build(deps): Bump jscpd from 4.2.4 to 5.0.5

[dependabot]

Bumps jscpd from 4.2.4 to 5.0.5.

Release notes

Sourced from jscpd's releases.

Release v5.0.4

New Features

• CLI alignment with jscpd v4: new --absolute, --ignore-case, --formats-exts, --formats-names flags; fixed --threshold, improved --max-size
• Detection and statistics aligned with jscpd for consistent output across Rust and TypeScript versions
• Side-by-side blame comparison in console-full reporter
• Clone list display in console reporter

Bug Fixes

• HTML reporter now outputs jscpd-report.html at the output_dir root
• Resolved all clippy warnings across workspace
• Fixed unique temp dir generation in tests (use as_nanos() instead of subsec_nanos())

Release v4.2.5

Bug Fixes

• JSON reporter duplicate token counts — was always reported as in JSON output; now computed from token positions () (#801).
• Gitignore parent-directory walk — files in parent directories up to the repo root are now read and combined with scan-directory files. Also reads and the global for full parity with Git's ignore resolution (#741).
• Commander v15 migration — CLI option parsing migrated from direct property access (, etc.) to the API required by Commander v8+. The / flag handling was rewritten to use Commander's native negation support instead of inspection.
• Vitest 4.1.0 — bumped from 3.2.4 to address CVE-2026-47429.
• Commander v15 — bumped from v5 to v15, enabling modern Node.js compatibility.
• Pug 3.0.4, node-sarif-builder 4.1.0, nodemon 3.1.14 — dependency bumps for security and compatibility.

Changelog

Sourced from jscpd's changelog.

Changelog

All notable changes to jscpd are documented here. Releases follow Semantic Versioning.

---

5.0.9

New Features

• GitHub Action for jscpd (Rust v5) — jscpd-copy-paste-detector action for GitHub Actions Marketplace. Scan your repo for copy/paste in CI with uses: kucherenko/jscpd/.github/workflows/action.yml@v5

Bug Fixes

• Resolve platform binary resolution when cpd is installed as a nested dependency (e.g. in a project's node_modules via a parent package). The runner now correctly locates the platform-specific binary relative to the installed package rather than assuming a top-level install. Fixes #816

---

5.0.8

Bug Fixes

• Prevent mmap exhaustion crashes when scanning repositories with more files than vm.max_map_count (default 131 072 on Linux). The walker previously held a live Mmap per discovered file; each rayon worker now opens and drops its mapping within the processing closure, capping concurrent mappings to the thread-pool size (typically 8–32). Fixes #813
• Fix --pattern not matching relative paths when the scan root is absolute (e.g. CWD). Patterns like src/**/*.ts now match correctly by comparing against both the relative path and the full absolute path, and bare patterns like *.ts gain a **/ prefix to match at any depth. Fixes #811
• Fix trailing-newline off-by-one in line-count filter: files not ending with \n now count the final line correctly

---

5.0.7

Bug Fixes

• Prevent stack overflow when scanning directories containing deeply-nested JS/TS files (e.g. Bun's test/bundler with 320K+ nested for-loops). OXC's recursive-descent parser allocates one stack frame per AST nesting level; pathological inputs now exceed the default 8 MiB thread stack. Fixed by building a local rayon ThreadPool with 64 MiB stacks instead of using the global pool (which silently fails on re-init)
• Default --max-size to 1mb — files exceeding the limit are skipped at walk time, consistent with jscpd v4's maxSize behavior. This prevents OXC from ever seeing megabyte-scale generated files that would overflow the stack
• --workers N now correctly takes effect on every run() call (previously build_global() silently no-op'd after the first invocation)

---

5.0.6

New Features

• v4 config backward compatibility — .jscpd.json fields path, pattern, ignore, and ignorePattern are now read and applied, matching jscpd v4 behavior
• ignore and ignorePattern are now distinct: ignore matches file-level globs, ignorePattern matches code-level regex patterns (previously conflated)
• .jscpd.json path config support — reads scan directories from the path field, resolving relative paths against the config file's directory
• jscpd npm wrapper package — publishes the same Rust binary under the jscpd name on npm with v5.x versioning
• --exit-code now matches v4 behavior: accepts optional integer value (--exit-code exits 1, --exit-code 2 exits 2); --threshold and --exit-code are now independent
• Performance improvements: memory-mapped file I/O (via memmap2) eliminates heap copies of file contents; SIMD-accelerated line counting (via memchr); parallel detection pipeline uses flat_map to avoid intermediate allocations; JS tokenizer no longer clones source strings before parsing (thanks to @​auterium, #808)

Bug Fixes

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

@dependabot merge

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 duplication

Metric	Results
Duplication	0

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes.}

[codacy-production]

Pull Request Overview

This PR upgrades the jscpd dependency from version 4.2.4 to 5.0.5. This is a major version transition that moves the tool to a Rust-based implementation, which may introduce differences in CLI behavior or configuration handling.

While the changes are up to standards according to static analysis, the PR lacks verification tests to ensure that the existing project configuration remains compatible with the new version. This absence of smoke testing for a major infrastructure tool is the primary concern for this update.

About this PR

• The transition to jscpd v5 represents a major architectural change. Although the release notes indicate backward compatibility, the project should verify that the CLI output and configuration parsing have not changed in ways that affect existing workflows.

Test suggestions

• Verify that the jscpd CLI or API still functions correctly with the project's existing configuration files (.jscpd.json).

Prompt proposal for missing tests

Consider implementing these tests if applicable:
1. Verify that the jscpd CLI or API still functions correctly with the project's existing configuration files (.jscpd.json).

_{TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback}