Bump the npm_and_yarn group across 1 directory with 10 updates

Closed

Number: #10
Type: Pull Request
State: Closed

Author:

dependabot[bot]
Association: None
Comments: 1

Created: September 08, 2025 at 08:06 AM UTC
(4 days ago)

Updated: September 08, 2025 at 08:29 AM UTC
(4 days ago)

Closed: September 08, 2025 at 08:29 AM UTC
(4 days ago)

Time to Close: 23 minutes

Labels:
dependencies javascript

Description:

Bumps the npm_and_yarn group with 8 updates in the /chapter11 directory:

Package	From	To
vite	`4.4.9`	`4.5.14`
axios	`0.27.2`	`1.11.0`
start-server-and-test	`2.0.1`	`2.1.0`
braces	`3.0.2`	`3.0.3`
esbuild	`0.18.20`	`0.25.9`
@vitejs/plugin-vue	`4.3.4`	`6.0.1`
vite	`4.5.14`	`7.1.5`
tmp	`0.2.1`	`0.2.5`
ws	`8.14.2`	`8.18.3`

Updates vite from 4.4.9 to 4.5.14

Release notes

Sourced from vite's releases.

v4.5.14

Please refer to CHANGELOG.md for details.

v4.5.13

Please refer to CHANGELOG.md for details.

v4.5.12

Please refer to CHANGELOG.md for details.

v4.5.11

Please refer to CHANGELOG.md for details.

v4.5.10

Please refer to CHANGELOG.md for details.

v4.5.9

Please refer to CHANGELOG.md for details.

v4.5.8

Please refer to CHANGELOG.md for details.

v4.5.7

Please refer to CHANGELOG.md for details.

v4.5.6

This version contains a breaking change due to security fixes. See https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

4.5.14 (2025-04-30)

fix: backport #19965, check static serve file inside sirv (#19967) (7739479), closes #19965 #19967

chore: run format (99afb60)

4.5.13 (2025-04-10)

fix: backport #19830, reject requests with # in request-target (#19832) (41f3819), closes #19830 #19832

4.5.12 (2025-04-03)

fix: backport #19782, fs check with svg and relative paths (#19785) (0a3dcf5), closes #19782 #19785

4.5.11 (2025-03-31)

fix: backport #19761, fs check in transform middleware (#19763) (26e1764), closes #19761 #19763

4.5.10 (2025-03-24)

fix: backport #19702, fs raw query with query separators (#19704) (315695e), closes #19702 #19704

4.5.9 (2025-01-21)

fix: preview.allowedHosts with specific values was not respected (#19246) (0bc52e0), closes #19246

fix: allow CORS from loopback addresses by default (#19249) (8f63cd6), closes #19249

4.5.8 (2025-01-20)

fix: try parse server.origin URL (#19241) (3680bad), closes #19241

4.5.7 (2025-01-20)

fix: crypto.getRandomValues is not available in old Node versions (#19237) (f4d3c46), closes #19237

... (truncated)

Commits

9bfe2b1 release: v4.5.14
7739479 fix: backport #19965, check static serve file inside sirv (#19967)
99afb60 chore: run format
cd60e8b release: v4.5.13
41f3819 fix: backport #19830, reject requests with # in request-target (#19832)
6104add release: v4.5.12
0a3dcf5 fix: backport #19782, fs check with svg and relative paths (#19785)
07ddc3e release: v4.5.11
26e1764 fix: backport #19761, fs check in transform middleware (#19763)
86e7a6b release: v4.5.10
Additional commits viewable in compare view

Updates axios from 0.27.2 to 1.11.0

Release notes

Sourced from axios's releases.

Release v1.11.0

Release notes:

Bug Fixes

form-data npm pakcage (#6970) (e72c193)

prevent RangeError when using large Buffers (#6961) (a2214ca)

types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

izzy goldman

Manish Sahani

Noritaka Kobayashi

James Nail

Tejaswi1305

Release v1.10.0

Release notes:

Bug Fixes

adapter: pass fetchOptions to fetch function (#6883) (0f50af8)

form-data: convert boolean values to strings in FormData serialization (#6917) (5064b10)

package: add module entry point for React Native; (#6933) (3d343b8)

Features

types: improved fetchOptions interface (#6867) (63f1fce)

Contributors to this release

Dmitriy Mozgovoy

Noritaka Kobayashi

Dimitrios Lazanas

Adrian Knapp

Howie Zhao

Uhyeon Park

Sampo Silvennoinen

Release v1.9.0

Release notes:

Bug Fixes

core: fix the Axios constructor implementation to treat the config argument as optional; (#6881) (6c5d4cd)

fetch: fixed ERR_NETWORK mapping for Safari browsers; (#6767) (dfe8411)

headers: allow iterable objects to be a data source for the set method; (#6873) (1b1f9cc)

headers: fix getSetCookie by using 'get' method for caseless access; (#6874) (d4f7df4)

headers: fixed support for setting multiple header values from an iterated source; (#6885) (f7a3b5e)

http: send minimal end multipart boundary (#6661) (987d2e2)

types: fix autocomplete for adapter config (#6855) (e61a893)

... (truncated)

Changelog

Sourced from axios's changelog.

1.11.0 (2025-07-22)

Bug Fixes

form-data npm pakcage (#6970) (e72c193)

prevent RangeError when using large Buffers (#6961) (a2214ca)

types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

izzy goldman

Manish Sahani

Noritaka Kobayashi

James Nail

Tejaswi1305

1.10.0 (2025-06-14)

Bug Fixes

adapter: pass fetchOptions to fetch function (#6883) (0f50af8)

form-data: convert boolean values to strings in FormData serialization (#6917) (5064b10)

package: add module entry point for React Native; (#6933) (3d343b8)

Features

types: improved fetchOptions interface (#6867) (63f1fce)

Contributors to this release

Dmitriy Mozgovoy

Noritaka Kobayashi

Dimitrios Lazanas

Adrian Knapp

Howie Zhao

Uhyeon Park

Sampo Silvennoinen

1.9.0 (2025-04-24)

Bug Fixes

core: fix the Axios constructor implementation to treat the config argument as optional; (#6881) (6c5d4cd)

fetch: fixed ERR_NETWORK mapping for Safari browsers; (#6767) (dfe8411)

headers: allow iterable objects to be a data source for the set method; (#6873) (1b1f9cc)

headers: fix getSetCookie by using 'get' method for caseless access; (#6874) (d4f7df4)

... (truncated)

Commits

b76c4ac chore(release): v1.11.0 (#6974)
e72c193 fix: form-data npm pakcage (#6970)
8517aa1 fix(types): resolve type discrepancies between ESM and CJS TypeScript declara...
a2214ca fix: prevent RangeError when using large Buffers (#6961)
6161947 refactor: use spread operator instead of '.apply()' (#6938)
a1d16dd refactor: use an object spread instead of Object.assign (#6939)
07183cd chore(sponsor): update sponsor block (#6952)
ef36347 docs(CONTRIBUTING): update docs link for accuracy (#6894)
b29bd6a chore(sponsor): update sponsor block (#6948)
a406a93 chore(sponsor): update sponsor block (#6937)
Additional commits viewable in compare view

Updates start-server-and-test from 2.0.1 to 2.1.0

Release notes

Sourced from start-server-and-test's releases.

v2.1.0

2.1.0 (2025-09-04)

Features

support axios proxy (#402) (b399fec)

v2.0.13

2.0.13 (2025-08-03)

Bug Fixes

deps: update dependency wait-on to v8.0.4 (#405) (6385e1d)

v2.0.12

2.0.12 (2025-05-15)

Bug Fixes

deps: update dependency debug to v4.4.1 (#403) (b3b82c0)

v2.0.11

2.0.11 (2025-03-13)

Bug Fixes

deps: update dependency wait-on to v8.0.3 (#400) (005ee08)

v2.0.10

2.0.10 (2025-01-14)

Bug Fixes

deps: update dependency wait-on to v8.0.2 (#399) (a514875)

v2.0.9

2.0.9 (2024-12-11)

Bug Fixes

deps: update dependency debug to v4.4.0 (#397) (0f057d7)

v2.0.8

2.0.8 (2024-09-16)

... (truncated)

Commits

b399fec feat: support axios proxy (#402)
6385e1d fix(deps): update dependency wait-on to v8.0.4 (#405)
b3b82c0 fix(deps): update dependency debug to v4.4.1 (#403)
005ee08 fix(deps): update dependency wait-on to v8.0.3 (#400)
a514875 fix(deps): update dependency wait-on to v8.0.2 (#399)
0f057d7 fix(deps): update dependency debug to v4.4.0 (#397)
fe1c25d fix(deps): update dependency wait-on to v8.0.1
d814a72 fix(deps): update dependency wait-on to v8 (#386)
78c6f53 fix(deps): update dependency debug to v4.3.7
8ebb70b fix(deps): update dependency debug to v4.3.6
Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

74b2db2 3.0.3
88f1429 update eslint. lint, fix unit tests.
415d660 Snyk js braces 6838727 (#40)
190510f fix tests, skip 1 test in test/braces.expand
716eb9f readme bump
a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
98414f9 remove funding file
665ab5d update keepEscaping doc (#27)
Additional commits viewable in compare view

Updates esbuild from 0.18.20 to 0.25.9

Release notes

Sourced from esbuild's releases.

v0.25.9
Better support building projects that use Yarn on Windows (#3131, #3663)

With this release, you can now use esbuild to bundle projects that use Yarn Plug'n'Play on Windows on drives other than the C: drive. The problem was as follows:

Yarn in Plug'n'Play mode on Windows stores its global module cache on the C: drive

Some developers put their projects on the D: drive

Yarn generates relative paths that use ../.. to get from the project directory to the cache directory

Windows-style paths don't support directory traversal between drives via .. (so D:\.. is just D:)

I didn't have access to a Windows machine for testing this edge case

Yarn works around this edge case by pretending Windows-style paths beginning with C:\ are actually Unix-style paths beginning with /C:/, so the ../.. path segments are able to navigate across drives inside Yarn's implementation. This was broken for a long time in esbuild but I finally got access to a Windows machine and was able to debug and fix this edge case. So you should now be able to bundle these projects with esbuild.
Preserve parentheses around function expressions (#4252)

The V8 JavaScript VM uses parentheses around function expressions as an optimization hint to immediately compile the function. Otherwise the function would be lazily-compiled, which has additional overhead if that function is always called immediately as lazy compilation involves parsing the function twice. You can read V8's blog post about this for more details.

Previously esbuild did not represent parentheses around functions in the AST so they were lost during compilation. With this change, esbuild will now preserve parentheses around function expressions when they are present in the original source code. This means these optimization hints will not be lost when bundling with esbuild. In addition, esbuild will now automatically add this optimization hint to immediately-invoked function expressions. Here's an example:
// Original code
const fn0 = () => 0
const fn1 = (() => 1)
console.log(fn0, function() { return fn1() }())
// Old output

const fn0 = () => 0;

const fn1 = () => 1;

console.log(fn0, function() {

return fn1();

}());
// New output

const fn0 = () => 0;

const fn1 = (() => 1);

console.log(fn0, (function() {

return fn1();

})());
Note that you do not want to wrap all function expressions in parentheses. This optimization hint should only be used for functions that are called on initial load. Using this hint for functions that are not called on initial load will unnecessarily delay the initial load. Again, see V8's blog post linked above for details.
Update Go from 1.23.10 to 1.23.12 (#4257, #4258)

This should have no effect on existing code as this version change does not change Go's operating system support. It may remove certain false positive reports (specifically CVE-2025-4674 and CVE-2025-47907) from vulnerability scanners that only detect which version of the Go compiler esbuild uses.
v0.25.8

Fix another TypeScript parsing edge case (#4248)

This fixes a regression with a change in the previous release that tries to more accurately parse TypeScript arrow functions inside the ?: operator. The regression specifically involves parsing an arrow function containing a #private identifier inside the middle of a ?: ternary operator inside a class body. This was fixed by propagating private identifier state into the parser clone used to speculatively parse the arrow function body. Here is an example of some affected code:

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2023

This changelog documents all esbuild versions published in the year 2023 (versions 0.16.13 through 0.19.11).

0.19.11
Fix TypeScript-specific class transform edge case (#3559)

The previous release introduced an optimization that avoided transforming super() in the class constructor for TypeScript code compiled with useDefineForClassFields set to false if all class instance fields have no initializers. The rationale was that in this case, all class instance fields are omitted in the output so no changes to the constructor are needed. However, if all of this is the case and there are #private instance fields with initializers, those private instance field initializers were still being moved into the constructor. This was problematic because they were being inserted before the call to super() (since super() is now no longer transformed in that case). This release introduces an additional optimization that avoids moving the private instance field initializers into the constructor in this edge case, which generates smaller code, matches the TypeScript compiler's output more closely, and avoids this bug:
// Original code
class Foo extends Bar {
  #private = 1;
  public: any;
  constructor() {
    super();
  }
}
// Old output (with esbuild v0.19.9)

class Foo extends Bar {

constructor() {

super();

this.#private = 1;

}

#private;

}
// Old output (with esbuild v0.19.10)

class Foo extends Bar {

constructor() {

this.#private = 1;

super();

}

#private;

}
// New output

class Foo extends Bar {

#private = 1;

constructor() {

super();

}

}
Minifier: allow reording a primitive past a side-effect (#3568)

The minifier previously allowed reordering a side-effect past a primitive, but didn't handle the case of reordering a primitive past a side-effect. This additional case is now handled:

... (truncated)

Commits

195e05c publish 0.25.9 to npm
3dac33f fix #3131, fix #3663: yarnpnp + windows + D drive
0f2c5c8 mock fs now supports multiple volumes on windows
100a51e split out yarnpnp snapshot tests
13aace3 remove C: assumption from windows snapshot tests
f1f413f fix #4252: preserve parentheses around functions
1bc8091 fix #4257, close #4258: go 1.23.10 => 1.23.12
bc52135 move the go compiler version to go.version
a0af5d1 makefile: use ESBUILD_VERSION consistently
8c71947 publish 0.25.8 to npm
Additional commits viewable in compare view

Updates @vitejs/plugin-vue from 4.3.4 to 6.0.1

Release notes

Sourced from @vitejs/plugin-vue's releases.

plugin-vue@6.0.1

Please refer to CHANGELOG.md for details.

plugin-vue@6.0.0

Please refer to CHANGELOG.md for details.

plugin-vue@6.0.0-beta.2

Please refer to CHANGELOG.md for details.

plugin-vue@6.0.0-beta.1

Please refer to CHANGELOG.md for details.

plugin-vue@6.0.0-beta.0

Please refer to CHANGELOG.md for details.

plugin-vue@5.2.4

Please refer to CHANGELOG.md for details.

plugin-vue@5.2.3

Please refer to CHANGELOG.md for details.

plugin-vue@5.2.2

Please refer to CHANGELOG.md for details.

plugin-vue@5.2.1

Please refer to CHANGELOG.md for details.

plugin-vue@5.2.0

Please refer to CHANGELOG.md for details.

plugin-vue@5.1.5

Please refer to CHANGELOG.md for details.

plugin-vue@5.1.4

Please refer to CHANGELOG.md for details.

plugin-vue@5.1.3

Please refer to CHANGELOG.md for details.

plugin-vue@5.1.2

Please refer to CHANGELOG.md for details.

plugin-vue@5.1.1

Please refer to CHANGELOG.md for details.

plugin-vue-jsx@5.1.1

Please refer to CHANGELOG.md for details.

plugin-vue@5.1.0

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from @vitejs/plugin-vue's changelog.

6.0.1 (2025-07-28)

Bug Fixes

deps: update all non-major dependencies (#618) (46f6c99)

deps: update all non-major dependencies (#624) (fe03fa2)

deps: update all non-major dependencies (#629) (b969637)

deps: update all non-major dependencies (#633) (aa56ad1)

deps: update all non-major dependencies (#636) (5f471a3)

hmr: ignore non-js modules (#625) (f899ad3)

Performance Improvements

only bundle node version debug (#627) (9dfa996)

Miscellaneous Chores

deps: update dependency rollup to ^4.44.2 (#623) (76bf4c4)

deps: update dependency rollup to ^4.45.1 (#630) (4fd92b9)

group commits by category in changelog (#620) (1a32018)

Build System

use tsdown (#626) (ffac7e1)

6.0.0 (2025-06-24)

Bug Fixes

deps: update all non-major dependencies (#590) (43426c8)

deps: update all non-major dependencies (#600) (a4c32a8)

deps: update all non-major dependencies (#605) (67534e5)

deps: update all non-major dependencies (#609) (98c52eb)

Miscellaneous Chores

add description and keywords field to package.json (#604) (67ab76b)

deps: update dependency rollup to ^4.41.1 (#591) (256ac31)

deps: update dependency rollup to ^4.43.0 (#601) (a495edf)

remove Vite 7 beta from supported range (#598) (c7ddd62)

Code Refactoring

always use crypto.hash (#606) (5de85f6)

6.0.0-beta.2 (2025-06-06)

⚠ BREAKING CHANGES

bump required node version to 20.19+, 22.12+ and drop CJS build (#596)

Features

... (truncated)

Commits

bb27be7 release: plugin-vue@6.0.1
f899ad3 fix(hmr): ignore non-js modules (#625)
5f471a3 fix(deps): update all non-major dependencies (#636)
4fd92b9 chore(deps): update dependency rollup to ^4.45.1 (#630)
aa56ad1 fix(deps): update all non-major dependencies (#633)
b969637 fix(deps): update all non-major dependencies (#629)
9dfa996 perf: only bundle node version debug (#627)
ffac7e1 build: use tsdown (#626)
fe03fa2 fix(deps): update all non-major dependencies (#624)
76bf4c4 chore(deps): update dependency rollup to ^4.44.2 (#623)
Additional commits viewable in compare view

Updates vite from 4.5.14 to 7.1.5

Release notes

Sourced from vite's releases.

v4.5.14

Please refer to CHANGELOG.md for details.

v4.5.13

Please refer to CHANGELOG.md for details.

v4.5.12

Please refer to CHANGELOG.md for details.

v4.5.11

Please refer to CHANGELOG.md for details.

v4.5.10

Please refer to CHANGELOG.md for details.

v4.5.9

Please refer to CHANGELOG.md for details.

v4.5.8

Please refer to CHANGELOG.md for details.

v4.5.7

Please refer to CHANGELOG.md for details.

v4.5.6

This version contains a breaking change due to security fixes. See https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

4.5.14 (2025-04-30)

fix: backport #19965, check static serve file inside sirv (#19967) (7739479), closes #19965 #19967

chore: run format (99afb60)

4.5.13 (2025-04-10)

fix: backport #19830, reject requests with # in request-target (#19832) (41f3819), closes #19830 #19832

4.5.12 (2025-04-03)

fix: backport #19782, fs check with svg and relative paths (#19785) (0a3dcf5), closes #19782 #19785

4.5.11 (2025-03-31)

fix: backport #19761, fs check in transform middleware (#19763) (26e1764), closes #19761 #19763

4.5.10 (2025-03-24)

fix: backport #19702, fs raw query with query separators (#19704) (315695e), closes #19702 #19704

4.5.9 (2025-01-21)

fix: preview.allowedHosts with specific values was not respected (#19246) (0bc52e0), closes #19246

fix: allow CORS from loopback addresses by default (#19249) (8f63cd6), closes #19249

4.5.8 (2025-01-20)

fix: try parse server.origin URL (#19241) (3680bad), closes #19241

4.5.7 (2025-01-20)

fix: crypto.getRandomValues is not available in old Node versions (#19237) (f4d3c46), closes #19237

... (truncated)

Commits

9bfe2b1 release: v4.5.14
7739479 fix: backport #19965, check static serve file inside sirv (#19967)
99afb60 chore: run format
cd60e8b release: v4.5.13
41f3819 fix: backport #19830, reject requests with # in request-target (#19832)
6104add release: v4.5.12
0a3dcf5 fix: backport #19782, fs check with svg and relative paths (#19785)
07ddc3e release: v4.5.11
26e1764 fix: backport #19761, fs check in transform middleware (#19763)
86e7a6b release: v4.5.10
Additional commits viewable in compare view

Updates follow-redirects from 1.15.3 to 1.15.11

Commits

21ef28a Release version 1.15.11 of the npm package.
7c88135 Roll back tree shaking.
6e389ba Release version 1.15.10 of the npm package.
5bc496e Shake me up before you go-go.
694d6b4 Bump minimist from 1.2.5 to 1.2.8
e4e55c7 Release version 1.15.9 of the npm package.
31a1abf Attempt much more gentle detection.
Pull Request Statistics

Commits:
1

Files Changed:
2

Additions:
+573

Deletions:
-1460

Package Dependencies

Package:
axios

Ecosystem:
npm

Version Change:
0.27.2 → 1.11.0

Update Type:
Major

Package:
vite

Ecosystem:
npm

Version Change:
4.4.9 → 4.5.14

Update Type:
Minor

Package:
ws

Ecosystem:
npm

Version Change:
8.14.2 → 8.18.3

Update Type:
Minor

Package:
braces

Ecosystem:
npm

Version Change:
3.0.2 → 3.0.3

Update Type:
Patch

Package:
esbuild

Ecosystem:
npm

Version Change:
0.18.20 → 0.25.9

Update Type:
Minor

Package:
@vitejs/plugin-vue

Ecosystem:
npm

Version Change:
4.3.4 → 6.0.1

Update Type:
Major

Package:
start-server-and-test

Ecosystem:
npm

Version Change:
2.0.1 → 2.1.0

Update Type:
Minor

Package:
tmp

Ecosystem:
npm

Version Change:
0.2.1 → 0.2.5

Update Type:
Patch

Security Advisories

Websites were able to send any requests to the development server and read the response in vite

GHSA-vg6x-rcgg-rjx6 CVE-2025-24010 MODERATE

### Summary Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket con...

Actions

View on GitHub View Repository All Dependabot PRs

Technical Details

ID:	`7184543`
UUID:	`2807261732`
Node ID:	`PR_kwDOPrbPb86nU2ok`
Host:	GitHub
Repository:	ibiscum/Vue.js-3-for-Beginners
Merge State:	Dirty