Bump the npm-minor-patch group across 1 directory with 7 updates

[dependabot]

Bumps the npm-minor-patch group with 7 updates in the / directory:

Package	From	To
dotenv	17.4.1	17.4.2
@vscode/vsce	3.7.1	3.8.0
prettier	3.8.1	3.8.3
sinon	21.0.2	21.1.2
@types/sinon	21.0.0	21.0.1
ts-loader	9.5.4	9.5.7
webpack	5.105.4	5.106.2

Updates dotenv from 17.4.1 to 17.4.2

Changelog

Sourced from dotenv's changelog.

17.4.2 (2026-04-12)

Changed

• Improved skill files - tightened up details (#1009)

Commits

• f116f70 17.4.2
• 3a81612 fix visual order of faq
• 13f55a8 Merge branch 'skill'
• 4bbbf73 reorganize faq
• c3da64b Merge pull request #1009 from motdotla/skill
• 6f743b1 update source
• fc2c624 update skill
• 972315b Tighten up skill
• 2795fce reorganize faq
• d5495d4 adjust skill
• Additional commits viewable in compare view

Updates @vscode/vsce from 3.7.1 to 3.8.0

Release notes

Sourced from @​vscode/vsce's releases.

v3.8.0

Changes:

• #1258: fix: run npm audit fix
• #1255: Bump brace-expansion
• #1253: Bump picomatch from 2.3.1 to 2.3.2
• #1252: Bump yauzl from 2.10.0 to 3.2.1
• #1250: Bump underscore from 1.13.1 to 1.13.8
• #1249: Bump minimatch
• #1243: Bump markdown-it from 14.1.0 to 14.1.1
• #1244: Bump qs from 6.14.1 to 6.14.2
• #1239: Bump @​isaacs/brace-expansion from 5.0.0 to 5.0.1
• #1238: Bump lodash from 4.17.21 to 4.17.23

• #1234: Bump qs from 6.11.0 to 6.14.1
• #1233: Return non-zero exit code when signature verification fails
• #1232: Audit npm package
• #1228: Bump jws

This list of changes was auto generated.

v3.7.2-13

Changes:

• #1258: fix: run npm audit fix

This list of changes was auto generated.

v3.7.2-12

Changes:

• #1255: Bump brace-expansion

This list of changes was auto generated.

v3.7.2-11

Changes:

• #1253: Bump picomatch from 2.3.1 to 2.3.2

This list of changes was auto generated.

... (truncated)

Commits

• cbdd401 fix: run npm audit fix to update package-lock.json (#1258)
• 13c5fa8 Merge pull request #1255 from microsoft/dependabot/npm_and_yarn/multi-580a7c2f10
• c6f98dc Bump brace-expansion
• 01da009 Bump picomatch from 2.3.1 to 2.3.2 (#1253)
• bb899fa Merge pull request #1252 from microsoft/dependabot/npm_and_yarn/yauzl-3.2.1
• 3f4fa96 Bump yauzl from 2.10.0 to 3.2.1
• 72f3196 Merge pull request #1250 from microsoft/dependabot/npm_and_yarn/underscore-1....
• c651312 Bump underscore from 1.13.1 to 1.13.8
• 82cd05b Merge pull request #1249 from microsoft/dependabot/npm_and_yarn/multi-3189fdc835
• f8e9271 Bump minimatch
• Additional commits viewable in compare view

Updates prettier from 3.8.1 to 3.8.3

Release notes

Sourced from prettier's releases.

3.8.3

• SCSS: Prevent trailing comma in if() function (prettier/prettier#18471 by @​kovsu)

🔗 Changelog

3.8.2

• Support Angular v21.2

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.3

diff

SCSS: Prevent trailing comma in if() function (#18471 by @​kovsu)

// Input
$value: if(sass(false): 1; else: -1);
// Prettier 3.8.2
$value: if(
sass(false): 1; else: -1,
);
// Prettier 3.8.3
$value: if(sass(false): 1; else: -1);

3.8.2

diff

Angular: Support Angular v21.2 (#18722, #19034 by @​fisker)

Exhaustive typechecking with @default never;

<!-- Input -->
@switch (foo) {
  @case (1) {}
  @default never;
}
<!-- Prettier 3.8.1 -->
SyntaxError: Incomplete block "default never". If you meant to write the @ character, you should use the "&#64;" HTML entity instead. (3:3)
<!-- Prettier 3.8.2 -->
@​switch (foo) {
@​case (1) {}
@​default never;
}

arrow function and instanceof expressions.

</tr></table> 

... (truncated)

Commits

• d7108a7 Release 3.8.3
• 177f908 Prevent trailing comma in SCSS if() function (#18471)
• 1cd4066 Release @​prettier/plugin-oxc@​0.1.4
• a8700e2 Update oxc-parser to v0.125.0
• 752157c Fix tests
• 053fd41 Bump Prettier dependency to 3.8.2
• 904c636 Clean changelog_unreleased
• dc1f7fc Update dependents count
• b31557c Release 3.8.2
• 96bbaed Support Angular v21.2 (#18722)
• Additional commits viewable in compare view

Updates sinon from 21.0.2 to 21.1.2

Changelog

Sourced from sinon's changelog.

21.1.2

• 53817f7d Upgrade to ESLint 10 and new shared config (#2696) (Carl-Erik Kopseng)

  • Upgrade to ESLint 10 and new shared config
  • Update deps

• d7a682e0 fix: move npm-run-all to devDeps (#2694) (Avi Vahl)

  used only during dev, and caused a considerable dep count jump downstream

• 5b8720ec use latest shared eslint-config (Carl-Erik Kopseng)

Released by Carl-Erik Kopseng on 2026-04-11.

21.1.1

• 3c8b023b Update deps (Carl-Erik Kopseng)
• 2eabf5da fix(#2692): Remove ESM-only supports-color as it breaks CJS exports (#2693) (Carl-Erik Kopseng)

  • fix(#2692): Remove ESM-only supports-color as it breaks CJS exports

Released by Carl-Erik Kopseng on 2026-04-10.

21.1.0

• 0a5526c5 updated deps (Carl-Erik Kopseng)
• 5262204f fix: build artifacts before running bundled tests (Carl-Erik Kopseng)
• 819bb64b Migration to ECMAScript modules (ESM) (#2683) (Carl-Erik Kopseng)

  This allowed us to finally consume ESM-only dependencies and has broken us free from some CJS shackes. Now produce the same API surface for CJS consumers, as well, by generating ./lib

  • Modern ignores 😁
  • test: add distribution harness
  • test: verify packed cjs and esm entrypoints
  • test: lock distribution api manifest
  • test: smoke test built pkg artifacts
  • docs: require contract tests for package migration
  • test: guard esm migration regressions
  • docs: require contract gate for esm migration
  • build: generate cjs lib from esm source entries
  • refactor: port root api surface to esm
  • build: clean port of root api to esm
  • docs: include implementation plans
  • fix: align lint and smoke tests with esm migration
  • refactor: complete esm port of all core components
  • refactor: finalize esm migration with sandbox and naming fixes
  • fix: finish esm migration stabilization

... (truncated)

Commits

• c9ee063 21.1.2
• 53817f7 Upgrade to ESLint 10 and new shared config (#2696)
• d7a682e fix: move npm-run-all to devDeps (#2694)
• 5b8720e use latest shared eslint-config
• 40f9d6b 21.1.1
• 3c8b023 Update deps
• 2eabf5d fix(#2692): Remove ESM-only supports-color as it breaks CJS exports (#2693)
• 30cf67e 21.1.0
• 0a5526c updated deps
• 5262204 fix: build artifacts before running bundled tests
• Additional commits viewable in compare view

Updates @types/sinon from 21.0.0 to 21.0.1

Commits

• See full diff in compare view

Updates ts-loader from 9.5.4 to 9.5.7

Release notes

Sourced from ts-loader's releases.

v9.5.7

• fix: TS5011 errors with TypeScript 6.0: transpileModule called with rootDir: undefined #1678 - thanks @​julioz and @​errorx666
• feat: migrate to trusted publishing - thanks @​johnnyreilly

Skipping 9.5.5-9.5.6 due to publishing issues

Changelog

Sourced from ts-loader's changelog.

9.5.7

• fix: TS5011 errors with TypeScript 6.0: transpileModule called with rootDir: undefined #1678 - thanks @​julioz and @​errorx666
• feat: migrate to trusted publishing - thanks @​johnnyreilly

Skipping 9.5.5-9.5.6 due to publishing issues

Commits

• 4a60de4 chore: trusted publishing attempt 3
• b03b4aa chore: version bump
• 2421dcf fix: trusted publishing by changing respository.url in package.json
• f84480f fix: TS5011 errors with TypeScript 6.0: transpileModule called with rootDir: ...
• 0cef777 feat: migrate to trusted publishing (#1680)
• a0cfb39 docs: add AGENTS.md / CLAUDE.md
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for ts-loader since your current version.

Updates webpack from 5.105.4 to 5.106.2

Release notes

Sourced from webpack's releases.

v5.106.2

Patch Changes

• CSS @​import now inherits the parent module's exportType, so a file configured as "text" correctly creates a style tag when @​imported by a "style" parent. (by @​xiaoxiaojx in #20838)

• Make asset modules available in JS context when referenced from both CSS and a lazily compiled JS chunk. (by @​xiaoxiaojx in #20801)

• Include missing generator options in hash to ensure persistent cache invalidation when configuration changes (CssGenerator exportsOnly, JsonGenerator JSONParse, WebAssemblyGenerator mangleImports). (by @​xiaoxiaojx in #20821)

• Fix || default value handling in ProgressPlugin and ManifestPlugin that incorrectly overrode user-provided falsy values (e.g. modules: false, entries: false, entrypoints: false). (by @​xiaoxiaojx in #20823)

• Migrate from mime-types to mime-db. (by @​alexander-akait in #20812)

• Handle @charset at-rules in CSS modules. (by @​alexander-akait in #20831)

• Marked all experimental options in types. (by @​alexander-akait in #20814)

v5.106.1

Patch Changes

• Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @​xiaoxiaojx in #20796)

• Prevent !important from being renamed as a local identifier in CSS modules. (by @​xiaoxiaojx in #20798)

• Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @​xiaoxiaojx in #20799)

v5.106.0

Minor Changes

• Add exportType: "style" for CSS modules to inject styles into DOM via HTMLStyleElement, similar to style-loader functionality. (by @​xiaoxiaojx in #20579)

• Add context option support for VirtualUrlPlugin (by @​xiaoxiaojx in #20449)

  • The context for the virtual module. A string path. Defaults to 'auto', which will try to resolve the context from the module id.
  • Support custom context path for resolving relative imports in virtual modules
  • Add examples demonstrating context usage and filename customization

• Generate different CssModule instances for different exportType values. (by @​xiaoxiaojx in #20590)

• Added the localIdentHashFunction option to configure the hash function to be used for hashing. (by @​alexander-akait in #20694) Additionally, the localIdentName option can now be a function.

• Added support for destructuring assignment require in cjs, allowing for tree shaking. (by @​ahabhgk in #20548)

• Added the validate option to enable/disable validation in webpack/plugins/loaders, also implemented API to make it inside plugins. (by @​xiaoxiaojx in #20275)

• Added source support for async WASM modules. (by @​magic-akari in #20364)

Patch Changes

• Add a static getSourceBasicTypes method to the Module class to prevent errors across multiple versions. (by @​xiaoxiaojx in #20614)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.106.2

Patch Changes

• CSS @​import now inherits the parent module's exportType, so a file configured as "text" correctly creates a style tag when @​imported by a "style" parent. (by @​xiaoxiaojx in #20838)

• Make asset modules available in JS context when referenced from both CSS and a lazily compiled JS chunk. (by @​xiaoxiaojx in #20801)

• Include missing generator options in hash to ensure persistent cache invalidation when configuration changes (CssGenerator exportsOnly, JsonGenerator JSONParse, WebAssemblyGenerator mangleImports). (by @​xiaoxiaojx in #20821)

• Fix || default value handling in ProgressPlugin and ManifestPlugin that incorrectly overrode user-provided falsy values (e.g. modules: false, entries: false, entrypoints: false). (by @​xiaoxiaojx in #20823)

• Migrate from mime-types to mime-db. (by @​alexander-akait in #20812)

• Handle @charset at-rules in CSS modules. (by @​alexander-akait in #20831)

• Marked all experimental options in types. (by @​alexander-akait in #20814)

5.106.1

Patch Changes

• Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @​xiaoxiaojx in #20796)

• Prevent !important from being renamed as a local identifier in CSS modules. (by @​xiaoxiaojx in #20798)

• Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @​xiaoxiaojx in #20799)

5.106.0

Minor Changes

• Add exportType: "style" for CSS modules to inject styles into DOM via HTMLStyleElement, similar to style-loader functionality. (by @​xiaoxiaojx in #20579)

• Add context option support for VirtualUrlPlugin (by @​xiaoxiaojx in #20449)

  • The context for the virtual module. A string path. Defaults to 'auto', which will try to resolve the context from the module id.
  • Support custom context path for resolving relative imports in virtual modules
  • Add examples demonstrating context usage and filename customization

• Generate different CssModule instances for different exportType values. (by @​xiaoxiaojx in #20590)

• Added the localIdentHashFunction option to configure the hash function to be used for hashing. (by @​alexander-akait in #20694) Additionally, the localIdentName option can now be a function.

• Added support for destructuring assignment require in cjs, allowing for tree shaking. (by @​ahabhgk in #20548)

• Added the validate option to enable/disable validation in webpack/plugins/loaders, also implemented API to make it inside plugins. (by @​xiaoxiaojx in #20275)

• Added source support for async WASM modules. (by @​magic-akari in #20364)

... (truncated)

Commits

• 0d7e3e0 chore(release): new release (#20815)
• d5df118 chore(deps): bump actions/cache in the dependencies group (#20839)
• 5f0874b fix: make asset modules available in JS when referenced from CSS and lazy JS ...
• b63ab37 chore(deps): bump test/test262-cases in the dependencies group (#20792)
• 313dfc5 ci: improve time for windows (#20840)
• a553f61 test: update test262 (#20841)
• 1ef747c fix: CSS @​import should inherit parent's exportType over parser config (#20838)
• 485d4ce chore(deps): update open-cli (#20834)
• 46042b9 chore(deps): no outdated strip-ansi (#20835)
• 8c7700b fix: handle @charset at-rules in CSS modules
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions