chore(deps): bump the npm_and_yarn group in /console/atest-ui with 7 updates

[dependabot]

Bumps the npm_and_yarn group in /console/atest-ui with 8 updates:

Package	From	To
jsonpath-plus	10.0.7	10.3.0
vue-i18n	9.2.2	9.14.3
vite	4.5.5	4.5.14
esbuild	0.18.20	0.25.4
@vitejs/plugin-vue	4.2.3	5.2.4
@vitejs/plugin-vue-jsx	3.0.1	4.1.2
vite	4.5.14	6.3.5
vitest	0.32.4	3.1.4

Updates jsonpath-plus from 10.0.7 to 10.3.0

Release notes

Sourced from jsonpath-plus's releases.

v10.3.0

What's Changed

• fix(eval): rce using non-string prop names by @​80avin in JSONPath-Plus/JSONPath#237
• feat(demo): make demo link shareable by @​80avin in JSONPath-Plus/JSONPath#238

Full Changelog: JSONPath-Plus/JSONPath@v10.2.0...v10.3.0

Changelog

Sourced from jsonpath-plus's changelog.

10.3.0

• fix(eval): rce using non-string prop names (#237)
• feat(demo): make demo link shareable (#238)
• chore: update deps. and devDeps.

10.2.0

• fix(eval): improve security of safe-eval (#233)
• chore: update deps. and devDeps.

10.1.0

• feat: add typeof operator to safe script

Commits

• 9754e4b chore: bump version
• f690da1 chore: update deps and devDeps
• 313a9b4 Merge pull request #238 from 80avin/shareable-demo
• 39a0d03 Merge pull request #237 from 80avin/fix-10.2.0-rce
• 1c532fc feat(demo): make demo link shareable
• 3094289 fix(eval): rce using non-string prop names
• 8e4acf8 chore: bump version
• f0708a4 chore: update deps. and devDeps.
• 0bfda55 build(deps): bump @​eslint/plugin-kit from 0.2.0 to 0.2.3 (#234)
• 73ad72e fix(eval): improve security of safe-eval (#233)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by 80avin, a new releaser for jsonpath-plus since your current version.

Updates vue-i18n from 9.2.2 to 9.14.3

Release notes

Sourced from vue-i18n's releases.

v9.14.3

What's Changed

🔒 Security Fixes

• fix: prototype pollution in handleFlatJson, about details see GHSA-p2ph-7g93-hw3m

Full Changelog: intlify/vue-i18n@v9.14.2...v9.14.3

v9.14.2

What's Changed

🔒 Security Fixes

• fix: XSS vulnerability with prototype pollution on AST: GHSA-9r9m-ffp6-9x4v
• fix: prototype pollusion on deepCopy: GHSA-hjwq-mjwj-4x6c

Full Changelog: intlify/vue-i18n@v9.14.1...v9.14.2

v9.14.1

What's Changed

🐛 Bug Fixes

• fix: messages deepCopy mutates src arguments by @​BobbieGoede in intlify/vue-i18n#1975

Full Changelog: intlify/vue-i18n@v9.14.0...v9.14.1

v9.14.0

What's Changed

⚡ Improvement Features

• fix: vue-i18n type definition for vue package by @​BobbieGoede in intlify/vue-i18n#1919

Full Changelog: intlify/vue-i18n@v9.13.1...v9.14.0

v9.13.1

What's Changed

🐛 Bug Fixes

• fix(message-compiler): cannot resolve none-identifier characters at linked key by @​kazupon in intlify/vue-i18n-next#1813

... (truncated)

Changelog

Sourced from vue-i18n's changelog.

v9.14.3 (2025-03-07T03:21:38Z)

This changelog is generated by GitHub Releases

Full Changelog: intlify/vue-i18n@v9.14.2...v9.14.3

v9.14.2 (2024-11-28T05:21:12Z)

This changelog is generated by GitHub Releases

What's Changed

🔒 Security Fixes

• fix: XSS vulnerability with prototype pollution on AST: GHSA-9r9m-ffp6-9x4v
• fix: prototype pollusion on deepCopy: GHSA-hjwq-mjwj-4x6c

Full Changelog: intlify/vue-i18n@v9.14.1...v9.14.2

v9.14.1 (2024-09-26T09:01:30Z)

This changelog is generated by GitHub Releases

What's Changed

🐛 Bug Fixes

• fix: messages deepCopy mutates src arguments by @​BobbieGoede in intlify/vue-i18n#1975

Full Changelog: intlify/vue-i18n@v9.14.0...v9.14.1

v9.14.0 (2024-08-16T17:01:17Z)

This changelog is generated by GitHub Releases

What's Changed

⚡ Improvement Features

• fix: vue-i18n type definition for vue package by @​BobbieGoede in intlify/vue-i18n#1919

Full Changelog: intlify/vue-i18n@v9.13.1...v9.14.0

... (truncated)

Commits

• 2e255c5 release: v9.14.3
• 6695eec fix: update package name for npm provenance
• 2b5149d Revert "release: v9.14.3"
• 26449f9 release: v9.14.3
• 5448139 release: v9.14.2
• af67265 release: v9.14.1
• 8e9f6d5 release: v9.14.0
• b07a9a4 fix: vue-i18n type definition for vue package (#1919)
• e37cba0 release: v9.13.1
• 9e73535 release: v9.13.0
• Additional commits viewable in compare view

Updates vite from 4.5.5 to 4.5.14

Release notes

Sourced from vite's releases.

v4.5.14

Please refer to CHANGELOG.md for details.

v4.5.13

Please refer to CHANGELOG.md for details.

v4.5.12

Please refer to CHANGELOG.md for details.

v4.5.11

Please refer to CHANGELOG.md for details.

v4.5.10

Please refer to CHANGELOG.md for details.

v4.5.9

Please refer to CHANGELOG.md for details.

v4.5.8

Please refer to CHANGELOG.md for details.

v4.5.7

Please refer to CHANGELOG.md for details.

v4.5.6

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

4.5.14 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19967) (7739479), closes #19965 #19967
• chore: run format (99afb60)

4.5.13 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19832) (41f3819), closes #19830 #19832

4.5.12 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19785) (0a3dcf5), closes #19782 #19785

4.5.11 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19763) (26e1764), closes #19761 #19763

4.5.10 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19704) (315695e), closes #19702 #19704

4.5.9 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (0bc52e0), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (8f63cd6), closes #19249

4.5.8 (2025-01-20)

• fix: try parse server.origin URL (#19241) (3680bad), closes #19241

4.5.7 (2025-01-20)

• fix: crypto.getRandomValues is not available in old Node versions (#19237) (f4d3c46), closes #19237

... (truncated)

Commits

• 9bfe2b1 release: v4.5.14
• 7739479 fix: backport #19965, check static serve file inside sirv (#19967)
• 99afb60 chore: run format
• cd60e8b release: v4.5.13
• 41f3819 fix: backport #19830, reject requests with # in request-target (#19832)
• 6104add release: v4.5.12
• 0a3dcf5 fix: backport #19782, fs check with svg and relative paths (#19785)
• 07ddc3e release: v4.5.11
• 26e1764 fix: backport #19761, fs check in transform middleware (#19763)
• 86e7a6b release: v4.5.10
• Additional commits viewable in compare view

Updates esbuild from 0.18.20 to 0.25.4

Release notes

Sourced from esbuild's releases.

v0.25.4

• Add simple support for CORS to esbuild's development server (#4125)

  Starting with version 0.25.0, esbuild's development server is no longer configured to serve cross-origin requests. This was a deliberate change to prevent any website you visit from accessing your running esbuild development server. However, this change prevented (by design) certain use cases such as "debugging in production" by having your production website load code from localhost where the esbuild development server is running.

  To enable this use case, esbuild is adding a feature to allow Cross-Origin Resource Sharing (a.k.a. CORS) for simple requests. Specifically, passing your origin to the new cors option will now set the Access-Control-Allow-Origin response header when the request has a matching Origin header. Note that this currently only works for requests that don't send a preflight OPTIONS request, as esbuild's development server doesn't currently support OPTIONS requests.

  Some examples:

  • CLI:

    esbuild --servedir=. --cors-origin=https://example.com
    

  • JS:

    const ctx = await esbuild.context({})
    await ctx.serve({
      servedir: '.',
      cors: {
        origin: 'https://example.com',
      },
    })

  • Go:

    ctx, _ := api.Context(api.BuildOptions{})
    ctx.Serve(api.ServeOptions{
      Servedir: ".",
      CORS: api.CORSOptions{
        Origin: []string{"https://example.com"},
      },
    })

  The special origin * can be used to allow any origin to access esbuild's development server. Note that this means any website you visit will be able to read everything served by esbuild.

• Pass through invalid URLs in source maps unmodified (#4169)

  This fixes a regression in version 0.25.0 where sources in source maps that form invalid URLs were not being passed through to the output. Version 0.25.0 changed the interpretation of sources from file paths to URLs, which means that URL parsing can now fail. Previously URLs that couldn't be parsed were replaced with the empty string. With this release, invalid URLs in sources should now be passed through unmodified.

• Handle exports named __proto__ in ES modules (#4162, #4163)

  In JavaScript, the special property name __proto__ sets the prototype when used inside an object literal. Previously esbuild's ESM-to-CommonJS conversion didn't special-case the property name of exports named __proto__ so the exported getter accidentally became the prototype of the object literal. It's unclear what this affects, if anything, but it's better practice to avoid this by using a computed property name in this case.

  This fix was contributed by @​magic-akari.

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2023

This changelog documents all esbuild versions published in the year 2023 (versions 0.16.13 through 0.19.11).

0.19.11

• Fix TypeScript-specific class transform edge case (#3559)

  The previous release introduced an optimization that avoided transforming super() in the class constructor for TypeScript code compiled with useDefineForClassFields set to false if all class instance fields have no initializers. The rationale was that in this case, all class instance fields are omitted in the output so no changes to the constructor are needed. However, if all of this is the case and there are #private instance fields with initializers, those private instance field initializers were still being moved into the constructor. This was problematic because they were being inserted before the call to super() (since super() is now no longer transformed in that case). This release introduces an additional optimization that avoids moving the private instance field initializers into the constructor in this edge case, which generates smaller code, matches the TypeScript compiler's output more closely, and avoids this bug:

  // Original code
  class Foo extends Bar {
    #private = 1;
    public: any;
    constructor() {
      super();
    }
  }
  // Old output (with esbuild v0.19.9)
  class Foo extends Bar {
  constructor() {
  super();
  this.#private = 1;
  }
  #private;
  }
  // Old output (with esbuild v0.19.10)
  class Foo extends Bar {
  constructor() {
  this.#private = 1;
  super();
  }
  #private;
  }
  // New output
  class Foo extends Bar {
  #private = 1;
  constructor() {
  super();
  }
  }

• Minifier: allow reording a primitive past a side-effect (#3568)

  The minifier previously allowed reordering a side-effect past a primitive, but didn't handle the case of reordering a primitive past a side-effect. This additional case is now handled:

... (truncated)

Commits

• 218d29e publish 0.25.4 to npm
• e66cd0b dev server: simple support for CORS requests (#4171)
• 8bf3368 js api: validate some options as arrays of strings
• 1e7375a js api: simplify comma-separated array validation
• 5f5964d release notes for #4163
• adb5284 fix: handle __proto__ as a computed property in exports and add tests for s...
• 0aa9f7b fix #4169: keep invalid source map URLs unmodified
• 5959289 add additional guards for #4114 when using :is()
• 677910b publish 0.25.3 to npm
• a41040e fix #4110: support custom non-IP host values
• Additional commits viewable in compare view

Updates @vitejs/plugin-vue from 4.2.3 to 5.2.4

Release notes

Sourced from @​vitejs/plugin-vue's releases.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from @​vitejs/plugin-vue's changelog.

5.2.4 (2025-05-09)

• chore: fix types with Vite 6.3 (#559) (8002511), closes #559
• chore: use rollup types exposed from Vite (#583) (2e1287f), closes #583
• chore(deps): update upstream (#542) (ef446fc), closes #542
• chore(deps): update upstream (#569) (98381b2), closes #569
• feat(plugin-vue): use transformWithOxc if rolldown-vite is detected (#584) (6ac8e3a), closes #584
• fix(plugin-vue): handle sourcemap with empty script code (#585) (7f73970), closes #585
• fix(plugin-vue): when the resource path contains chinese characters, dev/build is inconsistent (#550 (5f6affe), closes #550

5.2.3 (2025-03-17)

• Revert "fix: generate unique component id" (#548) (4bc5517), closes #548

5.2.2 (2025-03-17)

• feat: pass descriptor vapor flag to compileTemplte (219e007)
• feat(css): tree shake scoped styles (#533) (333094f), closes #533
• fix: generate unique component id (#538) (2704e85), closes #538
• fix: properly interpret boolean values in define (#545) (46d3d65), closes #545
• fix(deps): update all non-major dependencies (#482) (cdbae68), closes #482
• fix(deps): update all non-major dependencies (#488) (5d39582), closes #488
• fix(index): move the if check earlier to avoid creating unnecessary ssr when entering return block ( (2135c84), closes #523
• fix(plugin-vue): default value for compile time flags (#495) (ae9d948), closes #495
• fix(plugin-vue): ensure HMR updates styles when SFC is treated as a type dependency (#541) (4abe3be), closes #541
• fix(plugin-vue): resolve sourcemap conflicts in build watch mode with cached modules (#505) (906cebb), closes #505
• fix(plugin-vue): support external import URLs for monorepos (#524) (cdd4922), closes #524
• fix(plugin-vue): support vapor template-only component (#529) (95be153), closes #529
• fix(plugin-vue): suppress warnings for non-recognized pseudo selectors form lightningcss (#521) (15c0eb0), closes #521
• chore(deps): update dependency rollup to ^4.27.4 (#479) (428320d), closes #479
• chore(deps): update dependency rollup to ^4.28.1 (#484) (388403f), closes #484
• chore(deps): update dependency rollup to ^4.29.1 (#493) (b092bc8), closes #493
• chore(deps): update upstream (#503) (8c12b9f), closes #503
• chore(deps): update upstream (#511) (d057351), closes #511
• chore(deps): update upstream (#526) (59946d3), closes #526
• chore(plugin-vue): simplify resolved declaration (7288a59)

5.2.1 (2024-11-26)

• chore: add vite 6 peer dep (#481) (4288652), closes #481
• chore: fix lint (378aea3)
• chore(deps): update dependency rollup to ^4.27.2 (#476) (b2df95e), closes #476

... (truncated)

Commits

• 6027d40 release: [email protected]
• 98381b2 chore(deps): update upstream (#569)
• 6ac8e3a feat(plugin-vue): use transformWithOxc if rolldown-vite is detected (#584)
• 7f73970 fix(plugin-vue): handle sourcemap with empty script code (#585)
• 2e1287f chore: use rollup types exposed from Vite (#583)
• ef446fc chore(deps): update upstream (#542)
• 5f6affe fix(plugin-vue): when the resource path contains chinese characters, dev/buil...
• 8002511 chore: fix types with Vite 6.3 (#559)
• b733b91 release: [email protected]
• 4bc5517 Revert "fix: generate unique component id" (#548)
• Additional commits viewable in compare view

Updates @vitejs/plugin-vue-jsx from 3.0.1 to 4.1.2

Release notes

Sourced from @​vitejs/plugin-vue-jsx's releases.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

Changelog

Sourced from @​vitejs/plugin-vue-jsx's changelog.

4.1.2 (2025-03-17)

• fix: properly interpret boolean values in define (#545) (46d3d65), closes #545
• fix(deps): update all non-major dependencies (#482) (cdbae68), closes #482
• fix(deps): update all non-major dependencies (#502) (5bfbbc6), closes #502
• fix(deps): update all non-major dependencies (#510) (28bca4b), closes #510

4.1.1 (2024-11-26)

• chore: add vite 6 peer dep (#481) (4288652), closes #481

4.1.0 (2024-11-11)

• feat: support tsPluginOptions (#445) (fdb3590), closes #445
• fix(deps): update all non-major dependencies (#421) (e3a7fec), closes #421
• fix(deps): update all non-major dependencies (#439) (e432bcb), closes #439
• fix(plugin-jsx): work around bun bug for ssrRegisterHelper (#380) (9c2b620), closes #380 #376
• perf: use hash to replace createHash (#460) (de88394), closes #460
• refactor(vue-jsx): remove extraneous import (ab2516a)

4.0.1 (2024-08-14)

• chore: use pnpm catalog for shared deps (0735e18)
• chore(deps): update upstream (#416) (02a3edd), closes #416
• chore(deps): update upstream (#432) (5d592cd), closes #432
• chore(vue-jsx): add type package field (a2fe479)
• feat(vue-jsx): add defineComponentName option (0f71911)
• fix(deps): update all non-major dependencies (#412) (8cb2ea9), closes #412

4.0.0 (2024-05-30)

• chore: upgrade vitest (db4cf1c)
• chore(deps-dev): bump vite from 5.0.10 to 5.0.12 (#354) (0294b9d), closes #354
• chore(deps): replace dependency eslint-plugin-node with eslint-plugin-n ^14.0.0 (#378) (997f9bb), closes #378
• chore(deps): update dependency prettier to v3.2.4 (#347) (e957179), closes #347
• chore(deps): update dependency prettier to v3.2.5 (#352) (a9f5b11), closes #352
• chore(deps): update upstream (#302) (9c93426), closes #302
• chore(deps): update upstream (#310) (90eb484), closes #310
• chore(deps): update upstream (#356) (cf7d91e), closes #356
• chore(deps): update upstream (#361) (a28c46e), closes #361
• chore(deps): update upstream (#367) (2050ad3), closes #367
• chore(deps): update upstream (#379) (96c82e9), closes #379

... (truncated)

Commits

• 7e59694 release: [email protected]
• 46d3d65 fix: properly interpret boolean values in define (#545)
• 28bca4b fix(deps): update all non-major dependencies (#510)
• 5bfbbc6 fix(deps): update all non-major dependencies (#502)
• cdbae68 fix(deps): update all non-major dependencies (#482)
• ff5624a release: [email protected]
• 4288652 chore: add vite 6 peer dep (#481)
• 23ea2f9 release: [email protected]
• fdb3590 feat: support tsPluginOptions (#445)
• e432bcb fix(deps): update all non-major dependencies (#439)
• Additional commits viewable in compare view

Updates vite from 4.5.14 to 6.3.5

Release notes

Sourced from vite's releases.

v4.5.14

Please refer to CHANGELOG.md for details.

v4.5.13

Please refer to CHANGELOG.md for details.

v4.5.12

Please refer to CHANGELOG.md for details.

v4.5.11

Please refer to CHANGELOG.md for details.

v4.5.10

Please refer to CHANGELOG.md for details.

v4.5.9

Please refer to CHANGELOG.md for details.

v4.5.8

Please refer to CHANGELOG.md for details.

v4.5.7

Please refer to CHANGELOG.md for details.

v4.5.6

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

4.5.14 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19967) (7739479), closes #19965 #19967
• chore: run format (99afb60)

4.5.13 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19832) (41f3819), closes #19830 #19832

4.5.12 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19785) (0a3dcf5), closes #19782 #19785

4.5.11 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19763) (26e1764), closes #19761 #19763

4.5.10 (2025-03-24)

• fix: backport #19702, fs raw quer...

  Description has been truncated

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ LinuxSuRen
❌ dependabot[bot]
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[github-actions]

There are 1 test cases, failed count 0:

Name	Average	Max	Min	Count	Error
	11.442428ms	12.907825ms	10.486023ms	3	0

Reported by api-testing.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud