Skip to content

deps(deps): bump the everything group across 1 directory with 13 updates#17038

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/everything-9ae9f8ebd0
Open

deps(deps): bump the everything group across 1 directory with 13 updates#17038
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/everything-9ae9f8ebd0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 29, 2026
edited
Loading

Bumps the everything group with 13 updates in the / directory:

Package From To
@sentry/node 9.28.1 9.47.1
configstore 7.0.0 7.1.0
csp_evaluator 1.1.5 1.1.6
devtools-protocol 0.0.1625959 0.0.1629771
enquirer 2.3.6 2.4.1
http-link-header 1.1.1 1.1.3
intl-messageformat 10.5.3 10.7.18
lodash-es 4.17.21 4.18.1
open 8.4.0 8.4.2
third-party-web 0.29.0 0.29.2
web-features 3.26.0 3.27.0
ws 7.4.6 7.5.10
yargs 17.7.1 17.7.2

Updates @sentry/node from 9.28.1 to 9.47.1

Release notes

Sourced from @​sentry/node's releases.

9.47.1

  • fix(v9/core): Fix logs flush timeout starvation with continuous logging (#18214)

Bundle size 📦

Path Size
@​sentry/browser 23.24 KB
@​sentry/browser - with treeshaking flags 21.83 KB
@​sentry/browser (incl. Tracing) 38.73 KB
@​sentry/browser (incl. Tracing, Replay) 76.11 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags 66.13 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) 80.69 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) 92.54 KB
@​sentry/browser (incl. Feedback) 39.53 KB
@​sentry/browser (incl. sendFeedback) 27.81 KB
@​sentry/browser (incl. FeedbackAsync) 32.59 KB
@​sentry/react 24.95 KB
@​sentry/react (incl. Tracing) 40.64 KB
@​sentry/vue 27.58 KB
@​sentry/vue (incl. Tracing) 40.48 KB
@​sentry/svelte 23.25 KB
CDN Bundle 24.59 KB
CDN Bundle (incl. Tracing) 38.5 KB
CDN Bundle (incl. Tracing, Replay) 73.78 KB
CDN Bundle (incl. Tracing, Replay, Feedback) 79.12 KB
CDN Bundle - uncompressed 71.73 KB
CDN Bundle (incl. Tracing) - uncompressed 114.12 KB
CDN Bundle (incl. Tracing, Replay) - uncompressed 226.32 KB
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 238.83 KB
@​sentry/nextjs (client) 42.64 KB
@​sentry/sveltekit (client) 39.14 KB
@​sentry/node 165.43 KB
@​sentry/node - without tracing 98.19 KB
@​sentry/aws-serverless 125.68 KB

9.47.0

  • feat(replay/v9): Add option to skip requestAnimationFrame for canvas snapshots (#17426)
  • fix(v9/core): Ensure logs past MAX_LOG_BUFFER_SIZE are not swallowed (#18213)
  • fix(v9/e2e-tests): Fix various e2e tests (#18226)

Bundle size 📦

Path Size

... (truncated)

Changelog

Sourced from @​sentry/node's changelog.

9.47.1

  • fix(v9/core): Fix logs flush timeout starvation with continuous logging (#18214)

9.47.0

  • feat(replay/v9): Add option to skip requestAnimationFrame for canvas snapshots (#17426)
  • fix(v9/core): Ensure logs past MAX_LOG_BUFFER_SIZE are not swallowed (#18213)
  • fix(v9/e2e-tests): Fix various e2e tests (#18226)

9.46.0

  • feat(v9/node): Capture SystemError context and remove paths from message (#17394)
  • fix(v9/mcp): capture prompt results and add defensive edge cases for transport instrumentation (#17401)
  • fix(v9/nuxt): Do not drop parametrized routes (#17357) (#17359)

9.45.0

  • feat(v9/nuxt): Do not inject trace meta-tags on cached HTML pages (#17305) (#17319)
  • fix(v9/node): Assign default export of openai to the instrumented fn (#17353)

9.44.2

This release is publishing the AWS Lambda Layer under SentryNodeServerlessSDKv9. The previous release 9.44.1 accidentally published the layer under SentryNodeServerlessSDKv10.

9.44.1

  • fix(replay/v9): Call sendBufferedReplayOrFlush when opening/sending feedback (#17270)

9.44.0

  • feat(replay/v9): Deprecate _experiments.autoFlushOnFeedback (#17219)
  • feat(v9/core): Add shared flushIfServerless function (#17239)
  • feat(v9/node-native): Upgrade @sentry-internal/node-native-stacktrace to 0.2.2 (#17256)
  • feat(v9/react-router): Add createSentryHandleError (#17244)
  • feat(v9/react-router): Automatically flush on serverless for loaders/actions (#17243)
  • feat(v9/react-router): Automatically flush on serverless for request handler (#17242)
  • fix(v9/astro): Construct parametrized route during runtime (#17227)
  • fix(v9/nextjs): Flush in route handlers (#17245)
  • fix(v9/node): Fix exports for openai instrumentation (#17238) (#17241)

9.43.0

  • feat(v9/core): add MCP server instrumentation (#17196)
  • feat(v9/meta): Unify detection of serverless environments and add Cloud Run (#17204)

... (truncated)

Commits
  • 411e102 release: 9.47.1
  • d9d5ac2 meta(changelog): Update changelog for 9.47.1 (#18233)
  • 7efa3f4 fix(v9/core): Fix logs flush timeout starvation with continuous logging (#18214)
  • 79141f4 Merge branch 'release/9.47.0' into v9
  • 1aa260b release: 9.47.0
  • 9d8cade meta(changelog): Update changelog for 9.47.0 (#18229)
  • e2a5d1c fix(v9/core): Ensure logs past MAX_LOG_BUFFER_SIZE are not swallowed (#18213)
  • cb57c5b fix(v9/e2e-tests): Fix various e2e tests (#18226)
  • 86e6457 feat(replay/v9): Add option to skip requestAnimationFrame for canvas snapshot...
  • b57c43e Merge branch 'release/9.46.0' into v9
  • Additional commits viewable in compare view

Updates configstore from 7.0.0 to 7.1.0

Release notes

Sourced from configstore's releases.

v7.1.0

  • Add clearInvalidConfig option af24eac

sindresorhus/configstore@v7.0.0...v7.1.0

Commits

Updates csp_evaluator from 1.1.5 to 1.1.6

Commits

Updates devtools-protocol from 0.0.1625959 to 0.0.1629771

Commits

Updates enquirer from 2.3.6 to 2.4.1

Changelog

Sourced from enquirer's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.
Commits

Updates http-link-header from 1.1.1 to 1.1.3

Commits

Updates intl-messageformat from 10.5.3 to 10.7.18

Commits
  • 8c196f3 build: publish
  • fe0dd85 fix: add a comment just to bump patch version
  • 3a192d4 build: publish
  • 3cf9083 build(deps): bump form-data and @​parcel/config-default in /packages/react-int...
  • e392fba chore(deps): update io_buildbuddy_buildbuddy_toolchain digest to 722cf8f (#5125)
  • cfa2707 chore: Lerna-Lite --skip-bump-only-releases (#5124)
  • c7bc7c7 chore(deps): update babel monorepo to v7.28.4 (#5115)
  • e8b5a0e build: publish
  • e55618d chore: tooling
  • e1b954c chore: update lock
  • Additional commits viewable in compare view

Updates lodash-es from 4.17.21 to 4.18.1

Release notes

Sourced from lodash-es's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates open from 8.4.0 to 8.4.2

Release notes

Sourced from open's releases.

v8.4.2

  • Fix support for Podman 51fae87

sindresorhus/open@v8.4.1...v8.4.2

v8.4.1

  • Fix allowNonzeroExitCode option (#296) 051edca
  • Fix the app argument with WSL (#295) 4cf1a6d

sindresorhus/open@v8.4.0...v8.4.1

Commits

Updates third-party-web from 0.29.0 to 0.29.2

Release notes

Sourced from third-party-web's releases.

v0.29.2

0.29.2 (2026-05-14)

Bug Fixes

  • remove outdated web reference (424dc03)
Commits
  • 424dc03 fix: remove outdated web reference
  • 8e30492 ci: remove broken npm self-upgrade step
  • 99fc4a6 ci: fix OIDC npm publishing by removing conflicting registry-url and upgradin...
  • b6846be fix(entities): split Slideshare from LinkedIn (#265)
  • 00b6874 chore: bump semantic-release to v25 for OIDC trusted publishing
  • 6f9d1ec chore: bump @​semantic-release/npm to v13 for OIDC trusted publishing
  • f5a6771 ci: switch npm publishing to OIDC trusted publisher
  • 4f569b3 ci: support OIDC system for NPM publish by CI (#262)
  • 548c5ce chore: add March 2026 data (#260)
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for third-party-web since your current version.


Updates web-features from 3.26.0 to 3.27.0

Release notes

Sourced from web-features's releases.

v3.27.0

What's New

  • 7 features: reporting-coep-violations, reporting-crashes, reporting-csp-violations, reporting-deprecation, reporting-integrity-violations, reporting-interventions, reporting-permissions-policy-violations
  • 1 group: reporting
  • 6 status changes:
    • Baseline widely available: clip-path-boxes, user-pseudos
    • Baseline newly available: crisp-edges, js-modules-shared-workers, shared-workers, text-decoration-skip-ink-all

What's Changed

Full Changelog: web-platform-dx/web-features@v3.26.0...v3.27.0

Subscribe to the Upcoming changes announcements thread for news about upcoming releases, such as breaking changes or major features.

Commits

Updates ws from 7.4.6 to 7.5.10

Release notes

Sourced from ws's releases.

7.5.10

Bug fixes

  • Backported e55e5106 to the 7.x release line (22c28763).

7.5.9

Bug fixes

  • Backported bc8bd34e to the 7.x release line (0435e6e1).

7.5.8

Bug fixes

  • Backported 0fdcc0af to the 7.x release line (2758ed35).
  • Backported d68ba9e1 to the 7.x release line (dc1781bc).

7.5.7

Bug fixes

  • Backported 6946f5fe to the 7.x release line (1f72e2e1).

7.5.6

Bug fixes

  • Backported b8186dd1 to the 7.x release line (73dec34b).
  • Backported ed2b8039 to the 7.x release line (22a26afb).

7.5.5

Bug fixes

  • Backported ec9377ca to the 7.x release line (0e274acd).

7.5.4

Bug fixes

  • Backported 6a72da3e to the 7.x release line (76087fbf).
  • Backported 869c9892 to the 7.x release line (27997933).

7.5.3

Bug fixes

  • The WebSocketServer constructor now throws an error if more than one of the noServer, server, and port options are specefied (66e58d27).
  • Fixed a bug where a 'close' event was emitted by a WebSocketServer before the internal HTTP/S server was actually closed (5a587304).
  • Fixed a bug that allowed WebSocket connections to be established after WebSocketServer.prototype.close() was called (772236a1).

7.5.2

Bug fixes

... (truncated)

Commits
  • d962d70 [dist] 7.5.10
  • 22c2876 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 8a78f87 [dist] 7.5.9
  • 0435e6e [security] Fix same host check for ws+unix: redirects
  • 4271f07 [dist] 7.5.8
  • dc1781b [security] Drop sensitive headers when following insecure redirects
  • 2758ed3 [fix] Abort the handshake if the Upgrade header is invalid
  • a370613 [dist] 7.5.7
  • 1f72e2e [security] Drop sensitive headers when following redirects (#2013)
  • 8ecd890 [dist] 7.5.6
  • Additional commits viewable in compare view

Updates yargs from 17.7.1 to 17.7.2

Changelog

Sourced from yargs's changelog.

17.7.2 (2023-04-27)

Bug Fixes

  • do not crash completion when having negated options (#2322) (7f42848)
Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 29, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 29, 2026 23:40
@dependabot dependabot Bot requested review from connorjclark and removed request for a team May 29, 2026 23:40
@dependabot
deps(deps): bump the everything group across 1 directory with 13 updates
38c995d 
Bumps the everything group with 13 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@sentry/node](https://github.com/getsentry/sentry-javascript) | `9.28.1` | `9.47.1` |
| [configstore](https://github.com/sindresorhus/configstore) | `7.0.0` | `7.1.0` |
| [csp_evaluator](https://github.com/google/csp-evaluator) | `1.1.5` | `1.1.6` |
| [devtools-protocol](https://github.com/ChromeDevTools/devtools-protocol) | `0.0.1625959` | `0.0.1629771` |
| [enquirer](https://github.com/enquirer/enquirer) | `2.3.6` | `2.4.1` |
| [http-link-header](https://github.com/jhermsmeier/node-http-link-header) | `1.1.1` | `1.1.3` |
| [intl-messageformat](https://github.com/formatjs/formatjs) | `10.5.3` | `10.7.18` |
| [lodash-es](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` |
| [open](https://github.com/sindresorhus/open) | `8.4.0` | `8.4.2` |
| [third-party-web](https://github.com/patrickhulce/third-party-web) | `0.29.0` | `0.29.2` |
| [web-features](https://github.com/web-platform-dx/web-features/tree/HEAD/packages/web-features) | `3.26.0` | `3.27.0` |
| [ws](https://github.com/websockets/ws) | `7.4.6` | `7.5.10` |
| [yargs](https://github.com/yargs/yargs) | `17.7.1` | `17.7.2` |



Updates `@sentry/node` from 9.28.1 to 9.47.1
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/9.47.1/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@9.28.1...9.47.1)

Updates `configstore` from 7.0.0 to 7.1.0
- [Release notes](https://github.com/sindresorhus/configstore/releases)
- [Commits](sindresorhus/configstore@v7.0.0...v7.1.0)

Updates `csp_evaluator` from 1.1.5 to 1.1.6
- [Release notes](https://github.com/google/csp-evaluator/releases)
- [Commits](https://github.com/google/csp-evaluator/commits)

Updates `devtools-protocol` from 0.0.1625959 to 0.0.1629771
- [Commits](ChromeDevTools/devtools-protocol@v0.0.1625959...v0.0.1629771)

Updates `enquirer` from 2.3.6 to 2.4.1
- [Changelog](https://github.com/enquirer/enquirer/blob/master/CHANGELOG.md)
- [Commits](https://github.com/enquirer/enquirer/commits)

Updates `http-link-header` from 1.1.1 to 1.1.3
- [Commits](https://github.com/jhermsmeier/node-http-link-header/commits)

Updates `intl-messageformat` from 10.5.3 to 10.7.18
- [Release notes](https://github.com/formatjs/formatjs/releases)
- [Commits](https://github.com/formatjs/formatjs/compare/intl-messageformat@10.5.3...intl-messageformat@10.7.18)

Updates `lodash-es` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `open` from 8.4.0 to 8.4.2
- [Release notes](https://github.com/sindresorhus/open/releases)
- [Commits](sindresorhus/open@v8.4.0...v8.4.2)

Updates `third-party-web` from 0.29.0 to 0.29.2
- [Release notes](https://github.com/patrickhulce/third-party-web/releases)
- [Commits](patrickhulce/third-party-web@v0.29.0...v0.29.2)

Updates `web-features` from 3.26.0 to 3.27.0
- [Release notes](https://github.com/web-platform-dx/web-features/releases)
- [Commits](https://github.com/web-platform-dx/web-features/commits/v3.27.0/packages/web-features)

Updates `ws` from 7.4.6 to 7.5.10
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@7.4.6...7.5.10)

Updates `yargs` from 17.7.1 to 17.7.2
- [Release notes](https://github.com/yargs/yargs/releases)
- [Changelog](https://github.com/yargs/yargs/blob/main/CHANGELOG.md)
- [Commits](yargs/yargs@v17.7.1...v17.7.2)

---
updated-dependencies:
- dependency-name: "@sentry/node"
  dependency-version: 9.47.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: everything
- dependency-name: configstore
  dependency-version: 7.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: everything
- dependency-name: csp_evaluator
  dependency-version: 1.1.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: everything
- dependency-name: devtools-protocol
  dependency-version: 0.0.1629771
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: everything
- dependency-name: enquirer
  dependency-version: 2.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: everything
- dependency-name: http-link-header
  dependency-version: 1.1.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: everything
- dependency-name: intl-messageformat
  dependency-version: 10.7.18
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: everything
- dependency-name: lodash-es
  dependency-version: 4.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: everything
- dependency-name: open
  dependency-version: 8.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: everything
- dependency-name: third-party-web
  dependency-version: 0.29.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: everything
- dependency-name: web-features
  dependency-version: 3.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: everything
- dependency-name: ws
  dependency-version: 7.5.10
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: everything
- dependency-name: yargs
  dependency-version: 17.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: everything
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/everything-9ae9f8ebd0 branch from 9bbb2de to 38c995d Compare May 29, 2026 23:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@connorjclark connorjclark Awaiting requested review from connorjclark connorjclark is a code owner automatically assigned from GoogleChrome/lighthouse-hackers

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants