@dependabot dependabot bot commented on behalf of github Sep 30, 2025

Bumps cross-env from 7.0.3 to 10.1.0.

Release notes

Sourced from cross-env's releases.

v10.1.0

10.1.0 (2025-09-29)

Features

  • add support for default value syntax (152ae6a)

For example:

"dev:server": "cross-env wrangler dev --port ${PORT:-8787}",

If PORT is already set, use that value; otherwise fall back to 8787.

Learn more about Shell Parameter Expansion

v10.0.0

10.0.0 (2025-07-25)

TL;DR: You should probably not have to change anything if:

  • You're using a modern maintained version of Node.js (v20+ is tested)
  • You're only using the CLI (most of you are as that's the intended purpose)

In this release (which should have been v8 except I had some issues with automated releases 🙈), I've updated all the things and modernized the package. This happened in #261

Was this needed? Not really, but I just thought it'd be fun to modernize this package.

Here are the highlights of what was done.

  • Replace Jest with Vitest for testing
  • Convert all source files from .js to .ts with proper TypeScript types
  • Use zshy for ESM-only builds (removes CJS support)
  • Adopt @epic-web/config for TypeScript, ESLint, and Prettier
  • Update to Node.js >=20 requirement
  • Remove kcd-scripts dependency
  • Add comprehensive e2e tests with GitHub Actions matrix testing
  • Update GitHub workflow with caching and cross-platform testing
  • Modernize documentation and remove outdated sections
  • Update all dependencies to latest versions
  • Add proper TypeScript declarations and exports

The tool maintains its original functionality while being completely modernized with the latest tooling and best practices.

BREAKING CHANGES

  • This is a major rewrite that changes the module format from CommonJS to ESM-only. The package now requires Node.js >=20 and only exports ESM modules (not relevant in most cases).

Commits

  • 152ae6a feat: add support for default value syntax
  • bd70d1a chore: upgrade zshy
  • 8e0b190 chore(ci): get coverage
  • 8635e80 fix(release): manually release a major version
  • 3a58f22 chore: fix npmrc registry
  • b70bfff chore(ci): add names to steps and workflows
  • cc5759d fix(release): manually release a major version
  • 080a859 chore: remove publish script
  • 31e5bc7 chore(ci): restore built files
  • 81e9c34 chore(ci): add back semantic-release
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
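The `${PORT:-8787}` syntax from the v10.1.0 release notes above, as an added example that is not cross-env's own code: a small expander that follows POSIX shell parameter-expansion semantics for the `:-` and `-` forms (that cross-env matches sh for these two forms is my assumption), exercised against constructed environments.

```javascript
// Added example, not cross-env's implementation. Recognised forms
// (POSIX semantics; assumption: cross-env behaves the same for them):
//   ${NAME:-word}  -> word if NAME is unset OR empty
//   ${NAME-word}   -> word only if NAME is unset
//   ${NAME}        -> value of NAME, or "" if unset

// NAME is a POSIX identifier; `word` may be empty and may not contain `}`.
const PARAM_RE = /\$\{([A-Za-z_][A-Za-z0-9_]*)(?:(:?-)([^}]*))?\}/g;

/**
 * Expand parameter references in `command` using `env`, an explicit
 * object rather than process.env so the result is deterministic and testable.
 */
function expandParams(command, env) {
  return command.replace(PARAM_RE, (_match, name, op, word) => {
    const hasVar = Object.prototype.hasOwnProperty.call(env, name);
    const value = hasVar ? env[name] : undefined;
    if (op === undefined) {
      // Plain ${NAME}: an unset variable expands to the empty string, as in sh.
      return value ?? "";
    }
    // ":-" treats an empty value like an unset one; "-" does not.
    const useDefault =
      op === ":-" ? value === undefined || value === "" : value === undefined;
    return useDefault ? word : value;
  });
}

// The release-notes script, run against constructed environments.
const SCRIPT = "wrangler dev --port ${PORT:-8787}";

function demo() {
  return {
    unset: expandParams(SCRIPT, {}),
    empty: expandParams(SCRIPT, { PORT: "" }),
    set: expandParams(SCRIPT, { PORT: "3000" }),
    // Without the colon an empty PORT is kept, leaving the flag without a value.
    emptyNoColon: expandParams("--port ${PORT-8787}", { PORT: "" }),
  };
}

console.log(demo());
```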

@dependabot dependabot bot added the dependencies and javascript labels Sep 30, 2025
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/cross-env-10.1.0 branch from cf43a26 to 63b0601 October 1, 2025 03:08
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/cross-env-10.1.0 branch from 63b0601 to db249f7 October 1, 2025 03:15
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/cross-env-10.1.0 branch from db249f7 to 1058058 October 1, 2025 03:21
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/cross-env-10.1.0 branch from 1058058 to c42eb86 October 1, 2025 12:38
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/cross-env-10.1.0 branch from c42eb86 to 62d7d08 October 2, 2025 10:40
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/cross-env-10.1.0 branch from 62d7d08 to 8d7574b October 6, 2025 03:07
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/cross-env-10.1.0 branch from 8d7574b to 4a35ae3 October 8, 2025 03:08
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/cross-env-10.1.0 branch from 4a35ae3 to 0af150b October 8, 2025 03:13
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/cross-env-10.1.0 branch from 0af150b to bda1d66 October 10, 2025 03:08
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/cross-env-10.1.0 branch from bda1d66 to 94b6f20 October 10, 2025 03:10
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/cross-env-10.1.0 branch from 94b6f20 to 5f50408 October 10, 2025 03:12
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/cross-env-10.1.0 branch from 5f50408 to db4d83a October 14, 2025 03:09
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/cross-env-10.1.0 branch from db4d83a to 84c5f05 October 16, 2025 03:08
Bumps [cross-env](https://github.com/kentcdodds/cross-env) from 7.0.3 to 10.1.0.
- [Release notes](https://github.com/kentcdodds/cross-env/releases)
- [Changelog](https://github.com/kentcdodds/cross-env/blob/main/CHANGELOG.md)
- [Commits](kentcdodds/cross-env@v7.0.3...v10.1.0)

---
updated-dependencies:
- dependency-name: cross-env
  dependency-version: 10.1.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/cross-env-10.1.0 branch from 84c5f05 to 1edda51 October 16, 2025 13:23

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package                 | Version | Score   | Details       |
|-------------------------|---------|---------|---------------|
| npm/cross-env           | 10.1.0  | 🟢 4.9  | see below     |
| npm/@epic-web/invariant | 1.0.0   | Unknown | Unknown       |

Details for npm/cross-env 10.1.0:

| Check              | Score  | Reason |
|--------------------|--------|--------|
| Maintained         | 🟢 10  | 14 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 |
| Binary-Artifacts   | 🟢 10  | no binaries found in the repo |
| Dangerous-Workflow | 🟢 10  | no dangerous workflow patterns detected |
| Code-Review        | 🟢 3   | Found 11/28 approved changesets -- score normalized to 3 |
| Packaging          | ⚠️ -1  | packaging workflow not detected |
| Pinned-Dependencies| 🟢 4   | dependency not pinned by hash detected -- score normalized to 4 |
| Token-Permissions  | ⚠️ 0   | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | ⚠️ 0   | no effort to earn an OpenSSF best practices badge detected |
| Security-Policy    | ⚠️ 0   | security policy file not detected |
| Fuzzing            | ⚠️ 0   | project is not fuzzed |
| License            | 🟢 10  | license file detected |
| Signed-Releases    | ⚠️ -1  | no releases found |
| Branch-Protection  | ⚠️ -1  | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| SAST               | ⚠️ 0   | SAST tool is not run on all commits -- score normalized to 0 |
| Vulnerabilities    | 🟢 5   | 5 existing vulnerabilities detected |

Scanned Files

  • package.json
  • yarn.lock


🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

| Severity    | Count |
|-------------|-------|
| 🔴 Critical | 0     |
| 🟠 High     | 3     |
| 🟡 Moderate | 5     |
| 🟢 Low      | 4     |

⚠️ Recommended: High severity vulnerabilities should be addressed.

Full audit report

├─ lodash.pick: 4.4.0
│  ├─ ID: 1106907
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: https://github.com/advisories/GHSA-p6mc-m468-83gw
│  ├─ Severity: high
│  ├─ Vulnerable Versions: >=4.0.0 <=4.4.0
│  ├─ Patched Versions: <0.0.0
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: 4.5.0
│  ├─ ID: 1106902
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: https://github.com/advisories/GHSA-35jh-r3h4-6jhm
│  ├─ Severity: high
│  ├─ Vulnerable Versions: <=4.5.0
│  ├─ Patched Versions: <0.0.0
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: 1.0.2
│  ├─ ID: 1095141
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: https://github.com/advisories/GHSA-rp65-9cf3-cjxr
│  ├─ Severity: high
│  ├─ Vulnerable Versions: <2.0.1
│  ├─ Patched Versions: >=2.0.1
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: 2.88.2
│  ├─ ID: 1096727
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: https://github.com/advisories/GHSA-p8p7-x288-28g6
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: <=2.88.2
│  ├─ Patched Versions: <0.0.0
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: 6.0.0
│  ├─ ID: 1105261
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: https://github.com/advisories/GHSA-76p7-773f-r4q5
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: >=6.0.0 <6.0.2
│  ├─ Patched Versions: >=6.0.2
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
├─ tmp: 0.1.0
│  ├─ ID: 1106849
│  ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
│  ├─ URL: https://github.com/advisories/GHSA-52f5-9888-hmc6
│  ├─ Severity: low
│  ├─ Vulnerable Versions: <=0.2.3
│  ├─ Patched Versions: >=0.2.4
│  ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
│  └─ Recommendation: Upgrade to version 0.2.4 or later
│
└─ validator: 13.15.15
   ├─ ID: 1108959
   ├─ Issue: validator.js has a URL validation bypass vulnerability in its isURL function
   ├─ URL: https://github.com/advisories/GHSA-9965-vmph-33xx
   ├─ Severity: moderate
   ├─ Vulnerable Versions: <=13.15.15
   ├─ Patched Versions: <0.0.0
   ├─ Via: validator
   └─ Recommendation: None
