chore(deps): update npm dependencies updates

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
cypress (source)	15.5.* → 15.15.*
dotenv	17.2.* → 17.4.*
jscpd	4.0.* → 4.2.*
release-it	19.0.* → 19.2.*

---

Release Notes

cypress-io/cypress (cypress)

v15.15.0

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-15-0

v15.14.2

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-14-2

v15.14.1

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-14-1

v15.14.0

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-14-0

v15.13.1

Compare Source

v15.13.0

Compare Source

v15.12.0

Compare Source

v15.11.0

Compare Source

v15.10.0

Compare Source

v15.9.0

Compare Source

v15.8.2

Compare Source

v15.8.1

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-8-1

v15.8.0

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-8-0

v15.7.1

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-7-1

v15.7.0

Compare Source

v15.6.0

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-6-0

motdotla/dotenv (dotenv)

v17.4.2

Compare Source

v17.4.1

Compare Source

v17.4.0

Compare Source

v17.3.1

Compare Source

Changed

• Fix as2 example command in README and update spanish README

v17.3.0

Compare Source

Added

• Add a new README section on dotenv’s approach to the agentic future.

Changed

• Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.

v17.2.4

Compare Source

Changed

• Make DotenvPopulateInput accept NodeJS.ProcessEnv type (#​915)

• Give back to dotenv by checking out my newest project vestauth. It is auth for agents. Thank you for using my software.

kucherenko/jscpd (jscpd)

v4.2.3

Compare Source

v4.2.2

Compare Source

v4.2.1

Compare Source

v4.2.0

Compare Source

Breaking Changes

• Vue SFC tokenization — .vue files are no longer tokenized as markup. Each block is now dispatched to its own sub-format: <script> → javascript, <script lang="ts"> → typescript, <template> → markup, <style> → css, <style lang="scss"> → scss, <style lang="less"> → less. Clone reports for .vue files now appear under these resolved sub-format names. Any tooling or configuration that relied on .vue clones being reported under markup must be updated.
• --formatsExts users — custom mappings that pointed .vue to markup (e.g. "formatsExts": { "markup": ["vue"] }) will no longer take effect because .vue is handled by the dedicated vue format processor. Remove or update such mappings.

New Features

• Custom tokenizer backend — replaced the prismjs npm package with a self-contained reprism-based grammar engine. ~11.5% faster tokenization on real projects (avg 1126 ms → 997 ms on a 548-file, 223-format scan).
• Cross-format detection — Vue SFC (.vue), Svelte (.svelte), Astro (.astro), and Markdown files are now tokenized per-block/per-section. A <script> block in a .vue file can match a .ts file; a fenced code block in Markdown can match a .py file.
• 223 supported formats — Apex, CFML/ColdFusion, GDScript, Svelte, Astro, and 70+ additional languages added (up from 152). See FORMATS.md.
• Shebang detection — extensionless executable scripts (e.g. /usr/bin/env python3) are auto-detected by their #! shebang line and tokenized in the correct language.
• --store-path — configure a custom directory for the LevelDB cache, eliminating collisions when multiple jscpd processes run in parallel on the same machine.
• --skipComments — shorthand flag for --mode weak, which strips comments before detection.
• --formats-names — map specific filenames (e.g. Makefile, Dockerfile) to a detection format.

Bug Fixes

• Entire-file duplicates silently dropped (@jscpd/core #​728) — RabinKarp flushed the pending clone on a store hit at end-of-file instead of on a miss. Files that are complete copies of each other were undetected. Fixed.
• ReDoS hang on Lisp/Elisp files (@jscpd/tokenizer #​737) — the Lisp string regex /"(?:[^"\\]*|\\.)*"/ could catastrophically backtrack (O(2ⁿ)) on unterminated strings. Replaced with a linear /"(?:[^"\\]|\\[\s\S])*"/ pattern.
• Process crash on malformed package.json (#​739) — readJSONSync threw an unhandled SyntaxError when package.json contained invalid JSON, killing the process. Now emits a warning and continues with an empty config.
• Vue SFC cross-file detection broken — the detector used the file-level format (vue) as the store namespace for all SFC blocks, preventing a <script> block in one .vue file from ever matching a <script> block in another. The namespace now reflects each block's resolved sub-format.
• Vue SFC incorrect column numbers — tokens on the first line of a block carried block-relative column 1 instead of file-absolute column numbers. Fixed in @jscpd/tokenizer.
• 50 dependency security vulnerabilities remediated across the monorepo (Dependabot batches).

Known Limitations

• Malformed SFC blocks (e.g. unclosed tags, invalid attributes) are silently skipped and do not contribute tokens.

---

v4.1.1

Compare Source

v4.1.0

Compare Source

New Features

• AI Reporter — new ai reporter that produces compact, token-efficient clone output specifically designed for feeding results into language models and AI tooling. Use --reporters ai to activate it.
• MCP Server enhancements — the Model Context Protocol server now exposes a jscpd://statistics resource and supports a recheck endpoint so AI agents can trigger a rescan without restarting the process.
• Apex & CFML language support — jscpd can now detect duplicate code in Salesforce Apex and ColdFusion Markup Language (CFML) files (closes #​83, #​619).
• GDScript support — detect copy-paste duplication in Godot Engine GDScript files.
• HTML reporter footer — the HTML report now displays a branded footer with the jscpd version and a sponsor link.
• --noTips flag — suppress the usage-tip messages that appear after a detection run.
• CI: Node.js 22.x / 24.x — continuous integration updated to test against the latest Node.js LTS and current releases.

Performance

• Tokenizer — grammars are now loaded lazily, hot paths are O(n), and the spark-md5 dependency has been removed in favour of a lighter built-in implementation. Startup time and memory usage are noticeably reduced on large codebases.
• Replaced the vendored reprism syntax library with the official prismjs npm package, shrinking the installed footprint.

Bug Fixes

• Restored the correct start.line expectation for weak-mode clone detection.

---

v4.0.9

Compare Source

v4.0.8

Compare Source

v4.0.7

Compare Source

v4.0.6

Compare Source

release-it/release-it (release-it)

v19.2.4

Compare Source

• chore: update dependencies to resolve security vulnerabilities (#​1273) (b45dd1a) - thanks @​Yeom-JinHo!
• Update a few dev deps (cd8acdc)

v19.2.3

Compare Source

• Reuse generated changelog (316dbfa)
• Remove obsolete eslint compat packages/config (f6cc8f3)
• Update remark-preset-webpro and fix broken links (6e6dd4b)

v19.2.2

Compare Source

• Improve getChangelog method (7a56364)

v19.2.1

Compare Source

• Improve commit prompt (b7aca7c)
• Remedy potential edge case in template helper (5c0a6ee)

v19.2.0

Compare Source

• Add option to exit gracefully (e1f825d)
• Update dependencies (424c9f6)
• Auto-format docs (06f41bb)
• fix: add shell mode for npm commands on windows (#​1266) (382e346) - thanks @​julienbenac!
• Feat: Add publishPackageManager config option in NPM plugin to allow using different package manager for publishing (e.g. Bun) (#​1169) (0dafc0b) - thanks @​chrispader!
• Only use --workspaces=false with npm (12bb89c)
• Fix up docs/types a bit (05a5986)
• Format (c9d6ebf)

v19.1.0

Compare Source

• Ignore .npmrc (8ccd060)
• Update lockfile (c4cd2ba)
• Support interactive shell in non-CI mode for 2FA flow (resolve #​1263) (a10b20d)
• Add --workspaces=false to get rid of the null/matches error (14a4907)
• Remove npm config env var warnings (b8c1247)
• doc(readme): add release-it-beautiful-changelog plugin to list of plugins (#​1261) (1b68c21)
• Add 403 to consider resource alive (7969849)

v19.0.6

Compare Source

• Update list of projects using release-it (92b49d3)
• Bump github/codeql-action from 2 to 4 (#​1253) (21309d3) - thanks @​dependabot[bot]!
• Bump actions/setup-node from 5 to 6 (#​1255) (3fbaab1) - thanks @​dependabot[bot]!
• Test in node 24 (7a12b12)
• Upgrade c12 (resolve #​1254) (1f48d03)

---

Configuration

📅 Schedule: (in timezone Europe/Paris)

• Branch creation
  • "before 8am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.