🚨 [security] [spiderpromises3] Update snyk 1.639.0 → 1.1299.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ snyk (1.639.0 → 1.1299.0) · Repo

Security Advisories 🚨

🚨 Snyk CLI Insertion of Sensitive Information into Log File allowed in DEBUG or DEBUG/TRACE mode

Versions of the package snyk before 1.1297.3 are vulnerable to Insertion of Sensitive Information into Log File through local Snyk CLI debug logs. Container Registry credentials provided via environment variables or command line arguments can be exposed when executing Snyk CLI in DEBUG or DEBUG/TRACE mode.

The issue affects the following Snyk commands:

1. When snyk container test or snyk container monitor commands are run against a container registry, with debug mode enabled, the container registry credentials may be written into the local Snyk CLI debug log. This only happens with credentials specified in environment variables (SNYK_REGISTRY_USERNAME and SNYK_REGISTRY_PASSWORD), or in the CLI (--password/-p and --username/-u).

2. When snyk auth command is executed with debug mode enabled AND the log level is set to TRACE, the Snyk access / refresh credential tokens used to connect the CLI to Snyk may be written into the local CLI debug logs.

3. When snyk iac test is executed with a Remote IAC Custom rules bundle, debug mode enabled, AND the log level is set to TRACE, the docker registry token may be written into the local CLI debug logs.

🚨 snyk Code Injection vulnerability

The package snyk before 1.1064.0 is vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This vulnerability may be triggered when running the the CLI tool directly, or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation of this issue would likely require some level of social engineering - to coerce an untrusted project to be downloaded and analyzed via the Snyk CLI or opened in an IDE where a Snyk IDE plugin is installed and enabled. Additionally, if the IDE has a Trust feature then the target folder must be marked as ‘trusted’ in order to be vulnerable.

NOTE: This issue is independent of the one reported in CVE-2022-40764, and upgrading to a fixed version for this addresses that issue as well.

The affected IDE plugins and versions are:

• VS Code - Affected: <=1.8.0, Fixed: 1.9.0
• IntelliJ - Affected: <=2.4.47, Fixed: 2.4.48
• Visual Studio - Affected: <=1.1.30, Fixed: 1.1.31
• Eclipse - Affected: <=v20221115.132308, Fixed: All subsequent versions
• Language Server - Affected: <=v20221109.114426, Fixed: All subsequent versions

🚨 Snyk plugins vulnerable to Command Injection

The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before 3.24.5; the package @snyk/snyk-cocoapods-plugin before 2.5.3; the package snyk-sbt-plugin before 2.16.2; the package snyk-python-plugin before 1.24.2; the package snyk-docker-plugin before 5.6.5; the package @snyk/snyk-hex-plugin before 1.1.6 are vulnerable to Command Injection due to an incomplete fix for CVE-2022-40764. A successful exploit allows attackers to run arbitrary commands on the host system where the Snyk CLI is installed by passing in crafted command line flags. In order to exploit this vulnerability, a user would have to execute the snyk test command on untrusted files. In most cases, an attacker positioned to control the command line arguments to the Snyk CLI would already be positioned to execute arbitrary commands. However, this could be abused in specific scenarios, such as continuous integration pipelines, where developers can control the arguments passed to the Snyk CLI to leverage this component as part of a wider attack against an integration/build pipeline. This issue has been addressed in the latest Snyk Docker images available at https://hub.docker.com/r/snyk/snyk as of 2022-11-29. Images downloaded and built prior to that date should be updated. The issue has also been addressed in the Snyk TeamCity CI/CD plugin as of version v20221130.093605.

🚨 Snyk CLI affected by Command Injection vulnerability

Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 37 commits:

• Merge pull request #6148 from snyk/dotkas/final-cherry-picks
• chore: skip sbom reachability user journey test
• fix: Fix reduced configuration cache usage
• chore(ci): update CICD experimental_cli_download_base_url parameter
• fix: upgrade to go 1.24.6
• Merge pull request #6140 from snyk/dotkas/more-cherrypicks
• fix: conforming the way we take precedence of auth config values
• Merge pull request #6129 from snyk/dotkas/cherry-picks-for-release-candidate
• fix: fixing host auto-detection bug in snyk auth
• feat: add linux static experimental binary
• chore: update release notes
• chore: automatic integration of language server 2b91030231735d5dd2f429a629af70f739212f12
• fix: display error details for all project scans on failing targets
• fix: Use snyk-code-0006 for sast consistently
• fix: adapt input directory handling to preserve whitespaces
• chore: preserve original exit code
• chore: automatic integration of language server 5d3370cf004d2013013987810b0e76fb9ccb75e7
• fix: resolve project assets file path dynamically
• fix: Increase tolerance for invalid input directories
• chore: automatic integration of language server 1a23ca41eefbfb6685deb48bde6363ba69d946b6
• Merge pull request #6113 from snyk/tmp/1755517843-release-candidate
• chore: updating release notes
• Merge branch 'release-candidate' into tmp/1755517843-release-candidate
• docs: update release notes
• Merge pull request #6112 from snyk/fix/CVE-2025-8959
• fix(dependency): Fix CVE-2025-8959 by upgrading go-getter
• Merge pull request #6107 from snyk/chore/automatic-upgrade-of-ls
• chore: automatic integration of language server 26a722dfc7be7d0b2b1714c82b2f736a8453e8d8
• Merge pull request #6106 from snyk/chore/support_integration_arg
• chore: add --integration-name argument
• Merge pull request #6102 from snyk/dotkas/consolidate-secrets
• chore: unify Github SA secrets
• Merge pull request #6087 from snyk/chore/CLI-1006_iaw_uses_org_settings
• chore: iaw uses org settings instead of a feature flag
• Merge pull request #6101 from snyk/feat/update-cli-extension-os-flows
• Merge pull request #6104 from snyk/release/1.1298
• fix: sbom test --reachability without git context

↗️ boolean (indirect, 3.1.2 → 3.2.0) · Repo · Changelog

Release Notes

3.2.0 (from changelog)

Features

• Introduce isBooleanable function. (#341) (e2ecfb3)

3.1.4 (from changelog)

Bug Fixes

• Downgrade workflows to Node 14. (#319) (072b068)
• Rollback versions and remove engines field. (#318) (145dfcf)

3.1.3 (from changelog)

Bug Fixes

• bump path-parse from 1.0.6 to 1.0.7 (#316) (0817f9d)

Does any of this look wrong? Please let us know.

↗️ global-agent (indirect, 2.2.0 → 3.0.0) · Repo

Release Notes

3.0.0

3.0.0 (2021-07-23)

Bug Fixes

• remove unused core-js dependency to shrink the package by 80+% (ee7d160)

BREAKING CHANGES

• Shouldn't be a breaking change. Bumping major version as a precaution.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 2 commits:

• fix: remove unused core-js dependency to shrink the package by 80+%
• Remove core-js, since it's currently unused

↗️ globalthis (indirect, 1.0.2 → 1.0.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 23 commits:

• v1.0.4
• [Dev Deps] add missing `npmignore` dep
• [actions] remove redundant finisher
• [Refactor] use `gopd`
• [Deps] update `define-properties`
• [Dev Deps] update `@es-shims/api`, `@ljharb/eslint-config`, `aud`, `tape`
• [Deps] update `define-properties`
• [Dev Deps] update `aud`, `tape`
• [actions] update rebase action to use reusable workflow
• v1.0.3
• [Tests] nycignore `dist`
• [Fix] `globalThis` should be writable
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `tape`
• [actions] reuse common workflows
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `safe-publish-latest`, `tape`
• [actions] update codecov uploader
• [readme] add github actions/codecov badges
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `auto-changelog`, `tape`
• [Dev Deps] update `aud`, `eslint`, `tape`
• [actions] use `node/install` instead of `node/run`; use `codecov` action
• [meta] use `prepublishOnly` script for npm 7+
• [meta] gitignore coverage output

↗️ semver (indirect, 6.3.0 → 7.7.2) · Repo · Changelog

Security Advisories 🚨

🚨 semver vulnerable to Regular Expression Denial of Service

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

🚨 semver vulnerable to Regular Expression Denial of Service

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sprintf-js (indirect, 1.1.2 → 1.1.3) · Repo · Changelog

Release Notes

1.1.3 (from changelog)

• fix LICENSE name

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:

• Merge pull request #227 from alexei/feat-new_release
• fix: update deps, bump version for a new release
• Merge pull request #226 from alexei/fix-licensing
• fix(license): update license name in README
• Merge pull request #212 from BigBlueHat/patch-1
• Make bower.json declaration match LICENSE
• Merge pull request #197 from alexei/fix-typo
• fix: typo
• Merge pull request #195 from timgates42/bugfix_typo_precede
• Update CONTRIBUTORS.md
• docs: Fix simple typo, preceed -> precede

⁉️ type-fest (downgrade, 0.21.3 → 0.13.1) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Sorry, we couldn't find anything useful about this release.

🆕 @​sentry-internal/tracing (added, 7.120.4)

🆕 @​sentry/core (added, 7.120.4)

🆕 @​sentry/integrations (added, 7.120.4)

🆕 @​sentry/node (added, 7.120.4)

🆕 @​sentry/types (added, 7.120.4)

🆕 @​sentry/utils (added, 7.120.4)

🆕 define-data-property (added, 1.1.4)

🆕 es-define-property (added, 1.0.1)

🆕 es-errors (added, 1.3.0)

🆕 gopd (added, 1.2.0)

🆕 has-property-descriptors (added, 1.0.2)

🆕 localforage (added, 1.10.0)

🗑️ @​arcanis/slice-ansi (removed)

🗑️ @​deepcode/dcignore (removed)

🗑️ @​nodelib/fs.scandir (removed)

🗑️ @​nodelib/fs.stat (removed)

🗑️ @​nodelib/fs.walk (removed)

🗑️ @​octetstream/promisify (removed)

🗑️ @​open-policy-agent/opa-wasm (removed)

🗑️ @​sindresorhus/is (removed)

🗑️ @​snyk/child-process (removed)

🗑️ @​snyk/cli-interface (removed)

🗑️ @​snyk/cloud-config-parser (removed)

🗑️ @​snyk/cocoapods-lockfile-parser (removed)

🗑️ @​snyk/code-client (removed)

🗑️ @​snyk/composer-lockfile-parser (removed)

🗑️ @​snyk/dep-graph (removed)

🗑️ @​snyk/docker-registry-v2-client (removed)

🗑️ @​snyk/fast-glob (removed)

🗑️ @​snyk/fix (removed)

🗑️ @​snyk/fix-pipenv-pipfile (removed)

🗑️ @​snyk/fix-poetry (removed)

🗑️ @​snyk/gemfile (removed)

🗑️ @​snyk/glob-parent (removed)

🗑️ @​snyk/graphlib (removed)

🗑️ @​snyk/inquirer (removed)

🗑️ @​snyk/java-call-graph-builder (removed)

🗑️ @​snyk/mix-parser (removed)

🗑️ @​snyk/rpm-parser (removed)

🗑️ @​snyk/snyk-cocoapods-plugin (removed)

🗑️ @​snyk/snyk-docker-pull (removed)

🗑️ @​snyk/snyk-hex-plugin (removed)

🗑️ @​szmarczak/http-timer (removed)

🗑️ @​types/cacheable-request (removed)

🗑️ @​types/debug (removed)

🗑️ @​types/emscripten (removed)

🗑️ @​types/flat-cache (removed)

🗑️ @​types/graphlib (removed)

🗑️ @​types/http-cache-semantics (removed)

🗑️ @​types/js-yaml (removed)

🗑️ @​types/keyv (removed)

🗑️ @​types/lodash (removed)

🗑️ @​types/lodash.chunk (removed)

🗑️ @​types/lodash.omit (removed)

🗑️ @​types/lodash.union (removed)

🗑️ @​types/minimatch (removed)

🗑️ @​types/node (removed)

🗑️ @​types/responselike (removed)

🗑️ @​types/sarif (removed)

🗑️ @​types/semver (removed)

🗑️ @​types/treeify (removed)

🗑️ @​types/uuid (removed)

🗑️ @​yarnpkg/core (removed)

🗑️ @​yarnpkg/fslib (removed)

🗑️ @​yarnpkg/json-proxy (removed)

🗑️ @​yarnpkg/libzip (removed)

🗑️ @​yarnpkg/lockfile (removed)

🗑️ @​yarnpkg/parsers (removed)

🗑️ @​yarnpkg/pnp (removed)

🗑️ @​yarnpkg/shell (removed)

🗑️ abbrev (removed)

🗑️ aggregate-error (removed)

🗑️ ansi-align (removed)

🗑️ ansi-escapes (removed)

🗑️ ansi-regex (removed)

🗑️ ansicolors (removed)

🗑️ any-promise (removed)

🗑️ archy (removed)

🗑️ argparse (removed)

🗑️ array-differ (removed)

🗑️ array-union (removed)

🗑️ arrify (removed)

🗑️ asap (removed)

🗑️ async (removed)

🗑️ axios (removed)

🗑️ balanced-match (removed)

🗑️ base64-js (removed)

🗑️ binjumper (removed)

🗑️ bl (removed)

🗑️ bottleneck (removed)

🗑️ boxen (removed)

🗑️ brace-expansion (removed)

🗑️ braces (removed)

🗑️ browserify-zlib (removed)

🗑️ buffer (removed)

🗑️ buffer-from (removed)

🗑️ cacheable-lookup (removed)

🗑️ cacheable-request (removed)

🗑️ camelcase (removed)

🗑️ chardet (removed)

🗑️ child-process (removed)

🗑️ chownr (removed)

🗑️ ci-info (removed)

🗑️ clean-stack (removed)

🗑️ cli-boxes (removed)

🗑️ cli-cursor (removed)

🗑️ cli-spinner (removed)

🗑️ cli-spinners (removed)

🗑️ cli-width (removed)

🗑️ clipanion (removed)

🗑️ clone (removed)

🗑️ clone-response (removed)

🗑️ concat-map (removed)

🗑️ configstore (removed)

🗑️ core-js (removed)

🗑️ cross-spawn (removed)

🗑️ crypto-random-string (removed)

🗑️ decompress-response (removed)

🗑️ defaults (removed)

🗑️ defer-to-connect (removed)

🗑️ del (removed)

🗑️ diff (removed)

🗑️ dir-glob (removed)

🗑️ docker-modem (removed)

🗑️ dockerfile-ast (removed)

🗑️ dot-prop (removed)

🗑️ dotnet-deps-parser (removed)

🗑️ duplexer3 (removed)

🗑️ duplexify (removed)

🗑️ elfy (removed)

🗑️ email-validator (removed)

🗑️ emoji-regex (removed)

🗑️ end-of-stream (removed)

🗑️ endian-reader (removed)

🗑️ escape-goat (removed)

🗑️ esprima (removed)

🗑️ event-loop-spinner (removed)

🗑️ execa (removed)

🗑️ external-editor (removed)

🗑️ fast-glob (removed)

🗑️ fastq (removed)

🗑️ figures (removed)

🗑️ fill-range (removed)

🗑️ follow-redirects (removed)

🗑️ fs-constants (removed)

🗑️ fs-minipass (removed)

🗑️ fs.realpath (removed)

🗑️ get-stream (removed)

🗑️ glob (removed)

🗑️ glob-parent (removed)

🗑️ global-dirs (removed)

🗑️ globby (removed)

🗑️ got (removed)

🗑️ graceful-fs (removed)

🗑️ grapheme-splitter (removed)

🗑️ gunzip-maybe (removed)

🗑️ has-yarn (removed)

🗑️ hosted-git-info (removed)

🗑️ http-cache-semantics (removed)

🗑️ http2-wrapper (removed)

🗑️ iconv-lite (removed)

🗑️ ieee754 (removed)

🗑️ ignore (removed)

🗑️ import-lazy (removed)

🗑️ imurmurhash (removed)

🗑️ indent-string (removed)

🗑️ inflight (removed)

🗑️ ini (removed)

🗑️ is (removed)

🗑️ is-ci (removed)

🗑️ is-deflate (removed)

🗑️ is-docker (removed)

🗑️ is-extglob (removed)

🗑️ is-fullwidth-code-point (removed)

🗑️ is-glob (removed)

🗑️ is-gzip (removed)

🗑️ is-installed-globally (removed)

🗑️ is-interactive (removed)

🗑️ is-npm (removed)

🗑️ is-number (removed)

🗑️ is-obj (removed)

🗑️ is-path-cwd (removed)

🗑️ is-path-inside (removed)

🗑️ is-stream (removed)

🗑️ is-unicode-supported (removed)

🗑️ is-wsl (removed)

🗑️ is-yarn-global (removed)

🗑️ isarray (removed)

🗑️ isexe (removed)

🗑️ js-yaml (removed)

🗑️ json-buffer (removed)

🗑️ json-file-plus (removed)

🗑️ jszip (removed)

🗑️ keyv (removed)

🗑️ latest-version (removed)

🗑️ lodash (removed)

🗑️ lodash.assign (removed)

🗑️ lodash.chunk (removed)

🗑️ lodash.clone (removed)

🗑️ lodash.clonedeep (removed)

🗑️ lodash.constant (removed)

🗑️ lodash.find (removed)

🗑️ lodash.findindex (removed)

🗑️ lodash.findkey (removed)

🗑️ lodash.flatmap (removed)

🗑️ lodash.flattendeep (removed)

🗑️ lodash.get (removed)

🗑️ lodash.groupby (removed)

🗑️ lodash.has (removed)

🗑️ lodash.invert (removed)

🗑️ lodash.isboolean (removed)

🗑️ lodash.isempty (removed)

🗑️ lodash.isequal (removed)

🗑️ lodash.isfunction (removed)

🗑️ lodash.isnumber (removed)

🗑️ lodash.isobject (removed)

🗑️ lodash.isplainobject (removed)

🗑️ lodash.isstring (removed)

🗑️ lodash.isundefined (removed)

🗑️ lodash.keys (removed)

🗑️ lodash.last (removed)

🗑️ lodash.omit (removed)

🗑️ lodash.orderby (removed)

🗑️ lodash.set (removed)

🗑️ lodash.size (removed)

🗑️ lodash.sortby (removed)

🗑️ lodash.sum (removed)

🗑️ lodash.topairs (removed)

🗑️ lodash.transform (removed)

🗑️ lodash.union (removed)

🗑️ lodash.uniq (removed)

🗑️ lodash.upperfirst (removed)

🗑️ lodash.values (removed)

🗑️ log-symbols (removed)

🗑️ lowercase-keys (removed)

🗑️ lru-cache (removed)

🗑️ macos-release (removed)

🗑️ make-dir (removed)

🗑️ merge2 (removed)

🗑️ micromatch (removed)

🗑️ mimic-fn (removed)

🗑️ mimic-response (removed)

🗑️ minimatch (removed)

🗑️ minipass (removed)

🗑️ minizlib (removed)

🗑️ ms (removed)

🗑️ multimatch (removed)

🗑️ mute-stream (removed)

🗑️ needle (removed)

🗑️ nice-try (removed)

🗑️ node.extend (removed)

🗑️ normalize-url (removed)

🗑️ npm-run-path (removed)

🗑️ object-hash (removed)

🗑️ once (removed)

🗑️ onetime (removed)

🗑️ open (removed)

🗑️ ora (removed)

🗑️ os-name (removed)

🗑️ os-tmpdir (removed)

🗑️ p-cancelable (removed)

🗑️ p-finally (removed)

🗑️ p-limit (removed)

🗑️ p-map (removed)

🗑️ p-try (removed)

🗑️ package-json (removed)

🗑️ pako (removed)

🗑️ parse-link-header (removed)

🗑️ path-is-absolute (removed)

🗑️ path-key (removed)

🗑️ path-type (removed)

🗑️ peek-stream (removed)

🗑️ picomatch (removed)

🗑️ pluralize (removed)

🗑️ prepend-http (removed)

🗑️ prettier (removed)

🗑️ pretty-bytes (removed)

🗑️ process-nextick-args (removed)

🗑️ progress (removed)

🗑️ promise (removed)

🗑️ promise-deferred (removed)

🗑️ promise-fs (removed)

🗑️ promise-queue (removed)

🗑️ promiseback (removed)

🗑️ proxy-from-env (removed)

🗑️ pseudomap (removed)

🗑️ pump (removed)

🗑️ pumpify (removed)

🗑️ pupa (removed)

🗑️ queue (removed)

🗑️ queue-microtask (removed)

🗑️ quick-lru (removed)

🗑️ rc (removed)

🗑️ registry-auth-token (removed)

🗑️ registry-url (removed)

🗑️ resolve-alpn (removed)

🗑️ responselike (removed)

🗑️ restore-cursor (removed)

🗑️ reusify (removed)

🗑️ rimraf (removed)

🗑️ run-async (removed)

🗑️ run-parallel (removed)

🗑️ rxjs (removed)

🗑️ sax (removed)

🗑️ semver-diff (removed)

🗑️ set-immediate-shim (removed)

🗑️ shebang-command (removed)

🗑️ shebang-regex (removed)

🗑️ signal-exit (removed)

🗑️ slash (removed)

🗑️ snyk-config (removed)

🗑️ snyk-cpp-plugin (removed)

🗑️ snyk-docker-plugin (removed)

🗑️ snyk-go-parser (removed)

🗑️ snyk-go-plugin (removed)

🗑️ snyk-gradle-plugin (removed)

🗑️ snyk-module (removed)

🗑️ snyk-mvn-plugin (removed)

🗑️ snyk-nodejs-lockfile-parser (removed)

🗑️ snyk-nuget-plugin (removed)

🗑️ snyk-paket-parser (removed)

🗑️ snyk-php-plugin (removed)

🗑️ snyk-poetry-lockfile-parser (removed)

🗑️ snyk-policy (removed)

🗑️ snyk-python-plugin (removed)

🗑️ snyk-resolve (removed)

🗑️ snyk-resolve-deps (removed)

🗑️ snyk-sbt-plugin (removed)

🗑️ snyk-tree (removed)

🗑️ snyk-try-require (removed)

🗑️ source-map (removed)

🗑️ source-map-support (removed)

🗑️ split-ca (removed)

🗑️ ssh2 (removed)

🗑️ ssh2-streams (removed)

🗑️ stream-buffers (removed)

🗑️ stream-shift (removed)

🗑️ stream-to-array (removed)

🗑️ stream-to-promise (removed)

🗑️ streamsearch (removed)

🗑️ string-width (removed)

🗑️ strip-ansi (removed)

🗑️ strip-eof (removed)

🗑️ strip-json-comments (removed)

🗑️ tar (removed)

🗑️ tar-stream (removed)

🗑️ temp-dir (removed)

🗑️ tempy (removed)

🗑️ then-fs (removed)

🗑️ through (removed)

🗑️ through2 (removed)

🗑️ tmp (removed)

🗑️ to-readable-stream (removed)

🗑️ to-regex-range (removed)

🗑️ toml (removed)

🗑️ tree-kill (removed)

🗑️ treeify (removed)

🗑️ tslib (removed)

🗑️ tunnel (removed)

🗑️ typedarray-to-buffer (removed)

🗑️ unique-string (removed)

🗑️ upath (removed)

🗑️ update-notifier (removed)

🗑️ url-parse-lax (removed)

🗑️ utf8 (removed)

🗑️ vscode-languageserver-types (removed)

🗑️ wcwidth (removed)

🗑️ which (removed)

🗑️ widest-line (removed)

🗑️ windows-release (removed)

🗑️ wrap-ansi (removed)

🗑️ wrappy (removed)

🗑️ write-file-atomic (removed)

🗑️ xdg-basedir (removed)

🗑️ xml-js (removed)

🗑️ xml2js (removed)

🗑️ xmlbuilder (removed)

🗑️ xtend (removed)

🗑️ yallist (removed)

🗑️ yaml (removed)

🗑️ yaml-js (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #5044.