Skip to content

build(deps): bump the npm-all group across 1 directory with 11 updates#39

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/services/core/packages/webclient/npm-all-6a88af3353
Open

build(deps): bump the npm-all group across 1 directory with 11 updates#39
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/services/core/packages/webclient/npm-all-6a88af3353

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 22, 2026

Bumps the npm-all group with 11 updates in the /services/core/packages/webclient directory:

Package From To
dompurify 3.3.3 3.4.1
vue 3.5.32 3.5.33
vue-router 5.0.4 5.0.6
vuetify 3.12.5 4.0.6
@types/node 25.5.2 25.6.0
@vitejs/plugin-vue 6.0.5 6.0.6
eslint 10.2.0 10.2.1
eslint-config-vuetify 4.5.0 4.6.0
typescript 6.0.2 6.0.3
vite 8.0.5 8.0.9
vue-tsc 3.2.6 3.2.7

Updates dompurify from 3.3.3 to 3.4.1

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.1

  • Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
  • Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
  • Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
  • Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
  • Removed a duplicate slot entry from the default HTML attribute allow-list
  • Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
  • Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
  • Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

DOMPurify 3.4.0

Most relevant changes:

  • Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
  • Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
  • Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
  • Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
  • Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
  • Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
  • Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth
  • Fixed an issue with USE_PROFILES prototype pollution, thanks @​christos-eth
  • Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @​researchatfluidattacks and others
  • Fixed an issue with closing tags leading to possible mXSS, thanks @​frevadiscor
  • Fixed a problem with the type dentition patcher after Node version bump
  • Fixed freezing BS runs by reducing the tested browsers array
  • Bumped several dependencies where possible
  • Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

Commits
  • 5b0cdbb chore: merge main into 3.x for 3.4.1 release (#1301)
  • 09f5911 test: added three more browsers to test setup (OSX, mobile)
  • 5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
  • See full diff in compare view
Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates vue from 3.5.32 to 3.5.33

Release notes

Sourced from vue's releases.

v3.5.33

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

Changelog

Sourced from vue's changelog.

3.5.33 (2026-04-22)

Bug Fixes

Commits
  • 3310eea release: v3.5.33
  • bb9d265 fix(compiler-sfc): handle nested :deep in selector pseudos (#14725)
  • 60402cd Revert "chore(deps): update pnpm/action-setup action to v6" (#14749)
  • 11fb2fd fix(runtime-dom): preserve textarea resize dimensions (#14747)
  • 974e2d2 chore(deps): update test (#14713)
  • 45990ce fix(transition): preserve placeholder for conditional explicit default slots ...
  • 6a61f44 fix(teleport): don't move teleport children if not mounted (#14702)
  • e7659be fix(reactivity): unlink effect scopes on out-of-order off (#14734)
  • 268115d chore: update pnpm config (#14694)
  • 24f26f4 chore(deps): update pnpm/action-setup action to v6 (#14716)
  • Additional commits viewable in compare view

Updates vue-router from 5.0.4 to 5.0.6

Release notes

Sourced from vue-router's releases.

v5.0.6

   🐞 Bug Fixes

    View changes on GitHub

v5.0.5

   🚀 Features

   🐞 Bug Fixes

  • Track definePage imports per-file to fix named view race condition  -  by @​posva (11191)
  • Avoid double decoding hash on string location  -  by @​posva (1578c)
    View changes on GitHub
Commits
  • 03e2337 release: vue-router@5.0.6
  • 32f78c7 fix: missing closing quote in generated import (#2688)
  • 7a41931 release: vue-router@5.0.5
  • 1578c9e fix: avoid double decoding hash on string location
  • 1e7d2cd chore(release): show last tag and relative date in package prompt
  • dacc763 chore: update sponsors
  • c24b418 build: support git worktrees in verifyCommit script
  • 11191bc fix: track definePage imports per-file to fix named view race condition
  • 8e5f147 style: avoid worktrees
  • 0a043f2 chore: disable no-this-alias rule and remove inline suppression comments
  • Additional commits viewable in compare view

Updates vuetify from 3.12.5 to 4.0.6

Release notes

Sourced from vuetify's releases.

v4.0.6

[!IMPORTANT] Vuetify Needs Your Support! The OpenCollective funds have been fully exhausted. We are currently unable to compensate our contributors for their continued work on the framework and the ecosystem tools.

If Vuetify is part of your stack, please consider sponsoring the project so we can continue delivering updates and fixes.

Sponsor via Open Collective | Sponsor via GitHub

Every contribution helps us keep Vuetify alive and ship exciting new features.

Thank you.

🔧 Bug Fixes

  • VBadge: do not accept clicks within disabled elements (996cd6e), closes #22172
  • VField: pass color to icon-color if glow prop is true (#21547) (10125b7), closes #21388
  • VOtpInput: remove semicolon from sass file (bf53f9e), closes #22798
  • VSelectionControl: readonly should not suppress focus-visible (#22527) (ce234a8), closes #22513

🧪 Labs

  • VVideo: avoid tooltip obstructing volume slider (add2a7e)
  • VVideo: support VVideoControls as standalone component (aaf9cf5), closes #22529
  • VVideo: show progress bar by default (1be0091)

v4.0.5

[!IMPORTANT] Vuetify Needs Your Support! The OpenCollective funds have been fully exhausted. We are currently unable to compensate our contributors for their continued work on the framework and the ecosystem tools.

If Vuetify is part of your stack, please consider sponsoring the project so we can continue delivering updates and fixes.

Sponsor via Open Collective | Sponsor via GitHub

Every contribution helps us keep Vuetify alive and ship exciting new features.

Thank you.

🔧 Bug Fixes

... (truncated)

Commits
  • a87e731 chore(release): publish v4.0.6
  • 996cd6e fix(VBadge): do not accept clicks within disabled elements
  • add2a7e fix(VVideo): avoid tooltip obstructing volume slider
  • aaf9cf5 feat(VVideo): support VVideoControls as standalone component
  • 1be0091 fix(VVideo): show progress bar by default
  • ce234a8 fix(VSelectionControl): readonly should not suppress focus-visible (#22527)
  • 10125b7 fix(VField): pass color to icon-color if glow prop is true (#21547)
  • f35fdeb chore(README.md): update sponsors
  • bf53f9e fix(VOtpInput): remove semicolon from sass file
  • 56acdb6 chore(release): publish v4.0.5
  • Additional commits viewable in compare view

Updates @types/node from 25.5.2 to 25.6.0

Commits

Updates @vitejs/plugin-vue from 6.0.5 to 6.0.6

Release notes

Sourced from @​vitejs/plugin-vue's releases.

plugin-vue@6.0.6

Please refer to CHANGELOG.md for details.

Changelog

Sourced from @​vitejs/plugin-vue's changelog.

6.0.6 (2026-04-13)

Features

  • plugin-vue: propagate multiRoot for template-only vapor components (#745) (9e07ae9)

Bug Fixes

  • deps: update all non-major dependencies (#738) (050c996)

Miscellaneous Chores

Commits
  • 51dbf4b release: plugin-vue@6.0.6
  • 9e07ae9 feat(plugin-vue): propagate multiRoot for template-only vapor components (#745)
  • 050c996 fix(deps): update all non-major dependencies (#738)
  • 6d834d8 chore: remove unused deps (#760)
  • a0e1ef8 chore(deps): update dependency rollup to ^4.59.0 (#749)
  • See full diff in compare view

Updates eslint from 10.2.0 to 10.2.1

Release notes

Sourced from eslint's releases.

v10.2.1

Bug Fixes

  • 14be92b fix: model generator yield resumption paths in code path analysis (#20665) (sethamus)
  • 84a19d2 fix: no-async-promise-executor false positives for shadowed Promise (#20740) (xbinaryx)
  • af764af fix: clarify language and processor validation errors (#20729) (Pixel998)
  • e251b89 fix: update eslint (#20715) (renovate[bot])

Documentation

  • ca92ca0 docs: reuse markdown-it instance for markdown filter (#20768) (Amaresh S M)
  • 57d2ee2 docs: Enable Eleventy incremental mode for watch (#20767) (Amaresh S M)
  • c1621b9 docs: fix typos in code-path-analyzer.js (#20700) (Ayush Shukla)
  • 1418d52 docs: Update README (GitHub Actions Bot)
  • 39771e6 docs: Update README (GitHub Actions Bot)
  • 71e0469 docs: fix incomplete JSDoc param description in no-shadow rule (#20728) (kuldeep kumar)
  • 22119ce docs: clarify scope of for-direction rule with dead code examples (#20723) (Amaresh S M)
  • 8f3fb77 docs: document meta.docs.dialects (#20718) (Pixel998)

Chores

  • 7ddfea9 chore: update dependency prettier to v3.8.2 (#20770) (renovate[bot])
  • fac40e1 ci: bump pnpm/action-setup from 5.0.0 to 6.0.0 (#20763) (dependabot[bot])
  • 7246f92 test: add tests for SuppressionsService.load() error handling (#20734) (kuldeep kumar)
  • 4f34b1e chore: update pnpm/action-setup action to v5 (#20762) (renovate[bot])
  • 51080eb test: processor service (#20731) (kuldeep kumar)
  • e7e1889 chore: remove stale babel-eslint10 fixture and test (#20727) (kuldeep kumar)
  • 4e1a87c test: remove redundant async/await in flat config array tests (#20722) (Pixel998)
  • 066eabb test: add rule metadata coverage for languages and docs.dialects (#20717) (Pixel998)
Commits

Updates eslint-config-vuetify from 4.5.0 to 4.6.0

Release notes

Sourced from eslint-config-vuetify's releases.

v4.6.0

   🚀 Features

    View changes on GitHub
Commits
  • 5d1d1df chore: release v4.6.0
  • 415c168 feat(vue): enforce blank lines between multiline sibling tags
  • 94c54a1 chore: clean up TypeScript diagnostics
  • See full diff in compare view

Updates typescript from 6.0.2 to 6.0.3

Release notes

Sourced from typescript's releases.

TypeScript 6.0.3

For release notes, check out the release announcement blog post.

Downloads are available on:

Commits
  • 050880c Bump version to 6.0.3 and LKG
  • eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
  • ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
  • 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
  • See full diff in compare view

Updates vite from 8.0.5 to 8.0.9

Release notes

Sourced from vite's releases.

v8.0.9

Please refer to CHANGELOG.md for details.

v8.0.8

Please refer to CHANGELOG.md for details.

v8.0.7

Please refer to CHANGELOG.md for details.

v8.0.6

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.9 (2026-04-20)

Features

Bug Fixes

  • allow binding when strictPort is set but wildcard port is in use (#22150) (dfc8aa5)
  • build: emptyOutDir should happen for watch rebuilds (#22207) (ee52267)
  • bundled-dev: reject requests to HMR patch files in non potentially trustworthy origins (#22269) (868f141)
  • css: use unique key for cssEntriesMap to prevent same-basename collision (#22039) (374bb5d)
  • deps: update all non-major dependencies (#22219) (4cd0d67)
  • deps: update all non-major dependencies (#22268) (c28e9c1)
  • detect Deno workspace root (fix #22237) (#22238) (1b793c0)
  • dev: handle errors in watchChange hook (#22188) (fc08bda)
  • optimizer: handle more chars that will be sanitized (#22208) (3f24533)
  • skip fallback sourcemap generation for ?raw imports (#22148) (3ec9cda)

Documentation

Miscellaneous Chores

  • deps: update dependency dotenv-expand to v13 (#22271) (0a3887d)

8.0.8 (2026-04-09)

Features

Bug Fixes

  • avoid dns.getDefaultResultOrder temporary (#22202) (15f1c15)
  • ssr: class property keys hoisting matching imports (#22199) (e137601)

8.0.7 (2026-04-07)

Bug Fixes

  • use sync dns.getDefaultResultOrder instead of dns.promises (#22185) (5c05b04)

8.0.6 (2026-04-07)

Features

Bug Fixes

... (truncated)

Commits
  • ce729f5 release: v8.0.9
  • 605bb97 docs: update build CLI defaults (#22261)
  • c28e9c1 fix(deps): update all non-major dependencies (#22268)
  • 0a3887d chore(deps): update dependency dotenv-expand to v13 (#22271)
  • 868f141 fix(bundled-dev): reject requests to HMR patch files in non potentially trust...
  • 3ec9cda fix: skip fallback sourcemap generation for ?raw imports (#22148)
  • 3f24533 fix(optimizer): handle more chars that will be sanitized (#22208)
  • 1b793c0 fix: detect Deno workspace root (fix #22237) (#22238)
  • fc08bda fix(dev): handle errors in watchChange hook (#22188)
  • 374bb5d fix(css): use unique key for cssEntriesMap to prevent same-basename collision...
  • Additional commits viewable in compare view

Updates vue-tsc from 3.2.6 to 3.2.7

Release notes

Sourced from vue-tsc's releases.

v3.2.7

3.2.7 (2026-04-19)

component-meta

  • fix: preserve non-ASCII characters in prop default values (#6012) - Thanks to @​ef81sp!

workspace

Our Sponsors ❤️

... (truncated)

Changelog

Sourced from vue-tsc's changelog.

3.2.7 (2026-04-19)

component-meta

  • fix: preserve non-ASCII characters in prop default values (#6012) - Thanks to @​ef81sp!

workspace

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
build(deps): bump the npm-all group across 1 directory with 11 updates
103aa53 
Bumps the npm-all group with 11 updates in the /services/core/packages/webclient directory:

| Package | From | To |
| --- | --- | --- |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.3.3` | `3.4.1` |
| [vue](https://github.com/vuejs/core) | `3.5.32` | `3.5.33` |
| [vue-router](https://github.com/vuejs/router) | `5.0.4` | `5.0.6` |
| [vuetify](https://github.com/vuetifyjs/vuetify/tree/HEAD/packages/vuetify) | `3.12.5` | `4.0.6` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.5.2` | `25.6.0` |
| [@vitejs/plugin-vue](https://github.com/vitejs/vite-plugin-vue/tree/HEAD/packages/plugin-vue) | `6.0.5` | `6.0.6` |
| [eslint](https://github.com/eslint/eslint) | `10.2.0` | `10.2.1` |
| [eslint-config-vuetify](https://github.com/vuetifyjs/eslint-config-vuetify) | `4.5.0` | `4.6.0` |
| [typescript](https://github.com/microsoft/TypeScript) | `6.0.2` | `6.0.3` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `8.0.5` | `8.0.9` |
| [vue-tsc](https://github.com/vuejs/language-tools/tree/HEAD/packages/tsc) | `3.2.6` | `3.2.7` |



Updates `dompurify` from 3.3.3 to 3.4.1
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.3...3.4.1)

Updates `vue` from 3.5.32 to 3.5.33
- [Release notes](https://github.com/vuejs/core/releases)
- [Changelog](https://github.com/vuejs/core/blob/main/CHANGELOG.md)
- [Commits](vuejs/core@v3.5.32...v3.5.33)

Updates `vue-router` from 5.0.4 to 5.0.6
- [Release notes](https://github.com/vuejs/router/releases)
- [Commits](vuejs/router@v5.0.4...v5.0.6)

Updates `vuetify` from 3.12.5 to 4.0.6
- [Release notes](https://github.com/vuetifyjs/vuetify/releases)
- [Commits](https://github.com/vuetifyjs/vuetify/commits/v4.0.6/packages/vuetify)

Updates `@types/node` from 25.5.2 to 25.6.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@vitejs/plugin-vue` from 6.0.5 to 6.0.6
- [Release notes](https://github.com/vitejs/vite-plugin-vue/releases)
- [Changelog](https://github.com/vitejs/vite-plugin-vue/blob/main/packages/plugin-vue/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite-plugin-vue/commits/plugin-vue@6.0.6/packages/plugin-vue)

Updates `eslint` from 10.2.0 to 10.2.1
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.2.0...v10.2.1)

Updates `eslint-config-vuetify` from 4.5.0 to 4.6.0
- [Release notes](https://github.com/vuetifyjs/eslint-config-vuetify/releases)
- [Changelog](https://github.com/vuetifyjs/eslint-config-vuetify/blob/master/CHANGELOG.md)
- [Commits](vuetifyjs/eslint-config-vuetify@v4.5.0...v4.6.0)

Updates `typescript` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v6.0.2...v6.0.3)

Updates `vite` from 8.0.5 to 8.0.9
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.9/packages/vite)

Updates `vue-tsc` from 3.2.6 to 3.2.7
- [Release notes](https://github.com/vuejs/language-tools/releases)
- [Changelog](https://github.com/vuejs/language-tools/blob/master/CHANGELOG.md)
- [Commits](https://github.com/vuejs/language-tools/commits/v3.2.7/packages/tsc)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-all
- dependency-name: vue
  dependency-version: 3.5.33
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-all
- dependency-name: vue-router
  dependency-version: 5.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-all
- dependency-name: vuetify
  dependency-version: 4.0.6
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-all
- dependency-name: "@types/node"
  dependency-version: 25.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-all
- dependency-name: "@vitejs/plugin-vue"
  dependency-version: 6.0.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-all
- dependency-name: eslint
  dependency-version: 10.2.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-all
- dependency-name: eslint-config-vuetify
  dependency-version: 4.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-all
- dependency-name: typescript
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-all
- dependency-name: vite
  dependency-version: 8.0.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-all
- dependency-name: vue-tsc
  dependency-version: 3.2.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-all
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants