Skip to content

Bump the npm_and_yarn group across 1 directory with 6 updates#15

Merged
metaory merged 1 commit into
masterfrom
dependabot/npm_and_yarn/npm_and_yarn-65622dbb2e
May 9, 2026
Merged

Bump the npm_and_yarn group across 1 directory with 6 updates#15
metaory merged 1 commit into
masterfrom
dependabot/npm_and_yarn/npm_and_yarn-65622dbb2e

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 1, 2026

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package From To
vite 7.1.11 7.3.2
minimatch 5.1.6 5.1.9
minimatch 3.1.2 3.1.5
lodash 4.17.23 4.18.1
picomatch 4.0.3 4.0.4
picomatch 2.3.1 2.3.2
postcss 8.5.6 8.5.13
rollup 4.46.2 4.60.2
rollup 2.79.2 2.80.0

Updates vite from 7.1.11 to 7.3.2

Release notes

Sourced from vite's releases.

v7.3.2

Please refer to CHANGELOG.md for details.

v7.3.1

Please refer to CHANGELOG.md for details.

v7.3.0

Please refer to CHANGELOG.md for details.

v7.2.7

Please refer to CHANGELOG.md for details.

v7.2.6

Please refer to CHANGELOG.md for details.

v7.2.5

Please refer to CHANGELOG.md for details.

Note: 7.2.5 failed to publish so it is skipped on npm

v7.2.4

Please refer to CHANGELOG.md for details.

v7.2.3

Please refer to CHANGELOG.md for details.

v7.2.2

Please refer to CHANGELOG.md for details.

plugin-legacy@7.2.1

Please refer to CHANGELOG.md for details.

v7.2.1

Please refer to CHANGELOG.md for details.

plugin-legacy@7.2.0

Please refer to CHANGELOG.md for details.

v7.2.0

Please refer to CHANGELOG.md for details.

v7.2.0-beta.1

Please refer to CHANGELOG.md for details.

v7.2.0-beta.0

Please refer to CHANGELOG.md for details.

v7.1.12

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.2 (2026-04-06)

Bug Fixes

7.3.1 (2026-01-07)

Features

  • add ignoreOutdatedRequests option to optimizeDeps (#21364) (9d39d37)

7.3.0 (2025-12-15)

Features

  • deps: update esbuild from ^0.25.0 to ^0.27.0 (#21183) (cff26ec)

7.2.7 (2025-12-08)

Bug Fixes

7.2.6 (2025-12-01)

7.2.5 (2025-12-01)

Bug Fixes

Performance Improvements

Documentation

  • clarify manifest.json imports field is JS chunks only (#21136) (46d3077)

Miscellaneous Chores

7.2.4 (2025-11-20)

Bug Fixes

  • revert "perf(deps): replace debug with obug (#21107)" (2d66b7b)

7.2.3 (2025-11-20)

... (truncated)

Commits

Updates minimatch from 5.1.6 to 5.1.9

Commits

Updates minimatch from 3.1.2 to 3.1.5

Commits

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

Updates postcss from 8.5.6 to 8.5.13

Release notes

Sourced from postcss's releases.

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).
Changelog

Sourced from postcss's changelog.

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).
Commits

Updates rollup from 4.46.2 to 4.60.2

Release notes

Sourced from rollup's releases.

v4.60.2

4.60.2

2026-04-18

Bug Fixes

  • Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

v4.60.1

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.2

2026-04-18

Bug Fixes

  • Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

4.60.0

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for rollup since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates rollup from 2.79.2 to 2.80.0

Release notes

Sourced from rollup's releases.

v4.60.2

4.60.2

2026-04-18

Bug Fixes

  • Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

v4.60.1

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.2

2026-04-18

Bug Fixes

  • Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

4.60.0

... (truncated)

Description has been truncated

@dependabot
Bump the npm_and_yarn group across 1 directory with 6 updates
094d0b9 
Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.1.11` | `7.3.2` |
| [minimatch](https://github.com/isaacs/minimatch) | `5.1.6` | `5.1.9` |
| [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` |
| [lodash](https://github.com/lodash/lodash) | `4.17.23` | `4.18.1` |
| [picomatch](https://github.com/micromatch/picomatch) | `4.0.3` | `4.0.4` |
| [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` |
| [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.13` |
| [rollup](https://github.com/rollup/rollup) | `4.46.2` | `4.60.2` |
| [rollup](https://github.com/rollup/rollup) | `2.79.2` | `2.80.0` |



Updates `vite` from 7.1.11 to 7.3.2
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite)

Updates `minimatch` from 5.1.6 to 5.1.9
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v5.1.6...v5.1.9)

Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v5.1.6...v5.1.9)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `picomatch` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@4.0.3...4.0.4)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@4.0.3...4.0.4)

Updates `postcss` from 8.5.6 to 8.5.13
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.6...8.5.13)

Updates `rollup` from 4.46.2 to 4.60.2
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.46.2...v4.60.2)

Updates `rollup` from 2.79.2 to 2.80.0
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.46.2...v4.60.2)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 7.3.2
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 5.1.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 4.60.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 2.80.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 1, 2026
@vercel
Copy link
Copy Markdown

vercel Bot commented May 1, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
markon Ready Ready Preview, Comment May 1, 2026 10:09pm

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 1, 2026
@dependabot dependabot Bot mentioned this pull request May 1, 2026
Closed
@metaory metaory merged commit 04a42cc into master May 9, 2026
4 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-65622dbb2e branch May 9, 2026 13:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@metaory