chore(deps): bump the npm_and_yarn group across 1 directory with 21 updates

[dependabot]

Bumps the npm_and_yarn group with 16 updates in the / directory:

Package	From	To
storybook	10.2.8	10.2.10
vite	7.3.1	7.3.2
brace-expansion	5.0.2	5.0.6
brace-expansion	1.1.12	1.1.14
minimatch	10.2.0	10.2.5
minimatch	3.1.2	3.1.5
ajv	8.17.1	8.20.0
ajv	6.12.6	6.15.0
hono	4.11.9	4.12.18
srvx	0.9.6	0.11.15
srvx	0.11.4	0.11.15
nitro	3.0.1-alpha.1	3.0.260429-beta
picomatch	4.0.3	4.0.4
picomatch	2.3.1	2.3.2
diff	8.0.2	8.0.4
diff	4.0.2	4.0.4
express-rate-limit	8.2.1	8.5.1
fast-uri	3.1.0	3.1.2
flatted	3.3.3	3.4.2
lodash	4.17.21	4.18.1
path-to-regexp	8.3.0	8.4.2
undici	7.22.0	7.25.0

Updates storybook from 10.2.8 to 10.2.10

Release notes

Sourced from storybook's releases.

v10.2.10

10.2.10

• Core: Require token for websocket connections - #33820, thanks @​ghengeveld!

v10.2.9

10.2.9

• Addon-Vitest: Improve config file detection in monorepos - #33814, thanks @​valentinpalkovic!
• Builder-Vite: Update dependencies react-vite framework - #33810, thanks @​valentinpalkovic!
• Builder-Vite: Use relative path for mocker entry in production builds - #33792, thanks @​DukeDeSouth!
• Next.js: Fix Link component override in appDirectory configuration - #31251, thanks @​yatishgoel!

Changelog

Sourced from storybook's changelog.

10.2.10

• Core: Require token for websocket connections - #33820, thanks @​ghengeveld!

10.2.9

• Addon-Vitest: Improve config file detection in monorepos - #33814, thanks @​valentinpalkovic!
• Builder-Vite: Update dependencies react-vite framework - #33810, thanks @​valentinpalkovic!
• Builder-Vite: Use relative path for mocker entry in production builds - #33792, thanks @​DukeDeSouth!
• Next.js: Fix Link component override in appDirectory configuration - #31251, thanks @​yatishgoel!

Commits

• c812573 Bump version from "10.2.9" to "10.2.10" [skip ci]
• fd275fb Merge pull request #33820 from storybookjs/harden-websocket-security
• 4cdde82 Bump version from "10.2.8" to "10.2.9" [skip ci]
• See full diff in compare view

Updates vite from 7.3.1 to 7.3.2

Release notes

Sourced from vite's releases.

v7.3.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.2 (2026-04-06)

Bug Fixes

• avoid path traversal with optimize deps sourcemap handler (#22161) (09d8c90)
• backport #22159, apply server.fs check to env transport (#22162) (19db0f2)
• check server.fs after stripping query as well (#22160) (f8103cc)

Commits

• cc383e0 release: v7.3.2
• 09d8c90 fix: avoid path traversal with optimize deps sourcemap handler (#22161)
• f8103cc fix: check server.fs after stripping query as well (#22160)
• 19db0f2 fix: backport #22159, apply server.fs check to env transport (#22162)
• See full diff in compare view

Updates brace-expansion from 5.0.2 to 5.0.6

Commits

• 46317b5 5.0.6
• c0b095b Merge commit from fork
• ec56020 Bump picomatch from 4.0.3 to 4.0.4 (#93)
• 8793901 5.0.5
• 9a02af5 Merge commit from fork
• daa71bc Bump tar from 7.5.10 to 7.5.11 (#92)
• 799e5f7 Bump tar from 7.5.9 to 7.5.10 (#90)
• 012c230 5.0.4
• 243c491 Fix handling of brackets. Closes #87
• 609f858 Correct incorrect brace-expansion import (#89)
• Additional commits viewable in compare view

Updates brace-expansion from 1.1.12 to 1.1.14

Commits

• 46317b5 5.0.6
• c0b095b Merge commit from fork
• ec56020 Bump picomatch from 4.0.3 to 4.0.4 (#93)
• 8793901 5.0.5
• 9a02af5 Merge commit from fork
• daa71bc Bump tar from 7.5.10 to 7.5.11 (#92)
• 799e5f7 Bump tar from 7.5.9 to 7.5.10 (#90)
• 012c230 5.0.4
• 243c491 Fix handling of brackets. Closes #87
• 609f858 Correct incorrect brace-expansion import (#89)
• Additional commits viewable in compare view

Updates minimatch from 10.2.0 to 10.2.5

Commits

• 693c823 10.2.5
• 7953af1 do not allow .. to consume drive letter on Windows
• 1caf918 lint and format
• 7783ed6 ignore docs
• 6d9b356 update deps etc
• c36addb 10.2.4
• 26b9002 docs: add warning about ReDoS
• 3a0d83b fix partial matching of globstar patterns
• ea94840 10.2.3
• 0873fba update deps
• Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 693c823 10.2.5
• 7953af1 do not allow .. to consume drive letter on Windows
• 1caf918 lint and format
• 7783ed6 ignore docs
• 6d9b356 update deps etc
• c36addb 10.2.4
• 26b9002 docs: add warning about ReDoS
• 3a0d83b fix partial matching of globstar patterns
• ea94840 10.2.3
• 0873fba update deps
• Additional commits viewable in compare view

Updates ajv from 8.17.1 to 8.20.0

Release notes

Sourced from ajv's releases.

v8.20.0

What's Changed

• fix: add support for node 22/24, drop node 16/21 by @​jasoniangreen in ajv-validator/ajv#2580
• fix: add ES2022.RegExp for RegExpIndicesArray by @​SignpostMarv in ajv-validator/ajv#2604

Full Changelog: ajv-validator/ajv@v8.19.0...v8.20.0

v8.19.0

What's Changed

• fix prototype pollution via format keyword using $data ref by @​epoberezkin in ajv-validator/ajv#2607

Full Changelog: ajv-validator/ajv@v8.18.0...v8.19.0

v8.18.0

What's Changed

• feat: allow tree-shaking by adding "sideEffects": false to package.json by @​josdejong in ajv-validator/ajv#2480
• fix: #2482 Infinity and NaN serialise to null by @​jasoniangreen in ajv-validator/ajv#2487
• fix: small grammatical error in managing-schemas.md by @​monteiro-renato in ajv-validator/ajv#2508
• fix: typos in schema-language.md by @​monteiro-renato in ajv-validator/ajv#2507
• fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @​epoberezkin in ajv-validator/ajv#2586

New Contributors

• @​josdejong made their first contribution in ajv-validator/ajv#2480
• @​monteiro-renato made their first contribution in ajv-validator/ajv#2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

Commits

• 0fba0b8 8.20.0
• 9caf8d6 fix: add ES2022.RegExp for RegExpIndicesArray; fixes ajv-validator/ajv#2603 (...
• 2065350 fix: add support for node 22/24, drop node 16/21 (#2580)
• 154b58d 8.19.0
• e8d2bdc test/fix prototype pollution via $data ref with format keyword (#2607)
• 142ce84 8.18.0
• 720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
• 82735a1 fix: typos in schema-language.md (#2507)
• b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
• 69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
• Additional commits viewable in compare view

Updates ajv from 6.12.6 to 6.15.0

Release notes

Sourced from ajv's releases.

v8.20.0

What's Changed

• fix: add support for node 22/24, drop node 16/21 by @​jasoniangreen in ajv-validator/ajv#2580
• fix: add ES2022.RegExp for RegExpIndicesArray by @​SignpostMarv in ajv-validator/ajv#2604

Full Changelog: ajv-validator/ajv@v8.19.0...v8.20.0

v8.19.0

What's Changed

• fix prototype pollution via format keyword using $data ref by @​epoberezkin in ajv-validator/ajv#2607

Full Changelog: ajv-validator/ajv@v8.18.0...v8.19.0

v8.18.0

What's Changed

• feat: allow tree-shaking by adding "sideEffects": false to package.json by @​josdejong in ajv-validator/ajv#2480
• fix: #2482 Infinity and NaN serialise to null by @​jasoniangreen in ajv-validator/ajv#2487
• fix: small grammatical error in managing-schemas.md by @​monteiro-renato in ajv-validator/ajv#2508
• fix: typos in schema-language.md by @​monteiro-renato in ajv-validator/ajv#2507
• fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @​epoberezkin in ajv-validator/ajv#2586

New Contributors

• @​josdejong made their first contribution in ajv-validator/ajv#2480
• @​monteiro-renato made their first contribution in ajv-validator/ajv#2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

Commits

• 0fba0b8 8.20.0
• 9caf8d6 fix: add ES2022.RegExp for RegExpIndicesArray; fixes ajv-validator/ajv#2603 (...
• 2065350 fix: add support for node 22/24, drop node 16/21 (#2580)
• 154b58d 8.19.0
• e8d2bdc test/fix prototype pollution via $data ref with format keyword (#2607)
• 142ce84 8.18.0
• 720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
• 82735a1 fix: typos in schema-language.md (#2507)
• b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
• 69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
• Additional commits viewable in compare view

Updates hono from 4.11.9 to 4.12.18

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

---

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

• fix(jsx): normalize SVG attributes on the root element by @​kfly8 in honojs/hono#4893
• fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @​yuintei in honojs/hono#4899
• fix(cors): make origin optional in CORSOptions by @​truffle-dev in honojs/hono#4905
• fix(types): propagate middleware response types to app.on overloads by @​T4ko0522 in honojs/hono#4906

New Contributors

• @​kfly8 made their first contribution in honojs/hono#4893
• @​truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

• fix(jwt): support single-line PEM keys by @​hiendv in honojs/hono#4889

... (truncated)

Commits

• f10dee8 4.12.18
• a5bd9eb Merge commit from fork
• 58d3d3a Merge commit from fork
• 568c2ec Merge commit from fork
• ff2b3d3 4.12.17
• 52aaaf9 fix(types): propagate middleware response types to app.on overloads (#4906)
• 76d5589 fix(cors): make origin optional in CORSOptions (#4905)
• 8f027e5 fix(ssg): add atom+xml and rss+xml to defaultExtensionMap (#4899)
• bfba97c fix(jsx): normalize SVG attributes on the <svg> root element (#4893)
• 90d4182 4.12.16
• Additional commits viewable in compare view

Updates srvx from 0.9.6 to 0.11.15

Release notes

Sourced from srvx's releases.

v0.11.15

compare changes

🩹 Fixes

• node/web: Do not swallow getReader errors (#199)

❤️ Contributors

• Joël Charles (@​magne4000)

v0.11.14

compare changes

🩹 Fixes

• node: Handle EADDRINUSE port conflict on serve (#197)

❤️ Contributors

• Neko (@​nekomeowww)

v0.11.13

compare changes

🩹 Fixes

• url: Deopt absolute URIs in FastURL (de0d699)

v0.11.12

compare changes

🩹 Fixes

• node: Improve pipeBody stability and performance (4051f22)

v0.11.11

compare changes

🩹 Fixes

• node: Handle duck-typed pipe objects in pipeBody (5e731ef, f746e79)

v0.11.10

compare changes

🩹 Fixes

• node: Handle error and abort propagation for piped Node.js streams (77f879b)
• node: Fallback to socket address on invalid Host header (#192)

... (truncated)

Changelog

Sourced from srvx's changelog.

v0.11.15

compare changes

🩹 Fixes

• node/web: Do not swallow getReader errors (#199)

❤️ Contributors

• Joël Charles (@​magne4000)

v0.11.14

compare changes

🩹 Fixes

• node: Handle EADDRINUSE port conflict on serve (#197)

🏡 Chore

• Update deps (645b261)

❤️ Contributors

• Neko (@​nekomeowww)
• Pooya Parsa (@​pi0)

v0.11.13

compare changes

🩹 Fixes

• url: Deopt absolute URIs in FastURL (de0d699)

🏡 Chore

• Update deps (4e6ace6)
• Update deps (6a72a00)
• Fix type issue (ed8cc2b)
• Apply automated updates (7375fed)
• Update deps (8f4bc4f)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.11.12

... (truncated)

Commits

• ba8d059 chore(release): v0.11.15
• 76cb641 fix(node/web): do not swallow getReader errors (#199)
• a27fcbb chore(release): v0.11.14
• 0e4f29b fix(node): handle EADDRINUSE port conflict on serve (#197)
• 645b261 chore: update deps
• e19649a chore(release): v0.11.13
• 8f4bc4f chore: update deps
• 7375fed chore: apply automated updates
• ed8cc2b chore: fix type issue
• 6a72a00 chore: update deps
• Additional commits viewable in compare view

Updates srvx from 0.11.4 to 0.11.15

Release notes

Sourced from srvx's releases.

v0.11.15

compare changes

🩹 Fixes

• node/web: Do not swallow getReader errors (#199)

❤️ Contributors

• Joël Charles (@​magne4000)

v0.11.14

compare changes

🩹 Fixes

• node: Handle EADDRINUSE port conflict on serve (#197)

❤️ Contributors

• Neko (@​nekomeowww)

v0.11.13

compare changes

🩹 Fixes

• url: Deopt absolute URIs in FastURL (de0d699)

v0.11.12

compare changes

🩹 Fixes

• node: Improve pipeBody stability and performance (4051f22)

v0.11.11

compare changes

🩹 Fixes

• node: Handle duck-typed pipe objects in pipeBody (5e731ef, f746e79)

v0.11.10

compare changes

🩹 Fixes

• node: Handle error and abort propagation for piped Node.js streams (77f879b)
• node: Fallback to socket address on invalid Host header (#192)

... (truncated)

Changelog

Sourced from srvx's changelog.

v0.11.15

compare changes

🩹 Fixes

• node/web: Do not swallow getReader errors (#199)

❤️ Contributors

• Joël Charles (@​magne4000)

v0.11.14

compare changes

🩹 Fixes

• node: Handle EADDRINUSE port conflict on serve (#197)

🏡 Chore

• Update deps (645b261)

❤️ Contributors

• Neko (@​nekomeowww)
• Pooya Parsa (@​pi0)

v0.11.13

compare changes

🩹 Fixes

• url: Deopt absolute URIs in FastURL (de0d699)

🏡 Chore

• Update deps (4e6ace6)
• Update deps (6a72a00)
• Fix type issue (ed8cc2b)
• Apply automated updates (7375fed)
• Update deps (8f4bc4f)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.11.12

... (truncated)

Commits

• ba8d059 chore(release): v0.11.15
• 76cb641 fix(node/web): do not swallow getReader errors (#199)
• a27fcbb chore(release): v0.11.14
• 0e4f29b fix(node): handle EADDRINUSE port conflict on serve (#197)
• 645b261 chore: update deps
• e19649a chore(release): v0.11.13
• 8f4bc4f chore: update deps
• 7375fed chore: apply automated updates
• ed8cc2b chore: fix type issue
• 6a72a00 chore: update deps
• Additional commits viewable in compare view

Updates nitro from 3.0.1-alpha.1 to 3.0.260429-beta

Release notes

Sourced from nitro's releases.

v3.0.260429-beta

compare changes

[!IMPORTANT] This release patches two medium-severity vulnerabilities in proxy and redirect route rules. Users relying on either are strongly encouraged to upgrade. See GHSA-5w89-w975-hf9q and GHSA-9phm-9p8f-hw5m for details.

🚀 Enhancements

• tracing: Enable tracing channels for unstorage (#4226)

🩹 Fixes

• Accept ipv4-mapped ipv6 loopback in vfs handler (#4212)
• route-rules: Reject out-of-scope requests (#4222)
• route-rules: Prevent open redirect via protocol-relative url bypass (#4236)
• vite: Route browser asset loads to vite when sec-fetch-dest is absent (#4238)

💅 Refactors

• Use built-in escapeRegExp util (#4109)

📖 Documentation

• cache: Add invalidation usage (#4216)
• Improve jsdocs (#4199)

📦 Build

• Shim oxc-parser via rolldown/utils (#4237)

🌊 Types

• vite: Make experimental.vite type optional (#4225)

Preset Changes

• cloudflare: Add missing types for cloudflare.wrangler.observability.traces (#4220)
• vercel: Enable shouldAddSourcemapSupport when sourcemap is enabled (#4232)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Rihan Arfan (@​RihanArfan)
• Ofer Shapira (@​ofershap)
• Abdelrahman Awad (@​logaretm)
• Sōta (@​sotasan)
• Btea (@​btea)
• Restent Ou (@​gxres042)

v3.0.260415-beta

... (truncated)

Commits

• c467f13 v3.0.260429-beta
• 1281d4b chore: update release script
• 6016153 fix(vite): route browser asset loads to vite when sec-fetch-dest is absent (#...
• a9305f0 presets(vercel): enable shouldAddSourcemapSupport when sourcemap is enabled...
• a027ae8 build: shim oxc-parser via rolldown/utils (#4237)
• f92e684 chore: apply automated updates
• 112e215 chore: basic dist-diff script
• 932f628 chore: ignore vite7 from pnpm outdated
• 705069f chore: update deps
• bc1dd9d fix(route-rules): prevent open redirect via protocol-relative url bypass (#4236)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for nitro since your current version.

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates defu from 6.1.4 to 6.1.7

Release notes

Sourced from defu's releases.

v6.1.7

compare changes

📦 Build

• Correct the types export entry (#160)
• Export Defu types (#157)

❤️ Contributors

• Jakub Michálek (@​J-Michalek)
• Kricsleo (@​kricsleo)

v6.1.6

compare changes

📦 Build

• Fix mixed types (407b516)

v6.1.5

compare changes

🩹 Fixes

• Prevent prototype pollution via __proto__ in defaults (#156)
• Ignore inherited enumerable properties (11ba022)

✅ Tests

• Add more tests for plain objects (b65f603)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Kricsleo (@​kricsleo)

Changelog

Sourced from defu's changelog.

v6.1.7

compare changes

🩹 Fixes

• defu.d.cts: Export Defu types (#157)

📦 Build

• Correct the types export entry (#160)

❤️ Contributors

• Jakub Michálek (@​J-Michalek)
• Kricsleo (@​kricsleo)

v6.1.6

compare changes

📦 Build

• Fix mixed types (407b516)

❤️ Contributors

• Pooya Parsa (@​pi0)

v6.1.5

compare changes

🩹 Fixes

• Prevent prototype pollution via __proto__ in defaults (#156)
• Ignore inherited enumerable properties (11ba022)

🏡 Chore

• Add tea.yaml (70cffe5)
• Update repo (23cc432)
• Fix typecheck (89df6bb)

✅ Tests

• Add more tests for plain objects (b65f603)

🤖 CI

... (truncated)

Commits

• 80c0146 chore(release): v6.1.7
• 40d7ef4 fix(defu.d.cts): export Defu types (#157)
• 3d3a7c8 build: correct the types export entry (#160)
• 001c290 chore(release): v6.1.6
• 407b516 build: fix mixed types
• 23e59e6 chore(release): v6.1.5
• 11ba022 fix: ignore inherited enumerable properties
• 3942bfb fix: prevent prototype pollution via __proto__ in defaults (#156)
• d3ef16d chore(deps): update actions/checkout action to v6 (#151)
• 869a053 chore(deps): update actions/setup-node action to v6 (#149)
• Additional commits viewable in

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
pek-infinity	Ready	Preview, Comment	May 9, 2026 2:45am