chore(deps): bump the npm_and_yarn group across 1 directory with 4 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates in the / directory: esbuild, cookie, vite and undici.

Updates esbuild from 0.24.2 to 0.25.0

Release notes

Sourced from esbuild's releases.

v0.25.0

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.24.0 or ~0.24.0. See npm's documentation about semver for more information.

• Restrict access to esbuild's development server (GHSA-67mh-4wv8-2f99)

  This change addresses esbuild's first security vulnerability report. Previously esbuild set the Access-Control-Allow-Origin header to * to allow esbuild's development server to be flexible in how it's used for development. However, this allows the websites you visit to make HTTP requests to esbuild's local development server, which gives read-only access to your source code if the website were to fetch your source code's specific URL. You can read more information in the report.

  Starting with this release, CORS will now be disabled, and requests will now be denied if the host does not match the one provided to --serve=. The default host is 0.0.0.0, which refers to all of the IP addresses that represent the local machine (e.g. both 127.0.0.1 and 192.168.0.1). If you want to customize anything about esbuild's development server, you can put a proxy in front of esbuild and modify the incoming and/or outgoing requests.

  In addition, the serve() API call has been changed to return an array of hosts instead of a single host string. This makes it possible to determine all of the hosts that esbuild's development server will accept.

  Thanks to @​sapphi-red for reporting this issue.

• Delete output files when a build fails in watch mode (#3643)

  It has been requested for esbuild to delete files when a build fails in watch mode. Previously esbuild left the old files in place, which could cause people to not immediately realize that the most recent build failed. With this release, esbuild will now delete all output files if a rebuild fails. Fixing the build error and triggering another rebuild will restore all output files again.

• Fix correctness issues with the CSS nesting transform (#3620, #3877, #3933, #3997, #4005, #4037, #4038)

  This release fixes the following problems:

  • Naive expansion of CSS nesting can result in an exponential blow-up of generated CSS if each nesting level has multiple selectors. Previously esbuild sometimes collapsed individual nesting levels using :is() to limit expansion. However, this collapsing wasn't correct in some cases, so it has been removed to fix correctness issues.

    /* Original code */
    .parent {
      > .a,
      > .b1 > .b2 {
        color: red;
      }
    }
    /* Old output (with --supported:nesting=false) */
    .parent > :is(.a, .b1 > .b2) {
    color: red;
    }
    /* New output (with --supported:nesting=false) */
    .parent > .a,
    .parent > .b1 > .b2 {
    color: red;
    }

    Thanks to @​tim-we for working on a fix.

  • The & CSS nesting selector can be repeated multiple times to increase CSS specificity. Previously esbuild ignored this possibility and incorrectly considered && to have the same specificity as &. With this release, this should now work correctly:

    /* Original code (color should be red) */

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2024

This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).

Commits

• e9174d6 publish 0.25.0 to npm
• c27dbeb fix hosts in plugin-tests.js
• 6794f60 fix hosts in node-unref-tests.js
• de85afd Merge commit from fork
• da1de1b fix #4065: bitwise operators can return bigints
• f4e9d19 switch case liveness: default is always last
• 7aa47c3 fix #4028: minify live/dead switch cases better
• 22ecd30 minify: more constant folding for strict equality
• 4cdf03c fix #4053: reordering of .tsx in node_modules
• dc71977 fix #3692: 0 now picks a random ephemeral port
• Additional commits viewable in compare view

Updates cookie from 0.7.2 to 1.0.0

Release notes

Sourced from cookie's releases.

v1.0.0

Breaking changes

• Use modern JS features, ship TypeScript definition (#175) 1cc64ff
  • Adds __esModule marker, imports need to use import { parse, serialize } or import * as cookie
• Minimum node.js v18
• Uses null prototype object for parse return value
• Changes strict and priority to match the lower case strings (i.e. low, not LOW or Low)
• Require maxAge to be an integer using Number.isInteger check
• Delegates decode implementation details to decode option (i.e. error handling and quote parsing is defined by decode)
  • Delegate quote parsing to decode (#180) c4a2597
  • Shift try/catch to decode (#179) 93a5b97
• Improve arg/option error messages (#162) e206fd5 @​MaoShizhong

Other

• Remove hasOwnProperty, use undefined check for performance (#183) 8f3ee9e @​gurgunday

jshttp/cookie@v0.7.2...v1.0.0

Commits

• c69cef6 1.0.0
• 42025f7 Use workflow status for badge
• ad9c960 Update option documentation (#186)
• c4a2597 Delegate quote parsing to decode (#180)
• 88704d6 Use shields for badges (#185)
• 8f3ee9e Remove hasOwnProperty, use undefined (#183)
• 93a5b97 Shift try/catch to decode (#179)
• 0f56c6e Update top sites cookies (#182)
• 0ecf9bd Enable codecov (#178)
• 1cc64ff Use modern JS features, ship TS defs (#175)
• Additional commits viewable in compare view

Updates vite from 6.2.1 to 6.2.7

Release notes

Sourced from vite's releases.

v6.2.7

Please refer to CHANGELOG.md for details.

v6.2.6

Please refer to CHANGELOG.md for details.

v6.2.5

Please refer to CHANGELOG.md for details.

v6.2.4

Please refer to CHANGELOG.md for details.

v6.2.3

Please refer to CHANGELOG.md for details.

v6.2.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.2.7 (2025-04-30)

• fix: check static serve file inside sirv (#19965) (99980ec), closes #19965

6.2.6 (2025-04-10)

• fix: reject requests with # in request-target (#19830) (3bb0883), closes #19830

6.2.5 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (fdb196e), closes #19782

6.2.4 (2025-03-31)

• fix: fs check in transform middleware (#19761) (7a4faba), closes #19761

6.2.3 (2025-03-24)

• fix: fs raw query with query separators (#19702) (f234b57), closes #19702

6.2.2 (2025-03-14)

• fix: await client buildStart on top level buildStart (#19624) (b31faab), closes #19624
• fix(css): inline css correctly for double quote use strict (#19590) (d0aa833), closes #19590
• fix(deps): update all non-major dependencies (#19613) (363d691), closes #19613
• fix(indexHtml): ensure correct URL when querying module graph (#19601) (dc5395a), closes #19601
• fix(preview): use preview https config, not server (#19633) (98b3160), closes #19633
• fix(ssr): use optional chaining to prevent "undefined is not an object" happening in `ssrRewriteStac (4309755), closes #19612
• feat: show friendly error for malformed base (#19616) (2476391), closes #19616
• feat(worker): show asset filename conflict warning (#19591) (367d968), closes #19591
• chore: extend commit hash correctly when ambigious with a non-commit object (#19600) (89a6287), closes #19600

Commits

• 3d6a427 release: v6.2.7
• 99980ec fix: check static serve file inside sirv (#19965)
• d3dbf25 release: v6.2.6
• 3bb0883 fix: reject requests with # in request-target (#19830)
• c176acf release: v6.2.5
• fdb196e fix: backport #19782, fs check with svg and relative paths
• 037f801 release: v6.2.4
• 7a4faba fix: fs check in transform middleware (#19761)
• 16869d7 release: v6.2.3
• f234b57 fix: fs raw query with query separators (#19702)
• Additional commits viewable in compare view

Updates undici from 7.4.0 to 7.5.0

Release notes

Sourced from undici's releases.

v7.5.0

What's Changed

• feat(docs): button to switch dark and light mode by @​shivarm in nodejs/undici#4044
• feat: add mock call history to access request configuration in test by @​blephy in nodejs/undici#4029
• fix: Fix retry-handler.js when retry-after header is a Date by @​fgiova in nodejs/undici#4084
• Update Cache Tests by @​github-actions in nodejs/undici#4027
• Allow disabling autoSelectFamily in an Agent by @​hitsthings in nodejs/undici#4070
• Removed clients with unrecoverable errors from the Pool by @​mcollina in nodejs/undici#4088

New Contributors

• @​blephy made their first contribution in nodejs/undici#4029
• @​fgiova made their first contribution in nodejs/undici#4084
• @​hitsthings made their first contribution in nodejs/undici#4070

Full Changelog: nodejs/undici@v7.4.0...v7.5.0

Commits

• a180465 Bumped v7.5.0 (#4091)
• f317618 Removed clients with unrecoverable errors from the Pool (#4088)
• 1e58b58 feat: Allow disabling autoSelectFamily in an Agent (#4070)
• 2767d0e chore: update cache tests (#4027)
• ef276d4 fix: Fix retry-handler.js when retry-after header is a Date (#4084)
• 6179788 feat: add mock call history to access request configuration in test (#4029)
• f11ae94 feat(docs): button to switch dark and light mode (#4044)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by Sourcery

Upgrade core dependencies to their latest versions and regenerate lockfile

Chores:

• Bump esbuild from 0.24.2 to 0.25.0 across project packages
• Upgrade cookie from 0.7.2 to 1.0.0 and update minimum Node.js requirement
• Update vite from 6.2.1 to 6.2.7 and refresh peer dependency references
• Bump undici from 7.4.0 to 7.5.0
• Regenerate pnpm-lock.yaml to reflect updated dependency versions and remove outdated entries

[sourcery-ai]

Reviewer's Guide

This PR uses Dependabot to bump four core dependencies (esbuild, cookie, vite, undici) in the root pnpm lock file and in relevant package.json files, updating specifiers, versions, integrity checks, and pruning outdated entries across the monorepo.

Class diagram for breaking changes in the 'cookie' dependency update

classDiagram
    class Cookie {
      <<module>>
      +parse(str, [options])
      +serialize(name, value, [options])
      +__esModule: true
    }
    note for Cookie "Breaking changes in v1.0.0:\n- parse() now returns a null-prototype object\n- strict/priority options now use lowercase strings\n- maxAge must be integer\n- decode option now handles error/quote parsing\n- __esModule marker added (import as ESM)\n- Minimum Node.js v18 required"

Loading

Class diagram for esbuild serve() API change

classDiagram
    class EsbuildServe {
      <<API>>
      - host: string
      + hosts: string[]
    }
    note for EsbuildServe "esbuild's serve() API now returns an array of hosts instead of a single host string (v0.25.0)"

Loading

File-Level Changes

Change	Details	Files
Bump esbuild from 0.24.2 to 0.25.0	Updated specifier and version entries for esbuild in pnpm-lock.yaml Removed old esbuild@0.24.2 resolution blocks and replaced them with @0.25.0 Updated esbuild dependency specifier in packages/markdown/remark/package.json	pnpm-lock.yaml packages/markdown/remark/package.json
Bump cookie from 0.7.2 to 1.0.0	Updated cookie specifier and version in pnpm-lock.yaml Replaced integrity and engine fields for cookie@1.0.0 Updated cookie dependency specifier in packages/astro/package.json	pnpm-lock.yaml packages/astro/package.json
Bump vite from 6.2.1 to 6.2.7	Updated vite specifier and version across importers in pnpm-lock.yaml Removed old vite resolution blocks and added @6.2.7 entries with updated peerDependenciesMeta Updated vite dependency specifier in all package.json under packages/astro, db, studio and integrations/*	pnpm-lock.yaml packages/astro/package.json packages/db/package.json packages/studio/package.json packages/integrations/alpinejs/package.json packages/integrations/cloudflare/package.json packages/integrations/markdoc/package.json packages/integrations/mdx/package.json packages/integrations/netlify/package.json packages/integrations/preact/package.json packages/integrations/react/package.json packages/integrations/solid/package.json packages/integrations/svelte/package.json packages/integrations/tailwind/package.json packages/integrations/vue/package.json
Bump undici from 7.4.0 to 7.5.0	Updated undici specifier and version in pnpm-lock.yaml Replaced integrity and engine fields for undici@7.5.0 Updated undici dependency specifier in packages/astro/package.json	pnpm-lock.yaml packages/astro/package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[dependabot]

Superseded by #3.