Bump the npm_and_yarn group across 1 directory with 9 updates

[dependabot]

Bumps the npm_and_yarn group with 8 updates in the / directory:

Package	From	To
axios	1.8.4	1.13.5
vite	6.3.5	6.4.1
flatted	3.3.3	3.4.2
js-yaml	4.1.0	4.1.1
minimatch	3.1.2	3.1.5
picomatch	4.0.2	4.0.4
react-router	7.6.3	7.13.2
rollup	4.39.0	4.60.0

Updates axios from 1.8.4 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @​sachin11063 (first contribution — PR #7323)
• @​asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 29f7542 chore(release): prepare release 1.13.5 (#7379)
• 431c3a3 ci: fix run condition (#7373)
• 9ff3a78 ci: update ymls (#7372)
• 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• 475e75a feat: add input validation to isAbsoluteURL (#7326)
• 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
• 04cf019 docs: clarify object check comment (#7323)
• 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• 569f028 fix: added a option to choose between legacy and the new request/response int...
• 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates vite from 6.3.5 to 6.4.1

Release notes

Sourced from vite's releases.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

v6.3.6

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.3 (2026-03-26)

Features

• update rolldown to 1.0.0-rc.12 (#22024) (84164ef)

Bug Fixes

• html: cache unfiltered CSS list to prevent missing styles across entries (#22017) (5464190)
• module-runner: handle non-ascii characters in base64 sourcemaps (#21985) (77c95bf)
• module-runner: skip re-import if the runner is closed (#22020) (ee2c2cd)
• optimizer: scan is not resolving sub path import if used in a glob import (#22018) (ddfe20d)
• ssr: ssrTransform incorrectly rewrites meta identifier inside import.meta when a binding named meta exists (#22019) (cff5f0c)

Miscellaneous Chores

• deps: bump picomatch from 4.0.3 to 4.0.4 (#22027) (7e56003)

Tests

• html: add tests for getCssFilesForChunk (#22016) (43fbbf9)

8.0.2 (2026-03-23)

Features

• update rolldown to 1.0.0-rc.11 (#21998) (ff91c31)

Bug Fixes

• deps: update all non-major dependencies (#21988) (9b7d150)

Miscellaneous Chores

• deps: update dependency @​vitejs/devtools to ^0.1.5 (#21992) (b2dd65b)

8.0.1 (2026-03-19)

Features

• update rolldown to 1.0.0-rc.10 (#21932) (b3c067d)

Bug Fixes

• bundled-dev: properly disable inlineConst optimization (#21865) (6d97142)
• css: lightningcss minify failed when build.target: 'es6' (#21933) (5fcce46)
• deps: update all non-major dependencies (#21878) (6dbbd7f)
• dev: always use ESM Oxc runtime (#21829) (d323ed7)
• dev: handle concurrent restarts in _createServer (#21810) (40bc729)
• handle + symbol in package subpath exports during dep optimization (#21886) (86db93d)
• improve no-cors request block error (#21902) (5ba688b)
• use precise regexes for transform filter to avoid backtracking (#21800) (dbe41bd)
• worker: require(json) result should not be wrapped (#21847) (0672fd2)

... (truncated)

Commits

• 0a0c50a refactor: simplify pluginFilter implementation (#19828)
• 59d0b35 perf(css): avoid constructing renderedModules (#19775)
• 175a839 fix: reject requests with # in request-target (#19830)
• e2e11b1 fix(module-runner): allow already resolved id as entry (#19768)
• 7200dee fix: correct the behavior when multiple transform filter options are specifie...
• b125172 fix(css): remove empty chunk imports correctly when chunk file name contained...
• 8fe3538 test: tweak generateCodeFrame test (#19812)
• 36935b5 fix(types): remove the keepProcessEnv from the DefaultEnvironmentOptions ...
• a0e1a04 docs(vite): fix description of transformIndexHtml hook (#19799)
• 71227be fix: unbundle fdir to fix commonjsOptions.dynamicRequireTargets (#19791)
• Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates form-data from 4.0.2 to 4.0.5

Release notes

Sourced from form-data's releases.

v4.0.4

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

Changelog

Sourced from form-data's changelog.

v4.0.5 - 2025-11-17

Commits

• [Tests] Switch to newer v8 prediction library; enable node 24 testing 16e0076
• [Dev Deps] update @ljharb/eslint-config, eslint 5822467
• [Fix] set Symbol.toStringTag in the proper place 76d0dee

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

Commits

• 68ff7dd v4.0.5
• 5822467 [Dev Deps] update @ljharb/eslint-config, eslint
• 76d0dee [Fix] set Symbol.toStringTag in the proper place
• 16e0076 [Tests] Switch to newer v8 prediction library; enable node 24 testing
• 41996f5 v4.0.4
• 316c82b [meta] actually ensure the readme backup isn’t published
• 2300ca1 [meta] fix readme capitalization
• 811f682 [meta] add auto-changelog
• 5e34080 [Tests] fix linting errors
• 1d11a76 [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
• Additional commits viewable in compare view

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates picomatch from 4.0.2 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

4.0.3

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144

New Contributors

• @​Jason3S made their first contribution in micromatch/picomatch#144

Full Changelog: micromatch/picomatch@4.0.2...4.0.3

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates react-router from 7.6.3 to 7.13.2

Release notes

Sourced from react-router's releases.

v7.13.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7132

v7.13.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7131

v7.13.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7130

v7.12.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7120

v7.11.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7110

v7.10.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7101

v7.10.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7100

v7.9.6

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v796

v7.9.5

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v795

v7.9.4

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v794

v7.9.3

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v793

v7.9.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v792

v7.9.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v791

v7.9.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v790

v7.8.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v782

v7.8.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v781

v7.8.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v780

... (truncated)

Changelog

Sourced from react-router's changelog.

7.13.2

Patch Changes

• Fix clientLoader.hydrate when an ancestor route is also hydrating a clientLoader (#14835)

• Fix type error when passing Framework Mode route components using Route.ComponentProps to createRoutesStub (#14892)

• Fix percent encoding in relative path navigation (#14786)

• Add future.unstable_passThroughRequests flag (#14775)

  By default, React Router normalizes the request.url passed to your loader, action, and middleware functions by removing React Router's internal implementation details (.data suffixes, index + _routes query params).

  Enabling this flag removes that normalization and passes the raw HTTP request instance to your handlers. This provides a few benefits:

  • Reduces server-side overhead by eliminating multiple new Request() calls on the critical path
  • Allows you to distinguish document from data requests in your handlers base don the presence of a .data suffix (useful for observability purposes)

  If you were previously relying on the normalization of request.url, you can switch to use the new sibling unstable_url parameter which contains a URL instance representing the normalized location:

  // ❌ Before: you could assume there was no `.data` suffix in `request.url`
  export async function loader({ request }: Route.LoaderArgs) {
    let url = new URL(request.url);
    if (url.pathname === "/path") {
      // This check will fail with the flag enabled because the `.data` suffix will
      // exist on data requests
    }
  }
  // ✅ After: use unstable_url for normalized routing logic and request.url
  // for raw routing logic
  export async function loader({ request, unstable_url }: Route.LoaderArgs) {
  if (unstable_url.pathname === "/path") {
  // This will always have the .data suffix stripped
  }
  // And now you can distinguish between document versus data requests
  let isDataRequest = new URL(request.url).pathname.endsWith(".data");
  }

• Internal refactor to consolidate framework-agnostic/React-specific route type layers - no public API changes (#14765)

• Sync protocol validation to rsc flows (#14882)

• Add a new unstable_url: URL parameter to route handler methods (loader, action, middleware, etc.) representing the normalized URL the application is navigating to or fetching, with React Router implementation details removed (.datasuffix, index/_routes query params) (#14775)

  This is being added alongside the new future.unstable_passthroughRequests future flag so that users still have a way to access the normalized URL when that flag is enabled and non-normalized request's are being passed to your handlers. When adopting this flag, you will only need to start leveraging this new parameter if you are relying on the normalization of request.url in your application code.

... (truncated)

Commits

• aadb56f chore: Update version for release (#14908)
• c68a9b3 chore: Update version for release (pre) (#14893)
• 8c3c7ce fix: allow Framework Mode route components to be passed to createRoutesStub (...
• 1cd923e chore: format
• 830d3ba Fix percent encoding in relative path navigation (#14786)
• 8646d39 Align redirect protocol validation in RSC flows (#14882)
• 7d21b1c Add additional unit test - hydrate fallback rendering for SPA middleware w/o ...
• 8a10826 docs: fix typo in useNavigate documentation (#14848)
• bda5bb7 Fix typo in comment (#14844)
• bbe4a73 chore: format
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for react-router since your current version.

Updates rollup from 4.39.0 to 4.60.0

Release notes

Sourced from rollup's releases.

v4.60.0

4.60.0

2026-03-22

Features

• Support source phase imports as long as they are external (#6279)

Pull Requests

• #6279: feat: external only Source Phase imports support (@​guybedford, @​lukastaegert)

v4.59.1

4.59.1

2026-03-21

Bug Fixes

• Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

• #6281: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6282: chore(deps): update github artifact actions (major) (@​renovate[bot], @​lukastaegert)
• #6283: chore(deps): update dependency nyc to v18 (@​renovate[bot], @​lukastaegert)
• #6284: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #6285: chore(deps): lock file maintenance (@​renovate[bot])
• #6290: chore(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6291: chore(deps): update dependency @​shikijs/vitepress-twoslash to v4 (@​renovate[bot])
• #6292: chore(deps): lock file maintenance (@​renovate[bot])
• #6297: chore(deps): update minor/patch updates (@​renovate[bot])
• #6298: chore(deps): lock file maintenance (@​renovate[bot])
• #6299: chore(deps): lock file maintenance (@​renovate[bot])
• #6300: docs: update packagephobia link (@​bluwy)
• #6301: chore(deps): update dependency lint-staged to ^16.3.3 (@​renovate[bot])
• #6306: fix: fix chunk assignment for deoptimized module with dynamic import (@​JoaoBrlt, @​lukastaegert)
• #6307: chore(deps): update minor/patch updates (@​renovate[bot])
• #6308: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6309: chore(deps): update dependency vite to v8 (@​renovate[bot])
• #6310: chore(deps): lock file maintenance (@​renovate[bot])
• #6311: chore(deps): lock file maintenance (@​renovate[bot])
• #6312: chore(deps): lock file maintenance (@​renovate[bot])

v4.59.0

4.59.0

2026-02-22

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.0

2026-03-22

Features

• Support source phase imports as long as they are external (#6279)

Pull Requests

• #6279: feat: external only Source Phase imports support (@​guybedford, @​lukastaegert)

4.59.1

2026-03-21

Bug Fixes

• Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

• #6281: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6282: chore(deps): update github artifact actions (major) (@​renovate[bot], @​lukastaegert)
• #6283: chore(deps): update dependency nyc to v18 (@​renovate[bot], @​lukastaegert)
• #6284: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #6285: chore(deps): lock file maintenance (@​renovate[bot])
• #6290: chore(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6291: chore(deps): update dependency @​shikijs/vitepress-twoslash to v4 (@​renovate[bot])
• #6292: chore(deps): lock file maintenance (@​renovate[bot])
• #6297: chore(deps): update minor/patch updates (@​renovate[bot])
• #6298: chore(deps): lock file maintenance (@​renovate[bot])
• #6299: chore(deps): lock file maintenance (@​renovate[bot])
• <...

  Description has been truncated

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
prescripto-frontend	Ready	Preview, Comment	Mar 27, 2026 9:35am