chore(deps): update npm dependencies updates (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
jscpd (source)	4.0.* → 5.0.*
nodemon (source)	2.0.15 → 3.1.14
release-it	19.0.* → 20.2.*

---

Release Notes

kucherenko/jscpd (jscpd)

v5.0.9

Compare Source

New Features

• GitHub Action for jscpd (Rust v5) — jscpd-copy-paste-detector action for GitHub Actions Marketplace. Scan your repo for copy/paste in CI with uses: kucherenko/jscpd/.github/workflows/action.yml@v5

Bug Fixes

• Resolve platform binary resolution when cpd is installed as a nested dependency (e.g. in a project's node_modules via a parent package). The runner now correctly locates the platform-specific binary relative to the installed package rather than assuming a top-level install. Fixes #​816

v5.0.8

Compare Source

Bug Fixes

• Prevent mmap exhaustion crashes when scanning repositories with more files than (default 131 072 on Linux). The walker previously held a live per discovered file; each rayon worker now opens and drops its mapping within the processing closure, capping concurrent mappings to the thread-pool size (typically 8–32). Fixes #​813
• Fix not matching relative paths when the scan root is absolute (e.g. CWD). Patterns like now match correctly by comparing against both the relative path and the full absolute path, and bare patterns like gain a prefix to match at any depth. Fixes #​811

v5.0.7

Compare Source

Bug Fixes

• Prevent stack overflow when scanning directories containing deeply-nested JS/TS files (e.g. Bun's with 320K+ nested for-loops). OXC's recursive-descent parser allocates one stack frame per AST nesting level; pathological inputs now exceed the default 8 MiB thread stack. Fixed by building a local rayon with 64 MiB stacks instead of using the global pool (which silently fails on re-init)
• Default to — files exceeding the limit are skipped at walk time, consistent with jscpd v4's behavior. This prevents OXC from ever seeing megabyte-scale generated files that would overflow the stack
• now correctly takes effect on every call (previously silently no-op'd after the first invocation)

v5.0.6

Compare Source

New Features

• v4 config backward compatibility — fields , , , and are now read and applied, matching jscpd v4 behavior
• and are now distinct: matches file-level globs, matches code-level regex patterns (previously conflated)
• path config support — reads scan directories from the field, resolving relative paths against the config file's directory
• npm wrapper package — publishes the same Rust binary under the name on npm with v5.x versioning
• now matches v4 behavior: accepts optional integer value ( exits 1, exits 2); and are now independent
• Performance improvements: memory-mapped file I/O (via ) eliminates heap copies of file contents; SIMD-accelerated line counting (via ); parallel detection pipeline uses to avoid intermediate allocations; JS tokenizer no longer clones source strings before parsing (thanks to @​auterium, #​808)

Bug Fixes

• Fixed to match jscpd v4's behavior (was boolean, now optional integer)
• Fixed unique temp dir generation in reporter tests (added PID to prevent race conditions under parallel test runners)

v5.0.5

Compare Source

v5.0.4

Compare Source

New Features

• CLI alignment with jscpd v4: new --absolute, --ignore-case, --formats-exts, --formats-names flags; fixed --threshold, improved --max-size
• Detection and statistics aligned with jscpd for consistent output across Rust and TypeScript versions
• Side-by-side blame comparison in console-full reporter
• Clone list display in console reporter

Bug Fixes

• HTML reporter now outputs jscpd-report.html at the output_dir root
• Resolved all clippy warnings across workspace
• Fixed unique temp dir generation in tests (use as_nanos() instead of subsec_nanos())

v4.2.5

Compare Source

Bug Fixes

• JSON reporter duplicate token counts — tokens was always reported as 0 in JSON output; now computed from token positions (end.position - start.position) (#​801).
• Gitignore parent-directory walk — .gitignore files in parent directories up to the repo root are now read and combined with scan-directory .gitignore files. Also reads .git/info/exclude and the global core.excludesFile for full parity with Git's ignore resolution (#​741).
• Commander v15 migration — CLI option parsing migrated from direct property access (cli.minTokens, etc.) to the cli.opts() API required by Commander v8+. The --no-gitignore / --gitignore flag handling was rewritten to use Commander's native negation support instead of rawArgs inspection.
• Vitest 4.1.0 — bumped from 3.2.4 to address CVE-2026-47429.
• Commander v15 — bumped from v5 to v15, enabling modern Node.js compatibility.
• Pug 3.0.4, node-sarif-builder 4.1.0, nodemon 3.1.14 — dependency bumps for security and compatibility.

---

v4.2.4

Compare Source

v4.2.3

Compare Source

v4.2.2

Compare Source

v4.2.1

Compare Source

v4.2.0

Compare Source

Breaking Changes

• Vue SFC tokenization — .vue files are no longer tokenized as markup. Each block is now dispatched to its own sub-format: <script> → javascript, <script lang="ts"> → typescript, <template> → markup, <style> → css, <style lang="scss"> → scss, <style lang="less"> → less. Clone reports for .vue files now appear under these resolved sub-format names. Any tooling or configuration that relied on .vue clones being reported under markup must be updated.
• --formatsExts users — custom mappings that pointed .vue to markup (e.g. "formatsExts": { "markup": ["vue"] }) will no longer take effect because .vue is handled by the dedicated vue format processor. Remove or update such mappings.

New Features

• Custom tokenizer backend — replaced the prismjs npm package with a self-contained reprism-based grammar engine. ~11.5% faster tokenization on real projects (avg 1126 ms → 997 ms on a 548-file, 223-format scan).
• Cross-format detection — Vue SFC (.vue), Svelte (.svelte), Astro (.astro), and Markdown files are now tokenized per-block/per-section. A <script> block in a .vue file can match a .ts file; a fenced code block in Markdown can match a .py file.
• 223 supported formats — Apex, CFML/ColdFusion, GDScript, Svelte, Astro, and 70+ additional languages added (up from 152). See FORMATS.md.
• Shebang detection — extensionless executable scripts (e.g. /usr/bin/env python3) are auto-detected by their #! shebang line and tokenized in the correct language.
• --store-path — configure a custom directory for the LevelDB cache, eliminating collisions when multiple jscpd processes run in parallel on the same machine.
• --skipComments — shorthand flag for --mode weak, which strips comments before detection.
• --formats-names — map specific filenames (e.g. Makefile, Dockerfile) to a detection format.

Bug Fixes

• Entire-file duplicates silently dropped (@jscpd/core #​728) — RabinKarp flushed the pending clone on a store hit at end-of-file instead of on a miss. Files that are complete copies of each other were undetected. Fixed.
• ReDoS hang on Lisp/Elisp files (@jscpd/tokenizer #​737) — the Lisp string regex /"(?:[^"\\]*|\\.)*"/ could catastrophically backtrack (O(2ⁿ)) on unterminated strings. Replaced with a linear /"(?:[^"\\]|\\[\s\S])*"/ pattern.
• Process crash on malformed package.json (#​739) — readJSONSync threw an unhandled SyntaxError when package.json contained invalid JSON, killing the process. Now emits a warning and continues with an empty config.
• Vue SFC cross-file detection broken — the detector used the file-level format (vue) as the store namespace for all SFC blocks, preventing a <script> block in one .vue file from ever matching a <script> block in another. The namespace now reflects each block's resolved sub-format.
• Vue SFC incorrect column numbers — tokens on the first line of a block carried block-relative column 1 instead of file-absolute column numbers. Fixed in @jscpd/tokenizer.
• 50 dependency security vulnerabilities remediated across the monorepo (Dependabot batches).

Known Limitations

• Malformed SFC blocks (e.g. unclosed tags, invalid attributes) are silently skipped and do not contribute tokens.

---

v4.1.1

Compare Source

v4.1.0

Compare Source

New Features

• AI Reporter — new ai reporter that produces compact, token-efficient clone output specifically designed for feeding results into language models and AI tooling. Use --reporters ai to activate it.
• MCP Server enhancements — the Model Context Protocol server now exposes a jscpd://statistics resource and supports a recheck endpoint so AI agents can trigger a rescan without restarting the process.
• Apex & CFML language support — jscpd can now detect duplicate code in Salesforce Apex and ColdFusion Markup Language (CFML) files (closes #​83, #​619).
• GDScript support — detect copy-paste duplication in Godot Engine GDScript files.
• HTML reporter footer — the HTML report now displays a branded footer with the jscpd version and a sponsor link.
• --noTips flag — suppress the usage-tip messages that appear after a detection run.
• CI: Node.js 22.x / 24.x — continuous integration updated to test against the latest Node.js LTS and current releases.

Performance

• Tokenizer — grammars are now loaded lazily, hot paths are O(n), and the spark-md5 dependency has been removed in favour of a lighter built-in implementation. Startup time and memory usage are noticeably reduced on large codebases.
• Replaced the vendored reprism syntax library with the official prismjs npm package, shrinking the installed footprint.

Bug Fixes

• Restored the correct start.line expectation for weak-mode clone detection.

---

v4.0.9

Compare Source

v4.0.8

Compare Source

v4.0.7

Compare Source

New Features

• jscpd-server — a new jscpd-server package ships a RESTful HTTP API for code-duplication detection. Ideal for CI pipelines, IDE plugins, and services that need on-demand analysis without spinning up a CLI process.
• GitHub Actions example — an example_github_action.yml starter workflow is included in the repository.

Bug Fixes

• Ignore patterns defined in configuration files are now applied correctly (the path-matching bug in resolveIgnorePattern has been fixed).
• Importing jscpd as a Node.js module no longer auto-executes the CLI entry point.
• Fixed an invalid documentation link.

---

v4.0.6

Compare Source

Bug Fixes

• Dependency and lock-file updates to address security advisories.

---

remy/nodemon (nodemon)

v3.1.14

Compare Source

Bug Fixes

• get watch working on windows (cfebe2f), closes #​2270

v3.1.13

Compare Source

Bug Fixes

• TypeScript definition for 'restart' args (5c03715), closes #​2265

v3.1.12

Compare Source

Bug Fixes

• bump minimatch (9376af3), closes #​2267

v3.1.11

Compare Source

v3.1.10

Compare Source

Bug Fixes

• update types and jsdocs (#​2232) (297c7c7), closes #​2231

v3.1.9

Compare Source

Bug Fixes

• maintain backward support for exitcrash (9c9de6e)

v3.1.8

Compare Source

Bug Fixes

• types updated (cb91187)

v3.1.7

Compare Source

Bug Fixes

• types for export on ESModule (#​2211) (9b0606a)

v3.1.6

Compare Source

Bug Fixes

• watch nested paths (11fcaaa), closes #​2216

v3.1.5

Compare Source

Bug Fixes

• add missing ignore option to type defintion of config (#​2224) (254c2ab)

v3.1.4

Compare Source

Bug Fixes

• ensure local env have priority (6020968), closes #​2209

v3.1.3

Compare Source

Bug Fixes

• cast the nodemon function as Nodemon type (eaa1d54), closes #​2206

v3.1.2

Compare Source

Bug Fixes

• Type exports correctly (#​2207) (789663c), closes #​2206

v3.1.1

Compare Source

Bug Fixes

• add types to help with required nodemon usage (#​2204) (cd27c0b)

v3.1.0

Compare Source

Features

• Enable nodemon to monitor file removal (#​2182) (02d216f)

v3.0.3

Compare Source

Bug Fixes

• use node when using --import (d3ee86e), closes #​2157

v3.0.2

Compare Source

Bug Fixes

• bump debug out of vuln range (533ad9c), closes #​2146

v3.0.1

Compare Source

Bug Fixes

• restore default ext watch behaviour (95bee00), closes #​2124 #​1957

v3.0.0

Compare Source

Bug Fixes

• also watch cjs (86d5f40)
• node@​10 support back in (af3b9e2)
• semver vuln dep (6bb8766), closes #​2119

Features

• always use polling on IBM i (3b58104)

BREAKING CHANGES

• official support for node@​8 dropped.

However there's no function being used in semver that breaks node 8,
so it's technically still possible to run with node 8, but it will
no longer be supported (or tested in CI).

v2.0.22

Compare Source

Bug Fixes

• remove ts mapping if loader present (f7816e4), closes #​2083

v2.0.21

Compare Source

Bug Fixes

• remove ts mapping if loader present (1468397), closes #​2083

v2.0.20

Compare Source

Bug Fixes

• remove postinstall script (e099e91)

v2.0.19

Compare Source

Bug Fixes

• Replace update notifier with simplified deps (#​2033) (176c4a6), closes #​1961 #​2028

v2.0.18

Compare Source

Bug Fixes

• revert update-notifier forcing esm (1b3bc8c)

v2.0.17

Compare Source

Bug Fixes

• bump update-notifier to v6.0.0 (#​2029) (0144e4f)
• update packge-lock (27e91c3)

v2.0.16

Compare Source

Bug Fixes

• support windows by using path.delimiter (e26aaa9)

release-it/release-it (release-it)

v20.2.0

Compare Source

• Print staged-packages approval URL after stage publish (244d811)
• Capture the stage id for the approval message (2476065)

v20.1.0

Compare Source

• feat: add --quiet flag to hide release previews (#​1274) (ecefe44) - thanks @​Yeom-JinHo!
• fix: ensure release body is an empty string instead of null (#​1303) (5cc5ebd) - thanks @​driiftkiing!
• Add 'Accept-Encoding' header to GitLab API requests (#​1301) (14a478e) - thanks @​KlausDerKleber!
• Support npm staged publishing (npm.stage) (aa20f56)
• Run tests on Node 26 (29f079b)
• Use draft flow for immutable releases with assets (resolve #​1295) (c63b4e4)
• Publish interactively under --only-version so passkey 2FA works (resolve #​1234) (4ebb66e)
• Format docs/npm.md (a2a262c)
• Dogfoodin' (0cb51a9)

v20.0.1

Compare Source

• fix: allow false as npm config value in types (#​1289) (f783e82) - thanks @​ahippler!
• Bump actions/checkout from 5 to 6 (#​1262) (19921fc) - thanks @​dependabot[bot]!
• fix: Replace @​nodeutils/defaults-deep with defu for deep-default merging (#​1297) (8616a21) - thanks @​rajnsunny!
• Update dependencies (bee3138)

v20.0.0

Compare Source

• fix: remove leading slashes from owner (#​1288) (5585b72) - thanks @​driiftkiing!
• Fix write: false guard in npm.bump (resolve #​1267) (a2d1b99)
• Format (f427a85)

v19.2.4

Compare Source

• chore: update dependencies to resolve security vulnerabilities (#​1273) (b45dd1a) - thanks @​Yeom-JinHo!
• Update a few dev deps (cd8acdc)

v19.2.3

Compare Source

• Reuse generated changelog (316dbfa)
• Remove obsolete eslint compat packages/config (f6cc8f3)
• Update remark-preset-webpro and fix broken links (6e6dd4b)

v19.2.2

Compare Source

• Improve getChangelog method (7a56364)

v19.2.1

Compare Source

• Improve commit prompt (b7aca7c)
• Remedy potential edge case in template helper (5c0a6ee)

v19.2.0

Compare Source

• Add option to exit gracefully (e1f825d)
• Update dependencies (424c9f6)
• Auto-format docs (06f41bb)
• fix: add shell mode for npm commands on windows (#​1266) (382e346) - thanks @​julienbenac!
• Feat: Add publishPackageManager config option in NPM plugin to allow using different package manager for publishing (e.g. Bun) (#​1169) (0dafc0b) - thanks @​chrispader!
• Only use --workspaces=false with npm (12bb89c)
• Fix up docs/types a bit (05a5986)
• Format (c9d6ebf)

v19.1.0

Compare Source

• Ignore .npmrc (8ccd060)
• Update lockfile (c4cd2ba)
• Support interactive shell in non-CI mode for 2FA flow (resolve #​1263) (a10b20d)
• Add --workspaces=false to get rid of the null/matches error (14a4907)
• Remove npm config env var warnings (b8c1247)
• doc(readme): add release-it-beautiful-changelog plugin to list of plugins (#​1261) (1b68c21)
• Add 403 to consider resource alive (7969849)

v19.0.6

Compare Source

• Update list of projects using release-it (92b49d3)
• Bump github/codeql-action from 2 to 4 (#​1253) (21309d3) - thanks @​dependabot[bot]!
• Bump actions/setup-node from 5 to 6 (#​1255) (3fbaab1) - thanks @​dependabot[bot]!
• Test in node 24 (7a12b12)
• Upgrade c12 (resolve #​1254) (1f48d03)

---

Configuration

📅 Schedule: (in timezone Europe/Paris)

• Branch creation
  • "before 8am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.