Bump the npm_and_yarn group across 3 directories with 5 updates by dependabot[bot] · Pull Request #7 · JosephMaynard/loam

dependabot · 2026-05-18T19:01:14Z

Bumps the npm_and_yarn group with 3 updates in the / directory: vite, @fastify/static and fast-uri.
Bumps the npm_and_yarn group with 1 update in the /apps/client directory: vite.
Bumps the npm_and_yarn group with 1 update in the /apps/server directory: @fastify/static.

Updates vite from 8.0.2 to 8.0.5

Release notes

Sourced from vite's releases.

v8.0.5

Please refer to CHANGELOG.md for details.

v8.0.4

Please refer to CHANGELOG.md for details.

create-vite@8.0.3

Please refer to CHANGELOG.md for details.

v8.0.3

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.5 (2026-04-06)

Bug Fixes

apply server.fs check to env transport (#22159) (f02d9fd)

avoid path traversal with optimize deps sourcemap handler (#22161) (79f002f)

check server.fs after stripping query as well (#22160) (a9a3df2)

disallow referencing files outside the package from sourcemap (#22158) (f05f501)

8.0.4 (2026-04-06)

Features

allow esbuild 0.28 as peer deps (#22155) (b0da973)

hmr: truncate list of files on hmr update (#21535) (d00e806)

optimizer: log when dependency scanning or bundling takes over 1s (#21797) (f61a1ab)

Bug Fixes

hasBothRollupOptionsAndRolldownOptions should return false for proxy case (#22043) (99897d2)

add types for vite/modulepreload-polyfill (#22126) (17330d2)

deps: update all non-major dependencies (#22073) (6daa10f)

deps: update all non-major dependencies (#22143) (22b0166)

resolve: resolve tsconfig paths starting with # (#22038) (3460fc5)

ssr: use browser platform for webworker SSR builds (fix #21969) (#21963) (364c227)

Documentation

add environment.fetchModule documentation (#22035) (54229e7)

Miscellaneous Chores

deps: update rolldown-related dependencies (#21989) (0ded627)

Code Refactoring

upgrade to typescript 6 (#22110) (cc41398)

8.0.3 (2026-03-26)

Features

update rolldown to 1.0.0-rc.12 (#22024) (84164ef)

Bug Fixes

html: cache unfiltered CSS list to prevent missing styles across entries (#22017) (5464190)

module-runner: handle non-ascii characters in base64 sourcemaps (#21985) (77c95bf)

module-runner: skip re-import if the runner is closed (#22020) (ee2c2cd)

optimizer: scan is not resolving sub path import if used in a glob import (#22018) (ddfe20d)

ssr: ssrTransform incorrectly rewrites meta identifier inside import.meta when a binding named meta exists (#22019) (cff5f0c)

Miscellaneous Chores

... (truncated)

Commits

1a12d4c release: v8.0.5
79f002f fix: avoid path traversal with optimize deps sourcemap handler (#22161)
a9a3df2 fix: check server.fs after stripping query as well (#22160)
f02d9fd fix: apply server.fs check to env transport (#22159)
f05f501 fix: disallow referencing files outside the package from sourcemap (#22158)
7339bdc release: v8.0.4
54229e7 docs: add environment.fetchModule documentation (#22035)
b0da973 feat: allow esbuild 0.28 as peer deps (#22155)
22b0166 fix(deps): update all non-major dependencies (#22143)
17330d2 fix: add types for vite/modulepreload-polyfill (#22126)
Additional commits viewable in compare view

Updates @fastify/static from 8.3.0 to 9.1.1

Release notes

Sourced from @fastify/static's releases.

v9.1.1

⚠️ Security Release

This fixes CVE CVE-2026-6410 GHSA-pr96-94w5-mx2h. This fixes CVE CVE-2026-6414 GHSA-x428-ghpx-8j92.

What's Changed

ci: add lock-threads workflow by @Fdawgs in fastify/fastify-static#570

Full Changelog: fastify/fastify-static@v9.1.0...v9.1.1

v9.1.0

What's Changed

build(deps-dev): bump @types/node from 24.10.4 to 25.0.3 by @dependabot[bot] in fastify/fastify-static#552

test: move ignoreTrailingSlash under routerOptions by @lraveri in fastify/fastify-static#553

build(deps-dev): bump borp from 0.20.2 to 0.21.0 by @dependabot[bot] in fastify/fastify-static#543

chore: bump pino and borp dependencies, delete stale.yml by @Tony133 in fastify/fastify-static#557

chore: update syntax typescript by @Tony133 in fastify/fastify-static#558

chore(license): standardise license notice by @Fdawgs in fastify/fastify-static#560

fix: sendFile ignoring option overrides in some cases by @bakugo in fastify/fastify-static#559

chore: upgrade c8 to v11.0.0 and improvements test by @Tony133 in fastify/fastify-static#564

build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @dependabot[bot] in fastify/fastify-static#566

New Contributors

@lraveri made their first contribution in fastify/fastify-static#553

@Tony133 made their first contribution in fastify/fastify-static#557

@bakugo made their first contribution in fastify/fastify-static#559

Full Changelog: fastify/fastify-static@v9.0.0...v9.1.0

v9.0.0

What's Changed

build(deps): bump content-disposition from 0.5.4 to 1.0.1 by @dependabot[bot] in fastify/fastify-static#547

Update glob@13 by @mcollina in fastify/fastify-static#550

Full Changelog: fastify/fastify-static@v8.3.0...v9.0.0

Commits

48b136f Bumped v9.1.1
cc7b7f7 Merge commit from fork
9921faa Merge commit from fork
4183d2d ci: add lock-threads workflow (#570)
a3a8cd6 Bumped v9.1.0
8423c80 build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#566)
475dce1 chore: upgrade c8 to v11.0.0 and improvements test (#564)
3ff0f39 fix: sendFile ignoring option overrides in some cases (#559)
663baa7 chore(license): standardise license notice (#560)
51bb66e chore: update syntax typescript (#558)
Additional commits viewable in compare view

Updates brace-expansion from 5.0.5 to 5.0.6

Commits

46317b5 5.0.6
c0b095b Merge commit from fork
ec56020 Bump picomatch from 4.0.3 to 4.0.4 (#93)
See full diff in compare view

Updates fast-uri from 3.1.0 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

Fix for GHSA-v39h-62p7-jpjc

What's Changed

Handle malformed fragment decoding as a parse error by @mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

Fix for GHSA-q3j6-qgpj-74h6

What's Changed

build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @dependabot[bot] in fastify/fast-uri#148

build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in fastify/fast-uri#149

chore(.npmrc): ignore scripts by @Fdawgs in fastify/fast-uri#150

build(deps-dev): remove @fastify/pre-commit by @Fdawgs in fastify/fast-uri#151

build(deps): bump actions/setup-node from 4 to 5 by @dependabot[bot] in fastify/fast-uri#152

ci(ci): add concurrency config by @Fdawgs in fastify/fast-uri#153

build(deps): bump actions/setup-node from 5 to 6 by @dependabot[bot] in fastify/fast-uri#154

build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in fastify/fast-uri#156

chore(license): standardise license notice by @Fdawgs in fastify/fast-uri#159

style: remove trailing whitespace by @Fdawgs in fastify/fast-uri#161

ci: remove unused github files by @Tony133 in fastify/fast-uri#162

chore: update readme by @Tony133 in fastify/fast-uri#164

build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#165

build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#166

build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @dependabot[bot] in fastify/fast-uri#167

ci: add lock-threads workflow by @Fdawgs in fastify/fast-uri#169

New Contributors

@Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits

919dd8e Bumped v3.1.2
c65ba57 fixup: linting
6c86c17 Merge commit from fork
a95158a Handle malformed fragment decoding without throwing (#171)
cea547c Bumped v3.1.1
876ce79 Merge commit from fork
dcdf690 ci: add lock-threads workflow (#169)
c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
Additional commits viewable in compare view

Updates postcss from 8.5.8 to 8.5.14

Release notes

Sourced from postcss's releases.

8.5.14

Fixed custom syntax regression (by @43081j).

8.5.13

Fixed postcss-scss commend regression.

8.5.12

Fixed reading any file via user-generated CSS.

Added opts.unsafeMap to disable checks.

8.5.11

Fixed nested brackets parsing performance (by @offset).

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

8.5.9

Speed up source map encoding paring in case of the error.

Changelog

Sourced from postcss's changelog.

8.5.14

Fixed custom syntax regression (by @43081j).

8.5.13

Fixed postcss-scss commend regression.

8.5.12

Fixed reading any file via user-generated CSS.

Added opts.unsafeMap to disable checks.

8.5.11

Fixed nested brackets parsing performance (by @offset).

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

8.5.9

Speed up source map encoding paring in case of the error.

Commits

3ec1394 Release 8.5.14 version
f2bb827 Update dependencies
d75953d Merge pull request #2084 from 43081j/raw-raws-rawing
68bd213 fix: always call raw to retrieve raw values
af58cf1 Release 8.5.13 version
f227dbd Temporary ignore pnpm 11 config
d3abd40 Update dependencies
dd06c3e Revert stringifier changes because of the conflict with postcss-scss
ae889c8 Try to fix CI
e0093e4 Move to pnpm 11
Additional commits viewable in compare view

Updates vite from 8.0.2 to 8.0.5

Release notes

Sourced from vite's releases.

v8.0.5

Please refer to CHANGELOG.md for details.

v8.0.4

Please refer to CHANGELOG.md for details.

create-vite@8.0.3

Please refer to CHANGELOG.md for details.

v8.0.3

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.5 (2026-04-06)

Bug Fixes

apply server.fs check to env transport (#22159) (f02d9fd)

avoid path traversal with optimize deps sourcemap handler (#22161) (79f002f)

check server.fs after stripping query as well (#22160) (a9a3df2)

disallow referencing files outside the package from sourcemap (#22158) (f05f501)

8.0.4 (2026-04-06)

Features

allow esbuild 0.28 as peer deps (#22155) (b0da973)

hmr: truncate list of files on hmr update (#21535) (d00e806)

optimizer: log when dependency scanning or bundling takes over 1s (#21797) (f61a1ab)

Bug Fixes

hasBothRollupOptionsAndRolldownOptions should return false for proxy case (#22043) (99897d2)

add types for vite/modulepreload-polyfill (#22126) (17330d2)

deps: update all non-major dependencies (#22073) (6daa10f)

deps: update all non-major dependencies (#22143) (22b0166)

resolve: resolve tsconfig paths starting with # (#22038) (3460fc5)

ssr: use browser platform for webworker SSR builds (fix #21969) (#21963) (364c227)

Documentation

add environment.fetchModule documentation (#22035) (54229e7)

Miscellaneous Chores

deps: update rolldown-related dependencies (#21989) (0ded627)

Code Refactoring

upgrade to typescript 6 (#22110) (cc41398)

8.0.3 (2026-03-26)

Features

update rolldown to 1.0.0-rc.12 (#22024) (84164ef)

Bug Fixes

html: cache unfiltered CSS list to prevent missing styles across entries (#22017) (5464190)

module-runner: handle non-ascii characters in base64 sourcemaps (#21985) (77c95bf)

module-runner: skip re-import if the runner is closed (#22020) (ee2c2cd)

optimizer: scan is not resolving sub path import if used in a glob import (#22018) (ddfe20d)

ssr: ssrTransform incorrectly rewrites meta identifier inside import.meta when a binding named meta exists (#22019) (cff5f0c)

Miscellaneous Chores

... (truncated)

Commits

1a12d4c release: v8.0.5
79f002f fix: avoid path traversal with optimize deps sourcemap handler (#22161)
a9a3df2 fix: check server.fs after stripping query as well (#22160)
f02d9fd fix: apply server.fs check to env transport (#22159)
f05f501 fix: disallow referencing files outside the package from sourcemap (#22158)
7339bdc release: v8.0.4
54229e7 docs: add environment.fetchModule documentation (#22035)
b0da973 feat: allow esbuild 0.28 as peer deps (#22155)
22b0166 fix(deps): update all non-major dependencies (#22143)
17330d2 fix: add types for vite/modulepreload-polyfill (#22126)
Additional commits viewable in compare view

Updates @fastify/static from 8.3.0 to 9.1.1

Release notes

Sourced from @fastify/static's releases.

v9.1.1

⚠️ Security Release

This fixes CVE CVE-2026-6410 GHSA-pr96-94w5-mx2h. This fixes CVE CVE-2026-6414 GHSA-x428-ghpx-8j92.

What's Changed

ci: add lock-threads workflow by @Fdawgs in fastify/fastify-static#570

Full Changelog: fastify/fastify-static@v9.1.0...v9.1.1

v9.1.0

What's Changed

build(deps-dev): bump @types/node from 24.10.4 to 25.0.3 by @dependabot[bot] in fastify/fastify-static#552

test: move ignoreTrailingSlash under routerOptions by @lraveri in fastify/fastify-static#553

build(deps-dev): bump borp from 0.20.2 to 0.21.0 by @dependabot[bot] in fastify/fastify-static#543

chore: bump pino and borp dependencies, delete stale.yml by @Tony133 in fastify/fastify-static#557

chore: update syntax typescript by @Tony133 in fastify/fastify-static#558

chore(license): standardise license notice by @Fdawgs in fastify/fastify-static#560

fix: sendFile ignoring option overrides in some cases by @bakugo in fastify/fastify-static#559

chore: upgrade c8 to v11.0.0 and improvements test by @Tony133 in fastify/fastify-static#564

build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @dependabot[bot] in fastify/fastify-static#566

New Contributors

@lraveri made their first contribution in fastify/fastify-static#553

@Tony133 made their first contribution in fastify/fastify-static#557

@bakugo made their first contribution in fastify/fastify-static#559

Full Changelog: fastify/fastify-static@v9.0.0...v9.1.0

v9.0.0

What's Changed

build(deps): bump content-disposition from 0.5.4 to 1.0.1 by @dependabot[bot] in fastify/fastify-static#547

Update glob@13 by @mcollina in fastify/fastify-static#550

Full Changelog: fastify/fastify-static@v8.3.0...v9.0.0

Commits

48b136f Bumped v9.1.1
cc7b7f7 Merge commit from fork
9921faa Merge commit from fork
4183d2d ci: add lock-threads workflow (#570)
a3a8cd6 Bumped v9.1.0
8423c80 build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#566)
475dce1 chore: upgrade c8 to v11.0.0 and improvements test (#564)
3ff0f39 fix: sendFile ignoring option overrides in some cases (#559)
663baa7 chore(license): standardise license notice (#560)
51bb66e chore: update syntax typescript (#558)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 3 updates in the / directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite), [@fastify/static](https://github.com/fastify/fastify-static) and [fast-uri](https://github.com/fastify/fast-uri). Bumps the npm_and_yarn group with 1 update in the /apps/client directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Bumps the npm_and_yarn group with 1 update in the /apps/server directory: [@fastify/static](https://github.com/fastify/fastify-static). Updates `vite` from 8.0.2 to 8.0.5 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.0.5/packages/vite) Updates `@fastify/static` from 8.3.0 to 9.1.1 - [Release notes](https://github.com/fastify/fastify-static/releases) - [Commits](fastify/fastify-static@v8.3.0...v9.1.1) Updates `brace-expansion` from 5.0.5 to 5.0.6 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v5.0.5...v5.0.6) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.1.0...v3.1.2) Updates `postcss` from 8.5.8 to 8.5.14 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.5.8...8.5.14) Updates `vite` from 8.0.2 to 8.0.5 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.0.5/packages/vite) Updates `@fastify/static` from 8.3.0 to 9.1.1 - [Release notes](https://github.com/fastify/fastify-static/releases) - [Commits](fastify/fastify-static@v8.3.0...v9.1.1) --- updated-dependencies: - dependency-name: vite dependency-version: 8.0.5 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: "@fastify/static" dependency-version: 9.1.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 5.0.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: postcss dependency-version: 8.5.14 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 8.0.5 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: "@fastify/static" dependency-version: 9.1.1 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 18, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 3 directories with 5 updates#7

Bump the npm_and_yarn group across 3 directories with 5 updates#7
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/npm_and_yarn-f72216be14

dependabot Bot commented on behalf of github May 18, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 18, 2026

v8.0.5

v8.0.4

create-vite@8.0.3

v8.0.3

8.0.5 (2026-04-06)

Bug Fixes

8.0.4 (2026-04-06)

Features

Bug Fixes

Documentation

Miscellaneous Chores

Code Refactoring

8.0.3 (2026-03-26)

Features

Bug Fixes

Miscellaneous Chores

v9.1.1

⚠️ Security Release

What's Changed

v9.1.0

What's Changed

New Contributors

v9.0.0

What's Changed

v3.1.2

⚠️ Security Release

What's Changed

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

8.5.14

8.5.13

8.5.12

8.5.11

8.5.10

8.5.9

8.5.14

8.5.13

8.5.12

8.5.11

8.5.10

8.5.9

v8.0.5

v8.0.4

create-vite@8.0.3

v8.0.3

8.0.5 (2026-04-06)

Bug Fixes

8.0.4 (2026-04-06)

Features

Bug Fixes

Documentation

Miscellaneous Chores

Code Refactoring

8.0.3 (2026-03-26)

Features

Bug Fixes

Miscellaneous Chores

v9.1.1

⚠️ Security Release

What's Changed

v9.1.0

What's Changed

New Contributors

v9.0.0

What's Changed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants