Skip to content

Bump the security-all group across 1 directory with 6 updates#37

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/security-all-47cc34e01e
Open

Bump the security-all group across 1 directory with 6 updates#37
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/security-all-47cc34e01e

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Apr 23, 2026
edited
Loading

Bumps the security-all group with 6 updates in the / directory:

Package From To
vite 7.3.0 7.3.2
picomatch 2.3.1 2.3.2
handlebars 4.7.8 4.7.9
lodash 4.17.21 removed
qs 6.14.1 6.15.1
rollup 4.46.2 4.60.2

Updates vite from 7.3.0 to 7.3.2

Release notes

Sourced from vite's releases.

v7.3.2

Please refer to CHANGELOG.md for details.

v7.3.1

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.2 (2026-04-06)

Bug Fixes

7.3.1 (2026-01-07)

Features

  • add ignoreOutdatedRequests option to optimizeDeps (#21364) (9d39d37)
Commits

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

... (truncated)

Commits

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

  • fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
  • fix type "RuntimeOptions" also accepting string partials - eab1d14
  • feat(types): set hash to be a Record<string, any> - de4414d
  • fix non-contiguous program indices - 4512766
  • refactor: rename i to startPartIndex - e497a35
  • security: fix security issues - 68d8df5

Commits

Commits
  • dce542c v4.7.9
  • 8a41389 Update release notes
  • 68d8df5 Fix security issues
  • b2a0831 Fix browser tests
  • 9f98c16 Fix release script
  • 45443b4 Revert "Improve partial indenting performance"
  • 8841a5f Fix CI errors with linting
  • e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
  • e914d60 Improve rendering performance
  • 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
  • Additional commits viewable in compare view

Removes lodash

Updates qs from 6.14.1 to 6.15.1

Changelog

Sourced from qs's changelog.

6.15.1

  • [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
  • [Deps] update @ljharb/eslint-config
  • [Dev Deps] update @ljharb/eslint-config, iconv-lite
  • [Tests] increase coverage

6.15.0

  • [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
  • [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLengtharrayLimit)
  • [actions] fix rebase workflow permissions
Commits
  • 3f5e1c5 v6.15.1
  • c85b67f [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true s...
  • 4dfa0f0 [Deps] update @ljharb/eslint-config
  • dbb05d7 [Dev Deps] update @ljharb/eslint-config, iconv-lite
  • b0cfe7c [Tests] increase coverage
  • d9b4c66 v6.15.0
  • cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
  • 88e1563 [Fix] duplicates option should not apply to bracket notation keys
  • 9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
  • 85cc8ca v6.12.5
  • Additional commits viewable in compare view

Updates rollup from 4.46.2 to 4.60.2

Release notes

Sourced from rollup's releases.

v4.60.2

4.60.2

2026-04-18

Bug Fixes

  • Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

v4.60.1

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.2

2026-04-18

Bug Fixes

  • Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

4.60.0

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for rollup since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 23, 2026
This was referenced Apr 23, 2026
Closed
Closed
Closed
Closed
Closed
Closed
@dependabot
Bump the security-all group across 1 directory with 6 updates
bc54fce 
Bumps the security-all group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.3.0` | `7.3.2` |
| [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` |
| [handlebars](https://github.com/handlebars-lang/handlebars.js) | `4.7.8` | `4.7.9` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `removed` |
| [qs](https://github.com/ljharb/qs) | `6.14.1` | `6.15.1` |
| [rollup](https://github.com/rollup/rollup) | `4.46.2` | `4.60.2` |



Updates `vite` from 7.3.0 to 7.3.2
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `handlebars` from 4.7.8 to 4.7.9
- [Release notes](https://github.com/handlebars-lang/handlebars.js/releases)
- [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md)
- [Commits](handlebars-lang/handlebars.js@v4.7.8...v4.7.9)

Removes `lodash`

Updates `qs` from 6.14.1 to 6.15.1
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.1...v6.15.1)

Updates `rollup` from 4.46.2 to 4.60.2
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.46.2...v4.60.2)

---
updated-dependencies:
- dependency-name: handlebars
  dependency-version: 4.7.9
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: lodash
  dependency-version: 
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: qs
  dependency-version: 6.15.1
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: rollup
  dependency-version: 4.60.2
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: vite
  dependency-version: 7.3.2
  dependency-type: direct:development
  dependency-group: security-all
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/security-all-47cc34e01e branch from aafd1d6 to bc54fce Compare May 2, 2026 03:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants