Skip to content

Bump glob and lerna #17472

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
deltakosh merged 1 commit into from
Nov 18, 2025
Merged

Bump glob and lerna #17472

deltakosh merged 1 commit into from
Nov 18, 2025

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Nov 18, 2025

Bumps glob to 12.0.0 and updates ancestor dependencies glob and lerna. These dependencies need to be updated together.

Updates glob from 10.4.5 to 12.0.0

Changelog

Sourced from glob's changelog.

changeglob

12

  • Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

  • Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
  • Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.
  • Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

  • Drop support for node before v20

10.4

  • Add includeChildMatches: false option
  • Export the Ignore class

10.3

  • Add --default -p flag to provide a default pattern
  • exclude symbolic links to directories when follow and nodir are both set

10.2

  • Add glob cli

10.1

  • Return '.' instead of the empty string '' when the current working directory is returned as a match.
  • Add posix: true option to return / delimited paths, even on Windows.

10.0.0

  • No default exports, only named exports

... (truncated)

Commits
  • 2b03cca 12.0.0
  • d56203d prettier config
  • bb521e5 Remove --shell option where unsafe to use
  • 2551fb5 11.1.0
  • 47473c0 bin: Do not expose filenames to shell expansion
  • bc33fe1 skip tilde test on systems that lack tilde expansion
  • 59bf9ca fix notes
  • dde4fa6 docs(README): add #anchor and improve notes
  • 0559b0e docs: add better links to path-scurry docs
  • c9773c2 fix: correct typos in README.md
  • Additional commits viewable in compare view

Updates glob from 11.0.2 to 11.1.0

Changelog

Sourced from glob's changelog.

changeglob

12

  • Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

  • Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
  • Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.
  • Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

  • Drop support for node before v20

10.4

  • Add includeChildMatches: false option
  • Export the Ignore class

10.3

  • Add --default -p flag to provide a default pattern
  • exclude symbolic links to directories when follow and nodir are both set

10.2

  • Add glob cli

10.1

  • Return '.' instead of the empty string '' when the current working directory is returned as a match.
  • Add posix: true option to return / delimited paths, even on Windows.

10.0.0

  • No default exports, only named exports

... (truncated)

Commits
  • 2b03cca 12.0.0
  • d56203d prettier config
  • bb521e5 Remove --shell option where unsafe to use
  • 2551fb5 11.1.0
  • 47473c0 bin: Do not expose filenames to shell expansion
  • bc33fe1 skip tilde test on systems that lack tilde expansion
  • 59bf9ca fix notes
  • dde4fa6 docs(README): add #anchor and improve notes
  • 0559b0e docs: add better links to path-scurry docs
  • c9773c2 fix: correct typos in README.md
  • Additional commits viewable in compare view

Updates lerna from 8.2.2 to 9.0.1

Release notes

Sourced from lerna's releases.

v9.0.1

9.0.1 (2025-11-14)

Bug Fixes

  • expand version range to include nx v22.x (#4242) (0cca286)

v9.0.0

9.0.0 (2025-09-23)

Bug Fixes

  • publish: ensure README file names are populated on package.json (#4211) (362875d)

Features

  • support OIDC trusted publishing (d51e344)

OIDC trusted publishing is now supported by Lerna with no specification configuration required.

BREAKING CHANGES

After updating we strongly recommend running lerna repair in your project. This will migrate your lerna.json to the latest and greatest and remove any outdated options.

As this is a major release there are a few breaking changes to be aware of, which may or may not affect your lerna repos, depending on how you are using the tool.

  • node v18 support is dropped because it is end of life

When a node version becomes end of life (EOL) it means that it does not receive any updates or maintenance whatsoever, even if critical security vulnerabilities have been uncovered.

We strongly encourage all folks here to keep up with the maintenance LTS version of Node at an absolute minimum:

https://github.com/nodejs/release#release-schedule

The versions of node supported by lerna are now ^20.19.0 || ^22.12.0 || >=24.0.0.

  • The @​lerna/legacy-package-management package has been formally removed after 2 years of deprecation.

If you are still using lerna add, lerna bootstrap or lerna link commands, please migrate to using your package manager's long-supported workspaces feature. The updated guide should help with this https://lerna.js.org/docs/legacy-package-management**

v8.2.4

8.2.4 (2025-07-27)

Bug Fixes

... (truncated)

Changelog

Sourced from lerna's changelog.

9.0.1 (2025-11-14)

Bug Fixes

  • expand version range to include nx v22.x (#4242) (0cca286)

9.0.0 (2025-09-23)

Bug Fixes

  • publish: ensure README file names are populated on package.json (#4211) (362875d)

Features

  • support OIDC trusted publishing (d51e344)

OIDC trusted publishing is now supported by Lerna with no specification configuration required.

BREAKING CHANGES

After updating we strongly recommend running lerna repair in your project. This will migrate your lerna.json to the latest and greatest and remove any outdated options.

As this is a major release there are a few breaking changes to be aware of, which may or may not affect your lerna repos, depending on how you are using the tool.

  • node v18 support is dropped because it is end of life

When a node version becomes end of life (EOL) it means that it does not receive any updates or maintenance whatsoever, even if critical security vulnerabilities have been uncovered.

We strongly encourage all folks here to keep up with the maintenance LTS version of Node at an absolute minimum:

https://github.com/nodejs/release#release-schedule

The versions of node supported by lerna are now ^20.19.0 || ^22.12.0 || >=24.0.0.

  • The @​lerna/legacy-package-management package has been formally removed after 2 years of deprecation.

If you are still using lerna add, lerna bootstrap or lerna link commands, please migrate to using your package manager's long-supported workspaces feature. The updated guide should help with this https://lerna.js.org/docs/legacy-package-management**

8.2.4 (2025-07-27)

Bug Fixes

8.2.3 (2025-06-29)

Bug Fixes

... (truncated)

Commits
  • 9df335a chore(misc): publish 9.0.1
  • 0cca286 fix: expand version range to include nx v22.x (#4242)
  • 4c547b7 chore: publish v9.0.0
  • d51e344 feat: support OIDC trusted publishing
  • 96095e2 feat!: drop EOL node 18, modernize dependencies, node now "^20.19.0 || ^22.12...
  • cf0f8e0 feat!: remove @​lerna/legacy-package-management after 2 years of deprecation
  • a53a6dd refactor: use native object spreading (#4216)
  • d2ced36 chore: update uuid to v11 (#4213)
  • 61e4bc2 chore(misc): publish 8.2.4
  • 8211512 fix: remove all remaining lodash usage (#4207)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump glob and lerna
cd88414 
Bumps [glob](https://github.com/isaacs/node-glob) to 12.0.0 and updates ancestor dependencies [glob](https://github.com/isaacs/node-glob) and [lerna](https://github.com/lerna/lerna/tree/HEAD/packages/lerna). These dependencies need to be updated together.


Updates `glob` from 10.4.5 to 12.0.0
- [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
- [Commits](isaacs/node-glob@v10.4.5...v12.0.0)

Updates `glob` from 11.0.2 to 11.1.0
- [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
- [Commits](isaacs/node-glob@v10.4.5...v12.0.0)

Updates `lerna` from 8.2.2 to 9.0.1
- [Release notes](https://github.com/lerna/lerna/releases)
- [Changelog](https://github.com/lerna/lerna/blob/main/packages/lerna/CHANGELOG.md)
- [Commits](https://github.com/lerna/lerna/commits/v9.0.1/packages/lerna)

---
updated-dependencies:
- dependency-name: glob
  dependency-version: 12.0.0
  dependency-type: direct:development
- dependency-name: glob
  dependency-version: 11.1.0
  dependency-type: indirect
- dependency-name: lerna
  dependency-version: 9.0.1
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Nov 18, 2025
@bjsplat
Copy link
Collaborator

bjsplat commented Nov 18, 2025

Please make sure to label your PR with "bug", "new feature" or "breaking change" label(s).
To prevent this PR from going to the changelog marked it with the "skip changelog" label.

@bjsplat
Copy link
Collaborator

bjsplat commented Nov 18, 2025

Reviewer - this PR has made changes to one or more package.json files.

@bjsplat
Copy link
Collaborator

bjsplat commented Nov 18, 2025

Snapshot stored with reference name:
refs/pull/17472/merge

Test environment:
https://snapshots-cvgtc2eugrd3cgfd.z01.azurefd.net/refs/pull/17472/merge/index.html

To test a playground add it to the URL, for example:

https://snapshots-cvgtc2eugrd3cgfd.z01.azurefd.net/refs/pull/17472/merge/index.html#WGZLGJ#4600

Links to test babylon tools with this snapshot:

https://playground.babylonjs.com/?snapshot=refs/pull/17472/merge
https://sandbox.babylonjs.com/?snapshot=refs/pull/17472/merge
https://gui.babylonjs.com/?snapshot=refs/pull/17472/merge
https://nme.babylonjs.com/?snapshot=refs/pull/17472/merge

To test the snapshot in the playground with a playground ID add it after the snapshot query string:

https://playground.babylonjs.com/?snapshot=refs/pull/17472/merge#BCU1XR#0

@bjsplat
Copy link
Collaborator

bjsplat commented Nov 18, 2025

Interaction tests

https://snapshots-cvgtc2eugrd3cgfd.z01.azurefd.net/refs/pull/17472/merge/testResults/interactionplaywright/index.html

@bjsplat
Copy link
Collaborator

bjsplat commented Nov 18, 2025

Devhost visualization test reporter:

https://snapshots-cvgtc2eugrd3cgfd.z01.azurefd.net/refs/pull/17472/merge/testResults/devhostplaywright/index.html

@bjsplat
Copy link
Collaborator

bjsplat commented Nov 18, 2025

Visualization tests for WebGPU

https://snapshots-cvgtc2eugrd3cgfd.z01.azurefd.net/refs/pull/17472/merge/testResults/webgpuplaywright/index.html

@bjsplat
Copy link
Collaborator

bjsplat commented Nov 18, 2025

WebGL2 visualization test reporter:

https://snapshots-cvgtc2eugrd3cgfd.z01.azurefd.net/refs/pull/17472/merge/testResults/webgl2playwright/index.html

@deltakosh deltakosh merged commit a1ce234 into master Nov 18, 2025
20 checks passed
@deltakosh deltakosh deleted the dependabot/npm_and_yarn/multi-9c39654c66 branch November 18, 2025 17:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deltakosh deltakosh deltakosh approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bjsplat @deltakosh