Skip to content

chore(deps): Bump the npm_and_yarn group across 2 directories with 14 updates#720

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/npm_and_yarn-768be85acb
Closed

chore(deps): Bump the npm_and_yarn group across 2 directories with 14 updates#720
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/npm_and_yarn-768be85acb

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 2, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 9 updates in the / directory:

Package From To
axios 1.12.2 1.15.0
dompurify 3.3.1 3.4.0
lodash 4.17.23 4.18.1
vue 2.7.16 3.0.0
vite 7.3.1 7.3.2
flatted 3.3.3 3.4.2
immutable 5.1.4 5.1.5
js-yaml 4.1.0 4.1.1
rollup 4.57.0 4.60.2

Bumps the npm_and_yarn group with 7 updates in the /docs directory:

Package From To
vite 7.1.2 7.3.2
mdast-util-to-hast 13.2.0 13.2.1
picomatch 4.0.3 4.0.4
rollup 4.46.2 4.60.2
mermaid 10.9.3 10.9.4
svgo 4.0.0 4.0.1
diff 5.2.0 5.2.2

Updates axios from 1.12.2 to 1.15.0

Release notes

Sourced from axios's releases.

v1.15.0

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

⚠️ Important Changes

  • Deprecation: url.parse() usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)

🔒 Security Fixes

  • Proxy Handling: Fixed a no_proxy hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)
  • Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)

🚀 New Features

  • Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)

🔧 Maintenance & Chores

  • CI Security: Hardened workflow permissions to least privilege, added the zizmor security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)
  • Dependencies: Bumped serialize-javascript, handlebars, picomatch, vite, and denoland/setup-deno to latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)
  • Documentation: Unified docs, improved beforeRedirect credential leakage example, clarified withCredentials/withXSRFToken behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)
  • Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
  • Tests: Added regression coverage for urlencoded Content-Type casing. (#10573)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

v1.14.0

This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.

⚠️ Important Changes

  • Breaking Changes: None identified in this release.
  • Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably proxy-from-env v2 alignment and main entry compatibility fix).

🚀 New Features

  • Runtime Features: No new end-user features were introduced in this release.
  • Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (#7510)

🐛 Bug Fixes

  • Headers: Trim trailing CRLF in normalised header values. (#7456)
  • HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (#7457)
  • Fetch Adapter: Cancel ReadableStream created during request-stream capability probing to prevent async resource leaks. (#7515)
  • Proxy Handling: Fixed env proxy behavior with proxy-from-env v2 usage. (#7499)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.0 - April 7, 2026

This release delivers two critical security patches targeting header injection and SSRF via proxy bypass, adds official runtime support for Deno and Bun, and includes significant CI security hardening.

🔒 Security Fixes

  • Header Injection (CRLF): Rejects any header value containing \r or \n characters to block CRLF injection chains that could be used to exfiltrate cloud metadata (IMDS). Behavior change: headers with CR/LF now throw "Invalid character in header content". (#10660)

  • SSRF via no_proxy Bypass: Introduces a shouldBypassProxy helper that normalises hostnames (strips trailing dots, handles bracketed IPv6) before evaluating no_proxy/NO_PROXY rules, closing a gap that could cause loopback or internal hosts to be inadvertently proxied. (#10661)

🚀 New Features

  • Deno & Bun Runtime Support: Added full smoke test suites for Deno and Bun, with CI workflows that run both runtimes before any release is cut. (#10652)

🐛 Bug Fixes

  • Node.js v22 Compatibility: Replaced deprecated url.parse() calls with the WHATWG URL/URLSearchParams API across examples, sandbox, and tests, eliminating DEP0169 deprecation warnings on Node.js v22+. (#10625)

🔧 Maintenance & Chores

  • CI Security Hardening: Added zizmor GitHub Actions security scanner; switched npm publish to OIDC Trusted Publishing (removing the long-lived NODE_AUTH_TOKEN); pinned all action references to full commit SHAs; narrowed workflow permissions to least privilege; gated the publish step behind a dedicated npm-publish environment; and blocked the sponsor-block workflow from running on forks. (#10618, #10619, #10627, #10637, #10641, #10666)

  • Docs: Clarified HTTP/2 support and the unsupported httpVersion option; added documentation for header case preservation; improved the beforeRedirect example to prevent accidental credential leakage. (#10644, #10654, #10624)

  • Dependencies: Bumped picomatch, handlebars, serialize-javascript, vite (×3), denoland/setup-deno, and 4 additional dev dependencies to latest versions. (#10564, #10565, #10567, #10568, #10572, #10574, #10663, #10664, #10665, #10669, #10670)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog


v1.14.0 - March 27, 2026

This release fixes a security vulnerability in the formidable dependency, resolves a CommonJS compatibility regression, hardens proxy and HTTP/2 handling, and modernises the build and test toolchain.

🔒 Security Fixes

  • Formidable Vulnerability: Upgraded formidable from v2 to v3 to address a reported arbitrary-file vulnerability. Updated test server and assertions to align with the v3 API. (#7533)

🐛 Bug Fixes

... (truncated)

Commits
  • 772a4e5 chore(release): prepare release 1.15.0 (#10671)
  • 4b07137 chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (#10663)
  • 51e57b3 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (#10664)
  • fba1a77 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (#10665)
  • 0bf6e28 chore(deps): bump denoland/setup-deno in the github-actions group (#10669)
  • 8107157 chore(deps-dev): bump the development_dependencies group with 4 updates (#10670)
  • e66530e ci: require npm-publish environment for releases (#10666)
  • 49f23cb chore(sponsor): update sponsor block (#10668)
  • 3631854 fix: unrestricted cloud metadata exfiltration via header injection chain (#10...
  • fb3befb fix: no_proxy hostname normalization bypass leads to ssrf (#10661)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates dompurify from 3.3.1 to 3.4.0

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.0

Most relevant changes:

  • Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
  • Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
  • Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
  • Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
  • Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
  • Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
  • Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth
  • Fixed an issue with USE_PROFILES prototype pollution, thanks @​christos-eth
  • Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @​researchatfluidattacks and others
  • Fixed an issue with closing tags leading to possible mXSS, thanks @​frevadiscor
  • Fixed a problem with the type dentition patcher after Node version bump
  • Fixed freezing BS runs by reducing the tested browsers array
  • Bumped several dependencies where possible
  • Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

DOMPurify 3.3.3

  • Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

DOMPurify 3.3.2

  • Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
  • Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
  • Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
  • Bumped and removed several dependencies, thanks @​Rotzbua
  • Fixed the test suite after bumping dependencies, thanks @​Rotzbua
Commits
  • 5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
  • 8bcbf73 chore: Preparing 3.3.3 release
  • 5faddd6 fix: engine requirement (#1210)
  • 0f91e3a Update README.md
  • d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
  • c3efd48 fix: moved back from jsdom 28 to jsdom 20
  • 988b888 fix: moved back from jsdom 28 to jsdom 20
  • 2726c74 chore: Preparing 3.3.2 release
  • 6202c7e build(deps): bump @​tootallnate/once and jsdom (#1204)
  • 302b51d fix: Expanded the regex ever so slightly to also cover script
  • Additional commits viewable in compare view

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates vue from 2.7.16 to 3.0.0

Changelog

Sourced from vue's changelog.

3.0.0 (2020-09-18)

3.0.0-rc.13 (2020-09-18)

Bug Fixes

  • hmr: make hmr working with class components (#2144) (422f05e)
  • reactivity: avoid length mutating array methods causing infinite updates (#2138) (f316a33), closes #2137
  • suspense: should discard unmount effects of invalidated pending branch (5bfcad1)
  • types: component instance inference without props (#2145) (57bdaa2)

Code Refactoring

Features

  • runtime-core: support using inject() inside props default functions (58c31e3)
  • watch: support dot-delimited path in watch option (1c9a0b3)

BREAKING CHANGES

  • watch APIs now default to use flush: 'pre' instead of flush: 'post'. This change affects watch, watchEffect, the watch component option, and this.$watch. See (49bb447) for more details.

3.0.0-rc.12 (2020-09-16)

Bug Fixes

  • reactivity: effect should only recursively self trigger with explicit options (3810de7), closes #2125
  • runtime-core: ensure root stable fragments inherit elements for moving (bebd44f), closes #2134
  • runtime-core: should still do full traverse of stable fragment children in dev + hmr (dd40ad8)
  • runtime-core/async-component: fix error component when there are no error handlers (c7b4a37), closes #2129
  • types/tsx: optional props from Mixin/Extends are treated as required (#2048) (89e9ab8)

Features

  • compiler-sfc: additionalData support for css preprocessors (#2126) (066d514)

3.0.0-rc.11 (2020-09-15)

... (truncated)

Commits

Updates vite from 7.3.1 to 7.3.2

Release notes

Sourced from vite's releases.

v7.3.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.2 (2026-04-06)

Bug Fixes

Commits

Updates flatted from 3.3.3 to 3.4.2

Commits
  • 3bf0909 3.4.2
  • 885ddcc fix CWE-1321
  • 0bdba70 added flatted-view to the benchmark
  • 2a02dce 3.4.1
  • fba4e8f Merge pull request #89 from WebReflection/python-fix
  • 5fe8648 added "when in Rome" also a test for PHP
  • 53517ad some minor improvement
  • b3e2a0c Fixing recursion issue in Python too
  • c4b46db Add SECURITY.md for security policy and reporting
  • f86d071 Create dependabot.yml for version updates
  • Additional commits viewable in compare view

Updates immutable from 5.1.4 to 5.1.5

Release notes

Sourced from immutable's releases.

v5.1.5

What's Changed

Full Changelog: immutable-js/immutable-js@v5.1.4...v5.1.5

Changelog

Sourced from immutable's changelog.

5.1.5

  • Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable
Commits
  • b37b855 5.1.5
  • 16b3313 Merge commit from fork
  • fd2ef49 fix new proto key injection
  • 6734b7b fix Prototype Pollution in mergeDeep, toJS, etc.
  • 6f772de Merge pull request #2175 from immutable-js/dependabot/npm_and_yarn/rollup-4.59.0
  • 5f3dc61 Bump rollup from 4.34.8 to 4.59.0
  • 049a594 Merge pull request #2173 from immutable-js/dependabot/npm_and_yarn/lodash-4.1...
  • 2481a77 Merge pull request #2172 from mrazauskas/update-tstyche
  • eb04779 Bump lodash from 4.17.21 to 4.17.23
  • b973bf3 format
  • Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates rollup from 4.57.0 to 4.60.2

Release notes

Sourced from rollup's releases.

v4.60.2

4.60.2

2026-04-18

Bug Fixes

  • Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

v4.60.1

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.2

2026-04-18

Bug Fixes

  • Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

4.60.0

... (truncated)

Commits

Updates vite from 7.1.2 to 7.3.2

Release notes

Sourced from Description has been truncated

… updates

Bumps the npm_and_yarn group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [axios](https://github.com/axios/axios) | `1.12.2` | `1.15.0` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.3.1` | `3.4.0` |
| [lodash](https://github.com/lodash/lodash) | `4.17.23` | `4.18.1` |
| [vue](https://github.com/vuejs/core) | `2.7.16` | `3.0.0` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.3.1` | `7.3.2` |
| [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` |
| [immutable](https://github.com/immutable-js/immutable-js) | `5.1.4` | `5.1.5` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` |
| [rollup](https://github.com/rollup/rollup) | `4.57.0` | `4.60.2` |

Bumps the npm_and_yarn group with 7 updates in the /docs directory:

| Package | From | To |
| --- | --- | --- |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.1.2` | `7.3.2` |
| [mdast-util-to-hast](https://github.com/syntax-tree/mdast-util-to-hast) | `13.2.0` | `13.2.1` |
| [picomatch](https://github.com/micromatch/picomatch) | `4.0.3` | `4.0.4` |
| [rollup](https://github.com/rollup/rollup) | `4.46.2` | `4.60.2` |
| [mermaid](https://github.com/mermaid-js/mermaid) | `10.9.3` | `10.9.4` |
| [svgo](https://github.com/svg/svgo) | `4.0.0` | `4.0.1` |
| [diff](https://github.com/kpdecker/jsdiff) | `5.2.0` | `5.2.2` |



Updates `axios` from 1.12.2 to 1.15.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.12.2...v1.15.0)

Updates `dompurify` from 3.3.1 to 3.4.0
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.1...3.4.0)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `vue` from 2.7.16 to 3.0.0
- [Release notes](https://github.com/vuejs/core/releases)
- [Changelog](https://github.com/vuejs/core/blob/v3.0.0/CHANGELOG.md)
- [Commits](https://github.com/vuejs/core/commits/v3.0.0)

Updates `vite` from 7.3.1 to 7.3.2
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite)

Updates `flatted` from 3.3.3 to 3.4.2
- [Commits](WebReflection/flatted@v3.3.3...v3.4.2)

Updates `immutable` from 5.1.4 to 5.1.5
- [Release notes](https://github.com/immutable-js/immutable-js/releases)
- [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md)
- [Commits](immutable-js/immutable-js@v5.1.4...v5.1.5)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `rollup` from 4.57.0 to 4.60.2
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.57.0...v4.60.2)

Updates `vite` from 7.1.2 to 7.3.2
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite)

Updates `mdast-util-to-hast` from 13.2.0 to 13.2.1
- [Release notes](https://github.com/syntax-tree/mdast-util-to-hast/releases)
- [Commits](syntax-tree/mdast-util-to-hast@13.2.0...13.2.1)

Updates `picomatch` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@4.0.3...4.0.4)

Updates `rollup` from 4.46.2 to 4.60.2
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.57.0...v4.60.2)

Updates `mermaid` from 10.9.3 to 10.9.4
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](mermaid-js/mermaid@v10.9.3...v10.9.4)

Updates `svgo` from 4.0.0 to 4.0.1
- [Release notes](https://github.com/svg/svgo/releases)
- [Commits](svg/svgo@v4.0.0...v4.0.1)

Updates `diff` from 5.2.0 to 5.2.2
- [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md)
- [Commits](kpdecker/jsdiff@v5.2.0...v5.2.2)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.4.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vue
  dependency-version: 3.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 7.3.2
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: immutable
  dependency-version: 5.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 4.60.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 7.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: mdast-util-to-hast
  dependency-version: 13.2.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 4.60.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: mermaid
  dependency-version: 10.9.4
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: svgo
  dependency-version: 4.0.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: diff
  dependency-version: 5.2.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 2, 2026
@github-actions
github-actions Bot enabled auto-merge (squash) May 2, 2026 23:17
@sonarqubecloud

sonarqubecloud Bot commented May 2, 2026

Copy link
Copy Markdown

@aaronlippold
aaronlippold temporarily deployed to vulcan-dependabot-npm-a-hfagw2 May 2, 2026 23:19 Inactive
@dependabot @github

dependabot Bot commented on behalf of github May 7, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #723.

@dependabot dependabot Bot closed this May 7, 2026
auto-merge was automatically disabled May 7, 2026 14:39

Pull request was closed

@dependabot
dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-768be85acb branch May 7, 2026 14:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant