Skip to content

Bump the npm_and_yarn group across 1 directory with 16 updates#2

Open
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/npm_and_yarn-237181ec8a
Open

Bump the npm_and_yarn group across 1 directory with 16 updates#2
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/npm_and_yarn-237181ec8a

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 9, 2026

Copy link
Copy Markdown

Bumps the npm_and_yarn group with 16 updates in the / directory:

Package From To
@sentry/browser 7.51.2 7.119.1
lodash 4.17.21 4.18.1
qs 6.11.1 6.14.2
swiper 8.3.2 12.1.2
postcss 8.4.23 8.5.10
webpack 5.88.2 5.104.1
@adobe/css-tools 4.3.1 4.4.4
@babel/plugin-transform-modules-systemjs 7.22.11 7.29.4
@babel/runtime 7.22.11 7.29.2
braces 3.0.2 3.0.3
flatted 3.2.7 3.4.2
immutable 4.3.4 4.3.8
js-yaml 4.1.0 4.1.1
path-to-regexp 1.8.0 1.9.0
picomatch 2.3.1 2.3.2
ws 7.5.9 7.5.10

Updates @sentry/browser from 7.51.2 to 7.119.1

Changelog

Sourced from @​sentry/browser's changelog.

7.119.1

  • fix(browser/v7): Ensure wrap() only returns functions (#13838 backport)

Work in this release contributed by @​legobeat. Thank you for your contribution!

7.119.0

  • backport(tracing): Report dropped spans for transactions (#13343)

7.118.0

  • fix(v7/bundle): Ensure CDN bundles do not overwrite window.Sentry (#12579)

7.117.0

  • feat(browser/v7): Publish browserprofling CDN bundle (#12224)
  • fix(v7/publish): Add v7 tag to @sentry/replay (#12304)

7.116.0

  • build(craft): Publish lambda layer under its own name for v7 (#12098) (#12099)

This release publishes a new AWS Lambda layer under the name SentryNodeServerlessSDKv7 that users still running v7 can use instead of pinning themselves to SentryNodeServerlessSDK:235.

7.115.0

  • feat(v7): Add support for global onUnhandled Error/Promise for Bun (#11959)
  • fix(replay/v7): Fix user activity not being updated in start() (#12003)
  • ref(api): Remove lastEventId deprecation warnings (#12042)

7.114.0

Important Changes

  • fix(browser/v7): Continuously record CLS (#11935)

This release fixes a bug that caused the cumulative layout shift (CLS) web vital not to be reported in a majority of the cases where it should have been reported. With this change, the CLS web vital should now always be reported for pageloads with layout shift. If a pageload did not have layout shift, no CLS web vital should be reported.

Please note that upgrading the SDK to this version may cause data in your dashboards to drastically change.

Other Changes

  • build(aws-lambda/v7): Turn off lambda layer publishing (#11875)
  • feat(v7): Add tunnel support to multiplexed transport (#11851)
  • fix(opentelemetry-node): support HTTP_REQUEST_METHOD attribute (#11929)
  • fix(react/v7): Fix react router v4/v5 span names (#11940)

... (truncated)

Commits

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates qs from 6.11.1 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLengtharrayLimit)
  • [actions] fix rebase workflow permissions

6.14.1

  • [Fix] ensure arrayLimit applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

  • [New] parse: add throwOnParameterLimitExceeded option (#517)
  • [Refactor] parse: use utils.combine more
  • [patch] parse: add explicit throwOnLimitExceeded default
  • [actions] use shared action; re-add finishers
  • [meta] Fix changelog formatting bug
  • [Deps] update side-channel
  • [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
  • [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

  • [Robustness] avoid .push, use void
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [actions] fix rebase workflow permissions

6.13.1

  • [Fix] stringify: avoid a crash when a filter key is null
  • [Fix] utils.merge: functions should not be stringified into keys
  • [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
  • [Fix] stringify: ensure a non-string filter does not crash
  • [Refactor] use __proto__ syntax instead of Object.create for null objects
  • [Refactor] misc cleanup

... (truncated)

Commits
  • bdcf0c7 v6.14.2
  • 294db90 [readme] document that addQueryPrefix does not add ? to empty output
  • 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
  • 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
  • cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
  • febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
  • f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
  • fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
  • 1b9a8b4 [actions] fix rebase workflow permissions
  • 2a35775 [meta] fix changelog typo (arrayLengtharrayLimit)
  • Additional commits viewable in compare view

Updates swiper from 8.3.2 to 12.1.2

Release notes

Sourced from swiper's releases.

v12.1.2

No release notes provided.

v12.1.1

Bug Fixes

  • a11y: fix focus in virtual mode enabled (3055008), closes #8147
  • core: avoid double-subtracting offsets in centerInsufficientSlides (#8158) (60b0052)
  • core: prevent duplicate module initialization in constructor (#8155) (#8156) (07738a2)
  • types: support boolean as a11y value (#8157) (6bf76d5)

v12.1.0

Bug Fixes

  • autoplay: broken custom delay percentages with pause/resume (#8133) (0afecde)
  • core: Don't use data-swiper-slide-index for realIndex when virtual module is enabled (#8142) (bd957f8)
  • core: Escape all CSS selector special characters (d35f41a), closes #8135
  • core: support slidesOffsetBefore and slidesOffsetAfert in cssMode (45b98d0), closes #7926
  • fix lazy preloader removal error in react in vue (332f5c7), closes #8149
  • thumbs: update slide classes on virtual swiper update (#8141) (9752771)
  • types: Add autoScroll to thumbs.update type signature (#8146) (5d91e6e)
  • zoom: initialize gesture state after programmatic zoom (#8112) (71e9511)

Features

  • keyboard: add support for custom speed parameter in keyboard navigation (#8148) (7a4a0e5)
  • new snapToSlideEdge parameter (de3131f), closes #8021 #4780

v12.0.3

Bug Fixes

  • element: fixed reference to nav arrows SVG (0b17ecf), closes #8115

Features

  • core: add 'getRotateFix' export to effect utils (c97ae5d), closes #8114

v12.0.2

Features

  • navigation: add styles for when buttons set before slider (4588c57), closes #8085
  • navigation: new addIcons parameter to add SVG icons to nav buttons (b955b0c), closes #8088 #8087

v12.0.1

Bug Fixes

  • navigation: tweak nav styles when adjacent (98440d9)

v12.0.0

Bug Fixes

... (truncated)

Changelog

Sourced from swiper's changelog.

Changelog

12.1.4 (2026-04-29)

Bug Fixes

  • remove redundant aria-disabled=false from swiper nav button (#8176) (6730929)

Features

  • package: add TS declarations for CSS files (ea3081b), closes #8055
  • react: expose isFullyVisible in SwiperSlide render props (#8175) (3af0002)

12.1.3 (2026-03-24)

Bug Fixes

  • core: use virtual slides count in onResize when virtual mode is enabled (#8163) (4400083)
  • grid: round down slidesPerView before calculating number of slides (#8172) (49a55ab)

Features

  • element: add navigation button slots (cc82241)

12.1.1 (2026-02-13)

Bug Fixes

  • a11y: fix focus in virtual mode enabled (3055008), closes #8147
  • core: avoid double-subtracting offsets in centerInsufficientSlides (#8158) (60b0052)
  • core: prevent duplicate module initialization in constructor (#8155) (#8156) (07738a2)
  • types: support boolean as a11y value (#8157) (6bf76d5)

12.1.0 (2026-01-28)

Bug Fixes

  • autoplay: broken custom delay percentages with pause/resume (#8133) (0afecde)
  • core: Don't use data-swiper-slide-index for realIndex when virtual module is enabled (#8142) (bd957f8)
  • core: Escape all CSS selector special characters (d35f41a), closes #8135
  • core: support slidesOffsetBefore and slidesOffsetAfert in cssMode (45b98d0), closes #7926
  • fix lazy preloader removal error in react in vue (332f5c7), closes #8149
  • thumbs: update slide classes on virtual swiper update (#8141) (9752771)
  • types: Add autoScroll to thumbs.update type signature (#8146) (5d91e6e)
  • zoom: initialize gesture state after programmatic zoom (#8112) (71e9511)

Features

  • keyboard: add support for custom speed parameter in keyboard navigation (#8148) (7a4a0e5)
  • new snapToSlideEdge parameter (de3131f), closes #8021 #4780

... (truncated)

Commits
  • 2fd88b7 12.1.2
  • d3e6633 fix prototype pollution bypass in extend() util
  • 70c48c1 12.1.1
  • 3055008 fix(a11y): fix focus in virtual mode enabled
  • 60b0052 fix(core): avoid double-subtracting offsets in centerInsufficientSlides (#8158)
  • 6bf76d5 fix(types): support boolean as a11y value (#8157)
  • 07738a2 fix(core): prevent duplicate module initialization in constructor (#8155) (#8...
  • 3a1777a 12.1.0
  • 3bc6cfe 12.1.0
  • 45b98d0 fix(core): support slidesOffsetBefore and slidesOffsetAfert in cssMode
  • Additional commits viewable in compare view

Updates postcss from 8.4.23 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

  • Fixed package.jsonexports compatibility with some tools (by @​JounQin).

8.5.4

8.5.3

8.5.2

8.5.1

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@​romainmenke during his work on Stylelint added Input#document in additional to Input#css.

root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"
</tr></table>

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

  • Fixed package.jsonexports compatibility with some tools (by @​JounQin).

8.5.4

8.5.3

8.5.2

8.5.1

8.5 “Duke Alloces”

  • Added Input#document for sources like CSS-in-JS or HTML (by @​romainmenke).

8.4.49

... (truncated)

Commits

Updates webpack from 5.88.2 to 5.104.1

Release notes

Sourced from webpack's releases.

v5.104.1

5.104.1

Patch Changes

  • 2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.
  • c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

v5.104.0

5.104.0

Minor Changes

  • d3dd841: Use method shorthand to render module content in __webpack_modules__ object.
  • d3dd841: Enhance import.meta.env to support object access.
  • 4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.
  • 04cd530: Handle more at-rules for CSS modules.
  • cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.
  • d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.
  • 5983843: Provide a stable runtime function variable __webpack_global__.
  • d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

  • 22c48fb: Added module existence check for informative error message in development mode.
  • 50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.
  • d3dd841: Support universal lazy compilation.
  • d3dd841: Fixed module library export definitions when multiple runtimes.
  • d3dd841: Fixed CSS nesting and CSS custom properties parsing.
  • d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.
  • aab1da9: Fixed bugs for css/global type.
  • d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.
  • d3dd841: Handle nested __webpack_require__.
  • 728ddb7: The speed of identifier parsing has been improved.
  • 0f8b31b: Improve types.
  • d3dd841: Don't corrupt debugId injection when hidden-source-map is used.
  • 2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.
  • d3dd841: Serialize HookWebpackError.
  • d3dd841: Added ability to use built-in properties in dotenv and define plugin.
  • 3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.
  • d3dd841: Reduce collision for local indent name in CSS.
  • d3dd841: Remove CSS link tags when CSS imports are removed.

v5.103.0

Features

  • Added DotenvPlugin and top level dotenv option to enable this plugin
  • Added WebpackManifestPlugin
  • Added support the ignoreList option in devtool plugins
  • Allow to use custom javascript parse function

... (truncated)

Changelog

Sourced from webpack's changelog.

5.104.1

Patch Changes

  • 2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.
  • c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

5.104.0

Minor Changes

  • d3dd841: Use method shorthand to render module content in __webpack_modules__ object.
  • d3dd841: Enhance import.meta.env to support object access.
  • 4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.
  • 04cd530: Handle more at-rules for CSS modules.
  • cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.
  • d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.
  • 5983843: Provide a stable runtime function variable __webpack_global__.
  • d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

  • 22c48fb: Added module existence check for informative error message in development mode.
  • 50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.
  • d3dd841: Support universal lazy compilation.
  • d3dd841: Fixed module library export definitions when multiple runtimes.
  • d3dd841: Fixed CSS nesting and CSS custom properties parsing.
  • d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.
  • aab1da9: Fixed bugs for css/global type.
  • d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.
  • d3dd841: Handle nested __webpack_require__.
  • 728ddb7: The speed of identifier parsing has been improved.
  • 0f8b31b: Improve types.
  • d3dd841: Don't corrupt debugId injection when hidden-source-map is used.
  • 2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.
  • d3dd841: Serialize HookWebpackError.
  • d3dd841: Added ability to use built-in properties in dotenv and define plugin.
  • 3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.
  • d3dd841: Reduce collision for local indent name in CSS.
  • d3dd841: Remove CSS link tags when CSS imports are removed.
Commits
  • 24e3c2d chore(release): new release (#20253)
  • 2efd21b fix(re-exports): reexports runtime calculation should not accessing `__WEBPAC...
  • c510070 fix(security): userinfo bypass vulnerability in HttpUriPlugin allowedUris
  • 4b0501c ci: fix release (#20252)
  • 0c213ce ci: use \<@&1450591255485743204> over @here for discord notificationw
  • 5bf8bc5 refactor: types for benchmarks and tests
  • 505a5e7 chore(release): new release (#20188)
  • 0c06680 refactor: update eslint configuration
  • 2eb0d6a ci: release announcement (#20238)
  • b2b2459 ci: cancel in progress (#20239)
  • Additional commits viewable in compare view
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates @adobe/css-tools from 4.3.1 to 4.4.4

Changelog

Sourced from @​adobe/css-tools's changelog.

[4.4.4] - 2025-07-22

Changed

  • Switch from yarn to npm for package management
  • Switch from eslint to biome for code formatting and linting
  • Reformat codebase to comply with biome recommendations
  • Switch from webpack to rollup for bundling

Fixed

  • Fix module exports to ensure proper compatibility with bundlers
  • Add validation check to prevent future export issues

[4.4.3] - 2025-05-15

Security

  • Fix polynomial regular expression vulnerability on uncontrolled data
  • Refactor code to enable GitHub security static analysis

Performance

  • Improve parsing performance with minor optimizations
  • Replace regex patterns with string search (indexOf-based) for better performance

Added

  • Add new utility functions with comprehensive unit tests
  • Add improved formatting for CSS Grid template areas (#283 by @​jogibear9988)

Fixed

  • Fix TypeScript error with ConstructorParameters in Parcel bundler (#444)

[4.4.2] - 2025-02-12

Fixed

  • Fix regular expression for parsing quoted values in parentheses

[4.4.0] - 2024-06-05

Added

  • Add support for CSS @starting-style at-rule (#319)

[4.3.3] - 2024-01-24

Changed

  • Update package export configuration (#271)

[4.3.2] - 2023-11-28

Security

Fixed

... (truncated)

Commits

Updates @babel/plugin-transform-modules-systemjs from 7.22.11 to 7.29.4

Release notes

Sourced from @​babel/plugin-transform-modules-systemjs's releases.

v7.29.4 (2026-05-05)

🐛 Bug Fix

  • babel-plugin-transform-modules-systemjs
    • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

v7.29.3 (2026-04-30)

👓 Spec Compliance

🐛 Bug Fix

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
    • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
  • babel-register
  • babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env

💅 Polish

📝 Documentation

🏃‍♀️ Performance

  • babel-helper-import-to-platform-api, babel-plugin-proposal-import-wasm-source, babel-plugin-transform-json-modules

Committers: 4

v7.29.2 (2026-03-16)

👓 Spec Compliance

  • babel-parser

🐛 Bug Fix

  • babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • babel-preset-env

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​babel/plugin-transform-modules-systemjs since your current version.


Updates @babel/runtime from 7.22.11 to 7.29.2

Release notes

Sourced from @​babel/runtime's releases.

v7.29.2 (2026-03-16)

👓 Spec Compliance

  • babel-parser

🐛 Bug Fix

  • babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • babel-preset-env
    • #17789 [7.x backport] preset-env include/exclude should accept bugfix plugins (@​JLHwung)

🏠 Internal

Committers: 2

v7.29.1 (2026-02-04)

🐛 Bug Fix

Committers: 2

  • Huáng Jùnliàng (

Bumps the npm_and_yarn group with 16 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@sentry/browser](https://github.com/getsentry/sentry-javascript) | `7.51.2` | `7.119.1` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` |
| [qs](https://github.com/ljharb/qs) | `6.11.1` | `6.14.2` |
| [swiper](https://github.com/nolimits4web/Swiper) | `8.3.2` | `12.1.2` |
| [postcss](https://github.com/postcss/postcss) | `8.4.23` | `8.5.10` |
| [webpack](https://github.com/webpack/webpack) | `5.88.2` | `5.104.1` |
| [@adobe/css-tools](https://github.com/adobe/css-tools) | `4.3.1` | `4.4.4` |
| [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs) | `7.22.11` | `7.29.4` |
| [@babel/runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-runtime) | `7.22.11` | `7.29.2` |
| [braces](https://github.com/micromatch/braces) | `3.0.2` | `3.0.3` |
| [flatted](https://github.com/WebReflection/flatted) | `3.2.7` | `3.4.2` |
| [immutable](https://github.com/immutable-js/immutable-js) | `4.3.4` | `4.3.8` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` |
| [path-to-regexp](https://github.com/pillarjs/path-to-regexp) | `1.8.0` | `1.9.0` |
| [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` |
| [ws](https://github.com/websockets/ws) | `7.5.9` | `7.5.10` |



Updates `@sentry/browser` from 7.51.2 to 7.119.1
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/7.119.1/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@7.51.2...7.119.1)

Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `qs` from 6.11.1 to 6.14.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.11.1...v6.14.2)

Updates `swiper` from 8.3.2 to 12.1.2
- [Release notes](https://github.com/nolimits4web/Swiper/releases)
- [Changelog](https://github.com/nolimits4web/swiper/blob/master/CHANGELOG.md)
- [Commits](nolimits4web/swiper@v8.3.2...v12.1.2)

Updates `postcss` from 8.4.23 to 8.5.10
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.4.23...8.5.10)

Updates `webpack` from 5.88.2 to 5.104.1
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.88.2...v5.104.1)

Updates `@adobe/css-tools` from 4.3.1 to 4.4.4
- [Changelog](https://github.com/adobe/css-tools/blob/main/docs/CHANGELOG.md)
- [Commits](https://github.com/adobe/css-tools/commits)

Updates `@babel/plugin-transform-modules-systemjs` from 7.22.11 to 7.29.4
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.4/packages/babel-plugin-transform-modules-systemjs)

Updates `@babel/runtime` from 7.22.11 to 7.29.2
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.2/packages/babel-runtime)

Updates `braces` from 3.0.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

Updates `flatted` from 3.2.7 to 3.4.2
- [Commits](WebReflection/flatted@v3.2.7...v3.4.2)

Updates `immutable` from 4.3.4 to 4.3.8
- [Release notes](https://github.com/immutable-js/immutable-js/releases)
- [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md)
- [Commits](immutable-js/immutable-js@v4.3.4...v4.3.8)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `path-to-regexp` from 1.8.0 to 1.9.0
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](pillarjs/path-to-regexp@v1.8.0...v1.9.0)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `ws` from 7.5.9 to 7.5.10
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@7.5.9...7.5.10)

---
updated-dependencies:
- dependency-name: "@sentry/browser"
  dependency-version: 7.119.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.14.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: swiper
  dependency-version: 12.1.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.10
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: webpack
  dependency-version: 5.104.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@adobe/css-tools"
  dependency-version: 4.4.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@babel/plugin-transform-modules-systemjs"
  dependency-version: 7.29.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@babel/runtime"
  dependency-version: 7.29.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-version: 3.0.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: immutable
  dependency-version: 4.3.8
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: path-to-regexp
  dependency-version: 1.9.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 7.5.10
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Area: UI dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants