chore(deps): bump the sec-updates group across 2 directories with 4 updates by dependabot[bot] · Pull Request #556 · FoxxMD/multi-scrobbler

dependabot · 2026-04-09T14:53:59Z

Bumps the sec-updates group with 2 updates in the / directory: storybook and vite.
Bumps the sec-updates group with 1 update in the /docsite directory: lodash-es.

Updates storybook from 10.2.0 to 10.3.5

Release notes

Sourced from storybook's releases.

v10.3.5

10.3.5

Core: Disable component manifest by default - #34408, thanks @yannbf!

[!NOTE] Version >=0.5.0 of @storybook/addon-mcp enables component manifests again. If you're upgrading Storybook from version >= 10.3.0 to >= 10.3.5 and are using the MCP addon, you should also upgrade @storybook/addon-mcp to keep the docs toolset in the MCP server.

v10.3.4

10.3.4

Addon-a11y: Clear status transition timer on unmount to prevent test flake - #34203, thanks @mixelburg!

Bug: Skip re-processing already transformed config files for CSF factories - #34273, thanks @huang-julien!

Builder-Vite: Use djb2 hash to prevent variable name collisions in builder-vite - #34274, thanks @chida09!

CLI: Prompt for init crash reports - #34316, thanks @JReinhold!

CSF4: Fix duplicate preview loading issue in Vitest - #34361, thanks @valentinpalkovic!

Core: Fix WebSocket connection for StackBlitz/WebContainers - #34281, thanks @ghengeveld!

React-Docgen: Try .tsx fallback when resolving .js ESM imports in docgen resolvers - #34393, thanks @mixelburg!

React-Vite: Upgrade @joshwooding/vite-plugin-react-docgen-typescript to 0.7.0 - #34335, thanks @beeswhacks!

v10.3.3

10.3.3

Addon-Vitest: Streamline vite(st) config detection across init and postinstall - #34193, thanks @valentinpalkovic!

v10.3.2

10.3.2

CLI: Shorten CTA link messages - #34236, thanks @shilman!

React Native Web: Fix vite8 support by bumping vite-plugin-rnw - #34231, thanks @dannyhw!

v10.3.1

10.3.1

CLI: Use npm info to fetch versions in repro command - #34214, thanks @yannbf!

Core: Prevent story-local viewport from persisting in URL - #34153, thanks @ghengeveld!

v10.3.0

10.3.0

> Improved developer experience, AI-assisting tools, and broader ecosystem support

Storybook 10.3 contains hundreds of fixes and improvements including:

🤖 Storybook MCP: Agentic component dev, docs, and test (Preview release for React)

⚡ Vite 8 support

▲ Next.js 16.2 support

📝 ESLint 10 support

〰️ Addon Pseudo-States: Tailwind v4 support

🔧 Addon-Vitest: Simplified configuration - no more setup files required

... (truncated)

Changelog

Sourced from storybook's changelog.

10.3.5

Core: Disable component manifest by default - #34408, thanks @yannbf!

[!NOTE] Version >=0.5.0 of @storybook/addon-mcp enables component manifests again. If you're upgrading Storybook from version >= 10.3.0 to >= 10.3.5 and are using the MCP addon, you should also upgrade @storybook/addon-mcp to keep the docs toolset in the MCP server.

10.3.4

Addon-a11y: Clear status transition timer on unmount to prevent test flake - #34203, thanks @mixelburg!

Bug: Skip re-processing already transformed config files for CSF factories - #34273, thanks @huang-julien!

Builder-Vite: Use djb2 hash to prevent variable name collisions in builder-vite - #34274, thanks @chida09!

CLI: Prompt for init crash reports - #34316, thanks @JReinhold!

CSF4: Fix duplicate preview loading issue in Vitest - #34361, thanks @valentinpalkovic!

Core: Fix WebSocket connection for StackBlitz/WebContainers - #34281, thanks @ghengeveld!

React-Docgen: Try .tsx fallback when resolving .js ESM imports in docgen resolvers - #34393, thanks @mixelburg!

React-Vite: Upgrade @joshwooding/vite-plugin-react-docgen-typescript to 0.7.0 - #34335, thanks @beeswhacks!

10.3.3

Addon-Vitest: Streamline vite(st) config detection across init and postinstall - #34193, thanks @valentinpalkovic!

10.3.2

CLI: Shorten CTA link messages - #34236, thanks @shilman!

React Native Web: Fix vite8 support by bumping vite-plugin-rnw - #34231, thanks @dannyhw!

10.3.1

CLI: Use npm info to fetch versions in repro command - #34214, thanks @yannbf!

Core: Prevent story-local viewport from persisting in URL - #34153, thanks @ghengeveld!

10.3.0

> Improved developer experience, AI-assisting tools, and broader ecosystem support

Storybook 10.3 contains hundreds of fixes and improvements including:

🤖 Storybook MCP: Agentic component dev, docs, and test (Preview release for React)

⚡ Vite 8 support

▲ Next.js 16.2 support

📝 ESLint 10 support

〰️ Addon Pseudo-States: Tailwind v4 support

🔧 Addon-Vitest: Simplified configuration - no more setup files required

♿ Numerous accessibility improvements across the UI

... (truncated)

Commits

e486d38 Bump version from "10.3.4" to "10.3.5" [skip ci]
0b3ac65 Merge pull request #34408 from storybookjs/yann/disable-component-manifest-de...
ee73b65 Merge pull request #34455 from seojcarlos/fix/remove-duplicate-words
4eff9cd Bump version from "10.3.3" to "10.3.4" [skip ci]
21d37fd Merge pull request #34224 from storybookjs/chore/removeprettierrc
4eb227b Build: Move prettier to oxfmt
ff9d121 Merge pull request #34316 from storybookjs/jeppe/fix-error-reports-on-init
5bc8686 Merge pull request #34281 from storybookjs/fix-stackblitz-websocket
b0acfb4 Bump version from "10.3.2" to "10.3.3" [skip ci]
6a398c5 Merge pull request #34193 from storybookjs/valentin/streamline-config-validat...
Additional commits viewable in compare view

Updates vite from 5.4.21 to 8.0.8

Release notes

Sourced from vite's releases.

v8.0.8

Please refer to CHANGELOG.md for details.

v8.0.7

Please refer to CHANGELOG.md for details.

v8.0.6

Please refer to CHANGELOG.md for details.

v8.0.5

Please refer to CHANGELOG.md for details.

v8.0.4

Please refer to CHANGELOG.md for details.

create-vite@8.0.3

Please refer to CHANGELOG.md for details.

v8.0.3

Please refer to CHANGELOG.md for details.

create-vite@8.0.2

Please refer to CHANGELOG.md for details.

v8.0.2

Please refer to CHANGELOG.md for details.

create-vite@8.0.1

Please refer to CHANGELOG.md for details.

v8.0.1

Please refer to CHANGELOG.md for details.

plugin-legacy@8.0.1

Please refer to CHANGELOG.md for details.

create-vite@8.0.0

Please refer to CHANGELOG.md for details.

plugin-legacy@8.0.0

Please refer to CHANGELOG.md for details.

v8.0.0

Please refer to CHANGELOG.md for details.

v8.0.0-beta.18

Please refer to CHANGELOG.md for details.

v8.0.0-beta.17

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

8.0.8 (2026-04-09)

Features

update rolldown to 1.0.0-rc.15 (#22201) (6baf587)

Bug Fixes

avoid dns.getDefaultResultOrder temporary (#22202) (15f1c15)

ssr: class property keys hoisting matching imports (#22199) (e137601)

8.0.7 (2026-04-07)

Bug Fixes

use sync dns.getDefaultResultOrder instead of dns.promises (#22185) (5c05b04)

8.0.6 (2026-04-07)

Features

update rolldown to 1.0.0-rc.13 (#22097) (51d3e48)

Bug Fixes

css: avoid mutating sass error multiple times (#22115) (d5081c2)

optimize-deps: hoist CJS interop assignment (#22156) (17a8f9e)

Performance Improvements

early return in getLocalhostAddressIfDiffersFromDNS when DNS order is verbatim (#22151) (56ec256)

Miscellaneous Chores

create-vite: remove unnecessary DOM.Iterable (#22168) (bdc53ab)

replace remaining prettier script (#22179) (af71fb2)

8.0.5 (2026-04-06)

Bug Fixes

apply server.fs check to env transport (#22159) (f02d9fd)

avoid path traversal with optimize deps sourcemap handler (#22161) (79f002f)

check server.fs after stripping query as well (#22160) (a9a3df2)

disallow referencing files outside the package from sourcemap (#22158) (f05f501)

8.0.4 (2026-04-06)

Features

allow esbuild 0.28 as peer deps (#22155) (b0da973)

hmr: truncate list of files on hmr update (#21535) (d00e806)

optimizer: log when dependency scanning or bundling takes over 1s (#21797) (f61a1ab)

Bug Fixes

... (truncated)

Commits

6e585dc release: v8.0.8
e137601 fix(ssr): class property keys hoisting matching imports (#22199)
15f1c15 fix: avoid dns.getDefaultResultOrder temporary (#22202)
6baf587 feat: update rolldown to 1.0.0-rc.15 (#22201)
fdb2e6f release: v8.0.7
5c05b04 fix: use sync dns.getDefaultResultOrder instead of dns.promises (#22185)
7b3086f release: v8.0.6
af71fb2 chore: replace remaining prettier script (#22179)
51d3e48 feat: update rolldown to 1.0.0-rc.13 (#22097)
17a8f9e fix(optimize-deps): hoist CJS interop assignment (#22156)
Additional commits viewable in compare view

Updates esbuild from 0.21.5 to 0.27.7

Release notes

Sourced from esbuild's releases.

v0.27.7
Fix lowering of define semantics for TypeScript parameter properties (#4421)

The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:
// Original code
class Foo {
  constructor(public x = 1) {}
  y = 2
}
// Old output (with --loader=ts --target=es2021)
class Foo {
constructor(x = 1) {
this.x = x;
__publicField(this, "y", 2);
}
x;
}
// New output (with --loader=ts --target=es2021)
class Foo {
constructor(x = 1) {
__publicField(this, "x", x);
__publicField(this, "y", 2);
}
}
v0.27.5
Fix for an async generator edge case (#4401, #4417)

Support for transforming async generators into the equivalent state machine was added in version 0.19.0. However, the generated state machine didn't work correctly when polling async generators concurrently, such as in the following code:
async function* inner() { yield 1; yield 2 }
async function* outer() { yield* inner() }
let gen = outer()
for await (let x of [gen.next(), gen.next()]) console.log(x)
Previously esbuild's output of the above code behaved incorrectly when async generators were transformed (such as with --supported:async-generator=false). The transformation should be fixed starting with this release.

This fix was contributed by @2767mr.
Fix a regression when metafile is enabled (#4420, #4418)

This release fixes a regression introduced by the previous release. When metafile: true was enabled in esbuild's JavaScript API, builds with build errors were incorrectly throwing an error about an empty JSON string instead of an object containing the build errors.

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2024

This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).

0.24.2

Fix regression with --define and import.meta (#4010, #4012, #4013)

The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

This fix was contributed by @sapphi-red.

0.24.1
Allow es2024 as a target in tsconfig.json (#4004)

TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:
{
  "compilerOptions": {
    "target": "ES2024"
  }
}
As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

This fix was contributed by @billyjanitsch.
Allow automatic semicolon insertion after get/set

This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:
class Foo {
  get
  *x() {}
  set
  *y() {}
}
The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.
Allow quoted property names in --define and --pure (#4008)

The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

... (truncated)

Commits

2025c9f publish 0.27.7 to npm
c6b586e fix typo in Makefile for @esbuild/win32-x64
9785e14 publish 0.27.6 to npm
b169d8c Revert "update go 1.25.7 => 1.26.1"
7ac8762 run make update-compat-table
8b5ff53 remove an incorrect else
e955268 fix #4421: lower generated class fields if needed
a5a2500 ci: move make test-old-ts
b71e7ac omit go's buildvcs for more reproducible builds
7406b09 organize make platform-all output in Makefile
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for esbuild since your current version.

Updates lodash-es from 4.17.23 to 4.18.1

Release notes

Sourced from lodash-es's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

lodash: lodash/lodash@4.18.0-npm...4.18.1-npm

lodash-es: lodash/lodash@4.18.0-es...4.18.1-es

lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd

lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

Add security notice for _.template in threat model and API docs (#6099)

Document lower > upper behavior in _.random (#6115)

Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

lodash.orderby

lodash.tonumber

lodash.trim

lodash.trimend

lodash.sortedindexby

lodash.zipobjectdeep

lodash.unset

lodash.omit

lodash.template

Commits

cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
75535f5 chore: prune stale advisory refs (#6170)
62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
59be2de release(minor): bump to 4.18.0 (#6161)
af63457 fix: broken tests for _.template 879aaa9
1073a76 fix: linting issues
879aaa9 fix: validate imports keys in _.template
fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
b819080 ci: add dist sync validation workflow (#6137)
Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

…pdates Bumps the sec-updates group with 2 updates in the / directory: [storybook](https://github.com/storybookjs/storybook/tree/HEAD/code/core) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Bumps the sec-updates group with 1 update in the /docsite directory: [lodash-es](https://github.com/lodash/lodash). Updates `storybook` from 10.2.0 to 10.3.5 - [Release notes](https://github.com/storybookjs/storybook/releases) - [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md) - [Commits](https://github.com/storybookjs/storybook/commits/v10.3.5/code/core) Updates `vite` from 5.4.21 to 8.0.8 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.0.8/packages/vite) Updates `esbuild` from 0.21.5 to 0.27.7 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2024.md) - [Commits](evanw/esbuild@v0.21.5...v0.27.7) Updates `lodash-es` from 4.17.23 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.23...4.18.1) --- updated-dependencies: - dependency-name: storybook dependency-version: 10.3.5 dependency-type: direct:development dependency-group: sec-updates - dependency-name: vite dependency-version: 8.0.8 dependency-type: direct:development dependency-group: sec-updates - dependency-name: esbuild dependency-version: 0.27.7 dependency-type: indirect dependency-group: sec-updates - dependency-name: lodash-es dependency-version: 4.18.1 dependency-type: indirect dependency-group: sec-updates ... Signed-off-by: dependabot[bot] <support@github.com>

netlify · 2026-04-09T14:54:06Z

❌ Deploy Preview for multi-scrobbler failed.

Name	Link
🔨 Latest commit	`9e2a4a5`
🔍 Latest deploy log	https://app.netlify.com/projects/multi-scrobbler/deploys/69d7bd8c719994000848670e

FoxxMD · 2026-04-09T15:53:19Z

@dependabot ignore storybook

dependabot · 2026-04-09T15:53:22Z

OK, I won't notify you about storybook again, unless you unignore it.

dependabot · 2026-04-09T16:04:33Z