Skip to content

chore(deps): bump h3 from 1.11.1 to 1.15.10#4392

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/h3-1.15.10
Open

chore(deps): bump h3 from 1.11.1 to 1.15.10#4392
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/h3-1.15.10

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Mar 25, 2026
edited by cursor Bot
Loading

Bumps h3 from 1.11.1 to 1.15.10.

Release notes

Sourced from h3's releases.

v1.15.10

compare changes

🩹 Fixes

  • Preserve percent-encoded req.url in app event handler (#1355)

❤️ Contributors

v1.15.9

compare changes

🩹 Fixes

  • Preserve %25 in pathname (1103df6)
  • static: Prevent path traversal via double-encoded dot segments (%252e%252e) (c56683d)
  • sse: Sanitize carriage returns in event stream data and comments (ba3c3fe)

v1.15.8

compare changes

🩹 Fixes

  • Preserve %25 in pathname (1103df6)

v1.15.7

compare changes

🩹 Fixes

  • static: Narrow path traversal check to match .. as a path segment only (c049dc0)
  • app: Decode percent-encoded path segments to prevent auth bypass (313ea52)

💅 Refactors

  • Remove implicit event handler conversion warning (#1340)

❤️ Contributors

v1.15.6

compare changes

🩹 Fixes

  • sse: Sanitize newlines in event stream fields to prevent SSE injection (840ac5c)

... (truncated)

Changelog

Sourced from h3's changelog.

v1.15.10

compare changes

🩹 Fixes

  • Preserve percent-encoded req.url in app event handler (#1355)

🏡 Chore

❤️ Contributors

v1.15.9

compare changes

🩹 Fixes

  • Preserve %25 in pathname (1103df6)
  • static: Prevent path traversal via double-encoded dot segments (%252e%252e) (c56683d)
  • sse: Sanitize carriage returns in event stream data and comments (ba3c3fe)

🏡 Chore

❤️ Contributors

v1.15.8

compare changes

🩹 Fixes

  • Preserve %25 in pathname (1103df6)

❤️ Contributors

v1.15.7

... (truncated)

Commits
  • b72bb57 chore(release): v1.15.10
  • d8ef318 remove resolutions for h3
  • 26fec6f chore: update deps
  • 51ca9b3 fix: preserve percent-encoded req.url in app event handler (#1355)
  • 4e8d43a chore(release): v1.15.9
  • 23045df chore: update deps
  • ba3c3fe fix(sse): sanitize carriage returns in event stream data and comments
  • c56683d fix(static): prevent path traversal via double-encoded dot segments (`%252e%2...
  • e3b9c9e chore(release): v1.15.8
  • 1103df6 fix: preserve %25 in pathname
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Medium Risk
Updates the h3 HTTP runtime and several transitive dependencies, which can subtly change request/URL parsing and WebSocket behavior at runtime despite no application code changes.

Overview
Bumps h3 from 1.11.1 to 1.15.10 via yarn.lock, pulling in newer versions of related networking/util deps (notably cookie-es, crossws, destr, iron-webcrypto, ufo, radix3) and adding node-mock-http as a new transitive dependency.

No source code changes; this PR is purely a dependency/lockfile update.

Written by Cursor Bugbot for commit d15a47c. This will update automatically on new commits. Configure here.

@dependabot
chore(deps): bump h3 from 1.11.1 to 1.15.10
d15a47c 
Bumps [h3](https://github.com/h3js/h3) from 1.11.1 to 1.15.10.
- [Release notes](https://github.com/h3js/h3/releases)
- [Changelog](https://github.com/h3js/h3/blob/v1.15.10/CHANGELOG.md)
- [Commits](h3js/h3@v1.11.1...v1.15.10)

---
updated-dependencies:
- dependency-name: h3
  dependency-version: 1.15.10
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 25, 2026
@dependabot dependabot Bot mentioned this pull request Mar 25, 2026
Closed
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented Mar 25, 2026

⚠️ No Changeset found

Latest commit: d15a47c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@nx-cloud
Copy link
Copy Markdown

nx-cloud Bot commented Mar 25, 2026
edited
Loading

View your CI Pipeline Execution ↗ for commit d15a47c

Command Status Duration Result
nx test @e2e/react-sdk-next-14-app ✅ Succeeded 14m 58s View ↗
nx test @snippet/angular-17-ssr ✅ Succeeded 11m 14s View ↗
nx test @snippet/nuxt ✅ Succeeded 10m 6s View ↗
nx test @e2e/nextjs-sdk-next-app ✅ Succeeded 8m 51s View ↗
nx test @e2e/qwik-city ✅ Succeeded 8m 53s View ↗
nx test @e2e/angular-17 ✅ Succeeded 8m 5s View ↗
nx test @e2e/nuxt ✅ Succeeded 7m View ↗
nx test @e2e/angular-17-ssr ✅ Succeeded 6m 51s View ↗
Additional runs (38) ✅ Succeeded ... View ↗

☁️ Nx Cloud last updated this comment at 2026-03-25 16:57:49 UTC

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants