build(deps): bump the npm_and_yarn group across 1 directory with 8 updates by dependabot[bot] · Pull Request #50 · WilliamAGH/java-chat

dependabot · 2026-05-18T05:50:37Z

Bumps the npm_and_yarn group with 7 updates in the /frontend directory:

Package	From	To
dompurify	`3.3.1`	`3.4.0`
svelte	`5.48.0`	`5.55.7`
vite	`6.4.1`	`6.4.2`
minimatch	`3.1.2`	`3.1.5`
minimatch	`9.0.5`	`9.0.9`
flatted	`3.3.3`	`3.4.2`
picomatch	`2.3.1`	`4.0.4`
rollup	`4.56.0`	`4.60.4`

Updates dompurify from 3.3.1 to 3.4.0

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.0

Most relevant changes:

Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @kodareef5

Fixed several minor problems and typos regarding MathML attributes, thanks @DavidOliver

Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @1Jesper1

Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @bencalif

Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @trace37labs

Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @eddieran

Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @christos-eth

Fixed an issue with USE_PROFILES prototype pollution, thanks @christos-eth

Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @researchatfluidattacks and others

Fixed an issue with closing tags leading to possible mXSS, thanks @frevadiscor

Fixed a problem with the type dentition patcher after Node version bump

Fixed freezing BS runs by reducing the tested browsers array

Bumped several dependencies where possible

Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

DOMPurify 3.3.3

Fixed an engine requirement for Node 20 which caused hiccups, thanks @Rotzbua

DOMPurify 3.3.2

Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters

Fixed a prototype pollution issue when working with custom elements, thanks @christos-eth

Fixed a lenient config parsing in _isValidAttribute, thanks @christos-eth

Bumped and removed several dependencies, thanks @Rotzbua

Fixed the test suite after bumping dependencies, thanks @Rotzbua

Commits

5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
8bcbf73 chore: Preparing 3.3.3 release
5faddd6 fix: engine requirement (#1210)
0f91e3a Update README.md
d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
c3efd48 fix: moved back from jsdom 28 to jsdom 20
988b888 fix: moved back from jsdom 28 to jsdom 20
2726c74 chore: Preparing 3.3.2 release
6202c7e build(deps): bump @tootallnate/once and jsdom (#1204)
302b51d fix: Expanded the regex ever so slightly to also cover script
Additional commits viewable in compare view

Updates svelte from 5.48.0 to 5.55.7

Release notes

Sourced from svelte's releases.

svelte@5.55.7

Patch Changes

fix: prevent XSS on hydratable from user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)

chore: bump devalue (#18219)

fix: disallow empty attribute names during SSR (547853e2406a2147ad7fb5ffeba95b01bd9642da)

fix: harden regex (d2375e2ebcab5c88feb5652f1a9d621b8f06b259)

fix: move Svelte runtime properties to symbols (e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)

svelte@5.55.6

Patch Changes

fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)

fix: keep dependencies of $state.eager/pending (#18218)

fix: reapply context after transforming error during SSR (#18099)

fix: don't rebase just-created batches (#18117)

chore: allow null for pending in typings (#18201)

fix: flush eager effects in production (#18107)

fix: rethrow error of failed iterable after calling return() (#18169)

fix: account for proxified instance when updating bind:this (#18147)

fix: ensure scheduled batch is flushed if not obsolete (#18131)

fix: resolve stale deriveds with latest value (#18167)

chore: remove unnecessary increment_pending calls (#18183)

fix: correctly compile component member expressions for SSR (#18192)

fix: reset source.updated stack traces after flush (#18196)

fix: replacing async 'blocking' strategy with 'merging' (#18205)

fix: allow @debug tags to reference awaited variables (#18138)

fix: re-run fallback props if dependencies update (#18146)

fix: abort running obsolete async branches (#18118)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.55.7

Patch Changes

fix: prevent XSS on hydratable from user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)

chore: bump devalue (#18219)

fix: disallow empty attribute names during SSR (547853e2406a2147ad7fb5ffeba95b01bd9642da)

fix: harden regex (d2375e2ebcab5c88feb5652f1a9d621b8f06b259)

fix: move Svelte runtime properties to symbols (e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)

5.55.6

Patch Changes

fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)

fix: keep dependencies of $state.eager/pending (#18218)

fix: reapply context after transforming error during SSR (#18099)

fix: don't rebase just-created batches (#18117)

chore: allow null for pending in typings (#18201)

fix: flush eager effects in production (#18107)

fix: rethrow error of failed iterable after calling return() (#18169)

fix: account for proxified instance when updating bind:this (#18147)

fix: ensure scheduled batch is flushed if not obsolete (#18131)

fix: resolve stale deriveds with latest value (#18167)

chore: remove unnecessary increment_pending calls (#18183)

fix: correctly compile component member expressions for SSR (#18192)

fix: reset source.updated stack traces after flush (#18196)

fix: replacing async 'blocking' strategy with 'merging' (#18205)

fix: allow @debug tags to reference awaited variables (#18138)

fix: re-run fallback props if dependencies update (#18146)

... (truncated)

Commits

4d8f99a Version Packages (#18220)
0552308 chore: bump devalue (#18219)
e1cbbd9 Merge commit from fork
a16ebc6 Merge commit from fork
d2375e2 Merge commit from fork
547853e Merge commit from fork
55f9c85 Version Packages (#18158)
a10e8e4 fix: keep dependencies of $state.eager/pending (alternative approach) (#1...
ef4b97d fix: duplicated "of" in events.js comment (#18217)
5122936 fix: treat batches as a linked list (#18205)
Additional commits viewable in compare view

Updates vite from 6.4.1 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163

fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

Commits

6b3fad0 release: v6.4.2
ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
5487f4f release: v6.4.1
1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
f12697c release: v6.4.0
ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
0e173d8 release: v6.3.7
c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
3f337c5 release: v6.3.6
Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates minimatch from 9.0.5 to 9.0.9

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates devalue from 5.6.2 to 5.8.1

Release notes

Sourced from devalue's releases.

v5.8.1

Patch Changes

206ca67: fix: force sparse arrays to allocate sparsely

v5.8.0

Minor Changes

c5115b0: feat: add stringifyAsync for async serialization

v5.7.1

Patch Changes

8becc7c: fix: handle regexes consistently in uneval's value and reference formats

v5.7.0

Minor Changes

df2e284: feat: use native alternatives to encode/decode base64

498656e: feat: add DataView support

a210130: feat: whitelist Float16Array

df2e284: feat: simplify TypedArray slices

Patch Changes

5590634: fix: get uneval type handling up to parity with stringify

57f73fc: fix: correctly support boxed bigints and sentinel values

v5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

Changelog

Sourced from devalue's changelog.

5.8.1

Patch Changes

206ca67: fix: force sparse arrays to allocate sparsely

5.8.0

Minor Changes

c5115b0: feat: add stringifyAsync for async serialization

5.7.1

Patch Changes

8becc7c: fix: handle regexes consistently in uneval's value and reference formats

5.7.0

Minor Changes

df2e284: feat: use native alternatives to encode/decode base64

498656e: feat: add DataView support

a210130: feat: whitelist Float16Array

df2e284: feat: simplify TypedArray slices

Patch Changes

5590634: fix: get uneval type handling up to parity with stringify

57f73fc: fix: correctly support boxed bigints and sentinel values

5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

Commits

796ea83 Version Packages (#152)
206ca67 Merge commit from fork
14933f7 Version Packages (#151)
c5115b0 feat: stringifyAsync (#150)
67dad45 docs: update README to reflect serialization stability non-goal (#147)
6eb920a Version Packages (#146)
8becc7c fix: handle regexes consistently in uneval's value and reference formats (#145)
2eee2e4 Version Packages (#144)
498656e DataView support (#143)
5590634 Improve platform types support (#142)
Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

3bf0909 3.4.2
885ddcc fix CWE-1321
0bdba70 added flatted-view to the benchmark
2a02dce 3.4.1
fba4e8f Merge pull request #89 from WebReflection/python-fix
5fe8648 added "when in Rome" also a test for PHP
53517ad some minor improvement
b3e2a0c Fixing recursion issue in Python too
c4b46db Add SECURITY.md for security policy and reporting
f86d071 Create dependabot.yml for version updates
Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

4.0.3

What's Changed

fix: exception when glob pattern contains constructor by @Jason3S in micromatch/picomatch#144

New Contributors

@Jason3S made their first contribution in micromatch/picomatch#144

Full Changelog: micromatch/picomatch@4.0.2...4.0.3

3.0.2

This is a security release fixing several security relevant issues.

What's Changed

fix: exception when glob pattern contains constructor by @Jason3S in micromatch/picomatch#144

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@3.0.1...3.0.2

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

fix: exception when glob pattern contains constructor by @Jason3S in micromatch/picomatch#144

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Changelogs are for humans, not machines.

There should be an entry for every single version.

The same types of changes should be grouped.

Versions and sections should be linkable.

The latest version comes first.

The release date of each versions is displayed.

Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

Added for new features.

Changed for changes in existing functionality.

Deprecated for soon-to-be removed features.

Removed for now removed features.

Fixed for any bug fixes.

Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Fix bad text values in parse #126, thanks to @connor4312

Changed

Remove process global to work outside of node #129, thanks to @styfle

Add sideEffects to package.json #128, thanks to @frandiox

Removed os, make compatible browser environment. See #124, thanks to @gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

e5474fc Publish 4.0.4
4516eb5 Merge commit from fork
5eceecd Merge commit from fork
0db7dd7 Run benchmark again against latest minimatch version (#161)
9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
2661f23 fix typo in globstars.js test name (#138)
1798b07 docs: fix makeRe example (#143)
9d76bc5 chore: undocument removed options (#146)
e4d718b Remove unused time-require (#160)
38dffeb chore(deps): pin dependencies (#158)
Additional commits viewable in compare view

Updates rollup from 4.56.0 to 4.60.4

Release notes

Sourced from rollup's releases.

v4.60.4

4.60.4

2026-05-14

Bug Fixes

Improve stability of chunk hashes (#6362)

Pull Requests

#6362: fix: stabilize chunk assignment across parallel file reads (@sonukapoor, @Sonu Kapoor, @TrickyPi, @lukastaegert)

#6370: fix(deps): update minor/patch updates (@renovate[bot])

#6371: chore(deps): update dependency lru-cache to v11 (@renovate[bot], @lukastaegert)

#6372: chore(deps): update react monorepo to v19 (major) (@renovate[bot])

#6373: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6375: Resolve vulnerabilities (@lukastaegert)

v4.60.2

4.60.2

2026-04-18

Bug Fixes

Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

#6327: docs: fix various typos in source and documentation (@Abhi3975, @lukastaegert)

#6331: fix(deps): update minor/patch updates (@renovate[bot])

#6332: chore(deps): update codecov/codecov-action action to v6 (@renovate[bot])

#6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@renovate[bot])

#6334: fix(deps): update rust crate swc_compiler_base to v51 (@renovate[bot])

#6335: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6346: fix(deps): update minor/patch updates (@renovate[bot])

#6347: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6348: fix(deps): update swc monorepo (major) (@renovate[bot], @lukastaegert)

#6349: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6350: fix: reset variable render names between outputs in the same generate (@barry3406, @lukastaegert)

#6351: chore(deps): update minor/patch updates (@renovate[bot])

#6352: chore(deps): update cross-platform-actions/action action to v1 (@renovate[bot])

#6353: chore(deps): update dependency lru-cache to v11 (@renovate[bot], @lukastaegert)

#6354: chore(deps): lock file maintenance (@renovate[bot])

#6355: chore(deps): lock file maintenance (@renovate[bot])

#6356: chore(deps): lock file maintenance (@renovate[bot])

#6358: chore: remove cross-env from devDeps (@K-tecchan)

v4.60.1

4.60.1

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.4

2026-05-14

Bug Fixes

Improve stability of chunk hashes (#6362)

Pull Requests

#6362: fix: stabilize chunk assignment across parallel file reads (@sonukapoor, @Sonu Kapoor, @TrickyPi, @lukastaegert)

#6370: fix(deps): update minor/patch updates (@renovate[bot])

#6371: chore(deps): update dependency lru-cache to v11 (@renovate[bot], @lukastaegert)

#6372: chore(deps): update react monorepo to v19 (major) (@renovate[bot])

#6373: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6375: Resolve vulnerabilities (@lukastaegert)

4.60.3

2026-05-04

Bug Fixes

Ensure nested "exports" variables are not renamed (#6360)

Pull Requests

#6360: fix: do not rename nested "exports" bindings that do not conflict (@tariqrafique, @lukastaegert)

#6364: chore(deps): update msys2/setup-msys2 digest to e989830 (@renovate[bot])

#6365: fix(deps): update minor/patch updates (@renovate[bot])

#6366: fix(deps): update swc monorepo (major) (@renovate[bot])

#6367: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6368: docs: add missing backticks in plugin-development (@lumirlumir, @lukastaegert)

4.60.2

2026-04-18

Bug Fixes

Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

#6327: docs: fix various typos in source and documentation (@Abhi3975, @lukastaegert)

#6331: fix(deps): update minor/patch updates (@renovate[bot])

#6332: chore(deps): update codecov/codecov-action action to v6 (@renovate[bot])

#6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@renovate[bot])

#6334: fix(deps): update rust crate swc_compiler_base to v51 (@renovate[bot])

#6335: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

... (truncated)

Commits

d311a84 4.60.4
6aa3248 fix: stabilize chunk assignment across parallel file reads (#6362)
82a0fe7 Resolve vulnerabilities (#6375)
71f5ebc chore(deps): update dependency lru-cache to v11 (#6371)
af91d77 chore(deps): lock file maintenance (#6373)
65e7b94 chore(deps): update react monorepo to v19 (major) (#6372)
642587f fix(deps): update minor/patch updates (#6370)
b47bdab 4.60.3
15c5f33 Add again some unneeded dev dependencies, to make some builds succeed
12195dc fix: do not rename nested "exports" bindings that do not conflict (#6360)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Greptile Summary

This PR bumps 8 frontend npm dependencies in the /frontend directory via Dependabot, covering both routine patch/minor updates and several security-relevant fixes. No application logic changes are included.

Security fixes: dompurify 3.4.0 resolves prototype pollution (via CUSTOM_ELEMENT_HANDLING and USE_PROFILES), mXSS via re-contextualization, and ADD_ATTR URI-validation bypass; svelte 5.55.7 fixes XSS in hydratable SSR; vite 6.4.2 patches a path-traversal in the optimize-deps sourcemap handler and a missing server.fs check on env transport; flatted 3.4.2 fixes CWE-1321 prototype pollution; picomatch 4.0.4 addresses CVE-2026-33671 and CVE-2026-33672.
Notable version jumps: picomatch is upgraded across a major boundary (2.3.1 → 4.0.4) as a transitive dependency pinned only in the lock file; svelte moves from the broad ^5.0.0 range to the tighter ^5.55.7 floor; rollup and minimatch receive multi-release patch/minor catches.
Lock-file hygiene: package-lock.json is regenerated consistently with the new ranges declared in package.json.

Confidence Score: 5/5

Safe to merge — all changes are automated dependency bumps with no application logic touched, and every updated package resolves known vulnerabilities present in the previous versions.

Both changed files are package.json and package-lock.json. Every package update either closes a disclosed security issue or brings in bug/stability fixes. The picomatch major-version jump (2→4) is the most noteworthy change, but picomatch is only a transitive build-tool dependency, and the breaking changes in v4 do not affect runtime application code.

No files require special attention. Both package.json and package-lock.json are internally consistent and reflect only the declared version bumps.

Important Files Changed

Filename	Overview
frontend/package.json	Version range bumps for dompurify, svelte, and vite; all changes are additive security/bug-fix updates within existing semver ranges or tightened lower bounds.
frontend/package-lock.json	Lock file regenerated to resolve pinned versions for all 8 updated packages, including transitive bumps of minimatch, flatted, picomatch, devalue, and rollup platform binaries; entries are internally consistent.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Dependabot PR - 8 npm updates] --> B[Security Fixes]
    A --> C[Bug / Stability Fixes]

    B --> D[dompurify 3.3.1 → 3.4.0\nPrototype pollution, mXSS, URI bypass]
    B --> E[svelte 5.48.0 → 5.55.7\nXSS in hydratable SSR]
    B --> F[vite 6.4.1 → 6.4.2\nPath traversal, server.fs bypass]
    B --> G[flatted 3.3.3 → 3.4.2\nCWE-1321 prototype pollution]
    B --> H[picomatch 2.3.1 → 4.0.4\nCVE-2026-33671, CVE-2026-33672]

    C --> I[minimatch 3.1.2→3.1.5 / 9.0.5→9.0.9\nReDoS fix]
    C --> J[rollup 4.56.0 → 4.60.4\nChunk hash stability, variable rendering]
    C --> K[devalue 5.6.2 → 5.8.1\n__proto__ prototype pollution fixes]

_{Reviews (1): Last reviewed commit: "build(deps): bump the npm_and_yarn group..." | Re-trigger Greptile}

…dates Bumps the npm_and_yarn group with 7 updates in the /frontend directory: | Package | From | To | | --- | --- | --- | | [dompurify](https://github.com/cure53/DOMPurify) | `3.3.1` | `3.4.0` | | [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte) | `5.48.0` | `5.55.7` | | [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `6.4.1` | `6.4.2` | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` | | [minimatch](https://github.com/isaacs/minimatch) | `9.0.5` | `9.0.9` | | [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` | | [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `4.0.4` | | [rollup](https://github.com/rollup/rollup) | `4.56.0` | `4.60.4` | Updates `dompurify` from 3.3.1 to 3.4.0 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.3.1...3.4.0) Updates `svelte` from 5.48.0 to 5.55.7 - [Release notes](https://github.com/sveltejs/svelte/releases) - [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md) - [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.55.7/packages/svelte) Updates `vite` from 6.4.1 to 6.4.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `minimatch` from 9.0.5 to 9.0.9 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `devalue` from 5.6.2 to 5.8.1 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.2...v5.8.1) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `picomatch` from 2.3.1 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...4.0.4) Updates `rollup` from 4.56.0 to 4.60.4 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.56.0...v4.60.4) --- updated-dependencies: - dependency-name: dompurify dependency-version: 3.4.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: svelte dependency-version: 5.55.7 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 6.4.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 9.0.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.8.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 4.0.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.60.4 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 18, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the npm_and_yarn group across 1 directory with 8 updates#50

build(deps): bump the npm_and_yarn group across 1 directory with 8 updates#50
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/frontend/npm_and_yarn-8019164dec

dependabot Bot commented on behalf of github May 18, 2026 •

edited by greptile-apps Bot

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 18, 2026 • edited by greptile-apps Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

DOMPurify 3.4.0

DOMPurify 3.3.3

DOMPurify 3.3.2

svelte@5.55.7

Patch Changes

svelte@5.55.6

Patch Changes

5.55.7

Patch Changes

5.55.6

Patch Changes

v6.4.2

6.4.2 (2026-04-06)

v5.8.1

Patch Changes

v5.8.0

Minor Changes

v5.7.1

Patch Changes

v5.7.0

Minor Changes

Patch Changes

v5.6.4

Patch Changes

v5.6.3

Patch Changes

5.8.1

Patch Changes

5.8.0

Minor Changes

5.7.1

Patch Changes

5.7.0

Minor Changes

Patch Changes

5.6.4

Patch Changes

5.6.3

Patch Changes

4.0.4

What's Changed

4.0.3

What's Changed

New Contributors

3.0.2

What's Changed

2.3.2

What's Changed

Release history

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

v4.60.4

4.60.4

Bug Fixes

Pull Requests

v4.60.2

4.60.2

Bug Fixes

Pull Requests

v4.60.1

4.60.1

4.60.4

Bug Fixes

Pull Requests

4.60.3

Bug Fixes

Pull Requests

4.60.2

Bug Fixes

Pull Requests

Greptile Summary

Confidence Score: 5/5

Important Files Changed

Flowchart

dependabot Bot commented on behalf of github May 18, 2026 •

edited by greptile-apps Bot

Loading