chore(deps): bump the npm_and_yarn group across 1 directory with 9 updates#741
Conversation
…dates Bumps the npm_and_yarn group with 9 updates in the /internal/dev_server/ui directory: | Package | From | To | | --- | --- | --- | | [lodash](https://github.com/lodash/lodash) | `4.17.23` | `4.18.1` | | [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router) | `7.12.0` | `7.15.1` | | [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `6.4.1` | `8.1.4` | | [dompurify](https://github.com/cure53/DOMPurify) | `3.2.4` | `3.4.12` | | [flatted](https://github.com/WebReflection/flatted) | `3.3.1` | `3.4.2` | | [form-data](https://github.com/form-data/form-data) | `4.0.4` | `4.0.6` | | [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.1` | `4.3.0` | | [uuid](https://github.com/uuidjs/uuid) | `8.3.2` | `removed` | | [ws](https://github.com/websockets/ws) | `8.18.0` | `8.21.0` | Updates `lodash` from 4.17.23 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.23...4.18.1) Updates `react-router` from 7.12.0 to 7.15.1 - [Release notes](https://github.com/remix-run/react-router/releases) - [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md) - [Commits](https://github.com/remix-run/react-router/commits/react-router@7.15.1/packages/react-router) Updates `vite` from 6.4.1 to 8.1.4 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.1.4/packages/vite) Updates `dompurify` from 3.2.4 to 3.4.12 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.2.4...3.4.12) Updates `flatted` from 3.3.1 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.1...v3.4.2) Updates `form-data` from 4.0.4 to 4.0.6 - [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md) - [Commits](form-data/form-data@v4.0.4...v4.0.6) Updates `js-yaml` from 4.1.1 to 4.3.0 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.1...4.3.0) Removes `uuid` Updates `ws` from 8.18.0 to 8.21.0 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.18.0...8.21.0) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.18.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: react-router dependency-version: 7.15.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 8.1.4 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.4.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: form-data dependency-version: 4.0.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: js-yaml dependency-version: 4.3.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: uuid dependency-version: dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ws dependency-version: 8.21.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 7936c2e. Configure here.
| "launchdarkly-js-client-sdk": "3.4.0", | ||
| "lodash": "4.17.23", | ||
| "launchdarkly-js-client-sdk": "3.9.3", | ||
| "lodash": "4.18.1", |
There was a problem hiding this comment.
Embedded dist not rebuilt
Medium Severity
Dependency versions were bumped in package.json, but the checked-in dist bundle that go:embed serves was not regenerated. The embedded single-file build still contains older libraries (for example lodash 4.17.23), so the dev server UI users get from the CLI does not actually pick up these updates until npm run build and a new dist commit.
Reviewed by Cursor Bugbot for commit 7936c2e. Configure here.


Bumps the npm_and_yarn group with 9 updates in the /internal/dev_server/ui directory:
4.17.234.18.17.12.07.15.16.4.18.1.43.2.43.4.123.3.13.4.24.0.44.0.64.1.14.3.08.3.2removed8.18.08.21.0Updates
lodashfrom 4.17.23 to 4.18.1Release notes
Sourced from lodash's releases.
Commits
cb0b9b9release(patch): bump main to 4.18.1 (#6177)75535f5chore: prune stale advisory refs (#6170)62e91bcdocs: remove n_ Node.js < 6 REPL note from README (#6165)59be2derelease(minor): bump to 4.18.0 (#6161)af63457fix: broken tests for _.template 879aaa91073a76fix: linting issues879aaa9fix: validate imports keys in _.templatefe8d32efix: block prototype pollution in baseUnset via constructor/prototype traversal18ba0a3refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)b819080ci: add dist sync validation workflow (#6137)Updates
react-routerfrom 7.12.0 to 7.15.1Release notes
Sourced from react-router's releases.
Changelog
Sourced from react-router's changelog.
... (truncated)
Commits
587d08fRelease v7.15.1 (#15038)89996bdFire onError for initial-load errors when RouterProvider mounts late (#15039)4322e58Update docs for useRouterStatefadd6c4Merge branch 'main' into release6bf91cechore: format44c3478fix: prevent fetcher formData flicker and eliminate state.fetchers mutations ...7e6725aCleanup lint issues (#15030)aabd30cUse shared isMutationMethod check (#15033)954a4a6Fix stale SSR data when hydration is aborted by a same-route navigation (#15022)041cd32fix(react-router): Internal preloads refactor to preserve types (#14860)Updates
vitefrom 6.4.1 to 8.1.4Release notes
Sourced from vite's releases.
... (truncated)
Changelog
Sourced from vite's changelog.
... (truncated)
Commits
a477454release: v8.1.4ab5dafafeat(legacy): prefer oxc as minifier (fix #21973) (#22468)173a1b6fix(ssr): align named export function call stacktrace column with Node (#22829)575c32cfix(build): add workaround for building on stackblitz (#22840)72a5e21fix(optimizer): avoid optimizer run for transform request before init (#22852)a9539d6chore(deps): update dependency postcss-modules to v9 (#22867)70435b2docs: fix incorrect@defaultforserver.cors(#22859)2c4a217build: remove the custom onLog function (#22878)c581b55build: replace deprecatedonwarnwithonLog(#22741)ea22fb3refactor: eliminate ineffectiveDynamicImport warn (#22876)Updates
dompurifyfrom 3.2.4 to 3.4.12Release notes
Sourced from dompurify's releases.
... (truncated)
Commits
a9ca1e5release: 3.4.12 (#1537)0cae518release: 3.4.11 (#1494)6ee5716release: 3.4.10 (#1478)5210247release: 3.4.9 (#1459)bcdd828release: 3.4.8 (#1439)ca30f07release: 3.4.7 (#1414)bb7739erelease: 3.4.6 (#1394)011b0c7release: 3.4.5 (#1382)5817ad9release: 3.4.4 (#1374)520edb0release: 3.4.3 (#1352)Install script changes
This version adds
preparescript that runs during installation. Review the package contents before updating.Updates
flattedfrom 3.3.1 to 3.4.2Commits
3bf09093.4.2885ddccfix CWE-13210bdba70added flatted-view to the benchmark2a02dce3.4.1fba4e8fMerge pull request #89 from WebReflection/python-fix5fe8648added "when in Rome" also a test for PHP53517adsome minor improvementb3e2a0cFixing recursion issue in Python tooc4b46dbAdd SECURITY.md for security policy and reportingf86d071Create dependabot.yml for version updatesUpdates
form-datafrom 4.0.4 to 4.0.6Changelog
Sourced from form-data's changelog.
Commits
64190dbv4.0.692ae0eb[Deps] updatehasown,mime-typesf31d21e[Dev Deps] update@ljharb/eslint-config,auto-changelog,tape8dff42c[Fix] escape CR, LF, and"in field names and filenames67b0f65[Dev Deps] updatejs-randomness-predictor68ff7ddv4.0.55822467[Dev Deps] update@ljharb/eslint-config,eslint76d0dee[Fix] set Symbol.toStringTag in the proper place16e0076[Tests] Switch to newer v8 prediction library; enable node 24 testingUpdates
js-yamlfrom 4.1.1 to 4.3.0Changelog
Sourced from js-yaml's changelog.
... (truncated)
Commits
33d05b54.3.0 released663bfabDrop demo publish, to not override new v5 one.1cb8c7bAdd v4-legacy tag for publish02f27afRestore umd builds back to es58be84edFix es5 compatibility59423c6ReplacemaxMergeSeqLengthoption withmaxTotalMergeKeys(more robust). Ba...6842ef6doc polish590dbab4.2.0 releasedf944dc5Add package.json funding fieldf692719Changelog updateRemoves
uuidUpdates
wsfrom 8.18.0 to 8.21.0Release notes
Sourced from ws's releases.
... (truncated)
Commits
bca91ad[dist] 8.21.02b2abd4[security] Limit retained message parts78eabe2[security] Add latest vulnerability to SECURITY.md5d9b316[dist] 8.20.1c0327ec[security] Fix uninitialized memory disclosure inwebsocket.close()ce2a3d6[ci] Test on node 2658e45b8[ci] Do not test on node 255f26c24[ci] Run the lint step on node 248439255[dist] 8.20.0d3503c1[minor] Export thePerMessageDeflateclass and header utilsDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsYou can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Medium Risk
Major Vite/Vitest/plugin upgrades can break
npm run build/testand CI Node versions; lodash and transitive ws/js-yaml bumps are security-motivated but still warrant a local rebuild ofdistbefore merge.Overview
Updates
internal/dev_server/uidependency versions inpackage.jsonandpackage-lock.jsononly—no application source changes.Runtime:
lodash4.17.23 → 4.18.1 (prototype-pollution and_.templateinjection fixes),launchdarkly-js-client-sdk3.4.0 → 3.9.3, andreact-router7.12.0 → 7.15.1.Build/test toolchain: Vite 6.4.1 → 8.1.4 (bundler stack shifts to Rolldown instead of Rollup/esbuild in the lockfile),
@vitejs/plugin-react6.0.3, Vitest 4.1.10, andvite-plugin-singlefile2.3.3. Vite 8’s declared Node requirement is^20.19.0 || >=22.12.0.The lockfile also pulls in transitive security/maintenance bumps (e.g. dompurify, ws, js-yaml) and drops
uuidfrom the LaunchDarkly client SDK dependency tree.Reviewed by Cursor Bugbot for commit 7936c2e. Bugbot is set up for automated code reviews on this repo. Configure here.