Bump minimatch, lerna and npm in /bubblewrap

[dependabot]

Bumps minimatch to 3.1.5 and updates ancestor dependencies minimatch, lerna and npm. These dependencies need to be updated together.

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates lerna from 6.5.1 to 9.0.5

Release notes

Sourced from lerna's releases.

v9.0.5

9.0.5 (2026-02-28)

Bug Fixes

• bump minimatch from 3.0.5 to 3.1.4 (#4285) (2e3f99e)
• bump tar from 7.5.7 to 7.5.8 (#4273) (bdffd1d)

v9.0.4

9.0.4 (2026-02-10)

Bug Fixes

• bump tar to 7.5.7, rimraf to 6.1.2, @​npmcli/run-script to 10.0.3 (#4267) (43e3d46)

v9.0.3

9.0.3 (2025-11-27)

Bumped some dependencies to reduce audit warning noise.

NOTE: 9.0.2 does not exist because of a failed release

v9.0.1

9.0.1 (2025-11-14)

Bug Fixes

• expand version range to include nx v22.x (#4242) (0cca286)

v9.0.0

9.0.0 (2025-09-23)

Bug Fixes

• publish: ensure README file names are populated on package.json (#4211) (362875d)

Features

• support OIDC trusted publishing (d51e344)

OIDC trusted publishing is now supported by Lerna with no specification configuration required.

• A new guide has been added: https://lerna.js.org/docs/recipes/oidc-trusted-publishing
• A fully working example repo has been set up here https://github.com/JamesHenry/lerna-v9-oidc-publishing-example

BREAKING CHANGES

After updating we strongly recommend running lerna repair in your project. This will migrate your lerna.json to the latest and greatest and remove any outdated options.

... (truncated)

Changelog

Sourced from lerna's changelog.

9.0.5 (2026-02-28)

Bug Fixes

• bump minimatch from 3.0.5 to 3.1.4 (#4285) (2e3f99e)
• bump tar from 7.5.7 to 7.5.8 (#4273) (bdffd1d)

9.0.4 (2026-02-10)

Bug Fixes

• bump tar to 7.5.7, rimraf to 6.1.2, @​npmcli/run-script to 10.0.3 (#4267) (43e3d46)

9.0.3 (2025-11-27)

Note: Version bump only for package lerna

9.0.2 (2025-11-27)

Note: Version bump only for package lerna

9.0.1 (2025-11-14)

Bug Fixes

• expand version range to include nx v22.x (#4242) (0cca286)

9.0.0 (2025-09-23)

Bug Fixes

• publish: ensure README file names are populated on package.json (#4211) (362875d)

Features

• support OIDC trusted publishing (d51e344)

OIDC trusted publishing is now supported by Lerna with no specification configuration required.

• A new guide has been added: https://lerna.js.org/docs/recipes/oidc-trusted-publishing
• A fully working example repo has been set up here https://github.com/JamesHenry/lerna-v9-oidc-publishing-example

BREAKING CHANGES

After updating we strongly recommend running lerna repair in your project. This will migrate your lerna.json to the latest and greatest and remove any outdated options.

As this is a major release there are a few breaking changes to be aware of, which may or may not affect your lerna repos, depending on how you are using the tool.

• node v18 support is dropped because it is end of life

... (truncated)

Commits

• 85b9d95 chore(misc): publish 9.0.5
• 2e3f99e fix: bump minimatch from 3.0.5 to 3.1.4 (#4285)
• bdffd1d fix: bump tar from 7.5.7 to 7.5.8 (#4273)
• 5f3669c chore(misc): publish 9.0.4
• 43e3d46 fix: bump tar to 7.5.7, rimraf to 6.1.2, @​npmcli/run-script to 10.0.3 (#4267)
• 215ff00 chore(misc): publish 9.0.3
• b1b2166 chore(misc): publish 9.0.2
• 6c1ea96 chore(deps): bump js-yaml from 4.1.0 to 4.1.1 (#4245)
• 9df335a chore(misc): publish 9.0.1
• 0cca286 fix: expand version range to include nx v22.x (#4242)
• Additional commits viewable in compare view

Updates npm from 9.5.1 to 9.9.4

Changelog

Sourced from npm's changelog.

9.9.4 (2024-11-21)

Dependencies

• 080e201 #7930 hosted-git-info@6.1.3 (#7930)
• 401bb86 #7928 tar@6.2.1
• cfb3b77 #7928 cross-spawn@7.0.6
• 6a5f8a8 #7928 debug@4.3.7
• 72df313 #7928 hosted-git-info@6.1.2

9.9.3 (2024-02-26)

Bug Fixes

• 88ea8c7 #7010 set objectMode for search filter stream (@​lukekarrys)
• 8d9d735 #7010 unpublish: bubble up all errors parsing local package.json (#7049) (@​wraithgar)
• e0e75e5 #7010 unpublish bugfixes (#7039) (@​wraithgar)
• 4d59ce1 #7047 reverse direction of SPDX SBOM dep rels (#7047) (@​bdehamer, @​antonbauhofer)
• 878f22b #7008 properly catch missing url opener error (@​wraithgar)
• 91a8eca #7008 properly catch missing url opener error on interactive prompt (@​wraithgar)

Dependencies

• 1968e0e #7010 spdx-license-ids@3.0.17
• d130576 #7010 spdx-exceptions@2.5.0
• 00f28b8 #7010 signal-exit@4.1.0
• 57096c3 #7010 postcss-selector-parser@6.0.15
• 3ce677e #7010 minipass-fetch@3.0.4
• 89757ed #7010 is-core-module@2.13.1
• bc1e841 #7010 socks@2.8.1
• 01f4049 #7010 ignore-walk@6.0.4
• 15f8982 #7010 function-bind@1.1.2
• 88ff949 #7010 cmd-shim@6.0.2
• 3e298f6 #7010 bin-links@4.0.3
• 35a6286 #7010 are-we-there-yet@4.0.2
• aeb28c4 #7010 agentkeepalive@4.5.0
• edc7e23 #7010 @npmcli/query@3.1.0
• 00a3a08 #7010 tar@6.2.0
• 7f424c3 #7010 ssri@10.0.5
• 79b8538 #7010 semver@7.6.0
• b5faf10 #7010 npm-install-checks@6.3.0
• 2c62266 #7010 node-gyp@9.4.1
• cc0516b #7010 minipass@7.0.4
• 651d362 #7010 json-parse-even-better-errors@3.0.1
• 4b239c6 #7010 glob@10.3.10
• 2f65b46 #7010 fs-minipass@3.0.3
• 6c73ddf #7010 diff@5.2.0
• 73ee6cc #7010 ci-info@4.0.0
• 64715a4 #7010 cacache@17.1.4
• workspace: @npmcli/arborist@6.5.1

... (truncated)

Commits

• 64763a3 chore: release 9.9.4
• 080e201 deps: hosted-git-info@6.1.3 (#7930)
• 401bb86 deps: tar@6.2.1
• cfb3b77 deps: cross-spawn@7.0.6
• 6a5f8a8 deps: debug@4.3.7
• 72df313 deps: hosted-git-info@6.1.2
• 4998adf chore: release 9.9.3
• 77fa150 chore(release): do not exclude docs directory from CLI release commits (#7162)
• 1d4c464 chore: @​npmcli/template-oss@​4.21.3
• 88ea8c7 fix: set objectMode for search filter stream
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.