
chore(deps-dev): bump the npm_and_yarn group across 1 directory with 4 updates#49

Merged
boomzero merged 1 commit into main from dependabot/npm_and_yarn/npm_and_yarn-3c9d53269f on May 16, 2026

Conversation

@dependabot dependabot Bot (Contributor) commented on behalf of github, Apr 23, 2026

Bumps the npm_and_yarn group with 4 updates in the / directory: electron, vite, @xmldom/xmldom and lodash.

Updates electron from 40.6.1 to 40.10.0

Release notes

Sourced from electron's releases.

electron v40.10.0

Release Notes for v40.10.0

Fixes

  • Fixed app.getLoginItemSettings() returning undefined for executableWillLaunchAtLogin on macOS; the property is now always a boolean. #51509 (Also in 41, 42)

Other Changes

  • Updated Node.js to v24.15.0. #51087

electron v40.9.3

Release Notes for v40.9.3

Fixes

  • Ensured cross-origin fetch() and XHR are blocked for custom protocols registered with supportFetchAPI: true unless corsEnabled: true is also set; cross-origin mode: 'no-cors' requests now receive an opaque response. #51271 (Also in 39, 41, 42)
  • Fixed webContents.printToPDF rejecting on all subsequent calls after a prior call was rejected with an invalid pageRanges value. #51220 (Also in 41, 42)
  • Fixed a crash when providing invalid HTTP header names or values in the webRequest.onBeforeSendHeaders() callback. #51364 (Also in 41, 42)
  • Fixed a crash that could occur when an autofill suggestion popup was shown while a window was closing. #51334 (Also in 41, 42)
  • Fixed an issue where app-region: drag inside a hidden WebContentsView would still drag the parent window on Windows. #51247 (Also in 41, 42)
  • Fixed an issue where an Electron macOS update would not be applied if another app was previously blocking the macOS system update loop. #51211 (Also in 41, 42)
  • Fixed buggy behavior where Backspace would accept macOS text replacements inside contenteditable elements. #51345 (Also in 41, 42)

Other Changes

  • Backported a fix for route_id validation in the GPU command buffer. #51320
  • Backported security fixes for 493319454, 494158331, 493234757, 492736100, 493413432, 492668885, 496281816. #51258
  • Backported several fixes in Skia, ANGLE, and WebRTC from upstream. #51265

electron v40.9.2

Release Notes for v40.9.2

Fixes

  • Fixed an issue where nodeIntegrationInWorker didn't always work in AudioWorklet. #51004 (Also in 41, 42)
  • Fixed bug that could occasionally cause browserWindow's always-on-top-changed event to fire with incorrect values. #51134 (Also in 41, 42)
  • Fixed test scaffolding bug when running tests locally on Linux. #51151 (Also in 41, 42)

Other Changes

electron v40.9.1

Release Notes for v40.9.1

Features

  • Added allowExtensions privilege to protocol.registerSchemesAsPrivileged() to enable Chrome extensions on custom protocols. #50588 (Also in 41, 42)

Fixes

  • Fixed fs.stat on files inside asar archives returning undefined for blksize and blocks instead of numeric values. #50875 (Also in 41, 42)

... (truncated)

Commits
  • 08f4bb8 ci: pin Homebrew version in CI runs (#51555)
  • cdecff0 chore: use oxfmt and oxlint in 40-x-y (#51500)
  • c9e5205 ci: skip job in rerun apply patches if too old (#51525)
  • ed6f448 fix: test idempotency issues (#51527)
  • 5987d60 chore: bump node to v24.15.0 (40-x-y) (#51087)
  • 5693c09 build: replace spec dep fork with transitive resolution (#51491)
  • 108ff00 fix: always emit executableWillLaunchAtLogin from getLoginItemSettings (#...
  • 8384a9c ci: suppress macOS 'reopen windows' prompt for Electron test bundle (#51495)
  • 32c4761 fix: handle createWindow() rejection in import-meta test fixture (#51470)
  • 41ad342 build(deps): bump dorny/paths-filter from 3.0.2 to 4.0.1 (#51407)
  • Additional commits viewable in compare view

Updates vite from 6.4.1 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

Commits

Updates @xmldom/xmldom from 0.8.11 to 0.8.13

Release notes

Sourced from @xmldom/xmldom's releases.

0.8.13

Commits

Fixed

  • Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
    • Comment: throws when data contains -->
    • ProcessingInstruction: throws when data contains ?>
    • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
  • Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @Jvr2022, @praveen-kv, @TharVid, @decsecre583, @tlsbollei, @KarimTantawey, for your contributions

0.8.12

Commits

Fixed

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Thank you, @thesmartshadow, @stevenobiajulu, for your contributions

xmldom/xmldom#357

Changelog

Sourced from @xmldom/xmldom's changelog.

0.8.13

Fixed

  • Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
    • Comment: throws when data contains -->
    • ProcessingInstruction: throws when data contains ?>
    • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
  • Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @Jvr2022, @praveen-kv, @TharVid, @decsecre583, @tlsbollei, @KarimTantawey, for your contributions

0.9.9

Added

Fixed

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Chore

  • updated dependencies

Thank you, @stevenobiajulu, @yoshi389111, @thesmartshadow, for your contributions

0.8.12

Fixed

... (truncated)

Commits
  • e5c1480 0.8.13
  • 9611e20 style: drop unused import in test file
  • dc4dff3 docs: add 0.8.13 changelog entry
  • 842fa38 fix: prevent stack overflow in normalize (GHSA-2v35-w6hq-6mfw)
  • aeff69f test: add normalize behavioral coverage to node.test.js
  • cbdb0d7 fix: make walkDOM iterative to prevent stack overflow (GHSA-2v35-w6hq-6mfw)
  • 0b543d3 test: assert namespace declarations are isolated between siblings in serializ...
  • c007c51 refactor: migrate serializeToString to walkDOM
  • 2bb3899 test: add serializeToString coverage for uncovered branches
  • e69f38d refactor: migrate importNode to walkDOM
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by karfau, a new releaser for @xmldom/xmldom since your current version.


Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view
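The @xmldom/xmldom 0.8.12 and 0.8.13 notes above describe two content checks: createCDATASection rejecting "]]>" with InvalidCharacterError, and serializeToString with { requireWellFormed: true } rejecting Comment data containing "-->", ProcessingInstruction data containing "?>", and DocumentType identifiers that fail PubidLiteral/SystemLiteral or an internal subset containing "]>". The block below is an added example written for this page, not xmldom's code: it reimplements those checks around a minimal serializer so the unguarded output and the guarded behaviour can be compared. The error classes, the serializer functions, the PubidLiteral regex (our transcription of XML 1.0 production [13]) and the hostile comment string are all constructed for illustration.

```javascript
// Added example, not @xmldom/xmldom's code: minimal serializer with the
// opt-in requireWellFormed checks described in the 0.8.13 release notes.

// Error names mirror the DOMException names the release notes mention;
// the classes themselves are ours.
class InvalidStateError extends Error {
  constructor(message) { super(message); this.name = 'InvalidStateError'; }
}
class InvalidCharacterError extends Error {
  constructor(message) { super(message); this.name = 'InvalidCharacterError'; }
}

// Our transcription of XML 1.0 production [13] PubidChar (assumption).
const PUBID_LITERAL = /^[ \r\na-zA-Z0-9\-'()+,./:=?;!*#@$_%]*$/;

const checks = {
  comment(data) {
    if (data.includes('-->')) throw new InvalidStateError('Comment data contains "-->"');
  },
  pi(data) {
    if (data.includes('?>')) throw new InvalidStateError('PI data contains "?>"');
  },
  cdata(data) {
    if (data.includes(']]>')) throw new InvalidCharacterError('CDATA data contains "]]>"');
  },
  doctype(publicId, systemId, internalSubset) {
    if (!PUBID_LITERAL.test(publicId)) throw new InvalidStateError('publicId is not a PubidLiteral');
    // We emit the SystemLiteral in double quotes, so a double quote would close it early.
    if (systemId.includes('"')) throw new InvalidStateError('systemId is not a SystemLiteral');
    if (internalSubset.includes(']>')) throw new InvalidStateError('internal subset contains "]>"');
  },
};

function serializeComment(data, opts = {}) {
  if (opts.requireWellFormed) checks.comment(data);
  return `<!--${data}-->`;
}
function serializePI(target, data, opts = {}) {
  if (opts.requireWellFormed) checks.pi(data);
  return `<?${target} ${data}?>`;
}
function serializeCDATA(data, opts = {}) {
  if (opts.requireWellFormed) checks.cdata(data);
  return `<![CDATA[${data}]]>`;
}
function serializeDoctype(name, publicId = '', systemId = '', internalSubset = '', opts = {}) {
  if (opts.requireWellFormed) checks.doctype(publicId, systemId, internalSubset);
  let out = `<!DOCTYPE ${name}`;
  if (publicId) out += ` PUBLIC "${publicId}" "${systemId}"`;
  else if (systemId) out += ` SYSTEM "${systemId}"`;
  if (internalSubset) out += ` [${internalSubset}]`;
  return out + '>';
}

// Crude detector for the consequence: count element start tags in the output.
// A comment payload that escapes its comment shows up here as real markup.
function countStartTags(xml) {
  return (xml.match(/<[A-Za-z_]/g) || []).length;
}

// Constructed attacker-controlled comment data: closes the comment early,
// inserts an element, and reopens a comment so the trailing "-->" still parses.
const hostileComment = 'audit trail --><inject/><!-- ';

function demo() {
  const naive = serializeComment(hostileComment);   // '<!--audit trail --><inject/><!-- -->'
  const leaked = countStartTags(naive);             // 1: <inject/> is now an element
  let blocked = false;
  try {
    serializeComment(hostileComment, { requireWellFormed: true });
  } catch (e) {
    blocked = e instanceof InvalidStateError;       // true: serialization refused
  }
  return { naive, leaked, blocked };
}

console.log(demo());
```

The option is opt-in, so upgrading alone changes nothing for code that serializes nodes built from untrusted data; the call sites that pass attacker-controlled strings into createComment, createProcessingInstruction or a DocumentType still need to add { requireWellFormed: true } as the fourth argument (after isHtml and nodeFilter) and handle the InvalidStateError.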

@dependabot dependabot Bot added labels "dependencies" (Pull requests that update a dependency file) and "javascript" (Pull requests that update javascript code), Apr 23, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-3c9d53269f branch from a43956e to ec0667c, April 24, 2026 11:58
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-3c9d53269f branch 2 times, most recently from da3ec41 to bea9169, May 6, 2026 00:43
…4 updates

Bumps the npm_and_yarn group with 4 updates in the / directory: [electron](https://github.com/electron/electron), [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite), [@xmldom/xmldom](https://github.com/xmldom/xmldom) and [lodash](https://github.com/lodash/lodash).


Updates `electron` from 40.6.1 to 40.10.0
- [Release notes](https://github.com/electron/electron/releases)
- [Commits](electron/electron@v40.6.1...v40.10.0)

Updates `vite` from 6.4.1 to 6.4.2
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite)

Updates `@xmldom/xmldom` from 0.8.11 to 0.8.13
- [Release notes](https://github.com/xmldom/xmldom/releases)
- [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md)
- [Commits](xmldom/xmldom@0.8.11...0.8.13)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

---
updated-dependencies:
- dependency-name: "@xmldom/xmldom"
  dependency-version: 0.8.13
  dependency-type: indirect
- dependency-name: electron
  dependency-version: 40.9.2
  dependency-type: direct:development
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
- dependency-name: vite
  dependency-version: 6.4.2
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-3c9d53269f branch from bea9169 to ccf57bf, May 15, 2026 12:59
@boomzero boomzero merged commit 8b85af3 into main May 16, 2026
3 checks passed
@boomzero boomzero deleted the dependabot/npm_and_yarn/npm_and_yarn-3c9d53269f branch May 16, 2026 04:34