
feat(deps): bump the npm-prod-minor-patch group with 4 updates #3956

Merged
jasonbahl merged 1 commit into main from dependabot/npm_and_yarn/npm-prod-minor-patch-8f2e51e505
Jun 18, 2026

@dependabot dependabot Bot commented on behalf of github Jun 18, 2026


Bumps the npm-prod-minor-patch group with 4 updates: graphql, sanitize-html, @codemirror/lint and @codemirror/view.

Updates graphql from 16.14.1 to 16.14.2

Release notes

Sourced from graphql's releases.

v16.14.2 (2026-06-09)

Docs 📝

Polish 💅

Committers: 2

Commits
  • dca5b4d chore(release): v16.14.2
  • 01f8503 docs: correct extension field comments - v16 (#4801)
  • b8087c3 docs: add Node.js tracing channels guide (#4788)
  • ec23905 docs: refresh website with broader execution/tracing update (#4794)
  • f8680fa docs: remove extra asterisks from single line jsdoc comments (#4792)
  • 6256444 docs: overhaul index and update/add additional migration guides (#4789)
  • e7e90ef docs: update documentation for v17 release candidate (#4787)
  • cae62e3 docs: restore missing docs
  • 35f1ff9 docs: increase spacing in embedded TOC
  • 56c868e docs: fix deprecated markings
  • Additional commits viewable in compare view

Updates sanitize-html from 2.17.4 to 2.17.5

Changelog

Sourced from sanitize-html's changelog.

2.17.5 (2026-06-10)

Security

  • Added a number of new attributes to be protected against unsafe URLs, e.g. javascript: and similar. None of these are used in the default configuration of sanitize-html or apostrophe or likely to be used there, and some attributes, like an action for a form, are inherently unsafe to allow if XSS protection is your goal. Nevertheless it makes sense to block certain URL types where they are not appropriate. Some attributes are not supported at all by modern browsers but are included for completeness. Thanks to crattack for reporting the vulnerability.
  • Address a potential vulnerability when nonTextTags is configured in a nonstandard way. While it is never a good idea to remove known non-text tags from the standard list e.g. script, styles, etc., this change ensures that doing so does not result in nested tags being passed through without sanitization when they are not expressly allowed. (ApostropheCMS would never trigger this situation.) Thanks to Dipanshu singh for pointing out the issue and contributing the fix.
Commits

Updates @codemirror/lint from 6.9.6 to 6.9.7

Commits

Updates @codemirror/view from 6.43.0 to 6.43.1

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
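
A configuration check for the two situations the sanitize-html 2.17.5 changelog above describes, as an added example (not code from sanitize-html, Dependabot or this repository). `auditSanitizeOptions` is a hypothetical helper; the attribute and scheme lists it checks are assumptions of this example, not the list shipped in the release.

```javascript
// Tags the changelog names as ones that should stay in nonTextTags.
// Assumption: extend this with the full list your deployment relies on.
const EXPECTED_NON_TEXT_TAGS = ['script', 'style'];
// Assumption: `action` is the changelog's own example; `formaction` is added
// here. This is not the attribute list shipped in 2.17.5.
const FORM_TARGET_ATTRS = new Set(['action', 'formaction']);
// Assumption: schemes this check treats as script-executing.
const SCRIPT_SCHEMES = new Set(['javascript', 'vbscript']);

// Hypothetical helper: returns findings for a sanitize-html options object.
function auditSanitizeOptions(options = {}) {
  const findings = [];
  // A custom nonTextTags array that omits script/style is the nonstandard
  // configuration the second changelog entry describes.
  if (Array.isArray(options.nonTextTags)) {
    const configured = new Set(options.nonTextTags.map((t) => String(t).toLowerCase()));
    for (const tag of EXPECTED_NON_TEXT_TAGS) {
      if (!configured.has(tag)) findings.push(`nonTextTags omits <${tag}>`);
    }
  }
  // allowedAttributes: false turns attribute filtering off altogether.
  if (options.allowedAttributes === false) {
    findings.push('allowedAttributes is false: every attribute is allowed');
  } else {
    for (const [tag, attrs] of Object.entries(options.allowedAttributes || {})) {
      for (const attr of attrs) {
        // Entries are either plain names or { name, ... } objects.
        const name = String(typeof attr === 'string' ? attr : attr.name).toLowerCase();
        if (FORM_TARGET_ATTRS.has(name)) findings.push(`${tag} allows "${name}"`);
      }
    }
  }
  // Script-executing schemes should never be on the allow-list.
  for (const scheme of options.allowedSchemes || []) {
    const s = String(scheme).toLowerCase().replace(/:$/, '');
    if (SCRIPT_SCHEMES.has(s)) findings.push(`allowedSchemes includes "${s}:"`);
  }
  return findings;
}

// Constructed sample configurations: a weak one and a hardened one.
const weak = {
  nonTextTags: ['textarea', 'option'],
  allowedAttributes: { form: ['action', 'method'], a: ['href'] },
  allowedSchemes: ['https', 'javascript'],
};
const hardened = { allowedAttributes: { a: ['href'] }, allowedSchemes: ['https', 'mailto'] };
console.log(auditSanitizeOptions(weak));
console.log(auditSanitizeOptions(hardened));
```

Running a check like this in CI alongside the version bump catches configurations that lean on the behaviour the patch tightens.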

Bumps the npm-prod-minor-patch group with 4 updates: [graphql](https://github.com/graphql/graphql-js), [sanitize-html](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html), [@codemirror/lint](https://github.com/codemirror/lint) and [@codemirror/view](https://github.com/codemirror/view).


Updates `graphql` from 16.14.1 to 16.14.2
- [Release notes](https://github.com/graphql/graphql-js/releases)
- [Commits](graphql/graphql-js@v16.14.1...v16.14.2)

Updates `sanitize-html` from 2.17.4 to 2.17.5
- [Changelog](https://github.com/apostrophecms/apostrophe/blob/main/packages/sanitize-html/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/apostrophe/commits/sanitize-html@2.17.5/packages/sanitize-html)

Updates `@codemirror/lint` from 6.9.6 to 6.9.7
- [Changelog](https://github.com/codemirror/lint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codemirror/lint/commits)

Updates `@codemirror/view` from 6.43.0 to 6.43.1
- [Changelog](https://github.com/codemirror/view/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codemirror/view/commits)

---
updated-dependencies:
- dependency-name: graphql
  dependency-version: 16.14.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-prod-minor-patch
- dependency-name: sanitize-html
  dependency-version: 2.17.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-prod-minor-patch
- dependency-name: "@codemirror/lint"
  dependency-version: 6.9.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-prod-minor-patch
- dependency-name: "@codemirror/view"
  dependency-version: 6.43.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-prod-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) labels Jun 18, 2026

vercel Bot commented Jun 18, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| wpgraphql-com | Ready | Preview, Comment | Jun 18, 2026 5:35pm |

@github-actions


▶ Preview in WordPress Playground

Open in WordPress Playground

Boots a fresh WordPress, installs WPGraphQL + this PR's IDE build, lands you at the IDE.

Built from 36be21201671823f147250c0e5815a8c2a29734d. Auto-updates when you push.

@jasonbahl jasonbahl merged commit 2fbbdcb into main Jun 18, 2026
64 of 65 checks passed
@jasonbahl jasonbahl deleted the dependabot/npm_and_yarn/npm-prod-minor-patch-8f2e51e505 branch June 18, 2026 18:06