chore(deps): bump the npm_and_yarn group across 2 directories with 19 updates

[dependabot]

Bumps the npm_and_yarn group with 6 updates in the /docs directory:

Package	From	To
astro	4.5.7	4.16.19
vitest	1.4.0	1.6.1
brace-expansion	1.1.11	1.1.12
braces	3.0.2	3.0.3
cross-spawn	7.0.3	7.0.6
undici	5.28.4	5.29.0

Bumps the npm_and_yarn group with 10 updates in the /frontend directory:

Package	From	To
brace-expansion	1.1.11	1.1.12
braces	3.0.2	3.0.3
cross-spawn	7.0.3	7.0.6
path-to-regexp	6.2.1	6.3.0
undici	5.28.4	5.29.0
vite	5.2.6	5.4.20
axios	1.6.8	1.8.2
@babel/runtime	7.24.1	7.28.4
form-data	4.0.0	4.0.4
ws	8.16.0	8.18.3

Updates astro from 4.5.7 to 4.16.19

Release notes

Sourced from astro's releases.

[email protected]

Patch Changes

• #14241 760acc8 Thanks @​ematipico! - Fixes an issue where remote paths weren't correctly computed when generating assets

Changelog

Sourced from astro's changelog.

4.16.19

Patch Changes

• #14241 760acc8 Thanks @​ematipico! - Fixes an issue where remote paths weren't correctly computed when generating assets

4.16.18

Patch Changes

• #12757 d0aaac3 Thanks @​matthewp! - Remove all assets created from the server build

• #12757 d0aaac3 Thanks @​matthewp! - Clean server sourcemaps from static output

4.16.17

Patch Changes

• #12632 e7d14c3 Thanks @​ematipico! - Fixes an issue where the checkOrigin feature wasn't correctly checking the content-type header

4.16.16

Patch Changes

• #12542 65e50eb Thanks @​kadykov! - Fix JPEG image size determination

• #12525 cf0d8b0 Thanks @​ematipico! - Fixes an issue where with i18n enabled, Astro couldn't render the 404.astro component for non-existent routes.

4.16.15

Patch Changes

• #12498 b140a3f Thanks @​ematipico! - Fixes a regression where Astro was trying to access Request.headers

4.16.14

Patch Changes

• #12480 c3b7e7c Thanks @​matthewp! - Removes the default throw behavior in astro:env

• #12444 28dd3ce Thanks @​ematipico! - Fixes an issue where a server island hydration script might fail case the island ID misses from the DOM.

• #12476 80a9a52 Thanks @​florian-lefebvre! - Fixes a case where the Content Layer glob() loader would not update when renaming or deleting an entry

• #12418 25baa4e Thanks @​oliverlynch! - Fix cached image redownloading if it is the first asset

• #12477 46f6b38 Thanks @​ematipico! - Fixes an issue where the SSR build was emitting the dist/server/entry.mjs file with an incorrect import at the top of the file/

• #12365 a23985b Thanks @​apatel369! - Fixes an issue where Astro.currentLocale was not correctly returning the locale for 404 and 500 pages.

... (truncated)

Commits

• 32b14f2 [ci] release (#14244)
• 760acc8 fix(assets): fix remote path detection (#14241)
• 84190aa [ci] release (#12774)
• d0aaac3 Prevent server sourcemaps from being part of client output (#12757)
• ba4aac1 [ci] release (#12648)
• e7d14c3 fix: checkOrigin headers check (#12632)
• 6eac6ba [ci] release (#12536)
• 65e50eb Fix JPEG image size determination (#12542)
• 6fc29e3 fix(deps): update all non-major dependencies (#12410)
• cf0d8b0 fix(i18n): render 404.astro when i18n is enabled (#12525)
• Additional commits viewable in compare view

Updates vitest from 1.4.0 to 1.6.1

Release notes

Sourced from vitest's releases.

v1.6.1

This release includes security patches for:

• Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964

   🐞 Bug Fixes

• backport vitest-dev/vitest#7317 to v1 - by @​hi-ogawa in vitest-dev/vitest#7319

    View changes on GitHub

v1.6.0

   🚀 Features

• Support standalone mode  -  by @​sheremet-va in vitest-dev/vitest#5565 (bdce0)
• Custom "snapshotEnvironment" option  -  by @​sheremet-va in vitest-dev/vitest#5449 (30f72)
• benchmark: Support comparing benchmark result  -  by @​hi-ogawa and @​sheremet-va in vitest-dev/vitest#5398 (f8d3d)
• browser: Allow injecting scripts  -  by @​sheremet-va in vitest-dev/vitest#5656 (21e58)
• reporter: Support includeConsoleOutput and addFileAttribute in junit  -  by @​hi-ogawa in vitest-dev/vitest#5659 (2f913)
• ui: Sort items by file name  -  by @​btea in vitest-dev/vitest#5652 (1f726)

   🐞 Bug Fixes

• Keep order of arguments for .each in custom task collectors  -  by @​sheremet-va in vitest-dev/vitest#5640 (7d57c)
• Call resolveId('vitest') after buildStart  -  by @​hi-ogawa in vitest-dev/vitest#5646 (f5faf)
• Hash the name of the file when caching  -  by @​sheremet-va in vitest-dev/vitest#5654 (c9e68)
• Don't panic on empty files in node_modules  -  by @​sheremet-va (40c29)
• Use toJSON for error serialization  -  by @​hi-ogawa in vitest-dev/vitest#5526 (19a21)
• coverage:
  • Exclude *.test-d.* by default  -  by @​MindfulPol in vitest-dev/vitest#5634 (bfe8a)
  • Apply vite-node's wrapper only to executed files  -  by @​AriPerkkio in vitest-dev/vitest#5642 (c9883)
• vm:
  • Support network imports  -  by @​sheremet-va in vitest-dev/vitest#5610 (103a6)

   🏎 Performance

• Improve performance of forks pool  -  by @​sheremet-va in vitest-dev/vitest#5592 (d8304)
• Unnecessary rpc call when coverage is disabled  -  by @​AriPerkkio in vitest-dev/vitest#5658 (c5712)

    View changes on GitHub

v1.5.3

   🐞 Bug Fixes

• Use package.json name for a workspace project if not provided  -  by @​sheremet-va in vitest-dev/vitest#5608 (48fba)
• Backport jest iterable equality within object  -  by @​sukovanej in vitest-dev/vitest#5621 (30e5d)
• browser: Support benchmark  -  by @​hi-ogawa in vitest-dev/vitest#5622 (becab)
• reporter: Use default error formatter for JUnit  -  by @​hi-ogawa in vitest-dev/vitest#5629 (20060)

... (truncated)

Commits

• 017e1ee chore: release v1.6.1
• 7ce9fbb fix: backport #7317 to v1 (#7319)
• 6b29f3d chore: release v1.6.0
• f8d3d22 feat(benchmark): support comparing benchmark result (#5398)
• 21e58bd feat(browser): allow injecting scripts (#5656)
• 30f728b feat: custom "snapshotEnvironment" option (#5449)
• 2f91322 feat(reporter): support includeConsoleOutput and addFileAttribute in juni...
• c571276 perf: unnecessary rpc call when coverage is disabled (#5658)
• bdce0a2 feat: support standalone mode (#5565)
• 40c299f fix: don't panic on empty files in node_modules
• Additional commits viewable in compare view

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates cookie from 0.6.0 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

• Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

Commits

• d19eaa1 0.7.2
• bc38ffd Fix object assignment of hasOwnProperty (#177)
• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates cross-spawn from 7.0.3 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

Commits

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Updates devalue from 4.3.2 to 5.3.2

Release notes

Sourced from devalue's releases.

v5.3.2

Patch Changes

• 0623a47: fix: disallow array method access when parsing
• 0623a47: fix: disallow __proto__ properties on objects

v5.3.1

Patch Changes

• ae904c5: fix: correctly differentiate between +0 and -0

v5.3.0

Minor Changes

• 2896e7b: feat: support Temporal
• fec694d: feat: support URL and URLSearchParams objects

Changelog

Sourced from devalue's changelog.

5.3.2

Patch Changes

• 0623a47: fix: disallow array method access when parsing
• 0623a47: fix: disallow __proto__ properties on objects

5.3.1

Patch Changes

• ae904c5: fix: correctly differentiate between +0 and -0

5.3.0

Minor Changes

• 2896e7b: feat: support Temporal
• fec694d: feat: support URL and URLSearchParams objects

5.2.1

Patch Changes

• e46f4c8: fix: handle repeated array buffers and subarrays
• 2dfa504: fix: handle custom classes with null proto as pojo

5.2.0

• Handle custom classes with null proto as pojo (#95)

5.1.1

• Only iterate over own properties of reducers (#80)

5.1.0

• Handle typed arrays and array buffers (#69)
• Add sideEffects: false to package.json (#81)
• Better errors when keys are invalid identifiers (#82)

5.0.0

• Ignore non-enumerable symbolic keys (#78)

4.3.3

• Support invalid dates (#61)
• Fix incorrect error.path when object contains a map (#64)

Commits

• 86a6a66 Version Packages (#109)
• 0623a47 Merge commit from fork
• 02d20e8 Version Packages (#108)
• ae904c5 fix stringify not picking up negative zero if a normal zero has appeared befo...
• e95b87a fix pkg.repository
• 8300172 fix changeset config
• 434d8ae Version Packages (#106)
• 67c8334 mention support for URL/URLSearchParams/Temporal in README
• fec694d feat: support URL and URLSearchParams (#92)
• 2896e7b Add support for Temporal objects (#98)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by svelte-admin, a new releaser for devalue since your current version.

Updates dset from 3.1.3 to 3.1.4

Commits

• 05b1ec0 3.1.4
• 16d6154 fix: prevent proto assignment via implicit string
• See full diff in compare view

Updates nanoid from 3.3.7 to 3.3.11

Release notes

Sourced from nanoid's releases.

3.3.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

Changelog

Sourced from nanoid's changelog.

3.3.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

3.3.8

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

Commits

• 37289ce Release 3.3.11 version
• 23690b7 Fix CI
• c147962 Fix RN support
• a83734e Move to manually ESM/CJS dual package
• bb12e8a Release 3.3.10 version
• 8f44264 Fix Expo support
• adf9b0c Release 3.3.9 version
• 1c6f088 Remove dev file from npm package
• 3044cd5 Release 3.3.8 version
• 4fe3495 Update size limit
• Additional commits viewable in compare view

Updates prismjs from 1.29.0 to 1.30.0

Release notes

Sourced from prismjs's releases.

v1.30.0

What's Changed

• check that currentScript is set by a script tag by @​lkuechler in PrismJS/prism#3863

New Contributors

• @​lkuechler made their first contribution in PrismJS/prism#3863

Full Changelog: PrismJS/prism@v1.29.0...v1.30.0

Changelog

Sourced from prismjs's changelog.

Prism Changelog

Commits

• 76dde18 Release 1.30.0
• 93cca40 npm pkg fix
• 99c5ca9 Add release script
• 8e8b935 check that currentScript is set by a script tag (#3863)
• f894dc2 Fix logo in the footer
• ac38dce Delete CNAME
• 9b5b09a Enable CORS
• See full diff in compare view

Maintainer changes

This version was pushed to npm by dmitrysharabin, a new releaser for prismjs since your current version.

Updates rollup from 4.13.0 to 4.50.1

Release notes

Sourced from rollup's releases.

v4.50.1

4.50.1

2025-09-07

Bug Fixes

• Resolve a situation where a destructuring default value was removed (#6090)

Pull Requests

• #6088: feat(www): shorter repl shareables (@​cyyynthia, @​lukastaegert)
• #6090: Call includeNode for self or children nodes in includeDestructuredIfNecessary (@​TrickyPi)
• #6091: fix(deps): update rust crate swc_compiler_base to v33 (@​renovate[bot])
• #6092: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6094: perf: replace startsWith with strict equality (@​btea)

v4.50.0

4.50.0

2025-08-31

Features

• Support openharmony-arm64 platform (#6081)

Bug Fixes

• Fix loading of extensionless imports in config files (#6084)

Pull Requests

• #6081: Add support for openharmony-arm64 platform (@​hqzing, @​lukastaegert)
• #6084: Return null to defer to the default resolution behavior (@​TrickyPi)

v4.49.0

4.49.0

2025-08-27

Features

• Allow config plugins to resolve imports first before deciding whether to treat them as external (#6038)

Pull Requests

• #6038: feat: Run external check in cli/run/loadConfigFile.ts as last in order to allow handling of e.g. workspace package imports in TS monorepos correctly (@​stazz, @​TrickyPi)
• #6082: Improve build pipeline performance (@​lukastaegert)

v4.48.1

... (truncated)

Changelog

Sourced from rollup's changelog.

4.50.1

2025-09-07

Bug Fixes

• Resolve a situation where a destructuring default value was removed (#6090)

Pull Requests

• #6088: feat(www): shorter repl shareables (@​cyyynthia, @​lukastaegert)
• #6090: Call includeNode for self or children nodes in includeDestructuredIfNecessary (@​TrickyPi)
• #6091: fix(deps): update rust crate swc_compiler_base to v33 (@​renovate[bot])
• #6092: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6094: perf: replace startsWith with strict equality (@​btea)

4.50.0

2025-08-31

Features

• Support openharmony-arm64 platform (#6081)

Bug Fixes

• Fix loading of extensionless imports in config files (#6084)

Pull Requests

• #6081: Add support for openharmony-arm64 platform (@​hqzing, @​lukastaegert)
• #6084: Return null to defer to the default resolution behavior (@​TrickyPi)

4.49.0

2025-08-27

Features

• Allow config plugins to resolve imports first before deciding whether to treat them as external (#6038)

Pull Requests

• #6038: feat: Run external check in cli/run/loadConfigFile.ts as last in order to allow handling of e.g. workspace package imports in TS monorepos correctly (@​stazz, @​TrickyPi)
• #6082: Improve build pipeline performance (@​lukastaegert)

4.48.1

2025-08-25

... (truncated)

Commits

• 79d5563 4.50.1
• 7fb50f9 Call includeNode for self or children nodes in includeDestructuredIfNecessary...
• 235dc74 perf: replace startsWith with strict equality (#6094)
• a2744ea feat(www): shorter repl shareables (#6088)
• 298609e chore(deps): lock file maintenance minor/patch updates (#6092)
• 3d9de27 fix(deps): update rust crate swc_compiler_base to v33 (#6091)
• 592e7d7 4.50.0
• 06df2d6 Split up changelog file
• 38a5c6d Add support for openharmony-arm64 platform (#6081)
• bd02778 Return null to defer to the default resolution behavior (#6084)
• Additional commits viewable in compare view

Updates undici from 5.28.4 to 5.29.0

Release notes

Sourced from undici's releases.

v5.29.0

What's Changed

• Fix tests in v5.x for Node 20 by @​mcollina in nodejs/undici#4104
• Removed clients with unrecoverable errors from the Pool nodejs/undici#4088

Full Changelog: nodejs/undici@v5.28.5...v5.29.0

v5.28.5

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

Full Changelog: nodejs/undici@v5.28.4...v5.28.5

Commits

• 9528f68 Bumped v5.29.0
• f1d75a4 increase timeout for redirect test
• 2d31ed6 remove fuzzing tests
• 6b36d49 fix redirect test in Node v16
• 648dd8f more fix for the wpt runner on Windows
• a0516ba don't use internal header state for cookies (#3295)
• 87ce4af fix test/client for node 20
• c2c8fd5 fix: accept v20 SSL specific error for alpn selection in http/2
• 82200bd [v6.x] fix wpts on windows (#4093)
• 47546fa test: fix windows wpt (#4050)
• Additional commits viewable in compare view

Updates vite from 5.2.8 to 5.4.20

Release notes

Sourced from vite's releases.

v5.4.20

Please refer to CHANGELOG.md for details.

v5.4.19

Please refer to CHANGELOG.md for details.

v5.4.18

Please refer to CHANGELOG.md for details.

v5.4.17

Please refer to CHANGELOG.md for details.

v5.4.16

Please refer to CHANGELOG.md for details.

v5.4.15

Please refer to CHANGELOG.md for details.

v5.4.14

Please refer to CHANGELOG.md for details.

v5.4.13

Please refer to CHANGELOG.md for details.

v5.4.12

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.20 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (482000f), closes #20736

5.4.19 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19966) (766947e), closes #19965 #19966

5.4.18 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19831) (823675b), closes #19830 #19831

5.4.17 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19784) (84b2b46), closes #19782 #19784

5.4.16 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19762) (b627c50), closes #19761 #19762

5.4.15 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19703) (807d7f0), closes #19702 #19703

5.4.14 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (9df6e6b), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (7d1699c), closes #19249

5.4.13 (2025-01-20)

• fix: try parse server.origin URL (#19241) (5946215), closes #19241

5.4.12 (2025-01-20)

... (truncated)

Commits

• 997700f release: v5.4.20
• 482000f fix: apply fs.strict check to HTML files (#20736)
• 80a333a release: v5.4.19
• 766947e fix: backport #19965, check static serve file inside sirv (#19966)
• 731b77d release: v5.4.18
• 823675b fix: backport #19830, reject requests with # in request-target (#19831)
• 0a2518a release: v5.4.17
• 84b2b46 fix: backport #19782, fs check with svg and relative paths (#19784)
• 712cb71 release: v5.4.16
• b627c50 fix: backport #19761, fs check in transform mid...

  Description has been truncated

[github-actions]

Hi @dependabot[bot]! 👋
Thank you for submitting a pull request! We appreciate your contribution and will review your changes as soon as possible.