chore(deps): Bump the npm_and_yarn group across 12 directories with 6 updates #935

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/apps/learn-card-app/npm_and_yarn-c733daa7cd

dependabot Bot commented on behalf of github Jan 16, 2026

Bumps the npm_and_yarn group with 2 updates in the /apps/learn-card-app directory: jspdf and vite.
Bumps the npm_and_yarn group with 1 update in the /apps/scouts directory: vite.
Bumps the npm_and_yarn group with 1 update in the /examples/chapi-example directory: astro.
Bumps the npm_and_yarn group with 1 update in the /examples/embed-example directory: astro.
Bumps the npm_and_yarn group with 1 update in the /examples/snap-chapi-example directory: astro.
Bumps the npm_and_yarn group with 1 update in the /examples/snap-example-dapp directory: astro.
Bumps the npm_and_yarn group with 1 update in the /packages/learn-card-base directory: axios.
Bumps the npm_and_yarn group with 1 update in the /packages/learn-card-helpers directory: @trpc/server.
Bumps the npm_and_yarn group with 1 update in the /packages/react-learn-card directory: happy-dom.
Bumps the npm_and_yarn group with 1 update in the /services/learn-card-network/brain-service directory: @trpc/server.
Bumps the npm_and_yarn group with 2 updates in the /services/learn-card-network/lca-api directory: axios and @trpc/server.
Bumps the npm_and_yarn group with 1 update in the /services/learn-card-network/learn-cloud-service directory: @trpc/server.

Updates jspdf from 3.0.4 to 4.0.0

Release notes

Sourced from jspdf's releases.

v4.0.0

This release fixes a critical path traversal/local file inclusion security vulnerability in the jsPDF Node.js build. File system access is now restricted by default and can be enabled by either using node's --permission flag or the new jsPDF.allowFsRead property.

There are no other breaking changes.

Commits

Updates vite from 4.3.8 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

v5.4.19

Please refer to CHANGELOG.md for details.

v5.4.18

Please refer to CHANGELOG.md for details.

v4.5.14

Please refer to CHANGELOG.md for details.

v4.5.13

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

5.4.20 (2025-09-08)

5.4.19 (2025-04-30)

5.4.18 (2025-04-10)

5.4.17 (2025-04-03)

5.4.16 (2025-03-31)

5.4.15 (2025-03-24)

5.4.14 (2025-01-21)

... (truncated)

Commits

Updates astro from 1.2.7 to 5.15.9

Release notes

Sourced from astro's releases.

astro@5.15.9

Patch Changes

  • #14786 758a891 Thanks @​mef! - Add handling of invalid encrypted props and slots in server islands.

  • #14783 504958f Thanks @​florian-lefebvre! - Improves the experimental Fonts API build log to show the number of downloaded files. This can help spotting excessive downloading because of misconfiguration

  • #14791 9e9c528 Thanks @​Princesseuh! - Changes the remote protocol checks for images to require explicit authorization in order to use data URIs.

    In order to allow data URIs for remote images, you will need to update your astro.config.mjs file to include the following configuration:

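    // astro.config.mjs
    import { defineConfig } from 'astro/config';
    export default defineConfig({
      // Astro's image options live under the `image` key
      image: {
        remotePatterns: [
          {
            // Explicitly authorize data: URIs for remote images
            protocol: 'data',
          },
        ],
      },
    });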

  • #14787 0f75f6b Thanks @​matthewp! - Fixes wildcard hostname pattern matching to correctly reject hostnames without dots

    Previously, hostnames like localhost or other single-part names would incorrectly match patterns like *.example.com. The wildcard matching logic has been corrected to ensure that only valid subdomains matching the pattern are accepted.

  • #14776 3537876 Thanks @​ktym4a! - Fixes the behavior of passthroughImageService so it does not generate webp.

  • Updated dependencies [9e9c528, 0f75f6b]:

    • @​astrojs/internal-helpers@​0.7.5
    • @​astrojs/markdown-remark@​6.3.9

astro@5.15.8

Patch Changes

  • #14772 00c579a Thanks @​matthewp! - Improves the security of Server Islands slots by encrypting them before transmission to the browser, matching the security model used for props. This improves the integrity of slot content and prevents injection attacks, even when component templates don't explicitly support slots.

    Slots continue to work as expected for normal usage—this change has no breaking changes for legitimate requests.

  • #14771 6f80081 Thanks @​matthewp! - Fix middleware pathname matching by normalizing URL-encoded paths

    Middleware now receives normalized pathname values, ensuring that encoded paths like /%61dmin are properly decoded to /admin before middleware checks. This prevents potential security issues where middleware checks might be bypassed through URL encoding.

astro@5.15.7

Patch Changes

... (truncated)

Changelog

Sourced from astro's changelog.

1.9.2

Patch Changes

1.9.1

Patch Changes

1.9.0

Minor Changes

  • #5666 bf210f784 Thanks @​bholmesdev! - Correctly handle spaces and capitalization in src/content/ file names. This introduces github-slugger for slug generation to ensure slugs are usable by getStaticPaths. Changes:
    • Resolve spaces and capitalization: collection/Entry With Spaces.md becomes collection/entry-with-spaces.
    • Truncate /index paths to base URL: collection/index.md becomes collection

Patch Changes

1.8.0

Minor Changes

Patch Changes

1.7.2

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for astro since your current version.


… updates

Bumps the npm_and_yarn group with 2 updates in the /apps/learn-card-app directory: [jspdf](https://github.com/parallax/jsPDF) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).
Bumps the npm_and_yarn group with 1 update in the /apps/scouts directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).
Bumps the npm_and_yarn group with 1 update in the /examples/chapi-example directory: [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro).
Bumps the npm_and_yarn group with 1 update in the /examples/embed-example directory: [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro).
Bumps the npm_and_yarn group with 1 update in the /examples/snap-chapi-example directory: [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro).
Bumps the npm_and_yarn group with 1 update in the /examples/snap-example-dapp directory: [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro).
Bumps the npm_and_yarn group with 1 update in the /packages/learn-card-base directory: [axios](https://github.com/axios/axios).
Bumps the npm_and_yarn group with 1 update in the /packages/learn-card-helpers directory: [@trpc/server](https://github.com/trpc/trpc/tree/HEAD/packages/server).
Bumps the npm_and_yarn group with 1 update in the /packages/react-learn-card directory: [happy-dom](https://github.com/capricorn86/happy-dom).
Bumps the npm_and_yarn group with 1 update in the /services/learn-card-network/brain-service directory: [@trpc/server](https://github.com/trpc/trpc/tree/HEAD/packages/server).
Bumps the npm_and_yarn group with 2 updates in the /services/learn-card-network/lca-api directory: [axios](https://github.com/axios/axios) and [@trpc/server](https://github.com/trpc/trpc/tree/HEAD/packages/server).
Bumps the npm_and_yarn group with 1 update in the /services/learn-card-network/learn-cloud-service directory: [@trpc/server](https://github.com/trpc/trpc/tree/HEAD/packages/server).


Updates `jspdf` from 3.0.4 to 4.0.0
- [Release notes](https://github.com/parallax/jsPDF/releases)
- [Changelog](https://github.com/parallax/jsPDF/blob/master/RELEASE.md)
- [Commits](parallax/jsPDF@v3.0.4...v4.0.0)

Updates `vite` from 4.3.8 to 5.4.21
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v5.4.21/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v5.4.21/packages/vite)

Updates `vite` from 4.3.8 to 5.4.21
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v5.4.21/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v5.4.21/packages/vite)

Updates `astro` from 1.2.7 to 5.15.9
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG-v1.md)
- [Commits](https://github.com/withastro/astro/commits/astro@5.15.9/packages/astro)

Updates `astro` from 1.2.7 to 5.15.9
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG-v1.md)
- [Commits](https://github.com/withastro/astro/commits/astro@5.15.9/packages/astro)

Updates `astro` from 1.2.7 to 5.15.9
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG-v1.md)
- [Commits](https://github.com/withastro/astro/commits/astro@5.15.9/packages/astro)

Updates `astro` from 1.2.7 to 5.15.9
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG-v1.md)
- [Commits](https://github.com/withastro/astro/commits/astro@5.15.9/packages/astro)

Updates `axios` from 0.27.2 to 0.30.2
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v0.27.2...v0.30.2)

Updates `@trpc/server` from 11.7.1 to 11.8.0
- [Release notes](https://github.com/trpc/trpc/releases)
- [Commits](https://github.com/trpc/trpc/commits/v11.8.0/packages/server)

Updates `happy-dom` from 14.12.3 to 20.0.2
- [Release notes](https://github.com/capricorn86/happy-dom/releases)
- [Commits](capricorn86/happy-dom@v14.12.3...v20.0.2)

Updates `@trpc/server` from 11.7.1 to 11.8.0
- [Release notes](https://github.com/trpc/trpc/releases)
- [Commits](https://github.com/trpc/trpc/commits/v11.8.0/packages/server)

Updates `axios` from 0.27.2 to 0.30.2
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v0.27.2...v0.30.2)

Updates `@trpc/server` from 11.7.1 to 11.8.0
- [Release notes](https://github.com/trpc/trpc/releases)
- [Commits](https://github.com/trpc/trpc/commits/v11.8.0/packages/server)

Updates `@trpc/server` from 11.7.1 to 11.8.0
- [Release notes](https://github.com/trpc/trpc/releases)
- [Commits](https://github.com/trpc/trpc/commits/v11.8.0/packages/server)

---
updated-dependencies:
- dependency-name: jspdf
  dependency-version: 4.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 5.4.21
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 5.4.21
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: astro
  dependency-version: 5.15.9
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: astro
  dependency-version: 5.15.9
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: astro
  dependency-version: 5.15.9
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: astro
  dependency-version: 5.15.9
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 0.30.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@trpc/server"
  dependency-version: 11.8.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: happy-dom
  dependency-version: 20.0.2
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@trpc/server"
  dependency-version: 11.8.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 0.30.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@trpc/server"
  dependency-version: 11.8.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@trpc/server"
  dependency-version: 11.8.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Jan 16, 2026
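
The astro 5.15.8 release note quoted above says middleware now receives a normalized pathname so that `/%61dmin` is checked as `/admin`. The following is an added example, not code from astro or from this repository, comparing a prefix guard on the raw path with one on the decoded path; all function names and the sample paths are hypothetical and constructed for illustration.

```javascript
// Added example (not astro's code): a path-prefix guard run on the raw request
// path versus the normalized one. All function names here are hypothetical.

const PROTECTED_PREFIXES = ['/admin'];

// True when `pathname` is a protected prefix or lies beneath one.
function underProtectedPrefix(pathname) {
  return PROTECTED_PREFIXES.some(
    (prefix) => pathname === prefix || pathname.startsWith(prefix + '/')
  );
}

// Weak guard: inspects the path exactly as it arrived on the wire.
function guardRaw(rawPathname, isAuthenticated) {
  if (underProtectedPrefix(rawPathname) && !isAuthenticated) return 'deny';
  return 'allow';
}

// Decode percent-escapes once with decodeURI, which leaves reserved
// characters such as %2F encoded. Returns null (fail closed) when the input
// is malformed or would decode a second time (double encoding).
function normalizePathname(rawPathname) {
  let once;
  try {
    once = decodeURI(rawPathname);
  } catch {
    return null; // malformed escape such as "%zz"
  }
  try {
    if (decodeURI(once) !== once) return null; // e.g. "%2561" -> "%61" -> "a"
  } catch {
    // `once` holds a literal "%" (from "%25"); it cannot decode further.
  }
  return once;
}

// Hardened guard: the same check, applied to the normalized path.
function guardNormalized(rawPathname, isAuthenticated) {
  const pathname = normalizePathname(rawPathname);
  if (pathname === null) return 'reject';
  if (underProtectedPrefix(pathname) && !isAuthenticated) return 'deny';
  return 'allow';
}

// Constructed sample paths, all evaluated as unauthenticated requests.
const SAMPLE_PATHS = [
  '/admin',
  '/%61dmin',
  '/%2561dmin',
  '/%zz',
  '/about',
  '/100%25-off',
];

function compareGuards(paths) {
  return paths.map((path) => ({
    path,
    raw: guardRaw(path, false),
    normalized: guardNormalized(path, false),
  }));
}

console.table(compareGuards(SAMPLE_PATHS));
```

The guard and the router must agree on one decoded form; rejecting input that decodes twice keeps a later decoding step from reintroducing the mismatch.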
netlify Bot commented Jan 16, 2026

Deploy Preview for learncarddocs canceled.

Name Link
🔨 Latest commit 0aeb222
🔍 Latest deploy log https://app.netlify.com/projects/learncarddocs/deploys/696a99eb028d0f000824ab38

netlify Bot commented Jan 16, 2026

Deploy Preview for staging-learncardapp failed. Why did it fail? →

Name Link
🔨 Latest commit 0aeb222
🔍 Latest deploy log https://app.netlify.com/projects/staging-learncardapp/deploys/696a99eb66049f0008af37f0

changeset-bot Bot commented Jan 16, 2026

⚠️ No Changeset found

Latest commit: 0aeb222

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@github-actions

👋 Hey there! It looks like you modified code, but didn't update the documentation in /docs.

If this PR introduces new features, changes APIs, or modifies behavior that users or developers need to know about, please consider updating the docs.


🏄 Windsurf Tip

You can ask Windsurf to help:

"Analyze the changes in this PR and update the gitbook docs in /docs accordingly."

Windsurf will review your changes and suggest appropriate documentation updates based on what was modified.


📚 Documentation Guide

Change Type | Doc Location
New feature/API | docs/tutorials/ or docs/how-to-guides/
SDK/API changes | docs/sdks/
New concepts | docs/core-concepts/
App UI/UX flows | docs/apps/ (LearnCard App, ScoutPass)
Internal patterns | CLAUDE.md

This is an automated reminder. If no docs are needed, feel free to ignore this message.

gitstream-cm Bot commented Jan 16, 2026

This PR is missing a Jira ticket reference in the title or description.
Please add a Jira ticket reference to the title or description of this PR.

gitstream-cm Bot commented Jan 16, 2026

🥷 Code experts: TaylorBeeston

TaylorBeeston has most 👩‍💻 activity in the files.
TaylorBeeston has most 🧠 knowledge in the files.

apps/learn-card-app/package.json

Activity based on git-commit:

TaylorBeeston
JAN
DEC 10 additions & 3 deletions
NOV 165 additions & 2 deletions
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 89%

apps/scouts/package.json

Activity based on git-commit:

TaylorBeeston
JAN
DEC 1 additions & 1 deletions
NOV 163 additions & 4 deletions
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 98%

examples/chapi-example/package.json

Activity based on git-commit:

TaylorBeeston
JAN
DEC 2 additions & 1 deletions
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 97%

examples/embed-example/package.json

Activity based on git-commit:

TaylorBeeston
JAN
DEC 19 additions & 18 deletions
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 90%

examples/snap-chapi-example/package.json

Activity based on git-commit:

TaylorBeeston
JAN
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 97%

examples/snap-example-dapp/package.json

Activity based on git-commit:

TaylorBeeston
JAN
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 98%

packages/learn-card-base/package.json

Activity based on git-commit:

TaylorBeeston
JAN
DEC 10 additions & 0 deletions
NOV 69 additions & 4 deletions
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 99%

packages/learn-card-helpers/package.json

Activity based on git-commit:

TaylorBeeston
JAN
DEC 2 additions & 2 deletions
NOV 52 additions & 48 deletions
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 96%

packages/react-learn-card/package.json

Activity based on git-commit:

TaylorBeeston
JAN
DEC 8 additions & 0 deletions
NOV 1 additions & 2 deletions
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 98%

services/learn-card-network/brain-service/package.json

Activity based on git-commit:

TaylorBeeston
JAN
DEC 9 additions & 1 deletions
NOV 3 additions & 3 deletions
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 89%

services/learn-card-network/lca-api/package.json

Activity based on git-commit:

TaylorBeeston
JAN
DEC 83 additions & 1 deletions
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 95%

services/learn-card-network/learn-cloud-service/package.json

Activity based on git-commit:

TaylorBeeston
JAN
DEC 9 additions & 1 deletions
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 94%

gitstream-cm Bot commented Jan 16, 2026

This PR is missing a Jira ticket reference in the title or description.
Please add a Jira ticket reference to the title or description of this PR.

dependabot Bot commented on behalf of github Jan 16, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

dependabot Bot commented on behalf of github Jan 16, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

dependabot Bot commented on behalf of github Jan 16, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

dependabot Bot commented on behalf of github Jan 17, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

dependabot Bot commented on behalf of github Jan 21, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

dependabot Bot commented on behalf of github Jan 22, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

dependabot Bot commented on behalf of github Jan 23, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

dependabot Bot commented on behalf of github Jan 23, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

dependabot Bot commented on behalf of github Jan 23, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

dependabot Bot commented on behalf of github Jan 23, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

dependabot Bot commented on behalf of github Jan 25, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

dependabot Bot commented on behalf of github Jan 26, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

dependabot Bot commented on behalf of github Jan 27, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

TaylorBeeston left a comment

🦞 (Computer) Approving — contains critical security fixes (jspdf path traversal, vite/astro security patches). Merging.
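
One of the astro fixes in the release notes quoted earlier in this thread (5.15.9) makes `*.example.com` stop matching dotless hostnames such as `localhost`. The following is an added example, not astro's implementation: a hypothetical matcher with that class of flaw beside a strict one, assuming `*.` stands for exactly one subdomain label; the URLs are constructed samples.

```javascript
// Added example (not astro's implementation). Function names are hypothetical.

// Flawed form: strips the pattern suffix and counts what is left. When the
// suffix is absent the hostname is left untouched, so any single-label host
// ("localhost", "intranet") counts as "one subdomain" and matches.
function matchWildcardFlawed(hostname, pattern) {
  if (!pattern.startsWith('*.')) return hostname === pattern;
  const suffix = pattern.slice(1); // ".example.com"
  const rest = hostname.replace(suffix, '');
  return rest.split('.').filter(Boolean).length === 1;
}

// Strict form: the hostname must end with the suffix, and what precedes the
// suffix must be exactly one non-empty label.
function matchWildcardStrict(hostname, pattern) {
  const host = hostname.toLowerCase().replace(/\.$/, ''); // drop trailing root dot
  const pat = pattern.toLowerCase();
  if (!pat.startsWith('*.')) return host === pat;
  const suffix = pat.slice(1);
  if (!host.endsWith(suffix)) return false;
  const label = host.slice(0, -suffix.length);
  return label.length > 0 && !label.includes('.');
}

// Allow-list check for a remote URL; unparsable URLs are refused.
function isAllowedRemote(urlString, patterns, matcher) {
  let hostname;
  try {
    hostname = new URL(urlString).hostname;
  } catch {
    return false;
  }
  return patterns.some((pattern) => matcher(hostname, pattern));
}

// Constructed allow-list and sample URLs.
const PATTERNS = ['*.example.com'];
const SAMPLE_URLS = [
  'https://cdn.example.com/a.png',
  'http://localhost/a.png',
  'https://intranet/a.png',
  'https://a.b.example.com/a.png',
  'https://example.com/a.png',
];

function compareMatchers(urls, patterns) {
  return urls.map((url) => ({
    url,
    flawed: isAllowedRemote(url, patterns, matchWildcardFlawed),
    strict: isAllowedRemote(url, patterns, matchWildcardStrict),
  }));
}

console.table(compareMatchers(SAMPLE_URLS, PATTERNS));
```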

@TaylorBeeston

@dependabot recreate

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github Jan 30, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github Feb 2, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github Feb 3, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github Feb 4, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github Feb 7, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github Feb 9, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github Feb 10, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github Feb 10, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github Feb 12, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github Feb 12, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github Feb 13, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github Feb 13, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

@Custard7
Collaborator

@dependabot recreate.

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github Mar 14, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

@Custard7
Collaborator

@claude review

@claude
Contributor

claude Bot commented Apr 11, 2026

Claude finished @Custard7's task


✅ PR Review Complete

Todo List:

  • Fetch PR diff and file details
  • Review dependency changes for security and compatibility
  • Check auto-approval criteria and hard-stop rules
  • Provide final review decision

Final Assessment:

This Dependabot PR contains critical security fixes and is safe to merge:

🔒 Security Updates:

  • jspdf 4.0.0: Fixes critical path traversal vulnerability
  • vite 5.4.21: Multiple fs.strict and request validation fixes
  • astro 5.15.9: Server island encryption, URL normalization patches
  • axios, @trpc/server, happy-dom: Additional security/stability improvements

✅ Review Findings:

  • Only package.json dependency versions updated (+14/-14 lines)
  • No risky code patterns or concerning changes
  • All updates provide security/stability benefits
  • Spans appropriate directories (apps, examples, packages, services)

❌ Auto-Approval Decision:
Cannot auto-approve due to hard-stop rule: bot-authored PR (app/dependabot)

📋 Recommendation:
Approve and merge immediately - This PR exclusively contains beneficial security updates with zero risk. The existing approval from @TaylorBeeston correctly identifies these security benefits.


Contributor

@claude claude Bot left a comment

Code Review ✅

Summary

This Dependabot PR updates 6 dependencies across 12 directories with important security fixes:

Key Security Improvements:

  • 🔒 jspdf 4.0.0: Fixes critical path traversal/LFI vulnerability (GHSA-f8cm-6447-x5h2)
  • 🔒 vite 5.4.21: Multiple security patches for fs checks, request validation, CORS
  • 🔒 astro 5.15.9: Server island encryption, middleware path normalization, hostname validation
  • 📦 @trpc/server: Minor version with stability improvements
  • 📦 axios & happy-dom: Security and compatibility updates

Technical Analysis:

  • ✅ All changes are dependency version bumps in package.json files
  • ✅ No code changes, breaking changes, or risky patterns
  • ✅ Updates span apps/, examples/, packages/, and services/ appropriately
  • ✅ Total LOC: +14/-14 (minimal footprint)

Auto-Approval Decision

Cannot auto-approve - Hard-stop rule: Bot-authored PR (app/dependabot)

However, this PR is highly recommended for manual approval as it contains critical security fixes without any concerning changes. The existing approval from @TaylorBeeston correctly identifies the security benefits.

Recommendation

Approve and merge - This PR exclusively contains beneficial security updates with no downside risks.

@Custard7
Collaborator

@dependabot recreate

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github Apr 11, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

@TaylorBeeston
Collaborator

@dependabot recreate

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github Apr 15, 2026

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.


Labels

0.5 min review, 1 min review, dependencies (Pull requests that update a dependency file), javascript (Pull requests that update javascript code), missing-jira

2 participants