Skip to content

Bump the npm_and_yarn group across 1 directory with 10 updates#2

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-38972b2ec8
Open

Bump the npm_and_yarn group across 1 directory with 10 updates#2
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-38972b2ec8

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Mar 28, 2026

Bumps the npm_and_yarn group with 9 updates in the / directory:

Package From To
vite 5.4.19 5.4.21
@tootallnate/once 2.0.0 removed
minimatch 3.1.2 3.1.5
esbuild 0.21.5 0.27.4
flatted 3.3.1 3.4.2
glob 10.4.5 10.5.0
js-yaml 4.1.0 4.1.1
lodash 4.17.21 4.17.23
react-router 6.30.1 6.30.3

Updates vite from 5.4.19 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

5.4.20 (2025-09-08)

Commits

Removes @tootallnate/once

Updates minimatch from 3.1.2 to 3.1.5

Commits

Updates esbuild from 0.21.5 to 0.27.4

Release notes

Sourced from esbuild's releases.

v0.27.4

  • Fix a regression with CSS media queries (#4395, #4405, #4406)

    Version 0.25.11 of esbuild introduced support for parsing media queries. This unintentionally introduced a regression with printing media queries that use the <media-type> and <media-condition-without-or> grammar. Specifically, esbuild was failing to wrap an or clause with parentheses when inside <media-condition-without-or>. This release fixes the regression.

    Here is an example:

    /* Original code */
@media only screen and ((min-width: 10px) or (min-height: 10px)) {
  a { color: red }
}
/* Old output (incorrect) */
@​media only screen and (min-width: 10px) or (min-height: 10px) {
a {
color: red;
}
}
/* New output (correct) */
@​media only screen and ((min-width: 10px) or (min-height: 10px)) {
a {
color: red;
}
}

  • Fix an edge case with the inject feature (#4407)

    This release fixes an edge case where esbuild's inject feature could not be used with arbitrary module namespace names exported using an export {} from statement with bundling disabled and a target environment where arbitrary module namespace names is unsupported.

    With the fix, the following inject file:

    import jquery from 'jquery';
export { jquery as 'window.jQuery' };

    Can now always be rewritten as this without esbuild sometimes incorrectly generating an error:

    export { default as 'window.jQuery' } from 'jquery';

  • Attempt to improve API handling of huge metafiles (#4329, #4415)

    This release contains a few changes that attempt to improve the behavior of esbuild's JavaScript API with huge metafiles (esbuild's name for the build metadata, formatted as a JSON object). The JavaScript API is designed to return the metafile JSON as a JavaScript object in memory, which makes it easy to access from within a JavaScript-based plugin. Multiple people have encountered issues where this API breaks down with a pathologically-large metafile.

    The primary issue is that V8 has an implementation-specific maximum string length, so using the JSON.parse API with large enough strings is impossible. This release will now attempt to use a fallback JavaScript-based JSON parser that operates directly on the UTF8-encoded JSON bytes instead of using JSON.parse when the JSON metafile is too big to fit in a JavaScript string. The new fallback path has not yet been heavily-tested. The metafile will also now be generated with whitespace removed if the bundle is significantly large, which will reduce the size of the metafile JSON slightly.

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2024

This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).

0.24.2

  • Fix regression with --define and import.meta (#4010, #4012, #4013)

    The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

    This fix was contributed by @​sapphi-red.

0.24.1

  • Allow es2024 as a target in tsconfig.json (#4004)

    TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

    {
  "compilerOptions": {
    "target": "ES2024"
  }
}

    As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

    This fix was contributed by @​billyjanitsch.

  • Allow automatic semicolon insertion after get/set

    This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

    class Foo {
  get
  *x() {}
  set
  *y() {}
}

    The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

  • Allow quoted property names in --define and --pure (#4008)

    The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

    

    • 






... (truncated)





Commits





Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for esbuild since your current version.






Updates flatted from 3.3.1 to 3.4.2



Commits

    

  • 3bf0909 3.4.2
    • 

  • 885ddcc fix CWE-1321
    • 

  • 0bdba70 added flatted-view to the benchmark
    • 

  • 2a02dce 3.4.1
    • 

  • fba4e8f Merge pull request #89 from WebReflection/python-fix
    • 

  • 5fe8648 added "when in Rome" also a test for PHP
    • 

  • 53517ad some minor improvement
    • 

  • b3e2a0c Fixing recursion issue in Python too
    • 

  • c4b46db Add SECURITY.md for security policy and reporting
    • 

  • f86d071 Create dependabot.yml for version updates
    • 

  • Additional commits viewable in compare view
    • 







Updates glob from 10.4.5 to 10.5.0



Commits






Updates js-yaml from 4.1.0 to 4.1.1



Changelog

Sourced from js-yaml's changelog.




[4.1.1] - 2025-11-12


Security


    

  • Fix prototype pollution issue in yaml merge (<<) operator.
    • 








Commits






Updates lodash from 4.17.21 to 4.17.23



Commits






Updates react-router from 6.30.1 to 6.30.3



Release notes

Sourced from react-router's releases.




v6.30.3


See the changelog for release notes: https://github.com/remix-run/react-router/blob/v6/CHANGELOG.md#v6303


v6.30.2


See the changelog for release notes: https://github.com/remix-run/react-router/blob/v6/CHANGELOG.md#v6302







Changelog

Sourced from react-router's changelog.




v6.30.3


Date: 2026-01-07


Security Notice


This release addresses 1 security vulnerability:



Patch Changes


    

  • Validate redirect locations (#14707)
    • 



Full Changelog: v6.30.2...v6.30.3


v6.30.2


Date: 2025-11-13


Security Notice


This release addresses 1 security vulnerability:



Patch Changes


    

  • Normalize double-slashes in resolvePath (#14537)
    • 



Full Changelog: v6.30.1...v6.30.2







Commits





Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for react-router since your current version.






Updates rollup from 4.24.0 to 4.60.0



Release notes

Sourced from rollup's releases.




v4.60.0


4.60.0


2026-03-22


Features


    

  • Support source phase imports as long as they are external (#6279)
    • 



Pull Requests



v4.59.1


4.59.1


2026-03-21


Bug Fixes


    

  • Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)
    • 



Pull Requests



v4.59.0


4.59.0


2026-02-22





... (truncated)





Changelog

Sourced from rollup's changelog.




4.60.0


2026-03-22


Features


    

  • Support source phase imports as long as they are external (#6279)
    • 



Pull Requests



4.59.1


2026-03-21


Bug Fixes


    

  • Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)
    • 



Pull Requests



4.59.0


2026-02-22


Features


    

  • Throw when the generated bundle contains paths that would leave the output directory (#6276)
    • 






... (truncated)





Commits





Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for rollup since your current version.





Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.






Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.





Dependabot commands and options



You can trigger Dependabot actions by commenting on this PR:


    

  • @dependabot rebase will rebase this PR
    • 

  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • 

  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
    • 

  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
    • 

  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
    • 

  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
    • 

  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
    • 

  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    
You can disable automated security fix PRs for this repo from the Security Alerts page.
    • 




    

  
  



      


          

          
  
  

    
  
    
    

  

  

  



                    

          
        





  





    



      

  
        

  

      

  
  

  
          

  

    

      


  

      
        @dependabot
  




      

        
          Bump the npm_and_yarn group across 1 directory with 10 updates
        

          
                        
      


      

        

    
    
    

  

    


      


      

        

          

    
    
    

  

  

    
  



        

      


      

        
          32d3cd6
        
      

    

  

    

      
Bumps the npm_and_yarn group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `5.4.19` | `5.4.21` |
| [@tootallnate/once](https://github.com/TooTallNate/once) | `2.0.0` | `removed` |
| [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` |
| [esbuild](https://github.com/evanw/esbuild) | `0.21.5` | `0.27.4` |
| [flatted](https://github.com/WebReflection/flatted) | `3.3.1` | `3.4.2` |
| [glob](https://github.com/isaacs/node-glob) | `10.4.5` | `10.5.0` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` |
| [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router) | `6.30.1` | `6.30.3` |



Updates `vite` from 5.4.19 to 5.4.21
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v5.4.21/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v5.4.21/packages/vite)

Removes `@tootallnate/once`

Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)

Updates `esbuild` from 0.21.5 to 0.27.4
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2024.md)
- [Commits](evanw/esbuild@v0.21.5...v0.27.4)

Updates `flatted` from 3.3.1 to 3.4.2
- [Commits](WebReflection/flatted@v3.3.1...v3.4.2)

Updates `glob` from 10.4.5 to 10.5.0
- [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
- [Commits](isaacs/node-glob@v10.4.5...v10.5.0)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `lodash` from 4.17.21 to 4.17.23
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

Updates `react-router` from 6.30.1 to 6.30.3
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/main/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router@6.30.3/packages/react-router)

Updates `rollup` from 4.24.0 to 4.60.0
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.24.0...v4.60.0)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 5.4.21
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@tootallnate/once"
  dependency-version: 
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: esbuild
  dependency-version: 0.27.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: glob
  dependency-version: 10.5.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: react-router
  dependency-version: 6.30.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 4.60.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

    







  








      

  
            

    

      
    

    


      


          @dependabot
dependabot
Bot



            added
      

  dependencies

  Pull requests that update a dependency file

      

  javascript

  Pull requests that update javascript code

  labels


      Mar 28, 2026

    

  








      

  
      



  

  @vercel






  



    

      

  

    

      

          
    
    

  


        
            
  
      
              Copy link

  

              
  
      
                Copy Markdown

  

        
      

    


    

        



        

    

  


  

    

      
          
      

      
            vercel
  Bot

      

      

      commented


        Mar 28, 2026



      
  

  

    
      

        
          edited
          
        
        
      

    
    
      
  
        
      Loading


  
    
  



    


  





      


        



  
    

      
          
The latest updates on your projects. Learn more about Vercel for GitHub.






Project
Deployment
Actions
Updated (UTC)






shareit-link
Error Error

Mar 28, 2026 3:21am






      		
    

  





        


            

            
            

              
            

        

      


      

            
  
  

    
  
    
    

  

  

  


    












      

  
            

    

      
    

    


      


          @dependabot
dependabot
Bot



            added
      

  dependencies

  Pull requests that update a dependency file

      

  javascript

  Pull requests that update javascript code

  labels


      Mar 28, 2026

    

  



  

  











  
  

    

      

  










  








  
      

  
    Sign up for free
    to join this conversation on GitHub.
    Already have an account?
    Sign in to comment


  










      

  

    
    

    

  

    Reviewers
  


    

    No reviews






    

  


      
  

    Assignees
  



        


    No one assigned







      


  


  

    Labels
  



    

      

    dependencies

  Pull requests that update a dependency file
  

    javascript

  Pull requests that update javascript code








      

  

    

        

    Projects
  


        




    None yet




  



      


  

    
  

    Milestone
  


      No milestone





    
      
          


  

    

      
        

          
  

    Development
  



            


Successfully merging this pull request may close these issues.





  
  



      
    

  




      

    

  
        

  

    

      0 participants