Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

Bump the npm_and_yarn group across 1 directory with 7 updates

Open
Number: #1
Type: Pull Request
State: Open
Author: dependabot[bot] dependabot[bot]
Association: None
Comments: 0
Created: June 12, 2025 at 12:16 PM UTC
(3 months ago)
Updated: June 12, 2025 at 12:16 PM UTC
(3 months ago)
Labels:
dependencies javascript
Description:

Bumps the npm_and_yarn group with 7 updates in the / directory:

Package From To
fastify 4.29.0 4.29.1
vite 5.4.11 5.4.19
@babel/runtime 7.26.0 7.27.6
brace-expansion 2.0.1 2.0.2
esbuild 0.21.5 0.25.5
@fastify/react 0.6.0 1.1.0
@fastify/vite 6.0.7 8.1.3
vite 5.4.19 6.3.5

Updates fastify from 4.29.0 to 4.29.1

Release notes

Sourced from fastify's releases.

v4.29.1

⚠️ Security Release ⚠️

Fix for "Invalid content-type parsing could lead to validation bypass" and CVE-2025-32442.

Full Changelog: https://github.com/fastify/fastify/compare/v4.29.0...v4.29.1

Commits

Updates vite from 5.4.11 to 5.4.19

Release notes

Sourced from vite's releases.

v5.4.19

Please refer to CHANGELOG.md for details.

v5.4.18

Please refer to CHANGELOG.md for details.

v5.4.17

Please refer to CHANGELOG.md for details.

v5.4.16

Please refer to CHANGELOG.md for details.

v5.4.15

Please refer to CHANGELOG.md for details.

v5.4.14

Please refer to CHANGELOG.md for details.

v5.4.13

Please refer to CHANGELOG.md for details.

v5.4.12

This version contains a breaking change due to security fixes. See https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.19 (2025-04-30)

5.4.18 (2025-04-10)

5.4.17 (2025-04-03)

5.4.16 (2025-03-31)

5.4.15 (2025-03-24)

5.4.14 (2025-01-21)

5.4.13 (2025-01-20)

5.4.12 (2025-01-20)

  • fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (9da4abc)
  • fix!: default server.cors: false to disallow fetching from untrusted origins (dfea38f)
  • fix: verify token for HMR WebSocket connection (b71a5c8)
  • chore: add deps update changelog (ecd2375)
Commits

Updates @babel/runtime from 7.26.0 to 7.27.6

Release notes

Sourced from @​babel/runtime's releases.

v7.27.6 (2025-06-05)

:bug: Bug Fix

  • babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • babel-generator, babel-parser, babel-types

Committers: 3

v7.27.5 (2025-06-03)

Thanks @​NullVoxPopuli for your first PR!

:bug: Bug Fix

:nail_care: Polish

Committers: 4

v7.27.4 (2025-05-30)

:eyeglasses: Spec Compliance

  • babel-parser, babel-plugin-proposal-explicit-resource-management

:nail_care: Polish

:microscope: Output optimization

  • babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-classes, babel-plugin-transform-destructuring, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-classes, babel-plugin-transform-destructuring, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs3
  • babel-core, babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-classes, babel-plugin-transform-destructuring, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime, babel-standalone

... (truncated)

Changelog

Sourced from @​babel/runtime's changelog.

v7.27.6 (2025-06-05)

:bug: Bug Fix

  • babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • babel-generator, babel-parser, babel-types

v7.27.5 (2025-06-03)

:bug: Bug Fix

:nail_care: Polish

v7.27.4 (2025-05-30)

:eyeglasses: Spec Compliance

  • babel-parser, babel-plugin-proposal-explicit-resource-management

:nail_care: Polish

:microscope: Output optimization

  • babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-classes, babel-plugin-transform-destructuring, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-classes, babel-plugin-transform-destructuring, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs3
  • babel-core, babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-classes, babel-plugin-transform-destructuring, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime, babel-standalone

v7.27.3 (2025-05-27)

:bug: Bug Fix

  • babel-generator
  • babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • babel-plugin-proposal-explicit-resource-management
  • babel-plugin-proposal-decorators, babel-types
    • #17321 fix(converter): Remove abstract modifiers in class declaration to expression conversion (@​magic-akari)
  • babel-helper-module-transforms, babel-plugin-proposal-explicit-resource-management, babel-plugin-transform-modules-amd, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-umd
    • #17257 Preserve class id when transforming using declarations with exported class (@​JLHwung)

... (truncated)

Commits

Updates brace-expansion from 2.0.1 to 2.0.2

Release notes

Sourced from brace-expansion's releases.

v2.0.2

  • pkg: publish on tag 2.x 14f1d91
  • fmt ed7780a
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

https://github.com/juliangruber/brace-expansion/compare/v2.0.1...v2.0.2

Commits

Updates esbuild from 0.21.5 to 0.25.5

Release notes

Sourced from esbuild's releases.

v0.25.5

  • Fix a regression with browser in package.json (#4187)

    The fix to #4144 in version 0.25.3 introduced a regression that caused browser overrides specified in package.json to fail to override relative path names that end in a trailing slash. That behavior change affected the axios@0.30.0 package. This regression has been fixed, and now has test coverage.

  • Add support for certain keywords as TypeScript tuple labels (#4192)

    Previously esbuild could incorrectly fail to parse certain keywords as TypeScript tuple labels that are parsed by the official TypeScript compiler if they were followed by a ? modifier. These labels included function, import, infer, new, readonly, and typeof. With this release, these keywords will now be parsed correctly. Here's an example of some affected code:

    type Foo = [
  value: any,
  readonly?: boolean, // This is now parsed correctly
]

  • Add CSS prefixes for the stretch sizing value (#4184)

    This release adds support for prefixing CSS declarations such as div { width: stretch }. That CSS is now transformed into this depending on what the --target= setting includes:

    div {
  width: -webkit-fill-available;
  width: -moz-available;
  width: stretch;
}

v0.25.4

  • Add simple support for CORS to esbuild's development server (#4125)

    Starting with version 0.25.0, esbuild's development server is no longer configured to serve cross-origin requests. This was a deliberate change to prevent any website you visit from accessing your running esbuild development server. However, this change prevented (by design) certain use cases such as "debugging in production" by having your production website load code from localhost where the esbuild development server is running.

    To enable this use case, esbuild is adding a feature to allow Cross-Origin Resource Sharing (a.k.a. CORS) for simple requests. Specifically, passing your origin to the new cors option will now set the Access-Control-Allow-Origin response header when the request has a matching Origin header. Note that this currently only works for requests that don't send a preflight OPTIONS request, as esbuild's development server doesn't currently support OPTIONS requests.

    Some examples:

    • CLI:

      esbuild --servedir=. --cors-origin=https://example.com

    • JS:

      const ctx = await esbuild.context({})
await ctx.serve({
  servedir: '.',
  cors: {

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2024

This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).

0.24.2

  • Fix regression with --define and import.meta (#4010, #4012, #4013)

    The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

    This fix was contributed by @​sapphi-red.

0.24.1

  • Allow es2024 as a target in tsconfig.json (#4004)

    TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

    {
  "compilerOptions": {
    "target": "ES2024"
  }
}

    As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

    This fix was contributed by @​billyjanitsch.

  • Allow automatic semicolon insertion after get/set

    This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

    class Foo {
  get
  *x() {}
  set
  *y() {}
}

    The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

  • Allow quoted property names in --define and --pure (#4008)

    The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

... (truncated)

Commits

Updates @fastify/react from 0.6.0 to 1.1.0

Release notes

Sourced from @​fastify/react's releases.

@​fastify/vue@​1.1.0

This new minor release includes:

And adds a new vue-typescript starter.

Many thanks to @​zanmato, @​onlywei and @​jean-michelet to their extensive work on this release.

@​fastify/react@​1.1.0

This new minor release includes:

And adds a new react-typescript starter.

Many thanks to @​zanmato, @​onlywei and @​jean-michelet to their extensive work on this release.

@​fastify/vue@​1.0.6

This patch release contains the following fixes:

Check out the main release notes for @​fastify/vue v1.0.0.

@​fastify/vue@​1.0.5

This patch release contains the following fix:

Note: this corrects a mistake made when publishing v1.0.4, which was supposed to have the same fix.

Check out the main release notes for @​fastify/vue v1.0.0.

@​fastify/vue@​1.0.4

This patch release contains the following fix:

Check out the main release notes for @​fastify/vue v1.0.0.

@​fastify/vue@​1.0.3

This patch release contains these fixes:

... (truncated)

Commits

Updates @fastify/vite from 6.0.7 to 8.1.3

Release notes

Sourced from @​fastify/vite's releases.

@​fastify/vite@​8.1.3

This patch release removes all optionalDependencies from @fastify/vite.

Reason: npm installs all optional dependencies by default even if you don't plan on using them, which is problematic.

@​fastify/vite@​8.1.2

This release contains a patch fix that addresses vitest failing in certain CI setups.

@​fastify/vite@​8.1.1

This patch release contains a minor fix for the low-level TypeScript SPA examples.

Many thanks to @​onlywei for swiftly addressing it.

@​fastify/vite@​8.1.0

This new minor release contains extensive changes to @fastify/vite's core to:

This unlocks easier TypeScript integration and introduces two new low-level integration TypeScript examples: vue-vanilla-ts and react-vanilla-ts, where src/server.ts is compiled on top of Vite's bundle directly.

└── dist
    ├── vite.config.json <------- Vite production configuration cache
    ├── client <----------------- Vite client environment bundle
    ├── server <----------------- Vite SSR environment bundle
    └── server.js <-------------- Fastify server bundle (compiled from `server.ts`)

This effectively means Vite is responsible for your Vite frontend code, but compilation of your server code is up to your personal choice, be it tsc, tsdown or something else. The rationale for not suggesting a setup where Vite is also responsible for the compilation of server TypeScript code is that Fastify server code doesn't need any of Vite plugins or Vite's highly frontend-optimized build options. It just needs TypeScript transformation. Having HMR for Fastify via Vite's development server would be beneficial, but the setup is fundamentally incompatible, as Vite's internal server is not configurable. That would lead us to run two separate servers, something I've considered non-ideal and most importantly, rather unnecessary.

Maintenance

Perhaps an equally draconian and pragmatic decision: all examples now use zero-config oxlint. I'm just tired of configuring lint, and since LLMs type so much code for us nowadays, I started savoring the moment of removing a semicolon and tab here and there.

The old test.mjs script has been replaced with a new package.mjs script that contains multiple scripts grouped under CLI flags. For project contributors that want to work on renderer packages and starter examples, the prep-for-dev and prep-for-release commands automate some PNPM workspace wrangling.

Acknowledgements

Many thanks to @​onlywei and @​jean-michelet who actively worked on the new TypeScript examples.

This release wouldn't have been possible without their dedication to this project!

@​fastify/vite@​8.0.5

This patch release contains the following fixes:

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by onlywei, a new releaser for @​fastify/vite since your current version.


Updates vite from 5.4.19 to 6.3.5

Release notes

Sourced from vite's releases.

v5.4.19

Please refer to CHANGELOG.md for details.

v5.4.18

Please refer to CHANGELOG.md for details.

v5.4.17

Please refer to CHANGELOG.md for details.

v5.4.16

Please refer to CHANGELOG.md for details.

v5.4.15

Please refer to CHANGELOG.md for details.

v5.4.14

Please refer to CHANGELOG.md for details.

v5.4.13

Please refer to CHANGELOG.md for details.

v5.4.12

This version contains a breaking change due to security fixes. See https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.19 (2025-04-30)

5.4.18 (2025-04-10)

5.4.17 (2025-04-03)

5.4.16 (2025-03-31)

5.4.15 (2025-03-24)

5.4.14 (2025-01-21)

5.4.13 (2025-01-20)

5.4.12 (2025-01-20)

  • fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (9da4abc)
  • fix!: default server.cors: false to disallow fetching from untrusted origins (dfea38f)
  • fix: verify token for HMR WebSocket connection (b71a5c8)
  • chore: add deps update changelog (ecd2375)
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.
Pull Request Statistics
Commits:
1
Files Changed:
2
Additions:
+908
Deletions:
-378
Package Dependencies
Package:
@babel/runtime
Ecosystem:
npm
Version Change:
7.26.0 → 7.27.6
Update Type:
Minor
Package:
vite
Ecosystem:
npm
Version Change:
5.4.11 → 5.4.19
Update Type:
Patch
Package:
esbuild
Ecosystem:
npm
Version Change:
0.21.5 → 0.25.5
Update Type:
Minor
Package:
fastify
Ecosystem:
npm
Version Change:
4.29.0 → 4.29.1
Update Type:
Patch
Package:
brace-expansion
Ecosystem:
npm
Version Change:
2.0.1 → 2.0.2
Update Type:
Patch
Package:
@fastify/react
Ecosystem:
npm
Version Change:
0.6.0 → 1.1.0
Update Type:
Major
Package:
@fastify/vite
Ecosystem:
npm
Version Change:
6.0.7 → 8.1.3
Update Type:
Major
Security Advisories
Websites were able to send any requests to the development server and read the response in vite
GHSA-vg6x-rcgg-rjx6 CVE-2025-24010 MODERATE
### Summary Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket con...
Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass
GHSA-mg2h-6x62-wpwc CVE-2025-32442 HIGH
### Impact In applications that specify different validation strategies for different content types, it's possible to bypass the validation by providing a _slightly altered_ content type such as w...
Actions
View on GitHub View Repository All Dependabot PRs
Technical Details
ID: 1510645
UUID: 2587154666
Node ID: PR_kwDONhG83M6aNNjq
Host: GitHub
Repository: cyborg-ai-git/openai-realtime-console
Merge State: Unknown