Skip to content

build(deps): bump the npm_and_yarn group across 5 directories with 3 updates#285

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/apps/next-js/npm_and_yarn-0323a9404d
Open

build(deps): bump the npm_and_yarn group across 5 directories with 3 updates#285
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/apps/next-js/npm_and_yarn-0323a9404d

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Jun 4, 2026
edited by devin-ai-integration Bot
Loading

Bumps the npm_and_yarn group with 1 update in the /apps/next-js directory: vitest.
Bumps the npm_and_yarn group with 1 update in the /examples/cookbook/mastra directory: hono.
Bumps the npm_and_yarn group with 1 update in the /moss-live-labs/examples/image-search/react-app directory: react-router.
Bumps the npm_and_yarn group with 1 update in the /packages/vercel-sdk directory: vitest.
Bumps the npm_and_yarn group with 1 update in the /packages/vitepress-plugin-moss directory: vitest.

Updates vitest from 3.2.4 to 4.1.0

Release notes

Sourced from vitest's releases.

v4.1.0

Vitest 4.1 is out!

This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.

   🚀 Features

... (truncated)

Commits
  • 4150b91 chore: release v4.1.0
  • 1de0aa2 fix: correctly identify concurrent test during static analysis (#9846)
  • c3cac1c fix: use isAgent check, not just TTY, for watch mode (#9841)
  • eab68ba chore(deps): update all non-major dependencies (#9824)
  • 031f02a fix: allow catch/finally for async assertion (#9827)
  • 3e9e096 feat(reporters): add agent reporter to reduce ai agent token usage (#9779)
  • 0c2c013 chore: release v4.1.0-beta.6
  • 8181e06 fix: hideSkippedTests should not hide test.todo (fix #9562) (#9781)
  • a8216b0 fix: manual and redirect mock shouldn't load or transform original module...
  • 689a22a fix(browser): types of getCDPSession and cdp() (#9716)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.


Updates hono from 4.12.18 to 4.12.23

Release notes

Sourced from hono's releases.

v4.12.23

What's Changed

Full Changelog: honojs/hono@v4.12.22...v4.12.23

v4.12.22

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.21...v4.12.22

v4.12.21

Security fixes

This release includes fixes for the following security issues:

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3

IP Restriction bypasses static deny rules for non-canonical IPv6

Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x

JWT middleware accepts any Authorization scheme, not only Bearer

Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474

Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.

... (truncated)

Commits
  • 83bfb3b 4.12.23
  • bcd290a fix(utils/ipaddr): do not compress a single 0 group to :: (#4971)
  • c968177 feat(compress): add contentTypeFilter option and `COMPRESSIBLE_CONTENT_TYPE_R...
  • 0265a54 docs(contribution): add AI Usage Policy (#4970)
  • c84c5d2 feat(context): export the Context class publicly (#4543)
  • 82dad62 fix(serve-static): normalize all backslashes in file paths, not just the firs...
  • 2f01b77 4.12.22
  • 6bc0dff feat: add msgpack as a compressible content type (#4957)
  • 7e0555d fix(deno): echo negotiated WebSocket subprotocol in upgrade response (#4955)
  • f0ed246 fix(compress): respect Accept-Encoding when encoding option is set (#4951)
  • Additional commits viewable in compare view

Updates react-router from 7.14.1 to 7.17.0

Release notes

Sourced from react-router's releases.

v7.17.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7170

v7.16.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7160

v7.15.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7151

v7.15.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7150

v7.14.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7142

Changelog

Sourced from react-router's changelog.

v7.17.0

Minor Changes

  • Ship a subset of the official documentation inside the react-router package (#15121)
    • Markdown docs are now available in node_modules/react-router/docs, letting AI coding agents and the React Router agent skills read official docs locally
    • Excludes auto-generated API docs (api/), community/ content, and tutorials (tutorials/)

v7.16.0

Minor Changes

  • Stabilize future.unstable_trailingSlashAwareDataRequests as future.v8_trailingSlashAwareDataRequests (#15098)

Patch Changes

  • Disable manifest path when lazy route dicovery is disabled (#15068)

  • Fix browser URL creation to use the configured history window instead of the global window. (#15066)

    • Pass the history/router window through to createBrowserURLImpl so custom window contexts keep the correct URL origin.

  • Fix useNavigation() return type to preserve discriminated union across navigation states (#15095)

  • Widen MetaDescriptor script:ld+json type from LdJsonObject to LdJsonObject | LdJsonObject[] to permit multiple JSON-LD schemas in a single <script type="application/ld+json"> tag emitted by <Meta /> (#15082)

v7.15.1

Patch Changes

  • Update router to operate on fetcher Maps in an immutable manner to avoid delayed React renders from potentially reading an updated but not yet committed Map. This could result in brief flickers in some fetcher-driven optimistic UI scenarios. (#15028)
  • Fix serverLoader() returning stale SSR data when a client navigation aborts pending hydration before the hydration clientLoader resolves (#15022)
  • Fix RouterProvider onError callback not being called for synchronous initial loader errors in SPA mode (#15039) (#14942)
  • Memoize useFetchers to return a stable identity and only change if fetchers changed (#15028)
  • Internal refactor to consolidate mutation request detection through shared utility (#15033)

Unstable Changes

⚠️ Unstable features are not recommended for production use

  • Add a new unstable_useRouterState() hook that consolidates access to active and pending router states (RFC: #12358) (#15017)

    • Data/Framework/RSC only — throws when used without a data router

    • This should allow you to consolidate usages of the following hooks which will likely be deprecated and removed in a future major version

      • useLocation
      • useSearchParams
      • useParams
      • useMatches
      • useNavigationType
      • useNavigation
      

      • 

    

    • 






... (truncated)





Commits






Updates vitest from 3.1.1 to 4.1.0



Release notes

Sourced from vitest's releases.




v4.1.0


Vitest 4.1 is out!


This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.


   🚀 Features






... (truncated)





Commits

    

  • 4150b91 chore: release v4.1.0
    • 

  • 1de0aa2 fix: correctly identify concurrent test during static analysis (#9846)
    • 

  • c3cac1c fix: use isAgent check, not just TTY, for watch mode (#9841)
    • 

  • eab68ba chore(deps): update all non-major dependencies (#9824)
    • 

  • 031f02a fix: allow catch/finally for async assertion (#9827)
    • 

  • 3e9e096 feat(reporters): add agent reporter to reduce ai agent token usage (#9779)
    • 

  • 0c2c013 chore: release v4.1.0-beta.6
    • 

  • 8181e06 fix: hideSkippedTests should not hide test.todo (fix #9562) (#9781)
    • 

  • a8216b0 fix: manual and redirect mock shouldn't load or transform original module...
    • 

  • 689a22a fix(browser): types of getCDPSession and cdp() (#9716)
    • 

  • Additional commits viewable in compare view
    • 






Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.






Updates vitest from 3.2.4 to 4.1.0



Release notes

Sourced from vitest's releases.




v4.1.0


Vitest 4.1 is out!


This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.


   🚀 Features



    

  
  



      


          

          
  
  

    
  
    
    

  

  

  



                    

          
        





  





    



      

  
        

  

      

  
  

  
          

  

    

      


  

      
        @dependabot
  




      

        
          build(deps): bump the npm_and_yarn group across 5 directories with 3 …
        

          
                        
      


      

        

    
    
    

  

    


      


      

        

          

    
    
    

  

  

    
  



        

      


      

        
          84469f0
        
      

    

  

    

      
…updates

Bumps the npm_and_yarn group with 1 update in the /apps/next-js directory: [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest).
Bumps the npm_and_yarn group with 1 update in the /examples/cookbook/mastra directory: [hono](https://github.com/honojs/hono).
Bumps the npm_and_yarn group with 1 update in the /moss-live-labs/examples/image-search/react-app directory: [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router).
Bumps the npm_and_yarn group with 1 update in the /packages/vercel-sdk directory: [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest).
Bumps the npm_and_yarn group with 1 update in the /packages/vitepress-plugin-moss directory: [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest).


Updates `vitest` from 3.2.4 to 4.1.0
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/vitest)

Updates `hono` from 4.12.18 to 4.12.23
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.18...v4.12.23)

Updates `react-router` from 7.14.1 to 7.17.0
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router@7.17.0/packages/react-router)

Updates `vitest` from 3.1.1 to 4.1.0
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/vitest)

Updates `vitest` from 3.2.4 to 4.1.0
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/vitest)

---
updated-dependencies:
- dependency-name: vitest
  dependency-version: 4.1.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.23
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: react-router
  dependency-version: 7.17.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vitest
  dependency-version: 4.1.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: vitest
  dependency-version: 4.1.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

    







  








      

  
            

    

      
    

    


      


          @dependabot
dependabot
Bot



            added
      

  dependencies

  Pull requests that update a dependency file

      

  javascript

  Pull requests that update javascript code

  labels


      Jun 4, 2026

    

  



  
  

  

    
  


  

      


    @dependabot
dependabot
Bot


    mentioned this pull request
    
      Jun 4, 2026
    





  


  

      
   Closed

  







  









      

  
      



  

  @CLAassistant






  



    

      

  

    

      

          
    
    

  


        
            
  
      
              Copy link

  

              
  
      
                Copy Markdown

  

        
      

    


    

        



        

    

  


  

    

      
          
      

      
            CLAassistant
  

      

      

      commented


        Jun 4, 2026



      
    


  





      


        



  
    

      
          
CLA assistant check 
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.


      		
    

  





        


            

            
            

              
            

        

      


      

            
  
  

    
  
    
    

  

  

  


    












      

  
        

  

        

  devin-ai-integration[bot]
  

  
            

              
                    devin-ai-integration
  Bot

              

              reviewed


              
                  
                    Jun 4, 2026
                  
              
              
            


            



                
    View reviewed changes
  


            





          

  
  
  
              

                      

  

    

      

          
    
    

  


        
            
  
      
              Copy link

  

              
  
      
                Copy Markdown

  

        
      

    


    

        

  
    Contributor


        

    

  


  

    

      
          @devin-ai-integration
      

      
            devin-ai-integration
  Bot

      

      

      left a comment





      
    


  



                  

                      

  

  
 

  
    

    
Choose a reason for hiding this comment


    

      The reason will be displayed to describe this comment to others. Learn more.
    


    

      
      



  



  
    

      
✅ Devin Review: No Issues Found


Devin Review analyzed this PR and found no potential bugs to report.


View in Devin Review to see 2 additional findings.



  
    
    Open in Devin Review
  


      
    

  
  




                    

                  
  
  

    
  
    
    

  

  

  



                      

                    
                  








      

  
  
  




  












  
  

    

      

  










  








  
      

  
    Sign up for free
    to join this conversation on GitHub.
    Already have an account?
    Sign in to comment


  










      

  

    
    

    

  

    Reviewers
  


    


      

  

    


  
      @devin-ai-integration
  
    devin-ai-integration[bot]


    
      
        
      
    
    devin-ai-integration[bot] left review comments



      

          


  
      @HarshaNalluru
  
    HarshaNalluru


                Awaiting requested review from HarshaNalluru

                    HarshaNalluru is a code owner

        
      

      

          


  
      @r4ghu
  
    r4ghu


                Awaiting requested review from r4ghu

                    r4ghu is a code owner

        
      

      

          


  
      @CoderOMaster
  
    CoderOMaster


                Awaiting requested review from CoderOMaster

                    CoderOMaster is a code owner

        
      



        

      At least 1 approving review is required to merge this pull request.
  








    

  


      
  

    Assignees
  



        


    No one assigned







      


  


  

    Labels
  



    

      

    dependencies

  Pull requests that update a dependency file
  

    javascript

  Pull requests that update javascript code








      

  

    

        

    Projects
  


        




    None yet




  



      


  

    
  

    Milestone
  


      No milestone





    
      
          


  

    

      
        

          
  

    Development
  



            


Successfully merging this pull request may close these issues.





  
  



      
    

  




      

    

  
        

  

    

      1 participant
    

    

        
          @CLAassistant