Skip to content

build(deps): bump the npm_and_yarn group across 1 directory with 10 updates#38

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-58721a0b2d
Open

build(deps): bump the npm_and_yarn group across 1 directory with 10 updates#38
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-58721a0b2d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 28, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 10 updates in the / directory:

Package From To
vite 6.3.6 6.4.3
follow-redirects 1.15.11 1.16.0
glob 10.4.5 10.5.0
js-yaml 3.14.1 3.14.2
lodash 4.17.21 4.18.1
mdast-util-to-hast 13.2.0 13.2.1
minimatch 3.1.2 3.1.5
picomatch 2.3.1 2.3.2
postcss 8.5.3 8.5.15
rollup 4.40.0 4.62.2

Updates vite from 6.3.6 to 6.4.3

Release notes

Sourced from vite's releases.

v6.4.3

Please refer to CHANGELOG.md for details.

v6.4.2

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.3 (2026-06-01)

6.4.2 (2026-04-06)

6.4.1 (2025-10-20)

6.4.0 (2025-10-15)

  • feat: allow passing down resolved config to vite's createServer (#20932) (ca6455e), closes #20932

6.3.7 (2025-10-14)

  • fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940) (c59a222), closes #20940
Commits

Updates follow-redirects from 1.15.11 to 1.16.0

Commits
  • 0c23a22 Release version 1.16.0 of the npm package.
  • 844c4d3 Add sensitiveHeaders option.
  • 5e8b8d0 ci: add Node.js 24.x to the CI matrix
  • 7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
  • 86dc1f8 Sanitizing input.
  • See full diff in compare view

Updates glob from 10.4.5 to 10.5.0

Commits

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

  • Types are now exported as yaml.types.XXX.
  • Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

  • Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

  • Check migration guide in docs for details of all breaking changes.
  • Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
  • Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
  • yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
  • yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
  • !!binary now always mapped to Uint8Array on load.
  • Reduced nesting of /lib folder.
  • Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
  • dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
  • Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
  • Code snippet created in exceptions now contains multiple lines with line numbers.
  • dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
  • Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
  • Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

  • Added .mjs (es modules) support.
  • Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
  • Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates mdast-util-to-hast from 13.2.0 to 13.2.1

Release notes

Sourced from mdast-util-to-hast's releases.

13.2.1

Fix

  • ab3a795 Fix support for spaces in class names

Types

  • efb5312 Refactor to use @imports
  • a5bc210 Add declaration maps

Full Changelog: syntax-tree/mdast-util-to-hast@13.2.0...13.2.1

Commits

Updates minimatch from 3.1.2 to 3.1.5

Commits

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

... (truncated)

Commits

Updates postcss from 8.5.3 to 8.5.15

Release notes

Sourced from postcss's releases.

8.5.15

  • Fixed declaration parsing performance (by @​homanp).

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

  • Fixed package.jsonexports compatibility with some tools (by @​JounQin).

8.5.4

Changelog

Sourced from postcss's changelog.

8.5.15

  • Fixed declaration parsing performance (by @​homanp).

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

  • Fixed package.jsonexports compatibility with some tools (by @​JounQin).

8.5.4

Commits
  • eae46db Release 8.5.15 version
  • 79508ff Update CI actions
  • b128e21 Speed up declaration parsing by avoiding creating new array on each token
  • 9825dca Fix code format
  • 55789c8 Update dependencies
  • 84fbbe9 Install older pnpm action for old Node.js
  • 9f860bd Revert pnpm action for old Node.js
  • 0877198 Update CI actions
  • b2d1a33 Fix linter warnings
  • 0700dac Merge pull request #2088 from rootvector2/add-oss-fuzz-harness
  • Additional commits viewable in compare view

Updates rollup from 4.40.0 to 4.62.2

Release notes

Sourced from rollup's releases.

v4.62.2

4.62.2

2026-06-19

Bug Fixes

  • Do not add spurious side-effect-free external imports to chunks when using minChunkSize (#6411)

Pull Requests

v4.62.1

4.62.1

2026-06-19

Bug Fixes

  • Preserve multipart file extensions when deconflicting output chunks (#6408)
  • Fix an issue where getLogFilter would match additional logs (#6415)

Pull Requests

v4.62.0

4.62.0

2026-06-13

Features

  • Ensure that shared dependencies between manual chunks and entry points receive a serparate chunk (#6374)

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.62.2

2026-06-19

Bug Fixes

  • Do not add spurious side-effect-free external imports to chunks when using minChunkSize (#6411)

Pull Requests

4.62.1

2026-06-19

Bug Fixes

  • Preserve multipart file extensions when deconflicting output chunks (#6408)
  • Fix an issue where getLogFilter would match additional logs (#6415)

Pull Requests

4.62.0

2026-06-13

Features

  • Ensure that shared dependencies between manual chunks and entry points receive a serparate chunk (#6374)

Pull Requests

... (truncated)

Commits
  • 8faa187 4.62.2
  • a38a795 refactor(rust/parser_ast): extract property AstConverter write buffer kind lo...
  • 6cc5c31 Skip side-effect-free external imports when hoisting is disabled (#6411)
  • caacf70 4.62.1
  • d1e8297 Add missing ignore
  • 1ba1fc2 fix: insert conflict numbers before first extension in multi-extension filena...
  • 532bd0a Use import attributes for importing JSON (#6393)
  • 2cd8194 fix: advance value past wildcard prefix before suffix check in getLogFilter (...
  • dfac590 fix(deps): update minor/patch updates (#6418)
  • 1d6db3d chore(deps): update dependency eslint-plugin-unicorn to v66 (#6419)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for rollup since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


@dependabot dependabot Bot requested a review from a team as a code owner May 28, 2026 10:13
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 28, 2026
@socket-security

socket-security Bot commented May 28, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedvite@​6.3.6 ⏵ 6.4.394100 +2683 +198 +2100

View full report

@socket-security

socket-security Bot commented May 28, 2026

Copy link
Copy Markdown

Warning

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Warn Low
Potential code anomaly (AI signal): npm glob is 75.0% likely to have a medium risk anomaly

Notes: The analyzed code is a conventional, non-malicious implementation of glob pattern expansion and directory traversal. It reads filesystem data based on user-provided patterns but does not exhibit data exfiltration, remote communications, or code execution risks within this fragment. Overall security risk is low, with standard OS-specific handling for nocase behavior.

Confidence: 0.75

Severity: 0.60

From: ?npm/vite@6.4.3npm/@lavamoat/allow-scripts@3.3.2npm/@vitest/coverage-istanbul@3.1.2npm/glob@10.5.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/glob@10.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm js-yaml is 65.0% likely to have a medium risk anomaly

Notes: The script functions as a straightforward JSON↔YAML translator CLI with standard error handling. The primary security concern is the use of yaml.loadAll without a safeLoad alternative, which could enable YAML deserialization risks if inputs contain crafted tags. To improve security, switch to a safe loader (e.g., yaml.safeLoadAll or equivalent) or ensure the library is configured to restrict risky constructors. Overall, no malware indicators were observed; the risk is confined to YAML deserialization semantics.

Confidence: 0.65

Severity: 0.60

From: ?npm/depcheck@1.4.7npm/js-yaml@3.14.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@3.14.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm rollup is 74.0% likely to have a medium risk anomaly

Notes: No direct evidence of hidden malware behavior (no explicit network exfiltration, credential theft, or system command execution is visible). The dominant security concern is that this build tooling intentionally enables arbitrary code execution via new Function() for inline plugin arguments and via dynamic require()/import() of plugins and configs based on runtime-provided strings/paths, plus a stdin-to-module loader and codegen+temp-file+import for transpiled configs. If an attacker can influence CLI/CI inputs (e.g., --plugin, config path, or plugin argument text), the risk is high for build-time arbitrary code execution.

Confidence: 0.74

Severity: 0.68

From: ?npm/vite@6.4.3npm/rollup@4.62.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rollup@4.62.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm rollup is 70.0% likely to have a medium risk anomaly

Notes: No clear malware/backdoor behavior is evident in this fragment. The main security-relevant issue is that watch hooks can execute arbitrary OS commands synchronously via child_process.execSync, with command strings sourced directly from command.watch (and potentially from config-loaded values). This is only acceptable when the watch configuration is fully trusted; otherwise it represents a high-impact arbitrary command execution risk. Signal/exit interception and global emitter usage are unusual but appear aimed at orderly shutdown rather than malicious activity.

Confidence: 0.70

Severity: 0.62

From: ?npm/vite@6.4.3npm/rollup@4.62.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rollup@4.62.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm vite is 75.0% likely to have a medium risk anomaly

Notes: This fragment performs a high-impact global namespace injection driven by a build-time DEFINES object. While not inherently malicious, it creates a significant risk surface: it can override or create global properties, potentially altering security-sensitive behavior. Strong validation, strict namespace scoping, or replacing with a controlled sandbox/namespace approach is recommended to mitigate supply-chain risk.

Confidence: 0.75

Severity: 0.60

From: package.jsonnpm/vite@6.4.3

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@6.4.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-58721a0b2d branch from 5d160b0 to 86ff4f1 Compare May 28, 2026 10:35
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-58721a0b2d branch from 86ff4f1 to 8cf0df6 Compare June 11, 2026 15:37
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-58721a0b2d branch 2 times, most recently from 4520b83 to 3eebe1a Compare June 25, 2026 11:47
…pdates

Bumps the npm_and_yarn group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `6.3.6` | `6.4.3` |
| [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.15.11` | `1.16.0` |
| [glob](https://github.com/isaacs/node-glob) | `10.4.5` | `10.5.0` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `3.14.1` | `3.14.2` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` |
| [mdast-util-to-hast](https://github.com/syntax-tree/mdast-util-to-hast) | `13.2.0` | `13.2.1` |
| [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` |
| [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` |
| [postcss](https://github.com/postcss/postcss) | `8.5.3` | `8.5.15` |
| [rollup](https://github.com/rollup/rollup) | `4.40.0` | `4.62.2` |



Updates `vite` from 6.3.6 to 6.4.3
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v6.4.3/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v6.4.3/packages/vite)

Updates `follow-redirects` from 1.15.11 to 1.16.0
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0)

Updates `glob` from 10.4.5 to 10.5.0
- [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
- [Commits](isaacs/node-glob@v10.4.5...v10.5.0)

Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `mdast-util-to-hast` from 13.2.0 to 13.2.1
- [Release notes](https://github.com/syntax-tree/mdast-util-to-hast/releases)
- [Commits](syntax-tree/mdast-util-to-hast@13.2.0...13.2.1)

Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `postcss` from 8.5.3 to 8.5.15
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.3...8.5.15)

Updates `rollup` from 4.40.0 to 4.62.2
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.40.0...v4.62.2)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
- dependency-name: glob
  dependency-version: 10.5.0
  dependency-type: indirect
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
- dependency-name: mdast-util-to-hast
  dependency-version: 13.2.1
  dependency-type: indirect
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
- dependency-name: postcss
  dependency-version: 8.5.15
  dependency-type: indirect
- dependency-name: rollup
  dependency-version: 4.60.4
  dependency-type: indirect
- dependency-name: vite
  dependency-version: 6.4.2
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-58721a0b2d branch from 3eebe1a to 51f4dde Compare June 25, 2026 13:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants