chore(deps):(deps-dev): bump tinyglobby from 0.2.15 to 0.2.16 #285

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/tinyglobby-0.2.16
@dependabot dependabot Bot commented on behalf of github Apr 13, 2026

Bumps tinyglobby from 0.2.15 to 0.2.16.

Release notes

Sourced from tinyglobby's releases.

0.2.16

Fixed

Changed

  • Overhauled and optimized most internals by @​Torathion
  • Ignore patterns are no longer compiled twice by @​webpro

Consider sponsoring if you'd like to support the development of this project and the goal of reaching a lighter and faster ecosystem

Changelog

Sourced from tinyglobby's changelog.

0.2.16

Fixed

Changed

  • Overhauled and optimized most internals by Torathion
  • Ignore patterns are no longer compiled twice by webpro

Commits

  • 5779202 release 0.2.16
  • 071954f bump deps once more
  • e541dde do not import the whole fs module
  • 2381b76 fix root being too broad
  • 0addeb9 chore(deps): update all non-major dependencies (#191)
  • 91ac26c chore(deps): update pnpm/action-setup action to v5 (#192)
  • c50558e upgrade picomatch (and everything else)
  • 6185175 chore(deps): update dependency picomatch to v4.0.4 [security] (#193)
  • 49c2b93 enable pnpm trustPolicy
  • bc825c4 chore(deps): update all non-major dependencies (#181)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Lockfile-only update bumping a dev dependency; runtime/app logic is unchanged, with minimal risk beyond potential build tooling differences.

Overview
Updates the lockfile to bump dev dependency tinyglobby from 0.2.15 to 0.2.16, including its picomatch dependency to ^4.0.4.

Also normalizes several platform-specific optional dependency entries by removing libc metadata (e.g., sharp/libvips, rolldown bindings, lightningcss) without changing their versions.

Reviewed by Cursor Bugbot for commit 78bde54. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [tinyglobby](https://github.com/SuperchupuDev/tinyglobby) from 0.2.15 to 0.2.16.
- [Release notes](https://github.com/SuperchupuDev/tinyglobby/releases)
- [Changelog](https://github.com/SuperchupuDev/tinyglobby/blob/main/CHANGELOG.md)
- [Commits](SuperchupuDev/tinyglobby@0.2.15...0.2.16)

---
updated-dependencies:
- dependency-name: tinyglobby
  dependency-version: 0.2.16
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Apr 13, 2026
@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 78bde54. Configure here.

Comment thread package-lock.json
"arm"
],
"dev": true,
"libc": [
Missing libc fields in lockfile breaks Alpine builds

Medium Severity

The libc field has been removed from all native binary packages in package-lock.json (sharp, rolldown, lightningcss — both glibc and musl variants). This project builds on node:24-alpine (musl-based), and without libc filtering, npm ci will attempt to install incompatible glibc native binaries alongside musl ones, causing unnecessary install failures (silently ignored since they're optional), wasted build time, and potential resolution issues. This is an unintentional side effect of regenerating the lockfile — the tinyglobby bump shouldn't have affected these unrelated packages.

Reviewed by Cursor Bugbot for commit 78bde54. Configure here.
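
The drift described in the review comment above (platform metadata such as `libc` disappearing from packages the bump does not touch) can be checked mechanically before merging a lockfile-only PR. This is an added example, not code from this PR, Dependabot or Bugbot; `lockfileDrift`, the sample package names and their versions are hypothetical, and it assumes a lockfile whose `packages` map is keyed by `node_modules/...` paths.

```javascript
// Added example: flag lockfile entries whose platform metadata or version
// changed even though they are not the dependency being bumped.
const PLATFORM_KEYS = ["os", "cpu", "libc"];

function lockfileDrift(before, after, bumped) {
  const findings = [];
  const oldPkgs = before.packages || {};
  const newPkgs = after.packages || {};
  for (const [path, oldEntry] of Object.entries(oldPkgs)) {
    const newEntry = newPkgs[path];
    if (!newEntry) continue; // removals already show up in the normal diff
    const name = path.split("node_modules/").pop();
    if (bumped.includes(name)) continue; // the intended change
    if (oldEntry.version !== newEntry.version) {
      findings.push({ path, key: "version", from: oldEntry.version, to: newEntry.version });
    }
    for (const key of PLATFORM_KEYS) {
      const from = oldEntry[key] ?? null;
      const to = newEntry[key] ?? null;
      if (JSON.stringify(from) !== JSON.stringify(to)) {
        findings.push({ path, key, from, to });
      }
    }
  }
  return findings;
}

// Constructed sample data: hypothetical package names, not the PR's lockfile.
const native = (libc) => ({
  version: "1.0.0", os: ["linux"], cpu: ["x64"], optional: true, dev: true,
  ...(libc ? { libc: [libc] } : {}),
});
const SAMPLE_BEFORE = { packages: {
  "node_modules/tinyglobby": { version: "0.2.15", dev: true },
  "node_modules/example-native-linux-x64-gnu": native("glibc"),
  "node_modules/example-native-linux-x64-musl": native("musl"),
  "node_modules/example-pure-js": { version: "2.0.0", dev: true },
} };
const SAMPLE_AFTER = { packages: {
  "node_modules/tinyglobby": { version: "0.2.16", dev: true },
  "node_modules/example-native-linux-x64-gnu": native(null),
  "node_modules/example-native-linux-x64-musl": native(null),
  "node_modules/example-pure-js": { version: "2.0.0", dev: true },
} };

console.log(lockfileDrift(SAMPLE_BEFORE, SAMPLE_AFTER, ["tinyglobby"]));
```

Run against the base and head copies of `package-lock.json` in CI, a non-empty result on a single-dependency bump is a signal to regenerate the lockfile rather than merge it as is.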
