Bump the npm_and_yarn group across 2 directories with 7 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates in the / directory: jspdf, esbuild, lodash and qs.
Bumps the npm_and_yarn group with 2 updates in the /packages/core directory: vue and vuetify.

Updates jspdf from 4.0.0 to 4.2.0

Release notes

Sourced from jspdf's releases.

v4.2.0

This release fixes three security issues.

What's Changed

• Fix PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton children) vulnerability.
• Fix Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions vulnerability.
• Fix PDF Object Injection via Unsanitized Input in addJS Method vulnerability.
• Add "default" property to export section in package.json by @​stefan-schweiger in parallax/jsPDF#3953

New Contributors

• @​stefan-schweiger made their first contribution in parallax/jsPDF#3953

Full Changelog: parallax/jsPDF@v4.1.0...v4.2.0

v4.1.0

This release fixes several security issues.

What's Changed

• Upgrade optional dompurify dependency to 3.3.1 in parallax/jsPDF#3948
• Fix PDF Injection in AcroForm module allows Arbitrary JavaScript Execution vulnerability
• Fix Stored XMP Metadata Injection (Spoofing & Integrity Violation) vulnerability
• Fix Shared State Race Condition in addJS Method vulnerability
• Fix Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder vulnerability

Full Changelog: parallax/jsPDF@v4.0.0...v4.1.0

Commits

• 7af912c 4.2.0
• 56b46d4 Merge commit from fork
• 2e5e156 Merge commit from fork
• 71ad2db Merge commit from fork
• 885a777 fix: upgrade @​babel/runtime from 7.28.4 to 7.28.6 (#3954)
• 3b92c7d Add default export to package.json (#3953)
• 0227381 4.1.0
• ae4b93f Merge commit from fork
• 2863e5c Merge commit from fork
• efe54bf Merge commit from fork
• Additional commits viewable in compare view

Updates esbuild from 0.21.5 to 0.25.0

Release notes

Sourced from esbuild's releases.

v0.25.0

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.24.0 or ~0.24.0. See npm's documentation about semver for more information.

• Restrict access to esbuild's development server (GHSA-67mh-4wv8-2f99)

  This change addresses esbuild's first security vulnerability report. Previously esbuild set the Access-Control-Allow-Origin header to * to allow esbuild's development server to be flexible in how it's used for development. However, this allows the websites you visit to make HTTP requests to esbuild's local development server, which gives read-only access to your source code if the website were to fetch your source code's specific URL. You can read more information in the report.

  Starting with this release, CORS will now be disabled, and requests will now be denied if the host does not match the one provided to --serve=. The default host is 0.0.0.0, which refers to all of the IP addresses that represent the local machine (e.g. both 127.0.0.1 and 192.168.0.1). If you want to customize anything about esbuild's development server, you can put a proxy in front of esbuild and modify the incoming and/or outgoing requests.

  In addition, the serve() API call has been changed to return an array of hosts instead of a single host string. This makes it possible to determine all of the hosts that esbuild's development server will accept.

  Thanks to @​sapphi-red for reporting this issue.

• Delete output files when a build fails in watch mode (#3643)

  It has been requested for esbuild to delete files when a build fails in watch mode. Previously esbuild left the old files in place, which could cause people to not immediately realize that the most recent build failed. With this release, esbuild will now delete all output files if a rebuild fails. Fixing the build error and triggering another rebuild will restore all output files again.

• Fix correctness issues with the CSS nesting transform (#3620, #3877, #3933, #3997, #4005, #4037, #4038)

  This release fixes the following problems:

  • Naive expansion of CSS nesting can result in an exponential blow-up of generated CSS if each nesting level has multiple selectors. Previously esbuild sometimes collapsed individual nesting levels using :is() to limit expansion. However, this collapsing wasn't correct in some cases, so it has been removed to fix correctness issues.

    /* Original code */
    .parent {
      > .a,
      > .b1 > .b2 {
        color: red;
      }
    }
    /* Old output (with --supported:nesting=false) */
    .parent > :is(.a, .b1 > .b2) {
    color: red;
    }
    /* New output (with --supported:nesting=false) */
    .parent > .a,
    .parent > .b1 > .b2 {
    color: red;
    }

    Thanks to @​tim-we for working on a fix.

  • The & CSS nesting selector can be repeated multiple times to increase CSS specificity. Previously esbuild ignored this possibility and incorrectly considered && to have the same specificity as &. With this release, this should now work correctly:

    /* Original code (color should be red) */

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2024

This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).

0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

... (truncated)

Commits

• e9174d6 publish 0.25.0 to npm
• c27dbeb fix hosts in plugin-tests.js
• 6794f60 fix hosts in node-unref-tests.js
• de85afd Merge commit from fork
• da1de1b fix #4065: bitwise operators can return bigints
• f4e9d19 switch case liveness: default is always last
• 7aa47c3 fix #4028: minify live/dead switch cases better
• 22ecd30 minify: more constant folding for strict equality
• 4cdf03c fix #4053: reordering of .tsx in node_modules
• dc71977 fix #3692: 0 now picks a random ephemeral port
• Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates qs from 6.14.0 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

• [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
• [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

Commits

• d9b4c66 v6.15.0
• cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
• 88e1563 [Fix] duplicates option should not apply to bracket notation keys
• 9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
• 85cc8ca v6.12.5
• ffc12aa v6.11.4
• 0506b11 [actions] update reusable workflows
• 6a37faf [actions] update reusable workflows
• 8e8df5a [Fix] fix regressions from robustness refactor
• d60bab3 v6.10.7
• Additional commits viewable in compare view

Updates rollup from 4.34.8 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6275: Validate bundle stays within output dir (@​lukastaegert)

v4.58.0

4.58.0

2026-02-20

Features

• Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

• #6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@​njg7194, @​lukastaegert)
• #6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@​millerick, @​lukastaegert)
• #6260: fix(deps): update rust crate swc_compiler_base to v47 (@​renovate[bot], @​lukastaegert)
• #6261: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6262: Avoid unnecessary cloning of the code string (@​lukastaegert)
• #6263: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6265: chore(deps): lock file maintenance (@​renovate[bot])
• #6267: fix(deps): update minor/patch updates (@​renovate[bot])
• #6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@​renovate[bot], @​lukastaegert)
• #6269: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6270: chore(deps): lock file maintenance (@​renovate[bot])
• #6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@​lukastaegert)

v4.57.1

4.57.1

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

• #6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6275: Validate bundle stays within output dir (@​lukastaegert)

4.58.0

2026-02-20

Features

• Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

• #6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@​njg7194, @​lukastaegert)
• #6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@​millerick, @​lukastaegert)
• #6260: fix(deps): update rust crate swc_compiler_base to v47 (@​renovate[bot], @​lukastaegert)
• #6261: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6262: Avoid unnecessary cloning of the code string (@​lukastaegert)
• #6263: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6265: chore(deps): lock file maintenance (@​renovate[bot])
• #6267: fix(deps): update minor/patch updates (@​renovate[bot])
• #6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@​renovate[bot], @​lukastaegert)
• #6269: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6270: chore(deps): lock file maintenance (@​renovate[bot])
• #6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@​lukastaegert)

4.57.1

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

• #6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)
• #6252: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6253: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6254: Fully include dynamic imports in a try-catch (@​lukastaegert)

... (truncated)

Commits

• ae84695 4.59.0
• b39616e Update audit-resolve
• c60770d Validate bundle stays within output dir (#6275)
• 33f39c1 4.58.0
• b61c408 forward NO_SIDE_EFFECTS annotations to function expressions in variable decla...
• 7f00689 Extend agent instructions
• e7b2b85 chore(deps): lock file maintenance (#6270)
• 2aa5da9 fix(deps): update minor/patch updates (#6267)
• 4319837 chore(deps): update dependency lru-cache to v11 (#6269)
• c3b6b4b chore(deps): update dependency eslint-plugin-unicorn to v63 (#6268)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for rollup since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates vue from 2.7.16 to 3.5.29

Release notes

Sourced from vue's releases.

v3.5.29

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.28

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.27

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.26

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.25

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.24

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.23

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.22

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.21

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.20

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.19

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.18

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.17

For stable releases, please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vue's changelog.

3.5.29 (2026-02-24)

Bug Fixes

• runtime-core: prevent instance leak in withAsyncContext (#14445) (702284f), closes nuxt/nuxt#33644
• server-renderer: render className as escaped string (#14469) (da6690c)
• transition: prevent enter if leave is in progress (#14443) (df059f8), closes #12091 #12133

3.5.28 (2026-02-09)

Bug Fixes

• transition: avoid unexpected cancelled parameter in transition done callback (#14391) (6798853)
• compiler-sfc: add resolution trying for .mts/.cts files (#14402) (c09d41f), closes vuejs/router#2611
• compiler-sfc: no params were generated when using withDefaults (#12823) (b0a1f05), closes #12822
• reactivity: add __v_skip flag to EffectScope to prevent reactive conversion (#14359) (48b7552), closes #14357
• runtime-core: avoid retaining el on cached text vnodes during static traversal (#14419) (4ace79a), closes #14134
• runtime-core: prevent child component updates when style remains unchanged (#12825) (57866b5), closes #12826
• runtime-core: properly handle async component update before resolve (#11619) (e71c26c), closes #11617
• runtime-dom: handle null/undefined handler in withModifiers (#14362) (261de54), closes #14361
• teleport: properly handling disabled teleport target anchor (#14417) (d7bcd85), closes #14412
• transition-group: correct move translation under scale via element rect (#14360) (0243a79), closes #14356
• useTemplateRef: don't update setup ref for useTemplateRef key (#12756) (fc40ca0), closes #12749

3.5.27 (2026-01-19)

Bug Fixes

• compile-sfc: correctly handle variable shadowing in for loop for defineProps destructuring. (#14296) (6a1bb50), closes #14294
• compiler-sfc: handle indexed access types in declare global blocks (#14260) (e4091fe), closes #14236
• compiler-sfc: use correct scope when resolving indexed access types from external files (#14297) (f0f0a21), closes #14292
• reactivity: collection iteration should inherit iterator instance methods (#12644) (3c8b2fc), closes #12615
• runtime-core: skip patching reserved props for custom elements (#14275) (19cc7e2), closes #14274
• server-renderer: use ssrRenderClass helper for className attribute (#14327) (a4708f3)
• ssr: handle v-bind modifiers during render attrs (#14263) (c2f5964), closes #14262

3.5.26 (2025-12-18)

Bug Fixes

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for vue since your current version.

Updates vuetify from 2.7.2 to 4.0.0

Release notes

Sourced from vuetify's releases.

v4.0.0

Welcome to the v4.0.0 release of Vuetify!

Supporting Vuetify

Vuetify is an open source MIT project that has been made possible due to the generous contributions by sponsors and backers. If your business depend on Vuetify, please consider joining sponsors and backers on various platforms to help support ongoing development and new features.

• Documentation
• Upgrade Guide
• Report a Bug
• Community Discord

🚀 Features

• MD3 typography (#22557) (311daf4)
• MD3 elevation levels (#22461) (dfce695), closes #14198
• grid system overhaul (#21500) (f6d24a9), closes #8611
• VAvatar: add badge prop + dot-size for VBadge (#22496) (cc9f417)
• VCol: syntax for overriding row size (#22572) (43e8736)
• VRow: smaller density steps (#22574) (16b944f)
• VSelect/VAutocomplete/VCombobox: add menu-elevation prop (4605987)
• VSnackbarQueue: show multiple snackbars (#22605) (7248d20), closes #21927
• display: reduce default breakpoint sizes (#19759) (853ce33)
• styles: always use css layers (f7123c6), closes #3400 #20232
• styles: flatten layer names (#22460) (47bc400), closes #22443
• styles: add separate entry points (#22396) (f00902c), closes #20100
• styles: cut down CSS reset (#20960) (ae3e8c9), closes #17633
• styles: remove overflow-y from reset (27868d5), closes #1197
• theme: change default theme to 'system' (9c8506c)
• theme: support transparent colors (bb49662), closes #10299
• theme: remove unimportant option (e8845ff)
• VDatePicker: only emit start and end range values (#20621) (eef80ad), closes #9098 #18701 #20599
• VForm: unref values in slot props (f92ae7a), closes #18355
• VImg: pass attributes to the underlying <img> (#22439) (71e01aa), closes #18860 #18907
• VInput: add indent-details prop (#21265) (f483092), closes #16679
• VNumberInput: do not clamp value on mounted (#21826) (4b4bfa5)
• VSelect/Autocomplete/Combobox: rename item to internalItem (2c1ac25), closes #18354
• VSnackbar: remove multi-line prop (#22212) (1371aba), closes #15996

🔧 Bug Fixes

• colors: correct CSS layer name (47d4b70)
• defaults: skip undefined values (2a74859), closes #17845
• inputs: restore plain/underlined icon alignment (5495cca)
• styles: utilities should override responsive typography (#22573) (878907f)

... (truncated)

Commits

• 84f9dc3 chore(release): publish v4.0.0
• 91acb02 chore(VToolbar): fix a test rendering 0px width in vizzly
• 6fbfd78 chore(release): publish v4.0.0-beta.3
• 16d60c2 chore: revert minor merge accident
• 4605987 feat(VSelect/VAutocomplete/VCombobox): add menu-elevation prop
• b005b5e Merge branch 'dev' into next
• b26cb70 chore(release): publish v3.12.1
• a9227bc Revert "fix(VTreeview, VList): reworked indentation and spacing in trees and ...
• 7e241ab chore(README): update sponsors
• d751d7c chore(release): publish v3.12.0
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for vuetify since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[oeninghe-dataport]

We are not using dependabot on main branch yet.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml