Bump the npm_and_yarn group across 1 directory with 8 updates

[dependabot]

Bumps the npm_and_yarn group with 8 updates in the / directory:

Package	From	To
pnpm	9.14.4	9.15.0
vite	5.4.11	5.4.12
vitest	2.1.8	2.1.9
@octokit/endpoint	10.1.1	10.1.3
@octokit/plugin-paginate-rest	11.3.6	11.4.3
@octokit/request-error	6.1.5	6.1.7
@octokit/request	9.1.3	9.2.2
undici	5.28.4	5.28.5

Updates pnpm from 9.14.4 to 9.15.0

Release notes

Sourced from pnpm's releases.

pnpm 9.15

Minor Changes

• Metadata directory version bumped to force fresh cache after we shipped a fix to the metadata write function. This change is backward compatible as install doesn't require a metadata cache.

Patch Changes

• pnpm update --global should not crash if there are no any global packages installed #7898.
• Fix an exception when running pnpm update --interactive if catalogs are used.

Platinum Sponsors

Gold Sponsors

... (truncated)

Changelog

Sourced from pnpm's changelog.

9.15.0

Minor Changes

• Metadata directory version bumped to force fresh cache after we shipped a fix to the metadata write function. This change is backward compatible as install doesn't require a metadata cache.

Patch Changes

• pnpm update --global should not crash if there are no any global packages installed #7898.
• Fix an exception when running pnpm update --interactive if catalogs are used.

Commits

• ac15953 chore(release): 9.15.0
• ddfd640 fix: global update should not fail if no packages are found (#8829)
• See full diff in compare view

Updates vite from 5.4.11 to 5.4.12

Release notes

Sourced from vite's releases.

v5.4.12

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.12 (2025-01-20)

• fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (9da4abc)
• fix!: default server.cors: false to disallow fetching from untrusted origins (dfea38f)
• fix: verify token for HMR WebSocket connection (b71a5c8)
• chore: add deps update changelog (ecd2375)

Commits

• f428aa9 release: v5.4.12
• 9da4abc fix!: check host header to prevent DNS rebinding attacks and introduce `serve...
• b71a5c8 fix: verify token for HMR WebSocket connection
• dfea38f fix!: default server.cors: false to disallow fetching from untrusted origins
• ecd2375 chore: add deps update changelog
• See full diff in compare view

Updates vitest from 2.1.8 to 2.1.9

Release notes

Sourced from vitest's releases.

v2.1.9

This release includes security patches for:

• Browser mode serves arbitrary files | CVE-2025-24963
• Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964

   🐞 Bug Fixes

• backport vitest-dev/vitest#7317 to v2 - by @​hi-ogawa in vitest-dev/vitest#7318
• (backport #7340 to v2) restrict served files from /__screenshot-error - by @​hi-ogawa in vitest-dev/vitest#7343

    View changes on GitHub

Commits

• c9e59a0 chore: release v2.1.9
• e0fe1d8 fix: backport #7317 to v2 (#7318)
• See full diff in compare view

Updates @octokit/endpoint from 10.1.1 to 10.1.3

Release notes

Sourced from @​octokit/endpoint's releases.

v10.1.3

10.1.3 (2025-02-13)

Bug Fixes

• Fix a ReDos vulnerability, reported by @​DayShift (6c9c5be)

v10.1.2

10.1.2 (2024-12-31)

Bug Fixes

• deps: bump @octokit/types to improve Deno compat (#507) (15d700b)

Commits

• d6cf1ad fix: linting issues breaking ci (#514)
• 6c9c5be Merge commit from fork
• e472e22 chore(deps): update dependency esbuild to ^0.25.0 (#512)
• b2ebcda build(deps-dev): bump vitest and @​vitest/coverage-v8 (#511)
• 76e3738 build(deps): bump vite from 5.4.6 to 6.0.11 (#509)
• c9ce54d chore(deps): update vitest monorepo to v3 (major) (#508)
• 15d700b fix(deps): bump @octokit/types to improve Deno compat (#507)
• a0a938e chore(deps): update dependency prettier to v3.4.2 (#506)
• 2e92021 chore(deps): update dependency prettier to v3.4.1 (#505)
• 55ee6d6 chore(deps): update dependency prettier to v3.4.0 (#504)
• Additional commits viewable in compare view

Updates @octokit/plugin-paginate-rest from 11.3.6 to 11.4.3

Release notes

Sourced from @​octokit/plugin-paginate-rest's releases.

v11.4.3

11.4.3 (2025-02-24)

Bug Fixes

• types: correct pagination return type for data which is an array (#662) (9a51aad), closes #661

v11.4.2

11.4.2 (2025-02-13)

Bug Fixes

• types: add back the pagination keys (#653) (8b8c500), closes #652

v11.4.1

11.4.1 (2025-02-13)

Bug Fixes

• mitigate ReDos issues & linting issues (#659) (7d1fade), fixes #657

v11.4.0

11.4.0 (2025-01-08)

Features

• new action runner groups endpoints, new code scanning alerts autofix endpoints, new sub-issues endpoints, new private registries enpoints, new code security endpoints, various description updates (#646) (a73883f)

Commits

• 9a51aad fix(types): correct pagination return type for data which is an array (#662)
• 8b8c500 fix(types): add back the pagination keys (#653)
• 41876f4 chore(deps): update dependency prettier to v3.5.1 (#658)
• 7d1fade fix: mitigate ReDos issues & linting issues (#659)
• bb6c4f9 Merge commit from fork
• d9c1e8f chore(deps): update dependency esbuild to ^0.25.0 (#656)
• 7ed5627 build(deps-dev): bump vitest and @​vitest/coverage-v8 (#655)
• 4a41307 build: remove @​types/fetch-mock (#654)
• 31f8fe9 build(deps): bump vite from 5.4.6 to 6.0.11 (#651)
• bc38852 chore(deps): update vitest monorepo to v3 (major) (#650)
• Additional commits viewable in compare view

Updates @octokit/request-error from 6.1.5 to 6.1.7

Release notes

Sourced from @​octokit/request-error's releases.

v6.1.7

6.1.7 (2025-02-13)

Bug Fixes

• ReDos regex vulnerability, reported by @​DayShift (d558320874a4bc8d356babf1079e6f0056a59b9e)

v6.1.6

6.1.6 (2024-12-29)

Bug Fixes

• deps: bump @octokit/types to fix Deno compat (#483) (e01d470)

Commits

• c346f5c fix: linting issues (#494)
• d558320 Merge commit from fork
• 5046116 chore(deps): update dependency esbuild to ^0.25.0 (#491)
• 50513ba build(deps): lock file maintenance (#490)
• bd5e83f build(deps): lock file maintenance (#488)
• d204ea3 build(deps): lock file maintenance (#486)
• ab1585a chore(deps): update vitest monorepo to v3 (major) (#487)
• 03a7e12 build(deps): lock file maintenance (#485)
• cb4feec build(deps): lock file maintenance (#484)
• e01d470 fix(deps): bump @octokit/types to fix Deno compat (#483)
• Additional commits viewable in compare view

Updates @octokit/request from 9.1.3 to 9.2.2

Release notes

Sourced from @​octokit/request's releases.

v9.2.2

9.2.2 (2025-02-14)

Bug Fixes

• deps: update dependency @​octokit/request-error to v6.1.7 [security] (#740) (4b2f485)

v9.2.1

9.2.1 (2025-02-13)

Bug Fixes

• mitigate ReDos vulnerabilities & lint (#738) (6bb29ba)

v9.2.0

9.2.0 (2025-01-16)

Features

• correctly parse response bodies as JSON where the Content-Type is application/scim+json (#731) (00bf316)

v9.1.4

9.1.4 (2024-12-29)

Bug Fixes

• deps: bump @octokit/types to fix deno compat (#730) (324ffef)

Commits

• 4b2f485 fix(deps): update dependency @​octokit/request-error to v6.1.7 [security] (#740)
• 0320a42 chore(deps): update dependency prettier to v3.5.1 (#737)
• 6bb29ba fix: mitigate ReDos vulnerabilities & lint (#738)
• 34ff07e Merge commit from fork
• a0e96b3 chore(deps): update dependency esbuild to ^0.25.0 (#736)
• d27daa7 build(deps-dev): bump vitest and @​vitest/coverage-v8 (#735)
• bc07c8a build(deps): bump vite from 5.4.6 to 6.0.11 (#734)
• 4266a84 build(deps-dev): bump undici from 6.19.2 to 6.21.1 (#733)
• c2d27a2 chore(deps): update vitest monorepo to v3 (major) (#732)
• 00bf316 feat: correctly parse response bodies as JSON where the Content-Type is `appl...
• Additional commits viewable in compare view

Updates undici from 5.28.4 to 5.28.5

Release notes

Sourced from undici's releases.

v5.28.5

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

Full Changelog: nodejs/undici@v5.28.4...v5.28.5

Commits

• 6139ed2 Bumped v5.28.5
• 711e207 Backport of c2d78cd
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.