Bump minimatch and @docmd/live in /docmd #373

Merged
mgks merged 1 commit into master from dependabot/npm_and_yarn/docmd/multi-94b243a209
Feb 28, 2026

Conversation

@dependabot dependabot bot commented on behalf of github Feb 28, 2026

Bumps minimatch and @docmd/live. These dependencies needed to be updated together.
Updates minimatch from 5.1.6 to 5.1.9

Commits

Updates @docmd/live from 0.4.5 to 0.4.10

Release notes

Sourced from @docmd/live's releases.

docmd@0.4.10 🛠️ (Stability Fix)

Following our massive architectural overhaul in v0.4.8, we've spent this release hunting down edge cases, perfecting the Single Page Application (SPA) experience, and making our Markdown parser completely bulletproof.

🛠️ Bug Fixes & Improvements

SPA Router & Navigation:

  • Fix: Eliminated the "layout dragging" jitter that occurred when navigating to or from pages with heavy elements (like Mermaid diagrams). The router now briefly locks the layout height during DOM swaps for a perfectly stable, native-feeling transition.
  • Fix: Resolved 404 Not Found errors for Favicons and Theme CSS that occurred when the SPA navigated between different folder depths (e.g., from / to /content/syntax/).
  • Fix: Relative internal Markdown links (e.g., [link](https://github.com/docmd-io/docmd/blob/HEAD/file.md)) now resolve correctly. The parser now intelligently calculates depth traversal to account for docmd's "Clean URLs" folder structure. Fix #62.
  • Fix: Hash anchors in internal links (e.g., [link](https://github.com/docmd-io/docmd/blob/HEAD/file.md#section)) are now preserved correctly during the HTML build step.

Mermaid & Plugins:

  • Fix: Fixed a critical Mermaid.js crash (Could not find a suitable point for the given distance) that occurred when diagrams were placed inside hidden containers like Tabs or Collapsibles. docmd now uses an advanced in-memory SVG rendering queue that safely waits for the container to become visible before drawing.

Parser & UI:

  • Fix: Indented ::: button components inside nested containers (like Cards or Callouts) are no longer mistakenly parsed as <pre><code> blocks by standard Markdown rules.
  • Fix: The "Edit this page" link in the footer now accurately points to the original .md source file path rather than the generated .html output path.

📥 Upgrade

npm install -g @docmd/core

Full Changelog: docmd-io/docmd@0.4.9...0.4.10

docmd@0.4.9 🩹 (Security Patch)

v0.4.9 is a critical security and performance hotfix.

This release removes a vulnerable third-party dependency from the Live Editor and replaces it with a faster, native implementation.

🛡️ Security & Fixes

  • Security: Removed the serve dependency from the @docmd/live package, resolving multiple high-severity security warnings (CVE-related ReDoS vulnerabilities in serve-handler and ajv).
  • Performance: Replaced the third-party server with a lightweight, native Node.js HTTP server. The docmd live command is now faster to boot and significantly smaller to install.
  • Maintenance: Bumped all workspace packages to ensure version consistency across the monorepo.

Recommended Action: All users should update to v0.4.9 to clear security audit warnings in their CI/CD pipelines.

📥 Upgrade

npm install -g @docmd/core

Full Changelog: docmd-io/docmd@0.4.8...0.4.9

docmd@0.4.8 🚀 (Stability, UX & SPA Update)

... (truncated)

Commits
  • ec8eb17 Release 0.4.10
  • a519816 Added dependency vulnerability checkpoint
  • bc1cc94 Update pnpm-lock.yaml
  • f152a6b Improve Mermaid rendering and theme handling
  • eb6f523 Preserve hashes and convert .md links for subfolders
  • 38819d4 Improve SPA navigation and sidebar UX
  • f82fa4e Update live
  • a577bbb Pass isIndex to parser and fix editLink URL
  • 7b661d5 Bump 0.4.10
  • 8cd7a04 Update pnpm-lock.yaml
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [minimatch](https://github.com/isaacs/minimatch) and [@docmd/live](https://github.com/docmd-io/docmd). These dependencies needed to be updated together.

Updates `minimatch` from 5.1.6 to 5.1.9
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v5.1.6...v5.1.9)

Updates `@docmd/live` from 0.4.5 to 0.4.10
- [Release notes](https://github.com/docmd-io/docmd/releases)
- [Commits](docmd-io/docmd@0.4.5...0.4.10)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-version: 5.1.9
  dependency-type: indirect
- dependency-name: "@docmd/live"
  dependency-version: 0.4.10
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Feb 28, 2026
mgks merged commit dd530bc into master Feb 28, 2026
dependabot bot deleted the dependabot/npm_and_yarn/docmd/multi-94b243a209 branch February 28, 2026 05:13