chore(deps): bump the npm-deps group across 1 directory with 7 updates #42

Merged
mroderick merged 1 commit into main from dependabot/npm_and_yarn/npm-deps-2ec1b2fa73 on Jul 1, 2026

Conversation

dependabot[bot] commented on behalf of github on Jun 30, 2026

Bumps the npm-deps group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @hono/node-server | 2.0.5 | 2.0.6 |
| hono | 4.12.26 | 4.12.27 |
| @commitlint/cli | 21.0.2 | 21.1.0 |
| @playwright/test | 1.61.0 | 1.61.1 |
| fallow | 2.101.0 | 2.102.0 |
| globals | 17.6.0 | 17.7.0 |

Updates @hono/node-server from 2.0.5 to 2.0.6

Release notes

Sourced from @hono/node-server's releases.

v2.0.6

What's Changed

Full Changelog: honojs/node-server@v2.0.5...v2.0.6

Commits
  • ff75c61 2.0.6
  • 814720f fix: preserve status and statusText when cloning a Response with live headers...
  • a76209a ci: use npm Staged publishing (#364)
  • 44c365a ci: publish to npm from CI with OIDC trusted publishing and bump np (#361)
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @hono/node-server since your current version.

Updates hono from 4.12.26 to 4.12.27

Release notes

Sourced from hono's releases.

v4.12.27

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc


Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

Commits

Updates @commitlint/cli from 21.0.2 to 21.1.0

Release notes

Sourced from @commitlint/cli's releases.

v21.1.0

21.1.0 (2026-06-23)

Bug Fixes

Features

Docs, chore, etc.

New Contributors

Full Changelog: conventional-changelog/commitlint@v21.0.2...v21.1.0

Changelog

Sourced from @commitlint/cli's changelog.

21.1.0 (2026-06-23)

Features

  • cli: add --default-config flag to lint without a config file (#4805) (7af27ba), closes #3662
Commits

Updates @commitlint/config-conventional from 21.0.2 to 21.2.0

Release notes

Sourced from @commitlint/config-conventional's releases.

v21.2.0

21.2.0 (2026-06-30)

Features

Chore

Full Changelog: conventional-changelog/commitlint@v21.1.0...v21.2.0

v21.1.0

21.1.0 (2026-06-23)

Bug Fixes

Features

Docs, chore, etc.

New Contributors

Full Changelog: conventional-changelog/commitlint@v21.0.2...v21.1.0

Changelog

Sourced from @commitlint/config-conventional's changelog.

21.2.0 (2026-06-30)

Features

  • resolve-extends: resolve pure-ESM presets (conventional-changelog v7/v9/v10) (#4859) (fdb566f)

21.1.0 (2026-06-23)

Note: Version bump only for package @commitlint/config-conventional

Commits

Updates @playwright/test from 1.61.0 to 1.61.1

Release notes

Sourced from @​playwright/test's releases.

v1.61.1

Bug Fixes

  • #41365 [Bug]: Expect.Extend matcher with same name as default matcher in same expect instance overrides default matchers implementation to custom matcher
  • #41351 [Bug]: Playwright UI mode: apiRequestContext._wrapApiCall reports unexpected number of bytes (same test passes in headed mode)
  • #41360 [Bug]: Trace viewer: message times in websockets are downscaled by 1000
  • #41311 [Bug]: [Regression]: Sync loader throws "context.conditions?.includes is not a function" on Node 22.15
  • #41371 [Regression]: Sync ESM loader (registerHooks) fails to resolve extensionless .ts subpath imports across pnpm workspace symlinks
Commits
  • 39e3553 cherry-pick(#41399): fix(test): load require-reached files as commonjs in syn...
  • 4328122 chore: mark v1.61.1 (#41404)
  • 2c29a94 fix(tracing): stop recording websocket frames outside of chunks (#41398)
  • 4324b19 cherry-pick(#41367): fix(test): keep builtin expect matchers on base extend
  • 041e7e3 cherry-pick(#41364): fix(har): WebSocket message timestamps should be in mi...
  • b8a0fc3 cherry-pick(#41309, #43149): Revert "fix(firefox): treat `navigationCommitted...
  • b5a3175 cherry-pick(#41319): fix(loader): support other node versions
  • d4724a9 cherry-pick(#41290): feat(docker): add Ubuntu 26.04 (Resolute Raccoon) image
  • See full diff in compare view

Updates fallow from 2.101.0 to 2.102.0

Release notes

Sourced from fallow's releases.

v2.102.0: code review brief, decision surface, and symbol-level trace

Code review for changed code

This release adds a toolkit for reviewing changed code, designed for both human reviewers and AI agents.

Review brief (fallow review, or fallow audit --brief)

A new advisory orientation mode over changed code. It runs the same dead-code + complexity + duplication analysis as fallow audit but answers "where do I look?" instead of "will CI block this?": it ALWAYS exits 0 (the verdict is carried informationally), so a reviewer or agent can read it regardless of the gate outcome. The brief renders a ranked decision surface, a weighted focus map, and change-impact context. --format is orthogonal to --brief.

Decision surface (fallow decision-surface and the decision_surface MCP tool)

Surfaces the consequential structural decisions a change embeds: a ranked, capped (3 to 5) set of coupling/boundary, public-API/contract, and dependency decisions, each framed as a judgment question with the routed expert to ask. Each decision carries an honest count of how many internal consumers it affects plus an explicit trade-off clause, so the reader sees the cost as well as the call. It is separable and cheap, advisory (always exits 0), and every decision is suppressible with // fallow-ignore. Use --base / --changed-since to pick the comparison point, exactly like fallow audit.

Symbol-level call chains (fallow trace <FILE:SYMBOL>)

Walks callers up (modules that import the symbol) and callees down (import-symbol edges plus intra-module call sites) through the module graph, bounded by --depth (default 2). Use --callers / --callees to scope the direction; both are walked by default. Best-effort and syntactic per ADR-001: resolved-vs-unresolved callees are reported honestly, never silently dropped.

fallow trace src/utils.ts:formatDate

Agent-contract walkthrough loop

For agents that review changed code, fallow audit --walkthrough-guide emits a deterministic digest (the brief, the decision surface, the review direction, the JSON schema the agent must return, and a graph-snapshot hash) built from the graph only, so PR prose is never folded in and the digest is injection-resistant. The agent produces judgment JSON and reopens with --walkthrough-file, which post-validates it against the LIVE graph: it rejects any judgment whose signal_id fallow did not emit (anti-hallucination) and refuses the whole payload as stale when the snapshot hash no longer matches. The verifier is the graph, not a second model. Both flags always exit 0.

A weighted focus map ranks changed units by review weight and collapses the de-prioritized tail by default; --show-deprioritized re-expands it (the deprioritized list is always present in --format json).

Framework health

  • Astro framework-health detection. .astro components now participate in the same health suite as Vue/Svelte/Angular/React: a reachable component rendered in no template surfaces as unrendered-component, an interface Props field read nowhere surfaces as unused-component-prop, and fallow health now scores .astro complexity. A zero-false-positive abstain ladder protects public surfaces. No new rules or severities.
  • Lit / web-component framework-health detection. A custom element registered via @customElement / customElements.define but rendered as a tag in no html template surfaces as unrendered-component, and a @state() reactive property read nowhere surfaces as unused-class-member. @property (the public attribute API) is never flagged. Gated on a lit / lit-element / @lit/reactive-element dependency.
  • Deeper React prop coverage for unused-component-prop. The React arm now harvests props from same-file typed interfaces and generic forwardRef components, not only inline destructure, while still abstaining on imported prop interfaces and exported public-API components.

Editor

  • React component intelligence. The LSP surfaces ambient React/Preact context with no new rule, finding, or severity. A code lens above each component summarizes render count, props, and hooks; a per-prop hover shows where a prop is read and passed from; a forwarded prop shows its forwarding chain. Editor-only context: fallow / audit / --format json output is unchanged.
  • VS Code: clearer tree badges, hardened health spawn, and de-duplicated diagnostics.

Security

  • LLM-call prompt-injection candidate. A new llm-call-injection category (CWE-1427) in the fallow security tainted-sink catalogue. It fires only when an untrusted source flows into the prompt/messages argument of a known LLM-call sink (a taint path into the call, not every LLM call). Like all fallow security output it is a candidate for verification, not a verified vulnerability, and never appears under bare fallow or the audit gate.

Fixed

  • Merged namespace values imported through star barrels are no longer falsely reported as unused. A value export sharing its name with an export declare namespace and consumed through export * now receives the same named-import credit as a direct import. Thanks @TeoVezza95 for the report. (#1373)
  • VS Code now resolves the native fallow binary from platform packages when the binary is reached through a .cmd / .ps1 launcher shim on PATH, so LSP-backed diagnostics start reliably. Thanks @ivan-palatov for the report. (#1359)
  • TanStack Router: custom routeFileIgnorePrefix is honored, so files using a configured ignore prefix are no longer flagged as dead code. Thanks @Spiralis for the report. (#1358)
  • fallow audit base-snapshot worktree paths are unique per call, so concurrent audit runs no longer collide.
  • More precise telemetry failure classification when telemetry is enabled.
  • Vendored GitLab CI now bundles gitlab_common.sh, so fallow ci-template gitlab --vendor pipelines run without reaching out to raw.githubusercontent.com.

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.102.0] - 2026-06-23

Added

  • Code review brief (fallow review, or fallow audit --brief). A new advisory orientation mode over changed code. It runs the same dead-code + complexity + duplication analysis as fallow audit but answers "where do I look?" instead of "will CI block this?": it ALWAYS exits 0 (the verdict is carried informationally), so a reviewer or agent can read it regardless of the gate outcome. The brief renders a ranked decision surface, a weighted focus map, and change-impact context. --format is orthogonal to --brief. fallow review is an alias for fallow audit --brief.

  • fallow decision-surface command and decision_surface MCP tool. Surfaces the consequential structural decisions a change embeds (the apex of the review brief): a ranked, capped (3-5) set of coupling/boundary, public-API/contract, and dependency decisions, each framed as a judgment question with the routed expert to ask. Each decision carries an honest count of how many internal consumers it affects plus an explicit trade-off clause, so the reader sees the cost as well as the call. Separable and cheap, advisory (always exits 0), and every decision is suppressible with // fallow-ignore. Use --base / --changed-since to pick the comparison point, exactly like fallow audit.

  • fallow trace <FILE:SYMBOL> symbol-level call chains. Walks callers UP (modules that import the symbol) and callees DOWN (import-symbol edges plus intra-module call sites) through the module graph, bounded by --depth (default 2). --callers / --callees scope the direction; both are walked by default. Best-effort and syntactic per ADR-001: resolved-vs-unresolved callees are reported honestly, never silently dropped. It is its own surface, never folded into the ranked review brief.

  • Agent-contract walkthrough loop (--walkthrough-guide / --walkthrough-file). --walkthrough-guide emits a deterministic digest (the brief, the decision surface, the review direction, the JSON schema the agent must return, and a graph-snapshot hash) built from the graph only, so PR prose is never folded in and the digest is injection-resistant. --walkthrough-file ingests an agent's judgment JSON and post-validates it against the LIVE graph: it rejects any judgment whose signal_id fallow did not emit (anti-hallucination) and refuses the whole payload as stale when the echoed graph-snapshot hash no longer matches. The verifier is the graph, not a second model. Both imply the brief and always exit 0.

  • Weighted focus map with a de-prioritized escape hatch. The review brief ranks changed units by review weight and collapses the de-prioritized tail by default; --show-deprioritized re-expands the human render. The deprioritized list is always present in --format json regardless of the flag.

  • LLM-call prompt-injection candidate (fallow security). A new llm-call-injection category (CWE-1427) in the tainted-sink catalogue. It fires only when an untrusted source flows into the prompt/messages argument of a known LLM-call sink (a taint PATH into the call, not every LLM call), pinned to the distinctive LLM SDK call shapes. Like all fallow security output it is a CANDIDATE for verification, not a verified vulnerability, and never appears under bare fallow or the audit gate.

... (truncated)

Commits
  • 8a83dc0 chore: release v2.102.0
  • b5e53b5 fix(dead-code): credit merged namespace star re-export values
  • e890fbe chore(deps): bump napi from 3.9.0 to 3.9.2 (#1381)
  • 2238983 chore(deps): bump insta from 1.47.2 to 1.48.0 (#1380)
  • 4059812 chore(deps-dev): bump oxfmt from 0.54.0 to 0.55.0 (#1378)
  • 01e2813 chore(deps): bump rust-lang/crates-io-auth-action from 1.0.4 to 1.0.5 (#1375)
  • eb55b34 chore(deps-dev): bump @tanstack/intent in /npm/fallow (#1376)
  • 7b8c570 chore(deps-dev): bump oxlint from 1.69.0 to 1.70.0 (#1377)
  • e585f05 refactor(review-app): namespace persisted state under fallow-review instead o...
  • 0ffd4ca test(unused-members): cover issue-844 typed-instance crediting at monorepo pa...
  • Additional commits viewable in compare view

Updates globals from 17.6.0 to 17.7.0

Release notes

Sourced from globals's releases.

v17.7.0

  • Update globals (2026-06-22) (#345) 33b75f9

sindresorhus/globals@v17.6.0...v17.7.0

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
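The substring-versus-exact header de-duplication described in the hono/aws-lambda advisory (GHSA-xgm2-5f3f-mvvc) quoted above, as an added JavaScript illustration. This is not hono's code: the event shape is a simplified API Gateway v1 payload and both de-duplication routines are constructed models of the described behaviour.

```javascript
// Added illustration of the hono/aws-lambda defect described in the 4.12.27
// release notes (GHSA-xgm2-5f3f-mvvc). NOT hono's code: the event shape is a
// simplified API Gateway v1 payload and the two de-duplication routines are
// constructed models of "substring" vs "exact-match" behaviour.

// Constructed sample event: API Gateway v1 exposes a repeated header both as
// a single value in `headers` and as the full list in `multiValueHeaders`.
// 203.0.113.1 is the original client, 203.0.113.10 an intermediate proxy.
const sampleEvent = {
  headers: { "x-forwarded-for": "203.0.113.10" },
  multiValueHeaders: { "x-forwarded-for": ["203.0.113.1", "203.0.113.10"] },
};

// Model of the defect: a value counts as "already seen" when it occurs as a
// substring of a value already kept, so 203.0.113.1 vanishes behind
// 203.0.113.10. Note the drop is order dependent: it only happens when the
// longer value is encountered first.
function dedupeBySubstring(values) {
  const kept = [];
  for (const v of values) {
    if (!kept.some((k) => k.includes(v))) kept.push(v);
  }
  return kept;
}

// Model of the fix: only an exact duplicate is dropped, order preserved.
function dedupeExact(values) {
  return [...new Set(values)];
}

// Gather every value of `name` from both views of the event, then
// de-duplicate with the supplied strategy (mirrors what an adapter that
// merges `headers` and `multiValueHeaders` has to do).
function collectHeaderValues(event, name, dedupe) {
  const single = event.headers?.[name];
  const multi = event.multiValueHeaders?.[name] ?? [];
  return dedupe([...(single !== undefined ? [single] : []), ...multi]);
}

// Defender's check: does the address an X-Forwarded-For based restriction
// would consult still appear after the adapter has merged the header?
function clientIpSurvives(event, clientIp, dedupe) {
  return collectHeaderValues(event, "x-forwarded-for", dedupe).includes(clientIp);
}
```

With the constructed event, the substring model yields only `203.0.113.10`, so a restriction keyed on the client address is evaluated against the proxy instead; the exact-match model keeps both values.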

Bumps the npm-deps group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@hono/node-server](https://github.com/honojs/node-server) | `2.0.5` | `2.0.6` |
| [hono](https://github.com/honojs/hono) | `4.12.26` | `4.12.27` |
| [@commitlint/cli](https://github.com/conventional-changelog/commitlint/tree/HEAD/@commitlint/cli) | `21.0.2` | `21.1.0` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.61.0` | `1.61.1` |
| [fallow](https://github.com/fallow-rs/fallow) | `2.101.0` | `2.102.0` |
| [globals](https://github.com/sindresorhus/globals) | `17.6.0` | `17.7.0` |

Updates `@hono/node-server` from 2.0.5 to 2.0.6
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v2.0.5...v2.0.6)

Updates `hono` from 4.12.26 to 4.12.27
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.26...v4.12.27)

Updates `@commitlint/cli` from 21.0.2 to 21.1.0
- [Release notes](https://github.com/conventional-changelog/commitlint/releases)
- [Changelog](https://github.com/conventional-changelog/commitlint/blob/master/@commitlint/cli/CHANGELOG.md)
- [Commits](https://github.com/conventional-changelog/commitlint/commits/v21.1.0/@commitlint/cli)

Updates `@commitlint/config-conventional` from 21.0.2 to 21.2.0
- [Release notes](https://github.com/conventional-changelog/commitlint/releases)
- [Changelog](https://github.com/conventional-changelog/commitlint/blob/master/@commitlint/config-conventional/CHANGELOG.md)
- [Commits](https://github.com/conventional-changelog/commitlint/commits/v21.2.0/@commitlint/config-conventional)

Updates `@playwright/test` from 1.61.0 to 1.61.1
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.61.0...v1.61.1)

Updates `fallow` from 2.101.0 to 2.102.0
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.101.0...v2.102.0)

Updates `globals` from 17.6.0 to 17.7.0
- [Release notes](https://github.com/sindresorhus/globals/releases)
- [Commits](sindresorhus/globals@v17.6.0...v17.7.0)

---
updated-dependencies:
- dependency-name: "@hono/node-server"
  dependency-version: 2.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: hono
  dependency-version: 4.12.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: "@commitlint/cli"
  dependency-version: 21.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: "@commitlint/config-conventional"
  dependency-version: 21.2.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: "@playwright/test"
  dependency-version: 1.61.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: fallow
  dependency-version: 2.102.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: globals
  dependency-version: 17.7.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies and javascript labels on Jun 30, 2026
@mroderick


Dependency Upgrade Review

PR Scope

Dependency-only — only package.json and package-lock.json changed.

| Package | From | To | Risk |
| --- | --- | --- | --- |
| hono | 4.12.26 | 4.12.27 | Low |
| @hono/node-server | 2.0.5 | 2.0.6 | Low |
| @commitlint/cli | 21.0.2 | 21.1.0 | Low |
| @commitlint/config-conventional | 21.0.2 | 21.2.0 | Low |
| @playwright/test | 1.61.0 | 1.61.1 | Low |
| fallow | 2.101.0 | 2.102.0 | Low |
| globals | 17.6.0 | 17.7.0 | Low |

Key: hono v4.12.27

Security patch release — fixes 3 CVEs:

None of the affected modules (hono/jsx, hono/css, hono/aws-lambda) are used in this repo. The fix is backward compatible for core Hono usage.

Other Packages

All patch/minor bumps with no breaking changes affecting this repo. Highlights:

  • @hono/node-server — fixes Response.clone() with live headers
  • @commitlint/cli — new --default-config flag (no breaking changes)
  • @playwright/test — bug fixes for expect.extend, trace viewer, ESM loader
  • fallow — new features (review brief, decision surface, trace)

Verdict

Confidence: High — all upgrades are patch/minor with no breaking changes affecting this repo. The Hono security patch is worth getting in regardless.

@mroderick mroderick left a comment

Approved. See analysis comment above.

@mroderick mroderick merged commit b83278a into main Jul 1, 2026
7 checks passed
@mroderick mroderick deleted the dependabot/npm_and_yarn/npm-deps-2ec1b2fa73 branch July 1, 2026 09:18