fix(deps): update external major (major) #10

Open. Wants to merge 1 commit into base: main

renovate[bot]
Contributor

@renovate renovate bot commented Jul 14, 2025

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| @redocly/cli | 1.34.5 -> 2.0.2 | age | confidence |
| diff | 7.0.0 -> 8.0.2 | age | confidence |
| dotenv | 16.6.1 -> 17.2.1 | age | confidence |
| lint-staged | 15.5.2 -> 16.1.2 | age | confidence |
| sinon (source) | 20.0.0 -> 21.0.0 | age | confidence |

Release Notes

Redocly/redocly-cli (@​redocly/cli)

v2.0.2

Compare Source

Patch Changes
  • Made executionTimeout parameter optional in the run function exported from respect-core.
  • Updated @​redocly/respect-core to v2.0.2.

v2.0.1

Compare Source

Patch Changes
  • Fixed an issue where the no-required-schema-properties-undefined rule incorrectly resolved nested $refs relative to the file in which they were defined.
  • Fixed an issue where multipart form-data parameters were not properly resolved and evaluated before sending requests.
  • Updated @​redocly/openapi-core to v2.0.1.

v2.0.0

Compare Source

Major Changes
  • Removed backward compatibility for the spec rule. Use struct instead.
  • Removed support for the deprecated apiDefinitions option in the Redocly config. Use apis instead.
    Removed the labels field within the apis section, which was associated with the legacy Redocly API Registry product.
  • Removed support for default config file names other than redocly.yaml.
  • Removed support for the deprecated features.openapi and features.mockServer configuration options. Use openapi and mockServer directly instead.
  • Removed backward compatibility for the deprecated lint and styleguide options in the Redocly config.
    Use rules, decorators and other related options on the root level instead.
  • Removed the deprecated disallowAdditionalProperties option support in rules. Use allowAdditionalProperties instead.
  • Removed support for the deprecated theme property of Redocly config.
    All the properties of theme are now available in the config root.
  • Removed the deprecated path-excludes-patterns and info-license-url rules.
  • Removed the deprecated undefined assertion. Use defined instead.
  • Removed support for the legacy Redocly API Registry in favor of the new Reunite platform.
    Reunite provides improved API management capabilities and better integration with Redocly's tooling ecosystem.
    Migrated the login and push commands to work exclusively with Reunite.
    Removed the preview-docs command as part of platform modernization.
    Use the preview command instead.
  • Removed support for the deprecated referenceDocs option, which was related to the legacy Reference docs product.
  • Removed support for the deprecated assert/ prefix in configurable rules. Use rule/ prefix instead.
  • Migrated the codebase to ES Modules from CommonJS, bringing improved code organization and better support for modern JavaScript features.
    Update to Node.js version 20.19.0+, 22.12.0+, or 23+.

Minor Changes
  • Added x-security extension for Respect that enables secure handling of authentication in Arazzo workflows.
    Use this extension to:

    • Define security schemes at the step level using either predefined schemes or inline definitions
    • Pass values of secrets (passwords, tokens, API keys)
    • Support multiple authentication types including API Key (query, header, or cookie), Basic Authentication, Bearer Token, Digest Authentication, OAuth2, and OpenID Connect
    • Automatically transform security parameters into appropriate HTTP headers or query parameters
  • Added environment variable support for CLI arguments using Yargs .env() method to parse environment variables with matching prefixes.

  • Added validation for JSON Schema format.

  • Extracted nullable validation from the struct rule into a new nullable-type-sibling rule for OpenAPI 3.0. This allows users to disable nullable validation separately from other structural checks.

  • Configured the spec ruleset for OpenAPI, AsyncAPI, Arazzo, and Overlay specifications.
    This ruleset is designed to strictly follow the specifications.

  • Added the no-duplicated-tag-names rule to check for duplications in the tags field in API descriptions.

  • Enabled no-required-schema-properties-undefined, no-schema-type-mismatch, and no-enum-type-mismatch rules for AsyncAPI and Arazzo specifications.
    Adjusted the rules' severities in the recommended and minimal rulesets. Refer to the following table:

    | Rule \ Ruleset | recommended | minimal |
    |---|---|---|
    | no-required-schema-properties-undefined | off -> warn | off -> warn |
    | no-enum-type-mismatch | error | warn |
    | no-schema-type-mismatch | warn -> error | off -> warn |

  • Implemented automatic masking of sensitive fields (such as tokens and passwords) in response bodies to enhance security and prevent accidental exposure of secrets in logs and outputs.

  • Added new CLI options for the respect command to improve test execution control.

Patch Changes
  • Fixed plugins validation in config files referenced in the extends section.
  • Fixed no-undefined-server-variable crash when encountering null values in the server list.
  • Refactored @redocly/respect-core to eliminate Node.js-specific dependencies, improving cross-platform compatibility.
  • Updated Redoc to v2.5.0.
  • Fixed alias detection when using --config from a different folder than the current working directory.
  • Resolved an issue where [email protected] injected an unintended message into the output.
  • Fixed Redocly CLI to correctly read residency from the Redocly configuration file.
  • Improved Respect's error handling when server URLs are missing from both OpenAPI descriptions and CLI options.
  • Updated @​redocly/respect-core to v2.0.0.

kpdecker/jsdiff (diff)

v8.0.2

Compare Source

  • #​616 Restored compatibility of diffSentences with old Safari versions. This was broken in 8.0.0 by the introduction of a regex with a lookbehind assertion; these weren't supported in Safari prior to version 16.4.
  • #​612 Improved tree shakeability by marking the built CJS and ESM packages with sideEffects: false.

v8.0.1

Compare Source

  • #​610 Fixes types for diffJson which were broken by 8.0.0. The new bundled types in 8.0.0 only allowed diffJson to be passed string arguments, but it should've been possible to pass either strings or objects (and now is). Thanks to Josh Kelley for the fix.

v8.0.0

Compare Source

  • #​580 Multiple tweaks to diffSentences:
    • tokenization no longer takes quadratic time on pathological inputs (reported as a ReDOS vulnerability by Snyk); is now linear instead
    • the final sentence in the string is now handled the same by the tokenizer regardless of whether it has a trailing punctuation mark or not. (Previously, "foo. bar." tokenized to ["foo.", " ", "bar."] but "foo. bar" tokenized to ["foo.", " bar"] - i.e. whether the space between sentences was treated as a separate token depended upon whether the final sentence had trailing punctuation or not. This was arbitrary and surprising; it is no longer the case.)
    • in a string that starts with a sentence end, like "! hello.", the "!" is now treated as a separate sentence
    • the README now correctly documents the tokenization behaviour (it was wrong before)
  • #​581 - fixed some regex operations used for tokenization in diffWords taking O(n^2) time in pathological cases
  • #​595 - fixed a crash in patch creation functions when handling a single hunk consisting of a very large number (e.g. >130k) of lines. (This was caused by spreading indefinitely-large arrays to .push() using .apply or the spread operator and hitting the JS-implementation-specific limit on the maximum number of arguments to a function, as shown at https://stackoverflow.com/a/56809779/1709587; thus the exact threshold to hit the error will depend on the environment in which you were running JsDiff.)
  • #​596 - removed the merge function. Previously JsDiff included an undocumented function called merge that was meant to, in some sense, merge patches. It had at least a couple of serious bugs that could lead to it returning unambiguously wrong results, and it was difficult to simply "fix" because it was unclear precisely what it was meant to do. For now, the fix is to remove it entirely.
  • #​591 - JsDiff's source code has been rewritten in TypeScript. This change entails the following changes for end users:
    • the diff package on npm now includes its own TypeScript type definitions. Users who previously used the @types/diff npm package from DefinitelyTyped should remove that dependency when upgrading JsDiff to v8.

      Note that the transition from the DefinitelyTyped types to JsDiff's own type definitions includes multiple fixes and also removes many exported types previously used for options arguments to diffing and patch-generation functions. (There are now different exported options types for abortable calls - ones with a timeout or maxEditLength that may give a result of undefined - and non-abortable calls.) See the TypeScript section of the README for some usage tips.

    • The Diff object is now a class. Custom extensions of Diff, as described in the "Defining custom diffing behaviors" section of the README, can therefore now be done by writing a class CustomDiff extends Diff and overriding methods, instead of the old way based on prototype inheritance. (I think code that did things the old way should still work, though!)

    • diff/lib/index.es6.js and diff/lib/index.mjs no longer exist, and the ESM version of the library is no longer bundled into a single file.

    • The ignoreWhitespace option for diffWords is no longer included in the type declarations. The effect of passing ignoreWhitespace: true has always been to make diffWords just call diffWordsWithSpace instead, which was confusing, because that behaviour doesn't seem properly described as "ignoring" whitespace at all. The property remains available to non-TypeScript applications for the sake of backwards compatibility, but TypeScript applications will now see a type error if they try to pass ignoreWhitespace: true to diffWords and should change their code to call diffWordsWithSpace instead.

    • JsDiff no longer purports to support ES3 environments. (I'm pretty sure it never truly did, despite claiming to in its README, since even the 1.0.0 release used Array.map which was added in ES5.)

  • #​601 - diffJson's stringifyReplacer option behaves more like JSON.stringify's replacer argument now. In particular:
    • Each key/value pair now gets passed through the replacer once instead of twice
    • The key passed to the replacer when the top-level object is passed in as value is now "" (previously, was undefined), and the key passed with an array element is the array index as a string, like "0" or "1" (previously was whatever the key for the entire array was). Both the new behaviours match that of JSON.stringify.
  • #​602 - diffing functions now consistently return undefined when called in async mode (i.e. with a callback). Previously, there was an odd quirk where they would return true if the strings being diffed were equal and undefined otherwise.

motdotla/dotenv (dotenv)

v17.2.1

Compare Source

Changed
  • Fix clickable tip links by removing parentheses (#​897)

v17.2.0

Compare Source

Added
  • Optionally specify DOTENV_CONFIG_QUIET=true in your environment or .env file to quiet the runtime log (#​889)
  • Just like dotenv any DOTENV_CONFIG_ environment variables take precedence over any code set options like ({quiet: false})

v17.1.0

Compare Source

Added
  • Add additional security and configuration tips to the runtime log (#​884)
  • Dim the tips text from the main injection information text
const TIPS = [
  '🔐 encrypt with dotenvx: https://dotenvx.com',
  '🔐 prevent committing .env to code: https://dotenvx.com/precommit',
  '🔐 prevent building .env in docker: https://dotenvx.com/prebuild',
  '🛠️  run anywhere with `dotenvx run -- yourcommand`',
  '⚙️  specify custom .env file path with { path: \'/custom/path/.env\' }',
  '⚙️  enable debug logging with { debug: true }',
  '⚙️  override existing env vars with { override: true }',
  '⚙️  suppress all logs with { quiet: true }',
  '⚙️  write to custom object with { processEnv: myObject }',
  '⚙️  load multiple .env files with { path: [\'.env.local\', \'.env\'] }'
]

v17.0.1

Compare Source

Changed
  • Patched injected log to count only populated/set keys to process.env (#​879)

v17.0.0

Compare Source

Changed
  • Default quiet to false - informational (file and keys count) runtime log message shows by default (#​875)

lint-staged/lint-staged (lint-staged)

v16.1.2

Compare Source

Patch Changes
  • #​1570 a7c0c88 Thanks @​ItsNickBarry! - When using --diff-filter with the D option to include deleted staged files, lint-staged no longer tries to stage the deleted files, unless they're no longer deleted. Previously this caused an error from git add like fatal: pathspec 'deleted-file' did not match any files.

  • 38f942e Thanks @​iiroj! - Removed an extraneous log entry that printed shouldHidePArtiallyStagedFiles to console output.

v16.1.1

Compare Source

Patch Changes
  • #​1565 3686977 Thanks @​iiroj! - Lint-staged now explicitly warns about potential data loss when using --no-stash.

  • #1571 02299a9 Thanks @iiroj! - Function tasks (introduced in v16.0.0) only received the staged files matching the configured glob, instead of all staged files.

  • #​1563 bc61c74 Thanks @​iiroj! - This version fixes incorrect behavior where unstaged changes were committed when using the --no-stash option. This happened because --no-stash implied --no-hide-partially-staged, meaning unstaged changes to files which also had other staged changes were added to the commit by lint-staged; this is no longer the case.

    The previous (incorrect) behavior can still be achieved by using both options --no-stash --no-hide-partially-staged at the same time.

v16.1.0

Compare Source

Minor Changes
  • #​1536 e729daa Thanks @​iiroj! - A new flag --no-revert has been introduced for when task modifications should be applied to the index before aborting the commit in case of errors. By default, lint-staged will clear all task modifications and revert to the original state.

  • #​1550 b27fa3f Thanks @​iiroj! - Lint-staged now ignores symlinks and leaves them out from the list of staged files.

Patch Changes

v16.0.0

Compare Source

Major Changes
  • #​1546 158d15c Thanks @​iiroj! - Processes are spawned using nano-spawn instead of execa. If you are using Node.js scripts as tasks, you might need to explicitly run them with node, especially when using Windows:

    {
      "*.js": "node my-js-linter.js"
    }
  • #​1546 158d15c Thanks @​iiroj! - The --shell flag has been removed and lint-staged no longer supports evaluating commands directly via a shell. To migrate existing commands, you can create a shell script and invoke it instead. Lint-staged will pass matched staged files as a list of arguments, accessible via "$@​":


sinonjs/sinon (sinon)

v21.0.0

Compare Source

  • fd10f13f
    chore!: remove assert.failException property (#​2659) (Morgan Roderick)

    This was used for allowing customisation of the thrown error between
    sandboxes and for customisation for integrations (most likely from the
    days of BusterJS).

    To my knowledge and what I've been able to find on GitHub, this has
    never had any production use by end users.

    BREAKING CHANGE: this removes assert.failException from the API

Released by Morgan Roderick on 2025-06-13.


Configuration

📅 Schedule: Branch creation - "after 2pm on Monday" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
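
A pre-merge check for the @redocly/cli 2.0.0 removals listed in the release notes above, as an added example that is not part of the PR or of Redocly's code. It assumes the Redocly config has already been parsed into a plain object, that rules are keyed by name under `rules`, and that per-API settings sit under `apis.<name>`; `findRemovedOptions` and the sample config are hypothetical.

```javascript
// Added example, not Redocly code. Assumed config shape: rule names are keys
// under `rules`, per-API settings sit under `apis.<name>`.
const REMOVED_KEYS = {
  apiDefinitions: 'use apis',
  lint: 'move rules, decorators and related options to the root',
  styleguide: 'move rules, decorators and related options to the root',
  theme: 'move its properties to the config root',
  referenceDocs: 'removed with the legacy Reference docs product',
  'features.openapi': 'use openapi',
  'features.mockServer': 'use mockServer',
};
const REMOVED_RULES = {
  spec: 'use struct',
  'path-excludes-patterns': 'rule removed',
  'info-license-url': 'rule removed',
};

// Look up a dotted path such as "features.openapi" in a plain object.
function getPath(obj, path) {
  return path.split('.').reduce((o, k) => (o && typeof o === 'object' ? o[k] : undefined), obj);
}

// Returns one finding per option that the 2.0.0 release notes list as removed.
function findRemovedOptions(config) {
  const findings = [];
  for (const [key, hint] of Object.entries(REMOVED_KEYS)) {
    if (getPath(config, key) !== undefined) findings.push(`${key}: ${hint}`);
  }
  for (const [api, def] of Object.entries(config.apis || {})) {
    if (def && def.labels !== undefined) findings.push(`apis.${api}.labels: field removed`);
  }
  for (const [rule, value] of Object.entries(config.rules || {})) {
    if (Object.hasOwn(REMOVED_RULES, rule)) findings.push(`rules.${rule}: ${REMOVED_RULES[rule]}`);
    if (rule.startsWith('assert/')) findings.push(`rules.${rule}: use the rule/ prefix`);
    if (value && typeof value === 'object' && 'disallowAdditionalProperties' in value) {
      findings.push(`rules.${rule}.disallowAdditionalProperties: use allowAdditionalProperties`);
    }
  }
  return findings;
}

// Constructed sample config, not taken from this repository.
const sampleConfig = {
  apiDefinitions: { main: 'openapi.yaml' },
  features: { openapi: {} },
  apis: { main: { root: 'openapi.yaml', labels: ['internal'] } },
  rules: { spec: 'error', 'assert/operation-summary': { severity: 'warn' }, 'operation-2xx-response': 'warn' },
};
console.log(findRemovedOptions(sampleConfig).join('\n'));
```
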
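
The failure mode behind the jsdiff #595 entry above (spreading a very large array into `.push()`), next to a bounded alternative, as an added example that is not jsdiff's code. `appendAll` and `spreadPushWorks` are hypothetical helpers, and the hunk lines are constructed.

```javascript
// Added example, not jsdiff code: appendAll and spreadPushWorks are hypothetical helpers.

// Appends every element of `source` to `target` in bounded chunks, so the
// number of arguments passed to push() never depends on the input size.
function appendAll(target, source, chunkSize = 10000) {
  for (let i = 0; i < source.length; i += chunkSize) {
    target.push(...source.slice(i, i + chunkSize));
  }
  return target;
}

// Probes whether this runtime can spread `n` elements into a single push() call.
// The threshold is implementation-specific, as the release note says.
function spreadPushWorks(n) {
  const lines = new Array(n).fill('+line');
  try {
    [].push(...lines);
    return true;
  } catch (err) {
    if (err instanceof RangeError) return false; // argument or stack limit reached
    throw err;
  }
}

// Constructed input: a single hunk far larger than the >130k lines in the release note.
const hunkLines = new Array(2000000).fill('+line');
const patchLines = appendAll(['@@ -0,0 +1,2000000 @@'], hunkLines);
console.log(patchLines.length, spreadPushWorks(1000), spreadPushWorks(2000000));
```

Code that builds patches from untrusted or very large inputs should use the chunked form (or a plain loop), since the unbounded spread turns input size into a crash.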

This PR will trigger a patch release when merged.

@renovate renovate bot force-pushed the renovate-major-external-major branch 3 times, most recently from 8cdb9b9 to ead7996 Compare July 26, 2025 23:31
@renovate renovate bot force-pushed the renovate-major-external-major branch from ead7996 to 5041a00 Compare July 29, 2025 14:32