Bump @docusaurus/plugin-google-gtag from 3.9.2 to 3.10.0

[dependabot]

Bumps @docusaurus/plugin-google-gtag from 3.9.2 to 3.10.0.

Release notes

Sourced from @​docusaurus/plugin-google-gtag's releases.

3.10.0 (2026-04-07)

🚀 New Feature

• docusaurus-types, docusaurus
  • #11896 feat(core): add future.v4.mdx1CompatDisabledByDefault flag (@​slorber)
  • #11797 feat(core): promote siteConfig.storage to stable + add future.v4.siteStorageNamespacing flag [Claude] (@​slorber)
  • #11571 feat(core): support custom html elements in head tags (@​lebalz)
• create-docusaurus
  • #11897 feat(create-docusaurus): update init template to .mdx extension and strict MDX syntax (@​slorber)
  • #11696 feat(create-docusaurus): Newly initialized TS sites should use "strict: true" (@​slorber)
  • #11611 feat(create-docusaurus): enable creation in current directory (@​Mcheung7272)
• Other
  • #11874 feat(ci): improve npm supply chain security - improve Dependabot config (@​slorber)
  • #11712 feat(publish): Use trusted publishing (OIDC) for canary releases (@​slorber)
• create-docusaurus, docusaurus-bundler, docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-plugin-content-pages, docusaurus-plugin-pwa, docusaurus-types, docusaurus
  • #11802 feat(core): Docusaurus Faster is stable + v4 future flag turns it on by default (@​slorber)
• docusaurus-mdx-loader, docusaurus-utils, docusaurus
  • #11777 feat(cli): write-heading-ids CLI now supports the --syntax and --migrate options (@​slorber)
• docusaurus-mdx-loader
  • #11755 feat(mdx-loader): add support for explicit headingId based on MD/MDX comments (@​slorber)
• docusaurus-theme-live-codeblock, docusaurus-theme-translations
  • #11675 feat(theme-live-codeblock): reset button + wire position prop (@​NPX2218)
• docusaurus-theme-classic, docusaurus-theme-common
  • #11734 feat(theme): Split <DocCard>, improve extensibility, better handling of emoji icons, stable classNames (@​slorber)
  • #11733 feat(theme): Use React context for <Tabs>, allow custom <TabItem> components (@​slorber)
• docusaurus-faster, docusaurus
  • #11715 feat(bundler): upgrade to Rspack 1.7, remove useless experimental feature flags (@​slorber)
• docusaurus-plugin-content-pages
  • #11666 feat(pages): add support for Markdown file path links (@​VedantMadane)
• docusaurus-mdx-loader, docusaurus-theme-classic
  • #11642 feat(mdx-loader): add admonitions directive support for class/id shortcuts (@​lebalz)
• docusaurus-theme-classic
  • #11635 feat(theme): add MDXComponents/Li to swizzle config (@​moskalakamil)
• docusaurus-theme-search-algolia
  • #11581 feat(theme-search-algolia): allow overriding transformSearchClient (@​hugohaggmark)
  • #11541 feat(theme-search-algolia): add support for DocSearch v4.3.2 and new Suggested Questions (@​NatanTechofNY)
• create-docusaurus, docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-plugin-content-pages, docusaurus-plugin-sitemap, docusaurus-types, docusaurus-utils, docusaurus
  • #11512 feat(core): New siteConfig future.experimental_vcs API + future.experimental_faster.gitEagerVcs flag (@​slorber)

🐛 Bug Fix

• docusaurus
  • #11844 fix(core): fix url.resolve() Node.js deprecation warning (@​slorber)
  • #11833 fix(core): upgrade serve handler min version to for upgrade users to a secure version (@​BearAlliance)
  • #11763 fix(cli): fix write-heading-ids CLI when no files provided (@​slorber)
  • #11693 fix(core): Remove deprecated experiments.lazyBarrel config for RsPack (@​VedikaGupt)
  • #11604 fix(core): webpack aliases shouldn't be created for test files and typedefs (@​slorber)
  • #11603 fix(core): Fix openBrowser AppleScript support for Arc (@​slorber)
  • #11579 fix(core): in isInternalUrl(), URI protocol scheme detection should implement the spec more strictly (@​slorber)

... (truncated)

Changelog

Sourced from @​docusaurus/plugin-google-gtag's changelog.

3.10.0 (2026-04-07)

🚀 New Feature

• docusaurus-types, docusaurus
  • #11896 feat(core): add future.v4.mdx1CompatDisabledByDefault flag (@​slorber)
  • #11797 feat(core): promote siteConfig.storage to stable + add future.v4.siteStorageNamespacing flag [Claude] (@​slorber)
  • #11571 feat(core): support custom html elements in head tags (@​lebalz)
• create-docusaurus
  • #11897 feat(create-docusaurus): update init template to .mdx extension and strict MDX syntax (@​slorber)
  • #11696 feat(create-docusaurus): Newly initialized TS sites should use "strict: true" (@​slorber)
  • #11611 feat(create-docusaurus): enable creation in current directory (@​Mcheung7272)
• Other
  • #11874 feat(ci): improve npm supply chain security - improve Dependabot config (@​slorber)
  • #11712 feat(publish): Use trusted publishing (OIDC) for canary releases (@​slorber)
• create-docusaurus, docusaurus-bundler, docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-plugin-content-pages, docusaurus-plugin-pwa, docusaurus-types, docusaurus
  • #11802 feat(core): Docusaurus Faster is stable + v4 future flag turns it on by default (@​slorber)
• docusaurus-mdx-loader, docusaurus-utils, docusaurus
  • #11777 feat(cli): write-heading-ids CLI now supports the --syntax and --migrate options (@​slorber)
• docusaurus-mdx-loader
  • #11755 feat(mdx-loader): add support for explicit headingId based on MD/MDX comments (@​slorber)
• docusaurus-theme-live-codeblock, docusaurus-theme-translations
  • #11675 feat(theme-live-codeblock): reset button + wire position prop (@​NPX2218)
• docusaurus-theme-classic, docusaurus-theme-common
  • #11734 feat(theme): Split <DocCard>, improve extensibility, better handling of emoji icons, stable classNames (@​slorber)
  • #11733 feat(theme): Use React context for <Tabs>, allow custom <TabItem> components (@​slorber)
• docusaurus-faster, docusaurus
  • #11715 feat(bundler): upgrade to Rspack 1.7, remove useless experimental feature flags (@​slorber)
• docusaurus-plugin-content-pages
  • #11666 feat(pages): add support for Markdown file path links (@​VedantMadane)
• docusaurus-mdx-loader, docusaurus-theme-classic
  • #11642 feat(mdx-loader): add admonitions directive support for class/id shortcuts (@​lebalz)
• docusaurus-theme-classic
  • #11635 feat(theme): add MDXComponents/Li to swizzle config (@​moskalakamil)
• docusaurus-theme-search-algolia
  • #11581 feat(theme-search-algolia): allow overriding transformSearchClient (@​hugohaggmark)
  • #11541 feat(theme-search-algolia): add support for DocSearch v4.3.2 and new Suggested Questions (@​NatanTechofNY)
• create-docusaurus, docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-plugin-content-pages, docusaurus-plugin-sitemap, docusaurus-types, docusaurus-utils, docusaurus
  • #11512 feat(core): New siteConfig future.experimental_vcs API + future.experimental_faster.gitEagerVcs flag (@​slorber)

🐛 Bug Fix

• docusaurus
  • #11844 fix(core): fix url.resolve() Node.js deprecation warning (@​slorber)
  • #11833 fix(core): upgrade serve handler min version to for upgrade users to a secure version (@​BearAlliance)
  • #11763 fix(cli): fix write-heading-ids CLI when no files provided (@​slorber)
  • #11693 fix(core): Remove deprecated experiments.lazyBarrel config for RsPack (@​VedikaGupt)
  • #11604 fix(core): webpack aliases shouldn't be created for test files and typedefs (@​slorber)
  • #11603 fix(core): Fix openBrowser AppleScript support for Arc (@​slorber)
  • #11579 fix(core): in isInternalUrl(), URI protocol scheme detection should implement the spec more strictly (@​slorber)

... (truncated)

Commits

• 0d98888 v3.10.0
• 4a0273f fix(create-docusaurus): fix support for TypeScript 6.0 + fix our CI (#11843)
• 1451780 chore(ci): fixes for the npm trusted publishing workflow (#11823)
• 5dff744 chore(ci): add Trusted Publishing release workflow through dispatch action (#...
• 63ccba8 fix(create-docusaurus): update @​types/gtag.js to 0.0.20 (#11770)
• bca9ce7 chore: release v3.9.2 (#11491)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​docusaurus/plugin-google-gtag since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Note

Low Risk
Low risk dependency bump limited to the Docusaurus Google Analytics plugin and its transitive lockfile updates; main risk is unforeseen build/runtime behavior changes from the new plugin version.

Overview
Updates @docusaurus/plugin-google-gtag from 3.9.x to 3.10.0 in package.json.

Regenerates package-lock.json to pull the new plugin release and updated transitive dependencies (notably @types/gtag.js 0.0.12 → 0.0.20 and react-loadable-ssr-addon-v5-slorber 1.0.1 → 1.0.3), including a nested @docusaurus/* 3.10.0 subtree under the plugin.

^{Reviewed by Cursor Bugbot for commit 57866ab. Bugbot is set up for automated code reviews on this repo. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​docusaurus/​plugin-google-gtag@​3.10.0

View full report

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 57866ab. Configure here.}

[cursor]

Docusaurus version skew causes duplicate plugin installations

Medium Severity

Bumping @docusaurus/plugin-google-gtag to ^3.10.0 while @docusaurus/core and @docusaurus/preset-classic remain at ^3.9.1 creates a version skew. The lock file shows the 3.10.0 plugin installs its own nested copies of @docusaurus/core, @docusaurus/babel, @docusaurus/bundler, @docusaurus/types, and other internal packages at 3.10.0. Meanwhile, preset-classic at 3.9.2 creates its own nested copy of plugin-google-gtag at 3.9.2. This results in two versions of the gtag plugin and duplicated Docusaurus internals, which can cause subtle runtime conflicts between mismatched internal APIs. All @docusaurus/* packages need to stay in sync.

Additional Locations (1)

• package-lock.json#L4038-L4058

 

^{Reviewed by Cursor Bugbot for commit 57866ab. Configure here.}

[github-actions]

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying local dependency manifests for lifecycle scripts and lockfile consistency to support the malware review.

Verdict: benign

Why this looks safe

• Package identity: @docusaurus/plugin-google-gtag is the official Docusaurus package; the bump is 3.9.2 → 3.10.0 (same major), aligned with the documented 3.10.0 (2026-04-07) release in the PR body.
• Registry / integrity: The lockfile resolves the direct dependency to the normal npm tarball URL: registry.npmjs.org/.../plugin-google-gtag-3.10.0.tgz — not an odd mirror or git URL.
• Malware scanner vs. interpretation: The report’s warn and high unicode/heuristic counts come from scanning a large upstream git range (1431 changed files). The cited “unicode” hits are visible emoji/symbols in docs (e.g. ⚡️, ⏱️), which matches benign documentation content, not invisible-Unicode exploits. IOC: 0 after allowlist supports “no known bad indicators.”
• Lifecycle / scripts: Your root package.json has no preinstall/postinstall hooks on this dependency change; typical supply-chain red flags from unexpected install scripts are not introduced here.
• What to watch (not malware): The lockfile still has @docusaurus/preset-classic nesting plugin-google-gtag@3.9.2, while the direct dep is 3.10.0 — that is duplicate versions / alignment, worth cleaning up by aligning @docusaurus/core and @docusaurus/preset-classic to 3.10.x, not a compromise signal.

Actionable follow-up (optional): Bump the rest of the Docusaurus stack to 3.10.x so you do not run two gtag plugin versions.

Compatibility Analysis

Tracing how @docusaurus/plugin-google-gtag is used in the repo and checking for version skew or API impact.

Here’s a concise compatibility and adoption read for this repo.

---

1) Where it appears

Location	Role
package.json	Declared as a direct dependency: "@docusaurus/plugin-google-gtag": "^3.10.0".
package-lock.json	Resolves two copies: top-level node_modules/@docusaurus/plugin-google-gtag → 3.10.0, and node_modules/@docusaurus/preset-classic/node_modules/@docusaurus/plugin-google-gtag → 3.9.2 (pinned by @docusaurus/preset-classic@3.9.2).
docusaurus.config.js	No gtag preset option, no plugins entry for this package, no themeConfig.gtag. Analytics is handled via scripts (/js/matomo.js), not Google gtag.

So: the package is only referenced in manifests, not in site configuration. There is no application code in this repo that imports or configures @docusaurus/plugin-google-gtag.

---

2) Intersection with 3.10.0 / release notes

• The 3.10.0 notes you pasted are mostly core, themes, MDX, bundler, etc.; nothing in that excerpt targets a public gtag plugin API change.
• Upstream history for this bump includes @types/gtag.js → 0.0.20 (typing), which matters only if you use those types or the plugin’s TS surface directly—which this site does not from config.
• Preset-classic still ships 3.9.2 of this plugin; your direct dep at 3.10.0 does not replace that nested copy. So behavior from “preset + gtag option” would still be 3.9.2 until preset is upgraded.

Net: Your configured build path does not exercise this plugin, so no meaningful intersection with likely changed gtag APIs for this site as it stands.

---

3) Risks / unknowns

• Unused direct dependency: Bumping it changes disk layout and lockfile, but should not change produced HTML/JS for this config unless you later enable gtag or add a manual plugin entry.
• Version skew / bloat: Direct 3.10.0 pulls a nested Docusaurus 3.10.x tree under that package (per lockfile pattern), while @docusaurus/core / preset-classic resolve to 3.9.x in the lockfile—duplicate major stacks, larger install, harder mental model. Not a proven runtime bug here, but a maintainability and future footgun risk.
• If you ever enable gtag in preset: You’d be on preset’s 3.9.2 plugin until you bump preset-classic (and friends) to 3.10.x—the 3.10.0 top-level install wouldn’t automatically become the one preset uses.

---

4) Recommendation

Merge-with-caveats

• Merge is reasonable: the site does not use the plugin in config, so this bump is low functional risk.
• Caveats: Treat as housekeeping unless you also align the whole @docusaurus/* stack to 3.10.x (or remove the direct dependency if it’s truly unused) so you don’t carry two gtag versions and a split Docusaurus tree long term.

Optional CI check after merge: docusaurus build (and spot-check that Matomo still loads as before)—standard sanity, not gtag-specific.

---

Malware Scan Summary

• Status: warn
• Warn only mode: true
• Changed upstream files scanned: 1431
• Resolution strategy: tag_range
• Changed node/vendor paths: 0
• Changed lockfiles: 3
• Resolved upstream range: abfbe5621b08407bc3dcbe6111ff118d4c22f7a1..0d98888a7645a5fb1330c905b75faf868f829f5c
• Resolved refs: from=abfbe5621b08407bc3dcbe6111ff118d4c22f7a1 to=0d98888a7645a5fb1330c905b75faf868f829f5c
• Unicode findings (post-allowlist): 184
• Confusable findings (post-allowlist): 0
• IOC findings (post-allowlist): 0
• Heuristic findings (post-allowlist): 220

Top findings

• website/versioned_docs/version-3.9.2/introduction.mdx:8 unicode :: ⚡️ Docusaurus will help you ship a **beautiful documentation site in no time**.
• website/versioned_docs/version-3.9.2/introduction.mdx:20 unicode :: ## Fast Track ⏱️ {/* #fast-track */}
• website/versioned_docs/version-3.9.2/introduction.mdx:93 unicode :: - ⚛️ **Built with 💚 and React**:
• website/versioned_docs/version-3.9.2/introduction.mdx:99 unicode :: - ✂️ **Developer experience**:
• website/versioned_docs/version-3.9.2/introduction.mdx:120 unicode :: - ⚡️ **Lightning-fast**. Docusaurus v2+ follows the [PRPL Pattern](https://developers.google.com/web/fundamentals/performance/prpl-pattern/) that makes sure your content loads blazing fast.
• website/versioned_docs/version-3.9.2/api/plugins/plugin-content-blog.mdx:249 unicode :: | author | string | undefined | ⚠️ Prefer using authors. The blog post author's name. |
• website/versioned_docs/version-3.9.2/api/plugins/plugin-content-blog.mdx:250 unicode :: | author_url | string | undefined | ⚠️ Prefer using authors. The URL that the author's name will be linked to. This could be a GitHub, X, Facebook profile URL, etc. |
• website/versioned_docs/version-3.9.2/api/plugins/plugin-content-blog.mdx:251 unicode :: | author_image_url | string | undefined | ⚠️ Prefer using authors. The URL to the author's thumbnail image. |
• website/versioned_docs/version-3.9.2/api/plugins/plugin-content-blog.mdx:252 unicode :: | author_title | string | undefined | ⚠️ Prefer using authors. A description of the author. |
• website/versioned_docs/version-3.9.2/advanced/client.mdx:146 unicode :: title.innerText += '❤️';
• website/versioned_docs/version-3.8.1/api/plugins/plugin-content-blog.mdx:249 unicode :: | author | string | undefined | ⚠️ Prefer using authors. The blog post author's name. |
• website/versioned_docs/version-3.8.1/api/plugins/plugin-content-blog.mdx:250 unicode :: | author_url | string | undefined | ⚠️ Prefer using authors. The URL that the author's name will be linked to. This could be a GitHub, X, Facebook profile URL, etc. |
• website/versioned_docs/version-3.8.1/api/plugins/plugin-content-blog.mdx:251 unicode :: | author_image_url | string | undefined | ⚠️ Prefer using authors. The URL to the author's thumbnail image. |
• website/versioned_docs/version-3.8.1/api/plugins/plugin-content-blog.mdx:252 unicode :: | author_title | string | undefined | ⚠️ Prefer using authors. A description of the author. |
• website/versioned_docs/version-3.8.1/advanced/client.mdx:146 unicode :: title.innerText += '❤️';
• website/versioned_docs/version-3.7.0/api/plugins/plugin-content-blog.mdx:248 unicode :: | author | string | undefined | ⚠️ Prefer using authors. The blog post author's name. |
• website/versioned_docs/version-3.7.0/api/plugins/plugin-content-blog.mdx:249 unicode :: | author_url | string | undefined | ⚠️ Prefer using authors. The URL that the author's name will be linked to. This could be a GitHub, X, Facebook profile URL, etc. |
• website/versioned_docs/version-3.7.0/api/plugins/plugin-content-blog.mdx:250 unicode :: | author_image_url | string | undefined | ⚠️ Prefer using authors. The URL to the author's thumbnail image. |
• website/versioned_docs/version-3.7.0/api/plugins/plugin-content-blog.mdx:251 unicode :: | author_title | string | undefined | ⚠️ Prefer using authors. A description of the author. |
• website/versioned_docs/version-3.7.0/advanced/client.mdx:146 unicode :: title.innerText += '❤️';