Bump the npm_and_yarn group across 1 directory with 13 updates#1920

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm_and_yarn-756889332a
@dependabot dependabot Bot commented on behalf of github Jun 19, 2026

Bumps the npm_and_yarn group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| lodash | 4.17.23 | 4.18.1 |
| @sveltejs/kit | 2.58.0 | 2.66.0 |
| svelte | 5.55.5 | 5.55.7 |
| vite | 7.3.2 | 7.3.5 |
| vitest | 4.0.10 | 4.1.9 |
| file-type | 16.5.4 | 21.3.4 |
| ip-address | 10.1.0 | 10.2.0 |
| shell-quote | 1.8.3 | 1.8.4 |

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates @sveltejs/kit from 2.58.0 to 2.66.0

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.66.0

Minor Changes

  • feat: precompress prerendered .md and .mdx files (#15893)

  • feat: warn the user when they forget to make boolean inputs optional in their form schemas (#15804)

Patch Changes

  • fix: blur active element before component update during navigation so that blur/focusout handlers fire while old component data is still valid (#15452)

  • fix: ensure base is available from $service-worker during development (#15882)

  • fix: use correct relative asset paths when rendering an error page for a missing __data.json request (#15884)

  • fix: preserve active for await consumers across query.live reconnects (#16022)

  • fix: settle query.live reconnect promise on all exit paths, preventing invalidateAll() from deadlocking when a live query is offline or interrupted (#16022)

  • fix: preserve last value when a query.live stream completes without yielding on reconnect (#16022)

  • fix: remove types: ['node'] from generated tsconfig to avoid errors when @types/node is not installed (#15709)

  • fix: prefer pages over endpoints when prerendering (#16076)

  • fix: restore snapshots after afterNavigate callbacks (#16066)

  • fix: support ws:/wss: and trusted-types-eval for CSP sources (#15938)

  • fix: omit empty file inputs from remote form data (#15898)

  • fix: fail early if a route with +page and +server is marked as prerenderable (#16075)

  • fix: wait a tick before resetting forms (#15805)

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.66.0

Minor Changes

  • feat: precompress prerendered .md and .mdx files (#15893)

  • feat: warn the user when they forget to make boolean inputs optional in their form schemas (#15804)

Patch Changes

  • fix: blur active element before component update during navigation so that blur/focusout handlers fire while old component data is still valid (#15452)

  • fix: ensure base is available from $service-worker during development (#15882)

  • fix: use correct relative asset paths when rendering an error page for a missing __data.json request (#15884)

  • fix: preserve active for await consumers across query.live reconnects (#16022)

  • fix: settle query.live reconnect promise on all exit paths, preventing invalidateAll() from deadlocking when a live query is offline or interrupted (#16022)

  • fix: preserve last value when a query.live stream completes without yielding on reconnect (#16022)

  • fix: remove types: ['node'] from generated tsconfig to avoid errors when @types/node is not installed (#15709)

  • fix: prefer pages over endpoints when prerendering (#16076)

  • fix: restore snapshots after afterNavigate callbacks (#16066)

  • fix: support ws:/wss: and trusted-types-eval for CSP sources (#15938)

  • fix: omit empty file inputs from remote form data (#15898)

  • fix: fail early if a route with +page and +server is marked as prerenderable (#16075)

  • fix: wait a tick before resetting forms (#15805)

... (truncated)

Commits
  • 4c9b8f1 Version Packages (#16062)
  • 276744d fix: preflight schemas apply correctly when chained before for (#15863)
  • e8c8d84 chore: DRY out __sveltekit_xyz123 stuff (#16085)
  • 4eabadc fix: fail early if a route with +page and +server is marked as prerendera...
  • de47227 chore: correctly type keys of the URL object (#16078)
  • f8c842c fix: prefer pages over endpoints when prerendering (#16076)
  • 63f1b0b fix: blur active element before component update during navigation (#15452)
  • 860b3c7 fix: remove types: ['node'] from generated tsconfig (#15709)
  • 8740132 fix: show error.html when root layout load() throws in SPA mode (#15798)
  • 0d8ef59 chore: await web-first assertions in basics client tests (#16068)
  • Additional commits viewable in compare view

Updates svelte from 5.55.5 to 5.55.7

Release notes

Sourced from svelte's releases.

svelte@5.55.7

Patch Changes

svelte@5.55.6

Patch Changes

  • fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)

  • fix: keep dependencies of $state.eager/pending (#18218)

  • fix: reapply context after transforming error during SSR (#18099)

  • fix: don't rebase just-created batches (#18117)

  • chore: allow null for pending in typings (#18201)

  • fix: flush eager effects in production (#18107)

  • fix: rethrow error of failed iterable after calling return() (#18169)

  • fix: account for proxified instance when updating bind:this (#18147)

  • fix: ensure scheduled batch is flushed if not obsolete (#18131)

  • fix: resolve stale deriveds with latest value (#18167)

  • chore: remove unnecessary increment_pending calls (#18183)

  • fix: correctly compile component member expressions for SSR (#18192)

  • fix: reset source.updated stack traces after flush (#18196)

  • fix: replacing async 'blocking' strategy with 'merging' (#18205)

  • fix: allow @debug tags to reference awaited variables (#18138)

  • fix: re-run fallback props if dependencies update (#18146)

  • fix: abort running obsolete async branches (#18118)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.55.7

Patch Changes

5.55.6

Patch Changes

  • fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)

  • fix: keep dependencies of $state.eager/pending (#18218)

  • fix: reapply context after transforming error during SSR (#18099)

  • fix: don't rebase just-created batches (#18117)

  • chore: allow null for pending in typings (#18201)

  • fix: flush eager effects in production (#18107)

  • fix: rethrow error of failed iterable after calling return() (#18169)

  • fix: account for proxified instance when updating bind:this (#18147)

  • fix: ensure scheduled batch is flushed if not obsolete (#18131)

  • fix: resolve stale deriveds with latest value (#18167)

  • chore: remove unnecessary increment_pending calls (#18183)

  • fix: correctly compile component member expressions for SSR (#18192)

  • fix: reset source.updated stack traces after flush (#18196)

  • fix: replacing async 'blocking' strategy with 'merging' (#18205)

  • fix: allow @debug tags to reference awaited variables (#18138)

  • fix: re-run fallback props if dependencies update (#18146)

... (truncated)

Commits

Updates vite from 7.3.2 to 7.3.5

Release notes

Sourced from vite's releases.

v7.3.5

Please refer to CHANGELOG.md for details.

v7.3.3

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.5 (2026-06-01)

Bug Fixes

Miscellaneous Chores

7.3.4 (2026-06-01)

Bug Fixes

7.3.3 (2026-05-07)

Bug Fixes

Commits

Updates vitest from 4.0.10 to 4.1.9

Release notes

Sourced from vitest's releases.

v4.1.9

🐞 Bug Fixes

View changes on GitHub

v4.1.8

   🐞 Bug Fixes

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

   🏎 Performance

    View changes on GitHub

v4.1.5

   🚀 Experimental Features

   🐞 Bug Fixes

... (truncated)

Commits
  • a7a61e7 chore: release v4.1.9 (#10598)
  • 934b0f5 fix(pool): prevent test run hang on worker crash (#10543) [backport to v4] (#...
  • 7fb2965 fix(browser): wait for orchestrator readiness before resolving browser sessio...
  • a518019 fix: fix importOriginal with optimizer and query import [backport to v4] (#...
  • e61f2dd chore: release v4.1.8
  • e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • a09d472 chore: release v4.1.7
  • a8fd24c chore: release v4.1.6
  • 18af98c fix(browser): simplify orchestrator otel carrier (#10285)
  • 3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
  • Additional commits viewable in compare view

Updates immutable from 3.7.6 to 4.3.8

Release notes

Sourced from immutable's releases.

v4.3.8

Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

v4.3.7

What's Changed

Full Changelog: immutable-js/immutable-js@v4.3.6...v4.3.7

v4.3.6

What's Changed

Internals

New Contributors

Full Changelog: immutable-js/immutable-js@v4.3.5...v4.3.6

v4.3.5

What's Changed

New Contributors

Full Changelog: immutable-js/immutable-js@v4.3.4...v4.3.5

4.3.4

What's Changed

Full Changelog: immutable-js/immutable-js@v4.3.3...v4.3.4

v4.3.3

What's Changed

... (truncated)

Changelog

Sourced from immutable's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning. Dates are formatted as YYYY-MM-DD.

Unreleased

  • fix(IndexedCollection): has(index) on a lazy Seq of unknown size now checks index existence instead of searching for a value equal to the index
  • [TypeScript]: reduce/reduceRight without an initial value now infer the result type from the collection's values when the reducer returns a value (e.g. list.reduce((a, b) => a + b) infers number), matching Array#reduce. Previously an explicit type argument was required.

5.1.6

  • fix(reverseFactory): read reversedSequence.size in __iterator instead of this #2196

5.1.5

  • Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

5.1.4

Documentation

Internal

5.1.3

TypeScript

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for immutable since your current version.


Updates @grpc/grpc-js from 1.14.1 to 1.14.4

Release notes

Sourced from @​grpc/grpc-js's releases.

@​grpc/grpc-js 1.14.4

@​grpc/grpc-js 1.14.3

  • Send halfClose immediately after messages to prevent late halfClose issues with Envoy (#3031 contributed by @​serkanerip)

@​grpc/grpc-js 1.14.2

Commits
  • a380735 Merge pull request #3052 from murgatroid99/grpc-js_1.14.4
  • 5b8d37b Merge commit from fork
  • 6a97456 Merge commit from fork
  • e5e0b1d grpc-js: Bump version to 1.14.4
  • 5029a26 Make compression error a static string
  • 2fe55fd Fix crashes when receiving malformed compressed data
  • 234f917 Fix server crash when handling invalid requests
  • acef8d4 Merge pull request #3043 from murgatroid99/rbac_types_change_fix_1.14
  • 4f3c58f grpc-js-xds: Update RBAC code to handle Node type change, pin @​types/node
  • ccd29b2 Merge pull request #3032 from murgatroid99/grpc-js_retry_half_close_1.14
  • Additional commits viewable in compare view

Updates @opentelemetry/core from 2.0.0 to 2.0.1

Release notes

Sourced from @​opentelemetry/core's releases.

v2.0.1

2.0.1

🐛 Bug Fixes

  • fix(resources): guard asynchronous resource attribute rejections from causing unhandled promise rejection #5544 @​dyladan
  • fix(resource): do not trigger Accessing resource attributes before async attributes settled warning when detecting resources #5546 @​dyladan
    • verbose logging of detected resource removed
  • fix(resource): use dynamic import over require to improve ESM compliance #5298 @​xiaoxiangmoe

📚 Documentation

  • refactor(metrics): Updated metrics samples to no longer treat sdk.start() as async #5617 @​JacksonWeber

🏠 Internal

Changelog

Sourced from @​opentelemetry/core's changelog.

2.0.1

🐛 Bug Fixes

  • fix(resources): guard asynchronous resource attribute rejections from causing unhandled promise rejection #5544 @​dyladan
  • fix(resource): do not trigger Accessing resource attributes before async attributes settled warning when detecting resources #5546 @​dyladan
    • verbose logging of detected resource removed
  • fix(resource): use dynamic import over require to improve ESM compliance #5298 @​xiaoxiangmoe
  • fix(core): getNumberFromEnv should return number | undefined #5874 @​shubham-vunet

📚 Documentation

  • refactor(metrics): Updated metrics samples to no longer treat sdk.start() as async #5617 @​JacksonWeber

🏠 Internal

Commits
  • 4ce5bd1 chore: prepare release 2.0.1/0.201.0 (#5683)
  • 6803723 fix(deps): update all patch versions (#5685)
  • d4d3732 feat(instrumentation): export generic 'semconvStabilityFromStr()' utility, ra...
  • 56610a0 test: test Node.js 24 in CI (#5661)
  • 697e1d3 refactor(instrumentation-http): Add back support for http semconv (#5665)
  • 373edd9 Revert "fix(sdk-metrics): improve PeriodicExportingMetricReader() constructor...
  • 0c21db4 feat(instrumentat...

    Description has been truncated

Bumps the npm_and_yarn group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [lodash](https://github.com/lodash/lodash) | `4.17.23` | `4.18.1` |
| [@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit) | `2.58.0` | `2.66.0` |
| [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte) | `5.55.5` | `5.55.7` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.3.2` | `7.3.5` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.10` | `4.1.9` |
| [file-type](https://github.com/sindresorhus/file-type) | `16.5.4` | `21.3.4` |
| [ip-address](https://github.com/beaugunderson/ip-address) | `10.1.0` | `10.2.0` |
| [shell-quote](https://github.com/ljharb/shell-quote) | `1.8.3` | `1.8.4` |



Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `@sveltejs/kit` from 2.58.0 to 2.66.0
- [Release notes](https://github.com/sveltejs/kit/releases)
- [Changelog](https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.66.0/packages/kit)

Updates `svelte` from 5.55.5 to 5.55.7
- [Release notes](https://github.com/sveltejs/svelte/releases)
- [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.55.7/packages/svelte)

Updates `vite` from 7.3.2 to 7.3.5
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.5/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.5/packages/vite)

Updates `vitest` from 4.0.10 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest)

Updates `immutable` from 3.7.6 to 4.3.8
- [Release notes](https://github.com/immutable-js/immutable-js/releases)
- [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md)
- [Commits](immutable-js/immutable-js@3.7.6...v4.3.8)

Updates `@grpc/grpc-js` from 1.14.1 to 1.14.4
- [Release notes](https://github.com/grpc/grpc-node/releases)
- [Commits](https://github.com/grpc/grpc-node/compare/@grpc/grpc-js@1.14.1...@grpc/grpc-js@1.14.4)

Updates `@opentelemetry/core` from 2.0.0 to 2.0.1
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@v2.0.0...v2.0.1)

Updates `@opentelemetry/exporter-prometheus` from 0.200.0 to 0.219.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@experimental/v0.200.0...experimental/v0.219.0)

Updates `devalue` from 5.7.1 to 5.8.1
- [Release notes](https://github.com/sveltejs/devalue/releases)
- [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md)
- [Commits](sveltejs/devalue@v5.7.1...v5.8.1)

Updates `file-type` from 16.5.4 to 21.3.4
- [Release notes](https://github.com/sindresorhus/file-type/releases)
- [Commits](sindresorhus/file-type@v16.5.4...v21.3.4)

Updates `ip-address` from 10.1.0 to 10.2.0
- [Commits](beaugunderson/ip-address@v10.1.0...v10.2.0)

Updates `shell-quote` from 1.8.3 to 1.8.4
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.8.3...v1.8.4)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@sveltejs/kit"
  dependency-version: 2.66.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: svelte
  dependency-version: 5.55.7
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 7.3.5
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: vitest
  dependency-version: 4.1.9
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: immutable
  dependency-version: 4.3.8
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@grpc/grpc-js"
  dependency-version: 1.14.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@opentelemetry/core"
  dependency-version: 2.0.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@opentelemetry/exporter-prometheus"
  dependency-version: 0.219.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: devalue
  dependency-version: 5.8.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: file-type
  dependency-version: 21.3.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: shell-quote
  dependency-version: 1.8.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels on Jun 19, 2026
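
The two lodash 4.18.0 security fixes quoted in the release notes above (blocked `constructor`/`prototype` path keys in `_.unset`/`_.omit`, and validated `imports` keys in `_.template`), sketched as stand-alone guards. This is an added example, not lodash's code and not part of this pull request. All function names are hypothetical, the path parsing is simplified, the character class is assumed to match lodash's `reForbiddenIdentifierChars`, and `__proto__` is added to the blocked keys as an assumption.

```javascript
// Added example; not lodash source. All function names here are hypothetical.

// Assumption: same character class as lodash's reForbiddenIdentifierChars.
const FORBIDDEN_IDENTIFIER_CHARS = /[()=,{}\[\]\/\s]/;

// The release note names constructor and prototype; __proto__ is added here
// as an assumption so the guard covers every route to a built-in prototype.
const BLOCKED_PATH_KEYS = new Set(['constructor', 'prototype', '__proto__']);

// Coerce a segment the way property access does, so an array-wrapped
// segment such as ['constructor'] is compared as the string 'constructor'.
const toKey = (segment) => (typeof segment === 'symbol' ? segment : String(segment));

// Simplified path parsing: a dot-separated string or an array of segments.
const toSegments = (path) =>
  (Array.isArray(path) ? path : String(path).split('.')).map(toKey);

// A path is rejected when a blocked key appears anywhere before the last
// segment, regardless of what kind of value the root is.
function isSafeUnsetPath(path) {
  return !toSegments(path).slice(0, -1).some((key) => BLOCKED_PATH_KEYS.has(key));
}

const isObjectLike = (v) =>
  v !== null && (typeof v === 'object' || typeof v === 'function');

// Delete the property at `path`. A blocked path returns false and leaves
// the target untouched, which is the post-fix behaviour the note describes.
function guardedUnset(target, path) {
  if (!isSafeUnsetPath(path)) return false;
  const segments = toSegments(path);
  const last = segments.pop();
  let parent = target;
  for (const key of segments) {
    if (!isObjectLike(parent)) return true; // nothing there to delete
    parent = parent[key];
  }
  return isObjectLike(parent) ? delete parent[last] : true;
}

// imports keys end up as parameter names of a Function() call, so every
// key has to be free of the forbidden identifier characters.
function findInvalidImportKeys(imports) {
  return Object.keys(imports || {}).filter((key) => FORBIDDEN_IDENTIFIER_CHARS.test(key));
}

// Throw before the template is compiled if any imports key is rejected.
function assertSafeImports(imports) {
  const bad = findInvalidImportKeys(imports);
  if (bad.length > 0) {
    throw new Error('Rejected imports keys: ' + JSON.stringify(bad));
  }
  return true;
}
```

Code that relied on `_.unset` or `_.omit` returning `true` for such paths, or that passed computed `imports` keys to `_.template`, will see `false` or a thrown error after this bump, so those call sites are worth a test before merging.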