chore(deps): bump liquidjs from 9.6.2 to 10.25.5 in /packages/shopify

[dependabot]

Bumps liquidjs from 9.6.2 to 10.25.5.

Release notes

Sourced from liquidjs's releases.

v10.25.5

10.25.5 (2026-04-07)

Bug Fixes

• enforce root containment for renderFile/parseFile lookups (#870) (f41c1fc)
• null date should return empty (#868) (#872) (4f9a499)
• rounding negative away from zero when half (#873) (1cdf10b)

v10.25.4

10.25.4 (2026-04-07)

Bug Fixes

• sort and sort_natural filters bypass ownPropertyOnly (#869) (e743da0)

v10.25.3

10.25.3 (2026-04-06)

Bug Fixes

• precise memoryLimit for string replace (abc058b)
• use realpath for fs.contains (#867) (529dd67)

v10.25.2

10.25.2 (2026-03-25)

Bug Fixes

• handle undefined replacement argument in replace filter (#864) (0ad2b11)

v10.25.1

10.25.1 (2026-03-22)

Bug Fixes

• mem limiter for invalid ranges (95ddefc)
• treat args for replace_first as literal (35d5230)

v10.25.0

10.25.0 (2026-03-07)

Bug Fixes

... (truncated)

Changelog

Sourced from liquidjs's changelog.

10.25.5 (2026-04-07)

Bug Fixes

• enforce root containment for renderFile/parseFile lookups (#870) (f41c1fc)
• null date should return empty (#868) (#872) (4f9a499)
• rounding negative away from zero when half (#873) (1cdf10b)

10.25.4 (2026-04-07)

Bug Fixes

• sort and sort_natural filters bypass ownPropertyOnly (#869) (e743da0)

10.25.3 (2026-04-06)

Bug Fixes

• precise memoryLimit for string replace (abc058b)
• use realpath for fs.contains (#867) (529dd67)

10.25.2 (2026-03-25)

Bug Fixes

• handle undefined replacement argument in replace filter (#864) (0ad2b11)

10.25.1 (2026-03-22)

Bug Fixes

• mem limiter for invalid ranges (95ddefc)
• treat args for replace_first as literal (35d5230)

10.25.0 (2026-03-07)

Bug Fixes

• path traversal vulnerability, #851 (#855) (3cd024d)

Features

• export error types, resolving #837 (#840) (71aa1b1)

... (truncated)

Commits

• 4af7be6 chore(release): 10.25.5 [skip ci]
• 05c47da refactor: replace shell scripts with JS for cross-platform support (#875)
• 66011d1 docs: add timbze as a contributor for code (#874)
• 1cdf10b fix: rounding negative away from zero when half (#873)
• 4f9a499 fix: null date should return empty (#868) (#872)
• f41c1fc fix: enforce root containment for renderFile/parseFile lookups (#870)
• db43485 chore(release): 10.25.4 [skip ci]
• e743da0 fix: sort and sort_natural filters bypass ownPropertyOnly (#869)
• 8f69a08 chore(release): 10.25.3 [skip ci]
• 529dd67 fix: use realpath for fs.contains (#867)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for liquidjs since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Note

Medium Risk
Major-version upgrade of liquidjs and its transitive deps may introduce rendering/behavior changes and requires Node >=16, which can break builds or runtime in older environments.

Overview
Updates @builder.io/shopify to use liquidjs 10.25.5 (from 9.6.2) and refreshes package-lock.json accordingly.

The lockfile changes introduce a new transitive dependency on commander and reflect liquidjs's updated engine requirement (Node >=16).

^{Reviewed by Cursor Bugbot for commit d70669d. Bugbot is set up for automated code reviews on this repo. Configure here.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: d70669d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[nx-cloud]

View your CI Pipeline Execution ↗ for commit d70669d

Command	Status	Duration	Result
nx test @e2e/react-native-76-fabric	✅ Succeeded	9m 6s	View ↗
nx test @e2e/qwik-city	✅ Succeeded	8m 7s	View ↗
nx test @snippet/gen1-remix	✅ Succeeded	8m 5s	View ↗
nx test @e2e/angular-17	✅ Succeeded	6m 30s	View ↗
nx test @e2e/nuxt	✅ Succeeded	5m 46s	View ↗
nx test @e2e/angular-19-ssr	✅ Succeeded	5m 25s	View ↗
nx test @e2e/gen1-remix	✅ Succeeded	5m 8s	View ↗
nx test @e2e/angular-17-ssr	✅ Succeeded	5m 22s	View ↗
Additional runs (37)	✅ Succeeded	...	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-04-08 15:35:35 UTC

[cursor]

Cursor Bugbot has reviewed your changes and found 4 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit d70669d. Configure here.}

[cursor]

Expression constructor and value API incompatible with v10

High Severity

The liquidjs major version upgrade (v9 to v10) introduced breaking API changes. The code in packages/shopify/js/index.ts (in condition() and assign()) still uses the old Expression and Context constructor signatures and the .value() method, which will cause runtime crashes.

 

^{Reviewed by Cursor Bugbot for commit d70669d. Configure here.}

[cursor]

ownPropertyOnly default change silently breaks template rendering

Medium Severity

Updating liquidjs to v10 changed the ownPropertyOnly default from false to true. The Liquid instance in packages/shopify/js/index.ts now inherits this new default, preventing templates from accessing prototype-inherited properties on Shopify data objects. This may silently break template rendering.

 

^{Reviewed by Cursor Bugbot for commit d70669d. Configure here.}

[cursor]

evalValueSync no longer accepts Context in v10

High Severity

The liquidjs v10 update changed evalValueSync to expect a plain scope object, not a Context instance. The get() method in packages/shopify/js/index.ts still passes a Context, leading to incorrect variable resolution. This affects ForBlock, FormBlock, and PaginateBlock components that rely on get() for Liquid expression resolution.

 

^{Reviewed by Cursor Bugbot for commit d70669d. Configure here.}

[cursor]

Rollup alias references non-existent dist path in v10

High Severity

This major version bump from liquidjs 9.6.2 to 10.25.5 breaks the build. The rollup.config.js hardcodes an alias to node_modules/liquidjs/dist/liquid.js and declares namedExports for that same path. In v10, this file no longer exists — the dist entry points were renamed to dist/liquid.node.js, dist/liquid.node.mjs, and dist/liquid.browser.mjs. The rollup build will fail because the aliased file cannot be resolved.

 

^{Reviewed by Cursor Bugbot for commit d70669d. Configure here.}