Skip to content

Bump picomatch#149

Merged
Pbatch merged 1 commit intomainfrom
dependabot/npm_and_yarn/multi-bf05dc1ecf
Apr 4, 2026
Merged

Bump picomatch#149
Pbatch merged 1 commit intomainfrom
dependabot/npm_and_yarn/multi-bf05dc1ecf

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 26, 2026
edited
Loading

Bumps and picomatch. These dependencies needed to be updated together.
Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 26, 2026
JiwaniZakir
JiwaniZakir reviewed Apr 4, 2026
View reviewed changes
Copy link
Copy Markdown

@JiwaniZakir JiwaniZakir left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The package-lock.json updates are straightforward — picomatch 2.3.1→2.3.2 and 4.0.3→4.0.4 across all five affected entries (@rollup/pluginutils, root node_modules/picomatch, rollup-plugin-visualizer, tinyglobby, and vite). Worth noting that yarn.lock was also modified, which suggests the project may be using both package managers simultaneously — having both package-lock.json and yarn.lock committed can lead to divergence between the two lockfiles over time if contributors use different package managers. The yarn.lock changes also include several unrelated reorderings (e.g., @babel/core alias consolidation, @esbuild/android-arm and @esbuild/linux-arm block reordering, @tensorflow/tfjs-core alias trimming) that appear to be incidental churn from running yarn rather than being directly related to the picomatch bump — it would be cleaner to separate those or at least confirm they are intentional and don't mask any meaningful dependency changes.

@dependabot
Bump picomatch
799c1a5 
Bumps  and [picomatch](https://github.com/micromatch/picomatch). These dependencies needed to be updated together.

Updates `picomatch` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@4.0.3...4.0.4)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@4.0.3...4.0.4)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/multi-bf05dc1ecf branch from 4fc4154 to 799c1a5 Compare April 4, 2026 20:57
@Pbatch Pbatch merged commit 5b8e8d1 into main Apr 4, 2026
@Pbatch Pbatch deleted the dependabot/npm_and_yarn/multi-bf05dc1ecf branch April 4, 2026 20:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@JiwaniZakir JiwaniZakir JiwaniZakir left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JiwaniZakir @Pbatch