chore(deps): bump the npm_and_yarn group across 7 directories with 8 updates#5206

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/engine/sdks/typescript/runner/npm_and_yarn-718ae6e066

@dependabot dependabot Bot commented on behalf of github Jun 8, 2026

Bumps the npm_and_yarn group with 3 updates in the /engine/sdks/typescript/runner directory: ws, vitest and uuid.
Bumps the npm_and_yarn group with 3 updates in the /engine/sdks/typescript/test-runner directory: hono, ws and vitest.
Bumps the npm_and_yarn group with 1 update in the /examples/ai-and-user-generated-actors-freestyle directory: vitest.
Bumps the npm_and_yarn group with 1 update in the /examples/ai-and-user-generated-actors-freestyle/template directory: hono.
Bumps the npm_and_yarn group with 1 update in the /examples/next-js directory: next.
Bumps the npm_and_yarn group with 3 updates in the /rivetkit-typescript/packages/engine-runner directory: ws, vitest and uuid.
Bumps the npm_and_yarn group with 3 updates in the /website directory: mermaid, astro and axios.

Updates ws from 8.19.0 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

  • Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

```js
import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {
      skipUTF8Validation: true
    });

    ws.on('close', function (code, reason) {
      deepStrictEqual(reason, Buffer.alloc(80));
    });
  }
);

wss.on('connection', function (ws) {
  ws.close(1000, new Float32Array(20));
});
```

The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

  • Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).
Commits
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • 8439255 [dist] 8.20.0
  • d3503c1 [minor] Export the PerMessageDeflate class and header utils
  • 3ee5349 [api] Convert the isServer and maxPayload parameters to options
  • 91707b4 [doc] Add missing space
  • 8b55319 [pkg] Update eslint to version 10.0.1
  • Additional commits viewable in compare view

Updates vitest from 1.6.1 to 3.2.6

Release notes

Sourced from vitest's releases.

v3.2.6

   🐞 Bug Fixes


v3.2.5

   🚀 Features

   🐞 Bug Fixes


v3.2.4

   🐞 Bug Fixes


v3.2.3

   🚀 Features

... (truncated)

Commits
  • b6d56f8 chore: release v3.2.6
  • 16f120d fix: pin last supported vite-node version
  • 2cbad0a chore: release v3.2.5
  • 385a1ae fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • af88b1f feat(api): add allowWrite and allowExec options to api [backport to v3]...
  • c666d14 chore: release v3.2.4
  • 8a18c8e fix(cli): throw error when --shard x/\<count> exceeds count of test files (#...
  • 8abd7cc chore(deps): update tinypool (#8174)
  • 93f3200 fix(deps): update all non-major dependencies (#8123)
  • 0c3be6f fix(coverage): ignore SCSS in browser mode (#8161)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.


Updates uuid from 12.0.0 to 14.0.0

Release notes

Sourced from uuid's releases.

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

  • expect crypto to be global everywhere (requires node@20+) (#935)
  • drop node@18 support (#934)

Features

Bug Fixes

  • expect crypto to be global everywhere (requires node@20+) (#935) (f2c235f)
  • Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)

v13.0.2

13.0.2 (2026-05-04)

Bug Fixes

  • rerelease to fix provenance. (49ccb35)

v13.0.1

13.0.1 (2026-04-27)

Bug Fixes

v13.0.0

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

  • make browser exports the default (#901)

Bug Fixes

v12.0.1

12.0.1 (2026-04-29)

... (truncated)

Changelog

Sourced from uuid's changelog.

14.0.0 (2026-04-19)

Security

  • Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

  • crypto is now expected to be globally defined (requires node@20+) (#935)
  • drop node@18 support (#934)
  • upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

  • make browser exports the default (#901)

Bug Fixes

Commits
  • 7c1ea08 chore(main): release 14.0.0 (#926)
  • 3d2c5b0 Merge commit from fork
  • f2c235f fix!: expect crypto to be global everywhere (requires node@20+) (#935)
  • 529ef08 chore: upgrade TypeScript and fixup types (#927)
  • 086fd79 chore: update dependencies (#933)
  • dc4ddb8 feat!: drop node@18 support (#934)
  • 0f1f9c9 chore: switch to Biome for parsing and linting (#932)
  • e2879e6 chore: use maintained version of npm-run-all (#930)
  • ffa3138 fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)
  • 0423d49 docs: remove obsolete v1 option notes (#915)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.


Updates hono from 4.11.9 to 4.12.21

Release notes

Sourced from hono's releases.

v4.12.21

Security fixes

This release includes fixes for the following security issues:

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3

IP Restriction bypasses static deny rules for non-canonical IPv6

Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x

JWT middleware accepts any Authorization scheme, not only Bearer

Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474


Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.

v4.12.20

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.19...v4.12.20

v4.12.19

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.18...v4.12.19

... (truncated)

Commits

Updates ws from 8.19.0 to 8.20.1


Updates vitest from 1.6.1 to 3.2.6



Updates vitest from 1.6.1 to 3.2.6



Updates hono from 4.9.8 to 4.12.21


Updates next from 16.1.1 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

Moderate:

Low:

Core Changes

  • fix: preserve HTTP access fallbacks during prerender recovery (#92231)
  • Fix fallback route params case in app-page handler (#91737)
  • Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
  • Patch setHeader for direct route handlers (#93101)
  • Include deployment id in cacheHandlers keys (#93453)
  • Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

... (truncated)

Commits
  • ee6e79b v16.2.6
  • afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
  • 97a154e Turbopack: Fix middleware matcher suffix (#93590)
  • 83899bc [backport] Disable build caches for production/staging/force-preview ...

    Description has been truncated
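
The hono/ip-restriction advisory quoted above (GHSA-xrhx-7g5j-rcj5) comes down to comparing address strings instead of address values. The sketch below is an added example, not code from this pull request or from hono: `parseIPv4`, `parseIPv6`, `canonicalIp` and `makeDenyCheck` are hypothetical helpers, the deny list uses constructed documentation-range addresses, and folding IPv4-mapped IPv6 onto plain IPv4 is an assumed policy choice.

```javascript
// Added example: hypothetical helpers written for this note, not hono APIs.

// Strict dotted-quad parser: four decimal octets, no leading zeros.
function parseIPv4(text) {
  const parts = text.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^(0|[1-9]\d{0,2})$/.test(p) ? Number(p) : NaN));
  return octets.every((o) => o <= 255) ? octets : null;
}

// Parse an IPv6 literal into eight 16-bit integers, or null if malformed.
function parseIPv6(text) {
  let s = text.toLowerCase().split('%')[0]; // ignore any zone id
  const lastColon = s.lastIndexOf(':');
  const tail = s.slice(lastColon + 1);
  if (lastColon !== -1 && tail.includes('.')) {
    // Trailing dotted quad (e.g. ::ffff:192.0.2.1) becomes two hex groups.
    const v4 = parseIPv4(tail);
    if (!v4) return null;
    const hi = ((v4[0] << 8) | v4[1]).toString(16);
    const lo = ((v4[2] << 8) | v4[3]).toString(16);
    s = `${s.slice(0, lastColon + 1)}${hi}:${lo}`;
  }
  const halves = s.split('::');
  if (halves.length > 2) return null; // at most one "::"
  const compressed = halves.length === 2;
  const head = halves[0] ? halves[0].split(':') : [];
  const rest = compressed && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - rest.length;
  if (compressed ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(compressed ? missing : 0).fill('0'), ...rest];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// One comparison key per address value, whatever its textual form.
function canonicalIp(text) {
  const v4 = parseIPv4(text);
  if (v4) return v4.join('.');
  const g = parseIPv6(text);
  if (!g) return null;
  // Assumed policy: ::ffff:a.b.c.d is treated as the IPv4 address a.b.c.d.
  const mapped = g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff;
  if (mapped) return [g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join('.');
  return g.map((x) => x.toString(16)).join(':'); // fixed, uncompressed form
}

// Build a deny check that canonicalises rules once and fails closed on
// addresses it cannot parse.
function makeDenyCheck(denyList) {
  const denied = new Set(denyList.map((rule) => {
    const c = canonicalIp(rule);
    if (c === null) throw new TypeError(`invalid deny rule: ${rule}`);
    return c;
  }));
  return (addr) => {
    const c = canonicalIp(String(addr));
    return c === null || denied.has(c);
  };
}

// Constructed deny list (RFC 3849 / RFC 5737 documentation ranges).
const DENY = ['2001:db8::1', '::ffff:192.0.2.1'];
const naiveDenied = (addr) => DENY.includes(addr); // string equality
const isDenied = makeDenyCheck(DENY);              // value equality
```

With string equality, `2001:0db8:0000:0000:0000:0000:0000:0001` and `::ffff:c000:201` are not matched by the two rules; after canonicalisation both are.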
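
The hono/cookie advisory quoted above (GHSA-3hrh-pfw6-9m5x) concerns `sameSite` and `priority` values reaching the `Set-Cookie` header unvalidated. As an added example that is not hono's code, the block below puts a naive serializer next to one that maps both options through an allow-list; `serializeCookieNaive`, `serializeCookieStrict`, `enumAttr` and `attributeNames` are hypothetical names and the inputs are constructed.

```javascript
// Added example: hypothetical helpers written for this note, not hono APIs.

const SAME_SITE = new Map([['strict', 'Strict'], ['lax', 'Lax'], ['none', 'None']]);
const PRIORITY = new Map([['low', 'Low'], ['medium', 'Medium'], ['high', 'High']]);

// Naive form: option values are interpolated straight into the header, so a
// value containing ';' adds attributes the caller never chose.
function serializeCookieNaive(name, value, opts = {}) {
  let out = `${name}=${encodeURIComponent(value)}`;
  if (opts.sameSite) out += `; SameSite=${opts.sameSite}`;
  if (opts.priority) out += `; Priority=${opts.priority}`;
  return out;
}

// Map an enumerated attribute through its allow-list. Anything else,
// including values carrying ';', '\r' or '\n', is rejected outright.
function enumAttr(table, label, input) {
  const key = typeof input === 'string' ? input.toLowerCase() : '';
  if (!table.has(key)) throw new TypeError(`invalid ${label} value`);
  return table.get(key);
}

// Hardened form: the cookie name must be an RFC 6265 token, the value is
// percent-encoded, and enumerated attributes are emitted from constants.
function serializeCookieStrict(name, value, opts = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new TypeError('invalid cookie name');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.sameSite !== undefined) {
    parts.push(`SameSite=${enumAttr(SAME_SITE, 'sameSite', opts.sameSite)}`);
  }
  if (opts.priority !== undefined) {
    parts.push(`Priority=${enumAttr(PRIORITY, 'priority', opts.priority)}`);
  }
  return parts.join('; ');
}

// Attribute names present in a serialized cookie, for checking the output.
function attributeNames(header) {
  return header.split(';').slice(1).map((p) => p.trim().split('=')[0]);
}

// Constructed input standing in for a request-derived option value.
const UNTRUSTED_SAME_SITE = 'Lax; Domain=example.test';

// Returns true when the strict serializer refuses the given options.
function strictRejects(opts) {
  try {
    serializeCookieStrict('sid', 'abc', opts);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}
```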

…updates

Bumps the npm_and_yarn group with 3 updates in the /engine/sdks/typescript/runner directory: [ws](https://github.com/websockets/ws), [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) and [uuid](https://github.com/uuidjs/uuid).
Bumps the npm_and_yarn group with 3 updates in the /engine/sdks/typescript/test-runner directory: [hono](https://github.com/honojs/hono), [ws](https://github.com/websockets/ws) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest).
Bumps the npm_and_yarn group with 1 update in the /examples/ai-and-user-generated-actors-freestyle directory: [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest).
Bumps the npm_and_yarn group with 1 update in the /examples/ai-and-user-generated-actors-freestyle/template directory: [hono](https://github.com/honojs/hono).
Bumps the npm_and_yarn group with 1 update in the /examples/next-js directory: [next](https://github.com/vercel/next.js).
Bumps the npm_and_yarn group with 3 updates in the /rivetkit-typescript/packages/engine-runner directory: [ws](https://github.com/websockets/ws), [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) and [uuid](https://github.com/uuidjs/uuid).
Bumps the npm_and_yarn group with 3 updates in the /website directory: [mermaid](https://github.com/mermaid-js/mermaid), [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) and [axios](https://github.com/axios/axios).


Updates `ws` from 8.19.0 to 8.20.1
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.19.0...8.20.1)

Updates `vitest` from 1.6.1 to 3.2.6
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v3.2.6/packages/vitest)

Updates `uuid` from 12.0.0 to 14.0.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v12.0.0...v14.0.0)

Updates `hono` from 4.11.9 to 4.12.21
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.11.9...v4.12.21)

Updates `ws` from 8.19.0 to 8.20.1
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.19.0...8.20.1)

Updates `vitest` from 1.6.1 to 3.2.6
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v3.2.6/packages/vitest)

Updates `vitest` from 1.6.1 to 3.2.6
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v3.2.6/packages/vitest)

Updates `hono` from 4.9.8 to 4.12.21
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.11.9...v4.12.21)

Updates `next` from 16.1.1 to 16.2.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.1.1...v16.2.6)

Updates `ws` from 8.19.0 to 8.20.1
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.19.0...8.20.1)

Updates `vitest` from 1.6.1 to 3.2.6
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v3.2.6/packages/vitest)

Updates `uuid` from 12.0.0 to 14.0.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v12.0.0...v14.0.0)

Updates `mermaid` from 11.12.2 to 11.15.0
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](https://github.com/mermaid-js/mermaid/compare/[email protected]@11.15.0)

Updates `astro` from 5.16.9 to 6.1.10
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/[email protected]/packages/astro)

Updates `axios` from 1.13.2 to 1.16.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.2...v1.16.0)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.20.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vitest
  dependency-version: 3.2.6
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.21
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 8.20.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vitest
  dependency-version: 3.2.6
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: vitest
  dependency-version: 3.2.6
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.21
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 16.2.6
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 8.20.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vitest
  dependency-version: 3.2.6
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: mermaid
  dependency-version: 11.15.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: astro
  dependency-version: 6.1.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 1.16.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 8, 2026

dependabot Bot commented on behalf of github Jun 9, 2026


Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.
