build(deps): bump the npm_and_yarn group across 1 directory with 5 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the / directory: solid-start and rollup.

Updates solid-start from 0.1.6 to 0.3.11

Release notes

Sourced from solid-start's releases.

v0.5.0 - Async Local Storage ...Everywhere

This release is a bunch of organizational shifts from our learnings after running Solid Start Beta 2 for the first month (see: solidjs/solid-start#1279). These are all minor changes but we hope they will smooth out the dev experience significantly. This release is largely possible due to the heroic efforts of @​nksaraf and the multitudes of updates/fixes @​lxsmnsyc has been making behind the scenes.

RequestEvent improvements

Main update is we've changed how we look at the main event object. Before we were mashing everything on top of H3 which wasn't always the best. We couldn't just adopt H3's Event because we have conventions in the Solid ecosystem and it was a bit awkward trying to figure out how to best interact with both systems in place.

Main change here is that instead of merging, the underlying H3Event is now available at event.nativeEvent. But having to pump that through helpers all the time would be a bit clunky so we have a couple new mechanism to make it easier to use.

Stubbing out the Response

If you are doing simple operations like updating the headers or status of the response you can do that now directly off our event the same way you can with request:

import { getRequestEvent } from "solid-js/web";
const event = getRequestEvent();
console.log(event.request.url);
event.response.headers.set("x-foo", "bar");
console.log(event.response.status);
event.response.status = 201;

This response object proxies the H3 methods which has the nice benefit of being able to use it easier in isomorphic settings without worrying about imports and bundling. Components like <HttpStatus> and <HttpHeader> are built using this primitive.

Async Local Storage Everywhere

HTTP helpers are now available at vinxi/http. Previously we were re-exporting these but we don't want to own this piece. Currently there is a light wrapper around H3 done here. But it means that the provided helpers are usable now directly without passing the H3Event in.

import { useSession } from "vinxi/http";
async function someServerFunction() {
"use server";
const session = await useSession({ password: process.env.SESSION_SECRET});
doSomethingWith(session.data.userId);
}

You can still pass in the H3Event if you want as the first argument, and these Vinxi wrappers also support passing in Solid's RequestEvent as well but between these 2 APIs you probably won't be interfacing with the H3Event much directly in application code.

Typing Locals

SolidStart uses event.locals to pass around local context to be used as you see fit. Before this was just a record but now you can add specific types to it as well:

declare module "@solidjs/start/server" {
  interface RequestEventLocals {
    myNumber: number;
    someString: string;
  }
}
</tr></table> 

... (truncated)

Commits

• See full diff in compare view

Updates vite from 3.2.10 to 6.1.0

Release notes

Sourced from vite's releases.

create-vite@6.1.0

Please refer to CHANGELOG.md for details.

v6.1.0

Please refer to CHANGELOG.md for details.

v6.1.0-beta.2

Please refer to CHANGELOG.md for details.

v6.1.0-beta.1

Please refer to CHANGELOG.md for details.

v6.1.0-beta.0

Please refer to CHANGELOG.md for details.

v6.0.11

Please refer to CHANGELOG.md for details.

v6.0.10

Please refer to CHANGELOG.md for details.

v6.0.9

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

v6.0.8

Please refer to CHANGELOG.md for details.

v6.0.7

Please refer to CHANGELOG.md for details.

v6.0.6

Please refer to CHANGELOG.md for details.

v6.0.5

Please refer to CHANGELOG.md for details.

v6.0.4

Please refer to CHANGELOG.md for details.

v6.0.3

Please refer to CHANGELOG.md for details.

v6.0.2

Please refer to CHANGELOG.md for details.

create-vite@6.0.1

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

6.1.0 (2025-02-05)

Features

• feat: show hosts in cert in CLI (#19317) (a5e306f), closes #19317
• feat: support for env var for defining allowed hosts (#19325) (4d88f6c), closes #19325
• feat: use native runtime to import the config (#19178) (7c2a794), closes #19178
• feat: print port in the logged error message after failed WS connection with EADDRINUSE (#19212) (14027b0), closes #19212
• perf(css): only run postcss when needed (#19061) (30194fa), closes #19061
• feat: add support for .jxl (#18855) (57b397c), closes #18855
• feat: add the builtins environment resolve (#18584) (2c2d521), closes #18584
• feat: call Logger for plugin logs in build (#13757) (bf3e410), closes #13757
• feat: export defaultAllowedOrigins for user-land config and 3rd party plugins (#19259) (dc8946b), closes #19259
• feat: expose createServerModuleRunnerTransport (#18730) (8c24ee4), closes #18730
• feat: support async for proxy.bypass (#18940) (a6b9587), closes #18940
• feat: support log related functions in dev (#18922) (3766004), closes #18922
• feat: use module runner to import the config (#18637) (b7e0e42), closes #18637
• feat(css): add friendly errors for IE hacks that are not supported by lightningcss (#19072) (caad985), closes #19072
• feat(optimizer): support bun text lockfile (#18403) (05b005f), closes #18403
• feat(reporter): add wasm to the compressible assets regex (#19085) (ce84142), closes #19085
• feat(worker): support dynamic worker option fields (#19010) (d0c3523), closes #19010

Fixes

• fix: avoid builtStart during vite optimize (#19356) (fdb36e0), closes #19356
• fix(build): fix stale build manifest on watch rebuild (#19361) (fcd5785), closes #19361
• fix: allow expanding env vars in reverse order (#19352) (3f5f2bd), closes #19352
• fix: avoid packageJson without name in resolveLibCssFilename (#19324) (f183bdf), closes #19324
• fix(html): fix css disorder when building multiple entry html (#19143) (e7b4ba3), closes #19143
• fix: don't call buildStart hooks for vite optimize (#19347) (19ffad0), closes #19347
• fix: don't call next middleware if user sent response in proxy.bypass (#19318) (7e6364d), closes #19318
• fix: respect top-level server.preTransformRequests (#19272) (12aaa58), closes #19272
• fix: use nodeLikeBuiltins for ssr.target: 'webworker' without noExternal: true (#19313) (9fc31b6), closes #19313
• fix(css): less @plugin imports of JS files treated as CSS and rebased (fix #19268) (#19269) (602b373), closes #19268 #19269
• fix(deps): update all non-major dependencies (#19296) (2bea7ce), closes #19296
• fix(resolve): preserve hash/search of file url (#19300) (d1e1b24), closes #19300
• fix(resolve): warn if node-like builtin was imported when resolve.builtin is empty (#19312) (b7aba0b), closes #19312
• fix(ssr): fix transform error due to export all id scope (#19331) (e28bce2), closes #19331
• fix(ssr): pretty print plugin error in ssrLoadModule (#19290) (353c467), closes #19290
• fix: change ResolvedConfig type to interface to allow extending it (#19210) (bc851e3), closes #19210
• fix: correctly resolve hmr dep ids and fallback to url (#18840) (b84498b), closes #18840
• fix: make --force work for all environments (#18901) (51a42c6), closes #18901
• fix: use loc.file from rollup errors if available (#19222) (ce3fe23), closes #19222
• fix(deps): update all non-major dependencies (#19190) (f2c07db), closes #19190
• fix(hmr): register inlined assets as a dependency of CSS file (#18979) (eb22a74), closes #18979
• fix(resolve): support resolving TS files by JS extension specifiers in JS files (#18889) (612332b), closes #18889
• fix(ssr): combine empty source mappings (#19226) (ba03da2), closes #19226
• fix(utils): clone RegExp values with new RegExp instead of structuredClone (fix #19245, fix #1 (56ad2be), closes #19245 #18875 #19247

... (truncated)

Commits

• 3734f80 fix(css): escape double quotes in url() when lightningcss is used (#18997)
• 2b4f115 fix(deps): update all non-major dependencies (#18996)
• 12b612d fix: fallback terser to main thread when function options are used (#18987)
• d88d000 fix(deps): update all non-major dependencies (#18967)
• 21680bd fix(css): skip non css in custom sass importer (#18970)
• 62fad6d chore(deps): update dependency @​rollup/plugin-node-resolve to v16 (#18968)
• 8a6bb4e fix(optimizer): keep NODE_ENV as-is when keepProcessEnv is true (#18899)
• 7d6dd5d fix(ssr): recreate ssrCompatModuleRunner on restart (#18973)
• c4b532c fix(css): root relative import in sass modern API on Windows (#18945)
• 27f691b refactor: make internal invoke event to use the same interface with `handleIn...
• Additional commits viewable in compare view

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

Commits

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Updates nanoid from 3.3.7 to 3.3.8

Changelog

Sourced from nanoid's changelog.

3.3.8

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

Commits

• 3044cd5 Release 3.3.8 version
• 4fe3495 Update size limit
• d643045 Fix pool pollution, infinite loop (#510)
• See full diff in compare view

Updates rollup from 2.79.1 to 2.79.2

Release notes

Sourced from rollup's releases.

v.2.79.2

2.79.2

2024-09-26

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

• #5671: Fix DOM Clobbering CVE (@​lukastaegert)

Changelog

Sourced from rollup's changelog.

2.79.2

2024-09-26

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

• #5671: Fix DOM Clobbering CVE (@​lukastaegert)

3.29.5

2024-09-21

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

• #5671: Fix DOM Clobbering CVE (@​lukastaegert)

4.22.4

2024-09-21

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

• #5670: refactor: Use object.prototype to check for reserved properties (@​YuHyeonWook)
• #5671: Fix DOM Clobbering CVE (@​lukastaegert)

4.22.3

2024-09-21

Bug Fixes

• Ensure that mutations in modules without side effects are observed while properly handling transitive dependencies (#5669)

Pull Requests

• #5669: Ensure impure dependencies of pure modules are added (@​lukastaegert)

4.22.2

... (truncated)

Commits

• c9bd03d 2.79.2
• 48aef33 fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2) (#5677)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[semanticdiff-com]

Review changes with  

Changed Files

File	Status
package-lock.json	Unsupported file format
package.json	0% smaller

[snyk-io]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)