build(deps): Bump @docusaurus/plugin-google-gtag from 3.10.0 to 3.10.1 #995

Status: Open

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/docusaurus/plugin-google-gtag-3.10.1

Conversation


@dependabot dependabot Bot commented on behalf of github May 13, 2026

Bumps @docusaurus/plugin-google-gtag from 3.10.0 to 3.10.1.

Release notes

Sourced from @docusaurus/plugin-google-gtag's releases.

3.10.1 (2026-04-30)

🐛 Bug Fix

  • docusaurus-bundler
    • #11981 fix(bundler): fix v3 webpackbar bug due to webpack breaking change (@slorber)

🔧 Maintenance

  • docusaurus

Committers: 1

Changelog

Sourced from @docusaurus/plugin-google-gtag's changelog.

3.10.1 (2026-04-30)

🐛 Bug Fix

  • docusaurus-bundler
    • #11981 fix(bundler): fix v3 webpackbar bug due to webpack breaking change (@slorber)

🔧 Maintenance

  • docusaurus

Committers: 1

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency-only change; updates the Google gtag Docusaurus plugin and its transitive lockfile entries, which could only affect docs build/analytics bundling behavior.

Overview
Bumps @docusaurus/plugin-google-gtag from 3.10.0 to 3.10.1 in package.json.

Updates package-lock.json to reflect the new plugin version and refreshed transitive Docusaurus/bundler dependencies (including new nested 3.10.1 packages and webpackbar/ansis entries).

Reviewed by Cursor Bugbot for commit 96a311f. Bugbot is set up for automated code reviews on this repo.

Bumps [@docusaurus/plugin-google-gtag](https://github.com/facebook/docusaurus/tree/HEAD/packages/docusaurus-plugin-google-gtag) from 3.10.0 to 3.10.1.
- [Release notes](https://github.com/facebook/docusaurus/releases)
- [Changelog](https://github.com/facebook/docusaurus/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/docusaurus/commits/v3.10.1/packages/docusaurus-plugin-google-gtag)

---
updated-dependencies:
- dependency-name: "@docusaurus/plugin-google-gtag"
  dependency-version: 3.10.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added labels on May 13, 2026: Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file), javascript (Pull requests that update Javascript code)
@socket-security

Review the following changes in direct dependencies (Socket for GitHub report).

Diff   Package                                 Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added  @docusaurus/plugin-google-gtag@3.10.1   100                     100             70        99            100

@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verdict: benign

Why this reads as safe

  • Source and change shape: @docusaurus/plugin-google-gtag 3.10.0 → 3.10.1 is a patch on the official @docusaurus/* scope, with a public Docusaurus 3.10.1 release and a small, described fix in docusaurus-bundler / webpackbar (PR #11981), not unexplained runtime or install behavior.

  • Scanner vs. real risk: The report is warn with ioc: 0. Listed items align with heuristic noise on a whole upstream tag-range diff (59 files across the monorepo), not proof of compromise: binary images flagged for null bytes / “media changed,” changelog/docs mentioning exec/base64, lockfile lines matching spawn/exec substring rules, and maintainer docs mentioning GitHub tokens. None of that establishes obfuscation, exfiltration, or malicious install scripts in your consumed dependency.

  • Checklist (short): No typosquatting; no indication of hostile lifecycle scripts tied to this bump (would need inspecting the published package.json of plugin-google-gtag@3.10.1 on npm for definitive “scripts” wording—standard for Meta’s published Docusaurus packages is minimal); release notes point to bundler tooling, consistent with benign supply chain.

Actionable nuance: Your lockfile hints show plugin-google-gtag 3.10.1 at the top level while preset-classic may still nest 3.10.0—worth dedupe / align all @docusaurus/* for consistency and fewer duplicate installs, not a malware signal.

Compatibility Analysis

Tracing dependency usage and upstream changes for the Dependabot PR review.

1) Where it appears

  • package.json — listed under dependencies as "@docusaurus/plugin-google-gtag": "^3.10.1".
  • package-lock.json — lock metadata for that package (and nested Docusaurus packages).
  • docusaurus.config.js — preset options include docs, theme, etc., but no gtag and no plugins entry for this package. Analytics in this file is Matomo via scripts (/js/matomo.js), not Google gtag.

So in this repo the package is only declared and locked, not configured as an active Docusaurus plugin.

2) Overlap with 3.10.1 changes

  • 3.10.1 (per PR notes) is a patch whose called-out fix is in docusaurus-bundler / webpackbar (Webpack interaction), not in gtag plugin public options, theme integration, or runtime gtag behavior.
  • There is no application or config code here that calls plugin APIs or TypeScript types from @docusaurus/plugin-google-gtag.
  • Conclusion: Usage sites do not intersect likely changed surfaces; any effect is indirect (install graph / duplicated nested copies), not behavioral for your current config.

3) Risks / unknowns

  • package-lock.json still has node_modules/@docusaurus/preset-classic/node_modules/@docusaurus/plugin-google-gtag at 3.10.0 (preset-classic is 3.10.0), while the top-level node_modules/@docusaurus/plugin-google-gtag is 3.10.1. Two versions can coexist; low practical risk while gtag is unused, but it is slightly messy for future gtag preset options.
  • Engines: locked Docusaurus packages declare node >= 20 while this repo's package.json still says >=18; a pre-existing inconsistency, not introduced by this bump alone.
  • Main build stack (@docusaurus/core / preset at 3.10.0) is unchanged by only bumping the direct gtag dependency; you do not automatically get the 3.10.1 bundler fix on the core build path unless you align those packages too.

4) Recommendation

Merge — patch from the official @docusaurus scope; your site does not enable this plugin today, so there is no config/runtime regression surface from gtag APIs.

If you want a single follow-up for consistency: bump @docusaurus/core and @docusaurus/preset-classic to 3.10.1 (or use overrides/deduping strategy) so the preset’s nested plugin-google-gtag and the active Docusaurus toolchain are on the same patch and you actually pick up the bundler/webpackbar fix where it matters.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 59
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: 0d98888a7645a5fb1330c905b75faf868f829f5c..41c1a458ecb07d61b6df2761ea4bc1b13db49d12
  • Resolved refs: from=0d98888a7645a5fb1330c905b75faf868f829f5c to=41c1a458ecb07d61b6df2761ea4bc1b13db49d12
  • Unicode findings (post-allowlist): 3
  • Confusable findings (post-allowlist): 3
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 37

Top findings

  • website/blog/releases/3.10/img/social-card.png:0 unicode :: binary file matches (found "\0" byte around offset 8)
  • admin/publish-legacy.md:249 unicode :: - New code blocks features 🖥️
  • admin/publish-legacy.md:250 unicode :: - Draft blog posts ✏️
  • website/blog/releases/3.10/img/social-card.png:0 confusable :: binary file matches (found "\0" byte around offset 8)
  • website/blog/releases/3.10/img/security.jpg:0 confusable :: binary file matches (found "\0" byte around offset 4)
  • website/blog/releases/3.10/img/provenance.jpg:0 confusable :: binary file matches (found "\0" byte around offset 4)
  • packages/create-docusaurus/package.json:27 shell_process_spawn :: "cross-spawn": "^7.0.6",
  • CHANGELOG.md:348 shell_process_spawn :: - [#11347](https://github.com/facebook/docusaurus/pull/11347) fix(core): Fix docusaurus start on macOS when exec throws a synchronous error ([@slorber](https://github.com/slorber))
  • yarn.lock:10 shell_process_spawn :: "@actions/exec" "^3.0.0"
  • yarn.lock:13 shell_process_spawn :: "@actions/exec@^3.0.0":
  • yarn.lock:15 shell_process_spawn :: resolved "https://registry.yarnpkg.com/@actions/exec/-/exec-3.0.0.tgz#8c3464d20f0aa4068707757021d7e3c01a7ee203"
  • yarn.lock:2911 shell_process_spawn :: "@jsdevtools/ez-spawn@^3.0.4":
  • yarn.lock:2913 shell_process_spawn :: resolved "https://registry.yarnpkg.com/@jsdevtools/ez-spawn/-/ez-spawn-3.0.4.tgz#5641eb26fee6d31ec29f6788eba849470c52c7ff"
  • yarn.lock:2917 shell_process_spawn :: cross-spawn "^7.0.3"
  • yarn.lock:3230 shell_process_spawn :: "@npmcli/promise-spawn" "^6.0.0"
  • yarn.lock:3268 shell_process_spawn :: "@npmcli/promise-spawn@^6.0.0", "@npmcli/promise-spawn@^6.0.1":
  • yarn.lock:3270 shell_process_spawn :: resolved "https://registry.yarnpkg.com/@npmcli/promise-spawn/-/promise-spawn-6.0.2.tgz#c8bc4fa2bd0f01cb979d8798ba038f314cfa70f2"
  • yarn.lock:3281 shell_process_spawn :: "@npmcli/promise-spawn" "^6.0.0"
  • yarn.lock:7806 shell_process_spawn :: cross-spawn "^7.0.6"
  • yarn.lock:7808 shell_process_spawn :: cross-spawn@^6.0.5:
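As an added example (not code from this PR or from Docusaurus), a small Node.js script that detects the version skew the analysis above describes under "Risks / unknowns": packages of one scope that a package-lock.json installs at more than one version, such as a direct plugin-google-gtag 3.10.1 beside a 3.10.0 nested under preset-classic. It assumes the lockfile uses the lockfileVersion 2/3 "packages" map; the sample lockfile inside it is constructed to mirror the state described in the review.

```javascript
// Added example, not code from this PR or from Docusaurus: report packages in
// a scope that a package-lock.json (lockfileVersion 2/3 "packages" map)
// installs at two or more versions. Usage: node lock-skew.js [package-lock.json]

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns { name: { version: [lockfile paths] } }, keeping only packages in
// `scope` that the lockfile resolves to two or more distinct versions.
function findVersionSkew(lock, scope) {
  const byName = {};
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !name.startsWith(scope + "/") || !entry.version) continue;
    byName[name] ??= {};
    (byName[name][entry.version] ??= []).push(lockPath);
  }
  const skew = {};
  for (const [name, versions] of Object.entries(byName)) {
    if (Object.keys(versions).length > 1) skew[name] = versions;
  }
  return skew;
}

// Constructed sample lockfile mirroring the state the review describes:
// the direct dependency is 3.10.1 while preset-classic still nests 3.10.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@docusaurus/plugin-google-gtag": "^3.10.1" } },
    "node_modules/@docusaurus/core": { version: "3.10.0" },
    "node_modules/@docusaurus/preset-classic": { version: "3.10.0" },
    "node_modules/@docusaurus/plugin-google-gtag": { version: "3.10.1" },
    "node_modules/@docusaurus/preset-classic/node_modules/@docusaurus/plugin-google-gtag":
      { version: "3.10.0" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const [name, versions] of Object.entries(findVersionSkew(lock, "@docusaurus"))) {
    console.log(`${name}: ${Object.keys(versions).sort().join(", ")}`);
    for (const [v, paths] of Object.entries(versions))
      for (const p of paths) console.log(`  ${v}  ${p}`);
  }
}
```

Running it against a real lockfile lists each skewed @docusaurus/* package with the paths holding each version, which is the input needed to decide whether to align core and preset-classic or add an override.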
