@dependabot dependabot bot commented on behalf of github Dec 21, 2025

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


Bumps the website group with 4 updates in the /website directory: @excalidraw/excalidraw, framer-motion, posthog-js and prettier.

Updates @excalidraw/excalidraw from 0.17.6 to 0.18.0

Release notes

Sourced from @​excalidraw/excalidraw's releases.

v0.18.0 (2025-03-11)

Excalidraw Library

0.18.0 (2025-03-11)

Highlights

  • Command palette #7804

  • Multiplayer undo / redo #7348

  • Editable element stats #6382

  • Text element wrapping #7999

  • Font picker with more fonts #8012

  • Font for Chinese, Japanese, and Korean #8530

  • Font subsetting for SVG export #8384

  • Elbow arrows #8299, #8952

  • Flowcharts #8329

  • Scene search #8438

  • Image cropping #8613

  • Element linking #8812

Breaking changes

Deprecated UMD bundle in favor of ES modules #7441, #9127

We've transitioned from UMD to ESM bundle format. Our new dist folder inside @excalidraw/excalidraw package now contains only bundled source files, making any dependencies tree-shakable. The package comes with the following structure:

Note: The structure is simplified for the sake of brevity, omitting lazy-loadable modules, including locales (previously treated as JSON assets) and source maps in the development bundle.

```
@excalidraw/excalidraw/
├── dist/
│   ├── dev/
│   │   ├── fonts/
│   │   ├── index.css
│   │   ├── index.js
│   │   ├── index.js.map
│   ├── prod/
│   │   ├── fonts/
│   │   ├── index.css
```

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by mrazator, a new releaser for @​excalidraw/excalidraw since your current version.


Updates framer-motion from 12.23.24 to 12.23.25

Changelog

Sourced from framer-motion's changelog.

[12.23.25] 2025-12-01

Fixed

  • Ensure relative projection boxes are re-measured when parent layout changes.
Commits

Updates posthog-js from 1.280.0 to 1.302.2

Release notes

Sourced from posthog-js's releases.

posthog-js@1.302.2

1.302.2

Patch Changes

posthog-js@1.302.1

1.302.1

Patch Changes

posthog-js@1.302.0

1.302.0

Minor Changes

posthog-js@1.301.2

1.301.2

Patch Changes

  • #2690 e9c00fd Thanks @​robbie-c! - Related to https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182

    We didn't include any of the vulnerable deps in any of our packages, however we did have them as dev / test / example project dependencies.

    There was no way that any of these vulnerable packages were included in any of our published packages.

    We've now patched out those dependencies.

    Out of an abundance of caution, let's create a new release of all of our packages. (2025-12-04)

  • Updated dependencies [e9c00fd]:

    • @​posthog/core@​1.7.1

posthog-js@1.301.1

1.301.1

Patch Changes

  • #2666 2004d36 Thanks @​pauldambra! - fix: session id rotation relied on in-memory cache which would be stale after log idle periods - particularly with multiple windows in play (2025-12-04)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for posthog-js since your current version.


Updates prettier from 3.6.2 to 3.7.4

Release notes

Sourced from prettier's releases.

3.7.4

What's Changed

🔗 Changelog

3.7.3

What's Changed

🔗 Changelog

3.7.2

What's Changed

🔗 Changelog

3.7.1

🔗 Changelog

3.7.0

diff

🔗 Release note

Changelog

Sourced from prettier's changelog.

3.7.4

diff

LWC: Avoid quote around interpolations (#18383 by @​kovsu)

```html
<!-- Input -->
<div foo={bar}>   </div>
<!-- Prettier 3.7.3 (--embedded-language-formatting off) -->
<div foo="{bar}"></div>
<!-- Prettier 3.7.4 (--embedded-language-formatting off) -->
<div foo={bar}></div>
```

TypeScript: Fix comment inside union type gets duplicated (#18393 by @​fisker)

```ts
// Input
type Foo = (/** comment */ a | b) | c;
// Prettier 3.7.3
type Foo = /** comment */ (/** comment */ a | b) | c;
// Prettier 3.7.4
type Foo = /** comment */ (a | b) | c;
```

TypeScript: Fix unstable comment print in union type comments (#18395 by @​fisker)

```ts
// Input
type X = (A | B) & (
  // comment
  A | B
);
// Prettier 3.7.3 (first format)
type X = (A | B) &
(// comment
A | B);
// Prettier 3.7.3 (second format)
type X = (
| A
```

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for prettier since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions


dependabot bot commented on behalf of github Dec 21, 2025

Labels

The following labels could not be found: javascript. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot added dependencies Pull requests that update a dependency file minor New features that do not break anything no-release Do not create a new release (wait for additional code changes) labels Dec 21, 2025
@dependabot dependabot bot requested a review from a team as a code owner December 21, 2025 00:04
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Dec 21, 2025
@github-actions github-actions bot added size/xl Extra large size PR and removed minor New features that do not break anything labels Dec 21, 2025

mergify bot commented Dec 21, 2025

Warning

This PR exceeds the recommended limit of 1,000 lines.

Large PRs are difficult to review and may be rejected due to their size.

Please verify that this PR does not address multiple issues.
Consider refactoring it into smaller, more focused PRs to facilitate a smoother review process.

@mergify mergify bot added the auto-update This PR was automatically generated label Dec 21, 2025

github-actions bot commented Dec 21, 2025

Dependency Review

The following issues were found:
  • ❌ 4 vulnerable package(s)
  • ❌ 2 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
See the Details below.

Vulnerabilities

website/pnpm-lock.yaml

| Name | Version | Vulnerability | Severity |
| --- | --- | --- | --- |
| dompurify | 3.1.6 | DOMPurify allows Cross-site Scripting (XSS) | moderate |
| mermaid | 10.9.3 | Mermaid improperly sanitizes sequence diagram labels leading to XSS | moderate |
| nanoid | 3.3.3 | Predictable results in nanoid generation when given non-integer values | moderate |
| nanoid | 4.0.2 | Predictable results in nanoid generation when given non-integer values | moderate |

Only included vulnerabilities with severity moderate or higher.

License Issues

website/pnpm-lock.yaml

| Package | Version | License | Issue Type |
| --- | --- | --- | --- |
| elkjs | 0.9.3 | EPL-2.0 | Incompatible License |
| pako | 2.0.3 | MIT AND Zlib | Incompatible License |
| @posthog/core | 1.8.1 | Null | Unknown License |
| posthog-js | 1.309.1 | Null | Unknown License |

Allowed Licenses: MIT, MIT-0, Apache-2.0, BSD-2-Clause, BSD-2-Clause-Views, BSD-3-Clause, ISC, MPL-2.0, 0BSD, Unlicense, CC0-1.0, CC-BY-3.0, CC-BY-4.0, CC-BY-SA-3.0, Python-2.0, OFL-1.1, LicenseRef-scancode-generic-cla, LicenseRef-scancode-unknown-license-reference, LicenseRef-scancode-unicode, LicenseRef-scancode-google-patent-license-golang

Scanned Files

  • website/pnpm-lock.yaml


codecov bot commented Dec 21, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.80%. Comparing base (97d1641) to head (e2e32a6).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files


@@            Coverage Diff             @@
##             main    #1906      +/-   ##
==========================================
+ Coverage   73.77%   73.80%   +0.02%     
==========================================
  Files         746      746              
  Lines       67889    67889              
==========================================
+ Hits        50085    50105      +20     
+ Misses      14395    14374      -21     
- Partials     3409     3410       +1     

| Flag | Coverage Δ |
| --- | --- |
| unittests | 73.80% <ø> (+0.02%) ⬆️ |

Flags with carried forward coverage won't be shown. Click here to find out more.
see 3 files with indirect coverage changes


@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/website/website-6741d95b78 branch from 6d244cb to db4fed0 Compare December 28, 2025 00:04
Bumps the website group with 4 updates in the /website directory: [@excalidraw/excalidraw](https://github.com/excalidraw/excalidraw), [framer-motion](https://github.com/motiondivision/motion), [posthog-js](https://github.com/PostHog/posthog-js) and [prettier](https://github.com/prettier/prettier).


Updates `@excalidraw/excalidraw` from 0.17.6 to 0.18.0
- [Release notes](https://github.com/excalidraw/excalidraw/releases)
- [Commits](excalidraw/excalidraw@v0.17.6...v0.18.0)

Updates `framer-motion` from 12.23.24 to 12.23.25
- [Changelog](https://github.com/motiondivision/motion/blob/main/CHANGELOG.md)
- [Commits](motiondivision/motion@v12.23.24...v12.23.25)

Updates `posthog-js` from 1.280.0 to 1.302.2
- [Release notes](https://github.com/PostHog/posthog-js/releases)
- [Changelog](https://github.com/PostHog/posthog-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/PostHog/posthog-js/compare/posthog-js@1.280.0...posthog-js@1.302.2)

Updates `prettier` from 3.6.2 to 3.7.4
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.6.2...3.7.4)

---
updated-dependencies:
- dependency-name: "@excalidraw/excalidraw"
  dependency-version: 0.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: website
- dependency-name: framer-motion
  dependency-version: 12.23.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: website
- dependency-name: posthog-js
  dependency-version: 1.302.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: website
- dependency-name: prettier
  dependency-version: 3.7.4
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: website
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/website/website-6741d95b78 branch from db4fed0 to e2e32a6 Compare January 4, 2026 00:04

mergify bot commented Jan 8, 2026

💥 This pull request now has conflicts. Could you fix it @dependabot[bot]? 🙏

@mergify mergify bot added the conflict This PR has conflicts label Jan 8, 2026

mergify bot commented Jan 8, 2026

This automated PR was closed due to merge conflicts.

@mergify mergify bot closed this Jan 8, 2026

dependabot bot commented on behalf of github Jan 8, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot bot deleted the dependabot/npm_and_yarn/website/website-6741d95b78 branch January 8, 2026 03:46
@mergify mergify bot removed the conflict This PR has conflicts label Jan 8, 2026