Merge pull request #979 from docker/dependabot/npm_and_yarn/postcss-8.5.10

build(deps): bump postcss from 8.5.6 to 8.5.10
Merge pull request #985 from docker/dependabot/npm_and_yarn/fast-xml-builder-1.2.0
2026-05-22 05:08:21 +01:00 · 2026-05-21 19:20:51 +02:00 · 2026-05-21 18:30:33 +02:00 · 2026-05-21 16:07:40 +00:00 · 2026-05-21 16:06:38 +00:00 · 2026-05-21 18:04:19 +02:00
7 changed files with 48 additions and 48 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -35,12 +35,12 @@ jobs:
          node-version: ${{ env.NODE_VERSION }}
      -
        name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
        with:
          languages: javascript-typescript
          build-mode: none
      -
        name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
        with:
          category: "/language:javascript-typescript"
--- a/.github/workflows/pr-assign-author.yml
+++ b/.github/workflows/pr-assign-author.yml
@@ -11,7 +11,7 @@ on:

 jobs:
  run:
-    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@4a17dbaa9ce13920fc5bb8824eb89c16301e5ab2 # v1.7.0
+    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@9ba6e6f9450baf3b1237f8035c1fdc45932510bd # v1.8.0
    permissions:
      contents: read
      pull-requests: write
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -29,7 +29,7 @@ jobs:
          targets: test
      -
        name: Upload coverage
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          files: ./coverage/clover.xml
          token: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/update-dist.yml
+++ b/.github/workflows/update-dist.yml
@@ -21,11 +21,13 @@ jobs:
      -
        name: GitHub auth token from GitHub App
        id: docker-read-app
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        with:
          app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
          private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
          owner: docker
+          repositories: login-action
+          permission-contents: write
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -19,7 +19,7 @@ on:

 jobs:
  zizmor:
-    uses: crazy-max/.github/.github/workflows/zizmor.yml@4a17dbaa9ce13920fc5bb8824eb89c16301e5ab2 # v1.7.0
+    uses: crazy-max/.github/.github/workflows/zizmor.yml@9ba6e6f9450baf3b1237f8035c1fdc45932510bd # v1.8.0
    permissions:
      contents: read
      security-events: write
--- a/dist/licenses.txt
+++ b/dist/licenses.txt
@@ -5810,6 +5810,7 @@ The following npm packages may be included in this product:
 - imurmurhash@0.1.4
 - is-gzip@1.0.0
 - isarray@1.0.0
+ - xml-naming@0.1.0

 These packages each contain the following license:

@@ -5851,7 +5852,6 @@ USE OR OTHER DEALINGS IN THE SOFTWARE.
 The following npm packages may be included in this product:

 - brace-expansion@1.1.13
- - brace-expansion@2.0.1
 - brace-expansion@2.0.3

 These packages each contain the following license:
@@ -6188,11 +6188,12 @@ SOFTWARE.

 -----------

-The following npm package may be included in this product:
+The following npm packages may be included in this product:

 - path-expression-matcher@1.2.0
+ - path-expression-matcher@1.5.0

-This package contains the following license:
+These packages each contain the following license:

 MIT License

@@ -6250,7 +6251,7 @@ SOFTWARE.

 The following npm package may be included in this product:

- - fast-xml-builder@1.1.4
+ - fast-xml-builder@1.2.0

 This package contains the following license:

@@ -6378,7 +6379,7 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI

 The following npm package may be included in this product:

- - brace-expansion@5.0.4
+ - brace-expansion@5.0.6

 This package contains the following license:

--- a/yarn.lock
+++ b/yarn.lock
@@ -3295,16 +3295,7 @@ __metadata:
  languageName: node
  linkType: hard

-"brace-expansion@npm:^2.0.1":
-  version: 2.0.1
-  resolution: "brace-expansion@npm:2.0.1"
-  dependencies:
-    balanced-match: "npm:^1.0.0"
-  checksum: 10/a61e7cd2e8a8505e9f0036b3b6108ba5e926b4b55089eeb5550cd04a471fe216c96d4fe7e4c7f995c728c554ae20ddfc4244cad10aef255e72b62930afd233d1
-  languageName: node
-  linkType: hard
-
-"brace-expansion@npm:^2.0.2":
+"brace-expansion@npm:^2.0.1, brace-expansion@npm:^2.0.2":
  version: 2.0.3
  resolution: "brace-expansion@npm:2.0.3"
  dependencies:
@@ -3313,21 +3304,12 @@ __metadata:
  languageName: node
  linkType: hard

-"brace-expansion@npm:^5.0.2":
-  version: 5.0.4
-  resolution: "brace-expansion@npm:5.0.4"
+"brace-expansion@npm:^5.0.2, brace-expansion@npm:^5.0.5":
+  version: 5.0.6
+  resolution: "brace-expansion@npm:5.0.6"
  dependencies:
    balanced-match: "npm:^4.0.2"
-  checksum: 10/cfd57e20d8ded9578149e47ae4d3fff2b2f78d06b54a32a73057bddff65c8e9b930613f0cbcfefedf12dd117151e19d4da16367d5127c54f3bff02d8a4479bb2
-  languageName: node
-  linkType: hard
-
-"brace-expansion@npm:^5.0.5":
-  version: 5.0.5
-  resolution: "brace-expansion@npm:5.0.5"
-  dependencies:
-    balanced-match: "npm:^4.0.2"
-  checksum: 10/f259b2ddf04489da9512ad637ba6b4ef2d77abd4445d20f7f1714585f153435200a53fa6a2e4a5ee974df14ddad4cd16421f6f803e96e8b452bd48598878d0ee
+  checksum: 10/a7acf120fefa79e9d7c9c92898114f57c07596a3920197f3c5917e6a628b04220a5f7f9618c30bdd973a6576a32113b99f9c3f1c8245ccc399dd2a9a718d81d8
  languageName: node
  linkType: hard

@@ -4239,11 +4221,12 @@ __metadata:
  linkType: hard

 "fast-xml-builder@npm:^1.1.4":
-  version: 1.1.4
-  resolution: "fast-xml-builder@npm:1.1.4"
+  version: 1.2.0
+  resolution: "fast-xml-builder@npm:1.2.0"
  dependencies:
-    path-expression-matcher: "npm:^1.1.3"
-  checksum: 10/32937866aaf5a90e69d1f4ee6e15e875248d5b5d2afd70277e9e8323074de4980cef24575a591b8e43c29f405d5f12377b3bad3842dc412b0c5c17a3eaee4b6b
+    path-expression-matcher: "npm:^1.5.0"
+    xml-naming: "npm:^0.1.0"
+  checksum: 10/5948add7796879d03b6c779cbb17f2f203a41cdf23dfaaa4789c65078a36376cd0709a6586701e980e3d244ebd5fdb35db1235ccb5e4fb9e9abfd8c51e7b8813
  languageName: node
  linkType: hard

@@ -5730,13 +5713,20 @@ __metadata:
  languageName: node
  linkType: hard

-"path-expression-matcher@npm:^1.1.3, path-expression-matcher@npm:^1.2.0":
+"path-expression-matcher@npm:^1.2.0":
  version: 1.2.0
  resolution: "path-expression-matcher@npm:1.2.0"
  checksum: 10/eab23babd9a97d6cf4841a99825c3e990b70b2b29ea6529df9fb6a1f3953befbc68e9e282a373d7a75aff5dc6542d05a09ee2df036ff9bfddf5e1627b769875b
  languageName: node
  linkType: hard

+"path-expression-matcher@npm:^1.5.0":
+  version: 1.5.0
+  resolution: "path-expression-matcher@npm:1.5.0"
+  checksum: 10/28303bb9ee6831e6df14c10cd3f3f7b2d7c8d7f788d8bdb7440136fd696064c82a3e264999a0764d28e39f698275fc03a5493bec93c57ef4a22566280367dd64
+  languageName: node
+  linkType: hard
+
 "path-key@npm:^3.1.0":
  version: 3.1.1
  resolution: "path-key@npm:3.1.1"
@@ -5807,13 +5797,13 @@ __metadata:
  linkType: hard

 "postcss@npm:^8.5.6":
-  version: 8.5.6
-  resolution: "postcss@npm:8.5.6"
+  version: 8.5.10
+  resolution: "postcss@npm:8.5.10"
  dependencies:
    nanoid: "npm:^3.3.11"
    picocolors: "npm:^1.1.1"
    source-map-js: "npm:^1.2.1"
-  checksum: 10/9e4fbe97574091e9736d0e82a591e29aa100a0bf60276a926308f8c57249698935f35c5d2f4e80de778d0cbb8dcffab4f383d85fd50c5649aca421c3df729b86
+  checksum: 10/7eac6169e535b63c8412e94d4f6047fc23efa3e9dde804b541940043c831b25f1cd867d83cd2c4371ad2450c8abcb42c208aa25668c1f0f3650d7f72faf711a8
  languageName: node
  linkType: hard

@@ -6487,15 +6477,15 @@ __metadata:
  linkType: hard

 "tar@npm:^7.4.3, tar@npm:^7.5.4":
-  version: 7.5.13
-  resolution: "tar@npm:7.5.13"
+  version: 7.5.15
+  resolution: "tar@npm:7.5.15"
  dependencies:
    "@isaacs/fs-minipass": "npm:^4.0.0"
    chownr: "npm:^3.0.0"
    minipass: "npm:^7.1.2"
    minizlib: "npm:^3.1.0"
    yallist: "npm:^5.0.0"
-  checksum: 10/2bc2b6f0349038a6621dbba1c4522d45752d5071b2994692257113c2050cd23fafc30308f820e5f8ad6fda3f7d7f92adc9a432aa733daa04c42af2061c021c3f
+  checksum: 10/b4cb6acd822159867f81ebda8d765c6941ec8292f1cf2f870d3713f4933c14bf0ed7bf4a92338143c31e8815ca0a1fdd62aa03ddb48a42ae187f7ef696583ffe
  languageName: node
  linkType: hard

@@ -6768,8 +6758,8 @@ __metadata:
  linkType: hard

 "vite@npm:^6.0.0 || ^7.0.0":
-  version: 7.3.1
-  resolution: "vite@npm:7.3.1"
+  version: 7.3.3
+  resolution: "vite@npm:7.3.3"
  dependencies:
    esbuild: "npm:^0.27.0"
    fdir: "npm:^6.5.0"
@@ -6818,7 +6808,7 @@ __metadata:
      optional: true
  bin:
    vite: bin/vite.js
-  checksum: 10/62e48ffa4283b688f0049005405a004447ad38ffc99a0efea4c3aa9b7eed739f7402b43f00668c0ee5a895b684dc953d62f0722d8a92c5b2f6c95f051bceb208
+  checksum: 10/c7fa17bc0aa530313417a28a144edcf910466b936cb192ce2c8cf7d6075e4b8e481b08a55ef71a7486757b03465b054d8c2cb49473d6fc9a0db8ac1dd641edff
  languageName: node
  linkType: hard

@@ -6987,6 +6977,13 @@ __metadata:
  languageName: node
  linkType: hard

+"xml-naming@npm:^0.1.0":
+  version: 0.1.0
+  resolution: "xml-naming@npm:0.1.0"
+  checksum: 10/45abd94ba64a508bda3f4d0b70e49811a3c3542596252c213caf47c858bbe9bba365ebba8eeff68e2a876e22a1bf6855d90cd2019b2f28012cebb167a4df2293
+  languageName: node
+  linkType: hard
+
 "xtend@npm:~4.0.1":
  version: 4.0.2
  resolution: "xtend@npm:4.0.2"
Author	SHA1	Message	Date
CrazyMax	4f5a161ff1	Merge pull request #979 from docker/dependabot/npm_and_yarn/postcss-8.5.10 build(deps): bump postcss from 8.5.6 to 8.5.10	2026-05-21 19:20:51 +02:00
CrazyMax	e15d361870	Merge pull request #985 from docker/dependabot/npm_and_yarn/fast-xml-builder-1.2.0 build(deps): bump fast-xml-builder from 1.1.4 to 1.2.0	2026-05-21 18:30:33 +02:00
github-actions[bot]	9baec518af	chore: update generated content	2026-05-21 16:07:40 +00:00
dependabot[bot]	66b5047e43	build(deps): bump fast-xml-builder from 1.1.4 to 1.2.0 Bumps [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder) from 1.1.4 to 1.2.0. - [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md) - [Commits](https://github.com/NaturalIntelligence/fast-xml-builder/compare/v1.1.4...v1.2.0) --- updated-dependencies: - dependency-name: fast-xml-builder dependency-version: 1.2.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-21 16:06:38 +00:00
CrazyMax	dae8e21ce2	Merge pull request #986 from docker/dependabot/npm_and_yarn/vite-7.3.3 build(deps): bump vite from 7.3.1 to 7.3.3	2026-05-21 18:04:19 +02:00
CrazyMax	0045eaa7a1	Merge pull request #988 from docker/dependabot/github_actions/crazy-max-dot-github-6667ecc476 build(deps): bump the crazy-max-dot-github group with 2 updates	2026-05-21 18:03:53 +02:00
CrazyMax	450ca8c2a5	Merge pull request #990 from docker/dependabot/github_actions/actions/create-github-app-token-3.2.0 build(deps): bump actions/create-github-app-token from 3.1.1 to 3.2.0	2026-05-21 18:03:27 +02:00
CrazyMax	d6726b3526	Merge pull request #991 from docker/dependabot/npm_and_yarn/tar-7.5.15 build(deps): bump tar from 6.2.1 to 7.5.15	2026-05-21 18:03:06 +02:00
CrazyMax	a2ea2dd0f1	Merge pull request #992 from docker/dependabot/github_actions/github/codeql-action-4.35.5 build(deps): bump github/codeql-action from 4.35.2 to 4.35.5	2026-05-21 18:02:36 +02:00
CrazyMax	bd659cc69e	Merge pull request #993 from docker/dependabot/npm_and_yarn/brace-expansion-5.0.6 build(deps): bump brace-expansion from 2.0.1 to 5.0.6	2026-05-21 18:02:14 +02:00
CrazyMax	43261b75b0	Merge pull request #994 from docker/dependabot/github_actions/codecov/codecov-action-6.0.1 build(deps): bump codecov/codecov-action from 6.0.0 to 6.0.1	2026-05-21 18:01:48 +02:00
CrazyMax	745e12c13f	Merge pull request #995 from crazy-max/zizmor-fixes ci: restrict update-dist GitHub App token scope	2026-05-21 14:57:35 +02:00
CrazyMax	5244cbf81d	ci: restrict update-dist GitHub App token scope Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-05-21 14:24:59 +02:00
dependabot[bot]	6778676cba	build(deps): bump codecov/codecov-action from 6.0.0 to 6.0.1 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 6.0.0 to 6.0.1. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](`57e3a136b7...e79a6962e0`) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-20 10:36:25 +00:00
github-actions[bot]	24be3e65e6	chore: update generated content	2026-05-18 16:49:16 +00:00
dependabot[bot]	9abe73fe0b	build(deps): bump brace-expansion from 2.0.1 to 5.0.6 Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 2.0.1 to 5.0.6. - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](https://github.com/juliangruber/brace-expansion/compare/v2.0.1...v5.0.6) --- updated-dependencies: - dependency-name: brace-expansion dependency-version: 5.0.6 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-18 16:48:17 +00:00
dependabot[bot]	b45b323e05	build(deps): bump github/codeql-action from 4.35.2 to 4.35.5 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.2 to 4.35.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](`95e58e9a2c...9e0d7b8d25`) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-18 08:04:15 +00:00
dependabot[bot]	963c6a6d1b	build(deps): bump tar from 6.2.1 to 7.5.15 Bumps [tar](https://github.com/isaacs/node-tar) from 6.2.1 to 7.5.15. - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](https://github.com/isaacs/node-tar/compare/v6.2.1...v7.5.15) --- updated-dependencies: - dependency-name: tar dependency-version: 7.5.15 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-15 00:39:58 +00:00
dependabot[bot]	2254f031f7	build(deps): bump actions/create-github-app-token from 3.1.1 to 3.2.0 Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 3.1.1 to 3.2.0. - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Changelog](https://github.com/actions/create-github-app-token/blob/main/CHANGELOG.md) - [Commits](`1b10c78c78...bcd2ba4921`) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: 3.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-14 05:52:44 +00:00
dependabot[bot]	d85f62f7d4	build(deps): bump the crazy-max-dot-github group with 2 updates Bumps the crazy-max-dot-github group with 2 updates: [crazy-max/.github/.github/workflows/pr-assign-author.yml](https://github.com/crazy-max/.github) and [crazy-max/.github/.github/workflows/zizmor.yml](https://github.com/crazy-max/.github). Updates `crazy-max/.github/.github/workflows/pr-assign-author.yml` from 1.7.1 to 1.8.0 - [Release notes](https://github.com/crazy-max/.github/releases) - [Commits](`64a0bfaf6e...9ba6e6f945`) Updates `crazy-max/.github/.github/workflows/zizmor.yml` from 1.7.1 to 1.8.0 - [Release notes](https://github.com/crazy-max/.github/releases) - [Commits](`64a0bfaf6e...9ba6e6f945`) --- updated-dependencies: - dependency-name: crazy-max/.github/.github/workflows/pr-assign-author.yml dependency-version: 1.8.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: crazy-max-dot-github - dependency-name: crazy-max/.github/.github/workflows/zizmor.yml dependency-version: 1.8.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: crazy-max-dot-github ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-12 10:55:20 +00:00
dependabot[bot]	604e8e9cf4	build(deps): bump vite from 7.3.1 to 7.3.3 Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 7.3.1 to 7.3.3. - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.3/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.3/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-version: 7.3.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-10 00:38:13 +00:00
CrazyMax	9f4a8ea54e	Merge pull request #980 from docker/dependabot/github_actions/crazy-max-dot-github-a3893cf95f build(deps): bump the crazy-max-dot-github group with 2 updates	2026-04-27 09:36:56 +02:00
dependabot[bot]	6831c7566c	build(deps): bump the crazy-max-dot-github group with 2 updates Bumps the crazy-max-dot-github group with 2 updates: [crazy-max/.github/.github/workflows/pr-assign-author.yml](https://github.com/crazy-max/.github) and [crazy-max/.github/.github/workflows/zizmor.yml](https://github.com/crazy-max/.github). Updates `crazy-max/.github/.github/workflows/pr-assign-author.yml` from 1.7.0 to 1.7.1 - [Release notes](https://github.com/crazy-max/.github/releases) - [Commits](`4a17dbaa9c...64a0bfaf6e`) Updates `crazy-max/.github/.github/workflows/zizmor.yml` from 1.7.0 to 1.7.1 - [Release notes](https://github.com/crazy-max/.github/releases) - [Commits](`4a17dbaa9c...64a0bfaf6e`) --- updated-dependencies: - dependency-name: crazy-max/.github/.github/workflows/pr-assign-author.yml dependency-version: 1.7.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: crazy-max-dot-github - dependency-name: crazy-max/.github/.github/workflows/zizmor.yml dependency-version: 1.7.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: crazy-max-dot-github ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-27 06:08:23 +00:00
dependabot[bot]	599ec30da7	build(deps): bump postcss from 8.5.6 to 8.5.10 Bumps [postcss](https://github.com/postcss/postcss) from 8.5.6 to 8.5.10. - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.5.6...8.5.10) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.5.10 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-24 17:40:44 +00:00