Skip to content

deps: bump the production-deps group across 1 directory with 30 updates#94

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/production-deps-e4d13a49b3
Open

deps: bump the production-deps group across 1 directory with 30 updates#94
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/production-deps-e4d13a49b3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown

Bumps the production-deps group with 30 updates in the / directory:

Package From To
@passwordless-id/webauthn 2.3.5 2.4.0
@tauri-apps/api 2.10.1 2.11.1
@tauri-apps/plugin-deep-link 2.4.8 2.4.9
@tauri-apps/plugin-dialog 2.7.0 2.7.1
@tauri-apps/plugin-fs 2.5.0 2.5.1
@tauri-apps/plugin-global-shortcut 2.3.1 2.3.2
@tauri-apps/plugin-opener 2.5.3 2.5.4
bits-ui 2.18.0 2.18.1
dexie 4.4.2 4.4.4
dompurify 3.4.2 3.4.11
openpgp 6.3.0 6.3.1
postal-mime 2.7.4 2.7.5
preact 10.29.1 10.29.4
svelte 5.55.1 5.56.4
tailwind-merge 3.5.0 3.6.0
@internationalized/date 3.12.1 3.12.2
@playwright/test 1.59.1 1.61.1
@tailwindcss/postcss 4.2.4 4.3.2
@tauri-apps/cli 2.10.1 2.11.4
@testing-library/svelte 5.3.1 5.4.2
@typescript-eslint/eslint-plugin 8.59.1 8.62.1
@typescript-eslint/parser 8.59.1 8.62.1
autoprefixer 10.5.0 10.5.2
postcss 8.5.13 8.5.16
prettier 3.8.3 3.9.4
svelte-check 4.4.7 4.7.1
svelte-eslint-parser 1.6.0 1.8.0
tailwindcss 4.2.4 4.3.2
typescript-eslint 8.59.1 8.62.1
workbox-cli 7.4.0 7.4.1

Updates @passwordless-id/webauthn from 2.3.5 to 2.4.0

Release notes

Sourced from @​passwordless-id/webauthn's releases.

2.4.0

IMPORTANT NOTE: In this version the browser field was removed in package.json due to issues how various tooling interpret it. Check out #108 for more details.

Commits
  • bd07189 Removed "browser" field and updated authenticator devices metadata/icons
  • 40e3c21 Merge pull request #112 from passwordless-id/dependabot/npm_and_yarn/npm_and_...
  • 3926a2f chore(deps): bump the npm_and_yarn group across 1 directory with 4 updates
  • ec42719 Merge pull request #110 from passwordless-id/dependabot/npm_and_yarn/npm_and_...
  • 3b514d8 chore(deps): bump minimatch in the npm_and_yarn group across 1 directory
  • efd757a Merge pull request #109 from passwordless-id/dependabot/npm_and_yarn/npm_and_...
  • 3fcfbce chore(deps-dev): bump qs in the npm_and_yarn group across 1 directory
  • See full diff in compare view

Updates @tauri-apps/api from 2.10.1 to 2.11.1

Release notes

Sourced from @​tauri-apps/api's releases.

@​tauri-apps/api v2.11.1

No known vulnerabilities found

[2.11.1]

Enhancements

  • 916782601 (#15520 by @​polw1) Document that Monitor.size, Monitor.position and Monitor.workArea are in physical pixels, with examples showing how to convert them to the logical pixels expected by window creation options via toLogical(monitor.scaleFactor).
> @tauri-apps/api@2.11.1 npm-publish /home/runner/work/tauri/tauri/packages/api
> pnpm build && cd ./dist && pnpm publish --access public --loglevel silly --no-git-checks

> @​tauri-apps/api@​2.11.1 build /home/runner/work/tauri/tauri/packages/api > rollup -c --configPlugin typescript

�[36m �[1m./src/app.ts, ./src/core.ts, ./src/dpi.ts, ./src/event.ts, ./src/image.ts, ./src/index.ts, ./src/menu.ts, ./src/mocks.ts, ./src/path.ts, ./src/tray.ts, ./src/webview.ts, ./src/webviewWindow.ts, ./src/window.ts�[22m → �[1m./dist, ./dist�[22m...�[39m �[32mcreated �[1m./dist, ./dist�[22m in �[1m883ms�[22m�[39m �[36m �[1msrc/index.ts�[22m → �[1m../../crates/tauri/scripts/bundle.global.js�[22m...�[39m �[32mcreated �[1m../../crates/tauri/scripts/bundle.global.js�[22m in �[1m1.4s�[22m�[39m npm verbose cli /opt/hostedtoolcache/node/24.16.0/x64/bin/node /opt/hostedtoolcache/node/24.16.0/x64/bin/npm npm info using npm@11.13.0 npm info using node@v24.16.0 npm silly config load:file:/opt/hostedtoolcache/node/24.16.0/x64/lib/node_modules/npm/npmrc npm silly config load:file:/tmp/286e8dee195254a4370e608b672019b0/.npmrc npm silly config load:file:/home/runner/.npmrc npm silly config load:file:/home/runner/.config/pnpm/rc npm verbose title npm publish tauri-apps-api-2.11.1.tgz npm verbose argv "publish" "--ignore-scripts" "tauri-apps-api-2.11.1.tgz" "--access" "public" "--loglevel" "silly" npm verbose logfile logs-max:10 dir:/home/runner/.npm/_logs/2026-06-17T13_41_23_851Z- npm verbose logfile /home/runner/.npm/_logs/2026-06-17T13_41_23_851Z-debug-0.log npm warn Unknown env config "verify-deps-before-run". This will stop working in the next major version of npm. See npm help npmrc for supported config options. npm warn Unknown env config "npm-globalconfig". This will stop working in the next major version of npm. See npm help npmrc for supported config options. npm warn Unknown env config "overrides". This will stop working in the next major version of npm. See npm help npmrc for supported config options. npm warn Unknown env config "_jsr-registry". This will stop working in the next major version of npm. See npm help npmrc for supported config options. npm silly logfile done cleaning log files npm verbose publish [ 'tauri-apps-api-2.11.1.tgz' ] </tr></table>

... (truncated)

Commits

Updates @tauri-apps/plugin-deep-link from 2.4.8 to 2.4.9

Release notes

Sourced from @​tauri-apps/plugin-deep-link's releases.

deep-link-js v2.4.9

[2.4.9]

npm warn Unknown user config "always-auth". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm warn publish npm auto-corrected some errors in your package.json when publishing.  Please run "npm pkg fix" to address these errors.
npm warn publish errors corrected:
npm warn publish "repository" was changed from a string to an object
npm warn publish "repository.url" was normalized to "git+https://github.com/tauri-apps/plugins-workspace.git"
npm notice
npm notice 📦  @tauri-apps/plugin-deep-link@2.4.9
npm notice Tarball Contents
npm notice 888B LICENSE.spdx
npm notice 6.2kB README.md
npm notice 3.5kB dist-js/index.cjs
npm notice 2.9kB dist-js/index.d.ts
npm notice 3.4kB dist-js/index.js
npm notice 801B package.json
npm notice Tarball Details
npm notice name: @tauri-apps/plugin-deep-link
npm notice version: 2.4.9
npm notice filename: tauri-apps-plugin-deep-link-2.4.9.tgz
npm notice package size: 4.4 kB
npm notice unpacked size: 17.7 kB
npm notice shasum: ae56d59130380f806b533b3107c3f16654e66a8d
npm notice integrity: sha512-u0SKOUHnJ1wqe[...]hIvqLBRpgHJlA==
npm notice total files: 6
npm notice
npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm notice publish Signed provenance statement with source and build information from GitHub Actions
npm notice publish Provenance statement published to transparency log: https://search.sigstore.dev/?logIndex=1429011657
+ @tauri-apps/plugin-deep-link@2.4.9

deep-link v2.4.9

[2.4.9]

</tr></table> 

... (truncated)

Commits
  • 5c7668b publish new versions (#3397)
  • ec05401 chore(deps): update rust crate toml to v1 (#3323)
  • b86e999 chore(deps): update tauri packages to 2.11 (#3407)
  • c463d8a chore(deps): update rustls-webpki in lockfile, ignore core2 in audit (#3405)
  • 1bb7beb chore(deps): bump openssl (#3402)
  • 3412fa2 docs(readme): fix platform support matrix (opener supports mobile)
  • af81fda docs(readme): fix platform support matrix (mobile is supported)
  • c1fd33b fix(opener): allow open network share locations (#3343)
  • 250857b chore(deps): update dependency typescript to v6 (#3363)
  • 964e13f fix(store): dead lock trying to set while exiting (#3395)
  • Additional commits viewable in compare view

Updates @tauri-apps/plugin-dialog from 2.7.0 to 2.7.1

Release notes

Sourced from @​tauri-apps/plugin-dialog's releases.

dialog-js v2.7.1

[2.7.1]

Dependencies

  • Upgraded to fs-js@2.5.1
npm warn Unknown user config "always-auth". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm warn publish npm auto-corrected some errors in your package.json when publishing.  Please run "npm pkg fix" to address these errors.
npm warn publish errors corrected:
npm warn publish "repository" was changed from a string to an object
npm warn publish "repository.url" was normalized to "git+https://github.com/tauri-apps/plugins-workspace.git"
npm notice
npm notice 📦  @tauri-apps/plugin-dialog@2.7.1
npm notice Tarball Contents
npm notice 888B LICENSE.spdx
npm notice 3.5kB README.md
npm notice 6.9kB dist-js/index.cjs
npm notice 14.6kB dist-js/index.d.ts
npm notice 6.8kB dist-js/index.js
npm notice 11B dist-js/init.d.ts
npm notice 657B package.json
npm notice Tarball Details
npm notice name: @tauri-apps/plugin-dialog
npm notice version: 2.7.1
npm notice filename: tauri-apps-plugin-dialog-2.7.1.tgz
npm notice package size: 6.7 kB
npm notice unpacked size: 33.3 kB
npm notice shasum: fc83387de807c8d064d2b64b1b813b84e8286a12
npm notice integrity: sha512-OK1UBXYt+ojcm[...]FmEOjIY9IhzOQ==
npm notice total files: 7
npm notice
npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm notice publish Signed provenance statement with source and build information from GitHub Actions
npm notice publish Provenance statement published to transparency log: https://search.sigstore.dev/?logIndex=1429011725
+ @tauri-apps/plugin-dialog@2.7.1

dialog v2.7.1

[2.7.1]

Dependencies

  • Upgraded to fs-js@2.5.1

... (truncated)

Commits
  • e7a68fa publish new versions (#3068)
  • b5550a3 chore: temp delete updater changefile
  • 93426f8 fix: fix docsrs builds
  • 4ee61e0 Revert "chore: temp delete updater changefile"
  • 06124af publish new versions (#2972)
  • 060219e chore(deps): update dependency @​rollup/plugin-typescript to v12.3.0 (#3067)
  • c7e9766 chore(deps): update tauri monorepo (v2) (#3058)
  • d4a8ce9 chore(deps): update rust crate tokio-tungstenite to 0.28 (#3016)
  • cdc7eec chore(deps): update dependency @​rollup/plugin-typescript to v12.2.0 (#3066)
  • 6314b00 chore: temp delete updater changefile
  • Additional commits viewable in compare view

Updates @tauri-apps/plugin-fs from 2.5.0 to 2.5.1

Release notes

Sourced from @​tauri-apps/plugin-fs's releases.

fs-js v2.5.1

[2.5.1]

npm warn Unknown user config "always-auth". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm warn publish npm auto-corrected some errors in your package.json when publishing.  Please run "npm pkg fix" to address these errors.
npm warn publish errors corrected:
npm warn publish "repository" was changed from a string to an object
npm warn publish "repository.url" was normalized to "git+https://github.com/tauri-apps/plugins-workspace.git"
npm notice
npm notice 📦  @tauri-apps/plugin-fs@2.5.1
npm notice Tarball Contents
npm notice 888B LICENSE.spdx
npm notice 2.4kB README.md
npm notice 32.8kB dist-js/index.cjs
npm notice 32.6kB dist-js/index.d.ts
npm notice 32.0kB dist-js/index.js
npm notice 697B package.json
npm notice Tarball Details
npm notice name: @tauri-apps/plugin-fs
npm notice version: 2.5.1
npm notice filename: tauri-apps-plugin-fs-2.5.1.tgz
npm notice package size: 21.5 kB
npm notice unpacked size: 101.5 kB
npm notice shasum: e1b8643d41c74251699fcdecc800877d18a4a6fc
npm notice integrity: sha512-9Lz+Jopp6QyeE[...]tqPB/XEMS3NhQ==
npm notice total files: 6
npm notice
npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm notice publish Signed provenance statement with source and build information from GitHub Actions
npm notice publish Provenance statement published to transparency log: https://search.sigstore.dev/?logIndex=1429011689
+ @tauri-apps/plugin-fs@2.5.1

fs v2.5.1

[2.5.1]

</tr></table> 

... (truncated)

Commits
  • 5c7668b publish new versions (#3397)
  • ec05401 chore(deps): update rust crate toml to v1 (#3323)
  • b86e999 chore(deps): update tauri packages to 2.11 (#3407)
  • c463d8a chore(deps): update rustls-webpki in lockfile, ignore core2 in audit (#3405)
  • 1bb7beb chore(deps): bump openssl (#3402)
  • 3412fa2 docs(readme): fix platform support matrix (opener supports mobile)
  • af81fda docs(readme): fix platform support matrix (mobile is supported)
  • c1fd33b fix(opener): allow open network share locations (#3343)
  • 250857b chore(deps): update dependency typescript to v6 (#3363)
  • 964e13f fix(store): dead lock trying to set while exiting (#3395)
  • Additional commits viewable in compare view

Updates @tauri-apps/plugin-global-shortcut from 2.3.1 to 2.3.2

Release notes

Sourced from @​tauri-apps/plugin-global-shortcut's releases.

upload-js v2.3.2

[2.3.2]

  • 93426f85 Fixed an issue that caused docs.rs builds to fail. No user facing changes.
npm warn publish npm auto-corrected some errors in your package.json when publishing.  Please run "npm pkg fix" to address these errors.
npm warn publish errors corrected:
npm warn publish "repository" was changed from a string to an object
npm warn publish "repository.url" was normalized to "git+https://github.com/tauri-apps/plugins-workspace.git"
npm notice
npm notice 📦  @tauri-apps/plugin-upload@2.3.2
npm notice Tarball Contents
npm notice 888B LICENSE.spdx
npm notice 3.2kB README.md
npm notice 1.4kB dist-js/index.cjs
npm notice 507B dist-js/index.d.ts
npm notice 1.4kB dist-js/index.js
npm notice 729B package.json
npm notice Tarball Details
npm notice name: @tauri-apps/plugin-upload
npm notice version: 2.3.2
npm notice filename: tauri-apps-plugin-upload-2.3.2.tgz
npm notice package size: 2.9 kB
npm notice unpacked size: 8.1 kB
npm notice shasum: 4c0d9af44b28f9b05905ff8972a5438b642fc260
npm notice integrity: sha512-h/V8RqsbVpJSt[...]RqpUr0Dk9DuGA==
npm notice total files: 6
npm notice
npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm notice publish Signed provenance statement with source and build information from GitHub Actions
npm notice publish Provenance statement published to transparency log: https://search.sigstore.dev/?logIndex=644611265
+ @tauri-apps/plugin-upload@2.3.2

upload v2.3.2

[2.3.2]

  • 93426f85 Fixed an issue that caused docs.rs builds to fail. No user facing changes.
Updating crates.io index
</tr></table> 

... (truncated)

Commits
  • e7a68fa publish new versions (#3068)
  • b5550a3 chore: temp delete updater changefile
  • 93426f8 fix: fix docsrs builds
  • 4ee61e0 Revert "chore: temp delete updater changefile"
  • 06124af publish new versions (#2972)
  • 060219e chore(deps): update dependency @​rollup/plugin-typescript to v12.3.0 (#3067)
  • c7e9766 chore(deps): update tauri monorepo (v2) (#3058)
  • d4a8ce9 chore(deps): update rust crate tokio-tungstenite to 0.28 (#3016)
  • cdc7eec chore(deps): update dependency @​rollup/plugin-typescript to v12.2.0 (#3066)
  • 6314b00 chore: temp delete updater changefile
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tauri-apps/plugin-global-shortcut since your current version.


Updates @tauri-apps/plugin-opener from 2.5.3 to 2.5.4

Release notes

Sourced from @​tauri-apps/plugin-opener's releases.

opener-js v2.5.4

[2.5.4]

npm warn Unknown user config "always-auth". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm warn publish npm auto-corrected some errors in your package.json when publishing.  Please run "npm pkg fix" to address these errors.
npm warn publish errors corrected:
npm warn publish "repository" was changed from a string to an object
npm warn publish "repository.url" was normalized to "git+https://github.com/tauri-apps/plugins-workspace.git"
npm notice
npm notice 📦  @tauri-apps/plugin-opener@2.5.4
npm notice Tarball Contents
npm notice 888B LICENSE.spdx
npm notice 4.2kB README.md
npm notice 3.1kB dist-js/index.cjs
npm notice 2.0kB dist-js/index.d.ts
npm notice 3.1kB dist-js/index.js
npm notice 11B dist-js/init.d.ts
npm notice 730B package.json
npm notice Tarball Details
npm notice name: @tauri-apps/plugin-opener
npm notice version: 2.5.4
npm notice filename: tauri-apps-plugin-opener-2.5.4.tgz
npm notice package size: 3.5 kB
npm notice unpacked size: 14.1 kB
npm notice shasum: b37883e4d36125b8c5a0c74f683395958a65bd7d
npm notice integrity: sha512-1HnPkb+AmgO29[...]aUJtT57lfO9CQ==
npm notice total files: 7
npm notice
npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm notice publish Signed provenance statement with source and build information from GitHub Actions
npm notice publish Provenance statement published to transparency log: https://search.sigstore.dev/?logIndex=1429011743
+ @tauri-apps/plugin-opener@2.5.4

opener v2.5.4

[2.5.4]

... (truncated)

Commits

Updates bits-ui from 2.18.0 to 2.18.1

Release notes

Sourced from bits-ui's releases.

bits-ui@2.18.1

Patch Changes

  • fix(text-selection-layer): snapshot enabled and pointer handlers for listeners (#2041)

  • fix(Tooltip): set wrapper pointer-events when hoverable content is disabled (#2041)

  • fix(Menu): prevent page scroll-jump on item hover when scroll-padding is set (#2035)

Commits
  • 25f8137 Version Packages (#2042)
  • 158364e fix(menu): use preventScroll when focusing items on hover and content on item...
  • 5a3f7ce fix(Tooltip): pointer event handling (#2041)
  • 788fc03 chore: update workflows to Node 24 and latest action versions (#2032)
  • See full diff in compare view

Updates dexie from 4.4.2 to 4.4.4

Release notes

Sourced from dexie's releases.

Dexie v4.4.4

This is a maintenance release that resolves a bug in useLiveQuery caching and includes a TypeScript typing enhancement.

Related Package Releases

Package Version
dexie 4.4.4
dexie-cloud-addon 4.4.13 (no change)
dexie-react-hooks 4.4.0 (no change)
y-dexie 4.4.0 (no change)

Bug Fixes

dexie@4.4.4

  • fix: useLiveQuery fails to detect updates when mutating queried objects in-place and calling put() — In default/cloned cache mode (cache: 'cloned'), mutating queried objects in-place and subsequently calling put() on them would pollute the cache directly, preventing subsequent live-queries from detecting the change because the "before" and "after" states in the cache became identical. Live-queries now deeply clone results on read to completely isolate query results from in-place consumer mutations. (#2310). Reported in #2309 by @​laukaichung. Fixed by @​liz709 and @​dfahlander .

Other Changes

dexie@4.4.4

  • fix: typescript typings - add missing table4 parameter to transaction method — Added the missing table4 parameter to the typescript type definition of Dexie.transaction(), aligning it with other table parameters. Contributed by @​renbaoshuo (#2311)

Dexie v4.4.3

This is a maintenance release with bug fixes and a configuration API improvement.

Related Package Releases

Package Version
dexie 4.4.3
dexie-cloud-addon 4.4.13

Bug Fixes

dexie@4.4.3

  • fix: delByKeyPath() creates empty intermediate objects on missing pathDexie.delByKeyPath(obj, "foo.bar") on an object without foo would create {foo: {}} as a side effect instead of doing nothing. This caused a real-world bug in dexie-cloud-addon where clearing a dotted key from a changeSpec (e.g. claims.sub) would leave {claims: {}} in the spec, which then overwrote the inline primary key with undefined, resulting in: DataError: Evaluating the object store's key path did not yield a value. Fixed in setByKeyPath to bail out early when value is undefined and the intermediate path doesn't exist. (#2303)

  • fix: Collection.sortBy() mutates frozen array in immutable cache mode — calling .sortBy() on a table when using immutable cache mode could throw TypeError: Cannot assign to read only property because Array.sort() was called on a frozen array. Fixed by sorting on a copy instead. (#2294)

dexie-cloud-addon@4.4.12

  • rename: maxStringLengthlargeStringThreshold — the string offloading option is renamed for clarity. The old name is kept as a backward-compatible alias. (#2290)

  • fix: blob writebacks routed through BlobSavingQueue to avoid PSD context loss — after an async native fetch (blob download), Dexie's PSD zone is no longer active, causing table.mutate() to crash with Cannot read properties of undefined (reading 'table'). This surfaced as [dexie-cloud:blobResolve] Failed to resolve BlobRefs. Fixed by always routing blob writebacks through BlobSavingQueue.saveBlobs(), which opens a proper Dexie rw-transaction in a fresh JS task. Fixes lazy blob mode crash when using Dexie hooks with dexie-cloud-addon. (#2302)

  • fix: eager blob downloader could starve RAM — the eager downloader triggered blobResolveMiddleware which resolved all pending blobs into memory at once. Fixed by downloading blobs in chunks with a query limit, so memory usage stays bounded regardless of how many blobs are pending. (#2302)

... (truncated)

Commits
  • f151e96 chore: bump version to 4.4.4
  • 0cc46ac perf(live-query): avoid redundant double deepClone on initial query cache pop...
  • fb5d3b7 test(live-query): revert prettier formatting and keep only targeted test fixes
  • 8c8c24d test(live-query): parameterize issue 2309 test and fix pre-existing syntax/pr...
  • bb4c265 test(live-query): change actualResults to let to avoid TypeError in tests
  • a6edadb fix(live-query): clone results on cache read when cache: 'cloned' is used (is...
  • 9485361 Add missing table4 parameter typing to transaction method
  • 30134f6 Trigger new dev build
  • 9dd614d DataError after updating a user in dexie cloud when that user got an update f...
  • 0919742 Trigger dev build
  • Additional commits viewable in compare view

Updates dompurify from 3.4.2 to 3.4.11

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.11

  • Fixed an issue with a leaky config for hooks via setConfig, thanks @​trace37labs
  • Bumped vulnerable development dependencies to arrive at plain 0 with npm audit
  • Updated the osv-scanner suppression list as no vulnerable dependencies are left for now
  • Updated up the linting tool-chain and removed now-redundant lint directives
  • Updated the documentation is several spots, README, wiki, etc.
  • Bumped several dependencies where possible

DOMPurify 3.4.10

  • Refactored codebase for clarity: extracted the public type declarations into types.ts
  • Decomposed the three largest sanitizer functions into focused helpers
  • Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
  • Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
  • Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
  • Reduced CI cost by running the full three-engine browser suite once per PR
  • Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo
  • Documented the bench and test:happydom scripts in the README
  • Completed the Attack Classes & Bypass History wiki page
  • Bumped several dependencies where possible

DOMPurify 3.4.9

  • Further improved the handling of Trusted Types config options, thanks @​offset
  • Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
  • Added more test coverage for IN_PLACE and Trusted Types related usage
  • Bumped several dependencies where possible
  • Updated README and wiki with more accurate documentation & attack samples

DOMPurify 3.4.8

  • Cleaned up the repository root, renamed some and removed unneeded files
  • Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
  • Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
  • Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
  • Bumped several dependencies where possible

DOMPurify 3.4.7

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @​offset
  • Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

  • Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
  • Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
  • Added more test coverage for IN_PLACE and general DOM Clobbering attacks
  • Bumped several dependencies where possible

DOMPurify 3.4.5

  • Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

... (truncated)

Commits

Updates openpgp from 6.3.0 to 6.3.1

Release notes

Sourced from openpgp's releases.

v6.3.1

What's Changed

  • Add config.maxArgon2MemoryExponent for argon2 memory limit (#1943, #2014)
  • Fix RSA signing using SHA3 (#1952)
  • Allow creating signature notations when generating/reformatting keys (#1953)
  • TS: fix 'node16'/'nodenext' compatibility, and emit type declarations for .ts files with external exports under dist/types (#1987)
  • TS: fix AnyPacket declaration to also include BasePacket<true> subclasses (#1991)
  • Fix non-zero IV usages for AES-CFB (spec compliance issue; no security or interoperability impact) (#2012)
  • Various dependency version bumps

Full Changelog: openpgpjs/openpgpjs@v6.3.0...v6.3.1

Commits
  • 2ac0048 6.3.1
  • 3c6abc9 Argon2: set hard limit for config.maxArgon2MemoryExponent to cap memory at ...
  • cba2904 Internal: fix readExactSubarray to correctly enforce end boundary (#2013)
  • 4318a48 Run npm audit
  • dd9274e Fix non-zero IV usages for AES-CFB (#2012)
  • 0a67d5e npm: add min-release-age constraint (for manual installs)
  • 2ba545d Bump the dev-dependencies group across 1 directory with 9 updates (#2011)
  • 657ac64 Bump eslint-plugin-unicorn from 62.0.0 to 64.0.0 (#1999)
  • df8c044 Bump fflate from 0.8.2 to 0.8.3 (#2007)
  • 3891531 Bump fast-xml-builder (#2003)
  • Additional commits viewable in compare view
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates postal-mime from 2.7.4 to 2.7.5

Release notes

Sourced from postal-mime's releases.

v2.7.5

2.7.5 (2026-06-25)

Bug Fixes

  • decode iso-8859-8-i and iso-8859-8-e charsets as iso-8859-8 (d7af50b)
Changelog

Sourced from postal-mime's changelog.

2.7.5 (2026-06-25)

Bug Fixes

  • decode iso-8859-8-i and iso-8859-8-e charsets as iso-8859-8 (d7af50b)
Commits
  • a70ee5c chore(master): release 2.7.5 (#91)
  • d7af50b fix: decode iso-8859-8-i and iso-8859-8-e charsets as iso-8859-8
  • See full diff in compare view

Updates preact from 10.29.1 to 10.29.4

Release notes

Sourced from preact's releases.

10.29.4

Fixes

10.29.3

Fixes

Performance

Types

Maintenance

10.29.2

Fixes

Maintenance

Commits
  • 707884c Merge pull request #5136 from preactjs/10.29.4
  • 0e6a253 10.29.4
  • 174d345 Merge pull request #5135 from preactjs/fix-preact-suspense
  • 8d20635 Revert "Fix useId stability across async Suspense (#5108)"
  • 893845a Merge pull request #5134 from preactjs/patch-crashing-at-suspense-bail
  • c3b4f0f Fix hydration-suspense crash due to sCU bailout
  • 65b32cb 10.29.3 (#5121)
  • 1a3b8b5 Fix error recovery for partially rendered subtrees (#5120)

@dependabot @github

dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Bumps the production-deps group with 30 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@passwordless-id/webauthn](https://github.com/passwordless-id/webauthn) | `2.3.5` | `2.4.0` |
| [@tauri-apps/api](https://github.com/tauri-apps/tauri) | `2.10.1` | `2.11.1` |
| [@tauri-apps/plugin-deep-link](https://github.com/tauri-apps/plugins-workspace) | `2.4.8` | `2.4.9` |
| [@tauri-apps/plugin-dialog](https://github.com/tauri-apps/plugins-workspace) | `2.7.0` | `2.7.1` |
| [@tauri-apps/plugin-fs](https://github.com/tauri-apps/plugins-workspace) | `2.5.0` | `2.5.1` |
| [@tauri-apps/plugin-global-shortcut](https://github.com/tauri-apps/plugins-workspace) | `2.3.1` | `2.3.2` |
| [@tauri-apps/plugin-opener](https://github.com/tauri-apps/plugins-workspace) | `2.5.3` | `2.5.4` |
| [bits-ui](https://github.com/huntabyte/bits-ui) | `2.18.0` | `2.18.1` |
| [dexie](https://github.com/dexie/Dexie.js) | `4.4.2` | `4.4.4` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.4.2` | `3.4.11` |
| [openpgp](https://github.com/openpgpjs/openpgpjs) | `6.3.0` | `6.3.1` |
| [postal-mime](https://github.com/postalsys/postal-mime) | `2.7.4` | `2.7.5` |
| [preact](https://github.com/preactjs/preact) | `10.29.1` | `10.29.4` |
| [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte) | `5.55.1` | `5.56.4` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` |
| [@internationalized/date](https://github.com/adobe/react-spectrum) | `3.12.1` | `3.12.2` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.59.1` | `1.61.1` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.2.4` | `4.3.2` |
| [@tauri-apps/cli](https://github.com/tauri-apps/tauri) | `2.10.1` | `2.11.4` |
| [@testing-library/svelte](https://github.com/testing-library/svelte-testing-library/tree/HEAD/packages/svelte) | `5.3.1` | `5.4.2` |
| [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) | `8.59.1` | `8.62.1` |
| [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) | `8.59.1` | `8.62.1` |
| [autoprefixer](https://github.com/postcss/autoprefixer) | `10.5.0` | `10.5.2` |
| [postcss](https://github.com/postcss/postcss) | `8.5.13` | `8.5.16` |
| [prettier](https://github.com/prettier/prettier) | `3.8.3` | `3.9.4` |
| [svelte-check](https://github.com/sveltejs/language-tools) | `4.4.7` | `4.7.1` |
| [svelte-eslint-parser](https://github.com/sveltejs/svelte-eslint-parser) | `1.6.0` | `1.8.0` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.4` | `4.3.2` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.59.1` | `8.62.1` |
| [workbox-cli](https://github.com/googlechrome/workbox) | `7.4.0` | `7.4.1` |



Updates `@passwordless-id/webauthn` from 2.3.5 to 2.4.0
- [Release notes](https://github.com/passwordless-id/webauthn/releases)
- [Commits](passwordless-id/webauthn@2.3.5...2.4.0)

Updates `@tauri-apps/api` from 2.10.1 to 2.11.1
- [Release notes](https://github.com/tauri-apps/tauri/releases)
- [Commits](https://github.com/tauri-apps/tauri/compare/@tauri-apps/api-v2.10.1...@tauri-apps/api-v2.11.1)

Updates `@tauri-apps/plugin-deep-link` from 2.4.8 to 2.4.9
- [Release notes](https://github.com/tauri-apps/plugins-workspace/releases)
- [Commits](tauri-apps/plugins-workspace@deep-link-v2.4.8...deep-link-v2.4.9)

Updates `@tauri-apps/plugin-dialog` from 2.7.0 to 2.7.1
- [Release notes](https://github.com/tauri-apps/plugins-workspace/releases)
- [Commits](tauri-apps/plugins-workspace@log-v2.7.0...log-v2.7.1)

Updates `@tauri-apps/plugin-fs` from 2.5.0 to 2.5.1
- [Release notes](https://github.com/tauri-apps/plugins-workspace/releases)
- [Commits](tauri-apps/plugins-workspace@fs-v2.5.0...fs-v2.5.1)

Updates `@tauri-apps/plugin-global-shortcut` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/tauri-apps/plugins-workspace/releases)
- [Commits](tauri-apps/plugins-workspace@os-v2.3.1...os-v2.3.2)

Updates `@tauri-apps/plugin-opener` from 2.5.3 to 2.5.4
- [Release notes](https://github.com/tauri-apps/plugins-workspace/releases)
- [Commits](tauri-apps/plugins-workspace@http-v2.5.3...http-v2.5.4)

Updates `bits-ui` from 2.18.0 to 2.18.1
- [Release notes](https://github.com/huntabyte/bits-ui/releases)
- [Commits](https://github.com/huntabyte/bits-ui/compare/bits-ui@2.18.0...bits-ui@2.18.1)

Updates `dexie` from 4.4.2 to 4.4.4
- [Release notes](https://github.com/dexie/Dexie.js/releases)
- [Commits](dexie/Dexie.js@v4.4.2...v4.4.4)

Updates `dompurify` from 3.4.2 to 3.4.11
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.4.2...3.4.11)

Updates `openpgp` from 6.3.0 to 6.3.1
- [Release notes](https://github.com/openpgpjs/openpgpjs/releases)
- [Commits](openpgpjs/openpgpjs@v6.3.0...v6.3.1)

Updates `postal-mime` from 2.7.4 to 2.7.5
- [Release notes](https://github.com/postalsys/postal-mime/releases)
- [Changelog](https://github.com/postalsys/postal-mime/blob/master/CHANGELOG.md)
- [Commits](postalsys/postal-mime@v2.7.4...v2.7.5)

Updates `preact` from 10.29.1 to 10.29.4
- [Release notes](https://github.com/preactjs/preact/releases)
- [Commits](preactjs/preact@10.29.1...10.29.4)

Updates `svelte` from 5.55.1 to 5.56.4
- [Release notes](https://github.com/sveltejs/svelte/releases)
- [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.56.4/packages/svelte)

Updates `tailwind-merge` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](dcastil/tailwind-merge@v3.5.0...v3.6.0)

Updates `@internationalized/date` from 3.12.1 to 3.12.2
- [Release notes](https://github.com/adobe/react-spectrum/releases)
- [Commits](https://github.com/adobe/react-spectrum/compare/@internationalized/date@3.12.1...@internationalized/date@3.12.2)

Updates `@playwright/test` from 1.59.1 to 1.61.1
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.59.1...v1.61.1)

Updates `@tailwindcss/postcss` from 4.2.4 to 4.3.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.2/packages/@tailwindcss-postcss)

Updates `@tauri-apps/cli` from 2.10.1 to 2.11.4
- [Release notes](https://github.com/tauri-apps/tauri/releases)
- [Commits](https://github.com/tauri-apps/tauri/compare/@tauri-apps/cli-v2.10.1...@tauri-apps/cli-v2.11.4)

Updates `@testing-library/svelte` from 5.3.1 to 5.4.2
- [Release notes](https://github.com/testing-library/svelte-testing-library/releases)
- [Changelog](https://github.com/testing-library/svelte-testing-library/blob/main/CHANGELOG.md)
- [Commits](https://github.com/testing-library/svelte-testing-library/commits/@testing-library/svelte@5.4.2/packages/svelte)

Updates `@typescript-eslint/eslint-plugin` from 8.59.1 to 8.62.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.62.1/packages/eslint-plugin)

Updates `@typescript-eslint/parser` from 8.59.1 to 8.62.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.62.1/packages/parser)

Updates `autoprefixer` from 10.5.0 to 10.5.2
- [Release notes](https://github.com/postcss/autoprefixer/releases)
- [Changelog](https://github.com/postcss/autoprefixer/blob/main/CHANGELOG.md)
- [Commits](postcss/autoprefixer@10.5.0...10.5.2)

Updates `postcss` from 8.5.13 to 8.5.16
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.13...8.5.16)

Updates `prettier` from 3.8.3 to 3.9.4
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.8.3...3.9.4)

Updates `svelte-check` from 4.4.7 to 4.7.1
- [Release notes](https://github.com/sveltejs/language-tools/releases)
- [Commits](https://github.com/sveltejs/language-tools/compare/svelte-check@4.4.7...svelte-check@4.7.1)

Updates `svelte-eslint-parser` from 1.6.0 to 1.8.0
- [Release notes](https://github.com/sveltejs/svelte-eslint-parser/releases)
- [Changelog](https://github.com/sveltejs/svelte-eslint-parser/blob/main/CHANGELOG.md)
- [Commits](sveltejs/svelte-eslint-parser@v1.6.0...v1.8.0)

Updates `tailwindcss` from 4.2.4 to 4.3.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.2/packages/tailwindcss)

Updates `typescript-eslint` from 8.59.1 to 8.62.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.62.1/packages/typescript-eslint)

Updates `workbox-cli` from 7.4.0 to 7.4.1
- [Release notes](https://github.com/googlechrome/workbox/releases)
- [Commits](GoogleChrome/workbox@v7.4.0...v7.4.1)

---
updated-dependencies:
- dependency-name: "@internationalized/date"
  dependency-version: 3.12.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: "@passwordless-id/webauthn"
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@playwright/test"
  dependency-version: 1.61.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.3.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@tauri-apps/api"
  dependency-version: 2.11.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@tauri-apps/cli"
  dependency-version: 2.11.4
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@tauri-apps/plugin-deep-link"
  dependency-version: 2.4.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: "@tauri-apps/plugin-dialog"
  dependency-version: 2.7.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: "@tauri-apps/plugin-fs"
  dependency-version: 2.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: "@tauri-apps/plugin-global-shortcut"
  dependency-version: 2.3.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: "@tauri-apps/plugin-opener"
  dependency-version: 2.5.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: "@testing-library/svelte"
  dependency-version: 5.4.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.62.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@typescript-eslint/parser"
  dependency-version: 8.62.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: autoprefixer
  dependency-version: 10.5.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: bits-ui
  dependency-version: 2.18.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: dexie
  dependency-version: 4.4.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: dompurify
  dependency-version: 3.4.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: openpgp
  dependency-version: 6.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: postal-mime
  dependency-version: 2.7.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: postcss
  dependency-version: 8.5.16
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: preact
  dependency-version: 10.29.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: prettier
  dependency-version: 3.9.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: svelte
  dependency-version: 5.56.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: svelte-check
  dependency-version: 4.7.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: svelte-eslint-parser
  dependency-version: 1.8.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: tailwind-merge
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: tailwindcss
  dependency-version: 4.3.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: typescript-eslint
  dependency-version: 8.62.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: workbox-cli
  dependency-version: 7.4.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: production-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/production-deps-e4d13a49b3 branch from c1e287c to 9d20859 Compare July 6, 2026 17:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants