npm: bump release-it from 14.14.3 to 19.0.4

[dependabot]

Bumps release-it from 14.14.3 to 19.0.4.

Release notes

Sourced from release-it's releases.

Release 19.0.4

• Replace lodash.get with custom get() function and add tests (#1231) (879a2ef69bb245d28cfe4abe4701ceefaadb6bee) - thanks @​AlejandroRM-DEV!
• fix: set octokit log to {} instead of null (#1237) (6fc696f324897e133a9443064dfc6ef5dd827871) - thanks @​efstathiosntonas!
• Update dependencies (2195b7935f7bece7e0f49bd13089fc0eb4f671aa)

Release 19.0.3

• chore: use node's spawn instead of tinyexec dep (#1227) (fccdf6742ed4051fcd6ee11d890b84f7a34e81c4) - thanks @​efstathiosntonas!
• Minor housekeeping/formatting (1604dc75ac2370a068c28a9119885d3035d372ac)
• Add default timeout (mainly for tests) (96d8889251e670fc178e891b62a845bb8009f929)
• docs(gitlab): update token scope requirements and default secure setting (#1229) (9c7d2b331d35ca6131d9e09e343cc8337d4cfc09) - thanks @​AlejandroRM-DEV!
• Update dependencies (b792c458a146665c17ea7290cae435034b9f3e87)

Release 19.0.2

• Bump engines.node from 20.9 → 20.12 (resolves #1219) (a012da6a2ac442a6000a2908d6418e25720525fc)
• Update dependencies (ebfc5a2a5fc518480910bb628ad7f34f065842b4)

Release 19.0.1

• Don't throw if no config file is found (2cb4a7e414b1ae593d6ea4cb24e508b4e2970826)

Release 19.0.0

• Update dependencies (cbe2fa6a5be2d61533b309b0069a2589c34ca77e)
• v18 → v19 (6f8150a740d5bb4e4d24b1c78f61f244da8afb0d)
• Housekeeping (41dfaaeabc720bf683e4c8daf527db9786a6adfe)

Release 19.0.0-next.5

• feat: use c12 to replace cosmiconfig (#1212) (23272f88f6fc81628f3649f42d96bb9148c65ef7) - thanks @​aa900031!
• Fix lint issues (d585942666d543f956c3c78b88ac35e3374e017b)
• Remove update-notifier (032c993bd288eb82c1fcdf2251820af06defc639)
• globby → tinygobby (048b2f8664b136d49c6cf2a088fc5f241b694ed0)
• execa → tinyexec (27fa5b0853a0cb6bd9b299edaee4f7871b1031a0)

Release 19.0.0-next.4

• fix(json-schema): change addUntrackedFiles to boolean (#1214) (1c5af4012eecf4bcc8a5a6f1857ff02f03125a18) - thanks @​KyleRoss!
• Add double dash to separate paths from git command (resolves #1210) (06bccd79bedc5959adb755b1e2c6db4b100888d5)
• fix: parse boolean values from command line (#1215) (d87fd39a68ea8a789916ae1ba2fe3557c3dd658e) - thanks @​mdvorak!
• Update dependencies (ea3a19356da20acb1e5fb5b181e22d5105018674)

Release 19.0.0-next.3

• Minor refactors (c4ef03b71ad9ce35b6560ce3efc12a3579f331c9)
• Update links in gitlab docs (0750f08b3108d4516841eb43476552168fd8f701)
• Use request.formData (c774a007ea703bc45dbf0386253790651b56e6f4)
• Add mockFetch for more concise mentoss API (ec1065f4294436befe8a63a3c232fc812cc50934)
• Fix up GitLab urls (11dd73d59e9ee1171eabeda7de12ab0bc2c60330)
• chalk → styleText (cab8f969c3598da7694513d4b04b8266cf51a469)
• Single line in release notes (commit.message → commit.subject) (c709d5c6e3e8aec234e623aefa17553eeb066232)
• Update dependencies (83a8d828fb3e2be6a832273d0fa9def623b19764)
• Remove prettier from eslint config (473b2ee2b16b77ec7bae06133de4a7bb92bb3763)
• Fix lint issue (f1865038ccb3f291a127ec33ea0d818802011f4d)

Release 19.0.0-next.2

... (truncated)

Changelog

Sourced from release-it's changelog.

Changelog

This document lists breaking changes for each major release.

See the GitHub Releases page for detailed changelogs: https://github.com/release-it/release-it/releases

v19 (2025-04-18)

• No breaking changes (dependency party)

v18 (2025-01-06)

• Removed support for Node.js v18.

v17 (2023-11-11)

• Removed support for Node.js v16.

v16 (2023-07-05)

• Removed support for Node.js v14.

v15 (2022-04-30)

• Removed support for Node.js v10 and v12.
• Removed support for GitLab v12.4 and lower.
• Removed anonymous metrics (and the option to disable it).
• Programmatic usage and plugins only through ES Module syntax (import)

Use release-it v14 in legacy environments.

v14 (2020-09-03)

• Removed global property from plugins. Use this.config[key] instead.
• Removed deprecated npm.access option. Set this in package.json instead.

v13 (2020-03-07)

• Dropped support for Node v8
• Dropped support for GitLab v11.6 and lower.
• Deprecated scripts are removed (in favor of hooks).
• Removed deprecated --non-interactive (-n) argument. Use --ci instead.
• Removed old %s and [REV_RANGE] syntax in command substitutions. Use ${version} and ${latestTag} instead.

v12 (2019-05-03)

• The --follow-tags argument for git push has been moved to the default configuration. This is only a breaking change if git.pushArgs was not empty (it was empty by default).

... (truncated)

Commits

• 2c87983 Release 19.0.4
• 2195b79 Update dependencies
• 6fc696f fix: set octokit log to {} instead of null (#1237)
• 879a2ef Replace lodash.get with custom get() function and add tests (#1231)
• 183050c Release 19.0.3
• b792c45 Update dependencies
• 9c7d2b3 docs(gitlab): update token scope requirements and default secure setting (#1229)
• 96d8889 Add default timeout (mainly for tests)
• 1604dc7 Minor housekeeping/formatting
• fccdf67 chore: use node's spawn instead of tinyexec dep (#1227)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies, npm. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	chart-csv@​1.0.3
	@​changesets/​changelog-github@​0.4.8
	deploy-to-gh-pages@​1.3.7
	@​commitlint/​cli@​16.3.0
	changelog-machine@​1.1.0
	csvnorm@​1.1.0
	@​cadolabs/​crowdin-cli@​3.0.21
	danger-plugin-spellcheck@​2.1.0
	cost-of-modules@​1.0.1
	@​bitjson/​npm-scripts-info@​1.0.0
	adr-tools@​2.0.4
	check-for-leaks@​1.2.1
	dockerfile_lint@​0.3.4
	alex@​9.1.1
	browser-sync@​2.29.3
	@​changesets/​write@​0.2.3
	all-contributors-cli@​6.26.1
	conventional-changelog-cli@​2.2.2
	@​commitlint/​config-conventional@​16.2.4
	@​changesets/​cli@​2.29.5
	chromatic@​6.24.1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		babel-traverse@6.26.0 has a Critical CVE. CVE: GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code (CRITICAL) Affected versions: >= 0 Patched version: No patched versions From: ? → npm/danger-plugin-spellcheck@2.1.0 → npm/babel-traverse@6.26.0 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/babel-traverse@6.26.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		lodash@2.4.2 has a Critical CVE. CVE: GHSA-jf85-cpcp-j695 Prototype Pollution in lodash (CRITICAL) Affected versions: < 4.17.12 Patched version: 4.17.12 From: ? → npm/dockerfile_lint@0.3.4 → npm/lodash@2.4.2 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash@2.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		lodash@3.10.1 has a Critical CVE. CVE: GHSA-jf85-cpcp-j695 Prototype Pollution in lodash (CRITICAL) Affected versions: < 4.17.12 Patched version: 4.17.12 From: ? → npm/cost-of-modules@1.0.1 → npm/lodash@3.10.1 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash@3.10.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		minimist@1.2.0 has a Critical CVE. CVE: GHSA-xvch-5gv4-984h Prototype Pollution in minimist (CRITICAL) Affected versions: >= 1.0.0 < 1.2.6; < 0.2.4 Patched version: 1.2.6 From: ? → npm/danger-plugin-spellcheck@2.1.0 → npm/minimist@1.2.0 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimist@1.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[dependabot]

Superseded by #3493.