chore(deps): update npm dependencies updates

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
create-next-app (source)	15.5.6 → 15.5.18
cypress (source)	15.5.* → 15.15.*
jscpd	4.0.* → 4.2.*
release-it	19.0.* → 19.2.*

---

Release Notes

vercel/next.js (create-next-app)

v15.5.18

Compare Source

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.16

Compare Source

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.15

Compare Source

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

v15.5.14

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#​91660)
• Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#​90304)

Credits

Huge thanks to @​styfle and @​lllomh for helping!

v15.5.13

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​ztanner for helping!

v15.5.12

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

• fix unlock in publish-native

This is a re-release of v15.5.11 applying the turbopack changes.

v15.5.11

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Tracing: Fix memory leak in span map (#​85529)
• fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth (#​89134)
• Turbopack: fix NFT tracing of sharp 0.34 (#​82340)
• Turbopack: support pattern into exports field (#​82757)
• NFT tracing fixes (#​84155 and #​85323)
• Turbopack: validate CSS without computing all paths (#​83810)
• feat: implement LRU cache with invocation ID scoping for minimal mode response cache (#​89129)

Credits

Huge thanks to @​timneutkens, @​mischnic, @​ztanner, and @​wyattjoh for helping!

v15.5.10

Compare Source

Please refer the following changelogs for more information about this security release:

• https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
• https://vercel.com/changelog/summary-of-cve-2026-23864

v15.5.9

Compare Source

Please see the Next.js Security Update for information about this security patch.

v15.5.8

Compare Source

v15.5.7

Compare Source

Please see CVE-2025-66478 for additional details about this release.

cypress-io/cypress (cypress)

v15.15.0

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-15-0

v15.14.2

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-14-2

v15.14.1

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-14-1

v15.14.0

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-14-0

v15.13.1

Compare Source

v15.13.0

Compare Source

v15.12.0

Compare Source

v15.11.0

Compare Source

v15.10.0

Compare Source

v15.9.0

Compare Source

v15.8.2

Compare Source

v15.8.1

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-8-1

v15.8.0

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-8-0

v15.7.1

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-7-1

v15.7.0

Compare Source

v15.6.0

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-6-0

kucherenko/jscpd (jscpd)

v4.2.3

Compare Source

v4.2.2

Compare Source

v4.2.1

Compare Source

v4.2.0

Compare Source

Breaking Changes

• Vue SFC tokenization — .vue files are no longer tokenized as markup. Each block is now dispatched to its own sub-format: <script> → javascript, <script lang="ts"> → typescript, <template> → markup, <style> → css, <style lang="scss"> → scss, <style lang="less"> → less. Clone reports for .vue files now appear under these resolved sub-format names. Any tooling or configuration that relied on .vue clones being reported under markup must be updated.
• --formatsExts users — custom mappings that pointed .vue to markup (e.g. "formatsExts": { "markup": ["vue"] }) will no longer take effect because .vue is handled by the dedicated vue format processor. Remove or update such mappings.

New Features

• Custom tokenizer backend — replaced the prismjs npm package with a self-contained reprism-based grammar engine. ~11.5% faster tokenization on real projects (avg 1126 ms → 997 ms on a 548-file, 223-format scan).
• Cross-format detection — Vue SFC (.vue), Svelte (.svelte), Astro (.astro), and Markdown files are now tokenized per-block/per-section. A <script> block in a .vue file can match a .ts file; a fenced code block in Markdown can match a .py file.
• 223 supported formats — Apex, CFML/ColdFusion, GDScript, Svelte, Astro, and 70+ additional languages added (up from 152). See FORMATS.md.
• Shebang detection — extensionless executable scripts (e.g. /usr/bin/env python3) are auto-detected by their #! shebang line and tokenized in the correct language.
• --store-path — configure a custom directory for the LevelDB cache, eliminating collisions when multiple jscpd processes run in parallel on the same machine.
• --skipComments — shorthand flag for --mode weak, which strips comments before detection.
• --formats-names — map specific filenames (e.g. Makefile, Dockerfile) to a detection format.

Bug Fixes

• Entire-file duplicates silently dropped (@jscpd/core #​728) — RabinKarp flushed the pending clone on a store hit at end-of-file instead of on a miss. Files that are complete copies of each other were undetected. Fixed.
• ReDoS hang on Lisp/Elisp files (@jscpd/tokenizer #​737) — the Lisp string regex /"(?:[^"\\]*|\\.)*"/ could catastrophically backtrack (O(2ⁿ)) on unterminated strings. Replaced with a linear /"(?:[^"\\]|\\[\s\S])*"/ pattern.
• Process crash on malformed package.json (#​739) — readJSONSync threw an unhandled SyntaxError when package.json contained invalid JSON, killing the process. Now emits a warning and continues with an empty config.
• Vue SFC cross-file detection broken — the detector used the file-level format (vue) as the store namespace for all SFC blocks, preventing a <script> block in one .vue file from ever matching a <script> block in another. The namespace now reflects each block's resolved sub-format.
• Vue SFC incorrect column numbers — tokens on the first line of a block carried block-relative column 1 instead of file-absolute column numbers. Fixed in @jscpd/tokenizer.
• 50 dependency security vulnerabilities remediated across the monorepo (Dependabot batches).

Known Limitations

• Malformed SFC blocks (e.g. unclosed tags, invalid attributes) are silently skipped and do not contribute tokens.

---

v4.1.1

Compare Source

v4.1.0

Compare Source

New Features

• AI Reporter — new ai reporter that produces compact, token-efficient clone output specifically designed for feeding results into language models and AI tooling. Use --reporters ai to activate it.
• MCP Server enhancements — the Model Context Protocol server now exposes a jscpd://statistics resource and supports a recheck endpoint so AI agents can trigger a rescan without restarting the process.
• Apex & CFML language support — jscpd can now detect duplicate code in Salesforce Apex and ColdFusion Markup Language (CFML) files (closes #​83, #​619).
• GDScript support — detect copy-paste duplication in Godot Engine GDScript files.
• HTML reporter footer — the HTML report now displays a branded footer with the jscpd version and a sponsor link.
• --noTips flag — suppress the usage-tip messages that appear after a detection run.
• CI: Node.js 22.x / 24.x — continuous integration updated to test against the latest Node.js LTS and current releases.

Performance

• Tokenizer — grammars are now loaded lazily, hot paths are O(n), and the spark-md5 dependency has been removed in favour of a lighter built-in implementation. Startup time and memory usage are noticeably reduced on large codebases.
• Replaced the vendored reprism syntax library with the official prismjs npm package, shrinking the installed footprint.

Bug Fixes

• Restored the correct start.line expectation for weak-mode clone detection.

---

v4.0.9

Compare Source

v4.0.8

Compare Source

v4.0.7

Compare Source

v4.0.6

Compare Source

release-it/release-it (release-it)

v19.2.4

Compare Source

• chore: update dependencies to resolve security vulnerabilities (#​1273) (b45dd1a) - thanks @​Yeom-JinHo!
• Update a few dev deps (cd8acdc)

v19.2.3

Compare Source

• Reuse generated changelog (316dbfa)
• Remove obsolete eslint compat packages/config (f6cc8f3)
• Update remark-preset-webpro and fix broken links (6e6dd4b)

v19.2.2

Compare Source

• Improve getChangelog method (7a56364)

v19.2.1

Compare Source

• Improve commit prompt (b7aca7c)
• Remedy potential edge case in template helper (5c0a6ee)

v19.2.0

Compare Source

• Add option to exit gracefully (e1f825d)
• Update dependencies (424c9f6)
• Auto-format docs (06f41bb)
• fix: add shell mode for npm commands on windows (#​1266) (382e346) - thanks @​julienbenac!
• Feat: Add publishPackageManager config option in NPM plugin to allow using different package manager for publishing (e.g. Bun) (#​1169) (0dafc0b) - thanks @​chrispader!
• Only use --workspaces=false with npm (12bb89c)
• Fix up docs/types a bit (05a5986)
• Format (c9d6ebf)

v19.1.0

Compare Source

• Ignore .npmrc (8ccd060)
• Update lockfile (c4cd2ba)
• Support interactive shell in non-CI mode for 2FA flow (resolve #​1263) (a10b20d)
• Add --workspaces=false to get rid of the null/matches error (14a4907)
• Remove npm config env var warnings (b8c1247)
• doc(readme): add release-it-beautiful-changelog plugin to list of plugins (#​1261) (1b68c21)
• Add 403 to consider resource alive (7969849)

v19.0.6

Compare Source

• Update list of projects using release-it (92b49d3)
• Bump github/codeql-action from 2 to 4 (#​1253) (21309d3) - thanks @​dependabot[bot]!
• Bump actions/setup-node from 5 to 6 (#​1255) (3fbaab1) - thanks @​dependabot[bot]!
• Test in node 24 (7a12b12)
• Upgrade c12 (resolve #​1254) (1f48d03)

---

Configuration

📅 Schedule: (in timezone Europe/Paris)

• Branch creation
  • "before 8am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.