Skip to content

chore(deps): bump the vue group across 1 directory with 2 updates#107

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/vue-b465e51571
Closed

chore(deps): bump the vue group across 1 directory with 2 updates#107
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/vue-b465e51571

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps the vue group with 2 updates in the / directory: vue and vue-router.

Updates vue from 3.5.32 to 3.5.40

Release notes

Sourced from vue's releases.

v3.5.40

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.39

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.38

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.37

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.35

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.34

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.33

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

Changelog

Sourced from vue's changelog.

3.5.40 (2026-07-16)

Bug Fixes

3.5.39 (2026-06-25)

Bug Fixes

3.5.38 (2026-06-11)

3.5.37 (2026-06-11)

3.5.36 (2026-06-11)

Bug Fixes

  • compiler-core: avoid crash on CDATA at the document root (#14916) (0ea17e2)
  • compiler-core: prefix dynamic keys on v-memo elements (#14922) (68e978e), closes #14920
  • compiler-sfc: handle vue-ignore on leading intersection/union type (#14950) (0dcd225), closes #12254
  • compiler-sfc: respect var hoisting in props destructure (48ad452)
  • reactivity: preserve watch callback return value when wrapped for once: true (#14902) (450a8a8)
  • runtime-core: add dev warning for silent catch in compat mode and fix test description typo (#14891) (db3e117)

... (truncated)

Commits

Updates vue-router from 5.0.4 to 5.2.0

Release notes

Sourced from vue-router's releases.

v5.2.0

   🚀 Features

   🐞 Bug Fixes

    View changes on GitHub

v5.1.0

   🚀 Features

   🐞 Bug Fixes

    View changes on GitHub

v5.0.7

   🚀 Features

   🐞 Bug Fixes

  • matcher:

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 6, 2026
@dependabot dependabot Bot changed the title chore(deps): bump the vue group with 2 updates chore(deps): bump the vue group across 1 directory with 2 updates Jul 8, 2026
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/vue-b465e51571 branch 4 times, most recently from 261703a to e8011c7 Compare July 13, 2026 23:45
Bumps the vue group with 2 updates in the / directory: [vue](https://github.com/vuejs/core) and [vue-router](https://github.com/vuejs/router).


Updates `vue` from 3.5.32 to 3.5.40
- [Release notes](https://github.com/vuejs/core/releases)
- [Changelog](https://github.com/vuejs/core/blob/main/CHANGELOG.md)
- [Commits](vuejs/core@v3.5.32...v3.5.40)

Updates `vue-router` from 5.0.4 to 5.2.0
- [Release notes](https://github.com/vuejs/router/releases)
- [Commits](vuejs/router@v5.0.4...v5.2.0)

---
updated-dependencies:
- dependency-name: vue
  dependency-version: 3.5.39
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: vue
- dependency-name: vue-router
  dependency-version: 5.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: vue
...

Signed-off-by: dependabot[bot] <support@github.com>
@ABB65

ABB65 commented Jul 17, 2026

Copy link
Copy Markdown
Member

Superseded by #158 — the vue group bump (vue 3.5.40, vue-router 5.2.0) is folded into the consolidated security refresh, gates green.

@ABB65 ABB65 closed this Jul 17, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown
Contributor Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot
dependabot Bot deleted the dependabot/npm_and_yarn/vue-b465e51571 branch July 17, 2026 12:33
ABB65 added a commit that referenced this pull request Jul 17, 2026
…d pending bumps (#158)

* chore(deps): security refresh — resolve critical/high advisories, fold pending bumps

Aggressive dependency pass closing the Dependabot backlog (66 alerts on main).

Direct + toolchain bumps (folds the passing/fixable Dependabot group PRs into one
reviewable change):
- @anthropic-ai/sdk 0.80 -> 0.112, sharp 0.34.5 -> 0.35.3, marked -> 18.0.2,
  vue 3.5.40, vue-router 5.2.0
- testing group (vitest 4.1.10, @vue/test-utils 2.4.11, playwright-core 1.61.1, ...)
- linting group (@nuxt/eslint 1.16, eslint 10.7, @commitlint 21, lint-staged 17)
- tsx 4.23

pnpm overrides for runtime-reachable transitives whose parents pin old versions:
hono ^4.12.25 (MCP loopback server), fast-uri ^3.1.2, fast-xml-parser ^5.7.0,
ws ^8.21.0, qs ^6.15.2, js-cookie ^3.0.7.

A lockfile refresh alone clears the stale advisories on main (shell-quote 1.9.0,
nuxt 4.4.8, vite 7.3.6, devalue 5.8.1, dompurify 3.4.11, tar 7.5.19, ...).

Result: the one critical (shell-quote) and every high are resolved. The only
remaining flagged package is uuid — its advisory needs uuid.v3/v5/v6 called with
a `buf` argument, which Studio's transitive usage (@aws-sdk, uuid.v4) never does,
so a risky cross-SDK major override is deliberately skipped.

The @nuxt/eslint 1.16 bump surfaced real code smells (no-useless-assignment,
preserve-caught-error) — fixed in migrate-postgres, anthropic-ai, cdn-builder,
and the Polar webhook handler.

Supersedes #107, #108, #109, #110, #111.

* fix(deps): revert sharp to 0.34.5 — 0.35.3 fails to load on CI Linux

sharp 0.35.3 crashed the Nuxt server at boot on the CI runner
("Server process exited before becoming ready", sharp.mjs:171 install
error) — its native binary doesn't resolve on linux-x64 there, though it
built fine on darwin-arm64 locally (which is why the local smoke was a
false green). sharp is not a security advisory, so 0.34.5 (known-good on
CI) loses nothing. This also confirms #111's e2e failure was sharp, not a
stale base.

---------

Co-authored-by: Contentrain <mcp@contentrain.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant