chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates#1

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-f392628454


@dependabot dependabot Bot commented on behalf of github Jun 29, 2026


Bumps the npm_and_yarn group with 1 update in the / directory: hono.

Updates hono from 4.12.8 to 4.12.25

Release notes

Sourced from hono's releases.

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

v4.12.24

What's Changed

Full Changelog: honojs/hono@v4.12.23...v4.12.24

v4.12.23

What's Changed

Full Changelog: honojs/hono@v4.12.22...v4.12.23

v4.12.22

What's Changed

... (truncated)

Commits

Updates vite-plus from 0.1.13 to 0.2.1

Release notes

Sourced from vite-plus's releases.

vite-plus v0.2.1

Restores support for older Node.js (back to 20.19.0) and makes vp exec --fail-if-no-match fail correctly on unmatched filters.

Fixes & Enhancements

  • Stop blocking older Node.js versions: v0.2.0 blocked commands when the resolved Node.js version fell outside the declared range. This reverts that enforcement and widens engines.node to ^20.19.0 || ^22.18.0 || >=24.11.0, matching Vite's own ^20.19.0 floor, so older Node that works in practice (e.g. Node 20 in rolldown CI) is no longer rejected (#1865), by @fengmk2
  • vp exec --fail-if-no-match: exit non-zero when one or more --filter expressions match no workspace packages. Strict mode previously only warned and returned success, so typoed filters looked successful in CI even though no package command ran (#1859), by @jong-kyung

Bundled Versions

Tool             Version  Source
vite             8.0.16   f94df87
rolldown         1.1.1    d7f919c
tsdown           0.22.3   npm
vitest           4.1.9    npm
oxlint           1.70.0   npm
oxlint-tsgolint  0.23.0   npm
oxfmt            0.55.0   npm

Upgrade

vp upgrade

Upgrading from 0.1.x to 0.2.1 Prompt

You are upgrading a project that uses Vite+ (the `vp` CLI) from v0.1.x to v0.2.1.
v0.2.1 has one breaking change vs v0.1.x: it consumes upstream Vitest directly. The @voidzero-dev/vite-plus-test wrapper package is removed. vitest and the base browser runtime (@vitest/browser, @vitest/browser-preview) now come in transitively through vite-plus. The opt-in browser providers (@vitest/browser-playwright, @vitest/browser-webdriverio) are NOT shipped by vite-plus: any project that runs browser-mode tests must install the provider it uses itself.
Do not run vp migrate for this upgrade; it is not reliable enough yet. Make the changes yourself by editing the project's files, then verify by running the tools.
How to run vp: if a global vp is available, use it. Otherwise this project only ships the local CLI from the vite-plus package, so run vp as the project-local binary (for example via the package manager's exec: pnpm exec, npx, yarn, or bunx). After any install, re-resolve vp so you always run the version currently in the project.
Do the following:

  • Set the vite-plus dependency to the exact version 0.2.1 and reinstall, so the new toolchain is installed and the lockfile moves off 0.1.x. In a monorepo, do this for every workspace package that depends on vite-plus (a shared catalog: entry covers them all at once). Changing the spec to 0.2.1 is what moves the lockfile off the old resolution; a reinstall that leaves the spec unchanged would keep the old version.

  • Remove the @voidzero-dev/vite-plus-test wrapper from the project. Search everywhere it could appear: package.json, the lockfile, any workspace or catalog config (such as pnpm-workspace.yaml or .yarnrc.yml), and the source files. Then classify the project and apply the matching case. Note these are not exclusive: a browser-mode project is also handled by case C in addition to removing the wrapper config.

First, determine the project's Vitest usage:

  • BROWSER MODE: the project runs Vitest in the browser. It does if a config or test file imports a real browser provider (vite-plus/test/browser-playwright or vite-plus/test/browser-webdriverio, or the pre-upgrade raw forms @vitest/browser-playwright / @vitest/browser-webdriverio), or sets test.browser.enabled. This needs extra deps regardless of anything below; see case C.
  • DIRECT vitest usage: a source or test file imports directly from vitest or @vitest/..., or a @vitest/* package is listed in its dependencies (for example a coverage provider). Plain imports from vite-plus/test and vite-plus/test/* do NOT count as direct usage; a vite-plus/test/browser-* provider import is a browser-mode signal (case C), not direct usage.

Case A - node-mode only (no direct vitest usage, no browser mode; the common case): remove the vitest configuration entirely. In package.json, delete the vitest entry from dependencies / devDependencies in whatever form it takes (a @voidzero-dev/vite-plus-test alias, a catalog: reference, or a plain version). Also remove the vitest entry from every dependency-resolution mechanism in the project: both overrides and resolutions, pnpm overrides/catalog (in package.json or pnpm-workspace.yaml), and any catalog entry. If vitest appears in more than one of these, remove all of them. Do not add a pinned vitest; it arrives transitively through vite-plus and the node-mode test command works without it.

Case B - direct vitest usage: pin upstream vitest to the version bundled with vite-plus (4.1.9 for v0.2.1), and upgrade every vitest ecosystem package the project depends on so the whole tree resolves to a single vitest. Set each @vitest/* package the project lists (for example @vitest/coverage-v8, @vitest/ui, @vitest/browser) to that same version (4.1.9), since those are pinned to an exact vitest version. Also update any other vitest integration package (such as vitest-browser-*) to a release compatible with that vitest version. Leaving an ecosystem package on an older version pulls in a second copy of vitest, which Vitest rejects at runtime.

... (truncated)

Commits
  • a0ed270 release: v0.2.1 (#1874)
  • bf5a938 revert: stop blocking older Node.js versions (#1865)
  • aeea7b9 fix(exec): exit non-zero for unmatched filters with --fail-if-no-match (#1859)
  • 6f97f09 release: v0.2.0 (#1856)
  • 6b036e8 feat: allow vp config opt-outs (#1842)
  • 740319f docs: sync command lists with help output (#1850)
  • 9b1ade6 fix(create): preserve shorthand fmt/lint config keys (#1843)
  • 342fd2f refactor!: replace @voidzero-dev/vite-plus-test with upstream vitest (#1588)
  • d764e09 feat(deps): upgrade upstream dependencies (#1834)
  • b8b73de feat(create): approve dependency build scripts blocked by the package manager...
  • Additional commits viewable in compare view

Updates devalue from 5.6.4 to 5.8.1

Release notes

Sourced from devalue's releases.

v5.8.1

Patch Changes

  • 206ca67: fix: force sparse arrays to allocate sparsely

v5.8.0

Minor Changes

  • c5115b0: feat: add stringifyAsync for async serialization

v5.7.1

Patch Changes

  • 8becc7c: fix: handle regexes consistently in uneval's value and reference formats

v5.7.0

Minor Changes

  • df2e284: feat: use native alternatives to encode/decode base64
  • 498656e: feat: add DataView support
  • a210130: feat: whitelist Float16Array
  • df2e284: feat: simplify TypedArray slices

Patch Changes

  • 5590634: fix: get uneval type handling up to parity with stringify
  • 57f73fc: fix: correctly support boxed bigints and sentinel values
Changelog

Sourced from devalue's changelog.

5.8.1

Patch Changes

  • 206ca67: fix: force sparse arrays to allocate sparsely

5.8.0

Minor Changes

  • c5115b0: feat: add stringifyAsync for async serialization

5.7.1

Patch Changes

  • 8becc7c: fix: handle regexes consistently in uneval's value and reference formats

5.7.0

Minor Changes

  • df2e284: feat: use native alternatives to encode/decode base64
  • 498656e: feat: add DataView support
  • a210130: feat: whitelist Float16Array
  • df2e284: feat: simplify TypedArray slices

Patch Changes

  • 5590634: fix: get uneval type handling up to parity with stringify
  • 57f73fc: fix: correctly support boxed bigints and sentinel values
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.
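The CORS issue listed in the hono release notes above (GHSA-88fw-hqm2-52qc) is a configuration trap worth seeing in code: `credentials: true` with the origin left at its wildcard default. The following is an added example, not hono's code and not part of this PR. It re-implements the naive header resolution the advisory describes beside a hardened resolver and a small config audit; the function names, the `{ origin, credentials }` option shape and the hardened behaviour are assumptions for the illustration, not hono's API or its upstream fix.

```javascript
// Added example (not hono's code): the CORS-with-credentials pattern from
// GHSA-88fw-hqm2-52qc as a naive header resolver beside a hardened one, plus
// a config audit that flags the weak combination before it ships.
// Names and the option shape are assumptions for this illustration.

// Naive resolver: with a wildcard default and credentials enabled it echoes
// whatever Origin the request carried, which is the behaviour the advisory fixes.
function resolveCorsNaive(requestOrigin, { origin = '*', credentials = false } = {}) {
  const headers = {};
  if (origin === '*' && credentials) {
    // A wildcard is not valid on a credentialed response, so the naive
    // implementation substitutes the caller's Origin instead of refusing.
    headers['Access-Control-Allow-Origin'] = requestOrigin;
  } else {
    headers['Access-Control-Allow-Origin'] = origin;
  }
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Hardened resolver (assumed design): an Origin is only echoed when it is on
// an explicit allow-list, and a wildcard never combines with credentials, so
// an unknown origin gets no CORS headers at all (the browser then blocks the read).
function resolveCorsHardened(requestOrigin, { origin = '*', credentials = false } = {}) {
  const headers = {};
  const allowList = Array.isArray(origin) ? origin : [origin];
  const isWildcard = allowList.includes('*');

  if (!credentials && isWildcard) {
    // Public, non-credentialed resource: a literal wildcard is fine here.
    headers['Access-Control-Allow-Origin'] = '*';
    return headers;
  }
  if (requestOrigin && allowList.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin'; // per-origin response must not be cached across origins
    if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Config audit: returns the findings a reviewer would raise on a CORS options
// object, so the weak combination can be caught by a lint or CI step.
function auditCorsOptions({ origin = '*', credentials = false } = {}) {
  const findings = [];
  const allowList = Array.isArray(origin) ? origin : [origin];
  if (credentials && allowList.includes('*')) {
    findings.push('credentials: true with wildcard origin; set an explicit origin allow-list');
  }
  if (credentials && allowList.some((o) => typeof o === 'string' && o.startsWith('http://'))) {
    findings.push('credentialed origin allowed over plain http');
  }
  return findings;
}

// Constructed inputs for the demonstration: a cookie-authenticated API that
// receives a credentialed request from an unrelated site.
const unrelatedOrigin = 'https://unrelated.example';
const weakOptions = { credentials: true }; // origin silently defaults to '*'
const fixedOptions = { origin: ['https://app.example'], credentials: true };

console.log('naive   :', resolveCorsNaive(unrelatedOrigin, weakOptions));
// -> { 'Access-Control-Allow-Origin': 'https://unrelated.example', 'Access-Control-Allow-Credentials': 'true' }
console.log('hardened:', resolveCorsHardened(unrelatedOrigin, weakOptions));
// -> {}
console.log('audit   :', auditCorsOptions(weakOptions), auditCorsOptions(fixedOptions));
// -> [ 'credentials: true with wildcard origin; ...' ] []
```

The audit is the part to wire into CI: it turns the advisory's precondition (credentials enabled, origin defaulted) into a finding on the options object itself, so the misconfiguration is caught whether or not the installed hono version still reflects origins.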

…dates

Bumps the npm_and_yarn group with 1 update in the / directory: [hono](https://github.com/honojs/hono).


Updates `hono` from 4.12.8 to 4.12.25
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.8...v4.12.25)

Updates `vite-plus` from 0.1.13 to 0.2.1
- [Release notes](https://github.com/voidzero-dev/vite-plus/releases)
- [Commits](https://github.com/voidzero-dev/vite-plus/commits/v0.2.1/packages/cli)

Updates `devalue` from 5.6.4 to 5.8.1
- [Release notes](https://github.com/sveltejs/devalue/releases)
- [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md)
- [Commits](sveltejs/devalue@v5.6.4...v5.8.1)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.25
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vite-plus
  dependency-version: 0.2.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: devalue
  dependency-version: 5.8.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 29, 2026
Copilot AI review requested due to automatic review settings June 29, 2026 02:07
@dependabot dependabot Bot added javascript Pull requests that update javascript code dependencies Pull requests that update a dependency file labels Jun 29, 2026

Copilot AI left a comment

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.
