chore(deps): (deps): bump the production group across 1 directory with 10 updates

[dependabot]

Bumps the production group with 8 updates in the / directory:

Package	From	To
@esbuild/aix-ppc64	0.27.7	0.28.0
@types/estree	1.0.8	1.0.9
es-module-lexer	1.7.0	2.1.0
lru-cache	11.3.6	11.5.0
magicast	0.5.2	0.5.3
node-abi	3.91.0	3.92.0
semver	7.7.4	7.8.0
tar	7.5.14	7.5.15

Updates @esbuild/aix-ppc64 from 0.27.7 to 0.28.0

Release notes

Sourced from @​esbuild/aix-ppc64's releases.

v0.28.0

• Add support for with { type: 'text' } imports (#4435)

  The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

  import string from './example.txt' with { type: 'text' }
  console.log(string)

• Add integrity checks to fallback download path (#4343)

  Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

  This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

• Update the Go compiler from 1.25.7 to 1.26.1

  This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

  • It now uses the new garbage collector that comes with Go 1.26.
  • The Go compiler is now more aggressive with allocating memory on the stack.
  • The executable format that the Go linker uses has undergone several changes.
  • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

  You can read the Go 1.26 release notes for more information.

Changelog

Sourced from @​esbuild/aix-ppc64's changelog.

0.28.0

• Add support for with { type: 'text' } imports (#4435)

  The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

  import string from './example.txt' with { type: 'text' }
  console.log(string)

• Add integrity checks to fallback download path (#4343)

  Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

  This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

• Update the Go compiler from 1.25.7 to 1.26.1

  This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

  • It now uses the new garbage collector that comes with Go 1.26.
  • The Go compiler is now more aggressive with allocating memory on the stack.
  • The executable format that the Go linker uses has undergone several changes.
  • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

  You can read the Go 1.26 release notes for more information.

Commits

• 6a794df publish 0.28.0 to npm
• 64ee0ea fix #4435: support with { type: text } imports
• ef65aee fix sort order in snapshots_packagejson.txt
• 1a26a8e try to fix test-old-ts, also shuffle CI tasks
• 556ce6c use '' instead of null to omit build hashes
• 8e675a8 ci: allow missing binary hashes for tests
• 7067763 Reapply "update go 1.25.7 => 1.26.1"
• 39473a9 fix #4343: integrity check for binary download
• See full diff in compare view

Updates @types/estree from 1.0.8 to 1.0.9

Commits

• See full diff in compare view

Updates brace-expansion from 5.0.5 to 5.0.6

Commits

• 46317b5 5.0.6
• c0b095b Merge commit from fork
• ec56020 Bump picomatch from 4.0.3 to 4.0.4 (#93)
• See full diff in compare view

Updates es-module-lexer from 1.7.0 to 2.1.0

Release notes

Sourced from es-module-lexer's releases.

2.1.0

What's Changed

• Always exclude dyn import attributes from specifier range by @​nicolo-ribaudo in guybedford/es-module-lexer#197
• fix: handle new of conflict cases by @​guybedford in guybedford/es-module-lexer#195

New Contributors

• @​nicolo-ribaudo made their first contribution in guybedford/es-module-lexer#197

Full Changelog: guybedford/es-module-lexer@2.0.0...2.1.0

2.0.0

What's Changed

• feat: support import attribute item parsing by @​guybedford in guybedford/es-module-lexer#194
• breaking: remove import assertions by @​guybedford in guybedford/es-module-lexer#191
• fix: global reference by @​guybedford in guybedford/es-module-lexer#193

Full Changelog: guybedford/es-module-lexer@1.7.0...2.0.0

Commits

• 5fb11e1 2.1.0
• cc29c5b fix: handle new of conflict cases (#195)
• 4a35138 Always exclude dyn import attributes from specifier range (#197)
• 0603c6f 2.0.0
• 066ce56 feat: support import attribute item parsing (#194)
• fd6f6ab breaking: remove import assertions (#191)
• e21f663 fix: global reference (#193)
• See full diff in compare view

Updates lru-cache from 11.3.6 to 11.5.0

Changelog

Sourced from lru-cache's changelog.

cringe lorg

11.5

• Add backgroundFetchSize option, defaulting to 1, to set an effective size for provisional background fetch objects while in flight, if they do not shadow an existing stale entry.

11.4

• Add cache property to status objects, in order to differentiate which cache is emitting the metric or trace.
• Several small bugs regarding fetch behavior edge cases.
  • onInsert does not fire for background fetch internal promises.
  • dispose() and disposeAfter() now fire for the stale value left behind when an in-process background fetch is pre-empted by eviction.
  • fetchMethod that returns a non-Promise value is handled correctly.
  • No Error is created, or abort() signaled, when a background fetch promise is resolved. (Presumably the implementation is done by that point.)

11.3

• Add observability features, expand the coverage of LRUCache.Status objects.

11.2

• Add the perf option to specify performance, Date, or any other object with a now() method that returns a number.

11.1

• Add the onInsert method

11.0

• Drop support for node less than v20

10.4

• Accidental minor update, should've been patch.

10.3

• add forceFetch() method
• set disposeReason to 'expire' when it's the result of a TTL

... (truncated)

Commits

• 0adc7a5 11.5.0
• 4708153 add backgroundFetchSize option
• 9bed6db formatting changelog
• cd8f37b test: loosen test on onInsert
• c440996 11.4.0
• fdab191 changelog 11.4
• fbd958d add cache to status type
• 451737c fix several bugs related to background fetch edge cases
• 425dd43 update deps
• See full diff in compare view

Updates magicast from 0.5.2 to 0.5.3

Release notes

Sourced from magicast's releases.

v0.5.3

   🚀 Features

• Add await expression support  -  by @​Jack-sh1 in unjs/magicast#157 (b1124)

    View changes on GitHub

Commits

• 8d4fed0 chore: release v0.5.3
• b87cb34 chore: update deps and lint
• b112424 feat: add await expression support (#157)
• See full diff in compare view

Updates node-abi from 3.91.0 to 3.92.0

Release notes

Sourced from node-abi's releases.

v3.92.0

3.92.0 (2026-05-06)

Features

• update ABI registry (#289) (d8a52dc)

Commits

• d8a52dc feat: update ABI registry (#289)
• See full diff in compare view

Updates postcss from 8.5.14 to 8.5.15

Release notes

Sourced from postcss's releases.

8.5.15

• Fixed declaration parsing performance (by @​homanp).

Changelog

Sourced from postcss's changelog.

8.5.15

• Fixed declaration parsing performance (by @​homanp).

Commits

• eae46db Release 8.5.15 version
• 79508ff Update CI actions
• b128e21 Speed up declaration parsing by avoiding creating new array on each token
• 9825dca Fix code format
• 55789c8 Update dependencies
• 84fbbe9 Install older pnpm action for old Node.js
• 9f860bd Revert pnpm action for old Node.js
• 0877198 Update CI actions
• b2d1a33 Fix linter warnings
• 0700dac Merge pull request #2088 from rootvector2/add-oss-fuzz-harness
• Additional commits viewable in compare view

Updates semver from 7.7.4 to 7.8.0

Release notes

Sourced from semver's releases.

v7.8.0

7.8.0 (2026-05-08)

Features

• 0d0a0a2 #855 Add truncate function (#855) (@​pjohnmeyer, @​owlstronaut)

Bug Fixes

• 3905343 #859 Warn when defaulting to --inc=patch in CLI (@​pjohnmeyer)

Documentation

• c368af6 #853 fix typos in documentation (#853) (@​ankitkumar572005)
• 37776c3 #846 fix BNF grammar to distinguish prerelease from build identifiers (#846) (@​abhu85, @​claude)

Chores

• 9542e09 #860 template-oss-apply (@​owlstronaut)
• 937bc2c #860 template-oss-apply@5.0.0 (@​owlstronaut)
• 6946fef #852 bump @​npmcli/template-oss from 4.29.0 to 4.30.0 (#852) (@​dependabot[bot], @​npm-cli-bot)

Changelog

Sourced from semver's changelog.

7.8.0 (2026-05-08)

Features

• 0d0a0a2 #855 Add truncate function (#855) (@​pjohnmeyer, @​owlstronaut)

Bug Fixes

• 3905343 #859 Warn when defaulting to --inc=patch in CLI (@​pjohnmeyer)

Documentation

• c368af6 #853 fix typos in documentation (#853) (@​ankitkumar572005)
• 37776c3 #846 fix BNF grammar to distinguish prerelease from build identifiers (#846) (@​abhu85, @​claude)

Chores

• 9542e09 #860 template-oss-apply (@​owlstronaut)
• 937bc2c #860 template-oss-apply@5.0.0 (@​owlstronaut)
• 6946fef #852 bump @​npmcli/template-oss from 4.29.0 to 4.30.0 (#852) (@​dependabot[bot], @​npm-cli-bot)

Commits

• efa4be6 chore: release 7.8.0 (#847)
• 9542e09 chore: template-oss-apply
• 937bc2c chore: template-oss-apply@5.0.0
• 3905343 fix: Warn when defaulting to --inc=patch in CLI
• 0d0a0a2 feat: Add truncate function (#855)
• c368af6 docs: fix typos in documentation (#853)
• 6946fef chore: bump @​npmcli/template-oss from 4.29.0 to 4.30.0 (#852)
• 37776c3 docs: fix BNF grammar to distinguish prerelease from build identifiers (#846)
• See full diff in compare view

Updates tar from 7.5.14 to 7.5.15

Commits

• 87cc309 7.5.15
• 7aef486 fix: regression in pending links detection
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions