Skip to content

chore(deps): update dependency @builder.io/qwik-city to v1.19.2 [security]#32

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-builder.io-qwik-city-vulnerability
Open

chore(deps): update dependency @builder.io/qwik-city to v1.19.2 [security]#32
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-builder.io-qwik-city-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 10, 2025

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@builder.io/qwik-city (source) 1.8.01.19.2 age confidence

Qwik's unhandled exception vulnerabilty can cause server crashes from malicious requests

CVE-2025-53620 / GHSA-qr9h-j6xg-2j72

More information

Details

Summary

Possibility to craft a request that will crash the Qwik Server in the default configuration.

Details

When a Qwik Server Action QRL is executed it dynamically load the file containing the symbol. When an invalid qfunc is sent, the server does not handle the thrown error. The error then causes Node JS to exit.

PoC
  1. Setup a Qwik Project pnpm create qwik@latest
  2. Start the Qwik Server using pnpm run preview
  3. Execute the following curl command to crash the instance
curl --location 'http://localhost:4173/?qfunc=PPXYallGsCE' \
--header 'Content-Type: application/qwik-json' \
--header 'X-Qrl: PPXYallGsCE' \
--data '{"_entry":"2","_objs":["\u0002_#s_PPXYallGsCE",1,["0","1"]]}'

Here the qfunc query parameter, X-Qrl header and payload need to have the same qrl.

The Qwik Server will then crash with the message

qrl s_PPXYallGsCE failed to load Error: Dynamic require of "_.js" is not supported
    at file:///home/michele/Code/qwik/server/entry.preview.js:32:199
    at Object.importSymbol (file:///home/michele/Code/qwik/server/entry.preview.js:32:776)
    at $ (file:///home/michele/Code/qwik/server/entry.preview.js:26:3064)
    at d (file:///home/michele/Code/qwik/server/entry.preview.js:26:3274)
    at file:///home/michele/Code/qwik/server/entry.preview.js:26:3311
    at Object.a (file:///home/michele/Code/qwik/server/entry.preview.js:26:2566)
    at oc (file:///home/michele/Code/qwik/server/entry.preview.js:16:1562)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.m [as next] (file:///home/michele/Code/qwik/server/entry.preview.js:15:7000)
    at async Ls (file:///home/michele/Code/qwik/server/entry.preview.js:15:5559)
node:internal/process/promises:289
            triggerUncaughtException(err, true /* fromPromise */);
            ^

Error: Dynamic require of "_.js" is not supported
    at file:///home/michele/Code/qwik/server/entry.preview.js:32:199
    at Object.importSymbol (file:///home/michele/Code/qwik/server/entry.preview.js:32:776)
    at $ (file:///home/michele/Code/qwik/server/entry.preview.js:26:3064)
    at d (file:///home/michele/Code/qwik/server/entry.preview.js:26:3274)
    at file:///home/michele/Code/qwik/server/entry.preview.js:26:3311
    at Object.a (file:///home/michele/Code/qwik/server/entry.preview.js:26:2566)
    at oc (file:///home/michele/Code/qwik/server/entry.preview.js:16:1562)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.m [as next] (file:///home/michele/Code/qwik/server/entry.preview.js:15:7000)
    at async Ls (file:///home/michele/Code/qwik/server/entry.preview.js:15:5559)

Node.js v21.7.2

The same can also be repeated running Qwik in production using express.

  1. Setup a Qwik Project pnpm create qwik@latest
  2. Install the express middleware pnpm run qwik add express
  3. Build the qwik app using pnpm run build
  4. Start the server using pnpm run serve
  5. Execute the following curl command to crash the instance
curl --location 'http://localhost:3000/?qfunc=PPXYallGsCE' \
--header 'Content-Type: application/qwik-json' \
--header 'X-Qrl: PPXYallGsCE' \
--data '{"_entry":"2","_objs":["\u0002_#s_PPXYallGsCE",1,["0","1"]]}'
Impact

Any Qwik Server instance running the default configuration can be crashed. Using a simple loop to send this HTTP request will cause permanent down time of the service as it takes a few seconds for an instance to restart.

There is also the issue that this can happen without a malicious attacker.
When a Qwik Application is deployed through a CDN and an old instance is still loaded on some Client, like through an inactive Tab. Once that user returns to the old Version and performs an action that runs a removed qfunc the server will crash.

Severity

  • CVSS Score: 9.2 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Qwik SSR XSS via Unsafe Virtual Node Serialization

CVE-2026-25148 / GHSA-m6jq-g7gq-5w3c

More information

Details

Summary

Description
A Cross-site Scripting (CWE-79) vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This affects qwik-city before version 1.19.0. This has been patched in qwik-city version 1.19.0.

Impact

This vulnerability impacts applications that dynamically populate Virtual Node attributes with keys/values that users can influence. Applications that hard-code these keys/values are unaffected.

Qwik doesn't use traditional hydration. Instead, it serializes application state into the HTML so the client can resume execution from the server-rendered output. To support this, Qwik v1 marks component boundaries with HTML comments. SSR builds comment content for Virtual components by concatenating structural attribute names and values without any escaping or quoting. An attacker-controlled key or value can prematurely close the HTML comment and inject arbitrary HTML/JS.

Successful exploitation permits script execution in a victim’s browser in the context of the affected origin. Additionally, because Qwik uses these serialized comment markers for resumability, breaking comment structure can lead to resume/hydration desync and unexpected client-side behavior.

Patches

This has been patched in qwik-city version 1.19.0. Users are strongly encouraged to update to the latest available release.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Prototype Pollution via FormData Processing in Qwik City

CVE-2026-25150 / GHSA-xqg6-98cw-gxhq

More information

Details

Summary

A Prototype Pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service.

Impact

An unauthenticated attacker can supply specially crafted form field names that cause formToObj() to write dangerous keys (for example proto, constructor, prototype) into parsed objects. This results in Prototype Pollution of the server process and can cause privilege escalation, auth bypass, denial-of-service, or other global application integrity failures depending on how objects are used.

Severity

  • CVSS Score: 9.3 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Qwik City has a CSRF Protection Bypass via Content-Type Header Validation

CVE-2026-25151 / GHSA-r666-8gjf-4v5f

More information

Details

Summary

Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers.

Impact

A vulnerability in checkCSRF lets an attacker bypass Origin-based CSRF checks by using malformed or multi-valued Content-Type headers. Exploitation requires the CORS preflight to succeed (so it’s blocked if preflight is denied) and is possible when the application accepts cross-origin requests or via non-browser clients. Impact varies with server CORS and cookie policies and may enable unauthorized state changes.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Qwik City Open Redirect via fixTrailingSlash

CVE-2026-25149 / GHSA-92j7-wgmg-f32m

More information

Details

Summary

Description
An Open Redirect (CWE-601) vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This affects qwik-city before version 1.19.0. This has been patched in qwik-city version 1.19.0.

Impact

Qwik City automatically applies the fixTrailingSlash middleware to page routes to ensure URL consistency. This vulnerability impacts all Qwik City applications deployed to runtimes that have a catch-all path to match arbitrary domains and that do not automatically normalize URL paths (e.g. Bun).

Exploitation allows an attacker to craft links that trigger a 301 redirect to arbitrary protocol-relative URLs. Browsers interpret this Location header as a protocol-relative URL, redirecting the user to attacker-controlled domains. This can enable phishing attacks and token theft among other common open redirect exploits.

Patches

This has been patched in qwik-city version 1.19.0. Users are strongly encouraged to update to the latest available release.

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Qwik City CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)

CVE-2026-25155 / GHSA-vm6g-8r4h-22x8

More information

Details

Summary

A typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers.

Impact

An attacker can bypass Qwik City’s Origin-based CSRF protections and perform forged form submissions, potentially causing unauthorized state changes.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Qwik City has array method pollution in FormData processing allows type confusion and DoS

CVE-2026-32701 / GHSA-whhv-gg5v-864r

More information

Details

Summary

Qwik City improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays.

Description

When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names such as items.0 and items.1 into nested structures. If a path was interpreted as an array, additional attacker-controlled keys on the same path, such as items.toString, items.push, items.valueOf, or items.length, could alter the resulting server-side value in unexpected ways.

Applications that assumed these parsed values were safe arrays could be affected. Depending on application behavior, this could lead to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code.

This issue affects form parsing in Qwik City request handling. It does not require authentication if the vulnerable route is publicly reachable.

Impact

An attacker can send crafted form submissions that cause parsed input to differ from the application’s expected shape. Possible outcomes include:

  • Triggering runtime errors when application code calls array methods on attacker-influenced values
  • Inflating array length or otherwise creating malformed structures that increase server work or memory use
  • Causing type confusion in application logic that trusts parsed form data to be a normal array

There is no direct evidence that this issue enables confidentiality or integrity impact by itself; the primary risk is denial of service and application instability.

Patched Versions

Patched in 1.19.2.

Workarounds

Until patched, avoid trusting parsed form data to be a well-formed array when using dotted field names, and validate or normalize action input before using array methods or relying on array shape.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

QwikDev/qwik (@​builder.io/qwik-city)

v1.19.2

Compare Source

Patch Changes
  • 🐞🩹 When a form POST is done, keys like "name.1" mean it's an array. However, later keys could be strings like "name.value". Now, we check if all the keys are numbers, otherwise we make an object instead of an array. This allows for more correct form data handling. (by @​wmertens in #​8424)

  • 🐞🩹 handle special characters in dynamic route (by @​gioboa in #​8400)

v1.19.1

Compare Source

Patch Changes
  • 🐞🩹 support Deno as package manager for production builds. The Vite plugin now recognizes Deno as a Node-compatible runtime for manifest passing, and SSG delegates to the Node implementation instead of stubbing out. (by @​ianlet in #​8385)

  • 🐞🩹 Link hash change now properly updates location.url.hash (by @​maiieul in #​8305)

v1.19.0

Compare Source

Minor Changes
Patch Changes
  • 🐞🩹 qwik-city spa routeStateInternal and routeLocation url origins mismatch (by @​maiieul in #​8234)

  • feat(qwik-city): add getOrigin option to QwikCityBunOptions and QwikCityDenoOptions for improved URL handling (by @​JerryWu1234 in #​8251)

  • Make RequestEvents readonly instead of frozen (by @​DustinJSilk in #​8135)

v1.18.0

Compare Source

Patch Changes
  • execute cleanup cb for all component tree while calling dispose.cleanup method returned by render fn (by @​sashkashishka in #​8164)

v1.17.2

Compare Source

Patch Changes
  • 🐞🩹 history behavior in some edge cases has been brought inline with the E2E tests that were accidentally disabled. (the tests can't be disabled any more either) (by @​wmertens in 206f3e0)

  • 🐞🩹 SPA routing is broken unless origin matches value in in vite.config #​8093 (by @​termermc in #​8097)

    If the SSG origin was set to localhost:3000 and a user visited from 127.0.0.1:3000, SPA routing would be broken.

    Internally, useNavigate's context provider goto checks the new destination with the last route location. If the
    origin is different, it just does a normal browser navigation. This makes sense; links to other origins cannot use
    SPA routing. However, the initial route it compares was using an origin that came from the server environment.

    Now, the first navigation will set that initial route to the browser's actual href, eliminating the erroneous
    origin mismatch for SPA navigations.

  • 🐞🩹 this in various Qwik-City handlers is now RequestEvent again. (by @​wmertens in #​8111)

v1.17.1

Compare Source

Patch Changes
  • 🐞🩹 zod is now imported as import * as z from 'zod', which vastly improves bundling. The Insights app client code reduced by 12kB. (by @​wmertens in #​8042)

v1.17.0

Compare Source

Patch Changes
  • 🐞🩹 SSG sometimes hangs after completion, now we forcibly exit the SSG process when this happens. (by @​wmertens in #​7957)

  • 🐞🩹 return 404 for missing /build/ files. (by @​gioboa in #​7914)

  • 🐞🩹 redirecting internal q-data.json requests will keep the q-data.json suffix so that the client can still fetch the correct one (by @​wmertens in #​7988)

  • 🐞🩹 solve type error when using async _resolved function (by @​JerryWu1234 in #​7426)

  • 🐞🩹 while prefetching Link data, don't navigate to captive portals (by @​wmertens in #​7988)

v1.16.1

Compare Source

Patch Changes
  • 🐞🩹 fix behaviour of checkOrigin: "lax-proto" in createQwikCity (by @​asaharan in #​7865)

  • 🛠 Add check-client command to verify bundle freshness (by @​JerryWu1234 in #​7517)

  • 🐞🩹 return 404 with invalid URL. (by @​gioboa in #​7902)

  • ✨ All qwik packages are now marked as side effect free in their package.json. This should remove a few unecessary empty imports added by rollup and then not tree-shaken like import "./preloader.js". (by @​maiieul in #​7908)

  • ✨ SPA Link navigation now preloads the next route bundles on click with maximum probability, speeding up SPA navigation. (by @​maiieul in #​7849)

  • 🐞🩹 Your service-worker.js won't be unregistered anymore if you added custom logic to it. (by @​maiieul in #​7872)

    Note: Qwik 1.14.0 and above now use <link rel="modulepreload"> by default. If you didn't add custom service-worker logic, you should remove your service-worker.ts file(s) for the ServiceWorkerRegister Component to actually unregister the service-worker.js and delete its related cache. Make sure to keep the ServiceWorkerRegister Component in your app (without any service-worker.ts file) as long as you want to unregister the service-worker.js for your users.

v1.16.0

Compare Source

Minor Changes
Patch Changes
  • 🐞🩹 Keeping the service worker components now properly unregisters them. (by @​maiieul in #​7781)

  • 🐞🩹 redirects no longer take their parent layout's Cache-Control value by default and are instead set to no-store. This prevents issues in redirection logic. We might introduce another API to enable caching redirects in the future. (by @​maiieul in #​7811)

  • 🐞🩹 Keeping the service worker components now also removes their associated Cache storage. (by @​maiieul in #​7782)

v1.15.0

Compare Source

Minor Changes
  • ✨ Added rewrite() to the RequestEvent object. It works like redirect but does not change the URL, (by @​omerman in #​7562)
    think of it as an internal redirect.

    Example usage:

    export const onRequest: RequestHandler = async ({ url, rewrite }) => {
      if (url.pathname.includes('/articles/the-best-article-in-the-world')) {
        const artistId = db.getArticleByName('the-best-article-in-the-world');
    
        // Url will remain /articles/the-best-article-in-the-world, but under the hood,
        // will render /articles/${artistId}
        throw rewrite(`/articles/${artistId}`);
      }
    };
Patch Changes

v1.14.1

Compare Source

v1.14.0

Compare Source

Minor Changes
  • 🐞🩹 qwik-city no longer forces q-data.json downloads, instead relying on the cache headers. This means that you have to make sure your q-data.json is served with Cache-Control headers that suit you. That file contains all the information about the route and is read for each qwik-city navigation. By default the data is cached for one hour. (by @​wmertens in #​7537)

  • 🛠 the service workers have been deprecated and replaced with entries that unregister them. If you have it enabled in production, you can remove it after a while once you are sure all your users have the new version. (by @​wmertens in #​7453)

Patch Changes
  • 🐞🩹 linting errors which were previously being ignored across the monorepo. (by @​better-salmon in #​7418)

  • 🐞🩹 Link SPA subsequent navigation now properly prefetch the next routes. (by @​maiieul in #​7590)

  • 🐞🩹 SPA Link now handle subsequent onQVisible$ passed as props. (by @​maiieul in #​7612)

v1.13.0

Compare Source

Minor Changes
Patch Changes

v1.12.1

Compare Source

Patch Changes
  • 🐞🩹 MDX content now accepts a prop of type components that lets you use your own custom components (by @​double-thinker in #​7277)

    To add custom components to your MDX content, you can now do this:

    // routes/example/index.tsx
    import Content from './markdown.mdx';
    import MyComponent from '../../components/my-component/my-component';
    import { component$ } from '@&#8203;builder.io/qwik';
    
    export default component$(() => <Content components={{ MyComponent }} />);

    You can also use props in JS expressions. See https://mdxjs.com/docs/using-mdx/#props

  • 🐞🩹 mdx not rendering (by @​shairez in #​7168)

  • 📃 added a "Qwik for Mobile" guide to build iOS and Android Qwik apps (by @​srapport in #​7205)

  • 🐞🩹 some qrls weren't fetched correctly on page load (by @​shairez in #​7286)

v1.12.0

Compare Source

Patch Changes

v1.11.0

Compare Source

v1.10.0

Compare Source

Patch Changes
  • 🐞🩹 MDX content no longer ignores Layout components. See the MDX docs for more information. (by @​danielvaijk in #​6845)

  • 🐞🩹 SSG errors now show the path that failed (by @​wmertens in #​6998)

  • 🐞🩹 Fixed action redirect regression where searchParams were appended (by @​brandonpittman in #​6927)

  • 🐞🩹 Redirect, error, and fail request events no longer forcefully delete user-defined Cache-Control HTTP header value. (by @​nelsonprsousa in #​6991)

  • 🐞🩹 vite is now a peer dependency of qwik, qwik-city, qwik-react and qwik-labs, so that there can be no duplicate imports. This should not have consequences, since all apps also directly depend on vite. (by @​wmertens in #​6945)

  • 🐞🩹 Fixed MDX layout default export being ignored by transformer. (by @​danielvaijk in #​6845)

  • 🐞🩹 Prevent unexpected caching for q-data.json (by @​genki in #​6808)

  • 🐞🩹 Multiple rewrite routes pointing to the same route is no longer an error. (by @​JerryWu1234 in #​6970)

v1.9.1

Compare Source

Patch Changes
  • ✨ Experimental feature - noSPA. (by @​wmertens in #​6937)
    This disables history patching, slightly reducing code size and startup time. Use this when your application is MPA only, meaning you don't use the Link component. To enable this, add it to the experimental array of the qwikVite plugin (not the qwikCity plugin).

v1.9.0

Compare Source

Minor Changes
  • (EXPERIMENTAL) valibot$ validator and a fix for zod$ types. (by @​fabian-hiller in #​6752)

    To use it, you need to pass experimental: ['valibot'] as an option to the qwikVite plugin as such:

    // vite.config.ts
    
    export default defineConfig(({ command, mode }): UserConfig => {
      return {
        plugins: [
          // ... other plugins like qwikCity() etc
          qwikVite({
            experimental: ['valibot']
            // ... other options
          }),
    
        ],
        // ... rest of the config
      };
    }
  • (EXPERIMENTAL) usePreventNavigate lets you prevent navigation while your app's state is unsaved. It works asynchronously for SPA navigation and falls back to the browser's default dialogs for other navigations. To use it, add experimental: ['preventNavigate'] to your qwikVite options. (by @​wmertens in #​6825)

Patch Changes
  • 🐞🩹 added .ico to be detected by isStaticFile (by @​intellix in #​6860)

  • 🐞🩹 fixed delays caused from inefficient Service Worker prefetching (buffering) (by @​shairez in #​6863)


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot enabled auto-merge (squash) July 10, 2025 04:07
@renovate

renovate Bot commented Jul 10, 2025

Copy link
Copy Markdown
Contributor Author

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.


  • Branch has one or more failed status checks

@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from 40e6c4c to 23679da Compare August 10, 2025 14:12
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Aug 10, 2025

Copy link
Copy Markdown

Deploying cuex with  Cloudflare Pages  Cloudflare Pages

Latest commit: 3ec00c2
Status:🚫  Build failed.

View logs

@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch 2 times, most recently from e502953 to e1d7e8b Compare August 19, 2025 12:35
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from e1d7e8b to 02c76bb Compare August 31, 2025 10:32
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from 02c76bb to d27c4fa Compare September 25, 2025 19:49
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from d27c4fa to 55ff20d Compare October 21, 2025 17:59
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from 55ff20d to 2fce942 Compare November 10, 2025 18:10
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from 2fce942 to 51e4a60 Compare November 18, 2025 22:43
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from 51e4a60 to 3784afd Compare December 3, 2025 17:41
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from 3784afd to 7391d1d Compare December 31, 2025 13:10
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from 7391d1d to 7660d51 Compare January 8, 2026 19:24
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch 2 times, most recently from 2b009bf to 8851645 Compare January 23, 2026 16:51
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from 8851645 to ea7a297 Compare February 2, 2026 14:54
@renovate renovate Bot changed the title chore(deps): update dependency @builder.io/qwik-city to v1.13.0 [security] chore(deps): update dependency @builder.io/qwik-city to v1.19.0 [security] Feb 3, 2026
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch 2 times, most recently from 1688706 to 0377f96 Compare February 17, 2026 20:57
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from 0377f96 to 8b5afc3 Compare March 5, 2026 19:02
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from 8b5afc3 to cbe294e Compare March 13, 2026 16:15
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from cbe294e to 3a3c9e4 Compare March 20, 2026 18:10
@renovate renovate Bot changed the title chore(deps): update dependency @builder.io/qwik-city to v1.19.0 [security] chore(deps): update dependency @builder.io/qwik-city to v1.19.2 [security] Mar 20, 2026
@renovate renovate Bot changed the title chore(deps): update dependency @builder.io/qwik-city to v1.19.2 [security] chore(deps): update dependency @builder.io/qwik-city to v1.19.2 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
auto-merge was automatically disabled March 27, 2026 02:17

Pull request was closed

@renovate renovate Bot deleted the renovate/npm-builder.io-qwik-city-vulnerability branch March 27, 2026 02:17
@renovate renovate Bot changed the title chore(deps): update dependency @builder.io/qwik-city to v1.19.2 [security] - autoclosed chore(deps): update dependency @builder.io/qwik-city to v1.19.2 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch 3 times, most recently from b2f14b2 to 7955f14 Compare April 1, 2026 17:28
@renovate renovate Bot enabled auto-merge (squash) April 1, 2026 17:28
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from 7955f14 to de3c8f2 Compare April 8, 2026 18:02
@renovate renovate Bot changed the title chore(deps): update dependency @builder.io/qwik-city to v1.19.2 [security] chore(deps): update dependency @builder.io/qwik-city to v1.19.2 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
auto-merge was automatically disabled April 27, 2026 17:53

Pull request was closed

@renovate renovate Bot changed the title chore(deps): update dependency @builder.io/qwik-city to v1.19.2 [security] - autoclosed chore(deps): update dependency @builder.io/qwik-city to v1.19.2 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch 2 times, most recently from de3c8f2 to f0e5b51 Compare April 27, 2026 23:16
@renovate renovate Bot enabled auto-merge (squash) May 12, 2026 14:52
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch 2 times, most recently from b7d84af to be5de38 Compare May 18, 2026 14:30
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch 2 times, most recently from af3fe55 to 31ccb1a Compare June 1, 2026 23:04
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from 31ccb1a to de69fba Compare June 11, 2026 17:54
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-city-vulnerability branch from de69fba to 3ec00c2 Compare July 12, 2026 09:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants