fix(deps): update prod minor+patch#101
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
aed8359 to
12eb03d
Compare
12eb03d to
8edaa3e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^1.7.6→^1.8.0^1.1.18→^1.1.19^1.2.1→^1.2.2^2.3.2→^2.3.3^1.1.18→^1.1.19^2.1.19→^2.1.20^1.1.18→^1.1.19^2.3.2→^2.3.3^1.4.2→^1.4.3^1.3.2→^1.3.3^1.1.16→^1.1.17^1.2.11→^1.2.12^3.27.1→^3.27.3^3.27.1→^3.27.3^3.27.1→^3.27.3^3.27.1→^3.27.3^3.27.1→^3.27.3^3.27.1→^3.27.3^11.0.19→^11.0.22^6.1.3→^6.1.4^1.23.0→^1.24.0^18.0.5→^18.0.63.20.10→3.21.0^1.42.0→^1.42.1^2.17.5→^2.17.6Release Notes
floating-ui/floating-ui (@floating-ui/dom)
v1.8.0Compare Source
Minor Changes
'layoutViewport'string option torootBoundary. Unlike the visual'viewport'boundary, it remains stable while pinch-zooming or when a mobile software keyboard is open, and unlike a manually passedRectof the documentElement's client size, it accounts for space reserved byscrollbar-gutter: stable.Patch Changes
undefinedfor optional properties withexactOptionalPropertyTypeslayoutShiftrefresh throttle when the reference moved during an observer refreshscrollbar-gutter: stable both-edgesreserved spacegetClientRectswhen a virtual element without agetClientRectsmethod is used with theinline()middleware@floating-ui/core@1.8.0,@floating-ui/utils@0.2.12radix-ui/primitives (@radix-ui/react-alert-dialog)
v1.1.19@radix-ui/primitive@1.1.5,@radix-ui/react-context@1.2.0,@radix-ui/react-dialog@1.1.19radix-ui/primitives (@radix-ui/react-avatar)
v1.2.2@radix-ui/react-context@1.2.0radix-ui/primitives (@radix-ui/react-context-menu)
v2.3.3ContextMenunot re-anchoring to the latest pointer position when re-triggered while already open.Space/Enterkeys that originate from focusable descendants.@radix-ui/primitive@1.1.5,@radix-ui/react-context@1.2.0,@radix-ui/react-menu@2.1.20radix-ui/primitives (@radix-ui/react-dialog)
v1.1.19@radix-ui/react-dismissable-layer@1.1.15,@radix-ui/primitive@1.1.5,@radix-ui/react-context@1.2.0,@radix-ui/react-focus-scope@1.1.12,@radix-ui/react-presence@1.1.7radix-ui/primitives (@radix-ui/react-dropdown-menu)
v2.1.20Space/Enterkeys that originate from focusable descendants.@radix-ui/primitive@1.1.5,@radix-ui/react-context@1.2.0,@radix-ui/react-menu@2.1.20radix-ui/primitives (@radix-ui/react-popover)
v1.1.19@radix-ui/react-dismissable-layer@1.1.15,@radix-ui/primitive@1.1.5,@radix-ui/react-context@1.2.0,@radix-ui/react-focus-scope@1.1.12,@radix-ui/react-presence@1.1.7,@radix-ui/react-popper@1.3.3radix-ui/primitives (@radix-ui/react-select)
v2.3.3RadioGroup,Slider,Select, andSwitch.Space/Enterkeys that originate from focusable descendants.@radix-ui/react-dismissable-layer@1.1.15,@radix-ui/primitive@1.1.5,@radix-ui/react-context@1.2.0,@radix-ui/react-focus-scope@1.1.12,@radix-ui/react-presence@1.1.7,@radix-ui/react-collection@1.1.12,@radix-ui/react-popper@1.3.3radix-ui/primitives (@radix-ui/react-slider)
v1.4.3RadioGroup,Slider,Select, andSwitch.defaultValuethat isn't a multiple ofstepfrommin). Stepping now snaps to the next step-aligned value in the direction of travel, matching native<input type="range">behavior.@radix-ui/primitive@1.1.5,@radix-ui/react-context@1.2.0,@radix-ui/react-collection@1.1.12radix-ui/primitives (@radix-ui/react-switch)
v1.3.3RadioGroup,Slider,Select, andSwitch.@radix-ui/primitive@1.1.5,@radix-ui/react-context@1.2.0radix-ui/primitives (@radix-ui/react-tabs)
v1.1.17Space/Enterkeys that originate from focusable descendants.@radix-ui/primitive@1.1.5,@radix-ui/react-context@1.2.0,@radix-ui/react-roving-focus@1.1.15,@radix-ui/react-presence@1.1.7radix-ui/primitives (@radix-ui/react-tooltip)
v1.2.12@radix-ui/react-dismissable-layer@1.1.15,@radix-ui/primitive@1.1.5,@radix-ui/react-context@1.2.0,@radix-ui/react-presence@1.1.7,@radix-ui/react-popper@1.3.3ueberdosis/tiptap (@tiptap/core)
v3.27.3Compare Source
Patch Changes
023f98c: FixdeleteSelectionto delete content across all selection ranges instead of only the first range. This restores multi-cell table selections and other custom selections with multiple ranges.v3.27.2Compare Source
Patch Changes
ceebb31]ueberdosis/tiptap (@tiptap/extension-emoji)
v3.27.3Compare Source
Patch Changes
023f98c]v3.27.2Compare Source
Patch Changes
eb19977: Fix arrow key navigation past emoji nodes in Firefox. Previously, pressing ArrowLeft with the cursor adjacent to an inline non-selectable emoji node at a paragraph boundary would not move the cursor in Firefox. The cursor now correctly skips over emoji nodes in both directions.ceebb31]ueberdosis/tiptap (@tiptap/pm)
v3.27.3Compare Source
v3.27.2Compare Source
Patch Changes
ceebb31: Updated all ProseMirror packages to the latest publicly available versionsueberdosis/tiptap (@tiptap/react)
v3.27.3Compare Source
Patch Changes
023f98c]v3.27.2Compare Source
Patch Changes
13dfad1: Change prop types of the Tiptap component so that either theeditoror theinstancefields are requiredceebb31]ueberdosis/tiptap (@tiptap/starter-kit)
v3.27.3Compare Source
Patch Changes
023f98c]b4600b6]1f3ca7a]76a76da]v3.27.2Compare Source
Patch Changes
d3eb052]f586b6f]ceebb31]ueberdosis/tiptap (@tiptap/suggestion)
v3.27.3Compare Source
Patch Changes
023f98c]v3.27.2Compare Source
Patch Changes
ceebb31]avoidwork/filesize.js (filesize)
v11.0.22Compare Source
#312v11.0.21Compare Source
#311#308#307#310v11.0.20Compare Source
#309#304#306#303#302remarkablemark/html-react-parser (html-react-parser)
v6.1.4Compare Source
Build System
lucide-icons/lucide (lucide-react)
v1.24.0: Version 1.24.0Compare Source
What's Changed
toBeRemovedInVersionmetadata and make it optional in schema by @ericfennis with @Copilot in #4513optionicon by @jamiemlaw in #4326doticon by @cnlancehu in #4492circle-euro-signicon by @Guido3000 in #4353server-plusicon by @Turboman3000 in #4232New Contributors
Full Changelog: lucide-icons/lucide@1.23.0...1.24.0
markedjs/marked (marked)
v18.0.6Compare Source
versatica/mediasoup (mediasoup)
v3.21.0Compare Source
NotFoundError, thrown when the referenced entity in the Worker doesn't exist (PR #1852).errorsviamediasoup/errors(in EMS).InvalidStateErrortoWorkerClosedError.apostrophecms/apostrophe (sanitize-html)
v2.17.6Fixes
Security
textareaorxmp) nested inside ansvgormathroot were re-emitted without HTML-escaping.sanitize-htmltreated that content as inert raw text becausehtmlparser210.x classified raw-text elements by tag name and ignored the namespace, but a real HTML5 parser treatstextarea/xmpas ordinary foreign elements inside SVG/MathML and re-parses their contents as live markup. As a result, markup and event-handler attributes that the allowlist never permitted (for example<svg><textarea><img src=x onerror=alert(1)>) could survive sanitization and execute in the browser. This is now fixed on two fronts:htmlparser2was upgraded to 12.x, which is namespace-aware and parsestextarea/xmpinside SVG/MathML as ordinary elements, so their non-allowlisted children (such as the injectedimg) are dropped by the allowlist instead of being preserved as raw text; and any raw-text contentsanitize-htmlstill emits for these tags (at HTML integration points such asforeignObject/mtext, or outside foreign content) is always HTML-escaped. The default configuration is not affected; the precondition is anallowedTagsthat includessvgormathtogether withtextareaorxmp. Thanks to khoadb175 for responsibly disclosing the vulnerability.allowedTagsbypass affecting configurations that allow thetextareaorxmpraw-text tags.htmlparser210.x did not recognize an end tag with a trailing solidus (e.g.</textarea/>) as closing the element, so it kept the following markup as raw text, but a spec-compliant browser treats</textarea/>as a valid close and parses that markup as a live element. Because raw-text content was re-emitted without escaping, a payload such as<textarea></textarea/><img src=x onerror=...>could smuggle non-allowlisted, executable markup through the sanitizer. The default configuration was not affected. This is now defended at two layers:htmlparser2was upgraded to 12.x, whose tokenizer closes these end tags correctly, and the raw text sanitize-html emits for these tags is always escaped so no<can reopen a tag when the output is re-parsed (textarea, an RCDATA element whose entitieshtmlparser2decodes, is escaped like normal text, whilexmp, a raw-text element, has only its angle brackets escaped to avoid double-encoding already-encoded entities). Becausehtmlparser2is ESM-only from version 11 onward,sanitize-htmlnow requires Node.js>=22.12.0(the first 22.x release in whichrequire()of an ES module is available unflagged). Thanks to bibu123456 for reporting the vulnerability and Kayiz-PT for coordinating the disclosure (GHSA-jxwj-j7wr-gfrw).Configuration
📅 Schedule: (in timezone Europe/Lisbon)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.