Skip to content

chore(deps): bump the production-dependencies group across 1 directory with 9 updates#279

Merged
Avni2000 merged 1 commit into
mainfrom
dependabot/npm_and_yarn/production-dependencies-d6a327d152
Jul 18, 2026
Merged

chore(deps): bump the production-dependencies group across 1 directory with 9 updates#279
Avni2000 merged 1 commit into
mainfrom
dependabot/npm_and_yarn/production-dependencies-d6a327d152

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps the production-dependencies group with 9 updates in the / directory:

Package From To
@codemirror/merge 6.12.1 6.12.2
@jupyterlab/rendermime 4.5.7 4.5.8
@uiw/codemirror-theme-github 4.25.9 4.25.10
@uiw/react-codemirror 4.25.9 4.25.10
dompurify 3.4.2 3.4.10
katex 0.16.45 0.17.0
markdown-it 14.1.1 14.2.0
ws 8.20.0 8.21.0
zustand 5.0.13 5.0.14

Updates @codemirror/merge from 6.12.1 to 6.12.2

Commits

Updates @jupyterlab/rendermime from 4.5.7 to 4.5.8

Release notes

Sourced from @​jupyterlab/rendermime's releases.

v4.5.8

4.5.8

(Full Changelog)

Bugs fixed

Maintenance and upkeep improvements

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​AliMahmoudDev (activity) | @​CrafterKolyan (activity) | @​Darshan808 (activity) | @​krassowski (activity)

Commits

Updates @uiw/codemirror-theme-github from 4.25.9 to 4.25.10

Release notes

Sourced from @​uiw/codemirror-theme-github's releases.

v4.25.10

Buy me a coffee

Documentation v4.25.10: https://raw.githack.com/uiwjs/react-codemirror/5e24acf/index.html
Comparing Changes: uiwjs/react-codemirror@v4.25.9...v4.25.10

npm i @uiw/react-codemirror@4.25.10
Commits

Updates @uiw/react-codemirror from 4.25.9 to 4.25.10

Release notes

Sourced from @​uiw/react-codemirror's releases.

v4.25.10

Buy me a coffee

Documentation v4.25.10: https://raw.githack.com/uiwjs/react-codemirror/5e24acf/index.html
Comparing Changes: uiwjs/react-codemirror@v4.25.9...v4.25.10

npm i @uiw/react-codemirror@4.25.10
Commits

Updates dompurify from 3.4.2 to 3.4.10

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.10

  • Refactored codebase for clarity: extracted the public type declarations into types.ts
  • Decomposed the three largest sanitizer functions into focused helpers
  • Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
  • Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
  • Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
  • Reduced CI cost by running the full three-engine browser suite once per PR
  • Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo
  • Documented the bench and test:happydom scripts in the README
  • Completed the Attack Classes & Bypass History wiki page
  • Bumped several dependencies where possible

DOMPurify 3.4.9

  • Further improved the handling of Trusted Types config options, thanks @​offset
  • Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
  • Added more test coverage for IN_PLACE and Trusted Types related usage
  • Bumped several dependencies where possible
  • Updated README and wiki with more accurate documentation & attack samples

DOMPurify 3.4.8

  • Cleaned up the repository root, renamed some and removed unneeded files
  • Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
  • Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
  • Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
  • Bumped several dependencies where possible

DOMPurify 3.4.7

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @​offset
  • Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

  • Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
  • Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
  • Added more test coverage for IN_PLACE and general DOM Clobbering attacks
  • Bumped several dependencies where possible

DOMPurify 3.4.5

  • Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

DOMPurify 3.4.4

  • Added the selectedcontent element to default allow-list, thanks @​lukewarlow
  • Added the command and commandfor attributes to default allowed-list, thanks @​lukewarlow
  • Added better template scrubbing for IN_PLACE operations, thanks @​DEMON1A
  • Added stronger checks for cross-realm windows, thanks @​DEMON1A & @​fg0x0
  • Updated demo website and made sure it uses the latest from main
  • Updated existing workflows, fuzzer, dependabot, etc., added more tests
  • Bumped several dependencies where possible

... (truncated)

Commits

Updates katex from 0.16.45 to 0.17.0

Release notes

Sourced from katex's releases.

v0.17.0

0.17.0 (2026-05-22)

Performance Improvements

  • simplify defineFunction to avoid destructuring, improve typing (#4222) (fb604e6)

BREAKING CHANGES

  • The internal API for __defineFunction changed: you should no longer wrap properties in props.

v0.16.47

0.16.47 (2026-05-16)

Bug Fixes

v0.16.46

0.16.46 (2026-05-13)

Bug Fixes

Changelog

Sourced from katex's changelog.

0.17.0 (2026-05-22)

Performance Improvements

  • simplify defineFunction to avoid destructuring, improve typing (#4222) (fb604e6)

BREAKING CHANGES

  • The internal API for __defineFunction changed: you should no longer wrap properties in props.

0.16.47 (2026-05-16)

Bug Fixes

0.16.46 (2026-05-13)

Bug Fixes

Commits
  • 3dec549 chore(release): 0.17.0 [ci skip]
  • fb604e6 perf: simplify defineFunction to avoid destructuring, improve typing (#4222)
  • 6caa636 refactor: tighten ParseNode types (#4219)
  • afed784 docs: make first supportive organizations logos bigger (#4216)
  • b02d9ac chore(deps): update dependency webpack-dev-server to v5.2.4 [security] (#4220)
  • 878a61b chore(release): 0.16.47 [ci skip]
  • 7ba0027 fix: correct size of [ big delimiter (#4217)
  • 8a52ddb chore: migrate screenshotter for Safari to GitHub MacOS runner (#4206)
  • 2c25b47 chore(release): 0.16.46 [ci skip]
  • e9ee046 fix: preserve math font in some styling commands (#4214)
  • Additional commits viewable in compare view

Updates markdown-it from 14.1.1 to 14.2.0

Changelog

Sourced from markdown-it's changelog.

[14.2.0] - 2026-05-24

Added

  • isPunctCharCode to utilities.

Fixed

  • Don't end HTML comment blocks on a blank line, #1155.
  • Properly recognize astral chars (surrogates) in delimiter scans for emphasis-like markers, #1072. Big thanks to @​tats-u for his global efforts with improving CJK support.
  • Preserve unicode whitespaces when trimm headings/paragraphs, #1074.
  • More strict entities decode to avoid false positives ;, #1096.
  • Restore block parser state on fail in lheading rule, #1131.

Security

  • Fixed poor smartquotes perfomance on > 70k quotes in single block
  • Bumped linkify-it to 5.0.1 with fixed potential perfomance issues.
Commits

Updates ws from 8.20.0 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits
  • bca91ad [dist] 8.21.0
  • 2b2abd4 [security] Limit retained message parts
  • 78eabe2 [security] Add latest vulnerability to SECURITY.md
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • See full diff in compare view

Updates zustand from 5.0.13 to 5.0.14

Release notes

Sourced from zustand's releases.

v5.0.14

This release fixes a type issue in devtools.

What's Changed

New Contributors

Full Changelog: pmndrs/zustand@v5.0.13...v5.0.14

Commits
  • bfb2a9e 5.0.14
  • 62b2aff chore(deps): update dev dependencies (#3513)
  • ad77bd3 fix(devtools): improve type inference for Devtools initializer (#3511)
  • 8476d2c update pnpm etc (#3512)
  • d690ec2 docs(combine): add object constraints to T and U in signature (#3506)
  • fd8c601 docs(react): add Action constraint to redux middleware signature (#3492)
  • 2ce8226 docs(immer): fix setPerson updater type in usage examples (#3502)
  • 038b938 docs(updating-state): use curried create form with explicit state type (#3503)
  • 60a91b4 docs(devtools): add missing devtools import to troubleshooting example (#3501)
  • efad169 Update FUNDING.json
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…y with 9 updates

Bumps the production-dependencies group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@codemirror/merge](https://github.com/codemirror/merge) | `6.12.1` | `6.12.2` |
| [@jupyterlab/rendermime](https://github.com/jupyterlab/jupyterlab) | `4.5.7` | `4.5.8` |
| [@uiw/codemirror-theme-github](https://github.com/uiwjs/react-codemirror) | `4.25.9` | `4.25.10` |
| [@uiw/react-codemirror](https://github.com/uiwjs/react-codemirror) | `4.25.9` | `4.25.10` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.4.2` | `3.4.10` |
| [katex](https://github.com/KaTeX/KaTeX) | `0.16.45` | `0.17.0` |
| [markdown-it](https://github.com/markdown-it/markdown-it) | `14.1.1` | `14.2.0` |
| [ws](https://github.com/websockets/ws) | `8.20.0` | `8.21.0` |
| [zustand](https://github.com/pmndrs/zustand) | `5.0.13` | `5.0.14` |



Updates `@codemirror/merge` from 6.12.1 to 6.12.2
- [Changelog](https://github.com/codemirror/merge/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codemirror/merge/commits)

Updates `@jupyterlab/rendermime` from 4.5.7 to 4.5.8
- [Release notes](https://github.com/jupyterlab/jupyterlab/releases)
- [Changelog](https://github.com/jupyterlab/jupyterlab/blob/main/RELEASE.md)
- [Commits](https://github.com/jupyterlab/jupyterlab/compare/@jupyterlab/rendermime@4.5.7...@jupyterlab/rendermime@4.5.8)

Updates `@uiw/codemirror-theme-github` from 4.25.9 to 4.25.10
- [Release notes](https://github.com/uiwjs/react-codemirror/releases)
- [Commits](uiwjs/react-codemirror@v4.25.9...v4.25.10)

Updates `@uiw/react-codemirror` from 4.25.9 to 4.25.10
- [Release notes](https://github.com/uiwjs/react-codemirror/releases)
- [Commits](uiwjs/react-codemirror@v4.25.9...v4.25.10)

Updates `dompurify` from 3.4.2 to 3.4.10
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.4.2...3.4.10)

Updates `katex` from 0.16.45 to 0.17.0
- [Release notes](https://github.com/KaTeX/KaTeX/releases)
- [Changelog](https://github.com/KaTeX/KaTeX/blob/main/CHANGELOG.md)
- [Commits](KaTeX/KaTeX@v0.16.45...v0.17.0)

Updates `markdown-it` from 14.1.1 to 14.2.0
- [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md)
- [Commits](markdown-it/markdown-it@14.1.1...14.2.0)

Updates `ws` from 8.20.0 to 8.21.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.20.0...8.21.0)

Updates `zustand` from 5.0.13 to 5.0.14
- [Release notes](https://github.com/pmndrs/zustand/releases)
- [Commits](pmndrs/zustand@v5.0.13...v5.0.14)

---
updated-dependencies:
- dependency-name: "@codemirror/merge"
  dependency-version: 6.12.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@jupyterlab/rendermime"
  dependency-version: 4.5.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@uiw/codemirror-theme-github"
  dependency-version: 4.25.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@uiw/react-codemirror"
  dependency-version: 4.25.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: dompurify
  dependency-version: 3.4.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: katex
  dependency-version: 0.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: markdown-it
  dependency-version: 14.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: zustand
  dependency-version: 5.0.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 6, 2026
@sonarqubecloud

sonarqubecloud Bot commented Jul 6, 2026

Copy link
Copy Markdown

@Avni2000
Avni2000 merged commit 54c1d45 into main Jul 18, 2026
7 checks passed
@Avni2000
Avni2000 deleted the dependabot/npm_and_yarn/production-dependencies-d6a327d152 branch July 18, 2026 05:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant