
build(deps-dev): bump fallow from 2.40.3 to 2.87.0#46

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/fallow-2.87.0

Conversation


@dependabot dependabot Bot commented on behalf of github Jun 10, 2026

Contributor

Bumps fallow from 2.40.3 to 2.87.0.

Release notes

Sourced from fallow's releases.

v2.87.0: sharper, ranked, framework-aware security candidates

Security candidates: sharper, ranked, framework-aware

This release builds out the opt-in fallow security candidate layer with source modeling, reachability ranking, framework-aware sinks, five more CWE categories, and an MCP tool for agent handoff. As before, results are candidates for verification, not confirmed vulnerabilities: detection stays deterministic and syntactic, and fallow prefers false-negatives over false-positives.

Security candidate engine

  • Untrusted source modeling. Candidates are sharpened by recognizing untrusted sources (req.query / req.params / req.body, route parameters, process.argv, message-event / WebSocket / worker payloads via event.data, and fetch() responses) and walking backward from a sink argument to a source within the same function. A sink fed from an untrusted source is a stronger candidate; values derived only from constants or config no longer fire on the source axis. This approximates taint without a full inter-procedural data-flow engine.
  • Reachability-weighted ranking. Candidates on a path reachable from an entry point (HTTP route handlers, request entry points) now rank above candidates in one-off scripts or isolated helpers, turning a flat list into a prioritized one.
  • Framework-aware sinks. Per-framework idioms are recognized via the plugin system: React dangerouslySetInnerHTML, Angular bypassSecurityTrust*, and DOM sinks such as document.write and jQuery-style .html().
  • Five new CWE categories. Prototype pollution (CWE-1321), zip-slip / tar path traversal (CWE-22), NoSQL injection (CWE-943), server-side template injection (CWE-1336), and XML external entity expansion (CWE-611).

Agent integration

  • security_candidates MCP tool. A read-only tool wraps fallow security --format json and returns the security JSON envelope (category, CWE, evidence, structural trace, blind-spot counters), framed explicitly as unverified candidates so agents verify before editing. SARIF, CI, baseline, summary, failure, and fix behavior stay CLI-only.

Bug fixes

  • Sanitizer-aware suppression. DOMPurify-backed HTML suppression now shares a domain-scoped sanitizer model with literal-allowlist URL guards and path.relative containment guards, so allowlisted redirects, allowlisted outbound URLs, and contained path values no longer report. Near misses (mutable allowlists, helper predicates, guards after route use, plain startsWith(base) checks) still report.
  • Accurate SFC sink spans. Security sink candidates in Vue and Svelte single-file components now point at the real component source line instead of a line inside the isolated script body.
  • Firebase Messaging service workers are no longer reported as unused files. Thanks @rbalet for the report.
  • Ionic Angular page lifecycle methods (ionViewWillEnter, ionViewDidEnter, ionViewWillLeave, ionViewDidLeave) are no longer flagged as unused class members. Thanks @rbalet for the report.
  • Angular Material Sass entrypoints such as @use "@angular/material" as mat; now resolve through the package sass export. Thanks @rbalet for the report.
  • VS Code sidebar switches from a search icon to a reload icon once results exist, clarifying that the button reruns analysis. Thanks @rbalet for the report.
  • useMemo-bound class instances: methods on const svc = useMemo(() => new Svc(), []) are now credited instead of flagged as unused class members.
  • Nested workspace packages under a bare grouping directory (packages/* matching packages/themes, with the real package at packages/themes/my-theme) are now discovered as their own workspace.

Full Changelog: fallow-rs/fallow@v2.86.0...v2.87.0

v2.86.0: fallow security candidate catalogue + JSON kind discriminator

Highlights

fallow security: a local security-candidate layer for agent verification

fallow security is an opt-in command that surfaces local, deterministic security candidates (not verified vulnerabilities) for a human or coding agent to verify. fallow ships the signal; your agent confirms and fixes.

This release expands it from one rule to a data-driven catalogue spanning 9 CWE categories:

  • dangerous HTML (CWE-79), OS command injection (CWE-78), code injection (CWE-94), SQL injection (CWE-89), SSRF (CWE-918), path traversal (CWE-22), open redirect (CWE-601), runtime-selectable crypto algorithm (CWE-327), unsafe deserialization (CWE-502)
  • Plus the original client-server-leak rule: a "use client" file that transitively reaches a non-public process.env secret, with a structural import-hop trace.

Design choices that keep the signal honest:

  • Conservative by default. A candidate fires only when the relevant argument is non-literal; a fully literal value (el.innerHTML = "<b>x</b>", child_process.exec("ls")) is never flagged. fallow prefers false-negatives over false-positives.
  • Parameterized SQL is not flagged. Tagged-template sql`${x}` and the object form .execute({ sql, args }) bind safely and do not fire; only string concatenation, interpolated template literals into .query() / .execute(), and sql.raw(...) do.
  • Node sinks are provenance-gated to their import source (command injection to node:child_process, vm code injection to node:vm, path traversal to node:path, crypto to node:crypto, deserialization to js-yaml / node-serialize).
  • Build configs and test files are excluded from candidate generation.
  • Opt-in and isolated. The rules default to off, never appear under bare fallow or the audit gate, and fallow security is the only surface. Output is human, JSON, or SARIF (SARIF emits at note level with per-category rule IDs and CWE tags for the GitHub Security tab).
  • Blind spots are counted in-band, so an empty result with a non-zero unresolved count is never a clean bill.
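
The non-literal trigger and the import-provenance gate described above, as an added toy example that is not fallow's code: a line-oriented regex matcher stands in for fallow's real parser and runs over constructed sample source. The CATALOGUE rows, the SAMPLE text and every name in it (req, el, userCode, sandbox, ./my-shell) are constructed.

```javascript
// Added example (not fallow's code): a toy, line-oriented version of two rules
// from the release notes. (1) Non-literal trigger: a sink fires only when its
// first argument is not a plain literal. (2) Provenance gate: a Node sink counts
// only when the callee was imported from the catalogue's module. Regexes stand
// in for fallow's parser, so this handles one statement per line only.

// Catalogue rows (constructed subset). DOM sinks such as innerHTML need no
// import provenance and are handled separately in scan().
const CATALOGUE = [
  { cwe: "CWE-78", module: "node:child_process", members: ["exec", "execSync"] },
  { cwe: "CWE-94", module: "node:vm", members: ["runInNewContext", "runInThisContext"] },
];

const IMPORT_RE = /import\s+(?:\{([^}]*)\}|([A-Za-z_$][\w$]*))\s+from\s+["']([^"']+)["']/;
const CALL_RE = /\b([A-Za-z_$][\w$]*)(?:\.([A-Za-z_$][\w$]*))?\s*\(/g;

// Map each local binding to { module, name }; name is null for a default import,
// whose sink member comes from the property access (vm.runInNewContext).
function collectImports(lines) {
  const bindings = {};
  for (const line of lines) {
    const m = IMPORT_RE.exec(line);
    if (!m) continue;
    const [, named, def, module] = m;
    if (def) bindings[def] = { module, name: null };
    if (named) {
      for (const spec of named.split(",")) {
        const [orig, local] = spec.trim().split(/\s+as\s+/);
        if (orig) bindings[local || orig] = { module, name: orig };
      }
    }
  }
  return bindings;
}

// First top-level argument of a call, ignoring commas nested in brackets or strings.
function firstArg(text) {
  let depth = 0, quote = null;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (quote) {
      if (ch === "\\") i++;
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'" || ch === "`") quote = ch;
    else if ("([{".includes(ch)) depth++;
    else if (")]}".includes(ch)) depth--;
    else if (ch === "," && depth === 0) return text.slice(0, i).trim();
  }
  return text.trim();
}

// A fully literal value never fires: quoted strings, template literals without
// ${...}, numbers, booleans and null.
function isLiteral(arg) {
  if (/^(["'])(?:\\.|(?!\1)[^\\])*\1$/.test(arg)) return true;
  if (/^`[^`]*`$/.test(arg)) return !arg.includes("${");
  return /^(-?\d+(\.\d+)?|true|false|null)$/.test(arg);
}

// Returns [{ line, cwe, sink }] for every candidate in the source text.
function scan(source) {
  const lines = source.split("\n");
  const bindings = collectImports(lines);
  const findings = [];
  lines.forEach((raw, idx) => {
    const line = raw.replace(/\/\/.*$/, "").trim();
    const dom = /\.innerHTML\s*=(?!=)\s*(.+?);?$/.exec(line);
    if (dom && !isLiteral(dom[1])) findings.push({ line: idx + 1, cwe: "CWE-79", sink: "innerHTML" });
    for (const m of line.matchAll(CALL_RE)) {
      const [, base, member] = m;
      const b = bindings[base];
      if (!b) continue;                           // callee not imported: nothing to gate on
      const sink = member ? (b.name === null ? member : null) : b.name;
      const row = CATALOGUE.find((r) => r.module === b.module && r.members.includes(sink));
      if (!row) continue;                         // provenance gate: wrong module or member
      const argText = line.slice(m.index + m[0].length, line.lastIndexOf(")"));
      if (isLiteral(firstArg(argText))) continue; // literal argument never fires
      findings.push({ line: idx + 1, cwe: row.cwe, sink });
    }
  });
  return findings;
}

// Constructed sample source; req, el, userCode, sandbox and ./my-shell are invented.
const SAMPLE = [
  'import { exec } from "node:child_process";',
  'import { exec as run } from "./my-shell";',
  'import vm from "node:vm";',
  'exec("ls -la");',                        // literal: never flagged
  'exec(`ls ${req.query.dir}`);',           // CWE-78 candidate
  'vm.runInNewContext(userCode, sandbox);', // CWE-94 candidate
  'run(cmd);',                              // same name, other module: gated out
  'el.innerHTML = "<b>x</b>";',             // literal: never flagged
  'el.innerHTML = req.body.html;',          // CWE-79 candidate
].join("\n");

console.log(scan(SAMPLE)); // candidates on lines 5, 6 and 9
```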

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.87.0] - 2026-06-03

Added

  • fallow security now models untrusted sources to sharpen tainted-sink candidates. Beyond the non-literal-argument trigger, the analyzer recognizes a catalogue of untrusted sources (req.query / req.params / req.body, route parameters, process.argv, message-event / WebSocket / worker payloads via event.data, and fetch() responses) and performs a lightweight backward walk from a sink argument to a source within the same function. A candidate whose sink argument traces back to an untrusted source is a stronger candidate, while values derived only from constants or config no longer fire on the source axis. This approximates taint without a full inter-procedural data-flow engine: detection stays deterministic and syntactic, and findings remain candidates for downstream verification, not proven exploits. (Closes #859.)
  • Security candidates are now ranked by reachability from entry points. fallow security reuses the module graph to weight candidates that sit on a path reachable from an entry point (HTTP route handlers, request entry points) above candidates in one-off scripts or isolated helpers, turning a flat list into a prioritized one. Dependency / advisory concerns and authorization-logic reasoning stay out of scope. (Closes #860.)
  • Framework-aware security sinks now feed the catalogue via the plugin system. Per-framework sink idioms are recognized with higher precision: React dangerouslySetInnerHTML, Angular bypassSecurityTrust* (Html, Script, Style, Url, ResourceUrl), and DOM sinks such as document.write and jQuery-style .html(). The active framework plugin contributes its sink rows, so framework-specific shapes are covered without over-firing generic patterns. Framework authorization logic remains out of scope. (Closes #861.)
  • The data-driven CWE catalogue gains five deterministic categories. fallow security adds prototype pollution (CWE-1321, recursive merge or computed write into __proto__), zip-slip / tar path traversal on archive extraction (CWE-22), NoSQL injection (CWE-943, a user object flowing into a query operator), server-side template injection (CWE-1336), and XML external entity expansion (CWE-611). Each is a single catalogue row with a conservative non-literal trigger; fallow continues to prefer false-negatives over false-positives. SCA / advisory feeds remain out of scope. (Closes #862.)
  • fallow-mcp now exposes security_candidates for agent-readable local security candidates. The read-only tool wraps fallow security --format json --quiet and returns the existing security JSON envelope, including kind: "security", security_findings, category, CWE, evidence, structural trace, and blind-spot counters. It deliberately frames results as unverified candidates, not confirmed vulnerabilities, and tells agents to verify trace and evidence before editing code. The MCP params expose only scope and performance knobs: root, config, workspace, changed_since, changed_workspaces, no_cache, and threads; SARIF, CI, baseline, summary, failure, and fix behavior stay on the CLI. (Closes #864.)

Fixed

  • fallow security now suppresses more sanitized sink candidates without weakening the candidate framing. DOMPurify-backed HTML suppression now shares a domain-scoped sanitizer model with new literal-allowlist URL guards and path.relative containment guards, so allowlisted redirects, allowlisted outbound URLs, and contained path values no longer report as tainted-sink candidates. Near misses still report: mutable allowlists, helper predicates, guards after route file use, plain startsWith(base) path checks, and sanitizer use in the wrong domain remain candidates. The extraction cache version is bumped so warm caches re-extract affected files once. (Closes #863.)
  • Security sink candidates in Vue and Svelte single-file components now point at the real source line. Sink extraction reused parser-local byte offsets after the surrounding SFC source had been restored for line lookup, so reports pointed at a line inside the isolated script body instead of the component file. Captured sink spans are now remapped through the same SFC offset translation used for imports, exports, and other extracted references, with a Vue script setup regression test pinning the resolved span.
  • Firebase Messaging service workers are no longer reported as unused files. The Firebase plugin activates on the exact firebase dependency and keeps both root and nested public/firebase-messaging-sw.js files reachable, while unrelated public files still report normally. Thanks @rbalet for the report. (Closes #873.)
  • Ionic Angular page lifecycle methods are no longer reported as unused class members. The new Ionic plugin activates on @ionic/angular, keeps ionic.config.json reachable, treats common Ionic CLI packages as tooling dependencies, and credits the documented Angular page lifecycle methods ionViewWillEnter, ionViewDidEnter, ionViewWillLeave, and ionViewDidLeave. Ionic invokes these methods by name through its Angular router outlet, with or without the optional TypeScript lifecycle interfaces. Other ionView* typos still report as unused. Thanks @rbalet for the report. (Closes #868.)
  • Angular Material Sass entrypoints no longer report as unresolved or unused. External Sass package entrypoints such as @use "@angular/material" as mat; can resolve through the package sass export and then follow package-local relative @use / @forward imports with Sass partial, extension, and index lookup. Thanks @rbalet for the report. (Closes #871.)
  • The VS Code sidebar now switches from a search icon to a reload icon after analysis has loaded. The initial sidebar action still uses the search icon for first-run analysis, but once results exist the title action becomes Fallow: Reload Analysis with the refresh icon, making it clearer that the button reruns the analysis instead of searching within findings. Thanks @rbalet for the report. (Closes #869.)
  • Methods on a useMemo-bound class instance are no longer reported as unused. A service instantiated through React's useMemo factory (const svc = useMemo(() => new ClipsService(), [deps]); svc.analyze()) left ClipsService.analyze reported as an unused-class-member, because the non-destructured binding was not tracked (only the array-destructured useState form was). useMemo returns the factory's product directly, so fallow now binds the identifier to the constructed class and credits method calls on it. Scoped to useMemo / React.useMemo: tuple-returning hooks like useState and arbitrary wrappers are intentionally not bound from the non-destructured form, and genuinely-unused members on the same class still report. The extraction cache version is bumped, so warm caches re-extract affected files once on upgrade. (Closes #844.)
  • Packages nested under a bare grouping directory are now discovered as workspaces. When a root package.json declares a single-level workspace glob such as "workspaces": ["packages/*"] but a real package lives two levels deep (packages/themes/my-theme/package.json, where packages/themes itself has no package.json), the glob matched only the bare packages/themes directory, so the deep package was never discovered. Its source files fell back to the root manifest and every dependency it correctly declared (for example react) was reported as an unlisted-dependency. Workspace discovery now descends one level into a glob-matched directory that has no package.json of its own and recovers any immediate child that is a real, named package, so its files are attributed to its own manifest. Recovery is conservative: children in the conventional skip list (node_modules, build output, caches, hidden directories), paths matched by your ignorePatterns (a reliable opt-out), and manifests without a name are ignored, so fixtures, build artifacts, and __mocks__ manifests are not treated as workspaces. Descent is one level only; deeper packages/<group>/<sub>/<pkg> layouts should use a recursive (**) glob. Note this is a behavior change beyond unlisted-dependencies: a nested package previously attributed to the root manifest is now its own workspace, so its files also participate in unused-files, unused-exports, architecture-boundary checks, and internal-dependency crediting. (Closes #842.)

[2.86.0] - 2026-06-02

Added

  • fallow security now ships local code-level security candidates across 9 CWE categories via a data-driven matcher catalogue. Beyond the original client-server-leak class, fallow now flags syntactic sink-site candidates for dangerous HTML (CWE-79), OS command injection (CWE-78), code injection (CWE-94), SQL injection (CWE-89), server-side request forgery (CWE-918), path traversal (CWE-22), open redirect (CWE-601), runtime-selectable crypto algorithms (CWE-327), and unsafe deserialization (CWE-502). These are candidates for downstream agent verification, not verified vulnerabilities: detection is deterministic and syntactic, never taint-proof. A candidate fires only when the relevant argument is non-literal, so a fully-literal value (el.innerHTML = "<b>x</b>", child_process.exec("ls")) is never flagged; fallow prefers false-negatives over false-positives. Node-specific sinks are provenance-gated to their import source (command injection to node:child_process, code injection's vm form to node:vm, path traversal to node:path, runtime crypto to node:crypto, deserialization to js-yaml / node-serialize). The category set is a single data file with no regen step; the rule (security-sink) defaults to off and is surfaced only by fallow security, never under bare fallow or the audit gate. Each candidate carries its category, CWE, and a file-level suppress hint (// fallow-ignore-file security-sink). Sink-shaped calls fallow cannot resolve to a static callee are counted in-band, so an empty result with a non-zero count is not a clean bill. Scope which categories run with security.categories include / exclude lists.
  • fallow security: an opt-in command that surfaces local security candidates for agent verification. The first rule, client-server-leak, flags a "use client" file (React Server Components / Next.js client boundary) that transitively imports a module reading a non-public process.env secret, plus the direct case where the client file reads such a secret itself. fallow emits a structural import-hop trace to the candidate secret source; it does not prove the secret reaches the client bundle. Findings are candidates for verification, not confirmed vulnerabilities, so there is no severity-style confidence score, only the trace. Reads of public-by-convention env vars (NODE_ENV, NEXT_PUBLIC_*, VITE_*, NUXT_PUBLIC_*, REACT_APP_*, PUBLIC_*, GATSBY_*, EXPO_PUBLIC_*, STORYBOOK_*) are not treated as secrets. The command is opt-in and entirely separate from the rest of fallow: the security-client-server-leak rule defaults to off, the findings never appear under bare fallow or the audit gate, and fallow security is the only surface. Output is available as human, JSON, and SARIF (SARIF emits at the note level with no CWE so the candidate framing survives into the GitHub Security tab). Honors --changed-since, --diff-file, --diff-stdin, --workspace, --changed-workspaces, --ci, --fail-on-issues, --sarif-file, and --summary. Suppress a file with // fallow-ignore-file security-client-server-leak. Dynamic import() patterns the reachability scan cannot follow are reported as a counted in-band note, so an empty result with a non-zero unresolved-edge count is not a clean bill.

Changed

  • JSON envelope outputs now include a top-level kind discriminator. Typed FallowOutput roots such as dead-code, dead-code-grouped, health, dupes, combined, audit, explain, impact, coverage setup/analyze, list boundaries, and CI review envelopes can now be identified by kind instead of field-presence heuristics. schema_version is bumped to 7, and --legacy-envelope keeps the previous root shape for one migration cycle. CodeClimateOutput remains a bare array to preserve the Code Climate / GitLab Code Quality contract. The CLI check subcommand remains a legacy alias for dead-code; new JSON discriminators use the canonical dead-code name. (Closes #413.)

Fixed

  • A bare "@" plugin alias no longer swallows @scope/* npm packages. When a config registered a path alias keyed on a bare "@" (e.g. "@" -> "src"), fallow matched the alias with a plain starts_with("@"), so every scoped dependency import such as @radix-ui/react-checkbox was routed into the alias branch, failed alias resolution, and surfaced as unresolved-import, which then cascaded into unused-dependency for the real package. The plugin-alias gate is now segment-aware (mirroring the existing fallbacks.rs alias matcher): a bare prefix matches only on an exact hit or a /-delimited continuation, so @/foo still resolves through the alias while @scope/pkg resolves as a normal npm package. (Closes #838.)
  • declare ambient class properties are no longer reported as unused class members. A TypeScript class field declared with declare (declare readonly __input?: I) is a type-only annotation that emits no JavaScript and cannot be value-referenced, so it can never be a real unused-class-member. Fallow previously extracted these ambient properties as ordinary members, so a class that only annotated injected or framework-provided state with declare surfaced false unused-member findings. Ambient declare property definitions are now skipped during class-member extraction, while normal methods and fields on the same class are still reported when genuinely unused. (Closes #839.)
  • new URL('./dir', import.meta.url) directory targets no longer surface as unresolved imports. Extending the #399 fix, an extensionless relative specifier such as new URL('./services', import.meta.url) or new URL('./bin', import.meta.url) is the standard ESM idiom for referencing an on-disk directory of assets, worker scripts, or binaries relative to a module. A bare directory has no module entry, so resolution failed and fallow reported unresolved-import. Extensionless new URL(..., import.meta.url) specifiers are now treated as speculative: when the resolver finds no module, the finding is silently dropped instead of reported. File-pointing specifiers with an extension (./worker.js, ./assets/foo.svg) keep their existing behavior, so a genuinely missing file is still reported. The extraction cache version is bumped, so users on warm caches see a one-time re-extract on first run after upgrading. (Closes #840.)
  • Quoted globs in package.json scripts are now registered as entry points. A test script using the idiomatic node --test --import tsx 'src/**/*.test.ts' form captured its argument as the literal 'src/**/*.test.ts' with the surrounding single quotes intact, so the compiled entry pattern matched zero files and the test files (and their test-only helper modules) surfaced as false unused-file / unused-export findings. The script tokenizer now strips a matching pair of surrounding single or double quotes from each token, while leaving tokens with internal quotes (such as can't) unchanged. Unquoted globs continue to work as before. (Closes #841.)
  • NestJS lifecycle and handler methods are no longer reported as unused class members. The nestjs plugin now credits the methods Nest invokes reflectively on consumer classes: configure on NestModule, the guard/interceptor/pipe/filter/middleware dispatch methods (canActivate, intercept, transform, catch, use) on their respective interfaces, and the five module lifecycle hooks (onModuleInit, onModuleDestroy, onApplicationBootstrap, beforeApplicationShutdown, onApplicationShutdown). Each rule is heritage-scoped to its Nest interface via implements, so an ordinary class that implements none of these interfaces still reports a genuinely unused method, and non-lifecycle methods on a Nest class are still flagged. A class that implements one lifecycle interface also has its sibling lifecycle hooks credited, matching Nest's duck-typed lifecycle dispatch. (Closes #843.)
  • A method called on a value narrowed by instanceof is now credited as a use of that class's member. Code such as if (e instanceof BaseException) { e.getMessage(); } previously left BaseException.getMessage reported as an unused-class-member, because the call was attributed to the local e rather than the narrowed class. Fallow now records instanceof <Class> guards (including &&-chained guards) so method calls on the narrowed local inside the body are attributed to the class. Genuinely-unused members on the same class still report. Files are re-extracted on upgrade (cache version bump). (Closes #845.)
  • Oxlint config packages referenced through the extends array are no longer reported as unused dependencies. The Oxlint plugin previously parsed top-level config imports and the jsPlugins array but ignored the extends field, so a config such as "extends": ["@nkzw/oxlint-config"] left its declared devDependency flagged as unused-dev-dependency. Package-style extends entries are now credited as referenced dependencies and relative/absolute entries are recorded as setup files, mirroring the existing jsPlugins path handling. (Closes #846.)
  • Bun bunfig.toml preload files are no longer reported as unused, and the Bun plugin now activates on @types/bun. Two gaps combined to flag a Bun test preload file as unused-file: the plugin's enabler set was bun-types only, so a project declaring the canonical @types/bun types package never activated the plugin (activation reads declared package.json deps, not transitive node_modules), and even when active the plugin only marked bunfig.toml itself as always-used without parsing its preload arrays. The plugin now also activates on @types/bun, and when bunfig.toml is present it parses both the top-level preload = [...] array and the [test] preload = [...] array, seeding each referenced file as an entry point (normalized relative to the config file) so the files Bun loads before every run / test stay reachable. Invalid TOML and non-string entries are skipped. (Closes #847.)
  • duplicate-export no longer over-reports when a name-group spans unrelated packages. A same-named export shared across packages (for example a backend class Label alongside a frontend Label value and a type Label alias) was previously emitted as one flat group whenever any pair in the group shared a common importer. The cross-package backend member, which shares no importer with the frontend pair, inflated the value-module count and defeated the value/type self-suppression that should have hidden the frontend pair. fallow now partitions a name-group into connected components by shared importer (two exports are connected when a third file imports both, or one imports the other) and applies value/type self-suppression and the unrelated-leaf drop per component. An isolated cross-package member is dropped as its own singleton instead of polluting a sibling component, so groups that previously surfaced only because an unrelated member crossed the suppression threshold are now correctly suppressed, while genuine within-component duplicates still report with only their connected locations. (Closes #848.)
  • Svelte markup <script src> tags no longer surface as unresolved imports. Svelte treats tags such as <svelte:head><script src="/some-lib.min.js" async></script></svelte:head> as runtime HTML, not bundled SFC script modules. Fallow now keeps parsing the src metadata for span fidelity but no longer emits synthetic imports for Svelte script src references, so root-relative browser assets do not become false unresolved-imports. Vue external scripts keep their existing graph edges. Thanks @codingthat for the report. (Closes #835.)
  • Pinia stores auto-imported by @pinia/nuxt are now tracked in the module graph. Fallow now activates a Pinia plugin on @pinia/nuxt, scans direct store files in stores/ and Nuxt 4 app/stores/, and maps value exports named use<Name>Store to the file that provides them. Pages that call useUserStore() without an import now keep stores/user.ts reachable and credit the matching export, while sibling helper exports can still report as unused. Nested stores and custom storesDirs remain out of scope for the default detector. (Closes #740.)
  • TanStack Router routeFileIgnorePattern warnings now call out JavaScript regex compatibility instead of treating every unsupported pattern as a user typo. TanStack accepts JavaScript regular expressions, while fallow validates route ignore patterns with Rust's regex engine before matching route file segments. Patterns that use JavaScript-only syntax such as lookahead are still ignored during analysis so the run can continue, but the warning now names routeFileIgnorePattern, points at the source config file when known, and explains that the syntax is unsupported by fallow's Rust regex engine. (Refs #513.)
  • Nuxt composables and utils referenced only through script auto-imports are now tracked in the module graph. Fallow now records unresolved value identifiers in JS/TS and Vue/Svelte script blocks, then resolves Nuxt convention exports from top-level composables/, app/composables/, utils/, and app/utils/, plus recursive shared/utils/ and shared/types/, during graph build. This keeps files like composables/useCounter.ts, utils/format-price.ts, and named exports from composables/index.ts reachable when a page calls useCounter() or formatPrice() without an import. Local declarations, explicit imports, type-only references, and known JS/Web/Vue/Nuxt built-ins do not synthesize edges. With autoImports: true, component entry-pattern removal remains guarded by components: config, while composable/util pattern removal is separately guarded by imports: config. (Closes #739.)
  • fallow health now surfaces CRAP coverage-source consistency in JSON and lets teams tune the secondary CRAP refactor band. CRAP source precedence is explicit (template inheritance first, then Istanbul data including unmatched files, then static estimates), health JSON emits summary.coverage_source_consistency and grouped health emits groups[].coverage_source_consistency whenever CRAP findings carry source data, and health.crapRefactorBand configures the old fixed 5-point window that adds a secondary refactor-function action to near-threshold CRAP-only findings. This closes the remaining JSON/config contract work from issue #474 after the human-output clarification below. (Closes #474.)
  • fallow health now explains whether CRAP scores are estimated or sourced from Istanbul coverage in the high-complexity output. Previously the main human section showed values like 650.0 CRAP without saying whether they came from real coverage or the static export-reference estimate, and the file-score hint told users to pass a bare --coverage flag. The complexity section now includes a short coverage-source note, mixed Istanbul runs call out that unmatched functions fall back to estimates, and the hint spells out fallow health --coverage <coverage-final.json>. A top-level fallow --coverage typo now gets a targeted health-command hint instead of clap suggesting unrelated flags such as --tolerance. (Refs #474.)
  • Two built-in plugins sharing a config file no longer emit an un-actionable collision warning. Projects using both Vite and TanStack Router (with @tanstack/router-plugin/vite configured in vite.config.ts) saw a plugin config_patterns collision warning on every run, because both the vite and tanstack-router built-in plugins legitimately claim vite.config.{ts,js,mts,mjs} (tanstack-router parses the tanstackRouter({...}) call there to find a custom generatedRouteTree path). The collision is benign: config matching runs each matching plugin's parser independently, so there is no data loss. The warning's own advice ("rename one of the patterns or remove the duplicate plugin") is impossible to follow for a built-in. The collision detector now suppresses built-in-only collisions and warns only when at least one owner is an external (user-authored) plugin, matching its documented intent. (Closes #808)

... (truncated)

Commits
  • d9d22a3 chore: release v2.87.0
  • b1d9593 fix(security): suppress sanitized sink candidates
  • d96cd66 fix(plugins): keep Firebase Messaging worker reachable
  • 0f6182a fix(vscode): clarify reload action
  • 011ab0d fix(sass): resolve package entrypoint imports
  • 92fbd74 fix(unused-class-members): credit Ionic lifecycle hooks
  • 571d78a fix(security): suppress DOMPurify-backed HTML sinks
  • 50d1ef0 feat(mcp): add security candidates tool
  • 60a9b76 fix(extract): remap SFC security sink spans
  • a3adfa9 test(security): pin prototype-pollution proto matcher + cast blind spot
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 10, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/fallow-2.87.0 branch from 83adb9d to 7d860ac Compare June 10, 2026 07:36
Bumps [fallow](https://github.com/fallow-rs/fallow) from 2.40.3 to 2.87.0.
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.40.3...v2.87.0)

---
updated-dependencies:
- dependency-name: fallow
  dependency-version: 2.87.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/fallow-2.87.0 branch from 7d860ac to 17195a3 Compare June 10, 2026 07:43
@BartWaardenburg

Collaborator

Superseded by 46d4a5e on main, which takes fallow straight to the current latest (2.91.0, vs 2.87.0 here) and resolves the dead-code findings it surfaces. The jridgewell-compat packages use a dual-resolution wasm import (by-name @srcmap/<name>-wasm with a relative pkg/ fallback) that is unresolvable under static analysis; that is now ignored centrally in .fallowrc.json rather than per line. Thanks dependabot.

@BartWaardenburg BartWaardenburg deleted the dependabot/npm_and_yarn/fallow-2.87.0 branch June 10, 2026 08:02

dependabot Bot commented on behalf of github Jun 10, 2026

Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
