chore(deps): bump the npm_and_yarn group across 7 directories with 4 updates by dependabot[bot] · Pull Request #136 · chris-c-thomas/LexBuild

dependabot · 2026-06-01T19:29:59Z

Bumps the npm_and_yarn group with 4 updates in the / directory: turbo, vitest, hono and astro.
Bumps the npm_and_yarn group with 1 update in the /packages/cli directory: vitest.
Bumps the npm_and_yarn group with 1 update in the /packages/core directory: vitest.
Bumps the npm_and_yarn group with 1 update in the /packages/ecfr directory: vitest.
Bumps the npm_and_yarn group with 1 update in the /packages/fr directory: vitest.
Bumps the npm_and_yarn group with 1 update in the /packages/mcp directory: vitest.
Bumps the npm_and_yarn group with 1 update in the /packages/usc directory: vitest.

Updates turbo from 2.8.13 to 2.9.14

Release notes

Sourced from turbo's releases.

Turborepo v2.9.14

[!NOTE] This release contains important security fixes.

High:

GHSA-5xc8-49mv-x4mm: Turborepo VSCode Extension command injection

Low:

GHSA-hcf7-66rw-9f5r: Login callback CSRF/session fixation

GHSA-3qcw-2rhx-2726: Unexpected local code execution during Yarn Berry detection

What's Changed

Changelog

release(turborepo): 2.9.12 by @github-actions[bot] in vercel/turborepo#12774

fix: Restore docs mobile menu by @anthonyshew in vercel/turborepo#12782

ci: Use pull_request for PR title linting by @anthonyshew in vercel/turborepo#12787

ci: Scope GitHub Actions caches by branch by @anthonyshew in vercel/turborepo#12788

test: Validate lockfiles without dependency downloads by @anthonyshew in vercel/turborepo#12789

Removed unneeded import form hash creation script in docs by @dancrumb in vercel/turborepo#12799

fix: Validate auth callback state by @anthonyshew in vercel/turborepo#12802

fix: Harden VS Code extension command execution by @anthonyshew in vercel/turborepo#12800

fix: Avoid project-local Yarn during detection by @anthonyshew in vercel/turborepo#12801

chore: Release 2.9.13 by @anthonyshew in vercel/turborepo#12803

New Contributors

@dancrumb made their first contribution in vercel/turborepo#12799

Full Changelog: vercel/turborepo@v2.9.12...v2.9.14

Turborepo v2.9.13-canary.1

What's Changed

Changelog

release(turborepo): 2.9.11-canary.7 by @github-actions[bot] in vercel/turborepo#12768

fix: Allow $TURBO_EXTENDS$ in LSP diagnostics by @anthonyshew in vercel/turborepo#12770

release(turborepo): 2.9.11 by @github-actions[bot] in vercel/turborepo#12771

fix: Allow transit nodes in LSP diagnostics by @anthonyshew in vercel/turborepo#12773

release(turborepo): 2.9.12 by @github-actions[bot] in vercel/turborepo#12774

fix: Restore docs mobile menu by @anthonyshew in vercel/turborepo#12782

ci: Use pull_request for PR title linting by @anthonyshew in vercel/turborepo#12787

ci: Scope GitHub Actions caches by branch by @anthonyshew in vercel/turborepo#12788

test: Validate lockfiles without dependency downloads by @anthonyshew in vercel/turborepo#12789

Removed unneeded import form hash creation script in docs by @dancrumb in vercel/turborepo#12799

fix: Validate auth callback state by @anthonyshew in vercel/turborepo#12802

fix: Harden VS Code extension command execution by @anthonyshew in vercel/turborepo#12800

fix: Avoid project-local Yarn during detection by @anthonyshew in vercel/turborepo#12801

... (truncated)

Commits

fc62fe0 publish 2.9.14 to registry
fb8c9ae chore: Release 2.9.13 (#12803)
e8e629d fix: Avoid project-local Yarn during detection (#12801)
91c90cb fix: Harden VS Code extension command execution (#12800)
84f4508 fix: Validate auth callback state (#12802)
1779ad7 Removed unneeded import form hash creation script in docs (#12799)
71f8c90 test: Validate lockfiles without dependency downloads (#12789)
5fcb960 ci: Scope GitHub Actions caches by branch (#12788)
4cf9fab ci: Use pull_request for PR title linting (#12787)
859c629 fix: Restore docs mobile menu (#12782)
Additional commits viewable in compare view

Updates vitest from 3.2.4 to 4.1.0

Release notes

Sourced from vitest's releases.

v4.1.0

Vitest 4.1 is out!

This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.

🚀 Features

Return a disposable from doMock() - by @kirkwaiblinger in vitest-dev/vitest#9332 (e3e65)

Added chai style assertions - by @ronnakamoto and @sheremet-va in vitest-dev/vitest#8842 (841df)

Update to sinon/fake-timers v15 and add setTickMode to timer controls - by @atscott and @sheremet-va in vitest-dev/vitest#8726 (4b480)

Expose matcher types - by @sheremet-va in vitest-dev/vitest#9448 (3e4b9)

Add toTestSpecification to reported tasks - by @sheremet-va in vitest-dev/vitest#9464 (1a470)

Show a warning if vi.mock or vi.hoisted are declared outside of top level of the module - by @sheremet-va in vitest-dev/vitest#9387 (5db54)

Track and display expectedly failed tests (.fails) in UI and CLI - by @Copilot, sheremet-va and @sheremet-va in vitest-dev/vitest#9476 (77d75)

Support tags - by @sheremet-va in vitest-dev/vitest#9478 (de7c8)

Implement aroundEach and aroundAll hooks - by @sheremet-va in vitest-dev/vitest#9450 (2a8cb)

Stabilize experimental features - by @sheremet-va in vitest-dev/vitest#9529 (b5fd2)

Accept new or all in --update flag - by @sheremet-va in vitest-dev/vitest#9543 (a5acf)

Support meta in test options - by @sheremet-va in vitest-dev/vitest#9535 (7d622)

Support type inference with a new test.extend syntax - by @sheremet-va in vitest-dev/vitest#9550 (e5385)

Support vite 8 beta, fix type issues in the config with different vite versions - by @sheremet-va in vitest-dev/vitest#9587 (99028)

Add assertion helper to hide internal stack traces - by @hi-ogawa and Claude Opus 4.6 in vitest-dev/vitest#9594 (eeb0a)

Store failure screenshots using artifacts API - by @macarie in vitest-dev/vitest#9588 (24603)

Allow vitest list to statically collect tests instead of running files to collect them - by @sheremet-va in vitest-dev/vitest#9630 (7a8e7)

Add --detect-async-leaks - by @AriPerkkio in vitest-dev/vitest#9528 (c594d)

Implement mockThrow and mockThrowOnce - by @thor-juhasz and @sheremet-va in vitest-dev/vitest#9512 (61917)

Support update: "none" and add docs about snapshots behavior on CI - by @hi-ogawa in vitest-dev/vitest#9700 (05f18)

Support playwright launchOptions with connectOptions - by @hi-ogawa in vitest-dev/vitest#9702 (f0ff1)

Add page/locator.mark API to enhance playwright trace - by @hi-ogawa in vitest-dev/vitest#9652 (d0ee5)

api:

Support tests starting or ending with test in experimental_parseSpecification - by @jgillick and Jeremy Gillick in vitest-dev/vitest#9235 (2f367)

Add filters to createSpecification - by @sheremet-va in vitest-dev/vitest#9336 (c8e6c)

Expose runTestFiles as alternative to runTestSpecifications - by @sheremet-va in vitest-dev/vitest#9443 (43d76)

Add allowWrite and allowExec options to api - by @sheremet-va in vitest-dev/vitest#9350 (20e00)

Allow passing down test cases to toTestSpecification - by @sheremet-va in vitest-dev/vitest#9627 (6f17d)

browser:

Add userEvent.wheel API - by @macarie in vitest-dev/vitest#9188 (66080)

Add filterNode option to prettyDOM for filtering browser assertion error output - by @Copilot, sheremet-va and @sheremet-va in vitest-dev/vitest#9475 (d3220)

Support playwright persistent context - by @hi-ogawa, Claude Opus 4.6 and @sheremet-va in vitest-dev/vitest#9229 (f865d)

Added detailsPanelPosition option and button - by @shairez in vitest-dev/vitest#9525 (c8a31)

Use BlazeDiff instead of pixelmatch - by @macarie in vitest-dev/vitest#9514 (30936)

Add findElement and enable strict mode in webdriverio and preview - by @sheremet-va in vitest-dev/vitest#9677 (c3f37)

cli:

Add @bomb.sh/tab completions - by @AmirSa12 and @sheremet-va in vitest-dev/vitest#8639 (200f3)

coverage:

Support ignore start/stop ignore hints - by @AriPerkkio in vitest-dev/vitest#9204 (e59c9)

Add coverage.changed option to report only changed files - by @kykim00 and @AriPerkkio in vitest-dev/vitest#9521 (1d939)

experimental:

Add onModuleRunner hook to worker.init - by @sheremet-va in vitest-dev/vitest#9286 (e977f)

Option to disable the module runner - by @sheremet-va and @AriPerkkio in vitest-dev/vitest#9210 (9be61)

... (truncated)

Commits

4150b91 chore: release v4.1.0
1de0aa2 fix: correctly identify concurrent test during static analysis (#9846)
c3cac1c fix: use isAgent check, not just TTY, for watch mode (#9841)
eab68ba chore(deps): update all non-major dependencies (#9824)
031f02a fix: allow catch/finally for async assertion (#9827)
3e9e096 feat(reporters): add agent reporter to reduce ai agent token usage (#9779)
0c2c013 chore: release v4.1.0-beta.6
8181e06 fix: hideSkippedTests should not hide test.todo (fix #9562) (#9781)
a8216b0 fix: manual and redirect mock shouldn't load or transform original module...
689a22a fix(browser): types of getCDPSession and cdp() (#9716)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.

Updates hono from 4.12.14 to 4.12.18

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

fix(jsx): normalize SVG attributes on the root element by @kfly8 in honojs/hono#4893

fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @yuintei in honojs/hono#4899

fix(cors): make origin optional in CORSOptions by @truffle-dev in honojs/hono#4905

fix(types): propagate middleware response types to app.on overloads by @T4ko0522 in honojs/hono#4906

New Contributors

@kfly8 made their first contribution in honojs/hono#4893

@truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

fix(jwt): support single-line PEM keys by @hiendv in honojs/hono#4889

... (truncated)

Commits

f10dee8 4.12.18
a5bd9eb Merge commit from fork
58d3d3a Merge commit from fork
568c2ec Merge commit from fork
ff2b3d3 4.12.17
52aaaf9 fix(types): propagate middleware response types to app.on overloads (#4906)
76d5589 fix(cors): make origin optional in CORSOptions (#4905)
8f027e5 fix(ssg): add atom+xml and rss+xml to defaultExtensionMap (#4899)
bfba97c fix(jsx): normalize SVG attributes on the <svg> root element (#4893)
90d4182 4.12.16
Additional commits viewable in compare view

Updates astro from 6.1.6 to 6.1.10

Release notes

Sourced from astro's releases.

astro@6.1.10

Patch Changes

#16479 1058428 Thanks @matthewp! - Fixes a spurious [WARN] [content] Content config not loaded warning during astro dev for projects that don't use content collections

#16457 3d82220 Thanks @matthewp! - Hardens server island encryption to prevent encrypted data from one island component being replayed against a different one

#16481 152700e Thanks @matthewp! - Fixes a spurious 404 request for a dev toolbar sourcemap during astro dev caused by the browser mis-resolving a relative sourceMappingURL from the /@id/ URL prefix

#16480 1bcb43b Thanks @matthewp! - Fixes an unnecessary full page reload on first navigation during dev

astro@6.1.9

Patch Changes

#16448 99464ed Thanks @matthewp! - Updates vite, picomatch, and unstorage to latest patch versions

#16422 a3951d7 Thanks @matthewp! - Hardens astro-island export resolution and hydration error handling for malformed component metadata

#16420 e21de1d Thanks @matthewp! - Hardens Astro's error overlay and server logging paths to avoid unsafe HTML insertion and format-string interpolation

#16419 f3485c3 Thanks @matthewp! - Hardens nested object and package metadata lookups to ignore prototype keys in content handling and project scaffolding

#16022 a002540 Thanks @mathieumaf! - Fixes an issue where i18n domains would return 404 when trailingSlash is set to never.

Updated dependencies [99464ed, f3485c3]:

@astrojs/internal-helpers@0.9.0

@astrojs/markdown-remark@7.1.1

astro@6.1.8

Patch Changes

#16367 a6866a7 Thanks @ematipico! - Fixes an issue where build output files could contain special characters (!, ~, {, }) in their names, causing deploy failures on platforms like Netlify.

#16381 217c5b3 Thanks @ematipico! - Slightly improved the performance of the dev server by caching the internal crawling of the dependencies of a project.

#16348 7d26cd7 Thanks @ocavue! - Fixes a bug where emitted assets during a client build would contain always fresh, new hashes in their name. Now the build should be more stable.

#16317 d012bfe Thanks @das-peter! - Fixes a bug where allowedDomains weren't correctly propagated when using the development server.

#16379 5a84551 Thanks @martrapp! - Improves Vue scoped style handling in DEV mode during client router navigation.

#16317 d012bfe Thanks @das-peter! - Adds tests to verify settings are properly propagated when using the development server.

#16282 5b0fdaa Thanks @jmurty! - Fixes build errors on platforms with skew protection enabled (e.g. Vercel, Netlify) for inter-chunk Javascript using dynamic imports

Updated dependencies [e0b240e]:

@astrojs/telemetry@3.3.1

Changelog

Sourced from astro's changelog.

6.1.10

Patch Changes

#16479 1058428 Thanks @matthewp! - Fixes a spurious [WARN] [content] Content config not loaded warning during astro dev for projects that don't use content collections

#16457 3d82220 Thanks @matthewp! - Hardens server island encryption to prevent encrypted data from one island component being replayed against a different one

#16481 152700e Thanks @matthewp! - Fixes a spurious 404 request for a dev toolbar sourcemap during astro dev caused by the browser mis-resolving a relative sourceMappingURL from the /@id/ URL prefix

#16480 1bcb43b Thanks @matthewp! - Fixes an unnecessary full page reload on first navigation during dev

6.1.9

Patch Changes

#16448 99464ed Thanks @matthewp! - Updates vite, picomatch, and unstorage to latest patch versions

#16422 a3951d7 Thanks @matthewp! - Hardens astro-island export resolution and hydration error handling for malformed component metadata

#16420 e21de1d Thanks @matthewp! - Hardens Astro's error overlay and server logging paths to avoid unsafe HTML insertion and format-string interpolation

#16419 f3485c3 Thanks @matthewp! - Hardens nested object and package metadata lookups to ignore prototype keys in content handling and project scaffolding

#16022 a002540 Thanks @mathieumaf! - Fixes an issue where i18n domains would return 404 when trailingSlash is set to never.

Updated dependencies [99464ed, f3485c3]:

@astrojs/internal-helpers@0.9.0

@astrojs/markdown-remark@7.1.1

6.1.8

Patch Changes

#16367 a6866a7 Thanks @ematipico! - Fixes an issue where build output files could contain special characters (!, ~, {, }) in their names, causing deploy failures on platforms like Netlify.

#16381 217c5b3 Thanks @ematipico! - Slightly improved the performance of the dev server by caching the internal crawling of the dependencies of a project.

#16348 7d26cd7 Thanks @ocavue! - Fixes a bug where emitted assets during a client build would contain always fresh, new hashes in their name. Now the build should be more stable.

#16317 d012bfe Thanks @das-peter! - Fixes a bug where allowedDomains weren't correctly propagated when using the development server.

#16379 5a84551 Thanks @martrapp! - Improves Vue scoped style handling in DEV mode during client router navigation.

#16317 d012bfe Thanks @das-peter! - Adds tests to verify settings are properly propagated when using the development server.

#16282 5b0fdaa Thanks @jmurty! - Fixes build errors on platforms with skew protection enabled (e.g. Vercel, Netlify) for inter-chunk Javascript using dynamic imports

Updated dependencies [e0b240e]:

@astrojs/telemetry@3.3.1

... (truncated)

Commits

c1f2e4f [ci] release (#16467)
345fb9e chore: fix flaky dev toolbar render time test (#16500)
5120ecd [ci] format
3d82220 Add AEAD context binding to server island encryption (#16457)
1bcb43b Prebundle dev toolbar entrypoint in client environment (#16480)
93101cc [ci] format
152700e fix: strip sourceMappingURL from dev toolbar entrypoint during dep optimizati...
bc83041 refactor(astro): migrate test utils to typescript (#16492)
5c543c5 refactor(astro): add internal entry points for test (#16473)
1058428 Suppress content config warning for projects without content collections (#16...
Additional commits viewable in compare view

Updates vitest from 3.2.4 to 4.1.0

Release notes

Sourced from vitest's releases.

v4.1.0

Vitest 4.1 is out!

This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.

🚀 Features

Return a disposable from doMock() - by @kirkwaiblinger in vitest-dev/vitest#9332 (e3e65)

Added chai style assertions - by @ronnakamoto and @sheremet-va in vitest-dev/vitest#8842 (841df)

Update to sinon/fake-timers v15 and add setTickMode to timer controls - by @atscott and @sheremet-va in vitest-dev/vitest#8726 (4b480)

Expose matcher types - by @sheremet-va in vitest-dev/vitest#9448 (3e4b9)

Add toTestSpecification to reported tasks - by @sheremet-va in vitest-dev/vitest#9464 (1a470)

Show a warning if vi.mock or vi.hoisted are declared outside of top level of the module - by @sheremet-va in vitest-dev/vitest#9387 (5db54)

Track and display expectedly failed tests (.fails) in UI and CLI - by @Copilot, sheremet-va and @sheremet-va in vitest-dev/vitest#9476 (77d75)

Support tags - by @sheremet-va in vitest-dev/vitest#9478 (de7c8)

Implement aroundEach and aroundAll hooks - by @sheremet-va in vitest-dev/vitest#9450 (2a8cb)

Stabilize experimental features - by @sheremet-va in vitest-dev/vitest#9529 (b5fd2)

Accept new or all in --update flag - by @sheremet-va in vitest-dev/vitest#9543 (a5acf)

Support meta in test options - by @sheremet-va in vitest-dev/vitest#9535 (7d622)

Support type inference with a new test.extend syntax - by @sheremet-va in vitest-dev/vitest#9550 (e5385)

Support vite 8 beta, fix type issues in the config with different vite versions - by @sheremet-va in vitest-dev/vitest#9587 (99028)

Add assertion helper to hide internal stack traces - by @hi-ogawa and Claude Opus 4.6 in vitest-dev/vitest#9594 (eeb0a)

Store failure screenshots using artifacts API - by @macarie in vitest-dev/vitest#9588 (24603)

Allow vitest list to statically collect tests instead of running files to collect them - by @sheremet-va in vitest-dev/vitest#9630 (7a8e7)

Add --detect-async-leaks - by @AriPerkkio in vitest-dev/vitest#9528 (c594d)

Implement mockThrow and mockThrowOnce - by @thor-juhasz and @sheremet-va in vitest-dev/vitest#9512 (61917)

Support update: "none" and add docs about snapshots behavior on CI - by @hi-ogawa in vitest-dev/vitest#9700 (05f18)

Support playwright launchOptions with connectOptions - by @hi-ogawa in vitest-dev/vitest#9702 (f0ff1)

Add page/locator.mark API to enhance playwright trace - by @hi-ogawa in vitest-dev/vitest#9652 (d0ee5)

api:

Support tests starting or ending with test in experimental_parseSpecification - by @jgillick and Jeremy Gillick in vitest-dev/vitest#9235 (2f367)

Add filters to createSpecification - by @sheremet-va in vitest-dev/vitest#9336 (c8e6c)

Expose runTestFiles as alternative to runTestSpecifications - by @sheremet-va in vitest-dev/vitest#9443 (43d76)

Add allowWrite and allowExec options to api - by @sheremet-va in vitest-dev/vitest#9350 (20e00)

Allow passing down test cases to toTestSpecification - by @sheremet-va in vitest-dev/vitest#9627 (6f17d)

browser:

Add userEvent.wheel API - by @macarie in vitest-dev/vitest#9188 (66080)

Add filterNode option to prettyDOM for filtering browser assertion error output - by @Copilot, sheremet-va and @sheremet-va in vitest-dev/vitest#9475 (d3220)
Description has been truncated

…updates Bumps the npm_and_yarn group with 4 updates in the / directory: [turbo](https://github.com/vercel/turborepo), [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest), [hono](https://github.com/honojs/hono) and [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro). Bumps the npm_and_yarn group with 1 update in the /packages/cli directory: [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). Bumps the npm_and_yarn group with 1 update in the /packages/core directory: [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). Bumps the npm_and_yarn group with 1 update in the /packages/ecfr directory: [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). Bumps the npm_and_yarn group with 1 update in the /packages/fr directory: [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). Bumps the npm_and_yarn group with 1 update in the /packages/mcp directory: [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). Bumps the npm_and_yarn group with 1 update in the /packages/usc directory: [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). Updates `turbo` from 2.8.13 to 2.9.14 - [Release notes](https://github.com/vercel/turborepo/releases) - [Changelog](https://github.com/vercel/turborepo/blob/main/RELEASE.md) - [Commits](vercel/turborepo@v2.8.13...v2.9.14) Updates `vitest` from 3.2.4 to 4.1.0 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/vitest) Updates `hono` from 4.12.14 to 4.12.18 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.14...v4.12.18) Updates `astro` from 6.1.6 to 6.1.10 - [Release notes](https://github.com/withastro/astro/releases) - [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md) - [Commits](https://github.com/withastro/astro/commits/astro@6.1.10/packages/astro) Updates `vitest` from 3.2.4 to 4.1.0 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/vitest) Updates `vitest` from 3.2.4 to 4.1.0 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/vitest) Updates `vitest` from 3.2.4 to 4.1.0 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/vitest) Updates `vitest` from 3.2.4 to 4.1.0 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/vitest) Updates `vitest` from 3.2.4 to 4.1.0 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/vitest) Updates `vitest` from 3.2.4 to 4.1.0 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/vitest) --- updated-dependencies: - dependency-name: turbo dependency-version: 2.9.14 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vitest dependency-version: 4.1.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.18 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: astro dependency-version: 6.1.10 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: vitest dependency-version: 4.1.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vitest dependency-version: 4.1.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vitest dependency-version: 4.1.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vitest dependency-version: 4.1.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vitest dependency-version: 4.1.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vitest dependency-version: 4.1.0 dependency-type: direct:development dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

sonarqubecloud · 2026-06-01T19:30:42Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

dependabot · 2026-06-01T21:54:47Z

Superseded by #137.

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 1, 2026

dependabot Bot mentioned this pull request Jun 1, 2026

chore(deps): bump hono from 4.12.14 to 4.12.16 in the npm_and_yarn group across 1 directory #135

Closed

dependabot Bot closed this Jun 1, 2026

dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-ce65116deb branch June 1, 2026 21:54

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 7 directories with 4 updates#136

chore(deps): bump the npm_and_yarn group across 7 directories with 4 updates#136
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-ce65116deb

dependabot Bot commented on behalf of github Jun 1, 2026

Uh oh!

sonarqubecloud Bot commented Jun 1, 2026

Uh oh!

dependabot Bot commented on behalf of github Jun 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 1, 2026

Turborepo v2.9.14

High:

Low:

What's Changed

Changelog

New Contributors

Turborepo v2.9.13-canary.1

What's Changed

Changelog

v4.1.0

🚀 Features

v4.12.18

Security fixes

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

CSS Declaration Injection via Style Object Values in JSX SSR

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

v4.12.17

What's Changed

New Contributors

v4.12.16

Security fixes

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

bodyLimit() can be bypassed for chunked / unknown-length requests

v4.12.15

What's Changed

astro@6.1.10

Patch Changes

astro@6.1.9

Patch Changes

astro@6.1.8

Patch Changes

6.1.10

Patch Changes

6.1.9

Patch Changes

6.1.8

Patch Changes

v4.1.0

🚀 Features

Uh oh!

sonarqubecloud Bot commented Jun 1, 2026

Quality Gate passed

Uh oh!

dependabot Bot commented on behalf of github Jun 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants