
build(deps): Bump @docusaurus/core from 3.10.0 to 3.10.1 #997

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/docusaurus/core-3.10.1

Conversation


@dependabot dependabot Bot commented on behalf of github May 13, 2026

Bumps @docusaurus/core from 3.10.0 to 3.10.1.

Release notes

Sourced from @docusaurus/core's releases.

3.10.1 (2026-04-30)

🐛 Bug Fix

  • docusaurus-bundler
    • #11981 fix(bundler): fix v3 webpackbar bug due to webpack breaking change (@slorber)

🔧 Maintenance

  • docusaurus

Committers: 1


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low-risk dependency bump for the docs site; the main risk is unexpected build/runtime regressions from the updated Docusaurus toolchain (notably webpackbar and transitive deps).

Overview
Bumps @docusaurus/core from 3.10.0 to 3.10.1 in package.json.

Regenerates package-lock.json to align with the new Docusaurus release, pulling in updated transitive packages (including webpackbar 7.0.0 and related dependencies).

Reviewed by Cursor Bugbot for commit da984fb. Bugbot is set up for automated code reviews on this repo.

Bumps [@docusaurus/core](https://github.com/facebook/docusaurus/tree/HEAD/packages/docusaurus) from 3.10.0 to 3.10.1.
- [Release notes](https://github.com/facebook/docusaurus/releases)
- [Changelog](https://github.com/facebook/docusaurus/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/docusaurus/commits/v3.10.1/packages/docusaurus)

---
updated-dependencies:
- dependency-name: "@docusaurus/core"
  dependency-version: 3.10.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot (bot) added the labels Changed, dependencies and javascript on May 13, 2026
@socket-security

Review the following changes in direct dependencies.

Diff   Package                  Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added  @docusaurus/core@3.10.1  98                      100             76        99            100


@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying declared Docusaurus versions in the repo for accuracy.

Verdict: benign

Why this looks safe

  • Source and scope: @docusaurus/core 3.10.1 is a patch on the official facebook/docusaurus line. Release notes only mention a bundler/webpackbar fix (PR #11981), which is a normal build-tool regression fix, not a behavior that suggests a supply-chain implant.
  • Obfuscation / exfil / spawning: The scanner’s 0 IOC result matches manual assessment: reported items are heuristic noise on upstream repo text (e.g. the word “exec” in changelog links, cross-spawn / @actions/exec in yarn.lock, “base64” in changelog and package names), plus emoji in markdown and binary image hits—not Trojan Source or hidden payloads in your app code.
  • Invisible Unicode / homoglyphs: Findings are emoji in docs, NUL/offsets in PNG/JPG (expected for binaries), not PUA/zero-width/bidi smuggling in source the way GlassWorm-style attacks present.
  • Dependency integrity: A 3.10.0 → 3.10.1 jump is minimal semver; nothing here indicates a forged version or typosquat (@docusaurus/core is correct). Your tree may still resolve nested 3.10.0 copies under plugins until all @docusaurus/* are on the same minor/patch—that’s lockfile dedup, not malware.

Scanner vs interpretation: The report’s status: warn reflects noisy rules on a broad upstream diff (59 files including website/blog assets and monorepo yarn.lock), not evidence of compromise in this npm bump. If anything in the PR changed .github/workflows/ outside Dependabot’s normal manifest updates, that would warrant a separate look—that’s not indicated in what you shared.

Actionable (non-security): After merge, consider bumping all @docusaurus/* to ^3.10.1 and regenerating the lockfile so you don’t carry duplicate @docusaurus/core versions—hygiene, not a malicious signal.

Compatibility Analysis

Gathering usage sites and verifying upstream changes for this patch release.

1) Where @docusaurus/core is used

  • Direct dependency: package.json lists @docusaurus/core and npm scripts call the docusaurus CLI (start, build, etc.).
  • Babel: babel.config.js uses require.resolve('@docusaurus/core/lib/babel/preset').
  • Site config: docusaurus.config.js is a standard Classic preset setup with JSDoc types from @docusaurus/types / @docusaurus/preset-classic (those types ship with the stack, not separate “core API” calls in your repo).
  • Runtime imports (from other @docusaurus/* packages that core wires up): e.g. Link, useDocusaurusContext, ExecutionEnvironment, useColorMode in src/pages/index.js, src/components/*, src/theme/prism-include-languages.js.

Core is not imported by name in app code except the Babel preset path above.

2) Intersection with 3.10.1 changes

Upstream v3.10.1 only cherry-picks PR #11981: docusaurus-bundler bumps webpackbar from ^6.0.1 to ^7.0.0 to fix a build-time issue with a webpack change. That is CLI/build pipeline only, not documented public surface for DocusaurusConfig, Babel preset, or React client APIs you use.

Conclusion: Your usage does not sit on APIs that this patch is documented to change.

3) Risks / unknowns

  • Version skew: If package-lock.json still nests @docusaurus/core@3.10.0 under plugins while the root is 3.10.1, you can get duplicate installs until the lockfile / sibling @docusaurus/* versions are aligned (e.g. bump @docusaurus/preset-classic and @docusaurus/plugin-google-gtag to ^3.10.1 and reinstall). That is a resolution hygiene issue, not a signal that 3.10.1 is unsafe.
  • Build toolchain: webpackbar v7 is a transitive change; extremely low risk for site output, but CI should still run docusaurus build once to confirm.

4) Recommendation

Merge (optionally merge-with-caveats only if CI fails or the lockfile still pins mixed 3.10.0 / 3.10.1 for @docusaurus/core—then align all @docusaurus/* patch versions and refresh the lockfile in the same PR or a fast follow).


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 59
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: 0d98888a7645a5fb1330c905b75faf868f829f5c..41c1a458ecb07d61b6df2761ea4bc1b13db49d12
  • Resolved refs: from=0d98888a7645a5fb1330c905b75faf868f829f5c to=41c1a458ecb07d61b6df2761ea4bc1b13db49d12
  • Unicode findings (post-allowlist): 3
  • Confusable findings (post-allowlist): 3
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 37

Top findings

  • website/blog/releases/3.10/img/social-card.png:0 unicode :: binary file matches (found "\0" byte around offset 8)
  • admin/publish-legacy.md:249 unicode :: - New code blocks features 🖥️
  • admin/publish-legacy.md:250 unicode :: - Draft blog posts ✏️
  • website/blog/releases/3.10/img/social-card.png:0 confusable :: binary file matches (found "\0" byte around offset 8)
  • website/blog/releases/3.10/img/security.jpg:0 confusable :: binary file matches (found "\0" byte around offset 4)
  • website/blog/releases/3.10/img/provenance.jpg:0 confusable :: binary file matches (found "\0" byte around offset 4)
  • packages/create-docusaurus/package.json:27 shell_process_spawn :: "cross-spawn": "^7.0.6",
  • CHANGELOG.md:348 shell_process_spawn :: - [#11347](https://github.com/facebook/docusaurus/pull/11347) fix(core): Fix docusaurus start on macOS when exec throws a synchronous error ([@slorber](https://github.com/slorber))
  • yarn.lock:10 shell_process_spawn :: "@actions/exec" "^3.0.0"
  • yarn.lock:13 shell_process_spawn :: "@actions/exec@^3.0.0":
  • yarn.lock:15 shell_process_spawn :: resolved "https://registry.yarnpkg.com/@actions/exec/-/exec-3.0.0.tgz#8c3464d20f0aa4068707757021d7e3c01a7ee203"
  • yarn.lock:2911 shell_process_spawn :: "@jsdevtools/ez-spawn@^3.0.4":
  • yarn.lock:2913 shell_process_spawn :: resolved "https://registry.yarnpkg.com/@jsdevtools/ez-spawn/-/ez-spawn-3.0.4.tgz#5641eb26fee6d31ec29f6788eba849470c52c7ff"
  • yarn.lock:2917 shell_process_spawn :: cross-spawn "^7.0.3"
  • yarn.lock:3230 shell_process_spawn :: "@npmcli/promise-spawn" "^6.0.0"
  • yarn.lock:3268 shell_process_spawn :: "@npmcli/promise-spawn@^6.0.0", "@npmcli/promise-spawn@^6.0.1":
  • yarn.lock:3270 shell_process_spawn :: resolved "https://registry.yarnpkg.com/@npmcli/promise-spawn/-/promise-spawn-6.0.2.tgz#c8bc4fa2bd0f01cb979d8798ba038f314cfa70f2"
  • yarn.lock:3281 shell_process_spawn :: "@npmcli/promise-spawn" "^6.0.0"
  • yarn.lock:7806 shell_process_spawn :: cross-spawn "^7.0.6"
  • yarn.lock:7808 shell_process_spawn :: cross-spawn@^6.0.5:
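
The invisible-Unicode triage the analysis above describes (NUL bytes in PNG/JPG are expected binary content, emoji in markdown are noise, bidi controls in source are the Trojan Source pattern), written out as an added example. This is not code from the Docusaurus project, the Cursor scanner or this repository; the severity tiers, the docs-versus-source split by file extension, and the sample file contents are this example's own assumptions:

```javascript
// Added example, not project or scanner code. Classifies Unicode findings the
// way the review interprets them; tiers and file-type split are assumptions.

const BIDI_CONTROLS = new Set([
  0x202a, 0x202b, 0x202c, 0x202d, 0x202e, // LRE RLE PDF LRO RLO
  0x2066, 0x2067, 0x2068, 0x2069,         // LRI RLI FSI PDI
]);
// Render as nothing. ZWJ (U+200D) and BOM (U+FEFF) have legitimate uses,
// which is why docs files get a lower tier below.
const ZERO_WIDTH = new Set([0x200b, 0x200c, 0x200d, 0x2060, 0xfeff, 0x00ad]);
const DOC_EXTENSIONS = /\.(md|mdx|txt|rst)$/i;
const SEVERITY_RANK = { none: 0, info: 1, low: 2, high: 3 };

function isPrivateUse(cp) {
  return (cp >= 0xe000 && cp <= 0xf8ff) || (cp >= 0xf0000 && cp <= 0xffffd) ||
    (cp >= 0x100000 && cp <= 0x10fffd);
}

// Rough emoji heuristic: the symbol blocks plus variation selector-16, which
// is what turns U+1F5A5 into the screen emoji used in the release notes.
function isEmojiLike(cp) {
  return (cp >= 0x1f000 && cp <= 0x1faff) || (cp >= 0x2600 && cp <= 0x27bf) || cp === 0xfe0f;
}

// A NUL byte in the first 8 KiB marks the file as binary; this is why the
// PNG/JPG "\0" hits in the scanner output are expected and not findings.
function looksBinary(bytes) {
  const limit = Math.min(bytes.length, 8192);
  for (let i = 0; i < limit; i++) if (bytes[i] === 0) return true;
  return false;
}

function classify(cp, isDoc) {
  if (BIDI_CONTROLS.has(cp)) return { category: 'bidi', severity: 'high' };
  if (ZERO_WIDTH.has(cp)) return { category: 'zero_width', severity: isDoc ? 'low' : 'high' };
  if (isPrivateUse(cp)) return { category: 'private_use', severity: isDoc ? 'low' : 'high' };
  if (isEmojiLike(cp)) return { category: 'emoji', severity: 'info' };
  return null;
}

// content is a string or a Uint8Array. Returns { kind, verdict, findings }.
function scanUnicode(path, content) {
  if (typeof content !== 'string') {
    if (looksBinary(content)) return { kind: 'binary', verdict: 'none', findings: [] };
    content = new TextDecoder().decode(content);
  }
  const isDoc = DOC_EXTENSIONS.test(path);
  const findings = [];
  let line = 1, col = 1, verdict = 'none';
  for (const ch of content) { // for..of walks code points, not UTF-16 units
    const cp = ch.codePointAt(0);
    if (cp === 0x0a) { line++; col = 1; continue; }
    const hit = classify(cp, isDoc);
    if (hit) {
      findings.push({ path, line, col, codePoint: cp, ...hit });
      if (SEVERITY_RANK[hit.severity] > SEVERITY_RANK[verdict]) verdict = hit.severity;
    }
    col++;
  }
  return { kind: 'text', verdict, findings };
}

// Constructed samples (not real repository content): the two emoji lines
// quoted by the scanner, a PNG header, a Trojan Source style comment trick,
// a zero-width space hidden in an identifier, and a ZWJ emoji sequence.
const SAMPLES = {
  'admin/publish-legacy.md': '- New code blocks features \u{1F5A5}\uFE0F\n- Draft blog posts \u270F\uFE0F\n',
  'website/blog/releases/3.10/img/social-card.png':
    new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]),
  'src/auth.js': 'let allow = false; /* \u202E } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n',
  'src/index.js': 'const pass\u200Bword = "x";\n',
  'docs/notes.md': 'family: \u{1F468}\u200D\u{1F469}\n',
};

function triage(samples = SAMPLES) {
  const out = {};
  for (const [path, content] of Object.entries(samples)) out[path] = scanUnicode(path, content);
  return out;
}

for (const [path, r] of Object.entries(triage())) {
  console.log(`${path}: ${r.kind}, verdict=${r.verdict}, findings=${r.findings.length}`);
}
```

On the constructed inputs the PNG is skipped as binary, the two release-note lines come back as info-only emoji hits, the ZWJ inside the emoji sequence in a markdown file is low, and the bidi controls and the zero-width space in .js files are high, which is the split between scanner noise and a real Trojan Source or identifier-smuggling signal.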

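A check for the lockfile version skew the analysis above flags as a risk (root @docusaurus/core at 3.10.1 while plugins still nest 3.10.0), as an added example that is not the docs site's own tooling or Docusaurus code. The package-lock.json below is constructed for illustration, including the assumption that sibling @docusaurus/* packages pin @docusaurus/core at an exact version; only lockfileVersion 2/3 "packages" maps are handled:

```javascript
// Added example, not project code. SAMPLE_LOCK is a constructed lockfile
// modelling the "nested 3.10.0 under plugins" case; the exact-version pins
// on the sibling packages are an assumption for illustration.

const SAMPLE_LOCK = {
  name: 'docs-site',
  lockfileVersion: 3,
  packages: {
    '': { name: 'docs-site', dependencies: {
      '@docusaurus/core': '^3.10.1',
      '@docusaurus/preset-classic': '^3.10.0',
      '@docusaurus/plugin-google-gtag': '^3.10.0',
    } },
    'node_modules/@docusaurus/core': { version: '3.10.1' },
    'node_modules/@docusaurus/preset-classic': { version: '3.10.0', dependencies: { '@docusaurus/core': '3.10.0' } },
    'node_modules/@docusaurus/preset-classic/node_modules/@docusaurus/core': { version: '3.10.0' },
    'node_modules/@docusaurus/plugin-google-gtag': { version: '3.10.0', dependencies: { '@docusaurus/core': '3.10.0' } },
    'node_modules/@docusaurus/plugin-google-gtag/node_modules/@docusaurus/core': { version: '3.10.0' },
    'node_modules/webpackbar': { version: '7.0.0' },
  },
};

const NM = 'node_modules/';

// "node_modules/a/node_modules/@s/b" -> { name: "@s/b", nestedUnder: "a" }
function splitLockPath(lockPath) {
  const last = lockPath.lastIndexOf(NM);
  if (last === -1) return null;
  const name = lockPath.slice(last + NM.length);
  const prefix = lockPath.slice(0, last).replace(/\/$/, '');
  const parent = prefix.lastIndexOf(NM);
  return { name, nestedUnder: parent === -1 ? null : prefix.slice(parent + NM.length) };
}

// Numeric major.minor.patch comparison; prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('.').map((x) => parseInt(x, 10));
  const pb = b.split('.').map((x) => parseInt(x, 10));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Every package in `scope` installed at more than one version, with each
// copy's install path and the dependent the nested copy sits under.
function findVersionSkew(lock, scope = '@docusaurus/') {
  if (!lock.packages) throw new Error('need a lockfileVersion 2 or 3 file with a "packages" map');
  const installs = new Map();
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === '' || !entry.version) continue;
    const loc = splitLockPath(lockPath);
    if (!loc || !loc.name.startsWith(scope)) continue;
    if (!installs.has(loc.name)) installs.set(loc.name, []);
    installs.get(loc.name).push({ version: entry.version, path: lockPath, nestedUnder: loc.nestedUnder });
  }
  const skew = [];
  for (const [name, copies] of installs) {
    const versions = new Set(copies.map((c) => c.version));
    if (versions.size > 1) {
      skew.push({
        name,
        versions: [...versions].sort(compareVersions),
        copies: copies.sort((a, b) => a.path.localeCompare(b.path)),
      });
    }
  }
  return skew.sort((a, b) => a.name.localeCompare(b.name));
}

// Direct dependencies in `scope` whose hoisted version lags the newest version
// of the scope anywhere in the tree. Bumping these ranges and reinstalling is
// what lets npm dedupe the nested copies.
function suggestBumps(lock, scope = '@docusaurus/') {
  let newest = null;
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    const loc = lockPath === '' ? null : splitLockPath(lockPath);
    if (!loc || !loc.name.startsWith(scope) || !entry.version) continue;
    if (newest === null || compareVersions(entry.version, newest) > 0) newest = entry.version;
  }
  const bumps = {};
  const direct = (lock.packages[''] && lock.packages[''].dependencies) || {};
  for (const name of Object.keys(direct)) {
    if (!name.startsWith(scope)) continue;
    const hoisted = lock.packages[NM + name];
    if (hoisted && hoisted.version && compareVersions(hoisted.version, newest) < 0) bumps[name] = '^' + newest;
  }
  return bumps;
}

for (const s of findVersionSkew(SAMPLE_LOCK)) console.log(`${s.name} resolves at ${s.versions.join(', ')}`);
console.log('suggested package.json bumps:', suggestBumps(SAMPLE_LOCK));
```

Against a real repository, load the lockfile with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) and pass it to findVersionSkew; npm's own view of the same thing is npm ls @docusaurus/core, which prints every resolved copy and the dependent it nests under.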