Bump the npm-minor group across 1 directory with 6 updates

[dependabot]

Bumps the npm-minor group with 6 updates in the / directory:

Package	From	To
semver	7.7.4	7.8.0
@eslint/compat	2.0.5	2.1.0
@types/node	20.19.39	20.19.41
nock	14.0.12	14.0.15
typescript-eslint	8.59.2	8.59.3
yaml	2.8.4	2.9.0

Updates semver from 7.7.4 to 7.8.0

Release notes

Sourced from semver's releases.

v7.8.0

7.8.0 (2026-05-08)

Features

• 0d0a0a2 #855 Add truncate function (#855) (@​pjohnmeyer, @​owlstronaut)

Bug Fixes

• 3905343 #859 Warn when defaulting to --inc=patch in CLI (@​pjohnmeyer)

Documentation

• c368af6 #853 fix typos in documentation (#853) (@​ankitkumar572005)
• 37776c3 #846 fix BNF grammar to distinguish prerelease from build identifiers (#846) (@​abhu85, @​claude)

Chores

• 9542e09 #860 template-oss-apply (@​owlstronaut)
• 937bc2c #860 template-oss-apply@5.0.0 (@​owlstronaut)
• 6946fef #852 bump @​npmcli/template-oss from 4.29.0 to 4.30.0 (#852) (@​dependabot[bot], @​npm-cli-bot)

Changelog

Sourced from semver's changelog.

7.8.0 (2026-05-08)

Features

• 0d0a0a2 #855 Add truncate function (#855) (@​pjohnmeyer, @​owlstronaut)

Bug Fixes

• 3905343 #859 Warn when defaulting to --inc=patch in CLI (@​pjohnmeyer)

Documentation

• c368af6 #853 fix typos in documentation (#853) (@​ankitkumar572005)
• 37776c3 #846 fix BNF grammar to distinguish prerelease from build identifiers (#846) (@​abhu85, @​claude)

Chores

• 9542e09 #860 template-oss-apply (@​owlstronaut)
• 937bc2c #860 template-oss-apply@5.0.0 (@​owlstronaut)
• 6946fef #852 bump @​npmcli/template-oss from 4.29.0 to 4.30.0 (#852) (@​dependabot[bot], @​npm-cli-bot)

Commits

• efa4be6 chore: release 7.8.0 (#847)
• 9542e09 chore: template-oss-apply
• 937bc2c chore: template-oss-apply@5.0.0
• 3905343 fix: Warn when defaulting to --inc=patch in CLI
• 0d0a0a2 feat: Add truncate function (#855)
• c368af6 docs: fix typos in documentation (#853)
• 6946fef chore: bump @​npmcli/template-oss from 4.29.0 to 4.30.0 (#852)
• 37776c3 docs: fix BNF grammar to distinguish prerelease from build identifiers (#846)
• See full diff in compare view

Updates @eslint/compat from 2.0.5 to 2.1.0

Release notes

Sourced from @​eslint/compat's releases.

compat: v2.1.0

2.1.0 (2026-05-08)

Features

• Add new includeIgnoreFile() to config-helpers (#430) (9b51352)

migrate-config: v2.1.0

2.1.0 (2026-05-08)

Features

• Add new includeIgnoreFile() to config-helpers (#430) (9b51352)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/config-helpers bumped from ^0.5.5 to ^0.6.0

migrate-config: v2.0.7

2.0.7 (2026-05-01)

Bug Fixes

• update espree to the latest (#437) (a8ff72f)

migrate-config: v2.0.6

2.0.6 (2026-04-08)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/compat bumped from ^2.0.4 to ^2.0.5
  • devDependencies
    • @​eslint/core bumped from ^1.2.0 to ^1.2.1

Changelog

Sourced from @​eslint/compat's changelog.

2.1.0 (2026-05-08)

Features

• Add new includeIgnoreFile() to config-helpers (#430) (9b51352)

Commits

• b894953 chore: release main (#446)
• 334038d docs: Update README sponsors
• 9b51352 feat: Add new includeIgnoreFile() to config-helpers (#430)
• 70b6997 docs: Update README sponsors
• 35b6b94 chore: update TypeScript to v6 (#417)
• 7807d71 docs: Update README sponsors
• 57001ea docs: Update README sponsors
• 0b62133 docs: Update README sponsors
• See full diff in compare view

Updates @types/node from 20.19.39 to 20.19.41

Commits

• See full diff in compare view

Updates nock from 14.0.12 to 14.0.15

Release notes

Sourced from nock's releases.

v14.0.15

14.0.15 (2026-05-07)

Bug Fixes

• Revert "fix(backport): apply body delay before the response end" (#2973) (de5450c), closes #2969

v14.0.14

14.0.14 (2026-04-30)

Bug Fixes

• backport: apply body delay before the response end (#2969) (215cd2a)

v14.0.13

14.0.13 (2026-04-20)

Bug Fixes

• types: align Definition with runtime; add rawHeaders, drop headers (#2955) (07fbfab)

Commits

• de5450c fix: Revert "fix(backport): apply body delay before the response end" (#2973)
• 215cd2a fix(backport): apply body delay before the response end (#2969)
• 07fbfab fix(types): align Definition with runtime; add rawHeaders, drop headers (#2955)
• fe2c3ea chore(deps-dev): bump lodash-es from 4.17.23 to 4.18.1 (#2961)
• ee49b4f chore(deps-dev): bump flatted from 3.2.5 to 3.4.2
• 11bf183 chore(deps-dev): bump undici from 6.23.0 to 6.24.1 (#2954)
• 6b80154 chore(deps-dev): bump handlebars from 4.7.8 to 4.7.9 (#2960)
• 4cbf6cc chore(deps): bump tar and npm (#2952)
• See full diff in compare view

Updates typescript-eslint from 8.59.2 to 8.59.3

Release notes

Sourced from typescript-eslint's releases.

v8.59.3

8.59.3 (2026-05-11)

This was a version bump only, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.59.3 (2026-05-11)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• 48e13c0 chore(release): publish 8.59.3
• 44f9625 chore(deps): update vitest monorepo to v4.1.5 (#12307)
• See full diff in compare view

Updates yaml from 2.8.4 to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

• fix: Avoid calling Array.prototype.push.apply() with large source array
• fix(lexer): Avoid recursive calls that may exhaust the call stack

Commits

• ddb21b0 2.9.0
• 167365b docs: Clarify that not all errors can be avoided
• 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
• 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
• See full diff in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
@types/node	[>= 25.a, < 26]
@types/node	[>= 24.a, < 25]
@types/node	[>= 22.a, < 23]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Pushed a commit to rebuild the Action. Please mark the PR as ready for review to trigger PR checks.

[Copilot]

Pull request overview

This Dependabot PR updates a small set of npm dependencies (and corresponding lockfile entries) used by the CodeQL Action and its pr-checks workspace, keeping tooling and test dependencies current.

Changes:

• Bump semver to ^7.8.0.
• Bump dev tooling dependencies: @eslint/compat, @types/node, nock, and typescript-eslint.
• Bump yaml in the pr-checks workspace to ^2.9.0 and refresh package-lock.json accordingly.

Show a summary per file

File	Description
pr-checks/package.json	Updates yaml and @types/node for the pr-checks workspace tooling scripts.
package.json	Updates root dependency/devDependency versions for semver, linting/tooling, and test mocking.
package-lock.json	Refreshes resolved versions/integrities to match the bumped dependencies across the workspace.
lib/entry-points.js	Generated output update corresponding to the dependency changes (not reviewed).

Copilot's findings

• Files reviewed: 2/4 changed files
• Comments generated: 0