build(deps): bump the npm-deps group with 10 updates

[dependabot]

Bumps the npm-deps group with 10 updates:

Package	From	To
dompurify	3.3.2	3.3.3
eslint-plugin-jsdoc	62.7.1	62.8.0
@tony.ganchev/eslint-plugin-header	3.2.6	3.3.1
lint-staged	16.3.2	16.4.0
mailparser	3.9.3	3.9.4
puppeteer	24.37.5	24.39.1
typescript-eslint	8.56.1	8.57.0
undici-types	7.22.0	7.24.3
web-ext	9.4.0	10.0.0
webpack-cli	6.0.1	7.0.0

Updates dompurify from 3.3.2 to 3.3.3

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.3

• Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

Commits

• 8bcbf73 chore: Preparing 3.3.3 release
• 5faddd6 fix: engine requirement (#1210)
• 0f91e3a Update README.md
• d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
• c3efd48 fix: moved back from jsdom 28 to jsdom 20
• 988b888 fix: moved back from jsdom 28 to jsdom 20
• 2726c74 chore: Preparing 3.3.2 release
• 6202c7e build(deps): bump @​tootallnate/once and jsdom (#1204)
• 302b51d fix: Expanded the regex ever so slightly to also cover script
• cd85175 Merge branch 'main' of github.com:cure53/DOMPurify
• Additional commits viewable in compare view

Updates eslint-plugin-jsdoc from 62.7.1 to 62.8.0

Release notes

Sourced from eslint-plugin-jsdoc's releases.

v62.8.0

62.8.0 (2026-03-12)

Features

• tsdoc-ruleset: add recommended TSDoc ruleset (a96bc7c)

Commits

• a96bc7c feat(tsdoc-ruleset): add recommended TSDoc ruleset
• 26276d4 chore(deps-dev): bump rollup from 4.57.1 to 4.59.0
• See full diff in compare view

Updates @tony.ganchev/eslint-plugin-header from 3.2.6 to 3.3.1

Release notes

Sourced from @​tony.ganchev/eslint-plugin-header's releases.

v3.3.1

What's Changed

• fix: regression: she-bangs were treated as part of the initial set of line comments thus failing validation.

Full Changelog: tonyganchev/eslint-plugin-header@v3.3.0...v3.3.1

v3.3.0

What's Changed

• feat: support leading comments before header by @​tonyganchev in tonyganchev/eslint-plugin-header#150

Full Changelog: tonyganchev/eslint-plugin-header@v3.2.6...v3.3.0

Changelog

Sourced from @​tony.ganchev/eslint-plugin-header's changelog.

3.3.1

• fix: regression: shebangs were treated as part of the initial line comments.

3.3.0

• feat: support leading comments before header to enable behavior control to frameworks such as Jest.

Commits

• d6c0ebd fix: regression: shebangs were treated as part of the initial line comments.
• 3734540 chore: bump dependencies
• 980f739 devops: remove overrides
• fda6aff devops: bump pnpm
• f1c135a devopsL bump deps
• d107d9d v3.3.0
• 42065cd feat: support leading comments before header (#150)
• c4df953 devops: bump deps
• See full diff in compare view

Updates lint-staged from 16.3.2 to 16.4.0

Release notes

Sourced from lint-staged's releases.

v16.4.0

Minor Changes

• #1739 687fc90 Thanks @​hyperz111! - Replace micromatch with picomatch to reduce dependencies.

v16.3.4

Patch Changes

• #1742 9d6e827 Thanks @​iiroj! - Update dependencies, including tinyexec@1.0.4 to make sure local node_modules/.bin are preferred to global locations (released in tinyexec@1.0.3).

v16.3.3

Patch Changes

• #1740 0109e8d Thanks @​iiroj! - Make sure Git's warning about CRLF line-endings doesn't interfere with creating initial backup stash.

Changelog

Sourced from lint-staged's changelog.

16.4.0

Minor Changes

• #1739 687fc90 Thanks @​hyperz111! - Replace micromatch with picomatch to reduce dependencies.

16.3.4

Patch Changes

• #1742 9d6e827 Thanks @​iiroj! - Update dependencies, including tinyexec@1.0.4 to make sure local node_modules/.bin are preferred to global locations (released in tinyexec@1.0.3).

16.3.3

Patch Changes

• #1740 0109e8d Thanks @​iiroj! - Make sure Git's warning about CRLF line-endings doesn't interfere with creating initial backup stash.

Commits

• 445f9dd chore(changeset): release
• d91be60 docs: update readme to use picomatch
• b392a9f refactor: extract matchFiles and add unit tests
• 687fc90 refactor: replace micromatch with picomatch
• 26dadf9 chore(changeset): release
• 9d6e827 build(deps): update dependencies
• 8aea986 chore(changeset): release
• 0109e8d fix: strip Git CRLF warning from output
• See full diff in compare view

Updates mailparser from 3.9.3 to 3.9.4

Changelog

Sourced from mailparser's changelog.

3.9.4 (2026-03-09)

Bug Fixes

• bump nodemailer to 8.0.2 for unquoted comma-in-display-name parsing (dd71f08)
• filter false values from empty References headers (9884e5d), closes #385
• prevent RFC 2047 encoded-word address fabrication in decodeAddresses (08b800c)

Commits

• db781d3 chore(master): release 3.9.4 [skip-ci]
• 9884e5d fix: filter false values from empty References headers
• dd71f08 fix: bump nodemailer to 8.0.2 for unquoted comma-in-display-name parsing
• 08b800c fix: prevent RFC 2047 encoded-word address fabrication in decodeAddresses
• See full diff in compare view

Updates puppeteer from 24.37.5 to 24.39.1

Release notes

Sourced from puppeteer's releases.

puppeteer-core: v24.39.1

24.39.1 (2026-03-13)

🛠️ Fixes

• roll to Chrome 146.0.7680.72 (#14764) (177e3ed)
• roll to Chrome 146.0.7680.76 (#14777) (0751a83)
• roll to Firefox 148.0.2 (#14763) (e658f4e)

puppeteer: v24.39.1

24.39.1 (2026-03-13)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • puppeteer-core bumped from 24.39.0 to 24.39.1

puppeteer-core: v24.39.0

24.39.0 (2026-03-10)

🎉 Features

• expose Page.hasDevTools (#14758) (5ed7e77)

🛠️ Fixes

• roll to Chrome 146.0.7680.66 (#14752) (60ace04)

puppeteer: v24.39.0

24.39.0 (2026-03-10)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated

... (truncated)

Changelog

Sourced from puppeteer's changelog.

24.39.1 (2026-03-13)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • puppeteer-core bumped from 24.39.0 to 24.39.1

🛠️ Fixes

• roll to Chrome 146.0.7680.72 (#14764) (177e3ed)
• roll to Chrome 146.0.7680.76 (#14777) (0751a83)
• roll to Firefox 148.0.2 (#14763) (e658f4e)

24.39.0 (2026-03-10)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • puppeteer-core bumped from 24.38.0 to 24.39.0

🎉 Features

• expose Page.hasDevTools (#14758) (5ed7e77)

🛠️ Fixes

• roll to Chrome 146.0.7680.66 (#14752) (60ace04)

24.38.0 (2026-03-04)

... (truncated)

Commits

• 749206a chore: release main (#14766)
• 0751a83 fix: roll to Chrome 146.0.7680.76 (#14777)
• ee38f3c chore: update depenecies (#14776)
• 6e3340b test(bidi): fix bidi test "should throw when evaluation triggers reload" (#14...
• e658f4e fix: roll to Firefox 148.0.2 (#14763)
• 7d766f1 chore: mark "console should work for different console API calls with group f...
• 4a3fb4a chore: fix template once more (#14773)
• e80c358 chore: fix template (#14772)
• a2f09cc chore: fix the template (#14771)
• a3e7eb7 chore: add task issue type (#14770)
• Additional commits viewable in compare view

Updates typescript-eslint from 8.56.1 to 8.57.0

Release notes

Sourced from typescript-eslint's releases.

v8.57.0

8.57.0 (2026-03-09)

🚀 Features

• eslint-plugin: [no-unnecessary-condition] allow literal loop conditions in for/do loops (#12080)

🩹 Fixes

• eslint-plugin: [strict-void-return] false positives with overloads (#12055)
• eslint-plugin: handle statically analyzable computed keys in prefer-readonly (#12079)
• eslint-plugin: guard against negative paramIndex in no-useless-default-assignment (#12077)
• eslint-plugin: [prefer-promise-reject-errors] add allow TypeOrValueSpecifier to prefer-promise-reject-errors (#12094)
• eslint-plugin: [no-base-to-string] fix false positive for toString with overloads (#12089)
• typescript-estree: switch back to use ts.getModifiers() (#12034)
• typescript-estree: if the template literal is tagged and the text has an invalid escape, cooked will be null (#11355)

❤️ Thank You

• Brad Zacher @​bradzacher
• Brian Schlenker @​bschlenk
• Evyatar Daud @​StyleShit
• fisker Cheung @​fisker
• James Henry @​JamesHenry
• Josh Goldberg
• Kirk Waiblinger @​kirkwaiblinger
• Moses Odutusin @​thebolarin
• Newton Yuan @​NewtonYuan
• SungHyun627 @​SungHyun627
• Younsang Na @​nayounsang

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.57.0 (2026-03-09)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• 2c6aeee chore(release): publish 8.57.0
• f696dad chore: use pnpm catalog (#12047)
• a09921e chore: update vitest to 4.x (#12071)
• See full diff in compare view

Updates undici-types from 7.22.0 to 7.24.3

Release notes

Sourced from undici-types's releases.

v7.24.3

What's Changed

• fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by @​hxinhan in nodejs/undici#4881

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.2

What's Changed

• fix fetch path logic by @​KhafraDev in nodejs/undici#4890
• remove maxDecompressedMessageSize by @​KhafraDev in nodejs/undici#4891

Full Changelog: nodejs/undici@v7.24.1...v7.24.2

v7.24.1

What's Changed

• fix: proto pollution by @​rahulyadav5524 in nodejs/undici#4885

Full Changelog: nodejs/undici@v7.24.0...v7.24.1

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium)
  Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

... (truncated)

Commits

• 9b96516 Bumped v7.24.3
• 7926660 Ignore .githuman
• 9eaa5af fix(h2): TypeError: Cannot read properties of null (reading 'push') in Reques...
• a9bfe21 ignore .pi
• f2e155b Bumped v7.24.2
• 4d2d1af remove maxDecompressedMessageSize (#4891)
• 3a05a4f fix fetch path logic (#4890)
• 23e3cd3 Bumped v7.24.1
• 3aedaa8 remove PLAN.md
• 0d7ec33 fix: proto pollution (#4885)
• Additional commits viewable in compare view

Updates web-ext from 9.4.0 to 10.0.0

Release notes

Sourced from web-ext's releases.

10.0.0 (2026-03-13)

main changes

Important: we now use Node 22 by default.

• Added: web-ext lint now supports Firefox 149 schemas

dependencies

• Updated: dependency addons-linter to 10.1.0 (#3654)

dev dependencies

• Updated: dependency @commitlint/config-conventional to 20.4.4 (#3653)
• Updated: dependency @commitlint/cli to 20.4.4 (#3652)
• Updated: dependency @eslint/eslintrc to 3.3.5 (#3647)
• Updated: dependency @eslint/compat to 2.0.3 (#3646)

Commits

• 97fbb93 10.0.0
• 67d8f26 chore(deps): bump addons-linter from 10.0.0 to 10.1.0 (#3654)
• 573991e chore(deps-dev): bump @​commitlint/config-conventional from 20.4.3 to 20.4.4 (...
• 0e522ee chore(deps-dev): bump @​commitlint/cli from 20.4.3 to 20.4.4 (#3652)
• 2a9f9cd chore(deps): bump addons-linter from 9.9.1 to 10.0.0 (#3650)
• f3f4100 Switch to node 22 (#3644)
• 945a145 chore(deps-dev): bump @​eslint/eslintrc from 3.3.4 to 3.3.5 (#3647)
• 15f5c43 chore(deps-dev): bump @​eslint/compat from 2.0.2 to 2.0.3 (#3646)
• See full diff in compare view

Updates webpack-cli from 6.0.1 to 7.0.0

Release notes

Sourced from webpack-cli's releases.

webpack-cli@7.0.0

Major Changes

• The minimum supported version of Node.js is 20.9.0. (by @​alexander-akait in #4677)

• Use dynamic import to load webpack.config.js, fallback to interpret only when configuration can't be load by dynamic import. Using dynamic imports allows you to take advantage of Node.js's built-in TypeScript support. (by @​alexander-akait in #4677)

• Removed the --node-env argument in favor of the --config-node-env argument. (by @​alexander-akait in #4677)

• The version command only output versions right now. (by @​alexander-akait in #4677)

• Removed deprecated API, no action required unless you use import cli from "webpack-cli";/const cli = require("webpack-cli");. (by @​alexander-akait in #4677)

Patch Changes

• Allow configuration freezing. (by @​alexander-akait in #4677)

• Use graceful shutdown when file system cache is enabled. (by @​alexander-akait in #4677)

• Performance improved. (by @​alexander-akait in #4677)

Changelog

Sourced from webpack-cli's changelog.

7.0.0

Major Changes

• The minimum supported version of Node.js is 20.9.0. (by @​alexander-akait in #4677)

• Use dynamic import to load webpack.config.js, fallback to interpret only when configuration can't be load by dynamic import. Using dynamic imports allows you to take advantage of Node.js's built-in TypeScript support. (by @​alexander-akait in #4677)

• Removed the --node-env argument in favor of the --config-node-env argument. (by @​alexander-akait in #4677)

• The version command only output versions right now. (by @​alexander-akait in #4677)

• Removed deprecated API, no action required unless you use import cli from "webpack-cli";/const cli = require("webpack-cli");. (by @​alexander-akait in #4677)

Patch Changes

• Allow configuration freezing. (by @​alexander-akait in #4677)

• Use graceful shutdown when file system cache is enabled. (by @​alexander-akait in #4677)

• Performance improved. (by @​alexander-akait in #4677)

Commits

• 0b116f7 chore(release): new release (#4679)
• e0b2f07 test: improve
• 5328fcb chore(deps): bump pnpm/action-setup in the dependencies group (#4699)
• 4b6f0e1 chore(deps): update (#4696)
• 47fc332 test: more (#4695)
• a199bc3 test: refactor config format test + more (#4684)
• 20bc478 refactor: code
• 529352d docs: update (#4692)
• a01f01b chore: fix coverage
• e434e98 refactor: make cli faster (#4690)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for webpack-cli since your current version.

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
puppeteer	[>= 21.7.a, < 21.8]
puppeteer	[>= 22.0.a, < 22.1]
puppeteer	[>= 22.1.a, < 22.2]
puppeteer	[>= 22.3.a, < 22.4]
puppeteer	[>= 22.5.a, < 22.6]
puppeteer	[>= 22.6.a, < 22.7]
puppeteer	[>= 22.4.a, < 22.5]
puppeteer	[>= 22.2.a, < 22.3]
puppeteer	[>= 22.7.a, < 22.8]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.