chore(deps): bump the npm_and_yarn group across 2 directories with 5 updates
Open
Number: #891
Type: Pull Request
State: Open
Type: Pull Request
State: Open
Author:
![dependabot[bot]](https://github.com/dependabot.png)
dependabot[bot]
Association: Contributor
Comments: 2
dependabot[bot]Association: Contributor
Comments: 2
Created:
May 15, 2025 at 03:17 PM UTC
(4 months ago)
(4 months ago)
Updated:
June 09, 2025 at 03:51 PM UTC
(3 months ago)
(3 months ago)
Labels:
dependencies javascript
dependencies javascript
Description:
⚠️ Dependabot is rebasing this PR ⚠️
Rebasing might not happen immediately, so don't worry if this takes some time.
Note: if you make any changes to this PR yourself, they will take precedence over the rebase.
Bumps the npm_and_yarn group with 4 updates in the / directory: undici, vitest, @babel/runtime and vite.
Bumps the npm_and_yarn group with 2 updates in the /sdk directory: @babel/runtime and @babel/helpers.
Updates undici from 6.20.1 to 6.21.2
Release notes
Sourced from undici's releases.
v6.21.2
What's Changed
- fix(types): add missing DNS interceptor by
@slagiewkain nodejs/undici#4024- [v6.x] fix wpts on windows by
@mcollinain nodejs/undici#4093- Removed clients with unrecoverable errors from the Pool nodejs/undici#4088
New Contributors
@slagiewkamade their first contribution in nodejs/undici#4024Full Changelog: https://github.com/nodejs/undici/compare/v6.21.1...v6.21.2
v6.21.1
⚠️ Security Release ⚠️
Fixes CVE CVE-2025-22150 https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).
What's Changed
- fix(#3736): back-port 183f8e9 to v6.x by
@ggoodmanin nodejs/undici#3855- fix(#3817): send servername for SNI on TLS (#3821) [backport] by
@metcoder95in nodejs/undici#3864- fix: sending formdata bodies with http2 (#3863) [backport] by
@metcoder95in nodejs/undici#3866- [Backport v6.x] fix: Fixed the issue that there is no running request when http2 goaway by
@github-actionsin nodejs/undici#3877- types: [backport] Update return type of RetryCallback (#3851) by
@metcoder95in nodejs/undici#3876Full Changelog: https://github.com/nodejs/undici/compare/v6.21.0...v6.21.1
v6.21.0
What's Changed
- [Backport v6.x] web: mark as uncloneable when possible (#3709) by
@jazellyin nodejs/undici#3744- [Backport v6.x] fetch: fix content-encoding order by
@github-actionsin nodejs/undici#3764- [Backport v6.x] fix: handle undefined deref() of WeakRef(socket) by
@github-actionsin nodejs/undici#3822- [Backport v6.x] fix: range end is zero-indexed by
@github-actionsin nodejs/undici#3827Full Changelog: https://github.com/nodejs/undici/compare/v6.20.1...v6.21.0
Commits
b63d939Bumped v6.21.2de1e4b8[v6.x] fix wpts on windows (#4093)4e07ddatest: fix windows wpt (#4050)1333871Removed clients with unrecoverable errors from the Pool (#4088)a0e76c7fix(types): add missing DNS interceptor (#4024)e260e7bBumped v6.21.1c3acc60Merge commit from fork2414bc9Update return type of RetryCallback (#3851) (#3876)be8cd0a[Backport v6.x] fix: Fixed the issue that there is no running request when ht...ee6176cfix: sending formdata bodies with http2 (#3863) [backport] (#3866)- Additional commits viewable in compare view
Updates vitest from 2.1.8 to 2.1.9
Release notes
Sourced from vitest's releases.
v2.1.9
This release includes security patches for:
- Browser mode serves arbitrary files | CVE-2025-24963
- Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964
🐞 Bug Fixes
- backport vitest-dev/vitest#7317 to v2 - by
@hi-ogawain vitest-dev/vitest#7318- (backport #7340 to v2) restrict served files from
/__screenshot-error- by@hi-ogawain vitest-dev/vitest#7343View changes on GitHub
Commits
c9e59a0chore: release v2.1.9e0fe1d8fix: backport #7317 to v2 (#7318)- See full diff in compare view
Updates @babel/runtime from 7.26.0 to 7.27.1
Release notes
Sourced from @babel/runtime's releases.
v7.27.1 (2025-04-30)
Thanks
@kermanxand@woaitsAryanfor your first PRs!:eyeglasses: Spec Compliance
babel-parserbabel-parser,babel-types:bug: Bug Fix
babel-plugin-proposal-destructuring-private,babel-plugin-proposal-do-expressions,babel-traversebabel-helper-wrap-function,babel-plugin-transform-async-to-generator
- #17251 Fix: propagate argument evaluation errors through async promise chain (
@magic-akari)babel-helper-remap-async-to-generator,babel-plugin-transform-async-to-generatorbabel-helper-fixtures,babel-parserbabel-generator,babel-parserbabel-parserbabel-compat-data,babel-preset-envbabel-traverse
- #17156 fix: Objects and arrays with multiple references should not be evaluated (
@liuxingbaoyu)babel-generator:nail_care: Polish
babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining,babel-plugin-proposal-decorators,babel-plugin-transform-arrow-functions,babel-plugin-transform-class-properties,babel-plugin-transform-destructuring,babel-plugin-transform-object-rest-spread,babel-plugin-transform-optional-chaining,babel-plugin-transform-parameters,babel-traverse
- #17221 Reduce generated names size for the 10th-11th (
@nicolo-ribaudo):house: Internal
babel-runtime-corejs2,babel-runtime-corejs3,babel-runtime
- #17263 Remove unused
regenerator-runtimedep in@babel/runtime(@nicolo-ribaudo)babel-compat-data,babel-preset-envbabel-compat-data,babel-standalonebabel-register
- #16844 Migrate
@babel/registerto cts (@liuxingbaoyu)babel-helpers,babel-plugin-transform-async-generator-functions,babel-plugin-transform-regenerator,babel-preset-env,babel-runtime-corejs3
- #17205 Inline regenerator in the relevant packages (
@nicolo-ribaudo)- All packages
... (truncated)
Changelog
Sourced from @babel/runtime's changelog.
v7.27.1 (2025-04-30)
:eyeglasses: Spec Compliance
babel-parserbabel-parser,babel-types:bug: Bug Fix
babel-plugin-proposal-destructuring-private,babel-plugin-proposal-do-expressions,babel-traversebabel-helper-wrap-function,babel-plugin-transform-async-to-generator
- #17251 Fix: propagate argument evaluation errors through async promise chain (
@magic-akari)babel-helper-remap-async-to-generator,babel-plugin-transform-async-to-generatorbabel-helper-fixtures,babel-parserbabel-generator,babel-parserbabel-parserbabel-compat-data,babel-preset-envbabel-traverse
- #17156 fix: Objects and arrays with multiple references should not be evaluated (
@liuxingbaoyu)babel-generator:nail_care: Polish
babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining,babel-plugin-proposal-decorators,babel-plugin-transform-arrow-functions,babel-plugin-transform-class-properties,babel-plugin-transform-destructuring,babel-plugin-transform-object-rest-spread,babel-plugin-transform-optional-chaining,babel-plugin-transform-parameters,babel-traverse
- #17221 Reduce generated names size for the 10th-11th (
@nicolo-ribaudo):house: Internal
babel-runtime-corejs2,babel-runtime-corejs3,babel-runtime
- #17263 Remove unused
regenerator-runtimedep in@babel/runtime(@nicolo-ribaudo)babel-compat-data,babel-preset-envbabel-compat-data,babel-standalone- Other
babel-register
- #16844 Migrate
@babel/registerto cts (@liuxingbaoyu)babel-cli,babel-compat-data,babel-core,babel-generator,babel-helper-compilation-targets,babel-helper-fixtures,babel-helper-module-imports,babel-helper-module-transforms,babel-helper-plugin-test-runner,babel-helper-transform-fixture-test-runner,babel-helpers,babel-node,babel-parser,babel-plugin-transform-modules-amd,babel-plugin-transform-modules-commonjs,babel-plugin-transform-modules-systemjs,babel-plugin-transform-modules-umd,babel-plugin-transform-react-display-name,babel-plugin-transform-regenerator,babel-plugin-transform-runtime,babel-plugin-transform-typeof-symbol,babel-plugin-transform-typescript,babel-preset-env,babel-register,babel-standalone,babel-typesbabel-plugin-transform-regenerator
... (truncated)
Commits
eebd3a0v7.27.1296cdc5Remove unusedregenerator-runtimedep in@babel/runtime(#17263)fdc0fb5[Babel 8] Bump nodejs requirements to^20.19.0 || >= 22.12.0(#17204)5c350eav7.27.0ca4865aFix: align behaviour to tscrewriteRelativeImportExtensions(#17118)e1ce99dv7.26.10d5952e8Fix processing of replacement pattern with named capture groups (#17173)64bca7bv7.26.92d95140v7.26.7- See full diff in compare view
Updates vite from 5.4.11 to 5.4.19
Release notes
Sourced from vite's releases.
v5.4.19
Please refer to CHANGELOG.md for details.
v5.4.18
Please refer to CHANGELOG.md for details.
v5.4.17
Please refer to CHANGELOG.md for details.
v5.4.16
Please refer to CHANGELOG.md for details.
v5.4.15
Please refer to CHANGELOG.md for details.
v5.4.14
Please refer to CHANGELOG.md for details.
v5.4.13
Please refer to CHANGELOG.md for details.
v5.4.12
This version contains a breaking change due to security fixes. See https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6 for more details.
Please refer to CHANGELOG.md for details.
Changelog
Sourced from vite's changelog.
5.4.19 (2025-04-30)
5.4.18 (2025-04-10)
- fix: backport #19830, reject requests with
#in request-target (#19831) (823675b), closes #19830 #198315.4.17 (2025-04-03)
5.4.16 (2025-03-31)
5.4.15 (2025-03-24)
5.4.14 (2025-01-21)
- fix:
preview.allowedHostswith specific values was not respected (#19246) (9df6e6b), closes #19246- fix: allow CORS from loopback addresses by default (#19249) (7d1699c), closes #19249
5.4.13 (2025-01-20)
5.4.12 (2025-01-20)
Commits
80a333arelease: v5.4.19766947efix: backport #19965, check static serve file inside sirv (#19966)731b77drelease: v5.4.18823675bfix: backport #19830, reject requests with#in request-target (#19831)0a2518arelease: v5.4.1784b2b46fix: backport #19782, fs check with svg and relative paths (#19784)712cb71release: v5.4.16b627c50fix: backport #19761, fs check in transform middleware (#19762)9b0f4c8release: v5.4.15807d7f0fix: backport #19702, fs raw query with query separators (#19703)- Additional commits viewable in compare view
Updates @babel/runtime from 7.23.2 to 7.27.1
Release notes
Sourced from @babel/runtime's releases.
v7.27.1 (2025-04-30)
Thanks
@kermanxand@woaitsAryanfor your first PRs!:eyeglasses: Spec Compliance
babel-parserbabel-parser,babel-types:bug: Bug Fix
babel-plugin-proposal-destructuring-private,babel-plugin-proposal-do-expressions,babel-traversebabel-helper-wrap-function,babel-plugin-transform-async-to-generator
- #17251 Fix: propagate argument evaluation errors through async promise chain (
@magic-akari)babel-helper-remap-async-to-generator,babel-plugin-transform-async-to-generatorbabel-helper-fixtures,babel-parserbabel-generator,babel-parserbabel-parserbabel-compat-data,babel-preset-envbabel-traverse
- #17156 fix: Objects and arrays with multiple references should not be evaluated (
@liuxingbaoyu)babel-generator:nail_care: Polish
babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining,babel-plugin-proposal-decorators,babel-plugin-transform-arrow-functions,babel-plugin-transform-class-properties,babel-plugin-transform-destructuring,babel-plugin-transform-object-rest-spread,babel-plugin-transform-optional-chaining,babel-plugin-transform-parameters,babel-traverse
- #17221 Reduce generated names size for the 10th-11th (
@nicolo-ribaudo):house: Internal
babel-runtime-corejs2,babel-runtime-corejs3,babel-runtime
- #17263 Remove unused
regenerator-runtimedep in@babel/runtime(@nicolo-ribaudo)babel-compat-data,babel-preset-envbabel-compat-data,babel-standalonebabel-register
- #16844 Migrate
@babel/registerto cts (@liuxingbaoyu)babel-helpers,babel-plugin-transform-async-generator-functions,babel-plugin-transform-regenerator,babel-preset-env,babel-runtime-corejs3
- #17205 Inline regenerator in the relevant packages (
@nicolo-ribaudo)- All packages
... (truncated)
Changelog
Sourced from @babel/runtime's changelog.
v7.27.1 (2025-04-30)
:eyeglasses: Spec Compliance
babel-parserbabel-parser,babel-types:bug: Bug Fix
babel-plugin-proposal-destructuring-private,babel-plugin-proposal-do-expressions,babel-traversebabel-helper-wrap-function,babel-plugin-transform-async-to-generator
- #17251 Fix: propagate argument evaluation errors through async promise chain (
@magic-akari)babel-helper-remap-async-to-generator,babel-plugin-transform-async-to-generatorbabel-helper-fixtures,babel-parserbabel-generator,babel-parserbabel-parserbabel-compat-data,babel-preset-envbabel-traverse
- #17156 fix: Objects and arrays with multiple references should not be evaluated (
@liuxingbaoyu)babel-generator:nail_care: Polish
babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining,babel-plugin-proposal-decorators,babel-plugin-transform-arrow-functions,babel-plugin-transform-class-properties,babel-plugin-transform-destructuring,babel-plugin-transform-object-rest-spread,babel-plugin-transform-optional-chaining,babel-plugin-transform-parameters,babel-traverse
- #17221 Reduce generated names size for the 10th-11th (
@nicolo-ribaudo):house: Internal
babel-runtime-corejs2,babel-runtime-corejs3,babel-runtime
- #17263 Remove unused
regenerator-runtimedep in@babel/runtime(@nicolo-ribaudo)babel-compat-data,babel-preset-envbabel-compat-data,babel-standalone- Other
babel-register
- #16844 Migrate
@babel/registerto cts (@liuxingbaoyu)babel-cli,babel-compat-data,babel-core,babel-generator,babel-helper-compilation-targets,babel-helper-fixtures,babel-helper-module-imports,babel-helper-module-transforms,babel-helper-plugin-test-runner,babel-helper-transform-fixture-test-runner,babel-helpers,babel-node,babel-parser,babel-plugin-transform-modules-amd,babel-plugin-transform-modules-commonjs,babel-plugin-transform-modules-systemjs,babel-plugin-transform-modules-umd,babel-plugin-transform-react-display-name,babel-plugin-transform-regenerator,babel-plugin-transform-runtime,babel-plugin-transform-typeof-symbol,babel-plugin-transform-typescript,babel-preset-env,babel-register,babel-standalone,babel-typesbabel-plugin-transform-regenerator
... (truncated)
Commits
eebd3a0v7.27.1296cdc5Remove unusedregenerator-runtimedep in@babel/runtime(#17263)fdc0fb5[Babel 8] Bump nodejs requirements to^20.19.0 || >= 22.12.0(#17204)5c350eav7.27.0ca4865aFix: align behaviour to tscrewriteRelativeImportExtensions(#17118)e1ce99dv7.26.10d5952e8Fix processing of replacement pattern with named capture groups (#17173)64bca7bv7.26.92d95140v7.26.7- See full diff in compare view
Updates @babel/helpers from 7.23.2 to 7.27.1
Release notes
Sourced from @babel/helpers's releases.
v7.27.1 (2025-04-30)
Thanks
@kermanxand@woaitsAryanfor your first PRs!:eyeglasses: Spec Compliance
babel-parserbabel-parser,babel-types:bug: Bug Fix
babel-plugin-proposal-destructuring-private,babel-plugin-proposal-do-expressions,babel-traversebabel-helper-wrap-function,babel-plugin-transform-async-to-generator
- #17251 Fix: propagate argument evaluation errors through async promise chain (
@magic-akari)babel-helper-remap-async-to-generator,babel-plugin-transform-async-to-generatorbabel-helper-fixtures,babel-parserbabel-generator,babel-parserbabel-parserbabel-compat-data,babel-preset-envbabel-traverse
- #17156 fix: Objects and arrays with multiple references should not be evaluated (
@liuxingbaoyu)babel-generator:nail_care: Polish
babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining,babel-plugin-proposal-decorators,babel-plugin-transform-arrow-functions,babel-plugin-transform-class-properties,babel-plugin-transform-destructuring,babel-plugin-transform-object-rest-spread,babel-plugin-transform-optional-chaining,babel-plugin-transform-parameters,babel-traverse
- #17221 Reduce generated names size for the 10th-11th (
@nicolo-ribaudo):house: Internal
babel-runtime-corejs2,babel-runtime-corejs3,babel-runtime
- #17263 Remove unused
regenerator-runtimedep in@babel/runtime(@nicolo-ribaudo)babel-compat-data,babel-preset-envbabel-compat-data,babel-standalonebabel-register
- #16844 Migrate
@babel/registerto cts (@liuxingbaoyu)babel-helpers,babel-plugin-transform-async-generator-functions,babel-plugin-transform-regenerator,babel-preset-env,babel-runtime-corejs3
- #17205 Inline regenerator in the relevant packages (
@nicolo-ribaudo)- All packages
... (truncated)
Changelog
Sourced from @babel/helpers's changelog.
v7.27.1 (2025-04-30)
:eyeglasses: Spec Compliance
babel-parserbabel-parser,babel-types:bug: Bug Fix
babel-plugin-proposal-destructuring-private,babel-plugin-proposal-do-expressions,babel-traversebabel-helper-wrap-function,babel-plugin-transform-async-to-generator
- #17251 Fix: propagate argument evaluation errors through async promise chain (
@magic-akari)babel-helper-remap-async-to-generator,babel-plugin-transform-async-to-generatorbabel-helper-fixtures,babel-parserbabel-generator,babel-parserbabel-parserbabel-compat-data,babel-preset-envbabel-traverse
- #17156 fix: Objects and arrays with multiple references should not be evaluated (
@liuxingbaoyu)babel-generator:nail_care: Polish
babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining,babel-plugin-proposal-decorators,babel-plugin-transform-arrow-functions,babel-plugin-transform-class-properties,babel-plugin-transform-destructuring,babel-plugin-transform-object-rest-spread,babel-plugin-transform-optional-chaining,babel-plugin-transform-parameters,babel-traverse
- #17221 Reduce generated names size for the 10th-11th (
@nicolo-ribaudo):house: Internal
babel-runtime-corejs2,babel-runtime-corejs3,babel-runtime
- #17263 Remove unused
regenerator-runtimedep in@babel/runtime(@nicolo-ribaudo)babel-compat-data,babel-preset-envbabel-compat-data,babel-standalone- Other
babel-register
- #16844 Migrate
@babel/registerto cts (@liuxingbaoyu)babel-cli,babel-compat-data,babel-core,babel-generator,babel-helper-compilation-targets,babel-helper-fixtures,babel-helper-module-imports,babel-helper-module-transforms,bab...Description has been truncated
PR-Codex overview
This PR focuses on updating dependencies in the
package.jsonandyarn.lockfiles, ensuring the project uses the latest versions of several packages, includingundici,vitest, and various@babelpackages.Detailed summary
- Updated
undicifrom^6.20.1to^6.21.2.- Updated
vitestfrom^2.0.3to^2.1.9.- Updated several
@babelpackages to version^7.27.1.- Updated
vite-nodefrom2.1.8to2.1.9.- Updated
vitefrom5.4.11to5.4.19.✨ Ask PR-Codex anything about this PR by commenting with
/codex {your question}
Pull Request Statistics
Commits:
0
0
Files Changed:
0
0
Additions:
+0
+0
Deletions:
-0
-0
Package Dependencies
Security Advisories
Websites were able to send any requests to the development server and read the response in vite
GHSA-vg6x-rcgg-rjx6
CVE-2025-24010
MODERATE
### Summary
Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket con...
Vitest browser mode serves arbitrary files
GHSA-8gvc-j273-4wm5
CVE-2025-24963
MODERATE
### Summary
`__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by [`browser.api.host: true`](...
Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
GHSA-9crc-q9x8-hgqq
CVE-2025-24964
CRITICAL
### Summary
Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.
### Details
When [`api` optio...
Use of Insufficiently Random Values in undici
GHSA-c76h-2ccp-4975
CVE-2025-22150
MODERATE
### Impact
[Undici `fetch()` uses Math.random()](https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113) to choose the boundary for a multipart/f...
Technical Details
| ID: | 585248 |
| UUID: | 3066617757 |
| Node ID: | PR_kwDOJEmqjs6WWV4- |
| Host: | GitHub |
| Repository: | thirdweb-dev/engine |