⬆️ Updates @vercel/ncc to ~> 0.38.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@vercel/ncc	~>0.27.0 -> ~> 0.38.0

---

Release Notes

vercel/ncc (@​vercel/ncc)

v0.38.2

Compare Source

Bug Fixes

• deps: update webpack to v5.94.0, terser to v5.33.0 (#​1213) (158a1fd), closes #​1193 #​1194 #​1177 #​1204 #​1195

Huge thanks to @​theoludwig 🎉

v0.38.1

Compare Source

Bug Fixes

• sourcemap sources removes webpack path (#​1122) (ce5984e), closes #​1011 #​1121

v0.38.0

Compare Source

Features

• Log minification error when --debug (#​1102) (e2779f4)

v0.37.0

Compare Source

Features

• add support for TypeScript 5.0's array extends in tsconfig (#​1105) (f898f8e)

v0.36.1

Compare Source

Bug Fixes

• add missing pr title lint action (#​1032) (c2d03cf)
• add ncc --version and ncc --help (#​1030) (d38b619)

v0.36.0

Compare Source

Bug Fixes

• gitignore should include release.config.js (#​1016) (44e2eac)
• node 18 by update source-map used by Terser to 0.7.4 (#​999) (2f69f83)

Features

• add semantic-release to autopublish (#​1015) (be3405d), closes #​1000

v0.34.0

Compare Source

Changes

Add support for TS 4.7

• Chore(deps-dev): bump ts-loader from 8.3.0 to 9.3.0: #​921
• Chore(deps-dev): bump express from 4.17.1 to 4.18.1: #​917
• Chore: add memory-fs to the devDependencies: #​927

Credits

Huge thanks to @​stscoundrel and @​shogo82148 for helping!

v0.33.4

Compare Source

Changes

• Fix: Add missing variable declaration: #​773
• Chore: add windows to CI: #​896
• Chore: bump webpack-asset-relocator-loader to 1.7.2: #​912
• Chore(deps-dev): bump vm2 from 3.9.4 to 3.9.6: #​872
• Chore(deps): bump url-parse from 1.5.3 to 1.5.7: #​875
• Chore(deps): bump url-parse from 1.5.7 to 1.5.10: #​879
• Chore(deps-dev): bump stripe from 8.167.0 to 8.205.0: #​882
• Chore(deps-dev): bump typescript from 4.4.2 to 4.6.2: #​881
• Chore(deps-dev): bump twilio from 3.66.1 to 3.75.0: #​884
• Chore(deps): bump actions/setup-node from 2 to 3: #​880
• Chore(deps-dev): bump graphql from 15.5.1 to 15.8.0: #​885
• Chore: replace deprecated String.prototype.substr(): #​894
• Chore(deps): bump actions/checkout from 2 to 3: #​902
• Chore(deps-dev): bump @​azure/cosmos from 3.12.3 to 3.15.1: #​905
• Chore(deps-dev): bump stripe from 8.205.0 to 8.214.0: #​906
• Chore(deps-dev): bump @​google-cloud/bigquery from 5.7.0 to 5.12.0: #​903
• Chore(deps-dev): bump tsconfig-paths from 3.10.1 to 3.14.1: #​904

Credits

Huge thanks to @​CommanderRoot for helping!

v0.33.3

Compare Source

Patches

• Fix: bump license-webpack-plugin: #​871
• Chore(deps): bump follow-redirects from 1.14.7 to 1.14.8: #​870

v0.33.2

Compare Source

Patches

• Fix: use sha256 instead of deprecated md5 for hash algorithm: #​868
• Fix: typo in build script: #​835
• Chore(test) Add Node.js 16 to CI: #​801
• Chore(deps): bump nodemailer from 6.5.0 to 6.7.2: #​833
• Chore(deps-dev): bump terser from 5.7.1 to 5.10.0: #​840
• Chore(deps-dev): bump passport from 0.4.1 to 0.5.2: #​839
• Chore(deps-dev): bump sequelize from 6.6.5 to 6.12.4: #​843
• Chore(deps-dev): bump analytics-node from 5.0.0 to 6.0.0: #​838
• Chore(deps): bump follow-redirects from 1.14.5 to 1.14.7: #​846
• Chore(deps): bump cached-path-relative from 1.0.2 to 1.1.0: #​854
• Chore(deps-dev): bump license-webpack-plugin from 2.3.20 to 4.0.1: #​859
• Chore(deps): bump simple-get from 3.1.0 to 3.1.1: #​864
• Chore(deps-dev): bump aws-sdk from 2.1024.0 to 2.1068.0: #​867

Credits

Huge thanks to @​shakefu for helping!

v0.33.1

Compare Source

Patches

• Allow configuring mainFields for nccing browser modules: #​832

v0.33.0

Compare Source

Minor Changes

• Chore(deps-dev): bump @​vercel/webpack-asset-relocator-loader: #​826
• Fix: Fix source maps: #​818
• Feat: Allow using matches from externals for regex matching: #​825

Patches

• Chore(deps-dev): bump koa from 2.13.1 to 2.13.4: #​822
• Chore(deps-dev): bump mariadb from 2.5.4 to 2.5.5: #​823

Credits

Huge thanks to @​fenix20113 for helping!

v0.32.0

Compare Source

Changes

• Feat: bump to [email protected]: #​809
• Docs: add debug command description: #​800
• Chore(deps): bump object-path from 0.11.7 to 0.11.8: #​778
• Chore(deps): bump tmpl from 1.0.4 to 1.0.5: #​779
• Chore(deps-dev): bump vm2 from 3.9.3 to 3.9.4: #​795
• Chore(deps-dev): bump axios from 0.21.1 to 0.21.2: #​810
• Chore(deps-dev): bump aws-sdk from 2.958.0 to 2.1024.0: #​812
• Chore(deps-dev): bump webpack from 5.61.0 to 5.62.1: #​813
• Chore(deps): bump passport-oauth2 from 1.5.0 to 1.6.1: #​811
• Chore(deps): bump url-parse from 1.5.1 to 1.5.3: #​815

Credits

Huge thanks to @​fireairforce and @​jesec for helping!

v0.31.1

Compare Source

Patches

• Fix tsconfig.json detection: #​770

v0.31.0

Compare Source

Changes

• Fix compilerOptions from tsconfig.json: #​766
• Bump typescript to 4.4.2: #​767
• Chore(deps-dev): bump graceful-fs from 4.2.6 to 4.2.8: #​761
• Chore(deps): bump tar from 4.4.15 to 4.4.19: #​763
• Chore(deps): bump object-path from 0.11.5 to 0.11.7: #​764

v0.30.0

Compare Source

Changes

• Major: Change asset builds to opt-in with new option --asset-builds: #​756
• Chore: bump typescript from 3.9.9 to 4.3.5: #​739
• Chore: bump codecov to 3.8.3: #​752

Description

Previous, fs.readFile('./asset.js') would compile asset.js instead of including as an asset.

With this release, the default behavior has been changed to include asset.js as an asset only.

If you want the old behavior, you can use the --asset-builds option.

Credits

Huge thanks to @​guybedford for helping!

v0.29.2

Compare Source

Patches

• Fix: ensure nested builds of __nccwpck_require__: #​751

Credits

Huge thanks to @​guybedford for helping!

v0.29.1

Compare Source

Patches

• Fix: add stringify-loader: #​742
• Fix: package.json asset type module setting: #​733
• Chore(deps): update dependencies: #​736
• Chore(deps): bump tar from 4.4.13 to 4.4.15: #​743
• Chore(deps): bump path-parse from 1.0.6 to 1.0.7: #​745
• Chore(deps-dev): bump pdfkit from 0.12.1 to 0.12.3: #​740

Credits

Huge thanks to @​guybedford, @​mmorel-35, and @​jpcloureiro for helping!

v0.29.0

Compare Source

Changes

• Major: output ESM for .mjs or type=module builds: #​720
• Feat: update to [email protected]: #​718
• Feat: update to [email protected]: #​723
• Feat: update to [email protected]: #​724
• Chore: bump set-getter from 0.1.0 to 0.1.1: #​719
• Fix: typo in readme: #​712

Credits

Huge thanks to @​rethab and @​guybedford for helping!

v0.28.6

Compare Source

Patches

• Fix: Update to [email protected]: #​707
• Fix: Update ts-loader to fix webpack warning: #​710
• Deps: Bump hosted-git-info from 2.8.8 to 2.8.9: #​708

Credits

Huge thanks to @​adriencohen and @​huozhi for helping!

v0.28.5

Compare Source

Patches

• Fix: handle terser error: #​703
• Fix: treat compilation.errors as a set: #​705
• Fix: unify target arg description, add transpile-only arg to readme: #​702

Credits

Huge thanks to @​guybedford and @​Simek for helping!

v0.28.4

Compare Source

Patches

• Fix: Adjust caching to use hashes: #​698
• Fix: support top-level await: #​700
• Fix: publish should build without cache: #​701
• Chore: redis from 2.8.0 to 3.1.1: #​699
• Chore: Bump ssri from 6.0.1 to 6.0.2: #​695
• Chore: rename master to main: #​694

Credits

Huge thanks to @​guybedford for helping!

v0.28.3

Compare Source

Patches

• Fix: lock license plugin version: #​692

Credits

Huge thanks to @​huozhi for helping!

v0.28.2

Compare Source

Patches

• Fix: unknown compiler option incremental: #​685
• Fix: replace .npmignore with "files" prop: #​688

Credits

Huge thanks to @​Songkeys for helping!

v0.28.1

Compare Source

Patches

• Fix: Rebuild bundle to fix #​684
• Deps: Bump codecov to 3.8.1: #​683

v0.28.0

Compare Source

Minor Changes

• Feat: exports conditions semantics: #​665
• Feat: imports support, webpack upgrade: #​672
• Feat: Support Regexp externals: #​654
• Fix: TS interop test and fix: #​671
• Fix: Upgrade local TS: #​674
• Chore: Interop test case: #​667
• Chore: add console output when minifying fails: #​648
• Chore: Add Node.js 14 to CI: #​659
• Docs: Fix out [file] → out [dir]: #​675
• Deps: Update to [email protected]: #​681
• Deps: Update to [email protected]: #​664
• Deps: Update to [email protected]: #​658
• Deps: Update to [email protected]: #​682
• Deps: Upgrade to [email protected]: #​673
• Deps: Update to [email protected]: #​662
• Deps: Upgrade to [email protected]: #​669
• Deps: Bump socket.io from 2.2.0 to 2.4.0: #​645
• Deps: Bump pug from 2.0.3 to 3.0.1: #​656
• Deps: Bump elliptic from 6.5.3 to 6.5.4: #​657
• Deps: Bump msgpack5 from 4.2.1 to 4.5.1: #​660
• Deps: Bump y18n from 3.2.1 to 3.2.2: #​678

Credits

Huge thanks to @​guybedford, @​Songkeys, @​adriencohen, and @​huozhi for helping!

---

Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Branch automerge failure

This PR was configured for branch automerge, however this is not possible so it has been raised as a PR instead.

---

• Branch has one or more failed status checks

[github-actions]

Thanks for the PR!

This section of the codebase is owner by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged.

[github-actions]

Thanks for opening an issue! Make sure you've followed CONTRIBUTING.md.

[github-actions]

Hello from PR Helper

Is your PR ready for review and processing? Mark the PR ready by including #pr-ready in a comment.

If you still have work to do, even after marking this ready. Put the PR on hold by including #pr-onhold in a comment.

[mergify]

This pull request has merge conflicts that must be resolved before it can be merged. @renovate[bot] please rebase it. https://rook.io/docs/rook/master/development-flow.html#updating-your-fork

[viezly]

Pull request by bot. No need to analyze

[socket-security]

Removed dependencies detected. Learn more about Socket for GitHub ↗︎

🚮 Removed packages: @vercel/[email protected]

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
Bin script shell injection	npm	6.14.11	Bin Script: which	@semantic-release/[email protected], @semantic-release/[email protected], @semantic-release/[email protected], @semantic-release/[email protected], @semantic-release/[email protected], @semantic-release/[email protected], [email protected] via package.json

Next steps

What is bin script shell injection?

This package re-exports a well known shell command via an npm bin script. This is possibly a supply chain attack

Packages should not export bin scripts which conflict with well known shell commands

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore [email protected]