An open index of dependabot pull requests across open source projects.

feat(deps): Bump the npm_and_yarn group across 14 directories with 4 updates

Number: #245
Type: Pull Request
State: Open
Author: dependabot[bot]
Association: Unknown
Comments: 1
Created: May 31, 2026 at 11:38 PM UTC
(11 days ago)
Updated: May 31, 2026 at 11:38 PM UTC
(11 days ago)
Labels: dependencies, javascript
Description:

Bumps the npm_and_yarn group with 3 updates in the / directory: next, nuxt and svelte.
Bumps the npm_and_yarn group with 1 update in the /dev-packages/e2e-tests/test-applications/nextjs-13 directory: next.
Bumps the npm_and_yarn group with 1 update in the /dev-packages/e2e-tests/test-applications/nextjs-14 directory: next.
Bumps the npm_and_yarn group with 1 update in the /dev-packages/e2e-tests/test-applications/nextjs-app-dir directory: next.
Bumps the npm_and_yarn group with 1 update in the /dev-packages/e2e-tests/test-applications/nextjs-orpc directory: next.
Bumps the npm_and_yarn group with 1 update in the /dev-packages/e2e-tests/test-applications/nextjs-pages-dir directory: next.
Bumps the npm_and_yarn group with 1 update in the /dev-packages/e2e-tests/test-applications/nuxt-3-min directory: nuxt.
Bumps the npm_and_yarn group with 1 update in the /dev-packages/e2e-tests/test-applications/supabase-nextjs directory: next.
Bumps the npm_and_yarn group with 1 update in the /dev-packages/e2e-tests/test-applications/sveltekit-2 directory: svelte.
Bumps the npm_and_yarn group with 1 update in the /dev-packages/e2e-tests/test-applications/sveltekit-2-kit-tracing directory: @sveltejs/kit.
Bumps the npm_and_yarn group with 1 update in the /dev-packages/e2e-tests/test-applications/sveltekit-2-svelte-5 directory: @sveltejs/kit.
Bumps the npm_and_yarn group with 1 update in the /packages/nextjs directory: next.
Bumps the npm_and_yarn group with 1 update in the /packages/nuxt directory: nuxt.
Bumps the npm_and_yarn group with 1 update in the /packages/sveltekit directory: svelte.

Updates next from 14.2.35 to 15.5.18

Release notes

Sourced from next's releases.

v15.5.18

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

v15.5.16

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

v15.5.15

Please refer to the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

v15.5.14

[!NOTE]

... (truncated)

Commits
  • 9ff92ce v15.5.18
  • 00ebe23 [backport] Disable build caches for production/staging/force-preview deploys ...
  • 62c97ab v15.5.17
  • 423623a Turbopack: Match proxy matchers with webpack implementation (#93594)
  • fa78739 Turbopack: Fix middleware matcher suffix (#93590)
  • 36e62c6 [backport] Turbopack: more strict vergen setup (#93588)
  • 36589b5 [backport][test] Pin package manager to patch versions (#93596)
  • ad6fd4e v15.5.16
  • 79d7dff Ignore malformed CSP nonce headers (#103)
  • c4f6908 router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.


Updates nuxt from 3.17.7 to 3.21.6

Release notes

Sourced from nuxt's releases.

v3.21.6

3.21.6 is the next patch release.

👉 Changelog

compare changes

🩹 Fixes

  • nuxt: Prefer our own builder/server deps (#35029)
  • nitro: Add json extension to payload cache items (#35043)
  • nuxt: Handle errors fetching app manifest (#35050)
  • nuxt: Preserve setPageLayout props on same-path navigation (#35055)
  • vite: Don't strip buildAssetsDir from vite-node SSR ids (#35040)
  • nuxt: Mark useLoadingIndicator properties as readonly (#35062)
  • vite: Strip queries in css inline styles map (#35067)
  • nuxt: Encode html-significant characters in external redirect body (#35052)
  • nitro: Validate island request hash matches props (#35077)
  • nitro: Use regexp to strip query (042b615e6)
  • nitro: Use statusCode for nitro v2 compatibility (82dcd6a31)
  • nuxt: Render component-less parent routes during client-side nav (#35036)
  • nuxt: Run middleware for page islands (#35092)

💅 Refactors

  • rspack,webpack: Extract same-origin check for dev middleware (#35051)

📖 Documentation

  • Remove CSB, set node 22 and use steps for clarity (#35066)

🏡 Chore

✅ Tests

  • Relax relative time assertion (256513eb0)
  • Move build assets dir fixture out of app/ (6d2ac69ff)

🤖 CI

  • Clean up agent-scan workflow (31590cf07)
  • Continue autofix workflow when test:engines fails (958abb882)
  • Improve workflows (#35088)

❤️ Contributors

v3.21.5

3.21.5 is the next patch release.

👉 Changelog

... (truncated)

Commits
  • 1a8fff3 v3.21.6
  • d152a5e fix(nuxt): run middleware for page islands (#35092)
  • d6caa8e fix(nuxt): render component-less parent routes during client-side nav (#35036)
  • 63e5437 chore(deps): update all non-major dependencies (3.x) (#35076)
  • 21c110a fix(nitro): validate island request hash matches props (#35077)
  • 17b27b0 fix(nuxt): encode html-significant characters in external redirect body (#35052)
  • c67675c fix(nuxt): mark useLoadingIndicator properties as readonly (#35062)
  • 702c02b fix(nuxt): preserve setPageLayout props on same-path navigation (#35055)
  • aacb18d fix(nuxt): handle errors fetching app manifest (#35050)
  • db4b5ff fix(nuxt): prefer our own builder/server deps (#35029)
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for nuxt since your current version.


Updates svelte from 3.59.2 to 5.55.7

Release notes

Sourced from svelte's releases.

svelte@5.55.7

Patch Changes

svelte@5.55.6

Patch Changes

  • fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)

  • fix: keep dependencies of $state.eager/pending (#18218)

  • fix: reapply context after transforming error during SSR (#18099)

  • fix: don't rebase just-created batches (#18117)

  • chore: allow null for pending in typings (#18201)

  • fix: flush eager effects in production (#18107)

  • fix: rethrow error of failed iterable after calling return() (#18169)

  • fix: account for proxified instance when updating bind:this (#18147)

  • fix: ensure scheduled batch is flushed if not obsolete (#18131)

  • fix: resolve stale deriveds with latest value (#18167)

  • chore: remove unnecessary increment_pending calls (#18183)

  • fix: correctly compile component member expressions for SSR (#18192)

  • fix: reset source.updated stack traces after flush (#18196)

  • fix: replacing async 'blocking' strategy with 'merging' (#18205)

  • fix: allow @debug tags to reference awaited variables (#18138)

  • fix: re-run fallback props if dependencies update (#18146)

  • fix: abort running obsolete async branches (#18118)

... (truncated)

Changelog

Sourced from svelte's changelog.

svelte

4.2.3

Patch Changes

  • fix: improve a11y-click-events-have-key-events message (#9358)

  • fix: more robust hydration of html tag (#9184)

4.2.2

Patch Changes

  • fix: support camelCase properties on custom elements (#9328)

  • fix: add missing plaintext-only value to contenteditable type (#9242)

  • chore: upgrade magic-string to 0.30.4 (#9292)

  • fix: ignore trailing comments when comparing nodes (#9197)

4.2.1

Patch Changes

  • fix: update style directive when style attribute is present and is updated via an object prop (#9187)

  • fix: css sourcemap generation with unicode filenames (#9120)

  • fix: do not add module declared variables as dependencies (#9122)

  • fix: handle svelte:element with dynamic this and spread attributes (#9112)

  • fix: silence false positive reactive component warning (#9094)

  • fix: head duplication when binding is present (#9124)

  • fix: take custom attribute name into account when reflecting property (#9140)

  • fix: add indeterminate to the list of HTMLAttributes (#9180)

  • fix: recognize option value on spread attribute (#9125)

4.2.0

Minor Changes

  • feat: move svelteHTML from language-tools into core to load the correct svelte/element types (#9070)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for svelte since your current version.



Description has been truncated

Package Dependencies
Package: next
Ecosystem: npm
Version Change: 14.2.35 → 15.5.18
Update Type: Major

Package: nuxt
Ecosystem: npm
Version Change: 3.17.7 → 3.21.6
Update Type: Minor

Package: svelte
Ecosystem: npm
Version Change: 3.59.2 → 5.55.7
Update Type: Major

Security Advisories
Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces
GHSA-ffhc-5mcf-pf4q CVE-2026-44581 MODERATE
Impact: App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived...
Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting
GHSA-vfv6-92ff-j949 CVE-2026-44582 LOW
Impact: React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisio...
Next.js has cross-site scripting in beforeInteractive scripts with untrusted input
GHSA-gx5p-jg67-6x7h CVE-2026-44580 MODERATE
Impact: Applications that use `beforeInteractive` scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not esca...
Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components
GHSA-mg66-mrh9-m8jx CVE-2026-44579 HIGH
Impact: Applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected con...
Next.js has a Denial of Service in the Image Optimization API
GHSA-h64f-5h5j-jqjh CVE-2026-44577 MODERATE
Impact: When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could c...
Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades
GHSA-c4j6-fc7j-m34r CVE-2026-44578 HIGH
Impact: Self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server ...
Next.js vulnerable to cache poisoning in React Server Component responses
GHSA-wfc6-r584-vfw7 CVE-2026-44576 MODERATE
Impact: Applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker c...
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes
GHSA-267c-6grr-h53f CVE-2026-44575 HIGH
Impact: App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetch...
Next.js has a Middleware / Proxy bypass through dynamic route parameter injection
GHSA-492v-c6pp-mqqv CVE-2026-44574 HIGH
Impact: Applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynam...
Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n
GHSA-36qx-fr4f-26g5 CVE-2026-44573 HIGH
Impact: Applications using the Pages Router with `i18n` configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less `/_next/data...
Next.js Vulnerable to Denial of Service with Server Components
GHSA-8h8q-6873-q5fj HIGH
A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. ...
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
GHSA-26hh-7cqf-hhc6 CVE-2026-45109 HIGH
Impact: It was found that the fix addressing [CVE-2026-44575](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) did not apply to `middleware.ts` with Turbopack. Refer ...
Next.js's Middleware / Proxy redirects can be cache-poisoned
GHSA-3g8h-86w9-wvmq CVE-2026-44572 LOW
Impact: Next.js uses the `x-nextjs-data` request header for internal data requests. On affected versions, an external client could send this header on a normal request to a path handled by midd...
Technical Details
ID: 15971685
UUID: 4559385592
Node ID: PR_kwDONhlJ1c7hLJky
Host: GitHub
Repository: SherfeyInv/sentry-javascript