Skip to content

chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates#1400

Open
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/ui/npm_and_yarn-65c690bf1f
Open

chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates#1400
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/ui/npm_and_yarn-65c690bf1f

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 6, 2026
edited by cursor Bot
Loading

Bumps the npm_and_yarn group with 3 updates in the /ui directory: react-router, vite and kysely.

Updates react-router from 7.10.1 to 7.12.0

Release notes

Sourced from react-router's releases.

v7.12.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7120

v7.11.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7110

Changelog

Sourced from react-router's changelog.

7.12.0

Minor Changes

  • Add additional layer of CSRF protection by rejecting submissions to UI routes from external origins. If you need to permit access to specific external origins, you can specify them in the react-router.config.ts config allowedActionOrigins field. (#14708)

Patch Changes

  • Fix generatePath when used with suffixed params (i.e., "/books/:id.json") (#14269)

  • Export UNSAFE_createMemoryHistory and UNSAFE_createHashHistory alongside UNSAFE_createBrowserHistory for consistency. These are not intended to be used for new apps but intended to help apps usiong unstable_HistoryRouter migrate from v6->v7 so they can adopt the newer APIs. (#14663)

  • Escape HTML in scroll restoration keys (#14705)

  • Validate redirect locations (#14706)

  • [UNSTABLE] Pass <Scripts nonce> value through to the underlying importmap script tag when using future.unstable_subResourceIntegrity (#14675)

  • [UNSTABLE] Add a new future.unstable_trailingSlashAwareDataRequests flag to provide consistent behavior of request.pathname inside middleware, loader, and action functions on document and data requests when a trailing slash is present in the browser URL. (#14644)

    Currently, your HTTP and request pathnames would be as follows for /a/b/c and /a/b/c/

    URL /a/b/c HTTP pathname request pathname`
    Document /a/b/c /a/b/c
    Data /a/b/c.data /a/b/c
    URL /a/b/c/ HTTP pathname request pathname`
    Document /a/b/c/ /a/b/c/
    Data /a/b/c.data /a/b/c ⚠️

    With this flag enabled, these pathnames will be made consistent though a new _.data format for client-side .data requests:

    URL /a/b/c HTTP pathname request pathname`
    Document /a/b/c /a/b/c
    Data /a/b/c.data /a/b/c
    URL /a/b/c/ HTTP pathname request pathname`
    Document /a/b/c/ /a/b/c/
    Data /a/b/c/_.data ⬅️ /a/b/c/

    This a bug fix but we are putting it behind an opt-in flag because it has the potential to be a "breaking bug fix" if you are relying on the URL format for any other application or caching logic.

    Enabling this flag also changes the format of client side .data requests from /_root.data to /_.data when navigating to / to align with the new format. This does not impact the request pathname which is still / in all cases.

  • Preserve clientLoader.hydrate=true when using <HydratedRouter unstable_instrumentations> (#14674)

... (truncated)

Commits
  • 26653a6 chore: Update version for release (#14712)
  • 7ac2346 chore: Update version for release (pre) (#14709)
  • 75b1ef5 Add origin checks for UI route submissions (#14708)
  • c05ef93 Validate redirect locations (#14706)
  • c89c32c Escape HTML in scroll restoration keys (#14705)
  • cbcbf30 fix: pass nonce to importmap script when using subResourceIntegrity (#14675)
  • 30f6c1d fix(react-router): handle parameters with static suffixes in generatePath (#1...
  • 7f140e0 Handle data requests with trailing slash consistently (#14644)
  • 1954af6 Preserve hydrate property on client loaders during instrumentation (#14674)
  • 5ce5cd4 chore: format
  • Additional commits viewable in compare view

Updates vite from 8.0.3 to 8.0.5

Release notes

Sourced from vite's releases.

v8.0.5

Please refer to CHANGELOG.md for details.

v8.0.4

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.5 (2026-04-06)

Bug Fixes

  • apply server.fs check to env transport (#22159) (f02d9fd)
  • avoid path traversal with optimize deps sourcemap handler (#22161) (79f002f)
  • check server.fs after stripping query as well (#22160) (a9a3df2)
  • disallow referencing files outside the package from sourcemap (#22158) (f05f501)

8.0.4 (2026-04-06)

Features

  • allow esbuild 0.28 as peer deps (#22155) (b0da973)
  • hmr: truncate list of files on hmr update (#21535) (d00e806)
  • optimizer: log when dependency scanning or bundling takes over 1s (#21797) (f61a1ab)

Bug Fixes

  • hasBothRollupOptionsAndRolldownOptions should return false for proxy case (#22043) (99897d2)
  • add types for vite/modulepreload-polyfill (#22126) (17330d2)
  • deps: update all non-major dependencies (#22073) (6daa10f)
  • deps: update all non-major dependencies (#22143) (22b0166)
  • resolve: resolve tsconfig paths starting with # (#22038) (3460fc5)
  • ssr: use browser platform for webworker SSR builds (fix #21969) (#21963) (364c227)

Documentation

Miscellaneous Chores

Code Refactoring

Commits

Updates kysely from 0.27.6 to 0.28.15

Release notes

Sourced from kysely's releases.

0.28.15

Hey 👋

The introduction of dehydration in JSON functions/helpers caused an unexpected bug for consumers that have some columns defined as '${number}', e.g. '1' | '2' (also when wrapped in ColumnType or similar). Such columns, when participating in a JSON function/helper would dehydrate to number instead of staying as string.

Why dehydrate numeric strings to numbers in the first place? Select types in kysely describe the data after underlying driver's (e.g. pg) data transformation. Some drivers transform numeric columns to strings to be safe. When these columns participate in JSON functions, they lose original column data types - drivers don't know they need to transform to string - they return as-is.

This release introduces a special helper type that wraps your column type definition and tells kysely to NOT dehydrate it in JSON functions/helpers.

import type { NonDehydrateable } from 'kysely'
interface Database {
my_table: {
a_column: '1' | '2' | '3', // dehydrates to number
another_column: NonDehydrateable<'1' | '2' | '3'>, // stays '1' | '2' | '3'
column_too: NonDehydrateable<ColumnType<'1' | '2' | '3'>> // stays '1' | '2' | '3'
}
}

🚀 Features

  • feat: add NonDehydrateable<T> to allow opt-out from dehydration in JSON functions/helpers. by @​igalklebanov in #1697

🐞 Bugfixes

PostgreSQL 🐘

📖 Documentation

📦 CICD & Tooling

⚠️ Breaking Changes

🐤 New Contributors

Full Changelog: kysely-org/kysely@v0.28.14...v0.28.15

0.28.14

Hey 👋

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for kysely since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Low Risk
Low risk dependency-only update in the ui package; main risk is subtle runtime/build behavior changes from react-router and vite bumps.

Overview
Updates ui dependencies to newer versions, including react-router 7.10.17.12.0 and vite 8.0.38.0.5.

Refreshes i18n/dev tooling (@inlang/*) and lockfile transitive deps (notably kysely, uuid, and related packages), with corresponding integrity/resolution updates in package-lock.json.

Reviewed by Cursor Bugbot for commit d18514e. Bugbot is set up for automated code reviews on this repo. Configure here.

@dependabot
chore(deps): bump the npm_and_yarn group across 1 directory with 3 up…
d18514e 
…dates

Bumps the npm_and_yarn group with 3 updates in the /ui directory: [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router), [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [kysely](https://github.com/kysely-org/kysely).


Updates `react-router` from 7.10.1 to 7.12.0
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router@7.12.0/packages/react-router)

Updates `vite` from 8.0.3 to 8.0.5
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.5/packages/vite)

Updates `kysely` from 0.27.6 to 0.28.15
- [Release notes](https://github.com/kysely-org/kysely/releases)
- [Commits](kysely-org/kysely@0.27.6...v0.28.15)

---
updated-dependencies:
- dependency-name: react-router
  dependency-version: 7.12.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 8.0.5
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: kysely
  dependency-version: 0.28.15
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 6, 2026
terryrankine added a commit to terryrankine/kvm that referenced this pull request May 7, 2026
@terryrankine @claude
chore(ui): bump vite to v8, tailwindcss/vite to v4.2.4, and associate…
1f0d9f9 
…d plugins

Applies jetkvm#1400 (security/maintenance bump) adapted for the Luckfox
fork. Upstream bumped vite 8.0.3→8.0.5; this fork was on v6.3.5 so a full
v6→v8 migration was required. Co-upgraded @tailwindcss/vite, @tailwindcss/postcss,
tailwindcss, @vitejs/plugin-react-swc, and @vitejs/plugin-basic-ssl to their
latest versions which declare vite ^8 peer support. `npm audit` now reports
0 vulnerabilities (down from 9).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants