Build(deps): bump the npm_and_yarn group across 1 directory with 8 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates in the /graphql-bench directory:

Package	From	To
tsup	8.3.0	8.3.5
@grpc/grpc-js	1.14.3	1.14.4
@tootallnate/once	2.0.0	2.0.1
lodash	4.17.21	4.17.23
qs	6.14.1	6.15.0
rollup	4.55.1	4.62.2
shell-quote	1.8.3	1.8.4

Updates tsup from 8.3.0 to 8.3.5

Release notes

Sourced from tsup's releases.

v8.3.5

   🐞 Bug Fixes

• Run experimentalDts only once  -  by @​aryaemami59 in egoist/tsup#1236 (fddd4)

    View changes on GitHub

v8.3.4

No significant changes

    View changes on GitHub

v8.3.3

No significant changes

    View changes on GitHub

v8.3.1

   🚀 Features

• Add es2024 target  -  by @​sxzz (4c8cd)

   🐞 Bug Fixes

• Support TS 5.6 for svelte  -  by @​sxzz (28b9c)
• Add neutral value to platform options in schema.json  -  by @​venables in egoist/tsup#982 (a03db)
• Wider restriction for target option  -  by @​odanado in egoist/tsup#1118 (1979b)
• Add terser value to minify option in schema.json  -  by @​damienbutt in egoist/tsup#991 (34951)
• Change newlineKind to lf for experimentalDts  -  by @​aryaemami59 in egoist/tsup#1234 (4584b)
• Enable rollup output.compact when minify is enabled  -  by @​hyrious in egoist/tsup#1232 (9cc86)
• Support Node16 and NodeNext module resolution in experimentalDts  -  by @​aryaemami59 in egoist/tsup#1225 (41c98)

    View changes on GitHub

Commits

• cd03e1e chore: release v8.3.5
• fddd451 fix: run experimentalDts only once (#1236)
• 21b1193 chore: release v8.3.4
• 580e03d ci: fix release workflow
• 01b38f2 chore: release v8.3.3
• 4f5b71e ci: fix release workflow
• e80dad6 chore: release v8.3.2
• f4af79a ci: fix release workflow (#1241)
• 4b72d61 chore: release v8.3.1
• 41c98ff fix: support Node16 and NodeNext module resolution in experimentalDts (...
• Additional commits viewable in compare view

Updates @grpc/grpc-js from 1.14.3 to 1.14.4

Release notes

Sourced from @​grpc/grpc-js's releases.

@​grpc/grpc-js 1.14.4

• Fix a bug that could cause servers to crash when handling malformed requests (advisory GHSA-5375-pq7m-f5r2)
• Fix a bug that could cause clients and servers to crash when handling malformed compressed messages (advisory GHSA-99f4-grh7-6pcq)

Commits

• a380735 Merge pull request #3052 from murgatroid99/grpc-js_1.14.4
• 5b8d37b Merge commit from fork
• 6a97456 Merge commit from fork
• e5e0b1d grpc-js: Bump version to 1.14.4
• 5029a26 Make compression error a static string
• 2fe55fd Fix crashes when receiving malformed compressed data
• 234f917 Fix server crash when handling invalid requests
• acef8d4 Merge pull request #3043 from murgatroid99/rbac_types_change_fix_1.14
• 4f3c58f grpc-js-xds: Update RBAC code to handle Node type change, pin @​types/node
• See full diff in compare view

Updates @tootallnate/once from 2.0.0 to 2.0.1

Release notes

Sourced from @​tootallnate/once's releases.

v2.0.1

Patch Changes

• a1e5e2d: Fix promise hang when AbortSignal is aborted

Changelog

Sourced from @​tootallnate/once's changelog.

2.0.1

Patch Changes

• a1e5e2d: Fix promise hang when AbortSignal is aborted

Commits

• bcbb21d ci: fix OIDC publishing — Node 24, npm latest, provenance
• dc24387 Version Packages (2.x) (#12)
• b8a6f80 CI: test all Node versions on Linux only
• dabcc0f ci: drop EOL Node.js 14.x/16.x, add 22.x
• b464efc Update CI: modern Node versions, fix macOS ARM64 compat
• a1e5e2d Fix promise hang when AbortSignal is aborted
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tootallnate/once since your current version.

Updates esbuild from 0.23.1 to 0.24.2

Release notes

Sourced from esbuild's releases.

v0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

v0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

  // The following code now transforms to "return true;\n"
  console.log(esbuild.transformSync(
    `return process.env['SOME-TEST-VAR']`,
    { define: { 'process.env["SOME-TEST-VAR"]': 'true' } },
  ))

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

  // The following code now transforms to "return true;\n"
  console.log(esbuild.transformSync(
    `return process.env['SOME-TEST-VAR']`,
    { define: { 'process.env["SOME-TEST-VAR"]': 'true' } },

... (truncated)

Commits

• 745abd9 publish 0.24.2 to npm
• 79fd0b0 skip nulls in source map finalization (#4011)
• 4b9322f source map: avoid null entry for 0-length parts
• 199a0d3 close #4013: credit to @​sapphi-red for the fix
• 947f99f fix #4010, fix #4012: import.meta regression
• de9598f publish 0.24.1 to npm
• 15d56ca emit null source mappings for empty chunk content
• 8d98f6f fix #3985: entryPoint metadata for copy loader
• 0db1b82 fix #3998: avoid outbase in identifier names
• 7236472 close #3974: add support for netbsd on arm64
• Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates qs from 6.14.1 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

• [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
• [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

Commits

• d9b4c66 v6.15.0
• cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
• 88e1563 [Fix] duplicates option should not apply to bracket notation keys
• 9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
• 85cc8ca v6.12.5
• ffc12aa v6.11.4
• 0506b11 [actions] update reusable workflows
• 6a37faf [actions] update reusable workflows
• 8e8df5a [Fix] fix regressions from robustness refactor
• d60bab3 v6.10.7
• Additional commits viewable in compare view

Updates rollup from 4.55.1 to 4.62.2

Release notes

Sourced from rollup's releases.

v4.62.2

4.62.2

2026-06-19

Bug Fixes

• Do not add spurious side-effect-free external imports to chunks when using minChunkSize (#6411)

Pull Requests

• #6411: Skip side-effect-free external imports when hoisting is disabled (@​morgan-coded, @​lukastaegert)
• #6416: refactor(rust/parser_ast): extract property AstConverter write buffer kind logic to new method (@​fabianbernhart, @​lukastaegert)

v4.62.1

4.62.1

2026-06-19

Bug Fixes

• Preserve multipart file extensions when deconflicting output chunks (#6408)
• Fix an issue where getLogFilter would match additional logs (#6415)

Pull Requests

• #6393: Use import attributes for importing JSON (@​selfisekai, @​lukastaegert)
• #6408: fix: insert conflict numbers before first extension in multi-extension filenames (@​LeSingh1, @​lukastaegert)
• #6415: fix: advance value past wildcard prefix before suffix check in getLogFilter (@​JSap0914, @​lukastaegert)
• #6417: chore(deps): update msys2/setup-msys2 digest to 66cd2cc (@​renovate[bot])
• #6418: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6419: chore(deps): update dependency eslint-plugin-unicorn to v66 (@​renovate[bot])
• #6420: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)

v4.62.0

4.62.0

2026-06-13

Features

• Ensure that shared dependencies between manual chunks and entry points receive a serparate chunk (#6374)

Pull Requests

• #6374: Extract the static dependencies imported by manual chunks into separate chunks (@​TrickyPi, @​lukastaegert)
• #6405: fix(deps): update minor/patch updates (@​renovate[bot])
• #6406: chore(deps): pin dependency concurrently to v9 (@​renovate[bot], @​lukastaegert)
• #6407: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6409: chore(deps): update minor/patch updates to v6.2.0 (@​renovate[bot])

... (truncated)

Changelog

Sourced from rollup's changelog.

4.62.2

2026-06-19

Bug Fixes

• Do not add spurious side-effect-free external imports to chunks when using minChunkSize (#6411)

Pull Requests

• #6411: Skip side-effect-free external imports when hoisting is disabled (@​morgan-coded, @​lukastaegert)
• #6416: refactor(rust/parser_ast): extract property AstConverter write buffer kind logic to new method (@​fabianbernhart, @​lukastaegert)

4.62.1

2026-06-19

Bug Fixes

• Preserve multipart file extensions when deconflicting output chunks (#6408)
• Fix an issue where getLogFilter would match additional logs (#6415)

Pull Requests

• #6393: Use import attributes for importing JSON (@​selfisekai, @​lukastaegert)
• #6408: fix: insert conflict numbers before first extension in multi-extension filenames (@​LeSingh1, @​lukastaegert)
• #6415: fix: advance value past wildcard prefix before suffix check in getLogFilter (@​JSap0914, @​lukastaegert)
• #6417: chore(deps): update msys2/setup-msys2 digest to 66cd2cc (@​renovate[bot])
• #6418: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6419: chore(deps): update dependency eslint-plugin-unicorn to v66 (@​renovate[bot])
• #6420: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)

4.62.0

2026-06-13

Features

• Ensure that shared dependencies between manual chunks and entry points receive a serparate chunk (#6374)

Pull Requests

• #6374: Extract the static dependencies imported by manual chunks into separate chunks (@​TrickyPi, @​lukastaegert)
• #6405: fix(deps): update minor/patch updates (@​renovate[bot])
• #6406: chore(deps): pin dependency concurrently to v9 (@​renovate[bot], @​lukastaegert)
• #6407: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6409: chore(deps): update minor/patch updates to v6.2.0 (@​renovate[bot])
• #6410: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6412: fix(deps): update minor/patch updates (@​renovate[bot])
• #6413: chore(deps): update dependency eslint-plugin-unicorn to v65 (@​renovate[bot])

... (truncated)

Commits

• 8faa187 4.62.2
• a38a795 refactor(rust/parser_ast): extract property AstConverter write buffer kind lo...
• 6cc5c31 Skip side-effect-free external imports when hoisting is disabled (#6411)
• caacf70 4.62.1
• d1e8297 Add missing ignore
• 1ba1fc2 fix: insert conflict numbers before first extension in multi-extension filena...
• 532bd0a Use import attributes for importing JSON (#6393)
• 2cd8194 fix: advance value past wildcard prefix before suffix check in getLogFilter (...
• dfac590 fix(deps): update minor/patch updates (#6418)
• 1d6db3d chore(deps): update dependency eslint-plugin-unicorn to v66 (#6419)
• Additional commits viewable in compare view

Updates shell-quote from 1.8.3 to 1.8.4

Changelog

Sourced from shell-quote's changelog.

v1.8.4 - 2026-05-22

Commits

• [Fix] quote: validate object-token shapes 4378a6e
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, npmignore 22ebec0
• [Tests] increase coverage 9f3caa3
• [readme] replace runkit CI badge with shields.io check-runs badge 3344a04
• [Dev Deps] update @ljharb/eslint-config 699c511

Commits

• ff166e2 v1.8.4
• 4378a6e [Fix] quote: validate object-token shapes
• 22ebec0 [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, `npmig...
• 9f3caa3 [Tests] increase coverage
• 3344a04 [readme] replace runkit CI badge with shields.io check-runs badge
• 699c511 [Dev Deps] update @ljharb/eslint-config
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[github-actions]

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'Rust Benchmark'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 2.

Benchmark suite	Current: 3d3b58c	Previous: 9823ef7	Ratio
lotr_graph/num_edges	4 ns/iter (± 0)	0 ns/iter (± 0)	+∞
lotr_graph/num_nodes	5 ns/iter (± 0)	1 ns/iter (± 0)	5
lotr_graph/has_node_nonexisting	5 ns/iter (± 0)	2 ns/iter (± 0)	2.50
lotr_graph/graph_latest	3 ns/iter (± 0)	0 ns/iter (± 0)	+∞
lotr_graph_materialise/materialize	8014417 ns/iter (± 46463)	1564816 ns/iter (± 35303)	5.12
lotr_graph_window_100/num_nodes	13 ns/iter (± 0)	5 ns/iter (± 0)	2.60
lotr_graph_window_100_materialise/materialize	8014375 ns/iter (± 65462)	1669150 ns/iter (± 10700)	4.80
lotr_graph_window_10/has_node_existing	135 ns/iter (± 10)	62 ns/iter (± 11)	2.18
lotr_graph_window_10_materialise/materialize	3392825 ns/iter (± 17952)	971980 ns/iter (± 4278)	3.49
lotr_graph_subgraph_10pc/has_node_nonexisting	5 ns/iter (± 0)	2 ns/iter (± 0)	2.50
lotr_graph_subgraph_10pc_materialise/materialize	2133901 ns/iter (± 20749)	334634 ns/iter (± 1287)	6.38
lotr_graph_subgraph_10pc_windowed/has_node_existing	139 ns/iter (± 10)	62 ns/iter (± 14)	2.24
lotr_graph_subgraph_10pc_windowed_materialise/materialize	1258396 ns/iter (± 10137)	230399 ns/iter (± 2617)	5.46
lotr_graph_window_50_layered/num_edges_temporal	144501 ns/iter (± 3372)	70121 ns/iter (± 7586)	2.06
lotr_graph_window_50_layered/has_node_existing	379 ns/iter (± 22)	129 ns/iter (± 12)	2.94
lotr_graph_window_50_layered/has_node_nonexisting	5 ns/iter (± 0)	2 ns/iter (± 0)	2.50
lotr_graph_window_50_layered/graph_latest	83560 ns/iter (± 1220)	36649 ns/iter (± 916)	2.28
lotr_graph_window_50_layered_materialise/materialize	29880348 ns/iter (± 411962)	3488825 ns/iter (± 24948)	8.56
lotr_graph_persistent_window_50_layered/num_edges_temporal	587137 ns/iter (± 8190)	192686 ns/iter (± 1569)	3.05
lotr_graph_persistent_window_50_layered/has_node_existing	422 ns/iter (± 364)	174 ns/iter (± 83)	2.43
lotr_graph_persistent_window_50_layered/has_node_nonexisting	5 ns/iter (± 0)	2 ns/iter (± 0)	2.50
lotr_graph_persistent_window_50_layered/graph_latest	123771 ns/iter (± 2110)	57549 ns/iter (± 4809)	2.15
lotr_graph_persistent_window_50_layered_materialise/materialize	51068031 ns/iter (± 529313)	5298035 ns/iter (± 147912)	9.64

This comment was automatically generated by workflow using github-action-benchmark.