chore(deps): Bump the npm_and_yarn group across 12 directories with 11 updates by dependabot[bot] · Pull Request #321 · WhatIfWeDigDeeper/application-tracker

dependabot · 2026-05-18T18:41:43Z

Bumps the npm_and_yarn group with 3 updates in the /angular-spring-ui directory: @babel/plugin-transform-modules-systemjs, fast-uri and hono.
Bumps the npm_and_yarn group with 3 updates in the /angular-ui directory: @babel/plugin-transform-modules-systemjs, fast-uri and hono.
Bumps the npm_and_yarn group with 2 updates in the /api directory: fast-uri and hono.
Bumps the npm_and_yarn group with 2 updates in the /hono-api directory: brace-expansion and hono.
Bumps the npm_and_yarn group with 3 updates in the /lambda-api directory: brace-expansion, hono and fast-xml-builder.
Bumps the npm_and_yarn group with 2 updates in the /nest-api directory: fast-uri and protobufjs.
Bumps the npm_and_yarn group with 2 updates in the /nest-history-api directory: brace-expansion and protobufjs.
Bumps the npm_and_yarn group with 2 updates in the /nuxt-api directory: devalue and nitropack.
Bumps the npm_and_yarn group with 3 updates in the /svelte-ui directory: brace-expansion, devalue and svelte.
Bumps the npm_and_yarn group with 2 updates in the /tanstack-start-ui directory: brace-expansion and @tanstack/start-server-core.
Bumps the npm_and_yarn group with 1 update in the /ui directory: next.
Bumps the npm_and_yarn group with 3 updates in the /yoga-api directory: brace-expansion, fast-uri and hono.

Updates @babel/plugin-transform-modules-systemjs from 7.29.0 to 7.29.4

Release notes

Sourced from @babel/plugin-transform-modules-systemjs's releases.

v7.29.4 (2026-05-05)

🐛 Bug Fix

babel-plugin-transform-modules-systemjs

#17974 [7.x backport]fix(systemjs): improve module string name support (@JLHwung)

Committers: 1

Huáng Jùnliàng (@JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

babel-parser

#17923 Support flow extends bound (@JLHwung)

🐛 Bug Fix

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#17931 fix(decorators): replace super within all removed static elements (@JLHwung)

babel-register

#17915 Fix thread synchronization issues in @babel/register (@liuxingbaoyu)

babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env

#17788 Add bugfix plugin for Safari array rest destructuring bug (@JLHwung)

💅 Polish

babel-parser

#17782 Improve trailing comma comment handling (@JLHwung)

📝 Documentation

#17847 Replace npmjs.com links with npmx.dev (@nicolo-ribaudo)

🏃‍♀️ Performance

babel-helper-import-to-platform-api, babel-plugin-proposal-import-wasm-source, babel-plugin-transform-json-modules

#17818 Load async Wasm and JSON imports in parallel (@nicolo-ribaudo)

Committers: 4

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

v7.29.2 (2026-03-16)

👓 Spec Compliance

babel-parser

#17840 [7.x backport] async x => {} must be in leading pos (@JLHwung)

🐛 Bug Fix

babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3

#17805 [7.x backport] fix: Properly handle await in finally (@liuxingbaoyu)

babel-preset-env

... (truncated)

Commits

a458f66 v7.29.4
32ebd5a [7.x backport]fix(systemjs): improve module string name support (#17974)
See full diff in compare view

Updates fast-uri from 3.1.0 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

Fix for GHSA-v39h-62p7-jpjc

What's Changed

Handle malformed fragment decoding as a parse error by @mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

Fix for GHSA-q3j6-qgpj-74h6

What's Changed

build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @dependabot[bot] in fastify/fast-uri#148

build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in fastify/fast-uri#149

chore(.npmrc): ignore scripts by @Fdawgs in fastify/fast-uri#150

build(deps-dev): remove @fastify/pre-commit by @Fdawgs in fastify/fast-uri#151

build(deps): bump actions/setup-node from 4 to 5 by @dependabot[bot] in fastify/fast-uri#152

ci(ci): add concurrency config by @Fdawgs in fastify/fast-uri#153

build(deps): bump actions/setup-node from 5 to 6 by @dependabot[bot] in fastify/fast-uri#154

build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in fastify/fast-uri#156

chore(license): standardise license notice by @Fdawgs in fastify/fast-uri#159

style: remove trailing whitespace by @Fdawgs in fastify/fast-uri#161

ci: remove unused github files by @Tony133 in fastify/fast-uri#162

chore: update readme by @Tony133 in fastify/fast-uri#164

build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#165

build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#166

build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @dependabot[bot] in fastify/fast-uri#167

ci: add lock-threads workflow by @Fdawgs in fastify/fast-uri#169

New Contributors

@Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits

919dd8e Bumped v3.1.2
c65ba57 fixup: linting
6c86c17 Merge commit from fork
a95158a Handle malformed fragment decoding without throwing (#171)
cea547c Bumped v3.1.1
876ce79 Merge commit from fork
dcdf690 ci: add lock-threads workflow (#169)
c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
Additional commits viewable in compare view

Updates hono from 4.12.15 to 4.12.19

Release notes

Sourced from hono's releases.

v4.12.19

What's Changed

ci: pin GitHub Actions to SHAs by @yusukebe in honojs/hono#4932

fix(serveStatic): make options parameter optional in all adapters by @mixelburg in honojs/hono#4934

fix(cookie): return the first cookie when there are multiple cookies with the same name by @usualoma in honojs/hono#4922

feat(bearer-auth): make bearerAuth generic for typed context in verifyToken by @justinnais in honojs/hono#4913

feat(cache): key cache entries by configured vary headers by @usualoma in honojs/hono#4915

feat(request): add bytes() by @yusukebe in honojs/hono#4921

fix(stream): upgrade @hono/node-server to v2 and fix abort handling by @yusukebe in honojs/hono#4940

New Contributors

@justinnais made their first contribution in honojs/hono#4913

Full Changelog: honojs/hono@v4.12.18...v4.12.19

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

fix(jsx): normalize SVG attributes on the root element by @kfly8 in honojs/hono#4893

fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @yuintei in honojs/hono#4899

fix(cors): make origin optional in CORSOptions by @truffle-dev in honojs/hono#4905

fix(types): propagate middleware response types to app.on overloads by @T4ko0522 in honojs/hono#4906

New Contributors

@kfly8 made their first contribution in honojs/hono#4893

@truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

... (truncated)

Commits

7e62bcd 4.12.19
e2f252a fix(stream): upgrade @hono/node-server to v2 and fix abort handling (#4940)
54f2f0c feat(request): add bytes() (#4921)
e59db59 feat(cache): key cache entries by configured vary headers (#4915)
48a7ccb feat(bearer-auth): make bearerAuth generic for typed context in verifyToken (...
ff7522f fix(cookie): return the first cookie when there are multiple cookies with the...
26f8c33 fix(serveStatic): make options parameter optional in all adapters (#4934)
16c4e38 ci: pin GitHub Actions to SHAs (#4932)
f10dee8 4.12.18
a5bd9eb Merge commit from fork
Additional commits viewable in compare view

Updates @babel/plugin-transform-modules-systemjs from 7.29.0 to 7.29.4

Release notes

Sourced from @babel/plugin-transform-modules-systemjs's releases.

v7.29.4 (2026-05-05)

🐛 Bug Fix

babel-plugin-transform-modules-systemjs

#17974 [7.x backport]fix(systemjs): improve module string name support (@JLHwung)

Committers: 1

Huáng Jùnliàng (@JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

babel-parser

#17923 Support flow extends bound (@JLHwung)

🐛 Bug Fix

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#17931 fix(decorators): replace super within all removed static elements (@JLHwung)

babel-register

#17915 Fix thread synchronization issues in @babel/register (@liuxingbaoyu)

babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env

#17788 Add bugfix plugin for Safari array rest destructuring bug (@JLHwung)

💅 Polish

babel-parser

#17782 Improve trailing comma comment handling (@JLHwung)

📝 Documentation

#17847 Replace npmjs.com links with npmx.dev (@nicolo-ribaudo)

🏃‍♀️ Performance

babel-helper-import-to-platform-api, babel-plugin-proposal-import-wasm-source, babel-plugin-transform-json-modules

#17818 Load async Wasm and JSON imports in parallel (@nicolo-ribaudo)

Committers: 4

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

v7.29.2 (2026-03-16)

👓 Spec Compliance

babel-parser

#17840 [7.x backport] async x => {} must be in leading pos (@JLHwung)

🐛 Bug Fix

babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3

#17805 [7.x backport] fix: Properly handle await in finally (@liuxingbaoyu)

babel-preset-env

... (truncated)

Commits

a458f66 v7.29.4
32ebd5a [7.x backport]fix(systemjs): improve module string name support (#17974)
See full diff in compare view

Updates fast-uri from 3.1.0 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

Fix for GHSA-v39h-62p7-jpjc

What's Changed

Handle malformed fragment decoding as a parse error by @mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

Fix for GHSA-q3j6-qgpj-74h6

What's Changed

build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @dependabot[bot] in fastify/fast-uri#148

build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in fastify/fast-uri#149

chore(.npmrc): ignore scripts by @Fdawgs in fastify/fast-uri#150

build(deps-dev): remove @fastify/pre-commit by @Fdawgs in fastify/fast-uri#151

build(deps): bump actions/setup-node from 4 to 5 by @dependabot[bot] in fastify/fast-uri#152

ci(ci): add concurrency config by @Fdawgs in fastify/fast-uri#153

build(deps): bump actions/setup-node from 5 to 6 by @dependabot[bot] in fastify/fast-uri#154

build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in fastify/fast-uri#156

chore(license): standardise license notice by @Fdawgs in fastify/fast-uri#159

style: remove trailing whitespace by @Fdawgs in fastify/fast-uri#161

ci: remove unused github files by @Tony133 in fastify/fast-uri#162

chore: update readme by @Tony133 in fastify/fast-uri#164

build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#165

build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#166

build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @dependabot[bot] in fastify/fast-uri#167

ci: add lock-threads workflow by @Fdawgs in fastify/fast-uri#169

New Contributors

@Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits

919dd8e Bumped v3.1.2
c65ba57 fixup: linting
6c86c17 Merge commit from fork
a95158a Handle malformed fragment decoding without throwing (#171)
cea547c Bumped v3.1.1
876ce79 Merge commit from fork
dcdf690 ci: add lock-threads workflow (#169)
c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
Additional commits viewable in compare view

Updates hono from 4.12.15 to 4.12.19

Release notes

Sourced from hono's releases.

v4.12.19

What's Changed

ci: pin GitHub Actions to SHAs by @yusukebe in honojs/hono#4932

fix(serveStatic): make options parameter optional in all adapters by @mixelburg in honojs/hono#4934

fix(cookie): return the first cookie when there are multiple cookies with the same name by @usualoma in honojs/hono#4922

feat(bearer-auth): make bearerAuth generic for typed context in verifyToken by @justinnais in honojs/hono#4913

feat(cache): key cache entries by configured vary headers by @usualoma in honojs/hono#4915

feat(request): add bytes() by @yusukebe in honojs/hono#4921

fix(stream): upgrade @hono/node-server to v2 and fix abort handling by @yusukebe in honojs/hono#4940

New Contributors

@justinnais made their first contribution in honojs/hono#4913

Full Changelog: honojs/hono@v4.12.18...v4.12.19

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

fix(jsx): normalize SVG attributes on the root element by @kfly8 in honojs/hono#4893

fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @yuintei in honojs/hono#4899

fix(cors): make origin optional in CORSOptions by @truffle-dev in honojs/hono#4905

fix(types): propagate middleware response types to app.on overloads by @T4ko0522 in honojs/hono#4906

New Contributors

@kfly8 made their first contribution in honojs/hono#4893

@truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

... (truncated)

Commits

7e62bcd 4.12.19
e2f252a fix(stream): upgrade @hono/node-server to v2 and fix abort handling (#4940)
54f2f0c feat(request): add bytes() (#4921)
e59db59 feat(cache): key cache entries by configured vary headers (#4915)
48a7ccb feat(bearer-auth): make bearerAuth generic for typed context in verifyToken (...
ff7522f fix(cookie): return the first cookie when there are multiple cookies with the...
26f8c33 fix(serveStatic): make options parameter optional in all adapters (#4934)
16c4e38 ci: pin GitHub Actions to SHAs (#4932)
f10dee8 4.12.18
a5bd9eb Merge commit from fork
Additional commits viewable in compare view

Updates fast-uri from 3.1.0 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

Fix for GHSA-v39h-62p7-jpjc

What's Changed

Handle malformed fragment decoding as a parse error by @mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

Fix for GHSA-q3j6-qgpj-74h6

What's Changed

build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @dependabot[bot] in fastify/fast-uri#148

build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in fastify/fast-uri#149

chore(.npmrc): ignore scripts by @Fdawgs in fastify/fast-uri#150

build(deps-dev): remove @fastify/pre-commit by @Fdawgs in fastify/fast-uri#151

build(deps): bump actions/setup-node from 4 to 5 by @dependabot[bot] in fastify/fast-uri#152

ci(ci): add concurrency config by @Fdawgs in fastify/fast-uri#153

build(deps): bump actions/setup-node from 5 to 6 by @dependabot[bot] in fastify/fast-uri#154

build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in fastify/fast-uri#156

chore(license): standardise license notice by @Fdawgs in fastify/fast-uri#159

style: remove trailing whitespace by @Fdawgs in fastify/fast-uri#161

ci: remove unused github files by @Tony133 in fastify/fast-uri#162

chore: update readme by @Tony133 in fastify/fast-uri#164

build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#165

build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#166

build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @dependabot[bot] in fastify/fast-uri#167

ci: add lock-threads workflow by @Fdawgs in fastify/fast-uri#169

New Contributors

@Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits

919dd8e Bumped v3.1.2
c65ba57 fixup: linting
6c86c17 Merge commit from fork
a95158a Handle malformed fragment decoding without throwing (#171)
cea547c Bumped v3.1.1
876ce79 Merge commit from fork
dcdf690 ci: add lock-threads workflow (#169)
c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
Additional commits viewable in compare view

Updates hono from 4.12.15 to 4.12.19

Release notes

Sourced from hono's releases.

v4.12.19

What's Changed

ci: pin GitHub Actions to SHAs by @yusukebe in honojs/hono#4932

fix(serveStatic): make options parameter optional in all adapters by @mixelburg in honojs/hono#4934

fix(cookie): return the first cookie when there are multiple cookies with the same name by @usualoma in honojs/hono#4922

feat(bearer-auth): make bearerAuth generic for typed context in verifyToken by @justinnais in honojs/hono#4913

feat(cache): key cache entries by configured vary headers by @usualoma in honojs/hono#4915

feat(request): add bytes() by @yusukebe in honojs/hono#4921

fix(stream): upgrade @hono/node-server to v2 and fix abort handling by @yusukebe in honojs/hono#4940

New Contributors

@justinnais made their first contribution in honojs/hono#4913

Full Changelog: honojs/hono@v4.12.18...v4.12.19

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

fix(jsx): normalize SVG attributes on the root element by @kfly8 in honojs/hono#4893

fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @yuintei in honojs/hono#4899

fix(cors): make origin optional in CORSOptions by @truffle-dev in honojs/hono#4905

fix(types): propagate middleware response types to app.on overloads by @T4ko0522 in honojs/hono#4906

New Contributors

@kfly8 made their first contribution in honojs/hono#4893

@truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

... (truncated)

Commits

7e62bcd 4.12.19
e2f252a fix(stream): upgrade @hono/node-server to v2 and fix abort handling (#4940)
54f2f0c feat(request): add bytes() (#4921)
e59db59 feat(cache): key cache entries by configured vary headers (#4915)
48a7ccb feat(bearer-auth): make bearerAuth generic for typed context in verifyToken (...
ff7522f fix(cookie): return the first cookie when there are multiple cookies with the...
26f8c33 fix(serveStatic): make options parameter optional in all adapters (#4934)
16c4e38 ci: pin GitHub Actions to SHAs (#4932)
f10dee8 4.12.18
a5bd9eb Merge commit from fork
Additional commits viewable in compare view

Updates brace-expansion from 5.0.5 to 5.0.6

Commits

46317b5 5.0.6
c0b095b Merge commit from fork
ec56020 Bump picomatch from 4.0.3 to 4.0.4 (#93)
See full diff in compare view

Updates hono from 4.12.15 to 4.12.19

Release notes

Sourced from hono's releases.

v4.12.19

What's Changed

ci: pin GitHub Actions to SHAs by @yusukebe in honojs/hono#4932

fix(serveStatic): make options parameter optional in all adapters by @mixelburg in honojs/hono#4934

fix(cookie): return the first cookie when there are multiple cookies with the same name by @usualoma in honojs/hono#4922

feat(bearer-auth): make bearerAuth generic for typed context in verifyToken by @justinnais in honojs/hono#4913

feat(cache): key cache entries by configured vary headers by @usualoma in honojs/hono#4915

feat(request): add bytes() by @yusukebe in honojs/hono#4921

fix(stream): upgrade @hono/node-server to v2 and fix abort handling by @yusukebe in honojs/hono#4940

New Contributors

@justinnais made their first contribution in honojs/hono#4913

Full Changelog: honojs/hono@v4.12.18...v4.12.19

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

fix(jsx): normalize SVG attributes on the root element by @kfly8 in honojs/hono#4893

fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @yuintei in honojs/hono#4899

fix(cors): make origin optional in CORSOptions by @truffle-dev in honojs/hono#4905

fix(types): propagate middleware response types to app.on overloads by @T4ko0522 in honojs/hono#4906

New Contributors

@kfly8 made their first contribution in honojs/hono#4893

@truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

... (truncated)

Commits

7e62bcd 4.12.19
e2f252a fix(stream): upgrade @hono/node-server to v2 and fix abort handling (#4940)
54f2f0c feat(request): add bytes() (#4921)
e59db59 feat(cache): key cache entries by configured vary headers (#4915)
48a7ccb feat(bearer-auth): make bearerAuth generic for typed context in verifyToken (...
ff7522f fix(cookie): return the first cookie when there are multiple cookies with the...
26f8c33 fix(serveStatic): make options parameter optional in all adapters (#4934)
16c4e38 ci: pin GitHub Actions to SHAs (#4932)
f10dee8 4.12.18
a5bd9eb Merge commit from fork
Additional commits viewable in compare view

Updates brace-expansion from 5.0.5 to 5.0.6

Commits

46317b5 5.0.6
c0b095b Merge commit from fork
ec56020 Bump picomatch from 4.0.3 to 4.0.4 (

…1 updates Bumps the npm_and_yarn group with 3 updates in the /angular-spring-ui directory: [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs), [fast-uri](https://github.com/fastify/fast-uri) and [hono](https://github.com/honojs/hono). Bumps the npm_and_yarn group with 3 updates in the /angular-ui directory: [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs), [fast-uri](https://github.com/fastify/fast-uri) and [hono](https://github.com/honojs/hono). Bumps the npm_and_yarn group with 2 updates in the /api directory: [fast-uri](https://github.com/fastify/fast-uri) and [hono](https://github.com/honojs/hono). Bumps the npm_and_yarn group with 2 updates in the /hono-api directory: [brace-expansion](https://github.com/juliangruber/brace-expansion) and [hono](https://github.com/honojs/hono). Bumps the npm_and_yarn group with 3 updates in the /lambda-api directory: [brace-expansion](https://github.com/juliangruber/brace-expansion), [hono](https://github.com/honojs/hono) and [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder). Bumps the npm_and_yarn group with 2 updates in the /nest-api directory: [fast-uri](https://github.com/fastify/fast-uri) and [protobufjs](https://github.com/protobufjs/protobuf.js). Bumps the npm_and_yarn group with 2 updates in the /nest-history-api directory: [brace-expansion](https://github.com/juliangruber/brace-expansion) and [protobufjs](https://github.com/protobufjs/protobuf.js). Bumps the npm_and_yarn group with 2 updates in the /nuxt-api directory: [devalue](https://github.com/sveltejs/devalue) and [nitropack](https://github.com/nitrojs/nitro). Bumps the npm_and_yarn group with 3 updates in the /svelte-ui directory: [brace-expansion](https://github.com/juliangruber/brace-expansion), [devalue](https://github.com/sveltejs/devalue) and [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte). Bumps the npm_and_yarn group with 2 updates in the /tanstack-start-ui directory: [brace-expansion](https://github.com/juliangruber/brace-expansion) and [@tanstack/start-server-core](https://github.com/TanStack/router/tree/HEAD/packages/start-server-core). Bumps the npm_and_yarn group with 1 update in the /ui directory: [next](https://github.com/vercel/next.js). Bumps the npm_and_yarn group with 3 updates in the /yoga-api directory: [brace-expansion](https://github.com/juliangruber/brace-expansion), [fast-uri](https://github.com/fastify/fast-uri) and [hono](https://github.com/honojs/hono). Updates `@babel/plugin-transform-modules-systemjs` from 7.29.0 to 7.29.4 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.29.4/packages/babel-plugin-transform-modules-systemjs) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.1.0...v3.1.2) Updates `hono` from 4.12.15 to 4.12.19 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.15...v4.12.19) Updates `@babel/plugin-transform-modules-systemjs` from 7.29.0 to 7.29.4 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.29.4/packages/babel-plugin-transform-modules-systemjs) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.1.0...v3.1.2) Updates `hono` from 4.12.15 to 4.12.19 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.15...v4.12.19) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.1.0...v3.1.2) Updates `hono` from 4.12.15 to 4.12.19 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.15...v4.12.19) Updates `brace-expansion` from 5.0.5 to 5.0.6 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v5.0.5...v5.0.6) Updates `hono` from 4.12.15 to 4.12.19 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.15...v4.12.19) Updates `brace-expansion` from 5.0.5 to 5.0.6 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v5.0.5...v5.0.6) Updates `hono` from 4.12.15 to 4.12.19 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.15...v4.12.19) Updates `fast-xml-builder` from 1.1.5 to 1.2.0 - [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md) - [Commits](NaturalIntelligence/fast-xml-builder@v1.1.5...v1.2.0) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.1.0...v3.1.2) Updates `protobufjs` from 7.5.5 to 7.6.0 - [Release notes](https://github.com/protobufjs/protobuf.js/releases) - [Changelog](https://github.com/protobufjs/protobuf.js/blob/protobufjs-v7.6.0/CHANGELOG.md) - [Commits](protobufjs/protobuf.js@protobufjs-v7.5.5...protobufjs-v7.6.0) Updates `brace-expansion` from 5.0.5 to 5.0.6 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v5.0.5...v5.0.6) Updates `protobufjs` from 7.5.5 to 7.6.0 - [Release notes](https://github.com/protobufjs/protobuf.js/releases) - [Changelog](https://github.com/protobufjs/protobuf.js/blob/protobufjs-v7.6.0/CHANGELOG.md) - [Commits](protobufjs/protobuf.js@protobufjs-v7.5.5...protobufjs-v7.6.0) Updates `devalue` from 5.7.0 to 5.8.1 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.7.0...v5.8.1) Updates `nitropack` from 2.13.3 to 2.13.4 - [Release notes](https://github.com/nitrojs/nitro/releases) - [Changelog](https://github.com/nitrojs/nitro/blob/main/changelog.config.ts) - [Commits](nitrojs/nitro@v2.13.3...v2.13.4) Updates `brace-expansion` from 5.0.5 to 5.0.6 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v5.0.5...v5.0.6) Updates `devalue` from 5.7.0 to 5.8.1 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.7.0...v5.8.1) Updates `svelte` from 5.53.12 to 5.55.8 - [Release notes](https://github.com/sveltejs/svelte/releases) - [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md) - [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.55.8/packages/svelte) Updates `brace-expansion` from 5.0.5 to 5.0.6 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v5.0.5...v5.0.6) Updates `@tanstack/start-server-core` from 1.166.9 to 1.168.4 - [Release notes](https://github.com/TanStack/router/releases) - [Changelog](https://github.com/TanStack/router/blob/main/packages/start-server-core/CHANGELOG.md) - [Commits](https://github.com/TanStack/router/commits/@tanstack/start-server-core@1.168.4/packages/start-server-core) Updates `next` from 16.2.4 to 16.2.6 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.2.4...v16.2.6) Updates `brace-expansion` from 5.0.5 to 5.0.6 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v5.0.5...v5.0.6) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.1.0...v3.1.2) Updates `hono` from 4.12.15 to 4.12.19 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.15...v4.12.19) --- updated-dependencies: - dependency-name: "@babel/plugin-transform-modules-systemjs" dependency-version: 7.29.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.19 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@babel/plugin-transform-modules-systemjs" dependency-version: 7.29.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.19 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.19 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 5.0.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.19 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 5.0.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.19 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: fast-xml-builder dependency-version: 1.2.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: protobufjs dependency-version: 7.6.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 5.0.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: protobufjs dependency-version: 7.6.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.8.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: nitropack dependency-version: 2.13.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 5.0.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.8.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: svelte dependency-version: 5.55.8 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 5.0.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@tanstack/start-server-core" dependency-version: 1.168.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: next dependency-version: 16.2.6 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 5.0.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.19 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-05-18T19:24:48Z

Superseded by #322.

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 18, 2026

dependabot Bot mentioned this pull request May 18, 2026

chore(deps): Bump the npm_and_yarn group across 9 directories with 10 updates #319

Closed

dependabot Bot closed this May 18, 2026

dependabot Bot deleted the dependabot/npm_and_yarn/angular-spring-ui/npm_and_yarn-2a9fb513cc branch May 18, 2026 19:24

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): Bump the npm_and_yarn group across 12 directories with 11 updates#321

chore(deps): Bump the npm_and_yarn group across 12 directories with 11 updates#321
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/angular-spring-ui/npm_and_yarn-2a9fb513cc

dependabot Bot commented on behalf of github May 18, 2026

Uh oh!

dependabot Bot commented on behalf of github May 18, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 18, 2026

v7.29.4 (2026-05-05)

🐛 Bug Fix

Committers: 1

v7.29.3 (2026-04-30)

👓 Spec Compliance

🐛 Bug Fix

💅 Polish

📝 Documentation

🏃‍♀️ Performance

Committers: 4

v7.29.2 (2026-03-16)

👓 Spec Compliance

🐛 Bug Fix

v3.1.2

⚠️ Security Release

What's Changed

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

v4.12.19

What's Changed

New Contributors

v4.12.18

Security fixes

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

CSS Declaration Injection via Style Object Values in JSX SSR

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

v4.12.17

What's Changed

New Contributors

v4.12.16

v7.29.4 (2026-05-05)

🐛 Bug Fix

Committers: 1

v7.29.3 (2026-04-30)

👓 Spec Compliance

🐛 Bug Fix

💅 Polish

📝 Documentation

🏃‍♀️ Performance

Committers: 4

v7.29.2 (2026-03-16)

👓 Spec Compliance

🐛 Bug Fix

v3.1.2

⚠️ Security Release

What's Changed

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

v4.12.19

What's Changed

New Contributors

v4.12.18

Security fixes

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

CSS Declaration Injection via Style Object Values in JSX SSR

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

v4.12.17

What's Changed

New Contributors

v4.12.16

v3.1.2

⚠️ Security Release

What's Changed

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

v4.12.19

What's Changed

New Contributors

v4.12.18

Security fixes

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

CSS Declaration Injection via Style Object Values in JSX SSR