Update Dependencies (February 2026)

[cmoesel]

This PR updates dependency libraries to their latest versions. It also addresses npm audit reported vulnerabilities to the extent possible. Note, however, that some vulnerabilities currently have no available patch releases.

Note that some updated dependencies required corresponding changes to code and/or tests:

• eslint: needed to update eslint config and fix new eslint violations
• prettier: needed to fix new prettier violations
• typescript: needed to fix new typescript compiler violations
• luxon: needed to update fromObject calls to use new function signature
• @lhncbc/ucum-lhc: needed to update or skip tests that used custom UCUM units with spaces

To test: Verify that all tests continue to pass and ensure the library works as it did before. Note that since @lhncbc/ucum-lhc now throws when custom units contain invalid characters, we might see "regressions" when executing CQL that uses invalid custom UCUM units.

Submitter:

• This pull request describes why these changes were made
• Code diff has been done and been reviewed (it does not contain: additional white space, not applicable code changes, debug statements, etc.)
• Tests are included and test edge cases
• Tests have been run locally and pass
• Code coverage has not gone down and all code touched or added is covered.
• Code passes lint and prettier (hint: use npm run test:plus to run tests, lint, and prettier)
• All dependent libraries are appropriately updated or have a corresponding PR related to this change
• cql4browsers.js built with npm run build:browserify if source changed.

Reviewer:

Name: @hossenlopp

• Code is maintainable and reusable, reuses existing code and infrastructure where appropriate, and accomplishes the task’s purpose
• The tests appropriately test the new code, including edge cases
• You have tried to break the code

[codecov-commenter]

Codecov Report

❌ Patch coverage is 89.47368% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.58%. Comparing base (eb9d796) to head (643c359).

Files with missing lines	Patch %	Lines
src/datatypes/datetime.ts	84.61%	0 Missing and 2 partials ⚠️
src/datatypes/clinical.ts	90.90%	1 Missing ⚠️
src/util/util.ts	0.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #356      +/-   ##
==========================================
+ Coverage   87.55%   87.58%   +0.02%     
==========================================
  Files          52       52              
  Lines        4596     4607      +11     
  Branches     1295     1297       +2     
==========================================
+ Hits         4024     4035      +11     
  Misses        359      359              
  Partials      213      213              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cmoesel]

Note that the npm audit failure is expected. There is nothing we can do at the moment.

Also note that although Codecov says 4 lines in my changes are missing coverage, I could only find one line in the report -- and it wasn't new; it was a constructor that used to be all on one line but prettier split it across three. So it doesn't actually represent new or changed code at all.

[hossenlopp]

Looks good and has a completely clean regression run in fqm-e.

[hossenlopp]

Good catch on all of these. They weren't actually doing the assertion before...

[cmoesel]

Thanks. Although chances are pretty good that I'm the one who made the mistakes in the first place!

[cmoesel]

Force-merging this since the npm audit issues are currently not resolvable.