Bump @docusaurus/plugin-google-gtag from 3.9.2 to 3.10.0 #966

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/docusaurus/plugin-google-gtag-3.10.0

dependabot bot commented on behalf of github on Apr 14, 2026

Bumps @docusaurus/plugin-google-gtag from 3.9.2 to 3.10.0.

Release notes

Sourced from @​docusaurus/plugin-google-gtag's releases.

3.10.0 (2026-04-07)

🚀 New Feature

  • docusaurus-types, docusaurus
    • #11896 feat(core): add future.v4.mdx1CompatDisabledByDefault flag (@​slorber)
    • #11797 feat(core): promote siteConfig.storage to stable + add future.v4.siteStorageNamespacing flag [Claude] (@​slorber)
    • #11571 feat(core): support custom html elements in head tags (@​lebalz)
  • create-docusaurus
    • #11897 feat(create-docusaurus): update init template to .mdx extension and strict MDX syntax (@​slorber)
    • #11696 feat(create-docusaurus): Newly initialized TS sites should use "strict: true" (@​slorber)
    • #11611 feat(create-docusaurus): enable creation in current directory (@​Mcheung7272)
  • Other
    • #11874 feat(ci): improve npm supply chain security - improve Dependabot config (@​slorber)
    • #11712 feat(publish): Use trusted publishing (OIDC) for canary releases (@​slorber)
  • create-docusaurus, docusaurus-bundler, docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-plugin-content-pages, docusaurus-plugin-pwa, docusaurus-types, docusaurus
    • #11802 feat(core): Docusaurus Faster is stable + v4 future flag turns it on by default (@​slorber)
  • docusaurus-mdx-loader, docusaurus-utils, docusaurus
    • #11777 feat(cli): write-heading-ids CLI now supports the --syntax and --migrate options (@​slorber)
  • docusaurus-mdx-loader
    • #11755 feat(mdx-loader): add support for explicit headingId based on MD/MDX comments (@​slorber)
  • docusaurus-theme-live-codeblock, docusaurus-theme-translations
  • docusaurus-theme-classic, docusaurus-theme-common
    • #11734 feat(theme): Split <DocCard>, improve extensibility, better handling of emoji icons, stable classNames (@​slorber)
    • #11733 feat(theme): Use React context for <Tabs>, allow custom <TabItem> components (@​slorber)
  • docusaurus-faster, docusaurus
    • #11715 feat(bundler): upgrade to Rspack 1.7, remove useless experimental feature flags (@​slorber)
  • docusaurus-plugin-content-pages
  • docusaurus-mdx-loader, docusaurus-theme-classic
    • #11642 feat(mdx-loader): add admonitions directive support for class/id shortcuts (@​lebalz)
  • docusaurus-theme-classic
  • docusaurus-theme-search-algolia
  • create-docusaurus, docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-plugin-content-pages, docusaurus-plugin-sitemap, docusaurus-types, docusaurus-utils, docusaurus
    • #11512 feat(core): New siteConfig future.experimental_vcs API + future.experimental_faster.gitEagerVcs flag (@​slorber)

🐛 Bug Fix

  • docusaurus
    • #11844 fix(core): fix url.resolve() Node.js deprecation warning (@​slorber)
    • #11833 fix(core): upgrade serve handler min version to for upgrade users to a secure version (@​BearAlliance)
    • #11763 fix(cli): fix write-heading-ids CLI when no files provided (@​slorber)
    • #11693 fix(core): Remove deprecated experiments.lazyBarrel config for RsPack (@​VedikaGupt)
    • #11604 fix(core): webpack aliases shouldn't be created for test files and typedefs (@​slorber)
    • #11603 fix(core): Fix openBrowser AppleScript support for Arc (@​slorber)
    • #11579 fix(core): in isInternalUrl(), URI protocol scheme detection should implement the spec more strictly (@​slorber)

... (truncated)

Commits
  • 0d98888 v3.10.0
  • 4a0273f fix(create-docusaurus): fix support for TypeScript 6.0 + fix our CI (#11843)
  • 1451780 chore(ci): fixes for the npm trusted publishing workflow (#11823)
  • 5dff744 chore(ci): add Trusted Publishing release workflow through dispatch action (#...
  • 63ccba8 fix(create-docusaurus): update @​types/gtag.js to 0.0.20 (#11770)
  • bca9ce7 chore: release v3.9.2 (#11491)
  • See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​docusaurus/plugin-google-gtag since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency bump limited to the Docusaurus Google Analytics plugin and its transitive lockfile updates; main risk is unforeseen build/runtime behavior changes from the new plugin version.

Overview
Updates @docusaurus/plugin-google-gtag from 3.9.x to 3.10.0 in package.json.

Regenerates package-lock.json to pull the new plugin release and updated transitive dependencies (notably @types/gtag.js 0.0.12 → 0.0.20 and react-loadable-ssr-addon-v5-slorber 1.0.1 → 1.0.3), including a nested @docusaurus/* 3.10.0 subtree under the plugin.

Reviewed by Cursor Bugbot for commit 57866ab. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [@docusaurus/plugin-google-gtag](https://github.com/facebook/docusaurus/tree/HEAD/packages/docusaurus-plugin-google-gtag) from 3.9.2 to 3.10.0.
- [Release notes](https://github.com/facebook/docusaurus/releases)
- [Changelog](https://github.com/facebook/docusaurus/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/docusaurus/commits/v3.10.0/packages/docusaurus-plugin-google-gtag)

---
updated-dependencies:
- dependency-name: "@docusaurus/plugin-google-gtag"
  dependency-version: 3.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added labels on Apr 14, 2026: Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file), javascript (Pull requests that update Javascript code)
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | @docusaurus/plugin-google-gtag@3.10.0 | 100 | 100 | 70 | 99 | 100 |


@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Comment thread package.json
"@docsearch/react": "^4.6.2",
"@docusaurus/core": "^3.9.1",
"@docusaurus/plugin-google-gtag": "^3.9.1",
"@docusaurus/plugin-google-gtag": "^3.10.0",
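Review bot: `"@docusaurus/core": "^3.9.1"` on the line just above is left unchanged while `@docusaurus/plugin-google-gtag` moves to `^3.10.0`, so after this change the manifest declares different minimum versions for two packages from the same `@docusaurus` scope. Raise `@docusaurus/core` and any other `@docusaurus/*` entries to `^3.10.0` in this same change and regenerate the lockfile, so that one version of each package is resolved.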

Docusaurus version skew causes duplicate plugin installations

Medium Severity

Bumping @docusaurus/plugin-google-gtag to ^3.10.0 while @docusaurus/core and @docusaurus/preset-classic remain at ^3.9.1 creates a version skew. The lock file shows the 3.10.0 plugin installs its own nested copies of @docusaurus/core, @docusaurus/babel, @docusaurus/bundler, @docusaurus/types, and other internal packages at 3.10.0. Meanwhile, preset-classic at 3.9.2 creates its own nested copy of plugin-google-gtag at 3.9.2. This results in two versions of the gtag plugin and duplicated Docusaurus internals, which can cause subtle runtime conflicts between mismatched internal APIs. All @docusaurus/* packages need to stay in sync.


Reviewed by Cursor Bugbot for commit 57866ab. Configure here.
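
One way to check a lockfile for the version skew described in the comment above, as an added example (not code from this PR, from Bugbot or from Docusaurus). It reads the `packages` map of a package-lock.json (lockfileVersion 2 or 3), reports every package in a scope that resolves to more than one version together with who nests each copy, and also lists entries resolved from outside registry.npmjs.org or carrying install scripts; the sample lockfile, `example-native-dep` and its URL are constructed for illustration.

```javascript
// Added example: audit the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
const REGISTRY = "https://registry.npmjs.org/";

// "node_modules/a/node_modules/@s/b" -> { name: "@s/b", parent: "a" }
function parseLockPath(path) {
  const parts = path.split("node_modules/").filter(Boolean).map((p) => p.replace(/\/$/, ""));
  return { name: parts[parts.length - 1], parent: parts.length > 1 ? parts[parts.length - 2] : null };
}

function auditLockfile(lock, scope) {
  const versions = new Map(); // package name -> Map(version -> [who nests that copy])
  const nonRegistry = [];     // entries whose tarball does not come from the npm registry
  const installScripts = [];  // entries npm marked as running lifecycle scripts on install
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root project or workspace symlink
    const { name, parent } = parseLockPath(path);
    const id = `${name}@${entry.version}`;
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY)) nonRegistry.push(id);
    if (entry.hasInstallScript) installScripts.push(id);
    if (!name.startsWith(scope + "/")) continue;
    if (!versions.has(name)) versions.set(name, new Map());
    const byVersion = versions.get(name);
    if (!byVersion.has(entry.version)) byVersion.set(entry.version, []);
    byVersion.get(entry.version).push(parent || "(top level)");
  }
  const skewed = {};
  for (const [name, byVersion] of versions) {
    if (byVersion.size > 1) skewed[name] = Object.fromEntries(byVersion);
  }
  return { skewed, nonRegistry, installScripts };
}

// Constructed sample mirroring the layout the review describes; not the repo's real lockfile.
const tarball = (name, version) => ({
  version,
  resolved: `${REGISTRY}${name}/-/${name.split("/").pop()}-${version}.tgz`,
});
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "site", version: "0.0.0" },
    "node_modules/@docusaurus/core": tarball("@docusaurus/core", "3.9.2"),
    "node_modules/@docusaurus/preset-classic": tarball("@docusaurus/preset-classic", "3.9.2"),
    "node_modules/@docusaurus/preset-classic/node_modules/@docusaurus/plugin-google-gtag":
      tarball("@docusaurus/plugin-google-gtag", "3.9.2"),
    "node_modules/@docusaurus/plugin-google-gtag": tarball("@docusaurus/plugin-google-gtag", "3.10.0"),
    "node_modules/@docusaurus/plugin-google-gtag/node_modules/@docusaurus/core":
      tarball("@docusaurus/core", "3.10.0"),
    // Hypothetical entry so the registry and install-script checks have something to report.
    "node_modules/example-native-dep": {
      version: "1.0.0",
      resolved: "git+ssh://git@example.invalid/hypothetical/dep.git#0000000",
      hasInstallScript: true,
    },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock, "@docusaurus"), null, 2));
```

Run against a real lockfile by passing `JSON.parse` of its contents; a non-empty `skewed` result is a reasonable condition for failing CI on a partial scope bump.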

@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying local dependency manifests for lifecycle scripts and lockfile consistency to support the malware review.

Verdict: benign

Why this looks safe

  • Package identity: @docusaurus/plugin-google-gtag is the official Docusaurus package; the bump is 3.9.2 → 3.10.0 (same major), aligned with the documented 3.10.0 (2026-04-07) release in the PR body.
  • Registry / integrity: The lockfile resolves the direct dependency to the normal npm tarball URL: registry.npmjs.org/.../plugin-google-gtag-3.10.0.tgz — not an odd mirror or git URL.
  • Malware scanner vs. interpretation: The report’s warn and high unicode/heuristic counts come from scanning a large upstream git range (1431 changed files). The cited “unicode” hits are visible emoji/symbols in docs (e.g. ⚡️, ⏱️), which matches benign documentation content, not invisible-Unicode exploits. IOC: 0 after allowlist supports “no known bad indicators.”
  • Lifecycle / scripts: Your root package.json has no preinstall/postinstall hooks on this dependency change; typical supply-chain red flags from unexpected install scripts are not introduced here.
  • What to watch (not malware): The lockfile still has @docusaurus/preset-classic nesting plugin-google-gtag@3.9.2, while the direct dep is 3.10.0 — that is duplicate versions / alignment, worth cleaning up by aligning @docusaurus/core and @docusaurus/preset-classic to 3.10.x, not a compromise signal.

Actionable follow-up (optional): Bump the rest of the Docusaurus stack to 3.10.x so you do not run two gtag plugin versions.

Compatibility Analysis

Tracing how @docusaurus/plugin-google-gtag is used in the repo and checking for version skew or API impact.

Here’s a concise compatibility and adoption read for this repo.


1) Where it appears

| Location | Role |
| --- | --- |
| package.json | Declared as a direct dependency: "@docusaurus/plugin-google-gtag": "^3.10.0". |
| package-lock.json | Resolves two copies: top-level node_modules/@docusaurus/plugin-google-gtag → 3.10.0, and node_modules/@docusaurus/preset-classic/node_modules/@docusaurus/plugin-google-gtag → 3.9.2 (pinned by @docusaurus/preset-classic@3.9.2). |
| docusaurus.config.js | No gtag preset option, no plugins entry for this package, no themeConfig.gtag. Analytics is handled via scripts (/js/matomo.js), not Google gtag. |

So: the package is only referenced in manifests, not in site configuration. There is no application code in this repo that imports or configures @docusaurus/plugin-google-gtag.


2) Intersection with 3.10.0 / release notes

  • The 3.10.0 notes you pasted are mostly core, themes, MDX, bundler, etc.; nothing in that excerpt targets a public gtag plugin API change.
  • Upstream history for this bump includes @types/gtag.js → 0.0.20 (typing), which matters only if you use those types or the plugin’s TS surface directly—which this site does not from config.
  • Preset-classic still ships 3.9.2 of this plugin; your direct dep at 3.10.0 does not replace that nested copy. So behavior from “preset + gtag option” would still be 3.9.2 until preset is upgraded.

Net: Your configured build path does not exercise this plugin, so no meaningful intersection with likely changed gtag APIs for this site as it stands.


3) Risks / unknowns

  • Unused direct dependency: Bumping it changes disk layout and lockfile, but should not change produced HTML/JS for this config unless you later enable gtag or add a manual plugin entry.
  • Version skew / bloat: Direct 3.10.0 pulls a nested Docusaurus 3.10.x tree under that package (per lockfile pattern), while @docusaurus/core / preset-classic resolve to 3.9.x in the lockfile—duplicate major stacks, larger install, harder mental model. Not a proven runtime bug here, but a maintainability and future footgun risk.
  • If you ever enable gtag in preset: You’d be on preset’s 3.9.2 plugin until you bump preset-classic (and friends) to 3.10.x—the 3.10.0 top-level install wouldn’t automatically become the one preset uses.

4) Recommendation

Merge-with-caveats

  • Merge is reasonable: the site does not use the plugin in config, so this bump is low functional risk.
  • Caveats: Treat as housekeeping unless you also align the whole @docusaurus/* stack to 3.10.x (or remove the direct dependency if it’s truly unused) so you don’t carry two gtag versions and a split Docusaurus tree long term.

Optional CI check after merge: docusaurus build (and spot-check that Matomo still loads as before)—standard sanity, not gtag-specific.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 1431
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 3
  • Resolved upstream range: abfbe5621b08407bc3dcbe6111ff118d4c22f7a1..0d98888a7645a5fb1330c905b75faf868f829f5c
  • Resolved refs: from=abfbe5621b08407bc3dcbe6111ff118d4c22f7a1 to=0d98888a7645a5fb1330c905b75faf868f829f5c
  • Unicode findings (post-allowlist): 184
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 220

Top findings

  • website/versioned_docs/version-3.9.2/introduction.mdx:8 unicode :: ⚡️ Docusaurus will help you ship a **beautiful documentation site in no time**.
  • website/versioned_docs/version-3.9.2/introduction.mdx:20 unicode :: ## Fast Track ⏱️ {/* #fast-track */}
  • website/versioned_docs/version-3.9.2/introduction.mdx:93 unicode :: - ⚛️ **Built with 💚 and React**:
  • website/versioned_docs/version-3.9.2/introduction.mdx:99 unicode :: - ✂️ **Developer experience**:
  • website/versioned_docs/version-3.9.2/introduction.mdx:120 unicode :: - ⚡️ **Lightning-fast**. Docusaurus v2+ follows the [PRPL Pattern](https://developers.google.com/web/fundamentals/performance/prpl-pattern/) that makes sure your content loads blazing fast.
  • website/versioned_docs/version-3.9.2/api/plugins/plugin-content-blog.mdx:249 unicode :: | author | string | undefined | ⚠️ Prefer using authors. The blog post author's name. |
  • website/versioned_docs/version-3.9.2/api/plugins/plugin-content-blog.mdx:250 unicode :: | author_url | string | undefined | ⚠️ Prefer using authors. The URL that the author's name will be linked to. This could be a GitHub, X, Facebook profile URL, etc. |
  • website/versioned_docs/version-3.9.2/api/plugins/plugin-content-blog.mdx:251 unicode :: | author_image_url | string | undefined | ⚠️ Prefer using authors. The URL to the author's thumbnail image. |
  • website/versioned_docs/version-3.9.2/api/plugins/plugin-content-blog.mdx:252 unicode :: | author_title | string | undefined | ⚠️ Prefer using authors. A description of the author. |
  • website/versioned_docs/version-3.9.2/advanced/client.mdx:146 unicode :: title.innerText += '❤️';
  • website/versioned_docs/version-3.8.1/api/plugins/plugin-content-blog.mdx:249 unicode :: | author | string | undefined | ⚠️ Prefer using authors. The blog post author's name. |
  • website/versioned_docs/version-3.8.1/api/plugins/plugin-content-blog.mdx:250 unicode :: | author_url | string | undefined | ⚠️ Prefer using authors. The URL that the author's name will be linked to. This could be a GitHub, X, Facebook profile URL, etc. |
  • website/versioned_docs/version-3.8.1/api/plugins/plugin-content-blog.mdx:251 unicode :: | author_image_url | string | undefined | ⚠️ Prefer using authors. The URL to the author's thumbnail image. |
  • website/versioned_docs/version-3.8.1/api/plugins/plugin-content-blog.mdx:252 unicode :: | author_title | string | undefined | ⚠️ Prefer using authors. A description of the author. |
  • website/versioned_docs/version-3.8.1/advanced/client.mdx:146 unicode :: title.innerText += '❤️';
  • website/versioned_docs/version-3.7.0/api/plugins/plugin-content-blog.mdx:248 unicode :: | author | string | undefined | ⚠️ Prefer using authors. The blog post author's name. |
  • website/versioned_docs/version-3.7.0/api/plugins/plugin-content-blog.mdx:249 unicode :: | author_url | string | undefined | ⚠️ Prefer using authors. The URL that the author's name will be linked to. This could be a GitHub, X, Facebook profile URL, etc. |
  • website/versioned_docs/version-3.7.0/api/plugins/plugin-content-blog.mdx:250 unicode :: | author_image_url | string | undefined | ⚠️ Prefer using authors. The URL to the author's thumbnail image. |
  • website/versioned_docs/version-3.7.0/api/plugins/plugin-content-blog.mdx:251 unicode :: | author_title | string | undefined | ⚠️ Prefer using authors. A description of the author. |
  • website/versioned_docs/version-3.7.0/advanced/client.mdx:146 unicode :: title.innerText += '❤️';
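
The distinction the review draws between visible emoji and invisible Unicode, as an added example (not the scanner this workflow runs, whose rules the page does not show). It treats U+FE0F and U+200D as benign only when they sit inside an emoji sequence and flags bidirectional controls and zero-width characters anywhere; the character sets are this example's own choice, two sample lines are taken from the findings above with the emoji written as escapes, and the rest are constructed.

```javascript
// Added example: separate visible emoji from invisible or reordering code points.
const BIDI_CONTROLS = new Set([0x061c, 0x200e, 0x200f, 0x202a, 0x202b, 0x202c,
  0x202d, 0x202e, 0x2066, 0x2067, 0x2068, 0x2069]);
const ZERO_WIDTH = new Set([0x200b, 0x200c, 0x2060, 0xfeff]);
const ZWJ = 0x200d;  // joins emoji into one glyph; invisible on its own
const VS16 = 0xfe0f; // asks for emoji presentation of the preceding symbol; invisible

const isPictographic = (ch) => ch !== undefined && /\p{Extended_Pictographic}/u.test(ch);
const hex = (cp) => "U+" + cp.toString(16).toUpperCase().padStart(4, "0");

function classifyLine(line) {
  const chars = Array.from(line); // iterate by code point, not UTF-16 unit
  const suspicious = [];
  let visible = 0;
  chars.forEach((ch, index) => {
    const cp = ch.codePointAt(0);
    if (cp < 0x80) return;
    const flag = (kind) => suspicious.push({ kind, cp: hex(cp), index });
    // Base symbol before this position, looking past one variation selector.
    const base = chars[index - 1] === "\uFE0F" ? chars[index - 2] : chars[index - 1];
    if (BIDI_CONTROLS.has(cp)) flag("bidi-control");
    else if (ZERO_WIDTH.has(cp)) flag("zero-width");
    else if (cp === ZWJ) {
      if (!(isPictographic(base) && isPictographic(chars[index + 1]))) flag("stray-zwj");
    } else if (cp === VS16) {
      if (!isPictographic(chars[index - 1])) flag("stray-variation-selector");
    } else if (isPictographic(ch)) visible += 1;
  });
  const verdict = suspicious.length ? "suspicious" : visible ? "visible-only" : "clean";
  return { verdict, visible, suspicious };
}

// Count verdicts over a batch of scanner hits so the visible-only ones can be set aside.
function summarize(lines) {
  const counts = {};
  for (const line of lines) {
    const { verdict } = classifyLine(line);
    counts[verdict] = (counts[verdict] || 0) + 1;
  }
  return counts;
}

const SAMPLES = [
  "## Fast Track \u23F1\uFE0F {/* #fast-track */}", // from the findings list above
  "title.innerText += '\u2764\uFE0F';",              // from the findings list above
  "\u{1F468}\u200D\u{1F4BB} dev",                    // constructed: ZWJ inside an emoji sequence
  "const isAdmin\u200B = false;",                    // constructed: zero-width space in code
  "/* \u202E note */",                               // constructed: right-to-left override
  "plain ascii line",                                // constructed
];

console.log(summarize(SAMPLES));
for (const line of SAMPLES) console.log(JSON.stringify(line), classifyLine(line).suspicious);
```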
