Bump the npm_and_yarn group across 2 directories with 9 updates #9

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/_/npm_and_yarn-b44d405ce4

@dependabot dependabot Bot commented on behalf of github Mar 3, 2026

Bumps the npm_and_yarn group with 2 updates in the /_ directory: minimatch and tar.
Bumps the npm_and_yarn group with 8 updates in the /_/cloud/hostwriter.app directory:

| Package | From | To |
| --- | --- | --- |
| minimatch | 3.1.2 | 3.1.5 |
| tar | 7.5.7 | 7.5.9 |
| @builder.io/qwik | 1.19.0 | 1.19.1 |
| @modelcontextprotocol/sdk | 1.25.3 | 1.27.1 |
| ajv | 8.17.1 | 8.18.0 |
| basic-ftp | 5.1.0 | 5.2.0 |
| qs | 6.14.1 | 6.14.2 |
| rollup | 4.57.1 | 4.59.0 |

Updates minimatch from 9.0.5 to 9.0.9

Commits

Updates tar from 7.5.7 to 7.5.9

Commits
  • 1f0c2c9 7.5.9
  • fbb0851 build minified version as default export
  • 6b8eba0 7.5.8
  • 2cb1120 fix(unpack): improve UnpackSync symlink error "into" path accuracy
  • d18e4e1 fix: do not write linkpaths through symlinks
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates minimatch from 3.1.2 to 3.1.5

Commits

Updates @builder.io/qwik from 1.19.0 to 1.19.1

Release notes

Sourced from @builder.io/qwik's releases.

@builder.io/qwik@1.19.1

Patch Changes

  • 🐞🩹 support Deno as package manager for production builds. The Vite plugin now recognizes Deno as a Node-compatible runtime for manifest passing, and SSG delegates to the Node implementation instead of stubbing out. (by @ianlet in #8385)

  • 🐞🩹 the optimizer was not using the binary builds (by @wmertens in #8360)

  • 🐞🩹 resolve 404 error for virtual CSS modules during dev SSR (by @jantimon in #8351)

@builder.io/qwik-city@1.19.1

Patch Changes

  • 🐞🩹 support Deno as package manager for production builds. The Vite plugin now recognizes Deno as a Node-compatible runtime for manifest passing, and SSG delegates to the Node implementation instead of stubbing out. (by @ianlet in #8385)

  • 🐞🩹 Link hash change now properly updates location.url.hash (by @maiieul in #8305)

Changelog

Sourced from @builder.io/qwik's changelog.

1.19.1

Patch Changes

  • 🐞🩹 support Deno as package manager for production builds. The Vite plugin now recognizes Deno as a Node-compatible runtime for manifest passing, and SSG delegates to the Node implementation instead of stubbing out. (by @ianlet in #8385)

  • 🐞🩹 the optimizer was not using the binary builds (by @wmertens in #8360)

  • 🐞🩹 resolve 404 error for virtual CSS modules during dev SSR (by @jantimon in #8351)

Commits
  • d507a08 Version Packages
  • 3efd7a5 Merge branch 'main' into fix/virtual-css-dev-ssr-404
  • 9163ccf chore(deps): bump rollup in the npm_and_yarn group across 1 directory
  • 0314b61 Merge branch 'main' into fix/deno-production-builds
  • fe45eb6 fixup
  • cb56877 fix(core): qrl importing on server
  • 03b590f fix(qwik-city): support Deno as package manager for production builds
  • 63e6f55 fix: resolve 404 for virtual CSS modules during dev SSR
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @builder.io/qwik since your current version.


Updates @modelcontextprotocol/sdk from 1.25.3 to 1.27.1

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

v1.27.1

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.0...v1.27.1

v1.27.0

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@v1.26.0...v1.27.0

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

Commits
  • 4faa8c8 chore: bump version to 1.27.1 (#1581)
  • 09a85a8 fix: call onerror for silently swallowed transport errors (#1580)
  • e79d14a fix: prevent command injection in example URL opening (v1.x backport) (#1579)
  • 342ea39 docs: comprehensive feature documentation for SEP-1730 Tier 1 (#1548)
  • 2084a22 docs: add governance documentation for SEP-1730 (#1547)
  • f2d2145 feat: implement auth/pre-registration conformance scenario (#1545)
  • 8cbc658 chore: bump version for v1.27.0 (#1541)
  • 5c16ae3 [v1.x] feat(tasks): add streaming methods for elicitation and sampling (#1528)
  • 97ab379 feat: add url property to RequestInfo interface (#1353)
  • 825e9ab feat: backport discoverOAuthServerInfo() and discovery caching to v1.x (#1533)
  • Additional commits viewable in compare view

Updates ajv from 8.17.1 to 8.18.0

Release notes

Sourced from ajv's releases.

v8.18.0

What's Changed

New Contributors

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

Commits
  • 142ce84 8.18.0
  • 720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
  • 82735a1 fix: typos in schema-language.md (#2507)
  • b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
  • 69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
  • f06766f feat: allow tree-shaking by adding `"sideEffects": false` to `package.json` ...
  • See full diff in compare view

Updates basic-ftp from 5.1.0 to 5.2.0

Release notes

Sourced from basic-ftp's releases.

5.2.0

  • Changed: Skip files with invalid name in downloadToDir.
Changelog

Sourced from basic-ftp's changelog.

5.2.0

Commits
Maintainer changes

This version was pushed to npm by patrickjuchli, a new releaser for basic-ftp since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates hono from 4.11.1 to 4.12.4

Release notes

Sourced from hono's releases.

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

Middleware Bypass in Serve Static

Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. GHSA-q5qw-h33p-qvwr

Users who use Streaming Helper, Cookie utility, and Serve Static are strongly encouraged to upgrade to this version.


Other changes

New Contributors

Full Changelog: honojs/hono@v4.12.3...v4.12.4

v4.12.3

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.2...v4.12.3

v4.12.2

Security fix

Fixed incorrect handling of X-Forwarded-For in the AWS Lambda adapter behind ALB that could allow IP-based access control bypass. The detail: GHSA-xh87-mx6m-69f3

... (truncated)

Commits
  • 19d20d2 4.12.4
  • 44ae0c8 Merge commit from fork
  • f4123ed Merge commit from fork
  • 80a9837 fix(utils/url): specify the return type of tryDecodeURI (#4779)
  • 6a0607a Merge commit from fork
  • 0768232 fix(client): preserve route schema in ApplyGlobalResponse (#4777)
  • 790c57b 4.12.3
  • bda46ac fix(jwt): prevent memory leak by avoiding mutation of options object (#4759)
  • 0f505f4 fix(types): correct middleware types (#4774)
  • eb9c112 fix(types): remove DOM type dependencies from ClientResponse and request meth...
  • Additional commits viewable in compare view

Updates qs from 6.14.1 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLength → arrayLimit)
  • [actions] fix rebase workflow permissions
Commits
  • bdcf0c7 v6.14.2
  • 294db90 [readme] document that addQueryPrefix does not add ? to empty output
  • 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
  • 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
  • cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
  • febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
  • f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
  • fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
  • 1b9a8b4 [actions] fix rebase workflow permissions
  • 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
  • Additional commits viewable in compare view

Updates rollup from 4.57.1 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

  • Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

v4.58.0

4.58.0

2026-02-20

Features

  • Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

Changelog

Sourced from rollup's changelog.

4.59.0

2026-02-22

Features

  • Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

4.58.0

2026-02-20

Features

  • Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot Bot added the dependencies and javascript labels Mar 3, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/_/npm_and_yarn-b44d405ce4 branch from 8ac85be to bbbc09e Compare March 3, 2026 20:31
Bumps the npm_and_yarn group with 2 updates in the /_ directory: [minimatch](https://github.com/isaacs/minimatch) and [tar](https://github.com/isaacs/node-tar).
Bumps the npm_and_yarn group with 8 updates in the /_/cloud/hostwriter.app directory:

| Package | From | To |
| --- | --- | --- |
| [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` |
| [tar](https://github.com/isaacs/node-tar) | `7.5.7` | `7.5.9` |
| [@builder.io/qwik](https://github.com/QwikDev/qwik/tree/HEAD/packages/qwik) | `1.19.0` | `1.19.1` |
| [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) | `1.25.3` | `1.27.1` |
| [ajv](https://github.com/ajv-validator/ajv) | `8.17.1` | `8.18.0` |
| [basic-ftp](https://github.com/patrickjuchli/basic-ftp) | `5.1.0` | `5.2.0` |
| [qs](https://github.com/ljharb/qs) | `6.14.1` | `6.14.2` |
| [rollup](https://github.com/rollup/rollup) | `4.57.1` | `4.59.0` |



Updates `minimatch` from 9.0.5 to 9.0.9
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v9.0.5...v9.0.9)

Updates `tar` from 7.5.7 to 7.5.9
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.7...v7.5.9)

Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v9.0.5...v9.0.9)

Updates `tar` from 7.5.7 to 7.5.9
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.7...v7.5.9)

Updates `@builder.io/qwik` from 1.19.0 to 1.19.1
- [Release notes](https://github.com/QwikDev/qwik/releases)
- [Changelog](https://github.com/QwikDev/qwik/blob/@builder.io/qwik@1.19.1/packages/qwik/CHANGELOG.md)
- [Commits](https://github.com/QwikDev/qwik/commits/@builder.io/qwik@1.19.1/packages/qwik)

Updates `@modelcontextprotocol/sdk` from 1.25.3 to 1.27.1
- [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases)
- [Commits](modelcontextprotocol/typescript-sdk@v1.25.3...v1.27.1)

Updates `ajv` from 8.17.1 to 8.18.0
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v8.17.1...v8.18.0)

Updates `basic-ftp` from 5.1.0 to 5.2.0
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](patrickjuchli/basic-ftp@v5.1.0...v5.2.0)

Updates `hono` from 4.11.1 to 4.12.4
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.11.1...v4.12.4)

Updates `qs` from 6.14.1 to 6.14.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.1...v6.14.2)

Updates `rollup` from 4.57.1 to 4.59.0
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.57.1...v4.59.0)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-version: 9.0.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@builder.io/qwik"
  dependency-version: 1.19.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@modelcontextprotocol/sdk"
  dependency-version: 1.27.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ajv
  dependency-version: 8.18.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: basic-ftp
  dependency-version: 5.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.14.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 4.59.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/_/npm_and_yarn-b44d405ce4 branch from bbbc09e to 87125b9 Compare March 24, 2026 13:52

dependabot Bot commented on behalf of github Mar 24, 2026

Looks like these dependencies are no longer updatable, so this is no longer needed.

@dependabot dependabot Bot closed this Mar 24, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/_/npm_and_yarn-b44d405ce4 branch March 24, 2026 14:42