create-nuxt-base 2.5.3 → 2.6.2

@@ -0,0 +1,4 @@
1
+ # lt-dev-npm-package-maintainer Memory
2
+
3
+ - [Override Safety Rule](feedback_override_safety.md) — All pnpm.overrides targets MUST use fixed versions (no `>=`, `^`, `~`)
4
+ - [Project Structure](project_structure.md) — Two-level package.json structure: root (create-nuxt-base) + nuxt-base-template/
@@ -0,0 +1,13 @@
1
+ ---
2
+ name: Override Safety Rule
3
+ description: All pnpm.overrides targets must use fixed versions, never unbounded ranges
4
+ type: feedback
5
+ ---
6
+
7
+ All `pnpm.overrides` target values (right-hand side) MUST be fixed versions — never `>=X`, `^X`, `~X`, or `*`.
8
+
9
+ **Why:** In April 2026 an unbounded override `"vite@>=7.0.0 <=7.3.1": ">=7.3.2"` caused pnpm to install `vite@8.0.8` (major version jump), breaking peer dependencies in `@nuxt/test-utils`, dropping `drizzle-orm` from `better-auth`, and causing 13 e2e test regressions.
10
+
11
+ **How to apply:** When writing or reviewing overrides, always pin to a specific version like `"7.3.2"`. The selector on the LEFT can use ranges (to scope which vulnerable versions are replaced); the value on the RIGHT must be exact.
12
+
13
+ Before this maintenance session (2026-04-17) ALL overrides in nuxt-base-template/package.json had unbounded targets (`>=X`). They were all fixed to exact version strings.
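Review bot: The "How to apply" step is missing the verification that would have caught the lockfile drift fixed later in this same release ("sync pnpm-lock.yaml with pinned overrides", 2.6.2): changing the right-hand side of an override does nothing to what gets installed until the lockfile is regenerated, and CI installs from the lockfile, not from package.json. After pinning a target, run `pnpm install`, confirm the resolved version with `pnpm why <pkg>`, and commit the updated pnpm-lock.yaml in the same change; write that into the rule. It is also worth stating the trade-off the rule introduces: an exact target such as `"7.3.2"` blocks the silent major jump to `vite@8.0.8` described above, but it equally blocks future patch releases of that package within the selector range, so every pinned target has to be revisited whenever `pnpm audit` reports a new advisory against the pinned version rather than being expected to pick the fix up on its own.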
@@ -0,0 +1,22 @@
1
+ ---
2
+ name: Project Structure
3
+ description: nuxt-base-starter has two-level package.json structure requiring checks in both locations
4
+ type: project
5
+ ---
6
+
7
+ This repo has TWO package.json files requiring maintenance:
8
+
9
+ 1. **Root** `/package.json` (package: `create-nuxt-base` v2.6.0+)
10
+ - `dependencies`: cross-spawn, fs-extra (used by index.js scaffolding tool)
11
+ - `devDependencies`: oxfmt, standard-version
12
+ - Has its own `pnpm.overrides` for standard-version's transitive deps (handlebars, lodash, brace-expansion, minimatch)
13
+
14
+ 2. **Template** `/nuxt-base-template/package.json` (the actual Nuxt app template)
15
+ - The bulk of the packages live here
16
+ - `dependencies`: better-auth, @better-auth/passkey, @lenne.tech/nuxt-extensions, @nuxt/ui, tus-js-client, valibot, qrcode, etc.
17
+ - `devDependencies`: nuxt, vitest, playwright, @nuxtjs/seo, typescript, etc.
18
+ - Has extensive `pnpm.overrides` for security CVEs
19
+
20
+ The `check` script in root runs `cd nuxt-base-template && pnpm run check` which covers: audit + format + lint + unit tests + build + server-start verification.
21
+
22
+ **Why:** Maintained as 2026-04-17. The structure ensures the scaffolding tool (root) and the generated project (template) are independently versioned.
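Review bot: This file records that the root package.json carries its own `pnpm.overrides` (handlebars, lodash, brace-expansion, minimatch), yet the Override Safety Rule added in the same change only says that the overrides in nuxt-base-template/package.json were converted to exact targets, and the root package.json is not part of this diff. Either state here that the root overrides have also been pinned, or add the root file to the rule's scope so the next maintenance pass checks both places; the reason this memory entry exists is that there are two package.json files to maintain, so the rule and this note should agree on that. Minor wording: "Maintained as 2026-04-17" presumably means "as of 2026-04-17".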
package/CHANGELOG.md CHANGED
@@ -2,6 +2,21 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
4
4
 
5
+ ### [2.6.2](https://github.com/lenneTech/nuxt-base-starter/compare/v2.6.1...v2.6.2) (2026-04-17)
6
+
7
+
8
+ ### Bug Fixes
9
+
10
+ * **deps:** sync pnpm-lock.yaml with pinned overrides ([26cf45d](https://github.com/lenneTech/nuxt-base-starter/commit/26cf45dad735f2ab9ba4f2e9f0870e3cc04c67e7))
11
+
12
+ ### [2.6.1](https://github.com/lenneTech/nuxt-base-starter/compare/v2.6.0...v2.6.1) (2026-04-17)
13
+
14
+ ## [2.6.0](https://github.com/lenneTech/nuxt-base-starter/compare/v2.5.3...v2.6.0) (2026-04-17)
15
+
16
+ ### Features
17
+
18
+ - **template:** harden check script with server-start verification and document vendor-mode workflow ([6521650](https://github.com/lenneTech/nuxt-base-starter/commit/65216500261c846a87c66f0cb7a1170a3d0ed2b9))
19
+
5
20
  ### [2.5.3](https://github.com/lenneTech/nuxt-base-starter/compare/v2.5.2...v2.5.3) (2026-04-06)
6
21
 
7
22
  ### [2.5.2](https://github.com/lenneTech/nuxt-base-starter/compare/v2.5.1...v2.5.2) (2026-04-04)
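Review bot: The 2.6.1 entry is empty, and none of the security work in this release is recorded in the changelog: the new `drizzle-orm` (GHSA-gpj5-g38j-94v9) and `vite` (GHSA-v2wj-q39q-566r, GHSA-p9ff-h696-f583, GHSA-4w7w-66w2-5vf9) overrides, the widened `hono`, `@hono/node-server` and `unhead` ranges, the better-auth 1.5.6 to 1.6.5 bump, and the conversion of every override target from `>=X` to an exact version. Since standard-version builds these sections from commit subjects, the fix is to land such changes under `fix(deps):` or `fix(security):` so they show up under Bug Fixes; a consumer comparing 2.5.3 with 2.6.2 should be able to tell from CHANGELOG.md that transitive advisories were addressed and which ones.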
@@ -1 +1 @@
1
- setups.@nuxt/test-utils="4.0.0"
1
+ setups.@nuxt/test-utils="4.0.2"
@@ -58,9 +58,51 @@ pnpm run check # Full quality check (audit + format + lint + types + test
58
58
 
59
59
  ## Framework: @lenne.tech/nuxt-extensions
60
60
 
61
- This project depends on `@lenne.tech/nuxt-extensions`. The framework source is available in `node_modules/@lenne.tech/nuxt-extensions/` and **MUST** be read when using or debugging framework features.
62
-
63
- ### Key Source Files (in node_modules/@lenne.tech/nuxt-extensions/)
61
+ This project consumes the framework in one of two modes:
62
+
63
+ - **npm mode (default):** `@lenne.tech/nuxt-extensions` is installed as
64
+ an npm dependency; framework source lives in
65
+ `node_modules/@lenne.tech/nuxt-extensions/`. Registered in
66
+ `nuxt.config.ts` via the module string `'@lenne.tech/nuxt-extensions'`.
67
+ - **vendor mode:** framework source is copied directly into
68
+ `app/core/` as first-class project code. No
69
+ `@lenne.tech/nuxt-extensions` npm dependency. Baseline + patch log
70
+ live in `app/core/VENDOR.md`. Updated via
71
+ `/lt-dev:frontend:update-nuxt-extensions-core`. Detect via:
72
+ `test -f app/core/VENDOR.md`.
73
+
74
+ **ALWAYS read the actual framework source** before guessing behavior —
75
+ in npm mode from `node_modules/@lenne.tech/nuxt-extensions/`, in
76
+ vendor mode directly from `app/core/`.
77
+
78
+ ### Vendor Modification Policy
79
+
80
+ When this project is in vendor mode, the copy in `app/core/` exists
81
+ so Claude Code can read framework internals directly — it is a
82
+ **comprehension aid**, not a fork. Only edit `app/core/` when the
83
+ change is **generally useful to every nuxt-extensions consumer**:
84
+
85
+ - Bugfixes that apply to every consumer
86
+ - Broad framework enhancements (new composables, better defaults,
87
+ SSR fixes)
88
+ - Security vulnerability fixes
89
+ - Type/config compatibility fixes every consumer would hit
90
+
91
+ **Everything else stays out of `app/core/`.** Project-specific
92
+ business rules, customer branding, and proprietary integrations
93
+ belong in project code (`app/composables/`, `app/components/`,
94
+ `app/middleware/`, plugin overrides).
95
+
96
+ **Generally-useful changes MUST be submitted as an upstream PR** to
97
+ `github.com/lenneTech/nuxt-extensions`. Run
98
+ `/lt-dev:frontend:contribute-nuxt-extensions-core` to prepare the PR
99
+ — the agent filters cosmetic commits, categorizes each local change
100
+ as upstream-candidate vs. project-specific, and writes PR drafts for
101
+ human review. Letting useful fixes rot in a single project's vendor
102
+ tree is an anti-pattern: they belong upstream so every consumer
103
+ benefits and the local patch disappears on the next sync.
104
+
105
+ ### Key Source Files (in node_modules/@lenne.tech/nuxt-extensions/ — npm mode; replace prefix with app/core/ in vendor mode)
64
106
 
65
107
  | File | Purpose |
66
108
  | --------------------------- | ---------------------------------------------------------- |
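Review bot: Vendor mode has a security consequence this section should spell out in the vendor-mode bullet: once `@lenne.tech/nuxt-extensions` is no longer an npm dependency, `pnpm audit` in the `check` script does not see the framework at all, so an advisory published against nuxt-extensions will not fail the build, and the `pnpm.overrides` documented below become the only thing still covering the framework's transitive dependencies. Say explicitly that the baseline version recorded in `app/core/VENDOR.md` is what must be compared against upstream releases and that `/lt-dev:frontend:update-nuxt-extensions-core` is the only path by which an upstream security fix reaches `app/core/`. The section also does not say where the framework's own runtime dependencies are declared once the npm package is gone; in vendor mode they have to live in this project's package.json, and that is where the override table below has to keep covering them.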
@@ -75,11 +117,12 @@ This project depends on `@lenne.tech/nuxt-extensions`. The framework source is a
75
117
 
76
118
  ### Rules
77
119
 
78
- 1. **ALWAYS read actual source code** from `node_modules/@lenne.tech/nuxt-extensions/` before guessing framework behavior
120
+ 1. **ALWAYS read actual source code** before guessing framework behavior — from `node_modules/@lenne.tech/nuxt-extensions/` in npm mode, or from `app/core/` in vendor mode
79
121
  2. **NEVER re-implement** functionality that nuxt-extensions already provides — check composables first
80
122
  3. **Use `useBetterAuth()`** for authentication — never implement auth manually
81
123
  4. **When debugging auth issues**, read the auth proxy server route and middleware source
82
- 5. **Check `dist/runtime/composables/`** before creating new composables — may already exist
124
+ 5. **Check runtime composables** before creating new composables — may already exist
125
+ 6. **In vendor mode**, only edit `app/core/` for generally-useful changes and submit them upstream via `/lt-dev:frontend:contribute-nuxt-extensions-core`. Project-specific code belongs outside `app/core/`.
83
126
 
84
127
  ## Authentication
85
128
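Review bot: Rule 5 lost its path without gaining a vendor-mode equivalent: the old text pointed at `dist/runtime/composables/` inside node_modules, and in vendor mode the copy under `app/core/` is source rather than a built `dist/`, so the directory to check differs by mode. Give both locations explicitly, as rule 1 now does, for example `node_modules/@lenne.tech/nuxt-extensions/dist/runtime/composables/` in npm mode and the corresponding directory under `app/core/` in vendor mode; "Check runtime composables" on its own is not actionable.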
 
@@ -91,31 +134,35 @@ Key rule: Never manually write to the `lt-auth-state` cookie from custom middlew
91
134
 
92
135
  The `pnpm.overrides` in `package.json` force vulnerable transitive dependencies to patched versions. Each override addresses a specific CVE or security advisory:
93
136
 
94
- | Override | Advisory | Notes |
95
- | -------------------------------- | ------------------- | ----------------------------------------------------------------------------------- |
96
- | `@hono/node-server@<1.19.10` | GHSA-7256-2wf4-hf2r | Request smuggling |
97
- | `brace-expansion@>=2.0.0 <2.0.3` | GHSA-f886-m6hf-6m8v | ReDoS via zero-step sequences |
98
- | `brace-expansion@>=4.0.0 <5.0.5` | GHSA-f886-m6hf-6m8v | Same advisory, 5.x range |
99
- | `readdir-glob@<2.0.3` | (transitive) | Forces minimatch upgrade for brace-expansion fix |
100
- | `defu@<=6.1.4` | GHSA-mchp-fgcf-hmfj | Prototype pollution |
101
- | `devalue@<=5.6.3` | GHSA-77p6-w3v8-rqwf | XSS via crafted input |
102
- | `effect@<3.20.0` | GHSA-j44v-mmf2-xvm9 | Denial of service |
103
- | `h3@<1.15.9` | GHSA-wr4h-v87w-p3r7 | Path traversal |
104
- | `h3@>=2.0.0-0 <2.0.1-rc.18` | GHSA-q5pr-72pq-83v3 | Cookie DoS + SSE injection |
105
- | `h3-next` | (alias fix) | `@nuxt/test-utils` pins h3-next to vulnerable RC; remove when h3 v2 stable releases |
106
- | `hono@<4.12.7` | GHSA-rp6g-89hg-4gfv | SSRF via host header |
107
- | `kysely@>=0.26.0 <=0.28.13` | GHSA-4hxq-5gxr-453h | SQL injection |
108
- | `lodash@>=4.0.0 <=4.17.23` | GHSA-x5rq-j2xg-h7qm | Prototype pollution |
109
- | `minimatch@>=9.0.0 <9.0.7` | GHSA-f886-m6hf-6m8v | ReDoS via brace-expansion |
110
- | `node-forge@<1.4.0` | GHSA-997c-fj8j-rq5h | RSA signature forgery |
111
- | `picomatch@<2.3.2` | GHSA-26j4-r882-m4jm | ReDoS |
112
- | `picomatch@>=4.0.0 <4.0.4` | GHSA-26j4-r882-m4jm | Same advisory, 4.x range |
113
- | `rollup@>=4.0.0 <4.59.0` | GHSA-gcx4-mw62-g3rm | DOM clobbering in output |
114
- | `serialize-javascript@<=7.0.4` | GHSA-cqmj-v5x6-4hg7 | XSS via crafted object |
115
- | `srvx@<0.11.13` | GHSA-4r4v-8rg6-5crc | Open redirect |
116
- | `tar@<=7.5.10` | GHSA-jg7w-cxjv-98c2 | Path traversal |
117
- | `unhead@<=2.1.10` | GHSA-gxhp-jfhg-5fv8 | XSS via meta tags |
118
- | `yaml@>=2.0.0 <2.8.3` | GHSA-4hm9-844j-jmxp | Code execution via crafted YAML |
137
+ All override targets use fixed versions (not ranges) to prevent silent major-version jumps. See TurboOps incident (April 2026) in the agent memory for context.
138
+
139
+ | Override | Advisory | Notes |
140
+ | -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ |
141
+ | `@hono/node-server@<1.19.14` | GHSA-7256-2wf4-hf2r, GHSA-92pp-h63x-v22m | Request smuggling + middleware bypass via repeated slashes |
142
+ | `brace-expansion@>=2.0.0 <2.0.3` | GHSA-f886-m6hf-6m8v | ReDoS via zero-step sequences |
143
+ | `brace-expansion@>=4.0.0 <5.0.5` | GHSA-f886-m6hf-6m8v | Same advisory, 5.x range |
144
+ | `drizzle-orm@<0.45.2` | GHSA-gpj5-g38j-94v9 | SQL injection via improperly escaped identifiers; transitive via @nuxtjs/seo>nuxt-link-checker>unstorage>db0 |
145
+ | `readdir-glob@<2.0.3` | (transitive) | Forces minimatch upgrade for brace-expansion fix |
146
+ | `defu@<=6.1.4` | GHSA-mchp-fgcf-hmfj | Prototype pollution |
147
+ | `devalue@<=5.6.3` | GHSA-77p6-w3v8-rqwf | XSS via crafted input |
148
+ | `effect@<3.20.0` | GHSA-j44v-mmf2-xvm9 | Denial of service |
149
+ | `h3@<1.15.9` | GHSA-wr4h-v87w-p3r7 | Path traversal |
150
+ | `h3@>=2.0.0-0 <2.0.1-rc.18` | GHSA-q5pr-72pq-83v3 | Cookie DoS + SSE injection |
151
+ | `h3-next` | (alias fix) | `@nuxt/test-utils` pins h3-next to vulnerable RC; remove when h3 v2 stable releases |
152
+ | `hono@<4.12.14` | GHSA-rp6g-89hg-4gfv, GHSA-26pp-8wgv-hjvm, GHSA-r5rp-j6wh-rvv4, GHSA-wmmm-f939-6g9c, GHSA-xpcf-pg52-r92g, GHSA-458j-xx4x-4375 | SSRF, cookie validation, IP bypass, JSX injection |
153
+ | `kysely@>=0.26.0 <=0.28.13` | GHSA-4hxq-5gxr-453h | SQL injection |
154
+ | `lodash@>=4.0.0 <=4.17.23` | GHSA-x5rq-j2xg-h7qm | Prototype pollution |
155
+ | `minimatch@>=9.0.0 <9.0.7` | GHSA-f886-m6hf-6m8v | ReDoS via brace-expansion |
156
+ | `node-forge@<1.4.0` | GHSA-997c-fj8j-rq5h | RSA signature forgery |
157
+ | `picomatch@<2.3.2` | GHSA-26j4-r882-m4jm | ReDoS |
158
+ | `picomatch@>=4.0.0 <4.0.4` | GHSA-26j4-r882-m4jm | Same advisory, 4.x range |
159
+ | `rollup@>=4.0.0 <4.59.0` | GHSA-gcx4-mw62-g3rm | DOM clobbering in output |
160
+ | `serialize-javascript@<=7.0.4` | GHSA-cqmj-v5x6-4hg7 | XSS via crafted object |
161
+ | `srvx@<0.11.13` | GHSA-4r4v-8rg6-5crc | Open redirect |
162
+ | `tar@<=7.5.10` | GHSA-jg7w-cxjv-98c2 | Path traversal |
163
+ | `unhead@<=2.1.12` | GHSA-gxhp-jfhg-5fv8, GHSA-95h2-gj7x-gx9w | XSS via meta tags + hasDangerousProtocol() bypass via leading-zero padded HTML entities |
164
+ | `vite@>=7.0.0 <7.3.2` | GHSA-v2wj-q39q-566r, GHSA-p9ff-h696-f583, GHSA-4w7w-66w2-5vf9 | fs.deny bypass, arbitrary file read via WebSocket, path traversal in .map |
165
+ | `yaml@>=2.0.0 <2.8.3` | GHSA-4hm9-844j-jmxp | Code execution via crafted YAML |
119
166
 
120
167
  The `ignoredOptionalDependencies` block suppresses 30 platform-specific native binaries (`@img/sharp-*`, `@resvg/resvg-js-*`) that are pulled in by `@nuxtjs/seo` 5.x's OG image engine. Only the host-platform binary is needed at build time.
121
168
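Review bot: The sentence introducing the table refers to a "TurboOps incident (April 2026) in the agent memory", but the memory entry added in this same change (feedback_override_safety.md) describes the incident as the unbounded `vite` override resolving to `vite@8.0.8` and never uses the name TurboOps; cite the memory file and the vite override by name so a reader can find it. Two rows also need a remark in the Notes column now that targets are exact: `readdir-glob@<2.0.3` is pinned to `3.0.0`, a deliberate major-version jump in a table whose preamble says pinning exists to prevent major-version jumps, so say that 3.0.0 was verified against its dependents, and `drizzle-orm@<0.45.2` sits between the brace-expansion rows rather than in alphabetical position. Since this table now duplicates the exact targets in package.json, a line saying it must be updated in the same commit as `pnpm.overrides` would save the next maintainer from the two drifting apart.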
 
@@ -11,9 +11,9 @@
11
11
  },
12
12
  "scripts": {
13
13
  "c": "pnpm run check",
14
- "check": "pnpm audit && pnpm run format:check && pnpm run lint && pnpm test && pnpm run build && pnpm start",
15
- "check:fix": "pnpm install && pnpm audit --fix && pnpm run format && pnpm run lint:fix && pnpm test && pnpm run build && pnpm start",
16
- "check:naf": "pnpm install && pnpm run format && pnpm run lint:fix && pnpm test && pnpm run build && pnpm start",
14
+ "check": "pnpm audit && pnpm run format:check && pnpm run lint && pnpm test && pnpm run build && bash scripts/check-server-start.sh",
15
+ "check:fix": "pnpm install && pnpm audit --fix && pnpm run format && pnpm run lint:fix && pnpm test && pnpm run build && bash scripts/check-server-start.sh",
16
+ "check:naf": "pnpm install && pnpm run format && pnpm run lint:fix && pnpm test && pnpm run build && bash scripts/check-server-start.sh",
17
17
  "cf": "pnpm run check:fix",
18
18
  "cnaf": "pnpm run check:naf",
19
19
  "init": "pnpm install",
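Review bot: `check:fix` still runs `pnpm audit --fix`, and `pnpm audit --fix` writes new overrides into package.json itself in range form (the `>=X` shape every override here had before this change), so one `pnpm run check:fix` after the next advisory will reintroduce exactly the unbounded targets the Override Safety Rule forbids. Either drop `--fix` from the scripted path and keep `pnpm audit` as a reporting step with overrides maintained by hand, or add a step after it that fails when any `pnpm.overrides` value starts with `>=`, `^`, `~` or is `*`. Separately, `scripts/check-server-start.sh` is referenced by all three scripts as `bash scripts/check-server-start.sh` but is not in this diff, so the server-start verification claimed in the changelog cannot be reviewed here and needs to ship in the published template for these scripts to run at all.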
@@ -48,35 +48,35 @@
48
48
  "fix": "pnpm run lint:fix && pnpm run format"
49
49
  },
50
50
  "dependencies": {
51
- "@better-auth/passkey": "1.5.6",
51
+ "@better-auth/passkey": "1.6.5",
52
52
  "@lenne.tech/bug.lt": "latest",
53
53
  "@lenne.tech/nuxt-extensions": "1.5.3",
54
54
  "@nuxt/image": "2.0.0",
55
55
  "@nuxt/ui": "4.6.1",
56
56
  "@pinia/nuxt": "0.11.3",
57
57
  "@vueuse/nuxt": "14.2.1",
58
- "better-auth": "1.5.6",
58
+ "better-auth": "1.6.5",
59
59
  "qrcode": "1.5.4",
60
60
  "tus-js-client": "4.3.1",
61
61
  "valibot": "1.3.1"
62
62
  },
63
63
  "devDependencies": {
64
- "@hey-api/openapi-ts": "0.95.0",
65
- "@iconify-json/lucide": "1.2.101",
64
+ "@hey-api/openapi-ts": "0.96.0",
65
+ "@iconify-json/lucide": "1.2.102",
66
66
  "@nuxt/devtools": "3.2.4",
67
- "@nuxt/test-utils": "4.0.0",
67
+ "@nuxt/test-utils": "4.0.2",
68
68
  "@nuxtjs/plausible": "3.0.2",
69
- "@nuxtjs/seo": "5.1.0",
69
+ "@nuxtjs/seo": "5.1.3",
70
70
  "@playwright/test": "1.59.1",
71
71
  "@tailwindcss/typography": "0.5.19",
72
72
  "@tailwindcss/vite": "4.2.2",
73
- "@types/node": "25.5.2",
73
+ "@types/node": "25.6.0",
74
74
  "@types/qrcode": "1.5.6",
75
- "@vitejs/plugin-vue": "6.0.5",
75
+ "@vitejs/plugin-vue": "6.0.6",
76
76
  "@vue/test-utils": "2.4.6",
77
77
  "dayjs-nuxt": "2.1.11",
78
- "happy-dom": "20.8.9",
79
- "jsdom": "29.0.1",
78
+ "happy-dom": "20.9.0",
79
+ "jsdom": "29.0.2",
80
80
  "lint-staged": "16.4.0",
81
81
  "mongodb": "7.1.1",
82
82
  "nuxt": "4.4.2",
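Review bot: `"@lenne.tech/bug.lt": "latest"` (unchanged context) is the one dependency in this template that is not pinned, in a package.json where every other version is exact and whose overrides block was just rewritten specifically to stop unreviewed version jumps. `latest` resolves to whatever that package's most recent publish is at install time of each scaffolded project, so a broken or compromised release of bug.lt reaches every new project with no change to this repo and no lockfile to catch it; pin it to a version and bump it through the same maintenance pass as the rest. The better-auth and `@better-auth/passkey` bumps move together to 1.6.5, which is the right way to bump a plugin versioned in step with its host.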
@@ -85,8 +85,8 @@
85
85
  "rimraf": "6.1.3",
86
86
  "simple-git-hooks": "2.13.1",
87
87
  "tailwindcss": "4.2.2",
88
- "typescript": "6.0.2",
89
- "vitest": "4.1.2"
88
+ "typescript": "6.0.3",
89
+ "vitest": "4.1.4"
90
90
  },
91
91
  "simple-git-hooks": {
92
92
  "pre-commit": "npx lint-staged",
@@ -146,29 +146,31 @@
146
146
  "vue-demi"
147
147
  ],
148
148
  "overrides": {
149
- "@hono/node-server@<1.19.10": ">=1.19.10",
150
- "brace-expansion@>=2.0.0 <2.0.3": ">=2.0.3",
151
- "brace-expansion@>=4.0.0 <5.0.5": ">=5.0.5",
152
- "readdir-glob@<2.0.3": ">=2.0.3",
153
- "defu@<=6.1.4": ">=6.1.5",
154
- "devalue@<=5.6.3": ">=5.6.4",
155
- "effect@<3.20.0": ">=3.20.0",
156
- "h3@<1.15.9": ">=1.15.9",
157
- "h3@>=2.0.0-0 <2.0.1-rc.18": ">=2.0.1-rc.18",
149
+ "@hono/node-server@<1.19.14": "1.19.14",
150
+ "brace-expansion@>=2.0.0 <2.0.3": "2.1.0",
151
+ "brace-expansion@>=4.0.0 <5.0.5": "5.0.5",
152
+ "drizzle-orm@<0.45.2": "0.45.2",
153
+ "readdir-glob@<2.0.3": "3.0.0",
154
+ "defu@<=6.1.4": "6.1.7",
155
+ "devalue@<=5.6.3": "5.7.1",
156
+ "effect@<3.20.0": "3.21.0",
157
+ "h3@<1.15.9": "1.15.11",
158
+ "h3@>=2.0.0-0 <2.0.1-rc.18": "2.0.1-rc.20",
158
159
  "h3-next": "npm:h3@2.0.1-rc.20",
159
- "hono@<4.12.7": ">=4.12.7",
160
- "kysely@>=0.26.0 <=0.28.13": ">=0.28.14",
161
- "lodash@>=4.0.0 <=4.17.23": ">=4.18.0",
162
- "minimatch@>=9.0.0 <9.0.7": ">=9.0.7",
163
- "node-forge@<1.4.0": ">=1.4.0",
164
- "picomatch@<2.3.2": ">=2.3.2",
165
- "picomatch@>=4.0.0 <4.0.4": ">=4.0.4",
166
- "rollup@>=4.0.0 <4.59.0": ">=4.59.0",
167
- "serialize-javascript@<=7.0.4": ">=7.0.5",
168
- "srvx@<0.11.13": ">=0.11.13",
169
- "tar@<=7.5.10": ">=7.5.11",
170
- "unhead@<=2.1.10": ">=2.1.11",
171
- "yaml@>=2.0.0 <2.8.3": ">=2.8.3"
160
+ "hono@<4.12.14": "4.12.14",
161
+ "kysely@>=0.26.0 <=0.28.13": "0.28.16",
162
+ "lodash@>=4.0.0 <=4.17.23": "4.18.1",
163
+ "minimatch@>=9.0.0 <9.0.7": "9.0.9",
164
+ "node-forge@<1.4.0": "1.4.0",
165
+ "picomatch@<2.3.2": "2.3.2",
166
+ "picomatch@>=4.0.0 <4.0.4": "4.0.4",
167
+ "rollup@>=4.0.0 <4.59.0": "4.60.1",
168
+ "serialize-javascript@<=7.0.4": "7.0.5",
169
+ "srvx@<0.11.13": "0.11.15",
170
+ "tar@<=7.5.10": "7.5.13",
171
+ "unhead@<=2.1.12": "2.1.13",
172
+ "vite@>=7.0.0 <7.3.2": "7.3.2",
173
+ "yaml@>=2.0.0 <2.8.3": "2.8.3"
172
174
  }
173
175
  }
174
176
  }
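Review bot: `"readdir-glob@<2.0.3": "3.0.0"` is a major-version jump written by hand into the very block being converted to exact targets to avoid major-version jumps; if 3.0.0 was confirmed to work with its dependents (the check script passed), record that in the override table, otherwise `2.0.3`, the first patched release the selector names, is the conservative target. The same question applies to `"effect@<3.20.0": "3.21.0"`, `"rollup@>=4.0.0 <4.59.0": "4.60.1"`, `"srvx@<0.11.13": "0.11.15"` and `"brace-expansion@>=2.0.0 <2.0.3": "2.1.0"`, all of which pin above the first patched version their selector implies: for an exact target to be reviewable, the documentation should say whether the extra versions were taken for a reason or simply because they were current on 2026-04-17. Also, `"h3@>=2.0.0-0 <2.0.1-rc.18": "2.0.1-rc.20"` and `"h3-next": "npm:h3@2.0.1-rc.20"` now have to be bumped as a pair whenever the h3 2.x RC moves; since package.json cannot carry a comment, that pairing belongs in the override table next to the h3-next row.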