Skip to content

chore(deps-dev): bump the npm_and_yarn group across 1 directory with 6 updates#1

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/npm_and_yarn-55b582f797
Open

chore(deps-dev): bump the npm_and_yarn group across 1 directory with 6 updates#1
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/npm_and_yarn-55b582f797

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Apr 7, 2026

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package From To
grunt 0.4.5 1.6.1
bower 1.2.8 1.8.14
shelljs 0.1.4 0.10.0
karma 0.11.14 6.4.4
marked 0.2.10 18.0.0
lodash 1.3.1 4.18.1

Updates grunt from 0.4.5 to 1.6.1

Release notes

Sourced from grunt's releases.

v1.6.1

  • Changelog updates 72f6f03
  • Merge pull request #1755 from gruntjs/rm-dep 8d4c183
  • Add recursive 1c7d483
  • Merge pull request #1756 from gruntjs/downgrade-glob 2d4fd38
  • Downgrade glob 902db7c
  • Fix syntax 494f243
  • remove mkdirp b01389e
  • remove dep on rimraf and mkdirp 0072510

gruntjs/grunt@v1.6.0...v1.6.1

v1.6.0

  • Merge pull request #1750 from gruntjs/dep-update-jan28 2805dc3
  • README updates 3f1e423
  • Bump to 16 8fd096d
  • Update more deps 42c5f95
  • Bump eslint and node version 1d88050

gruntjs/grunt@v1.5.3...v1.6.0

v1.5.3

  • Merge pull request #1745 from gruntjs/fix-copy-op 572d79b
  • Patch up race condition in symlink copying. 58016ff
  • Merge pull request #1746 from JamieSlome/patch-1 0749e1d
  • Create SECURITY.md 69b7c50

gruntjs/grunt@v1.5.2...v1.5.3

v1.5.2

  • Update Changelog 7f15fd5
  • Merge pull request #1743 from gruntjs/cleanup-link b0ec6e1
  • Clean up link handling 433f91b

gruntjs/grunt@v1.5.1...v1.5.2

v1.5.1

  • Merge pull request #1742 from gruntjs/update-symlink-test ad22608
  • Fix symlink test 0652305

gruntjs/grunt@v1.5.0...v1.5.1

v1.5.0

  • Updated changelog b2b2c2b
  • Merge pull request #1740 from gruntjs/update-deps-22-10 3eda6ae
  • Update testing matrix 47d32de
  • More updates 2e9161c
  • Remove console log 04b960e
  • Update dependencies, tests... aad3d45
  • Merge pull request #1736 from justlep/main fdc7056

... (truncated)

Changelog

Sourced from grunt's changelog.

v1.6.1 date: 2023-01-31 changes: - Downgrades to glob 7 for Windows compatability - Removes mkdirp and rimraf in favour of node.js APIs. v1.6.0 date: 2023-01-28 changes: - Requires node.js 16+. - template.date now uses dateformat ~4.6.2. - other dependency updates such as glob, rimraf, etc. v1.5.3 date: 2022-04-23 changes: - Patch up race condition in symlink copying. v1.5.2 date: 2022-04-12 changes: - Unlink symlinks when copy destination is a symlink. v1.5.1 date: 2022-04-11 changes: - Fixed symlink destination handling. v1.5.0 date: 2022-04-10 changes: - Updated dependencies. - Add symlink handling for copying files. v1.4.1 date: 2021-05-24 changes: - Fix --preload option to be a known option - Switch to GitHub Actions v1.4.0 date: 2021-04-21 changes: - Security fixes in production and dev dependencies - Liftup/Liftoff upgrade breaking change. Update your scripts to use --preload instead of --require. Ref: gulpjs/liftoff@e7a969d. v1.3.0 date: 2020-08-18 changes: - Switch to use safeLoad for loading YML files via file.readYAML. - Upgrade legacy-log to ~3.0.0. - Upgrade legacy-util to ~2.0.0. v1.2.1 date: 2020-07-07 changes: - Remove path-is-absolute dependency. (PR: gruntjs/grunt#1715) v1.2.0

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by vladikoff, a new releaser for grunt since your current version.


Updates bower from 1.2.8 to 1.8.14

Release notes

Sourced from bower's releases.

v1.8.12

  • Properly bundle all dependencies of Bower within package

v1.8.10

v1.8.8

Fix security issue connected to extracting .tar.gz archives

This bug allows to write arbitrary file on filesystem when Bower extracts malicious package

Needlessly to say, please upgrade

v1.8.7

Fixes side effect of fix from v1.8.6 that caused improper permissions for extracted folders

bower/bower#2532

v1.8.6

Fix Zip Slip Vulnerability of decompress-zip package: https://snyk.io/research/zip-slip-vulnerability

Note: v1.8.5 has been unpublished because of missing files

v1.8.4

  • Fixes release 1.8.3 by publishing with npm@3 instead of npm@5 (to include lib/node_modules)

v1.8.3

  • 451c60e Do not store resolutions if --save is not used, fixes #2344 (#2508)
  • 50ee729 Allow to disable shorthand resolver (#2507)
  • bb17839 Allow shallow cloning when source is a ssh protocol (#2506)
  • 5a6ae54 Add support for Arrays in Environment Variable replacement (#2411)
  • 74af42c Only replace last @ after (if any) last / with # (#2395)
  • 💯Make tests work on Windows / Linux / OSX on node versions 0.10 / 0.12 / 4 / 6 / 8 / 9
  • 💅Format source code with prettier

v1.8.2

Migrate registry url from http://bower.herokuapp.com to https://registry.bower.io

It is so we leverage CDN and offload Heroku instance reducing costs.

v1.8.0

  • Download tar archives from GitHub when possible (#2263)
    • Change default shorthand resolver for github from git:// to https://
  • Fix ssl handling by not setting GIT_SSL_NO_VERIFY=false (#2361)
  • Allow for removing components with url instead of name (#2368)
  • Show in warning message location of malformed bower.json (#2357)
  • Improve handling of non-semver versions in git resolver (#2316)
  • Fix handling of cached releases pluginResolverFactory (#2356)

... (truncated)

Changelog

Sourced from bower's changelog.

Changelog

Newer releases

Please see: https://github.com/bower/bower/releases

1.8.0 - 2016-11-07

  • Download tar archives from GitHub when possible (#2263)
    • Change default shorthand resolver for github from git:// to https://
  • Fix ssl handling by not setting GIT_SSL_NO_VERIFY=false (#2361)
  • Allow for removing components with url instead of name (#2368)
  • Show in warning message location of malformed bower.json (#2357)
  • Improve handling of non-semver versions in git resolver (#2316)
  • Fix handling of cached releases pluginResolverFactory (#2356)
  • Allow to type the entire version when conflict occured (#2243)
  • Allow owner/reponame shorthand for registering components (#2248)
  • Allow single-char repo names and package names (#2249)
  • Make bower version no longer honor version in bower.json (#2232)
  • Add postinstall hook (#2252)
  • Allow for @ instead of # for install and info commands (#2322)
  • Upgrade all bundled modules

1.7.9 - 2016-04-05

  • Show warnings for invalid bower.json fields
  • Update bower-json
    • Less strict validation on package name (allow spaces, slashes, and "@")

1.7.8 - 2016-04-04

  • Don't ask for git credentials in non-interactive session, fixes #956 #1009
  • Prevent swallowing exceptions with programmatic api, fixes #2187
  • Update graceful-fs to 4.x in all dependences, fixes nodejs/node#5213
  • Resolve pluggable resolvers using cwd and fallback to global modules, fixes #1919
  • Upgrade handlebars to 4.0.5, closes #2195
  • Replace all % chatacters in defined scripts, instead of only first one, fixes #2174
  • Update opn package to fix issues with "bower open" command on Windows
  • Update bower-config
    • Do not interpolate environment variables in script hooks, fixes bower/config#47
  • Update bower-json
    • Validate package name more strictly and allow only latin letters, dots, dashes and underscores
  • Add support for "save" and "save-exact" in .bowerrc, #2161

1.7.7 - 2016-01-27

Revert locations of all files while still packaging node_modules.

It's because people are depending on internals of bower, like bower/lib/renderers/StandardRenderer. We want to preserve this

... (truncated)

Commits
  • d765b2b Bump to 1.8.14
  • ca23b46 Run CI only on node 6+
  • 7f26c5b Fix bug unauthenticated git protocol in GitHubResolver (#2612)
  • 4b5722f Update README.md
  • 557c1cd Fix mode for bin/bower
  • 74560b7 Fix child process execution
  • 2905791 Fix running bower on non-windows
  • dfdda3f Merge remote-tracking branch 'origin/master'
  • fa36814 Bump to 1.8.13
  • f19bc34 Make sure correct git/svn binary is always used
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by sheerun, a new releaser for bower since your current version.


Updates shelljs from 0.1.4 to 0.10.0

Release notes

Sourced from shelljs's releases.

v0.10.0

What's Changed

New Contributors

Full Changelog: shelljs/shelljs@v0.9.2...v0.10.0

v0.9.2

What's Changed

Full Changelog: shelljs/shelljs@v0.9.1...v0.9.2

v0.9.1

What's Changed

Full Changelog: shelljs/shelljs@v0.9.0...v0.9.1

v0.9.0

What's Changed

... (truncated)

Changelog

Sourced from shelljs's changelog.

Change Log

v0.8.5 (2022-01-13)

Full Changelog

This was a small security fix for #1058.

v0.8.4 (2020-04-24)

Full Changelog

Small patch release to fix a circular dependency warning in node v14. See #973.

v0.8.3 (2018-11-13)

Full Changelog

Closed issues:

  • Shelljs print stderr to console even if exec-only "silent" is true #905
  • refactor: remove common.state.tempDir #902
  • Can't suppress stdout for echo #899
  • exec() doesn't apply the arguments correctly #895
  • shell.exec('npm pack') painfully slow #885
  • shelljs.exec cannot find app.asar/node_modules/shelljs/src/exec-child.js #881
  • test infra: mocks and skipOnWin conflict #862
  • Support for shell function completion on IDE #859
  • echo command shows options in stdout #855
  • silent does not always work #851
  • Appveyor installs the latest npm, instead of the latest compatible npm #844
  • Force symbolic link (ln -sf) does not overwrite/recreate existing destination #830
  • inconsistent result when trying to echo to a file #798
  • Prevent require()ing executable-only files #789
  • Cannot set property to of [object String] which has only a getter #752
  • which() should check executability before returning a value #657
  • Bad encoding experience #456
  • phpcs very slow #440
  • Error shown when triggering a sigint during shelljs.exec if process.on sigint is defined #254
  • .to\(file\) does not mute STDIO output #146
  • Escaping shell arguments to exec() #143
  • Allow multiple string arguments for exec() #103
  • cp does not recursively copy from readonly location #98
  • Handling permissions errors on file I/O #64

Merged pull requests:

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by nfischer, a new releaser for shelljs since your current version.


Updates karma from 0.11.14 to 6.4.4

Release notes

Sourced from karma's releases.

v6.4.4

6.4.4 (2024-07-29)

v6.4.3

6.4.3 (2024-02-24)

Bug Fixes

  • add build commits for patch release (d7f2d69)

v6.4.2

6.4.2 (2023-04-21)

Bug Fixes

v6.4.1

6.4.1 (2022-09-19)

Bug Fixes

v6.4.0

6.4.0 (2022-06-14)

Features

  • support SRI verification of link tags (dc51a2e)
  • support SRI verification of script tags (6a54b1c)

v6.3.20

6.3.20 (2022-05-13)

Bug Fixes

  • prefer IPv4 addresses when resolving domains (e17698f), closes #3730

v6.3.19

6.3.19 (2022-04-19)

Bug Fixes

... (truncated)

Changelog

Sourced from karma's changelog.

6.4.4 (2024-07-29)

6.4.3 (2024-02-24)

Bug Fixes

  • add build commits for patch release (d7f2d69)

6.4.2 (2023-04-21)

Bug Fixes

6.4.1 (2022-09-19)

Bug Fixes

6.4.0 (2022-06-14)

Features

  • support SRI verification of link tags (dc51a2e)
  • support SRI verification of script tags (6a54b1c)

6.3.20 (2022-05-13)

Bug Fixes

  • prefer IPv4 addresses when resolving domains (e17698f), closes #3730

6.3.19 (2022-04-19)

Bug Fixes

  • client: error out when opening a new tab fails (099b85e)

6.3.18 (2022-04-13)

Bug Fixes

... (truncated)

Commits
  • 84f85e7 chore(release): 6.4.4 [skip ci]
  • a4d1284 build(deps-dev): bump ws from 6.2.1 to 6.2.3
  • d8cf806 chore(release): 6.4.3 [skip ci]
  • d7f2d69 fix: add build commits for patch release
  • 85a2eeb build(deps-dev): bump decode-uri-component from 0.2.0 to 0.2.2
  • 0bffce2 build(deps): updated socket.io version to fix security issues with socket.io-...
  • 86667ab build(deps): bump follow-redirects from 1.11.0 to 1.15.4
  • 450fdfd docs: Add deprecation notice to Karma README
  • 9de3c00 chore(release): 6.4.2 [skip ci]
  • c6a4271 fix: few typos
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by karmarunnerbot, a new releaser for karma since your current version.


Updates marked from 0.2.10 to 18.0.0

Release notes

Sourced from marked's releases.

v18.0.0

18.0.0 (2026-04-07)

Bug Fixes

  • Bump typescript from 5.9.3 to 6.0.2 (#3934) (e8efc51)
  • prevent GFM table tokens from greedily capturing trailing newlines (#3926) (40f2665)
  • prevent heading and def tokens from greedily capturing multiple newlines (#3925) (b379e3e)
  • trim blank lines from block tokens (#3939) (b70895f)

BREAKING CHANGES

  • trim trailing blank lines from block tokens
  • update Typescript to v6

v17.0.6

17.0.6 (2026-04-05)

Bug Fixes

  • avoid race condition in async parallel parse/parseInline with hooks (#3924) (6e96fa7)
  • cli: honor positional input file (#3922) (a1c2617)
  • cli: use file URL for config import (#3923) (73e1f3f)

v17.0.5

17.0.5 (2026-03-20)

Bug Fixes

  • Fix catastrophic backtracking (ReDoS) in link/reflink label regex (#3918) (4625980)
  • prevent quadratic complexity in emStrongLDelim regex (#3906) (c732dd2)
  • prevent single-tilde strikethrough false positives (#3910) (5e03369)
  • re-assign tokenizer.lexer and renderer.parser at start of each parse call (#3907) (f3a3ec0)
  • trim trailing whitespace from lheading text (#3920) (3ea7e88)

v17.0.4

17.0.4 (2026-03-04)

Bug Fixes

  • prevent ReDoS in inline link regex title group (#3902) (46fb9b8)

v17.0.3

17.0.3 (2026-02-17)

... (truncated)

Commits
  • 28954e0 chore(release): 18.0.0 [skip ci]
  • b70895f fix: trim blank lines from block tokens (#3939)
  • 40f2665 fix: prevent GFM table tokens from greedily capturing trailing newlines (#3926)
  • b379e3e fix: prevent heading and def tokens from greedily capturing multiple newlines...
  • e8efc51 fix: Bump typescript from 5.9.3 to 6.0.2 (#3934)
  • 71e5ae3 chore(deps-dev): Bump esbuild from 0.27.4 to 0.28.0 (#3940)
  • b436e82 chore(deps-dev): Bump eslint from 10.1.0 to 10.2.0 (#3941)
  • e07037e chore(release): 17.0.6 [skip ci]
  • 6e96fa7 fix: avoid race condition in async parallel parse/parseInline with hooks (#3924)
  • 73e1f3f fix(cli): use file URL for config import (#3923)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for marked since your current version.


Updates lodash from 1.3.1 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

4.0.0

lodash v4.0.0

... (truncated)

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps-dev): bump the npm_and_yarn group across 1 directory with …
cb6a278 
…6 updates

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [grunt](https://github.com/gruntjs/grunt) | `0.4.5` | `1.6.1` |
| [bower](https://github.com/bower/bower) | `1.2.8` | `1.8.14` |
| [shelljs](https://github.com/shelljs/shelljs) | `0.1.4` | `0.10.0` |
| [karma](https://github.com/karma-runner/karma) | `0.11.14` | `6.4.4` |
| [marked](https://github.com/markedjs/marked) | `0.2.10` | `18.0.0` |
| [lodash](https://github.com/lodash/lodash) | `1.3.1` | `4.18.1` |



Updates `grunt` from 0.4.5 to 1.6.1
- [Release notes](https://github.com/gruntjs/grunt/releases)
- [Changelog](https://github.com/gruntjs/grunt/blob/main/CHANGELOG)
- [Commits](gruntjs/grunt@v0.4.5...v1.6.1)

Updates `bower` from 1.2.8 to 1.8.14
- [Release notes](https://github.com/bower/bower/releases)
- [Changelog](https://github.com/bower/bower/blob/master/CHANGELOG.md)
- [Commits](bower/bower@v1.2.8...1.8.14)

Updates `shelljs` from 0.1.4 to 0.10.0
- [Release notes](https://github.com/shelljs/shelljs/releases)
- [Changelog](https://github.com/shelljs/shelljs/blob/main/CHANGELOG.md)
- [Commits](shelljs/shelljs@v0.1.4...v0.10.0)

Updates `karma` from 0.11.14 to 6.4.4
- [Release notes](https://github.com/karma-runner/karma/releases)
- [Changelog](https://github.com/karma-runner/karma/blob/master/CHANGELOG.md)
- [Commits](karma-runner/karma@v0.11.14...v6.4.4)

Updates `marked` from 0.2.10 to 18.0.0
- [Release notes](https://github.com/markedjs/marked/releases)
- [Commits](markedjs/marked@v0.2.10...v18.0.0)

Updates `lodash` from 1.3.1 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@1.3.1...4.18.1)

---
updated-dependencies:
- dependency-name: grunt
  dependency-version: 1.6.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: bower
  dependency-version: 1.8.14
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: shelljs
  dependency-version: 0.10.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: karma
  dependency-version: 6.4.4
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: marked
  dependency-version: 18.0.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants