Bump the javascript group across 1 directory with 14 updates

[dependabot]

Bumps the javascript group with 14 updates in the / directory:

Package	From	To
vue	3.5.33	3.5.34
vue-i18n	11.4.0	11.4.4
vue-router	5.0.6	5.0.7
yaml	2.8.4	2.9.0
@playwright/test	1.59.1	1.60.0
@vitejs/plugin-vue	6.0.6	6.0.7
@vitest/eslint-plugin	1.6.16	1.6.18
eslint	10.3.0	10.4.0
eslint-plugin-playwright	2.10.2	2.10.4
eslint-plugin-vue	10.9.0	10.9.1
sass	1.99.0	1.100.0
vite	8.0.10	8.0.14
vite-plugin-vue-devtools	8.1.1	8.1.2
vitest	4.1.5	4.1.7

Updates vue from 3.5.33 to 3.5.34

Release notes

Sourced from vue's releases.

v3.5.34

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

Changelog

Sourced from vue's changelog.

3.5.34 (2026-05-06)

Bug Fixes

• compiler-sfc: infer Vue ref wrapper types when source is unresolvable (#14758) (7f46fd4), closes #14729
• compiler-sfc: preserve hash hrefs on <image> elements (#14756) (090b2e3)
• compiler-sfc: resolve type re-exports inside declare global (#14766) (acfffe3)
• reactivity: prevent orphan effect when created in a stopped scope (#14778) (c8e2d4a), closes #14777
• runtime-core: avoid symbol coercion during props validation (#8539) (23d4fb5), closes #8487
• suspense: avoid DOM leak with out-in transition in v-if fragment (#14762) (9667e0d), closes #14761

Commits

• 57545e9 release: v3.5.34
• a3b2617 chore(deps): update dependency jsdom to ^29.1.1 (#14775)
• 23d4fb5 fix(runtime-core): avoid symbol coercion during props validation (#8539)
• 090b2e3 fix(compiler-sfc): preserve hash hrefs on \<image> elements (#14756)
• 9667e0d fix(suspense): avoid DOM leak with out-in transition in v-if fragment (#14762)
• c8e2d4a fix(reactivity): prevent orphan effect when created in a stopped scope (#14778)
• 7f46fd4 fix(compiler-sfc): infer Vue ref wrapper types when source is unresolvable (#...
• acfffe3 fix(compiler-sfc): resolve type re-exports inside declare global (#14766)
• a037385 chore(deps): update build (#14759)
• 0bc56ff chore(deps): update pnpm to v10.33.3 (#14760)
• Additional commits viewable in compare view

Updates vue-i18n from 11.4.0 to 11.4.4

Release notes

Sourced from vue-i18n's releases.

v11.4.4

What's Changed

⚡ Improvement Features

• fix(security): harden javascript URL sanitization by @​kazupon in intlify/vue-i18n#2503

Full Changelog: intlify/vue-i18n@v11.4.3...v11.4.4

v11.4.3

What's Changed

💥 Breaking Changes

• chore!: drop Node.js 20 support by @​kazupon in intlify/vue-i18n#2478

🔒 Security Fixes

• security(ci): harden workflows and add zizmor audit by @​kazupon in intlify/vue-i18n#2490

Full Changelog: intlify/vue-i18n@v11.4.2...v11.4.3

v11.4.2

What's Changed

⚡ Improvement Features

• fix(formatter): pass component children as slots by @​kazupon in intlify/vue-i18n#2474

Full Changelog: intlify/vue-i18n@v11.4.1...v11.4.2

v11.4.1

What's Changed

⚡ Improvement Features

• fix(i18n-t): pass component children as slots by @​kazupon in intlify/vue-i18n#2473

Full Changelog: intlify/vue-i18n@v11.4.0...v11.4.1

Commits

• 99fd4bc release: v11.4.4
• c9e1513 release: v11.4.3
• 478e894 chore!: drop Node.js 20 support (#2478)
• 7d618ff release: v11.4.2
• 7073775 release: v11.4.1
• See full diff in compare view

Updates vue-router from 5.0.6 to 5.0.7

Release notes

Sourced from vue-router's releases.

v5.0.7

   🚀 Features

• Upgrade to babel 8  -  by @​posva (8d3e6)
• Make defineParamParser() more intuitive  -  by @​posva (8715b)
• Upgrade @vue/devtools-api  -  by @​posva (87c3a)
• matcher: Hint at params: {} workaround in discarded params warning  -  by @​posva and shanliuling in vuejs/router#2689 (c2b13)
• param-parsers: Add include/exclude options  -  by @​posva (91cde)

   🐞 Bug Fixes

• matcher:
  • Finalize param token before processing escaped colon  -  by @​babu-ch and @​posva in vuejs/router#2654 (20521)
• query:
  • Use Object.create(null) to prevent prototype pollution  -  by @​wdskuki, wdsmini and @​posva in vuejs/router#2661 (be88c)
• resolve:
  • Omit empty optional params from resolved params  -  by @​babu-ch and @​posva in vuejs/router#2434 (1ef09)
• types:
  • Wire RouteNamedMap via generated routes.d.ts  -  by @​posva in vuejs/router#2700 (aef99)
• unplugin:
  • Avoid generating empty routes  -  by @​FrontEndDog and @​posva in vuejs/router#2642 (10a8b)
  • Apply definePage path-param parser overrides  -  by @​posva in vuejs/router#2699 (c8074)
• volar:
  • Drop runtime @vue/language-core import  -  by @​danielroe in vuejs/router#2710 (8af50)

    View changes on GitHub

Commits

• ddd20c3 release: vue-router@5.0.7
• 91cdec3 feat(param-parsers): add include/exclude options
• 8af50c9 fix(volar): drop runtime @vue/language-core import (#2710)
• b840cd6 chore(ci): set least-privilege workflow token permissions (#2708)
• 51c1672 chore(release): use @​clack/prompts
• af77a7c chore: playground param type
• 641200a refactor(param-parsers): simplify defineParamParser
• 9b9896e chore: comments
• d41897b refactor: wip of defineParamParser
• 17d51fb chore: logs
• Additional commits viewable in compare view

Updates yaml from 2.8.4 to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

• fix: Avoid calling Array.prototype.push.apply() with large source array
• fix(lexer): Avoid recursive calls that may exhaust the call stack

Commits

• ddb21b0 2.9.0
• 167365b docs: Clarify that not all errors can be avoided
• 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
• 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
• See full diff in compare view

Updates @playwright/test from 1.59.1 to 1.60.0

Release notes

Sourced from @​playwright/test's releases.

v1.60.0

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});
await page.locator('#dropzone').drop({
data: {
'text/plain': 'hello world',
'text/uri-list': 'https://example.com',
},
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

... (truncated)

Commits

• 87bb9dd cherry-pick(#40747): fix(yauzl): vendor yauzl with destroy-lifecycle fix
• 9a9c51c cherry-pick(#40733): chore(electron): revert #40184 (move Electron API to a s...
• 4b3b628 cherry-pick(#40736): Revert "feat(electron): add timeout option to electronAp...
• f869f96 chore: bump version to v1.60.0 (#40714)
• 7eb6918 cherry-pick(#40710): docs: release notes v1.60
• 118d2aa cherry-pick(#40693): chore(python): formdata path type
• 54012f5 chore(deps): bump ip-address and express-rate-limit (#40680)
• 9fa531d fix(screencast): unblock frame ack when an async client disconnects (#40674)
• 3649db5 chore(mcp): bump default extension protocol to v2 (#40678)
• bb6c009 chore(extension): mark 0.2.1 (#40679)
• Additional commits viewable in compare view

Updates @vitejs/plugin-vue from 6.0.6 to 6.0.7

Release notes

Sourced from @​vitejs/plugin-vue's releases.

plugin-vue@6.0.7

Please refer to CHANGELOG.md for details.

Changelog

Sourced from @​vitejs/plugin-vue's changelog.

6.0.7 (2026-05-15)

Features

• use carets for @rolldown/pluginutils version (#776) (941b651)

Bug Fixes

• deps: update all non-major dependencies (#762) (9e825b8)
• deps: update all non-major dependencies (#774) (77dc8bc)

Commits

• f93aceb release: plugin-vue@6.0.7
• 941b651 feat: use carets for @rolldown/pluginutils version (#776)
• 77dc8bc fix(deps): update all non-major dependencies (#774)
• 9e825b8 fix(deps): update all non-major dependencies (#762)
• See full diff in compare view

Updates @vitest/eslint-plugin from 1.6.16 to 1.6.18

Release notes

Sourced from @​vitest/eslint-plugin's releases.

v1.6.18

   🐞 Bug Fixes

• Correct requiresTypeChecking metadata for four rules  -  by @​inglec-arista in vitest-dev/eslint-plugin-vitest#905 (e06a3)

    View changes on GitHub

v1.6.17

   🐞 Bug Fixes

• Recommend toBeTypeOf instead of expectTypeOf in prefer-expect-type-of  -  by @​sheremet-va in vitest-dev/eslint-plugin-vitest#896 (a4bcd)
• no-standalone-expect: Allow expect inside vi.defineHelper callbacks  -  by @​nami8824 in vitest-dev/eslint-plugin-vitest#894 (fd8eb)

    View changes on GitHub

Commits

• 3b428d6 chore: release v1.6.18
• e06a3dc fix: correct requiresTypeChecking metadata for four rules (#905)
• 789966e chore: release v1.6.17
• a4bcdf5 fix: recommend toBeTypeOf instead of expectTypeOf in `prefer-expect-type-...
• fd8eb3c fix(no-standalone-expect): allow expect inside vi.defineHelper callbacks (#894)
• dbf423c refactor: simplify ParsedGeneralVitestFnCall type exclusion (#895)
• See full diff in compare view

Updates eslint from 10.3.0 to 10.4.0

Release notes

Sourced from eslint's releases.

v10.4.0

Features

• 1a45ec5 feat: check sequence expressions in for-direction (#20701) (kuldeep kumar)
• 450040b feat: add includeIgnoreFile() to eslint/config (#20735) (Kirk Waiblinger)

Bug Fixes

• 544c0c3 fix: escape code path DOT labels in debug output (#20866) (Pixel998)
• 6799431 fix: update dependency @​eslint/config-helpers to ^0.6.0 (#20850) (renovate[bot])
• f078fef fix: handle non-array deprecated rule replacements (#20825) (xbinaryx)

Documentation

• 7e52a71 docs: add mention of @eslint-react/eslint-plugin (#20869) (Pavel)
• db3468b docs: tweak wording around ambiguous CJS-vs-ESM config (#20865) (Kirk Waiblinger)
• 9084664 docs: Update README (GitHub Actions Bot)
• 9cc7387 docs: Update README (GitHub Actions Bot)
• 3d7b548 docs: Update README (GitHub Actions Bot)
• 191ec3c docs: Update README (GitHub Actions Bot)

Chores

• 6616856 chore: upgrade knip to v6 (#20875) (Pixel998)
• d13b084 ci: ensure auto-created PRs run CI (#20860) (lumir)
• e71c7af ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 (#20862) (dependabot[bot])
• d84393d test: add unit tests for SuppressionsService.applySuppressions() (#20863) (kuldeep kumar)
• 24db8cb test: add tests for SuppressionsService.save() (#20802) (kuldeep kumar)
• 2ef0549 chore: update ecosystem plugins (#20857) (github-actions[bot])
• a429791 ci: remove eslint-webpack-plugin types integration test (#20668) (Milos Djermanovic)
• 9e37386 chore: replace recast with range approach in code-sample-minimizer (#20682) (Copilot)
• 0dd1f9f test: disable warning for vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER (#20845) (Francesco Trotta)
• 9da3c7b refactor: remove deprecated meta.language and migrate meta.dialects (#20716) (Pixel998)
• 2099ed1 refactor: add meta.defaultOptions to more rules, enable linting (#20800) (xbinaryx)
• f1dfbc9 chore: update ecosystem plugins (#20836) (github-actions[bot])
• c759413 ci: bump pnpm/action-setup from 6.0.3 to 6.0.5 (#20843) (dependabot[bot])
• 5b817d6 test: add unit tests for lib/shared/ast-utils (#20838) (kuldeep kumar)
• 1c13ae3 test: add unit tests for lib/shared/severity (#20835) (kuldeep kumar)

Commits

• 452c401 10.4.0
• b6417e8 Build: changelog update for 10.4.0
• 6616856 chore: upgrade knip to v6 (#20875)
• d13b084 ci: ensure auto-created PRs run CI (#20860)
• 7e52a71 docs: add mention of @eslint-react/eslint-plugin (#20869)
• e71c7af ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 (#20862)
• 544c0c3 fix: escape code path DOT labels in debug output (#20866)
• db3468b docs: tweak wording around ambiguous CJS-vs-ESM config (#20865)
• d84393d test: add unit tests for SuppressionsService.applySuppressions() (#20863)
• 9084664 docs: Update README
• Additional commits viewable in compare view

Updates eslint-plugin-playwright from 2.10.2 to 2.10.4

Release notes

Sourced from eslint-plugin-playwright's releases.

v2.10.4

2.10.4 (2026-05-19)

Bug Fixes

• valid-title: Skip title checks for anonymous describe blocks (894c0ec)

v2.10.3

2.10.3 (2026-05-18)

Bug Fixes

• missing-playwright-await: Fix false positive when not assigning awaited variable (#464) (801f01a)

Commits

• 894c0ec fix(valid-title): Skip title checks for anonymous describe blocks
• 801f01a fix(missing-playwright-await): Fix false positive when not assigning awaited ...
• b264380 chore(deps): Bump postcss from 8.5.6 to 8.5.14 (#462)
• adc8ad1 chore(deps): Bump ip-address from 10.1.0 to 10.2.0 (#461)
• See full diff in compare view

Updates eslint-plugin-vue from 10.9.0 to 10.9.1

Release notes

Sourced from eslint-plugin-vue's releases.

v10.9.1

Patch Changes

• Updated peer dependency version for vue-eslint-parser to fix parsing errors in Vue SFCs (#3075)

Changelog

Sourced from eslint-plugin-vue's changelog.

10.9.1

Patch Changes

• Updated peer dependency version for vue-eslint-parser to fix parsing errors in Vue SFCs (#3075)

Commits

• 8a2129e Version Packages (#3077)
• fe776a9 fix: require correct peerDep version for vue-eslint-parser (#3075)
• 73f3ef4 docs: update ESLint version requirement to include ^10.0.0 (#3074)
• 333008a Fixed changelog formatting/order for v10.8.0
• See full diff in compare view

Updates sass from 1.99.0 to 1.100.0

Release notes

Sourced from sass's releases.

Dart Sass 1.100.0

To install Sass 1.100.0, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

• Writing two compound selectors adjacent to one another without any whitespace between them, such as [class]a, is now deprecated. This was always an error in CSS and Sass only supported it by mistake.

  See the Sass website for details.

See the full changelog for changes in earlier releases.

Changelog

Sourced from sass's changelog.

1.100.0

• Writing two compound selectors adjacent to one another without any whitespace between them, such as [class]a, is now deprecated. This was always an error in CSS and Sass only supported it by mistake.

  See the Sass website for details.

Commits

• 5fd18c7 Bump node engine requirement to >=20.19.0 and chokidar requirement to ^5.0.0 ...
• 8c1d984 Deprecate adjacent compound selectors (#2765)
• 8e5f718 Bump postcss from 8.5.12 to 8.5.13 in /pkg/sass-parser (#2767)
• 1447f9b Bump postcss from 8.5.8 to 8.5.12 in /pkg/sass-parser (#2766)
• See full diff in compare view

Updates vite from 8.0.10 to 8.0.14

Release notes

Sourced from vite's releases.

v8.0.14

Please refer to CHANGELOG.md for details.

v8.0.13

Please refer to CHANGELOG.md for details.

v8.0.12

Please refer to CHANGELOG.md for details.

v8.0.11

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.14 (2026-05-21)

Features

• update rolldown to 1.0.2 (#22484) (96efc88)

Bug Fixes

• deps: update all non-major dependencies (#22471) (98b8163)
• dev: handle errors when sending messages to vite server (#22450) (e8e9a34)
• html: handle trailing slash paths in transformIndexHtml (#22480) (5d94d1b)
• optimizer: pass oxc jsx options to transformSync in dependency scan (#22342) (b3132da)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22470) (7cb728e)
• remove irrelevant commits from changelog (2c69495)

Code Refactoring

• glob: do not rewrite import path for absolute base (#22310) (0ae2844)

Tests

• css: sass does not use main field (#22449) (ebf39a0)

8.0.13 (2026-05-14)

Features

• bundled-dev: add lazy bundling support (#21406) (4f0949f)
• optimizer: improve the esbuild plugin converter to pass some properties of build result to onEnd (#22357) (47071ce)
• update rolldown to 1.0.1 (#22444) (8c766a6)

Bug Fixes

• build: copy public directory after building same environment with write=false (#22328) (158e8ae)
• css: await sass/less/styl worker disposal on teardown (fix #22274) (#22275) (b7edcb7)
• css: keep deprecated name/originalFileName in synthetic assetFileNames call (#22439) (8e59c97)
• make isBundled per environment (#22257) (a576326)
• ssr: avoid rewriting labels that collide with imports (#22451) (d9b18e0)

Miscellaneous Chores

• remove irrelevant commits from changelog (#22430) (6ea3838)
• update changelog (#22413) (fcdc87c)

8.0.12 (2026-05-11)

Features

• update rolldown to 1.0.0 (#22401) (cf0ff41)

... (truncated)

Commits

• c917f1e release: v8.0.14
• 5d94d1b fix(html): handle trailing slash paths in transformIndexHtml (#22480)
• 98b8163 fix(deps): update all non-major dependencies (#22471)
• 96efc88 feat: update rolldown to 1.0.2 (#22484)
• ebf39a0 test(css): sass does not use main field (#22449)
• 0ae2844 refactor(glob): do not rewrite import path for absolute base (#22310)
• 7cb728e chore(deps): update rolldown-related dependencies (#22470)
• b3132da fix(optimizer): pass oxc jsx options to transformSync in dependency scan ...
• e8e9a34 fix(dev): handle errors when sending messages to vite server (#22450)
• 2c69495 chore: remove irrelevant commits from changelog
• Additional commits viewable in compare view

Updates vite-plugin-vue-devtools from 8.1.1 to 8.1.2

Release notes

Sourced from vite-plugin-vue-devtools's releases.

v8.1.2

   🚀 Features

• Bump vite-plugin-vue-inspector to support vapor app  -  by @​webfansplz in vuejs/devtools#1096 (784c3)

   🐞 Bug Fixes

• devtools-kit: Remove special handling for Router object  -  by @​skirtles-code in vuejs/devtools#1092 (c2dde)
• extension: Load devtools-background.js as type="module"  -  by @​skirtles-code in vuejs/devtools#1072 (eed09)
• vite: Use TrustedScriptURL for overlay injection under Trusted Types CSP  -  by @​ashishkr96 in vuejs/devtools#1094 (ef08f)

    View changes on GitHub

Commits

• 30e9ebc chore: release v8.1.2
• ef08fd6 fix(vite): use TrustedScriptURL for overlay injection under Trusted Types CSP...
• 784c324 feat: bump vite-plugin-vue-inspector to support vapor app (#1096)
• See full diff in compare view

Updates vitest from 4.1.5 to 4.1.7

Release notes

Sourced from vitest's releases.

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in vitest-dev/vitest#10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in vitest-dev/vitest#10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

Commits

• a09d472 chore: release v4.1.7
• a8fd24c chore: release v4.1.6
• 18af98c fix(browser): simplify orchestrator otel carrier (#10285)
• 3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creat...

Description has been truncated