chore(deps): bump the npm_and_yarn group across 1 directory with 7 updates by dependabot[bot] · Pull Request #1 · egeuysall/www

dependabot · 2026-05-09T14:20:52Z

Bumps the npm_and_yarn group with 7 updates in the / directory:

Package	From	To
picomatch	`4.0.3`	`4.0.4`
picomatch	`2.3.1`	`2.3.2`
fast-uri	`3.1.0`	`3.1.2`
fast-xml-builder	`1.1.5`	`1.2.0`
hono	`4.12.15`	`4.12.18`
ip-address	`10.1.0`	`10.2.0`
postcss	`8.5.8`	`8.5.14`
smol-toml	`1.6.0`	`1.6.1`

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

e5474fc Publish 4.0.4
4516eb5 Merge commit from fork
5eceecd Merge commit from fork
0db7dd7 Run benchmark again against latest minimatch version (#161)
9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
2661f23 fix typo in globstars.js test name (#138)
1798b07 docs: fix makeRe example (#143)
9d76bc5 chore: undocument removed options (#146)
e4d718b Remove unused time-require (#160)
38dffeb chore(deps): pin dependencies (#158)
Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

e5474fc Publish 4.0.4
4516eb5 Merge commit from fork
5eceecd Merge commit from fork
0db7dd7 Run benchmark again against latest minimatch version (#161)
9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
2661f23 fix typo in globstars.js test name (#138)
1798b07 docs: fix makeRe example (#143)
9d76bc5 chore: undocument removed options (#146)
e4d718b Remove unused time-require (#160)
38dffeb chore(deps): pin dependencies (#158)
Additional commits viewable in compare view

Updates fast-uri from 3.1.0 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

Fix for GHSA-v39h-62p7-jpjc

What's Changed

Handle malformed fragment decoding as a parse error by @mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

Fix for GHSA-q3j6-qgpj-74h6

What's Changed

build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @dependabot[bot] in fastify/fast-uri#148

build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in fastify/fast-uri#149

chore(.npmrc): ignore scripts by @Fdawgs in fastify/fast-uri#150

build(deps-dev): remove @fastify/pre-commit by @Fdawgs in fastify/fast-uri#151

build(deps): bump actions/setup-node from 4 to 5 by @dependabot[bot] in fastify/fast-uri#152

ci(ci): add concurrency config by @Fdawgs in fastify/fast-uri#153

build(deps): bump actions/setup-node from 5 to 6 by @dependabot[bot] in fastify/fast-uri#154

build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in fastify/fast-uri#156

chore(license): standardise license notice by @Fdawgs in fastify/fast-uri#159

style: remove trailing whitespace by @Fdawgs in fastify/fast-uri#161

ci: remove unused github files by @Tony133 in fastify/fast-uri#162

chore: update readme by @Tony133 in fastify/fast-uri#164

build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#165

build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#166

build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @dependabot[bot] in fastify/fast-uri#167

ci: add lock-threads workflow by @Fdawgs in fastify/fast-uri#169

New Contributors

@Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits

919dd8e Bumped v3.1.2
c65ba57 fixup: linting
6c86c17 Merge commit from fork
a95158a Handle malformed fragment decoding without throwing (#171)
cea547c Bumped v3.1.1
876ce79 Merge commit from fork
dcdf690 ci: add lock-threads workflow (#169)
c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
Additional commits viewable in compare view

Updates fast-xml-builder from 1.1.5 to 1.2.0

Changelog

Sourced from fast-xml-builder's changelog.

1.2.0 (2026-05-08)

Add support for sanitizeName option

Support xml-naming for validating and sanitizing tag and attribute names

1.1.9 (2026-05-06)

fix: format output for preserve order when indent by is set to empty string

1.1.8 (2026-05-05)

fix: skip text property for PI tags

improve typings

1.1.7 (2026--05-04)

fix security issues when attribute value contains quotes

1.1.6 (2026--05-04)

fix security issues related to comment

skip comment with null value

1.1.5 (2026-04-17)

fix security issues related to comment and cdata

1.1.4 (2026-03-16)

support maxNestedTags option

1.1.3 (2026-03-13)

declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

1.1.2 (2026-03-11)

fix typings

1.1.1 (2026-03-11)

upgrade path-expression-matcher to 1.1.3

1.1.0 (2026-03-10)

Integrate path-expression-matcher

Commits

a9a905b for release
42680e8 support name sanitization
8b00185 release info
8a08f17 allow indentation to be empty string
7fc5dec update docs
c241b6a improve documentation
15d5668 update for release
9877485 fix: skip text property for PI tags
311a221 fix #5 typing import issues
e8fc5b1 update for releast
Additional commits viewable in compare view

Updates hono from 4.12.15 to 4.12.18

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

fix(jsx): normalize SVG attributes on the root element by @kfly8 in honojs/hono#4893

fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @yuintei in honojs/hono#4899

fix(cors): make origin optional in CORSOptions by @truffle-dev in honojs/hono#4905

fix(types): propagate middleware response types to app.on overloads by @T4ko0522 in honojs/hono#4906

New Contributors

@kfly8 made their first contribution in honojs/hono#4893

@truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

Commits

f10dee8 4.12.18
a5bd9eb Merge commit from fork
58d3d3a Merge commit from fork
568c2ec Merge commit from fork
ff2b3d3 4.12.17
52aaaf9 fix(types): propagate middleware response types to app.on overloads (#4906)
76d5589 fix(cors): make origin optional in CORSOptions (#4905)
8f027e5 fix(ssg): add atom+xml and rss+xml to defaultExtensionMap (#4899)
bfba97c fix(jsx): normalize SVG attributes on the <svg> root element (#4893)
90d4182 4.12.16
Additional commits viewable in compare view

Updates ip-address from 10.1.0 to 10.2.0

Commits

See full diff in compare view

Updates postcss from 8.5.8 to 8.5.14

Release notes

Sourced from postcss's releases.

8.5.14

Fixed custom syntax regression (by @43081j).

8.5.13

Fixed postcss-scss commend regression.

8.5.12

Fixed reading any file via user-generated CSS.

Added opts.unsafeMap to disable checks.

8.5.11

Fixed nested brackets parsing performance (by @offset).

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

8.5.9

Speed up source map encoding paring in case of the error.

Changelog

Sourced from postcss's changelog.

8.5.14

Fixed custom syntax regression (by @43081j).

8.5.13

Fixed postcss-scss commend regression.

8.5.12

Fixed reading any file via user-generated CSS.

Added opts.unsafeMap to disable checks.

8.5.11

Fixed nested brackets parsing performance (by @offset).

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

8.5.9

Speed up source map encoding paring in case of the error.

Commits

3ec1394 Release 8.5.14 version
f2bb827 Update dependencies
d75953d Merge pull request #2084 from 43081j/raw-raws-rawing
68bd213 fix: always call raw to retrieve raw values
af58cf1 Release 8.5.13 version
f227dbd Temporary ignore pnpm 11 config
d3abd40 Update dependencies
dd06c3e Revert stringifier changes because of the conflict with postcss-scss
ae889c8 Try to fix CI
e0093e4 Move to pnpm 11
Additional commits viewable in compare view

Updates smol-toml from 1.6.0 to 1.6.1

Release notes

Sourced from smol-toml's releases.

v1.6.1

This release addresses a minor security vulnerability where an attacker-controlled TOML document can exploit an unrestricted recustion and cause a stack overflow error with a document that contains thousands of sucessive commented lines. Security advisory: GHSA-v3rj-xjv7-4jmq

Commits

072b64f chore: version bump
19a5dc7 chore: upgrade dependencies and actions
f286f87 fix: don't use recursion in skipVoid
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

…dates Bumps the npm_and_yarn group with 7 updates in the / directory: | Package | From | To | | --- | --- | --- | | [picomatch](https://github.com/micromatch/picomatch) | `4.0.3` | `4.0.4` | | [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` | | [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.2` | | [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder) | `1.1.5` | `1.2.0` | | [hono](https://github.com/honojs/hono) | `4.12.15` | `4.12.18` | | [ip-address](https://github.com/beaugunderson/ip-address) | `10.1.0` | `10.2.0` | | [postcss](https://github.com/postcss/postcss) | `8.5.8` | `8.5.14` | | [smol-toml](https://github.com/squirrelchat/smol-toml) | `1.6.0` | `1.6.1` | Updates `picomatch` from 4.0.3 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.1.0...v3.1.2) Updates `fast-xml-builder` from 1.1.5 to 1.2.0 - [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md) - [Commits](NaturalIntelligence/fast-xml-builder@v1.1.5...v1.2.0) Updates `hono` from 4.12.15 to 4.12.18 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.15...v4.12.18) Updates `ip-address` from 10.1.0 to 10.2.0 - [Commits](https://github.com/beaugunderson/ip-address/commits) Updates `postcss` from 8.5.8 to 8.5.14 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.5.8...8.5.14) Updates `smol-toml` from 1.6.0 to 1.6.1 - [Release notes](https://github.com/squirrelchat/smol-toml/releases) - [Commits](squirrelchat/smol-toml@v1.6.0...v1.6.1) --- updated-dependencies: - dependency-name: picomatch dependency-version: 4.0.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-xml-builder dependency-version: 1.2.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.18 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ip-address dependency-version: 10.2.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: postcss dependency-version: 8.5.14 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: smol-toml dependency-version: 1.6.1 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

vercel · 2026-05-09T14:20:55Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
www	Ready	Preview, Comment	May 9, 2026 2:22pm

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 9, 2026

vercel Bot deployed to Preview May 9, 2026 14:22 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 1 directory with 7 updates#1

chore(deps): bump the npm_and_yarn group across 1 directory with 7 updates#1
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/npm_and_yarn-0acc974424

dependabot Bot commented on behalf of github May 9, 2026

Uh oh!

vercel Bot commented May 9, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 9, 2026

4.0.4

What's Changed

4.0.4

What's Changed

v3.1.2

⚠️ Security Release

What's Changed

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

v4.12.18

Security fixes

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

CSS Declaration Injection via Style Object Values in JSX SSR

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

v4.12.17

What's Changed

New Contributors

v4.12.16

Security fixes

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

bodyLimit() can be bypassed for chunked / unknown-length requests

8.5.14

8.5.13

8.5.12

8.5.11

8.5.10

8.5.9

8.5.14

8.5.13

8.5.12

8.5.11

8.5.10

8.5.9

v1.6.1

Uh oh!

vercel Bot commented May 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

vercel Bot commented May 9, 2026 •

edited

Loading