chore(deps): lock file maintenance node dependencies

[ggrossetie]

This PR contains the following updates:

Package	Type	Update	Change
		lockFileMaintenance	All locks refreshed
node (source)	volta	minor	22.21.1 -> 22.22.0
esbuild	devDependencies	patch	0.27.2 -> 0.27.3
bpmn-js	dependencies	minor	18.9.1 -> 18.12.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Release Notes

nodejs/node (node)

v22.22.0: 2026-01-13, Version 22.22.0 'Jod' (LTS), @​marco-ippolito

Compare Source

This is a security release.

Notable Changes

lib:

• (CVE-2025-59465) add TLSSocket default error handler
• (CVE-2025-55132) disable futimes when permission model is enabled
  lib,permission:
• (CVE-2025-55130) require full read and write to symlink APIs
  src:
• (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks
  src,lib:
• (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle
  tls:
• (CVE-2026-21637) route callback exceptions through error handlers

Commits

• [6badf4e6f4] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #​60997
• [37509c3ff0] - deps: update undici to 6.23.0 (Matteo Collina) nodejs-private/node-private#791
• [eb8e41f8db] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• [ebbf942a83] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
• [6b4849583a] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• [ddadc31f09] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
• [d4d9f3915f] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
• [25d6799df6] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

evanw/esbuild (esbuild)

v0.27.3

Compare Source

• Preserve URL fragments in data URLs (#​4370)

  Consider the following HTML, CSS, and SVG:

  • index.html:

    <!DOCTYPE html>
    <html>
      <head><link rel="stylesheet" href="icons.css"></head>
      <body><div class="triangle"></div></body>
    </html>

  • icons.css:

    .triangle {
      width: 10px;
      height: 10px;
      background: currentColor;
      clip-path: url(./triangle.svg#x);
    }

  • triangle.svg:

    <svg xmlns="http://www.w3.org/2000/svg">
      <defs>
        <clipPath id="x">
          <path d="M0 0H10V10Z"/>
        </clipPath>
      </defs>
    </svg>

  The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

  /* icons.css */
  .triangle {
    width: 10px;
    height: 10px;
    background: currentColor;
    clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
  }

• Parse and print CSS @scope rules (#​4322)

  This release includes dedicated support for parsing @scope rules in CSS. These rules include optional "start" and "end" selector lists. One important consequence of this is that the local/global status of names in selector lists is now respected, which improves the correctness of esbuild's support for CSS modules. Minification of selectors inside @scope rules has also improved slightly.

  Here's an example:

  /* Original code */
  @​scope (:global(.foo)) to (:local(.bar)) {
    .bar {
      color: red;
    }
  }
  
  /* Old output (with --loader=local-css --minify) */
  @​scope (:global(.foo)) to (:local(.bar)){.o{color:red}}
  
  /* New output (with --loader=local-css --minify) */
  @​scope(.foo)to (.o){.o{color:red}}

• Fix a minification bug with lowering of for await (#​4378, #​4385)

  This release fixes a bug where the minifier would incorrectly strip the variable in the automatically-generated catch clause of lowered for await loops. The code that generated the loop previously failed to mark the internal variable references as used.

• Update the Go compiler from v1.25.5 to v1.25.7 (#​4383, #​4388)

  This PR was contributed by @​MikeWillCook.

bpmn-io/bpmn-js (bpmn-js)

v18.12.0

Compare Source

• FEAT: activate wheel zoom/scoll on mouseover (#​1008)
• FEAT: prevent keyboard movement for boundary events without host (#​2386)
• FIX: prevent accidental creation of intermediate events during keyboard move (#​1803, #​1876)
• DEPS: update to diagram-js@15.9.0

v18.11.0

Compare Source

• FEAT: add cut action and keyboard shortcut (bpmn-io/diagram-js#1006)
• DEPS: update to diagram-js@15.7.0
• DEPS: update to bpmn-moddle@10.0.0
• DEPS: update to min-dash@5.0.0
• DEPS: update to ids@3.0.0
• DEPS: update to tiny-svg@4.1.4
• DEPS: update to diagram-js-direct-editing@3.3.0
• DEPS: update to min-dom@5.2.0

v18.10.1

Compare Source

• DEPS: update to min-dash@4.2.3
• DEPS: update to tiny-svg@3.1.3

v18.10.0

Compare Source

• FEAT: add ability to duplicate elements (bpmn-io/diagram-js#998)
• DEPS: update to diagram-js@15.5.0

---

Configuration

📅 Schedule: Branch creation - "before 4am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.