build(deps): bump the npm_and_yarn group with 2 updates #268

dependabot · 2025-04-23T18:29:01Z

Bumps the npm_and_yarn group with 2 updates: fastify and vite.

Updates fastify from 5.2.2 to 5.3.2

Release notes

v5.3.2

⚠️ Security Release ⚠️

Unfortunately, v5.3.1 did not include a complete fix for "Invalid content-type parsing could lead to validation bypass" and CVE-2025-32442. This is a follow-up patch to cover an edge case.

What's Changed

docs: fix archived concurrently link to point to active repo by @TimTeylor in fastify/fastify#6063

fix: treat space as a delimiter in content-type parsing by @mcollina in fastify/fastify#6064

New Contributors

@TimTeylor made their first contribution in fastify/fastify#6063

Full Changelog: fastify/fastify@v5.3.1...v5.3.2

v5.3.1

⚠️ Security Release ⚠️

Fix for "Invalid content-type parsing could lead to validation bypass" and CVE-2025-32442

What's Changed

test: migrate logger options to node test runner by @ilteoood in fastify/fastify#6059

test: migrate logger logging to node test runner by @ilteoood in fastify/fastify#6060

test: convert custom parser 1 to node test runner by @ilteoood in fastify/fastify#6053

test: custom querystring parser by @ilteoood in fastify/fastify#6054

test: migrate stream 4 to node test runner by @ilteoood in fastify/fastify#6062

test: migrate request logger to node test runner by @ilteoood in fastify/fastify#6058

test: migrate custom parser 0 to node test runner by @ilteoood in fastify/fastify#6052

test: migrate logger instantiation to node test runner by @ilteoood in fastify/fastify#6061

New Contributors

@ilteoood made their first contribution in fastify/fastify#6059

Full Changelog: fastify/fastify@v5.3.0...v5.3.1

v5.3.0

What's Changed

fix: wrong reply return type by @dangkyokhoang in fastify/fastify#6026

feat: allow to access decorators by @jean-michelet in fastify/fastify#5768

ci: continue-on-error on alternative runtime by @Eomm in fastify/fastify#6031

fix: clear [kState].readyPromise for garbage collection by @LiviaMedeiros in fastify/fastify#6030

ci: set workflow permissions to read-only by default by @Fdawgs in fastify/fastify#6035

chore: Bump the dependencies-major group with 2 updates by @dependabot in fastify/fastify#6036

chore: Bump lycheeverse/lychee-action from 2.3.0 to 2.4.0 by @dependabot in fastify/fastify#6037

chore: remove sponsort by @Eomm in fastify/fastify#6040

test: fix skip in upgrade test by @LiviaMedeiros in fastify/fastify#6044

chore: migrate custom-parser.4.test.js to node:test by @Matthew-Mallimo in fastify/fastify#6042

docs: add fastify-lm to Ecosystem.md by @galiprandi in fastify/fastify#6032

test: skip IPv6 tests if its support is not present by @LiviaMedeiros in fastify/fastify#6048

... (truncated)

Commits

32f7e1e Bumped v5.3.2
f3d2bcb fix: treat space as a delimiter in content-type parsing (#6064)
9b1cf06 docs: fix archived concurrently link to point to active repo (#6063)
644b68d Bumped v5.3.1
436da4c Merge commit from fork
ebbd4a6 test: migrate logger instantiation to node test runner (#6061)
2ce1ae1 test: migrate custom parser 0 to node test runner (#6052)
f30973c test: migrate request logger to node test runner (#6058)
0a9aa87 test: migrate stream 4 to node test runner (#6062)
417b1f8 test: custom querystring parser (#6054)
Additional commits viewable in compare view

Updates vite from 6.2.5 to 6.3.2

Release notes

Sourced from vite's releases.

v6.3.2

Please refer to CHANGELOG.md for details.

create-vite@6.3.1

Please refer to CHANGELOG.md for details.

v6.3.1

Please refer to CHANGELOG.md for details.

create-vite@6.3.0

Please refer to CHANGELOG.md for details.

v6.3.0

Please refer to CHANGELOG.md for details.

v6.3.0-beta.2

Please refer to CHANGELOG.md for details.

v6.3.0-beta.1

Please refer to CHANGELOG.md for details.

v6.3.0-beta.0

Please refer to CHANGELOG.md for details.

v6.2.6

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.3.2 (2025-04-18)

fix: match default asserts case insensitive (#19852) (cbdab1d), closes #19852

fix: open first url if host does not match any urls (#19886) (6abbdce), closes #19886

fix(css): respect css.lightningcss option in css minification process (#19879) (b5055e0), closes #19879

fix(deps): update all non-major dependencies (#19698) (bab4cb9), closes #19698

feat(css): improve lightningcss messages (#19880) (c713f79), closes #19880

6.3.1 (2025-04-17)

fix: avoid using Promise.allSettled in preload function (#19805) (35c7f35), closes #19805

fix: backward compat for internal plugin transform calls (#19878) (a152b7c), closes #19878

6.3.0 (2025-04-16)

fix(hmr): avoid infinite loop happening with hot.invalidate in circular deps (#19870) (d4ee5e8), closes #19870

fix(preview): use host url to open browser (#19836) (5003434), closes #19836

6.3.0-beta.2 (2025-04-11)

fix: addWatchFile doesn't work if base is specified (fixes #19792) (#19794) (8bed1de), closes #19792 #19794

fix: correct the behavior when multiple transform filter options are specified (#19818) (7200dee), closes #19818

fix: fs check with svg and relative paths (#19782) (62d7e81), closes #19782

fix: keep entry asset files imported by other files (#19779) (2fa1495), closes #19779

fix: reject requests with # in request-target (#19830) (175a839), closes #19830

fix: unbundle fdir to fix commonjsOptions.dynamicRequireTargets (#19791) (71227be), closes #19791

fix(css): remove empty chunk imports correctly when chunk file name contained special characters (#1 (b125172), closes #19814

fix(dev): make query selector regexes more inclusive (fix #19213) (#19767) (f530a72), closes #19213 #19767

fix(hmr): run HMR handler sequentially (#19793) (380c10e), closes #19793

fix(module-runner): allow already resolved id as entry (#19768) (e2e11b1), closes #19768

fix(types): remove the keepProcessEnv from the DefaultEnvironmentOptions type (#19796) (36935b5), closes #19796

refactor: simplify pluginFilter implementation (#19828) (0a0c50a), closes #19828

perf(css): avoid constructing renderedModules (#19775) (59d0b35), closes #19775

test: tweak generateCodeFrame test (#19812) (8fe3538), closes #19812

docs(vite): fix description of transformIndexHtml hook (#19799) (a0e1a04), closes #19799

chore: remove unused eslint directive (#19781) (cb4f5b4), closes #19781

6.3.0-beta.1 (2025-04-03)

fix: align plugin hook filter behavior with pluginutils (#19736) (0bbdd2c), closes #19736

fix: fs check in transform middleware (#19761) (5967313), closes #19761

fix(hmr): throw non-standard error info causes logical error (#19776) (6b648c7), closes #19776

... (truncated)

Commits

4bc17b4 release: v6.3.2
b5055e0 fix(css): respect css.lightningcss option in css minification process (#19879)
c713f79 feat(css): improve lightningcss messages (#19880)
cbdab1d fix: match default asserts case insensitive (#19852)
6abbdce fix: open first url if host does not match any urls (#19886)
bab4cb9 fix(deps): update all non-major dependencies (#19698)
a7349ef release: v6.3.1
a152b7c fix: backward compat for internal plugin transform calls (#19878)
35c7f35 fix: avoid using Promise.allSettled in preload function (#19805)
5fdcfe7 release: v6.3.0
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 2 updates: [fastify](https://github.com/fastify/fastify) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Updates `fastify` from 5.2.2 to 5.3.2 - [Release notes](https://github.com/fastify/fastify/releases) - [Commits](fastify/fastify@v5.2.2...v5.3.2) Updates `vite` from 6.2.5 to 6.3.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v6.3.2/packages/vite) --- updated-dependencies: - dependency-name: fastify dependency-version: 5.3.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 6.3.2 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

zrosenbauer · 2025-05-16T20:36:44Z

@dependabot rebase

dependabot · 2025-05-16T20:38:14Z

Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot bot added the type: dependencies Dependency upgrades. label Apr 23, 2025

zrosenbauer added the semver: patch Bug fixes that are backwards compatible. label Apr 23, 2025

scotty-robot enabled auto-merge (squash) April 23, 2025 18:30

dependabot bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-3887ff6f8d branch from d1c3a9d to b350831 Compare April 23, 2025 18:31

dependabot bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-3887ff6f8d branch from b350831 to 916609c Compare April 23, 2025 18:33

dependabot bot closed this May 16, 2025

auto-merge was automatically disabled May 16, 2025 20:38
Pull request was closed

dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-3887ff6f8d branch May 16, 2025 20:38

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the npm_and_yarn group with 2 updates #268

build(deps): bump the npm_and_yarn group with 2 updates #268

dependabot bot commented on behalf of github Apr 23, 2025 •

edited

Loading

zrosenbauer commented May 16, 2025

dependabot bot commented on behalf of github May 16, 2025

build(deps): bump the npm_and_yarn group with 2 updates #268

build(deps): bump the npm_and_yarn group with 2 updates #268

Conversation

dependabot bot commented on behalf of github Apr 23, 2025 • edited Loading

v5.3.2

⚠️ Security Release ⚠️

What's Changed

New Contributors

v5.3.1

⚠️ Security Release ⚠️

What's Changed

New Contributors

v5.3.0

What's Changed

v6.3.2

create-vite@6.3.1

v6.3.1

create-vite@6.3.0

v6.3.0

v6.3.0-beta.2

v6.3.0-beta.1

v6.3.0-beta.0

v6.2.6

6.3.2 (2025-04-18)

6.3.1 (2025-04-17)

6.3.0 (2025-04-16)

6.3.0-beta.2 (2025-04-11)

6.3.0-beta.1 (2025-04-03)

zrosenbauer commented May 16, 2025

dependabot bot commented on behalf of github May 16, 2025

dependabot bot commented on behalf of github Apr 23, 2025 •

edited

Loading