Bump the npm_and_yarn group across 6 directories with 5 updates

[dependabot]

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package	From	To
webpack-dev-server	5.2.0	5.2.1
http-proxy-middleware	2.0.7	2.0.9
hono	4.7.5	4.9.7
axios	1.8.4	1.12.0
mermaid	11.6.0	11.10.0

Bumps the npm_and_yarn group with 1 update in the /crates/rustbolt_resolver directory: axios.
Bumps the npm_and_yarn group with 1 update in the /crates/rustbolt_resolver/fixtures/pnpm directory: axios.
Bumps the npm_and_yarn group with 1 update in the /packages/rustbolt-dev-server directory: webpack-dev-server.
Bumps the npm_and_yarn group with 1 update in the /packages/rustbolt directory: webpack-dev-server.
Bumps the npm_and_yarn group with 1 update in the /tests/e2e directory: webpack-dev-server.

Updates webpack-dev-server from 5.2.0 to 5.2.1

Release notes

Sourced from webpack-dev-server's releases.

v5.2.1

5.2.1 (2025-03-26)

Security

• cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
• requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

• prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
• take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

Changelog

Sourced from webpack-dev-server's changelog.

5.2.1 (2025-03-26)

Security

• cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
• requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

• prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
• take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

Commits

• 0d22a08 chore(release): 5.2.1
• 6045b1e chore(deps): update (#5444)
• ffd0b86 fix: take the first network found instead of the last one, this restores the ...
• 9ea7b08 ci: update dependency-review-action (#5442)
• 5c9378b Merge commit from fork
• d2575ad Merge commit from fork
• 8c1abc9 fix: prevent overlay for errors caught by React error boundaries (#5431)
• 5a39c70 ci: update codecov/codecov-action to v5 (#5406)
• 55220a8 chore(deps-dev): bump the dependencies group across 1 directory with 4 update...
• 09f6f8e chore(deps): bump the dependencies group across 1 directory with 2 updates (#...
• See full diff in compare view

Updates http-proxy-middleware from 2.0.7 to 2.0.9

Release notes

Sourced from http-proxy-middleware's releases.

v2.0.9

What's Changed

• fix(fixRequestBody): check readableLength by @​chimurai in chimurai/http-proxy-middleware#1097
• chore(package): v2.0.9 by @​chimurai in chimurai/http-proxy-middleware#1099

Full Changelog: chimurai/http-proxy-middleware@v2.0.8...v2.0.9

v2.0.8

What's Changed

• fix(fixRequestBody): prevent multiple .write() calls by @​chimurai in chimurai/http-proxy-middleware#1090
• fix(fixRequestBody): handle invalid request by @​chimurai in chimurai/http-proxy-middleware#1091
• chore(package): v2.0.8 by @​chimurai in chimurai/http-proxy-middleware#1094

Full Changelog: chimurai/http-proxy-middleware@v2.0.7...v2.0.8

Changelog

Sourced from http-proxy-middleware's changelog.

v2.0.9

• fix(fixRequestBody): check readableLength

v2.0.8

• fix(fixRequestBody): prevent multiple .write() calls
• fix(fixRequestBody): handle invalid request

Commits

• 617a7c9 chore(package): v2.0.9 (#1099)
• d22d587 fix(fixRequestBody): check readableLength (#1097)
• d03d51b chore(package): v2.0.8 (#1094)
• c50dd06 fix(fixRequestBody): handle invalid request (#1091)
• 76a9d8d fix(fixRequestBody): prevent multiple .write() calls (#1090)
• See full diff in compare view

Updates hono from 4.7.5 to 4.9.7

Release notes

Sourced from hono's releases.

v4.9.7

Security

• Fixed an issue in the bodyLimit middleware where the body size limit could be bypassed when both Content-Length and Transfer-Encoding headers were present. If you are using this middleware, please update immediately. Security Advisory

What's Changed

• fix(client): Fix parseResponse not parsing json in react native by @​lr0pb in honojs/hono#4399
• chore: add .tool-versions file by @​3w36zj6 in honojs/hono#4397
• chore: update bun install commands to use --frozen-lockfile by @​3w36zj6 in honojs/hono#4398
• test(jwk): Add tests of JWK token verification by @​buckett in honojs/hono#4402

New Contributors

• @​lr0pb made their first contribution in honojs/hono#4399
• @​buckett made their first contribution in honojs/hono#4402

Full Changelog: honojs/hono@v4.9.6...v4.9.7

v4.9.6

Security

Fixed a bug in URL path parsing (getPath) that could cause path confusion under malformed requests.

If you rely on reverse proxies (e.g. Nginx) for ACLs or restrict access to endpoints like /admin, please update immediately.

See advisory for details: GHSA-9hp6-4448-45g2

What's Changed

• chore: update packages in the router bench by @​yusukebe in honojs/hono#4386
• chore(benchmarks): remove comment-out from router bench by @​yusukebe in honojs/hono#4387

Full Changelog: honojs/hono@v4.9.5...v4.9.6

v4.9.5

What's Changed

• chore: replace supertest with undici by @​BarryThePenguin in honojs/hono#4365
• fix(aws-lambda): preserve percent-encoded values in query strings by @​yusukebe in honojs/hono#4372
• feat(cors): Allow async functions for origin and allowMethods by @​jobrk in honojs/hono#4373
• feat(cors): Correct origin function return type asynchronously returning null or undefined for origin by @​jobrk in honojs/hono#4375
• fix(service-worker): correct args for app.fetch in handle by @​yusukebe in honojs/hono#4374
• fix(language-detector): Detect language from path after getPath changed by @​iflamed in honojs/hono#4369

New Contributors

• @​jobrk made their first contribution in honojs/hono#4373
• @​iflamed made their first contribution in honojs/hono#4369

Full Changelog: honojs/hono@v4.9.4...v4.9.5

v4.9.4

What's Changed

... (truncated)

Commits

• 5ece995 4.9.7
• 605c705 Merge commit from fork
• 6792789 test(jwk): Add tests of JWK token verification (#4402)
• 2f489b3 chore: update bun install commands to use --frozen-lockfile (#4398)
• 9b0a8f5 chore: add .tool-versions file (#4397)
• 5b277d8 fix(client): Fix parseResponse not parsing json in react native (#4399)
• 7f4311c 4.9.6
• 1d79aed Merge commit from fork
• adecab1 chore(benchmarks): remove comment-out from router bench (#4387)
• b3d5b40 chore: update packages in the router bench (#4386)
• Additional commits viewable in compare view

Updates axios from 1.8.4 to 1.12.0

Release notes

Sourced from axios's releases.

Release v1.12.0

Release notes:

Bug Fixes

• adding build artifacts (9ec86de)
• dont add dist on release (a2edc36)
• fetch-adapter: set correct Content-Type for Node FormData (#6998) (a9f47af)
• node: enforce maxContentLength for data: URLs (#7011) (945435f)
• package exports (#5627) (aa78ac2)
• params: removing '[' and ']' from URL encode exclude characters (#3316) (#5715) (6d84189)
• release pr run (fd7f404)
• types: change the type guard on isCancel (#5595) (0dbb7fd)

Features

• adapter: surface low‑level network error details; attach original error via cause (#6982) (78b290c)
• fetch: add fetch, Request, Response env config variables for the adapter; (#7003) (c959ff2)
• support reviver on JSON.parse (#5926) (2a97634), closes #5924
• types: extend AxiosResponse interface to include custom headers type (#6782) (7960d34)

Contributors to this release

• Willian Agostini
• Dmitriy Mozgovoy
• khani
• Ameer Assadi
• Emiedonmokumo Dick-Boro
• Zeroday BYTE
• Jason Saayman
• 최예찬
• Gligor Kotushevski
• Aleksandar Dimitrov

Release v1.11.0

Release notes:

Bug Fixes

• form-data npm pakcage (#6970) (e72c193)
• prevent RangeError when using large Buffers (#6961) (a2214ca)
• types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

• izzy goldman
• Manish Sahani
• Noritaka Kobayashi
• James Nail
• Tejaswi1305

... (truncated)

Changelog

Sourced from axios's changelog.

1.12.0 (2025-09-11)

Bug Fixes

• adding build artifacts (9ec86de)
• dont add dist on release (a2edc36)
• fetch-adapter: set correct Content-Type for Node FormData (#6998) (a9f47af)
• node: enforce maxContentLength for data: URLs (#7011) (945435f)
• package exports (#5627) (aa78ac2)
• params: removing '[' and ']' from URL encode exclude characters (#3316) (#5715) (6d84189)
• release pr run (fd7f404)
• types: change the type guard on isCancel (#5595) (0dbb7fd)

Features

• adapter: surface low‑level network error details; attach original error via cause (#6982) (78b290c)
• fetch: add fetch, Request, Response env config variables for the adapter; (#7003) (c959ff2)
• support reviver on JSON.parse (#5926) (2a97634), closes #5924
• types: extend AxiosResponse interface to include custom headers type (#6782) (7960d34)

Contributors to this release

• Willian Agostini
• Dmitriy Mozgovoy
• khani
• Ameer Assadi
• Emiedonmokumo Dick-Boro
• Zeroday BYTE
• Jason Saayman
• 최예찬
• Gligor Kotushevski
• Aleksandar Dimitrov

1.11.0 (2025-07-22)

Bug Fixes

• form-data npm pakcage (#6970) (e72c193)
• prevent RangeError when using large Buffers (#6961) (a2214ca)
• types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

• izzy goldman
• Manish Sahani
• Noritaka Kobayashi
• James Nail

... (truncated)

Commits

• 0d8ad6e chore(release): v1.12.0 (#7013)
• fd7f404 fix: release pr run
• a2edc36 fix: dont add dist on release
• 9ec86de fix: adding build artifacts
• 945435f fix(node): enforce maxContentLength for data: URLs (#7011)
• 28e5e30 chore(sponsor): update sponsor block (#7005)
• d03f245 chore(CI): fixed release info script to use npm registry instead of git as fi...
• a0bc911 chore: removing dist files from src (#7002)
• c959ff2 feat(fetch): add fetch, Request, Response env config variables for the adapte...
• a9f47af fix(fetch-adapter): set correct Content-Type for Node FormData (#6998)
• Additional commits viewable in compare view

Updates mermaid from 11.6.0 to 11.10.0

Release notes

Sourced from mermaid's releases.

mermaid@11.10.0

Minor Changes

• #6744 daf8d8d Thanks @​SpecularAura! - feat: Added support for per link curve styling in flowchart diagram using edge ids

Patch Changes

• #6857 b9ef683 Thanks @​knsv! - feat: Exposing elk configuration forceNodeModelOrder and considerModelOrder to the mermaid configuration

• #6653 2c0931d Thanks @​darshanr0107! - chore: Remove the "-beta" suffix from the XYChart, Block, Sankey diagrams to reflect their stable status

• #6683 33e08da Thanks @​darshanr0107! - fix: Position the edge label in state diagram correctly relative to the edge

• #6693 814b68b Thanks @​darshanr0107! - fix: Apply correct dateFormat in Gantt chart to show only day when specified

• #6734 fce7cab Thanks @​darshanr0107! - fix: handle exclude dates properly in Gantt charts when using dateFormat: 'YYYY-MM-DD HH:mm:ss'

• #6733 fc07f0d Thanks @​omkarht! - fix: fixed connection gaps in flowchart for roundedRect, stadium and diamond shape

• #6876 12e01bd Thanks @​sidharthv96! - fix: sanitize icon labels and icon SVGs

  Resolves CVE-2025-54880 reported by @​fourcube

• #6801 01aaef3 Thanks @​sidharthv96! - fix: Update casing of ID in requirement diagram

• #6796 c36cd05 Thanks @​HashanCP! - fix: Make flowchart elk detector regex match less greedy

• #6702 8bb29fc Thanks @​qraqras! - fix(block): overflowing blocks no longer affect later lines

  This may change the layout of block diagrams that have overflowing lines (i.e. block diagrams that use up more columns that the columns specifier).

• #6717 71b04f9 Thanks @​darshanr0107! - fix: log warning for blocks exceeding column width

  This update adds a validation check that logs a warning message when a block's width exceeds the defined column layout.

• #6820 c99bce6 Thanks @​kriss-u! - fix: Add escaped class literal name on namespace

• #6332 6cc1926 Thanks @​ajuckel! - fix: Allow equals sign in sequenceDiagram labels

• #6651 9da6fb3 Thanks @​darshanr0107! - Add validation for negative values in pie charts:

  Prevents crashes during parsing by validating values post-parsing.

  Provides clearer, user-friendly error messages for invalid negative inputs.

• #6803 e48b0ba Thanks @​omkarht! - chore: migrate to class-based ArchitectureDB implementation

• #6838 4d62d59 Thanks @​saurabhg772244! - fix: node border style for handdrawn shapes

... (truncated)

Commits

• 96778f7 Merge pull request #6880 from mermaid-js/changeset-release/master
• d4c058b Version Packages
• b638a0a temp: Remove peerDeps from examples
• fd9aa36 chore: Update peerDependencies for examples
• 46a9f1b temp: Disable cspell check as it's blocking release
• 83c6224 Merge pull request #6878 from mermaid-js/develop
• d8161b1 fix: move fourcube to contributor
• 8223141 chore: add fourcube to cspell
• 99f98a6 Merge pull request #6877 from mermaid-js/update-timings
• ef28f54 chore: update E2E timings
• Additional commits viewable in compare view

Updates axios from 1.6.2 to 1.12.0

Release notes

Sourced from axios's releases.

Release v1.12.0

Release notes:

Bug Fixes

• adding build artifacts (9ec86de)
• dont add dist on release (a2edc36)
• fetch-adapter: set correct Content-Type for Node FormData (#6998) (a9f47af)
• node: enforce maxContentLength for data: URLs (#7011) (945435f)
• package exports (#5627) (aa78ac2)
• params: removing '[' and ']' from URL encode exclude characters (#3316) (#5715) (6d84189)
• release pr run (fd7f404)
• types: change the type guard on isCancel (#5595) (0dbb7fd)

Features

• adapter: surface low‑level network error details; attach original error via cause (#6982) (78b290c)
• fetch: add fetch, Request, Response env config variables for the adapter; (#7003) (c959ff2)
• support reviver on JSON.parse (#5926) (2a97634), closes #5924
• types: extend AxiosResponse interface to include custom headers type (#6782) (7960d34)

Contributors to this release

• Willian Agostini
• Dmitriy Mozgovoy
• khani
• Ameer Assadi
• Emiedonmokumo Dick-Boro
• Zeroday BYTE
• Jason Saayman
• 최예찬
• Gligor Kotushevski
• Aleksandar Dimitrov

Release v1.11.0

Release notes:

Bug Fixes

• form-data npm pakcage (#6970) (e72c193)
• prevent RangeError when using large Buffers (#6961) (a2214ca)
• types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

• izzy goldman
• Manish Sahani
• Noritaka Kobayashi
• James Nail
• Tejaswi1305

... (truncated)

Changelog

Sourced from axios's changelog.

1.12.0 (2025-09-11)

Bug Fixes

• adding build artifacts (9ec86de)
• dont add dist on release (a2edc36)
• fetch-adapter: set correct Content-Type for Node FormData (#6998) (a9f47af)
• node: enforce maxContentLength for data: URLs (#7011) (945435f)
• package exports (#5627) (aa78ac2)
• params: removing '[' and ']' from URL encode exclude characters (#3316) (#5715) (6d84189)
• release pr run (fd7f404)
• types: change the type guard on isCancel (#5595) (0dbb7fd)

Features

• adapter: surface low‑level network error details; attach original error via cause (#6982) (78b290c)
• fetch: add fetch, Request, Response env config variables for the adapter; (#7003) (c959ff2)
• support reviver on JSON.parse (#5926) (2a97634), closes #5924
• types: extend AxiosResponse interface to include custom headers type (#6782) (7960d34)

Contributors to this release

• Willian Agostini
• Dmitriy Mozgovoy
• khani
• Ameer Assadi
• Emiedonmokumo Dick-Boro
• Zeroday BYTE
• Jason Saayman
• 최예찬
• Gligor Kotushevski
• Aleksandar Dimitrov

1.11.0 (2025-07-22)

Bug Fixes

• form-data npm pakcage (#6970) (e72c193)
• prevent RangeError when using large Buffers (#6961) (a2214ca)
• types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

• izzy goldman
• Manish Sahani
• Noritaka Kobayashi
• James Nail

... (truncated)

Commits

• 0d8ad6e chore(release): v1.12.0 (#7013)
• fd7f404 fix: release pr run
• a2edc36 fix: dont add dist on release
• 9ec86de fix: adding build artifacts
• 945435f fix(node): enforce maxContentLength for data: URLs (#7011)
• 28e5e30 chore(sponsor): update sponsor block (#7005)
• d03f245 chore(CI): fixed release info script to use npm registry instead of git as fi...
• a0bc911 chore: removing dist files from src (#7002)
• c959ff2 feat(fetch): add fetch, Request, Response env config variables for the adapte...
• a9f47af fix(fetch-adapter): set correct Content-Type for Node FormData (#6998)
• Additional commits viewable in compare view

Updates axios from 1.6.2 to 1.12.0

Release notes

Sourced from axios's releases.

Release v1.12.0

Release notes:

Bug Fixes

• adding build artifacts (9ec86de)
• dont add dist on release (a2edc36)
• fetch-adapter: set correct Content-Type for Node FormData (#6998) (a9f47af)
• node: enforce maxContentLength for data: URLs (#7011) (945435f)
• package exports (#5627) (aa78ac2)
• params: removing '[' and ']' from URL encode exclude characters (#3316) (#5715) (6d84189)
• release pr run (fd7f404)
• types: change the type guard on isCancel (#5595) (0dbb7fd)

Features

• adapter: surface low‑level network error details; attach original error via cause (#6982) (78b290c)
• fetch: add fetch, Request, Response env config variables for the adapter; (#7003) (c959ff2)
• support reviver on JSON.parse (#5926) (2a97634), closes #5924
• types: extend AxiosResponse interface to include custom headers type (#6782) (7960d34)

Contributors to this release

• Willian Agostini
• Dmitriy Mozgovoy
• khani
• Ameer Assadi
• Emiedonmokumo Dick-Boro
• Zeroday BYTE
• Jason Saayman
• 최예찬
• Gligor Kotushevski
• Aleksandar Dimitrov

Release v1.11.0

Release notes:

Bug Fixes

• form-data npm pakcage (#6970) (e72c193)
• prevent RangeError when using large Buffers (#6961) (a2214ca)
• types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

• izzy goldman
• Manish Sahani

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dependabot]

Superseded by #6.