create-nuxt-base 2.6.0 → 2.6.3

@@ -0,0 +1,4 @@
1
+ # lt-dev-npm-package-maintainer Memory
2
+
3
+ - [Override Safety Rule](feedback_override_safety.md) — All pnpm.overrides targets MUST use fixed versions (no `>=`, `^`, `~`)
4
+ - [Project Structure](project_structure.md) — Two-level package.json structure: root (create-nuxt-base) + nuxt-base-template/
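Review bot: the new index entry for the Override Safety Rule says every `pnpm.overrides` target must be a fixed version, but the Security Reviewer Memory Index later in this same diff still states that "pnpm overrides use open upper bounds (>=) by convention". The two memory indexes should agree; update or cross-reference the reviewer index so an automated review does not approve exactly the pattern this rule forbids.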
@@ -0,0 +1,13 @@
1
+ ---
2
+ name: Override Safety Rule
3
+ description: All pnpm.overrides targets must use fixed versions, never unbounded ranges
4
+ type: feedback
5
+ ---
6
+
7
+ All `pnpm.overrides` target values (right-hand side) MUST be fixed versions — never `>=X`, `^X`, `~X`, or `*`.
8
+
9
+ **Why:** In April 2026 an unbounded override `"vite@>=7.0.0 <=7.3.1": ">=7.3.2"` caused pnpm to install `vite@8.0.8` (major version jump), breaking peer dependencies in `@nuxt/test-utils`, dropping `drizzle-orm` from `better-auth`, and causing 13 e2e test regressions.
10
+
11
+ **How to apply:** When writing or reviewing overrides, always pin to a specific version like `"7.3.2"`. The selector on the LEFT can use ranges (to scope which vulnerable versions are replaced); the value on the RIGHT must be exact.
12
+
13
+ Before this maintenance session (2026-04-17) ALL overrides in nuxt-base-template/package.json had unbounded targets (`>=X`). They were all fixed to exact version strings.
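Review bot: the rule as written ("fixed versions, never ranges") blocks the symptom but not the other way a target can change major version: the overrides hunk in this diff pins `"readdir-glob@<2.0.3": "3.0.0"`, which is a fixed version yet still crosses a major boundary relative to the selector. Consider adding a sentence that the pinned target should stay within the selector's major unless a major bump is deliberate and documented. It is also worth stating the cost of exact pins here: they stop tracking new patch releases, so every new advisory against one of these packages needs a manual bump and a fresh `pnpm audit` run.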
@@ -0,0 +1,22 @@
1
+ ---
2
+ name: Project Structure
3
+ description: nuxt-base-starter has two-level package.json structure requiring checks in both locations
4
+ type: project
5
+ ---
6
+
7
+ This repo has TWO package.json files requiring maintenance:
8
+
9
+ 1. **Root** `/package.json` (package: `create-nuxt-base` v2.6.0+)
10
+ - `dependencies`: cross-spawn, fs-extra (used by index.js scaffolding tool)
11
+ - `devDependencies`: oxfmt, standard-version
12
+ - Has its own `pnpm.overrides` for standard-version's transitive deps (handlebars, lodash, brace-expansion, minimatch)
13
+
14
+ 2. **Template** `/nuxt-base-template/package.json` (the actual Nuxt app template)
15
+ - The bulk of the packages live here
16
+ - `dependencies`: better-auth, @better-auth/passkey, @lenne.tech/nuxt-extensions, @nuxt/ui, tus-js-client, valibot, qrcode, etc.
17
+ - `devDependencies`: nuxt, vitest, playwright, @nuxtjs/seo, typescript, etc.
18
+ - Has extensive `pnpm.overrides` for security CVEs
19
+
20
+ The `check` script in root runs `cd nuxt-base-template && pnpm run check` which covers: audit + format + lint + unit tests + build + server-start verification.
21
+
22
+ **Why:** Maintained as 2026-04-17. The structure ensures the scaffolding tool (root) and the generated project (template) are independently versioned.
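Review bot: the paragraph about the `check` script only covers the template (`cd nuxt-base-template && pnpm run check`), so the root package's own `pnpm.overrides` for standard-version's transitive deps (handlebars, lodash, brace-expansion, minimatch) listed under item 1 are not covered by the audit step documented here, and this diff does not show the root overrides at all. State whether the root overrides were also converted to fixed versions and add a root-level audit to the documented workflow, otherwise the two-level structure this file warns about is exactly where a range target can survive unnoticed.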
package/.oxfmtrc.jsonc CHANGED
@@ -4,4 +4,8 @@
4
4
  "printWidth": 180,
5
5
  "semi": true,
6
6
  "singleQuote": true,
7
+ // nuxt-base-template has its own .editorconfig with `[*.md] insert_final_newline = false`
8
+ // which doesn't propagate up when oxfmt runs from the starter root. Skip it here;
9
+ // the sub-project has its own `pnpm run format:check`.
10
+ "ignorePatterns": ["node_modules", "dist", "nuxt-base-template"],
7
11
  }
package/CHANGELOG.md CHANGED
@@ -2,12 +2,21 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
4
4
 
5
- ## [2.6.0](https://github.com/lenneTech/nuxt-base-starter/compare/v2.5.3...v2.6.0) (2026-04-17)
5
+ ### [2.6.3](https://github.com/lenneTech/nuxt-base-starter/compare/v2.6.2...v2.6.3) (2026-04-18)
6
+
7
+ ### [2.6.2](https://github.com/lenneTech/nuxt-base-starter/compare/v2.6.1...v2.6.2) (2026-04-17)
8
+
9
+ ### Bug Fixes
6
10
 
11
+ - **deps:** sync pnpm-lock.yaml with pinned overrides ([26cf45d](https://github.com/lenneTech/nuxt-base-starter/commit/26cf45dad735f2ab9ba4f2e9f0870e3cc04c67e7))
12
+
13
+ ### [2.6.1](https://github.com/lenneTech/nuxt-base-starter/compare/v2.6.0...v2.6.1) (2026-04-17)
14
+
15
+ ## [2.6.0](https://github.com/lenneTech/nuxt-base-starter/compare/v2.5.3...v2.6.0) (2026-04-17)
7
16
 
8
17
  ### Features
9
18
 
10
- * **template:** harden check script with server-start verification and document vendor-mode workflow ([6521650](https://github.com/lenneTech/nuxt-base-starter/commit/65216500261c846a87c66f0cb7a1170a3d0ed2b9))
19
+ - **template:** harden check script with server-start verification and document vendor-mode workflow ([6521650](https://github.com/lenneTech/nuxt-base-starter/commit/65216500261c846a87c66f0cb7a1170a3d0ed2b9))
11
20
 
12
21
  ### [2.5.3](https://github.com/lenneTech/nuxt-base-starter/compare/v2.5.2...v2.5.3) (2026-04-06)
13
22
 
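Review bot: the new `[2.6.1]` and `[2.6.3]` entries are bare headings with no changes listed, so a reader cannot tell what those releases contain; the override pinning documented in the README and memory files only surfaces under 2.6.2 as "sync pnpm-lock.yaml with pinned overrides". Add at least a one-line entry for each release (the conversion of override targets to exact versions, the dependency bumps), or make sure the commits use conventional prefixes so standard-version stops emitting empty sections.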
@@ -70,4 +70,4 @@ After maintenance, all packages at latest:
70
70
  - `@hey-api/openapi-ts`: 0.94.2 (from 0.94.0)
71
71
  - `jsdom`: 29.0.0 (from 28.1.0) - fixes undici vulnerabilities (jsdom 29 requires undici ^7.24.3)
72
72
  - Residual vulnerabilities: 0
73
- - `@hey-api/client-fetch`: moved from dependencies → devDependencies
73
+ - `@hey-api/client-fetch`: moved from dependencies → devDependencies
@@ -1,3 +1,3 @@
1
1
  # Security Reviewer Memory Index
2
2
 
3
- - [Dependency Maintenance Pattern](project_dep_maintenance.md) — pnpm overrides use open upper bounds (>=) by convention; h3-next is intentionally aliased to RC pre-release
3
+ - [Dependency Maintenance Pattern](project_dep_maintenance.md) — pnpm overrides use open upper bounds (>=) by convention; h3-next is intentionally aliased to RC pre-release
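Review bot: this line changes only in whitespace and still tells the security reviewer that "pnpm overrides use open upper bounds (>=) by convention", which is the pattern the new Override Safety Rule added in this same diff forbids. Update the entry (and the linked project_dep_maintenance.md) so the two memories do not give contradictory guidance to whoever reviews the next override change.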
@@ -10,4 +10,4 @@ The `h3-next` alias is pinned to `npm:h3@2.0.1-rc.20` because the Nuxt/Nitro eco
10
10
 
11
11
  **Why:** Reviewed during 2026-04-04 dependency maintenance update (PR: TypeScript 5.9→6.0, @nuxtjs/seo 3.4→5.1, 14 overrides added/updated).
12
12
 
13
- **How to apply:** Do not flag open-upper-bound `>=` override targets as findings unless they allow a known-malicious version. Flag only if the lower bound is incorrect (allows still-vulnerable versions) or the target package name is suspicious.
13
+ **How to apply:** Do not flag open-upper-bound `>=` override targets as findings unless they allow a known-malicious version. Flag only if the lower bound is incorrect (allows still-vulnerable versions) or the target package name is suspicious.
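Review bot: the "How to apply" guidance still instructs reviewers not to flag open-upper-bound `>=` override targets, while the overrides in nuxt-base-template/package.json in this diff are being converted to exact pins precisely because a `>=` target pulled in `vite@8.0.8`. Invert the rule here: flag any override target that is a range or `latest`, and keep the existing checks on the lower bound of the selector and on the target package name.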
@@ -0,0 +1,18 @@
1
+ # EditorConfig is awesome: https://EditorConfig.org
2
+
3
+ # top-most EditorConfig file
4
+ root = true
5
+
6
+ # all files
7
+ [*]
8
+ charset = utf-8
9
+ indent_style = space
10
+ indent_size = 2
11
+ end_of_line = lf
12
+ insert_final_newline = true
13
+ trim_trailing_whitespace = true
14
+
15
+ # Markdown files
16
+ [*.md]
17
+ insert_final_newline = false
18
+ trim_trailing_whitespace = false
@@ -1 +1 @@
1
- setups.@nuxt/test-utils="4.0.0"
1
+ setups.@nuxt/test-utils="4.0.2"
@@ -134,35 +134,39 @@ Key rule: Never manually write to the `lt-auth-state` cookie from custom middlew
134
134
 
135
135
  The `pnpm.overrides` in `package.json` force vulnerable transitive dependencies to patched versions. Each override addresses a specific CVE or security advisory:
136
136
 
137
- | Override | Advisory | Notes |
138
- | -------------------------------- | ------------------- | ----------------------------------------------------------------------------------- |
139
- | `@hono/node-server@<1.19.10` | GHSA-7256-2wf4-hf2r | Request smuggling |
140
- | `brace-expansion@>=2.0.0 <2.0.3` | GHSA-f886-m6hf-6m8v | ReDoS via zero-step sequences |
141
- | `brace-expansion@>=4.0.0 <5.0.5` | GHSA-f886-m6hf-6m8v | Same advisory, 5.x range |
142
- | `readdir-glob@<2.0.3` | (transitive) | Forces minimatch upgrade for brace-expansion fix |
143
- | `defu@<=6.1.4` | GHSA-mchp-fgcf-hmfj | Prototype pollution |
144
- | `devalue@<=5.6.3` | GHSA-77p6-w3v8-rqwf | XSS via crafted input |
145
- | `effect@<3.20.0` | GHSA-j44v-mmf2-xvm9 | Denial of service |
146
- | `h3@<1.15.9` | GHSA-wr4h-v87w-p3r7 | Path traversal |
147
- | `h3@>=2.0.0-0 <2.0.1-rc.18` | GHSA-q5pr-72pq-83v3 | Cookie DoS + SSE injection |
148
- | `h3-next` | (alias fix) | `@nuxt/test-utils` pins h3-next to vulnerable RC; remove when h3 v2 stable releases |
149
- | `hono@<4.12.7` | GHSA-rp6g-89hg-4gfv | SSRF via host header |
150
- | `kysely@>=0.26.0 <=0.28.13` | GHSA-4hxq-5gxr-453h | SQL injection |
151
- | `lodash@>=4.0.0 <=4.17.23` | GHSA-x5rq-j2xg-h7qm | Prototype pollution |
152
- | `minimatch@>=9.0.0 <9.0.7` | GHSA-f886-m6hf-6m8v | ReDoS via brace-expansion |
153
- | `node-forge@<1.4.0` | GHSA-997c-fj8j-rq5h | RSA signature forgery |
154
- | `picomatch@<2.3.2` | GHSA-26j4-r882-m4jm | ReDoS |
155
- | `picomatch@>=4.0.0 <4.0.4` | GHSA-26j4-r882-m4jm | Same advisory, 4.x range |
156
- | `rollup@>=4.0.0 <4.59.0` | GHSA-gcx4-mw62-g3rm | DOM clobbering in output |
157
- | `serialize-javascript@<=7.0.4` | GHSA-cqmj-v5x6-4hg7 | XSS via crafted object |
158
- | `srvx@<0.11.13` | GHSA-4r4v-8rg6-5crc | Open redirect |
159
- | `tar@<=7.5.10` | GHSA-jg7w-cxjv-98c2 | Path traversal |
160
- | `unhead@<=2.1.10` | GHSA-gxhp-jfhg-5fv8 | XSS via meta tags |
161
- | `yaml@>=2.0.0 <2.8.3` | GHSA-4hm9-844j-jmxp | Code execution via crafted YAML |
137
+ All override targets use fixed versions (not ranges) to prevent silent major-version jumps. See TurboOps incident (April 2026) in the agent memory for context.
138
+
139
+ | Override | Advisory | Notes |
140
+ | -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ |
141
+ | `@hono/node-server@<1.19.14` | GHSA-7256-2wf4-hf2r, GHSA-92pp-h63x-v22m | Request smuggling + middleware bypass via repeated slashes |
142
+ | `brace-expansion@>=2.0.0 <2.0.3` | GHSA-f886-m6hf-6m8v | ReDoS via zero-step sequences |
143
+ | `brace-expansion@>=4.0.0 <5.0.5` | GHSA-f886-m6hf-6m8v | Same advisory, 5.x range |
144
+ | `drizzle-orm@<0.45.2` | GHSA-gpj5-g38j-94v9 | SQL injection via improperly escaped identifiers; transitive via @nuxtjs/seo>nuxt-link-checker>unstorage>db0 |
145
+ | `readdir-glob@<2.0.3` | (transitive) | Forces minimatch upgrade for brace-expansion fix |
146
+ | `defu@<=6.1.4` | GHSA-mchp-fgcf-hmfj | Prototype pollution |
147
+ | `devalue@<=5.6.3` | GHSA-77p6-w3v8-rqwf | XSS via crafted input |
148
+ | `effect@<3.20.0` | GHSA-j44v-mmf2-xvm9 | Denial of service |
149
+ | `h3@<1.15.9` | GHSA-wr4h-v87w-p3r7 | Path traversal |
150
+ | `h3@>=2.0.0-0 <2.0.1-rc.18` | GHSA-q5pr-72pq-83v3 | Cookie DoS + SSE injection |
151
+ | `h3-next` | (alias fix) | `@nuxt/test-utils` pins h3-next to vulnerable RC; remove when h3 v2 stable releases |
152
+ | `hono@<4.12.14` | GHSA-rp6g-89hg-4gfv, GHSA-26pp-8wgv-hjvm, GHSA-r5rp-j6wh-rvv4, GHSA-wmmm-f939-6g9c, GHSA-xpcf-pg52-r92g, GHSA-458j-xx4x-4375 | SSRF, cookie validation, IP bypass, JSX injection |
153
+ | `kysely@>=0.26.0 <=0.28.13` | GHSA-4hxq-5gxr-453h | SQL injection |
154
+ | `lodash@>=4.0.0 <=4.17.23` | GHSA-x5rq-j2xg-h7qm | Prototype pollution |
155
+ | `minimatch@>=9.0.0 <9.0.7` | GHSA-f886-m6hf-6m8v | ReDoS via brace-expansion |
156
+ | `node-forge@<1.4.0` | GHSA-997c-fj8j-rq5h | RSA signature forgery |
157
+ | `picomatch@<2.3.2` | GHSA-26j4-r882-m4jm | ReDoS |
158
+ | `picomatch@>=4.0.0 <4.0.4` | GHSA-26j4-r882-m4jm | Same advisory, 4.x range |
159
+ | `rollup@>=4.0.0 <4.59.0` | GHSA-gcx4-mw62-g3rm | DOM clobbering in output |
160
+ | `serialize-javascript@<=7.0.4` | GHSA-cqmj-v5x6-4hg7 | XSS via crafted object |
161
+ | `srvx@<0.11.13` | GHSA-4r4v-8rg6-5crc | Open redirect |
162
+ | `tar@<=7.5.10` | GHSA-jg7w-cxjv-98c2 | Path traversal |
163
+ | `unhead@<=2.1.12` | GHSA-gxhp-jfhg-5fv8, GHSA-95h2-gj7x-gx9w | XSS via meta tags + hasDangerousProtocol() bypass via leading-zero padded HTML entities |
164
+ | `vite@>=7.0.0 <7.3.2` | GHSA-v2wj-q39q-566r, GHSA-p9ff-h696-f583, GHSA-4w7w-66w2-5vf9 | fs.deny bypass, arbitrary file read via WebSocket, path traversal in .map |
165
+ | `yaml@>=2.0.0 <2.8.3` | GHSA-4hm9-844j-jmxp | Code execution via crafted YAML |
162
166
 
163
167
  The `ignoredOptionalDependencies` block suppresses 30 platform-specific native binaries (`@img/sharp-*`, `@resvg/resvg-js-*`) that are pulled in by `@nuxtjs/seo` 5.x's OG image engine. Only the host-platform binary is needed at build time.
164
168
 
165
169
  ## Notable Version Changes (v2.5.x)
166
170
 
167
171
  - **TypeScript 5.9 -> 6.0:** Changes `erasableSyntaxOnly` default and tightens module resolution. Run `pnpm run build` to verify no type regressions after upgrading existing projects.
168
- - **@nuxtjs/seo 3.4 -> 5.1:** Major rewrite (v4 was skipped). The OG image engine switched to `@shikijs/*` for syntax highlighting (SSR/build-time only). `nuxt.config.ts` SEO options are backwards-compatible. The 30 `ignoredOptionalDependencies` entries are required for clean installs.
172
+ - **@nuxtjs/seo 3.4 -> 5.1:** Major rewrite (v4 was skipped). The OG image engine switched to `@shikijs/*` for syntax highlighting (SSR/build-time only). `nuxt.config.ts` SEO options are backwards-compatible. The 30 `ignoredOptionalDependencies` entries are required for clean installs.
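Review bot: the new intro sentence points to a "TurboOps incident (April 2026) in the agent memory", but the memory file added in this diff (feedback_override_safety.md) never uses the name TurboOps, so the reference cannot be followed; name the file instead. Since the targets are now exact pins, the table would also be more useful for review with a "Pinned to" column beside the selector, so a reader can verify that each pin satisfies its advisory's fixed range (e.g. `hono@<4.12.14` pinned to `4.12.14`, `unhead@<=2.1.12` pinned to `2.1.13`) without opening package.json.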
@@ -202,4 +202,4 @@ tests/ # Playwright E2E tests
202
202
  - [NuxtUI Documentation](https://ui.nuxt.com)
203
203
  - [Better Auth Documentation](https://www.better-auth.com)
204
204
  - [Tailwind CSS Documentation](https://tailwindcss.com/docs)
205
- - [Vue 3 Documentation](https://vuejs.org)
205
+ - [Vue 3 Documentation](https://vuejs.org)
@@ -48,35 +48,35 @@
48
48
  "fix": "pnpm run lint:fix && pnpm run format"
49
49
  },
50
50
  "dependencies": {
51
- "@better-auth/passkey": "1.5.6",
51
+ "@better-auth/passkey": "1.6.5",
52
52
  "@lenne.tech/bug.lt": "latest",
53
- "@lenne.tech/nuxt-extensions": "1.5.3",
53
+ "@lenne.tech/nuxt-extensions": "1.5.4",
54
54
  "@nuxt/image": "2.0.0",
55
55
  "@nuxt/ui": "4.6.1",
56
56
  "@pinia/nuxt": "0.11.3",
57
57
  "@vueuse/nuxt": "14.2.1",
58
- "better-auth": "1.5.6",
58
+ "better-auth": "1.6.5",
59
59
  "qrcode": "1.5.4",
60
60
  "tus-js-client": "4.3.1",
61
61
  "valibot": "1.3.1"
62
62
  },
63
63
  "devDependencies": {
64
- "@hey-api/openapi-ts": "0.95.0",
65
- "@iconify-json/lucide": "1.2.101",
64
+ "@hey-api/openapi-ts": "0.96.0",
65
+ "@iconify-json/lucide": "1.2.102",
66
66
  "@nuxt/devtools": "3.2.4",
67
- "@nuxt/test-utils": "4.0.0",
67
+ "@nuxt/test-utils": "4.0.2",
68
68
  "@nuxtjs/plausible": "3.0.2",
69
- "@nuxtjs/seo": "5.1.0",
69
+ "@nuxtjs/seo": "5.1.3",
70
70
  "@playwright/test": "1.59.1",
71
71
  "@tailwindcss/typography": "0.5.19",
72
72
  "@tailwindcss/vite": "4.2.2",
73
- "@types/node": "25.5.2",
73
+ "@types/node": "25.6.0",
74
74
  "@types/qrcode": "1.5.6",
75
- "@vitejs/plugin-vue": "6.0.5",
75
+ "@vitejs/plugin-vue": "6.0.6",
76
76
  "@vue/test-utils": "2.4.6",
77
77
  "dayjs-nuxt": "2.1.11",
78
- "happy-dom": "20.8.9",
79
- "jsdom": "29.0.1",
78
+ "happy-dom": "20.9.0",
79
+ "jsdom": "29.0.2",
80
80
  "lint-staged": "16.4.0",
81
81
  "mongodb": "7.1.1",
82
82
  "nuxt": "4.4.2",
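Review bot: `"@lenne.tech/bug.lt": "latest"` survives this hunk unpinned while every other dependency is an exact version and the rest of the diff is about removing floating ranges. `latest` resolves to whatever the registry serves at install time, so a freshly scaffolded project picks up any newly published version of that package, including a compromised one, with no lockfile protection until the first lock is written. Pin it to a version like the neighbouring entries and bump it through the same maintenance process.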
@@ -85,8 +85,8 @@
85
85
  "rimraf": "6.1.3",
86
86
  "simple-git-hooks": "2.13.1",
87
87
  "tailwindcss": "4.2.2",
88
- "typescript": "6.0.2",
89
- "vitest": "4.1.2"
88
+ "typescript": "6.0.3",
89
+ "vitest": "4.1.4"
90
90
  },
91
91
  "simple-git-hooks": {
92
92
  "pre-commit": "npx lint-staged",
@@ -146,29 +146,31 @@
146
146
  "vue-demi"
147
147
  ],
148
148
  "overrides": {
149
- "@hono/node-server@<1.19.10": ">=1.19.10",
150
- "brace-expansion@>=2.0.0 <2.0.3": ">=2.0.3",
151
- "brace-expansion@>=4.0.0 <5.0.5": ">=5.0.5",
152
- "readdir-glob@<2.0.3": ">=2.0.3",
153
- "defu@<=6.1.4": ">=6.1.5",
154
- "devalue@<=5.6.3": ">=5.6.4",
155
- "effect@<3.20.0": ">=3.20.0",
156
- "h3@<1.15.9": ">=1.15.9",
157
- "h3@>=2.0.0-0 <2.0.1-rc.18": ">=2.0.1-rc.18",
149
+ "@hono/node-server@<1.19.14": "1.19.14",
150
+ "brace-expansion@>=2.0.0 <2.0.3": "2.1.0",
151
+ "brace-expansion@>=4.0.0 <5.0.5": "5.0.5",
152
+ "drizzle-orm@<0.45.2": "0.45.2",
153
+ "readdir-glob@<2.0.3": "3.0.0",
154
+ "defu@<=6.1.4": "6.1.7",
155
+ "devalue@<=5.6.3": "5.7.1",
156
+ "effect@<3.20.0": "3.21.0",
157
+ "h3@<1.15.9": "1.15.11",
158
+ "h3@>=2.0.0-0 <2.0.1-rc.18": "2.0.1-rc.20",
158
159
  "h3-next": "npm:h3@2.0.1-rc.20",
159
- "hono@<4.12.7": ">=4.12.7",
160
- "kysely@>=0.26.0 <=0.28.13": ">=0.28.14",
161
- "lodash@>=4.0.0 <=4.17.23": ">=4.18.0",
162
- "minimatch@>=9.0.0 <9.0.7": ">=9.0.7",
163
- "node-forge@<1.4.0": ">=1.4.0",
164
- "picomatch@<2.3.2": ">=2.3.2",
165
- "picomatch@>=4.0.0 <4.0.4": ">=4.0.4",
166
- "rollup@>=4.0.0 <4.59.0": ">=4.59.0",
167
- "serialize-javascript@<=7.0.4": ">=7.0.5",
168
- "srvx@<0.11.13": ">=0.11.13",
169
- "tar@<=7.5.10": ">=7.5.11",
170
- "unhead@<=2.1.10": ">=2.1.11",
171
- "yaml@>=2.0.0 <2.8.3": ">=2.8.3"
160
+ "hono@<4.12.14": "4.12.14",
161
+ "kysely@>=0.26.0 <=0.28.13": "0.28.16",
162
+ "lodash@>=4.0.0 <=4.17.23": "4.18.1",
163
+ "minimatch@>=9.0.0 <9.0.7": "9.0.9",
164
+ "node-forge@<1.4.0": "1.4.0",
165
+ "picomatch@<2.3.2": "2.3.2",
166
+ "picomatch@>=4.0.0 <4.0.4": "4.0.4",
167
+ "rollup@>=4.0.0 <4.59.0": "4.60.1",
168
+ "serialize-javascript@<=7.0.4": "7.0.5",
169
+ "srvx@<0.11.13": "0.11.15",
170
+ "tar@<=7.5.10": "7.5.13",
171
+ "unhead@<=2.1.12": "2.1.13",
172
+ "vite@>=7.0.0 <7.3.2": "7.3.2",
173
+ "yaml@>=2.0.0 <2.8.3": "2.8.3"
172
174
  }
173
175
  }
174
176
  }
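Review bot: `"readdir-glob@<2.0.3": "3.0.0"` pins a target one major above its selector, whereas the other pins (`defu@<=6.1.4` to `6.1.7`, `h3@<1.15.9` to `1.15.11`, `rollup@>=4.0.0 <4.59.0` to `4.60.1`) stay within their majors. That is the same kind of major-version change the new Override Safety Rule was written to prevent, just made explicit; the selector implies `2.0.3` is the first unaffected version, so either pin to that or confirm the dependents that pull readdir-glob in accept 3.x and note the deliberate jump in the README table. Also, because every target is now exact, `pnpm audit` will flag these packages again as soon as the next advisory lands; the memory file should say that each pin needs a manual bump rather than relying on the old `>=` targets to float forward.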