chore(deps): bump dompurify from 3.4.3 to 3.4.11 in /docs#151
Closed
dependabot[bot] wants to merge 1 commit into
Closed
chore(deps): bump dompurify from 3.4.3 to 3.4.11 in /docs#151dependabot[bot] wants to merge 1 commit into
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.4.3 to 3.4.11. - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.4.3...3.4.11) --- updated-dependencies: - dependency-name: dompurify dependency-version: 3.4.11 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Contributor
|
Superseded by #160, which consolidates this update with the other pending dependency bumps into a single build- and test-validated PR. Closing in favor of that. |
Contributor
Author
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
jung-thomas
added a commit
that referenced
this pull request
Jul 11, 2026
* chore(deps): consolidate dependency updates across subprojects Supersedes the 9 open Dependabot PRs (#146, #147, #148, #149, #151, #152, #153, #156, #157) with one validated update. Direct-dep bumps plus lockfile refreshes that absorb the transitive updates; each subproject's build and test suite was run to confirm the majors are safe. vscode-extension: - @vscode/vsce 2.32 -> 3.9.2 (major), esbuild 0.25 -> 0.28.1 (#147, #149) - transitives via lockfile: markdown-it 12->14, js-yaml 4.3, form-data 4.0.6, undici 7.28, tmp 0.2.7 (#146, #152, #153, #157) - Verified: compile + esbuild bundle + `vsce package` succeed; the .vsix stays self-contained (webview assets present, zero native binaries). app/vue: - vite 6.3 -> 8.1.4 (two majors), @vitejs/plugin-vue 5.2 -> 6.0.7 (major), echarts 6.0 -> 6.1 (#148, #156) - Verified: 46 vitest tests pass; `build` and `build:vscode` succeed and emit the webview assets consumed by the extension .vsix. docs: - dompurify 3.4.3 -> 3.4.11 via lockfile (transitive under mermaid) (#151) - Verified: `docs:build` succeeds. Root `test:ci` (550 passing) and `lint` remain green. Pre-existing app/vue advisories (xlsx, dompurify-via-monaco) are untouched — out of scope and only resolvable with breaking `audit fix --force`. * chore(deps): upgrade to CAP 10 (@sap/cds 10) + cds-10-native cap-js drivers Completes the CAP 10 migration on top of the consolidated dependency update. The project's prior pre-work (compat flags already set to CAP 10 targets: legacyLocking=false, ieee754compatible=true, compat_srv_getters=false, compat_texts_entities=false) meant no runtime code changes were required. - @sap/cds ^9.9.0 -> ^10.0.3 - @cap-js/hana 2.8 -> 3.0.1, @cap-js/sqlite 2.4 -> 3.0.2, @cap-js/postgres 2.3 -> 3.0.1, @cap-js/telemetry 1.6 -> 2.0.1 (the 3.x/2.x majors declare `peer @sap/cds ^10`) - Remove @sap/cds-hana: its cds-plugin throws "incompatible with @sap/cds version 9 and higher — use @cap-js/hana instead". Unused in source; @cap-js/hana already covers HANA connectivity. - esbuild: mark generic-pool external — it's an OPTIONAL peer of @cap-js/db-service@3 whose require() is guarded behind the legacy pool path (CAP 10 uses the built-in pool), and it's not installed. Audit: no CAP 10 breaking-change surface in source — no CAP req.params (the one req.params is an Express route param), no ASSERT_MANDATORY matching, no draft SAVE handlers, no @requires/req.user relying on skipped local checks. Bonus: @cap-js/sqlite@3 makes better-sqlite3 an optional peer, so the native binary is no longer installed at all — reinforcing the OS-portable .vsix. Verified on CAP 10.0.3: - root test:ci 550 passing; database+connection utils 50 passing; lint clean - `cds compile` produces SQL; runtime SELECT via node:sqlite works, better-sqlite3 never loads - extension bundles + packages: 352 webview assets, 0 native binaries * chore(deps): refresh lockfiles for in-range patch/minor updates `npm update` sweep across all projects to pull patch/minor bumps that sit within existing semver ranges (no package.json changes needed): - root: @cap-js-community/odata-v2-adapter 1.16, @wdio/* 9.29.1, chromedriver 150.0.3, eslint 10.6, terminal-kit 3.1.3, webdriverio, @types/node, hdb 2.29, sap-hdb-promisfied (lockfile only) - docs: vue 3.5.39, @agentmarkup/vite 0.5.2 (56 transitive packages) - app/vue, vscode-extension: already at wanted versions Verified: root test:ci 550 passing, lint clean, docs:build and app/vue vitest (46) green. * chore(deps): upgrade TypeScript to 7 in vscode-extension and mcp-server TypeScript 7.0 (the native compiler) builds both plain-tsc projects cleanly: - vscode-extension: ^5.7 -> ^7.0.2 (compile, pretest, esbuild bundle all pass) - mcp-server: ^6.0.2 -> ^7.0.2 (tsc build passes) Regenerated mcp-server/build/ (committed output): only .d.ts and .js.map files change — TS 7 emits single quotes in declarations. Zero runtime .js changes; no behavior difference. app/vue is intentionally NOT upgraded: vue-tsc@2 does `require('typescript/lib/tsc')`, a subpath TS 7 removed from its exports map (ERR_PACKAGE_PATH_NOT_EXPORTED). It needs vue-tsc@3 first — tracked in the Group B follow-up issue. app/vue stays on TS 5.9 (within its ^5.7 range). --------- Co-authored-by: Thomas Jung <12159356+jung-thomas@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps dompurify from 3.4.3 to 3.4.11.
Release notes
Sourced from dompurify's releases.
... (truncated)
Commits
0cae518release: 3.4.11 (#1494)6ee5716release: 3.4.10 (#1478)5210247release: 3.4.9 (#1459)bcdd828release: 3.4.8 (#1439)ca30f07release: 3.4.7 (#1414)bb7739erelease: 3.4.6 (#1394)011b0c7release: 3.4.5 (#1382)5817ad9release: 3.4.4 (#1374)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.