANGELOG.md for details.

v7.3.1

Please refer to CHANGELOG.md for details.

v7.3.0

Please refer to CHANGELOG.md for details.

v7.2.7

Please refer to CHANGELOG.md for details.

v7.2.6

Please refer to CHANGELOG.md for details.

v7.2.5

Please refer to CHANGELOG.md for details.

Note: 7.2.5 failed to publish so it is skipped on npm

v7.2.4

Please refer to CHANGELOG.md for details.

v7.2.3

Please refer to CHANGELOG.md for details.

v7.2.2

Please refer to CHANGELOG.md for details.

plugin-legacy@7.2.1

Please refer to CHANGELOG.md for details.

v7.2.1

Please refer to CHANGELOG.md for details.

plugin-legacy@7.2.0

Please refer to CHANGELOG.md for details.

v7.2.0

Please refer to CHANGELOG.md for details.

v7.2.0-beta.1

Please refer to CHANGELOG.md for details.

v7.2.0-beta.0

Please refer to CHANGELOG.md for details.

v7.1.12

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

7.3.2 (2026-04-06)

Bug Fixes

avoid path traversal with optimize deps sourcemap handler (#22161) (09d8c90)

backport #22159, apply server.fs check to env transport (#22162) (19db0f2)

check server.fs after stripping query as well (#22160) (f8103cc)

7.3.1 (2026-01-07)

Features

add ignoreOutdatedRequests option to optimizeDeps (#21364) (9d39d37)

7.3.0 (2025-12-15)

Features

deps: update esbuild from ^0.25.0 to ^0.27.0 (#21183) (cff26ec)

7.2.7 (2025-12-08)

Bug Fixes

plugin shortcut support (#21211) (721f163)

7.2.6 (2025-12-01)

7.2.5 (2025-12-01)

Bug Fixes

config: handle shebang properly (#21158) (df5a30d)

deps: update all non-major dependencies (#21146) (a3cd262)

deps: update all non-major dependencies (#21175) (72e398a)

fix external: true merging (#21164) (5ef557a)

shortcuts not rebound after server restart (#21166) (3765f7b)

Performance Improvements

deps: replace debug with obug (#21137) (203a551)

Documentation

clarify manifest.json imports field is JS chunks only (#21136) (46d3077)

Miscellaneous Chores

deps: update rolldown-related dependencies (#21174) (74559c9)

7.2.4 (2025-11-20)

Bug Fixes

revert "perf(deps): replace debug with obug (#21107)" (2d66b7b)

7.2.3 (2025-11-20)

... (truncated)

Commits

cc383e0 release: v7.3.2
09d8c90 fix: avoid path traversal with optimize deps sourcemap handler (#22161)
f8103cc fix: check server.fs after stripping query as well (#22160)
19db0f2 fix: backport #22159, apply server.fs check to env transport (#22162)
95e8923 release: v7.3.1
9d39d37 feat: add ignoreOutdatedRequests option to optimizeDeps (#21364)
acf7e05 release: v7.3.0
cff26ec feat(deps): update esbuild from ^0.25.0 to ^0.27.0 (#21183)
317b3b2 release: v7.2.7
721f163 fix: plugin shortcut support (#21211)
Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

lodash: lodash/lodash@4.18.0-npm...4.18.1-npm

lodash-es: lodash/lodash@4.18.0-es...4.18.1-es

lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd

lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

Add security notice for _.template in threat model and API docs (#6099)

Document lower > upper behavior in _.random (#6115)

Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

lodash.orderby

lodash.tonumber

lodash.trim

lodash.trimend

lodash.sortedindexby

lodash.zipobjectdeep

lodash.unset

lodash.omit

lodash.template

Commits

cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
75535f5 chore: prune stale advisory refs (#6170)
62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
59be2de release(minor): bump to 4.18.0 (#6161)
af63457 fix: broken tests for _.template 879aaa9
1073a76 fix: linting issues
879aaa9 fix: validate imports keys in _.template
fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
b819080 ci: add dist sync validation workflow (#6137)
Additional commits viewable in compare view

Updates jspdf from 3.0.2 to 4.2.1

Release notes

Sourced from jspdf's releases.

v4.2.1

This release fixes two security issues.

What's Changed

Fix HTML Injection in output methods vulnerability.

Fix PDF Object Injection via free text annotation color vulnerability.

Full Changelog: parallax/jsPDF@v4.2.0...v4.2.1

v4.2.0

This release fixes three security issues.

What's Changed

Fix PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton children) vulnerability.

Fix Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions vulnerability.

Fix PDF Object Injection via Unsanitized Input in addJS Method vulnerability.

Add "default" property to export section in package.json by @stefan-schweiger in parallax/jsPDF#3953

New Contributors

@stefan-schweiger made their first contribution in parallax/jsPDF#3953

Full Changelog: parallax/jsPDF@v4.1.0...v4.2.0

v4.1.0

This release fixes several security issues.

What's Changed

Upgrade optional dompurify dependency to 3.3.1 in parallax/jsPDF#3948

Fix PDF Injection in AcroForm module allows Arbitrary JavaScript Execution vulnerability

Fix Stored XMP Metadata Injection (Spoofing & Integrity Violation) vulnerability

Fix Shared State Race Condition in addJS Method vulnerability

Fix Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder vulnerability

Full Changelog: parallax/jsPDF@v4.0.0...v4.1.0

v4.0.0

This release fixes a critical path traversal/local file inclusion security vulnerability in the jsPDF Node.js build. File system access is now restricted by default and can be enabled by either using node's --permission flag or the new jsPDF.allowFsRead property.

There are no other breaking changes.

v3.0.4

This release includes a bunch of bugfixes. Thanks to all contributors!

What's Changed

[Snyk] Upgrade @babel/runtime from 7.28.3 to 7.28.4 by @MrRio in parallax/jsPDF#3895

fix: cell function now properly accepts align parameter by @vishal-rathod-07 in parallax/jsPDF#3896

Remove duplicated function "ga" from WebPDecoder.js by @jvdp in parallax/jsPDF#3902

Fix font state management issue #3890 by @srikanth-s2003 in parallax/jsPDF#3891

Fix pages property to always return current array reference ( #3898 ) by @Opineppes in parallax/jsPDF#3899

Fix jsPDF + Vite compatibility issue #3851 by @tishajain25 in parallax/jsPDF#3903

... (truncated)

Commits

4562ce8 4.2.1
4155c48 Merge commit from fork
87a40bb Merge commit from fork
b1607a9 Bump minimatch from 3.1.2 to 3.1.5 (#3961)
42ac890 Bump rollup from 2.79.2 to 2.80.0 (#3960)
7af912c 4.2.0
56b46d4 Merge commit from fork
2e5e156 Merge commit from fork
71ad2db Merge commit from fork
885a777 fix: upgrade @babel/runtime from 7.28.4 to 7.28.6 (#3954)
Additional commits viewable in compare view

Updates undici from 7.15.0 to 7.25.0

Release notes

Sourced from undici's releases.

v7.25.0

What's Changed

Full Changelog: nodejs/undici@v7.24.8...v7.25.0

v7.24.8

What's Changed

fix: backport 401 stream-backed body fix to v7.x by @mcollina in nodejs/undici#5006

Full Changelog: nodejs/undici@v7.24.7...v7.24.8

v7.24.7

What's Changed

docs: update broken links in file "Dispatcher.md" by @samuel871211 in nodejs/undici#4924

doc: remove unused parameter redirectionLimitReached by @samuel871211 in nodejs/undici#4933

test: skip flaky macOS Node 20 cookie fetch cases by @mcollina in nodejs/undici#4932

fix(types): align Response with DOM fetch types by @theamodhshetty in nodejs/undici#4867

fix(types): Fix clone method type declaration to be an instance method rather than instance property by @mistval in nodejs/undici#4925

test: skip IPv6 tests when IPv6 is not available by @mcollina in nodejs/undici#4939

fix: correctly handle multi-value rawHeaders in fetch by @mcollina in nodejs/undici#4938

ignore AGENTS.md by @mcollina in nodejs/undici#4942

New Contributors

@samuel871211 made their first contribution in nodejs/undici#4924

@mistval made their first contribution in nodejs/undici#4925

Full Changelog: nodejs/undici@v7.24.6...v7.24.7

v7.24.6

What's Changed

fix(test): client wasm compatible with clang 22 by @rozzilla in nodejs/undici#4909

fix(mock): improve error message when intercepts are exhausted by @travisbreaks in nodejs/undici#4912

fix(websocket): support open diagnostics over h2 by @mcollina in nodejs/undici#4921

fix: assume http/https scheme for scheme-less proxy env vars by @travisbreaks in nodejs/undici#4914

fix(cache): check Authorization on request headers per RFC 9111 §3.5 by @metalix2 in nodejs/undici#4911

fix: wrap kConnector call in try/catch to prevent client hang by @veeceey in nodejs/undici#4834

docs: clarify fetch and FormData pairing by @mcollina in nodejs/undici#4922

fix: support Connection header with connection-specific header names per RFC 7230 by @mcollina in nodejs/undici#4775

fix: avoid prototype collisions in parseHeaders by @mcollina in nodejs/undici#4923

build(deps-dev): bump typescript from 5.9.3 to 6.0.2 by @dependabot[bot] in nodejs/undici#4926

test: auto-init WPT submodule by @mcollina in nodejs/undici#4930

New Contributors

@rozzilla made their first contribution in nodejs/undici#4909

@veeceey made their first contribution in nodejs/undici#4834

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

... (truncated)

Commits

12d9045 Bumped v7.25.0 (#5025)
7a6f7fe Bumped v7.24.8 (#5020)
1f85ae4 fix: avoid 401 failures for stream-backed request bodies (#4941) (#5006)
c661067 chore: update v7.x maintenance release flow
84f23e2 Bumped v7.24.7 (#4947)
a770b10 ignore AGENTS.md (#4942)
6acd19b fix: correctly handle multi-value rawHeaders in fetch (#4938)
1da1c74 test: skip IPv6 tests when IPv6 is not available (#4939)
04cb773 fix(types): Fix clone method type declaration to be an instance method rather...
5145a7c fix(types): align Response with DOM fetch types (#4867)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for undici since your current version.

Updates jspdf from 3.0.2 to 4.2.1

Release notes

Sourced from jspdf's releases.

v4.2.1

This release fixes two security issues.

What's Changed

Fix HTML Injection in output methods vulnerability.

Fix PDF Object Injection via free text annotation color vulnerability.

Full Changelog: parallax/jsPDF@v4.2.0...v4.2.1

v4.2.0

This release fixes three security issues.

What's Changed

Fix PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton children) vulnerability.

Fix Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions vulnerability.

Fix PDF Object Injection via Unsanitized Input in addJS Method vulnerability.

Add "default" property to export section in package.json by @stefan-schweiger in parallax/jsPDF#3953

New Contributors

@stefan-schweiger made their first contribution in parallax/jsPDF#3953

Full Changelog: parallax/jsPDF@v4.1.0...v4.2.0

v4.1.0

This release fixes several security issues.

What's Changed

Upgrade optional dompurify dependency to 3.3.1 in parallax/jsPDF#3948

Fix PDF Injection in AcroForm module allows Arbitrary JavaScript Execution vulnerability

Fix Stored XMP Metadata Injection (Spoofing & Integrity Violation) vulnerability

Fix Shared State Race Condition in addJS Method vulnerability

Fix Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder vulnerability

Full Changelog: parallax/jsPDF@v4.0.0...v4.1.0

v4.0.0

This release fixes a critical path traversal/local file inclusion security vulnerability in the jsPDF Node.js build. File system access is now restricted by default and can be enabled by either using node's --permission flag or the new jsPDF.allowFsRead property.

There are no other breaking changes.

v3.0.4

This release includes a bunch of bugfixes. Thanks to all contributors!

What's Changed

[Snyk] Upgrade @babel/runtime from 7.28.3 to 7.28.4 by @MrRio in parallax/jsPDF#3895

fix: cell function now properly accepts align parameter by @vishal-rathod-07 in parallax/jsPDF#3896

Remove duplicated function "ga" from WebPDecoder.js by @jvdp in parallax/jsPDF#3902

Fix font state management issue #3890 by @srikanth-s2003 in parallax/jsPDF#3891

Fix pages property to always return current array reference ( #3898 ) by @Opineppes in parallax/jsPDF#3899

Fix jsPDF + Vite compatibility issue #3851 by @tishajain25 in parallax/jsPDF#3903

... (truncated)

Commits

4562ce8 4.2.1
4155c48 Merge commit from fork
87a40bb Merge commit from fork
b1607a9 Bump minimatch from 3.1.2 to 3.1.5 (#3961)
42ac890 Bump rollup from 2.79.2 to 2.80.0 (#3960)
7af912c 4.2.0
56b46d4 Merge commit from fork
2e5e156 Merge commit from fork
71ad2db Merge commit from fork
885a777 fix: upgrade @babel/runtime from 7.28.4 to 7.28.6 (#3954)
Additional commits viewable in compare view

Updates glob from 11.0.3 to 12.0.0

Changelog

Sourced from glob's changelog.

changeglob

13

Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)

Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.

Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

Drop support for node before v20

10.4

Add includeChildMatches: false option

Export the Ignore class

10.3

Add --default -p flag to provide a default pattern

exclude symbolic links to directories when follow and nodir are both set

10.2

Add glob cli

10.1

Return '.' instead of the empty string '' when the current working directory is returned as a match.

Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

2b03cca 12.0.0
d56203d prettier config
bb521e5 Remove --shell option where unsafe to use
2551fb5 11.1.0
47473c0 bin: Do not expose filenames to shell expansion
bc33fe1 skip tilde test on systems that lack tilde expansion
59bf9ca fix notes
dde4fa6 docs(README): add #anchor and improve notes
0559b0e docs: add better links to path-scurry docs
c9773c2 fix: correct typos in README.md
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for glob since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

lodash: lodash/lodash@4.18.0-npm...4.18.1-npm

lodash-es: lodash/lodash@4.18.0-es...4.18.1-es

lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd

lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

Add security notice for _.template in threat model and API docs (#6099)

Document lower > upper behavior in _.random (#6115)

Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

lodash.orderby

lodash.tonumber

lodash.trim

lodash.trimend

lodash.sortedindexby

lodash.zipobjectdeep

lodash.unset

lodash.omit

lodash.template

Commits

cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
75535f5 chore: prune stale advisory refs (#6170)
62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
59be2de release(minor): bump to 4.18.0 (#6161)
af63457 fix: broken tests for _.template 879aaa9
1073a76 fix: linting issues
879aaa9 fix: validate imports keys in _.template
fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
b819080 ci: add dist sync validation workflow (#6137)
Additional commits viewable in compare view

Updates vite from 7.1.4 to 7.3.2

Release notes

Sourced from vite's releases.

v7.3.2

Please refer to CHANGELOG.md for details.

v7.3.1

Please refer to CHANGELOG.md for details.

v7.3.0

Please refer to CHANGELOG.md for details.

v7.2.7

Please refer to CHANGELOG.md for details.

v7.2.6

Please refer to CHANGELOG.md for details.

v7.2.5

Please refer to CHANGELOG.md for details.

Note: 7.2.5 failed to publish so it is skipped on npm

v7.2.4

Please refer to CHANGELOG.md for details.

v7.2.3

Please refer to CHANGELOG.md for details.

v7.2.2

Please refer to CHANGELOG.md for details.

plugin-legacy@7.2.1

Please refer to CHANGELOG.md for details.

v7.2.1

Please refer to CHANGELOG.md for details.

plugin-legacy@7.2.0

Please refer to CHANGELOG.md for details.

v7.2.0

Please refer to CHANGELOG.md for details.

v7.2.0-beta.1

Please refer to CHANGELOG.md for details.

v7.2.0-beta.0

Please refer to CHANGELOG.md for details.

v7.1.12

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

7.3.2 (2026-04-06)

Bug Fixes

avoid path traversal with optimize deps sourcemap handler (#22161) (09d8c90)

backport #22159, apply server.fs check to env transport (#22162) (19db0f2)

check server.fs after stripping query as well (#22160) (f8103cc)

7.3.1 (2026-01-07)

Features

add ignoreOutdatedRequests option to optimizeDeps (#21364) (9d39d37)

7.3.0 (2025-12-15)

Features

deps: update esbuild from ^0.25.0 to ^0.27.0 (#21183) (cff26ec)

7.2.7 (2025-12-08)

Bug Fixes

plugin shortcut support (#21211) (721f163)

7.2.6 (2025-12-01)

7.2.5 (2025-12-01)

Bug Fixes

config: handle shebang properly (#21158) (df5a30d)

deps: update all non-major dependencies (#21146) (a3cd262)

deps:Description has been truncated

…updates Bumps the npm_and_yarn group with 4 updates in the / directory: [glob](https://github.com/isaacs/node-glob), [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite), [lodash](https://github.com/lodash/lodash) and [jspdf](https://github.com/parallax/jsPDF). Bumps the npm_and_yarn group with 1 update in the /packages/react-maplibre directory: [jspdf](https://github.com/parallax/jsPDF). Updates `glob` from 11.0.3 to 12.0.0 - [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md) - [Commits](isaacs/node-glob@v11.0.3...v12.0.0) Updates `vite` from 7.1.4 to 7.3.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite) Updates `lodash` from 4.17.21 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.18.1) Updates `jspdf` from 3.0.2 to 4.2.1 - [Release notes](https://github.com/parallax/jsPDF/releases) - [Changelog](https://github.com/parallax/jsPDF/blob/master/RELEASE.md) - [Commits](parallax/jsPDF@v3.0.2...v4.2.1) Updates `undici` from 7.15.0 to 7.25.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.15.0...v7.25.0) Updates `jspdf` from 3.0.2 to 4.2.1 - [Release notes](https://github.com/parallax/jsPDF/releases) - [Changelog](https://github.com/parallax/jsPDF/blob/master/RELEASE.md) - [Commits](parallax/jsPDF@v3.0.2...v4.2.1) Updates `glob` from 11.0.3 to 12.0.0 - [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md) - [Commits](isaacs/node-glob@v11.0.3...v12.0.0) Updates `lodash` from 4.17.21 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.18.1) Updates `vite` from 7.1.4 to 7.3.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite) Updates `undici` from 7.15.0 to 7.25.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.15.0...v7.25.0) Updates `jspdf` from 3.0.2 to 4.2.1 - [Release notes](https://github.com/parallax/jsPDF/releases) - [Changelog](https://github.com/parallax/jsPDF/blob/master/RELEASE.md) - [Commits](parallax/jsPDF@v3.0.2...v4.2.1) --- updated-dependencies: - dependency-name: glob dependency-version: 12.0.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 7.3.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.18.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: jspdf dependency-version: 4.2.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 7.25.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: jspdf dependency-version: 4.2.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: glob dependency-version: 12.0.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.18.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 7.3.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 7.25.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: jspdf dependency-version: 4.2.1 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 29, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 2 directories with 5 updates#273

chore(deps): bump the npm_and_yarn group across 2 directories with 5 updates#273
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-9d73f8293d

dependabot Bot commented on behalf of github Apr 29, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Apr 29, 2026

changeglob

13

12

11.1

11.0

10.4

10.3

10.2

10.1

v7.3.2

v7.3.1

v7.3.0

v7.2.7

v7.2.6

v7.2.5

v7.2.4

v7.2.3

v7.2.2

plugin-legacy@7.2.1

v7.2.1

plugin-legacy@7.2.0

v7.2.0

v7.2.0-beta.1

v7.2.0-beta.0

v7.1.12

7.3.2 (2026-04-06)

Bug Fixes

7.3.1 (2026-01-07)

Features

7.3.0 (2025-12-15)

Features

7.2.7 (2025-12-08)

Bug Fixes

7.2.6 (2025-12-01)

7.2.5 (2025-12-01)

Bug Fixes

Performance Improvements

Documentation

Miscellaneous Chores

7.2.4 (2025-11-20)

Bug Fixes

7.2.3 (2025-11-20)

4.18.1

Bugs

4.18.0

v4.18.0

Security

Docs

lodash.* modular packages

v4.2.1

What's Changed

v4.2.0

What's Changed

New Contributors

v4.1.0

What's Changed

v4.0.0

v3.0.4

What's Changed

v7.25.0

What's Changed

v7.24.8

What's Changed

v7.24.7

What's Changed

New Contributors

v7.24.6

What's Changed

New Contributors

v4.2.1

What's Changed

v4.2.0

What's Changed

New Contributors

v4.1.0

What's Changed

v4.0.0

v3.0.4

`lodash.*` modular packages

`lodash.*` modular packages