chore(deps): bump defu from 6.1.4 to 6.1.7 in /website #20
dependabot[bot] wants to merge 1 commit into main from
Conversation
Bumps [defu](https://github.com/unjs/defu) from 6.1.4 to 6.1.7.
- [Release notes](https://github.com/unjs/defu/releases)
- [Changelog](https://github.com/unjs/defu/blob/main/CHANGELOG.md)
- [Commits](unjs/defu@v6.1.4...v6.1.7)

---
updated-dependencies:
- dependency-name: defu
  dependency-version: 6.1.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
LGTM — patch-level dependency bump with security fixes (prototype pollution prevention) and type export improvements.
Extended reasoning...
Overview
This PR updates the defu package in website/package-lock.json from 6.1.4 to 6.1.7. The only changed file is the lockfile — version, resolved URL, and integrity hash for the node_modules/defu entry.
Security risks
The upgrade itself improves security: v6.1.5 fixed a prototype pollution vulnerability via __proto__ in defaults and addressed inherited enumerable property leakage. No new security risks are introduced by this PR.
Level of scrutiny
Low scrutiny required. This is a Dependabot-generated lockfile-only patch bump with no logic changes in the repository. The upstream changes are bug fixes and build/type improvements with no breaking changes.
Other factors
No bugs were found by the automated system. No prior reviews exist on this PR. The change is self-contained, mechanical, and clearly beneficial.
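The review comment above names two bug classes fixed in defu 6.1.5: prototype pollution through a `__proto__` key in the defaults object, and copying of inherited enumerable properties. The block below is an added illustration of those two classes on a deliberately minimal "apply defaults" deep merge. It is not defu's code and not the upstream fix; the helper names (`naiveDefaults`, `safeDefaults`, `demonstrate`) are hypothetical, the hostile inputs are constructed for the example, and it assumes Node.js 16.9 or later for `Object.hasOwn`.

```javascript
// Added illustration, not defu's code: a minimal "apply defaults" deep merge
// shown first in a naive form that exhibits the two bug classes the review
// names (prototype pollution through a "__proto__" key, leakage of inherited
// enumerable properties) and then in a hardened form. Helper names are
// hypothetical. Requires Node.js >= 16.9 for Object.hasOwn.

// Keys that must never be walked or assigned during a recursive merge.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Naive: recursive in-place merge using for...in. Two defects:
//  1. for...in also yields enumerable keys inherited from the prototype chain,
//     so they are copied into the result as own properties.
//  2. A defaults object with an OWN key literally named "__proto__" (which
//     JSON.parse happily produces) makes target["__proto__"] resolve to
//     Object.prototype, so the recursion writes into Object.prototype.
function naiveMergeInto(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMergeInto(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function naiveDefaults(input, defaults) {
  const out = {};
  naiveMergeInto(out, defaults); // apply defaults first ...
  return naiveMergeInto(out, input); // ... then let the input override them
}

// Hardened: iterate own keys only (Object.keys) and refuse to walk or assign
// the three keys that reach the prototype chain. A nested target is only
// reused when it is the object's own plain-object property, never inherited.
function safeMergeInto(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.hasOwn(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMergeInto(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function safeDefaults(input, defaults) {
  const out = {};
  safeMergeInto(out, defaults);
  return safeMergeInto(out, input);
}

// Runs both variants against constructed hostile inputs and reports what each
// one did. Object.prototype is restored afterwards so the check is repeatable.
function demonstrate() {
  // Constructed sample: a defaults blob as it might arrive from untrusted JSON.
  const hostileDefaults = JSON.parse('{"__proto__": {"polluted": "yes"}, "retries": 3}');
  // Constructed sample: defaults carrying an inherited enumerable property.
  const leakyDefaults = Object.create({ inherited: "leak" });
  leakyDefaults.own = 1;

  const report = {};
  try {
    naiveDefaults({}, hostileDefaults);
    report.naivePolluted = ({}).polluted === "yes"; // every object now sees it
  } finally {
    delete Object.prototype.polluted;
  }
  try {
    const safe = safeDefaults({}, hostileDefaults);
    report.safePolluted = ({}).polluted !== undefined;
    report.safeKeepsRetries = safe.retries === 3; // harmless keys still applied
    report.safeHasProtoKey = Object.hasOwn(safe, "__proto__");
  } finally {
    delete Object.prototype.polluted;
  }
  report.naiveLeaked = Object.hasOwn(naiveDefaults({}, leakyDefaults), "inherited");
  report.safeLeaked = Object.hasOwn(safeDefaults({}, leakyDefaults), "inherited");
  return report;
}

console.log(demonstrate());
```

Run it with `node`; the naive variant reports `naivePolluted: true` and `naiveLeaked: true`, the hardened one `false` for both while still applying the benign `retries` default. The two hardening rules are the ones to look for when reviewing any defaults or deep-merge helper: enumerate own keys only, and never recurse into or assign `__proto__`, `constructor` or `prototype`. For this PR the practitioner check is simply that the lockfile now resolves `defu` to a version at or above 6.1.5, e.g. via `npm ls defu` in `website/`.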
Bumps defu from 6.1.4 to 6.1.7.
Release notes
Sourced from defu's releases.
Changelog
Sourced from defu's changelog.
... (truncated)
Commits
- 80c0146 chore(release): v6.1.7
- 40d7ef4 fix(defu.d.cts): export Defu types (#157)
- 3d3a7c8 build: correct the `types` export entry (#160)
- 001c290 chore(release): v6.1.6
- 407b516 build: fix mixed types
- 23e59e6 chore(release): v6.1.5
- 11ba022 fix: ignore inherited enumerable properties
- 3942bfb fix: prevent prototype pollution via `__proto__` in defaults (#156)
- d3ef16d chore(deps): update actions/checkout action to v6 (#151)
- 869a053 chore(deps): update actions/setup-node action to v6 (#149)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.