chore(deps): update dependency tsup to v8.3.5 [security]

[svc-secops]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
tsup (source)	8.0.2 -> 8.3.5

---

tsup DOM Clobbering vulnerability

CVE-2024-53384 / GHSA-3mv9-4h5g-vhg3

More information

Details

A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-53384
• https://gist.github.com/jackfromeast/36f98bf7542d11835c883c1d175d9b92
• https://github.com/egoist/tsup

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

egoist/tsup (tsup)

v8.3.5

Compare Source

   🐞 Bug Fixes

• Run experimentalDts only once  -  by @​aryaemami59 in https://github.com/egoist/tsup/issues/1236 (fddd4)

    View changes on GitHub

v8.3.4

Compare Source

No significant changes

    View changes on GitHub

v8.3.0

Compare Source

Bug Fixes

• fix experimentalDts file cleaning and watching (#​1199) (76dc18b)

Features

• add support for cts and mts config files (#​1178) (ec811b3)
• add support for async injectStyle (#​1193) (f25a9db)

v8.2.4

Compare Source

Bug Fixes

• do not terminate dts worker in watch mode, closes #​1172, closes #​1171 (49c11c3)

v8.2.3

Compare Source

Bug Fixes

• get metafile on windows (048c93b)

v8.2.2

Compare Source

Bug Fixes

• Revert "refactor: replace globby with faster alternative (#​1158)" (2de6dd5)

v8.2.1

Compare Source

Bug Fixes

• dts: terminate worker when work is done (#​1142) (44c88a7)

v8.2.0

Compare Source

Features

• add option to retain node protocol (e7ced34)

v8.1.2

Compare Source

Bug Fixes

• correct sourcemap with treeshake (#​1069) (6ca0cb0)
• only import type statement (43cf9f6), closes #​1157 #​1156

v8.1.1

Compare Source

• Upgrade bunch of dependencies (esbuild v0.23).

v8.1.0

Compare Source

Features

• upgrade esbuild to 0.21.4, opts-in for decorators (#​1116) (796fc50)

---

Configuration

📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - "after 8am and before 4pm on tuesday" in timezone Etc/UTC.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

This PR has been generated by Renovate Bot.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
apollo__client-integration-react-router	❌ Failed (Inspect)		Apr 3, 2025 0:14am
apollo__client-integration-tanstack-start	❌ Failed (Inspect)		Apr 3, 2025 0:14am

[svc-secops]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

➤ YN0000: · Yarn 4.2.2
➤ YN0000: ┌ Resolution step
➤ YN0085: │ + tsup@npm:8.3.5, @rollup/rollup-android-arm-eabi@npm:4.39.0, @rollup/rollup-android-arm64@npm:4.39.0, @rollup/rollup-darwin-arm64@npm:4.39.0, and 24 more.
➤ YN0085: │ - bundle-require@npm:4.0.2, tsup@npm:8.0.2
➤ YN0000: └ Completed in 1s 439ms
➤ YN0000: ┌ Post-resolution validation
➤ YN0060: │ @types/react is listed by your project with version 19.0.2, which doesn't satisfy what @chakra-ui/react (p2d119) and other dependencies request (^16.9.0 || ^17.0.0 || ^18.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2, which doesn't satisfy what @apollo/client (pe38d1) and other dependencies request (^16.6.0).
➤ YN0060: │ react is listed by your project with version 19.0.0, which doesn't satisfy what @apollo/space-kit (pe33c9) and other dependencies request (^18.0.0).
➤ YN0060: │ react-dom is listed by your project with version 19.0.0, which doesn't satisfy what framer-motion (p623d4) requests (^18.0.0).
➤ YN0002: │ @apollo/client-integration-tanstack-start@workspace:packages/tanstack-start doesn't provide vite (p9905a), requested by @tanstack/start.
➤ YN0002: │ @apollo/client-react-streaming@workspace:packages/client-react-streaming [fc55e] doesn't provide webpack (p24220), requested by react-server-dom-webpack.
➤ YN0002: │ @apollo/client-react-streaming@workspace:packages/client-react-streaming doesn't provide webpack (p8a2f0), requested by react-server-dom-webpack.
➤ YN0002: │ @integration-test/jest@workspace:integration-test/jest doesn't provide @testing-library/dom (p26a28), requested by @testing-library/react.
➤ YN0002: │ @integration-test/jest@workspace:integration-test/jest doesn't provide @testing-library/dom (p62073), requested by @testing-library/user-event.
➤ YN0002: │ @integration-test/tanstack-start@workspace:integration-test/tanstack-start doesn't provide @tanstack/react-router (p6c2dd), requested by @tanstack/router-devtools.
➤ YN0002: │ @integration-test/tanstack-start@workspace:integration-test/tanstack-start doesn't provide vite (p53f85), requested by @tanstack/start.
➤ YN0002: │ @integration-test/tanstack-start@workspace:integration-test/tanstack-start doesn't provide vite (pbff5c), requested by @vitejs/plugin-react.
➤ YN0002: │ @integration-test/vitest@workspace:integration-test/vitest doesn't provide @testing-library/dom (p8e982), requested by @testing-library/react.
➤ YN0002: │ @integration-test/vitest@workspace:integration-test/vitest doesn't provide vite (p08893), requested by @vitejs/plugin-react.
➤ YN0002: │ @internal/test-utils@workspace:packages/test-utils doesn't provide @jest/globals (p18129), requested by @testing-library/react-render-stream.
➤ YN0002: │ @internal/test-utils@workspace:packages/test-utils doesn't provide expect (p507be), requested by @testing-library/react-render-stream.
➤ YN0002: │ @internal/test-utils@workspace:packages/test-utils doesn't provide jsdom (pb27c8), requested by global-jsdom.
➤ YN0002: │ monorepo@workspace:. doesn't provide webpack (pa8ffb), requested by @size-limit/webpack-why.
➤ YN0086: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code.
➤ YN0000: └ Completed
➤ YN0000: ┌ Fetch step

[changeset-bot]

⚠️ No Changeset found

Latest commit: 44cf999

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[netlify]

❌ Deploy Preview for apollo-client-nextjs-docmodel failed.

Name	Link
🔨 Latest commit	44cf999
🔍 Latest deploy log	https://app.netlify.com/sites/apollo-client-nextjs-docmodel/deploys/67ee7ac29e04d7000889a442