build(deps): bump jsonata and renovate in /dependencies #28

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/dependencies/multi-104cad8ddf

dependabot[bot] commented on behalf of github Jul 4, 2026

Bumps jsonata to 2.2.1 and updates ancestor dependency renovate. These dependencies need to be updated together.

Updates jsonata from 2.0.5 to 2.2.1

Release notes

Sourced from jsonata's releases.

2.2.1 Maintenance Release

This release predominantly contains security related fixes and enhancements, in particular to address https://nvd.nist.gov/vuln/detail/CVE-2026-12208

  • Prevent object prototype pollution (PR #799)
  • Wildcards should not unwrap function objects (PR #800)
  • $append should enforce the sequence guardrail limit (PR #801)
  • Prevent object constructor setting internal flags (PR #802)

2.2.0 Milestone Release

This release predominantly contains security related fixes and enhancements, in particular to address GHSA-86vw-mfpg-wwv9. Thanks to Doruk Tan Öztürk and Arthur Deierlein for their private disclosures.

  • New API to specify resource guardrails on expressions (PR #795)
  • Fix ISO8601 regex pattern (PR #793)
  • Prevent $lookup from accessing object prototype members (PR #794)
  • Enable OIDC publishing to NPM (PR #792)
  • Publish step to be triggered by new version tag (PR #796)

2.1.1 Maintenance Release

  • Fix picture string parsing for $formatNumber (PR #788)
  • Fix $toMillis() with more than 3 digit fractional seconds (PR #782)
  • Fix ?: operator returning wrong result when LHS has array predicate (PR #780)
  • Fix ?? operator with array predicate on LHS (PR #774)
  • Fix function signature for repeating arguments (PR #760)
  • Fix precision fix for $string() function (PR #762)
  • Fix to prevent $formatNumber() getting into an infinite loop (PR #785)

2.1.0 Milestone Release

  • New syntax (?: default operator) supports fallback to RHS if the LHS is Boolean equivalent to false (PR #784)
  • New syntax (?? coalescing operator) supports fallback to RHS if the LHS is non-existent (PR #784)
  • Improve regex generation for DateTime parser (PR #728)
  • Truncate fractional part of numeric argument of $pad function (PR #729)
  • Await array elements (PR #747)
  • Various documentation fixes and improvements

2.0.6 Maintenance Release

  • Protect __evaluate_entry and __evaluate_exit callbacks (PR #700)
  • Add undocumented/private API to hook into when a new frame is created (PR #701)
    • Note this is internal and may change in a future release.
  • Update typescript definition (PR #704)
  • Chain operator should respect array constructor (PR #714)
Changelog

Sourced from jsonata's changelog.

2.2.1 Maintenance Release

  • Prevent object prototype pollution (PR #799)
  • Wildcards should not unwrap function objects (PR #800)
  • $append should enforce the sequence guardrail limit (PR #801)
  • Prevent object constructor setting internal flags (PR #802)

2.2.0 Milestone Release

  • New API to specify resource guardrails on expressions (PR #795)
  • Fix ISO8601 regex pattern (PR #793)
  • Prevent $lookup from accessing object prototype members (PR #794)
  • Enable OIDC publishing to NPM (PR #792)
  • Publish step to be triggered by new version tag (PR #796)

2.1.1 Maintenance Release

  • Fix picture string parsing for $formatNumber (PR #788)
  • Fix $toMillis() with more than 3 digit fractional seconds (PR #782)
  • Fix ?: operator returning wrong result when LHS has array predicate (PR #780)
  • Fix ?? operator with array predicate on LHS (PR #774)
  • Fix function signature for repeating arguments (PR #760)
  • Fix precision fix for $string() function (PR #762)
  • Fix to prevent $formatNumber() getting into an infinite loop (PR #785)

2.1.0 Milestone Release

  • New syntax (?: default operator) supports fallback to RHS if the LHS is Boolean equivalent to false (PR #784)
  • New syntax (?? coalescing operator) supports fallback to RHS if the LHS is non-existent (PR #784)
  • Improve regex generation for DateTime parser (PR #728)
  • Truncate fractional part of numeric argument of $pad function (PR #729)
  • Await array elements (PR #747)
  • Various documentation fixes and improvements

2.0.6 Maintenance Release

  • Protect __evaluate_entry and __evaluate_exit callbacks (PR #700)
  • Add undocumented/private API to hook into when a new frame is created (PR #701)
    • Note this is internal and may change in a future release.
  • Update typescript definition (PR #704)
  • Chain operator should respect array constructor (PR #714)
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for jsonata since your current version.


Updates renovate from 38.55.1 to 43.251.3

Release notes

Sourced from renovate's releases.

43.251.3

43.251.3 (2026-07-03)

Bug Fixes

  • terraform: strictly strip ".git" suffix from source URLs (#44350) (834fd2e)

43.251.2

43.251.2 (2026-07-03)

Miscellaneous Chores

  • deps: update dependency nock to v14.0.16 (main) (#44354) (bc2f043)

Build System

  • deps: update dependency ae-cvss-calculator to v1.0.13 (main) (#44355) (55b4257)

43.251.1

43.251.1 (2026-07-03)

Bug Fixes

  • versioning/debian: keep numeric value on dated codename update (#44335) (cb9a5ae)

43.251.0

43.251.0 (2026-07-02)

Features

  • deps: update ghcr.io/renovatebot/base-image docker tag to v13.70.0 (main) (#44351) (c2964c6)

Miscellaneous Chores

  • deps: update dependency tar to v7.5.17 (main) (#44348) (75f8deb)

43.250.0

43.250.0 (2026-07-02)

Features

  • manager/github-actions: support parallel steps (#44341) (a84fb3d)

43.249.7

43.249.7 (2026-07-02)

Bug Fixes

  • manager/custom/jsonata: handle evaluation errors (#44340) (d8e82a2)

... (truncated)

Commits
  • 834fd2e fix(terraform): strictly strip ".git" suffix from source URLs (#44350)
  • 55b4257 build(deps): update dependency ae-cvss-calculator to v1.0.13 (main) (#44355)
  • bc2f043 chore(deps): update dependency nock to v14.0.16 (main) (#44354)
  • cb9a5ae fix(versioning/debian): keep numeric value on dated codename update (#44335)
  • c2964c6 feat(deps): update ghcr.io/renovatebot/base-image docker tag to v13.70.0 (mai...
  • 75f8deb chore(deps): update dependency tar to v7.5.17 (main) (#44348)
  • a84fb3d feat(manager/github-actions): support parallel steps (#44341)
  • d8e82a2 fix(manager/custom/jsonata): handle evaluation errors (#44340)
  • e8af898 chore(deps): update github/codeql-action action to v4.36.3 (main) (#44343)
  • 289e2d2 fix(git): allow overriding GIT_ASKPASS (#44322)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for renovate since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [jsonata](https://github.com/jsonata-js/jsonata) to 2.2.1 and updates ancestor dependency [renovate](https://github.com/renovatebot/renovate). These dependencies need to be updated together.


Updates `jsonata` from 2.0.5 to 2.2.1
- [Release notes](https://github.com/jsonata-js/jsonata/releases)
- [Changelog](https://github.com/jsonata-js/jsonata/blob/master/CHANGELOG.md)
- [Commits](jsonata-js/jsonata@v2.0.5...v2.2.1)

Updates `renovate` from 38.55.1 to 43.251.3
- [Release notes](https://github.com/renovatebot/renovate/releases)
- [Commits](renovatebot/renovate@38.55.1...43.251.3)

---
updated-dependencies:
- dependency-name: jsonata
  dependency-version: 2.2.1
  dependency-type: indirect
- dependency-name: renovate
  dependency-version: 43.251.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Jul 4, 2026