chore: bump the npm-non-major group across 1 directory with 34 updates by dependabot[bot] · Pull Request #843 · SableClient/Sable

dependabot · 2026-05-15T01:41:56Z

Bumps the npm-non-major group with 31 updates in the / directory:

Package	From	To
@atlaskit/pragmatic-drag-and-drop	`1.7.9`	`1.8.1`
@sentry/react	`10.43.0`	`10.52.0`
@tanstack/react-query	`5.90.21`	`5.100.9`
@tanstack/react-query-devtools	`5.91.3`	`5.100.9`
@tanstack/react-virtual	`3.13.21`	`3.13.24`
@vanilla-extract/css	`1.18.0`	`1.20.1`
@vanilla-extract/vite-plugin	`5.1.4`	`5.2.2`
dayjs	`1.11.19`	`1.11.20`
framer-motion	`12.34.3`	`12.38.0`
jotai	`2.18.1`	`2.20.0`
marked	`18.0.2`	`18.0.3`
pdfjs-dist	`5.5.207`	`5.7.284`
react-aria	`3.47.0`	`3.48.0`
react-colorful	`5.6.1`	`5.7.0`
slate	`0.123.0`	`0.124.1`
slate-dom	`0.123.0`	`0.124.1`
slate-react	`0.123.0`	`0.124.0`
virtua	`0.48.8`	`0.49.1`
workbox-precaching	`7.4.0`	`7.4.1`
@cloudflare/vite-plugin	`1.27.0`	`1.36.3`
@sentry/vite-plugin	`5.1.1`	`5.2.1`
@vitest/coverage-v8	`4.1.0`	`4.1.5`
@vitest/ui	`4.1.0`	`4.1.5`
jsdom	`29.0.0`	`29.1.1`
oxfmt	`0.45.0`	`0.48.0`
oxlint	`1.60.0`	`1.63.0`
oxlint-tsgolint	`0.21.0`	`0.22.1`
vite-plugin-compression2	`2.5.0`	`2.5.3`
vite-plugin-pwa	`1.2.0`	`1.3.0`
vitest	`4.1.0`	`4.1.5`
wrangler	`4.72.0`	`4.90.0`

Updates @atlaskit/pragmatic-drag-and-drop from 1.7.9 to 1.8.1

Commits

See full diff in compare view

Updates @sentry/react from 10.43.0 to 10.52.0

Release notes

Sourced from @sentry/react's releases.

10.52.0

Important Changes

Beta release of the official Hono Sentry SDK

This release marks the beta release of the @sentry/hono Sentry SDK. For details on how to use it, check out the Sentry Hono SDK docs. Please reach out on GitHub if you have any feedback or concerns.

feat(browser): Add ingest_settings to v2 log envelope payload (#20453)

Inference of user data (e.g. IP address, browser name/version) on log events is now gated behind the sendDefaultPii option. Previously, this data was always inferred by default.

Other Changes

docs(hono): Add new docs link and move to BETA release (#20666)

feat(browser): Add ingest_settings to v2 metrics envelope payload (#20454)

feat(browser): Migrate spotlight event processor to ignoreSpans (#20595)

feat(cloudflare): Capture request body via httpServerIntegration (#20614)

feat(cloudflare): Support rpc trace propagation for WorkerEntrypoint (#20523)

feat(cloudflare): Support tracing for queue producer (#20529)

feat(core): Apply request data to segment spans in span streaming (#20654)

feat(core): Migrate Vercel AI event processor to span streaming (#20608)

feat(deno): Add processSegmentSpan to Deno context integration (#20613)

feat(http): Portable node:http client instrumentation (#20393)

feat(nitro): Add unstorage tracing channel instrumentation (#20615)

feat(node-core): Add processSegmentSpan to node context integration (#20678)

feat(node): Use diagnostics_channel for redis >= 5.12.0 (#20573)

feat(node): Vendor ioredis, redis instrumentations (#20510)

feat(replay): Reset replay id from DSC on session expiry/refresh (#20129)

fix: Bump fast-xml-parser to fix vulnerability (#20644)

fix: Bump vite versions to fix vulnerability (#20646)

fix(core): Drain buffers in flush() when there is no transport (#20207)

fix(core): Guard against undefined chained in copyProps (#20637)

fix(deps): Bump rollup-plugin-license to fix lodash vulnerabilities (#20636)

fix(deps): Bump transitive deps for medium security fixes (#20683)

fix(hono): Do not capture 3xx and 4xx errors and add tests (#20640)

fix(nextjs): Skip build modification when SRI is enabled (#20694)

fix(opentelemetry): Respect OTEL_SERVICE_NAME, OTEL_RESOURCE_ATTRIBUTES (#20509)

chore: Remove bundle-analyzer-scenarios dev packages (#20680)

chore(deps): Bump @hono/node-server from 1.19.10 to 1.19.13 (#20117)

chore(deps): Bump @nestjs packages to fix path-to-regexp ReDoS (#20642)

chore(deps): Bump axios from 1.15.0 to 1.15.2 (#20665)

chore(deps): Bump ip-address from 10.1.0 to 10.2.0 (#20695)

chore(deps): Bump simple-git from 3.33.0 to 3.36.0 (#20696)

chore(deps): Bump vulnerable testem version (#20634)

... (truncated)

Changelog

Sourced from @sentry/react's changelog.

10.52.0

Important Changes

Beta release of the official Hono Sentry SDK

This release marks the beta release of the @sentry/hono Sentry SDK. For details on how to use it, check out the Sentry Hono SDK docs. Please reach out on GitHub if you have any feedback or concerns.

feat(browser): Add ingest_settings to v2 log envelope payload (#20453)

Inference of user data (e.g. IP address, browser name/version) on log events is now gated behind the sendDefaultPii option. Previously, this data was always inferred by default.

Other Changes

docs(hono): Add new docs link and move to BETA release (#20666)

feat(browser): Add ingest_settings to v2 metrics envelope payload (#20454)

feat(browser): Migrate spotlight event processor to ignoreSpans (#20595)

feat(cloudflare): Capture request body via httpServerIntegration (#20614)

feat(cloudflare): Support rpc trace propagation for WorkerEntrypoint (#20523)

feat(cloudflare): Support tracing for queue producer (#20529)

feat(core): Apply request data to segment spans in span streaming (#20654)

feat(core): Migrate Vercel AI event processor to span streaming (#20608)

feat(deno): Add processSegmentSpan to Deno context integration (#20613)

feat(http): Portable node:http client instrumentation (#20393)

feat(nitro): Add unstorage tracing channel instrumentation (#20615)

feat(node-core): Add processSegmentSpan to node context integration (#20678)

feat(node): Use diagnostics_channel for redis >= 5.12.0 (#20573)

feat(node): Vendor ioredis, redis instrumentations (#20510)

feat(replay): Reset replay id from DSC on session expiry/refresh (#20129)

fix: Bump fast-xml-parser to fix vulnerability (#20644)

fix: Bump vite versions to fix vulnerability (#20646)

fix(core): Drain buffers in flush() when there is no transport (#20207)

fix(core): Guard against undefined chained in copyProps (#20637)

fix(deps): Bump rollup-plugin-license to fix lodash vulnerabilities (#20636)

fix(deps): Bump transitive deps for medium security fixes (#20683)

fix(hono): Do not capture 3xx and 4xx errors and add tests (#20640)

fix(nextjs): Skip build modification when SRI is enabled (#20694)

fix(opentelemetry): Respect OTEL_SERVICE_NAME, OTEL_RESOURCE_ATTRIBUTES (#20509)

chore: Remove bundle-analyzer-scenarios dev packages (#20680)

chore(deps): Bump @hono/node-server from 1.19.10 to 1.19.13 (#20117)

chore(deps): Bump @nestjs packages to fix path-to-regexp ReDoS (#20642)

chore(deps): Bump axios from 1.15.0 to 1.15.2 (#20665)

chore(deps): Bump ip-address from 10.1.0 to 10.2.0 (#20695)

chore(deps): Bump simple-git from 3.33.0 to 3.36.0 (#20696)

... (truncated)

Commits

4b911e0 release: 10.52.0
781f31c Merge pull request #20707 from getsentry/prepare-release/10.52.0
11a64f6 meta(changelog): Update changelog for 10.52.0
e185818 feat(node-core): Add processSegmentSpan to node context integration (#20678)
7e49571 feat(node): use diagnostics_channel for redis >= 5.12.0 (#20573)
a8ab715 feat(replay): Reset replay id from DSC on session expiry/refresh (#20129)
7efc03f feat(core): Apply request data to segment spans in span streaming (#20654)
01d0a70 feat(core): Migrate Vercel AI event processor to span streaming (#20608)
12cd3e5 fix(nextjs): Skip build modification when SRI is enabled (#20694)
f1f534c fix(deps): Bump transitive deps for medium security fixes (#20683)
Additional commits viewable in compare view

Updates @tanstack/react-query from 5.90.21 to 5.100.9

Release notes

Sourced from @tanstack/react-query's releases.

@tanstack/react-query-devtools@5.100.9

Patch Changes

Updated dependencies [3d21cac]:

@tanstack/query-devtools@5.100.9

@tanstack/react-query@5.100.9

@tanstack/react-query-next-experimental@5.100.9

Patch Changes

Updated dependencies []:

@tanstack/react-query@5.100.9

@tanstack/react-query-persist-client@5.100.9

Patch Changes

Updated dependencies []:

@tanstack/query-persist-client-core@5.100.9

@tanstack/react-query@5.100.9

@tanstack/react-query@5.100.9

Patch Changes

Updated dependencies [fcee7bd]:

@tanstack/query-core@5.100.9

@tanstack/react-query-devtools@5.100.8

Patch Changes

Updated dependencies []:

@tanstack/query-devtools@5.100.8

@tanstack/react-query@5.100.8

@tanstack/react-query-next-experimental@5.100.8

Patch Changes

Updated dependencies []:

@tanstack/react-query@5.100.8

@tanstack/react-query-persist-client@5.100.8

Patch Changes

Updated dependencies []:

@tanstack/query-persist-client-core@5.100.8

@tanstack/react-query@5.100.8

@tanstack/react-query@5.100.8

Patch Changes

Updated dependencies []:

... (truncated)

Changelog

Sourced from @tanstack/react-query's changelog.

5.100.9

Patch Changes

Updated dependencies [fcee7bd]:

@tanstack/query-core@5.100.9

5.100.8

Patch Changes

Updated dependencies []:

@tanstack/query-core@5.100.8

5.100.7

Patch Changes

Updated dependencies []:

@tanstack/query-core@5.100.7

5.100.6

Patch Changes

Updated dependencies []:

@tanstack/query-core@5.100.6

5.100.5

Patch Changes

Updated dependencies [a53ef97]:

@tanstack/query-core@5.100.5

5.100.4

Patch Changes

Updated dependencies []:

@tanstack/query-core@5.100.4

5.100.3

Patch Changes

fix(suspense): skip calling combine when queries would suspend (#10576)

Updated dependencies [f85d825]:

@tanstack/query-core@5.100.3

... (truncated)

Commits

8c3d523 ci: Version Packages (#10630)
9800c8f ci: Version Packages (#10623)
3ae4261 ci: Version Packages (#10620)
87f7ccf ci: Version Packages (#10604)
441204b ci: Version Packages (#10582)
55afb3e ci: Version Packages (#10581)
fe287cc ci: Version Packages (#10579)
f85d825 Feature/use suspense queries combine (#10576)
93b2845 ci: Version Packages (#10575)
ea4497e fix(query-core): stop wrapping persister generics in NoInfer (#10510)
Additional commits viewable in compare view

Updates @tanstack/react-query-devtools from 5.91.3 to 5.100.9

Release notes

Sourced from @tanstack/react-query-devtools's releases.

@tanstack/react-query-devtools@5.100.9

Patch Changes

Updated dependencies [3d21cac]:

@tanstack/query-devtools@5.100.9

@tanstack/react-query@5.100.9

@tanstack/react-query-devtools@5.100.8

Patch Changes

Updated dependencies []:

@tanstack/query-devtools@5.100.8

@tanstack/react-query@5.100.8

@tanstack/react-query-devtools@5.100.7

Patch Changes

docs(devtools): align logo, panel, and 'buttonPosition' union descriptions across docs and JSDoc (#10617)

Updated dependencies []:

@tanstack/query-devtools@5.100.7

@tanstack/react-query@5.100.7

@tanstack/react-query-devtools@5.100.6

Patch Changes

Updated dependencies []:

@tanstack/query-devtools@5.100.6

@tanstack/react-query@5.100.6

Changelog

Sourced from @tanstack/react-query-devtools's changelog.

5.100.9

Patch Changes

Updated dependencies [3d21cac]:

@tanstack/query-devtools@5.100.9

@tanstack/react-query@5.100.9

5.100.8

Patch Changes

Updated dependencies []:

@tanstack/query-devtools@5.100.8

@tanstack/react-query@5.100.8

5.100.7

Patch Changes

docs(devtools): align logo, panel, and 'buttonPosition' union descriptions across docs and JSDoc (#10617)

Updated dependencies []:

@tanstack/query-devtools@5.100.7

@tanstack/react-query@5.100.7

5.100.6

Patch Changes

Updated dependencies []:

@tanstack/query-devtools@5.100.6

@tanstack/react-query@5.100.6

5.100.5

Patch Changes

Updated dependencies []:

@tanstack/query-devtools@5.100.5

@tanstack/react-query@5.100.5

5.100.4

Patch Changes

fix(devtools): change onClose callback type from () => unknown to () => void (#10118)

Updated dependencies [3d1a62e]:

@tanstack/query-devtools@5.100.4

... (truncated)

Commits

8c3d523 ci: Version Packages (#10630)
03eba38 test(react-query-devtools): add tests for missing 'QueryClient', context prov...
9800c8f ci: Version Packages (#10623)
3ae4261 ci: Version Packages (#10620)
868577d docs(devtools): align logo, panel, and option union descriptions across docs ...
87f7ccf ci: Version Packages (#10604)
441204b ci: Version Packages (#10582)
55afb3e ci: Version Packages (#10581)
3d1a62e fix(devtools): change onClose callback type from () => unknown to () … (#10118)
fe287cc ci: Version Packages (#10579)
Additional commits viewable in compare view

Updates @tanstack/react-virtual from 3.13.21 to 3.13.24

Release notes

Sourced from @tanstack/react-virtual's releases.

@tanstack/react-virtual@3.13.24

Patch Changes

Updated dependencies [97a204d]:

@tanstack/virtual-core@3.14.0

@tanstack/react-virtual@3.13.23

Patch Changes

Updated dependencies [7ece2d5]:

@tanstack/virtual-core@3.13.23

@tanstack/react-virtual@3.13.22

Patch Changes

Updated dependencies [54d771a, d3416c3]:

@tanstack/virtual-core@3.13.22

Changelog

Sourced from @tanstack/react-virtual's changelog.

3.13.24

Patch Changes

Updated dependencies [97a204d]:

@tanstack/virtual-core@3.14.0

3.13.23

Patch Changes

Updated dependencies [7ece2d5]:

@tanstack/virtual-core@3.13.23

3.13.22

Patch Changes

Updated dependencies [54d771a, d3416c3]:

@tanstack/virtual-core@3.13.22

Commits

c3d4cd4 ci: Version Packages (#1157)
9394e13 ci: Version Packages (#1149)
7ece2d5 fix(virtual-core): remove incorrect elementsCache cleanup using getItemKey (#...
c2f1c39 ci: Version Packages (#1139)
fc3c733 perf(virtual-core): skip sync DOM reads during normal scrolling (#1144)
See full diff in compare view

Updates @vanilla-extract/css from 1.18.0 to 1.20.1

Release notes

Sourced from @vanilla-extract/css's releases.

@vanilla-extract/css@1.20.1

Patch Changes

#1710 1677593 Thanks @askoufis! - Replace cssesc dependency with vendored version

@vanilla-extract/css@1.20.0

Minor Changes
#1702 48a9caf Thanks @bschlenk! - Allow :where and :is in selectors if all selectors target &

EXAMPLE USAGE:
const example = style({
  color: 'red',
  selectors: {
    // Valid: all selectors in the list target `example`
    ':is(h1 > &, h2 > &)': { color: 'blue' }
    // Invalid: the second selector in the list does not target `example`
    ':is(h1 > &, h2)': { color: 'blue' }
  }
});
@vanilla-extract/css@1.19.1

Patch Changes
#1558 9b1bfd0 Thanks @andjsrk! - style: Fixed a bug where nested arrays of classnames could cause missing or malformed CSS during style composition in certain situations.

For example, the following style composition would not generate CSS for the backgroundColor: 'orange' style, and would also generate malformed CSS:
const styleWithNestedComposition = style([
  [style1, style2],
  { backgroundColor: 'orange' },
  [style3]
]);
@vanilla-extract/css@1.19.0

Minor Changes

#1686 1a63a60 Thanks @askoufis! - Add ./vanilla.virtual.css?* entrypoint for Turbopack integration

Changelog

Sourced from @vanilla-extract/css's changelog.

1.20.1

Patch Changes

#1710 1677593 Thanks @askoufis! - Replace cssesc dependency with vendored version

1.20.0

Minor Changes
#1702 48a9caf Thanks @bschlenk! - Allow :where and :is in selectors if all selectors target &

EXAMPLE USAGE:
const example = style({
  color: 'red',
  selectors: {
    // Valid: all selectors in the list target `example`
    ':is(h1 > &, h2 > &)': { color: 'blue' }
    // Invalid: the second selector in the list does not target `example`
    ':is(h1 > &, h2)': { color: 'blue' }
  }
});
1.19.1

Patch Changes
#1558 9b1bfd0 Thanks @andjsrk! - style: Fixed a bug where nested arrays of classnames could cause missing or malformed CSS during style composition in certain situations.

For example, the following style composition would not generate CSS for the backgroundColor: 'orange' style, and would also generate malformed CSS:
const styleWithNestedComposition = style([
  [style1, style2],
  { backgroundColor: 'orange' },
  [style3]
]);
1.19.0

Minor Changes

#1686 1a63a60 Thanks @askoufis! - Add ./vanilla.virtual.css?* entrypoint for Turbopack integration

Commits

5f3faae Version Packages (#1711)
1677593 Vendor cssesc dependency (#1710)
fb82ead Version Packages (#1703)
a668d59 validateSelectors: Fix changeset, update tests (#1704)
48a9caf fix: allow :where and :is in selectors when they only target & (#1702)
79b3519 Version Packages (#1695)
9b1bfd0 Fix runtime behavior to match the type definition (#1558)
d1257c7 Migrate all tests to vitest, increase vite-node dep range (#1694)
ac5ab50 Configure oxlint, address some lint warnings (#1690)
02d85ec Update prettier to v3, delete some directories, update remix docs (#1689)
Additional commits viewable in compare view

Updates @vanilla-extract/vite-plugin from 5.1.4 to 5.2.2

Release notes

Sourced from @vanilla-extract/vite-plugin's releases.

@vanilla-extract/vite-plugin@5.2.2

Patch Changes

Updated dependencies [1677593]:

@vanilla-extract/compiler@0.7.0

@vanilla-extract/vite-plugin@5.2.1

Patch Changes

#1701 b066d1c Thanks @askoufis! - Reduce unnecessary HMR invalidations and fix broken HMR in Astro, Nuxt and Qwik

Updated dependencies [b066d1c]:

@vanilla-extract/compiler@0.6.0

@vanilla-extract/vite-plugin@5.2.0

Minor Changes

#1687 e29f242 Thanks @askoufis! - Add support for Vite 8

Patch Changes

Updated dependencies [e29f242]:

@vanilla-extract/compiler@0.5.0

@vanilla-extract/vite-plugin@5.1.5

Patch Changes

Updated dependencies [c0e2812, c0e2812, c0e2812]:

@vanilla-extract/compiler@0.4.0

@vanilla-extract/integration@8.0.8

Changelog

Sourced from @vanilla-extract/vite-plugin's changelog.

5.2.2

Patch Changes

Updated dependencies [1677593]:

@vanilla-extract/compiler@0.7.0

5.2.1

Patch Changes

#1701 b066d1c Thanks @askoufis! - Reduce unnecessary HMR invalidations and fix broken HMR in Astro, Nuxt and Qwik

Updated dependencies [b066d1c]:

@vanilla-extract/compiler@0.6.0

5.2.0

Minor Changes

#1687 e29f242 Thanks @askoufis! - Add support for Vite 8

Patch Changes

Updated dependencies [e29f242]:

@vanilla-extract/compiler@0.5.0

5.1.5

Patch Changes

Updated dependencies [c0e2812, c0e2812, c0e2812]:

@vanilla-extract/compiler@0.4.0

@vanilla-extract/integration@8.0.8

Commits

5f3faae Version Packages (#1711)
ba21414 Version Packages (#1706)
b066d1c vite: Reduce unnecessary HMR invalidations (#1701)
d1257c7 Migrate all tests to vitest, increase vite-node dep range (#1694)
81e6c33 Version Packages (#1688)
e29f242 Add support for Vite 8 (#1687)
b227ebb Version Packages (#1685)
See full diff in compare view

Updates dayjs from 1.11.19 to 1.11.20

Release notes

Sourced from dayjs's releases.

v1.11.20

1.11.20 (2026-03-12)

Bug Fixes

Update locale km.js to support meridiem (#3017) (9d2b6a1)

update updateLocale plugin to merge nested object properties instead of replacing (#3012) (99691c5), closes #1118

Changelog

Sourced from dayjs's changelog.

1.11.20 (2026-03-12)

Bug Fixes

Update locale km.js to support meridiem (#3017) (9d2b6a1)

update updateLocale plugin to merge nested object properties instead of replacing (#3012) (99691c5), closes #1118

Commits

af6e1f8 chore(release): 1.11.20 [skip ci]
82babd6 D2M (#3018)
bbe4ab1 chore: fix lint error
99691c5 fix: update updateLocale plugin to merge nested object properties instead of ...
9d2b6a1 fix: Update locale km.js to support meridiem (#3017)
acf21cd chore: update doc
55a64e1 chore: update doc
807face chore: update doc
54f4470 chore: update doc
9ea23c7 chore: update doc
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for dayjs since your current version.

Updates dompurify from 3.3.3 to 3.4.3

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.3

Fixed an issue with handling of nested Shadow DOM trees, thanks @fishjojo1

Fixed the template regexes to be more robust against ReDoS attacks, thanks @aleung27

Updated the node iteration code to catch more Shadow DOM related issues

Updated Playwright and added Node 26 to test matrix

Updated existing workflows, fuzzer, release signing, etc., added more tests

Bumped several dependencies where possible

DOMPurify 3.4.2

Fixed an issue with URI validation on attributes allowed via ADD_ATTR callback, thanks @nelstrom

Fixed an issue with source maps referring to non-existing files, thanks @cmdcolin

Updated existing workflows, fuzzer, release signing, etc., added more tests

Bumped several dependencies where possible

DOMPurify 3.4.1

Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING

Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode

Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization

Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)

Removed a duplicate slot entry from the default HTML attribute allow-list

Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire

Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)

Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

DOMPurify 3.4.0

Most relevant changes:

Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @kodareef5

Fixed several minor problems and typos regarding MathML attributes, thanks @DavidOliver

Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @1Jesper1

Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @bencalif

Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @trace37labs

Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @eddieran

Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @christos-eth

Fixed an issue with USE_PROFILES prototype pollution, thanks @christos-eth

Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @researchatfluidattacks and others

Fixed an issue with closing tags leading to possible mXSS, thanks @frevadiscor

Fixed a problem with the type dentition patcher after Node version bump

Fixed freezing BS runs by reducing the tested browsers array

Bumped several dependencies where possible

Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

Details

Description has been truncated

Bumps the npm-non-major group with 31 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@atlaskit/pragmatic-drag-and-drop](https://github.com/atlassian/pragmatic-drag-and-drop) | `1.7.9` | `1.8.1` | | [@sentry/react](https://github.com/getsentry/sentry-javascript) | `10.43.0` | `10.52.0` | | [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.90.21` | `5.100.9` | | [@tanstack/react-query-devtools](https://github.com/TanStack/query/tree/HEAD/packages/react-query-devtools) | `5.91.3` | `5.100.9` | | [@tanstack/react-virtual](https://github.com/TanStack/virtual/tree/HEAD/packages/react-virtual) | `3.13.21` | `3.13.24` | | [@vanilla-extract/css](https://github.com/vanilla-extract-css/vanilla-extract/tree/HEAD/packages/css) | `1.18.0` | `1.20.1` | | [@vanilla-extract/vite-plugin](https://github.com/vanilla-extract-css/vanilla-extract/tree/HEAD/packages/vite-plugin) | `5.1.4` | `5.2.2` | | [dayjs](https://github.com/iamkun/dayjs) | `1.11.19` | `1.11.20` | | [framer-motion](https://github.com/motiondivision/motion) | `12.34.3` | `12.38.0` | | [jotai](https://github.com/pmndrs/jotai) | `2.18.1` | `2.20.0` | | [marked](https://github.com/markedjs/marked) | `18.0.2` | `18.0.3` | | [pdfjs-dist](https://github.com/mozilla/pdf.js) | `5.5.207` | `5.7.284` | | [react-aria](https://github.com/adobe/react-spectrum) | `3.47.0` | `3.48.0` | | [react-colorful](https://github.com/omgovich/react-colorful) | `5.6.1` | `5.7.0` | | [slate](https://github.com/ianstormtaylor/slate) | `0.123.0` | `0.124.1` | | [slate-dom](https://github.com/ianstormtaylor/slate) | `0.123.0` | `0.124.1` | | [slate-react](https://github.com/ianstormtaylor/slate) | `0.123.0` | `0.124.0` | | [virtua](https://github.com/inokawa/virtua) | `0.48.8` | `0.49.1` | | [workbox-precaching](https://github.com/googlechrome/workbox) | `7.4.0` | `7.4.1` | | [@cloudflare/vite-plugin](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/vite-plugin-cloudflare) | `1.27.0` | `1.36.3` | | [@sentry/vite-plugin](https://github.com/getsentry/sentry-javascript-bundler-plugins) | `5.1.1` | `5.2.1` | | [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.0` | `4.1.5` | | [@vitest/ui](https://github.com/vitest-dev/vitest/tree/HEAD/packages/ui) | `4.1.0` | `4.1.5` | | [jsdom](https://github.com/jsdom/jsdom) | `29.0.0` | `29.1.1` | | [oxfmt](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt) | `0.45.0` | `0.48.0` | | [oxlint](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxlint) | `1.60.0` | `1.63.0` | | [oxlint-tsgolint](https://github.com/oxc-project/tsgolint) | `0.21.0` | `0.22.1` | | [vite-plugin-compression2](https://github.com/nonzzz/vite-plugin-compression) | `2.5.0` | `2.5.3` | | [vite-plugin-pwa](https://github.com/vite-pwa/vite-plugin-pwa) | `1.2.0` | `1.3.0` | | [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.0` | `4.1.5` | | [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler) | `4.72.0` | `4.90.0` | Updates `@atlaskit/pragmatic-drag-and-drop` from 1.7.9 to 1.8.1 - [Commits](https://github.com/atlassian/pragmatic-drag-and-drop/commits) Updates `@sentry/react` from 10.43.0 to 10.52.0 - [Release notes](https://github.com/getsentry/sentry-javascript/releases) - [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md) - [Commits](getsentry/sentry-javascript@10.43.0...10.52.0) Updates `@tanstack/react-query` from 5.90.21 to 5.100.9 - [Release notes](https://github.com/TanStack/query/releases) - [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md) - [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.100.9/packages/react-query) Updates `@tanstack/react-query-devtools` from 5.91.3 to 5.100.9 - [Release notes](https://github.com/TanStack/query/releases) - [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query-devtools/CHANGELOG.md) - [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query-devtools@5.100.9/packages/react-query-devtools) Updates `@tanstack/react-virtual` from 3.13.21 to 3.13.24 - [Release notes](https://github.com/TanStack/virtual/releases) - [Changelog](https://github.com/TanStack/virtual/blob/main/packages/react-virtual/CHANGELOG.md) - [Commits](https://github.com/TanStack/virtual/commits/@tanstack/react-virtual@3.13.24/packages/react-virtual) Updates `@vanilla-extract/css` from 1.18.0 to 1.20.1 - [Release notes](https://github.com/vanilla-extract-css/vanilla-extract/releases) - [Changelog](https://github.com/vanilla-extract-css/vanilla-extract/blob/master/packages/css/CHANGELOG.md) - [Commits](https://github.com/vanilla-extract-css/vanilla-extract/commits/@vanilla-extract/css@1.20.1/packages/css) Updates `@vanilla-extract/vite-plugin` from 5.1.4 to 5.2.2 - [Release notes](https://github.com/vanilla-extract-css/vanilla-extract/releases) - [Changelog](https://github.com/vanilla-extract-css/vanilla-extract/blob/master/packages/vite-plugin/CHANGELOG.md) - [Commits](https://github.com/vanilla-extract-css/vanilla-extract/commits/@vanilla-extract/vite-plugin@5.2.2/packages/vite-plugin) Updates `dayjs` from 1.11.19 to 1.11.20 - [Release notes](https://github.com/iamkun/dayjs/releases) - [Changelog](https://github.com/iamkun/dayjs/blob/dev/CHANGELOG.md) - [Commits](iamkun/dayjs@v1.11.19...v1.11.20) Updates `dompurify` from 3.3.3 to 3.4.3 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.3.3...3.4.3) Updates `framer-motion` from 12.34.3 to 12.38.0 - [Changelog](https://github.com/motiondivision/motion/blob/main/CHANGELOG.md) - [Commits](motiondivision/motion@v12.34.3...v12.38.0) Updates `i18next-http-backend` from 2.7.3 to 4.0.0 - [Changelog](https://github.com/i18next/i18next-http-backend/blob/master/CHANGELOG.md) - [Commits](i18next/i18next-http-backend@v2.7.3...v4.0.0) Updates `jotai` from 2.18.1 to 2.20.0 - [Release notes](https://github.com/pmndrs/jotai/releases) - [Commits](pmndrs/jotai@v2.18.1...v2.20.0) Updates `marked` from 18.0.2 to 18.0.3 - [Release notes](https://github.com/markedjs/marked/releases) - [Commits](markedjs/marked@v18.0.2...v18.0.3) Updates `pdfjs-dist` from 5.5.207 to 5.7.284 - [Release notes](https://github.com/mozilla/pdf.js/releases) - [Commits](mozilla/pdf.js@v5.5.207...v5.7.284) Updates `react-aria` from 3.47.0 to 3.48.0 - [Release notes](https://github.com/adobe/react-spectrum/releases) - [Commits](https://github.com/adobe/react-spectrum/compare/react-aria@3.47.0...react-aria@3.48.0) Updates `react-colorful` from 5.6.1 to 5.7.0 - [Release notes](https://github.com/omgovich/react-colorful/releases) - [Changelog](https://github.com/omgovich/react-colorful/blob/master/CHANGELOG.md) - [Commits](https://github.com/omgovich/react-colorful/commits/5.7.0) Updates `slate` from 0.123.0 to 0.124.1 - [Release notes](https://github.com/ianstormtaylor/slate/releases) - [Commits](https://github.com/ianstormtaylor/slate/compare/slate@0.123.0...slate@0.124.1) Updates `slate-dom` from 0.123.0 to 0.124.1 - [Release notes](https://github.com/ianstormtaylor/slate/releases) - [Commits](https://github.com/ianstormtaylor/slate/compare/slate-dom@0.123.0...slate-dom@0.124.1) Updates `slate-react` from 0.123.0 to 0.124.0 - [Release notes](https://github.com/ianstormtaylor/slate/releases) - [Commits](https://github.com/ianstormtaylor/slate/compare/slate-react@0.123.0...slate-react@0.124.0) Updates `virtua` from 0.48.8 to 0.49.1 - [Release notes](https://github.com/inokawa/virtua/releases) - [Commits](inokawa/virtua@0.48.8...0.49.1) Updates `workbox-precaching` from 7.4.0 to 7.4.1 - [Release notes](https://github.com/googlechrome/workbox/releases) - [Commits](GoogleChrome/workbox@v7.4.0...v7.4.1) Updates `@cloudflare/vite-plugin` from 1.27.0 to 1.36.3 - [Release notes](https://github.com/cloudflare/workers-sdk/releases) - [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/vite-plugin-cloudflare/CHANGELOG.md) - [Commits](https://github.com/cloudflare/workers-sdk/commits/@cloudflare/vite-plugin@1.36.3/packages/vite-plugin-cloudflare) Updates `@sentry/vite-plugin` from 5.1.1 to 5.2.1 - [Release notes](https://github.com/getsentry/sentry-javascript-bundler-plugins/releases) - [Changelog](https://github.com/getsentry/sentry-javascript-bundler-plugins/blob/main/CHANGELOG.md) - [Commits](getsentry/sentry-javascript-bundler-plugins@5.1.1...5.2.1) Updates `@vitest/coverage-v8` from 4.1.0 to 4.1.5 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.5/packages/coverage-v8) Updates `@vitest/ui` from 4.1.0 to 4.1.5 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.5/packages/ui) Updates `jsdom` from 29.0.0 to 29.1.1 - [Release notes](https://github.com/jsdom/jsdom/releases) - [Commits](jsdom/jsdom@v29.0.0...v29.1.1) Updates `oxfmt` from 0.45.0 to 0.48.0 - [Release notes](https://github.com/oxc-project/oxc/releases) - [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxfmt/CHANGELOG.md) - [Commits](https://github.com/oxc-project/oxc/commits/oxfmt_v0.48.0/npm/oxfmt) Updates `oxlint` from 1.60.0 to 1.63.0 - [Release notes](https://github.com/oxc-project/oxc/releases) - [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxlint/CHANGELOG.md) - [Commits](https://github.com/oxc-project/oxc/commits/oxlint_v1.63.0/npm/oxlint) Updates `oxlint-tsgolint` from 0.21.0 to 0.22.1 - [Release notes](https://github.com/oxc-project/tsgolint/releases) - [Commits](oxc-project/tsgolint@v0.21.0...v0.22.1) Updates `vite` from 7.3.1 to 8.0.12 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.0.12/packages/vite) Updates `vite-plugin-compression2` from 2.5.0 to 2.5.3 - [Release notes](https://github.com/nonzzz/vite-plugin-compression/releases) - [Changelog](https://github.com/nonzzz/vite-plugin-compression/blob/master/CHANGELOG.md) - [Commits](nonzzz/vite-plugin-compression@v2.5.0...v2.5.3) Updates `vite-plugin-pwa` from 1.2.0 to 1.3.0 - [Release notes](https://github.com/vite-pwa/vite-plugin-pwa/releases) - [Commits](vite-pwa/vite-plugin-pwa@v1.2.0...v1.3.0) Updates `vitest` from 4.1.0 to 4.1.5 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.5/packages/vitest) Updates `wrangler` from 4.72.0 to 4.90.0 - [Release notes](https://github.com/cloudflare/workers-sdk/releases) - [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@4.90.0/packages/wrangler) --- updated-dependencies: - dependency-name: "@atlaskit/pragmatic-drag-and-drop" dependency-version: 1.8.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: "@sentry/react" dependency-version: 10.52.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: "@tanstack/react-query" dependency-version: 5.100.9 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: "@tanstack/react-query-devtools" dependency-version: 5.100.9 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: "@tanstack/react-virtual" dependency-version: 3.13.24 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm-non-major - dependency-name: "@vanilla-extract/css" dependency-version: 1.20.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: "@vanilla-extract/vite-plugin" dependency-version: 5.2.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: dayjs dependency-version: 1.11.20 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm-non-major - dependency-name: dompurify dependency-version: 3.4.3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: framer-motion dependency-version: 12.38.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: i18next-http-backend dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm-non-major - dependency-name: jotai dependency-version: 2.20.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: marked dependency-version: 18.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm-non-major - dependency-name: pdfjs-dist dependency-version: 5.7.284 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: react-aria dependency-version: 3.48.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: react-colorful dependency-version: 5.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: slate dependency-version: 0.124.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: slate-dom dependency-version: 0.124.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: slate-react dependency-version: 0.124.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: virtua dependency-version: 0.49.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: workbox-precaching dependency-version: 7.4.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm-non-major - dependency-name: "@cloudflare/vite-plugin" dependency-version: 1.36.3 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: "@sentry/vite-plugin" dependency-version: 5.2.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: "@vitest/coverage-v8" dependency-version: 4.1.5 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-non-major - dependency-name: "@vitest/ui" dependency-version: 4.1.5 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-non-major - dependency-name: jsdom dependency-version: 29.1.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: oxfmt dependency-version: 0.48.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: oxlint dependency-version: 1.63.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: oxlint-tsgolint dependency-version: 0.22.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: vite dependency-version: 8.0.12 dependency-type: direct:development update-type: version-update:semver-major dependency-group: npm-non-major - dependency-name: vite-plugin-compression2 dependency-version: 2.5.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-non-major - dependency-name: vite-plugin-pwa dependency-version: 1.3.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-non-major - dependency-name: vitest dependency-version: 4.1.5 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-non-major - dependency-name: wrangler dependency-version: 4.90.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-non-major ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-05-18T02:04:48Z

Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot Bot added the internal label May 15, 2026

dependabot Bot requested review from 7w1 and hazre as code owners May 15, 2026 01:41

dependabot Bot added the internal label May 15, 2026

dependabot Bot closed this May 18, 2026

dependabot Bot deleted the dependabot/npm_and_yarn/npm-non-major-614b81aa6b branch May 18, 2026 02:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: bump the npm-non-major group across 1 directory with 34 updates#843

chore: bump the npm-non-major group across 1 directory with 34 updates#843
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/npm-non-major-614b81aa6b

dependabot Bot commented on behalf of github May 15, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github May 18, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

10.52.0

Important Changes

Other Changes

10.52.0

Important Changes

Other Changes

@​tanstack/react-query-devtools@​5.100.9

Patch Changes

@​tanstack/react-query-next-experimental@​5.100.9

Patch Changes

@​tanstack/react-query-persist-client@​5.100.9

Patch Changes

@​tanstack/react-query@​5.100.9

Patch Changes

@​tanstack/react-query-devtools@​5.100.8

Patch Changes

@​tanstack/react-query-next-experimental@​5.100.8

Patch Changes

@​tanstack/react-query-persist-client@​5.100.8

Patch Changes

@​tanstack/react-query@​5.100.8

Patch Changes

5.100.9

Patch Changes

5.100.8

Patch Changes

5.100.7

Patch Changes

5.100.6

Patch Changes

5.100.5

Patch Changes

5.100.4

Patch Changes

5.100.3

Patch Changes

@​tanstack/react-query-devtools@​5.100.9

Patch Changes

@​tanstack/react-query-devtools@​5.100.8

Patch Changes

@​tanstack/react-query-devtools@​5.100.7

Patch Changes

@​tanstack/react-query-devtools@​5.100.6

Patch Changes

5.100.9

Patch Changes

5.100.8

Patch Changes

5.100.7

Patch Changes

5.100.6

Patch Changes

5.100.5

Patch Changes

5.100.4

Patch Changes

@​tanstack/react-virtual@​3.13.24

Patch Changes

@​tanstack/react-virtual@​3.13.23

Patch Changes

@​tanstack/react-virtual@​3.13.22

Patch Changes

3.13.24

Patch Changes

3.13.23

Patch Changes

3.13.22

Patch Changes

@​vanilla-extract/css@​1.20.1

Patch Changes

@​vanilla-extract/css@​1.20.0

Minor Changes

@​vanilla-extract/css@​1.19.1

Patch Changes

@​vanilla-extract/css@​1.19.0

Minor Changes

1.20.1

dependabot Bot commented on behalf of github May 15, 2026 •

edited

Loading

`@tanstack/react-query-devtools@5`.100.9

`@tanstack/react-query-next-experimental@5`.100.9

`@tanstack/react-query-persist-client@5`.100.9

`@tanstack/react-query@5`.100.9

`@tanstack/react-query-devtools@5`.100.8

`@tanstack/react-query-next-experimental@5`.100.8

`@tanstack/react-query-persist-client@5`.100.8

`@tanstack/react-query@5`.100.8

`@tanstack/react-query-devtools@5`.100.9

`@tanstack/react-query-devtools@5`.100.8

`@tanstack/react-query-devtools@5`.100.7

`@tanstack/react-query-devtools@5`.100.6

`@tanstack/react-virtual@3`.13.24

`@tanstack/react-virtual@3`.13.23

`@tanstack/react-virtual@3`.13.22

`@vanilla-extract/css@1`.20.1

`@vanilla-extract/css@1`.20.0

`@vanilla-extract/css@1`.19.1

`@vanilla-extract/css@1`.19.0

`@vanilla-extract/vite-plugin@5`.2.2

`@vanilla-extract/vite-plugin@5`.2.1

`@vanilla-extract/vite-plugin@5`.2.0

`@vanilla-extract/vite-plugin@5`.1.5