Bump the npm_and_yarn group across 24 directories with 4 updates by dependabot[bot] · Pull Request #12 · telus/cf-workers-for-platforms-template

dependabot · 2026-03-13T22:52:03Z

Bumps the npm_and_yarn group with 1 update in the / directory: hono.
Bumps the npm_and_yarn group with 1 update in the /astro-blog-starter-template directory: devalue.
Bumps the npm_and_yarn group with 2 updates in the /chanfana-openapi-template directory: hono and devalue.
Bumps the npm_and_yarn group with 1 update in the /containers-template directory: hono.
Bumps the npm_and_yarn group with 1 update in the /d1-starter-sessions-api-template directory: devalue.
Bumps the npm_and_yarn group with 1 update in the /llm-chat-app-template directory: devalue.
Bumps the npm_and_yarn group with 1 update in the /microfrontend-template directory: devalue.
Bumps the npm_and_yarn group with 1 update in the /mysql-hyperdrive-template directory: devalue.
Bumps the npm_and_yarn group with 1 update in the /next-starter-template directory: minimatch.
Bumps the npm_and_yarn group with 1 update in the /openauth-template directory: hono.
Bumps the npm_and_yarn group with 1 update in the /postgres-hyperdrive-template directory: devalue.
Bumps the npm_and_yarn group with 1 update in the /r2-explorer-template directory: hono.
Bumps the npm_and_yarn group with 2 updates in the /react-postgres-fullstack-template directory: hono and minimatch.
Bumps the npm_and_yarn group with 2 updates in the /react-router-hono-fullstack-template directory: hono and minimatch.
Bumps the npm_and_yarn group with 2 updates in the /react-router-postgres-ssr-template directory: hono and minimatch.
Bumps the npm_and_yarn group with 1 update in the /react-router-starter-template directory: minimatch.
Bumps the npm_and_yarn group with 1 update in the /remix-starter-template directory: minimatch.
Bumps the npm_and_yarn group with 1 update in the /saas-admin-template directory: devalue.
Bumps the npm_and_yarn group with 2 updates in the /to-do-list-kv-template directory: devalue and minimatch.
Bumps the npm_and_yarn group with 2 updates in the /vite-react-template directory: hono and minimatch.
Bumps the npm_and_yarn group with 1 update in the /workers-builds-notifications-template directory: devalue.
Bumps the npm_and_yarn group with 2 updates in the /workers-for-platforms-template directory: hono and devalue.
Bumps the npm_and_yarn group with 2 updates in the /workflows-starter-template directory: devalue and minimatch.
Bumps the npm_and_yarn group with 3 updates in the /x402-proxy-template directory: hono, bn.js and minimatch.

Updates hono from 4.11.1 to 4.12.7

Release notes

Sourced from hono's releases.

v4.12.7

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

What's Changed

fix(accept): replace regex split to mitigate ReDoS by @EdamAme-x in honojs/hono#4758

fix(jsx): align link hoisting and dedupe with React 19 by @usualoma in honojs/hono#4792

chore(builld): tsconfig project references by @BarryThePenguin in honojs/hono#4797

chore: add tsconfig.spec.json by @yusukebe in honojs/hono#4798

feat(jsx-renderer): support function-based options by @3w36zj6 in honojs/hono#4780

fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @t0waxx in honojs/hono#4782

New Contributors

@t0waxx made their first contribution in honojs/hono#4782

Full Changelog: honojs/hono@v4.12.5...v4.12.6

v4.12.5

What's Changed

fix(request): return string | undefined from param() when path type is any by @andrewdamelio in honojs/hono#4723

fix(jwt): validate token format in decode and decodeHeader functions by @otoneko1102 in honojs/hono#4752

fix(jsx): Fix "Invalid state: Controller is already closed" by @gaearon in honojs/hono#4770

chore(eslint): upgrade @hono/eslint-config by @BarryThePenguin in honojs/hono#4781

New Contributors

@andrewdamelio made their first contribution in honojs/hono#4723

@otoneko1102 made their first contribution in honojs/hono#4752

@gaearon made their first contribution in honojs/hono#4770

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

... (truncated)

Commits

b0aba5b 4.12.7
1be3a53 ci: apply automated fixes
ef90225 Merge commit from fork
3f88636 4.12.6
53b66ae fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X (#4782)
58825a7 feat(jsx-renderer): support function-based options (#4780)
0e80acb chore: add tsconfig.spec.json (#4798)
d69deb8 chore(builld): tsconfig project references (#4797)
8217d9e fix(jsx): align link hoisting and dedupe with React 19 (#4792)
5086956 fix(accept): replace regex split to mitigate ReDoS (#4758)
Additional commits viewable in compare view

Updates devalue from 5.6.2 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

Commits

6cbb3f5 Version Packages (#133)
40f1db1 Merge commit from fork
87c1f3c Merge commit from fork
a4a37d2 Version Packages (#132)
819f1ac Merge commit from fork
0f04d4d Merge commit from fork
See full diff in compare view

Updates hono from 4.11.1 to 4.12.7

Release notes

Sourced from hono's releases.

v4.12.7

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

What's Changed

fix(accept): replace regex split to mitigate ReDoS by @EdamAme-x in honojs/hono#4758

fix(jsx): align link hoisting and dedupe with React 19 by @usualoma in honojs/hono#4792

chore(builld): tsconfig project references by @BarryThePenguin in honojs/hono#4797

chore: add tsconfig.spec.json by @yusukebe in honojs/hono#4798

feat(jsx-renderer): support function-based options by @3w36zj6 in honojs/hono#4780

fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @t0waxx in honojs/hono#4782

New Contributors

@t0waxx made their first contribution in honojs/hono#4782

Full Changelog: honojs/hono@v4.12.5...v4.12.6

v4.12.5

What's Changed

fix(request): return string | undefined from param() when path type is any by @andrewdamelio in honojs/hono#4723

fix(jwt): validate token format in decode and decodeHeader functions by @otoneko1102 in honojs/hono#4752

fix(jsx): Fix "Invalid state: Controller is already closed" by @gaearon in honojs/hono#4770

chore(eslint): upgrade @hono/eslint-config by @BarryThePenguin in honojs/hono#4781

New Contributors

@andrewdamelio made their first contribution in honojs/hono#4723

@otoneko1102 made their first contribution in honojs/hono#4752

@gaearon made their first contribution in honojs/hono#4770

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

... (truncated)

Commits

b0aba5b 4.12.7
1be3a53 ci: apply automated fixes
ef90225 Merge commit from fork
3f88636 4.12.6
53b66ae fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X (#4782)
58825a7 feat(jsx-renderer): support function-based options (#4780)
0e80acb chore: add tsconfig.spec.json (#4798)
d69deb8 chore(builld): tsconfig project references (#4797)
8217d9e fix(jsx): align link hoisting and dedupe with React 19 (#4792)
5086956 fix(accept): replace regex split to mitigate ReDoS (#4758)
Additional commits viewable in compare view

Updates devalue from 5.6.1 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

Commits

6cbb3f5 Version Packages (#133)
40f1db1 Merge commit from fork
87c1f3c Merge commit from fork
a4a37d2 Version Packages (#132)
819f1ac Merge commit from fork
0f04d4d Merge commit from fork
See full diff in compare view

Updates hono from 4.11.1 to 4.12.7

Release notes

Sourced from hono's releases.

v4.12.7

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

What's Changed

fix(accept): replace regex split to mitigate ReDoS by @EdamAme-x in honojs/hono#4758

fix(jsx): align link hoisting and dedupe with React 19 by @usualoma in honojs/hono#4792

chore(builld): tsconfig project references by @BarryThePenguin in honojs/hono#4797

chore: add tsconfig.spec.json by @yusukebe in honojs/hono#4798

feat(jsx-renderer): support function-based options by @3w36zj6 in honojs/hono#4780

fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @t0waxx in honojs/hono#4782

New Contributors

@t0waxx made their first contribution in honojs/hono#4782

Full Changelog: honojs/hono@v4.12.5...v4.12.6

v4.12.5

What's Changed

fix(request): return string | undefined from param() when path type is any by @andrewdamelio in honojs/hono#4723

fix(jwt): validate token format in decode and decodeHeader functions by @otoneko1102 in honojs/hono#4752

fix(jsx): Fix "Invalid state: Controller is already closed" by @gaearon in honojs/hono#4770

chore(eslint): upgrade @hono/eslint-config by @BarryThePenguin in honojs/hono#4781

New Contributors

@andrewdamelio made their first contribution in honojs/hono#4723

@otoneko1102 made their first contribution in honojs/hono#4752

@gaearon made their first contribution in honojs/hono#4770

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

... (truncated)

Commits

b0aba5b 4.12.7
1be3a53 ci: apply automated fixes
ef90225 Merge commit from fork
3f88636 4.12.6
53b66ae fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X (#4782)
58825a7 feat(jsx-renderer): support function-based options (#4780)
0e80acb chore: add tsconfig.spec.json (#4798)
d69deb8 chore(builld): tsconfig project references (#4797)
8217d9e fix(jsx): align link hoisting and dedupe with React 19 (#4792)
5086956 fix(accept): replace regex split to mitigate ReDoS (#4758)
Additional commits viewable in compare view

Updates devalue from 5.6.1 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

Commits

6cbb3f5 Version Packages (#133)
40f1db1 Merge commit from fork
87c1f3c Merge commit from fork
a4a37d2 Version Packages (#132)
819f1ac Merge commit from fork
0f04d4d Merge commit from fork
See full diff in compare view

Updates devalue from 5.6.1 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

Commits

6cbb3f5 Version Packages (#133)
40f1db1 Merge commit from fork
87c1f3c Merge commit from fork
a4a37d2 Version Packages (#132)
819f1ac Merge commit from fork
0f04d4d Merge commit from fork
See full diff in compare view

Updates devalue from 5.6.1 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

Commits

6cbb3f5 Version Packages (#133)
40f1db1 Merge commit from fork
87c1f3c Merge commit from fork
a4a37d2 Version Packages (#132)
819f1ac Merge commit from fork
0f04d4d Merge commit from fork
See full diff in compare view

Updates devalue from 5.6.1 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

Commits

6cbb3f5 Version Packages (#133)
40f1db1 Merge commit from fork
87c1f3c Merge commit from fork
a4a37d2 Version Packages (#132)
819f1ac Merge commit from fork
0f04d4d Merge commit from fork
See full diff in compare view

Updates minimatch from 8.0.4 to 8.0.7

Commits

c11bafe 8.0.7
abf1900 docs: add warning about ReDoS
be84a30 fix partial matching of globstar patterns
a5f07f4 8.0.6
c42643a lock node to v16 in dev
9bbb456 limit nested extglob recursion, flatten extglobs
f4ce011 8.0.5
50c739a update CI matrix and actions
e16b0f0 update test expectations for coalesced consecutive stars
5173367 coalesce consecutive non-globstar * characters
Additional commits viewable in compare view

Updates minimatch from 10.1.1 to 10.2.4

Commits

c11bafe 8.0.7
abf1900 docs: add warning about ReDoS
be84a30 fix partial matching of globstar patterns
a5f07f4 8.0.6
c42643a lock node to v16 in dev
9bbb456 limit nested extglob recursion, flatten extglobs
f4ce011 8.0.5
50c739a update CI matrix and actions
e16b0f0 update test expectations for coalesced consecutive stars
5173367 coalesce consecutive non-globstar * characters
Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

c11bafe 8.0.7
abf1900 docs: add warning about ReDoS
be84a30 fix partial matching of globstar patterns
a5f07f4 8.0.6
c42643a lock node to v16 in dev
9bbb456 limit nested extglob recursion, flatten extglobs
f4ce011 8.0.5
50c739a update CI matrix and actions
e16b0f0 update test expectations for coalesced consecutive stars
5173367 coalesce consecutive non-globstar * characters
Additional commits viewable in compare view

Updates minimatch from 9.0.5 to 9.0.9

Commits

c11bafe 8.0.7
abf1900 docs: add warning about ReDoS
be84a30 fix partial matching of globstar patterns
a5f07f4 8.0.6
c42643a lock node to v16 in dev
9bbb456 limit nested extglob recursion, flatten extglobs
f4ce011 8.0.5
50c739a update CI matrix and actions
e16b0f0 update test expectations for coalesced consecutive stars
5173367 coalesce consecutive non-globstar * characters
Additional commits viewable in compare view

Updates hono from 4.11.1 to 4.12.7

Release notes

Sourced from hono's releases.

v4.12.7

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

What's Changed

fix(accept): replace regex split to mitigate ReDoS by @EdamAme-x in honojs/hono#4758

fix(jsx): align link hoisting and dedupe with React 19 by @usualoma in honojs/hono#4792

chore(builld): tsconfig project references by @BarryThePenguin in honojs/hono#4797

chore: add tsconfig.spec.json by @yusukebe in honojs/hono#4798

feat(jsx-renderer): support function-based options by @3w36zj6 in honojs/hono#4780

fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @t0waxx in honojs/hono#4782

New Contributors

@t0waxx made their first contribution in honojs/hono#4782

Full Changelog: honojs/hono@v4.12.5...v4.12.6

v4.12.5

What's Changed

fix(request): return string | undefined from param() when path type is any by @andrewdamelio in honojs/hono#4723

fix(jwt): validate token format in decode and decodeHeader functions by @otoneko1102 in honojs/hono#4752

fix(jsx): Fix "Invalid state: Controller is already closed" by @gaearon in honojs/hono#4770

chore(eslint): upgrade @hono/eslint-config by @BarryThePenguin in honojs/hono#4781

New Contributors

@andrewdamelio made their first contribution in honojs/hono#4723

@otoneko1102 made their first contribution in honojs/hono#4752

@gaearon made their first contribution in honojs/hono#4770

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

... (truncated)

Commits

b0aba5b 4.12.7
1be3a53 ci: apply automated fixes
ef90225 Merge commit from fork
3f88636 4.12.6
53b66ae fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X (#4782)
58825a7 feat(jsx-renderer): support function-based options (#4780)
0e80acb chore: add tsconfig.spec.json (#4798)
d69deb8 chore(builld): tsconfig project references (#4797)
8217d9e fix(jsx): align link hoisting and dedupe with React 19 (#4792)
5086956 fix(accept): replace regex split to mitigate ReDoS (#4758)
Additional commits viewable in compare view

Updates devalue from 5.6.1 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

Commits

6cbb3f5 Version Packages (#133)
40f1db1 Merge commit from fork
87c1f3c Merge commit from fork
a4a37d2 Version Packages (#132)
819f1ac Merge commit from fork
0f04d4d Merge commit from fork
See full diff in compare view

Updates hono from 4.11.1 to 4.12.7

Release notes

Sourced from hono's releases.

v4.12.7

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

What's Changed

fix(accept): replace regex split to mitigate ReDoS by @EdamAme-x in honojs/hono#4758

fix(jsx): align link hoisting and dedupe with React 19 by @usualoma in honojs/hono#4792

chore(builld): tsconfig project references by @BarryThePenguin in honojs/hono#4797

chore: add tsconfig.spec.json by @yusukebe in honojs/hono#4798

feat(jsx-renderer): support function-based options by @3w36zj6 in honojs/hono#4780

fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @t0waxx in honojs/h...
Description has been truncated

Bumps the npm_and_yarn group with 1 update in the / directory: [hono](https://github.com/honojs/hono). Bumps the npm_and_yarn group with 1 update in the /astro-blog-starter-template directory: [devalue](https://github.com/sveltejs/devalue). Bumps the npm_and_yarn group with 2 updates in the /chanfana-openapi-template directory: [hono](https://github.com/honojs/hono) and [devalue](https://github.com/sveltejs/devalue). Bumps the npm_and_yarn group with 1 update in the /containers-template directory: [hono](https://github.com/honojs/hono). Bumps the npm_and_yarn group with 1 update in the /d1-starter-sessions-api-template directory: [devalue](https://github.com/sveltejs/devalue). Bumps the npm_and_yarn group with 1 update in the /llm-chat-app-template directory: [devalue](https://github.com/sveltejs/devalue). Bumps the npm_and_yarn group with 1 update in the /microfrontend-template directory: [devalue](https://github.com/sveltejs/devalue). Bumps the npm_and_yarn group with 1 update in the /mysql-hyperdrive-template directory: [devalue](https://github.com/sveltejs/devalue). Bumps the npm_and_yarn group with 1 update in the /next-starter-template directory: [minimatch](https://github.com/isaacs/minimatch). Bumps the npm_and_yarn group with 1 update in the /openauth-template directory: [hono](https://github.com/honojs/hono). Bumps the npm_and_yarn group with 1 update in the /postgres-hyperdrive-template directory: [devalue](https://github.com/sveltejs/devalue). Bumps the npm_and_yarn group with 1 update in the /r2-explorer-template directory: [hono](https://github.com/honojs/hono). Bumps the npm_and_yarn group with 2 updates in the /react-postgres-fullstack-template directory: [hono](https://github.com/honojs/hono) and [minimatch](https://github.com/isaacs/minimatch). Bumps the npm_and_yarn group with 2 updates in the /react-router-hono-fullstack-template directory: [hono](https://github.com/honojs/hono) and [minimatch](https://github.com/isaacs/minimatch). Bumps the npm_and_yarn group with 2 updates in the /react-router-postgres-ssr-template directory: [hono](https://github.com/honojs/hono) and [minimatch](https://github.com/isaacs/minimatch). Bumps the npm_and_yarn group with 1 update in the /react-router-starter-template directory: [minimatch](https://github.com/isaacs/minimatch). Bumps the npm_and_yarn group with 1 update in the /remix-starter-template directory: [minimatch](https://github.com/isaacs/minimatch). Bumps the npm_and_yarn group with 1 update in the /saas-admin-template directory: [devalue](https://github.com/sveltejs/devalue). Bumps the npm_and_yarn group with 2 updates in the /to-do-list-kv-template directory: [devalue](https://github.com/sveltejs/devalue) and [minimatch](https://github.com/isaacs/minimatch). Bumps the npm_and_yarn group with 2 updates in the /vite-react-template directory: [hono](https://github.com/honojs/hono) and [minimatch](https://github.com/isaacs/minimatch). Bumps the npm_and_yarn group with 1 update in the /workers-builds-notifications-template directory: [devalue](https://github.com/sveltejs/devalue). Bumps the npm_and_yarn group with 2 updates in the /workers-for-platforms-template directory: [hono](https://github.com/honojs/hono) and [devalue](https://github.com/sveltejs/devalue). Bumps the npm_and_yarn group with 2 updates in the /workflows-starter-template directory: [devalue](https://github.com/sveltejs/devalue) and [minimatch](https://github.com/isaacs/minimatch). Bumps the npm_and_yarn group with 3 updates in the /x402-proxy-template directory: [hono](https://github.com/honojs/hono), [bn.js](https://github.com/indutny/bn.js) and [minimatch](https://github.com/isaacs/minimatch). Updates `hono` from 4.11.1 to 4.12.7 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.1...v4.12.7) Updates `devalue` from 5.6.2 to 5.6.4 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.2...v5.6.4) Updates `hono` from 4.11.1 to 4.12.7 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.1...v4.12.7) Updates `devalue` from 5.6.1 to 5.6.4 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.2...v5.6.4) Updates `hono` from 4.11.1 to 4.12.7 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.1...v4.12.7) Updates `devalue` from 5.6.1 to 5.6.4 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.2...v5.6.4) Updates `devalue` from 5.6.1 to 5.6.4 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.2...v5.6.4) Updates `devalue` from 5.6.1 to 5.6.4 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.2...v5.6.4) Updates `devalue` from 5.6.1 to 5.6.4 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.2...v5.6.4) Updates `minimatch` from 8.0.4 to 8.0.7 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) Updates `minimatch` from 10.1.1 to 10.2.4 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) Updates `minimatch` from 9.0.5 to 9.0.9 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) Updates `hono` from 4.11.1 to 4.12.7 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.1...v4.12.7) Updates `devalue` from 5.6.1 to 5.6.4 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.2...v5.6.4) Updates `hono` from 4.11.1 to 4.12.7 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.1...v4.12.7) Updates `hono` from 4.11.1 to 4.12.7 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.1...v4.12.7) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) Updates `hono` from 4.11.1 to 4.12.7 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.1...v4.12.7) Updates `minimatch` from 9.0.5 to 9.0.9 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) Updates `hono` from 4.11.1 to 4.12.7 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.1...v4.12.7) Updates `minimatch` from 9.0.5 to 9.0.9 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) Updates `minimatch` from 9.0.5 to 9.0.9 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) Updates `minimatch` from 9.0.5 to 9.0.9 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) Updates `devalue` from 5.6.2 to 5.6.4 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.2...v5.6.4) Updates `devalue` from 5.6.1 to 5.6.4 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.2...v5.6.4) Updates `minimatch` from 9.0.5 to 9.0.9 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) Updates `hono` from 4.11.1 to 4.12.7 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.1...v4.12.7) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) Updates `minimatch` from 9.0.5 to 9.0.9 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) Updates `devalue` from 5.6.1 to 5.6.4 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.2...v5.6.4) Updates `hono` from 4.11.3 to 4.12.7 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.1...v4.12.7) Removes `devalue` Updates `devalue` from 5.6.1 to 5.6.4 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.2...v5.6.4) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) Updates `minimatch` from 9.0.5 to 9.0.9 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) Updates `hono` from 4.11.1 to 4.12.7 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.1...v4.12.7) Updates `bn.js` from 5.2.2 to 5.2.3 - [Release notes](https://github.com/indutny/bn.js/releases) - [Changelog](https://github.com/indutny/bn.js/blob/master/CHANGELOG.md) - [Commits](indutny/bn.js@v5.2.2...v5.2.3) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) Updates `minimatch` from 9.0.5 to 9.0.9 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v8.0.4...v8.0.7) --- updated-dependencies: - dependency-name: hono dependency-version: 4.12.7 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.6.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.7 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.6.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.7 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.6.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.6.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.6.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.6.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 8.0.7 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 10.2.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 9.0.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.7 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.6.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.7 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.7 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.7 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 9.0.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.7 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 9.0.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 9.0.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 9.0.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.6.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.6.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 9.0.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.7 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 9.0.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.6.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.7 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.6.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 9.0.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.7 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: bn.js dependency-version: 5.2.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 9.0.9 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 13, 2026

dependabot Bot mentioned this pull request Mar 13, 2026

Bump the npm_and_yarn group across 21 directories with 2 updates #11

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 24 directories with 4 updates#12

Bump the npm_and_yarn group across 24 directories with 4 updates#12
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-e3e08f2863

dependabot Bot commented on behalf of github Mar 13, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Mar 13, 2026

v4.12.7

Security hardening

v4.12.6

What's Changed

New Contributors

v4.12.5

What's Changed

New Contributors

v4.12.4

Security fixes

SSE Control Field Injection

Cookie Attribute Injection in setCookie()

v5.6.4

Patch Changes

v5.6.3

Patch Changes

5.6.4

Patch Changes

5.6.3

Patch Changes

v4.12.7

Security hardening

v4.12.6

What's Changed

New Contributors

v4.12.5

What's Changed

New Contributors

v4.12.4

Security fixes

SSE Control Field Injection

Cookie Attribute Injection in setCookie()

v5.6.4

Patch Changes

v5.6.3

Patch Changes

5.6.4

Patch Changes

5.6.3

Patch Changes

v4.12.7

Security hardening

v4.12.6

What's Changed

New Contributors

v4.12.5

What's Changed

New Contributors

v4.12.4

Security fixes

SSE Control Field Injection

Cookie Attribute Injection in setCookie()

v5.6.4

Patch Changes

v5.6.3

Patch Changes

5.6.4

Patch Changes

5.6.3

Patch Changes

v5.6.4

Patch Changes

v5.6.3

Patch Changes

5.6.4

Patch Changes

5.6.3

Patch Changes

v5.6.4

Patch Changes

v5.6.3

Patch Changes

5.6.4

Patch Changes

5.6.3

Patch Changes

v5.6.4

Patch Changes

Cookie Attribute Injection in `setCookie()`

Cookie Attribute Injection in `setCookie()`

Cookie Attribute Injection in `setCookie()`

Cookie Attribute Injection in `setCookie()`