Sourced from dompurify's releases.

DOMPurify 3.4.0

Most relevant changes:

• Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
• Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
• Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
• Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
• Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
• Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
• Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth
• Fixed an issue with USE_PROFILES prototype pollution, thanks @​christos-eth
• Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @​researchatfluidattacks and others
• Fixed an issue with closing tags leading to possible mXSS, thanks @​frevadiscor
• Fixed a problem with the type dentition patcher after Node version bump
• Fixed freezing BS runs by reducing the tested browsers array
• Bumped several dependencies where possible
• Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

• 5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
• See full diff in compare view

Sourced from marked's releases.

v18.0.2

18.0.2 (2026-04-18)

Bug Fixes

• fix infinite loop for indented code blank line (#3947) (58a52e8)

v18.0.1

18.0.1 (2026-04-17)

Bug Fixes

• rules: ensure lookbehind regex is evaluated correctly by minifiers (#3945) (abd907a)

• c4f4529 chore(release): 18.0.2 [skip ci]
• 58a52e8 fix: fix infinite loop for indented code blank line (#3947)
• 98b3824 chore(release): 18.0.1 [skip ci]
• abd907a fix(rules): ensure lookbehind regex is evaluated correctly by minifiers (#3945)
• 96351c4 chore(deps-dev): bump marked-highlight from 2.2.3 to 2.2.4 (#3946)
• c132699 chore: update testutils (#3942)
• See full diff in compare view

Sourced from react-router's releases.

v7.14.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7141

Sourced from react-router's changelog.

v7.14.1

Patch Changes

• Fix a potential race condition that can occur when rendering a HydrateFallback and initial loaders land before the router.subscribe call happens in the RouterProvider layout effect
• Normalize double-slashes in redirect paths

• 197674b Release 7.14.1 (#14973)
• 583fcce Merge branch 'main' into release
• 05f80c8 Migrate changesets files to .changes files
• a87774f Add new release process (#14916)
• f6d1268 Add new release process (#14916)
• 4547c80 Fix rendering/router.subscribe race condition during hydration (#14497)
• f7a0130 Consolidate slash handling (#14962)
• b768d62 Update redirect docs with note on validation
• 80c67a9 chore: format
• 201cd41 chore: format
• See full diff in compare view

Sourced from shadcn's releases.

[email protected]

Patch Changes

• #10436 b7cfc364aca36bc90f8efa86773bc81011502036 Thanks @​shadcn! - Ensure init only runs template post-init hooks for newly created projects.

• #10179 d00605c5fb5fe3cfbcb68cea65398430cdd819f8 Thanks @​EthanThatOneKid! - Send Accept: application/vnd.shadcn.v1+json, application/json;q=0.9 and User-Agent: shadcn on registry fetches so servers using HTTP content negotiation can reliably serve JSON to the CLI. Fixes #10164.

[email protected]

Minor Changes

• #10416 101741046813622d48c081dfc19c40d0aa76484b Thanks @​shadcn! - add style sera

Sourced from shadcn's changelog.

4.3.1

Patch Changes

• #10436 b7cfc364aca36bc90f8efa86773bc81011502036 Thanks @​shadcn! - Ensure init only runs template post-init hooks for newly created projects.

• #10179 d00605c5fb5fe3cfbcb68cea65398430cdd819f8 Thanks @​EthanThatOneKid! - Send Accept: application/vnd.shadcn.v1+json, application/json;q=0.9 and User-Agent: shadcn on registry fetches so servers using HTTP content negotiation can reliably serve JSON to the CLI. Fixes #10164.

4.3.0

Minor Changes

• #10416 101741046813622d48c081dfc19c40d0aa76484b Thanks @​shadcn! - add style sera

• 3411d53 chore(release): version packages
• f632f5d feat: rename header
• 7d6d489 Merge branch 'main' into fix/accept-header-issue-10164
• de385d0 fix: ensure git init runs for new projects only
• 97b9e7b chore(release): version packages
• 6ba39bb fix
• 2be9640 feat: build registry
• 2f57100 feat: init
• 6525227 fix(cli): add Accept and User-Agent headers to support content negotiation (f...
• See full diff in compare view

Sourced from vite's releases.

v8.0.9

Please refer to CHANGELOG.md for details.

Sourced from vite's changelog.

8.0.9 (2026-04-20)

Features

• update rolldown to 1.0.0-rc.16 (#22248) (2947edd)

Bug Fixes

• allow binding when strictPort is set but wildcard port is in use (#22150) (dfc8aa5)
• build: emptyOutDir should happen for watch rebuilds (#22207) (ee52267)
• bundled-dev: reject requests to HMR patch files in non potentially trustworthy origins (#22269) (868f141)
• css: use unique key for cssEntriesMap to prevent same-basename collision (#22039) (374bb5d)
• deps: update all non-major dependencies (#22219) (4cd0d67)
• deps: update all non-major dependencies (#22268) (c28e9c1)
• detect Deno workspace root (fix #22237) (#22238) (1b793c0)
• dev: handle errors in watchChange hook (#22188) (fc08bda)
• optimizer: handle more chars that will be sanitized (#22208) (3f24533)
• skip fallback sourcemap generation for ?raw imports (#22148) (3ec9cda)

Documentation

• align the descriptions in READMEs (#22231) (44c42b9)
• fix reuses wording in dev environment comment (#22173) (9163412)
• fix wording in sass error comment (#22214) (bc5c6a7)
• update build CLI defaults (#22261) (605bb97)

Miscellaneous Chores

• deps: update dependency dotenv-expand to v13 (#22271) (0a3887d)

• ce729f5 release: v8.0.9
• 605bb97 docs: update build CLI defaults (#22261)
• c28e9c1 fix(deps): update all non-major dependencies (#22268)
• 0a3887d chore(deps): update dependency dotenv-expand to v13 (#22271)
• 868f141 fix(bundled-dev): reject requests to HMR patch files in non potentially trust...
• 3ec9cda fix: skip fallback sourcemap generation for ?raw imports (#22148)
• 3f24533 fix(optimizer): handle more chars that will be sanitized (#22208)
• 1b793c0 fix: detect Deno workspace root (fix #22237) (#22238)
• fc08bda fix(dev): handle errors in watchChange hook (#22188)
• 374bb5d fix(css): use unique key for cssEntriesMap to prevent same-basename collision...
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions