[Docs Site] Bump the npm_and_yarn group across 1 directory with 8 updates

[dependabot]

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package	From	To
@cloudflare/vitest-pool-workers	0.8.9	0.8.12
vitest	2.1.6	2.1.9
axios	1.7.9	1.8.4
cookie	0.5.0	1.0.2
wrangler	4.1.0	4.8.0
prismjs	1.29.0	1.30.0

Updates @cloudflare/vitest-pool-workers from 0.8.9 to 0.8.12

Release notes

Sourced from @​cloudflare/vitest-pool-workers's releases.

@​cloudflare/vitest-pool-workers@​0.8.12

Patch Changes

• #7260 30f7317 Thanks @​xtian! - Support Yarn .store directory

• #8208 9a3d43c Thanks @​LuisDuarte1! - Make vitest-pool-workers not crash when a workflow is defined

• Updated dependencies [4e69fb6, 93267cf, ec7e621, 75b454c, d4c1171]:

  • [email protected]
  • [email protected]

@​cloudflare/vitest-pool-workers@​0.8.11

Patch Changes

• Updated dependencies [e0efb6f, 2650fd3, 196f51d, 0a401d0]:
  • [email protected]
  • [email protected]

@​cloudflare/vitest-pool-workers@​0.8.10

Patch Changes

• Updated dependencies [7427004, 007f322, 199caa4, 80ef13c, 55b336f, 245cfbd]:
  • [email protected]
  • [email protected]

Changelog

Sourced from @​cloudflare/vitest-pool-workers's changelog.

0.8.12

Patch Changes

• #7260 30f7317 Thanks @​xtian! - Support Yarn .store directory

• #8208 9a3d43c Thanks @​LuisDuarte1! - Make vitest-pool-workers not crash when a workflow is defined

• Updated dependencies [4e69fb6, 93267cf, ec7e621, 75b454c, d4c1171]:

  • [email protected]
  • [email protected]

0.8.11

Patch Changes

• Updated dependencies [e0efb6f, 2650fd3, 196f51d, 0a401d0]:
  • [email protected]
  • [email protected]

0.8.10

Patch Changes

• Updated dependencies [7427004, 007f322, 199caa4, 80ef13c, 55b336f, 245cfbd]:
  • [email protected]
  • [email protected]

Commits

• f6b84b7 Version Packages (#8796)
• ec7e621 feat: add waitForEvent and sendEvent support for local dev (#8775)
• 30f7317 Fix fromVitest conditional (#7260)
• 9a3d43c fix: make vitest-pool-workers not crash with scripts that have Workflows (#8208)
• dc31c36 Version Packages (#8781)
• e0efb6f Bump the workerd-and-workers-types group with 2 updates (#8712)
• 4da6067 Version Packages (#8762)
• See full diff in compare view

Updates vitest from 2.1.6 to 2.1.9

Release notes

Sourced from vitest's releases.

v2.1.9

This release includes security patches for:

• Browser mode serves arbitrary files | CVE-2025-24963
• Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964

   🐞 Bug Fixes

• backport vitest-dev/vitest#7317 to v2 - by @​hi-ogawa in vitest-dev/vitest#7318
• (backport #7340 to v2) restrict served files from /__screenshot-error - by @​hi-ogawa in vitest-dev/vitest#7343

    View changes on GitHub

v2.1.8

   🐞 Bug Fixes

• Support Node 21  -  by @​sheremet-va (92f7a)

    View changes on GitHub

v2.1.7

   🐞 Bug Fixes

• Revert support for Vite 6  -  by @​sheremet-va (fbe5c)
  • This introduced some breaking changes (vitest-dev/vitest#6992). We will enable support for it later. In the meantime, you can still use pnpm.overrides or yarn resolutions to override the vite version in the vitest package - the APIs are compatible.

    View changes on GitHub

Commits

• c9e59a0 chore: release v2.1.9
• e0fe1d8 fix: backport #7317 to v2 (#7318)
• d69cc75 bump: 2.1.8
• 92f7a2a fix: support Node 21
• 81ed45b chore: release v2.1.7
• fbe5c39 fix: revert support for Vite 6
• See full diff in compare view

Updates esbuild from 0.24.2 to 0.21.5

Changelog

Sourced from esbuild's changelog.

0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

  // The following code now transforms to "return true;\n"
  console.log(esbuild.transformSync(
    `return process.env['SOME-TEST-VAR']`,
    { define: { 'process.env["SOME-TEST-VAR"]': 'true' } },

... (truncated)

Commits

• fc37c2f publish 0.21.5 to npm
• cb11924 fix Symbol.metadata errors in decorator tests
• b93a2a9 fix #3781: add metadata to all decorated classes
• 953dae9 fix #3797: import attributes and glob-style import
• 98cb2ed fix #3782: support ${configDir} in tsconfig.json
• 8e6603b run make update-compat-table
• db1b8ca fix #3792: import attributes and the copy loader
• de572d0 fix non-deterministic import attribute plugin test
• ae8d1b4 fix #3794: --supported:object-accessors=false
• 67cbf87 publish 0.21.4 to npm
• Additional commits viewable in compare view

Updates axios from 1.7.9 to 1.8.4

Release notes

Sourced from axios's releases.

Release v1.8.4

Release notes:

Bug Fixes

• buildFullPath: handle allowAbsoluteUrls: false without baseURL (#6833) (f10c2e0)

Contributors to this release

• Marc Hassan

Release v1.8.3

Release notes:

Bug Fixes

• add missing type for allowAbsoluteUrls (#6818) (10fa70e)
• xhr/fetch: pass allowAbsoluteUrls to buildFullPath in xhr and fetch adapters (#6814) (ec159e5)

Contributors to this release

• Ashcon Partovi
• StefanBRas
• Marc Hassan

Release v1.8.2

Release notes:

Bug Fixes

• http-adapter: add allowAbsoluteUrls to path building (#6810) (fb8eec2)

Contributors to this release

• Fasoro-Joseph Alexander

Release v1.8.1

Release notes:

Bug Fixes

• utils: move generateString to platform utils to avoid importing crypto module into client builds; (#6789) (36a5a62)

Contributors to this release

• Dmitriy Mozgovoy

Release v1.8.0

Release notes:

Bug Fixes

• examples: application crashed when navigating examples in browser (#5938) (1260ded)
• missing word in SUPPORT_QUESTION.yml (#6757) (1f890b1)
• utils: replace getRandomValues with crypto module (#6788) (23a25af)

... (truncated)

Changelog

Sourced from axios's changelog.

1.8.4 (2025-03-19)

Bug Fixes

• buildFullPath: handle allowAbsoluteUrls: false without baseURL (#6833) (f10c2e0)

Contributors to this release

• Marc Hassan

1.8.3 (2025-03-10)

Bug Fixes

• add missing type for allowAbsoluteUrls (#6818) (10fa70e)
• xhr/fetch: pass allowAbsoluteUrls to buildFullPath in xhr and fetch adapters (#6814) (ec159e5)

Contributors to this release

• Ashcon Partovi
• StefanBRas
• Marc Hassan

1.8.2 (2025-03-07)

Bug Fixes

• http-adapter: add allowAbsoluteUrls to path building (#6810) (fb8eec2)

Contributors to this release

• Fasoro-Joseph Alexander

1.8.1 (2025-02-26)

Bug Fixes

• utils: move generateString to platform utils to avoid importing crypto module into client builds; (#6789) (36a5a62)

Contributors to this release

• Dmitriy Mozgovoy

1.8.0 (2025-02-25)

... (truncated)

Commits

• 9f6f97b chore(release): v1.8.4 (#6844)
• f10c2e0 fix(buildFullPath): handle allowAbsoluteUrls: false without baseURL (#6833)
• 1e6632c chore(deps): bump tj-actions/changed-files in the github-actions group (#6838)
• 39ec206 chore(release): v1.8.3 (#6819)
• 10fa70e fix: add missing type for allowAbsoluteUrls (#6818)
• 7821ef9 docs: update readme to include bun install (#6811)
• ec159e5 fix(xhr/fetch): pass allowAbsoluteUrls to buildFullPath in xhr and `fet...
• a9f7689 chore(release): v1.8.2 (#6812)
• fb8eec2 fix(http-adapter): add allowAbsoluteUrls to path building (#6810)
• 9812045 chore(sponsor): update sponsor block (#6804)
• Additional commits viewable in compare view

Updates cookie from 0.5.0 to 1.0.2

Release notes

Sourced from cookie's releases.

v1.0.2

Fixed

• Loosen cookie name/value validation (#210)
• fix: options.priority used incorrect fallback (#207) by @​jonchurch

Added

• Add import example to README (#190) by @​isnifer

jshttp/cookie@v1.0.1...v1.0.2

v1.0.1

Added

• Allow case insensitive options (#194) 3bed080

jshttp/cookie@v1.0.0...v1.0.1

v1.0.0

Breaking changes

• Use modern JS features, ship TypeScript definition (#175) 1cc64ff
  • Adds __esModule marker, imports need to use import { parse, serialize } or import * as cookie
• Minimum node.js v18
• Uses null prototype object for parse return value
• Changes strict and priority to match the lower case strings (i.e. low, not LOW or Low)
• Require maxAge to be an integer using Number.isInteger check
• Delegates decode implementation details to decode option (i.e. error handling and quote parsing is defined by decode)
  • Delegate quote parsing to decode (#180) c4a2597
  • Shift try/catch to decode (#179) 93a5b97
• Improve arg/option error messages (#162) e206fd5 @​MaoShizhong

Other

• Remove hasOwnProperty, use undefined check for performance (#183) 8f3ee9e @​gurgunday

jshttp/cookie@v0.7.2...v1.0.0

v0.7.2

Fixed

• Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

• Allow leading dot for domain (#174)

... (truncated)

Commits

• e739f41 1.0.2
• 8be4b82 Loosen cookie name/value validation (#210)
• 94ba436 Fix codecov workflow in PRs (#209)
• 4898ba2 fix: options.priority used incorrect fallback (#207)
• 408c2b4 Add import example to README (#190)
• ba9e677 1.0.1
• 3bed080 Allow case insensitive options (#194)
• bc66a7e Generate cookie outside benchmarks (#187)
• c69cef6 1.0.0
• 42025f7 Use workflow status for badge
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates wrangler from 4.1.0 to 4.8.0

Release notes

Sourced from wrangler's releases.

[email protected]

Minor Changes

• #8394 93267cf Thanks @​edmundhung! - Support Secrets Store Secret bindings

Patch Changes

• #8780 4e69fb6 Thanks @​cmackenzie1! - - Rename wrangler pipelines show to wrangler pipelines get

  • Replace --enable-worker-binding and --enable-http with --source worker and --source http (or --source http worker for both)
  • Remove --file-template and --partition-template flags from wrangler pipelines create|update
  • Add pretty output for wrangler pipelines get <pipeline>. Existing output is available using --format=json.
  • Clarify the minimums, maximums, and defaults (if unset) for wrangler pipelines create commands.

• #8596 75b454c Thanks @​dario-piotrowicz! - add validation to redirected configs in regards to environments

  add the following validation behaviors to wrangler deploy commands, that relate to redirected configs (i.e. config files specified by .wrangler/deploy/config.json files):

  • redirected configs are supposed to be already flattened configurations without any environment (i.e. a build tool should generate redirected configs already targeting specific environments), so if wrangler encounters a redirected config with some environments defined it should error
  • given the point above, specifying an environment (--env=my-env) when using redirected configs is incorrect, so these environments should be ignored and a warning should be presented to the user

• #8795 d4c1171 Thanks @​GregBrimble! - feat: Unhide wrangler pages functions build command.

  This is already documented for Pages Plugins and by officially documenting it, we can ease the transition to Workers Assets for users of Pages Functions.

• Updated dependencies [93267cf, ec7e621]:

  • [email protected]

[email protected]

Patch Changes

• #8763 2650fd3 Thanks @​garrettgu10! - R2 data catalog URIs now separate account ID and warehouse name with a slash rather than an underscore

• #8341 196f51d Thanks @​kotkoroid! - Improve error message when request to obtain membership info fails

  Wrangler now informs user that specific permission might be not granted when fails to obtain membership info. The same information is provided when Wrangler is unable to fetch user's email.

• Updated dependencies [e0efb6f, 0a401d0]:

  • [email protected]

[email protected]

Patch Changes

... (truncated)

Changelog

Sourced from wrangler's changelog.

4.8.0

Minor Changes

• #8394 93267cf Thanks @​edmundhung! - Support Secrets Store Secret bindings

Patch Changes

• #8780 4e69fb6 Thanks @​cmackenzie1! - - Rename wrangler pipelines show to wrangler pipelines get

  • Replace --enable-worker-binding and --enable-http with --source worker and --source http (or --source http worker for both)
  • Remove --file-template and --partition-template flags from wrangler pipelines create|update
  • Add pretty output for wrangler pipelines get <pipeline>. Existing output is available using --format=json.
  • Clarify the minimums, maximums, and defaults (if unset) for wrangler pipelines create commands.

• #8596 75b454c Thanks @​dario-piotrowicz! - add validation to redirected configs in regards to environments

  add the following validation behaviors to wrangler deploy commands, that relate to redirected configs (i.e. config files specified by .wrangler/deploy/config.json files):

  • redirected configs are supposed to be already flattened configurations without any environment (i.e. a build tool should generate redirected configs already targeting specific environments), so if wrangler encounters a redirected config with some environments defined it should error
  • given the point above, specifying an environment (--env=my-env) when using redirected configs is incorrect, so these environments should be ignored and a warning should be presented to the user

• #8795 d4c1171 Thanks @​GregBrimble! - feat: Unhide wrangler pages functions build command.

  This is already documented for Pages Plugins and by officially documenting it, we can ease the transition to Workers Assets for users of Pages Functions.

• Updated dependencies [93267cf, ec7e621]:

  • [email protected]

4.7.2

Patch Changes

• #8763 2650fd3 Thanks @​garrettgu10! - R2 data catalog URIs now separate account ID and warehouse name with a slash rather than an underscore

• #8341 196f51d Thanks @​kotkoroid! - Improve error message when request to obtain membership info fails

  Wrangler now informs user that specific permission might be not granted when fails to obtain membership info. The same information is provided when Wrangler is unable to fetch user's email.

• Updated dependencies [e0efb6f, 0a401d0]:

  • [email protected]

4.7.1

... (truncated)

Commits

• f6b84b7 Version Packages (#8796)
• ec7e621 feat: add waitForEvent and sendEvent support for local dev (#8775)
• 93267cf Secrets Store Secret binding local dev (#8394)
• 75b454c [wrangler] add validation to redirected configs in regards to environments (#...
• 4e69fb6 Pipelines CLI Improvements (#8780)
• d4c1171 Unhide 'wrangler pages functions build' (#8795)
• dc31c36 Version Packages (#8781)
• 4c5ba38 fix types Wrangler e2e test (#8789)
• e0efb6f Bump the workerd-and-workers-types group with 2 updates (#8712)
• 2650fd3 IGLOO-45 replace underscore with slashes in catalog URI (#8763)
• Additional commits viewable in compare view

Updates prismjs from 1.29.0 to 1.30.0

Release notes

Sourced from prismjs's releases.

v1.30.0

What's Changed

• check that currentScript is set by a script tag by @​lkuechler in PrismJS/prism#3863

New Contributors

• @​lkuechler made their first contribution in PrismJS/prism#3863

Full Changelog: PrismJS/prism@v1.29.0...v1.30.0

Changelog

Sourced from prismjs's changelog.

Prism Changelog

Commits

• 76dde18 Release 1.30.0
• 93cca40 npm pkg fix
• 99c5ca9 Add release script
• 8e8b935 check that currentScript is set by a script tag (#3863)
• f894dc2 Fix logo in the footer
• ac38dce Delete CNAME
• 9b5b09a Enable CORS
• See full diff in compare view

Maintainer changes

This version was pushed to npm by dmitrysharabin, a new releaser for prismjs since your current version.

Updates vite from 6.2.4 to 5.4.17

Changelog

Sourced from vite's changelog.

5.4.17 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19784) (84b2b46), closes #19782 #19784

5.4.16 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19762) (b627c50), closes #19761 #19762

5.4.15 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19703) (807d7f0), closes #19702 #19703

5.4.14 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (9df6e6b), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (7d1699c), closes #19249

5.4.13 (2025-01-20)

• fix: try parse server.origin URL (#19241) (5946215), closes #19241

5.4.12 (2025-01-20)

• fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (9da4abc)
• fix!: default server.cors: false to disallow fetching from untrusted origins (dfea38f)
• fix: verify token for HMR WebSocket connection (b71a5c8)
• chore: add deps update changelog (ecd2375)

5.4.11 (2024-11-11)

• fix(deps): update dependencies of postcss-modules (ceb15db), closes #18617

5.4.10 (2024-10-23)

• fix: backport #18367,augment hash for CSS files to prevent chromium erroring by loading previous fil (7d1a3bc), closes #18367 #18412

... (truncated)

Commits

• 0a2518a release: v5.4.17
• 84b2b46 fix: backport #19782, fs check with svg and relative paths (#19784)
• 712cb71 release: v5.4.16
• b627c50 fix: backport #19761, fs check in transform middleware (#19762)
• 9b0f4c8 release: v5.4.15
• 807d7f0 fix: backport #19702, fs raw query with query separators (#19703)
• e7eb3c5 release: v5.4.14
• 7d1699c fix: allow CORS from loopback addresses by default (#19249)
• 9df6e6b fix: preview.allowedHosts with specific values was not respected (#19246)
• a1824c5 release: v5.4.13
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Reviewers

The following users could not be added as reviewers: KianNH. Either the username does not exist or it does not have the correct permissions to be added as a reviewer.

Assignees

The following users could not be added as assignees: KianNH. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Please fix the above issues or remove invalid values from dependabot.yml.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.