ci(deps): bump the major-updates group across 1 directory with 4 updates

[dependabot]

Bumps the major-updates group with 4 updates in the / directory: js-yaml, typeorm, @types/node and jscpd.

Updates js-yaml from 4.2.0 to 5.0.0

Changelog

Sourced from js-yaml's changelog.

[5.0.0] - 2026-06-20

Added

• Added named exports for schemas, tags, parser events and AST utilities.
• Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
• Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
• Added dump() transform option for changing the generated AST before rendering.
• Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
• Added formal data layers (events and AST) for modular data pipelines.
  • Added low-level parser (to events), presenter and visitor APIs.
• Added the YAML Test Suite to the test set.

Changed

• See the migration guide for upgrade notes.
• Rewritten in TypeScript and reorganized the public API around flat named exports.
• Reduced the set of exported schemas:
  • YAML 1.2 schemas: CORE_SCHEMA (loader default), JSON_SCHEMA, FAILSAFE_SCHEMA.
  • YAML11_SCHEMA, a combination of all YAML 1.1 tags (YAML 1.1 does not specify a schema, only "types").
• load/dump default behaviour is now specified exactly via schemas:
  • load uses CORE_SCHEMA, without !!merge by default.
  • dump uses YAML11_SCHEMA + CORE_SCHEMA for the quoting check, to guarantee backward compatibility by default.
• !!set is now loaded as a JavaScript Set.
• Replaced the Type API with a tags API. Similar, but more precise and simpler. See examples for details. Tags can be defined via defineScalarTag(), defineSequenceTag() and defineMappingTag(), or as a spread + override of an existing tag.
• Renamed Schema.extend() to Schema.withTags().
• Expanded YAML 1.2 conformance and improved handling of directives, document markers, block keys, multiline scalars, tag syntax and other things.
• load() now throws on empty input instead of returning undefined.
• Moved browser builds to the js-yaml/browser export.
• Deprecated the loadAll signature with an iterator (still works, but is a candidate for removal).

Removed

• Removed deprecated safeLoad(), safeLoadAll() and safeDump() exports.
• Removed DEFAULT_SCHEMA and the nested types export.
• Removed loader options onWarning, legacy and listener.
• Removed dumper options styles, replacer, noCompatMode, condenseFlow, quotingType and forceQuotes. Renamed noArrayIndent to seqNoIndent. Formatting and representation are now configured through presenter options,

... (truncated)

Commits

• 75148bc 5.0.0 released
• 704b25d Quote document markers followed by whitespace
• 42dea28 Support complex !!pairs keys with realMapTag
• 6cf374e Fix dumping strings that collide with YAML markers
• 65b8d94 Clarify !!omap/!!pairs support
• 33e3640 Move tagname helpers to common/ and remove unused exports
• 4dd582b Cleanup export types
• 39b3792 Add types export
• 0cd01e9 docs: update for v5
• c5a61a4 Fix presenter coverage
• Additional commits viewable in compare view

Updates typeorm from 0.3.30 to 1.0.0

Release notes

Sourced from typeorm's releases.

1.0.0

TypeORM v1.0 is here! 🥳

👉 For a structured walk-through of the changes in v1.0 — breaking changes, new features, security fixes, and the upgrade path from 0.3.x — see the v1.0 Release Notes.

This release includes breaking changes. See the v1.0 Upgrade Guide

What's Changed

• fix: include joined entity primary keys in pagination subquery by @​mag123c in typeorm/typeorm#11669
• feat(postgres): add support for PostgreSQL indices by @​freePixel in typeorm/typeorm#11318
• refactor!: remove legacy expo driver by @​G0maa in typeorm/typeorm#11860
• fix(cockroachdb): preserve structured query results during txn retry replay by @​naorpeled in typeorm/typeorm#11861
• docs: add version dropdown (stable/dev) to master by @​naorpeled in typeorm/typeorm#11862
• docs: link to queryrunner api docs from top level queryrunner page by @​hughrawlinson in typeorm/typeorm#11869
• feat: add error handling and log warning for ormconfig loading failures by @​Cprakhar in typeorm/typeorm#11871
• refactor: remove shajs by @​G0maa in typeorm/typeorm#11864
• ci: setup pnpm by @​alumni in typeorm/typeorm#11881
• chore(docs): move to PNPM by @​naorpeled in typeorm/typeorm#11884
• feat: add better typing for conditions in increment and decrement of EntityManager by @​OSA413 in typeorm/typeorm#11294
• fix: getPendingMigrations unnecessarily creating migrations table by @​pkuczynski in typeorm/typeorm#11672
• fix: copy cordova query rows affected into query result by @​jacobg in typeorm/typeorm#10873
• fix: resolve nameless TableForeignKey on drop foreign key by @​taichunmin in typeorm/typeorm#10744
• feat(docs): add Kapa.ai widget for AI-powered documentation assistance by @​dlhck in typeorm/typeorm#11891
• fix: virtual property handling in schema builder by @​skyran1278 in typeorm/typeorm#11000
• fix(mongo): correctly process embedded arrays of nested documents by @​mciuchitu in typeorm/typeorm#10940
• feat(postgres): use ADD VALUE when changing enum values if possible by @​janzipek in typeorm/typeorm#10956
• test: add mutation testing and mutation score badge by @​OSA413 in typeorm/typeorm#11253
• fix: change import for process dependency by @​yohannpoli in typeorm/typeorm#11248
• chore(tests): adapt Stryker mutator to pnpm and fix markup in README for badges by @​OSA413 in typeorm/typeorm#11893
• chore(tests): send only mutation score to the Stryker dashboard by @​OSA413 in typeorm/typeorm#11895
• fix: fix working with tables with quotes in the names for postgres and cockroachdb by @​iskalyakin in typeorm/typeorm#10993
• refactor: replace uuid with native Crypto API by @​mag123c in typeorm/typeorm#11769
• fix(mysql): getVersion returning undefined for PolarDB-X 2.0 by @​Missna in typeorm/typeorm#11837
• test: align file names by @​gioboa in typeorm/typeorm#11898
• ci: ensure pull request follow conventional commits spec by @​pkuczynski in typeorm/typeorm#11840
• feat(qodo): enable new review experience by @​naorpeled in typeorm/typeorm#11909
• test: modify tests to confirm ON CONFLICT ON CONSTRAINT on PostgreSQL/CockroachDB by @​Cprakhar in typeorm/typeorm#11908
• feat: add support for installing additional postgres extensions by @​Cprakhar in typeorm/typeorm#11888
• feat: add deferrable support to exclusion decorator to mirror unique and index decorators by @​oGAD31 in typeorm/typeorm#11802
• chore(mutation testing): tweak Stryker for lower resource usage and decrease timeout for slow running mutants by @​OSA413 in typeorm/typeorm#11901
• fix: raw select query with correctly ordered selected columns by @​Cprakhar in typeorm/typeorm#11902
• docs: fix typo 'spass' to 'pass' by @​guoxk-me in typeorm/typeorm#11919
• chore: align master with v0.3 by @​gioboa in typeorm/typeorm#11912
• fix: update child's mpath by @​JoseCToscano in typeorm/typeorm#10844
• test: verify column names when using referencedColumnName in composite relations by @​Cprakhar in typeorm/typeorm#11883
• fix: merging into an entity now respects null values by @​knoid in typeorm/typeorm#11154
• fix: handle re-save of postgres geometric types by @​Cprakhar in typeorm/typeorm#11857
• fix(sqlite): handle simple-enum arrays correctly by @​Cprakhar in typeorm/typeorm#11865
• fix: fix up map objects comparison by @​mgohin in typeorm/typeorm#10990
• feat: support INSERT INTO ... SELECT FROM ... in QueryBuilder by @​Cprakhar in typeorm/typeorm#11896

... (truncated)

Changelog

Sourced from typeorm's changelog.

1.0.0 (2026-05-19)

👉 For a structured walk-through of the changes in v1.0 — breaking changes, new features, security fixes, and the upgrade path from 0.3.x — see the v1.0 Release Notes.

The list below is the set of commits between 0.3.30 and 1.0.0 — fixes already shipped on the 0.3.x line are listed under their respective 0.3.x entries below.

• feat!: drop support for node 16 and 18 (#11382) (349d910), closes #11382

Bug Fixes

• cascade: propagate withDeleted to relation-id loader for many-to-many recover (#12287) (cfba9e7)
• cascade: support cascade remove for OneToMany relations with composite PKs (#12286) (09183c8)
• cli: preserve devDependencies needed by init command in published package (#12281) (c3b771c)
• cockroachdb: preserve structured query results during txn retry replay (#11861) (09db48c)
• codemod: apply find-options select/relations rewrites to .exists() too (#12399) (4461063)
• codemod: correct relation-count guidance and flag loadRelationCountAndMap (#12374) (5de5490)
• codemod: cover ColumnMetadata args.options in column option rewrites (#12400) (7a68cf2)
• codemod: exclude type declarations from build (#12292) (4c645f0)
• codemod: handle aliases, quoted keys, and ObjectProperty variants (#12377) (2d15644)
• codemod: handle lock option objects correctly and increase test coverage (#12353) (b871719)
• codemod: handle typeof type queries and use getStringValue consistently (#12379) (dedea37)
• codemod: harden destructure and DI accessor rewrites for connection to dataSource rename (#12398) (057ddbc)
• codemod: harden scope and type-name detection across more AST shapes (#12394) (9d1fd8d)
• codemod: harden scope, idempotency, and import-strip semantics (#12391) (ed5a19b)
• codemod: recognize typeorm deep-path imports (#12382) (a96b097)
• codemod: rename .connection on EntityMetadata, ColumnMetadata, IndexMetadata (#12383) (8a51e30), closes #12249
• codemod: rewrite typeorm re-exports in barrel files (#12373) (25f0b5f)
• codemod: scope v1 transforms to typeorm imports and skip .d.ts files (#12372) (a34fdb2)
• codemod: track DataSource accessor chains for typed-variable renames (#12385) (14a3132)
• copy cordova query rows affected into query result (#10873) (ad22c10)
• disable global order for aggregate functions (#11925) (2efb2a1)
• do not run npm install during CLI init (#12386) (66aa930)
• docs: add lunr as explicit dependency for pnpm strict hoisting (f4d435e)
• docs: align code style (#12081) (5f6eb4c)
• docs: complete Typesense removal missed during cherry-pick (eb7a5b6)
• docs: update docs pnpm lockfile for new dependencies (4123db9)
• eager load relation strategy (#11326) (5797d97)
• enhance upsert functionality for proper sql generation with table alias (#11915) (42ce630)
• expo: auto-load expo-sqlite driver via loadDependencies() (#12363) (212c8ef)
• fix up change detection with date transformer (#11963) (e3e3c97)
• fix up generated query with .update() (#11993) (fe6c072)
• fix up join attributes inside bracket (#11218) (d233daa)
• fix up map objects comparison (#10990) (f66eee7)
• fix up save with eagerly loaded relation (#11975) (f5cea95)
• fix working with tables with quotes in the names for postgres and cockroachdb (#10993) (e5a8afb)
• handle re-save of postgres geometric types (#11857) (65dea3c)
• handle relation ids in nested embedded entities (#11942) (5237bee)
• include joined entity primary keys in pagination subquery (#11669) (4ffe666)
• make shorten method to properly work with camelCase_aliases (#11283) (8a9a376)
• merging into an entity now respects null values (#11154) (1676484)

... (truncated)

Commits

• cf3f13f docs: restyle version dropdown for v1 release (#12514)
• 6997b23 chore: release v1.0.0 (#12510)
• df09802 fix(cockroachdb): adjust join in loadTables to load correct table columns (#1...
• f5cc456 fix(find-options): allow array values in JsonContains (#12420)
• 9440998 fix(mysql)!: use index identifiers instead of raw SQL in QB.useIndex() (#12...
• a4f26af chore(deps): bump the github-actions-official group with 3 updates (#12483)
• ac2ffc6 chore(deps): bump the github-actions-third-party group with 3 updates (#12484)
• 62948a3 revert: fix up limit with joins (#12478)
• c2b788f ci: pin all GitHub Actions to commit SHAs (#12481)
• 9284c16 fix(security): validate limit() in Update/SoftDelete query builders (#12436)
• Additional commits viewable in compare view

Updates @types/node from 25.9.2 to 26.0.0

Commits

• See full diff in compare view

Updates jscpd from 4.2.4 to 5.0.11

Release notes

Sourced from jscpd's releases.

Release v5.0.10

cpd (Rust) v5.0.10

Bug Fixes

• Emit scan-root-relative paths in all reporters when absolute: false (or the default). Previously, jscpd /abs/path from a different CWD left absolute paths in SARIF/JSON/XML/HTML/CSV/Markdown/console output, and Windows/macOS path canonicalization could leave \\?\ or ./ prefixes. Paths are now normalized against the canonicalized scan root (with CWD fallback) and stripped of any leading ./ or .\\ component. Fixes #827
• Fix --skip-local to match jscpd v4 TypeScript semantics: it now filters clones where both fragments are under the same scan root, instead of only skipping clones in the same parent directory

Refactoring

• DRY duplication in reporters: extract shared helpers (print_clone_header, print_clone_locations, print_snippet, write_report_file, report statistics, test fixtures, etc.) into cpd-reporter/src/shared.rs. Console, console-full, CSV, JSON, HTML, Markdown, silent, XML, and SARIF reporters now reuse the same implementation, reducing the monorepo's reported duplication ratio from 5.0% to 0.56% and fixing a latent --absolute path relativization bug in the same pass
• Move blame enrichment from gitoxide to git blame --porcelain; capture elapsed time after blame so timing includes blame work
• Resolve needless_borrow clippy warnings in CSV and Markdown reporters

Documentation

• Add Nix and Homebrew install instructions to Rust READMEs. #818
• Update project homepage URLs to https://jscpd.dev in all Cargo.toml and npm package.json files, add curl install method to READMEs, clean up outdated badges
• Remove defunct Universal Analytics tracking pixels from all READMEs

Published Packages

• cpd-core@0.1.5 on crates.io
• cpd-finder@0.1.8 on crates.io
• cpd-reporter@0.1.7 on crates.io
• cpd-tokenizer@0.1.6 on crates.io
• jscpd@5.0.10 on crates.io
• cpd@5.0.10 on npm
• jscpd@5.0.10 on npm
• cpd-darwin-arm64@5.0.10 on npm
• cpd-darwin-x64@5.0.10 on npm
• cpd-linux-x64-gnu@5.0.10 on npm
• cpd-linux-arm64-gnu@5.0.10 on npm
• cpd-linux-x64-musl@5.0.10 on npm
• cpd-windows-x64-msvc@5.0.10 on npm

Install

npm install -g cpd
# or
npm install -g jscpd
# or
cargo install jscpd

v5.0.9

New Features

• GitHub Action for jscpd (Rust v5) — jscpd-copy-paste-detector action for GitHub Actions Marketplace. Scan your repo for copy/paste in CI with uses: kucherenko/jscpd/.github/workflows/action.yml@v5

... (truncated)

Changelog

Sourced from jscpd's changelog.

5.0.11

New Features

• Razor (.razor) support — new tokenizer for Razor files in the Rust backend (thanks to @​chrisc-onaorg in #829)

Dependencies

• cpd-core bumped to 0.1.6, cpd-tokenizer bumped to 0.1.7

---

5.0.10

Bug Fixes

• Emit scan-root-relative paths in all reporters when absolute: false. Fixes #827
• Fix --skip-local to match jscpd v4 TypeScript semantics

Refactoring

• DRY duplication in reporters: extract shared helpers into cpd-reporter/src/shared.rs
• Move blame enrichment from gitoxide to git blame --porcelain

---

5.0.9

New Features

• GitHub Action for jscpd (Rust v5) — jscpd-copy-paste-detector action for GitHub Actions Marketplace. Scan your repo for copy/paste in CI with uses: kucherenko/jscpd/.github/workflows/action.yml@v5

Bug Fixes

• Resolve platform binary resolution when cpd is installed as a nested dependency (e.g. in a project's node_modules via a parent package). The runner now correctly locates the platform-specific binary relative to the installed package rather than assuming a top-level install. Fixes #816

---

5.0.8

Bug Fixes

• Prevent mmap exhaustion crashes when scanning repositories with more files than vm.max_map_count (default 131 072 on Linux). The walker previously held a live Mmap per discovered file; each rayon worker now opens and drops its mapping within the processing closure, capping concurrent mappings to the thread-pool size (typically 8–32). Fixes #813
• Fix --pattern not matching relative paths when the scan root is absolute (e.g. CWD). Patterns like src/**/*.ts now match correctly by comparing against both the relative path and the full absolute path, and bare patterns like *.ts gain a **/ prefix to match at any depth. Fixes #811
• Fix trailing-newline off-by-one in line-count filter: files not ending with \n now count the final line correctly

---

5.0.7

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions