ci(deps): bump the major-updates group across 1 directory with 2 updates

[dependabot]

Bumps the major-updates group with 2 updates in the / directory: typeorm and jscpd.

Updates typeorm from 0.3.30 to 1.0.0

Release notes

Sourced from typeorm's releases.

1.0.0

TypeORM v1.0 is here! 🥳

👉 For a structured walk-through of the changes in v1.0 — breaking changes, new features, security fixes, and the upgrade path from 0.3.x — see the v1.0 Release Notes.

This release includes breaking changes. See the v1.0 Upgrade Guide

What's Changed

• fix: include joined entity primary keys in pagination subquery by @​mag123c in typeorm/typeorm#11669
• feat(postgres): add support for PostgreSQL indices by @​freePixel in typeorm/typeorm#11318
• refactor!: remove legacy expo driver by @​G0maa in typeorm/typeorm#11860
• fix(cockroachdb): preserve structured query results during txn retry replay by @​naorpeled in typeorm/typeorm#11861
• docs: add version dropdown (stable/dev) to master by @​naorpeled in typeorm/typeorm#11862
• docs: link to queryrunner api docs from top level queryrunner page by @​hughrawlinson in typeorm/typeorm#11869
• feat: add error handling and log warning for ormconfig loading failures by @​Cprakhar in typeorm/typeorm#11871
• refactor: remove shajs by @​G0maa in typeorm/typeorm#11864
• ci: setup pnpm by @​alumni in typeorm/typeorm#11881
• chore(docs): move to PNPM by @​naorpeled in typeorm/typeorm#11884
• feat: add better typing for conditions in increment and decrement of EntityManager by @​OSA413 in typeorm/typeorm#11294
• fix: getPendingMigrations unnecessarily creating migrations table by @​pkuczynski in typeorm/typeorm#11672
• fix: copy cordova query rows affected into query result by @​jacobg in typeorm/typeorm#10873
• fix: resolve nameless TableForeignKey on drop foreign key by @​taichunmin in typeorm/typeorm#10744
• feat(docs): add Kapa.ai widget for AI-powered documentation assistance by @​dlhck in typeorm/typeorm#11891
• fix: virtual property handling in schema builder by @​skyran1278 in typeorm/typeorm#11000
• fix(mongo): correctly process embedded arrays of nested documents by @​mciuchitu in typeorm/typeorm#10940
• feat(postgres): use ADD VALUE when changing enum values if possible by @​janzipek in typeorm/typeorm#10956
• test: add mutation testing and mutation score badge by @​OSA413 in typeorm/typeorm#11253
• fix: change import for process dependency by @​yohannpoli in typeorm/typeorm#11248
• chore(tests): adapt Stryker mutator to pnpm and fix markup in README for badges by @​OSA413 in typeorm/typeorm#11893
• chore(tests): send only mutation score to the Stryker dashboard by @​OSA413 in typeorm/typeorm#11895
• fix: fix working with tables with quotes in the names for postgres and cockroachdb by @​iskalyakin in typeorm/typeorm#10993
• refactor: replace uuid with native Crypto API by @​mag123c in typeorm/typeorm#11769
• fix(mysql): getVersion returning undefined for PolarDB-X 2.0 by @​Missna in typeorm/typeorm#11837
• test: align file names by @​gioboa in typeorm/typeorm#11898
• ci: ensure pull request follow conventional commits spec by @​pkuczynski in typeorm/typeorm#11840
• feat(qodo): enable new review experience by @​naorpeled in typeorm/typeorm#11909
• test: modify tests to confirm ON CONFLICT ON CONSTRAINT on PostgreSQL/CockroachDB by @​Cprakhar in typeorm/typeorm#11908
• feat: add support for installing additional postgres extensions by @​Cprakhar in typeorm/typeorm#11888
• feat: add deferrable support to exclusion decorator to mirror unique and index decorators by @​oGAD31 in typeorm/typeorm#11802
• chore(mutation testing): tweak Stryker for lower resource usage and decrease timeout for slow running mutants by @​OSA413 in typeorm/typeorm#11901
• fix: raw select query with correctly ordered selected columns by @​Cprakhar in typeorm/typeorm#11902
• docs: fix typo 'spass' to 'pass' by @​guoxk-me in typeorm/typeorm#11919
• chore: align master with v0.3 by @​gioboa in typeorm/typeorm#11912
• fix: update child's mpath by @​JoseCToscano in typeorm/typeorm#10844
• test: verify column names when using referencedColumnName in composite relations by @​Cprakhar in typeorm/typeorm#11883
• fix: merging into an entity now respects null values by @​knoid in typeorm/typeorm#11154
• fix: handle re-save of postgres geometric types by @​Cprakhar in typeorm/typeorm#11857
• fix(sqlite): handle simple-enum arrays correctly by @​Cprakhar in typeorm/typeorm#11865
• fix: fix up map objects comparison by @​mgohin in typeorm/typeorm#10990
• feat: support INSERT INTO ... SELECT FROM ... in QueryBuilder by @​Cprakhar in typeorm/typeorm#11896

... (truncated)

Changelog

Sourced from typeorm's changelog.

1.0.0 (2026-05-19)

👉 For a structured walk-through of the changes in v1.0 — breaking changes, new features, security fixes, and the upgrade path from 0.3.x — see the v1.0 Release Notes.

The list below is the set of commits between 0.3.30 and 1.0.0 — fixes already shipped on the 0.3.x line are listed under their respective 0.3.x entries below.

• feat!: drop support for node 16 and 18 (#11382) (349d910), closes #11382

Bug Fixes

• cascade: propagate withDeleted to relation-id loader for many-to-many recover (#12287) (cfba9e7)
• cascade: support cascade remove for OneToMany relations with composite PKs (#12286) (09183c8)
• cli: preserve devDependencies needed by init command in published package (#12281) (c3b771c)
• cockroachdb: preserve structured query results during txn retry replay (#11861) (09db48c)
• codemod: apply find-options select/relations rewrites to .exists() too (#12399) (4461063)
• codemod: correct relation-count guidance and flag loadRelationCountAndMap (#12374) (5de5490)
• codemod: cover ColumnMetadata args.options in column option rewrites (#12400) (7a68cf2)
• codemod: exclude type declarations from build (#12292) (4c645f0)
• codemod: handle aliases, quoted keys, and ObjectProperty variants (#12377) (2d15644)
• codemod: handle lock option objects correctly and increase test coverage (#12353) (b871719)
• codemod: handle typeof type queries and use getStringValue consistently (#12379) (dedea37)
• codemod: harden destructure and DI accessor rewrites for connection to dataSource rename (#12398) (057ddbc)
• codemod: harden scope and type-name detection across more AST shapes (#12394) (9d1fd8d)
• codemod: harden scope, idempotency, and import-strip semantics (#12391) (ed5a19b)
• codemod: recognize typeorm deep-path imports (#12382) (a96b097)
• codemod: rename .connection on EntityMetadata, ColumnMetadata, IndexMetadata (#12383) (8a51e30), closes #12249
• codemod: rewrite typeorm re-exports in barrel files (#12373) (25f0b5f)
• codemod: scope v1 transforms to typeorm imports and skip .d.ts files (#12372) (a34fdb2)
• codemod: track DataSource accessor chains for typed-variable renames (#12385) (14a3132)
• copy cordova query rows affected into query result (#10873) (ad22c10)
• disable global order for aggregate functions (#11925) (2efb2a1)
• do not run npm install during CLI init (#12386) (66aa930)
• docs: add lunr as explicit dependency for pnpm strict hoisting (f4d435e)
• docs: align code style (#12081) (5f6eb4c)
• docs: complete Typesense removal missed during cherry-pick (eb7a5b6)
• docs: update docs pnpm lockfile for new dependencies (4123db9)
• eager load relation strategy (#11326) (5797d97)
• enhance upsert functionality for proper sql generation with table alias (#11915) (42ce630)
• expo: auto-load expo-sqlite driver via loadDependencies() (#12363) (212c8ef)
• fix up change detection with date transformer (#11963) (e3e3c97)
• fix up generated query with .update() (#11993) (fe6c072)
• fix up join attributes inside bracket (#11218) (d233daa)
• fix up map objects comparison (#10990) (f66eee7)
• fix up save with eagerly loaded relation (#11975) (f5cea95)
• fix working with tables with quotes in the names for postgres and cockroachdb (#10993) (e5a8afb)
• handle re-save of postgres geometric types (#11857) (65dea3c)
• handle relation ids in nested embedded entities (#11942) (5237bee)
• include joined entity primary keys in pagination subquery (#11669) (4ffe666)
• make shorten method to properly work with camelCase_aliases (#11283) (8a9a376)
• merging into an entity now respects null values (#11154) (1676484)

... (truncated)

Commits

• cf3f13f docs: restyle version dropdown for v1 release (#12514)
• 6997b23 chore: release v1.0.0 (#12510)
• df09802 fix(cockroachdb): adjust join in loadTables to load correct table columns (#1...
• f5cc456 fix(find-options): allow array values in JsonContains (#12420)
• 9440998 fix(mysql)!: use index identifiers instead of raw SQL in QB.useIndex() (#12...
• a4f26af chore(deps): bump the github-actions-official group with 3 updates (#12483)
• ac2ffc6 chore(deps): bump the github-actions-third-party group with 3 updates (#12484)
• 62948a3 revert: fix up limit with joins (#12478)
• c2b788f ci: pin all GitHub Actions to commit SHAs (#12481)
• 9284c16 fix(security): validate limit() in Update/SoftDelete query builders (#12436)
• Additional commits viewable in compare view

Updates jscpd from 4.2.4 to 5.0.4

Release notes

Sourced from jscpd's releases.

Release v5.0.4

New Features

• CLI alignment with jscpd v4: new --absolute, --ignore-case, --formats-exts, --formats-names flags; fixed --threshold, improved --max-size
• Detection and statistics aligned with jscpd for consistent output across Rust and TypeScript versions
• Side-by-side blame comparison in console-full reporter
• Clone list display in console reporter

Bug Fixes

• HTML reporter now outputs jscpd-report.html at the output_dir root
• Resolved all clippy warnings across workspace
• Fixed unique temp dir generation in tests (use as_nanos() instead of subsec_nanos())

Release v4.2.5

Bug Fixes

• JSON reporter duplicate token counts — was always reported as in JSON output; now computed from token positions () (#801).
• Gitignore parent-directory walk — files in parent directories up to the repo root are now read and combined with scan-directory files. Also reads and the global for full parity with Git's ignore resolution (#741).
• Commander v15 migration — CLI option parsing migrated from direct property access (, etc.) to the API required by Commander v8+. The / flag handling was rewritten to use Commander's native negation support instead of inspection.
• Vitest 4.1.0 — bumped from 3.2.4 to address CVE-2026-47429.
• Commander v15 — bumped from v5 to v15, enabling modern Node.js compatibility.
• Pug 3.0.4, node-sarif-builder 4.1.0, nodemon 3.1.14 — dependency bumps for security and compatibility.

Changelog

Sourced from jscpd's changelog.

Changelog

All notable changes to jscpd are documented here. Releases follow Semantic Versioning.

---

4.2.5 — 2026-06-07

Bug Fixes

• JSON reporter duplicate token counts — tokens was always reported as 0 in JSON output; now computed from token positions (end.position - start.position) (#801).
• Gitignore parent-directory walk — .gitignore files in parent directories up to the repo root are now read and combined with scan-directory .gitignore files. Also reads .git/info/exclude and the global core.excludesFile for full parity with Git's ignore resolution (#741).
• Commander v15 migration — CLI option parsing migrated from direct property access (cli.minTokens, etc.) to the cli.opts() API required by Commander v8+. The --no-gitignore / --gitignore flag handling was rewritten to use Commander's native negation support instead of rawArgs inspection.
• Vitest 4.1.0 — bumped from 3.2.4 to address CVE-2026-47429.
• Commander v15 — bumped from v5 to v15, enabling modern Node.js compatibility.
• Pug 3.0.4, node-sarif-builder 4.1.0, nodemon 3.1.14 — dependency bumps for security and compatibility.

---

4.3.0 — 2026-06-04

Breaking Changes

• Reporter trait signature — the Reporter trait method signature has changed from fn report(&self, statistics: &Statistics) to fn report(&self, ctx: &ReportContext). All custom reporter implementations must be updated to access statistics through ctx.statistics.

  Migration example:

  // Before
  impl Reporter for MyReporter {
      fn report(&self, statistics: &Statistics) {
          println!("Total files: {}", statistics.total.sources);
      }
  }
  // After
  impl Reporter for MyReporter {
  fn report(&self, ctx: &ReportContext) {
  println!("Total files: {}", ctx.statistics.total.sources);
  println!("Execution time: {:?}", ctx.duration);
  }
  }

• Console output format — when using the time reporter (--reporters time), timing information is printed to stdout before the primary reporter output. Scripts that parse jscpd console output may need updating to handle the timing line (format: time: 123.456ms for durations < 1000ms, time: 2.34s for durations >= 1000ms).

New Features

• Time reporter — new time reporter that displays execution timing using a decorator pattern. Activated via --reporters time and wraps the default console reporter unless another primary reporter is specified. Timing output format is adaptive: milliseconds for durations under 1 second (e.g., time: 123.456ms), seconds for longer durations (e.g., time: 2.34s). Matches TypeScript jscpd's time reporter behavior for parity.
• CLI short-form aliases — added 11 short-form aliases matching TypeScript jscpd conventions for frequently-used options:
  • -l for --min-lines

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[vineethkrishnan]

Closing this. typeorm ^0.3.30 -> ^1.0.0 is a major bump on the ORM/DB layer, and the app runs migration:run on every boot, so it needs manual migration testing against a real database before we take it. The bundled jscpd 4->5 is dev-only and can come back on its own. Dependabot will re-propose if it regroups.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml