Bump picomatch, @rollup/plugin-commonjs, @rollup/plugin-node-resolve, @rollup/plugin-replace, @web/rollup-plugin-import-meta-assets, fast-glob and lint-staged #1478

Open
dependabot[bot] wants to merge 1 commit into dev from dependabot/npm_and_yarn/multi-0b8454160b
@dependabot dependabot Bot commented on behalf of github Jun 10, 2026

Bumps picomatch to 4.0.4 and updates ancestor dependencies picomatch, @rollup/plugin-commonjs, @rollup/plugin-node-resolve, @rollup/plugin-replace, @web/rollup-plugin-import-meta-assets, fast-glob and lint-staged. These dependencies need to be updated together.

Updates picomatch from 2.2.2 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

4.0.3

What's Changed

New Contributors

Full Changelog: micromatch/picomatch@4.0.2...4.0.3

3.0.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@3.0.1...3.0.2

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

2.3.1

Fixed

  • Fixes bug when a pattern containing an expression after the closing parenthesis (/!(*.d).{ts,tsx}) was incorrectly converted to regexp (9f241ef).

Changed

2.2.3

... (truncated)

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each version is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by danez, a new releaser for picomatch since your current version.


Updates @rollup/plugin-commonjs from 17.0.0 to 29.0.3

Changelog

Sourced from @​rollup/plugin-commonjs's changelog.

v29.0.3

2026-05-29

Bugfixes

v29.0.2

2026-03-06

Bugfixes

  • commonjs: conditional exports (#1952)

v29.0.1

2026-03-05

Bugfixes

  • commonjs: correctly replaces shorthand "global" property in object (#1957)

v29.0.0

2025-10-30

Breaking Changes

  • feat!: revert #1909 and add requireNodeBuiltins option (#1937)

v28.0.9

2025-10-24

Bugfixes

  • fix: handle node: builtins with strictRequires: auto (#1930)

v28.0.8

2025-10-16

Bugfixes

  • fix: guard moduleSideEffects for wrapped externals (#1914)

v28.0.7

... (truncated)

Commits
  • 1e4025b chore(release): commonjs v29.0.3
  • 08a5b17 fix(commonjs): make #1868 es5-compatible (#1981)
  • 5800bf3 chore(repo): test migration to vitest. phase 4 (#1978)
  • 2de0d62 chore(release): commonjs v29.0.2
  • ab65325 fix(commonjs): conditional exports (#1952)
  • 7d22981 chore(repo): add rollup-plugin keyword in package.json (#1955)
  • a79ae55 chore(release): commonjs v29.0.1
  • bb41cfd chore(release): commonjs v29.0.1
  • 14ae186 fix(commonjs): correctly replaces shorthand "global" property in object (#1957)
  • c8e78c8 chore(release): commonjs v29.0.0
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​rollup/plugin-commonjs since your current version.


Updates @rollup/plugin-node-resolve from 11.1.0 to 16.0.3

Changelog

Sourced from @​rollup/plugin-node-resolve's changelog.

v16.0.3

2025-10-13

Bugfixes

  • fix: resolve bare targets of package "imports" using export maps; avoid fileURLToPath(null) (#1908)

v16.0.2

2025-10-04

Bugfixes

  • fix: error thrown with empty entry (#1893)

v16.0.1

2025-03-11

Bugfixes

  • fix: add ignoreSideEffectsForRoot to exported interface (#1841)

v16.0.0

2024-12-15

Breaking Changes

  • feat!: set development or production condition (#1823)

v15.3.1

2024-12-15

Updates

  • refactor: replace test with includes (#1787)

v15.3.0

2024-09-23

Features

  • feat: allow preferBuiltins to be a function (#1694)

v15.2.4

... (truncated)

Commits
  • 764910a chore(release): node-resolve v16.0.3
  • 3569720 fix(node-resolve): resolve bare targets of package "imports" using export map...
  • 516ed1d chore(release): node-resolve v16.0.2
  • 7ad5057 fix(node-resolve): error thrown with empty entry (#1893)
  • e1a5ef9 chore(release): node-resolve v16.0.1
  • d455fff fix(node-resolve): add ignoreSideEffectsForRoot to exported interface (#1841)
  • d64f8d6 chore(release): node-resolve v16.0.0
  • ebd0969 feat(node-resolve)!: set development or production condition (#1823)
  • f89ca92 chore(release): node-resolve v15.3.1
  • 4cfc1c3 refactor(pluginutils,node-resolve): replace test with includes (#1787)
  • Additional commits viewable in compare view

Updates @rollup/plugin-replace from 2.3.4 to 6.0.3

Changelog

Sourced from @​rollup/plugin-replace's changelog.

v6.0.3

2025-10-29

Bugfixes

  • fix: update delimiters to respect valid js identifier chars (#1938)

v6.0.2

2024-12-15

Bugfixes

  • fix: add missing types for objectGuards option (#1818)

v6.0.1

2024-09-23

Bugfixes

  • fix: The preventAssignment option is treated as a value to replace (#1768)

v6.0.0

2024-09-23

Breaking Changes

  • fix!: objectGuards doesn't take effects (#1764)

v5.0.7

2024-06-05

Bugfixes

  • fix: add missing sourceMap documentation (#1698)

v5.0.6

2024-06-05

Bugfixes

  • fix: ternary operator replacement (#1712)

v5.0.5

... (truncated)

Commits
  • 8791470 chore(release): replace v5.0.1
  • 3038271 chore(commonjs,yaml,wasm,virtual,url,typescript,sucrase,strip,run,replace,plu...
  • bdc099e chore(release): replace v5.0.0
  • cba9788 fix(replace): prepare for Rollup 3 (#1286)
  • 69146cd chore(repo): central changes for Rollup 3 updates (#1277)
  • 4e85ed7 chore(all): fix lint issues (#1270)
  • 2483b40 chore(repo): correct READMEs, minimatch to picomatch (#1260)
  • 1f0e2cd chore(release): replace v4.0.0
  • 5bae547 fix(replace)!: do not escape delimiters (#1088)
  • 8835dd2 chore(repo): update rollup devDep in all packages (#1115)
  • Additional commits viewable in compare view

Updates @web/rollup-plugin-import-meta-assets from 1.0.6 to 1.0.8

Changelog

Sourced from @​web/rollup-plugin-import-meta-assets's changelog.

1.0.8

Patch Changes

  • 1113fa09: Update @rollup/pluginutils

1.0.7

Patch Changes

  • d3448166: Allow ignoring assets during transformation
Commits
  • 2f1e207 Version Packages
  • 18b3a07 fix(deps): update dependency @​rollup/pluginutils to v5
  • 8b27e18 fix(deps): update dependency magic-string to ^0.30.0
  • 9661d9d Version Packages
  • d344816 feat(rollup-plugin-import-meta-assets): allow transform to skip processing asset
  • See full diff in compare view

Updates fast-glob from 3.2.4 to 3.3.3

Release notes

Sourced from fast-glob's releases.

3.3.3

Full Changelog: mrmlnc/fast-glob@3.3.2...3.3.3

💬 Common

🐛 Bug fixes

  • Apply absolute negative patterns to full path instead of file path (#441, thanks @​webpro)

3.3.2

Full Changelog: mrmlnc/fast-glob@3.3.1...3.3.2

🐛 Bug fixes

  • Handle square brackets as a special character on Windows in escape functions (#425)
  • Keep escaping after brace expansion (#422)

3.3.1

Full Changelog: mrmlnc/fast-glob@3.3.0...3.3.1

This release fixes a regression for cases where the ignore option is used with a string (#403, #404).

The public interface of this package has not supported a string as the value for the ignore option since 2018 (release).

So, in the next major release, we will reintroduce method implementations that do not involve strings in the ignore option.

3.3.0

Full Changelog: mrmlnc/fast-glob@3.2.12...3.3.0

🚀 Improvements

Method aliases

New methods (glob, globSync, globStream) have been added in addition to the current methods (default import, sync, stream), which eliminate the need to rename the method when importing. In addition, an async alias has been added for the default import, which makes it possible to use this packet with ESM.

Method to convert paths to globs

A new method (convertPathToPattern) has been added in this release to convert a path to a pattern. The primary goal is to enable users to avoid processing Windows paths in each location where this package is used by utilities from third-party packages.

See more details in the pull request.

🐛 Bug fixes

  • In the past, we mishandled patterns that contained slashes when the baseNameMatch option was enabled, which went against the documented behavior. (#312)
  • Several problems with matching patterns that contain brace expansion have been resolved. The primary issue solved is when the pattern has duplicate slashes after it is expanded (#394), or the micromatch package does not correctly generate a regular expression (#365).
  • All negative patterns will now have the dot option enabled when matching paths. Previously, the !**/* patterns did not exclude hidden files (start with a dot). (#343)
  • The issue that led to duplicates in the results when overlapping or duplicate patterns were present among the patterns has been fixed. At the moment, we are only talking about leading dot. Other cases are not included. For example, running with the patterns ['./file.md', 'file.md', '*'] will now only include file.md once in the results. (#190)

... (truncated)

Commits
  • 4868789 3.3.3
  • 73be367 Merge pull request #464 from mrmlnc/3.3.3
  • 55c7b33 perf: optimizing the patterns set matching by exiting early
  • ea113fd docs: add information about enumerable properties for the fs option
  • 41e4730 fix: apply absolute negative patterns to full path instead of file path
  • 54ad12d build: fix watch command
  • 7410547 chore: refer to micromatch@4.0.8 to avoid annoying npm audit spam
  • ca61085 build: freeze fdir dependency to avoid tsc issues
  • e60a9f5 3.3.2
  • 8638dc6 fix: escape square braces on Windows platform
  • Additional commits viewable in compare view

Updates lint-staged from 10.5.1 to 17.0.7

Release notes

Sourced from lint-staged's releases.

v17.0.7

Patch Changes

v17.0.6

Patch Changes

  • #1803 bdf2770 - Run all tests with Deno, in addition to Node.js and Bun.

  • #1796 7508272 - Fix performance regression of lint-staged v17 by going back to using git add to stage task modifications. This was changed to git update-index --again in v17 for less manual work, but unfortunately the update-index command gets slower in very large Git repos.

  • #1797 7b2505a - This version of lint-staged uses the new staged publishing for npm packages feature. Releases are already published from GitHub Actions with trusted publishing, but now an additional approval with two-factor authentication is also required.

  • #1802 321b0a9 - Downgrade dependency tinyexec@1.2.2 to avoid issues in version 1.2.3.

v17.0.5

Patch Changes

  • #1792 1f67271 - Correctly set the --max-arg-length default value based on the running platform. This controls how very long lists of staged files are split into multiple chunks.

v17.0.4

Patch Changes

  • #1788 f95c1f8 - Another fix for making sure lint-staged adds task modifications correctly to the commit in the following cases:

    • after editing <file> it is staged with git add <file>, and then committed with git commit
    • after editing <file> it is committed with git commit --all without explicit git add
    • after editing <file> it is committed with git commit <pathspec> without explicit git add

    There are new test cases which actually set up the Git pre_commit hook to run lint-staged and verify them. These issues started in v17.0.0 when trying to improve support for committing without having explicitly staged files.

v17.0.3

Patch Changes

  • #1782 06813f9 Thanks @​iiroj! - Fix lint-staged behavior when implicitly committing files without using git add by either:
    • git commit -am "my commit message" where -a (--all) means to automatically stage all tracked modified and deleted files
    • git commit -m "my commit message" . where . is an example of a pathspec where matching files will be staged

v17.0.2

Patch Changes

v17.0.1

Patch Changes

  • #1776 4a5664b Thanks @​iiroj! - Adjust GitHub Actions workflow so that automatic publishing works with signed commits.

v17.0.0

... (truncated)

Changelog

Sourced from lint-staged's changelog.

17.0.7

Patch Changes

17.0.6

Patch Changes

  • #1803 bdf2770 - Run all tests with Deno, in addition to Node.js and Bun.

  • #1796 7508272 - Fix performance regression of lint-staged v17 by going back to using git add to stage task modifications. This was changed to git update-index --again in v17 for less manual work, but unfortunately the update-index command gets slower in very large Git repos.

  • #1797 7b2505a - This version of lint-staged uses the new staged publishing for npm packages feature. Releases are already published from GitHub Actions with trusted publishing, but now an additional approval with two-factor authentication is also required.

  • #1802 321b0a9 - Downgrade dependency tinyexec@1.2.2 to avoid issues in version 1.2.3.

17.0.5

Patch Changes

  • #1792 1f67271 - Correctly set the --max-arg-length default value based on the running platform. This controls how very long lists of staged files are split into multiple chunks.

17.0.4

Patch Changes

  • #1788 f95c1f8 - Another fix for making sure lint-staged adds task modifications correctly to the commit in the following cases:

    • after editing <file> it is staged with git add <file>, and then committed with git commit
    • after editing <file> it is committed with git commit --all without explicit git add
    • after editing <file> it is committed with git commit <pathspec> without explicit git add

    There are new test cases which actually set up the Git pre_commit hook to run lint-staged and verify them. These issues started in v17.0.0 when trying to improve support for committing without having explicitly staged files.

17.0.3

Patch Changes

  • #1782 06813f9 Thanks @​iiroj! - Fix lint-staged behavior when implicitly committing files without using git add by either:
    • git commit -am "my commit message" where -a (--all) means to automatically stage all tracked modified and deleted files
    • git commit -m "my commit message" . where . is an example of a pathspec where matching files will be staged

17.0.2

Patch Changes

17.0.1

... (truncated)

Commits
  • cd11fec Merge pull request #1807 from lint-staged/changeset-release/main
  • 15a8ee0 chore(changeset): release
  • 797bbd9 Merge pull request #1808 from lint-staged/add-stashing-faq
  • 504e307 docs: add FAQ entry on how stashing works
  • eff5cd1 Merge pull request #1806 from lint-staged/update-tinyexec
  • e692e58 build(deps): update tinyexec@^1.2.4
  • a2dd4ea Merge pull request #1805 from lint-staged/update-github-templates
  • c928519 docs: update GitHub templates
  • 094ba56 Merge pull request #1798 from lint-staged/changeset-release/main
  • 88e19fe chore(changeset): release
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for lint-staged since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

… @rollup/plugin-replace, @web/rollup-plugin-import-meta-assets, fast-glob and lint-staged

Bumps [picomatch](https://github.com/micromatch/picomatch) to 4.0.4 and updates ancestor dependencies [picomatch](https://github.com/micromatch/picomatch), [@rollup/plugin-commonjs](https://github.com/rollup/plugins/tree/HEAD/packages/commonjs), [@rollup/plugin-node-resolve](https://github.com/rollup/plugins/tree/HEAD/packages/node-resolve), [@rollup/plugin-replace](https://github.com/rollup/plugins/tree/HEAD/packages/replace), [@web/rollup-plugin-import-meta-assets](https://github.com/modernweb-dev/web/tree/HEAD/packages/rollup-plugin-import-meta-assets), [fast-glob](https://github.com/mrmlnc/fast-glob) and [lint-staged](https://github.com/lint-staged/lint-staged). These dependencies need to be updated together.


Updates `picomatch` from 2.2.2 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.2.2...4.0.4)

Updates `@rollup/plugin-commonjs` from 17.0.0 to 29.0.3
- [Changelog](https://github.com/rollup/plugins/blob/master/packages/commonjs/CHANGELOG.md)
- [Commits](https://github.com/rollup/plugins/commits/commonjs-v29.0.3/packages/commonjs)

Updates `@rollup/plugin-node-resolve` from 11.1.0 to 16.0.3
- [Changelog](https://github.com/rollup/plugins/blob/master/packages/node-resolve/CHANGELOG.md)
- [Commits](https://github.com/rollup/plugins/commits/node-resolve-v16.0.3/packages/node-resolve)

Updates `@rollup/plugin-replace` from 2.3.4 to 6.0.3
- [Changelog](https://github.com/rollup/plugins/blob/master/packages/replace/CHANGELOG.md)
- [Commits](https://github.com/rollup/plugins/commits/babel-v6.0.3/packages/replace)

Updates `@web/rollup-plugin-import-meta-assets` from 1.0.6 to 1.0.8
- [Release notes](https://github.com/modernweb-dev/web/releases)
- [Changelog](https://github.com/modernweb-dev/web/blob/master/packages/rollup-plugin-import-meta-assets/CHANGELOG.md)
- [Commits](https://github.com/modernweb-dev/web/commits/@web/rollup-plugin-import-meta-assets@1.0.8/packages/rollup-plugin-import-meta-assets)

Updates `fast-glob` from 3.2.4 to 3.3.3
- [Release notes](https://github.com/mrmlnc/fast-glob/releases)
- [Commits](mrmlnc/fast-glob@3.2.4...3.3.3)

Updates `lint-staged` from 10.5.1 to 17.0.7
- [Release notes](https://github.com/lint-staged/lint-staged/releases)
- [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md)
- [Commits](lint-staged/lint-staged@v10.5.1...v17.0.7)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
- dependency-name: "@rollup/plugin-commonjs"
  dependency-version: 29.0.3
  dependency-type: direct:development
- dependency-name: "@rollup/plugin-node-resolve"
  dependency-version: 16.0.3
  dependency-type: direct:development
- dependency-name: "@rollup/plugin-replace"
  dependency-version: 6.0.3
  dependency-type: direct:development
- dependency-name: "@web/rollup-plugin-import-meta-assets"
  dependency-version: 1.0.8
  dependency-type: direct:development
- dependency-name: fast-glob
  dependency-version: 3.3.3
  dependency-type: indirect
- dependency-name: lint-staged
  dependency-version: 17.0.7
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) labels Jun 10, 2026