chore(deps): bump the npm_and_yarn group with 7 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates:

Package	From	To
@babel/traverse	7.16.3	7.26.9
axios	1.6.2	1.8.2
esbuild	0.24.2	0.25.0
vite	6.0.11	6.2.1
follow-redirects	1.15.4	1.15.9
serialize-javascript	6.0.1	6.0.2
ws	8.11.0	8.18.1

Updates @babel/traverse from 7.16.3 to 7.26.9

Release notes

Sourced from @​babel/traverse's releases.

v7.26.9 (2025-02-14)

🐛 Bug Fix

• babel-types
  • #17103 fix: Definition for TSPropertySignature.kind (@​liuxingbaoyu)
• babel-generator, babel-types
  • #17062 Print TypeScript optional/definite in ClassPrivateProperty (@​jamiebuilds-signal)

🏠 Internal

• babel-types
  • #17130 Use .ts files with explicit reexports to solve name conflicts (@​nicolo-ribaudo)
• babel-core
  • #17127 Do not depend on @types/gensync in Babel 7 (@​nicolo-ribaudo)

Committers: 5

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Jamie Kyle (@​jamiebuilds-signal)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu

v7.26.8 (2025-02-08)

🏠 Internal

• babel-preset-env
  • #17097 Update dependency babel-plugin-polyfill-corejs3 to ^0.11.0

v7.26.7 (2025-01-24)

Thanks @​branchseer and @​tquetano-netflix for your first PRs!

🐛 Bug Fix

• babel-helpers, babel-preset-env, babel-runtime-corejs3
  • #17086 Make "object without properties" helpers ES6-compatible (@​tquetano-netflix)
• babel-plugin-transform-typeof-symbol
  • #17085 fix: Correctly handle typeof in arrow functions (@​liuxingbaoyu)
• babel-parser
  • #17079 Respect ranges option in estree method value (@​JLHwung)
• babel-core
  • #17052 Do not try to parse .ts configs as JSON if natively supported (@​nicolo-ribaudo)
• babel-plugin-transform-typescript
  • #17050 fix: correctly resolve references to non-constant enum members (@​branchseer)
• babel-plugin-transform-typescript, babel-traverse, babel-types
  • #17025 fix: Remove type-only import x = y.z (@​liuxingbaoyu)

Committers: 6

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• Tony Quetano (@​tquetano-netflix)

... (truncated)

Changelog

Sourced from @​babel/traverse's changelog.

v7.26.9 (2025-02-14)

🐛 Bug Fix

• babel-types
  • #17103 fix: Definition for TSPropertySignature.kind (@​liuxingbaoyu)
• babel-generator, babel-types
  • #17062 Print TypeScript optional/definite in ClassPrivateProperty (@​jamiebuilds-signal)

🏠 Internal

• babel-types
  • #17130 Use .ts files with explicit reexports to solve name conflicts (@​nicolo-ribaudo)
• babel-core
  • #17127 Do not depend on @types/gensync in Babel 7 (@​nicolo-ribaudo)

v7.26.7 (2025-01-24)

🐛 Bug Fix

• babel-helpers, babel-preset-env, babel-runtime-corejs3
  • #17086 Make "object without properties" helpers ES6-compatible (@​tquetano-netflix)
• babel-plugin-transform-typeof-symbol
  • #17085 fix: Correctly handle typeof in arrow functions (@​liuxingbaoyu)
• babel-parser
  • #17079 Respect ranges option in estree method value (@​JLHwung)
• babel-core
  • #17052 Do not try to parse .ts configs as JSON if natively supported (@​nicolo-ribaudo)
• babel-plugin-transform-typescript
  • #17050 fix: correctly resolve references to non-constant enum members (@​branchseer)
• babel-plugin-transform-typescript, babel-traverse, babel-types
  • #17025 fix: Remove type-only import x = y.z (@​liuxingbaoyu)

v7.26.6 (2025-01-13)

🐛 Bug Fix

• babel-plugin-transform-nullish-coalescing-operator
  • #17061 fix: Chaining nullish coalescing operators output size regression (@​liuxingbaoyu)

v7.26.5 (2025-01-10)

👓 Spec Compliance

• babel-parser
  • #17011 Allow the dynamic import.defer() form of import defer (@​babel-bot)

🐛 Bug Fix

• babel-plugin-transform-block-scoped-functions
  • #17024 chore: Avoid calling isInStrictMode in Babel 7 (@​liuxingbaoyu)
• babel-plugin-transform-typescript
  • #17026 fix: Correctly generate exported const enums in namespace (@​liuxingbaoyu)
• babel-parser
  • #17045 [estree] Unify method type parameters handling (@​JLHwung)
  • #17013 fix: Correctly set position for @(a.b)() (@​liuxingbaoyu)
  • #16996 [estree] Adjust the start loc of class methods with type params (@​nicolo-ribaudo)
• babel-generator, babel-parser, babel-plugin-transform-flow-strip-types, babel-types

... (truncated)

Commits

• 64bca7b v7.26.9
• 4cf5c9e [babel 8] Use @babel/types for parser's return type (#17117)
• 5315446 [babel 8] Remove babel 7-specific imports (#17111)
• 0593941 v7.26.8
• e02b0ff [Babel 8] Create TSTemplateLiteralType (#17066)
• 2d95140 v7.26.7
• ad572fd fix: Remove type-only import x = y.z (#17025)
• 74181cf v7.26.5
• d35794e [Babel 8] Create TSEnumBody for TSEnumDeclaration (#16979)
• cd24cc0 chore: Update TS 5.7 (#17053)
• Additional commits viewable in compare view

Updates axios from 1.6.2 to 1.8.2

Release notes

Sourced from axios's releases.

Release v1.8.2

Release notes:

Bug Fixes

• http-adapter: add allowAbsoluteUrls to path building (#6810) (fb8eec2)

Contributors to this release

• Fasoro-Joseph Alexander

Release v1.8.1

Release notes:

Bug Fixes

• utils: move generateString to platform utils to avoid importing crypto module into client builds; (#6789) (36a5a62)

Contributors to this release

• Dmitriy Mozgovoy

Release v1.8.0

Release notes:

Bug Fixes

• examples: application crashed when navigating examples in browser (#5938) (1260ded)
• missing word in SUPPORT_QUESTION.yml (#6757) (1f890b1)
• utils: replace getRandomValues with crypto module (#6788) (23a25af)

Features

• Add config for ignoring absolute URLs (#5902) (#6192) (32c7bcc)

Reverts

• Revert "chore: expose fromDataToStream to be consumable (#6731)" (#6732) (1317261), closes #6731 #6732

BREAKING CHANGES

• code relying on the above will now combine the URLs instead of prefer request URL

• feat: add config option for allowing absolute URLs

• fix: add default value for allowAbsoluteUrls in buildFullPath

• fix: typo in flow control when setting allowAbsoluteUrls

Contributors to this release

... (truncated)

Changelog

Sourced from axios's changelog.

1.8.2 (2025-03-07)

Bug Fixes

• http-adapter: add allowAbsoluteUrls to path building (#6810) (fb8eec2)

Contributors to this release

• Fasoro-Joseph Alexander

1.8.1 (2025-02-26)

Bug Fixes

• utils: move generateString to platform utils to avoid importing crypto module into client builds; (#6789) (36a5a62)

Contributors to this release

• Dmitriy Mozgovoy

1.8.0 (2025-02-25)

Bug Fixes

• examples: application crashed when navigating examples in browser (#5938) (1260ded)
• missing word in SUPPORT_QUESTION.yml (#6757) (1f890b1)
• utils: replace getRandomValues with crypto module (#6788) (23a25af)

Features

• Add config for ignoring absolute URLs (#5902) (#6192) (32c7bcc)

Reverts

• Revert "chore: expose fromDataToStream to be consumable (#6731)" (#6732) (1317261), closes #6731 #6732

BREAKING CHANGES

• code relying on the above will now combine the URLs instead of prefer request URL

• feat: add config option for allowing absolute URLs

• fix: add default value for allowAbsoluteUrls in buildFullPath

... (truncated)

Commits

• a9f7689 chore(release): v1.8.2 (#6812)
• fb8eec2 fix(http-adapter): add allowAbsoluteUrls to path building (#6810)
• 9812045 chore(sponsor): update sponsor block (#6804)
• 72acf75 chore(sponsor): update sponsor block (#6794)
• 2e64afd chore(release): v1.8.1 (#6800)
• 36a5a62 fix(utils): move generateString to platform utils to avoid importing crypto...
• cceb7b1 chore(release): v1.8.0 (#6795)
• 23a25af fix(utils): replace getRandomValues with crypto module (#6788)
• 32c7bcc feat: Add config for ignoring absolute URLs (#5902) (#6192)
• 4a3e26c chore(config): adjust rollup config to preserve license header to minified Ja...
• Additional commits viewable in compare view

Updates esbuild from 0.24.2 to 0.25.0

Release notes

Sourced from esbuild's releases.

v0.25.0

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.24.0 or ~0.24.0. See npm's documentation about semver for more information.

• Restrict access to esbuild's development server (GHSA-67mh-4wv8-2f99)

  This change addresses esbuild's first security vulnerability report. Previously esbuild set the Access-Control-Allow-Origin header to * to allow esbuild's development server to be flexible in how it's used for development. However, this allows the websites you visit to make HTTP requests to esbuild's local development server, which gives read-only access to your source code if the website were to fetch your source code's specific URL. You can read more information in the report.

  Starting with this release, CORS will now be disabled, and requests will now be denied if the host does not match the one provided to --serve=. The default host is 0.0.0.0, which refers to all of the IP addresses that represent the local machine (e.g. both 127.0.0.1 and 192.168.0.1). If you want to customize anything about esbuild's development server, you can put a proxy in front of esbuild and modify the incoming and/or outgoing requests.

  In addition, the serve() API call has been changed to return an array of hosts instead of a single host string. This makes it possible to determine all of the hosts that esbuild's development server will accept.

  Thanks to @​sapphi-red for reporting this issue.

• Delete output files when a build fails in watch mode (#3643)

  It has been requested for esbuild to delete files when a build fails in watch mode. Previously esbuild left the old files in place, which could cause people to not immediately realize that the most recent build failed. With this release, esbuild will now delete all output files if a rebuild fails. Fixing the build error and triggering another rebuild will restore all output files again.

• Fix correctness issues with the CSS nesting transform (#3620, #3877, #3933, #3997, #4005, #4037, #4038)

  This release fixes the following problems:

  • Naive expansion of CSS nesting can result in an exponential blow-up of generated CSS if each nesting level has multiple selectors. Previously esbuild sometimes collapsed individual nesting levels using :is() to limit expansion. However, this collapsing wasn't correct in some cases, so it has been removed to fix correctness issues.

    /* Original code */
    .parent {
      > .a,
      > .b1 > .b2 {
        color: red;
      }
    }
    /* Old output (with --supported:nesting=false) */
    .parent > :is(.a, .b1 > .b2) {
    color: red;
    }
    /* New output (with --supported:nesting=false) */
    .parent > .a,
    .parent > .b1 > .b2 {
    color: red;
    }

    Thanks to @​tim-we for working on a fix.

  • The & CSS nesting selector can be repeated multiple times to increase CSS specificity. Previously esbuild ignored this possibility and incorrectly considered && to have the same specificity as &. With this release, this should now work correctly:

    /* Original code (color should be red) */

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2024

This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).

Commits

• e9174d6 publish 0.25.0 to npm
• c27dbeb fix hosts in plugin-tests.js
• 6794f60 fix hosts in node-unref-tests.js
• de85afd Merge commit from fork
• da1de1b fix #4065: bitwise operators can return bigints
• f4e9d19 switch case liveness: default is always last
• 7aa47c3 fix #4028: minify live/dead switch cases better
• 22ecd30 minify: more constant folding for strict equality
• 4cdf03c fix #4053: reordering of .tsx in node_modules
• dc71977 fix #3692: 0 now picks a random ephemeral port
• Additional commits viewable in compare view

Updates vite from 6.0.11 to 6.2.1

Release notes

Sourced from vite's releases.

create-vite@6.2.1

Please refer to CHANGELOG.md for details.

v6.2.1

Please refer to CHANGELOG.md for details.

create-vite@6.2.0

Please refer to CHANGELOG.md for details.

v6.2.0

Please refer to CHANGELOG.md for details.

v6.2.0-beta.1

Please refer to CHANGELOG.md for details.

v6.2.0-beta.0

Please refer to CHANGELOG.md for details.

create-vite@6.1.1

Please refer to CHANGELOG.md for details.

v6.1.1

Please refer to CHANGELOG.md for details.

create-vite@6.1.0

Please refer to CHANGELOG.md for details.

v6.1.0

Please refer to CHANGELOG.md for details.

v6.1.0-beta.2

Please refer to CHANGELOG.md for details.

v6.1.0-beta.1

Please refer to CHANGELOG.md for details.

v6.1.0-beta.0

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.2.1 (2025-03-07)

• refactor: remove isBuild check from preAliasPlugin (#19587) (c9e086d), closes #19587
• refactor: restore endsWith usage (#19554) (6113a96), closes #19554
• refactor: use applyToEnvironment in internal plugins (#19588) (f678442), closes #19588
• fix(css): stabilize css module hashes with lightningcss in dev mode (#19481) (92125b4), closes #19481
• fix(deps): update all non-major dependencies (#19555) (f612e0f), closes #19555
• fix(reporter): fix incorrect bundle size calculation with non-ASCII characters (#19561) (437c0ed), closes #19561
• fix(sourcemap): combine sourcemaps with multiple sources without matched source (#18971) (e3f6ae1), closes #18971
• fix(ssr): named export should overwrite export all (#19534) (2fd2fc1), closes #19534
• feat: add *?url&no-inline type and warning for .json?inline / .json?no-inline (#19566) (c0d3667), closes #19566
• test: add glob import test case (#19516) (aa1d807), closes #19516
• test: convert config playground to unit tests (#19568) (c0e68da), closes #19568
• test: convert resolve-config playground to unit tests (#19567) (db5fb48), closes #19567
• perf: flush compile cache after 10s (#19537) (6c8a5a2), closes #19537
• chore(css): move environment destructuring after condition check (#19492) (c9eda23), closes #19492
• chore(html): remove unnecessary value check (#19491) (797959f), closes #19491

6.2.0 (2025-02-25)

• fix(deps): update all non-major dependencies (#19501) (c94c9e0), closes #19501
• fix(worker): string interpolation in dynamic worker options (#19476) (07091a1), closes #19476
• chore: use unicode cross icon instead of x (#19497) (5c70296), closes #19497

6.2.0-beta.1 (2025-02-21)

• fix(css): temporary add ?. after this.getModuleInfo in vite:css-post (#19478) (12b0b8a), closes #19478

6.2.0-beta.0 (2025-02-21)

• feat: show mode on server start and add env debugger (#18808) (c575b82), closes #18808
• feat: use host url to open browser (#19414) (f6926ca), closes #19414
• feat(css): allow scoping css to importers exports (#19418) (3ebd838), closes #19418
• chore: bump esbuild to 0.25.0 (#19389) (73987f2), closes #19389

6.1.1 (2025-02-19)

• fix: ensure .[cm]?[tj]sx? static assets are JS mime (#19453) (e7ba55e), closes #19453
• fix: ignore *.ipv4 address in cert (#19416) (973283b), closes #19416
• fix(css): run rewrite plugin if postcss plugin exists (#19371) (bcdb51a), closes #19371
• fix(deps): bump tsconfck (#19375) (746a583), closes #19375
• fix(deps): update all non-major dependencies (#19392) (60456a5), closes #19392

... (truncated)

Commits

• d8461b5 release: v6.2.0
• c94c9e0 fix(deps): update all non-major dependencies (#19501)
• 5c70296 chore: use unicode cross icon instead of x (#19497)
• 07091a1 fix(worker): string interpolation in dynamic worker options (#19476)
• e01573a release: v6.2.0-beta.1
• 12b0b8a fix(css): temporary add ?. after this.getModuleInfo in vite:css-post (#...
• d686252 release: v6.2.0-beta.0
• 3ebd838 feat(css): allow scoping css to importers exports (#19418)
• f6926ca feat: use host url to open browser (#19414)
• c575b82 feat: show mode on server start and add env debugger (#18808)
• Additional commits viewable in compare view

Updates follow-redirects from 1.15.4 to 1.15.9

Commits

• e4e55c7 Release version 1.15.9 of the npm package.
• 31a1abf Attempt much more gentle detection.
• d2aaa97 Fix url field.
• 62558f0 Release version 1.15.8 of the npm package.
• a8d1cee Return subtlety.
• 458ca8e Fix native URL test for Node 20.
• ca49e44 Handle KeepAlive connections in tests.
• f3711d7 Test on Node 20 and 22.
• fda0faf Fix typo.
• 760757f Release version 1.15.7 of the npm package.
• Additional commits viewable in compare view

Updates serialize-javascript from 6.0.1 to 6.0.2

Release notes

Sourced from serialize-javascript's releases.

v6.0.2

• fix: serialize URL string contents to prevent XSS (#173) f27d65d
• Bump @​babel/traverse from 7.10.1 to 7.23.7 (#171) 02499c0
• docs: update readme with URL support (#146) 0d88527
• chore: update node version and lock file e2a3a91
• fix typo (#164) 5a1fa64

yahoo/serialize-javascript@v6.0.1...v6.0.2

Commits

• b71ec23 6.0.2
• f27d65d fix: serialize URL string contents to prevent XSS (#173)
• 02499c0 Bump @​babel/traverse from 7.10.1 to 7.23.7 (#171)
• 0d88527 docs: update readme with URL support (#146)
• e2a3a91 chore: update node version and lock file
• 5a1fa64 fix typo (#164)
• See full diff in compare view

Updates ws from 8.11.0 to 8.18.1

Release notes

Sourced from ws's releases.

8.18.1

Bug fixes

• The length of the UNIX domain socket paths in the tests has been shortened to make them work when run via CITGM (021f7b8b).

8.18.0

Features

• Added support for Blob (#2229).

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
</tr></table>

... (truncated)

Commits

• b92745a [dist] 8.18.1
• b3d9747 [doc] Fix nit
• 021f7b8 [test] Shorten the path lengths
• b9ca55b [pkg] Update eslint-config-prettier to version 10.0.1
• c798dd4 [doc] Fix typo (#2271)
• 6861472 [ci] Test on node 23
• 019f28f [minor] Improve JSDoc-inferred types (#2242)
• bfe1b2a [doc] Remove unnecessary period (#2240)
• f7dc469 [doc] Fix the type of the data argument
• 976c53c [dist] 8.18.0
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[tbouffard]

⚠️ As mentioned several times, this breaks the unit tests when coverage is enabled:

• #3285 (comment) (February 2025)
• #3273 (February 2025)
• #3254 (January 2025)
• #3170 (comment) (October 2024)
• #3166 (comment) (September 2024)
• #3165 (comment) (September 2024)
• #3151 (comment) (August 2024)
• #2933 (review) (October 2023)

As this is an update for transitive development dependencies, I suggest to ignore this update.
The dependencies which use this updated package should be in charge to do the update, not the bpmn-visualization build.

Important

The problem occurred also in #3278 which found a solution to fix it.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml