chore(deps): bump the npm_and_yarn group across 6 directories with 10 updates

[dependabot]

Bumps the npm_and_yarn group with 9 updates in the / directory:

Package	From	To
vite	6.4.1	6.4.2
electron	35.7.5	39.8.5
minimatch	10.1.1	10.2.3
yaml	2.8.2	2.8.3
hono	4.12.8	4.12.16
next	14.2.35	15.5.15
@hono/node-server	1.19.11	1.19.13
postcss	8.4.38	8.5.10
drizzle-orm	0.45.1	0.45.2

Bumps the npm_and_yarn group with 1 update in the /apps/desktop directory: electron.
Bumps the npm_and_yarn group with 2 updates in the /apps/server-v2 directory: yaml and hono.
Bumps the npm_and_yarn group with 2 updates in the /apps/share directory: yaml and next.
Bumps the npm_and_yarn group with 2 updates in the /ee/apps/den-web directory: next and postcss.
Bumps the npm_and_yarn group with 2 updates in the /ee/apps/landing directory: next and postcss.

Updates vite from 6.4.1 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

• fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163
• fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

Commits

• 6b3fad0 release: v6.4.2
• ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
• fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
• 5487f4f release: v6.4.1
• 1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
• f12697c release: v6.4.0
• ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
• 0e173d8 release: v6.3.7
• c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
• 3f337c5 release: v6.3.6
• Additional commits viewable in compare view

Updates electron from 35.7.5 to 39.8.5

Release notes

Sourced from electron's releases.

electron v39.8.5

Release Notes for v39.8.5

Fixes

• Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #50493 (Also in 40, 41, 42)
• Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #50499 (Also in 40, 41, 42)

electron v39.8.4

Release Notes for v39.8.4

Fixes

• Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #50468 (Also in 38, 40, 41)
• Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #50400 (Also in 40, 41, 42)
• Fixed improper focus tracking in BaseWindow on MacOS. #50338 (Also in 40, 41, 42)
• Fixed window freeze when failing to enter/exit fullscreen on macOS. #50341 (Also in 40, 41, 42)

Other Changes

• Added support for using a proxy during yarn install. #50349 (Also in 40, 41, 42)
• Backported fix for 485935305. #50440
• Backported fix for 489381399. #50443
• Backported fix for chromium:475877320. #50436
• Backported fixes for 484751092, 487117772. #50461

electron v39.8.3

Release Notes for v39.8.3

Fixes

• Added additional ASAR support to additional fs copy methods. #50284 (Also in 40, 41, 42)
• Fixed user resizing of transparent windows on win32 platform. #50300 (Also in 40, 41, 42)

electron v39.8.2

Release Notes for v39.8.2

Other Changes

• Backported fix for b/491421267. #50230

electron v39.8.1

Release Notes for v39.8.1

Fixes

• Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #50156 (Also in 38, 40, 41)
• Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #50215 (Also in 40, 41)
• Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #50136 (Also in 40, 41)
• Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #50174 (Also in 38, 40, 41)
• Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #50106 (Also in 40, 41)

... (truncated)

Commits

• 9d2f8cb refactor: remove dead named-window lookup from guest-window-manager (#50498)
• 1173004 fix: crash calling OSR shared texture release() after texture GC'd (#50499)
• be37ade fix: crash in clipboard.readImage() on malformed image data (#50493)
• 7007907 chore: cherry-pick 3 changes from chromium (#50461)
• 2c8b6ee chore: cherry-pick fbfb27470bf6 from chromium (#50436)
• 4c64377 chore: cherry-pick 50b057660b4d from chromium (#50440)
• 0ef0561 fix: read nodeIntegrationInWorker from per-frame WebPreferences (#50122) (#50...
• 64373df chore: cherry-pick 074d472db745 from chromium (#50443)
• 13e4407 fix: don't re-parse URL unnecessarily when handling dialogs (#50400)
• 16a0385 ci: output build cache hit rate as GHA annotation (#50369)
• Additional commits viewable in compare view

Updates minimatch from 10.1.1 to 10.2.3

Changelog

Sourced from minimatch's changelog.

change log

10.2

• Add braceExpandMax option

10.1

• Add magicalBraces option for escape
• Fix makeRe when partial: true is set.
• Fix makeRe when pattern ends in a final ** path part.

10.0

• Require node 20 or 22 and higher

9.0

• No default export, only named exports.

8.0

• Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
• Bump required Node.js version

7.4

• Add escape() method
• Add unescape() method
• Add Minimatch.hasMagic() method

7.3

• Add support for posix character classes in a unicode-aware way.

7.2

• Add windowsNoMagicRoot option

7.1

• Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

• ea94840 10.2.3
• 0873fba update deps
• cecaad1 more extglob coalescing for performance
• 11d0df6 limit nested extglob recursion, flatten extglobs
• c3448c4 update assertValidPattern param type to unknown from any
• 0bf499a limit recursion for **, improve perf considerably
• 9f15c58 update deps
• f42b239 10.2.2
• fa2133b update deps
• b9d0153 ci: update action workflows
• Additional commits viewable in compare view

Updates yaml from 2.8.2 to 2.8.3

Release notes

Sourced from yaml's releases.

v2.8.3

• Add trailingComma ToString option for multiline flow formatting (#670)
• Catch stack overflow during node composition (1e84ebb)

Commits

• ce14587 2.8.3
• 1e84ebb fix: Catch stack overflow during node composition
• 6b24090 ci: Include Prettier check in lint action
• 9424dee chore: Refresh lockfile
• d1aca82 Add trailingComma ToString option for multiline flow formatting (#670)
• 4321509 ci: Drop the branch filter from GitHub PR actions
• 47207d0 chore: Update docs-slate
• 5212fae chore: Update docs-slate
• See full diff in compare view

Updates hono from 4.12.8 to 4.12.16

Release notes

Sourced from hono's releases.

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

• fix(jwt): support single-line PEM keys by @​hiendv in honojs/hono#4889

New Contributors

• @​hiendv made their first contribution in honojs/hono#4889

Full Changelog: honojs/hono@v4.12.14...v4.12.15

v4.12.14

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

• fix(aws-lambda): handle invalid header names in request processing (#4883) fa2c74fe

v4.12.13

What's Changed

• fix(types): infer response type from last handler in app.on 9-/10-handler overloads by @​T4ko0522 in honojs/hono#4865
• feat(trailing-slash): add skip option by @​yusukebe in honojs/hono#4862
• feat(cache): add onCacheNotAvailable option by @​yusukebe in honojs/hono#4876

New Contributors

• @​T4ko0522 made their first contribution in honojs/hono#4865

Full Changelog: honojs/hono@v4.12.12...v4.12.13

v4.12.12

Security fixes

This release includes fixes for the following security issues:

... (truncated)

Commits

• 90d4182 4.12.16
• db05b96 Merge commit from fork
• 614b834 Merge commit from fork
• 027e3df fix(method-override): handle Content-Type with charset parameter (#4894)
• f774f8d 4.12.15
• 18fe604 fix(jwt): support single-line PEM keys (#4889)
• cf2d2b7 4.12.14
• 66daa2e Merge commit from fork
• fa2c74f fix(aws-lambda): handle invalid header names in request processing (#4883)
• 3779927 4.12.13
• Additional commits viewable in compare view

Updates next from 14.2.35 to 15.5.15

Release notes

Sourced from next's releases.

v15.5.15

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

v15.5.14

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#91660)
• Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#90304)

Credits

Huge thanks to @​styfle and @​lllomh for helping!

v15.5.13

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​ztanner for helping!

Commits

• 412eb90 v15.5.15
• cb90de9 [15.x] Avoid consuming cyclic models multiple times (#74)
• fffef9e Fix CI for glibc linux builds
• d7b012d v15.5.14
• 2b05251 [backport] feat(next/image): add lru disk cache and `images.maximumDiskCacheS...
• f88cee9 Backport: Fix(pages-router): restore Content-Length and ETag for /_next/data/...
• cfd5f53 v15.5.13
• 15f2891 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• d23f41c v15.5.12
• 8e75765 fix unlock in publish-native
• Additional commits viewable in compare view

Updates @hono/node-server from 1.19.11 to 1.19.13

Release notes

Sourced from @​hono/node-server's releases.

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

• chore: ignore claude setting by @​yusukebe in honojs/node-server#314
• fix: request draining for early 413 responses by @​usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

Commits

• fd64e65 1.19.13
• 025c30f Merge commit from fork
• 6cdb5a7 1.19.12
• 70250f7 fix: request draining for early 413 responses (#329)
• cfc08b3 chore: ignore claude setting (#314)
• See full diff in compare view

Updates postcss from 8.4.38 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@​romainmenke during his work on Stylelint added Input#document in additional to Input#css.

root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"
</tr></table>

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

• Added Input#document for sources like CSS-in-JS or HTML (by @​romainmenke).

8.4.49

• Fixed custom syntax without source.offset (by @​romainmenke).

... (truncated)

Commits

• 33b9790 Release 8.5.10 version
• 536c79e Escape </style> in CSS output (#2074)
• afa96b2 Update dependencies (#2073)
• effe88b Typo (#2072)
• 3ee79a2 Thread model (#2071)
• 2e0683d Create incident response docs (#2070)
• fe88ac2 Release 8.5.9 version
• c551632 Avoid RegExp when we can use simple JS
• 89a6b74 Move SECURITY.txt for docs folder to keep GitHub page cleaner
• 6ceb8a4 Create SECURITY.md
• Additional commits viewable in compare view

Updates drizzle-orm from 0.45.1 to 0.45.2

Release notes

Sourced from drizzle-orm's releases.

0.45.2

• Fixed sql.identifier(), sql.as() escaping issues. Previously all the values passed to this functions were not properly escaped causing a possible SQL Injection (CWE-89) vulnerability

Thanks to @​EthanKim88, @​0x90sh and @​wgoodall01 for reaching out to us with a reproduction and suggested fix

Commits

• 273c780 + 0.45.2 (#5534)
• 4aa6ecf Kit updates (#5490)
• e8e6edf feat(drizzle-kit): support d1 via binding (#5302)
• See full diff in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates electron from 35.7.5 to 39.8.5

Release notes

Sourced from electron's releases.

electron v39.8.5

Release Notes for v39.8.5

Fixes

• Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #50493 (Also in 40, 41, 42)
• Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #50499 (Also in 40, 41, 42)

electron v39.8.4

Release Notes for v39.8.4

Fixes

• Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #50468 (Also in 38, 40, 41)
• Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #50400 (Also in 40, 41, 42)
• Fixed improper focus tracking in BaseWindow on MacOS. #50338 (Also in 40, 41, 42)
• Fixed window freeze when failing to enter/exit fullscreen on macOS. #50341 (Also in 40, 41, 42)

Other Changes

• Added support for using a proxy during yarn install. #50349 (Also in 40, 41, 42)
• Backported fix for 485935305. #50440
• Backported fix for 489381399. #50443
• Backported fix for chromium:475877320. #50436
• Backported fixes for 484751092, 487117772. #50461

electron v39.8.3

Release Notes for v39.8.3

Fixes

• Added additional ASAR support to additional fs copy methods. #50284 (Also in 40, 41, 42)
• Fixed user resizing of transparent windows on win32 platform. #50300 (Also in 40, 41, 42)

electron v39.8.2

Release Notes for v39.8.2

Other Changes

• Backported fix for b/491421267. #50230

electron v39.8.1

Release Notes for v39.8.1

Fixes

• Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #50156 (Also in 38, 40, 41)
• Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #50215 (Also in 40, 41)
• Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #50136 (Also in 40, 41)
• Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #50174 (Also in 38, 40, 41)
• Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #50106 (Also in 40, 41)

... (truncated)

Commits

• 9d2f8cb refactor: remove dead named-window lookup from guest-window-manager (#50498)
• 1173004 fix: crash calling OSR shared texture release() after texture GC'd (#50499)
• be37ade fix: crash in clipboard.readImage() on malformed image data (#50493)
• 7007907 chore: cherry-pick 3 changes from chromium (#50461)
• 2c8b6ee chore: cherry-pick fbfb27470bf6 from chromium (#50436)
• 4c64377 chore: cherry-pick 50b057660b4d from chromium (#50440)
• 0ef0561 fix: read nodeIntegrationInWorker from per-frame WebPreferences (#50122) (#50...
• 64373df chore: cherry-pick 074d472db745 from chromium (#50443)
• 13e4407 fix: don't re-parse URL unnecessarily when handling dialogs (#50400)
• 16a0385 ci: output build cache hit rate as GHA annotation (#50369)
• Additional commits viewable in compare view

Updates yaml from 2.8.2 to 2.8.3

Release notes

Sourced from yaml's releases.

v2.8.3

• Add trailingComma ToString option for multiline flow formatting (#670)
• Catch stack overflow during node composition (1e84ebb)

Commits

• ce14587 2.8.3
• 1e84ebb fix: Catch stack overflow during node composition
• 6b24090 ci: Include Prettier check in lint action
• 9424dee chore: Refresh lockfile
• d1aca82 Add trailingComma ToString option for multiline flow formatting (#670)
• 4321509 ci: Drop the branch filter from GitHub PR actions
• 47207d0 chore: Update docs-slate
• 5212fae chore: Update docs-slate
• See full diff in compare view

Updates hono from 4.12.12 to 4.12.16

Release notes

Sourced from hono's releases.

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

• fix(jwt): support single-line PEM keys by @​hiendv in honojs/hono#4889

New Contributors

• @​hiendv made their first contribution in honojs/hono#4889

Full Changelog: honojs/hono@v4.12.14...v4.12.15

v4.12.14

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

• fix(aws-lambda): handle invalid header names in request processing (#4883) fa2c74fe

v4.12.13

What's Changed

• fix(types): infer response type from last handler in app.on 9-/10-handler overloads by @​T4ko0522 in honojs/hono#4865
• feat(trailing-slash): add skip option by @​yusukebe in honojs/hono#4862
• feat(cache): add onCacheNotAvailable option by @​yusukebe in honojs/hono#4876

New Contributors

• @​T4ko0522 made their first contribution in honojs/hono#4865

Full Changelog: honojs/hono@v4.12.12...v4.12.13

v4.12.12

Security fixes

This release includes fixes for the following security issues:

... (truncated)

Commits

• 90d4182 4.12.16
• db05b96 Merge commit from fork
• 614b834 Merge commit from fork
• 027e3df fix(method-override): handle Content-Type with charset parameter (#4894)
• f774f8d 4.12.15
• 18fe604 fix(jwt): support single-line PEM keys (#4889)
• cf2d2b7 4.12.14
• 66daa2e Merge commit from fork
• fa2c74f fix(aws-lambda): handle invalid header names in request processing (#4883)
• 3779927 4.12.13
• Additional commits viewable in compare view

Updates yaml from 2.8.2 to 2.8.3

Release notes

Sourced from yaml's releases.

v2.8.3

• Add trailingComma ToString option for multiline flow formatting (