chore(deps): bump the minor-and-patch group with 6 updates

[dependabot]

Bumps the minor-and-patch group with 6 updates:

Package	From	To
@supabase/supabase-js	2.99.3	2.100.1
maplibre-gl	5.21.0	5.21.1
react-router	7.13.1	7.13.2
typescript-eslint	8.57.1	8.57.2
vite	8.0.1	8.0.3
vitest	4.1.0	4.1.2

Updates @supabase/supabase-js from 2.99.3 to 2.100.1

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.100.1

2.100.1 (2026-03-26)

🩹 Fixes

• postgrest: add type safety for eq() and neq() column names (#2175)
• postgrest: fix maybeSingle for all request methods by removing Accept header override (#2182)
• postgrest: narrow tstyche testFileMatch to only type test files (#2193)
• postgrest: prevent Args: never functions from being classified as computed fields (#2195)
• storage: spread all DEFAULT_FILE_OPTIONS in uploadToSignedUrl (#2194)

❤️ Thank You

• Ayush Baluni @​aayushbaluni
• Katerina Skroumpelou @​mandarini

v2.100.0

2.100.0 (2026-03-23)

🚀 Features

• realtime: use phoenix's js lib inside realtime-js (#2119)

🩹 Fixes

• auth: guard navigator lock steal against cascade when lock is stolen by another request (#2178)
• realtime: revert vsn type to string (#2170)
• storage: structural detection on json() to detect Response-like errors (#2179)

❤️ Thank You

• Alan Guzek @​GuzekAlan
• Dominik Pilipczuk @​snickerdoodle2
• Katerina Skroumpelou @​mandarini

v2.100.0-rc.0

2.100.0-rc.0 (2026-03-16)

This was a version bump only, there were no code changes.

v2.100.0-canary.8

2.100.0-canary.8 (2026-03-30)

🚀 Features

• realtime: add copyBindings functionality (#2197)

❤️ Thank You

• Dominik Pilipczuk @​snickerdoodle2

... (truncated)

Changelog

Sourced from @​supabase/supabase-js's changelog.

2.100.1 (2026-03-26)

🩹 Fixes

• postgrest: narrow tstyche testFileMatch to only type test files (#2193)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

2.100.0 (2026-03-23)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.99.2 (2026-03-16)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.99.1 (2026-03-11)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.99.0 (2026-03-09)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.98.0 (2026-02-26)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.97.0 (2026-02-18)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.96.0 (2026-02-17)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.95.3 (2026-02-06)

🚀 Features

• supabase: add canonical CORS headers export for edge functions (#2071)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

2.95.0 (2026-02-05)

... (truncated)

Commits

• cd6335e docs(repo): enrich docs comment for remaining packages (#2165)
• 9f487bd fix(postgrest): narrow tstyche testFileMatch to only type test files (#2193)
• 379ce05 chore(release): version 2.100.0 changelogs (#2185)
• See full diff in compare view

Updates maplibre-gl from 5.21.0 to 5.21.1

Release notes

Sourced from maplibre-gl's releases.

v5.21.1

🐞 Bug fixes

• Add missing promoteId parameter to geojson worker and refactor communication object (#7320) (by @​HarelM)

Changelog

Sourced from maplibre-gl's changelog.

5.21.1

🐞 Bug fixes

• Add missing promoteId parameter to geojson worker and refactor communication object (#7320) (by @​HarelM)

Commits

• 1fe69fd Bump js version to 5.21.1 (#7325)
• 1bf28ae Add missing promoteId parameter to geojson worker (#7320)
• 1557f52 chore(deps-dev): bump canvas from 3.2.1 to 3.2.2 (#7324)
• 73db19a chore(deps-dev): bump @​vitest/eslint-plugin in the vitest group (#7321)
• 9eeb0fd chore(deps-dev): bump rollup from 4.59.1 to 4.60.0 (#7322)
• a5a63bc chore(deps-dev): bump rollup from 4.59.0 to 4.59.1 (#7316)
• a54d7a1 chore(deps): bump github/codeql-action from 4.33.0 to 4.34.1 (#7317)
• a4c8bc8 chore(deps): bump ggilder/codecoverage from 1.3.0 to 1.3.1 (#7318)
• a8cf500 chore(deps-dev): bump devtools-protocol from 0.0.1596832 to 0.0.1602427 (#7312)
• 65766d2 chore(deps-dev): bump puppeteer from 24.39.1 to 24.40.0 (#7313)
• Additional commits viewable in compare view

Updates react-router from 7.13.1 to 7.13.2

Release notes

Sourced from react-router's releases.

v7.13.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7132

Changelog

Sourced from react-router's changelog.

7.13.2

Patch Changes

• Fix clientLoader.hydrate when an ancestor route is also hydrating a clientLoader (#14835)

• Fix type error when passing Framework Mode route components using Route.ComponentProps to createRoutesStub (#14892)

• Fix percent encoding in relative path navigation (#14786)

• Add future.unstable_passThroughRequests flag (#14775)

  By default, React Router normalizes the request.url passed to your loader, action, and middleware functions by removing React Router's internal implementation details (.data suffixes, index + _routes query params).

  Enabling this flag removes that normalization and passes the raw HTTP request instance to your handlers. This provides a few benefits:

  • Reduces server-side overhead by eliminating multiple new Request() calls on the critical path
  • Allows you to distinguish document from data requests in your handlers base don the presence of a .data suffix (useful for observability purposes)

  If you were previously relying on the normalization of request.url, you can switch to use the new sibling unstable_url parameter which contains a URL instance representing the normalized location:

  // ❌ Before: you could assume there was no `.data` suffix in `request.url`
  export async function loader({ request }: Route.LoaderArgs) {
    let url = new URL(request.url);
    if (url.pathname === "/path") {
      // This check will fail with the flag enabled because the `.data` suffix will
      // exist on data requests
    }
  }
  // ✅ After: use unstable_url for normalized routing logic and request.url
  // for raw routing logic
  export async function loader({ request, unstable_url }: Route.LoaderArgs) {
  if (unstable_url.pathname === "/path") {
  // This will always have the .data suffix stripped
  }
  // And now you can distinguish between document versus data requests
  let isDataRequest = new URL(request.url).pathname.endsWith(".data");
  }

• Internal refactor to consolidate framework-agnostic/React-specific route type layers - no public API changes (#14765)

• Sync protocol validation to rsc flows (#14882)

• Add a new unstable_url: URL parameter to route handler methods (loader, action, middleware, etc.) representing the normalized URL the application is navigating to or fetching, with React Router implementation details removed (.datasuffix, index/_routes query params) (#14775)

  This is being added alongside the new future.unstable_passthroughRequests future flag so that users still have a way to access the normalized URL when that flag is enabled and non-normalized request's are being passed to your handlers. When adopting this flag, you will only need to start leveraging this new parameter if you are relying on the normalization of request.url in your application code.

... (truncated)

Commits

• aadb56f chore: Update version for release (#14908)
• c68a9b3 chore: Update version for release (pre) (#14893)
• 8c3c7ce fix: allow Framework Mode route components to be passed to createRoutesStub (...
• 1cd923e chore: format
• 830d3ba Fix percent encoding in relative path navigation (#14786)
• 8646d39 Align redirect protocol validation in RSC flows (#14882)
• 7d21b1c Add additional unit test - hydrate fallback rendering for SPA middleware w/o ...
• 8a10826 docs: fix typo in useNavigate documentation (#14848)
• bda5bb7 Fix typo in comment (#14844)
• bbe4a73 chore: format
• Additional commits viewable in compare view

Updates typescript-eslint from 8.57.1 to 8.57.2

Release notes

Sourced from typescript-eslint's releases.

v8.57.2

8.57.2 (2026-03-23)

🩹 Fixes

• eslint-plugin: [prefer-optional-chain] remove dangling closing parenthesis (#11865)
• eslint-plugin: [array-type] ignore Array and ReadonlyArray without type arguments (#11971)
• eslint-plugin: [no-restricted-types] flag banned generics in extends or implements (#12120)
• eslint-plugin: [no-unsafe-return] false positive on unwrapping generic (#12125)
• eslint-plugin: [no-unsafe-return] false positive on unwrapping generic (#12125)
• eslint-plugin: [no-useless-default-assignment] skip reporting false positives for unresolved type parameters (#12127)
• eslint-plugin: [prefer-readonly-parameter-types] preserve type alias infomation (#11954)
• typescript-estree: skip createIsolatedProgram fallback for projectService (#12066, #12065)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger
• Konv Suu
• mdm317
• Newton Yuan @​NewtonYuan
• RyoheiYamamoto
• SungHyun627 @​SungHyun627
• Tamashoo @​Tamashoo

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.57.2 (2026-03-23)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• be4d54d chore(release): publish 8.57.2
• See full diff in compare view

Updates vite from 8.0.1 to 8.0.3

Release notes

Sourced from vite's releases.

create-vite@8.0.3

Please refer to CHANGELOG.md for details.

v8.0.3

Please refer to CHANGELOG.md for details.

create-vite@8.0.2

Please refer to CHANGELOG.md for details.

v8.0.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.3 (2026-03-26)

Features

• update rolldown to 1.0.0-rc.12 (#22024) (84164ef)

Bug Fixes

• html: cache unfiltered CSS list to prevent missing styles across entries (#22017) (5464190)
• module-runner: handle non-ascii characters in base64 sourcemaps (#21985) (77c95bf)
• module-runner: skip re-import if the runner is closed (#22020) (ee2c2cd)
• optimizer: scan is not resolving sub path import if used in a glob import (#22018) (ddfe20d)
• ssr: ssrTransform incorrectly rewrites meta identifier inside import.meta when a binding named meta exists (#22019) (cff5f0c)

Miscellaneous Chores

• deps: bump picomatch from 4.0.3 to 4.0.4 (#22027) (7e56003)

Tests

• html: add tests for getCssFilesForChunk (#22016) (43fbbf9)

8.0.2 (2026-03-23)

Features

• update rolldown to 1.0.0-rc.11 (#21998) (ff91c31)

Bug Fixes

• deps: update all non-major dependencies (#21988) (9b7d150)

Miscellaneous Chores

• deps: update dependency @​vitejs/devtools to ^0.1.5 (#21992) (b2dd65b)

Commits

• 6a34ac3 fix(deps): update all non-major dependencies (#21096)
• 02ceaec chore(deps): update dependency @​rollup/plugin-commonjs to v29 (#21099)
• 572aaca release: v7.2.2
• 728c8ee fix: revert "refactor: use fs.cpSync (#21019)" (#21081)
• a532e68 release: v7.2.1
• 82d2d6c fix(worker): some worker asset was missing (#21074)
• f83264f refactor(build): rename indexOfMatchInSlice to findPreloadMarker (#21054)
• 8293de0 release: v7.2.0
• 2833c55 fix(types): add undefined to optional properties for exactOptionalProperties ...
• e3a6a83 chore(deps): update rolldown-related dependencies (#21047)
• Additional commits viewable in compare view

Updates vitest from 4.1.0 to 4.1.2

Release notes

Sourced from vitest's releases.

v4.1.2

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (vitest-dev/vitest#9975).

   🐞 Bug Fixes

• Don't resolve setupFiles from parent directory  -  by @​hi-ogawa in vitest-dev/vitest#9960 (7aa93)
• Ensure sequential mock/unmock resolution  -  by @​hi-ogawa and Claude Opus 4.6 in vitest-dev/vitest#9830 (7c065)
• browser: Take failure screenshot if toMatchScreenshot can't capture a stable screenshot  -  by @​macarie in vitest-dev/vitest#9847 (faace)
• coverage: Correct coverageConfigDefaults values and types  -  by @​Arthie in vitest-dev/vitest#9940 (b3c99)
• pretty-format: Fix output limit over counting  -  by @​hi-ogawa in vitest-dev/vitest#9965 (d3b7a)
• Disable colors if agent is detected  -  by @​sheremet-va and @​AriPerkkio in vitest-dev/vitest#9851 (6f97b)

    View changes on GitHub

v4.1.1

   🚀 Features

• experimental:
  • Expose matchesTags to test if the current filter matches tags  -  by @​sheremet-va in vitest-dev/vitest#9913 (eec53)
  • Introduce experimental.vcsProvider  -  by @​sheremet-va in vitest-dev/vitest#9928 (56115)

   🐞 Bug Fixes

• Mark TestProject.testFilesList internal properly  -  by @​sapphi-red in vitest-dev/vitest#9867 (54f26)
• Detect fixture that returns without calling use  -  by @​oilater in vitest-dev/vitest#9831 and vitest-dev/vitest#9861 (633ae)
• Drop vite 8.beta support  -  by @​AriPerkkio in vitest-dev/vitest#9862 (b78f5)
• Type regression in vi.mocked() static class methods  -  by @​purepear and @​hi-ogawa in vitest-dev/vitest#9857 (90926)
• Properly re-evaluate actual modules of mocked external  -  by @​hi-ogawa in vitest-dev/vitest#9898 (ae5ec)
• Preserve coverage report when html reporter overlaps  -  by @​hi-ogawa in vitest-dev/vitest#9889 (2d81a)
• Provide vi.advanceTimers to the preview provider  -  by @​sheremet-va in vitest-dev/vitest#9891 (1bc3e)
• Don't leak event listener in playwright provider  -  by @​sheremet-va in vitest-dev/vitest#9910 (d9355)
• Open browser in --standalone mode without running tests  -  by @​sheremet-va in vitest-dev/vitest#9911 (e78ad)
• Guard disposable and optional body  -  by @​sheremet-va in vitest-dev/vitest#9912 (6fdb2)
• Resolve retry.condition RegExp serialization issue  -  by @​nstepien and @​hi-ogawa in vitest-dev/vitest#9942 (7b605)
• collect:
  • Don't treat extra props on test return as tests  -  by @​sheremet-va in vitest-dev/vitest#9871 (141e7)
• coverage:
  • Simplify provider types  -  by @​AriPerkkio in vitest-dev/vitest#9931 (aaf9f)
  • Load built-in provider without module runner  -  by @​AriPerkkio in vitest-dev/vitest#9939 (bf892)
• expect:
  • Soft assertions continue after .resolves/.rejects promise errors  -  by @​mixelburg, Maks Pikov, Claude Opus 4.6 (1M context) and @​hi-ogawa in vitest-dev/vitest#9843 (6d74b)
  • Fix sinon-chai style API  -  by @​hi-ogawa in vitest-dev/vitest#9943 (0f08d)
• pretty-format:
  • Limit output for large object  -  by @​hi-ogawa and Claude Opus 4.6 (1M context) in vitest-dev/vitest#9949 (0d5f9)

    View changes on GitHub

Commits

• fc6f482 chore: release v4.1.2
• 6f97b55 feat: disable colors if agent is detected (#9851)
• b3c992c fix(coverage): correct coverageConfigDefaults values and types (#9940)
• 7c06598 fix: ensure sequential mock/unmock resolution (#9830)
• f54abad chore: add typo-checker skill and fix typos (#9963)
• 7aa9377 fix: don't resolve setupFiles from parent directory (#9960)
• 1f2d318 chore: release v4.1.1
• ebfde79 refactor: rename matchesTagsFilter to matchesTags (#9956)
• 5611500 feat(experimental): introduce experimental.vcsProvider (#9928)
• eec53d9 feat(experimental): expose matchesTagsFilter to test if the current filter ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
packforge	Ready	Preview, Comment	Mar 30, 2026 11:50am

[github-actions]

Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

---

I have read the CLA Document and I hereby sign the CLA

---

_{You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.}

[github-actions]

Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

---

I have read the CLA Document and I hereby sign the CLA

---

_{You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.}