Bump the production-dependencies group across 1 directory with 6 updates #145

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/production-dependencies-2a5b607760

@dependabot dependabot Bot commented on behalf of github Jun 4, 2026

Updates the requirements on @commander-js/extra-typings, @napi-rs/keyring, commander, make-fetch-happen, smol-toml and yaml to permit the latest version.
Updates @commander-js/extra-typings from 14.0.0 to 15.0.0

Release notes

Sourced from @commander-js/extra-typings's releases.

v15.0.0

@commander-js/extra-typings 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of @commander-js/extra-typings 15 moves version 14 into maintenance. @commander-js/extra-typings 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

Changed

  • Breaking: migrated implementation from CommonJS to ESM (#178)
  • Breaking: peer dependency on Commander 15.0.x which requires Node.js 22.12 or higher
  • update dependencies
  • old major versions now supported for 12 months instead of just previous major version, to give predictable end-of-life date
  • only lone negated option defaults option value to true (matching Commander 15) (#179)
  • now reexporting the global program singleton from Commander rather than creating a separate one

Migration Tips

@commander-js/extra-typings 15 is ESM only, but this does not mean you need to migrate to ESM to use it. Importing ESM from CommonJS is supported by Node.js, and Bun, Deno, and TypeScript. Hopefully it Just Works for you! However, you may be using a different runtime or some other part of your setup that may not yet natively support importing ESM from CommonJS, such as your testing framework or bundler.

If you have problems using @commander-js/extra-typings 15 in your environment, one option is to stay on version 14 for now. @commander-js/extra-typings 14 will get security updates until May 2027 and things will hopefully improve for your setup in the meantime.

Changelog

Sourced from @commander-js/extra-typings's changelog.

[15.0.0] (2026-05-29)


Commits
  • 5a1af3d Merge develop to main for 15.0.0
  • 4bed262 Merge branch 'main' into develop
  • 73ad76d Update Commander dependency to 15.0.0
  • 06f0b4f Add Changelog entry for move to ESM
  • b8f81f3 Recognise negative then positive combo (#179)
  • 6d0ea59 Switch to esm (#178)
  • 1c37944 Pin GitHub actions with hash (#180)
  • 3df3727 Revert "Recognise negative then positive combo"
  • 48fff8a Recognise negative then positive combo
  • 686c1f3 Update docs and prepare for 15.0.0 (#177)
  • Additional commits viewable in compare view

Updates @napi-rs/keyring to 1.3.0

Release notes

Sourced from @napi-rs/keyring's releases.

v1.3.0

What's Changed

New Contributors

Full Changelog: Brooooooklyn/keyring-node@v1.2.0...v1.3.0

Commits

Updates commander from 14.0.3 to 15.0.0

Release notes

Sourced from commander's releases.

v15.0.0

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 moves Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

  • show excess command-arguments in error message (#2384)

Fixed

  • Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order (#2405)
  • update example to use compatible character for MINGW64 (#2475)

Changed

  • Breaking: migrated Commander implementation from CommonJS to ESM (#2464)
  • Breaking: Commander 15 requires Node.js v22.12.0 or higher (for require(esm)).
  • dev: switch tests from Jest to node:test test runner (#2463)

Deleted

  • Breaking: removed deprecated export of commander/esm.mjs (#2464)

Migration Tips

Commander 15 is ESM only, but this does not mean you need to migrate to ESM to use it. Importing ESM from CommonJS is supported by Node.js, and Bun, and Deno. Hopefully it Just Works for you! However, you may be using a different runtime or some other part of your setup that may not yet natively support importing ESM from CommonJS, such as your testing framework or bundler.

If you have problems using Commander 15 in your environment, one option is to stay on Commander 14 for now. Commander 14 will get security updates until May 2027 and things will hopefully improve for your setup in the meantime.

v15.0.0-0

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 in May 2026 will move Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

  • show excess command-arguments in error message (#2384)

Fixed

  • Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order (#2405)
  • update example to use compatible character for MINGW64 (#2475)

... (truncated)

Changelog

Sourced from commander's changelog.

[15.0.0] (2026-05-29)


[15.0.0-0] (2026-02-22)

(Released as 15.0.0)

Commits

Updates make-fetch-happen to 15.0.6

Release notes

Sourced from make-fetch-happen's releases.

v15.0.6

15.0.6 (2026-05-26)

Bug Fixes

Chores

Changelog

Sourced from make-fetch-happen's changelog.

15.0.6 (2026-05-26)

Bug Fixes

Chores

15.0.5 (2026-03-16)

Bug Fixes

Dependencies

15.0.4 (2026-02-24)

Dependencies

15.0.3 (2025-11-13)

Dependencies

15.0.2 (2025-09-18)

Dependencies

15.0.1 (2025-08-19)

Dependencies

15.0.0 (2025-07-24)

⚠️ BREAKING CHANGES

  • make-fetch-happen now supports node ^20.17.0 || >=22.9.0

Bug Fixes

Dependencies

Chores

14.0.3 (2024-10-21)

Bug Fixes

Dependencies

... (truncated)

Commits

Updates smol-toml to 1.6.1

Release notes

Sourced from smol-toml's releases.

v1.6.1

This release addresses a minor security vulnerability where an attacker-controlled TOML document can exploit an unrestricted recursion and cause a stack overflow error with a document that contains thousands of successive commented lines. Security advisory: GHSA-v3rj-xjv7-4jmq

Commits

Updates yaml to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

  • fix: Avoid calling Array.prototype.push.apply() with large source array
  • fix(lexer): Avoid recursive calls that may exhaust the call stack
Commits
  • ddb21b0 2.9.0
  • 167365b docs: Clarify that not all errors can be avoided
  • 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
  • 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
  • ccdf743 2.8.4
  • f625789 fix: Disable alias resolution with maxAliasCount:0 (#677)
  • e1a1a77 fix: Handle invalid unicode escapes
  • a163ea0 style: Satify Prettier
  • b2a5a6c fix: Apply minFractionDigits only to decimal strings (#676)
  • 93c951b chore: Bump JSR version to v2.8.3 (#673)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) labels Jun 4, 2026
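
The stack-exhaustion failure modes named in the smol-toml 1.6.1 and yaml 2.9.0 notes above, as an added JavaScript example that is not code from either project. The lexer helpers are toy stand-ins, and `guardedParse` with its 1 MiB cap is a hypothetical wrapper for callers that parse untrusted documents.

```javascript
// Added illustration: toy lexer helpers, not code from yaml or smol-toml.

// Recursive comment skipping: one stack frame per comment line, so the
// document's author controls the recursion depth.
function skipCommentsRecursive(src, pos = 0) {
  if (src[pos] !== '#') return pos;
  const eol = src.indexOf('\n', pos);
  return eol === -1 ? src.length : skipCommentsRecursive(src, eol + 1);
}

// Iterative form: constant stack depth regardless of input length.
function skipCommentsIterative(src, pos = 0) {
  while (src[pos] === '#') {
    const eol = src.indexOf('\n', pos);
    if (eol === -1) return src.length;
    pos = eol + 1;
  }
  return pos;
}

// push.apply() passes every source element as a call argument, so a large
// source array exhausts the stack; a plain loop has no such limit.
function appendWithApply(target, source) {
  Array.prototype.push.apply(target, source);
  return target;
}
function appendWithLoop(target, source) {
  for (const item of source) target.push(item);
  return target;
}

// Hypothetical wrapper for untrusted input: cap the size first, then turn
// any parser exception, RangeError included, into a result value.
function guardedParse(parse, text, maxBytes = 1 << 20) {
  if (Buffer.byteLength(text, 'utf8') > maxBytes) {
    return { ok: false, error: 'input too large' };
  }
  try {
    return { ok: true, value: parse(text) };
  } catch (err) {
    return { ok: false, error: `${err.name}: ${err.message}` };
  }
}

// Constructed sample inputs: 200,000 comment lines, and a 1,000,000-item array.
const manyComments = '#\n'.repeat(200000) + 'key = 1\n';
const bigArray = new Array(1000000).fill(0);

console.log(guardedParse(skipCommentsRecursive, manyComments));
console.log(guardedParse(skipCommentsIterative, manyComments));
console.log(guardedParse(() => appendWithApply([], bigArray).length, ''));
console.log(guardedParse(() => appendWithLoop([], bigArray).length, ''));
```
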

snyk-io Bot commented Jun 4, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |


Updates the requirements on [@commander-js/extra-typings](https://github.com/commander-js/extra-typings), [@napi-rs/keyring](https://github.com/Brooooooklyn/keyring-node), [commander](https://github.com/tj/commander.js), [make-fetch-happen](https://github.com/npm/make-fetch-happen), [smol-toml](https://github.com/squirrelchat/smol-toml) and [yaml](https://github.com/eemeli/yaml) to permit the latest version.

Updates `@commander-js/extra-typings` from 14.0.0 to 15.0.0
- [Release notes](https://github.com/commander-js/extra-typings/releases)
- [Changelog](https://github.com/commander-js/extra-typings/blob/main/CHANGELOG.md)
- [Commits](commander-js/extra-typings@v14.0.0...v15.0.0)

Updates `@napi-rs/keyring` to 1.3.0
- [Release notes](https://github.com/Brooooooklyn/keyring-node/releases)
- [Commits](Brooooooklyn/keyring-node@v1.2.0...v1.3.0)

Updates `commander` from 14.0.3 to 15.0.0
- [Release notes](https://github.com/tj/commander.js/releases)
- [Changelog](https://github.com/tj/commander.js/blob/master/CHANGELOG.md)
- [Commits](tj/commander.js@v14.0.3...v15.0.0)

Updates `make-fetch-happen` to 15.0.6
- [Release notes](https://github.com/npm/make-fetch-happen/releases)
- [Changelog](https://github.com/npm/make-fetch-happen/blob/v15.0.6/CHANGELOG.md)
- [Commits](npm/make-fetch-happen@v15.0.3...v15.0.6)

Updates `smol-toml` to 1.6.1
- [Release notes](https://github.com/squirrelchat/smol-toml/releases)
- [Commits](squirrelchat/smol-toml@v1.6.0...v1.6.1)

Updates `yaml` to 2.9.0
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.8.2...v2.9.0)

---
updated-dependencies:
- dependency-name: "@commander-js/extra-typings"
  dependency-version: 15.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: "@napi-rs/keyring"
  dependency-version: 1.3.0
  dependency-type: direct:production
  dependency-group: production-dependencies
- dependency-name: commander
  dependency-version: 15.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: make-fetch-happen
  dependency-version: 15.0.6
  dependency-type: direct:production
  dependency-group: production-dependencies
- dependency-name: smol-toml
  dependency-version: 1.6.1
  dependency-type: direct:production
  dependency-group: production-dependencies
- dependency-name: yaml
  dependency-version: 2.9.0
  dependency-type: direct:production
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
github-actions Bot force-pushed the dependabot/npm_and_yarn/production-dependencies-2a5b607760 branch from 609d99d to 14ca509 June 4, 2026 00:52
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

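| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | @commander-js/extra-typings@15.0.0 | 100 | 100 | 100 | 88 | 100 |
| Added | commander@15.0.0 | 100 | 100 | 100 | 90 | 100 |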

View full report

@codacy-production

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric Results
Complexity 0
Duplication 0

View in Codacy

