deps(deps-dev): Bump the patch-updates group with 2 updates#62
Merged
github-actions[bot] merged 1 commit intostagingfrom Apr 27, 2026
Conversation
Bumps the patch-updates group with 2 updates: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). Updates `vite` from 8.0.9 to 8.0.10 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.0.10/packages/vite) Updates `vitest` from 4.1.4 to 4.1.5 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.5/packages/vitest) --- updated-dependencies: - dependency-name: vite dependency-version: 8.0.10 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: vitest dependency-version: 4.1.5 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
automated
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
dependabot
Bot
deleted the
dependabot/npm_and_yarn/staging/patch-updates-f65e67f75b
branch
github-actions Bot
added a commit
that referenced
this pull request
Apr 27, 2026
* deps(deps-dev): Bump the patch-updates group with 2 updates (#52) Bumps the patch-updates group with 2 updates: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). Updates `vite` from 8.0.4 to 8.0.8 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.0.8/packages/vite) Updates `vitest` from 4.1.2 to 4.1.4 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.4/packages/vitest) --- updated-dependencies: - dependency-name: vite dependency-version: 8.0.8 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: vitest dependency-version: 4.1.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: Deploy directly in dependabot workflow to bypass GITHUB_TOKEN limitation GITHUB_TOKEN merges don't trigger other workflows, so deploy-production.yml never fires after dependabot PRs are merged to main. The dependabot deploy workflow now builds and deploys to Cloudflare Pages directly after merging, and syncs main back into staging. Also adds workflow_dispatch to deploy-production.yml for manual triggers. * deps(deps-dev): Bump vite from 8.0.8 to 8.0.9 in the patch-updates group (#55) Bumps the patch-updates group with 1 update: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Updates `vite` from 8.0.8 to 8.0.9 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.0.9/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-version: 8.0.9 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * deps(deps-dev): Bump happy-dom from 20.8.9 to 20.9.0 (#56) Bumps [happy-dom](https://github.com/capricorn86/happy-dom) from 20.8.9 to 20.9.0. - [Release notes](https://github.com/capricorn86/happy-dom/releases) - [Commits](capricorn86/happy-dom@v20.8.9...v20.9.0) --- updated-dependencies: - dependency-name: happy-dom dependency-version: 20.9.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: Harden dependabot auto-deploy against back-to-back PRs (#59) Back-to-back dependabot PRs landing on staging could race the dependabot-deploy workflow: the second staging→main PR would enable `gh pr merge --auto`, which silently no-ops when no required check is pending, leaving the PR stuck and the workflow timing out. Three defenses: - Group minor updates alongside patches so a typical week produces one combined PR instead of several. - Try an immediate squash merge first and only fall back to --auto when the PR isn't yet mergeable, so --auto's no-op behavior can't strand a ready PR. - Add a concurrency group so overlapping deploy runs queue instead of racing each other. * fix: Tighten share-URL validation against malicious color strings (#60) `validateShareData` previously only checked `version === 1` and the truthiness of `grid`/`colors`, so a crafted share URL could set `patternColors` to arbitrary strings. Those strings flow into `exportSvg` as `fill="${color}"` via string concatenation, so a payload like `"/><script>...</script>` in a downloaded SVG would execute when the victim opens the file directly in a browser. Strict-validate share data at the boundary: hex-regex each color in `colors.pattern`, `colors.background`, and `palette.custom`; require plain objects and finite numeric dimensions; require array-of-arrays shape for cells. Also run `sanitizeGrid` on share-URL cells to match the file-import path (export.js:817). Promoted `sanitizeGrid` to an exported helper. * deps(deps-dev): Bump the patch-updates group with 2 updates (#62) Bumps the patch-updates group with 2 updates: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). Updates `vite` from 8.0.9 to 8.0.10 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.0.10/packages/vite) Updates `vitest` from 4.1.4 to 4.1.5 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.5/packages/vitest) --- updated-dependencies: - dependency-name: vite dependency-version: 8.0.10 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: vitest dependency-version: 4.1.5 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Itroun <78351901+Itroun@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
1 task
Itroun
added a commit
that referenced
this pull request
Apr 27, 2026
* deps(deps-dev): Bump the patch-updates group with 2 updates (#52) Bumps the patch-updates group with 2 updates: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). Updates `vite` from 8.0.4 to 8.0.8 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.0.8/packages/vite) Updates `vitest` from 4.1.2 to 4.1.4 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.4/packages/vitest) --- updated-dependencies: - dependency-name: vite dependency-version: 8.0.8 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: vitest dependency-version: 4.1.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: Deploy directly in dependabot workflow to bypass GITHUB_TOKEN limitation GITHUB_TOKEN merges don't trigger other workflows, so deploy-production.yml never fires after dependabot PRs are merged to main. The dependabot deploy workflow now builds and deploys to Cloudflare Pages directly after merging, and syncs main back into staging. Also adds workflow_dispatch to deploy-production.yml for manual triggers. * deps(deps-dev): Bump vite from 8.0.8 to 8.0.9 in the patch-updates group (#55) Bumps the patch-updates group with 1 update: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Updates `vite` from 8.0.8 to 8.0.9 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.0.9/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-version: 8.0.9 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * deps(deps-dev): Bump happy-dom from 20.8.9 to 20.9.0 (#56) Bumps [happy-dom](https://github.com/capricorn86/happy-dom) from 20.8.9 to 20.9.0. - [Release notes](https://github.com/capricorn86/happy-dom/releases) - [Commits](capricorn86/happy-dom@v20.8.9...v20.9.0) --- updated-dependencies: - dependency-name: happy-dom dependency-version: 20.9.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: Harden dependabot auto-deploy against back-to-back PRs (#59) Back-to-back dependabot PRs landing on staging could race the dependabot-deploy workflow: the second staging→main PR would enable `gh pr merge --auto`, which silently no-ops when no required check is pending, leaving the PR stuck and the workflow timing out. Three defenses: - Group minor updates alongside patches so a typical week produces one combined PR instead of several. - Try an immediate squash merge first and only fall back to --auto when the PR isn't yet mergeable, so --auto's no-op behavior can't strand a ready PR. - Add a concurrency group so overlapping deploy runs queue instead of racing each other. * fix: Tighten share-URL validation against malicious color strings (#60) `validateShareData` previously only checked `version === 1` and the truthiness of `grid`/`colors`, so a crafted share URL could set `patternColors` to arbitrary strings. Those strings flow into `exportSvg` as `fill="${color}"` via string concatenation, so a payload like `"/><script>...</script>` in a downloaded SVG would execute when the victim opens the file directly in a browser. Strict-validate share data at the boundary: hex-regex each color in `colors.pattern`, `colors.background`, and `palette.custom`; require plain objects and finite numeric dimensions; require array-of-arrays shape for cells. Also run `sanitizeGrid` on share-URL cells to match the file-import path (export.js:817). Promoted `sanitizeGrid` to an exported helper. * deps(deps-dev): Bump the patch-updates group with 2 updates (#62) Bumps the patch-updates group with 2 updates: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). Updates `vite` from 8.0.9 to 8.0.10 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.0.10/packages/vite) Updates `vitest` from 4.1.4 to 4.1.5 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.5/packages/vitest) --- updated-dependencies: - dependency-name: vite dependency-version: 8.0.10 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates - dependency-name: vitest dependency-version: 4.1.5 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: Fetch full history when checking out main for back-merge (#64) The dependabot-deploy workflow's post-deploy "Sync main into staging" step was failing with "refusing to merge unrelated histories" because the preceding `Checkout main (post-merge)` step used the default shallow clone (depth=1). With no shared history fetched, git cannot find a common ancestor between origin/main and origin/staging and refuses the merge. Set fetch-depth: 0 on that checkout so the back-merge succeeds. --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the patch-updates group with 2 updates: vite and vitest.
Updates
vitefrom 8.0.9 to 8.0.10Release notes
Sourced from vite's releases.
Changelog
Sourced from vite's changelog.
Commits
32c2978release: v8.0.10a4d06d9feat: update rolldown to 1.0.0-rc.17 (#22299)a4d828ffix:hmrClient.logger.debugandhmrClient.logger.errorlooked different f...83f0a78fix(css): show filename in CSS minification warnings for.css?inline(#22292)b8a21ccfix: remove format sniffing module resolution from JS resolver (#22297)40a0847refactor: typecheck client directory (#22284)5c7cec6fix(optimizer): allow user transform.target to override default in optimizeDe...9437518refactor: enable some typecheck rules (#22278)Updates
vitestfrom 4.1.4 to 4.1.5Release notes
Sourced from vitest's releases.
Commits
e399846chore: release v4.1.57dc6d54Revert "fix: respect diff config options in soft assertions (#8696)"9787dedfix: respect diff config options in soft assertions (#8696)325463afix(ast-collect): recognize _vi_import prefix in static test discovery (#10...0e0ff41feat(coverage): istanbul to supportinstrumenteroption (#10119)663b99ffix: aliasagentreporter tominimal(#10157)122c25bfix: fixvi.defineHelpercalled as object method (#10163)6abd557feat(api): make test-specification options writable (#10154)596f739fix: project color label on html reporter (#10142)9423dc0fix: --project negation excludes browser instances (#10131)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions