Skip to content

chore(deps): bump the npm-minor-patch group across 1 directory with 3 updates#394

Merged
sujithq merged 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-minor-patch-41e437acd3
Jul 13, 2026
Merged

chore(deps): bump the npm-minor-patch group across 1 directory with 3 updates#394
sujithq merged 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-minor-patch-41e437acd3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-minor-patch group with 3 updates in the / directory: swiper, @types/node and postcss.

Updates swiper from 14.0.1 to 14.0.5

Release notes

Sourced from swiper's releases.

v14.0.5

Bug Fixes

  • virtual: render first slide on initial update (ebdb054), closes #8202

v14.0.2

Bug Fixes

  • build: spawn npx via shell on Windows in emit-types (494f7b1), closes #8197
  • pagination: divide fraction/progressbar total by grid rows (edfbfa5)
  • react: bind Thumbs tap handler when thumbs swiper is set after init (4fb72b9), closes #8198
Changelog

Sourced from swiper's changelog.

14.0.5 (2026-07-09)

Bug Fixes

  • virtual: render first slide on initial update (ebdb054), closes #8202

14.0.2 (2026-07-07)

Bug Fixes

  • build: spawn npx via shell on Windows in emit-types (494f7b1), closes #8197
  • pagination: divide fraction/progressbar total by grid rows (edfbfa5)
  • react: bind Thumbs tap handler when thumbs swiper is set after init (4fb72b9), closes #8198
Commits
  • b3d9e1f 14.0.5
  • ebdb054 fix(virtual): render first slide on initial update
  • 744fb3c chore: sponsors
  • 4b7c826 14.0.2
  • 5f9616e refactor(pagination): extract shared grid-aware getSlidesLength helper
  • 691cdce Merge pull request #8200 from spokodev/fix/pagination-fraction-grid-rows
  • c19902a Merge pull request #8201 from xlgorbylx/fix/react-thumbs-late-init
  • edfbfa5 fix(pagination): divide fraction/progressbar total by grid rows
  • 494f7b1 fix(build): spawn npx via shell on Windows in emit-types
  • 4fb72b9 fix(react): bind Thumbs tap handler when thumbs swiper is set after init
  • See full diff in compare view

Updates @types/node from 26.0.1 to 26.1.1

Commits

Updates postcss from 8.5.16 to 8.5.19

Release notes

Sourced from postcss's releases.

8.5.19

  • Fixed cleaning before for new nodes inserted to Root (by @​MahinAnowar).

8.5.18

  • Restricted loading previous source maps file to the opts.from folder for security reasons (use unsafeMap: true to disable the check).

8.5.17

  • Fixed Maximum call stack size exceeded error.
  • Fixed Prototype hijacking for postcss.fromJSON().
  • Fixed Input#origin() for unmapped end position (by @​chatman-media).
Changelog

Sourced from postcss's changelog.

8.5.19

  • Fixed cleaning before for new nodes inserted to Root (by @​MahinAnowar).

8.5.18

  • Restricted loading previous source maps file to the opts.from folder for security reasons (use unsafeMap: true to disable the check).

8.5.17

  • Fixed Maximum call stack size exceeded error.
  • Fixed Prototype hijacking for postcss.fromJSON().
  • Fixed Input#origin() for unmapped end position (by @​chatman-media).
Commits
  • 9543b22 Release 8.5.19 version
  • 3d13bf9 Fix CI on Windows too
  • 00d0dd2 Keep explicitly set raws.before when inserting nodes into root (#2111)
  • 7a05b33 Temporary fix CI
  • 4c0d194 Release 8.5.18 version
  • 92b4e78 Update dependencies
  • 95663d3 Limit where source map can be loaded for security reasons
  • 74e25ae Release 8.5.17 version
  • d1518af Fix Maximum call stack size exceeded error
  • 2421312 Fix linter
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

… updates

Bumps the npm-minor-patch group with 3 updates in the / directory: [swiper](https://github.com/nolimits4web/Swiper), [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) and [postcss](https://github.com/postcss/postcss).


Updates `swiper` from 14.0.1 to 14.0.5
- [Release notes](https://github.com/nolimits4web/Swiper/releases)
- [Changelog](https://github.com/nolimits4web/swiper/blob/master/CHANGELOG.md)
- [Commits](nolimits4web/swiper@v14.0.1...v14.0.5)

Updates `@types/node` from 26.0.1 to 26.1.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `postcss` from 8.5.16 to 8.5.19
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.16...8.5.19)

---
updated-dependencies:
- dependency-name: swiper
  dependency-version: 14.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: "@types/node"
  dependency-version: 26.1.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor-patch
- dependency-name: postcss
  dependency-version: 8.5.19
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 13, 2026
@sujithq sujithq merged commit d8c3725 into main Jul 13, 2026
9 checks passed
@sujithq sujithq deleted the dependabot/npm_and_yarn/npm-minor-patch-41e437acd3 branch July 13, 2026 22:14
@github-actions

Copy link
Copy Markdown
Contributor

🔒 Security Advisory Analysis

This Dependabot PR bumps 3 packages. Below is a detailed analysis of each update, with particular focus on the postcss update which contains security-relevant fixes.


📋 Package Updates

1. postcss — 8.5.16 → 8.5.19 ⚠️ Security-relevant

Field Detail
Severity Medium (source map path traversal + prototype hijacking)
CVE/GHSA Not yet assigned (upstream changelog references)
Patched in 8.5.17 and 8.5.18

Security fixes included:

  • 8.5.18: Restricted loading of previous source map files to the opts.from folder — prevents potential path traversal when processing untrusted CSS with embedded source maps.
  • 8.5.17: Fixed Prototype hijacking in postcss.fromJSON() — malformed input could pollute the prototype chain.

2. swiper — 14.0.1 → 14.0.5

Bug fixes only (no security impact):

  • Virtual slide rendering fix
  • Pagination fraction/grid rows fix
  • React Thumbs handler fix

3. @types/node — 26.0.1 → 26.1.1

TypeScript type definitions update only — no runtime or security impact.


🔍 Impact Analysis

postcss

Dependency type: ✅ Direct dependency (package.json)

Usage in codebase:

  • Used via postcss.config.js (root-level config file) — configured with @fullhuman/postcss-purgecss for production CSS purging
  • Invoked during Hugo build pipeline to process SCSS/CSS
  • Not imported directly in source files — used as a build-time tool only

Risk assessment:
The path traversal fix (8.5.18) applies when postcss processes CSS files with embedded source map references pointing outside opts.from. In this build setup, postcss processes project-owned CSS files in a controlled CI/CD environment — risk is low in production, but the prototype hijacking fix (8.5.17) is more broadly applicable and worth patching immediately.

swiper

Dependency type: ✅ Direct dependency (package.json)

Usage in codebase:

  • Referenced in SCSS files (assets/scss/xebia/_bootswatch.scss, assets/scss/ms/_bootswatch.scss)
  • Update is purely bug fixes — no security impact

✅ Verification

  • Updated packages are all to their latest stable releases
  • postcss 8.5.19 is the current latest and includes all security patches
  • No new vulnerabilities are introduced by this update
  • Changes are limited to package.json and package-lock.json

📝 Recommendation

  • Safe to merge — all updates are patch/minor with no breaking changes
  • 🔐 Recommended to merge promptly — postcss prototype hijacking fix (8.5.17) is security-relevant even in build-time usage
  • No code changes required
  • No manual review needed

This analysis was automatically generated by the Security Advisory Responder agent.

Generated by Security Advisory Responder for issue #394 · ● 225.3K ·

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant