fix(deps): update external major (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@redocly/cli	1.34.5 -> 2.0.8			devDependencies	major
actions/checkout	v4 -> v5			action	major
chai (source)	5.3.3 -> 6.0.1			devDependencies	major
diff	7.0.0 -> 8.0.2			dependencies	major
dotenv	16.6.1 -> 17.2.2			devDependencies	major
lint-staged	15.5.2 -> 16.1.6			devDependencies	major
sinon (source)	20.0.0 -> 21.0.0			devDependencies	major

---

Release Notes

Redocly/redocly-cli (@​redocly/cli)

v2.0.8

Compare Source

Patch Changes

• Updated @​redocly/openapi-core to v2.0.8.

v2.0.7

Compare Source

Patch Changes

• Improved Respect verbose logs to display response headers.
• Updated @​redocly/respect-core to v2.0.7.

v2.0.6

Compare Source

Patch Changes

• Fixed an issue where files specified in decorators parameters were not always resolved correctly.
  The resolution logic now properly locates the specified files relative to the config file for info-description-override, media-type-examples-override, operation-description-override, and tag-description-override decorators.
• Improved messaging to clarify when API alias configuration is implicitly applied during linting or bundling by filename.
• Updated the retryAfter property in Respect to use seconds (instead of milliseconds) for consistency with the Arazzo specification.
• Updated @​redocly/openapi-core to v2.0.6.

v2.0.5

Compare Source

Patch Changes

• Fixed an issue where the root config was not properly merged with the apis config.
• Resolved an issue that caused configuration parsing to fail when the config value was set to null.
• Improved join command server handling for specifications with differing servers.
• Updated @​redocly/respect-core to v2.0.5.

v2.0.4

Compare Source

Patch Changes

• Fixed an issue where the openapi config options were ignored when running the build-docs command.
• Ensure externalRefResolver option is correctly passed to nested workflow contexts.
• Updated @​redocly/respect-core to v2.0.4.

v2.0.3

Compare Source

Patch Changes

• Fixed type definitions for Respect input and server options to support both string and string[] values.
• Fixed binary response data in Respect results by properly encoding it as base64.
• Updated @​redocly/respect-core to v2.0.3.

v2.0.2

Compare Source

Patch Changes

• Made executionTimeout parameter optional in the run function exported from respect-core.
• Updated @​redocly/respect-core to v2.0.2.

v2.0.1

Compare Source

Patch Changes

• Fixed an issue where the no-required-schema-properties-undefined rule incorrectly resolved nested $refs relative to the file in which they were defined.
• Fixed an issue where multipart form-data parameters were not properly resolved and evaluated before sending requests.
• Updated @​redocly/openapi-core to v2.0.1.

v2.0.0

Compare Source

Major Changes

• Removed backward compatibility for the spec rule. Use struct instead.
• Removed support for the deprecated apiDefinitions option in the Redocly config. Use apis instead.
  Removed the labels field within the apis section, which was associated with the legacy Redocly API Registry product.
• Removed support for default config file names other than redocly.yaml.
• Removed support for the deprecated features.openapi and features.mockServer configuration options. Use openapi and mockServer directly instead.
• Removed backward compatibility for the deprecated lint and styleguide options in the Redocly config.
  Use rules, decorators and other related options on the root level instead.
• Removed the deprecated disallowAdditionalProperties option support in rules. Use allowAdditionalProperties instead.
• Removed support for the deprecated theme property of Redocly config.
  All the properties of theme are now available in the config root.
• Removed the deprecated path-excludes-patterns and info-license-url rules.
• Removed the deprecated undefined assertion. Use defined instead.
• Removed support for the legacy Redocly API Registry in favor of the new Reunite platform.
  Reunite provides improved API management capabilities and better integration with Redocly's tooling ecosystem.
  Migrated the login and push commands to work exclusively with Reunite.
  Removed the preview-docs command as part of platform modernization.
  Use the preview command instead.
• Removed support for the deprecated referenceDocs option, which was related to the legacy Reference docs product.
• Removed support for the deprecated assert/ prefix in configurable rules. Use rule/ prefix instead.
• Migrated the codebase to ES Modules from CommonJS, bringing improved code organization and better support for modern JavaScript features.
  Update to Node.js version 20.19.0+, 22.12.0+, or 23+.

Minor Changes

• Added x-security extension for Respect that enables secure handling of authentication in Arazzo workflows.
  Use this extension to:

  • Define security schemes at the step level using either predefined schemes or inline definitions
  • Pass values of secrets (passwords, tokens, API keys)
  • Support multiple authentication types including API Key (query, header, or cookie), Basic Authentication, Bearer Token, Digest Authentication, OAuth2, and OpenID Connect
  • Automatically transform security parameters into appropriate HTTP headers or query parameters

• Added environment variable support for CLI arguments using Yargs .env() method to parse environment variables with matching prefixes.

• Added validation for JSON Schema format.

• Extracted nullable validation from the struct rule into a new nullable-type-sibling rule for OpenAPI 3.0. This allows users to disable nullable validation separately from other structural checks.

• Configured the spec ruleset for OpenAPI, AsyncAPI, Arazzo, and Overlay specifications.
  This ruleset is designed to strictly follow the specifications.

• Added the no-duplicated-tag-names rule to check for duplications in the tags field in API descriptions.

• Enabled no-required-schema-properties-undefined, no-schema-type-mismatch, and no-enum-type-mismatch rules for AsyncAPI and Arazzo specifications.
  Adjusted the rules' severities in the recommended and minimal rulesets. Refer to the following table:

  Rule \ Ruleset	recommended	minimal
  no-required-schema-properties-undefined	off -> warn	off -> warn
  no-enum-type-mismatch	error	warn
  no-schema-type-mismatch	warn -> error	off -> warn

• Implemented automatic masking of sensitive fields (such as tokens and passwords) in response bodies to enhance security and prevent accidental exposure of secrets in logs and outputs.

• Added new CLI options for the respect command to improve test execution control.

Patch Changes

• Fixed plugins validation in config files referenced in the extends section.
• Fixed no-undefined-server-variable crash when encountering null values in the server list.
• Refactored @redocly/respect-core to eliminate Node.js-specific dependencies, improving cross-platform compatibility.
• Updated Redoc to v2.5.0.
• Fixed alias detection when using --config from a different folder than the current working directory.
• Resolved an issue where [email protected] injected an unintended message into the output.
• Fixed Redocly CLI to correctly read residency from the Redocly configuration file.
• Improved Respect's error handling when server URLs are missing from both OpenAPI descriptions and CLI options.
• Updated @​redocly/respect-core to v2.0.0.

actions/checkout (actions/checkout)

v5

Compare Source

chaijs/chai (chai)

v6.0.1

Compare Source

What's Changed

• fix: keep function/class names in bundle by @​43081j in #​1701

Full Changelog: chaijs/chai@v6.0.0...v6.0.1

v6.0.0

Compare Source

BREAKING CHANGES

Chai is now bundled into a single file. The lib/*.js files are no longer present, and so any code that imports those files directly will need to change. The only file that can be imported now is ./index.js.

What's Changed

• feat: remove unbundled sources by @​43081j in #​1700

Full Changelog: chaijs/chai@v5.3.2...v6.0.0

kpdecker/jsdiff (diff)

v8.0.2

Compare Source

• #​616 Restored compatibility of diffSentences with old Safari versions. This was broken in 8.0.0 by the introduction of a regex with a lookbehind assertion; these weren't supported in Safari prior to version 16.4.
• #​612 Improved tree shakeability by marking the built CJS and ESM packages with sideEffects: false.

v8.0.1

Compare Source

• #​610 Fixes types for diffJson which were broken by 8.0.0. The new bundled types in 8.0.0 only allowed diffJson to be passed string arguments, but it should've been possible to pass either strings or objects (and now is). Thanks to Josh Kelley for the fix.

v8.0.0

Compare Source

• #​580 Multiple tweaks to diffSentences:
  • tokenization no longer takes quadratic time on pathological inputs (reported as a ReDOS vulnerability by Snyk); is now linear instead
  • the final sentence in the string is now handled the same by the tokenizer regardless of whether it has a trailing punctuation mark or not. (Previously, "foo. bar." tokenized to ["foo.", " ", "bar."] but "foo. bar" tokenized to ["foo.", " bar"] - i.e. whether the space between sentences was treated as a separate token depended upon whether the final sentence had trailing punctuation or not. This was arbitrary and surprising; it is no longer the case.)
  • in a string that starts with a sentence end, like "! hello.", the "!" is now treated as a separate sentence
  • the README now correctly documents the tokenization behaviour (it was wrong before)
• #​581 - fixed some regex operations used for tokenization in diffWords taking O(n^2) time in pathological cases
• #​595 - fixed a crash in patch creation functions when handling a single hunk consisting of a very large number (e.g. >130k) of lines. (This was caused by spreading indefinitely-large arrays to .push() using .apply or the spread operator and hitting the JS-implementation-specific limit on the maximum number of arguments to a function, as shown at https://stackoverflow.com/a/56809779/1709587; thus the exact threshold to hit the error will depend on the environment in which you were running JsDiff.)
• #​596 - removed the merge function. Previously JsDiff included an undocumented function called merge that was meant to, in some sense, merge patches. It had at least a couple of serious bugs that could lead to it returning unambiguously wrong results, and it was difficult to simply "fix" because it was unclear precisely what it was meant to do. For now, the fix is to remove it entirely.
• #​591 - JsDiff's source code has been rewritten in TypeScript. This change entails the following changes for end users:

  • the diff package on npm now includes its own TypeScript type definitions. Users who previously used the @types/diff npm package from DefinitelyTyped should remove that dependency when upgrading JsDiff to v8.

    Note that the transition from the DefinitelyTyped types to JsDiff's own type definitions includes multiple fixes and also removes many exported types previously used for options arguments to diffing and patch-generation functions. (There are now different exported options types for abortable calls - ones with a timeout or maxEditLength that may give a result of undefined - and non-abortable calls.) See the TypeScript section of the README for some usage tips.

  • The Diff object is now a class. Custom extensions of Diff, as described in the "Defining custom diffing behaviors" section of the README, can therefore now be done by writing a class CustomDiff extends Diff and overriding methods, instead of the old way based on prototype inheritance. (I think code that did things the old way should still work, though!)

  • diff/lib/index.es6.js and diff/lib/index.mjs no longer exist, and the ESM version of the library is no longer bundled into a single file.

  • The ignoreWhitespace option for diffWords is no longer included in the type declarations. The effect of passing ignoreWhitespace: true has always been to make diffWords just call diffWordsWithSpace instead, which was confusing, because that behaviour doesn't seem properly described as "ignoring" whitespace at all. The property remains available to non-TypeScript applications for the sake of backwards compatibility, but TypeScript applications will now see a type error if they try to pass ignoreWhitespace: true to diffWords and should change their code to call diffWordsWithSpace instead.

  • JsDiff no longer purports to support ES3 environments. (I'm pretty sure it never truly did, despite claiming to in its README, since even the 1.0.0 release used Array.map which was added in ES5.)

• #​601 - diffJson's stringifyReplacer option behaves more like JSON.stringify's replacer argument now. In particular:
  • Each key/value pair now gets passed through the replacer once instead of twice
  • The key passed to the replacer when the top-level object is passed in as value is now "" (previously, was undefined), and the key passed with an array element is the array index as a string, like "0" or "1" (previously was whatever the key for the entire array was). Both the new behaviours match that of JSON.stringify.
• #​602 - diffing functions now consistently return undefined when called in async mode (i.e. with a callback). Previously, there was an odd quirk where they would return true if the strings being diffed were equal and undefined otherwise.

motdotla/dotenv (dotenv)

v17.2.2

Compare Source

Added

• 🙏 A big thank you to new sponsor Tuple.app - the premier screen sharing app for developers on macOS and Windows. Go check them out. It's wonderful and generous of them to give back to open source by sponsoring dotenv. Give them some love back.

v17.2.1

Compare Source

Changed

• Fix clickable tip links by removing parentheses (#​897)

v17.2.0

Compare Source

Added

• Optionally specify DOTENV_CONFIG_QUIET=true in your environment or .env file to quiet the runtime log (#​889)
• Just like dotenv any DOTENV_CONFIG_ environment variables take precedence over any code set options like ({quiet: false})

v17.1.0

Compare Source

Added

• Add additional security and configuration tips to the runtime log (#​884)
• Dim the tips text from the main injection information text

const TIPS = [
  '🔐 encrypt with dotenvx: https://dotenvx.com',
  '🔐 prevent committing .env to code: https://dotenvx.com/precommit',
  '🔐 prevent building .env in docker: https://dotenvx.com/prebuild',
  '🛠️  run anywhere with `dotenvx run -- yourcommand`',
  '⚙️  specify custom .env file path with { path: \'/custom/path/.env\' }',
  '⚙️  enable debug logging with { debug: true }',
  '⚙️  override existing env vars with { override: true }',
  '⚙️  suppress all logs with { quiet: true }',
  '⚙️  write to custom object with { processEnv: myObject }',
  '⚙️  load multiple .env files with { path: [\'.env.local\', \'.env\'] }'
]

v17.0.1

Compare Source

Changed

• Patched injected log to count only populated/set keys to process.env (#​879)

v17.0.0

Compare Source

Changed

• Default quiet to false - informational (file and keys count) runtime log message shows by default (#​875)

lint-staged/lint-staged (lint-staged)

v16.1.6

Compare Source

Patch Changes

• #​1610 e93578e Thanks @​iiroj! - Try to improve terminating of subprocess of tasks by using SIGKILL, and only calling pidtree when the the main task process has a known pid.

v16.1.5

Compare Source

Patch Changes

• #​1608 4e3ce22 Thanks @​srsatt! - Detect the git repo's top-level directory correctly when in a worktree.

v16.1.4

Compare Source

Patch Changes

• #​1604 90b37b0 Thanks @​iiroj! - Add another types field to package.json to make even more sure NPM detects that lint-staged includes built-in TypeScript type definitions.

v16.1.3

Compare Source

Patch Changes

• #​1602 7ea700b Thanks @​dword-design! - Add the types field to package.json to make sure NPM detects lint-staged includes built-in TypeScript type definitions.

v16.1.2

Compare Source

Patch Changes

• #​1570 a7c0c88 Thanks @​ItsNickBarry! - When using --diff-filter with the D option to include deleted staged files, lint-staged no longer tries to stage the deleted files, unless they're no longer deleted. Previously this caused an error from git add like fatal: pathspec 'deleted-file' did not match any files.

• 38f942e Thanks @​iiroj! - Removed an extraneous log entry that printed shouldHidePArtiallyStagedFiles to console output.

v16.1.1

Compare Source

Patch Changes

• #​1565 3686977 Thanks @​iiroj! - Lint-staged now explicitly warns about potential data loss when using --no-stash.

• #​1571 02299a9 Thanks @​iiroj! - Function tasks (introduced in v16.0.0) only received the staged files matching the conpmnfigured glob, instead of all staged files.

• #​1563 bc61c74 Thanks @​iiroj! - This version fixes incorrect behavior where unstaged changes were committed when using the --no-stash option. This happened because --no-stash implied --no-hide-partially-staged, meaning unstaged changes to files which also had other staged changes were added to the commit by lint-staged; this is no longer the case.

  The previous (incorrect) behavior can still be achieved by using both options --no-stash --no-hide-partially-staged at the same time.

v16.1.0

Compare Source

Minor Changes

• #​1536 e729daa Thanks @​iiroj! - A new flag --no-revert has been introduced for when task modifications should be applied to the index before aborting the commit in case of errors. By default, lint-staged will clear all task modifications and revert to the original state.

• #​1550 b27fa3f Thanks @​iiroj! - Lint-staged now ignores symlinks and leaves them out from the list of staged files.

Patch Changes

• #​1558 c37dc38 Thanks @​iiroj! - The minimum required Node.js version is lowered to 20.17 following [email protected].

v16.0.0

Compare Source

Major Changes

• #​1546 158d15c Thanks @​iiroj! - Processes are spawned using nano-spawn instead of execa. If you are using Node.js scripts as tasks, you might need to explicitly run them with node, especially when using Windows:

  {
    "*.js": "node my-js-linter.js"
  }

• #​1546 158d15c Thanks @​iiroj! - The --shell flag has been removed and lint-staged no longer supports evaluating commands directly via a shell. To migrate existing commands, you can create a shell script and invoke it instead. Lint-staged will pass matched staged files as a list of arguments, accessible via "$@​":

sinonjs/sinon (sinon)

v21.0.0

Compare Source

• fd10f13f
  chore!: remove assert.failException property (#​2659) (Morgan Roderick)

  This was used for allowing customisation of the thrown error between
  sandboxes and for customisation for integrations (most likely from the
  days of BusterJS).

  To my knowledge and what I've been able to find on GitHub, this has
  never had any production use by end users.

  BREAKING CHANGE: this removes assert.failException from the API

Released by Morgan Roderick on 2025-06-13.

---

Configuration

📅 Schedule: Branch creation - "after 2pm on Monday" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

This PR will trigger a patch release when merged.

[solaris007]

🎉 This PR is included in version 1.1.15 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀