Bump the npm_and_yarn group across 2 directories with 13 updates by dependabot[bot] · Pull Request #666 · department-of-veterans-affairs/va-mobile-library

dependabot · 2026-03-21T11:02:47Z

Bumps the npm_and_yarn group with 13 updates in the / directory:

Package	From	To
storybook	`9.0.15`	`9.1.19`
vite	`6.3.5`	`6.4.1`
@isaacs/brace-expansion	`5.0.0`	`5.0.1`
ajv	`6.12.6`	`6.14.0`
flatted	`3.3.3`	`3.4.2`
lodash	`4.17.21`	`4.17.23`
minimatch	`3.1.2`	`3.1.5`
react-server-dom-webpack	`19.0.3`	`19.0.4`
rollup	`4.53.5`	`4.59.1`
svgo	`3.3.2`	`3.3.3`
tar	`7.5.2`	`7.5.12`
undici	`6.22.0`	`6.24.1`
webpack	`5.104.0`	`5.105.4`

Bumps the npm_and_yarn group with 2 updates in the /packages/components directory: storybook and vite.

Updates storybook from 9.0.15 to 9.1.19

Release notes

Sourced from storybook's releases.

v9.1.19

9.1.19

Harden websocket connection

v9.1.18

9.1.18

No-op release. No changes.

v9.1.17

9.1.17

Core: Fix .env-file parsing, thanks @jreinhold!

Changelog

Sourced from storybook's changelog.

9.1.19

Harden websocket connection

9.1.18

No-op release. No changes.

9.1.16

CLI: Fix Nextjs project creation in empty directories - #32828, thanks @yannbf!

Core: Add experimental_devServer preset - #32862, thanks @yannbf!

Telemetry: Fix preview-first-load event - #32859, thanks @shilman!

9.1.15

Core: Add preview-first-load telemetry - #32770, thanks @shilman!

Dependencies: Update vite-plugin-storybook-nextjs - #32821, thanks @ndelangen!

9.1.14

NextJS: Add NextJS 16 support - #32791, thanks @yannbf and @ndelangen!

Addon-Vitest: Support Vitest 4 - #32819, thanks @yannbf and @ndelangen!

CSF: Fix play-fn tag for methods - #32695, thanks @shilman!

9.1.13

Nextjs: Fix config access for Vite - #32759, thanks @valentinpalkovic!

9.1.12

Maintenance: Hotfix for missing nextjs dts files, thanks @ndelangen!

9.1.11

Automigration: Improve the viewport/backgrounds automigration - #32619, thanks @valentinpalkovic!

Mocking: Fix sb.mock usage in Storybook's deployed in subpaths - #32678, thanks @valentinpalkovic!

NextJS-Vite: Automatically fix bad PostCSS configuration - #32691, thanks @ndelangen!

React Native Web: Fix REACT_NATIVE_AND_RNW should detect vite builder - #32718, thanks @dannyhw!

Telemetry: Add metadata for react routers - #32615, thanks @shilman!

9.1.10

Automigrations: Add automigration for viewport and backgrounds - #31614, thanks @valentinpalkovic!

Telemetry: Log userAgent in onboarding - #32566, thanks @shilman!

9.1.9

Angular: Enable experimental zoneless detection on Angular v21 - #32580, thanks @yannbf!

Svelte: Ignore inherited HTMLAttributes docgen when using utility types - #32173, thanks @steciuk!

... (truncated)

Commits

20887f1 Bump version from "9.1.18" to "9.1.19" [skip ci]
66b2d8e Fix test
31f16c4 fix linting
62dd25b Core: Require token for websocket connections
bbe61e3 Bump version from "9.1.17" to "9.1.18" [skip ci]
d0d5a3d Bump version from 9.1.16 to 9.1.17 MANUALLY
a06c257 filter env vars from .env files
a54a04c Bump version from "9.1.15" to "9.1.16" [skip ci]
ebd7ff5 Merge pull request #32859 from storybookjs/shilman/first-load-new-user
da2da6e Merge pull request #32862 from storybookjs/yann/patch-dev-server-preset
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for storybook since your current version.

Updates vite from 6.3.5 to 6.4.1

Release notes

Sourced from vite's releases.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

v6.3.6

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.1 (2026-03-19)

Features

update rolldown to 1.0.0-rc.10 (#21932) (b3c067d)

Bug Fixes

bundled-dev: properly disable inlineConst optimization (#21865) (6d97142)

css: lightningcss minify failed when build.target: 'es6' (#21933) (5fcce46)

deps: update all non-major dependencies (#21878) (6dbbd7f)

dev: always use ESM Oxc runtime (#21829) (d323ed7)

dev: handle concurrent restarts in _createServer (#21810) (40bc729)

handle + symbol in package subpath exports during dep optimization (#21886) (86db93d)

improve no-cors request block error (#21902) (5ba688b)

use precise regexes for transform filter to avoid backtracking (#21800) (dbe41bd)

worker: require(json) result should not be wrapped (#21847) (0672fd2)

worker: make worker output consistent with client and SSR (#21871) (69454d7)

Miscellaneous Chores

add changelog rearrange script (#21835) (efef073)

deps: bump required @vitejs/devtools version to 0.1+ (#21925) (12932f5)

deps: update rolldown-related dependencies (#21787) (1af1d3a)

rearrange 8.0 changelog (8e05b61)

rearrange 8.0 changelog (#21834) (86edeee)

8.0.0 (2026-03-12)

Today, we're thrilled to announce the release of the next Vite major:

Vite 8.0 announcement blog post

Docs (translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch, فارسی)

Migration Guide

⚠ BREAKING CHANGES

remove import.meta.hot.accept resolution fallback (#21382)

update default browser target (#21193)

the epic rolldown-vite merge (#21189)

Features

update rolldown to 1.0.0-rc.9 (#21813) (f05be0e)

warn when vite-tsconfig-paths plugin is detected (#21781) (ada493e)

css: support es2025 build target for lightningcss (#21769) (08906e7)

forward browser console logs and errors to dev server terminal (#20916) (2540ed0)

update rolldown to 1.0.0-rc.8 (#21790) (a0c950e)

export Visitor and ESTree from rolldown/utils (#21664) (45de31e)

... (truncated)

Commits

0a0c50a refactor: simplify pluginFilter implementation (#19828)
59d0b35 perf(css): avoid constructing renderedModules (#19775)
175a839 fix: reject requests with # in request-target (#19830)
e2e11b1 fix(module-runner): allow already resolved id as entry (#19768)
7200dee fix: correct the behavior when multiple transform filter options are specifie...
b125172 fix(css): remove empty chunk imports correctly when chunk file name contained...
8fe3538 test: tweak generateCodeFrame test (#19812)
36935b5 fix(types): remove the keepProcessEnv from the DefaultEnvironmentOptions ...
a0e1a04 docs(vite): fix description of transformIndexHtml hook (#19799)
71227be fix: unbundle fdir to fix commonjsOptions.dynamicRequireTargets (#19791)
Additional commits viewable in compare view

Updates @isaacs/brace-expansion from 5.0.0 to 5.0.1

Updates ajv from 6.12.6 to 6.14.0

Commits

e3af0a7 6.14.0
b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
72f2286 docs: update v7 info
231e52b Merge pull request #1320 from philsturgeon/patch-1
d3475fc Add spectral, an AJV util from a sponsor
413afe0 docs: v7.0.0-beta.3
11e997b update readme for v7
See full diff in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

3bf0909 3.4.2
885ddcc fix CWE-1321
0bdba70 added flatted-view to the benchmark
2a02dce 3.4.1
fba4e8f Merge pull request #89 from WebReflection/python-fix
5fe8648 added "when in Rome" also a test for PHP
53517ad some minor improvement
b3e2a0c Fixing recursion issue in Python too
c4b46db Add SECURITY.md for security policy and reporting
f86d071 Create dependabot.yml for version updates
Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

dec55b7 Bump main to v4.17.23 (#6088)
19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
edadd45 Prevent prototype pollution on baseUnset function
4879a7a doc: fix autoLink function, conversion of source links (#6056)
9648f69 chore: remove yarn.lock file (#6053)
dfa407d ci: remove legacy configuration files (#6052)
156e196 feat: add renovate setup (#6039)
933e106 ci: add pipeline for Bun (#6023)
072a807 docs: update links related to Open JS Foundation (#5968)
Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates react-server-dom-webpack from 19.0.3 to 19.0.4

Release notes

Sourced from react-server-dom-webpack's releases.

19.0.4 (January 26th, 2026)

React Server Components

Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @gnoff, @lubieowoce, @sebmarkbage, @unstubbable)

Commits

7806ec2 19.0.4
de58cca Add more DoS mitigations to React Flight Reply, and harden React Flight
See full diff in compare view

Updates rollup from 4.53.5 to 4.59.1

Release notes

Sourced from rollup's releases.

v4.59.1

4.59.1

2026-03-21

Bug Fixes

Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

#6281: fix(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6282: chore(deps): update github artifact actions (major) (@renovate[bot], @lukastaegert)

#6283: chore(deps): update dependency nyc to v18 (@renovate[bot], @lukastaegert)

#6284: fix(deps): update swc monorepo (major) (@renovate[bot])

#6285: chore(deps): lock file maintenance (@renovate[bot])

#6290: chore(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6291: chore(deps): update dependency @shikijs/vitepress-twoslash to v4 (@renovate[bot])

#6292: chore(deps): lock file maintenance (@renovate[bot])

#6297: chore(deps): update minor/patch updates (@renovate[bot])

#6298: chore(deps): lock file maintenance (@renovate[bot])

#6299: chore(deps): lock file maintenance (@renovate[bot])

#6300: docs: update packagephobia link (@bluwy)

#6301: chore(deps): update dependency lint-staged to ^16.3.3 (@renovate[bot])

#6306: fix: fix chunk assignment for deoptimized module with dynamic import (@JoaoBrlt, @lukastaegert)

#6307: chore(deps): update minor/patch updates (@renovate[bot])

#6308: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6309: chore(deps): update dependency vite to v8 (@renovate[bot])

#6310: chore(deps): lock file maintenance (@renovate[bot])

#6311: chore(deps): lock file maintenance (@renovate[bot])

#6312: chore(deps): lock file maintenance (@renovate[bot])

v4.59.0

4.59.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

#6275: Validate bundle stays within output dir (@lukastaegert)

v4.58.0

4.58.0

2026-02-20

... (truncated)

Changelog

Sourced from rollup's changelog.

4.59.1

2026-03-21

Bug Fixes

Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

#6281: fix(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6282: chore(deps): update github artifact actions (major) (@renovate[bot], @lukastaegert)

#6283: chore(deps): update dependency nyc to v18 (@renovate[bot], @lukastaegert)

#6284: fix(deps): update swc monorepo (major) (@renovate[bot])

#6285: chore(deps): lock file maintenance (@renovate[bot])

#6290: chore(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6291: chore(deps): update dependency @shikijs/vitepress-twoslash to v4 (@renovate[bot])

#6292: chore(deps): lock file maintenance (@renovate[bot])

#6297: chore(deps): update minor/patch updates (@renovate[bot])

#6298: chore(deps): lock file maintenance (@renovate[bot])

#6299: chore(deps): lock file maintenance (@renovate[bot])

#6300: docs: update packagephobia link (@bluwy)

#6301: chore(deps): update dependency lint-staged to ^16.3.3 (@renovate[bot])

#6306: fix: fix chunk assignment for deoptimized module with dynamic import (@JoaoBrlt, @lukastaegert)

#6307: chore(deps): update minor/patch updates (@renovate[bot])

#6308: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6309: chore(deps): update dependency vite to v8 (@renovate[bot])

#6310: chore(deps): lock file maintenance (@renovate[bot])

#6311: chore(deps): lock file maintenance (@renovate[bot])

#6312: chore(deps): lock file maintenance (@renovate[bot])

4.59.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

#6275: Validate bundle stays within output dir (@lukastaegert)

4.58.0

2026-02-20

Features

Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

... (truncated)

Commits

0cba9e0 4.59.1
4eeea29 Pin Vite
1cd49ae fix: fix chunk assignment for deoptimized module with dynamic import (#6306)
c9dabc3 Downgrade Vite
d46200f chore(deps): update dependency vite to v8 (#6309)
aa6c853 chore(deps): update dependency lru-cache to v11 (#6308)
4208811 chore(deps): lock file maintenance (#6312)
5348a82 chore(deps): lock file maintenance (#6311)
c942b8d chore(deps): update minor/patch updates (#6307)
bf9d35c chore(deps): lock file maintenance (#6310)
Additional commits viewable in compare view

Updates svgo from 3.3.2 to 3.3.3

Release notes

Sourced from svgo's releases.

v3.3.3

What's Changed

Dependencies

Migrates from our unsupported fork of sax (@trysound/sax) to the upstream version of sax (sax).

Bug Fixes

No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

v3.3.2 v3.3.3 Delta

svgo.browser.js 910.9 kB 912.9 kB ⬆️ 2 kB

Support

SVGO v3 is not officially supported, please consider upgrading to SVGO v4 instead. We've backported this fix as there are security implications, but there is no commitment to do this for more complex changes in future.

Consider reading our Migration Guide from v3 to v4 which should ease the process.

Commits

bbab162 deps: upgrade to sax v1.5.0
See full diff in compare view

Updates tar from 7.5.2 to 7.5.12

Commits

2a294d3 7.5.12
01082a4 fix: reject top promise on floating addFilesAsync rejections
dd1c36a linting
35a1ffe doc: more clarity in security warning
bf776f6 7.5.11
f48b5fa prevent escaping symlinks with drive-relative paths
97cff15 docs: more security info
2b72abc 7.5.10
7bc755d parse root off paths before sanitizing .. parts
c8cb846 update deps
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates undici from 6.22.0 to 6.24.1

Release notes

Sourced from undici's releases.

v6.24.1

Full Changelog: nodejs/undici@v6.24.0...v6.24.1

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
Malicious WebSocket 64-bit frame length handling could crash the client.

GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
CRLF injection via the upgrade option.

GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
Unbounded memory consumption in WebSocket permessage-deflate decompression.

Not applicable to v6

GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

CVE-2026-1525: affected < 6.24.0, patched 6.24.0

CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0

CVE-2026-1527: affected < 6.24.0, patched 6.24.0

CVE-2026-2229: affected < 6.24.0, patched 6.24.0

CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories

NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525

NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528

NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527

NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229

NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

... (truncated)

Commits

c0cf656 Bumped v6.24.1
f5a9f0c Fix v6 release workflow branch targeting
af2cb8f wqremove maxDecompressedMessageSize (#4891)
8873c94 Bumped v6.24.0
411bd01 test(websocket): use node:assert for Node 18 compatibility
844bf59 test: fix http2 lint regressions in backport
a444e4f test: stabilize h2 and tls-cert-leak under current test runner
dc032a1 fix: h2 CI (#4395)
4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
7df6442 fix: adapt websocket frame-limit handling for v6 parser
Additional commits viewable in compare view

Updates webpack from 5.104.0 to 5.105.4

Release notes

Sourced from webpack's releases.

v5.105.4

Patch Changes

Add Module.getSourceBasicTypes to distinguish basic source types and clarify how modules with non-basic source types like remote still produce JavaScript output. (by @xiaoxiaojx in #20546)

Handle createRequire in expressions. (by @alexander-akait in #20549)

Fixed types for multi stats. (by @alexander-akait in #20556)

Remove empty needless js output for normal css module. (by @JSerFeng in #20162)

Update enhanced-resolve to support new features for tsconfig.json. (by @alexander-akait in #20555)

Narrows export presence guard detection to explicit existence checks on namespace imports only, i.e. patterns like "x" in ns. (by @hai-x in #20561)

v5.105.3

Patch Changes

Context modules now handle rejections correctly. (by @alexander-akait in #20455)

Only mark asset modules as side-effect-free when experimental.futureDefaults is set to true, so asset-copying use cases (e.g. import "./x.png") won’t break unless the option is enabled. (by @hai-x in #20535)

Add the missing webpack_exports declaration in certain cases when bundling a JS entry together with non-JS entries (e.g., CSS entry or asset module entry). (by @hai-x in #20463)

Fixed HMR failure for CSS modules with @import when exportType !== "link". When exportType is not "link", CSS modules now behave like JavaScript modules and don't require special HMR handling, allowing @import CSS to work correctly during hot module replacement. (by @xiaoxiaojx in #20514)

Fixed an issue where empty JavaScript files were generated for CSS-only entry points. The code now correctly checks if entry modules have JavaScript source types before determining whether to generate a JS file. (by @xiaoxiaojx in #20454)

Do not crash when a referenced chunk is not a runtime chunk. (by @alexander-akait in #20461)

Fix some types. (by @alexander-akait in #20412)

Ensure that missing module error are thrown after the interception handler (if present), allowing module interception to customize the module factory. (by @hai-x in #20510)

Added createRequire support for ECMA modules. (by @stefanbinoj in #20497)

Added category for CJS reexport dependency to fix issues with ECMA modules. (by @hai-x in #20444)

Implement immutable bytes for bytes import attribute to match tc39 spec. (by @alexander-akait in #20481)

Fixed deterministic search for graph roots regardless of edge order. (by @veeceey in #20452)

v5.105.2

Patch Changes

Fixed WebpackPluginInstance type regression. (by @alexander-akait in #20440)

v5.105.1

Patch Changes

... (truncated)

Changelog

Sourced from webpack's changelog.

5.105.4

Patch Changes

Add Module.getSourceBasicTypes to distinguish basic source types and clarify how modules with non-basic source types like remote still produce JavaScript output. (by @xiaoxiaojx in #20546)

Handle createRequire in expressions. (by @alexander-akait in #20549)

Fixed types for multi stats. (by @alexander-akait in #20556)

Remove empty needless js output for normal css module. (by @JSerFeng in #20162)

Update enhanced-resolve to support new features for tsconfig.json. (by @alexander-akait in #20555)

Narrows export presence guard detection to explicit existence checks on namespace imports only, i.e. patterns like "x" in ns. (by @hai-x in #20561)

5.105.3

Patch Changes

Context modules now handle rejections correctly. (by @alexander-akait in #20455)

Only mark asset modules as side-effect-free when experimental.futureDefaults is set to true, so asset-copying use cases (e.g. import "./x.png") won’t break unless the option is enabled. (by @hai-x in #20535)

Add the missing webpack_exports declaration in certain cases when bundling a JS entry together with non-JS entries (e.g., CSS entry or asset module entry). (by @hai-x in #20463)

Fixed HMR failure for CSS modules with @import when exportType !== "link". When exportType is not "link", CSS modules now behave like JavaScript modules and don't require special HMR handling, allowing @import CSS to work correctly during hot module replacement. (by @xiaoxiaojx in #20514)

Fixed an issue where empty JavaScript files were generated for CSS-only entry points. The code now correctly checks if entry modules have JavaScript source types before determining whether to generate a JS file. (by @xiaoxiaojx in #20454)

Do not crash when a referenced chunk is not a runtime chunk. (by @alexander-akait in #20461)

Fix some types. (by @alexander-akait in #20412)

Ensure that missing module error are thrown after the interception handler (if present), allowing module interception to customize the module factory. (by @hai-x in #20510)

Added createRequire support for ECMA modules. (by @stefanbinoj in #20497)

Added category for CJS reexport dependency to fix issues with ECMA modules. (by @hai-x in #20444)

Implement immutable bytes for bytes import attribute to match tc39 spec. (by @alexander-akait in #20481)

Fixed deterministic search for graph roots regardless of edge order. (by @veeceey in #20452)

5.105.2

Patch Changes

Fixed WebpackPluginInstance type regression. (by @alexander-akait in #20440)

... (truncated)

Commits

27c13b4 chore(release): new release (#20550)
9b2f41e chore: bump terser plugin (#20569)
eafe060 fix: narrow the export presence guard detection (#20561)
75d605c refactor: add AppendOnlyStackedSet iteration support and tests (#20560)
afa607d refactor: remove unused code (#20562)
4098902 test: add source files for web-webworker and web-webworker-auto-public-path (...
f97be67 refactor: fix duplicated word in Compilation JSDoc (#20547)
9d76fff refactor: add M...
Description has been truncated

Bumps the npm_and_yarn group with 13 updates in the / directory: | Package | From | To | | --- | --- | --- | | [storybook](https://github.com/storybookjs/storybook/tree/HEAD/code/core) | `9.0.15` | `9.1.19` | | [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `6.3.5` | `6.4.1` | | @isaacs/brace-expansion | `5.0.0` | `5.0.1` | | [ajv](https://github.com/ajv-validator/ajv) | `6.12.6` | `6.14.0` | | [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` | | [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` | | [react-server-dom-webpack](https://github.com/facebook/react/tree/HEAD/packages/react-server-dom-webpack) | `19.0.3` | `19.0.4` | | [rollup](https://github.com/rollup/rollup) | `4.53.5` | `4.59.1` | | [svgo](https://github.com/svg/svgo) | `3.3.2` | `3.3.3` | | [tar](https://github.com/isaacs/node-tar) | `7.5.2` | `7.5.12` | | [undici](https://github.com/nodejs/undici) | `6.22.0` | `6.24.1` | | [webpack](https://github.com/webpack/webpack) | `5.104.0` | `5.105.4` | Bumps the npm_and_yarn group with 2 updates in the /packages/components directory: [storybook](https://github.com/storybookjs/storybook/tree/HEAD/code/core) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Updates `storybook` from 9.0.15 to 9.1.19 - [Release notes](https://github.com/storybookjs/storybook/releases) - [Changelog](https://github.com/storybookjs/storybook/blob/v9.1.19/CHANGELOG.md) - [Commits](https://github.com/storybookjs/storybook/commits/v9.1.19/code/core) Updates `vite` from 6.3.5 to 6.4.1 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/create-vite@6.4.1/packages/vite) Updates `@isaacs/brace-expansion` from 5.0.0 to 5.0.1 Updates `ajv` from 6.12.6 to 6.14.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v6.12.6...v6.14.0) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `react-server-dom-webpack` from 19.0.3 to 19.0.4 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.0.4/packages/react-server-dom-webpack) Updates `rollup` from 4.53.5 to 4.59.1 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.53.5...v4.59.1) Updates `svgo` from 3.3.2 to 3.3.3 - [Release notes](https://github.com/svg/svgo/releases) - [Commits](svg/svgo@v3.3.2...v3.3.3) Updates `tar` from 7.5.2 to 7.5.12 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v7.5.2...v7.5.12) Updates `undici` from 6.22.0 to 6.24.1 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v6.22.0...v6.24.1) Updates `webpack` from 5.104.0 to 5.105.4 - [Release notes](https://github.com/webpack/webpack/releases) - [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md) - [Commits](webpack/webpack@v5.104.0...v5.105.4) Updates `storybook` from 9.0.15 to 9.1.19 - [Release notes](https://github.com/storybookjs/storybook/releases) - [Changelog](https://github.com/storybookjs/storybook/blob/v9.1.19/CHANGELOG.md) - [Commits](https://github.com/storybookjs/storybook/commits/v9.1.19/code/core) Updates `vite` from 6.3.5 to 6.4.1 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/create-vite@6.4.1/packages/vite) --- updated-dependencies: - dependency-name: storybook dependency-version: 9.1.19 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 6.4.1 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: "@isaacs/brace-expansion" dependency-version: 5.0.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ajv dependency-version: 6.14.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: react-server-dom-webpack dependency-version: 19.0.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.59.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: svgo dependency-version: 3.3.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 6.24.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: webpack dependency-version: 5.105.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: storybook dependency-version: 9.1.19 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 6.4.1 dependency-type: direct:development dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 21, 2026

dependabot Bot requested a review from a team as a code owner March 21, 2026 11:02

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 21, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 2 directories with 13 updates#666

Bump the npm_and_yarn group across 2 directories with 13 updates#666
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-545a401f73

dependabot Bot commented on behalf of github Mar 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Mar 21, 2026

v9.1.19

9.1.19

v9.1.18

9.1.18

v9.1.17

9.1.17

9.1.19

9.1.18

9.1.16

9.1.15

9.1.14

9.1.13

9.1.12

9.1.11

9.1.10

9.1.9

v6.4.1

v6.4.0

v6.3.7

v6.3.6

8.0.1 (2026-03-19)

Features

Bug Fixes

Miscellaneous Chores

8.0.0 (2026-03-12)

⚠ BREAKING CHANGES

Features

19.0.4 (January 26th, 2026)

React Server Components

v4.59.1

4.59.1

Bug Fixes

Pull Requests

v4.59.0

4.59.0

Features

Pull Requests

v4.58.0

4.58.0

4.59.1

Bug Fixes

Pull Requests

4.59.0

Features

Pull Requests

4.58.0

Features

v3.3.3

What's Changed

Dependencies

Bug Fixes

Metrics

Support

v6.24.1

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

Upgrade guidance

Fixed advisories

Not applicable to v6

Affected and patched ranges (v6)

References

v5.105.4

Patch Changes

v5.105.3

Patch Changes

v5.105.2

Patch Changes

v5.105.1

Patch Changes

5.105.4

Patch Changes

5.105.3

Patch Changes

5.105.2

Patch Changes

Uh oh!

Reviewers

Assignees