Bump the npm_and_yarn group across 2 directories with 5 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the /sample directory: vite.
Bumps the npm_and_yarn group with 4 updates in the / directory: diff, js-yaml, @isaacs/brace-expansion and glob.

Updates vite from 7.1.5 to 7.1.11

Release notes

Sourced from vite's releases.

v7.1.11

Please refer to CHANGELOG.md for details.

v7.1.10

Please refer to CHANGELOG.md for details.

v7.1.9

Please refer to CHANGELOG.md for details.

v7.1.8

Please refer to CHANGELOG.md for details.

v7.1.7

Please refer to CHANGELOG.md for details.

v7.1.6

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.1.11 (2025-10-20)

Bug Fixes

• dev: trim trailing slash before server.fs.deny check (#20968) (f479cc5)

Miscellaneous Chores

• deps: update all non-major dependencies (#20966) (6fb41a2)

Code Refactoring

• use subpath imports for types module reference (#20921) (d0094af)

Build System

• remove cjs reference in files field (#20945) (ef411ce)
• remove hash from built filenames (#20946) (a817307)

7.1.10 (2025-10-14)

Bug Fixes

• css: avoid duplicate style for server rendered stylesheet link and client inline style during dev (#20767) (3a92bc7)
• css: respect emitAssets when cssCodeSplit=false (#20883) (d3e7eee)
• deps: update all non-major dependencies (879de86)
• deps: update all non-major dependencies (#20894) (3213f90)
• dev: allow aliases starting with // (#20760) (b95fa2a)
• dev: remove timestamp query consistently (#20887) (6537d15)
• esbuild: inject esbuild helpers correctly for esbuild 0.25.9+ (#20906) (446eb38)
• normalize path before calling fileToBuiltUrl (#20898) (73b6d24)
• preserve original sourcemap file field when combining sourcemaps (#20926) (c714776)

Documentation

• correct WebSocket spelling (#20890) (29e98dc)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#20923) (a5e3b06)

7.1.9 (2025-10-03)

Reverts

• server: drain stdin when not interactive (#20885) (12d72b0)

7.1.8 (2025-10-02)

Bug Fixes

• css: improve url escape characters handling (#20847) (24a61a3)
• deps: update all non-major dependencies (#20855) (788a183)
• deps: update artichokie to 0.4.2 (#20864) (e670799)

... (truncated)

Commits

• 8b69c9e release: v7.1.11
• f479cc5 fix(dev): trim trailing slash before server.fs.deny check (#20968)
• 6fb41a2 chore(deps): update all non-major dependencies (#20966)
• a817307 build: remove hash from built filenames (#20946)
• ef411ce build: remove cjs reference in files field (#20945)
• d0094af refactor: use subpath imports for types module reference (#20921)
• ed4a0dc release: v7.1.10
• c714776 fix: preserve original sourcemap file field when combining sourcemaps (#20926)
• 446eb38 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20906)
• 879de86 fix(deps): update all non-major dependencies
• Additional commits viewable in compare view

Updates diff from 8.0.2 to 8.0.3

Changelog

Sourced from diff's changelog.

8.0.3

• #631 - fix support for using an Intl.Segmenter with diffWords. This has been almost completely broken since the feature was added in v6.0.0, since it would outright crash on any text that featured two consecutive newlines between a pair of words (a very common case).
• #635 - small tweaks to tokenization behaviour of diffWords when used without an Intl.Segmenter. Specifically, the soft hyphen (U+00AD) is no longer considered to be a word break, and the multiplication and division signs (× and ÷) are now treated as punctuation instead of as letters / word characters.
• #641 - the format of file headers in createPatch etc. patches can now be customised somewhat. It now takes a headerOptions option that can be used to disable the file headers entirely, or omit the Index: line and/or the underline. In particular, this was motivated by a request to make jsdiff patches compatible with react-diff-view, which they now are if produced with headerOptions: FILE_HEADERS_ONLY.
• #647 and #649 - fix denial-of-service vulnerabilities in parsePatch whereby adversarial input could cause a memory-leaking infinite loop, typically crashing the calling process. Also fixed ReDOS vulnerabilities whereby adversarially-crafted patch headers could take cubic time to parse. Now, parsePatch should reliably take linear time. (Handling of headers that include the line break characters \r, \u2028, or \u2029 in non-trailing positions is also now more reasonable as side effect of the fix.)

Commits

• 13576bf 8.0.3 release (#652)
• 1179ccb Ignore .zed (#651)
• 949d6e2 Add test for the vuln I just fixed (#650)
• 15a1585 Fix the second denial-of-service vulnerability in parsePatch (#649)
• de95cca Fix potentially cubic-time regex in parsePatch (#647)
• b9aeede Allow more customisation of file headers in patches (#641)
• 43c716c Merge pull request #636 from kpdecker/dependabot/npm_and_yarn/node-forge-1.3.2
• b8162c7 Bump node-forge from 1.3.1 to 1.3.2
• ad6dc17 Fix some bugs in the diffWords regex (and errors & ambiguities in the comment...
• 3e1774a Fix a comment typo (#633)
• Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates @isaacs/brace-expansion from 5.0.0 to 5.0.1

Updates glob from 11.0.3 to 11.1.0

Changelog

Sourced from glob's changelog.

changeglob

13

• Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

• Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

• Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
• Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.
• Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

• Drop support for node before v20

10.4

• Add includeChildMatches: false option
• Export the Ignore class

10.3

• Add --default -p flag to provide a default pattern
• exclude symbolic links to directories when follow and nodir are both set

10.2

• Add glob cli

10.1

• Return '.' instead of the empty string '' when the current working directory is returned as a match.
• Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

• 2551fb5 11.1.0
• 47473c0 bin: Do not expose filenames to shell expansion
• bc33fe1 skip tilde test on systems that lack tilde expansion
• 59bf9ca fix notes
• dde4fa6 docs(README): add #anchor and improve notes
• 0559b0e docs: add better links to path-scurry docs
• c9773c2 fix: correct typos in README.md
• 13e68ea Fix punctuation in traversal function documentation
• 1527e2b fix repo url
• 7e190e8 fix typo maths → paths
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.