chore(deps): bump the npm_and_yarn group across 1 directory with 9 updates

[dependabot]

Bumps the npm_and_yarn group with 9 updates in the / directory:

Package	From	To
semver	7.6.3	7.7.0
postcss	8.4.49	8.5.0
vue-i18n	9.14.0	11.0.1
vite	5.4.11	5.4.12
@intlify/core	9.14.0	9.14.2
cross-spawn	6.0.5	6.0.6
nanoid	3.3.7	3.3.8
store2	2.14.3	2.14.4
undici	5.28.4	5.28.5

Updates semver from 7.6.3 to 7.7.0

Release notes

Sourced from semver's releases.

v7.7.0

7.7.0 (2025-01-29)

Features

• 0864b3c #753 add "release" inc type (#753) (@​mbtools)

Bug Fixes

• d588e37 #755 diff: fix prerelease to stable version diff logic (#755) (@​eminberkayd, berkay.daglar)
• 8a34bde #754 add identifier validation to inc() (#754) (@​mbtools)

Documentation

• 67e5478 #756 readme: added missing period for consistency (#756) (@​shaymolcho)
• 868d4bb #749 clarify comment about obsolete prefixes (#749) (@​mbtools, @​ljharb)

Chores

• 145c554 #741 bump @​npmcli/eslint-config from 4.0.5 to 5.0.0 (@​dependabot[bot])
• 753e02b #747 bump @​npmcli/template-oss from 4.23.3 to 4.23.4 (#747) (@​dependabot[bot], @​npm-cli-bot)
• 0b812d5 #744 postinstall for dependabot template-oss PR (@​hashtagchris)

Changelog

Sourced from semver's changelog.

7.7.0 (2025-01-29)

Features

• 0864b3c #753 add "release" inc type (#753) (@​mbtools)

Bug Fixes

• d588e37 #755 diff: fix prerelease to stable version diff logic (#755) (@​eminberkayd, berkay.daglar)
• 8a34bde #754 add identifier validation to inc() (#754) (@​mbtools)

Documentation

• 67e5478 #756 readme: added missing period for consistency (#756) (@​shaymolcho)
• 868d4bb #749 clarify comment about obsolete prefixes (#749) (@​mbtools, @​ljharb)

Chores

• 145c554 #741 bump @​npmcli/eslint-config from 4.0.5 to 5.0.0 (@​dependabot[bot])
• 753e02b #747 bump @​npmcli/template-oss from 4.23.3 to 4.23.4 (#747) (@​dependabot[bot], @​npm-cli-bot)
• 0b812d5 #744 postinstall for dependabot template-oss PR (@​hashtagchris)

Commits

• 2cfcbb5 chore: release 7.7.0 (#750)
• d588e37 fix(diff): fix prerelease to stable version diff logic (#755)
• 753e02b chore: bump @​npmcli/template-oss from 4.23.3 to 4.23.4 (#747)
• 8a34bde fix: add identifier validation to inc() (#754)
• 0864b3c feat: add "release" inc type (#753)
• 67e5478 docs(readme): added missing period for consistency (#756)
• 868d4bb docs: clarify comment about obsolete prefixes (#749)
• 145c554 chore: bump @​npmcli/eslint-config from 4.0.5 to 5.0.0
• 0b812d5 chore: postinstall for dependabot template-oss PR
• 6502a15 chore: bump @​npmcli/template-oss from 4.23.1 to 4.23.3
• Additional commits viewable in compare view

Updates postcss from 8.4.49 to 8.5.0

Release notes

Sourced from postcss's releases.

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@​romainmenke during his work on Stylelint added Input#document in additional to Input#css.

root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"

Thanks to Sponsors

This release was possible thanks to our community.

If your company wants to support the sustainability of front-end infrastructure or wants to give some love to PostCSS, you can join our supporters by:

• Tidelift with a Spotify-like subscription model supporting all projects from your lock file.
• Direct donations at GitHub Sponsors or Open Collective.

Changelog

Sourced from postcss's changelog.

Change Log

This project adheres to Semantic Versioning.

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

• Added Input#document for sources like CSS-in-JS or HTML (by @​romainmenke).

Commits

• 6873270 Release 8.5 version
• 4223bb9 Fix 80 columns limit
• 80e2401 Add Input#document (#1996)
• 6f86879 Update dependencies
• 85cbbec Fix pnpm version on CI
• 76caa57 Update dependencies
• 46ff246 Move to pnpm 10
• 99da2f2 Fix the documentation for RuleRaws.ownSemicolon (#1994)
• 4493eed Pins nanoid to ^3.3.8 (#1992)
• 2acd7c7 Bump nanoid from 3.3.7 to 3.3.8 (#1989)
• Additional commits viewable in compare view

Updates vue-i18n from 9.14.0 to 11.0.1

Release notes

Sourced from vue-i18n's releases.

v11.0.1

What's Changed

⚡ Improvement Features

• fix: v-t custom directive warning when it will run by @​kazupon in intlify/vue-i18n#2057

Full Changelog: intlify/vue-i18n@v11.0.0...v11.0.1

v11.0.0

We are excited to announce the release of Vue I18n v11. We had many contributors.

Thanks for your contributing ❤️

Summary

Deprecate Legacy API mode

The Legacy API mode was the API mode compatible with v8 for Vue 2. When v9 was released, the Legacy API was provided to smooth the migration from v8 to v9.

Legacy API mode will be deprecated in v11, as previous vue-i18n releases have already provided the following to support migration to Composition API mode

• Migration from Legacy API mode to Composition API mode, see the docs
• Composition API usage, see the docs

For compatibility, Legacy API mode still works in v11, but will be removed entirely in v12, so Legacy API mode will not work after that version.

Deprecate Custom Directive v-t

The advantage of v-t was that it could optimize performance using the vue compiler transform and the pre-translation of vue-i18n-extension.

This feature was supported from Vue 2. About details see the blog article

In Vue 3, due to the Composition API, the pre-translation of vue-i18n-extension is now limited only for global scope.

In addition, Vue 3 Virtual DOM optimization has been introduced, and the optimization provided by vue-i18n-extension is no longer very effective. We need to require settings for SSR, the benefits of using v-t have disappeared. And DX of templates using v-t is not good. Custom directives do not work with key completion in editors (e.g. vscode).

For compatibility, v-t mode still works in v11, but will be removed entirely in v12, so v-t will not work after that version.

Drop tc and $tc for Legacy API mode

These APIs had already deprecated in warning about being dropped in v11. docs says

Vue I18n maintenance Status

... (truncated)

Changelog

Sourced from vue-i18n's changelog.

v11.0.1 (2024-12-26T07:40:58Z)

This changelog is generated by GitHub Releases

What's Changed

⚡ Improvement Features

• fix: v-t custom directive warning when it will run by @​kazupon in intlify/vue-i18n#2057

Full Changelog: intlify/vue-i18n@v11.0.0...v11.0.1

v11.0.0 (2024-12-24T15:01:00Z)

This changelog is generated by GitHub Releases

What's Changed

Deprecate Legacy API mode

The Legacy API mode was the API mode compatible with v8 for Vue 2. When v9 was released, the Legacy API was provided to smooth the migration from v8 to v9.

Legacy API mode will be deprecated in v11, as previous vue-i18n releases have already provided the following to support migration to Composition API mode

• Migration from Legacy API mode to Composition API mode, see the docs
• Composition API usage, see the docs

For compatibility, Legacy API mode still works in v11, but will be removed entirely in v12, so Legacy API mode will not work after that version.

Deprecate Custom Directive v-t

The advantage of v-t was that it could optimize performance using the vue compiler transform and the pre-translation of vue-i18n-extension.

This feature was supported from Vue 2. About details see the blog article

In Vue 3, due to the Composition API, the pre-translation of vue-i18n-extension is now limited only for global scope.

In addition, Vue 3 Virtual DOM optimization has been introduced, and the optimization provided by vue-i18n-extension is no longer very effective. We need to require settings for SSR, the benefits of using v-t have disappeared. And DX of templates using v-t is not good. Custom directives do not work with key completion in editors (e.g. vscode).

For compatibility, v-t mode still works in v11, but will be removed entirely in v12, so v-t will not work after that version.

Drop tc and $tc for Legacy API mode

These APIs had already deprecated in warning about being dropped in v11. docs says

... (truncated)

Commits

• 49c0e18 release: v11.0.1
• 2b98662 release: v11.0.0
• 61cea89 release: v11.0.0-rc.1
• 3808ae7 release: v11.0.0-beta.2
• d10a4ef release: v11.0.0-beta.1
• 3882d02 breaking: drop $tc and tc (#2017)
• 2a44e21 release: v11.0.0-beta.0
• ea528c4 fix: tm function should accept DefineLocaleMessage key type (#2014)
• bd85a57 release: v10.0.4
• decd23b release: v10.0.3
• Additional commits viewable in compare view

Updates vite from 5.4.11 to 5.4.12

Release notes

Sourced from vite's releases.

v5.4.12

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.12 (2025-01-20)

• fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (9da4abc)
• fix!: default server.cors: false to disallow fetching from untrusted origins (dfea38f)
• fix: verify token for HMR WebSocket connection (b71a5c8)
• chore: add deps update changelog (ecd2375)

Commits

• f428aa9 release: v5.4.12
• 9da4abc fix!: check host header to prevent DNS rebinding attacks and introduce `serve...
• b71a5c8 fix: verify token for HMR WebSocket connection
• dfea38f fix!: default server.cors: false to disallow fetching from untrusted origins
• ecd2375 chore: add deps update changelog
• See full diff in compare view

Updates @intlify/core from 9.14.0 to 9.14.2

Release notes

Sourced from @​intlify/core's releases.

v9.14.2

What's Changed

🔒 Security Fixes

• fix: XSS vulnerability with prototype pollution on AST: GHSA-9r9m-ffp6-9x4v
• fix: prototype pollusion on deepCopy: GHSA-hjwq-mjwj-4x6c

Full Changelog: intlify/vue-i18n@v9.14.1...v9.14.2

v9.14.1

What's Changed

🐛 Bug Fixes

• fix: messages deepCopy mutates src arguments by @​BobbieGoede in intlify/vue-i18n#1975

Full Changelog: intlify/vue-i18n@v9.14.0...v9.14.1

Commits

• 5448139 release: v9.14.2
• af67265 release: v9.14.1
• See full diff in compare view

Updates cross-spawn from 6.0.5 to 6.0.6

Changelog

Sourced from cross-spawn's changelog.

6.0.6 (2024-11-18)

Bug Fixes

• disable regexp backtracking (#160) (ba5aaef)
• core: support worker threads (#127) (f4af31c)

Commits

• d35c865 chore(release): 6.0.6
• 5a37e19 chore: update package.json and package.lock
• ba5aaef fix: disable regexp backtracking (#160)
• f4af31c fix(core): support worker threads (#127)
• See full diff in compare view

Updates nanoid from 3.3.7 to 3.3.8

Changelog

Sourced from nanoid's changelog.

3.3.8

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

Commits

• 3044cd5 Release 3.3.8 version
• 4fe3495 Update size limit
• d643045 Fix pool pollution, infinite loop (#510)
• See full diff in compare view

Updates store2 from 2.14.3 to 2.14.4

Commits

• bb2680d 2.14.4
• 5c4c208 minor version build updates
• 582a86c fix syntax/lint issue
• 0ef2405 Merge pull request #128 from TasosY2K/master
• b5b7723 removed eval use from deep.store.js
• 0216588 ssh git repo url
• cc4444b remove component
• See full diff in compare view

Updates undici from 5.28.4 to 5.28.5

Release notes

Sourced from undici's releases.

v5.28.5

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

Full Changelog: nodejs/undici@v5.28.4...v5.28.5

Commits

• 6139ed2 Bumped v5.28.5
• 711e207 Backport of c2d78cd
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud