Skip to content

build(deps): bump the patch-updates group across 1 directory with 5 updates#37

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot-npm_and_yarn-patch-updates-5ceef4adc4
Open

build(deps): bump the patch-updates group across 1 directory with 5 updates#37
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot-npm_and_yarn-patch-updates-5ceef4adc4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 14, 2026

Copy link
Copy Markdown
Contributor

Bumps the patch-updates group with 5 updates in the / directory:

Package From To
@iconify-json/material-symbols 1.2.82 1.2.84
sanitize-html 2.17.5 2.17.6
svelte 5.56.4 5.56.5
@biomejs/biome 2.5.2 2.5.3
@types/hast 3.0.4 3.0.5

Updates @iconify-json/material-symbols from 1.2.82 to 1.2.84

Commits

Updates sanitize-html from 2.17.5 to 2.17.6

Changelog

Sourced from sanitize-html's changelog.

2.17.6 (2026-07-10)

Fixes

  • Allow transformTags to emit text when textFilter is set, even if the tag is initially empty. This is consistent with the documentation. Thanks to spokodev for the fix.

Security

  • Fixed an XSS/allowlist bypass in which the contents of a raw-text element (textarea or xmp) nested inside an svg or math root were re-emitted without HTML-escaping. sanitize-html treated that content as inert raw text because htmlparser2 10.x classified raw-text elements by tag name and ignored the namespace, but a real HTML5 parser treats textarea/xmp as ordinary foreign elements inside SVG/MathML and re-parses their contents as live markup. As a result, markup and event-handler attributes that the allowlist never permitted (for example <svg><textarea><img src=x onerror=alert(1)>) could survive sanitization and execute in the browser. This is now fixed on two fronts: htmlparser2 was upgraded to 12.x, which is namespace-aware and parses textarea/xmp inside SVG/MathML as ordinary elements, so their non-allowlisted children (such as the injected img) are dropped by the allowlist instead of being preserved as raw text; and any raw-text content sanitize-html still emits for these tags (at HTML integration points such as foreignObject/mtext, or outside foreign content) is always HTML-escaped. The default configuration is not affected; the precondition is an allowedTags that includes svg or math together with textarea or xmp. Thanks to khoadb175 for responsibly disclosing the vulnerability.
  • Fixed a mutation-XSS / allowedTags bypass affecting configurations that allow the textarea or xmp raw-text tags. htmlparser2 10.x did not recognize an end tag with a trailing solidus (e.g. </textarea/>) as closing the element, so it kept the following markup as raw text, but a spec-compliant browser treats </textarea/> as a valid close and parses that markup as a live element. Because raw-text content was re-emitted without escaping, a payload such as <textarea></textarea/><img src=x onerror=...> could smuggle non-allowlisted, executable markup through the sanitizer. The default configuration was not affected. This is now defended at two layers: htmlparser2 was upgraded to 12.x, whose tokenizer closes these end tags correctly, and the raw text sanitize-html emits for these tags is always escaped so no < can reopen a tag when the output is re-parsed (textarea, an RCDATA element whose entities htmlparser2 decodes, is escaped like normal text, while xmp, a raw-text element, has only its angle brackets escaped to avoid double-encoding already-encoded entities). Because htmlparser2 is ESM-only from version 11 onward, sanitize-html now requires Node.js >=22.12.0 (the first 22.x release in which require() of an ES module is available unflagged). Thanks to bibu123456 for reporting the vulnerability and Kayiz-PT for coordinating the disclosure (GHSA-jxwj-j7wr-gfrw).
Commits

Updates svelte from 5.56.4 to 5.56.5

Release notes

Sourced from svelte's releases.

svelte@5.56.5

Patch Changes

  • chore: drop dead code that make TSGO fail (#18496)

  • fix: don't (re)connect deriveds when read inside branch/root effects (#18527)

  • fix: skip unnecessary derived effect in earlier batch (#18525)

  • fix: avoid declaration tag warning in event handlers (#18500)

  • fix: abort deriveds own AbortSignal when it disconnects (#18400)

  • fix: ensure $state.eager() is correctly transormed for SSR output (#18530)

  • fix: correctly transform declaration tags during SSR (#18492)

  • fix: transform computed keys in keyed {#each} destructuring patterns (#18521)

  • fix: chain preprocessor sourcemaps with an empty sources[0] instead of dropping them (#18518)

  • fix: clear previous_task reference after abort in Tween to prevent memory leak on interrupted tweens (#18541)

  • fix: don't treat declaration tags as parts inside each blocks (#18507)

Changelog

Sourced from svelte's changelog.

5.56.5

Patch Changes

  • chore: drop dead code that make TSGO fail (#18496)

  • fix: don't (re)connect deriveds when read inside branch/root effects (#18527)

  • fix: skip unnecessary derived effect in earlier batch (#18525)

  • fix: avoid declaration tag warning in event handlers (#18500)

  • fix: abort deriveds own AbortSignal when it disconnects (#18400)

  • fix: ensure $state.eager() is correctly transormed for SSR output (#18530)

  • fix: correctly transform declaration tags during SSR (#18492)

  • fix: transform computed keys in keyed {#each} destructuring patterns (#18521)

  • fix: chain preprocessor sourcemaps with an empty sources[0] instead of dropping them (#18518)

  • fix: clear previous_task reference after abort in Tween to prevent memory leak on interrupted tweens (#18541)

  • fix: don't treat declaration tags as parts inside each blocks (#18507)

Commits
  • 602a873 Version Packages (#18497)
  • a4fd67e fix: $state.eager() is sometimes incorrect in SSR (#18530)
  • 199ffeb fix: clear previous_task reference after abort in Tween (#18541)
  • edeef1f chore: add some failing tests (#18528)
  • a91b068 fix: abort deriveds own AbortSignal when it disconnects (#18400)
  • b4d1583 fix: transform computed keys in keyed each block destructuring patterns (#18521)
  • 08a9e9e fix: prevent derived connection leak in untracked contexts (#18517)
  • bfbb026 fix: skip unnecessary derived effect in earlier batch (#18525)
  • 5edd8b0 fix: chain preprocessor sourcemaps with an empty sources[0] (#18518)
  • 41642b7 fix: avoid declaration tag warning in event handlers (#18500)
  • Additional commits viewable in compare view

Updates @biomejs/biome from 2.5.2 to 2.5.3

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.5.3

2.5.3

Patch Changes

  • #10815 86613d5 Thanks @​WaterWhisperer! - Fixed a parser panic reported in #10708: Biome now recovers when unsupported CSS Modules @value rules or scoped @keyframes names end at EOF.

  • #10534 da9b403 Thanks @​Mokto! - Fixed noUnusedVariables false positives in Svelte files: Svelte store subscriptions ($store references in templates now keep the underlying store binding from being flagged), and $bindable() props that are only written to in the script block (write-only is intentional for bindable props) are no longer reported as unused.

  • #10827 098ba41 Thanks @​Aqu1bp! - Fixed #10698: The noUnsafeOptionalChaining rule now reports unsafe optional chains wrapped in TypeScript as, satisfies, type assertion, and instantiation expressions, such as new (value?.constructor as Constructor)().

  • #10773 3c6513d Thanks @​otkrickey! - Fixed #10772: useVueValidVOn no longer reports a missing handler for v-on directives using a verb modifier (.stop / .prevent) without an expression, e.g. <div @click.stop></div>. The rule also accepts the arg-less object syntax <div v-on="$listeners"></div> instead of reporting a missing event name.

  • #10721 d83c66b Thanks @​minseong0324! - Improved type-aware lint rule inference for built-in globals and indexed function calls. Biome now resolves Error(...), new Error(...), optional Error#stack, and calls through indexed function values such as handlers[0](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome/issues/0) more accurately.

  • #10865 6450276 Thanks @​ematipico! - Fixed #10845. Biome Language Server no longer goes in deadlock when the scanner is enabled.

  • #10853 93d8e53 Thanks @​Netail! - Fixed #10840: Astro shorthand attribute syntax is now correctly being parsed from embedded nodes.

  • #10820 bba3092 Thanks @​JamBalaya56562! - Fixed #10619: noProcessEnv now also reports computed (bracket) member access. Previously only dot access was checked, so process["env"] and env["NODE_ENV"] (where env is imported from node:process) were missed. Both static and computed accesses are now reported.

  • #10835 3447b2f Thanks @​dyc3! - Fixed #10824: useDomQuerySelector now supports an ignore option for receiver identifiers that should not be reported.

  • #10875 b12e486 Thanks @​dyc3! - Fixed #10795: --profile-rules now reports timings for each plugin separately as plugin/<pluginName>, matching the naming used by plugin suppressions, instead of aggregating all plugins under a single plugin/plugin entry.

  • #10877 d6bc447 Thanks @​ematipico! - Fixed biome-zed#164: Biome no longer inserts stray whitespace when format-on-type runs after closing delimiters such as ), ], and }.

  • #10867 a21463e Thanks @​dyc3! - Fixed #10864: Biome no longer crashes when checking or linting HTML files with unquoted attribute values such as <textarea rows=4></textarea>.

What's Changed

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.5.3

Patch Changes

  • #10815 86613d5 Thanks @​WaterWhisperer! - Fixed a parser panic reported in #10708: Biome now recovers when unsupported CSS Modules @value rules or scoped @keyframes names end at EOF.

  • #10534 da9b403 Thanks @​Mokto! - Fixed noUnusedVariables false positives in Svelte files: Svelte store subscriptions ($store references in templates now keep the underlying store binding from being flagged), and $bindable() props that are only written to in the script block (write-only is intentional for bindable props) are no longer reported as unused.

  • #10827 098ba41 Thanks @​Aqu1bp! - Fixed #10698: The noUnsafeOptionalChaining rule now reports unsafe optional chains wrapped in TypeScript as, satisfies, type assertion, and instantiation expressions, such as new (value?.constructor as Constructor)().

  • #10773 3c6513d Thanks @​otkrickey! - Fixed #10772: useVueValidVOn no longer reports a missing handler for v-on directives using a verb modifier (.stop / .prevent) without an expression, e.g. <div @click.stop></div>. The rule also accepts the arg-less object syntax <div v-on="$listeners"></div> instead of reporting a missing event name.

  • #10721 d83c66b Thanks @​minseong0324! - Improved type-aware lint rule inference for built-in globals and indexed function calls. Biome now resolves Error(...), new Error(...), optional Error#stack, and calls through indexed function values such as handlers[0](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome/issues/0) more accurately.

  • #10865 6450276 Thanks @​ematipico! - Fixed #10845. Biome Language Server no longer goes in deadlock when the scanner is enabled.

  • #10853 93d8e53 Thanks @​Netail! - Fixed #10840: Astro shorthand attribute syntax is now correctly being parsed from embedded nodes.

  • #10820 bba3092 Thanks @​JamBalaya56562! - Fixed #10619: noProcessEnv now also reports computed (bracket) member access. Previously only dot access was checked, so process["env"] and env["NODE_ENV"] (where env is imported from node:process) were missed. Both static and computed accesses are now reported.

  • #10835 3447b2f Thanks @​dyc3! - Fixed #10824: useDomQuerySelector now supports an ignore option for receiver identifiers that should not be reported.

  • #10875 b12e486 Thanks @​dyc3! - Fixed #10795: --profile-rules now reports timings for each plugin separately as plugin/<pluginName>, matching the naming used by plugin suppressions, instead of aggregating all plugins under a single plugin/plugin entry.

  • #10877 d6bc447 Thanks @​ematipico! - Fixed biome-zed#164: Biome no longer inserts stray whitespace when format-on-type runs after closing delimiters such as ), ], and }.

  • #10867 a21463e Thanks @​dyc3! - Fixed #10864: Biome no longer crashes when checking or linting HTML files with unquoted attribute values such as <textarea rows=4></textarea>.

Commits

Updates @types/hast from 3.0.4 to 3.0.5

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…pdates

Bumps the patch-updates group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@iconify-json/material-symbols](https://github.com/iconify/icon-sets) | `1.2.82` | `1.2.84` |
| [sanitize-html](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html) | `2.17.5` | `2.17.6` |
| [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte) | `5.56.4` | `5.56.5` |
| [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) | `2.5.2` | `2.5.3` |
| [@types/hast](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/hast) | `3.0.4` | `3.0.5` |



Updates `@iconify-json/material-symbols` from 1.2.82 to 1.2.84
- [Commits](https://github.com/iconify/icon-sets/commits)

Updates `sanitize-html` from 2.17.5 to 2.17.6
- [Changelog](https://github.com/apostrophecms/apostrophe/blob/main/packages/sanitize-html/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/apostrophe/commits/HEAD/packages/sanitize-html)

Updates `svelte` from 5.56.4 to 5.56.5
- [Release notes](https://github.com/sveltejs/svelte/releases)
- [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.56.5/packages/svelte)

Updates `@biomejs/biome` from 2.5.2 to 2.5.3
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.5.3/packages/@biomejs/biome)

Updates `@types/hast` from 3.0.4 to 3.0.5
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/hast)

---
updated-dependencies:
- dependency-name: "@iconify-json/material-symbols"
  dependency-version: 1.2.84
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: sanitize-html
  dependency-version: 2.17.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: svelte
  dependency-version: 5.56.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: "@biomejs/biome"
  dependency-version: 2.5.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: "@types/hast"
  dependency-version: 3.0.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 14, 2026
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
❌ Deployment failed
View logs
blog 3be69f9 Jul 14 2026, 06:26 PM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants