Skip to content

build(deps): bump the npm_and_yarn group across 2 directories with 21 updates#508

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-6f97abea6b
Open

build(deps): bump the npm_and_yarn group across 2 directories with 21 updates#508
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-6f97abea6b

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 12 updates in the / directory:

Package From To
@babel/core 7.29.0 7.29.6
undici 6.24.1 6.27.0
@babel/plugin-transform-modules-systemjs 7.29.0 7.29.7
axios 1.14.0 1.18.1
dompurify 3.3.3 3.4.12
fast-uri 3.1.0 3.1.3
fast-xml-builder 1.1.4 1.3.0
fast-xml-parser 4.5.5 4.5.7
form-data 4.0.5 4.0.6
js-cookie 3.0.5 3.0.8
tar 7.5.11 7.5.19
ws 8.20.0 8.21.1

Bumps the npm_and_yarn group with 12 updates in the /docusaurus directory:

Package From To
@babel/plugin-transform-modules-systemjs 7.29.0 7.29.7
js-yaml 3.14.2 3.15.0
postcss 8.5.6 8.5.19
dompurify 3.3.1 3.4.12
fast-uri 3.1.0 3.1.3
follow-redirects 1.15.11 1.16.0
ws 7.5.10 7.5.12
launch-editor 2.13.1 2.14.1
mermaid 11.12.3 11.16.0
qs 6.14.2 6.15.3
webpack-dev-server 5.2.3 5.2.6
websocket-driver 0.7.4 0.7.5

Updates @babel/core from 7.29.0 to 7.29.6

Release notes

Sourced from @​babel/core's releases.

v7.29.6 (2026-05-25)

🐛 Bug Fix

Committers: 3

v7.29.5 (2026-05-05)

🏠 Internal

  • babel-preset-env
    • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

  • babel-plugin-transform-modules-systemjs
    • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

v7.29.3 (2026-04-30)

👓 Spec Compliance

🐛 Bug Fix

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
    • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
  • babel-register
  • babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env

💅 Polish

📝 Documentation

... (truncated)

Commits

Updates undici from 6.24.1 to 6.27.0

Release notes

Sourced from undici's releases.

v6.27.0

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0v6.26.0 contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 6.27.0 b7f252e7
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 6.27.0 25efa447
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 6.27.0 25efa447
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 6.27.0 f4c31d60

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

... (truncated)

Commits

Updates @babel/plugin-transform-modules-systemjs from 7.29.0 to 7.29.7

Release notes

Sourced from @​babel/plugin-transform-modules-systemjs's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

Committers: 3

v7.29.5 (2026-05-05)

🏠 Internal

  • babel-preset-env
    • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

  • babel-plugin-transform-modules-systemjs
    • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

v7.29.3 (2026-04-30)

👓 Spec Compliance

🐛 Bug Fix

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
    • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
  • babel-register
  • babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env

💅 Polish

  • babel-parser

... (truncated)

Commits

Updates axios from 1.14.0 to 1.18.1

Release notes

Sourced from axios's releases.

v1.18.1 — June 21, 2026

This release focuses on Node HTTP adapter fixes, safer AxiosError serialisation, runtime/type correctness fixes, documentation updates, and dependency maintenance.

🐛 Bug Fixes

  • AxiosError Serialisation: Made AxiosError#cause non-enumerable to prevent circular JSON serialisation failures when errors include nested causes. (#10913)
  • Node HTTP Adapter: Guarded socket.setKeepAlive for proxy agent streams, accepted path-only URLs when socketPath is configured, deferred environment proxy handling to Node, and explicitly passed maxBodyLength through to follow-redirects. (#10917, #10930, #10942, #10993)
  • Runtime and Type Correctness: Fixed several runtime crashes, type definition mismatches, and incorrect error handling paths. (#10959, #11021)
  • AxiosURLSearchParams: Switched the encoder callback to an arrow function so encoder.call(this) receives the AxiosURLSearchParams instance correctly. (#11019)

🔧 Maintenance & Chores

  • Documentation: Documented sensitive headers and status transition behaviour, prepared cleaned-up docs, added Deno install instructions, and clarified that request data is request-specific (#11007, #11010, #11023, #11025)

  • Dependencies: Bumped vite, rollup, form-data, js-yaml, and multer across the root project, docs, smoke tests, and module test workspaces. (#11011, #11012, #11013, #11014, #11015, #11016, #11017, #11026)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

  • Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

  • URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

  • Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

  • Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

  • Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

  • Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

  • Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

  • URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

  • Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

  • Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

  • Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

  • Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)

... (truncated)

Commits
  • a209bfb chore(release): prepare release 1.18.1 (#11027)
  • fa6a55e chore(deps-dev): bump multer from 2.1.1 to 2.2.0 (#11026)
  • 40e7be8 docs: clarifies that request data is request-specific in axios (#11025)
  • a446b39 fix(AxiosURLSearchParams): use arrow function so encoder.call(this) receives ...
  • cf1306a docs: add Deno to install instructions (#11023)
  • b32880a fix: incorrect use of error (#11021)
  • 1792eda fix: ensure maxBodyLength is explicitly passed to follow-redirects (#10993)
  • 30499d6 fix: various runtime crashes and type definition mismatches (#10959)
  • 20ce9c4 fix(http): defer env proxy handling to Node (#10942)
  • e64bcf9 chore(deps): merge branch 'v1.x' into tests/module/cjs (#11014)
  • Additional commits viewable in compare view

Updates dompurify from 3.3.3 to 3.4.12

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.12

  • Fixed an issue where a hook would not get called for custom elements, thanks @​Rikuxx0
  • Hardened the handling of hooks removing elements, @​mkrause-bee360
  • Added support for a few new SVG attributes, thanks @​cbn-falias & @​Develop-KIM
  • Hardened the handling of declarative partial updates
  • Updated the documentation is several spots, README, wiki, etc.
  • Bumped several dependencies where possible

DOMPurify 3.4.11

  • Fixed an issue with a leaky config for hooks via setConfig, thanks @​trace37labs
  • Bumped vulnerable development dependencies to arrive at plain 0 with npm audit
  • Updated the osv-scanner suppression list as no vulnerable dependencies are left for now
  • Updated up the linting tool-chain and removed now-redundant lint directives
  • Updated the documentation is several spots, README, wiki, etc.
  • Bumped several dependencies where possible

DOMPurify 3.4.10

  • Refactored codebase for clarity: extracted the public type declarations into types.ts
  • Decomposed the three largest sanitizer functions into focused helpers
  • Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
  • Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
  • Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
  • Reduced CI cost by running the full three-engine browser suite once per PR
  • Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo
  • Documented the bench and test:happydom scripts in the README
  • Completed the Attack Classes & Bypass History wiki page
  • Bumped several dependencies where possible

DOMPurify 3.4.9

  • Further improved the handling of Trusted Types config options, thanks @​offset
  • Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
  • Added more test coverage for IN_PLACE and Trusted Types related usage
  • Bumped several dependencies where possible
  • Updated README and wiki with more accurate documentation & attack samples

DOMPurify 3.4.8

  • Cleaned up the repository root, renamed some and removed unneeded files
  • Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
  • Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
  • Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
  • Bumped several dependencies where possible

DOMPurify 3.4.7

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @​offset
  • Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

... (truncated)

Commits
Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates fast-uri from 3.1.0 to 3.1.3

Release notes

Sourced from fast-uri's releases.

v3.1.3

⚠️ Security Release

Full Changelog: fastify/fast-uri@v3.1.2...v3.1.3

v3.1.2

⚠️ Security Release

What's Changed

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits

Updates fast-xml-builder from 1.1.4 to 1.3.0

Changelog

Sourced from fast-xml-builder's changelog.

1.3.0 (2026-07-11)

  • upgrade:
    • xml-naming v0.3.0: cache support
    • PEM v1.6.2: sibling bug fix

1.2.1 (2026-07-03)

  • fix: escape quotes in stopNode attribute values (By greymoth)
  • fix: neutralize double hyphen in multi-key comment object (By spokodev)

1.2.0 (2026-05-08)

  • Add support for sanitizeName option
  • Support xml-naming for validating and sanitizing tag and attribute names

1.1.9 (2026-05-06)

  • fix: format output for preserve order when indent by is set to empty string

1.1.8 (2026-05-05)

  • fix: skip text property for PI tags
  • improve typings

1.1.7 (2026--05-04)

  • fix security issues when attribute value contains quotes

1.1.6 (2026--05-04)

  • fix security issues related to comment
  • skip comment with null value

1.1.5 (2026-04-17)

  • fix security issues related to comment and cdata

1.1.4 (2026-03-16)

  • support maxNestedTags option

1.1.3 (2026-03-13)

  • declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

1.1.2 (2026-03-11)

  • fix typings

1.1.1 (2026-03-11)

  • upgrade path-expression-matcher to 1.1.3

1.1.0 (2026-03-10)

Commits
  • 11829bf 1.3.0
  • 60774c1 browser bundle
  • 740bd54 update dependency
  • ed22f02 1.2.1
  • 9dc1fc9 update release info
  • 64808e5 Merge pull request #15 from spokodev/fix/multikey-comment-double-hyphen
  • e930f89 Merge pull request #14 from greymoth-jp/fix/stopnode-attr-escape
  • 121d93e fix: neutralize double hyphen in multi-key comment object
  • 0235eb0 fix: escape quotes in stopNode attribute values
  • e6d7c63 Update funding sources in FUNDING.yml
  • Additional commits viewable in compare view

Updates fast-xml-parser from 4.5.5 to 4.5.7

Release notes

Sourced from fast-xml-parser's releases.

Summary update on all the previous releases from v4.2.4

  • Multiple minor fixes provided in the validator and parser
  • v6 is added for experimental use.
  • ignoreAttributes support function, and array of string or regex
  • Add support for parsing HTML numeric entities
  • v5 of the application is ESM module now. However, JS is also supported

Note: Release section in not updated frequently. Please check CHANGELOG or Tags for latest release information.

Commits

Updates follow-redirects from 1.15.11 to 1.16.0

Commits
  • 0c23a22 Release version 1.16.0 of the npm package.
  • 844c4d3 Add sensitiveHeaders option.
  • 5e8b8d0 ci: add Node.js 24.x to the CI matrix
  • 7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
  • 86dc1f8 Sanitizing input.
  • See full diff in compare view

Updates form-data from 4.0.5 to 4.0.6

Changelog

Sourced from form-data's changelog.

v4.0.6 - 2026-06-12

Commits

  • [Fix] escape CR, LF, and " in field names and filenames 8dff42c
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape f31d21e
  • [Deps] update hasown, mime-types 92ae0eb
  • [Dev Deps] update js-randomness-predictor 67b0f65
Commits
  • 64190db v4.0.6
  • 92ae0eb [Deps] update hasown, mime-types
  • f31d21e [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape
  • 8dff42c [Fix] escape CR, LF, and " in field names and filenames
  • 67b0f65 [Dev Deps] update js-randomness-predictor
  • See full diff in compare view

Updates js-cookie from 3.0.5 to 3.0.8

Release notes

Sourced from js-cookie's releases.

v3.0.8

  • Restore ES5 compatibility, inadvertently broken in 3.0.7 - #959
  • Lift Node version restriction, inadvertently restricted to >= 20 in 3.0.7 - #956

v3.0.7

  • Prevent cookie attribute injection: CVE-2026-46625 (eb3c40e)
  • Add Partitioned attribute to readme (b994768)
  • Publish to npm registry via trusted publisher exclusively (4dc71be)
  • Ensure consistent behaviour for get('name') + get() (1953d30)
Commits
  • d7a1096 Craft v3.0.8 release
  • 248e685 Use existing Chrome with puppeteer
  • fc04269 Remove QUnit related workaround in Grunt config
  • 265a685 Tidy up package lock file
  • 478e591 Disable Node deprecation DEP0044 for release workflow
  • 331d524 Fix node version config for E2E test job
  • 11d773d Ensure ECMAScript compatibility
  • d788646 Remove engines property from package
  • e7d9a4d Fix typo in test assertion message
  • b5fca24 Make credentials use explicit in release workflow
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for js-cookie since your current version.


Updates tar from 7.5.11 to 7.5.19

Commits

Updates ws from 8.20.0 to 8.21.1

Release notes

Sourced from ws's releases.

8.21.1

Bug fixes

  • Empty fragments are now counted toward the limit (a2f4e7c0).
  • The default values of the maxBufferedChunks and maxFragments options have been reduced (f197ac65).

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

... (truncated)

Commits

… updates

Bumps the npm_and_yarn group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) | `7.29.0` | `7.29.6` |
| [undici](https://github.com/nodejs/undici) | `6.24.1` | `6.27.0` |
| [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs) | `7.29.0` | `7.29.7` |
| [axios](https://github.com/axios/axios) | `1.14.0` | `1.18.1` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.3.3` | `3.4.12` |
| [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.3` |
| [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder) | `1.1.4` | `1.3.0` |
| [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) | `4.5.5` | `4.5.7` |
| [form-data](https://github.com/form-data/form-data) | `4.0.5` | `4.0.6` |
| [js-cookie](https://github.com/js-cookie/js-cookie) | `3.0.5` | `3.0.8` |
| [tar](https://github.com/isaacs/node-tar) | `7.5.11` | `7.5.19` |
| [ws](https://github.com/websockets/ws) | `8.20.0` | `8.21.1` |

Bumps the npm_and_yarn group with 12 updates in the /docusaurus directory:

| Package | From | To |
| --- | --- | --- |
| [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs) | `7.29.0` | `7.29.7` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `3.14.2` | `3.15.0` |
| [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.19` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.3.1` | `3.4.12` |
| [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.3` |
| [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.15.11` | `1.16.0` |
| [ws](https://github.com/websockets/ws) | `7.5.10` | `7.5.12` |
| [launch-editor](https://github.com/vitejs/launch-editor) | `2.13.1` | `2.14.1` |
| [mermaid](https://github.com/mermaid-js/mermaid) | `11.12.3` | `11.16.0` |
| [qs](https://github.com/ljharb/qs) | `6.14.2` | `6.15.3` |
| [webpack-dev-server](https://github.com/webpack/webpack-dev-server) | `5.2.3` | `5.2.6` |
| [websocket-driver](https://github.com/faye/websocket-driver-node) | `0.7.4` | `0.7.5` |



Updates `@babel/core` from 7.29.0 to 7.29.6
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.6/packages/babel-core)

Updates `undici` from 6.24.1 to 6.27.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.24.1...v6.27.0)

Updates `@babel/plugin-transform-modules-systemjs` from 7.29.0 to 7.29.7
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-plugin-transform-modules-systemjs)

Updates `axios` from 1.14.0 to 1.18.1
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.14.0...v1.18.1)

Updates `dompurify` from 3.3.3 to 3.4.12
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.3...3.4.12)

Updates `fast-uri` from 3.1.0 to 3.1.3
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.3)

Updates `fast-xml-builder` from 1.1.4 to 1.3.0
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-builder@v1.1.4...v1.3.0)

Updates `fast-xml-parser` from 4.5.5 to 4.5.7
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v4.5.5...v4.5.7)

Updates `follow-redirects` from 1.15.11 to 1.16.0
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0)

Updates `form-data` from 4.0.5 to 4.0.6
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v4.0.5...v4.0.6)

Updates `js-cookie` from 3.0.5 to 3.0.8
- [Release notes](https://github.com/js-cookie/js-cookie/releases)
- [Commits](js-cookie/js-cookie@v3.0.5...v3.0.8)

Updates `tar` from 7.5.11 to 7.5.19
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.11...v7.5.19)

Updates `ws` from 8.20.0 to 8.21.1
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.20.0...8.21.1)

Updates `@babel/plugin-transform-modules-systemjs` from 7.29.0 to 7.29.7
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-plugin-transform-modules-systemjs)

Updates `js-yaml` from 3.14.2 to 3.15.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.2...3.15.0)

Updates `postcss` from 8.5.6 to 8.5.19
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.6...8.5.19)

Updates `dompurify` from 3.3.1 to 3.4.12
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.3...3.4.12)

Updates `fast-uri` from 3.1.0 to 3.1.3
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.3)

Updates `follow-redirects` from 1.15.11 to 1.16.0
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0)

Updates `ws` from 7.5.10 to 7.5.12
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.20.0...8.21.1)

Updates `launch-editor` from 2.13.1 to 2.14.1
- [Commits](vitejs/launch-editor@v2.13.1...v2.14.1)

Updates `mermaid` from 11.12.3 to 11.16.0
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.12.3...mermaid@11.16.0)

Updates `qs` from 6.14.2 to 6.15.3
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.2...v6.15.3)

Updates `shell-quote` from 1.8.3 to 1.10.0
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.8.3...v1.10.0)

Updates `webpack-dev-server` from 5.2.3 to 5.2.6
- [Release notes](https://github.com/webpack/webpack-dev-server/releases)
- [Changelog](https://github.com/webpack/webpack-dev-server/blob/v5.2.6/CHANGELOG.md)
- [Commits](webpack/webpack-dev-server@v5.2.3...v5.2.6)

Updates `websocket-driver` from 0.7.4 to 0.7.5
- [Changelog](https://github.com/faye/websocket-driver-node/blob/main/CHANGELOG.md)
- [Commits](faye/websocket-driver-node@0.7.4...0.7.5)

---
updated-dependencies:
- dependency-name: "@babel/core"
  dependency-version: 7.29.6
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 6.27.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@babel/plugin-transform-modules-systemjs"
  dependency-version: 7.29.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 1.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.4.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-uri
  dependency-version: 3.1.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-builder
  dependency-version: 1.3.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-parser
  dependency-version: 4.5.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: form-data
  dependency-version: 4.0.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-cookie
  dependency-version: 3.0.8
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.19
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 8.21.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@babel/plugin-transform-modules-systemjs"
  dependency-version: 7.29.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 3.15.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.19
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.4.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-uri
  dependency-version: 3.1.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 7.5.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: launch-editor
  dependency-version: 2.14.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: mermaid
  dependency-version: 11.16.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.15.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: shell-quote
  dependency-version: 1.10.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: webpack-dev-server
  dependency-version: 5.2.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: websocket-driver
  dependency-version: 0.7.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants