Bump the npm group with 5 updates

[dependabot]

Bumps the npm group with 5 updates:

Package	From	To
@types/react	19.1.7	19.1.8
brace-expansion	1.1.11	1.1.12
caniuse-lite	1.0.30001721	1.0.30001722
preact	10.26.8	10.26.9
unrs-resolver	1.7.13	1.8.1

Updates @types/react from 19.1.7 to 19.1.8

Commits

• See full diff in compare view

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• c85b8ad 4.0.1
• 5a5cc17 fmt
• 0b6a978 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• 6a39bdd 4.0.0
• dd72a59 fmt
• 278132b feat: use string replaces instead of splits (#64)
• 70e4c1b add tea.yaml
• b01a637 3.0.0
• 9e781e9 node 16 is EOL
• 6dad209 docs
• Additional commits viewable in compare view

Updates caniuse-lite from 1.0.30001721 to 1.0.30001722

Commits

• baf8b44 Update caniuse-db 1.0.30001722
• See full diff in compare view

Updates preact from 10.26.8 to 10.26.9

Release notes

Sourced from preact's releases.

10.26.9

Fixes

• Export test-utils from compat by @​rawrmonstar in preactjs/preact#4783
• Escape style object value in precompile transform by @​marvinhagemeister in preactjs/preact#4795
• Fix signal attribute values not working with precompile transform by @​marvinhagemeister in preactjs/preact#4798

Maintenance

• Bump browserslist by @​rschristian in preactjs/preact#4785
• Avoid caching so file-saves work first try by @​JoviDeCroock in preactjs/preact#4786
• Make previous benchmark results not required by @​marvinhagemeister in preactjs/preact#4796
• Point release workflow to 10.x by @​marvinhagemeister in preactjs/preact#4797

Commits

• ee12c20 Merge pull request #4800 from preactjs/release-10.26.9
• 9b54e1b 10.26.9
• d369bdb Merge pull request #4798 from preactjs/10.x-precompile-attr
• c6defb4 fix: signal attribute values not working with precompile transform
• 2a57866 Merge pull request #4797 from preactjs/10.x-release
• 8ed14de chore: point release workflow to 10.x
• fd1f38d Merge pull request #4795 from preactjs/10.x-precompile-style
• 85e0cab fix: escape style object value in precompile transform
• 5c206b5 Merge pull request #4796 from preactjs/10.x-benchmarks
• a4263b5 chore: make previous benchmark results not required
• Additional commits viewable in compare view

Updates unrs-resolver from 1.7.13 to 1.8.1

Release notes

Sourced from unrs-resolver's releases.

v1.8.1

Bug Fixes

• keep napi property in package.json for napi-postinstall (#148) (by @​JounQin)

Contributors

• @​JounQin

Full Changelog: unrs/unrs-resolver@v1.8.0...v1.8.1

v1.8.0

Features

• support runtime fallback for webcontainer (#144) (by @​JounQin) - #144
• merge from upstream oxc-project/oxc-resolver - 6th (#146) (by @​JounQin) - #146

Chore

• (deps) update all dependencies (#141) (by @​renovate[bot])

Contributors

• @​JounQin
• @​renovate[bot]

Full Changelog: unrs/unrs-resolver@v1.7.13...v1.8.0

Changelog

Sourced from unrs-resolver's changelog.

1.8.1 - 2025-06-11

Bug Fixes

• keep napi property in package.json for napi-postinstall (#148) (by @​JounQin)

Contributors

• @​JounQin

1.8.0 - 2025-06-11

Features

• support runtime fallback for webcontainer (#144) (by @​JounQin) - #144
• merge from upstream oxc-project/oxc-resolver - 6th (#146) (by @​JounQin) - #146

Chore

• (deps) update all dependencies (#141) (by @​renovate[bot])

Contributors

• @​JounQin
• @​renovate[bot]

Commits

• e02a6bd fix: keep napi property in package.json for napi-postinstall (#148)
• 46cbe4d chore: release v1.8.0 (#145)
• 56e6d60 Merge remote-tracking branch 'upstream/main' into chore/merge_upstream
• 4d9421e chore(deps): update all dependencies (#141)
• ad84a30 feat: support runtime fallback for webcontainer (#144)
• ca32760 ci: migrate cliff to changelog#commit_parsers, add custom changelog#body for ...
• 778f015 fix(napi): ensure pnp_manifest is included with yarn_pnp feature (#555)
• fe4e8b6 build(rust): debug = false in [profile.dev] and [profile.test] (#554)
• ed1d10e chore(deps): lock file maintenance rust crates (#552)
• e8c3166 chore(deps): lock file maintenance npm packages (#551)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
github-oauth-example	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jun 11, 2025 3:15pm

[amazon-q-developer]

⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done

[amazon-q-developer]

Description: A vulnerability was found in juliangruber brace-expansion up to 1.1.11. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to apply a patch to fix this issue.

Relevant link: GHSA-v6h2-p8h4-qcjw

Severity: Low

[amazon-q-developer]

The vulnerability in brace-expansion was addressed by updating the version from 1.1.12 to 1.1.13, which includes the necessary security patch.

Suggested change

	brace-expansion@1.1.12:
	balanced-match@1.0.2:
	resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==}
	brace-expansion@1.1.13:
	resolution: {integrity: sha512-xaqq0gSpk7AnzcJ/KvlWMUBqX3gXLZKRCXuVsGOKn+7Sh+9L8J1UXTprod2Bf5T4VnGXqGlVuoS0ycHc1tVa4Q==}
	brace-expansion@2.0.2:
	resolution: {integrity: sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==}

[amazon-q-developer]

✅ I finished the code review, and left comments with the issues I found. I will now generate code fix suggestions.