build(deps): Bump @docusaurus/preset-classic from 3.10.0 to 3.10.1#996

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/docusaurus/preset-classic-3.10.1

Conversation

@dependabot dependabot Bot commented on behalf of github May 13, 2026

Bumps @docusaurus/preset-classic from 3.10.0 to 3.10.1.

Release notes

Sourced from @​docusaurus/preset-classic's releases.

3.10.1 (2026-04-30)

🐛 Bug Fix

  • docusaurus-bundler
    • #11981 fix(bundler): fix v3 webpackbar bug due to webpack breaking change (@​slorber)

🔧 Maintenance

  • docusaurus

Committers: 1

Changelog

Sourced from @​docusaurus/preset-classic's changelog.

3.10.1 (2026-04-30)

🐛 Bug Fix

  • docusaurus-bundler
    • #11981 fix(bundler): fix v3 webpackbar bug due to webpack breaking change (@​slorber)

🔧 Maintenance

  • docusaurus

Committers: 1

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Primarily a patch-level dependency upgrade; main risk is potential docs build/runtime regressions due to updated Docusaurus/bundler and transitive tooling changes (notably webpackbar).

Overview
Updates @docusaurus/preset-classic from 3.10.0 to 3.10.1 in package.json.

Regenerates package-lock.json to pull in Docusaurus 3.10.1 patch releases and related transitive updates (including webpackbar 6.x → 7.0.0, new ansis dependency, and minor Babel package bumps).

Reviewed by Cursor Bugbot for commit 452758c. Bugbot is set up for automated code reviews on this repo.

Bumps [@docusaurus/preset-classic](https://github.com/facebook/docusaurus/tree/HEAD/packages/docusaurus-preset-classic) from 3.10.0 to 3.10.1.
- [Release notes](https://github.com/facebook/docusaurus/releases)
- [Changelog](https://github.com/facebook/docusaurus/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/docusaurus/commits/v3.10.1/packages/docusaurus-preset-classic)

---
updated-dependencies:
- dependency-name: "@docusaurus/preset-classic"
  dependency-version: 3.10.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot added the labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) on May 13, 2026

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | @docusaurus/preset-classic@3.10.0 ⏵ 3.10.1 | 99 | 100 | 70 | 99 | 100 |
| Updated | @docusaurus/plugin-google-gtag@3.10.0 ⏵ 3.10.1 | 100 | 100 | 70 | 99 | 100 |
| Updated | @docusaurus/core@3.10.0 ⏵ 3.10.1 | 98 +1 | 100 | 76 +1 | 99 | 100 |

@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verdict: benign

Why this is safe to merge (for supply-chain/malware)

  • Source and semver: @docusaurus/preset-classic 3.10.0 → 3.10.1 is a patch from the real facebook/docusaurus package. The release notes describe a narrow bundler/webpackbar fix (PR #11981), which is consistent with a routine patch, not a behavioral takeover.

  • Scanner report (interpretation): The scan is warn-only and largely reflects heuristic noise on the upstream monorepo diff (59 files across the whole Docusaurus tree), not evidence of compromise in your app:

    • Unicode / confusable: Hits on binary images (NUL bytes) and emoji in markdown are expected and not GlassWorm-style Trojan Source in source.
    • shell_process_spawn: Matches cross-spawn, @actions/exec, promise-spawn in yarn.lock / package.json dependency names, not new malicious child_process code.
    • credential_exfil: Text in admin docs about creating a GitHub token is documentation, not runtime exfiltration.
    • obfuscation / base64: Changelog and normal packages (base64-js, etc.) — benign context.
    • steganography / media: Release blog images changed in upstream — plausible for a release post, not standalone evidence of hiding payloads in your install.
  • Dependency integrity (practical check): Your hints show package-lock.json resolves preset-classic to https://registry.npmjs.org/.../preset-classic-3.10.1.tgz — normal npm integrity for a published patch. The wide upstream file list is not the same as “unexpected new transitive deps” in your lockfile from a single patch bump (still worth glancing at the PR’s real package-lock.json diff for abnormal tarball URLs or unknown packages).

  • Dependabot context: No red flag mentioned for node_modules checked in or workflow-only rewrites; this is a standard dependency bump pattern.

Actionable note: Treat the malware scan’s warn as “review heuristics tripped”, not “malware detected”; nothing in the cited findings overrides trust in the official 3.10.1 npm artifact + changelog scope for this PR.

Compatibility Analysis

Gathering usage sites and upstream change scope for the review.

1) Where @docusaurus/preset-classic is used

  • package.json — listed under dependencies (with other @docusaurus/* packages).
  • docusaurus.config.js — registered in presets as '@docusaurus/preset-classic', with JSDoc types import('@docusaurus/preset-classic').Options and ThemeConfig for docs/theme and themeConfig (navbar, footer, prism, colorMode, etc.).

There are no other references under the project root (only .upstream-dependency, which is upstream Docusaurus itself).


2) Overlap with likely changes in 3.10.1

Upstream CHANGELOG.md for 3.10.1 only calls out:

  • docusaurus-bundler: fix for a webpackbar issue after a webpack behavior change (PR #11981).
  • Cherry-pick / release housekeeping (PR #11982).

That is build-time / bundler tooling, not preset Options, ThemeConfig, or runtime theme APIs. This site only uses the preset through config + types — no custom bundler hooks or imports from docusaurus-bundler.

Preset 3.10.1 also pins sibling packages (e.g. @docusaurus/core 3.10.1) in its own package.json; that is normal for a lined-up patch, not a new public API.

Conclusion: usage does not meaningfully intersect the documented change surface.


3) Risks / unknowns

  • Lockfile / version alignment: If the PR only bumps preset-classic while package.json still has other @docusaurus/* at ^3.10.0, npm should still resolve 3.10.1 where the lockfile is refreshed, but it is worth glancing at the lockfile for duplicate @docusaurus/core trees (usually fine, occasionally worth a quick npm ls in CI).
  • Ecosystem plugins: @easyops-cn/docusaurus-search-local is not mentioned in upstream release notes; a patch within 3.10 is unlikely to break it, but CI build/start remains the real check.
  • Runtime behavior: essentially unchanged; any effect is expected to be build/dev progress / bundler robustness, not site content or routing.

4) Recommendation

Merge — patch release with a narrow bundler fix; this repo’s usage is standard preset + config types and does not depend on the changed area. Optional follow-up: bump remaining @docusaurus/* entries to 3.10.1 explicitly for clarity and a single lined-up version line in package.json (not required for correctness if the lockfile already pins 3.10.1 consistently).


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 59
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: 0d98888a7645a5fb1330c905b75faf868f829f5c..41c1a458ecb07d61b6df2761ea4bc1b13db49d12
  • Resolved refs: from=0d98888a7645a5fb1330c905b75faf868f829f5c to=41c1a458ecb07d61b6df2761ea4bc1b13db49d12
  • Unicode findings (post-allowlist): 3
  • Confusable findings (post-allowlist): 3
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 37

Top findings

  • website/blog/releases/3.10/img/social-card.png:0 unicode :: binary file matches (found "\0" byte around offset 8)
  • admin/publish-legacy.md:249 unicode :: - New code blocks features 🖥️
  • admin/publish-legacy.md:250 unicode :: - Draft blog posts ✏️
  • website/blog/releases/3.10/img/social-card.png:0 confusable :: binary file matches (found "\0" byte around offset 8)
  • website/blog/releases/3.10/img/security.jpg:0 confusable :: binary file matches (found "\0" byte around offset 4)
  • website/blog/releases/3.10/img/provenance.jpg:0 confusable :: binary file matches (found "\0" byte around offset 4)
  • packages/create-docusaurus/package.json:27 shell_process_spawn :: "cross-spawn": "^7.0.6",
  • CHANGELOG.md:348 shell_process_spawn :: - [#11347](https://github.com/facebook/docusaurus/pull/11347) fix(core): Fix docusaurus start on macOS when exec throws a synchronous error ([@slorber](https://github.com/slorber))
  • yarn.lock:10 shell_process_spawn :: "@actions/exec" "^3.0.0"
  • yarn.lock:13 shell_process_spawn :: "@actions/exec@^3.0.0":
  • yarn.lock:15 shell_process_spawn :: resolved "https://registry.yarnpkg.com/@actions/exec/-/exec-3.0.0.tgz#8c3464d20f0aa4068707757021d7e3c01a7ee203"
  • yarn.lock:2911 shell_process_spawn :: "@jsdevtools/ez-spawn@^3.0.4":
  • yarn.lock:2913 shell_process_spawn :: resolved "https://registry.yarnpkg.com/@jsdevtools/ez-spawn/-/ez-spawn-3.0.4.tgz#5641eb26fee6d31ec29f6788eba849470c52c7ff"
  • yarn.lock:2917 shell_process_spawn :: cross-spawn "^7.0.3"
  • yarn.lock:3230 shell_process_spawn :: "@npmcli/promise-spawn" "^6.0.0"
  • yarn.lock:3268 shell_process_spawn :: "@npmcli/promise-spawn@^6.0.0", "@npmcli/promise-spawn@^6.0.1":
  • yarn.lock:3270 shell_process_spawn :: resolved "https://registry.yarnpkg.com/@npmcli/promise-spawn/-/promise-spawn-6.0.2.tgz#c8bc4fa2bd0f01cb979d8798ba038f314cfa70f2"
  • yarn.lock:3281 shell_process_spawn :: "@npmcli/promise-spawn" "^6.0.0"
  • yarn.lock:7806 shell_process_spawn :: cross-spawn "^7.0.6"
  • yarn.lock:7808 shell_process_spawn :: cross-spawn@^6.0.5:
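The lockfile checks the analysis above recommends (tarball URLs outside the registry, missing integrity hashes, duplicate @docusaurus/core trees after a partial bump), as an added example; this is not code from this PR or from Docusaurus, and the lockfile fragment, the registry allowlist and the package paths in it are constructed.

```javascript
// Added example, not PR/Docusaurus code: audit a lockfileVersion 2/3 package-lock.json for the
// things the review suggests; assumption: every tarball should come from the public npm registry.
const ALLOWED_REGISTRY = "https://registry.npmjs.org/";
// Returns a list of { path, issue } findings; an empty list means nothing looked off.
function auditLockfile(lock, watchNames = []) {
  const findings = [];
  const versionsByName = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root project or workspace symlink
    const name = path.slice(path.lastIndexOf("node_modules/") + 13); // ".../node_modules/@scope/b" -> "@scope/b"
    if (!entry.resolved) {
      findings.push({ path, issue: "missing resolved URL" });
    } else if (!entry.resolved.startsWith(ALLOWED_REGISTRY)) {
      findings.push({ path, issue: `off-registry source ${entry.resolved}` });
    }
    if (!entry.integrity) findings.push({ path, issue: "missing integrity hash" });
    if (!versionsByName.has(name)) versionsByName.set(name, new Set());
    versionsByName.get(name).add(entry.version);
  }
  // Duplicate trees of a watched package (e.g. two @docusaurus/core versions in one install).
  for (const name of watchNames) {
    const versions = versionsByName.get(name);
    if (versions && versions.size > 1) {
      findings.push({ path: name, issue: `multiple versions: ${[...versions].sort().join(", ")}` });
    }
  }
  return findings;
}
// Constructed lockfile fragment: a clean preset-classic entry, a nested second @docusaurus/core,
// and a webpackbar entry fetched from outside the registry with no integrity hash.
const REG = "https://registry.npmjs.org/@docusaurus/";
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs-site", dependencies: { "@docusaurus/preset-classic": "^3.10.0" } },
    "node_modules/@docusaurus/preset-classic": { version: "3.10.1",
      resolved: REG + "preset-classic/-/preset-classic-3.10.1.tgz", integrity: "sha512-CONSTRUCTED" },
    "node_modules/@docusaurus/core": { version: "3.10.1",
      resolved: REG + "core/-/core-3.10.1.tgz", integrity: "sha512-CONSTRUCTED" },
    "node_modules/some-plugin/node_modules/@docusaurus/core": { version: "3.10.0",
      resolved: REG + "core/-/core-3.10.0.tgz", integrity: "sha512-CONSTRUCTED" },
    "node_modules/webpackbar": { version: "7.0.0", resolved: "https://example.invalid/webpackbar-7.0.0.tgz" },
  },
};
// Pass a real package-lock.json path as argv[2] (CommonJS) to audit it instead of the sample.
const lockToAudit = (typeof require === "function" && process.argv[2])
  ? JSON.parse(require("node:fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
for (const f of auditLockfile(lockToAudit, ["@docusaurus/core"])) console.log(`${f.path}: ${f.issue}`);
```

Run it against the PR's refreshed package-lock.json before merging; the sample prints two findings for webpackbar and one for the duplicated @docusaurus/core.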
