chore(deps): Bump the npm_and_yarn group across 13 directories with 12 updates #358

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/angular-spring-ui/npm_and_yarn-e395d99fbc

dependabot Bot commented on behalf of github Jul 4, 2026

Bumps the npm_and_yarn group with 5 updates in the /angular-spring-ui directory:

| Package | From | To |
| --- | --- | --- |
| undici | 7.24.7 | 7.28.0 |
| @sigstore/core | 3.2.0 | 3.2.1 |
| @sigstore/verify | 3.1.0 | 3.1.1 |
| hono | 4.12.18 | 4.12.27 |
| sigstore | 4.1.0 | 4.1.1 |

Bumps the npm_and_yarn group with 5 updates in the /angular-ui directory:

| Package | From | To |
| --- | --- | --- |
| undici | 7.24.7 | 7.28.0 |
| @sigstore/core | 3.2.0 | 3.2.1 |
| @sigstore/verify | 3.1.0 | 3.1.1 |
| hono | 4.12.18 | 4.12.27 |
| sigstore | 4.1.0 | 4.1.1 |

Bumps the npm_and_yarn group with 1 update in the /api directory: hono.
Bumps the npm_and_yarn group with 3 updates in the /lambda-react-ui directory: vite, undici and js-yaml.
Bumps the npm_and_yarn group with 1 update in the /nest-api directory: js-yaml.
Bumps the npm_and_yarn group with 2 updates in the /nuxt-api directory: @babel/core and nuxt.
Bumps the npm_and_yarn group with 1 update in the /react-apollo-ui directory: vite.
Bumps the npm_and_yarn group with 2 updates in the /react-ui directory: vite and undici.
Bumps the npm_and_yarn group with 2 updates in the /svelte-ui directory: vite and undici.
Bumps the npm_and_yarn group with 3 updates in the /tanstack-start-ui directory: vite, undici and js-yaml.
Bumps the npm_and_yarn group with 2 updates in the /tanstack-ui directory: vite and undici.
Bumps the npm_and_yarn group with 2 updates in the /vue-ui directory: vite and undici.
Bumps the npm_and_yarn group with 1 update in the /yoga-api directory: hono.

Updates undici from 7.24.7 to 7.28.0

Release notes

Sourced from undici's releases.

v7.28.0

⚠️ Security Release

This release line addresses 7 security advisories, all shipped in v7.28.0.

Action required: Upgrade to undici 7.28.0 or later.

npm install undici@^7.28.0

The v7 line is not affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is an 8.x-only regression.

Note on GHSA-hm92-r4w5-c3mj: this fix shipped in v7.28.0, not the earlier 7.2x line — the vulnerable single-pool code was still present through v7.27.2. The per-origin pool fix is 3805b8f8 (#5041).

Summary

| Advisory | CVE | Severity (CVSS) | Fixed in | Fix commit |
| --- | --- | --- | --- | --- |
| GHSA-vxpw-j846-p89q | CVE-2026-12151 | High (7.5) | 7.28.0 | 8cb10f98 |
| GHSA-vmh5-mc38-953g | CVE-2026-9697 | High (7.4) | 7.28.0 | 04201f89 |
| GHSA-hm92-r4w5-c3mj | CVE-2026-6734 | High (7.5) | 7.28.0 | 3805b8f8 |
| GHSA-pr7r-676h-xcf6 | CVE-2026-9678 | Moderate (5.9) | 7.28.0 | 85a24055 |
| GHSA-p88m-4jfj-68fv | CVE-2026-9679 | Moderate (5.9) | 7.28.0 | d0574cc4 |
| GHSA-g8m3-5g58-fq7m | CVE-2026-11525 | Low (3.7) | 7.28.0 | d0574cc4 |
| GHSA-35p6-xmwp-9g52 | CVE-2026-6733 | Low (3.7) | 7.28.0 | ea8930cf |

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770

Fix: 8cb10f98 websocket: limit the number of fragments in a message (part of backport a027a4a0 Backport WebSocket maxPayloadSize fixes to v7.x, #5423)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697

GHSA-vmh5-mc38-953g · CWE-295

... (truncated)

Commits
  • f9eba0a Bumped v7.28.0 (#5430)
  • a027a4a Backport WebSocket maxPayloadSize fixes to v7.x (#5423)
  • 8cb10f9 websocket: limit the number of fragments in a message
  • 04201f8 fix: honor requestTls when proxy is SOCKS5
  • fcd642f fix(socks5): preserve dispatch backpressure return value (#5166)
  • bc98c97 fix(socks5): use configured connector in Socks5ProxyAgent (#5168)
  • 9e1c743 fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (#5099)
  • 376c8be fix(socks5): enforce authenticated state before CONNECT (#5097)
  • 3805b8f fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing...
  • 85a2405 fix(cache): trim qualified field names
  • Additional commits viewable in compare view

Updates @sigstore/core from 3.2.0 to 3.2.1

Release notes

Sourced from @sigstore/core's releases.

@sigstore/core@3.2.1

Patch Changes

  • b5aa4f1: Apply UTF-8 encoding to payload type during PAE calculation
Commits

Updates @sigstore/verify from 3.1.0 to 3.1.1

Release notes

Sourced from @sigstore/verify's releases.

@sigstore/verify@3.1.1

Patch Changes

  • 7845532: Verification of OID certificate extensions
  • f074710: Require inclusion promise in Rekor entry when used as timestamp source
  • Updated dependencies [b5aa4f1]
    • @sigstore/core@3.2.1
Commits

Updates hono from 4.12.18 to 4.12.27

Release notes

Sourced from hono's releases.

v4.12.27

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc


Users of hono/jsx / hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

v4.12.26

What's Changed

Full Changelog: honojs/hono@v4.12.25...v4.12.26

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

... (truncated)

Commits
  • 97c6fe1 4.12.27
  • aa92177 Merge commit from fork
  • cd3f6f7 Merge commit from fork
  • d4853a8 fix(jsx): make merged context-isolation tests pass tsc type check (#5037)
  • 6735fea fix(jsx): cast awaitedFallback through unknown to fix Deno type check (#5036)
  • fab3b13 Merge commit from fork
  • 9f0dadf ci: use npm Staged publishing (#5035)
  • 27b7992 4.12.26
  • d29982c chore: replace arg and glob with Bun native APIs in build script
  • 16215d5 chore: remove unused devcontainer and gitpod configs (#5029)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hono since your current version.


Updates http-proxy-middleware from 2.0.9 to 2.0.10

Release notes

Sourced from http-proxy-middleware's releases.

v2.0.10-beta.0

What's Changed

New Contributors

Full Changelog: chimurai/http-proxy-middleware@v2.0.9...v2.0.10-beta.0

Changelog

Sourced from http-proxy-middleware's changelog.

v2.0.10

  • fix(router): harden proxy-table matching (exact host for host+path keys, prefix-only path matching) to prevent routing bypass
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for http-proxy-middleware since your current version.


Updates piscina from 5.1.4 to 5.2.0

Changelog

Sourced from piscina's changelog.

5.2.0 (2026-06-12)

Features

Bug Fixes

  • eagerly spawn workers up to maxThreads on cold-pool burst (#1043) (779c640)
  • include skipQueue in queueSize calculation (#1030) (b7d4d61)
  • interface name and add missing curly brace (#951) (8cd51f2)
  • onWorkerMessage gets skipped in Jest environment (#968) (54de192)
Commits
  • 8baaa1b chore(release): 5.2.0
  • 107b09a Merge commit from fork
  • 3eeaa37 docs: correct typo 'maintanance' in CONTRIBUTING.md (#1071)
  • b7d4d61 fix: include skipQueue in queueSize calculation (#1030)
  • 6beabe0 feat: Add idleThreads getter (#1059)
  • e104a89 chore(deps): Bump fast-uri from 3.0.6 to 3.1.2 in /docs in the npm_and_yarn g...
  • 779c640 fix: eagerly spawn workers up to maxThreads on cold-pool burst (#1043)
  • 469cb93 docs: Update Fastify listen() calls to use { port: 3000 } in docs and example...
  • d752afd [Backport v5] chore(deps): docs: Bump lodash from 4.17.23 to 4.18.1 in /docs ...
  • 6ed6284 chores: gh actions least privilege (#1013) (#1015)
  • Additional commits viewable in compare view

Updates sigstore from 4.1.0 to 4.1.1

Release notes

Sourced from sigstore's releases.

sigstore@4.1.1

Patch Changes

  • 7845532: Verification of OID certificate extensions
  • f074710: Require inclusion promise in Rekor entry when used as timestamp source
  • Updated dependencies [b5aa4f1]
  • Updated dependencies [7845532]
  • Updated dependencies [f074710]
    • @sigstore/core@3.2.1
    • @sigstore/verify@3.1.1
Commits

Updates webpack-dev-server from 5.2.3 to 5.2.5

Release notes

Sourced from webpack-dev-server's releases.

v5.2.5

Patch Changes

  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @bjohansebas in #5680)

v5.2.4

5.2.4 (2026-05-11)

Bug Fixes

  • set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP
Changelog

Sourced from webpack-dev-server's changelog.

5.2.5

Patch Changes

  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @bjohansebas in #5680)

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

5.2.4 (2026-05-11)

Bug Fixes

  • set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for webpack-dev-server since your current version.


…2 updates

Bumps the npm_and_yarn group with 5 updates in the /angular-spring-ui directory:

| Package | From | To |
| --- | --- | --- |
| [undici](https://github.com/nodejs/undici) | `7.24.7` | `7.28.0` |
| [@sigstore/core](https://github.com/sigstore/sigstore-js) | `3.2.0` | `3.2.1` |
| [@sigstore/verify](https://github.com/sigstore/sigstore-js) | `3.1.0` | `3.1.1` |
| [hono](https://github.com/honojs/hono) | `4.12.18` | `4.12.27` |
| [sigstore](https://github.com/sigstore/sigstore-js) | `4.1.0` | `4.1.1` |

Bumps the npm_and_yarn group with 5 updates in the /angular-ui directory:

| Package | From | To |
| --- | --- | --- |
| [undici](https://github.com/nodejs/undici) | `7.24.7` | `7.28.0` |
| [@sigstore/core](https://github.com/sigstore/sigstore-js) | `3.2.0` | `3.2.1` |
| [@sigstore/verify](https://github.com/sigstore/sigstore-js) | `3.1.0` | `3.1.1` |
| [hono](https://github.com/honojs/hono) | `4.12.18` | `4.12.27` |
| [sigstore](https://github.com/sigstore/sigstore-js) | `4.1.0` | `4.1.1` |

Bumps the npm_and_yarn group with 1 update in the /api directory: [hono](https://github.com/honojs/hono).
Bumps the npm_and_yarn group with 3 updates in the /lambda-react-ui directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite), [undici](https://github.com/nodejs/undici) and [js-yaml](https://github.com/nodeca/js-yaml).
Bumps the npm_and_yarn group with 1 update in the /nest-api directory: [js-yaml](https://github.com/nodeca/js-yaml).
Bumps the npm_and_yarn group with 2 updates in the /nuxt-api directory: [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) and [nuxt](https://github.com/nuxt/nuxt/tree/HEAD/packages/nuxt).
Bumps the npm_and_yarn group with 1 update in the /react-apollo-ui directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).
Bumps the npm_and_yarn group with 2 updates in the /react-ui directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [undici](https://github.com/nodejs/undici).
Bumps the npm_and_yarn group with 2 updates in the /svelte-ui directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [undici](https://github.com/nodejs/undici).
Bumps the npm_and_yarn group with 3 updates in the /tanstack-start-ui directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite), [undici](https://github.com/nodejs/undici) and [js-yaml](https://github.com/nodeca/js-yaml).
Bumps the npm_and_yarn group with 2 updates in the /tanstack-ui directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [undici](https://github.com/nodejs/undici).
Bumps the npm_and_yarn group with 2 updates in the /vue-ui directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [undici](https://github.com/nodejs/undici).
Bumps the npm_and_yarn group with 1 update in the /yoga-api directory: [hono](https://github.com/honojs/hono).


Updates `undici` from 7.24.7 to 7.28.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.24.7...v7.28.0)

Updates `@sigstore/core` from 3.2.0 to 3.2.1
- [Release notes](https://github.com/sigstore/sigstore-js/releases)
- [Commits](https://github.com/sigstore/sigstore-js/compare/@sigstore/core@3.2.0...@sigstore/core@3.2.1)

Updates `@sigstore/verify` from 3.1.0 to 3.1.1
- [Release notes](https://github.com/sigstore/sigstore-js/releases)
- [Commits](https://github.com/sigstore/sigstore-js/compare/sigstore@3.1.0...@sigstore/verify@3.1.1)

Updates `hono` from 4.12.18 to 4.12.27
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.18...v4.12.27)

Updates `http-proxy-middleware` from 2.0.9 to 2.0.10
- [Release notes](https://github.com/chimurai/http-proxy-middleware/releases)
- [Changelog](https://github.com/chimurai/http-proxy-middleware/blob/v2.0.10/CHANGELOG.md)
- [Commits](chimurai/http-proxy-middleware@v2.0.9...v2.0.10)

Updates `piscina` from 5.1.4 to 5.2.0
- [Release notes](https://github.com/piscinajs/piscina/releases)
- [Changelog](https://github.com/piscinajs/piscina/blob/v5.2.0/CHANGELOG.md)
- [Commits](piscinajs/piscina@v5.1.4...v5.2.0)

Updates `sigstore` from 4.1.0 to 4.1.1
- [Release notes](https://github.com/sigstore/sigstore-js/releases)
- [Commits](https://github.com/sigstore/sigstore-js/compare/sigstore@4.1.0...sigstore@4.1.1)

Updates `webpack-dev-server` from 5.2.3 to 5.2.5
- [Release notes](https://github.com/webpack/webpack-dev-server/releases)
- [Changelog](https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack-dev-server@v5.2.3...v5.2.5)

Updates `hono` from 4.12.15 to 4.12.27
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.18...v4.12.27)

Updates `vite` from 7.3.2 to 8.1.3
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.1.3/packages/vite)

Updates `undici` from 7.24.7 to 7.28.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.24.7...v7.28.0)

Updates `js-yaml` from 4.1.1 to 4.3.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.1...4.3.0)

Updates `js-yaml` from 4.1.1 to 4.3.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.1...4.3.0)

Updates `@babel/core` from 7.29.0 to 7.29.7
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-core)

Updates `nuxt` from 4.4.2 to 4.4.7
- [Release notes](https://github.com/nuxt/nuxt/releases)
- [Commits](https://github.com/nuxt/nuxt/commits/v4.4.7/packages/nuxt)

Updates `vite` from 7.3.2 to 7.3.5
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.1.3/packages/vite)

Updates `vite` from 7.3.2 to 8.1.3
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.1.3/packages/vite)

Updates `undici` from 7.24.7 to 7.28.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.24.7...v7.28.0)

Updates `vite` from 7.3.2 to 8.1.3
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.1.3/packages/vite)

Updates `undici` from 7.24.7 to 7.28.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.24.7...v7.28.0)

Updates `vite` from 7.3.2 to 8.1.3
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.1.3/packages/vite)

Updates `undici` from 7.24.7 to 7.28.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.24.7...v7.28.0)

Updates `js-yaml` from 4.1.1 to 4.3.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.1...4.3.0)

Updates `vite` from 7.3.2 to 8.1.3
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.1.3/packages/vite)

Updates `undici` from 7.24.7 to 7.28.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.24.7...v7.28.0)

Updates `vite` from 7.3.2 to 8.1.3
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.1.3/packages/vite)

Updates `undici` from 7.24.7 to 7.28.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.24.7...v7.28.0)

Updates `hono` from 4.12.15 to 4.12.27
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.18...v4.12.27)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@sigstore/core"
  dependency-version: 3.2.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@sigstore/verify"
  dependency-version: 3.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.27
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: http-proxy-middleware
  dependency-version: 2.0.10
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: piscina
  dependency-version: 5.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: sigstore
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: webpack-dev-server
  dependency-version: 5.2.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@sigstore/core"
  dependency-version: 3.2.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@sigstore/verify"
  dependency-version: 3.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.27
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: http-proxy-middleware
  dependency-version: 2.0.10
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: piscina
  dependency-version: 5.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: sigstore
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: webpack-dev-server
  dependency-version: 5.2.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.27
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 8.1.3
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.3.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.3.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@babel/core"
  dependency-version: 7.29.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: nuxt
  dependency-version: 4.4.7
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 7.3.5
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 8.1.3
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 8.1.3
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 8.1.3
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.3.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 8.1.3
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 8.1.3
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.27
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies and javascript labels Jul 4, 2026
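
The hono release notes quoted in the PR description (GHSA-xgm2-5f3f-mvvc) describe repeated header values being de-duplicated by substring instead of exact match. The following is an added illustration of that bug class and of a regression check for it; it is not code from hono or from this PR, all function names are hypothetical, and the sample values are constructed from the addresses the advisory text uses.

```javascript
// Added illustration, not hono's adapter code. All names are hypothetical.

// Buggy shape: a value counts as "already present" when it occurs anywhere
// inside the merged header string, so a value that is a substring of an
// earlier one is silently dropped.
function mergeBySubstring(values) {
  let merged = '';
  for (const value of values) {
    if (merged.includes(value)) continue; // '203.0.113.10'.includes('203.0.113.1') is true
    merged = merged === '' ? value : `${merged}, ${value}`;
  }
  return merged;
}

// Corrected shape: only whole values that were already seen are skipped.
function mergeByExactMatch(values) {
  const seen = new Set();
  const kept = [];
  for (const value of values) {
    if (seen.has(value)) continue;
    seen.add(value);
    kept.push(value);
  }
  return kept.join(', ');
}

// Regression check for any merge routine: every distinct input value must
// survive as a whole, comma-separated element of the merged header.
function droppedValues(values, merged) {
  const present = new Set(merged.split(',').map((v) => v.trim()));
  return [...new Set(values)].filter((v) => !present.has(v));
}

// Downstream logic of the kind the advisory mentions: an IP restriction
// keyed on one X-Forwarded-For entry (here, assumed to be the right-most).
function rightmostAddress(xff) {
  const parts = xff.split(',').map((p) => p.trim()).filter(Boolean);
  return parts.length > 0 ? parts[parts.length - 1] : null;
}

function isDenied(xff, denyList) {
  const address = rightmostAddress(xff);
  return address !== null && denyList.has(address);
}

// Constructed sample: repeated X-Forwarded-For values as an adapter might
// receive them, including one genuine exact duplicate.
const SAMPLE_XFF_VALUES = ['203.0.113.10', '203.0.113.1', '203.0.113.10'];
const SAMPLE_DENY_LIST = new Set(['203.0.113.1']);

// Runs both merge strategies over the same input and reports what each one
// lost and what the restriction check decided.
function compareMerges(values, denyList) {
  const substring = mergeBySubstring(values);
  const exact = mergeByExactMatch(values);
  return {
    substring: {
      header: substring,
      dropped: droppedValues(values, substring),
      denied: isDenied(substring, denyList),
    },
    exact: {
      header: exact,
      dropped: droppedValues(values, exact),
      denied: isDenied(exact, denyList),
    },
  };
}

console.log(JSON.stringify(compareMerges(SAMPLE_XFF_VALUES, SAMPLE_DENY_LIST), null, 2));
```

`droppedValues` can be pointed at any header-merging helper in your own code base as a unit-test oracle: a non-empty result means the merge lost a value the client or an upstream proxy actually sent.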