apollo-client-nextjs
apollo-client-nextjs copied to clipboard
Published
20 hours ago •
apollographql
apollographql
chore(deps): update dependency tsup to v8.3.5 [security]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| tsup (source) | 8.0.2 -> 8.3.5 |
tsup DOM Clobbering vulnerability
CVE-2024-53384 / GHSA-3mv9-4h5g-vhg3
More information
Details
A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
Severity
- CVSS Score: Unknown
- Vector String:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-53384
- https://gist.github.com/jackfromeast/36f98bf7542d11835c883c1d175d9b92
- https://github.com/egoist/tsup
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
egoist/tsup (tsup)
v8.3.5
🐞 Bug Fixes
- Run
experimentalDtsonly once - by @aryaemami59 in https://github.com/egoist/tsup/issues/1236 (fddd4)
View changes on GitHub
v8.3.4
No significant changes
View changes on GitHub
v8.3.0
Bug Fixes
Features
- add support for
ctsandmtsconfig files (#1178) (ec811b3) - add support for async
injectStyle(#1193) (f25a9db)
v8.2.4
Bug Fixes
v8.2.3
Bug Fixes
- get metafile on windows (048c93b)
v8.2.2
Bug Fixes
v8.2.1
Bug Fixes
v8.2.0
Features
- add option to retain node protocol (e7ced34)
v8.1.2
Bug Fixes
- correct sourcemap with treeshake (#1069) (6ca0cb0)
- only import type statement (43cf9f6), closes #1157 #1156
v8.1.1
- Upgrade bunch of dependencies (esbuild v0.23).
v8.1.0
Features
Configuration
📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - "after 8am and before 4pm on tuesday" in timezone Etc/UTC.
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.
The latest updates on your projects. Learn more about Vercel for GitHub.
| Project | Deployment | Preview | Updated (UTC) |
|---|---|---|---|
| apollo__client-integration-react-router |  Error |
Oct 14, 2025 0:15am | |
| apollo__client-integration-tanstack-start | Error |
Oct 14, 2025 0:15am |
![vercel[bot] avatar](https://avatars.githubusercontent.com/in/8329?v=4 "Published by a pub.dev verified publisher"){kind=small}
⚠️ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
- any of the package files in this branch needs updating, or
- the branch becomes conflicted, or
- you click the rebase/retry checkbox if found above, or
- you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: yarn.lock
➤ YN0000: · Yarn 4.9.1
➤ YN0000: ┌ Resolution step
➤ YN0085: │ + tsup@npm:8.3.5, @rollup/rollup-android-arm-eabi@npm:4.52.4, @rollup/rollup-android-arm64@npm:4.52.4, @rollup/rollup-darwin-arm64@npm:4.52.4, and 22 more.
➤ YN0085: │ - bundle-require@npm:4.0.2, tsup@npm:8.0.2
➤ YN0000: └ Completed in 1s 725ms
➤ YN0000: ┌ Post-resolution validation
➤ YN0060: │ @types/react is listed by your project with version 19.0.2 (peddff), which doesn't satisfy what react-focus-lock (via @chakra-ui/react) and other dependencies request (but they have non-overlapping ranges!).
➤ YN0060: │ @yarnpkg/core is listed by your project with version 4.2.0 (p4e948), which doesn't satisfy what @yarnpkg/cli and other dependencies request (^4.4.1).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p1eb2e), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p1ecf7), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p2be3d), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p38093), which doesn't satisfy what @apollo/client and other dependencies request (^16.6.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p4b3c5), which doesn't satisfy what @apollo/client and other dependencies request (^16.6.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p74662), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p7c14e), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p9d845), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pa1182), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pc1d15), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pc49da), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pd4beb), which doesn't satisfy what @apollo/client and other dependencies request (^16.6.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pd9955), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pf0659), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ react is listed by your project with version 19.0.0 (pd410a), which doesn't satisfy what framer-motion and other dependencies request (but they have non-overlapping ranges!).
➤ YN0060: │ react is listed by your project with version 19.0.0 (pf06e9), which doesn't satisfy what ssr-only-secrets and other dependencies request (but they have non-overlapping ranges!).
➤ YN0060: │ react-dom is listed by your project with version 19.0.0 (p21a4c), which doesn't satisfy what framer-motion and other dependencies request (^18.2.0).
➤ YN0002: │ @apollo/client-integration-tanstack-start@workspace:packages/tanstack-start doesn't provide vite (p58222), requested by @tanstack/react-start.
➤ YN0002: │ @apollo/client-react-streaming@workspace:packages/client-react-streaming [fc55e] doesn't provide webpack (p25bda), requested by react-server-dom-webpack.
➤ YN0002: │ @apollo/client-react-streaming@workspace:packages/client-react-streaming doesn't provide webpack (p5ca41), requested by react-server-dom-webpack.
➤ YN0002: │ @integration-test/jest@workspace:integration-test/jest doesn't provide @testing-library/dom (p47416), requested by @testing-library/react and other dependencies.
➤ YN0002: │ @integration-test/vitest@workspace:integration-test/vitest doesn't provide @testing-library/dom (p1caec), requested by @testing-library/react.
➤ YN0002: │ @integration-test/vitest@workspace:integration-test/vitest doesn't provide vite (pc1d9a), requested by @vitejs/plugin-react.
➤ YN0002: │ @internal/test-utils@workspace:packages/test-utils doesn't provide @jest/globals (pc7d0f), requested by @testing-library/react-render-stream.
➤ YN0002: │ @internal/test-utils@workspace:packages/test-utils doesn't provide expect (p25412), requested by @testing-library/react-render-stream.
➤ YN0002: │ @internal/test-utils@workspace:packages/test-utils doesn't provide jsdom (p35d94), requested by global-jsdom.
➤ YN0002: │ monorepo@workspace:. doesn't provide webpack (p5bc50), requested by @size-limit/webpack-why.
➤ YN0002: │ packages-shared@workspace:packages doesn't provide typescript (p496ab), requested by @typescript-eslint/eslint-plugin and other dependencies.
➤ YN0086: │ Some peer dependencies are incorrectly met by your project; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code.
➤ YN0086: │ Some peer dependencies are incorrectly met by dependencies; run yarn explain peer-requirements for details.
➤ YN0000: └ Completed
➤ YN0000: ┌ Fetch step
⚠️ No Changeset found
Latest commit: 1f4edaf02d0f009fc0bb02f99e10c4cf0d7ed9bb
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
Click here to learn what changesets are, and how to add one.
Click here if you're a maintainer who wants to add a changeset to this PR
![changeset-bot[bot] avatar](https://avatars.githubusercontent.com/in/28616?v=4 "Published by a pub.dev verified publisher"){kind=small}
Deploy Preview for apollo-client-nextjs-docmodel failed.
| Name | Link |
|---|---|
| Latest commit | 44cf999c0945b52b96ecb58446a50c1d69865ecc |
| Latest deploy log | https://app.netlify.com/sites/apollo-client-nextjs-docmodel/deploys/67ee7ac29e04d7000889a442 |
![netlify[bot] avatar](https://avatars.githubusercontent.com/in/13473?v=4 "Published by a pub.dev verified publisher"){kind=small}
Deploy Preview for apollo-client-nextjs-docmodel failed.
| Name | Link |
|---|---|
| Latest commit | 1f4edaf02d0f009fc0bb02f99e10c4cf0d7ed9bb |
| Latest deploy log | https://app.netlify.com/projects/apollo-client-nextjs-docmodel/deploys/68ee3e36ea5e5b000829cc87 |