Bump the npm_and_yarn group across 1 directory with 12 updates by dependabot[bot] · Pull Request #262 · google/shifter

dependabot · 2026-03-19T17:55:54Z

Bumps the npm_and_yarn group with 9 updates in the /shifter-ui directory:

Package	From	To
axios	`0.27.2`	`0.30.3`
postcss	`8.4.16`	`8.5.8`
vite	`3.0.9`	`8.0.1`
braces	`3.0.2`	`3.0.3`
flatted	`3.2.7`	`3.4.2`
js-yaml	`4.1.0`	`4.1.1`
lodash	`4.17.21`	`4.17.23`
minimatch	`3.1.2`	`3.1.5`
rollup	`2.77.3`	`2.80.0`

Updates axios from 0.27.2 to 0.30.3

Release notes

Sourced from axios's releases.

Release notes - v0.30.3

This is a critical security maintenance release for the v0.x branch. It addresses a high-priority vulnerability involving prototype pollution that could lead to a Denial of Service (DoS).

Recommendation: All users currently on the 0.x release line should upgrade to this version immediately to ensure environment stability.

🛡️ Security Fixes

Backport: Fix DoS via proto key in merge config

Patched a vulnerability where specifically crafted configuration objects using the proto key could cause a Denial of Service during the merge process. - by @FeBe95 in [PR #7388](axios/axios#7388)

⚙️ Maintenance & CI

CI Infrastructure Update

Updated Continuous Integration workflows for the v0.x branch to maintain long-term support and build reliability. - by @jasonsaayman in [PR #7407](axios/axios#7407)

⚠️ Breaking Changes

Configuration Merging Behavior:

As part of the security fix, Axios now restricts the merging of the proto key within configuration objects. If your codebase relies on unconventional deep-merging patterns that target the object prototype via Axios config, those operations will now be blocked. This is a necessary change to prevent prototype pollution.

Full Changelog: v0.30.2...v0.30.3

v0.30.2

What's Changed

Backport maxContentLength vulnerability fix to v0.x by @FeBe95 in axios/axios#7034

New Contributors

@FeBe95 made their first contribution in axios/axios#7034

Full Changelog: axios/axios@v0.30.1...v0.30.2

Release v0.30.1

Release notes:

Bug Fixes

chore(deps): bump form-data from 4.0.0 to 4.0.4 for v0.x by @wolandec in axios/axios#6978

Contributors to this release

@wolandec made their first contribution in axios/axios#6978

Full Changelog: axios/axios@v0.30.0...v0.30.1

Release v0.30.0

Release notes:

Bug Fixes

fix: modify log while request is aborted by @mori5321 in axios/axios#4917

fix: update CHANGELOG.md for v0.x by @TehZarathustra in axios/axios#6271

fix: modify upgrade guide for 0.28.1's breaking change by @nafeger in axios/axios#6787

... (truncated)

Commits

f53bcf6 chore: release 0.30.2
3ddccd3 chore: remove publish as this wont work
9ef39d0 chore: try with npm token
4775de6 chore: fix version scheme
f96f26b chore: fix issues with using replace
ead45c2 chore: update the publish workflow to run on tag
8119265 chore: tag version as legacy on v0.x
9954985 chore: dispatch for first time
3f8b70f chore: final rename
c665584 chore: revert naming
Additional commits viewable in compare view

Updates postcss from 8.4.16 to 8.5.8

Release notes

Sourced from postcss's releases.

8.5.8

Fixed Processor#version.

8.5.7

Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

Fixed ContainerWithChildren type discriminating (by @Goodwine).

8.5.5

Fixed package.json→exports compatibility with some tools (by @JounQin).

8.5.4

Fixed Parcel compatibility issue (by @git-sumitchaudhary).

8.5.3

Added more details to Unknown word error (by @hiepxanh).

Fixed types (by @romainmenke).

Fixed docs (by @catnipan).

8.5.2

Fixed end position of rules with semicolon (by @romainmenke).

8.5.1

Fixed backwards compatibility for complex cases (by @romainmenke).

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@romainmenke during his work on Stylelint added Input#document in additional to Input#css.
root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"
Thanks to Sponsors

This release was possible thanks to our community.

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.8

Fixed Processor#version.

8.5.7

Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

Fixed ContainerWithChildren type discriminating (by @Goodwine).

8.5.5

Fixed package.json→exports compatibility with some tools (by @JounQin).

8.5.4

Fixed Parcel compatibility issue (by @git-sumitchaudhary).

8.5.3

Added more details to Unknown word error (by @hiepxanh).

Fixed types (by @romainmenke).

Fixed docs (by @catnipan).

8.5.2

Fixed end position of rules with semicolon (by @romainmenke).

8.5.1

Fixed backwards compatibility for complex cases (by @romainmenke).

8.5 “Duke Alloces”

Added Input#document for sources like CSS-in-JS or HTML (by @romainmenke).

8.4.49

Fixed custom syntax without source.offset (by @romainmenke).

8.4.48

Fixed position calculation in error/warnings methods (by @romainmenke).

8.4.47

Removed debug code.

8.4.46

Fixed Cannot read properties of undefined (reading 'before').

8.4.45

Removed unnecessary fix which could lead to infinite loop.

8.4.44

Another way to fix markClean is not a function error.

8.4.43

Fixed markClean is not a function error.

... (truncated)

Commits

65de537 Release 8.5.8 version
b2c6d97 Run git hook register
0ae0a49 Update Processor#version
6ee9f14 Release 8.5.7 version
3fbc951 Fix uvu Node.js 25 support
52db53e Update dependencies
497daef Speed up source map annotation cleaning by moving from RegExp
41e739a Remove banner
1329142 chore: speed up space-only string check in lib/parser.js (#2064)
23beff9 Update dependencies
Additional commits viewable in compare view

Updates vite from 3.0.9 to 8.0.1

Release notes

Sourced from vite's releases.

create-vite@8.0.1

Please refer to CHANGELOG.md for details.

v8.0.1

Please refer to CHANGELOG.md for details.

create-vite@8.0.0

Please refer to CHANGELOG.md for details.

plugin-legacy@8.0.0

Please refer to CHANGELOG.md for details.

v8.0.0

Please refer to CHANGELOG.md for details.

v8.0.0-beta.18

Please refer to CHANGELOG.md for details.

v8.0.0-beta.17

Please refer to CHANGELOG.md for details.

v8.0.0-beta.16

Please refer to CHANGELOG.md for details.

v8.0.0-beta.15

Please refer to CHANGELOG.md for details.

v8.0.0-beta.14

Please refer to CHANGELOG.md for details.

v8.0.0-beta.13

Please refer to CHANGELOG.md for details.

v8.0.0-beta.12

Please refer to CHANGELOG.md for details.

v8.0.0-beta.11

Please refer to CHANGELOG.md for details.

v8.0.0-beta.10

Please refer to CHANGELOG.md for details.

v8.0.0-beta.9

Please refer to CHANGELOG.md for details.

v8.0.0-beta.8

Please refer to CHANGELOG.md for details.

v8.0.0-beta.7

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

8.0.1 (2026-03-19)

Features

update rolldown to 1.0.0-rc.10 (#21932) (b3c067d)

Bug Fixes

bundled-dev: properly disable inlineConst optimization (#21865) (6d97142)

css: lightningcss minify failed when build.target: 'es6' (#21933) (5fcce46)

deps: update all non-major dependencies (#21878) (6dbbd7f)

dev: always use ESM Oxc runtime (#21829) (d323ed7)

dev: handle concurrent restarts in _createServer (#21810) (40bc729)

handle + symbol in package subpath exports during dep optimization (#21886) (86db93d)

improve no-cors request block error (#21902) (5ba688b)

use precise regexes for transform filter to avoid backtracking (#21800) (dbe41bd)

worker: require(json) result should not be wrapped (#21847) (0672fd2)

worker: make worker output consistent with client and SSR (#21871) (69454d7)

Miscellaneous Chores

add changelog rearrange script (#21835) (efef073)

deps: bump required @vitejs/devtools version to 0.1+ (#21925) (12932f5)

deps: update rolldown-related dependencies (#21787) (1af1d3a)

rearrange 8.0 changelog (8e05b61)

rearrange 8.0 changelog (#21834) (86edeee)

8.0.0 (2026-03-12)

Today, we're thrilled to announce the release of the next Vite major:

Vite 8.0 announcement blog post

Docs (translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch, فارسی)

Migration Guide

⚠ BREAKING CHANGES

remove import.meta.hot.accept resolution fallback (#21382)

update default browser target (#21193)

the epic rolldown-vite merge (#21189)

Features

update rolldown to 1.0.0-rc.9 (#21813) (f05be0e)

warn when vite-tsconfig-paths plugin is detected (#21781) (ada493e)

css: support es2025 build target for lightningcss (#21769) (08906e7)

forward browser console logs and errors to dev server terminal (#20916) (2540ed0)

update rolldown to 1.0.0-rc.8 (#21790) (a0c950e)

export Visitor and ESTree from rolldown/utils (#21664) (45de31e)

... (truncated)

Commits

ea68a88 chore(deps): update rolldown-related dependencies (#20810)
693d255 release: v7.1.7
98a3484 fix(hmr): wait for import.meta.hot.prune callbacks to complete before runni...
9f32b1d fix(hmr): trigger prune event when import is removed from non hmr module (#20...
9f2247c fix(deps): update all non-major dependencies (#20811)
105abe8 fix(glob): handle glob imports from folders starting with dot (#20800)
4c4583c fix(build): fix ssr environment emitAssets: true when `sharedConfigBuild: t...
9bc9d12 fix(client): use CSP nonce when rendering error overlay (#20791)
54377f7 release: v7.1.6
88af2ae fix(deps): update all non-major dependencies (#20773)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for vite since your current version.

Updates braces from 3.0.2 to 3.0.3

Commits

74b2db2 3.0.3
88f1429 update eslint. lint, fix unit tests.
415d660 Snyk js braces 6838727 (#40)
190510f fix tests, skip 1 test in test/braces.expand
716eb9f readme bump
a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
98414f9 remove funding file
665ab5d update keepEscaping doc (#27)
Additional commits viewable in compare view

Updates flatted from 3.2.7 to 3.4.2

Commits

3bf0909 3.4.2
885ddcc fix CWE-1321
0bdba70 added flatted-view to the benchmark
2a02dce 3.4.1
fba4e8f Merge pull request #89 from WebReflection/python-fix
5fe8648 added "when in Rome" also a test for PHP
53517ad some minor improvement
b3e2a0c Fixing recursion issue in Python too
c4b46db Add SECURITY.md for security policy and reporting
f86d071 Create dependabot.yml for version updates
Additional commits viewable in compare view

Updates follow-redirects from 1.15.1 to 1.15.11

Commits

21ef28a Release version 1.15.11 of the npm package.
7c88135 Roll back tree shaking.
6e389ba Release version 1.15.10 of the npm package.
5bc496e Shake me up before you go-go.
694d6b4 Bump minimist from 1.2.5 to 1.2.8
e4e55c7 Release version 1.15.9 of the npm package.
31a1abf Attempt much more gentle detection.
d2aaa97 Fix url field.
62558f0 Release version 1.15.8 of the npm package.
a8d1cee Return subtlety.
Additional commits viewable in compare view

Updates form-data from 4.0.0 to 4.0.5

Release notes

Sourced from form-data's releases.

v4.0.4

v4.0.4 - 2025-07-16

Commits

[meta] add auto-changelog 811f682

[Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76

[Fix] Switch to using crypto random for boundary values 3d17230

[Tests] fix linting errors 5e34080

[meta] actually ensure the readme backup isn’t published 316c82b

[Dev Deps] update @ljharb/eslint-config 58c25d7

[meta] fix readme capitalization 2300ca1

v4.0.3

v4.0.3 - 2025-06-05

Fixed

[Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

[eslint] use a shared config 426ba9a

[eslint] fix some spacing issues 2094191

[Refactor] use hasown 81ab41b

[Fix] validate boundary type in setBoundary() method 8d8e469

[Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1

[Dev Deps] remove unused deps 870e4e6

[meta] remove local commit hooks e6e83cc

[Dev Deps] update eslint 4066fd6

[meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2

v4.0.2 - 2025-02-14

Merged

[Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)

[Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)

fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

Fixed

[Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)

[Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)

[Fix] set Symbol.toStringTag when available [#396](https://github.com/form-data/form-data/issues/396)

Commits

... (truncated)

Changelog

Sourced from form-data's changelog.

v4.0.5 - 2025-11-17

Commits

[Tests] Switch to newer v8 prediction library; enable node 24 testing 16e0076

[Dev Deps] update @ljharb/eslint-config, eslint 5822467

[Fix] set Symbol.toStringTag in the proper place 76d0dee

v4.0.4 - 2025-07-16

Commits

[meta] add auto-changelog 811f682

[Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76

[Fix] Switch to using crypto random for boundary values 3d17230

[Tests] fix linting errors 5e34080

[meta] actually ensure the readme backup isn’t published 316c82b

[Dev Deps] update @ljharb/eslint-config 58c25d7

[meta] fix readme capitalization 2300ca1

v4.0.3 - 2025-06-05

Fixed

[Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

[eslint] use a shared config 426ba9a

[eslint] fix some spacing issues 2094191

[Refactor] use hasown 81ab41b

[Fix] validate boundary type in setBoundary() method 8d8e469

[Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1

[Dev Deps] remove unused deps 870e4e6

[meta] remove local commit hooks e6e83cc

[Dev Deps] update eslint 4066fd6

[meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2 - 2025-02-14

Merged

[Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)

[Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)

fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

Fixed

[Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)

... (truncated)

Commits

68ff7dd v4.0.5
5822467 [Dev Deps] update @ljharb/eslint-config, eslint
76d0dee [Fix] set Symbol.toStringTag in the proper place
16e0076 [Tests] Switch to newer v8 prediction library; enable node 24 testing
41996f5 v4.0.4
316c82b [meta] actually ensure the readme backup isn’t published
2300ca1 [meta] fix readme capitalization
811f682 [meta] add auto-changelog
5e34080 [Tests] fix linting errors
1d11a76 [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for form-data since your current version.

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

Fix prototype pollution issue in yaml merge (<<) operator.

Commits

cc482e7 4.1.1 released
50968b8 dist rebuild
d092d86 lint fix
383665f fix prototype pollution in merge (<<)
0d3ca7a README.md: HTTP => HTTPS (#678)
49baadd doc: 'empty' style option for !!null
ba3460e Fix demo link (#618)
See full diff in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

dec55b7 Bump main to v4.17.23 (#6088)
19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
edadd45 Prevent prototype pollution on baseUnset function
4879a7a doc: fix autoLink function, conversion of source links (#6056)
9648f69 chore: remove yarn.lock file (#6053)
dfa407d ci: remove legacy configuration files (#6052)
156e196 feat: add renovate setup (#6039)
933e106 ci: add pipeline for Bun (#6023)
072a807 docs: update links related to Open JS Foundation (#5968)
Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates nanoid from 3.3.4 to 3.3.11

Release notes

Sourced from nanoid's releases.

3.3.11

Fixed React Native support.

3.3.10

Fixed React Native support (by @steida).

3.3.9

Reduced npm package size.

Changelog

Sourced from nanoid's changelog.

3.3.11

Fixed React Native support.

3.3.10

Fixed React Native support (by @steida).

3.3.9

Reduced npm package size.

3.3.8

Fixed a way to break Nano ID by passing non-integer size (by @myndzi).

3.3.7

Fixed node16 TypeScript support (by Saadi Myftija).

3.3.6

Fixed package.

3.3.5

Backport funding information.

Commits

37289ce Release 3.3.11 version
23690b7 Fix CI
c147962 Fix RN support
a83734e Move to manually ESM/CJS dual package
bb12e8a Release 3.3.10 version
8f44264 Fix Expo support
adf9b0c Release 3.3.9 version
1c6f088 Remove dev file from npm package
3044cd5 Release 3.3.8 version
4fe3495 Update size limit
Additional commits viewable in compare view

Updates rollup from 2.77.3 to 2.80.0

Release notes

Sourced from rollup's releases.

v.2.79.2

2.79.2

2024-09-26

Bug Fixes

Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

#5671: Fix DOM Clobbering CVE (@lukastaegert)

Changelog

Sourced from rollup's changelog.

2.80.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6277)

Pull Requests

#6277: Validate bundle stays within output dir (@lukastaegert)

2.79.2

2024-09-26

Bug Fixes

Resolve CVE-2024-43788 (#5677)

Pull Requests

#5677: resolve DOM Clobbering CVE-2024-43788 (backport to v2) (@fabianszabo)

2.79.1

2022-09-22

Bug Fixes

Avoid massive performance degradation when creating thousands of chunks (#4643)

Pull Requests

#4639: fix: typo docs and contributors link in CONTRIBUTING.md (@takurinton)

#4641: Update type definition of resolveId (@ivanjonas)

#4643: Improve performance of chunk naming collision check (@lukastaegert)

2.79.0

2022-08-31

Features

Add amd.forceJsExtensionForImports to enforce using .js extensions for relative AMD imports (#4607)

Pull Requests

#4607: add option to keep extensions for amd (@wh1tevs)

... (truncated)

Commits

d17ae15 2.80.0
d6dee5e Validate bundle stays within output dir (#6277)
c9bd03d 2.79.2
48aef33 fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2) (#5677)
69ff418 2.79.1
04dce1b Update changelog
159137e fix: typo docs and contributors link in CONTRIBUTING.md (#4639)
e1392b3 Update type definition of resolveId (#4641)
7836357 Improve performance of chunk naming collision check (#4643)
71d20c9 Reduce permissions for repl-artefacts.yml workflow (#4630)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 9 updates in the /shifter-ui directory: | Package | From | To | | --- | --- | --- | | [axios](https://github.com/axios/axios) | `0.27.2` | `0.30.3` | | [postcss](https://github.com/postcss/postcss) | `8.4.16` | `8.5.8` | | [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `3.0.9` | `8.0.1` | | [braces](https://github.com/micromatch/braces) | `3.0.2` | `3.0.3` | | [flatted](https://github.com/WebReflection/flatted) | `3.2.7` | `3.4.2` | | [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` | | [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` | | [rollup](https://github.com/rollup/rollup) | `2.77.3` | `2.80.0` | Updates `axios` from 0.27.2 to 0.30.3 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v0.27.2...v0.30.3) Updates `postcss` from 8.4.16 to 8.5.8 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.4.16...8.5.8) Updates `vite` from 3.0.9 to 8.0.1 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/create-vite@8.0.1/packages/vite) Updates `braces` from 3.0.2 to 3.0.3 - [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md) - [Commits](micromatch/braces@3.0.2...3.0.3) Updates `flatted` from 3.2.7 to 3.4.2 - [Commits](WebReflection/flatted@v3.2.7...v3.4.2) Updates `follow-redirects` from 1.15.1 to 1.15.11 - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.15.1...v1.15.11) Updates `form-data` from 4.0.0 to 4.0.5 - [Release notes](https://github.com/form-data/form-data/releases) - [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md) - [Commits](form-data/form-data@v4.0.0...v4.0.5) Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `nanoid` from 3.3.4 to 3.3.11 - [Release notes](https://github.com/ai/nanoid/releases) - [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md) - [Commits](ai/nanoid@3.3.4...3.3.11) Updates `rollup` from 2.77.3 to 2.80.0 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/v2.80.0/CHANGELOG.md) - [Commits](rollup/rollup@v2.77.3...v2.80.0) --- updated-dependencies: - dependency-name: axios dependency-version: 0.30.3 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: postcss dependency-version: 8.5.8 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 8.0.1 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: braces dependency-version: 3.0.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: follow-redirects dependency-version: 1.15.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: form-data dependency-version: 4.0.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: nanoid dependency-version: 3.3.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 2.80.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Mar 19, 2026

dependabot bot mentioned this pull request Mar 19, 2026

Bump the npm_and_yarn group across 1 directory with 5 updates #224

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 1 directory with 12 updates#262

Bump the npm_and_yarn group across 1 directory with 12 updates#262
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/shifter-ui/npm_and_yarn-5bd1776722

dependabot bot commented on behalf of github Mar 19, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Mar 19, 2026

Release notes - v0.30.3

🛡️ Security Fixes

⚙️ Maintenance & CI

⚠️ Breaking Changes

v0.30.2

What's Changed

New Contributors

Release v0.30.1

Release notes:

Bug Fixes

Contributors to this release

Release v0.30.0

Release notes:

Bug Fixes

8.5.8

8.5.7

8.5.6

8.5.5

8.5.4

8.5.3

8.5.2

8.5.1

8.5 “Duke Alloces”

Thanks to Sponsors

8.5.8

8.5.7

8.5.6

8.5.5

8.5.4

8.5.3

8.5.2

8.5.1

8.5 “Duke Alloces”

8.4.49

8.4.48

8.4.47

8.4.46

8.4.45

8.4.44

8.4.43

create-vite@8.0.1

v8.0.1

create-vite@8.0.0

plugin-legacy@8.0.0

v8.0.0

v8.0.0-beta.18

v8.0.0-beta.17

v8.0.0-beta.16

v8.0.0-beta.15

v8.0.0-beta.14

v8.0.0-beta.13

v8.0.0-beta.12

v8.0.0-beta.11

v8.0.0-beta.10

v8.0.0-beta.9

v8.0.0-beta.8

v8.0.0-beta.7

8.0.1 (2026-03-19)

Features

Bug Fixes

Miscellaneous Chores

8.0.0 (2026-03-12)

⚠ BREAKING CHANGES

Features

v4.0.4

v4.0.4 - 2025-07-16

Commits

v4.0.3

v4.0.3 - 2025-06-05

Fixed

Commits

v4.0.2

v4.0.2 - 2025-02-14

Merged

Fixed

Commits

v4.0.5 - 2025-11-17

Commits