
Bump @docusaurus/preset-classic from 3.10.0 to 3.10.1 #489

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/docusaurus/preset-classic-3.10.1


Conversation

dependabot[bot] (Contributor) commented on behalf of github on May 12, 2026:

Bumps @docusaurus/preset-classic from 3.10.0 to 3.10.1.

Release notes

Sourced from @docusaurus/preset-classic's releases.

3.10.1 (2026-04-30)

🐛 Bug Fix

  • docusaurus-bundler
    • #11981 fix(bundler): fix v3 webpackbar bug due to webpack breaking change (@slorber)

🔧 Maintenance

  • docusaurus

Committers: 1


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency-only bump; main impact is on the docs site build toolchain (Docusaurus/webpackbar), which could affect build output but doesn’t change app code.

Overview
Bumps @docusaurus/preset-classic from 3.10.0 to 3.10.1 in package.json.

Updates package-lock.json accordingly, pulling in Docusaurus 3.10.1 packages and related transitive upgrades (notably webpackbar 6.x → 7.0.0, Algolia 5.51.0 → 5.52.1, and minor Babel toolchain updates, plus a few dependency add/remove changes such as ansis replacing some prior webpackbar deps).

Reviewed by Cursor Bugbot for commit d716ccf. Bugbot is set up for automated code reviews on this repo.

Bumps [@docusaurus/preset-classic](https://github.com/facebook/docusaurus/tree/HEAD/packages/docusaurus-preset-classic) from 3.10.0 to 3.10.1.
- [Release notes](https://github.com/facebook/docusaurus/releases)
- [Changelog](https://github.com/facebook/docusaurus/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/docusaurus/commits/v3.10.1/packages/docusaurus-preset-classic)

---
updated-dependencies:
- dependency-name: "@docusaurus/preset-classic"
  dependency-version: 3.10.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels Changed (required label for PRs; categorizes the merge commit message as "Changed" for the changelog), dependencies (pull requests that update a dependency file) and javascript (pull requests that update JavaScript code) on May 12, 2026.
socket-security[bot] commented:

Review the following changes in direct dependencies.

Diff      Package                                          Supply Chain Security   Vulnerability   Quality   Maintenance   License
Updated   @docusaurus/preset-classic@3.10.0 ⏵ 3.10.1       99                      100             70        99            100
Updated   @docusaurus/plugin-google-gtag@3.10.0 ⏵ 3.10.1   100                     100             70        99            100
Updated   @docusaurus/core@3.10.0 ⏵ 3.10.1                 98 (+1)                 100             76 (+1)   99            100

github-actions[bot] commented:

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying lockfile resolution and dependency declarations for this bump.

Verdict: benign

Why this looks safe

  • Identity: @docusaurus/preset-classic is the official scoped package from the facebook/docusaurus project—not typosquatting.
  • Version: Patch 3.10.0 → 3.10.1 with a tagged upstream release and changelog describing a narrow bundler/webpackbar fix (PR #11981); that matches normal maintenance, not a suspicious jump or “ghost” version.
  • Integrity / resolution: Your lockfile resolves the tarball from https://registry.npmjs.org/.../preset-classic-3.10.1.tgz with a standard sha512 integrity field—consistent with a normal npm publish.
    "node_modules/@docusaurus/preset-classic": {
      "version": "3.10.1",
      "resolved": "https://registry.npmjs.org/@docusaurus/preset-classic/-/preset-classic-3.10.1.tgz",
      "integrity": "sha512-YO/FL8v1zmbxoTso6mjMz/RDjhaTJxb1UpFFTDdY5847LLDCeyYiYlrhyTbgN1RIN3xnkLKZ9Lj1x8hUzI4JOg==",
      "license": "MIT",
      "dependencies": {
        "@docusaurus/core": "3.10.1",
        "@docusaurus/plugin-content-blog": "3.10.1",
        ...

Malware scanner vs interpretation

  • Status warn reflects noisy heuristics over a large upstream monorepo diff (59 files), not proof of compromise in what you install from npm.
  • Unicode/confusable/steganography on .png/.jpg: Typical false positives from scanning binaries (e.g. \0 in image headers) and release assets in Docusaurus’s own repo—not GlassWorm-style invisible-source attacks in your dependency tree.
  • shell_process_spawn / obfuscation / credential_exfil hits: Substring/document matches (cross-spawn, exec in changelog text, GitHub token docs in upstream admin markdown, base64-js-style package names in yarn)—not lifecycle malware or exfiltration code.
  • ioc: 0 aligns with benign.

Residual diligence (optional, not malware-specific)

  • Other @docusaurus/* entries in package.json still say ^3.10.0 while the preset pulls 3.10.1 peers via the lockfile—that’s semver/npm behavior; aligning versions is housekeeping, not a supply-chain red flag.

Action: Safe to merge from a supply-chain malware perspective; treat scanner warnings as context-heavy noise unless you see suspicious lifecycle scripts, unexpected hosts, or lockfile/registry anomalies—none appear here.

Compatibility Analysis

Gathering usage sites and upstream change scope for the Docusaurus patch bump.

1) Where @docusaurus/preset-classic is used

Location               Role
package.json           Declared dependency (^3.10.1 in current tree).
docusaurus.config.js   Wired in presets with classic options (theme.customCss, docs / routeBasePath, sidebarPath, editUrl).
Indirect               All docusaurus npm scripts invoke the CLI, which loads this preset via the config.

Other @docusaurus/* imports (not the preset package itself): src/theme/prism-include-languages.js (ExecutionEnvironment, @generated/docusaurus.config), src/components/Runnable.tsx (useColorMode from theme-common).

2) Overlap with 3.10.1 changes

Release notes describe a bug fix in docusaurus-bundler (webpack/webpackbar), not changes to preset options, public config shape, or theme runtime APIs.

Your usage is standard preset + theme config + a couple of stable theme/runtime imports. Nothing here depends on bundler progress-bar behavior or other internals called out in the changelog.

.upstream-dependency is not present in this workspace, so inspection stops at upstream release notes; they still point to a narrow bundler-only fix (PR #11981).

3) Risks / unknowns

  • Patch scope: Low; semver patch within v3.10.x.
  • Lockfile / tree: package-lock.json already pulls 3.10.1 for @docusaurus/core, @docusaurus/bundler, and related packages when you install—consistent with how the preset pins its peers.
  • package.json ranges: @docusaurus/core and @docusaurus/plugin-google-gtag are still ^3.10.0; that is compatible with 3.10.1 but slightly inconsistent in declared ranges (cosmetic unless someone relies on package.json without a lockfile).
  • Third-party theme: @easyops-cn/docusaurus-search-local is the main non-FB surface; patch bumps within 3.10.x are usually uneventful; any edge case would show up in docusaurus build / CI.

4) Recommendation

Merge.

Optional follow-up (not required to block): bump @docusaurus/core and @docusaurus/plugin-google-gtag to ^3.10.1 in package.json so declared versions match the resolved 3.10.1 line.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 59
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: 0d98888a7645a5fb1330c905b75faf868f829f5c..41c1a458ecb07d61b6df2761ea4bc1b13db49d12
  • Resolved refs: from=0d98888a7645a5fb1330c905b75faf868f829f5c to=41c1a458ecb07d61b6df2761ea4bc1b13db49d12
  • Unicode findings (post-allowlist): 3
  • Confusable findings (post-allowlist): 3
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 37

Top findings

  • website/blog/releases/3.10/img/social-card.png:0 unicode :: binary file matches (found "\0" byte around offset 8)
  • admin/publish-legacy.md:249 unicode :: - New code blocks features 🖥️
  • admin/publish-legacy.md:250 unicode :: - Draft blog posts ✏️
  • website/blog/releases/3.10/img/social-card.png:0 confusable :: binary file matches (found "\0" byte around offset 8)
  • website/blog/releases/3.10/img/security.jpg:0 confusable :: binary file matches (found "\0" byte around offset 4)
  • website/blog/releases/3.10/img/provenance.jpg:0 confusable :: binary file matches (found "\0" byte around offset 4)
  • packages/create-docusaurus/package.json:27 shell_process_spawn :: "cross-spawn": "^7.0.6",
  • CHANGELOG.md:348 shell_process_spawn :: - [#11347](https://github.com/facebook/docusaurus/pull/11347) fix(core): Fix docusaurus start on macOS when exec throws a synchronous error ([@slorber](https://github.com/slorber))
  • yarn.lock:10 shell_process_spawn :: "@actions/exec" "^3.0.0"
  • yarn.lock:13 shell_process_spawn :: "@actions/exec@^3.0.0":
  • yarn.lock:15 shell_process_spawn :: resolved "https://registry.yarnpkg.com/@actions/exec/-/exec-3.0.0.tgz#8c3464d20f0aa4068707757021d7e3c01a7ee203"
  • yarn.lock:2911 shell_process_spawn :: "@jsdevtools/ez-spawn@^3.0.4":
  • yarn.lock:2913 shell_process_spawn :: resolved "https://registry.yarnpkg.com/@jsdevtools/ez-spawn/-/ez-spawn-3.0.4.tgz#5641eb26fee6d31ec29f6788eba849470c52c7ff"
  • yarn.lock:2917 shell_process_spawn :: cross-spawn "^7.0.3"
  • yarn.lock:3230 shell_process_spawn :: "@npmcli/promise-spawn" "^6.0.0"
  • yarn.lock:3268 shell_process_spawn :: "@npmcli/promise-spawn@^6.0.0", "@npmcli/promise-spawn@^6.0.1":
  • yarn.lock:3270 shell_process_spawn :: resolved "https://registry.yarnpkg.com/@npmcli/promise-spawn/-/promise-spawn-6.0.2.tgz#c8bc4fa2bd0f01cb979d8798ba038f314cfa70f2"
  • yarn.lock:3281 shell_process_spawn :: "@npmcli/promise-spawn" "^6.0.0"
  • yarn.lock:7806 shell_process_spawn :: cross-spawn "^7.0.6"
  • yarn.lock:7808 shell_process_spawn :: cross-spawn@^6.0.5:
