chore: bump @figma/code-connect from 1.4.2 to 1.4.7

[dependabot]

Bumps @figma/code-connect from 1.4.2 to 1.4.7.

Release notes

Sourced from @​figma/code-connect's releases.

Code Connect 1.4.7

Fixed

General

• The --file (-f) option on figma connect publish, unpublish, and parse now accepts multiple files, so you can target several Code Connect files in one command (e.g. figma connect publish --file a.figma.ts b.figma.ts). Previously only a single file path was accepted.
• Tweak retry behavior for publish command to reduce 429s errors
• Shared flags (--verbose, --token, --config, --dir, --file, --out-file, --out-dir, --api-url, --skip-update-check, --exit-on-unreadable-files, --dry-run) now work whether you write them before or after the subcommand name. Previously, only figma connect publish -v toggled verbose mode; figma connect -v publish was silently ignored.

Compose

• Fixed a crash that prevented the Code Connect Gradle plugin from being used with projects on Kotlin 2.3 or newer. The plugin now runs Kotlin source parsing in an isolated worker process, so it no longer ships an embedded Kotlin compiler in the consumer's build environment and cannot conflict with the host project's Kotlin Gradle Plugin across version upgrades.
• Fixed parseCodeConnect / createCodeConnect failing in multi-module Gradle projects when the plugin is applied to more than one subproject. The task now resolves the -PfilePath/-PoutputDir arguments against the root project so every subproject finds the input the CLI wrote at the build root.
• The Code Connect Gradle tasks now work cleanly with Gradle's configuration cache enabled. Previously, enabling --configuration-cache caused an opaque serialization error; the tasks now store and reuse the configuration cache entry as expected.

Code Connect 1.4.5

Fixed

General

• The preview command now prints a clearer single-line message if the preview service is temporarily unavailable, instead of repeating a per-file error.
• figma connect preview now splits requests into smaller chunks when previewing many components at once, so previews of large component libraries no longer fail with “Payload Too Large” errors.

Code Connect 1.4.4

Fixed

General

• Bumped Lodash version from 4.17 to 4.18 to address vulnerability CVE-2021-23337

Storybook

• Storybook files with .ts, .jsx, or .js extensions (e.g. Button.stories.jsx) are now discovered by the CLI. Previously only .stories.tsx files were picked up.

Template files

• --exit-on-unreadable-files is now respected for template files (.figma.ts / .figma.js)
• Fixed batch data not being picked up when rendering Code Connect snippets

Features

General

• Added --force flag to figma connect publish. When Figma already has UI-created Code Connect mappings for one or more nodes, publishing will now show a warning instead of failing silently. Use --force to overwrite those existing mappings with the Code Connect files from your codebase.
• The connect create command can now generates template files.
• Added preview command: you can now run npx figma connect preview {fileUrl} to locally preview a Code Connect file without having to publish it.

Template files

• Added batch template support (.figma.batch.json + .figma.batch.ts). A batch file defines a shared template and an array of component entries, allowing hundreds of similar components (e.g. icons) to be Code Connected without individual template files. Per-entry data is available in the template via figma.batch.

... (truncated)

Changelog

Sourced from @​figma/code-connect's changelog.

Code Connect v1.4.7 (28 May 2026)

Features

General

• The --file (-f) option on figma connect publish, unpublish, and parse now accepts multiple files, so you can target several Code Connect files in one command (e.g. figma connect publish --file a.figma.ts b.figma.ts). Previously only a single file path was accepted.
• Tweak retry behavior for publish command to reduce 429s errors
• Shared flags (--verbose, --token, --config, --dir, --file, --out-file, --out-dir, --api-url, --skip-update-check, --exit-on-unreadable-files, --dry-run) now work whether you write them before or after the subcommand name. Previously, only figma connect publish -v toggled verbose mode; figma connect -v publish was silently ignored.

Compose

• Fixed a crash that prevented the Code Connect Gradle plugin from being used with projects on Kotlin 2.3 or newer. The plugin now runs Kotlin source parsing in an isolated worker process, so it no longer ships an embedded Kotlin compiler in the consumer's build environment and cannot conflict with the host project's Kotlin Gradle Plugin across version upgrades.
• Fixed parseCodeConnect / createCodeConnect failing in multi-module Gradle projects when the plugin is applied to more than one subproject. The task now resolves the -PfilePath/-PoutputDir arguments against the root project so every subproject finds the input the CLI wrote at the build root.
• The Code Connect Gradle tasks now work cleanly with Gradle's configuration cache enabled. Previously, enabling --configuration-cache caused an opaque serialization error; the tasks now store and reuse the configuration cache entry as expected.

Code Connect v1.4.5 (13 May 2026)

Fixed

General

• The preview command now prints a clearer single-line message if the preview service is temporarily unavailable, instead of repeating a per-file error.
• figma connect preview now splits requests into smaller chunks when previewing many components at once, so previews of large component libraries no longer fail with “Payload Too Large” errors.

Code Connect v1.4.4 (22 April 2026)

Fixed

General

• Bumped Lodash version from 4.17 to 4.18 to address vulnerability CVE-2021-23337

Storybook

• Storybook files with .ts, .jsx, or .js extensions (e.g. Button.stories.jsx) are now discovered by the CLI. Previously only .stories.tsx files were picked up.

Template files

• --exit-on-unreadable-files is now respected for template files (.figma.ts / .figma.js)
• Fixed batch data not being picked up when rendering Code Connect snippets

Features

General

• Added --force flag to figma connect publish. When Figma already has UI-created Code Connect mappings for one or more nodes, publishing will now show a warning instead of failing silently. Use --force to overwrite those existing mappings with the Code Connect files from your codebase.
• The connect create command can now generates template files.
• Added preview command: you can now run npx figma connect preview {fileUrl} to locally preview a Code Connect file without having to publish it.

... (truncated)

Commits

• 2071f2d Code Connect v1.4.7
• f04ec24 Code Connect v1.4.6
• 9c3c523 Code Connect v1.4.5
• b858968 Code Connect v1.4.4
• 2404b36 Code Connect v1.4.3
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@figma/code-connect	1.4.7	Unknown	Unknown
npm/brace-expansion	2.1.1	🟢 7.3	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 4 Found 9/22 approved changesets -- score normalized to 4 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Pinned-Dependencies 🟢 10 all dependencies are pinned Maintained 🟢 10 13 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/brace-expansion	5.0.6	🟢 7.3	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 4 Found 9/22 approved changesets -- score normalized to 4 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Pinned-Dependencies 🟢 10 all dependencies are pinned Maintained 🟢 10 13 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/es-object-atoms	1.1.2	Unknown	Unknown
npm/hasown	2.0.4	Unknown	Unknown
npm/lodash	4.18.1	🟢 7.3	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 9 25 out of 26 merged PRs checked by a CI test -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 8 Found 24/30 approved changesets -- score normalized to 8 Contributors 🟢 10 project has 89 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Maintained 🟢 10 12 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities ⚠️ 0 97 existing vulnerabilities detected
npm/minimatch	10.2.5	🟢 6.2	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 0 Found 1/28 approved changesets -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 6 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/string-width	8.2.1	🟢 4	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy 🟢 10 security policy file detected Maintained ⚠️ 2 2 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 2 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 3 Found 9/30 approved changesets -- score normalized to 3 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/tinyglobby	0.2.17	Unknown	Unknown
npm/typescript	6.0.3	🟢 8.1	Details Check Score Reason Maintained 🟢 10 27 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 3 7 existing vulnerabilities detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during GetBranch(release-5.9): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Fuzzing 🟢 10 project is fuzzed CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations
npm/undici	7.27.0	🟢 8.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 Dependency-Update-Tool 🟢 10 update tool detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 8 binaries present in source code CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 License 🟢 10 license file detected SAST 🟢 9 SAST tool detected but not run on all commits Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Fuzzing 🟢 10 project is fuzzed Vulnerabilities 🟢 9 1 existing vulnerabilities detected Packaging 🟢 10 packaging workflow detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 74 contributing companies or organizations
npm/ws	8.21.0	🟢 5.5	Details Check Score Reason Code-Review ⚠️ 0 Found 1/29 approved changesets -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 13 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• pnpm-lock.yaml