Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

Bump the npm_and_yarn group across 39 directories with 4 updates

Open
Number: #175
Type: Pull Request
State: Open
Author: dependabot[bot] dependabot[bot]
Association: Unknown
Comments: 2
Created: April 09, 2026 at 08:55 AM UTC
(about 2 months ago)
Updated: April 09, 2026 at 08:58 AM UTC
(about 2 months ago)
Labels:
dependencies javascript
Description:

Bumps the npm_and_yarn group with 1 update in the /1Application-frontend directory: vite.
Bumps the npm_and_yarn group with 2 updates in the /3DPorffolio/bilalmirza74 directory: vite and picomatch.
Bumps the npm_and_yarn group with 2 updates in the /AdminDashBoard/Haris-Mohanty directory: picomatch and lodash.
Bumps the npm_and_yarn group with 1 update in the /Bulb/sivangbagri/Bulb directory: vite.
Bumps the npm_and_yarn group with 2 updates in the /ChatApp/priyajani028/client directory: picomatch and lodash.
Bumps the npm_and_yarn group with 1 update in the /ChatApp/priyajani028/server directory: picomatch.
Bumps the npm_and_yarn group with 1 update in the /ChatApp/s-sasaki-0529/client directory: picomatch.
Bumps the npm_and_yarn group with 1 update in the /Clock/kububo directory: picomatch.
Bumps the npm_and_yarn group with 1 update in the /Covid19Tracker/Koddi-Evangelista directory: lodash.
Bumps the npm_and_yarn group with 3 updates in the /Covid19Tracker/sonu7089 directory: picomatch, lodash and axios.
Bumps the npm_and_yarn group with 2 updates in the /Dicegame/falgun143 directory: vite and picomatch.
Bumps the npm_and_yarn group with 1 update in the /Grammr/sreyas-b-anand directory: picomatch.
Bumps the npm_and_yarn group with 1 update in the /JokeGenerator/humbl3man directory: picomatch.
Bumps the npm_and_yarn group with 2 updates in the /LandingPage/Haris-Mohanty directory: picomatch and lodash.
Bumps the npm_and_yarn group with 2 updates in the /Newsapp/Athul directory: picomatch and lodash.
Bumps the npm_and_yarn group with 2 updates in the /Newsapp/tvermaashutosh directory: picomatch and lodash.
Bumps the npm_and_yarn group with 1 update in the /NoveltyCalculator/ADHIRAJ-12 directory: vite.
Bumps the npm_and_yarn group with 2 updates in the /PasswordGenerator/AnuragC07/AnuragC07 directory: vite and picomatch.
Bumps the npm_and_yarn group with 2 updates in the /Pokedex/Ayush-Vish directory: vite and axios.
Bumps the npm_and_yarn group with 2 updates in the /ProfileCard/kartik2433 directory: picomatch and lodash.
Bumps the npm_and_yarn group with 2 updates in the /QuizApp/kirtisingh3008 directory: picomatch and lodash.
Bumps the npm_and_yarn group with 2 updates in the /RandomQuote/cnohall directory: picomatch and lodash.
Bumps the npm_and_yarn group with 2 updates in the /ReactCart/thinkswell/ReactCart1 directory: picomatch and lodash.
Bumps the npm_and_yarn group with 1 update in the /ReactCart/thinkswell/ReactCart2 directory: picomatch.
Bumps the npm_and_yarn group with 1 update in the /SpendingCalculatorApp_Pratik1968/SpendingCalculator directory: vite.
Bumps the npm_and_yarn group with 2 updates in the /StonePaperScissorMinimal/coolpulkit99 directory: picomatch and lodash.
Bumps the npm_and_yarn group with 2 updates in the /TaskTracker/mansitheG8 directory: picomatch and lodash.
Bumps the npm_and_yarn group with 2 updates in the /TaskTracker/thinkswell directory: picomatch and lodash.
Bumps the npm_and_yarn group with 2 updates in the /TextAnalyzer/JiyaGupta-cs directory: picomatch and lodash.
Bumps the npm_and_yarn group with 2 updates in the /TicTacToeGame/Tanushree713 directory: picomatch and lodash.
Bumps the npm_and_yarn group with 2 updates in the /TicTacToeGame/cricket-lover directory: picomatch and lodash.
Bumps the npm_and_yarn group with 2 updates in the /ToDoList/Tanushree713 directory: picomatch and lodash.
Bumps the npm_and_yarn group with 3 updates in the /UltimateTicTacToeGame/PBJI directory: picomatch, lodash and axios.
Bumps the npm_and_yarn group with 3 updates in the /WeatherApp/neeraja-anil directory: picomatch, lodash and axios.
Bumps the npm_and_yarn group with 2 updates in the /Website directory: vite and picomatch.
Bumps the npm_and_yarn group with 2 updates in the /Website/server directory: picomatch and axios.
Bumps the npm_and_yarn group with 1 update in the /WordScramble/ifirmawan directory: vite.
Bumps the npm_and_yarn group with 2 updates in the /video-call/vaibhavpnimkar/client directory: picomatch and lodash.
Bumps the npm_and_yarn group with 1 update in the /video-call/vaibhavpnimkar/server directory: picomatch.

Updates vite from 4.4.11 to 8.0.8

Release notes

Sourced from vite's releases.

v8.0.8

Please refer to CHANGELOG.md for details.

v8.0.7

Please refer to CHANGELOG.md for details.

v8.0.6

Please refer to CHANGELOG.md for details.

v8.0.5

Please refer to CHANGELOG.md for details.

v8.0.4

Please refer to CHANGELOG.md for details.

create-vite@8.0.3

Please refer to CHANGELOG.md for details.

v8.0.3

Please refer to CHANGELOG.md for details.

create-vite@8.0.2

Please refer to CHANGELOG.md for details.

v8.0.2

Please refer to CHANGELOG.md for details.

create-vite@8.0.1

Please refer to CHANGELOG.md for details.

v8.0.1

Please refer to CHANGELOG.md for details.

plugin-legacy@8.0.1

Please refer to CHANGELOG.md for details.

create-vite@8.0.0

Please refer to CHANGELOG.md for details.

plugin-legacy@8.0.0

Please refer to CHANGELOG.md for details.

v8.0.0

Please refer to CHANGELOG.md for details.

v8.0.0-beta.18

Please refer to CHANGELOG.md for details.

v8.0.0-beta.17

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

8.0.8 (2026-04-09)

Features

Bug Fixes

  • avoid dns.getDefaultResultOrder temporary (#22202) (15f1c15)
  • ssr: class property keys hoisting matching imports (#22199) (e137601)

8.0.7 (2026-04-07)

Bug Fixes

  • use sync dns.getDefaultResultOrder instead of dns.promises (#22185) (5c05b04)

8.0.6 (2026-04-07)

Features

Bug Fixes

Performance Improvements

  • early return in getLocalhostAddressIfDiffersFromDNS when DNS order is verbatim (#22151) (56ec256)

Miscellaneous Chores

8.0.5 (2026-04-06)

Bug Fixes

  • apply server.fs check to env transport (#22159) (f02d9fd)
  • avoid path traversal with optimize deps sourcemap handler (#22161) (79f002f)
  • check server.fs after stripping query as well (#22160) (a9a3df2)
  • disallow referencing files outside the package from sourcemap (#22158) (f05f501)

8.0.4 (2026-04-06)

Features

  • allow esbuild 0.28 as peer deps (#22155) (b0da973)
  • hmr: truncate list of files on hmr update (#21535) (d00e806)
  • optimizer: log when dependency scanning or bundling takes over 1s (#21797) (f61a1ab)

Bug Fixes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for vite since your current version.


Updates vite from 4.4.9 to 8.0.8

Release notes

Sourced from vite's releases.

v8.0.8

Please refer to CHANGELOG.md for details.

v8.0.7

Please refer to CHANGELOG.md for details.

v8.0.6

Please refer to CHANGELOG.md for details.

v8.0.5

Please refer to CHANGELOG.md for details.

v8.0.4

Please refer to CHANGELOG.md for details.

create-vite@8.0.3

Please refer to CHANGELOG.md for details.

v8.0.3

Please refer to CHANGELOG.md for details.

create-vite@8.0.2

Please refer to CHANGELOG.md for details.

v8.0.2

Please refer to CHANGELOG.md for details.

create-vite@8.0.1

Please refer to CHANGELOG.md for details.

v8.0.1

Please refer to CHANGELOG.md for details.

plugin-legacy@8.0.1

Please refer to CHANGELOG.md for details.

create-vite@8.0.0

Please refer to CHANGELOG.md for details.

plugin-legacy@8.0.0

Please refer to CHANGELOG.md for details.

v8.0.0

Please refer to CHANGELOG.md for details.

v8.0.0-beta.18

Please refer to CHANGELOG.md for details.

v8.0.0-beta.17

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

8.0.8 (2026-04-09)

Features

Bug Fixes

  • avoid dns.getDefaultResultOrder temporary (#22202) (15f1c15)
  • ssr: class property keys hoisting matching imports (#22199) (e137601)

8.0.7 (2026-04-07)

Bug Fixes

  • use sync dns.getDefaultResultOrder instead of dns.promises (#22185) (5c05b04)

8.0.6 (2026-04-07)

Features

Bug Fixes

Performance Improvements

  • early return in getLocalhostAddressIfDiffersFromDNS when DNS order is verbatim (#22151) (56ec256)

Miscellaneous Chores

8.0.5 (2026-04-06)

Bug Fixes

  • apply server.fs check to env transport (#22159) (f02d9fd)
  • avoid path traversal with optimize deps sourcemap handler (#22161) (79f002f)
  • check server.fs after stripping query as well (#22160) (a9a3df2)
  • disallow referencing files outside the package from sourcemap (#22158) (f05f501)

8.0.4 (2026-04-06)

Features

  • allow esbuild 0.28 as peer deps (#22155) (b0da973)
  • hmr: truncate list of files on hmr update (#21535) (d00e806)
  • optimizer: log when dependency scanning or bundling takes over 1s (#21797) (f61a1ab)

Bug Fixes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for vite since your current version.


Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

... (truncated)

Commits

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

... (truncated)

Commits

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: https://github.com/lodash/lodash/compare/4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates vite from 5.0.10 to 8.0.8

Release notes

Sourced from vite's releases.

v8.0.8

Please refer to CHANGELOG.md for details.

v8.0.7

Please refer to CHANGELOG.md for details.

v8.0.6

Please refer to CHANGELOG.md for details.

v8.0.5

Please refer to CHANGELOG.md for details.

v8.0.4

Please refer to CHANGELOG.md for details.

create-vite@8.0.3

Please refer to CHANGELOG.md for details.

v8.0.3

Please refer to CHANGELOG.md for details.

create-vite@8.0.2

Please refer to CHANGELOG.md for details.

v8.0.2

Please refer to CHANGELOG.md for details.

create-vite@8.0.1

Please refer to CHANGELOG.md for details.

v8.0.1

Please refer to CHANGELOG.md for details.

plugin-legacy@8.0.1

Please refer to CHANGELOG.md for details.

create-vite@8.0.0

Please refer to CHANGELOG.md for details.

plugin-legacy@8.0.0

Please refer to CHANGELOG.md for details.

v8.0.0

Please refer to CHANGELOG.md for details.

v8.0.0-beta.18

Please refer to CHANGELOG.md for details.

v8.0.0-beta.17

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

8.0.8 (2026-04-09)

Features

Bug Fixes

  • avoid dns.getDefaultResultOrder temporary (#22202) (15f1c15)
  • ssr: class property keys hoisting matching imports (#22199) (e137601)

8.0.7 (2026-04-07)

Bug Fixes

  • use sync dns.getDefaultResultOrder instead of dns.promises (#22185) (5c05b04)

8.0.6 (2026-04-07)

Features

Bug Fixes

Performance Improvements

  • early return in getLocalhostAddressIfDiffersFromDNS when DNS order is verbatim (#22151) (56ec256)

Miscellaneous Chores

8.0.5 (2026-04-06)

Bug Fixes

  • apply server.fs check to env transport (#22159) (f02d9fd)
  • avoid path traversal with optimize deps sourcemap handler (#22161) (79f002f)
  • check server.fs after stripping query as well (#22160) (a9a3df2)
  • disallow referencing files outside the package from sourcemap (#22158) (f05f501)

8.0.4 (2026-04-06)

Features

  • allow esbuild 0.28 as peer deps (#22155) (b0da973)
  • hmr: truncate list of files on hmr update (#21535) (d00e806)
  • optimizer: log when dependency scanning or bundling takes over 1s (#21797) (f61a1ab)

Bug Fixes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for vite since your current version.


Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

... (truncated)

Commits

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: https://github.com/lodash/lodash/compare/4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.Description has been truncated

Package Dependencies
Package:
vite
Ecosystem:
npm
Version Change:
4.4.11 → 8.0.8
Update Type:
Major
Package:
lodash
Ecosystem:
npm
Version Change:
4.17.21 → 4.18.1
Update Type:
Minor
Package:
picomatch
Ecosystem:
npm
Version Change:
2.3.1 → 2.3.2
Update Type:
Patch
Security Advisories
Command Injection in lodash
GHSA-35jh-r3h4-6jhm CVE-2021-23337 HIGH
`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
lodash vulnerable to Code Injection via `_.template` imports key names
GHSA-r5fr-rjxr-66jc CVE-2026-4800 HIGH
### Impact The fix for [CVE-2021-23337](https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the `variable` option in `_.template` but did not apply the same validation to `opti...
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
GHSA-f23m-r3pf-42rh CVE-2026-2950 MODERATE
### Impact Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://github.com/lodash/lodash/security...
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
GHSA-3v7f-55p6-f55p CVE-2026-33672 MODERATE
### Impact picomatch is vulnerable to a **method injection vulnerability (CWE-1321)** affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially craft...
Picomatch has a ReDoS vulnerability via extglob quantifiers
GHSA-c2c7-rcm5-vvqj CVE-2026-33671 HIGH
### Impact `picomatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, es...
Actions
View on GitHub View Repository All Dependabot PRs
Technical Details
ID: 15161242
UUID: 4230882958
Node ID: PR_kwDOODSF9M7REgBB
Host: GitHub
Repository: Horlabrainmoore/javascript-mini-projects