Bump the npm_and_yarn group across 1 directory with 4 updates #2

dependabot · 2025-05-05T01:23:13Z

Bumps the npm_and_yarn group with 1 update in the / directory: vitest.

Updates vitest from 2.0.5 to 2.1.9

Release notes

v2.1.9

This release includes security patches for:

Browser mode serves arbitrary files | CVE-2025-24963

Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964

   🐞 Bug Fixes

backport vitest-dev/vitest#7317 to v2 - by @hi-ogawa in vitest-dev/vitest#7318

(backport #7340 to v2) restrict served files from /__screenshot-error - by @hi-ogawa in vitest-dev/vitest#7343

    View changes on GitHub

v2.1.8

   🐞 Bug Fixes

Support Node 21 - by @sheremet-va (92f7a)

    View changes on GitHub

v2.1.7

   🐞 Bug Fixes

Revert support for Vite 6 - by @sheremet-va (fbe5c)

This introduced some breaking changes (vitest-dev/vitest#6992). We will enable support for it later. In the meantime, you can still use pnpm.overrides or yarn resolutions to override the vite version in the vitest package - the APIs are compatible.

    View changes on GitHub

v2.1.6

🚀 Features

Support Vite 6

    View changes on GitHub

v2.1.5

   🐞 Bug Fixes

dangerouslyIgnoreUnhandledErrors without base reporter - by @AriPerkkio in vitest-dev/vitest#6808 (0bf0a)

Capture unhandledRejection even when base reporter is not used - by @AriPerkkio in vitest-dev/vitest#6812 (8878b)

Don't change the working directory when loading workspace projects - by @sheremet-va in vitest-dev/vitest#6811 (f0aea)

Remove sequence.concurrent from the RuntimeConfig type - by @sheremet-va in vitest-dev/vitest#6880 (6af73)

Stop the runner before restarting, restart on workspace config change - by @sheremet-va in vitest-dev/vitest#6859 (b01df)

Don't rerun on Esc or Ctrl-C during watch filter - by @hi-ogawa in vitest-dev/vitest#6895 (98f76)

Print ssrTransform error - by @hi-ogawa in vitest-dev/vitest#6885 (4c96c)

Throw an error and a warning if .poll, .element, .rejects/.resolves, and locator.* weren't awaited - by @sheremet-va in vitest-dev/vitest#6877 (93b67)

browser:

Don't process the default css styles - by @sheremet-va in vitest-dev/vitest#6861 (0d67f)

Support non US key input - by @hi-ogawa in vitest-dev/vitest#6873 (5969d)

... (truncated)

Commits

c9e59a0 chore: release v2.1.9
e0fe1d8 fix: backport #7317 to v2 (#7318)
d69cc75 bump: 2.1.8
92f7a2a fix: support Node 21
81ed45b chore: release v2.1.7
fbe5c39 fix: revert support for Vite 6
b936702 bump: 2.1.6
32f23b9 chore: release v2.1.5
417bdb4 fix(browser): init browsers eagerly when tests are running (#6876)
93b67c2 fix: throw an error and a warning if .poll, .element, .rejects/`.resolv...
Additional commits viewable in compare view

Updates nanoid from 3.3.7 to 3.3.11

Release notes

Sourced from nanoid's releases.

3.3.11

Fixed React Native support.

3.3.10

Fixed React Native support (by @steida).

3.3.9

Reduced npm package size.

Changelog

Sourced from nanoid's changelog.

3.3.11

Fixed React Native support.

3.3.10

Fixed React Native support (by @steida).

3.3.9

Reduced npm package size.

3.3.8

Fixed a way to break Nano ID by passing non-integer size (by @myndzi).

Commits

37289ce Release 3.3.11 version
23690b7 Fix CI
c147962 Fix RN support
a83734e Move to manually ESM/CJS dual package
bb12e8a Release 3.3.10 version
8f44264 Fix Expo support
adf9b0c Release 3.3.9 version
1c6f088 Remove dev file from npm package
3044cd5 Release 3.3.8 version
4fe3495 Update size limit
Additional commits viewable in compare view

Updates rollup from 4.20.0 to 4.40.1

Release notes

Sourced from rollup's releases.

v4.40.1

4.40.1

2025-04-28

Bug Fixes

Limit hash size for asset file names to the supported 21 (#5921)

Do not inline user-defined entry chunks or chunks with explicit file name (#5923)

Avoid top-level-await cycles when non-entry chunks use top-level await (#5930)

Expose package.json via exports (#5931)

Pull Requests

#5921: fix(assetFileNames): reduce max hash size to 21 (@shulaoda)

#5923: fix: generate the separate chunk for the entry module with explicated chunk filename or name (@TrickyPi)

#5926: fix(deps): update rust crate swc_compiler_base to v18 (@renovate[bot])

#5927: fix(deps): lock file maintenance minor/patch updates (@renovate[bot])

#5928: fix(deps): lock file maintenance minor/patch updates (@renovate[bot])

#5930: Avoid chunks TLA dynamic import circular when TLA dynamic import used in non-entry modules (@TrickyPi)

#5931: chore: add new ./package.json entry (@JounQin, @lukastaegert)

#5936: fix(deps): lock file maintenance minor/patch updates (@renovate[bot])

v4.40.0

4.40.0

2025-04-12

Features

Only show eval warnings on first render and only when the call is not tree-shaken (#5892)

Tree-shake non-included dynamic import members when the handler just maps to one named export (#5898)

Bug Fixes

Consider dynamic imports nested within top-level-awaited dynamic import expressions to be awaited as well (#5900)

Fix namespace rendering when tree-shaking is disabled (#5908)

When using multiple transform hook filters, all of them need to be satisfied together (#5909)

Pull Requests

#5892: Warn when eval or namespace calls are rendered, not when they are parsed (@SunsetFi, @lukastaegert)

#5898: feat: treeshake dynamic import chained member expression (@privatenumber, @lukastaegert)

#5900: consider the dynamic import within a TLA call expression as a TLA import (@TrickyPi)

#5904: fix(deps): update swc monorepo (major) (@renovate[bot])

#5905: chore(deps): lock file maintenance minor/patch updates (@renovate[bot])

#5908: Fix treeshake: false breaking destructured namespace imports (@Skn0tt)

#5909: Correct the behavior when multiple transform filter options are specified (@sapphi-red)

#5915: chore(deps): update dependency @types/picomatch to v4 (@renovate[bot])

#5916: fix(deps): update rust crate swc_compiler_base to v17 (@renovate[bot])

... (truncated)

Changelog

Sourced from rollup's changelog.

4.40.1

2025-04-28

Bug Fixes

Limit hash size for asset file names to the supported 21 (#5921)

Do not inline user-defined entry chunks or chunks with explicit file name (#5923)

Avoid top-level-await cycles when non-entry chunks use top-level await (#5930)

Expose package.json via exports (#5931)

Pull Requests

#5921: fix(assetFileNames): reduce max hash size to 21 (@shulaoda)

#5923: fix: generate the separate chunk for the entry module with explicated chunk filename or name (@TrickyPi)

#5926: fix(deps): update rust crate swc_compiler_base to v18 (@renovate[bot])

#5927: fix(deps): lock file maintenance minor/patch updates (@renovate[bot])

#5928: fix(deps): lock file maintenance minor/patch updates (@renovate[bot])

#5930: Avoid chunks TLA dynamic import circular when TLA dynamic import used in non-entry modules (@TrickyPi)

#5931: chore: add new ./package.json entry (@JounQin, @lukastaegert)

#5936: fix(deps): lock file maintenance minor/patch updates (@renovate[bot])

4.40.0

2025-04-12

Features

Only show eval warnings on first render and only when the call is not tree-shaken (#5892)

Tree-shake non-included dynamic import members when the handler just maps to one named export (#5898)

Bug Fixes

Consider dynamic imports nested within top-level-awaited dynamic import expressions to be awaited as well (#5900)

Fix namespace rendering when tree-shaking is disabled (#5908)

When using multiple transform hook filters, all of them need to be satisfied together (#5909)

Pull Requests

#5892: Warn when eval or namespace calls are rendered, not when they are parsed (@SunsetFi, @lukastaegert)

#5898: feat: treeshake dynamic import chained member expression (@privatenumber, @lukastaegert)

#5900: consider the dynamic import within a TLA call expression as a TLA import (@TrickyPi)

#5904: fix(deps): update swc monorepo (major) (@renovate[bot])

#5905: chore(deps): lock file maintenance minor/patch updates (@renovate[bot])

#5908: Fix treeshake: false breaking destructured namespace imports (@Skn0tt)

#5909: Correct the behavior when multiple transform filter options are specified (@sapphi-red)

#5915: chore(deps): update dependency @types/picomatch to v4 (@renovate[bot])

#5916: fix(deps): update rust crate swc_compiler_base to v17 (@renovate[bot])

#5917: chore(deps): lock file maintenance minor/patch updates (@renovate[bot], @lukastaegert)

#5918: chore(deps): update dependency vite to v6.2.6 [security] (@renovate[bot], @lukastaegert)

... (truncated)

Commits

1e6c40f 4.40.1
03f34b0 fix: generate the separate chunk for the entry module with explicated chunk f...
a74916b Avoid chunks TLA dynamic import circular when TLA dynamic import used in non-...
99d4bee chore: add new ./package.json entry (#5931)
8e0d034 fix(assetFileNames): reduce max hash size to 21 (#5921)
7fc5036 fix(deps): lock file maintenance minor/patch updates (#5936)
ec5e45a fix(deps): update rust crate swc_compiler_base to v18 (#5926)
f53d9de fix(deps): lock file maintenance minor/patch updates (#5928)
6a924c0 fix(deps): lock file maintenance minor/patch updates (#5927)
1f2d579 4.40.0
Additional commits viewable in compare view

Updates vite from 5.4.0 to 5.4.19

Release notes

Sourced from vite's releases.

v5.4.19

Please refer to CHANGELOG.md for details.

v5.4.18

Please refer to CHANGELOG.md for details.

v5.4.17

Please refer to CHANGELOG.md for details.

v5.4.16

Please refer to CHANGELOG.md for details.

v5.4.15

Please refer to CHANGELOG.md for details.

v5.4.14

Please refer to CHANGELOG.md for details.

v5.4.13

Please refer to CHANGELOG.md for details.

v5.4.12

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

v5.4.11

Please refer to CHANGELOG.md for details.

v5.4.10

Please refer to CHANGELOG.md for details.

v5.4.9

Please refer to CHANGELOG.md for details.

v5.4.8

Please refer to CHANGELOG.md for details.

v5.4.7

Please refer to CHANGELOG.md for details.

v5.4.6

Please refer to CHANGELOG.md for details.

plugin-legacy@5.4.3

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.19 (2025-04-30)

fix: backport #19965, check static serve file inside sirv (#19966) (766947e), closes #19965 #19966

5.4.18 (2025-04-10)

fix: backport #19830, reject requests with # in request-target (#19831) (823675b), closes #19830 #19831

5.4.17 (2025-04-03)

fix: backport #19782, fs check with svg and relative paths (#19784) (84b2b46), closes #19782 #19784

5.4.16 (2025-03-31)

fix: backport #19761, fs check in transform middleware (#19762) (b627c50), closes #19761 #19762

5.4.15 (2025-03-24)

fix: backport #19702, fs raw query with query separators (#19703) (807d7f0), closes #19702 #19703

5.4.14 (2025-01-21)

fix: preview.allowedHosts with specific values was not respected (#19246) (9df6e6b), closes #19246

fix: allow CORS from loopback addresses by default (#19249) (7d1699c), closes #19249

5.4.13 (2025-01-20)

fix: try parse server.origin URL (#19241) (5946215), closes #19241

5.4.12 (2025-01-20)

fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (9da4abc)

fix!: default server.cors: false to disallow fetching from untrusted origins (dfea38f)

fix: verify token for HMR WebSocket connection (b71a5c8)

chore: add deps update changelog (ecd2375)

... (truncated)

Commits

80a333a release: v5.4.19
766947e fix: backport #19965, check static serve file inside sirv (#19966)
731b77d release: v5.4.18
823675b fix: backport #19830, reject requests with # in request-target (#19831)
0a2518a release: v5.4.17
84b2b46 fix: backport #19782, fs check with svg and relative paths (#19784)
712cb71 release: v5.4.16
b627c50 fix: backport #19761, fs check in transform middleware (#19762)
9b0f4c8 release: v5.4.15
807d7f0 fix: backport #19702, fs raw query with query separators (#19703)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 1 update in the / directory: [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). Updates `vitest` from 2.0.5 to 2.1.9 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v2.1.9/packages/vitest) Updates `nanoid` from 3.3.7 to 3.3.11 - [Release notes](https://github.com/ai/nanoid/releases) - [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md) - [Commits](ai/nanoid@3.3.7...3.3.11) Updates `rollup` from 4.20.0 to 4.40.1 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.20.0...v4.40.1) Updates `vite` from 5.4.0 to 5.4.19 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v5.4.19/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v5.4.19/packages/vite) --- updated-dependencies: - dependency-name: vitest dependency-version: 2.1.9 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: nanoid dependency-version: 3.3.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.40.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 5.4.19 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

socket-security · 2025-05-05T01:23:44Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	rolldown@0.12.2-snapshot-eb78b81-20240812045024 ⏵ 1.0.0-beta.8-commit.bc78fa1	⁺¹⁶		⁺¹
	vitest@2.0.5 ⏵ 2.1.9		⁺⁷⁵

View full report

dependabot · 2025-05-05T02:30:14Z

None of your dependencies match this group anymore, you may need to update your configuration file to remove it or change its rules.

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 5, 2025

dependabot bot closed this May 5, 2025

dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-592e9d5905 branch May 5, 2025 02:30

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the npm_and_yarn group across 1 directory with 4 updates #2

Bump the npm_and_yarn group across 1 directory with 4 updates #2

Uh oh!

dependabot bot commented on behalf of github May 5, 2025 •

edited

Loading

Uh oh!

socket-security bot commented May 5, 2025

Uh oh!

dependabot bot commented on behalf of github May 5, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Bump the npm_and_yarn group across 1 directory with 4 updates #2

Bump the npm_and_yarn group across 1 directory with 4 updates #2

Uh oh!

Conversation

dependabot bot commented on behalf of github May 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v2.1.9

🐞 Bug Fixes

View changes on GitHub

v2.1.8

🐞 Bug Fixes

View changes on GitHub

v2.1.7

🐞 Bug Fixes

View changes on GitHub

v2.1.6

🚀 Features

View changes on GitHub

v2.1.5

🐞 Bug Fixes

3.3.11

3.3.10

3.3.9

3.3.11

3.3.10

3.3.9

3.3.8

v4.40.1

4.40.1

Bug Fixes

Pull Requests

v4.40.0

4.40.0

Features

Bug Fixes

Pull Requests

4.40.1

Bug Fixes

Pull Requests

4.40.0

Features

Bug Fixes

Pull Requests

v5.4.19

v5.4.18

v5.4.17

v5.4.16

v5.4.15

v5.4.14

v5.4.13

v5.4.12

v5.4.11

v5.4.10

v5.4.9

v5.4.8

v5.4.7

v5.4.6

plugin-legacy@5.4.3

5.4.19 (2025-04-30)

5.4.18 (2025-04-10)

5.4.17 (2025-04-03)

5.4.16 (2025-03-31)

5.4.15 (2025-03-24)

5.4.14 (2025-01-21)

5.4.13 (2025-01-20)

5.4.12 (2025-01-20)

Uh oh!

socket-security bot commented May 5, 2025

Uh oh!

dependabot bot commented on behalf of github May 5, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot bot commented on behalf of github May 5, 2025 •

edited

Loading