chore(deps): bump the npm_and_yarn group across 5 directories with 21 updates

[dependabot]

Bumps the npm_and_yarn group with 18 updates in the / directory:

Package	From	To
lodash	4.17.21	4.18.1
minimatch	3.0.5	3.1.4
tar	6.2.1	7.5.15
@npmcli/arborist	7.5.4	9.5.0
@npmcli/run-script	8.1.0	10.0.4
libnpmpublish	9.0.9	11.1.3
npm-registry-fetch	17.1.0	19.1.1
pacote	18.0.6	21.5.0
libnpmaccess	8.0.6	10.0.3
@babel/plugin-transform-modules-systemjs	7.24.1	7.29.4
brace-expansion	1.1.11	5.0.6
axios	1.7.5	1.16.1
fast-uri	3.0.3	3.1.2
file-type	17.1.6	21.3.4
@swc/cli	0.3.12	0.8.1
flatted	3.3.1	3.4.2
picomatch	2.3.1	4.0.4
yaml	1.10.2	1.10.3

Bumps the npm_and_yarn group with 2 updates in the /packages/legacy-package-management directory: minimatch and tar.
Bumps the npm_and_yarn group with 2 updates in the /packages/legacy-structure/commands/create directory: minimatch and tar.
Bumps the npm_and_yarn group with 2 updates in the /packages/lerna directory: minimatch and tar.
Bumps the npm_and_yarn group with 1 update in the /website directory: webpack-dev-server.

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates minimatch from 3.0.5 to 3.1.4

Commits

• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• 9c31b2d update test expectations for coalesced consecutive stars
• 46fe687 coalesce consecutive non-globstar * characters
• 5a9ccbd [meta] update publishConfig.tag to legacy-v3
• Additional commits viewable in compare view

Updates tar from 6.2.1 to 7.5.15

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• 87cc309 7.5.15
• 7aef486 fix: regression in pending links detection
• 6244eb3 7.5.14
• 9704d8c stricter protection against hardlinks preempting their targets
• 700734f update workflows and deps
• d6611ae 7.5.13
• 119c401 fix(extract): prevent raced symlink writes outside cwd
• 2a294d3 7.5.12
• 01082a4 fix: reject top promise on floating addFilesAsync rejections
• dd1c36a linting
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates @npmcli/arborist from 7.5.4 to 9.5.0

Release notes

Sourced from @​npmcli/arborist's releases.

arborist: v9.5.0

9.5.0 (2026-05-06)

Features

• 20fb6a0 #9312 arborist: add lockfileString() for in-memory lockfile generation (@​ljharb)

Bug Fixes

• c3ea2cf #9315 arborist: clean up orphan top-level symlinks in linked strategy (#9315) (@​github-actions[bot], @​manzoorwanijk)
• 3298369 #9303 arborist: ignore hidden entries in global update (#9299) (@​Grynn)
• e19b349 #9301 prefer existing tree nodes for peerOptional deps (#9249) (#9283) (@​everett1992)
• e7805c3 #9254 arborist: propagate overrides through Link nodes to targets (#9198) (@​manzoorwanijk)

arborist: v9.4.3

9.4.3 (2026-04-22)

Bug Fixes

• 7cd45c6 #9253 arborist: handle npm link with install-strategy=linked (@​manzoorwanijk)
• 7e3a66e #9238 arborist: do not install inert optional extraneous shared dependencies (#9238) (@​github-actions[bot], @​lovell)
• cff9ce9 #9237 pass _isRoot context where missing (#9237) (@​github-actions[bot])

arborist: v9.4.2

9.4.2 (2026-03-18)

Bug Fixes

• 21ea382 #9110 arborist: resolve sibling override sets via common ancestor (#9110) (@​manzoorwanijk)
• 51365b1 #9107 arborist: update store symlinks when hash changes in linked strategy (#9107) (@​manzoorwanijk)
• 8e0a731 #9108 arborist: skip linked actual tree diff in package-lock-only mode (#9108) (@​manzoorwanijk)

arborist: v9.4.1

9.4.1 (2026-03-10)

Bug Fixes

• 5b7c0cc #9096 arborist: exclude store nodes from :root > * in linked strategy (#9096) (@​manzoorwanijk)
• 3b70a9d #9097 arborist: simplify rootDeclaredDeps initialization (#9097) (@​manzoorwanijk)
• c7702d0 #9094 arborist: fix non-idempotent linked install with workspace projects (#9094) (@​manzoorwanijk)
• 1a744b5 #9081 arborist: omit root dev deps in linked strategy when shared with workspaces (#9081) (@​manzoorwanijk)
• ff51827 #9076 arborist: do not hoist undeclared workspaces in linked strategy (#9076) (@​manzoorwanijk)
• 1206f8b #9069 consolidate isolated node/link attributes (#9069) (@​wraithgar)
• a774fb7 #9066 arborist: respect --omit flag in linked install strategy (#9066) (@​manzoorwanijk)
• 8614b2a #9031 arborist: avoid full reinstall on subsequent linked strategy runs (#9031) (@​manzoorwanijk)
• 16fbe13 #9030 resolve relative file: dependencies correctly with install-strategy=linked (#9030) (@​manzoorwanijk)
• 983742b #9055 isolated mode code cleanup (#9055) (@​wraithgar)
• a29aeee #9028 arborist: retry bin-links on Windows EPERM (#9028) (@​manzoorwanijk)
• 10d5302 #9051 arborist: unwrap Link nodes in legacyPeerDeps for linked strategy (#9051) (@​manzoorwanijk)
• 94bfef5 #9044 audit: exclude locally linked packages from vulnerability audit (#9044) (@​lucas-gomes-santana)
• 26fa40e #9041 fix workspace-filtered install with linked strategy (@​owlstronaut)

arborist: v9.4.0

9.4.0 (2026-02-25)

Features

• 4fcd352 #9017 add :type(registry) to query selector syntax (#9017) (@​wraithgar)

Bug Fixes

• 880ecb7 #9013 arborist: skip postinstall on store links in linked strategy (#9013) (@​manzoorwanijk)
• 07e6edd #9025 save libc field to package-lock.json (@​owlstronaut)
• a2154cd #8996 linked strategy fixes for scoped packages, aliases, and peer deps (#8996) (@​manzoorwanijk)

... (truncated)

Changelog

Sourced from @​npmcli/arborist's changelog.

9.5.0 (2023-02-14)

Features

• 79bfd03 #6153 audit signatures verifies attestations (@​feelepxyz)
• 5fc6473 add provenance attestation (@​bdehamer)

Bug Fixes

• 53f75a4 #6158 gracefully fallback from auth-type=web (#6158) (@​MylesBorins)
• ed59aae #6162 refactor error reporting in audit command (@​bdehamer)

Dependencies

• fad0473 minipass@4.0.3
• 678c6bf minimatch@6.2.0
• 9b4b366 ci-info@3.8.0
• d20ee2a pacote@15.1.0
• Workspace: libnpmpublish@7.1.0
• Workspace: libnpmteam@5.0.3

9.4.2 (2023-02-07)

Bug Fixes

• d02da52 #6142 revert install-links default back to false (#6142) (@​nlf)

Documentation

• 6ea2cd7 #6134 update references to OTP to be accurate (#6134) (@​MylesBorins)

Dependencies

• cb6713d #6143 rebuild package-lock (#6143)
• 8200f4f #6133 ignore-walk@6.0.1
• d43f881 map-workspaces@3.0.2
• 99457f1 minimatch@6.1.6
• f4c8c62 init-package-json@5.0.0
• 3c6615f npm-user-validate@2.0.0
• 10445ca remove mkdirp
• ab82492 node-gyp@9.3.1
• 74c5cbb minipass@4.0.2
• 1138038 make-fetch-happen@11.0.3
• c1ccfa1 glob@8.1.0
• 3dc17ce fs-minipass@3.0.1
• 5c84a99 ci-info@3.7.1
• fc5332f read@2.0.0
• Workspace: @npmcli/arborist@6.2.2
• Workspace: @npmcli/config@6.1.3
• Workspace: libnpmdiff@5.0.10

... (truncated)

Commits

• e7284b6 chore: release 9.4.2
• 66dd0d6 chore: template-oss@4.11.4 (#6144)
• d43f881 deps: map-workspaces@3.0.2
• 4bf4c22 chore(deps): nock@13.3.0
• 5bb0d15 chore(deps): tap@16.3.4
• 99457f1 deps: minimatch@6.1.6
• 4c5bd6e chore: lint and refactor arborist test setup fixtures
• 12ec7ee fix: remove unused package.json scripts
• bdf079d chore: release 9.4.1
• 721fe3f deps: read-package-json-fast@3.0.2
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by owlstronaut, a new releaser for @​npmcli/arborist since your current version.

Updates @npmcli/run-script from 8.1.0 to 10.0.4

Release notes

Sourced from @​npmcli/run-script's releases.

v10.0.4

10.0.4 (2026-02-26)

Bug Fixes

• eb64ee9 #259 show a warning when a delimiter is present in the path (@​MRagunandhan24)

Dependencies

• 891cddd #260 remove which (#260)

Chores

• cc71505 #259 template-oss-apply (@​owlstronaut)
• 47b11aa #258 postinstall for dependabot template-oss PR (@​npm-cli-bot)
• 525dd60 #258 bump @​npmcli/template-oss from 4.28.1 to 4.29.0 (@​dependabot[bot])

v10.0.3

10.0.3 (2025-11-13)

Dependencies

• 5d563f2 #253 bump node-gyp from 11.5.0 to 12.1.0 (#253) (@​dependabot[bot])
• 870617f #252 bump which from 5.0.0 to 6.0.0 (#252) (@​dependabot[bot])

Chores

• 459b0d4 #250 bump @​npmcli/template-oss from 4.27.1 to 4.28.0 (#250) (@​dependabot[bot], @​npm-cli-bot)

v10.0.2

10.0.2 (2025-10-24)

Dependencies

• 1709ff7 #247 bump @​npmcli/promise-spawn from 8.0.3 to 9.0.0 (#247) (@​dependabot[bot])

Chores

• 1ae56c0 #248 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#248) (@​dependabot[bot])

v10.0.1

10.0.1 (2025-10-23)

Dependencies

• 796de97 #245 bump @​npmcli/node-gyp from 4.0.0 to 5.0.0 (#245) (@​dependabot[bot])
• a35bc34 #244 bump proc-log from 5.0.0 to 6.0.0 (#244) (@​dependabot[bot])

Chores

• 7ce2c09 #243 bump @​npmcli/template-oss from 4.26.0 to 4.27.1 (#243) (@​dependabot[bot], @​npm-cli-bot)

v10.0.0

10.0.0 (2025-09-02)

⚠️ BREAKING CHANGES

• run-script now supports node ^20.17.0 || >=22.9.0

Bug Fixes

• e0eea71 #239 align to npm 11 node engine range (@​owlstronaut)

Dependencies

• fb8aed9 #239 @npmcli/package-json@7.0.0

Chores

• 795e49e #234 postinstall workflow updates (#234) (@​owlstronaut)
• 0d78e0c #236 bump @​npmcli/template-oss from 4.24.4 to 4.25.0 (#236) (@​dependabot[bot], @​npm-cli-bot)

v9.1.0

9.1.0 (2025-03-07)

Features

• 21694f2 #230 use nodeGyp option (#230) (@​wraithgar, @​legobeat)

... (truncated)

Changelog

Sourced from @​npmcli/run-script's changelog.

10.0.4 (2026-02-26)

Bug Fixes

• eb64ee9 #259 show a warning when a delimiter is present in the path (@​MRagunandhan24)

Dependencies

• 891cddd #260 remove which (#260)

Chores

• cc71505 #259 template-oss-apply (@​owlstronaut)
• 47b11aa #258 postinstall for dependabot template-oss PR (@​npm-cli-bot)
• 525dd60 #258 bump @​npmcli/template-oss from 4.28.1 to 4.29.0 (@​dependabot[bot])

10.0.3 (2025-11-13)

Dependencies

• 5d563f2 #253 bump node-gyp from 11.5.0 to 12.1.0 (#253) (@​dependabot[bot])
• 870617f #252 bump which from 5.0.0 to 6.0.0 (#252) (@​dependabot[bot])

Chores

• 459b0d4 #250 bump @​npmcli/template-oss from 4.27.1 to 4.28.0 (#250) (@​dependabot[bot], @​npm-cli-bot)

10.0.2 (2025-10-24)

Dependencies

• 1709ff7 #247 bump @​npmcli/promise-spawn from 8.0.3 to 9.0.0 (#247) (@​dependabot[bot])

Chores

• 1ae56c0 #248 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#248) (@​dependabot[bot])

10.0.1 (2025-10-23)

Dependencies

• 796de97 #245 bump @​npmcli/node-gyp from 4.0.0 to 5.0.0 (#245) (@​dependabot[bot])
• a35bc34 #244 bump proc-log from 5.0.0 to 6.0.0 (#244) (@​dependabot[bot])

Chores

• 7ce2c09 #243 bump @​npmcli/template-oss from 4.26.0 to 4.27.1 (#243) (@​dependabot[bot], @​npm-cli-bot)

10.0.0 (2025-09-02)

⚠️ BREAKING CHANGES

• run-script now supports node ^20.17.0 || >=22.9.0

Bug Fixes

• e0eea71 #239 align to npm 11 node engine range (@​owlstronaut)

Dependencies

• fb8aed9 #239 @npmcli/package-json@7.0.0

Chores

• 795e49e #234 postinstall workflow updates (#234) (@​owlstronaut)
• 0d78e0c #236 bump @​npmcli/template-oss from 4.24.4 to 4.25.0 (#236) (@​dependabot[bot], @​npm-cli-bot)

9.1.0 (2025-03-07)

Features

• 21694f2 #230 use nodeGyp option (#230) (@​wraithgar, @​legobeat)

Chores

• fea1ba3 #229 bump @​npmcli/template-oss from 4.23.4 to 4.23.5 (#229) (@​dependabot[bot], @​npm-cli-bot)

9.0.2 (2024-12-04)

Dependencies

• 74f7e7a #227 node-gyp@11.0.0 (#227)

... (truncated)

Commits

• 08ad35e chore: release 10.0.4 (#261)
• cc71505 chore: template-oss-apply
• eb64ee9 fix: show a warning when a delimiter is present in the path
• 47b11aa chore: postinstall for dependabot template-oss PR
• 525dd60 chore: bump @​npmcli/template-oss from 4.28.1 to 4.29.0
• 891cddd deps: remove which (#260)
• 2d9a829 chore: bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#255)
• 9c30731 chore: release 10.0.3 (#254)
• 5d563f2 deps: bump node-gyp from 11.5.0 to 12.1.0 (#253)
• 870617f deps: bump which from 5.0.0 to 6.0.0 (#252)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​npmcli/run-script since your current version.

Updates libnpmpublish from 9.0.9 to 11.1.3

Release notes

Sourced from libnpmpublish's releases.

libnpmpublish: v10.0.2

10.0.2 (2026-03-04)

Dependencies

• bdeabff #9056 ci-info@4.4.0

Chores

• 72cc7de #9056 template-oss@4.29.0 (@​wraithgar)
• 15e545b #8384 @npmcli/template-oss@4.24.4 (#8384) (@​wraithgar)
• fb5a9f2 #8378 @npmcli/template-oss@4.24.3 (@​wraithgar)

Changelog

Sourced from libnpmpublish's changelog.

11.1.3 (2025-11-19)

Dependencies

• 8cc9f70 #8723 ssri@13.0.0
• 05ac7a7 #8723 proc-log@6.0.0

11.1.2 (2025-10-08)

Dependencies

• fa7cc6f #8662 ci-info@4.3.1 (#8662)
• b05461b #8663 @sigstore/sign@4.0.1 (#8663)

Chores

• 5e0909b #8620 fix spelling in workspaces (#8620) (@​jsoref)

11.1.1 (2025-09-23)

Dependencies

• bf6b686 #8576 npm-package-arg@13.0.0
• a2bdecc #8576 sigstore@4.0.0
• 1149971 #8576 npm-registry-fetch@19.0.0
• ceae674 #8576 @npmcli/package-json@7.0.1

Chores

• 402a0ab #8576 @npmcli/template-oss@4.25.1 (@​wraithgar)

11.1.0 (2025-07-24)

Features

• 1cce318 #8336 adds support for oidc publish (#8336) (@​reggi)

Chores

• 3f60b5f #8383 @npmcli/template-oss@4.24.4 (#8383) (@​wraithgar)
• 01f8cc6 #8381 @npmcli/template-oss@4.24.3 (#8381) (@​wraithgar)

11.0.1 (2025-06-11)

Bug Fixes

• 71cb65b #8317 libnpmpublish: Remove dependence on deprecated library (@​owlstronaut)

Dependencies

• dda6f87 #8317 @npmcli/package-json@6.2.0
• bc08ac7 #8317 remove normalize-package-data

11.0.0 (2024-12-16)

Features

• a7bfc6d #7972 trigger release process (#7972) (@​wraithgar)

Chores

• a07f4e0 #7976 @npmcli/template-oss@4.23.6 (@​wraithgar)

11.0.0-pre.0 (2024-11-26)

⚠️ BREAKING CHANGES

• Attestations made by ...

  Description has been truncated

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.