
build(deps): bump the npm-deps group with 11 updates #6235

Merged: FlowCryptRobot merged 2 commits into master from dependabot/npm_and_yarn/npm-deps-3a6f1a250f on Jun 1, 2026

@dependabot dependabot Bot commented on behalf of github May 31, 2026

Bumps the npm-deps group with 11 updates:

| Package | From | To |
| --- | --- | --- |
| dompurify | 3.4.5 | 3.4.7 |
| squire-rte | 2.4.5 | 2.4.6 |
| eslint | 10.4.0 | 10.4.1 |
| googleapis | 172.0.0 | 173.0.0 |
| lint-staged | 17.0.5 | 17.0.7 |
| mailparser | 3.9.8 | 3.9.9 |
| pdfjs-dist | 5.7.284 | 6.0.227 |
| puppeteer | 25.0.4 | 25.1.0 |
| typescript-eslint | 8.59.4 | 8.60.0 |
| web-ext | 10.2.0 | 10.3.0 |
| webpack-cli | 7.0.2 | 7.0.3 |

Updates dompurify from 3.4.5 to 3.4.7

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.7

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @​offset
  • Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

  • Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
  • Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
  • Added more test coverage for IN_PLACE and general DOM Clobbering attacks
  • Bumped several dependencies where possible
Commits

Updates squire-rte from 2.4.5 to 2.4.6

Changelog

Sourced from squire-rte's changelog.

[2.4.6] - 2026-05-26

Fixed

  • Fix IndexSizeError when pressing Delete after a stale squire-selection-start/squire-selection-end bookmark marker was left in the DOM (e.g. via setHTML, pasted HTML, or an unpaired save/restore cycle). Any straggler markers are now swept on each bookmark read, and the range is only reconstructed when the start marker actually precedes the end marker in document order.

Changed

  • styleToSemantic now sets font-family, font-size and color via the element style property rather than serialising them into a style attribute string, avoiding the security risks of CSS parsing.
Commits

Updates eslint from 10.4.0 to 10.4.1

Release notes

Sourced from eslint's releases.

v10.4.1

Bug Fixes

  • e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#20930) (Francesco Trotta)
  • d4ce898 fix: propagate failures from delegated commands (#20917) (Minh Vu)
  • f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#20916) (kuldeep kumar)
  • c5bc78b fix: false positive for reference in finally block (#20655) (Tanuj Kanti)
  • 27538c0 fix: add missing CodePath and CodePathSegment types (#20853) (Pixel998)

Documentation

  • 61b0add docs: remove deprecated rule from related rules of max-params (#20921) (Tanuj Kanti)
  • 305d5b9 docs: remove deprecated rules from related rules section (#20911) (Tanuj Kanti)
  • 49b0202 docs: fix display: none of ad (#20901) (Tanuj Kanti)
  • 9067f94 docs: switch build to Node.js 24 (#20893) (Milos Djermanovic)
  • c91b041 docs: Update README (GitHub Actions Bot)
  • e349265 docs: clarify semver strings in rule deprecation objects (#20885) (Milos Djermanovic)

Chores

  • b0e466b test: add data property to invalid tests cases for rules (#20924) (Tanuj Kanti)
  • f78838b test: add CodePath type coverage (#20904) (Pixel998)
  • 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#20922) (Francesco Trotta)
  • 002942c ci: declare contents:read on update-readme workflow (#20919) (Arpit Jain)
  • 64bca24 chore: update ecosystem plugins (#20912) (ESLint Bot)
  • 6d7c832 chore: ignore fflate updates in renovate (#20908) (Pixel998)
  • b2c8638 ci: bump pnpm/action-setup from 6.0.7 to 6.0.8 (#20889) (dependabot[bot])
  • a9b8d7f chore: increase maxBuffer for ecosystem tests (#20881) (sethamus)
  • b702ead chore: update ecosystem update PR settings (#20884) (Pixel998)
  • 507f60e chore: update ecosystem plugins (#20882) (ESLint Bot)
  • 92f5c5b test: add unit test for message-count (#20878) (kuldeep kumar)
  • df32108 chore: add @​eslint/markdown and typescript-eslint ecosystem tests (#20837) (sethamus)
  • 327f91d chore: use includeIgnoreFile internally (#20876) (Kirk Waiblinger)
  • f0dc4bd chore: pin fflate@0.8.2 (#20877) (Milos Djermanovic)
  • 0f4bd25 ci: run Discord alert for ecosystem test failures (#20873) (Copilot)
Commits
  • 4a3d15a 10.4.1
  • 43e7e2b Build: changelog update for 10.4.1
  • e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#20930)
  • b0e466b test: add data property to invalid tests cases for rules (#20924)
  • d4ce898 fix: propagate failures from delegated commands (#20917)
  • f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#20916)
  • f78838b test: add CodePath type coverage (#20904)
  • 61b0add docs: remove deprecated rule from related rules of max-params (#20921)
  • 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#20...
  • 002942c ci: declare contents:read on update-readme workflow (#20919)
  • Additional commits viewable in compare view

Updates googleapis from 172.0.0 to 173.0.0

Release notes

Sourced from googleapis's releases.

googleapis: v173.0.0

173.0.0 (2026-05-28)

⚠ BREAKING CHANGES

  • This release has breaking changes.

Features

Commits

Updates lint-staged from 17.0.5 to 17.0.7

Release notes

Sourced from lint-staged's releases.

v17.0.7

Patch Changes

v17.0.6

Patch Changes

  • #1803 bdf2770 - Run all tests with Deno, in addition to Node.js and Bun.

  • #1796 7508272 - Fix performance regression of lint-staged v17 by going back to using git add to stage task modifications. This was changed to git update-index --again in v17 for less manual work, but unfortunately the update-index command gets slower in very large Git repos.

  • #1797 7b2505a - This version of lint-staged uses the new staged publishing for npm packages feature. Releases are already published from GitHub Actions with trusted publishing, but now an additional approval with two-factor authentication is also required.

  • #1802 321b0a9 - Downgrade dependency tinyexec@1.2.2 to avoid issues in version 1.2.3.

Changelog

Sourced from lint-staged's changelog.

17.0.7

Patch Changes

17.0.6

Patch Changes

  • #1803 bdf2770 - Run all tests with Deno, in addition to Node.js and Bun.

  • #1796 7508272 - Fix performance regression of lint-staged v17 by going back to using git add to stage task modifications. This was changed to git update-index --again in v17 for less manual work, but unfortunately the update-index command gets slower in very large Git repos.

  • #1797 7b2505a - This version of lint-staged uses the new staged publishing for npm packages feature. Releases are already published from GitHub Actions with trusted publishing, but now an additional approval with two-factor authentication is also required.

  • #1802 321b0a9 - Downgrade dependency tinyexec@1.2.2 to avoid issues in version 1.2.3.

Commits
  • cd11fec Merge pull request #1807 from lint-staged/changeset-release/main
  • 15a8ee0 chore(changeset): release
  • 797bbd9 Merge pull request #1808 from lint-staged/add-stashing-faq
  • 504e307 docs: add FAQ entry on how stashing works
  • eff5cd1 Merge pull request #1806 from lint-staged/update-tinyexec
  • e692e58 build(deps): update tinyexec@^1.2.4
  • a2dd4ea Merge pull request #1805 from lint-staged/update-github-templates
  • c928519 docs: update GitHub templates
  • 094ba56 Merge pull request #1798 from lint-staged/changeset-release/main
  • 88e19fe chore(changeset): release
  • Additional commits viewable in compare view

Updates mailparser from 3.9.8 to 3.9.9

Changelog

Sourced from mailparser's changelog.

3.9.9 (2026-05-29)

Bug Fixes

Commits

Updates pdfjs-dist from 5.7.284 to 6.0.227

Release notes

Sourced from pdfjs-dist's releases.

v6.0.227

PDF.js 6.0 is a major release that contains a number of API changes, features and bugfixes.

The complete list of changes in this release is shown below. If you're upgrading to PDF.js 6.0 we recommend checking the changes prefixed with [api-minor] and [api-major] since those might require updates to your code.

Changes since v5.7.284

... (truncated)

Commits
  • 241dbab Merge pull request #21355 from Snuffleupagus/INTERNAL_EVT
  • 74db085 Re-factor how "internal" EventBus listeners are handled in the viewer
  • 19d95c8 Merge pull request #21285 from timvandermeij/puppeteer-25
  • b9b7661 Upgrade Puppeteer to version 25.1.0
  • e7f951d Merge pull request #21357 from timvandermeij/fix-browser-test-exit-code
  • 8d5fe52 Fix missing non-zero exit code for failure cases in test.mjs
  • 80c8e62 Merge pull request #21308 from calixteman/bug2036265
  • c7a32c3 Merge pull request #21343 from calixteman/issue9437
  • 3fe3321 Merge pull request #21334 from calixteman/merge_images
  • 3e76bfd Merge pull request #21354 from mozilla/update-locales
  • Additional commits viewable in compare view

Updates puppeteer from 25.0.4 to 25.1.0

Release notes

Sourced from puppeteer's releases.

puppeteer-core: v25.1.0

25.1.0 (2026-05-26)

🎉 Features

🛠️ Fixes

📄 Documentation

🏗️ Refactor

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @​puppeteer/browsers bumped from 3.0.3 to 3.0.4

puppeteer: v25.1.0

25.1.0 (2026-05-26)

🎉 Features

  • roll to Chrome 149.0.7827.2 (af1b9be)

🛠️ Fixes

🏗️ Refactor

... (truncated)

Changelog

Sourced from puppeteer's changelog.

25.1.0 (2026-05-26)

🎉 Features

🛠️ Fixes

🏗️ Refactor

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @​puppeteer/browsers bumped from 3.0.3 to 3.0.4

📄 Documentation

Commits

Updates typescript-eslint from 8.59.4 to 8.60.0

Release notes

Sourced from typescript-eslint's releases.

v8.60.0

8.60.0 (2026-05-25)

🚀 Features

  • rule-tester: added updates of RuleTester from upstream (#12291)

🩹 Fixes

  • playground TS version selector is not working (#12326, #12325)

❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.60.0 (2026-05-25)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

Updates web-ext from 10.2.0 to 10.3.0

Release notes

Sourced from web-ext's releases.

10.3.0 (2026-05-28)

main changes

None

dependencies

  • Updated: dependency tmp to 0.2.6 (#3724)

others

  • chore(deps): bump addons-linter to 10.6.0 (#3725)
  • chore(ci): add cooldown setting to dependabot (#3722)
Commits

Updates webpack-cli from 7.0.2 to 7.0.3

Release notes

Sourced from webpack-cli's releases.

webpack-cli@7.0.3

Patch Changes

  • Improved CLI startup performance and reduced memory usage. (by @​alexander-akait in #4765)

  • Reduced CLI startup CPU and memory usage by caching schema-derived argument metadata, registering only the options present in the arguments, and reading config directories once during default-config discovery. (by @​alexander-akait in #4760)

  • Replace the fastest-levenshtein dependency with a small in-tree implementation used for command/option "did you mean" suggestions. (by @​alexander-akait in #4762)

Changelog

Sourced from webpack-cli's changelog.

7.0.3

Patch Changes

  • Improved CLI startup performance and reduced memory usage. (by @​alexander-akait in #4765)

  • Reduced CLI startup CPU and memory usage by caching schema-derived argument metadata, registering only the options present in the arguments, and reading config directories once during default-config discovery. (by @​alexander-akait in #4760)

  • Replace the fastest-levenshtein dependency with a small in-tree implementation used for command/option "did you mean" suggestions. (by @​alexander-akait in #4762)

Commits
  • 5fb92f3 chore(release): new release (#4711)
  • 00347ed perf(webpack-cli): allocate Levenshtein buffer lazily (#4765)
  • 1b40b72 chore: update ejs (#4764)
  • 2bbb639 refactor(webpack-cli): replace fastest-levenshtein with in-tree implementatio...
  • a467d6e chore(deps): bump the dependencies group across 1 directory with 10 updates (...
  • 183d0e6 perf(webpack-cli): cache schema arguments and use map lookups for options (#4...
  • 5b33f70 chore(deps-dev): bump sass-loader from 16.0.8 to 17.0.0 (#4756)
  • 59f362a chore(deps): bump qs and express (#4758)
  • eaffa0b chore(deps): bump codecov/codecov-action in the dependencies group (#4757)
  • b3498b6 chore(deps): bump the dependencies group with 3 updates (#4754)
  • Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

| Dependency Name | Ignore Conditions |
| --- | --- |
| puppeteer | [>= 21.7.a, < 21.8] |
| pdfjs-dist | [>= 4.0.a, < 4.1] |
| puppeteer | [>= 22.0.a, < 22.1] |
| puppeteer | [>= 22.1.a, < 22.2] |
| puppeteer | [>= 22.3.a, < 22.4] |
| puppeteer | [>= 22.5.a, < 22.6] |
| puppeteer | [>= 22.6.a, < 22.7] |
| puppeteer | [>= 22.4.a, < 22.5] |
| puppeteer | [>= 22.2.a, < 22.3] |
| puppeteer | [>= 22.7.a, < 22.8] |

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the npm-deps group with 11 updates:

| Package | From | To |
| --- | --- | --- |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.4.5` | `3.4.7` |
| [squire-rte](https://github.com/neilj/Squire) | `2.4.5` | `2.4.6` |
| [eslint](https://github.com/eslint/eslint) | `10.4.0` | `10.4.1` |
| [googleapis](https://github.com/googleapis/google-api-nodejs-client) | `172.0.0` | `173.0.0` |
| [lint-staged](https://github.com/lint-staged/lint-staged) | `17.0.5` | `17.0.7` |
| [mailparser](https://github.com/nodemailer/mailparser) | `3.9.8` | `3.9.9` |
| [pdfjs-dist](https://github.com/mozilla/pdf.js) | `5.7.284` | `6.0.227` |
| [puppeteer](https://github.com/puppeteer/puppeteer) | `25.0.4` | `25.1.0` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.59.4` | `8.60.0` |
| [web-ext](https://github.com/mozilla/web-ext) | `10.2.0` | `10.3.0` |
| [webpack-cli](https://github.com/webpack/webpack-cli) | `7.0.2` | `7.0.3` |


Updates `dompurify` from 3.4.5 to 3.4.7
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.4.5...3.4.7)

Updates `squire-rte` from 2.4.5 to 2.4.6
- [Changelog](https://github.com/fastmail/Squire/blob/master/CHANGELOG.md)
- [Commits](https://github.com/neilj/Squire/commits)

Updates `eslint` from 10.4.0 to 10.4.1
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.4.0...v10.4.1)

Updates `googleapis` from 172.0.0 to 173.0.0
- [Release notes](https://github.com/googleapis/google-api-nodejs-client/releases)
- [Commits](googleapis/google-api-nodejs-client@googleapis-v172.0.0...googleapis-v173.0.0)

Updates `lint-staged` from 17.0.5 to 17.0.7
- [Release notes](https://github.com/lint-staged/lint-staged/releases)
- [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md)
- [Commits](lint-staged/lint-staged@v17.0.5...v17.0.7)

Updates `mailparser` from 3.9.8 to 3.9.9
- [Release notes](https://github.com/nodemailer/mailparser/releases)
- [Changelog](https://github.com/nodemailer/mailparser/blob/master/CHANGELOG.md)
- [Commits](nodemailer/mailparser@v3.9.8...v3.9.9)

Updates `pdfjs-dist` from 5.7.284 to 6.0.227
- [Release notes](https://github.com/mozilla/pdf.js/releases)
- [Commits](mozilla/pdf.js@v5.7.284...v6.0.227)

Updates `puppeteer` from 25.0.4 to 25.1.0
- [Release notes](https://github.com/puppeteer/puppeteer/releases)
- [Changelog](https://github.com/puppeteer/puppeteer/blob/main/CHANGELOG.md)
- [Commits](puppeteer/puppeteer@puppeteer-v25.0.4...puppeteer-v25.1.0)

Updates `typescript-eslint` from 8.59.4 to 8.60.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.60.0/packages/typescript-eslint)

Updates `web-ext` from 10.2.0 to 10.3.0
- [Release notes](https://github.com/mozilla/web-ext/releases)
- [Commits](mozilla/web-ext@10.2.0...10.3.0)

Updates `webpack-cli` from 7.0.2 to 7.0.3
- [Release notes](https://github.com/webpack/webpack-cli/releases)
- [Changelog](https://github.com/webpack/webpack-cli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/webpack/webpack-cli/compare/webpack-cli@7.0.2...webpack-cli@7.0.3)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.4.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: squire-rte
  dependency-version: 2.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: eslint
  dependency-version: 10.4.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: googleapis
  dependency-version: 173.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-deps
- dependency-name: lint-staged
  dependency-version: 17.0.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: mailparser
  dependency-version: 3.9.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: pdfjs-dist
  dependency-version: 6.0.227
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-deps
- dependency-name: puppeteer
  dependency-version: 25.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: typescript-eslint
  dependency-version: 8.60.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: web-ext
  dependency-version: 10.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: webpack-cli
  dependency-version: 7.0.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) labels May 31, 2026
@dependabot dependabot Bot requested a review from sosnovsky as a code owner May 31, 2026 22:04
FlowCryptRobot previously approved these changes May 31, 2026
@FlowCryptRobot FlowCryptRobot enabled auto-merge (squash) May 31, 2026 22:04
@FlowCryptRobot FlowCryptRobot merged commit 1477e28 into master Jun 1, 2026
12 checks passed
@FlowCryptRobot FlowCryptRobot deleted the dependabot/npm_and_yarn/npm-deps-3a6f1a250f branch June 1, 2026 09:45