Bump the npm_and_yarn group across 1 directory with 12 updates

[dependabot]

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package	From	To
npm	5.10.0	11.9.0
ajv	6.12.0	6.14.0
copy-props	2.0.4	2.0.5
decode-uri-component	0.2.0	0.2.2
es5-ext	0.10.53	0.10.64
path-parse	1.0.6	1.0.7

Updates npm from 5.10.0 to 11.9.0

Release notes

Sourced from npm's releases.

v11.9.0

11.9.0 (2026-02-04)

Features

• f5f6cf7 #8943 config: add --allow-git (@​wraithgar)

Bug Fixes

• 2242f25 #8952 webauth: improve error messages around webauth in non-TTY (#8952) (@​Andarist)

Dependencies

• 332c9f3 #8960 glob@13.0.1
• eca02c7 #8960 minimatch@10.1.2 @isaacs/brace-expansion@5.0.1
• b3f8475 #8951 minipass-fetch@5.0.1
• 924171b #8951 is-cidr@6.0.2
• 4404002 #8951 ci-info@4.4.0
• b65af73 #8951 lru-cache@11.2.5
• 164c355 #8951 tar@7.5.7
• a74a19c #8951 node-gyp@12.2.0
• e0bc212 #8943 pacote@21.1.0

Chores

• 4a82a8f #8951 dev dependency updates (@​wraithgar)
• workspace: @npmcli/arborist@9.2.0
• workspace: @npmcli/config@10.6.0
• workspace: libnpmdiff@8.1.0
• workspace: libnpmexec@10.2.0
• workspace: libnpmfund@7.0.14
• workspace: libnpmpack@9.1.0

v11.8.0

11.8.0 (2026-01-21)

Features

• 545e861 #8828 show proxy environment variables in npm config list (Max Black)

Bug Fixes

• c2f784d #8859 preserve serialNumber UUID in CycloneDX SBOM output #8837 (#8859) (@​saksham-malhotra-27)
• f2c3af7 #8840 more intuitive byte formatting boundaries for rounding (#8840) (@​watilde)

Documentation

• 3474ec3 #8866 fix typo/logic error in npm-dedupe docs (#8866) (@​Schweinepriester)
• 5552e46 #8797 npm-install: explain package-lock.json behavior (#8797) (@​MaxBlack-dev, Max Black)

Dependencies

• f478ca0 #8919 postcss-selector-parser@7.1.1
• 2b6a71f #8919 path-scurry@2.0.1
• 19096f2 #8919 sigstore@4.1.0
• e7f5d1e #8919 lru-cache@11.2.4
• 9e756ae #8919 ip-address@10.1.0
• f951820 #8919 common-ancestor-path@2.0.0
• 7a949ad #8919 @sigstore/verify@3.1.0
• 6979ce1 #8919 @sigstore/sign@4.1.0
• b4a6a41 #8919 @sigstore/core@3.1.0
• dc8a8e8 #8919 @sigstore/tuf@4.0.1
• be221ea #8919 validate-npm-package-name@7.0.2
• 149823d #8919 diff@8.0.3
• 32b2001 #8919 tar@7.5.4

Chores

... (truncated)

Changelog

Sourced from npm's changelog.

11.9.0 (2026-02-04)

Features

• f5f6cf7 #8943 config: add --allow-git (@​wraithgar)

Bug Fixes

• 2242f25 #8952 webauth: improve error messages around webauth in non-TTY (#8952) (@​Andarist)

Dependencies

• 332c9f3 #8960 glob@13.0.1
• eca02c7 #8960 minimatch@10.1.2 @isaacs/brace-expansion@5.0.1
• b3f8475 #8951 minipass-fetch@5.0.1
• 924171b #8951 is-cidr@6.0.2
• 4404002 #8951 ci-info@4.4.0
• b65af73 #8951 lru-cache@11.2.5
• 164c355 #8951 tar@7.5.7
• a74a19c #8951 node-gyp@12.2.0
• e0bc212 #8943 pacote@21.1.0

Chores

• 4a82a8f #8951 dev dependency updates (@​wraithgar)
• workspace: @npmcli/arborist@9.2.0
• workspace: @npmcli/config@10.6.0
• workspace: libnpmdiff@8.1.0
• workspace: libnpmexec@10.2.0
• workspace: libnpmfund@7.0.14
• workspace: libnpmpack@9.1.0

11.8.0 (2026-01-21)

Features

• 545e861 #8828 show proxy environment variables in npm config list (Max Black)

Bug Fixes

• c2f784d #8859 preserve serialNumber UUID in CycloneDX SBOM output #8837 (#8859) (@​saksham-malhotra-27)
• f2c3af7 #8840 more intuitive byte formatting boundaries for rounding (#8840) (@​watilde)

Documentation

• 3474ec3 #8866 fix typo/logic error in npm-dedupe docs (#8866) (@​Schweinepriester)
• 5552e46 #8797 npm-install: explain package-lock.json behavior (#8797) (@​MaxBlack-dev, Max Black)

Dependencies

• f478ca0 #8919 postcss-selector-parser@7.1.1
• 2b6a71f #8919 path-scurry@2.0.1
• 19096f2 #8919 sigstore@4.1.0
• e7f5d1e #8919 lru-cache@11.2.4
• 9e756ae #8919 ip-address@10.1.0
• f951820 #8919 common-ancestor-path@2.0.0
• 7a949ad #8919 @sigstore/verify@3.1.0
• 6979ce1 #8919 @sigstore/sign@4.1.0
• b4a6a41 #8919 @sigstore/core@3.1.0
• dc8a8e8 #8919 @sigstore/tuf@4.0.1
• be221ea #8919 validate-npm-package-name@7.0.2
• 149823d #8919 diff@8.0.3
• 32b2001 #8919 tar@7.5.4

Chores

• 8f599df #8919 pin jsdom to 27.0.0 (@​wraithgar)
• f4f1161 #8919 dev dependency updates (@​wraithgar)

... (truncated)

Commits

• 417daa7 chore: release 11.9.0
• 332c9f3 deps: glob@13.0.1
• eca02c7 deps: minimatch@10.1.2 @​isaacs/brace-expansion@​5.0.1
• 2242f25 fix(webauth): improve error messages around webauth in non-TTY (#8952)
• b3f8475 deps: minipass-fetch@5.0.1
• 4a82a8f chore: dev dependency updates
• 924171b deps: is-cidr@6.0.2
• 4404002 deps: ci-info@4.4.0
• b65af73 deps: lru-cache@11.2.5
• 164c355 deps: tar@7.5.7
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by gar, a new releaser for npm since your current version.

Updates ajv from 6.12.0 to 6.14.0

Release notes

Sourced from ajv's releases.

v6.12.6

Fix performance issue of "url" format.

v6.12.5

Fix uri scheme validation (@​ChALkeR). Fix boolean schemas with strictKeywords option (#1270)

v6.12.4

Fix: coercion of one-item arrays to scalar that should fail validation (failing example).

v6.12.3

Pass schema object to processCode function Option for strictNumbers (@​issacgerges, #1128) Fixed vulnerability related to untrusted schemas (CVE-2020-15366)

v6.12.2

Removed post-install script

v6.12.1

Docs and dependency updates

Commits

• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• fe59143 6.12.6
• d580d3e Merge pull request #1298 from ajv-validator/fix-url
• fd36389 fix: regular expression for "url" format
• Additional commits viewable in compare view

Updates chownr from 1.0.1 to 3.0.0

Commits

• 8b9800a 3.0.0
• 222a6d5 modernize
• 8d35541 chore: add copyright year to license
• 8ad52b1 remove FUNDING.yml (coming from .github repo now)
• cf9ac45 funding
• 6573bba update tap
• 800f7e3 chore: add copyright year to license
• 0c447f8 ci: chores
• f9f9d86 2.0.0
• fc69315 drop support for EOL node versions
• Additional commits viewable in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates copy-props from 2.0.4 to 2.0.5

Commits

• See full diff in compare view

Updates decode-uri-component from 0.2.0 to 0.2.2

Release notes

Sourced from decode-uri-component's releases.

v0.2.2

• Prevent overwriting previously decoded tokens 980e0bf

SamVerschueren/decode-uri-component@v0.2.1...v0.2.2

v0.2.1

• Switch to GitHub workflows 76abc93
• Fix issue where decode throws - fixes #6 746ca5d
• Update license (#1) 486d7e2
• Tidelift tasks a650457
• Meta tweaks 66e1c28

SamVerschueren/decode-uri-component@v0.2.0...v0.2.1

Commits

• a0eea46 0.2.2
• 980e0bf Prevent overwriting previously decoded tokens
• 3c8a373 0.2.1
• 76abc93 Switch to GitHub workflows
• 746ca5d Fix issue where decode throws - fixes #6
• 486d7e2 Update license (#1)
• a650457 Tidelift tasks
• 66e1c28 Meta tweaks
• See full diff in compare view

Updates es5-ext from 0.10.53 to 0.10.64

Release notes

Sourced from es5-ext's releases.

0.10.64 (2024-02-27)

Bug Fixes

• Revert update to postinstall script meant to fix Powershell issue, as it's a regression for some Linux terminals (c2e2bb9)

---

Comparison since last release

0.10.63 (2024-02-23)

Bug Fixes

• Do not rely on problematic regex (3551cdd), addresses #201
• Support ES2015+ function definitions in function#toStringTokens() (a52e957), addresses #021
• Ensure postinstall script does not crash on Windows, fixes #181 (bf8ed79)

Maintenance Improvements

• Simplify the manifest message (7855319)

---

Comparison since last release

0.10.62 (2022-08-02)

Maintenance Improvements

• Manifest improvements:
  • (#190) (b8dc53f)
  • (c51d552)

---

Comparison since last release

0.10.61 (2022-04-20)

Bug Fixes

• Ensure postinstall script does not error (a0be4fd)

Maintenance Improvements

• Bump dependencies (d7e0a61)

---

Comparison since last release

0.10.60 (2022-04-07)

Maintenance Improvements

• Improve postinstall script configuration (ab6b121)

---

... (truncated)

Changelog

Sourced from es5-ext's changelog.

0.10.64 (2024-02-27)

Bug Fixes

• Revert update to postinstall script meant to fix Powershell issue, as it's a regression for some Linux terminals (c2e2bb9)

0.10.63 (2024-02-23)

Bug Fixes

• Do not rely on problematic regex (3551cdd), addresses #201
• Support ES2015+ function definitions in function#toStringTokens() (a52e957), addresses #021
• Ensure postinstall script does not crash on Windows, fixes #181 (bf8ed79)

Maintenance Improvements

• Simplify the manifest message (7855319)

0.10.62 (2022-08-02)

Maintenance Improvements

• Manifest improvements:
  • (#190) (b8dc53f)
  • (c51d552)

0.10.61 (2022-04-20)

Bug Fixes

• Ensure postinstall script does not error (a0be4fd)

Maintenance Improvements

• Bump dependencies (d7e0a61)

0.10.60 (2022-04-07)

Maintenance Improvements

• Improve postinstall script configuration (ab6b121)

0.10.59 (2022-03-17)

Maintenance Improvements

• Improve manifest wording (#122) (eb7ae59)
• Update data in manifest (3d2935a)

0.10.58 (2022-03-11)

... (truncated)

Commits

• f76b03d chore: Release v0.10.64
• 2881acd chore: Bump dependencies
• c2e2bb9 fix: Revert update meant to fix Powershell issue, as it's a regression
• 16f2b72 docs: Fix date in the changelog
• de4e03c chore: Release v0.10.63
• 3fd53b7 chore: Upgrade lint-staged to v13
• bf8ed79 chore: Ensure postinstall script does not crash on Windows
• 2cbbb07 chore: Bump dependencies
• 22d0416 chore: Bump LICENSE year
• a52e957 fix: Support ES2015+ function definitions in function#toStringTokens()
• Additional commits viewable in compare view

Install script changes

This version adds postinstall script that runs during installation. Review the package contents before updating.

Updates http-cache-semantics from 3.8.1 to 4.2.0

Commits

• See full diff in compare view

Updates lodash from 3.10.1 to 4.17.15

Release notes

Sourced from lodash's releases.

4.0.0

lodash v4.0.0

2015 was big year! Lodash became the most depended on npm package, passed 1 billion downloads, & its v3 release saw massive adoption!

The year was also one of collaboration, as discussions began on merging Lodash & Underscore. Much of Lodash v4 is proofing out the ideas from those discussions. Lodash v4 would not be possible without the collaboration & contributions of the Underscore core team. In the spirit of merging our teams have blended with several members contributing to both libraries.

For 2016 & lodash v4.0.0 we wanted to cut loose, push forward, & take things up a notch!

Modern only

With v4 we’re breaking free from old projects, old environments, & dropping old IE < 9 support!

4 kB Core

Lodash’s kitchen-sink size will continue to grow as new methods & functionality are added. However, we now offer a 4 kB (gzipped) core build that’s compatible with Backbone v1.2.4 for folks who want Lodash without lugging around the kitchen sink.

More ES6

We’ve continued to embrace ES6 with methods like _.isSymbol, added support for cloning & comparing array buffers, maps, sets, & symbols, converting iterators to arrays, & iterable _(…).

In addition, we’ve published an es-build & pulled babel-plugin-lodash into core to make tree-shaking a breeze.

More Modular

Pop quiz! 📣

What category path does the bindAll method belong to? Is it

A) require('lodash/function/bindAll') B) require('lodash/utility/bindAll') C) require('lodash/util/bindAll')

Don’t know? Well, with v4 it doesn’t matter because now module paths are as simple as

var bindAll = require('lodash/bindAll');

We’ve also reduced module complexity making it easier to create smaller bundles. This has helped Lodash adoption with libraries like Async & Redux!

1st Class FP

With v3 we introduced lodash-fp. We learned a lot & with v4 we decided to pull it into core.

Now you can get immutable, auto-curried, iteratee-first, data-last methods as simply as

var _ = require('lodash/fp');
var object = { 'a': 1 };
</tr></table> 

... (truncated)

Commits

• ddfd9b1 Bump to v4.17.15.
• b185fce Rebuild lodash and docs.
• be87d30 Bump to v4.17.14.
• a6fe6b1 Rebuild lodash and docs.
• e371828 Bump to v4.17.13.
• 357e899 Rebuild lodash and docs.
• fd9a062 Bump to v4.17.12.
• e77d681 Rebuild lodash and docs.
• 629d186 Update OpenJS references.
• 2406eac Fix minified build.
• Additional commits viewable in compare view

Updates npm-registry-fetch from 1.1.1 to 19.1.1

Release notes

Sourced from npm-registry-fetch's releases.

v19.1.1

19.1.1 (2025-11-13)

Dependencies

• 360ec4e #282 @npmcli/redact@4.0.0
• c703622 #282 minipass-fetch@5.0.0
• 61662d9 #282 ssri@13.0.0
• 4ab8c96 #282 proc-log@6.0.0

Chores

• 10ecc6a #282 @npmcli/eslint-config@6.0.0 (@​wraithgar)
• 139321c #282 @npmcli/template-oss@4.28.0 (@​wraithgar)

v19.1.0

19.1.0 (2025-10-28)

Features

• d8074d6 #280 add signal opt (#280) (@​clemgbld)

v19.0.0

19.0.0 (2025-07-24)

⚠️ BREAKING CHANGES

• npm-registry-fetch now supports node ^20.17.0 || >=22.9.0

Bug Fixes

• 364c6c0 #277 align to npm 11 node engine range (@​owlstronaut)

Dependencies

• a94aa45 #277 npm-package-arg@13.0.0
• 743188b #277 make-fetch-happen@15.0.0

Chores

• 563fda6 #277 cacache@20.0.0 (@​owlstronaut)
• d5519d6 #277 template-oss apply fix (@​owlstronaut)
• 894f3a7 #277 @npmcli/template-oss@4.25.0 (@​owlstronaut)

v18.0.2

18.0.2 (2024-10-16)

Bug Fixes

• 8044781 #273 log cache hits distinct from fetch (#273) (@​mbtools)

Chores

• 99b99d2 #269 bump cacache from 18.0.4 to 19.0.1 (#269) (@​dependabot[bot])
• bd3f7d1 #272 bump @​npmcli/template-oss from 4.23.3 to 4.23.4 (#272) (@​dependabot[bot], @​npm-cli-bot)

v18.0.1

18.0.1 (2024-10-02)

Dependencies

• ad9139a #270 bump make-fetch-happen@14.0.0

v18.0.0

18.0.0 (2024-09-26)

⚠️ BREAKING CHANGES

• npm-registry-fetch now supports node ^18.17.0 || >=20.5.0

Bug Fixes

• 93d71a6 #264 align to npm 10 node engine range (@​reggi)

Dependencies

... (truncated)

Changelog

Sourced from npm-registry-fetch's changelog.

19.1.1 (2025-11-13)

Dependencies

• 360ec4e #282 @npmcli/redact@4.0.0
• c703622 #282 minipass-fetch@5.0.0
• 61662d9 #282 ssri@13.0.0
• 4ab8c96 #282 proc-log@6.0.0

Chores

• 10ecc6a #282 @npmcli/eslint-config@6.0.0 (@​wraithgar)
• 139321c #282 @npmcli/template-oss@4.28.0 (@​wraithgar)

19.1.0 (2025-10-28)

Features

• d8074d6 #280 add signal opt (#280) (@​clemgbld)

19.0.0 (2025-07-24)

⚠️ BREAKING CHANGES

• npm-registry-fetch now supports node ^20.17.0 || >=22.9.0

Bug Fixes

• 364c6c0 #277 align to npm 11 node engine range (@​owlstronaut)

Dependencies

• a94aa45 #277 npm-package-arg@13.0.0
• 743188b #277 make-fetch-happen@15.0.0

Chores

• 563fda6 #277 cacache@20.0.0 (@​owlstronaut)
• d5519d6 #277 template-oss apply fix (@​owlstronaut)
• 894f3a7 #277 @npmcli/template-oss@4.25.0 (@​owlstronaut)

18.0.2 (2024-10-16)

Bug Fixes

• 8044781 #273 log cache hits distinct from fetch (#273) (@​mbtools)

Chores

• 99b99d2 #269 bump cacache from 18.0.4 to 19.0.1 (#269) (@​dependabot[bot])
• bd3f7d1 #272 bump @​npmcli/template-oss from 4.23.3 to 4.23.4 (#272) (@​dependabot[bot], @​npm-cli-bot)

18.0.1 (2024-10-02)

Dependencies

• ad9139a #270 bump make-fetch-happen@14.0.0

18.0.0 (2024-09-26)

⚠️ BREAKING CHANGES

• npm-registry-fetch now supports node ^18.17.0 || >=20.5.0

Bug Fixes

• 93d71a6 #264 align to npm 10 node engine range (@​reggi)

Dependencies

• 78aa620 #266 bump minizlib from 2.1.2 to 3.0.1 (#266)
• 842f324 #264 proc-log@5.0.0
• b394f34 #264 npm-package-arg@12.0.0
• c2b986a #264 minipass-fetch@4.0.0
• 351e1f4 #264 @npmcli/redact@3.0.0

Chores

... (truncated)

Commits

• 844230f chore: release 19.1.1 (#283)
• 10ecc6a chore: @​npmcli/eslint-config@​6.0.0
• 139321c chore: @​npmcli/template-oss@​4.28.0
• 360ec4e deps: @​npmcli/redact@​4.0.0
• c703622 deps: minipass-fetch@5.0.0
• 61662d9 deps: ssri@13.0.0
• 4ab8c96 deps: proc-log@6.0.0
• f45ac32 chore: release 19.1.0 (#281)
• d8074d6 feat: add signal opt (#280)
• a50fb07 chore: release 19.0.0 (#278)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for npm-registry-fetch since your current version.

Updates npm-user-validate from 1.0.0 to 4.0.0

Release notes

Sourced from npm-user-validate's releases.

v4.0.0

4.0.0 (2025-10-22)

⚠️ BREAKING CHANGES

• npm-user-validate now supports node ^20.17.0 || >=22.9.0

Bug Fixes

• b0ac0b9 #88 align to npm 11 node engine range (#88) (@​owlstronaut)

Chores

• 93b35f4 #82 postinstall workflow updates (#82) (@​owlstronaut)
• 404eb52 #87 bump @​npmcli/template-oss from 4.26.0 to 4.27.1 (#87) (@​dependabot[bot], @​npm-cli-bot)

v3.0.0

3.0.0 (2024-09-03)

⚠️ BREAKING CHANGES

• npm-user-validate now supports node ^18.17.0 || >=20.5.0

Bug Fixes

• 5495eff #77 align to npm 10 node engine range (@​hashtagchris)

Chores

• 4ad3de2 #77 run template-oss-apply (@​hashtagchris)
• 4ef1235 #75 bump @​npmcli/eslint-config from 4.0.5 to 5.0.0 (@​dependabot[bot])

[acquia-stalebot-platauto]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Please remove the stale label to avoid it being closed. Thank you for your contributions. More info: https://github.com/acquia/devops-github-administration/blob/main/docs/operations_related_to_repositories.md#acquia-stale-bot