chore (deps): bump the patch-updates group across 1 directory with 15 updates

[dependabot]

Bumps the patch-updates group with 14 updates in the / directory:

Package	From	To
dompurify	3.4.5	3.4.11
protobufjs	7.6.1	7.6.4
sql-formatter	15.8.0	15.8.2
uuid	14.0.0	14.0.1
@babel/plugin-transform-runtime	7.29.0	7.29.7
@babel/preset-env	7.29.5	7.29.7
@babel/runtime	7.29.2	7.29.7
@codemirror/commands	6.10.3	6.10.4
@codemirror/language	6.12.3	6.12.4
@codemirror/search	6.7.0	6.7.1
@codemirror/view	6.43.0	6.43.3
@puppeteer/browsers	3.0.3	3.0.5
autoprefixer	10.5.0	10.5.2
webpack-dev-server	5.2.4	5.2.5

Updates dompurify from 3.4.5 to 3.4.11

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.11

• Fixed an issue with a leaky config for hooks via setConfig, thanks @​trace37labs
• Bumped vulnerable development dependencies to arrive at plain 0 with npm audit
• Updated the osv-scanner suppression list as no vulnerable dependencies are left for now
• Updated up the linting tool-chain and removed now-redundant lint directives
• Updated the documentation is several spots, README, wiki, etc.
• Bumped several dependencies where possible

DOMPurify 3.4.10

• Refactored codebase for clarity: extracted the public type declarations into types.ts
• Decomposed the three largest sanitizer functions into focused helpers
• Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
• Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
• Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
• Reduced CI cost by running the full three-engine browser suite once per PR
• Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo
• Documented the bench and test:happydom scripts in the README
• Completed the Attack Classes & Bypass History wiki page
• Bumped several dependencies where possible

DOMPurify 3.4.9

• Further improved the handling of Trusted Types config options, thanks @​offset
• Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
• Added more test coverage for IN_PLACE and Trusted Types related usage
• Bumped several dependencies where possible
• Updated README and wiki with more accurate documentation & attack samples

DOMPurify 3.4.8

• Cleaned up the repository root, renamed some and removed unneeded files
• Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
• Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
• Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
• Bumped several dependencies where possible

DOMPurify 3.4.7

• Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
• Removed a problem leading to permanent hook pollution, thanks @​offset
• Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

• Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
• Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
• Added more test coverage for IN_PLACE and general DOM Clobbering attacks
• Bumped several dependencies where possible

Commits

• 0cae518 release: 3.4.11 (#1494)
• 6ee5716 release: 3.4.10 (#1478)
• 5210247 release: 3.4.9 (#1459)
• bcdd828 release: 3.4.8 (#1439)
• ca30f07 release: 3.4.7 (#1414)
• bb7739e release: 3.4.6 (#1394)
• See full diff in compare view

Updates protobufjs from 7.6.1 to 7.6.4

Release notes

Sourced from protobufjs's releases.

protobufjs: v7.6.4

7.6.4 (2026-06-12)

Bug Fixes

• Reconfigure and speed up CI (#2329) (574f761)
• Remove inquire submodule (#2327) (06ddd07)

protobufjs: v7.6.3

7.6.3 (2026-06-09)

Bug Fixes

• Avoid name collisions in generated code (#2311) (78a9576)
• Preserve null conversion behavior for fieldless messages (#2312) (df91652)

protobufjs: v7.6.2

7.6.2 (2026-05-30)

Bug Fixes

• Backport consistency and correctness fixes (#2294) (a92f72e)

Changelog

Sourced from protobufjs's changelog.

7.6.4 (2026-06-12)

Bug Fixes

• Reconfigure and speed up CI (#2329) (574f761)
• Remove inquire submodule (#2327) (06ddd07)

7.6.3 (2026-06-09)

Bug Fixes

• Avoid name collisions in generated code (#2311) (78a9576)
• Preserve null conversion behavior for fieldless messages (#2312) (df91652)

7.6.2 (2026-05-30)

Bug Fixes

• Backport consistency and correctness fixes (#2294) (a92f72e)

Commits

• f8f64ef chore: release protobufjs-v7.x (#2330)
• 574f761 fix: Reconfigure and speed up CI (#2329)
• 06ddd07 fix: Remove inquire submodule (#2327)
• 1d3796d chore: release protobufjs-v7.x (#2317)
• df91652 fix: Preserve null conversion behavior for fieldless messages (#2312)
• 78a9576 fix: Avoid name collisions in generated code (#2311)
• ec90ef9 chore: release protobufjs-v7.x (#2295)
• a92f72e fix: Backport consistency and correctness fixes (#2294)
• See full diff in compare view

Updates sql-formatter from 15.8.0 to 15.8.2

Release notes

Sourced from sql-formatter's releases.

15.8.2

Always keep spaces around - operator in BigQuery (#953) Thanks to @​sarathfrancis90

15.8.1

Fix block-comment placement idempotency issue (#952) Thanks to @​sarathfrancis90

Commits

• 7d58032 Release 15.8.2
• 311c478 fix: keep spaces around - operator in dialects with dashed identifiers (#953)
• 68e8f71 fix: keep spaces around - operator in dialects with dashed identifiers
• f3707ba Release 15.8.1
• b6f936d Turn off verifyDepsBeforeRun
• 502224c Merge branch 'fix-block-comment-idempotency'
• f9304a6 Add Sarath Francis to AUTHORS
• 71c0835 Rewrite comment inside isStandaloneBlockComment()
• 953f228 Reorganize idempotent comment tests
• 54d4cf2 test: cover block comments in more clause positions
• Additional commits viewable in compare view

Updates uuid from 14.0.0 to 14.0.1

Release notes

Sourced from uuid's releases.

v14.0.1

14.0.1 (2026-06-20)

Bug Fixes

• add types condition to node export for moduleResolution bundler (#961) (27ffae5)

Changelog

Sourced from uuid's changelog.

14.0.1 (2026-06-20)

Bug Fixes

• add types condition to node export for moduleResolution bundler (#961) (27ffae5)

Commits

• 7017780 chore(main): release 14.0.1 (#964)
• f2c3e4b chore: fix release-please workflow (#963)
• 27ffae5 fix: add types condition to node export for moduleResolution bundler (#961)
• 664cb31 Remove outdated security contact information (#959)
• d729016 fix(ci): checkout PR head commit in browser workflow (#957)
• 89a5ebc Workflows (#948)
• 196e208 chore: fix workflow (#947)
• 95af448 chore: update workflows (#946)
• 3b57f95 chore: add workflow_dispatch (#944)
• a433096 chore: add 12.x and 13.x maintenance release branches (#941)
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates @babel/plugin-transform-runtime from 7.29.0 to 7.29.7

Release notes

Sourced from @​babel/plugin-transform-runtime's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18014 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #18001 [7.x packport]Improve input source map handling (@​JLHwung)
• babel-core, babel-generator
  • #17998 Preserve original identifier names from input sourcemaps (#17992) (@​Andarist)

Committers: 3

• Huáng Jùnliàng (@​JLHwung)
• Mateusz Burzyński (@​Andarist)
• Nicolò Ribaudo (@​nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

• babel-preset-env
  • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser

... (truncated)

Commits

• 4fba754 v7.29.7
• See full diff in compare view

Updates @babel/preset-env from 7.29.5 to 7.29.7

Release notes

Sourced from @​babel/preset-env's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18014 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #18001 [7.x packport]Improve input source map handling (@​JLHwung)
• babel-core, babel-generator
  • #17998 Preserve original identifier names from input sourcemaps (#17992) (@​Andarist)

Committers: 3

• Huáng Jùnliàng (@​JLHwung)
• Mateusz Burzyński (@​Andarist)
• Nicolò Ribaudo (@​nicolo-ribaudo)

Commits

• 4fba754 v7.29.7
• See full diff in compare view

Updates @babel/runtime from 7.29.2 to 7.29.7

Release notes

Sourced from @​babel/runtime's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18014 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #18001 [7.x packport]Improve input source map handling (@​JLHwung)
• babel-core, babel-generator
  • #17998 Preserve original identifier names from input sourcemaps (#17992) (@​Andarist)

Committers: 3

• Huáng Jùnliàng (@​JLHwung)
• Mateusz Burzyński (@​Andarist)
• Nicolò Ribaudo (@​nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

• babel-preset-env
  • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser

... (truncated)

Commits

• 4fba754 v7.29.7
• See full diff in compare view

Updates @codemirror/commands from 6.10.3 to 6.10.4

Commits

• See full diff in compare view

Updates @codemirror/language from 6.12.3 to 6.12.4

Commits

• See full diff in compare view

Updates @codemirror/search from 6.7.0 to 6.7.1

Commits

• See full diff in compare view

Updates @codemirror/state from 6.6.0 to 6.7.0

Commits

• See full diff in compare view

Updates @codemirror/view from 6.43.0 to 6.43.3

Commits

• See full diff in compare view

Updates @puppeteer/browsers from 3.0.3 to 3.0.5

Release notes

Sourced from @​puppeteer/browsers's releases.

browsers: v3.0.5

3.0.5 (2026-06-22)

🛠️ Fixes

• browsers: add SHA-256 integrity verification for downloaded browser archives (#15093) (65a0a8d)
• browsers: validate channel in CLI launch for system browsers (#15098) (873b993)

browsers: v3.0.4

3.0.4 (2026-05-26)

🛠️ Fixes

• improve progress bar and install (#15042) (51db32a)
• support concurrency in progress bars (#15045) (ab0171d)
• use powershell as fallback to unzip on Windows (#15033) (05f7b18)

🏗️ Refactor

• drop semver (#15029) (058cd5a)
• remove debug dependency (#15023) (94d1e1c)
• remove progress dependency (#15026) (e7d1a14)
• replace tar-fs with modern-tar (#15028) (054afed)

Changelog

Sourced from @​puppeteer/browsers's changelog.

Changelog

Combined changelog for puppeteer and puppeteer-core.

25.2.1 (2026-06-24)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • puppeteer-core bumped from 25.2.0 to 25.2.1

🛠️ Fixes

• regression when using Puppeteer with untrusted sessions (#15150) (801c212)
• roll to Firefox 152.0.2 (#15153) (d2908b2)

25.2.0 (2026-06-22)

🎉 Features

• add page locale emulation (#15075) (c528f65)
• add waitForFunction to webWorkers (#15100) (0bdfa77)
• allow extensions to run over websockets (#15059) (b84d8a1)
• roll to Chrome 150.0.7871.24 (#15126) (b74ed1c)
• roll to Firefox 152.0 (#15125) (87be906)

🛠️ Fixes

• apply allowlist to non-auto-attach sessions (#15136) (5c7a0e0)
• await for Worker script exection (#15099) (dc469b8)
• block service worker registrations (#15135) (d03617c)
• correct screencast frame timing so playback matches real time (#15112) (525b384)
• remove global skipDownload early return to include other configs (#15130) (5b1cb20)
• roll to Firefox 152.0.1 (#15134) (fd12dd6)
• webmcp: invalidate webmcp tools on context destruction (#15068) (8e9c0fa)

Dependencies

... (truncated)

Commits

• 0496143 chore: release main (#15064)
• a7f124c docs: clarify the network allowlist/blocklist implementation (#15148)
• 036503e test: add iframe tests (#15149)
• 2d71ccc chore: fix regression of debug logs (#15147)
• 5b1cb20 fix: remove global skipDownload early return to include other configs (#15130)
• 1106b6e chore(deps): bump the all group in /website with 2 updates (#15143)
• f14e4ad chore(deps): bump actions/checkout from 6.0.3 to 7.0.0 in the all group (#15144)
• 6d120e6 chore(deps): bump node from 40ad9f3 to 032e78d in /docker in the all grou...
• 5c7a0e0 fix: apply allowlist to non-auto-attach sessions (#15136)
• 77c4ffd chore(webmcp): Update WebMCP to Chrome 150 implementation (#15069)
• Additional commits viewable in compare view

Updates autoprefixer from 10.5.0 to 10.5.2

Release notes

Sourced from autoprefixer's releases.

10.5.2

• Moved -webkit-fill-available before -moz-available, so Firefox will use -webkit- version which is closer to stretch.

10.5.1

• Fixed grid-area span reset for overriding areas (by @​puneetdixit200).

Changelog

Sourced from autoprefixer's changelog.

10.5.2

• Moved -webkit-fill-available before -moz-available, so Firefox will use -webkit- version which is closer to stretch.

10.5.1

• Fixed grid-area span reset for overriding areas (by @​puneetdixit200).

Commits

• e99e381 Release 10.5.2 version
• 98de3f5 Move -webkit-fill-available before -moz-available to get a closer to spec res...
• 8fe2513 Release 10.5.1 version
• 60ea651 Update release process
• cbd4a70 Update dependencies
• ffae49f fix: reset grid area spans when overriding areas (#1549)
• d90ad86 Fix CI
• a0f701b Update dependencies
• bb935eb Fix CI
• e63efe4 Move to pnpm 11
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for autoprefixer since your current version.

Updates webpack-dev-server from 5.2.4 to 5.2.5

Release notes

Sourced from webpack-dev-server's releases.

v5.2.5

Patch Changes

• Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #5680)

Changelog

Sourced from webpack-dev-server's changelog.

5.2.5

Patch Changes

• Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #5680)

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

Commits

• c3ee325 chore(release): new release (#5682)
• 60173be feat: add changeset validation and release workflow (#5680)
• 948d5e6 fix(proxy): match the HMR upgrade path exactly like the ws server (#5678)
• 93e8996 fix: skip HMR websocket path when forwarding upgrades to user-defined proxies...
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for webpack-dev-server since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions