chore(deps): bump the npm_and_yarn group across 1 directory with 6 updates #6

dependabot · 2025-02-24T23:25:14Z

Bumps the npm_and_yarn group with 6 updates in the /docs directory:

Package	From	To
braces	`3.0.2`	`3.0.3`
postcss	`8.4.25`	`8.5.3`
rollup	`2.79.1`	`2.79.2`
serialize-javascript	`6.0.1`	`6.0.2`
vite	`2.8.6`	`removed`
vuepress	`2.0.0-beta.35`	`2.0.0-rc.20`

Updates braces from 3.0.2 to 3.0.3

Commits

74b2db2 3.0.3
88f1429 update eslint. lint, fix unit tests.
415d660 Snyk js braces 6838727 (#40)
190510f fix tests, skip 1 test in test/braces.expand
716eb9f readme bump
a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
98414f9 remove funding file
665ab5d update keepEscaping doc (#27)
Additional commits viewable in compare view

Updates postcss from 8.4.25 to 8.5.3

Release notes

Sourced from postcss's releases.

8.5.3

Added more details to Unknown word error (by @hiepxanh).

Fixed types (by @romainmenke).

Fixed docs (by @catnipan).

8.5.2

Fixed end position of rules with semicolon (by @romainmenke).

8.5.1

Fixed backwards compatibility for complex cases (by @romainmenke).

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@romainmenke during his work on Stylelint added Input#document in additional to Input#css.
root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"
Thanks to Sponsors

This release was possible thanks to our community.

If your company wants to support the sustainability of front-end infrastructure or wants to give some love to PostCSS, you can join our supporters by:

Tidelift with a Spotify-like subscription model supporting all projects from your lock file.

Direct donations at GitHub Sponsors or Open Collective.

8.4.49

Fixed custom syntax without source.offset (by @romainmenke).

8.4.48

Fixed position calculation in error/warnings methods (by @romainmenke).

8.4.47

Removed debug code.

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.3

Added more details to Unknown word error (by @hiepxanh).

Fixed types (by @romainmenke).

Fixed docs (by @catnipan).

8.5.2

Fixed end position of rules with semicolon (by @romainmenke).

8.5.1

Fixed backwards compatibility for complex cases (by @romainmenke).

8.5 “Duke Alloces”

Added Input#document for sources like CSS-in-JS or HTML (by @romainmenke).

8.4.49

Fixed custom syntax without source.offset (by @romainmenke).

8.4.48

Fixed position calculation in error/warnings methods (by @romainmenke).

8.4.47

Removed debug code.

8.4.46

Fixed Cannot read properties of undefined (reading 'before').

8.4.45

Removed unnecessary fix which could lead to infinite loop.

8.4.44

Another way to fix markClean is not a function error.

8.4.43

Fixed markClean is not a function error.

8.4.42

Fixed CSS syntax error on long minified files (by @varpstar).

8.4.41

Fixed types (by @nex3 and @querkmachine).

Cleaned up RegExps (by @bluwy).

8.4.40

Moved to getter/setter in nodes types to help Sass team (by @nex3).

8.4.39

Fixed CssSyntaxError types (by @romainmenke).

8.4.38

Fixed endIndex: 0 in errors and warnings (by @romainmenke).

... (truncated)

Commits

22c309d Release 8.5.3 version
a2b594f Update ESLint config
8232ba0 Fix tests
5082831 Fix text
4fdb54b update: parser.js to clarify error message
06006ec AtRule can be empty
755f08f fix typo: them -> then (#2016)
692fcde Release 8.5.2 version
b70e98f Update dependencies
ba587e3 Fix end position of rules with ownSemicon (#2012)
Additional commits viewable in compare view

Updates rollup from 2.79.1 to 2.79.2

Release notes

Sourced from rollup's releases.

v.2.79.2

2.79.2

2024-09-26

Bug Fixes

Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

#5671: Fix DOM Clobbering CVE (@lukastaegert)

Changelog

Sourced from rollup's changelog.

2.79.2

2024-09-26

Bug Fixes

Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

#5671: Fix DOM Clobbering CVE (@lukastaegert)

3.29.5

2024-09-21

Bug Fixes

Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

#5671: Fix DOM Clobbering CVE (@lukastaegert)

4.22.4

2024-09-21

Bug Fixes

Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

#5670: refactor: Use object.prototype to check for reserved properties (@YuHyeonWook)

#5671: Fix DOM Clobbering CVE (@lukastaegert)

4.22.3

2024-09-21

Bug Fixes

Ensure that mutations in modules without side effects are observed while properly handling transitive dependencies (#5669)

Pull Requests

#5669: Ensure impure dependencies of pure modules are added (@lukastaegert)

4.22.2

... (truncated)

Commits

c9bd03d 2.79.2
48aef33 fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2) (#5677)
See full diff in compare view

Updates serialize-javascript from 6.0.1 to 6.0.2

Release notes

Sourced from serialize-javascript's releases.

v6.0.2

fix: serialize URL string contents to prevent XSS (#173) f27d65d

Bump @babel/traverse from 7.10.1 to 7.23.7 (#171) 02499c0

docs: update readme with URL support (#146) 0d88527

chore: update node version and lock file e2a3a91

fix typo (#164) 5a1fa64

yahoo/serialize-javascript@v6.0.1...v6.0.2

Commits

b71ec23 6.0.2
f27d65d fix: serialize URL string contents to prevent XSS (#173)
02499c0 Bump @babel/traverse from 7.10.1 to 7.23.7 (#171)
0d88527 docs: update readme with URL support (#146)
e2a3a91 chore: update node version and lock file
5a1fa64 fix typo (#164)
See full diff in compare view

Removes vite

Updates vuepress from 2.0.0-beta.35 to 2.0.0-rc.20

Commits

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

…dates Bumps the npm_and_yarn group with 6 updates in the /docs directory: | Package | From | To | | --- | --- | --- | | [braces](https://github.com/micromatch/braces) | `3.0.2` | `3.0.3` | | [postcss](https://github.com/postcss/postcss) | `8.4.25` | `8.5.3` | | [rollup](https://github.com/rollup/rollup) | `2.79.1` | `2.79.2` | | [serialize-javascript](https://github.com/yahoo/serialize-javascript) | `6.0.1` | `6.0.2` | | [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `2.8.6` | `removed` | | [vuepress](https://github.com/vuejs/vuepress/tree/HEAD/packages/vuepress) | `2.0.0-beta.35` | `2.0.0-rc.20` | Updates `braces` from 3.0.2 to 3.0.3 - [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md) - [Commits](micromatch/braces@3.0.2...3.0.3) Updates `postcss` from 8.4.25 to 8.5.3 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.4.25...8.5.3) Updates `rollup` from 2.79.1 to 2.79.2 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v2.79.1...v2.79.2) Updates `serialize-javascript` from 6.0.1 to 6.0.2 - [Release notes](https://github.com/yahoo/serialize-javascript/releases) - [Commits](yahoo/serialize-javascript@v6.0.1...v6.0.2) Removes `vite` Updates `vuepress` from 2.0.0-beta.35 to 2.0.0-rc.20 - [Release notes](https://github.com/vuejs/vuepress/releases) - [Changelog](https://github.com/vuejs/vuepress/blob/master/CHANGELOG.md) - [Commits](https://github.com/vuejs/vuepress/commits/HEAD/packages/vuepress) --- updated-dependencies: - dependency-name: braces dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: postcss dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: serialize-javascript dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vite dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vuepress dependency-type: direct:development dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added the dependencies Pull requests that update a dependency file label Feb 24, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 1 directory with 6 updates #6

chore(deps): bump the npm_and_yarn group across 1 directory with 6 updates #6

dependabot bot commented on behalf of github Feb 24, 2025

chore(deps): bump the npm_and_yarn group across 1 directory with 6 updates #6

Are you sure you want to change the base?

chore(deps): bump the npm_and_yarn group across 1 directory with 6 updates #6

Conversation

dependabot bot commented on behalf of github Feb 24, 2025

8.5.3

8.5.2

8.5.1

8.5 “Duke Alloces”

Thanks to Sponsors

8.4.49

8.4.48

8.4.47

8.5.3

8.5.2

8.5.1

8.5 “Duke Alloces”

8.4.49

8.4.48

8.4.47

8.4.46

8.4.45

8.4.44

8.4.43

8.4.42

8.4.41

8.4.40

8.4.39

8.4.38

v.2.79.2

2.79.2

Bug Fixes

Pull Requests

2.79.2

Bug Fixes

Pull Requests

3.29.5

Bug Fixes

Pull Requests

4.22.4

Bug Fixes

Pull Requests

4.22.3

Bug Fixes

Pull Requests

4.22.2

v6.0.2