Bump the npm_and_yarn group across 1 directory with 9 updates by dependabot[bot] · Pull Request #61 · GewoonJaap/qwen-code-cli-wrapper

dependabot · 2026-06-14T06:27:33Z

Bumps the npm_and_yarn group with 8 updates in the / directory:

Package	From	To
hono	`4.9.4`	`4.12.21`
vitest	`3.2.4`	`3.2.6`
wrangler	`4.32.0`	`4.59.1`
defu	`6.1.4`	`6.1.7`
flatted	`3.3.3`	`3.4.2`
js-yaml	`4.1.0`	`4.2.0`
rollup	`4.48.1`	`4.62.0`
vite	`7.1.3`	`7.3.5`

Updates hono from 4.9.4 to 4.12.21

Release notes

Sourced from hono's releases.

v4.12.21

Security fixes

This release includes fixes for the following security issues:

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3

IP Restriction bypasses static deny rules for non-canonical IPv6

Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x

JWT middleware accepts any Authorization scheme, not only Bearer

Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474

Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.

v4.12.20

What's Changed

fix(route): preserve the base path of the mounted route() app by @usualoma in honojs/hono#4942

fix(jsx): widen jsx and jsxFn children to Child[] by @ashunar0 in honojs/hono#4947

New Contributors

@ashunar0 made their first contribution in honojs/hono#4947

Full Changelog: honojs/hono@v4.12.19...v4.12.20

v4.12.19

What's Changed

ci: pin GitHub Actions to SHAs by @yusukebe in honojs/hono#4932

fix(serveStatic): make options parameter optional in all adapters by @mixelburg in honojs/hono#4934

fix(cookie): return the first cookie when there are multiple cookies with the same name by @usualoma in honojs/hono#4922

feat(bearer-auth): make bearerAuth generic for typed context in verifyToken by @justinnais in honojs/hono#4913

feat(cache): key cache entries by configured vary headers by @usualoma in honojs/hono#4915

feat(request): add bytes() by @yusukebe in honojs/hono#4921

fix(stream): upgrade @hono/node-server to v2 and fix abort handling by @yusukebe in honojs/hono#4940

New Contributors

@justinnais made their first contribution in honojs/hono#4913

Full Changelog: honojs/hono@v4.12.18...v4.12.19

... (truncated)

Commits

a83ddb8 4.12.21
6cbb025 Merge commit from fork
c831020 Merge commit from fork
905aedb Merge commit from fork
5463db2 Merge commit from fork
c657a39 4.12.20
eb2d0c2 fix(jsx): widen jsx and jsxFn children to Child[] (#4947)
dcabbec fix(route): preserve the base path of the mounted route() app (#4942)
7e62bcd 4.12.19
e2f252a fix(stream): upgrade @hono/node-server to v2 and fix abort handling (#4940)
Additional commits viewable in compare view

Updates vitest from 3.2.4 to 3.2.6

Release notes

Sourced from vitest's releases.

v3.2.6

   🐞 Bug Fixes

Pin last supported vite-node version - by @sheremet-va (16f12)

    View changes on GitHub

v3.2.5

   🚀 Features

api: Add allowWrite and allowExec options to api [backport to v3] - by @hi-ogawa and Codex in vitest-dev/vitest#10445 (af88b)

   🐞 Bug Fixes

browser: Disable client cdp API when allowWrite/allowExec: false [backport to v3] - by @hi-ogawa and Codex in vitest-dev/vitest#10456 (385a1)

    View changes on GitHub

Commits

b6d56f8 chore: release v3.2.6
16f120d fix: pin last supported vite-node version
2cbad0a chore: release v3.2.5
385a1ae fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
af88b1f feat(api): add allowWrite and allowExec options to api [backport to v3]...
See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.

Updates wrangler from 4.32.0 to 4.59.1

Commits

37a8607 Version Packages (#11890)
99b1f32 fix: execute git commands in pages deploy safely (#11889)
e98c95a Version Packages (#11836)
ad65efa Add --check flag to wrangler types (#11852)
beb96af feat(unenv-preset): add support for native node:sqlite module (#11841)
b0e54b2 [wrangler] Add AI agent detection to analytics events (#11820)
2203af4 Add Node.js 24 and 25 compatibility to the test suites for Miniflare, Wrangle...
b6148ed chore(deps): bump the workerd-and-workers-types group with 2 updates (#11872)
0eb973d Do not warn user when using a redirected config that came from a config with ...
0f8d69d containers: users can set multiple tiers for constraints (#11755)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for wrangler since your current version.

Updates defu from 6.1.4 to 6.1.7

Release notes

Sourced from defu's releases.

v6.1.7

compare changes

📦 Build

Correct the types export entry (#160)

Export Defu types (#157)

❤️ Contributors

Jakub Michálek (@J-Michalek)

Kricsleo (@kricsleo)

v6.1.6

compare changes

📦 Build

Fix mixed types (407b516)

v6.1.5

compare changes

🩹 Fixes

Prevent prototype pollution via __proto__ in defaults (#156)

Ignore inherited enumerable properties (11ba022)

✅ Tests

Add more tests for plain objects (b65f603)

❤️ Contributors

Pooya Parsa (@pi0)

Kricsleo (@kricsleo)

Changelog

Sourced from defu's changelog.

v6.1.7

compare changes

🩹 Fixes

defu.d.cts: Export Defu types (#157)

📦 Build

Correct the types export entry (#160)

❤️ Contributors

Jakub Michálek (@J-Michalek)

Kricsleo (@kricsleo)

v6.1.6

compare changes

📦 Build

Fix mixed types (407b516)

❤️ Contributors

Pooya Parsa (@pi0)

v6.1.5

compare changes

🩹 Fixes

Prevent prototype pollution via __proto__ in defaults (#156)

Ignore inherited enumerable properties (11ba022)

🏡 Chore

Add tea.yaml (70cffe5)

Update repo (23cc432)

Fix typecheck (89df6bb)

✅ Tests

Add more tests for plain objects (b65f603)

🤖 CI

... (truncated)

Commits

80c0146 chore(release): v6.1.7
40d7ef4 fix(defu.d.cts): export Defu types (#157)
3d3a7c8 build: correct the types export entry (#160)
001c290 chore(release): v6.1.6
407b516 build: fix mixed types
23e59e6 chore(release): v6.1.5
11ba022 fix: ignore inherited enumerable properties
3942bfb fix: prevent prototype pollution via __proto__ in defaults (#156)
d3ef16d chore(deps): update actions/checkout action to v6 (#151)
869a053 chore(deps): update actions/setup-node action to v6 (#149)
Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

3bf0909 3.4.2
885ddcc fix CWE-1321
0bdba70 added flatted-view to the benchmark
2a02dce 3.4.1
fba4e8f Merge pull request #89 from WebReflection/python-fix
5fe8648 added "when in Rome" also a test for PHP
53517ad some minor improvement
b3e2a0c Fixing recursion issue in Python too
c4b46db Add SECURITY.md for security policy and reporting
f86d071 Create dependabot.yml for version updates
Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.2.0

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

Added docs/safety.md with notes about processing untrusted YAML.

Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.

Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.

Added sourcemaps to dist/ builds.

Changed

Stop resolving numbers with underscores as numeric scalars, #627.

Switched dev toolchains to Vite / neostandard.

Updated demo.

Reorganized tests.

dist/ files are no longer kept in the repository.

Fixed

Fix parsing of properties on the first implicit block mapping key, #62.

Fix trailing whitespace handling when folding flow scalar lines, #307.

Reject top-level block scalars without content indentation, #280.

Ensure numbers survive round-trip, #737.

Fix test coverage for issue #221.

Fix flow scalar trailing whitespace folding, #307.

Fix digits in YAML named tag handles.

Security

Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

Fix prototype pollution issue in yaml merge (<<) operator.

Commits

See full diff in compare view

Updates rollup from 4.48.1 to 4.62.0

Release notes

Sourced from rollup's releases.

v4.62.0

4.62.0

2026-06-13

Features

Ensure that shared dependencies between manual chunks and entry points receive a serparate chunk (#6374)

Pull Requests

#6374: Extract the static dependencies imported by manual chunks into separate chunks (@TrickyPi, @lukastaegert)

#6405: fix(deps): update minor/patch updates (@renovate[bot])

#6406: chore(deps): pin dependency concurrently to v9 (@renovate[bot], @lukastaegert)

#6407: chore(deps): lock file maintenance minor/patch updates (@renovate[bot])

#6409: chore(deps): update minor/patch updates to v6.2.0 (@renovate[bot])

#6410: chore(deps): lock file maintenance minor/patch updates (@renovate[bot])

#6412: fix(deps): update minor/patch updates (@renovate[bot])

#6413: chore(deps): update dependency eslint-plugin-unicorn to v65 (@renovate[bot])

#6414: chore(deps): lock file maintenance minor/patch updates (@renovate[bot], @lukastaegert)

v4.61.1

4.61.1

2026-06-04

Bug Fixes

Avoid extraneous newlines when adding headers via plugins (#6403)

Fix a rare issue where starting Rollup would hang on Windows (#6404)

Pull Requests

#6402: Improve documentation for manualPureFunctions (@lukastaegert)

#6403: Does not add an extra leading line feed for addons (@TrickyPi)

#6404: fix: set report.excludeNetwork=true before getReport() to avoid blocking PTR lookups (@jdz321, @lukastaegert)

v4.61.0

4.61.0

2026-06-01

Features

Sort entry modules to make chunk hashes deterministic (#6391)

Pull Requests

#6376: Eliminate AWS credential exposure on fork PRs in REPL artefact workflow (@lukastaegert)

#6378: fix(deps): update minor/patch updates (@renovate[bot])

... (truncated)

Changelog

Sourced from rollup's changelog.

4.62.0

2026-06-13

Features

Ensure that shared dependencies between manual chunks and entry points receive a serparate chunk (#6374)

Pull Requests

#6374: Extract the static dependencies imported by manual chunks into separate chunks (@TrickyPi, @lukastaegert)

#6405: fix(deps): update minor/patch updates (@renovate[bot])

#6406: chore(deps): pin dependency concurrently to v9 (@renovate[bot], @lukastaegert)

#6407: chore(deps): lock file maintenance minor/patch updates (@renovate[bot])

#6409: chore(deps): update minor/patch updates to v6.2.0 (@renovate[bot])

#6410: chore(deps): lock file maintenance minor/patch updates (@renovate[bot])

#6412: fix(deps): update minor/patch updates (@renovate[bot])

#6413: chore(deps): update dependency eslint-plugin-unicorn to v65 (@renovate[bot])

#6414: chore(deps): lock file maintenance minor/patch updates (@renovate[bot], @lukastaegert)

4.61.1

2026-06-04

Bug Fixes

Avoid extraneous newlines when adding headers via plugins (#6403)

Fix a rare issue where starting Rollup would hang on Windows (#6404)

Pull Requests

#6402: Improve documentation for manualPureFunctions (@lukastaegert)

#6403: Does not add an extra leading line feed for addons (@TrickyPi)

#6404: fix: set report.excludeNetwork=true before getReport() to avoid blocking PTR lookups (@jdz321, @lukastaegert)

4.61.0

2026-06-01

Features

Sort entry modules to make chunk hashes deterministic (#6391)

Pull Requests

#6376: Eliminate AWS credential exposure on fork PRs in REPL artefact workflow (@lukastaegert)

#6378: fix(deps): update minor/patch updates (@renovate[bot])

#6379: chore(deps): update dependency lint-staged to v17 (@renovate[bot], @lukastaegert)

#6380: chore(deps): update dependency lru-cache to v11 (@renovate[bot], @lukastaegert)

#6381: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

... (truncated)

Commits

5e0066d 4.62.0
93e85fc chore(deps): update dependency eslint-plugin-unicorn to v65 (#6413)
5c9ef2e fix(deps): update minor/patch updates (#6412)
18654d8 chore(deps): lock file maintenance minor/patch updates (#6414)
d96ed95 Extract the static dependencies imported by manual chunks into separate chunk...
126e141 chore(deps): pin dependency concurrently to v9 (#6406)
f2f58c4 chore(deps): lock file maintenance minor/patch updates (#6410)
5a15062 chore(deps): update minor/patch updates to v6.2.0 (#6409)
d02f03a chore(deps): lock file maintenance minor/patch updates (#6407)
844671c fix(deps): update minor/patch updates (#6405)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for rollup since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates undici from 7.15.0 to 7.14.0

Commits

8dd120e fix: h2 CI (#4395)
3d231da build(deps): bump step-security/harden-runner from 2.12.0 to 2.13.0 (#4379)
8816495 build(deps): bump cronometro from 4.0.3 to 5.3.0 in /benchmarks (#4171)
4f70baf build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 (#4380)
43fb162 feat: add install() function to type definitions (#4384)
e5bf00e feat(websocket): add handshake response info to undici:websocket:open diagnos...
c3f5591 cache: fix excessive caching and some other lack of caching (#4335)
431dfdc docs: clarify Node.js version support in LTS table (#4375)
fb4be0a Actually flush the file (#4378)
ca18554 Fix flaky snapshot-testing (#4367)
Additional commits viewable in compare view

Updates vite from 7.1.3 to 7.3.5

Release notes

Sourced from vite's releases.

v7.3.5

Please refer to CHANGELOG.md for details.

v7.3.3

Please refer to CHANGELOG.md for details.

v7.3.2

Please refer to CHANGELOG.md for details.

v7.3.1

Please refer to CHANGELOG.md for details.

v7.3.0

Please refer to CHANGELOG.md for details.

v7.2.7

Please refer to CHANGELOG.md for details.

v7.2.6

Please refer to CHANGELOG.md for details.

v7.2.5

Please refer to CHANGELOG.md for details.

Note: 7.2.5 failed to publish so it is skipped on npm

v7.2.4

Please refer to CHANGELOG.md for details.

v7.2.3

Please refer to CHANGELOG.md for details.

v7.2.2

Please refer to CHANGELOG.md for details.

v7.2.1

Please refer to CHANGELOG.md for details.

v7.2.0

Please refer to CHANGELOG.md for details.

v7.2.0-beta.1

Please refer to CHANGELOG.md for details.

v7.2.0-beta.0

Please refer to CHANGELOG.md for details.

v7.1.12

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

7.3.5 (2026-06-01)

Bug Fixes

backport #22572, reject windows alternate paths (#22574) (8c18556)

deps: backport #22571, reject UNC paths for launch-editor-middleware (#22573) (f20d64b)

Miscellaneous Chores

skip v7.3.4 release (8a6a0c9)

7.3.4 (2026-06-01)

Bug Fixes

backport #22572, reject windows alternate paths (#22574) (8c18556)

deps: backport #22571, reject UNC paths for launch-editor-middleware (#22573) (f20d64b)

7.3.3 (2026-05-07)

Bug Fixes

avoid destructure lowering for newer safari (#22346) (5ab51c0)

7.3.2 (2026-04-06)

Bug Fixes

avoid path traversal with optimize deps sourcemap handler (#22161) (09d8c90)

backport #22159, apply server.fs check to env transport (#22162) (19db0f2)

check server.fs after stripping query as well (#22160) (f8103cc)

7.3.1 (2026-01-07)

Features

add ignoreOutdatedRequests option to optimizeDeps (#21364) (9d39d37)

7.3.0 (2025-12-15)

Features

deps: update esbuild from ^0.25.0 to ^0.27.0 (#21183) (cff26ec)

7.2.7 (2025-12-08)

Bug Fixes

plugin shortcut support (#21211) (721f163)

7.2.6 (2025-12-01)

7.2.5 (2025-12-01)

Bug Fixes

config: handle shebang properly (#21158) (df5a30d)

deps: update all non-major dependencies (#21146) (a3cd262)

deps: update all non-major dependencies (#21175) (72e398a)

... (truncated)

Commits

077945c release: v7.3.5
8a6a0c9 chore: skip v7.3.4 release
8c18556 fix: backport #22572, reject windows alternate paths (#22574)
f20d64b fix(deps): backport #22571, reject UNC paths for launch-editor-middleware (#2...
ca31424 release: v7.3.3
5ab51c0 fix: avoid destructure lowering for newer safari (#22346)
cc383e0 release: v7.3.2
09d8c90 fix: avoid path traversal with optimize deps sourcemap handler (#22161)
f8103cc fix: check server.fs after stripping query as well (#22160)
19db0f2 fix: backport #22159, apply server.fs check to env transport (#22162)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 8 updates in the / directory: | Package | From | To | | --- | --- | --- | | [hono](https://github.com/honojs/hono) | `4.9.4` | `4.12.21` | | [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `3.2.4` | `3.2.6` | | [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler) | `4.32.0` | `4.59.1` | | [defu](https://github.com/unjs/defu) | `6.1.4` | `6.1.7` | | [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` | | [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.2.0` | | [rollup](https://github.com/rollup/rollup) | `4.48.1` | `4.62.0` | | [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.1.3` | `7.3.5` | Updates `hono` from 4.9.4 to 4.12.21 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.9.4...v4.12.21) Updates `vitest` from 3.2.4 to 3.2.6 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v3.2.6/packages/vitest) Updates `wrangler` from 4.32.0 to 4.59.1 - [Release notes](https://github.com/cloudflare/workers-sdk/releases) - [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@4.59.1/packages/wrangler) Updates `defu` from 6.1.4 to 6.1.7 - [Release notes](https://github.com/unjs/defu/releases) - [Changelog](https://github.com/unjs/defu/blob/main/CHANGELOG.md) - [Commits](unjs/defu@v6.1.4...v6.1.7) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `js-yaml` from 4.1.0 to 4.2.0 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](https://github.com/nodeca/js-yaml/commits) Updates `rollup` from 4.48.1 to 4.62.0 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.48.1...v4.62.0) Updates `undici` from 7.15.0 to 7.14.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.15.0...v7.14.0) Updates `vite` from 7.1.3 to 7.3.5 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.5/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.5/packages/vite) --- updated-dependencies: - dependency-name: hono dependency-version: 4.12.21 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: vitest dependency-version: 3.2.6 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: wrangler dependency-version: 4.59.1 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: defu dependency-version: 6.1.7 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: js-yaml dependency-version: 4.2.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.62.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 7.14.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 7.3.5 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 14, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the npm_and_yarn group across 1 directory with 9 updates#61

Bump the npm_and_yarn group across 1 directory with 9 updates#61
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-1adc181e78

dependabot Bot commented on behalf of github Jun 14, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

dependabot Bot commented on behalf of github Jun 14, 2026

v4.12.21

Security fixes

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

IP Restriction bypasses static deny rules for non-canonical IPv6

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

JWT middleware accepts any Authorization scheme, not only Bearer

v4.12.20

What's Changed

New Contributors

v4.12.19

What's Changed

New Contributors

v3.2.6

🐞 Bug Fixes

View changes on GitHub

v3.2.5

🚀 Features

🐞 Bug Fixes

View changes on GitHub

v6.1.7

📦 Build

❤️ Contributors

v6.1.6

📦 Build

v6.1.5

🩹 Fixes

✅ Tests

❤️ Contributors

v6.1.7

🩹 Fixes

📦 Build

❤️ Contributors

v6.1.6

📦 Build

❤️ Contributors

v6.1.5

🩹 Fixes

🏡 Chore

✅ Tests

🤖 CI

[4.2.0] - 2026-06-01

Added

Changed

Fixed

Security

[3.14.2] - 2025-11-15

Security

[4.1.1] - 2025-11-12

Security

v4.62.0

4.62.0

Features

Pull Requests

v4.61.1

4.61.1

Bug Fixes

Pull Requests

v4.61.0

4.61.0

Features

Pull Requests

4.62.0

Features

Pull Requests

4.61.1

Bug Fixes

Pull Requests

4.61.0

Features

Pull Requests

v7.3.5

v7.3.3

v7.3.2

v7.3.1

v7.3.0

v7.2.7

v7.2.6