Bump the npm_and_yarn group across 5 directories with 11 updates

[dependabot]

Bumps the npm_and_yarn group with 9 updates in the / directory:

Package	From	To
vitest	1.6.0	1.6.1
next	14.2.5	14.2.35
hono	4.6.3	4.10.3
tsup	8.3.0	8.3.5
@astrojs/node	8.3.4	9.4.1
astro	4.15.10	5.15.9
@remix-run/node	2.12.0	2.17.2
@remix-run/react	2.12.0	2.17.3
vite	5.4.8	5.4.21

Bumps the npm_and_yarn group with 1 update in the /examples/nextjs directory: next.
Bumps the npm_and_yarn group with 3 updates in the /examples/remix directory: @remix-run/node, @remix-run/react and vite.
Bumps the npm_and_yarn group with 1 update in the /packages/baseai directory: vitest.
Bumps the npm_and_yarn group with 1 update in the /packages/core directory: vitest.

Updates vitest from 1.6.0 to 1.6.1

Release notes

Sourced from vitest's releases.

v1.6.1

This release includes security patches for:

• Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964

   🐞 Bug Fixes

• backport vitest-dev/vitest#7317 to v1 - by @​hi-ogawa in vitest-dev/vitest#7319

    View changes on GitHub

Commits

• 017e1ee chore: release v1.6.1
• 7ce9fbb fix: backport #7317 to v1 (#7319)
• See full diff in compare view

Updates next from 14.2.5 to 14.2.35

Release notes

Sourced from next's releases.

v14.2.35

Please see the Next.js Security Update for information about this security patch.

Commits

• 7b940d9 v14.2.35
• 7c1be85 Backport facebook/react#35351 for 14.2.34 (#87095)
• f307368 v14.2.34
• 8e43882 Update React Version (#36)
• 385e8c2 Backport Next.js changes to v14.2.34 (#29)
• 7a2cf51 update version script
• 778e7bf lock swc binaries
• 5a97b40 v14.2.33
• cb88824 backport(v14): omit searchParam data from FlightRouterState before transport ...
• 89ee561 v14.2.32
• Additional commits viewable in compare view

Updates hono from 4.6.3 to 4.10.3

Release notes

Sourced from hono's releases.

v4.10.3

Securiy Fix

A security issue in the CORS middleware has been fixed. In some cases, a request header could affect the Vary response header. Please update to the latest version if you are using the CORS middleware.

What's Changed

• fix(aws-lambda): serve microsoft office files as binary in lambda handler by @​matthiasfeist in honojs/hono#4469
• fix(request-id): validation accepts = by @​ryuapp in honojs/hono#4478
• refactor(jwt): reduce the size of the code generated by minification by @​usualoma in honojs/hono#4480

New Contributors

• @​matthiasfeist made their first contribution in honojs/hono#4469

Full Changelog: honojs/hono@v4.10.2...v4.10.3

v4.10.2

Security hardening improvement

If you are using JWT middleware, please read the following and consider applying the configuration.

Improper Authorization in Hono (JWT Audience Validation)

Hono’s JWT authentication middleware did not validate the aud (Audience) claim by default. As a result, applications using the middleware without an explicit audience check could accept tokens intended for other audiences, leading to potential cross-service access (token mix-up).

The issue is addressed by adding a new verification.aud configuration option to allow RFC 7519–compliant audience validation. This change is classified as a security hardening improvement, but the lack of validation can still be considered a vulnerability in deployments that rely on default JWT verification.

Recommended secure configuration

You can enable RFC 7519–compliant audience validation using the new verification.aud option:

import { Hono } from 'hono'
import { jwt } from 'hono/jwt'
const app = new Hono()
app.use(
'/api/*',
jwt({
secret: 'my-secret',
verification: {
// Require this API to only accept tokens with aud = 'service-a'
aud: 'service-a',
},
})
)

What's Changed

• tests: Fix test case of handlers without a path by @​IAmSSH in honojs/hono#4472

... (truncated)

Commits

• fcefd50 4.10.3
• 95ae4d3 refactor(jwt): reduce the size of the code generated by minification (#4480)
• d9b8b4b Merge commit from fork
• 5216117 fix(request-id): validation accepts = (#4478)
• 253ec28 fix(aws-lambda): serve microsoft office files as binary in lambda handler (#4...
• 0c6455d 4.10.2
• 45ba3bf Merge commit from fork
• 4cbad8b tests: Fix test case of handlers without a path (#4472)
• db764c2 4.10.1
• 8774bf9 fix(types): cannot .use non-return mw from createMiddleware (#4465)
• Additional commits viewable in compare view

Updates tsup from 8.3.0 to 8.3.5

Release notes

Sourced from tsup's releases.

v8.3.5

   🐞 Bug Fixes

• Run experimentalDts only once  -  by @​aryaemami59 in egoist/tsup#1236 (fddd4)

    View changes on GitHub

v8.3.4

No significant changes

    View changes on GitHub

v8.3.3

No significant changes

    View changes on GitHub

v8.3.1

   🚀 Features

• Add es2024 target  -  by @​sxzz (4c8cd)

   🐞 Bug Fixes

• Support TS 5.6 for svelte  -  by @​sxzz (28b9c)
• Add neutral value to platform options in schema.json  -  by @​venables in egoist/tsup#982 (a03db)
• Wider restriction for target option  -  by @​odanado in egoist/tsup#1118 (1979b)
• Add terser value to minify option in schema.json  -  by @​damienbutt in egoist/tsup#991 (34951)
• Change newlineKind to lf for experimentalDts  -  by @​aryaemami59 in egoist/tsup#1234 (4584b)
• Enable rollup output.compact when minify is enabled  -  by @​hyrious in egoist/tsup#1232 (9cc86)
• Support Node16 and NodeNext module resolution in experimentalDts  -  by @​aryaemami59 in egoist/tsup#1225 (41c98)

    View changes on GitHub

Commits

• cd03e1e chore: release v8.3.5
• fddd451 fix: run experimentalDts only once (#1236)
• 21b1193 chore: release v8.3.4
• 580e03d ci: fix release workflow
• 01b38f2 chore: release v8.3.3
• 4f5b71e ci: fix release workflow
• e80dad6 chore: release v8.3.2
• f4af79a ci: fix release workflow (#1241)
• 4b72d61 chore: release v8.3.1
• 41c98ff fix: support Node16 and NodeNext module resolution in experimentalDts (...
• Additional commits viewable in compare view

Updates @astrojs/node from 8.3.4 to 9.4.1

Changelog

Sourced from @​astrojs/node's changelog.

9.4.1

Patch Changes

• 5fc3c59 Thanks @​ematipico! - Fixes a routing bug in standalone mode with trailingSlash set to "always".

9.4.0

Minor Changes

• #14188 e3422aa Thanks @​ascorbic! - Adds support for specifying a host to load prerendered error pages

  By default, if a user defines a custom error page that is prerendered, Astro will load it from the same host as the one that the request is made to. This change allows users to specify a different host for loading prerendered error pages. This can be useful in scenarios such as where the server is running behind a reverse proxy or when prerendered pages are hosted on a different domain.

  To use this feature, set the experimentalErrorPageHost adapter option in your Astro configuration to the desired host URL. For example, if your server is running on localhost and served via a proxy, you can ensure the prerendered error pages are fetched via the localhost URL:

  import { defineConfig } from 'astro/config';
  import node from '@astrojs/node';
  export default defineConfig({
    adapter: node({
      // If your server is running on localhost and served via a proxy, set the host like this to ensure prerendered error pages are fetched via the localhost URL
      experimentalErrorPageHost: 'http://localhost:4321',
    }),
  });

  For more information on enabling and using this experimental feature, see the @astrojs/node adapter docs.

9.3.3

Patch Changes

• Updated dependencies [0567fb7]:
  • @​astrojs/internal-helpers@​0.7.1

9.3.2

Patch Changes

• Updated dependencies [f4e8889]:
  • @​astrojs/internal-helpers@​0.7.0

9.3.1

Patch Changes

• #14148 e4d74ba Thanks @​ColoredCarrot! - fix(node): emit set-cookie header from middlewares for not-found routes (#14136)

9.3.0

... (truncated)

Commits

• See full diff in compare view

Updates astro from 4.15.10 to 5.15.9

Release notes

Sourced from astro's releases.

astro@5.15.9

Patch Changes

• #14786 758a891 Thanks @​mef! - Add handling of invalid encrypted props and slots in server islands.

• #14783 504958f Thanks @​florian-lefebvre! - Improves the experimental Fonts API build log to show the number of downloaded files. This can help spotting excessive downloading because of misconfiguration

• #14791 9e9c528 Thanks @​Princesseuh! - Changes the remote protocol checks for images to require explicit authorization in order to use data URIs.

  In order to allow data URIs for remote images, you will need to update your astro.config.mjs file to include the following configuration:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  export default defineConfig({
  images: {
  remotePatterns: [
  {
  protocol: 'data',
  },
  ],
  },
  });

• #14787 0f75f6b Thanks @​matthewp! - Fixes wildcard hostname pattern matching to correctly reject hostnames without dots

  Previously, hostnames like localhost or other single-part names would incorrectly match patterns like *.example.com. The wildcard matching logic has been corrected to ensure that only valid subdomains matching the pattern are accepted.

• #14776 3537876 Thanks @​ktym4a! - Fixes the behavior of passthroughImageService so it does not generate webp.

• Updated dependencies [9e9c528, 0f75f6b]:

  • @​astrojs/internal-helpers@​0.7.5
  • @​astrojs/markdown-remark@​6.3.9

astro@5.15.8

Patch Changes

• #14772 00c579a Thanks @​matthewp! - Improves the security of Server Islands slots by encrypting them before transmission to the browser, matching the security model used for props. This improves the integrity of slot content and prevents injection attacks, even when component templates don't explicitly support slots.

  Slots continue to work as expected for normal usage—this change has no breaking changes for legitimate requests.

• #14771 6f80081 Thanks @​matthewp! - Fix middleware pathname matching by normalizing URL-encoded paths

  Middleware now receives normalized pathname values, ensuring that encoded paths like /%61dmin are properly decoded to /admin before middleware checks. This prevents potential security issues where middleware checks might be bypassed through URL encoding.

astro@5.15.7

Patch Changes

... (truncated)

Changelog

Sourced from astro's changelog.

4.16.16

Patch Changes

• #12542 65e50eb Thanks @​kadykov! - Fix JPEG image size determination

• #12525 cf0d8b0 Thanks @​ematipico! - Fixes an issue where with i18n enabled, Astro couldn't render the 404.astro component for non-existent routes.

4.16.15

Patch Changes

• #12498 b140a3f Thanks @​ematipico! - Fixes a regression where Astro was trying to access Request.headers

4.16.14

Patch Changes

• #12480 c3b7e7c Thanks @​matthewp! - Removes the default throw behavior in astro:env

• #12444 28dd3ce Thanks @​ematipico! - Fixes an issue where a server island hydration script might fail case the island ID misses from the DOM.

• #12476 80a9a52 Thanks @​florian-lefebvre! - Fixes a case where the Content Layer glob() loader would not update when renaming or deleting an entry

• #12418 25baa4e Thanks @​oliverlynch! - Fix cached image redownloading if it is the first asset

• #12477 46f6b38 Thanks @​ematipico! - Fixes an issue where the SSR build was emitting the dist/server/entry.mjs file with an incorrect import at the top of the file/

• #12365 a23985b Thanks @​apatel369! - Fixes an issue where Astro.currentLocale was not correctly returning the locale for 404 and 500 pages.

4.16.13

Patch Changes

• #12436 453ec6b Thanks @​martrapp! - Fixes a potential null access in the clientside router

• #12392 0462219 Thanks @​apatel369! - Fixes an issue where scripts were not correctly injected during the build. The issue was triggered when there were injected routes with the same entrypoint and different pattern

4.16.12

Patch Changes

• #12420 acac0af Thanks @​ematipico! - Fixes an issue where the dev server returns a 404 status code when a user middleware returns a valid Response.

4.16.11

Patch Changes

• #12305 f5f7109 Thanks @​florian-lefebvre! - Fixes a case where the error overlay would not escape the message

... (truncated)

Commits

• 7a07f02 [ci] release (#14788)
• 8cf3f05 [ci] format
• 758a891 fix(astro): handle invalid encrypted props in server island (#14786)
• 3537876 fix: passthroughImageService generate webp (#14776)
• 048e4dc [ci] format
• 9e9c528 fix: require explicit authorization to use data urls (#14791)
• 0f75f6b Fix wildcard hostname matching to reject hostnames without dots (#14787)
• 504958f feat(fonts): log number of downloaded files (#14783)
• 24e28d2 fix(deps): update astro dependencies (#14779)
• 60af4d0 [ci] release (#14773)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for astro since your current version.

Updates @remix-run/node from 2.12.0 to 2.17.2

Release notes

Sourced from @​remix-run/node's releases.

v2.17.2

See the changelog for the release notes: https://github.com/remix-run/remix/blob/v2/CHANGELOG.md#v2172

remix v2.17.1

See the changelog for the release notes: https://github.com/remix-run/remix/blob/v2/CHANGELOG.md#v2171

Commits

• 3920349 Version 2.17.2
• 64d88de Validate session id in file session storage (#10806)
• 91ef6fe Version 2.17.1
• 3000859 chore: Update version for release (#10698)
• 3004a98 chore: Update version for release (pre) (#10692)
• fc5cb1f chore: Update version for release (pre) (#10691)
• 3869e0e chore: Update version for release (#10643)
• 00107c5 chore: Update version for release (pre) (#10642)
• 45df312 chore: Update version for release (#10628)
• f90aa1f chore: Update version for release (pre) (#10627)
• Additional commits viewable in compare view

Updates @remix-run/react from 2.12.0 to 2.17.3

Release notes

Sourced from @​remix-run/react's releases.

v2.17.3

See the changelog for the release notes: https://github.com/remix-run/remix/blob/v2/CHANGELOG.md#v2173

v2.17.2

See the changelog for the release notes: https://github.com/remix-run/remix/blob/v2/CHANGELOG.md#v2172

remix v2.17.1

See the changelog for the release notes: https://github.com/remix-run/remix/blob/v2/CHANGELOG.md#v2171

Commits

• b1d29d9 Version 2.17.3
• 5c87c08 Escape HTML in scroll restoration keys (#10925)
• 4a5ffd1 Revert "Version 2.17.3"
• 98c89fa Version 2.17.3
• 3920349 Version 2.17.2
• 91ef6fe Version 2.17.1
• 6bfad4e Escape meta json ld content (#10741)
• 3000859 chore: Update version for release (#10698)
• 3004a98 chore: Update version for release (pre) (#10692)
• fc5cb1f chore: Update version for release (pre) (#10691)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​remix-run/react since your current version.

Updates vite from 5.4.8 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

v5.4.19

Please refer to CHANGELOG.md for details.

v5.4.18

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970) (cad1d31), closes #20968 #20970
• chore: update CHANGELOG (ca88ed7)

5.4.20 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (482000f), closes #20736
• fix: port sirv@3.0.2 changes to sirv@2.0.4 (#20737) (4f1c35b), closes #20737

5.4.19 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19966) (766947e), closes #19965 #19966

5.4.18 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19831) (823675b), closes #19830 #19831

5.4.17 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19784) (84b2b46), closes #19782 #19784

5.4.16 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19762) (b627c50), closes #19761 #19762

5.4.15 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19703) (807d7f0), closes #19702 #19703

5.4.14 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (9df6e6b), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (7d1699c), closes #19249

... (truncated)

Commits

• adce3c2 release: v5.4.21
• cad1d31 fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970)
• ca88ed7 chore: update CHANGELOG
• 997700f release: v5.4.20
• 482000f fix: apply fs.strict check to HTML files (#20736)
• 80a333a release: v5.4.19
• 766947e fix: backport #19965, check static serve file inside sirv (#19966)
• 731b77d release: v5.4.18
• 823675b fix: backport #19830, reject requests with # in request-target (#19831)
• 0a2518a release: v5.4.17
• Additional commits viewable in compare view

Updates devalue from 5.1.1 to 5.6.1

Release notes

Sourced from devalue's releases.

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

v5.4.0

Minor Changes

• 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

• b617c7c: perf: shrink uneval output with null-proto objects

v5.3.2

Patch Changes

• 0623a47: fix: disallow array method access when parsing
• 0623a47: fix: disallow __proto__ properties on objects

v5.3.1

Patch Changes

• ae904c5: fix: correctly differentiate between +0 and -0

v5.3.0

Minor Changes

• 2896e7b: feat: support Temporal

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

5.4.0

Minor Changes

• 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

• b617c7c: perf: shrink uneval output with null-proto objects

5.3.2

Patch Changes

• 0623a47: fix: disallow array method access when parsing
• 0623a47: fix: disallow __proto__ properties on objects

5.3.1

... (truncated)

Commits

• 5e07a67 Version Packages (#129)
• aa09604 Bump js-yaml from 3.14.1 to 3.14.2 (#125)
• 2161d44 fix: add hasOwn check before calling reviver (#128)
• 83de81d Version Packages (#127)
• a3d09d4 Add value and root properties in DevalueError instances (#126)
• f4b37f3 Version Packages (#124)
• 828fa1c Enable support for custom reducer/reviver for "function" values (#123)
• 6f4eb8b Version Packages (#119)
• 5c26c0d fix: allow custom revivers to revive things serialized by buitin reducers (#118)
• 8b0c28d Version Packages (#117)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.

Updates prismjs from 1.29.0 to 1.30.0

Release notes

Sourced from prismjs's releases.

v1.30.0

What's Changed

• check that currentScript is set by a script tag by @​lkuechler in PrismJS/prism#3863

New Contributors

• @​lkuechler made their first contribution in PrismJS/prism#3863

Full Changelog: PrismJS/prism@v1.29.0...v1.30.0

Changelog

Sourced from prismjs's changelog.

Prism Changelog

Commits

• 76dde18 Release 1.30.0
• 93cca40 npm pkg fix
• 99c5ca9 Add release script
• 8e8b935 check that currentScript is set by a script tag (#3863)
• f894dc2 Fix logo in the footer
• ac38dce Delete CNAME
• 9b5b09a Enable CORS
• See full diff in compare view

Maintainer changes

This version was pushed to npm by dmitrysharabin, a new releaser for prismjs since your current version.

Updates next from 14.2.5 to 14.2.35

Release notes

Sourced from next's releases.

v14.2.35

Please see the Next.js Security Update for information about this security patch.

Commits

• 7b940d9 v14.2.35
• 7c1be85 Backport facebook/react#35351 for 14.2.34 (#87095)
• f307368 v14.2.34
• 8e43882 Update React Version (#36)
• 385e8c2 Backport Next.js changes to v14.2.34 (#29)
• 7a2cf51 update version script
• 778e7bf lock swc binaries
• 5a97b40 v14.2.33
• cb88824 backport(v14): omit searchParam data from FlightRouterState before transport ...
• 89ee561 v14.2.32
• Additional commits viewable in compare view

Updates @remix-run/node from 2.12.0 to 2.17.2

Release notes

Sourced from @​remix-run/node's releases.

v2.17.2

See the changelog for the release notes: https://github.com/remix-run/remix/blob/v2/CHANGELOG.md#v2172

remix v2.17.1

See the changelog for the release notes: https://github.com/remix-run/remix/blob/v2/CHANGELOG.md#v2171

Commits

• 3920349 Version 2.17.2
• 64d88de Validate session id in file session storage (#10806)
• 91ef6fe Version 2.17.1
• 3000859 chore: Update version for release (#10698)
• 3004a98 chore: Update version for release (pre) (#10692)
• fc5cb1f chore: Update version for release (pre) (#10691)
• 3869e0e chore: Update version for release (#10643)
• 00107c5 chore: Update version for release (pre) (#10642)
• 45df312 chore: Update version for release (#10628)
• f90aa1f chore: Update version for release (pre) (#10627)
• Additional commits viewable in compare view

Updates @remix-run/react from 2.12.0 to 2.17.3

Release notes

Sourced from @​remix-run/react's releases.

v2.17.3

See the changelog for the release notes: https://github.com/remix-run/remix/blob/v2/CHANGELOG.md#v2173

v2.17.2

See the changelog for the release notes: https://github.com/remix-run/remix/blob/v2/CHANGELOG.md#v2172

remix v2.17.1

See the changelog for the release notes: https://github.com/remix-run/remix/blob/v2/CHANGELOG.md#v2171

Commits

• b1d29d9 Version 2.17.3
• 5c87c08 Escape HTML in scroll restoration keys (#10925)
• 4a5ffd1 Revert &quo...

  Description has been truncated