chore(deps): bump the npm-security group across 1 directory with 5 updates by dependabot[bot] · Pull Request #251 · obbyworld/obby

dependabot · 2026-06-09T18:11:52Z

Bumps the npm-security group with 4 updates in the / directory: vitest, brace-expansion, minimatch and lodash.

Updates vitest from 3.2.4 to 4.1.8

Release notes

v4.1.8

   🐞 Bug Fixes

browser:

Disable client cdp API when allowWrite/allowExec: false [backport to v4] - by @hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)

Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4] - by @toxik and @Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

runner: Limit concurrency per task branch in addition to per leaf callbacks (backport) - by @hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

browser: Provide project reference in ToMatchScreenshotResolvePath - by @macarie and @sheremet-va in vitest-dev/vitest#10138 (31882)

Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options - by @hi-ogawa, Codex and @sheremet-va in vitest-dev/vitest#10196 (2847d)

browser: Simplify orchestrator otel carrier - by @hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

Stringify diff objects only once - by @sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

v4.1.5

   🚀 Experimental Features

coverage: Istanbul to support instrumenter option - by @BartWaardenburg and @AriPerkkio in vitest-dev/vitest#10119 (0e0ff)

   🐞 Bug Fixes

--project negation excludes browser instances - by @felamaslen in vitest-dev/vitest#10131 (9423d)

Project color label on html reporter - by @hi-ogawa in vitest-dev/vitest#10142 (596f7)

Fix vi.defineHelper called as object method - by @hi-ogawa in vitest-dev/vitest#10163 (122c2)

Alias agent reporter to minimal - by @sheremet-va in vitest-dev/vitest#10157 (663b9)

Respect diff config options in soft assertions - by @Copilot, sheremet-va and @sheremet-va in vitest-dev/vitest#8696 (9787d)

Respect diff config options in soft assertions " - by @sheremet-va in vitest-dev/vitest#8696 (7dc6d)

ast-collect: Recognize _vi_import prefix in static test discovery - by @Yejneshwar in vitest-dev/vitest#10129 (32546)

coverage: Descriptive error message when reports directory is removed during test run - by @DaveT1991 and @AriPerkkio in vitest-dev/vitest#10117 (14133)

snapshot: Increase default snapshot max output length - by @hi-ogawa and Codex in vitest-dev/vitest#10150 (21e66)

ui: Fix jsx/tsx syntax highlight - by @hi-ogawa in vitest-dev/vitest#10152 (f1b1f)

web-worker: Support MessagePort objects referenced inside postMessage data - by @whitphx and Claude Opus 4.6 (1M context) in vitest-dev/vitest#9927 and vitest-dev/vitest#10124 (7ad7d)

api: Make test-specification options writable - by @sheremet-va in vitest-dev/vitest#10154 (6abd5)

    View changes on GitHub

... (truncated)

Commits

e61f2dd chore: release v4.1.8
e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
a09d472 chore: release v4.1.7
a8fd24c chore: release v4.1.6
18af98c fix(browser): simplify orchestrator otel carrier (#10285)
3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
e399846 chore: release v4.1.5
7dc6d54 Revert "fix: respect diff config options in soft assertions (#8696)"
9787ded fix: respect diff config options in soft assertions (#8696)
325463a fix(ast-collect): recognize _vi_import prefix in static test discovery (#10...
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.

Updates brace-expansion from 1.1.12 to 1.1.15

Release notes

Sourced from brace-expansion's releases.

v1.1.15

Backport v5.0.6 change to v1 (#111) 0b09384

juliangruber/brace-expansion@v1.1.14...v1.1.15

Commits

2203f4f 1.1.15
0b09384 Backport v5.0.6 change to v1 (#111)
10c05fc 1.1.14
1afa1b2 Add opt-in { max } mitigation to v1 legacy line (#103)
2fbb6a2 Revert "Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)" (#102)
0d7652e Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)
6c353ca 1.1.13
7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
See full diff in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

3bf0909 3.4.2
885ddcc fix CWE-1321
0bdba70 added flatted-view to the benchmark
2a02dce 3.4.1
fba4e8f Merge pull request #89 from WebReflection/python-fix
5fe8648 added "when in Rome" also a test for PHP
53517ad some minor improvement
b3e2a0c Fixing recursion issue in Python too
c4b46db Add SECURITY.md for security policy and reporting
f86d071 Create dependabot.yml for version updates
Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

lodash: lodash/lodash@4.18.0-npm...4.18.1-npm

lodash-es: lodash/lodash@4.18.0-es...4.18.1-es

lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd

lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

Add security notice for _.template in threat model and API docs (#6099)

Document lower > upper behavior in _.random (#6115)

Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

lodash.orderby

lodash.tonumber

lodash.trim

lodash.trimend

lodash.sortedindexby

lodash.zipobjectdeep

lodash.unset

lodash.omit

lodash.template

Commits

cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
75535f5 chore: prune stale advisory refs (#6170)
62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
59be2de release(minor): bump to 4.18.0 (#6161)
af63457 fix: broken tests for _.template 879aaa9
1073a76 fix: linting issues
879aaa9 fix: validate imports keys in _.template
fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
b819080 ci: add dist sync validation workflow (#6137)
Additional commits viewable in compare view

…dates Bumps the npm-security group with 4 updates in the / directory: [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest), [brace-expansion](https://github.com/juliangruber/brace-expansion), [minimatch](https://github.com/isaacs/minimatch) and [lodash](https://github.com/lodash/lodash). Updates `vitest` from 3.2.4 to 4.1.8 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.8/packages/vitest) Updates `brace-expansion` from 1.1.12 to 1.1.15 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v1.1.12...v1.1.15) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `lodash` from 4.17.21 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.18.1) --- updated-dependencies: - dependency-name: brace-expansion dependency-version: 1.1.15 dependency-type: indirect dependency-group: npm-security - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm-security - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect dependency-group: npm-security - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm-security - dependency-name: vitest dependency-version: 4.1.8 dependency-type: direct:development dependency-group: npm-security ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file npm labels Jun 9, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-security-94adb182db branch from 3e5140b to f03dca7 Compare June 15, 2026 06:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm-security group across 1 directory with 5 updates#251

chore(deps): bump the npm-security group across 1 directory with 5 updates#251
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-security-94adb182db

dependabot Bot commented on behalf of github Jun 9, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v4.1.8

🐞 Bug Fixes

View changes on GitHub

v4.1.7

🐞 Bug Fixes

View changes on GitHub

v4.1.6

🐞 Bug Fixes

🏎 Performance

View changes on GitHub

v4.1.5

🚀 Experimental Features

🐞 Bug Fixes

View changes on GitHub

v1.1.15

4.18.1

Bugs

4.18.0

v4.18.0

Security

Docs

lodash.* modular packages

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Jun 9, 2026 •

edited

Loading

`lodash.*` modular packages