Skip to content

chore: bump the npm-patch-minor group with 3 updates#34

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-patch-minor-04bf4ce5e6
Closed

chore: bump the npm-patch-minor group with 3 updates#34
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-patch-minor-04bf4ce5e6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-patch-minor group with 3 updates: i18next, @types/node and vite-plus.

Updates i18next from 26.3.3 to 26.3.4

Release notes

Sourced from i18next's releases.

v26.3.4

  • fix(security): deepExtend (used by addResourceBundle(..., deep, overwrite)) no longer recurses into inherited properties. It checked key existence with the in operator, which walks the prototype chain, so a source key matching an inherited built-in (e.g. hasOwnProperty, toString) caused recursion into the shared Object.prototype function and, with overwrite: true, could overwrite e.g. Object.prototype.hasOwnProperty.call with a non-callable value — corrupting a shared built-in process-wide (DoS). Existence is now checked with Object.prototype.hasOwnProperty.call, so such keys are copied as plain own data instead. This complements the existing __proto__/constructor guard and is also strictly more correct for an own-property merge. Only affects applications that pass attacker-controlled data with deep: true and overwrite: true; no standard backend/integration does this. Distinct from CVE-2026-48713 / CVE-2026-48714 (different packages, setPath mechanism). Thanks to zx (Jace) for the responsible disclosure.
Changelog

Sourced from i18next's changelog.

26.3.4

  • fix(security): deepExtend (used by addResourceBundle(..., deep, overwrite)) no longer recurses into inherited properties. It checked key existence with the in operator, which walks the prototype chain, so a source key matching an inherited built-in (e.g. hasOwnProperty, toString) caused recursion into the shared Object.prototype function and, with overwrite: true, could overwrite e.g. Object.prototype.hasOwnProperty.call with a non-callable value — corrupting a shared built-in process-wide (DoS). Existence is now checked with Object.prototype.hasOwnProperty.call, so such keys are copied as plain own data instead. This complements the existing __proto__/constructor guard and is also strictly more correct for an own-property merge. Only affects applications that pass attacker-controlled data with deep: true and overwrite: true; no standard backend/integration does this. Distinct from CVE-2026-48713 / CVE-2026-48714 (different packages, setPath mechanism). See advisory GHSA-6jcc-5g8w-32mx, CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H). Thanks to zx (Jace) @​manus-use for the responsible disclosure.
Commits

Updates @types/node from 26.0.1 to 26.1.0

Commits

Updates vite-plus from 0.2.1 to 0.2.2

Release notes

Sourced from vite-plus's releases.

vite-plus v0.2.2: Vite+ Beta

Vite+ is now in Beta: stable and ready for production adoption, fully open source under MIT. Read the announcement to see what Vite+ is about and where it is headed: Announcing Vite+ Beta.

On top of the Beta milestone, this release brings cross-version upgrades via vp migrate, an official Docker toolchain image on GHCR, zero-config runner-aware vp build caching, and PGP-verified managed Node.js downloads.

Highlights

  • vp migrate upgrades existing Vite+ projects across versions: previous release notes told users not to run vp migrate for upgrades. It now runs from the global CLI when the local one is older, re-pins vite-plus and the vite -> @voidzero-dev/vite-plus-core alias across dependencies, overrides/resolutions, and catalogs in every workspace package, aligns vitest / @vitest/* by actual usage, and defaults to a version-only upgrade (pass --full to also run the first-time setup bucket: hooks, editor, agent files, lint migration) (#1891), by @​fengmk2
  • Official Vite+ Docker toolchain image: ghcr.io/voidzero-dev/vite-plus bundles vp plus a native build toolchain on debian:bookworm-slim (amd64/arm64, non-root). Since vp provisions the exact Node.js from .node-version, one image builds any project, and a documented multi-stage build copies the resolved Node.js into a small vp-free runtime stage (#1944), by @​fengmk2
  • Zero-config vp build caching via runner-aware Vite: Vite reports its inputs, outputs, and tracked env reads to the vp runner over the new @voidzero-dev/vite-task-client IPC (vite#22453), so vp build caches correctly with no hand-written cache config: outputs are tracked and restored automatically, and a changed VITE_* env var invalidates the cache and is named in the cache-miss message (#1774), by @​wan9chi
  • PGP-verified Node.js downloads: installing a managed Node.js now verifies the release's clearsigned SHASUMS256.txt.asc against the vendored Node.js release keyring (pure Rust, no gpg required) before trusting any checksum, so a tampered archive is rejected before install; unsigned sources (musl builds, custom mirrors) fall back to checksum-only verification (#1848), by @​fengmk2

Features

  • vp check: a check block in vite.config.ts (check.fmt / check.lint) can make plain vp check skip formatting or linting by default, mirroring --no-fmt / --no-lint; standalone vp fmt / vp lint and git hooks are unaffected, and a note: line keeps the config-based skip discoverable (#1981), by @​fengmk2
  • vp env list-remote: highlight installed versions (color, or a * prefix when piped) and label the project-resolved current and global default versions; --json gains installed / current / default fields (#1907), by @​semimikoh
  • vpr ships as a vite-plus package bin, so the vp run shorthand works on clean installs without global PATH shims (Vercel build image, generic CI runners) (#1988), by @​kvnwolf
  • Vite Task: dependsOn can select tasks from dependency packages, e.g. dependsOn: [{ "task": "build", "from": "dependencies" }] (vite-task#479), by @​wan9chi
  • Vite Task: a task's env / untrackedEnv glob patterns support ! negation (e.g. ["VITE_*", "!VITE_SECRET"]) (vite-task#425), and an env-caused cache miss now names the variable inline, e.g. cache miss: env 'NODE_ENV' changed (vite-task#438), by @​wan9chi
  • Upgrade upstream dependencies: vite 8.0.16 -> 8.1.2, rolldown 1.1.1 -> 1.1.4, oxlint 1.70.0 -> 1.72.0, oxfmt 0.55.0 -> 0.57.0, oxlint-tsgolint 0.23.0 -> 0.24.0, and the oxc toolchain 0.136.0 -> 0.138.0 (#1924, #1989, #2000, #2009), by @​voidzero-guard[bot]

Fixes & Enhancements

  • Windows: vp run no longer hangs CI when a node_modules/.bin .cmd shim is routed through PowerShell; the npm/pnpm/yarn .ps1 wrappers read stdin and block forever on a non-TTY pipe, so the PowerShell rewrite is now skipped when stdin is not an interactive terminal (vite-task#491, via #1973), by @​fengmk2
  • Vite Task: the task cache is stored in a per-schema-version directory (e.g. node_modules/.vite/task-cache/v13/), so switching between branches that pin different Vite+ versions no longer fails with Unrecognized database version (vite-task#433), by @​fengmk2
  • Vite Task: env values in cache fingerprints are stored only as SHA-256 digests and env cache-miss details report names without values (vite-task#455); prefix env assignments like PATH=... command now affect executable lookup during planning (vite-task#440); package.json / pnpm-workspace.yaml files with a UTF-8 BOM parse correctly (vite-task#424), by @​wan9chi
  • vp upgrade: run the pinned pnpm with a managed Node.js LTS directly instead of re-entering vp install, so an incompatible session/project/system runtime can no longer make pnpm skip optional native binaries and leave the upgraded CLI broken (#1900), by @​liangmiQwQ
  • Global package installs: each install writes to an immutable packages/<name>#<uuid> prefix that is activated via metadata after npm succeeds, so an interrupted reinstall can no longer leave the active package unavailable (#1906), and stale interrupted-install directories are swept with file-lock protection for concurrent installs (#1945), by @​liangmiQwQ
  • lazyPlugins(): skip plugin factories only while config metadata is being resolved instead of keying off VP_COMMAND, so builds spawned under vp run / vp exec keep the user's plugins and vp format no longer loads them (#1939), by @​fengmk2
  • vp migrate (pnpm): add a direct vite devDep aliased to the core override wherever vite-plus is depended on, so vitest's vite peer binds to @voidzero-dev/vite-plus-core instead of pulling in a second upstream vite that broke the vp test cache (#1933), by @​fengmk2
  • vp pack: bundle @tsdown/exe and @tsdown/css into core so --exe and CSS bundling work without a resolvable top-level tsdown; the native lightningcss becomes an optional peer loaded lazily with an actionable error (#1919), by @​fengmk2
  • vp env: invalidate stale shim resolve cache entries when the project's Node.js version source changes (#1951), by @​jong-kyung
  • Node shim: when the project declares npm via packageManager / devEngines.packageManager, child processes spawned from node resolve the managed npm instead of the Node-bundled one (#1938); vp env which reports bins linked by an intercepted npm install -g (e.g. tsc) instead of "not found" (#1968); bins with uppercase names (e.g. vitePlus) dispatch correctly (#1963), by @​liangmiQwQ
  • vp-setup: pass the configured npm registry to the inner pnpm install so setup works behind custom registries (#1795), by @​daflyinbed
  • Native binding: declare the platform packages' true ABI floor engines.node >=20.0.0 so engine-strict package managers (pnpm) no longer skip the optional native dependency and fail with Cannot find native binding when a consumer's Node floor lands in a product-policy gap (#1993), by @​fengmk2
  • vp create: run git init without creating an initial commit, so commitlint-configured templates no longer reject the hardcoded message and template placeholders are not baked into history (#2008), by @​forehalo
  • vp staged --debug: inline the bundled lint-staged version so debug logging no longer crashes reading a package.json that does not exist in the bundle (#1925), by @​rokuosan
  • Installer: retry downloads truncated mid-body in HttpClient::get_bytes (the platform-tarball path for vp upgrade and the standalone installer) (#1940), and clean up the temp dir when a package-manager install fails instead of leaking .tmpXXXX directories (#1949), by @​shulaoda
  • Windows/msys: normalize backslashes in the env.fish fallback path (#1954), by @​Aalivexy
  • install.ps1: detect the missing VC++ runtime (0xC0000135) and print VC++ Redistributable guidance instead of a generic failure; interactive irm | iex installs keep the shell open (#1962), by @​cheezone
  • vp migrate: preserve comments, key order, and trailing commas in existing .vscode / .zed JSONC configs by patching the original text instead of re-serializing it (#1956), by @​fengmk2
  • Migration: link the git hook warning to the migration guide (#1902), by @​naokihaba
  • vp info / vp view: use package-manager-native commands (pnpm view, bun info, yarn npm info) instead of routing every lookup through npm view (#1895), by @​jong-kyung
  • Correct overused ErrorConfig error types across the codebase (#1934), by @​liangmiQwQ

Refactor

  • vite_install: centralize Yarn v1/berry branching with is_yarn_berry (#1897), by @​jong-kyung

Docs

... (truncated)

Commits
  • 4f7fd0b release: v0.2.2 Vite+ Beta (#2016)
  • 6a5c472 test(snap): pin VP_VERSION to a published version in install fixtures (#2017)
  • 327d23a feat(migrate): upgrade existing Vite+ projects across versions (#1891)
  • 6c3f3b6 feat(cli): expose vpr as a package bin (#1988)
  • 6b7ad80 feat(deps): upgrade upstream dependencies (#2009)
  • 36535c3 fix(create): initialize git without an initial commit (#2008)
  • 1bc8637 feat(deps): upgrade upstream dependencies (#2000)
  • 3d49d4d feat(deps): upgrade upstream dependencies (#1989)
  • 6f7c2be fix(binding): declare native addon engines.node >=20.0.0 (#1993)
  • 914ca11 feat(check): support check.fmt/check.lint in vite.config.ts (#1981)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Summary by cubic

Bumps three dependencies to improve security and build tooling: i18next (security patch), @types/node, and vite-plus for better cache and stability.

  • Dependencies
    • vite-plus 0.2.1 → 0.2.2: improves build cache reliability and CLI stability; no code changes required.
    • i18next 26.3.3 → 26.3.4: security fix in deep merge (deepExtend) to avoid prototype pollution when using addResourceBundle(..., { deep: true, overwrite: true }).
    • @types/node 26.0.1 → 26.1.0: minor type updates; no runtime impact.

Written for commit a5f0707. Summary will update on new commits.

Review in cubic

Bumps the npm-patch-minor group with 3 updates: [i18next](https://github.com/i18next/i18next), [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) and [vite-plus](https://github.com/voidzero-dev/vite-plus/tree/HEAD/packages/cli).


Updates `i18next` from 26.3.3 to 26.3.4
- [Release notes](https://github.com/i18next/i18next/releases)
- [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next@v26.3.3...v26.3.4)

Updates `@types/node` from 26.0.1 to 26.1.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `vite-plus` from 0.2.1 to 0.2.2
- [Release notes](https://github.com/voidzero-dev/vite-plus/releases)
- [Commits](https://github.com/voidzero-dev/vite-plus/commits/v0.2.2/packages/cli)

---
updated-dependencies:
- dependency-name: i18next
  dependency-version: 26.3.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-patch-minor
- dependency-name: "@types/node"
  dependency-version: 26.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-patch-minor
- dependency-name: vite-plus
  dependency-version: 0.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-patch-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 6, 2026
@altaywtf

altaywtf commented Jul 6, 2026

Copy link
Copy Markdown
Member

Superseded by direct dependency-bump commit 5ac05e8, which combines the compatible Dependabot bumps into one verified change.

Verification: vp install, pnpm exec vp run verify.

🤖 AI-assisted via Codex, GPT-5.5, high reasoning

@altaywtf altaywtf closed this Jul 6, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm-patch-minor-04bf4ce5e6 branch July 6, 2026 18:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant