Skip to content

chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates#436

Merged
mpaulosky merged 6 commits into
devfrom
dependabot/npm_and_yarn/src/Web/npm_and_yarn-4a95add1bb
Jul 7, 2026
Merged

chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates#436
mpaulosky merged 6 commits into
devfrom
dependabot/npm_and_yarn/src/Web/npm_and_yarn-4a95add1bb

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 4, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 1 update in the /src/Web directory: js-yaml.

Updates js-yaml from 4.1.1 to 5.2.0

Changelog

Sourced from js-yaml's changelog.

[5.2.0] - 2026-06-26

Added

  • Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.
  • Added maxAliases (-1) loader option to limit the number of YAML aliases per document.

Removed

  • maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

Fixed

  • Round-trip of integers with exponential form (>= 1e21)

[5.1.0] - 2026-06-23

Added

  • Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

  • [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

  • Added named exports for schemas, tags, parser events and AST utilities.
  • Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
  • Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
  • Added dump() transform option for changing the generated AST before rendering.
  • Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
  • Added formal data layers (events and AST) for modular data pipelines.
    • Added low-level parser (to events), presenter and visitor APIs.
  • Added the YAML Test Suite to the test set.

Changed

  • See the migration guide for upgrade notes.
  • Rewritten in TypeScript and reorganized the public API around flat named exports.
  • Reduced the set of exported schemas:
    • YAML 1.2 schemas: CORE_SCHEMA (loader default), JSON_SCHEMA, FAILSAFE_SCHEMA.
    • YAML11_SCHEMA, a combination of all YAML 1.1 tags (YAML 1.1 does not specify a schema, only "types").

... (truncated)

Commits
  • c28ed5e 5.2.0 released
  • 125cd5a Add maxAliases option
  • 3105455 Replace maxMergeSeqLengthoption with maxTotalMergeKeys (more robust)
  • 39d00d6 numbers: Drop boxed numbers support, simplify .identify() checks, clarify rou...
  • eb5cb5b fix: round-trip integers that stringify in exponential notation (#771)
  • 89024c4 Update migration info, close #770
  • f1e45cd 5.1.0 released
  • 53b22be Fix constructor coverage
  • a1eaa2b Fix quote style options and restore forceQuotes
  • 0532e7d Add finalizers for immutable collection tags
  • Additional commits viewable in compare view

Updates markdown-it from 14.1.1 to 14.2.0

Changelog

Sourced from markdown-it's changelog.

[14.2.0] - 2026-05-24

Added

  • isPunctCharCode to utilities.

Fixed

  • Don't end HTML comment blocks on a blank line, #1155.
  • Properly recognize astral chars (surrogates) in delimiter scans for emphasis-like markers, #1072. Big thanks to @​tats-u for his global efforts with improving CJK support.
  • Preserve unicode whitespaces when trimm headings/paragraphs, #1074.
  • More strict entities decode to avoid false positives ;, #1096.
  • Restore block parser state on fail in lheading rule, #1131.

Security

  • Fixed poor smartquotes perfomance on > 70k quotes in single block
  • Bumped linkify-it to 5.0.1 with fixed potential perfomance issues.
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

mpaulosky and others added 3 commits July 2, 2026 21:41
#422)

…rceBuilderExtensions (#262)

## Summary

Extracts the inline `WithCommand` clear-data block from `AppHost.cs`
into a new `MongoDbResourceBuilderExtensions` class.

## Changes

- **New**: `src/AppHost/MongoDbResourceBuilderExtensions.cs` — contains
`WithMongoDbDevCommands` public entry point and private
`WithClearDatabaseCommand`
- **Simplified**: `src/AppHost/AppHost.cs` — reduced from ~157 lines to
~30 lines; single `mongo.WithMongoDbDevCommands("myblog")` call

## Testing

All 10 existing tests pass:
- 5 unit tests in `MongoDbClearCommandTests`
- 5 integration tests in `MongoClearDataIntegrationTests`

Closes #259
Working as Sam (Backend/.NET)

Co-authored-by: Boromir <boromir@squad.dev>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>##
Summary

<!-- Describe what this PR does and why. Link the issue it closes. -->

Closes #<!-- issue number -->

## Type of Change

<!-- Check all that apply -->

- [ ] 🐛 Bug fix (non-breaking change that fixes an issue)
- [ ] ✨ Feature (non-breaking change that adds functionality)
- [ ] ♻️ Refactor (no behavior change, code cleanup/restructure)
- [ ] 🧪 Tests (new or updated tests only)
- [ ] 📝 Docs (README, XML docs, comments)
- [ ] ⚙️ Infra/CI (GitHub Actions, Aspire, NuGet, deployment)
- [ ] 🔒 Security (auth, permissions, secrets, headers)
- [ ] 💥 Breaking change (existing behavior changes)

## Domain Affected

<!-- Check all that apply — this determines which reviewers are required
-->

- [ ] 🏗️ Architecture / domain logic / CQRS → **Aragorn required**
- [ ] 🔧 Backend (handlers, repositories, API endpoints, MediatR) → **Sam
required**
- [ ] ⚛️ Frontend (Blazor components, Razor pages, CSS, JS) → **Legolas
required**
- [ ] 🧪 Unit / bUnit / integration tests → **Gimli required**
- [ ] 🧪 E2E / Playwright / Aspire integration tests → **Pippin
required**
- [ ] ⚙️ CI/CD / GitHub Actions / NuGet / Aspire AppHost → **Boromir
required**
- [ ] 🔒 Auth0 / authorization / security-relevant changes → **Gandalf
required**
- [ ] 📝 Docs / README / XML docs → **Frodo required**

## Self-Review Checklist

<!-- Complete before requesting review — incomplete PRs will be returned
-->

### Code Quality

- [ ] I ran `dotnet build MyBlog.slnx --configuration Release` — 0
errors, 0 warnings
- [ ] I ran `dotnet test MyBlog.slnx --configuration Release --no-build`
— all pass
- [ ] No TODO/FIXME left unless tracked in a follow-up issue (link it)
- [ ] No secrets, API keys, or credentials committed

### Architecture

- [ ] New handlers follow the `Command`/`Query`/`Handler`/`Validator`
naming conventions
- [ ] New handlers are `sealed`
- [ ] Domain layer has no references to `Web` or `Persistence.*`
projects
- [ ] `Result<T>` / `ResultErrorCode` used for expected failures (no
exception-driven control flow)
- [ ] DTOs are records in `Domain.DTOs`; Models are in `Domain.Models`
- [ ] No DTO types embedded in Model classes

### Tests

- [ ] New code has corresponding unit tests
- [ ] Integration tests use domain-specific collections
(`[Collection("XxxIntegration")]`)
- [ ] No test compares two `IssueDto.Empty` / `CommentDto.Empty`
instances directly

### Security (check if security-relevant)

- [ ] New endpoints have appropriate `RequireAuthorization` / policy
applied
- [ ] No `MarkupString` used with user-supplied content
- [ ] No user input reflected in MongoDB queries without sanitization

### Merge Readiness

- [ ] Branch is up to date with `main` (no merge conflicts)
- [ ] CI checks are green (do not request review while checks are
pending/failing)
- [ ] PR description is complete — reviewers should not have to ask what
this does

## Screenshots / Evidence

<!-- For UI changes: before/after screenshots. For fixes: evidence the
bug is resolved. -->

## Notes for Reviewers

<!-- Anything you want reviewers to pay special attention to, or context
they need. -->

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Boromir <boromir@squad.dev>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: GitHub Copilot <copilot@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Boromir <lead-organizer@squad.local>
Co-authored-by: mpaulosky <mpaulosky@users.noreply.github.com>
Unblocks PR #427 by harmonizing the remaining conflict hotspots in main.

- .github/workflows/squad-standard-lint-markdown.yml
- .github/workflows/squad-standard-lint-yaml.yml
- tests/AppHost.Tests/Infrastructure/AspireManager.cs

Refs #427

Co-authored-by: mpaulosky <mpaulosky@users.noreply.github.com>
…dates

Bumps the npm_and_yarn group with 1 update in the /src/Web directory: [js-yaml](https://github.com/nodeca/js-yaml).


Updates `js-yaml` from 4.1.1 to 5.2.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.1...5.2.0)

Updates `markdown-it` from 14.1.1 to 14.2.0
- [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md)
- [Commits](markdown-it/markdown-it@14.1.1...14.2.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 5.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: markdown-it
  dependency-version: 14.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies javascript Pull requests that update javascript code labels Jul 4, 2026
@github-actions github-actions Bot added squad Squad triage inbox — Lead will assign to a member squad:boromir Assigned to Boromir (DevOps / Infra) labels Jul 4, 2026
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

🤖 Dependency Update PR

This PR was opened by dependabot[bot] and has been automatically labeled for Boromir (DevOps) to review.

Labels applied:

  • squad:boromir — Assigned to DevOps for dependency updates
  • squad — In triage queue

Dependency and infrastructure updates are owned by the DevOps team.

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Test Results Summary

556 tests  ±0   518 ✅ ±0   16s ⏱️ +2s
  6 suites ±0    38 💤 ±0 
  6 files   ±0     0 ❌ ±0 

Results for commit 1de264f. ± Comparison against base commit 1620fcd.

♻️ This comment has been updated with latest results.

@codecov

codecov Bot commented Jul 4, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.73%. Comparing base (bcd1aae) to head (2db3e82).
⚠️ Report is 27 commits behind head on dev.

Additional details and impacted files
@@             Coverage Diff             @@
##              dev     #436       +/-   ##
===========================================
- Coverage   87.49%   76.73%   -10.77%     
===========================================
  Files          71       71               
  Lines        1775     1775               
  Branches      214      214               
===========================================
- Hits         1553     1362      -191     
- Misses        145      336      +191     
  Partials       77       77               

see 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mpaulosky
mpaulosky enabled auto-merge (squash) July 4, 2026 16:03
mpaulosky and others added 2 commits July 4, 2026 16:44
#427)

…rceBuilderExtensions (#262)

## Summary

Extracts the inline `WithCommand` clear-data block from `AppHost.cs`
into a new `MongoDbResourceBuilderExtensions` class.

## Changes

- **New**: `src/AppHost/MongoDbResourceBuilderExtensions.cs` — contains
`WithMongoDbDevCommands` public entry point and private
`WithClearDatabaseCommand`
- **Simplified**: `src/AppHost/AppHost.cs` — reduced from ~157 lines to
~30 lines; single `mongo.WithMongoDbDevCommands("myblog")` call

## Testing

All 10 existing tests pass:
- 5 unit tests in `MongoDbClearCommandTests`
- 5 integration tests in `MongoClearDataIntegrationTests`

Closes #259
Working as Sam (Backend/.NET)

Co-authored-by: Boromir <boromir@squad.dev>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>##
Summary

<!-- Describe what this PR does and why. Link the issue it closes. -->

Closes #<!-- issue number -->

## Type of Change

<!-- Check all that apply -->

- [ ] 🐛 Bug fix (non-breaking change that fixes an issue)
- [ ] ✨ Feature (non-breaking change that adds functionality)
- [ ] ♻️ Refactor (no behavior change, code cleanup/restructure)
- [ ] 🧪 Tests (new or updated tests only)
- [ ] 📝 Docs (README, XML docs, comments)
- [ ] ⚙️ Infra/CI (GitHub Actions, Aspire, NuGet, deployment)
- [ ] 🔒 Security (auth, permissions, secrets, headers)
- [ ] 💥 Breaking change (existing behavior changes)

## Domain Affected

<!-- Check all that apply — this determines which reviewers are required
-->

- [ ] 🏗️ Architecture / domain logic / CQRS → **Aragorn required**
- [ ] 🔧 Backend (handlers, repositories, API endpoints, MediatR) → **Sam
required**
- [ ] ⚛️ Frontend (Blazor components, Razor pages, CSS, JS) → **Legolas
required**
- [ ] 🧪 Unit / bUnit / integration tests → **Gimli required**
- [ ] 🧪 E2E / Playwright / Aspire integration tests → **Pippin
required**
- [ ] ⚙️ CI/CD / GitHub Actions / NuGet / Aspire AppHost → **Boromir
required**
- [ ] 🔒 Auth0 / authorization / security-relevant changes → **Gandalf
required**
- [ ] 📝 Docs / README / XML docs → **Frodo required**

## Self-Review Checklist

<!-- Complete before requesting review — incomplete PRs will be returned
-->

### Code Quality

- [ ] I ran `dotnet build MyBlog.slnx --configuration Release` — 0
errors, 0 warnings
- [ ] I ran `dotnet test MyBlog.slnx --configuration Release --no-build`
— all pass
- [ ] No TODO/FIXME left unless tracked in a follow-up issue (link it)
- [ ] No secrets, API keys, or credentials committed

### Architecture

- [ ] New handlers follow the `Command`/`Query`/`Handler`/`Validator`
naming conventions
- [ ] New handlers are `sealed`
- [ ] Domain layer has no references to `Web` or `Persistence.*`
projects
- [ ] `Result<T>` / `ResultErrorCode` used for expected failures (no
exception-driven control flow)
- [ ] DTOs are records in `Domain.DTOs`; Models are in `Domain.Models`
- [ ] No DTO types embedded in Model classes

### Tests

- [ ] New code has corresponding unit tests
- [ ] Integration tests use domain-specific collections
(`[Collection("XxxIntegration")]`)
- [ ] No test compares two `IssueDto.Empty` / `CommentDto.Empty`
instances directly

### Security (check if security-relevant)

- [ ] New endpoints have appropriate `RequireAuthorization` / policy
applied
- [ ] No `MarkupString` used with user-supplied content
- [ ] No user input reflected in MongoDB queries without sanitization

### Merge Readiness

- [ ] Branch is up to date with `main` (no merge conflicts)
- [ ] CI checks are green (do not request review while checks are
pending/failing)
- [ ] PR description is complete — reviewers should not have to ask what
this does

## Screenshots / Evidence

<!-- For UI changes: before/after screenshots. For fixes: evidence the
bug is resolved. -->

## Notes for Reviewers

<!-- Anything you want reviewers to pay special attention to, or context
they need. -->

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Boromir <boromir@squad.dev>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: GitHub Copilot <copilot@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Boromir <lead-organizer@squad.local>
Co-authored-by: mpaulosky <mpaulosky@users.noreply.github.com>
@mpaulosky
mpaulosky changed the base branch from main to dev July 4, 2026 17:54
@mpaulosky
mpaulosky merged commit 53d758e into dev Jul 7, 2026
9 checks passed
@mpaulosky
mpaulosky deleted the dependabot/npm_and_yarn/src/Web/npm_and_yarn-4a95add1bb branch July 7, 2026 15:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies javascript Pull requests that update javascript code squad:boromir Assigned to Boromir (DevOps / Infra) squad Squad triage inbox — Lead will assign to a member

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant