Skip to content

chore(deps): update all non-major dependencies#2136

Open
chrisbbreuer wants to merge 1 commit into
mainfrom
buddy-bot/update-non-major-updates
Open

chore(deps): update all non-major dependencies#2136
chrisbbreuer wants to merge 1 commit into
mainfrom
buddy-bot/update-non-major-updates

Conversation

@chrisbbreuer

@chrisbbreuer chrisbbreuer commented May 5, 2026
edited
Loading

Copy link
Copy Markdown
Member

This PR contains the following updates:

Package Updates Summary

Type Count
📦 NPM Packages 7
Total 7

📦 npm Dependencies

npm

7 packages will be updated

Package Change Age Adoption Passing Confidence
lodash (source) 4.17.23 -> 4.18.1 age adoption passing confidence
@stacksjs/bunpress (source) 0.1.6 -> 0.1.9 age adoption passing confidence
@stacksjs/clapp (source) 0.2.0 -> 0.2.10 age adoption passing confidence
bunfig (source) 0.15.6 -> 0.15.13 age adoption passing confidence
react (source) 19.2.6 -> 19.2.7 age adoption passing confidence
react-dom (source) 19.2.6 -> 19.2.7 age adoption passing confidence
vue (source) 3.5.0 -> 3.5.35 age adoption passing confidence

Release Notes

lodash/lodash (lodash)

4.17.23 -> 4.18.1

4.18.1

Compare Source

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167#issuecomment-4165269769

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

[View full release notes]

Released by jonchurch on 4/1/2026

4.18.0

Compare Source

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, [879aaa9](lodash/lodash@879aaa931...

[View full release notes]

Released by jonchurch on 3/31/2026

stacksjs/bunpress (@stacksjs/bunpress)

0.1.6 -> 0.1.9

Compare Source

Modern documentation engine. Powered by Bun.

📖 View Release Notes

🔗 View Changelog

Release Notes

Changelog

stacksjs/clapp (@stacksjs/clapp)

0.2.0 -> 0.2.10

v0.2.10

Compare Source

Released by github-actions[bot] on 5/14/2026

v0.2.9

Compare Source

Released by github-actions[bot] on 5/11/2026

v0.2.8

Compare Source

Released by github-actions[bot] on 5/6/2026

stacksjs/bunfig (bunfig)

0.15.6 -> 0.15.13

v0.15.13

Compare Source

Released by github-actions[bot] on 5/8/2026

v0.15.12

Compare Source

Released by github-actions[bot] on 5/8/2026

v0.15.11

Compare Source

Released by github-actions[bot] on 5/2/2026

facebook/react (react)

19.2.6 -> 19.2.7

eslint-plugin-react-hooks@7.1.1

Compare Source

Note: 7.1.0 accidentally removed the component-hook-factories rule, causing errors for users who referenced it in their ESLint config. This is now fixed.

Released by mofeiZ on 4/17/2026

eslint-plugin-react-hooks@7.1.0

Compare Source

This release adds ESLint v10 support, improves performance by skipping compilation for non-React files, and includes compiler lint improvements including better set-state-in-effect detection, improved ref validation, and more helpful error reporting.

[View full release notes]

Released by mofeiZ on 4/17/2026

eslint-plugin-react-hooks@5.0.0

Compare Source

This release only contains eslint-plugin-react-hooks. Notably, new violations and support for ESLint v9 were added.

eslint-plugin-react-hooks

  • New Violations: Component names now need to start with an uppercase letter instead of a non-lowercase letter. This means _Button or _component are no longer valid. ([kassens](https://github.com/kassens)) in #25162
    For example, in 
    function _Component() {
  useState()
  ^^^^^^^^ A React Hook "useState" is called in function "_Component" which is neither a Component nor a custom React Hook function.
}
    _Component should be renamed to Component.

[View full release notes]

Released by eps1lon on 10/11/2024

facebook/react (react-dom)

19.2.6 -> 19.2.7

eslint-plugin-react-hooks@7.1.1

Compare Source

Note: 7.1.0 accidentally removed the component-hook-factories rule, causing errors for users who referenced it in their ESLint config. This is now fixed.

Released by mofeiZ on 4/17/2026

eslint-plugin-react-hooks@7.1.0

Compare Source

This release adds ESLint v10 support, improves performance by skipping compilation for non-React files, and includes compiler lint improvements including better set-state-in-effect detection, improved ref validation, and more helpful error reporting.

[View full release notes]

Released by mofeiZ on 4/17/2026

eslint-plugin-react-hooks@5.0.0

Compare Source

This release only contains eslint-plugin-react-hooks. Notably, new violations and support for ESLint v9 were added.

eslint-plugin-react-hooks

  • New Violations: Component names now need to start with an uppercase letter instead of a non-lowercase letter. This means _Button or _component are no longer valid. ([kassens](https://github.com/kassens)) in #25162
    For example, in 
    function _Component() {
  useState()
  ^^^^^^^^ A React Hook "useState" is called in function "_Component" which is neither a Component nor a custom React Hook function.
}
    _Component should be renamed to Component.

[View full release notes]

Released by eps1lon on 10/11/2024

vuejs/core (vue)

3.5.0 -> 3.5.35

v3.6.0-beta.13

Compare Source

For stable releases, please refer to CHANGELOG.md for details.
For pre-releases, please refer to CHANGELOG.md of the minor branch.

Released by github-actions[bot] on 5/28/2026

v3.5.35

Compare Source

For stable releases, please refer to CHANGELOG.md for details.
For pre-releases, please refer to CHANGELOG.md of the minor branch.

Released by github-actions[bot] on 5/27/2026

v3.6.0-beta.12

Compare Source

For stable releases, please refer to CHANGELOG.md for details.
For pre-releases, please refer to CHANGELOG.md of the minor branch.

Released by github-actions[bot] on 5/15/2026

📊 Package Statistics

  • lodash: 148,126,060 weekly downloads
  • @stacksjs/bunpress: 60,172 weekly downloads
  • @stacksjs/clapp: 66,465 weekly downloads
  • bunfig: 64,078 weekly downloads
  • react: 128,167,860 weekly downloads
  • react-dom: 120,786,869 weekly downloads
  • vue: 11,735,268 weekly downloads

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Buddy 🤖

@netlify

netlify Bot commented May 5, 2026
edited
Loading

Copy link
Copy Markdown

Deploy Preview for ts-quick-reaction failed. Why did it fail? →

Name Link
🔨 Latest commit ea20f1a
🔍 Latest deploy log https://app.netlify.com/projects/ts-quick-reaction/deploys/6a1dc91f760c120008cbac85

@chrisbbreuer chrisbbreuer force-pushed the buddy-bot/update-non-major-updates branch 7 times, most recently from 10912e8 to 8cacb78 Compare May 12, 2026 00:34
@chrisbbreuer chrisbbreuer force-pushed the buddy-bot/update-non-major-updates branch 3 times, most recently from 2066d8d to 0728c6b Compare May 19, 2026 13:06
@chrisbbreuer chrisbbreuer force-pushed the buddy-bot/update-non-major-updates branch 4 times, most recently from b338b91 to f4f316c Compare May 29, 2026 22:32
@chrisbbreuer chrisbbreuer force-pushed the buddy-bot/update-non-major-updates branch from f4f316c to ea20f1a Compare June 1, 2026 18:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies minor npm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@chrisbbreuer