Bump the npm-dependencies group across 1 directory with 4 updates

[dependabot]

Bumps the npm-dependencies group with 4 updates in the / directory: @sentry/browser, dompurify, sass and vue.

Updates @sentry/browser from 10.57.0 to 10.59.0

Release notes

Sourced from @​sentry/browser's releases.

10.59.0

Important Changes

• feat(react-router): Add support for React Router v8 (#21633)

  The SDK now supports React Router v8, in both the framework and SPA (@sentry/react) modes.

• feat(react): Add version-agnostic React Router SPA exports (#21633)

  @sentry/react now exports version-agnostic wrappers for React Router v6+ SPA instrumentation. The new exports replace the version-specific V6/V7 variants, which are now deprecated:

  Deprecated	New
  reactRouterV6BrowserTracingIntegration / V7	reactRouterBrowserTracingIntegration
  withSentryReactRouterV6Routing / V7	wrapReactRouterRouting
  wrapCreateBrowserRouterV6 / V7	wrapCreateBrowserRouter
  wrapCreateMemoryRouterV6 / V7	wrapCreateMemoryRouter
  wrapUseRoutesV6 / V7	wrapUseRoutes

  The deprecated exports continue to work and will be removed in the next major version.

Other Changes

• feat(aws-serverless): Instrument aws-sdk clients >= 3.1046.0 (#21548)
• feat(bun): Add orchestrion bun build plugin (#21410)
• feat(cloudflare): Instrument sync KV (#21316)
• feat(core): Disable gen_ai message truncation by default when streamGenAiSpans is enabled (#21603)
• feat(deno): Add orchestrion deno runtime hook (#21451)
• feat(hono): Extend peer dependency range (#21550)
• feat(node): Collapse orchestrion opt-in to a single option (#20900)
• fix: Diagnostics channel Node v18 (#21631)
• fix(browser): Clean up pageload readystatechange listener (#21632)
• fix(core): Capture scopes on span before emitting spanStart event (#21644)
• fix(core): Defer TwP sampling by reading trace state from the scope (#21549)
• fix(core): Prevent outgoing HTTP instrumentation from crashing on // request paths (#21645)
• fix(core): Set production as default sentry.environment attribute value on streamed spans (#21637)
• fix(nextjs): Register safe random ID context at module load (#21573)

• chore: Change deprecation/deprecation to oxlint equivalent (#21604)
• chore: Switch license headers to SPDX format (#21357)
• chore(deps-dev): Bump esbuild from 0.20.0 to 0.28.1 (#21511)
• chore(deps): Bump esbuild from 0.25.0 to 0.28.1 in /dev-packages/e2e-tests/test-applications/node-profiling-esm (#21514)
• chore(deps): Bump react-router-6 to 6.30.4 (#21566)
• ci: Assign server team as codeowner for server-utils package (#21601)
• ci: Dedup flaky test issues across esm/cjs variants (#21595)
• ci: Do not apply Bug label to flaky test issues (#21593)

... (truncated)

Changelog

Sourced from @​sentry/browser's changelog.

10.59.0

Important Changes

• feat(react-router): Add support for React Router v8 (#21633)

  The SDK now supports React Router v8, in both the framework and SPA (@sentry/react) modes.

• feat(react): Add version-agnostic React Router SPA exports (#21633)

  @sentry/react now exports version-agnostic wrappers for React Router v6+ SPA instrumentation. The new exports replace the version-specific V6/V7 variants, which are now deprecated:

  Deprecated	New
  reactRouterV6BrowserTracingIntegration / V7	reactRouterBrowserTracingIntegration
  withSentryReactRouterV6Routing / V7	wrapReactRouterRouting
  wrapCreateBrowserRouterV6 / V7	wrapCreateBrowserRouter
  wrapCreateMemoryRouterV6 / V7	wrapCreateMemoryRouter
  wrapUseRoutesV6 / V7	wrapUseRoutes

  The deprecated exports continue to work and will be removed in the next major version.

Other Changes

• feat(aws-serverless): Instrument aws-sdk clients >= 3.1046.0 (#21548)
• feat(bun): Add orchestrion bun build plugin (#21410)
• feat(cloudflare): Instrument sync KV (#21316)
• feat(core): Disable gen_ai message truncation by default when streamGenAiSpans is enabled (#21603)
• feat(deno): Add orchestrion deno runtime hook (#21451)
• feat(hono): Extend peer dependency range (#21550)
• feat(node): Collapse orchestrion opt-in to a single option (#20900)
• fix: Diagnostics channel Node v18 (#21631)
• fix(browser): Clean up pageload readystatechange listener (#21632)
• fix(core): Capture scopes on span before emitting spanStart event (#21644)
• fix(core): Defer TwP sampling by reading trace state from the scope (#21549)
• fix(core): Prevent outgoing HTTP instrumentation from crashing on // request paths (#21645)
• fix(core): Set production as default sentry.environment attribute value on streamed spans (#21637)
• fix(nextjs): Register safe random ID context at module load (#21573)

• chore: Change deprecation/deprecation to oxlint equivalent (#21604)
• chore: Switch license headers to SPDX format (#21357)
• chore(deps-dev): Bump esbuild from 0.20.0 to 0.28.1 (#21511)
• chore(deps): Bump esbuild from 0.25.0 to 0.28.1 in /dev-packages/e2e-tests/test-applications/node-profiling-esm (#21514)
• chore(deps): Bump react-router-6 to 6.30.4 (#21566)
• ci: Assign server team as codeowner for server-utils package (#21601)
• ci: Dedup flaky test issues across esm/cjs variants (#21595)

... (truncated)

Commits

• 2cb0ef6 release: 10.59.0
• f77b265 Merge pull request #21655 from getsentry/prepare-release/10.59.0
• 8e32a8d meta(changelog): Update changelog for 10.59.0
• 50fe5d9 fix: Diagnostics channel Node v18 (#21631)
• 9c765e0 feat(react-router): support react router v8 (#21633)
• 815c1cf feat(deps): Bump @​babel/core from 7.29.0 to 7.29.6 (#21574)
• a520447 ref(tanstackstart-react): Use @sentry/conventions (#21498)
• 38a0485 test(cloudflare): Remove mock in DO tests (#21634)
• cb69761 feat(deno): Add orchestrion deno runtime hook (#21451)
• 1e057ba chore(deps): Bump esbuild from 0.25.0 to 0.28.1 in /dev-packages/e2e-tests/te...
• Additional commits viewable in compare view

Updates dompurify from 3.4.9 to 3.4.11

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.11

• Fixed an issue with a leaky config for hooks via setConfig, thanks @​trace37labs
• Bumped vulnerable development dependencies to arrive at plain 0 with npm audit
• Updated the osv-scanner suppression list as no vulnerable dependencies are left for now
• Updated up the linting tool-chain and removed now-redundant lint directives
• Updated the documentation is several spots, README, wiki, etc.
• Bumped several dependencies where possible

DOMPurify 3.4.10

• Refactored codebase for clarity: extracted the public type declarations into types.ts
• Decomposed the three largest sanitizer functions into focused helpers
• Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
• Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
• Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
• Reduced CI cost by running the full three-engine browser suite once per PR
• Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo
• Documented the bench and test:happydom scripts in the README
• Completed the Attack Classes & Bypass History wiki page
• Bumped several dependencies where possible

Commits

• 0cae518 release: 3.4.11 (#1494)
• 6ee5716 release: 3.4.10 (#1478)
• See full diff in compare view

Updates sass from 1.100.0 to 1.101.0

Release notes

Sourced from sass's releases.

Dart Sass 1.101.0

To install Sass 1.101.0, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

• Potentially breaking bug fix: The Node package importer now properly supports resolving import-only variants of Sass files declared in the exports, sass, and style fields of package.json. Previously, these files were ignored even when loaded via @import, so any code relying on loading module-system-only files this way may break.

See the full changelog for changes in earlier releases.

Changelog

Sourced from sass's changelog.

1.101.0

• Potentially breaking bug fix: The Node package importer now properly supports resolving import-only variants of Sass files declared in the exports, sass, and style fields of package.json. Previously, these files were ignored even when loaded via @import, so any code relying on loading module-system-only files this way may break.

Commits

• 63b9922 Load import-only files through package.json exports (#2772)
• c7e9947 Migrate from bufbuild/buf-setup-action to bufbuild/buf-action (#2773)
• 7674a4c Bump postcss from 8.5.13 to 8.5.15 in /pkg/sass-parser (#2774)
• See full diff in compare view

Updates vue from 3.5.35 to 3.5.38

Release notes

Sourced from vue's releases.

v3.5.38

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.37

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

Changelog

Sourced from vue's changelog.

3.5.38 (2026-06-11)

3.5.37 (2026-06-11)

3.5.36 (2026-06-11)

Bug Fixes

• compiler-core: avoid crash on CDATA at the document root (#14916) (0ea17e2)
• compiler-core: prefix dynamic keys on v-memo elements (#14922) (68e978e), closes #14920
• compiler-sfc: handle vue-ignore on leading intersection/union type (#14950) (0dcd225), closes #12254
• compiler-sfc: respect var hoisting in props destructure (48ad452)
• reactivity: preserve watch callback return value when wrapped for once: true (#14902) (450a8a8)
• runtime-core: add dev warning for silent catch in compat mode and fix test description typo (#14891) (db3e117)
• runtime-core: force model update when reverted before sync (#14897) (7f76378), closes #13524
• runtime-core: skip async component callbacks after unmount (#14911) (5300ead)
• transition: avoid move transition for hidden v-show group children (#14895) (c11f6ee), closes #14894
• watch: trigger immediate callback for empty sources (#14914) (1f2ca7e), closes #14898

Commits

• 478e3e8 release: v3.5.38
• 30ba647 chore(release): make release publishing resumable (#14953)
• c00b021 release: v3.5.37
• 11ac8b4 release: v3.5.36
• 43eba78 chore(deps): update lint (#14935)
• 3bc7290 chore(deps): update build (#14901)
• 8203fc5 chore(deps): update all non-major dependencies (#14938)
• 8f4bc85 chore(deps): update compiler (#14900)
• 8e63cdf chore(deps): update dependency npm-run-all2 to v9 (#14939)
• 131291a chore(deps): update test (#14936)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions