deps(deps): bump the frontend-minor-updates group across 1 directory with 5 updates#2

Merged

xiaojinao merged 1 commit into main from dependabot/npm_and_yarn/ui/frontend-minor-updates-0822d59120 on Apr 21, 2026

Conversation

@dependabot dependabot Bot (Contributor) commented on behalf of github, Apr 21, 2026

Bumps the frontend-minor-updates group with 5 updates in the /ui directory:

| Package | From | To |
| --- | --- | --- |
| dompurify | 3.3.3 | 3.4.0 |
| i18next | 26.0.5 | 26.0.6 |
| marked | 18.0.0 | 18.0.2 |
| react-router-dom | 7.14.0 | 7.14.2 |
| vite | 8.0.7 | 8.0.9 |

Updates dompurify from 3.3.3 to 3.4.0

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.0

Most relevant changes:

  • Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @kodareef5
  • Fixed several minor problems and typos regarding MathML attributes, thanks @DavidOliver
  • Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @1Jesper1
  • Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @bencalif
  • Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @trace37labs
  • Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @eddieran
  • Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @christos-eth
  • Fixed an issue with USE_PROFILES prototype pollution, thanks @christos-eth
  • Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @researchatfluidattacks and others
  • Fixed an issue with closing tags leading to possible mXSS, thanks @frevadiscor
  • Fixed a problem with the type definition patcher after Node version bump
  • Fixed freezing BS runs by reducing the tested browsers array
  • Bumped several dependencies where possible
  • Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

Commits

Updates i18next from 26.0.5 to 26.0.6

Release notes

Sourced from i18next's releases.

v26.0.6

Security release — all issues found via an internal audit. GHSA advisory filed after release.

  • security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security docs for mitigation guidance (GHSA-TBD)
  • security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
  • security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
  • chore: ignore .env* and *.pem/*.key files in .gitignore
Changelog

Sourced from i18next's changelog.

26.0.6

Security release — all issues found via an internal audit.

  • security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security note in the Nesting docs for the full pattern and mitigations
  • security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
  • security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
  • chore: ignore .env* and *.pem/*.key files in .gitignore
Commits
  • 9d0ed9f 26.0.6
  • 8c82564 security: hardening for 26.0.6 — nesting-options warning, regexEscape unescap...
  • 0cb018c chore: bump devDependencies
  • See full diff in compare view

Updates marked from 18.0.0 to 18.0.2

Release notes

Sourced from marked's releases.

v18.0.2

18.0.2 (2026-04-18)

Bug Fixes

  • fix infinite loop for indented code blank line (#3947) (58a52e8)

v18.0.1

18.0.1 (2026-04-17)

Bug Fixes

  • rules: ensure lookbehind regex is evaluated correctly by minifiers (#3945) (abd907a)
Commits
  • c4f4529 chore(release): 18.0.2 [skip ci]
  • 58a52e8 fix: fix infinite loop for indented code blank line (#3947)
  • 98b3824 chore(release): 18.0.1 [skip ci]
  • abd907a fix(rules): ensure lookbehind regex is evaluated correctly by minifiers (#3945)
  • 96351c4 chore(deps-dev): bump marked-highlight from 2.2.3 to 2.2.4 (#3946)
  • c132699 chore: update testutils (#3942)
  • See full diff in compare view

Updates react-router-dom from 7.14.0 to 7.14.2

Changelog

Sourced from react-router-dom's changelog.

v7.14.2

Patch Changes

v7.14.1

Patch Changes

Commits

Updates vite from 8.0.7 to 8.0.9

Release notes

Sourced from vite's releases.

v8.0.9

Please refer to CHANGELOG.md for details.

v8.0.8

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.9 (2026-04-20)

Features

Bug Fixes

  • allow binding when strictPort is set but wildcard port is in use (#22150) (dfc8aa5)
  • build: emptyOutDir should happen for watch rebuilds (#22207) (ee52267)
  • bundled-dev: reject requests to HMR patch files in non potentially trustworthy origins (#22269) (868f141)
  • css: use unique key for cssEntriesMap to prevent same-basename collision (#22039) (374bb5d)
  • deps: update all non-major dependencies (#22219) (4cd0d67)
  • deps: update all non-major dependencies (#22268) (c28e9c1)
  • detect Deno workspace root (fix #22237) (#22238) (1b793c0)
  • dev: handle errors in watchChange hook (#22188) (fc08bda)
  • optimizer: handle more chars that will be sanitized (#22208) (3f24533)
  • skip fallback sourcemap generation for ?raw imports (#22148) (3ec9cda)

Documentation

Miscellaneous Chores

  • deps: update dependency dotenv-expand to v13 (#22271) (0a3887d)

8.0.8 (2026-04-09)

Features

Bug Fixes

  • avoid dns.getDefaultResultOrder temporary (#22202) (15f1c15)
  • ssr: class property keys hoisting matching imports (#22199) (e137601)
Commits
  • ce729f5 release: v8.0.9
  • 605bb97 docs: update build CLI defaults (#22261)
  • c28e9c1 fix(deps): update all non-major dependencies (#22268)
  • 0a3887d chore(deps): update dependency dotenv-expand to v13 (#22271)
  • 868f141 fix(bundled-dev): reject requests to HMR patch files in non potentially trust...
  • 3ec9cda fix: skip fallback sourcemap generation for ?raw imports (#22148)
  • 3f24533 fix(optimizer): handle more chars that will be sanitized (#22208)
  • 1b793c0 fix: detect Deno workspace root (fix #22237) (#22238)
  • fc08bda fix(dev): handle errors in watchChange hook (#22188)
  • 374bb5d fix(css): use unique key for cssEntriesMap to prevent same-basename collision...
  • Additional commits viewable in compare view
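The i18next 26.0.6 notes above describe two hardening steps: applying `regexEscape` to the `unescapePrefix` / `unescapeSuffix` delimiters before they are embedded in an interpolation regex, and stripping C0/C1 control characters from log arguments (CWE-117). The block below is an added example, not i18next's own code and not part of this pull request; the function names (`regexEscape`, `buildUnescapeRegex`, `findUnescaped`, `sanitizeLogArg`, `formatLogLine`), the log-line format and the sample strings are assumptions made for the example. The `escape = false` path models the pre-fix behaviour so the breakage the notes mention (a `.` or `[` in a delimiter) is visible next to the escaped form.

```javascript
// Added example: delimiter escaping and log-argument sanitising in the
// style of the i18next 26.0.6 hardening. Not i18next's code; every name
// and sample value here is an assumption for this demonstration.

// Escape every regex metacharacter so a configured delimiter is matched
// literally when pasted into a RegExp source string.
function regexEscape(str) {
  return str.replace(/[-/\\^$*+?.()|[\]{}]/g, '\\$&');
}

// Build the matcher for the "unescaped interpolation" syntax
// (e.g. "{{- name}}") from the configured delimiters.
// escape=false reproduces the naive build: the raw delimiter goes into the
// pattern, so metacharacters change its meaning or make it fail to compile.
function buildUnescapeRegex(prefix, suffix, unescapePrefix, escape = true) {
  const p = escape ? regexEscape(prefix) : prefix;
  const s = escape ? regexEscape(suffix) : suffix;
  const u = escape ? regexEscape(unescapePrefix) : unescapePrefix;
  return new RegExp(`${p}${u}(.+?)${s}`, 'g');
}

// Return the variable names written with the unescape syntax in `text`.
function findUnescaped(text, opts, escape = true) {
  const re = buildUnescapeRegex(opts.prefix, opts.suffix, opts.unescapePrefix, escape);
  const names = [];
  let m;
  while ((m = re.exec(text)) !== null) names.push(m[1].trim());
  return names;
}

// Strip C0 controls (U+0000-U+001F), DEL (U+007F) and C1 controls
// (U+0080-U+009F) from a string before it reaches the logger, so a
// user-controlled key, language code or namespace cannot inject a forged
// line break into the log (CWE-117). Non-strings pass through unchanged.
function sanitizeLogArg(value) {
  if (typeof value !== 'string') return value;
  return value.replace(/[\u0000-\u001F\u007F-\u009F]/g, '');
}

// Constructed log format for this example: every argument is sanitised
// before being joined into the line.
function formatLogLine(level, ...args) {
  return `[${level}] ` + args.map(sanitizeLogArg).join(' ');
}

// Usage (constructed inputs):
const defaults = { prefix: '{{', suffix: '}}', unescapePrefix: '-' };
console.log(findUnescaped('Hello {{- name}} and {{age}}', defaults));
// A "." delimiter: the escaped build matches only "{{.safe}}", the naive
// build also matches "{{ysafe}}" because "." became a wildcard.
const dotOpts = { ...defaults, unescapePrefix: '.' };
console.log(findUnescaped('x {{.safe}} y {{ysafe}}', dotOpts, true));
console.log(findUnescaped('x {{.safe}} y {{ysafe}}', dotOpts, false));
// A user-supplied key carrying a CR/LF cannot forge a second log line.
console.log(formatLogLine('warn', 'missingKey', 'en', 'translation', 'greeting\n[error] forged'));
```

The naive build fails outright for a delimiter such as `[` (the RegExp constructor throws a `SyntaxError` for the unterminated character class), which is the "silent breakage" the notes describe once such an error is swallowed; with `regexEscape` applied the same delimiter compiles and matches literally.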

@dependabot dependabot Bot (Contributor, Author) commented on behalf of github, Apr 21, 2026

Labels

The following labels could not be found: dependencies, javascript. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Bumps the frontend-minor-updates group in /ui with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.3.3` | `3.4.0` |
| [i18next](https://github.com/i18next/i18next) | `26.0.5` | `26.0.6` |
| [marked](https://github.com/markedjs/marked) | `18.0.0` | `18.0.2` |
| [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom) | `7.14.0` | `7.14.2` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `8.0.7` | `8.0.9` |


Updates `dompurify` from 3.3.3 to 3.4.0
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.3...3.4.0)

Updates `i18next` from 26.0.5 to 26.0.6
- [Release notes](https://github.com/i18next/i18next/releases)
- [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next@v26.0.5...v26.0.6)

Updates `marked` from 18.0.0 to 18.0.2
- [Release notes](https://github.com/markedjs/marked/releases)
- [Commits](markedjs/marked@v18.0.0...v18.0.2)

Updates `react-router-dom` from 7.14.0 to 7.14.2
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router-dom/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router-dom@7.14.2/packages/react-router-dom)

Updates `vite` from 8.0.7 to 8.0.9
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.9/packages/vite)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-updates
- dependency-name: i18next
  dependency-version: 26.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-updates
- dependency-name: marked
  dependency-version: 18.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-updates
- dependency-name: react-router-dom
  dependency-version: 7.14.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-updates
- dependency-name: vite
  dependency-version: 8.0.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title from "deps(deps): bump the frontend-minor-updates group in /ui with 5 updates" to "deps(deps): bump the frontend-minor-updates group across 1 directory with 5 updates" on Apr 21, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/ui/frontend-minor-updates-0822d59120 branch from 4096aae to d36d1ef on April 21, 2026 15:48
@xiaojinao xiaojinao merged commit b501fbb into main Apr 21, 2026
2 of 4 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/ui/frontend-minor-updates-0822d59120 branch April 21, 2026 15:48
1 participant