Skip to content

chore(deps): bump the vue group across 1 directory with 3 updates#3

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/vue-11c694bf47
Closed

chore(deps): bump the vue group across 1 directory with 3 updates#3
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/vue-11c694bf47

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 7, 2026

Copy link
Copy Markdown

Bumps the vue group with 3 updates in the / directory: @vitejs/plugin-vue, pinia and vue-tsc.

Updates @vitejs/plugin-vue from 5.2.4 to 6.0.7

Release notes

Sourced from @​vitejs/plugin-vue's releases.

plugin-vue@6.0.7

Please refer to CHANGELOG.md for details.

plugin-vue@6.0.6

Please refer to CHANGELOG.md for details.

plugin-vue@6.0.5

Please refer to CHANGELOG.md for details.

plugin-vue@6.0.4

Please refer to CHANGELOG.md for details.

plugin-vue@6.0.3

Please refer to CHANGELOG.md for details.

plugin-vue@6.0.2

Please refer to CHANGELOG.md for details.

plugin-vue@6.0.1

Please refer to CHANGELOG.md for details.

plugin-vue@6.0.0

Please refer to CHANGELOG.md for details.

plugin-vue@6.0.0-beta.2

Please refer to CHANGELOG.md for details.

plugin-vue@6.0.0-beta.1

Please refer to CHANGELOG.md for details.

plugin-vue@6.0.0-beta.0

Please refer to CHANGELOG.md for details.

Changelog

Sourced from @​vitejs/plugin-vue's changelog.

6.0.7 (2026-05-15)

Features

  • use carets for @rolldown/pluginutils version (#776) (941b651)

Bug Fixes

  • deps: update all non-major dependencies (#762) (9e825b8)
  • deps: update all non-major dependencies (#774) (77dc8bc)

6.0.6 (2026-04-13)

Features

  • plugin-vue: propagate multiRoot for template-only vapor components (#745) (9e07ae9)

Bug Fixes

  • deps: update all non-major dependencies (#738) (050c996)

Miscellaneous Chores

6.0.5 (2026-03-12)

Miscellaneous Chores

  • remove Vite 8 beta from supported range (#746) (b3f23e4)

6.0.4 (2026-02-02)

Bug Fixes

  • deps: update all non-major dependencies (#709) (924b28e)
  • deps: update all non-major dependencies (#722) (8a95809)
  • deps: update all non-major dependencies (#726) (e69d751)

Miscellaneous Chores

6.0.3 (2025-12-12)

Features

Bug Fixes

  • deps: update all non-major dependencies (#707) (799f419)

... (truncated)

Commits
  • f93aceb release: plugin-vue@6.0.7
  • 941b651 feat: use carets for @rolldown/pluginutils version (#776)
  • 77dc8bc fix(deps): update all non-major dependencies (#774)
  • 9e825b8 fix(deps): update all non-major dependencies (#762)
  • 51dbf4b release: plugin-vue@6.0.6
  • 9e07ae9 feat(plugin-vue): propagate multiRoot for template-only vapor components (#745)
  • 050c996 fix(deps): update all non-major dependencies (#738)
  • 6d834d8 chore: remove unused deps (#760)
  • a0e1ef8 chore(deps): update dependency rollup to ^4.59.0 (#749)
  • 6ad6cc1 release: plugin-vue@6.0.5
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​vitejs/plugin-vue since your current version.


Updates pinia from 2.3.1 to 3.0.4

Commits

Updates vue-tsc from 2.2.12 to 3.3.3

Release notes

Sourced from vue-tsc's releases.

v3.3.3

vscode

  • fix: prevent grammar scopes leakage in capitalized tags (#6073) - Thanks to @​KazariEX!
  • fix: preserve TS auto imports behavior in Vue files (#6072) - Thanks to @​KazariEX!

workspace

  • fix: read PR title from env in auto-version workflow to prevent injection (#6074) - Thanks to @​arpitjain099!

Our Sponsors ❤️

... (truncated)

Changelog

Sourced from vue-tsc's changelog.

3.3.3 (2026-05-30)

vscode

  • fix: prevent grammar scopes leakage in capitalized tags (#6073) - Thanks to @​KazariEX!
  • fix: preserve TS auto imports behavior in Vue files (#6072) - Thanks to @​KazariEX!

workspace

  • fix: read PR title from env in auto-version workflow to prevent injection (#6074) - Thanks to @​arpitjain099!

3.3.2 (2026-05-25)

language-core

  • feat: preserve literal types for inline v-for sources (#6067) - Thanks to @​kkesidis!
  • fix: align v-bind shorthand identifier skipping with interpolation - Thanks to @​KazariEX!

vscode

  • feat: transform tsserver content (#6062) - Thanks to @​KazariEX!
  • fix: do not mark trailing slash in capitalized self-closing tags as invalid (#6065) - Thanks to @​suisanka!

3.3.1 (2026-05-19)

language-core

  • fix: avoid extraneous children error for conditional slots (#6056) - Thanks to @​KazariEX!

language-service

  • refactor: replace scanner-based missing props hints detection with AST traversal - Thanks to @​KazariEX!

typescript-plugin

  • fix: get component prop details from symbols - Thanks to @​KazariEX!
  • fix: skip unchecked JS identifiers in component props (#6055) - Thanks to @​KazariEX!

vscode

  • fix: resolve typescript plugin path from resolved server path (#6058) - Thanks to @​KazariEX!

3.3.0 (2026-05-18)

language-core

  • feat: check required fallthrough attributes (#6049) - Thanks to @​KazariEX!
  • fix: penetrate v-if branch fragments when collecting single root nodes - Thanks to @​KazariEX!
  • refactor: rename Sfc APIs to IR - Thanks to @​KazariEX!

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vue-tsc since your current version.


@dependabot @github

dependabot Bot commented on behalf of github Jun 7, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@YamadaBlog

Copy link
Copy Markdown
Owner

@dependabot rebase

Bumps the vue group with 3 updates in the / directory: [@vitejs/plugin-vue](https://github.com/vitejs/vite-plugin-vue/tree/HEAD/packages/plugin-vue), [pinia](https://github.com/vuejs/pinia) and [vue-tsc](https://github.com/vuejs/language-tools/tree/HEAD/packages/tsc).


Updates `@vitejs/plugin-vue` from 5.2.4 to 6.0.7
- [Release notes](https://github.com/vitejs/vite-plugin-vue/releases)
- [Changelog](https://github.com/vitejs/vite-plugin-vue/blob/main/packages/plugin-vue/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite-plugin-vue/commits/plugin-vue@6.0.7/packages/plugin-vue)

Updates `pinia` from 2.3.1 to 3.0.4
- [Release notes](https://github.com/vuejs/pinia/releases)
- [Commits](vuejs/pinia@v2.3.1...v3.0.4)

Updates `vue-tsc` from 2.2.12 to 3.3.3
- [Release notes](https://github.com/vuejs/language-tools/releases)
- [Changelog](https://github.com/vuejs/language-tools/blob/master/CHANGELOG.md)
- [Commits](https://github.com/vuejs/language-tools/commits/v3.3.3/packages/tsc)

---
updated-dependencies:
- dependency-name: "@vitejs/plugin-vue"
  dependency-version: 6.0.7
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: vue
- dependency-name: pinia
  dependency-version: 3.0.4
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: vue
- dependency-name: vue-tsc
  dependency-version: 3.3.3
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: vue
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump the vue group with 3 updates chore(deps): bump the vue group across 1 directory with 3 updates Jun 7, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/vue-11c694bf47 branch from a29639a to 69637d2 Compare June 7, 2026 19:05
@YamadaBlog

Copy link
Copy Markdown
Owner

Closing — pinia 2 → 3 + @vitejs/plugin-vue 5 → 6 + vue-tsc 2 → 3 = three majors in one PR. Pinia 3 changes the store setup API; vue-tsc 3 changes the type-check pipeline. Affects every Vue example (examples/01-03) + the v2.3.4 reference build — too risky for an auto-PR. Will re-evaluate as separate PRs aligned with the broader Vue 3.5 / Pinia 3 ecosystem upgrade.

@YamadaBlog YamadaBlog closed this Jun 7, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 7, 2026

Copy link
Copy Markdown
Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/vue-11c694bf47 branch June 7, 2026 19:09
YamadaBlog added a commit that referenced this pull request Jun 8, 2026
…udit

The brutal alpha.25 product audit caught 6 gaps that earlier audits
missed by reading README narrative instead of running npm view +
npm audit + asset-rights checks. This alpha closes all 6. Vue v2.3.4
byte-identical on 27th alpha.

P0 #1 — npm install pulse-player 404
  README told Vue consumers `npm install pulse-player` while npm view
  returned 404 NOT FOUND. The Vue lib was never published. Most
  embarrassing kind of doc bug — copy-paste install command broken.
  - Removed the lying install line
  - Added honest Vue install path (vendor src/lib or use @pulse-music/web-component)
  - Parity table Vue row: source-available, not on npm
  - Version table + Source column (npm vs source-available)
  - Hero box: 7 @Pulse-Music packages (was "six core" + lying Vue ref)

P0 #2CVE-2026-47429 vitest CVSS 9.8
  Earlier audits ran `npm audit --omit=dev` only. Full audit shows
  1 critical (vitest UI server RCE). Fix only in vitest 4.x.
  - Tried vitest 4.x — needs Node 22.6+ (styleText), maintainer Node 20.11 throws
  - Settled vitest 3.x + @vitest/coverage-v8 3.x (was 1.6.1)
  - SECURITY.md documents WHY not runtime-exploitable (no --ui/--api flags;
    dev server never binds port; consumers never receive vitest)
  - Path to full fix: maintainer upgrades Node 22.6+/24 LTS

P0 #3 — Demo audio assets REMOVED from public deployment
  Most dangerous legal exposure: public/audio/{track1,track2,cover,cover2}
  served from GH Pages + public repo since alpha.16. NOTICE.md says
  NOT licensed for redistribution + provenance not documented. DMCA risk.
  - git rm --cached + rm 4 files (8.4 MB)
  - .gitignore public/audio/*.{webm,mp3,webp}
  - public/audio/README.md explains empty state + setup procedure
  - NOTICE.md §3 updated REMOVED + historical table kept for traceability
  - GH Pages: chrome renders silent state, legally safe baseline

P0 #4 — @pulse-music/angular private status clarified
  Parity table: ~95% (code) / 0% (distribution) + "private, not on npm yet"
  Version table dedicated row
  FEATURE_MATRIX test count row "(private, not on npm)"

P1 — Custom OG image PNG generated + deployed
  usesCustomOpenGraphImage was false.
  - sharp-generated PNGs (no external binary):
    docs/brand/og-banner.png 1200x630 30.8 kB
    docs/brand/logo-{256,512}.png
    public/favicon.png 32x32
  - public/og-banner.png deployed live URL ready
  - index.html OG + Twitter Card meta point at branded banner
  - docs/brand/README.md regen one-liner + Settings → Social preview steps

P2 — Doc sprawl 36 → 31 active + 5 archived
  Moved to docs/_archive/:
    RENAMING_DECISION   decision locked
    REACT_NATIVE_RUNTIME_SETUP   sprint shipped alpha.22
    PROTECTION_NOTES   folded into PRICING + LICENSING
    PUBLISH_CHECKLIST   cadence in VERSION_STRATEGY
    GIF_GUIDE   YouTube covers it
  docs/_archive/README.md indexes successors

QUALITY GATE
  type-check               → clean
  lint                     → 0 errors, 0 warnings
  format:check             → all files use Prettier code style
  tests (root)             →  33 / 33
  tests (@pulse-music/*)   → 106 / 106
  TOTAL unit               → 139 / 139
  audit (prod-only)        → 0 vulnerabilities
  audit (full, dev incl.)  → 12 mod + 1 crit (dev-only, documented)
  Vue v2.3.4 demo          → bit-for-bit identical
  src/lib/                 → ZERO file modified (27th consecutive alpha)

Self-assessed grade: 5.8 → 6.6 / 10 brutal.

+0.8 reflects: no more lying README, no more legal exposure (assets
removed), CRITICAL CVE documented + scoped, Angular status honest,
branded OG deployed, doc surface reduced.

Ceiling stays ~6.6 because 0 stars/dl/users unchanged. Next raise
needs maintainer to post launch threads + Day 7 measurement.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant