ci(deps): Bump getsentry/craft from 2.26.2 to 2.26.6
Closed
Number: #21299
Type: Pull Request
State: Closed
Type: Pull Request
State: Closed
Author:
dependabot[bot]
Association: Unknown
Comments: 1
Association: Unknown
Comments: 1
Created:
June 02, 2026 at 09:32 PM UTC
(about 1 month ago)
(about 1 month ago)
Updated:
June 10, 2026 at 02:03 PM UTC
(about 1 month ago)
(about 1 month ago)
Closed:
June 10, 2026 at 02:03 PM UTC
(about 1 month ago)
(about 1 month ago)
Time to Close:
8 days
Labels:
dependencies github_actions
dependencies github_actions
Description:
Bumps getsentry/craft from 2.26.2 to 2.26.6.
Release notes
Sourced from getsentry/craft's releases.
2.26.6
Bug Fixes 🐛
- (nuget) Move global.json aside during
dotnet setversionby@jamescrosswellin #820- (security) Override
@tootallnate/onceto ^2.0.1 (CVE-2026-3449) by@BYKin #822- Improve partial publishing recovery for CocoaPods and GitHub targets by
@BYKin #8212.26.5
Bug Fixes 🐛
2.26.4
Bug Fixes 🐛
- (security) Prevent script injection in changelog-preview workflow by
@fix-it-felix-sentryin #813- Resolve open dependabot security alerts by
@BYKin #816Internal Changes 🔧
- (deps-dev) Bump simple-git from 3.33.0 to 3.36.0 by
@dependabotin #8142.26.3
Bug Fixes 🐛
- Prevent shell injection vulnerabilities in GitHub Actions workflows by
@fix-it-felix-sentryin #811
Changelog
Sourced from getsentry/craft's changelog.
Changelog
2.26.6
Bug Fixes 🐛
- (nuget) Move global.json aside during
dotnet setversionby@jamescrosswellin #820- (security) Override
@tootallnate/onceto ^2.0.1 (CVE-2026-3449) by@BYKin #822- Improve partial publishing recovery for CocoaPods and GitHub targets by
@BYKin #8212.26.5
Bug Fixes 🐛
2.26.4
Bug Fixes 🐛
- (security) Prevent script injection in changelog-preview workflow by
@fix-it-felix-sentryin #813- Resolve open dependabot security alerts by
@BYKin #816Internal Changes 🔧
- (deps-dev) Bump simple-git from 3.33.0 to 3.36.0 by
@dependabotin #8142.26.3
Bug Fixes 🐛
- Prevent shell injection vulnerabilities in GitHub Actions workflows by
@fix-it-felix-sentryin #8112.26.2
Security 🔒
Bug Fixes 🐛
Internal Changes 🔧
- (deps) Bump astro from 5.18.1 to 6.1.6 in /docs by
@dependabotin #806- (deps-dev) Bump fast-xml-parser from 5.5.7 to 5.7.0 by
@dependabotin #8082.26.1
... (truncated)
Commits
3e6a0f4release: 2.26.62662e81fix(security): override@tootallnate/onceto ^2.0.1 (CVE-2026-3449) (#822)e9a5238fix: improve partial publishing recovery for CocoaPods and GitHub targets (#821)da0e0c1fix(nuget): move global.json aside duringdotnet setversion(#820)d1fa7dbmeta: Bump new development versionca52417Merge branch 'release/2.26.5'bc2e6a9release: 2.26.560b80e5fix(security): bump devalue override to ^5.8.1 (CVE-2026-42570) (#818)7bd2931meta: Bump new development version1389909Merge branch 'release/2.26.4'- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Package Dependencies
Security Advisories
@tootallnate/once vulnerable to Incorrect Control Flow Scoping
GHSA-vpq2-c234-7xj6
CVE-2026-3449
LOW
Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pe...
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
GHSA-w5hq-g745-h8pq
CVE-2026-41907
MODERATE
### Summary
The `v3()`, `v5()`, and `v6()` [API methods](https://github.com/uuidjs/uuid#api-summary) (not `uuid` release versions) accept external output buffers but do not reject out-of-range wri...
Svelte devalue: DoS via sparse array deserialization
GHSA-77vg-94rm-hx3p
CVE-2026-42570
HIGH
`devalue.parse` could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption.
Technical Details
| ID: | 16027925 |
| UUID: | 4575111706 |
| Node ID: | PR_kwDOADLKPM7h-fEh |
| Host: | GitHub |
| Repository: | getsentry/sentry-javascript |