build(deps): bump the npm_and_yarn group across 2 directories with 11 updates by dependabot[bot] · Pull Request #1465 · github/awesome-copilot

dependabot · 2026-04-21T22:20:21Z

Bumps the npm_and_yarn group with 2 updates in the / directory: lodash and yaml.
Bumps the npm_and_yarn group with 6 updates in the /website directory:

Package	From	To
astro	`5.16.15`	`6.1.8`
picomatch	`2.3.1`	`2.3.2`
defu	`6.1.4`	`6.1.7`
devalue	`5.6.3`	`5.7.1`
h3	`1.15.5`	`1.15.11`
rollup	`4.57.0`	`4.60.2`

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

lodash: lodash/lodash@4.18.0-npm...4.18.1-npm

lodash-es: lodash/lodash@4.18.0-es...4.18.1-es

lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd

lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

Add security notice for _.template in threat model and API docs (#6099)

Document lower > upper behavior in _.random (#6115)

Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

lodash.orderby

lodash.tonumber

lodash.trim

lodash.trimend

lodash.sortedindexby

lodash.zipobjectdeep

lodash.unset

lodash.omit

lodash.template

Commits

cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
75535f5 chore: prune stale advisory refs (#6170)
62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
59be2de release(minor): bump to 4.18.0 (#6161)
af63457 fix: broken tests for _.template 879aaa9
1073a76 fix: linting issues
879aaa9 fix: validate imports keys in _.template
fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
b819080 ci: add dist sync validation workflow (#6137)
Additional commits viewable in compare view

Updates yaml from 2.8.1 to 2.8.3

Release notes

Sourced from yaml's releases.

v2.8.3

Add trailingComma ToString option for multiline flow formatting (#670)

Catch stack overflow during node composition (1e84ebb)

v2.8.2

Serialize -0 as -0 (#638)

Do not double newlines for empty map values (#642)

Commits

ce14587 2.8.3
1e84ebb fix: Catch stack overflow during node composition
6b24090 ci: Include Prettier check in lint action
9424dee chore: Refresh lockfile
d1aca82 Add trailingComma ToString option for multiline flow formatting (#670)
4321509 ci: Drop the branch filter from GitHub PR actions
47207d0 chore: Update docs-slate
5212fae chore: Update docs-slate
086fa6b 2.8.2
95f01e9 chore: Add funding to package.json
Additional commits viewable in compare view

Updates astro from 5.16.15 to 6.1.8

Release notes

Sourced from astro's releases.

astro@6.1.8

Patch Changes

#16367 a6866a7 Thanks @ematipico! - Fixes an issue where build output files could contain special characters (!, ~, {, }) in their names, causing deploy failures on platforms like Netlify.

#16381 217c5b3 Thanks @ematipico! - Slightly improved the performance of the dev server by caching the internal crawling of the dependencies of a project.

#16348 7d26cd7 Thanks @ocavue! - Fixes a bug where emitted assets during a client build would contain always fresh, new hashes in their name. Now the build should be more stable.

#16317 d012bfe Thanks @das-peter! - Fixes a bug where allowedDomains weren't correctly propagated when using the development server.

#16379 5a84551 Thanks @martrapp! - Improves Vue scoped style handling in DEV mode during client router navigation.

#16317 d012bfe Thanks @das-peter! - Adds tests to verify settings are properly propagated when using the development server.

#16282 5b0fdaa Thanks @jmurty! - Fixes build errors on platforms with skew protection enabled (e.g. Vercel, Netlify) for inter-chunk Javascript using dynamic imports

Updated dependencies [e0b240e]:

@astrojs/telemetry@3.3.1

astro@6.1.7

Patch Changes

#16027 c62516b Thanks @fkatsuhiro! - Fixes a bug where remote image dimensions were not validated during static builds on Netlify.

#16311 94048f2 Thanks @Arecsu! - Fixes --port flag being ignored after a Vite-triggered server restart (e.g. when a .env file changes)

#16316 0fcd04c Thanks @ematipico! - Fixes the /_image endpoint accepting an arbitrary f=svg query parameter and serving non-SVG content as image/svg+xml. The endpoint now validates that the source is actually SVG before honoring f=svg, matching the same guard already enforced on the <Image> component path.

astro@6.1.6

Patch Changes

#16202 b5c2fba Thanks @matthewp! - Fixes Actions failing with ActionsWithoutServerOutputError when using output: 'static' with an adapter

#16303 b06eabf Thanks @matthewp! - Improves handling of special characters in inline <script> content

#14924 bb4586a Thanks @aralroca! - Fixes SCSS and CSS module file changes triggering a full page reload instead of hot-updating styles in place during development

astro@6.1.5

Patch Changes

#16171 5bcd03c Thanks @Desel72! - Fixes a build error that occurred when a pre-rendered page used the <Picture> component and another page called render() on content collection entries.

#16239 7c65c04 Thanks @dataCenter430! - Fixes sync content inside <Fragment> not streaming to the browser until all async sibling expressions have resolved.

#16242 686c312 Thanks @martrapp! - Revives UnoCSS in dev mode when used with the client router.

This change partly reverts #16089, which in hindsight turned out to be too general. Instead of automatically persisting all style sheets, we now do this only for styles from Vue components.

#16192 79d86b8 Thanks @alexanderniebuhr! - Uses today’s date for Cloudflare compatibility_date in astro add cloudflare

... (truncated)

Changelog

Sourced from astro's changelog.

6.1.8

Patch Changes

#16367 a6866a7 Thanks @ematipico! - Fixes an issue where build output files could contain special characters (!, ~, {, }) in their names, causing deploy failures on platforms like Netlify.

#16381 217c5b3 Thanks @ematipico! - Slightly improved the performance of the dev server by caching the internal crawling of the dependencies of a project.

#16348 7d26cd7 Thanks @ocavue! - Fixes a bug where emitted assets during a client build would contain always fresh, new hashes in their name. Now the build should be more stable.

#16317 d012bfe Thanks @das-peter! - Fixes a bug where allowedDomains weren't correctly propagated when using the development server.

#16379 5a84551 Thanks @martrapp! - Improves Vue scoped style handling in DEV mode during client router navigation.

#16317 d012bfe Thanks @das-peter! - Adds tests to verify settings are properly propagated when using the development server.

#16282 5b0fdaa Thanks @jmurty! - Fixes build errors on platforms with skew protection enabled (e.g. Vercel, Netlify) for inter-chunk Javascript using dynamic imports

Updated dependencies [e0b240e]:

@astrojs/telemetry@3.3.1

6.1.7

Patch Changes

#16027 c62516b Thanks @fkatsuhiro! - Fixes a bug where remote image dimensions were not validated during static builds on Netlify.

#16311 94048f2 Thanks @Arecsu! - Fixes --port flag being ignored after a Vite-triggered server restart (e.g. when a .env file changes)

#16316 0fcd04c Thanks @ematipico! - Fixes the /_image endpoint accepting an arbitrary f=svg query parameter and serving non-SVG content as image/svg+xml. The endpoint now validates that the source is actually SVG before honoring f=svg, matching the same guard already enforced on the <Image> component path.

6.1.6

Patch Changes

#16202 b5c2fba Thanks @matthewp! - Fixes Actions failing with ActionsWithoutServerOutputError when using output: 'static' with an adapter

#16303 b06eabf Thanks @matthewp! - Improves handling of special characters in inline <script> content

#14924 bb4586a Thanks @aralroca! - Fixes SCSS and CSS module file changes triggering a full page reload instead of hot-updating styles in place during development

6.1.5

Patch Changes

#16171 5bcd03c Thanks @Desel72! - Fixes a build error that occurred when a pre-rendered page used the <Picture> component and another page called render() on content collection entries.

#16239 7c65c04 Thanks @dataCenter430! - Fixes sync content inside <Fragment> not streaming to the browser until all async sibling expressions have resolved.

#16242 686c312 Thanks @martrapp! - Revives UnoCSS in dev mode when used with the client router.

... (truncated)

Commits

63c5c85 [ci] release (#16356)
71c93ca [ci] format
5a84551 Improves Vue scoped style handling in DEV mode during client router navigatio...
ba2dbf1 refactor(astro): correct Fixture type signatures in test-utils (#16380)
217c5b3 perf(core): cache crawl result (#16381)
6e5bc17 chore: absorb tests into others (#16365)
dc8a01d chore: reduce fixtures by merging them (#16364)
bb0ff91 refactor(astro): migrate error tests to typescript (#16377)
a6866a7 fix(core): clean chunk name (#16367)
811015d chore: remove lone fixtures (#16363)
Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

fix: exception when glob pattern contains constructor by @Jason3S in micromatch/picomatch#144

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Changelogs are for humans, not machines.

There should be an entry for every single version.

The same types of changes should be grouped.

Versions and sections should be linkable.

The latest version comes first.

The release date of each versions is displayed.

Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

Added for new features.

Changed for changes in existing functionality.

Deprecated for soon-to-be removed features.

Removed for now removed features.

Fixed for any bug fixes.

Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Fix bad text values in parse #126, thanks to @connor4312

Changed

Remove process global to work outside of node #129, thanks to @styfle

Add sideEffects to package.json #128, thanks to @frandiox

Removed os, make compatible browser environment. See #124, thanks to @gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

81cba8d Publish 2.3.2
fc1f6b6 Merge commit from fork
eec17ae Merge commit from fork
78f8ca4 Merge pull request #156 from micromatch/backport-144
3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
See full diff in compare view

Updates defu from 6.1.4 to 6.1.7

Release notes

Sourced from defu's releases.

v6.1.7

compare changes

📦 Build

Correct the types export entry (#160)

Export Defu types (#157)

❤️ Contributors

Jakub Michálek (@J-Michalek)

Kricsleo (@kricsleo)

v6.1.6

compare changes

📦 Build

Fix mixed types (407b516)

v6.1.5

compare changes

🩹 Fixes

Prevent prototype pollution via __proto__ in defaults (#156)

Ignore inherited enumerable properties (11ba022)

✅ Tests

Add more tests for plain objects (b65f603)

❤️ Contributors

Pooya Parsa (@pi0)

Kricsleo (@kricsleo)

Changelog

Sourced from defu's changelog.

v6.1.7

compare changes

🩹 Fixes

defu.d.cts: Export Defu types (#157)

📦 Build

Correct the types export entry (#160)

❤️ Contributors

Jakub Michálek (@J-Michalek)

Kricsleo (@kricsleo)

v6.1.6

compare changes

📦 Build

Fix mixed types (407b516)

❤️ Contributors

Pooya Parsa (@pi0)

v6.1.5

compare changes

🩹 Fixes

Prevent prototype pollution via __proto__ in defaults (#156)

Ignore inherited enumerable properties (11ba022)

🏡 Chore

Add tea.yaml (70cffe5)

Update repo (23cc432)

Fix typecheck (89df6bb)

✅ Tests

Add more tests for plain objects (b65f603)

🤖 CI

... (truncated)

Commits

80c0146 chore(release): v6.1.7
40d7ef4 fix(defu.d.cts): export Defu types (#157)
3d3a7c8 build: correct the types export entry (#160)
001c290 chore(release): v6.1.6
407b516 build: fix mixed types
23e59e6 chore(release): v6.1.5
11ba022 fix: ignore inherited enumerable properties
3942bfb fix: prevent prototype pollution via __proto__ in defaults (#156)
d3ef16d chore(deps): update actions/checkout action to v6 (#151)
869a053 chore(deps): update actions/setup-node action to v6 (#149)
Additional commits viewable in compare view

Updates devalue from 5.6.3 to 5.7.1

Release notes

Sourced from devalue's releases.

v5.7.1

Patch Changes

8becc7c: fix: handle regexes consistently in uneval's value and reference formats

v5.7.0

Minor Changes

df2e284: feat: use native alternatives to encode/decode base64

498656e: feat: add DataView support

a210130: feat: whitelist Float16Array

df2e284: feat: simplify TypedArray slices

Patch Changes

5590634: fix: get uneval type handling up to parity with stringify

57f73fc: fix: correctly support boxed bigints and sentinel values

v5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

Changelog

Sourced from devalue's changelog.

5.7.1

Patch Changes

8becc7c: fix: handle regexes consistently in uneval's value and reference formats

5.7.0

Minor Changes

df2e284: feat: use native alternatives to encode/decode base64

498656e: feat: add DataView support

a210130: feat: whitelist Float16Array

df2e284: feat: simplify TypedArray slices

Patch Changes

5590634: fix: get uneval type handling up to parity with stringify

57f73fc: fix: correctly support boxed bigints and sentinel values

5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

Commits

6eb920a Version Packages (#146)
8becc7c fix: handle regexes consistently in uneval's value and reference formats (#145)
2eee2e4 Version Packages (#144)
498656e DataView support (#143)
5590634 Improve platform types support (#142)
57f73fc fix: support boxed bigints and sentinel values (#141)
baec4cb Add prettier configuration (#140)
a210130 feat: whitelist Float16Array (#137)
df2e284 feat: use native alternatives to encode/decode base64 (#136)
26b7c8d chore: add simple benchmarks (#135)
Additional commits viewable in compare view

Updates h3 from 1.15.5 to 1.15.11

Release notes

Sourced from h3's releases.

v1.15.11

compare changes

🏡 Chore

Update defu to 6.1.6 (6125485)

Update deps (4998dd8)

Update cookie-es (d166186)

v1.15.10

compare changes

🩹 Fixes

Preserve percent-encoded req.url in app event handler (#1355)

❤️ Contributors

Sergio Azócar (@sergioazoc)

v1.15.9

compare changes

🩹 Fixes

Preserve %25 in pathname (1103df6)

static: Prevent path traversal via double-encoded dot segments (%252e%252e) (c56683d)

sse: Sanitize carriage returns in event stream data and comments (ba3c3fe)

v1.15.8

compare changes

🩹 Fixes

Preserve %25 in pathname (1103df6)

v1.15.7

compare changes

🩹 Fixes

static: Narrow path traversal check to match .. as a path segment only (c049dc0)

app: Decode percent-encoded path segments to prevent auth bypass (313ea52)

💅 Refactors

Remove implicit event handler conversion warning (#1340)

❤️ Contributors

... (truncated)

Changelog

Sourced from h3's changelog.

v1.15.11

compare changes

🏡 Chore

Update defu to 6.1.6 (6125485)

Update deps (4998dd8)

Update cookie-es (d166186)

❤️ Contributors

Pooya Parsa (@pi0)

v1.15.10

compare changes

🩹 Fixes

Preserve percent-encoded req.url in app event handler (#1355)

🏡 Chore

Update deps (26fec6f)

❤️ Contributors

Pooya Parsa (@pi0)

Sergio Azócar (@sergioazoc)

v1.15.9

compare changes

🩹 Fixes

Preserve %25 in pathname (1103df6)

static: Prevent path traversal via double-encoded dot segments (%252e%252e) (c56683d)

sse: Sanitize carriage returns in event stream data and comments (ba3c3fe)

🏡 Chore

release: V1.15.8 (e3b9c9e)

Update deps (23045df)

❤️ Contributors

Pooya Parsa (@pi0)

... (truncated)

Commits

7b9f41f chore(release): v1.15.11
d166186 chore: update cookie-es
4998dd8 chore: update deps
6125485 chore: update defu to 6.1.6
b72bb57 chore(release): v1.15.10
d8ef318 remove resolutions for h3
26fec6f chore: update deps
51ca9b3 fix: preserve percent-encoded req.url in app event handler (#1355)
4e8d43a chore(release): v1.15.9
23045df chore: update deps
Additional commits viewable in compare view

Updates rollup from 4.57.0 to 4.60.2

Release notes

Sourced from rollup's releases.

v4.60.2

4.60.2

2026-04-18

Bug Fixes

Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

#6327: docs: fix various typos in source and documentation (@Abhi3975, @lukastaegert)

#6331: fix(deps): update minor/patch updates (@renovate[bot])

#6332: chore(deps): update codecov/codecov-action action to v6 (@renovate[bot])

#6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@renovate[bot])

#6334: fix(deps): update rust crate swc_compiler_base to v51 (@renovate[bot])

#6335: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6346: fix(deps): update minor/patch updates (@renovate[bot])

#6347: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6348: fix(deps): update swc monorepo (major) (@renovate[bot], @lukastaegert)

#6349: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6350: fix: reset variable render names between outputs in the same generate (@barry3406, @lukastaegert)

#6351: chore(deps): update minor/patch updates (@renovate[bot])

#6352: chore(deps): update cross-platform-actions/action action to v1 (@renovate[bot])

#6353: chore(deps): update dependency lru-cache to v11 (@renovate[bot], @lukastaegert)

#6354: chore(deps): lock file maintenance (@renovate[bot])

#6355: chore(deps): lock file maintenance (@renovate[bot])

#6356: chore(deps): lock file maintenance (@renovate[bot])

#6358: chore: remove cross-env from devDeps (@K-tecchan)

v4.60.1

4.60.1

2026-03-30

Bug Fixes

Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

#6286: fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274) (@littlegrayss, @TrickyPi)

#6317: chore(deps): pin dependencies (@renovate[bot], @lukastaegert)

#6318: chore(deps): update msys2/setup-msys2 digest to cafece8 (@renovate[bot], @lukastaegert)

#6319: chore(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6320: chore(deps): pin dependency typescript to v5 (@renovate[bot], @lukastaegert)

#6321: chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (@renovate[bot], @lukastaegert)

#6322: fix(deps): update swc monorepo (major) (@renovate[bot], @lukastaegert)

#6323: chore(deps): lock file maintenance (@renovate[bot])

#6324: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.2

2026-04-18

Bug Fixes

Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

#6327: docs: fix various typos in source and documentation (@Abhi3975, @lukastaegert)

#6331: fix(deps): update minor/patch updates (@renovate[bot])

#6332: chore(deps): update codecov/codecov-action action to v6 (@renovate[bot])

#6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@renovate[bot])

#6334: fix(deps): update rust crate swc_compiler_base to v51 (@renovate[bot])

#6335: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6346: fix(deps): update minor/patch updates (@renovate[bot])

#6347: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6348: fix(deps): update swc monorepo (major) (@renovate[bot], @lukastaegert)

#6349: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6350: fix: reset variable render names between outputs in the same generate (@barry3406, @lukastaegert)

#6351: chore(deps): update minor/patch updates (@renovate[bot])

#6352: chore(deps): update cross-platform-actions/action action to v1 (@renovate[bot])

#6353: chore(deps): update dependency lru-cache to v11 (@renovate[bot], @lukastaegert)

#6354: chore(deps): lock file maintenance (@renovate[bot])

#6355: chore(deps): lock file maintenance (@renovate[bot])

#6356: chore(deps): lock file maintenance (@renovate[bot])

#6358: chore: remove cross-env from devDeps (@K-tecchan)

4.60.1

2026-03-30

Bug Fixes

Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

#6286: fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274) (@littlegrayss, @TrickyPi)

#6317: chore(deps): pin dependencies (@renovate[bot], @lukastaegert)

#6318: chore(deps): update msys2/setup-msys2 digest to cafece8 (@renovate[bot], @lukastaegert)

#6319: chore(deps): update minor/patch updates (

… updates Bumps the npm_and_yarn group with 2 updates in the / directory: [lodash](https://github.com/lodash/lodash) and [yaml](https://github.com/eemeli/yaml). Bumps the npm_and_yarn group with 6 updates in the /website directory: | Package | From | To | | --- | --- | --- | | [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) | `5.16.15` | `6.1.8` | | [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` | | [defu](https://github.com/unjs/defu) | `6.1.4` | `6.1.7` | | [devalue](https://github.com/sveltejs/devalue) | `5.6.3` | `5.7.1` | | [h3](https://github.com/h3js/h3) | `1.15.5` | `1.15.11` | | [rollup](https://github.com/rollup/rollup) | `4.57.0` | `4.60.2` | Updates `lodash` from 4.17.21 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.18.1) Updates `yaml` from 2.8.1 to 2.8.3 - [Release notes](https://github.com/eemeli/yaml/releases) - [Commits](eemeli/yaml@v2.8.1...v2.8.3) Updates `astro` from 5.16.15 to 6.1.8 - [Release notes](https://github.com/withastro/astro/releases) - [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md) - [Commits](https://github.com/withastro/astro/commits/astro@6.1.8/packages/astro) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) Updates `defu` from 6.1.4 to 6.1.7 - [Release notes](https://github.com/unjs/defu/releases) - [Changelog](https://github.com/unjs/defu/blob/main/CHANGELOG.md) - [Commits](unjs/defu@v6.1.4...v6.1.7) Updates `devalue` from 5.6.3 to 5.7.1 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.3...v5.7.1) Updates `h3` from 1.15.5 to 1.15.11 - [Release notes](https://github.com/h3js/h3/releases) - [Changelog](https://github.com/h3js/h3/blob/v1.15.11/CHANGELOG.md) - [Commits](h3js/h3@v1.15.5...v1.15.11) Updates `rollup` from 4.57.0 to 4.60.2 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.57.0...v4.60.2) Updates `smol-toml` from 1.6.0 to 1.6.1 - [Release notes](https://github.com/squirrelchat/smol-toml/releases) - [Commits](squirrelchat/smol-toml@v1.6.0...v1.6.1) Updates `svgo` from 4.0.0 to 4.0.1 - [Release notes](https://github.com/svg/svgo/releases) - [Commits](svg/svgo@v4.0.0...v4.0.1) Updates `vite` from 6.4.1 to 7.3.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: yaml dependency-version: 2.8.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: astro dependency-version: 6.1.8 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: defu dependency-version: 6.1.7 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.7.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: h3 dependency-version: 1.15.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.60.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: smol-toml dependency-version: 1.6.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: svgo dependency-version: 4.0.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 7.3.2 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions

⚠️ This PR targets main, but PRs should target staged.

The main branch is auto-published from staged and should not receive direct PRs.
Please close this PR and re-open it against the staged branch.

You can change the base branch using the Edit button at the top of this PR,
or run: gh pr edit 1465 --base staged

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 21, 2026

dependabot Bot requested a review from aaronpowell as a code owner April 21, 2026 22:20

github-actions Bot requested changes Apr 21, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the npm_and_yarn group across 2 directories with 11 updates#1465

build(deps): bump the npm_and_yarn group across 2 directories with 11 updates#1465
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-537517e580

dependabot Bot commented on behalf of github Apr 21, 2026

Uh oh!

github-actions Bot left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Apr 21, 2026

4.18.1

Bugs

4.18.0

v4.18.0

Security

Docs

lodash.* modular packages

v2.8.3

v2.8.2

astro@6.1.8

Patch Changes

astro@6.1.7

Patch Changes

astro@6.1.6

Patch Changes

astro@6.1.5

Patch Changes

6.1.8

Patch Changes

6.1.7

Patch Changes

6.1.6

Patch Changes

6.1.5

Patch Changes

2.3.2

What's Changed

Release history

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

v6.1.7

📦 Build

❤️ Contributors

v6.1.6

📦 Build

v6.1.5

🩹 Fixes

✅ Tests

❤️ Contributors

v6.1.7

🩹 Fixes

📦 Build

❤️ Contributors

v6.1.6

📦 Build

❤️ Contributors

v6.1.5

🩹 Fixes

🏡 Chore

✅ Tests

🤖 CI

v5.7.1

Patch Changes

v5.7.0

Minor Changes

Patch Changes

v5.6.4

Patch Changes

5.7.1

Patch Changes

5.7.0

Minor Changes

Patch Changes

5.6.4

Patch Changes

v1.15.11

🏡 Chore

v1.15.10

🩹 Fixes

❤️ Contributors

v1.15.9

🩹 Fixes

v1.15.8

🩹 Fixes

v1.15.7

`lodash.*` modular packages