build(deps): bump the npm_and_yarn group across 2 directories with 7 updates by dependabot[bot] · Pull Request #138 · Dargon789/interface

dependabot · 2026-05-08T15:02:20Z

Bumps the npm_and_yarn group with 4 updates in the /apps/extension directory: react-router, vite, webpack and webpack-dev-server.
Bumps the npm_and_yarn group with 6 updates in the /apps/web directory:

Package	From	To
react-router	`7.6.3`	`7.12.0`
vite	`7.3.1`	`7.3.2`
webpack	`5.90.0`	`5.104.1`
@hono/node-server	`1.19.11`	`1.19.13`
hono	`4.12.8`	`4.12.16`
storybook	`8.5.2`	`8.6.17`

Updates react-router from 7.6.3 to 7.12.0

Release notes

Sourced from react-router's releases.

v7.12.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7120

v7.11.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7110

v7.10.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7101

v7.10.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7100

v7.9.6

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v796

v7.9.5

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v795

v7.9.4

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v794

v7.9.3

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v793

v7.9.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v792

v7.9.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v791

v7.9.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v790

v7.8.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v782

v7.8.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v781

v7.8.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v780

v7.7.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v771

v7.7.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v770

Changelog

Sourced from react-router's changelog.

7.12.0

Minor Changes

Add additional layer of CSRF protection by rejecting submissions to UI routes from external origins. If you need to permit access to specific external origins, you can specify them in the react-router.config.ts config allowedActionOrigins field. (#14708)

Patch Changes

Fix generatePath when used with suffixed params (i.e., "/books/:id.json") (#14269)

Export UNSAFE_createMemoryHistory and UNSAFE_createHashHistory alongside UNSAFE_createBrowserHistory for consistency. These are not intended to be used for new apps but intended to help apps usiong unstable_HistoryRouter migrate from v6->v7 so they can adopt the newer APIs. (#14663)

Escape HTML in scroll restoration keys (#14705)

Validate redirect locations (#14706)

[UNSTABLE] Pass <Scripts nonce> value through to the underlying importmap script tag when using future.unstable_subResourceIntegrity (#14675)

[UNSTABLE] Add a new future.unstable_trailingSlashAwareDataRequests flag to provide consistent behavior of request.pathname inside middleware, loader, and action functions on document and data requests when a trailing slash is present in the browser URL. (#14644)

Currently, your HTTP and request pathnames would be as follows for /a/b/c and /a/b/c/

URL /a/b/c HTTP pathname request pathname`

Document /a/b/c /a/b/c ✅

Data /a/b/c.data /a/b/c ✅

URL /a/b/c/ HTTP pathname request pathname`

Document /a/b/c/ /a/b/c/ ✅

Data /a/b/c.data /a/b/c ⚠️

With this flag enabled, these pathnames will be made consistent though a new _.data format for client-side .data requests:

URL /a/b/c HTTP pathname request pathname`

Document /a/b/c /a/b/c ✅

Data /a/b/c.data /a/b/c ✅

URL /a/b/c/ HTTP pathname request pathname`

Document /a/b/c/ /a/b/c/ ✅

Data /a/b/c/_.data ⬅️ /a/b/c/ ✅

This a bug fix but we are putting it behind an opt-in flag because it has the potential to be a "breaking bug fix" if you are relying on the URL format for any other application or caching logic.

Enabling this flag also changes the format of client side .data requests from /_root.data to /_.data when navigating to / to align with the new format. This does not impact the request pathname which is still / in all cases.

Preserve clientLoader.hydrate=true when using <HydratedRouter unstable_instrumentations> (#14674)

... (truncated)

Commits

26653a6 chore: Update version for release (#14712)
7ac2346 chore: Update version for release (pre) (#14709)
75b1ef5 Add origin checks for UI route submissions (#14708)
c05ef93 Validate redirect locations (#14706)
c89c32c Escape HTML in scroll restoration keys (#14705)
cbcbf30 fix: pass nonce to importmap script when using subResourceIntegrity (#14675)
30f6c1d fix(react-router): handle parameters with static suffixes in generatePath (#1...
7f140e0 Handle data requests with trailing slash consistently (#14644)
1954af6 Preserve hydrate property on client loaders during instrumentation (#14674)
5ce5cd4 chore: format
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react-router since your current version.

Updates vite from 7.3.1 to 7.3.2

Release notes

Sourced from vite's releases.

v7.3.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.2 (2026-04-06)

Bug Fixes

avoid path traversal with optimize deps sourcemap handler (#22161) (09d8c90)

backport #22159, apply server.fs check to env transport (#22162) (19db0f2)

check server.fs after stripping query as well (#22160) (f8103cc)

Commits

cc383e0 release: v7.3.2
09d8c90 fix: avoid path traversal with optimize deps sourcemap handler (#22161)
f8103cc fix: check server.fs after stripping query as well (#22160)
19db0f2 fix: backport #22159, apply server.fs check to env transport (#22162)
See full diff in compare view

Updates webpack from 5.90.0 to 5.104.1

Release notes

Sourced from webpack's releases.

v5.104.1

5.104.1

Patch Changes

2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.

c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

v5.104.0

5.104.0

Minor Changes

d3dd841: Use method shorthand to render module content in __webpack_modules__ object.

d3dd841: Enhance import.meta.env to support object access.

4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.

04cd530: Handle more at-rules for CSS modules.

cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.

d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.

5983843: Provide a stable runtime function variable __webpack_global__.

d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

22c48fb: Added module existence check for informative error message in development mode.

50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.

d3dd841: Support universal lazy compilation.

d3dd841: Fixed module library export definitions when multiple runtimes.

d3dd841: Fixed CSS nesting and CSS custom properties parsing.

d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.

aab1da9: Fixed bugs for css/global type.

d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.

d3dd841: Handle nested __webpack_require__.

728ddb7: The speed of identifier parsing has been improved.

0f8b31b: Improve types.

d3dd841: Don't corrupt debugId injection when hidden-source-map is used.

2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.

d3dd841: Serialize HookWebpackError.

d3dd841: Added ability to use built-in properties in dotenv and define plugin.

3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.

d3dd841: Reduce collision for local indent name in CSS.

d3dd841: Remove CSS link tags when CSS imports are removed.

v5.103.0

Features

Added DotenvPlugin and top level dotenv option to enable this plugin

Added WebpackManifestPlugin

Added support the ignoreList option in devtool plugins

Allow to use custom javascript parse function

... (truncated)

Changelog

Sourced from webpack's changelog.

5.104.1

Patch Changes

2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.

c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

5.104.0

Minor Changes

d3dd841: Use method shorthand to render module content in __webpack_modules__ object.

d3dd841: Enhance import.meta.env to support object access.

4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.

04cd530: Handle more at-rules for CSS modules.

cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.

d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.

5983843: Provide a stable runtime function variable __webpack_global__.

d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

22c48fb: Added module existence check for informative error message in development mode.

50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.

d3dd841: Support universal lazy compilation.

d3dd841: Fixed module library export definitions when multiple runtimes.

d3dd841: Fixed CSS nesting and CSS custom properties parsing.

d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.

aab1da9: Fixed bugs for css/global type.

d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.

d3dd841: Handle nested __webpack_require__.

728ddb7: The speed of identifier parsing has been improved.

0f8b31b: Improve types.

d3dd841: Don't corrupt debugId injection when hidden-source-map is used.

2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.

d3dd841: Serialize HookWebpackError.

d3dd841: Added ability to use built-in properties in dotenv and define plugin.

3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.

d3dd841: Reduce collision for local indent name in CSS.

d3dd841: Remove CSS link tags when CSS imports are removed.

Commits

24e3c2d chore(release): new release (#20253)
2efd21b fix(re-exports): reexports runtime calculation should not accessing `__WEBPAC...
c510070 fix(security): userinfo bypass vulnerability in HttpUriPlugin allowedUris
4b0501c ci: fix release (#20252)
0c213ce ci: use \<@&1450591255485743204> over @here for discord notificationw
5bf8bc5 refactor: types for benchmarks and tests
505a5e7 chore(release): new release (#20188)
0c06680 refactor: update eslint configuration
2eb0d6a ci: release announcement (#20238)
b2b2459 ci: cancel in progress (#20239)
Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates webpack-dev-server from 4.15.1 to 5.2.1

Release notes

Sourced from webpack-dev-server's releases.

v5.2.1

5.2.1 (2025-03-26)

Security

cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header

requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)

take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

v5.2.0

5.2.0 (2024-12-11)

Features

added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

speed up initial client bundling (145b5d0)

v5.1.0

5.1.0 (2024-09-03)

Features

add visual progress indicators (a8f40b7)

added the app option to be Function (by default only with connect compatibility frameworks) (3096148)

allow the server option to be Function (#5275) (02a1c6d)

http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)

ipv6 output (#5270) (06005e7)

replace rimraf with rm (#5162) (1a1561f)

replace default gateway (#5255) (f5f0902)

support devServer: false (#5272) (8b341cb)

v5.0.4

5.0.4 (2024-03-19)

... (truncated)

Changelog

Sourced from webpack-dev-server's changelog.

5.2.1 (2025-03-26)

Security

cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header

requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)

take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

5.2.0 (2024-12-11)

Features

added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

speed up initial client bundling (145b5d0)

5.1.0 (2024-09-03)

Features

add visual progress indicators (a8f40b7)

added the app option to be Function (by default only with connect compatibility frameworks) (3096148)

allow the server option to be Function (#5275) (02a1c6d)

http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)

ipv6 output (#5270) (06005e7)

replace rimraf with rm (#5162) (1a1561f)

replace default gateway (#5255) (f5f0902)

support devServer: false (#5272) (8b341cb)

5.0.4 (2024-03-19)

Bug Fixes

... (truncated)

Commits

0d22a08 chore(release): 5.2.1
6045b1e chore(deps): update (#5444)
ffd0b86 fix: take the first network found instead of the last one, this restores the ...
9ea7b08 ci: update dependency-review-action (#5442)
5c9378b Merge commit from fork
d2575ad Merge commit from fork
8c1abc9 fix: prevent overlay for errors caught by React error boundaries (#5431)
5a39c70 ci: update codecov/codecov-action to v5 (#5406)
55220a8 chore(deps-dev): bump the dependencies group across 1 directory with 4 update...
09f6f8e chore(deps): bump the dependencies group across 1 directory with 2 updates (#...
Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates react-router from 7.6.3 to 7.12.0

Release notes

Sourced from react-router's releases.

v7.12.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7120

v7.11.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7110

v7.10.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7101

v7.10.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7100

v7.9.6

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v796

v7.9.5

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v795

v7.9.4

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v794

v7.9.3

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v793

v7.9.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v792

v7.9.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v791

v7.9.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v790

v7.8.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v782

v7.8.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v781

v7.8.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v780

v7.7.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v771

v7.7.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v770

Changelog

Sourced from react-router's changelog.

7.12.0

Minor Changes

Add additional layer of CSRF protection by rejecting submissions to UI routes from external origins. If you need to permit access to specific external origins, you can specify them in the react-router.config.ts config allowedActionOrigins field. (#14708)

Patch Changes

Fix generatePath when used with suffixed params (i.e., "/books/:id.json") (#14269)

Export UNSAFE_createMemoryHistory and UNSAFE_createHashHistory alongside UNSAFE_createBrowserHistory for consistency. These are not intended to be used for new apps but intended to help apps usiong unstable_HistoryRouter migrate from v6->v7 so they can adopt the newer APIs. (#14663)

Escape HTML in scroll restoration keys (#14705)

Validate redirect locations (#14706)

[UNSTABLE] Pass <Scripts nonce> value through to the underlying importmap script tag when using future.unstable_subResourceIntegrity (#14675)

[UNSTABLE] Add a new future.unstable_trailingSlashAwareDataRequests flag to provide consistent behavior of request.pathname inside middleware, loader, and action functions on document and data requests when a trailing slash is present in the browser URL. (#14644)

Currently, your HTTP and request pathnames would be as follows for /a/b/c and /a/b/c/

URL /a/b/c HTTP pathname request pathname`

Document /a/b/c /a/b/c ✅

Data /a/b/c.data /a/b/c ✅

URL /a/b/c/ HTTP pathname request pathname`

Document /a/b/c/ /a/b/c/ ✅

Data /a/b/c.data /a/b/c ⚠️

With this flag enabled, these pathnames will be made consistent though a new _.data format for client-side .data requests:

URL /a/b/c HTTP pathname request pathname`

Document /a/b/c /a/b/c ✅

Data /a/b/c.data /a/b/c ✅

URL /a/b/c/ HTTP pathname request pathname`

Document /a/b/c/ /a/b/c/ ✅

Data /a/b/c/_.data ⬅️ /a/b/c/ ✅

This a bug fix but we are putting it behind an opt-in flag because it has the potential to be a "breaking bug fix" if you are relying on the URL format for any other application or caching logic.

Enabling this flag also changes the format of client side .data requests from /_root.data to /_.data when navigating to / to align with the new format. This does not impact the request pathname which is still / in all cases.

Preserve clientLoader.hydrate=true when using <HydratedRouter unstable_instrumentations> (#14674)

... (truncated)

Commits

26653a6 chore: Update version for release (#14712)
7ac2346 chore: Update version for release (pre) (#14709)
75b1ef5 Add origin checks for UI route submissions (#14708)
c05ef93 Validate redirect locations (#14706)
c89c32c Escape HTML in scroll restoration keys (#14705)
cbcbf30 fix: pass nonce to importmap script when using subResourceIntegrity (#14675)
30f6c1d fix(react-router): handle parameters with static suffixes in generatePath (#1...
7f140e0 Handle data requests with trailing slash consistently (#14644)
1954af6 Preserve hydrate property on client loaders during instrumentation (#14674)
5ce5cd4 chore: format
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react-router since your current version.

Updates vite from 7.3.1 to 7.3.2

Release notes

Sourced from vite's releases.

v7.3.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.2 (2026-04-06)

Bug Fixes

avoid path traversal with optimize deps sourcemap handler (#22161) (09d8c90)

backport #22159, apply server.fs check to env transport (#22162) (19db0f2)

check server.fs after stripping query as well (#22160) (f8103cc)

Commits

cc383e0 release: v7.3.2
09d8c90 fix: avoid path traversal with optimize deps sourcemap handler (#22161)
f8103cc fix: check server.fs after stripping query as well (#22160)
19db0f2 fix: backport #22159, apply server.fs check to env transport (#22162)
See full diff in compare view

Updates webpack from 5.90.0 to 5.104.1

Release notes

Sourced from webpack's releases.

v5.104.1

5.104.1

Patch Changes

2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.

c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

v5.104.0

5.104.0

Minor Changes

d3dd841: Use method shorthand to render module content in __webpack_modules__ object.

d3dd841: Enhance import.meta.env to support object access.

4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.

04cd530: Handle more at-rules for CSS modules.

cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.

d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.

5983843: Provide a stable runtime function variable __webpack_global__.

d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

22c48fb: Added module existence check for informative error message in development mode.

50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.

d3dd841: Support universal lazy compilation.

d3dd841: Fixed module library export definitions when multiple runtimes.

d3dd841: Fixed CSS nesting and CSS custom properties parsing.

d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.

aab1da9: Fixed bugs for css/global type.

d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.

d3dd841: Handle nested __webpack_require__.

728ddb7: The speed of identifier parsing has been improved.

0f8b31b: Improve types.

d3dd841: Don't corrupt debugId injection when hidden-source-map is used.

2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.

d3dd841: Serialize HookWebpackError.

d3dd841: Added ability to use built-in properties in dotenv and define plugin.

3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.

d3dd841: Reduce collision for local indent name in CSS.

d3dd841: Remove CSS link tags when CSS imports are removed.

v5.103.0

Features

Added DotenvPlugin and top level dotenv option to enable this plugin

Added WebpackManifestPlugin

Added support the ignoreList option in devtool plugins

Allow to use custom javascript parse function

... (truncated)

Changelog

Sourced from webpack's changelog.

5.104.1

Patch Changes

2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.

c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

5.104.0

Minor Changes

d3dd841: Use method shorthand to render module content in __webpack_modules__ object.

d3dd841: Enhance import.meta.env to support object access.

4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.

04cd530: Handle more at-rules for CSS modules.

cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.

d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.

5983843: Provide a stable runtime function variable __webpack_global__.

d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

22c48fb: Added module existence check for informative error message in development mode.

50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.

d3dd841: Support universal lazy compilation.

d3dd841: Fixed module library export definitions when multiple runtimes.

d3dd841: Fixed CSS nesting and CSS custom properties parsing.

d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.

aab1da9: Fixed bugs for css/global type.

d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.

d3dd841: Handle nested __webpack_require__.

728ddb7: The speed of identifier parsing has been improved.

0f8b31b: Improve types.

d3dd841: Don't corrupt debugId injection when hidden-source-map is used.

2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.

d3dd841: Serialize HookWebpackError.

d3dd841: Added ability to use built-in properties in dotenv and define plugin.

3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.

d3dd841: Reduce collision for local indent name in CSS.

d3dd841: Remove CSS link tags when CSS imports are removed.

Commits

24e3c2d chore(release): new release (#20253)
2efd21b fix(re-exports): reexports runtime calculation should not accessing `__WEBPAC...
c510070 fix(security): userinfo bypass vulnerability in HttpUriPlugin allowedUris
4b0501c ci: fix release (#20252)
0c213ce ci: use \<@&1450591255485743204> over @here for discord notificationw
5bf8bc5 refactor: types for benchmarks and tests
505a5e7 chore(release): new release (#20188)
0c06680 refactor: update eslint configuration
2eb0d6a ci: release announcement (#20238)
b2b2459 ci: cancel in progress (#20239)
Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates @hono/node-server from 1.19.11 to 1.19.13

Release notes

Sourced from @hono/node-server's releases.

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

chore: ignore claude setting by @yusukebe in honojs/node-server#314

fix: request draining for early 413 responses by @usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

Commits

fd64e65 1.19.13
025c30f Merge commit from fork
6cdb5a7 1.19.12
70250f7 fix: request draining for early 413 responses (#329)
cfc08b3 chore: ignore claude setting (#314)
See full diff in compare view

Updates hono from 4.12.8 to 4.12.16

Release notes

Sourced from hono's releases.

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

fix(jwt): support single-line PEM keys by @hiendv in honojs/hono#4889

New Contributors

@hiendv made their first contribution in honojs/hono#4889

Full Changelog: honojs/hono@v4.12.14...v4.12.15

v4.12.14

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

fix(aws-lambda): handle invalid header names in request processing (

…updates Bumps the npm_and_yarn group with 4 updates in the /apps/extension directory: [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router), [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite), [webpack](https://github.com/webpack/webpack) and [webpack-dev-server](https://github.com/webpack/webpack-dev-server). Bumps the npm_and_yarn group with 6 updates in the /apps/web directory: | Package | From | To | | --- | --- | --- | | [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router) | `7.6.3` | `7.12.0` | | [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.3.1` | `7.3.2` | | [webpack](https://github.com/webpack/webpack) | `5.90.0` | `5.104.1` | | [@hono/node-server](https://github.com/honojs/node-server) | `1.19.11` | `1.19.13` | | [hono](https://github.com/honojs/hono) | `4.12.8` | `4.12.16` | | [storybook](https://github.com/storybookjs/storybook/tree/HEAD/code/core) | `8.5.2` | `8.6.17` | Updates `react-router` from 7.6.3 to 7.12.0 - [Release notes](https://github.com/remix-run/react-router/releases) - [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md) - [Commits](https://github.com/remix-run/react-router/commits/react-router@7.12.0/packages/react-router) Updates `vite` from 7.3.1 to 7.3.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite) Updates `webpack` from 5.90.0 to 5.104.1 - [Release notes](https://github.com/webpack/webpack/releases) - [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md) - [Commits](webpack/webpack@v5.90.0...v5.104.1) Updates `webpack-dev-server` from 4.15.1 to 5.2.1 - [Release notes](https://github.com/webpack/webpack-dev-server/releases) - [Changelog](https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md) - [Commits](webpack/webpack-dev-server@v4.15.1...v5.2.1) Updates `react-router` from 7.6.3 to 7.12.0 - [Release notes](https://github.com/remix-run/react-router/releases) - [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md) - [Commits](https://github.com/remix-run/react-router/commits/react-router@7.12.0/packages/react-router) Updates `vite` from 7.3.1 to 7.3.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite) Updates `webpack` from 5.90.0 to 5.104.1 - [Release notes](https://github.com/webpack/webpack/releases) - [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md) - [Commits](webpack/webpack@v5.90.0...v5.104.1) Updates `@hono/node-server` from 1.19.11 to 1.19.13 - [Release notes](https://github.com/honojs/node-server/releases) - [Commits](honojs/node-server@v1.19.11...v1.19.13) Updates `hono` from 4.12.8 to 4.12.16 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.8...v4.12.16) Updates `storybook` from 8.5.2 to 8.6.17 - [Release notes](https://github.com/storybookjs/storybook/releases) - [Changelog](https://github.com/storybookjs/storybook/blob/v8.6.17/CHANGELOG.md) - [Commits](https://github.com/storybookjs/storybook/commits/v8.6.17/code/core) --- updated-dependencies: - dependency-name: react-router dependency-version: 7.12.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 7.3.2 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: webpack dependency-version: 5.104.1 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: webpack-dev-server dependency-version: 5.2.1 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: react-router dependency-version: 7.12.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 7.3.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: webpack dependency-version: 5.104.1 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: "@hono/node-server" dependency-version: 1.19.13 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.16 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: storybook dependency-version: 8.6.17 dependency-type: direct:development dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

vercel · 2026-05-08T15:02:24Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
interface-web	Ready	Preview, Comment	May 8, 2026 3:02pm

snyk-io · 2026-05-08T15:02:37Z

⚠️ Snyk checks are incomplete.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
⚠️	Open Source Security	0	0	0	0	See details

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 8, 2026

vercel Bot deployed to Preview May 8, 2026 15:02 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the npm_and_yarn group across 2 directories with 7 updates#138

build(deps): bump the npm_and_yarn group across 2 directories with 7 updates#138
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/apps/extension/npm_and_yarn-36ccbc304e

dependabot Bot commented on behalf of github May 8, 2026

Uh oh!

vercel Bot commented May 8, 2026 •

edited

Loading

Uh oh!

snyk-io Bot commented May 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

URL `/a/b/c`	HTTP pathname	`request` pathname`
Document	`/a/b/c`	`/a/b/c` ✅
Data	`/a/b/c.data`	`/a/b/c` ✅

URL `/a/b/c/`	HTTP pathname	`request` pathname`
Document	`/a/b/c/`	`/a/b/c/` ✅
Data	`/a/b/c.data`	`/a/b/c` ⚠️

Conversation

dependabot Bot commented on behalf of github May 8, 2026

v7.12.0

v7.11.0

v7.10.1

v7.10.0

v7.9.6

v7.9.5

v7.9.4

v7.9.3

v7.9.2

v7.9.1

v7.9.0

v7.8.2

v7.8.1

v7.8.0

v7.7.1

v7.7.0

7.12.0

Minor Changes

Patch Changes

v7.3.2

7.3.2 (2026-04-06)

Bug Fixes

v5.104.1

5.104.1

Patch Changes

v5.104.0

5.104.0

Minor Changes

Patch Changes

v5.103.0

Features

5.104.1

Patch Changes

5.104.0

Minor Changes

Patch Changes

v5.2.1

5.2.1 (2025-03-26)

Security

Bug Fixes

v5.2.0

5.2.0 (2024-12-11)

Features

Bug Fixes

v5.1.0

5.1.0 (2024-09-03)

Features

Bug Fixes

v5.0.4

5.0.4 (2024-03-19)

5.2.1 (2025-03-26)

Security

Bug Fixes

5.2.0 (2024-12-11)

Features

Bug Fixes

5.1.0 (2024-09-03)

Features

Bug Fixes

5.0.4 (2024-03-19)

Bug Fixes

v7.12.0

v7.11.0

v7.10.1

v7.10.0

v7.9.6

v7.9.5

v7.9.4

v7.9.3

v7.9.2

v7.9.1

v7.9.0

v7.8.2

v7.8.1

v7.8.0

v7.7.1

v7.7.0

7.12.0

vercel Bot commented May 8, 2026 •

edited

Loading