deps(backend): bump the backend-patches group across 1 directory with 3 updates by dependabot[bot] · Pull Request #85 · mindcraft-research/mindcraft

dependabot · 2026-06-01T08:55:11Z

Bumps the backend-patches group with 3 updates in the /backend directory: otplib, sanitize-html and vitest.

Updates otplib from 13.4.0 to 13.4.1

Release notes

v13.4.1

What's Changed

fix: override flatted package security alert by @yeojz in yeojz/otplib#820

fix: override picomatch and yaml package security alerts by @yeojz in yeojz/otplib#822

refactor(testing): replace custom Deno adapter with @std/expect by @yeojz in yeojz/otplib#821

fix: override brace-expansion package security alert by @yeojz in yeojz/otplib#824

chore: update github actions pinned images by @yeojz in yeojz/otplib#823

Add @otplib/plugin-base32-alt to dependencies by @yeojz in yeojz/otplib#825

chore: harden supply chain with cooldown and version pinning by @yeojz in yeojz/otplib#826

refactor(testing): centralize test secrets into shared module by @yeojz in yeojz/otplib#831

chore(deps): bump the github-actions group with 5 updates by @dependabot[bot] in yeojz/otplib#827

refactor(testing): rename test secret constants for semantic clarity by @yeojz in yeojz/otplib#832

chore(deps-dev): bump the dev-dependencies-minor group with 4 updates by @dependabot[bot] in yeojz/otplib#828

refactor: replace size-limit with native bundle size check by @yeojz in yeojz/otplib#835

chore(deps-dev): bump vite from 7.3.1 to 8.0.0 by @dependabot[bot] in yeojz/otplib#830

refactor/docs/unusedImport by @ValeriYanev98 in yeojz/otplib#837

fix(security): address npm audit vulnerabilities by @yeojz in yeojz/otplib#839

fix(docker): bump pnpm to 10.30.1 to match packageManager by @yeojz in yeojz/otplib#847

docs: note short-secret guardrail override for legacy/test secrets by @yeojz in yeojz/otplib#848

docs(getting-started): clarify when each function runs by @yeojz in yeojz/otplib#846

chore(deps): bump vite from 5.4.21 to 8.0.10 by @dependabot[bot] in yeojz/otplib#845

chore(deps-dev): bump the dev-dependencies-patch group across 1 directory with 6 updates by @dependabot[bot] in yeojz/otplib#849

chore(deps-dev): bump the dev-dependencies-minor group across 1 directory with 6 updates by @dependabot[bot] in yeojz/otplib#841

docs(otplib): note 16-byte minimum and fix broken secret-handling link by @yeojz in yeojz/otplib#851

chore(deps-dev): bump @codecov/bundle-analyzer from 1.9.1 to 2.0.1 by @dependabot[bot] in yeojz/otplib#843

fix(benchmarks): adapt to tinybench v6 TaskResult shape by @yeojz in yeojz/otplib#852

chore(deps): bump the github-actions group across 1 directory with 6 updates by @dependabot[bot] in yeojz/otplib#844

chore(deps): bump @noble/hashes and @scure/base to 2.2.0 by @yeojz in yeojz/otplib#853

chore(deps-dev): bump turbo from 2.9.9 to 2.9.14 by @dependabot[bot] in yeojz/otplib#855

ci: split security audit into blocking prod and informational full scans by @yeojz in yeojz/otplib#857

chore(deps-dev): bump vite from 8.0.10 to 8.0.11 by @dependabot[bot] in yeojz/otplib#856

release(packages): v13.4.1 by @github-actions[bot] in yeojz/otplib#854

New Contributors

@ValeriYanev98 made their first contribution in yeojz/otplib#837

Full Changelog: yeojz/otplib@v13.4.0...v13.4.1

Commits

1d997b0 release(packages): v13.4.1 (#854)
0e9566f docs(otplib): note 16-byte minimum and fix broken secret-handling link (#851)
e01b4f1 chore(deps-dev): bump the dev-dependencies-patch group across 1 directory wit...
212534b chore(deps-dev): bump the dev-dependencies-minor group with 4 updates (#828)
b54adad refactor(testing): rename test secret constants for semantic clarity (#832)
4898252 refactor(testing): centralize test secrets and normalize naming (#831)
See full diff in compare view

Updates sanitize-html from 2.17.2 to 2.17.4

Changelog

Sourced from sanitize-html's changelog.

2.17.4

Changes

sanitize-html and launder now share a single implementation of naughtyHref, based on that which previously existed in sanitize-html.

Security

Security vulnerability: the xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself is not explicitly allowed All users of sanitize-html should update immediately. Thanks to Vincenzo Turturro for reporting the vulnerability.

2.17.3 (2026-04-15)

Security

Fix vulnerability introduced in version 2.17.2 that allowed XSS attacks if the developer chose to permit option tags. There was no vulnerability when not explicitly allowing option tags.

Commits

See full diff in compare view

Updates vitest from 4.1.4 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

browser:

Disable client cdp API when allowWrite/allowExec: false [backport to v4] - by @hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)

Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4] - by @toxik and @Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

runner: Limit concurrency per task branch in addition to per leaf callbacks (backport) - by @hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

browser: Provide project reference in ToMatchScreenshotResolvePath - by @macarie and @sheremet-va in vitest-dev/vitest#10138 (31882)

Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options - by @hi-ogawa, Codex and @sheremet-va in vitest-dev/vitest#10196 (2847d)

browser: Simplify orchestrator otel carrier - by @hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

Stringify diff objects only once - by @sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

v4.1.5

   🚀 Experimental Features

coverage: Istanbul to support instrumenter option - by @BartWaardenburg and @AriPerkkio in vitest-dev/vitest#10119 (0e0ff)

   🐞 Bug Fixes

--project negation excludes browser instances - by @felamaslen in vitest-dev/vitest#10131 (9423d)

Project color label on html reporter - by @hi-ogawa in vitest-dev/vitest#10142 (596f7)

Fix vi.defineHelper called as object method - by @hi-ogawa in vitest-dev/vitest#10163 (122c2)

Alias agent reporter to minimal - by @sheremet-va in vitest-dev/vitest#10157 (663b9)

Respect diff config options in soft assertions - by @Copilot, sheremet-va and @sheremet-va in vitest-dev/vitest#8696 (9787d)

Respect diff config options in soft assertions " - by @sheremet-va in vitest-dev/vitest#8696 (7dc6d)

ast-collect: Recognize _vi_import prefix in static test discovery - by @Yejneshwar in vitest-dev/vitest#10129 (32546)

coverage: Descriptive error message when reports directory is removed during test run - by @DaveT1991 and @AriPerkkio in vitest-dev/vitest#10117 (14133)

snapshot: Increase default snapshot max output length - by @hi-ogawa and Codex in vitest-dev/vitest#10150 (21e66)

ui: Fix jsx/tsx syntax highlight - by @hi-ogawa in vitest-dev/vitest#10152 (f1b1f)

web-worker: Support MessagePort objects referenced inside postMessage data - by @whitphx and Claude Opus 4.6 (1M context) in vitest-dev/vitest#9927 and vitest-dev/vitest#10124 (7ad7d)

api: Make test-specification options writable - by @sheremet-va in vitest-dev/vitest#10154 (6abd5)

    View changes on GitHub

Commits

e61f2dd chore: release v4.1.8
e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
a09d472 chore: release v4.1.7
a8fd24c chore: release v4.1.6
18af98c fix(browser): simplify orchestrator otel carrier (#10285)
3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
e399846 chore: release v4.1.5
7dc6d54 Revert "fix: respect diff config options in soft assertions (#8696)"
9787ded fix: respect diff config options in soft assertions (#8696)
325463a fix(ast-collect): recognize _vi_import prefix in static test discovery (#10...
Additional commits viewable in compare view

dependabot · 2026-06-01T08:55:12Z

Labels

The following labels could not be found: backend, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

… 3 updates Bumps the backend-patches group with 3 updates in the /backend directory: [otplib](https://github.com/yeojz/otplib/tree/HEAD/packages/otplib), [sanitize-html](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). Updates `otplib` from 13.4.0 to 13.4.1 - [Release notes](https://github.com/yeojz/otplib/releases) - [Commits](https://github.com/yeojz/otplib/commits/v13.4.1/packages/otplib) Updates `sanitize-html` from 2.17.2 to 2.17.4 - [Changelog](https://github.com/apostrophecms/apostrophe/blob/main/packages/sanitize-html/CHANGELOG.md) - [Commits](https://github.com/apostrophecms/apostrophe/commits/HEAD/packages/sanitize-html) Updates `vitest` from 4.1.4 to 4.1.8 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.8/packages/vitest) --- updated-dependencies: - dependency-name: otplib dependency-version: 13.4.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: backend-patches - dependency-name: sanitize-html dependency-version: 2.17.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: backend-patches - dependency-name: vitest dependency-version: 4.1.8 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: backend-patches ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot force-pushed the dependabot/npm_and_yarn/backend/backend-patches-28fe7a2b36 branch from 615fda1 to 126cc53 Compare June 8, 2026 04:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

deps(backend): bump the backend-patches group across 1 directory with 3 updates#85

deps(backend): bump the backend-patches group across 1 directory with 3 updates#85
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/backend/backend-patches-28fe7a2b36

dependabot Bot commented on behalf of github Jun 1, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github Jun 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 1, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v13.4.1

What's Changed

New Contributors

2.17.4

Changes

Security

2.17.3 (2026-04-15)

Security

v4.1.8

🐞 Bug Fixes

View changes on GitHub

v4.1.7

🐞 Bug Fixes

View changes on GitHub

v4.1.6

🐞 Bug Fixes

🏎 Performance

View changes on GitHub

v4.1.5

🚀 Experimental Features

🐞 Bug Fixes

View changes on GitHub

Uh oh!

dependabot Bot commented on behalf of github Jun 1, 2026

Labels

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Jun 1, 2026 •

edited

Loading