Bump the javascript-dev group across 1 directory with 7 updates

[dependabot]

Bumps the javascript-dev group with 7 updates in the / directory:

Package	From	To
@babel/preset-env	7.29.0	7.29.2
core-js	3.48.0	3.49.0
jscpd	4.0.8	4.0.9
less	4.5.1	4.6.4
less-loader	12.3.0	12.3.2
lodash	4.17.23	4.18.1
webpack	5.105.0	5.106.1

Updates @babel/preset-env from 7.29.0 to 7.29.2

Release notes

Sourced from @​babel/preset-env's releases.

v7.29.2 (2026-03-16)

👓 Spec Compliance

• babel-parser
  • #17840 [7.x backport] async x => {} must be in leading pos (@​JLHwung)

🐛 Bug Fix

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • #17805 [7.x backport] fix: Properly handle await in finally (@​liuxingbaoyu)
• babel-preset-env
  • #17789 [7.x backport] preset-env include/exclude should accept bugfix plugins (@​JLHwung)

🏠 Internal

• #17813 chore: update eslint peer deps (@​JLHwung)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.1 (2026-02-04)

🐛 Bug Fix

• babel-standalone
  • #17771 [7.x backport] fix: ensure targets.esmodules is validated (@​JLHwung)
• babel-generator
  • #17776 [7.x backport] Fix undefined when 64 indents (@​liuxingbaoyu)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

Commits

• 37d5595 v7.29.2
• 1c0a08d [7.x backport] fix: Properly handle await in finally (#17805)
• 061bf95 [7.x backport] preset-env include/exclude should accept bugfix plugins (#17789)
• See full diff in compare view

Updates core-js from 3.48.0 to 3.49.0

Changelog

Sourced from core-js's changelog.

3.49.0 - 2026.03.16

• Changes v3.48.0...v3.49.0 (373 commits)
• Iterator.range updated following the actual spec version
  • Throw a RangeError on NaN start / end / step
  • Allow null as optionOrStep
• Improved accuracy of Math.{ asinh, atanh } polyfills with big and small values
• Improved accuracy of Number.prototype.toExponential polyfills with big and small values
• Improved performance of atob, btoa, Uint8Array.fromHex, Uint8Array.prototype.setFromHex, and Uint8Array.prototype.toHex, #1503, #1464, #1510, thanks @​johnzhou721
• Minor performance optimization polyfills of methods from Map upsert proposal
• Polyfills of methods from Map upsert proposal from the pure version made generic to make it work with polyfilled and native collections
• Wrap Symbol.for in Symbol.prototype.description polyfill for correct handling of empty string descriptions
• Fixed a modern Safari bug in Array.prototype.includes with sparse arrays and fromIndex
• Fixed one more case (Iterator.prototype.take) of a V8 ~ Chromium < 126 bug
• Forced replacement of Iterator.{ concat, zip, zipKeyed } in the pure version for ensuring proper wrapped Iterator instances as the result
• Fixed proxying .return() on exhausted iterator from some methods of iterator helpers polyfill to the underlying iterator
• Fixed double .return() calling in case of throwing error in this method in the internal iterate helper that affected some polyfills
• Fixed closing iterator on IteratorValue errors in the internal iterate helper that affected some polyfills
• Fixed iterator closing in Array.from polyfill on failure to create array property
• Fixed order of arguments validation in Array.fromAsync polyfill
• Fixed a lack of counter validation on MAX_SAFE_INTEGER in Array.fromAsync polyfill
• Fixed order of arguments validation in Array.prototype.flat polyfill
• Fixed handling strings as iterables in Iterator.{ zip, zipKeyed } polyfills
• Fixed some cases of iterators closing in Iterator.{ zip, zipKeyed } polyfills
• Fixed validation of iterators .next() results an objects in Iterator.{ zip, zipKeyed } polyfills
• Fixed a lack of early error in Iterator.concat polyfill on primitive as an iterator
• Fixed buffer mutation exposure in Iterator.prototype.windows polyfill
• Fixed iterator closing in Set.prototype.{ isDisjointFrom, isSupersetOf } polyfill
• Fixed (updated following the final spec) one more case Set.prototype.difference polyfill with updating this
• Fixed DataView.prototype.setFloat16 polyfill in (0, 1) range
• Fixed order of arguments validation in String.prototype.{ padStart, padEnd } polyfills
• Fixed order of arguments validation in String.prototype.{ startsWith, endsWith } polyfills
• Fixed some cases of Infinity handling in String.prototype.substr polyfill
• Fixed String.prototype.repeat polyfill with a counter exceeding 2 ** 32
• Fixed some cases of chars case in escape polyfill
• Fixed named backreferences in RegExp NCG polyfill
• Fixed some cases of RegExp NCG polyfill in combination with other types of groups
• Fixed some cases of RegExp NCG polyfill in combination with dotAll
• Fixed String.prototype.replace with sticky polyfill, #810, #1514
• Fixed RegExp sticky polyfill with alternation
• Fixed handling of some line terminators in case of multiline + sticky mode in RegExp polyfill
• Fixed .input slicing on result object with RegExp sticky mode polyfill
• Fixed handling of empty groups with global and unicode modes in polyfills
• Fixed URLSearchParam.prototype.delete polyfill with duplicate key-value pairs
• Fixed possible removal of unnecessary entries in URLSearchParam.prototype.delete polyfill with second argument
• Fixed an error in some cases of non-special URLs without a path in the URL polyfill
• Fixed some percent encode cases / character sets in the URL polyfill
• Fixed parsing of non-IPv4 hosts ends in a number in the URL polyfill
• Fixed some cases of '' and null host handling in the URL polyfill
• Fixed host parsing with hostname = host:port in the URL polyfill
• Fixed host inheritance in some cases of file scheme in the URL polyfill

... (truncated)

Commits

• 80adfc4 v3.49.0
• 0ad3e00 fix a modern Safari bug in Array.prototype.includes with sparse arrays and ...
• 853bfa4 update some links
• b4d723f fix a lack of counter validation on MAX_SAFE_INTEGER in Array.fromAsync p...
• e276676 fix parsing of non-IPv4 hosts ends in a number in the URL polyfill
• dd1cfba fix order of arguments validation in String.prototype.{ padStart, padEnd } ...
• b952c5f add an extra protection to configurator
• e490caf Fix for #810 (#1514)
• 10b4e86 drop an unneeded comment
• 28cf2e9 feat: Improve performance of Uint8Array Hex functions (#1510)
• Additional commits viewable in compare view

Updates jscpd from 4.0.8 to 4.0.9

Commits

• See full diff in compare view

Updates less from 4.5.1 to 4.6.4

Release notes

Sourced from less's releases.

Release v4.6.3

Changes

See CHANGELOG.md for details.

Installation

npm install less@4.6.3

Release v4.6.0

Changes

See CHANGELOG.md for details.

Installation

npm install less@4.6.0

Changelog

Sourced from less's changelog.

Change Log

v4.6.0 (2026-03-09)

Bug Fixes

• #4414 Fix pre-existing bugs in tree nodes: selector this binding, atrule parenting, mixin-call error propagation, container/media functionRegistry guard (@​matthew-dean)
• #4408 Fix #4358 Resolve parent selectors in comma-separated pseudo-selector lists (@​matthew-dean)
• #4407 Fix #4331 Exclude CSS at-rule keywords from declarationCall parsing (@​matthew-dean)
• #4389 Fix #4354 Unknown at-rule expression commas (@​puckowski)
• #4404 Fix no-prototype-builtins issues in Ruleset and ToCSSVisitor (@​matthew-dean)
• #4236 Fix import subpath module bug (@​nicolo-ribaudo)
• #4327 Remove duplicate length check from expression.genCSS() (@​nicolo-ribaudo)
• #3791 Handle the lack of optional dependencies (@​nicolo-ribaudo)

Features & Improvements

• #4413 Add JSDoc type annotations for all tree node files (@​matthew-dean)
• #4412 Convert prototype-based tree nodes to ES6 classes (@​matthew-dean)
• #4411 Migrate to native ESM with no build step (@​matthew-dean)
• #4410 Optimize hot paths and fix benchmark infrastructure (@​matthew-dean)
• #4409 Code quality cleanup for container queries and related code (@​matthew-dean)

Deprecation Warnings

• #4402 Add deprecation warnings for features removed in Less 5.x, container query variable name fix, deprecation notice fix (@​matthew-dean, @​puckowski)

Chores

• #4406 Add test for number with underscore parsing (@​matthew-dean)
• #4386 Update README.md copyright (@​matthew-dean)
• #3782 Remove phantom stuff (@​nicolo-ribaudo)
• #3702 Replace deprecated String.prototype.substr() (@​nicolo-ribaudo)
• #4265 Remove redundant return from parsers.blockRuleset() (@​nicolo-ribaudo)
• #4271 Remove unused parsers.entities.propertyCurly() (@​nicolo-ribaudo)

Commits

• See full diff in compare view

Updates less-loader from 12.3.0 to 12.3.2

Release notes

Sourced from less-loader's releases.

v12.3.2

12.3.2 (2026-03-11)

Bug Fixes

• compatibility with ECMA modules less version (#578) (6850f6c)

v12.3.1

12.3.1 (2026-02-05)

Bug Fixes

• update peer dependency for @​rspack/core v2 (#575) (6588093)

Changelog

Sourced from less-loader's changelog.

12.3.2 (2026-03-11)

Bug Fixes

• compatibility with ECMA modules less version (#578) (6850f6c)

12.3.1 (2026-02-05)

Bug Fixes

• update peer dependency for @​rspack/core v2 (#575) (6588093)

Commits

• 4c2051b chore(release): 12.3.2
• 5dd25ec chore(deps): update before release (#579)
• 6850f6c fix: compatibility with ECMA modules less version (#578)
• 8906924 chore(deps): bump minimatch (#577)
• ef02ce4 chore(release): 12.3.1
• 03442c9 chore(deps-dev): bump webpack from 5.100.2 to 5.104.1 (#576)
• 6588093 fix: update peer dependency for @​rspack/core v2 (#575)
• 58f8317 chore(deps): bump js-yaml (#574)
• 983d263 chore(deps): bump lodash from 4.17.21 to 4.17.23 (#573)
• 42fc7a4 docs: update contributing
• Additional commits viewable in compare view

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates webpack from 5.105.0 to 5.106.1

Release notes

Sourced from webpack's releases.

v5.106.1

Patch Changes

• Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @​xiaoxiaojx in #20796)

• Prevent !important from being renamed as a local identifier in CSS modules. (by @​xiaoxiaojx in #20798)

• Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @​xiaoxiaojx in #20799)

v5.106.0

Minor Changes

• Add exportType: "style" for CSS modules to inject styles into DOM via HTMLStyleElement, similar to style-loader functionality. (by @​xiaoxiaojx in #20579)

• Add context option support for VirtualUrlPlugin (by @​xiaoxiaojx in #20449)

  • The context for the virtual module. A string path. Defaults to 'auto', which will try to resolve the context from the module id.
  • Support custom context path for resolving relative imports in virtual modules
  • Add examples demonstrating context usage and filename customization

• Generate different CssModule instances for different exportType values. (by @​xiaoxiaojx in #20590)

• Added the localIdentHashFunction option to configure the hash function to be used for hashing. (by @​alexander-akait in #20694) Additionally, the localIdentName option can now be a function.

• Added support for destructuring assignment require in cjs, allowing for tree shaking. (by @​ahabhgk in #20548)

• Added the validate option to enable/disable validation in webpack/plugins/loaders, also implemented API to make it inside plugins. (by @​xiaoxiaojx in #20275)

• Added source support for async WASM modules. (by @​magic-akari in #20364)

Patch Changes

• Add a static getSourceBasicTypes method to the Module class to prevent errors across multiple versions. (by @​xiaoxiaojx in #20614)

• Included fragment groups in the conflicting order warning for CSS. (by @​aryanraj45 in #20660)

• Avoid rendering unused top-level __webpack_exports__ declaration when output ECMA module library. (by @​hai-x in #20669)

• Fixed resolving in CSS modules. (by @​alexander-akait in #20771)

• Allow external modules place in async chunks when output ECMA module. (by @​hai-x in #20662)

• Implement deprecate flag in schema for better TypeScript support to show which options are already deprecated by the configuration (by @​bjohansebas in #20432)

• Set .name to "default" for anonymous default export functions and classes per ES spec (by @​xiaoxiaojx in #20773)

• Hash entry chunks after runtime chunks to prevent stale content hash references in watch mode (by @​xiaoxiaojx in #20724)

• Fix multiple bugs and optimizations in CSS modules: correct third code point position in walkCssTokens number detection, fix multiline CSS comment regex, fix swapped :import/:export error message, fix comma callback incorrectly popping balanced stack, fix cache comparison missing array length check, fix match.index mutation side effect, move publicPathAutoRegex to module scope, precompute merged callbacks in consumeUntil, simplify redundant ternary in CssGenerator, fix typo GRID_TEMPLATE_ARES, remove duplicate grid-column-start, and merge duplicate getCompilationHooks calls. (by @​xiaoxiaojx in #20648)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.106.1

Patch Changes

• Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @​xiaoxiaojx in #20796)

• Prevent !important from being renamed as a local identifier in CSS modules. (by @​xiaoxiaojx in #20798)

• Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @​xiaoxiaojx in #20799)

5.106.0

Minor Changes

• Add exportType: "style" for CSS modules to inject styles into DOM via HTMLStyleElement, similar to style-loader functionality. (by @​xiaoxiaojx in #20579)

• Add context option support for VirtualUrlPlugin (by @​xiaoxiaojx in #20449)

  • The context for the virtual module. A string path. Defaults to 'auto', which will try to resolve the context from the module id.
  • Support custom context path for resolving relative imports in virtual modules
  • Add examples demonstrating context usage and filename customization

• Generate different CssModule instances for different exportType values. (by @​xiaoxiaojx in #20590)

• Added the localIdentHashFunction option to configure the hash function to be used for hashing. (by @​alexander-akait in #20694) Additionally, the localIdentName option can now be a function.

• Added support for destructuring assignment require in cjs, allowing for tree shaking. (by @​ahabhgk in #20548)

• Added the validate option to enable/disable validation in webpack/plugins/loaders, also implemented API to make it inside plugins. (by @​xiaoxiaojx in #20275)

• Added source support for async WASM modules. (by @​magic-akari in #20364)

Patch Changes

• Add a static getSourceBasicTypes method to the Module class to prevent errors across multiple versions. (by @​xiaoxiaojx in #20614)

• Included fragment groups in the conflicting order warning for CSS. (by @​aryanraj45 in #20660)

• Avoid rendering unused top-level __webpack_exports__ declaration when output ECMA module library. (by @​hai-x in #20669)

• Fixed resolving in CSS modules. (by @​alexander-akait in #20771)

• Allow external modules place in async chunks when output ECMA module. (by @​hai-x in #20662)

• Implement deprecate flag in schema for better TypeScript support to show which options are already deprecated by the configuration (by @​bjohansebas in #20432)

• Set .name to "default" for anonymous default export functions and classes per ES spec (by @​xiaoxiaojx in #20773)

• Hash entry chunks after runtime chunks to prevent stale content hash references in watch mode (by @​xiaoxiaojx in #20724)

... (truncated)

Commits

• a934b9b chore(release): new release (#20808)
• ecb436b fix: use compiler context for CSS modules hash to avoid collisions (#20799)
• c0e8cf4 fix: prevent !important from being renamed in CSS modules (#20798)
• f8d274b fix: anonymous default export name fix-up in ES5 environment (#20796)
• e370b76 chore(deps-dev): bump the dependencies group with 5 updates (#20790)
• 8774a01 chore(release): new release (#20593)
• cc66616 fix: add @deprecated to methods
• 7cdc173 feat: support source phase import for WebAssembly modules (#20364)
• 0b60f1c chore(members): update to match @​webpack/core-wg (#20784)
• 955a68c test: generate snapshots per stats test case (#20785)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions