Skip to content

chore(deps): bump the npm_and_yarn group across 5 directories with 7 updates#118

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/examples/astro/npm_and_yarn-5560d0ac54
Open

chore(deps): bump the npm_and_yarn group across 5 directories with 7 updates#118
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/examples/astro/npm_and_yarn-5560d0ac54

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Mar 9, 2026

Bumps the npm_and_yarn group with 1 update in the /examples/astro directory: svgo.
Bumps the npm_and_yarn group with 1 update in the /examples/fastify directory: fastify.
Bumps the npm_and_yarn group with 3 updates in the /examples/firebase-functions directory: @hono/node-server, hono and tar.
Bumps the npm_and_yarn group with 2 updates in the /examples/nestjs directory: multer and serialize-javascript.
Bumps the npm_and_yarn group with 2 updates in the /examples/nuxt directory: svgo and tar.

Updates svgo from 4.0.0 to 4.0.1

Release notes

Sourced from svgo's releases.

v4.0.1

What's Changed

Dependencies

  • Sets minimum version of sax (XML parser) to v1.5.0, which improves built-in guards against entity expansion.

Bug Fixes

Performance

Other Changes

  • Plugins no longer include if they are enabled or disabled by default, as this was written inconsistently. The --show-plugins argument appends the presets a plugin is in to the end of the line. By @​viralcodex in svg/svgo#2174
  • Plugin/preset types to enforce the name start with preset- if it is a preset (collection of plugins). By @​SethFalco in svg/svgo#2178

Metrics

Before and after of the browser bundle of each respective version:

v4.0.0 v4.0.1 Delta
svgo.browser.js 780.2 kB 781.5 kB ⬆️ 1.3 kB
Commits
  • e691f5f Merge commit from fork
  • b1d9f1a chore(deps): bump actions/upload-artifact from 6 to 7 (#2202)
  • d724af1 chore(deps): bump actions/checkout from 5 to 6 (#2195)
  • 4114b32 chore(deps): bump actions/upload-artifact from 4 to 6 (#2196)
  • c06d8f6 chore: upgrade js-yaml and glob (#2191)
  • 26e86e5 fix: remove unused <use> elements when deleting empty symbols (#2051)
  • 50c326b perf: optimiztions to reduce regression test runtime (#2135)
  • 1f33cbe ci: separate regression tests and write delta report (#2190)
  • 79a2167 ci: save test reports to artifacts (#2189)
  • 0ae52a0 chore(deps): bump actions/setup-node from 5 to 6 (#2187)
  • Additional commits viewable in compare view

Updates fastify from 5.7.4 to 5.8.2

Release notes

Sourced from fastify's releases.

v5.8.2

What's Changed

New Contributors

Full Changelog: fastify/fastify@v5.8.1...v5.8.2

v5.8.1

⚠️ Security Release

Fixes "Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation": GHSA-573f-x89g-hqp9.

CVE-2026-3419

Full Changelog: fastify/fastify@v5.8.0...v5.8.1

v5.8.0

What's Changed

... (truncated)

Commits
  • 375e136 Bumped v5.8.2
  • 25a70ff docs: add @​glidemq/fastify to community plugins list (#6560)
  • 4a5304f docs(guides): update codemod links (#6479)
  • c9bcde4 docs: added note on handling of invalid URLs in setNotFoundHandler (#5661)
  • 3b0f769 fix: anchor keyValuePairsReg to prevent quadratic backtracking (#6558)
  • e4474cf docs: add fastify-svelte-view to Ecosystem list (#6453)
  • deaeb40 docs(ecosystem): add fastify-file-router (#6441)
  • 0d3b560 docs: document body validation with custom content type parsers (#6556)
  • cdcc4de Revert "chore: upgrade borp to v1.0.0 (#6510)" (#6564)
  • b61c362 docs(ecosystem): add @​yeliex/fastify-problem-details (#6546)
  • Additional commits viewable in compare view

Updates @hono/node-server from 1.19.9 to 1.19.11

Release notes

Sourced from @​hono/node-server's releases.

v1.19.11

What's Changed

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

Commits

Updates hono from 4.12.3 to 4.12.5

Release notes

Sourced from hono's releases.

v4.12.5

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

Middleware Bypass in Serve Static

Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. GHSA-q5qw-h33p-qvwr

Users who uses Strreaming Helper, Cookie utility, and Serve Static are strongly encouraged to upgrade to this version.

Other changes

New Contributors

Full Changelog: honojs/hono@v4.12.3...v4.12.4

Commits
  • 18cc595 4.12.5
  • 5d59ac7 chore(eslint): upgrade @hono/eslint-config (#4781)
  • b8cff18 fix(jsx): Fix "Invalid state: Controller is already closed" (#4770)
  • 8c4d7f3 fix(jwt): validate token format in decode and decodeHeader functions (#4752)
  • 0f49915 fix(request): return string | undefined from param() when path type is any ...
  • 19d20d2 4.12.4
  • 44ae0c8 Merge commit from fork
  • f4123ed Merge commit from fork
  • 80a9837 fix(utils/url): specify the return type of tryDecodeURI (#4779)
  • 6a0607a Merge commit from fork
  • Additional commits viewable in compare view

Updates tar from 7.5.9 to 7.5.10

Commits

Updates multer from 2.0.2 to 2.1.1

Release notes

Sourced from multer's releases.

v2.1.1

Important

What's Changed

New Contributors

Full Changelog: expressjs/multer@v2.1.0...v2.1.1

v2.1.0

Important

What's Changed

New Contributors

Full Changelog: expressjs/multer@v2.0.2...v2.1.0

Changelog

Sourced from multer's changelog.

2.1.1

2.1.0

Commits
  • 368c8a1 2.1.1 (#1380)
  • 7e66481 🐛 fix recursion issue
  • 643571e ✅ add explicit test for client able to send body without abrupt disconnect
  • e86fa52 fix error/abort handling
  • ca37779 chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 (#1374)
  • 13088f4 chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 (#1375)
  • bc6a1d1 chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 (#1376)
  • c496e93 chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#1377)
  • fa173d3 chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 (#1378)
  • 17d7f51 chore: add node version to 25.x in CI
  • Additional commits viewable in compare view

Removes serialize-javascript

Updates svgo from 4.0.0 to 4.0.1

Release notes

Sourced from svgo's releases.

v4.0.1

What's Changed

Dependencies

  • Sets minimum version of sax (XML parser) to v1.5.0, which improves built-in guards against entity expansion.

Bug Fixes

Performance

Other Changes

  • Plugins no longer include if they are enabled or disabled by default, as this was written inconsistently. The --show-plugins argument appends the presets a plugin is in to the end of the line. By @​viralcodex in svg/svgo#2174
  • Plugin/preset types to enforce the name start with preset- if it is a preset (collection of plugins). By @​SethFalco in svg/svgo#2178

Metrics

Before and after of the browser bundle of each respective version:

v4.0.0 v4.0.1 Delta
svgo.browser.js 780.2 kB 781.5 kB ⬆️ 1.3 kB
Commits
  • e691f5f Merge commit from fork
  • b1d9f1a chore(deps): bump actions/upload-artifact from 6 to 7 (#2202)
  • d724af1 chore(deps): bump actions/checkout from 5 to 6 (#2195)
  • 4114b32 chore(deps): bump actions/upload-artifact from 4 to 6 (#2196)
  • c06d8f6 chore: upgrade js-yaml and glob (#2191)
  • 26e86e5 fix: remove unused <use> elements when deleting empty symbols (#2051)
  • 50c326b perf: optimiztions to reduce regression test runtime (#2135)
  • 1f33cbe ci: separate regression tests and write delta report (#2190)
  • 79a2167 ci: save test reports to artifacts (#2189)
  • 0ae52a0 chore(deps): bump actions/setup-node from 5 to 6 (#2187)
  • Additional commits viewable in compare view

Updates tar from 7.5.9 to 7.5.10

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump the npm_and_yarn group across 5 directories with 7 …
78a60e4 
…updates

Bumps the npm_and_yarn group with 1 update in the /examples/astro directory: [svgo](https://github.com/svg/svgo).
Bumps the npm_and_yarn group with 1 update in the /examples/fastify directory: [fastify](https://github.com/fastify/fastify).
Bumps the npm_and_yarn group with 3 updates in the /examples/firebase-functions directory: [@hono/node-server](https://github.com/honojs/node-server), [hono](https://github.com/honojs/hono) and [tar](https://github.com/isaacs/node-tar).
Bumps the npm_and_yarn group with 2 updates in the /examples/nestjs directory: [multer](https://github.com/expressjs/multer) and [serialize-javascript](https://github.com/yahoo/serialize-javascript).
Bumps the npm_and_yarn group with 2 updates in the /examples/nuxt directory: [svgo](https://github.com/svg/svgo) and [tar](https://github.com/isaacs/node-tar).


Updates `svgo` from 4.0.0 to 4.0.1
- [Release notes](https://github.com/svg/svgo/releases)
- [Commits](svg/svgo@v4.0.0...v4.0.1)

Updates `fastify` from 5.7.4 to 5.8.2
- [Release notes](https://github.com/fastify/fastify/releases)
- [Commits](fastify/fastify@v5.7.4...v5.8.2)

Updates `@hono/node-server` from 1.19.9 to 1.19.11
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v1.19.9...v1.19.11)

Updates `hono` from 4.12.3 to 4.12.5
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.3...v4.12.5)

Updates `tar` from 7.5.9 to 7.5.10
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.9...v7.5.10)

Updates `multer` from 2.0.2 to 2.1.1
- [Release notes](https://github.com/expressjs/multer/releases)
- [Changelog](https://github.com/expressjs/multer/blob/main/CHANGELOG.md)
- [Commits](expressjs/multer@v2.0.2...v2.1.1)

Removes `serialize-javascript`

Updates `svgo` from 4.0.0 to 4.0.1
- [Release notes](https://github.com/svg/svgo/releases)
- [Commits](svg/svgo@v4.0.0...v4.0.1)

Updates `tar` from 7.5.9 to 7.5.10
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.9...v7.5.10)

---
updated-dependencies:
- dependency-name: svgo
  dependency-version: 4.0.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fastify
  dependency-version: 5.8.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@hono/node-server"
  dependency-version: 1.19.11
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.10
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: multer
  dependency-version: 2.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: serialize-javascript
  dependency-version: 
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: svgo
  dependency-version: 4.0.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.10
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 9, 2026
@socket-security
Copy link

socket-security bot commented Mar 9, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​@​nestjs/​platform-express@​11.1.12 ⏵ 11.1.169910071 -2997 +2100
Updatednpm/​fastify@​5.7.4 ⏵ 5.8.299 +1100 +210098100

View full report

@socket-security
Copy link

socket-security bot commented Mar 9, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Low
Publisher changed: npm cors is now published by ulisesgascon instead of dougwilson

New Author: ulisesgascon

Previous Author: dougwilson

From: examples/nestjs/package-lock.jsonnpm/@nestjs/platform-express@11.1.16npm/cors@2.8.6

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cors@2.8.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants