Skip to content

deps: bump the production-deps group across 1 directory with 27 updates#87

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/production-deps-4ac195faf7
Closed

deps: bump the production-deps group across 1 directory with 27 updates#87
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/production-deps-4ac195faf7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 14, 2026

Copy link
Copy Markdown

Bumps the production-deps group with 27 updates in the / directory:

Package From To
@passwordless-id/webauthn 2.3.5 2.4.0
@tauri-apps/api 2.10.1 2.11.0
@tauri-apps/plugin-deep-link 2.4.8 2.4.9
@tauri-apps/plugin-dialog 2.7.0 2.7.1
@tauri-apps/plugin-fs 2.5.0 2.5.1
@tauri-apps/plugin-global-shortcut 2.3.1 2.3.2
@tauri-apps/plugin-opener 2.5.3 2.5.4
bits-ui 2.18.0 2.18.1
dexie 4.4.2 4.4.3
dompurify 3.4.2 3.4.10
openpgp 6.3.0 6.3.1
preact 10.29.1 10.29.2
svelte 5.55.1 5.56.3
tailwind-merge 3.5.0 3.6.0
@internationalized/date 3.12.1 3.12.2
@playwright/test 1.59.1 1.61.0
@tailwindcss/postcss 4.2.4 4.3.1
@tauri-apps/cli 2.10.1 2.11.2
@typescript-eslint/eslint-plugin 8.59.1 8.61.1
@typescript-eslint/parser 8.59.1 8.61.1
postcss 8.5.13 8.5.15
prettier 3.8.3 3.8.4
svelte-check 4.4.7 4.6.0
svelte-eslint-parser 1.6.0 1.8.0
tailwindcss 4.2.4 4.3.1
typescript-eslint 8.59.1 8.61.1
workbox-cli 7.4.0 7.4.1

Updates @passwordless-id/webauthn from 2.3.5 to 2.4.0

Release notes

Sourced from @​passwordless-id/webauthn's releases.

2.4.0

IMPORTANT NOTE: In this version the browser field was removed in package.json due to issues how various tooling interpret it. Check out #108 for more details.

Commits
  • bd07189 Removed "browser" field and updated authenticator devices metadata/icons
  • 40e3c21 Merge pull request #112 from passwordless-id/dependabot/npm_and_yarn/npm_and_...
  • 3926a2f chore(deps): bump the npm_and_yarn group across 1 directory with 4 updates
  • ec42719 Merge pull request #110 from passwordless-id/dependabot/npm_and_yarn/npm_and_...
  • 3b514d8 chore(deps): bump minimatch in the npm_and_yarn group across 1 directory
  • efd757a Merge pull request #109 from passwordless-id/dependabot/npm_and_yarn/npm_and_...
  • 3fcfbce chore(deps-dev): bump qs in the npm_and_yarn group across 1 directory
  • See full diff in compare view

Updates @tauri-apps/api from 2.10.1 to 2.11.0

Release notes

Sourced from @​tauri-apps/api's releases.

@​tauri-apps/api v2.11.0

No known vulnerabilities found

[2.11.0]

New Features

  • 074299c08 (#14307) Add Bring All to Front predefined menu item type
  • a12142a48 (#14357) Add macos support for setting the icon and icon template state in the same step of the main thread, to prevent flickering.
  • 001c8fe3d (#14722) Add a WebView option to control browser-level general autofill behavior. This option does not disable password or credit card autofill. On Windows (WebView2), setting it to true disables the general autofill "Suggestions" UI, which may appear even when autocomplete="off" is specified on input elements. On Linux, macOS, iOS, and Android, this option is currently unsupported and performs no operation.
  • eb0312ea9 (#15199) Propagates the Event::Suspended and Event::Resumed events from tao when they are emitted on mobile targets.
> @tauri-apps/api@2.11.0 npm-publish /home/runner/work/tauri/tauri/packages/api
> pnpm build && cd ./dist && pnpm publish --access public --loglevel silly --no-git-checks

> @​tauri-apps/api@​2.11.0 build /home/runner/work/tauri/tauri/packages/api > rollup -c --configPlugin typescript

�[36m �[1m./src/app.ts, ./src/core.ts, ./src/dpi.ts, ./src/event.ts, ./src/image.ts, ./src/index.ts, ./src/menu.ts, ./src/mocks.ts, ./src/path.ts, ./src/tray.ts, ./src/webview.ts, ./src/webviewWindow.ts, ./src/window.ts�[22m → �[1m./dist, ./dist�[22m...�[39m �[32mcreated �[1m./dist, ./dist�[22m in �[1m1s�[22m�[39m �[36m �[1msrc/index.ts�[22m → �[1m../../crates/tauri/scripts/bundle.global.js�[22m...�[39m �[32mcreated �[1m../../crates/tauri/scripts/bundle.global.js�[22m in �[1m1.6s�[22m�[39m npm verbose cli /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/npm npm info using npm@11.11.0 npm info using node@v24.14.1 npm silly config load:file:/opt/hostedtoolcache/node/24.14.1/x64/lib/node_modules/npm/npmrc npm silly config load:file:/tmp/62753b73fd2498862aee9b07ed29cc21/.npmrc npm silly config load:file:/home/runner/.npmrc npm silly config load:file:/home/runner/.config/pnpm/rc npm verbose title npm publish tauri-apps-api-2.11.0.tgz npm verbose argv "publish" "--ignore-scripts" "tauri-apps-api-2.11.0.tgz" "--access" "public" "--loglevel" "silly" npm verbose logfile logs-max:10 dir:/home/runner/.npm/_logs/2026-04-30T15_51_13_171Z- npm verbose logfile /home/runner/.npm/_logs/2026-04-30T15_51_13_171Z-debug-0.log npm warn Unknown env config "verify-deps-before-run". This will stop working in the next major version of npm. See npm help npmrc for supported config options. npm warn Unknown env config "npm-globalconfig". This will stop working in the next major version of npm. See npm help npmrc for supported config options. npm warn Unknown env config "_jsr-registry". This will stop working in the next major version of npm. See npm help npmrc for supported config options. </tr></table>

... (truncated)

Commits
  • e60834f Apply Version Updates From Current Changes (#15041)
  • df05c00 chore: minor bump for codegen crate
  • 13bea17 chore: fmt
  • 9808236 fix(macOS): correct value for work_area.position.y (#14655)
  • eb0312e feat(mobile): Propagate tao::Event::Suspended and tao::Event::Resumed to the ...
  • 4ef5797 feat(ios): add --no-sign and --archive-only flags to ios build (#15061)
  • 110336c fix(macOS): fix incorrect window position on multi-monitor setups (#15250)
  • c00a3db feat(macros): add support for rename command macro in tauri-macros #14173 (#1...
  • 764b913 feat(cli): restart Android emulator if it is disconnected from adb (#14313)
  • 1035f12 fix(windows): tauri-bundler detect arm system (#14923)
  • Additional commits viewable in compare view

Updates @tauri-apps/plugin-deep-link from 2.4.8 to 2.4.9

Release notes

Sourced from @​tauri-apps/plugin-deep-link's releases.

deep-link-js v2.4.9

[2.4.9]

npm warn Unknown user config "always-auth". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm warn publish npm auto-corrected some errors in your package.json when publishing.  Please run "npm pkg fix" to address these errors.
npm warn publish errors corrected:
npm warn publish "repository" was changed from a string to an object
npm warn publish "repository.url" was normalized to "git+https://github.com/tauri-apps/plugins-workspace.git"
npm notice
npm notice 📦  @tauri-apps/plugin-deep-link@2.4.9
npm notice Tarball Contents
npm notice 888B LICENSE.spdx
npm notice 6.2kB README.md
npm notice 3.5kB dist-js/index.cjs
npm notice 2.9kB dist-js/index.d.ts
npm notice 3.4kB dist-js/index.js
npm notice 801B package.json
npm notice Tarball Details
npm notice name: @tauri-apps/plugin-deep-link
npm notice version: 2.4.9
npm notice filename: tauri-apps-plugin-deep-link-2.4.9.tgz
npm notice package size: 4.4 kB
npm notice unpacked size: 17.7 kB
npm notice shasum: ae56d59130380f806b533b3107c3f16654e66a8d
npm notice integrity: sha512-u0SKOUHnJ1wqe[...]hIvqLBRpgHJlA==
npm notice total files: 6
npm notice
npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm notice publish Signed provenance statement with source and build information from GitHub Actions
npm notice publish Provenance statement published to transparency log: https://search.sigstore.dev/?logIndex=1429011657
+ @tauri-apps/plugin-deep-link@2.4.9

deep-link v2.4.9

[2.4.9]

</tr></table> 

... (truncated)

Commits
  • 5c7668b publish new versions (#3397)
  • ec05401 chore(deps): update rust crate toml to v1 (#3323)
  • b86e999 chore(deps): update tauri packages to 2.11 (#3407)
  • c463d8a chore(deps): update rustls-webpki in lockfile, ignore core2 in audit (#3405)
  • 1bb7beb chore(deps): bump openssl (#3402)
  • 3412fa2 docs(readme): fix platform support matrix (opener supports mobile)
  • af81fda docs(readme): fix platform support matrix (mobile is supported)
  • c1fd33b fix(opener): allow open network share locations (#3343)
  • 250857b chore(deps): update dependency typescript to v6 (#3363)
  • 964e13f fix(store): dead lock trying to set while exiting (#3395)
  • Additional commits viewable in compare view

Updates @tauri-apps/plugin-dialog from 2.7.0 to 2.7.1

Release notes

Sourced from @​tauri-apps/plugin-dialog's releases.

dialog-js v2.7.1

[2.7.1]

Dependencies

  • Upgraded to fs-js@2.5.1
npm warn Unknown user config "always-auth". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm warn publish npm auto-corrected some errors in your package.json when publishing.  Please run "npm pkg fix" to address these errors.
npm warn publish errors corrected:
npm warn publish "repository" was changed from a string to an object
npm warn publish "repository.url" was normalized to "git+https://github.com/tauri-apps/plugins-workspace.git"
npm notice
npm notice 📦  @tauri-apps/plugin-dialog@2.7.1
npm notice Tarball Contents
npm notice 888B LICENSE.spdx
npm notice 3.5kB README.md
npm notice 6.9kB dist-js/index.cjs
npm notice 14.6kB dist-js/index.d.ts
npm notice 6.8kB dist-js/index.js
npm notice 11B dist-js/init.d.ts
npm notice 657B package.json
npm notice Tarball Details
npm notice name: @tauri-apps/plugin-dialog
npm notice version: 2.7.1
npm notice filename: tauri-apps-plugin-dialog-2.7.1.tgz
npm notice package size: 6.7 kB
npm notice unpacked size: 33.3 kB
npm notice shasum: fc83387de807c8d064d2b64b1b813b84e8286a12
npm notice integrity: sha512-OK1UBXYt+ojcm[...]FmEOjIY9IhzOQ==
npm notice total files: 7
npm notice
npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm notice publish Signed provenance statement with source and build information from GitHub Actions
npm notice publish Provenance statement published to transparency log: https://search.sigstore.dev/?logIndex=1429011725
+ @tauri-apps/plugin-dialog@2.7.1

dialog v2.7.1

[2.7.1]

Dependencies

  • Upgraded to fs-js@2.5.1

... (truncated)

Commits
  • e7a68fa publish new versions (#3068)
  • b5550a3 chore: temp delete updater changefile
  • 93426f8 fix: fix docsrs builds
  • 4ee61e0 Revert "chore: temp delete updater changefile"
  • 06124af publish new versions (#2972)
  • 060219e chore(deps): update dependency @​rollup/plugin-typescript to v12.3.0 (#3067)
  • c7e9766 chore(deps): update tauri monorepo (v2) (#3058)
  • d4a8ce9 chore(deps): update rust crate tokio-tungstenite to 0.28 (#3016)
  • cdc7eec chore(deps): update dependency @​rollup/plugin-typescript to v12.2.0 (#3066)
  • 6314b00 chore: temp delete updater changefile
  • Additional commits viewable in compare view

Updates @tauri-apps/plugin-fs from 2.5.0 to 2.5.1

Release notes

Sourced from @​tauri-apps/plugin-fs's releases.

fs-js v2.5.1

[2.5.1]

npm warn Unknown user config "always-auth". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm warn publish npm auto-corrected some errors in your package.json when publishing.  Please run "npm pkg fix" to address these errors.
npm warn publish errors corrected:
npm warn publish "repository" was changed from a string to an object
npm warn publish "repository.url" was normalized to "git+https://github.com/tauri-apps/plugins-workspace.git"
npm notice
npm notice 📦  @tauri-apps/plugin-fs@2.5.1
npm notice Tarball Contents
npm notice 888B LICENSE.spdx
npm notice 2.4kB README.md
npm notice 32.8kB dist-js/index.cjs
npm notice 32.6kB dist-js/index.d.ts
npm notice 32.0kB dist-js/index.js
npm notice 697B package.json
npm notice Tarball Details
npm notice name: @tauri-apps/plugin-fs
npm notice version: 2.5.1
npm notice filename: tauri-apps-plugin-fs-2.5.1.tgz
npm notice package size: 21.5 kB
npm notice unpacked size: 101.5 kB
npm notice shasum: e1b8643d41c74251699fcdecc800877d18a4a6fc
npm notice integrity: sha512-9Lz+Jopp6QyeE[...]tqPB/XEMS3NhQ==
npm notice total files: 6
npm notice
npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm notice publish Signed provenance statement with source and build information from GitHub Actions
npm notice publish Provenance statement published to transparency log: https://search.sigstore.dev/?logIndex=1429011689
+ @tauri-apps/plugin-fs@2.5.1

fs v2.5.1

[2.5.1]

</tr></table> 

... (truncated)

Commits
  • 5c7668b publish new versions (#3397)
  • ec05401 chore(deps): update rust crate toml to v1 (#3323)
  • b86e999 chore(deps): update tauri packages to 2.11 (#3407)
  • c463d8a chore(deps): update rustls-webpki in lockfile, ignore core2 in audit (#3405)
  • 1bb7beb chore(deps): bump openssl (#3402)
  • 3412fa2 docs(readme): fix platform support matrix (opener supports mobile)
  • af81fda docs(readme): fix platform support matrix (mobile is supported)
  • c1fd33b fix(opener): allow open network share locations (#3343)
  • 250857b chore(deps): update dependency typescript to v6 (#3363)
  • 964e13f fix(store): dead lock trying to set while exiting (#3395)
  • Additional commits viewable in compare view

Updates @tauri-apps/plugin-global-shortcut from 2.3.1 to 2.3.2

Release notes

Sourced from @​tauri-apps/plugin-global-shortcut's releases.

upload-js v2.3.2

[2.3.2]

  • 93426f85 Fixed an issue that caused docs.rs builds to fail. No user facing changes.
npm warn publish npm auto-corrected some errors in your package.json when publishing.  Please run "npm pkg fix" to address these errors.
npm warn publish errors corrected:
npm warn publish "repository" was changed from a string to an object
npm warn publish "repository.url" was normalized to "git+https://github.com/tauri-apps/plugins-workspace.git"
npm notice
npm notice 📦  @tauri-apps/plugin-upload@2.3.2
npm notice Tarball Contents
npm notice 888B LICENSE.spdx
npm notice 3.2kB README.md
npm notice 1.4kB dist-js/index.cjs
npm notice 507B dist-js/index.d.ts
npm notice 1.4kB dist-js/index.js
npm notice 729B package.json
npm notice Tarball Details
npm notice name: @tauri-apps/plugin-upload
npm notice version: 2.3.2
npm notice filename: tauri-apps-plugin-upload-2.3.2.tgz
npm notice package size: 2.9 kB
npm notice unpacked size: 8.1 kB
npm notice shasum: 4c0d9af44b28f9b05905ff8972a5438b642fc260
npm notice integrity: sha512-h/V8RqsbVpJSt[...]RqpUr0Dk9DuGA==
npm notice total files: 6
npm notice
npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm notice publish Signed provenance statement with source and build information from GitHub Actions
npm notice publish Provenance statement published to transparency log: https://search.sigstore.dev/?logIndex=644611265
+ @tauri-apps/plugin-upload@2.3.2

upload v2.3.2

[2.3.2]

  • 93426f85 Fixed an issue that caused docs.rs builds to fail. No user facing changes.
Updating crates.io index
</tr></table> 

... (truncated)

Commits
  • e7a68fa publish new versions (#3068)
  • b5550a3 chore: temp delete updater changefile
  • 93426f8 fix: fix docsrs builds
  • 4ee61e0 Revert "chore: temp delete updater changefile"
  • 06124af publish new versions (#2972)
  • 060219e chore(deps): update dependency @​rollup/plugin-typescript to v12.3.0 (#3067)
  • c7e9766 chore(deps): update tauri monorepo (v2) (#3058)
  • d4a8ce9 chore(deps): update rust crate tokio-tungstenite to 0.28 (#3016)
  • cdc7eec chore(deps): update dependency @​rollup/plugin-typescript to v12.2.0 (#3066)
  • 6314b00 chore: temp delete updater changefile
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tauri-apps/plugin-global-shortcut since your current version.


Updates @tauri-apps/plugin-opener from 2.5.3 to 2.5.4

Release notes

Sourced from @​tauri-apps/plugin-opener's releases.

opener-js v2.5.4

[2.5.4]

npm warn Unknown user config "always-auth". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm warn publish npm auto-corrected some errors in your package.json when publishing.  Please run "npm pkg fix" to address these errors.
npm warn publish errors corrected:
npm warn publish "repository" was changed from a string to an object
npm warn publish "repository.url" was normalized to "git+https://github.com/tauri-apps/plugins-workspace.git"
npm notice
npm notice 📦  @tauri-apps/plugin-opener@2.5.4
npm notice Tarball Contents
npm notice 888B LICENSE.spdx
npm notice 4.2kB README.md
npm notice 3.1kB dist-js/index.cjs
npm notice 2.0kB dist-js/index.d.ts
npm notice 3.1kB dist-js/index.js
npm notice 11B dist-js/init.d.ts
npm notice 730B package.json
npm notice Tarball Details
npm notice name: @tauri-apps/plugin-opener
npm notice version: 2.5.4
npm notice filename: tauri-apps-plugin-opener-2.5.4.tgz
npm notice package size: 3.5 kB
npm notice unpacked size: 14.1 kB
npm notice shasum: b37883e4d36125b8c5a0c74f683395958a65bd7d
npm notice integrity: sha512-1HnPkb+AmgO29[...]aUJtT57lfO9CQ==
npm notice total files: 7
npm notice
npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm notice publish Signed provenance statement with source and build information from GitHub Actions
npm notice publish Provenance statement published to transparency log: https://search.sigstore.dev/?logIndex=1429011743
+ @tauri-apps/plugin-opener@2.5.4

opener v2.5.4

[2.5.4]

... (truncated)

Commits

Updates bits-ui from 2.18.0 to 2.18.1

Release notes

Sourced from bits-ui's releases.

bits-ui@2.18.1

Patch Changes

  • fix(text-selection-layer): snapshot enabled and pointer handlers for listeners (#2041)

  • fix(Tooltip): set wrapper pointer-events when hoverable content is disabled (#2041)

  • fix(Menu): prevent page scroll-jump on item hover when scroll-padding is set (#2035)

Commits
  • 25f8137 Version Packages (#2042)
  • 158364e fix(menu): use preventScroll when focusing items on hover and content on item...
  • 5a3f7ce fix(Tooltip): pointer event handling (#2041)
  • 788fc03 chore: update workflows to Node 24 and latest action versions (#2032)
  • See full diff in compare view

Updates dexie from 4.4.2 to 4.4.3

Release notes

Sourced from dexie's releases.

Dexie v4.4.3

This is a maintenance release with bug fixes and a configuration API improvement.

Related Package Releases

Package Version
dexie 4.4.3
dexie-cloud-addon 4.4.13

Bug Fixes

dexie@4.4.3

  • fix: delByKeyPath() creates empty intermediate objects on missing pathDexie.delByKeyPath(obj, "foo.bar") on an object without foo would create {foo: {}} as a side effect instead of doing nothing. This caused a real-world bug in dexie-cloud-addon where clearing a dotted key from a changeSpec (e.g. claims.sub) would leave {claims: {}} in the spec, which then overwrote the inline primary key with undefined, resulting in: DataError: Evaluating the object store's key path did not yield a value. Fixed in setByKeyPath to bail out early when value is undefined and the intermediate path doesn't exist. (#2303)

  • fix: Collection.sortBy() mutates frozen array in immutable cache mode — calling .sortBy() on a table when using immutable cache mode could throw TypeError: Cannot assign to read only property because Array.sort() was called on a frozen array. Fixed by sorting on a copy instead. (#2294)

dexie-cloud-addon@4.4.12

  • rename: maxStringLengthlargeStringThreshold — the string offloading option is renamed for clarity. The old name is kept as a backward-compatible alias. (#2290)

  • fix: blob writebacks routed through BlobSavingQueue to avoid PSD context loss — after an async native fetch (blob download), Dexie's PSD zone is no longer active, causing table.mutate() to crash with Cannot read properties of undefined (reading 'table'). This surfaced as [dexie-cloud:blobResolve] Failed to resolve BlobRefs. Fixed by always routing blob writebacks through BlobSavingQueue.saveBlobs(), which opens a proper Dexie rw-transaction in a fresh JS task. Fixes lazy blob mode crash when using Dexie hooks with dexie-cloud-addon. (#2302)

  • fix: eager blob downloader could starve RAM — the eager downloader triggered blobResolveMiddleware which resolved all pending blobs into memory at once. Fixed by downloading blobs in chunks with a query limit, so memory usage stays bounded regardless of how many blobs are pending. (#2302)

  • fix: in-flight blob downloads are now deduplicated — if a blob is requested after download starts but before it is persisted, the existing download promise is reused instead of starting a new download. (#2302)

  • fix: use cache: no-store for blob fetch requests — avoids the browser caching raw blob responses and double-storing them. (#2302)

dexie-cloud-addon@4.4.13

  • fix: DataError when applying server-side $logins update — when a user received a server update for the $logins table, dexie-cloud-addon tried to clear claims.sub from the changeSpec using delByKeyPath. Due to the bug above, this left {claims: {}} in the spec, overwriting the inline primary key with undefined and causing DataError: Evaluating the object store's key path did not yield a value. Fixed by guarding against empty changeSpec objects after key deletion. (#2304)

Other Changes

  • dexie-observable and dexie-syncable README updated to mark them as legacy/unmaintained, with a recommendation to use dexie-cloud-addon for sync. (#2298)
Commits
  • 30134f6 Trigger new dev build
  • 9dd614d DataError after updating a user in dexie cloud when that user got an update f...
  • 0919742 Trigger dev build
  • 2710301 Fix delByKeyPath so that it does not create empty object when keyPath is dott...
  • a024831 dexie-cloud-addon@4.4.12
  • 988ec9c Merge pull request #2302 from dexie/liz/fix-blobsave-hooks-psd-context
  • b74758f Use cache: no-store to avoid double storing blobs
  • ed59f5c Implify one bit more
  • f0bb943 Simplified the loop in eagerBlobDownloader by requesting keys first.
  • d2c3ef0 Bugfix: eager blob downloader would trigger blobResolveMiddleware and resolve...
  • Additional commits viewable in compare view

Updates dompurify from 3.4.2 to 3.4.10

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.10

  • Refactored codebase for clarity: extracted the public type declarations into types.ts
  • Decomposed the three largest sanitizer functions into focused helpers
  • Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
  • Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
  • Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
  • Reduced CI cost by running the full three-engine browser suite once per PR
  • Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo
  • Documented the bench and test:happydom scripts in the README
  • Completed the Attack Classes & Bypass History wiki page
  • Bumped several dependencies where possible

DOMPurify 3.4.9

  • Further improved the handling of Trusted Types config options, thanks @​offset
  • Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
  • Added more test coverage for IN_PLACE and Trusted Types related usage
  • Bumped several dependencies where possible
  • Updated README and wiki with more accurate documentation & attack samples

DOMPurify 3.4.8

  • Cleaned up the repository root, renamed some and removed unneeded files
  • Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
  • Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
  • Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
  • Bumped several dependencies where possible

DOMPurify 3.4.7

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @​offset
  • Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

  • Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
  • Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
  • Added more test coverage for IN_PLACE and general DOM Clobbering attacks
  • Bumped several dependencies where possible

DOMPurify 3.4.5

  • Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

DOMPurify 3.4.4

  • Added the selectedcontent element to default allow-list, thanks @​lukewarlow
  • Added the command and commandfor attributes to default allowed-list, thanks @​lukewarlow
  • Added better template scrubbing for IN_PLACE operations, thanks @​DEMON1A
  • Added stronger checks for cross-realm windows, thanks @​DEMON1A & @​fg0x0
  • Updated demo website and made sure it uses the latest from main
  • Updated existing workflows, fuzzer, dependabot, etc., added more tests
  • Bumped several dependencies where possible

... (truncated)

Commits

Updates openpgp from 6.3.0 to 6.3.1

Release notes

Sourced from openpgp's releases.

v6.3.1

What's Changed

  • Add config.maxArgon2MemoryExponent for argon2 memory limit (#1943, #2014)
  • Fix RSA signing using SHA3 (#1952)
  • Allow creating signature notations when generating/reformatting keys (#1953)
  • TS: fix 'node16'/'nodenext' compatibility, and emit type declarations for .ts files with external exports under dist/types (#1987)
  • TS: fix AnyPacket declaration to also include BasePacket<true> subclasses (#1991)
  • Fix non-zero IV usages for AES-CFB (spec compliance issue; no security or interoperability impact) (#2012)
  • Various dependency version bumps

Full Changelog: openpgpjs/openpgpjs@v6.3.0...v6.3.1

Commits
  • 2ac0048 6.3.1
  • 3c6abc9 Argon2: set hard limit for config.maxArgon2MemoryExponent to cap memory at ...
  • cba2904 Internal: fix readExactSubarray to correctly enforce end boundary (#2013)
  • 4318a48 Run npm audit
  • dd9274e Fix non-zero IV usages for AES-CFB (#2012)
  • 0a67d5e npm: add min-release-age constraint (for manual installs)
  • 2ba545d Bump the dev-dependencies group across 1 directory with 9 updates (#2011)
  • 657ac64 Bump eslint-plugin-unicorn from 62.0.0 to 64.0.0 (#1999)
  • df8c044 Bump fflate from 0.8.2 to 0.8.3 (#2007)
  • 3891531 Bump fast-xml-builder (#2003)
  • Additional commits viewable in compare view
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates preact from 10.29.1 to 10.29.2

Release notes

Sourced from preact's releases.

10.29.2

Fixes

Maintenance

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for preact since your current version.


Updates svelte from 5.55.1 to 5.56.3

Release notes

Sourced from svelte's releases.

svelte@5.56.3

Patch Changes

  • fix: ignore errors that occur in destroyed effects (#18384)

  • fix: type BigInts in $state.snapshot(...) return values (#18388)

svelte@5.56.2

Patch Changes

  • fix: properly track effect end node for async sibling component (#18371)

  • fix: prevent false-positive reactivity loss warning (#18373)

  • chore: bump esrap dependency (#18372)

  • fix: ignore declaration tags for animation directive (#18366)

  • fix: reject pending async deriveds on discard (#18308)

svelte@5.56.1

Patch Changes

  • fix: error at compile time on duplicate snippet/declaration tag definitions (#18351)

  • fix: parse declaration tag contents more robustly (#18353)

  • fix: correctly transform references to earlier declarators in a declaration tag (e.g. {let a = $state(0), b = $derived(a * 2)}) (#18348)

  • fix: avoid spurious state_referenced_locally warnings for $derived declarations in declaration tags (#18348)

  • fix: tolerate whitespace before let/const in declaration tags (#18348)

  • fix: prevent infinite loop when a tag's expression ends with a trailing / at the end of the input (#18350)

  • fix: more robust parsing of declaration tags with regards to type (#18330)

  • fix: preserve newlines in spread input values when the type attribute is applied after value (#18345)

  • fix: update SvelteURLSearchParams when setting duplicate keys to the same joined value (#18336)

  • fix: check references for blockers on server, too (#18352)

svelte@5.56.0

Minor Changes

  • feat: allow declarations in the template (#18282)

Patch Changes

... (truncated)

Changelog

Sourced from svelte's changelog.

5.56.3

Patch Changes

  • fix: ignore errors that occur in destroyed effects (#18384)

  • fix: type BigInts in $state.snapshot(...) return values (#18388)

5.56.2

Patch Changes

  • fix: properly track effect end node for async sibling component (#18371)

  • fix: prevent false-positive reactivity loss warning (#18373)

  • chore: bump esrap dependency (#18372)

  • fix: ignore declaration tags for animation directive (...

    Description has been truncated

@dependabot @github

dependabot Bot commented on behalf of github Jun 14, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/production-deps-4ac195faf7 branch from 9b9f666 to 56fe123 Compare June 15, 2026 17:44
Bumps the production-deps group with 27 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@passwordless-id/webauthn](https://github.com/passwordless-id/webauthn) | `2.3.5` | `2.4.0` |
| [@tauri-apps/api](https://github.com/tauri-apps/tauri) | `2.10.1` | `2.11.0` |
| [@tauri-apps/plugin-deep-link](https://github.com/tauri-apps/plugins-workspace) | `2.4.8` | `2.4.9` |
| [@tauri-apps/plugin-dialog](https://github.com/tauri-apps/plugins-workspace) | `2.7.0` | `2.7.1` |
| [@tauri-apps/plugin-fs](https://github.com/tauri-apps/plugins-workspace) | `2.5.0` | `2.5.1` |
| [@tauri-apps/plugin-global-shortcut](https://github.com/tauri-apps/plugins-workspace) | `2.3.1` | `2.3.2` |
| [@tauri-apps/plugin-opener](https://github.com/tauri-apps/plugins-workspace) | `2.5.3` | `2.5.4` |
| [bits-ui](https://github.com/huntabyte/bits-ui) | `2.18.0` | `2.18.1` |
| [dexie](https://github.com/dexie/Dexie.js) | `4.4.2` | `4.4.3` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.4.2` | `3.4.10` |
| [openpgp](https://github.com/openpgpjs/openpgpjs) | `6.3.0` | `6.3.1` |
| [preact](https://github.com/preactjs/preact) | `10.29.1` | `10.29.2` |
| [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte) | `5.55.1` | `5.56.3` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` |
| [@internationalized/date](https://github.com/adobe/react-spectrum) | `3.12.1` | `3.12.2` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.59.1` | `1.61.0` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.2.4` | `4.3.1` |
| [@tauri-apps/cli](https://github.com/tauri-apps/tauri) | `2.10.1` | `2.11.2` |
| [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) | `8.59.1` | `8.61.1` |
| [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) | `8.59.1` | `8.61.1` |
| [postcss](https://github.com/postcss/postcss) | `8.5.13` | `8.5.15` |
| [prettier](https://github.com/prettier/prettier) | `3.8.3` | `3.8.4` |
| [svelte-check](https://github.com/sveltejs/language-tools) | `4.4.7` | `4.6.0` |
| [svelte-eslint-parser](https://github.com/sveltejs/svelte-eslint-parser) | `1.6.0` | `1.8.0` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.4` | `4.3.1` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.59.1` | `8.61.1` |
| [workbox-cli](https://github.com/googlechrome/workbox) | `7.4.0` | `7.4.1` |



Updates `@passwordless-id/webauthn` from 2.3.5 to 2.4.0
- [Release notes](https://github.com/passwordless-id/webauthn/releases)
- [Commits](passwordless-id/webauthn@2.3.5...2.4.0)

Updates `@tauri-apps/api` from 2.10.1 to 2.11.0
- [Release notes](https://github.com/tauri-apps/tauri/releases)
- [Commits](https://github.com/tauri-apps/tauri/compare/@tauri-apps/api-v2.10.1...@tauri-apps/api-v2.11.0)

Updates `@tauri-apps/plugin-deep-link` from 2.4.8 to 2.4.9
- [Release notes](https://github.com/tauri-apps/plugins-workspace/releases)
- [Commits](tauri-apps/plugins-workspace@deep-link-v2.4.8...deep-link-v2.4.9)

Updates `@tauri-apps/plugin-dialog` from 2.7.0 to 2.7.1
- [Release notes](https://github.com/tauri-apps/plugins-workspace/releases)
- [Commits](tauri-apps/plugins-workspace@log-v2.7.0...log-v2.7.1)

Updates `@tauri-apps/plugin-fs` from 2.5.0 to 2.5.1
- [Release notes](https://github.com/tauri-apps/plugins-workspace/releases)
- [Commits](tauri-apps/plugins-workspace@fs-v2.5.0...fs-v2.5.1)

Updates `@tauri-apps/plugin-global-shortcut` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/tauri-apps/plugins-workspace/releases)
- [Commits](tauri-apps/plugins-workspace@os-v2.3.1...os-v2.3.2)

Updates `@tauri-apps/plugin-opener` from 2.5.3 to 2.5.4
- [Release notes](https://github.com/tauri-apps/plugins-workspace/releases)
- [Commits](tauri-apps/plugins-workspace@http-v2.5.3...http-v2.5.4)

Updates `bits-ui` from 2.18.0 to 2.18.1
- [Release notes](https://github.com/huntabyte/bits-ui/releases)
- [Commits](https://github.com/huntabyte/bits-ui/compare/bits-ui@2.18.0...bits-ui@2.18.1)

Updates `dexie` from 4.4.2 to 4.4.3
- [Release notes](https://github.com/dexie/Dexie.js/releases)
- [Commits](dexie/Dexie.js@v4.4.2...v4.4.3)

Updates `dompurify` from 3.4.2 to 3.4.10
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.4.2...3.4.10)

Updates `openpgp` from 6.3.0 to 6.3.1
- [Release notes](https://github.com/openpgpjs/openpgpjs/releases)
- [Commits](openpgpjs/openpgpjs@v6.3.0...v6.3.1)

Updates `preact` from 10.29.1 to 10.29.2
- [Release notes](https://github.com/preactjs/preact/releases)
- [Commits](preactjs/preact@10.29.1...10.29.2)

Updates `svelte` from 5.55.1 to 5.56.3
- [Release notes](https://github.com/sveltejs/svelte/releases)
- [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.56.3/packages/svelte)

Updates `tailwind-merge` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](dcastil/tailwind-merge@v3.5.0...v3.6.0)

Updates `@internationalized/date` from 3.12.1 to 3.12.2
- [Release notes](https://github.com/adobe/react-spectrum/releases)
- [Commits](https://github.com/adobe/react-spectrum/compare/@internationalized/date@3.12.1...@internationalized/date@3.12.2)

Updates `@playwright/test` from 1.59.1 to 1.61.0
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.59.1...v1.61.0)

Updates `@tailwindcss/postcss` from 4.2.4 to 4.3.1
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/@tailwindcss-postcss)

Updates `@tauri-apps/cli` from 2.10.1 to 2.11.2
- [Release notes](https://github.com/tauri-apps/tauri/releases)
- [Commits](https://github.com/tauri-apps/tauri/compare/@tauri-apps/cli-v2.10.1...@tauri-apps/cli-v2.11.2)

Updates `@typescript-eslint/eslint-plugin` from 8.59.1 to 8.61.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.1/packages/eslint-plugin)

Updates `@typescript-eslint/parser` from 8.59.1 to 8.61.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.1/packages/parser)

Updates `postcss` from 8.5.13 to 8.5.15
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.13...8.5.15)

Updates `prettier` from 3.8.3 to 3.8.4
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.8.3...3.8.4)

Updates `svelte-check` from 4.4.7 to 4.6.0
- [Release notes](https://github.com/sveltejs/language-tools/releases)
- [Commits](https://github.com/sveltejs/language-tools/compare/svelte-check@4.4.7...svelte-check@4.6.0)

Updates `svelte-eslint-parser` from 1.6.0 to 1.8.0
- [Release notes](https://github.com/sveltejs/svelte-eslint-parser/releases)
- [Changelog](https://github.com/sveltejs/svelte-eslint-parser/blob/main/CHANGELOG.md)
- [Commits](sveltejs/svelte-eslint-parser@v1.6.0...v1.8.0)

Updates `tailwindcss` from 4.2.4 to 4.3.1
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/tailwindcss)

Updates `typescript-eslint` from 8.59.1 to 8.61.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.1/packages/typescript-eslint)

Updates `workbox-cli` from 7.4.0 to 7.4.1
- [Release notes](https://github.com/googlechrome/workbox/releases)
- [Commits](GoogleChrome/workbox@v7.4.0...v7.4.1)

---
updated-dependencies:
- dependency-name: "@internationalized/date"
  dependency-version: 3.12.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: "@passwordless-id/webauthn"
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@playwright/test"
  dependency-version: 1.60.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.3.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@tauri-apps/api"
  dependency-version: 2.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@tauri-apps/cli"
  dependency-version: 2.11.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@tauri-apps/plugin-deep-link"
  dependency-version: 2.4.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: "@tauri-apps/plugin-dialog"
  dependency-version: 2.7.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: "@tauri-apps/plugin-fs"
  dependency-version: 2.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: "@tauri-apps/plugin-global-shortcut"
  dependency-version: 2.3.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: "@tauri-apps/plugin-opener"
  dependency-version: 2.5.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.61.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@typescript-eslint/parser"
  dependency-version: 8.61.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: bits-ui
  dependency-version: 2.18.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: dexie
  dependency-version: 4.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: dompurify
  dependency-version: 3.4.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: openpgp
  dependency-version: 6.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: postcss
  dependency-version: 8.5.15
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: preact
  dependency-version: 10.29.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: prettier
  dependency-version: 3.8.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: svelte
  dependency-version: 5.56.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: svelte-check
  dependency-version: 4.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: svelte-eslint-parser
  dependency-version: 1.8.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: tailwind-merge
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: tailwindcss
  dependency-version: 4.3.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: typescript-eslint
  dependency-version: 8.61.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: workbox-cli
  dependency-version: 7.4.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: production-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/production-deps-4ac195faf7 branch from 56fe123 to d5480b0 Compare June 15, 2026 21:08
@dependabot @github

dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 22, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/production-deps-4ac195faf7 branch June 22, 2026 17:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants