chore(deps): bump the npm_and_yarn group across 1 directory with 4 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates in the / directory: path-to-regexp, esbuild, happy-dom and vite.

Updates path-to-regexp from 6.3.0 to 8.0.0

Release notes

Sourced from path-to-regexp's releases.

Simpler API

Heads up! This is a fairly large change (again) and I need to apologize in advance. If I foresaw what this version would have ended up being I would not have released version 7. A longer blog post and explanation will be incoming this week, but the pivot has been due to work on Express.js v5 and this will the finalized syntax used in Express moving forward.

Edit: The post is out - https://blakeembrey.com/posts/2024-09-web-redos/

Added

• Adds key names to wildcards using *name syntax, aligns with : behavior but using an asterisk instead

Changed

• Removes group suffixes of ?, +, and * - only optional exists moving forward (use wildcards for +, {*foo} for *)
• Parameter names follow JS identifier rules and allow unicode characters

Added

• Parameter names can now be quoted, e.g. :"foo-bar"
• Match accepts an array of values, so the signature is now string | TokenData | Array<string | TokenData>

Removed

• Removes loose mode
• Removes regular expression overrides of parameters

pillarjs/path-to-regexp@v7.1.0...v8.0.0

Support array inputs (again)

Added

• Support array inputs for match and pathToRegexp 3fdd88f

pillarjs/path-to-regexp@v7.1.0...v7.2.0

Strict mode

Added

• Adds a strict option to detect potential ReDOS issues

Fixed

• Fixes separator to default to suffix + prefix when not specified
• Allows separator to be undefined in TokenData
  • This is only relevant if you are building TokenData manually, previously parse filled it in automatically

Comments

• I highly recommend enabling strict: true and I'm probably releasing a V8 with it enabled by default ASAP as a necessary security mitigation

pillarjs/path-to-regexp@v7.0.0...v7.1.0

... (truncated)

Commits

• ed1095e 8.0.0
• 60f2121 Rewrite and simplify API
• 74f97b5 Create SECURITY.md
• fb4d11d Remove matches from tests
• 26551ec Code gen smaller and faster regexps
• 0d20b15 Split using a string
• 341f873 Test for double decoding
• 6b7a452 Throw on unmatched closing paren (#286)
• 208cc83 Refactor params to match up to next token
• cbf2c73 Add debug URL to all errors
• Additional commits viewable in compare view

Updates esbuild from 0.15.18 to 0.25.0

Release notes

Sourced from esbuild's releases.

v0.25.0

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.24.0 or ~0.24.0. See npm's documentation about semver for more information.

• Restrict access to esbuild's development server (GHSA-67mh-4wv8-2f99)

  This change addresses esbuild's first security vulnerability report. Previously esbuild set the Access-Control-Allow-Origin header to * to allow esbuild's development server to be flexible in how it's used for development. However, this allows the websites you visit to make HTTP requests to esbuild's local development server, which gives read-only access to your source code if the website were to fetch your source code's specific URL. You can read more information in the report.

  Starting with this release, CORS will now be disabled, and requests will now be denied if the host does not match the one provided to --serve=. The default host is 0.0.0.0, which refers to all of the IP addresses that represent the local machine (e.g. both 127.0.0.1 and 192.168.0.1). If you want to customize anything about esbuild's development server, you can put a proxy in front of esbuild and modify the incoming and/or outgoing requests.

  In addition, the serve() API call has been changed to return an array of hosts instead of a single host string. This makes it possible to determine all of the hosts that esbuild's development server will accept.

  Thanks to @​sapphi-red for reporting this issue.

• Delete output files when a build fails in watch mode (#3643)

  It has been requested for esbuild to delete files when a build fails in watch mode. Previously esbuild left the old files in place, which could cause people to not immediately realize that the most recent build failed. With this release, esbuild will now delete all output files if a rebuild fails. Fixing the build error and triggering another rebuild will restore all output files again.

• Fix correctness issues with the CSS nesting transform (#3620, #3877, #3933, #3997, #4005, #4037, #4038)

  This release fixes the following problems:

  • Naive expansion of CSS nesting can result in an exponential blow-up of generated CSS if each nesting level has multiple selectors. Previously esbuild sometimes collapsed individual nesting levels using :is() to limit expansion. However, this collapsing wasn't correct in some cases, so it has been removed to fix correctness issues.

    /* Original code */
    .parent {
      > .a,
      > .b1 > .b2 {
        color: red;
      }
    }
    /* Old output (with --supported:nesting=false) */
    .parent > :is(.a, .b1 > .b2) {
    color: red;
    }
    /* New output (with --supported:nesting=false) */
    .parent > .a,
    .parent > .b1 > .b2 {
    color: red;
    }

    Thanks to @​tim-we for working on a fix.

  • The & CSS nesting selector can be repeated multiple times to increase CSS specificity. Previously esbuild ignored this possibility and incorrectly considered && to have the same specificity as &. With this release, this should now work correctly:

    /* Original code (color should be red) */

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2022

This changelog documents all esbuild versions published in the year 2022 (versions 0.14.11 through 0.16.12).

0.16.12

• Loader defaults to js for extensionless files (#2776)

  Certain packages contain files without an extension. For example, the yargs package contains the file yargs/yargs which has no extension. Node, Webpack, and Parcel can all understand code that imports yargs/yargs because they assume that the file is JavaScript. However, esbuild was previously unable to understand this code because it relies on the file extension to tell it how to interpret the file. With this release, esbuild will now assume files without an extension are JavaScript files. This can be customized by setting the loader for "" (the empty string, representing files without an extension) to another loader. For example, if you want files without an extension to be treated as CSS instead, you can do that like this:

  • CLI:

    esbuild --bundle --loader:=css
    

  • JS:

    esbuild.build({
      bundle: true,
      loader: { '': 'css' },
    })

  • Go:

    api.Build(api.BuildOptions{
      Bundle: true,
      Loader: map[string]api.Loader{"": api.LoaderCSS},
    })

  In addition, the "type" field in package.json files now only applies to files with an explicit .js, .jsx, .ts, or .tsx extension. Previously it was incorrectly applied by esbuild to all files that had an extension other than .mjs, .mts, .cjs, or .cts including extensionless files. So for example an extensionless file in a "type": "module" package is now treated as CommonJS instead of ESM.

0.16.11

• Avoid a syntax error in the presence of direct eval (#2761)

  The behavior of nested function declarations in JavaScript depends on whether the code is run in strict mode or not. It would be problematic if esbuild preserved nested function declarations in its output because then the behavior would depend on whether the output was run in strict mode or not instead of respecting the strict mode behavior of the original source code. To avoid this, esbuild transforms nested function declarations to preserve the intended behavior of the original source code regardless of whether the output is run in strict mode or not:

  // Original code
  if (true) {
    function foo() {}
    console.log(!!foo)
    foo = null
    console.log(!!foo)
  }

... (truncated)

Commits

• e9174d6 publish 0.25.0 to npm
• c27dbeb fix hosts in plugin-tests.js
• 6794f60 fix hosts in node-unref-tests.js
• de85afd Merge commit from fork
• da1de1b fix #4065: bitwise operators can return bigints
• f4e9d19 switch case liveness: default is always last
• 7aa47c3 fix #4028: minify live/dead switch cases better
• 22ecd30 minify: more constant folding for strict equality
• 4cdf03c fix #4053: reordering of .tsx in node_modules
• dc71977 fix #3692: 0 now picks a random ephemeral port
• Additional commits viewable in compare view

Updates happy-dom from 14.12.3 to 15.10.2

Release notes

Sourced from happy-dom's releases.

v15.10.2

👷‍♂️ Patch fixes

• Fixes a security vulnerability that allowed for server side code to be executed by a <script> tag - By @​capricorn86 in task #1585
  • There was a case that was missed with the first patch

v15.10.1

👷‍♂️ Patch fixes

• Fixes a security vulnerability that allowed for server side code to be executed by a <script> tag - By @​capricorn86 in task #1585

v15.10.0

🎨 Features

• Adds a new setting called disableSameOriginPolicy that makes it possible to bypass the same-origin policy in fetch requests - By @​OlaviSau in task #1553

v15.9.0

🎨 Features

• Adds support for "aspect-ratio" to CSSStyleDeclaration - By @​yinm in task #1147

v15.8.5

👷‍♂️ Patch fixes

• Fixes bug where Node.getRootNode() returned null when it was within a ShadowRoot that previously been disconnected from the Document - By @​capricorn86 in task #1581

v15.8.4

👷‍♂️ Patch fixes

• Fixes bug where child nodes of HTMLSelectElement and HTMLFormElement had the wrong reference to the parent - By @​capricorn86 in task #1578

Commits

• d23834c fix: #1585 Fixes a security vulnerability that allowed for server side code...
• 5ee0b16 fix: #1585 Fixes security vulnerability that allowed for server side code t...
• a20dba9 chore: #1542 Adds SECURITY.md file (#1584)
• 1625d40 feat: #1553 Adds setting disableSameOriginPolicy, to make it possible to by...
• a78cd8f feat: #1147 Adds support for aspect-ratio to CSSStyleDeclaration (#1537)
• e6f8b13 fix: #1581 Fixes bug where Node.getRootNode() returned null when it was wi...
• 38ab960 fix: #1578 Fixes bug where child nodes of HTMLSelectElement and HTMLFormEle...
• 8f74989 fix: #1534 Toggle open attribute on HTMLDetailsElement when dispatching a c...
• 7f57469 fix: #1546 Use globalThis instead of global to make Happy DOM work in o...
• 759b4fb fix: #1538 Always return Promise<Blob> from ClipboardItem.getType() (#1539)
• Additional commits viewable in compare view

Updates vite from 6.3.5 to 7.0.0

Release notes

Sourced from vite's releases.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

v7.0.0

Please refer to CHANGELOG.md for details.

v7.0.0-beta.2

Please refer to CHANGELOG.md for details.

v7.0.0-beta.1

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

v7.0.0-beta.0

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.0.0 (2025-06-24)

Today, we're excited to announce the release of the next Vite major:

• Vite 7.0 announcement blog post
• Docs (translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch, فارسی)
• Migration Guide

⚠ BREAKING CHANGES

• ssr: don't access Object variable in ssr transformed code (#19996)
• remove experimental.skipSsrTransform option (#20038)
• remove HotBroadcaster (#19988)
• css: always use sass compiler API (#19978)
• bump build.target and name it baseline-widely-available (#20007)
• bump required node version to 20.19+, 22.12+ and remove cjs build (#20032)
• css: remove sass legacy API support (#19977)
• remove deprecated HotBroadcaster related types (#19987)
• remove deprecated no-op type only properties (#19985)
• remove node 18 support (#19972)
• remove deprecated hook-level enforce/transform from transformIndexHtml hook (#19349)
• remove deprecated splitVendorChunkPlugin (#19255)

Features

• types: use terser types from terser package (#20274) (a5799fa)
• apply some middlewares before configurePreviewServer hook (#20224) (b989c42)
• apply some middlewares before configureServer hook (#20222) (f5cc4c0)
• add base option to import.meta.glob (#20163) (253d6c6)
• add this.meta.viteVersion (#20088) (f55bf41)
• allow passing down resolved config to vite's createServer (#19894) (c1ae9bd)
• buildApp hook (#19971) (5da659d)
• build: provide names for asset entrypoints (#19912) (c4e01dc)
• bump build.target and name it baseline-widely-available (#20007) (4a8aa82)
• client: support opening fileURL in editor (#20040) (1bde4d2)
• make PluginContext available for Vite-specific hooks (#19936) (7063839)
• resolve environments plugins at config time (#20120) (f6a28d5)
• stabilize css.preprocessorMaxWorkers and default to true (#19992) (70aee13)
• stabilize optimizeDeps.noDiscovery (#19984) (6d2dcb4)

Bug Fixes

• deps: update all non-major dependencies (#20271) (6b64d63)
• keep import.meta.url in bundled Vite (#20235) (3bf3a8a)
• module-runner: export ssrExportNameKey (#20266) (ac302a7)
• module-runner: expose normalizeModuleId (#20277) (9b98dcb)
• deps: update all non-major dependencies (#20181) (d91d4f7)
• deps: update all non-major dependencies (#20212) (a80339b)

... (truncated)

Commits

• eafd28a chore: rearrange 7.0 changelog (#20280)
• b85f322 release: v7.0.0
• 9b98dcb fix(module-runner): expose normalizeModuleId (#20277)
• a5799fa feat(types): use terser types from terser package (#20274)
• f7377c3 chore(deps): update rolldown-related dependencies (#20270)
• 6b64d63 fix(deps): update all non-major dependencies (#20271)
• ac302a7 fix(module-runner): export ssrExportNameKey (#20266)
• b135918 chore: typos in comments (#20259)
• 3f46901 perf(utils): improve performance of numberToPos (#20244)
• 3bf3a8a fix: keep import.meta.url in bundled Vite (#20235)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}