chore(deps): bump the npm_and_yarn group across 1 directory with 7 updates #6

Closed
dependabot[bot] wants to merge 1 commit from dependabot/npm_and_yarn/npm_and_yarn-af2bfed2c7 into main
dependabot[bot] commented 2026-04-04 07:08:49 +00:00 (Migrated from github.com)

Bumps the npm_and_yarn group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| defu | 6.1.4 | 6.1.6 |
| fast-xml-parser | 5.5.6 | 5.5.10 |
| lodash | 4.17.21 | 4.18.1 |
| picomatch | 4.0.3 | 4.0.4 |
| picomatch | 2.3.1 | 2.3.2 |
| socket.io-parser | 4.2.5 | 4.2.6 |

Updates nodemailer from 8.0.2 to 8.0.4

Release notes

Sourced from nodemailer's releases.

v8.0.4

8.0.4 (2026-03-25)

Bug Fixes

  • sanitize envelope size to prevent SMTP command injection (2d7b971)

v8.0.3

8.0.3 (2026-03-18)

Bug Fixes

  • clean up addressparser and fix group name fallback producing undefined (9d55877)
  • fix cookie bugs, remove dead code, and improve hot-path efficiency (e8c8b92)
  • refactor smtp-connection for clarity and add Node.js 6 syntax compat test (c5b48ea)
  • remove familySupportCache that broke DNS resolution tests (c803d90)
Changelog

Sourced from nodemailer's changelog.

8.0.4 (2026-03-25)

Bug Fixes

  • sanitize envelope size to prevent SMTP command injection (2d7b971)

8.0.3 (2026-03-18)

Bug Fixes

  • clean up addressparser and fix group name fallback producing undefined (9d55877)
  • fix cookie bugs, remove dead code, and improve hot-path efficiency (e8c8b92)
  • refactor smtp-connection for clarity and add Node.js 6 syntax compat test (c5b48ea)
  • remove familySupportCache that broke DNS resolution tests (c803d90)
Commits
  • 2d31975 chore(master): release 8.0.4 (#1806)
  • 2d7b971 fix: sanitize envelope size to prevent SMTP command injection
  • 4e702e9 chore(master): release 8.0.3 (#1804)
  • c803d90 fix: remove familySupportCache that broke DNS resolution tests
  • e8c8b92 fix: fix cookie bugs, remove dead code, and improve hot-path efficiency
  • 0e78ee1 chore: update dependencies
  • af73b4c chore: upgrade GitHub Actions to latest versions
  • 604b570 chore: simplify remaining lib modules for clarity and consistency
  • 4ced83d chore: simplify shared, errors, mailer, mime-node, and mime-funcs modules
  • 0cba16e chore: simplify smtp-pool with const, Object.assign, and cleaner control flow
  • Additional commits viewable in compare view

Updates defu from 6.1.4 to 6.1.6

Release notes

Sourced from defu's releases.

v6.1.6

compare changes

📦 Build

v6.1.5

compare changes

🩹 Fixes

  • Prevent prototype pollution via __proto__ in defaults (#156)
  • Ignore inherited enumerable properties (11ba022)

Tests

  • Add more tests for plain objects (b65f603)

❤️ Contributors

Changelog

Sourced from defu's changelog.

v6.1.6

compare changes

📦 Build

❤️ Contributors

v6.1.5

compare changes

🩹 Fixes

  • Prevent prototype pollution via __proto__ in defaults (#156)
  • Ignore inherited enumerable properties (11ba022)

🏡 Chore

Tests

  • Add more tests for plain objects (b65f603)

🤖 CI

❤️ Contributors

Commits
  • 001c290 chore(release): v6.1.6
  • 407b516 build: fix mixed types
  • 23e59e6 chore(release): v6.1.5
  • 11ba022 fix: ignore inherited enumerable properties
  • 3942bfb fix: prevent prototype pollution via __proto__ in defaults (#156)
  • d3ef16d chore(deps): update actions/checkout action to v6 (#151)
  • 869a053 chore(deps): update actions/setup-node action to v6 (#149)
  • a97310c chore(deps): update codecov/codecov-action action to v6 (#154)
  • 89df6bb chore: fix typecheck
  • 9237d9c ci: bump node
  • Additional commits viewable in compare view

Updates fast-xml-parser from 5.5.6 to 5.5.10

Release notes

Sourced from fast-xml-parser's releases.

performance improvement, increase entity expansion default limit

  • increase default entity expansion limit as many projects demand for that

```
maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,
```

  • performance improvement
    • reduce calls to toString
    • early return when entities are not present
    • prepare rawAttrsForMatcher only if user sets jPath: false

Full Changelog: https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.9...v5.5.10

fix typings and matcher instance in callbacks

  • combine typings file to avoid configuration changes
  • pass readonly instance of matcher to the callbacks to avoid accidental push/pop call

fix bugs of entity parsing and value parsing

  • fix: entity expansion limits
  • update strnum package to 2.2.0

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.5.10 / 2026-04-03

  • increase default entity expansion limit as many projects demand for that
  • performance improvement
    • reduce calls to toString
    • early return when entities are not present
    • prepare rawAttrsForMatcher only if user sets jPath: false

5.5.9 / 2026-03-23

  • combine typing files

4.5.5 / 2026-03-22

apply fixes from v5 (legacy maintenance branch v4-maintenance)

  • support maxEntityCount
  • support onDangerousProperty
  • support maxNestedTags
  • handle prototype pollution
  • fix incorrect entity name replacement
  • fix incorrect condition for entity expansion

5.5.8 / 2026-03-20

  • pass read only matcher in callback

5.5.7 / 2026-03-19

  • fix: entity expansion limits
  • update strnum package to 2.2.0

5.5.6 / 2026-03-16

  • update builder dependency
  • fix incorrect regex to replace . in entity name
  • fix check for entity expansion for lastEntities and html entities too

5.5.5 / 2026-03-13

  • sanitize dangerous tag or attribute name
  • error on critical property name
  • support onDangerousProperty option

5.5.4 / 2026-03-13

  • declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

5.5.3 / 2026-03-11

... (truncated)

Commits

Updates kysely from 0.28.11 to 0.28.15

Release notes

Sourced from kysely's releases.

0.28.15

Hey 👋

The introduction of dehydration in JSON functions/helpers caused an unexpected bug for consumers that have some columns defined as '${number}', e.g. '1' | '2' (also when wrapped in ColumnType or similar). Such columns, when participating in a JSON function/helper would dehydrate to number instead of staying as string.

Why dehydrate numeric strings to numbers in the first place? Select types in kysely describe the data after underlying driver's (e.g. pg) data transformation. Some drivers transform numeric columns to strings to be safe. When these columns participate in JSON functions, they lose original column data types - drivers don't know they need to transform to string - they return as-is.

This release introduces a special helper type that wraps your column type definition and tells kysely to NOT dehydrate it in JSON functions/helpers.

```ts
import type { ColumnType, NonDehydrateable } from 'kysely'

interface Database {
  my_table: {
    a_column: '1' | '2' | '3', // dehydrates to number
    another_column: NonDehydrateable<'1' | '2' | '3'>, // stays '1' | '2' | '3'
    column_too: NonDehydrateable<ColumnType<'1' | '2' | '3'>> // stays '1' | '2' | '3'
  }
}
```

🚀 Features

  • feat: add NonDehydrateable<T> to allow opt-out from dehydration in JSON functions/helpers. by @​igalklebanov in #1697

🐞 Bugfixes

PostgreSQL 🐘

📖 Documentation

📦 CICD & Tooling

⚠️ Breaking Changes

🐤 New Contributors

Full Changelog: https://github.com/kysely-org/kysely/compare/v0.28.14...v0.28.15

0.28.14

Hey 👋

... (truncated)

Commits

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: https://github.com/lodash/lodash/compare/4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: https://github.com/micromatch/picomatch/compare/4.0.3...4.0.4

Commits

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: https://github.com/micromatch/picomatch/compare/4.0.3...4.0.4

Commits

Updates socket.io-parser from 4.2.5 to 4.2.6

Release notes

Sourced from socket.io-parser's releases.

socket.io-parser@4.2.6

This release includes a fix for CVE-2026-33151. Please upgrade as soon as possible.

Bug Fixes

  • add a limit to the number of binary attachments (b25738c)
Commits
  • 522edcd chore(release): socket.io-parser@4.2.6
  • 3fff7ca fix(parser): add a limit to the number of binary attachments
  • 37aad11 fix: cleanup pending acks on timeout to prevent memory leak
  • ba9cd69 revert: fix: cleanup pending acks on timeout to prevent memory leak
  • 84c2fb7 chore(release): engine.io@6.6.6
  • 07cbe15 fix(eio): add @​types/ws as dependency (#5458)
  • 44ed73f fix(eio): emit initial_headers and headers events in uServer (#5460)
  • da04267 fix: cleanup pending acks on timeout to prevent memory leak (#5442)
  • 74599a6 fix(types): properly import http module
  • d48718c ci: use actions/checkout@v6 and actions/setup-node@v6 (#5449)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


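The defu 6.1.5 and lodash 4.18.0 notes quoted above describe two guards against prototype pollution: skipping `__proto__` when merging defaults, and refusing `constructor`/`prototype` as non-terminal path keys. The sketch below is an added example, not code from this PR, defu or lodash; `mergeDefaults`, `safeUnset`, the two blocked-key sets and the sample input are names and values assumed for illustration.

```javascript
// Keys refused by this example (an assumption for illustration; the real
// libraries keep their own lists).
const BLOCKED_MERGE_KEYS = new Set(['__proto__', 'constructor']);
const BLOCKED_PATH_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Fill `target` from `defaults` (values on `target` win) into a fresh object.
function mergeDefaults(target, defaults) {
  const out = {};
  for (const source of [defaults, target]) {        // the later source overrides
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {        // own enumerable keys only,
      // so nothing inherited through the prototype chain is copied
      if (BLOCKED_MERGE_KEYS.has(key)) continue;    // never copy __proto__/constructor
      const value = source[key];
      if (value === undefined || value === null) continue;
      out[key] = isPlainObject(value) ? mergeDefaults(value, out[key]) : value;
    }
  }
  return out;
}

// Delete the property at `path` (an array of segments) below `root`.
// Returns false and touches nothing when the path walks through a blocked key.
function safeUnset(root, path) {
  // Compare the key the engine will actually look up: ['constructor'] and
  // 'constructor' coerce to the same property name.
  const keys = path.map((seg) => (typeof seg === 'symbol' ? seg : String(seg)));
  if (keys.length === 0) return false;
  const last = keys.pop();
  // The check runs before any traversal and does not depend on the type of
  // `root`, so a primitive root gets the same answer as an object root.
  if (last === '__proto__' || keys.some((k) => BLOCKED_PATH_KEYS.has(k))) {
    return false;
  }
  let node = root;
  for (const key of keys) {
    if (node === null || node === undefined) return true;  // nothing to delete
    node = node[key];
  }
  if (node === null || node === undefined) return true;
  // Reflect.deleteProperty returns a boolean instead of throwing in strict mode.
  return Reflect.deleteProperty(Object(node), last);
}

// Constructed input: what an untrusted JSON body or config file could parse to.
// JSON.parse creates "__proto__" as an ordinary own property, which is why a
// merge has to skip it explicitly.
const UNTRUSTED_DEFAULTS = JSON.parse('{"__proto__":{"isAdmin":true},"retries":5}');

console.log(mergeDefaults({ host: 'db.internal' }, UNTRUSTED_DEFAULTS));
// The array-wrapped segment is normalised before the check, so this is refused.
console.log(safeUnset({}, [['constructor'], 'prototype', 'toString']));
```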
<code>fromPairs</code> functions from the modular builds. See <a href="https://redirect.github.com/lodash/lodash/issues/6167#issuecomment-4165269769">lodash/lodash#6167</a></p> <p>These defects were related to how lodash distributions are built from the main branch using <a href="https://github.com/lodash-archive/lodash-cli">https://github.com/lodash-archive/lodash-cli</a>. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.</p> <p>There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:</p> <ul> <li><code>lodash</code>: <a href="https://github.com/lodash/lodash/compare/4.18.0-npm...4.18.1-npm">https://github.com/lodash/lodash/compare/4.18.0-npm...4.18.1-npm</a></li> <li><code>lodash-es</code>: <a href="https://github.com/lodash/lodash/compare/4.18.0-es...4.18.1-es">https://github.com/lodash/lodash/compare/4.18.0-es...4.18.1-es</a></li> <li><code>lodash-amd</code>: <a href="https://github.com/lodash/lodash/compare/4.18.0-amd...4.18.1-amd">https://github.com/lodash/lodash/compare/4.18.0-amd...4.18.1-amd</a></li> <li><code>lodash.template</code><a href="https://github.com/lodash/lodash/compare/4.18.0-npm-packages...4.18.1-npm-packages">https://github.com/lodash/lodash/compare/4.18.0-npm-packages...4.18.1-npm-packages</a></li> </ul> <h2>4.18.0</h2> <h2>v4.18.0</h2> <p><strong>Full Changelog</strong>: <a href="https://github.com/lodash/lodash/compare/4.17.23...4.18.0">https://github.com/lodash/lodash/compare/4.17.23...4.18.0</a></p> <h3>Security</h3> <p><strong><code>_.unset</code> / <code>_.omit</code></strong>: Fixed prototype pollution via <code>constructor</code>/<code>prototype</code> path traversal (<a 
href="https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh">GHSA-f23m-r3pf-42rh</a>, <a href="https://github.com/lodash/lodash/commit/fe8d32eda854377349a4f922ab7655c8e5df9a0b">fe8d32e</a>). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now <code>constructor</code> and <code>prototype</code> are blocked unconditionally as non-terminal path keys, matching <code>baseSet</code>. Calls that previously returned <code>true</code> and deleted the property now return <code>false</code> and leave the target untouched.</p> <p><strong><code>_.template</code></strong>: Fixed code injection via <code>imports</code> keys (<a href="https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc">GHSA-r5fr-rjxr-66jc</a>, CVE-2026-4800, <a href="https://github.com/lodash/lodash/commit/879aaa93132d78c2f8d20c60279da9f8b21576d6">879aaa9</a>). Fixes an incomplete patch for CVE-2021-23337. The <code>variable</code> option was validated against <code>reForbiddenIdentifierChars</code> but <code>importsKeys</code> was left unguarded, allowing code injection via the same <code>Function()</code> constructor sink. 
<code>imports</code> keys containing forbidden identifier characters now throw <code>&quot;Invalid imports option passed into _.template&quot;</code>.</p> <h3>Docs</h3> <ul> <li>Add security notice for <code>_.template</code> in threat model and API docs (<a href="https://redirect.github.com/lodash/lodash/pull/6099">#6099</a>)</li> <li>Document <code>lower &gt; upper</code> behavior in <code>_.random</code> (<a href="https://redirect.github.com/lodash/lodash/pull/6115">#6115</a>)</li> <li>Fix quotes in <code>_.compact</code> jsdoc (<a href="https://redirect.github.com/lodash/lodash/pull/6090">#6090</a>)</li> </ul> <h3><code>lodash.*</code> modular packages</h3> <p><a href="https://redirect.github.com/lodash/lodash/pull/6157">Diff</a></p> <p>We have also regenerated and published a select number of the <code>lodash.*</code> modular packages.</p> <p>These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:</p> <ul> <li><a href="https://www.npmjs.com/package/lodash.orderby">lodash.orderby</a></li> <li><a href="https://www.npmjs.com/package/lodash.tonumber">lodash.tonumber</a></li> <li><a href="https://www.npmjs.com/package/lodash.trim">lodash.trim</a></li> <li><a href="https://www.npmjs.com/package/lodash.trimend">lodash.trimend</a></li> <li><a href="https://www.npmjs.com/package/lodash.sortedindexby">lodash.sortedindexby</a></li> <li><a href="https://www.npmjs.com/package/lodash.zipobjectdeep">lodash.zipobjectdeep</a></li> <li><a href="https://www.npmjs.com/package/lodash.unset">lodash.unset</a></li> <li><a href="https://www.npmjs.com/package/lodash.omit">lodash.omit</a></li> <li><a href="https://www.npmjs.com/package/lodash.template">lodash.template</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a 
href="https://github.com/lodash/lodash/commit/cb0b9b9212521c08e3eafe7c8cb0af1b42b6649e"><code>cb0b9b9</code></a> release(patch): bump main to 4.18.1 (<a href="https://redirect.github.com/lodash/lodash/issues/6177">#6177</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/75535f57883b7225adb96de1cfc1cd4169cfcb51"><code>75535f5</code></a> chore: prune stale advisory refs (<a href="https://redirect.github.com/lodash/lodash/issues/6170">#6170</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/62e91bc6a39c98d85b9ada8c44d40593deaf82a4"><code>62e91bc</code></a> docs: remove n_ Node.js &lt; 6 REPL note from README (<a href="https://redirect.github.com/lodash/lodash/issues/6165">#6165</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/59be2de61f8aa9461c7856533b51d31b7d8babc4"><code>59be2de</code></a> release(minor): bump to 4.18.0 (<a href="https://redirect.github.com/lodash/lodash/issues/6161">#6161</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/af634573030f979194871da7c68f79420992f53d"><code>af63457</code></a> fix: broken tests for _.template 879aaa9</li> <li><a href="https://github.com/lodash/lodash/commit/1073a7693e1727e0cf3641e5f71f75ddcf8de7c0"><code>1073a76</code></a> fix: linting issues</li> <li><a href="https://github.com/lodash/lodash/commit/879aaa93132d78c2f8d20c60279da9f8b21576d6"><code>879aaa9</code></a> fix: validate imports keys in _.template</li> <li><a href="https://github.com/lodash/lodash/commit/fe8d32eda854377349a4f922ab7655c8e5df9a0b"><code>fe8d32e</code></a> fix: block prototype pollution in baseUnset via constructor/prototype traversal</li> <li><a href="https://github.com/lodash/lodash/commit/18ba0a32f42fd02117f096b032f89c984173462d"><code>18ba0a3</code></a> refactor(fromPairs): use baseAssignValue for consistent assignment (<a href="https://redirect.github.com/lodash/lodash/issues/6153">#6153</a>)</li> <li><a 
href="https://github.com/lodash/lodash/commit/b8190803d48d60b8c80ad45d39125f32fa618cb2"><code>b819080</code></a> ci: add dist sync validation workflow (<a href="https://redirect.github.com/lodash/lodash/issues/6137">#6137</a>)</li> <li>Additional commits viewable in <a href="https://github.com/lodash/lodash/compare/4.17.21...4.18.1">compare view</a></li> </ul> </details> <br /> Updates `picomatch` from 4.0.3 to 4.0.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/micromatch/picomatch/releases">picomatch's releases</a>.</em></p> <blockquote> <h2>4.0.4</h2> <p>This is a security release fixing several security relevant issues.</p> <h2>What's Changed</h2> <ul> <li>Fix for <a href="https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj">CVE-2026-33671</a></li> <li>Fix for <a href="https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p">CVE-2026-33672</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/micromatch/picomatch/compare/4.0.3...4.0.4">https://github.com/micromatch/picomatch/compare/4.0.3...4.0.4</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/micromatch/picomatch/commit/e5474fc1a4d7991870058170407dda8a42be5334"><code>e5474fc</code></a> Publish 4.0.4</li> <li><a href="https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903"><code>4516eb5</code></a> Merge commit from fork</li> <li><a href="https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d"><code>5eceecd</code></a> Merge commit from fork</li> <li><a href="https://github.com/micromatch/picomatch/commit/0db7dd70651ca7c8265601c0442a996ed32e3238"><code>0db7dd7</code></a> Run benchmark again against latest minimatch version (<a href="https://redirect.github.com/micromatch/picomatch/issues/161">#161</a>)</li> <li><a 
href="https://github.com/micromatch/picomatch/commit/95003777eb1c60dec09495a8231fa2ba4054d76a"><code>9500377</code></a> docs: clarify what brace expansion syntax is and isn't supported (<a href="https://redirect.github.com/micromatch/picomatch/issues/134">#134</a>)</li> <li><a href="https://github.com/micromatch/picomatch/commit/2661f23eca86c8b4a2b14815b9b2b3b74bd5a171"><code>2661f23</code></a> fix typo in globstars.js test name (<a href="https://redirect.github.com/micromatch/picomatch/issues/138">#138</a>)</li> <li><a href="https://github.com/micromatch/picomatch/commit/1798b07e9df59500b9cf567294d44d559032f4c7"><code>1798b07</code></a> docs: fix <code>makeRe</code> example (<a href="https://redirect.github.com/micromatch/picomatch/issues/143">#143</a>)</li> <li><a href="https://github.com/micromatch/picomatch/commit/9d76bc57a03b7f57cc4ca516c8071daf632bafd8"><code>9d76bc5</code></a> chore: undocument removed options (<a href="https://redirect.github.com/micromatch/picomatch/issues/146">#146</a>)</li> <li><a href="https://github.com/micromatch/picomatch/commit/e4d718bbfb47e4f030ab2612b5b04a9297fe272d"><code>e4d718b</code></a> Remove unused time-require (<a href="https://redirect.github.com/micromatch/picomatch/issues/160">#160</a>)</li> <li><a href="https://github.com/micromatch/picomatch/commit/38dffeb16221cc8eb8981524fb6895dd2aaaba76"><code>38dffeb</code></a> chore(deps): pin dependencies (<a href="https://redirect.github.com/micromatch/picomatch/issues/158">#158</a>)</li> <li>Additional commits viewable in <a href="https://github.com/micromatch/picomatch/compare/4.0.3...4.0.4">compare view</a></li> </ul> </details> <br /> Updates `picomatch` from 2.3.1 to 2.3.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/micromatch/picomatch/releases">picomatch's releases</a>.</em></p> <blockquote> <h2>4.0.4</h2> <p>This is a security release fixing several security relevant issues.</p> <h2>What's Changed</h2> <ul> <li>Fix for <a 
href="https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj">CVE-2026-33671</a></li> <li>Fix for <a href="https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p">CVE-2026-33672</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/micromatch/picomatch/compare/4.0.3...4.0.4">https://github.com/micromatch/picomatch/compare/4.0.3...4.0.4</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/micromatch/picomatch/commit/e5474fc1a4d7991870058170407dda8a42be5334"><code>e5474fc</code></a> Publish 4.0.4</li> <li><a href="https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903"><code>4516eb5</code></a> Merge commit from fork</li> <li><a href="https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d"><code>5eceecd</code></a> Merge commit from fork</li> <li><a href="https://github.com/micromatch/picomatch/commit/0db7dd70651ca7c8265601c0442a996ed32e3238"><code>0db7dd7</code></a> Run benchmark again against latest minimatch version (<a href="https://redirect.github.com/micromatch/picomatch/issues/161">#161</a>)</li> <li><a href="https://github.com/micromatch/picomatch/commit/95003777eb1c60dec09495a8231fa2ba4054d76a"><code>9500377</code></a> docs: clarify what brace expansion syntax is and isn't supported (<a href="https://redirect.github.com/micromatch/picomatch/issues/134">#134</a>)</li> <li><a href="https://github.com/micromatch/picomatch/commit/2661f23eca86c8b4a2b14815b9b2b3b74bd5a171"><code>2661f23</code></a> fix typo in globstars.js test name (<a href="https://redirect.github.com/micromatch/picomatch/issues/138">#138</a>)</li> <li><a href="https://github.com/micromatch/picomatch/commit/1798b07e9df59500b9cf567294d44d559032f4c7"><code>1798b07</code></a> docs: fix <code>makeRe</code> example (<a href="https://redirect.github.com/micromatch/picomatch/issues/143">#143</a>)</li> <li><a 
href="https://github.com/micromatch/picomatch/commit/9d76bc57a03b7f57cc4ca516c8071daf632bafd8"><code>9d76bc5</code></a> chore: undocument removed options (<a href="https://redirect.github.com/micromatch/picomatch/issues/146">#146</a>)</li> <li><a href="https://github.com/micromatch/picomatch/commit/e4d718bbfb47e4f030ab2612b5b04a9297fe272d"><code>e4d718b</code></a> Remove unused time-require (<a href="https://redirect.github.com/micromatch/picomatch/issues/160">#160</a>)</li> <li><a href="https://github.com/micromatch/picomatch/commit/38dffeb16221cc8eb8981524fb6895dd2aaaba76"><code>38dffeb</code></a> chore(deps): pin dependencies (<a href="https://redirect.github.com/micromatch/picomatch/issues/158">#158</a>)</li> <li>Additional commits viewable in <a href="https://github.com/micromatch/picomatch/compare/4.0.3...4.0.4">compare view</a></li> </ul> </details> <br /> Updates `socket.io-parser` from 4.2.5 to 4.2.6 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/socketio/socket.io/releases">socket.io-parser's releases</a>.</em></p> <blockquote> <h2>socket.io-parser@4.2.6</h2> <p>This release includes a fix for <a href="https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9">CVE-2026-33151</a>. 
Please upgrade as soon as possible.</p> <h3>Bug Fixes</h3> <ul> <li>add a limit to the number of binary attachments (<a href="https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78">b25738c</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/socketio/socket.io/commit/522edcdbb89da5eb647abb93c73229d1e91c304f"><code>522edcd</code></a> chore(release): socket.io-parser@4.2.6</li> <li><a href="https://github.com/socketio/socket.io/commit/3fff7cafa98f1ba5840475b6917c651fe841a943"><code>3fff7ca</code></a> fix(parser): add a limit to the number of binary attachments</li> <li><a href="https://github.com/socketio/socket.io/commit/37aad11417d1020cf51d27a0cf90fa367efd5dc1"><code>37aad11</code></a> fix: cleanup pending acks on timeout to prevent memory leak</li> <li><a href="https://github.com/socketio/socket.io/commit/ba9cd6900d0d84678623cd8e3a42165e922f3fbd"><code>ba9cd69</code></a> revert: fix: cleanup pending acks on timeout to prevent memory leak</li> <li><a href="https://github.com/socketio/socket.io/commit/84c2fb78217b6375b38e0b47e0d59d7b1b8431d7"><code>84c2fb7</code></a> chore(release): engine.io@6.6.6</li> <li><a href="https://github.com/socketio/socket.io/commit/07cbe1510ded7e5460cb82e026e2533e50e30eaf"><code>07cbe15</code></a> fix(eio): add <code>@​types/ws</code> as dependency (<a href="https://redirect.github.com/socketio/socket.io/issues/5458">#5458</a>)</li> <li><a href="https://github.com/socketio/socket.io/commit/44ed73f53995d35ef0c8d10df6806d5687238282"><code>44ed73f</code></a> fix(eio): emit initial_headers and headers events in uServer (<a href="https://redirect.github.com/socketio/socket.io/issues/5460">#5460</a>)</li> <li><a href="https://github.com/socketio/socket.io/commit/da04267ffc7b0903ca91f2fccb80e56246d13328"><code>da04267</code></a> fix: cleanup pending acks on timeout to prevent memory leak (<a 
href="https://redirect.github.com/socketio/socket.io/issues/5442">#5442</a>)</li> <li><a href="https://github.com/socketio/socket.io/commit/74599a6b9e3dbeff1a9efe46c305d5d25d6e3dd8"><code>74599a6</code></a> fix(types): properly import http module</li> <li><a href="https://github.com/socketio/socket.io/commit/d48718cb675721fc1252775115592ebd1b255899"><code>d48718c</code></a> ci: use actions/checkout@v6 and actions/setup-node@v6 (<a href="https://redirect.github.com/socketio/socket.io/issues/5449">#5449</a>)</li> <li>Additional commits viewable in <a href="https://github.com/socketio/socket.io/compare/socket.io-parser@4.2.5...socket.io-parser@4.2.6">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless 
you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/tockawaffle/sipher/network/alerts). </details>
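
The lodash 4.18.0 security note quoted in the comment above says `constructor` and `prototype` are now blocked unconditionally as non-terminal path keys, after array-wrapped segments and primitive roots slipped past the earlier guards. The block below is an added example of that kind of guard, not lodash's code and not part of this PR: `guardedUnset`, `toKeys`, `isContainer` and `demo` are hypothetical names, blocking `__proto__` and walking own properties only are assumptions made here, and the sample objects are constructed.

```javascript
// Keys that may never be traversed on the way to the property being removed.
// `constructor` and `prototype` come from the release notes; `__proto__` is
// an assumption added for this example.
const BLOCKED_NON_TERMINAL = new Set(['constructor', 'prototype', '__proto__']);

// Normalise a path into an array of property keys. Every segment is coerced
// with String() BEFORE the guard looks at it, so an array-wrapped segment
// such as ['constructor'] is compared as "constructor", the same key that
// property access would end up using.
function toKeys(path) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  return segments.map((seg) => (typeof seg === 'symbol' ? seg : String(seg)));
}

function isContainer(value) {
  return value !== null && (typeof value === 'object' || typeof value === 'function');
}

// Hypothetical hardened unset. Returns false when the path is refused,
// true when the property is gone (or was never there).
function guardedUnset(root, path) {
  const keys = toKeys(path);
  const parents = keys.slice(0, -1);

  // 1. Guard first, on every non-terminal key, whatever the root is.
  //    Running this before any type check means a primitive root cannot
  //    skip it.
  for (const key of parents) {
    if (BLOCKED_NON_TERMINAL.has(key)) return false;
  }

  // 2. Walk own properties only, so inherited members are never reached.
  let node = root;
  for (const key of parents) {
    if (!isContainer(node) || !Object.prototype.hasOwnProperty.call(node, key)) {
      return true; // nothing at this path, nothing to delete
    }
    node = node[key];
  }

  const last = keys[keys.length - 1];
  if (!isContainer(node) || !Object.prototype.hasOwnProperty.call(node, last)) {
    return true;
  }
  // Reflect.deleteProperty reports failure as false instead of throwing.
  return Reflect.deleteProperty(node, last);
}

// Constructed sample data: a local class stands in for the shared prototype,
// so the demonstration never touches a built-in.
function demo() {
  class Widget { render() { return 'ok'; } }
  const state = { user: { name: 'a', token: 't' }, widget: new Widget() };
  return {
    benign: guardedUnset(state, 'user.token'),
    tokenGone: !('token' in state.user),
    viaConstructor: guardedUnset(state, 'widget.constructor.prototype.render'),
    arrayWrapped: guardedUnset(state, ['widget', ['constructor'], 'prototype', 'render']),
    primitiveRoot: guardedUnset('str', ['constructor', 'prototype', 'render']),
    terminalKey: guardedUnset({ constructor: 1 }, 'constructor'),
    renderIntact: typeof Widget.prototype.render === 'function',
  };
}
```

Only the terminal key may be `constructor` or `prototype`; any path that passes through one of them is refused and the target is left untouched, which matches the `false` return value the release notes describe.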
dependabot[bot] commented 2026-04-08 13:38:33 +00:00 (Migrated from github.com)

Looks like these dependencies are updatable in another way, so this is no longer needed.

Pull request closed
