Skip to content

Bump the npm-dependencies group across 1 directory with 5 updates#3027

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-dependencies-a35710e604
Open

Bump the npm-dependencies group across 1 directory with 5 updates#3027
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-dependencies-a35710e604

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 2, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps the npm-dependencies group with 5 updates in the / directory:

Package From To
@hotwired/turbo-rails 8.0.2 8.0.23
@rails/actiontext 8.0.0 8.1.300
esbuild 0.25.0 0.28.1
sass 1.63.6 1.101.0
trix 2.1.17 2.1.19

Updates @hotwired/turbo-rails from 8.0.2 to 8.0.23

Commits
Maintainer changes

This version was pushed to npm by packagethief, a new releaser for @​hotwired/turbo-rails since your current version.


Updates @rails/actiontext from 8.0.0 to 8.1.300

Release notes

Sourced from @​rails/actiontext's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before: hash = {CustomKey.new(123) => "value"} hash.to_json # => {"{:id=>123}":"value"}

    After: hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
  inflect.acronym "USD"
  inflect.acronym "USDC"
end
"USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​rails/actiontext since your current version.


Updates esbuild from 0.25.0 to 0.28.1

Release notes

Sourced from esbuild's releases.

v0.28.1

  • Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

    This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

    Thanks to @​dellalibera for reporting this issue.

  • Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

    The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

    Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

    Thanks to @​sondt99 for reporting this issue.

  • Avoid inlining using and await using declarations (#4482)

    Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

    // Original code
{
  using x = new Resource()
  x.activate()
}
// Old output (with --minify)
new Resource().activate();
// New output (with --minify)
{using e=new Resource;e.activate()}

  • Fix module evaluation when an error is thrown (#4461, #4467)

    If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

  • Fix some edge cases around the new operator (#4477)

    Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

    // Original code
new (foo()`bar`)()
new (foo()?.bar)()
// Old output
new foo()bar();
new (foo())?.bar();

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2025

This changelog documents all esbuild versions published in the year 2025 (versions 0.25.0 through 0.27.2).

0.27.2

  • Allow import path specifiers starting with #/ (#4361)

    Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

    This change was contributed by @​hybrist.

  • Automatically add the -webkit-mask prefix (#4357, #4358)

    This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

    /* Original code */
main {
  mask: url(x.png) center/5rem no-repeat
}
/* Old output (with --target=chrome110) */
main {
mask: url(x.png) center/5rem no-repeat;
}
/* New output (with --target=chrome110) */
main {
-webkit-mask: url(x.png) center/5rem no-repeat;
mask: url(x.png) center/5rem no-repeat;
}

    This change was contributed by @​BPJEnnova.

  • Additional minification of switch statements (#4176, #4359)

    This release contains additional minification patterns for reducing switch statements. Here is an example:

    // Original code
switch (x) {
  case 0:
    foo()
    break
  case 1:
  default:
    bar()
}

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for esbuild since your current version.


Updates sass from 1.63.6 to 1.101.0

Release notes

Sourced from sass's releases.

Dart Sass 1.101.0

To install Sass 1.101.0, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

  • Potentially breaking bug fix: The Node package importer now properly supports resolving import-only variants of Sass files declared in the exports, sass, and style fields of package.json. Previously, these files were ignored even when loaded via @import, so any code relying on loading module-system-only files this way may break.

See the full changelog for changes in earlier releases.

Dart Sass 1.100.0

To install Sass 1.100.0, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

  • Writing two compound selectors adjacent to one another without any whitespace between them, such as [class]a, is now deprecated. This was always an error in CSS and Sass only supported it by mistake.

    See the Sass website for details.

See the full changelog for changes in earlier releases.

Dart Sass 1.99.0

To install Sass 1.99.0, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

  • Add support for parent selectors (&) at the root of the document. These are emitted as-is in the CSS output, where they're interpreted as the scoping root.

  • User-defined functions named calc or clamp are no longer forbidden. If such a function exists without a namespace in the current module, it will be used instead of the built-in calc() or clamp() function.

  • User-defined functions whose names begin with - and end with -expression, -url, -and, -or, or -not are no longer forbidden. These were originally intended to match vendor prefixes, but in practice no vendor prefixes for these functions ever existed in real browsers.

  • User-defined functions named EXPRESSION, URL, and ELEMENT, those that begin with - and end with -ELEMENT, as well as the same names with some lowercase letters are now deprecated, These are names conflict with plain CSS functions that have special syntax.

    See the Sass website for details.

  • In a future release, calls to functions whose names begin with - and end with -expression and -url will no longer have special parsing. For now, these calls are deprecated if their behavior will change in the future.

    See the Sass website for details.

... (truncated)

Changelog

Sourced from sass's changelog.

1.101.0

  • Potentially breaking bug fix: The Node package importer now properly supports resolving import-only variants of Sass files declared in the exports, sass, and style fields of package.json. Previously, these files were ignored even when loaded via @import, so any code relying on loading module-system-only files this way may break.

1.100.0

  • Writing two compound selectors adjacent to one another without any whitespace between them, such as [class]a, is now deprecated. This was always an error in CSS and Sass only supported it by mistake.

    See the Sass website for details.

1.99.0

  • Add support for parent selectors (&) at the root of the document. These are emitted as-is in the CSS output, where they're interpreted as the scoping root.

  • User-defined functions named calc or clamp are no longer forbidden. If such a function exists without a namespace in the current module, it will be used instead of the built-in calc() or clamp() function.

  • User-defined functions whose names begin with - and end with -expression, -url, -and, -or, or -not are no longer forbidden. These were originally intended to match vendor prefixes, but in practice no vendor prefixes for these functions ever existed in real browsers.

  • User-defined functions named EXPRESSION, URL, and ELEMENT, those that begin with - and end with -ELEMENT, as well as the same names with some lowercase letters are now deprecated, These are names conflict with plain CSS functions that have special syntax.

    See the Sass website for details.

  • In a future release, calls to functions whose names begin with - and end with -expression and -url will no longer have special parsing. For now, these calls are deprecated if their behavior will change in the future.

    See the Sass website for details.

  • Calls to functions whose names begin with - and end with -progid:... are deprecated.

... (truncated)

Commits
  • 63b9922 Load import-only files through package.json exports (#2772)
  • c7e9947 Migrate from bufbuild/buf-setup-action to bufbuild/buf-action (#2773)
  • 7674a4c Bump postcss from 8.5.13 to 8.5.15 in /pkg/sass-parser (#2774)
  • 5fd18c7 Bump node engine requirement to >=20.19.0 and chokidar requirement to ^5.0.0 ...
  • 8c1d984 Deprecate adjacent compound selectors (#2765)
  • 8e5f718 Bump postcss from 8.5.12 to 8.5.13 in /pkg/sass-parser (#2767)
  • 1447f9b Bump postcss from 8.5.8 to 8.5.12 in /pkg/sass-parser (#2766)
  • 83c39fe Support the top-level parent selector (#2758)
  • ec85871 Bump EndBug/add-and-commit from 9 to 10 (#2756)
  • a604acd [Function Name] Implement changes (#2731)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for sass since your current version.


Updates trix from 2.1.17 to 2.1.19

Release notes

Sourced from trix's releases.

v2.1.19

Dependencies

Full Changelog: basecamp/trix@v2.1.18...v2.1.19

v2.1.18

Security

Infrastructure/CI

Full Changelog: basecamp/trix@v2.1.17...v2.1.18

Commits

@dependabot dependabot Bot added dependencies changes or issues relating to a dependency javascript Pull requests that update Javascript code labels Apr 2, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-dependencies-a35710e604 branch from da11d23 to d0a1e5e Compare April 8, 2026 20:05
@dependabot
Bump the npm-dependencies group across 1 directory with 5 updates
4f25ec6 
Bumps the npm-dependencies group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@hotwired/turbo-rails](https://github.com/hotwired/turbo-rails) | `8.0.2` | `8.0.23` |
| [@rails/actiontext](https://github.com/rails/rails) | `8.0.0` | `8.1.300` |
| [esbuild](https://github.com/evanw/esbuild) | `0.25.0` | `0.28.1` |
| [sass](https://github.com/sass/dart-sass) | `1.63.6` | `1.101.0` |
| [trix](https://github.com/basecamp/trix) | `2.1.17` | `2.1.19` |



Updates `@hotwired/turbo-rails` from 8.0.2 to 8.0.23
- [Release notes](https://github.com/hotwired/turbo-rails/releases)
- [Commits](https://github.com/hotwired/turbo-rails/commits)

Updates `@rails/actiontext` from 8.0.0 to 8.1.300
- [Release notes](https://github.com/rails/rails/releases)
- [Commits](https://github.com/rails/rails/commits)

Updates `esbuild` from 0.25.0 to 0.28.1
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2025.md)
- [Commits](evanw/esbuild@v0.25.0...v0.28.1)

Updates `sass` from 1.63.6 to 1.101.0
- [Release notes](https://github.com/sass/dart-sass/releases)
- [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md)
- [Commits](sass/dart-sass@1.63.6...1.101.0)

Updates `trix` from 2.1.17 to 2.1.19
- [Release notes](https://github.com/basecamp/trix/releases)
- [Commits](basecamp/trix@v2.1.17...v2.1.19)

---
updated-dependencies:
- dependency-name: "@hotwired/turbo-rails"
  dependency-version: 8.0.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: "@rails/actiontext"
  dependency-version: 8.1.300
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: esbuild
  dependency-version: 0.27.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: sass
  dependency-version: 1.98.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: trix
  dependency-version: 2.1.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-dependencies-a35710e604 branch from d0a1e5e to 4f25ec6 Compare June 17, 2026 20:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies changes or issues relating to a dependency javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants