chore(deps): bump the npm_and_yarn group across 1 directory with 23 updates by dependabot[bot] · Pull Request #92 · kir-dev/pek-infinity

dependabot · 2026-06-12T20:33:53Z

Bumps the npm_and_yarn group with 18 updates in the / directory:

Package	From	To
storybook	`10.2.8`	`10.2.10`
vite	`7.3.1`	`7.3.2`
vitest	`4.0.18`	`4.1.0`
brace-expansion	`5.0.2`	`5.0.6`
minimatch	`10.2.0`	`10.2.5`
ajv	`8.17.1`	`8.20.0`
hono	`4.11.9`	`4.12.25`
srvx	`0.9.6`	`0.11.16`
srvx	`0.11.4`	`0.11.16`
nitro	`3.0.1-alpha.1`	`3.0.260610-beta`
@tanstack/start-server-core	`1.159.9`	`1.169.14`
express-rate-limit	`8.2.1`	`8.5.2`
fast-uri	`3.1.0`	`3.1.2`
flatted	`3.3.3`	`3.4.2`
lodash	`4.17.21`	`4.18.1`
qs	`6.14.2`	`6.15.2`
shell-quote	`1.8.3`	`1.8.4`
undici	`7.22.0`	`7.27.2`
ws	`8.18.3`	`8.21.0`

Updates storybook from 10.2.8 to 10.2.10

Release notes

Sourced from storybook's releases.

v10.2.10

10.2.10

Core: Require token for websocket connections - #33820, thanks @ghengeveld!

v10.2.9

10.2.9

Addon-Vitest: Improve config file detection in monorepos - #33814, thanks @valentinpalkovic!

Builder-Vite: Update dependencies react-vite framework - #33810, thanks @valentinpalkovic!

Builder-Vite: Use relative path for mocker entry in production builds - #33792, thanks @DukeDeSouth!

Next.js: Fix Link component override in appDirectory configuration - #31251, thanks @yatishgoel!

Changelog

Sourced from storybook's changelog.

10.2.10

Core: Require token for websocket connections - #33820, thanks @ghengeveld!

10.2.9

Addon-Vitest: Improve config file detection in monorepos - #33814, thanks @valentinpalkovic!

Builder-Vite: Update dependencies react-vite framework - #33810, thanks @valentinpalkovic!

Builder-Vite: Use relative path for mocker entry in production builds - #33792, thanks @DukeDeSouth!

Next.js: Fix Link component override in appDirectory configuration - #31251, thanks @yatishgoel!

Commits

c812573 Bump version from "10.2.9" to "10.2.10" [skip ci]
fd275fb Merge pull request #33820 from storybookjs/harden-websocket-security
4cdde82 Bump version from "10.2.8" to "10.2.9" [skip ci]
See full diff in compare view

Updates vite from 7.3.1 to 7.3.2

Release notes

Sourced from vite's releases.

v7.3.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.2 (2026-04-06)

Bug Fixes

avoid path traversal with optimize deps sourcemap handler (#22161) (09d8c90)

backport #22159, apply server.fs check to env transport (#22162) (19db0f2)

check server.fs after stripping query as well (#22160) (f8103cc)

Commits

cc383e0 release: v7.3.2
09d8c90 fix: avoid path traversal with optimize deps sourcemap handler (#22161)
f8103cc fix: check server.fs after stripping query as well (#22160)
19db0f2 fix: backport #22159, apply server.fs check to env transport (#22162)
See full diff in compare view

Updates vitest from 4.0.18 to 4.1.0

Release notes

Sourced from vitest's releases.

v4.1.0

Vitest 4.1 is out!

This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.

🚀 Features

Return a disposable from doMock() - by @kirkwaiblinger in vitest-dev/vitest#9332 (e3e65)

Added chai style assertions - by @ronnakamoto and @sheremet-va in vitest-dev/vitest#8842 (841df)

Update to sinon/fake-timers v15 and add setTickMode to timer controls - by @atscott and @sheremet-va in vitest-dev/vitest#8726 (4b480)

Expose matcher types - by @sheremet-va in vitest-dev/vitest#9448 (3e4b9)

Add toTestSpecification to reported tasks - by @sheremet-va in vitest-dev/vitest#9464 (1a470)

Show a warning if vi.mock or vi.hoisted are declared outside of top level of the module - by @sheremet-va in vitest-dev/vitest#9387 (5db54)

Track and display expectedly failed tests (.fails) in UI and CLI - by @Copilot, sheremet-va and @sheremet-va in vitest-dev/vitest#9476 (77d75)

Support tags - by @sheremet-va in vitest-dev/vitest#9478 (de7c8)

Implement aroundEach and aroundAll hooks - by @sheremet-va in vitest-dev/vitest#9450 (2a8cb)

Stabilize experimental features - by @sheremet-va in vitest-dev/vitest#9529 (b5fd2)

Accept new or all in --update flag - by @sheremet-va in vitest-dev/vitest#9543 (a5acf)

Support meta in test options - by @sheremet-va in vitest-dev/vitest#9535 (7d622)

Support type inference with a new test.extend syntax - by @sheremet-va in vitest-dev/vitest#9550 (e5385)

Support vite 8 beta, fix type issues in the config with different vite versions - by @sheremet-va in vitest-dev/vitest#9587 (99028)

Add assertion helper to hide internal stack traces - by @hi-ogawa and Claude Opus 4.6 in vitest-dev/vitest#9594 (eeb0a)

Store failure screenshots using artifacts API - by @macarie in vitest-dev/vitest#9588 (24603)

Allow vitest list to statically collect tests instead of running files to collect them - by @sheremet-va in vitest-dev/vitest#9630 (7a8e7)

Add --detect-async-leaks - by @AriPerkkio in vitest-dev/vitest#9528 (c594d)

Implement mockThrow and mockThrowOnce - by @thor-juhasz and @sheremet-va in vitest-dev/vitest#9512 (61917)

Support update: "none" and add docs about snapshots behavior on CI - by @hi-ogawa in vitest-dev/vitest#9700 (05f18)

Support playwright launchOptions with connectOptions - by @hi-ogawa in vitest-dev/vitest#9702 (f0ff1)

Add page/locator.mark API to enhance playwright trace - by @hi-ogawa in vitest-dev/vitest#9652 (d0ee5)

api:

Support tests starting or ending with test in experimental_parseSpecification - by @jgillick and Jeremy Gillick in vitest-dev/vitest#9235 (2f367)

Add filters to createSpecification - by @sheremet-va in vitest-dev/vitest#9336 (c8e6c)

Expose runTestFiles as alternative to runTestSpecifications - by @sheremet-va in vitest-dev/vitest#9443 (43d76)

Add allowWrite and allowExec options to api - by @sheremet-va in vitest-dev/vitest#9350 (20e00)

Allow passing down test cases to toTestSpecification - by @sheremet-va in vitest-dev/vitest#9627 (6f17d)

browser:

Add userEvent.wheel API - by @macarie in vitest-dev/vitest#9188 (66080)

Add filterNode option to prettyDOM for filtering browser assertion error output - by @Copilot, sheremet-va and @sheremet-va in vitest-dev/vitest#9475 (d3220)

Support playwright persistent context - by @hi-ogawa, Claude Opus 4.6 and @sheremet-va in vitest-dev/vitest#9229 (f865d)

Added detailsPanelPosition option and button - by @shairez in vitest-dev/vitest#9525 (c8a31)

Use BlazeDiff instead of pixelmatch - by @macarie in vitest-dev/vitest#9514 (30936)

Add findElement and enable strict mode in webdriverio and preview - by @sheremet-va in vitest-dev/vitest#9677 (c3f37)

cli:

Add @bomb.sh/tab completions - by @AmirSa12 and @sheremet-va in vitest-dev/vitest#8639 (200f3)

coverage:

Support ignore start/stop ignore hints - by @AriPerkkio in vitest-dev/vitest#9204 (e59c9)

Add coverage.changed option to report only changed files - by @kykim00 and @AriPerkkio in vitest-dev/vitest#9521 (1d939)

experimental:

Add onModuleRunner hook to worker.init - by @sheremet-va in vitest-dev/vitest#9286 (e977f)

Option to disable the module runner - by @sheremet-va and @AriPerkkio in vitest-dev/vitest#9210 (9be61)

... (truncated)

Commits

4150b91 chore: release v4.1.0
1de0aa2 fix: correctly identify concurrent test during static analysis (#9846)
c3cac1c fix: use isAgent check, not just TTY, for watch mode (#9841)
eab68ba chore(deps): update all non-major dependencies (#9824)
031f02a fix: allow catch/finally for async assertion (#9827)
3e9e096 feat(reporters): add agent reporter to reduce ai agent token usage (#9779)
0c2c013 chore: release v4.1.0-beta.6
8181e06 fix: hideSkippedTests should not hide test.todo (fix #9562) (#9781)
a8216b0 fix: manual and redirect mock shouldn't load or transform original module...
689a22a fix(browser): types of getCDPSession and cdp() (#9716)
Additional commits viewable in compare view

Updates brace-expansion from 5.0.2 to 5.0.6

Commits

46317b5 5.0.6
c0b095b Merge commit from fork
ec56020 Bump picomatch from 4.0.3 to 4.0.4 (#93)
8793901 5.0.5
9a02af5 Merge commit from fork
daa71bc Bump tar from 7.5.10 to 7.5.11 (#92)
799e5f7 Bump tar from 7.5.9 to 7.5.10 (#90)
012c230 5.0.4
243c491 Fix handling of brackets. Closes #87
609f858 Correct incorrect brace-expansion import (#89)
Additional commits viewable in compare view

Updates minimatch from 10.2.0 to 10.2.5

Commits

693c823 10.2.5
7953af1 do not allow .. to consume drive letter on Windows
1caf918 lint and format
7783ed6 ignore docs
6d9b356 update deps etc
c36addb 10.2.4
26b9002 docs: add warning about ReDoS
3a0d83b fix partial matching of globstar patterns
ea94840 10.2.3
0873fba update deps
Additional commits viewable in compare view

Updates ajv from 8.17.1 to 8.20.0

Release notes

Sourced from ajv's releases.

v8.20.0

What's Changed

fix: add support for node 22/24, drop node 16/21 by @jasoniangreen in ajv-validator/ajv#2580

fix: add ES2022.RegExp for RegExpIndicesArray by @SignpostMarv in ajv-validator/ajv#2604

Full Changelog: ajv-validator/ajv@v8.19.0...v8.20.0

v8.19.0

What's Changed

fix prototype pollution via format keyword using $data ref by @epoberezkin in ajv-validator/ajv#2607

Full Changelog: ajv-validator/ajv@v8.18.0...v8.19.0

v8.18.0

What's Changed

feat: allow tree-shaking by adding "sideEffects": false to package.json by @josdejong in ajv-validator/ajv#2480

fix: #2482 Infinity and NaN serialise to null by @jasoniangreen in ajv-validator/ajv#2487

fix: small grammatical error in managing-schemas.md by @monteiro-renato in ajv-validator/ajv#2508

fix: typos in schema-language.md by @monteiro-renato in ajv-validator/ajv#2507

fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @epoberezkin in ajv-validator/ajv#2586

New Contributors

@josdejong made their first contribution in ajv-validator/ajv#2480

@monteiro-renato made their first contribution in ajv-validator/ajv#2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

Commits

0fba0b8 8.20.0
9caf8d6 fix: add ES2022.RegExp for RegExpIndicesArray; fixes ajv-validator/ajv#2603 (...
2065350 fix: add support for node 22/24, drop node 16/21 (#2580)
154b58d 8.19.0
e8d2bdc test/fix prototype pollution via $data ref with format keyword (#2607)
142ce84 8.18.0
720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
82735a1 fix: typos in schema-language.md (#2507)
b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
Additional commits viewable in compare view

Updates hono from 4.11.9 to 4.12.25

Release notes

Sourced from hono's releases.

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

v4.12.24

What's Changed

docs(contribution): simplifyAI Usage Policy by @yusukebe in honojs/hono#4972

chore: remove @types/glob by @rtritto in honojs/hono#4978

fix(bearer-auth): mention verifyToken in missing-options error message by @tan7vir in honojs/hono#4987

refactor(language): Test/improve tests on languages middleware by @iNeoO in honojs/hono#4980

fix(utils/ipaddr): expand "::" to eight zero groups by @youcefzemmar in honojs/hono#4973

fix: clean up config files trailing comma, stale excludes, typesVersions gaps, jsr paths by @Mohammad-Faiz-Cloud-Engineer in honojs/hono#4982

refactor(timing): Test/add test for middleware timing by @iNeoO in honojs/hono#4991

fix(utils/ipaddr): render the unspecified address binary as "::" by @sarathfrancis90 in honojs/hono#4998

Full Changelog: honojs/hono@v4.12.23...v4.12.24

v4.12.23

What's Changed

fix(serve-static): normalize all backslashes in file paths, not just the first in honojs/hono#4962

feat(context): export the Context class publicly by @BlankParticle in honojs/hono#4543

docs(contribution): add AI Usage Policy by @yusukebe in honojs/hono#4970

feat(compress): add contentTypeFilter option and COMPRESSIBLE_CONTENT_TYPE_REGEX re-export by @na-trium-144 in honojs/hono#4961

fix(utils/ipaddr): do not compress a single 0 group to :: by @yusukebe in honojs/hono#4971

Full Changelog: honojs/hono@v4.12.22...v4.12.23

v4.12.22

What's Changed

... (truncated)

Commits

fce483e 4.12.25
751ba41 Merge commit from fork
f0b094d Merge commit from fork
fa5f9bf Merge commit from fork
3892a6c Merge commit from fork
74c2cf8 test(aws-lambda): update integration tests (#5012)
7ae7cba Merge commit from fork
1b13848 chore(ci): bump codecov-action to v7.0.0 (#5011)
5fdde5a 4.12.24
c78932d fix(utils/ipaddr): render the unspecified address binary as "::" (#4998)
Additional commits viewable in compare view

Updates srvx from 0.9.6 to 0.11.16

Release notes

Sourced from srvx's releases.

v0.11.16

compare changes

🩹 Fixes

node: Flatten writeHead headers on Deno (#203)

aws-lambda-streaming: Handle empty body (#205)

node: Do not crash on asterisk-form request targets (#206)

💅 Refactors

node/web: Add new TypeOfService utils to socker impl (945fc17)

❤️ Contributors

Taylor Steele (@taylorfsteele)

Pooya Parsa (@pi0)

KT (@ktKongTong)

v0.11.15

compare changes

🩹 Fixes

node/web: Do not swallow getReader errors (#199)

❤️ Contributors

Joël Charles (@magne4000)

v0.11.14

compare changes

🩹 Fixes

node: Handle EADDRINUSE port conflict on serve (#197)

❤️ Contributors

Neko (@nekomeowww)

v0.11.13

compare changes

🩹 Fixes

url: Deopt absolute URIs in FastURL (de0d699)

v0.11.12

compare changes

... (truncated)

Changelog

Sourced from srvx's changelog.

v0.11.16

compare changes

🩹 Fixes

node: Flatten writeHead headers on Deno (#203)

aws-lambda-streaming: Handle empty body (#205)

node: Do not crash on asterisk-form request targets (#206)

💅 Refactors

node/web: Add new TypeOfService utils to socker impl (945fc17)

🏡 Chore

Update deps (4a6fcd3)

Update deps (c0acb0f)

Bump deps (c853aa9)

Update deps (961d756)

✅ Tests

Node 20 compat (7771820)

🤖 CI

Downgrade undici for node 20 only (05efca4)

Downgrade undici for deno node-compat test (e501480)

Force latest deno version (6f17e2e)

Directly install latest deno (59ba353)

Fix deno install (f6efb77)

Pin deno (7249b63)

Test node 22, 24, 26 (a745b47)

❤️ Contributors

Pi0x x@pi0.io

Taylor Steele (@taylorfsteele)

Pooya Parsa (@pi0)

KT (@ktKongTong)

v0.11.15

compare changes

🩹 Fixes

node/web: Do not swallow getReader errors (#199)

... (truncated)

Commits

19efb13 fix(node): do not crash on asterisk-form request targets (#206)
e429c6f fix(aws-lambda-streaming): handle empty body (#205)
a745b47 ci: test node 22, 24, 26
961d756 chore: update deps
c853aa9 chore: bump deps
7249b63 ci: pin deno
f6efb77 ci: fix deno install
59ba353 ci: directly install latest deno
6f17e2e ci: force latest deno version
7a05a72 fix(node): flatten writeHead headers on Deno (#203)
Additional commits viewable in compare view

Updates srvx from 0.11.4 to 0.11.16

Release notes

Sourced from srvx's releases.

v0.11.16

compare changes

🩹 Fixes

node: Flatten writeHead headers on Deno (#203)

aws-lambda-streaming: Handle empty body (#205)

node: Do not crash on asterisk-form request targets (#206)

💅 Refactors

node/web: Add new TypeOfService utils to socker impl (945fc17)

❤️ Contributors

Taylor Steele (@taylorfsteele)

Pooya Parsa (@pi0)

KT (@ktKongTong)

v0.11.15

compare changes

🩹 Fixes

node/web: Do not swallow getReader errors (#199)

❤️ Contributors

Joël Charles (@magne4000)

v0.11.14

compare changes

🩹 Fixes

node: Handle EADDRINUSE port conflict on serve (#197)

❤️ Contributors

Neko (@nekomeowww)

v0.11.13

compare changes

🩹 Fixes

url: Deopt absolute URIs in FastURL (de0d699)

v0.11.12

compare changes

... (truncated)

Changelog

Sourced from srvx's changelog.

v0.11.16

compare changes

🩹 Fixes

node: Flatten writeHead headers on Deno (#203)

aws-lambda-streaming: Handle empty body (#205)

node: Do not crash on asterisk-form request targets (#206)

💅 Refactors

node/web: Add new TypeOfService utils to socker impl (945fc17)

🏡 Chore

Update deps (4a6fcd3)

Update deps (c0acb0f)

Bump deps (c853aa9)

Update deps (961d756)

✅ Tests

Node 20 compat (7771820)

🤖 CI

Downgrade undici for node 20 only (05efca4)

Downgrade undici for deno node-compat test (e501480)

Force latest deno version (6f17e2e)

Directly install latest deno (59ba353)

Fix deno install (f6efb77)

Pin deno (7249b63)

Test node 22, 24, 26 (a745b47)

❤️ Contributors

Pi0x x@pi0.io

Taylor Steele (@taylorfsteele)

Pooya Parsa (@pi0)

KT (@ktKongTong)

v0.11.15

compare changes

🩹 Fixes

node/web: Do not swallow getReader errors (#199)

... (truncated)

Commits

19efb13 fix(node): do not crash on asterisk-form request targets (#206)
e429c6f fix(aws-lambda-streaming): handle empty body (#205)
a745b47 ci: test node 22, 24, 26
961d756 chore: update deps
c853aa9 chore: bump deps
7249b63 ci: pin deno
f6efb77 ci: fix deno install
59ba353 ci: directly install latest deno
6f17e2e ci: force latest deno version
7a05a72 fix(node): flatten writeHead headers on Deno (#203)
Additional commits viewable in compare view

Updates nitro from 3.0.1-alpha.1 to 3.0.260610-beta

Release notes

Sourced from nitro's releases.

v3.0.260610-beta

compare changes

🚀 Enhancements

prerender: Run prerenderer in isolate worker (#4326)

vite: Use explicit module graph for service entries (#4327)

Preset Changes

vercel: Support websocket upgrades (internal testing) (#4317)

🩹 Fixes

Try to resolve server entry also from server dir (#4313)

runtime: Avoid std-env in warning stub (#4296)

vite: Force resolve nitro/ imports from service envs (#4324)

vite: Inherit renderer for prerender build (#4325)

vite, prerender: Use shared virtuals (#4328)

build: Add buildDir to noExternals if inside node_modules (#4329)

types: Emit auto-import paths as files, not directories (#4333)

vite: Propagate service fetch errors in dev to match production (#4335)

📖 Documentation

Fix inline escaing (#4312)

❤️ Contributors

Pooya Parsa (@pi0)

Daniel Roe (@danielroe)

Andrew Barba (@AndrewBarba)

Max (@onmax)

Eduardo San Martin Morote (@posva)

v3.0.260603-beta

compare changes

🚀 Enhancements

build: Support custom framework preview/deploy commands (#4293)

config: Add defaultPreset to customize the fallback preset (#4299)

🩹 Fixes

types: Only strip extensions that ts retries (#4297)

📖 Documentation

Fix quick-start preview image (#4307)

... (truncated)

Commits

df5799e v3.0.260610-beta
21e2ab5 chore: update deps
b4f3e2b fix(vite): propagate service fetch errors in dev to match production (#4335)
eebcd33 chore(deps): update all non-major dependencies (#4332)
2395894 fix(types): emit auto-import paths as files, not directories (#4333)
da2a75d presets(vercel): support websocket upgrades (#4317)
0ed3dc3 fix(build): add buildDir to noExternals if inside node_modules (#4329)
9e2f509 fix(vite, prerender): use shared virtuals (#4328)
c6607d9 feat(vite): use explicit module graph for service entries (#4327)
9572a68 feat(prerender): run prerenderer in isolate worker (#4326)

Description has been truncated

…pdates Bumps the npm_and_yarn group with 18 updates in the / directory: | Package | From | To | | --- | --- | --- | | [storybook](https://github.com/storybookjs/storybook/tree/HEAD/code/core) | `10.2.8` | `10.2.10` | | [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.3.1` | `7.3.2` | | [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.18` | `4.1.0` | | [brace-expansion](https://github.com/juliangruber/brace-expansion) | `5.0.2` | `5.0.6` | | [minimatch](https://github.com/isaacs/minimatch) | `10.2.0` | `10.2.5` | | [ajv](https://github.com/ajv-validator/ajv) | `8.17.1` | `8.20.0` | | [hono](https://github.com/honojs/hono) | `4.11.9` | `4.12.25` | | [srvx](https://github.com/h3js/srvx) | `0.9.6` | `0.11.16` | | [srvx](https://github.com/h3js/srvx) | `0.11.4` | `0.11.16` | | [nitro](https://github.com/nitrojs/nitro) | `3.0.1-alpha.1` | `3.0.260610-beta` | | [@tanstack/start-server-core](https://github.com/TanStack/router/tree/HEAD/packages/start-server-core) | `1.159.9` | `1.169.14` | | [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) | `8.2.1` | `8.5.2` | | [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.2` | | [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` | | [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` | | [qs](https://github.com/ljharb/qs) | `6.14.2` | `6.15.2` | | [shell-quote](https://github.com/ljharb/shell-quote) | `1.8.3` | `1.8.4` | | [undici](https://github.com/nodejs/undici) | `7.22.0` | `7.27.2` | | [ws](https://github.com/websockets/ws) | `8.18.3` | `8.21.0` | Updates `storybook` from 10.2.8 to 10.2.10 - [Release notes](https://github.com/storybookjs/storybook/releases) - [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md) - [Commits](https://github.com/storybookjs/storybook/commits/v10.2.10/code/core) Updates `vite` from 7.3.1 to 7.3.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite) Updates `vitest` from 4.0.18 to 4.1.0 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/vitest) Updates `brace-expansion` from 5.0.2 to 5.0.6 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v5.0.2...v5.0.6) Updates `minimatch` from 10.2.0 to 10.2.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v10.2.0...v10.2.5) Updates `ajv` from 8.17.1 to 8.20.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v8.17.1...v8.20.0) Updates `hono` from 4.11.9 to 4.12.25 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.9...v4.12.25) Updates `srvx` from 0.9.6 to 0.11.16 - [Release notes](https://github.com/h3js/srvx/releases) - [Changelog](https://github.com/h3js/srvx/blob/main/CHANGELOG.md) - [Commits](h3js/srvx@v0.9.6...v0.11.16) Updates `srvx` from 0.11.4 to 0.11.16 - [Release notes](https://github.com/h3js/srvx/releases) - [Changelog](https://github.com/h3js/srvx/blob/main/CHANGELOG.md) - [Commits](h3js/srvx@v0.9.6...v0.11.16) Updates `nitro` from 3.0.1-alpha.1 to 3.0.260610-beta - [Release notes](https://github.com/nitrojs/nitro/releases) - [Changelog](https://github.com/nitrojs/nitro/blob/main/changelog.config.ts) - [Commits](nitrojs/nitro@v3.0.1-alpha.1...v3.0.260610-beta) Updates `@tanstack/start-server-core` from 1.159.9 to 1.169.14 - [Release notes](https://github.com/TanStack/router/releases) - [Changelog](https://github.com/TanStack/router/blob/main/packages/start-server-core/CHANGELOG.md) - [Commits](https://github.com/TanStack/router/commits/@tanstack/start-server-core@1.169.14/packages/start-server-core) Updates `defu` from 6.1.4 to 6.1.7 - [Release notes](https://github.com/unjs/defu/releases) - [Changelog](https://github.com/unjs/defu/blob/main/CHANGELOG.md) - [Commits](unjs/defu@v6.1.4...v6.1.7) Updates `effect` from 3.18.4 to 3.20.0 - [Release notes](https://github.com/Effect-TS/effect/releases) - [Changelog](https://github.com/Effect-TS/effect/blob/main/packages/effect/CHANGELOG.md) - [Commits](https://github.com/Effect-TS/effect/commits/effect@3.20.0/packages/effect) Updates `express-rate-limit` from 8.2.1 to 8.5.2 - [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases) - [Commits](express-rate-limit/express-rate-limit@v8.2.1...v8.5.2) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.1.0...v3.1.2) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `h3` from 2.0.1-rc.5 to 2.0.1-rc.22 - [Release notes](https://github.com/h3js/h3/releases) - [Changelog](https://github.com/h3js/h3/blob/main/CHANGELOG.md) - [Commits](h3js/h3@v2.0.1-rc.5...v2.0.1-rc.22) Updates `ip-address` from 10.0.1 to 10.2.0 - [Commits](beaugunderson/ip-address@v10.0.1...v10.2.0) Updates `lodash` from 4.17.21 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.18.1) Updates `qs` from 6.14.2 to 6.15.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.2...v6.15.2) Updates `rollup` from 4.53.2 to 4.61.1 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.53.2...v4.61.1) Updates `shell-quote` from 1.8.3 to 1.8.4 - [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md) - [Commits](ljharb/shell-quote@v1.8.3...v1.8.4) Updates `undici` from 7.22.0 to 7.27.2 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.22.0...v7.27.2) Updates `ws` from 8.18.3 to 8.21.0 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.18.3...8.21.0) --- updated-dependencies: - dependency-name: storybook dependency-version: 10.2.10 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 7.3.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vitest dependency-version: 4.1.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 5.0.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 10.2.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ajv dependency-version: 8.20.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.25 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: srvx dependency-version: 0.11.16 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: srvx dependency-version: 0.11.16 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: nitro dependency-version: 3.0.260610-beta dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@tanstack/start-server-core" dependency-version: 1.169.14 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: defu dependency-version: 6.1.7 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: effect dependency-version: 3.20.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: express-rate-limit dependency-version: 8.5.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: h3 dependency-version: 2.0.1-rc.22 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ip-address dependency-version: 10.2.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.61.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: shell-quote dependency-version: 1.8.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 7.27.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ws dependency-version: 8.21.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

vercel · 2026-06-12T20:33:56Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
pek-infinity	Ready	Preview, Comment	Jun 12, 2026 8:34pm

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 12, 2026

dependabot Bot mentioned this pull request Jun 12, 2026

chore(deps): bump the npm_and_yarn group across 1 directory with 23 updates #91

Closed

vercel Bot deployed to Preview June 12, 2026 20:34 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 1 directory with 23 updates#92

chore(deps): bump the npm_and_yarn group across 1 directory with 23 updates#92
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/npm_and_yarn-e7f1bb7f8c

dependabot Bot commented on behalf of github Jun 12, 2026

Uh oh!

vercel Bot commented Jun 12, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 12, 2026

v10.2.10

10.2.10

v10.2.9

10.2.9

10.2.10

10.2.9

v7.3.2

7.3.2 (2026-04-06)

Bug Fixes

v4.1.0

🚀 Features

v8.20.0

What's Changed

v8.19.0

What's Changed

v8.18.0

What's Changed

New Contributors

v4.12.25

Security fixes

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Path traversal in serve-static on Windows via encoded backslash (%5C)

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

v4.12.24

What's Changed

v4.12.23

What's Changed

v4.12.22

What's Changed

v0.11.16

🩹 Fixes

💅 Refactors

❤️ Contributors

v0.11.15

🩹 Fixes

❤️ Contributors

v0.11.14

🩹 Fixes

❤️ Contributors

v0.11.13

🩹 Fixes

v0.11.12

v0.11.16

🩹 Fixes

💅 Refactors

🏡 Chore

✅ Tests

🤖 CI

❤️ Contributors

v0.11.15

🩹 Fixes

v0.11.16

🩹 Fixes

💅 Refactors

❤️ Contributors

v0.11.15

🩹 Fixes

❤️ Contributors

v0.11.14

🩹 Fixes

❤️ Contributors

v0.11.13

🩹 Fixes

v0.11.12

v0.11.16

🩹 Fixes

💅 Refactors

🏡 Chore

✅ Tests

🤖 CI

❤️ Contributors

v0.11.15

🩹 Fixes

v3.0.260610-beta

🚀 Enhancements

Preset Changes

CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)

AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice

vercel Bot commented Jun 12, 2026 •

edited

Loading