Bump the npm_and_yarn group across 5 directories with 22 updates by dependabot[bot] · Pull Request #1689 · getflip/swirl

dependabot · 2026-05-26T09:50:02Z

Bumps the npm_and_yarn group with 22 updates in the / directory:

Package	From	To
rollup	`3.29.4`	`3.30.0`
svgo	`2.8.0`	`2.8.2`
vite	`3.2.10`	`6.4.2`
@angular/core	`19.2.19`	`19.2.20`
next	`14.2.35`	`15.5.18`
@hono/node-server	`1.19.9`	`1.19.14`
@xmldom/xmldom	`0.7.5`	`0.7.13`
basic-ftp	`5.0.3`	`5.3.1`
brace-expansion	`1.1.11`	`1.1.15`
diff	`4.0.2`	`4.0.4`
express-rate-limit	`8.2.1`	`8.5.2`
flatted	`3.2.6`	`3.4.2`
handlebars	`4.7.7`	`4.7.9`
hono	`4.12.3`	`4.12.23`
immutable	`5.1.3`	`5.1.5`
lodash	`4.17.21`	`4.17.23`
minimatch	`3.1.2`	`3.1.5`
node-forge	`1.3.1`	`1.4.0`
picomatch	`2.3.1`	`2.3.2`
qs	`6.9.7`	`6.9.9`
undici	`5.28.4`	`5.29.0`
yaml	`1.10.2`	`1.10.3`

Bumps the npm_and_yarn group with 1 update in the /apps/swirl-docs directory: next.
Bumps the npm_and_yarn group with 1 update in the /packages/bridge directory: rollup.
Bumps the npm_and_yarn group with 2 updates in the /packages/swirl-components directory: svgo and vite.
Bumps the npm_and_yarn group with 1 update in the /packages/swirl-components-angular directory: @angular/core.

Updates rollup from 3.29.4 to 3.30.0

Release notes

Sourced from rollup's releases.

v3.30.0

3.30.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

#6276: Validate bundle stays within output dir (@lukastaegert)

v3.29.5

3.29.5

2024-09-21

Bug Fixes

Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

#5671: Fix DOM Clobbering CVE (@lukastaegert)

Changelog

Sourced from rollup's changelog.

3.30.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

#6276: Validate bundle stays within output dir (@lukastaegert)

3.29.5

2024-09-21

Bug Fixes

Resolve CVE-2024-43788

Commits

d91d5e1 3.30.0
9677409 Update release script for backports
c8cf1f9 Validate bundle stays within output dir (#6276)
dfd233d 3.29.5
2ef77c0 Fix DOM Clobbering CVE
See full diff in compare view

Updates svgo from 2.8.0 to 2.8.2

Release notes

Sourced from svgo's releases.

v2.8.2

This is effectively just a re-release of SVGO v2.8.1, but with *.test.js files omitted. It seems something was wrong with the configuration in the v2.8.0 tag and I hadn't noticed it included a few extra files. 😅

We'll deprecate v2.8.1, and I'll include the change log here.

What's Changed

Dependencies

Migrates from our unsupported fork of sax (@trysound/sax) to the upstream version of sax (sax).

Bug Fixes

No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

v2.8.0 v2.8.2 Delta

svgo.browser.js 587.2 kB 589.2 kB ⬆️ 2 kB

Support

SVGO v2 is not officially supported, please consider upgrading to SVGO v4 instead. We've backported this fix as there are security implications, but there is no commitment to do this for more complex changes in future.

Consider reading our Migration Guide from v2 to v3 and Migration Guide from v3 to v4 which should ease the process.

v2.8.1

Deprecated

This release left *.test.js files in the package, which have been omitted in v2.8.2. Sorry for the noise!

What's Changed

Dependencies

Migrates from our unsupported fork of sax (@trysound/sax) to the upstream version of sax (sax).

Bug Fixes

No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

v2.8.0 v2.8.1 Delta

... (truncated)

Commits

f706b07 deps: upgrade to sax v1.5.0
See full diff in compare view

Maintainer changes

This version was pushed to npm by sethiii, a new releaser for svgo since your current version.

Updates vite from 3.2.10 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

v6.3.6

Please refer to CHANGELOG.md for details.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163

fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

6.4.1 (2025-10-20)

fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969) (1114b5d), closes #20968 #20969

6.4.0 (2025-10-15)

feat: allow passing down resolved config to vite's createServer (#20932) (ca6455e), closes #20932

6.3.7 (2025-10-14)

fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940) (c59a222), closes #20940

6.3.6 (2025-09-08)

fix: apply fs.strict check to HTML files (#20736) (0ab19ea), closes #20736

fix: upgrade sirv to 3.0.2 (#20735) (e11d240), closes #20735

test: detect ts support via process.features (#20544) (7d99229), closes #20544

6.3.5 (2025-05-05)

fix(ssr): handle uninitialized export access as undefined (#19959) (fd38d07), closes #19959

6.3.4 (2025-04-30)

fix: check static serve file inside sirv (#19965) (c22c43d), closes #19965

fix(optimizer): return plain object when using require to import externals in optimized dependenci (efc5eab), closes #19940

refactor: remove duplicate plugin context type (#19935) (d6d01c2), closes #19935

6.3.3 (2025-04-24)

fix: ignore malformed uris in tranform middleware (#19853) (e4d5201), closes #19853

... (truncated)

Commits

6b3fad0 release: v6.4.2
ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
5487f4f release: v6.4.1
1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
f12697c release: v6.4.0
ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
0e173d8 release: v6.3.7
c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
3f337c5 release: v6.3.6
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vite since your current version.

Updates @angular/core from 19.2.19 to 19.2.20

Release notes

Sourced from @angular/core's releases.

19.2.20

compiler

Commit Description

disallow translations of iframe src

core

Commit Description

sanitize translated attribute bindings with interpolations

sanitize translated form attributes

Changelog

Sourced from @angular/core's changelog.

19.2.20 (2026-03-12)

compiler

Commit Type Description

5be912eb55 fix disallow translations of iframe src

core

Commit Type Description

b89b0a83a4 fix sanitize translated attribute bindings with interpolations

621c7071ad fix sanitize translated form attributes

20.3.18 (2026-03-12)

compiler

Commit Type Description

02fbf08890 fix disallow translations of iframe src

core

Commit Type Description

72126f9a08 fix sanitize translated attribute bindings with interpolations

626bc8bc20 fix sanitize translated form attributes

22.0.0-next.3 (2026-03-12)

compiler

Commit Type Description

78dea55351 fix disallow translations of iframe src

core

Commit Type Description

999c14eaab fix reverts "feat(core): add support for nested animations"

de0eb4c656 fix sanitize translated form attributes

21.2.4 (2026-03-12)

compiler

Commit Type Description

ed2d324f9c fix disallow translations of iframe src

core

Commit Type Description

... (truncated)

Commits

621c707 fix(core): sanitize translated form attributes
b89b0a8 fix(core): sanitize translated attribute bindings with interpolations
See full diff in compare view

Updates next from 14.2.35 to 15.5.18

Release notes

Sourced from next's releases.

v15.5.18

This release contains security fixes for the following advisories:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces

GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input

GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting

GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.16

This release contains security fixes for the following advisories:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces

GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input

GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting

GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.15

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

v15.5.14

[!NOTE]

... (truncated)

Commits

9ff92ce v15.5.18
00ebe23 [backport] Disable build caches for production/staging/force-preview deploys ...
62c97ab v15.5.17
423623a Turbopack: Match proxy matchers with webpack implementation (#93594)
fa78739 Turbopack: Fix middleware matcher suffix (#93590)
36e62c6 [backport] Turbopack: more strict vergen setup (#93588)
36589b5 [backport][test] Pin package manager to patch versions (#93596)
ad6fd4e v15.5.16
79d7dff Ignore malformed CSP nonce headers (#103)
c4f6908 router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates @hono/node-server from 1.19.9 to 1.19.14

Release notes

Sourced from @hono/node-server's releases.

v1.19.14

What's Changed

fix: add custom inspect to lightweight Request/Response to prevent TypeError on console.log by @usualoma in honojs/node-server#340

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

chore: ignore claude setting by @yusukebe in honojs/node-server#314

fix: request draining for early 413 responses by @usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

Commits

b5e63a3 1.19.14
c02d777 fix: add custom inspect to lightweight Request/Response to prevent TypeError ...
fd64e65 1.19.13
025c30f Merge commit from fork
6cdb5a7 1.19.12
70250f7 fix: request draining for early 413 responses (#329)
cfc08b3 chore: ignore claude setting (#314)
ecd4d6b 1.19.11
c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
2f8ca36 1.19.10
Additional commits viewable in compare view

Updates @xmldom/xmldom from 0.7.5 to 0.7.13

Release notes

Sourced from @xmldom/xmldom's releases.

0.7.13

Commits

Fixed

dom: prevent iteration over deleted items [#514](https://github.com/xmldom/xmldom/issues/514)/ [#499](https://github.com/xmldom/xmldom/issues/499)

Thank you, @qtow, for your contributions

0.7.12

Commits

Fixed

Set nodeName property in ProcessingInstruction [#509](https://github.com/xmldom/xmldom/issues/509) / [#505](https://github.com/xmldom/xmldom/issues/505)

Thank you, @cjbarth, for your contributions

0.7.11

Commits

Fixed

extend list of HTML entities [#489](https://github.com/xmldom/xmldom/issues/489)

Thank you, @zorkow, for your contributions

0.7.10

commits

Fixed

properly parse closing where the last attribute has no value [#485](https://github.com/xmldom/xmldom/issues/485) / [#486](https://github.com/xmldom/xmldom/issues/486)

Thank you, @bulandent, for your contributions

0.7.9

Commits

Fixed

Properly check nodes before replacement [#457](https://github.com/xmldom/xmldom/issues/457) / [#455](https://github.com/xmldom/xmldom/issues/455) / [#456](https://github.com/xmldom/xmldom/issues/456)

Thank you, @edemaine, @pedro-l9, for your contributions

0.7.8

... (truncated)

Changelog

Sourced from @xmldom/xmldom's changelog.

0.7.13

Fixed

dom: prevent iteration over deleted items [#514](https://github.com/xmldom/xmldom/issues/514)/ [#499](https://github.com/xmldom/xmldom/issues/499)

Thank you, @qtow, for your contributions

0.9.0-beta.9

Fixed

Set nodeName property in ProcessingInstruction [#509](https://github.com/xmldom/xmldom/issues/509) / [#505](https://github.com/xmldom/xmldom/issues/505)

preserve DOCTYPE internal subset [#498](https://github.com/xmldom/xmldom/issues/498) / [#497](https://github.com/xmldom/xmldom/issues/497) / [#117](https://github.com/xmldom/xmldom/issues/117)
BREAKING CHANGES: Many documents that were previously accepted by xmldom, esecially non well-formed ones are no longer accepted. Some issues that were formerly reported as errors are now a fatalError.

DOMParser: Align parseFromString errors with specs [#454](https://github.com/xmldom/xmldom/issues/454)

Chore

stop running mutation tests using stryker [#496](https://github.com/xmldom/xmldom/issues/496)

make toErrorSnapshot windows compatible [#503](https://github.com/xmldom/xmldom/issues/503)

Thank you, @cjbarth, @shunkica, @pmahend1, @niklasl, for your contributions

0.8.9

Fixed

Set nodeName property in ProcessingInstruction [#509](https://github.com/xmldom/xmldom/issues/509) / [#505](https://github.com/xmldom/xmldom/issues/505)

Thank you, @cjbarth, for your contributions

0.7.12

Fixed

Set nodeName property in ProcessingInstruction [#509](https://github.com/xmldom/xmldom/issues/509) / [#505](https://github.com/xmldom/xmldom/issues/505)

Thank you, @cjbarth, for your contributions

0.9.0-beta.8

Fixed

Throw DOMException when calling removeChild with invalid parameter [#494](https://github.com/xmldom/xmldom/issues/494) / [#135](https://github.com/xmldom/xmldom/issues/135)

... (truncated)

Commits

282f0ad 0.7.13
e06606b fix(dom): prevent iteration over deleted items (#514)
f3c7be3 0.7.12
ccd9aba fix: Set nodeName property in ProcessingInstruction (#509)
44477fc 0.7.11
b44816c fix: extend list of HTML entities (#489)
f97cb3a 0.7.10
8624000 fix: properly parse closing where the last attribute has no value (#485)
927392f 0.7.9
99cfe62 fix: Properly check nodes before replacement (#457)
Additional commits viewable in compare view

Updates basic-ftp from 5.0.3 to 5.3.1

Release notes

Sourced from basic-ftp's releases.

5.3.1

Fixed: Protect against unbounded control response, fixes GHSA-rpmf-866q-6p89.

5.3.0

Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.

Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

Fixed: Improve control character rejection, fixes GHSA-6v7q-wjvx-w8wg.

5.2.1

Fixed: Reject control character injection attempts using paths. See GHSA-chqc-8p9q-pq6q.

5.2.0

Changed: Skip files with invalid name in downloadToDir.

5.1.0

Added: Add the option to prevent the use of separate transfer host IPs when using PASV. (#259)

5.0.5

Fixed: Memory leak described in #250 by @everhardt, @martijnimhoff

5.0.4

Fixed: Handle relative paths in Client.removeDir()

Changelog

Sourced from basic-ftp's changelog.

5.3.1

Fixed: Protect against unbounded control response, fixes GHSA-rpmf-866q-6p89.

5.3.0

Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.

Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

Fixed: Improve control character rejection, fixes GHSA-6v7q-wjvx-w8wg.

5.2.1

Fixed: Reject control character injection attempts using paths. See GHSA-chqc-8p9q-pq6q.

5.2.0

Changed: Skip files with invalid name in downloadToDir. Fixes security vulnerability CVE-2026-27699, see GHSA-5rq4-664w-9x2c.

5.1.0

Added: Add the option to prevent the use of separate transfer host IPs when using PASV. (#259)

5.0.5

Fixed: Memory leak described in #250 by @everhardt, @martijnimhoff

5.0.4

Fixed: Handle relative paths in Client.removeDir()

Commits

980371b Guard against unbounded control response
50827c7 Adjust changelog to match release notes
c9378a8 Fix test
22abe43 Update Github Actions
0feaaec Fix test
6629d7d Improve error message
9c3bf4f Set higher default value for max size of directory listing
acd3942 Bump version
1304429 Offer maxListingBytes as an option
5cb5367 Add bounded StringWriter
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by patrickjuchli, a new releaser for basic-ftp since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates brace-expansion from 1.1.11 to 1.1.15

Release notes

Sourced from brace-expansion's releases.

v1.1.15

Backport v5.0.6 change to v1 (#111) 0b09384

juliangruber/brace-expansion@v1.1.14...v1.1.15

v1.1.12

pkg: publish on tag 1.x c460dbd

fmt ccb8ac6

Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

2203f4f 1.1.15
0b09384 Backport v5.0.6 change to v1 (#111)
10c05fc 1.1.14
1afa1b2 Add opt-in { max } mitigation to v1 legacy line (#103)
2fbb6a2 Revert "Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)" (#102)
0d7652e Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)
6c353ca 1.1.13
7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
44f33b4 1.1.12
c460dbd pkg: publish on tag 1.x
Additional commits viewable in compare view

Updates diff from 4.0.2 to 4.0.4

Changelog

Sourced from diff's changelog.

v4.0.4 - January 2026

Only change from 4.0.2 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v4.0.3 (deprecated)

Accidental release - do not use.

Commits

f06f3e4 v4.0.4
0179a48 v4.0.3
4568cae Backport kpdecker/jsdiff#649
4de0ffa Backport kpdecker/jsdiff#647
See full diff in compare view

Maintainer changes

This version was pushed to npm by explodingcabbage, a new releaser for diff since your current version.

Updates express-rate-limit from 8.2.1 to 8.5.2

Release notes

Sourced from express-rate-limit's releases.

v8.5.2

You can view the changelog here.

v8.5.1

You can view the changelog here.

v8.5.0

You can view the changelog here.

v8.4.1

You can view the changelog here.

v8.4.0

You can view the changelog here.

v8.3.2

You can view the changelog here.

v8.3.1

You can view the changelog here.

v8.3.0

You can view the changelog here.

Commits

9774693 8.5.2
0e94cc0 v8.5.2 changelog
9a583c5 feat: simplify IPv6 key generation (#633)
4f4b3fb chore(deps-dev): bump lint-staged from 16.4.0 to 17.0.4 (#632)
3c1d6c5 chore(deps-dev): bump the development-dependencies group with 7 updates (#631)
18884b6 chore(deps): bump basic-ftp from 5.2.0 to 5.3.1 (#630)
dacc980 chore(deps): bump handlebars from 4.7.8 to 4.7.9 (#629)
486d0c6 chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 (#627)
50cc3f6 8.5.1
92c8e3e chore: bump ip-address library to latest (#626)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for express-rate-limit since your current version.

Updates flatted from 3.2.6 to 3.4.2

Commits

3bf0909 3.4.2
885ddcc fix CWE-1321
0bdba70 added flatted-view to the benchmark
2a02dce 3.4.1
fba4e8f Merge pull request #89 from WebReflection/python-fix
5fe8648 added "when in Rome" also a test for PHP
53517ad some minor improvement
b3e2a0c Fixing recursion issue in Python too
c4b46db Add SECURITY.md for security policy and reporting
f86d071 Create dependabot.yml for version updates
Additional commits viewable in compare view

Updates handlebars from 4.7.7 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2

fix type "RuntimeOptions" also accepting string partials - eab1d14

feat(types): set hash to be a Record<string, any> - de4414d

fix non-contiguous program indices - 4512766

refactor: rename i to startPartIndex - e497a35

security: fix security issues - 68d8df5

GHSA-2w6w-674q-4c4q

GHSA-3mfm-83xf-c92r

GHSA-xhpv-hc6g-r9c6

GHSA-xjpj-3mr7-gcpf

GHSA-9cx6-37pm-9jff

Bumps the npm_and_yarn group with 22 updates in the / directory: | Package | From | To | | --- | --- | --- | | [rollup](https://github.com/rollup/rollup) | `3.29.4` | `3.30.0` | | [svgo](https://github.com/svg/svgo) | `2.8.0` | `2.8.2` | | [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `3.2.10` | `6.4.2` | | [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) | `19.2.19` | `19.2.20` | | [next](https://github.com/vercel/next.js) | `14.2.35` | `15.5.18` | | [@hono/node-server](https://github.com/honojs/node-server) | `1.19.9` | `1.19.14` | | [@xmldom/xmldom](https://github.com/xmldom/xmldom) | `0.7.5` | `0.7.13` | | [basic-ftp](https://github.com/patrickjuchli/basic-ftp) | `5.0.3` | `5.3.1` | | [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.11` | `1.1.15` | | [diff](https://github.com/kpdecker/jsdiff) | `4.0.2` | `4.0.4` | | [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) | `8.2.1` | `8.5.2` | | [flatted](https://github.com/WebReflection/flatted) | `3.2.6` | `3.4.2` | | [handlebars](https://github.com/handlebars-lang/handlebars.js) | `4.7.7` | `4.7.9` | | [hono](https://github.com/honojs/hono) | `4.12.3` | `4.12.23` | | [immutable](https://github.com/immutable-js/immutable-js) | `5.1.3` | `5.1.5` | | [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` | | [node-forge](https://github.com/digitalbazaar/forge) | `1.3.1` | `1.4.0` | | [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` | | [qs](https://github.com/ljharb/qs) | `6.9.7` | `6.9.9` | | [undici](https://github.com/nodejs/undici) | `5.28.4` | `5.29.0` | | [yaml](https://github.com/eemeli/yaml) | `1.10.2` | `1.10.3` | Bumps the npm_and_yarn group with 1 update in the /apps/swirl-docs directory: [next](https://github.com/vercel/next.js). Bumps the npm_and_yarn group with 1 update in the /packages/bridge directory: [rollup](https://github.com/rollup/rollup). Bumps the npm_and_yarn group with 2 updates in the /packages/swirl-components directory: [svgo](https://github.com/svg/svgo) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Bumps the npm_and_yarn group with 1 update in the /packages/swirl-components-angular directory: [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core). Updates `rollup` from 3.29.4 to 3.30.0 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/v3.30.0/CHANGELOG.md) - [Commits](rollup/rollup@v3.29.4...v3.30.0) Updates `svgo` from 2.8.0 to 2.8.2 - [Release notes](https://github.com/svg/svgo/releases) - [Commits](svg/svgo@v2.8.0...v2.8.2) Updates `vite` from 3.2.10 to 6.4.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite) Updates `@angular/core` from 19.2.19 to 19.2.20 - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/v19.2.20/packages/core) Updates `next` from 14.2.35 to 15.5.18 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v14.2.35...v15.5.18) Updates `@hono/node-server` from 1.19.9 to 1.19.14 - [Release notes](https://github.com/honojs/node-server/releases) - [Commits](honojs/node-server@v1.19.9...v1.19.14) Updates `@xmldom/xmldom` from 0.7.5 to 0.7.13 - [Release notes](https://github.com/xmldom/xmldom/releases) - [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md) - [Commits](xmldom/xmldom@0.7.5...0.7.13) Updates `basic-ftp` from 5.0.3 to 5.3.1 - [Release notes](https://github.com/patrickjuchli/basic-ftp/releases) - [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md) - [Commits](patrickjuchli/basic-ftp@v5.0.3...v5.3.1) Updates `brace-expansion` from 1.1.11 to 1.1.15 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@1.1.11...v1.1.15) Updates `diff` from 4.0.2 to 4.0.4 - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) - [Commits](kpdecker/jsdiff@v4.0.2...v4.0.4) Updates `express-rate-limit` from 8.2.1 to 8.5.2 - [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases) - [Commits](express-rate-limit/express-rate-limit@v8.2.1...v8.5.2) Updates `flatted` from 3.2.6 to 3.4.2 - [Commits](WebReflection/flatted@v3.2.6...v3.4.2) Updates `handlebars` from 4.7.7 to 4.7.9 - [Release notes](https://github.com/handlebars-lang/handlebars.js/releases) - [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md) - [Commits](handlebars-lang/handlebars.js@v4.7.7...v4.7.9) Updates `hono` from 4.12.3 to 4.12.23 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.3...v4.12.23) Updates `immutable` from 5.1.3 to 5.1.5 - [Release notes](https://github.com/immutable-js/immutable-js/releases) - [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md) - [Commits](immutable-js/immutable-js@v5.1.3...v5.1.5) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `node-forge` from 1.3.1 to 1.4.0 - [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md) - [Commits](digitalbazaar/forge@v1.3.1...v1.4.0) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) Updates `qs` from 6.9.7 to 6.9.9 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.9.7...v6.9.9) Updates `undici` from 5.28.4 to 5.29.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v5.28.4...v5.29.0) Updates `yaml` from 1.10.2 to 1.10.3 - [Release notes](https://github.com/eemeli/yaml/releases) - [Commits](eemeli/yaml@v1.10.2...v1.10.3) Updates `next` from 14.2.35 to 15.5.18 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v14.2.35...v15.5.18) Updates `rollup` from 3.29.4 to 3.30.0 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/v3.30.0/CHANGELOG.md) - [Commits](rollup/rollup@v3.29.4...v3.30.0) Updates `svgo` from 2.8.0 to 2.8.2 - [Release notes](https://github.com/svg/svgo/releases) - [Commits](svg/svgo@v2.8.0...v2.8.2) Updates `vite` from 3.2.10 to 6.4.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite) Updates `@angular/core` from 19.2.19 to 19.2.20 - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/v19.2.20/packages/core) Updates `next` from 14.2.35 to 15.5.18 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v14.2.35...v15.5.18) Updates `next` from 14.2.35 to 15.5.18 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v14.2.35...v15.5.18) Updates `rollup` from 3.29.4 to 3.30.0 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/v3.30.0/CHANGELOG.md) - [Commits](rollup/rollup@v3.29.4...v3.30.0) Updates `rollup` from 3.29.4 to 3.30.0 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/v3.30.0/CHANGELOG.md) - [Commits](rollup/rollup@v3.29.4...v3.30.0) Updates `svgo` from 2.8.0 to 2.8.2 - [Release notes](https://github.com/svg/svgo/releases) - [Commits](svg/svgo@v2.8.0...v2.8.2) Updates `vite` from 5.4.0 to 6.4.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite) Updates `svgo` from 2.8.0 to 2.8.2 - [Release notes](https://github.com/svg/svgo/releases) - [Commits](svg/svgo@v2.8.0...v2.8.2) Updates `vite` from 5.4.0 to 6.4.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite) Updates `@angular/core` from 19.2.19 to 19.2.20 - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/v19.2.20/packages/core) Updates `@angular/core` from 19.2.19 to 19.2.20 - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/v19.2.20/packages/core) --- updated-dependencies: - dependency-name: rollup dependency-version: 3.30.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: svgo dependency-version: 2.8.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 6.4.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: "@angular/core" dependency-version: 19.2.20 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.5.18 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@hono/node-server" dependency-version: 1.19.14 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@xmldom/xmldom" dependency-version: 0.7.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: basic-ftp dependency-version: 5.3.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 1.1.15 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: diff dependency-version: 4.0.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: express-rate-limit dependency-version: 8.5.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: handlebars dependency-version: 4.7.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.23 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: immutable dependency-version: 5.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: node-forge dependency-version: 1.4.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.9.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 5.29.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: yaml dependency-version: 1.10.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.5.18 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 3.30.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: svgo dependency-version: 2.8.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 6.4.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: "@angular/core" dependency-version: 19.2.20 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.5.18 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.5.18 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 3.30.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 3.30.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: svgo dependency-version: 2.8.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 6.4.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: svgo dependency-version: 2.8.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 6.4.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: "@angular/core" dependency-version: 19.2.20 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@angular/core" dependency-version: 19.2.20 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

vercel · 2026-05-26T09:50:05Z

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
getflipdev	Ignored	Preview	May 26, 2026 9:50am
staginggetflipdev	Ignored	Preview	May 26, 2026 9:50am

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 26, 2026

dependabot Bot added the javascript Pull requests that update javascript code label May 26, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 5 directories with 22 updates#1689

Bump the npm_and_yarn group across 5 directories with 22 updates#1689
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-88016f2775

dependabot Bot commented on behalf of github May 26, 2026

Uh oh!

vercel Bot commented May 26, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

0 participants

Commit	Description
	sanitize translated attribute bindings with interpolations
	sanitize translated form attributes

Commit	Type	Description
b89b0a83a4	fix	sanitize translated attribute bindings with interpolations
621c7071ad	fix	sanitize translated form attributes

Commit	Type	Description
72126f9a08	fix	sanitize translated attribute bindings with interpolations
626bc8bc20	fix	sanitize translated form attributes

Commit	Type	Description
999c14eaab	fix	reverts "feat(core): add support for nested animations"
de0eb4c656	fix	sanitize translated form attributes

Conversation

dependabot Bot commented on behalf of github May 26, 2026

v3.30.0

3.30.0

Features

Pull Requests

v3.29.5

3.29.5

Bug Fixes

Pull Requests

3.30.0

Features

Pull Requests

3.29.5

Bug Fixes

v2.8.2

What's Changed

Dependencies

Bug Fixes

Metrics

Support

v2.8.1

Deprecated

What's Changed

Dependencies

Bug Fixes

Metrics

v6.4.2

v6.4.1

v6.4.0

v6.3.7

v6.3.6

v5.4.21

v5.4.20

6.4.2 (2026-04-06)

6.4.1 (2025-10-20)

6.4.0 (2025-10-15)

6.3.7 (2025-10-14)

6.3.6 (2025-09-08)

6.3.5 (2025-05-05)

6.3.4 (2025-04-30)

6.3.3 (2025-04-24)

19.2.20

compiler

core

19.2.20 (2026-03-12)

compiler

core

20.3.18 (2026-03-12)

compiler

core

22.0.0-next.3 (2026-03-12)

compiler

core

21.2.4 (2026-03-12)

compiler

core

v15.5.18

v15.5.16

v15.5.15

v15.5.14

v1.19.14

What's Changed

v1.19.13

Security Fix

v1.19.12

What's Changed

v1.19.11

What's Changed

v1.19.10

Security Fix

0.7.13

Fixed

0.7.12

Fixed

0.7.11

Commits

Fixed

0.7.10

Fixed

vercel Bot commented May 26, 2026 •

edited

Loading