chore(deps): bump the npm-deps group across 1 directory with 10 updates by dependabot[bot] · Pull Request #705 · tempoxyz/mpp

dependabot · 2026-06-16T16:09:29Z

Bumps the npm-deps group with 10 updates in the / directory:

Package	From	To
@stripe/stripe-js	`9.7.0`	`9.8.0`
hono	`4.12.23`	`4.12.25`
vocs	`2.0.10`	`2.0.12`
waku	`1.0.0-beta.1`	`1.0.0-beta.2`
@iconify/json	`2.2.482`	`2.2.484`
@types/node	`25.9.1`	`25.9.3`
@types/react	`19.2.16`	`19.2.17`
happy-dom	`20.9.0`	`20.10.2`
shiki	`4.1.0`	`4.2.0`
vite-plugin-mkcert	`2.0.0`	`2.1.0`

Updates @stripe/stripe-js from 9.7.0 to 9.8.0

Release notes

Sourced from @stripe/stripe-js's releases.

v9.8.0

Changed

Add CurrencySelector element definitions for getElement and create (#930)

Add new appearance API variable types (#931)

add unit label to checkout.d.ts (#929)

Commits

e5654a3 v9.8.0
6753d06 Add CurrencySelector element definitions for getElement and create (#930)
bd1be88 Add new appearance API variable types (#931)
730dbdb add unit label to checkout.d.ts (#929)
See full diff in compare view

Updates hono from 4.12.23 to 4.12.25

Release notes

Sourced from hono's releases.

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

v4.12.24

What's Changed

docs(contribution): simplifyAI Usage Policy by @yusukebe in honojs/hono#4972

chore: remove @types/glob by @rtritto in honojs/hono#4978

fix(bearer-auth): mention verifyToken in missing-options error message by @tan7vir in honojs/hono#4987

refactor(language): Test/improve tests on languages middleware by @iNeoO in honojs/hono#4980

fix(utils/ipaddr): expand "::" to eight zero groups by @youcefzemmar in honojs/hono#4973

fix: clean up config files trailing comma, stale excludes, typesVersions gaps, jsr paths by @Mohammad-Faiz-Cloud-Engineer in honojs/hono#4982

refactor(timing): Test/add test for middleware timing by @iNeoO in honojs/hono#4991

fix(utils/ipaddr): render the unspecified address binary as "::" by @sarathfrancis90 in honojs/hono#4998

Full Changelog: honojs/hono@v4.12.23...v4.12.24

Commits

fce483e 4.12.25
751ba41 Merge commit from fork
f0b094d Merge commit from fork
fa5f9bf Merge commit from fork
3892a6c Merge commit from fork
74c2cf8 test(aws-lambda): update integration tests (#5012)
7ae7cba Merge commit from fork
1b13848 chore(ci): bump codecov-action to v7.0.0 (#5011)
5fdde5a 4.12.24
c78932d fix(utils/ipaddr): render the unspecified address binary as "::" (#4998)
Additional commits viewable in compare view

Updates vocs from 2.0.10 to 2.0.12

Release notes

Sourced from vocs's releases.

vocs@2.0.12

Patch Changes

23ca0df: Added copy-to-clipboard behavior for heading anchor links.

vocs@2.0.11

Patch Changes

c7dcfd0: Fixed inline Twoslash cache comments leaking into rendered code snippets.

Changelog

Sourced from vocs's changelog.

2.0.12

Patch Changes

23ca0df: Added copy-to-clipboard behavior for heading anchor links.

2.0.11

Patch Changes

c7dcfd0: Fixed inline Twoslash cache comments leaking into rendered code snippets.

Commits

ce7dd97 chore: version packages (#471)
23ca0df fix(mdx): copy heading anchor links (#470)
88db3d6 chore: version packages (#469)
c7dcfd0 fix: hide @twoslash-cache comments in snippets (#468)
See full diff in compare view

Updates waku from 1.0.0-beta.1 to 1.0.0-beta.2

Release notes

Sourced from waku's releases.

v1.0.0-beta.2

This release includes a breaking change, along with bug fixes and improvements.

Here's the summary:

Before (waku/server) After (waku/router/server)

unstable_getContext() returning { req, nonce, data } unstable_getRequest() returning Request

unstable_getHeaders() unstable_getHeaders() (moved module)

unstable_getContextData() removed, bring your own AsyncLocalStorage

context.nonce = ... unstable_setNonce(nonce)

For more information, see #2118.

What's Changed

chore(deps): update dependencies by @dai-shi in wakujs/waku#2104

fix(adapters/cloudflare): check production worker by @dai-shi in wakujs/waku#2105

fix: one more validation before parsing request body by @dai-shi in wakujs/waku#2106

feat(adapters): add bodyLimit middleware by @dai-shi in wakujs/waku#2107

refactor(workflows): no longer uesed merge-group trigger by @dai-shi in wakujs/waku#2108

fix(router): add slice config check in define-router by @dai-shi in wakujs/waku#2109

fix(adapters): bodyLimit order by @dai-shi in wakujs/waku#2110

refactor: read debug id header only in dev by @dai-shi in wakujs/waku#2111

refactor(router): add stricter check in define-router by @dai-shi in wakujs/waku#2112

fix: sanitize log string by @dai-shi in wakujs/waku#2113

feat(adapters): pass app to middleware by @dai-shi in wakujs/waku#2114

refactor waku internals by @dai-shi in wakujs/waku#2115

fix(router): warm prefetched route navigations by @jxom in wakujs/waku#2100

breaking: handler interceptors instead of context storage by @dai-shi in wakujs/waku#2118

Full Changelog: wakujs/waku@v1.0.0-beta.1...v1.0.0-beta.2

Commits

1095211 v1.0.0-beta.2
15a99ea breaking: handler interceptors instead of context storage (#2118)
3259e01 fix(router): warm prefetched route navigations (#2100)
d8d823a refactor waku internals (#2115)
521bc76 feat(adapters): pass app to middleware (#2114)
551c3ca fix: sanitize log string (#2113)
56cdb51 refactor(router): add stricter check in define-router (#2112)
8858691 refactor: read debug id header only in dev (#2111)
d90307d fix(adapters): bodyLimit order (#2110)
a3ed8b5 fix(router): add slice config check in define-router (#2109)
Additional commits viewable in compare view

Updates @iconify/json from 2.2.482 to 2.2.484

Commits

81e9a6e Update 3 icon sets: Octicons, Simple Icons, VSCode Icons
5d7fcf8 Update 5 icon sets
See full diff in compare view

Updates @types/node from 25.9.1 to 25.9.3

Commits

See full diff in compare view

Updates @types/react from 19.2.16 to 19.2.17

Commits

See full diff in compare view

Updates happy-dom from 20.9.0 to 20.10.2

Release notes

Sourced from happy-dom's releases.

v20.10.2

👷‍♂️ Patch fixes

Updates external dependencies - By @capricorn86 in task #2163

v20.10.0

🎨 Features

Adds support for setting a canvas adapter for handling the canvas rendering using the browser setting canvasAdapter - By @RAprogramm and @capricorn86 in task #241

Adds new package @happy-dom/node-canvas-adapter - By @RAprogramm and @capricorn86 in task #241

@happy-dom/node-canvas-adapter is a pluggable canvas adapter for Happy DOM using node-canvas.

Adds support for loading image files when enabling the browser setting enableImageFileLoading - By @capricorn86 in task #241

Adds support for loading image data URLs - By @capricorn86 in task #241

Adds support for ImageData - By @capricorn86 in task #241

Adds support for ImageBitmap - By @capricorn86 in task #241

Adds support for Window.createImageBitmap() - By @capricorn86 in task #241

Commits

b334a12 fix: #2163 Updates external dependencies (#2188)
20f89aa fix: #2180 Try to fix publish workflow (#2181)
f08c3fa chore: #2177 Update happy-conventional-commit (#2179)
df504c0 chore: #2177 Update happy-conventional-commit (#2178)
c3db9e2 chore: #2174 Fix NPM cache issue (#2175)
5a50f8a chore: #2171 Fix canvas adapter peer dependency to happy-dom (#2173)
090183a chore: #2171 Fix canvas adapter peer dependency to happy-dom (#2172)
e5b81b1 feat: #241 Adds canvas adapter package (#2069)
cd6f87f fix: #0 Fix github release workflow (#2141)
See full diff in compare view

Updates shiki from 4.1.0 to 4.2.0

Release notes

Sourced from shiki's releases.

v4.2.0

   🚀 Features

Add @shikijs/stream and @shikijs/magic-move packages - by @antfu in shikijs/shiki#1283 (d031f)

   🐞 Bug Fixes

transformers: Handle YAML comment prefixes correctly for v3 - by @AkaHarshit in shikijs/shiki#1266 (f694a)

vitepress-twoslash: Scroll blocking on mobile viewports - by @micaiguai in shikijs/shiki#1262 (9e0e8)

    View changes on GitHub

Commits

1d56dae chore: release v4.2.0
See full diff in compare view

Updates vite-plugin-mkcert from 2.0.0 to 2.1.0

Release notes

Sourced from vite-plugin-mkcert's releases.

v2.1.0

2.1.0 (2026-06-03)

Features

Avoid shell execution for mkcert hosts (#124) (b7541de)

Changelog

Sourced from vite-plugin-mkcert's changelog.

2.1.0 (2026-06-03)

Features

Avoid shell execution for mkcert hosts (#124) (b7541de)

Commits

97c68a4 chore(release): 2.1.0 [skip ci]
ef6f49a chore: update
b7541de feat: Avoid shell execution for mkcert hosts (#124)
See full diff in compare view

vercel · 2026-06-16T16:09:33Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
mpp	Ready	Preview, Comment	Jun 19, 2026 2:10pm

socket-security · 2026-06-16T16:10:23Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	happy-dom@20.10.2
	shiki@4.2.0
	@types/react@19.2.17
	@types/node@25.9.3
	vocs@2.0.12
	vite-plugin-mkcert@2.1.0
	@iconify/json@2.2.484
	hono@4.12.25
	@stripe/stripe-js@9.8.0

View full report

Bumps the npm-deps group with 10 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@stripe/stripe-js](https://github.com/stripe/stripe-js) | `9.7.0` | `9.8.0` | | [hono](https://github.com/honojs/hono) | `4.12.23` | `4.12.25` | | [vocs](https://github.com/wevm/vocs) | `2.0.10` | `2.0.12` | | [waku](https://github.com/wakujs/waku/tree/HEAD/packages/waku) | `1.0.0-beta.1` | `1.0.0-beta.2` | | [@iconify/json](https://github.com/iconify/icon-sets) | `2.2.482` | `2.2.484` | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.9.1` | `25.9.3` | | [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.16` | `19.2.17` | | [happy-dom](https://github.com/capricorn86/happy-dom) | `20.9.0` | `20.10.2` | | [shiki](https://github.com/shikijs/shiki/tree/HEAD/packages/shiki) | `4.1.0` | `4.2.0` | | [vite-plugin-mkcert](https://github.com/liuweiGL/vite-plugin-mkcert) | `2.0.0` | `2.1.0` | Updates `@stripe/stripe-js` from 9.7.0 to 9.8.0 - [Release notes](https://github.com/stripe/stripe-js/releases) - [Commits](stripe/stripe-js@v9.7.0...v9.8.0) Updates `hono` from 4.12.23 to 4.12.25 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.23...v4.12.25) Updates `vocs` from 2.0.10 to 2.0.12 - [Release notes](https://github.com/wevm/vocs/releases) - [Changelog](https://github.com/wevm/vocs/blob/main/CHANGELOG.md) - [Commits](https://github.com/wevm/vocs/compare/vocs@2.0.10...vocs@2.0.12) Updates `waku` from 1.0.0-beta.1 to 1.0.0-beta.2 - [Release notes](https://github.com/wakujs/waku/releases) - [Changelog](https://github.com/wakujs/waku/blob/main/CHANGELOG.md) - [Commits](https://github.com/wakujs/waku/commits/v1.0.0-beta.2/packages/waku) Updates `@iconify/json` from 2.2.482 to 2.2.484 - [Commits](iconify/icon-sets@2.2.482...2.2.484) Updates `@types/node` from 25.9.1 to 25.9.3 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `@types/react` from 19.2.16 to 19.2.17 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `happy-dom` from 20.9.0 to 20.10.2 - [Release notes](https://github.com/capricorn86/happy-dom/releases) - [Commits](capricorn86/happy-dom@v20.9.0...v20.10.2) Updates `shiki` from 4.1.0 to 4.2.0 - [Release notes](https://github.com/shikijs/shiki/releases) - [Commits](https://github.com/shikijs/shiki/commits/v4.2.0/packages/shiki) Updates `vite-plugin-mkcert` from 2.0.0 to 2.1.0 - [Release notes](https://github.com/liuweiGL/vite-plugin-mkcert/releases) - [Changelog](https://github.com/liuweiGL/vite-plugin-mkcert/blob/main/CHANGELOG.md) - [Commits](liuweiGL/vite-plugin-mkcert@v2.0.0...v2.1.0) --- updated-dependencies: - dependency-name: "@iconify/json" dependency-version: 2.2.484 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-deps - dependency-name: "@stripe/stripe-js" dependency-version: 9.8.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-deps - dependency-name: "@types/node" dependency-version: 25.9.2 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-deps - dependency-name: "@types/react" dependency-version: 19.2.17 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-deps - dependency-name: happy-dom dependency-version: 20.10.2 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-deps - dependency-name: hono dependency-version: 4.12.25 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm-deps - dependency-name: shiki dependency-version: 4.2.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-deps - dependency-name: vite-plugin-mkcert dependency-version: 2.1.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-deps - dependency-name: vocs dependency-version: 2.0.12 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm-deps - dependency-name: waku dependency-version: 1.0.0-beta.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm-deps ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 16, 2026

github-actions Bot added the config label Jun 16, 2026

vercel Bot deployed to Preview June 16, 2026 16:10 View deployment

dependabot Bot changed the title ~~chore(deps): bump the npm-deps group with 10 updates~~ chore(deps): bump the npm-deps group across 1 directory with 10 updates Jun 17, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-deps-066cf19222 branch from 9a749cb to fd22f85 Compare June 17, 2026 14:16

vercel Bot deployed to Preview June 17, 2026 14:17 View deployment

dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-deps-066cf19222 branch from fd22f85 to 7379813 Compare June 17, 2026 23:19

vercel Bot deployed to Preview June 17, 2026 23:20 View deployment

fix: pin waku to 1.0.0-beta.1 (beta.2 breaks vocs build)

f3ab916

vercel Bot deployed to Preview June 19, 2026 14:10 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm-deps group across 1 directory with 10 updates#705

chore(deps): bump the npm-deps group across 1 directory with 10 updates#705
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/npm_and_yarn/npm-deps-066cf19222

dependabot Bot commented on behalf of github Jun 16, 2026 •

edited

Loading

Uh oh!

vercel Bot commented Jun 16, 2026 •

edited

Loading

Uh oh!

socket-security Bot commented Jun 16, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Before (`waku/server`)	After (`waku/router/server`)
`unstable_getContext()` returning `{ req, nonce, data }`	`unstable_getRequest()` returning `Request`
`unstable_getHeaders()`	`unstable_getHeaders()` (moved module)
`unstable_getContextData()`	removed, bring your own `AsyncLocalStorage`
`context.nonce = ...`	`unstable_setNonce(nonce)`

Conversation

dependabot Bot commented on behalf of github Jun 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v9.8.0

Changed

v4.12.25

Security fixes

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Path traversal in serve-static on Windows via encoded backslash (%5C)

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

v4.12.24

What's Changed

vocs@2.0.12

Patch Changes

vocs@2.0.11

Patch Changes

2.0.12

Patch Changes

2.0.11

Patch Changes

v1.0.0-beta.2

What's Changed

v20.10.2

👷‍♂️ Patch fixes

v20.10.0

🎨 Features

v4.2.0

🚀 Features

🐞 Bug Fixes

View changes on GitHub

v2.1.0

2.1.0 (2026-06-03)

Features

2.1.0 (2026-06-03)

Features

Uh oh!

vercel Bot commented Jun 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security Bot commented Jun 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dependabot Bot commented on behalf of github Jun 16, 2026 •

edited

Loading

CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)

AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice

vercel Bot commented Jun 16, 2026 •

edited

Loading

socket-security Bot commented Jun 16, 2026 •

edited

Loading