chore(deps): bump the npm_and_yarn group across 8 directories with 10 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates in the / directory: turbo, postcss, vite and vitest.
Bumps the npm_and_yarn group with 2 updates in the /dapps/sponsored-transactions directory: postcss and vite.
Bumps the npm_and_yarn group with 3 updates in the /docs/site directory: postcss, lodash and axios.
Bumps the npm_and_yarn group with 1 update in the /examples/tic-tac-toe/ui directory: vite.
Bumps the npm_and_yarn group with 2 updates in the /examples/trading/frontend directory: postcss and vite.
Bumps the npm_and_yarn group with 2 updates in the /external-crates/move/crates/move-analyzer/editors/code directory: qs and tmp.
Bumps the npm_and_yarn group with 3 updates in the /external-crates/move/tooling/prettier-extension directory: qs, tmp and uuid.
Bumps the npm_and_yarn group with 3 updates in the /external-crates/move/tooling/prettier-move directory: postcss, vite and vitest.

Updates turbo from 2.5.3 to 2.9.14

Release notes

Sourced from turbo's releases.

Turborepo v2.9.14

[!NOTE] This release contains important security fixes.

High:

• GHSA-5xc8-49mv-x4mm: Turborepo VSCode Extension command injection

Low:

• GHSA-hcf7-66rw-9f5r: Login callback CSRF/session fixation
• GHSA-3qcw-2rhx-2726: Unexpected local code execution during Yarn Berry detection

What's Changed

Changelog

• release(turborepo): 2.9.12 by @​github-actions[bot] in vercel/turborepo#12774
• fix: Restore docs mobile menu by @​anthonyshew in vercel/turborepo#12782
• ci: Use pull_request for PR title linting by @​anthonyshew in vercel/turborepo#12787
• ci: Scope GitHub Actions caches by branch by @​anthonyshew in vercel/turborepo#12788
• test: Validate lockfiles without dependency downloads by @​anthonyshew in vercel/turborepo#12789
• Removed unneeded import form hash creation script in docs by @​dancrumb in vercel/turborepo#12799
• fix: Validate auth callback state by @​anthonyshew in vercel/turborepo#12802
• fix: Harden VS Code extension command execution by @​anthonyshew in vercel/turborepo#12800
• fix: Avoid project-local Yarn during detection by @​anthonyshew in vercel/turborepo#12801
• chore: Release 2.9.13 by @​anthonyshew in vercel/turborepo#12803

New Contributors

• @​dancrumb made their first contribution in vercel/turborepo#12799

Full Changelog: vercel/turborepo@v2.9.12...v2.9.14

Turborepo v2.9.13-canary.1

What's Changed

Changelog

• release(turborepo): 2.9.11-canary.7 by @​github-actions[bot] in vercel/turborepo#12768
• fix: Allow $TURBO_EXTENDS$ in LSP diagnostics by @​anthonyshew in vercel/turborepo#12770
• release(turborepo): 2.9.11 by @​github-actions[bot] in vercel/turborepo#12771
• fix: Allow transit nodes in LSP diagnostics by @​anthonyshew in vercel/turborepo#12773
• release(turborepo): 2.9.12 by @​github-actions[bot] in vercel/turborepo#12774
• fix: Restore docs mobile menu by @​anthonyshew in vercel/turborepo#12782
• ci: Use pull_request for PR title linting by @​anthonyshew in vercel/turborepo#12787
• ci: Scope GitHub Actions caches by branch by @​anthonyshew in vercel/turborepo#12788
• test: Validate lockfiles without dependency downloads by @​anthonyshew in vercel/turborepo#12789
• Removed unneeded import form hash creation script in docs by @​dancrumb in vercel/turborepo#12799
• fix: Validate auth callback state by @​anthonyshew in vercel/turborepo#12802
• fix: Harden VS Code extension command execution by @​anthonyshew in vercel/turborepo#12800
• fix: Avoid project-local Yarn during detection by @​anthonyshew in vercel/turborepo#12801

... (truncated)

Commits

• fc62fe0 publish 2.9.14 to registry
• fb8c9ae chore: Release 2.9.13 (#12803)
• e8e629d fix: Avoid project-local Yarn during detection (#12801)
• 91c90cb fix: Harden VS Code extension command execution (#12800)
• 84f4508 fix: Validate auth callback state (#12802)
• 1779ad7 Removed unneeded import form hash creation script in docs (#12799)
• 71f8c90 test: Validate lockfiles without dependency downloads (#12789)
• 5fcb960 ci: Scope GitHub Actions caches by branch (#12788)
• 4cf9fab ci: Use pull_request for PR title linting (#12787)
• 859c629 fix: Restore docs mobile menu (#12782)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for turbo since your current version.

Updates postcss from 8.5.3 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

Changelog

Sourced from postcss's changelog.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

Commits

• 33b9790 Release 8.5.10 version
• 536c79e Escape </style> in CSS output (#2074)
• afa96b2 Update dependencies (#2073)
• effe88b Typo (#2072)
• 3ee79a2 Thread model (#2071)
• 2e0683d Create incident response docs (#2070)
• fe88ac2 Release 8.5.9 version
• c551632 Avoid RegExp when we can use simple JS
• 89a6b74 Move SECURITY.txt for docs folder to keep GitHub page cleaner
• 6ceb8a4 Create SECURITY.md
• Additional commits viewable in compare view

Updates vite from 5.3.3 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

v6.3.6

Please refer to CHANGELOG.md for details.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

• fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163
• fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

6.4.1 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969) (1114b5d), closes #20968 #20969

6.4.0 (2025-10-15)

• feat: allow passing down resolved config to vite's createServer (#20932) (ca6455e), closes #20932

6.3.7 (2025-10-14)

• fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940) (c59a222), closes #20940

6.3.6 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (0ab19ea), closes #20736
• fix: upgrade sirv to 3.0.2 (#20735) (e11d240), closes #20735
• test: detect ts support via process.features (#20544) (7d99229), closes #20544

6.3.5 (2025-05-05)

• fix(ssr): handle uninitialized export access as undefined (#19959) (fd38d07), closes #19959

6.3.4 (2025-04-30)

• fix: check static serve file inside sirv (#19965) (c22c43d), closes #19965
• fix(optimizer): return plain object when using require to import externals in optimized dependenci (efc5eab), closes #19940
• refactor: remove duplicate plugin context type (#19935) (d6d01c2), closes #19935

6.3.3 (2025-04-24)

• fix: ignore malformed uris in tranform middleware (#19853) (e4d5201), closes #19853

... (truncated)

Commits

• 6b3fad0 release: v6.4.2
• ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
• fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
• 5487f4f release: v6.4.1
• 1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
• f12697c release: v6.4.0
• ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
• 0e173d8 release: v6.3.7
• c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
• 3f337c5 release: v6.3.6
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vite since your current version.

Updates vitest from 2.1.9 to 3.2.6

Release notes

Sourced from vitest's releases.

v3.2.6

   🐞 Bug Fixes

• Pin last supported vite-node version  -  by @​sheremet-va (16f12)

    View changes on GitHub

v3.2.5

   🚀 Features

• api: Add allowWrite and allowExec options to api [backport to v3]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10445 (af88b)

   🐞 Bug Fixes

• browser: Disable client cdp API when allowWrite/allowExec: false [backport to v3]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10456 (385a1)

    View changes on GitHub

v3.2.4

   🐞 Bug Fixes

• Use correct path for optimisation of strip-literal  -  by @​mrginglymus in vitest-dev/vitest#8139 (44940)
• Print uint and buffer as a simple string  -  by @​sheremet-va in vitest-dev/vitest#8141 (b86bf)
• browser:
  • Show a helpful error when spying on an export  -  by @​sheremet-va in vitest-dev/vitest#8178 (56007)
• cli:
  • vitest run --watch should be watch-mode  -  by @​AriPerkkio in vitest-dev/vitest#8128 (657e8)
  • Use absolute path environment on Windows  -  by @​colinaaa in vitest-dev/vitest#8105 (85dc0)
  • Throw error when --shard x/<count> exceeds count of test files  -  by @​AriPerkkio in vitest-dev/vitest#8112 (8a18c)
• coverage:
  • Ignore SCSS in browser mode  -  by @​sheremet-va in vitest-dev/vitest#8161 (0c3be)
• deps:
  • Update all non-major dependencies  -  in vitest-dev/vitest#8123 (93f32)
• expect:
  • Handle async errors in expect.soft  -  by @​lzl0304 in vitest-dev/vitest#8145 (68699)
• pool:
  • Auto-adjust minWorkers when only maxWorkers specified  -  by @​AriPerkkio in vitest-dev/vitest#8110 (14dc0)
• reporter:
  • task.meta should be available in custom reporter's errors  -  by @​AriPerkkio in vitest-dev/vitest#8115 (27df6)
• runner:
  • Preserve handler wrapping on extend  -  by @​pengooseDev in vitest-dev/vitest#8153 (a9281)
• ui:
  • Ensure ui config option works correctly  -  by @​lzl0304 in vitest-dev/vitest#8147 (42eeb)

    View changes on GitHub

v3.2.3

   🚀 Features

• browser: Use base url instead of vitest  -  by @​sheremet-va in vitest-dev/vitest#8126 (1d8eb)

... (truncated)

Commits

• b6d56f8 chore: release v3.2.6
• 16f120d fix: pin last supported vite-node version
• 2cbad0a chore: release v3.2.5
• 385a1ae fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• af88b1f feat(api): add allowWrite and allowExec options to api [backport to v3]...
• c666d14 chore: release v3.2.4
• 8a18c8e fix(cli): throw error when --shard x/\<count> exceeds count of test files (#...
• 8abd7cc chore(deps): update tinypool (#8174)
• 93f3200 fix(deps): update all non-major dependencies (#8123)
• 0c3be6f fix(coverage): ignore SCSS in browser mode (#8161)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.

Updates postcss from 8.5.3 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

Changelog

Sourced from postcss's changelog.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

Commits

• 33b9790 Release 8.5.10 version
• 536c79e Escape </style> in CSS output (#2074)
• afa96b2 Update dependencies (#2073)
• effe88b Typo (#2072)
• 3ee79a2 Thread model (#2071)
• 2e0683d Create incident response docs (#2070)
• fe88ac2 Release 8.5.9 version
• c551632 Avoid RegExp when we can use simple JS
• 89a6b74 Move SECURITY.txt for docs folder to keep GitHub page cleaner
• 6ceb8a4 Create SECURITY.md
• Additional commits viewable in compare view

Updates vite from 5.3.3 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

v6.3.6

Please refer to CHANGELOG.md for details.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

• fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163
• fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

6.4.1 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969) (1114b5d), closes #20968 #20969

6.4.0 (2025-10-15)

• feat: allow passing down resolved config to vite's createServer (#20932) (ca6455e), closes #20932

6.3.7 (2025-10-14)

• fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940) (c59a222), closes #20940

6.3.6 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (0ab19ea), closes #20736
• fix: upgrade sirv to 3.0.2 (#20735) (e11d240), closes #20735
• test: detect ts support via process.features (#20544) (7d99229), closes #20544

6.3.5 (2025-05-05)

• fix(ssr): handle uninitialized export access as undefined (#19959) (fd38d07), closes #19959

6.3.4 (2025-04-30)

• fix: check static serve file inside sirv (#19965) (c22c43d), closes #19965
• fix(optimizer): return plain object when using require to import externals in optimized dependenci (efc5eab), closes #19940
• refactor: remove duplicate plugin context type (#19935) (d6d01c2), closes #19935

6.3.3 (2025-04-24)

• fix: ignore malformed uris in tranform middleware (#19853) (e4d5201), closes #19853

... (truncated)

Commits

• 6b3fad0 release: v6.4.2
• ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
• fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
• 5487f4f release: v6.4.1
• 1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
• f12697c release: v6.4.0
• ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
• 0e173d8 release: v6.3.7
• c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
• 3f337c5 release: v6.3.6
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vite since your current version.

Updates postcss from 8.5.6 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

Changelog

Sourced from postcss's changelog.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

Commits

• 33b9790 Release 8.5.10 version
• 536c79e Escape </style> in CSS output (#2074)
• afa96b2 Update dependencies (#2073)
• effe88b Typo (#2072)
• 3ee79a2 Thread model (#2071)
• 2e0683d Create incident response docs (#2070)
• fe88ac2 Release 8.5.9 version
• c551632 Avoid RegExp when we can use simple JS
• 89a6b74 Move SECURITY.txt for docs folder to keep GitHub page cleaner
• 6ceb8a4 Create SECURITY.md
• Additional commits viewable in compare view

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates axios from 1.13.5 to 1.16.0

Release notes

Sourced from axios's releases.

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
• transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (