chore(deps): bump the npm_and_yarn group across 3 directories with 5 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the / directory: vite.
Bumps the npm_and_yarn group with 1 update in the /docs directory: nuxt.
Bumps the npm_and_yarn group with 1 update in the /packages/client directory: vite.

Updates vite from 2.9.17 to 4.5.11

Release notes

Sourced from vite's releases.

v4.5.11

Please refer to CHANGELOG.md for details.

v4.5.10

Please refer to CHANGELOG.md for details.

v4.5.9

Please refer to CHANGELOG.md for details.

v4.5.8

Please refer to CHANGELOG.md for details.

v4.5.7

Please refer to CHANGELOG.md for details.

v4.5.6

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

v4.5.5

Please refer to CHANGELOG.md for details.

v4.5.4

Please refer to CHANGELOG.md for details.

v3.2.11

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

4.5.11 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19763) (26e1764), closes #19761 #19763

4.5.10 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19704) (315695e), closes #19702 #19704

4.5.9 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (0bc52e0), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (8f63cd6), closes #19249

4.5.8 (2025-01-20)

• fix: try parse server.origin URL (#19241) (3680bad), closes #19241

4.5.7 (2025-01-20)

• fix: crypto.getRandomValues is not available in old Node versions (#19237) (f4d3c46), closes #19237

4.5.6 (2025-01-20)

• fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (ef1049d)
• fix!: default server.cors: false to disallow fetching from untrusted origins (07b36d5)
• fix: verify token for HMR WebSocket connection (c065a77)

4.5.5 (2024-09-16)

4.5.4 (2024-09-16)

• fix: avoid DOM Clobbering gadget in getRelativeUrlFromDocument (#18115) (e812716), closes #18115
• fix: backport #18112, fs raw query (b901438), closes #18112

... (truncated)

Commits

• 07ddc3e release: v4.5.11
• 26e1764 fix: backport #19761, fs check in transform middleware (#19763)
• 86e7a6b release: v4.5.10
• 315695e fix: backport #19702, fs raw query with query separators (#19704)
• edad4d2 release: v4.5.9
• 8f63cd6 fix: allow CORS from loopback addresses by default (#19249)
• 0bc52e0 fix: preview.allowedHosts with specific values was not respected (#19246)
• 947f0c1 release: v4.5.8
• 3680bad fix: try parse server.origin URL (#19241)
• fe86acb release: v4.5.7
• Additional commits viewable in compare view

Updates esbuild from 0.14.54 to 0.18.20

Release notes

Sourced from esbuild's releases.

v0.18.20

• Support advanced CSS @import rules (#953, #3137)

  CSS @import statements have been extended to allow additional trailing tokens after the import path. These tokens sort of make the imported file behave as if it were wrapped in a @layer, @supports, and/or @media rule. Here are some examples:

  @import url(foo.css);
  @import url(foo.css) layer;
  @import url(foo.css) layer(bar);
  @import url(foo.css) layer(bar) supports(display: flex);
  @import url(foo.css) layer(bar) supports(display: flex) print;
  @import url(foo.css) layer(bar) print;
  @import url(foo.css) supports(display: flex);
  @import url(foo.css) supports(display: flex) print;
  @import url(foo.css) print;

  You can read more about this advanced syntax here. With this release, esbuild will now bundle @import rules with these trailing tokens and will wrap the imported files in the corresponding rules. Note that this now means a given imported file can potentially appear in multiple places in the bundle. However, esbuild will still only load it once (e.g. on-load plugins will only run once per file, not once per import).

v0.18.19

• Implement composes from CSS modules (#20)

  This release implements the composes annotation from the CSS modules specification. It provides a way for class selectors to reference other class selectors (assuming you are using the local-css loader). And with the from syntax, this can even work with local names across CSS files. For example:

  // app.js
  import { submit } from './style.css'
  const div = document.createElement('div')
  div.className = submit
  document.body.appendChild(div)

  /* style.css */
  .button {
    composes: pulse from "anim.css";
    display: inline-block;
  }
  .submit {
    composes: button;
    font-weight: bold;
  }

  /* anim.css */
  @keyframes pulse {
    from, to { opacity: 1 }
    50% { opacity: 0.5 }
  }

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2022

This changelog documents all esbuild versions published in the year 2022 (versions 0.14.11 through 0.16.12).

0.16.12

• Loader defaults to js for extensionless files (#2776)

  Certain packages contain files without an extension. For example, the yargs package contains the file yargs/yargs which has no extension. Node, Webpack, and Parcel can all understand code that imports yargs/yargs because they assume that the file is JavaScript. However, esbuild was previously unable to understand this code because it relies on the file extension to tell it how to interpret the file. With this release, esbuild will now assume files without an extension are JavaScript files. This can be customized by setting the loader for "" (the empty string, representing files without an extension) to another loader. For example, if you want files without an extension to be treated as CSS instead, you can do that like this:

  • CLI:

    esbuild --bundle --loader:=css
    

  • JS:

    esbuild.build({
      bundle: true,
      loader: { '': 'css' },
    })

  • Go:

    api.Build(api.BuildOptions{
      Bundle: true,
      Loader: map[string]api.Loader{"": api.LoaderCSS},
    })

  In addition, the "type" field in package.json files now only applies to files with an explicit .js, .jsx, .ts, or .tsx extension. Previously it was incorrectly applied by esbuild to all files that had an extension other than .mjs, .mts, .cjs, or .cts including extensionless files. So for example an extensionless file in a "type": "module" package is now treated as CommonJS instead of ESM.

0.16.11

• Avoid a syntax error in the presence of direct eval (#2761)

  The behavior of nested function declarations in JavaScript depends on whether the code is run in strict mode or not. It would be problematic if esbuild preserved nested function declarations in its output because then the behavior would depend on whether the output was run in strict mode or not instead of respecting the strict mode behavior of the original source code. To avoid this, esbuild transforms nested function declarations to preserve the intended behavior of the original source code regardless of whether the output is run in strict mode or not:

  // Original code
  if (true) {
    function foo() {}
    console.log(!!foo)
    foo = null
    console.log(!!foo)
  }

... (truncated)

Commits

• 22f0818 publish 0.18.20 to npm
• 89b98d9 css: test coverage for some external test cases
• 4bb897f fix #953, fix #3137: advanced css @import syntax
• 6892b1b css: change ast format for @import conditions
• d770d53 remove unnecessary file slice.go
• 0e5b5fb add test-e2e-yarn
• e08ee89 publish 0.18.19 to npm
• d2bc26c css: attempt to warn about undefined composes
• a0910fd fix #20: implement composes from css modules
• a470f0a css: a basic implementation of local composes
• Additional commits viewable in compare view

Updates nanoid from 3.3.8 to 3.3.11

Release notes

Sourced from nanoid's releases.

3.1.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

Changelog

Sourced from nanoid's changelog.

3.3.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

Commits

• 37289ce Release 3.3.11 version
• 23690b7 Fix CI
• c147962 Fix RN support
• a83734e Move to manually ESM/CJS dual package
• bb12e8a Release 3.3.10 version
• 8f44264 Fix Expo support
• adf9b0c Release 3.3.9 version
• 1c6f088 Remove dev file from npm package
• See full diff in compare view

Updates rollup from 2.77.3 to 3.29.5

Release notes

Sourced from rollup's releases.

v3.29.5

3.29.5

2024-09-21

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

• #5671: Fix DOM Clobbering CVE (@​lukastaegert)

v.2.79.2

2.79.2

2024-09-26

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

• #5671: Fix DOM Clobbering CVE (@​lukastaegert)

Changelog

Sourced from rollup's changelog.

3.29.5

2024-09-21

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

• #5671: Fix DOM Clobbering CVE (@​lukastaegert)

4.22.4

2024-09-21

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

• #5670: refactor: Use object.prototype to check for reserved properties (@​YuHyeonWook)
• #5671: Fix DOM Clobbering CVE (@​lukastaegert)

4.22.3

2024-09-21

Bug Fixes

• Ensure that mutations in modules without side effects are observed while properly handling transitive dependencies (#5669)

Pull Requests

• #5669: Ensure impure dependencies of pure modules are added (@​lukastaegert)

4.22.2

2024-09-20

Bug Fixes

• Revert fix for side effect free modules until other issues are investigated (#5667)

Pull Requests

• #5667: Partially revert #5658 and re-apply #5644 (@​lukastaegert)

4.22.1

... (truncated)

Commits

• dfd233d 3.29.5
• 2ef77c0 Fix DOM Clobbering CVE
• a6448b9 3.29.4
• 4e92d60 Deoptimize all parameters when losing track of a function (#5158)
• 801ffd1 3.29.3
• 353e462 Fully deoptimize first level path when deoptimizing nested parameter paths (#...
• a1a89e7 chore(deps): update dependency @​vue/eslint-config-typescript to v12 (#5148)
• cc14f70 chore(deps): lock file maintenance minor/patch updates (#5149)
• 1e8355b docs: improve the docs repl appearance in the light mode (#5145)
• 5950fc8 Adapt branches in REPL workflow
• Additional commits viewable in compare view

Updates nuxt from 3.12.3 to 3.16.0

Release notes

Sourced from nuxt's releases.

v3.16.0

👀 Highlights

There's a lot in this one!

⚡️ A New New Nuxt

Say hello to create-nuxt, a new tool for starting Nuxt projects (big thanks to @​devgar for donating the package name)!

It's a streamlined version of nuxi init - just a sixth of the size and bundled as a single file with all dependencies inlined, to get you going as fast as possible.

Starting a new project is as simple as:

npm create nuxt

Special thanks to @​cmang for the beautiful ASCII-art. ❤️

Want to learn more about where we're headed with the Nuxt CLI? Check out our roadmap here, including our plans for an interactive modules selector.

🚀 Unhead v2

We've upgraded to unhead v2, the engine behind Nuxt's <head> management. This major version removes deprecations and improves how context works:

• For Nuxt 3 users, we're shipping a legacy compatibility build so nothing breaks
• The context implementation is now more direct via Nuxt itself

// Nuxt now re-exports composables while properly resolving the context
export function useHead(input, options = {}) {
  const unhead = injectHead(options.nuxt)
  return head(input, { head: unhead, ...options })
}

If you're using Unhead directly in your app, keep in mind:

1. Import from Nuxt's auto-imports or #app/composables/head instead of @unhead/vue
2. Importing directly from @unhead/vue might lose async context

Don't worry though - we've maintained backward compatibility in Nuxt 3, so most users won't need to change anything!

If you've opted into compatibilityVersion: 4, check out our upgrade guide for additional changes.

🔧 Devtools v2 Upgrade

Nuxt Devtools has leveled up to v2 (#30889)!

... (truncated)

Commits

• 7a37a98 v3.16.0
• 0d13fe9 chore(deps): update all non-major dependencies (3.x) (#31264)
• 2476cab fix(nuxt): strip query in x-nitro-prerender header
• 2c68c92 chore(deps): update all non-major dependencies (3.x) (#31240)
• bf454cb fix(nuxt): pass useFetch function name on server for warning (#31213)
• b29c0e8 chore: ignore nitro/renderer templates
• 7c427df fix(nuxt): fall back to wasm if oxc native bindings are missing (#31190)
• 0ebaa51 fix(nuxt): apply ignore rules to nitro devStorage (#31233)
• 2f833f4 fix(nuxt): preserve query/hash when calling navigateTo with replace (#31244)
• 3cd4384 fix(nuxt): ensure head components are reactive (#31248)
• Additional commits viewable in compare view

Updates vite from 2.9.17 to 4.5.11

Release notes

Sourced from vite's releases.

v4.5.11

Please refer to CHANGELOG.md for details.

v4.5.10

Please refer to CHANGELOG.md for details.

v4.5.9

Please refer to CHANGELOG.md for details.

v4.5.8

Please refer to CHANGELOG.md for details.

v4.5.7

Please refer to CHANGELOG.md for details.

v4.5.6

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

v4.5.5

Please refer to CHANGELOG.md for details.

v4.5.4

Please refer to CHANGELOG.md for details.

v3.2.11

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

4.5.11 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19763) (26e1764), closes #19761 #19763

4.5.10 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19704) (315695e), closes #19702 #19704

4.5.9 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (0bc52e0), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (8f63cd6), closes #19249

4.5.8 (2025-01-20)

• fix: try parse server.origin URL (#19241) (3680bad), closes #19241

4.5.7 (2025-01-20)

• fix: crypto.getRandomValues is not available in old Node versions (#19237) (f4d3c46), closes #19237

4.5.6 (2025-01-20)

• fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (ef1049d)
• fix!: default server.cors: false to disallow fetching from untrusted origins (07b36d5)
• fix: verify token for HMR WebSocket connection (c065a77)

4.5.5 (2024-09-16)

4.5.4 (2024-09-16)

• fix: avoid DOM Clobbering gadget in getRelativeUrlFromDocument (#18115) (e812716), closes #18115
• fix: backport #18112, fs raw query (b901438), closes #18112

... (truncated)

Commits

• 07ddc3e release: v4.5.11
• 26e1764 fix: backport #19761, fs check in transform middleware (#19763)
• 86e7a6b release: v4.5.10
• 315695e fix: backport #19702, fs raw query with query separators (#19704)
• edad4d2 release: v4.5.9
• 8f63cd6 fix: allow CORS from loopback addresses by default (#19249)
• 0bc52e0 fix: preview.allowedHosts with specific values was not respected (#19246)
• 947f0c1 release: v4.5.8
• 3680bad fix: try parse server.origin URL (#19241)
• fe86acb release: v4.5.7
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[netlify]

✅ Deploy Preview for unlighthouse-crux-api canceled.

Name	Link
🔨 Latest commit	6e910c2
🔍 Latest deploy log	https://app.netlify.com/sites/unlighthouse-crux-api/deploys/67ec07128ecb33000825ef3f