Skip to content

chore(deps): update deps:lib-major (major)#687

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/major-deps-lib-major
Open

chore(deps): update deps:lib-major (major)#687
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/major-deps-lib-major

Conversation

@renovate

@renovate renovate Bot commented May 16, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
concurrently 9.2.110.0.3 age confidence
jscpd (source) 4.0.95.0.9 age confidence
yargs (source) 17.7.218.0.0 age confidence

Release Notes

open-cli-tools/concurrently (concurrently)

v10.0.3

Compare Source

Republish of https://github.com/open-cli-tools/concurrently/releases/tag/v10.0.1 with Trusted Publishing enabled (see #​595)

Full Changelog: open-cli-tools/concurrently@v10.0.2...v10.0.3

v10.0.1

Compare Source

  • Ensure FlowController type is exported - #​594

Full Changelog: open-cli-tools/concurrently@v10.0.0...v10.0.1

v10.0.0

Compare Source

💥 Breaking Changes

  • Dropped support for Node.js <22.0.0.
    Older Node.js version have reached end-of-life, and certain features require new-ish JS APIs.
  • concurrently is now ESM-only.
    It's now possible to require(esm). See here for interoperability.
  • Prefix colors now default to automatic - #​581
    The colors used to default to reset (which does nothing). Concurrently now automatically selects a color, out of the box.
    The list of colors used is not jarring nor carries semantic meaning, and reads well in both dark and light terminal backgrounds.
  • Removed deprecated flags and options
    • CLI flag --name-separator: use commas instead.
    • API option killOthers: use killOthersOn instead.

✨ New Features

  • Support applying modifiers to hex prefix colors (e.g. #ff0000.bold) - #​450
  • Support chalk's color functions in prefixes (e.g. rgb(), hex(), bgRgb(), etc) - #​578
  • Set prefix background color via bg#RRGGBB - #​578
  • Allow shell override via --shell CLI flag/shell API option - #​288, #​589, #​556
    concurrently distinguishes between cmd.exe, powershell, and POSIX-based shells.
  • Manual prefix coloring in templates e.g. [{color}{name}{/color}] - #​583, #​587

🐛 Bug fixes

  • Scope quote normalization to CLI input - #​582, #​585
    It should now also be possible to run commands like "/some/command" foo bar"
  • Don't throw when color doesn't exist - #​580

🔐 Security

Other changes

  • Warn about running on Snap - #​584

New Contributors

Full Changelog: open-cli-tools/concurrently@v9.2.1...v10.0.0

v9.2.3

Compare Source

Full Changelog: open-cli-tools/concurrently@v9.2.2...v9.2.3

kucherenko/jscpd (jscpd)

v5.0.9

Compare Source

New Features
  • GitHub Action for jscpd (Rust v5) — jscpd-copy-paste-detector action for GitHub Actions Marketplace. Scan your repo for copy/paste in CI with uses: kucherenko/jscpd/.github/workflows/action.yml@v5
Bug Fixes
  • Resolve platform binary resolution when cpd is installed as a nested dependency (e.g. in a project's node_modules via a parent package). The runner now correctly locates the platform-specific binary relative to the installed package rather than assuming a top-level install. Fixes #​816

v5.0.8

Compare Source

Bug Fixes
  • Prevent mmap exhaustion crashes when scanning repositories with more files than vm.max_map_count (default 131 072 on Linux). The walker previously held a live Mmap per discovered file; each rayon worker now opens and drops its mapping within the processing closure, capping concurrent mappings to the thread-pool size (typically 8–32). Fixes #​813
  • Fix --pattern not matching relative paths when the scan root is absolute (e.g. CWD). Patterns like src/**/*.ts now match correctly by comparing against both the relative path and the full absolute path, and bare patterns like *.ts gain a **/ prefix to match at any depth. Fixes #​811
  • Fix trailing-newline off-by-one in line-count filter: files not ending with \n now count the final line correctly

v5.0.7

Compare Source

Bug Fixes
  • Prevent stack overflow when scanning directories containing deeply-nested JS/TS files (e.g. Bun's test/bundler with 320K+ nested for-loops). OXC's recursive-descent parser allocates one stack frame per AST nesting level; pathological inputs now exceed the default 8 MiB thread stack. Fixed by building a local rayon ThreadPool with 64 MiB stacks instead of using the global pool (which silently fails on re-init)
  • Default --max-size to 1mb — files exceeding the limit are skipped at walk time, consistent with jscpd v4's maxSize behavior. This prevents OXC from ever seeing megabyte-scale generated files that would overflow the stack
  • --workers N now correctly takes effect on every run() call (previously build_global() silently no-op'd after the first invocation)

v5.0.6

Compare Source

New Features
  • v4 config backward compatibility — .jscpd.json fields path, pattern, ignore, and ignorePattern are now read and applied, matching jscpd v4 behavior
  • ignore and ignorePattern are now distinct: ignore matches file-level globs, ignorePattern matches code-level regex patterns (previously conflated)
  • .jscpd.json path config support — reads scan directories from the path field, resolving relative paths against the config file's directory
  • jscpd npm wrapper package — publishes the same Rust binary under the jscpd name on npm with v5.x versioning
  • --exit-code now matches v4 behavior: accepts optional integer value (--exit-code exits 1, --exit-code 2 exits 2); --threshold and --exit-code are now independent
  • Performance improvements: memory-mapped file I/O (via memmap2) eliminates heap copies of file contents; SIMD-accelerated line counting (via memchr); parallel detection pipeline uses flat_map to avoid intermediate allocations; JS tokenizer no longer clones source strings before parsing (thanks to @​auterium, #​808)
Bug Fixes
  • Fixed --exit-code to match jscpd v4's --exitCode behavior (was boolean, now optional integer)
  • Fixed unique temp dir generation in reporter tests (added PID to prevent race conditions under parallel test runners)

v5.0.5

Compare Source

v5.0.4

Compare Source

New Features
  • CLI alignment with jscpd v4: new --absolute, --ignore-case, --formats-exts, --formats-names flags; fixed --threshold, improved --max-size
  • Detection and statistics aligned with jscpd for consistent output across Rust and TypeScript versions
  • Side-by-side blame comparison in console-full reporter
  • Clone list display in console reporter
Bug Fixes
  • HTML reporter now outputs jscpd-report.html at the output_dir root
  • Resolved all clippy warnings across workspace
  • Fixed unique temp dir generation in tests (use as_nanos() instead of subsec_nanos())

v4.2.5

Compare Source

Bug Fixes
  • JSON reporter duplicate token countstokens was always reported as 0 in JSON output; now computed from token positions (end.position - start.position) (#​801).
  • Gitignore parent-directory walk.gitignore files in parent directories up to the repo root are now read and combined with scan-directory .gitignore files. Also reads .git/info/exclude and the global core.excludesFile for full parity with Git's ignore resolution (#​741).
  • Commander v15 migration — CLI option parsing migrated from direct property access (cli.minTokens, etc.) to the cli.opts() API required by Commander v8+. The --no-gitignore / --gitignore flag handling was rewritten to use Commander's native negation support instead of rawArgs inspection.
  • Vitest 4.1.0 — bumped from 3.2.4 to address CVE-2026-47429.
  • Commander v15 — bumped from v5 to v15, enabling modern Node.js compatibility.
  • Pug 3.0.4, node-sarif-builder 4.1.0, nodemon 3.1.14 — dependency bumps for security and compatibility.

v4.2.4

Compare Source

v4.2.3

Compare Source

v4.2.2

Compare Source

v4.2.1

Compare Source

v4.2.0

Compare Source

Breaking Changes
  • Vue SFC tokenization.vue files are no longer tokenized as markup. Each block is now dispatched to its own sub-format: <script>javascript, <script lang="ts">typescript, <template>markup, <style>css, <style lang="scss">scss, <style lang="less">less. Clone reports for .vue files now appear under these resolved sub-format names. Any tooling or configuration that relied on .vue clones being reported under markup must be updated.
  • --formatsExts users — custom mappings that pointed .vue to markup (e.g. "formatsExts": { "markup": ["vue"] }) will no longer take effect because .vue is handled by the dedicated vue format processor. Remove or update such mappings.
New Features
  • Custom tokenizer backend — replaced the prismjs npm package with a self-contained reprism-based grammar engine. ~11.5% faster tokenization on real projects (avg 1126 ms → 997 ms on a 548-file, 223-format scan).
  • Cross-format detection — Vue SFC (.vue), Svelte (.svelte), Astro (.astro), and Markdown files are now tokenized per-block/per-section. A <script> block in a .vue file can match a .ts file; a fenced code block in Markdown can match a .py file.
  • 223 supported formats — Apex, CFML/ColdFusion, GDScript, Svelte, Astro, and 70+ additional languages added (up from 152). See FORMATS.md.
  • Shebang detection — extensionless executable scripts (e.g. /usr/bin/env python3) are auto-detected by their #! shebang line and tokenized in the correct language.
  • --store-path — configure a custom directory for the LevelDB cache, eliminating collisions when multiple jscpd processes run in parallel on the same machine.
  • --skipComments — shorthand flag for --mode weak, which strips comments before detection.
  • --formats-names — map specific filenames (e.g. Makefile, Dockerfile) to a detection format.
Bug Fixes
  • Entire-file duplicates silently dropped (@jscpd/core #​728) — RabinKarp flushed the pending clone on a store hit at end-of-file instead of on a miss. Files that are complete copies of each other were undetected. Fixed.
  • ReDoS hang on Lisp/Elisp files (@jscpd/tokenizer #​737) — the Lisp string regex /"(?:[^"\\]*|\\.)*"/ could catastrophically backtrack (O(2ⁿ)) on unterminated strings. Replaced with a linear /"(?:[^"\\]|\\[\s\S])*"/ pattern.
  • Process crash on malformed package.json (#​739) — readJSONSync threw an unhandled SyntaxError when package.json contained invalid JSON, killing the process. Now emits a warning and continues with an empty config.
  • Vue SFC cross-file detection broken — the detector used the file-level format (vue) as the store namespace for all SFC blocks, preventing a <script> block in one .vue file from ever matching a <script> block in another. The namespace now reflects each block's resolved sub-format.
  • Vue SFC incorrect column numbers — tokens on the first line of a block carried block-relative column 1 instead of file-absolute column numbers. Fixed in @jscpd/tokenizer.
  • 50 dependency security vulnerabilities remediated across the monorepo (Dependabot batches).
Known Limitations
  • Malformed SFC blocks (e.g. unclosed tags, invalid attributes) are silently skipped and do not contribute tokens.

v4.1.1

Compare Source

v4.1.0

Compare Source

New Features
  • AI Reporter — new ai reporter that produces compact, token-efficient clone output specifically designed for feeding results into language models and AI tooling. Use --reporters ai to activate it.
  • MCP Server enhancements — the Model Context Protocol server now exposes a jscpd://statistics resource and supports a recheck endpoint so AI agents can trigger a rescan without restarting the process.
  • Apex & CFML language support — jscpd can now detect duplicate code in Salesforce Apex and ColdFusion Markup Language (CFML) files (closes #​83, #​619).
  • GDScript support — detect copy-paste duplication in Godot Engine GDScript files.
  • HTML reporter footer — the HTML report now displays a branded footer with the jscpd version and a sponsor link.
  • --noTips flag — suppress the usage-tip messages that appear after a detection run.
  • CI: Node.js 22.x / 24.x — continuous integration updated to test against the latest Node.js LTS and current releases.
Performance
  • Tokenizer — grammars are now loaded lazily, hot paths are O(n), and the spark-md5 dependency has been removed in favour of a lighter built-in implementation. Startup time and memory usage are noticeably reduced on large codebases.
  • Replaced the vendored reprism syntax library with the official prismjs npm package, shrinking the installed footprint.
Bug Fixes
  • Restored the correct start.line expectation for weak-mode clone detection.
yargs/yargs (yargs)

v18.0.0

Compare Source

⚠ BREAKING CHANGES
  • command names are not derived from modules passed to command.
  • singleton usage of yargs yargs.foo, yargs().argv, has been removed.
  • minimum node.js versions now ^20.19.0 || ^22.12.0 || >=23.
  • yargs is now ESM first
Features
Bug Fixes
  • addDirectory do not support absolute command dir (#​2465) (3a40a78)
  • allows ESM modules commands to be extensible using visit option (#​2468) (200e1aa)
  • browser: fix shims so that yargs continues working in browser context (#​2457) (4ae5f57)
  • build: address problems with typescript compilation (#​2445) (8d72fb3)
  • coerce should play well with parser configuration (#​2308) (8343c66)
  • deps: update dependency yargs-parser to v22 (#​2470) (639130d)
  • exit after async handler done (#​2313) (e326cde)
  • handle spaces in bash completion (#​2452) (83b7788)
  • parser-configuration should work well with generated completion script (#​2332) (888db19)
  • propagate Dictionary including undefined in value type (#​2393) (2b2f7f5)
  • zsh: completion no longer requires double tab when using autoloaded (0dd8fe4)
Code Refactoring
  • command names are not derived from modules passed to command. (d90af45)
  • singleton usage of yargs yargs.foo, yargs().argv, has been removed. (d90af45)
Build System
  • minimum node.js versions now ^20.19.0 || ^22.12.0 || &gt;=23. (d90af45)

v17.7.3

Compare Source

Bug Fixes
  • fix: use entry point with file extension for anything that supports exports (#​2514) (c7597e3)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 8am on saturday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Update one or more dependencies version label May 16, 2026
@coveralls

coveralls commented May 16, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Coverage Report for CI Build 26029144964

Coverage remained the same at 95.944%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

Coverage Stats

Coverage Status
Relevant Lines: 8974
Covered Lines: 8634
Line Coverage: 96.21%
Relevant Branches: 1011
Covered Branches: 946
Branch Coverage: 93.57%
Branches in Coverage %: Yes
Coverage Strength: 79.2 hits per line
💛 - Coveralls

@renovate renovate Bot force-pushed the renovate/major-deps-lib-major branch from 95e178e to 5455926 Compare May 18, 2026 10:55
@sonarqubecloud

sonarqubecloud Bot commented May 18, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@renovate renovate Bot force-pushed the renovate/major-deps-lib-major branch from 5455926 to d14f485 Compare May 28, 2026 16:50
@renovate renovate Bot changed the title chore(deps): update dependency yargs to v18 chore(deps): update deps:lib-major to v18 Jun 2, 2026
@renovate renovate Bot force-pushed the renovate/major-deps-lib-major branch from d14f485 to 255f287 Compare June 4, 2026 11:51
@renovate renovate Bot changed the title chore(deps): update deps:lib-major to v18 chore(deps): update deps:lib-major (major) Jun 4, 2026
@renovate renovate Bot force-pushed the renovate/major-deps-lib-major branch from 255f287 to 66509e2 Compare June 8, 2026 01:36
@renovate renovate Bot force-pushed the renovate/major-deps-lib-major branch from 66509e2 to e7509c3 Compare June 9, 2026 06:56
@renovate renovate Bot force-pushed the renovate/major-deps-lib-major branch from e7509c3 to 6dfb76e Compare June 15, 2026 07:02
@renovate renovate Bot force-pushed the renovate/major-deps-lib-major branch from 6dfb76e to bb1a425 Compare June 16, 2026 08:06
@renovate renovate Bot force-pushed the renovate/major-deps-lib-major branch from bb1a425 to dbe481c Compare June 17, 2026 18:44
@renovate renovate Bot force-pushed the renovate/major-deps-lib-major branch from dbe481c to c82485c Compare June 18, 2026 06:11
@renovate renovate Bot force-pushed the renovate/major-deps-lib-major branch from c82485c to 56dd830 Compare June 19, 2026 11:50
@renovate renovate Bot force-pushed the renovate/major-deps-lib-major branch from 56dd830 to 8c6e36f Compare June 20, 2026 09:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Update one or more dependencies version

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@coveralls