chore(deps): bump the npm_and_yarn group across 2 directories with 6 updates

[dependabot]

Bumps the npm_and_yarn group with 3 updates in the / directory: diff, lodash and minimatch.
Bumps the npm_and_yarn group with 4 updates in the /openmetadata-ui-core-components/src/main/resources/ui directory: lodash, vite, rollup and validator.

Updates diff from 4.0.2 to 4.0.4

Changelog

Sourced from diff's changelog.

v4.0.4 - January 2026

Only change from 4.0.2 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v4.0.3 (deprecated)

Accidental release - do not use.

Commits

• f06f3e4 v4.0.4
• 0179a48 v4.0.3
• 4568cae Backport kpdecker/jsdiff#649
• 4de0ffa Backport kpdecker/jsdiff#647
• See full diff in compare view

Maintainer changes

This version was pushed to npm by explodingcabbage, a new releaser for diff since your current version.

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates vite from 5.4.19 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970) (cad1d31), closes #20968 #20970
• chore: update CHANGELOG (ca88ed7)

5.4.20 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (482000f), closes #20736
• fix: port sirv@3.0.2 changes to sirv@2.0.4 (#20737) (4f1c35b), closes #20737

Commits

• adce3c2 release: v5.4.21
• cad1d31 fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970)
• ca88ed7 chore: update CHANGELOG
• 997700f release: v5.4.20
• 482000f fix: apply fs.strict check to HTML files (#20736)
• See full diff in compare view

Updates rollup from 4.50.0 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6275: Validate bundle stays within output dir (@​lukastaegert)

v4.58.0

4.58.0

2026-02-20

Features

• Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

• #6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@​njg7194, @​lukastaegert)
• #6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@​millerick, @​lukastaegert)
• #6260: fix(deps): update rust crate swc_compiler_base to v47 (@​renovate[bot], @​lukastaegert)
• #6261: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6262: Avoid unnecessary cloning of the code string (@​lukastaegert)
• #6263: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6265: chore(deps): lock file maintenance (@​renovate[bot])
• #6267: fix(deps): update minor/patch updates (@​renovate[bot])
• #6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@​renovate[bot], @​lukastaegert)
• #6269: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6270: chore(deps): lock file maintenance (@​renovate[bot])
• #6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@​lukastaegert)

v4.57.1

4.57.1

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

• #6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6275: Validate bundle stays within output dir (@​lukastaegert)

4.58.0

2026-02-20

Features

• Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

• #6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@​njg7194, @​lukastaegert)
• #6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@​millerick, @​lukastaegert)
• #6260: fix(deps): update rust crate swc_compiler_base to v47 (@​renovate[bot], @​lukastaegert)
• #6261: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6262: Avoid unnecessary cloning of the code string (@​lukastaegert)
• #6263: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6265: chore(deps): lock file maintenance (@​renovate[bot])
• #6267: fix(deps): update minor/patch updates (@​renovate[bot])
• #6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@​renovate[bot], @​lukastaegert)
• #6269: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6270: chore(deps): lock file maintenance (@​renovate[bot])
• #6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@​lukastaegert)

4.57.1

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

• #6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)
• #6252: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6253: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6254: Fully include dynamic imports in a try-catch (@​lukastaegert)

... (truncated)

Commits

• ae84695 4.59.0
• b39616e Update audit-resolve
• c60770d Validate bundle stays within output dir (#6275)
• 33f39c1 4.58.0
• b61c408 forward NO_SIDE_EFFECTS annotations to function expressions in variable decla...
• 7f00689 Extend agent instructions
• e7b2b85 chore(deps): lock file maintenance (#6270)
• 2aa5da9 fix(deps): update minor/patch updates (#6267)
• 4319837 chore(deps): update dependency lru-cache to v11 (#6269)
• c3b6b4b chore(deps): update dependency eslint-plugin-unicorn to v63 (#6268)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for rollup since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates validator from 13.15.15 to 13.15.26

Release notes

Sourced from validator's releases.

13.15.26

Fixes, New Locales and Enhancements

• #2535 isHexColor: add require_hashtag option @​Numbers0689
• #2633 isURL: handle possible bypass with URL-encoded content @​WikiRik
• #2634 isIBAN: improve IR locale @​ds1371dani
• Doc fixes and others:
  • #2640 @​WikiRik

New Contributors

• @​ds1371dani made their first contribution in validatorjs/validator.js#2634
• @​Numbers0689 made their first contribution in validatorjs/validator.js#2535

Full Changelog: validatorjs/validator.js@13.15.23...13.15.26

13.15.23

Fixes, New Locales and Enhancements

• Doc fixes and others:
  • #2631 @​WikiRik

Full Changelog: validatorjs/validator.js@13.15.22...13.15.23

13.15.22

Fixes, New Locales and Enhancements

• #2622 isURL: fix regression with hostnames with ports @​mbtools
• #2616 isLength: improve handling Unicode variation selectors @​koral--
• Doc fixes and others:
  • #2621 @​mbtools

New Contributors

• @​mbtools made their first contribution in validatorjs/validator.js#2622
• @​koral-- made their first contribution in validatorjs/validator.js#2616

Full Changelog: validatorjs/validator.js@13.15.20...13.15.22

13.15.20

Fixes, New Locales and Enhancements

• #2556 isMobilePhone: add ar-QA locale @​WardKhaddour
• #2576 isAlpha/isAlphanuneric: add Indic locales (ta-IN, te-IN, kn-IN, ml-IN, gu-IN, pa-IN, or-IN) @​avadootharajesh
• #2574 isBase64: improve padding regex @​KrayzeeKev
• #2584 isVAT: improve FR locale @​iamAmer
• #2608 isURL: improve protocol detection. Resolves CVE-2025-56200 @​theofidry
• Doc fixes and others:
  • #2563 @​stoneLeaf
  • #2581 @​camillobruni

... (truncated)

Changelog

Sourced from validator's changelog.

13.15.26

Fixes, New Locales and Enhancements

• #2535 isHexColor: add require_hashtag option @​Numbers0689
• #2633 isURL: handle possible bypass with URL-encoded content @​WikiRik
• #2634 isIBAN: improve IR locale @​ds1371dani
• Doc fixes and others:
  • #2640 @​WikiRik

13.15.23

Fixes, New Locales and Enhancements

• Doc fixes and others:
  • #2631 @​WikiRik

13.15.22

Fixes, New Locales and Enhancements

• #2622 isURL: fix regression with hostnames with ports @​mbtools
• #2616 isLength: improve handling Unicode variation selectors @​koral--
• Doc fixes and others:
  • #2621 @​mbtools

13.15.20

Fixes, New Locales and Enhancements

• #2556 isMobilePhone: add ar-QA locale @​WardKhaddour
• #2576 isAlpha/isAlphanuneric: add Indic locales (ta-IN, te-IN, kn-IN, ml-IN, gu-IN, pa-IN, or-IN) @​avadootharajesh
• #2574 isBase64: improve padding regex @​KrayzeeKev
• #2584 isVAT: improve FR locale @​iamAmer
• #2608 isURL: improve protocol detection. Resolves CVE-2025-56200 @​theofidry
• Doc fixes and others:
  • #2563 @​stoneLeaf
  • #2581 @​camillobruni

Commits

• 784e52a docs(matches): add ReDoS note to README (#2640)
• 6531047 fix(isHexColor): add require_hashtag option (#2535)
• f605a9c fix(isURL): handle possible bypass with URL-encoded content (#2633)
• a165ebe fix(isIBAN): improve IR locale (#2634)
• 9113304 fix(build): move to trusted publishing (#2631)
• f2b5c17 maintenance: 2511 release (#2627)
• d457eca fix(isLength): correctly handle Unicode variation selectors (#2616)
• f2e3633 docs: add install instructions to contibution guide (#2621)
• cf40145 fix: URL validation for hostnames with ports (no protocol) (#2622)
• 4af6124 maintenance: 2510 release (#2585)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for validator since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

[dependabot]

Superseded by #8.