Skip to content

Bump the npm_and_yarn group across 11 directories with 8 updates#3212

Open
dependabot[bot] wants to merge 1 commit intocanaryfrom
dependabot/npm_and_yarn/npm_and_yarn-2f8cbfd548
Open

Bump the npm_and_yarn group across 11 directories with 8 updates#3212
dependabot[bot] wants to merge 1 commit intocanaryfrom
dependabot/npm_and_yarn/npm_and_yarn-2f8cbfd548

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 5, 2026

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package From To
pnpm 9.12.0 10.28.2
webpack 5.99.9 5.104.1
next 15.2.7 15.5.10
axios 1.10.0 1.13.5
tar 7.4.3 7.5.10

Bumps the npm_and_yarn group with 2 updates in the /beps/infrastructure directory: diff and minimatch.
Bumps the npm_and_yarn group with 1 update in the /examples/internal/_template/typescript-demo directory: next.
Bumps the npm_and_yarn group with 1 update in the /integ-tests/react directory: next.
Bumps the npm_and_yarn group with 3 updates in the /typescript/apps/beps directory: next, ajv and minimatch.
Bumps the npm_and_yarn group with 1 update in the /typescript/apps/fiddle-web-app directory: next.
Bumps the npm_and_yarn group with 1 update in the /typescript/apps/sage-backend directory: next.
Bumps the npm_and_yarn group with 2 updates in the /typescript/apps/vscode-ext directory: axios and tar.
Bumps the npm_and_yarn group with 1 update in the /typescript/packages/nextjs-plugin directory: next.
Bumps the npm_and_yarn group with 1 update in the /typescript/packages/ui directory: next.
Bumps the npm_and_yarn group with 1 update in the /typescript2/app-promptfiddle directory: next.

Updates pnpm from 9.12.0 to 10.28.2

Release notes

Sourced from pnpm's releases.

pnpm 10.28.2

Patch Changes

  • Security fix: prevent path traversal in directories.bin field.

  • When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

    This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

    Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

  • Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #9950.

Platinum Sponsors

Gold Sponsors

... (truncated)

Changelog

Sourced from pnpm's changelog.

10.28.2

Patch Changes

  • Security fix: prevent path traversal in directories.bin field.

  • When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

    This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

    Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

  • Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #9950.

10.28.1

Patch Changes

  • Fixed installation of config dependencies from private registries.

    Added support for object type in configDependencies when the tarball URL returned from package metadata differs from the computed URL #10431.

  • Fix path traversal vulnerability in binary fetcher ZIP extraction

    • Validate ZIP entry paths before extraction to prevent writing files outside target directory
    • Validate BinaryResolution.prefix (basename) to prevent directory escape via crafted prefix
    • Both attack vectors now throw ERR_PNPM_PATH_TRAVERSAL error

  • Support plain http:// and https:// URLs ending with .git as git repository dependencies.

    Previously, URLs like https://gitea.example.org/user/repo.git#commit were not recognized as git repositories because they lacked the git+ prefix (e.g., git+https://). This caused issues when installing dependencies from self-hosted git servers like Gitea or Forgejo that don't provide tarball downloads.

    Changes:

    • The git resolver now runs before the tarball resolver, ensuring git URLs are handled by the correct resolver
    • The git resolver now recognizes plain http:// and https:// URLs ending in .git as git repositories
    • Removed the isRepository check from the tarball resolver since it's no longer needed with the new resolver order

    Fixes #10468

  • pnpm run -r and pnpm run --filter now fail with a non-zero exit code when no packages have the specified script. Previously, this only failed when all packages were selected. Use --if-present to suppress this error #6844.

  • Fixed a path traversal vulnerability in tarball extraction on Windows. The path normalization was only checking for ./ but not .\. Since backslashes are directory separators on Windows, malicious packages could use paths like foo\..\..\.npmrc to write files outside the package directory.

  • When running "pnpm exec" from a subdirectory of a project, don't change the current working directory to the root of the project #5759.

  • Fixed a path traversal vulnerability in pnpm's bin linking. Bin names starting with @ bypassed validation, and after scope normalization, path traversal sequences like ../../ remained intact.

  • Revert Try to avoid making network calls with preferOffline #10334.

  • Fix --save-peer to write valid semver ranges to peerDependencies for protocol-based installs (e.g. jsr:) by deriving from resolved versions when available and falling back to * if none is available #10417.

  • Do not exclude the root workspace project, when it is explicitly selected via a filter #10465.

10.28.0

Minor Changes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for pnpm since your current version.


Updates webpack from 5.99.9 to 5.104.1

Release notes

Sourced from webpack's releases.

v5.104.1

5.104.1

Patch Changes

  • 2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.
  • c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

v5.104.0

5.104.0

Minor Changes

  • d3dd841: Use method shorthand to render module content in __webpack_modules__ object.
  • d3dd841: Enhance import.meta.env to support object access.
  • 4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.
  • 04cd530: Handle more at-rules for CSS modules.
  • cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.
  • d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.
  • 5983843: Provide a stable runtime function variable __webpack_global__.
  • d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

  • 22c48fb: Added module existence check for informative error message in development mode.
  • 50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.
  • d3dd841: Support universal lazy compilation.
  • d3dd841: Fixed module library export definitions when multiple runtimes.
  • d3dd841: Fixed CSS nesting and CSS custom properties parsing.
  • d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.
  • aab1da9: Fixed bugs for css/global type.
  • d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.
  • d3dd841: Handle nested __webpack_require__.
  • 728ddb7: The speed of identifier parsing has been improved.
  • 0f8b31b: Improve types.
  • d3dd841: Don't corrupt debugId injection when hidden-source-map is used.
  • 2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.
  • d3dd841: Serialize HookWebpackError.
  • d3dd841: Added ability to use built-in properties in dotenv and define plugin.
  • 3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.
  • d3dd841: Reduce collision for local indent name in CSS.
  • d3dd841: Remove CSS link tags when CSS imports are removed.

v5.103.0

Features

  • Added DotenvPlugin and top level dotenv option to enable this plugin
  • Added WebpackManifestPlugin
  • Added support the ignoreList option in devtool plugins
  • Allow to use custom javascript parse function

... (truncated)

Changelog

Sourced from webpack's changelog.

5.104.1

Patch Changes

  • 2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.
  • c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

5.104.0

Minor Changes

  • d3dd841: Use method shorthand to render module content in __webpack_modules__ object.
  • d3dd841: Enhance import.meta.env to support object access.
  • 4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.
  • 04cd530: Handle more at-rules for CSS modules.
  • cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.
  • d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.
  • 5983843: Provide a stable runtime function variable __webpack_global__.
  • d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

  • 22c48fb: Added module existence check for informative error message in development mode.
  • 50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.
  • d3dd841: Support universal lazy compilation.
  • d3dd841: Fixed module library export definitions when multiple runtimes.
  • d3dd841: Fixed CSS nesting and CSS custom properties parsing.
  • d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.
  • aab1da9: Fixed bugs for css/global type.
  • d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.
  • d3dd841: Handle nested __webpack_require__.
  • 728ddb7: The speed of identifier parsing has been improved.
  • 0f8b31b: Improve types.
  • d3dd841: Don't corrupt debugId injection when hidden-source-map is used.
  • 2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.
  • d3dd841: Serialize HookWebpackError.
  • d3dd841: Added ability to use built-in properties in dotenv and define plugin.
  • 3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.
  • d3dd841: Reduce collision for local indent name in CSS.
  • d3dd841: Remove CSS link tags when CSS imports are removed.
Commits
  • 24e3c2d chore(release): new release (#20253)
  • 2efd21b fix(re-exports): reexports runtime calculation should not accessing `__WEBPAC...
  • c510070 fix(security): userinfo bypass vulnerability in HttpUriPlugin allowedUris
  • 4b0501c ci: fix release (#20252)
  • 0c213ce ci: use \<@&1450591255485743204> over @here for discord notificationw
  • 5bf8bc5 refactor: types for benchmarks and tests
  • 505a5e7 chore(release): new release (#20188)
  • 0c06680 refactor: update eslint configuration
  • 2eb0d6a ci: release announcement (#20238)
  • b2b2459 ci: cancel in progress (#20239)
  • Additional commits viewable in compare view

Updates next from 15.2.7 to 15.5.10

Release notes

Sourced from next's releases.

v15.5.10

Please refer the following changelogs for more information about this security release:

v15.4.11

Please see this changelog for more information about this security patch.

v15.3.9

Please see this changelog for more information about this security patch.

v15.2.9

Please see this changelog for more information about this security patch.

Commits

Updates axios from 1.10.0 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

  • Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
  • Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

  • Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

  • Fix/5657. (PR #7313)
  • Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

  • Add input validation to isAbsoluteURL. (PR #7326)
  • Refactor: bump minor package versions. (PR #7356)

Documentation

  • Clarify object-check comment. (PR #7323)
  • Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

  • Chore: fix issues with YAML. (PR #7355)
  • CI: update workflow YAMLs. (PR #7372)
  • CI: fix run condition. (PR #7373)
  • Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
  • Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

  • fix: issues with version 1.13.3 (#7352) (ee90dfc)
    • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

  • http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
  • interceptor: handle the error in the same interceptor (#6269) (5945e40)
  • main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
  • package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
  • silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
  • turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
  • types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
  • types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
  • unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

Reverts

  • Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
  • deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

... (truncated)

Commits
  • 29f7542 chore(release): prepare release 1.13.5 (#7379)
  • 431c3a3 ci: fix run condition (#7373)
  • 9ff3a78 ci: update ymls (#7372)
  • 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
  • 475e75a feat: add input validation to isAbsoluteURL (#7326)
  • 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
  • 04cf019 docs: clarify object check comment (#7323)
  • 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
  • 569f028 fix: added a option to choose between legacy and the new request/response int...
  • 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.


Updates tar from 7.4.3 to 7.5.10

Changelog

Sourced from tar's changelog.

Changelog

7.5

  • Added zstd compression support.
  • Consistent TOCTOU behavior in sync t.list
  • Only read from ustar block if not specified in Pax
  • Fix sync tar.list when file size reduces while reading
  • Sanitize absolute linkpaths properly
  • Prevent writing hardlink entries to the archive ahead of their file target

7.4

  • Deprecate onentry in favor of onReadEntry for clarity.

7.3

  • Add onWriteEntry option

7.2

  • DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

  • Update minipass to v7.1.0
  • Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

  • Drop support for node <18
  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits
  • 2b72abc 7.5.10
  • 7bc755d parse root off paths before sanitizing .. parts
  • c8cb846 update deps
  • 1f0c2c9 7.5.9
  • fbb0851 build minified version as default export
  • 6b8eba0 7.5.8
  • 2cb1120 fix(unpack): improve UnpackSync symlink error "into" path accuracy
  • d18e4e1 fix: do not write linkpaths through symlinks
  • 4a37eb9 7.5.7
  • f4a7aa9 fix: properly sanitize hard links containing ..
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates diff from 4.0.2 to 4.0.4

Changelog

Sourced from diff's changelog.

v4.0.4 - January 2026

Only change from 4.0.2 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v4.0.3 (deprecated)

Accidental release - do not use.

Commits
Maintainer changes

This version was pushed to npm by explodingcabbage, a new releaser for diff since your current version.


Removes minimatch

Updates next from 16.0.9 to 16.1.5

Release notes

Sourced from next's releases.

v15.5.10

Please refer the following changelogs for more information about this security release:

v15.4.11

Please see this changelog for more information about this security patch.

v15.3.9

Please see this changelog for more information about this security patch.

v15.2.9

Please see this changelog for more information about this security patch.

Commits

Updates next from 15.2.7 to 15.5.10

Release notes

Sourced from next's releases.

v15.5.10

Please refer the following changelogs for more information about this security release:

v15.4.11

Please see this changelog for more information about this security patch.

v15.3.9

Please see this changelog for more information about this security patch.

v15.2.9

Please see this changelog for more information about this security patch.

Commits

Updates next from 15.5.9 to 15.5.10

Release notes

Sourced from next's releases.

v15.5.10

Please refer the following changelogs for more information about this security release:

v15.4.11

Please see this changelog for more information about this security patch.

v15.3.9

Please see this changelog for more information about this security patch.

v15.2.9

Please see this changelog for more information about this security patch.

Commits

Updates ajv from 6.12.6 to 6.14.0

Commits

Updates minimatch from 3.1.2 to 3.1.5

Changelog

Sourced from minimatch's changelog.

change log

10.2

  • Add braceExpandMax option

10.1

  • Add magicalBraces option for escape
  • Fix makeRe when partial: true is set.
  • Fix makeRe when pattern ends in a final ** path part.

10.0

  • Require node 20 or 22 and higher

9.0

  • No default export, only named exports.

8.0

  • Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
  • Bump required Node.js version

7.4

  • Add escape() method
  • Add unescape() method
  • Add Minimatch.hasMagic() method

7.3

  • Add support for posix character classes in a unicode-aware way.

7.2

  • Add windowsNoMagicRoot option

7.1

  • Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

Updates minimatch from 9.0.5 to 9.0.9

Changelog

Sourced from minimatch's changelog.

change log

10.2

  • Add braceExpandMax option

10.1

  • Add magicalBraces option for escape
  • Fix makeRe when partial: true is set.
  • Fix makeRe when pattern ends in a final ** path part.

10.0

  • Require node 20 or 22 and higher

9.0

  • No default export, only named exports.

8.0

  • Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
  • Bump required Node.js version

7.4

  • Add escape() method
  • Add unescape() method
  • Add Minimatch.hasMagic() method

7.3

  • Add support for posix character classes in a unicode-aware way.

7.2

  • Add windowsNoMagicRoot option

7.1

  • Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

Updates next from 15.4.9 to 15.5.10

Release notes

Sourced from next's releases.

v15.5.10

Please refer the following changelogs for more information about this security release:

v15.4.11

Please see this changelog for more information about this security patch.

v15.3.9

Please see this changelog for more information about this security patch.

v15.2.9

Please see this changelog for more information about this security patch.

Commits

Updates next from 15.4.9 to 15.5.10

Release notes

Sourced from next's releases.

v15.5.10

Please refer the following changelogs for more information about this security release:

v15.4.11

Please see this changelog for more information about this security patch.

v15.3.9

Please see this changelog for more information about this security patch.

v15.2.9

Please see this changelog for more information about this security patch.

Commits
  • 60a2aa9 v15.5.10
  • e5b834d fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
  • 39a2f6a feat(next/image)!: add images.maximumResponseBody config (<...

    Description has been truncated

@dependabot
Bump the npm_and_yarn group across 11 directories with 8 updates
9d37a34 
Bumps the npm_and_yarn group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [pnpm](https://github.com/pnpm/pnpm/tree/HEAD/pnpm) | `9.12.0` | `10.28.2` |
| [webpack](https://github.com/webpack/webpack) | `5.99.9` | `5.104.1` |
| [next](https://github.com/vercel/next.js) | `15.2.7` | `15.5.10` |
| [axios](https://github.com/axios/axios) | `1.10.0` | `1.13.5` |
| [tar](https://github.com/isaacs/node-tar) | `7.4.3` | `7.5.10` |

Bumps the npm_and_yarn group with 2 updates in the /beps/infrastructure directory: [diff](https://github.com/kpdecker/jsdiff) and [minimatch](https://github.com/isaacs/minimatch).
Bumps the npm_and_yarn group with 1 update in the /examples/internal/_template/typescript-demo directory: [next](https://github.com/vercel/next.js).
Bumps the npm_and_yarn group with 1 update in the /integ-tests/react directory: [next](https://github.com/vercel/next.js).
Bumps the npm_and_yarn group with 3 updates in the /typescript/apps/beps directory: [next](https://github.com/vercel/next.js), [ajv](https://github.com/ajv-validator/ajv) and [minimatch](https://github.com/isaacs/minimatch).
Bumps the npm_and_yarn group with 1 update in the /typescript/apps/fiddle-web-app directory: [next](https://github.com/vercel/next.js).
Bumps the npm_and_yarn group with 1 update in the /typescript/apps/sage-backend directory: [next](https://github.com/vercel/next.js).
Bumps the npm_and_yarn group with 2 updates in the /typescript/apps/vscode-ext directory: [axios](https://github.com/axios/axios) and [tar](https://github.com/isaacs/node-tar).
Bumps the npm_and_yarn group with 1 update in the /typescript/packages/nextjs-plugin directory: [next](https://github.com/vercel/next.js).
Bumps the npm_and_yarn group with 1 update in the /typescript/packages/ui directory: [next](https://github.com/vercel/next.js).
Bumps the npm_and_yarn group with 1 update in the /typescript2/app-promptfiddle directory: [next](https://github.com/vercel/next.js).


Updates `pnpm` from 9.12.0 to 10.28.2
- [Release notes](https://github.com/pnpm/pnpm/releases)
- [Changelog](https://github.com/pnpm/pnpm/blob/v10.28.2/pnpm/CHANGELOG.md)
- [Commits](https://github.com/pnpm/pnpm/commits/v10.28.2/pnpm)

Updates `webpack` from 5.99.9 to 5.104.1
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.99.9...v5.104.1)

Updates `next` from 15.2.7 to 15.5.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.2.7...v15.5.10)

Updates `axios` from 1.10.0 to 1.13.5
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.10.0...v1.13.5)

Updates `tar` from 7.4.3 to 7.5.10
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.4.3...v7.5.10)

Updates `diff` from 4.0.2 to 4.0.4
- [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md)
- [Commits](kpdecker/jsdiff@v4.0.2...v4.0.4)

Removes `minimatch`

Updates `next` from 16.0.9 to 16.1.5
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.2.7...v15.5.10)

Updates `next` from 15.2.7 to 15.5.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.2.7...v15.5.10)

Updates `next` from 15.5.9 to 15.5.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.2.7...v15.5.10)

Updates `ajv` from 6.12.6 to 6.14.0
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v6.12.6...v6.14.0)

Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](https://github.com/isaacs/minimatch/commits)

Updates `minimatch` from 9.0.5 to 9.0.9
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](https://github.com/isaacs/minimatch/commits)

Updates `next` from 15.4.9 to 15.5.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.2.7...v15.5.10)

Updates `next` from 15.4.9 to 15.5.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.2.7...v15.5.10)

Updates `axios` from 1.10.0 to 1.13.5
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.10.0...v1.13.5)

Updates `tar` from 7.4.3 to 7.5.10
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.4.3...v7.5.10)

Updates `next` from 15.3.7 to 15.5.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.2.7...v15.5.10)

Updates `next` from 15.3.7 to 15.5.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.2.7...v15.5.10)

Updates `next` from 14.2.35 to 15.5.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.2.7...v15.5.10)

---
updated-dependencies:
- dependency-name: pnpm
  dependency-version: 10.28.2
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: webpack
  dependency-version: 5.104.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.5.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 1.13.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: diff
  dependency-version: 4.0.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 16.1.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.5.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.5.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: ajv
  dependency-version: 6.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 9.0.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.5.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.5.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 1.13.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.5.10
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.5.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.5.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 5, 2026
@vercel
Copy link

vercel bot commented Mar 5, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
beps Ready Ready Preview, Comment Mar 5, 2026 6:14am
promptfiddle Ready Ready Preview, Comment Mar 5, 2026 6:14am

Request Review

@dependabot dependabot bot mentioned this pull request Mar 5, 2026
Closed
@dependabot dependabot bot had a problem deploying to boundary-tools-dev March 5, 2026 05:52 Failure
@dependabot dependabot bot had a problem deploying to boundary-tools-dev March 5, 2026 05:52 Failure
@dependabot dependabot bot had a problem deploying to boundary-tools-dev March 5, 2026 05:52 Failure
@github-actions
Copy link

github-actions bot commented Mar 5, 2026

🏗️ Building BEPs preview... (run 22704426524)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants