Bump the npm-security group across 1 directory with 3 updates by dependabot[bot] · Pull Request #2387 · shakacode/react_on_rails

dependabot · 2026-02-09T06:20:57Z

Bumps the npm-security group with 3 updates in the / directory: fastify, lodash and webpack.

Updates fastify from 5.6.2 to 5.7.3

Release notes

v5.7.3

⚠️ Security Release

Fix GHSA-mrq3-vjjr-p77c CVE-2026-25224.

What's Changed

docs: update Reply.send() documentation for string serialization by @mcollina in fastify/fastify#6466

chore: ignore agents config files by @mcollina in fastify/fastify#6474

docs: update vulnerability reporting to use GitHub Security by @mcollina in fastify/fastify#6475

Full Changelog: fastify/fastify@v5.7.2...v5.7.3

v5.7.2

⚠️ Notice ⚠️

Parsing of the content-type header has been improved to a strict parser in PR #6414. This means only header values in the form described in RFC 9110 are accepted.

What's Changed

chore: npm ignore AI related files by @climba03003 in fastify/fastify#6447

chore: update sponsor url by @Eomm in fastify/fastify#6450

docs: add fastify-http-exceptions to Ecosystem.md by @bhouston in fastify/fastify#6442

docs: fix invalid shorten form schema example by @climba03003 in fastify/fastify#6448

docs: Simplify and tighten decorators example by @smith558 in fastify/fastify#6451

docs: Fix incorrect variable use by @smith558 in fastify/fastify#6455

chore: update sponsor link by @Eomm in fastify/fastify#6460

fix: Fix MIT Licence file to conform to standard by @smith558 in fastify/fastify#6464

docs: move querystringParser option under routerOptions by @inyourtime in fastify/fastify#6463

chore: Updated content-type header parsing by @jsumners in fastify/fastify#6414

New Contributors

@bhouston made their first contribution in fastify/fastify#6442

Full Changelog: fastify/fastify@v5.7.1...v5.7.2

v5.7.1

What's Changed

chore: Bump actions/checkout from 5 to 6 by @dependabot[bot] in fastify/fastify#6434

chore: updated version in the fastify.js by @Tony133 in fastify/fastify#6446

Full Changelog: fastify/fastify@v5.7.0...v5.7.1

v5.7.0

What's Changed

docs: Improved firebase serverless guide about process remaining stuck by @alexandercerutti in fastify/fastify#6380

docs: update migration guide with date-time breaking change by @craftsman01 in fastify/fastify#6110

chore: remove test file by @Eomm in fastify/fastify#6384

feat: speed up loading with custom compiler by @Eomm in fastify/fastify#6383

docs: replace all instances of twitter.com with x.com by @cseas in fastify/fastify#6355

... (truncated)

Commits

49468ed Bumped v5.7.3
eb11156 Merge commit from fork
d98ce2a docs: update vulnerability reporting to use GitHub Security (#6475)
17172c4 Ignore agents config files (#6474)
b48826f docs: update Reply.send() documentation for string serialization (#6466)
e1e4fe7 v5.7.2
32d7b6a chore: Updated content-type header parsing (#6414)
f4a6ac1 docs: move querystringParser example under routerOptions (#6463)
2af83d6 fix: Fix MIT Licence file to conform to standard (#6464)
5c14e05 chore: update sponsor link (#6460)
Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

dec55b7 Bump main to v4.17.23 (#6088)
19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
edadd45 Prevent prototype pollution on baseUnset function
4879a7a doc: fix autoLink function, conversion of source links (#6056)
9648f69 chore: remove yarn.lock file (#6053)
dfa407d ci: remove legacy configuration files (#6052)
156e196 feat: add renovate setup (#6039)
933e106 ci: add pipeline for Bun (#6023)
072a807 docs: update links related to Open JS Foundation (#5968)
Additional commits viewable in compare view

Updates webpack from 5.103.0 to 5.104.1

Release notes

Sourced from webpack's releases.

v5.104.1

5.104.1

Patch Changes

2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.

c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

v5.104.0

5.104.0

Minor Changes

d3dd841: Use method shorthand to render module content in __webpack_modules__ object.

d3dd841: Enhance import.meta.env to support object access.

4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.

04cd530: Handle more at-rules for CSS modules.

cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.

d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.

5983843: Provide a stable runtime function variable __webpack_global__.

d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

22c48fb: Added module existence check for informative error message in development mode.

50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.

d3dd841: Support universal lazy compilation.

d3dd841: Fixed module library export definitions when multiple runtimes.

d3dd841: Fixed CSS nesting and CSS custom properties parsing.

d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.

aab1da9: Fixed bugs for css/global type.

d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.

d3dd841: Handle nested __webpack_require__.

728ddb7: The speed of identifier parsing has been improved.

0f8b31b: Improve types.

d3dd841: Don't corrupt debugId injection when hidden-source-map is used.

2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.

d3dd841: Serialize HookWebpackError.

d3dd841: Added ability to use built-in properties in dotenv and define plugin.

3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.

d3dd841: Reduce collision for local indent name in CSS.

d3dd841: Remove CSS link tags when CSS imports are removed.

Changelog

Sourced from webpack's changelog.

5.104.1

Patch Changes

2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.

c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

5.104.0

Minor Changes

d3dd841: Use method shorthand to render module content in __webpack_modules__ object.

d3dd841: Enhance import.meta.env to support object access.

4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.

04cd530: Handle more at-rules for CSS modules.

cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.

d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.

5983843: Provide a stable runtime function variable __webpack_global__.

d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

22c48fb: Added module existence check for informative error message in development mode.

50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.

d3dd841: Support universal lazy compilation.

d3dd841: Fixed module library export definitions when multiple runtimes.

d3dd841: Fixed CSS nesting and CSS custom properties parsing.

d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.

aab1da9: Fixed bugs for css/global type.

d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.

d3dd841: Handle nested __webpack_require__.

728ddb7: The speed of identifier parsing has been improved.

0f8b31b: Improve types.

d3dd841: Don't corrupt debugId injection when hidden-source-map is used.

2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.

d3dd841: Serialize HookWebpackError.

d3dd841: Added ability to use built-in properties in dotenv and define plugin.

3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.

d3dd841: Reduce collision for local indent name in CSS.

d3dd841: Remove CSS link tags when CSS imports are removed.

Commits

24e3c2d chore(release): new release (#20253)
2efd21b fix(re-exports): reexports runtime calculation should not accessing `__WEBPAC...
c510070 fix(security): userinfo bypass vulnerability in HttpUriPlugin allowedUris
4b0501c ci: fix release (#20252)
0c213ce ci: use \<@&1450591255485743204> over @here for discord notificationw
5bf8bc5 refactor: types for benchmarks and tests
505a5e7 chore(release): new release (#20188)
0c06680 refactor: update eslint configuration
2eb0d6a ci: release announcement (#20238)
b2b2459 ci: cancel in progress (#20239)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

greptile-apps · 2026-02-09T06:21:04Z

PR author is in the excluded authors list.

github-actions · 2026-02-09T06:27:12Z

size-limit report 📦

Path	Size
react-on-rails/client bundled (gzip)	62.58 KB (+0.14% 🔺)
react-on-rails/client bundled (gzip) (time)	62.58 KB (+0.14% 🔺)
react-on-rails/client bundled (brotli)	53.7 KB (-0.02% 🔽)
react-on-rails/client bundled (brotli) (time)	53.7 KB (-0.02% 🔽)
react-on-rails-pro/client bundled (gzip)	63.59 KB (+0.14% 🔺)
react-on-rails-pro/client bundled (gzip) (time)	63.59 KB (+0.14% 🔺)
react-on-rails-pro/client bundled (brotli)	54.67 KB (+0.01% 🔺)
react-on-rails-pro/client bundled (brotli) (time)	54.67 KB (+0.01% 🔺)
registerServerComponent/client bundled (gzip)	127.31 KB (+0.16% 🔺)
registerServerComponent/client bundled (gzip) (time)	127.31 KB (+0.16% 🔺)
registerServerComponent/client bundled (brotli)	61.58 KB (+0.11% 🔺)
registerServerComponent/client bundled (brotli) (time)	61.58 KB (+0.11% 🔺)
wrapServerComponentRenderer/client bundled (gzip)	121.87 KB (+0.22% 🔺)
wrapServerComponentRenderer/client bundled (gzip) (time)	121.87 KB (+0.22% 🔺)
wrapServerComponentRenderer/client bundled (brotli)	56.59 KB (+0.02% 🔺)
wrapServerComponentRenderer/client bundled (brotli) (time)	56.59 KB (+0.02% 🔺)

Bumps the npm-security group with 3 updates in the / directory: [fastify](https://github.com/fastify/fastify), [lodash](https://github.com/lodash/lodash) and [webpack](https://github.com/webpack/webpack). Updates `fastify` from 5.6.2 to 5.7.3 - [Release notes](https://github.com/fastify/fastify/releases) - [Commits](fastify/fastify@v5.6.2...v5.7.3) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Updates `webpack` from 5.103.0 to 5.104.1 - [Release notes](https://github.com/webpack/webpack/releases) - [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md) - [Commits](webpack/webpack@v5.103.0...v5.104.1) --- updated-dependencies: - dependency-name: fastify dependency-version: 5.7.3 dependency-type: direct:production dependency-group: npm-security - dependency-name: lodash dependency-version: 4.17.23 dependency-type: direct:production dependency-group: npm-security - dependency-name: webpack dependency-version: 5.104.1 dependency-type: direct:production dependency-group: npm-security ... Signed-off-by: dependabot[bot] <[email protected]>

* origin/master: Fix private_output_path not configured on fresh Shakapacker installs (#2289) Bump the npm-security group across 1 directory with 3 updates (#2387) docs: use https links (#2518) Consolidate changelog to keep only rc6 prerelease (#2533) Fix CSS module class name divergence with rspack SSR (#2489) Bump version to 16.4.0.rc.6 # Conflicts: # CHANGELOG.md

* origin/master: Fix private_output_path not configured on fresh Shakapacker installs (#2289) Bump the npm-security group across 1 directory with 3 updates (#2387) docs: use https links (#2518) Consolidate changelog to keep only rc6 prerelease (#2533) Fix CSS module class name divergence with rspack SSR (#2489) Bump version to 16.4.0.rc.6 Add BugBot license scanning config (#2515) Fix buildVM promise cleanup ordering (#2483) (#2484) # Conflicts: # CHANGELOG.md

@here

…upport * origin/master: (38 commits) fix: use env-var-driven ports in Procfile templates to support multiple worktrees (#2539) Fix prettier formatting in auto-bundling doc Docs: Clarify .client/.server suffixes vs use client RSC directive (#2406) Warn against using .server/.client variants with RSC features Docs: move internal-only docs out of published docs trees (#2414) Fix crash when HTTPX::ErrorResponse is returned in get_form_body_for_file (#2532) Skip flaky external URLs in lychee checks (#2547) Update mise docs: prefer shell-level shims over conductor-exec (#2537) Document compression middleware compatibility with streaming SSR (#2544) Fix duplicate node-renderer message reporting in render failures (#2531) Fix private_output_path not configured on fresh Shakapacker installs (#2289) Bump the npm-security group across 1 directory with 3 updates (#2387) docs: use https links (#2518) Consolidate changelog to keep only rc6 prerelease (#2533) Fix CSS module class name divergence with rspack SSR (#2489) Bump version to 16.4.0.rc.6 Add BugBot license scanning config (#2515) Fix buildVM promise cleanup ordering (#2483) (#2484) Fix streaming SSR hangs and silent error absorption in RSC payload injection (#2407) Ensure lefthook uses mise tools in non-interactive shells (#2512) ... # Conflicts: # CHANGELOG.md

## Summary - Add changelog entries for 6 user-visible PRs merged since v16.4.0.rc.6 that were missing from `[Unreleased]` - Update existing #2561 entry to include #2568 contributor credit ### New entries added | Section | PR | Description | |---|---|---| | Added | #2539 | Environment-variable-driven ports in Procfile templates | | Fixed | #2417 | Rspack generator config path fix | | Fixed | #2419 | Precompile hook load-based execution fix | | Fixed | #2577 | `create-react-on-rails-app` validation improvements | | Pro Fixed | #2416 | StreamResponse status fallback fix | | Pro Fixed | #2566 | Empty-string license plan mismatch fix | ### Skipped PRs (not user-visible) Docs (#2406, #2414, #2479, #2494, #2518, #2537, #2544), CI/internal (#2533, #2547, #2555, #2557, #2558, #2564), dependabot (#2387, #2541), dev dependencies (#2559, #2569, #2573). ## Test plan - [ ] Verify changelog formatting matches existing entries - [ ] Verify all user-visible PRs since v16.4.0.rc.6 are covered 🤖 Generated with [Claude Code](https://claude.com/claude-code)  --- > [!NOTE] > **Low Risk** > Documentation-only changelog updates with no runtime or build behavior changes. > > **Overview** > Updates `CHANGELOG.md`’s **[Unreleased]** section to include previously missing user-facing entries: Procfile templates now support env-driven ports, several generator/`bin/dev` precompile-hook and rspack-path fixes are documented, and `create-react-on-rails-app` validation improvements are noted. > > Also adds two Pro fix entries (StreamResponse status fallback and license plan empty-string validation) and updates the existing `bin/dev` precompile-hook entry to credit an additional PR/contributor. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit e75d2b5. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  Co-authored-by: Claude Opus 4.6 <[email protected]>

dependabot Bot added dependencies Pull requests that update a dependency file full-ci javascript Pull requests that update Javascript code labels Feb 9, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-security-d2b1a49fa4 branch from fcd5b56 to 2d860ae Compare February 13, 2026 04:26

dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-security-d2b1a49fa4 branch from 2d860ae to 4e79207 Compare February 13, 2026 04:29

justin808 merged commit 04dc125 into master Mar 5, 2026
35 of 36 checks passed

justin808 deleted the dependabot/npm_and_yarn/npm-security-d2b1a49fa4 branch March 5, 2026 08:39

justin808 mentioned this pull request Mar 9, 2026

Add missing changelog entries for unreleased PRs #2578

Merged

2 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the npm-security group across 1 directory with 3 updates#2387

Bump the npm-security group across 1 directory with 3 updates#2387
justin808 merged 1 commit intomasterfrom
dependabot/npm_and_yarn/npm-security-d2b1a49fa4

dependabot Bot commented on behalf of github Feb 9, 2026 •

edited

Loading

Uh oh!

greptile-apps Bot commented Feb 9, 2026

Uh oh!

github-actions Bot commented Feb 9, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

dependabot Bot commented on behalf of github Feb 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v5.7.3

⚠️ Security Release

What's Changed

v5.7.2

⚠️ Notice ⚠️

What's Changed

New Contributors

v5.7.1

What's Changed

v5.7.0

What's Changed

v5.104.1

5.104.1

Patch Changes

v5.104.0

5.104.0

Minor Changes

Patch Changes

5.104.1

Patch Changes

5.104.0

Minor Changes

Patch Changes

Uh oh!

greptile-apps Bot commented Feb 9, 2026

Uh oh!

github-actions Bot commented Feb 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

size-limit report 📦

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dependabot Bot commented on behalf of github Feb 9, 2026 •

edited

Loading

github-actions Bot commented Feb 9, 2026 •

edited

Loading