Bump the npm-dependencies group across 1 directory with 16 updates

[dependabot]

Bumps the npm-dependencies group with 14 updates in the / directory:

Package	From	To
@tailwindcss/cli	4.1.17	4.1.18
esbuild	0.25.12	0.27.2
glob	11.0.3	13.0.0
rollup	4.53.2	4.54.0
@cloudflare/vitest-pool-workers	0.9.14	0.11.1
@eslint/js	9.39.1	9.39.2
@npmcli/arborist	9.1.6	9.1.9
@vitest/coverage-istanbul	3.2.4	4.0.16
@vitest/coverage-v8	3.2.4	4.0.16
eslint	9.39.1	9.39.2
globals	16.5.0	17.0.0
lerna	9.0.0	9.0.3
prettier	3.6.2	3.7.4
vitest	3.2.4	4.0.16

Updates @tailwindcss/cli from 4.1.17 to 4.1.18

Release notes

Sourced from @​tailwindcss/cli's releases.

v4.1.18

Fixed

• Ensure validation of source(…) happens relative to the file it is in (#19274)
• Include filename and line numbers in CSS parse errors (#19282)
• Skip comments in Ruby files when checking for class names (#19243)
• Skip over arbitrary property utilities with a top-level ! in the value (#19243)
• Support environment API in @tailwindcss/vite (#18970)
• Preserve case of theme keys from JS configs and plugins (#19337)
• Write source maps correctly on the CLI when using --watch (#19373)
• Handle special defaults (like ringColor.DEFAULT) in JS configs (#19348)
• Improve backwards compatibility for content theme key from JS configs (#19381)
• Upgrade: Handle future and experimental config keys (#19344)
• Try to canonicalize any arbitrary utility to a bare value (#19379)
• Validate candidates similarly to Oxide (#19397)
• Canonicalization: combine text-* and leading-* classes (#19396)
• Correctly handle duplicate CLI arguments (#19416)
• Don’t emit color-mix fallback rules inside @keyframes (#19419)
• CLI: Don't hang when output is /dev/stdout (#19421)

Changelog

Sourced from @​tailwindcss/cli's changelog.

[4.1.18] - 2025-12-11

Fixed

• Ensure validation of source(…) happens relative to the file it is in (#19274)
• Include filename and line numbers in CSS parse errors (#19282)
• Skip comments in Ruby files when checking for class names (#19243)
• Skip over arbitrary property utilities with a top-level ! in the value (#19243)
• Support environment API in @tailwindcss/vite (#18970)
• Preserve case of theme keys from JS configs and plugins (#19337)
• Write source maps correctly on the CLI when using --watch (#19373)
• Handle special defaults (like ringColor.DEFAULT) in JS configs (#19348)
• Improve backwards compatibility for content theme key from JS configs (#19381)
• Upgrade: Handle future and experimental config keys (#19344)
• Try to canonicalize any arbitrary utility to a bare value (#19379)
• Validate candidates similarly to Oxide (#19397)
• Canonicalization: combine text-* and leading-* classes (#19396)
• Correctly handle duplicate CLI arguments (#19416)
• Don’t emit color-mix fallback rules inside @keyframes (#19419)
• CLI: Don't hang when output is /dev/stdout (#19421)

[3.4.19] - 2025-12-10

Fixed

• Don’t break sibling-*() functions when used inside calc(…) (#19335)

Commits

• 9b32f7c Release v4.1.18 (#19431)
• 164194d Don’t try reading from pipes or special file descriptors (#19421)
• 563a016 Only use the last value when parsing duplicate cli arguments (#19416)
• 0e8f075 Fix source map generation during when watching files on the CLI (#19373)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by malfaitrobin, a new releaser for @​tailwindcss/cli since your current version.

Updates esbuild from 0.25.12 to 0.27.2

Release notes

Sourced from esbuild's releases.

v0.27.2

• Allow import path specifiers starting with #/ (#4361)

  Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

  This change was contributed by @​hybrist.

• Automatically add the -webkit-mask prefix (#4357, #4358)

  This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

  /* Original code */
  main {
    mask: url(x.png) center/5rem no-repeat
  }
  /* Old output (with --target=chrome110) */
  main {
  mask: url(x.png) center/5rem no-repeat;
  }
  /* New output (with --target=chrome110) */
  main {
  -webkit-mask: url(x.png) center/5rem no-repeat;
  mask: url(x.png) center/5rem no-repeat;
  }

  This change was contributed by @​BPJEnnova.

• Additional minification of switch statements (#4176, #4359)

  This release contains additional minification patterns for reducing switch statements. Here is an example:

  // Original code
  switch (x) {
    case 0:
      foo()
      break
    case 1:
    default:
      bar()
  }
  // Old output (with --minify)
  switch(x){case 0:foo();break;case 1:default:bar()}
  // New output (with --minify)

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.27.2

• Allow import path specifiers starting with #/ (#4361)

  Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

  This change was contributed by @​hybrist.

• Automatically add the -webkit-mask prefix (#4357, #4358)

  This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

  /* Original code */
  main {
    mask: url(x.png) center/5rem no-repeat
  }
  /* Old output (with --target=chrome110) */
  main {
  mask: url(x.png) center/5rem no-repeat;
  }
  /* New output (with --target=chrome110) */
  main {
  -webkit-mask: url(x.png) center/5rem no-repeat;
  mask: url(x.png) center/5rem no-repeat;
  }

  This change was contributed by @​BPJEnnova.

• Additional minification of switch statements (#4176, #4359)

  This release contains additional minification patterns for reducing switch statements. Here is an example:

  // Original code
  switch (x) {
    case 0:
      foo()
      break
    case 1:
    default:
      bar()
  }
  // Old output (with --minify)
  switch(x){case 0:foo();break;case 1:default:bar()}

... (truncated)

Commits

• cd83297 publish 0.27.2 to npm
• 2759721 additional tests for switch with break
• fd2b4b3 update release notes
• c8d93a7 fix #4357: -webkit- prefix for mask shorthand (#4358)
• 92ff12c compat table: update @types/node
• a35eceb compat table: fix a type error with the new types
• f598984 fix make compat-table to install dependencies
• f7f6df0 release notes for #4361
• 6f8ec15 fix: allow subpath imports that start with #/ (#4361)
• f7ae61f minify some switch statements to if-else statement
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for esbuild since your current version.

Updates glob from 11.0.3 to 13.0.0

Changelog

Sourced from glob's changelog.

changeglob

13

• Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

• Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

• Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
• Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.
• Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

• Drop support for node before v20

10.4

• Add includeChildMatches: false option
• Export the Ignore class

10.3

• Add --default -p flag to provide a default pattern
• exclude symbolic links to directories when follow and nodir are both set

10.2

• Add glob cli

10.1

• Return '.' instead of the empty string '' when the current working directory is returned as a match.
• Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

• 3bfb960 13.0.0
• db31a63 Split the CLI out from the main project
• 5493458 ci: remove node 20
• 3f7526c test: fix bin tests on windows (slashes)
• 2b03cca 12.0.0
• d56203d prettier config
• bb521e5 Remove --shell option where unsafe to use
• 2551fb5 11.1.0
• 47473c0 bin: Do not expose filenames to shell expansion
• bc33fe1 skip tilde test on systems that lack tilde expansion
• Additional commits viewable in compare view

Updates rollup from 4.53.2 to 4.54.0

Release notes

Sourced from rollup's releases.

v4.54.0

4.54.0

2025-12-20

Features

• Enable tree-shaking for Symbol.hasInstance, Symbol.dispose and Symbol.asyncDispose properties if unused (#6046)

Bug Fixes

• Ensure that well-known-Symbol-valued properties are not tree-shaken except in select cases (#6046)
• Ensure namespace properties are included when referenced only from a try-catch (#6216)

Pull Requests

• #6046: fix: correctly handle wellknown protocols (@​cyyynthia, @​lukastaegert)
• #6201: chore(deps): update dependency lru-cache to v11 (@​renovate[bot], @​lukastaegert)
• #6211: chore(deps): update msys2/setup-msys2 digest to 4f806de (@​renovate[bot], @​lukastaegert)
• #6212: chore(deps): update actions/cache action to v5 (@​renovate[bot])
• #6213: chore(deps): update github artifact actions (major) (@​renovate[bot])
• #6214: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6215: chore(deps): lock file maintenance (@​renovate[bot])
• #6216: fix: include namespace variable paths during try-catch deoptimization (@​schwing)

v4.53.5

4.53.5

2025-12-16

Bug Fixes

• Fix wrong semicolon insertion position when using JSX (#6206)
• Generate spec-compliant sourcemaps when sources content is excluded (#6196)

Pull Requests

• #6196: fix: set sourcesContent to undefined instead of null when excluding sources content (@​TrickyPi)
• #6206: Fix semicolon order in JSX (@​TrickyPi)

v4.53.4

4.53.4

2025-12-15

Bug Fixes

• Ensure Symbol.dispose and Symbol.asyncDispose properties are never removed with (await) using declarations. (#6209)

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.54.0

2025-12-20

Features

• Enable tree-shaking for Symbol.hasInstance, Symbol.dispose and Symbol.asyncDispose properties if unused (#6046)

Bug Fixes

• Ensure that well-known-Symbol-valued properties are not tree-shaken except in select cases (#6046)
• Ensure namespace properties are included when referenced only from a try-catch (#6216)

Pull Requests

• #6046: fix: correctly handle wellknown protocols (@​cyyynthia, @​lukastaegert)
• #6201: chore(deps): update dependency lru-cache to v11 (@​renovate[bot], @​lukastaegert)
• #6211: chore(deps): update msys2/setup-msys2 digest to 4f806de (@​renovate[bot], @​lukastaegert)
• #6212: chore(deps): update actions/cache action to v5 (@​renovate[bot])
• #6213: chore(deps): update github artifact actions (major) (@​renovate[bot])
• #6214: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6215: chore(deps): lock file maintenance (@​renovate[bot])
• #6216: fix: include namespace variable paths during try-catch deoptimization (@​schwing)

4.53.5

2025-12-16

Bug Fixes

• Fix wrong semicolon insertion position when using JSX (#6206)
• Generate spec-compliant sourcemaps when sources content is excluded (#6196)

Pull Requests

• #6196: fix: set sourcesContent to undefined instead of null when excluding sources content (@​TrickyPi)
• #6206: Fix semicolon order in JSX (@​TrickyPi)

4.53.4

2025-12-15

Bug Fixes

• Ensure Symbol.dispose and Symbol.asyncDispose properties are never removed with (await) using declarations. (#6209)

Pull Requests

• #6185: chore(deps): update dependency @​inquirer/prompts to v8 (@​renovate[bot], @​lukastaegert)
• #6186: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])

... (truncated)

Commits

• 88f1430 4.54.0
• e5e01c1 fix: include namespace variable paths during try-catch deoptimization (#6216)
• 107959c fix: correctly handle wellknown protocols (#6046)
• 160514d chore(deps): lock file maintenance (#6215)
• 59bda58 chore(deps): update msys2/setup-msys2 digest to 4f806de (#6211)
• 9b7ca4d chore(deps): update actions/cache action to v5 (#6212)
• abf1fb5 chore(deps): update github artifact actions (major) (#6213)
• 0dec3ca fix(deps): lock file maintenance minor/patch updates (#6214)
• c3fa50c chore(deps): update dependency lru-cache to v11 (#6201)
• 31bb66e 4.53.5
• Additional commits viewable in compare view

Updates tailwindcss from 4.1.17 to 4.1.18

Release notes

Sourced from tailwindcss's releases.

v4.1.18

Fixed

• Ensure validation of source(…) happens relative to the file it is in (#19274)
• Include filename and line numbers in CSS parse errors (#19282)
• Skip comments in Ruby files when checking for class names (#19243)
• Skip over arbitrary property utilities with a top-level ! in the value (#19243)
• Support environment API in @tailwindcss/vite (#18970)
• Preserve case of theme keys from JS configs and plugins (#19337)
• Write source maps correctly on the CLI when using --watch (#19373)
• Handle special defaults (like ringColor.DEFAULT) in JS configs (#19348)
• Improve backwards compatibility for content theme key from JS configs (#19381)
• Upgrade: Handle future and experimental config keys (#19344)
• Try to canonicalize any arbitrary utility to a bare value (#19379)
• Validate candidates similarly to Oxide (#19397)
• Canonicalization: combine text-* and leading-* classes (#19396)
• Correctly handle duplicate CLI arguments (#19416)
• Don’t emit color-mix fallback rules inside @keyframes (#19419)
• CLI: Don't hang when output is /dev/stdout (#19421)

Changelog

Sourced from tailwindcss's changelog.

[4.1.18] - 2025-12-11

Fixed

• Ensure validation of source(…) happens relative to the file it is in (#19274)
• Include filename and line numbers in CSS parse errors (#19282)
• Skip comments in Ruby files when checking for class names (#19243)
• Skip over arbitrary property utilities with a top-level ! in the value (#19243)
• Support environment API in @tailwindcss/vite (#18970)
• Preserve case of theme keys from JS configs and plugins (#19337)
• Write source maps correctly on the CLI when using --watch (#19373)
• Handle special defaults (like ringColor.DEFAULT) in JS configs (#19348)
• Improve backwards compatibility for content theme key from JS configs (#19381)
• Upgrade: Handle future and experimental config keys (#19344)
• Try to canonicalize any arbitrary utility to a bare value (#19379)
• Validate candidates similarly to Oxide (#19397)
• Canonicalization: combine text-* and leading-* classes (#19396)
• Correctly handle duplicate CLI arguments (#19416)
• Don’t emit color-mix fallback rules inside @keyframes (#19419)
• CLI: Don't hang when output is /dev/stdout (#19421)

[3.4.19] - 2025-12-10

Fixed

• Don’t break sibling-*() functions when used inside calc(…) (#19335)

Commits

• 9b32f7c Release v4.1.18 (#19431)
• 820d907 Expose candidatesToAst to the language server (#19405)
• 478e959 Don’t emit color-mix fallback rules inside @keyframes (#19419)
• a5f4644 Validate named values in candidate parser (#19397)
• 229121d Canonicalization: combine text-* and leading-* classes (#19396)
• 243615e Handle backwards compatibility for content theme from JS configs (#19381)
• 7642751 Improve compatibility with special default values in JS configs (#19348)
• af48117 remove unnecessary intermediate check
• 9e436f7 Try to canonicalize any arbitrary utility to a bare value (#19379)
• 479b725 Bump Vitest to v4 (#19216)
• Additional commits viewable in compare view

Updates @cloudflare/vitest-pool-workers from 0.9.14 to 0.11.1

Release notes

Sourced from @​cloudflare/vitest-pool-workers's releases.

@​cloudflare/vitest-pool-workers@​0.11.1

Patch Changes

• Updated dependencies [ae1ad22, 171cfd9, 428ae9e, 737c0f4, c0e249e, 472cf72, 3853200]:
  • miniflare@4.20251217.0
  • wrangler@4.56.0

@​cloudflare/vitest-pool-workers@​0.11.0

Minor Changes

• #11533 8d9003e Thanks @​petebacondarwin! - Add support for ctx.exports

  It is now possible to access ctx.exports properties for the main (SELF) worker.

  • Integration tests: in the SELF worker the ctx.exports object now contains the expected stubs to the exported entry-points.
  • Unit tests: the object returned from createExecutionContext() has exports property that exposes the exports of the SELF worker.

  Due to the dynamic nature of Vitest the integration relies upon guessing what the exports of the main Worker are by statically analyzing the Worker source using esbuild. In cases where it is not possible to infer the exports (for example, a wildcard re-export of a virtual module) it is possible to declare these in the vitest-pool-workers config via the additionalExports setting.

Patch Changes

• Updated dependencies [ed42010, 5d085fb, b75b710, 1e9be12, 6b28de1, 6c590a0, 12a63ef, 4201472, 7d8d4a6, 95d81e1, 6c590a0]:
  • wrangler@4.55.0
  • miniflare@4.20251213.0

@​cloudflare/vitest-pool-workers@​0.10.15

Patch Changes

• Updated dependencies [c15e99e, 31c162a, bd5f087, c6dd86f, 235d325, b17797c, b17797c, 41103f5, ea6fbec, bb47e20, 991760d]:
  • wrangler@4.54.0
  • miniflare@4.20251210.0

@​cloudflare/vitest-pool-workers@​0.10.14

Patch Changes

• Updated dependencies [af54c63, 9988cc9, ce295bf, 45480b1, 9514c9a, 94c67e8, ac861f8, 79d30d4, 56e78c8, f550b62]:
  • wrangler@4.53.0
  • miniflare@4.20251202.1

@​cloudflare/vitest-pool-workers@​0.10.13

Patch Changes

• Updated dependencies [59534ba, 7e80340]:
  • miniflare@4.20251202.0
  • wrangler@4.52.1

@​cloudflare/vitest-pool-workers@​0.10.12

Patch Changes

• Updated dependencies [2b4813b, abe49d8, b154de2, f29e699, 5ee3780, 6e63b57, 71ab562, 76f0540, 2342d2f, 5e937c1, 9a1de61, 6b38532, e4ddbc2, 2aec2b4, 695fa25, 504e258, 5a873bb, d25f7e2, 1cfae2d, e7b690b, 1d685cb, edf896d, 2b4813b, c47ad11, a977701, 9eaa9e2]:

... (truncated)

Changelog

Sourced from @​cloudflare/vitest-pool-workers's changelog.

0.11.1

Patch Changes

• Updated dependencies [ae1ad22, 171cfd9, 428ae9e, 737c0f4, c0e249e, 472cf72, 3853200]:
  • miniflare@4.20251217.0
  • wrangler@4.56.0

0.11.0

Minor Changes

• #11533 8d9003e Thanks @​petebacondarwin! - Add support for ctx.exports

  It is now possible to access ctx.exports properties for the main (SELF) worker.

  • Integration tests: in the SELF worker the ctx.exports object now contains the expected stubs to the exported entry-points.
  • Unit tests: the object returned from createExecutionContext() has exports property that exposes the exports of the SELF worker.

  Due to the dynamic nature of Vitest the integration relies upon guessing what the exports of the main Worker are by statically analyzing the Worker source using esbuild. In cases where it is not possible to infer the exports (for example, a wildcard re-export of a virtual module) it is possible to declare these in the vitest-pool-workers config via the additionalExports setting.

Patch Changes

• Updated dependencies [ed42010, 5d085fb, b75b710, 1e9be12, 6b28de1, 6c590a0, 12a63ef, 4201472, 7d8d4a6, 95d81e1, 6c590a0]:
  • wrangler@4.55.0
  • miniflare@4.20251213.0

0.10.15

Patch Changes

• Updated dependencies [c15e99e, 31c162a, bd5f087, c6dd86f, 235d325, b17797c, b17797c, 41103f5, ea6fbec, bb47e20, 991760d]:
  • wrangler@4.54.0
  • miniflare@4.20251210.0

0.10.14

Patch Changes

• Updated dependencies [af54c63, 9988cc9, ce295bf, 45480b1, 9514c9a, 94c67e8, ac861f8, 79d30d4, 56e78c8, f550b62]:
  • wrangler@4.53.0
  • miniflare@4.20251202.1

0.10.13

Patch Changes

• Updated dependencies [59534ba, 7e80340]:
  • miniflare@4.20251202.0
  • wrangler@4.52.1

... (truncated)

Commits

• 6be9321 Version Packages (#11666)
• 8ba87a0 Version Packages (#11602)
• 8d9003e support ctx.exports in vitest-pool-workers (#11533)
• d9eae49 Version Packages (#11538)
• 8672321 Version Packages (#11511)
• 0c71b87 Version Packages (#11503)
• 1b3e10d Version Packages (#11427)
• ed5186e add tests for vitest-pool-workers context exports (#11441)
• f87b057 Version Packages (#11374)
• 86eab8e Version Packages (#11356)
• Additional commits viewable in compare view

Updates @eslint/js from 9.39.1 to 9.39.2

Release notes

Sourced from @​eslint/js's releases.

v9.39.2

Bug Fixes

• 5705833 fix: warn when eslint-env configuration comments are found (#20381) (sethamus)

Build Related

• 506f154 build: add .scss files entry to knip (#20391) (Milos Djermanovic)

Chores

• 7ca0af7 chore: upgrade to @eslint/js@9.39.2 (#20394) (Francesco Trotta)
• c43ce24 chore: package.json update for @​eslint/js release (Jenkins)
• 4c9858e ci: add v9.x-dev branch (#20382) (Milos Djermanovic)

Commits

• c43ce24 chore: package.json update for @​eslint/js release
• See full diff in compare view

Updates @npmcli/arborist from 9.1.6 to 9.1.9

Release notes

Sourced from @​npmcli/arborist's releases.

arborist: v9.1.9

9.1.9 (2025-12-09)

Bug Fixes

• 0765289 #8721 handle ENOTEMPTY errors in moveFile (@​keegancsmith)

arborist: v9.1.8

9.1.8 (2025-11-25)

Bug Fixes

[github-actions]

Thanks for your first pull request! We appreciate your contribution.

[deepsource-io]

Here's the code health analysis summary for commits a56a50c..687e6b3. View details on DeepSource ↗.

Analysis Summary

Analyzer	Status	Summary	Link
Python	✅ Success		View Check ↗
Secrets	✅ Success		View Check ↗
Shell	✅ Success		View Check ↗
Docker	✅ Success		View Check ↗
JavaScript	✅ Success		View Check ↗

---

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​vitest/​coverage-istanbul@​3.2.4 ⏵ 4.0.16				+2
	@​vitest/​coverage-v8@​3.2.4 ⏵ 4.0.16	+1		-3	+1
	esbuild@​0.25.12 ⏵ 0.27.2
	@​tailwindcss/​cli@​4.1.17 ⏵ 4.1.18
	@​cloudflare/​vitest-pool-workers@​0.9.14 ⏵ 0.11.1
	lerna@​9.0.0 ⏵ 9.0.3	-1			+4
	luxon@​3.7.2
	globals@​16.5.0 ⏵ 17.0.0			+1	-5
	glob@​11.0.3 ⏵ 13.0.0	+1	+16
	eslint@​9.39.1 ⏵ 9.39.2	-3			-1
	@​eslint/​js@​9.39.1 ⏵ 9.39.2
	@​npmcli/​arborist@​9.1.4 ⏵ 9.1.9				-1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm markdown-it is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: package-lock.json → npm/@11ty/eleventy@3.1.2 → npm/markdown-it@14.1.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/markdown-it@14.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Low adoption: npm obug Location: Package overview From: package-lock.json → npm/@vitest/coverage-istanbul@4.0.16 → npm/@vitest/coverage-v8@4.0.16 → npm/obug@2.1.1 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/obug@2.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[sentry]

Bug: The vitest upgrade to v4.x is incompatible with the existing configuration, which uses the removed coverage.all option. This will cause test and coverage commands to fail.
_{Severity: CRITICAL | Confidence: High}

🔍 Detailed Analysis

The pull request upgrades vitest to version 4.x, which introduces a breaking change by removing the coverage.all configuration option. The project's Vitest configuration files, such as packages/cfsite/vitest.config.js and vite.config.js, still use all: true within the coverage block. When test or coverage commands like npm run coverage are executed, Vitest v4 will encounter this unrecognized option, leading to a validation error and causing the command to fail. This will break the test suite and prevent coverage reports from being generated.

💡 Suggested Fix

Remove the coverage.all: true option from all Vitest configuration files. To replicate the previous behavior of including all source files in the report, add a coverage.include property with glob patterns that explicitly target all relevant source files.

🤖 Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: packages/cfsite/package.json#L16

Potential issue: The pull request upgrades `vitest` to version 4.x, which introduces a
breaking change by removing the `coverage.all` configuration option. The project's
Vitest configuration files, such as `packages/cfsite/vitest.config.js` and
`vite.config.js`, still use `all: true` within the `coverage` block. When test or
coverage commands like `npm run coverage` are executed, Vitest v4 will encounter this
unrecognized option, leading to a validation error and causing the command to fail. This
will break the test suite and prevent coverage reports from being generated.

_{Did we get this right? 👍 / 👎 to inform future reviews.
Reference ID: 8095428}

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.