build(deps): bump the npm-dependencies group across 1 directory with 8 updates

[dependabot]

Bumps the npm-dependencies group with 8 updates in the / directory:

Package	From	To
@babel/core	7.29.7	8.0.1
fast-xml-parser	5.8.0	5.9.3
js-yaml	4.2.0	5.1.0
smol-toml	1.6.1	1.7.0
@types/node	25.9.2	26.0.0
eslint	10.4.1	10.5.0
eslint-plugin-import-x	4.16.2	4.17.0
globals	17.6.0	17.7.0

Updates @babel/core from 7.29.7 to 8.0.1

Release notes

Sourced from @​babel/core's releases.

v8.0.1 (2026-06-17)

This release includes a breaking change that was in the Babel 8 migration guide's Getting ready section and in the release post, but the actual removal of the feature from the codebase was accidentally not complete.

💥 Breaking Change

• babel-core, babel-plugin-transform-object-rest-spread, babel-plugin-transform-runtime, babel-preset-env, babel-standalone
  • #18079 Actually remove preset-env's useBuiltIns (@​nicolo-ribaudo)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)

v8.0.0 (2026-06-16)

NOTE: The changelog below is relative to v8.0.0-rc.6. You can find a summary of all the breaking changes shipped in the Babel 8 release line in the migration guide for users and migration guide for plugin developers.

Read the release blog post at http://babeljs.io/blog/2026/06/16/8.0.0!

👓 Spec Compliance

• babel-core
  • #18039 perf: Only extract source map comments at the end of the file (@​liuxingbaoyu)

💥 Breaking Change

• babel-cli, babel-node, babel-plugin-proposal-decorators, babel-plugin-transform-classes, babel-plugin-transform-function-name, babel-plugin-transform-modules-commonjs, babel-plugin-transform-object-rest-spread, babel-plugin-transform-parameters, babel-plugin-transform-react-constant-elements, babel-plugin-transform-regenerator, babel-preset-env, babel-register
  • #18069 Fallback to assuming ESM support with modules: auto (@​nicolo-ribaudo)
• babel-plugin-transform-runtime, babel-runtime-corejs3, babel-runtime
  • #18036 Remove corejs exports for @babe/runtime-corejs3 (@​liuxingbaoyu)
• babel-parser
  • #18034 Remove locations: "packed" (@​liuxingbaoyu)

🐛 Bug Fix

• babel-generator
  • #18046 fix(generator): improve new callee parens check (@​JLHwung)
• babel-plugin-transform-modules-systemjs
  • #18032 fix(systemjs): support proto as an export name (@​JLHwung)

📝 Documentation

• #18070 Add EOL date for Babel 7 (end of June 2027) to SECURITY.md (@​nicolo-ribaudo)

🏠 Internal

• #18018 ci: enforce yarn integrity (@​JLHwung)

🏃‍♀️ Performance

• babel-core
  • #18039 perf: Only extract source map comments at the end of the file (@​liuxingbaoyu)

Committers: 6

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• James Garbutt (@​43081j)

... (truncated)

Changelog

Sourced from @​babel/core's changelog.

v8.0.1 (2026-06-17)

💥 Breaking Change

• babel-core, babel-plugin-transform-object-rest-spread, babel-plugin-transform-runtime, babel-preset-env, babel-standalone
  • #18079 Actually remove preset-env's useBuiltIns (@​nicolo-ribaudo)

v8.0.0 (2026-06-16)

👓 Spec Compliance

• babel-core
  • #18039 perf: Only extract source map comments at the end of the file (@​liuxingbaoyu)

💥 Breaking Change

• babel-cli, babel-node, babel-plugin-proposal-decorators, babel-plugin-transform-classes, babel-plugin-transform-function-name, babel-plugin-transform-modules-commonjs, babel-plugin-transform-object-rest-spread, babel-plugin-transform-parameters, babel-plugin-transform-react-constant-elements, babel-plugin-transform-regenerator, babel-preset-env, babel-register
  • #18069 Fallback to assuming ESM support with modules: auto (@​nicolo-ribaudo)
• babel-plugin-transform-runtime, babel-runtime-corejs3, babel-runtime
  • #18036 Remove corejs exports for @babe/runtime-corejs3 (@​liuxingbaoyu)
• babel-parser
  • #18034 Remove locations: "packed" (@​liuxingbaoyu)

🐛 Bug Fix

• babel-generator
  • #18046 fix(generator): improve new callee parens check (@​JLHwung)
• babel-plugin-transform-modules-systemjs
  • #18032 fix(systemjs): support proto as an export name (@​JLHwung)

📝 Documentation

• #18070 Add EOL date for Babel 7 (end of June 2027) to SECURITY.md (@​nicolo-ribaudo)

🏠 Internal

• #18018 ci: enforce yarn integrity (@​JLHwung)

🏃‍♀️ Performance

• babel-core
  • #18039 perf: Only extract source map comments at the end of the file (@​liuxingbaoyu)

v8.0.0-rc.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18011 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #17999 fix: improve inputSourceMap URL handling (@​JLHwung)
• babel-core, babel-generator
  • #17992 Preserve original identifier names from input sourcemaps (@​Andarist)

🏠 Internal

• babel-core
  • #17970 Always use native Node.js TS support for config files (@​nicolo-ribaudo)
• babel-compat-data, babel-register
  • #17993 chore: use bundled dts for register and eslint-* (@​JLHwung)
• babel-helper-transform-fixture-test-runner, babel-node

... (truncated)

Commits

• b4be199 v8.0.1
• b68b1cb Actually remove preset-env's useBuiltIns (#18079)
• de007ea Avoid trailing zeroes in Babel 9 generated version (#18078)
• 7dc825a v8.0.0
• b71c35a perf: Only extract source map comments at the end of the file (#18039)
• e74b70d chore: Remove unused file (#18033)
• ae57969 chore: consolidate upwards traversal to empathic (#18030)
• 827d003 Change jest snapshotFormat (#18029)
• 34cf24e Update deps (#18023)
• 73bceef v8.0.0-rc.6
• Additional commits viewable in compare view

Updates fast-xml-parser from 5.8.0 to 5.9.3

Release notes

Sourced from fast-xml-parser's releases.

v5.9.3

What's Changed

• Harden GitHub Actions workflows by @​martincostello in NaturalIntelligence/fast-xml-parser#841
• GitHub Actions workflow fixes by @​martincostello in NaturalIntelligence/fast-xml-parser#844

New Contributors

• @​martincostello made their first contribution in NaturalIntelligence/fast-xml-parser#841

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.9.2...v5.9.3

v5.9.2

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.9.1...v5.9.2

v5.9.1

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.9.0...v5.9.1

update strnum, use is-unsafe

• update strnum to 2.3.0
  • you can set hex, binary, enotation, infinity, unicode
• validate unsafe HTML or XML data in doctype entities unsing 'is-unsafe' library. User can override rules by overriding EntityDecoder.

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

*5.9.3 / 2026-06-19

• update strnum

*5.9.2 / 2026-06-17

• dummy release to test changes in github action

*5.9.1 / 2026-06-17

• dummy release to test release from github action

*5.9.0 / 2026-06-15

• update strnum to 2.3.0
  • you can set hex, binary, enotation, infinity, unicode
• validate unsafe HTML or XML data in doctype entities unsing 'is-unsafe' library. User can override rules by overriding EntityDecoder.

*5.8.0 / 2026-05-12

• integrate xml-naming to validate DOCTYPE entity name and notation name (using qname becaue of backward compatibility)
  • This will consider xml-version as well. '1.0' is default
• update strnum to 2.3.0
  • You can set octal and binary parsing which is bydeault off
• update fast-xml-builder to 1.2.0
  • can sanitize tag names if found invalid
  • fix format output

5.7.3 / 2006-05-05

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

5.7.2 / 2026-04-25

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

• fix typo in CJS typing file

5.7.0 / 2026-04-17

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to user entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change

... (truncated)

Commits

• 93a09f1 5.9.3
• 9c1905e update strnum
• 8d71292 GitHub Actions workflow fixes (#844)
• 784a044 Harden GitHub Actions workflows (#841)
• bf9b81a 5.9.2
• 232abf5 update publish action for better security
• 73411fa update checklist
• d57e33b 5.9.1
• 3be603a testing release from Github
• b6c41ea Add GitHub Actions workflow for npm publishing
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for fast-xml-parser since your current version.

Updates js-yaml from 4.2.0 to 5.1.0

Changelog

Sourced from js-yaml's changelog.

[5.1.0] - 2026-06-23

Added

• Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

• [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

• Added named exports for schemas, tags, parser events and AST utilities.
• Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
• Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
• Added dump() transform option for changing the generated AST before rendering.
• Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
• Added formal data layers (events and AST) for modular data pipelines.
  • Added low-level parser (to events), presenter and visitor APIs.
• Added the YAML Test Suite to the test set.

Changed

• See the migration guide for upgrade notes.
• Rewritten in TypeScript and reorganized the public API around flat named exports.
• Reduced the set of exported schemas:
  • YAML 1.2 schemas: CORE_SCHEMA (loader default), JSON_SCHEMA, FAILSAFE_SCHEMA.
  • YAML11_SCHEMA, a combination of all YAML 1.1 tags (YAML 1.1 does not specify a schema, only "types").
• load/dump default behaviour is now specified exactly via schemas:
  • load uses CORE_SCHEMA, without !!merge by default.
  • dump uses YAML11_SCHEMA + CORE_SCHEMA for the quoting check, to guarantee backward compatibility by default.
• !!set is now loaded as a JavaScript Set.
• Replaced the Type API with a tags API. Similar, but more precise and simpler. See examples for details. Tags can be defined via defineScalarTag(), defineSequenceTag() and defineMappingTag(), or as a spread + override of an existing tag.
• Renamed Schema.extend() to Schema.withTags().
• Expanded YAML 1.2 conformance and improved handling of directives, document markers, block keys, multiline scalars, tag syntax and other things.
• load() now throws on empty input instead of returning undefined.
• Moved browser builds to the js-yaml/browser export.

... (truncated)

Commits

• f1e45cd 5.1.0 released
• 53b22be Fix constructor coverage
• a1eaa2b Fix quote style options and restore forceQuotes
• 0532e7d Add finalizers for immutable collection tags
• 9f00b91 tests: drop the rest of issues tests, move a small fraction of useful checks ...
• 6be5d46 tests: drop not actual or duplicating issue tests (covered in other places)
• a7c9766 Fix !!pairs coverage
• 75148bc 5.0.0 released
• 704b25d Quote document markers followed by whitespace
• 42dea28 Support complex !!pairs keys with realMapTag
• Additional commits viewable in compare view

Updates smol-toml from 1.6.1 to 1.7.0

Release notes

Sourced from smol-toml's releases.

v1.7.0

This version slightly changes the behaviour of stringify: integers beyond the safe range are always emitted as float numbers.

String decode logic has been rewritten, it is a bit faster now and uses a single-pass approach instead of a dual-pass approach as it did previously. The code should be a bit smaller too, though I didn't actually measure that.

The package is now published with source-maps, declaration-maps, and a copy of the original TypeScript source files. This will improve your DX if you're like me and like Ctrl+Click'ing things a lot. ;)

What's Changed

• improve performance of the string decode logic by @​cyyynthia
• fix(stringify): emit integer-valued numbers beyond the safe-integer range as floats by @​spokodev in squirrelchat/smol-toml#56
• publish source-maps, declaration-maps, and original source files by @​cyyynthia
• miscellaneous repository maintenance tasks by @​cyyynthia

New Contributors

• @​spokodev made their first contribution in squirrelchat/smol-toml#56

Full Changelog: squirrelchat/smol-toml@v1.6.1...v1.7.0

Commits

• a62f06f revert: keep using vite 7
• 89aa9a3 chore: remove prepare script
• 17c7974 chore: make devEngine more lax w/ node version
• e5280a3 ci: checkout repo first
• 241c256 chore: version bump
• 0bfe7f4 chore: build cjs with rolldown instead of esbuild
• e0620ab chore: fmt
• 96114cb test: add tests for large integers
• f4537b6 fix: handle missed edge-cases in string parse
• 7b39aed chore: include source files in published package
• Additional commits viewable in compare view

Updates @types/node from 25.9.2 to 26.0.0

Commits

• See full diff in compare view

Updates eslint from 10.4.1 to 10.5.0

Release notes

Sourced from eslint's releases.

v10.5.0

Features

• 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#20973) (Pixel998)
• b565783 feat: report no-with violations at the with keyword (#20971) (Pixel998)
• 2ce032f feat: report max-lines-per-function violations at function head (#20966) (Pixel998)
• 732cb3e feat: report max-nested-callbacks violations at function head (#20967) (Pixel998)
• f9c138a feat: report max-depth violations on keywords (#20943) (Pixel998)
• bdb496c feat: correct max-depth handling for else-if chains (#20944) (Pixel998)
• c296873 feat: update error loc in max-statements to function header (#20907) (Taejin Kim)

Documentation

• 8ae1b5b docs: Update README (GitHub Actions Bot)
• ca7eb90 docs: update Node.js prerequisites to include ICU support (#20962) (Francesco Trotta)
• f99b47a docs: Update README (GitHub Actions Bot)
• acf03d4 docs: clarify precedence of parserOptions over languageOptions (#20926) (sethamus)

Chores

• b18bf58 chore: update ecosystem plugins (#20959) (ESLint Bot)
• c2d1444 refactor: replace areAllSegmentsUnreachable with !isAnySegmentReachable (#20951) (Taejin Kim)
• 243b8c5 chore: enhance config-rule to support oneOf, anyOf, and nested schemas (#20788) (kuldeep kumar)
• 217b2a9 test: add unit tests for ParserService (#20949) (Taejin Kim)
• 72003e7 test: add location information to error messages in max-statements (#20945) (lumir)
• 7797c26 refactor: deduplicate isAnySegmentReachable across rules (#20890) (Taejin Kim)
• 67c46fa chore: update ecosystem plugins (#20938) (ESLint Bot)
• 95d8c7a chore: update dependency @​eslint/json to v2 (#20934) (renovate[bot])
• cf9e496 chore: update @​arethetypeswrong/cli to 0.18.3 (#20933) (Pixel998)
• fb6d396 test: run type tests with TypeScript 7 (#20868) (sethamus)

Commits

• de3b672 10.5.0
• 362a518 Build: changelog update for 10.5.0
• 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#20973)
• b565783 feat: report no-with violations at the with keyword (#20971)
• 2ce032f feat: report max-lines-per-function violations at function head (#20966)
• 732cb3e feat: report max-nested-callbacks violations at function head (#20967)
• f9c138a feat: report max-depth violations on keywords (#20943)
• 8ae1b5b docs: Update README
• ca7eb90 docs: update Node.js prerequisites to include ICU support (#20962)
• b18bf58 chore: update ecosystem plugins (#20959)
• Additional commits viewable in compare view

Updates eslint-plugin-import-x from 4.16.2 to 4.17.0

Release notes

Sourced from eslint-plugin-import-x's releases.

v4.17.0

Minor Changes

• #474 4b2c0c5 Thanks @​regseb! - Support RegExp in the import-x/ignore setting and the ignore option of the no-unresolved rule.

Patch Changes

• #494 1c84235 Thanks @​morgan-coded! - Fixed no-unresolved crashing when case-sensitive path checks encounter EACCES or EPERM on an ancestor directory.

• #481 3e13121 Thanks @​B4nan! - fix: memoize legacyNodeResolve resolver to avoid native memory leak

• #484 9a07009 Thanks @​sairus2k! - Make the extensions rule check Node.js subpath imports (specifiers starting with #, e.g. #utils/helper). Previously parsePath treated a leading # as a URL hash fragment, so the rule skipped extension validation for these imports.

  Note: single-segment subpath imports without a slash (e.g. #dep) are still skipped by the existing external-root-module classification; fixing that is deferred to avoid expanding scope.

• #468 240ed58 Thanks @​silverwind! - Make extensions handle .d.ts correctly

• #479 e3cc7e4 Thanks @​mrginglymus! - fix: strip querystrings and hash fragments when checking for file existence

• #476 fce29b1 Thanks @​nbouvrette! - fix(deps): replace @​package-json/types with an inline minimal type

Changelog

Sourced from eslint-plugin-import-x's changelog.

4.17.0

Minor Changes

• #474 4b2c0c5 Thanks @​regseb! - Support RegExp in the import-x/ignore setting and the ignore option of the no-unresolved rule.

Patch Changes

• #494 1c84235 Thanks @​morgan-coded! - Fixed no-unresolved crashing when case-sensitive path checks encounter EACCES or EPERM on an ancestor directory.

• #481 3e13121 Thanks @​B4nan! - fix: memoize legacyNodeResolve resolver to avoid native memory leak

• #484 9a07009 Thanks @​sairus2k! - Make the extensions rule check Node.js subpath imports (specifiers starting with #, e.g. #utils/helper). Previously parsePath treated a leading # as a URL hash fragment, so the rule skipped extension validation for these imports.

  Note: single-segment subpath imports without a slash (e.g. #dep) are still skipped by the existing external-root-module classification; fixing that is deferred to avoid expanding scope.

• #468 240ed58 Thanks @​silverwind! - Make extensions handle .d.ts correctly

• #479 e3cc7e4 Thanks @​mrginglymus! - fix: strip querystrings and hash fragments when checking for file existence

• #476 fce29b1 Thanks @​nbouvrette! - fix(deps): replace @​package-json/types with an inline minimal type

Commits

• 7578513 chore: release eslint-plugin-import-x (#472)
• e3cc7e4 fix: strip querystrings and hash fragments when checking for file existence (...
• 9a07009 fix: make extensions rule check Node.js subpath imports (#484)
• 3e13121 fix: memoize legacyNodeResolve resolver to avoid native memory leak (#481)
• fce29b1 fix(deps): replace @​package-json/types with an inline minimal type (#476)
• 1c84235 fix: handle access errors during case checks (#494)
• 96222bf chore: drop unused tmp (#487)
• 4b2c0c5 feat: support RegExp in ignore (#474)
• 240ed58 fix: make extensions rule handle .d.ts correctly (#468)
• See full diff in compare view

Updates globals from 17.6.0 to 17.7.0

Release notes

Sourced from globals's releases.

v17.7.0

• Update globals (2026-06-22) (#345) 33b75f9

---

sindresorhus/globals@v17.6.0...v17.7.0

Commits

• a19670c 17.7.0
• 9611620 Update actions (#346)
• 33b75f9 Update globals (2026-06-22) (#345)
• 887dd52 Fix build script (#344)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions