Skip to content

chore(deps): bump the npm_and_yarn group across 5 directories with 6 updates#2436

Closed
everettbu wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/examples/caching/with-nextjs-13-server-components/npm_and_yarn-f4e8cdfd18
Closed

chore(deps): bump the npm_and_yarn group across 5 directories with 6 updates#2436
everettbu wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/examples/caching/with-nextjs-13-server-components/npm_and_yarn-f4e8cdfd18

Conversation

@everettbu

Copy link
Copy Markdown

Mirror of supabase/supabase#43770
Original author: app/dependabot


Bumps the npm_and_yarn group with 1 update in the /examples/caching/with-nextjs-13-server-components directory: flatted.
Bumps the npm_and_yarn group with 1 update in the /examples/todo-list/nextjs-todo-list directory: flatted.
Bumps the npm_and_yarn group with 3 updates in the /examples/user-management/ionic-angular-user-management directory: express-rate-limit, flatted and hono.
Bumps the npm_and_yarn group with 4 updates in the /examples/user-management/nuxt3-user-management directory: devalue, flatted, svgo and unhead.
Bumps the npm_and_yarn group with 1 update in the /examples/user-management/sveltekit-user-management directory: devalue.

Updates flatted from 3.2.7 to 3.4.1

Commits
  • 2a02dce 3.4.1
  • fba4e8f Merge pull request #89 from WebReflection/python-fix
  • 5fe8648 added "when in Rome" also a test for PHP
  • 53517ad some minor improvement
  • b3e2a0c Fixing recursion issue in Python too
  • c4b46db Add SECURITY.md for security policy and reporting
  • f86d071 Create dependabot.yml for version updates
  • d3418c7 3.4.0
  • 7eb65d8 Merge pull request #88 from WebReflection/avoid-recusrion
  • 7774aae Avoid recursion on parse due possible shenanigans
  • Additional commits viewable in compare view

Updates flatted from 3.2.7 to 3.4.1

Commits
  • 2a02dce 3.4.1
  • fba4e8f Merge pull request #89 from WebReflection/python-fix
  • 5fe8648 added "when in Rome" also a test for PHP
  • 53517ad some minor improvement
  • b3e2a0c Fixing recursion issue in Python too
  • c4b46db Add SECURITY.md for security policy and reporting
  • f86d071 Create dependabot.yml for version updates
  • d3418c7 3.4.0
  • 7eb65d8 Merge pull request #88 from WebReflection/avoid-recusrion
  • 7774aae Avoid recursion on parse due possible shenanigans
  • Additional commits viewable in compare view

Updates express-rate-limit from 8.2.1 to 8.3.1

Release notes

Sourced from express-rate-limit's releases.

v8.3.1

You can view the changelog here.

v8.3.0

You can view the changelog here.

Commits
  • 47e5b29 8.3.1
  • eb61179 v8.3.1 changelog
  • a17377d Fix broken link for contributing guide
  • 5aa3f6c fix: revert the dts-bundle-generator update
  • 06dea83 ci: run test on node 20, 22, 24, 25 and drop 18 as it reached eol
  • c86a27d chore: update dependencies
  • 8898ffa chore: migrate biome schema and run formatter
  • dd544fd docs: update changelog with backported releases
  • 9c90752 ci: setup oidc connect with npm for automatatic publish
  • e4477fa 8.3.0
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for express-rate-limit since your current version.


Updates flatted from 3.3.4 to 3.4.1

Commits
  • 2a02dce 3.4.1
  • fba4e8f Merge pull request #89 from WebReflection/python-fix
  • 5fe8648 added "when in Rome" also a test for PHP
  • 53517ad some minor improvement
  • b3e2a0c Fixing recursion issue in Python too
  • c4b46db Add SECURITY.md for security policy and reporting
  • f86d071 Create dependabot.yml for version updates
  • d3418c7 3.4.0
  • 7eb65d8 Merge pull request #88 from WebReflection/avoid-recusrion
  • 7774aae Avoid recursion on parse due possible shenanigans
  • Additional commits viewable in compare view

Updates hono from 4.12.3 to 4.12.7

Release notes

Sourced from hono's releases.

v4.12.7

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.


Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.5...v4.12.6

v4.12.5

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

... (truncated)

Commits

Updates devalue from 5.0.0 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

  • 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

    This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

  • 40f1db1: fix: ensure sparse array indices are integers

  • 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

    This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

  • 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

  • a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
  • a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

  • 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

  • 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

  • 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

    This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

  • 40f1db1: fix: ensure sparse array indices are integers

  • 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

    This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

  • 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

  • a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
  • a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

  • 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.


Updates flatted from 3.3.1 to 3.4.1

Commits
  • 2a02dce 3.4.1
  • fba4e8f Merge pull request #89 from WebReflection/python-fix
  • 5fe8648 added "when in Rome" also a test for PHP
  • 53517ad some minor improvement
  • b3e2a0c Fixing recursion issue in Python too
  • c4b46db Add SECURITY.md for security policy and reporting
  • f86d071 Create dependabot.yml for version updates
  • d3418c7 3.4.0
  • 7eb65d8 Merge pull request #88 from WebReflection/avoid-recusrion
  • 7774aae Avoid recursion on parse due possible shenanigans
  • Additional commits viewable in compare view

Updates svgo from 3.3.2 to 3.3.3

Release notes

Sourced from svgo's releases.

v3.3.3

What's Changed

Dependencies

  • Migrates from our unsupported fork of sax (@​trysound/sax) to the upstream version of sax (sax).

Bug Fixes

  • No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

v3.3.2 v3.3.3 Delta
svgo.browser.js 910.9 kB 912.9 kB ⬆️ 2 kB

Support

SVGO v3 is not officially supported, please consider upgrading to SVGO v4 instead. We've backported this fix as there are security implications, but there is no commitment to do this for more complex changes in future.

Consider reading our Migration Guide from v3 to v4 which should ease the process.

Commits

Updates unhead from 1.9.16 to 2.1.12

Release notes

Sourced from unhead's releases.

v2.1.12

   🐞 Bug Fixes

    View changes on GitHub

v2.1.11

    ⚠️ Security

  • Fixed XSS bypass in useHeadSafe via attribute name injection (GHSA-g5xx-pwrp-g3fv). Users handling untrusted input with useHeadSafe should upgrade immediately.

   🐞 Bug Fixes

    View changes on GitHub

v2.1.10

   🐞 Bug Fixes

    View changes on GitHub

v2.1.9

   🐞 Bug Fixes

    View changes on GitHub

v2.1.8

   🐞 Bug Fixes

    View changes on GitHub

v2.1.7

   🐞 Bug Fixes

    View changes on GitHub

v2.1.6

   🐞 Bug Fixes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for unhead since your current version.


Updates devalue from 5.1.1 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

  • 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

    This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

  • 40f1db1: fix: ensure sparse array indices are integers

  • 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

    This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

  • 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

  • a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
  • a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

  • 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

  • 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

  • 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

    This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

  • 40f1db1: fix: ensure sparse array indices are integers

  • 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

    This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

  • 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

  • a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
  • a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

  • 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting ``@dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • ``@dependabot rebase will rebase this PR
  • ``@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • ``@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • ``@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • ``@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • ``@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • ``@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • ``@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

…updates

Bumps the npm_and_yarn group with 1 update in the /examples/caching/with-nextjs-13-server-components directory: [flatted](https://github.com/WebReflection/flatted).
Bumps the npm_and_yarn group with 1 update in the /examples/todo-list/nextjs-todo-list directory: [flatted](https://github.com/WebReflection/flatted).
Bumps the npm_and_yarn group with 3 updates in the /examples/user-management/ionic-angular-user-management directory: [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit), [flatted](https://github.com/WebReflection/flatted) and [hono](https://github.com/honojs/hono).
Bumps the npm_and_yarn group with 4 updates in the /examples/user-management/nuxt3-user-management directory: [devalue](https://github.com/sveltejs/devalue), [flatted](https://github.com/WebReflection/flatted), [svgo](https://github.com/svg/svgo) and [unhead](https://github.com/unjs/unhead/tree/HEAD/packages/unhead).
Bumps the npm_and_yarn group with 1 update in the /examples/user-management/sveltekit-user-management directory: [devalue](https://github.com/sveltejs/devalue).


Updates `flatted` from 3.2.7 to 3.4.1
- [Commits](WebReflection/flatted@v3.2.7...v3.4.1)

Updates `flatted` from 3.2.7 to 3.4.1
- [Commits](WebReflection/flatted@v3.2.7...v3.4.1)

Updates `express-rate-limit` from 8.2.1 to 8.3.1
- [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases)
- [Commits](express-rate-limit/express-rate-limit@v8.2.1...v8.3.1)

Updates `flatted` from 3.3.4 to 3.4.1
- [Commits](WebReflection/flatted@v3.2.7...v3.4.1)

Updates `hono` from 4.12.3 to 4.12.7
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.3...v4.12.7)

Updates `devalue` from 5.0.0 to 5.6.4
- [Release notes](https://github.com/sveltejs/devalue/releases)
- [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md)
- [Commits](sveltejs/devalue@v5.0.0...v5.6.4)

Updates `flatted` from 3.3.1 to 3.4.1
- [Commits](WebReflection/flatted@v3.2.7...v3.4.1)

Updates `svgo` from 3.3.2 to 3.3.3
- [Release notes](https://github.com/svg/svgo/releases)
- [Commits](svg/svgo@v3.3.2...v3.3.3)

Updates `unhead` from 1.9.16 to 2.1.12
- [Release notes](https://github.com/unjs/unhead/releases)
- [Commits](https://github.com/unjs/unhead/commits/v2.1.12/packages/unhead)

Updates `devalue` from 5.1.1 to 5.6.4
- [Release notes](https://github.com/sveltejs/devalue/releases)
- [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md)
- [Commits](sveltejs/devalue@v5.0.0...v5.6.4)

---
updated-dependencies:
- dependency-name: flatted
  dependency-version: 3.4.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: express-rate-limit
  dependency-version: 8.3.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: devalue
  dependency-version: 5.6.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: svgo
  dependency-version: 3.3.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: unhead
  dependency-version: 2.1.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: devalue
  dependency-version: 5.6.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@everettbu everettbu added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Mar 13, 2026
@everettbu

Copy link
Copy Markdown
Author

Upstream PR was closed or merged. Code is synced via branch mirror.

@everettbu everettbu closed this Mar 13, 2026
@everettbu everettbu deleted the dependabot/npm_and_yarn/examples/caching/with-nextjs-13-server-components/npm_and_yarn-f4e8cdfd18 branch March 13, 2026 22:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant