chore(deps): bump the npm_and_yarn group across 1 directory with 24 updates by dependabot[bot] · Pull Request #96 · kir-dev/pek-infinity

dependabot · 2026-06-20T03:32:33Z

Bumps the npm_and_yarn group with 19 updates in the / directory:

Package	From	To
storybook	`10.2.8`	`10.2.10`
vite	`7.3.1`	`7.3.5`
vitest	`4.0.18`	`4.1.0`
brace-expansion	`5.0.2`	`5.0.6`
minimatch	`10.2.0`	`10.2.5`
ajv	`8.17.1`	`8.20.0`
hono	`4.11.9`	`4.12.26`
srvx	`0.9.6`	`0.11.17`
srvx	`0.11.4`	`0.11.17`
nitro	`3.0.1-alpha.1`	`3.0.260610-beta`
@tanstack/start-server-core	`1.159.9`	`1.169.15`
esbuild	`0.25.12`	`0.28.1`
express-rate-limit	`8.2.1`	`8.5.2`
fast-uri	`3.1.0`	`3.1.2`
flatted	`3.3.3`	`3.4.2`
lodash	`4.17.21`	`4.18.1`
qs	`6.14.2`	`6.15.2`
shell-quote	`1.8.3`	`1.8.4`
undici	`7.22.0`	`7.28.0`
ws	`8.18.3`	`8.21.0`

Updates storybook from 10.2.8 to 10.2.10

Release notes

Sourced from storybook's releases.

v10.2.10

10.2.10

Core: Require token for websocket connections - #33820, thanks @ghengeveld!

v10.2.9

10.2.9

Addon-Vitest: Improve config file detection in monorepos - #33814, thanks @valentinpalkovic!

Builder-Vite: Update dependencies react-vite framework - #33810, thanks @valentinpalkovic!

Builder-Vite: Use relative path for mocker entry in production builds - #33792, thanks @DukeDeSouth!

Next.js: Fix Link component override in appDirectory configuration - #31251, thanks @yatishgoel!

Changelog

Sourced from storybook's changelog.

10.2.10

Core: Require token for websocket connections - #33820, thanks @ghengeveld!

10.2.9

Addon-Vitest: Improve config file detection in monorepos - #33814, thanks @valentinpalkovic!

Builder-Vite: Update dependencies react-vite framework - #33810, thanks @valentinpalkovic!

Builder-Vite: Use relative path for mocker entry in production builds - #33792, thanks @DukeDeSouth!

Next.js: Fix Link component override in appDirectory configuration - #31251, thanks @yatishgoel!

Commits

c812573 Bump version from "10.2.9" to "10.2.10" [skip ci]
fd275fb Merge pull request #33820 from storybookjs/harden-websocket-security
4cdde82 Bump version from "10.2.8" to "10.2.9" [skip ci]
See full diff in compare view

Updates vite from 7.3.1 to 7.3.5

Release notes

Sourced from vite's releases.

v7.3.5

Please refer to CHANGELOG.md for details.

v7.3.3

Please refer to CHANGELOG.md for details.

v7.3.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.5 (2026-06-01)

Bug Fixes

backport #22572, reject windows alternate paths (#22574) (8c18556)

deps: backport #22571, reject UNC paths for launch-editor-middleware (#22573) (f20d64b)

Miscellaneous Chores

skip v7.3.4 release (8a6a0c9)

7.3.4 (2026-06-01)

Bug Fixes

backport #22572, reject windows alternate paths (#22574) (8c18556)

deps: backport #22571, reject UNC paths for launch-editor-middleware (#22573) (f20d64b)

7.3.3 (2026-05-07)

Bug Fixes

avoid destructure lowering for newer safari (#22346) (5ab51c0)

7.3.2 (2026-04-06)

Bug Fixes

avoid path traversal with optimize deps sourcemap handler (#22161) (09d8c90)

backport #22159, apply server.fs check to env transport (#22162) (19db0f2)

check server.fs after stripping query as well (#22160) (f8103cc)

Commits

077945c release: v7.3.5
8a6a0c9 chore: skip v7.3.4 release
8c18556 fix: backport #22572, reject windows alternate paths (#22574)
f20d64b fix(deps): backport #22571, reject UNC paths for launch-editor-middleware (#2...
ca31424 release: v7.3.3
5ab51c0 fix: avoid destructure lowering for newer safari (#22346)
cc383e0 release: v7.3.2
09d8c90 fix: avoid path traversal with optimize deps sourcemap handler (#22161)
f8103cc fix: check server.fs after stripping query as well (#22160)
19db0f2 fix: backport #22159, apply server.fs check to env transport (#22162)
See full diff in compare view

Updates vitest from 4.0.18 to 4.1.0

Release notes

Sourced from vitest's releases.

v4.1.0

Vitest 4.1 is out!

This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.

🚀 Features

Return a disposable from doMock() - by @kirkwaiblinger in vitest-dev/vitest#9332 (e3e65)

Added chai style assertions - by @ronnakamoto and @sheremet-va in vitest-dev/vitest#8842 (841df)

Update to sinon/fake-timers v15 and add setTickMode to timer controls - by @atscott and @sheremet-va in vitest-dev/vitest#8726 (4b480)

Expose matcher types - by @sheremet-va in vitest-dev/vitest#9448 (3e4b9)

Add toTestSpecification to reported tasks - by @sheremet-va in vitest-dev/vitest#9464 (1a470)

Show a warning if vi.mock or vi.hoisted are declared outside of top level of the module - by @sheremet-va in vitest-dev/vitest#9387 (5db54)

Track and display expectedly failed tests (.fails) in UI and CLI - by @Copilot, sheremet-va and @sheremet-va in vitest-dev/vitest#9476 (77d75)

Support tags - by @sheremet-va in vitest-dev/vitest#9478 (de7c8)

Implement aroundEach and aroundAll hooks - by @sheremet-va in vitest-dev/vitest#9450 (2a8cb)

Stabilize experimental features - by @sheremet-va in vitest-dev/vitest#9529 (b5fd2)

Accept new or all in --update flag - by @sheremet-va in vitest-dev/vitest#9543 (a5acf)

Support meta in test options - by @sheremet-va in vitest-dev/vitest#9535 (7d622)

Support type inference with a new test.extend syntax - by @sheremet-va in vitest-dev/vitest#9550 (e5385)

Support vite 8 beta, fix type issues in the config with different vite versions - by @sheremet-va in vitest-dev/vitest#9587 (99028)

Add assertion helper to hide internal stack traces - by @hi-ogawa and Claude Opus 4.6 in vitest-dev/vitest#9594 (eeb0a)

Store failure screenshots using artifacts API - by @macarie in vitest-dev/vitest#9588 (24603)

Allow vitest list to statically collect tests instead of running files to collect them - by @sheremet-va in vitest-dev/vitest#9630 (7a8e7)

Add --detect-async-leaks - by @AriPerkkio in vitest-dev/vitest#9528 (c594d)

Implement mockThrow and mockThrowOnce - by @thor-juhasz and @sheremet-va in vitest-dev/vitest#9512 (61917)

Support update: "none" and add docs about snapshots behavior on CI - by @hi-ogawa in vitest-dev/vitest#9700 (05f18)

Support playwright launchOptions with connectOptions - by @hi-ogawa in vitest-dev/vitest#9702 (f0ff1)

Add page/locator.mark API to enhance playwright trace - by @hi-ogawa in vitest-dev/vitest#9652 (d0ee5)

api:

Support tests starting or ending with test in experimental_parseSpecification - by @jgillick and Jeremy Gillick in vitest-dev/vitest#9235 (2f367)

Add filters to createSpecification - by @sheremet-va in vitest-dev/vitest#9336 (c8e6c)

Expose runTestFiles as alternative to runTestSpecifications - by @sheremet-va in vitest-dev/vitest#9443 (43d76)

Add allowWrite and allowExec options to api - by @sheremet-va in vitest-dev/vitest#9350 (20e00)

Allow passing down test cases to toTestSpecification - by @sheremet-va in vitest-dev/vitest#9627 (6f17d)

browser:

Add userEvent.wheel API - by @macarie in vitest-dev/vitest#9188 (66080)

Add filterNode option to prettyDOM for filtering browser assertion error output - by @Copilot, sheremet-va and @sheremet-va in vitest-dev/vitest#9475 (d3220)

Support playwright persistent context - by @hi-ogawa, Claude Opus 4.6 and @sheremet-va in vitest-dev/vitest#9229 (f865d)

Added detailsPanelPosition option and button - by @shairez in vitest-dev/vitest#9525 (c8a31)

Use BlazeDiff instead of pixelmatch - by @macarie in vitest-dev/vitest#9514 (30936)

Add findElement and enable strict mode in webdriverio and preview - by @sheremet-va in vitest-dev/vitest#9677 (c3f37)

cli:

Add @bomb.sh/tab completions - by @AmirSa12 and @sheremet-va in vitest-dev/vitest#8639 (200f3)

coverage:

Support ignore start/stop ignore hints - by @AriPerkkio in vitest-dev/vitest#9204 (e59c9)

Add coverage.changed option to report only changed files - by @kykim00 and @AriPerkkio in vitest-dev/vitest#9521 (1d939)

experimental:

Add onModuleRunner hook to worker.init - by @sheremet-va in vitest-dev/vitest#9286 (e977f)

Option to disable the module runner - by @sheremet-va and @AriPerkkio in vitest-dev/vitest#9210 (9be61)

... (truncated)

Commits

4150b91 chore: release v4.1.0
1de0aa2 fix: correctly identify concurrent test during static analysis (#9846)
c3cac1c fix: use isAgent check, not just TTY, for watch mode (#9841)
eab68ba chore(deps): update all non-major dependencies (#9824)
031f02a fix: allow catch/finally for async assertion (#9827)
3e9e096 feat(reporters): add agent reporter to reduce ai agent token usage (#9779)
0c2c013 chore: release v4.1.0-beta.6
8181e06 fix: hideSkippedTests should not hide test.todo (fix #9562) (#9781)
a8216b0 fix: manual and redirect mock shouldn't load or transform original module...
689a22a fix(browser): types of getCDPSession and cdp() (#9716)
Additional commits viewable in compare view

Updates brace-expansion from 5.0.2 to 5.0.6

Commits

46317b5 5.0.6
c0b095b Merge commit from fork
ec56020 Bump picomatch from 4.0.3 to 4.0.4 (#93)
8793901 5.0.5
9a02af5 Merge commit from fork
daa71bc Bump tar from 7.5.10 to 7.5.11 (#92)
799e5f7 Bump tar from 7.5.9 to 7.5.10 (#90)
012c230 5.0.4
243c491 Fix handling of brackets. Closes #87
609f858 Correct incorrect brace-expansion import (#89)
Additional commits viewable in compare view

Updates minimatch from 10.2.0 to 10.2.5

Commits

693c823 10.2.5
7953af1 do not allow .. to consume drive letter on Windows
1caf918 lint and format
7783ed6 ignore docs
6d9b356 update deps etc
c36addb 10.2.4
26b9002 docs: add warning about ReDoS
3a0d83b fix partial matching of globstar patterns
ea94840 10.2.3
0873fba update deps
Additional commits viewable in compare view

Updates ajv from 8.17.1 to 8.20.0

Release notes

Sourced from ajv's releases.

v8.20.0

What's Changed

fix: add support for node 22/24, drop node 16/21 by @jasoniangreen in ajv-validator/ajv#2580

fix: add ES2022.RegExp for RegExpIndicesArray by @SignpostMarv in ajv-validator/ajv#2604

Full Changelog: ajv-validator/ajv@v8.19.0...v8.20.0

v8.19.0

What's Changed

fix prototype pollution via format keyword using $data ref by @epoberezkin in ajv-validator/ajv#2607

Full Changelog: ajv-validator/ajv@v8.18.0...v8.19.0

v8.18.0

What's Changed

feat: allow tree-shaking by adding "sideEffects": false to package.json by @josdejong in ajv-validator/ajv#2480

fix: #2482 Infinity and NaN serialise to null by @jasoniangreen in ajv-validator/ajv#2487

fix: small grammatical error in managing-schemas.md by @monteiro-renato in ajv-validator/ajv#2508

fix: typos in schema-language.md by @monteiro-renato in ajv-validator/ajv#2507

fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @epoberezkin in ajv-validator/ajv#2586

New Contributors

@josdejong made their first contribution in ajv-validator/ajv#2480

@monteiro-renato made their first contribution in ajv-validator/ajv#2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

Commits

0fba0b8 8.20.0
9caf8d6 fix: add ES2022.RegExp for RegExpIndicesArray; fixes ajv-validator/ajv#2603 (...
2065350 fix: add support for node 22/24, drop node 16/21 (#2580)
154b58d 8.19.0
e8d2bdc test/fix prototype pollution via $data ref with format keyword (#2607)
142ce84 8.18.0
720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
82735a1 fix: typos in schema-language.md (#2507)
b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
Additional commits viewable in compare view

Updates hono from 4.11.9 to 4.12.26

Release notes

Sourced from hono's releases.

v4.12.26

What's Changed

fix(lambda-edge): satisfy Deno lib types for Content-Length body encoding by @yusukebe in honojs/hono#5013

ci: publish to npm from CI with OIDC trusted publishing by @yusukebe in honojs/hono#5028

chore: remove unused devcontainer and gitpod configs by @yusukebe in honojs/hono#5029

chore: replace arg and glob with Bun native APIs in build script by @yusukebe in honojs/hono#5030

Full Changelog: honojs/hono@v4.12.25...v4.12.26

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

v4.12.24

What's Changed

docs(contribution): simplifyAI Usage Policy by @yusukebe in honojs/hono#4972

chore: remove @types/glob by @rtritto in honojs/hono#4978

fix(bearer-auth): mention verifyToken in missing-options error message by @tan7vir in honojs/hono#4987

refactor(language): Test/improve tests on languages middleware by @iNeoO in honojs/hono#4980

fix(utils/ipaddr): expand "::" to eight zero groups by @youcefzemmar in honojs/hono#4973

fix: clean up config files trailing comma, stale excludes, typesVersions gaps, jsr paths by @Mohammad-Faiz-Cloud-Engineer in honojs/hono#4982

refactor(timing): Test/add test for middleware timing by @iNeoO in honojs/hono#4991

fix(utils/ipaddr): render the unspecified address binary as "::" by @sarathfrancis90 in honojs/hono#4998

Full Changelog: honojs/hono@v4.12.23...v4.12.24

v4.12.23

What's Changed

... (truncated)

Commits

27b7992 4.12.26
d29982c chore: replace arg and glob with Bun native APIs in build script
16215d5 chore: remove unused devcontainer and gitpod configs (#5029)
c574cf1 ci: publish to npm from CI with OIDC trusted publishing (#5028)
e50df01 fix(lambda-edge): satisfy Deno lib types for Content-Length body encoding (#5...
fce483e 4.12.25
751ba41 Merge commit from fork
f0b094d Merge commit from fork
fa5f9bf Merge commit from fork
3892a6c Merge commit from fork
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hono since your current version.

Updates srvx from 0.9.6 to 0.11.17

Release notes

Sourced from srvx's releases.

v0.11.17

compare changes

🩹 Fixes

node/web: Forward socket drain and handle aborted signals (#209)

node: Keep body methods working when globalThis.Request is patched (8d91ebe)

node: Deopt FastURL to native parser for fragments and path encode-set chars (d384e41)

📖 Documentation

cli: Document static file serving (#210)

❤️ Contributors

Pooya Parsa (@pi0)

Sébastien Chopin (@atinux)

v0.11.16

compare changes

🩹 Fixes

node: Flatten writeHead headers on Deno (#203)

aws-lambda-streaming: Handle empty body (#205)

node: Do not crash on asterisk-form request targets (#206)

💅 Refactors

node/web: Add new TypeOfService utils to socker impl (945fc17)

❤️ Contributors

Taylor Steele (@taylorfsteele)

Pooya Parsa (@pi0)

KT (@ktKongTong)

v0.11.15

compare changes

🩹 Fixes

node/web: Do not swallow getReader errors (#199)

❤️ Contributors

Joël Charles (@magne4000)

v0.11.14

compare changes

... (truncated)

Changelog

Sourced from srvx's changelog.

v0.11.17

compare changes

🩹 Fixes

node/web: Forward socket drain and handle aborted signals (#209)

node: Keep body methods working when globalThis.Request is patched (8d91ebe)

node: Deopt FastURL to native parser for fragments and path encode-set chars (d384e41)

📖 Documentation

cli: Document static file serving (#210)

🏡 Chore

release: V0.11.16 (f6b6678)

Apply automated updates (0a52dab)

Update deps (6ffee51)

Pin undici to 8.3 (e7d7417)

✅ Tests

Reduce flakiness (9db5d30)

❤️ Contributors

Pooya Parsa (@pi0)

Sébastien Chopin seb@nuxtlabs.com

Pi0x x@pi0.io

v0.11.16

compare changes

🩹 Fixes

node: Flatten writeHead headers on Deno (#203)

aws-lambda-streaming: Handle empty body (#205)

node: Do not crash on asterisk-form request targets (#206)

💅 Refactors

node/web: Add new TypeOfService utils to socker impl (945fc17)

🏡 Chore

Update deps (4a6fcd3)

Update deps (c0acb0f)

Bump deps (c853aa9)

... (truncated)

Commits

e7d7417 chore: pin undici to 8.3
9db5d30 test: reduce flakiness
6ffee51 chore: update deps
d384e41 fix(node): deopt FastURL to native parser for fragments and path encode-set c...
8c07e6e docs(cli): document static file serving (#210)
0a52dab chore: apply automated updates
8d91ebe fix(node): keep body methods working when globalThis.Request is patched
59b1891 fix(node/web): forward socket drain and handle aborted signals (#209)
f6b6678 chore(release): v0.11.16
19efb13 fix(node): do not crash on asterisk-form request targets (#206)
Additional commits viewable in compare view

Updates srvx from 0.11.4 to 0.11.17

Release notes

Sourced from srvx's releases.

v0.11.17

compare changes

🩹 Fixes

node/web: Forward socket drain and handle aborted signals (#209)

node: Keep body methods working when globalThis.Request is patched (8d91ebe)

node: Deopt FastURL to native parser for fragments and path encode-set chars (d384e41)

📖 Documentation

cli: Document static file serving (#210)

❤️ Contributors

Pooya Parsa (@pi0)

Sébastien Chopin (@atinux)

v0.11.16

compare changes

🩹 Fixes

node: Flatten writeHead headers on Deno (#203)

aws-lambda-streaming: Handle empty body (#205)

node: Do not crash on asterisk-form request targets (#206)

💅 Refactors

node/web: Add new TypeOfService utils to socker impl (945fc17)

❤️ Contributors

Taylor Steele (@taylorfsteele)

Pooya Parsa (@pi0)

KT (@ktKongTong)

v0.11.15

compare changes

🩹 Fixes

node/web: Do not swallow getReader errors (#199)

❤️ Contributors

Joël Charles (@magne4000)

v0.11.14

compare changes

... (truncated)

Changelog

Sourced from srvx's changelog.

v0.11.17

compare changes

🩹 Fixes

node/web: Forward socket drain and handle aborted signals (#209)

node: Keep body methods working when globalThis.Request is patched (8d91ebe)

node: Deopt FastURL to native parser for fragments and path encode-set chars (d384e41)

📖 Documentation

cli: Document static file serving (#210)

🏡 Chore

release: V0.11.16 (f6b6678)

Apply automated updates (0a52dab)

Update deps (6ffee51)

Pin undici to 8.3 (e7d7417)

✅ Tests

Reduce flakiness (9db5d30)

❤️ Contributors

Pooya Parsa (@pi0)

Sébastien Chopin seb@nuxtlabs.com

Pi0x x@pi0.io

v0.11.16

compare changes

🩹 Fixes

node: Flatten writeHead headers on Deno (#203)

aws-lambda-streaming: Handle empty body (#205)

node: Do not crash on asterisk-form request targets (#206)

💅 Refactors

node/web: Add new TypeOfService utils to socker impl (945fc17)

🏡 Chore

Update deps (4a6fcd3)

Update deps (c0acb0f)

Bump deps (c853aa9)

... (truncated)

Commits

e7d7417 chore: pin undici to 8.3
9db5d30 test: reduce flakiness
6ffee51 chore: update deps
d384e41 fix(node): deopt FastURL to native parser for fragments and path encode-set c...
8c07e6e docs(cli): document static file serving (#210)
0a52dab chore: apply automated updates
8d91ebe fix(node): keep body methods working when globalThis.Request is patched
59b1891 fix(node/web): forward socket drain and handle aborted signals (#209)
f6b6678 chore(release): v0.11.16
19efb13 fix(node): do not crash on asterisk-form request targets (#206)
Additional commits viewable in compare view

Updates nitro from 3.0.1-alpha.1 to 3.0.260610-beta

Release notes

Sourced from nitro's releases.

v3.0.260610-beta

compare changes

🚀 Enhancements

prerender: Run prerenderer in isolate worker (#4326)

vite: Use explicit module graph for service entries (#4327)

Preset Changes

vercel: Support websocket upgrades (internal testing) (#4317)

🩹 Fixes

Try to resolve server entry also from server dir (#4313)

runtime: Avoid std-env in w...
Description has been truncated

…pdates Bumps the npm_and_yarn group with 19 updates in the / directory: | Package | From | To | | --- | --- | --- | | [storybook](https://github.com/storybookjs/storybook/tree/HEAD/code/core) | `10.2.8` | `10.2.10` | | [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.3.1` | `7.3.5` | | [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.18` | `4.1.0` | | [brace-expansion](https://github.com/juliangruber/brace-expansion) | `5.0.2` | `5.0.6` | | [minimatch](https://github.com/isaacs/minimatch) | `10.2.0` | `10.2.5` | | [ajv](https://github.com/ajv-validator/ajv) | `8.17.1` | `8.20.0` | | [hono](https://github.com/honojs/hono) | `4.11.9` | `4.12.26` | | [srvx](https://github.com/h3js/srvx) | `0.9.6` | `0.11.17` | | [srvx](https://github.com/h3js/srvx) | `0.11.4` | `0.11.17` | | [nitro](https://github.com/nitrojs/nitro) | `3.0.1-alpha.1` | `3.0.260610-beta` | | [@tanstack/start-server-core](https://github.com/TanStack/router/tree/HEAD/packages/start-server-core) | `1.159.9` | `1.169.15` | | [esbuild](https://github.com/evanw/esbuild) | `0.25.12` | `0.28.1` | | [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) | `8.2.1` | `8.5.2` | | [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.2` | | [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` | | [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` | | [qs](https://github.com/ljharb/qs) | `6.14.2` | `6.15.2` | | [shell-quote](https://github.com/ljharb/shell-quote) | `1.8.3` | `1.8.4` | | [undici](https://github.com/nodejs/undici) | `7.22.0` | `7.28.0` | | [ws](https://github.com/websockets/ws) | `8.18.3` | `8.21.0` | Updates `storybook` from 10.2.8 to 10.2.10 - [Release notes](https://github.com/storybookjs/storybook/releases) - [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md) - [Commits](https://github.com/storybookjs/storybook/commits/v10.2.10/code/core) Updates `vite` from 7.3.1 to 7.3.5 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.5/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.5/packages/vite) Updates `vitest` from 4.0.18 to 4.1.0 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/vitest) Updates `brace-expansion` from 5.0.2 to 5.0.6 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v5.0.2...v5.0.6) Updates `minimatch` from 10.2.0 to 10.2.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v10.2.0...v10.2.5) Updates `ajv` from 8.17.1 to 8.20.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v8.17.1...v8.20.0) Updates `hono` from 4.11.9 to 4.12.26 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.9...v4.12.26) Updates `srvx` from 0.9.6 to 0.11.17 - [Release notes](https://github.com/h3js/srvx/releases) - [Changelog](https://github.com/h3js/srvx/blob/main/CHANGELOG.md) - [Commits](h3js/srvx@v0.9.6...v0.11.17) Updates `srvx` from 0.11.4 to 0.11.17 - [Release notes](https://github.com/h3js/srvx/releases) - [Changelog](https://github.com/h3js/srvx/blob/main/CHANGELOG.md) - [Commits](h3js/srvx@v0.9.6...v0.11.17) Updates `nitro` from 3.0.1-alpha.1 to 3.0.260610-beta - [Release notes](https://github.com/nitrojs/nitro/releases) - [Changelog](https://github.com/nitrojs/nitro/blob/main/changelog.config.ts) - [Commits](nitrojs/nitro@v3.0.1-alpha.1...v3.0.260610-beta) Updates `@tanstack/start-server-core` from 1.159.9 to 1.169.15 - [Release notes](https://github.com/TanStack/router/releases) - [Changelog](https://github.com/TanStack/router/blob/main/packages/start-server-core/CHANGELOG.md) - [Commits](https://github.com/TanStack/router/commits/@tanstack/start-server-core@1.169.15/packages/start-server-core) Updates `defu` from 6.1.4 to 6.1.7 - [Release notes](https://github.com/unjs/defu/releases) - [Changelog](https://github.com/unjs/defu/blob/main/CHANGELOG.md) - [Commits](unjs/defu@v6.1.4...v6.1.7) Updates `effect` from 3.18.4 to 3.20.0 - [Release notes](https://github.com/Effect-TS/effect/releases) - [Changelog](https://github.com/Effect-TS/effect/blob/main/packages/effect/CHANGELOG.md) - [Commits](https://github.com/Effect-TS/effect/commits/effect@3.20.0/packages/effect) Updates `esbuild` from 0.25.12 to 0.28.1 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2025.md) - [Commits](evanw/esbuild@v0.25.12...v0.28.1) Updates `express-rate-limit` from 8.2.1 to 8.5.2 - [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases) - [Commits](express-rate-limit/express-rate-limit@v8.2.1...v8.5.2) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.1.0...v3.1.2) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `h3` from 2.0.1-rc.5 to 2.0.1-rc.22 - [Release notes](https://github.com/h3js/h3/releases) - [Changelog](https://github.com/h3js/h3/blob/main/CHANGELOG.md) - [Commits](h3js/h3@v2.0.1-rc.5...v2.0.1-rc.22) Updates `ip-address` from 10.0.1 to 10.2.0 - [Commits](beaugunderson/ip-address@v10.0.1...v10.2.0) Updates `lodash` from 4.17.21 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.18.1) Updates `qs` from 6.14.2 to 6.15.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.2...v6.15.2) Updates `rollup` from 4.53.2 to 4.62.2 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.53.2...v4.62.2) Updates `shell-quote` from 1.8.3 to 1.8.4 - [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md) - [Commits](ljharb/shell-quote@v1.8.3...v1.8.4) Updates `undici` from 7.22.0 to 7.28.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.22.0...v7.28.0) Updates `ws` from 8.18.3 to 8.21.0 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.18.3...8.21.0) --- updated-dependencies: - dependency-name: storybook dependency-version: 10.2.10 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 7.3.5 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vitest dependency-version: 4.1.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 5.0.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 10.2.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ajv dependency-version: 8.20.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.26 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: srvx dependency-version: 0.11.17 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: srvx dependency-version: 0.11.17 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: nitro dependency-version: 3.0.260610-beta dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@tanstack/start-server-core" dependency-version: 1.169.15 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: defu dependency-version: 6.1.7 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: effect dependency-version: 3.20.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: esbuild dependency-version: 0.28.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: express-rate-limit dependency-version: 8.5.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: h3 dependency-version: 2.0.1-rc.22 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ip-address dependency-version: 10.2.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.62.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: shell-quote dependency-version: 1.8.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 7.28.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ws dependency-version: 8.21.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

vercel · 2026-06-20T03:32:37Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
pek-infinity	Error		Jun 20, 2026 3:32am

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 20, 2026

dependabot Bot mentioned this pull request Jun 20, 2026

chore(deps): bump the npm_and_yarn group across 1 directory with 24 updates #95

Closed

vercel Bot had a problem deploying to Preview June 20, 2026 03:32 Failure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 1 directory with 24 updates#96

chore(deps): bump the npm_and_yarn group across 1 directory with 24 updates#96
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/npm_and_yarn-b721bedd55

dependabot Bot commented on behalf of github Jun 20, 2026

Uh oh!

vercel Bot commented Jun 20, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 20, 2026

v10.2.10

10.2.10

v10.2.9

10.2.9

10.2.10

10.2.9

v7.3.5

v7.3.3

v7.3.2

7.3.5 (2026-06-01)

Bug Fixes

Miscellaneous Chores

7.3.4 (2026-06-01)

Bug Fixes

7.3.3 (2026-05-07)

Bug Fixes

7.3.2 (2026-04-06)

Bug Fixes

v4.1.0

🚀 Features

v8.20.0

What's Changed

v8.19.0

What's Changed

v8.18.0

What's Changed

New Contributors

v4.12.26

What's Changed

v4.12.25

Security fixes

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Path traversal in serve-static on Windows via encoded backslash (%5C)

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

v4.12.24

What's Changed

v4.12.23

What's Changed

v0.11.17

🩹 Fixes

📖 Documentation

❤️ Contributors

v0.11.16

🩹 Fixes

💅 Refactors

❤️ Contributors

v0.11.15

🩹 Fixes

❤️ Contributors

v0.11.14

v0.11.17

🩹 Fixes

📖 Documentation

🏡 Chore

✅ Tests

❤️ Contributors

v0.11.16

🩹 Fixes

💅 Refactors

🏡 Chore

v0.11.17

🩹 Fixes

📖 Documentation

❤️ Contributors

v0.11.16

🩹 Fixes

💅 Refactors

❤️ Contributors

v0.11.15

🩹 Fixes

❤️ Contributors

v0.11.14

v0.11.17

🩹 Fixes

📖 Documentation

🏡 Chore

CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)

AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice

vercel Bot commented Jun 20, 2026 •

edited

Loading