chore(deps): bump picomatch, @nx/eslint, @nx/js, @nx/node and @nx/vite

[dependabot]

Bumps picomatch to 4.0.4 and updates ancestor dependencies picomatch, @nx/eslint, @nx/js, @nx/node and @nx/vite. These dependencies need to be updated together.

Updates picomatch from 4.0.2 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

4.0.3

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144

New Contributors

• @​Jason3S made their first contribution in micromatch/picomatch#144

Full Changelog: micromatch/picomatch@4.0.2...4.0.3

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

4.0.3

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144

New Contributors

• @​Jason3S made their first contribution in micromatch/picomatch#144

Full Changelog: micromatch/picomatch@4.0.2...4.0.3

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates @nx/eslint from 21.3.5 to 22.6.4

Release notes

Sourced from @​nx/eslint's releases.

22.6.4 (2026-04-01)

🚀 Features

• misc: update nx init telemetry meta from CSV to JSON format (#35076)
• nx-dev: add conditional blog/changelog proxy in edge function (#35043)

🩹 Fixes

• core: validate bundler option for Angular presets in create-nx-workspace (#35074)
• core: handle "." and absolute paths as workspace name in CNW (#35083, #1)
• core: pin version of axios (#35093)
• core: preserve sibling dependency inputs in native hashing (#35071)
• core: sandbox exclusions, multi-line typeof import detection, global ensurePackage mock (#35056)
• core: no-interactive should disable prompts during migrate (#35106)
• gradle: increase project graph timeout defaults (#35058)
• js: recognize tsgo in dependency-checks lint rule (#35048)
• js: narrow tsc build-base outputs to only tsc-produced file types (#35041)
• js: include tsbuildinfo in narrowed tsc build-base outputs (#35086, #35041)
• js: use explicit nx/bin/nx path in start-local-registry (#35127)
• misc: handle non-interactive mode and add template shorthand names for CNW (#35045)
• react: force Vite 7 when using React Router in framework mode (#35101)
• react-native: use vite's transformWithEsbuild instead of direct esbuild import (5771eb3346)
• repo: pass env vars into docker builds in publish workflow (#35060)
• repo: bump picomatch from 4.0.2 to 4.0.4 (#35081, #35068)
• repo: fixup lock-threads failing with resource inaccessible message (#35005)
• repo: fix lockfile (b070e23445)
• repo: re-enable Cypress HMR e2e tests after upstream tapable fix (#35105, #34969, #20693)
• repo: disable ts-jest diagnostics for workspace-plugin tests (b013f93dca)
• vite: update vitest and plugin-react-swc versions for vite 8 compat (#35062)
• vite: bump sass version for vue/nuxt presets for Vite 8 compat (#35073)
• webpack: bump postcss-loader to ^8.2.1 to eliminate transitive yaml@1.x CVE (#35028, #35025)

❤️ Thank You

• Colum Ferry @​Coly010
• Craigory Coppola @​AgentEnder
• FrozenPandaz @​FrozenPandaz
• Jack Hsu @​jaysoo
• Jason Jean @​FrozenPandaz
• Leosvel Pérez Espinosa @​leosvelperez
• Miroslav Jonaš @​meeroslav
• Robert Sidzinka

22.6.3 (2026-03-27)

🚀 Features

• misc: a/b test cloud prompt copy in create-nx-workspace (#35039)

... (truncated)

Commits

• dbd2ace fix(linter): prepend framework configs before baseConfig in flat config gener...
• fae1dd4 fix(linter): use root config to determine ESLint class in plugin (#34900)
• b269f95 fix(linter): convert project-level eslint configs and log when skipped (#34899)
• ea5810e fix(linter): use native nx.configs in convert-to-flat-config for Nx plugins (...
• 94cc841 cleanup(linter): reuse ESLint instance across child projects in plugin (#34645)
• 31dad41 fix(linter): support eslint v10 (#34534)
• e3eedf9 docs(misc): update the docs to use more direct language (#34264)
• 0fe39b2 fix(linter): delete override block when update returns undefined in replaceOv...
• 9fb5a6c fix(linter): handle variable references in replaceOverride (#34026)
• 8b83502 feat(linter): add bulk suppression support for ESLint v9.24.0+ (#32184)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​nx/eslint since your current version.

Updates @nx/js from 21.3.5 to 22.6.4

Release notes

Sourced from @​nx/js's releases.

22.6.4 (2026-04-01)

🚀 Features

• misc: update nx init telemetry meta from CSV to JSON format (#35076)
• nx-dev: add conditional blog/changelog proxy in edge function (#35043)

🩹 Fixes

• core: validate bundler option for Angular presets in create-nx-workspace (#35074)
• core: handle "." and absolute paths as workspace name in CNW (#35083, #1)
• core: pin version of axios (#35093)
• core: preserve sibling dependency inputs in native hashing (#35071)
• core: sandbox exclusions, multi-line typeof import detection, global ensurePackage mock (#35056)
• core: no-interactive should disable prompts during migrate (#35106)
• gradle: increase project graph timeout defaults (#35058)
• js: recognize tsgo in dependency-checks lint rule (#35048)
• js: narrow tsc build-base outputs to only tsc-produced file types (#35041)
• js: include tsbuildinfo in narrowed tsc build-base outputs (#35086, #35041)
• js: use explicit nx/bin/nx path in start-local-registry (#35127)
• misc: handle non-interactive mode and add template shorthand names for CNW (#35045)
• react: force Vite 7 when using React Router in framework mode (#35101)
• react-native: use vite's transformWithEsbuild instead of direct esbuild import (5771eb3346)
• repo: pass env vars into docker builds in publish workflow (#35060)
• repo: bump picomatch from 4.0.2 to 4.0.4 (#35081, #35068)
• repo: fixup lock-threads failing with resource inaccessible message (#35005)
• repo: fix lockfile (b070e23445)
• repo: re-enable Cypress HMR e2e tests after upstream tapable fix (#35105, #34969, #20693)
• repo: disable ts-jest diagnostics for workspace-plugin tests (b013f93dca)
• vite: update vitest and plugin-react-swc versions for vite 8 compat (#35062)
• vite: bump sass version for vue/nuxt presets for Vite 8 compat (#35073)
• webpack: bump postcss-loader to ^8.2.1 to eliminate transitive yaml@1.x CVE (#35028, #35025)

❤️ Thank You

• Colum Ferry @​Coly010
• Craigory Coppola @​AgentEnder
• FrozenPandaz @​FrozenPandaz
• Jack Hsu @​jaysoo
• Jason Jean @​FrozenPandaz
• Leosvel Pérez Espinosa @​leosvelperez
• Miroslav Jonaš @​meeroslav
• Robert Sidzinka

22.6.3 (2026-03-27)

🚀 Features

• misc: a/b test cloud prompt copy in create-nx-workspace (#35039)

... (truncated)

Commits

• 44abcb2 fix(js): use explicit nx/bin/nx path in start-local-registry (#35127)
• aacfa7c fix(js): include tsbuildinfo in narrowed tsc build-base outputs (#35086)
• 32c4a02 chore(repo): fix critical handlebars and underscore vulnerabilities in npm au...
• 9acaee8 fix(js): narrow tsc build-base outputs to only tsc-produced file types (#35041)
• 9a18bc0 fix(js): recognize tsgo in dependency-checks lint rule (#35048)
• 9a743d3 fix(js): add {projectRoot} prefix to d.ts fileset in typescript plugin (#35037)
• b611b98 fix(js): add input on .d.ts files within dependency projects (#34968)
• 583335b fix(js): pass configName to typecheck command in TS plugin (#34989)
• 1fac893 fix(core): set windowsHide: true on all child process spawns (#34894)
• 9c2b5e2 fix(js): preserve tsconfig fields in typescript plugin cache (#34908)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​nx/js since your current version.

Updates @nx/node from 21.3.5 to 22.6.4

Release notes

Sourced from @​nx/node's releases.

22.6.4 (2026-04-01)

🚀 Features

• misc: update nx init telemetry meta from CSV to JSON format (#35076)
• nx-dev: add conditional blog/changelog proxy in edge function (#35043)

🩹 Fixes

• core: validate bundler option for Angular presets in create-nx-workspace (#35074)
• core: handle "." and absolute paths as workspace name in CNW (#35083, #1)
• core: pin version of axios (#35093)
• core: preserve sibling dependency inputs in native hashing (#35071)
• core: sandbox exclusions, multi-line typeof import detection, global ensurePackage mock (#35056)
• core: no-interactive should disable prompts during migrate (#35106)
• gradle: increase project graph timeout defaults (#35058)
• js: recognize tsgo in dependency-checks lint rule (#35048)
• js: narrow tsc build-base outputs to only tsc-produced file types (#35041)
• js: include tsbuildinfo in narrowed tsc build-base outputs (#35086, #35041)
• js: use explicit nx/bin/nx path in start-local-registry (#35127)
• misc: handle non-interactive mode and add template shorthand names for CNW (#35045)
• react: force Vite 7 when using React Router in framework mode (#35101)
• react-native: use vite's transformWithEsbuild instead of direct esbuild import (5771eb3346)
• repo: pass env vars into docker builds in publish workflow (#35060)
• repo: bump picomatch from 4.0.2 to 4.0.4 (#35081, #35068)
• repo: fixup lock-threads failing with resource inaccessible message (#35005)
• repo: fix lockfile (b070e23445)
• repo: re-enable Cypress HMR e2e tests after upstream tapable fix (#35105, #34969, #20693)
• repo: disable ts-jest diagnostics for workspace-plugin tests (b013f93dca)
• vite: update vitest and plugin-react-swc versions for vite 8 compat (#35062)
• vite: bump sass version for vue/nuxt presets for Vite 8 compat (#35073)
• webpack: bump postcss-loader to ^8.2.1 to eliminate transitive yaml@1.x CVE (#35028, #35025)

❤️ Thank You

• Colum Ferry @​Coly010
• Craigory Coppola @​AgentEnder
• FrozenPandaz @​FrozenPandaz
• Jack Hsu @​jaysoo
• Jason Jean @​FrozenPandaz
• Leosvel Pérez Espinosa @​leosvelperez
• Miroslav Jonaš @​meeroslav
• Robert Sidzinka

22.6.3 (2026-03-27)

🚀 Features

• misc: a/b test cloud prompt copy in create-nx-workspace (#35039)

... (truncated)

Commits

• cb6452c fix(misc): address security CVE cluster (copy-webpack-plugin, koa, minimatch)...
• e3eedf9 docs(misc): update the docs to use more direct language (#34264)
• 2bd8ef3 feat(js): bump swc to latest versions (#34215)
• 6f85b83 cleanup(repo): format all files (#33902)
• 62c13c5 feat(misc): support prettier v3 (#33898)
• 3db0fb2 fix(node): use @​swc/helpers instead of tslib when compiler is swc (#33885)
• 7f6db63 fix(node): sourceMaps option to sourceMap in webpack config (#33333)
• cac7f6c fix(node): set generatePackageJson:false for TS Solution workspaces (#33606)
• 50cf84f chore(repo): update nx to 22.1.0-rc.2 (#33464)
• 62d0ad7 chore(repo): rename jest.config.ts to jest.config.cts to be compat with Node ...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​nx/node since your current version.

Updates @nx/vite from 21.6.6 to 22.6.4

Release notes

Sourced from @​nx/vite's releases.

22.6.4 (2026-04-01)

🚀 Features

• misc: update nx init telemetry meta from CSV to JSON format (#35076)
• nx-dev: add conditional blog/changelog proxy in edge function (#35043)

🩹 Fixes

• core: validate bundler option for Angular presets in create-nx-workspace (#35074)
• core: handle "." and absolute paths as workspace name in CNW (#35083, #1)
• core: pin version of axios (#35093)
• core: preserve sibling dependency inputs in native hashing (#35071)
• core: sandbox exclusions, multi-line typeof import detection, global ensurePackage mock (#35056)
• core: no-interactive should disable prompts during migrate (#35106)
• gradle: increase project graph timeout defaults (#35058)
• js: recognize tsgo in dependency-checks lint rule (#35048)
• js: narrow tsc build-base outputs to only tsc-produced file types (#35041)
• js: include tsbuildinfo in narrowed tsc build-base outputs (#35086, #35041)
• js: use explicit nx/bin/nx path in start-local-registry (#35127)
• misc: handle non-interactive mode and add template shorthand names for CNW (#35045)
• react: force Vite 7 when using React Router in framework mode (#35101)
• react-native: use vite's transformWithEsbuild instead of direct esbuild import (5771eb3346)
• repo: pass env vars into docker builds in publish workflow (#35060)
• repo: bump picomatch from 4.0.2 to 4.0.4 (#35081, #35068)
• repo: fixup lock-threads failing with resource inaccessible message (#35005)
• repo: fix lockfile (b070e23445)
• repo: re-enable Cypress HMR e2e tests after upstream tapable fix (#35105, #34969, #20693)
• repo: disable ts-jest diagnostics for workspace-plugin tests (b013f93dca)
• vite: update vitest and plugin-react-swc versions for vite 8 compat (#35062)
• vite: bump sass version for vue/nuxt presets for Vite 8 compat (#35073)
• webpack: bump postcss-loader to ^8.2.1 to eliminate transitive yaml@1.x CVE (#35028, #35025)

❤️ Thank You

• Colum Ferry @​Coly010
• Craigory Coppola @​AgentEnder
• FrozenPandaz @​FrozenPandaz
• Jack Hsu @​jaysoo
• Jason Jean @​FrozenPandaz
• Leosvel Pérez Espinosa @​leosvelperez
• Miroslav Jonaš @​meeroslav
• Robert Sidzinka

22.6.3 (2026-03-27)

🚀 Features

• misc: a/b test cloud prompt copy in create-nx-workspace (#35039)

... (truncated)

Commits

• 4adc90f fix(react): force Vite 7 when using React Router in framework mode (#35101)
• 316e070 fix(vite): update vitest and plugin-react-swc versions for vite 8 compat (#35...
• c96a9d4 fix(vite): add support for Vite 8 (#34850)
• 1fac893 fix(core): set windowsHide: true on all child process spawns (#34894)
• 6ee7091 Revert "feat(js): add deps-sync generator (#34407)" (#34888)
• 1367d2a fix(vite): pin vitest v4 to ~4.0.x to fix Yarn Classic resolution failure (#3...
• 8d71d5b feat(js): add deps-sync generator (#34407)
• fb8884e fix(vitest): handle zoneless Angular apps in vitest configuration generator (...
• 42f623e fix(vite): skip root-relative paths in nxViteTsPaths resolveId (#34694)
• 1e1a8a7 fix(vite): isPreview=true for Vite Preview server (#34597)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

@@           Coverage Diff           @@
##             main      #69   +/-   ##
=======================================
  Coverage   96.38%   96.38%           
=======================================
  Files          13       13           
  Lines        1301     1301           
  Branches      191      190    -1     
=======================================
  Hits         1254     1254           
  Misses         47       47           

Flag	Coverage Δ
unittests	96.38% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud