Skip to content

chore(deps): bump the npm_and_yarn group across 1 directory with 14 updates#2

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/npm_and_yarn-175fb3fe41
Open

chore(deps): bump the npm_and_yarn group across 1 directory with 14 updates#2
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/npm_and_yarn-175fb3fe41

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 9, 2026

Copy link
Copy Markdown

Bumps the npm_and_yarn group with 12 updates in the / directory:

Package From To
drizzle-orm 0.45.1 0.45.2
next 16.0.7 16.2.10
vitest 3.2.4 3.2.6
@ai-sdk/provider-utils 3.0.18 5.0.7
@hono/node-server 1.19.7 1.19.14
@modelcontextprotocol/sdk 1.25.2 1.29.0
fast-uri 3.1.0 3.1.3
flatted 3.3.3 3.4.2
langsmith 0.4.5 0.8.1
rollup 4.53.3 4.62.2
vite 6.4.1 7.3.6
ws 8.18.3 8.21.0

Updates drizzle-orm from 0.45.1 to 0.45.2

Release notes

Sourced from drizzle-orm's releases.

0.45.2

  • Fixed sql.identifier(), sql.as() escaping issues. Previously all the values passed to this functions were not properly escaped causing a possible SQL Injection (CWE-89) vulnerability

Thanks to @​EthanKim88, @​0x90sh and @​wgoodall01 for reaching out to us with a reproduction and suggested fix

Commits

Updates next from 16.0.7 to 16.2.10

Release notes

Sourced from next's releases.

v16.2.10

Contains no changes except publishing @next/swc-wasm-web which was accidentally not published since 16.2.4.

v16.2.9

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Backport documentation fixes for v16.2 (#93804)
  • [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
  • [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
  • [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
  • [backport] Encode non-ASCII characters in cache tags at construction (#93918)
  • [backport] Fix server action forwarding loop with middleware rewrites (#93919)
  • [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
  • [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
  • [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
  • [backport] Propagate adapter preferred regions (#94200)
  • [16.2.x] Don't drop FormData entries (#94240)
  • [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

Moderate:

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.


Updates vitest from 3.2.4 to 3.2.6

Release notes

Sourced from vitest's releases.

v3.2.6

   🐞 Bug Fixes

    View changes on GitHub

v3.2.5

   🚀 Features

   🐞 Bug Fixes

    View changes on GitHub
Commits
  • b6d56f8 chore: release v3.2.6
  • 16f120d fix: pin last supported vite-node version
  • 2cbad0a chore: release v3.2.5
  • 385a1ae fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • af88b1f feat(api): add allowWrite and allowExec options to api [backport to v3]...
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.


Updates @ai-sdk/provider-utils from 3.0.18 to 5.0.7

Release notes

Sourced from @​ai-sdk/provider-utils's releases.

@​ai-sdk/provider-utils@​5.0.7

Patch Changes

  • Updated dependencies [0f93c57]
    • @​ai-sdk/provider@​4.0.3

@​ai-sdk/provider-utils@​4.0.38

Patch Changes

  • Updated dependencies [e1af05f]
    • @​ai-sdk/provider@​3.0.14
Changelog

Sourced from @​ai-sdk/provider-utils's changelog.

5.0.7

Patch Changes

  • Updated dependencies [0f93c57]
    • @​ai-sdk/provider@​4.0.3

5.0.6

Patch Changes

  • ac306ed: Fix StreamingToolCallTracker finalizing streaming tool calls on parsable partial JSON. Tool calls now only finalize during stream flush, restoring the behavior of #13137: a parsable argument buffer can still be the prefix of a longer argument string, so finalizing early could act on truncated tool inputs.

5.0.5

Patch Changes

  • 5c5c0f5: Add experimental streaming transcription support for transcription models, including OpenAI gpt-realtime-whisper and xAI WebSocket STT.
  • Updated dependencies [5c5c0f5]
    • @​ai-sdk/provider@​4.0.2

5.0.4

Patch Changes

  • c6f5e62: Prevent prototype pollution when synchronously parsing provider JSON inputs and expose secureJsonParse from provider-utils.

5.0.3

Patch Changes

  • 8c616f0: feat(mcp): add maxRetries option for failed mcp tool calls

5.0.2

Patch Changes

  • Updated dependencies [0274f34]
    • @​ai-sdk/provider@​4.0.1

5.0.1

Patch Changes

  • 6a436e3: Limit JSON response body reads in response handlers to prevent unbounded memory use.

5.0.0

Major Changes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​ai-sdk/provider-utils since your current version.


Updates @hono/node-server from 1.19.7 to 1.19.14

Release notes

Sourced from @​hono/node-server's releases.

v1.19.14

What's Changed

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

v1.19.9

What's Changed

Full Changelog: honojs/node-server@v1.19.8...v1.19.9

v1.19.8

What's Changed

New Contributors

... (truncated)

Commits

Updates @modelcontextprotocol/sdk from 1.25.2 to 1.29.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.29.0

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@v1.28.0...v1.29.0

v1.28.0

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0

v1.27.1

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.0...v1.27.1

v1.27.0

What's Changed

... (truncated)

Commits

Updates fast-uri from 3.1.0 to 3.1.3

Release notes

Sourced from fast-uri's releases.

v3.1.3

⚠️ Security Release

Full Changelog: fastify/fast-uri@v3.1.2...v3.1.3

v3.1.2

⚠️ Security Release

What's Changed

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits

Updates flatted from 3.3.3 to 3.4.2

Commits
  • 3bf0909 3.4.2
  • 885ddcc fix CWE-1321
  • 0bdba70 added flatted-view to the benchmark
  • 2a02dce 3.4.1
  • fba4e8f Merge pull request #89 from WebReflection/python-fix
  • 5fe8648 added "when in Rome" also a test for PHP
  • 53517ad some minor improvement
  • b3e2a0c Fixing recursion issue in Python too
  • c4b46db Add SECURITY.md for security policy and reporting
  • f86d071 Create dependabot.yml for version updates
  • Additional commits viewable in compare view

Updates langsmith from 0.4.5 to 0.8.1

Release notes

Sourced from langsmith's releases.

v0.8.1

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.8.0...v0.8.1

v0.8.0

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.7.38...v0.8.0

v0.7.38

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.7.37...v0.7.38

v0.7.37

What's Changed

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for langsmith since your current version.

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.


Updates path-to-regexp from 8.3.0 to 8.4.2

Release notes

Sourced from path-to-regexp's releases.

v8.4.2

Fixed

  • Error on trailing backslash (#434) 9a78879

Performance

  • Minimize array allocations (#437) 937c02d
  • Improve compile performance (#436) 57247e6
    • Should improve compilation performance by ~25%
  • Remove internal tokenization during parse (#435) 5844988
    • Should improve parse performance by ~20%

Bundle size to 1.93 kB, from 1.97 kB.


pillarjs/path-to-regexp@v8.4.1...v8.4.2

v8.4.1

Fixed

  • Remove trie deduplication (#431) 6bc8e84
    • Using a trie required non-greedy matching, which regressed wildcards in non-ending mode by matching them up until the first match. For example:
      • /*foo with /a/b = /a
      • /*foo.htmlwith /a/b.html/c.html = /a/b.html
  • Allow backtrack handling to match itself (#427) 5bcd30b
    • When backtracking was introduced, it rejected matching things like /:"a"_:"b" against /foo__. This makes intuitive sense because the second parameter is not going to backtrack on _ anymore, but it's somewhat unexpected since there's no reason it shouldn't match the second _.

pillarjs/path-to-regexp@v8.4.0...v8.4.1

v8.4.0

Important

Fixed

Changed

  • Dedupes regex prefixes (pillarjs/path-to-regexp#422)
    • This will result in shorter regular expressions for some cases using optional groups
  • Rejects large optional route combinations (pillarjs/path-to-regexp#424)
    • When using groups such as /users{/delete} it will restrict the number of generated combinations to < 256, equivalent to 8 top-level optional groups and unlikely to occur in a real world application, but avoids exploding the regex size for applications that accept user created routes
Commits

Updates qs from 6.14.1 to 6.15.3

Changelog

Sourced from qs's changelog.

6.15.3

  • [Fix] parse: enforce throwOnLimitExceeded for cumulative array growth via combine/merge
  • [Fix] utils: respect encoding of surrogate pairs across chunks (#559)
  • [Robustness] parse: throw the arrayLimit error before sp...

    Description has been truncated

…pdates

Bumps the npm_and_yarn group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [drizzle-orm](https://github.com/drizzle-team/drizzle-orm) | `0.45.1` | `0.45.2` |
| [next](https://github.com/vercel/next.js) | `16.0.7` | `16.2.10` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `3.2.4` | `3.2.6` |
| [@ai-sdk/provider-utils](https://github.com/vercel/ai/tree/HEAD/packages/provider-utils) | `3.0.18` | `5.0.7` |
| [@hono/node-server](https://github.com/honojs/node-server) | `1.19.7` | `1.19.14` |
| [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) | `1.25.2` | `1.29.0` |
| [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.3` |
| [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` |
| [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.4.5` | `0.8.1` |
| [rollup](https://github.com/rollup/rollup) | `4.53.3` | `4.62.2` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `6.4.1` | `7.3.6` |
| [ws](https://github.com/websockets/ws) | `8.18.3` | `8.21.0` |



Updates `drizzle-orm` from 0.45.1 to 0.45.2
- [Release notes](https://github.com/drizzle-team/drizzle-orm/releases)
- [Commits](drizzle-team/drizzle-orm@0.45.1...0.45.2)

Updates `next` from 16.0.7 to 16.2.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Commits](vercel/next.js@v16.0.7...v16.2.10)

Updates `vitest` from 3.2.4 to 3.2.6
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v3.2.6/packages/vitest)

Updates `@ai-sdk/provider-utils` from 3.0.18 to 5.0.7
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/main/packages/provider-utils/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/commits/@ai-sdk/provider-utils@5.0.7/packages/provider-utils)

Updates `@hono/node-server` from 1.19.7 to 1.19.14
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v1.19.7...v1.19.14)

Updates `@modelcontextprotocol/sdk` from 1.25.2 to 1.29.0
- [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases)
- [Commits](modelcontextprotocol/typescript-sdk@v1.25.2...v1.29.0)

Updates `fast-uri` from 3.1.0 to 3.1.3
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.3)

Updates `flatted` from 3.3.3 to 3.4.2
- [Commits](WebReflection/flatted@v3.3.3...v3.4.2)

Updates `langsmith` from 0.4.5 to 0.8.1
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](langchain-ai/langsmith-sdk@v0.4.5...v0.8.1)

Updates `path-to-regexp` from 8.3.0 to 8.4.2
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](pillarjs/path-to-regexp@v8.3.0...v8.4.2)

Updates `qs` from 6.14.1 to 6.15.3
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.1...v6.15.3)

Updates `rollup` from 4.53.3 to 4.62.2
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.53.3...v4.62.2)

Updates `vite` from 6.4.1 to 7.3.6
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.6/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.6/packages/vite)

Updates `ws` from 8.18.3 to 8.21.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.18.3...8.21.0)

---
updated-dependencies:
- dependency-name: drizzle-orm
  dependency-version: 0.45.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 16.2.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vitest
  dependency-version: 3.2.6
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@ai-sdk/provider-utils"
  dependency-version: 5.0.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@hono/node-server"
  dependency-version: 1.19.14
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@modelcontextprotocol/sdk"
  dependency-version: 1.29.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-uri
  dependency-version: 3.1.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: langsmith
  dependency-version: 0.8.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: path-to-regexp
  dependency-version: 8.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.15.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 4.62.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 7.3.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants