build(deps): bump the npm_and_yarn group across 2 directories with 11 updates #185
dependabot[bot] wants to merge 1 commit into master
… updates

Bumps the npm_and_yarn group with 3 updates in the /client directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite), [@babel/runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-runtime) and [esbuild](https://github.com/evanw/esbuild).
Bumps the npm_and_yarn group with 3 updates in the /server directory: [semver](https://github.com/npm/node-semver), [express](https://github.com/expressjs/express) and [json-bigint](https://github.com/sidorares/json-bigint).

Updates `vite` from 5.4.8 to 5.4.21
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v5.4.21/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v5.4.21/packages/vite)

Updates `@babel/runtime` from 7.25.7 to 7.29.2
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.2/packages/babel-runtime)

Removes `esbuild`

Updates `nanoid` from 3.3.7 to 3.3.11
- [Release notes](https://github.com/ai/nanoid/releases)
- [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md)
- [Commits](ai/nanoid@3.3.7...3.3.11)

Updates `semver` from 6.3.0 to 6.3.1
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/v6.3.1/CHANGELOG.md)
- [Commits](npm/node-semver@v6.3.0...v6.3.1)

Updates `express` from 4.18.1 to 4.22.0
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.22.0/History.md)
- [Commits](expressjs/express@4.18.1...4.22.0)

Updates `body-parser` from 1.20.0 to 1.20.4
- [Release notes](https://github.com/expressjs/body-parser/releases)
- [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md)
- [Commits](expressjs/body-parser@1.20.0...1.20.4)

Updates `cookie` from 0.5.0 to 0.7.2
- [Release notes](https://github.com/jshttp/cookie/releases)
- [Commits](jshttp/cookie@v0.5.0...v0.7.2)

Updates `json-bigint` from 0.3.1 to 1.0.0
- [Commits](sidorares/json-bigint@v0.3.1...v1.0.0)

Updates `send` from 0.18.0 to 0.19.2
- [Release notes](https://github.com/pillarjs/send/releases)
- [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md)
- [Commits](pillarjs/send@0.18.0...0.19.2)

Updates `serve-static` from 1.15.0 to 1.16.3
- [Release notes](https://github.com/expressjs/serve-static/releases)
- [Changelog](https://github.com/expressjs/serve-static/blob/master/HISTORY.md)
- [Commits](expressjs/serve-static@v1.15.0...v1.16.3)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 5.4.21
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@babel/runtime"
  dependency-version: 7.29.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: esbuild
  dependency-version:
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: nanoid
  dependency-version: 3.3.11
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: semver
  dependency-version: 6.3.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-version: 4.22.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: body-parser
  dependency-version: 1.20.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: cookie
  dependency-version: 0.7.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: json-bigint
  dependency-version: 1.0.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: send
  dependency-version: 0.19.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: serve-static
  dependency-version: 1.16.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| "typescript": "^5.5.3", | ||
| "typescript-eslint": "^8.7.0", | ||
| "vite": "^5.4.8" | ||
| "vite": "^8.0.0" |
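Review bot: the replacement line at the end of this hunk sets "vite": "^8.0.0" where the previous line was "vite": "^5.4.8", a change of major version, while the commit message lists vite as going from 5.4.8 to 5.4.21. Either set the range to the stated release ("vite": "^5.4.21") or treat and test this as a major upgrade in its own PR; as written, the caret also allows any later 8.x release to resolve on the next install.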
Vite bumped to v8 instead of v5.4.21
High Severity
The PR description states vite is updated from 5.4.8 to 5.4.21 (a patch update), but the actual change bumps vite from ^5.4.8 to ^8.0.0 — a three-major-version jump. Vite 8 is a completely different architecture (uses rolldown instead of rollup, bundles lightningcss, drops esbuild as a direct dependency). This is a breaking change that contradicts the stated intent of the PR and will likely break the build.
| "typescript": "^5.5.3", | ||
| "typescript-eslint": "^8.7.0", | ||
| "vite": "^5.4.8" | ||
| "vite": "^8.0.0" |
Vite 8 incompatible with project Node.js 18 requirement
High Severity
Vite 8.0.0 requires node: ^20.19.0 || >=22.12.0, but the project's root package.json pins Node.js to ^18.19.1 via both engines and volta. Additionally, @types/node is still ^18. This means vite 8 cannot run in the project's configured Node.js environment, causing build failures in CI and development.
| }, | ||
| "peerDependencies": { | ||
| "vite": "^4.2.0 || ^5.0.0" | ||
| "vite": "^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0" |
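Review bot: the widened peer range on the last line of this hunk stops at ^7.0.0, so it still excludes the "vite": "^8.0.0" that the client manifest hunk in this same PR requests. Keep vite on a major inside this range, or move the package that owns this peerDependencies block to a release that lists vite 8, before merging.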
Plugin-react peer dependency doesn't include vite 8
Medium Severity
@vitejs/plugin-react@4.7.0 declares its peer dependency as "vite": "^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0", which does not include vite 8. The installed vite@8.0.0 falls outside this range, creating a peer dependency conflict that may cause runtime incompatibilities or install warnings/errors.
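The three findings above come down to range checks that can run before a grouped bump is merged. The sketch below is an added example, not code from this PR, Bugbot or Dependabot; `satisfies`, `statedUpdates`, `reviewBump` and the `sample` object are hypothetical names, and `projectNode` assumes a concrete 18.19.1 inside the project's ^18.19.1 pin.

```javascript
// Added example; ranges handled: ^x.y.z, >=x.y.z, exact pins, "||" (no pre-release tags, no ^0.0.x).
const parse = (v) => v.replace(/^\D*/, "").split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
function satisfies(version, range) {
  const v = parse(version);
  return range.split("||").some((part) => {
    const r = part.trim();
    const base = parse(r);
    if (r.startsWith(">=")) return cmp(v, base) >= 0;
    if (!r.startsWith("^")) return cmp(v, base) === 0;
    // Caret: same major for 1.x and up, same minor for 0.x.
    const compatible = base[0] > 0 ? v[0] === base[0] : v[0] === 0 && v[1] === base[1];
    return compatible && cmp(v, base) >= 0;
  });
}

// Read name -> version from Dependabot's "updated-dependencies" trailer.
function statedUpdates(commitMessage) {
  const re = /dependency-name:\s*"?([^"\s]+)"?\s+dependency-version:[ \t]*(\d\S*)?/g;
  const out = {};
  for (const m of commitMessage.matchAll(re)) out[m[1]] = m[2] || null; // null: removed
  return out;
}

function reviewBump({ commitMessage, manifest, resolved, peers, engines, projectNode }) {
  const stated = statedUpdates(commitMessage);
  const findings = [];
  for (const [name, range] of Object.entries(manifest))
    if (stated[name] && !satisfies(stated[name], range))
      findings.push(`${name}: range ${range} excludes stated version ${stated[name]}`);
  for (const [pkg, wants] of Object.entries(peers))
    for (const [dep, range] of Object.entries(wants))
      if (resolved[dep] && !satisfies(resolved[dep], range))
        findings.push(`${pkg}: peer ${dep}@${range} not met by ${resolved[dep]}`);
  for (const [pkg, range] of Object.entries(engines))
    if (!satisfies(projectNode, range))
      findings.push(`${pkg}: needs node ${range}, project uses ${projectNode}`);
  return findings;
}

// Constructed input using the values quoted in this thread.
const sample = {
  commitMessage: "- dependency-name: vite\n  dependency-version: 5.4.21\n" +
    "- dependency-name: esbuild\n  dependency-version:\n  dependency-type: indirect\n",
  manifest: { vite: "^8.0.0" }, resolved: { vite: "8.0.0" },
  peers: { "@vitejs/plugin-react@4.7.0": { vite: "^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0" } },
  engines: { "vite@8.0.0": "^20.19.0 || >=22.12.0" }, projectNode: "18.19.1",
};
console.log(reviewBump(sample).join("\n"));
```

Run as a CI step, a non-empty result from `reviewBump` is a reason to hold the merge until the manifest and the stated update agree.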


Bumps the npm_and_yarn group with 3 updates in the /client directory: vite, @babel/runtime and esbuild.
Bumps the npm_and_yarn group with 3 updates in the /server directory: semver, express and json-bigint.
Updates `vite` from 5.4.8 to 5.4.21

Release notes
Sourced from vite's releases.

Changelog
Sourced from vite's changelog.
... (truncated)

Commits
- adce3c2 release: v5.4.21
- cad1d31 fix(dev): trim trailing slash before `server.fs.deny` check (#20968) (#20970)
- ca88ed7 chore: update CHANGELOG
- 997700f release: v5.4.20
- 482000f fix: apply `fs.strict` check to HTML files (#20736)
- 80a333a release: v5.4.19
- 766947e fix: backport #19965, check static serve file inside sirv (#19966)
- 731b77d release: v5.4.18
- 823675b fix: backport #19830, reject requests with `#` in request-target (#19831)
- 0a2518a release: v5.4.17

Updates `@babel/runtime` from 7.25.7 to 7.29.2

Release notes
Sourced from @babel/runtime's releases.
... (truncated)

Commits
- 37d5595 v7.29.2
- d7f4008 v7.28.6
- 35055e3 v7.28.4
- ef155f5 v7.28.3
- cac0ff4 v7.28.2
- f68ac51 chore: Avoid CITGM errors (#17382)
- baa4cb8 v7.27.6
- 7d06930 v7.27.4
- 5b9468d Reduce `regenerator` size more (#17287)
- cb78b5b [babel 8] Do not replace global `regeneratorRuntime` references in regenerato...

Maintainer changes
This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @babel/runtime since your current version.

Removes `esbuild`

Updates `nanoid` from 3.3.7 to 3.3.11

Release notes
Sourced from nanoid's releases.

Changelog
Sourced from nanoid's changelog.

Commits
- 37289ce Release 3.3.11 version
- 23690b7 Fix CI
- c147962 Fix RN support
- a83734e Move to manually ESM/CJS dual package
- bb12e8a Release 3.3.10 version
- 8f44264 Fix Expo support
- adf9b0c Release 3.3.9 version
- 1c6f088 Remove dev file from npm package
- 3044cd5 Release 3.3.8 version
- 4fe3495 Update size limit

Updates `semver` from 6.3.0 to 6.3.1

Release notes
Sourced from semver's releases.

Changelog
Sourced from semver's changelog.
... (truncated)

Commits
- 44d27bc chore: release 6.3.1
- 928e56d fix: better handling of whitespace (#591)
- 39f6326 chore: `@npmcli/template-oss@4.16.0`

Maintainer changes
This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.

Updates `express` from 4.18.1 to 4.22.0

Release notes
Sourced from express's releases.
... (truncated)

Changelog
Sourced from express's changelog.
... (truncated)

Commits
- 49744ab 4.22.0 (#6921)
- 6e97452 sec: security patch for CVE-2024-51999
- 6a23d34 deps: use tilde notation for `qs` (#6919)
- 8c12cdf deps: qs@6.14.0 (#6909)
- 7fea74f deps: use tilde notation for certain dependencies (#6905)
- dac7a04 chore: wider range for query test skip (#6513)
- 997919b ci: add node.js 24 to test matrix (#6506)
- 36fb59c fix(ci): reorder `npm i` steps to fix ci for older node versions (#6336)
- 3a5edfa fix(ci): updated github actions ci workflow (#6323)
- 52d9781 fix(test): add test for method routes without paths #5955

Maintainer changes
This version was pushed to npm by ulisesgascon, a new releaser for express since your current version.

Updates `body-parser` from 1.20.0 to 1.20.4

Release notes
Sourced from body-parser's releases.

Changelog
Sourced from body-parser's changelog.

Commits
- 7db202c 1.20.4 (#672)
- d8f8adb ci: add CodeQL (SAST) (#670)
- 6d133c1 chore: remove SECURITY.md (#669)
- fcd1535 deps: use tilde notation and update certain dependencies (#668)
- ec5fa29 deps: qs@~6.14.0 (#664)
- ffb95c1 ci: restore CI for 1.x branch (#665)
- 48a5f07 ci: add support for Node.js v23 (#553)
- f20f6ad Remove redundant depth check (#538)
- 1752951 1.20.3
- 39744cf chore: linter (#534)

Maintainer changes
This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates `cookie` from 0.5.0 to 0.7.2

Release notes
Sourced from cookie's releases.

Commits
- d19eaa1 0.7.2
- bc38ffd Fix object assignment of `hasOwnProperty` (#177)
- cf4658f 0.7.1
- 6a8b8f5 Allow leading dot for domain (#174)
- 58015c0 Remove more code and perf wins (#172)
- ab057d6 0.7.0
- 5f02ca8 Migrate history to GitHub releases
- a5d591c Migrate history to GitHub releases
- 51968f9 Skip isNaN
- 9e7ca51 perf(parse): cache length, return early (#144)

Maintainer changes
This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates `json-bigint` from 0.3.1 to 1.0.0

Commits
- 390482a 1.0.0
- f2d8f83 typo
- 6ee392e Merge pull request #37 from sidorares/fix/prototype
- c85a430 MAJOR: Add protoAction and constructorAction options
- 4c2dbf4 build: add node 14
- b348ea3 fix assertion after chai upgrade
- 725777c add files section and bump deps
- ebd1d91 add prettier config
- 6c659f5 Merge pull request #36 from babyadoresorange/master
- 1556563 update README

Updates `send` from 0.18.0 to 0.19.2

Release notes
Sourced from send's releases.

Changelog
Sourced from send's changelog.

Commits
- 34ba03b 0.19.2 (#280)
- e53e4e5 deps: use tilde notation and update certain dependencies (#279)
- 19efaa3 0.19.1
- 0a9fa80 fix(deps): encodeurl@~2.0.0 (#240)
- 9d2db99 0.19.0
- ae4f298 Merge commit from fork

Maintainer changes
This version was pushed to npm by ulisesgascon, a new releaser for send since your current version.

Updates `serve-static` from 1.15.0 to 1.16.3

Release notes
Sourced from serve-static's releases.

Changelog
Sourced from serve-static's changelog.

Commits
- 9acad22 1.16.3 (#229)
- 52dc97d deps: send@~0.19.1 and upgrade Node.js versions on the CI (#227)
- ec9c5ec 1.16.2
- f454d37 fix(deps): encodeurl@~2.0.0
- 77a8255 1.16.1
- 4263f49 fix(deps): send@0.19.0
- 48c7397 1.16.0
- 0c11fad Merge commit from fork

Maintainer changes
This version was pushed to npm by ulisesgascon, a new releaser for serve-static since your current version.