chore(deps): bump the minor group with 5 updates

[dependabot]

Bumps the minor group with 5 updates:

Package	From	To
prettier	3.8.2	3.8.3
typescript	6.0.2	6.0.3
marko	5.38.35	5.38.36
@types/vscode	1.115.0	1.116.0
@vscode/vsce	3.8.0	3.9.0

Updates prettier from 3.8.2 to 3.8.3

Release notes

Sourced from prettier's releases.

3.8.3

• SCSS: Prevent trailing comma in if() function (prettier/prettier#18471 by @​kovsu)

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.3

diff

SCSS: Prevent trailing comma in if() function (#18471 by @​kovsu)

// Input
$value: if(sass(false): 1; else: -1);
// Prettier 3.8.2
$value: if(
sass(false): 1; else: -1,
);
// Prettier 3.8.3
$value: if(sass(false): 1; else: -1);

Commits

• d7108a7 Release 3.8.3
• 177f908 Prevent trailing comma in SCSS if() function (#18471)
• 1cd4066 Release @​prettier/plugin-oxc@​0.1.4
• a8700e2 Update oxc-parser to v0.125.0
• 752157c Fix tests
• 053fd41 Bump Prettier dependency to 3.8.2
• 904c636 Clean changelog_unreleased
• dc1f7fc Update dependents count
• See full diff in compare view

Updates typescript from 6.0.2 to 6.0.3

Release notes

Sourced from typescript's releases.

TypeScript 6.0.3

Commits

• 050880c Bump version to 6.0.3 and LKG
• eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
• ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
• 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
• See full diff in compare view

Updates marko from 5.38.35 to 5.38.36

Release notes

Sourced from marko's releases.

marko@5.38.36

Patch Changes

• #3159 19d4b37 Thanks @​DylanPiercey! - Fix escaping issue for dynamic text interpolation inside <script>, <style>, <html-script> and <html-style> tags.

  The issue was that the escaping logic for those tags used a CASE SENSITIVE search for the closing tag which could be bypassed like so:

  <script>${"</SCRIPT><img src=x onerror=alert('uh oh')>"}</script>

  Note that script and style there should never render unsanitized user defined values, regardless of wether or not the closing tag is escaped, since these are conceptually just "eval".

• #3159 19d4b37 Thanks @​DylanPiercey! - Fix escaping for <html-comment> tag. Previously this tag relied on normal xml escaping which looks for <. This PR updates to have a special escape for <html-comment> tags that replaces > instead.

  // Previously incorrectly escaped.
  <html-comment>${">Uh oh"}</html-comment>

• Updated dependencies [19d4b37, 19d4b37]:

  • @​marko/runtime-tags@​6.0.164

Changelog

Sourced from marko's changelog.

5.38.36

Patch Changes

• #3159 19d4b37 Thanks @​DylanPiercey! - Fix escaping issue for dynamic text interpolation inside <script>, <style>, <html-script> and <html-style> tags.

  The issue was that the escaping logic for those tags used a CASE SENSITIVE search for the closing tag which could be bypassed like so:

  <script>${"</SCRIPT><img src=x onerror=alert('uh oh')>"}</script>

  Note that script and style there should never render unsanitized user defined values, regardless of wether or not the closing tag is escaped, since these are conceptually just "eval".

• #3159 19d4b37 Thanks @​DylanPiercey! - Fix escaping for <html-comment> tag. Previously this tag relied on normal xml escaping which looks for <. This PR updates to have a special escape for <html-comment> tags that replaces > instead.

  // Previously incorrectly escaped.
  <html-comment>${">Uh oh"}</html-comment>

• Updated dependencies [19d4b37, 19d4b37]:

  • @​marko/runtime-tags@​6.0.164

Commits

• 8e7eb50 [ci] release
• 19d4b37 fix: html script, style, and comment escaping
• See full diff in compare view

Updates @types/vscode from 1.115.0 to 1.116.0

Commits

• See full diff in compare view

Updates @vscode/vsce from 3.8.0 to 3.9.0

Release notes

Sourced from @​vscode/vsce's releases.

v3.9.0

Changes:

• #1263: fix: build regressions in 3.8.1
• #1261: Add override for serialize-javascript

This list of changes was auto generated.

v3.8.2-1

Changes:

• #1263: fix: build regressions in 3.8.1

This list of changes was auto generated.

v3.8.2-0

Changes:

• #1261: Add override for serialize-javascript

This list of changes was auto generated.

v3.8.1

Changes:

• #1259: chore: update @​azure/identity to 4.13.1 and modernize TypeScript/Node.js configuration

This list of changes was auto generated.

v3.8.1-0

Changes:

• #1259: chore: update @​azure/identity to 4.13.1 and modernize TypeScript/Node.js configuration

This list of changes was auto generated.

Commits

• 9329b35 fix: build regressions in 3.8.1 (#1263)
• 165b0f2 Add override for serialize-javascript (#1261)
• 7d124ab chore: update @​azure/identity to 4.13.1 and modernize TypeScript/Node.js conf...
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[changeset-bot]

⚠️ No Changeset found

Latest commit: a23a38a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR