Skip to content

Bump minimatch and webpack#4

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-e1cf20b1d3
Open

Bump minimatch and webpack#4
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-e1cf20b1d3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown
Contributor

Removes minimatch. It's no longer used after updating ancestor dependency webpack. These dependencies need to be updated together.

Removes minimatch

Updates webpack from 4.30.0 to 5.108.4

Release notes

Sourced from webpack's releases.

v5.108.4

Patch Changes

v5.108.3

Patch Changes

v5.108.2

Patch Changes

v5.108.1

Patch Changes

  • Fix invalid property access for escaped namespace imports with multi-character mangled export names. (by @​xiaoxiaojx in #21280)

  • Add frames to ProfilingPlugin TracingStartedInBrowser event so the trace loads in Chrome DevTools. (by @​alexander-akait in #21269)

v5.108.0

Minor Changes

  • Treat top-level await and import.meta as ES module markers, matching Node.js syntax detection so no explicit module type is needed. (by @​alexander-akait in #21218)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.108.4

Patch Changes

5.108.3

Patch Changes

5.108.2

Patch Changes

5.108.1

Patch Changes

  • Fix invalid property access for escaped namespace imports with multi-character mangled export names. (by @​xiaoxiaojx in #21280)

  • Add frames to ProfilingPlugin TracingStartedInBrowser event so the trace loads in Chrome DevTools. (by @​alexander-akait in #21269)

... (truncated)

Commits
  • bb9ccfd chore(release): new release (#21319)
  • 7639066 fix: invalidate provided-exports cache with lazy barrel (#21326)
  • ae28c54 perf: reduce CPU and memory overhead of the HTML and CSS pipelines (#21332)
  • e6fb547 perf: re-encode the HTML AST as struct-of-arrays behind a path-based visitor ...
  • 5ce1c22 fix(html): resolve asset URLs against <base href> (#21329)
  • 0e43c4a test(html): cover generateError, ignored-source, and null-character parse pat...
  • cebd793 refactor: build export-presence guards from a lazy boolean formula (#21320)
  • c2628cf fix: don't resolve new URL() directory references as modules (#21312)
  • 00d8b2f perf: speed up non-CSS-Modules CSS parsing by skipping unused AST work (#21324)
  • f7a3f6d perf: reduce HTML parser memory and CPU with parser-level skip options (#21323)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for webpack since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Removes [minimatch](https://github.com/isaacs/minimatch). It's no longer used after updating ancestor dependency [webpack](https://github.com/webpack/webpack). These dependencies need to be updated together.


Removes `minimatch`

Updates `webpack` from 4.30.0 to 5.108.4
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v4.30.0...v5.108.4)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-version:
  dependency-type: indirect
- dependency-name: webpack
  dependency-version: 5.108.4
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 17, 2026
@joostfaassen

Copy link
Copy Markdown
Member

🤖 Dependabot PR processing skill — risk assessment

Acting on behalf of Joost Faassen.

Decision

Do not merge automatically — assessed risk: high

What changed

Title Bump minimatch and webpack
Semver major (4.30.05.108.4)
Files (2) package-lock.json, package.json
Diff size +2243 / −2999

Why this was not merged automatically

  1. This looks like a major semver jump (4.30.05.108.4).
  2. Major dependency upgrades can introduce breaking API or runtime changes.
  3. Left open for human review.

Checks considered

  • Pull request is mergeable with a clean merge state
  • No failing / timed-out / cancelled required checks observed
  • Diff inspected for manifests/lockfiles only vs unexpected paths
  • Package/path screened against sensitive dependency patterns

Automated assessment by the Dependabot PR processing skill. Detail stays in this comment; the merge commit message is kept short on purpose.

1 similar comment
@joostfaassen

Copy link
Copy Markdown
Member

🤖 Dependabot PR processing skill — risk assessment

Acting on behalf of Joost Faassen.

Decision

Do not merge automatically — assessed risk: high

What changed

Title Bump minimatch and webpack
Semver major (4.30.05.108.4)
Files (2) package-lock.json, package.json
Diff size +2243 / −2999

Why this was not merged automatically

  1. This looks like a major semver jump (4.30.05.108.4).
  2. Major dependency upgrades can introduce breaking API or runtime changes.
  3. Left open for human review.

Checks considered

  • Pull request is mergeable with a clean merge state
  • No failing / timed-out / cancelled required checks observed
  • Diff inspected for manifests/lockfiles only vs unexpected paths
  • Package/path screened against sensitive dependency patterns

Automated assessment by the Dependabot PR processing skill. Detail stays in this comment; the merge commit message is kept short on purpose.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant