chore(deps): bump the npm_and_yarn group across 1 directory with 8 updates by dependabot[bot] · Pull Request #5 · egeuysall/shipr

dependabot · 2026-03-20T01:23:19Z

Bumps the npm_and_yarn group with 8 updates in the / directory:

Package	From	To
next	`16.1.6`	`16.1.7`
@hono/node-server	`1.19.9`	`1.19.11`
dompurify	`3.3.1`	`3.3.3`
express-rate-limit	`8.2.1`	`8.3.1`
flatted	`3.3.3`	`3.4.2`
hono	`4.12.1`	`4.12.8`
minimatch	`3.1.2`	`3.1.5`
rollup	`4.58.0`	`4.59.0`

Updates next from 16.1.6 to 16.1.7

Release notes

Sourced from next's releases.

v16.1.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

[Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)

Apply server actions transform to node_modules in route handlers (#89380)

ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)

feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)

Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)

Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)

fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @unstubbable, @styfle, @eps1lon, and @ztanner for helping!

Commits

bdf3e35 v16.1.7
dc98c04 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
9023c0a [backport] Disallow Server Action submissions from privacy-sensitive contexts...
36a97b9 Allow blocking cross-site dev-only websocket connections from privacy-sensiti...
93c3993 [backport]: feat(next/image): add lru disk cache and `images.maximumDiskCache...
c68d62d Backport documentation fixes for 16.1.x (#90655)
5214ac1 [backport]: ensure maxPostponedStateSize is always respected (#90060) (#90471)
c95e357 Backport/docs fixes 16.1.x (#90125)
cba6144 [backport] Apply server actions transform to node_modules in route handlers...
3db9063 [backport] [Cache Components] Prevent streaming fetch calls from hanging in d...
Additional commits viewable in compare view

Updates @hono/node-server from 1.19.9 to 1.19.11

Release notes

Sourced from @hono/node-server's releases.

v1.19.11

What's Changed

fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

Commits

ecd4d6b 1.19.11
c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
2f8ca36 1.19.10
455015b Merge commit from fork
cc05c48 chore: add benchmark for comparing with npm and local (dev) (#305)
58c4412 chore: Adding LICENSE file with MIT license referenced in README.md (#297)
b1daa4c docs(readme): add @usualoma as an author (#300)
See full diff in compare view

Updates dompurify from 3.3.1 to 3.3.3

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.3

Fixed an engine requirement for Node 20 which caused hiccups, thanks @Rotzbua

DOMPurify 3.3.2

Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters

Fixed a prototype pollution issue when working with custom elements, thanks @christos-eth

Fixed a lenient config parsing in _isValidAttribute, thanks @christos-eth

Bumped and removed several dependencies, thanks @Rotzbua

Fixed the test suite after bumping dependencies, thanks @Rotzbua

Commits

8bcbf73 chore: Preparing 3.3.3 release
5faddd6 fix: engine requirement (#1210)
0f91e3a Update README.md
d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
c3efd48 fix: moved back from jsdom 28 to jsdom 20
988b888 fix: moved back from jsdom 28 to jsdom 20
2726c74 chore: Preparing 3.3.2 release
6202c7e build(deps): bump @tootallnate/once and jsdom (#1204)
302b51d fix: Expanded the regex ever so slightly to also cover script
cd85175 Merge branch 'main' of github.com:cure53/DOMPurify
Additional commits viewable in compare view

Updates express-rate-limit from 8.2.1 to 8.3.1

Release notes

Sourced from express-rate-limit's releases.

v8.3.1

You can view the changelog here.

v8.3.0

You can view the changelog here.

Commits

47e5b29 8.3.1
eb61179 v8.3.1 changelog
a17377d Fix broken link for contributing guide
5aa3f6c fix: revert the dts-bundle-generator update
06dea83 ci: run test on node 20, 22, 24, 25 and drop 18 as it reached eol
c86a27d chore: update dependencies
8898ffa chore: migrate biome schema and run formatter
dd544fd docs: update changelog with backported releases
9c90752 ci: setup oidc connect with npm for automatatic publish
e4477fa 8.3.0
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for express-rate-limit since your current version.

Updates flatted from 3.3.3 to 3.4.2

Commits

3bf0909 3.4.2
885ddcc fix CWE-1321
0bdba70 added flatted-view to the benchmark
2a02dce 3.4.1
fba4e8f Merge pull request #89 from WebReflection/python-fix
5fe8648 added "when in Rome" also a test for PHP
53517ad some minor improvement
b3e2a0c Fixing recursion issue in Python too
c4b46db Add SECURITY.md for security policy and reporting
f86d071 Create dependabot.yml for version updates
Additional commits viewable in compare view

Updates hono from 4.12.1 to 4.12.8

Release notes

Sourced from hono's releases.

v4.12.8

What's Changed

fix(utils/mime): Normalize input extension to lowercase before MIME check by @TheEssem in honojs/hono#4800

fix(bearer-auth): escape regex metacharacters in bearer auth prefix option by @otoneko1102 in honojs/hono#4750

New Contributors

@TheEssem made their first contribution in honojs/hono#4800

Full Changelog: honojs/hono@v4.12.7...v4.12.8

v4.12.7

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

What's Changed

fix(accept): replace regex split to mitigate ReDoS by @EdamAme-x in honojs/hono#4758

fix(jsx): align link hoisting and dedupe with React 19 by @usualoma in honojs/hono#4792

chore(builld): tsconfig project references by @BarryThePenguin in honojs/hono#4797

chore: add tsconfig.spec.json by @yusukebe in honojs/hono#4798

feat(jsx-renderer): support function-based options by @3w36zj6 in honojs/hono#4780

fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @t0waxx in honojs/hono#4782

New Contributors

@t0waxx made their first contribution in honojs/hono#4782

Full Changelog: honojs/hono@v4.12.5...v4.12.6

v4.12.5

What's Changed

fix(request): return string | undefined from param() when path type is any by @andrewdamelio in honojs/hono#4723

fix(jwt): validate token format in decode and decodeHeader functions by @otoneko1102 in honojs/hono#4752

fix(jsx): Fix "Invalid state: Controller is already closed" by @gaearon in honojs/hono#4770

chore(eslint): upgrade @hono/eslint-config by @BarryThePenguin in honojs/hono#4781

New Contributors

@andrewdamelio made their first contribution in honojs/hono#4723

@otoneko1102 made their first contribution in honojs/hono#4752

@gaearon made their first contribution in honojs/hono#4770

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

... (truncated)

Commits

fe689ec 4.12.8
0c0bf8d fix(bearer-auth): escape regex metacharacters in bearer auth prefix option (#...
488ea6a fix(utils/mime): Normalize input extension to lowercase before MIME check (#4...
b0aba5b 4.12.7
1be3a53 ci: apply automated fixes
ef90225 Merge commit from fork
3f88636 4.12.6
53b66ae fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X (#4782)
58825a7 feat(jsx-renderer): support function-based options (#4780)
0e80acb chore: add tsconfig.spec.json (#4798)
Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates rollup from 4.58.0 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

#6275: Validate bundle stays within output dir (@lukastaegert)

Changelog

Sourced from rollup's changelog.

4.59.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

#6275: Validate bundle stays within output dir (@lukastaegert)

Commits

ae84695 4.59.0
b39616e Update audit-resolve
c60770d Validate bundle stays within output dir (#6275)
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

…dates Bumps the npm_and_yarn group with 8 updates in the / directory: | Package | From | To | | --- | --- | --- | | [next](https://github.com/vercel/next.js) | `16.1.6` | `16.1.7` | | [@hono/node-server](https://github.com/honojs/node-server) | `1.19.9` | `1.19.11` | | [dompurify](https://github.com/cure53/DOMPurify) | `3.3.1` | `3.3.3` | | [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) | `8.2.1` | `8.3.1` | | [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` | | [hono](https://github.com/honojs/hono) | `4.12.1` | `4.12.8` | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` | | [rollup](https://github.com/rollup/rollup) | `4.58.0` | `4.59.0` | Updates `next` from 16.1.6 to 16.1.7 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.1.6...v16.1.7) Updates `@hono/node-server` from 1.19.9 to 1.19.11 - [Release notes](https://github.com/honojs/node-server/releases) - [Commits](honojs/node-server@v1.19.9...v1.19.11) Updates `dompurify` from 3.3.1 to 3.3.3 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.3.1...3.3.3) Updates `express-rate-limit` from 8.2.1 to 8.3.1 - [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases) - [Commits](express-rate-limit/express-rate-limit@v8.2.1...v8.3.1) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `hono` from 4.12.1 to 4.12.8 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.1...v4.12.8) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `rollup` from 4.58.0 to 4.59.0 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.58.0...v4.59.0) --- updated-dependencies: - dependency-name: next dependency-version: 16.1.7 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@hono/node-server" dependency-version: 1.19.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.3.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: express-rate-limit dependency-version: 8.3.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.8 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.59.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

vercel · 2026-03-20T01:23:21Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
shipr	Ready	Preview, Comment	Mar 20, 2026 1:24am

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 20, 2026

vercel Bot deployed to Preview March 20, 2026 01:24 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 1 directory with 8 updates#5

chore(deps): bump the npm_and_yarn group across 1 directory with 8 updates#5
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/npm_and_yarn-f4403b3495

dependabot Bot commented on behalf of github Mar 20, 2026

Uh oh!

vercel Bot commented Mar 20, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Mar 20, 2026

v16.1.7

Core Changes

Credits

v1.19.11

What's Changed

v1.19.10

Security Fix

DOMPurify 3.3.3

DOMPurify 3.3.2

v8.3.1

v8.3.0

v4.12.8

What's Changed

New Contributors

v4.12.7

Security hardening

v4.12.6

What's Changed

New Contributors

v4.12.5

What's Changed

New Contributors

v4.12.4

Security fixes

v4.59.0

4.59.0

Features

Pull Requests

4.59.0

Features

Pull Requests

Uh oh!

vercel Bot commented Mar 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

vercel Bot commented Mar 20, 2026 •

edited

Loading