fix: non-breakin gdependabot security updates by SchnozzleCat · Pull Request #281 · treely/boemly

SchnozzleCat · 2026-04-14T13:17:28Z

Summary

Vulnerabilities Fixed

Patched critical/high/medium vulnerabilities in handlebars (JS
injection, prototype pollution), lodash/lodash-es (code injection, prototype pollution), undici (HTTP
smuggling, CRLF injection, WebSocket issues), flatted (prototype pollution), serialize-javascript
(DoS), yaml (stack overflow), picomatch (method injection), and webpack (SSRF bypass).

Dependencies

Updated all semver-compatible packages including @babel/core, @chakra-ui/react,
@storybook/, @typescript-eslint/, framer-motion, esbuild, eslint, react-datepicker, semantic-release,
and others to their latest non-breaking versions.
Pinned react-dom to avoid pulling react 19 version

vercel · 2026-04-14T13:17:35Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
boemly	Ready	Preview, Comment	Apr 14, 2026 1:32pm

github-actions · 2026-04-14T13:22:43Z

size-limit report 📦

Path	Size	Loading time (3g)	Running time (snapdragon)	Total time
dist/index.js	166.62 KB (-26.34% 🔽)	3.4 s (-26.34% 🔽)	170 ms (-16.74% 🔽)	3.6 s
dist/index.cjs	284.24 KB (-12.49% 🔽)	5.7 s (-12.49% 🔽)	2.4 s (-50.4% 🔽)	8.1 s

github-actions · 2026-04-14T13:43:00Z

🎉 This PR is included in version 10.3.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

vercel Bot had a problem deploying to Preview April 14, 2026 13:17 Failure

SchnozzleCat force-pushed the fix/dependabot-security-updates branch from f2b5a0e to 6e2e781 Compare April 14, 2026 13:20

vercel Bot deployed to Preview April 14, 2026 13:21 View deployment

fix: non-breaking dependabot security updates

7447ea2

SchnozzleCat force-pushed the fix/dependabot-security-updates branch from 6e2e781 to 7447ea2 Compare April 14, 2026 13:31

vercel Bot deployed to Preview April 14, 2026 13:32 View deployment

lukasbals approved these changes Apr 14, 2026

View reviewed changes

SchnozzleCat merged commit 7447ea2 into main Apr 14, 2026
8 checks passed

SchnozzleCat deleted the fix/dependabot-security-updates branch April 14, 2026 13:41

SchnozzleCat temporarily deployed to npm April 14, 2026 13:41 — with GitHub Actions Inactive

vercel Bot deployed to Production April 14, 2026 13:42 View deployment

github-actions Bot added the released label Apr 14, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: non-breakin gdependabot security updates#281

fix: non-breakin gdependabot security updates#281
SchnozzleCat merged 1 commit intomainfrom
fix/dependabot-security-updates

SchnozzleCat commented Apr 14, 2026 •

edited

Loading

Uh oh!

vercel Bot commented Apr 14, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Apr 14, 2026 •

edited

Loading

Uh oh!

Uh oh!

github-actions Bot commented Apr 14, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

SchnozzleCat commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Vulnerabilities Fixed

Dependencies

Uh oh!

vercel Bot commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

size-limit report 📦

Uh oh!

Uh oh!

github-actions Bot commented Apr 14, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

SchnozzleCat commented Apr 14, 2026 •

edited

Loading

vercel Bot commented Apr 14, 2026 •

edited

Loading

github-actions Bot commented Apr 14, 2026 •

edited

Loading