chore(deps-dev): bump the dependencies group with 6 updates

[dependabot]

Bumps the dependencies group with 6 updates:

Package	From	To
@fastify/express	4.0.4	4.0.5
@hono/node-server	1.19.13	1.19.14
fastify	5.8.4	5.8.5
hono	4.12.12	4.12.14
prettier	3.8.1	3.8.3
webpack	5.105.4	5.106.1

Updates @fastify/express from 4.0.4 to 4.0.5

Release notes

Sourced from @​fastify/express's releases.

v4.0.5

⚠️ Security Release

This fixes CVE CVE-2026-33807 GHSA-hrwm-hgmj-7p9c. This fixes CVE CVE-2026-33808 GHSA-6hw5-45gm-fj88.

What's Changed

• build(deps): bump express from 4.22.1 to 5.2.1 by @​dependabot[bot] in fastify/fastify-express#179
• ci: remove stale.yml by @​Tony133 in fastify/fastify-express#181
• build(deps-dev): bump c8 from 10.1.3 to 11.0.0 by @​dependabot[bot] in fastify/fastify-express#183
• chore(license): standardise license notice by @​Fdawgs in fastify/fastify-express#182
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @​dependabot[bot] in fastify/fastify-express#185
• build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in fastify/fastify-express#187
• ci: add lock-threads workflow by @​Fdawgs in fastify/fastify-express#188

New Contributors

• @​Tony133 made their first contribution in fastify/fastify-express#181

Full Changelog: fastify/fastify-express@v4.0.4...v4.0.5

Commits

• f52f447 Bumped v4.0.5
• c4e49b5 Merge commit from fork
• 674020f Merge commit from fork
• 96eb39b ci: add lock-threads workflow (#188)
• 65ddc99 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#187)
• 2746f1f build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#185)
• cce14b1 chore(license): standardise license notice (#182)
• 70a8094 build(deps-dev): bump c8 from 10.1.3 to 11.0.0 (#183)
• 6f627c6 ci: remove stale.yml (#181)
• fa4a726 build(deps): bump express from 4.22.1 to 5.2.1 (#179)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by climba03003, a new releaser for @​fastify/express since your current version.

Updates @hono/node-server from 1.19.13 to 1.19.14

Release notes

Sourced from @​hono/node-server's releases.

v1.19.14

What's Changed

• fix: add custom inspect to lightweight Request/Response to prevent TypeError on console.log by @​usualoma in honojs/node-server#340

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

Commits

• b5e63a3 1.19.14
• c02d777 fix: add custom inspect to lightweight Request/Response to prevent TypeError ...
• See full diff in compare view

Updates fastify from 5.8.4 to 5.8.5

Release notes

Sourced from fastify's releases.

v5.8.5

⚠️ Security Release

This fixes CVE CVE-2026-33806 GHSA-247c-9743-5963.

What's Changed

• chore: Fix port parsing by @​jsumners in fastify/fastify#6603
• chore: upgrade to typescript v6.0.2 by @​Tony133 in fastify/fastify#6605
• fix: restore trustProxy function for number and string types, add null check for socketAddr by @​mcollina in fastify/fastify#6613
• ci: reduce cron scheduled workflows from daily/weekly to monthly by @​Fdawgs in fastify/fastify#6623
• chore: Bump pnpm/action-setup from 4.2.0 to 5.0.0 by @​dependabot[bot] in fastify/fastify#6629
• chore: Bump markdownlint-cli2 from 0.21.0 to 0.22.0 by @​dependabot[bot] in fastify/fastify#6632
• chore: Bump borp from 0.21.0 to 1.0.0 by @​dependabot[bot] in fastify/fastify#6633
• chore: Bump actions/dependency-review-action from 4.8.3 to 4.9.0 by @​dependabot[bot] in fastify/fastify#6630
• docs(ecosystem): add @​pompelmi/fastify-plugin by @​SonoTommy in fastify/fastify#6610

New Contributors

• @​SonoTommy made their first contribution in fastify/fastify#6610

Full Changelog: fastify/fastify@v5.8.4...v5.8.5

Commits

• 3983cce Bumped v5.8.5
• 3ce3ae6 Merge commit from fork
• b06a196 docs(ecosystem): add @​pompelmi/fastify-plugin (#6610)
• 909c5d5 chore: Bump actions/dependency-review-action from 4.8.3 to 4.9.0 (#6630)
• 4db21a3 chore: Bump borp from 0.21.0 to 1.0.0 (#6633)
• 0f4e544 chore: Bump markdownlint-cli2 from 0.21.0 to 0.22.0 (#6632)
• 33a2fcd chore: Bump pnpm/action-setup from 4.2.0 to 5.0.0 (#6629)
• fd35d82 ci: reduce cron schedules from daily/weekly to monthly (#6623)
• 8dee9be fix: restore trustProxy function for number and string types, add null check ...
• d457aed chore: upgrade to typescript v6.0.2 (#6605)
• Additional commits viewable in compare view

Updates hono from 4.12.12 to 4.12.14

Release notes

Sourced from hono's releases.

v4.12.14

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

• fix(aws-lambda): handle invalid header names in request processing (#4883) fa2c74fe

v4.12.13

What's Changed

• fix(types): infer response type from last handler in app.on 9-/10-handler overloads by @​T4ko0522 in honojs/hono#4865
• feat(trailing-slash): add skip option by @​yusukebe in honojs/hono#4862
• feat(cache): add onCacheNotAvailable option by @​yusukebe in honojs/hono#4876

New Contributors

• @​T4ko0522 made their first contribution in honojs/hono#4865

Full Changelog: honojs/hono@v4.12.12...v4.12.13

Commits

• cf2d2b7 4.12.14
• 66daa2e Merge commit from fork
• fa2c74f fix(aws-lambda): handle invalid header names in request processing (#4883)
• 3779927 4.12.13
• faa6c46 feat(cache): add onCacheNotAvailable option (#4876)
• f23e97b feat(trailing-slash): add skip option (#4862)
• 1aa32fb fix(types): infer response type from last handler in app.on 9- and 10-handler...
• See full diff in compare view

Updates prettier from 3.8.1 to 3.8.3

Release notes

Sourced from prettier's releases.

3.8.3

• SCSS: Prevent trailing comma in if() function (prettier/prettier#18471 by @​kovsu)

🔗 Changelog

3.8.2

• Support Angular v21.2

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.3

diff

SCSS: Prevent trailing comma in if() function (#18471 by @​kovsu)

// Input
$value: if(sass(false): 1; else: -1);
// Prettier 3.8.2
$value: if(
sass(false): 1; else: -1,
);
// Prettier 3.8.3
$value: if(sass(false): 1; else: -1);

3.8.2

diff

Angular: Support Angular v21.2 (#18722, #19034 by @​fisker)

Exhaustive typechecking with @default never;

<!-- Input -->
@switch (foo) {
  @case (1) {}
  @default never;
}
<!-- Prettier 3.8.1 -->
SyntaxError: Incomplete block "default never". If you meant to write the @ character, you should use the "&#64;" HTML entity instead. (3:3)
<!-- Prettier 3.8.2 -->
@​switch (foo) {
@​case (1) {}
@​default never;
}

arrow function and instanceof expressions.

</tr></table> 

... (truncated)

Commits

• d7108a7 Release 3.8.3
• 177f908 Prevent trailing comma in SCSS if() function (#18471)
• 1cd4066 Release @​prettier/plugin-oxc@​0.1.4
• a8700e2 Update oxc-parser to v0.125.0
• 752157c Fix tests
• 053fd41 Bump Prettier dependency to 3.8.2
• 904c636 Clean changelog_unreleased
• dc1f7fc Update dependents count
• b31557c Release 3.8.2
• 96bbaed Support Angular v21.2 (#18722)
• Additional commits viewable in compare view

Updates webpack from 5.105.4 to 5.106.1

Release notes

Sourced from webpack's releases.

v5.106.1

Patch Changes

• Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @​xiaoxiaojx in #20796)

• Prevent !important from being renamed as a local identifier in CSS modules. (by @​xiaoxiaojx in #20798)

• Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @​xiaoxiaojx in #20799)

v5.106.0

Minor Changes

• Add exportType: "style" for CSS modules to inject styles into DOM via HTMLStyleElement, similar to style-loader functionality. (by @​xiaoxiaojx in #20579)

• Add context option support for VirtualUrlPlugin (by @​xiaoxiaojx in #20449)

  • The context for the virtual module. A string path. Defaults to 'auto', which will try to resolve the context from the module id.
  • Support custom context path for resolving relative imports in virtual modules
  • Add examples demonstrating context usage and filename customization

• Generate different CssModule instances for different exportType values. (by @​xiaoxiaojx in #20590)

• Added the localIdentHashFunction option to configure the hash function to be used for hashing. (by @​alexander-akait in #20694) Additionally, the localIdentName option can now be a function.

• Added support for destructuring assignment require in cjs, allowing for tree shaking. (by @​ahabhgk in #20548)

• Added the validate option to enable/disable validation in webpack/plugins/loaders, also implemented API to make it inside plugins. (by @​xiaoxiaojx in #20275)

• Added source support for async WASM modules. (by @​magic-akari in #20364)

Patch Changes

• Add a static getSourceBasicTypes method to the Module class to prevent errors across multiple versions. (by @​xiaoxiaojx in #20614)

• Included fragment groups in the conflicting order warning for CSS. (by @​aryanraj45 in #20660)

• Avoid rendering unused top-level __webpack_exports__ declaration when output ECMA module library. (by @​hai-x in #20669)

• Fixed resolving in CSS modules. (by @​alexander-akait in #20771)

• Allow external modules place in async chunks when output ECMA module. (by @​hai-x in #20662)

• Implement deprecate flag in schema for better TypeScript support to show which options are already deprecated by the configuration (by @​bjohansebas in #20432)

• Set .name to "default" for anonymous default export functions and classes per ES spec (by @​xiaoxiaojx in #20773)

• Hash entry chunks after runtime chunks to prevent stale content hash references in watch mode (by @​xiaoxiaojx in #20724)

• Fix multiple bugs and optimizations in CSS modules: correct third code point position in walkCssTokens number detection, fix multiline CSS comment regex, fix swapped :import/:export error message, fix comma callback incorrectly popping balanced stack, fix cache comparison missing array length check, fix match.index mutation side effect, move publicPathAutoRegex to module scope, precompute merged callbacks in consumeUntil, simplify redundant ternary in CssGenerator, fix typo GRID_TEMPLATE_ARES, remove duplicate grid-column-start, and merge duplicate getCompilationHooks calls. (by @​xiaoxiaojx in #20648)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.106.1

Patch Changes

• Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @​xiaoxiaojx in #20796)

• Prevent !important from being renamed as a local identifier in CSS modules. (by @​xiaoxiaojx in #20798)

• Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @​xiaoxiaojx in #20799)

5.106.0

Minor Changes

• Add exportType: "style" for CSS modules to inject styles into DOM via HTMLStyleElement, similar to style-loader functionality. (by @​xiaoxiaojx in #20579)

• Add context option support for VirtualUrlPlugin (by @​xiaoxiaojx in #20449)

  • The context for the virtual module. A string path. Defaults to 'auto', which will try to resolve the context from the module id.
  • Support custom context path for resolving relative imports in virtual modules
  • Add examples demonstrating context usage and filename customization

• Generate different CssModule instances for different exportType values. (by @​xiaoxiaojx in #20590)

• Added the localIdentHashFunction option to configure the hash function to be used for hashing. (by @​alexander-akait in #20694) Additionally, the localIdentName option can now be a function.

• Added support for destructuring assignment require in cjs, allowing for tree shaking. (by @​ahabhgk in #20548)

• Added the validate option to enable/disable validation in webpack/plugins/loaders, also implemented API to make it inside plugins. (by @​xiaoxiaojx in #20275)

• Added source support for async WASM modules. (by @​magic-akari in #20364)

Patch Changes

• Add a static getSourceBasicTypes method to the Module class to prevent errors across multiple versions. (by @​xiaoxiaojx in #20614)

• Included fragment groups in the conflicting order warning for CSS. (by @​aryanraj45 in #20660)

• Avoid rendering unused top-level __webpack_exports__ declaration when output ECMA module library. (by @​hai-x in #20669)

• Fixed resolving in CSS modules. (by @​alexander-akait in #20771)

• Allow external modules place in async chunks when output ECMA module. (by @​hai-x in #20662)

• Implement deprecate flag in schema for better TypeScript support to show which options are already deprecated by the configuration (by @​bjohansebas in #20432)

• Set .name to "default" for anonymous default export functions and classes per ES spec (by @​xiaoxiaojx in #20773)

• Hash entry chunks after runtime chunks to prevent stale content hash references in watch mode (by @​xiaoxiaojx in #20724)

... (truncated)

Commits

• a934b9b chore(release): new release (#20808)
• ecb436b fix: use compiler context for CSS modules hash to avoid collisions (#20799)
• c0e8cf4 fix: prevent !important from being renamed in CSS modules (#20798)
• f8d274b fix: anonymous default export name fix-up in ES5 environment (#20796)
• e370b76 chore(deps-dev): bump the dependencies group with 5 updates (#20790)
• 8774a01 chore(release): new release (#20593)
• cc66616 fix: add @deprecated to methods
• 7cdc173 feat: support source phase import for WebAssembly modules (#20364)
• 0b60f1c chore(members): update to match @​webpack/core-wg (#20784)
• 955a68c test: generate snapshots per stats test case (#20785)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[changeset-bot]

⚠️ No Changeset found

Latest commit: 281548d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR