fix(deps): update npm - - package.json #1307

renovate · 2025-12-04T05:36:10Z

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@aws-sdk/credential-providers (source)	`^3.940.0` -> `^3.957.0`
@esbuild/darwin-arm64	`^0.27.0` -> `^0.27.2`
@esbuild/darwin-x64	`^0.27.0` -> `^0.27.2`
@esbuild/linux-x64	`0.27.0` -> `0.27.2`
@esbuild/win32-x64	`0.27.0` -> `0.27.2`
@eslint/js (source)	`^9.39.1` -> `^9.39.2`
@primer/octicons-react (source)	`^19.21.0` -> `^19.21.1`
@types/express (source)	`^5.0.5` -> `^5.0.6`
@types/lodash (source)	`^4.17.20` -> `^4.17.21`
@types/node (source)	`^22.19.1` -> `^22.19.3`
@types/validator (source)	`^13.15.9` -> `^13.15.10`
@vitejs/plugin-react (source)	`^5.1.1` -> `^5.1.2`
cypress (source)	`^15.6.0` -> `^15.8.1`
eslint (source)	`^9.39.1` -> `^9.39.2`
express (source)	`^5.1.0` -> `^5.2.1`
fast-check (source)	`^4.3.0` -> `^4.5.2`
isomorphic-git (source)	`^1.35.0` -> `^1.36.1`
jsonwebtoken	`^9.0.2` -> `^9.0.3`
lint-staged	`^16.2.6` -> `^16.2.7`
prettier (source)	`^3.6.2` -> `^3.7.4`
tsx (source)	`^4.20.6` -> `^4.21.0`
typescript-eslint (source)	`^8.46.4` -> `^8.50.1`
validator	`^13.15.23` -> `^13.15.26`
vite (source)	`^7.1.9` -> `^7.3.0`

Release Notes

aws/aws-sdk-js-v3 (@aws-sdk/credential-providers)

`v3.957.0`

Compare Source

3.957.0(2025-12-22)

Chores

move crc64NvmeCrtContainer to '@aws-sdk/crc64-nvme' (#7600) (69196b71)
move e2e tests from cucumber to vitest (#7539) (561b8900)
build: replace lerna partial-tree build with turbo (#7597) (04bdba3e)

Documentation Changes

client-pcs: Change API Reference Documentation for default Mode in Accounting and SlurmRest (966f60ac)

New Features

client-config-service: Added supported resourceTypes for Config from July to November 2025 (2c7dab27)
client-ec2: Adds support for linkedGroupId on the CreatePlacementGroup and DescribePlacementGroups APIs. The linkedGroupId parameter is reserved for future use. (a492f734)
client-guardduty: Make accountIds a required field in GetRemainingFreeTrialDays API to reflect service behavior. (53e59c65)
middleware-flexible-checksums: use CRC64NVME JS implementation if CRT is not available (#7595) (4c6ad409)

Bug Fixes

middleware-flexible-checksums: advise user on InvalidChunkSizeError (#7598) (6fa3b4cc)

For list of updated packages, view updated-packages.md in assets-3.957.0.zip

`v3.956.0`

Compare Source

3.956.0(2025-12-19)

Chores

crc64-nvme: add pure JS CRC64NVME implementation (#7592) (03019927)
codegen:
- differentiate union and struct schema (#7594) (a3f02028)
- update for $unknown union member handling (#7591) (2c738294)
- upgrade smithy to 1.65.0 (#7588) (8e9ad476)

Documentation Changes

supplemental-docs: typo fixes (#7590) (0f23c869)

New Features

clients: update client endpoints as of 2025-12-19 (e0360a8f)
client-wickr: AWS Wickr now provides a suite of admin APIs to allow you to programmatically manage secure communication for Wickr networks at scale. These APIs enable you to automate administrative workflows including user lifecycle management, network configuration, and security group administration. (d105e0ef)
client-arc-region-switch: Automatic Plan Execution Reports allow customers to maintain a concise record of their Region switch Plan executions. This enables customer SREs and leadership to have a clear view of their recovery posture based on the generated reports for their Plan executions. (33dbf8d8)
client-workspaces-web: Add support for WebAuthn under user settings. (a42b84c4)
client-iot: This release adds event-based logging feature that enables granular event logging controls for AWS IoT logs. (bbbf580b)
client-qbusiness: It is a internal bug fix for region expansion (42a80dd7)
client-connect: Adding support for Custom Metrics and Pre-Defined Attributes to GetCurrentMetricData API. (43dab925)
client-emr-serverless: Added JobLevelCostAllocationConfiguration field to enable cost allocation reporting at the job level, providing more granular visibility into EMR Serverless charges (e95db238)

Bug Fixes

ec2-metadata-service: add configurable options for ttl and port precedence (#7584) (184cf70c)
core/protocols: $unknown union member support (#7593) (596fc405)

For list of updated packages, view updated-packages.md in assets-3.956.0.zip

`v3.955.0`

Compare Source

3.955.0(2025-12-18)

Chores

codegen: downgrade spotless to 7.2.1 (#7587) (ef66a21f)
clients: export star from models_N (#7586) (e9b7f20a)

New Features

clients: update client endpoints as of 2025-12-18 (11335218)
client-ec2: This release adds AvailabilityZoneId support for CreateFleet, ModifyFleet, DescribeFleets, RequestSpotFleet, ModifySpotFleetRequests and DescribeSpotFleetRequests APIs. (4d1a66b9)
client-ecs: Adding support for Event Windows via a new ECS account setting "fargateEventWindows". When enabled, ECS Fargate will use the configured event window for patching tasks. Introducing "CapacityOptionType" for CreateCapacityProvider API, allowing support for Spot capacity for ECS Managed Instances. (751c797f)
client-arc-region-switch: New API to list Route 53 health checks created by ARC region switch for a plan in a specific AWS Region using the Region switch Regional data plane. (406035c4)
client-bedrock-agentcore-control: Feature to support header exchanges between Bedrock AgentCore Gateway Targets and client, along with propagating query parameter to the configured targets. (800275ca)
client-appstream: Added support for new operating systems (1) Ubuntu 24.04 Pro LTS on Elastic fleets, and (2) Microsoft Server 2025 on Always-On and On-Demand fleets (a94e6d55)
client-cleanrooms: Adding support for collaboration change requests requiring an approval workflow. Adding support for change requests that grant or revoke results receiver ability and modifying auto approved change types in an existing collaboration. (26987932)
client-artifact: Add support for ListReportVersions API for the calling AWS account. (8247b183)
client-iot: This release adds message batching for the IoT Rules Engine HTTP action. (aa2dc069)
client-sesv2: Amazon SES introduces Email Validation feature which checks email addresses for syntax errors, domain validity, and risky addresses to help maintain deliverability and protect sender reputation. SES also adds resource tagging and ABAC support for EmailTemplates and CustomVerificationEmailTemplates. (7412e741)
client-bedrock-data-automation: Blueprint Optimization (BPO) is a new Amazon Bedrock Data Automation (BDA) capability that improves blueprint inference accuracy using example content assets and ground truth data. BPO works by generating better instructions for fields in the Blueprint using provided data. (3f901e7c)
client-ecr: Adds support for ECR Create On Push (620e820d)
client-opensearch: Amazon OpenSearch Service adds support for warm nodes, enabling new multi-tier architecture. (e574a591)
client-ssm-sap: Added "Stopping" for the HANA Database Status. (393a8516)

For list of updated packages, view updated-packages.md in assets-3.955.0.zip

`v3.954.0`

Compare Source

Note: Version bump only for package @aws-sdk/credential-providers

`v3.953.0`

Compare Source

Features

clients: allow protocol selection by class constructor (#7568) (5c5fd2e)

`v3.952.0`

Compare Source

Bug Fixes

credential-provider-ini: pass requestHandler from client to login provider (#7577) (a0bd362)

evanw/esbuild (@esbuild/darwin-arm64)

`v0.27.2`

Compare Source

Allow import path specifiers starting with #/ (#4361)

Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

This change was contributed by @hybrist.

Automatically add the -webkit-mask prefix (#4357, #4358)

This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

/* Original code */
main {
  mask: url(x.png) center/5rem no-repeat
}

/* Old output (with --target=chrome110) */
main {
  mask: url(x.png) center/5rem no-repeat;
}

/* New output (with --target=chrome110) */
main {
  -webkit-mask: url(x.png) center/5rem no-repeat;
  mask: url(x.png) center/5rem no-repeat;
}

This change was contributed by @BPJEnnova.

Additional minification of switch statements (#4176, #4359)

This release contains additional minification patterns for reducing switch statements. Here is an example:

// Original code
switch (x) {
  case 0:
    foo()
    break
  case 1:
  default:
    bar()
}

// Old output (with --minify)
switch(x){case 0:foo();break;case 1:default:bar()}

// New output (with --minify)
x===0?foo():bar();

Forbid using declarations inside switch clauses (#4323)

This is a rare change to remove something that was previously possible. The Explicit Resource Management proposal introduced using declarations. These were previously allowed inside case and default clauses in switch statements. This had well-defined semantics and was already widely implemented (by V8, SpiderMonkey, TypeScript, esbuild, and others). However, it was considered to be too confusing because of how scope works in switch statements, so it has been removed from the specification. This edge case will now be a syntax error. See tc39/proposal-explicit-resource-management#215 and rbuckton/ecma262#14 for details.

Here is an example of code that is no longer allowed:
```
switch (mode) {
  case 'read':
    using readLock = db.read()
    return readAll(readLock)

  case 'write':
    using writeLock = db.write()
    return writeAll(writeLock)
}
```
That code will now have to be modified to look like this instead (note the additional { and } block statements around each case body):
```
switch (mode) {
  case 'read': {
    using readLock = db.read()
    return readAll(readLock)
  }
  case 'write': {
    using writeLock = db.write()
    return writeAll(writeLock)
  }
}
```
This is not being released in one of esbuild's breaking change releases since this feature hasn't been finalized yet, and esbuild always tracks the current state of the specification (so esbuild's previous behavior was arguably incorrect).

`v0.27.1`

Compare Source

Fix bundler bug with var nested inside if (#4348)

This release fixes a bug with the bundler that happens when importing an ES module using require (which causes it to be wrapped) and there's a top-level var inside an if statement without being wrapped in a { ... } block (and a few other conditions). The bundling transform needed to hoist these var declarations outside of the lazy ES module wrapper for correctness. See the issue for details.
Fix minifier bug with for inside try inside label (#4351)

This fixes an old regression from version v0.21.4. Some code was introduced to move the label inside the try statement to address a problem with transforming labeled for await loops to avoid the await (the transformation involves converting the for await loop into a for loop and wrapping it in a try statement). However, it introduces problems for cross-compiled JVM code that uses all three of these features heavily. This release restricts this transform to only apply to for loops that esbuild itself generates internally as part of the for await transform. Here is an example of some affected code:
```
// Original code
d: {
  e: {
    try {
      while (1) { break d }
    } catch { break e; }
  }
}

// Old output (with --minify)
a:try{e:for(;;)break a}catch{break e}

// New output (with --minify)
a:e:try{for(;;)break a}catch{break e}
```

Inline IIFEs containing a single expression (#4354)

Previously inlining of IIFEs (immediately-invoked function expressions) only worked if the body contained a single return statement. Now it should also work if the body contains a single expression statement instead:

// Original code
const foo = () => {
  const cb = () => {
    console.log(x())
  }
  return cb()
}

// Old output (with --minify)
const foo=()=>(()=>{console.log(x())})();

// New output (with --minify)
const foo=()=>{console.log(x())};

The minifier now strips empty finally clauses (#4353)

This improvement means that finally clauses containing dead code can potentially cause the associated try statement to be removed from the output entirely in minified builds:

// Original code
function foo(callback) {
  if (DEBUG) stack.push(callback.name);
  try {
    callback();
  } finally {
    if (DEBUG) stack.pop();
  }
}

// Old output (with --minify --define:DEBUG=false)
function foo(a){try{a()}finally{}}

// New output (with --minify --define:DEBUG=false)
function foo(a){a()}

Allow tree-shaking of the Symbol constructor

With this release, calling Symbol is now considered to be side-effect free when the argument is known to be a primitive value. This means esbuild can now tree-shake module-level symbol variables:

// Original code
const a = Symbol('foo')
const b = Symbol(bar)

// Old output (with --tree-shaking=true)
const a = Symbol("foo");
const b = Symbol(bar);

// New output (with --tree-shaking=true)
const b = Symbol(bar);

eslint/eslint (@eslint/js)

`v9.39.2`

Compare Source

primer/octicons (@primer/octicons-react)

`v19.21.1`

Compare Source

Patch Changes

#1137 97cefc9f Thanks @dependabot! - Bump js-yaml from 3.13.1 to 4.1.1

vitejs/vite-plugin-react (@vitejs/plugin-react)

`v5.1.2`

Compare Source

cypress-io/cypress (cypress)

eslint/eslint (eslint)

`v9.39.2`

Compare Source

dubzzz/fast-check (fast-check)

`v4.5.2`

Compare Source

Attach tarballs to GitHub releases
[Code][Diff]

Fixes

(PR#6416) CI: Extract package version from tarball
(PR#6417) CI: Update GitHub releases at publish time

`v4.5.1`

Compare Source

Rename tarballs before publishing
[Code][Diff]

Fixes

(PR#6413) CI: Rename tarballs before publishing

`v4.5.0`

Compare Source

Add an arbitrary based on a schema definition
[Code][Diff]

Features

(PR#6333) Add entityGraph for schema-based structures
(PR#6336) Take into account the depth in entityGraph
(PR#6340) Add initial pool constraints to entityGraph
(PR#6341) Add strategies to entityGraph
(PR#6342) Allow recursions on many rels for entityGraph
(PR#6343) Tweak unicity of entities produced by entityGraph
(PR#6400) Support inverse relations in entityGraph

Fixes

(PR#6375) Bug: Fix workflow authentication by enabling credential persistence
(PR#6369) CI: Fix vulnerabilities in our GitHub workflows
(PR#6370) CI: Add workflow security audit with zizmor
(PR#6374) CI: Fix vulnerabilities in build-status workflow
(PR#6397) CI: Ignore trusted publishing for pkg-pr-new
(PR#6410) CI: Fix generate-changelog script
(PR#6365) Doc: Release note for version 4.4.0
(PR#6379) Doc: Fix dead links in the documentation
(PR#6378) Doc: Connect AskAI in docsearch from Algolia
(PR#6380) Doc: Update Content-Security-Policy for AskAI
(PR#6367) Doc: Rework JSDoc for entityGraph and related types
(PR#6383) Doc: Enhance entityGraph documentation
(PR#6337) Refactor: Allocate unlinked versions earlier in entityGraph
(PR#6339) Refactor: Split code of entityGraph into sub-helpers
(PR#6345) Refactor: Import all files with an extension
(PR#6398) Script: Ask AIs to be concise when naming PRs
(PR#6389) Test: Replace @ts-ignore with @ts-expect-error

`v4.4.0`

Compare Source

Expose hidden arbitraries and widen capabilities of existing ones from a typing point of view
[Code][Diff]

Features

(PR#6232) Support full PropertyKey in fc.dictionary(...)
(PR#6267) Add fc.map arbitrary
(PR#6040) Add circular option to fc.letrec
(PR#6270) Add fc.set arbitrary
(PR#6334) REVERT-6040: Self-referencing capabilities from letrec

Fixes

(PR#6138) CI: Force OTP at publication time
(PR#6170) CI: Stop running tests against Windows
(PR#6178) CI: Add GH Action to reformat code in PRs or branches
(PR#6205) CI: Add GH Action to add contributors to the project
(PR#6246) CI: Fix PR mode in format-pr workflow
(PR#6184) CI: Add provenance attestation to npm package publishing
(PR#6248) CI: Add workflow to resolve pnpm lock file merge conflicts on PRs
(PR#6251) CI: Restrict Format workflow to PRs
(PR#6253) CI: Fix PR number type in workflows
(PR#6254) CI: Fix PR workflows
(PR#6255) CI: Fix PNPM conflicts workflow
(PR#6256) CI: Scope permissions of PR Format to job
(PR#6257) CI: Scope permissions of PR PNPM to job
(PR#6258) CI: Job level permissions for add contributor
(PR#6269) CI: Add GitHub Action to validate PR titles
(PR#6281) CI: Add back Windows runners for tests
(PR#6280) CI: Add back latest node for tests
(PR#6282) CI: Bump test matrix to Node 24
(PR#6283) CI: Shard tests producing coverage
(PR#6301) CI: Downgrade node in tests
(PR#6300) CI: Enforce trust-policy for pnpm
(PR#6307) CI: Add back latest Node in test matrix
(PR#6136) Doc: Release note for version 4.3.0
(PR#6169) Doc: Preserve links on Sponsors for the website
(PR#6172) Doc: Update CSP to properly display sponsors.svg
(PR#6173) Doc: Update CSP to properly display sponsors.svg
(PR#6174) Doc: Better support of mobile display for sponsors
(PR#6175) Doc: Better accessibility on website
(PR#6192) Doc: Add @traversable/zod-test to ecosystem
(PR#6204) Doc: Add ahrjarrett as doc contributor
(PR#6238) Doc: Add jamesbvaughan as code contributor
(PR#6250) Doc: Add GitHub Copilot instructions for gitmoji PR naming convention
(PR#6180) Doc: Generate llms.txt and related for AI crawlers
(PR#6279) Doc: Add emilianbold as code contributor
(PR#6287) Doc: Fix example in quick start guide
(PR#6288) Doc: Add russbiggs as doc contributor
(PR#6278) Performance: Use Math.imul and shifts in perf-critical paths
(PR#6275) Refactor: Remove unnecessary npm install steps from publish workflows
(PR#6311) Refactor: Factorize letrec implementations
(PR#6318) Refactor: Extract logic building lazy arbs
(PR#6320) Refactor: Iterate on own props array in letrec
(PR#6321) Refactor: Explicit null check in LazyArbitrary
(PR#6277) Script: Fix script updating the documentation for fast-check

isomorphic-git/isomorphic-git (isomorphic-git)

`v1.36.1`

Compare Source

Bug Fixes

In FileSystem.js, special-case the cp command (#2264) (dd54d92)

`v1.36.0`

Compare Source

Features

Support git commands run in submodules (#2090) (8e331cc)

`v1.35.1`

Compare Source

Bug Fixes

fix readTree error (#2248) (24f7cc9)

auth0/node-jsonwebtoken (jsonwebtoken)

`v9.0.3`

Compare Source

updates jws version to 4.0.1.

lint-staged/lint-staged (lint-staged)

`v16.2.7`

Compare Source

Patch Changes

#1711 ef74c8d Thanks @iiroj! - Do not display a "failed to spawn" error message when a task fails normally. This message is reserved for when the task didn't run because spawning it failed.

prettier/prettier (prettier)

`v3.7.4`

Compare Source

diff

LWC: Avoid quote around interpolations (#18383 by @kovsu)

<!-- Input -->
<div foo={bar}>   </div>

<!-- Prettier 3.7.3 (--embedded-language-formatting off) -->
<div foo="{bar}"></div>

<!-- Prettier 3.7.4 (--embedded-language-formatting off) -->
<div foo={bar}></div>

TypeScript: Fix comment inside union type gets duplicated (#18393 by @fisker)

// Input
type Foo = (/** comment */ a | b) | c;

// Prettier 3.7.3
type Foo = /** comment */ (/** comment */ a | b) | c;

// Prettier 3.7.4
type Foo = /** comment */ (a | b) | c;

TypeScript: Fix unstable comment print in union type comments (#18395 by @fisker)

// Input
type X = (A | B) & (
  // comment
  A | B
);

// Prettier 3.7.3 (first format)
type X = (A | B) &
  (// comment
  A | B);

// Prettier 3.7.3 (second format)
type X = (
  | A
  | B // comment
) &
  (A | B);

// Prettier 3.7.4
type X = (A | B) &
  // comment
  (A | B);

`v3.7.3`

Compare Source

diff

API: Fix `prettier.getFileInfo()` change that breaks VSCode extension (#18375 by @fisker)

An internal refactor accidentally broke the VSCode extension plugin loading.

`v3.7.2`

Compare Source

diff

JavaScript: Fix string print when switching quotes (#18351 by @fisker)

// Input
console.log("A descriptor\\'s .kind must be \"method\" or \"field\".")

// Prettier 3.7.1
console.log('A descriptor\\'s .kind must be "method" or "field".');

// Prettier 3.7.2
console.log('A descriptor\\\'s .kind must be "method" or "field".');

JavaScript: Preserve quote for embedded HTML attribute values (#18352 by @kovsu)

// Input
const html = /* HTML */ ` <div class="${styles.banner}"></div> `;

// Prettier 3.7.1
const html = /* HTML */ ` <div class=${styles.banner}></div> `;

// Prettier 3.7.2
const html = /* HTML */ ` <div class="${styles.banner}"></div> `;

TypeScript: Fix comment in empty type literal (#18364 by @fisker)

// Input
export type XXX = {
  // tbd
};

// Prettier 3.7.1
export type XXX = { // tbd };

// Prettier 3.7.2
export type XXX = {
  // tbd
};

`v3.7.1`

Compare Source

diff

API: Fix performance regression in doc printer (#18342 by @fisker)

Prettier 3.7.1 can be very slow when formatting big files, the regression has been fixed.

`v3.7.0`

Compare Source

diff

🔗 Release Notes

privatenumber/tsx (tsx)

`v4.21.0`

Compare Source

typescript-eslint/typescript-eslint (typescript-eslint)