Bump the npm_and_yarn group across 1 directory with 6 updates by dependabot[bot] · Pull Request #38 · react18-tools/react18-themes

dependabot · 2026-06-08T23:10:07Z

Bumps the npm_and_yarn group with 4 updates in the / directory: turbo, next, vite and vitest.

Updates turbo from 2.4.0 to 2.9.14

Release notes

Turborepo v2.9.14

[!NOTE] This release contains important security fixes.

High:

GHSA-5xc8-49mv-x4mm: Turborepo VSCode Extension command injection

Low:

GHSA-hcf7-66rw-9f5r: Login callback CSRF/session fixation

GHSA-3qcw-2rhx-2726: Unexpected local code execution during Yarn Berry detection

What's Changed

Changelog

release(turborepo): 2.9.12 by @github-actions[bot] in vercel/turborepo#12774

fix: Restore docs mobile menu by @anthonyshew in vercel/turborepo#12782

ci: Use pull_request for PR title linting by @anthonyshew in vercel/turborepo#12787

ci: Scope GitHub Actions caches by branch by @anthonyshew in vercel/turborepo#12788

test: Validate lockfiles without dependency downloads by @anthonyshew in vercel/turborepo#12789

Removed unneeded import form hash creation script in docs by @dancrumb in vercel/turborepo#12799

fix: Validate auth callback state by @anthonyshew in vercel/turborepo#12802

fix: Harden VS Code extension command execution by @anthonyshew in vercel/turborepo#12800

fix: Avoid project-local Yarn during detection by @anthonyshew in vercel/turborepo#12801

chore: Release 2.9.13 by @anthonyshew in vercel/turborepo#12803

New Contributors

@dancrumb made their first contribution in vercel/turborepo#12799

Full Changelog: vercel/turborepo@v2.9.12...v2.9.14

Turborepo v2.9.13-canary.1

What's Changed

Changelog

release(turborepo): 2.9.11-canary.7 by @github-actions[bot] in vercel/turborepo#12768

fix: Allow $TURBO_EXTENDS$ in LSP diagnostics by @anthonyshew in vercel/turborepo#12770

release(turborepo): 2.9.11 by @github-actions[bot] in vercel/turborepo#12771

fix: Allow transit nodes in LSP diagnostics by @anthonyshew in vercel/turborepo#12773

release(turborepo): 2.9.12 by @github-actions[bot] in vercel/turborepo#12774

fix: Restore docs mobile menu by @anthonyshew in vercel/turborepo#12782

ci: Use pull_request for PR title linting by @anthonyshew in vercel/turborepo#12787

ci: Scope GitHub Actions caches by branch by @anthonyshew in vercel/turborepo#12788

test: Validate lockfiles without dependency downloads by @anthonyshew in vercel/turborepo#12789

Removed unneeded import form hash creation script in docs by @dancrumb in vercel/turborepo#12799

fix: Validate auth callback state by @anthonyshew in vercel/turborepo#12802

fix: Harden VS Code extension command execution by @anthonyshew in vercel/turborepo#12800

fix: Avoid project-local Yarn during detection by @anthonyshew in vercel/turborepo#12801

... (truncated)

Commits

fc62fe0 publish 2.9.14 to registry
fb8c9ae chore: Release 2.9.13 (#12803)
e8e629d fix: Avoid project-local Yarn during detection (#12801)
91c90cb fix: Harden VS Code extension command execution (#12800)
84f4508 fix: Validate auth callback state (#12802)
1779ad7 Removed unneeded import form hash creation script in docs (#12799)
71f8c90 test: Validate lockfiles without dependency downloads (#12789)
5fcb960 ci: Scope GitHub Actions caches by branch (#12788)
4cf9fab ci: Use pull_request for PR title linting (#12787)
859c629 fix: Restore docs mobile menu (#12782)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for turbo since your current version.

Updates next from 15.2.3 to 15.5.18

Release notes

Sourced from next's releases.

v15.5.18

This release contains security fixes for the following advisories:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces

GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input

GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting

GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.16

This release contains security fixes for the following advisories:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces

GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input

GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting

GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.15

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

Commits

9ff92ce v15.5.18
00ebe23 [backport] Disable build caches for production/staging/force-preview deploys ...
62c97ab v15.5.17
423623a Turbopack: Match proxy matchers with webpack implementation (#93594)
fa78739 Turbopack: Fix middleware matcher suffix (#93590)
36e62c6 [backport] Turbopack: more strict vergen setup (#93588)
36589b5 [backport][test] Pin package manager to patch versions (#93596)
ad6fd4e v15.5.16
79d7dff Ignore malformed CSP nonce headers (#103)
c4f6908 router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates vite from 6.0.11 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

v6.3.6

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163

fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

6.4.1 (2025-10-20)

fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969) (1114b5d), closes #20968 #20969

6.4.0 (2025-10-15)

feat: allow passing down resolved config to vite's createServer (#20932) (ca6455e), closes #20932

6.3.7 (2025-10-14)

fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940) (c59a222), closes #20940

6.3.6 (2025-09-08)

fix: apply fs.strict check to HTML files (#20736) (0ab19ea), closes #20736

fix: upgrade sirv to 3.0.2 (#20735) (e11d240), closes #20735

test: detect ts support via process.features (#20544) (7d99229), closes #20544

6.3.5 (2025-05-05)

fix(ssr): handle uninitialized export access as undefined (#19959) (fd38d07), closes #19959

6.3.4 (2025-04-30)

fix: check static serve file inside sirv (#19965) (c22c43d), closes #19965

fix(optimizer): return plain object when using require to import externals in optimized dependenci (efc5eab), closes #19940

refactor: remove duplicate plugin context type (#19935) (d6d01c2), closes #19935

6.3.3 (2025-04-24)

fix: ignore malformed uris in tranform middleware (#19853) (e4d5201), closes #19853

... (truncated)

Commits

6b3fad0 release: v6.4.2
ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
5487f4f release: v6.4.1
1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
f12697c release: v6.4.0
ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
0e173d8 release: v6.3.7
c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
3f337c5 release: v6.3.6
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vite since your current version.

Updates vitest from 3.0.5 to 3.2.6

Release notes

Sourced from vitest's releases.

v3.2.6

   🐞 Bug Fixes

Pin last supported vite-node version - by @sheremet-va (16f12)

    View changes on GitHub

v3.2.5

   🚀 Features

api: Add allowWrite and allowExec options to api [backport to v3] - by @hi-ogawa and Codex in vitest-dev/vitest#10445 (af88b)

   🐞 Bug Fixes

browser: Disable client cdp API when allowWrite/allowExec: false [backport to v3] - by @hi-ogawa and Codex in vitest-dev/vitest#10456 (385a1)

    View changes on GitHub

v3.2.4

   🐞 Bug Fixes

Use correct path for optimisation of strip-literal - by @mrginglymus in vitest-dev/vitest#8139 (44940)

Print uint and buffer as a simple string - by @sheremet-va in vitest-dev/vitest#8141 (b86bf)

browser:

Show a helpful error when spying on an export - by @sheremet-va in vitest-dev/vitest#8178 (56007)

cli:

vitest run --watch should be watch-mode - by @AriPerkkio in vitest-dev/vitest#8128 (657e8)

Use absolute path environment on Windows - by @colinaaa in vitest-dev/vitest#8105 (85dc0)

Throw error when --shard x/<count> exceeds count of test files - by @AriPerkkio in vitest-dev/vitest#8112 (8a18c)

coverage:

Ignore SCSS in browser mode - by @sheremet-va in vitest-dev/vitest#8161 (0c3be)

deps:

Update all non-major dependencies - in vitest-dev/vitest#8123 (93f32)

expect:

Handle async errors in expect.soft - by @lzl0304 in vitest-dev/vitest#8145 (68699)

pool:

Auto-adjust minWorkers when only maxWorkers specified - by @AriPerkkio in vitest-dev/vitest#8110 (14dc0)

reporter:

task.meta should be available in custom reporter's errors - by @AriPerkkio in vitest-dev/vitest#8115 (27df6)

runner:

Preserve handler wrapping on extend - by @pengooseDev in vitest-dev/vitest#8153 (a9281)

ui:

Ensure ui config option works correctly - by @lzl0304 in vitest-dev/vitest#8147 (42eeb)

    View changes on GitHub

v3.2.3

   🚀 Features

browser: Use base url instead of vitest - by @sheremet-va in vitest-dev/vitest#8126 (1d8eb)

... (truncated)

Commits

b6d56f8 chore: release v3.2.6
16f120d fix: pin last supported vite-node version
2cbad0a chore: release v3.2.5
385a1ae fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
af88b1f feat(api): add allowWrite and allowExec options to api [backport to v3]...
c666d14 chore: release v3.2.4
8a18c8e fix(cli): throw error when --shard x/\<count> exceeds count of test files (#...
8abd7cc chore(deps): update tinypool (#8174)
93f3200 fix(deps): update all non-major dependencies (#8123)
0c3be6f fix(coverage): ignore SCSS in browser mode (#8161)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.

Updates flatted from 3.3.3 to 3.4.2

Commits

3bf0909 3.4.2
885ddcc fix CWE-1321
0bdba70 added flatted-view to the benchmark
2a02dce 3.4.1
fba4e8f Merge pull request #89 from WebReflection/python-fix
5fe8648 added "when in Rome" also a test for PHP
53517ad some minor improvement
b3e2a0c Fixing recursion issue in Python too
c4b46db Add SECURITY.md for security policy and reporting
f86d071 Create dependabot.yml for version updates
Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

fix: exception when glob pattern contains constructor by @Jason3S in micromatch/picomatch#144

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Changelogs are for humans, not machines.

There should be an entry for every single version.

The same types of changes should be grouped.

Versions and sections should be linkable.

The latest version comes first.

The release date of each versions is displayed.

Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

Added for new features.

Changed for changes in existing functionality.

Deprecated for soon-to-be removed features.

Removed for now removed features.

Fixed for any bug fixes.

Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Fix bad text values in parse #126, thanks to @connor4312

Changed

Remove process global to work outside of node #129, thanks to @styfle

Add sideEffects to package.json #128, thanks to @frandiox

Removed os, make compatible browser environment. See #124, thanks to @gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

81cba8d Publish 2.3.2
fc1f6b6 Merge commit from fork
eec17ae Merge commit from fork
78f8ca4 Merge pull request #156 from micromatch/backport-144
3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 4 updates in the / directory: [turbo](https://github.com/vercel/turborepo), [next](https://github.com/vercel/next.js), [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). Updates `turbo` from 2.4.0 to 2.9.14 - [Release notes](https://github.com/vercel/turborepo/releases) - [Changelog](https://github.com/vercel/turborepo/blob/main/RELEASE.md) - [Commits](vercel/turborepo@v2.4.0...v2.9.14) Updates `next` from 15.2.3 to 15.5.18 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v15.2.3...v15.5.18) Updates `vite` from 6.0.11 to 6.4.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite) Updates `vitest` from 3.0.5 to 3.2.6 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v3.2.6/packages/vitest) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) --- updated-dependencies: - dependency-name: turbo dependency-version: 2.9.14 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.5.18 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 6.4.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vitest dependency-version: 3.2.6 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 8, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the npm_and_yarn group across 1 directory with 6 updates#38

Bump the npm_and_yarn group across 1 directory with 6 updates#38
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-5c976add7d

dependabot Bot commented on behalf of github Jun 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

dependabot Bot commented on behalf of github Jun 8, 2026

Turborepo v2.9.14

High:

Low:

What's Changed

Changelog

New Contributors

Turborepo v2.9.13-canary.1

What's Changed

Changelog

v15.5.18

v15.5.16

v15.5.15

v6.4.2

v6.4.1

v6.4.0

v6.3.7

v6.3.6

6.4.2 (2026-04-06)

6.4.1 (2025-10-20)

6.4.0 (2025-10-15)

6.3.7 (2025-10-14)

6.3.6 (2025-09-08)

6.3.5 (2025-05-05)

6.3.4 (2025-04-30)

6.3.3 (2025-04-24)

v3.2.6

🐞 Bug Fixes

View changes on GitHub

v3.2.5

🚀 Features

🐞 Bug Fixes

View changes on GitHub

v3.2.4

🐞 Bug Fixes

View changes on GitHub

v3.2.3

🚀 Features

2.3.2

What's Changed

Release history

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants