Bump the npm_and_yarn group across 6 directories with 9 updates #16

Closed
dependabot[bot] wants to merge 1 commit into canary from dependabot/npm_and_yarn/npm_and_yarn-4a5f4fd2a8

@dependabot dependabot Bot commented on behalf of github May 11, 2026

Bumps the npm_and_yarn group with 1 update in the / directory: mermaid.
Bumps the npm_and_yarn group with 1 update in the /apps/bundle-analyzer directory: next.
Bumps the npm_and_yarn group with 1 update in the /examples/with-i18n-next-intl directory: next-intl.
Bumps the npm_and_yarn group with 1 update in the /test/e2e/app-dir/cache-components-allow-otel-spans directory: @opentelemetry/sdk-node.
Bumps the npm_and_yarn group with 1 update in the /turbopack/benchmark-apps directory: fast-uri.
Bumps the npm_and_yarn group with 4 updates in the /turbopack/crates/turbopack-tracing/tests/node-file-trace directory: axios, mongoose, vm2 and basic-ftp.

Updates mermaid from 10.9.1 to 10.9.6

Commits
  • dd351a7 chore: bump mermaid version to v10.9.6
  • e67a79b build: upgrade repo to use Node v20.17.0
  • e8c7043 fix: loosen uuid dependency range to allow v14
  • 1e8583d ci(publish): support NPM trusted publishing
  • 1173597 chore(deps): update dependencies using pnpm audit
  • c2094a4 Update docs
  • 46a487d test: correct createUserStyles call
  • 47437f3 Merge commit from fork
  • 7470a90 fix: skip namespacing CSSKeyframeRule
  • b37366e fix: disallow some CSS at-rules in custom CSS
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for mermaid since your current version.


Updates next from 16.0.8 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

v16.2.5

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)

... (truncated)

Commits
  • ee6e79b v16.2.6
  • afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
  • 97a154e Turbopack: Fix middleware matcher suffix (#93590)
  • 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
  • 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
  • a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
  • 766148f v16.2.5
  • 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
  • d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
  • 9d50c0b Strip next-resume header from incoming requests (#92)
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.


Updates next-intl from 1.5.1 to 4.11.2

Release notes

Sourced from next-intl's releases.

v4.11.2

4.11.2 (2026-05-11)

Bug Fixes

v4.11.1

4.11.1 (2026-05-08)

Bug Fixes

v4.11.0

4.11.0 (2026-04-28)

Features

v4.10.1

This was reverted in https://github.com/amannn/next-intl/releases/tag/v4.11.2


4.10.1 (2026-04-28)

Bug Fixes

⚠️ If you're using a setup behind a reverse proxy and your proxy sets x-forwarded-port, make sure the value is correct (typically 443).

v4.10.0

4.10.0 (2026-04-28)

Features

v4.9.2

4.9.2 (2026-04-27)

Bug Fixes

v4.9.1

... (truncated)

Changelog

Sourced from next-intl's changelog.

4.11.2 (2026-05-11)

Bug Fixes

4.11.1 (2026-05-08)

Bug Fixes

4.11.0 (2026-04-28)

Features

4.10.1 (2026-04-28)

Bug Fixes

4.10.0 (2026-04-28)

Features

4.9.2 (2026-04-27)

Bug Fixes

4.9.1 (2026-04-10)

Bug Fixes

4.9.0 (2026-04-01)

Features

4.8.4 (2026-03-31)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next-intl since your current version.


Updates @opentelemetry/sdk-node from 0.203.0 to 0.217.0

Release notes

Sourced from @​opentelemetry/sdk-node's releases.

experimental/v0.217.0

0.217.0

🚀 Features

  • feat(otlp-transformer): replace protobufjs trace serialization with custom implementation #6625 @​pichlermarc
  • feat(configuration): auto-generate TypeScript types from OTel declarative config JSON schema (stable v1.0.0) using json-schema-to-typescript and ajv #6533 @​MikeGoldsmith
  • feat(configuration, sdk-node): startNodeSDK() code path now uses log_level configuration to setup a DiagConsoleLogger #6668 @​trentm
    • Note that allowed values for log_level in a configuration YAML file are not the same set as for OTEL_LOG_LEVEL. Use log_level: trace to see all logs (equivalent of OTEL_LOG_LEVEL=ALL). Use log_level: fatal to effectively disable the SDK's internal diagnostic logger (equivalent of OTEL_LOG_LEVEL=NONE).
    • If log_level is not specified, a diagnostic console logger at "info" level will be setup.
    • An invalid YAML config file will now result in a noop OTel SDK.

🐛 Bug Fixes

  • fix(configuration): do not validate OTEL_CONFIG_FILE value before using it for file config #6643 @​trentm
  • fix(configuration): improve how 'additionalProperties' in JSON schema is translated to TS types #6650 @​trentm
  • fix(configuration): remove stripMinItems and preprocessNullArrays from validation/parsing #6657 @​trentm
  • fix(configuration): improve handling of enums in generated types #6659 @​trentm
  • fix(configuration): improve the technique for removing '| null' on types the JSON Schema #6662 @​trentm
  • fix(sampler-jaeger-remote): add missing axios dep #6656 @​trentm
  • fix(exporter-prometheus): handle malformed URLs in Prometheus exporter request handler #6674 @​homanp

experimental/v0.216.0

0.216.0

🚀 Features

🐛 Bug Fixes

  • fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
  • fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira
  • fix(instrumentation-xhr): resolve relative URLs before matching ignoreUrls #6551 @​Maximiliano-Zeballos
  • fix(sdk-node): fix setting of ViewOption#name from ConfigurationModel #6620 @​trentm
  • fix(web-common): add limit for timeout #6601 @​maryliag
  • fix(otlp-transformer): pin protobufjs@8.0.1 as protobufjs@8.0.3 is broken for browser use #6646

🏠 Internal

  • test(otlp-transformer): add metrics transform benchmark #6628 @​pichlermarc
  • refactor(opentelemetry-exporter-prometheus): do not call enforcePrometheusNamingConvention() multiple times per metric #6636 @​cjihrig

experimental/v0.215.0

0.215.0

💥 Breaking Changes

... (truncated)

Commits
  • 74cde1b chore: prepare next release (#6675)
  • e8f439a fix: handle malformed URLs in Prometheus exporter request handler (#6674)
  • ab3a2e2 feat(sdk-node, configuration): diag log handling updates for startNodeSDK(), ...
  • d5b7d1e fix(deps): update dependency axios to v1.15.2 [security] (#6670)
  • c163618 chore(deps): update github/codeql-action digest to e46ed2c (#6661)
  • ec2bfbe chore(configuration): move config generation scripts into the configuration p...
  • acc9ecd chore(configuration): cosmetic changes to generated types.ts (#6663)
  • 8f008ec chore: Move inactive members to emeritus (#6649)
  • 435431e fix(configuration): improve the technique for removing '| null' on types due ...
  • 4222024 fix(configuration): improve handling of enums in generated types (#6659)
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​opentelemetry/sdk-node since your current version.


Updates fast-uri from 3.0.6 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

What's Changed

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

v3.1.0

What's Changed

... (truncated)

Commits
  • 919dd8e Bumped v3.1.2
  • c65ba57 fixup: linting
  • 6c86c17 Merge commit from fork
  • a95158a Handle malformed fragment decoding without throwing (#171)
  • cea547c Bumped v3.1.1
  • 876ce79 Merge commit from fork
  • dcdf690 ci: add lock-threads workflow (#169)
  • c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
  • 9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
  • 85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
  • Additional commits viewable in compare view

Updates axios from 0.21.4 to 0.31.1

Release notes

Sourced from axios's releases.

v0.31.1

This release backports a broad set of security hardenings from the v1 line — covering prototype-pollution defences, stream size enforcement, XSRF handling, URL null-byte encoding, and bounded FormData recursion — and drops committed dist/ artefacts along with Bower support.

⚠️ Breaking Changes & Deprecations

  • Bower & Committed dist/ Removed: dist/ bundles are no longer committed to the repo, and bower.json plus the Grunt package2bower task have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (#10747)

🔒 Security Fixes

  • Prototype Pollution in Header Merge (GHSA-6chq-wfr3-2hj9): Tightened isFormData to reject plain/null-prototype objects and require append, and guarded the Node HTTP adapter so data.getHeaders() is only merged when it is not inherited from Object.prototype. Blocks injected headers via polluted getHeaders. (#10750)
  • Prototype Pollution in Config Merging (GHSA-pf86-5x62-jrwf): mergeConfig, defaults resolution, and the HTTP adapter now uses own-property checks for transport, env, Blob, formSerializer, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (#10752)
  • FormData / Params Recursion DoS: Added a configurable maxDepth (default 100, Infinity disables) to toFormData and params serialisation, throwing AxiosError with code ERR_FORM_DATA_DEPTH_EXCEEDED when exceeded. Circular-reference detection is preserved. (#10728)
  • Null-Byte Injection in Query Strings: Removed the unsafe %00 → null-byte substitution from AxiosURLSearchParams.encode so %00 is preserved as-is. Other encoding behaviour (including %20+) unchanged. (#10737)
  • Consolidated v1 Security Backport: Rolls up remaining v1 hardenings into v0.x: maxContentLength enforcement for responseType: 'stream' via a guarded transform with deferred piping, maxBodyLength enforcement for streamed uploads on native http/https with maxRedirects: 0, and stricter withXSRFToken handling so only own boolean true enables cross-origin XSRF headers. (#10764)

🔧 Maintenance & Chores

  • CODEOWNERS: Added .github/CODEOWNERS with * @jasonsaayman to set a default reviewer for all paths. (#10740)

Full Changelog

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

  • Header Injection & Proxy Bypass: Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper NO_PROXY/no_proxy enforcement covering wildcards, explicit ports, loopback aliases (localhost, 127.0.0.1, ::1), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, and parsed.host is used for correct port and IPv6 handling. (#10688)

  • CI Security: SHA-pins all actions and disables credential persistence in v0.x CI, introduces zizmor security scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a required npm-publish GitHub Environment with configurable reviewer protections. (#10638, #10639, #10667)

🐛 Bug Fixes

  • TypeScript — AxiosInstance Return Types: Fixes return types in AxiosInstance methods to correctly resolve to Promise<R> (matching AxiosPromise<T> semantics), and corrects the generic call signature so TypeScript properly enforces the response data type. TypeScript-only changes; no runtime impact. (#6253, #7328)

  • Performance: Fixes a performance regression in isEmptyObject() that caused excessive computation when the argument was a large string. (#6484)

🔧 Maintenance & Chores

  • Versioning & CI Workflow: Adds an automated versioning flow for v0.x, renames the CI workflow for consistency with the v1.x naming convention, and corrects the branch name reference in CI config. (#10690, #10691, #10692)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.


Updates mongoose from 5.13.15 to 6.13.9

Release notes

Sourced from mongoose's releases.

6.13.9 / 2026-02-04

  • fix: handle other top-level query operators in sanitizeFilter
  • types(aggregate): add $firstN, $lastN, $bottom, $bottomN, $minN and $maxN operators #15303 #15299
  • docs(compatibility): add note that Mongoose ^6.5 works with MongoDB server 7.x #15427

6.13.8 / 2025-01-20

  • chore: remove coverage output from bundle

6.13.7 / 2025-01-20

  • chore: re-release to force npm audit to pick up 6.x fix for CVE-2025-23061

6.13.6 / 2025-01-13

  • fix: disallow nested $where in populate match

Changelog

Sourced from mongoose's changelog.

6.13.9 / 2026-02-04

  • fix: handle other top-level query operators in sanitizeFilter
  • types(aggregate): add $firstN, $lastN, $bottom, $bottomN, $minN and $maxN operators #15303 #15299
  • docs(compatibility): add note that Mongoose ^6.5 works with MongoDB server 7.x #15427

6.13.8 / 2025-01-20

  • chore: remove coverage output from bundle

6.13.7 / 2025-01-20

  • chore: re-release to force npm audit to pick up 6.x fix for CVE-2025-23061

6.13.6 / 2025-01-13

6.13.5 / 2024-11-26

  • fix: disallow using $where in match

6.13.4 / 2024-11-15

  • fix: save execution stack in query as string #15043 #15039
  • docs: clarify strictQuery default will flip-flop in "Migrating to 6.x" #14998 markstos

6.13.3 / 2024-09-23

  • docs(migrating_to_6): document that Lodash _.isEmpty() with ObjectId() as a parameter returns true in Mongoose 6 #11152

6.13.2 / 2024-09-12

  • fix(document): make set() respect merge option on deeply nested objects #14870 #14878

6.13.1 / 2024-09-06

  • fix: remove empty $and, $or, $not that were made empty by scrict mode #14749 #13086 0x0a0d

6.13.0 / 2024-06-06

  • feat(model): add throwOnValidationError option for opting into getting MongooseBulkWriteError if all valid operations succeed in bulkWrite() and insertMany() #14599 #14587 #14572 #13410

6.12.9 / 2024-05-24

  • fix(cast): cast $comment to string in query filters #14590 #14576
  • types(model): allow passing strict type checking override to create() #14571 #14548

6.12.8 / 2024-04-10

... (truncated)

Commits
  • 473a92e style: fix lint
  • 40e1af0 quick fix for no elvis operator in node 12
  • 068ee25 chore: release 6.13.9
  • 3b0c5c0 fix: handle other top-level query operators in sanitizeFilter
  • b331eac Merge pull request #15434 from Automattic/vkarpov15/gh-15427
  • 2097837 chore: remove upload-artifact
  • 8045783 chore: bump ubuntu versions in GitHub actions
  • 5235028 docs(compatibility): add note that Mongoose ^6.5 works with MongoDB server 7.x
  • 1448c67 Merge pull request #15303 from Automattic/vkarpov15/gh-15299
  • 17d1bd6 fix ts benchmark by bumping max instantiations
  • Additional commits viewable in compare view

Updates vm2 from 3.9.11 to 3.11.2

Release notes

Sourced from vm2's releases.

v3.11.2

What's Changed

Security fixes

  • GHSA-9vg3-4rfj-wgcm — Sandbox-realm null-proto write-through via bridge.from() set trap (RCE)
  • GHSA-2cm2-m3w5-gp2f — Internal state reachable via computed-key access on globalThis
  • GHSA-9qj6-qjgg-37qq — Bridge saved-state leak via sandbox-installed Array.prototype[N] setter (RCE)

Documentation

  • docs/ATTACKS.md updated through Category 28, plus a new Defense Invariant
    ("Bridge-internal containers must not invoke sandbox code").

Full Changelog: patriksimek/vm2@v3.11.1...v3.11.2

v3.11.1

Single advisory closed plus prominent documentation of an existing escape hatch. Patch release — no API changes for valid configurations.

Embedders running untrusted code with nesting: true should read the new README section.

What's Changed

Security fix

  • GHSA-8hg8-63c5-gwmx — nesting: true bypassed require: false, allowing sandbox-to-host RCE via inner NodeVM construction. The contradictory option pair { nesting: true, require: false } now throws VMError at new NodeVM(...) time citing the advisory. Same shape as the GHSA-cp6g eager FileSystem-contract probe — surface contradictory configuration at the API surface, not silently produce an unsandboxed sandbox.

Documentation

  • New README section "nesting: true is an escape hatch" under Hardening recommendations. Spells out the inner-VM independence: a nested VM's require config is chosen by the sandbox code that constructs it, not constrained by the outer VM. Do not enable nesting: true for untrusted code.
  • JSDoc on the nesting option (lib/nodevm.js) upgraded to match.
  • docs/ATTACKS.md gains Category 25 documenting the configuration trap, plus a matching row in the "How The Bridge Defends" table.

Upgrade Notes

  • If you set { nesting: true, require: false } anywhere in your codebase, new NodeVM(...) now throws. Either drop nesting: true (if you wanted deny-all), or replace require: false with an explicit require config (e.g. require: { builtin: [] }) to acknowledge that vm2 will be requireable. The error message is actionable and links to the README section.
  • No other configurations are affected. Bare new NodeVM({ nesting: true }) continues to work as documented; this is the documented escape hatch and is not closed by this patch (out of scope — would change nesting: true semantics substantially).

What This Fix Does NOT Close

nesting: true itself remains an escape hatch for any non-trivial require config. The fix closes the specific contradictory pair flagged by the advisory; the broader recommendation is in the new README section: do not enable nesting: true when running untrusted code. Constraint propagation from outer to inner NodeVM (where the outer's require config would constrain inner construction) was considered and deferred — it would change the documented semantics of nesting: true and is a major-version-shaped change.

Full Changelog: patriksimek/vm2@v3.11.0...v3.11.1

v3.11.0

Coordinated security release closing 13 advisories, plus a new bufferAllocLimit option and a realpath() method on the FileSystem adapter contract. Minor version bump because of the new public option and the FileSystem contract addition; no incompatible changes to the existing public API surface.

Embedders running untrusted code should upgrade. Several of the advisories close full sandbox-escape RCE primitives.

What's Changed

... (truncated)

Changelog

Sourced from vm2's changelog.

[3.11.2]

Three advisories closed. Patch release — no API changes.

Security fixes

  • GHSA-2cm2-m3w5-gp2f — Internal state reachable via computed property access on globalThis. The previous fix (GHSA-wp5r-2gw5-m7q7) tightened the transformer's identifier-rejection but left globalThis['VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL'] and every reflective probe of the global object (bracket access, Reflect.get, Object.getOwnPropertyDescriptor, Object.getOwnPropertyNames enumeration) returning the live state object — the transformer is a syntactic gate and cannot see through dynamic property keys. Structural fix: the bootstrap script (vm.js's setupSandboxScript source) now declares let VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL at the script's top level, which lands the binding in the context's [[GlobalLexicalEnvironment]] — reachable as a bare identifier from every script (so transformer-emitted catch handlers still resolve), but absent from globalThis's own-property table (so every computed-key probe returns undefined). The defineProperty install in setup-sandbox.js is removed entirely; the bootstrap IIFE assigns into the outer let instead. Supersedes GHSA-wp5r-2gw5-m7q7's identifier-only mitigation by closing the entire computed-key class. ATTACKS.md Category 27.
  • GHSA-9vg3-4rfj-wgcm — Sandbox breakout via null-proto throw / handleException. The post-GHSA-mpf8 hardening switched handleException and globalPromise.prototype.then onFulfilled to wrap caught/resolved values with bridge.from() for "symmetry". from() builds a sandbox-side proxy whose target the bridge treats as host-realm; calling it on a sandbox-realm null-proto value ({__proto__: null} thrown or Promise.resolve-d by sandbox JS) produced a proxy whose set trap unwrapped sandbox proxies of host references (e.g. Buffer.prototype.inspect) back to their raw host originals and stored them on the underlying sandbox object — readable via the original sandbox reference and pivot to host Function constructor → RCE. Three callsites in lib/setup-sandbox.js reverted to ensureThis() semantics; the host-Promise rejection sanitizer composes from() outside handleException so the GHSA-mpf8 invariant (host null-proto rejection values must reach sandbox callbacks bridge-wrapped) is preserved. ATTACKS.md Category 26.
  • GHSA-9qj6-qjgg-37qq — sandbox breakout via the species-defense helper neutralizeArraySpeciesBatch. The helper appended saved-state records to a fresh [] literal that — being allocated by the sandbox-side bridge closure — inherited sandbox Array.prototype. A sandbox-installed setter on Array.prototype[N]

Description has been truncated

Bumps the npm_and_yarn group with 1 update in the / directory: [mermaid](https://github.com/mermaid-js/mermaid).
Bumps the npm_and_yarn group with 1 update in the /apps/bundle-analyzer directory: [next](https://github.com/vercel/next.js).
Bumps the npm_and_yarn group with 1 update in the /examples/with-i18n-next-intl directory: [next-intl](https://github.com/amannn/next-intl).
Bumps the npm_and_yarn group with 1 update in the /test/e2e/app-dir/cache-components-allow-otel-spans directory: [@opentelemetry/sdk-node](https://github.com/open-telemetry/opentelemetry-js).
Bumps the npm_and_yarn group with 1 update in the /turbopack/benchmark-apps directory: [fast-uri](https://github.com/fastify/fast-uri).
Bumps the npm_and_yarn group with 4 updates in the /turbopack/crates/turbopack-tracing/tests/node-file-trace directory: [axios](https://github.com/axios/axios), [mongoose](https://github.com/Automattic/mongoose), [vm2](https://github.com/patriksimek/vm2) and [basic-ftp](https://github.com/patrickjuchli/basic-ftp).


Updates `mermaid` from 10.9.1 to 10.9.6
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](mermaid-js/mermaid@v10.9.1...v10.9.6)

Updates `next` from 16.0.8 to 16.2.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.0.8...v16.2.6)

Updates `next-intl` from 1.5.1 to 4.11.2
- [Release notes](https://github.com/amannn/next-intl/releases)
- [Changelog](https://github.com/amannn/next-intl/blob/main/CHANGELOG.md)
- [Commits](amannn/next-intl@v1.5.1...v4.11.2)

Updates `@opentelemetry/sdk-node` from 0.203.0 to 0.217.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@experimental/v0.203.0...experimental/v0.217.0)

Updates `fast-uri` from 3.0.6 to 3.1.2
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.0.6...v3.1.2)

Updates `axios` from 0.21.4 to 0.31.1
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v0.21.4...v0.31.1)

Updates `mongoose` from 5.13.15 to 6.13.9
- [Release notes](https://github.com/Automattic/mongoose/releases)
- [Changelog](https://github.com/Automattic/mongoose/blob/6.13.9/CHANGELOG.md)
- [Commits](Automattic/mongoose@5.13.15...6.13.9)

Updates `vm2` from 3.9.11 to 3.11.2
- [Release notes](https://github.com/patriksimek/vm2/releases)
- [Changelog](https://github.com/patriksimek/vm2/blob/main/CHANGELOG.md)
- [Commits](patriksimek/vm2@3.9.11...v3.11.2)

Updates `basic-ftp` from 5.0.5 to 5.3.1
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](patrickjuchli/basic-ftp@v5.0.5...v5.3.1)

---
updated-dependencies:
- dependency-name: mermaid
  dependency-version: 10.9.6
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 16.2.6
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next-intl
  dependency-version: 4.11.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@opentelemetry/sdk-node"
  dependency-version: 0.217.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 0.31.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: mongoose
  dependency-version: 6.13.9
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: vm2
  dependency-version: 3.11.2
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: basic-ftp
  dependency-version: 5.3.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and javascript labels May 11, 2026

dependabot Bot commented on behalf of github May 12, 2026


Superseded by #17.

@dependabot dependabot Bot closed this May 12, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-4a5f4fd2a8 branch May 12, 2026 04:29
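
The axios v0.31.1 notes quoted in the description above name own-property checks and null-prototype merged configs as the fix for GHSA-pf86-5x62-jrwf. The sketch below is an added example (not axios code and not part of this pull request) showing why a merge that uses plain property reads picks up values from a polluted Object.prototype while an own-property merge does not. `naiveMerge`, `hardenedMerge`, `xsrfEnabled` and `KNOWN_KEYS` are hypothetical names, and the pollution is simulated by direct assignment and undone afterwards.

```javascript
'use strict';

// Hypothetical helpers for illustration; none of this is axios source.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Assumed set of config keys for this sketch.
const KNOWN_KEYS = ['url', 'method', 'transport', 'formSerializer', 'withXSRFToken'];

// "Before" shape: plain reads walk the prototype chain, so a key that the
// caller never set can still resolve to an inherited value.
function naiveMerge(defaults, overrides) {
  const merged = {};
  for (const key of KNOWN_KEYS) {
    const value = overrides[key] !== undefined ? overrides[key] : defaults[key];
    if (value !== undefined) merged[key] = value;
  }
  return merged;
}

// "After" shape: only own properties are copied, and the result has a null
// prototype so later reads on it cannot fall through to Object.prototype.
function hardenedMerge(defaults, overrides) {
  const merged = Object.create(null);
  for (const key of KNOWN_KEYS) {
    if (hasOwn(overrides, key)) merged[key] = overrides[key];
    else if (hasOwn(defaults, key)) merged[key] = defaults[key];
  }
  return merged;
}

// Mirrors the release note's rule: only an own boolean true enables the flag.
function xsrfEnabled(config) {
  return hasOwn(config, 'withXSRFToken') && config.withXSRFToken === true;
}

// Runs both merges while Object.prototype carries constructed extra keys,
// then restores the prototype so nothing leaks into the rest of the process.
function compareUnderPollution() {
  const inheritedTransport = { request() { return 'inherited transport used'; } };
  Object.prototype.transport = inheritedTransport; // constructed test condition
  Object.prototype.withXSRFToken = true;           // constructed test condition
  try {
    const defaults = { method: 'get' };
    const overrides = { url: '/api/items' };
    const naive = naiveMerge(defaults, overrides);
    const hardened = hardenedMerge(defaults, overrides);
    return {
      naiveTransportHijacked: naive.transport === inheritedTransport,
      naiveXsrf: naive.withXSRFToken === true,
      hardenedHasTransport: 'transport' in hardened,
      hardenedXsrf: xsrfEnabled(hardened),
      hardenedProto: Object.getPrototypeOf(hardened),
      hardenedKeys: Object.keys(hardened).sort(),
    };
  } finally {
    delete Object.prototype.transport;
    delete Object.prototype.withXSRFToken;
  }
}

console.log(compareUnderPollution());
```
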