chore(deps): bump the npm-prod-minor-patch group across 1 directory with 7 updates

[dependabot]

Bumps the npm-prod-minor-patch group with 7 updates in the / directory:

Package	From	To
react	19.2.5	19.2.6
react-dom	19.2.5	19.2.6
ora	9.3.0	9.4.0
@wordpress/style-engine	2.43.0	2.46.0
fast-xml-parser	5.7.1	5.8.0
sanitize-html	2.17.3	2.17.4
@wordpress/prettier-config	4.43.0	4.46.0

Updates react from 19.2.5 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates react-dom from 19.2.5 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates ora from 9.3.0 to 9.4.0

Release notes

Sourced from ora's releases.

v9.4.0

• Add successSymbol and failSymbol options to oraPromise 3d2e0a9

---

sindresorhus/ora@v9.3.0...v9.4.0

Commits

• 46a6703 9.4.0
• 3d2e0a9 Add successSymbol and failSymbol options to oraPromise
• f70f613 Test tweaks
• 7cf29a7 Validate some options better
• See full diff in compare view

Updates @wordpress/style-engine from 2.43.0 to 2.46.0

Changelog

Sourced from @​wordpress/style-engine's changelog.

2.46.0 (2026-05-14)

2.45.0 (2026-04-29)

2.44.0 (2026-04-15)

Commits

• 51264e3 chore(release): publish
• a8d4b30 Update changelog files
• f75812b Merge changes published in the Gutenberg plugin "release/23.2" branch
• ac75d25 Update changelog files
• 3e8943b Merge changes published in the Gutenberg plugin "release/23.2" branch
• 9656be0 Update changelog files
• 4313ac2 Merge changes published in the Gutenberg plugin "release/23.2" branch
• a5cc28f Update changelog files
• 30dff6b Merge changes published in the Gutenberg plugin "release/23.2" branch
• 6445ede chore(release): publish
• Additional commits viewable in compare view

Updates fast-xml-parser from 5.7.1 to 5.8.0

Release notes

Sourced from fast-xml-parser's releases.

update strnum, FXB. Use xml-naming for DOCTYPE

• integrate xml-naming to validate DOCTYPE entity name and notation name (using qname because of backward compatibility)
  • This will consider xml-version as well. '1.0' is default
• update strnum to 2.3.0
  • You can set octal and binary parsing which is by deault off
• update fast-xml-builder to 1.2.0
  • can sanitize tag names if found invalid
  • fix format output

fix minor old bugs and update builder

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

backward compatibility for numerical external entity, fix #705, #817

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

*5.8.0 / 2026-05-12

• integrate xml-naming to validate DOCTYPE entity name and notation name (using qname becaue of backward compatibility)
  • This will consider xml-version as well. '1.0' is default
• update strnum to 2.3.0
  • You can set octal and binary parsing which is bydeault off
• update fast-xml-builder to 1.2.0
  • can sanitize tag names if found invalid
  • fix format output

5.7.3 / 2006-05-05

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

5.7.2 / 2026-04-25

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

• fix typo in CJS typing file

5.7.0 / 2026-04-17

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to user entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

5.6.0 / 2026-04-15

• fix: entity replacement for numeric entities
• use @​nodable/entities to replace entities
  • this may change some error messages related to entities expansion limit or inavlid use
  • post check would be exposed in future version

... (truncated)

Commits

• 4bcee44 for release
• 8a287bf release info
• 50b01dc Use "@​byspec/xml" for testing
• 816b652 update typings to mark validator use deprecated
• 8ad0e65 update fast-xml-builder and strnum
• 58e967e integrate xml-naming
• 42fa3c3 separate XML validator, UPDATE DOCS
• d6d8042 update to release
• d263370 remove dev dependency 'he'
• f9c9a2c update builder to 1.1.7
• Additional commits viewable in compare view

Updates sanitize-html from 2.17.3 to 2.17.4

Changelog

Sourced from sanitize-html's changelog.

2.17.4

Changes

• sanitize-html and launder now share a single implementation of naughtyHref, based on that which previously existed in sanitize-html.

Security

• Security vulnerability: the xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself is not explicitly allowed All users of sanitize-html should update immediately. Thanks to Vincenzo Turturro for reporting the vulnerability.

Commits

• See full diff in compare view

Updates @wordpress/prettier-config from 4.43.0 to 4.46.0

Changelog

Sourced from @​wordpress/prettier-config's changelog.

4.46.0 (2026-05-14)

4.45.0 (2026-04-29)

4.44.0 (2026-04-15)

Commits

• 51264e3 chore(release): publish
• a8d4b30 Update changelog files
• f75812b Merge changes published in the Gutenberg plugin "release/23.2" branch
• ac75d25 Update changelog files
• 3e8943b Merge changes published in the Gutenberg plugin "release/23.2" branch
• 9656be0 Update changelog files
• 4313ac2 Merge changes published in the Gutenberg plugin "release/23.2" branch
• a5cc28f Update changelog files
• 30dff6b Merge changes published in the Gutenberg plugin "release/23.2" branch
• 6445ede chore(release): publish
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[changeset-bot]

⚠️ No Changeset found

Latest commit: 1d337f2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coveralls]

Coverage Report for CI Build 26355345834

Coverage remained the same at 59.571%

Details

• Coverage remained the same as the base build.
• Patch coverage: No coverable lines changed in this PR.
• No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

---

Coverage Stats

Relevant Lines:	720
Covered Lines:	484
Line Coverage:	67.22%
Relevant Branches:	445
Covered Branches:	210
Branch Coverage:	47.19%
Branches in Coverage %:	Yes
Coverage Strength:	6.8 hits per line

---

💛 - Coveralls