chore(deps)(deps): bump the web-dependencies group in /web with 17 updates by dependabot[bot] · Pull Request #9 · PatrickFanella/subcults

dependabot · 2026-03-17T21:35:09Z

Bumps the web-dependencies group in /web with 17 updates:

Package	From	To
i18next	`25.7.2`	`25.8.18`
i18next-browser-languagedetector	`8.2.0`	`8.2.1`
livekit-client	`2.16.0`	`2.17.3`
maplibre-gl	`5.14.0`	`5.20.2`
zustand	`5.0.9`	`5.0.12`
@playwright/test	`1.58.0`	`1.58.2`
@testing-library/react	`16.3.0`	`16.3.2`
@types/maplibre-gl	`1.13.2`	`1.14.0`
@vitest/coverage-v8	`4.0.18`	`4.1.0`
@vitest/ui	`4.0.18`	`4.1.0`
autoprefixer	`10.4.22`	`10.4.27`
eslint-plugin-react-refresh	`0.4.24`	`0.5.2`
msw	`2.12.7`	`2.12.13`
playwright	`1.58.0`	`1.58.2`
postcss	`8.5.6`	`8.5.8`
typescript-eslint	`8.49.0`	`8.57.1`
vitest	`4.0.18`	`4.1.0`

Updates i18next from 25.7.2 to 25.8.18

Release notes

Sourced from i18next's releases.

v25.8.18

improve selector api to accept array of selector functions, analogous to array of keys 2404

v25.8.17

update deps

v25.8.16

fix(types): on() method now correctly returns this instead of void, matching the runtime behavior and enabling proper method chaining in TypeScript

v25.8.15

fix: Selector API unable to resolve namespaces #2402

v25.8.14

fix: getCleanedCode now replaces all underscores

v25.8.13

improve support notice shown logic

v25.8.12

improve support notice shown logic

v25.8.11

revert fix: compatibility with moduleResolution bundler (issue 2380) 2381

v25.8.10

fix(interpolator): guard null matchedDoubleQuotes in nesting option parsing 2395

v25.8.9

fix(interpolator): escape nestingOptionsSeparator in nesting option parsing 223943

v25.8.8

types(i18n): add missing toJSON() declaration 2393

v25.8.7

avoid crash due to ReferenceError without Intl API 2391

v25.8.6

ts: address incomplete type definition for getFixedT() return value 2318

v25.8.5

fix: compatibility with moduleResolution bundler (issue 2380) 2381

v25.8.4

fix: crashes when backend in backends array has no name property 2386

v25.8.3

ts: document option to suppress the support message 2385

v25.8.2

option to suppress the support message 2385

... (truncated)

Changelog

Sourced from i18next's changelog.

25.8.18

improve selector api to accept array of selector functions, analogous to array of keys 2404

25.8.17

update deps

25.8.16

fix(types): on() method now correctly returns this instead of void, matching the runtime behavior and enabling proper method chaining in TypeScript

25.8.15

fix: Selector API unable to resolve namespaces 2402

25.8.14

fix: getCleanedCode now replaces all underscores

25.8.13

improve support notice shown logic

25.8.12

improve support notice shown logic

25.8.11

revert fix: compatibility with moduleResolution bundler (issue 2380) 2381

25.8.10

fix(interpolator): guard null matchedDoubleQuotes in nesting option parsing 2395

25.8.9

fix(interpolator): escape nestingOptionsSeparator in nesting option parsing 2394

25.8.8

types(i18n): add missing toJSON() declaration 2393

25.8.7

avoid crash due to ReferenceError without Intl API 2391

25.8.6

... (truncated)

Commits

9c7285b 25.8.18
2fa6e38 improve selector api to accept array of selector functions, analogous to arra...
9ed8fd1 jsr update
e685b3e 25.8.17
272d1e9 update deps
660191c refine notice msg
cd7ab70 jsr update
da0778e 25.8.16
98e5ea7 fix(types): on() method now correctly returns this instead of void, mat...
ea398ad jsr update
Additional commits viewable in compare view

Updates i18next-browser-languagedetector from 8.2.0 to 8.2.1

Changelog

Sourced from i18next-browser-languagedetector's changelog.

8.2.1

Add missing typescript definition for hash options 33154

Commits

7164126 8.2.1
6df69c7 release
1ffa1cf Add missing typescript definition for hash options (#315)
697d89b Bump js-yaml (#313)
ce82da9 Bump lodash from 4.17.21 to 4.17.23 (#312)
d05fe5a fix url in readme
9d1d7d2 Bump tmp from 0.2.1 to 0.2.5 (#309)
32f0429 Bump cipher-base from 1.0.4 to 1.0.6 (#307)
9c0db8f Bump sha.js from 2.4.11 to 2.4.12 (#308)
3ad9ac5 Bump pbkdf2 from 3.1.2 to 3.1.3 (#306)
Additional commits viewable in compare view

Updates livekit-client from 2.16.0 to 2.17.3

Release notes

Sourced from livekit-client's releases.

v2.17.3

Patch Changes

Update happy-dom dependency version - #1821 (@renovate)

e2ee: ensure current key index isn't unintentionally updated - #1830 (@lukasIO)

Prevent unmute -> mute -> unmute cycle for track restarts that happen during unmute - #1793 (@mfairley)

Use controller.error to signal unexpected errors mid data stream - #1834 (@lukasIO)

Signal leave on failed connection attempts if signalling is connected - #1817 (@lukasIO)

Vendored ts-debounce and added critical timers to debounce function - #1800 (@mfairley)

Ensure cryptor setup respects async queue in worker - #1833 (@lukasIO)

Adds new OutgoingDataTrackManager to manage sending data track payloads - #1810 (@1egoman)

v2.17.2

Patch Changes

Ensure connection state mismatches aren't triggered for ongoing PC connection attempts - #1807 (@lukasIO)

Fix unnecessary track restarts on unmute when using ideal device constraints - #1794 (@mfairley)

Prevent ongoing renegotiations from declaring the negotiation as timed out - #1813 (@lukasIO)

Add data track packetizer and depacketizer implementations - #1798 (@1egoman)

Add missing type exports required by @livekit/components-core - #1815 (@1egoman)

v2.17.1

Patch Changes

Add data track packet serialization + deserialization logic - #1792 (@1egoman)

Update docs to clarify other client HKDF support - #1796 (@1egoman)

Add attachedStreamIds as text stream metadata - #1805 (@1egoman)

v2.17.0

Minor Changes

Add new rtc path that defaults to single peer connection mode and falls back to legacy dual pc - #1785 (@lukasIO)

Patch Changes

Use TypedPromise for typesafe errors - #1770 (@lukasIO)

... (truncated)

Changelog

Sourced from livekit-client's changelog.

2.17.3

Patch Changes

Update happy-dom dependency version - #1821 (@renovate)

e2ee: ensure current key index isn't unintentionally updated - #1830 (@lukasIO)

Prevent unmute -> mute -> unmute cycle for track restarts that happen during unmute - #1793 (@mfairley)

Use controller.error to signal unexpected errors mid data stream - #1834 (@lukasIO)

Signal leave on failed connection attempts if signalling is connected - #1817 (@lukasIO)

Vendored ts-debounce and added critical timers to debounce function - #1800 (@mfairley)

Ensure cryptor setup respects async queue in worker - #1833 (@lukasIO)

Adds new OutgoingDataTrackManager to manage sending data track payloads - #1810 (@1egoman)

2.17.2

Patch Changes

Ensure connection state mismatches aren't triggered for ongoing PC connection attempts - #1807 (@lukasIO)

Fix unnecessary track restarts on unmute when using ideal device constraints - #1794 (@mfairley)

Prevent ongoing renegotiations from declaring the negotiation as timed out - #1813 (@lukasIO)

Add data track packetizer and depacketizer implementations - #1798 (@1egoman)

Add missing type exports required by @livekit/components-core - #1815 (@1egoman)

2.17.1

Patch Changes

Add data track packet serialization + deserialization logic - #1792 (@1egoman)

Update docs to clarify other client HKDF support - #1796 (@1egoman)

Add attachedStreamIds as text stream metadata - #1805 (@1egoman)

2.17.0

Minor Changes

Add new rtc path that defaults to single peer connection mode and falls back to legacy dual pc - #1785 (@lukasIO)

... (truncated)

Commits

d87b777 Version Packages (#1818)
b9829c7 Ensure cryptor setup respects async queue in worker (#1833)
02c8094 Fix error handling in example (#1835)
1b93409 Use controller.error to signal unexpected errors mid data stream (#1834)
a2760f4 Propagate key index update in setSharedKey worker method (#1831)
dc1559f fix: prevent mute cycling when restarting tracks during unmute (#1793)
8d1f4ad fix(e2ee): ensure current key index isn't unintentionally updated on … (#1830)
45842cc [🤖 readme-manager] Update README (#1828)
d35c77d Update dev dependencies to patch some low hanging fruit CVEs (#1826)
56c9028 Bump rollup from 4.57.1 to 4.59.0 (#1825)
Additional commits viewable in compare view

Updates maplibre-gl from 5.14.0 to 5.20.2

Release notes

Sourced from maplibre-gl's releases.

v5.20.2

🐞 Bug fixes

Fix update GeoJSON when using diff update by updating geojson-vt package (#7257) (by @HarelM)

v5.20.1

🐞 Bug fixes

Fix cannot read properties of undefined (reading 'range') by updating geojson-vt package (#7245) (by @HarelM)

Fix a bug where raster-resampling: nearest was not applied as expected (#7247) (by @yano-h)

v5.20.0

✨ Features and improvements

Add Etag unmodified support to optimize vector tile reloading (#7074) (by [@rivkamatan](https://github.com/rivkamatan and @wayofthefuture)

Add boxZoom.boxZoomEnd option to customize the action after Shift-drag box selection (#6397) (by @itisyb)

Implement resampling paint property for raster, hillshade, and color-relief layers (#7074) (by @larsmaxfield)

Add updateable support for GeoJSON-VT (#7172) (by @wayofthefuture and @HarelM)

Add example for 3D Tiles using three.js (#7198) (by @hh-hang)

🐞 Bug fixes

Fix: Distance to tile is calculated incorrectly in globe projection for high pitch angles (#7219) (by @jtfedd)

Fix: Tiles are not cleared when using vector tile source setUrl/setTiles (#7185) (by @madoci)

Fix: Allow opaque origins ("null") in Actor message filtering (#7047) (by @pcardinal)

v5.19.0

✨ Features and improvements

Change the return type of LngLatBounds.toArray() to use a more precise type (#7156) (by @n4n5)

Add anisotropicFilterPitch map option to set the pitch above which the anisotropic filter is applied to all raster layers, the default of which is 20° (#7134) (by larsmaxfield)

Add source id to error message (#7107) (by HarelM)

🐞 Bug fixes

Fix SDF icon-text-fit rendering by correctly unpacking packed shader values in symbol_sdf.vertex.glsl, with render-test coverage (#7141, fixes #6953) (by @pcardinal)

Fix correct bounds calculation for GeoJSON with elevation (#6963) (by @simonmnt)

Fix: support elevation in bounds calculation (#7135) (by simonmnt)

Fix Firefox "Alpha-premult deprecated for non-DOM uploads" warning (#7128) (by @birkskyum)

Fix raster tiles rendering with glyph/icon atlas content after WebGL context loss (#7126) (by @birkskyum)

Fix popup tip in RTL pages (#7157) (by @HarelM)

v5.18.0

✨ Features and improvements

... (truncated)

Changelog

Sourced from maplibre-gl's changelog.

5.20.2

🐞 Bug fixes

Fix update GeoJSON when using diff update by updating geojson-vt package (#7257) (by @HarelM)

5.20.1

🐞 Bug fixes

Fix cannot read properties of undefined (reading 'range') by updating geojson-vt package (#7245) (by @HarelM)

Fix a bug where raster-resampling: nearest was not applied as expected (#7247) (by @yano-h)

5.20.0

✨ Features and improvements

Add Etag unmodified support to optimize vector tile reloading (#7074) (by [@rivkamatan](https://github.com/rivkamatan and @wayofthefuture)

Add boxZoom.boxZoomEnd option to customize the action after Shift-drag box selection (#6397) (by @itisyb)

Implement resampling paint property for raster, hillshade, and color-relief layers (#7074) (by @larsmaxfield)

Add updateable support for GeoJSON-VT (#7172) (by @wayofthefuture and @HarelM)

Add example for 3D Tiles using three.js (#7198) (by @hh-hang)

🐞 Bug fixes

Fix: Distance to tile is calculated incorrectly in globe projection for high pitch angles (#7219) (by @jtfedd)

Fix: Tiles are not cleared when using vector tile source setUrl/setTiles (#7185) (by @madoci)

Fix: Allow opaque origins ("null") in Actor message filtering (#7047) (by @pcardinal)

5.19.0

✨ Features and improvements

Change the return type of LngLatBounds.toArray() to use a more precise type (#7156) (by @n4n5)

Add anisotropicFilterPitch map option to set the pitch above which the anisotropic filter is applied to all raster layers, the default of which is 20° (#7134) (by @larsmaxfield)

Add source id to error message (#7107) (by @HarelM)

🐞 Bug fixes

Fix SDF icon-text-fit rendering by correctly unpacking packed shader values in symbol_sdf.vertex.glsl, with render-test coverage (#7141, fixes #6953) (by @pcardinal)

Fix correct bounds calculation for GeoJSON with elevation (#6963) (by @simonmnt)

Fix: support elevation in bounds calculation (#7135) (by @simonmnt)

Fix Firefox "Alpha-premult deprecated for non-DOM uploads" warning (#7128) (by @birkskyum)

Fix raster tiles rendering with glyph/icon atlas content after WebGL context loss (#7126) (by @birkskyum)

Fix popup tip in RTL pages (#7157) (by @HarelM)

5.18.0

✨ Features and improvements

... (truncated)

Commits

109fa99 Bump js version to 5.20.2 (#7274)
44a70ea chore(deps-dev): bump puppeteer from 24.39.0 to 24.39.1 (#7269)
34afdca chore(deps): bump @maplibre/geojson-vt from 6.0.2 to 6.0.3 (#7270)
8dce8fb chore(deps-dev): bump @vitest/eslint-plugin in the vitest group (#7268)
ed6aa71 Remove unused import 'vi' from raster_style_layer test (#7266)
eb88b98 chore(deps-dev): bump puppeteer from 24.38.0 to 24.39.0 (#7264)
4dcf617 chore(deps-dev): bump @types/node from 25.4.0 to 25.5.0 (#7263)
52e6738 chore(deps-dev): bump the vitest group with 4 updates (#7262)
38e2bc0 chore(deps-dev): bump undici from 7.21.0 to 7.24.1 (#7259)
f293c20 Bump js version to 5.20.1 (#7256)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for maplibre-gl since your current version.

Updates zustand from 5.0.9 to 5.0.12

Release notes

Sourced from zustand's releases.

v5.0.12

Two small fixes.

What's Changed

fix(persist): use latest state in post-rehydration callback by @Shohjahon-n in pmndrs/zustand#3391

fix(devtools): correct redux devtools config type extension by @grigoriy-reshetniak in pmndrs/zustand#3414

New Contributors

@pavan-sh made their first contribution in pmndrs/zustand#3378

@Copilot made their first contribution in pmndrs/zustand#3395

@Aravindsreeni made their first contribution in pmndrs/zustand#3400

@wallzero made their first contribution in pmndrs/zustand#3401

@chaesunbak made their first contribution in pmndrs/zustand#3405

@Shohjahon-n made their first contribution in pmndrs/zustand#3391

Full Changelog: pmndrs/zustand@v5.0.11...v5.0.12

v5.0.11

This release includes small improvements in middleware thanks to contributors.

What's Changed

chore: improve typing in devtools middleware by @grigoriy-reshetniak in pmndrs/zustand#3362

fix(persist): avoid relying on global localStorage by @honuuk in pmndrs/zustand#3367

fix(immer): Proper typing for immer middleware in combination with slices by @wheerd in pmndrs/zustand#3371

New Contributors

@SeongYongLee made their first contribution in pmndrs/zustand#3355

@grigoriy-reshetniak made their first contribution in pmndrs/zustand#3351

@DormancyWang made their first contribution in pmndrs/zustand#3363

@Ea-st-ring made their first contribution in pmndrs/zustand#3369

@winner07 made their first contribution in pmndrs/zustand#3373

@honuuk made their first contribution in pmndrs/zustand#3367

@wheerd made their first contribution in pmndrs/zustand#3371

Full Changelog: pmndrs/zustand@v5.0.10...v5.0.11

v5.0.10

This version includes a fix to the persist middleware for an edge case.

What's Changed

fix(persist): prevent race condition during concurrent rehydrate calls by @Niyaz-Mazhitov in pmndrs/zustand#3336

New Contributors

@max-programming made their first contribution in pmndrs/zustand#3310

@oleksandr-danylchenko made their first contribution in pmndrs/zustand#3319

@MateuszSobiech made their first contribution in pmndrs/zustand#3334

@EduardoRangelG made their first contribution in pmndrs/zustand#3326

@1mehdifaraji made their first contribution in pmndrs/zustand#3339

@kamja44 made their first contribution in pmndrs/zustand#3349

@Niyaz-Mazhitov made their first contribution in pmndrs/zustand#3336

... (truncated)

Commits

206012d 5.0.12
d714065 chore(deps): update dev dependencies (#3427)
89ebcd7 fix(devtools): correct redux devtools config type extension (#3414)
6213fc1 fix(persist): use latest state in post-rehydration callback (#3391)
a3869ca docs: fix broken links in beginner TypeScript guide (#3423)
c49df38 Hotfix section linking (#3410)
5561e9b Fix indentation for actions in index.md (#3406)
4966a15 fix(readme) : comparison documentaion link (#3405)
da381c3 Fix README internal links for GitHub rendering (#3403)
0d250b3 fix persist documentation link (#3401)
Additional commits viewable in compare view

Updates @playwright/test from 1.58.0 to 1.58.2

Release notes

Sourced from @playwright/test's releases.

v1.58.2

Highlights

#39121 fix(trace viewer): make paths via stdin work #39129 fix: do not force swiftshader on chromium mac

Browser Versions

Chromium 145.0.7632.6

Mozilla Firefox 146.0.1

WebKit 26.0

v1.58.1

Highlights

#39036 fix(msedge): fix local network permissions #39037 chore: update cft download location #38995 chore(webkit): disable frame sessions on fronzen builds

Browser Versions

Chromium 145.0.7632.6

Mozilla Firefox 146.0.1

WebKit 26.0

Commits

ce480a9 cherry-pick(#39171): devops: add ubuntu-22.04-arm bot
e40c137 chore: mark v1.58.2 (#39155)
50b7296 cherry-pick(#39152): chore: fix execSync inheriting stdio
f3dcf50 cherry-pick(#39129): fix: do not force swiftshader on chromium mac
8684e08 cherry-pick(#39121): fix(trace viewer): make paths via stdin work
97bc385 cherry-pick(#38995): chore(webkit): disable frame sessions on fronzen builds
ad625fe chore: mark v1.58.1 (#39055)
f07234d cherry-pick(#39036): fix(msedge): fix local network permissions (#39053)
ab8136c cherry-pick(#39037): chore: update cft download location (#39052)
aa6ffeb cherry-pick(#39014): docs: add 1.58 release notes for Java, Python, and C#
See full diff in compare view

Updates @testing-library/react from 16.3.0 to 16.3.2

Release notes

Sourced from @testing-library/react's releases.

v16.3.2

16.3.2 (2026-01-19)

Bug Fixes

Update 'onCaughtError' type inference in 'RenderOptions' to work with React v19 (#1438) (f32bd1b)

v16.3.1

16.3.1 (2025-12-15)

Bug Fixes

Switch to trusted publishing (#1437) (a2d37ff)

Commits

f32bd1b fix: Update 'onCaughtError' type inference in 'RenderOptions' to work with Re...
a2d37ff fix: Switch to trusted publishing (#1437)
cd6a175 chore: fix action permissions (#1436)
22b8c28 chore: fix release (#1435)
d996673 chore: new release workflow (#1434)
205ce17 chore: fix typo in jest.config.js (#1427)
aba5740 [test] Fix tests for react@experimental (#1424)
590bc18 [test] Fix npm run typecheck (#1423)
1c931a6 chore(deps): use npm-run-all2 (#1411)
See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @testing-library/react since your current version.

Updates @types/maplibre-gl from 1.13.2 to 1.14.0

Commits

See full diff in compare view

Updates @vitest/coverage-v8 from 4.0.18 to 4.1.0

Release notes

Sourced from @vitest/coverage-v8's releases.

v4.1.0

Vitest 4.1 is out!

This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.

🚀 Features

Return a disposable from doMock() - by @kirkwaiblinger in vitest-dev/vitest#9332 (e3e65)

Added chai style assertions - by @ronnakamoto and @sheremet-va in vitest-dev/vitest#8842 (841df)

Update to sinon/fake-timers v15 and add setTickMode to timer controls - by @atscott and @sheremet-va in vitest-dev/vitest#8726 (4b480)

Expose matcher types - by @sheremet-va in vitest-dev/vitest#9448 (3e4b9)

Add toTestSpecification to reported tasks - by @sheremet-va in vitest-dev/vitest#9464 (1a470)

Show a warning if vi.mock or vi.hoisted are declared outside of top level of the module - by @sheremet-va in vitest-dev/vitest#9387 (5db54)

Track and display expectedly failed tests (.fails) in UI and CLI - by @Copilot, sheremet-va and @sheremet-va in vitest-dev/vitest#9476 (77d75)

Support tags - by @sheremet-va in vitest-dev/vitest#9478 (de7c8)

Implement aroundEach and aroundAll hooks - by @sheremet-va in vitest-dev/vitest#9450 (2a8cb)

Stabilize experimental features - by @sheremet-va in vitest-dev/vitest#9529 (b5fd2)

Accept new or all in --update flag - by @sheremet-va in vitest-dev/vitest#9543 (a5acf)

Support meta in test options - by @sheremet-va in vitest-dev/vitest#9535 (7d622)

Support type inference with a new test.extend syntax - by @sheremet-va in vitest-dev/vitest#9550 (e5385)

Support vite 8 beta, fix type issues in the config with different vite versions - by @sheremet-va in vitest-dev/vitest#9587 (99028)

Add assertion helper to hide internal stack traces - by @hi-ogawa and Claude Opus 4.6 in vitest-dev/vitest#9594 (eeb0a)

Store failure screenshots using artifacts API - by @macarie in vitest-dev/vitest#9588 (24603)

Allow vitest list to statically collect tests instead of running files to collect them - by @sheremet-va in vitest-dev/vitest#9630 (7a8e7)

Add --detect-async-leaks - by @AriPerkkio in vitest-dev/vitest#9528 (c594d)

Implement mockThrow and mockThrowOnce - by @thor-juhasz and @sheremet-va in vitest-dev/vitest#9512 (61917)

Support update: "none" and add docs about snapshots behavior on CI - by @hi-ogawa in vitest-dev/vitest#9700 (05f18)

Support playwright launchOptions with connectOptions - by @hi-ogawa in vitest-dev/vitest#9702 (f0ff1)

Add page/locator.mark API to enhance playwright trace - by @hi-ogawa in vitest-dev/vitest#9652 (d0ee5)

api:

Support tests starting or ending with test in experimental_parseSpecification - by @jg... Description has been truncated

dependabot · 2026-03-17T21:35:10Z

Labels

The following labels could not be found: dependencies, frontend, npm, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

github-actions · 2026-03-17T21:54:12Z

NPM Vulnerability Scan Results - web

Severity	Count
Critical	0
High	2
Moderate	1
Low	0
Total	3

Click to see details

# npm audit report

ajv  <6.14.0
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix`
node_modules/ajv

minimatch  <=3.1.3
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix`
node_modules/minimatch

rollup  4.0.0 - 4.58.0
Severity: high
Rollup 4 has Arbitrary File Write via Path Traversal - https://github.com/advisories/GHSA-mw96-cpmx-2vgc
fix available via `npm audit fix`
node_modules/rollup

3 vulnerabilities (1 moderate, 2 high)

To address all issues, run:
  npm audit fix

github-actions · 2026-03-17T21:55:37Z

Docker Image Scan Results - Dockerfile.indexer

Image: subcults-indexer:scan

Severity	Count
Critical	0
High	1
Medium	2
Low	1
Total	4

Click to see details


Report Summary

┌──────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                Target                │   Type   │ Vulnerabilities │ Secrets │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ subcults-indexer:scan (debian 12.13) │  debian  │        0        │    -    │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ app/indexer                          │ gobinary │        4        │    -    │
└──────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


app/indexer (gobinary)
======================
Total: 4 (LOW: 1, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌──────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│           Library            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├──────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/sdk │ CVE-2026-24051 │ HIGH     │ fixed  │ v1.38.0           │ 1.40.0         │ OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution │
│                              │                │          │        │                   │                │ via PATH Hijacking                                          │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-24051                  │
├──────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib                       │ CVE-2026-25679 │ MEDIUM   │        │ v1.24.13          │ 1.25.8, 1.26.1 │ net/url: Incorrect parsing of IPv6 host literals in net/url │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-25679                  │
│                              ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                              │ CVE-2026-27142 │          │        │                   │                │ html/template: URLs in meta content attribute actions are   │
│                              │                │          │        │                   │                │ not escaped in html/template...                             │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27142                  │
│                              ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│                              │ CVE-2026-27139 │ LOW      │        │                   │                │ os: FileInfo can escape from a Root in golang os module     │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27139                  │
└──────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

github-actions · 2026-03-17T21:56:58Z

Docker Image Scan Results - Dockerfile.frontend

Image: subcults-frontend:scan

Severity	Count
Critical	0
High	0
Medium	3
Low	3
Total	6

Click to see details


Report Summary

┌────────────────────────────────────────┬────────┬─────────────────┬─────────┐
│                 Target                 │  Type  │ Vulnerabilities │ Secrets │
├────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ subcults-frontend:scan (alpine 3.19.9) │ alpine │        6        │    -    │
└────────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


subcults-frontend:scan (alpine 3.19.9)
======================================
Total: 6 (LOW: 3, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌───────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├───────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ busybox       │ CVE-2024-58251 │ MEDIUM   │ fixed  │ 1.36.1-r20        │ 1.36.1-r21    │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                   │               │ of networ...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                   │               │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                   │               │ filenames...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
├───────────────┼────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│ busybox-binsh │ CVE-2024-58251 │ MEDIUM   │        │                   │               │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                   │               │ of networ...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                   │               │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                   │               │ filenames...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
├───────────────┼────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│ ssl_client    │ CVE-2024-58251 │ MEDIUM   │        │                   │               │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                   │               │ of networ...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                   │               │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                   │               │ filenames...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
└───────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

github-actions · 2026-03-17T21:57:18Z

Go Vulnerability Scan Results

Found 299 vulnerability/vulnerabilities

Details:

=== Symbol Results ===

Vulnerability #1: GO-2026-4603
URLs in meta content attribute actions are not escaped in html/template
More info: https://pkg.go.dev/vuln/GO-2026-4603
Standard library
Found in: html/template@go1.24.12
Fixed in: html/template@go1.25.8
Example traces found:
#1: cmd/api/main.go:1310:34: api.main calls http.Server.ListenAndServe, which eventually calls template.Template.Execute
#2: cmd/api/main.go:1310:34: api.main calls http.Server.ListenAndServe, which eventually calls template.Template.ExecuteTemplate

Vulnerability #2: GO-2026-4602
FileInfo can escape from a Root in os
More info: https://pkg.go.dev/vuln/GO-2026-4602
Standard library
Found in: os@go1.24.12
Fixed in: os@go1.25.8
Example traces found:
#1: internal/tracing/tracing.go:225:25: tracing.Provider.Shutdown calls trace.TracerProvider.Shutdown, which eventually calls os.ReadDir

Vulnerability #3: GO-2026-4601
Incorrect parsing of IPv6 host literals in net/url
More info: https://pkg.go.dev/vuln/GO-2026-4601
Standard library
Found in: net/url@go1.24.12
Fixed in: net/url@go1.25.8
Example traces found:
#1: internal/api/payment_handlers.go:223:24: api.PaymentHandlers.CreateCheckoutSession calls url.Parse
#2: cmd/api/main.go:1310:34: api.main calls http.Server.ListenAndServe, which eventually calls url.ParseRequestURI
#3: internal/health/livekit.go:44:25: health.LiveKitChecker.HealthCheck calls http.Client.Do, which eventually calls url.URL.Parse

Vulnerability #4: GO-2026-4394
OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH
Hijacking in go.opentelemetry.io/otel/sdk
More info: https://pkg.go.dev/vuln/GO-2026-4394
Module: go.opentelemetry.io/otel/sdk
Found in: go.opentelemetry.io/otel/sdk@v1.38.0
Fixed in: go.opentelemetry.io/otel/sdk@v1.40.0
Example traces found:
#1: internal/tracing/tracing.go:111:23: tracing.NewProvider calls trace.WithBatcher, which eventually calls env.BatchSpanProcessorExportTimeout
#2: internal/tracing/tracing.go:111:23: tracing.NewProvider calls trace.WithBatcher, which eventually calls env.BatchSpanProcessorMaxExportBatchSize
#3: internal/tracing/tracing.go:111:23: tracing.NewProvider calls trace.WithBatcher, which eventually calls env.BatchSpanProcessorMaxQueueSize
#4: internal/tracing/tracing.go:111:23: tracing.NewProvider calls trace.WithBatcher, which eventually calls env.BatchSpanProcessorScheduleDelay
#5: internal/tracing/tracing.go:108:34: tracing.NewProvider calls trace.NewTracerProvider, which eventually calls env.SpanAttributeCount
#6: internal/tracing/tracing.go:108:34: tracing.NewProvider calls trace.NewTracerProvider, which eventually calls env.SpanAttributeValueLength
#7: internal/tracing/tracing.go:108:34: tracing.NewProvider calls trace.NewTracerProvider, which eventually calls env.SpanEventAttributeCount
#8: internal/tracing/tracing.go:108:34: tracing.NewProvider calls trace.NewTracerProvider, which eventually calls env.SpanEventCount
#9: internal/tracing/tracing.go:108:34: tracing.NewProvider calls trace.NewTracerProvider, which eventually calls env.SpanLinkAttributeCount
#10: internal/tracing/tracing.go:108:34: tracing.NewProvider calls trace.NewTracerProvider, which eventually calls env.SpanLinkCount
#11: internal/tracing/tracing.go:19:2: tracing.init calls trace.init, which calls env.init
#12: internal/tracing/tracing.go:19:2: tracing.init calls trace.init, which calls instrumentation.init
#13: internal/tracing/tracing.go:108:34: tracing.NewProvider calls trace.NewTracerProvider, which eventually calls resource.Default
#14: internal/tracing/tracing.go:225:25: tracing.Provider.Shutdown calls trace.TracerProvider.Shutdown, which eventually calls resource.Default
#15: internal/tracing/tracing.go:108:34: tracing.NewProvider calls trace.NewTracerProvider, which eventually calls resource.Environment
#16: internal/tracing/tracing.go:108:34: tracing.NewProvider calls trace.NewTracerProvider, which eventually calls resource.Merge
#17: internal/tracing/tracing.go:71:26: tracing.NewProvider calls resource.New
#18: internal/tracing/tracing.go:19:2: tracing.init calls trace.init, which eventually calls resource.NewSchemaless
#19: internal/tracing/tracing.go:111:23: tracing.NewProvider calls trace.WithBatcher, which eventually calls resource.Resource.Equivalent
#20: internal/tracing/tracing.go:111:23: tracing.NewProvider calls trace.WithBatcher, which eventually calls resource.Resource.Iter
#21: internal/tracing/tracing.go:111:23: tracing.NewProvider calls trace.WithBatcher, which eventually calls resource.Resource.SchemaURL
#22: internal/tracing/tracing.go:73:26: tracing.NewProvider calls resource.WithAttributes
#23: internal/tracing/tracing.go:18:2: tracing.init calls resource.init
#24: internal/tracing/tracing.go:236:20: tracing.Provider.Tracer calls trace.TracerProvider.Tracer, which eventually calls sdk.Version
#25: internal/tracing/tracing.go:19:2: tracing.init calls trace.init, which calls sdk.init
#26: internal/tracing/tracing.go:100:34: tracing.NewProvider calls trace.AlwaysSample
#27: internal/tracing/tracing.go:102:33: tracing.NewProvider calls trace.NeverSample
#28: internal/tracing/tracing.go:108:34: tracing.NewProvider calls trace.NewTracerProvider
#29: internal/health/livekit.go:48:1: health.LiveKitChecker.HealthCheck calls http.http2requestBody.Close, which eventually calls trace.Shutdown
#30: internal/health/livekit.go:48:1: health.LiveKitChecker.HealthCheck calls http.http2requestBody.Close, which eventually calls trace.Shutdown
#31: internal/tracing/tracing.go:104:39: tracing.NewProvider calls trace.TraceIDRatioBased
#32: internal/tracing/tracing.go:225:25: tracing.Provider.Shutdown calls trace.TracerProvider.Shutdown
#33: internal/tracing/tracing.go:236:20: tracing.Provider.Tracer calls trace.TracerProvider.Tracer
#34: internal/tracing/tracing.go:112:29: tracing.NewProvider calls trace.WithBatchTimeout
#35: internal/tracing/tracing.go:111:23: tracing.NewProvider calls trace.WithBatcher
#36: internal/tracing/tracing.go:113:35: tracing.NewProvider calls trace.WithMaxExportBatchSize
#37: internal/tracing/tracing.go:109:24: tracing.NewProvider calls trace.WithResource
#38: internal/tracing/tracing.go:110:23: tracing.NewProvider calls trace.WithSampler
#39: internal/indexer/repository.go:235:34: indexer.PostgresRecordRepository.DeleteRecord calls trace.errUnsupportedSampler.Error
#40: internal/health/livekit.go:48:1: health.LiveKitChecker.HealthCheck calls http.http2requestBody.Close, which eventually calls trace.init
#41: internal/tracing/tracing.go:19:2: tracing.init calls trace.init
#42: internal/health/livekit.go:48:1: health.LiveKitChecker.HealthCheck calls http.http2requestBody.Close, which eventually calls trace.logDropped[go.opentelemetry.io/otel/sdk/trace.Event]
#43: internal/health/livekit.go:48:1: health.LiveKitChecker.HealthCheck calls http.http2requestBody.Close, which eventually calls trace.logDropped[go.opentelemetry.io/otel/sdk/trace.Link]
#44: internal/tracing/helpers.go:91:15: tracing.AddEvent calls trace.nonRecordingSpan.AddEvent
#45: internal/health/livekit.go:48:1: health.LiveKitChecker.HealthCheck calls otelhttp.wrappedBody.Close, which calls trace.nonRecordingSpan.End
#46: internal/tracing/helpers.go:77:27: tracing.StartSpan calls noop.Tracer.Start, which calls trace.nonRecordingSpan.IsRecording
#47: internal/tracing/helpers.go:81:20: tracing.StartSpan calls trace.nonRecordingSpan.RecordError
#48: internal/tracing/helpers.go:97:20: tracing.SetAttributes calls trace.nonRecordingSpan.SetAttributes
#49: cmd/api/main.go:1310:34: api.main calls http.Server.ListenAndServe, which eventually calls trace.nonRecordingSpan.SetName
#50: internal/tracing/helpers.go:82:18: tracing.StartSpan calls trace.nonRecordingSpan.SetStatus
#51: internal/middleware/tracing.go:55:41: middleware.GetSpanID calls trace.SpanContextFromContext, which calls trace.nonRecordingSpan.SpanContext
#52: internal/health/livekit.go:44:25: health.LiveKitChecker.HealthCheck calls http.Client.Do, which eventually calls trace.nonRecordingSpan.TracerProvider
#53: internal/tracing/helpers.go:91:15: tracing.AddEvent calls trace.recordingSpan.AddEvent
#54: internal/health/livekit.go:48:1: health.LiveKitChecker.HealthCheck calls otelhttp.wrappedBody.Close, which calls trace.recordingSpan.End
#55: internal/tracing/helpers.go:77:27: tracing.StartSpan calls noop.Tracer.Start, which calls trace.recordingSpan.IsRecording
#56: internal/tracing/helpers.go:81:20: tracing.StartSpan calls trace.recordingSpan.RecordError
#57: internal/tracing/helpers.go:97:20: tracing.SetAttributes calls trace.recordingSpan.SetAttributes
#58: cmd/api/main.go:1310:34: api.main calls http.Server.ListenAndServe, which eventually calls trace.recordingSpan.SetName
#59: internal/tracing/helpers.go:82:18: tracing.StartSpan calls trace.recordingSpan.SetStatus
#60: internal/middleware/tracing.go:55:41: middleware.GetSpanID calls trace.SpanContextFromContext, which calls trace.recordingSpan.SpanContext
#61: internal/health/livekit.go:44:25: health.LiveKitChecker.HealthCheck calls http.Client.Do, which eventually calls trace.recordingSpan.TracerProvider
#62: internal/indexer/repository.go:235:34: indexer.PostgresRecordRepository.DeleteRecord calls trace.samplerArgParseError.Error
#63: internal/api/stream_handlers.go:1530:15: api.StreamHandlers.LockStream calls errors.Is, which eventually calls trace.samplerArgParseError.Unwrap
#64: internal/tracing/helpers.go:77:27: tracing.StartSpan calls trace.tracer.Start
#65: internal/tracing/tracing.go:121:27: tracing.NewProvider calls otel.SetTextMapPropagator, which eventually calls trace.tracerProviderConfig.MarshalLog
#66: internal/tracing/tracing.go:236:20: tracing.Provider.Tracer calls trace.TracerProvider.Tracer, which eventually calls x.Feature[string].Enabled[string]
#67: internal/tracing/tracing.go:225:25: tracing.Provider.Shutdown calls trace.TracerProvider.Shutdown, which eventually calls x.Feature[string].Enabled[string]
#68: internal/tracing/tracing.go:19:2: tracing.init calls trace.init, which calls x.init
#69: internal/tracing/tracing.go:18:2: tracing.init calls resource.init, which calls x.init

Vulnerability #5: GO-2026-4337
Unexpected session resumption in crypto/tls
More info: https://pkg.go.dev/vuln/GO-2026-4337
Standard library
Found in: crypto/tls@go1.24.12
Fixed in: crypto/tls@go1.24.13
Example traces found:
#1: internal/stream/quality_metrics_repository.go:209:15: stream.PostgresQualityMetricsRepository.GetParticipantsWithHighPacketLoss calls sql.Rows.Next, which eventually calls tls.Conn.Handshake
#2: internal/indexer/client.go:208:36: indexer.Client.connect calls websocket.Dialer.DialContext, which eventually calls tls.Conn.HandshakeContext
#3: internal/indexer/car.go:102:23: indexer.CARReader.ReadByte calls io.ReadFull, which eventually calls tls.Conn.Read
#4: examples/jwt-rotation-integration.go:45:12: examples.main calls fmt.Printf, which eventually calls tls.Conn.Write
#5: cmd/api/main.go:345:32: api.main calls redis.NewClient, which eventually calls tls.DialWithDialer
#6: internal/health/livekit.go:44:25: health.LiveKitChecker.HealthCheck calls http.Client.Do, which eventually calls tls.Dialer.DialContext

Your code is affected by 5 vulnerabilities from 1 module and the Go standard library.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.

github-actions · 2026-03-17T21:57:33Z

Docker Image Scan Results - Dockerfile.api

Image: subcults-api:scan

Severity	Count
Critical	0
High	1
Medium	3
Low	1
Total	5

Click to see details


Report Summary

┌───────────────────────────────────┬──────────┬─────────────────┬─────────┐
│              Target               │   Type   │ Vulnerabilities │ Secrets │
├───────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ subcults-api:scan (alpine 3.21.6) │  alpine  │        0        │    -    │
├───────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ app/api                           │ gobinary │        5        │    -    │
└───────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


app/api (gobinary)
==================
Total: 5 (LOW: 1, MEDIUM: 3, HIGH: 1, CRITICAL: 0)

┌──────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│           Library            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                             │
├──────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/pion/dtls/v3      │ CVE-2026-26014 │ MEDIUM   │ fixed  │ v3.0.7            │ 3.1.1, 3.0.11  │ github.com/pion/dtls: Pion DTLS uses random nonce generation │
│                              │                │          │        │                   │                │ with AES GCM ciphers risks...                                │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-26014                   │
├──────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/sdk │ CVE-2026-24051 │ HIGH     │        │ v1.38.0           │ 1.40.0         │ OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution  │
│                              │                │          │        │                   │                │ via PATH Hijacking                                           │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-24051                   │
├──────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                       │ CVE-2026-25679 │ MEDIUM   │        │ v1.24.13          │ 1.25.8, 1.26.1 │ net/url: Incorrect parsing of IPv6 host literals in net/url  │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-25679                   │
│                              ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│                              │ CVE-2026-27142 │          │        │                   │                │ html/template: URLs in meta content attribute actions are    │
│                              │                │          │        │                   │                │ not escaped in html/template...                              │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27142                   │
│                              ├────────────────┼──────────┤        │                   │                ├──────────────────────────────────────────────────────────────┤
│                              │ CVE-2026-27139 │ LOW      │        │                   │                │ os: FileInfo can escape from a Root in golang os module      │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27139                   │
└──────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘

github-actions · 2026-03-17T21:59:57Z

NPM Vulnerability Scan Results - e2e

Severity	Count
Critical	0
High	0
Moderate	0
Low	1
Total	1

Click to see details

# npm audit report

qs  6.7.0 - 6.14.1
qs's arrayLimit bypass in comma parsing allows denial of service - https://github.com/advisories/GHSA-w7fw-mjwx-w883
fix available via `npm audit fix`
node_modules/qs

1 low severity vulnerability

To address all issues, run:
  npm audit fix

Bumps the web-dependencies group in /web with 17 updates: | Package | From | To | | --- | --- | --- | | [i18next](https://github.com/i18next/i18next) | `25.7.2` | `25.8.18` | | [i18next-browser-languagedetector](https://github.com/i18next/i18next-browser-languageDetector) | `8.2.0` | `8.2.1` | | [livekit-client](https://github.com/livekit/client-sdk-js) | `2.16.0` | `2.17.3` | | [maplibre-gl](https://github.com/maplibre/maplibre-gl-js) | `5.14.0` | `5.20.2` | | [zustand](https://github.com/pmndrs/zustand) | `5.0.9` | `5.0.12` | | [@playwright/test](https://github.com/microsoft/playwright) | `1.58.0` | `1.58.2` | | [@testing-library/react](https://github.com/testing-library/react-testing-library) | `16.3.0` | `16.3.2` | | [@types/maplibre-gl](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/maplibre-gl) | `1.13.2` | `1.14.0` | | [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.0.18` | `4.1.0` | | [@vitest/ui](https://github.com/vitest-dev/vitest/tree/HEAD/packages/ui) | `4.0.18` | `4.1.0` | | [autoprefixer](https://github.com/postcss/autoprefixer) | `10.4.22` | `10.4.27` | | [eslint-plugin-react-refresh](https://github.com/ArnaudBarre/eslint-plugin-react-refresh) | `0.4.24` | `0.5.2` | | [msw](https://github.com/mswjs/msw) | `2.12.7` | `2.12.13` | | [playwright](https://github.com/microsoft/playwright) | `1.58.0` | `1.58.2` | | [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.8` | | [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.49.0` | `8.57.1` | | [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.18` | `4.1.0` | Updates `i18next` from 25.7.2 to 25.8.18 - [Release notes](https://github.com/i18next/i18next/releases) - [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md) - [Commits](i18next/i18next@v25.7.2...v25.8.18) Updates `i18next-browser-languagedetector` from 8.2.0 to 8.2.1 - [Changelog](https://github.com/i18next/i18next-browser-languageDetector/blob/master/CHANGELOG.md) - [Commits](i18next/i18next-browser-languageDetector@v8.2.0...v8.2.1) Updates `livekit-client` from 2.16.0 to 2.17.3 - [Release notes](https://github.com/livekit/client-sdk-js/releases) - [Changelog](https://github.com/livekit/client-sdk-js/blob/main/CHANGELOG.md) - [Commits](livekit/client-sdk-js@v2.16.0...v2.17.3) Updates `maplibre-gl` from 5.14.0 to 5.20.2 - [Release notes](https://github.com/maplibre/maplibre-gl-js/releases) - [Changelog](https://github.com/maplibre/maplibre-gl-js/blob/main/CHANGELOG.md) - [Commits](maplibre/maplibre-gl-js@v5.14.0...v5.20.2) Updates `zustand` from 5.0.9 to 5.0.12 - [Release notes](https://github.com/pmndrs/zustand/releases) - [Commits](pmndrs/zustand@v5.0.9...v5.0.12) Updates `@playwright/test` from 1.58.0 to 1.58.2 - [Release notes](https://github.com/microsoft/playwright/releases) - [Commits](microsoft/playwright@v1.58.0...v1.58.2) Updates `@testing-library/react` from 16.3.0 to 16.3.2 - [Release notes](https://github.com/testing-library/react-testing-library/releases) - [Changelog](https://github.com/testing-library/react-testing-library/blob/main/CHANGELOG.md) - [Commits](testing-library/react-testing-library@v16.3.0...v16.3.2) Updates `@types/maplibre-gl` from 1.13.2 to 1.14.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/maplibre-gl) Updates `@vitest/coverage-v8` from 4.0.18 to 4.1.0 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/coverage-v8) Updates `@vitest/ui` from 4.0.18 to 4.1.0 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/ui) Updates `autoprefixer` from 10.4.22 to 10.4.27 - [Release notes](https://github.com/postcss/autoprefixer/releases) - [Changelog](https://github.com/postcss/autoprefixer/blob/main/CHANGELOG.md) - [Commits](postcss/autoprefixer@10.4.22...10.4.27) Updates `eslint-plugin-react-refresh` from 0.4.24 to 0.5.2 - [Release notes](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/releases) - [Changelog](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/blob/main/CHANGELOG.md) - [Commits](ArnaudBarre/eslint-plugin-react-refresh@v0.4.24...v0.5.2) Updates `msw` from 2.12.7 to 2.12.13 - [Release notes](https://github.com/mswjs/msw/releases) - [Changelog](https://github.com/mswjs/msw/blob/main/CHANGELOG.md) - [Commits](mswjs/msw@v2.12.7...v2.12.13) Updates `playwright` from 1.58.0 to 1.58.2 - [Release notes](https://github.com/microsoft/playwright/releases) - [Commits](microsoft/playwright@v1.58.0...v1.58.2) Updates `postcss` from 8.5.6 to 8.5.8 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.5.6...8.5.8) Updates `typescript-eslint` from 8.49.0 to 8.57.1 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.57.1/packages/typescript-eslint) Updates `vitest` from 4.0.18 to 4.1.0 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/vitest) --- updated-dependencies: - dependency-name: i18next dependency-version: 25.8.18 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: web-dependencies - dependency-name: i18next-browser-languagedetector dependency-version: 8.2.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: web-dependencies - dependency-name: livekit-client dependency-version: 2.17.3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: web-dependencies - dependency-name: maplibre-gl dependency-version: 5.20.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: web-dependencies - dependency-name: zustand dependency-version: 5.0.12 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: web-dependencies - dependency-name: "@playwright/test" dependency-version: 1.58.2 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: web-dependencies - dependency-name: "@testing-library/react" dependency-version: 16.3.2 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: web-dependencies - dependency-name: "@types/maplibre-gl" dependency-version: 1.14.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: web-dependencies - dependency-name: "@vitest/coverage-v8" dependency-version: 4.1.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: web-dependencies - dependency-name: "@vitest/ui" dependency-version: 4.1.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: web-dependencies - dependency-name: autoprefixer dependency-version: 10.4.27 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: web-dependencies - dependency-name: eslint-plugin-react-refresh dependency-version: 0.5.2 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: web-dependencies - dependency-name: msw dependency-version: 2.12.13 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: web-dependencies - dependency-name: playwright dependency-version: 1.58.2 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: web-dependencies - dependency-name: postcss dependency-version: 8.5.8 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: web-dependencies - dependency-name: typescript-eslint dependency-version: 8.57.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: web-dependencies - dependency-name: vitest dependency-version: 4.1.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: web-dependencies ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-03-23T09:49:47Z

NPM Vulnerability Scan Results - e2e

Severity	Count
Critical	0
High	0
Moderate	0
Low	1
Total	1

Click to see details

# npm audit report

qs  6.7.0 - 6.14.1
qs's arrayLimit bypass in comma parsing allows denial of service - https://github.com/advisories/GHSA-w7fw-mjwx-w883
fix available via `npm audit fix`
node_modules/qs

1 low severity vulnerability

To address all issues, run:
  npm audit fix

github-actions · 2026-03-23T09:49:51Z

NPM Vulnerability Scan Results - web

Severity	Count
Critical	0
High	6
Moderate	1
Low	0
Total	7

Click to see details

# npm audit report

ajv  <6.14.0
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix`
node_modules/ajv

flatted  <=3.4.1
Severity: high
Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix --force`
Will install @vitest/coverage-v8@4.0.18, which is a breaking change
node_modules/flatted
  @vitest/ui  >=4.1.0-beta.1
  Depends on vulnerable versions of flatted
  Depends on vulnerable versions of vitest
  node_modules/@vitest/ui
    vitest  4.0.0-beta.1 - 4.0.0-beta.14 || >=4.1.0-beta.1
    Depends on vulnerable versions of @vitest/ui
    node_modules/vitest
      @vitest/coverage-v8  >=4.1.0-beta.1
      Depends on vulnerable versions of vitest
      node_modules/@vitest/coverage-v8

minimatch  <=3.1.3
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix`
node_modules/minimatch

rollup  4.0.0 - 4.58.0
Severity: high
Rollup 4 has Arbitrary File Write via Path Traversal - https://github.com/advisories/GHSA-mw96-cpmx-2vgc
fix available via `npm audit fix`
node_modules/rollup

7 vulnerabilities (1 moderate, 6 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

github-actions · 2026-03-23T09:50:56Z

Docker Image Scan Results - Dockerfile.frontend

Image: subcults-frontend:scan

Severity	Count
Critical	0
High	0
Medium	3
Low	3
Total	6

Click to see details


Report Summary

┌────────────────────────────────────────┬────────┬─────────────────┬─────────┐
│                 Target                 │  Type  │ Vulnerabilities │ Secrets │
├────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ subcults-frontend:scan (alpine 3.19.9) │ alpine │        6        │    -    │
└────────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


subcults-frontend:scan (alpine 3.19.9)
======================================
Total: 6 (LOW: 3, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌───────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├───────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ busybox       │ CVE-2024-58251 │ MEDIUM   │ fixed  │ 1.36.1-r20        │ 1.36.1-r21    │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                   │               │ of networ...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                   │               │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                   │               │ filenames...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
├───────────────┼────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│ busybox-binsh │ CVE-2024-58251 │ MEDIUM   │        │                   │               │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                   │               │ of networ...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                   │               │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                   │               │ filenames...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
├───────────────┼────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│ ssl_client    │ CVE-2024-58251 │ MEDIUM   │        │                   │               │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                   │               │ of networ...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                   │               │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                   │               │ filenames...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
└───────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

github-actions · 2026-03-23T09:51:17Z

Docker Image Scan Results - Dockerfile.indexer

Image: subcults-indexer:scan

Severity	Count
Critical	1
High	2
Medium	1
Low	1
Total	5

Click to see details


Report Summary

┌──────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                Target                │   Type   │ Vulnerabilities │ Secrets │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ subcults-indexer:scan (debian 12.13) │  debian  │        0        │    -    │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ app/indexer                          │ gobinary │        5        │    -    │
└──────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


app/indexer (gobinary)
======================
Total: 5 (LOW: 1, MEDIUM: 1, HIGH: 2, CRITICAL: 1)

┌──────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│           Library            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├──────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/sdk │ CVE-2026-24051 │ HIGH     │ fixed  │ v1.38.0           │ 1.40.0         │ OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution │
│                              │                │          │        │                   │                │ via PATH Hijacking                                          │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-24051                  │
├──────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc       │ CVE-2026-33186 │ CRITICAL │        │ v1.77.0           │ 1.79.3         │ gRPC-Go has an authorization bypass via missing leading     │
│                              │                │          │        │                   │                │ slash in :path                                              │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-33186                  │
├──────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib                       │ CVE-2026-25679 │ HIGH     │        │ v1.24.13          │ 1.25.8, 1.26.1 │ net/url: Incorrect parsing of IPv6 host literals in net/url │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-25679                  │
│                              ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│                              │ CVE-2026-27142 │ MEDIUM   │        │                   │                │ html/template: URLs in meta content attribute actions are   │
│                              │                │          │        │                   │                │ not escaped in html/template...                             │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27142                  │
│                              ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│                              │ CVE-2026-27139 │ LOW      │        │                   │                │ os: FileInfo can escape from a Root in golang os module     │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27139                  │
└──────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

github-actions bot mentioned this pull request Mar 17, 2026

chore(deps-dev)(deps-dev): bump @eslint/js from 9.39.1 to 10.0.1 in /web #10

Open

This was referenced Mar 17, 2026

chore(deps-dev)(deps-dev): bump rollup-plugin-visualizer from 6.0.5 to 7.0.1 in /web #13

Open

chore(deps-dev)(deps-dev): bump tailwindcss from 3.4.19 to 4.2.1 in /web #12

Open

This was referenced Mar 21, 2026

chore(deps-dev)(deps-dev): bump flatted from 3.3.3 to 3.4.2 in /web #32

Open

chore(deps-dev)(deps-dev): bump rollup from 4.53.3 to 4.59.1 in /web #33

Closed

dependabot bot force-pushed the dependabot/npm_and_yarn/web/web-dependencies-d21bdd5a12 branch from 177fd0b to c111635 Compare March 23, 2026 09:49

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps)(deps): bump the web-dependencies group in /web with 17 updates#9

chore(deps)(deps): bump the web-dependencies group in /web with 17 updates#9
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/web/web-dependencies-d21bdd5a12

dependabot bot commented on behalf of github Mar 17, 2026 •

edited

Loading

Uh oh!

dependabot bot commented on behalf of github Mar 17, 2026

Uh oh!

github-actions bot commented Mar 17, 2026

Uh oh!

github-actions bot commented Mar 17, 2026

Uh oh!

github-actions bot commented Mar 17, 2026

Uh oh!

github-actions bot commented Mar 17, 2026

Uh oh!

github-actions bot commented Mar 17, 2026

Uh oh!

github-actions bot commented Mar 17, 2026

Uh oh!

github-actions bot commented Mar 23, 2026

Uh oh!

github-actions bot commented Mar 23, 2026

Uh oh!

github-actions bot commented Mar 23, 2026

Uh oh!

github-actions bot commented Mar 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v25.8.18

v25.8.17

v25.8.16

v25.8.15

v25.8.14

v25.8.13

v25.8.12

v25.8.11

v25.8.10

v25.8.9

v25.8.8

v25.8.7

v25.8.6

v25.8.5

v25.8.4

v25.8.3

v25.8.2

25.8.18

25.8.17

25.8.16

25.8.15

25.8.14

25.8.13

25.8.12

25.8.11

25.8.10

25.8.9

25.8.8

25.8.7

25.8.6

8.2.1

v2.17.3

Patch Changes

v2.17.2

Patch Changes

v2.17.1

Patch Changes

v2.17.0

Minor Changes

Patch Changes

2.17.3

Patch Changes

2.17.2

Patch Changes

2.17.1

Patch Changes

2.17.0

Minor Changes

v5.20.2

🐞 Bug fixes

v5.20.1

🐞 Bug fixes

v5.20.0

✨ Features and improvements

🐞 Bug fixes

v5.19.0

✨ Features and improvements

🐞 Bug fixes

v5.18.0

✨ Features and improvements

5.20.2

🐞 Bug fixes

5.20.1

🐞 Bug fixes

5.20.0

✨ Features and improvements

🐞 Bug fixes

5.19.0

✨ Features and improvements

🐞 Bug fixes

5.18.0

✨ Features and improvements

v5.0.12

What's Changed

New Contributors

v5.0.11

What's Changed

dependabot bot commented on behalf of github Mar 17, 2026 •

edited

Loading