Skip to content

Bump the javascript-dev group across 1 directory with 3 updates#518

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/javascript-dev-bf254ac2ab
Open

Bump the javascript-dev group across 1 directory with 3 updates#518
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/javascript-dev-bf254ac2ab

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 9, 2026

Copy link
Copy Markdown
Contributor

Bumps the javascript-dev group with 3 updates in the / directory: jscpd, less and webpack.

Updates jscpd from 4.2.4 to 4.2.5

Release notes

Sourced from jscpd's releases.

Release v4.2.5

Bug Fixes

  • JSON reporter duplicate token counts — was always reported as in JSON output; now computed from token positions () (#801).
  • Gitignore parent-directory walk — files in parent directories up to the repo root are now read and combined with scan-directory files. Also reads and the global for full parity with Git's ignore resolution (#741).
  • Commander v15 migration — CLI option parsing migrated from direct property access (, etc.) to the API required by Commander v8+. The / flag handling was rewritten to use Commander's native negation support instead of inspection.
  • Vitest 4.1.0 — bumped from 3.2.4 to address CVE-2026-47429.
  • Commander v15 — bumped from v5 to v15, enabling modern Node.js compatibility.
  • Pug 3.0.4, node-sarif-builder 4.1.0, nodemon 3.1.14 — dependency bumps for security and compatibility.
Changelog

Sourced from jscpd's changelog.

4.2.5 — 2026-06-07

Bug Fixes

  • JSON reporter duplicate token countstokens was always reported as 0 in JSON output; now computed from token positions (end.position - start.position) (#801).
  • Gitignore parent-directory walk.gitignore files in parent directories up to the repo root are now read and combined with scan-directory .gitignore files. Also reads .git/info/exclude and the global core.excludesFile for full parity with Git's ignore resolution (#741).
  • Commander v15 migration — CLI option parsing migrated from direct property access (cli.minTokens, etc.) to the cli.opts() API required by Commander v8+. The --no-gitignore / --gitignore flag handling was rewritten to use Commander's native negation support instead of rawArgs inspection.
  • Vitest 4.1.0 — bumped from 3.2.4 to address CVE-2026-47429.
  • Commander v15 — bumped from v5 to v15, enabling modern Node.js compatibility.
  • Pug 3.0.4, node-sarif-builder 4.1.0, nodemon 3.1.14 — dependency bumps for security and compatibility.

4.2.0 — 2026-05-14

Breaking Changes

  • Vue SFC tokenization.vue files are no longer tokenized as markup. Each block is now dispatched to its own sub-format: <script>javascript, <script lang="ts">typescript, \<template>markup, <style>css, <style lang="scss">scss, <style lang="less">less. Clone reports for .vue files now appear under these resolved sub-format names. Any tooling or configuration that relied on .vue clones being reported under markup must be updated.
  • --formatsExts users — custom mappings that pointed .vue to markup (e.g. "formatsExts": { "markup": ["vue"] }) will no longer take effect because .vue is handled by the dedicated vue format processor. Remove or update such mappings.

New Features

  • Custom tokenizer backend — replaced the prismjs npm package with a self-contained reprism-based grammar engine. ~11.5% faster tokenization on real projects (avg 1126 ms → 997 ms on a 548-file, 223-format scan).
  • Cross-format detection — Vue SFC (.vue), Svelte (.svelte), Astro (.astro), and Markdown files are now tokenized per-block/per-section. A <script> block in a .vue file can match a .ts file; a fenced code block in Markdown can match a .py file.
  • 223 supported formats — Apex, CFML/ColdFusion, GDScript, Svelte, Astro, and 70+ additional languages added (up from 152). See https://github.com/kucherenko/jscpd/blob/master/FORMATS.md.
  • Shebang detection — extensionless executable scripts (e.g. /usr/bin/env python3) are auto-detected by their #! shebang line and tokenized in the correct language.
  • --store-path — configure a custom directory for the LevelDB cache, eliminating collisions when multiple jscpd processes run in parallel on the same machine.
  • --skipComments — shorthand flag for --mode weak, which strips comments before detection.
  • --formats-names — map specific filenames (e.g. Makefile, Dockerfile) to a detection format.

Bug Fixes

  • Entire-file duplicates silently dropped (@jscpd/core #728) — RabinKarp flushed the pending clone on a store hit at end-of-file instead of on a miss. Files that are complete copies of each other were undetected. Fixed.
  • ReDoS hang on Lisp/Elisp files (@jscpd/tokenizer #737) — the Lisp string regex /"(?:[^"\\]*|\\.)*"/ could catastrophically backtrack (O(2ⁿ)) on unterminated strings. Replaced with a linear /"(?:[^"\\]|\\[\s\S])*"/ pattern.
  • Process crash on malformed package.json (#739) — readJSONSync threw an unhandled SyntaxError when package.json contained invalid JSON, killing the process. Now emits a warning and continues with an empty config.
  • Vue SFC cross-file detection broken — the detector used the file-level format (vue) as the store namespace for all SFC blocks, preventing a <script> block in one .vue file from ever matching a <script> block in another. The namespace now reflects each block's resolved sub-format.
  • Vue SFC incorrect column numbers — tokens on the first line of a block carried block-relative column 1 instead of file-absolute column numbers. Fixed in @jscpd/tokenizer.
  • 50 dependency security vulnerabilities remediated across the monorepo (Dependabot batches).

Known Limitations

  • Malformed SFC blocks (e.g. unclosed tags, invalid attributes) are silently skipped and do not contribute tokens.

4.1.0 — 2026-05-09

New Features

  • AI Reporter — new ai reporter that produces compact, token-efficient clone output specifically designed for feeding results into language models and AI tooling. Use --reporters ai to activate it.

... (truncated)

Commits

Updates less from 4.6.4 to 4.6.7

Release notes

Sourced from less's releases.

Release v4.6.7

Changes

See CHANGELOG.md for details.

Installation

npm install less@4.6.7

Release v4.6.6

Changes

See CHANGELOG.md for details.

Installation

npm install less@4.6.6

Release v4.6.5

Changes

See CHANGELOG.md for details.

Installation

npm install less@4.6.5
Changelog

Sourced from less's changelog.

v4.6.7 (2026-06-20)

Changes

  • #4457 Fix failing "Request Copilot review" CI job (@​app/copilot-swe-agent)
  • #4451 chore: release v4.6.6 (@​app/github-actions)

v4.6.6 (2026-06-14)

Changes

v4.6.5 (2026-06-13)

Bug Fixes

Maintenance

Commits

Updates webpack from 5.107.2 to 5.108.0

Release notes

Sourced from webpack's releases.

v5.108.0

Minor Changes

  • Treat top-level await and import.meta as ES module markers, matching Node.js syntax detection so no explicit module type is needed. (by @​alexander-akait in #21218)

  • Add a bun target that emits ESM and externalizes bun:* and node.js built-in modules. (by @​alexander-akait in #21248)

  • Support CommonJS reexports via Object.defineProperty value and getter descriptors. (by @​alexander-akait in #21129)

  • Support JSON Schema const when generating CLI flags from a schema. (by @​alexander-akait in #21087)

  • Support JSON Schema if/then/else when generating CLI flags from a schema. (by @​alexander-akait in #21087)

  • Skip import specifiers, require() and import() calls in dead conditional branches gated by inlined imported constants (isDEV ? A : B), evaluated via getCondition. (by @​hai-x in #21136)

  • CSS localIdentName [hash] now resolves to the local ident hash (matching css-loader); use [modulehash] for the module hash. (by @​alexander-akait in #21259)

  • Add CSS parser as option and resolve url() inside HTML style attributes. (by @​alexander-akait in #21157)

  • Add dedicated module classes for all built-in module types. (by @​alexander-akait in #21164)

  • Support .html/.css for the default ./src entry under the html/css experiments. (by @​alexander-akait in #21039)

  • Add defineConfig helper for typed configuration files. (by @​alexander-akait in #21169)

  • Add a deno target (with versions, e.g. deno, deno2, deno1.40) that emits ESM, resolves node.js built-ins via the required node: specifier, and keeps Deno's own import protocols (npm:, jsr:, node:, http(s)://) external. (by @​alexander-akait in #21247)

  • Use module-import for electron externals when the target supports ESM. (by @​alexander-akait in #21184)

  • Add output.environment.logicalAssignment to emit ||= in runtime code when the target supports logical assignment operators. (by @​bjohansebas in #21219)

  • Resolve and rewrite asset URLs inside <iframe srcdoc> in HTML modules. (by @​bjohansebas in #21226)

  • Add HMR support for HTML modules with body/title DOM patching on update. (by @​alexander-akait in #21011)

  • Add css-url html source type extracting url() references from CSS-valued attributes. (by @​alexander-akait in #21250)

  • Add module.parser.html.sources option to disable or customize URL-attribute extraction for HTML modules, with script / script-module / stylesheet / stylesheet-inline types for custom attributes (by @​alexander-akait in #21022)

  • Add module.parser.html.template option to transform HTML module source before parsing. (by @​alexander-akait in #21055)

  • Extract more source URLs in HTML modules (SVG, legacy and obsolete attributes). (by @​alexander-akait in #21241)

  • Inline export default <const> when the default-exported value is a primitive constant. (by @​hai-x in #21189)

  • Support optimization.inlineExports for better tree-shaking. (by @​hai-x in #20973)

  • Re-encode inline hash digests ([contenthash]/[chunkhash]/[fullhash]/[modulehash]) from the full content hash, so they carry full entropy and work under optimization.realContentHash and in dynamically-loaded chunk filenames; also preserve leading zero bytes in base-N digests. (by @​alexander-akait in #21267)

  • Allow tree-shaking unused calls to /*#__NO_SIDE_EFFECTS__*/-annotated (pure) exports across module boundaries. (by @​hai-x in #20907)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.108.0

Minor Changes

  • Treat top-level await and import.meta as ES module markers, matching Node.js syntax detection so no explicit module type is needed. (by @​alexander-akait in #21218)

  • Add a bun target that emits ESM and externalizes bun:* and node.js built-in modules. (by @​alexander-akait in #21248)

  • Support CommonJS reexports via Object.defineProperty value and getter descriptors. (by @​alexander-akait in #21129)

  • Support JSON Schema const when generating CLI flags from a schema. (by @​alexander-akait in #21087)

  • Support JSON Schema if/then/else when generating CLI flags from a schema. (by @​alexander-akait in #21087)

  • Skip import specifiers, require() and import() calls in dead conditional branches gated by inlined imported constants (isDEV ? A : B), evaluated via getCondition. (by @​hai-x in #21136)

  • CSS localIdentName [hash] now resolves to the local ident hash (matching css-loader); use [modulehash] for the module hash. (by @​alexander-akait in #21259)

  • Add CSS parser as option and resolve url() inside HTML style attributes. (by @​alexander-akait in #21157)

  • Add dedicated module classes for all built-in module types. (by @​alexander-akait in #21164)

  • Support .html/.css for the default ./src entry under the html/css experiments. (by @​alexander-akait in #21039)

  • Add defineConfig helper for typed configuration files. (by @​alexander-akait in #21169)

  • Add a deno target (with versions, e.g. deno, deno2, deno1.40) that emits ESM, resolves node.js built-ins via the required node: specifier, and keeps Deno's own import protocols (npm:, jsr:, node:, http(s)://) external. (by @​alexander-akait in #21247)

  • Use module-import for electron externals when the target supports ESM. (by @​alexander-akait in #21184)

  • Add output.environment.logicalAssignment to emit ||= in runtime code when the target supports logical assignment operators. (by @​bjohansebas in #21219)

  • Resolve and rewrite asset URLs inside <iframe srcdoc> in HTML modules. (by @​bjohansebas in #21226)

  • Add HMR support for HTML modules with body/title DOM patching on update. (by @​alexander-akait in #21011)

  • Add css-url html source type extracting url() references from CSS-valued attributes. (by @​alexander-akait in #21250)

  • Add module.parser.html.sources option to disable or customize URL-attribute extraction for HTML modules, with script / script-module / stylesheet / stylesheet-inline types for custom attributes (by @​alexander-akait in #21022)

  • Add module.parser.html.template option to transform HTML module source before parsing. (by @​alexander-akait in #21055)

  • Extract more source URLs in HTML modules (SVG, legacy and obsolete attributes). (by @​alexander-akait in #21241)

  • Inline export default <const> when the default-exported value is a primitive constant. (by @​hai-x in #21189)

  • Support optimization.inlineExports for better tree-shaking. (by @​hai-x in #20973)

  • Re-encode inline hash digests ([contenthash]/[chunkhash]/[fullhash]/[modulehash]) from the full content hash, so they carry full entropy and work under optimization.realContentHash and in dynamically-loaded chunk filenames; also preserve leading zero bytes in base-N digests. (by @​alexander-akait in #21267)

... (truncated)

Commits
  • 322b060 chore(release): new release (#21037)
  • 03a0433 test: run AbstractMethodError and parseJson unit tests under Bun (#21273)
  • e7202b4 chore(deps): bump the dependencies group with 3 updates (#21270)
  • 9a51ee1 fix(html): run the any-other-end-tag fallback for a marker-shielded nobr (#21...
  • a040ac1 test: cap Node jest worker memory and fix harness teardown leaks (#21268)
  • 7c81bde Re-encode inline hash digests ([contenthash]/[chunkhash]/[fullhash]/[moduleha...
  • eefaf44 feat: keep export mangling for modules whose namespace object escapes (#21234)
  • e8f9334 refactor: annotate constructor fields with @​type to improve type coverage (#2...
  • 99671f3 refactor(html): avoid regexp HTML parsing in dependencies; add <iframe srcdoc...
  • ef03f5e feat: inline const for default export (#21189)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the javascript-dev group with 3 updates in the / directory: [jscpd](https://github.com/kucherenko/jscpd/tree/HEAD/rust/jscpd), [less](https://github.com/less/less.js) and [webpack](https://github.com/webpack/webpack).


Updates `jscpd` from 4.2.4 to 4.2.5
- [Release notes](https://github.com/kucherenko/jscpd/releases)
- [Changelog](https://github.com/kucherenko/jscpd/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kucherenko/jscpd/commits/v4.2.5/rust/jscpd)

Updates `less` from 4.6.4 to 4.6.7
- [Release notes](https://github.com/less/less.js/releases)
- [Changelog](https://github.com/less/less.js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/less/less.js/commits/v4.6.7)

Updates `webpack` from 5.107.2 to 5.108.0
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.107.2...v5.108.0)

---
updated-dependencies:
- dependency-name: jscpd
  dependency-version: 4.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: javascript-dev
- dependency-name: less
  dependency-version: 4.6.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: javascript-dev
- dependency-name: webpack
  dependency-version: 5.108.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: javascript-dev
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants