Skip to content

Bump the npm_and_yarn group across 1 directory with 11 updates#917

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/pattern-categorization/npm_and_yarn-30ecc1c3fa
Open

Bump the npm_and_yarn group across 1 directory with 11 updates#917
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/pattern-categorization/npm_and_yarn-30ecc1c3fa

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 11, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 11 updates in the /pattern-categorization directory:

Package From To
@hono/node-server 1.19.6 1.19.14
basic-ftp 5.0.5 5.3.1
hono 4.11.4 4.12.29
ip-address 10.1.0 10.2.0
js-yaml 4.1.1 4.3.0
linkify-it 5.0.0 5.0.2
lodash 4.17.21 4.18.1
markdown-it 14.1.0 14.3.0
undici 6.22.0 6.27.0
ws 8.18.3 8.21.0
yaml 2.8.1 2.9.0

Updates @hono/node-server from 1.19.6 to 1.19.14

Release notes

Sourced from @​hono/node-server's releases.

v1.19.14

What's Changed

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

v1.19.9

What's Changed

Full Changelog: honojs/node-server@v1.19.8...v1.19.9

v1.19.8

What's Changed

New Contributors

... (truncated)

Commits

Updates basic-ftp from 5.0.5 to 5.3.1

Release notes

Sourced from basic-ftp's releases.

5.3.1

5.3.0

  • Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
  • Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

5.2.1

5.2.0

  • Changed: Skip files with invalid name in downloadToDir.

5.1.0

  • Added: Add the option to prevent the use of separate transfer host IPs when using PASV. (#259)
Changelog

Sourced from basic-ftp's changelog.

5.3.1

5.3.0

  • Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
  • Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

5.2.1

5.2.0

5.1.0

  • Added: Add the option to prevent the use of separate transfer host IPs when using PASV. (#259)
Commits
Maintainer changes

This version was pushed to npm by patrickjuchli, a new releaser for basic-ftp since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates hono from 4.11.4 to 4.12.29

Release notes

Sourced from hono's releases.

v4.12.29

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.28...v4.12.29

v4.12.28

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.27...v4.12.28

v4.12.27

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

... (truncated)

Commits
  • cda1af2 4.12.29
  • 2126289 fix(etag): treat If-None-Match: * as a match (#5084)
  • 0fc7ffc fix(trie-router): match empty wildcard remainder after regexp param (#5102)
  • ab590e4 fix(types): strip extra properties from array types in JSONParsed (#5103)
  • b93a254 fix(aws-lambda): treat any non-identity content-encoding as binary (#5101)
  • 6217f4b fix(lambda-edge): base64 encode content-encoded response bodies (#5099)
  • ba89e97 test(workerd): add compatibilityDate (#5100)
  • 46557ef docs(language): add JSDoc @​example to languageDetector (#5081)
  • 24547a6 fix(lambda-edge): resolve the handler with the value passed to the callback (...
  • 9c6ccd7 chore: fix no-op tsc in test script (#5093)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hono since your current version.


Updates ip-address from 10.1.0 to 10.2.0

Commits
  • 80fccaa 10.2.0
  • abaeb4d Type Address4.addressMinusSuffix as non-nilable (closes #143)
  • 2878c29 Preserve subnet prefix through Address6.to4() (closes #123) (#203)
  • 586666e Reject trailing junk in Address6.fromURL (closes #158) (#202)
  • 80bc76e Validate static factories instead of silently overflowing (#201)
  • 98927be Clarify isValid() accepts CIDRs with host bits set (#81)
  • a0eb073 Fix getScope() and broaden getType() classification (closes #122) (#200)
  • ec52105 Add networkForm() for CIDR network-address strings (#199)
  • a9443a7 Add isMapped4() predicate for IPv4-mapped IPv6 addresses (closes #62) (#198)
  • f01d742 Add address-property predicates (private, ULA, loopback, link-local, etc.) (#...
  • Additional commits viewable in compare view

Updates js-yaml from 4.1.1 to 4.3.0

Changelog

Sourced from js-yaml's changelog.

4.3.0, 3.15.0 - 2026-06-27

Security

  • Backported maxTotalMergeKeys option.

[5.2.0] - 2026-06-26

Added

  • Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.
  • Added maxAliases (-1) loader option to limit the number of YAML aliases per document.

Removed

  • maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

Fixed

  • Round-trip of integers with exponential form (>= 1e21)

[5.1.0] - 2026-06-23

Added

  • Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

  • [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

  • Added named exports for schemas, tags, parser events and AST utilities.
  • Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
  • Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
  • Added dump() transform option for changing the generated AST before rendering.
  • Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
  • Added formal data layers (events and AST) for modular data pipelines.
    • Added low-level parser (to events), presenter and visitor APIs.
  • Added the YAML Test Suite to the test set.

Changed

  • See the migration guide for upgrade notes.
  • Rewritten in TypeScript and reorganized the public API around flat named exports.

... (truncated)

Commits
  • 33d05b5 4.3.0 released
  • 663bfab Drop demo publish, to not override new v5 one.
  • 1cb8c7b Add v4-legacy tag for publish
  • 02f27af Restore umd builds back to es5
  • 8be84ed Fix es5 compatibility
  • 59423c6 Replace maxMergeSeqLength option with maxTotalMergeKeys (more robust). Ba...
  • 6842ef6 doc polish
  • 590dbab 4.2.0 released
  • f944dc5 Add package.json funding field
  • f692719 Changelog update
  • Additional commits viewable in compare view

Updates linkify-it from 5.0.0 to 5.0.2

Changelog

Sourced from linkify-it's changelog.

5.0.2 / 2026-07-02

  • Fixed DoS in mailto: links (restrict user name to 64 chars).
  • Restricted user/pass part length in links.

5.0.1 / 2026-05-23

  • Fixed DoS in fuzzy links/emails search.
  • Reworked search logic - check each pattern separate, use g regexes instead of slice.
  • Removed internal cache - useless overcomplication.
Commits

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates markdown-it from 14.1.0 to 14.3.0

Changelog

Sourced from markdown-it's changelog.

[14.3.0] - 2026-07-02

Changed

  • Reworked build pipeline & tools.
  • Added source maps.
  • Bumped linkify-it to 5.0.2.

Fixed

  • Preserve backslash-space hard line breaks, matching CommonMark 6.7, #1185.

[14.2.0] - 2026-05-24

Added

  • isPunctCharCode to utilities.

Fixed

  • Don't end HTML comment blocks on a blank line, #1155.
  • Properly recognize astral chars (surrogates) in delimiter scans for emphasis-like markers, #1072. Big thanks to @​tats-u for his global efforts with improving CJK support.
  • Preserve unicode whitespaces when trimm headings/paragraphs, #1074.
  • More strict entities decode to avoid false positives ;, #1096.
  • Restore block parser state on fail in lheading rule, #1131.

Security

  • Fixed poor smartquotes perfomance on > 70k quotes in single block
  • Bumped linkify-it to 5.0.1 with fixed potential perfomance issues.

[14.1.1] - 2026-01-11

Security

  • Fixed regression from v13 in linkify inline rule. Specific patterns could cause high CPU use. Thanks to @​ltduc147 for report.
Commits
  • ff0ee08 14.3.0 released
  • 52e2749 Bump linkify-it / vite deps
  • 56c2404 fix: keep backslash-space hard line break (CommonMark 6.7) (#1185)
  • 0fbb18b Bump vite from 8.0.14 to 8.0.16 (#1181)
  • 83450e2 Rework benchmark deps and bump versions
  • 57a6863 benchmark => tinybench
  • 7608db1 Update CI config
  • 9d8eb42 Added package-lock and updated versions to latest possible
  • 0aee70d lint: enable @​stylistic/no-multi-spaces rule
  • 8878985 lint => neostandard
  • Additional commits viewable in compare view

Updates undici from 6.22.0 to 6.27.0

Release notes

Sourced from undici's releases.

v6.27.0

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0v6.26.0 contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 6.27.0 b7f252e7
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 6.27.0 25efa447
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 6.27.0 25efa447
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 6.27.0 f4c31d60

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

... (truncated)

Commits

Updates ws from 8.18.3 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits
  • bca91ad [dist] 8.21.0
  • 2b2abd4 [security] Limit retained message parts
  • 78eabe2 [security] Add latest vulnerability to SECURITY.md
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • 8439255 [dist] 8.20.0
  • d3503c1 [minor] Export the PerMessageDeflate class and header utils
  • Additional commits viewable in compare view

Updates yaml from 2.8.1 to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

  • fix: Avoid calling Array.prototype.push.apply() with large source array
  • fix(lexer): Avoid recursive calls that may exhaust the call stack

v2.8.4

  • Disable alias resolution with maxAliasCount:0 (#677)
  • Handle invalid unicode escapes (e1a1a77)
  • Apply minFractionDigits only to decimal strings (#676)

v2.8.3

  • Add trailingComma ToString option for multiline flow formatting (#670)
  • Catch stack overflow during node composition (1e84ebb)

v2.8.2

  • Serialize -0 as -0 (#638)
  • Do not double newlines for empty map values (#642)
Commits
  • ddb21b0 2.9.0
  • 167365b docs: Clarify that not all errors can be avoided
  • 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
  • 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
  • ccdf743 2.8.4
  • f625789 fix: Disable alias resolution with maxAliasCount:0 (#677)
  • e1a1a77 fix: Handle invalid unicode escapes
  • a163ea0 style: Satify Prettier
  • b2a5a6c fix: Apply minFractionDigits only to decimal strings (#676)
  • 93c951b chore: Bump JSR version to v2.8.3 (#673)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 11 updates in the /pattern-categorization directory:

| Package | From | To |
| --- | --- | --- |
| [@hono/node-server](https://github.com/honojs/node-server) | `1.19.6` | `1.19.14` |
| [basic-ftp](https://github.com/patrickjuchli/basic-ftp) | `5.0.5` | `5.3.1` |
| [hono](https://github.com/honojs/hono) | `4.11.4` | `4.12.29` |
| [ip-address](https://github.com/beaugunderson/ip-address) | `10.1.0` | `10.2.0` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.1` | `4.3.0` |
| [linkify-it](https://github.com/markdown-it/linkify-it) | `5.0.0` | `5.0.2` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` |
| [markdown-it](https://github.com/markdown-it/markdown-it) | `14.1.0` | `14.3.0` |
| [undici](https://github.com/nodejs/undici) | `6.22.0` | `6.27.0` |
| [ws](https://github.com/websockets/ws) | `8.18.3` | `8.21.0` |
| [yaml](https://github.com/eemeli/yaml) | `2.8.1` | `2.9.0` |



Updates `@hono/node-server` from 1.19.6 to 1.19.14
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v1.19.6...v1.19.14)

Updates `basic-ftp` from 5.0.5 to 5.3.1
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](patrickjuchli/basic-ftp@v5.0.5...v5.3.1)

Updates `hono` from 4.11.4 to 4.12.29
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.11.4...v4.12.29)

Updates `ip-address` from 10.1.0 to 10.2.0
- [Commits](beaugunderson/ip-address@v10.1.0...v10.2.0)

Updates `js-yaml` from 4.1.1 to 4.3.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.1...4.3.0)

Updates `linkify-it` from 5.0.0 to 5.0.2
- [Changelog](https://github.com/markdown-it/linkify-it/blob/master/CHANGELOG.md)
- [Commits](markdown-it/linkify-it@5.0.0...5.0.2)

Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `markdown-it` from 14.1.0 to 14.3.0
- [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md)
- [Commits](markdown-it/markdown-it@14.1.0...14.3.0)

Updates `undici` from 6.22.0 to 6.27.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.22.0...v6.27.0)

Updates `ws` from 8.18.3 to 8.21.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.18.3...8.21.0)

Updates `yaml` from 2.8.1 to 2.9.0
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.8.1...v2.9.0)

---
updated-dependencies:
- dependency-name: "@hono/node-server"
  dependency-version: 1.19.14
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: basic-ftp
  dependency-version: 5.3.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.29
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.3.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: linkify-it
  dependency-version: 5.0.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: markdown-it
  dependency-version: 14.3.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 6.27.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: yaml
  dependency-version: 2.9.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jul 11, 2026
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jul 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants