Skip to content

npm: bump release-it from 14.14.3 to 19.0.5#3493

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot-npm_and_yarn-release-it-19.0.5
Open

npm: bump release-it from 14.14.3 to 19.0.5#3493
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot-npm_and_yarn-release-it-19.0.5

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Sep 22, 2025
edited
Loading

Bumps release-it from 14.14.3 to 19.0.5.

Release notes

Sourced from release-it's releases.

Release 19.0.5

  • Add link to release-it-gitea plugin (bf6f1fbb77797ece76c24b47bb1bcd89a9dbd18b)
  • Bump actions/checkout from 4 to 5 (#1243) (e42e7dce72b1469ac1944a6d9eb6b6a8d987a919) - thanks @​dependabot[bot]!
  • Add OIDC publishing docs (#1245) (9933c0d3a3ea7a06513b01863098445552942fce) - thanks @​mceachen!
  • Bump actions/setup-node from 4 to 5 (#1247) (7d9b77fa7ea8f4772257d675036f691982317c08) - thanks @​dependabot[bot]!
  • Auto-format (96181f33ec493a239b32667bfc30f4c8841488f9)
  • Update dependencies (0b907d1cf621572b06663c5acfe989c422d0bf09)
  • Remove redundant knip entry (ca2f7b516585e115e0fbce7c96d0dbc219d2e665)

Release 19.0.4

  • Replace lodash.get with custom get() function and add tests (#1231) (879a2ef69bb245d28cfe4abe4701ceefaadb6bee) - thanks @​AlejandroRM-DEV!
  • fix: set octokit log to {} instead of null (#1237) (6fc696f324897e133a9443064dfc6ef5dd827871) - thanks @​efstathiosntonas!
  • Update dependencies (2195b7935f7bece7e0f49bd13089fc0eb4f671aa)

Release 19.0.3

  • chore: use node's spawn instead of tinyexec dep (#1227) (fccdf6742ed4051fcd6ee11d890b84f7a34e81c4) - thanks @​efstathiosntonas!
  • Minor housekeeping/formatting (1604dc75ac2370a068c28a9119885d3035d372ac)
  • Add default timeout (mainly for tests) (96d8889251e670fc178e891b62a845bb8009f929)
  • docs(gitlab): update token scope requirements and default secure setting (#1229) (9c7d2b331d35ca6131d9e09e343cc8337d4cfc09) - thanks @​AlejandroRM-DEV!
  • Update dependencies (b792c458a146665c17ea7290cae435034b9f3e87)

Release 19.0.2

  • Bump engines.node from 20.9 → 20.12 (resolves #1219) (a012da6a2ac442a6000a2908d6418e25720525fc)
  • Update dependencies (ebfc5a2a5fc518480910bb628ad7f34f065842b4)

Release 19.0.1

  • Don't throw if no config file is found (2cb4a7e414b1ae593d6ea4cb24e508b4e2970826)

Release 19.0.0

  • Update dependencies (cbe2fa6a5be2d61533b309b0069a2589c34ca77e)
  • v18 → v19 (6f8150a740d5bb4e4d24b1c78f61f244da8afb0d)
  • Housekeeping (41dfaaeabc720bf683e4c8daf527db9786a6adfe)

Release 19.0.0-next.5

  • feat: use c12 to replace cosmiconfig (#1212) (23272f88f6fc81628f3649f42d96bb9148c65ef7) - thanks @​aa900031!
  • Fix lint issues (d585942666d543f956c3c78b88ac35e3374e017b)
  • Remove update-notifier (032c993bd288eb82c1fcdf2251820af06defc639)
  • globby → tinygobby (048b2f8664b136d49c6cf2a088fc5f241b694ed0)
  • execa → tinyexec (27fa5b0853a0cb6bd9b299edaee4f7871b1031a0)

Release 19.0.0-next.4

  • fix(json-schema): change addUntrackedFiles to boolean (#1214) (1c5af4012eecf4bcc8a5a6f1857ff02f03125a18) - thanks @​KyleRoss!
  • Add double dash to separate paths from git command (resolves #1210) (06bccd79bedc5959adb755b1e2c6db4b100888d5)
  • fix: parse boolean values from command line (#1215) (d87fd39a68ea8a789916ae1ba2fe3557c3dd658e) - thanks @​mdvorak!
  • Update dependencies (ea3a19356da20acb1e5fb5b181e22d5105018674)

Release 19.0.0-next.3

  • Minor refactors (c4ef03b71ad9ce35b6560ce3efc12a3579f331c9)
  • Update links in gitlab docs (0750f08b3108d4516841eb43476552168fd8f701)
  • Use request.formData (c774a007ea703bc45dbf0386253790651b56e6f4)

... (truncated)

Changelog

Sourced from release-it's changelog.

Changelog

This document lists breaking changes for each major release.

See the GitHub Releases page for detailed changelogs: https://github.com/release-it/release-it/releases

v19 (2025-04-18)

  • No breaking changes (dependency party)

v18 (2025-01-06)

  • Removed support for Node.js v18.

v17 (2023-11-11)

  • Removed support for Node.js v16.

v16 (2023-07-05)

  • Removed support for Node.js v14.

v15 (2022-04-30)

  • Removed support for Node.js v10 and v12.
  • Removed support for GitLab v12.4 and lower.
  • Removed anonymous metrics (and the option to disable it).
  • Programmatic usage and plugins only through ES Module syntax (import)

Use release-it v14 in legacy environments.

v14 (2020-09-03)

  • Removed global property from plugins. Use this.config[key] instead.
  • Removed deprecated npm.access option. Set this in package.json instead.

v13 (2020-03-07)

  • Dropped support for Node v8
  • Dropped support for GitLab v11.6 and lower.
  • Deprecated scripts are removed (in favor of hooks).
  • Removed deprecated --non-interactive (-n) argument. Use --ci instead.
  • Removed old %s and [REV_RANGE] syntax in command substitutions. Use ${version} and ${latestTag} instead.

v12 (2019-05-03)

  • The --follow-tags argument for git push has been moved to the default configuration. This is only a breaking change if git.pushArgs was not empty (it was empty by default).

... (truncated)

Commits

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot
npm: bump release-it from 14.14.3 to 19.0.5
70ea72a 
Bumps [release-it](https://github.com/release-it/release-it) from 14.14.3 to 19.0.5.
- [Release notes](https://github.com/release-it/release-it/releases)
- [Changelog](https://github.com/release-it/release-it/blob/main/CHANGELOG.md)
- [Commits](release-it/release-it@14.14.3...19.0.5)

---
updated-dependencies:
- dependency-name: release-it
  dependency-version: 19.0.5
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Sep 22, 2025

Labels

The following labels could not be found: npm. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Sep 22, 2025
@auto-assign auto-assign bot requested a review from AlexRogalskiy September 22, 2025 09:14
@dependabot dependabot bot mentioned this pull request Sep 22, 2025
Closed
@socket-security
Copy link

socket-security bot commented Sep 22, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedrepo-link-check@​0.7.3491009181100
Addedchart-csv@​1.0.3621007176100
Addeddeploy-to-gh-pages@​1.3.7731006679100
Added@​changesets/​changelog-github@​0.4.81001006884100
Addedopencollective-postinstall@​2.0.31001007080100
Addedlerna@​4.0.0991007086100
Updatedis-ci@​2.0.0 ⏵ 3.0.11001007281100
Addedchangelog-machine@​1.1.07210010076100
Addedcsvnorm@​1.1.07310010077100
Addedtextlint-rule-alex@​3.0.07310010076100
Added@​cadolabs/​crowdin-cli@​3.0.21731009978100
Added@​commitlint/​cli@​16.3.0991007486100
Addedroadmarks@​1.6.37410010077100
Addedwebtreemap-cli@​2.3.2741009976100
Addeddanger-plugin-spellcheck@​2.1.07510010077100
Added@​bitjson/​npm-scripts-info@​1.0.08910010075100
Addedadr-tools@​2.0.4861007776100
Addedcheck-for-leaks@​1.2.1781009476100
Addedgithub-contributors-list@​1.2.59410010076100
Addedremark-preset-davidtheclark@​0.12.0761008078100
Addedlerna-update-wizard@​1.1.29410010076100
Addedtextlint-rule-common-misspellings@​1.0.186100927770
Addedtextlint@​12.6.1971007791100
Addedimport-conductor@​2.6.17810010079100
Addedtempy@​2.0.010010010078100
Addeddockerfile_lint@​0.3.48310010078100
Addedjsonlint@​1.6.31001009078100
Addedgit-cz@​4.9.010010010078100
Addedyalc@​1.0.0-pre.539810010078100
Addedyaml-lint@​1.7.09910010078100
Addedalex@​9.1.19310010078100
Addedlicense-checker@​25.0.1991001007880
Addedtextlint-rule-write-good@​2.0.0781008482100
See 46 more rows in the dashboard

View full report

@socket-security
Copy link

socket-security bot commented Sep 22, 2025

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
lodash@3.10.1 has a Critical CVE.

CVE: GHSA-jf85-cpcp-j695 Prototype Pollution in lodash (CRITICAL)

Affected versions: < 4.17.12

Patched version: 4.17.12

From: ?npm/jscs@3.0.7npm/lodash@3.10.1

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash@3.10.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

@AlexRogalskiy AlexRogalskiy Awaiting requested review from AlexRogalskiy

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants