Skip to content

chore(deps): bump the production group across 1 directory with 9 updates#83

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/production-d096b39135
Open

chore(deps): bump the production group across 1 directory with 9 updates#83
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/production-d096b39135

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 14, 2026

Copy link
Copy Markdown
Contributor

Bumps the production group with 9 updates in the / directory:

Package From To
ws 8.20.1 8.21.0
@fastify/cors 11.2.0 11.3.0
@fastify/helmet 13.0.2 13.1.0
@fastify/static 9.1.3 10.1.0
fastify 5.8.5 5.10.0
ioredis 5.10.1 5.11.1
i18next 26.2.0 26.3.6
react-i18next 17.0.8 17.0.9
react-router-dom 7.15.1 7.18.1

Updates ws from 8.20.1 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

Commits

Updates @fastify/cors from 11.2.0 to 11.3.0

Release notes

Sourced from @​fastify/cors's releases.

v11.3.0

What's Changed

New Contributors

Full Changelog: fastify/fastify-cors@v11.2.0...v11.3.0

Commits
  • 2c60caa Bumped v11.3.0
  • cf4986e chore: bump @​types/node in the dev-dependencies-typescript group (#411)
  • 816d054 test: remove remaining tap-style assertions from vary tests (#410)
  • 20507ea chore(package.json): fix delvedor's personal url (#409)
  • 6fe85c4 docs(readme): update request origin link (#408)
  • 57bdc65 chore: bump fastify-plugin from 5.1.0 to 6.0.0 in the dependencies group (#407)
  • a8ae57d chore: update depedabot setting
  • 4d34798 chore(.gitattributes): retain binary file eol style (#402)
  • 675ebef refactor(types): migrate from tsd to tstyche (#403)
  • ef25e0b ci: add lock-threads workflow (#401)
  • Additional commits viewable in compare view

Updates @fastify/helmet from 13.0.2 to 13.1.0

Release notes

Sourced from @​fastify/helmet's releases.

v13.1.0

What's Changed

New Contributors

Full Changelog: fastify/fastify-helmet@v13.0.2...v13.1.0

Commits
  • 33d89a3 Bumped v13.1.0
  • 6a7ecf2 docs: fix broken links (#314)
  • 1e0ccb7 chore: bump @​types/node in the dev-dependencies-typescript group (#315)
  • 51d6e89 chore(package.json): fix delvedor's personal url
  • 6ac42ed chore: bump fastify-plugin from 5.1.0 to 6.0.0 in the dependencies group (#312)
  • 9eb465c chore: update depedabot setting
  • 6f506da refactor(types): migrate from tsd to tstyche (#307)
  • 0c3d73d ci: add lock-threads workflow (#306)
  • 8ae7182 build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#303)
  • 307b579 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#304)
  • Additional commits viewable in compare view

Updates @fastify/static from 9.1.3 to 10.1.0

Release notes

Sourced from @​fastify/static's releases.

v10.1.0

What's Changed

New Contributors

Full Changelog: fastify/fastify-static@v10.0.0...v10.1.0

v10.0.0

Breaking Changes

  • setHeaders now using FastifyReply instead of Response.

You should refactor your code to use the reply helpers. For example,

// Before
const fastify = require('fastify')({logger: true})
const path = require('node:path')
fastify.register(require('@​fastify/static'), {
root: path.join(__dirname, 'public'),
prefix: '/public/', // optional: default '/',
setHeaders(res) {
res.setHeader('X-Test', 'Foo')
}
})
// After
const fastify = require('fastify')({logger: true})
const path = require('node:path')
fastify.register(require('@​fastify/static'), {
root: path.join(__dirname, 'public'),
prefix: '/public/', // optional: default '/',
setHeaders(reply) {
reply.header('X-Test', 'Foo')
}
})

What's Changed

New Contributors

Full Changelog: fastify/fastify-static@v9.3.0...v10.0.0

... (truncated)

Commits
  • 36c939d Bumped v10.1.0
  • 7c1121a feat: use @fastify/error for errors and add option suppressWarning (#599)
  • c57d8bc fix: set Vary: Accept-Encoding for preCompressed responses (#586)
  • babf6df Bumped v10.0.0
  • 08ed461 fix!: allow setHeaders to override send headers (#598)
  • 99f0193 fix: ignore unsupported deflate for precompressed assets (#596)
  • a6e5f4d chore!: bump content-disposition fom 1.0.1 to 2.0.1 (#597)
  • ad05a27 Bumped v9.3.0
  • 58811db chore: update fastify-plugin dependency to version 6.0.0 (#594)
  • a343813 Bumped v9.2.0
  • Additional commits viewable in compare view

Updates fastify from 5.8.5 to 5.10.0

Release notes

Sourced from fastify's releases.

v5.10.0

What's Changed

New Contributors

Full Changelog: fastify/fastify@v5.9.0...v5.10.0

v5.9.0

What's Changed

... (truncated)

Commits
  • 94bcbcc Bumped v5.10.0
  • c47975e docs: Update import for page consistency (#6771)
  • 82952b8 docs: Logging.md with per-route log level info (#6627)
  • 6ac2e95 fix: derive request.port from request.host (#6680)
  • 5f4871f perf: reduce per-request overhead in the request lifecycle (#6831)
  • ec4bc66 chore: Bump fast-json-stringify to v7 (#6800)
  • d0b649d docs: fix incorrect hook count in Hooks.md (eight -> ten) (#6825)
  • 826c807 docs: fix incorrect defaults and code examples in Server.md (#6805)
  • 6f63ce9 fix: use ContentType to detect json and charset in reply.send (#6830)
  • 75d74e1 feat: introduce log controller layer (#6580)
  • Additional commits viewable in compare view

Updates ioredis from 5.10.1 to 5.11.1

Release notes

Sourced from ioredis's releases.

v5.11.1

5.11.1 (2026-06-04)

Bug Fixes

  • cluster: reconnect to nodes that restart without slot changes (#2096) (c84b2ee)
  • parse protocol-relative Redis URLs as TCP connections (#2125) (131ee24)

v5.11.0

5.11.0 (2026-05-26)

Bug Fixes

Features

Changelog

Sourced from ioredis's changelog.

5.11.1 (2026-06-04)

Bug Fixes

  • cluster: reconnect to nodes that restart without slot changes (#2096) (c84b2ee)
  • parse protocol-relative Redis URLs as TCP connections (#2125) (131ee24)

5.11.0 (2026-05-26)

Bug Fixes

Features

Commits
  • fb224a7 chore(release): 5.11.1 [skip ci]
  • 131ee24 fix: parse protocol-relative Redis URLs as TCP connections (#2125)
  • c84b2ee fix(cluster): reconnect to nodes that restart without slot changes (#2096)
  • 1490432 chore(release): 5.11.0 [skip ci]
  • 5359d4d refactor(utils): inline defaults and isArguments helpers (#2107)
  • b7b3def feat: add vector set command support (#2116)
  • faa53fd ci: update Node.js and Redis test matrix (#2119)
  • 37d0695 feat: add increx command (#2115)
  • 612ee9d chore: update Redis 8.8 test image to custom (#2118)
  • baf68d6 feat: add array commands, typings and tests (#2114)
  • Additional commits viewable in compare view

Updates i18next from 26.2.0 to 26.3.6

Release notes

Sourced from i18next's releases.

v26.3.6

  • fix: allow TypeScript 7 in the optional typescript peer dependency range (^5 || ^6 || ^7). With typescript@7.0.2 in a project, npm install failed with an ERESOLVE peer conflict. The published types are TS7-compatible as-is: every test/typescript suite produces identical results under 6.0 and 7.0.2. Reported in react-i18next#1927, thanks @​andikapradanaarif.

v26.3.5

  • fix: $t() nesting options blocks that span multiple lines are now parsed. nest() decided where the nested key ends by testing match[1] with /{.*}/, whose dot does not cross line breaks — so a $t(key, { ... }) options object containing a newline was treated as having no options, mis-split as formatters, and the nested lookup ran without its options (placeholders stayed unresolved). The nesting regexp itself already matches newlines inside $t(...); adding the s (dotAll) flag makes multiline options behave like the single-line form. Thanks @​spokodev (#2440).
  • fix: getUsedParamsDetails (the returnDetails: true path) no longer mutates the passed replace object. It wrote count straight onto options.replace so the returned usedParams would include it — a caller reusing one replace object across t() calls then carried a stale count into later interpolations (e.g. a previous call's count: 5 rendered instead of the current call's value). The details are now built from a copy; usedParams still includes count. Thanks @​spokodev (#2441).
  • fix: with the default skipOnVariables: true + escapeValue: true, a {{placeholder}} carried inside an interpolated value now stays literal even when the value contains escapable characters. The skip logic advanced the regex lastIndex by the raw value length, but the escaped text written into the string is longer, so lastIndex landed inside the inserted value and a trailing {{placeholder}} in it got interpolated — leaking another in-scope variable that should have stayed literal (values without escapable characters were already skipped correctly). The advance now uses the escaped length that is actually written, and the regex-safe $-doubling is applied only at the String.replace call so it can't distort the length arithmetic. Thanks @​spokodev (#2442).

v26.3.4

  • fix(security): deepExtend (used by addResourceBundle(..., deep, overwrite)) no longer recurses into inherited properties. It checked key existence with the in operator, which walks the prototype chain, so a source key matching an inherited built-in (e.g. hasOwnProperty, toString) caused recursion into the shared Object.prototype function and, with overwrite: true, could overwrite e.g. Object.prototype.hasOwnProperty.call with a non-callable value — corrupting a shared built-in process-wide (DoS). Existence is now checked with Object.prototype.hasOwnProperty.call, so such keys are copied as plain own data instead. This complements the existing __proto__/constructor guard and is also strictly more correct for an own-property merge. Only affects applications that pass attacker-controlled data with deep: true and overwrite: true; no standard backend/integration does this. Distinct from CVE-2026-48713 / CVE-2026-48714 (different packages, setPath mechanism). Thanks to zx (Jace) for the responsible disclosure.

v26.3.3

  • fix(types): selector t($ => $.arr, { returnObjects: true, context }) on a JSON array of heterogeneous objects now preserves each element's full shape (e.g. { transKey1: string; transKey2: string }[]) instead of collapsing to a union of partial element types. Two type-level causes: (1) FilterKeys evaluated the whole array element type at once, so keyof (A | B) only saw the keys common to every element — it now distributes over the object union and filters each element independently; (2) when TypeScript merges mismatched array element types it injects phantom optional undefined keys (e.g. transKey1_withContext?: undefined on elements that don't define it), which the context-detection helpers mistook for real context variants — they now skip keys typed as undefined. Also adds a dedicated context + returnObjects: true selector overload using const Fn + ReturnType<Fn>, so Target is no longer collapsed to unknown via ApplyTarget. Resolves Problem 1 of #2398 (Problem 2 was already fixed on master). Thanks @​sauravgupta-dotcom (#2438). Fixes #2398.

v26.3.2

  • fix: chained formatters with a parenthesised option that contains the format separator (e.g. join(separator: ', ')) now work at any position in the chain, not just first. Previously the comma-in-parens reassembly only repaired formats[0], so {{v, uppercase, join(separator: ', ')}} split the join(...) option on the inner comma and never rejoined it, producing corrupt output. Replaced the first-position-only repair with a position-independent pass that re-joins fragments until each open paren closes. Thanks @​spokodev (#2437).

v26.3.1

  • fix(types): t() with a keyPrefix no longer pollutes its return type with sibling keys' values. A regression in 26.3.0 — the [Res] extends [never] guards added to KeysBuilderWithReturnObjects / KeysBuilderWithoutReturnObjects turned the builders into deferred conditional types, so KeyPrefix<Ns> stopped resolving to a literal union and keyPrefix inference widened to the whole namespace. Symptom: useTranslation(ns, { keyPrefix: 'a.b' }) then t('title') would resolve to '<a.b>.title' | '<other.path>.title' | ... instead of just the scoped value. Affected every react-i18next user using keyPrefix. Restored to the eager 26.2.0 form. The same-namespace conflict handling from #2434 still works via _DropConflictKeys at the merge layer (in options.d.ts). Thanks @​aaronrosenthal (#2436).

v26.3.0

  • feat(types): introduce ResourceNamespaceMap — a separate mergeable augmentation surface for namespace resource types, designed for monorepos where multiple packages each want to contribute their own namespaces. Previously, every package had to coordinate on a single CustomTypeOptions.resources declaration (or fall back to typing dependency namespaces as any) because resources is a single property of an interface and TypeScript reports TS2717 when two declarations of the same property disagree. The new interface merges naturally across declare module 'i18next' blocks, so each package can ship its own i18next.d.ts independently. Per-property merge handles same-namespace contributions from multiple packages, and same-key/different-literal conflicts are silently dropped to avoid poisoning t() overload resolution. Fully backwards-compatible — existing CustomTypeOptions.resources augmentations continue to work, and both surfaces can coexist. Scalar options (defaultNS, returnNull, enableSelector, etc.) still belong on CustomTypeOptions. Thanks @​sh3xu (#2434). Fixes #2409.
Changelog

Sourced from i18next's changelog.

26.3.6

  • fix: allow TypeScript 7 in the optional typescript peer dependency range (^5 || ^6 || ^7). With typescript@7.0.2 in a project, npm install failed with an ERESOLVE peer conflict. The published types are TS7-compatible as-is: every test/typescript suite produces identical results under 6.0 and 7.0.2. Reported in react-i18next#1927, thanks @​andikapradanaarif.

26.3.5

  • fix: $t() nesting options blocks that span multiple lines are now parsed. nest() decided where the nested key ends by testing match[1] with /{.*}/, whose dot does not cross line breaks — so a $t(key, { ... }) options object containing a newline was treated as having no options, mis-split as formatters, and the nested lookup ran without its options (placeholders stayed unresolved). The nesting regexp itself already matches newlines inside $t(...); adding the s (dotAll) flag makes multiline options behave like the single-line form. Thanks @​spokodev (#2440).
  • fix: getUsedParamsDetails (the returnDetails: true path) no longer mutates the passed replace object. It wrote count straight onto options.replace so the returned usedParams would include it — a caller reusing one replace object across t() calls then carried a stale count into later interpolations (e.g. a previous call's count: 5 rendered instead of the current call's value). The details are now built from a copy; usedParams still includes count. Thanks @​spokodev (#2441).
  • fix: with the default skipOnVariables: true + escapeValue: true, a {{placeholder}} carried inside an interpolated value now stays literal even when the value contains escapable characters. The skip logic advanced the regex lastIndex by the raw value length, but the escaped text written into the string is longer, so lastIndex landed inside the inserted value and a trailing {{placeholder}} in it got interpolated — leaking another in-scope variable that should have stayed literal (values without escapable characters were already skipped correctly). The advance now uses the escaped length that is actually written, and the regex-safe $-doubling is applied only at the String.replace call so it can't distort the length arithmetic. Thanks @​spokodev (#2442).

26.3.4

  • fix(security): deepExtend (used by addResourceBundle(..., deep, overwrite)) no longer recurses into inherited properties. It checked key existence with the in operator, which walks the prototype chain, so a source key matching an inherited built-in (e.g. hasOwnProperty, toString) caused recursion into the shared Object.prototype function and, with overwrite: true, could overwrite e.g. Object.prototype.hasOwnProperty.call with a non-callable value — corrupting a shared built-in process-wide (DoS). Existence is now checked with Object.prototype.hasOwnProperty.call, so such keys are copied as plain own data instead. This complements the existing __proto__/constructor guard and is also strictly more correct for an own-property merge. Only affects applications that pass attacker-controlled data with deep: true and overwrite: true; no standard backend/integration does this. Distinct from CVE-2026-48713 / CVE-2026-48714 (different packages, setPath mechanism). See advisory GHSA-6jcc-5g8w-32mx, CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H). Thanks to zx (Jace) @​manus-use for the responsible disclosure.

26.3.3

  • fix(types): selector t($ => $.arr, { returnObjects: true, context }) on a JSON array of heterogeneous objects now preserves each element's full shape (e.g. { transKey1: string; transKey2: string }[]) instead of collapsing to a union of partial element types. Two type-level causes: (1) FilterKeys evaluated the whole array element type at once, so keyof (A | B) only saw the keys common to every element — it now distributes over the object union and filters each element independently; (2) when TypeScript merges mismatched array element types it injects phantom optional undefined keys (e.g. transKey1_withContext?: undefined on elements that don't define it), which the context-detection helpers mistook for real context variants — they now skip keys typed as undefined. Also adds a dedicated context + returnObjects: true selector overload using const Fn + ReturnType<Fn>, so Target is no longer collapsed to unknown via ApplyTarget. Resolves Problem 1 of #2398 (Problem 2 was already fixed on master). Thanks @​sauravgupta-dotcom (#2438). Fixes #2398.

26.3.2

  • fix: chained formatters with a parenthesised option that contains the format separator (e.g. join(separator: ', ')) now work at any position in the chain, not just first. Previously the comma-in-parens reassembly only repaired formats[0], so {{v, uppercase, join(separator: ', ')}} split the join(...) option on the inner comma and never rejoined it, producing corrupt output. Replaced the first-position-only repair with a position-independent pass that re-joins fragments until each open paren closes. Thanks @​spokodev (#2437).

26.3.1

  • fix(types): t() with a keyPrefix no longer pollutes its return type with sibling keys' values. A regression in 26.3.0 — the [Res] extends [never] guards added to KeysBuilderWithReturnObjects / KeysBuilderWithoutReturnObjects turned the builders into deferred conditional types, so KeyPrefix<Ns> stopped resolving to a literal union and keyPrefix inference widened to the whole namespace. Symptom: useTranslation(ns, { keyPrefix: 'a.b' }) then t('title') would resolve to '<a.b>.title' | '<other.path>.title' | ... instead of just the scoped value. Affected every react-i18next user using keyPrefix. Restored to the eager 26.2.0 form. The same-namespace conflict handling from #2434 still works via _DropConflictKeys at the merge layer (in options.d.ts). Thanks @​aaronrosenthal (#2436).

26.3.0

  • feat(types): introduce ResourceNamespaceMap — a separate mergeable augmentation surface for namespace resource types, designed for monorepos where multiple packages each want to contribute their own namespaces. Previously, every package had to coordinate on a single CustomTypeOptions.resources declaration (or fall back to typing dependency namespaces as any) because resources is a single property of an interface and TypeScript reports TS2717 when two declarations of the same property disagree. The new interface merges naturally across declare module 'i18next' blocks, so each package can ship its own i18next.d.ts independently. Per-property merge handles same-namespace contributions from multiple packages, and same-key/different-literal conflicts are silently dropped to avoid poisoning t() overload resolution. Fully backwards-compatible — existing CustomTypeOptions.resources augmentations continue to work, and both surfaces can coexist. Scalar options (defaultNS, returnNull, enableSelector, etc.) still belong on CustomTypeOptions. Thanks @​sh3xu (#2434). Fixes #2409.
Commits

Bumps the production group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [ws](https://github.com/websockets/ws) | `8.20.1` | `8.21.0` |
| [@fastify/cors](https://github.com/fastify/fastify-cors) | `11.2.0` | `11.3.0` |
| [@fastify/helmet](https://github.com/fastify/fastify-helmet) | `13.0.2` | `13.1.0` |
| [@fastify/static](https://github.com/fastify/fastify-static) | `9.1.3` | `10.1.0` |
| [fastify](https://github.com/fastify/fastify) | `5.8.5` | `5.10.0` |
| [ioredis](https://github.com/luin/ioredis) | `5.10.1` | `5.11.1` |
| [i18next](https://github.com/i18next/i18next) | `26.2.0` | `26.3.6` |
| [react-i18next](https://github.com/i18next/react-i18next) | `17.0.8` | `17.0.9` |
| [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom) | `7.15.1` | `7.18.1` |



Updates `ws` from 8.20.1 to 8.21.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.20.1...8.21.0)

Updates `@fastify/cors` from 11.2.0 to 11.3.0
- [Release notes](https://github.com/fastify/fastify-cors/releases)
- [Commits](fastify/fastify-cors@v11.2.0...v11.3.0)

Updates `@fastify/helmet` from 13.0.2 to 13.1.0
- [Release notes](https://github.com/fastify/fastify-helmet/releases)
- [Commits](fastify/fastify-helmet@v13.0.2...v13.1.0)

Updates `@fastify/static` from 9.1.3 to 10.1.0
- [Release notes](https://github.com/fastify/fastify-static/releases)
- [Commits](fastify/fastify-static@v9.1.3...v10.1.0)

Updates `fastify` from 5.8.5 to 5.10.0
- [Release notes](https://github.com/fastify/fastify/releases)
- [Commits](fastify/fastify@v5.8.5...v5.10.0)

Updates `ioredis` from 5.10.1 to 5.11.1
- [Release notes](https://github.com/luin/ioredis/releases)
- [Changelog](https://github.com/redis/ioredis/blob/main/CHANGELOG.md)
- [Commits](redis/ioredis@v5.10.1...v5.11.1)

Updates `i18next` from 26.2.0 to 26.3.6
- [Release notes](https://github.com/i18next/i18next/releases)
- [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next@v26.2.0...v26.3.6)

Updates `react-i18next` from 17.0.8 to 17.0.9
- [Changelog](https://github.com/i18next/react-i18next/blob/master/CHANGELOG.md)
- [Commits](i18next/react-i18next@v17.0.8...v17.0.9)

Updates `react-router-dom` from 7.15.1 to 7.18.1
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/react-router-dom@7.18.1/packages/react-router-dom/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router-dom@7.18.1/packages/react-router-dom)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: "@fastify/cors"
  dependency-version: 11.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: "@fastify/helmet"
  dependency-version: 13.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: "@fastify/static"
  dependency-version: 10.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production
- dependency-name: fastify
  dependency-version: 5.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: ioredis
  dependency-version: 5.11.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: i18next
  dependency-version: 26.3.6
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: react-i18next
  dependency-version: 17.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production
- dependency-name: react-router-dom
  dependency-version: 7.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 14, 2026
Comment thread package-lock.json
Comment on lines +3802 to +3822
"node_modules/engine.io/node_modules/ws": {
"version": "8.20.1",
"resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz",
"integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==",
"license": "MIT",
"engines": {
"node": ">=10.0.0"
},
"peerDependencies": {
"bufferutil": "^4.0.1",
"utf-8-validate": ">=5.0.2"
},
"peerDependenciesMeta": {
"bufferutil": {
"optional": true
},
"utf-8-validate": {
"optional": true
}
}
},
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant