chore(deps): bump the vue group across 1 directory with 3 updates#3
chore(deps): bump the vue group across 1 directory with 3 updates#3dependabot[bot] wants to merge 1 commit into
Conversation
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
|
@dependabot rebase |
Bumps the vue group with 3 updates in the / directory: [@vitejs/plugin-vue](https://github.com/vitejs/vite-plugin-vue/tree/HEAD/packages/plugin-vue), [pinia](https://github.com/vuejs/pinia) and [vue-tsc](https://github.com/vuejs/language-tools/tree/HEAD/packages/tsc). Updates `@vitejs/plugin-vue` from 5.2.4 to 6.0.7 - [Release notes](https://github.com/vitejs/vite-plugin-vue/releases) - [Changelog](https://github.com/vitejs/vite-plugin-vue/blob/main/packages/plugin-vue/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite-plugin-vue/commits/plugin-vue@6.0.7/packages/plugin-vue) Updates `pinia` from 2.3.1 to 3.0.4 - [Release notes](https://github.com/vuejs/pinia/releases) - [Commits](vuejs/pinia@v2.3.1...v3.0.4) Updates `vue-tsc` from 2.2.12 to 3.3.3 - [Release notes](https://github.com/vuejs/language-tools/releases) - [Changelog](https://github.com/vuejs/language-tools/blob/master/CHANGELOG.md) - [Commits](https://github.com/vuejs/language-tools/commits/v3.3.3/packages/tsc) --- updated-dependencies: - dependency-name: "@vitejs/plugin-vue" dependency-version: 6.0.7 dependency-type: direct:development update-type: version-update:semver-major dependency-group: vue - dependency-name: pinia dependency-version: 3.0.4 dependency-type: direct:production update-type: version-update:semver-major dependency-group: vue - dependency-name: vue-tsc dependency-version: 3.3.3 dependency-type: direct:development update-type: version-update:semver-major dependency-group: vue ... Signed-off-by: dependabot[bot] <support@github.com>
a29639a to
69637d2
Compare
|
Closing — pinia 2 → 3 + @vitejs/plugin-vue 5 → 6 + vue-tsc 2 → 3 = three majors in one PR. Pinia 3 changes the store setup API; vue-tsc 3 changes the type-check pipeline. Affects every Vue example (examples/01-03) + the v2.3.4 reference build — too risky for an auto-PR. Will re-evaluate as separate PRs aligned with the broader Vue 3.5 / Pinia 3 ecosystem upgrade. |
|
This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests. To ignore these dependencies, configure ignore rules in dependabot.yml |
…udit The brutal alpha.25 product audit caught 6 gaps that earlier audits missed by reading README narrative instead of running npm view + npm audit + asset-rights checks. This alpha closes all 6. Vue v2.3.4 byte-identical on 27th alpha. P0 #1 — npm install pulse-player 404 README told Vue consumers `npm install pulse-player` while npm view returned 404 NOT FOUND. The Vue lib was never published. Most embarrassing kind of doc bug — copy-paste install command broken. - Removed the lying install line - Added honest Vue install path (vendor src/lib or use @pulse-music/web-component) - Parity table Vue row: source-available, not on npm - Version table + Source column (npm vs source-available) - Hero box: 7 @Pulse-Music packages (was "six core" + lying Vue ref) P0 #2 — CVE-2026-47429 vitest CVSS 9.8 Earlier audits ran `npm audit --omit=dev` only. Full audit shows 1 critical (vitest UI server RCE). Fix only in vitest 4.x. - Tried vitest 4.x — needs Node 22.6+ (styleText), maintainer Node 20.11 throws - Settled vitest 3.x + @vitest/coverage-v8 3.x (was 1.6.1) - SECURITY.md documents WHY not runtime-exploitable (no --ui/--api flags; dev server never binds port; consumers never receive vitest) - Path to full fix: maintainer upgrades Node 22.6+/24 LTS P0 #3 — Demo audio assets REMOVED from public deployment Most dangerous legal exposure: public/audio/{track1,track2,cover,cover2} served from GH Pages + public repo since alpha.16. NOTICE.md says NOT licensed for redistribution + provenance not documented. DMCA risk. - git rm --cached + rm 4 files (8.4 MB) - .gitignore public/audio/*.{webm,mp3,webp} - public/audio/README.md explains empty state + setup procedure - NOTICE.md §3 updated REMOVED + historical table kept for traceability - GH Pages: chrome renders silent state, legally safe baseline P0 #4 — @pulse-music/angular private status clarified Parity table: ~95% (code) / 0% (distribution) + "private, not on npm yet" Version table dedicated row FEATURE_MATRIX test count row "(private, not on npm)" P1 — Custom OG image PNG generated + deployed usesCustomOpenGraphImage was false. - sharp-generated PNGs (no external binary): docs/brand/og-banner.png 1200x630 30.8 kB docs/brand/logo-{256,512}.png public/favicon.png 32x32 - public/og-banner.png deployed live URL ready - index.html OG + Twitter Card meta point at branded banner - docs/brand/README.md regen one-liner + Settings → Social preview steps P2 — Doc sprawl 36 → 31 active + 5 archived Moved to docs/_archive/: RENAMING_DECISION decision locked REACT_NATIVE_RUNTIME_SETUP sprint shipped alpha.22 PROTECTION_NOTES folded into PRICING + LICENSING PUBLISH_CHECKLIST cadence in VERSION_STRATEGY GIF_GUIDE YouTube covers it docs/_archive/README.md indexes successors QUALITY GATE type-check → clean lint → 0 errors, 0 warnings format:check → all files use Prettier code style tests (root) → 33 / 33 tests (@pulse-music/*) → 106 / 106 TOTAL unit → 139 / 139 audit (prod-only) → 0 vulnerabilities audit (full, dev incl.) → 12 mod + 1 crit (dev-only, documented) Vue v2.3.4 demo → bit-for-bit identical src/lib/ → ZERO file modified (27th consecutive alpha) Self-assessed grade: 5.8 → 6.6 / 10 brutal. +0.8 reflects: no more lying README, no more legal exposure (assets removed), CRITICAL CVE documented + scoped, Angular status honest, branded OG deployed, doc surface reduced. Ceiling stays ~6.6 because 0 stars/dl/users unchanged. Next raise needs maintainer to post launch threads + Day 7 measurement. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Bumps the vue group with 3 updates in the / directory: @vitejs/plugin-vue, pinia and vue-tsc.
Updates
@vitejs/plugin-vuefrom 5.2.4 to 6.0.7Release notes
Sourced from @vitejs/plugin-vue's releases.
Changelog
Sourced from @vitejs/plugin-vue's changelog.
... (truncated)
Commits
f93acebrelease: plugin-vue@6.0.7941b651feat: use carets for@rolldown/pluginutilsversion (#776)77dc8bcfix(deps): update all non-major dependencies (#774)9e825b8fix(deps): update all non-major dependencies (#762)51dbf4brelease: plugin-vue@6.0.69e07ae9feat(plugin-vue): propagate multiRoot for template-only vapor components (#745)050c996fix(deps): update all non-major dependencies (#738)6d834d8chore: remove unused deps (#760)a0e1ef8chore(deps): update dependency rollup to ^4.59.0 (#749)6ad6cc1release: plugin-vue@6.0.5Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for
@vitejs/plugin-vuesince your current version.Updates
piniafrom 2.3.1 to 3.0.4Commits
290db63release: pinia@3.0.4@pinia/testing@1.0.3@pinia/nuxt@0.11.30e9e7e7feat(nuxt): automatic HMR code (vite only) (#2954)be9e356feat(warn): detect global context on the server side (#2983)8a65eb7chore: up nuxt 4e25e525fix(nuxt): resolve auto-imports in layers (#3035)868f6b5chore: dedupec0a6a4bchore: up depsbcc571btest: upgrade workspaces vitest1cf5687test: unstub specific action9b92217fix: store typeUpdates
vue-tscfrom 2.2.12 to 3.3.3Release notes
Sourced from vue-tsc's releases.
... (truncated)
Changelog
Sourced from vue-tsc's changelog.
... (truncated)
Commits
5c41b5fv3.3.3 (#6079)7a00047v3.3.2 (#6068)9109bf3v3.3.1 (#6059)1088dcev3.3.0 (#6052)c8e90e4v3.2.9 (#6045)ae6f658chore: refine package publish file lists2d029c7chore: bump deps618bd6bv3.2.8 (#6036)a7092edv3.2.7 (#6018)1e54c84chore: bump typescript to 6.0.3 (#6017)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for vue-tsc since your current version.