Skip to content

chore(deps): bump the patch-and-minor group across 1 directory with 6 updates#1241

Merged
vybe merged 1 commit into
devfrom
dependabot/npm_and_yarn/src/frontend/dev/patch-and-minor-c476492ce8
Jun 17, 2026
Merged

chore(deps): bump the patch-and-minor group across 1 directory with 6 updates#1241
vybe merged 1 commit into
devfrom
dependabot/npm_and_yarn/src/frontend/dev/patch-and-minor-c476492ce8

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 16, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps the patch-and-minor group with 6 updates in the /src/frontend directory:

Package From To
axios 1.17.0 1.18.0
dompurify 3.4.8 3.4.11
vue 3.5.35 3.5.38
@playwright/test 1.60.0 1.61.0
@rollup/rollup-darwin-arm64 4.61.1 4.62.0
@rollup/rollup-linux-arm64-musl 4.61.1 4.62.0

Updates axios from 1.17.0 to 1.18.0

Release notes

Sourced from axios's releases.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

  • Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

  • URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

  • Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

  • Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

  • Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

  • Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

Changelog

Sourced from axios's changelog.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

  • Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

  • URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

  • Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

  • Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

  • Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

  • Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

Commits
  • 2d06f96 chore(release): prepare release 1.18.0 (#11003)
  • 32fc489 fix: malformed http urls (#11000)
  • b40ce49 chore(deps-dev): bump the development_dependencies group with 10 updates (#10...
  • fe964f9 docs: mark proxy config as Node.js only (#10995)
  • 5f229d2 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 in the github-actions ...
  • fae9d4e docs: clarify package update PR policy (#10992)
  • 28ab2ce chore(deps-dev): bump the development_dependencies group with 2 updates (#10989)
  • a8e4f13 fix(core): keep default validateStatus when request passes undefined (#10899)
  • 614f455 docs: publish v1.17.0 release notes (#10988)
  • 6bb12c1 fix: custom auth headers not stripped on cross-origin redirects (#10892)
  • Additional commits viewable in compare view

Updates dompurify from 3.4.8 to 3.4.11

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.11

  • Fixed an issue with a leaky config for hooks via setConfig, thanks @​trace37labs
  • Bumped vulnerable development dependencies to arrive at plain 0 with npm audit
  • Updated the osv-scanner suppression list as no vulnerable dependencies are left for now
  • Updated up the linting tool-chain and removed now-redundant lint directives
  • Updated the documentation is several spots, README, wiki, etc.
  • Bumped several dependencies where possible

DOMPurify 3.4.10

  • Refactored codebase for clarity: extracted the public type declarations into types.ts
  • Decomposed the three largest sanitizer functions into focused helpers
  • Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
  • Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
  • Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
  • Reduced CI cost by running the full three-engine browser suite once per PR
  • Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo
  • Documented the bench and test:happydom scripts in the README
  • Completed the Attack Classes & Bypass History wiki page
  • Bumped several dependencies where possible

DOMPurify 3.4.9

  • Further improved the handling of Trusted Types config options, thanks @​offset
  • Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
  • Added more test coverage for IN_PLACE and Trusted Types related usage
  • Bumped several dependencies where possible
  • Updated README and wiki with more accurate documentation & attack samples
Commits

Updates vue from 3.5.35 to 3.5.38

Release notes

Sourced from vue's releases.

v3.5.38

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.37

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

Changelog

Sourced from vue's changelog.

3.5.38 (2026-06-11)

3.5.37 (2026-06-11)

3.5.36 (2026-06-11)

Bug Fixes

  • compiler-core: avoid crash on CDATA at the document root (#14916) (0ea17e2)
  • compiler-core: prefix dynamic keys on v-memo elements (#14922) (68e978e), closes #14920
  • compiler-sfc: handle vue-ignore on leading intersection/union type (#14950) (0dcd225), closes #12254
  • compiler-sfc: respect var hoisting in props destructure (48ad452)
  • reactivity: preserve watch callback return value when wrapped for once: true (#14902) (450a8a8)
  • runtime-core: add dev warning for silent catch in compat mode and fix test description typo (#14891) (db3e117)
  • runtime-core: force model update when reverted before sync (#14897) (7f76378), closes #13524
  • runtime-core: skip async component callbacks after unmount (#14911) (5300ead)
  • transition: avoid move transition for hidden v-show group children (#14895) (c11f6ee), closes #14894
  • watch: trigger immediate callback for empty sources (#14914) (1f2ca7e), closes #14898
Commits

Updates @playwright/test from 1.60.0 to 1.61.0

Release notes

Sourced from @​playwright/test's releases.

v1.61.0

🔑 WebAuthn passkeys

New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:

const context = await browser.newContext();
// Seed a passkey your backend provisioned for a test user.
await context.credentials.create('example.com', {
id: credentialId,
userHandle,
privateKey,
publicKey,
});
await context.credentials.install();
const page = await context.newPage();
await page.goto('https://example.com/login');
// The page's navigator.credentials.get() is answered with the seeded passkey.

You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.

🗃️ Web Storage

New WebStorage API, available via page.localStorage and page.sessionStorage, reads and writes the page's storage for the current origin:

await page.localStorage.setItem('token', 'abc');
const token = await page.localStorage.getItem('token');
const items = await page.sessionStorage.items();

New APIs

Network

Browser and Screencast

  • New option artifactsDir in browserType.connectOverCDP() controls where artifacts such as traces and downloads are stored when attached to an existing browser.
  • New option cursor in screencast.showActions() controls the cursor decoration rendered for pointer actions.
  • The onFrame callback in screencast.start() now receives a timestamp of when the frame was presented by the browser.

Test runner

  • The testOptions.video option now supports the same set of modes as trace: new 'on-all-retries', 'retain-on-first-failure' and 'retain-on-failure-and-retries' values. See the video modes table for which runs are recorded and kept in each mode.
  • Supported expect.soft.poll(...).
  • New fullConfig.argv — a snapshot of process.argv from the runner process, handy for reading custom arguments passed after the -- separator.
  • New fullConfig.failOnFlakyTests mirrors the config option, so reporters can explain why a flaky run failed.
  • testInfo.errors now lists each sub-error of an AggregateError as a separate entry.

... (truncated)

Commits
  • 1cc5a90 cherry-pick(#41295): chore: PLAYWRIGHT_TRACING_NO_WEBSOCKET_FRAMES and PLAYWR...
  • a6772bd cherry-pick(#41280): Revert "fix(trace-viewer): add keyboard navigation to `N...
  • 8133dcf cherry-pick(#41283): docs: add Ubuntu 26.04 and Node.js 26.x to system requir...
  • 812432e chore: mark v1.61.0 (#41277)
  • ac05145 fix(fetch): report serverAddr and securityDetails for reused sockets (#41267)
  • 056efc9 fix(trace-viewer): add keyboard navigation to NetworkFilters component (#41...
  • 41f7b9a chore: fixes uncovered by the .NET 1.61 roll (#41266)
  • ba50778 fix(mcp): assign caps as array for legacy --vision flag (#41253)
  • b8ee5ae docs: release notes for v1.61 (#41261)
  • 49c1f69 fix(trace viewer): load trace from a local file (#41263)
  • Additional commits viewable in compare view

Updates @rollup/rollup-darwin-arm64 from 4.61.1 to 4.62.0

Release notes

Sourced from @​rollup/rollup-darwin-arm64's releases.

v4.62.0

4.62.0

2026-06-13

Features

  • Ensure that shared dependencies between manual chunks and entry points receive a serparate chunk (#6374)

Pull Requests

Changelog

Sourced from @​rollup/rollup-darwin-arm64's changelog.

4.62.0

2026-06-13

Features

  • Ensure that shared dependencies between manual chunks and entry points receive a serparate chunk (#6374)

Pull Requests

Commits
  • 5e0066d 4.62.0
  • 93e85fc chore(deps): update dependency eslint-plugin-unicorn to v65 (#6413)
  • 5c9ef2e fix(deps): update minor/patch updates (#6412)
  • 18654d8 chore(deps): lock file maintenance minor/patch updates (#6414)
  • d96ed95 Extract the static dependencies imported by manual chunks into separate chunk...
  • 126e141 chore(deps): pin dependency concurrently to v9 (#6406)
  • f2f58c4 chore(deps): lock file maintenance minor/patch updates (#6410)
  • 5a15062 chore(deps): update minor/patch updates to v6.2.0 (#6409)
  • d02f03a chore(deps): lock file maintenance minor/patch updates (#6407)
  • 844671c fix(deps): update minor/patch updates (#6405)
  • See full diff in compare view

Updates @rollup/rollup-linux-arm64-musl from 4.61.1 to 4.62.0

Release notes

Sourced from @​rollup/rollup-linux-arm64-musl's releases.

v4.62.0

4.62.0

2026-06-13

Features

  • Ensure that shared dependencies between manual chunks and entry points receive a serparate chunk (#6374)

Pull Requests

Changelog

Sourced from @​rollup/rollup-linux-arm64-musl's changelog.

4.62.0

2026-06-13

Features

  • Ensure that shared dependencies between manual chunks and entry points receive a serparate chunk (#6374)

Pull Requests

Commits
  • 5e0066d 4.62.0
  • 93e85fc chore(deps): update dependency eslint-plugin-unicorn to v65 (#6413)
  • 5c9ef2e fix(deps): update minor/patch updates (#6412)
  • 18654d8 chore(deps): lock file maintenance minor/patch updates (#6414)
  • d96ed95 Extract the static dependencies imported by manual chunks into separate chunk...
  • 126e141 chore(deps): pin dependency concurrently to v9 (#6406)
  • f2f58c4 chore(deps): lock file maintenance minor/patch updates (#6410)
  • 5a15062 chore(deps): update minor/patch updates to v6.2.0 (#6409)
  • d02f03a chore(deps): lock file maintenance minor/patch updates (#6407)
  • 844671c fix(deps): update minor/patch updates (#6405)
  • See full diff in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency frontend Frontend/UI changes labels Jun 16, 2026
@github-actions

github-actions Bot commented Jun 17, 2026

Copy link
Copy Markdown

⚠️ Nightly unit-suite check skipped — merge conflict against dev.

Resolve by running git merge dev locally and pushing the result. The next nightly run will re-test once the conflict is gone.

@vybe

vybe commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

@dependabot rebase

@dependabot
chore(deps): bump the patch-and-minor group across 1 directory with 6…
0da9421 
… updates

Bumps the patch-and-minor group with 6 updates in the /src/frontend directory:

| Package | From | To |
| --- | --- | --- |
| [axios](https://github.com/axios/axios) | `1.17.0` | `1.18.0` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.4.8` | `3.4.11` |
| [vue](https://github.com/vuejs/core) | `3.5.35` | `3.5.38` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.60.0` | `1.61.0` |
| [@rollup/rollup-darwin-arm64](https://github.com/rollup/rollup) | `4.61.1` | `4.62.0` |
| [@rollup/rollup-linux-arm64-musl](https://github.com/rollup/rollup) | `4.61.1` | `4.62.0` |



Updates `axios` from 1.17.0 to 1.18.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.17.0...v1.18.0)

Updates `dompurify` from 3.4.8 to 3.4.11
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.4.8...3.4.11)

Updates `vue` from 3.5.35 to 3.5.38
- [Release notes](https://github.com/vuejs/core/releases)
- [Changelog](https://github.com/vuejs/core/blob/main/CHANGELOG.md)
- [Commits](vuejs/core@v3.5.35...v3.5.38)

Updates `@playwright/test` from 1.60.0 to 1.61.0
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.60.0...v1.61.0)

Updates `@rollup/rollup-darwin-arm64` from 4.61.1 to 4.62.0
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.61.1...v4.62.0)

Updates `@rollup/rollup-linux-arm64-musl` from 4.61.1 to 4.62.0
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.61.1...v4.62.0)

---
updated-dependencies:
- dependency-name: "@playwright/test"
  dependency-version: 1.61.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: "@rollup/rollup-darwin-arm64"
  dependency-version: 4.62.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: "@rollup/rollup-linux-arm64-musl"
  dependency-version: 4.62.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: axios
  dependency-version: 1.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: patch-and-minor
- dependency-name: dompurify
  dependency-version: 3.4.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-and-minor
- dependency-name: vue
  dependency-version: 3.5.38
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-and-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/src/frontend/dev/patch-and-minor-c476492ce8 branch from f2847c2 to 0da9421 Compare June 17, 2026 13:46
@vybe vybe mentioned this pull request Jun 17, 2026
Closed
vybe
vybe approved these changes Jun 17, 2026
View reviewed changes

@vybe vybe left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Validated: frontend patch-and-minor group (axios 1.18 redirect-header safety, dompurify 3.4.10 XSS sanitizer, vue 3.5.38, @playwright/test 1.61, rollup binaries) — all patch/minor, no majors, beneficial security bumps. Retargeted/rebased onto dev; CI green incl. schema-parity + verify-non-root.

@vybe vybe merged commit a4a0ef5 into dev Jun 17, 2026
17 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/src/frontend/dev/patch-and-minor-c476492ce8 branch June 17, 2026 13:55
@vybe vybe mentioned this pull request Jun 17, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vybe vybe vybe approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency frontend Frontend/UI changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vybe