fix(deps): Bump transitive deps for medium security fixes#20683

Open
chargome wants to merge 2 commits into develop from fix/dependabot-medium-alerts-v2
Conversation

Member

@chargome chargome commented May 5, 2026

Summary

  • postcss 8.5.6 → 8.5.14 (XSS via unescaped </style>)
  • picomatch 2.3.1 → 2.3.2 (method injection in POSIX character classes)
  • yaml 1.10.2 → 1.10.3 (stack overflow via deeply nested collections)
  • @hono/node-server 1.19.10 → 1.19.13 (middleware bypass via repeated slashes)
  • Fixes Dependabot alerts 1431, 1253, 1249, 1348

🤖 Generated with Claude Code
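A check a reviewer would want alongside a bump like this is confirmation that no nested, transitive copy of the affected packages is still resolved below the fixed version. The script below is an added example, not code from the PR or the Sentry project: it scans an npm `package-lock.json` (lockfileVersion 2/3 `packages` map, where transitive copies sit at paths like `node_modules/a/node_modules/postcss`) against the minimum versions listed in the summary above, using a small semver comparison. The lockfile shown is a constructed sample, and the repository's real lockfile format is an assumption.

```javascript
// Added example (not part of the PR): verify that every resolved copy of a
// package in an npm package-lock (lockfileVersion 2/3 "packages" map) meets a
// minimum version. Transitive copies live at paths such as
// "node_modules/a/node_modules/postcss", so nested entries are checked too.

// Minimum versions taken from the PR summary above.
const MINIMUM_VERSIONS = {
  postcss: '8.5.14',
  picomatch: '2.3.2',
  yaml: '1.10.3',
  '@hono/node-server': '1.19.13',
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A release sorts after a prerelease of the same core (1.0.0-rc.1 < 1.0.0).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Package name from a lockfile path: everything after the last
// "node_modules/" segment, which keeps scoped names like "@hono/node-server".
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Return every lockfile entry resolved below its required minimum version.
function findOutdated(lock, minimums = MINIMUM_VERSIONS) {
  const outdated = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !(name in minimums) || !entry.version) continue;
    if (compareVersions(entry.version, minimums[name]) < 0) {
      outdated.push({ path: lockPath, name, version: entry.version, required: minimums[name] });
    }
  }
  return outdated;
}

// Constructed sample lockfile: one nested postcss copy and the hono server
// entry are still on the pre-fix versions, everything else is current.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '0.0.0' },
    'node_modules/postcss': { version: '8.5.14' },
    'node_modules/some-tool/node_modules/postcss': { version: '8.5.6' },
    'node_modules/picomatch': { version: '2.3.2' },
    'node_modules/yaml': { version: '1.10.3' },
    'node_modules/@hono/node-server': { version: '1.19.10' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

// Running this on the sample reports the two stale entries.
for (const hit of findOutdated(SAMPLE_LOCK)) {
  console.log(`${hit.path}: ${hit.version} < required ${hit.required}`);
}
```

To run it against a real tree, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and fail the CI job when `findOutdated` returns a non-empty list; a bump at the top level alone does not prove a nested copy was also moved.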

@chargome chargome self-assigned this May 5, 2026
Contributor

github-actions Bot commented May 5, 2026

size-limit report 📦

| Path | Size | % Change | Change |
|---|---|---|---|
| @sentry/browser | 26.3 kB | - | - |
| @sentry/browser - with treeshaking flags | 24.78 kB | - | - |
| @sentry/browser (incl. Tracing) | 44.17 kB | - | - |
| @sentry/browser (incl. Tracing + Span Streaming) | 46.39 kB | - | - |
| @sentry/browser (incl. Tracing, Profiling) | 49.14 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) | 83.55 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 73.01 kB | - | - |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 88.23 kB | - | - |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 100.84 kB | - | - |
| @sentry/browser (incl. Feedback) | 43.44 kB | - | - |
| @sentry/browser (incl. sendFeedback) | 31.11 kB | - | - |
| @sentry/browser (incl. FeedbackAsync) | 36.19 kB | - | - |
| @sentry/browser (incl. Metrics) | 27.6 kB | - | - |
| @sentry/browser (incl. Logs) | 27.73 kB | - | - |
| @sentry/browser (incl. Metrics & Logs) | 28.43 kB | - | - |
| @sentry/react | 28.04 kB | - | - |
| @sentry/react (incl. Tracing) | 46.4 kB | - | - |
| @sentry/vue | 31.18 kB | - | - |
| @sentry/vue (incl. Tracing) | 46.02 kB | - | - |
| @sentry/svelte | 26.32 kB | - | - |
| CDN Bundle | 28.91 kB | - | - |
| CDN Bundle (incl. Tracing) | 46.94 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) | 30.34 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 48.04 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) | 69.4 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) | 84.07 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 85.15 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 89.89 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 90.97 kB | - | - |
| CDN Bundle - uncompressed | 84.88 kB | - | - |
| CDN Bundle (incl. Tracing) - uncompressed | 140.44 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 89.08 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 143.9 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 212.99 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 258.24 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed | 261.69 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 271.94 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed | 275.38 kB | - | - |
| @sentry/nextjs (client) | 48.9 kB | - | - |
| @sentry/sveltekit (client) | 44.64 kB | - | - |
| @sentry/node-core | 59.81 kB | +0.02% | +10 B 🔺 |
| @sentry/node | 163.43 kB | +0.01% | +8 B 🔺 |
| @sentry/node - without tracing | 72.28 kB | +0.02% | +9 B 🔺 |
| @sentry/aws-serverless | 106.95 kB | +0.01% | +7 B 🔺 |
| @sentry/cloudflare (withSentry) - minified | 168.38 kB | - | - |
| @sentry/cloudflare (withSentry) | 424.9 kB | - | - |

chargome and others added 2 commits May 6, 2026 10:35
…ecurity fixes

- postcss 8.5.6 → 8.5.14 (fixes XSS via unescaped </style>)
- picomatch 2.3.1 → 2.3.2 (fixes method injection in POSIX classes)
- yaml 1.10.2 → 1.10.3 (fixes stack overflow via deep collections)
- @hono/node-server 1.19.10 → 1.19.13 (fixes middleware bypass)

Fixes Dependabot alerts 1431, 1253, 1249, 1348.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@chargome chargome force-pushed the fix/dependabot-medium-alerts-v2 branch from 1219550 to 228dea2 Compare May 6, 2026 08:39
@chargome chargome marked this pull request as ready for review May 6, 2026 09:29
@chargome chargome enabled auto-merge (squash) May 6, 2026 09:29