@dependabot dependabot bot commented on behalf of github Dec 15, 2025

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| pnpm | 9.12.0 | 10.0.0 |
| next | 15.2.7 | 15.4.10 |
| vite-plugin-static-copy | 3.1.0 | 3.1.2 |
| axios | 1.10.0 | 1.12.0 |
| js-yaml | 4.1.0 | 4.1.1 |
| mermaid | 11.9.0 | 11.10.0 |

Bumps the npm_and_yarn group with 1 update in the /examples/internal/_template/typescript-demo directory: next.
Bumps the npm_and_yarn group with 2 updates in the /integ-tests/react directory: next and js-yaml.
Bumps the npm_and_yarn group with 1 update in the /typescript/apps/fiddle-web-app directory: next.
Bumps the npm_and_yarn group with 1 update in the /typescript/apps/sage-backend directory: next.
Bumps the npm_and_yarn group with 1 update in the /typescript/apps/vscode-ext directory: axios.
Bumps the npm_and_yarn group with 1 update in the /typescript/packages/nextjs-plugin directory: next.
Bumps the npm_and_yarn group with 1 update in the /typescript/packages/ui directory: next.

Updates pnpm from 9.12.0 to 10.0.0

Release notes

Sourced from pnpm's releases.

pnpm 10

Major Changes

  • Lifecycle scripts of dependencies are not executed during installation by default! This is a breaking change aimed at increasing security. In order to allow lifecycle scripts of specific dependencies, they should be listed in the pnpm.onlyBuiltDependencies field of package.json #8897. For example:

    {
      "pnpm": {
        "onlyBuiltDependencies": ["fsevents"]
      }
    }

    Read pnpm 10.0.0 Blocks Lifecycle Scripts by Default to learn about the motivation of the change.

    If you want the old pre v10 behaviour, so you want to allow all dependencies to run postinstall scripts, then add this to your package.json:

    {
      "pnpm": {
        "neverBuiltDependencies": []
      }
    }
  • pnpm link behavior updated:

    The pnpm link command now adds overrides to the root package.json.

    • In a workspace: The override is added to the root of the workspace, linking the dependency to all projects in the workspace.
    • Global linking: To link a package globally, run pnpm link from the package’s directory. Previously, you needed to use pnpm link -g. Related PR: #8653
  • Secure hashing with SHA256:

    Various hashing algorithms have been updated to SHA256 for enhanced security and consistency:

    • Long paths inside node_modules/.pnpm are now hashed with SHA256.
    • Long peer dependency hashes in the lockfile now use SHA256 instead of MD5. (This affects very few users since these are only used for long keys.)
    • The hash stored in the packageExtensionsChecksum field of pnpm-lock.yaml is now SHA256.
    • The side effects cache keys now use SHA256.
    • The pnpmfile checksum in the lockfile now uses SHA256 (#8530).
    • The patch file checksums in the lockfile now use SHA256.
  • Configuration updates:

    • manage-package-manager-versions: enabled by default. pnpm now manages its own version based on the packageManager field in package.json by default.

    • public-hoist-pattern: nothing is hoisted by default. Packages containing eslint or prettier in their name are no longer hoisted to the root of node_modules. Related Issue: #8378

... (truncated)

Changelog

Sourced from pnpm's changelog.

10.0.0

Major Changes

  • Lifecycle scripts of dependencies are not executed during installation by default! This is a breaking change aimed at increasing security. In order to allow lifecycle scripts of specific dependencies, they should be listed in the pnpm.onlyBuiltDependencies field of package.json #8897. For example:

    {
      "pnpm": {
        "onlyBuiltDependencies": ["fsevents"]
      }
    }
  • pnpm link behavior updated:

    The pnpm link command now adds overrides to the root package.json.

    • In a workspace: The override is added to the root of the workspace, linking the dependency to all projects in the workspace.
    • Global linking: To link a package globally, run pnpm link from the package’s directory. Previously, you needed to use pnpm link -g. Related PR: #8653
  • Secure hashing with SHA256:

    Various hashing algorithms have been updated to SHA256 for enhanced security and consistency:

    • Long paths inside node_modules/.pnpm are now hashed with SHA256.
    • Long peer dependency hashes in the lockfile now use SHA256 instead of MD5. (This affects very few users since these are only used for long keys.)
    • The hash stored in the packageExtensionsChecksum field of pnpm-lock.yaml is now SHA256.
    • The side effects cache keys now use SHA256.
    • The pnpmfile checksum in the lockfile now uses SHA256 (#8530).
  • Configuration updates:

    • manage-package-manager-versions: enabled by default. pnpm now manages its own version based on the packageManager field in package.json by default.

    • public-hoist-pattern: nothing is hoisted by default. Packages containing eslint or prettier in their name are no longer hoisted to the root of node_modules. Related Issue: #8378

    • Upgraded @yarnpkg/extensions to v2.0.3. This may alter your lockfile.

    • virtual-store-dir-max-length: the default value on Windows has been reduced to 60 characters.

    • Reduced environment variables for scripts: During script execution, fewer npm_package_* environment variables are set. Only name, version, bin, engines, and config remain. Related Issue: #8552

    • All dependencies are now installed even if NODE_ENV=production. Related Issue: #8827

  • Changes to the global store:

    • Store version bumped to v10.

... (truncated)

Commits
  • 42ecf04 chore(release): 10.0.0
  • c0c63ef docs: update years
  • dde650b fix: ensure that recursive pnpm update --latest <pkg> updates only the spec...
  • c5080de chore(release): 10.0.0-rc.3
  • cc3bbc9 fix: don't load side-effects cache for packages that are not allowed to be bu...
  • 12aebe2 docs: README add Bluesky link (#8937)
  • 9591a18 feat: configurational dependencies (#8915)
  • 52204d5 chore: pd should not switch to another version of pnpm (#8930)
  • c7eefdd fix: pnpm update --filter --latest should only change relevant packages and...
  • e103abe chore(release): 10.0.0-rc.2
  • Additional commits viewable in compare view

Updates next from 15.2.7 to 15.4.10

Release notes

Sourced from next's releases.

v15.4.10

Please see the Next.js Security Update for information about this security patch.

v15.4.8

Please see CVE-2025-66478 for additional details about this release.

v15.3.8

Please see the Next.js Security Update for information about this security patch.

v15.3.6

Please see CVE-2025-66478 for additional details about this release.

v15.2.8

Please see the Next.js Security Update for information about this security patch.

Commits

Updates vite-plugin-static-copy from 3.1.0 to 3.1.2

Release notes

Sourced from vite-plugin-static-copy's releases.

vite-plugin-static-copy@3.1.2

Patch Changes

vite-plugin-static-copy@3.1.1

Patch Changes

  • #186 fc84156 Thanks @sapphi-red! - fix a bug that the content was not sent when multiple vite-plugin-static-copy instance was used

Changelog

Sourced from vite-plugin-static-copy's changelog.

3.1.2

Patch Changes

3.1.1

Patch Changes

  • #186 fc84156 Thanks @sapphi-red! - fix a bug that the content was not sent when multiple vite-plugin-static-copy instance was used

Commits
  • edab809 chore: update versions (#196)
  • 0bc6b49 fix: only serve files under src (#195)
  • 1489507 ci: run release against v* branches
  • 5cfb90c docs: Add DEBUG section to README for vite:plugin-static-copy logging (#192)
  • a80b108 test: use previewServer.close
  • 32aee5c chore: update versions (#187)
  • cd3f085 test: quickly timeout keep-alive (#189)
  • ffba50a chore: use builtin fetch (#188)
  • fc84156 fix: inject middleware correctly when there's multiple plugin instances (#186)
  • ff6630c fix(deps): update all non-major dependencies (#181)
  • Additional commits viewable in compare view

Updates axios from 1.10.0 to 1.12.0

Release notes

Sourced from axios's releases.

Release v1.12.0

Release notes:

Bug Fixes

Features

  • adapter: surface low‑level network error details; attach original error via cause (#6982) (78b290c)
  • fetch: add fetch, Request, Response env config variables for the adapter; (#7003) (c959ff2)
  • support reviver on JSON.parse (#5926) (2a97634), closes #5924
  • types: extend AxiosResponse interface to include custom headers type (#6782) (7960d34)

Contributors to this release

Release v1.11.0

Release notes:

Bug Fixes

  • form-data npm package (#6970) (e72c193)
  • prevent RangeError when using large Buffers (#6961) (a2214ca)
  • types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

Changelog

Sourced from axios's changelog.

1.12.0 (2025-09-11)

Bug Fixes

Features

  • adapter: surface low‑level network error details; attach original error via cause (#6982) (78b290c)
  • fetch: add fetch, Request, Response env config variables for the adapter; (#7003) (c959ff2)
  • support reviver on JSON.parse (#5926) (2a97634), closes #5924
  • types: extend AxiosResponse interface to include custom headers type (#6782) (7960d34)

Contributors to this release

1.11.0 (2025-07-22)

Bug Fixes

  • form-data npm package (#6970) (e72c193)
  • prevent RangeError when using large Buffers (#6961) (a2214ca)
  • types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

... (truncated)

Commits
  • 0d8ad6e chore(release): v1.12.0 (#7013)
  • fd7f404 fix: release pr run
  • a2edc36 fix: dont add dist on release
  • 9ec86de fix: adding build artifacts
  • 945435f fix(node): enforce maxContentLength for data: URLs (#7011)
  • 28e5e30 chore(sponsor): update sponsor block (#7005)
  • d03f245 chore(CI): fixed release info script to use npm registry instead of git as fi...
  • a0bc911 chore: removing dist files from src (#7002)
  • c959ff2 feat(fetch): add fetch, Request, Response env config variables for the adapte...
  • a9f47af fix(fetch-adapter): set correct Content-Type for Node FormData (#6998)
  • Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.

Commits

Updates mermaid from 11.9.0 to 11.10.0

Release notes

Sourced from mermaid's releases.

mermaid@11.10.0

Minor Changes

Patch Changes

... (truncated)

Commits
  • 96778f7 Merge pull request #6880 from mermaid-js/changeset-release/master
  • d4c058b Version Packages
  • b638a0a temp: Remove peerDeps from examples
  • fd9aa36 chore: Update peerDependencies for examples
  • 46a9f1b temp: Disable cspell check as it's blocking release
  • 83c6224 Merge pull request #6878 from mermaid-js/develop
  • d8161b1 fix: move fourcube to contributor
  • 8223141 chore: add fourcube to cspell
  • 99f98a6 Merge pull request #6877 from mermaid-js/update-timings
  • ef28f54 chore: update E2E timings
  • Additional commits viewable in compare view

Updates next from 16.0.9 to 16.0.10

Updates next from 15.2.7 to 15.4.10

Updates js-yaml from 4.1.0 to 4.1.1

Updates next from 15.4.9 to 15.4.10

Updates next from 15.4.9 to 15.4.10

Updates axios from 1.10.0 to 1.12.0

…updates

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [pnpm](https://github.com/pnpm/pnpm/tree/HEAD/pnpm) | `9.12.0` | `10.0.0` |
| [next](https://github.com/vercel/next.js) | `15.2.7` | `15.4.10` |
| [vite-plugin-static-copy](https://github.com/sapphi-red/vite-plugin-static-copy) | `3.1.0` | `3.1.2` |
| [axios](https://github.com/axios/axios) | `1.10.0` | `1.12.0` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` |
| [mermaid](https://github.com/mermaid-js/mermaid) | `11.9.0` | `11.10.0` |

Bumps the npm_and_yarn group with 1 update in the /examples/internal/_template/typescript-demo directory: [next](https://github.com/vercel/next.js).
Bumps the npm_and_yarn group with 2 updates in the /integ-tests/react directory: [next](https://github.com/vercel/next.js) and [js-yaml](https://github.com/nodeca/js-yaml).
Bumps the npm_and_yarn group with 1 update in the /typescript/apps/fiddle-web-app directory: [next](https://github.com/vercel/next.js).
Bumps the npm_and_yarn group with 1 update in the /typescript/apps/sage-backend directory: [next](https://github.com/vercel/next.js).
Bumps the npm_and_yarn group with 1 update in the /typescript/apps/vscode-ext directory: [axios](https://github.com/axios/axios).
Bumps the npm_and_yarn group with 1 update in the /typescript/packages/nextjs-plugin directory: [next](https://github.com/vercel/next.js).
Bumps the npm_and_yarn group with 1 update in the /typescript/packages/ui directory: [next](https://github.com/vercel/next.js).


Updates `pnpm` from 9.12.0 to 10.0.0
- [Release notes](https://github.com/pnpm/pnpm/releases)
- [Changelog](https://github.com/pnpm/pnpm/blob/main/pnpm/CHANGELOG.md)
- [Commits](https://github.com/pnpm/pnpm/commits/v10.0.0/pnpm)

Updates `next` from 15.2.7 to 15.4.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.2.7...v15.4.10)

Updates `vite-plugin-static-copy` from 3.1.0 to 3.1.2
- [Release notes](https://github.com/sapphi-red/vite-plugin-static-copy/releases)
- [Changelog](https://github.com/sapphi-red/vite-plugin-static-copy/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sapphi-red/vite-plugin-static-copy/compare/vite-plugin-static-copy@3.1.0...vite-plugin-static-copy@3.1.2)

Updates `axios` from 1.10.0 to 1.12.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.10.0...v1.12.0)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `mermaid` from 11.9.0 to 11.10.0
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.9.0...mermaid@11.10.0)

Updates `next` from 16.0.9 to 16.0.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.2.7...v15.4.10)

Updates `next` from 15.2.7 to 15.4.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.2.7...v15.4.10)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `next` from 15.4.9 to 15.4.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.2.7...v15.4.10)

Updates `next` from 15.4.9 to 15.4.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.2.7...v15.4.10)

Updates `axios` from 1.10.0 to 1.12.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.10.0...v1.12.0)

Updates `next` from 15.3.7 to 15.4.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.2.7...v15.4.10)

Updates `next` from 15.3.7 to 15.4.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.2.7...v15.4.10)

---
updated-dependencies:
- dependency-name: pnpm
  dependency-version: 10.0.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.4.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vite-plugin-static-copy
  dependency-version: 3.1.2
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 1.12.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: mermaid
  dependency-version: 11.10.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 16.0.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.4.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.4.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.4.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 1.12.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.4.10
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.4.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
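
A check a reviewer could run before merging the pnpm 10 bump quoted in this pull request, as an added example (not code from pnpm or from this repository): it lists which installed packages declare install-time scripts and whether the `pnpm.onlyBuiltDependencies` allowlist lets them run. The function name, the sample manifests and the choice of `preinstall`/`install`/`postinstall` as the hooks checked are assumptions.

```javascript
'use strict';

// Assumption: these are the script names treated as install-time lifecycle hooks.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// rootManifest: parsed root package.json.
// installedManifests: parsed package.json of every installed dependency.
function auditBuildScripts(rootManifest, installedManifests) {
  const cfg = (rootManifest && rootManifest.pnpm) || {};
  const allowlist = new Set(cfg.onlyBuiltDependencies || []);
  // The release notes state that "neverBuiltDependencies": [] restores the
  // pre-v10 behaviour, i.e. every dependency may run its scripts again.
  const legacyOptOut =
    Array.isArray(cfg.neverBuiltDependencies) &&
    cfg.neverBuiltDependencies.length === 0;

  const report = { legacyOptOut, willRun: [], blocked: [], unusedAllowlistEntries: [] };
  const scripted = new Set();

  for (const manifest of installedManifests) {
    const scripts = manifest.scripts || {};
    // Ignore hooks that are missing or contain only whitespace.
    const hooks = INSTALL_HOOKS.filter(
      (hook) => typeof scripts[hook] === 'string' && scripts[hook].trim() !== ''
    );
    if (hooks.length === 0) continue;

    scripted.add(manifest.name);
    const finding = {
      name: manifest.name,
      version: manifest.version,
      // Keep the command text so a reviewer can read what would execute.
      hooks: hooks.map((hook) => ({ hook, command: scripts[hook] })),
    };
    const runs = legacyOptOut || allowlist.has(manifest.name);
    (runs ? report.willRun : report.blocked).push(finding);
  }

  // Allowlist entries that match no scripted package are stale and should be
  // removed so they cannot silently grant execution to a future package.
  report.unusedAllowlistEntries = [...allowlist]
    .filter((name) => !scripted.has(name))
    .sort();
  return report;
}

// Constructed sample data (not taken from the repository in this pull request).
const ROOT_MANIFEST = {
  name: 'sample-workspace',
  pnpm: { onlyBuiltDependencies: ['fsevents', 'example-removed-dep'] },
};
const INSTALLED = [
  { name: 'fsevents', version: '0.0.0-sample', scripts: { install: 'node-gyp rebuild' } },
  { name: 'example-native-addon', version: '1.0.0', scripts: { postinstall: 'node build.js' } },
  { name: 'example-telemetry', version: '2.3.1', scripts: { preinstall: 'node collect.js', test: 'jest' } },
  { name: 'example-pure-js', version: '4.0.0', scripts: { test: 'node test.js' } },
  { name: 'example-empty-hook', version: '1.0.0', scripts: { postinstall: '   ' } },
];

console.log(JSON.stringify(auditBuildScripts(ROOT_MANIFEST, INSTALLED), null, 2));
```

Packages reported under `blocked` will install without running their scripts under pnpm 10; each one needs a decision to either add it to `onlyBuiltDependencies` after reading the command, or leave it blocked.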
dependabot bot added the dependencies and javascript labels Dec 15, 2025
vercel bot commented Dec 15, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
promptfiddle Error Error Dec 15, 2025 9:57pm

dependabot bot commented on behalf of github Dec 19, 2025

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

9 similar comments

  • dependabot bot commented on behalf of github Dec 19, 2025
  • dependabot bot commented on behalf of github Dec 20, 2025
  • dependabot bot commented on behalf of github Dec 22, 2025
  • dependabot bot commented on behalf of github Dec 23, 2025
  • dependabot bot commented on behalf of github Dec 31, 2025
  • dependabot bot commented on behalf of github Jan 10, 2026
  • dependabot bot commented on behalf of github Jan 12, 2026
  • dependabot bot commented on behalf of github Jan 12, 2026
  • dependabot bot commented on behalf of github Jan 13, 2026
