Skip to content

Bump the npm_and_yarn group across 2 directories with 10 updates#153

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-98999c7adf
Closed

Bump the npm_and_yarn group across 2 directories with 10 updates#153
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-98999c7adf

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Feb 20, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 1 update in the / directory: devalue.
Bumps the npm_and_yarn group with 7 updates in the /docs directory:

Package From To
devalue 5.1.1 5.6.3
brace-expansion 2.0.1 2.0.2
js-yaml 4.1.0 4.1.1
js-yaml 3.14.1 3.14.2
glob 10.4.5 10.5.0
tar 7.4.3 7.5.9
astro 5.4.2 5.17.3
mdast-util-to-hast 13.2.0 13.2.1

Updates devalue from 5.6.2 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays
Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays
Commits

Updates devalue from 5.1.1 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays
Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays
Commits

Updates brace-expansion from 2.0.1 to 2.0.2

Release notes

Sourced from brace-expansion's releases.

v2.0.2

  • pkg: publish on tag 2.x 14f1d91
  • fmt ed7780a
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

juliangruber/brace-expansion@v2.0.1...v2.0.2

Commits

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates glob from 10.4.5 to 10.5.0

Commits

Updates tar from 7.4.3 to 7.5.9

Changelog

Sourced from tar's changelog.

Changelog

7.5

  • Added zstd compression support.
  • Consistent TOCTOU behavior in sync t.list
  • Only read from ustar block if not specified in Pax
  • Fix sync tar.list when file size reduces while reading
  • Sanitize absolute linkpaths properly
  • Prevent writing hardlink entries to the archive ahead of their file target

7.4

  • Deprecate onentry in favor of onReadEntry for clarity.

7.3

  • Add onWriteEntry option

7.2

  • DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

  • Update minipass to v7.1.0
  • Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

  • Drop support for node <18
  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates astro from 5.4.2 to 5.17.3

Release notes

Sourced from astro's releases.

astro@5.17.3

Patch Changes

  • #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

  • #15569 e01e98b Thanks @​matthewp! - Respect image allowlists when inferring remote image sizes and reject remote redirects.

astro@5.17.2

Patch Changes

  • c13b536 Thanks @​matthewp! - Improves Host header handling for SSR deployments behind proxies

astro@5.17.1

Patch Changes

  • #15334 d715f1f Thanks @​florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

    Removes the getFontBuffer() helper function exported from astro:assets when using the experimental Fonts API

    This experimental feature introduced in v15.6.13 ended up causing significant memory usage during build. This feature has been removed and will be reintroduced after further exploration and testing.

    If you were relying on this function, you can replicate the previous behavior manually:

    • On prerendered routes, read the file using node:fs
    • On server rendered routes, fetch files using URLs from fontData and context.url

astro@5.17.0

Minor Changes

  • #14932 b19d816 Thanks @​patrickarlt! - Adds support for returning a Promise from the parser() option of the file() loader

    This enables you to run asynchronous code such as fetching remote data or using async parsers when loading files with the Content Layer API.

    For example:

    import { defineCollection } from 'astro:content';
    import { file } from 'astro/loaders';
    const blog = defineCollection({
    loader: file('src/data/blog.json', {
    parser: async (text) => {
    const data = JSON.parse(text);
      // Perform async operations like fetching additional data
      const enrichedData = await fetch(`https://api.example.com/enrich`, {
        method: 'POST',
        body: JSON.stringify(data),
      }).then((res) =&gt; res.json());

... (truncated)

Changelog

Sourced from astro's changelog.

5.17.3

Patch Changes

  • #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

  • #15569 e01e98b Thanks @​matthewp! - Respect image allowlists when inferring remote image sizes and reject remote redirects.

5.17.2

Patch Changes

  • c13b536 Thanks @​matthewp! - Improves Host header handling for SSR deployments behind proxies

5.17.1

Patch Changes

  • #15334 d715f1f Thanks @​florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

    Removes the getFontBuffer() helper function exported from astro:assets when using the experimental Fonts API

    This experimental feature introduced in v15.6.13 ended up causing significant memory usage during build. This feature has been removed and will be reintroduced after further exploration and testing.

    If you were relying on this function, you can replicate the previous behavior manually:

    • On prerendered routes, read the file using node:fs
    • On server rendered routes, fetch files using URLs from fontData and context.url

5.17.0

Minor Changes

  • #14932 b19d816 Thanks @​patrickarlt! - Adds support for returning a Promise from the parser() option of the file() loader

    This enables you to run asynchronous code such as fetching remote data or using async parsers when loading files with the Content Layer API.

    For example:

    import { defineCollection } from 'astro:content';
    import { file } from 'astro/loaders';
    const blog = defineCollection({
    loader: file('src/data/blog.json', {
    parser: async (text) => {
    const data = JSON.parse(text);
      // Perform async operations like fetching additional data
      const enrichedData = await fetch(`https://api.example.com/enrich`, {
        method: 'POST',

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for astro since your current version.


Updates diff from 5.2.0 to 8.0.3

Changelog

Sourced from diff's changelog.

8.0.3

  • #631 - fix support for using an Intl.Segmenter with diffWords. This has been almost completely broken since the feature was added in v6.0.0, since it would outright crash on any text that featured two consecutive newlines between a pair of words (a very common case).
  • #635 - small tweaks to tokenization behaviour of diffWords when used without an Intl.Segmenter. Specifically, the soft hyphen (U+00AD) is no longer considered to be a word break, and the multiplication and division signs (× and ÷) are now treated as punctuation instead of as letters / word characters.
  • #641 - the format of file headers in createPatch etc. patches can now be customised somewhat. It now takes a headerOptions option that can be used to disable the file headers entirely, or omit the Index: line and/or the underline. In particular, this was motivated by a request to make jsdiff patches compatible with react-diff-view, which they now are if produced with headerOptions: FILE_HEADERS_ONLY.
  • #647 and #649 - fix denial-of-service vulnerabilities in parsePatch whereby adversarial input could cause a memory-leaking infinite loop, typically crashing the calling process. Also fixed ReDOS vulnerabilities whereby adversarially-crafted patch headers could take cubic time to parse. Now, parsePatch should reliably take linear time. (Handling of headers that include the line break characters \r, \u2028, or \u2029 in non-trailing positions is also now more reasonable as side effect of the fix.)

8.0.2

  • #616 Restored compatibility of diffSentences with old Safari versions. This was broken in 8.0.0 by the introduction of a regex with a lookbehind assertion; these weren't supported in Safari prior to version 16.4.
  • #612 Improved tree shakeability by marking the built CJS and ESM packages with sideEffects: false.

8.0.1

  • #610 Fixes types for diffJson which were broken by 8.0.0. The new bundled types in 8.0.0 only allowed diffJson to be passed string arguments, but it should've been possible to pass either strings or objects (and now is). Thanks to Josh Kelley for the fix.

8.0.0

  • #580 Multiple tweaks to diffSentences:
    • tokenization no longer takes quadratic time on pathological inputs (reported as a ReDOS vulnerability by Snyk); is now linear instead
    • the final sentence in the string is now handled the same by the tokenizer regardless of whether it has a trailing punctuation mark or not. (Previously, "foo. bar." tokenized to ["foo.", " ", "bar."] but "foo. bar" tokenized to ["foo.", " bar"] - i.e. whether the space between sentences was treated as a separate token depended upon whether the final sentence had trailing punctuation or not. This was arbitrary and surprising; it is no longer the case.)
    • in a string that starts with a sentence end, like "! hello.", the "!" is now treated as a separate sentence
    • the README now correctly documents the tokenization behaviour (it was wrong before)
  • #581 - fixed some regex operations used for tokenization in diffWords taking O(n^2) time in pathological cases
  • #595 - fixed a crash in patch creation functions when handling a single hunk consisting of a very large number (e.g. >130k) of lines. (This was caused by spreading indefinitely-large arrays to .push() using .apply or the spread operator and hitting the JS-implementation-specific limit on the maximum number of arguments to a function, as shown at https://stackoverflow.com/a/56809779/1709587; thus the exact threshold to hit the error will depend on the environment in which you were running JsDiff.)
  • #596 - removed the merge function. Previously JsDiff included an undocumented function called merge that was meant to, in some sense, merge patches. It had at least a couple of serious bugs that could lead to it returning unambiguously wrong results, and it was difficult to simply "fix" because it was unclear precisely what it was meant to do. For now, the fix is to remove it entirely.
  • #591 - JsDiff's source code has been rewritten in TypeScript. This change entails the following changes for end users:
    • the diff package on npm now includes its own TypeScript type definitions. Users who previously used the @types/diff npm package from DefinitelyTyped should remove that dependency when upgrading JsDiff to v8.

      Note that the transition from the DefinitelyTyped types to JsDiff's own type definitions includes multiple fixes and also removes many exported types previously used for options arguments to diffing and patch-generation functions. (There are now different exported options types for abortable calls - ones with a timeout or maxEditLength that may give a result of undefined - and non-abortable calls.) See the TypeScript section of the README for some usage tips.

    • The Diff object is now a class. Custom extensions of Diff, as described in the "Defining custom diffing behaviors" section of the README, can therefore now be done by writing a class CustomDiff extends Diff and overriding methods, instead of the old way based on prototype inheritance. (I think code that did things the old way should still work, though!)

    • diff/lib/index.es6.js and diff/lib/index.mjs no longer exist, and the ESM version of the library is no longer bundled into a single file.

    • The ignoreWhitespace option for diffWords is no longer included in the type declarations. The effect of passing ignoreWhitespace: true has always been to make diffWords just call diffWordsWithSpace instead, which was confusing, because that behaviour doesn't seem properly described as "ignoring" whitespace at all. The property remains available to non-TypeScript applications for the sake of backwards compatibility, but TypeScript applications will now see a type error if they try to pass ignoreWhitespace: true to diffWords and should change their code to call diffWordsWithSpace instead.

    • JsDiff no longer purports to support ES3 environments. (I'm pretty sure it never truly did, despite claiming to in its README, since even the 1.0.0 release used Array.map which was added in ES5.)

  • #601 - diffJson's stringifyReplacer option behaves more like JSON.stringify's replacer argument now. In particular:
    • Each key/value pair now gets passed through the replacer once instead of twice
    • The key passed to the replacer when the top-level object is passed in as value is now "" (previously, was undefined), and the key passed with an array element is the array index as a string, like "0" or "1" (previously was whatever the key for the entire array was). Both the new behaviours match that of JSON.stringify.
  • #602 - diffing functions now consistently return undefined when called in async mode (i.e. with a callback). Previously, there was an odd quirk where they would return true if the strings being diffed were equal and undefined otherwise.

7.0.0

Just a single (breaking) bugfix, undoing a behaviour change introduced accidentally in 6.0.0:

  • #554 diffWords treats numbers and underscores as word characters again. This behaviour was broken in v6.0.0.

6.0.0

... (truncated)

Commits
  • 13576bf 8.0.3 release (#652)
  • 1179ccb Ignore .zed (#651)
  • 949d6e2 Add test for the vuln I just fixed (#650)
  • 15a1585 Fix the second denial-of-service vulnerability in parsePatch (#649)
  • de95cca Fix potentially cubic-time regex in parsePatch (#647)
  • b9aeede Allow more customisation of file headers in patches (#641)
  • 43c716c Merge pull request #636 from kpdecker/dependabot/npm_and_yarn/node-forge-1.3.2
  • b8162c7 Bump node-forge from 1.3.1 to 1.3.2
  • ad6dc17 Fix some bugs in the diffWords regex (and errors & ambiguities in the comment...
  • 3e1774a Fix a comment typo (#633)
  • Additional commits viewable in compare view

Updates h3 from 1.15.1 to 1.15.5

Release notes

Sourced from h3's releases.

v1.15.5

compare changes

[!IMPORTANT] Security: Fixed a bug in readBody(event) and readRawBody(event) utils where certain Transfer-Encoding header formats could cause the request body to be ignored.

In some deployments (for example, behind TCP load balancers or non-normalizing proxies), this could allow request smuggling. The handling is now safe and fully compliant. (read more)

🩹 Fixes

  • readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

v1.15.4

compare changes

🩹 Fixes

  • getRequestHost: Return first host from x-forwarded-host (#1175)

💅 Refactors

  • useSession: Backport SessionManager interface to fix types (#1058)

🏡 Chore

  • docs: Fix typos (#1108)

❤️ Contributors

v1.15.3

compare changes

🩹 Fixes

  • serveStatic: Omit decoded id from statusMessage (#1044)

v1.15.2

compare changes

🩹 Fixes

  • Handle FormData body (3757072 f38dd03 0c9b276)
  • cache: Correct comparison in cache headers (#1034)
  • Handle Headers when merging proxy headers (#1027)
  • setCookie: Unique by name, domain, and path only (#1042)

... (truncated)

Changelog

Sourced from h3's changelog.

v1.15.5

compare changes

🩹 Fixes

  • readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

🏡 Chore

🤖 CI

❤️ Contributors

v1.15.4

compare changes

🩹 Fixes

  • serveStatic: Omit decoded id from statusMessage (#1044)
  • getRequestHost: Return first host from x-forwarded-host (#1175)

💅 Refactors

  • useSession: Backport SessionManager interface to fix types (#1058)

📦 Build

  • Update repository field (d94b09a)

🏡 Chore

... (truncated)

Commits
  • 24231b9 chore(release): v1.15.5
  • bd92b74 chore: fix more ts/lint issues
  • d18c074 chore: update deps
  • c9ebf80 chore: fix ts issue
  • 618ccf4 fix(readRawBody): fix case-sensitive Transfer-Encoding check causing reques...
  • 401c9b8 ci: fix publish tag
  • 589625c chore: update publish tag to 1.x
  • b4dce71 chore: update ci
  • 0a4a115 chore: add test:types script
  • c934599 chore: update ci
  • Additional commits viewable in compare view

Updates mdast-util-to-hast from 13.2.0 to 13.2.1

Release notes

Sourced from mdast-util-to-hast's releases.

13.2.1

Fix

  • ab3a795 Fix support for spaces in class names

Types

  • efb5312 Refactor to use @imports
  • a5bc210 Add declaration maps

Full Changelog: syntax-tree/mdast-util-to-hast@13.2.0...13.2.1

Commits

Updates vite from 6.3.4 to 6.4.1

Release notes

Sourced from vite's releases.

create-vite@6.4.1

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

v6.3.6

Please refer to CHANGELOG.md for details.

v6.3.5

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.0-beta.15 (2026-02-19)

Features

Bug Fixes

  • dev: only treat EADDRINUSE as port conflict in wildcard pre-check (#21642) (e54e25f)
  • dev: prevent concurrent server restarts (#21636) (8ce23a3)
  • dev: return "502 Bad Gateway" on proxy failures instead of 500 (#21652) (e240df2)

Performance Improvements

  • ssr: skip circular import check for already-evaluated modules (#21632) (235140b)
  • use tsconfig cache for oxc transform in dev (#21643) (57ff177)

Miscellaneous Chores

  • deps: remove fdir and @rollup/plugin-commonjs (#21639) (5abffd5)
  • deps: update dependency @​rollup/plugin-alias to v6 (#21097) (44b5bdf)

8.0.0-beta.14 (2026-02-12)

Features

Bug Fixes

  • clear tsconfig cache only when tsconfig.json is cached (#21622) (50c9675)
  • deps: update all non-major dependencies (#21594) (becdc5d)
  • lib: CSS injection point error with nested name IIFE output (#21606) (5003de6)
  • module-runner: incorrect column with sourcemapInterceptor: "prepareStackTrace" (#21562) (416c095)
  • module-runner: prevent crash on negative column in stacktrace (#21585) (a075590)
  • rolldownOptions/rollupOptions merging at environment level (#21612) (db2ecc7)

Miscellaneous Chores

  • fix broken link for future deprecations (#21603) (25f4501)
  • update customResolver deprecation message to mention enforce: 'pre' (#21576) (2ce34d5)

Code Refactoring

Tests

... (truncated)

Commits
  • 175a839 fix: reject requests with # in request-target (#19830)
  • e2e11b1 fix(module-runner): allow already resolved id as entry (#19768)
  • 7200dee fix: correct the behavior when multiple transform filter options are specifie...
  • b125172 fix(css): remove empty chunk imports correctly when chunk file name contained...
  • 8fe3538 test: tweak generateCodeFrame test (#19812)
  • 36935b5 fix(types): remove the keepProcessEnv from the DefaultEnvironmentOptions ...
  • a0e1a04 docs(vite): fix description of transformIndexHtml hook (#19799)
  • 71227be fix: unbundle fdir to fix commonjsOptions.dynamicRequireTargets (#19791)
  • f530a72 fix(dev): make query selector regexes more inclusive (fix #19213) (#19767)
  • 2fa1495 fix: keep entry asset files imported by other files (#19779)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 1 update in the / directory: [devalue](https://github.com/sveltejs/devalue).
Bumps the npm_and_yarn group with 7 updates in the /docs directory:

| Package | From | To |
| --- | --- | --- |
| [devalue](https://github.com/sveltejs/devalue) | `5.1.1` | `5.6.3` |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) | `2.0.1` | `2.0.2` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `3.14.1` | `3.14.2` |
| [glob](https://github.com/isaacs/node-glob) | `10.4.5` | `10.5.0` |
| [tar](https://github.com/isaacs/node-tar) | `7.4.3` | `7.5.9` |
| [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) | `5.4.2` | `5.17.3` |
| [mdast-util-to-hast](https://github.com/syntax-tree/mdast-util-to-hast) | `13.2.0` | `13.2.1` |



Updates `devalue` from 5.6.2 to 5.6.3
- [Release notes](https://github.com/sveltejs/devalue/releases)
- [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md)
- [Commits](sveltejs/devalue@v5.6.2...v5.6.3)

Updates `devalue` from 5.1.1 to 5.6.3
- [Release notes](https://github.com/sveltejs/devalue/releases)
- [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md)
- [Commits](sveltejs/devalue@v5.6.2...v5.6.3)

Updates `brace-expansion` from 2.0.1 to 2.0.2
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v2.0.1...v2.0.2)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `glob` from 10.4.5 to 10.5.0
- [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
- [Commits](isaacs/node-glob@v10.4.5...v10.5.0)

Updates `tar` from 7.4.3 to 7.5.9
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.4.3...v7.5.9)

Updates `astro` from 5.4.2 to 5.17.3
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/astro@5.17.3/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@5.17.3/packages/astro)

Updates `diff` from 5.2.0 to 8.0.3
- [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md)
- [Commits](kpdecker/jsdiff@v5.2.0...v8.0.3)

Updates `h3` from 1.15.1 to 1.15.5
- [Release notes](https://github.com/h3js/h3/releases)
- [Changelog](https://github.com/h3js/h3/blob/v1.15.5/CHANGELOG.md)
- [Commits](h3js/h3@v1.15.1...v1.15.5)

Updates `mdast-util-to-hast` from 13.2.0 to 13.2.1
- [Release notes](https://github.com/syntax-tree/mdast-util-to-hast/releases)
- [Commits](syntax-tree/mdast-util-to-hast@13.2.0...13.2.1)

Updates `vite` from 6.3.4 to 6.4.1
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/create-vite@6.4.1/packages/vite)

---
updated-dependencies:
- dependency-name: devalue
  dependency-version: 5.6.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: devalue
  dependency-version: 5.6.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 2.0.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: glob
  dependency-version: 10.5.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: astro
  dependency-version: 5.17.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: diff
  dependency-version: 8.0.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: h3
  dependency-version: 1.15.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: mdast-util-to-hast
  dependency-version: 13.2.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 6.4.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 20, 2026
@vercel

vercel Bot commented Feb 20, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
ephira Ready Ready Preview, Comment Feb 20, 2026 6:26pm

@dependabot @github

dependabot Bot commented on behalf of github Feb 28, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #157.

@dependabot dependabot Bot closed this Feb 28, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-98999c7adf branch February 28, 2026 11:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants