Skip to content

chore(deps): bump the npm_and_yarn group across 3 directories with 9 updates#169

Open
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/npm_and_yarn-fe70fd35c1
Open

chore(deps): bump the npm_and_yarn group across 3 directories with 9 updates#169
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/npm_and_yarn-fe70fd35c1

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 3, 2026

Bumps the npm_and_yarn group with 4 updates in the / directory: electron, @modelcontextprotocol/sdk, fastify and simple-git.
Bumps the npm_and_yarn group with 1 update in the /apps/desktop directory: electron.
Bumps the npm_and_yarn group with 2 updates in the /apps/server directory: fastify and simple-git.

Updates electron from 35.7.5 to 39.8.4

Release notes

Sourced from electron's releases.

electron v39.8.4

Release Notes for v39.8.4

Fixes

  • Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #50468 (Also in 38, 40, 41)
  • Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #50400 (Also in 40, 41, 42)
  • Fixed improper focus tracking in BaseWindow on MacOS. #50338 (Also in 40, 41, 42)
  • Fixed window freeze when failing to enter/exit fullscreen on macOS. #50341 (Also in 40, 41, 42)

Other Changes

  • Added support for using a proxy during yarn install. #50349 (Also in 40, 41, 42)
  • Backported fix for 485935305. #50440
  • Backported fix for 489381399. #50443
  • Backported fix for chromium:475877320. #50436
  • Backported fixes for 484751092, 487117772. #50461

electron v39.8.3

Release Notes for v39.8.3

Fixes

  • Added additional ASAR support to additional fs copy methods. #50284 (Also in 40, 41, 42)
  • Fixed user resizing of transparent windows on win32 platform. #50300 (Also in 40, 41, 42)

electron v39.8.2

Release Notes for v39.8.2

Other Changes

  • Backported fix for b/491421267. #50230

electron v39.8.1

Release Notes for v39.8.1

Fixes

  • Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #50156 (Also in 38, 40, 41)
  • Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #50215 (Also in 40, 41)
  • Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #50136 (Also in 40, 41)
  • Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #50174 (Also in 38, 40, 41)
  • Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #50106 (Also in 40, 41)
  • Fixed an issue where calling setBounds on a WebContentsView could trigger redundant page-favicon-updated events even when the favicon had not changed. #50086 (Also in 40, 41)
  • Fixed an issue where invalid characters in custom protocol or webRequest response header values were not rejected. #50129 (Also in 38, 40, 41)
  • Fixed an issue where permission and device-chooser handlers received the top-level page origin instead of the requesting subframe's origin. #50147 (Also in 38, 40, 41)
  • Fixed an issue where traffic light buttons would flash at position (0,0) when restoring a window with a custom trafficLightPosition from minimization on macOS. #50208 (Also in 40, 41)
  • Fixed bug where opening a message box immediately upon closing a child window may cause the parent window to freeze on Windows. #50190 (Also in 40, 41)
  • Fixed menu bar hiding after a call to win.setFullScreen(false) when not in fullscreen on Linux. #49995 (Also in 40, 41)
  • Fixed shutdown crash on windows when hidden titlebar is enabled. #50054 (Also in 40, 41)
  • Reverted AltGr key fix that caused menu bar to no longer show on Windows. #50109 (Also in 40, 41)

... (truncated)

Commits
  • 7007907 chore: cherry-pick 3 changes from chromium (#50461)
  • 2c8b6ee chore: cherry-pick fbfb27470bf6 from chromium (#50436)
  • 4c64377 chore: cherry-pick 50b057660b4d from chromium (#50440)
  • 0ef0561 fix: read nodeIntegrationInWorker from per-frame WebPreferences (#50122) (#50...
  • 64373df chore: cherry-pick 074d472db745 from chromium (#50443)
  • 13e4407 fix: don't re-parse URL unnecessarily when handling dialogs (#50400)
  • 16a0385 ci: output build cache hit rate as GHA annotation (#50369)
  • 00a492d chore: Respect HTTP(S) proxy env variable for Yarn (#50349)
  • 290a77b fix: correctly track BaseWindow::IsActive() on MacOS (#50338)
  • 87baa17 fix: ensure WebContents::WasShown runs when window is shown (#50341)
  • Additional commits viewable in compare view

Updates @modelcontextprotocol/sdk from 1.24.0 to 1.26.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

v1.25.3

What's Changed

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.2...v1.25.3

v1.25.2

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.1...v1.25.2

1.25.1

What's Changed

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.0...1.25.1

1.25.0

What's Changed

... (truncated)

Commits
  • fe9c07b chore: bump version to 1.26.0 (#1479)
  • 4f01e7e fix: add non-null assertions for optional setupServer fields in stateful test
  • a05be17 Merge commit from fork
  • 50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)
  • aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...
  • 6aba065 chore: bump v1.25.3 for backport fixes (#1412)
  • 6e8f7e1 fix: prevent Hono from overriding global Response object (v1.x) (#1411)
  • 12ae856 [v1.x backport] Use correct schema for client sampling validation when tools ...
  • b392f02 fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) (#1365)
  • a0c9b13 fix: README badges links destinations (#907)
  • Additional commits viewable in compare view

Updates fastify from 4.29.1 to 5.8.3

Release notes

Sourced from fastify's releases.

v5.8.3

⚠️ Security Release

This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.

What's Changed

New Contributors

Full Changelog: fastify/fastify@v5.8.2...v5.8.3

v5.8.2

What's Changed

New Contributors

... (truncated)

Commits
  • a3e77ce Bumped v5.8.3
  • 4e1db5b fix: gate host and protocol getters on proxy trust function
  • a22217f ci(lock-threads): use shared lock-threads workflow (#6592)
  • 1851f20 docs: update links (#6593)
  • 9cc5187 types: Allow port to be null in request type definition (#6589)
  • 722d83b docs: replace redirected npm.im http-errors link (#6588)
  • a1413de docs: fix incorrect code examples in Reply and Request reference (#6582)
  • d7f01b6 docs: clarify content-type parser/schema mismatch is outside threat model (#6...
  • a0649e9 docs: update syntax markdown, absolute paths and links (#6569)
  • d477915 ci(link-checker): fix root-relative links resolution (#6535)
  • Additional commits viewable in compare view

Updates simple-git from 3.30.0 to 3.32.3

Release notes

Sourced from simple-git's releases.

simple-git@3.32.3

Patch Changes

  • f704208: Enhanced protocol.allow checks in allowUnsafeExtProtocol handling.

    Thanks to @​CodeAnt-AI-Security for identifying the issue

simple-git@3.32.2

Patch Changes

  • 8d02097: Enhanced clone unsafe switch detection.

simple-git@3.32.1

Patch Changes

  • 23b070f: Fix regex for detecting unsafe clone options

    Thanks to @​stevenwdv for reporting this issue.

simple-git@3.32.0

Minor Changes

  • 1effd8e: Enhances the unsafe plugin to block additional cases where the -u switch may be disguised along with other single character options.

    Thanks to @​JuHwiSang for identifying this as vulnerability.

Patch Changes

  • d5fd4fe: Use task runner for logging use of deprecated (already no-op) functions.

simple-git@3.31.1

Patch Changes

  • a44184f: Resolve NPM publish steps
Changelog

Sourced from simple-git's changelog.

3.32.3

Patch Changes

  • f704208: Enhanced protocol.allow checks in allowUnsafeExtProtocol handling.

    Thanks to @​CodeAnt-AI-Security for identifying the issue

3.32.2

Patch Changes

  • 8d02097: Enhanced clone unsafe switch detection.

3.32.1

Patch Changes

  • 23b070f: Fix regex for detecting unsafe clone options

    Thanks to @​stevenwdv for reporting this issue.

3.32.0

Minor Changes

  • 1effd8e: Enhances the unsafe plugin to block additional cases where the -u switch may be disguised along with other single character options.

    Thanks to @​JuHwiSang for identifying this as vulnerability.

Patch Changes

  • d5fd4fe: Use task runner for logging use of deprecated (already no-op) functions.

3.31.1

Patch Changes

  • a44184f: Resolve NPM publish steps

3.31.0

Minor Changes

  • 22dc93f: Custom binary plugin should support the use of ~ character, used by Windows to shorten long folder names and folder names that have spaces in them (eg: C:\Program Files might become C:\PROGRA~1).

    Thanks to @​skyshineb for reporting this issue.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for simple-git since your current version.


Updates ajv from 6.12.6 to 6.14.0

Commits

Updates brace-expansion from 1.1.12 to 1.1.13

Commits

Updates minimatch from 3.1.2 to 3.1.5

Commits

Updates path-to-regexp from 8.3.0 to 8.4.2

Release notes

Sourced from path-to-regexp's releases.

v8.4.2

Fixed

  • Error on trailing backslash (#434) 9a78879

Performance

  • Minimize array allocations (#437) 937c02d
  • Improve compile performance (#436) 57247e6
    • Should improve compilation performance by ~25%
  • Remove internal tokenization during parse (#435) 5844988
    • Should improve parse performance by ~20%

Bundle size to 1.93 kB, from 1.97 kB.

pillarjs/path-to-regexp@v8.4.1...v8.4.2

v8.4.1

Fixed

  • Remove trie deduplication (#431) 6bc8e84
    • Using a trie required non-greedy matching, which regressed wildcards in non-ending mode by matching them up until the first match. For example:
      • /*foo with /a/b = /a
      • /*foo.htmlwith /a/b.html/c.html = /a/b.html
  • Allow backtrack handling to match itself (#427) 5bcd30b
    • When backtracking was introduced, it rejected matching things like /:"a"_:"b" against /foo__. This makes intuitive sense because the second parameter is not going to backtrack on _ anymore, but it's somewhat unexpected since there's no reason it shouldn't match the second _.

pillarjs/path-to-regexp@v8.4.0...v8.4.1

v8.4.0

Important

Fixed

Changed

  • Dedupes regex prefixes (pillarjs/path-to-regexp#422)
    • This will result in shorter regular expressions for some cases using optional groups
  • Rejects large optional route combinations (pillarjs/path-to-regexp#424)
    • When using groups such as /users{/delete} it will restrict the number of generated combinations to < 256, equivalent to 8 top-level optional groups and unlikely to occur in a real world application, but avoids exploding the regex size for applications that accept user created routes
Commits

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

... (truncated)

Commits

Updates electron from 35.7.5 to 39.8.4

Release notes

Sourced from electron's releases.

electron v39.8.4

Release Notes for v39.8.4

Fixes

  • Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #50468 (Also in 38, 40, 41)
  • Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #50400 (Also in 40, 41, 42)
  • Fixed improper focus tracking in BaseWindow on MacOS. #50338 (Also in 40, 41, 42)
  • Fixed window freeze when failing to enter/exit fullscreen on macOS. #50341 (Also in 40, 41, 42)

Other Changes

  • Added support for using a proxy during yarn install. #50349 (Also in 40, 41, 42)
  • Backported fix for 485935305. #50440
  • Backported fix for 489381399. #50443
  • Backported fix for chromium:475877320. #50436
  • Backported fixes for 484751092, 487117772. #50461

electron v39.8.3

Release Notes for v39.8.3

Fixes

  • Added additional ASAR support to additional fs copy methods. #50284 (Also in 40, 41, 42)
  • Fixed user resizing of transparent windows on win32 platform. #50300 (Also in 40, 41, 42)

electron v39.8.2

Release Notes for v39.8.2

Other Changes

  • Backported fix for b/491421267. #50230

electron v39.8.1

Release Notes for v39.8.1

Fixes

  • Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #50156 (Also in 38, 40, 41)
  • Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #50215 (Also in 40, 41)
  • Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #50136 (Also in 40, 41)
  • Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #50174 (Also in 38, 40, 41)
  • Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #50106 (Also in 40, 41)
  • Fixed an issue where calling setBounds on a WebContentsView could trigger redundant page-favicon-updated events even when the favicon had not changed. #50086 (Also in 40, 41)
  • Fixed an issue where invalid characters in custom protocol or webRequest response header values were not rejected. #50129 (Also in 38, 40, 41)
  • Fixed an issue where permission and device-chooser handlers received the top-level page origin instead of the requesting subframe's origin. #50147 (Also in 38, 40, 41)
  • Fixed an issue where traffic light buttons would flash at position (0,0) when restoring a window with a custom trafficLightPosition from minimization on macOS. #50208 (Also in 40, 41)
  • Fixed bug where opening a message box immediately upon closing a child window may cause the parent window to freeze on Windows. #50190 (Also in 40, 41)
  • Fixed menu bar hiding after a call to win.setFullScreen(false) when not in fullscreen on Linux. #49995 (Also in 40, 41)
  • Fixed shutdown crash on windows when hidden titlebar is enabled. #50054 (Also in 40, 41)
  • Reverted AltGr key fix that caused menu bar to no longer show on Windows. #50109 (Also in 40, 41)
Description has been truncated

@dependabot
chore(deps): bump the npm_and_yarn group across 3 directories with 9 …
ceaedc3 
…updates

Bumps the npm_and_yarn group with 4 updates in the / directory: [electron](https://github.com/electron/electron), [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk), [fastify](https://github.com/fastify/fastify) and [simple-git](https://github.com/steveukx/git-js/tree/HEAD/simple-git).
Bumps the npm_and_yarn group with 1 update in the /apps/desktop directory: [electron](https://github.com/electron/electron).
Bumps the npm_and_yarn group with 2 updates in the /apps/server directory: [fastify](https://github.com/fastify/fastify) and [simple-git](https://github.com/steveukx/git-js/tree/HEAD/simple-git).


Updates `electron` from 35.7.5 to 39.8.4
- [Release notes](https://github.com/electron/electron/releases)
- [Commits](electron/electron@v35.7.5...v39.8.4)

Updates `@modelcontextprotocol/sdk` from 1.24.0 to 1.26.0
- [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases)
- [Commits](modelcontextprotocol/typescript-sdk@1.24.0...v1.26.0)

Updates `fastify` from 4.29.1 to 5.8.3
- [Release notes](https://github.com/fastify/fastify/releases)
- [Commits](fastify/fastify@v4.29.1...v5.8.3)

Updates `simple-git` from 3.30.0 to 3.32.3
- [Release notes](https://github.com/steveukx/git-js/releases)
- [Changelog](https://github.com/steveukx/git-js/blob/main/simple-git/CHANGELOG.md)
- [Commits](https://github.com/steveukx/git-js/commits/simple-git@3.32.3/simple-git)

Updates `ajv` from 6.12.6 to 6.14.0
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v6.12.6...v6.14.0)

Updates `brace-expansion` from 1.1.12 to 1.1.13
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v1.1.12...v1.1.13)

Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)

Updates `path-to-regexp` from 8.3.0 to 8.4.2
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](pillarjs/path-to-regexp@v8.3.0...v8.4.2)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `electron` from 35.7.5 to 39.8.4
- [Release notes](https://github.com/electron/electron/releases)
- [Commits](electron/electron@v35.7.5...v39.8.4)

Updates `fastify` from 4.29.1 to 5.8.3
- [Release notes](https://github.com/fastify/fastify/releases)
- [Commits](fastify/fastify@v4.29.1...v5.8.3)

Updates `simple-git` from 3.30.0 to 3.32.3
- [Release notes](https://github.com/steveukx/git-js/releases)
- [Changelog](https://github.com/steveukx/git-js/blob/main/simple-git/CHANGELOG.md)
- [Commits](https://github.com/steveukx/git-js/commits/simple-git@3.32.3/simple-git)

---
updated-dependencies:
- dependency-name: electron
  dependency-version: 39.8.4
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@modelcontextprotocol/sdk"
  dependency-version: 1.26.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: fastify
  dependency-version: 5.8.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: simple-git
  dependency-version: 3.32.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: ajv
  dependency-version: 6.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: path-to-regexp
  dependency-version: 8.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: electron
  dependency-version: 39.8.4
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: fastify
  dependency-version: 5.8.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: simple-git
  dependency-version: 3.32.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 3, 2026
@dependabot dependabot Bot mentioned this pull request Apr 3, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants