Bump the npm_and_yarn group across 1 directory with 11 updates by dependabot[bot] · Pull Request #41 · Johnaverse/chains-api

dependabot · 2026-05-12T12:53:12Z

Bumps the npm_and_yarn group with 11 updates in the / directory:

Package	From	To
@fastify/static	`9.0.0`	`9.1.1`
fastify	`5.8.1`	`5.8.5`
@hono/node-server	`1.19.10`	`1.19.14`
brace-expansion	`5.0.4`	`5.0.6`
fast-uri	`3.1.0`	`3.1.2`
hono	`4.12.7`	`4.12.18`
ip-address	`10.1.0`	`10.2.0`
path-to-regexp	`8.3.0`	`8.4.2`
picomatch	`4.0.3`	`4.0.4`
postcss	`8.5.6`	`8.5.14`
vite	`7.3.1`	`7.3.3`

Updates @fastify/static from 9.0.0 to 9.1.1

Release notes

Sourced from @fastify/static's releases.

v9.1.1

⚠️ Security Release

This fixes CVE CVE-2026-6410 GHSA-pr96-94w5-mx2h. This fixes CVE CVE-2026-6414 GHSA-x428-ghpx-8j92.

What's Changed

ci: add lock-threads workflow by @Fdawgs in fastify/fastify-static#570

Full Changelog: fastify/fastify-static@v9.1.0...v9.1.1

v9.1.0

What's Changed

build(deps-dev): bump @types/node from 24.10.4 to 25.0.3 by @dependabot[bot] in fastify/fastify-static#552

test: move ignoreTrailingSlash under routerOptions by @lraveri in fastify/fastify-static#553

build(deps-dev): bump borp from 0.20.2 to 0.21.0 by @dependabot[bot] in fastify/fastify-static#543

chore: bump pino and borp dependencies, delete stale.yml by @Tony133 in fastify/fastify-static#557

chore: update syntax typescript by @Tony133 in fastify/fastify-static#558

chore(license): standardise license notice by @Fdawgs in fastify/fastify-static#560

fix: sendFile ignoring option overrides in some cases by @bakugo in fastify/fastify-static#559

chore: upgrade c8 to v11.0.0 and improvements test by @Tony133 in fastify/fastify-static#564

build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @dependabot[bot] in fastify/fastify-static#566

New Contributors

@lraveri made their first contribution in fastify/fastify-static#553

@Tony133 made their first contribution in fastify/fastify-static#557

@bakugo made their first contribution in fastify/fastify-static#559

Full Changelog: fastify/fastify-static@v9.0.0...v9.1.0

Commits

48b136f Bumped v9.1.1
cc7b7f7 Merge commit from fork
9921faa Merge commit from fork
4183d2d ci: add lock-threads workflow (#570)
a3a8cd6 Bumped v9.1.0
8423c80 build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#566)
475dce1 chore: upgrade c8 to v11.0.0 and improvements test (#564)
3ff0f39 fix: sendFile ignoring option overrides in some cases (#559)
663baa7 chore(license): standardise license notice (#560)
51bb66e chore: update syntax typescript (#558)
Additional commits viewable in compare view

Updates fastify from 5.8.1 to 5.8.5

Release notes

Sourced from fastify's releases.

v5.8.5

⚠️ Security Release

This fixes CVE CVE-2026-33806 GHSA-247c-9743-5963.

What's Changed

chore: Fix port parsing by @jsumners in fastify/fastify#6603

chore: upgrade to typescript v6.0.2 by @Tony133 in fastify/fastify#6605

fix: restore trustProxy function for number and string types, add null check for socketAddr by @mcollina in fastify/fastify#6613

ci: reduce cron scheduled workflows from daily/weekly to monthly by @Fdawgs in fastify/fastify#6623

chore: Bump pnpm/action-setup from 4.2.0 to 5.0.0 by @dependabot[bot] in fastify/fastify#6629

chore: Bump markdownlint-cli2 from 0.21.0 to 0.22.0 by @dependabot[bot] in fastify/fastify#6632

chore: Bump borp from 0.21.0 to 1.0.0 by @dependabot[bot] in fastify/fastify#6633

chore: Bump actions/dependency-review-action from 4.8.3 to 4.9.0 by @dependabot[bot] in fastify/fastify#6630

docs(ecosystem): add @pompelmi/fastify-plugin by @SonoTommy in fastify/fastify#6610

New Contributors

@SonoTommy made their first contribution in fastify/fastify#6610

Full Changelog: fastify/fastify@v5.8.4...v5.8.5

v5.8.4

Full Changelog: fastify/fastify@v5.8.3...v5.8.4

v5.8.3

⚠️ Security Release

This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.

What's Changed

docs(readme): add @Tony133 to plugin team by @Tony133 in fastify/fastify#6565

Updated Plugins-Guide.md; Changed "fastify" to "instance" during plugin registration to showcase that it's added as a child by @kyrylchenko in fastify/fastify#6566

test: use fastify.test in test case by @climba03003 in fastify/fastify#6568

docs: use fastify.example in documentation by @climba03003 in fastify/fastify#6567

docs: add common performance degradation guidance by @maxpetrusenko in fastify/fastify#6520

docs(server): fix camelCase anchor links in TOC by @Deepvamja in fastify/fastify#6530

ci(link-checker): fix root-relative links resolution by @barba-rossa in fastify/fastify#6535

docs: update syntax markdown, absolute paths and links by @Tony133 in fastify/fastify#6569

docs: clarify content-type parser/schema mismatch is outside threat model by @mcollina in fastify/fastify#6537

docs: fix incorrect code examples in Reply and Request reference by @mahmoodhamdi in fastify/fastify#6582

docs: replace redirected npm.im http-errors link by @mcollina in fastify/fastify#6588

types: Allow port to be null in request type definition by @TristanBarlow in fastify/fastify#6589

docs: update links by @Tony133 in fastify/fastify#6593

ci(lock-threads): use shared lock-threads workflow by @Fdawgs in fastify/fastify#6592

New Contributors

@kyrylchenko made their first contribution in fastify/fastify#6566

@maxpetrusenko made their first contribution in fastify/fastify#6520

@Deepvamja made their first contribution in fastify/fastify#6530

@barba-rossa made their first contribution in fastify/fastify#6535

... (truncated)

Commits

3983cce Bumped v5.8.5
3ce3ae6 Merge commit from fork
b06a196 docs(ecosystem): add @pompelmi/fastify-plugin (#6610)
909c5d5 chore: Bump actions/dependency-review-action from 4.8.3 to 4.9.0 (#6630)
4db21a3 chore: Bump borp from 0.21.0 to 1.0.0 (#6633)
0f4e544 chore: Bump markdownlint-cli2 from 0.21.0 to 0.22.0 (#6632)
33a2fcd chore: Bump pnpm/action-setup from 4.2.0 to 5.0.0 (#6629)
fd35d82 ci: reduce cron schedules from daily/weekly to monthly (#6623)
8dee9be fix: restore trustProxy function for number and string types, add null check ...
d457aed chore: upgrade to typescript v6.0.2 (#6605)
Additional commits viewable in compare view

Updates @hono/node-server from 1.19.10 to 1.19.14

Release notes

Sourced from @hono/node-server's releases.

v1.19.14

What's Changed

fix: add custom inspect to lightweight Request/Response to prevent TypeError on console.log by @usualoma in honojs/node-server#340

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

chore: ignore claude setting by @yusukebe in honojs/node-server#314

fix: request draining for early 413 responses by @usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

Commits

b5e63a3 1.19.14
c02d777 fix: add custom inspect to lightweight Request/Response to prevent TypeError ...
fd64e65 1.19.13
025c30f Merge commit from fork
6cdb5a7 1.19.12
70250f7 fix: request draining for early 413 responses (#329)
cfc08b3 chore: ignore claude setting (#314)
ecd4d6b 1.19.11
c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
See full diff in compare view

Updates brace-expansion from 5.0.4 to 5.0.6

Commits

46317b5 5.0.6
c0b095b Merge commit from fork
ec56020 Bump picomatch from 4.0.3 to 4.0.4 (#93)
8793901 5.0.5
9a02af5 Merge commit from fork
daa71bc Bump tar from 7.5.10 to 7.5.11 (#92)
799e5f7 Bump tar from 7.5.9 to 7.5.10 (#90)
See full diff in compare view

Updates fast-uri from 3.1.0 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

Fix for GHSA-v39h-62p7-jpjc

What's Changed

Handle malformed fragment decoding as a parse error by @mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

Fix for GHSA-q3j6-qgpj-74h6

What's Changed

build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @dependabot[bot] in fastify/fast-uri#148

build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in fastify/fast-uri#149

chore(.npmrc): ignore scripts by @Fdawgs in fastify/fast-uri#150

build(deps-dev): remove @fastify/pre-commit by @Fdawgs in fastify/fast-uri#151

build(deps): bump actions/setup-node from 4 to 5 by @dependabot[bot] in fastify/fast-uri#152

ci(ci): add concurrency config by @Fdawgs in fastify/fast-uri#153

build(deps): bump actions/setup-node from 5 to 6 by @dependabot[bot] in fastify/fast-uri#154

build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in fastify/fast-uri#156

chore(license): standardise license notice by @Fdawgs in fastify/fast-uri#159

style: remove trailing whitespace by @Fdawgs in fastify/fast-uri#161

ci: remove unused github files by @Tony133 in fastify/fast-uri#162

chore: update readme by @Tony133 in fastify/fast-uri#164

build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#165

build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#166

build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @dependabot[bot] in fastify/fast-uri#167

ci: add lock-threads workflow by @Fdawgs in fastify/fast-uri#169

New Contributors

@Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits

919dd8e Bumped v3.1.2
c65ba57 fixup: linting
6c86c17 Merge commit from fork
a95158a Handle malformed fragment decoding without throwing (#171)
cea547c Bumped v3.1.1
876ce79 Merge commit from fork
dcdf690 ci: add lock-threads workflow (#169)
c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
Additional commits viewable in compare view

Updates hono from 4.12.7 to 4.12.18

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

fix(jsx): normalize SVG attributes on the root element by @kfly8 in honojs/hono#4893

fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @yuintei in honojs/hono#4899

fix(cors): make origin optional in CORSOptions by @truffle-dev in honojs/hono#4905

fix(types): propagate middleware response types to app.on overloads by @T4ko0522 in honojs/hono#4906

New Contributors

@kfly8 made their first contribution in honojs/hono#4893

@truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

fix(jwt): support single-line PEM keys by @hiendv in honojs/hono#4889

... (truncated)

Commits

f10dee8 4.12.18
a5bd9eb Merge commit from fork
58d3d3a Merge commit from fork
568c2ec Merge commit from fork
ff2b3d3 4.12.17
52aaaf9 fix(types): propagate middleware response types to app.on overloads (#4906)
76d5589 fix(cors): make origin optional in CORSOptions (#4905)
8f027e5 fix(ssg): add atom+xml and rss+xml to defaultExtensionMap (#4899)
bfba97c fix(jsx): normalize SVG attributes on the <svg> root element (#4893)
90d4182 4.12.16
Additional commits viewable in compare view

Updates ip-address from 10.1.0 to 10.2.0

Commits

See full diff in compare view

Updates path-to-regexp from 8.3.0 to 8.4.2

Release notes

Sourced from path-to-regexp's releases.

v8.4.2

Fixed

Error on trailing backslash (#434) 9a78879

Performance

Minimize array allocations (#437) 937c02d

Improve compile performance (#436) 57247e6

Should improve compilation performance by ~25%

Remove internal tokenization during parse (#435) 5844988

Should improve parse performance by ~20%

Bundle size to 1.93 kB, from 1.97 kB.

pillarjs/path-to-regexp@v8.4.1...v8.4.2

v8.4.1

Fixed

Remove trie deduplication (#431) 6bc8e84

Using a trie required non-greedy matching, which regressed wildcards in non-ending mode by matching them up until the first match. For example:

/*foo with /a/b = /a

/*foo.htmlwith /a/b.html/c.html = /a/b.html

Allow backtrack handling to match itself (#427) 5bcd30b

When backtracking was introduced, it rejected matching things like /:"a"_:"b" against /foo__. This makes intuitive sense because the second parameter is not going to backtrack on _ anymore, but it's somewhat unexpected since there's no reason it shouldn't match the second _.

pillarjs/path-to-regexp@v8.4.0...v8.4.1

v8.4.0

Important

Fix CVE-2026-4926 (GHSA-j3q9-mxjg-w52f)

Fix CVE-2026-4923 (GHSA-27v5-c462-wpq7)

Fixed

Restricts wildcard backtracking when using more than 1 in a path (pillarjs/path-to-regexp#421)

Changed

Dedupes regex prefixes (pillarjs/path-to-regexp#422)

This will result in shorter regular expressions for some cases using optional groups

Rejects large optional route combinations (pillarjs/path-to-regexp#424)

When using groups such as /users{/delete} it will restrict the number of generated combinations to < 256, equivalent to 8 top-level optional groups and unlikely to occur in a real world application, but avoids exploding the regex size for applications that accept user created routes

Commits

cbf3025 8.4.2
937c02d Minimize array allocations (#437)
57247e6 Improve compile performance (#436)
5844988 Remove internal tokenization during parse (#435)
9a78879 Error on trailing backslash (#434)
7f05876 8.4.1
6bc8e84 Remove trie deduplication (#431)
5bcd30b Allow backtrack handling to match itself (#427)
9f9c6c5 Add parsing to benchmarks (#418)
9fd31e0 Add trailing: false tests (#428)
Additional commits viewable in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

e5474fc Publish 4.0.4
4516eb5 Merge commit from fork
5eceecd Merge commit from fork
0db7dd7 Run benchmark again against latest minimatch version (#161)
9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
2661f23 fix typo in globstars.js test name (#138)
1798b07 docs: fix makeRe example (#143)
9d76bc5 chore: undocument removed options (#146)
e4d718b Remove unused time-require (#160)
38dffeb chore(deps): pin dependencies (#158)
Additional commits viewable in compare view

Updates postcss from 8.5.6 to 8.5.14

Release notes

Sourced from postcss's releases.

8.5.14

Fixed custom syntax regression (by @43081j).

8.5.13

Fixed postcss-scss commend regression.

8.5.12

Fixed reading any file via user-generated CSS.

Added opts.unsafeMap to disable checks.

8.5.11

Fixed nested brackets parsing performance (by @offset).

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

8.5.9

Speed up source map encoding paring in case of the error.

8.5.8

Fixed Processor#version.

8.5.7

Improved source map annotation cleaning performance (by CodeAnt AI).

Changelog

Sourced from postcss's changelog.

8.5.14

Fixed custom syntax regression (by @43081j).

8.5.13

Fixed postcss-scss commend regression.

8.5.12

Fixed reading any file via user-generated CSS.

Added opts.unsafeMap to disable checks.

8.5.11

Fixed nested brackets parsing performance (by @offset).

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

8.5.9

Speed up source map encoding paring in case of the error.

8.5.8

Fixed Processor#version.

8.5.7

Improved source map annotation cleaning performance (by CodeAnt AI).

Commits

3ec1394 Release 8.5.14 version
f2bb827 Update dependencies
d75953d Merge pull request #2084 from 43081j/raw-raws-rawing
68bd213 fix: always call raw to retrieve raw values
af58cf1 Release 8.5.13 version
f227dbd Temporary ignore pnpm 11 config
d3abd40 Update dependencies
dd06c3e Revert stringifier changes because of the conflict with postcss-scss
ae889c8 Try to fix CI
e0093e4 Move to pnpm 11
Additional commits viewable in compare view

Updates vite from 7.3.1 to 7.3.3

Release notes

Sourced from vite's releases.

v7.3.3

Please refer to CHANGELOG.md for details.

v7.3.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.3 (2026-05-07)

Bug Fixes

avoid destructure lowering for newer safari (#22346) (5ab51c0)

7.3.2 (2026-04-06)

Bug Fixes

avoid path traversal with optimize deps sourcemap handler (#22161) (09d8c90)

backport #22159, apply server.fs check to env transport (#22162) (19db0f2)

check server.fs after stripping query as well (#22160) (f8103cc)

Commits

ca31424 release: v7.3.3
5ab51c0 fix: avoid destructure lowering for newer safari (#22346)
cc383e0 release: v7.3.2
09d8c90 fix: avoid path traversal with optimize deps sourcemap handler (#22161)
f8103cc fix: check server.fs after stripping query as well (#22160)
19db0f2 fix: backport #22159, apply server.fs check to env transport (#22162)
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 11 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@fastify/static](https://github.com/fastify/fastify-static) | `9.0.0` | `9.1.1` | | [fastify](https://github.com/fastify/fastify) | `5.8.1` | `5.8.5` | | [@hono/node-server](https://github.com/honojs/node-server) | `1.19.10` | `1.19.14` | | [brace-expansion](https://github.com/juliangruber/brace-expansion) | `5.0.4` | `5.0.6` | | [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.2` | | [hono](https://github.com/honojs/hono) | `4.12.7` | `4.12.18` | | [ip-address](https://github.com/beaugunderson/ip-address) | `10.1.0` | `10.2.0` | | [path-to-regexp](https://github.com/pillarjs/path-to-regexp) | `8.3.0` | `8.4.2` | | [picomatch](https://github.com/micromatch/picomatch) | `4.0.3` | `4.0.4` | | [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.14` | | [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.3.1` | `7.3.3` | Updates `@fastify/static` from 9.0.0 to 9.1.1 - [Release notes](https://github.com/fastify/fastify-static/releases) - [Commits](fastify/fastify-static@v9.0.0...v9.1.1) Updates `fastify` from 5.8.1 to 5.8.5 - [Release notes](https://github.com/fastify/fastify/releases) - [Commits](fastify/fastify@v5.8.1...v5.8.5) Updates `@hono/node-server` from 1.19.10 to 1.19.14 - [Release notes](https://github.com/honojs/node-server/releases) - [Commits](honojs/node-server@v1.19.10...v1.19.14) Updates `brace-expansion` from 5.0.4 to 5.0.6 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v5.0.4...v5.0.6) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.1.0...v3.1.2) Updates `hono` from 4.12.7 to 4.12.18 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.7...v4.12.18) Updates `ip-address` from 10.1.0 to 10.2.0 - [Commits](https://github.com/beaugunderson/ip-address/commits) Updates `path-to-regexp` from 8.3.0 to 8.4.2 - [Release notes](https://github.com/pillarjs/path-to-regexp/releases) - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md) - [Commits](pillarjs/path-to-regexp@v8.3.0...v8.4.2) Updates `picomatch` from 4.0.3 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `postcss` from 8.5.6 to 8.5.14 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.5.6...8.5.14) Updates `vite` from 7.3.1 to 7.3.3 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.3/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.3/packages/vite) --- updated-dependencies: - dependency-name: "@fastify/static" dependency-version: 9.1.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: fastify dependency-version: 5.8.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@hono/node-server" dependency-version: 1.19.14 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 5.0.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.18 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ip-address dependency-version: 10.2.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: path-to-regexp dependency-version: 8.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 4.0.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: postcss dependency-version: 8.5.14 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 7.3.3 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

Brings in PR #40 (native-token USD prices + execution-client fingerprinting) and PR #41 (dependabot fastify 5.8.5 bump). Conflict resolution favored PR #39's architectural structure: the PR #40 features are ported into the new src/ layout instead of into the old monolithic index.js / mcp-tools.js. - src/http/routes/chains.js: /chains and /chains/:id now enrich responses with price via priceService. - src/http/routes/clients.js (new): /clients and /clients/:id expose getClientsByChain output. - src/http/routes/rpcMonitor.js: /rpc-monitor/:id gains a clients array via summarizeChainClients. - src/http/app.js: registers clientsRoutes, kicks off prefetchAllPrices on startup (with pino-logged failure). - index.js: kept the PR #39 shim form (imports buildApp from src/http/app.js). - mcp-tools.js: keeps PR #39's L2BEAT/refresher tools (get_scaling_chains, get_l2beat_by_id, get_refresher_status) AND adds PR #40's get_clients; get_chains / get_chain_by_id handlers enriched with price. - package.json: union of deps — pino ^10.3.0 (PR #39) + fastify ^5.8.5 (PR #41). - tests/integration/api.test.js: kept the PR #39 hoisted-mocks pattern, added priceService and clientsView mock factories so the new routes resolve under mocked seams. - tests/unit/mcp-tools.test.js: kept l2beatRefresher mock, added clientsView + priceService mocks; tool count is now 17 (13 base + 3 L2BEAT/refresher + 1 clients). - package-lock.json: regenerated by npm install. Test result: 670 passing / 0 failing / 4 skipped (PR #39 was 618/0/4 and PR #40 added priceService + clientsView + clientParser test modules; merged total adds 52 net new passing tests).

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 12, 2026

Johnaverse merged commit e19a74b into main May 14, 2026
2 of 3 checks passed

Johnaverse deleted the dependabot/npm_and_yarn/npm_and_yarn-7abf79be60 branch May 14, 2026 00:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 1 directory with 11 updates#41

Bump the npm_and_yarn group across 1 directory with 11 updates#41
Johnaverse merged 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-7abf79be60

dependabot Bot commented on behalf of github May 12, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github May 12, 2026

v9.1.1

⚠️ Security Release

What's Changed

v9.1.0

What's Changed

New Contributors

v5.8.5

⚠️ Security Release

What's Changed

New Contributors

v5.8.4

v5.8.3

⚠️ Security Release

What's Changed

New Contributors

v1.19.14

What's Changed

v1.19.13

Security Fix

v1.19.12

What's Changed

v1.19.11

What's Changed

v3.1.2

⚠️ Security Release

What's Changed

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

v4.12.18

Security fixes

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

CSS Declaration Injection via Style Object Values in JSX SSR

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

v4.12.17

What's Changed

New Contributors

v4.12.16

Security fixes

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

bodyLimit() can be bypassed for chunked / unknown-length requests

v4.12.15

What's Changed

v8.4.2

v8.4.1

v8.4.0

4.0.4

What's Changed

8.5.14

8.5.13

8.5.12

8.5.11

8.5.10

8.5.9

8.5.8

8.5.7

8.5.14

8.5.13

8.5.12

8.5.11

8.5.10

8.5.9

8.5.8

8.5.7

v7.3.3

v7.3.2

7.3.3 (2026-05-07)

Bug Fixes

7.3.2 (2026-04-06)

Bug Fixes

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone